blob: 841f183a723b3ff4b176d85267fe93dfc2e343d7 [file] [log] [blame]
Tamas Banf70ef8c2017-12-19 15:35:09 +00001/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
Oliver Swedef9982442018-08-24 18:37:44 +010020/*
21 * Original code taken from mcuboot project at:
David Vincze39e78552018-10-10 17:10:01 +020022 * https://github.com/JuulLabs-OSS/mcuboot
David Vinczecea8b592019-10-29 16:09:51 +010023 * Git SHA of the original version: 4f0ea747c314547daa6b6299ccbd77ae4dee6758
David Vincze39e78552018-10-10 17:10:01 +020024 * Modifications are Copyright (c) 2018-2019 Arm Limited.
Oliver Swedef9982442018-08-24 18:37:44 +010025 */
26
Tamas Banf70ef8c2017-12-19 15:35:09 +000027#include <assert.h>
28#include <stddef.h>
29#include <inttypes.h>
30#include <string.h>
31
Tamas Banf70ef8c2017-12-19 15:35:09 +000032#include "flash_map/flash_map.h"
33#include "bootutil/image.h"
34#include "bootutil/sha256.h"
35#include "bootutil/sign_key.h"
David Vincze060968d2019-05-23 01:13:14 +020036#include "security_cnt.h"
Tamas Banf70ef8c2017-12-19 15:35:09 +000037
David Vinczecea8b592019-10-29 16:09:51 +010038#if defined(MCUBOOT_SIGN_RSA)
Tamas Banf70ef8c2017-12-19 15:35:09 +000039#include "mbedtls/rsa.h"
40#endif
Tamas Ban581034a2017-12-19 19:54:37 +000041
Tamas Banf70ef8c2017-12-19 15:35:09 +000042#include "mbedtls/asn1.h"
43
44#include "bootutil_priv.h"
45
Tamas Ban1d37c342019-07-11 08:55:55 +010046#ifdef MCUBOOT_HW_KEY
47#include "platform/include/tfm_plat_crypto_keys.h"
48#endif
49
Tamas Banf70ef8c2017-12-19 15:35:09 +000050/*
51 * Compute SHA256 over the image.
52 */
53static int
David Vinczecea8b592019-10-29 16:09:51 +010054bootutil_img_hash(int image_index,
55 struct image_header *hdr, const struct flash_area *fap,
56 uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *hash_result,
57 uint8_t *seed, int seed_len)
Tamas Banf70ef8c2017-12-19 15:35:09 +000058{
59 bootutil_sha256_context sha256_ctx;
Tamas Banf70ef8c2017-12-19 15:35:09 +000060 uint32_t size;
Raef Coles27a61452019-09-25 15:32:25 +010061#ifndef MCUBOOT_RAM_LOADING
62 uint32_t blk_sz;
Tamas Banf70ef8c2017-12-19 15:35:09 +000063 uint32_t off;
David Vinczecea8b592019-10-29 16:09:51 +010064 int rc;
Raef Coles27a61452019-09-25 15:32:25 +010065#endif /* MCUBOOT_RAM_LOADING */
Tamas Banf70ef8c2017-12-19 15:35:09 +000066
David Vinczecea8b592019-10-29 16:09:51 +010067 (void)image_index;
68
Tamas Banf70ef8c2017-12-19 15:35:09 +000069 bootutil_sha256_init(&sha256_ctx);
70
71 /* in some cases (split image) the hash is seeded with data from
72 * the loader image */
Tamas Ban581034a2017-12-19 19:54:37 +000073 if (seed && (seed_len > 0)) {
Tamas Banf70ef8c2017-12-19 15:35:09 +000074 bootutil_sha256_update(&sha256_ctx, seed, seed_len);
75 }
76
David Vinczedb32b212019-04-16 17:43:57 +020077 /* Hash is computed over image header and image itself. */
David Vinczecea8b592019-10-29 16:09:51 +010078 size = BOOT_TLV_OFF(hdr);
David Vinczedb32b212019-04-16 17:43:57 +020079
David Vincze219a1752019-10-14 11:35:09 +020080 /* If protected TLVs are present (e.g. security counter TLV) then the
81 * TLV info header and these TLVs must be included in the hash calculation.
