Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / avb / 21e95266704e572ced1c633bbc4aea9f42afa0a5 / . / libavb / avb_vbmeta_image.h
blob: ad93d6a2b6a8937b608dd6aedb68cf07e42925e9 [file] [log] [blame]
David Zeuthen21e95262016-07-27 17:58:40 -0400[diff] [blame^]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#if !defined(AVB_INSIDE_LIBAVB_H) && !defined(AVB_COMPILATION)
18#error "Never include this file directly, include libavb.h instead."
19#endif
20
21#ifndef AVB_VBMETA_IMAGE_H_
22#define AVB_VBMETA_IMAGE_H_
23
24#include "avb_sysdeps.h"
25
26#ifdef __cplusplus
27extern "C" {
28#endif
29
30#include "avb_crypto.h"
31#include "avb_descriptor.h"
32
33/* Size of the vbmeta image header. */
34#define AVB_VBMETA_IMAGE_HEADER_SIZE 256
35
36/* Magic for the vbmeta image header. */
37#define AVB_MAGIC "AVB0"
38#define AVB_MAGIC_LEN 4
39
40/* The current MAJOR and MINOR versions used - keep in sync with avbtool. */
41#define AVB_MAJOR_VERSION 1
42#define AVB_MINOR_VERSION 0
43
44/* Binary format for header of the vbmeta image.
45 *
46 * The vbmeta image consists of three blocks:
47 *
48 * +-----------------------------------------+
49 * | Header data - fixed size |
50 * +-----------------------------------------+
51 * | Authentication data - variable size |
52 * +-----------------------------------------+
53 * | Auxiliary data - variable size |
54 * +-----------------------------------------+
55 *
56 * The "Header data" block is described by this struct and is always
57 * |AVB_VBMETA_IMAGE_HEADER_SIZE| bytes long.
58 *
59 * The "Authentication data" block is |authentication_data_block_size|
60 * bytes long and contains the hash and signature used to authenticate
61 * the vbmeta image. The type of the hash and signature is defined by
62 * the |algorithm_type| field.
63 *
64 * The "Auxiliary data" is |auxiliary_data_block_size| bytes long and
65 * contains the auxiliary data including the public key used to make
66 * the signature and descriptors.
67 *
68 * The public key is at offset |public_key_offset| with size
69 * |public_key_size| in this block. The size of the public key data is
70 * defined by the |algorithm_type| field. The format of the public key
71 * data is described in the |AvbRSAPublicKeyHeader| struct.
72 *
73 * The descriptors starts at |descriptors_offset| from the beginning
74 * of the "Auxiliary Data" block and take up |descriptors_size|
75 * bytes. Each descriptor is stored as a |AvbDescriptor| with tag and
76 * number of bytes following. The number of descriptors can be
77 * determined by walking this data until |descriptors_size| is
78 * exhausted.
79 *
80 * The size of each of the "Authentication data" and "Auxiliary data"
81 * blocks must be divisible by 64. This is to ensure proper alignment.
82 *
83 * Descriptors are free-form blocks stored in a part of the vbmeta
84 * image subject to the same integrity checks as the rest of the
85 * image. See the documentation for |AvbDescriptor| for well-known
86 * descriptors. See avb_descriptor_foreach() for a convenience
87 * function to iterate over descriptors.
88 *
89 * This struct is versioned, see the |header_version_major| and
90 * |header_version_minor| fields. Compatibility is guaranteed only
91 * within the same major version.
92 *
93 * All fields are stored in network byte order when serialized. To
94 * generate a copy with fields swapped to native byte order, use the
95 * function avb_vbmeta_image_header_to_host_byte_order().
96 *
97 * Before reading and/or using any of this data, you MUST verify it
98 * using avb_vbmeta_image_verify() and reject it unless it's signed by
99 * a known good public key.
100 */
101typedef struct AvbVBMetaImageHeader {
102 /* 0: Four bytes equal to "AVB0" (AVB_MAGIC). */
103 uint8_t magic[AVB_MAGIC_LEN];
104 /* 4: The major version of the vbmeta image header. */
105 uint32_t header_version_major;
106 /* 8: The minor version of the vbmeta image header. */
107 uint32_t header_version_minor;
108
109 /* 12: The size of the signature block. */
110 uint64_t authentication_data_block_size;
111 /* 20: The size of the auxiliary data block. */
112 uint64_t auxiliary_data_block_size;
113
114 /* 28: The verification algorithm used, see |AvbAlgorithmType| enum. */
115 uint32_t algorithm_type;
116
117 /* 32: Offset into the "Authentication data" block of hash data. */
118 uint64_t hash_offset;
119 /* 40: Length of the hash data. */
120 uint64_t hash_size;
121
122 /* 48: Offset into the "Authentication data" block of signature data. */
123 uint64_t signature_offset;
124 /* 56: Length of the signature data. */
125 uint64_t signature_size;
126
127 /* 64: Offset into the "Auxiliary data" block of public key data. */
128 uint64_t public_key_offset;
129 /* 72: Length of the public key data. */
130 uint64_t public_key_size;
131
132 /* 80: Offset into the "Auxiliary data" block of descriptor data. */
133 uint64_t descriptors_offset;
134 /* 88: Length of descriptor data. */
135 uint64_t descriptors_size;
136
137 /* 96: The rollback index which can be used to prevent rollback to
138 * older versions.
