update libcr51sign to support MAUV
Add feature support to manage MAUV with cr51 descriptor.
Change-Id: I3795259f81b1dbd3016d1c41c68895be00455061
Signed-off-by: Willy Tu <wltu@google.com>
diff --git a/subprojects/libcr51sign/include/libcr51sign/cr51_image_descriptor.h b/subprojects/libcr51sign/include/libcr51sign/cr51_image_descriptor.h
index 0f4bf6f..e52fb84 100644
--- a/subprojects/libcr51sign/include/libcr51sign/cr51_image_descriptor.h
+++ b/subprojects/libcr51sign/include/libcr51sign/cr51_image_descriptor.h
@@ -13,6 +13,7 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
#ifndef PLATFORMS_SECURITY_TITAN_CR51_IMAGE_DESCRIPTOR_H_
#define PLATFORMS_SECURITY_TITAN_CR51_IMAGE_DESCRIPTOR_H_
#include <stddef.h>
@@ -24,12 +25,15 @@
#define _Static_assert static_assert
#endif
/* This structure encodes a superset of what we have historically encoded in:
+ * - FMAP & HMAP
+ * - BBINFO
+ * - BIOS signature header
*
* Unless explicitly noted all fields are little-endian & offset/size fields
- * are in bytes. This struct must reside in a IMAGE_REGION_STATIC region and
- * must also reside on a 64K boundary. The size of the hashed/signed portion
- * of the descriptor region can be determined solely by parsing the (fixed)
- * image_descriptor struct.
+ * are in bytes. This struct must reside in a IMAGE_REGION_STATIC region.
+ * In the context of Haven it must also reside on a 64K boundary.
+ * The size of the hashed/signed portion of the descriptor region can be
+ * determined solely by parsing the (fixed) image_descriptor struct.
*
* --------------------------------Flash layout--------------------------------
* | struct image_descriptor (signed) |
@@ -45,21 +49,22 @@
* ----------------------------------------------------------------------------
* | (optional: signature_scheme) struct signature_* (partially signed) |
* ----------------------------------------------------------------------------
- * | (optional) struct key_rotation_records (not signed) |
- * ----------------------------------------------------------------------------
*/
-#define IMAGE_REGION_STATIC (1 << 0)
-#define IMAGE_REGION_COMPRESSED (1 << 1)
-#define IMAGE_REGION_WRITE_PROTECTED (1 << 2)
-#define IMAGE_REGION_READ_PROTECTED (1 << 3)
-#define IMAGE_REGION_PERSISTENT (1 << 4)
-#define IMAGE_REGION_PERSISTENT_RELOCATABLE (1 << 5)
-#define IMAGE_REGION_PERSISTENT_EXPANDABLE (1 << 6)
-#define IMAGE_REGION_OVERRIDE (1 << 7)
-#define IMAGE_REGION_OVERRIDE_ON_TRANSITION (1 << 8)
-#define IMAGE_REGION_MAILBOX (1 << 9)
-#define IMAGE_REGION_SKIP_BOOT_VALIDATION (1 << 10)
+// clang-format off
+#define IMAGE_REGION_STATIC (1 << 0)
+#define IMAGE_REGION_COMPRESSED (1 << 1)
+#define IMAGE_REGION_WRITE_PROTECTED (1 << 2)
+#define IMAGE_REGION_READ_PROTECTED (1 << 3)
+#define IMAGE_REGION_PERSISTENT (1 << 4)
+#define IMAGE_REGION_PERSISTENT_RELOCATABLE (1 << 5)
+#define IMAGE_REGION_PERSISTENT_EXPANDABLE (1 << 6)
+#define IMAGE_REGION_OVERRIDE (1 << 7)
+#define IMAGE_REGION_OVERRIDE_ON_TRANSITION (1 << 8)
+#define IMAGE_REGION_MAILBOX (1 << 9)
+#define IMAGE_REGION_SKIP_BOOT_VALIDATION (1 << 10)
+#define IMAGE_REGION_EMPTY (1 << 11)
+// clang-format on
/* Little endian on flash. */
#define DESCRIPTOR_MAGIC 0x5f435344474d495f // "_IMGDSC_"
@@ -67,10 +72,41 @@
#define DENYLIST_MAGIC 0x4b434c42 // "BLCK"
#define BLOB_MAGIC 0x424f4c42 // "BLOB"
#define SIGNATURE_MAGIC 0x4e474953 // "SIGN"
-#define ROTATION_MAGIC 0x5254524b // "KRTR"
+
+/* Values for 'blob_data.blob_type_magic'. Little-endian on flash. */
+
+/* Indicates that 'blob_data.blob_payload' contains a serialized
+ * platforms.security.titan.DescriptorExtensions protocol buffer message. There
+ * must be zero or one DescriptorExtensions in an image. If more than one is
+ * found, the image descriptor is invalid and the image must be treated as
+ * unsigned.
+ */
+#define BLOB_TYPE_MAGIC_DESCRIPTOR_EXTENSIONS 0x58454250 // "PBEX"
+
+/* Indicates that 'blob_data.blob_payload' contains an image_mauv structure.
+ * There must be zero or one image_mauv
+ * structures in an image. If more than one is found, the image descriptor is
+ * invalid and the image must be treated as unsigned.
+ */
+#define BLOB_TYPE_MAGIC_MAUV 0x5655414D // "MAUV"
+
+/* Indicates that 'blob_data.blob_payload' contains a 32-byte sha256 hash of
+ * all the IMAGE_REGION_STATIC partitions that don't have
+ * IMAGE_REGION_SKIP_BOOT_VALIDATION set.
+ */
+#define BLOB_TYPE_MAGIC_BOOT_HASH_SHA256 0x48534842 // "BHSH"
+
+/* Indicates that 'blob_data.blob_payload' contains a lockdown_control
+ * structure. There must be zero or
+ * one lockdown_status structures in an image. If more than one is found, the
+ * image descriptor is invalid and the image must be treated as unsigned.
