Add load_kernel2_test
Add debug messages to LoadKernel2()
Review URL: http://codereview.chromium.org/2800007
diff --git a/utility/Makefile b/utility/Makefile
index b3f85bf..aef52ad 100644
--- a/utility/Makefile
+++ b/utility/Makefile
@@ -29,6 +29,7 @@
gbb_utility \
kernel_utility \
load_kernel_test \
+ load_kernel2_test \
sign_image \
signature_digest_utility \
vbutil_firmware \
@@ -55,6 +56,9 @@
${BUILD_ROOT}/load_kernel_test: load_kernel_test.c $(LIBS)
$(CC) $(CFLAGS) $(INCLUDES) $< -o $@ $(LIBS) -lcrypto
+${BUILD_ROOT}/load_kernel2_test: load_kernel2_test.c $(LIBS)
+ $(CC) $(CFLAGS) $(INCLUDES) $< -o $@ $(LIBS) -lcrypto
+
${BUILD_ROOT}/kernel_utility: kernel_utility.cc $(LIBS)
$(CXX) $(CFLAGS) $(INCLUDES) -ggdb -D__STDC_LIMIT_MACROS $< \
-o $@ $(LIBS) -lcrypto
diff --git a/utility/load_kernel2_test.c b/utility/load_kernel2_test.c
new file mode 100644
index 0000000..3d50211
--- /dev/null
+++ b/utility/load_kernel2_test.c
@@ -0,0 +1,145 @@
+/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
+ * Use of this source code is governed by a BSD-style license that can be
+ * found in the LICENSE file.
+ */
+
+/* Routines for verifying a file's signature. Useful in testing the core
+ * RSA verification implementation.
+ */
+
+#include <inttypes.h> /* For PRIu64 macro */
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+
+#include "load_kernel_fw.h"
+#include "boot_device.h"
+#include "host_common.h"
+#include "rollback_index.h"
+#include "utility.h"
+#include "vboot_kernel.h"
+
+/* ANSI Color coding sequences. */
+#define COL_GREEN "\e[1;32m"
+#define COL_RED "\e[0;31m"
+#define COL_STOP "\e[m"
+
+
+#define LBA_BYTES 512
+#define KERNEL_BUFFER_SIZE 0x600000
+
+/* Global variables for stub functions */
+static LoadKernelParams lkp;
+static FILE *image_file = NULL;
+
+
+/* Boot device stub implementations to read from the image file */
+int BootDeviceReadLBA(uint64_t lba_start, uint64_t lba_count, void *buffer) {
+ printf("Read(%" PRIu64 ", %" PRIu64 ")\n", lba_start, lba_count);
+
+ if (lba_start > lkp.ending_lba ||
+ lba_start + lba_count - 1 > lkp.ending_lba) {
+ fprintf(stderr, "Read overrun: %" PRIu64 " + %" PRIu64 " > %" PRIu64 "\n",
+ lba_start, lba_count, lkp.ending_lba);
+ return 1;
+ }
+
+ fseek(image_file, lba_start * lkp.bytes_per_lba, SEEK_SET);
+ if (1 != fread(buffer, lba_count * lkp.bytes_per_lba, 1, image_file)) {
+ fprintf(stderr, "Read error.");
+ return 1;
+ }
+ return 0;
+}
+
+
+int BootDeviceWriteLBA(uint64_t lba_start, uint64_t lba_count,
+ const void *buffer) {
+ printf("Write(%" PRIu64 ", %" PRIu64 ")\n", lba_start, lba_count);
+
+ if (lba_start > lkp.ending_lba ||
+ lba_start + lba_count - 1 > lkp.ending_lba) {
+ fprintf(stderr, "Read overrun: %" PRIu64 " + %" PRIu64 " > %" PRIu64 "\n",
+ lba_start, lba_count, lkp.ending_lba);
+ return 1;
+ }
+
+ /* TODO: enable writes, once we're sure it won't trash our example file */
+ return 0;
+
+ fseek(image_file, lba_start * lkp.bytes_per_lba, SEEK_SET);
+ if (1 != fwrite(buffer, lba_count * lkp.bytes_per_lba, 1, image_file)) {
+ fprintf(stderr, "Read error.");
+ return 1;
+ }
+ return 0;
+}
+
+
+/* Main routine */
+int main(int argc, char* argv[]) {
+
+ const char* image_name;
+ const char* keyfile_name;
+ int rv;
+
+ Memset(&lkp, 0, sizeof(LoadKernelParams));
+ lkp.bytes_per_lba = LBA_BYTES;
+
+ /* Read command line parameters */
+ if (3 > argc) {
+ fprintf(stderr, "usage: %s <drive_image> <sign_key>\n", argv[0]);
+ return 1;
+ }
+ image_name = argv[1];
+ keyfile_name = argv[2];
+
+ /* Read header signing key blob */
+ {
+ uint64_t key_size;
+ lkp.header_sign_key_blob = ReadFile(keyfile_name, &key_size);
+ if (!lkp.header_sign_key_blob) {
