blob: 653a37e07afcc401eae06375f3f0481d70cb56e5 [file] [log] [blame]
#include "stddef.h"
#include <libcr51sign/cr51_image_descriptor.h>
#include <libcr51sign/libcr51sign.h>
#include <libcr51sign/libcr51sign_internal.h>
#include <libcr51sign/libcr51sign_mauv.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C"
{
#endif
#define IMAGE_MAUV_MAX_DENYLIST_ENTRIES \
((IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv)) / sizeof(uint64_t))
_Static_assert(
(sizeof(struct image_mauv) +
IMAGE_MAUV_MAX_DENYLIST_ENTRIES *
MEMBER_SIZE(struct image_mauv, version_denylist[0])) ==
IMAGE_MAUV_DATA_MAX_SIZE,
"IMAGE_MAUV_MAX_DENYLIST_ENTRIES number of denylist entries do not "
"completely fill IMAGE_MAUV_MAX_SIZE bytes assumed for data in struct "
"image_mauv");
// Use wrapper struct to preserve alignment of image_mauv
struct full_mauv
{
struct image_mauv mauv;
uint8_t extra[IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv)];
};
// Verify BLOB magic bytes in payload's image descriptor at the expected offset
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] payload_blob_offset Absolute offset of payload BLOB data in
// payload's image descriptor
//
// @return `failure_reason`
static failure_reason
verify_payload_blob_magic(const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const uint32_t payload_blob_offset)
{
int irv = 0;
struct blob payload_blob = {0};
if (!intf->read)
{
CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
irv = intf->read(ctx, payload_blob_offset, sizeof(struct blob),
(uint8_t*)&payload_blob);
if (irv != LIBCR51SIGN_SUCCESS)
{
CPRINTS(ctx, "%s: Could not read BLOB magic bytes from payload\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if (payload_blob.blob_magic != BLOB_MAGIC)
{
CPRINTS(ctx, "%s: BLOB magic bytes read from payload(%x) are invalid\n",
__FUNCTION__, payload_blob.blob_magic);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
return LIBCR51SIGN_SUCCESS;
}
// Find offset of Image MAUV data in payload BLOB inside the image descriptor
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] offset_after_payload_blob_magic Absolute offset of data after
// payload BLOB magic bytes in image
// descriptor
// @param[in] payload_blob_size Size of payload BLOB as per its image
// descriptor
// @param[out] payload_image_mauv_data_offset Absolute offset of Image MAUV
// data in payload's image
// descriptor
// @param[out] payload_image_mauv_data_size Size of Image MAUV data embedded in
// payload's image descriptor
//
// @return `failure_reason`
static failure_reason find_image_mauv_data_offset_in_payload(
const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const uint32_t offset_after_payload_blob_magic,
const uint32_t payload_blob_size,
uint32_t* const restrict payload_image_mauv_data_offset,
uint32_t* const restrict payload_image_mauv_data_size)
{
struct blob_data payload_blob_data = {0};
int irv = 0;
bool found_image_mauv_data = false;
if (!intf->read)
{
CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
for (uint32_t current_offset = offset_after_payload_blob_magic;
current_offset <= offset_after_payload_blob_magic + payload_blob_size -
sizeof(struct blob_data);
/* increment based on each blob_data's size in loop */)
{
irv = intf->read(ctx, current_offset, sizeof(struct blob_data),
(uint8_t*)&payload_blob_data);
if (irv != LIBCR51SIGN_SUCCESS)
{
CPRINTS(ctx, "%s: Could not read BLOB data at offset %x\n",
__FUNCTION__, current_offset);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if ((current_offset - offset_after_payload_blob_magic) +
sizeof(struct blob_data) + payload_blob_data.blob_payload_size >
payload_blob_size)
{
CPRINTS(
ctx,
"%s: BLOB payload size crosses threshold expected by blob_size "
"in image descriptor",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
switch (payload_blob_data.blob_type_magic)
{
case BLOB_TYPE_MAGIC_MAUV:
if (!found_image_mauv_data)
{
*payload_image_mauv_data_offset =