+ */
+#define BLOB_TYPE_MAGIC_LOCKDOWN_CONTROL 0x4E444B4C // "LKDN"
/* Indicates the type of the image. The type of the image also indicates the
- * family of key that was used to sign the image.
+ * family of key that was used to sign the image. If the image type is signed
+ * with a key stored in RKM, then a corresponding enumeration should be added to
+ * google3/platforms/security/titan/keyspec.proto.
*
* Note: if the image type is IMAGE_UNSIGNED_INTEGRITY, the signature_scheme has
* to be of type
@@ -116,7 +152,7 @@
SHA256_ONLY_NO_SIGNATURE = 5
};
-/* Payload image family. */
+/* Payload image family. Distinct from the Haven image family. */
enum image_family
{
IMAGE_FAMILY_ALL = 0,
@@ -175,9 +211,9 @@
*/
uint32_t descriptor_offset;
/* Includes this struct as well as the auxiliary structs (hash_*,
- * signature_*, denylist, blob & key_rotation_records). This many bytes
- * will be skipped when computing the hash of the region this struct
- * resides in. Tail padding is allowed but must be all 0xff's.
+ * signature_*, denylist, and blob). This many bytes will be skipped when
+ * computing the hash of the region this struct resides in. Tail padding is
+ * allowed but must be all 0xff's.
*/
uint32_t descriptor_area_size;
@@ -194,6 +230,7 @@
* See image_family enum above.
*/
uint32_t image_family;
+ /* Follow the Kibbles versioning scheme. */
uint32_t image_major;
uint32_t image_minor;
uint32_t image_point;
@@ -225,9 +262,7 @@
/* The list is strictly ordered by region_offset.
* Must exhaustively describe the image.
*/
-#ifndef OMIT_VARIABLE_ARRAYS
struct image_region image_regions[];
-#endif
} __attribute__((__packed__));
/* Hash the static regions (IMAGE_REGION_STATIC) excluding this descriptor
@@ -259,20 +294,19 @@
/* Deny list. The first entry is the watermark. All subsequent entries must
* be newer than the watermark.
*/
-#ifndef OMIT_VARIABLE_ARRAYS
struct denylist_record denylist_record[];
-#endif
} __attribute__((__packed__));
struct blob
{
uint32_t blob_magic; // #define BLOB_MAGIC
-#ifndef OMIT_VARIABLE_ARRAYS
/* Array of blob_data structures - see blob_data below for details. */
uint8_t blobs[];
-#endif
} __attribute__((__packed__));
+/* blob data is expected to be aligned to 4 bytes */
+#define BLOB_DATA_ALIGNMENT (4)
+
/* If blobs[] is non-empty, it is expected to contain one more more instances
* of this struct. Each blob_data is followed by the minimum number of padding
* bytes (0-3) needed to maintain 4-byte alignment of blob_data structures.
@@ -300,11 +334,106 @@
* blob_size.
*/
uint32_t blob_payload_size;
-#ifndef OMIT_VARIABLE_ARRAYS
uint8_t blob_payload[];
-#endif
} __attribute__((__packed__));
+#define IMAGE_MAUV_STRUCT_VERSION 1
+
+struct image_mauv
+{
+ /* Version of the MAUV structure. */
+ uint32_t mauv_struct_version;
+
+ /* padding for 64-bit alignment of payload_security_version
+ * must be set to 0xffffffff */
+ uint32_t reserved_0;
+
+ /* The version of the payload in which this `struct image_mauv` was
+ * embedded. This would be better inside of `struct image_descriptor`, but
+ * that structure doesn't have any spare fields or a reasonable way to grow
+ * the structure. When processing firmware updates, the update will be
+ * aborted if `payload_security_version` of the update payload is less than
+ * the `minimum_acceptable_update_version` in gNVRAM.
+ */
+ uint64_t payload_security_version;
+
+ /* A monotonic counter that should be increased whenever the
+ * `minimum_acceptable_update_version or version_denylist fields are
+ * changed. In order for the image_mauv structure in gNVRAM to be updated
+ * after an payload update, the `mauv_update_timestamp` field in the new
+ * payload must be greater than the `mauv_update_timestamp` field in gNVRAM.
+ *
+ * Although the firmware doesn't assign any semantic meaning to this value,
+ * by convention should be the number of seconds since the unix epoch at the
+ * time the payload was signed.
+ */
+ uint64_t mauv_update_timestamp;
+
+ /* Minimum acceptable update version. An update to a payload with its
+ * `payload_security_version` field less than this field in gNVRAM is
+ * forbidden. This value is not monotonic.
+ */
+ uint64_t minimum_acceptable_update_version;
+
+ /* padding for 64-bit alignment of version_denylist
+ * must be set to 0xffffffff */
+ uint32_t reserved_1;
+
+ /* Number of entries in the denylist. */
+ uint32_t version_denylist_num_entries;
+
+ /* A version denylist. Updates to any version in this list will be rejected
+ * by the firmware.
+ */
+ uint64_t version_denylist[];
+} __attribute__((packed));
+
+_Static_assert(offsetof(struct image_mauv, payload_security_version) %
+ sizeof(uint64_t) ==
+ 0,
+ "bad payload_security_version alignment");
+
+_Static_assert(offsetof(struct image_mauv, version_denylist) %
+ sizeof(uint64_t) ==
+ 0,
+ "bad denylist alignment");
+
+// When A/B updates are enabled, SPS_EEPROM_LOCKDOWN_IMMUTABLE is invalid.
+enum sps_eeprom_lockdown_status
+{
+ // Unverified or invalid image. All writes allowed.
+ SPS_EEPROM_LOCKDOWN_FAILSAFE = 0,
+ // Valid image. Static regions are write protected. Write-protected
+ // non-static
+ // regions are still writable. In single image mode, can
+ // transition to SPS_EEPROM_LOCKDOWN_IMMUTABLE from this state.
+ SPS_EEPROM_LOCKDOWN_READY = 1,
+ // Entire image is write protected outside of the mailbox image region. Note
+ // that the payload image may be modified through EC Host mailbox
+ // update commands.