David Vinczedb32b212019-04-16 17:43:57 +020082 */
83 if (hdr->ih_protect_tlv_size != 0) {
84 size += hdr->ih_protect_tlv_size;
85 }
86
Raef Coles27a61452019-09-25 15:32:25 +010087#ifdef MCUBOOT_RAM_LOADING
88 bootutil_sha256_update(&sha256_ctx,(void*)(hdr->ih_load_addr), size);
89#else
Tamas Banf70ef8c2017-12-19 15:35:09 +000090 for (off = 0; off < size; off += blk_sz) {
91 blk_sz = size - off;
92 if (blk_sz > tmp_buf_sz) {
93 blk_sz = tmp_buf_sz;
94 }
David Vinczecea8b592019-10-29 16:09:51 +010095 rc = flash_area_read(fap, off, tmp_buf, blk_sz);
96 if (rc) {
97 return rc;
Tamas Banf70ef8c2017-12-19 15:35:09 +000098 }
99 bootutil_sha256_update(&sha256_ctx, tmp_buf, blk_sz);
100 }
Raef Coles27a61452019-09-25 15:32:25 +0100101#endif
Tamas Banf70ef8c2017-12-19 15:35:09 +0000102 bootutil_sha256_finish(&sha256_ctx, hash_result);
103
104 return 0;
105}
106
107/*
108 * Currently, we only support being able to verify one type of
109 * signature, because there is a single verification function that we
110 * call. List the type of TLV we are expecting. If we aren't
111 * configured for any signature, don't define this macro.
112 */
Tamas Ban81daed02019-05-20 15:05:22 +0100113
Tamas Banf70ef8c2017-12-19 15:35:09 +0000114#if defined(MCUBOOT_SIGN_RSA)
Tamas Ban81daed02019-05-20 15:05:22 +0100115# if MCUBOOT_SIGN_RSA_LEN == 2048
116# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
117# elif MCUBOOT_SIGN_RSA_LEN == 3072
118# define EXPECTED_SIG_TLV IMAGE_TLV_RSA3072_PSS
119# else
120# error "Unsupported RSA signature length"
121# endif
122# define SIG_BUF_SIZE (MCUBOOT_SIGN_RSA_LEN / 8)
123# define EXPECTED_SIG_LEN(x) ((x) == SIG_BUF_SIZE)
124#else
125# define SIG_BUF_SIZE 32 /* no signing, sha256 digest only */
Tamas Banf70ef8c2017-12-19 15:35:09 +0000126#endif
127
128#ifdef EXPECTED_SIG_TLV
Tamas Ban1d37c342019-07-11 08:55:55 +0100129#ifdef MCUBOOT_HW_KEY
130extern unsigned int pub_key_len;
131static int
David Vinczecea8b592019-10-29 16:09:51 +0100132bootutil_find_key(uint8_t image_id, uint8_t *key, uint16_t key_len)
Tamas Ban1d37c342019-07-11 08:55:55 +0100133{
134 bootutil_sha256_context sha256_ctx;
135 uint8_t hash[32];
136 uint8_t key_hash[32];
137 uint32_t key_hash_size= sizeof(key_hash);
138 enum tfm_plat_err_t plat_err;
139
140 bootutil_sha256_init(&sha256_ctx);
141 bootutil_sha256_update(&sha256_ctx, key, key_len);
142 bootutil_sha256_finish(&sha256_ctx, hash);
143
David Vinczecea8b592019-10-29 16:09:51 +0100144 plat_err = tfm_plat_get_rotpk_hash(image_id, key_hash, &key_hash_size);
Tamas Ban1d37c342019-07-11 08:55:55 +0100145 if (plat_err != TFM_PLAT_ERR_SUCCESS) {
146 return -1;
147 }
Raef Coles25b857a2019-09-05 13:59:55 +0100148 if (!boot_secure_memequal(hash, key_hash, key_hash_size)) {
Tamas Ban1d37c342019-07-11 08:55:55 +0100149 bootutil_keys[0].key = key;
150 pub_key_len = key_len;
151 return 0;
152 }
153 return -1;
154}
David Vinczecea8b592019-10-29 16:09:51 +0100155#else /* !MCUBOOT_HW_KEY */
Tamas Banf70ef8c2017-12-19 15:35:09 +0000156static int
157bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
158{
159 bootutil_sha256_context sha256_ctx;
160 int i;
161 const struct bootutil_key *key;
162 uint8_t hash[32];
163
David Vinczecea8b592019-10-29 16:09:51 +0100164 if (keyhash_len > 32) {
165 return -1;
166 }
Tamas Banf70ef8c2017-12-19 15:35:09 +0000167
168 for (i = 0; i < bootutil_key_cnt; i++) {
169 key = &bootutil_keys[i];
170 bootutil_sha256_init(&sha256_ctx);
171 bootutil_sha256_update(&sha256_ctx, key->key, *key->len);
172 bootutil_sha256_finish(&sha256_ctx, hash);
Raef Coles25b857a2019-09-05 13:59:55 +0100173 if (!boot_secure_memequal(hash, keyhash, keyhash_len)) {
Tamas Banf70ef8c2017-12-19 15:35:09 +0000174 return i;
175 }
176 }
177 return -1;
178}
179#endif
Tamas Ban1d37c342019-07-11 08:55:55 +0100180#endif
Tamas Banf70ef8c2017-12-19 15:35:09 +0000181
David Vincze060968d2019-05-23 01:13:14 +0200182/**
183 * Reads the value of an image's security counter.
