Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 8e2731cb7560c4b1a62e7d1cd393625c0ff29e10 / . / app / aboot / mdtp.c
blob: 5c5782ac5b43a42e7fac00968108ae78730fc2e2 [file] [log] [blame]
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]1/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
2 *
3 * Redistribution and use in source and binary forms, with or without
4 * modification, are permitted provided that the following conditions are
5 * met:
6 * * Redistributions of source code must retain the above copyright
7 * notice, this list of conditions and the following disclaimer.
8 * * Redistributions in binary form must reproduce the above
9 * copyright notice, this list of conditions and the following
10 * disclaimer in the documentation and/or other materials provided
11 * with the distribution.
12 * * Neither the name of The Linux Foundation nor the names of its
13 * contributors may be used to endorse or promote products derived
14 * from this software without specific prior written permission.
15 *
16 * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
17 * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
18 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
20 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
21 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
22 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
23 * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
24 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
25 * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
26 * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
27 */
28
29#include <debug.h>
30#include <dev/fbcon.h>
31#include <target.h>
32#include <mmc.h>
33#include <partition_parser.h>
34#include <platform.h>
35#include <crypto_hash.h>
36#include <malloc.h>
37#include <sha.h>
38#include <string.h>
39#include <rand.h>
40#include <stdlib.h>
41#include "scm.h"
42#include "mdtp.h"
43
44#define DIP_ENCRYPT 0
45#define DIP_DECRYPT 1
46
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]47#define MDTP_MAJOR_VERSION (0)
48#define MDTP_MINOR_VERSION (2)
49
50/** Extract major version number from complete version. */
51#define MDTP_GET_MAJOR_VERSION(version) ((version) >> 16)
52
53static int is_mdtp_activated = -1;
54
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]55static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified);
56static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]57
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]58uint32_t g_mdtp_version = (((MDTP_MAJOR_VERSION << 16) & 0xFFFF0000) | (MDTP_MINOR_VERSION & 0x0000FFFF));
59
60int scm_random(uint32_t * rbuf, uint32_t r_len);
61int check_aboot_addr_range_overlap(uint32_t start, uint32_t size);
62
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]63/********************************************************************************/
64
65/* Read the DIP from EMMC */
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]66static int read_DIP(DIP_t *dip)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]67{
68 unsigned long long ptn = 0;
69 uint32_t actual_partition_size;
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]70 uint32_t block_size = mmc_get_device_blocksize();
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]71
72 int index = INVALID_PTN;
73
74 ASSERT(dip != NULL);
75
76 index = partition_get_index("dip");
77 ptn = partition_get_offset(index);
78
79 if(ptn == 0)
80 {
81 return -1;
82 }
83
84 actual_partition_size = ROUNDUP(sizeof(DIP_t), block_size);
85
86 if(mmc_read(ptn, (void *)dip, actual_partition_size))
87 {
88 dprintf(CRITICAL, "mdtp: read_DIP: ERROR, cannot read DIP info\n");
89 return -1;
90 }
91
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]92 dprintf(SPEW, "mdtp: read_DIP: SUCCESS, read %d bytes\n", actual_partition_size);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]93
94 return 0;
95}
96
97/* Store the DIP into the EMMC */
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]98static int write_DIP(DIP_t *dip)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]99{
100 unsigned long long ptn = 0;
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]101 uint32_t block_size = mmc_get_device_blocksize();
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]102
103 int index = INVALID_PTN;
104
105 ASSERT(dip != NULL);
106
107 index = partition_get_index("dip");
108 ptn = partition_get_offset(index);
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]109
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]110 if(ptn == 0)
111 {
112 return -1;
113 }
114
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]115 if(mmc_write(ptn, ROUNDUP(sizeof(DIP_t), block_size), (void *)dip))
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]116 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]117 dprintf(CRITICAL, "mdtp: write_DIP: ERROR, cannot write DIP info\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]118 return -1;
119 }
120
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]121 dprintf(SPEW, "mdtp: write_DIP: SUCCESS, write %d bytes\n", ROUNDUP(sizeof(DIP_t), block_size));