+ SPS_EEPROM_LOCKDOWN_IMMUTABLE = 2,
+ // Valid image. Immutable static and write-protected non-static regions. In
+ // single image mode, must reset to update.
+ SPS_EEPROM_LOCKDOWN_ENABLED = 3
+};
+
+#define LOCKDOWN_CONTROL_STRUCT_VERSION 1
+
+struct lockdown_control
+{
+ /* Version of the lockdown_status structure. */
+ uint32_t lockdown_control_struct_version;
+
+ /* The default lockdown status for a valid signed payload image. The value
+ * is identical to `enum sps_eeprom_lockdown_status`. 0 = Failsafe, 1 =
+ * Ready.
+ */
+ uint32_t default_status;
+};
+
+/* RSA4096 is the largest key type currently supported. */
+#define MAX_KEY_SIZE_NBYTES 512
+
/* Signature of the hash of the image_descriptor structure up to and including
* this struct but excluding the signature field (optional).
*/
@@ -350,71 +479,4 @@
uint8_t digest[32];
} __attribute__((__packed__));
-/* Key rotation record (optional).
- * Enables enforcers to verify images signed with newer (rotated) keys.
- * The hash function, signature & padding schemes are currently pinned
- * by image family. This struct is likely to evolve.
- */
-struct record_rsa2048_pkcs15
-{
- uint16_t from_index;
- uint16_t to_index;
- uint32_t exponent; // exponent of the new key, little-endian
- uint8_t modulus[256]; // modulus of the new key, big-endian
- /* SIGN[K<from_index>](HASH(to_index (LE) | exponent (LE) | modulus (BE)))
- */
- uint8_t signature[256]; // big-endian
-} __attribute__((__packed__));
-
-struct record_rsa3072_pkcs15
-{
- uint16_t from_index;
- uint16_t to_index;
- uint32_t exponent; // exponent of the new key, little-endian
- uint8_t modulus[384]; // modulus of the new key, big-endian
- /* SIGN[K<from_index>](HASH(to_index (LE) | exponent (LE) | modulus (BE)))
- */
- uint8_t signature[384]; // big-endian
-} __attribute__((__packed__));
-
-struct record_rsa4096_pkcs15
-{
- uint16_t from_index;
- uint16_t to_index;
- uint32_t exponent; // exponent of the new key, little-endian
- uint8_t modulus[512]; // modulus of the new key, big-endian
- /* SIGN[K<from_index>](HASH(to_index (LE) | exponent (LE) | modulus (BE)))
- */
- uint8_t signature[512]; // big-endian
-} __attribute__((__packed__));
-
-struct key_rotation_records_rsa2048_pkcs15
-{
- uint32_t rotation_magic; // #define ROTATION_MAGIC
- uint16_t record_count;
- uint16_t reserved_0;
-#ifndef OMIT_VARIABLE_ARRAYS
- struct record_rsa2048_pkcs15 records[];
-#endif
-} __attribute__((__packed__));
-
-struct key_rotation_records_rsa3072_pkcs15
-{
- uint32_t rotation_magic; // #define ROTATION_MAGIC
- uint16_t record_count;
- uint16_t reserved_0;
-#ifndef OMIT_VARIABLE_ARRAYS
- struct record_rsa3072_pkcs15 records[];
-#endif
-} __attribute__((__packed__));
-
-struct key_rotation_records_rsa4096_pkcs15
-{
- uint32_t rotation_magic; // #define ROTATION_MAGIC
- uint16_t record_count;
- uint16_t reserved_0;
-#ifndef OMIT_VARIABLE_ARRAYS
- struct record_rsa3072_pkcs15 records[];
-#endif
-} __attribute__((__packed__));
#endif // PLATFORMS_SECURITY_TITAN_CR51_IMAGE_DESCRIPTOR_H_
diff --git a/subprojects/libcr51sign/include/libcr51sign/libcr51sign.h b/subprojects/libcr51sign/include/libcr51sign/libcr51sign.h
index 4bf30ca..99936b0 100644
--- a/subprojects/libcr51sign/include/libcr51sign/libcr51sign.h
+++ b/subprojects/libcr51sign/include/libcr51sign/libcr51sign.h
@@ -16,8 +16,7 @@
#ifndef PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_H_
#define PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_H_
-#include "cr51_image_descriptor.h"
-
+#include <libcr51sign/cr51_image_descriptor.h>
#include <stdbool.h>
#include <stddef.h>
@@ -34,6 +33,8 @@
// Currently RSA4096 (in bytes).
#define LIBCR51SIGN_MAX_SIGNATURE_SIZE 512
+#define IMAGE_MAUV_DATA_MAX_SIZE (128)
+
// List of common error codes that can be returned
enum libcr51sign_validation_failure_reason
{
@@ -60,10 +61,18 @@
LIBCR51SIGN_ERROR_INVALID_CONTEXT = 13,
LIBCR51SIGN_ERROR_INVALID_INTERFACE = 14,
LIBCR51SIGN_ERROR_INVALID_SIG_SCHEME = 15,
- LIBCR51SIGN_ERROR_MAX = 16,
// Invalid image region
- LIBCR51SIGN_ERROR_INVALID_REGION_INPUT = 17,
- LIBCR51SIGN_ERROR_INVALID_REGION_SIZE = 18,
+ LIBCR51SIGN_ERROR_INVALID_REGION_INPUT = 16,
+ LIBCR51SIGN_ERROR_INVALID_REGION_SIZE = 17,
+ LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA = 18,
+ LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA = 19,
+ LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA = 20,
+ LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_DOES_NOT_ALLOW_UPDATE_TO_PAYLOAD = 21,
+ LIBCR51SIGN_ERROR_VALID_IMAGE_BUT_NEW_IMAGE_MAUV_DATA_NOT_STORED = 22,
+ LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_EXPECTS_PAYLOAD_IMAGE_MAUV = 23,
+ // Client did not find any stored MAUV in system
+ LIBCR51SIGN_NO_STORED_MAUV_FOUND = 24,
+ LIBCR51SIGN_ERROR_MAX = 25,
};
struct libcr51sign_ctx
@@ -118,11 +127,11 @@
int (*hash_update)(void*, const uint8_t*, size_t);
- // Note this is a combination of an spi_nor_read() with
- // spi_transaction() It is the responsibility of the caller to
- // synchronize with other potential SPI clients / transactions.
