1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
/* Copyright 2016 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include "2sysincludes.h"
#include "2hmac.h"
#include "2sha.h"
#include "bdb_api.h"
#include "bdb_struct.h"
#include "bdb.h"
#include "secrets.h"
static int get_constant(const uint8_t *buf, uint32_t buf_size,
const uint8_t *constant, uint8_t *out)
{
int digest_size = vb2_digest_size(VB2_HASH_SHA256);
const struct bdb_key *key = (const struct bdb_key *)buf;
if (!buf)
return !BDB_SUCCESS;
if (bdb_check_key(key, buf_size))
return !BDB_SUCCESS;
if (vb2_digest_buffer(buf, buf_size, VB2_HASH_SHA256, out, digest_size))
return !BDB_SUCCESS;
memcpy(out + digest_size, constant,
BDB_CONSTANT_BLOCK_SIZE - digest_size);
return BDB_SUCCESS;
}
int vba_derive_secret(struct vba_context *ctx, enum bdb_secret_type type,
const uint8_t *buf, uint32_t buf_size)
{
uint8_t c[BDB_CONSTANT_BLOCK_SIZE];
const uint8_t *b = (const uint8_t *)c;
uint8_t *s;
uint8_t *o;
switch (type) {
case BDB_SECRET_TYPE_BDB:
s = o = ctx->ro_secrets->bdb;
if (get_constant(buf, buf_size, secret_constant_q, c))
return BDB_ERROR_SECRET_BDB;
break;
case BDB_SECRET_TYPE_BOOT_PATH:
s = o = ctx->ro_secrets->boot_path;
if (get_constant(buf, buf_size, secret_constant_l, c))
return BDB_ERROR_SECRET_BOOT_PATH;
break;
case BDB_SECRET_TYPE_BOOT_VERIFIED:
s = o = ctx->ro_secrets->boot_verified;
if (ctx->flags & VBA_CONTEXT_FLAG_KERNEL_DATA_KEY_VERIFIED)
b = secret_constant_kv1;
else
b = secret_constant_kv0;
break;
case BDB_SECRET_TYPE_BUC:
s = ctx->ro_secrets->boot_verified;
b = secret_constant_c;
o = ctx->rw_secrets->buc;
break;
default:
return BDB_ERROR_SECRET_TYPE;
}
vb2_sha256_extend(s, b, o);
return BDB_SUCCESS;
}
int vba_clear_secret(struct vba_context *ctx, enum bdb_secret_type type)
{
uint8_t *s;
switch (type) {
case BDB_SECRET_TYPE_NVM_RW:
s = ctx->ro_secrets->nvm_rw;
break;
case BDB_SECRET_TYPE_BDB:
s = ctx->ro_secrets->bdb;
break;
case BDB_SECRET_TYPE_BOOT_PATH:
s = ctx->ro_secrets->boot_path;
break;
case BDB_SECRET_TYPE_BOOT_VERIFIED:
s = ctx->ro_secrets->boot_verified;
break;
case BDB_SECRET_TYPE_BUC:
s = ctx->rw_secrets->buc;
break;
default:
return BDB_ERROR_SECRET_TYPE;
}
memset(s, 0, BDB_SECRET_SIZE);
return BDB_SUCCESS;
}
|