122
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]123 return 0;
124}
125
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]126/* Deactivate MDTP by storing the default DIP into the EMMC */
127static void write_deactivated_DIP()
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]128{
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]129 DIP_t *enc_dip;
130 DIP_t *dec_dip;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]131 int ret;
132
133 enc_dip = malloc(sizeof(DIP_t));
134 if (enc_dip == NULL)
135 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]136 dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]137 return;
138 }
139
140 dec_dip = malloc(sizeof(DIP_t));
141 if (dec_dip == NULL)
142 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]143 dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot allocate DIP\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]144 free(enc_dip);
145 return;
146 }
147
148 memset(dec_dip, 0, sizeof(DIP_t));
149
150 dec_dip->status = DIP_STATUS_DEACTIVATED;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]151 dec_dip->version = g_mdtp_version;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]152
153 ret = mdtp_tzbsp_enc_hash_DIP(dec_dip, enc_dip);
154 if(ret < 0)
155 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]156 dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot cipher DIP\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]157 goto out;
158 }
159
160 ret = write_DIP(enc_dip);
161 if(ret < 0)
162 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]163 dprintf(CRITICAL, "mdtp: write_deactivated_DIP: ERROR, cannot write DIP\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]164 goto out;
165 }
166
167out:
168 free(enc_dip);
169 free(dec_dip);
170}
171
172/* Validate a hash calculated on entire given partition */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]173static int verify_partition_single_hash(char *name, uint64_t size, DIP_hash_table_entry_t *hash_table)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]174{
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]175 unsigned char digest[HASH_LEN]={0};
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]176 unsigned long long ptn = 0;
177 int index = INVALID_PTN;
178 unsigned char *buf = (unsigned char *)target_get_scratch_address();
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]179 uint32_t block_size = mmc_get_device_blocksize();
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]180 uint64_t actual_partition_size = ROUNDUP(size, block_size);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]181
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]182 dprintf(SPEW, "mdtp: verify_partition_single_hash: %s, %llu\n", name, size);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]183
184 ASSERT(name != NULL);
185 ASSERT(hash_table != NULL);
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]186 ASSERT(size > 0);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]187
188 index = partition_get_index(name);
189 ptn = partition_get_offset(index);
190
191 if(ptn == 0) {
192 dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: partition was not found\n", name);
193 return -1;
194 }
195
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]196 if (mmc_read(ptn, (void *)buf, actual_partition_size))
197 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]198 dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: mmc_read() fail.\n", name);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]199 return -1;
200 }
201
Amit Blayfe649212015-01-25 11:21:10 +0200[diff] [blame]202 /* calculating the hash value using HW crypto */
203 target_crypto_init_params();
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]204 hash_find(buf, size, digest, CRYPTO_AUTH_ALG_SHA256);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]205
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]206 if (memcmp(digest, hash_table->hash, HASH_LEN))
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]207 {
208 dprintf(CRITICAL, "mdtp: verify_partition_single_hash: %s: Failed partition hash verification\n", name);
209
210 return -1;
211 }
212
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]213 dprintf(SPEW, "verify_partition_single_hash: %s: VERIFIED!\n", name);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]214
215 return 0;
216}
217
218/* Validate a hash table calculated per block of a given partition */
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]219static int verify_partition_block_hash(char *name,
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]220 uint64_t size,
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]221 uint32_t verify_num_blocks,
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]222 DIP_hash_table_entry_t *hash_table,
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]223 uint8_t *force_verify_block)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]224{
