Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0+ |
| 2 | /* |
| 3 | * (C) Copyright 2018 Arm Ltd. |
| 4 | * (C) Copyright 2020-2021 Samuel Holland <samuel@sholland.org> |
| 5 | */ |
| 6 | |
Heinrich Schuchardt | df128b7 | 2022-05-06 13:28:52 +0200 | [diff] [blame] | 7 | #define OPENSSL_API_COMPAT 0x10101000L |
| 8 | |
Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 9 | #include <assert.h> |
| 10 | #include <stdint.h> |
| 11 | #include <stdio.h> |
| 12 | #include <stdlib.h> |
| 13 | #include <string.h> |
| 14 | |
| 15 | #include <openssl/asn1t.h> |
Heinrich Schuchardt | df128b7 | 2022-05-06 13:28:52 +0200 | [diff] [blame] | 16 | #include <openssl/bn.h> |
Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 17 | #include <openssl/pem.h> |
| 18 | #include <openssl/rsa.h> |
| 19 | |
| 20 | #include <image.h> |
| 21 | #include <sunxi_image.h> |
| 22 | |
| 23 | #include "imagetool.h" |
| 24 | #include "mkimage.h" |
| 25 | |
| 26 | /* |
| 27 | * NAND requires 8K padding. For other devices, BROM requires only |
| 28 | * 512B padding, but let's use the larger padding to cover everything. |
| 29 | */ |
| 30 | #define PAD_SIZE 8192 |
| 31 | |
| 32 | #define pr_fmt(fmt) "mkimage (TOC0): %s: " fmt |
| 33 | #define pr_err(fmt, args...) fprintf(stderr, pr_fmt(fmt), "error", ##args) |
| 34 | #define pr_warn(fmt, args...) fprintf(stderr, pr_fmt(fmt), "warning", ##args) |
| 35 | #define pr_info(fmt, args...) fprintf(stderr, pr_fmt(fmt), "info", ##args) |
| 36 | |
Mark Kettenis | a94c5e6 | 2022-08-29 13:34:01 +0200 | [diff] [blame] | 37 | #if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL |
Michal Vasilek | a02c5c7 | 2022-07-22 19:55:53 +0200 | [diff] [blame] | 38 | #define RSA_get0_n(key) (key)->n |
| 39 | #define RSA_get0_e(key) (key)->e |
| 40 | #define RSA_get0_d(key) (key)->d |
| 41 | #endif |
| 42 | |
Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 43 | struct __packed toc0_key_item { |
| 44 | __le32 vendor_id; |
| 45 | __le32 key0_n_len; |
| 46 | __le32 key0_e_len; |
| 47 | __le32 key1_n_len; |
| 48 | __le32 key1_e_len; |
| 49 | __le32 sig_len; |
| 50 | uint8_t key0[512]; |
| 51 | uint8_t key1[512]; |
| 52 | uint8_t reserved[32]; |
| 53 | uint8_t sig[256]; |
| 54 | }; |
| 55 | |
| 56 | /* |
| 57 | * This looks somewhat like an X.509 certificate, but it is not valid BER. |
| 58 | * |
| 59 | * Some differences: |
| 60 | * - Some X.509 certificate fields are missing or rearranged. |
| 61 | * - Some sequences have the wrong tag. |
| 62 | * - Zero-length sequences are accepted. |
| 63 | * - Large strings and integers must be an even number of bytes long. |
| 64 | * - Positive integers are not zero-extended to maintain their sign. |
| 65 | * |
| 66 | * See https://linux-sunxi.org/TOC0 for more information. |
| 67 | */ |
| 68 | struct __packed toc0_small_tag { |
| 69 | uint8_t tag; |
| 70 | uint8_t length; |
| 71 | }; |
| 72 | |
| 73 | typedef struct toc0_small_tag toc0_small_int; |
| 74 | typedef struct toc0_small_tag toc0_small_oct; |
| 75 | typedef struct toc0_small_tag toc0_small_seq; |
| 76 | typedef struct toc0_small_tag toc0_small_exp; |
| 77 | |
| 78 | #define TOC0_SMALL_INT(len) { 0x02, (len) } |
| 79 | #define TOC0_SMALL_SEQ(len) { 0x30, (len) } |
| 80 | #define TOC0_SMALL_EXP(tag, len) { 0xa0 | (tag), len } |
| 81 | |
| 82 | struct __packed toc0_large_tag { |
| 83 | uint8_t tag; |
| 84 | uint8_t prefix; |
| 85 | uint8_t length_hi; |
| 86 | uint8_t length_lo; |
| 87 | }; |
| 88 | |
| 89 | typedef struct toc0_large_tag toc0_large_int; |
| 90 | typedef struct toc0_large_tag toc0_large_bit; |
| 91 | typedef struct toc0_large_tag toc0_large_seq; |
| 92 | |
| 93 | #define TOC0_LARGE_INT(len) { 0x02, 0x82, (len) >> 8, (len) & 0xff } |
| 94 | #define TOC0_LARGE_BIT(len) { 0x03, 0x82, (len) >> 8, (len) & 0xff } |
| 95 | #define TOC0_LARGE_SEQ(len) { 0x30, 0x82, (len) >> 8, (len) & 0xff } |
| 96 | |
| 97 | struct __packed toc0_cert_item { |
| 98 | toc0_large_seq tag_totalSequence; |
| 99 | struct __packed toc0_totalSequence { |
| 100 | toc0_large_seq tag_mainSequence; |
| 101 | struct __packed toc0_mainSequence { |
| 102 | toc0_small_exp tag_explicit0; |
| 103 | struct __packed toc0_explicit0 { |
| 104 | toc0_small_int tag_version; |
| 105 | uint8_t version; |
| 106 | } explicit0; |
| 107 | toc0_small_int tag_serialNumber; |
| 108 | uint8_t serialNumber; |
| 109 | toc0_small_seq tag_signature; |
