Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 1 | /* Copyright (c) 2015, The Linux Foundation. All rights reserved. |
| 2 | * |
| 3 | * Redistribution and use in source and binary forms, with or without |
| 4 | * modification, are permitted provided that the following conditions are |
| 5 | * met: |
| 6 | * * Redistributions of source code must retain the above copyright |
| 7 | * notice, this list of conditions and the following disclaimer. |
| 8 | * * Redistributions in binary form must reproduce the above |
| 9 | * copyright notice, this list of conditions and the following |
| 10 | * disclaimer in the documentation and/or other materials provided |
| 11 | * with the distribution. |
| 12 | * * Neither the name of The Linux Foundation nor the names of its |
| 13 | * contributors may be used to endorse or promote products derived |
| 14 | * from this software without specific prior written permission. |
| 15 | * |
| 16 | * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED |
| 17 | * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF |
| 18 | * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT |
| 19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS |
| 20 | * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
| 21 | * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
| 22 | * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR |
| 23 | * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, |
| 24 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE |
| 25 | * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN |
| 26 | * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 27 | */ |
| 28 | |
| 29 | #include <debug.h> |
| 30 | #include <dev/fbcon.h> |
| 31 | #include <target.h> |
| 32 | #include <mmc.h> |
| 33 | #include <partition_parser.h> |
| 34 | #include <platform.h> |
| 35 | #include <crypto_hash.h> |
| 36 | #include <malloc.h> |
| 37 | #include <sha.h> |
| 38 | #include <string.h> |
| 39 | #include <rand.h> |
| 40 | #include <stdlib.h> |
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 41 | #include <boot_verifier.h> |
| 42 | #include <image_verify.h> |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 43 | #include "scm.h" |
| 44 | #include "mdtp.h" |
| 45 | |
/* Direction selectors for the DIP cipher helpers declared below
 * (presumably passed to the TZ SCM call; the helpers' bodies are not in view). */
#define DIP_ENCRYPT (0)
#define DIP_DECRYPT (1)
/* Budget for DIP cipher SCM calls; how it is enforced is not visible here. */
#define MAX_CIPHER_DIP_SCM_CALLS (3)

/* DIP format version implemented by this SW. Only the major number gates
 * compatibility (validate_dip rejects a DIP whose major differs). */
#define MDTP_MAJOR_VERSION (0)
#define MDTP_MINOR_VERSION (2)

/** Extract major version number from complete version. */
#define MDTP_GET_MAJOR_VERSION(version) ((version) >> 16)

/* TrustZone-backed DIP cipher/hash helpers, defined later in this file. */
static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified);
static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip);
static void mdtp_tzbsp_disallow_cipher_DIP(void);

/* Packed version word: major in the upper 16 bits, minor in the lower 16 bits. */
uint32_t g_mdtp_version = (((MDTP_MAJOR_VERSION << 16) & 0xFFFF0000) | (MDTP_MINOR_VERSION & 0x0000FFFF));
/* -1 = not yet determined; verify_all_partitions sets it to 1 once every protected partition passes. */
static int is_mdtp_activated = -1;

/* Helpers implemented elsewhere in the bootloader; no visible header declares them. */
int check_aboot_addr_range_overlap(uint32_t start, uint32_t size);
int scm_random(uint32_t * rbuf, uint32_t r_len);
void free_mdtp_image(void);
Amit Blay | 8e2731c | 2015-04-28 21:54:55 +0300 | [diff] [blame] | 66 | |
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 67 | /********************************************************************************/ |
| 68 | |
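/* Read the DIP from EMMC, as stored on flash (the encrypted form written by write_DIP).
 *
 * @param dip  Caller-owned destination buffer; the DIP buffers in this file are
 *             allocated with sizeof(DIP_t).
 * @return 0 on success, -1 if the "dip" partition is missing or the read fails.
 *
 * NOTE(review): the read length is sizeof(DIP_t) rounded up to the device block
 * size, so the destination must cover that rounded size -- confirm sizeof(DIP_t)
 * is a multiple of the block size (DIP padding), otherwise mmc_read() writes past
 * the buffer.
 */
static int read_DIP(DIP_t *dip)
{
	unsigned long long ptn = 0;
	uint32_t actual_partition_size;
	uint32_t block_size = mmc_get_device_blocksize();
	int index = INVALID_PTN;

	ASSERT(dip != NULL);

	/* Fail explicitly on a missing partition instead of relying on the offset lookup. */
	index = partition_get_index("dip");
	if (index == INVALID_PTN)
	{
		dprintf(CRITICAL, "mdtp: read_DIP: ERROR, dip partition not found\n");
		return -1;
	}

	ptn = partition_get_offset(index);
	if (ptn == 0)
	{
		return -1;
	}

	/* mmc_read() works in whole device blocks, so the DIP size is rounded up. */
	actual_partition_size = ROUNDUP(sizeof(DIP_t), block_size);

	if (mmc_read(ptn, (void *)dip, actual_partition_size))
	{
		dprintf(CRITICAL, "mdtp: read_DIP: ERROR, cannot read DIP info\n");
		return -1;
	}

	/* %u matches the unsigned byte count. */
	dprintf(SPEW, "mdtp: read_DIP: SUCCESS, read %u bytes\n", actual_partition_size);

	return 0;
}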
| 100 | |
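/* Store the DIP into the EMMC.
 *
 * @param dip  Buffer holding the DIP image to persist; write_deactivated_DIP passes
 *             the output of mdtp_tzbsp_enc_hash_DIP here.
 * @return 0 on success, -1 if the "dip" partition is missing or the write fails.
 *
 * NOTE(review): the write length is sizeof(DIP_t) rounded up to the device block
 * size, so bytes beyond sizeof(DIP_t) are read from past the buffer unless
 * sizeof(DIP_t) is block aligned -- confirm.
 */
static int write_DIP(DIP_t *dip)
{
	unsigned long long ptn = 0;
	uint32_t block_size = mmc_get_device_blocksize();
	uint32_t write_size;
	int index = INVALID_PTN;

	ASSERT(dip != NULL);

	/* Fail explicitly on a missing partition instead of relying on the offset lookup. */
	index = partition_get_index("dip");
	if (index == INVALID_PTN)
	{
		dprintf(CRITICAL, "mdtp: write_DIP: ERROR, dip partition not found\n");
		return -1;
	}

	ptn = partition_get_offset(index);
	if (ptn == 0)
	{
		return -1;
	}

	/* mmc_write() works in whole device blocks; compute the rounded size once. */
	write_size = ROUNDUP(sizeof(DIP_t), block_size);

	if (mmc_write(ptn, write_size, (void *)dip))
	{
		dprintf(CRITICAL, "mdtp: write_DIP: ERROR, cannot write DIP info\n");
		return -1;
	}

	/* %u matches the unsigned byte count. */
	dprintf(SPEW, "mdtp: write_DIP: SUCCESS, write %u bytes\n", write_size);

	return 0;
}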
| 129 | |
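/* Deactivate MDTP by storing the default DIP into the EMMC.
 *
 * The default DIP is all-zero apart from status (DIP_STATUS_DEACTIVATED) and
 * version (g_mdtp_version), which is exactly the shape validate_dip() accepts
 * for a deactivated DIP. It is run through mdtp_tzbsp_enc_hash_DIP and the
 * result is written with write_DIP.
 *
 * Failures are only logged; the caller has no way to observe them.
 */
static void write_deactivated_DIP(void)
{
	DIP_t *enc_dip = NULL;
	DIP_t *dec_dip = NULL;

	enc_dip = malloc(sizeof(DIP_t));
	if (enc_dip == NULL)
	{
		dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n");
		return;
	}

	dec_dip = malloc(sizeof(DIP_t));
	if (dec_dip == NULL)
	{
		dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n");
		goto out;
	}

	/* Every byte between mdtp_cfg and hash must be zero for validate_dip() to accept it. */
	memset(dec_dip, 0, sizeof(DIP_t));
	dec_dip->status = DIP_STATUS_DEACTIVATED;
	dec_dip->version = g_mdtp_version;

	if (mdtp_tzbsp_enc_hash_DIP(dec_dip, enc_dip) < 0)
	{
		dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot cipher DIP\n");
		goto out;
	}

	if (write_DIP(enc_dip) < 0)
	{
		dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot write DIP\n");
	}

out:
	/* Single cleanup path; free(NULL) is a no-op for the not-yet-allocated case. */
	free(dec_dip);
	free(enc_dip);
}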
| 175 | |
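/* Validate a hash calculated on the entire given partition.
 *
 * @param name        Partition name to look up.
 * @param size        Number of bytes covered by the hash (> 0).
 * @param hash_table  Entry holding the expected SHA-256 digest.
 * @return 0 when the computed digest matches, -1 on lookup/read failure or mismatch.
 *
 * The whole partition is read into the shared scratch buffer before hashing, so
 * the buffer range is first checked against aboot's own addresses -- the same
 * check verify_partition_block_hash performs for its per-block buffer.
 *
 * NOTE(review): size is passed to hash_find() as-is; if that API takes a 32-bit
 * length the value is narrowed -- confirm.
 */
static int verify_partition_single_hash(char *name, uint64_t size, DIP_hash_table_entry_t *hash_table)
{
	unsigned char digest[HASH_LEN]={0};
	unsigned long long ptn = 0;
	int index = INVALID_PTN;
	unsigned char *buf = (unsigned char *)target_get_scratch_address() + MDTP_SCRATCH_OFFSET;
	uint32_t block_size = mmc_get_device_blocksize();
	uint64_t actual_partition_size = ROUNDUP(size, block_size);

	/* Check arguments before they are used (the log line below prints name). */
	ASSERT(name != NULL);
	ASSERT(hash_table != NULL);
	ASSERT(size > 0);

	dprintf(SPEW, "mdtp: verify_partition_single_hash: %s, %llu\n", name, size);

	index = partition_get_index(name);
	ptn = partition_get_offset(index);

	if(ptn == 0) {
		dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: partition was not found\n", name);
		return -1;
	}

	/* The full rounded length lands in scratch memory: it must fit the 32-bit
	 * overlap check and must not reach into aboot's own address ranges. */
	if ((actual_partition_size >> 32) != 0 ||
	    check_aboot_addr_range_overlap((uint32_t)buf, (uint32_t)actual_partition_size))
	{
		dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: image buffer address overlaps with aboot addresses.\n", name);
		return -1;
	}

	if (mmc_read(ptn, (void *)buf, actual_partition_size))
	{
		dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: mmc_read() fail.\n", name);
		return -1;
	}

	/* calculating the hash value using HW crypto */
	target_crypto_init_params();
	hash_find(buf, size, digest, CRYPTO_AUTH_ALG_SHA256);

	if (memcmp(digest, hash_table->hash, HASH_LEN))
	{
		dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: Failed partition hash verification\n", name);

		return -1;
	}

	dprintf(SPEW, "verify_partition_single_hash: %s: VERIFIED!\n", name);

	return 0;
}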
| 221 | |
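/* Validate a hash table calculated per block of a given partition.
 *
 * Blocks are MDTP_FWLOCK_BLOCK_SIZE bytes; the last one may be shorter. A block
 * whose force_verify_block flag is non-zero is always verified; any other block
 * is verified with probability verify_num_blocks / total_num_blocks, decided by
 * a random number obtained through scm_random().
 *
 * @param name                Partition name to look up.
 * @param size                Partition bytes covered by the table (> 0).
 * @param verify_num_blocks   Expected number of non-forced blocks to verify.
 * @param hash_table          One expected digest per block, in block order.
 * @param force_verify_block  One flag per block, in block order.
 * @return 0 when every verified block matches, -1 on lookup/read/RNG failure or mismatch.
 */
static int verify_partition_block_hash(char *name,
									   uint64_t size,
									   uint32_t verify_num_blocks,
									   DIP_hash_table_entry_t *hash_table,
									   uint8_t *force_verify_block)
{
	unsigned char digest[HASH_LEN]={0};
	unsigned long long ptn = 0;
	int index = INVALID_PTN;
	unsigned char *buf = (unsigned char *)target_get_scratch_address() + MDTP_SCRATCH_OFFSET;
	uint32_t bytes_to_read;
	uint32_t block_num;
	uint64_t block_offset;
	uint32_t total_num_blocks = ((size - 1) / MDTP_FWLOCK_BLOCK_SIZE) + 1;
	uint32_t rand_int;
	uint32_t block_size = mmc_get_device_blocksize();

	/* Check arguments before they are used (the log line below prints name). */
	ASSERT(name != NULL);
	ASSERT(hash_table != NULL);
	ASSERT(size > 0);
	ASSERT(force_verify_block != NULL);

	dprintf(SPEW, "mdtp: verify_partition_block_hash: %s, %llu\n", name, size);

	index = partition_get_index(name);
	ptn = partition_get_offset(index);

	if(ptn == 0) {
		dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: partition was not found\n", name);
		return -1;
	}

	/* initiating parameters for hash calculation using HW crypto */
	target_crypto_init_params();

	/* Only one (block-rounded) block is ever resident in the scratch buffer. */
	if (check_aboot_addr_range_overlap((uint32_t)buf, ROUNDUP(MDTP_FWLOCK_BLOCK_SIZE, block_size)))
	{
		dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: image buffer address overlaps with aboot addresses.\n", name);
		return -1;
	}

	/* Byte offsets are kept in 64 bits: validate_partition_params allows sizes
	 * up to MDTP_FWLOCK_BLOCK_SIZE * MAX_BLOCKS as a uint64_t, so a 32-bit
	 * MDTP_FWLOCK_BLOCK_SIZE * block_num product could wrap. */
	for (block_num = 0, block_offset = 0;
	     block_offset < size;
	     block_num++, block_offset += MDTP_FWLOCK_BLOCK_SIZE)
	{
		if (force_verify_block[block_num] == 0)
		{
			if(scm_random(&rand_int, sizeof(rand_int)))
			{
				dprintf(CRITICAL,"mdtp: scm_call for random failed\n");
				return -1;
			}

			/* Verify this block with probability verify_num_blocks / total_num_blocks, skip it otherwise.
			 * Block indices are logged 0-based here, consistent with the hash[%d] message below. */
			if ((rand_int % total_num_blocks) >= verify_num_blocks)
			{
				dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: skipped verification of block %d\n", name, block_num);
				continue;
			}
		}

		/* The last block may be shorter than MDTP_FWLOCK_BLOCK_SIZE. */
		if (size - block_offset < MDTP_FWLOCK_BLOCK_SIZE)
		{
			bytes_to_read = (uint32_t)(size - block_offset);
		} else
		{
			bytes_to_read = MDTP_FWLOCK_BLOCK_SIZE;
		}

		if (mmc_read(ptn + block_offset, (void *)buf, ROUNDUP(bytes_to_read, block_size)))
		{
			dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: mmc_read() fail.\n", name);
			return -1;
		}

		/* calculating the hash value using HW */
		hash_find(buf, bytes_to_read, digest, CRYPTO_AUTH_ALG_SHA256);

		if (memcmp(digest, hash_table[block_num].hash, HASH_LEN))
		{
			dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: Failed partition hash[%d] verification\n", name, block_num);
			return -1;
		}
	}

	dprintf(SPEW, "verify_partition_block_hash: %s: VERIFIED!\n", name);

	return 0;
}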
| 315 | |
/* Validate the per-partition parameters read from the DIP.
 *
 * Rejects a zero size, a size above MDTP_FWLOCK_BLOCK_SIZE * MAX_BLOCKS, a
 * hash_mode outside the mdtp_fwlock_mode_t range and a verify_ratio above 100.
 *
 * @return 0 when every parameter is acceptable, -1 (after logging them) otherwise.
 */
static int validate_partition_params(uint64_t size,
									 mdtp_fwlock_mode_t hash_mode,
									 uint32_t verify_ratio)
{
	const uint64_t max_size = (uint64_t)MDTP_FWLOCK_BLOCK_SIZE * (uint64_t)MAX_BLOCKS;
	int size_ok = (size != 0) && (size <= max_size);
	int mode_ok = (hash_mode < MDTP_FWLOCK_MODE_SIZE);
	int ratio_ok = (verify_ratio <= 100);

	if (size_ok && mode_ok && ratio_ok)
	{
		return 0;
	}

	dprintf(CRITICAL, "mdtp: validate_partition_params: error, size=%llu, hash_mode=%d, verify_ratio=%d\n",
			size, hash_mode, verify_ratio);
	return -1;
}
| 331 | |
/* Verify a given partition, dispatching on its hash mode.
 *
 * MDTP_FWLOCK_MODE_SINGLE uses one hash over the whole partition; the BLOCK and
 * FILES modes both use the per-block hash table. Any other mode is rejected.
 *
 * @return 0 when the partition verifies, -1 on failure or on an illegal hash_mode.
 */
static int verify_partition(char *name,
							uint64_t size,
							mdtp_fwlock_mode_t hash_mode,
							uint32_t verify_num_blocks,
							DIP_hash_table_entry_t *hash_table,
							uint8_t *force_verify_block)
{
	switch (hash_mode)
	{
	case MDTP_FWLOCK_MODE_SINGLE:
		return verify_partition_single_hash(name, size, hash_table);

	case MDTP_FWLOCK_MODE_BLOCK:
	case MDTP_FWLOCK_MODE_FILES:
		return verify_partition_block_hash(name, size, verify_num_blocks, hash_table, force_verify_block);

	default:
		/* Illegal value of hash_mode */
		return -1;
	}
}
| 351 | |
/* Sanity-check a decrypted DIP before its contents are trusted.
 *
 * The DIP is accepted only if its major version equals MDTP_MAJOR_VERSION and,
 * when its status is DIP_STATUS_DEACTIVATED, every byte from mdtp_cfg up to
 * (not including) the hash field is zero.
 *
 * @return 0 if the DIP is acceptable, -1 otherwise.
 */
static int validate_dip(DIP_t *dip)
{
	const uint8_t *cursor;
	const uint8_t *end;

	ASSERT(dip != NULL);

	/* Make sure DIP version is supported by current SW */
	if (MDTP_GET_MAJOR_VERSION(dip->version) != MDTP_MAJOR_VERSION)
	{
		dprintf(CRITICAL, "mdtp: validate_dip: Wrong DIP version 0x%x\n", dip->version);
		return -1;
	}

	/* Only a deactivated DIP has a fixed expected content. */
	if (dip->status != DIP_STATUS_DEACTIVATED)
	{
		return 0;
	}

	/* Make sure that deactivated DIP content is as expected: all-zero between mdtp_cfg and hash */
	end = (const uint8_t *)dip->hash;
	for (cursor = (const uint8_t *)&dip->mdtp_cfg; cursor < end; cursor++)
	{
		if (*cursor != 0)
		{
			dprintf(CRITICAL, "mdtp: validate_dip: error in deactivated DIP\n");
			return -1;
		}
	}

	return 0;
}
| 382 | |
/* Display the recovery UI to allow the user to enter the PIN and continue boot.
 *
 * When local PIN authentication is enabled in mdtp_cfg, the user is prompted
 * until the entered PIN equals the configured one; MDTP is then deactivated via
 * write_deactivated_DIP() and boot continues. If local authentication is
 * disabled, or the configured PIN length is outside
 * [MDTP_MIN_PIN_LEN, MDTP_MAX_PIN_LEN], display_error_msg() is called, which per
 * the existing comments never returns. free_mdtp_image() is called on exit.
 *
 * NOTE(review): the configured PIN length comes from strlen(), which assumes
 * mdtp_cfg->mdtp_pin.mdtp_pin is NUL-terminated -- confirm at the producer.
 */
static void display_recovery_ui(mdtp_cfg_t *mdtp_cfg)
{
	char entered_pin[MDTP_MAX_PIN_LEN+1] = {0};
	uint32_t pin_length = 0;
	uint32_t idx;
	char pin_mismatch = 0;

	if (mdtp_cfg->enable_local_pin_authentication)
	{
		dprintf(SPEW, "mdtp: display_recovery_ui: Local deactivation enabled\n");

		pin_length = strlen(mdtp_cfg->mdtp_pin.mdtp_pin);

		if (pin_length > MDTP_MAX_PIN_LEN || pin_length < MDTP_MIN_PIN_LEN)
		{
			dprintf(CRITICAL, "mdtp: display_recovery_ui: Error, invalid PIN length\n");
			display_error_msg(); /* This will never return */
		}

		// Initial entry is a string of '0' of the configured length (terminator already in place)
		memset(entered_pin, '0', pin_length);

		// Allow the user to enter the PIN as many times as he wishes
		// (with INVALID_PIN_DELAY_MSECONDS after each failed attempt)
		for (;;)
		{
			get_pin_from_user(entered_pin, pin_length);

			// Compare every digit regardless of earlier mismatches, so that the
			// comparison time does not depend on where the first difference is
			pin_mismatch = 0;
			for (idx = 0; idx < pin_length; idx++)
			{
				pin_mismatch |= mdtp_cfg->mdtp_pin.mdtp_pin[idx] ^ entered_pin[idx];
			}

			if (pin_mismatch == 0)
			{
				break;
			}

			// Invalid PIN - display an appropriate message (which also includes a wait
			// for INVALID_PIN_DELAY_MSECONDS), and allow the user to try again
			dprintf(CRITICAL, "mdtp: display_recovery_ui: ERROR, invalid PIN\n");
			display_invalid_pin_msg();
		}

		// Valid PIN - deactivate and continue boot
		dprintf(SPEW, "mdtp: display_recovery_ui: valid PIN, continue boot\n");
		write_deactivated_DIP();
	}
	else
	{
		dprintf(CRITICAL, "mdtp: display_recovery_ui: Local deactivation disabled, unable to display recovery UI\n");
		display_error_msg(); /* This will never return */
	}

	free_mdtp_image();
}
| 448 | |
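/* Verify the boot or recovery partition using boot_verifier.
 *
 * If aboot already verified the image (integrity_state VALID or INVALID), that
 * result is returned as-is. Otherwise the image at ext_partition->image_addr is
 * verified here: the trailing signature page is read from the partition when it
 * is not already in memory, then boot_verify_image() is run.
 *
 * boot_verifier refuses to verify while in the ORANGE state, so the state is
 * temporarily moved to BOOT_INIT and restored (DEV_UNLOCK) on every exit path
 * after that point -- including the error paths, which previously returned
 * without restoring it.
 *
 * @return 0 when the image is verified, -1 on any failure.
 *
 * NOTE(review): image_addr + image_size is not checked for 32-bit wrap before
 * the overlap test and the signature read -- confirm the producer bounds image_size.
 */
static int verify_ext_partition(mdtp_ext_partition_verification_t *ext_partition)
{
	int ret = 0;    /* boot_verify_image() result: non-zero means verified */
	bool restore_to_orange = false;
	unsigned long long ptn = 0;
	int index = INVALID_PTN;
	char *name;
	char *verify_path;

	ASSERT(ext_partition != NULL);

	/* Resolve the partition names once instead of repeating the ternary. */
	name = ext_partition->partition == MDTP_PARTITION_BOOT ? "boot" : "recovery";
	verify_path = ext_partition->partition == MDTP_PARTITION_BOOT ? "/boot" : "/recovery";

	/* If image was already verified in aboot, return its status */
	if (ext_partition->integrity_state == MDTP_PARTITION_STATE_INVALID)
	{
		dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verified externally and failed.\n", name);
		return -1;
	}
	else if (ext_partition->integrity_state == MDTP_PARTITION_STATE_VALID)
	{
		dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verified externally succesfully.\n", name);
		return 0;
	}

	/* If image was not verified in aboot, verify it ourselves using boot_verifier. */

	/* 1) Initialize keystore. We don't care about return value which is Verified Boot's state machine state. */
	boot_verify_keystore_init();

	/* 2) If boot_verifier is ORANGE, it will prevent verifying an image. So
	 * temporarily change boot_verifier state to BOOT_INIT. From here on, every
	 * exit goes through 'out' so that the state is restored.
	 */
	if (boot_verify_get_state() == ORANGE)
		restore_to_orange = true;
	boot_verify_send_event(BOOT_INIT);

	switch (ext_partition->partition)
	{
	case MDTP_PARTITION_BOOT:
	case MDTP_PARTITION_RECOVERY:

		/* 3) Signature may or may not be at the end of the image. Read the signature if needed. */
		if (!ext_partition->sig_avail)
		{
			if (check_aboot_addr_range_overlap((uint32_t)(ext_partition->image_addr + ext_partition->image_size), ext_partition->page_size))
			{
				dprintf(CRITICAL, "ERROR: Signature read buffer address overlaps with aboot addresses.\n");
				goto out;
			}

			index = partition_get_index(name);
			ptn = partition_get_offset(index);
			if(ptn == 0) {
				dprintf(CRITICAL, "ERROR: partition %s not found\n", name);
				goto out;
			}

			if(mmc_read(ptn + ext_partition->image_size, (void *)(ext_partition->image_addr + ext_partition->image_size), ext_partition->page_size))
			{
				dprintf(CRITICAL, "ERROR: Cannot read %s image signature\n", name);
				goto out;
			}
		}

		/* 4) Verify the image using its signature. */
		ret = boot_verify_image((unsigned char *)ext_partition->image_addr,
								ext_partition->image_size,
								verify_path);
		break;

	default:
		/* Only boot and recovery are legal here */
		dprintf(CRITICAL, "ERROR: wrong partition %d\n", ext_partition->partition);
		goto out;
	}

	if (ret)
	{
		dprintf(INFO, "mdtp: verify_ext_partition: image %s verified succesfully in MDTP.\n", name);
	}
	else
	{
		dprintf(CRITICAL, "mdtp: verify_ext_partition: image %s verification failed in MDTP.\n", name);
	}

out:
	/* 5) Restore the right boot_verifier state upon exit. */
	if (restore_to_orange)
	{
		boot_verify_send_event(DEV_UNLOCK);
	}

	/* ret is still 0 on every error path above, so those all map to -1. */
	return ret ? 0 : -1;
}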
| 544 | |
/* Verify all protected partitions according to the DIP.
 *
 * *verify_result is set to VERIFY_FAILED up front, to VERIFY_SKIPPED when the
 * DIP is deactivated, and to VERIFY_OK only when every lock-enabled partition
 * with a non-zero size passes verify_partition() and the external
 * (boot/recovery) image passes verify_ext_partition(). On full success
 * is_mdtp_activated is set to 1.
 *
 * NOTE(review): total_num_blocks is computed as (size - 1) / MDTP_FWLOCK_BLOCK_SIZE
 * with no "+ 1", unlike verify_partition_block_hash, so a 100% verify_ratio
 * requests one block fewer than the block count -- confirm this is intended.
 */
static void verify_all_partitions(DIP_t *dip,
								  mdtp_ext_partition_verification_t *ext_partition,
								  verify_result_t *verify_result)
{
	int idx;
	int verify_failure = 0;
	int ext_partition_verify_failure = 0;

	ASSERT(dip != NULL);
	ASSERT(verify_result != NULL);

	*verify_result = VERIFY_FAILED;

	if (validate_dip(dip))
	{
		dprintf(CRITICAL, "mdtp: verify_all_partitions: failed DIP validation\n");
		return;
	}

	if (dip->status == DIP_STATUS_DEACTIVATED)
	{
		*verify_result = VERIFY_SKIPPED;
		return;
	}

	for (idx = 0; idx < MAX_PARTITIONS; idx++)
	{
		uint32_t total_num_blocks;
		uint32_t verify_num_blocks;

		/* Only lock-enabled partitions with a size are protected. */
		if (!dip->partition_cfg[idx].lock_enabled || !dip->partition_cfg[idx].size)
		{
			continue;
		}

		if (validate_partition_params(dip->partition_cfg[idx].size,
									  dip->partition_cfg[idx].hash_mode,
									  dip->partition_cfg[idx].verify_ratio))
		{
			dprintf(CRITICAL, "mdtp: verify_all_partitions: Wrong partition parameters\n");
			verify_failure = TRUE;
			break;
		}

		total_num_blocks = ((dip->partition_cfg[idx].size - 1) / MDTP_FWLOCK_BLOCK_SIZE);
		verify_num_blocks = (dip->partition_cfg[idx].verify_ratio * total_num_blocks) / 100;

		verify_failure |= (verify_partition(dip->partition_cfg[idx].name,
											dip->partition_cfg[idx].size,
											dip->partition_cfg[idx].hash_mode,
											verify_num_blocks,
											dip->partition_cfg[idx].hash_table,
											dip->partition_cfg[idx].force_verify_block) != 0);
	}

	/* The external image is checked even when an internal partition already failed. */
	ext_partition_verify_failure = verify_ext_partition(ext_partition);

	if (verify_failure || ext_partition_verify_failure)
	{
		dprintf(CRITICAL, "mdtp: verify_all_partitions: Failed partition verification\n");
		return;
	}

	is_mdtp_activated = 1;
	*verify_result = VERIFY_OK;
}
| 610 | |
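/* Zero a buffer that held sensitive material (decrypted DIP, MDTP config).
 *
 * Written through a volatile pointer so the stores cannot be dropped as dead:
 * a plain memset() immediately before free() or before a local goes out of
 * scope may be optimised away, leaving the plaintext in memory.
 *
 * @param buf  Buffer to clear.
 * @param len  Number of bytes to clear.
 */
static void mdtp_zero_sensitive(void *buf, size_t len)
{
	volatile unsigned char *p = (volatile unsigned char *)buf;

	while (len > 0)
	{
		*p++ = 0;
		len--;
	}
}

/* Verify the DIP and all protected partitions.
 *
 * Reads the encrypted DIP from the DIP partition, has it decrypted and
 * integrity-checked (mdtp_tzbsp_dec_verify_DIP), then verifies every
 * protected partition plus the externally verified one.  Any failure up to
 * and including DIP integrity halts via display_error_msg(); a failed
 * partition verification hands the MDTP config to display_recovery_ui().
 * Both DIP buffers are freed before return; the decrypted DIP and the local
 * config copy are scrubbed first.
 *
 * @param ext_partition  Verification info for the boot/recovery partition,
 *                       passed through to verify_all_partitions().
 */
static void validate_DIP_and_firmware(mdtp_ext_partition_verification_t *ext_partition)
{
	int ret;
	DIP_t *enc_dip;
	DIP_t *dec_dip;
	uint32_t verified = 0;
	verify_result_t verify_result;
	uint32_t block_size = mmc_get_device_blocksize();
	mdtp_cfg_t mdtp_cfg;

	/* Buffers are rounded up to the MMC block size, presumably because
	 * read_DIP() does block-sized device I/O into enc_dip. */
	enc_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size));
	if (enc_dip == NULL)
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n");
		display_error_msg(); /* This will never return */
	}

	dec_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size));
	if (dec_dip == NULL)
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n");
		free(enc_dip);
		display_error_msg(); /* This will never return */
	}

	/* Read the DIP holding the MDTP Firmware Lock state from the DIP partition */
	ret = read_DIP(enc_dip);
	if (ret < 0)
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot read DIP\n");
		display_error_msg(); /* This will never return */
	}

	/* Decrypt and verify the integrity of the DIP */
	ret = mdtp_tzbsp_dec_verify_DIP(enc_dip, dec_dip, &verified);
	if (ret < 0)
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot verify DIP\n");
		display_error_msg(); /* This will never return */
	}

	/* In case DIP integrity verification fails, notify the user and halt */
	if (!verified)
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted DIP\n");
		display_error_msg(); /* This will never return */
	}

	/* Verify the integrity of the partitions which are protected, according to the content of the DIP */
	verify_all_partitions(dec_dip, ext_partition, &verify_result);

	/* Keep only the config the recovery UI needs, then scrub the decrypted DIP.
	 * dec_dip is freed below, so a plain memset() here could be elided. */
	mdtp_cfg = dec_dip->mdtp_cfg;
	mdtp_zero_sensitive(dec_dip, sizeof(DIP_t));

	if (verify_result == VERIFY_OK)
	{
		dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify OK\n");
	}
	else if (verify_result == VERIFY_SKIPPED)
	{
		dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify skipped\n");
	}
	else /* VERIFY_FAILED */
	{
		dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted firmware\n");
		display_recovery_ui(&mdtp_cfg);
	}

	/* The config copy lives on the stack; scrub it before it goes out of scope */
	mdtp_zero_sensitive(&mdtp_cfg, sizeof(mdtp_cfg));

	free(enc_dip);
	free(dec_dip);

	return;
}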
| 689 | |
| 690 | /********************************************************************************/ |
| 691 | |
/** Entry point of the MDTP Firmware Lock.
 * If needed, verify the DIP and all protected partitions.
 * Allow passing information about partition verified using an external method
 * (either boot or recovery). For boot and recovery, either use aboot's
 * verification result, or use boot_verifier APIs to verify internally.
 *
 * is_mdtp_activated is reset to 0 first, so mdtp_activated() only reports 1
 * after a complete, successful verification.  Verification runs only when the
 * MDTP eFuse reports it enabled; a NULL ext_partition or an unreadable fuse
 * halts via display_error_msg().  Afterwards the CIPHER_DIP SCM call is
 * disallowed, except when booting recovery, which disallows it itself.
 **/
void mdtp_fwlock_verify_lock(mdtp_ext_partition_verification_t *ext_partition)
{
	bool enabled;

	/* Default until proven otherwise: MDTP not activated */
	is_mdtp_activated = 0;

	if (ext_partition == NULL)
	{
		dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, external partition is NULL\n");
		display_error_msg(); /* This will never return */
	}
	else
	{
		if (mdtp_fuse_get_enabled(&enabled))
		{
			dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, cannot get enabled fuse\n");
			display_error_msg(); /* This will never return */
		}

		/* Firmware Lock verification only applies when enabled by eFuse */
		if (enabled)
		{
			/* Verification failures are handled via the UI inside */
			validate_DIP_and_firmware(ext_partition);
		}
	}

	/* Disallow the CIPHER_DIP SCM call from here on, unless booting recovery:
	 * the recovery image disallows it by itself. */
	if (ext_partition->partition != MDTP_PARTITION_RECOVERY)
	{
		mdtp_tzbsp_disallow_cipher_DIP();
	}
}
Shay Nachmani | bc10dfe | 2015-02-10 14:45:55 +0200 | [diff] [blame] | 736 | /********************************************************************************/ |
| 737 | |
/** Indicates whether the MDTP is currently in ACTIVATED state.
 *
 * @param activated  Receives 1 when MDTP is activated, 0 otherwise.
 * @return 0 on success; the negative value of is_mdtp_activated when
 *         mdtp_fwlock_verify_lock() has not run yet (presumably the
 *         file-scope initial value — not visible here).
 **/
int mdtp_activated(bool * activated)
{
	int state = is_mdtp_activated;

	/* Negative means no verification has happened: report that, not a state */
	if (state < 0)
	{
		return state;
	}

	*activated = state;
	return 0;
}
Amit Blay | 6281ebc | 2015-01-11 14:44:08 +0200 | [diff] [blame] | 748 | |
| 749 | /********************************************************************************/ |
| 750 | |
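/* Decrypt a given DIP and verify its integrity.
 *
 * enc_dip is handed to the DIP cipher (mdtp_cipher_dip_cmd, presumably the
 * CIPHER_DIP SCM call into TZ) and the plaintext lands in dec_dip; the
 * buffers are cleaned/invalidated around the call because the cipher runs
 * outside this core's cache.  The plaintext is then hashed with SHA-256 over
 * everything except the trailing hash field and compared with the stored hash.
 *
 * @param enc_dip   Encrypted DIP as read from the partition.
 * @param dec_dip   Receives the decrypted DIP; zeroed again if the cipher
 *                  call fails or the hash does not match.
 * @param verified  Set to 1 when the hash matches, 0 otherwise.
 * @return 0 when the cipher call succeeded (check *verified), -1 otherwise.
 */
static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified)
{
	unsigned char hash[HASH_LEN];
	/* Scratch for the hash_find() workaround below; zero-initialised so the
	 * dummy call never hashes indeterminate stack contents. */
	unsigned char buf[HASH_LEN] = {0};
	unsigned char digest[HASH_LEN];
	SHA256_CTX sha256_ctx;
	int ret;

	ASSERT(enc_dip != NULL);
	ASSERT(dec_dip != NULL);
	ASSERT(verified != NULL);

	/* Push enc_dip out to memory and drop stale lines over dec_dip before
	 * another agent touches them */
	arch_clean_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t));
	arch_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t));

	/* workaround: Dummy call to hash_find prevents a boot loop when using the CE from TZ */
	hash_find(buf, HASH_LEN, digest, CRYPTO_AUTH_ALG_SHA1);

	ret = mdtp_cipher_dip_cmd((uint8_t*)enc_dip, sizeof(DIP_t),
								(uint8_t*)dec_dip, sizeof(DIP_t),
								DIP_DECRYPT);
	if (ret)
	{
		dprintf(CRITICAL, "mdtp: mdtp_tzbsp_dec_verify_DIP: ERROR, cannot cipher DIP\n");
		*verified = 0;
		/* Do not leave a partially written plaintext behind */
		memset(dec_dip, 0, sizeof(DIP_t));
		return -1;
	}

	/* dec_dip was written behind this core's cache; invalidate before reading */
	arch_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t));

	/* Hash everything but the trailing hash field.
	 * NOTE(review): assumes `hash` is the last HASH_LEN bytes of DIP_t —
	 * confirm against the struct definition. */
	SHA256_Init(&sha256_ctx);
	SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN);
	SHA256_Final(hash, &sha256_ctx);

	/* memcmp() is not constant-time.  The compared value is an integrity hash
	 * of data that is already readable, so the leakage is low value, but a
	 * constant-time compare would be the conservative choice. */
	if (memcmp(hash, dec_dip->hash, HASH_LEN) != 0)
	{
		*verified = 0;
		memset(dec_dip, 0, sizeof(DIP_t));
	}
	else
	{
		*verified = 1;
	}

	return 0;
}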
| 798 | |
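/* Encrypt a given DIP and calculate its integrity information.
 *
 * Computes SHA-256 over dec_dip (everything except the trailing hash field)
 * and stores it in dec_dip->hash, so dec_dip is modified in place, then hands
 * dec_dip to the DIP cipher (mdtp_cipher_dip_cmd, presumably the CIPHER_DIP
 * SCM call into TZ) with enc_dip as the output.  Cache maintenance brackets
 * the call because the cipher runs outside this core's cache.
 *
 * @param dec_dip  Plaintext DIP; its hash field is overwritten here.
 * @param enc_dip  Receives the encrypted DIP.
 * @return 0 on success, -1 when the cipher call fails (enc_dip is then
 *         unspecified; it is not cleared here).
 */
static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip)
{
	/* Scratch for the hash_find() workaround below; zero-initialised so the
	 * dummy call never hashes indeterminate stack contents. */
	unsigned char buf[HASH_LEN] = {0};
	unsigned char digest[HASH_LEN];
	SHA256_CTX sha256_ctx;
	int ret;

	ASSERT(dec_dip != NULL);
	ASSERT(enc_dip != NULL);

	/* NOTE(review): assumes `hash` is the last HASH_LEN bytes of DIP_t —
	 * confirm against the struct definition. */
	SHA256_Init(&sha256_ctx);
	SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN);
	SHA256_Final(dec_dip->hash, &sha256_ctx);

	/* Push dec_dip (now carrying its hash) out to memory and drop stale lines
	 * over enc_dip before another agent touches them */
	arch_clean_invalidate_cache_range((addr_t)dec_dip, sizeof(DIP_t));
	arch_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t));

	/* workaround: Dummy call to hash_find prevents a boot loop when using the CE from TZ */
	hash_find(buf, HASH_LEN, digest, CRYPTO_AUTH_ALG_SHA1);

	ret = mdtp_cipher_dip_cmd((uint8_t*)dec_dip, sizeof(DIP_t),
								(uint8_t*)enc_dip, sizeof(DIP_t),
								DIP_ENCRYPT);
	if (ret)
	{
		dprintf(CRITICAL, "mdtp: mdtp_tzbsp_enc_hash_DIP: ERROR, cannot cipher DIP\n");
		return -1;
	}

	/* enc_dip was written behind this core's cache; invalidate before use */
	arch_invalidate_cache_range((addr_t)enc_dip, sizeof(DIP_t));

	return 0;
}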
Amit Blay | 4aa292f | 2015-04-28 21:55:59 +0300 | [diff] [blame] | 832 | |
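/* Disallow the CIPHER_DIP SCM call.
 *
 * The call is presumably refused after MAX_CIPHER_DIP_SCM_CALLS invocations,
 * so the remaining budget is consumed here with throw-away encrypt calls on a
 * scratch DIP.  Because this is what withdraws the DIP cipher service for the
 * rest of the boot, an allocation failure is treated like the other fatal
 * MDTP errors in this file (see validate_DIP_and_firmware): log and halt via
 * display_error_msg() instead of returning with the call still allowed.
 */
static void mdtp_tzbsp_disallow_cipher_DIP(void)
{
	DIP_t *dip;
	int i;

	dip = malloc(sizeof(DIP_t));
	if (dip == NULL)
	{
		dprintf(CRITICAL, "mdtp: mdtp_tzbsp_disallow_cipher_DIP: ERROR, cannot allocate DIP\n");
		/* Fail closed: do not leave CIPHER_DIP reachable for this boot */
		display_error_msg(); /* This will never return */
		return;
	}

	/* Scratch only; zero it rather than hand indeterminate heap bytes to the cipher */
	memset(dip, 0, sizeof(DIP_t));

	/* Disallow the CIPHER_DIP SCM by calling it MAX_CIPHER_DIP_SCM_CALLS times */
	for (i = 0; i < MAX_CIPHER_DIP_SCM_CALLS; i++)
	{
		/* Return value intentionally ignored: the point is the number of
		 * calls, not their result. */
		(void)mdtp_tzbsp_enc_hash_DIP(dip, dip);
	}

	free(dip);
}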