current_offset + sizeof(struct blob_data);
*payload_image_mauv_data_size =
payload_blob_data.blob_payload_size;
found_image_mauv_data = true;
/* intentional fall-through to increment current offset */
}
else
{
/* There should be only one Image MAUV in a valid image
* descriptor */
CPRINTS(
ctx,
"%s: Found multiple Image MAUV BLOB instances in payload\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
default:
current_offset += sizeof(struct blob_data) +
payload_blob_data.blob_payload_size;
/* Increment offset to keep the expected alignment */
current_offset =
((current_offset - 1) & ~(BLOB_DATA_ALIGNMENT - 1)) +
BLOB_DATA_ALIGNMENT;
break;
}
}
if (!found_image_mauv_data)
{
CPRINTS(ctx, "%s: Did not find Image MAUV BLOB inside payload\n",
__FUNCTION__);
}
return LIBCR51SIGN_SUCCESS;
}
// Read Image MAUV data from BLOB inside payload's image descriptor
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] payload_image_mauv_data_offset Absolute offset of Image MAUV data
// in payload's image descriptor
// @param[in] payload_image_mauv_data_size Size of Image MAUV data embedded in
// payload's image descriptor
// @param[out] payload_image_mauv_data_buffer Buffer to store Image MAUV data
// read from payload's image
// descriptor
//
// @return `failure_reason`
static failure_reason read_image_mauv_data_from_payload(
const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const uint32_t payload_image_mauv_data_offset,
const uint32_t payload_image_mauv_data_size,
struct image_mauv* const restrict payload_image_mauv_data_buffer)
{
int irv = 0;
if (!intf->read)
{
CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
if (payload_image_mauv_data_size > IMAGE_MAUV_DATA_MAX_SIZE)
{
CPRINTS(
ctx,
"%s: Payload Image MAUV data size (0x%x) is more than supported "
"maximum size\n",
__FUNCTION__, payload_image_mauv_data_size);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
irv = intf->read(ctx, payload_image_mauv_data_offset,
payload_image_mauv_data_size,
(uint8_t*)payload_image_mauv_data_buffer);
if (irv != LIBCR51SIGN_SUCCESS)
{
CPRINTS(ctx,
"%s: Could not read Image MAUV data from payload @ offset 0x%x "
"size 0x%x\n",
__FUNCTION__, payload_image_mauv_data_offset,
payload_image_mauv_data_size);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
return LIBCR51SIGN_SUCCESS;
}
// Check if Image MAUV allows update to a target payload version
//
// @param[in] stored_image_mauv_data Image MAUV data stored in system
// @param[in] new_payload_security_version Payload version
//
// @return `bool` `True` if update to target version is allowed by MAUV data
static bool does_stored_image_mauv_allow_update(
const struct image_mauv* const stored_image_mauv_data,
const uint64_t new_payload_security_version)
{
if (new_payload_security_version <
stored_image_mauv_data->minimum_acceptable_update_version)
{
return false;
}
for (uint32_t i = 0;
i < stored_image_mauv_data->version_denylist_num_entries; i++)
{
if (stored_image_mauv_data->version_denylist[i] ==
new_payload_security_version)
{
return false;
}
}
return true;
}
// Do a sanity check for values stored in Image MAUV data
//
// @param[in] image_mauv_data Image MAUV data
// @param[in] image_mauv_data_size Size of Image MAUV data in bytes
//
// @return `failure_reason`
static failure_reason sanity_check_image_mauv_data(
const struct image_mauv* const restrict image_mauv_data,
const uint32_t image_mauv_data_size)
{
uint32_t expected_image_mauv_data_size = 0;
if (image_mauv_data_size < sizeof(struct image_mauv))
{
CPRINTS(ctx, "%s: Image MAUV data size is smaller than expected\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
if (image_mauv_data->mauv_struct_version != IMAGE_MAUV_STRUCT_VERSION)
{
CPRINTS(ctx, "%s: Unexpected Image MAUV version\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
if (image_mauv_data->payload_security_version == 0)
{
// Handle trivial case of someone not initializing MAUV properly