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]225 unsigned char digest[HASH_LEN]={0};
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]226 unsigned long long ptn = 0;
227 int index = INVALID_PTN;
228 unsigned char *buf = (unsigned char *)target_get_scratch_address();
229 uint32_t bytes_to_read;
230 uint32_t block_num = 0;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]231 uint32_t total_num_blocks = ((size - 1) / MDTP_FWLOCK_BLOCK_SIZE) + 1;
232 uint32_t rand_int;
233 uint32_t block_size = mmc_get_device_blocksize();
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]234
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]235 dprintf(SPEW, "mdtp: verify_partition_block_hash: %s, %llu\n", name, size);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]236
237 ASSERT(name != NULL);
238 ASSERT(hash_table != NULL);
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]239 ASSERT(size > 0);
240 ASSERT(force_verify_block != NULL);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]241
242 index = partition_get_index(name);
243 ptn = partition_get_offset(index);
244
245 if(ptn == 0) {
246 dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: partition was not found\n", name);
247 return -1;
248 }
249
Amit Blayfe649212015-01-25 11:21:10 +0200[diff] [blame]250 /* initiating parameters for hash calculation using HW crypto */
251 target_crypto_init_params();
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]252 if (check_aboot_addr_range_overlap((uint32_t)buf, ROUNDUP(MDTP_FWLOCK_BLOCK_SIZE, block_size)))
253 {
254 dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: image buffer address overlaps with aboot addresses.\n", name);
255 return -1;
256 }
Amit Blayfe649212015-01-25 11:21:10 +0200[diff] [blame]257
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]258 while (MDTP_FWLOCK_BLOCK_SIZE * block_num < size)
259 {
260 if (*force_verify_block == 0)
261 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]262 if(scm_random((uint32_t *)&rand_int, sizeof(rand_int)))
263 {
264 dprintf(CRITICAL,"mdtp: scm_call for random failed\n");
265 return -1;
266 }
267
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]268 /* Skip validation of this block with probability of verify_num_blocks / total_num_blocks */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]269 if ((rand_int % total_num_blocks) >= verify_num_blocks)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]270 {
271 block_num++;
272 hash_table += 1;
273 force_verify_block += 1;
274 dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: skipped verification of block %d\n", name, block_num);
275 continue;
276 }
277 }
278
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]279 if ((size - (MDTP_FWLOCK_BLOCK_SIZE * block_num) < MDTP_FWLOCK_BLOCK_SIZE))
280 {
281 bytes_to_read = size - (MDTP_FWLOCK_BLOCK_SIZE * block_num);
282 } else
283 {
284 bytes_to_read = MDTP_FWLOCK_BLOCK_SIZE;
285 }
286
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]287 if (mmc_read(ptn + (MDTP_FWLOCK_BLOCK_SIZE * block_num), (void *)buf, ROUNDUP(bytes_to_read, block_size)))
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]288 {
289 dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: mmc_read() fail.\n", name);
290 return -1;
291 }
292
Amit Blayfe649212015-01-25 11:21:10 +0200[diff] [blame]293 /* calculating the hash value using HW */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]294 hash_find(buf, bytes_to_read, digest, CRYPTO_AUTH_ALG_SHA256);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]295
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]296 if (memcmp(digest, hash_table->hash, HASH_LEN))
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]297 {
298 dprintf(CRITICAL, "mdtp: verify_partition_block_hash: %s: Failed partition hash[%d] verification\n", name, block_num);
299 return -1;
300 }
301
302 block_num++;
303 hash_table += 1;
304 force_verify_block += 1;
305 }
306
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]307 dprintf(SPEW, "verify_partition_block_hash: %s: VERIFIED!\n", name);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]308
309 return 0;
310}
311
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]312/* Validate the partition parameters read from DIP */
313static int validate_partition_params(uint64_t size,
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]314 mdtp_fwlock_mode_t hash_mode,
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]315 uint32_t verify_ratio)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]316{
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]317 if (size == 0 || size > (uint64_t)MDTP_FWLOCK_BLOCK_SIZE * (uint64_t)MAX_BLOCKS ||
318 hash_mode >= MDTP_FWLOCK_MODE_SIZE || verify_ratio > 100)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]319 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]320 dprintf(CRITICAL, "mdtp: validate_partition_params: error, size=%llu, hash_mode=%d, verify_ratio=%d\n",
321 size, hash_mode, verify_ratio);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]322 return -1;
323 }
324
325 return 0;
326}
327