+ fprintf(stderr, "Unable to read key file %s\n", keyfile_name);
+ return 1;
+ }
+ }
+
+ /* Get image size */
+ printf("Reading from image: %s\n", image_name);
+ image_file = fopen(image_name, "rb");
+ if (!image_file) {
+ fprintf(stderr, "Unable to open image file %s\n", image_name);
+ return 1;
+ }
+ fseek(image_file, 0, SEEK_END);
+ lkp.ending_lba = (ftell(image_file) / LBA_BYTES) - 1;
+ rewind(image_file);
+ printf("Ending LBA: %" PRIu64 "\n", lkp.ending_lba);
+
+ /* Allocate a buffer for the kernel */
+ lkp.kernel_buffer = Malloc(KERNEL_BUFFER_SIZE);
+ if(!lkp.kernel_buffer) {
+ fprintf(stderr, "Unable to allocate kernel buffer.\n");
+ return 1;
+ }
+
+ /* TODO: Option for boot mode - developer, recovery */
+ /* Need to skip the address check, since we're putting it somewhere on the
+ * heap instead of its actual target address in the firmware. */
+ lkp.boot_flags = BOOT_FLAG_SKIP_ADDR_CHECK;
+
+ /* Call LoadKernel() */
+ rv = LoadKernel2(&lkp);
+ printf("LoadKernel() returned %d\n", rv);
+
+ if (LOAD_KERNEL_SUCCESS == rv) {
+ printf("Partition number: %" PRIu64 "\n", lkp.partition_number);
+ printf("Bootloader address: %" PRIu64 "\n", lkp.bootloader_address);
+ printf("Bootloader size: %" PRIu64 "\n", lkp.bootloader_size);
+ }
+
+ fclose(image_file);
+ Free(lkp.kernel_buffer);
+ return 0;
+}
diff --git a/vboot_firmware/include/load_kernel_fw.h b/vboot_firmware/include/load_kernel_fw.h
index 8dc48fd..bbacbbd 100644
--- a/vboot_firmware/include/load_kernel_fw.h
+++ b/vboot_firmware/include/load_kernel_fw.h
@@ -22,6 +22,8 @@
/* Boot flags for LoadKernel().boot_flags */
#define BOOT_FLAG_DEVELOPER UINT64_C(0x01) /* Developer switch is on */
#define BOOT_FLAG_RECOVERY UINT64_C(0x02) /* In recovery mode */
+#define BOOT_FLAG_SKIP_ADDR_CHECK UINT64_C(0x04) /* Skip check of kernel
+ * buffer address */
typedef struct LoadKernelParams {
/* Inputs to LoadKernel() */
diff --git a/vboot_firmware/lib/vboot_kernel.c b/vboot_firmware/lib/vboot_kernel.c
index 9e5dc52..fd791af 100644
--- a/vboot_firmware/lib/vboot_kernel.c
+++ b/vboot_firmware/lib/vboot_kernel.c
@@ -8,6 +8,7 @@
#include "vboot_kernel.h"
+#include <inttypes.h> /* For PRIu64 */
#include "boot_device.h"
#include "cgptlib.h"
#include "load_kernel_fw.h"
@@ -135,8 +136,10 @@
* initialized. */
if (0 != GetStoredVersions(KERNEL_VERSIONS,
&tpm_key_version,
- &tpm_kernel_version))
+ &tpm_kernel_version)) {
+ debug("Unable to get stored version from TPM\n");
return LOAD_KERNEL_RECOVERY;
+ }
} else if (is_dev) {
/* In developer mode, we ignore the kernel subkey, and just use
* the SHA-512 hash to verify the key block. */
@@ -147,12 +150,16 @@
/* Read GPT data */
gpt.sector_bytes = blba;
gpt.drive_sectors = params->ending_lba + 1;
- if (0 != AllocAndReadGptData(&gpt))
+ if (0 != AllocAndReadGptData(&gpt)) {
+ debug("Unable to read GPT data\n");
break;
+ }
/* Initialize GPT library */
- if (GPT_SUCCESS != GptInit(&gpt))
+ if (GPT_SUCCESS != GptInit(&gpt)) {
+ debug("Error parsing GPT\n");
break;
+ }
/* Allocate kernel header buffers */
kbuf = (uint8_t*)Malloc(KBUF_SIZE);
@@ -167,6 +174,9 @@
uint64_t key_version;
uint64_t body_offset;
+ debug("Found kernel entry at %" PRIu64 " size %" PRIu64 "\n",
+ part_start, part_size);
+
/* Found at least one kernel partition. */
found_partitions++;
@@ -178,25 +188,33 @@
/* Verify the key block */
key_block = (VbKeyBlockHeader*)kbuf;
- if ((0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey)))
+ if ((0 != KeyBlockVerify(key_block, KBUF_SIZE, kernel_subkey))) {
+ debug("Verifying key block failed.\n");
continue;
+ }
/* Check the key block flags against the current boot mode */
if (!(key_block->key_block_flags &&
((BOOT_FLAG_DEVELOPER & params->boot_flags) ?
