diff options
| author | Bill Richardson <wfrichar@chromium.org> | 2013-01-25 17:58:04 -0800 |
|---|---|---|
| committer | Bill Richardson <wfrichar@chromium.org> | 2013-01-25 17:58:04 -0800 |
| commit | 4c3f6e0e16844db159ccaa7e1f8fe8fa5a1d6e01 (patch) | |
| tree | 6bc5321f574073bd92c47c7e012b8c4c26d9e1c6 | |
| parent | 0fd2017f20ecf649065d4a97bf7d9a90432e34de (diff) | |
| parent | 68f54d44756e8f0a777808b710a4ccc5d2ce353d (diff) | |
| download | vboot-4c3f6e0e16844db159ccaa7e1f8fe8fa5a1d6e01.tar.gz | |
Merge remote-tracking branch 'm/master' into futility
26 files changed, 2443 insertions, 2054 deletions
diff --git a/firmware/include/bmpblk_header.h b/firmware/include/bmpblk_header.h index 7a588219..5957c31c 100644 --- a/firmware/include/bmpblk_header.h +++ b/firmware/include/bmpblk_header.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2010-2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -40,7 +40,6 @@ * +-----------------------------------------+ * | List of locale names | * +-----------------------------------------+ - * */ #ifndef VBOOT_REFERENCE_BMPBLK_HEADER_H_ @@ -60,83 +59,93 @@ __pragma(pack(push, 1)) /* Support packing for MSVC. */ /* BMPBLOCK header, describing how many screen layouts and image infos */ typedef struct BmpBlockHeader { - uint8_t signature[BMPBLOCK_SIGNATURE_SIZE]; /* BMPBLOCK_SIGNATURE $BMP */ - uint16_t major_version; /* see BMPBLOCK_MAJOR_VER */ - uint16_t minor_version; /* see BMPBLOCK_MINOR_VER */ - uint32_t number_of_localizations; /* Number of localizations */ - uint32_t number_of_screenlayouts; /* Number of screen layouts in each - * localization */ - uint32_t number_of_imageinfos; /* Number of image infos */ - uint32_t locale_string_offset; /* Offset of locale-translation string */ - uint32_t reserved[2]; + /* BMPBLOCK_SIGNATURE $BMP */ + uint8_t signature[BMPBLOCK_SIGNATURE_SIZE]; + uint16_t major_version; /* see BMPBLOCK_MAJOR_VER */ + uint16_t minor_version; /* see BMPBLOCK_MINOR_VER */ + uint32_t number_of_localizations; /* Number of localizations */ + /* Number of screen layouts in each localization */ + uint32_t number_of_screenlayouts; + uint32_t number_of_imageinfos; /* Number of image infos */ + /* Offset of locale-translation string */ + uint32_t locale_string_offset; + uint32_t reserved[2]; } __attribute__((packed)) BmpBlockHeader; /* Screen layout, describing how to stack multiple images on screen */ typedef struct ScreenLayout { - struct { - uint32_t x; /* X-offset of the image to be rendered */ - uint32_t y; /* Y-offset of the image to be rendered */ - uint32_t image_info_offset; /* Offset of image info from start of - * BMPBLOCK. 0 means end of it. */ - } images[MAX_IMAGE_IN_LAYOUT]; /* Images contained in the screen. Will be - * rendered from 0 to (number_of_images-1). */ + /* + * Images contained in the screen. Will be rendered from 0 to + * (number_of_images-1). + */ + struct { + /* (X,Y) offset of image to be rendered */ + uint32_t x; + uint32_t y; + /* Offset of image info from start of BMPBLOCK; 0=end it. */ + uint32_t image_info_offset; + } images[MAX_IMAGE_IN_LAYOUT]; } __attribute__((packed)) ScreenLayout; /* Constants for screen index */ typedef enum ScreenIndex { - SCREEN_DEVELOPER_WARNING = 0, - SCREEN_RECOVERY_REMOVE, - SCREEN_RECOVERY_NO_GOOD, - SCREEN_RECOVERY_INSERT, - SCREEN_RECOVERY_TO_DEV, - SCREEN_DEVELOPER_TO_NORM, - SCREEN_WAIT, - SCREEN_TO_NORM_CONFIRMED, - MAX_VALID_SCREEN_INDEX, - SCREEN_BLANK = ~0UL, + SCREEN_DEVELOPER_WARNING = 0, + SCREEN_RECOVERY_REMOVE, + SCREEN_RECOVERY_NO_GOOD, + SCREEN_RECOVERY_INSERT, + SCREEN_RECOVERY_TO_DEV, + SCREEN_DEVELOPER_TO_NORM, + SCREEN_WAIT, + SCREEN_TO_NORM_CONFIRMED, + MAX_VALID_SCREEN_INDEX, + SCREEN_BLANK = ~0UL, } ScreenIndex; /* Image info, describing the information of the image block */ typedef struct ImageInfo { - uint32_t tag; /* Tag it as a special image, like HWID */ - uint32_t width; /* Width of the image */ - uint32_t height; /* Height of the image */ - uint32_t format; /* File format of the image */ - uint32_t compression; /* Compression method for the image file */ - uint32_t original_size; /* Size of the original uncompressed image */ - uint32_t compressed_size; /* Size of the compressed image; if image is not - * compressed, this will be the same as the - * original size. */ - uint32_t reserved; + uint32_t tag; /* Tag it as a special image, like HWID */ + uint32_t width; /* Width of the image */ + uint32_t height; /* Height of the image */ + uint32_t format; /* File format of the image */ + uint32_t compression; /* Compression method for the image file */ + uint32_t original_size; /* Size of the original uncompressed image */ + /* + * Size of the compressed image; if image is not compressed, this will + * be the same as the original size. + */ + uint32_t compressed_size; + uint32_t reserved; /* NOTE: The actual image content (if any) follows immediately. */ } __attribute__((packed)) ImageInfo; /* Constants for ImageInfo.tag */ typedef enum ImageTag { - TAG_NONE = 0, - TAG_HWID, - TAG_HWID_RTOL, /* "right-to-left", ie, right-justified HWID */ + TAG_NONE = 0, + TAG_HWID, + TAG_HWID_RTOL, /* "right-to-left", ie, right-justified HWID */ } ImageTag; /* Constants for ImageInfo.format */ typedef enum ImageFormat { - FORMAT_INVALID = 0, - FORMAT_BMP, - FORMAT_FONT, + FORMAT_INVALID = 0, + FORMAT_BMP, + FORMAT_FONT, } ImageFormat; /* Constants for ImageInfo.compression */ typedef enum Compression { - COMPRESS_NONE = 0, - COMPRESS_EFIv1, /* The x86 BIOS only supports this */ - COMPRESS_LZMA1, /* The ARM BIOS supports LZMA1 */ - MAX_COMPRESS, + COMPRESS_NONE = 0, + COMPRESS_EFIv1, /* The x86 BIOS only supports this */ + COMPRESS_LZMA1, /* The ARM BIOS supports LZMA1 */ + MAX_COMPRESS, } Compression; -/* These magic image names can be used in the .yaml file to indicate that - the ASCII HWID should be displayed. For RENDER_HWID, the image coordinates - specify upper-left corner of the HWID string. For RENDER_HWID_RTOL, they - indicate the upper-right corner (handy for right-to-left languages). */ +/* + * These magic image names can be used in the .yaml file to indicate that the + * ASCII HWID should be displayed. For RENDER_HWID, the image coordinates + * specify upper-left corner of the HWID string. For RENDER_HWID_RTOL, they + * indicate the upper-right corner (handy for right-to-left languages). + */ #define RENDER_HWID "$HWID" #define RENDER_HWID_RTOL "$HWID.rtol" diff --git a/firmware/include/gbb_header.h b/firmware/include/gbb_header.h index f490bb01..5ab5121b 100644 --- a/firmware/include/gbb_header.h +++ b/firmware/include/gbb_header.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -15,17 +15,18 @@ #define GBB_SIGNATURE "$GBB" #define GBB_SIGNATURE_SIZE 4 -/* GBB version constants. +/* + * GBB version constants. * - * If the major version is different than the reader can handle, it - * shouldn't attempt to parse the GBB. + * If the major version is different than the reader can handle, it shouldn't + * attempt to parse the GBB. * - * If the minor version is different, the reader can still parse it. - * If the minor version is greater than expected, new fields were - * added in a way which does not interfere with the old fields. If - * it's less than expected, some of the fields expected by the reader - * aren't initialized, and the reader should return default values for - * those fields. */ + * If the minor version is different, the reader can still parse it. If the + * minor version is greater than expected, new fields were added in a way which + * does not interfere with the old fields. If it's less than expected, some of + * the fields expected by the reader aren't initialized, and the reader should + * return default values for those fields. + */ #define GBB_MAJOR_VER 1 #define GBB_MINOR_VER 1 @@ -35,13 +36,17 @@ /* Flags for .flags field */ /* Reduce the dev screen delay to 2 sec from 30 sec to speedup factory. */ #define GBB_FLAG_DEV_SCREEN_SHORT_DELAY 0x00000001 -/* BIOS should load option ROMs from arbitrary PCI devices. We'll never enable - * this ourselves because it executes non-verified code, but if a customer wants - * to void their warranty and set this flag in the read-only flash, they should - * be able to do so. */ +/* + * BIOS should load option ROMs from arbitrary PCI devices. We'll never enable + * this ourselves because it executes non-verified code, but if a customer + * wants to void their warranty and set this flag in the read-only flash, they + * should be able to do so. + */ #define GBB_FLAG_LOAD_OPTION_ROMS 0x00000002 -/* The factory flow may need the BIOS to boot a non-ChromeOS kernel if the - * dev-switch is on. This flag allows that. */ +/* + * The factory flow may need the BIOS to boot a non-ChromeOS kernel if the + * dev-switch is on. This flag allows that. + */ #define GBB_FLAG_ENABLE_ALTERNATE_OS 0x00000004 /* Force dev switch on, regardless of physical/keyboard dev switch position. */ #define GBB_FLAG_FORCE_DEV_SWITCH_ON 0x00000008 @@ -60,24 +65,25 @@ extern "C" { #endif /* __cplusplus */ -typedef struct GoogleBinaryBlockHeader { - /* Fields present in version 1.0 */ - uint8_t signature[GBB_SIGNATURE_SIZE]; /* GBB_SIGNATURE "$GBB" */ - uint16_t major_version; /* See GBB_MAJOR_VER */ - uint16_t minor_version; /* See GBB_MINOR_VER */ - uint32_t header_size; /* size of GBB header in bytes */ - uint32_t flags; /* Flags (see GBB_FLAG_*), should be 0 for 1.0. */ - - uint32_t hwid_offset; /* HWID offset from start of header */ - uint32_t hwid_size; /* HWID size in bytes */ - uint32_t rootkey_offset; /* Root Key offset from start of header */ - uint32_t rootkey_size; /* Root Key size in bytes */ - uint32_t bmpfv_offset; /* BMP FV offset from start of header */ - uint32_t bmpfv_size; /* BMP FV size in bytes */ - uint32_t recovery_key_offset; /* Recovery Key offset from start of header */ - uint32_t recovery_key_size; /* Recovery Key size in bytes */ +typedef struct GoogleBinaryBlockHeader +{ + /* Fields present in version 1.0 */ + uint8_t signature[GBB_SIGNATURE_SIZE]; /* GBB_SIGNATURE "$GBB" */ + uint16_t major_version; /* See GBB_MAJOR_VER */ + uint16_t minor_version; /* See GBB_MINOR_VER */ + uint32_t header_size; /* size of GBB header in bytes */ + uint32_t flags; /* Flags (see GBB_FLAG_*), should be 0 for 1.0. */ + /* Offsets (from start of header) and sizes (in bytes) of components */ + uint32_t hwid_offset; /* HWID */ + uint32_t hwid_size; + uint32_t rootkey_offset; /* Root key */ + uint32_t rootkey_size; + uint32_t bmpfv_offset; /* BMP FV */ + uint32_t bmpfv_size; + uint32_t recovery_key_offset; /* Recovery key */ + uint32_t recovery_key_size; - uint8_t pad[80]; /* To match GBB_HEADER_SIZE. Initialize to 0. */ + uint8_t pad[80]; /* To match GBB_HEADER_SIZE. Initialize to 0. */ } __attribute__((packed)) GoogleBinaryBlockHeader; #ifdef __cplusplus diff --git a/firmware/include/load_firmware_fw.h b/firmware/include/load_firmware_fw.h index 87af7282..f582e880 100644 --- a/firmware/include/load_firmware_fw.h +++ b/firmware/include/load_firmware_fw.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -14,15 +14,17 @@ #include "vboot_nvstorage.h" #include "vboot_struct.h" -/* Load the rewritable firmware. +/** + * Load the rewritable firmware. * * Pass the common and firmware params from VbSelectFirmware(), and a * VbNvContext. Caller is responsible for calling VbNvSetup() and * VbNvTeardown() on the VbNvContext. * * Returns VBERROR_SUCCESS if successful. If unsuccessful, sets a recovery - * reason via VbNvStorage and returns an error code. */ -int LoadFirmware(VbCommonParams* cparams, VbSelectFirmwareParams* fparams, - VbNvContext* vnc); + * reason via VbNvStorage and returns an error code. + */ +int LoadFirmware(VbCommonParams *cparams, VbSelectFirmwareParams *fparams, + VbNvContext *vnc); #endif /* VBOOT_REFERENCE_LOAD_FIRMWARE_FW_H_ */ diff --git a/firmware/include/load_kernel_fw.h b/firmware/include/load_kernel_fw.h index 0040e56d..7e8d6960 100644 --- a/firmware/include/load_kernel_fw.h +++ b/firmware/include/load_kernel_fw.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -20,63 +20,82 @@ #define BOOT_FLAG_DEVELOPER UINT64_C(0x01) /* In recovery mode */ #define BOOT_FLAG_RECOVERY UINT64_C(0x02) -/* Skip check of kernel buffer address. Since body load address check is - * omitted; this flag is deprecated and not used anywhere in the codebase. */ -#define BOOT_FLAG_SKIP_ADDR_CHECK UINT64_C(0x04) typedef struct LoadKernelParams { - /* Inputs to LoadKernel() */ - void* shared_data_blob; /* Buffer for data shared between - * LoadFirmware() and LoadKernel(). Pass the - * same buffer which was passed to - * LoadFirmware(). */ - uint64_t shared_data_size; /* Size of shared data blob buffer, in bytes. - * On output, this will contain the actual - * data size placed into the buffer. */ - void* gbb_data; /* Pointer to GBB data */ - uint64_t gbb_size; /* Size of GBB data in bytes */ + /* Inputs to LoadKernel() */ + /* + * Buffer for data shared between LoadFirmware() and LoadKernel(). + * Pass the same buffer which was passed to LoadFirmware(). + */ + void *shared_data_blob; + /* + * Size of shared data blob buffer, in bytes. On output, this will + * contain the actual data size placed into the buffer. + */ + uint64_t shared_data_size; + /* Pointer to GBB data */ + void *gbb_data; + /* Size of GBB data in bytes */ + uint64_t gbb_size; + /* Disk handle for current device */ + VbExDiskHandle_t disk_handle; + /* Bytes per lba sector on current device */ + uint64_t bytes_per_lba; + /* Last addressable lba sector on current device */ + uint64_t ending_lba; + /* Destination buffer for kernel (normally at 0x100000) */ + void *kernel_buffer; + /* Size of kernel buffer in bytes */ + uint64_t kernel_buffer_size; + /* Boot flags */ + uint64_t boot_flags; + /* + * Context for NV storage. Caller is responsible for calling + * VbNvSetup() and VbNvTeardown() on the context. + */ + VbNvContext *nv_context; - VbExDiskHandle_t disk_handle; /* Disk handle for current device */ - uint64_t bytes_per_lba; /* Bytes per lba sector on current device */ - uint64_t ending_lba; /* Last addressable lba sector on current - * device */ - - void* kernel_buffer; /* Destination buffer for kernel - * (normally at 0x100000) */ - uint64_t kernel_buffer_size; /* Size of kernel buffer in bytes */ - uint64_t boot_flags; /* Boot flags */ - VbNvContext* nv_context; /* Context for NV storage. Caller is - * responsible for calling VbNvSetup() and - * VbNvTeardown() on the context. */ - - /* Outputs from LoadKernel(); valid only if LoadKernel() returns - * LOAD_KERNEL_SUCCESS */ - uint64_t partition_number; /* Partition number to boot on current device - * (1...M) */ - uint64_t bootloader_address; /* Address of bootloader image in RAM */ - uint64_t bootloader_size; /* Size of bootloader image in bytes */ - uint8_t partition_guid[16]; /* UniquePartitionGuid for boot partition */ + /* + * Outputs from LoadKernel(); valid only if LoadKernel() returns + * LOAD_KERNEL_SUCCESS + */ + /* Partition number to boot on current device (1...M) */ + uint64_t partition_number; + /* Address of bootloader image in RAM */ + uint64_t bootloader_address; + /* Size of bootloader image in bytes */ + uint64_t bootloader_size; + /* UniquePartitionGuid for boot partition */ + uint8_t partition_guid[16]; } LoadKernelParams; -VbError_t LoadKernel(LoadKernelParams* params); -/* Attempts to load the kernel from the current device. +/** + * Attempt to load the kernel from the current device. * * Returns VBERROR_SUCCESS if successful. If unsuccessful, sets a recovery - * reason via VbNvStorage and returns an error code. */ - + * reason via VbNvStorage and returns an error code. + */ +VbError_t LoadKernel(LoadKernelParams *params); +/* + * The bootloader is loaded using the EFI LoadImage() and StartImage() calls. + * Pass this struct via loaded_image->load_options. + */ typedef struct KernelBootloaderOptions { - /* The bootloader is loaded using the EFI LoadImage() and StartImage() - * calls. Pass this struct via loaded_image->load_options. */ - uint64_t drive_number; /* Drive number of boot device (0...N) */ - uint64_t partition_number; /* Partition number, as returned from - * LoadKernel() in - * LoadKernelParams.partition_number */ - uint64_t original_address; /* Absolute bootloader start adddress, - * as returned from LoadKernel() in - * LoadKernelParams.bootloader_start */ - uint8_t partition_guid[16]; /* UniquePartitionGuid for boot partition */ + /* Drive number of boot device (0...N) */ + uint64_t drive_number; + /* + * Partition number, as returned from LoadKernel() in + * LoadKernelParams.partition_number + */ + uint64_t partition_number; + /* + * Absolute bootloader start adddress, as returned from LoadKernel() in + * LoadKernelParams.bootloader_start + */ + uint64_t original_address; + /* UniquePartitionGuid for boot partition */ + uint8_t partition_guid[16]; } KernelBootloaderOptions; - #endif /* VBOOT_REFERENCE_LOAD_KERNEL_FW_H_ */ diff --git a/firmware/include/tlcl.h b/firmware/include/tlcl.h index cd82fdca..ca4e47f7 100644 --- a/firmware/include/tlcl.h +++ b/firmware/include/tlcl.h @@ -1,9 +1,10 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ -/* TPM Lightweight Command Library. +/* + * TPM Lightweight Command Library. * * A low-level library for interfacing to TPM hardware or an emulator. */ @@ -17,163 +18,200 @@ /*****************************************************************************/ /* Functions implemented in tlcl.c */ -/* Call this first. Returns 0 if success, nonzero if error. +/** + * Call this first. Returns 0 if success, nonzero if error. */ uint32_t TlclLibInit(void); -/* Call this on shutdown. Returns 0 if success, nonzero if error. +/** + * Call this on shutdown. Returns 0 if success, nonzero if error. */ uint32_t TlclLibClose(void); -/* Logs to stdout. Arguments like printf. +/** + * Log to stdout. Arguments like printf. */ -void TlclLog(char* format, ...); +void TlclLog(char *format, ...); -/* Sets the log level. 0 is quietest. +/** + * Set the log level. 0 is quietest. */ void TlclSetLogLevel(int level); /* Low-level operations */ -/* Performs a raw TPM request/response transaction. +/** + * Perform a raw TPM request/response transaction. */ -uint32_t TlclSendReceive(const uint8_t* request, uint8_t* response, +uint32_t TlclSendReceive(const uint8_t *request, uint8_t *response, int max_length); -/* Returns the size of a TPM request or response packet. +/** + * Return the size of a TPM request or response packet. */ -int TlclPacketSize(const uint8_t* packet); +int TlclPacketSize(const uint8_t *packet); /* Commands */ -/* Sends a TPM_Startup(ST_CLEAR). The TPM error code is returned (0 - * for success). +/** + * Send a TPM_Startup(ST_CLEAR). The TPM error code is returned (0 for + * success). */ uint32_t TlclStartup(void); -/* Save the TPM state. Normally done by the kernel before a suspend, included +/** + * Save the TPM state. Normally done by the kernel before a suspend, included * here for tests. The TPM error code is returned (0 for success). */ uint32_t TlclSaveState(void); -/* Resumes by sending a TPM_Startup(ST_STATE). The TPM error code is returned +/** + * Resume by sending a TPM_Startup(ST_STATE). The TPM error code is returned * (0 for success). */ uint32_t TlclResume(void); -/* Runs the self test. Note---this is synchronous. To run this in parallel - * with other firmware, use ContinueSelfTest. The TPM error code is returned. +/** + * Run the self test. + * + * Note---this is synchronous. To run this in parallel with other firmware, + * use ContinueSelfTest(). The TPM error code is returned. */ uint32_t TlclSelfTestFull(void); -/* Runs the self test in the background. +/** + * Run the self test in the background. */ uint32_t TlclContinueSelfTest(void); -/* Defines a space with permission [perm]. [index] is the index for the space, +/** + * Define a space with permission [perm]. [index] is the index for the space, * [size] the usable data size. The TPM error code is returned. */ uint32_t TlclDefineSpace(uint32_t index, uint32_t perm, uint32_t size); -/* Writes [length] bytes of [data] to space at [index]. The TPM error code is +/** + * Write [length] bytes of [data] to space at [index]. The TPM error code is * returned. */ -uint32_t TlclWrite(uint32_t index, const void* data, uint32_t length); +uint32_t TlclWrite(uint32_t index, const void *data, uint32_t length); -/* Reads [length] bytes from space at [index] into [data]. The TPM error code +/** + * Read [length] bytes from space at [index] into [data]. The TPM error code * is returned. */ -uint32_t TlclRead(uint32_t index, void* data, uint32_t length); +uint32_t TlclRead(uint32_t index, void *data, uint32_t length); -/* Reads PCR at [index] into [data]. [length] must be TPM_PCR_DIGEST or +/** + * Read PCR at [index] into [data]. [length] must be TPM_PCR_DIGEST or * larger. The TPM error code is returned. */ -uint32_t TlclPCRRead(uint32_t index, void* data, uint32_t length); +uint32_t TlclPCRRead(uint32_t index, void *data, uint32_t length); -/* Write-locks space at [index]. The TPM error code is returned. +/** + * Write-lock space at [index]. The TPM error code is returned. */ uint32_t TlclWriteLock(uint32_t index); -/* Read-locks space at [index]. The TPM error code is returned. +/** + * Read-lock space at [index]. The TPM error code is returned. */ uint32_t TlclReadLock(uint32_t index); -/* Asserts physical presence in software. The TPM error code is returned. +/** + * Assert physical presence in software. The TPM error code is returned. */ uint32_t TlclAssertPhysicalPresence(void); -/* Enables the physical presence command. The TPM error code is returned. +/** + * Enable the physical presence command. The TPM error code is returned. */ uint32_t TlclPhysicalPresenceCMDEnable(void); -/* Finalizes the physical presence settings: sofware PP is enabled, hardware PP +/** + * Finalize the physical presence settings: sofware PP is enabled, hardware PP * is disabled, and the lifetime lock is set. The TPM error code is returned. */ uint32_t TlclFinalizePhysicalPresence(void); -/* Turns off physical presence and locks it off until next reboot. The TPM +/** + * Turn off physical presence and locks it off until next reboot. The TPM * error code is returned. */ uint32_t TlclLockPhysicalPresence(void); -/* Sets the nvLocked bit. The TPM error code is returned. +/** + * Set the nvLocked bit. The TPM error code is returned. */ uint32_t TlclSetNvLocked(void); -/* Returns 1 if the TPM is owned, 0 otherwise. +/** + * Return 1 if the TPM is owned, 0 otherwise. */ int TlclIsOwned(void); -/* Issues a ForceClear. The TPM error code is returned. +/** + * Issue a ForceClear. The TPM error code is returned. */ uint32_t TlclForceClear(void); -/* Issues a PhysicalEnable. The TPM error code is returned. +/** + * Issue a PhysicalEnable. The TPM error code is returned. */ uint32_t TlclSetEnable(void); -/* Issues a PhysicalDisable. The TPM error code is returned. +/** + * Issue a PhysicalDisable. The TPM error code is returned. */ uint32_t TlclClearEnable(void); -/* Issues a SetDeactivated. Pass 0 to activate. Returns result code. +/** + * Issue a SetDeactivated. Pass 0 to activate. Returns result code. */ uint32_t TlclSetDeactivated(uint8_t flag); -/* Gets flags of interest. Pointers for flags you aren't interested in may +/** + * Get flags of interest. Pointers for flags you aren't interested in may * be NULL. The TPM error code is returned. */ -uint32_t TlclGetFlags(uint8_t* disable, uint8_t* deactivated, - uint8_t* nvlocked); +uint32_t TlclGetFlags(uint8_t *disable, uint8_t *deactivated, + uint8_t *nvlocked); -/* Sets the bGlobalLock flag, which only a reboot can clear. The TPM error +/** + * Set the bGlobalLock flag, which only a reboot can clear. The TPM error * code is returned. */ uint32_t TlclSetGlobalLock(void); -/* Performs a TPM_Extend. +/** + * Perform a TPM_Extend. */ -uint32_t TlclExtend(int pcr_num, const uint8_t* in_digest, uint8_t* out_digest); +uint32_t TlclExtend(int pcr_num, const uint8_t *in_digest, uint8_t *out_digest); -/* Gets the permission bits for the NVRAM space with |index|. +/** + * Get the permission bits for the NVRAM space with |index|. */ -uint32_t TlclGetPermissions(uint32_t index, uint32_t* permissions); +uint32_t TlclGetPermissions(uint32_t index, uint32_t *permissions); -/* Gets the entire set of permanent flags. +/** + * Get the entire set of permanent flags. */ -uint32_t TlclGetPermanentFlags(TPM_PERMANENT_FLAGS* pflags); +uint32_t TlclGetPermanentFlags(TPM_PERMANENT_FLAGS *pflags); -/* Gets the entire set of volatile (ST_CLEAR) flags. +/** + * Get the entire set of volatile (ST_CLEAR) flags. */ -uint32_t TlclGetSTClearFlags(TPM_STCLEAR_FLAGS* pflags); +uint32_t TlclGetSTClearFlags(TPM_STCLEAR_FLAGS *pflags); -/* Gets ownership flag. The TPM error code is returned. +/** + * Get the ownership flag. The TPM error code is returned. */ -uint32_t TlclGetOwnership(uint8_t* owned); +uint32_t TlclGetOwnership(uint8_t *owned); -/* Requests [length] bytes from TPM RNG to be stored in [data]. Actual - * number of bytes read is stored in [size]. The TPM error code is returned. +/** + * Request [length] bytes from TPM RNG to be stored in [data]. Actual number of + * bytes