- // Collapsing the SPI stack results in a 2x throughput improvement (~20s
- // -> ~10s to verify an Indus image with SHA256 HW acceleration).
+ // Note this is a combination of an spi_nor_read() with spi_transaction()
+ // It is the responsibility of the caller to synchronize with other
+ // potential SPI clients / transactions. Collapsing the SPI stack results in
+ // a 2x throughput improvement (~20s -> ~10s to verify an Indus image with
+ // SHA256 HW acceleration).
//
// The caller is responsible for calling DCRYPTO_init()/HASH_final().
@@ -152,8 +161,8 @@
int (*verify_signature)(const void*, enum signature_scheme, const uint8_t*,
size_t, const uint8_t*, size_t);
- // @func verify check that if the prod to dev downgrade/ hardware
- // allowlist is allowed
+ // @func verify check that if the prod to dev downgrade/ hardware allowlist
+ // is allowed
// @return true: if allowed
// false: if not allowed
// BMC would return always false or pass a NULL pointer
@@ -161,8 +170,7 @@
bool (*prod_to_dev_downgrade_allowed)();
- // @func returns true if the current firmware is running in production
- // mode.
+ // @func returns true if the current firmware is running in production mode.
// @return true: if in production mode
// false: if in any non-production mode
@@ -170,6 +178,38 @@
// @func returns true if the descriptor image size is valid.
bool (*image_size_valid)(size_t);
+
+ // @func Retrieve MAUV data currently stored in the system
+ // @param[in] ctx - context struct
+ // @param[out] current_image_mauv - Buffer to store the retrieved MAUV data
+ // @param[out] current_image_mauv_size - Number of bytes retrieved and
+ // stored
+ // in `current_image_mauv`
+ // @param[in] max_image_mauv_size - Maximum number of bytes to retrieve for
+ // MAUV data
+ //
+ // @return LIBCR51SIGN_SUCCESS: when MAUV is present in the system and
+ // retrieved successfully
+ // LIBCR51SIGN_NO_STORED_MAUV_FOUND: when MAUV is not present in the
+ // system (we are trusting the
+ // client here to return this
+ // value truthfully)
+ // other non-zero values: any other error scenario (like read
+ // failure,
+ // data corruption, etc.)
+ int (*retrieve_stored_image_mauv_data)(const void*, uint8_t* const,
+ uint32_t* const, const uint32_t);
+
+ // @func Store new MAUV data in the system
+ // @param[in] ctx - context struct
+ // @param[in] new_image_mauv - Buffer containing new MAUV data to be stored
+ // @param[in] new_image_mauv_size - Size of MAUV data in `new_image_mauv`
+ // buffer
+ //
+ // @return LIBCR51SIGN_SUCCESS: when new MAUV data is stored successfully.
+ // Non-zero value otherwise
+ int (*store_new_image_mauv_data)(const void*, const uint8_t* const,
+ const uint32_t);
};
struct libcr51sign_validated_regions
@@ -180,16 +220,14 @@
// Check whether the signature on the image is valid.
// Validates the authenticity of an EEPROM image. Scans for & validates the
-// signature on the image descriptor. If the descriptor validates, hashes
-// the rest of the image to verify its integrity.
+// signature on the image descriptor. If the descriptor validates, hashes the
+// rest of the image to verify its integrity.
//
-// @param[in] ctx - context which describes the image and holds opaque
-// private
+// @param[in] ctx - context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf - function pointers which interface to the current system
// and environment
-// @param[out] image_regions - image_region pointer to an array for the
-// output
+// @param[out] image_regions - image_region pointer to an array for the output
//
// @return nonzero on error, zero on success
diff --git a/subprojects/libcr51sign/include/libcr51sign/libcr51sign_internal.h b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_internal.h
new file mode 100644
index 0000000..997ddfc
--- /dev/null
+++ b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_internal.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_INTERNAL_H_
+#define PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_INTERNAL_H_
+
+#include <libcr51sign/libcr51sign.h>
+#include <stdio.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#ifndef USER_PRINT
+#define CPRINTS(ctx, ...) fprintf(stderr, __VA_ARGS__)
+#endif
+
+#define MEMBER_SIZE(type, field) sizeof(((type*)0)->field)
+
+typedef enum libcr51sign_validation_failure_reason failure_reason;
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif // PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_INTERNAL_H_
diff --git a/subprojects/libcr51sign/include/libcr51sign/libcr51sign_mauv.h b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_mauv.h
new file mode 100644
index 0000000..9b0e814
--- /dev/null
+++ b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_mauv.h
@@ -0,0 +1,38 @@
+/*
+ * Copyright 2021 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_MAUV_H_
+#define PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_MAUV_H_
+
+#include <libcr51sign/libcr51sign.h>
+#include <libcr51sign/libcr51sign_internal.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+failure_reason validate_payload_image_mauv(const struct libcr51sign_ctx* ctx,
+ const struct libcr51sign_intf* intf,
+ uint32_t payload_blob_offset,
+ uint32_t payload_blob_size);
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
+
+#endif // PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_MAUV_H_
diff --git a/subprojects/libcr51sign/include/libcr51sign/libcr51sign_support.h b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_support.h
index ed0d2cb..5a58159 100644
--- a/subprojects/libcr51sign/include/libcr51sign/libcr51sign_support.h
+++ b/subprojects/libcr51sign/include/libcr51sign/libcr51sign_support.h
@@ -13,9 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
#ifndef PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_SUPPORT_H_
#define PLATFORMS_HAVEN_LIBCR51SIGN_LIBCR51SIGN_SUPPORT_H_
+#include <libcr51sign/libcr51sign.h>
#include <openssl/sha.h>
#ifdef __cplusplus
diff --git a/subprojects/libcr51sign/src/libcr51sign.c b/subprojects/libcr51sign/src/libcr51sign.c
index 75d8b70..e5f5cf7 100644
--- a/subprojects/libcr51sign/src/libcr51sign.c
+++ b/subprojects/libcr51sign/src/libcr51sign.c
@@ -13,8 +13,17 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
+
+#include "stddef.h"
+
+#include <assert.h>
+#include <libcr51sign/cr51_image_descriptor.h>
#include <libcr51sign/libcr51sign.h>
+#include <libcr51sign/libcr51sign_internal.h>
+#include <libcr51sign/libcr51sign_mauv.h>
+#include <stdint.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#ifdef __cplusplus
@@ -22,12 +31,6 @@
{
#endif
-#ifndef USER_PRINT
-#define CPRINTS(ctx, ...) fprintf(stderr, __VA_ARGS__)
-#endif
-
-#define MEMBER_SIZE(type, field) sizeof(((type*)0)->field)
-
// True of x is a power of two
#define POWER_OF_TWO(x) ((x) && !((x) & ((x)-1)))
@@ -53,8 +56,6 @@
#define BUILD_ASSERT(cond) ((void)sizeof(char[1 - 2 * !(cond)]))
#endif
-typedef enum libcr51sign_validation_failure_reason failure_reason;
-
// Returns the bytes size of keys used in the given signature_scheme.
