TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mcuboot / 2fc80df49f9aaff48c4be10b049df2c3f5e1912e / . / boot / bootutil / src / image_validate.c
blob: d2d741abe25918d9193ed99df2660e2c9300878d [file] [log] [blame]
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]1/*
2 * Licensed to the Apache Software Foundation (ASF) under one
3 * or more contributor license agreements. See the NOTICE file
4 * distributed with this work for additional information
5 * regarding copyright ownership. The ASF licenses this file
6 * to you under the Apache License, Version 2.0 (the
7 * "License"); you may not use this file except in compliance
8 * with the License. You may obtain a copy of the License at
9 *
10 * http://www.apache.org/licenses/LICENSE-2.0
11 *
12 * Unless required by applicable law or agreed to in writing,
13 * software distributed under the License is distributed on an
14 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
15 * KIND, either express or implied. See the License for the
16 * specific language governing permissions and limitations
17 * under the License.
18 */
19
20#include <assert.h>
21#include <stddef.h>
22#include <inttypes.h>
23#include <string.h>
24
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]25#include "hal/hal_flash.h"
Andrzej Puzdrowskib788c712018-04-12 12:42:49 +0200[diff] [blame]26
27#include <flash_map_backend/flash_map_backend.h>
28
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]29#include "bootutil/image.h"
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]30#include "bootutil/sha256.h"
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]31#include "bootutil/sign_key.h"
32
Fabio Utzigba1fbe62017-07-21 14:01:20 -0300[diff] [blame]33#include "mcuboot_config/mcuboot_config.h"
Fabio Utzigeed80b62017-06-10 08:03:05 -0300[diff] [blame]34
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]35#ifdef MCUBOOT_ENC_IMAGES
36#include "bootutil/enc_key.h"
37#endif
38#if defined(MCUBOOT_SIGN_RSA)
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]39#include "mbedtls/rsa.h"
David Brownd7e350d2017-04-24 13:29:28 -0600[diff] [blame]40#endif
Fabio Utzig19356bf2017-05-11 16:19:36 -0300[diff] [blame]41#if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]42#include "mbedtls/ecdsa.h"
David Brownd7e350d2017-04-24 13:29:28 -0600[diff] [blame]43#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]44#include "mbedtls/asn1.h"
45
46#include "bootutil_priv.h"
47
48/*
49 * Compute SHA256 over the image.
50 */
51static int
52bootutil_img_hash(struct image_header *hdr, const struct flash_area *fap,
53 uint8_t *tmp_buf, uint32_t tmp_buf_sz,
54 uint8_t *hash_result, uint8_t *seed, int seed_len)
55{
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]56 bootutil_sha256_context sha256_ctx;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]57 uint32_t blk_sz;
58 uint32_t size;
Fabio Utzig2fc80df2018-12-14 06:47:38 -0200[diff] [blame^]59 uint16_t hdr_size;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]60 uint32_t off;
61 int rc;
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]62#ifdef MCUBOOT_ENC_IMAGES
63 uint32_t blk_off;
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]64#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]65
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]66 bootutil_sha256_init(&sha256_ctx);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]67
68 /* in some cases (split image) the hash is seeded with data from
69 * the loader image */
Fabio Utzig53986042017-12-12 14:57:07 -0200[diff] [blame]70 if (seed && (seed_len > 0)) {
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]71 bootutil_sha256_update(&sha256_ctx, seed, seed_len);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]72 }
73
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]74#ifdef MCUBOOT_ENC_IMAGES
75 /* Encrypted images only exist in slot1 */
Fabio Utzig2fc80df2018-12-14 06:47:38 -0200[diff] [blame^]76 if (fap->fa_id == FLASH_AREA_IMAGE_1 && IS_ENCRYPTED(hdr) && !boot_enc_valid(fap)) {
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]77 return -1;
78 }
79#endif
80
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]81 /*
82 * Hash is computed over image header and image itself. No TLV is
83 * included ATM.
84 */
Fabio Utzig2fc80df2018-12-14 06:47:38 -0200[diff] [blame^]85 hdr_size = hdr->ih_hdr_size;
86 size = hdr->ih_img_size + hdr_size;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]87 for (off = 0; off < size; off += blk_sz) {
88 blk_sz = size - off;
89 if (blk_sz > tmp_buf_sz) {
90 blk_sz = tmp_buf_sz;
91 }
Fabio Utzig2fc80df2018-12-14 06:47:38 -0200[diff] [blame^]92#ifdef MCUBOOT_ENC_IMAGES
93 /* Avoid reading header data together with other image data
94 * because the header is not encrypted, so maintain correct
95 * bounds when sending encrypted data to decrypt routine.