read is stored in [size]. The TPM error code is returned. */ -uint32_t TlclGetRandom(uint8_t* data, uint32_t length, uint32_t* size); +uint32_t TlclGetRandom(uint8_t *data, uint32_t length, uint32_t *size); #endif /* TPM_LITE_TLCL_H_ */ diff --git a/firmware/include/tss_constants.h b/firmware/include/tss_constants.h index ef584007..bcceded8 100644 --- a/firmware/include/tss_constants.h +++ b/firmware/include/tss_constants.h @@ -1,9 +1,9 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * - * Some TPM constants and type definitions for standalone compilation for use in - * the firmware + * Some TPM constants and type definitions for standalone compilation for use + * in the firmware */ #ifndef VBOOT_REFERENCE_TSS_CONSTANTS_H_ @@ -63,36 +63,36 @@ typedef uint16_t TPM_STRUCTURE_TAG; typedef struct tdTPM_PERMANENT_FLAGS { - TPM_STRUCTURE_TAG tag; - TSS_BOOL disable; - TSS_BOOL ownership; - TSS_BOOL deactivated; - TSS_BOOL readPubek; - TSS_BOOL disableOwnerClear; - TSS_BOOL allowMaintenance; - TSS_BOOL physicalPresenceLifetimeLock; - TSS_BOOL physicalPresenceHWEnable; - TSS_BOOL physicalPresenceCMDEnable; - TSS_BOOL CEKPUsed; - TSS_BOOL TPMpost; - TSS_BOOL TPMpostLock; - TSS_BOOL FIPS; - TSS_BOOL Operator; - TSS_BOOL enableRevokeEK; - TSS_BOOL nvLocked; - TSS_BOOL readSRKPub; - TSS_BOOL tpmEstablished; - TSS_BOOL maintenanceDone; - TSS_BOOL disableFullDALogicInfo; + TPM_STRUCTURE_TAG tag; + TSS_BOOL disable; + TSS_BOOL ownership; + TSS_BOOL deactivated; + TSS_BOOL readPubek; + TSS_BOOL disableOwnerClear; + TSS_BOOL allowMaintenance; + TSS_BOOL physicalPresenceLifetimeLock; + TSS_BOOL physicalPresenceHWEnable; + TSS_BOOL physicalPresenceCMDEnable; + TSS_BOOL CEKPUsed; + TSS_BOOL TPMpost; + TSS_BOOL TPMpostLock; + TSS_BOOL FIPS; + TSS_BOOL Operator; + TSS_BOOL enableRevokeEK; + TSS_BOOL nvLocked; + TSS_BOOL readSRKPub; + TSS_BOOL tpmEstablished; + TSS_BOOL maintenanceDone; + TSS_BOOL disableFullDALogicInfo; } TPM_PERMANENT_FLAGS; typedef struct tdTPM_STCLEAR_FLAGS{ - TPM_STRUCTURE_TAG tag; - TSS_BOOL deactivated; - TSS_BOOL disableForceClear; - TSS_BOOL physicalPresence; - TSS_BOOL physicalPresenceLock; - TSS_BOOL bGlobalLock; + TPM_STRUCTURE_TAG tag; + TSS_BOOL deactivated; + TSS_BOOL disableForceClear; + TSS_BOOL physicalPresence; + TSS_BOOL physicalPresenceLock; + TSS_BOOL bGlobalLock; } TPM_STCLEAR_FLAGS; #endif /* VBOOT_REFERENCE_TSS_CONSTANTS_H_ */ diff --git a/firmware/include/utility.h b/firmware/include/utility.h index 5a71e835..ead2351e 100644 --- a/firmware/include/utility.h +++ b/firmware/include/utility.h @@ -1,9 +1,10 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ -/* Helper functions/wrappers for memory allocations, manipulation and +/* + * Helper functions/wrappers for memory allocations, manipulation and * comparison. */ @@ -20,7 +21,8 @@ #endif #ifndef VBOOT_PERFORMANCE -/* Define performance macros as nothing. If you enable VBOOT_PERFORMANCE, +/* + * Define performance macros as nothing. If you enable VBOOT_PERFORMANCE, * you must define these macros in your platform's biosincludes.h. * * Intended usage for using a performance counter called 'foo': @@ -50,56 +52,72 @@ #define VBEASTEREGG 0 #endif -/* Combine [msw] and [lsw] uint16s to a uint32_t with its [msw] and - * [lsw] forming the most and least signficant 16-bit words. +/* + * Combine [msw] and [lsw] uint16s to a uint32_t with its [msw] and [lsw] + * forming the most and least signficant 16-bit words. */ #define CombineUint16Pair(msw,lsw) (((uint32_t)(msw) << 16) | \ (((lsw)) & 0xFFFF)) + /* Return the minimum of (a) or (b). */ #define Min(a, b) (((a) < (b)) ? (a) : (b)) -/* Compare [n] bytes in [src1] and [src2] - * Returns an integer less than, equal to, or greater than zero if the first [n] - * bytes of [src1] is found, respectively, to be less than, to match, or be +/** + * Compare [n] bytes in [src1] and [src2]. + * + * Returns an integer less than, equal to, or greater than zero if the first + * [n] bytes of [src1] is found, respectively, to be less than, to match, or be * greater than the first n bytes of [src2]. */ -int Memcmp(const void* src1, const void* src2, size_t n); - -/* Copy [n] bytes from [src] to [dest]. */ -void* Memcpy(void* dest, const void* src, uint64_t n); +int Memcmp(const void *src1, const void *src2, size_t n); +/** + * Copy [n] bytes from [src] to [dest]. + */ +void *Memcpy(void *dest, const void *src, uint64_t n); -/* Implementations of the functions below must be built as part of the firmware - * and defined in lib/utility.c */ +/* + * Implementations of the functions below must be built as part of the firmware + * and defined in lib/utility.c. + */ -/* Set [n] bytes starting at [s] to [c]. Returns dest. */ -void* Memset(void* dest, const uint8_t c, uint64_t n); +/** + * Set [n] bytes starting at [s] to [c]. Returns dest. + */ +void *Memset(void *dest, const uint8_t c, uint64_t n); -/* Compare [n] bytes starting at [s1] with [s2] and return 0 if they +/** + * Compare [n] bytes starting at [s1] with [s2] and return 0 if they * match, 1 if they don't. Returns 0 if n=0, since no bytes mismatched. + * * Time taken to perform the comparison is only dependent on [n] and * not on the relationship of the match between [s1] and [s2]. * * Note that unlike Memcmp(), this only indicates inequality, not * whether s1 is less than or greater than s2. */ -int SafeMemcmp(const void* s1, const void* s2, size_t n); +int SafeMemcmp(const void *s1, const void *s2, size_t n); -/* Buffer size required to hold the longest possible output of - * Uint64ToString() - that is, Uint64ToString(~0, 2). */ +/* + * Buffer size required to hold the longest possible output of Uint64ToString() + * - that is, Uint64ToString(~0, 2). + */ #define UINT64_TO_STRING_MAX 65 -/* Convert a value to a string in the specified radix (2=binary, 10=decimal, +/** + * Convert a value to a string in the specified radix (2=binary, 10=decimal, * 16=hex) and store it in <buf>, which is <bufsize> chars long. If * <zero_pad_width>, left-pads the string to at least that width with '0'. - * Returns the length of the stored string, not counting the terminating - * null. */ + * Returns the length of the stored string, not counting the terminating null. + */ uint32_t Uint64ToString(char *buf, uint32_t bufsize, uint64_t value, uint32_t radix, uint32_t zero_pad_width); -/* Concatenate <src> onto <dest>, which has space for <destlen> characters +/** + * Concatenate <src> onto <dest>, which has space for <destlen> characters * including the terminating null. Note that <dest> will always be - * null-terminated if <destlen> > 0. Returns the number of characters - * used in <dest>, not counting the terminating null. */ + * null-terminated if <destlen> > 0. Returns the number of characters used in + * <dest>, not counting the terminating null. + */ uint32_t Strncat(char *dest, const char *src, uint32_t destlen); /* Ensure that only our stub implementations are used, not standard C */ diff --git a/firmware/include/vboot_api.h b/firmware/include/vboot_api.h index 5b55bf50..d91db7d8 100644 --- a/firmware/include/vboot_api.h +++ b/firmware/include/vboot_api.h @@ -1,24 +1,23 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ -/* APIs provided by firmware to vboot_reference. */ - -/* General notes: +/* APIs provided by firmware to vboot_reference. + * + * General notes: + * + * All verified boot functions now start with "Vb" for namespace clarity. This + * fixes the problem where uboot and vboot both defined assert(). * - * All verified boot functions now start with "Vb" for namespace - * clarity. This fixes the problem where uboot and vboot both defined - * assert(). + * Verified boot APIs to be implemented by the calling firmware and exported to + * vboot_reference start with "VbEx". * - * Verified boot APIs to be implemented by the calling firmware and - * exported to vboot_reference start with "VbEx". + * TODO: split this file into a vboot_entry_points.h file which contains the + * entry points for the firmware to call vboot_reference, and a + * vboot_firmware_exports.h which contains the APIs to be implemented by the + * calling firmware and exported to vboot_reference. */ -/* TODO: split this file into a vboot_entry_points.h file which - * contains the entry points for the firmware to call vboot_reference, - * and a vboot_firmware_exports.h which contains the APIs to be - * implemented by the calling firmware and exported to - * vboot_reference. */ #ifndef VBOOT_REFERENCE_VBOOT_API_H_ #define VBOOT_REFERENCE_VBOOT_API_H_ @@ -26,132 +25,148 @@ #include "sysincludes.h" #include "bmpblk_header.h" - /*****************************************************************************/ /* Error codes */ -/* Functions which return an error all return this type. This is a - * 32-bit value rather than an int so it's consistent across UEFI, - * which is 32-bit during PEI and 64-bit during DXE/BDS. */ +/* + * Functions which return an error all return this type. This is a 32-bit + * value rather than an int so it's consistent across UEFI, which is 32-bit + * during PEI and 64-bit during DXE/BDS. + */ typedef uint32_t VbError_t; -/* Predefined error numbers. */ +/* + * Predefined error numbers. Success is 0. Errors are non-zero, but differ + * between functions. For example, the TPM functions may pass through TPM + * error codes, some of which may be recoverable. + */ enum VbErrorPredefined_t { - /* No error; function completed successfully. */ - VBERROR_SUCCESS = 0, - - /* Errors are non-zero, but differ between functions. For example, - * the TPM functions may pass through TPM error codes, some of which - * may be recoverable. */ - - /* The verified boot entry points VbInit(), VbSelectFirmware(), - * VbSelectAndLoadKernel() may return the following errors. */ - - /* Unknown error */ - VBERROR_UNKNOWN = 0x10000, - /* Unable to initialize shared data */ - VBERROR_INIT_SHARED_DATA = 0x10001, - /* Error resuming TPM during a S3 resume */ - VBERROR_TPM_S3_RESUME = 0x10002, - /* VbSelectFirmware() failed to find a valid firmware */ - VBERROR_LOAD_FIRMWARE = 0x10003, - /* Unable to write firmware versions to TPM */ - VBERROR_TPM_WRITE_FIRMWARE = 0x10004, - /* Unable to lock firmware versions in TPM */ - VBERROR_TPM_LOCK_FIRMWARE = 0x10005, - /* Unable to set boot mode state in TPM */ - VBERROR_TPM_SET_BOOT_MODE_STATE = 0x10006, - /* TPM requires reboot */ - VBERROR_TPM_REBOOT_REQUIRED = 0x10007, - /* Unable to set up TPM */ - VBERROR_TPM_FIRMWARE_SETUP = 0x10008, - /* Unable to read kernel versions from TPM */ - VBERROR_TPM_READ_KERNEL = 0x10009, - /* Attempted to load developer-only firmware when developer switch was off */ - VBERROR_DEV_FIRMWARE_SWITCH_MISMATCH = 0x1000A, - /* Unable to write kernel versions to TPM */ - VBERROR_TPM_WRITE_KERNEL = 0x1000B, - /* Unable to lock kernel versions in TPM */ - VBERROR_TPM_LOCK_KERNEL = 0x1000C, - /* Calling firmware requested shutdown via VbExIsShutdownRequested() */ - VBERROR_SHUTDOWN_REQUESTED = 0x1000D, - /* Unable to find a suitable boot device on which to look for a kernel */ - VBERROR_NO_DISK_FOUND = 0x1000E, - /* No OS kernel found on any boot device */ - VBERROR_NO_KERNEL_FOUND = 0x1000F, - /* All OS kernels found were invalid (corrupt, improperly signed, etc.) */ - VBERROR_INVALID_KERNEL_FOUND = 0x10010, - /* VbSelectAndLoadKernel() requested recovery mode */ - VBERROR_LOAD_KERNEL_RECOVERY = 0x10011, - /* Other error inside VbSelectAndLoadKernel() */ - VBERROR_LOAD_KERNEL = 0x10012, - /* Invalid Google binary block */ - VBERROR_INVALID_GBB = 0x10013, - /* Invalid bitmap volume */ - VBERROR_INVALID_BMPFV = 0x10014, - /* Invalid screen index */ - VBERROR_INVALID_SCREEN_INDEX = 0x10015, - /* Simulated (test) error */ - VBERROR_SIMULATED = 0x10016, - /* Invalid parameter */ - VBERROR_INVALID_PARAMETER = 0x10017, - /* VbExBeep() can't make sounds at all */ - VBERROR_NO_SOUND = 0x10018, - /* VbExBeep() can't make sound in the background */ - VBERROR_NO_BACKGROUND_SOUND = 0x10019, - /* Developer has requested a BIOS shell */ - VBERROR_BIOS_SHELL_REQUESTED = 0x10020, - /* Need VGA and don't have it, or vice-versa */ - VBERROR_VGA_OPROM_MISMATCH = 0x10021, - /* Need EC to reboot to read-only code */ - VBERROR_EC_REBOOT_TO_RO_REQUIRED = 0x10022 + /* No error; function completed successfully. */ + VBERROR_SUCCESS = 0, + + /* + * The verified boot entry points VbInit(), VbSelectFirmware(), + * VbSelectAndLoadKernel() may return the following errors. + */ + /* Unknown error */ + VBERROR_UNKNOWN = 0x10000, + /* Unable to initialize shared data */ + VBERROR_INIT_SHARED_DATA = 0x10001, + /* Error resuming TPM during a S3 resume */ + VBERROR_TPM_S3_RESUME = 0x10002, + /* VbSelectFirmware() failed to find a valid firmware */ + VBERROR_LOAD_FIRMWARE = 0x10003, + /* Unable to write firmware versions to TPM */ + VBERROR_TPM_WRITE_FIRMWARE = 0x10004, + /* Unable to lock firmware versions in TPM */ + VBERROR_TPM_LOCK_FIRMWARE = 0x10005, + /* Unable to set boot mode state in TPM */ + VBERROR_TPM_SET_BOOT_MODE_STATE = 0x10006, + /* TPM requires reboot */ + VBERROR_TPM_REBOOT_REQUIRED = 0x10007, + /* Unable to set up TPM */ + VBERROR_TPM_FIRMWARE_SETUP = 0x10008, + /* Unable to read kernel versions from TPM */ + VBERROR_TPM_READ_KERNEL = 0x10009, + /* Attempt to load developer-only firmware with developer switch off */ + VBERROR_DEV_FIRMWARE_SWITCH_MISMATCH = 0x1000A, + /* Unable to write kernel versions to TPM */ + VBERROR_TPM_WRITE_KERNEL = 0x1000B, + /* Unable to lock kernel versions in TPM */ + VBERROR_TPM_LOCK_KERNEL = 0x1000C, + /* Calling firmware requested shutdown via VbExIsShutdownRequested() */ + VBERROR_SHUTDOWN_REQUESTED = 0x1000D, + /* Unable to find a boot device on which to look for a kernel */ + VBERROR_NO_DISK_FOUND = 0x1000E, + /* No OS kernel found on any boot device */ + VBERROR_NO_KERNEL_FOUND = 0x1000F, + /* All OS kernels found were invalid (corrupt, improperly signed...) */ + VBERROR_INVALID_KERNEL_FOUND = 0x10010, + /* VbSelectAndLoadKernel() requested recovery mode */ + VBERROR_LOAD_KERNEL_RECOVERY = 0x10011, + /* Other error inside VbSelectAndLoadKernel() */ + VBERROR_LOAD_KERNEL = 0x10012, + /* Invalid Google binary block */ + VBERROR_INVALID_GBB = 0x10013, + /* Invalid bitmap volume */ + VBERROR_INVALID_BMPFV = 0x10014, + /* Invalid screen index */ + VBERROR_INVALID_SCREEN_INDEX = 0x10015, + /* Simulated (test) error */ + VBERROR_SIMULATED = 0x10016, + /* Invalid parameter */ + VBERROR_INVALID_PARAMETER = 0x10017, + /* VbExBeep() can't make sounds at all */ + VBERROR_NO_SOUND = 0x10018, + /* VbExBeep() can't make sound in the background */ + VBERROR_NO_BACKGROUND_SOUND = 0x10019, + /* Developer has requested a BIOS shell */ + VBERROR_BIOS_SHELL_REQUESTED = 0x10020, + /* Need VGA and don't have it, or vice-versa */ + VBERROR_VGA_OPROM_MISMATCH = 0x10021, + /* Need EC to reboot to read-only code */ + VBERROR_EC_REBOOT_TO_RO_REQUIRED = 0x10022 }; /*****************************************************************************/ /* Main entry points from firmware into vboot_reference */ -/* Minimum and recommended size of shared_data_blob in bytes. Shared - * data blob is used to communicate data between calls to VbInit(), - * VbSelectFirmware(), the OS. Minimum size is enough to hold all - * required data for verified boot but may not be able to hold debug - * output. */ +/* + * Minimum and recommended size of shared_data_blob in bytes. Shared data blob + * is used to communicate data between calls to VbInit(), VbSelectFirmware(), + * the OS. Minimum size is enough to hold all required data for verified boot + * but may not be able to hold debug output. + */ #define VB_SHARED_DATA_MIN_SIZE 3072 #define VB_SHARED_DATA_REC_SIZE 16384 -/* Data passed by firmware to VbInit(), VbSelectFirmware() and - * VbSelectAndLoadKernel(). */ -/* Note that in UEFI, these are called by different phases in - * different processor modes (VbInit() and VbSelectFirmware() = 32-bit PEI, +/* + * Data passed by firmware to VbInit(), VbSelectFirmware() and + * VbSelectAndLoadKernel(). + * + * Note that in UEFI, these are called by different phases in different + * processor modes (VbInit() and VbSelectFirmware() = 32-bit PEI, * VbSelectAndLoadKernel() = 64-bit BDS), so the data may be at a different - * location between calls. */ + * location between calls. + */ typedef struct VbCommonParams { - void* gbb_data; /* Pointer to GBB data */ - uint32_t gbb_size; /* Size of GBB data in bytes */ - - /* Shared data blob for data shared between verified boot entry - * points. This should be at least VB_SHARED_DATA_MIN_SIZE bytes - * long, and ideally is VB_SHARED_DATA_REC_SIZE bytes long. */ - void* shared_data_blob; /* Pointer to shared data blob buffer */ - uint32_t shared_data_size; /* On input, set to size of shared data blob - * buffer, in bytes. On output, this will - * contain the actual data size placed into - * the buffer. */ - - /* Internal context/data for verified boot, to maintain state during - * calls to other API functions such as VbExHashFirmwareBody(). - * Allocated and freed inside the entry point; firmware should not - * look at this. */ - void* vboot_context; - - /* Internal context/data for firmware / VbExHashFirmwareBody(). - * Needed because the PEI phase of UEFI boot runs out of ROM and - * thus can't modify global variables; everything needs to get - * passed around on the stack. */ - void* caller_context; + /* Pointer to GBB data */ + void *gbb_data; + /* Size of GBB data in bytes */ + uint32_t gbb_size; + + /* + * Shared data blob for data shared between verified boot entry points. + * This should be at least VB_SHARED_DATA_MIN_SIZE bytes long, and + * ideally is VB_SHARED_DATA_REC_SIZE bytes long. + */ + /* Pointer to shared data blob buffer */ + void *shared_data_blob; + /* + * On input, set to size of shared data blob buffer, in bytes. On + * output, this will contain the actual data size placed into the + * buffer. + */ + uint32_t shared_data_size; + + /* + * Internal context/data for verified boot, to maintain state during + * calls to other API functions such as VbExHashFirmwareBody(). + * Allocated and freed inside the entry point; firmware should not look + * at this. + */ + void *vboot_context; + + /* + * Internal context/data for firmware / VbExHashFirmwareBody(). Needed + * because the PEI phase of UEFI boot runs out of ROM and thus can't + * modify global variables; everything needs to get passed around on + * the stack. + */ + void *caller_context; } VbCommonParams; - /* Flags for VbInitParams.flags */ /* Developer switch was on at boot time. */ #define VB_INIT_FLAG_DEV_SWITCH_ON 0x00000001 @@ -161,17 +176,23 @@ typedef struct VbCommonParams { #define VB_INIT_FLAG_WP_ENABLED 0x00000004 /* This is a S3 resume, not a normal boot. */ #define VB_INIT_FLAG_S3_RESUME 0x00000008 -/* Previous boot attempt failed for reasons external to verified boot (RAM - * init failure, SSD missing, etc.). */ -/* TODO: add a field to VbInitParams which holds a reason code, and report - * that via VbSharedData. */ +/* + * Previous boot attempt failed for reasons external to verified boot (RAM + * init failure, SSD missing, etc.). + * + * TODO: add a field to VbInitParams which holds a reason code, and report + * that via VbSharedData. + */ #define VB_INIT_FLAG_PREVIOUS_BOOT_FAIL 0x00000010 -/* Calling firmware supports read only firmware for normal/developer - * boot path. */ +/* + * Calling firmware supports read only firmware for normal/developer boot path. + */ #define VB_INIT_FLAG_RO_NORMAL_SUPPORT 0x00000020 -/* This platform does not have a physical dev-switch, so we must rely on a +/* + * This platform does not have a physical dev-switch, so we must rely on a * virtual switch (kept in the TPM) instead. When this flag is set, - * VB_INIT_FLAG_DEV_SWITCH_ON is ignored. */ + * VB_INIT_FLAG_DEV_SWITCH_ON is ignored. + */ #define VB_INIT_FLAG_VIRTUAL_DEV_SWITCH 0x00000040 /* Set when the VGA Option ROM has been loaded already. */ #define VB_INIT_FLAG_OPROM_LOADED 0x00000080 @@ -181,27 +202,35 @@ typedef struct VbCommonParams { #define VB_INIT_FLAG_EC_SOFTWARE_SYNC 0x00000200 /* EC on this platform is slow to update. */ #define VB_INIT_FLAG_EC_SLOW_UPDATE 0x00000400 -/* Software write protect was enabled at boot time. This is separate from the - * HW write protect. Both must be set for flash write protection to work. */ +/* + * Software write protect was enabled at boot time. This is separate from the + * HW write protect. Both must be set for flash write protection to work. + */ #define VB_INIT_FLAG_SW_WP_ENABLED 0x00000800 -/* Output flags for VbInitParams.out_flags. Used to indicate - * potential boot paths and configuration to the calling firmware - * early in the boot process, so that it can properly configure itself - * for the capabilities subsequently required by VbSelectFirmware() - * and VbSelectAndLoadKernel(). */ -/* Enable recovery path. Do not rely on any rewritable data (cached - * RAM timings, etc.). Reliable operation is more important than boot - * speed. */ +/* + * Output flags for VbInitParams.out_flags. Used to indicate potential boot + * paths and configuration to the calling firmware early in the boot process, + * so that it can properly configure itself for the capabilities subsequently + * required by VbSelectFirmware() and VbSelectAndLoadKernel(). + */ +/* + * Enable recovery path. Do not rely on any rewritable data (cached RAM + * timings, etc.). Reliable operation is more important than boot speed. + */ #define VB_INIT_OUT_ENABLE_RECOVERY 0x00000001 /* RAM must be cleared before calling VbSelectFirmware(). */ #define VB_INIT_OUT_CLEAR_RAM 0x00000002 -/* Load display drivers; VbExDisplay*() functions may be called. If this flag - * is not present, VbExDisplay*() functions will not be called this boot. */ +/* + * Load display drivers; VbExDisplay*() functions may be called. If this flag + * is not present, VbExDisplay*() functions will not be called this boot. + */ #define VB_INIT_OUT_ENABLE_DISPLAY 0x00000004 -/* Load USB storage drivers; VbExDisk*() functions may be called with the +/* + * Load USB storage drivers; VbExDisk*() functions may be called with the * VB_DISK_FLAG_REMOVABLE flag. If this flag is not present, VbExDisk*() - * functions will only be called for fixed disks. */ + * functions will only be called for fixed disks. + */ #define VB_INIT_OUT_ENABLE_USB_STORAGE 0x00000008 /* If this is a S3 resume, do a debug reset boot instead */ #define VB_INIT_OUT_S3_DEBUG_BOOT 0x00000010 @@ -212,159 +241,189 @@ typedef struct VbCommonParams { /* Enable developer path. */ #define VB_INIT_OUT_ENABLE_DEVELOPER 0x00000080 - /* Data only used by VbInit() */ typedef struct VbInitParams { - /* Inputs to VbInit() */ - uint32_t flags; /* Flags (see VB_INIT_FLAG_*) */ + /* Inputs to VbInit() */ + /* Flags (see VB_INIT_FLAG_*) */ + uint32_t flags; - /* Outputs from VbInit(); valid only if it returns success. */ - uint32_t out_flags; /* Output flags for firmware; see - * VB_INIT_OUT_*) */ + /* Outputs from VbInit(); valid only if it returns success. */ + /* Output flags for firmware; see VB_INIT_OUT_*) */ + uint32_t out_flags; } VbInitParams; - -/* Firmware types for VbHashFirmwareBody() and - * VbSelectFirmwareParams.selected_firmware. Note that we store these - * in a uint32_t because enum maps to int, which isn't fixed-size. */ +/* + * Firmware types for VbHashFirmwareBody() and + * VbSelectFirmwareParams.selected_firmware. Note that we store these in a + * uint32_t because enum maps to int, which isn't fixed-size. + */ enum VbSelectFirmware_t { - /* Recovery mode */ - VB_SELECT_FIRMWARE_RECOVERY = 0, - /* Rewritable firmware A/B for normal or developer path */ - VB_SELECT_FIRMWARE_A = 1, - VB_SELECT_FIRMWARE_B = 2, - /* Read only firmware for normal or developer path. */ - VB_SELECT_FIRMWARE_READONLY = 3 + /* Recovery mode */ + VB_SELECT_FIRMWARE_RECOVERY = 0, + /* Rewritable firmware A/B for normal or developer path */ + VB_SELECT_FIRMWARE_A = 1, + VB_SELECT_FIRMWARE_B = 2, + /* Read only firmware for normal or developer path. */ + VB_SELECT_FIRMWARE_READONLY = 3 }; - /* Data only used by VbSelectFirmware() */ typedef struct VbSelectFirmwareParams { - /* Inputs to VbSelectFirmware() */ - void* verification_block_A; /* Key block + preamble for firmware A */ - void* verification_block_B; /* Key block + preamble for firmware B */ - uint32_t verification_size_A; /* Verification block A size in bytes */ - uint32_t verification_size_B; /* Verification block B size in bytes */ - - /* Outputs from VbSelectFirmware(); valid only if it returns success. */ - uint32_t selected_firmware; /* Main firmware to run; see - * VB_SELECT_FIRMWARE_*. */ + /* Inputs to VbSelectFirmware() */ + /* Key block + preamble for firmware A */ + void *verification_block_A; + /* Key block + preamble for firmware B */ + void *verification_block_B; + /* Verification block A size in bytes */ + uint32_t verification_size_A; + /* Verification block B size in bytes */ + uint32_t verification_size_B; + + /* Outputs from VbSelectFirmware(); valid only if it returns success. */ + /* Main firmware to run; see VB_SELECT_FIRMWARE_*. */ + uint32_t selected_firmware; } VbSelectFirmwareParams; - -/* We use disk handles rather than