| 110 | toc0_small_seq tag_issuer; |
| 111 | toc0_small_seq tag_validity; |
| 112 | toc0_small_seq tag_subject; |
| 113 | toc0_large_seq tag_subjectPublicKeyInfo; |
| 114 | struct __packed toc0_subjectPublicKeyInfo { |
| 115 | toc0_small_seq tag_algorithm; |
| 116 | toc0_large_seq tag_publicKey; |
| 117 | struct __packed toc0_publicKey { |
| 118 | toc0_large_int tag_n; |
| 119 | uint8_t n[256]; |
| 120 | toc0_small_int tag_e; |
| 121 | uint8_t e[3]; |
| 122 | } publicKey; |
| 123 | } subjectPublicKeyInfo; |
| 124 | toc0_small_exp tag_explicit3; |
| 125 | struct __packed toc0_explicit3 { |
| 126 | toc0_small_seq tag_extension; |
| 127 | struct __packed toc0_extension { |
| 128 | toc0_small_int tag_digest; |
| 129 | uint8_t digest[32]; |
| 130 | } extension; |
| 131 | } explicit3; |
| 132 | } mainSequence; |
| 133 | toc0_large_bit tag_sigSequence; |
| 134 | struct __packed toc0_sigSequence { |
| 135 | toc0_small_seq tag_algorithm; |
| 136 | toc0_large_bit tag_signature; |
| 137 | uint8_t signature[256]; |
| 138 | } sigSequence; |
| 139 | } totalSequence; |
| 140 | }; |
| 141 | |
| 142 | #define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER)) |
| 143 | |
| 144 | static const struct toc0_cert_item cert_item_template = { |
| 145 | TOC0_LARGE_SEQ(sizeof(struct toc0_totalSequence)), |
| 146 | { |
| 147 | TOC0_LARGE_SEQ(sizeof(struct toc0_mainSequence)), |
| 148 | { |
| 149 | TOC0_SMALL_EXP(0, sizeof(struct toc0_explicit0)), |
| 150 | { |
| 151 | TOC0_SMALL_INT(sizeof_field(struct toc0_explicit0, version)), |
| 152 | 0, |
| 153 | }, |
| 154 | TOC0_SMALL_INT(sizeof_field(struct toc0_mainSequence, serialNumber)), |
| 155 | 0, |
| 156 | TOC0_SMALL_SEQ(0), |
| 157 | TOC0_SMALL_SEQ(0), |
| 158 | TOC0_SMALL_SEQ(0), |
| 159 | TOC0_SMALL_SEQ(0), |
| 160 | TOC0_LARGE_SEQ(sizeof(struct toc0_subjectPublicKeyInfo)), |
| 161 | { |
| 162 | TOC0_SMALL_SEQ(0), |
| 163 | TOC0_LARGE_SEQ(sizeof(struct toc0_publicKey)), |
| 164 | { |
| 165 | TOC0_LARGE_INT(sizeof_field(struct toc0_publicKey, n)), |
| 166 | {}, |
| 167 | TOC0_SMALL_INT(sizeof_field(struct toc0_publicKey, e)), |
| 168 | {}, |
| 169 | }, |
| 170 | }, |
| 171 | TOC0_SMALL_EXP(3, sizeof(struct toc0_explicit3)), |
| 172 | { |
| 173 | TOC0_SMALL_SEQ(sizeof(struct toc0_extension)), |
| 174 | { |
| 175 | TOC0_SMALL_INT(sizeof_field(struct toc0_extension, digest)), |
| 176 | {}, |
| 177 | }, |
| 178 | }, |
| 179 | }, |
| 180 | TOC0_LARGE_BIT(sizeof(struct toc0_sigSequence)), |
| 181 | { |
| 182 | TOC0_SMALL_SEQ(0), |
| 183 | TOC0_LARGE_BIT(sizeof_field(struct toc0_sigSequence, signature)), |
| 184 | {}, |
| 185 | }, |
| 186 | }, |
| 187 | }; |
| 188 | |
| 189 | #define TOC0_DEFAULT_NUM_ITEMS 3 |
| 190 | #define TOC0_DEFAULT_HEADER_LEN \ |
| 191 | ALIGN( \ |
| 192 | sizeof(struct toc0_main_info) + \ |
| 193 | sizeof(struct toc0_item_info) * TOC0_DEFAULT_NUM_ITEMS + \ |
| 194 | sizeof(struct toc0_cert_item) + \ |
| 195 | sizeof(struct toc0_key_item), \ |
| 196 | 32) |
| 197 | |
| 198 | static char *fw_key_file = "fw_key.pem"; |
| 199 | static char *key_item_file = "key_item.bin"; |
| 200 | static char *root_key_file = "root_key.pem"; |
| 201 | |
| 202 | /* |
| 203 | * Create a key item in @buf, containing the public keys @root_key and @fw_key, |
| 204 | * and signed by the RSA key @root_key. |
| 205 | */ |
| 206 | static int toc0_create_key_item(uint8_t *buf, uint32_t *len, |
| 207 | RSA *root_key, RSA *fw_key) |
| 208 | { |
| 209 | struct toc0_key_item *key_item = (void *)buf; |
| 210 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
| 211 | int ret = EXIT_FAILURE; |
| 212 | unsigned int sig_len; |
| 213 | int n_len, e_len; |
| 214 | |
| 215 | /* Store key 0. */ |
| 216 | n_len = BN_bn2bin(RSA_get0_n(root_key), key_item->key0); |
| 217 | e_len = BN_bn2bin(RSA_get0_e(root_key), key_item->key0 + n_len); |
| 218 | if (n_len + e_len > sizeof(key_item->key0)) { |
| 219 | pr_err("Root key is too big for key item\n"); |
| 220 | goto err; |
| 221 | } |
| 222 | key_item->key0_n_len = cpu_to_le32(n_len); |
| 223 | key_item->key0_e_len = cpu_to_le32(e_len); |
| 224 | |
| 225 | /* Store key 1. */ |
| 226 | n_len = BN_bn2bin(RSA_get0_n(fw_key), key_item->key1); |
| 227 | e_len = BN_bn2bin(RSA_get0_e(fw_key), key_item->key1 + n_len); |
| 228 | if (n_len + e_len > sizeof(key_item->key1)) { |
| 229 | pr_err("Firmware key is too big for key item\n"); |
| 230 | goto err; |
| 231 | } |