// Return error if signature_scheme is invalid.
//
@@ -139,7 +140,7 @@
*size = sizeof(struct hash_sha256);
return LIBCR51SIGN_SUCCESS;
case HASH_SHA2_512:
- *size = sizeof(struct hash_sha256);
+ *size = sizeof(struct hash_sha512);
return LIBCR51SIGN_SUCCESS;
default:
return LIBCR51SIGN_ERROR_INVALID_HASH_TYPE;
@@ -184,12 +185,12 @@
rv = intf->read(ctx, signature_struct_offset, read_len, buffer);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_transition: failed to read signature struct\n");
+ CPRINTS(ctx, "%s: failed to read signature struct\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if (*(uint32_t*)buffer != SIGNATURE_MAGIC)
{
- CPRINTS(ctx, "validate_transition: bad signature magic\n");
+ CPRINTS(ctx, "%s: bad signature magic\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
@@ -197,33 +198,33 @@
ctx->descriptor.image_family != IMAGE_FAMILY_ALL &&
ctx->current_image_family != IMAGE_FAMILY_ALL)
{
- CPRINTS(ctx, "validate_transition: invalid image family\n");
+ CPRINTS(ctx, "%s: invalid image family\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_IMAGE_FAMILY;
}
if (intf->is_production_mode == NULL)
{
- CPRINTS(ctx, "validate_transition: missing is_production_mode\n");
+ CPRINTS(ctx, "%s: missing is_production_mode\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
if (intf->is_production_mode() && (ctx->descriptor.image_type == IMAGE_DEV))
{
- CPRINTS(ctx, "validate_transition: checking exemption allowlist\n");
+ CPRINTS(ctx, "%s: checking exemption allowlist\n", __FUNCTION__);
// If function is NULL or if the function call return false, return
// error
if (intf->prod_to_dev_downgrade_allowed == NULL ||
!intf->prod_to_dev_downgrade_allowed())
{
- CPRINTS(ctx, "validate_transition: illegal image type\n");
+ CPRINTS(ctx, "%s: illegal image type\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_DEV_DOWNGRADE_DISALLOWED;
}
}
return LIBCR51SIGN_SUCCESS;
}
-// If caller had provided read_and_hash_update call that, otherwise call
-// read and then update.
+// If caller had provided read_and_hash_update call that, otherwise call read
+// and then update.
static failure_reason read_and_hash_update(const struct libcr51sign_ctx* ctx,
const struct libcr51sign_intf* intf,
@@ -241,7 +242,7 @@
{
if (!intf->hash_update)
{
- CPRINTS(ctx, "read_and_hash_update: missing hash_update\n");
+ CPRINTS(ctx, "%s: missing hash_update\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
do
@@ -283,11 +284,11 @@
uint32_t i;
uint8_t d_region_num = 0;
int rv;
- const struct image_region* region;
+ struct image_region const* region;
if (image_regions == NULL)
{
- CPRINTS(ctx, "Missing image region input\n");
+ CPRINTS(ctx, "%s: Missing image region input\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_REGION_INPUT;
}
@@ -301,9 +302,10 @@
if (region_count > ARRAY_SIZE(image_regions->image_regions))
{
- CPRINTS(ctx, "validate_payload_regions: "
- "ctx->descriptor.region_count is greater "
- "than LIBCR51SIGN_MAX_REGION_COUNT\n");
+ CPRINTS(ctx,
+ "%s: ctx->descriptor.region_count is greater "
+ "than LIBCR51SIGN_MAX_REGION_COUNT\n",
+ __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_REGION_SIZE;
}
@@ -315,7 +317,7 @@
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_payload_regions: failed to read region array\n");
+ CPRINTS(ctx, "%s: failed to read region array\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
@@ -324,20 +326,19 @@
{
region = image_regions->image_regions + i;
- CPRINTS(ctx, "validate_payload_regions: region #%d \"%s\" (%x - %x)\n",
- i, (const char*)region->region_name, region->region_offset,
+ CPRINTS(ctx, "%s: region #%d \"%s\" (%x - %x)\n", __FUNCTION__, i,
+ (const char*)region->region_name, region->region_offset,
region->region_offset + region->region_size);
if ((region->region_offset % IMAGE_REGION_ALIGNMENT) != 0 ||
(region->region_size % IMAGE_REGION_ALIGNMENT) != 0)
{
- CPRINTS(ctx, "validate_payload_regions: regions must be sector "
- "aligned\n");
+ CPRINTS(ctx, "%s: regions must be sector aligned\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
if (region->region_offset != byte_count ||
region->region_size > image_size - byte_count)
{
- CPRINTS(ctx, "validate_payload_regions: invalid region array\n");
+ CPRINTS(ctx, "%s: invalid region array\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
byte_count += region->region_size;
@@ -345,23 +346,24 @@
if (d_offset >= region->region_offset && d_offset < byte_count)
{
d_region_num = i;
- CPRINTS(ctx,
- "validate_payload_regions: image descriptor in region %d\n",
+ CPRINTS(ctx, "%s: image descriptor in region %d\n", __FUNCTION__,
i);
// The descriptor can't span regions.