184 *
185 * @param hdr Pointer to the image header structure.
186 * @param fap Pointer to a description structure of the image's
187 * flash area.
188 * @param security_cnt Pointer to store the security counter value.
189 *
190 * @return 0 on success; nonzero on failure.
191 */
192int32_t
193bootutil_get_img_security_cnt(struct image_header *hdr,
194 const struct flash_area *fap,
195 uint32_t *img_security_cnt)
196{
David Vincze060968d2019-05-23 01:13:14 +0200197 struct image_tlv tlv;
198 uint32_t off;
199 uint32_t end;
200 uint32_t found = 0;
201 int32_t rc;
202
203 if ((hdr == NULL) ||
204 (fap == NULL) ||
205 (img_security_cnt == NULL)) {
206 /* Invalid parameter. */
207 return BOOT_EBADARGS;
208 }
209
David Vincze060968d2019-05-23 01:13:14 +0200210 /* The security counter TLV is in the protected part of the TLV area. */
David Vinczec2566122019-10-25 13:18:54 +0200211 if (hdr->ih_protect_tlv_size == 0) {
212 return BOOT_EBADIMAGE;
213 }
David Vincze060968d2019-05-23 01:13:14 +0200214
David Vinczec2566122019-10-25 13:18:54 +0200215 rc = boot_find_tlv_offs(hdr, fap, &off, &end);
216 if (rc) {
217 return rc;
218 }
219
220 /* Calculate the end of the protected TLV area. */
221 end = off - sizeof(struct image_tlv_info) +
222 (uint32_t)hdr->ih_protect_tlv_size;
223
224 /* Traverse through the protected TLV area to find
225 * the security counter TLV.
226 */
227 while (off < end) {
David Vincze7673e592019-10-28 11:08:56 +0100228 rc = LOAD_IMAGE_DATA(hdr, fap, off, &tlv, sizeof(tlv));
David Vinczec2566122019-10-25 13:18:54 +0200229 if (rc != 0) {
230 return BOOT_EFLASH;
231 }
232
233 if (tlv.it_type == IMAGE_TLV_SEC_CNT) {
234
235 if (tlv.it_len != sizeof(*img_security_cnt)) {
236 /* Security counter is not valid. */
237 break;
238 }
239
David Vincze7673e592019-10-28 11:08:56 +0100240 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv),
David Vinczec2566122019-10-25 13:18:54 +0200241 img_security_cnt, tlv.it_len);
David Vincze060968d2019-05-23 01:13:14 +0200242 if (rc != 0) {
243 return BOOT_EFLASH;
244 }
245
David Vinczec2566122019-10-25 13:18:54 +0200246 /* Security counter has been found. */
247 found = 1;
248 break;
249 }
David Vincze060968d2019-05-23 01:13:14 +0200250
David Vinczec2566122019-10-25 13:18:54 +0200251 /* Avoid integer overflow. */
252 if (boot_add_uint32_overflow_check(off, (sizeof(tlv) + tlv.it_len)))
253 {
254 /* Potential overflow. */
255 break;
256 } else {
257 off += sizeof(tlv) + tlv.it_len;
David Vincze060968d2019-05-23 01:13:14 +0200258 }
259 }
260
261 if (found) {
262 return 0;
263 }
264
265 return -1;
266}
267
Tamas Banf70ef8c2017-12-19 15:35:09 +0000268/*
269 * Verify the integrity of the image.
