Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (c) 2017, ARM Limited and Contributors. All rights reserved. |
| 3 | * |
| 4 | * SPDX-License-Identifier: BSD-3-Clause |
| 5 | */ |
| 6 | |
| 7 | #include <arch_helpers.h> |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 8 | #include <crypto_driver.h> |
Isla Mitchell | 9930501 | 2017-07-11 14:54:08 +0100 | [diff] [blame] | 9 | #include <crypto_mod.h> |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 10 | #include <debug.h> |
| 11 | #include <mbedtls_common.h> |
| 12 | #include <platform_def.h> |
| 13 | #include <rsa.h> |
| 14 | #include <sbrom_bsv_api.h> |
| 15 | #include <secureboot_base_func.h> |
| 16 | #include <secureboot_gen_defs.h> |
| 17 | #include <stddef.h> |
| 18 | #include <string.h> |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 19 | #include <util.h> |
Isla Mitchell | 9930501 | 2017-07-11 14:54:08 +0100 | [diff] [blame] | 20 | #include <utils.h> |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 21 | |
| 22 | #include <mbedtls/oid.h> |
| 23 | |
| 24 | #define LIB_NAME "CryptoCell SBROM" |
| 25 | #define RSA_SALT_LEN 32 |
| 26 | #define RSA_EXPONENT 65537 |
| 27 | |
| 28 | /* |
| 29 | * AlgorithmIdentifier ::= SEQUENCE { |
| 30 | * algorithm OBJECT IDENTIFIER, |
| 31 | * parameters ANY DEFINED BY algorithm OPTIONAL |
| 32 | * } |
| 33 | * |
| 34 | * SubjectPublicKeyInfo ::= SEQUENCE { |
| 35 | * algorithm AlgorithmIdentifier, |
| 36 | * subjectPublicKey BIT STRING |
| 37 | * } |
| 38 | * |
| 39 | * DigestInfo ::= SEQUENCE { |
| 40 | * digestAlgorithm AlgorithmIdentifier, |
| 41 | * digest OCTET STRING |
| 42 | * } |
| 43 | * |
| 44 | * RSASSA-PSS-params ::= SEQUENCE { |
| 45 | * hashAlgorithm [0] HashAlgorithm, |
| 46 | * maskGenAlgorithm [1] MaskGenAlgorithm, |
| 47 | * saltLength [2] INTEGER, |
| 48 | * trailerField [3] TrailerField DEFAULT trailerFieldBC |
| 49 | * } |
| 50 | */ |
| 51 | |
| 52 | /* |
| 53 | * Initialize the library and export the descriptor |
| 54 | */ |
| 55 | static void init(void) |
| 56 | { |
| 57 | CCError_t ret; |
Soby Mathew | d349023 | 2017-06-05 15:55:59 +0100 | [diff] [blame] | 58 | uint32_t lcs; |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 59 | |
| 60 | /* Initialize CC SBROM */ |
| 61 | ret = CC_BsvSbromInit((uintptr_t)PLAT_CRYPTOCELL_BASE); |
| 62 | if (ret != CC_OK) { |
| 63 | ERROR("CryptoCell CC_BsvSbromInit() error %x\n", ret); |
| 64 | panic(); |
| 65 | } |
Soby Mathew | d349023 | 2017-06-05 15:55:59 +0100 | [diff] [blame] | 66 | |
| 67 | /* Initialize lifecycle state */ |
| 68 | ret = CC_BsvLcsGetAndInit((uintptr_t)PLAT_CRYPTOCELL_BASE, &lcs); |
| 69 | if (ret != CC_OK) { |
| 70 | ERROR("CryptoCell CC_BsvLcsGetAndInit() error %x\n", ret); |
| 71 | panic(); |
| 72 | } |
| 73 | |
| 74 | /* If the lifecyclestate is `SD`, then stop further execution */ |
| 75 | if (lcs == CC_BSV_SECURITY_DISABLED_LCS) { |
| 76 | ERROR("CryptoCell LCS is security-disabled\n"); |
| 77 | panic(); |
| 78 | } |
Soby Mathew | 5d70800 | 2017-05-10 11:49:58 +0100 | [diff] [blame] | 79 | } |
| 80 | |
| 81 | /* |
| 82 | * Verify a signature. |
| 83 | * |
| 84 | * Parameters are passed using the DER encoding format following the ASN.1 |
| 85 | * structures detailed above. |
| 86 | */ |
| 87 | static int verify_signature(void *data_ptr, unsigned int data_len, |
| 88 | void *sig_ptr, unsigned int sig_len, |
| 89 | void *sig_alg, unsigned int sig_alg_len, |
| 90 | void *pk_ptr, unsigned int pk_len) |
| 91 | { |
| 92 | CCError_t error; |
| 93 | CCSbNParams_t pk; |
| 94 | CCSbSignature_t signature; |
| 95 | int rc, exp; |
| 96 | mbedtls_asn1_buf sig_oid, alg_oid, params; |
| 97 | mbedtls_md_type_t md_alg; |
| 98 | mbedtls_pk_type_t pk_alg; |