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]328/* Verify a given partitinon */
329static int verify_partition(char *name,
330 uint64_t size,
331 mdtp_fwlock_mode_t hash_mode,
332 uint32_t verify_num_blocks,
333 DIP_hash_table_entry_t *hash_table,
334 uint8_t *force_verify_block)
335{
336 if (hash_mode == MDTP_FWLOCK_MODE_SINGLE)
337 {
338 return verify_partition_single_hash(name, size, hash_table);
339 } else if (hash_mode == MDTP_FWLOCK_MODE_BLOCK || hash_mode == MDTP_FWLOCK_MODE_FILES)
340 {
341 return verify_partition_block_hash(name, size, verify_num_blocks, hash_table, force_verify_block);
342 }
343
344 /* Illegal value of hash_mode */
345 return -1;
346}
347
348static int validate_dip(DIP_t *dip)
349{
350 uint8_t *dip_p;
351
352 ASSERT(dip != NULL);
353
354 /* Make sure DIP version is supported by current SW */
355 if (MDTP_GET_MAJOR_VERSION(dip->version) != MDTP_MAJOR_VERSION)
356 {
357 dprintf(CRITICAL, "mdtp: validate_dip: Wrong DIP version 0x%x\n", dip->version);
358 return -1;
359 }
360
361 /* Make sure that deactivated DIP content is as expected */
362 if (dip->status == DIP_STATUS_DEACTIVATED)
363 {
364 dip_p = (uint8_t*)&dip->mdtp_cfg;
365 while (dip_p < dip->hash)
366 {
367 if (*dip_p != 0)
368 {
369 dprintf(CRITICAL, "mdtp: validate_dip: error in deactivated DIP\n");
370 return -1;
371 }
372 dip_p++;
373 }
374 }
375
376 return 0;
377}
378
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]379/* Display the recovery UI to allow the user to enter the PIN and continue boot */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]380static void display_recovery_ui(DIP_t *dip)
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]381{
382 uint32_t pin_length = 0;
383 char entered_pin[MDTP_MAX_PIN_LEN+1] = {0};
384 uint32_t i;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]385 char pin_mismatch = 0;
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]386
387 if (dip->mdtp_cfg.enable_local_pin_authentication)
388 {
389 dprintf(SPEW, "mdtp: display_recovery_ui: Local deactivation enabled\n");
390
391 pin_length = strlen(dip->mdtp_cfg.mdtp_pin.mdtp_pin);
392
393 if (pin_length > MDTP_MAX_PIN_LEN || pin_length < MDTP_MIN_PIN_LEN)
394 {
395 dprintf(CRITICAL, "mdtp: display_recovery_ui: Error, invalid PIN length\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]396 display_error_msg(); /* This will never return */
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]397 }
398
399 // Set entered_pin to initial '0' string + null terminator
400 for (i=0; i<pin_length; i++)
401 {
402 entered_pin[i] = '0';
403 }
404
405 // Allow the user to enter the PIN as many times as he wishes
406 // (with INVALID_PIN_DELAY_MSECONDS after each failed attempt)
407 while (1)
408 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]409 get_pin_from_user(entered_pin, pin_length);
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]410
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]411 // Go over the entire PIN in any case, to prevent side-channel attacks
412 for (i=0; i<pin_length; i++)
413 {
414 pin_mismatch |= dip->mdtp_cfg.mdtp_pin.mdtp_pin[i] ^ entered_pin[i];
415 }
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]416
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]417 if (0 == pin_mismatch)
418 {
419 // Valid PIN - deactivate and continue boot
420 dprintf(SPEW, "mdtp: display_recovery_ui: valid PIN, continue boot\n");
421 write_deactivated_DIP();
422 return;
423 }
424 else
425 {
426 // Invalid PIN - display an appropriate message (which also includes a wait
427 // for INVALID_PIN_DELAY_MSECONDS), and allow the user to try again
428 dprintf(CRITICAL, "mdtp: display_recovery_ui: ERROR, invalid PIN\n");
429 display_invalid_pin_msg();
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]430
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]431 pin_mismatch = 0;
432 }
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]433 }
434 }
435 else
436 {
437 dprintf(CRITICAL, "mdtp: display_recovery_ui: Local deactivation disabled, unable to display recovery UI\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]438 display_error_msg(); /* This will never return */
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]439 }
440}
441
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]442/* Verify all protected partitinons according to the DIP */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]443static void verify_all_partitions(DIP_t *dip, verify_result_t *verify_result)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]444{
445 int i;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]446 bool verify_failure = FALSE;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]447 uint32_t total_num_blocks;
448
449 ASSERT(dip != NULL);
450 ASSERT(verify_result != NULL);
451
452 *verify_result = VERIFY_FAILED;
453
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]454 if (validate_dip(dip))
455 {
456 dprintf(CRITICAL, "mdtp: verify_all_partitions: failed DIP validation\n");
457 return;
458 }
459
