Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / vboot_reference / f67bcaa9a6d8ac8c31cb5650405f99c475c9ad5e / . / include / kernel_image.h
blob: c65c6143767f16a2220984c2523945b6f14c7259 [file] [log] [blame]
Gaurav Shahf67bcaa2010-02-28 19:18:24 -0800[diff] [blame^]1/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved.
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * Data structure and API definitions for a verified boot kernel image.
6 */
7
8#ifndef VBOOT_REFERENCE_KERNEL_IMAGE_H_
9#define VBOOT_REFERENCE_KERNEL_IMAGE_H_
10
11#include <inttypes.h>
12
13#include "rsa.h"
14#include "sha.h"
15
16#define KERNEL_MAGIC "CHROMEOS"
17#define KERNEL_MAGIC_SIZE 8
18
19/* Kernel config file options according to the Chrome OS drive map design. */
20typedef struct kconfig_options {
21 uint32_t version[2]; /* Configuration file version. */
22 uint32_t kernel_len; /* Size of the kernel. */
23 uint64_t kernel_load_addr; /* Load address in memory for the kernel image */
24 uint64_t kernel_entry_addr; /* Address to jump to after kernel is loaded. */
25} kconfig_options;
26
27
28typedef struct KernelImage {
29 uint8_t magic[KERNEL_MAGIC_SIZE];
30 /* Key header */
31 uint16_t header_version; /* Header version. */
32 uint16_t header_len; /* Length of the header. */
33 uint16_t firmware_sign_algorithm; /* Signature algorithm used by the firmware
34 * signing key (used to sign this kernel
35 * header. */
36 uint16_t kernel_sign_algorithm; /* Signature algorithm used by the kernel
37 * signing key. */
38 uint16_t kernel_key_version; /* Key Version# for preventing rollbacks. */
39 uint8_t* kernel_sign_key; /* Pre-processed public half of signing key. */
40 /* TODO(gauravsh): Do we need a choice of digest algorithms for the header
41 * checksum? */
42 uint8_t header_checksum[SHA512_DIGEST_SIZE]; /* SHA-512 Crytographic hash of
43 * the concatenation of the
44 * header fields, i.e.
45 * [header_len,
46 * firmware_sign_algorithm,
47 * sign_algorithm, sign_key,
48 * key_version] */
49
50 uint8_t* kernel_key_signature; /* Signature of the header above. */
51
52 uint16_t kernel_version; /* Kernel Version# for preventing rollbacks. */
53 kconfig_options options; /* Other kernel/bootloader options. */
54
55 uint8_t* config_signature; /* Signature of the kernel config file. */
56
57 /* The kernel signature comes first as it may allow us to parallelize
58 * the kernel data fetch and RSA public key operation.
59 */
60 uint8_t* kernel_signature; /* Signature on [kernel_data]. */
61 uint8_t* kernel_data; /* Actual kernel data. */
62
63} KernelImage;
64
65/* Allocate and return a new KernelImage structure. */
66KernelImage* KernelImageNew(void);
67
68/* Deep free the contents of [image]. */
69void KernelImageFree(KernelImage* image);
70
71/* Read kernel data from file named [input_file].
72 *
73 * Returns a filled up KernelImage on success, NULL on error.
74 */
75KernelImage* ReadKernelImage(const char* input_file);
76
77/* Write kernel key header from [image] to an open file pointed by the
78 * file descriptor [fd].
79 */
80void WriteKernelHeader(int fd, KernelImage* image);
81
82/* Write kernel config from [image] to an open file pointed by the
83 * file descriptor [fd].
84 */
85void WriteKernelConfig(int fd, KernelImage* image);
86
87/* Write kernel data from [image] to a file named [input_file].
88 *
89 * Return [image] on success, NULL on error.
90 */
91KernelImage* WriteKernelImage(const char* input_file,
92 KernelImage* image);
93
94/* Pretty print the contents of [image]. Only headers and metadata information
95 * is printed.