CPRINTS(ctx, "%s: Payload security version should be greater than 0\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
if (image_mauv_data->version_denylist_num_entries >
IMAGE_MAUV_MAX_DENYLIST_ENTRIES)
{
CPRINTS(
ctx,
"%s: Version denylist entries in Image MAUV exceed maximum count\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
expected_image_mauv_data_size =
sizeof(struct image_mauv) +
image_mauv_data->version_denylist_num_entries *
MEMBER_SIZE(struct image_mauv, version_denylist[0]);
if (image_mauv_data_size != expected_image_mauv_data_size)
{
CPRINTS(ctx,
"%s: Size of Image MAUV data (0x%x) is different than expected "
"size (0x%x)\n",
__FUNCTION__, image_mauv_data_size,
expected_image_mauv_data_size);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
if (!does_stored_image_mauv_allow_update(
image_mauv_data, image_mauv_data->payload_security_version))
{
CPRINTS(ctx,
"%s: Image MAUV does not allow update to the payload it was "
"contained in\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
return LIBCR51SIGN_SUCCESS;
}
// Find and read (if found) Image MAUV from payload's image descriptor
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] payload_blob_offset Absolute offset of payload BLOB data in
// payload's image descriptor
// @param[in] payload_blob_size Size of payload BLOB data as per payload's
// image descriptor
// @param[out] payload_image_mauv_data_buffer Buffer to store Image MAUV data
// read from payload's image
// descriptor
// @param[out] payload_image_mauv_data_size Size of Image MAUV data (in bytes)
// read from payload's image
// descriptor
// @param[out] payload_contains_image_mauv_data Flag to indicate whether Image
// MAUV data is present in
// payload's image descriptor
//
// @return `failure_reason`
failure_reason find_and_read_image_mauv_data_from_payload(
const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const uint32_t payload_blob_offset, const uint32_t payload_blob_size,
uint8_t payload_image_mauv_data_buffer[],
uint32_t* const restrict payload_image_mauv_data_size,
bool* const restrict payload_contains_image_mauv_data)
{
failure_reason rv = LIBCR51SIGN_SUCCESS;
uint32_t payload_image_mauv_data_offset = 0;
rv = verify_payload_blob_magic(ctx, intf, payload_blob_offset);
if (rv != LIBCR51SIGN_SUCCESS)
{
return rv;
}
rv = find_image_mauv_data_offset_in_payload(
ctx, intf, payload_blob_offset + offsetof(struct blob, blobs),
payload_blob_size, &payload_image_mauv_data_offset,
payload_image_mauv_data_size);
if (rv != LIBCR51SIGN_SUCCESS)
{
return rv;
}
*payload_contains_image_mauv_data = (payload_image_mauv_data_offset != 0);
if (*payload_contains_image_mauv_data)
{
rv = read_image_mauv_data_from_payload(
ctx, intf, payload_image_mauv_data_offset,
*payload_image_mauv_data_size,
(struct image_mauv*)payload_image_mauv_data_buffer);
if (rv != LIBCR51SIGN_SUCCESS)
{
return rv;
}
return sanity_check_image_mauv_data(
(struct image_mauv*)payload_image_mauv_data_buffer,
*payload_image_mauv_data_size);
}
return LIBCR51SIGN_SUCCESS;
}
// Replace stored Image MAUV data with payload Image MAUV data
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] payload_image_mauv_data Image MAUV data from payload
// @param[in] payload_image_mauv_data_size Size of Image MAUV data (in bytes)
// embedded inside payload
//
// @return `failure_reason`
static failure_reason update_stored_image_mauv_data(
const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const struct image_mauv* const restrict payload_image_mauv_data,
const uint32_t payload_image_mauv_data_size)
{
int irv = 0;
if (!intf->store_new_image_mauv_data)
{
CPRINTS(ctx, "%s: Missing interface intf->store_new_image_mauv_data\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
irv = intf->store_new_image_mauv_data(
ctx, (uint8_t*)payload_image_mauv_data, payload_image_mauv_data_size);
if (irv != LIBCR51SIGN_SUCCESS)
{
CPRINTS(ctx,
"%s: Could not store new Image MAUV data from the payload\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA;