270 * Return non-zero if image could not be validated/does not validate.
271 */
272int
David Vinczecea8b592019-10-29 16:09:51 +0100273bootutil_img_validate(int image_index,
274 struct image_header *hdr, const struct flash_area *fap,
275 uint8_t *tmp_buf, uint32_t tmp_buf_sz, uint8_t *seed,
276 int seed_len, uint8_t *out_hash)
Tamas Banf70ef8c2017-12-19 15:35:09 +0000277{
278 uint32_t off;
279 uint32_t end;
280 int sha256_valid = 0;
Tamas Banf70ef8c2017-12-19 15:35:09 +0000281#ifdef EXPECTED_SIG_TLV
282 int valid_signature = 0;
283 int key_id = -1;
Tamas Ban1d37c342019-07-11 08:55:55 +0100284#ifdef MCUBOOT_HW_KEY
285 /* Few extra bytes for encoding and for public exponent */
286 uint8_t key_buf[SIG_BUF_SIZE + 24];
287#endif
Tamas Banf70ef8c2017-12-19 15:35:09 +0000288#endif
289 struct image_tlv tlv;
Tamas Ban81daed02019-05-20 15:05:22 +0100290 uint8_t buf[SIG_BUF_SIZE];
Tamas Ban581034a2017-12-19 19:54:37 +0000291 uint8_t hash[32] = {0};
David Vincze060968d2019-05-23 01:13:14 +0200292 uint32_t security_cnt;
293 uint32_t img_security_cnt;
294 int32_t security_counter_valid = 0;
Tamas Banf70ef8c2017-12-19 15:35:09 +0000295 int rc;
296
David Vinczecea8b592019-10-29 16:09:51 +0100297 rc = bootutil_img_hash(image_index, hdr, fap, tmp_buf,
298 tmp_buf_sz, hash, seed, seed_len);
Tamas Banf70ef8c2017-12-19 15:35:09 +0000299 if (rc) {
300 return rc;
301 }
302
303 if (out_hash) {
304 memcpy(out_hash, hash, 32);
305 }
306
David Vinczecea8b592019-10-29 16:09:51 +0100307 rc = boot_find_tlv_offs(hdr, fap, &off, &end);
Tamas Banf70ef8c2017-12-19 15:35:09 +0000308 if (rc) {
309 return rc;
310 }
Tamas Banf70ef8c2017-12-19 15:35:09 +0000311
312 /*
313 * Traverse through all of the TLVs, performing any checks we know
314 * and are able to do.
315 */
David Vincze060968d2019-05-23 01:13:14 +0200316 while (off < end) {
David Vincze7673e592019-10-28 11:08:56 +0100317 rc = LOAD_IMAGE_DATA(hdr, fap, off, &tlv, sizeof(tlv));
Tamas Banf70ef8c2017-12-19 15:35:09 +0000318 if (rc) {
319 return rc;
320 }
321
322 if (tlv.it_type == IMAGE_TLV_SHA256) {
323 /*
324 * Verify the SHA256 image hash. This must always be
325 * present.
326 */
327 if (tlv.it_len != sizeof(hash)) {
328 return -1;
329 }
David Vincze7673e592019-10-28 11:08:56 +0100330 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv),
331 buf, sizeof(hash));
Tamas Banf70ef8c2017-12-19 15:35:09 +0000332 if (rc) {
333 return rc;
334 }
Raef Coles25b857a2019-09-05 13:59:55 +0100335 if (boot_secure_memequal(hash, buf, sizeof(hash))) {
Tamas Banf70ef8c2017-12-19 15:35:09 +0000336 return -1;
337 }
338
339 sha256_valid = 1;
340#ifdef EXPECTED_SIG_TLV
Tamas Ban1d37c342019-07-11 08:55:55 +0100341#ifndef MCUBOOT_HW_KEY
Tamas Banf70ef8c2017-12-19 15:35:09 +0000342 } else if (tlv.it_type == IMAGE_TLV_KEYHASH) {
343 /*
344 * Determine which key we should be checking.