indices. Using indices causes problems if - * a disk is removed/inserted in the middle of processing. */ -typedef void* VbExDiskHandle_t; - +/* + * We use disk handles rather than indices. Using indices causes problems if + * a disk is removed/inserted in the middle of processing. + */ +typedef void *VbExDiskHandle_t; /* Data used only by VbSelectAndLoadKernel() */ typedef struct VbSelectAndLoadKernelParams { - /* Inputs to VbSelectAndLoadKernel() */ - void* kernel_buffer; /* Destination buffer for kernel - * (normally at 0x100000 on x86) */ - uint32_t kernel_buffer_size; /* Size of kernel buffer in bytes */ - - /* Outputs from VbSelectAndLoadKernel(); valid only if it returns success. */ - VbExDiskHandle_t disk_handle; /* Handle of disk containing loaded kernel */ - uint32_t partition_number; /* Partition number on disk to boot (1...M) */ - uint64_t bootloader_address; /* Address of bootloader image in RAM */ - uint32_t bootloader_size; /* Size of bootloader image in bytes */ - uint8_t partition_guid[16]; /* UniquePartitionGuid for boot partition */ - /* TODO: in H2C, all that pretty much just gets passed to the bootloader - * as KernelBootloaderOptions, though the disk handle is passed as an index - * instead of a handle. Is that used anymore now that we're passing - * partition_guid? */ + /* Inputs to VbSelectAndLoadKernel() */ + /* Destination buffer for kernel (normally at 0x100000 on x86) */ + void *kernel_buffer; + /* Size of kernel buffer in bytes */ + uint32_t kernel_buffer_size; + + /* + * Outputs from VbSelectAndLoadKernel(); valid only if it returns + * success. + */ + /* Handle of disk containing loaded kernel */ + VbExDiskHandle_t disk_handle; + /* Partition number on disk to boot (1...M) */ + uint32_t partition_number; + /* Address of bootloader image in RAM */ + uint64_t bootloader_address; + /* Size of bootloader image in bytes */ + uint32_t bootloader_size; + /* UniquePartitionGuid for boot partition */ + uint8_t partition_guid[16]; + /* + * TODO: in H2C, all that pretty much just gets passed to the + * bootloader as KernelBootloaderOptions, though the disk handle is + * passed as an index instead of a handle. Is that used anymore now + * that we're passing partition_guid? + */ } VbSelectAndLoadKernelParams; - -/* Initialize the verified boot library. +/** + * Initialize the verified boot library. * * Returns VBERROR_SUCCESS if success, non-zero if error; on error, - * caller should reboot. */ -VbError_t VbInit(VbCommonParams* cparams, VbInitParams* iparams); - + * caller should reboot. + */ +VbError_t VbInit(VbCommonParams *cparams, VbInitParams *iparams); -/* Select the main firmware. +/** + * Select the main firmware. * * Returns VBERROR_SUCCESS if success, non-zero if error; on error, - * caller should reboot. */ -/* NOTE: This is now called in all modes, including recovery. - * Previously, LoadFirmware() was not called in recovery mode, which - * meant that LoadKernel() needed to duplicate the TPM and - * VbSharedData initialization code. */ -VbError_t VbSelectFirmware(VbCommonParams* cparams, - VbSelectFirmwareParams* fparams); - -/* Update the data hash for the current firmware image, extending it - * by [size] bytes stored in [*data]. This function must only be - * called inside VbExHashFirmwareBody(), which is in turn called by - * VbSelectFirmware(). */ -void VbUpdateFirmwareBodyHash(VbCommonParams* cparams, - uint8_t* data, uint32_t size); - -/* Select and loads the kernel. + * caller should reboot. * - * Returns VBERROR_SUCCESS if success, non-zero if error; on error, - * caller should reboot. */ -VbError_t VbSelectAndLoadKernel(VbCommonParams* cparams, - VbSelectAndLoadKernelParams* kparams); + * NOTE: This is now called in all modes, including recovery. Previously, + * LoadFirmware() was not called in recovery mode, which meant that + * LoadKernel() needed to duplicate the TPM and VbSharedData initialization + * code. + */ +VbError_t VbSelectFirmware(VbCommonParams *cparams, + VbSelectFirmwareParams *fparams); + +/** + * Update the data hash for the current firmware image, extending it by [size] + * bytes stored in [*data]. This function must only be called inside + * VbExHashFirmwareBody(), which is in turn called by VbSelectFirmware(). + */ +void VbUpdateFirmwareBodyHash(VbCommonParams *cparams, + uint8_t *data, uint32_t size); + +/** + * Select and loads the kernel. + * + * Returns VBERROR_SUCCESS if success, non-zero if error; on error, caller + * should reboot. */ +VbError_t VbSelectAndLoadKernel(VbCommonParams *cparams, + VbSelectAndLoadKernelParams *kparams); /*****************************************************************************/ /* Debug output (from utility.h) */ -/* Output an error message and quit. Does not return. Supports - * printf()-style formatting. */ -void VbExError(const char* format, ...); - -/* Output a debug message. Supports printf()-style formatting. */ -void VbExDebug(const char* format, ...); +/** + * Output an error message and quit. Does not return. Supports + * printf()-style formatting. + */ +void VbExError(const char *format, ...); +/** + * Output a debug message. Supports printf()-style formatting. + */ +void VbExDebug(const char *format, ...); /*****************************************************************************/ /* Memory (from utility.h) */ -/* Allocate [size] bytes and return a pointer to the allocated memory. Abort +/** + * Allocate [size] bytes and return a pointer to the allocated memory. Abort * on error; this always either returns a good pointer or never returns. * - * If any of the firmware API implementations require aligned data - * (for example, disk access on ARM), all pointers returned by - * VbExMalloc() must also be aligned. */ -void* VbExMalloc(size_t size); - -/* Free memory pointed to by [ptr] previously allocated by VbExMalloc(). */ -void VbExFree(void* ptr); + * If any of the firmware API implementations require aligned data (for + * example, disk access on ARM), all pointers returned by VbExMalloc() must + * also be aligned. + */ +void *VbExMalloc(size_t size); +/** + * Free memory pointed to by [ptr] previously allocated by VbExMalloc(). + */ +void VbExFree(void *ptr); /*****************************************************************************/ /* Timer and delay (first two from utility.h) */ -/* Read a high-resolution timer. Returns the current timer value in - * arbitrary units. +/** + * Read a high-resolution timer. Returns the current timer value in arbitrary + * units. * - * This is intended for benchmarking, so this call MUST be fast. The - * timer frequency must be >1 KHz (preferably >1 MHz), and the timer - * must not wrap around for at least 10 minutes. It is preferable - * (but not required) that the timer be initialized to 0 at boot. + * This is intended for benchmarking, so this call MUST be fast. The timer + * frequency must be >1 KHz (preferably >1 MHz), and the timer must not wrap + * around for at least 10 minutes. It is preferable (but not required) that + * the timer be initialized to 0 at boot. * - * It is assumed that the firmware has some other way of communicating - * the timer frequency to the OS. For example, on x86 we use TSC, and - * the OS kernel reports the initial TSC value at kernel-start and - * calculates the frequency. */ + * It is assumed that the firmware has some other way of communicating the + * timer frequency to the OS. For example, on x86 we use TSC, and the OS + * kernel reports the initial TSC value at kernel-start and calculates the + * frequency. */ uint64_t VbExGetTimer(void); -/* Delay for at least the specified number of milliseconds. Should be - * accurate to within 10% (a requested delay of 1000 ms should - * result in an actual delay of between 1000 - 1100 ms). */ +/** + * Delay for at least the specified number of milliseconds. Should be accurate + * to within 10% (a requested delay of 1000 ms should result in an actual delay + * of between 1000 - 1100 ms). + */ void VbExSleepMs(uint32_t msec); -/* Play a beep tone of the specified frequency in Hz and duration in msec. +/** + * Play a beep tone of the specified frequency in Hz and duration in msec. * This is effectively a VbSleep() variant that makes noise. * * If the audio codec can run in the background, then: * zero frequency means OFF, non-zero frequency means ON * zero msec means return immediately, non-zero msec means delay (and * then OFF if needed) - * else: + * otherwise, * non-zero msec and non-zero frequency means ON, delay, OFF, return * zero msec or zero frequency means do nothing and return immediately * @@ -376,66 +435,71 @@ void VbExSleepMs(uint32_t msec); */ VbError_t VbExBeep(uint32_t msec, uint32_t frequency); - /*****************************************************************************/ /* TPM (from tlcl_stub.h) */ -/* Initialize the stub library. */ +/** + * Initialize the stub library. */ VbError_t VbExTpmInit(void); -/* Close and open the device. This is needed for running more complex commands +/** + * Close and open the device. This is needed for running more complex commands * at user level, such as TPM_TakeOwnership, since the TPM device can be opened - * only by one process at a time. */ + * only by one process at a time. + */ VbError_t VbExTpmClose(void); VbError_t VbExTpmOpen(void); -/* Send a request_length-byte request to the TPM and receive a - * response. On input, response_length is the size of the response - * buffer in bytes. On exit, response_length is set to the actual - * received response length in bytes. */ -VbError_t VbExTpmSendReceive(const uint8_t* request, uint32_t request_length, - uint8_t* response, uint32_t* response_length); - +/** + * Send a request_length-byte request to the TPM and receive a response. On + * input, response_length is the size of the response buffer in bytes. On + * exit, response_length is set to the actual received response length in + * bytes. */ +VbError_t VbExTpmSendReceive(const uint8_t *request, uint32_t request_length, + uint8_t *response, uint32_t *response_length); /*****************************************************************************/ /* Non-volatile storage */ #define VBNV_BLOCK_SIZE 16 /* Size of NV storage block in bytes */ -/* Read the VBNV_BLOCK_SIZE-byte non-volatile storage into buf. */ -VbError_t VbExNvStorageRead(uint8_t* buf); - -/* Write the VBNV_BLOCK_SIZE-byte non-volatile storage from buf. */ -VbError_t VbExNvStorageWrite(const uint8_t* buf); +/** + * Read the VBNV_BLOCK_SIZE-byte non-volatile storage into buf. + */ +VbError_t VbExNvStorageRead(uint8_t *buf); +/** + * Write the VBNV_BLOCK_SIZE-byte non-volatile storage from buf. + */ +VbError_t VbExNvStorageWrite(const uint8_t *buf); /*****************************************************************************/ /* Firmware / EEPROM access (previously in load_firmware_fw.h) */ -/* Calculate the hash of the firmware body data for [firmware_index], - * which is either VB_SELECT_FIRMWARE_A or VB_SELECT_FIRMWARE B. - * - * This function must call VbUpdateFirmwareBodyHash() before - * returning, to update the secure hash for the firmware image. For - * best performance, the implementation should call - * VbUpdateFirmwareBodyHash() periodically during the read, so that - * updating the hash can be pipelined with the read. If the reader - * cannot update the hash during the read process, it should call - * VbUpdateFirmwareBodyHash() on the entire firmware data after the - * read, before returning. - * - * It is recommended that the firmware use this call to copy the - * requested firmware body from EEPROM into RAM, so that it doesn't - * need to do a second slow copy from EEPROM to RAM if this firmware - * body is selected. - * - * Note this function doesn't actually pass the firmware body data to - * verified boot, because verified boot doesn't actually need the - * firmware body, just its hash. This is important on x86, where the - * firmware is stored compressed. We hash the compressed data, but - * the BIOS decompresses it during read. Simply updating a hash is - * compatible with the x86 read-and-decompress pipeline. */ -VbError_t VbExHashFirmwareBody(VbCommonParams* cparams, +/** + * Calculate the hash of the firmware body data for [firmware_index], which is + * either VB_SELECT_FIRMWARE_A or VB_SELECT_FIRMWARE B. + * + * This function must call VbUpdateFirmwareBodyHash() before returning, to + * update the secure hash for the firmware image. For best performance, the + * implementation should call VbUpdateFirmwareBodyHash() periodically during + * the read, so that updating the hash can be pipelined with the read. If the + * reader cannot update the hash during the read process, it should call + * VbUpdateFirmwareBodyHash() on the entire firmware data after the read, + * before returning. + * + * It is recommended that the firmware use this call to copy the requested + * firmware body from EEPROM into RAM, so that it doesn't need to do a second + * slow copy from EEPROM to RAM if this firmware body is selected. + * + * Note this function doesn't actually pass the firmware body data to verified + * boot, because verified boot doesn't actually need the firmware body, just + * its hash. This is important on x86, where the firmware is stored + * compressed. We hash the compressed data, but the BIOS decompresses it + * during read. Simply updating a hash is compatible with the x86 + * read-and-decompress pipeline. + */ +VbError_t VbExHashFirmwareBody(VbCommonParams *cparams, uint32_t firmware_index); /*****************************************************************************/ @@ -444,13 +508,17 @@ VbError_t VbExHashFirmwareBody(VbCommonParams* cparams, /* Flags for VbDisk APIs */ /* Disk is removable. Example removable disks: SD cards, USB keys. */ #define VB_DISK_FLAG_REMOVABLE 0x00000001 -/* Disk is fixed. If this flag is present, disk is internal to the - * system and not removable. Example fixed disks: internal SATA SSD, eMMC. */ +/* + * Disk is fixed. If this flag is present, disk is internal to the system and + * not removable. Example fixed disks: internal SATA SSD, eMMC. + */ #define VB_DISK_FLAG_FIXED 0x00000002 -/* Note that VB_DISK_FLAG_REMOVABLE and VB_DISK_FLAG_FIXED are - * mutually-exclusive for a single disk. VbExDiskGetInfo() may specify - * both flags to request disks of both types in a single call. */ -/* At some point we could specify additional flags, but we don't currently +/* + * Note that VB_DISK_FLAG_REMOVABLE and VB_DISK_FLAG_FIXED are + * mutually-exclusive for a single disk. VbExDiskGetInfo() may specify both + * flags to request disks of both types in a single call. + * + * At some point we could specify additional flags, but we don't currently * have a way to make use of these: * * USB Device is known to be attached to USB. Note that the SD @@ -461,133 +529,162 @@ VbError_t VbExHashFirmwareBody(VbCommonParams* cparams, * questionable use. * READ_ONLY Device is known to be read-only. Could be used by recovery * when processing read-only recovery image. - **/ + */ /* Information on a single disk */ typedef struct VbDiskInfo { - VbExDiskHandle_t handle; /* Disk handle */ - uint64_t bytes_per_lba; /* Size of a LBA sector in bytes */ - uint64_t lba_count; /* Number of LBA sectors on the device */ - uint32_t flags; /* Flags (see VB_DISK_FLAG_* constants) */ - const char* name; /* Optional name string, for use in debugging. - * May be empty or null if not available. */ + /* Disk handle */ + VbExDiskHandle_t handle; + /* Size of a LBA sector in bytes */ + uint64_t bytes_per_lba; + /* Number of LBA sectors on the device */ + uint64_t lba_count; + /* Flags (see VB_DISK_FLAG_* constants) */ + uint32_t flags; + /* + * Optional name string, for use in debugging. May be empty or null if + * not available. + */ + const char *name; } VbDiskInfo; -/* Store information into [info] for all disks (storage devices) - * attached to the system which match all of the disk_flags. +/** + * Store information into [info] for all disks (storage devices) attached to + * the system which match all of the disk_flags. * - * On output, count indicates how many disks are present, and - * [infos_ptr] points to a [count]-sized array of VbDiskInfo structs - * with the information on those disks; this pointer must be freed by - * calling VbExDiskFreeInfo(). If count=0, infos_ptr may point to - * NULL. If [infos_ptr] points to NULL because count=0 or error, it - * is not necessary to call VbExDiskFreeInfo(). + * On output, count indicates how many disks are present, and [infos_ptr] + * points to a [count]-sized array of VbDiskInfo structs with the information + * on those disks; this pointer must be freed by calling VbExDiskFreeInfo(). + * If count=0, infos_ptr may point to NULL. If [infos_ptr] points to NULL + * because count=0 or error, it is not necessary to call VbExDiskFreeInfo(). * * A multi-function device (such as a 4-in-1 card reader) should provide * multiple disk handles. * - * The firmware must not alter or free the list pointed to by - * [infos_ptr] until VbExDiskFreeInfo() is called. */ -VbError_t VbExDiskGetInfo(VbDiskInfo** infos_ptr, uint32_t* count, + * The firmware must not alter or free the list pointed to by [infos_ptr] until + * VbExDiskFreeInfo() is called. + */ +VbError_t VbExDiskGetInfo(VbDiskInfo **infos_ptr, uint32_t *count, uint32_t disk_flags); -/* Free a disk information list [infos] previously returned by - * VbExDiskGetInfo(). If [preserve_handle] != NULL, the firmware must - * ensure that handle remains valid after this call; all other handles - * from the info list need not remain valid after this call. */ -VbError_t VbExDiskFreeInfo(VbDiskInfo* infos, +/** + * Free a disk information list [infos] previously returned by + * VbExDiskGetInfo(). If [preserve_handle] != NULL, the firmware must ensure + * that handle remains valid after this call; all other handles from the info + * list need not remain valid after this call. + */ +VbError_t VbExDiskFreeInfo(VbDiskInfo *infos, VbExDiskHandle_t preserve_handle); -/* Read lba_count LBA sectors, starting at sector lba_start, from the disk, +/** + * Read lba_count LBA sectors, starting at sector lba_start, from the disk, * into the buffer. * - * If the disk handle is invalid (for example, the handle refers to a - * disk which as been removed), the function must return error but - * must not crash. */ + * If the disk handle is invalid (for example, the handle refers to a disk + * which as been removed), the function must return error but must not + * crash. + */ VbError_t VbExDiskRead(VbExDiskHandle_t handle, uint64_t lba_start, - uint64_t lba_count, void* buffer); + uint64_t lba_count, void *buffer); -/* Write lba_count LBA sectors, starting at sector lba_start, to the - * disk, from the buffer. +/** + * Write lba_count LBA sectors, starting at sector lba_start, to the disk, from + * the buffer. * - * If the disk handle is invalid (for example, the handle refers to a - * disk which as been removed), the function must return error but - * must not crash. */ + * If the disk handle is invalid (for example, the handle refers to a disk + * which as been removed), the function must return error but must not + * crash. + */ VbError_t VbExDiskWrite(VbExDiskHandle_t handle, uint64_t lba_start, - uint64_t lba_count, const void* buffer); - + uint64_t lba_count, const void *buffer); /*****************************************************************************/ /* Display */ /* Predefined (default) screens for VbExDisplayScreen(). */ enum VbScreenType_t { - VB_SCREEN_BLANK = 0, /* Blank (clear) screen */ - VB_SCREEN_DEVELOPER_WARNING = 0x101, /* Developer - warning */ - VB_SCREEN_DEVELOPER_EGG = 0x102, /* Developer - easter egg */ - VB_SCREEN_RECOVERY_REMOVE = 0x201, /* Recovery - remove inserted devices */ - VB_SCREEN_RECOVERY_INSERT = 0x202, /* Recovery - insert recovery image */ - VB_SCREEN_RECOVERY_NO_GOOD = 0x203, /* Recovery - inserted image invalid */ - VB_SCREEN_RECOVERY_TO_DEV = 0x204, /* Recovery - confirm dev mode */ - VB_SCREEN_DEVELOPER_TO_NORM = 0x205, /* Developer - confirm normal mode */ - VB_SCREEN_WAIT = 0x206, /* Please wait - programming EC */ - VB_SCREEN_TO_NORM_CONFIRMED = 0x207, /* Confirm after DEVELOPER_TO_NORM */ + /* Blank (clear) screen */ + VB_SCREEN_BLANK = 0, + /* Developer - warning */ + VB_SCREEN_DEVELOPER_WARNING = 0x101, + /* Developer - easter egg */ + VB_SCREEN_DEVELOPER_EGG = 0x102, + /* Recovery - remove inserted devices */ + VB_SCREEN_RECOVERY_REMOVE = 0x201, + /* Recovery - insert recovery image */ + VB_SCREEN_RECOVERY_INSERT = 0x202, + /* Recovery - inserted image invalid */ + VB_SCREEN_RECOVERY_NO_GOOD = 0x203, + /* Recovery - confirm dev mode */ + VB_SCREEN_RECOVERY_TO_DEV = 0x204, + /* Developer - confirm normal mode */ + VB_SCREEN_DEVELOPER_TO_NORM = 0x205, + /* Please wait - programming EC */ + VB_SCREEN_WAIT = 0x206, + /* Confirm after DEVELOPER_TO_NORM */ + VB_SCREEN_TO_NORM_CONFIRMED = 0x207, }; -/* Initialize and clear the display. Set width and height to the screen - * dimensions in pixels. */ -VbError_t VbExDisplayInit(uint32_t* width, uint32_t* height); - +/** + * Initialize and clear the display. Set width and height to the screen + * dimensions in pixels. + */ +VbError_t VbExDisplayInit(uint32_t *width, uint32_t *height); -/* Enable (enable!=0) or disable (enable=0) the display backlight. */ +/** + * Enable (enable!=0) or disable (enable=0) the display backlight. + */ VbError_t VbExDisplayBacklight(uint8_t enable); - -/* Display a predefined screen; see VB_SCREEN_* for valid screens. - * This is a backup method of screen display, intended for use if the - * GBB does not contain a full set of bitmaps. It is acceptable for - * the backup screen to be simple ASCII text such as "NO GOOD" or - * "INSERT"; these screens should only be seen during development. */ +/** + * Display a predefined screen; see VB_SCREEN_* for valid screens. + * + * This is a backup method of screen display, intended for use if the GBB does + * not contain a full set of bitmaps. It is acceptable for the backup screen + * to be simple ASCII text such as "NO GOOD" or "INSERT"; these screens should + * only be seen during development. + */ VbError_t VbExDisplayScreen(uint32_t screen_type); - -/* Write an image to the display, with the upper left corner at the specified +/** + * Write an image to the display, with the upper left corner at the specified * pixel coordinates. The bitmap buffer is a pointer to the platform-dependent * uncompressed binary blob with dimensions and format specified internally * (for example, a raw BMP, GIF, PNG, whatever). We pass the size just for * convenience. */ VbError_t VbExDisplayImage(uint32_t x, uint32_t y, - void* buffer, uint32_t buffersize); - -/* Display a string containing debug information on the screen, - * rendered in a platform-dependent font. Should be able to handle - * newlines '\n' in the string. Firmware must support displaying at - * least 20 lines of text, where each line may be at least 80 - * characters long. If the firmware has its own debug state, it may - * display it to the screen below this information. */ -VbError_t VbExDisplayDebugInfo(const char* info_str); -/* NOTE: This is what we currently display on ZGB/Alex when TAB is - * pressed. Some information (HWID, recovery reason) is ours; some - * (CMOS breadcrumbs) is platform-specific. If we decide to - * soft-render the HWID string (chrome-os-partner:3693), we'll need to - * maintain our own fonts, so we'll likely display it via - * VbExDisplayImage() above. */ - + void *buffer, uint32_t buffersize); + +/** + * Display a string containing debug information on the screen, rendered in a + * platform-dependent font. Should be able to handle newlines '\n' in the + * string. Firmware must support displaying at least 20 lines of text, where + * each line may be at least 80 characters long. If the firmware has its own + * debug state, it may display it to the screen below this information. + * + * NOTE: This is what we currently display when TAB is pressed. Some + * information (HWID, recovery reason) is ours; some (CMOS breadcrumbs) is + * platform-specific. If we decide to soft-render the HWID string + * (chrome-os-partner:3693), we'll need to maintain our own fonts, so we'll + * likely display it via VbExDisplayImage() above. + */ +VbError_t VbExDisplayDebugInfo(const char *info_str); /*****************************************************************************/ /* Keyboard and switches */ /* Key codes for required non-printable-ASCII characters. */ enum VbKeyCode_t { - VB_KEY_UP = 0x100, - VB_KEY_DOWN = 0x101, - VB_KEY_LEFT = 0x102, - VB_KEY_RIGHT = 0x103, - VB_KEY_CTRL_ENTER = 0x104, + VB_KEY_UP = 0x100, + VB_KEY_DOWN = 0x101, + VB_KEY_LEFT = 0x102, + VB_KEY_RIGHT = 0x103, + VB_KEY_CTRL_ENTER = 0x104, }; -/* Read the next keypress from the keyboard buffer. +/** + * Read the next keypress from the keyboard buffer. * * Returns the keypress, or zero if no keypress is pending or error. * @@ -612,72 +709,91 @@ enum VbKeyCode_t { * sending an arrow key as the sequence of keys '\x1b', '[', '1', 'A'). */ uint32_t VbExKeyboardRead(void); - /*****************************************************************************/ /* Embedded controller (EC) */ -/* This is called only if the system implements a keyboard-based (virtual) +/** + * This is called only if the system implements a keyboard-based (virtual) * developer switch. It must return true only if the system has an embedded * controller which is provably running in its RO firmware at the time the - * function is called. */ + * function is called. + */ int VbExTrustEC(void); -/* Check if the EC is currently running rewritable code. +/** + * Check if the EC is currently running rewritable code. * * If the EC is in RO code, sets *in_rw=0. * If the EC is in RW code, sets *in_rw non-zero. * If the current EC image is unknown, returns error. */ VbError_t VbExEcRunningRW(int *in_rw); -/* Request the EC jump to its rewritable code. If successful, returns - * when the EC has booting its RW code far enough to respond to - * subsequent commands. Does nothing if the EC is already in its - * rewritable code. */ +/** + * Request the EC jump to its rewritable code. If successful, returns when the + * EC has booting its RW code far enough to respond to subsequent commands. + * Does nothing if the EC is already in its rewritable code. + */ VbError_t VbExEcJumpToRW(void); -/* Tell the EC to stay in RO code until it reboots. Subsequent calls to +/** + * Tell the EC to stay in RO code until it reboots. Subsequent calls to * VbExEcJumpToRW() this boot will fail. Fails if the EC is not currently in - * RO code. */ + * RO code. + */ VbError_t VbExEcStayInRO(void); -/* Read the SHA-256 hash of the rewriteable EC image. */ +/** + * Read the SHA-256 hash of the rewriteable EC image. + */ VbError_t VbExEcHashRW(const uint8_t **hash, int *hash_size); -/* Get the expected contents of the EC image associated with the main firmware - * specified by the "select" argument. */ +/** + * Get the expected contents of the EC image associated with the main firmware + * specified by the "select" argument. + */ VbError_t VbExEcGetExpectedRW(enum VbSelectFirmware_t select, const uint8_t **image, int *image_size); -/* Update the EC rewritable image. */ +/** + * Update the EC rewritable image. + */ VbError_t VbExEcUpdateRW(const uint8_t *image, int image_size); -/* Lock the EC code to prevent updates until the EC is rebooted. - * Subsequent calls to VbExEcUpdateRW() this boot will fail. */ +/** + * Lock the EC code to prevent updates until the EC is rebooted. + * Subsequent calls to VbExEcUpdateRW() this boot will fail. + */ VbError_t VbExEcProtectRW(void); /* Args to VbExProtectFlash() */ enum VbProtectFlash_t { VBPROTECT_RW_A, VBPROTECT_RW_B, VBPROTECT_RW_DEVKEY }; -/* Lock a section of the BIOS flash address space to prevent updates until the +/** + * Lock a section of the BIOS flash address space to prevent updates until the * host is rebooted. Subsequent attempts to erase or modify the specified BIOS * image will fail. If this function is called more than once each call should - * be cumulative. */ + * be cumulative. + */ VbError_t VbExProtectFlash(enum VbProtectFlash_t region); /*****************************************************************************/ /* Misc */ -/* Checks if the firmware needs to shut down the system. +/** + * Check if the firmware needs to shut down the system. * * Returns 1 if a shutdown is being requested (for example, the user has - * pressed the power button or closed the lid), or 0 if a shutdown is not - * being requested. */ -/* NOTE: When we're displaying a screen, pressing the power button - * should shut down the computer. We need a way to break out of our - * control loop so this can occur cleanly. */ + * pressed the power button or closed the lid), or 0 if a shutdown is not being + * requested. + * + * NOTE: When we're displaying a screen, pressing the power button should shut + * down the computer. We need a way to break out of our control loop so this + * can occur cleanly. + */ uint32_t VbExIsShutdownRequested(void); -/* Expose the BIOS' built-in decompression routine to the vboot wrapper. The +/** + * Expose the BIOS' built-in decompression routine to the vboot wrapper. The * caller must know how large the uncompressed data will be and must manage * that memory. The decompression routine just puts the uncompressed data into * the specified buffer. We pass in the size of the outbuf, and get back the @@ -687,8 +803,9 @@ VbError_t VbExDecompress(void *inbuf, uint32_t in_size, uint32_t compression_type, void *outbuf, uint32_t *out_size); - -/* Execute legacy boot option */ +/** + * Execute legacy boot option. + */ int VbExLegacy(void); #endif /* VBOOT_REFERENCE_VBOOT_API_H_ */ diff --git a/firmware/include/vboot_nvstorage.h b/firmware/include/vboot_nvstorage.h index 8b41c8f1..890af4b6 100644 --- a/firmware/include/vboot_nvstorage.h +++ b/firmware/include/vboot_nvstorage.h @@ -1,10 +1,9 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ -/* Non-volatile storage routines for verified boot. - */ +/* Non-volatile storage routines for verified boot. */ #ifndef VBOOT_REFERENCE_NVSTORAGE_H_ #define VBOOT_REFERENCE_NVSTORAGE_H_ @@ -12,70 +11,88 @@ #define VBNV_BLOCK_SIZE 16 /* Size of NV storage block in bytes */ typedef struct VbNvContext { - /* Raw NV data. Caller must fill this before calling VbNvSetup(). */ - uint8_t raw[VBNV_BLOCK_SIZE]; - /* Flag indicating whether raw data has changed. Set by VbNvTeardown() if - * the raw data has changed and needs to be stored to the underlying - * non-volatile data store. */ - int raw_changed; - - /* Internal data for NV storage routines. Caller should not touch - * these fields. */ - int regenerate_crc; + /* Raw NV data. Caller must fill this before calling VbNvSetup(). */ + uint8_t raw[VBNV_BLOCK_SIZE]; + /* + * Flag indicating whether raw data has changed. Set by VbNvTeardown() + * if the raw data has changed and needs to be stored to the underlying + * non-volatile data store. + */ + int raw_changed; + /* + * Internal data for NV storage routines. Caller should not touch + * these fields. + */ + int regenerate_crc; } VbNvContext; - /* Parameter type for VbNvGet(), VbNvSet(). */ typedef enum VbNvParam { - /* Parameter values have been reset to defaults (flag for firmware). - * 0=clear; 1=set. */ - VBNV_FIRMWARE_SETTINGS_RESET = 0, - /* Parameter values have been reset to defaults (flag for kernel). - * 0=clear; 1=set. */ - VBNV_KERNEL_SETTINGS_RESET, - /* Request debug reset on next S3->S0 transition. 0=clear; 1=set. */ - VBNV_DEBUG_RESET_MODE, - /* Number of times to try booting RW firmware slot B before slot A. - * Valid range: 0-15. */ - VBNV_TRY_B_COUNT, - /* Request recovery mode on next boot; see VBNB_RECOVERY_* below for - * currently defined reason codes. 8-bit value. */ - VBNV_RECOVERY_REQUEST, - /* Localization index for screen bitmaps displayed by firmware. - * 8-bit value. */ - VBNV_LOCALIZATION_INDEX, - /* Field reserved for kernel/user-mode use; 32-bit value. */ - VBNV_KERNEL_FIELD, - /* Allow booting from USB in developer mode. 0=no, 1=yes. */ - VBNV_DEV_BOOT_USB, - /* Allow booting of legacy OSes in developer mode. 0=no, 1=yes. */ - VBNV_DEV_BOOT_LEGACY, - /* Only boot Google-signed images in developer mode. 0=no, 1=yes. */ - VBNV_DEV_BOOT_SIGNED_ONLY, - /* Set by userspace to request that RO firmware disable dev-mode on the next - * boot. This is likely only possible if the dev-switch is virtual. */ - VBNV_DISABLE_DEV_REQUEST, - /* Set and cleared by vboot to request that the video Option ROM be loaded at - * boot time, so that BIOS screens can be displayed. 0=no, 1=yes. */ - VBNV_OPROM_NEEDED, - /* Request that the firmware clear the TPM owner on the next boot. */ - VBNV_CLEAR_TPM_OWNER_REQUEST, - /* Flag that TPM owner was cleared on request. */ - VBNV_CLEAR_TPM_OWNER_DONE, - /* More details on recovery reason */ - VBNV_RECOVERY_SUBCODE, + /* + * Parameter values have been reset to defaults (flag for firmware). + * 0=clear; 1=set. + */ + VBNV_FIRMWARE_SETTINGS_RESET = 0, + /* + * Parameter values have been reset to defaults (flag for kernel). + * 0=clear; 1=set. + */ + VBNV_KERNEL_SETTINGS_RESET, + /* Request debug reset on next S3->S0 transition. 0=clear; 1=set. */ + VBNV_DEBUG_RESET_MODE, + /* + * Number of times to try booting RW firmware slot B before slot A. + * Valid range: 0-15. + */ + VBNV_TRY_B_COUNT, + /* + * Request recovery mode on next boot; see VBNB_RECOVERY_* below for + * currently defined reason codes. 8-bit value. + */ + VBNV_RECOVERY_REQUEST, + /* + * Localization index for screen bitmaps displayed by firmware. + * 8-bit value. + */ + VBNV_LOCALIZATION_INDEX, + /* Field reserved for kernel/user-mode use; 32-bit value. */ + VBNV_KERNEL_FIELD, + /* Allow booting from USB in developer mode. 0=no, 1=yes. */ + VBNV_DEV_BOOT_USB, + /* Allow booting of legacy OSes in developer mode. 0=no, 1=yes. */ + VBNV_DEV_BOOT_LEGACY, + /* Only boot Google-signed images in developer mode. 0=no, 1=yes. */ + VBNV_DEV_BOOT_SIGNED_ONLY, + /* + * Set by userspace to request that RO firmware disable dev-mode on the + * next boot. This is likely only possible if the dev-switch is + * virtual. + */ + VBNV_DISABLE_DEV_REQUEST, + /* + * Set and cleared by vboot to request that the video Option ROM be + * loaded at boot time, so that BIOS screens can be displayed. 0=no, + * 1=yes. + */ + VBNV_OPROM_NEEDED, + /* Request that the firmware clear the TPM owner on the next boot. */ + VBNV_CLEAR_TPM_OWNER_REQUEST, + /* Flag that TPM owner was cleared on request. */ + VBNV_CLEAR_TPM_OWNER_DONE, + /* More details on recovery reason */ + VBNV_RECOVERY_SUBCODE, } VbNvParam; - /* Recovery reason codes for VBNV_RECOVERY_REQUEST */ /* Recovery not requested. */ #define VBNV_RECOVERY_NOT_REQUESTED 0x00 -/* Recovery requested from legacy utility. (Prior to the NV storage - * spec, recovery mode was a single bitfield; this value is reserved - * so that scripts which wrote 1 to the recovery field are - * distinguishable from scripts whch use the recovery reasons listed - * here. */ +/* + * Recovery requested from legacy utility. (Prior to the NV storage spec, + * recovery mode was a single bitfield; this value is reserved so that scripts + * which wrote 1 to the recovery field are distinguishable from scripts whch + * use the recovery reasons listed here. + */ #define VBNV_RECOVERY_LEGACY 0x01 /* User manually requested recovery via recovery button */ #define VBNV_RECOVERY_RO_MANUAL 0x02 @@ -93,17 +110,23 @@ typedef enum VbNvParam { #define VBNV_RECOVERY_RO_TEST_LFS 0x08 /* Test error from LoadFirmware() */ #define VBNV_RECOVERY_RO_TEST_LF 0x09 -/* RW firmware failed signature check (neither RW firmware slot was valid). +/* + * RW firmware failed signature check (neither RW firmware slot was valid). * Recovery reason is VBNV_RECOVERY_RO_INVALID_RW_CHECK_MIN + the check value * for the slot which came closest to validating; see VBSD_LF_CHECK_* in - * vboot_struct.h. */ + * vboot_struct.h. + */ #define VBNV_RECOVERY_RO_INVALID_RW_CHECK_MIN 0x10 #define VBNV_RECOVERY_RO_INVALID_RW_CHECK_MAX 0x1F -/* Firmware boot failure outside of verified boot (RAM init, missing SSD, - * etc.). */ +/* + * Firmware boot failure outside of verified boot (RAM init, missing SSD, + * etc.). + */ #define VBNV_RECOVERY_RO_FIRMWARE 0x20 -/* Recovery mode TPM initialization requires a system reboot. The system was - * already in recovery mode for some other reason when this happened. */ +/* + * Recovery mode TPM initialization requires a system reboot. The system was + * already in recovery mode for some other reason when this happened. + */ #define VBNV_RECOVERY_RO_TPM_REBOOT 0x21 /* EC software sync - other error */ #define VBNV_RECOVERY_EC_SOFTWARE_SYNC 0x22 @@ -121,8 +144,10 @@ typedef enum VbNvParam { #define VBNV_RECOVERY_EC_PROTECT 0x28 /* Unspecified/unknown error in read-only firmware */ #define VBNV_RECOVERY_RO_UNSPECIFIED 0x3F -/* User manually requested recovery by pressing a key at developer - * warning screen */ +/* + * User manually requested recovery by pressing a key at developer + * warning screen + */ #define VBNV_RECOVERY_RW_DEV_SCREEN 0x41 /* No OS kernel detected */ #define VBNV_RECOVERY_RW_NO_OS 0x42 @@ -175,10 +200,11 @@ typedef enum VbNvParam { /* Unspecified/unknown error in user-mode */ #define VBNV_RECOVERY_US_UNSPECIFIED 0xFF - -/* Initialize the NV storage library. This must be called before any - * other functions in this library. Returns 0 if success, non-zero if - * error. +/** + * Initialize the NV storage library. + * + * This must be called before any other functions in this library. Returns 0 + * if success, non-zero if error. * * Proper calling procedure: * 1) Allocate a context struct. @@ -187,14 +213,17 @@ typedef enum VbNvParam { * 3) Read underlying storage and fill in context->raw. * 4) Call VbNvSetup(). * - * If you have access to global variables, you may want to wrap all - * that in your own VbNvOpen() function. We don't do that in here - * because there are no global variables in UEFI BIOS during the PEI - * phase (that's also why we have to pass around a context pointer). */ -int VbNvSetup(VbNvContext* context); + * If you have access to global variables, you may want to wrap all that in + * your own VbNvOpen() function. We don't do that in here because there are no + * global variables in UEFI BIOS during the PEI phase (that's also why we have + * to pass around a context pointer). + */ +int VbNvSetup(VbNvContext *context); -/* Clean up and flush changes back to the raw data. This must be - * called after other functions in this library. Returns 0 if +/** + * Clean up and flush changes back to the raw data. + * + * This must be called after other functions in this library. Returns 0 if * success, non-zero if error. * * Proper calling procedure: @@ -204,20 +233,26 @@ int VbNvSetup(VbNvContext* context); * 4) Free the context struct. * * If you have access to global variables, you may want to wrap this - * in your own VbNvClose() function. */ -int VbNvTeardown(VbNvContext* context); + * in your own VbNvClose() function. + */ +int VbNvTeardown(VbNvContext *context); -/* Read a NV storage parameter into *dest. Returns 0 if success, - * non-zero if error. +/** + * Read a NV storage parameter into *dest. * - * This may only be called between VbNvSetup() and VbNvTeardown(). */ -int VbNvGet(VbNvContext* context, VbNvParam param, uint32_t* dest); - -/* Set a NV storage param to a new value. Returns 0 if success, - * non-zero if error. + * Returns 0 if success, non-zero if error. * - * This may only be called between VbNvSetup() and VbNvTeardown(). */ -int VbNvSet(VbNvContext* context, VbNvParam param, uint32_t value); + * This may only be called between VbNvSetup() and VbNvTeardown(). + */ +int VbNvGet(VbNvContext *context, VbNvParam param, uint32_t *dest); +/** + * Set a NV storage param to a new value. + * + * Returns 0 if success, non-zero if error. + * + * This may only be called between VbNvSetup() and VbNvTeardown(). + */ +int VbNvSet(VbNvContext *context, VbNvParam param, uint32_t value); #endif /* VBOOT_REFERENCE_NVSTORAGE_H_ */ diff --git a/firmware/include/vboot_struct.h b/firmware/include/vboot_struct.h index 4f48d9fc..8023cdc9 100644 --- a/firmware/include/vboot_struct.h +++ b/firmware/include/vboot_struct.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -15,27 +15,30 @@ __pragma(pack(push, 1)) /* Support packing for MSVC. */ /* Public key data */ typedef struct VbPublicKey { - uint64_t key_offset; /* Offset of key data from start of this struct */ - uint64_t key_size; /* Size of key data in bytes (NOT strength of key - * in bits) */ - uint64_t algorithm; /* Signature algorithm used by the key */ - uint64_t key_version; /* Key version */ + /* Offset of key data from start of this struct */ + uint64_t key_offset; + /* Size of key data in bytes (NOT strength of key in bits) */ + uint64_t key_size; + /* Signature algorithm used by the key */ + uint64_t algorithm; + /* Key version */ + uint64_t key_version; } __attribute__((packed)) VbPublicKey; #define EXPECTED_VBPUBLICKEY_SIZE 32 - /* Signature data (a secure hash, possibly signed) */ typedef struct VbSignature { - uint64_t sig_offset; /* Offset of signature data from start of this - * struct */ - uint64_t sig_size; /* Size of signature data in bytes */ - uint64_t data_size; /* Size of the data block which was signed in bytes */ + /* Offset of signature data from start of this struct */ + uint64_t sig_offset; + /* Size of signature data in bytes */ + uint64_t sig_size; + /* Size of the data block which was signed in bytes */ + uint64_t data_size; } __attribute__((packed)) VbSignature; #define EXPECTED_VBSIGNATURE_SIZE 24 - #define KEY_BLOCK_MAGIC "CHROMEOS" #define KEY_BLOCK_MAGIC_SIZE 8 @@ -49,153 +52,171 @@ typedef struct VbSignature { #define KEY_BLOCK_FLAG_RECOVERY_0 UINT64_C(0x04) /* Not recovery mode */ #define KEY_BLOCK_FLAG_RECOVERY_1 UINT64_C(0x08) /* Recovery mode */ -/* Key block, containing the public key used to sign some other chunk - * of data. */ -typedef struct VbKeyBlockHeader { - uint8_t magic[KEY_BLOCK_MAGIC_SIZE]; /* Magic number */ - uint32_t header_version_major; /* Version of this header format */ - uint32_t header_version_minor; /* Version of this header format */ - uint64_t key_block_size; /* Length of this entire key block, - * including keys, signatures, and - * padding, in bytes */ - VbSignature key_block_signature; /* Signature for this key block - * (header + data pointed to by data_key) - * For use with signed data keys*/ - VbSignature key_block_checksum; /* SHA-512 checksum for this key block - * (header + data pointed to by data_key) - * For use with unsigned data keys */ - uint64_t key_block_flags; /* Flags for key (KEY_BLOCK_FLAG_*) */ - VbPublicKey data_key; /* Key to verify the chunk of data */ -} __attribute__((packed)) VbKeyBlockHeader; -/* This should be followed by: +/* + * Key block, containing the public key used to sign some other chunk of data. + * + * This should be followed by: * 1) The data_key key data, pointed to by data_key.key_offset. * 2) The checksum data for (VBKeyBlockHeader + data_key data), pointed to * by key_block_checksum.sig_offset. * 3) The signature data for (VBKeyBlockHeader + data_key data), pointed to - * by key_block_signature.sig_offset. */ + * by key_block_signature.sig_offset. + */ +typedef struct VbKeyBlockHeader { + /* Magic number */ + uint8_t magic[KEY_BLOCK_MAGIC_SIZE]; + /* Version of this header format */ + uint32_t header_version_major; + /* Version of this header format */ + uint32_t header_version_minor; + /* + * Length of this entire key block, including keys, signatures, and + * padding, in bytes + */ + uint64_t key_block_size; + /* + * Signature for this key block (header + data pointed to by data_key) + * For use with signed data keys + */ + VbSignature key_block_signature; + /* + * SHA-512 checksum for this key block (header + data pointed to by + * data_key) For use with unsigned data keys + */ + VbSignature key_block_checksum; + /* Flags for key (KEY_BLOCK_FLAG_*) */ + uint64_t key_block_flags; + /* Key to verify the chunk of data */ + VbPublicKey data_key; +} __attribute__((packed)) VbKeyBlockHeader; #define EXPECTED_VBKEYBLOCKHEADER_SIZE 112 /****************************************************************************/ -#define EC_PREAMBLE_HEADER_VERSION_MAJOR 1 -#define EC_PREAMBLE_HEADER_VERSION_MINOR 0 - -/* Flags for VbECPreambleHeader.flags */ - -/* Use the normal boot path from the read-only firmware, instead - * of verifying the body signature. */ -#define VB_EC_PREAMBLE_USE_RO_NORMAL 0x00000001 - -/* Premable block for EC rewritable firmware, version 1.0 */ -typedef struct VbECPreambleHeader { - uint64_t preamble_size; /* Size of this preamble, including keys, - * signatures, and padding, in bytes */ - VbSignature preamble_signature; /* Signature for this preamble - * (header + * body signature) */ - uint32_t header_version_major; /* Version of this header format */ - uint32_t header_version_minor; /* Version of this header format */ - - uint64_t firmware_version; /* Firmware version */ - VbSignature body_digest; /* Digest for the firmware body */ - - uint32_t flags; /* Flags; see VB_EC_PREAMBLE_* */ - char name[128]; /* Human-readable ASCII, null-padded */ -} __attribute__((packed)) VbECPreambleHeader; - -#define EXPECTED_VB_EC_PREAMBLE_HEADER1_0_SIZE 76 - -/* The firmware preamble header should be followed by: - * 2) The signature data for the firmware body, pointed to by - * body_signature.sig_offset. - * 3) The signature data for (header + body signature data), pointed - * to by preamble_signature.sig_offset. */ - -/****************************************************************************/ - #define FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR 2 #define FIRMWARE_PREAMBLE_HEADER_VERSION_MINOR 1 -/* Preamble block for rewritable firmware, version 2.0. All 2.x - * versions of this struct must start with the same data, to be - * compatible with version 2.0 readers. */ +/* + * Preamble block for rewritable firmware, version 2.0. All 2.x versions of + * this struct must start with the same data, to be compatible with version 2.0 + * readers. + */ typedef struct VbFirmwarePreambleHeader2_0 { - uint64_t preamble_size; /* Size of this preamble, including keys, - * signatures, and padding, in bytes */ - VbSignature preamble_signature; /* Signature for this preamble - * (header + kernel subkey + - * body signature) */ - uint32_t header_version_major; /* Version of this header format (= 2) */ - uint32_t header_version_minor; /* Version of this header format (= 0) */ - - uint64_t firmware_version; /* Firmware version */ - VbPublicKey kernel_subkey; /* Key to verify kernel key block */ - VbSignature body_signature; /* Signature for the firmware body */ + /* + * Size of this preamble, including keys, signatures, and padding, in + * bytes + */ + uint64_t preamble_size; + /* + * Signature for this preamble (header + kernel subkey + body + * signature) + */ + VbSignature preamble_signature; + /* Version of this header format (= 2) */ + uint32_t header_version_major; + /* Version of this header format (= 0) */ + uint32_t header_version_minor; + + /* Firmware version */ + uint64_t firmware_version; + /* Key to verify kernel key block */ + VbPublicKey kernel_subkey; + /* Signature for the firmware body */ + VbSignature body_signature; } __attribute__((packed)) VbFirmwarePreambleHeader2_0; #define EXPECTED_VBFIRMWAREPREAMBLEHEADER2_0_SIZE 104 /* Flags for VbFirmwarePreambleHeader.flags */ -/* Use the normal/dev boot path from the read-only firmware, instead - * of verifying the body signature. */ +/* + * Use the normal/dev boot path from the read-only firmware, instead of + * verifying the body signature. + */ #define VB_FIRMWARE_PREAMBLE_USE_RO_NORMAL 0x00000001 -/* Premable block for rewritable firmware, version 2.1 */ -typedef struct VbFirmwarePreambleHeader { - uint64_t preamble_size; /* Size of this preamble, including keys, - * signatures, and padding, in bytes */ - VbSignature preamble_signature; /* Signature for this preamble - * (header + kernel subkey + - * body signature) */ - uint32_t header_version_major; /* Version of this header format */ - uint32_t header_version_minor; /* Version of this header format */ - - uint64_t firmware_version; /* Firmware version */ - VbPublicKey kernel_subkey; /* Key to verify kernel key block */ - VbSignature body_signature; /* Signature for the firmware body */ - - /* Fields added in header version 2.1. You must verify the header version - * before reading these fields! */ - uint32_t flags; /* Flags; see VB_FIRMWARE_PREAMBLE_*. - * Readers should return 0 for header - * version < 2.1. */ -} __attribute__((packed)) VbFirmwarePreambleHeader; - -#define EXPECTED_VBFIRMWAREPREAMBLEHEADER2_1_SIZE 108 - -/* The firmware preamble header should be followed by: +/* Premable block for rewritable firmware, version 2.1. + * + * The firmware preamble header should be followed by: * 1) The kernel_subkey key data, pointed to by kernel_subkey.key_offset. * 2) The signature data for the firmware body, pointed to by * body_signature.sig_offset. * 3) The signature data for (header + kernel_subkey data + body signature - * data), pointed to by preamble_signature.sig_offset. */ + * data), pointed to by preamble_signature.sig_offset. + */ +typedef struct VbFirmwarePreambleHeader { + /* + * Size of this preamble, including keys, signatures, and padding, in + * bytes + */ + uint64_t preamble_size; + /* + * Signature for this preamble (header + kernel subkey + body + * signature) + */ + VbSignature preamble_signature; + /* Version of this header format */ + uint32_t header_version_major; + /* Version of this header format */ + uint32_t header_version_minor; + + /* Firmware version */ + uint64_t firmware_version; + /* Key to verify kernel key block */ + VbPublicKey kernel_subkey; + /* Signature for the firmware body */ + VbSignature body_signature; + + /* + * Fields added in header version 2.1. You must verify the header + * version before reading these fields! + */ + /* + * Flags; see VB_FIRMWARE_PREAMBLE_*. Readers should return 0 for + * header version < 2.1. + */ + uint32_t flags; +} __attribute__((packed)) VbFirmwarePreambleHeader; + +#define EXPECTED_VBFIRMWAREPREAMBLEHEADER2_1_SIZE 108 /****************************************************************************/ #define KERNEL_PREAMBLE_HEADER_VERSION_MAJOR 2 #define KERNEL_PREAMBLE_HEADER_VERSION_MINOR 0 -/* Preamble block for kernel */ +/* Preamble block for kernel + * + * This should be followed by: + * 1) The signature data for the kernel body, pointed to by + * body_signature.sig_offset. + * 2) The signature data for (VBFirmwarePreambleHeader + body signature + * data), pointed to by preamble_signature.sig_offset. + */ typedef struct VbKernelPreambleHeader { - uint64_t preamble_size; /* Size of this preamble, including keys, - * signatures, and padding, in bytes */ - VbSignature preamble_signature; /* Signature for this preamble - * (header + body signature) */ - uint32_t header_version_major; /* Version of this header format */ - uint32_t header_version_minor; /* Version of this header format */ - - uint64_t kernel_version; /* Kernel version */ - uint64_t body_load_address; /* Load address for kernel body */ - uint64_t bootloader_address; /* Address of bootloader, after body is - * loaded at body_load_address */ - uint64_t bootloader_size; /* Size of bootloader in bytes */ - VbSignature body_signature; /* Signature for the kernel body */ + /* + * Size of this preamble, including keys, signatures, and padding, in + * bytes + */ + uint64_t preamble_size; + /* Signature for this preamble (header + body signature) */ + VbSignature preamble_signature; + /* Version of this header format */ + uint32_t header_version_major; + /* Version of this header format */ + uint32_t header_version_minor; + + /* Kernel version */ + uint64_t kernel_version; + /* Load address for kernel body */ + uint64_t body_load_address; + /* Address of bootloader, after body is loaded at body_load_address */ + uint64_t bootloader_address; + /* Size of bootloader in bytes */ + uint64_t bootloader_size; + /* Signature for the kernel body */ + VbSignature body_signature; } __attribute__((packed)) VbKernelPreambleHeader; -/* This should be followed by: - * 2) The signature data for the kernel body, pointed to by - * body_signature.sig_offset. - * 3) The signature data for (VBFirmwarePreambleHeader + body signature - * data), pointed to by preamble_signature.sig_offset. */ #define EXPECTED_VBKERNELPREAMBLEHEADER_SIZE 96 @@ -213,9 +234,11 @@ typedef struct VbKernelPreambleHeader { /* Flags for VbSharedDataHeader */ /* LoadFirmware() tried firmware B because of VbNvStorage firmware B tries */ #define VBSD_FWB_TRIED 0x00000001 -/* LoadKernel() verified the good kernel keyblock using the kernel subkey from +/* + * LoadKernel() verified the good kernel keyblock using the kernel subkey from * the firmware. If this flag is not present, it just used the hash of the - * kernel keyblock. */ + * kernel keyblock. + */ #define VBSD_KERNEL_KEY_VERIFIED 0x00000002 /* LoadFirmware() was told the developer switch was on */ #define VBSD_LF_DEV_SWITCH_ON 0x00000004 @@ -240,9 +263,11 @@ typedef struct VbKernelPreambleHeader { /* Firmware software write protect was enabled at boot time */ #define VBSD_BOOT_FIRMWARE_SW_WP_ENABLED 0x00002000 -/* Supported flags by header version. It's ok to add new flags while keeping +/* + * Supported flags by header version. It's ok to add new flags while keeping * struct version 2 as long as flag-NOT-present is the correct value for - * existing hardware (Stumpy/Lumpy). */ + * existing hardware (Stumpy/Lumpy). + */ #define VBSD_FLAGS_VERSION_1 0x00000007 /* Alex, ZGB */ #define VBSD_FLAGS_VERSION_2 0x00000F7F @@ -260,8 +285,10 @@ typedef struct VbKernelPreambleHeader { #define VBSD_LF_CHECK_HASH_WRONG_SIZE 10 #define VBSD_LF_CHECK_VERIFY_BODY 11 #define VBSD_LF_CHECK_VALID 12 -/* Read-only normal path requested by firmware preamble, but - * unsupported by firmware. */ +/* + * Read-only normal path requested by firmware preamble, but unsupported by + * firmware. + */ #define VBSD_LF_CHECK_NO_RO_NORMAL 13 /* Boot mode for VbSharedDataHeader.lk_boot_mode */ @@ -285,8 +312,10 @@ typedef struct VbKernelPreambleHeader { #define VBSD_LKP_CHECK_VERIFY_PREAMBLE 9 #define VBSD_LKP_CHECK_KERNEL_ROLLBACK 10 #define VBSD_LKP_CHECK_PREAMBLE_VALID 11 -/* Body load address check is omitted; this result code is deprecated and not - * used anywhere in the codebase. */ +/* + * Body load address check is omitted; this result code is deprecated and not + * used anywhere in the codebase. + */ #define VBSD_LKP_CHECK_BODY_ADDRESS 12 #define VBSD_LKP_CHECK_BODY_OFFSET 13 #define VBSD_LKP_CHECK_SELF_SIGNED 14 @@ -296,16 +325,15 @@ typedef struct VbKernelPreambleHeader { #define VBSD_LKP_CHECK_VERIFY_DATA 18 #define VBSD_LKP_CHECK_KERNEL_GOOD 19 - /* Information about a single kernel partition check in LoadKernel() */ typedef struct VbSharedDataKernelPart { - uint64_t sector_start; /* Start sector of partition */ - uint64_t sector_count; /* Sector count of partition */ - uint32_t combined_version; /* Combined key+kernel version */ - uint8_t gpt_index; /* Index of partition in GPT */ - uint8_t check_result; /* Check result; see VBSD_LKP_CHECK_* */ - uint8_t flags; /* Flags (see VBSD_LKP_FLAG_* */ - uint8_t reserved0; /* Reserved for padding */ + uint64_t sector_start; /* Start sector of partition */ + uint64_t sector_count; /* Sector count of partition */ + uint32_t combined_version; /* Combined key+kernel version */ + uint8_t gpt_index; /* Index of partition in GPT */ + uint8_t check_result; /* Check result; see VBSD_LKP_CHECK_* */ + uint8_t flags; /* Flags (see VBSD_LKP_FLAG_* */ + uint8_t reserved0; /* Reserved for padding */ } VbSharedDataKernelPart; /* Number of kernel partitions to track per call. Must be power of 2. */ @@ -326,25 +354,35 @@ typedef struct VbSharedDataKernelPart { /* Information about a single call to LoadKernel() */ typedef struct VbSharedDataKernelCall { - uint32_t boot_flags; /* Bottom 32 bits of flags passed in - * LoadKernelParams.boot_flags */ - uint32_t flags; /* Debug flags; see VBSD_LK_FLAG_* */ - uint64_t sector_count; /* Number of sectors on drive */ - uint32_t sector_size; /* Sector size in bytes */ - uint8_t check_result; /* Check result; see VBSD_LKC_CHECK_* */ - uint8_t boot_mode; /* Boot mode for LoadKernel(); see - * VBSD_LK_BOOT_MODE_* constants */ - uint8_t test_error_num; /* Test error number, if non-zero */ - uint8_t return_code; /* Return code from LoadKernel() */ - uint8_t kernel_parts_found; /* Number of kernel partitions found */ - uint8_t reserved0[7]; /* Reserved for padding */ - VbSharedDataKernelPart parts[VBSD_MAX_KERNEL_PARTS]; /* Data on kernels */ + /* Bottom 32 bits of flags passed in LoadKernelParams.boot_flags */ + uint32_t boot_flags; + /* Debug flags; see VBSD_LK_FLAG_* */ + uint32_t flags; + /* Number of sectors on drive */ + uint64_t sector_count; + /* Sector size in bytes */ + uint32_t sector_size; + /* Check result; see VBSD_LKC_CHECK_* */ + uint8_t check_result; + /* Boot mode for LoadKernel(); see VBSD_LK_BOOT_MODE_* constants */ + uint8_t boot_mode; + /* Test error number, if non-zero */ + uint8_t test_error_num; + /* Return code from LoadKernel() */ + uint8_t return_code; + /* Number of kernel partitions found */ + uint8_t kernel_parts_found; + /* Reserved for padding */ + uint8_t reserved0[7]; + /* Data on kernels */ + VbSharedDataKernelPart parts[VBSD_MAX_KERNEL_PARTS]; } VbSharedDataKernelCall; /* Number of kernel calls to track. Must be power of 2. */ #define VBSD_MAX_KERNEL_CALLS 4 -/* Data shared between LoadFirmware(), LoadKernel(), and OS. +/* + * Data shared between LoadFirmware(), LoadKernel(), and OS. * * The boot process is: * 1) Caller allocates buffer, at least VB_SHARED_DATA_MIN bytes, ideally @@ -355,86 +393,113 @@ typedef struct VbSharedDataKernelCall { * LoadKernel() initializes the buffer, adding this header. Regardless * of boot type, LoadKernel() adds some data to the buffer. * 4) Caller makes data available to the OS in a platform-dependent manner. - * For example, via ACPI or ATAGs. */ + * For example, via ACPI or ATAGs. + */ typedef struct VbSharedDataHeader { - /* Fields present in version 1 */ - uint32_t magic; /* Magic number for struct - * (VB_SHARED_DATA_MAGIC) */ - uint32_t struct_version; /* Version of this structure */ - uint64_t struct_size; /* Size of this structure in bytes */ - uint64_t data_size; /* Size of shared data buffer in bytes */ - uint64_t data_used; /* Amount of shared data used so far */ - uint32_t flags; /* Flags */ - uint32_t reserved0; /* Reserved for padding */ - - VbPublicKey kernel_subkey; /* Kernel subkey, from firmware */ - uint64_t kernel_subkey_data_offset; /* Offset of kernel subkey data from - * start of this struct */ - uint64_t kernel_subkey_data_size; /* Size of kernel subkey data */ - - /* Timer values from VbExGetTimer(). Unused values are set to 0. - * Note that these are now the enter/exit times for the wrapper API entry - * points; see crosbug.com/17018. */ - /* VbInit() enter/exit */ - uint64_t timer_vb_init_enter; - uint64_t timer_vb_init_exit; - /* VbSelectFirmware() enter/exit */ - uint64_t timer_vb_select_firmware_enter; - uint64_t timer_vb_select_firmware_exit; - /* VbSelectAndLoadKernel() enter/exit */ - uint64_t timer_vb_select_and_load_kernel_enter; - uint64_t timer_vb_select_and_load_kernel_exit; - - /* Information stored in TPM, as retrieved by firmware */ - uint32_t fw_version_tpm; /* Current firmware version in TPM */ - uint32_t kernel_version_tpm; /* Current kernel version in TPM */ - - /* Debugging information from LoadFirmware() */ - uint8_t check_fw_a_result; /* Result of checking RW firmware A */ - uint8_t check_fw_b_result; /* Result of checking RW firmware B */ - uint8_t firmware_index; /* Firmware index returned by - * LoadFirmware() or 0xFF if failure */ - uint8_t reserved1; /* Reserved for padding */ - uint32_t fw_version_tpm_start; /* Firmware TPM version at start of - * VbSelectFirmware() */ - uint32_t fw_version_lowest; /* Firmware lowest version found */ - - /* Debugging information from LoadKernel() */ - uint32_t lk_call_count; /* Number of times LoadKernel() called */ - VbSharedDataKernelCall lk_calls[VBSD_MAX_KERNEL_CALLS]; /* Info on calls */ - - /* Offset and size of supplemental kernel data. Reserve space for these - * fields now, so that future LoadKernel() versions can store information - * there without needing to shift down whatever data the original - * LoadFirmware() might have put immediately following its - * VbSharedDataHeader. */ - uint64_t kernel_supplemental_offset; - uint64_t kernel_supplemental_size; - - /* Fields added in version 2. Before accessing, make sure that - * struct_version >= 2*/ - uint8_t recovery_reason; /* Recovery reason for current boot */ - uint8_t reserved2[7]; /* Reserved for padding */ - uint64_t fw_keyblock_flags; /* Flags from firmware keyblock */ - uint32_t kernel_version_tpm_start; /* Kernel TPM version at start of - * VbSelectAndLoadKernel() */ - uint32_t kernel_version_lowest; /* Kernel lowest version found */ - - /* After read-only firmware which uses version 2 is released, any additional - * fields must be added below, and the struct version must be increased. - * Before reading/writing those fields, make sure that the struct being - * accessed is at least version 3. - * - * It's always ok for an older firmware to access a newer struct, since all - * the fields it knows about are present. Newer firmware needs to use - * reasonable defaults when accessing older structs. */ - + /* Fields present in version 1 */ + /* Magic number for struct (VB_SHARED_DATA_MAGIC) */ + uint32_t magic; + /* Version of this structure */ + uint32_t struct_version; + /* Size of this structure in bytes */ + uint64_t struct_size; + /* Size of shared data buffer in bytes */ + uint64_t data_size; + /* Amount of shared data used so far */ + uint64_t data_used; + /* Flags */ + uint32_t flags; + /* Reserved for padding */ + uint32_t reserved0; + /* Kernel subkey, from firmware */ + VbPublicKey kernel_subkey; + /* Offset of kernel subkey data from start of this struct */ + uint64_t kernel_subkey_data_offset; + /* Size of kernel subkey data */ + uint64_t kernel_subkey_data_size; + + /* + * Timer values from VbExGetTimer(). Unused values are set to 0. Note + * that these are now the enter/exit times for the wrapper API entry + * points; see crosbug.com/17018. */ + /* VbInit() enter/exit */ + uint64_t timer_vb_init_enter; + uint64_t timer_vb_init_exit; + /* VbSelectFirmware() enter/exit */ + uint64_t timer_vb_select_firmware_enter; + uint64_t timer_vb_select_firmware_exit; + /* VbSelectAndLoadKernel() enter/exit */ + uint64_t timer_vb_select_and_load_kernel_enter; + uint64_t timer_vb_select_and_load_kernel_exit; + + /* Information stored in TPM, as retrieved by firmware */ + /* Current firmware version in TPM */ + uint32_t fw_version_tpm; + /* Current kernel version in TPM */ + uint32_t kernel_version_tpm; + + /* Debugging information from LoadFirmware() */ + /* Result of checking RW firmware A and B */ + uint8_t check_fw_a_result; + uint8_t check_fw_b_result; + /* Firmware index returned by LoadFirmware() or 0xFF if failure */ + uint8_t firmware_index; + /* Reserved for padding */ + uint8_t reserved1; + /* Firmware TPM version at start of VbSelectFirmware() */ + uint32_t fw_version_tpm_start; + /* Firmware lowest version found */ + uint32_t fw_version_lowest; + + /* Debugging information from LoadKernel() */ + /* Number of times LoadKernel() called */ + uint32_t lk_call_count; + /* Info on calls */ + VbSharedDataKernelCall lk_calls[VBSD_MAX_KERNEL_CALLS]; + + /* + * Offset and size of supplemental kernel data. Reserve space for + * these fields now, so that future LoadKernel() versions can store + * information there without needing to shift down whatever data the + * original LoadFirmware() might have put immediately following its + * VbSharedDataHeader. + */ + uint64_t kernel_supplemental_offset; + uint64_t kernel_supplemental_size; + + /* + * Fields added in version 2. Before accessing, make sure that + * struct_version >= 2 + */ + /* Recovery reason for current boot */ + uint8_t recovery_reason; + /* Reserved for padding */ + uint8_t reserved2[7]; + /* Flags from firmware keyblock */ + uint64_t fw_keyblock_flags; + /* Kernel TPM version at start of VbSelectAndLoadKernel() */ + uint32_t kernel_version_tpm_start; + /* Kernel lowest version found */ + uint32_t kernel_version_lowest; + + /* + * After read-only firmware which uses version 2 is released, any + * additional fields must be added below, and the struct version must + * be increased. Before reading/writing those fields, make sure that + * the struct being accessed is at least version 3. + * + * It's always ok for an older firmware to access a newer struct, since + * all the fields it knows about are present. Newer firmware needs to + * use reasonable defaults when accessing older structs. + */ } __attribute__((packed)) VbSharedDataHeader; -/* Size of VbSharedDataheader for each version */ -// TODO: crossystem needs not to -// fail if called on a v1 system where sizeof(VbSharedDataHeader) was smaller - +/* + * Size of VbSharedDataheader for each version + * + * TODO: crossystem needs not to fail if called on a v1 system where + * sizeof(VbSharedDataHeader) was smaller + */ #define VB_SHARED_DATA_HEADER_SIZE_V1 1072 #define VB_SHARED_DATA_HEADER_SIZE_V2 1096 diff --git a/firmware/lib/include/bmpblk_font.h b/firmware/lib/include/bmpblk_font.h index 1ffaefda..b79274cc 100644 --- a/firmware/lib/include/bmpblk_font.h +++ b/firmware/lib/include/bmpblk_font.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -45,20 +45,22 @@ __pragma(pack(push, 1)) /* Support packing for MSVC. */ #define FONT_SIGNATURE_SIZE 4 typedef struct FontArrayHeader { - uint8_t signature[FONT_SIGNATURE_SIZE]; - uint32_t num_entries; /* Number of chars encoded here. */ + uint8_t signature[FONT_SIGNATURE_SIZE]; + uint32_t num_entries; /* Number of chars encoded here. */ } __attribute__((packed)) FontArrayHeader; typedef struct FontArrayEntryHeader { - uint32_t ascii; /* What to show. Could even be UTF? */ - ImageInfo info; /* Describes the bitmap. */ - /* The image to use follows immediately, NOT compressed. It's uncompressed - * because each glyph is only a few hundred bytes, but they have much in - * common (colormaps, for example). When we add the whole font blob to the - * bmpblk, it will be compressed as a single item there. - */ -} __attribute__((packed)) FontArrayEntryHeader; + uint32_t ascii; /* What to show. Could even be UTF? */ + ImageInfo info; /* Describes the bitmap. */ + /* + * The image to use follows immediately, NOT compressed. It's + * uncompressed because each glyph is only a few hundred bytes, but + * they have much in common (colormaps, for example). When we add the + * whole font blob to the bmpblk, it will be compressed as a single + * item there. + */ +} __attribute__((packed)) FontArrayEntryHeader; __pragma(pack(pop)) /* Support packing for MSVC. */ diff --git a/firmware/lib/include/crc8.h b/firmware/lib/include/crc8.h index 95bc9862..14341440 100644 --- a/firmware/lib/include/crc8.h +++ b/firmware/lib/include/crc8.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -8,6 +8,6 @@ #define VBOOT_REFERENCE_CRC8_H_ #include "sysincludes.h" -uint8_t Crc8(const void* data, int len); +uint8_t Crc8(const void *data, int len); #endif /* VBOOT_REFERENCE_CRC8_H_ */ diff --git a/firmware/lib/include/rollback_index.h b/firmware/lib/include/rollback_index.h index 51e6ec10..c8b0147b 100644 --- a/firmware/lib/include/rollback_index.h +++ b/firmware/lib/include/rollback_index.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -23,106 +23,155 @@ __pragma(pack(push, 1)) /* Support packing for MSVC. */ /* Kernel space - KERNEL_NV_INDEX, locked with physical presence. */ #define ROLLBACK_SPACE_KERNEL_VERSION 2 #define ROLLBACK_SPACE_KERNEL_UID 0x4752574C /* 'GRWL' */ + typedef struct RollbackSpaceKernel { - uint8_t struct_version; /* Struct version, for backwards - * compatibility */ - uint32_t uid; /* Unique ID to detect space redefinition */ - uint32_t kernel_versions; /* Kernel versions */ - uint8_t reserved[3]; /* Reserved for future expansion */ - uint8_t crc8; /* Checksum (v2 and later only) */ + /* Struct version, for backwards compatibility */ + uint8_t struct_version; + /* Unique ID to detect space redefinition */ + uint32_t uid; + /* Kernel versions */ + uint32_t kernel_versions; + /* Reserved for future expansion */ + uint8_t reserved[3]; + /* Checksum (v2 and later only) */ + uint8_t crc8; } __attribute__((packed)) RollbackSpaceKernel; - /* Flags for firmware space */ -/* Last boot was developer mode. TPM ownership is cleared when - * transitioning to/from developer mode. */ +/* + * Last boot was developer mode. TPM ownership is cleared when transitioning + * to/from developer mode. + */ #define FLAG_LAST_BOOT_DEVELOPER 0x01 -/* Some systems may not have a dedicated dev-mode switch, but enter and leave - * dev-mode through some recovery-mode magic keypresses. For those systems, - * the dev-mode "switch" state is in this bit (0=normal, 1=dev). To make it - * work, a new flag is passed to VbInit(), indicating that the system lacks a - * physical dev-mode switch. If a physical switch is present, this bit is - * ignored. */ +/* + * Some systems may not have a dedicated dev-mode switch, but enter and leave + * dev-mode through some recovery-mode magic keypresses. For those systems, the + * dev-mode "switch" state is in this bit (0=normal, 1=dev). To make it work, a + * new flag is passed to VbInit(), indicating that the system lacks a physical + * dev-mode switch. If a physical switch is present, this bit is ignored. + */ #define FLAG_VIRTUAL_DEV_MODE_ON 0x02 -#define ROLLBACK_SPACE_FIRMWARE_VERSION 2 /* Firmware space - FIRMWARE_NV_INDEX, locked with global lock. */ +#define ROLLBACK_SPACE_FIRMWARE_VERSION 2 + typedef struct RollbackSpaceFirmware { - uint8_t struct_version; /* Struct version, for backwards compatibility */ - uint8_t flags; /* Flags (see FLAG_* above) */ - uint32_t fw_versions; /* Firmware versions */ - uint8_t reserved[3]; /* Reserved for future expansion */ - uint8_t crc8; /* Checksum (v2 and later only) */ + /* Struct version, for backwards compatibility */ + uint8_t struct_version; + /* Flags (see FLAG_* above) */ + uint8_t flags; + /* Firmware versions */ + uint32_t fw_versions; + /* Reserved for future expansion */ + uint8_t reserved[3]; + /* Checksum (v2 and later only) */ + uint8_t crc8; } __attribute__((packed)) RollbackSpaceFirmware; __pragma(pack(pop)) /* Support packing for MSVC. */ - /* All functions return TPM_SUCCESS (zero) if successful, non-zero if error */ -/* These functions are called from VbInit(). They cannot use global - * variables. */ +/* + * These functions are called from VbInit(). They cannot use global + * variables. + */ + uint32_t RollbackS3Resume(void); -/* These functions are callable from VbSelectFirmware(). They cannot use - * global variables. */ +/* + * These functions are callable from VbSelectFirmware(). They cannot use + * global variables. + */ -/* This must be called. */ +/** + * This must be called. + */ uint32_t RollbackFirmwareSetup(int recovery_mode, int is_hw_dev, int disable_dev_request, int clear_tpm_owner_request, /* two outputs on success */ int *is_virt_dev, uint32_t *tpm_version); -/* Write may be called if the versions change */ +/** + * Write may be called if the versions change. + */ uint32_t RollbackFirmwareWrite(uint32_t version); -/* Lock must be called */ +/** + * Lock must be called. + */ uint32_t RollbackFirmwareLock(void); -/* These functions are callable from VbSelectAndLoadKernel(). They - * may use global variables. */ +/* + * These functions are callable from VbSelectAndLoadKernel(). They may use + * global variables. + */ + +/** + * Read stored kernel version. + */ +uint32_t RollbackKernelRead(uint32_t *version); -/* Read and write may be called to read and write the kernel version. */ -uint32_t RollbackKernelRead(uint32_t* version); +/** + * Write stored kernel version. + */ uint32_t RollbackKernelWrite(uint32_t version); -/* Lock must be called. Internally, it's ignored in recovery mode. */ +/** + * Lock must be called. Internally, it's ignored in recovery mode. + */ uint32_t RollbackKernelLock(void); /****************************************************************************/ -/* The following functions are internal apis, listed here for use by - * unit tests only. */ -/* Issue a TPM_Clear and reenable/reactivate the TPM. */ +/* + * The following functions are internal apis, listed here for use by unit tests + * only. + */ + +/** + * Issue a TPM_Clear and reenable/reactivate the TPM. + */ uint32_t TPMClearAndReenable(void); -/* Like TlclWrite(), but checks for write errors due to hitting the 64-write +/** + * Like TlclWrite(), but checks for write errors due to hitting the 64-write * limit and clears the TPM when that happens. This can only happen when the * TPM is unowned, so it is OK to clear it (and we really have no choice). - * This is not expected to happen frequently, but it could happen. */ -uint32_t SafeWrite(uint32_t index, const void* data, uint32_t length); + * This is not expected to happen frequently, but it could happen. + */ +uint32_t SafeWrite(uint32_t index, const void *data, uint32_t length); -/* Similarly to SafeWrite(), this ensures we don't fail a DefineSpace because +/** + * Similarly to SafeWrite(), this ensures we don't fail a DefineSpace because * we hit the TPM write limit. This is even less likely to happen than with * writes because we only define spaces once at initialization, but we'd rather - * be paranoid about this. */ + * be paranoid about this. + */ uint32_t SafeDefineSpace(uint32_t index, uint32_t perm, uint32_t size); -/* Performs one-time initializations. Creates the NVRAM spaces, and sets their - * initial values as needed. Sets the nvLocked bit and ensures the physical - * presence command is enabled and locked. +/** + * Perform one-time initializations. + * + * Create the NVRAM spaces, and set their initial values as needed. Sets the + * nvLocked bit and ensures the physical presence command is enabled and + * locked. */ -uint32_t OneTimeInitializeTPM(RollbackSpaceFirmware* rsf, - RollbackSpaceKernel* rsk); +uint32_t OneTimeInitializeTPM(RollbackSpaceFirmware *rsf, + RollbackSpaceKernel *rsk); -/* SetupTPM starts the TPM and establishes the root of trust for the - * anti-rollback mechanism. */ +/** + * Start the TPM and establish the root of trust for the anti-rollback + * mechanism. + */ uint32_t SetupTPM(int recovery_mode, int developer_mode, int disable_dev_request, int clear_tpm_owner_request, - RollbackSpaceFirmware* rsf); + RollbackSpaceFirmware *rsf); -/* Utility function to turn the virtual dev-mode flag on or off. 0=off, 1=on */ +/** + * Utility function to turn the virtual dev-mode flag on or off. 0=off, 1=on. + */ uint32_t SetVirtualDevMode(int val); #endif /* VBOOT_REFERENCE_ROLLBACK_INDEX_H_ */ diff --git a/firmware/lib/include/stateful_util.h b/firmware/lib/include/stateful_util.h index 980b12b0..5d144abf 100644 --- a/firmware/lib/include/stateful_util.h +++ b/firmware/lib/include/stateful_util.h @@ -1,66 +1,76 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ -/* Helper functions/wrappers for memory allocations, manipulation and +/* + * Helper functions/wrappers for memory allocations, manipulation and * comparison. */ -#ifndef VBOOT_FIRMWARE_LIB_UTILITY_H_ -#define VBOOT_FIRMWARE_LIB_UTILITY_H_ +#ifndef VBOOT_FIRMWARE_LIB_STATEFUL_UTIL_H_ +#define VBOOT_FIRMWARE_LIB_STATEFUL_UTIL_H_ #include "sysincludes.h" /* Track remaining data to be read in a buffer. */ typedef struct MemcpyState { - uint8_t* remaining_buf; - uint64_t remaining_len; /* Remaining length of the buffer. */ - uint8_t overrun; /* Flag set to 1 when an overrun occurs. */ + uint8_t *remaining_buf; + uint64_t remaining_len; /* Remaining length of the buffer. */ + uint8_t overrun; /* Flag set to 1 when an overrun occurs. */ } MemcpyState; -/* Initialize a stateful buffer struct to point to the buffer, with - * the specified remaining length in bytes. */ -void StatefulInit(MemcpyState* state, void* buf, uint64_t len); +/** + * Initialize a stateful buffer struct to point to the buffer, with the + * specified remaining length in bytes. + */ +void StatefulInit(MemcpyState *state, void *buf, uint64_t len); -/* Skip [len] bytes only if there's enough data to skip according - * to [state]. +/** + * Skip [len] bytes only if there's enough data to skip according to [state]. + * * On success, return a meaningless but non-NULL pointer and updates [state]. * On failure, return NULL, set state->overrun to 1. * * Useful for iterating through a binary blob to populate a struct. After the * first failure (buffer overrun), successive calls will always fail. */ -void* StatefulSkip(MemcpyState* state, uint64_t len); +void *StatefulSkip(MemcpyState *state, uint64_t len); -/* Copy [len] bytes into [dst] only if there's enough data to read according +/** + * Copy [len] bytes into [dst] only if there's enough data to read according * to [state]. + * * On success, return [dst] and update [state]. * On failure, return NULL, set state->overrun to 1. * * Useful for iterating through a binary blob to populate a struct. After the * first failure (buffer overrun), successive calls will always fail. */ -void* StatefulMemcpy(MemcpyState* state, void* dst, uint64_t len); +void *StatefulMemcpy(MemcpyState *state, void *dst, uint64_t len); -/* Like StatefulMemcpy() but copies in the opposite direction, populating +/** + * Like StatefulMemcpy() but copies in the opposite direction, populating * data from [src] into the buffer encapsulated in state [state]. + * * On success, return [src] and update [state]. * On failure, return NULL, set state->overrun to 1. * * Useful for iterating through a structure to populate a binary blob. After the * first failure (buffer overrun), successive calls will always fail. */ -const void* StatefulMemcpy_r(MemcpyState* state, const void* src, uint64_t len); +const void *StatefulMemcpy_r(MemcpyState *state, const void *src, uint64_t len); -/* Like StatefulMemcpy_r() but fills a portion of the encapsulated buffer with +/** + * Like StatefulMemcpy_r() but fills a portion of the encapsulated buffer with * a constant value. + * * On success, return a meaningless but non-NULL pointer and updates [state]. * On failure, return NULL, set state->overrun to 1. * * After the first failure (buffer overrun), successive calls will always fail. */ -const void* StatefulMemset_r(MemcpyState* state, const uint8_t val, +const void *StatefulMemset_r(MemcpyState *state, const uint8_t val, uint64_t len); -#endif /* VBOOT_FIRMWARE_LIB_UTILITY_H_ */ +#endif diff --git a/firmware/lib/include/tpm_bootmode.h b/firmware/lib/include/tpm_bootmode.h index cdc9fcd1..0a8044ec 100644 --- a/firmware/lib/include/tpm_bootmode.h +++ b/firmware/lib/include/tpm_bootmode.