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]460 if (dip->status == DIP_STATUS_DEACTIVATED)
461 {
462 *verify_result = VERIFY_SKIPPED;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]463 return;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]464 }
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]465 else
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]466 {
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]467 for(i=0; i<MAX_PARTITIONS; i++)
468 {
469 if(dip->partition_cfg[i].lock_enabled && dip->partition_cfg[i].size)
470 {
471 total_num_blocks = ((dip->partition_cfg[i].size - 1) / MDTP_FWLOCK_BLOCK_SIZE);
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]472 if (validate_partition_params(dip->partition_cfg[i].size,
473 dip->partition_cfg[i].hash_mode,
474 dip->partition_cfg[i].verify_ratio))
475 {
476 dprintf(CRITICAL, "mdtp: verify_all_partitions: Wrong partition parameters\n");
477 verify_failure = TRUE;
478 break;
479 }
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]480
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]481 verify_failure |= (verify_partition(dip->partition_cfg[i].name,
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]482 dip->partition_cfg[i].size,
483 dip->partition_cfg[i].hash_mode,
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]484 (dip->partition_cfg[i].verify_ratio * total_num_blocks) / 100,
485 dip->partition_cfg[i].hash_table,
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]486 dip->partition_cfg[i].force_verify_block) != 0);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]487 }
488 }
489
490 if (verify_failure)
491 {
492 dprintf(CRITICAL, "mdtp: verify_all_partitions: Failed partition verification\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]493 return;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]494 }
Shay Nachmanibc10dfe2015-02-10 14:45:55 +0200[diff] [blame]495 is_mdtp_activated = 1;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]496
497 }
498
499 *verify_result = VERIFY_OK;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]500 return;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]501}
502
503/* Verify the DIP and all protected partitions */
504static void validate_DIP_and_firmware()
505{
506 int ret;
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]507 DIP_t *enc_dip;
508 DIP_t *dec_dip;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]509 uint32_t verified = 0;
510 verify_result_t verify_result;
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]511 uint32_t block_size = mmc_get_device_blocksize();
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]512
513 enc_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size));
514 if (enc_dip == NULL)
515 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]516 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]517 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]518 }
519
520 dec_dip = malloc(ROUNDUP(sizeof(DIP_t), block_size));
521 if (dec_dip == NULL)
522 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]523 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot allocate DIP\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]524 free(enc_dip);
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]525 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]526 }
527
528 /* Read the DIP holding the MDTP Firmware Lock state from the DIP partition */
529 ret = read_DIP(enc_dip);
530 if(ret < 0)
531 {
532 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot read DIP\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]533 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]534 }
535
536 /* Decrypt and verify the integrity of the DIP */
537 ret = mdtp_tzbsp_dec_verify_DIP(enc_dip, dec_dip, &verified);
538 if(ret < 0)
539 {
540 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, cannot verify DIP\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]541 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]542 }
543
544 /* In case DIP integrity verification fails, notify the user and halt */
545 if(!verified)
546 {
547 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted DIP\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]548 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]549 }
550
551 /* Verify the integrity of the partitions which are protectedm, according to the content of the DIP */
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]552 verify_all_partitions(dec_dip, &verify_result);
553
554 /* Clear decrypted DIP since we don't need it anymore */
555 memset(dec_dip, 0, sizeof(DIP_t));
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]556
557 if (verify_result == VERIFY_OK)
558 {
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]559 dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify OK\n");
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]560 }
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]561 else if (verify_result == VERIFY_SKIPPED)
562 {
563 dprintf(SPEW, "mdtp: validate_DIP_and_firmware: Verify skipped\n");