96 */
97 if ((off < hdr_size) && ((off + blk_sz) > hdr_size)) {
98 blk_sz = hdr_size - off;
99 }
100#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]101 rc = flash_area_read(fap, off, tmp_buf, blk_sz);
102 if (rc) {
103 return rc;
104 }
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]105#ifdef MCUBOOT_ENC_IMAGES
Fabio Utzig2fc80df2018-12-14 06:47:38 -0200[diff] [blame^]106 if (fap->fa_id == FLASH_AREA_IMAGE_1 && IS_ENCRYPTED(hdr) && off >= hdr_size) {
107 blk_off = (off - hdr_size) & 0xf;
108 boot_encrypt(fap, off - hdr_size, blk_sz, blk_off, tmp_buf);
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]109 }
110#endif
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]111 bootutil_sha256_update(&sha256_ctx, tmp_buf, blk_sz);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]112 }
David Browne629bf32017-04-24 13:37:33 -0600[diff] [blame]113 bootutil_sha256_finish(&sha256_ctx, hash_result);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]114
115 return 0;
116}
117
118/*
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]119 * Currently, we only support being able to verify one type of
120 * signature, because there is a single verification function that we
121 * call. List the type of TLV we are expecting. If we aren't
122 * configured for any signature, don't define this macro.
123 */
124#if defined(MCUBOOT_SIGN_RSA)
Marko Kiiskila8dd56f32017-08-22 21:40:49 -0700[diff] [blame]125# define EXPECTED_SIG_TLV IMAGE_TLV_RSA2048_PSS
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]126# define EXPECTED_SIG_LEN(x) ((x) == 256) /* 2048 bits */
127# if defined(MCUBOOT_SIGN_EC) || defined(MCUBOOT_SIGN_EC256)
128# error "Multiple signature types not yet supported"
129# endif
130#elif defined(MCUBOOT_SIGN_EC)
131# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA224
132# define EXPECTED_SIG_LEN(x) ((x) >= 64) /* oids + 2 * 28 bytes */
133# if defined(MCUBOOT_SIGN_EC256)
134# error "Multiple signature types not yet supported"
135# endif
136#elif defined(MCUBOOT_SIGN_EC256)
137# define EXPECTED_SIG_TLV IMAGE_TLV_ECDSA256
138# define EXPECTED_SIG_LEN(x) ((x) >= 72) /* oids + 2 * 32 bytes */
139#endif
140
141#ifdef EXPECTED_SIG_TLV
142static int
143bootutil_find_key(uint8_t *keyhash, uint8_t keyhash_len)
144{
145 bootutil_sha256_context sha256_ctx;
146 int i;
147 const struct bootutil_key *key;
148 uint8_t hash[32];
149
Fabio Utzig9911b182017-09-05 20:29:42 -0300[diff] [blame]150 assert(keyhash_len <= 32);
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]151
152 for (i = 0; i < bootutil_key_cnt; i++) {
153 key = &bootutil_keys[i];
154 bootutil_sha256_init(&sha256_ctx);
155 bootutil_sha256_update(&sha256_ctx, key->key, *key->len);
156 bootutil_sha256_finish(&sha256_ctx, hash);
157 if (!memcmp(hash, keyhash, keyhash_len)) {
158 return i;
159 }
160 }
161 return -1;
162}
163#endif
164
165/*
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]166 * Verify the integrity of the image.
167 * Return non-zero if image could not be validated/does not validate.