- if (ctx->descriptor.descriptor_area_size > byte_count ||
+ if ((ctx->descriptor.descriptor_area_size >
+ (byte_count - d_offset)) ||
!(region->region_attributes & IMAGE_REGION_STATIC))
{
CPRINTS(ctx,
- "validate_payload_regions: descriptor must reside in "
- "static region\n");
+ "%s: descriptor must reside in "
+ "static region\n",
+ __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
}
}
if (byte_count != image_size)
{
- CPRINTS(ctx, "validate_payload_regions: invalid image size\n");
+ CPRINTS(ctx, "%s: invalid image size\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
@@ -376,19 +378,18 @@
magic_and_digest);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx,
- "validate_payload_regions: failed to read hash from flash\n");
+ CPRINTS(ctx, "%s: failed to read hash from flash\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if (*(uint32_t*)magic_and_digest != HASH_MAGIC)
{
- CPRINTS(ctx, "validate_payload_regions: bad hash magic\n");
+ CPRINTS(ctx, "%s: bad hash magic\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
rv = intf->hash_init(ctx, ctx->descriptor.hash_type);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_payload_regions: hash_init failed\n");
+ CPRINTS(ctx, "%s: hash_init failed\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
for (i = 0; i < region_count; i++)
@@ -409,15 +410,15 @@
if (i == d_region_num)
{
hash_size = d_offset - hash_start;
+ if (!hash_size)
+ {
+ hash_start += ctx->descriptor.descriptor_area_size;
+ hash_size = (region->region_offset + region->region_size -
+ hash_start);
+ }
}
- if (!hash_size)
- {
- hash_start += ctx->descriptor.descriptor_area_size;
- hash_size =
- (region->region_offset + region->region_size - hash_start);
- }
- CPRINTS("validate_payload_regions: hashing %s (%x - %x)\n",
+ CPRINTS(ctx, "%s: hashing %s (%x - %x)\n", __FUNCTION__,
(const char*)region->region_name, hash_start,
hash_start + hash_size);
// Read the image_region array.
@@ -439,7 +440,7 @@
if (memcmp(magic_and_digest + MEMBER_SIZE(struct hash_sha256, hash_magic),
dcrypto_digest, digest_size))
{
- CPRINTS(ctx, "validate_payload_regions: invalid hash\n");
+ CPRINTS(ctx, "%s: invalid hash\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_HASH;
}
// Image is valid.
@@ -447,8 +448,8 @@
}
// Create empty image_regions to pass to validate_payload_regions
-// Support validate_payload_regions_helper to remove image_regions as a
-// required input.
+// Support validate_payload_regions_helper to remove image_regions as a required
+// input.
static failure_reason
allocate_and_validate_payload_regions(const struct libcr51sign_ctx* ctx,
@@ -459,9 +460,9 @@
return validate_payload_regions(ctx, intf, d_offset, &image_regions);
}
-// Wrapper around validate_payload_regions to allow nullptr for
-// image_regions. Calls allocate_and_validate_payload_regions when
-// image_regions is nullptr to create placer holder image_regions.
+// Wrapper around validate_payload_regions to allow nullptr for image_regions.
+// Calls allocate_and_validate_payload_regions when image_regions is nullptr to
+// create placer holder image_regions.
static failure_reason validate_payload_regions_helper(
const struct libcr51sign_ctx* ctx, struct libcr51sign_intf* intf,
@@ -556,38 +557,36 @@
if (!intf->hash_init)
{
- CPRINTS(ctx, "validate_signature: missing hash_init\n");
+ CPRINTS(ctx, "%s: missing hash_init\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
rv = get_hash_type_from_signature(scheme, &hash_type);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx,
- "validate_payload_regions: hash_type from signature failed\n");
+ CPRINTS(ctx, "%s: hash_type from signature failed\n", __FUNCTION__);
return rv;
}
rv = intf->hash_init(ctx, hash_type);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_payload_regions: hash_init failed\n");
+ CPRINTS(ctx, "%s: hash_init failed\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
rv = read_and_hash_update(ctx, intf, data_offset, data_size);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_signature: hash_update failed\n");
+ CPRINTS(ctx, "%s: hash_update failed\n", __FUNCTION__);
return rv;
}
if (!intf->hash_final)
{
- CPRINTS(ctx, "validate_signature: missing hash_final\n");
+ CPRINTS(ctx, "%s: missing hash_final\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
rv = intf->hash_final((void*)ctx, dcrypto_digest);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_signature: hash_final failed (status = %d)\n",
- rv);
+ CPRINTS(ctx, "%s: hash_final failed (status = %d)\n", __FUNCTION__, rv);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
rv = get_key_size(scheme, &key_size);
@@ -599,14 +598,13 @@
rv = intf->read(ctx, raw_signature_offset, key_size, signature);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx,
- "validate_signature: failed to read signature (status = %d)\n",
- rv);
+ CPRINTS(ctx, "%s: failed to read signature (status = %d)\n",
+ __FUNCTION__, rv);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if (!intf->verify_signature)
{
- CPRINTS(ctx, "validate_signature: missing verify_signature\n");
+ CPRINTS(ctx, "%s: missing verify_signature\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
rv = get_hash_digest_size(hash_type, &digest_size);
@@ -618,11 +616,11 @@
dcrypto_digest, digest_size);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_signature: verification failed (status = %d)\n",
+ CPRINTS(ctx, "%s: verification failed (status = %d)\n", __FUNCTION__,
rv);
return LIBCR51SIGN_ERROR_INVALID_SIGNATURE;
}
- CPRINTS(ctx, "validate_signature: verification succeeded\n");
+ CPRINTS(ctx, "%s: verification succeeded\n", __FUNCTION__);
return LIBCR51SIGN_SUCCESS;
}
@@ -636,13 +634,13 @@
//@param offset Absolute image descriptor flash offset.