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -10,16 +10,17 @@ #include "sysincludes.h" -/* Update TPM PCR State with the boot path status. +/** + * Update TPM PCR State with the boot path status. + * * [developer_mode]: State of the developer switch. * [recovery_mode}: State of the recovery mode. - * [fw_keyblock_flags]: Keyblock flags on the to-be-booted + * [fw_keyblock_flags]: Keyblock flags of the to-be-booted * RW firmware keyblock. * - * Returns: TPM_SUCCESS if the TPM extend operation succeeds. + * Returns: TPM_SUCCESS if the TPM extend operation succeeds. */ - uint32_t SetTPMBootModeState(int developer_mode, int recovery_mode, - uint64_t fw_keyblock_flags); + uint64_t fw_keyblock_flags); #endif /* VBOOT_REFERENCE_TPM_BOOTMODE_H_ */ diff --git a/firmware/lib/include/vboot_audio.h b/firmware/lib/include/vboot_audio.h index eea5a65a..afcac140 100644 --- a/firmware/lib/include/vboot_audio.h +++ b/firmware/lib/include/vboot_audio.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -12,14 +12,20 @@ typedef struct VbAudioContext VbAudioContext; -/* Initialization function. Returns context for processing dev-mode delay */ -VbAudioContext* VbAudioOpen(VbCommonParams* cparams); +/** + * Initialization function. Returns context for processing dev-mode delay. + */ +VbAudioContext *VbAudioOpen(VbCommonParams *cparams); -/* Caller should loop without extra delay until this returns false */ -int VbAudioLooping(VbAudioContext* audio); +/** + * Caller should loop without extra delay until this returns false. + */ +int VbAudioLooping(VbAudioContext *audio); -/* Caller should call this prior to booting */ -void VbAudioClose(VbAudioContext* audio); +/** + * Caller should call this prior to booting. + */ +void VbAudioClose(VbAudioContext *audio); #endif /* VBOOT_REFERENCE_VBOOT_AUDIO_H_ */ diff --git a/firmware/lib/include/vboot_audio_private.h b/firmware/lib/include/vboot_audio_private.h index 236cc09c..902bc62e 100644 --- a/firmware/lib/include/vboot_audio_private.h +++ b/firmware/lib/include/vboot_audio_private.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -12,32 +12,32 @@ #include "vboot_audio.h" typedef struct VbDevMusicNote { - uint16_t msec; - uint16_t frequency; + uint16_t msec; + uint16_t frequency; } __attribute__((packed)) VbDevMusicNote; typedef struct VbDevMusic { - uint8_t sig[4]; /* "$SND" */ - uint32_t checksum; /* crc32 over count & all notes */ - uint32_t count; /* number of notes */ - VbDevMusicNote notes[1]; /* gcc allows [0], MSVC doesn't */ - /* more VbDevMusicNotes follow immediately */ + uint8_t sig[4]; /* "$SND" */ + uint32_t checksum; /* crc32 over count & all notes */ + uint32_t count; /* number of notes */ + VbDevMusicNote notes[1]; /* gcc allows [0], MSVC doesn't */ + /* more VbDevMusicNotes follow immediately */ } __attribute__((packed)) VbDevMusic; struct VbAudioContext { - /* note tracking */ - VbDevMusicNote* music_notes; - uint32_t note_count; - uint32_t next_note; - - /* implementation flags */ - int background_beep; - int free_notes_when_done; - - /* sound tracking */ - uint16_t current_frequency; - uint64_t play_until; - uint64_t last_time; + /* note tracking */ + VbDevMusicNote *music_notes; + uint32_t note_count; + uint32_t next_note; + + /* implementation flags */ + int background_beep; + int free_notes_when_done; + + /* sound tracking */ + uint16_t current_frequency; + uint64_t play_until; + uint64_t last_time; }; #ifdef FOR_TEST @@ -55,4 +55,3 @@ uint32_t VbExMaxMusicSize(void); #endif #endif /* VBOOT_REFERENCE_VBOOT_AUDIO_PRIVATE_H_ */ - diff --git a/firmware/lib/include/vboot_common.h b/firmware/lib/include/vboot_common.h index fe886ce4..ca9abd0a 100644 --- a/firmware/lib/include/vboot_common.h +++ b/firmware/lib/include/vboot_common.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -17,122 +17,147 @@ /* Error Codes for all common functions. */ enum { - VBOOT_SUCCESS = 0, - VBOOT_KEY_BLOCK_INVALID, /* Key block internal structure is - * invalid, or not a key block */ - VBOOT_KEY_BLOCK_SIGNATURE, /* Key block signature check failed */ - VBOOT_KEY_BLOCK_HASH, /* Key block hash check failed */ - VBOOT_PUBLIC_KEY_INVALID, /* Invalid public key passed to a - * signature verficiation function. */ - VBOOT_PREAMBLE_INVALID, /* Preamble internal structure is - * invalid */ - VBOOT_PREAMBLE_SIGNATURE, /* Preamble signature check failed */ - VBOOT_SHARED_DATA_INVALID, /* Shared data is invalid. */ - VBOOT_ERROR_MAX, + VBOOT_SUCCESS = 0, + /* Key block internal structure is invalid, or not a key block */ + VBOOT_KEY_BLOCK_INVALID, + /* Key block signature check failed */ + VBOOT_KEY_BLOCK_SIGNATURE, + /* Key block hash check failed */ + VBOOT_KEY_BLOCK_HASH, + /* Invalid public key passed to a signature verficiation function. */ + VBOOT_PUBLIC_KEY_INVALID, + /* Preamble internal structure is invalid */ + VBOOT_PREAMBLE_INVALID, + /* Preamble signature check failed */ + VBOOT_PREAMBLE_SIGNATURE, + /* Shared data is invalid. */ + VBOOT_SHARED_DATA_INVALID, + VBOOT_ERROR_MAX, }; -extern char* kVbootErrors[VBOOT_ERROR_MAX]; +extern const char *kVbootErrors[VBOOT_ERROR_MAX]; +/** + * Return offset of ptr from base. + */ +uint64_t OffsetOf(const void *base, const void *ptr); -/* Return offset of ptr from base. */ -uint64_t OffsetOf(const void* base, const void* ptr); - - -/* Helper functions to get data pointed to by a public key or signature. */ -uint8_t* GetPublicKeyData(VbPublicKey* key); -const uint8_t* GetPublicKeyDataC(const VbPublicKey* key); -uint8_t* GetSignatureData(VbSignature* sig); -const uint8_t* GetSignatureDataC(const VbSignature* sig); - +/* + * Helper functions to get data pointed to by a public key or signature. + */ -/* Helper functions to verify the data pointed to by a subfield is inside - * the parent data. Returns 0 if inside, 1 if error. */ -int VerifyMemberInside(const void* parent, uint64_t parent_size, - const void* member, uint64_t member_size, - uint64_t member_data_offset, - uint64_t member_data_size); +uint8_t *GetPublicKeyData(VbPublicKey *key); +const uint8_t *GetPublicKeyDataC(const VbPublicKey *key); +uint8_t *GetSignatureData(VbSignature *sig); +const uint8_t *GetSignatureDataC(const VbSignature *sig); -int VerifyPublicKeyInside(const void* parent, uint64_t parent_size, - const VbPublicKey* key); +/* + * Helper functions to verify the data pointed to by a subfield is inside the + * parent data. Returns 0 if inside, 1 if error. + */ -int VerifySignatureInside(const void* parent, uint64_t parent_size, - const VbSignature* sig); +int VerifyMemberInside(const void *parent, uint64_t parent_size, + const void *member, uint64_t member_size, + uint64_t member_data_offset, + uint64_t member_data_size); +int VerifyPublicKeyInside(const void *parent, uint64_t parent_size, + const VbPublicKey *key); -/* Initialize a public key to refer to [key_data]. */ -void PublicKeyInit(VbPublicKey* key, uint8_t* key_data, uint64_t key_size); +int VerifySignatureInside(const void *parent, uint64_t parent_size, + const VbSignature *sig); +/** + * Initialize a public key to refer to [key_data]. + */ +void PublicKeyInit(VbPublicKey *key, uint8_t *key_data, uint64_t key_size); -/* Copy a public key from [src] to [dest]. +/** + * Copy a public key from [src] to [dest]. * - * Returns 0 if success, non-zero if error. */ -int PublicKeyCopy(VbPublicKey* dest, const VbPublicKey* src); - + * Returns 0 if success, non-zero if error. + */ +int PublicKeyCopy(VbPublicKey *dest, const VbPublicKey *src); -/* Converts a public key to RsaPublicKey format. The returned key must - * be freed using RSAPublicKeyFree(). +/** + * Convert a public key to RsaPublicKey format. The returned key must be freed + * using RSAPublicKeyFree(). * - * Returns NULL if error. */ -RSAPublicKey* PublicKeyToRSA(const VbPublicKey* key); - - -/* Verifies [data] matches signature [sig] using [key]. [size] is the size - * of the data buffer; the amount of data to be validated is contained in - * sig->data_size. */ -int VerifyData(const uint8_t* data, uint64_t size, const VbSignature* sig, - const RSAPublicKey* key); - + * Returns NULL if error. + */ +RSAPublicKey *PublicKeyToRSA(const VbPublicKey *key); -/* Verifies a secure hash digest from DigestBuf() or DigestFinal(), - * using [key]. Returns 0 on success. */ -int VerifyDigest(const uint8_t* digest, const VbSignature *sig, - const RSAPublicKey* key); +/** + * Verify [data] matches signature [sig] using [key]. [size] is the size of + * the data buffer; the amount of data to be validated is contained in + * sig->data_size. + */ +int VerifyData(const uint8_t *data, uint64_t size, const VbSignature *sig, + const RSAPublicKey *key); -/* Checks the sanity of a key block of size [size] bytes, using public - * key [key]. If hash_only is non-zero, uses only the block checksum - * to verify the key block. Header fields are also checked for - * sanity. Does not verify key index or key block flags. */ -int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size, - const VbPublicKey *key, int hash_only); +/** + * Verify a secure hash digest from DigestBuf() or DigestFinal(), using + * [key]. Returns 0 on success. + */ +int VerifyDigest(const uint8_t *digest, const VbSignature *sig, + const RSAPublicKey *key); + +/** + * Check the sanity of a key block of size [size] bytes, using public key + * [key]. If hash_only is non-zero, uses only the block checksum to verify the + * key block. Header fields are also checked for sanity. Does not verify key + * index or key block flags. + */ +int KeyBlockVerify(const VbKeyBlockHeader *block, uint64_t size, + const VbPublicKey *key, int hash_only); -/* Checks the sanity of a firmware preamble of size [size] bytes, - * using public key [key]. +/** + * Check the sanity of a firmware preamble of size [size] bytes, using public + * key [key]. * - * Returns VBOOT_SUCCESS if successful. */ -int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader* preamble, - uint64_t size, const RSAPublicKey* key); - + * Returns VBOOT_SUCCESS if successful. + */ +int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader *preamble, + uint64_t size, const RSAPublicKey *key); -/* Returns the flags from a firmware preamble, or a default value for - * older preamble versions which didn't contain flags. Use this - * function to ensure compatibility with older preamble versions - * (2.0). Assumes the preamble has already been verified via - * VerifyFirmwarePreamble(). */ -uint32_t VbGetFirmwarePreambleFlags(const VbFirmwarePreambleHeader* preamble); +/** + * Return the flags from a firmware preamble, or a default value for older + * preamble versions which didn't contain flags. Use this function to ensure + * compatibility with older preamble versions (2.0). Assumes the preamble has + * already been verified via VerifyFirmwarePreamble(). + */ +uint32_t VbGetFirmwarePreambleFlags(const VbFirmwarePreambleHeader *preamble); -/* Checks the sanity of a kernel preamble of size [size] bytes, - * using public key [key]. +/** + * Check the sanity of a kernel preamble of size [size] bytes, using public key + * [key]. * - * Returns VBOOT_SUCCESS if successful. */ -int VerifyKernelPreamble(const VbKernelPreambleHeader* preamble, - uint64_t size, const RSAPublicKey* key); + * Returns VBOOT_SUCCESS if successful. + */ +int VerifyKernelPreamble(const VbKernelPreambleHeader *preamble, + uint64_t size, const RSAPublicKey *key); -/* Initialize a verified boot shared data structure. +/** + * Initialize a verified boot shared data structure. * - * Returns 0 if success, non-zero if error. */ -int VbSharedDataInit(VbSharedDataHeader* header, uint64_t size); + * Returns 0 if success, non-zero if error. + */ +int VbSharedDataInit(VbSharedDataHeader *header, uint64_t size); -/* Reserve [size] bytes of the shared data area. Returns the offset of the - * reserved data from the start of the shared data buffer, or 0 if error. */ -uint64_t VbSharedDataReserve(VbSharedDataHeader* header, uint64_t size); +/** + * Reserve [size] bytes of the shared data area. Returns the offset of the + * reserved data from the start of the shared data buffer, or 0 if error. + */ +uint64_t VbSharedDataReserve(VbSharedDataHeader *header, uint64_t size); -/* Copy the kernel subkey into the shared data. +/** + * Copy the kernel subkey into the shared data. * - * Returns 0 if success, non-zero if error. */ -int VbSharedDataSetKernelKey(VbSharedDataHeader* header, - const VbPublicKey* src); - + * Returns 0 if success, non-zero if error. + */ +int VbSharedDataSetKernelKey(VbSharedDataHeader *header, + const VbPublicKey *src); #endif /* VBOOT_REFERENCE_VBOOT_COMMON_H_ */ diff --git a/firmware/lib/include/vboot_display.h b/firmware/lib/include/vboot_display.h index b9ec04c0..f8aa810b 100644 --- a/firmware/lib/include/vboot_display.h +++ b/firmware/lib/include/vboot_display.h @@ -11,12 +11,12 @@ #include "vboot_api.h" #include "vboot_nvstorage.h" -VbError_t VbDisplayScreenFromGBB(VbCommonParams* cparams, uint32_t screen, +VbError_t VbDisplayScreenFromGBB(VbCommonParams *cparams, uint32_t screen, VbNvContext *vncptr); -VbError_t VbDisplayScreen(VbCommonParams* cparams, uint32_t screen, int force, +VbError_t VbDisplayScreen(VbCommonParams *cparams, uint32_t screen, int force, VbNvContext *vncptr); -VbError_t VbDisplayDebugInfo(VbCommonParams* cparams, VbNvContext *vncptr); -VbError_t VbCheckDisplayKey(VbCommonParams* cparams, uint32_t key, +VbError_t VbDisplayDebugInfo(VbCommonParams *cparams, VbNvContext *vncptr); +VbError_t VbCheckDisplayKey(VbCommonParams *cparams, uint32_t key, VbNvContext *vncptr); /* Internal functions, for unit testing */ diff --git a/firmware/lib/include/vboot_kernel.h b/firmware/lib/include/vboot_kernel.h index a9d8a407..6e6c5dc3 100644 --- a/firmware/lib/include/vboot_kernel.h +++ b/firmware/lib/include/vboot_kernel.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -12,15 +12,18 @@ #include "cgptlib.h" #include "vboot_api.h" -/* Allocates and reads GPT data from the drive. The sector_bytes and - * drive_sectors fields should be filled on input. The primary and - * secondary header and entries are filled on output. +/** + * Allocate and read GPT data from the drive. The sector_bytes and + * drive_sectors fields should be filled on input. The primary and secondary + * header and entries are filled on output. * - * Returns 0 if successful, 1 if error. */ -int AllocAndReadGptData(VbExDiskHandle_t disk_handle, GptData* gptdata); + * Returns 0 if successful, 1 if error. + */ +int AllocAndReadGptData(VbExDiskHandle_t disk_handle, GptData *gptdata); -/* Writes any changes for the GPT data back to the drive, then frees the - * buffers. */ -int WriteAndFreeGptData(VbExDiskHandle_t disk_handle, GptData* gptdata); +/** + * Write any changes for the GPT data back to the drive, then free the buffers. + */ +int WriteAndFreeGptData(VbExDiskHandle_t disk_handle, GptData *gptdata); #endif /* VBOOT_REFERENCE_VBOOT_KERNEL_H_ */ diff --git a/firmware/lib/vboot_common.c b/firmware/lib/vboot_common.c index bf79b81f..50a4cff8 100644 --- a/firmware/lib/vboot_common.c +++ b/firmware/lib/vboot_common.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2012 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -6,488 +6,496 @@ * (Firmware portion) */ - #include "vboot_api.h" #include "vboot_common.h" #include "utility.h" - -char* kVbootErrors[VBOOT_ERROR_MAX] = { - "Success.", - "Key block invalid.", - "Key block signature failed.", - "Key block hash failed.", - "Public key invalid.", - "Preamble invalid.", - "Preamble signature check failed.", - "Shared data invalid." +const char *kVbootErrors[VBOOT_ERROR_MAX] = { + "Success.", + "Key block invalid.", + "Key block signature failed.", + "Key block hash failed.", + "Public key invalid.", + "Preamble invalid.", + "Preamble signature check failed.", + "Shared data invalid." }; - -uint64_t OffsetOf(const void *base, const void *ptr) { - return (uint64_t)(size_t)ptr - (uint64_t)(size_t)base; +uint64_t OffsetOf(const void *base, const void *ptr) +{ + return (uint64_t)(size_t)ptr - (uint64_t)(size_t)base; } - /* Helper functions to get data pointed to by a public key or signature. */ -uint8_t* GetPublicKeyData(VbPublicKey* key) { - return (uint8_t*)key + key->key_offset; + +uint8_t *GetPublicKeyData(VbPublicKey *key) +{ + return (uint8_t *)key + key->key_offset; } -const uint8_t* GetPublicKeyDataC(const VbPublicKey* key) { - return (const uint8_t*)key + key->key_offset; +const uint8_t *GetPublicKeyDataC(const VbPublicKey *key) +{ + return (const uint8_t *)key + key->key_offset; } -uint8_t* GetSignatureData(VbSignature* sig) { - return (uint8_t*)sig + sig->sig_offset; +uint8_t *GetSignatureData(VbSignature *sig) +{ + return (uint8_t *)sig + sig->sig_offset; } -const uint8_t* GetSignatureDataC(const VbSignature* sig) { - return (const uint8_t*)sig + sig->sig_offset; +const uint8_t *GetSignatureDataC(const VbSignature *sig) +{ + return (const uint8_t *)sig + sig->sig_offset; } +/* + * Helper functions to verify the data pointed to by a subfield is inside + * the parent data. Returns 0 if inside, 1 if error. + */ -/* Helper functions to verify the data pointed to by a subfield is inside - * the parent data. Returns 0 if inside, 1 if error. */ -int VerifyMemberInside(const void* parent, uint64_t parent_size, - const void* member, uint64_t member_size, +int VerifyMemberInside(const void *parent, uint64_t parent_size, + const void *member, uint64_t member_size, uint64_t member_data_offset, - uint64_t member_data_size) { - uint64_t end = OffsetOf(parent, member); - - if (end > parent_size) - return 1; - - if (UINT64_MAX - end < member_size) - return 1; /* Detect wraparound in integer math */ - if (end + member_size > parent_size) - return 1; - - if (UINT64_MAX - end < member_data_offset) - return 1; - end += member_data_offset; - if (end > parent_size) - return 1; - - if (UINT64_MAX - end < member_data_size) - return 1; - if (end + member_data_size > parent_size) - return 1; - - return 0; + uint64_t member_data_size) +{ + uint64_t end = OffsetOf(parent, member); + + if (end > parent_size) + return 1; + + if (UINT64_MAX - end < member_size) + return 1; /* Detect wraparound in integer math */ + if (end + member_size > parent_size) + return 1; + + if (UINT64_MAX - end < member_data_offset) + return 1; + end += member_data_offset; + if (end > parent_size) + return 1; + + if (UINT64_MAX - end < member_data_size) + return 1; + if (end + member_data_size > parent_size) + return 1; + + return 0; } - -int VerifyPublicKeyInside(const void* parent, uint64_t parent_size, - const VbPublicKey* key) { - return VerifyMemberInside(parent, parent_size, - key, sizeof(VbPublicKey), - key->key_offset, key->key_size); +int VerifyPublicKeyInside(const void *parent, uint64_t parent_size, + const VbPublicKey *key) +{ + return VerifyMemberInside(parent, parent_size, + key, sizeof(VbPublicKey), + key->key_offset, key->key_size); } - -int VerifySignatureInside(const void* parent, uint64_t parent_size, - const VbSignature* sig) { - return VerifyMemberInside(parent, parent_size, - sig, sizeof(VbSignature), - sig->sig_offset, sig->sig_size); +int VerifySignatureInside(const void *parent, uint64_t parent_size, + const VbSignature *sig) +{ + return VerifyMemberInside(parent, parent_size, + sig, sizeof(VbSignature), + sig->sig_offset, sig->sig_size); } - -void PublicKeyInit(VbPublicKey* key, uint8_t* key_data, uint64_t key_size) { - key->key_offset = OffsetOf(key, key_data); - key->key_size = key_size; - key->algorithm = kNumAlgorithms; /* Key not present yet */ - key->key_version = 0; +void PublicKeyInit(VbPublicKey *key, uint8_t *key_data, uint64_t key_size) +{ + key->key_offset = OffsetOf(key, key_data); + key->key_size = key_size; + key->algorithm = kNumAlgorithms; /* Key not present yet */ + key->key_version = 0; } +int PublicKeyCopy(VbPublicKey *dest, const VbPublicKey *src) +{ + if (dest->key_size < src->key_size) + return 1; -int PublicKeyCopy(VbPublicKey* dest, const VbPublicKey* src) { - if (dest->key_size < src->key_size) - return 1; - - dest->key_size = src->key_size; - dest->algorithm = src->algorithm; - dest->key_version = src->key_version; - Memcpy(GetPublicKeyData(dest), GetPublicKeyDataC(src), src->key_size); - return 0; + dest->key_size = src->key_size; + dest->algorithm = src->algorithm; + dest->key_version = src->key_version; + Memcpy(GetPublicKeyData(dest), GetPublicKeyDataC(src), src->key_size); + return 0; } - -RSAPublicKey* PublicKeyToRSA(const VbPublicKey* key) { - RSAPublicKey *rsa; - uint64_t key_size; - - if (kNumAlgorithms <= key->algorithm) { - VBDEBUG(("Invalid algorithm.\n")); - return NULL; - } - if (!RSAProcessedKeySize(key->algorithm, &key_size) || - key_size != key->key_size) { - VBDEBUG(("Wrong key size for algorithm\n")); - return NULL; - } - - rsa = RSAPublicKeyFromBuf(GetPublicKeyDataC(key), key->key_size); - if (!rsa) - return NULL; - - rsa->algorithm = (unsigned int)key->algorithm; - return rsa; +RSAPublicKey *PublicKeyToRSA(const VbPublicKey *key) +{ + RSAPublicKey *rsa; + uint64_t key_size; + + if (kNumAlgorithms <= key->algorithm) { + VBDEBUG(("Invalid algorithm.\n")); + return NULL; + } + if (!RSAProcessedKeySize(key->algorithm, &key_size) || + key_size != key->key_size) { + VBDEBUG(("Wrong key size for algorithm\n")); + return NULL; + } + + rsa = RSAPublicKeyFromBuf(GetPublicKeyDataC(key), key->key_size); + if (!rsa) + return NULL; + + rsa->algorithm = (unsigned int)key->algorithm; + return rsa; } - -int VerifyData(const uint8_t* data, uint64_t size, const VbSignature *sig, - const RSAPublicKey* key) { - - if (sig->sig_size != siglen_map[key->algorithm]) { - VBDEBUG(("Wrong signature size for algorithm.