blob: fe0b223e753ae8beed48f43ea61c137fc227fd68 [file] [log] [blame]
/* Copyright 2014 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include "file_type_bios.h"
#include "file_type.h"
#include "fmap.h"
#include "futility.h"
#include "futility_options.h"
#include "host_common.h"
#include "vb1_helper.h"
static const char * const fmap_name[] = {
"GBB", /* BIOS_FMAP_GBB */
"FW_MAIN_A", /* BIOS_FMAP_FW_MAIN_A */
"FW_MAIN_B", /* BIOS_FMAP_FW_MAIN_B */
"VBLOCK_A", /* BIOS_FMAP_VBLOCK_A */
"VBLOCK_B", /* BIOS_FMAP_VBLOCK_B */
};
_Static_assert(ARRAY_SIZE(fmap_name) == NUM_BIOS_COMPONENTS,
"Size of fmap_name[] should match NUM_BIOS_COMPONENTS");
static const char * const fmap_oldname[] = {
"GBB Area", /* BIOS_FMAP_GBB */
"Firmware A Data", /* BIOS_FMAP_FW_MAIN_A */
"Firmware B Data", /* BIOS_FMAP_FW_MAIN_B */
"Firmware A Key", /* BIOS_FMAP_VBLOCK_A */
"Firmware B Key", /* BIOS_FMAP_VBLOCK_B */
};
_Static_assert(ARRAY_SIZE(fmap_oldname) == NUM_BIOS_COMPONENTS,
"Size of fmap_oldname[] should match NUM_BIOS_COMPONENTS");
static void fmap_limit_area(FmapAreaHeader *ah, uint32_t len)
{
uint32_t sum = ah->area_offset + ah->area_size;
if (sum < ah->area_size || sum > len) {
VB2_DEBUG("%s %#x + %#x > %#x\n",
ah->area_name, ah->area_offset, ah->area_size, len);
ah->area_offset = 0;
ah->area_size = 0;
}
}
/** Show functions **/
int ft_show_gbb(const char *name, uint8_t *buf, uint32_t len, void *data)
{
struct vb2_gbb_header *gbb = (struct vb2_gbb_header *)buf;
struct bios_state_s *state = (struct bios_state_s *)data;
int retval = 0;
uint32_t maxlen = 0;
if (!len) {
printf("GBB header: %s <invalid>\n", name);
return 1;
}
/* It looks like a GBB or we wouldn't be called. */
if (!futil_valid_gbb_header(gbb, len, &maxlen))
retval = 1;
printf("GBB header: %s\n", name);
printf(" Version: %d.%d\n",
gbb->major_version, gbb->minor_version);
printf(" Flags: 0x%08x\n", gbb->flags);
printf(" Regions: offset size\n");
printf(" hwid 0x%08x 0x%08x\n",
gbb->hwid_offset, gbb->hwid_size);
printf(" bmpvf 0x%08x 0x%08x\n",
gbb->bmpfv_offset, gbb->bmpfv_size);
printf(" rootkey 0x%08x 0x%08x\n",
gbb->rootkey_offset, gbb->rootkey_size);
printf(" recovery_key 0x%08x 0x%08x\n",
gbb->recovery_key_offset, gbb->recovery_key_size);
printf(" Size: 0x%08x / 0x%08x%s\n",
maxlen, len, maxlen > len ? " (not enough)" : "");
if (retval) {
printf("GBB header is invalid, ignoring content\n");
return 1;
}
printf("GBB content:\n");
printf(" HWID: %s\n", buf + gbb->hwid_offset);
print_hwid_digest(gbb, " digest: ", "\n");
struct vb2_packed_key *pubkey =
(struct vb2_packed_key *)(buf + gbb->rootkey_offset);
if (vb2_packed_key_looks_ok(pubkey, gbb->rootkey_size) == VB2_SUCCESS) {
if (state) {
state->rootkey.offset =
state->area[BIOS_FMAP_GBB].offset +
gbb->rootkey_offset;
state->rootkey.buf = buf + gbb->rootkey_offset;
state->rootkey.len = gbb->rootkey_size;
state->rootkey.is_valid = 1;
}
printf(" Root Key:\n");
show_pubkey(pubkey, " ");
} else {
retval = 1;
printf(" Root Key: <invalid>\n");
}
pubkey = (struct vb2_packed_key *)(buf + gbb->recovery_key_offset);
if (vb2_packed_key_looks_ok(pubkey, gbb->recovery_key_size)
== VB2_SUCCESS) {
if (state) {
state->recovery_key.offset =
state->area[BIOS_FMAP_GBB].offset +
gbb->recovery_key_offset;
state->recovery_key.buf = buf +
gbb->recovery_key_offset;
state->recovery_key.len = gbb->recovery_key_size;
state->recovery_key.is_valid = 1;
}
printf(" Recovery Key:\n");
show_pubkey(pubkey, " ");
} else {
retval = 1;
printf(" Recovery Key: <invalid>\n");
}
if (!retval && state)
state->area[BIOS_FMAP_GBB].is_valid = 1;
return retval;
}
/*
* This handles FW_MAIN_A and FW_MAIN_B while processing a BIOS image.