//@param relative_offset Image descriptor offset relative to image start.
//@param max_size Maximum size of the flash space in bytes.
-//@param descriptor Output pointer to an image_descriptor struct
-
-static failure_reason validate_descriptor(const struct libcr51sign_ctx* ctx,
- const struct libcr51sign_intf* intf,
- uint32_t offset,
- uint32_t relative_offset,
- uint32_t max_size)
+//@param[out] payload_blob_offset Absolute offset of BLOB data in image
+// descriptor (if BLOB data is present)
+static failure_reason
+ validate_descriptor(const struct libcr51sign_ctx* ctx,
+ const struct libcr51sign_intf* intf, uint32_t offset,
+ uint32_t relative_offset, uint32_t max_size,
+ uint32_t* const restrict payload_blob_offset)
{
uint32_t max_descriptor_size, signed_size, signature_scheme,
signature_offset;
@@ -653,7 +651,7 @@
if (max_size < relative_offset ||
max_descriptor_size < sizeof(struct image_descriptor))
{
- CPRINTS(ctx, "validate_descriptor: invalid arguments\n");
+ CPRINTS(ctx, "%s: invalid arguments\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
@@ -661,7 +659,7 @@
(uint8_t*)&ctx->descriptor);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_descriptor: failed to read descriptor\n");
+ CPRINTS(ctx, "%s: failed to read descriptor\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
}
if (ctx->descriptor.descriptor_magic != DESCRIPTOR_MAGIC ||
@@ -670,22 +668,22 @@
ctx->descriptor.descriptor_area_size > max_descriptor_size ||
ctx->descriptor.image_size > max_size)
{
- CPRINTS(ctx, "validate_descriptor: invalid descriptor\n");
+ CPRINTS(ctx, "%s: invalid descriptor\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
if (intf->image_size_valid == NULL)
{
- // Preserve original behavior of requiring exact image_size match if
- // no operator is provided.
+ // Preserve original behavior of requiring exact image_size match if no
+ // operator is provided.
if (ctx->descriptor.image_size != max_size)
{
- CPRINTS(ctx, "validate_descriptor: invalid image size\n");
+ CPRINTS(ctx, "%s: invalid image size\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
}
else if (!intf->image_size_valid(ctx->descriptor.image_size))
{
- CPRINTS(ctx, "validate_descriptor: invalid image size\n");
+ CPRINTS(ctx, "%s: invalid image size\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
if (ctx->descriptor.image_type != IMAGE_DEV &&
@@ -694,7 +692,7 @@
ctx->descriptor.image_type != IMAGE_TEST &&
ctx->descriptor.image_type != IMAGE_UNSIGNED_INTEGRITY)
{
- CPRINTS(ctx, "validate_descriptor: bad image type\n");
+ CPRINTS(ctx, "%s: bad image type\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
// Although the image_descriptor struct supports unauthenticated
@@ -711,13 +709,13 @@
rv = is_hash_type_supported(ctx->descriptor.hash_type);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate_payload_regions: invalid hash type\n");
+ CPRINTS(ctx, "%s: invalid hash type\n", __FUNCTION__);
return rv;
}
if (ctx->descriptor.descriptor_major > MAX_MAJOR_VERSION ||
ctx->descriptor.region_count > LIBCR51SIGN_MAX_REGION_COUNT)
{
- CPRINTS(ctx, "validate_descriptor: unsupported descriptor\n");
+ CPRINTS(ctx, "%s: unsupported descriptor\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_UNSUPPORTED_DESCRIPTOR;
}
rv = get_signature_struct_size(signature_scheme, &signature_struct_size);
@@ -743,12 +741,15 @@
}
if (ctx->descriptor.blob_size)
{
+ *payload_blob_offset = offset + signed_size;
signed_size += sizeof(struct blob);
// Previous additions are guaranteed not to overflow.
- if (ctx->descriptor.blob_size >
- ctx->descriptor.descriptor_area_size - signed_size)
+ if ((ctx->descriptor.blob_size >
+ ctx->descriptor.descriptor_area_size - signed_size) ||
+ // Sanity check blob size
+ (ctx->descriptor.blob_size < sizeof(struct blob_data)))
{
- CPRINTS(ctx, "validate_descriptor: invalid blob size (0x%x)\n",
+ CPRINTS(ctx, "%s: invalid blob size (0x%x)\n", __FUNCTION__,
ctx->descriptor.blob_size);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
@@ -758,9 +759,9 @@
ctx->descriptor.descriptor_area_size - signed_size)
{
CPRINTS(ctx,
- "validate_descriptor: invalid descriptor area size "
+ "%s: invalid descriptor area size "
"(expected = 0x%x, actual = 0x%x)\n",
- ctx->descriptor.descriptor_area_size,
+ __FUNCTION__, ctx->descriptor.descriptor_area_size,
signed_size + signature_struct_size);
return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
}
@@ -811,7 +812,7 @@
if (!intf->read)
{
- CPRINTS(ctx, "scan_for_magic_8: missing intf->read\n");
+ CPRINTS(ctx, "%s: missing intf->read\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
// Align start_offset to the next valid boundary.
@@ -840,16 +841,16 @@
// Check whether the signature on the image is valid.
// Validates the authenticity of an EEPROM image. Scans for & validates the
-// signature on the image descriptor. If the descriptor validates, hashes
-// the rest of the image to verify its integrity.
+// signature on the image descriptor. If the descriptor validates, hashes the
+// rest of the image to verify its integrity.
