vboot/vboot_kernel: check developer key hash in separate function

Create vb2_verify_kernel_dev_key_hash to encapsulate
developer key hash checking logic.

Also correct formatting of developer key hash when printed
to console.

This CL is part of a series to merge vboot1 and vboot2.0
kernel verification code; see b/181739551.

BUG=b:181739551
TEST=make clean && make runtests
BRANCH=none

Signed-off-by: Joel Kitching <kitching@google.com>
Change-Id: I0253e1e960fb966b67b4643794585ed8355d8efb
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2825268
Tested-by: Joel Kitching <kitching@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Commit-Queue: Joel Kitching <kitching@chromium.org>

2 files changed, 50 insertions, 34 deletions

diff --git a/firmware/2lib/include/2return_codes.h b/firmware/2lib/include/2return_codes.h
index 64cfca05..4512ff8b 100644
--- a/firmware/2lib/include/2return_codes.h
+++ b/firmware/2lib/include/2return_codes.h
@@ -563,8 +563,8 @@ enum vb2_return_code {
 	 * deprecated and replaced with VB2_ERROR_KERNEL_KEYBLOCK_* */
 	VB2_ERROR_DEPRECATED_VBLOCK_KEYBLOCK,
 
-	/* Wrong developer key hash in vb2_verify_vblock() */
-	VB2_ERROR_VBLOCK_DEV_KEY_HASH,
+	/* Wrong dev key hash in vb2_verify_kernel_vblock_dev_key_hash() */
+	VB2_ERROR_KERNEL_KEYBLOCK_DEV_KEY_HASH,
 
 	/* Work buffer too small in vb2_load_partition() */
 	VB2_ERROR_LOAD_PARTITION_WORKBUF,
diff --git a/firmware/lib/vboot_kernel.c b/firmware/lib/vboot_kernel.c
index 611981ce..1de3491a 100644
--- a/firmware/lib/vboot_kernel.c
+++ b/firmware/lib/vboot_kernel.c
@@ -120,6 +120,52 @@ static uint32_t get_body_offset(uint8_t *kbuf)
 }
 
 /**
+ * Verify developer mode key hash.
+ *
+ * @param ctx		Vboot context
+ * @param keyblock	Keyblock to verify
+ * @return VB2_SUCCESS, or non-zero error code.
+ */
+static vb2_error_t vb2_verify_kernel_dev_key_hash(
+	struct vb2_context *ctx, struct vb2_keyblock *keyblock)
+{
+	struct vb2_packed_key *key = &keyblock->data_key;
+	uint8_t *buf = ((uint8_t *)key) + key->key_offset;
+	uint32_t buflen = key->key_size;
+	uint8_t digest[VB2_SHA256_DIGEST_SIZE];
+
+	VB2_DEBUG("Checking developer key hash.\n");
+	VB2_TRY(vb2_digest_buffer(buf, buflen, VB2_HASH_SHA256, digest,
+				  sizeof(digest)));
+
+	uint8_t *fwmp_dev_key_hash =
+		vb2_secdata_fwmp_get_dev_key_hash(ctx);
+	if (fwmp_dev_key_hash == NULL) {
+		VB2_DEBUG("Couldn't retrieve developer key hash.\n");
+		return VB2_ERROR_KERNEL_KEYBLOCK_DEV_KEY_HASH;
+	}
+
+	if (vb2_safe_memcmp(digest, fwmp_dev_key_hash,
+			    VB2_SHA256_DIGEST_SIZE)) {
+		int i;
+
+		VB2_DEBUG("Wrong developer key hash.\n");
+		VB2_DEBUG("Want: ");
+		for (i = 0; i < VB2_SHA256_DIGEST_SIZE; i++)
+			VB2_DEBUG_RAW("%02x ", fwmp_dev_key_hash[i]);
+		VB2_DEBUG_RAW("\n");
+		VB2_DEBUG("Got:  ");
+		for (i = 0; i < VB2_SHA256_DIGEST_SIZE; i++)
+			VB2_DEBUG_RAW("%02x ", digest[i]);
+		VB2_DEBUG_RAW("\n");
+
+		return VB2_ERROR_KERNEL_KEYBLOCK_DEV_KEY_HASH;
+	}
+
+	return VB2_SUCCESS;
+}
+
+/**
  * Verify a kernel vblock.
  *
  * @param kbuf		Buffer containing the vblock
@@ -223,40 +269,10 @@ static vb2_error_t vb2_verify_kernel_vblock(
 		}
 	}
 
-	/* If in developer mode and using key hash, check it */
+	/* If in developer mode and using key hash, check it. */
 	if (boot_mode == VB2_BOOT_MODE_DEVELOPER &&
 	    vb2_secdata_fwmp_get_flag(ctx, VB2_SECDATA_FWMP_DEV_USE_KEY_HASH)) {
-		struct vb2_packed_key *key = &keyblock->data_key;
-		uint8_t *buf = ((uint8_t *)key) + key->key_offset;
-		uint32_t buflen = key->key_size;
-		uint8_t digest[VB2_SHA256_DIGEST_SIZE];
-
-		VB2_DEBUG("Checking developer key hash.\n");
-		vb2_digest_buffer(buf, buflen, VB2_HASH_SHA256,
-				  digest, sizeof(digest));
-
-		uint8_t *fwmp_dev_key_hash =
-			vb2_secdata_fwmp_get_dev_key_hash(ctx);
-		if (fwmp_dev_key_hash == NULL) {
-			VB2_DEBUG("Couldn't retrieve developer key hash.\n");
-			return VB2_ERROR_VBLOCK_DEV_KEY_HASH;
-		}
-
-		if (0 != vb2_safe_memcmp(digest, fwmp_dev_key_hash,
-					 VB2_SHA256_DIGEST_SIZE)) {
-			int i;
-
-			VB2_DEBUG("Wrong developer key hash.\n");
-			VB2_DEBUG("Want: ");
-			for (i = 0; i < VB2_SHA256_DIGEST_SIZE; i++)
-				VB2_DEBUG("%02x", fwmp_dev_key_hash[i]);
-			VB2_DEBUG("\nGot:  ");
-			for (i = 0; i < VB2_SHA256_DIGEST_SIZE; i++)
-				VB2_DEBUG("%02x", digest[i]);
-			VB2_DEBUG("\n");
-
-			return VB2_ERROR_VBLOCK_DEV_KEY_HASH;
-		}
+		VB2_TRY(vb2_verify_kernel_dev_key_hash(ctx, keyblock));
 	}
 
 	/*