96 */
97void PrintKernelImage(const KernelImage* image);
98
99/* Error Codes for VerifyFirmware. */
100#define VERIFY_KERNEL_SUCCESS 0
101#define VERIFY_KERNEL_INVALID_IMAGE 1
102#define VERIFY_KERNEL_KEY_SIGNATURE_FAILED 2
103#define VERIFY_KERNEL_INVALID_ALGORITHM 3
104#define VERIFY_KERNEL_CONFIG_SIGNATURE_FAILED 4
105#define VERIFY_KERNEL_SIGNATURE_FAILED 5
106#define VERIFY_KERNEL_WRONG_MAGIC 6
107#define VERIFY_KERNEL_MAX 7 /* Generic catch-all. */
108
109char* kVerifyKernelErrors[VERIFY_KERNEL_MAX];
110
111/* Checks for the sanity of the kernel header pointed by [kernel_header_blob].
112 * If [dev_mode] is enabled, also checks the firmware key signature using the
113 * pre-processed public firmware signing key [firmware_sign_key_blob].
114 *
115 * On success, put firmware signature algorithm in [firmware_algorithm],
116 * kernel signature algorithm in [kernel_algorithm], kernel header
117 * length in [header_len], and return 0.
118 * Else, return error code on failure.
119 */
120int VerifyFirmwareHeader(const uint8_t* firmware_sign_key_blob,
121 const uint8_t* kernel_header_blob,
122 const int dev_mode,
123 int* firmware_algorithm,
124 int* kernel_algorithm,
125 int* header_len);
126
127/* Checks the kernel config (analogous to preamble for firmware) signature on
128 * kernel config pointed by [kernel_config_blob] using the signing key
129 * [kernel_sign_key].
130 *
131 * On success, put kernel length into [kernel_len], and return 0.
132 * Else, return error code on failure.
133 */
134int VerifyKernelConfig(RSAPublicKey* kernel_sign_key,
135 const uint8_t* kernel_config_blob,
136 int algorithm,
137 int* kernel_len);
138
139/* Checks the signature on the kernel data at location [kernel_data_start].
140 * The length of the actual kernel data is kernel _len and it is assumed to
141 * be prepended with the signature whose size depends on the signature_algorithm
142 * [algorithm].
143 *
144 * Return 0 on success, error code on failure.
145 */
146int VerifyKernelData(RSAPublicKey* kernel_sign_key,
147 const uint8_t* kernel_data_start,
148 int kernel_len,
149 int algorithm);
150
151/* Performs a chained verify of the kernel blob [kernel_blob]. If
152 * [dev_mode] is 0 [inactive], then the pre-processed public signing key
153 * [root_key_blob] is used to verify the signature of the signing key,
154 * else the check is skipped.
155 *
156 * TODO(gauravsh): Does the dev mode only effect the R/W firmware verification,
157 * or kernel verification, or both?
158 *
159 * Returns 0 on success, error code on failure.
160 *
161 * NOTE: The length of the kernel blob is derived from reading the fields
162 * in the first few bytes of the buffer. This might look risky but in firmware
163 * land, the start address of the kernel_blob will always be fixed depending
164 * on the memory map on the particular platform. In addition, the signature on
165 * length itself is checked early in the verification process for extra safety.
166 */
167int VerifyKernel(const uint8_t* signing_key_blob,
168 const uint8_t* kernel_blob,
169 const int dev_mode);
170
171/* Performs a chained verify of the kernel [image]. If [dev_mode] is
172 * 0 (inactive), then the [firmware_signing_key] is used to verify the signature
173 * of the signing key, else the check is skipped.
174 *
175 * Returns 0 on success, error code on failure.
176 */
177int VerifyKernelImage(const RSAPublicKey* firmware_signing_key,
178 const KernelImage* image,
179 int dev_mode);
180
181
182/* Maps error codes from VerifyKernel*() to error description. */
183const char* VerifyKernelErrorString(int error);
184
185/* Add a kernel signing key signature to the key header to a kernel image
186 * [image] using the private key in file [firmware_key_file].
187 *
188 * Return 1 on success, 0 on failure.
189 */
190int AddKernelKeySignature(KernelImage* image, const char* firmware_key_file);
191
192/* Add a kernel and kernel config signature to a kernel image [image]
193 * using the private signing key in file [kernel_sigining_key_file].
194 *
195 * Return 1 on success, 0 on failure.
196 */
197int AddKernelSignature(KernelImage* image, const char* kernel_sigining_key_file,
198 int algorithm);
199
200#endif /* VBOOT_REFERENCE_KERNEL_IMAGE_H_ */