diff options
Diffstat (limited to 'firmware/bdb/secrets.c')
-rw-r--r-- | firmware/bdb/secrets.c | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/firmware/bdb/secrets.c b/firmware/bdb/secrets.c new file mode 100644 index 00000000..08bca5f5 --- /dev/null +++ b/firmware/bdb/secrets.c @@ -0,0 +1,101 @@ +/* Copyright 2016 The Chromium OS Authors. All rights reserved. + * Use of this source code is governed by a BSD-style license that can be + * found in the LICENSE file. + */ + +#include "2sysincludes.h" +#include "2hmac.h" +#include "2sha.h" +#include "bdb_api.h" +#include "bdb_struct.h" +#include "bdb.h" +#include "secrets.h" + +static int get_constant(const uint8_t *buf, uint32_t buf_size, + const uint8_t *constant, uint8_t *out) +{ + int digest_size = vb2_digest_size(VB2_HASH_SHA256); + const struct bdb_key *key = (const struct bdb_key *)buf; + + if (!buf) + return !BDB_SUCCESS; + + if (bdb_check_key(key, buf_size)) + return !BDB_SUCCESS; + + if (vb2_digest_buffer(buf, buf_size, VB2_HASH_SHA256, out, digest_size)) + return !BDB_SUCCESS; + + memcpy(out + digest_size, constant, + BDB_CONSTANT_BLOCK_SIZE - digest_size); + + return BDB_SUCCESS; +} + +int vba_derive_secret(struct vba_context *ctx, enum bdb_secret_type type, + const uint8_t *buf, uint32_t buf_size) +{ + uint8_t c[BDB_CONSTANT_BLOCK_SIZE]; + const uint8_t *b = (const uint8_t *)c; + uint8_t *s; + uint8_t *o; + + switch (type) { + case BDB_SECRET_TYPE_BDB: + s = o = ctx->ro_secrets->bdb; + if (get_constant(buf, buf_size, secret_constant_q, c)) + return BDB_ERROR_SECRET_BDB; + break; + case BDB_SECRET_TYPE_BOOT_PATH: + s = o = ctx->ro_secrets->boot_path; + if (get_constant(buf, buf_size, secret_constant_l, c)) + return BDB_ERROR_SECRET_BOOT_PATH; + break; + case BDB_SECRET_TYPE_BOOT_VERIFIED: + s = o = ctx->ro_secrets->boot_verified; + if (ctx->flags & VBA_CONTEXT_FLAG_KERNEL_DATA_KEY_VERIFIED) + b = secret_constant_kv1; + else + b = secret_constant_kv0; + break; + case BDB_SECRET_TYPE_BUC: + s = ctx->ro_secrets->boot_verified; + b = secret_constant_c; + o = ctx->rw_secrets->buc; + break; + default: + return BDB_ERROR_SECRET_TYPE; + } + + vb2_sha256_extend(s, b, o); + + return BDB_SUCCESS; +} + +int vba_clear_secret(struct vba_context *ctx, enum bdb_secret_type type) +{ + uint8_t *s; + + switch (type) { + case BDB_SECRET_TYPE_NVM_RW: + s = ctx->ro_secrets->nvm_rw; + break; + case BDB_SECRET_TYPE_BDB: + s = ctx->ro_secrets->bdb; + break; + case BDB_SECRET_TYPE_BOOT_PATH: + s = ctx->ro_secrets->boot_path; + break; + case BDB_SECRET_TYPE_BOOT_VERIFIED: + s = ctx->ro_secrets->boot_verified; + break; + case BDB_SECRET_TYPE_BUC: + s = ctx->rw_secrets->buc; + break; + default: + return BDB_ERROR_SECRET_TYPE; + } + + memset(s, 0, BDB_SECRET_SIZE); + return BDB_SUCCESS; +} |