564 } else /* VERIFY_FAILED */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]565 {
566 dprintf(CRITICAL, "mdtp: validate_DIP_and_firmware: ERROR, corrupted firmware\n");
Reut Zysman18411272015-02-09 13:47:27 +0200[diff] [blame]567 display_recovery_ui(dec_dip);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]568 }
569
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]570 free(enc_dip);
571 free(dec_dip);
572
573 return;
574}
575
576/********************************************************************************/
577
578/** Entry point of the MDTP Firmware Lock: If needed, verify the DIP
579 * and all protected partitions **/
580
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]581void mdtp_fwlock_verify_lock()
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]582{
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]583 int ret;
584 bool enabled;
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]585
Shay Nachmanibc10dfe2015-02-10 14:45:55 +0200[diff] [blame]586 /* sets the default value of this global to be MDTP not activated */
587 is_mdtp_activated = 0;
588
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]589 ret = mdtp_fuse_get_enabled(&enabled);
590 if(ret)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]591 {
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]592 dprintf(CRITICAL, "mdtp: mdtp_fwlock_verify_lock: ERROR, cannot get enabled fuse\n");
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]593 display_error_msg(); /* This will never return */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]594 }
595
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]596 /* Continue with Firmware Lock verification only if enabled by eFuse */
597 if (enabled)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]598 {
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]599 /* This function will handle firmware verification failure via UI */
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]600 validate_DIP_and_firmware();
601 }
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]602}
Shay Nachmanibc10dfe2015-02-10 14:45:55 +0200[diff] [blame]603/********************************************************************************/
604
605/** Indicates whether the MDTP is currently in ACTIVATED state **/
606int mdtp_activated(bool * activated){
607 if(is_mdtp_activated < 0){
608 /* mdtp_fwlock_verify_lock was not called before, the value is not valid */
609 return is_mdtp_activated;
610 }
611
612 *activated = is_mdtp_activated;
613 return 0;
614}
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]615
616/********************************************************************************/
617
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]618/* Decrypt a given DIP and verify its integrity */
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]619static int mdtp_tzbsp_dec_verify_DIP(DIP_t *enc_dip, DIP_t *dec_dip, uint32_t *verified)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]620{
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]621 unsigned char hash[HASH_LEN];
622 SHA256_CTX sha256_ctx;
623 int ret;
624
625 ASSERT(enc_dip != NULL);
626 ASSERT(dec_dip != NULL);
627 ASSERT(verified != NULL);
628
629 ret = mdtp_cipher_dip_cmd((uint8_t*)enc_dip, sizeof(DIP_t),
630 (uint8_t*)dec_dip, sizeof(DIP_t),
631 DIP_DECRYPT);
632 if (ret)
633 {
634 dprintf(CRITICAL, "mdtp: mdtp_tzbsp_dec_verify_DIP: ERROR, cannot cipher DIP\n");
635 *verified = 0;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]636 memset(dec_dip, 0, sizeof(DIP_t));
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]637 return -1;
638 }
639
640 SHA256_Init(&sha256_ctx);
641 SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN);
642 SHA256_Final(hash, &sha256_ctx);
643
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]644 if (memcmp(hash, dec_dip->hash, HASH_LEN))
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]645 {
646 *verified = 0;
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]647 memset(dec_dip, 0, sizeof(DIP_t));
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]648 }
649 else
650 {
651 *verified = 1;
652 }
653
654 return 0;
655}
656
Amit Blaydf42d2f2015-02-03 16:37:09 +0200[diff] [blame]657static int mdtp_tzbsp_enc_hash_DIP(DIP_t *dec_dip, DIP_t *enc_dip)
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]658{
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]659 SHA256_CTX sha256_ctx;
660 int ret;
661
662 ASSERT(dec_dip != NULL);
663 ASSERT(enc_dip != NULL);
664
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]665 SHA256_Init(&sha256_ctx);
666 SHA256_Update(&sha256_ctx, dec_dip, sizeof(DIP_t) - HASH_LEN);
Amit Blay8e2731c2015-04-28 21:54:55 +0300[diff] [blame^]667 SHA256_Final(dec_dip->hash, &sha256_ctx);
Amit Blay6281ebc2015-01-11 14:44:08 +0200[diff] [blame]668
669 ret = mdtp_cipher_dip_cmd((uint8_t*)dec_dip, sizeof(DIP_t),
670 (uint8_t*)enc_dip, sizeof(DIP_t),
671 DIP_ENCRYPT);
672 if (ret)
673 {
674 dprintf(CRITICAL, "mdtp: mdtp_tzbsp_enc_hash_DIP: ERROR, cannot cipher DIP\n");
675 return -1;
676 }
677
678 return 0;
679}