*
* The data is just the RW firmware blob, so there's nothing useful to show
* about it. We'll just mark it as present so when we encounter corresponding
* VBLOCK area, we'll have this to verify.
*/
static int fmap_show_fw_main(const char *name, uint8_t *buf, uint32_t len,
void *data)
{
struct bios_state_s *state = (struct bios_state_s *)data;
if (!len) {
printf("Firmware body: %s <invalid>\n", name);
return 1;
}
printf("Firmware body: %s\n", name);
printf(" Offset: 0x%08x\n",
state->area[state->c].offset);
printf(" Size: 0x%08x\n", len);
state->area[state->c].is_valid = 1;
return 0;
}
/* Functions to call to show the bios components */
static int (*fmap_show_fn[])(const char *name, uint8_t *buf, uint32_t len,
void *data) = {
ft_show_gbb,
fmap_show_fw_main,
fmap_show_fw_main,
ft_show_fw_preamble,
ft_show_fw_preamble,
};
_Static_assert(ARRAY_SIZE(fmap_show_fn) == NUM_BIOS_COMPONENTS,
"Size of fmap_show_fn[] should match NUM_BIOS_COMPONENTS");
int ft_show_bios(const char *name, uint8_t *buf, uint32_t len, void *data)
{
FmapHeader *fmap;
FmapAreaHeader *ah = 0;
char ah_name[FMAP_NAMELEN + 1];
enum bios_component c;
int retval = 0;
struct bios_state_s state;
memset(&state, 0, sizeof(state));
printf("BIOS: %s\n", name);
/* We've already checked, so we know this will work. */
fmap = fmap_find(buf, len);
for (c = 0; c < NUM_BIOS_COMPONENTS; c++) {
/* We know one of these will work, too */
if (fmap_find_by_name(buf, len, fmap, fmap_name[c], &ah) ||
fmap_find_by_name(buf, len, fmap, fmap_oldname[c], &ah)) {
/* But the file might be truncated */
fmap_limit_area(ah, len);
/* The name is not necessarily null-terminated */
snprintf(ah_name, sizeof(ah_name), "%s", ah->area_name);
/* Update the state we're passing around */
state.c = c;
state.area[c].offset = ah->area_offset;
state.area[c].buf = buf + ah->area_offset;
state.area[c].len = ah->area_size;
VB2_DEBUG("showing FMAP area %d (%s),"
" offset=0x%08x len=0x%08x\n",
c, ah_name, ah->area_offset, ah->area_size);
/* Go look at it. */
if (fmap_show_fn[c])
retval += fmap_show_fn[c](ah_name,
state.area[c].buf,
state.area[c].len,
&state);
}
}
return retval;
}
/** Sign functions **/
/*
* This handles FW_MAIN_A and FW_MAIN_B while signing a BIOS image. The data is
* just the RW firmware blob so there's nothing useful to do with it, but we'll
* mark it as valid so that we'll know that this FMAP area exists and can
* be signed.
*/
static int fmap_sign_fw_main(const char *name, uint8_t *buf, uint32_t len,
void *data)
{
struct bios_state_s *state = (struct bios_state_s *)data;
state->area[state->c].is_valid = 1;
return 0;
}
/*
* This handles VBLOCK_A and VBLOCK_B while processing a BIOS image. We don't
* do any signing here. We just check to see if the existing FMAP area contains
* a firmware preamble so we can preserve its contents. We do the signing once
* we've looked over all the components.