139 */
140 uint64_t rollback_index;
141
142 /* 104: Padding to ensure struct is size AVB_VBMETA_IMAGE_HEADER_SIZE
143 * bytes. This must be set to zeroes.
144 */
145 uint8_t reserved[152];
146} AVB_ATTR_PACKED AvbVBMetaImageHeader;
147
148/* Copies |src| to |dest|, byte-swapping fields in the process.
149 *
150 * Make sure you've verified |src| using avb_vbmeta_image_verify()
151 * before accessing the data and/or using this function.
152 */
153void avb_vbmeta_image_header_to_host_byte_order(const AvbVBMetaImageHeader* src,
154 AvbVBMetaImageHeader* dest);
155
156/* Return codes used in avb_vbmeta_image_verify().
157 *
158 * AVB_VBMETA_VERIFY_RESULT_OK is returned if the vbmeta image header
159 * is valid, the hash is correct and the signature is correct. Keep in
160 * mind that you still need to check that you know the public key used
161 * to sign the image, see avb_vbmeta_image_verify() for details.
162 *
163 * AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED is returned if the vbmeta
164 * image header is valid but there is no signature or hash.
165 *
166 * AVB_VERIFY_INVALID_VBMETA_HEADER is returned if the header of
167 * the vbmeta image is invalid, for example, invalid magic or
168 * inconsistent data.
169 *
170 * AVB_VERIFY_HASH_MISMATCH is returned if the hash stored in the
171 * "Authentication data" block does not match the calculated hash.
172 *
173 * AVB_VERIFY_SIGNATURE_MISMATCH is returned if the signature stored
174 * in the "Authentication data" block is invalid or doesn't match the
175 * public key stored in the vbmeta image.
176 */
177typedef enum {
178 AVB_VBMETA_VERIFY_RESULT_OK,
179 AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED,
180 AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER,
181 AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH,
182 AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH,
183} AvbVBMetaVerifyResult;
184
185/* Checks that vbmeta image at |data| of size |length| is a valid
186 * vbmeta image. The complete contents of the vbmeta image must be
187 * passed in. It's fine if |length| is bigger than the actual image,
188 * typically callers of this function will load the entire contents of
189 * the 'vbmeta_a' or 'vbmeta_b' partition and pass in its length (for
190 * example, 1 MiB).
191 *
192 * See the |AvbVBMetaImageHeader| struct for information about the
193 * three blocks (header, authentication, auxiliary) that make up a
194 * vbmeta image.
195 *
196 * If the function returns |AVB_VBMETA_VERIFY_RESULT_OK| and
197 * |out_public_key_data| is non-NULL, it will be set to point inside
198 * |data| for where the serialized public key data is stored and
199 * |out_public_key_length|, if non-NULL, will be set to the length of
200 * the public key data.
201 *
202 * See the |AvbVBMetaVerifyResult| enum for possible return values.
203 *
204 * VERY IMPORTANT:
205 *
206 * 1. Even if |AVB_VBMETA_VERIFY_RESULT_OK| is returned, you still
207 * need to check that the public key embedded in the image
208 * matches a known key! You can use 'avbtool extract_public_key'
209 * to extract the key (at build time, then store it along your
210 * code) and compare it to what is returned in
211 * |out_public_key_data|.
212 *
213 * 2. You need to check the |rollback_index| field against a stored
214 * value in NVRAM and reject the vbmeta image if the value in
215 * NVRAM is bigger than |rollback_index|. You must also update
216 * the value stored in NVRAM to the smallest value of
217 * |rollback_index| field from boot images in all bootable and
218 * authentic slots marked as GOOD.
219 *
220 * This is a low-level function to only verify the vbmeta data - you
221 * are likely looking for avb_slot_verify() instead for verifying
222 * integrity data for a whole set of partitions.
223 */
224AvbVBMetaVerifyResult avb_vbmeta_image_verify(
225 const uint8_t* data, size_t length, const uint8_t** out_public_key_data,
226 size_t* out_public_key_length) AVB_ATTR_WARN_UNUSED_RESULT;
227
228#ifdef __cplusplus
229}
230#endif
231
232#endif /* AVB_VBMETA_IMAGE_H_ */