| 232 | key_item->key1_n_len = cpu_to_le32(n_len); |
| 233 | key_item->key1_e_len = cpu_to_le32(e_len); |
| 234 | |
| 235 | /* Sign the key item. */ |
| 236 | key_item->sig_len = cpu_to_le32(RSA_size(root_key)); |
| 237 | SHA256(buf, key_item->sig - buf, digest); |
| 238 | if (!RSA_sign(NID_sha256, digest, sizeof(digest), |
| 239 | key_item->sig, &sig_len, root_key)) { |
| 240 | pr_err("Failed to sign key item\n"); |
| 241 | goto err; |
| 242 | } |
| 243 | if (sig_len != sizeof(key_item->sig)) { |
| 244 | pr_err("Bad key item signature length\n"); |
| 245 | goto err; |
| 246 | } |
| 247 | |
| 248 | *len = sizeof(*key_item); |
| 249 | ret = EXIT_SUCCESS; |
| 250 | |
| 251 | err: |
| 252 | return ret; |
| 253 | } |
| 254 | |
| 255 | /* |
| 256 | * Verify the key item in @buf, containing two public keys @key0 and @key1, |
| 257 | * and signed by the RSA key @key0. If @root_key is provided, only signatures |
| 258 | * by that key will be accepted. @key1 is returned in @key. |
| 259 | */ |
| 260 | static int toc0_verify_key_item(const uint8_t *buf, uint32_t len, |
| 261 | RSA *root_key, RSA **fw_key) |
| 262 | { |
| 263 | struct toc0_key_item *key_item = (void *)buf; |
| 264 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
| 265 | int ret = EXIT_FAILURE; |
| 266 | int n_len, e_len; |
| 267 | RSA *key0 = NULL; |
| 268 | RSA *key1 = NULL; |
| 269 | BIGNUM *n, *e; |
| 270 | |
| 271 | if (len < sizeof(*key_item)) |
| 272 | goto err; |
| 273 | |
| 274 | /* Load key 0. */ |
| 275 | n_len = le32_to_cpu(key_item->key0_n_len); |
| 276 | e_len = le32_to_cpu(key_item->key0_e_len); |
| 277 | if (n_len + e_len > sizeof(key_item->key0)) { |
| 278 | pr_err("Bad root key size in key item\n"); |
| 279 | goto err; |
| 280 | } |
| 281 | n = BN_bin2bn(key_item->key0, n_len, NULL); |
| 282 | e = BN_bin2bn(key_item->key0 + n_len, e_len, NULL); |
| 283 | key0 = RSA_new(); |
| 284 | if (!key0) |
| 285 | goto err; |
| 286 | if (!RSA_set0_key(key0, n, e, NULL)) |
| 287 | goto err; |
| 288 | |
| 289 | /* If a root key was provided, compare it to key 0. */ |
| 290 | if (root_key && (BN_cmp(n, RSA_get0_n(root_key)) || |
| 291 | BN_cmp(e, RSA_get0_e(root_key)))) { |
| 292 | pr_err("Wrong root key in key item\n"); |
| 293 | goto err; |
| 294 | } |
| 295 | |
| 296 | /* Verify the key item signature. */ |
| 297 | SHA256(buf, key_item->sig - buf, digest); |
| 298 | if (!RSA_verify(NID_sha256, digest, sizeof(digest), |
| 299 | key_item->sig, le32_to_cpu(key_item->sig_len), key0)) { |
| 300 | pr_err("Bad key item signature\n"); |
| 301 | goto err; |
| 302 | } |
| 303 | |
| 304 | if (fw_key) { |
| 305 | /* Load key 1. */ |
| 306 | n_len = le32_to_cpu(key_item->key1_n_len); |
| 307 | e_len = le32_to_cpu(key_item->key1_e_len); |
| 308 | if (n_len + e_len > sizeof(key_item->key1)) { |
| 309 | pr_err("Bad firmware key size in key item\n"); |
| 310 | goto err; |
| 311 | } |
| 312 | n = BN_bin2bn(key_item->key1, n_len, NULL); |
| 313 | e = BN_bin2bn(key_item->key1 + n_len, e_len, NULL); |
| 314 | key1 = RSA_new(); |
| 315 | if (!key1) |
| 316 | goto err; |
| 317 | if (!RSA_set0_key(key1, n, e, NULL)) |
| 318 | goto err; |
| 319 | |
| 320 | if (*fw_key) { |
| 321 | /* If a FW key was provided, compare it to key 1. */ |
| 322 | if (BN_cmp(n, RSA_get0_n(*fw_key)) || |
| 323 | BN_cmp(e, RSA_get0_e(*fw_key))) { |
| 324 | pr_err("Wrong firmware key in key item\n"); |
| 325 | goto err; |
| 326 | } |
| 327 | } else { |
| 328 | /* Otherwise, send key1 back to the caller. */ |
| 329 | *fw_key = key1; |
| 330 | key1 = NULL; |
| 331 | } |
| 332 | } |
| 333 | |
| 334 | ret = EXIT_SUCCESS; |
| 335 | |
| 336 | err: |
| 337 | RSA_free(key0); |
| 338 | RSA_free(key1); |
| 339 | |
| 340 | return ret; |
| 341 | } |
| 342 | |
| 343 | /* |
| 344 | * Create a certificate in @buf, describing the firmware with SHA256 digest |
| 345 | * @digest, and signed by the RSA key @fw_key. |
| 346 | */ |
| 347 | static int toc0_create_cert_item(uint8_t *buf, uint32_t *len, RSA *fw_key, |
| 348 | uint8_t digest[static SHA256_DIGEST_LENGTH]) |
| 349 | { |
| 350 | struct toc0_cert_item *cert_item = (void *)buf; |
| 351 | uint8_t cert_digest[SHA256_DIGEST_LENGTH]; |
| 352 | struct toc0_totalSequence *totalSequence; |
| 353 | struct toc0_sigSequence *sigSequence; |
| 354 | struct toc0_extension *extension; |
| 355 | struct toc0_publicKey *publicKey; |
| 356 | int ret = EXIT_FAILURE; |