}
return LIBCR51SIGN_SUCCESS;
}
// Validates Image MAUV from payload against stored Image MAUV (if present)
//
// @param[in] ctx context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf function pointers which interface to the current system
// and environment
// @param[in] payload_blob_offset Absolute offset of BLOB data embedded in
// image descriptor. `0` if BLOB data is not
// present in image descriptor
// @param[in] payload_blob_size Size of BLOB data from `blob_size` field in
// image descriptor
//
// @return `failure_reason`
failure_reason validate_payload_image_mauv(
const struct libcr51sign_ctx* const ctx,
const struct libcr51sign_intf* const intf,
const uint32_t payload_blob_offset, const uint32_t payload_blob_size)
{
uint32_t payload_image_mauv_data_size = 0;
struct full_mauv payload_image_mauv_data_buffer = {0};
uint32_t stored_image_mauv_data_size = 0;
struct full_mauv stored_image_mauv_data_buffer = {0};
bool payload_contains_image_mauv_data = false;
failure_reason rv = LIBCR51SIGN_SUCCESS;
int irv = 0;
bool payload_blob_present = (payload_blob_offset != 0);
if (payload_blob_present)
{
rv = find_and_read_image_mauv_data_from_payload(
ctx, intf, payload_blob_offset, payload_blob_size,
(uint8_t*)&payload_image_mauv_data_buffer,
&payload_image_mauv_data_size, &payload_contains_image_mauv_data);
if (rv != LIBCR51SIGN_SUCCESS)
{
return rv;
}
}
if (!intf->retrieve_stored_image_mauv_data)
{
if (payload_contains_image_mauv_data)
{
CPRINTS(
ctx,
"%s: Payload contains Image MAUV data but required interface "
"intf->retrieve_stored_image_mauv_data is missing\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
CPRINTS(
ctx,
"%s: Payload does not contain Image MAUV data and interface "
"intf->retrieve_stored_image_mauv_data is missing. Skipping MAUV "
"check for backward compatibility.\n",
__FUNCTION__);
return LIBCR51SIGN_SUCCESS;
}
irv = intf->retrieve_stored_image_mauv_data(
ctx, (uint8_t*)&stored_image_mauv_data_buffer,
&stored_image_mauv_data_size, IMAGE_MAUV_DATA_MAX_SIZE);
if (irv == LIBCR51SIGN_NO_STORED_MAUV_FOUND)
{
CPRINTS(
ctx,
"%s: Stored Image MAUV data not present in the system. Skipping Image "
"MAUV check\n",
__FUNCTION__);
if (payload_contains_image_mauv_data)
{
return update_stored_image_mauv_data(
ctx, intf, (struct image_mauv*)&payload_image_mauv_data_buffer,
payload_image_mauv_data_size);
}
return LIBCR51SIGN_SUCCESS;
}
if (irv != LIBCR51SIGN_SUCCESS)
{
CPRINTS(ctx, "%s: Could not retrieve Image MAUV stored in system\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA;
}
if (stored_image_mauv_data_size > IMAGE_MAUV_DATA_MAX_SIZE)
{
CPRINTS(ctx,
"%s: Stored Image MAUV data size (0x%x) is more than supported "
"maximum size\n",
__FUNCTION__, stored_image_mauv_data_size);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
}
rv = sanity_check_image_mauv_data(
(struct image_mauv*)&stored_image_mauv_data_buffer,
stored_image_mauv_data_size);
if (rv != LIBCR51SIGN_SUCCESS)
{
return rv;
}
if (!payload_contains_image_mauv_data)
{
CPRINTS(ctx, "%s: Image MAUV expected to be present in payload",
__FUNCTION__);
return LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_EXPECTS_PAYLOAD_IMAGE_MAUV;
}
if (!does_stored_image_mauv_allow_update(
(struct image_mauv*)&stored_image_mauv_data_buffer,
((struct image_mauv*)&payload_image_mauv_data_buffer)
->payload_security_version))
{
CPRINTS(ctx,
"%s: Stored Image MAUV data does not allow update to payload "
"version\n",
__FUNCTION__);
return LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_DOES_NOT_ALLOW_UPDATE_TO_PAYLOAD;
}
if (((struct image_mauv*)&payload_image_mauv_data_buffer)
->mauv_update_timestamp >
((struct image_mauv*)&stored_image_mauv_data_buffer)
->mauv_update_timestamp)
{
return update_stored_image_mauv_data(
ctx, intf, (struct image_mauv*)&payload_image_mauv_data_buffer,
payload_image_mauv_data_size);
}
return LIBCR51SIGN_SUCCESS;
}
#ifdef __cplusplus
} // extern "C"
#endif