*/
static int fmap_sign_fw_preamble(const char *name, uint8_t *buf, uint32_t len,
void *data)
{
static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
__attribute__((aligned(VB2_WORKBUF_ALIGN)));
static struct vb2_workbuf wb;
vb2_workbuf_init(&wb, workbuf, sizeof(workbuf));
struct vb2_keyblock *keyblock = (struct vb2_keyblock *)buf;
struct bios_state_s *state = (struct bios_state_s *)data;
/*
* If we have a valid keyblock and fw_preamble, then we can use them to
* determine the size of the firmware body. Otherwise, we'll have to
* just sign the whole region.
*/
if (VB2_SUCCESS != vb2_verify_keyblock_hash(keyblock, len, &wb)) {
fprintf(stderr, "Warning: %s keyblock is invalid. "
"Signing the entire FW FMAP region...\n", name);
goto whatever;
}
if (vb2_packed_key_looks_ok(&keyblock->data_key,
keyblock->data_key.key_offset +
keyblock->data_key.key_size)) {
fprintf(stderr, "Warning: %s public key is invalid. "
"Signing the entire FW FMAP region...\n", name);
goto whatever;
}
uint32_t more = keyblock->keyblock_size;
struct vb2_fw_preamble *preamble =
(struct vb2_fw_preamble *)(buf + more);
uint32_t fw_size = preamble->body_signature.data_size;
struct bios_area_s *fw_body_area = 0;
switch (state->c) {
case BIOS_FMAP_VBLOCK_A:
fw_body_area = &state->area[BIOS_FMAP_FW_MAIN_A];
/* Preserve the flags if they're not specified */
if (!sign_option.flags_specified)
sign_option.flags = preamble->flags;
break;
case BIOS_FMAP_VBLOCK_B:
fw_body_area = &state->area[BIOS_FMAP_FW_MAIN_B];
break;
default:
FATAL("Can only handle VBLOCK_A or VBLOCK_B\n");
}
if (fw_size > fw_body_area->len) {
fprintf(stderr,
"%s says the firmware is larger than we have\n",
name);
return 1;
}
/* Update the firmware size */
fw_body_area->len = fw_size;
whatever:
state->area[state->c].is_valid = 1;
return 0;
}
static int write_new_preamble(struct bios_area_s *vblock,
struct bios_area_s *fw_body,
struct vb2_private_key *signkey,
struct vb2_keyblock *keyblock)
{
struct vb2_signature *body_sig;
struct vb2_fw_preamble *preamble;
body_sig = vb2_calculate_signature(fw_body->buf, fw_body->len, signkey);
if (!body_sig) {
fprintf(stderr, "Error calculating body signature\n");
return 1;
}
preamble = vb2_create_fw_preamble(sign_option.version,
(struct vb2_packed_key *)sign_option.kernel_subkey,
body_sig,
signkey,
sign_option.flags);
if (!preamble) {
fprintf(stderr, "Error creating firmware preamble.\n");
free(body_sig);
return 1;
}
/* Write the new keyblock */
uint32_t more = keyblock->keyblock_size;
memcpy(vblock->buf, keyblock, more);
/* and the new preamble */
memcpy(vblock->buf + more, preamble, preamble->preamble_size);
free(preamble);
free(body_sig);
return 0;
}
static int write_loem(const char *ab, struct bios_area_s *vblock)
{
char filename[PATH_MAX];
int n;
n = snprintf(filename, sizeof(filename), "%s/vblock_%s.%s",
sign_option.loemdir ? sign_option.loemdir : ".",
ab, sign_option.loemid);
if (n >= sizeof(filename)) {
fprintf(stderr, "LOEM args produce bogus filename\n");
return 1;
}
FILE *fp = fopen(filename, "w");
if (!fp) {
fprintf(stderr, "Can't open %s for writing: %s\n",
filename, strerror(errno));
return 1;
}
if (1 != fwrite(vblock->buf, vblock->len, 1, fp)) {
fprintf(stderr, "Can't write to %s: %s\n",
filename, strerror(errno));
fclose(fp);
return 1;
}
if (fclose(fp)) {
fprintf(stderr, "Failed closing loem output: %s\n",
strerror(errno));