| 357 | unsigned int sig_len; |
| 358 | |
| 359 | memcpy(cert_item, &cert_item_template, sizeof(*cert_item)); |
| 360 | *len = sizeof(*cert_item); |
| 361 | |
| 362 | /* |
| 363 | * Fill in the public key. |
| 364 | * |
| 365 | * Only 2048-bit RSA keys are supported. Since this uses a fixed-size |
| 366 | * structure, it may fail for non-standard exponents. |
| 367 | */ |
| 368 | totalSequence = &cert_item->totalSequence; |
| 369 | publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey; |
| 370 | if (BN_bn2binpad(RSA_get0_n(fw_key), publicKey->n, sizeof(publicKey->n)) < 0 || |
| 371 | BN_bn2binpad(RSA_get0_e(fw_key), publicKey->e, sizeof(publicKey->e)) < 0) { |
| 372 | pr_err("Firmware key is too big for certificate\n"); |
| 373 | goto err; |
| 374 | } |
| 375 | |
| 376 | /* Fill in the firmware digest. */ |
| 377 | extension = &totalSequence->mainSequence.explicit3.extension; |
| 378 | memcpy(&extension->digest, digest, SHA256_DIGEST_LENGTH); |
| 379 | |
| 380 | /* |
| 381 | * Sign the certificate. |
| 382 | * |
| 383 | * In older SBROM versions (and by default in newer versions), |
| 384 | * the last 4 bytes of the certificate are not signed. |
| 385 | * |
| 386 | * (The buffer passed to SHA256 starts at tag_mainSequence, but |
| 387 | * the buffer size does not include the length of that tag.) |
| 388 | */ |
| 389 | SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest); |
| 390 | sigSequence = &totalSequence->sigSequence; |
| 391 | if (!RSA_sign(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH, |
| 392 | sigSequence->signature, &sig_len, fw_key)) { |
| 393 | pr_err("Failed to sign certificate\n"); |
| 394 | goto err; |
| 395 | } |
| 396 | if (sig_len != sizeof(sigSequence->signature)) { |
| 397 | pr_err("Bad certificate signature length\n"); |
| 398 | goto err; |
| 399 | } |
| 400 | |
| 401 | ret = EXIT_SUCCESS; |
| 402 | |
| 403 | err: |
| 404 | return ret; |
| 405 | } |
| 406 | |
| 407 | /* |
| 408 | * Verify the certificate in @buf, describing the firmware with SHA256 digest |
| 409 | * @digest, and signed by the RSA key contained within. If @fw_key is provided, |
| 410 | * only that key will be accepted. |
| 411 | * |
| 412 | * This function is only expected to work with images created by mkimage. |
| 413 | */ |
| 414 | static int toc0_verify_cert_item(const uint8_t *buf, uint32_t len, RSA *fw_key, |
| 415 | uint8_t digest[static SHA256_DIGEST_LENGTH]) |
| 416 | { |
| 417 | const struct toc0_cert_item *cert_item = (const void *)buf; |
| 418 | uint8_t cert_digest[SHA256_DIGEST_LENGTH]; |
| 419 | const struct toc0_totalSequence *totalSequence; |
| 420 | const struct toc0_sigSequence *sigSequence; |
| 421 | const struct toc0_extension *extension; |
| 422 | const struct toc0_publicKey *publicKey; |
| 423 | int ret = EXIT_FAILURE; |
| 424 | RSA *key = NULL; |
| 425 | BIGNUM *n, *e; |
| 426 | |
| 427 | /* Extract the public key from the certificate. */ |
| 428 | totalSequence = &cert_item->totalSequence; |
| 429 | publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey; |
| 430 | n = BN_bin2bn(publicKey->n, sizeof(publicKey->n), NULL); |
| 431 | e = BN_bin2bn(publicKey->e, sizeof(publicKey->e), NULL); |
| 432 | key = RSA_new(); |
| 433 | if (!key) |
| 434 | goto err; |
| 435 | if (!RSA_set0_key(key, n, e, NULL)) |
| 436 | goto err; |
| 437 | |
| 438 | /* If a key was provided, compare it to the embedded key. */ |
| 439 | if (fw_key && (BN_cmp(RSA_get0_n(key), RSA_get0_n(fw_key)) || |
| 440 | BN_cmp(RSA_get0_e(key), RSA_get0_e(fw_key)))) { |
| 441 | pr_err("Wrong firmware key in certificate\n"); |
| 442 | goto err; |
| 443 | } |
| 444 | |
| 445 | /* If a digest was provided, compare it to the embedded digest. */ |
| 446 | extension = &totalSequence->mainSequence.explicit3.extension; |
Seung-Woo Kim | e36bd3e | 2024-08-01 10:01:00 +0900 | [diff] [blame] | 447 | if (memcmp(&extension->digest, digest, SHA256_DIGEST_LENGTH)) { |
Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 448 | pr_err("Wrong firmware digest in certificate\n"); |
| 449 | goto err; |
| 450 | } |
| 451 | |
| 452 | /* Verify the certificate's signature. See the comment above. */ |
| 453 | SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest); |
| 454 | sigSequence = &totalSequence->sigSequence; |
| 455 | if (!RSA_verify(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH, |
| 456 | sigSequence->signature, |