168 */
169int
170bootutil_img_validate(struct image_header *hdr, const struct flash_area *fap,
171 uint8_t *tmp_buf, uint32_t tmp_buf_sz,
172 uint8_t *seed, int seed_len, uint8_t *out_hash)
173{
174 uint32_t off;
David Brown3eaa2a12017-09-01 11:19:03 -0600[diff] [blame]175 uint32_t end;
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]176 int sha256_valid = 0;
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]177 struct image_tlv_info info;
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]178#ifdef EXPECTED_SIG_TLV
179 int valid_signature = 0;
180 int key_id = -1;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]181#endif
182 struct image_tlv tlv;
183 uint8_t buf[256];
184 uint8_t hash[32];
185 int rc;
186
Fabio Utzigba829042018-09-18 08:29:34 -0300[diff] [blame]187 rc = bootutil_img_hash(hdr, fap, tmp_buf, tmp_buf_sz, hash, seed, seed_len);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]188 if (rc) {
189 return rc;
190 }
191
192 if (out_hash) {
193 memcpy(out_hash, hash, 32);
194 }
195
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]196 /* The TLVs come after the image. */
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]197 /* After image there are TLVs. */
198 off = hdr->ih_img_size + hdr->ih_hdr_size;
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]199
200 rc = flash_area_read(fap, off, &info, sizeof(info));
201 if (rc) {
Fabio Utzigde6edc32017-09-04 14:35:49 -0300[diff] [blame]202 return rc;
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]203 }
204 if (info.it_magic != IMAGE_TLV_INFO_MAGIC) {
Fabio Utzigde6edc32017-09-04 14:35:49 -0300[diff] [blame]205 return -1;
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]206 }
David Brown3eaa2a12017-09-01 11:19:03 -0600[diff] [blame]207 end = off + info.it_tlv_tot;
David Brownf5b33d82017-09-01 10:58:27 -0600[diff] [blame]208 off += sizeof(info);
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]209
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]210 /*
211 * Traverse through all of the TLVs, performing any checks we know
212 * and are able to do.
213 */
David Brown3eaa2a12017-09-01 11:19:03 -0600[diff] [blame]214 for (; off < end; off += sizeof(tlv) + tlv.it_len) {
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]215 rc = flash_area_read(fap, off, &tlv, sizeof tlv);
216 if (rc) {
217 return rc;
218 }
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]219
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]220 if (tlv.it_type == IMAGE_TLV_SHA256) {
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]221 /*
222 * Verify the SHA256 image hash. This must always be
223 * present.
224 */
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]225 if (tlv.it_len != sizeof(hash)) {
226 return -1;
227 }
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]228 rc = flash_area_read(fap, off + sizeof(tlv), buf, sizeof hash);
229 if (rc) {
Fabio Utzigde6edc32017-09-04 14:35:49 -0300[diff] [blame]230 return rc;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]231 }
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]232 if (memcmp(hash, buf, sizeof(hash))) {
Fabio Utzigde6edc32017-09-04 14:35:49 -0300[diff] [blame]233 return -1;
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]234 }
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]235
236 sha256_valid = 1;
237#ifdef EXPECTED_SIG_TLV
238 } else if (tlv.it_type == IMAGE_TLV_KEYHASH) {
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]239 /*
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]240 * Determine which key we should be checking.
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]241 */
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]242 if (tlv.it_len > 32) {
243 return -1;
244 }
245 rc = flash_area_read(fap, off + sizeof tlv, buf, tlv.it_len);
246 if (rc) {
247 return rc;
248 }
249 key_id = bootutil_find_key(buf, tlv.it_len);
250 /*
251 * The key may not be found, which is acceptable. There
252 * can be multiple signatures, each preceded by a key.
253 */
254 } else if (tlv.it_type == EXPECTED_SIG_TLV) {
255 /* Ignore this signature if it is out of bounds. */
256 if (key_id < 0 || key_id >= bootutil_key_cnt) {
257 key_id = -1;
258 continue;
259 }
260 if (!EXPECTED_SIG_LEN(tlv.it_len) || tlv.it_len > sizeof(buf)) {
261 return -1;
262 }
263 rc = flash_area_read(fap, off + sizeof(tlv), buf, tlv.it_len);
264 if (rc) {
265 return -1;
266 }
267 rc = bootutil_verify_sig(hash, sizeof(hash), buf, tlv.it_len, key_id);
268 if (rc == 0) {
269 valid_signature = 1;
270 }
271 key_id = -1;
272#endif
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]273 }
274 }
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]275
276 if (!sha256_valid) {
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]277 return -1;
278 }
279
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]280#ifdef EXPECTED_SIG_TLV
281 if (!valid_signature) {
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]282 return -1;
283 }
284#endif
David Brown43cda332017-09-01 09:53:23 -0600[diff] [blame]285
Christopher Collins92ea77f2016-12-12 15:59:26 -0800[diff] [blame]286 return 0;
287}