| 99 | mbedtls_pk_rsassa_pss_options pss_opts; |
| 100 | size_t len; |
| 101 | uint8_t *p, *end; |
| 102 | /* Temp buf to store the public key modulo (N) in LE format */ |
| 103 | uint32_t RevN[SB_RSA_MOD_SIZE_IN_WORDS]; |
| 104 | |
| 105 | /* Verify the signature algorithm */ |
| 106 | /* Get pointers to signature OID and parameters */ |
| 107 | p = sig_alg; |
| 108 | end = p + sig_alg_len; |
| 109 | rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, ¶ms); |
| 110 | if (rc != 0) |
| 111 | return CRYPTO_ERR_SIGNATURE; |
| 112 | |
| 113 | /* Get the actual signature algorithm (MD + PK) */ |
| 114 | rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg); |
| 115 | if (rc != 0) |
| 116 | return CRYPTO_ERR_SIGNATURE; |
| 117 | |
| 118 | /* The CryptoCell only supports RSASSA-PSS signature */ |
| 119 | if (pk_alg != MBEDTLS_PK_RSASSA_PSS || md_alg != MBEDTLS_MD_NONE) |
| 120 | return CRYPTO_ERR_SIGNATURE; |
| 121 | |
| 122 | /* Verify the RSASSA-PSS params */ |
| 123 | /* The trailer field is verified to be 0xBC internally by this API */ |
| 124 | rc = mbedtls_x509_get_rsassa_pss_params(¶ms, &md_alg, |
| 125 | &pss_opts.mgf1_hash_id, |
| 126 | &pss_opts.expected_salt_len); |
| 127 | if (rc != 0) |
| 128 | return CRYPTO_ERR_SIGNATURE; |
| 129 | |
| 130 | /* The CryptoCell only supports SHA256 as hash algorithm */ |
| 131 | if (md_alg != MBEDTLS_MD_SHA256 || pss_opts.mgf1_hash_id != MBEDTLS_MD_SHA256) |
| 132 | return CRYPTO_ERR_SIGNATURE; |
| 133 | |
| 134 | if (pss_opts.expected_salt_len != RSA_SALT_LEN) |
| 135 | return CRYPTO_ERR_SIGNATURE; |
| 136 | |
| 137 | /* Parse the public key */ |
| 138 | p = pk_ptr; |
| 139 | end = p + pk_len; |
| 140 | rc = mbedtls_asn1_get_tag(&p, end, &len, |
| 141 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); |
| 142 | if (rc != 0) |
| 143 | return CRYPTO_ERR_SIGNATURE; |
| 144 | |
| 145 | end = p + len; |
| 146 | rc = mbedtls_asn1_get_alg_null(&p, end, &alg_oid); |
| 147 | if (rc != 0) |
| 148 | return CRYPTO_ERR_SIGNATURE; |
| 149 | |
| 150 | if (mbedtls_oid_get_pk_alg(&alg_oid, &pk_alg) != 0) |
| 151 | return CRYPTO_ERR_SIGNATURE; |
| 152 | |
| 153 | if (pk_alg != MBEDTLS_PK_RSA) |
| 154 | return CRYPTO_ERR_SIGNATURE; |
| 155 | |
| 156 | rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); |
| 157 | if (rc != 0) |
| 158 | return CRYPTO_ERR_SIGNATURE; |
| 159 | |
| 160 | rc = mbedtls_asn1_get_tag(&p, end, &len, |
| 161 | MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); |
| 162 | if (rc != 0) |
| 163 | return CRYPTO_ERR_SIGNATURE; |
| 164 | |
| 165 | rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_INTEGER); |
| 166 | if (rc != 0) |
| 167 | return CRYPTO_ERR_SIGNATURE; |
| 168 | |
| 169 | if (*p == 0) { |
| 170 | p++; len--; |
| 171 | } |
| 172 | if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) |
| 173 | return CRYPTO_ERR_SIGNATURE; |
| 174 | |
| 175 | /* |
| 176 | * The CCSbVerifySignature() API expects N and Np in BE format and |
| 177 | * the signature in LE format. Copy N from certificate. |
| 178 | */ |
| 179 | memcpy(pk.N, p, RSA_MOD_SIZE_IN_BYTES); |
| 180 | |
| 181 | /* Verify the RSA exponent */ |
| 182 | p += len; |
| 183 | rc = mbedtls_asn1_get_int(&p, end, &exp); |
| 184 | if (rc != 0) |
| 185 | return CRYPTO_ERR_SIGNATURE; |
| 186 | |
| 187 | if (exp != RSA_EXPONENT) |
| 188 | return CRYPTO_ERR_SIGNATURE; |
| 189 | |
| 190 | /* |
| 191 | * Calculate the Np (Barrett n' value). The RSA_CalcNp() API expects |
| 192 | * N in LE format. Hence reverse N into a temporary buffer `RevN`. |
| 193 | */ |
| 194 | UTIL_ReverseMemCopy((uint8_t *)RevN, (uint8_t *)pk.N, sizeof(RevN)); |
| 195 | |
| 196 | RSA_CalcNp((uintptr_t)PLAT_CRYPTOCELL_BASE, RevN, pk.Np); |