| 457 | sizeof(sigSequence->signature), key)) { |
| 458 | pr_err("Bad certificate signature\n"); |
| 459 | goto err; |
| 460 | } |
| 461 | |
| 462 | ret = EXIT_SUCCESS; |
| 463 | |
| 464 | err: |
| 465 | RSA_free(key); |
| 466 | |
| 467 | return ret; |
| 468 | } |
| 469 | |
| 470 | /* |
| 471 | * Always create a TOC0 containing 3 items. The extra item will be ignored on |
| 472 | * SoCs which do not support it. |
| 473 | */ |
| 474 | static int toc0_create(uint8_t *buf, uint32_t len, RSA *root_key, RSA *fw_key, |
| 475 | uint8_t *key_item, uint32_t key_item_len, |
| 476 | uint8_t *fw_item, uint32_t fw_item_len, uint32_t fw_addr) |
| 477 | { |
| 478 | struct toc0_main_info *main_info = (void *)buf; |
| 479 | struct toc0_item_info *item_info = (void *)(main_info + 1); |
| 480 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
| 481 | uint32_t *buf32 = (void *)buf; |
| 482 | RSA *orig_fw_key = fw_key; |
| 483 | int ret = EXIT_FAILURE; |
| 484 | uint32_t checksum = 0; |
| 485 | uint32_t item_offset; |
| 486 | uint32_t item_length; |
| 487 | int i; |
| 488 | |
| 489 | /* Hash the firmware for inclusion in the certificate. */ |
| 490 | SHA256(fw_item, fw_item_len, digest); |
| 491 | |
| 492 | /* Create the main TOC0 header, containing three items. */ |
| 493 | memcpy(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name)); |
| 494 | main_info->magic = cpu_to_le32(TOC0_MAIN_INFO_MAGIC); |
| 495 | main_info->checksum = cpu_to_le32(BROM_STAMP_VALUE); |
| 496 | main_info->num_items = cpu_to_le32(TOC0_DEFAULT_NUM_ITEMS); |
| 497 | memcpy(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end)); |
| 498 | |
| 499 | /* The first item links the ROTPK to the signing key. */ |
| 500 | item_offset = sizeof(*main_info) + |
| 501 | sizeof(*item_info) * TOC0_DEFAULT_NUM_ITEMS; |
| 502 | /* Using an existing key item avoids needing the root private key. */ |
| 503 | if (key_item) { |
| 504 | item_length = sizeof(*key_item); |
| 505 | if (toc0_verify_key_item(key_item, item_length, |
| 506 | root_key, &fw_key)) |
| 507 | goto err; |
| 508 | memcpy(buf + item_offset, key_item, item_length); |
| 509 | } else if (toc0_create_key_item(buf + item_offset, &item_length, |
| 510 | root_key, fw_key)) { |
| 511 | goto err; |
| 512 | } |
| 513 | |
| 514 | item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_KEY); |
| 515 | item_info->offset = cpu_to_le32(item_offset); |
| 516 | item_info->length = cpu_to_le32(item_length); |
| 517 | memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); |
| 518 | |
| 519 | /* The second item contains a certificate signed by the firmware key. */ |
| 520 | item_offset = item_offset + item_length; |
| 521 | if (toc0_create_cert_item(buf + item_offset, &item_length, |
| 522 | fw_key, digest)) |
| 523 | goto err; |
| 524 | |
| 525 | item_info++; |
| 526 | item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_CERT); |
| 527 | item_info->offset = cpu_to_le32(item_offset); |
| 528 | item_info->length = cpu_to_le32(item_length); |
| 529 | memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); |
| 530 | |
| 531 | /* The third item contains the actual boot code. */ |
| 532 | item_offset = ALIGN(item_offset + item_length, 32); |
| 533 | item_length = fw_item_len; |
| 534 | if (buf + item_offset != fw_item) |
| 535 | memmove(buf + item_offset, fw_item, item_length); |
| 536 | |
| 537 | item_info++; |
| 538 | item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_FIRMWARE); |
| 539 | item_info->offset = cpu_to_le32(item_offset); |
| 540 | item_info->length = cpu_to_le32(item_length); |
| 541 | item_info->load_addr = cpu_to_le32(fw_addr); |
| 542 | memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); |
| 543 | |
| 544 | /* Pad to the required block size with 0xff to be flash-friendly. */ |
| 545 | item_offset = item_offset + item_length; |
| 546 | item_length = ALIGN(item_offset, PAD_SIZE) - item_offset; |
| 547 | memset(buf + item_offset, 0xff, item_length); |
| 548 | |
| 549 | /* Fill in the total padded file length. */ |
| 550 | item_offset = item_offset + item_length; |
| 551 | main_info->length = cpu_to_le32(item_offset); |
| 552 | |
| 553 | /* Verify enough space was provided when creating the image. */ |
| 554 | assert(len >= item_offset); |
| 555 | |
| 556 | /* Calculate the checksum. Yes, it's that simple. */ |
| 557 | for (i = 0; i < item_offset / 4; ++i) |
| 558 | checksum += le32_to_cpu(buf32[i]); |