return 1;
}
return 0;
}
/* This signs a full BIOS image after it's been traversed. */
static int sign_bios_at_end(struct bios_state_s *state)
{
struct bios_area_s *vblock_a = &state->area[BIOS_FMAP_VBLOCK_A];
struct bios_area_s *vblock_b = &state->area[BIOS_FMAP_VBLOCK_B];
struct bios_area_s *fw_a = &state->area[BIOS_FMAP_FW_MAIN_A];
struct bios_area_s *fw_b = &state->area[BIOS_FMAP_FW_MAIN_B];
int retval = 0;
if (!vblock_a->is_valid || !vblock_b->is_valid ||
!fw_a->is_valid || !fw_b->is_valid) {
fprintf(stderr, "Something's wrong. Not changing anything\n");
return 1;
}
/* Do A & B differ ? */
if (fw_a->len != fw_b->len ||
memcmp(fw_a->buf, fw_b->buf, fw_a->len)) {
/* Yes, must use DEV keys for A */
if (!sign_option.devsignprivate || !sign_option.devkeyblock) {
fprintf(stderr,
"FW A & B differ. DEV keys are required.\n");
return 1;
}
retval |= write_new_preamble(vblock_a, fw_a,
sign_option.devsignprivate,
sign_option.devkeyblock);
} else {
retval |= write_new_preamble(vblock_a, fw_a,
sign_option.signprivate,
sign_option.keyblock);
}
/* FW B is always normal keys */
retval |= write_new_preamble(vblock_b, fw_b,
sign_option.signprivate,
sign_option.keyblock);
if (sign_option.loemid) {
retval |= write_loem("A", vblock_a);
retval |= write_loem("B", vblock_b);
}
return retval;
}
/* Functions to call while preparing to sign the bios */
static int (*fmap_sign_fn[])(const char *name, uint8_t *buf, uint32_t len,
void *data) = {
0,
fmap_sign_fw_main,
fmap_sign_fw_main,
fmap_sign_fw_preamble,
fmap_sign_fw_preamble,
};
_Static_assert(ARRAY_SIZE(fmap_sign_fn) == NUM_BIOS_COMPONENTS,
"Size of fmap_sign_fn[] should match NUM_BIOS_COMPONENTS");
int ft_sign_bios(const char *name, uint8_t *buf, uint32_t len, void *data)
{
FmapHeader *fmap;
FmapAreaHeader *ah = 0;
char ah_name[FMAP_NAMELEN + 1];
enum bios_component c;
int retval = 0;
struct bios_state_s state;
memset(&state, 0, sizeof(state));
/* We've already checked, so we know this will work. */
fmap = fmap_find(buf, len);
for (c = 0; c < NUM_BIOS_COMPONENTS; c++) {
/* We know one of these will work, too */
if (fmap_find_by_name(buf, len, fmap, fmap_name[c], &ah) ||
fmap_find_by_name(buf, len, fmap, fmap_oldname[c], &ah)) {
/* But the file might be truncated */
fmap_limit_area(ah, len);
/* The name is not necessarily null-terminated */
snprintf(ah_name, sizeof(ah_name), "%s", ah->area_name);
/* Update the state we're passing around */
state.c = c;
state.area[c].buf = buf + ah->area_offset;
state.area[c].len = ah->area_size;
VB2_DEBUG("examining FMAP area %d (%s),"
" offset=0x%08x len=0x%08x\n",
c, ah_name, ah->area_offset, ah->area_size);
/* Go look at it, but abort on error */
if (fmap_sign_fn[c])
retval += fmap_sign_fn[c](ah_name,
state.area[c].buf,
state.area[c].len,
&state);
}
}
retval += sign_bios_at_end(&state);
return retval;
}
enum futil_file_type ft_recognize_bios_image(uint8_t *buf, uint32_t len)
{
FmapHeader *fmap;
enum bios_component c;
fmap = fmap_find(buf, len);
if (!fmap)
return FILE_TYPE_UNKNOWN;
for (c = 0; c < NUM_BIOS_COMPONENTS; c++)
if (!fmap_find_by_name(buf, len, fmap, fmap_name[c], 0))
break;
if (c == NUM_BIOS_COMPONENTS)
return FILE_TYPE_BIOS_IMAGE;
for (c = 0; c < NUM_BIOS_COMPONENTS; c++)
if (!fmap_find_by_name(buf, len, fmap, fmap_oldname[c], 0))
break;
if (c == NUM_BIOS_COMPONENTS)
return FILE_TYPE_OLD_BIOS_IMAGE;
return FILE_TYPE_UNKNOWN;
}