345 */
346 if (tlv.it_len > 32) {
347 return -1;
348 }
David Vincze7673e592019-10-28 11:08:56 +0100349 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv), buf, tlv.it_len);
Tamas Banf70ef8c2017-12-19 15:35:09 +0000350 if (rc) {
351 return rc;
352 }
353 key_id = bootutil_find_key(buf, tlv.it_len);
354 /*
355 * The key may not be found, which is acceptable. There
356 * can be multiple signatures, each preceded by a key.
357 */
David Vinczecea8b592019-10-29 16:09:51 +0100358#else /* MCUBOOT_HW_KEY */
Tamas Ban1d37c342019-07-11 08:55:55 +0100359 } else if (tlv.it_type == IMAGE_TLV_KEY) {
360 /*
361 * Determine which key we should be checking.
362 */
363 if (tlv.it_len > sizeof(key_buf)) {
364 return -1;
365 }
David Vincze7673e592019-10-28 11:08:56 +0100366 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv),
367 key_buf, tlv.it_len);
Tamas Ban1d37c342019-07-11 08:55:55 +0100368 if (rc) {
369 return rc;
370 }
David Vinczecea8b592019-10-29 16:09:51 +0100371 key_id = bootutil_find_key(image_index, key_buf, tlv.it_len);
Tamas Ban1d37c342019-07-11 08:55:55 +0100372 /*
373 * The key may not be found, which is acceptable. There
374 * can be multiple signatures, each preceded by a key.
375 */
376#endif /* MCUBOOT_HW_KEY */
Tamas Banf70ef8c2017-12-19 15:35:09 +0000377 } else if (tlv.it_type == EXPECTED_SIG_TLV) {
378 /* Ignore this signature if it is out of bounds. */
David Vinczefb068302019-07-24 11:00:22 +0200379 if (key_id >= 0 && key_id < bootutil_key_cnt) {
380 if (!EXPECTED_SIG_LEN(tlv.it_len) || tlv.it_len > sizeof(buf)) {
381 return -1;
382 }
David Vincze7673e592019-10-28 11:08:56 +0100383 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv),
384 buf, tlv.it_len);
David Vinczefb068302019-07-24 11:00:22 +0200385 if (rc) {
386 return -1;
387 }
388 rc = bootutil_verify_sig(hash, sizeof(hash), buf, tlv.it_len,
389 key_id);
390 if (rc == 0) {
391 valid_signature = 1;
392 }
Tamas Banf70ef8c2017-12-19 15:35:09 +0000393 }
394 key_id = -1;
395#endif
David Vincze060968d2019-05-23 01:13:14 +0200396 } else if (tlv.it_type == IMAGE_TLV_SEC_CNT) {
397 /*
398 * Verify the image's security counter.
399 * This must always be present.
400 */
401 if (tlv.it_len != sizeof(img_security_cnt)) {
402 /* Security counter is not valid. */
403 return -1;
404 }
405
David Vincze7673e592019-10-28 11:08:56 +0100406 rc = LOAD_IMAGE_DATA(hdr, fap, off + sizeof(tlv),
David Vincze060968d2019-05-23 01:13:14 +0200407 &img_security_cnt, tlv.it_len);
408 if (rc) {
409 return rc;
410 }
411
412 rc = boot_nv_security_counter_get(0, &security_cnt);
413 if (rc) {
414 return rc;
415 }
416
417 /* Compare the new image's security counter value against the
418 * stored security counter value.
419 */
420 if (img_security_cnt < security_cnt) {
421 /* The image's security counter is not accepted. */
422 return -1;
423 }
424
425 /* The image's security counter has been successfully verified. */
426 security_counter_valid = 1;
427 }
428
429 /* Avoid integer overflow. */
Tamas Ban056ed0b2019-09-16 12:48:32 +0100430 if (boot_add_uint32_overflow_check(off, (sizeof(tlv) + tlv.it_len))) {
David Vincze060968d2019-05-23 01:13:14 +0200431 /* Potential overflow. */
432 break;
433 } else {
434 off += sizeof(tlv) + tlv.it_len;
Tamas Banf70ef8c2017-12-19 15:35:09 +0000435 }
436 }
437
David Vincze060968d2019-05-23 01:13:14 +0200438 if (!sha256_valid || !security_counter_valid) {
Tamas Banf70ef8c2017-12-19 15:35:09 +0000439 return -1;
440 }
441
442#ifdef EXPECTED_SIG_TLV
443 if (!valid_signature) {
444 return -1;
445 }
446#endif
447
448 return 0;
449}