| 559 | main_info->checksum = cpu_to_le32(checksum); |
| 560 | |
| 561 | ret = EXIT_SUCCESS; |
| 562 | |
| 563 | err: |
| 564 | if (fw_key != orig_fw_key) |
| 565 | RSA_free(fw_key); |
| 566 | |
| 567 | return ret; |
| 568 | } |
| 569 | |
| 570 | static const struct toc0_item_info * |
| 571 | toc0_find_item(const struct toc0_main_info *main_info, uint32_t name, |
| 572 | uint32_t *offset, uint32_t *length) |
| 573 | { |
| 574 | const struct toc0_item_info *item_info = (void *)(main_info + 1); |
| 575 | uint32_t item_offset, item_length; |
| 576 | uint32_t num_items, main_length; |
| 577 | int i; |
| 578 | |
| 579 | num_items = le32_to_cpu(main_info->num_items); |
| 580 | main_length = le32_to_cpu(main_info->length); |
| 581 | |
| 582 | for (i = 0; i < num_items; ++i, ++item_info) { |
| 583 | if (le32_to_cpu(item_info->name) != name) |
| 584 | continue; |
| 585 | |
| 586 | item_offset = le32_to_cpu(item_info->offset); |
| 587 | item_length = le32_to_cpu(item_info->length); |
| 588 | |
| 589 | if (item_offset > main_length || |
| 590 | item_length > main_length - item_offset) |
| 591 | continue; |
| 592 | |
| 593 | *offset = item_offset; |
| 594 | *length = item_length; |
| 595 | |
| 596 | return item_info; |
| 597 | } |
| 598 | |
| 599 | return NULL; |
| 600 | } |
| 601 | |
| 602 | static int toc0_verify(const uint8_t *buf, uint32_t len, RSA *root_key) |
| 603 | { |
| 604 | const struct toc0_main_info *main_info = (void *)buf; |
| 605 | const struct toc0_item_info *item_info; |
| 606 | uint8_t digest[SHA256_DIGEST_LENGTH]; |
| 607 | uint32_t main_length = le32_to_cpu(main_info->length); |
| 608 | uint32_t checksum = BROM_STAMP_VALUE; |
| 609 | uint32_t *buf32 = (void *)buf; |
| 610 | uint32_t length, offset; |
| 611 | int ret = EXIT_FAILURE; |
| 612 | RSA *fw_key = NULL; |
| 613 | int i; |
| 614 | |
| 615 | if (len < main_length) |
| 616 | goto err; |
| 617 | |
| 618 | /* Verify the main header. */ |
| 619 | if (memcmp(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name))) |
| 620 | goto err; |
| 621 | if (le32_to_cpu(main_info->magic) != TOC0_MAIN_INFO_MAGIC) |
| 622 | goto err; |
| 623 | /* Verify the checksum without modifying the buffer. */ |
| 624 | for (i = 0; i < main_length / 4; ++i) |
| 625 | checksum += le32_to_cpu(buf32[i]); |
| 626 | if (checksum != 2 * le32_to_cpu(main_info->checksum)) |
| 627 | goto err; |
| 628 | /* The length must be at least 512 byte aligned. */ |
| 629 | if (main_length % 512) |
| 630 | goto err; |
| 631 | if (memcmp(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end))) |
| 632 | goto err; |
| 633 | |
| 634 | /* Verify the key item if present (it is optional). */ |
| 635 | item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_KEY, |
| 636 | &offset, &length); |
| 637 | if (!item_info) |
| 638 | fw_key = root_key; |
| 639 | else if (toc0_verify_key_item(buf + offset, length, root_key, &fw_key)) |
| 640 | goto err; |
| 641 | |
| 642 | /* Hash the firmware to compare with the certificate. */ |
| 643 | item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_FIRMWARE, |
| 644 | &offset, &length); |
| 645 | if (!item_info) { |
| 646 | pr_err("Missing firmware item\n"); |
| 647 | goto err; |
| 648 | } |
| 649 | SHA256(buf + offset, length, digest); |
| 650 | |
| 651 | /* Verify the certificate item. */ |
| 652 | item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_CERT, |
| 653 | &offset, &length); |
| 654 | if (!item_info) { |
| 655 | pr_err("Missing certificate item\n"); |
| 656 | goto err; |
| 657 | } |
| 658 | if (toc0_verify_cert_item(buf + offset, length, fw_key, digest)) |
| 659 | goto err; |
| 660 | |
| 661 | ret = EXIT_SUCCESS; |
| 662 | |
| 663 | err: |
| 664 | if (fw_key != root_key) |
| 665 | RSA_free(fw_key); |
| 666 | |
| 667 | return ret; |
| 668 | } |
| 669 | |
| 670 | static int toc0_check_params(struct image_tool_params *params) |
| 671 | { |
| 672 | if (!params->dflag) |
| 673 | return -EINVAL; |
| 674 | |
| 675 | /* |
| 676 | * If a key directory was provided, look for key files there. |
| 677 | * Otherwise, look for them in the current directory. The key files are |
| 678 | * the "quoted" terms in the description below. |
| 679 | * |
| 680 | * A summary of the chain of trust on most SoCs: |
| 681 | * 1) eFuse contains a SHA256 digest of the public "root key". |
| 682 | * 2) Private "root key" signs the certificate item (generated here). |