\n")); - return 1; - } - if (sig->data_size > size) { - VBDEBUG(("Data buffer smaller than length of signed data.\n")); - return 1; - } - - if (!RSAVerifyBinary_f(NULL, key, data, sig->data_size, - GetSignatureDataC(sig), key->algorithm)) - return 1; - - return 0; +int VerifyData(const uint8_t *data, uint64_t size, const VbSignature *sig, + const RSAPublicKey *key) +{ + if (sig->sig_size != siglen_map[key->algorithm]) { + VBDEBUG(("Wrong signature size for algorithm.\n")); + return 1; + } + if (sig->data_size > size) { + VBDEBUG(("Data buffer smaller than length of signed data.\n")); + return 1; + } + + if (!RSAVerifyBinary_f(NULL, key, data, sig->data_size, + GetSignatureDataC(sig), key->algorithm)) + return 1; + + return 0; } +int VerifyDigest(const uint8_t *digest, const VbSignature *sig, + const RSAPublicKey *key) +{ + if (sig->sig_size != siglen_map[key->algorithm]) { + VBDEBUG(("Wrong signature size for algorithm.\n")); + return 1; + } -int VerifyDigest(const uint8_t* digest, const VbSignature *sig, - const RSAPublicKey* key) { - - if (sig->sig_size != siglen_map[key->algorithm]) { - VBDEBUG(("Wrong signature size for algorithm.\n")); - return 1; - } - - if (!RSAVerifyBinaryWithDigest_f(NULL, key, digest, - GetSignatureDataC(sig), key->algorithm)) - return 1; + if (!RSAVerifyBinaryWithDigest_f(NULL, key, digest, + GetSignatureDataC(sig), + key->algorithm)) + return 1; - return 0; + return 0; } - -int KeyBlockVerify(const VbKeyBlockHeader* block, uint64_t size, - const VbPublicKey *key, int hash_only) { - - const VbSignature* sig; - - /* Sanity checks before attempting signature of data */ - if(size < sizeof(VbKeyBlockHeader)) { - VBDEBUG(("Not enough space for key block header.\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (SafeMemcmp(block->magic, KEY_BLOCK_MAGIC, KEY_BLOCK_MAGIC_SIZE)) { - VBDEBUG(("Not a valid verified boot key block.\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (block->header_version_major != KEY_BLOCK_HEADER_VERSION_MAJOR) { - VBDEBUG(("Incompatible key block header version.\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (size < block->key_block_size) { - VBDEBUG(("Not enough data for key block.\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (!hash_only && !key) { - VBDEBUG(("Missing required public key.\n")); - return VBOOT_PUBLIC_KEY_INVALID; - } - - /* Check signature or hash, depending on the hash_only parameter. Note that - * we don't require a key even if the keyblock has a signature, because the - * caller may not care if the keyblock itself is signed (for example, booting - * a Google-signed kernel in developer mode). - */ - if (hash_only) { - /* Check hash */ - uint8_t* header_checksum = NULL; - int rv; - - sig = &block->key_block_checksum; - - if (VerifySignatureInside(block, block->key_block_size, sig)) { - VBDEBUG(("Key block hash off end of block\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (sig->sig_size != SHA512_DIGEST_SIZE) { - VBDEBUG(("Wrong hash size for key block.\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - - /* Make sure advertised signature data sizes are sane. */ - if (block->key_block_size < sig->data_size) { - VBDEBUG(("Signature calculated past end of the block\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - - VBDEBUG(("Checking key block hash only...\n")); - header_checksum = DigestBuf((const uint8_t*)block, sig->data_size, - SHA512_DIGEST_ALGORITHM); - rv = SafeMemcmp(header_checksum, GetSignatureDataC(sig), - SHA512_DIGEST_SIZE); - VbExFree(header_checksum); - if (rv) { - VBDEBUG(("Invalid key block hash.\n")); - return VBOOT_KEY_BLOCK_HASH; - } - } else { - /* Check signature */ - RSAPublicKey* rsa; - int rv; - - sig = &block->key_block_signature; - - if (VerifySignatureInside(block, block->key_block_size, sig)) { - VBDEBUG(("Key block signature off end of block\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - - rsa = PublicKeyToRSA(key); - if (!rsa) { - VBDEBUG(("Invalid public key\n")); - return VBOOT_PUBLIC_KEY_INVALID; - } - - /* Make sure advertised signature data sizes are sane. */ - if (block->key_block_size < sig->data_size) { - VBDEBUG(("Signature calculated past end of the block\n")); - RSAPublicKeyFree(rsa); - return VBOOT_KEY_BLOCK_INVALID; - } - - VBDEBUG(("Checking key block signature...\n")); - rv = VerifyData((const uint8_t*)block, size, sig, rsa); - RSAPublicKeyFree(rsa); - if (rv) { - VBDEBUG(("Invalid key block signature.\n")); - return VBOOT_KEY_BLOCK_SIGNATURE; - } - } - - /* Verify we signed enough data */ - if (sig->data_size < sizeof(VbKeyBlockHeader)) { - VBDEBUG(("Didn't sign enough data\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - - /* Verify data key is inside the block and inside signed data */ - if (VerifyPublicKeyInside(block, block->key_block_size, &block->data_key)) { - VBDEBUG(("Data key off end of key block\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - if (VerifyPublicKeyInside(block, sig->data_size, &block->data_key)) { - VBDEBUG(("Data key off end of signed data\n")); - return VBOOT_KEY_BLOCK_INVALID; - } - - /* Success */ - return VBOOT_SUCCESS; +int KeyBlockVerify(const VbKeyBlockHeader *block, uint64_t size, + const VbPublicKey *key, int hash_only) +{ + const VbSignature *sig; + + /* Sanity checks before attempting signature of data */ + if(size < sizeof(VbKeyBlockHeader)) { + VBDEBUG(("Not enough space for key block header.\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (SafeMemcmp(block->magic, KEY_BLOCK_MAGIC, KEY_BLOCK_MAGIC_SIZE)) { + VBDEBUG(("Not a valid verified boot key block.\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (block->header_version_major != KEY_BLOCK_HEADER_VERSION_MAJOR) { + VBDEBUG(("Incompatible key block header version.\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (size < block->key_block_size) { + VBDEBUG(("Not enough data for key block.\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (!hash_only && !key) { + VBDEBUG(("Missing required public key.\n")); + return VBOOT_PUBLIC_KEY_INVALID; + } + + /* + * Check signature or hash, depending on the hash_only parameter. Note + * that we don't require a key even if the keyblock has a signature, + * because the caller may not care if the keyblock itself is signed + * (for example, booting a Google-signed kernel in developer mode). + */ + if (hash_only) { + /* Check hash */ + uint8_t *header_checksum = NULL; + int rv; + + sig = &block->key_block_checksum; + + if (VerifySignatureInside(block, block->key_block_size, sig)) { + VBDEBUG(("Key block hash off end of block\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (sig->sig_size != SHA512_DIGEST_SIZE) { + VBDEBUG(("Wrong hash size for key block.\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + + /* Make sure advertised signature data sizes are sane. */ + if (block->key_block_size < sig->data_size) { + VBDEBUG(("Signature calculated past end of block\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + + VBDEBUG(("Checking key block hash only...\n")); + header_checksum = DigestBuf((const uint8_t *)block, + sig->data_size, + SHA512_DIGEST_ALGORITHM); + rv = SafeMemcmp(header_checksum, GetSignatureDataC(sig), + SHA512_DIGEST_SIZE); + VbExFree(header_checksum); + if (rv) { + VBDEBUG(("Invalid key block hash.\n")); + return VBOOT_KEY_BLOCK_HASH; + } + } else { + /* Check signature */ + RSAPublicKey *rsa; + int rv; + + sig = &block->key_block_signature; + + if (VerifySignatureInside(block, block->key_block_size, sig)) { + VBDEBUG(("Key block signature off end of block\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + + rsa = PublicKeyToRSA(key); + if (!rsa) { + VBDEBUG(("Invalid public key\n")); + return VBOOT_PUBLIC_KEY_INVALID; + } + + /* Make sure advertised signature data sizes are sane. */ + if (block->key_block_size < sig->data_size) { + VBDEBUG(("Signature calculated past end of block\n")); + RSAPublicKeyFree(rsa); + return VBOOT_KEY_BLOCK_INVALID; + } + + VBDEBUG(("Checking key block signature...\n")); + rv = VerifyData((const uint8_t *)block, size, sig, rsa); + RSAPublicKeyFree(rsa); + if (rv) { + VBDEBUG(("Invalid key block signature.\n")); + return VBOOT_KEY_BLOCK_SIGNATURE; + } + } + + /* Verify we signed enough data */ + if (sig->data_size < sizeof(VbKeyBlockHeader)) { + VBDEBUG(("Didn't sign enough data\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + + /* Verify data key is inside the block and inside signed data */ + if (VerifyPublicKeyInside(block, block->key_block_size, + &block->data_key)) { + VBDEBUG(("Data key off end of key block\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + if (VerifyPublicKeyInside(block, sig->data_size, &block->data_key)) { + VBDEBUG(("Data key off end of signed data\n")); + return VBOOT_KEY_BLOCK_INVALID; + } + + /* Success */ + return VBOOT_SUCCESS; } -int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader* preamble, - uint64_t size, const RSAPublicKey* key) { - - const VbSignature* sig = &preamble->preamble_signature; - - /* Sanity checks before attempting signature of data */ - if(size < EXPECTED_VBFIRMWAREPREAMBLEHEADER2_0_SIZE) { - VBDEBUG(("Not enough data for preamble header 2.0.\n")); - return VBOOT_PREAMBLE_INVALID; - } - if (preamble->header_version_major != - FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR) { - VBDEBUG(("Incompatible firmware preamble header version.\n")); - return VBOOT_PREAMBLE_INVALID; - } - if (size < preamble->preamble_size) { - VBDEBUG(("Not enough data for preamble.\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Check signature */ - if (VerifySignatureInside(preamble, preamble->preamble_size, sig)) { - VBDEBUG(("Preamble signature off end of preamble\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Make sure advertised signature data sizes are sane. */ - if (preamble->preamble_size < sig->data_size) { - VBDEBUG(("Signature calculated past end of the block\n")); - return VBOOT_PREAMBLE_INVALID; - } - - if (VerifyData((const uint8_t*)preamble, size, sig, key)) { - VBDEBUG(("Preamble signature validation failed\n")); - return VBOOT_PREAMBLE_SIGNATURE; - } - - /* Verify we signed enough data */ - if (sig->data_size < sizeof(VbFirmwarePreambleHeader)) { - VBDEBUG(("Didn't sign enough data\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Verify body signature is inside the signed data */ - if (VerifySignatureInside(preamble, sig->data_size, - &preamble->body_signature)) { - VBDEBUG(("Firmware body signature off end of preamble\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Verify kernel subkey is inside the signed data */ - if (VerifyPublicKeyInside(preamble, sig->data_size, - &preamble->kernel_subkey)) { - VBDEBUG(("Kernel subkey off end of preamble\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* If the preamble header version is at least 2.1, verify we have - * space for the added fields from 2.1. */ - if (preamble->header_version_minor >= 1) { - if(size < EXPECTED_VBFIRMWAREPREAMBLEHEADER2_1_SIZE) { - VBDEBUG(("Not enough data for preamble header 2.1.\n")); - return VBOOT_PREAMBLE_INVALID; - } - } - - /* Success */ - return VBOOT_SUCCESS; +int VerifyFirmwarePreamble(const VbFirmwarePreambleHeader *preamble, + uint64_t size, const RSAPublicKey *key) +{ + const VbSignature *sig = &preamble->preamble_signature; + + /* Sanity checks before attempting signature of data */ + if(size < EXPECTED_VBFIRMWAREPREAMBLEHEADER2_0_SIZE) { + VBDEBUG(("Not enough data for preamble header 2.0.\n")); + return VBOOT_PREAMBLE_INVALID; + } + if (preamble->header_version_major != + FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR) { + VBDEBUG(("Incompatible firmware preamble header version.\n")); + return VBOOT_PREAMBLE_INVALID; + } + if (size < preamble->preamble_size) { + VBDEBUG(("Not enough data for preamble.\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Check signature */ + if (VerifySignatureInside(preamble, preamble->preamble_size, sig)) { + VBDEBUG(("Preamble signature off end of preamble\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Make sure advertised signature data sizes are sane. */ + if (preamble->preamble_size < sig->data_size) { + VBDEBUG(("Signature calculated past end of the block\n")); + return VBOOT_PREAMBLE_INVALID; + } + + if (VerifyData((const uint8_t *)preamble, size, sig, key)) { + VBDEBUG(("Preamble signature validation failed\n")); + return VBOOT_PREAMBLE_SIGNATURE; + } + + /* Verify we signed enough data */ + if (sig->data_size < sizeof(VbFirmwarePreambleHeader)) { + VBDEBUG(("Didn't sign enough data\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Verify body signature is inside the signed data */ + if (VerifySignatureInside(preamble, sig->data_size, + &preamble->body_signature)) { + VBDEBUG(("Firmware body signature off end of preamble\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Verify kernel subkey is inside the signed data */ + if (VerifyPublicKeyInside(preamble, sig->data_size, + &preamble->kernel_subkey)) { + VBDEBUG(("Kernel subkey off end of preamble\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* + * If the preamble header version is at least 2.1, verify we have space + * for the added fields from 2.1. + */ + if (preamble->header_version_minor >= 1) { + if(size < EXPECTED_VBFIRMWAREPREAMBLEHEADER2_1_SIZE) { + VBDEBUG(("Not enough data for preamble header 2.1.\n")); + return VBOOT_PREAMBLE_INVALID; + } + } + + /* Success */ + return VBOOT_SUCCESS; } - -uint32_t VbGetFirmwarePreambleFlags(const VbFirmwarePreambleHeader* preamble) { - if (preamble->header_version_minor < 1) { - /* Old structure; return default flags. (Note that we don't need - * to check header_version_major; if that's not 2 then - * VerifyFirmwarePreamble() would have already failed. */ - return 0; - } - - return preamble->flags; +uint32_t VbGetFirmwarePreambleFlags(const VbFirmwarePreambleHeader *preamble) +{ + if (preamble->header_version_minor < 1) { + /* + * Old structure; return default flags. (Note that we don't + * need to check header_version_major; if that's not 2 then + * VerifyFirmwarePreamble() would have already failed. + */ + return 0; + } + + return preamble->flags; } - -int VerifyKernelPreamble(const VbKernelPreambleHeader* preamble, - uint64_t size, const RSAPublicKey* key) { - - const VbSignature* sig = &preamble->preamble_signature; - - /* Sanity checks before attempting signature of data */ - if(size < sizeof(VbKernelPreambleHeader)) { - VBDEBUG(("Not enough data for preamble header.\n")); - return VBOOT_PREAMBLE_INVALID; - } - if (preamble->header_version_major != KERNEL_PREAMBLE_HEADER_VERSION_MAJOR) { - VBDEBUG(("Incompatible kernel preamble header version.\n")); - return VBOOT_PREAMBLE_INVALID; - } - if (size < preamble->preamble_size) { - VBDEBUG(("Not enough data for preamble.\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Check signature */ - if (VerifySignatureInside(preamble, preamble->preamble_size, sig)) { - VBDEBUG(("Preamble signature off end of preamble\n")); - return VBOOT_PREAMBLE_INVALID; - } - if (VerifyData((const uint8_t*)preamble, size, sig, key)) { - VBDEBUG(("Preamble signature validation failed\n")); - return VBOOT_PREAMBLE_SIGNATURE; - } - - /* Verify we signed enough data */ - if (sig->data_size < sizeof(VbKernelPreambleHeader)) { - VBDEBUG(("Didn't sign enough data\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Verify body signature is inside the signed data */ - if (VerifySignatureInside(preamble, sig->data_size, - &preamble->body_signature)) { - VBDEBUG(("Kernel body signature off end of preamble\n")); - return VBOOT_PREAMBLE_INVALID; - } - - /* Success */ - return VBOOT_SUCCESS; +int VerifyKernelPreamble(const VbKernelPreambleHeader *preamble, + uint64_t size, const RSAPublicKey *key) +{ + const VbSignature *sig = &preamble->preamble_signature; + + /* Sanity checks before attempting signature of data */ + if(size < sizeof(VbKernelPreambleHeader)) { + VBDEBUG(("Not enough data for preamble header.\n")); + return VBOOT_PREAMBLE_INVALID; + } + if (preamble->header_version_major != + KERNEL_PREAMBLE_HEADER_VERSION_MAJOR) { + VBDEBUG(("Incompatible kernel preamble header version.\n")); + return VBOOT_PREAMBLE_INVALID; + } + if (size < preamble->preamble_size) { + VBDEBUG(("Not enough data for preamble.\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Check signature */ + if (VerifySignatureInside(preamble, preamble->preamble_size, sig)) { + VBDEBUG(("Preamble signature off end of preamble\n")); + return VBOOT_PREAMBLE_INVALID; + } + if (VerifyData((const uint8_t *)preamble, size, sig, key)) { + VBDEBUG(("Preamble signature validation failed\n")); + return VBOOT_PREAMBLE_SIGNATURE; + } + + /* Verify we signed enough data */ + if (sig->data_size < sizeof(VbKernelPreambleHeader)) { + VBDEBUG(("Didn't sign enough data\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Verify body signature is inside the signed data */ + if (VerifySignatureInside(preamble, sig->data_size, + &preamble->body_signature)) { + VBDEBUG(("Kernel body signature off end of preamble\n")); + return VBOOT_PREAMBLE_INVALID; + } + + /* Success */ + return VBOOT_SUCCESS; } - -int VbSharedDataInit(VbSharedDataHeader* header, uint64_t size) { - - VBDEBUG(("VbSharedDataInit, %d bytes, header %d bytes\n", (int)size, - sizeof(VbSharedDataHeader))); - - if (size < sizeof(VbSharedDataHeader)) { - VBDEBUG(("Not enough data for header.\n")); - return VBOOT_SHARED_DATA_INVALID; - } - if (size < VB_SHARED_DATA_MIN_SIZE) { - VBDEBUG(("Shared data buffer too small.\n")); - return VBOOT_SHARED_DATA_INVALID; - } - - if (!header) - return VBOOT_SHARED_DATA_INVALID; - - /* Zero the header */ - Memset(header, 0, sizeof(VbSharedDataHeader)); - - /* Initialize fields */ - header->magic = VB_SHARED_DATA_MAGIC; - header->struct_version = VB_SHARED_DATA_VERSION; - header->struct_size = sizeof(VbSharedDataHeader); - header->data_size = size; - header->data_used = sizeof(VbSharedDataHeader); - header->firmware_index = 0xFF; - - /* Success */ - return VBOOT_SUCCESS; +int VbSharedDataInit(VbSharedDataHeader *header, uint64_t size) +{ + VBDEBUG(("VbSharedDataInit, %d bytes, header %d bytes\n", (int)size, + sizeof(VbSharedDataHeader))); + + if (size < sizeof(VbSharedDataHeader)) { + VBDEBUG(("Not enough data for header.\n")); + return VBOOT_SHARED_DATA_INVALID; + } + if (size < VB_SHARED_DATA_MIN_SIZE) { + VBDEBUG(("Shared data buffer too small.\n")); + return VBOOT_SHARED_DATA_INVALID; + } + + if (!header) + return VBOOT_SHARED_DATA_INVALID; + + /* Zero the header */ + Memset(header, 0, sizeof(VbSharedDataHeader)); + + /* Initialize fields */ + header->magic = VB_SHARED_DATA_MAGIC; + header->struct_version = VB_SHARED_DATA_VERSION; + header->struct_size = sizeof(VbSharedDataHeader); + header->data_size = size; + header->data_used = sizeof(VbSharedDataHeader); + header->firmware_index = 0xFF; + + /* Success */ + return VBOOT_SUCCESS; } +uint64_t VbSharedDataReserve(VbSharedDataHeader *header, uint64_t size) +{ + uint64_t offs = header->data_used; -uint64_t VbSharedDataReserve(VbSharedDataHeader* header, uint64_t size) { - uint64_t offs = header->data_used; - - VBDEBUG(("VbSharedDataReserve %d bytes at %d\n", (int)size, (int)offs)); + VBDEBUG(("VbSharedDataReserve %d bytes at %d\n", (int)size, (int)offs)); - if (!header || size > header->data_size - header->data_used) { - VBDEBUG(("VbSharedData buffer out of space.\n")); - return 0; /* Not initialized, or not enough space left. */ - } - header->data_used += size; - return offs; + if (!header || size > header->data_size - header->data_used) { + VBDEBUG(("VbSharedData buffer out of space.\n")); + return 0; /* Not initialized, or not enough space left. */ + } + header->data_used += size; + return offs; } +int VbSharedDataSetKernelKey(VbSharedDataHeader *header, const VbPublicKey *src) +{ + VbPublicKey *kdest = &header->kernel_subkey; -int VbSharedDataSetKernelKey(VbSharedDataHeader* header, - const VbPublicKey* src) { - - VbPublicKey *kdest = &header->kernel_subkey; - - if (!header) - return VBOOT_SHARED_DATA_INVALID; + if (!header) + return VBOOT_SHARED_DATA_INVALID; - /* Attempt to allocate space for the key, if it hasn't been allocated yet */ - if (!header->kernel_subkey_data_offset) { - header->kernel_subkey_data_offset = VbSharedDataReserve(header, - src->key_size); - if (!header->kernel_subkey_data_offset) - return VBOOT_SHARED_DATA_INVALID; - header->kernel_subkey_data_size = src->key_size; - } + /* Attempt to allocate space for key, if it hasn't been allocated yet */ + if (!header->kernel_subkey_data_offset) { + header->kernel_subkey_data_offset = + VbSharedDataReserve(header, src->key_size); + if (!header->kernel_subkey_data_offset) + return VBOOT_SHARED_DATA_INVALID; + header->kernel_subkey_data_size = src->key_size; + } - /* Copy the kernel sign key blob into the destination buffer */ - PublicKeyInit(kdest, (uint8_t*)header + header->kernel_subkey_data_offset, - header->kernel_subkey_data_size); + /* Copy the kernel sign key blob into the destination buffer */ + PublicKeyInit(kdest, + (uint8_t *)header + header->kernel_subkey_data_offset, + header->kernel_subkey_data_size); - return PublicKeyCopy(kdest, src); + return PublicKeyCopy(kdest, src); } diff --git a/host/include/host_common.h b/host/include/host_common.h index 6fa8b3e3..40ce212a 100644 --- a/host/include/host_common.h +++ b/host/include/host_common.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2010 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * @@ -8,8 +8,10 @@ #ifndef VBOOT_REFERENCE_HOST_COMMON_H_ #define VBOOT_REFERENCE_HOST_COMMON_H_ -/* Host is allowed direct use of stdlib funcs such as malloc() and free(), - * since it's using the stub implementation from firmware/lib/stub. */ +/* + * Host is allowed direct use of stdlib funcs such as malloc() and free(), + * since it's using the stub implementation from firmware/lib/stub. + */ #define _STUB_IMPLEMENTATION_ #include "cryptolib.h" @@ -21,42 +23,34 @@ #include "vboot_api.h" #include "vboot_struct.h" - -/* Creates an EC preamble, signed with [signing_key]. - * Caller owns the returned pointer, and must free it with Free(). +/** + * Create a firmware preamble, signed with [signing_key]. * - * Returns NULL if error. */ -VbECPreambleHeader* CreateECPreamble( - uint64_t firmware_version, - const VbSignature* body_signature, - const VbPrivateKey* signing_key, - uint32_t flags, - const char* name); - - -/* Creates a firmware preamble, signed with [signing_key]. * Caller owns the returned pointer, and must free it with Free(). * - * Returns NULL if error. */ -VbFirmwarePreambleHeader* CreateFirmwarePreamble( - uint64_t firmware_version, - const VbPublicKey* kernel_subkey, - const VbSignature* body_signature, - const VbPrivateKey* signing_key, - uint32_t flags); - - -/* Creates a kernel preamble, signed with [signing_key]. + * Returns NULL if error. + */ +VbFirmwarePreambleHeader *CreateFirmwarePreamble( + uint64_t firmware_version, + const VbPublicKey *kernel_subkey, + const VbSignature *body_signature, + const VbPrivateKey *signing_key, + uint32_t flags); + +/** + * Create a kernel preamble, signed with [signing_key]. + * * Caller owns the returned pointer, and must free it with Free(). * - * Returns NULL if error. */ -VbKernelPreambleHeader* CreateKernelPreamble( - uint64_t kernel_version, - uint64_t body_load_address, - uint64_t bootloader_address, - uint64_t bootloader_size, - const VbSignature* body_signature, - uint64_t desired_size, - const VbPrivateKey* signing_key); + * Returns NULL if error. + */ +VbKernelPreambleHeader *CreateKernelPreamble( + uint64_t kernel_version, + uint64_t body_load_address, + uint64_t bootloader_address, + uint64_t bootloader_size, + const VbSignature *body_signature, + uint64_t desired_size, + const VbPrivateKey *signing_key); #endif /* VBOOT_REFERENCE_HOST_COMMON_H_ */ diff --git a/host/lib/host_common.c b/host/lib/host_common.c index 3aceddd6..9f6121de 100644 --- a/host/lib/host_common.c +++ b/host/lib/host_common.c @@ -1,179 +1,127 @@ -/* Copyright (c) 2011 The Chromium OS Authors. All rights reserved. +/* Copyright (c) 2013 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. * * Host functions for verified boot. + * + * TODO: change all 'return 0', 'return 1' into meaningful return codes. */ -/* TODO: change all 'return 0', 'return 1' into meaningful return codes */ #include <string.h> #include "host_common.h" - #include "cryptolib.h" #include "utility.h" #include "vboot_common.h" -VbECPreambleHeader* CreateECPreamble( - uint64_t firmware_version, - const VbSignature* body_digest, - const VbPrivateKey* signing_key, - uint32_t flags, - const char* name) { - - VbECPreambleHeader* h; - uint64_t signed_size = (sizeof(VbECPreambleHeader) + body_digest->sig_size); - uint64_t block_size = signed_size + siglen_map[signing_key->algorithm]; - uint8_t* body_digest_dest; - uint8_t* block_sig_dest; - VbSignature *sigtmp; - - /* Allocate key block */ - h = (VbECPreambleHeader*)malloc(block_size); - if (!h) - return NULL; - Memset(h, 0, block_size); - body_digest_dest = (uint8_t*)(h + 1); - block_sig_dest = body_digest_dest + body_digest->sig_size; - - h->header_version_major = EC_PREAMBLE_HEADER_VERSION_MAJOR; - h->header_version_minor = EC_PREAMBLE_HEADER_VERSION_MINOR; - h->preamble_size = block_size; - h->firmware_version = firmware_version; - h->flags = flags; - if (name) - strncpy(h->name, name, sizeof(h->name)); - - /* Copy body hash */ - SignatureInit(&h->body_digest, body_digest_dest, - body_digest->sig_size, 0); - SignatureCopy(&h->body_digest, body_digest); - - /* Set up signature struct so we can calculate the signature */ - SignatureInit(&h->preamble_signature, block_sig_dest, - siglen_map[signing_key->algorithm], signed_size); - - /* Calculate signature */ - sigtmp = CalculateSignature((uint8_t*)h, signed_size, signing_key); - SignatureCopy(&h->preamble_signature, sigtmp); - free(sigtmp); - - /* Return the header */ - return h; -} - -VbFirmwarePreambleHeader* CreateFirmwarePreamble( - uint64_t firmware_version, - const VbPublicKey* kernel_subkey, - const VbSignature* body_signature, - const VbPrivateKey* signing_key, - uint32_t flags) { - - VbFirmwarePreambleHeader* h; - uint64_t signed_size = (sizeof(VbFirmwarePreambleHeader) + - kernel_subkey->key_size + - body_signature->sig_size); - uint64_t block_size = signed_size + siglen_map[signing_key->algorithm]; - uint8_t* kernel_subkey_dest; - uint8_t* body_sig_dest; - uint8_t* block_sig_dest; - VbSignature *sigtmp; - - /* Allocate key block */ - h = (VbFirmwarePreambleHeader*)malloc(block_size); - if (!h) - return NULL; - Memset(h, 0, block_size); - kernel_subkey_dest = (uint8_t*)(h + 1); - body_sig_dest = kernel_subkey_dest + kernel_subkey->key_size; - block_sig_dest = body_sig_dest + body_signature->sig_size; - - h->header_version_major = FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR; - h->header_version_minor = FIRMWARE_PREAMBLE_HEADER_VERSION_MINOR; - h->preamble_size = block_size; - h->firmware_version = firmware_version; - h->flags = flags; - - /* Copy data key */ - PublicKeyInit(&h->kernel_subkey, kernel_subkey_dest, - kernel_subkey->key_size); - PublicKeyCopy(&h->kernel_subkey, kernel_subkey); - - /* Copy body signature */ - SignatureInit(&h->body_signature, body_sig_dest, - body_signature->sig_size, 0); - SignatureCopy(&h->body_signature, body_signature); - - /* Set up signature struct so we can calculate the signature */ - SignatureInit(&h->preamble_signature, block_sig_dest, - siglen_map[signing_key->algorithm], signed_size); - - /* Calculate signature */ - sigtmp = CalculateSignature((uint8_t*)h, signed_size, signing_key); - SignatureCopy(&h->preamble_signature, sigtmp); - free(sigtmp); - - /* Return the header */ - return h; +VbFirmwarePreambleHeader *CreateFirmwarePreamble( + uint64_t firmware_version, + const VbPublicKey *kernel_subkey, + const VbSignature *body_signature, + const VbPrivateKey *signing_key, + uint32_t flags) +{ + VbFirmwarePreambleHeader *h; + uint64_t signed_size = (sizeof(VbFirmwarePreambleHeader) + + kernel_subkey->key_size + + body_signature->sig_size); + uint64_t block_size = signed_size + siglen_map[signing_key->algorithm]; + uint8_t *kernel_subkey_dest; + uint8_t *body_sig_dest; + uint8_t *block_sig_dest; + VbSignature *sigtmp; + + /* Allocate key block */ + h = (VbFirmwarePreambleHeader *)malloc(block_size); + if (!h) + return NULL; + + Memset(h, 0, block_size); + kernel_subkey_dest = (uint8_t *)(h + 1); + body_sig_dest = kernel_subkey_dest + kernel_subkey->key_size; + block_sig_dest = body_sig_dest + body_signature->sig_size; + + h->header_version_major = FIRMWARE_PREAMBLE_HEADER_VERSION_MAJOR; + h->header_version_minor = FIRMWARE_PREAMBLE_HEADER_VERSION_MINOR; + h->preamble_size = block_size; + h->firmware_version = firmware_version; + h->flags = flags; + + /* Copy data key */ + PublicKeyInit(&h->kernel_subkey, kernel_subkey_dest, + kernel_subkey->key_size); + PublicKeyCopy(&h->kernel_subkey, kernel_subkey); + + /* Copy body signature */ + SignatureInit(&h->body_signature, body_sig_dest, + body_signature->sig_size, 0); + SignatureCopy(&h->body_signature, body_signature); + + /* Set up signature struct so we can calculate the signature */ + SignatureInit(&h->preamble_signature, block_sig_dest, + siglen_map[signing_key->algorithm], signed_size); + + /* Calculate signature */ + sigtmp = CalculateSignature((uint8_t *)h, signed_size, signing_key); + SignatureCopy(&h->preamble_signature, sigtmp); + free(sigtmp); + + /* Return the header */ + return h; } - -/* Creates a kernel preamble, signed with [signing_key]. - * Caller owns the returned pointer, and must free it with free(). - * - * Returns NULL if error. */ -VbKernelPreambleHeader* CreateKernelPreamble( - uint64_t kernel_version, - uint64_t body_load_address, - uint64_t bootloader_address, - uint64_t bootloader_size, - const VbSignature* body_signature, - uint64_t desired_size, - const VbPrivateKey* signing_key) { - - VbKernelPreambleHeader* h; - uint64_t signed_size = (sizeof(VbKernelPreambleHeader) + - body_signature->sig_size); - uint64_t block_size = signed_size + siglen_map[signing_key->algorithm]; - uint8_t* body_sig_dest; - uint8_t* block_sig_dest; - VbSignature *sigtmp; - - /* If the block size is smaller than the desired size, pad it */ - if (block_size < desired_size) - block_size = desired_size; - - /* Allocate key block */ - h = (VbKernelPreambleHeader*)malloc(block_size); - Memset(h, 0, block_size); - - if (!h) - return NULL; - body_sig_dest = (uint8_t*)(h + 1); - block_sig_dest = body_sig_dest + body_signature->sig_size; - - h->header_version_major = KERNEL_PREAMBLE_HEADER_VERSION_MAJOR; - h->header_version_minor = KERNEL_PREAMBLE_HEADER_VERSION_MINOR; - h->preamble_size = block_size; - h->kernel_version = kernel_version; - h->body_load_address = body_load_address; - h->bootloader_address = bootloader_address; - h->bootloader_size = bootloader_size; - - /* Copy body signature */ - SignatureInit(&h->body_signature, body_sig_dest, - body_signature->sig_size, 0); - SignatureCopy(&h->body_signature, body_signature); - - /* Set up signature struct so we can calculate the signature */ - SignatureInit(&h->preamble_signature, block_sig_dest, - siglen_map[signing_key->algorithm], signed_size); - - /* Calculate signature */ - sigtmp = CalculateSignature((uint8_t*)h, signed_size, signing_key); - SignatureCopy(&h->preamble_signature, sigtmp); - free(sigtmp); - - /* Return the header */ - return h; +VbKernelPreambleHeader *CreateKernelPreamble( + uint64_t kernel_version, + uint64_t body_load_address, + uint64_t bootloader_address, + uint64_t bootloader_size, + const VbSignature *body_signature, + uint64_t desired_size, + const VbPrivateKey *signing_key) +{ + VbKernelPreambleHeader *h; + uint64_t signed_size = (sizeof(VbKernelPreambleHeader) + + body_signature->sig_size); + uint64_t block_size = signed_size + siglen_map[signing_key->algorithm]; + uint8_t *body_sig_dest; + uint8_t *block_sig_dest; + VbSignature *sigtmp; + + /* If the block size is smaller than the desired size, pad it */ + if (block_size < desired_size) + block_size = desired_size; + + /* Allocate key block */ + h = (VbKernelPreambleHeader *)malloc(block_size); + if (!h) + return NULL; + + Memset(h, 0, block_size); + body_sig_dest = (uint8_t *)(h + 1); + block_sig_dest = body_sig_dest + body_signature->sig_size; + + h->header_version_major = KERNEL_PREAMBLE_HEADER_VERSION_MAJOR; + h->header_version_minor = KERNEL_PREAMBLE_HEADER_VERSION_MINOR; + h->preamble_size = block_size; + h->kernel_version = kernel_version; + h->body_load_address = body_load_address; + h->bootloader_address = bootloader_address; + h->bootloader_size = bootloader_size; + + /* Copy body signature */ + SignatureInit(&h->body_signature, body_sig_dest, + body_signature->sig_size, 0); + SignatureCopy(&h->body_signature, body_signature); + + /* Set up signature struct so we can calculate the signature */ + SignatureInit(&h->preamble_signature, block_sig_dest, + siglen_map[signing_key->algorithm], signed_size); + + /* Calculate signature */ + sigtmp = CalculateSignature((uint8_t *)h, signed_size, signing_key); + SignatureCopy(&h->preamble_signature, sigtmp); + free(sigtmp); + + /* Return the header */ + return h; } diff --git a/tests/vboot_common2_tests.c b/tests/vboot_common2_tests.c index f2ed5260..b154e50b 100644 --- a/tests/vboot_common2_tests.c +++ b/tests/vboot_common2_tests.c @@ -96,6 +96,9 @@ static void VerifyDigestTest(const VbPublicKey *public_key, GetSignatureData(sig)[0] ^= 0x5A; TEST_EQ(VerifyDigest(digest, sig, rsa), 1, "VerifyDigest() wrong sig"); + sig->sig_size = 1; + TEST_EQ(VerifyDigest(digest, sig, rsa), 1, "VerifyDigest() sig size"); + RSAPublicKeyFree(rsa); free(sig); free(digest); @@ -135,6 +138,8 @@ static void VerifyKernelPreambleTest(const VbPublicKey *public_key, "VerifyKernelPreamble() ok using key"); TEST_NEQ(VerifyKernelPreamble(hdr, hsize - 1, rsa), 0, "VerifyKernelPreamble() size--"); + TEST_NEQ(VerifyKernelPreamble(hdr, 4, rsa), 0, + "VerifyKernelPreamble() size tiny"); TEST_EQ(VerifyKernelPreamble(hdr, hsize + 1, rsa), 0, "VerifyKernelPreamble() size++"); diff --git a/tests/vboot_common3_tests.c b/tests/vboot_common3_tests.c index ce818a4c..c4f81cd3 100644 --- a/tests/vboot_common3_tests.c +++ b/tests/vboot_common3_tests.c @@ -16,255 +16,273 @@ #include "vboot_common.h" -static void ReChecksumKeyBlock(VbKeyBlockHeader *h) { - uint8_t* newchk = DigestBuf((const uint8_t*)h, - h->key_block_checksum.data_size, - SHA512_DIGEST_ALGORITHM); - Memcpy(GetSignatureData(&h->key_block_checksum), newchk, SHA512_DIGEST_SIZE); - free(newchk); +static void ReChecksumKeyBlock(VbKeyBlockHeader *h) +{ + uint8_t *newchk = DigestBuf((const uint8_t *)h, + h->key_block_checksum.data_size, + SHA512_DIGEST_ALGORITHM); + Memcpy(GetSignatureData(&h->key_block_checksum), newchk, + SHA512_DIGEST_SIZE); + free(newchk); } - -static void KeyBlockVerifyTest(const VbPublicKey* public_key, - const VbPrivateKey* private_key, - const VbPublicKey* data_key) { - - VbKeyBlockHeader *hdr; - VbKeyBlockHeader *h; - unsigned hsize; - - hdr = KeyBlockCreate(data_key, private_key, 0x1234); - TEST_NEQ((size_t)hdr, 0, "KeyBlockVerify() prerequisites"); - if (!hdr) - return; - hsize = (unsigned) hdr->key_block_size; - h = (VbKeyBlockHeader*)malloc(hsize + 1024); - - TEST_EQ(KeyBlockVerify(hdr, hsize, NULL, 1), 0, - "KeyBlockVerify() ok using checksum"); - TEST_EQ(KeyBlockVerify(hdr, hsize, public_key, 0), 0, - "KeyBlockVerify() ok using key"); - TEST_NEQ(KeyBlockVerify(hdr, hsize, NULL, 0), 0, - "KeyBlockVerify() missing key"); - - TEST_NEQ(KeyBlockVerify(hdr, hsize - 1, NULL, 1), 0, - "KeyBlockVerify() size--"); - TEST_EQ(KeyBlockVerify(hdr, hsize + 1, NULL, 1), 0, - "KeyBlockVerify() size++"); - - Memcpy(h, hdr, hsize); - h->magic[0] &= 0x12; - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, "KeyBlockVerify() magic"); - - /* Care about major version but not minor */ - Memcpy(h, hdr, hsize); - h->header_version_major++; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, "KeyBlockVerify() major++"); - - Memcpy(h, hdr, hsize); - h->header_version_major--; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, "KeyBlockVerify() major--"); - - Memcpy(h, hdr, hsize); - h->header_version_minor++; - ReChecksumKeyBlock(h); - TEST_EQ(KeyBlockVerify(h, hsize, NULL, 1), 0, "KeyBlockVerify() minor++"); - - Memcpy(h, hdr, hsize); - h->header_version_minor--; - ReChecksumKeyBlock(h); - TEST_EQ(KeyBlockVerify(h, hsize, NULL, 1), 0, "KeyBlockVerify() minor--"); - - /* Check hash */ - Memcpy(h, hdr, hsize); - h->key_block_checksum.sig_offset = hsize; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, - "KeyBlockVerify() checksum off end"); - - Memcpy(h, hdr, hsize); - h->key_block_checksum.sig_size /= 2; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, - "KeyBlockVerify() checksum too small"); - - Memcpy(h, hdr, hsize); - GetPublicKeyData(&h->data_key)[0] ^= 0x34; - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, - "KeyBlockVerify() checksum mismatch"); - - /* Check signature */ - Memcpy(h, hdr, hsize); - h->key_block_signature.sig_offset = hsize; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, - "KeyBlockVerify() sig off end"); - - Memcpy(h, hdr, hsize); - h->key_block_signature.sig_size--; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, - "KeyBlockVerify() sig too small"); - - Memcpy(h, hdr, hsize); - GetPublicKeyData(&h->data_key)[0] ^= 0x34; - TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, - "KeyBlockVerify() sig mismatch"); - - /* Check that we signed header and data key */ - Memcpy(h, hdr, hsize); - h->key_block_checksum.data_size = 4; - h->data_key.key_offset = 0; - h->data_key.key_size = 0; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, - "KeyBlockVerify() didn't sign header"); - - Memcpy(h, hdr, hsize); - h->data_key.key_offset = hsize; - ReChecksumKeyBlock(h); - TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, - "KeyBlockVerify() data key off end"); - - /* TODO: verify parser can support a bigger header (i.e., one where - * data_key.key_offset is bigger than expected). */ - - free(h); - free(hdr); +static void KeyBlockVerifyTest(const VbPublicKey *public_key, + const VbPrivateKey *private_key, + const VbPublicKey *data_key) +{ + VbKeyBlockHeader *hdr; + VbKeyBlockHeader *h; + unsigned hsize; + + hdr = KeyBlockCreate(data_key, private_key, 0x1234); + TEST_NEQ((size_t)hdr, 0, "KeyBlockVerify() prerequisites"); + if (!hdr) + return; + hsize = (unsigned) hdr->key_block_size; + h = (VbKeyBlockHeader *)malloc(hsize + 1024); + + TEST_EQ(KeyBlockVerify(hdr, hsize, NULL, 1), 0, + "KeyBlockVerify() ok using checksum"); + TEST_EQ(KeyBlockVerify(hdr, hsize, public_key, 0), 0, + "KeyBlockVerify() ok using key"); + TEST_NEQ(KeyBlockVerify(hdr, hsize, NULL, 0), 0, + "KeyBlockVerify() missing key"); + + TEST_NEQ(KeyBlockVerify(hdr, hsize - 1, NULL, 1), 0, + "KeyBlockVerify() size--"); + TEST_EQ(KeyBlockVerify(hdr, hsize + 1, NULL, 1), 0, + "KeyBlockVerify() size++"); + + Memcpy(h, hdr, hsize); + h->magic[0] &= 0x12; + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() magic"); + + /* Care about major version but not minor */ + Memcpy(h, hdr, hsize); + h->header_version_major++; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() major++"); + + Memcpy(h, hdr, hsize); + h->header_version_major--; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() major--"); + + Memcpy(h, hdr, hsize); + h->header_version_minor++; + ReChecksumKeyBlock(h); + TEST_EQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() minor++"); + + Memcpy(h, hdr, hsize); + h->header_version_minor--; + ReChecksumKeyBlock(h); + TEST_EQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() minor--"); + + /* Check hash */ + Memcpy(h, hdr, hsize); + h->key_block_checksum.sig_offset = hsize; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() checksum off end"); + + Memcpy(h, hdr, hsize); + h->key_block_checksum.sig_size /= 2; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() checksum too small"); + + Memcpy(h, hdr, hsize); + GetPublicKeyData(&h->data_key)[0] ^= 0x34; + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() checksum mismatch"); + + /* Check signature */ + Memcpy(h, hdr, hsize); + h->key_block_signature.sig_offset = hsize; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, + "KeyBlockVerify() sig off end"); + + Memcpy(h, hdr, hsize); + h->key_block_signature.sig_size--; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, + "KeyBlockVerify() sig too small"); + + Memcpy(h, hdr, hsize); + GetPublicKeyData(&h->data_key)[0] ^= 0x34; + TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 0), 0, + "KeyBlockVerify() sig mismatch"); + + Memcpy(h, hdr, hsize); + h->key_block_checksum.data_size = h->key_block_size + 1; + TEST_NEQ(KeyBlockVerify(h, hsize, public_key, 1), 0, + "KeyBlockVerify() checksum data past end of block"); + + /* Check that we signed header and data key */ + Memcpy(h, hdr, hsize); + h->key_block_checksum.data_size = 4; + h->data_key.key_offset = 0; + h->data_key.key_size = 0; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() didn't sign header"); + + Memcpy(h, hdr, hsize); + h->data_key.key_offset = hsize; + ReChecksumKeyBlock(h); + TEST_NEQ(KeyBlockVerify(h, hsize, NULL, 1), 0, + "KeyBlockVerify() data key off end"); + + /* Corner cases for error checking */ + TEST_NEQ(KeyBlockVerify(NULL, 4, NULL, 1), 0, + "KeyBlockVerify size too small"); + + /* + * TODO: verify parser can support a bigger header (i.e., one where + * data_key.key_offset is bigger than expected). + */ + + free(h); + free(hdr); } +static void ReSignFirmwarePreamble(VbFirmwarePreambleHeader *h, + const VbPrivateKey *key) +{ + VbSignature *sig = CalculateSignature( + (const uint8_t *)h, h->preamble_signature.data_size, key); -static void ReSignFirmwarePreamble(VbFirmwarePreambleHeader* h, - const VbPrivateKey* key) { - VbSignature *sig = CalculateSignature((const uint8_t*)h, - h->preamble_signature.data_size, key); - - SignatureCopy(&h->preamble_signature, sig); - free(sig); + SignatureCopy(&h->preamble_signature, sig); + free(sig); } - -static void VerifyFirmwarePreambleTest(const VbPublicKey* public_key, - const VbPrivateKey* private_key, - const VbPublicKey* kernel_subkey) { - - VbFirmwarePreambleHeader* hdr; - VbFirmwarePreambleHeader* h; - RSAPublicKey* rsa; - unsigned hsize; - - /* Create a dummy signature */ - VbSignature* body_sig = SignatureAlloc(56, 78); - - rsa = PublicKeyToRSA(public_key); - hdr = CreateFirmwarePreamble(0x1234, kernel_subkey, body_sig, private_key, - 0x5678); - TEST_NEQ(hdr && rsa, 0, "VerifyFirmwarePreamble() prerequisites"); - if (!hdr) - return; - hsize = (unsigned) hdr->preamble_size; - h = (VbFirmwarePreambleHeader*)malloc(hsize + 16384); - - TEST_EQ(VerifyFirmwarePreamble(hdr, hsize, rsa), 0, - "VerifyFirmwarePreamble() ok using key"); - TEST_NEQ(VerifyFirmwarePreamble(hdr, hsize - 1, rsa), 0, - "VerifyFirmwarePreamble() size--"); - TEST_EQ(VerifyFirmwarePreamble(hdr, hsize + 1, rsa), 0, - "VerifyFirmwarePreamble() size++"); - - /* Care about major version but not minor */ - Memcpy(h, hdr, hsize); - h->header_version_major++; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() major++"); - - Memcpy(h, hdr, hsize); - h->header_version_major--; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() major--"); - - Memcpy(h, hdr, hsize); - h->header_version_minor++; - ReSignFirmwarePreamble(h, private_key); - TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() minor++"); - - Memcpy(h, hdr, hsize); - h->header_version_minor--; - ReSignFirmwarePreamble(h, private_key); - TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() minor--"); - - /* Check signature */ - Memcpy(h, hdr, hsize); - h->preamble_signature.sig_offset = hsize; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() sig off end"); - - Memcpy(h, hdr, hsize); - h->preamble_signature.sig_size--; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() sig too small"); - - Memcpy(h, hdr, hsize); - GetPublicKeyData(&h->kernel_subkey)[0] ^= 0x34; - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() sig mismatch"); - - /* Check that we signed header, kernel subkey, and body sig */ - Memcpy(h, hdr, hsize); - h->preamble_signature.data_size = 4; - h->kernel_subkey.key_offset = 0; - h->kernel_subkey.key_size = 0; - h->body_signature.sig_offset = 0; - h->body_signature.sig_size = 0; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() didn't sign header"); - - Memcpy(h, hdr, hsize); - h->kernel_subkey.key_offset = hsize; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() kernel subkey off end"); - - Memcpy(h, hdr, hsize); - h->body_signature.sig_offset = hsize; - ReSignFirmwarePreamble(h, private_key); - TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, - "VerifyFirmwarePreamble() body sig off end"); - - /* Check that we return flags properly for new and old structs */ - Memcpy(h, hdr, hsize); - TEST_EQ(VbGetFirmwarePreambleFlags(h), 0x5678, - "VbGetFirmwarePreambleFlags() v2.1"); - h->header_version_minor = 0; - TEST_EQ(VbGetFirmwarePreambleFlags(h), 0, - "VbGetFirmwarePreambleFlags() v2.0"); - - /* TODO: verify with extra padding at end of header. */ - - free(h); - RSAPublicKeyFree(rsa); - free(hdr); +static void VerifyFirmwarePreambleTest(const VbPublicKey *public_key, + const VbPrivateKey *private_key, + const VbPublicKey *kernel_subkey) +{ + VbFirmwarePreambleHeader *hdr; + VbFirmwarePreambleHeader *h; + RSAPublicKey *rsa; + unsigned hsize; + + /* Create a dummy signature */ + VbSignature* body_sig = SignatureAlloc(56, 78); + + rsa = PublicKeyToRSA(public_key); + hdr = CreateFirmwarePreamble(0x1234, kernel_subkey, body_sig, + private_key, 0x5678); + TEST_NEQ(hdr && rsa, 0, "VerifyFirmwarePreamble() prerequisites"); + if (!hdr) + return; + hsize = (unsigned) hdr->preamble_size; + h = (VbFirmwarePreambleHeader *)malloc(hsize + 16384); + + TEST_EQ(VerifyFirmwarePreamble(hdr, hsize, rsa), 0, + "VerifyFirmwarePreamble() ok using key"); + TEST_NEQ(VerifyFirmwarePreamble(hdr, 4, rsa), 0, + "VerifyFirmwarePreamble() size tiny"); + TEST_NEQ(VerifyFirmwarePreamble(hdr, hsize - 1, rsa), 0, + "VerifyFirmwarePreamble() size--"); + TEST_EQ(VerifyFirmwarePreamble(hdr, hsize + 1, rsa), 0, + "VerifyFirmwarePreamble() size++"); + + /* Care about major version but not minor */ + Memcpy(h, hdr, hsize); + h->header_version_major++; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() major++"); + + Memcpy(h, hdr, hsize); + h->header_version_major--; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() major--"); + + Memcpy(h, hdr, hsize); + h->header_version_minor++; + ReSignFirmwarePreamble(h, private_key); + TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() minor++"); + + Memcpy(h, hdr, hsize); + h->header_version_minor--; + ReSignFirmwarePreamble(h, private_key); + TEST_EQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() minor--"); + + /* Check signature */ + Memcpy(h, hdr, hsize); + h->preamble_signature.sig_offset = hsize; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig off end"); + + Memcpy(h, hdr, hsize); + h->preamble_signature.sig_size--; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig too small"); + + Memcpy(h, hdr, hsize); + GetPublicKeyData(&h->kernel_subkey)[0] ^= 0x34; + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() sig mismatch"); + + /* Check that we signed header, kernel subkey, and body sig */ + Memcpy(h, hdr, hsize); + h->preamble_signature.data_size = 4; + h->kernel_subkey.key_offset = 0; + h->kernel_subkey.key_size = 0; + h->body_signature.sig_offset = 0; + h->body_signature.sig_size = 0; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() didn't sign header"); + + Memcpy(h, hdr, hsize); + h->kernel_subkey.key_offset = hsize; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() kernel subkey off end"); + + Memcpy(h, hdr, hsize); + h->body_signature.sig_offset = hsize; + ReSignFirmwarePreamble(h, private_key); + TEST_NEQ(VerifyFirmwarePreamble(h, hsize, rsa), 0, + "VerifyFirmwarePreamble() body sig off end"); + + /* Check that we return flags properly for new and old structs */ + Memcpy(h, hdr, hsize); + TEST_EQ(VbGetFirmwarePreambleFlags(h), 0x5678, + "VbGetFirmwarePreambleFlags() v2.1"); + h->header_version_minor = 0; + TEST_EQ(VbGetFirmwarePreambleFlags(h), 0, + "VbGetFirmwarePreambleFlags() v2.0"); + + /* TODO: verify with extra padding at end of header. */ + + free(h); + RSAPublicKeyFree(rsa); + free(hdr); } int test_permutation(int signing_key_algorithm, int data_key_algorithm, const char *keys_dir) { char filename[1024]; - int signing_rsa_len = siglen_map[signing_key_algorithm] * 8;; - int data_rsa_len = siglen_map[data_key_algorithm] * 8;; + int signing_rsa_len = siglen_map[signing_key_algorithm] * 8; + int data_rsa_len = siglen_map[data_key_algorithm] * 8; - VbPrivateKey* signing_private_key = NULL; - VbPublicKey* signing_public_key = NULL; - VbPublicKey* data_public_key = NULL; + VbPrivateKey *signing_private_key = NULL; + VbPublicKey *signing_public_key = NULL; + VbPublicKey *data_public_key = NULL; printf("***Testing signing algorithm: %s\n", algo_strings[signing_key_algorithm]); @@ -327,7 +345,7 @@ struct test_perm */ const struct test_perm test_perms[] = {{7, 4}, {11, 4}, {11, 7}}; -int main(int argc, char* argv[]) +int main(int argc, char *argv[]) { if (argc == 2) { /* Test only the algorithms we use */ diff --git a/tests/vboot_common_tests.c b/tests/vboot_common_tests.c index f36ec76d..73cbeb55 100644 --- a/tests/vboot_common_tests.c +++ b/tests/vboot_common_tests.c @@ -100,6 +100,15 @@ static void VerifyHelperFunctions(void) "MemberInside data before parent"); TEST_EQ(VerifyMemberInside(p, 20, p, 4, 4, 17), 1, "MemberInside data too big"); + TEST_EQ(VerifyMemberInside(p, (uint64_t)-1, + p+(uint64_t)-10, 12, 5, 0), 1, + "MemberInside wraparound 1"); + TEST_EQ(VerifyMemberInside(p, (uint64_t)-1, + p+(uint64_t)-10, 5, 12, 0), 1, + "MemberInside wraparound 2"); + TEST_EQ(VerifyMemberInside(p, (uint64_t)-1, + p+(uint64_t)-10, 5, 0, 12), 1, + "MemberInside wraparound 3"); } { @@ -214,6 +223,9 @@ static void VbSharedDataTest(void) TEST_EQ(d->lk_call_count, 0, "VbSharedDataInit lk_call_count"); TEST_EQ(d->kernel_version_lowest, 0, "VbSharedDataInit kernel_version_lowest"); + + TEST_NEQ(VBOOT_SUCCESS, VbSharedDataSetKernelKey(NULL, NULL), + "VbSharedDataSetKernelKey null"); } /* disable MSVC warnings on unused arguments */ |