vboot2: Add common functions

This is the third of several CLs adding a more memory- and code-efficient firmware verification library. BUG=chromium:370082 BRANCH=none TEST=make clean && COV=1 make Change-Id: I3a5daa5438afc5598d3dfcf5a597ffb16eda8749 Signed-off-by: Randall Spangler <rspangler@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/200140 Reviewed-by: Bill Richardson <wfrichar@chromium.org>
2025-11-24 02:05:01 +00:00 · 2014-05-15 15:34:54 -07:00
parent 3333e57849
commit 7141d73c14
7 changed files with 1175 additions and 139 deletions
--- a/firmware/2lib/include/2common.h
+++ b/firmware/2lib/include/2common.h
@@ -9,6 +9,7 @@
 #define VBOOT_REFERENCE_VBOOT_2COMMON_H_

 #include "2return_codes.h"
+#include "2sha.h"
 #include "2struct.h"

 struct vb2_public_key;
@@ -118,4 +119,142 @@ int vb2_align(uint8_t **ptr,
 */
 ptrdiff_t vb2_offset_of(const void *base, const void *ptr);

+/*
+ * Helper functions to get data pointed to by a public key or signature.
+ */
+
+const uint8_t *vb2_packed_key_data(const struct vb2_packed_key *key);
+uint8_t *vb2_signature_data(struct vb2_signature *sig);
+
+/**
+ * Verify the data pointed to by a subfield is inside the parent data.
+ *
+ * The subfield has a header pointed to by member, and a separate data
+ * field at an offset relative to the header.  That is:
+ *
+ *   struct parent {
+ *     (possibly other parent fields)
+ *     struct member {
+ *        (member header fields)
+ *     };
+ *     (possibly other parent fields)
+ *   };
+ *   (possibly some other parent data)
+ *   (member data)
+ *   (possibly some other parent data)
+ *
+ * @param parent		Parent data
+ * @param parent_size		Parent size in bytes
+ * @param member		Subfield header
+ * @param member_size		Size of subfield header in bytes
+ * @param member_data_offset	Offset of member data from start of member
+ * @param member_data_size	Size of member data in bytes
+ * @return VB2_SUCCESS, or non-zero if error.
+ */
+int vb2_verify_member_inside(const void *parent, uint32_t parent_size,
+			     const void *member, uint32_t member_size,
+			     uint32_t member_data_offset,
+			     uint32_t member_data_size);
+
+/**
+ * Verify a signature is fully contained in its parent data
+ *
+ * @param parent	Parent data
+ * @param parent_size	Parent size in bytes
+ * @param sig		Signature pointer
+ * @return VB2_SUCCESS, or non-zero if error.
+ */
+int vb2_verify_signature_inside(const void *parent,
+				uint32_t parent_size,
+				const struct vb2_signature *sig);
+
+/**
+ * Verify a packed key is fully contained in its parent data
+ *
+ * @param parent	Parent data
+ * @param parent_size	Parent size in bytes
+ * @param key		Packed key pointer
+ * @return VB2_SUCCESS, or non-zero if error.
+ */
+int vb2_verify_packed_key_inside(const void *parent,
+				 uint32_t parent_size,
+				 const struct vb2_packed_key *key);
+
+/**
+ * Unpack a RSA key for use in verification
+ *
+ * The elements of the unpacked key will point into the source buffer, so don't
+ * free the source buffer until you're done with the key.
+ *
+ * @param key		Destintion for unpacked key
+ * @param buf		Source buffer containing packed key
+ * @param size		Size of buffer in bytes
+ * @return VB2_SUCCESS, or non-zero error code if error.
+ */
+int vb2_unpack_key(struct vb2_public_key *key,
+		   const uint8_t *buf,
+		   uint32_t size);
+
+/* Size of work buffer sufficient for vb2_verify_data() worst case */
+#define VB2_VERIFY_DATA_WORKBUF_BYTES					\
+	(VB2_SHA512_DIGEST_SIZE +					\
+	 VB2_MAX(VB2_VERIFY_DIGEST_WORKBUF_BYTES,			\
+		 sizeof(struct vb2_digest_context)))
+
+/**
+ * Verify data matches signature.
+ *
+ * @param data		Data to verify
+ * @param size		Size of data buffer.  Note that amount of data to
+ *			actually validate is contained in sig->data_size.
+ * @param sig		Signature of data (destroyed in process)
+ * @param key		Key to use to validate signature
+ * @param wb		Work buffer
+ * @return VB2_SUCCESS, or non-zero error code if error.
+ */
+int vb2_verify_data(const uint8_t *data,
+		    uint32_t size,
+		    struct vb2_signature *sig,
+		    const struct vb2_public_key *key,
+		    struct vb2_workbuf *wb);
+
+/* Size of work buffer sufficient for vb2_verify_keyblock() worst case */
+#define VB2_KEY_BLOCK_VERIFY_WORKBUF_BYTES VB2_VERIFY_DATA_WORKBUF_BYTES
+
+/**
+ * Check the sanity of a key block using a public key.
+ *
+ * Header fields are also checked for sanity.  Does not verify key index or key
+ * block flags.  Signature inside block is destroyed during check.
+ *
+ * @param block		Key block to verify
+ * @param size		Size of key block buffer
+ * @param key		Key to use to verify block
+ * @param wb		Work buffer
+ * @return VB2_SUCCESS, or non-zero error code if error.
+ */
+int vb2_verify_keyblock(struct vb2_keyblock *block,
+			uint32_t size,
+			const struct vb2_public_key *key,
+			struct vb2_workbuf *wb);
+
+/* Size of work buffer sufficient for vb2_verify_fw_preamble() worst case */
+#define VB2_VERIFY_FIRMWARE_PREAMBLE_WORKBUF_BYTES VB2_VERIFY_DATA_WORKBUF_BYTES
+
+/**
+ * Check the sanity of a firmware preamble using a public key.
+ *
+ * The signature in the preamble is destroyed during the check.
+ *
+ * @param preamble     	Preamble to verify
+ * @param size		Size of preamble buffer
+ * @param key		Key to use to verify preamble
+ * @param wb		Work buffer
+ * @return VB2_SUCCESS, or non-zero error code if error.
+ */
+int vb2_verify_fw_preamble(struct vb2_fw_preamble *preamble,
+			   uint32_t size,
+			   const struct vb2_public_key *key,
+			   struct vb2_workbuf *wb);
+
 #endif  /* VBOOT_REFERENCE_VBOOT_2COMMON_H_ */