| 683 | * 3) Certificate item contains a SHA256 digest of the firmware item. |
| 684 | * |
| 685 | * A summary of the chain of trust on the H6 (by default; a bit in the |
| 686 | * BROM_CONFIG eFuse makes it work like above): |
| 687 | * 1) eFuse contains a SHA256 digest of the public "root key". |
| 688 | * 2) Private "root key" signs the "key item" (generated here). |
| 689 | * 3) "Key item" contains the public "root key" and public "fw key". |
| 690 | * 4) Private "fw key" signs the certificate item (generated here). |
| 691 | * 5) Certificate item contains a SHA256 digest of the firmware item. |
| 692 | * |
| 693 | * This means there are three valid ways to generate a TOC0: |
| 694 | * 1) Provide the private "root key" only. This works everywhere. |
| 695 | * For H6, the "root key" will also be used as the "fw key". |
| 696 | * 2) FOR H6 ONLY: Provide the private "root key" and a separate |
| 697 | * private "fw key". |
| 698 | * 3) FOR H6 ONLY: Provide the private "fw key" and a pre-existing |
| 699 | * "key item" containing the corresponding public "fw key". |
| 700 | * In this case, the private "root key" can be kept offline. The |
| 701 | * "key item" can be extracted from a TOC0 image generated using |
| 702 | * method #2 above. |
| 703 | * |
| 704 | * Note that until the ROTPK_HASH eFuse is programmed, any "root key" |
| 705 | * will be accepted by the BROM. |
| 706 | */ |
| 707 | if (params->keydir) { |
| 708 | if (asprintf(&fw_key_file, "%s/%s", params->keydir, fw_key_file) < 0) |
| 709 | return -ENOMEM; |
| 710 | if (asprintf(&key_item_file, "%s/%s", params->keydir, key_item_file) < 0) |
| 711 | return -ENOMEM; |
| 712 | if (asprintf(&root_key_file, "%s/%s", params->keydir, root_key_file) < 0) |
| 713 | return -ENOMEM; |
| 714 | } |
| 715 | |
| 716 | return 0; |
| 717 | } |
| 718 | |
| 719 | static int toc0_verify_header(unsigned char *buf, int image_size, |
| 720 | struct image_tool_params *params) |
| 721 | { |
| 722 | int ret = EXIT_FAILURE; |
| 723 | RSA *root_key = NULL; |
| 724 | FILE *fp; |
| 725 | |
| 726 | /* A root public key is optional. */ |
| 727 | fp = fopen(root_key_file, "rb"); |
| 728 | if (fp) { |
| 729 | pr_info("Verifying image with existing root key\n"); |
| 730 | root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); |
| 731 | if (!root_key) |
| 732 | root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL); |
| 733 | fclose(fp); |
| 734 | if (!root_key) { |
| 735 | pr_err("Failed to read public key from '%s'\n", |
| 736 | root_key_file); |
| 737 | goto err; |
| 738 | } |
| 739 | } |
| 740 | |
| 741 | ret = toc0_verify(buf, image_size, root_key); |
| 742 | |
| 743 | err: |
| 744 | RSA_free(root_key); |
| 745 | |
| 746 | return ret; |
| 747 | } |
| 748 | |
| 749 | static const char *toc0_item_name(uint32_t name) |
| 750 | { |
| 751 | if (name == TOC0_ITEM_INFO_NAME_CERT) |
| 752 | return "Certificate"; |
| 753 | if (name == TOC0_ITEM_INFO_NAME_FIRMWARE) |
| 754 | return "Firmware"; |
| 755 | if (name == TOC0_ITEM_INFO_NAME_KEY) |
| 756 | return "Key"; |
| 757 | return "(unknown)"; |
| 758 | } |
| 759 | |
Pali Rohár | 0ed41e2 | 2023-03-29 21:25:54 +0200 | [diff] [blame] | 760 | static void toc0_print_header(const void *buf, struct image_tool_params *params) |
Samuel Holland | 7572878 | 2022-03-18 00:00:43 -0500 | [diff] [blame] | 761 | { |
| 762 | const struct toc0_main_info *main_info = buf; |
| 763 | const struct toc0_item_info *item_info = (void *)(main_info + 1); |
| 764 | uint32_t head_length, main_length, num_items; |
| 765 | uint32_t item_offset, item_length, item_name; |
| 766 | int load_addr = -1; |
| 767 | int i; |
| 768 | |
| 769 | num_items = le32_to_cpu(main_info->num_items); |
| 770 | head_length = sizeof(*main_info) + num_items * sizeof(*item_info); |
| 771 | main_length = le32_to_cpu(main_info->length); |
| 772 | |
| 773 | printf("Allwinner TOC0 Image\n" |
| 774 | "Size: %d bytes\n" |
| 775 | "Contents: %d items\n" |
| 776 | " 00000000:%08x Headers\n", |
| 777 | main_length, num_items, head_length); |
| 778 | |
| 779 | for (i = 0; i < num_items; ++i, ++item_info) { |
| 780 | item_offset = le32_to_cpu(item_info->offset); |
| 781 | item_length = le32_to_cpu(item_info->length); |
| 782 | item_name = le32_to_cpu(item_info->name); |
| 783 | |
| 784 | if (item_name == TOC0_ITEM_INFO_NAME_FIRMWARE) |
| 785 | load_addr = le32_to_cpu(item_info->load_addr); |