- KEY_BLOCK_FLAG_DEVELOPER_1 : KEY_BLOCK_FLAG_DEVELOPER_0)))
+ KEY_BLOCK_FLAG_DEVELOPER_1 : KEY_BLOCK_FLAG_DEVELOPER_0))) {
+ debug("Developer flag mismatch.\n");
continue;
+ }
if (!(key_block->key_block_flags &&
((BOOT_FLAG_RECOVERY & params->boot_flags) ?
- KEY_BLOCK_FLAG_RECOVERY_1 : KEY_BLOCK_FLAG_RECOVERY_0)))
+ KEY_BLOCK_FLAG_RECOVERY_1 : KEY_BLOCK_FLAG_RECOVERY_0))) {
+ debug("Recovery flag mismatch.\n");
continue;
+ }
/* Check for rollback of key version. Note this is implicitly
* skipped in recovery and developer modes because those set
* key_version=0 above. */
key_version = key_block->data_key.key_version;
- if (key_version < tpm_key_version)
+ if (key_version < tpm_key_version) {
+ debug("Key version too old.\n");
continue;
+ }
/* Get the key for preamble/data verification from the key block */
data_key = PublicKeyToRSA(&key_block->data_key);
@@ -208,6 +226,7 @@
if ((0 != VerifyKernelPreamble2(preamble,
KBUF_SIZE - key_block->key_block_size,
data_key))) {
+ debug("Preamble verification failed.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -217,10 +236,13 @@
* key_version=0 and kernel_version=0 above. */
if (key_version == tpm_key_version &&
preamble->kernel_version < tpm_kernel_version) {
+ debug("Kernel version too low.\n");
RSAPublicKeyFree(data_key);
continue;
}
+ debug("Kernel preamble is good.\n");
+
/* Check for lowest key version from a valid header. */
if (lowest_key_version > key_version) {
lowest_key_version = key_version;
@@ -238,7 +260,9 @@
continue;
/* Verify body load address matches what we expect */
- if (preamble->body_load_address != (size_t)params->kernel_buffer) {
+ if ((preamble->body_load_address != (size_t)params->kernel_buffer) &&
+ !(params->boot_flags & BOOT_FLAG_SKIP_ADDR_CHECK)) {
+ debug("Wrong body load address.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -246,6 +270,7 @@
/* Verify kernel body starts at a multiple of the sector size. */
body_offset = key_block->key_block_size + preamble->preamble_size;
if (0 != body_offset % blba) {
+ debug("Kernel body not at multiple of sector size.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -253,6 +278,7 @@
/* Verify kernel body fits in the partition */
if (body_offset + preamble->body_signature.data_size >
part_size * blba) {
+ debug("Kernel body doesn't fit in partition.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -262,6 +288,7 @@
part_start + (body_offset / blba),
(preamble->body_signature.data_size + blba - 1) / blba,
params->kernel_buffer)) {
+ debug("Unable to read kernel data.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -269,6 +296,7 @@
/* Verify kernel data */
if (0 != VerifyData((const uint8_t*)params->kernel_buffer,
&preamble->body_signature, data_key)) {
+ debug("Kernel data verification failed.\n");
RSAPublicKeyFree(data_key);
continue;
}
@@ -278,25 +306,24 @@
/* If we're still here, the kernel is valid. */
/* Save the first good partition we find; that's the one we'll boot */
- if (-1 == good_partition) {
- good_partition = gpt.current_kernel;
- params->partition_number = gpt.current_kernel;
- params->bootloader_address = preamble->bootloader_address;
- params->bootloader_size = preamble->bootloader_size;
- /* If we're in developer or recovery mode, there's no rollback
- * protection, so we can stop at the first valid kernel. */
- if (!is_normal)
- break;
+ debug("Partiton is good.\n");
+ good_partition = gpt.current_kernel;
+ params->partition_number = gpt.current_kernel;
+ params->bootloader_address = preamble->bootloader_address;
+ params->bootloader_size = preamble->bootloader_size;
+ /* If we're in developer or recovery mode, there's no rollback
+ * protection, so we can stop at the first valid kernel. */
+ if (!is_normal)
+ break;
- /* Otherwise, we're in normal boot mode, so we do care about
- * the key index in the TPM. If the good partition's key
- * version is the same as the tpm, then the TPM doesn't need
- * updating; we can stop now. Otherwise, we'll check all the
- * other headers to see if they contain a newer key. */
- if (key_version == tpm_key_version &&
- preamble->kernel_version == tpm_kernel_version)
- break;
- }
+ /* Otherwise, we're in normal boot mode, so we do care about the
+ * key index in the TPM. If the good partition's key version is
+ * the same as the tpm, then the TPM doesn't need updating; we
+ * can stop now. Otherwise, we'll check all the other headers
+ * to see if they contain a newer key. */
+ if (key_version == tpm_key_version &&
+ preamble->kernel_version == tpm_kernel_version)
+ break;
} /* while(GptNextKernelEntry) */
} while(0);