| 197 | |
| 198 | /* Np is in LE format. Reverse it to BE */ |
| 199 | UTIL_ReverseBuff((uint8_t *)pk.Np, sizeof(pk.Np)); |
| 200 | |
| 201 | /* Get the signature (bitstring) */ |
| 202 | p = sig_ptr; |
| 203 | end = p + sig_len; |
| 204 | rc = mbedtls_asn1_get_bitstring_null(&p, end, &len); |
| 205 | if (rc != 0) |
| 206 | return CRYPTO_ERR_SIGNATURE; |
| 207 | |
| 208 | if (len != RSA_MOD_SIZE_IN_BYTES || ((p + len) > end)) |
| 209 | return CRYPTO_ERR_SIGNATURE; |
| 210 | |
| 211 | /* |
| 212 | * The signature is BE format. Convert it to LE before calling |
| 213 | * CCSbVerifySignature(). |
| 214 | */ |
| 215 | UTIL_ReverseMemCopy((uint8_t *)signature.sig, p, RSA_MOD_SIZE_IN_BYTES); |
| 216 | |
| 217 | /* |
| 218 | * CryptoCell utilises DMA internally to transfer data. Flush the data |
| 219 | * from caches. |
| 220 | */ |
| 221 | flush_dcache_range((uintptr_t)data_ptr, data_len); |
| 222 | |
| 223 | /* Verify the signature */ |
| 224 | error = CCSbVerifySignature((uintptr_t)PLAT_CRYPTOCELL_BASE, |
| 225 | (uint32_t *)data_ptr, &pk, &signature, |
| 226 | data_len, RSA_PSS_2048); |
| 227 | if (error != CC_OK) |
| 228 | return CRYPTO_ERR_SIGNATURE; |
| 229 | |
| 230 | /* Signature verification success */ |
| 231 | return CRYPTO_SUCCESS; |
| 232 | } |
| 233 | |
| 234 | /* |
| 235 | * Match a hash |
| 236 | * |
| 237 | * Digest info is passed in DER format following the ASN.1 structure detailed |
| 238 | * above. |
| 239 | */ |
| 240 | static int verify_hash(void *data_ptr, unsigned int data_len, |
| 241 | void *digest_info_ptr, unsigned int digest_info_len) |
| 242 | { |
| 243 | mbedtls_asn1_buf hash_oid, params; |
| 244 | mbedtls_md_type_t md_alg; |
| 245 | uint8_t *p, *end, *hash; |
| 246 | CCHashResult_t pubKeyHash; |
| 247 | size_t len; |
| 248 | int rc; |
| 249 | CCError_t error; |
| 250 | |
| 251 | /* Digest info should be an MBEDTLS_ASN1_SEQUENCE */ |
| 252 | p = digest_info_ptr; |
| 253 | end = p + digest_info_len; |
| 254 | rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED | |
| 255 | MBEDTLS_ASN1_SEQUENCE); |
| 256 | if (rc != 0) |
| 257 | return CRYPTO_ERR_HASH; |
| 258 | |
| 259 | /* Get the hash algorithm */ |
| 260 | rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms); |
| 261 | if (rc != 0) |
| 262 | return CRYPTO_ERR_HASH; |
| 263 | |
| 264 | rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg); |
| 265 | if (rc != 0) |
| 266 | return CRYPTO_ERR_HASH; |
| 267 | /* Verify that hash algorithm is SHA256 */ |
| 268 | if (md_alg != MBEDTLS_MD_SHA256) |
| 269 | return CRYPTO_ERR_HASH; |
| 270 | |
| 271 | /* Hash should be octet string type */ |
| 272 | rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING); |
| 273 | if (rc != 0) |
| 274 | return CRYPTO_ERR_HASH; |
| 275 | |
| 276 | /* Length of hash must match the algorithm's size */ |
| 277 | if (len != HASH_RESULT_SIZE_IN_BYTES) |
| 278 | return CRYPTO_ERR_HASH; |
| 279 | |
| 280 | /* |
| 281 | * CryptoCell utilises DMA internally to transfer data. Flush the data |
| 282 | * from caches. |
| 283 | */ |
| 284 | flush_dcache_range((uintptr_t)data_ptr, data_len); |
| 285 | |
| 286 | hash = p; |
| 287 | error = SBROM_CryptoHash((uintptr_t)PLAT_CRYPTOCELL_BASE, |
| 288 | (uintptr_t)data_ptr, data_len, pubKeyHash); |
| 289 | if (error != CC_OK) |
| 290 | return CRYPTO_ERR_HASH; |
| 291 | |
| 292 | rc = memcmp(pubKeyHash, hash, HASH_RESULT_SIZE_IN_BYTES); |
| 293 | if (rc != 0) |
| 294 | return CRYPTO_ERR_HASH; |
| 295 | |
| 296 | return CRYPTO_SUCCESS; |
| 297 | } |
| 298 | |
| 299 | /* |
| 300 | * Register crypto library descriptor |
| 301 | */ |
| 302 | REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash); |
| 303 | |
| 304 | |