| 786 | |
| 787 | printf(" %08x:%08x %s\n", |
| 788 | item_offset, item_length, |
| 789 | toc0_item_name(item_name)); |
| 790 | } |
| 791 | |
| 792 | if (num_items && item_offset + item_length < main_length) { |
| 793 | item_offset = item_offset + item_length; |
| 794 | item_length = main_length - item_offset; |
| 795 | |
| 796 | printf(" %08x:%08x Padding\n", |
| 797 | item_offset, item_length); |
| 798 | } |
| 799 | |
| 800 | if (load_addr != -1) |
| 801 | printf("Load address: 0x%08x\n", load_addr); |
| 802 | } |
| 803 | |
| 804 | static void toc0_set_header(void *buf, struct stat *sbuf, int ifd, |
| 805 | struct image_tool_params *params) |
| 806 | { |
| 807 | uint32_t key_item_len = 0; |
| 808 | uint8_t *key_item = NULL; |
| 809 | int ret = EXIT_FAILURE; |
| 810 | RSA *root_key = NULL; |
| 811 | RSA *fw_key = NULL; |
| 812 | FILE *fp; |
| 813 | |
| 814 | /* Either a key item or the root private key is required. */ |
| 815 | fp = fopen(key_item_file, "rb"); |
| 816 | if (fp) { |
| 817 | pr_info("Creating image using existing key item\n"); |
| 818 | key_item_len = sizeof(struct toc0_key_item); |
| 819 | key_item = OPENSSL_malloc(key_item_len); |
| 820 | if (!key_item || fread(key_item, key_item_len, 1, fp) != 1) { |
| 821 | pr_err("Failed to read key item from '%s'\n", |
| 822 | root_key_file); |
| 823 | goto err; |
| 824 | } |
| 825 | fclose(fp); |
| 826 | fp = NULL; |
| 827 | } |
| 828 | |
| 829 | fp = fopen(root_key_file, "rb"); |
| 830 | if (fp) { |
| 831 | root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); |
| 832 | if (!root_key) |
| 833 | root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL); |
| 834 | fclose(fp); |
| 835 | fp = NULL; |
| 836 | } |
| 837 | |
| 838 | /* When using an existing key item, the root key is optional. */ |
| 839 | if (!key_item && (!root_key || !RSA_get0_d(root_key))) { |
| 840 | pr_err("Failed to read private key from '%s'\n", |
| 841 | root_key_file); |
| 842 | pr_info("Try 'openssl genrsa -out root_key.pem'\n"); |
| 843 | goto err; |
| 844 | } |
| 845 | |
| 846 | /* The certificate/firmware private key is always required. */ |
| 847 | fp = fopen(fw_key_file, "rb"); |
| 848 | if (fp) { |
| 849 | fw_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); |
| 850 | fclose(fp); |
| 851 | fp = NULL; |
| 852 | } |
| 853 | if (!fw_key) { |
| 854 | /* If the root key is a private key, it can be used instead. */ |
| 855 | if (root_key && RSA_get0_d(root_key)) { |
| 856 | pr_info("Using root key as firmware key\n"); |
| 857 | fw_key = root_key; |
| 858 | } else { |
| 859 | pr_err("Failed to read private key from '%s'\n", |
| 860 | fw_key_file); |
| 861 | goto err; |
| 862 | } |
| 863 | } |
| 864 | |
| 865 | /* Warn about potential compatibility issues. */ |
| 866 | if (key_item || fw_key != root_key) |
| 867 | pr_warn("Only H6 supports separate root and firmware keys\n"); |
| 868 | |
| 869 | ret = toc0_create(buf, params->file_size, root_key, fw_key, |
| 870 | key_item, key_item_len, |
| 871 | buf + TOC0_DEFAULT_HEADER_LEN, |
| 872 | params->orig_file_size, params->addr); |
| 873 | |
| 874 | err: |
| 875 | OPENSSL_free(key_item); |
| 876 | OPENSSL_free(root_key); |
| 877 | if (fw_key != root_key) |
| 878 | OPENSSL_free(fw_key); |
| 879 | if (fp) |
| 880 | fclose(fp); |
| 881 | |
| 882 | if (ret != EXIT_SUCCESS) |
| 883 | exit(ret); |
| 884 | } |
| 885 | |
| 886 | static int toc0_check_image_type(uint8_t type) |
| 887 | { |
| 888 | return type == IH_TYPE_SUNXI_TOC0 ? 0 : 1; |
| 889 | } |
| 890 | |
| 891 | static int toc0_vrec_header(struct image_tool_params *params, |
| 892 | struct image_type_params *tparams) |
| 893 | { |
| 894 | tparams->hdr = calloc(tparams->header_size, 1); |
| 895 | |
| 896 | /* Save off the unpadded data size for SHA256 calculation. */ |
| 897 | params->orig_file_size = params->file_size - TOC0_DEFAULT_HEADER_LEN; |
| 898 | |
| 899 | /* Return padding to 8K blocks. */ |
| 900 | return ALIGN(params->file_size, PAD_SIZE) - params->file_size; |
| 901 | } |
| 902 | |
| 903 | U_BOOT_IMAGE_TYPE( |
| 904 | sunxi_toc0, |
| 905 | "Allwinner TOC0 Boot Image support", |
| 906 | TOC0_DEFAULT_HEADER_LEN, |
| 907 | NULL, |
| 908 | toc0_check_params, |
| 909 | toc0_verify_header, |
| 910 | toc0_print_header, |
| 911 | toc0_set_header, |
| 912 | NULL, |
| 913 | toc0_check_image_type, |
| 914 | NULL, |
| 915 | toc0_vrec_header |
| 916 | ); |