//
-// @param[in] ctx - context which describes the image and holds opaque
-// private
+// @param[in] ctx - context which describes the image and holds opaque private
// data for the user of the library
// @param[in] intf - function pointers which interface to the current system
// and environment
-// @param[out] image_regions - image_region pointer to an array for the
-// output
+// @param[out] image_regions - image_region pointer to an array for the output
+//
+// TODO(aranika) return valid key
//
// @return nonzero on error, zero on success
@@ -858,18 +859,18 @@
struct libcr51sign_intf* intf,
struct libcr51sign_validated_regions* image_regions)
{
- uint32_t image_limit = 0;
int rv, rv_first_desc = LIBCR51SIGN_SUCCESS;
uint32_t descriptor_offset;
+ uint32_t payload_blob_offset = 0;
if (!ctx)
{
- CPRINTS(ctx, "Missing context\n");
+ CPRINTS(ctx, "%s: Missing context\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_CONTEXT;
}
else if (!intf)
{
- CPRINTS(ctx, "Missing interface\n");
+ CPRINTS(ctx, "%s: Missing interface\n", __FUNCTION__);
return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
}
@@ -878,43 +879,78 @@
&descriptor_offset);
while (rv == LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate: potential image descriptor found @%x\n",
+ CPRINTS(ctx, "%s: potential image descriptor found @%x\n", __FUNCTION__,
descriptor_offset);
- // Validation is split into 2 functions to minimize
- // stack usage.
+ // Validation is split into 3 functions to minimize stack usage.
- rv = validate_descriptor(ctx, intf, descriptor_offset,
- descriptor_offset - ctx->start_offset,
- ctx->end_offset - ctx->start_offset);
+ rv = validate_descriptor(
+ ctx, intf, descriptor_offset, descriptor_offset - ctx->start_offset,
+ ctx->end_offset - ctx->start_offset, &payload_blob_offset);
if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate: validate_descriptor() failed ec%d\n", rv);
+ CPRINTS(ctx, "%s: validate_descriptor() failed ec%d\n",
+ __FUNCTION__, rv);
}
-
- if (rv == LIBCR51SIGN_SUCCESS)
+ else
{
rv = validate_payload_regions_helper(ctx, intf, descriptor_offset,
image_regions);
- if (rv == LIBCR51SIGN_SUCCESS)
+ if (rv != LIBCR51SIGN_SUCCESS)
{
- CPRINTS(ctx, "validate: success!\n");
+ CPRINTS(ctx, "%s: validate_payload_regions() failed ec%d\n",
+ __FUNCTION__, rv);
+ }
+ else if (ctx->descriptor.image_type == IMAGE_PROD)
+ {
+ // Lookup and validate payload Image MAUV against Image MAUV
+ // stored in the system after checking signature to ensure
+ // offsets and sizes are not tampered with. Also, do this after
+ // hash calculation for payload regions to ensure that stored
+ // Image MAUV is updated (if necessary) as close to the end of
+ // payload validation as possible
+ rv = validate_payload_image_mauv(ctx, intf, payload_blob_offset,
+ ctx->descriptor.blob_size);
+ if (rv == LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx,
+ "%s: Payload Image MAUV validation successful\n",
+ __FUNCTION__);
+ return rv;
+ }
+ if (rv == LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA)
+ {
+ CPRINTS(
+ ctx,
+ "%s: Payload validation succeeded, but Image MAUV validation "
+ "failed\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_VALID_IMAGE_BUT_NEW_IMAGE_MAUV_DATA_NOT_STORED;
+ }
+ CPRINTS(ctx, "%s: Payload Image MAUV validation failed\n",
+ __FUNCTION__);
+ // In practice, we expect only 1 valid image descriptor in
+ // payload. If Image MAUV check fails for the payload after
+ // validating the image descriptor, do not try validating other
+ // image descriptors
return rv;
}
- CPRINTS(ctx, "validate: validate_payload_regions() failed ec%d\n",
- rv);
+ else
+ {
+ return rv;
+ }
}
+
// Store the first desc fail reason if any
if (rv != LIBCR51SIGN_SUCCESS && rv_first_desc == LIBCR51SIGN_SUCCESS)
rv_first_desc = rv;
// scan_for_magic_8() will round up to the next aligned boundary.
descriptor_offset++;
- image_limit = ctx->end_offset - ctx->start_offset;
rv = scan_for_magic_8(ctx, intf, DESCRIPTOR_MAGIC, descriptor_offset,
- image_limit, DESCRIPTOR_ALIGNMENT,
+ ctx->end_offset, DESCRIPTOR_ALIGNMENT,
&descriptor_offset);
}
- CPRINTS(ctx, "validate: failed to validate image ec%d\n", rv);
+ CPRINTS(ctx, "%s: failed to validate image ec%d\n", __FUNCTION__, rv);
// If desc validation failed for some reason then return that reason
if (rv_first_desc != LIBCR51SIGN_SUCCESS)
return rv_first_desc;
@@ -966,6 +1002,23 @@
return "Invalid image region input";
case LIBCR51SIGN_ERROR_INVALID_REGION_SIZE:
return "Invalid image region size";
+ case LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA:
+ return "Invalid Image MAUV data";
+ case LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA:
+ return "Failed to retrieve Image MAUV data stored in system";
+ case LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA:
+ return "Failed to store Image MAUV data from payload image into system";
+ case LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_DOES_NOT_ALLOW_UPDATE_TO_PAYLOAD:
+ return "Image MAUV stored in system does not allow payload "
+ "update";
+ case LIBCR51SIGN_ERROR_VALID_IMAGE_BUT_NEW_IMAGE_MAUV_DATA_NOT_STORED:
+ return "Payload image is valid for update but failed to store new Image "
+ "MAUV in system";
+ case LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_EXPECTS_PAYLOAD_IMAGE_MAUV:
+ return "Image MAUV is expected to be present in payload when stored "
+ "Image MAUV is present in the system";
+ case LIBCR51SIGN_NO_STORED_MAUV_FOUND:
+ return "Client did not find any MAUV data stored in the system";
default:
return "Unknown error";
}
diff --git a/subprojects/libcr51sign/src/libcr51sign_mauv.c b/subprojects/libcr51sign/src/libcr51sign_mauv.c
new file mode 100644
index 0000000..996260b
--- /dev/null
+++ b/subprojects/libcr51sign/src/libcr51sign_mauv.c
@@ -0,0 +1,574 @@
+#include "stddef.h"
+
+#include <libcr51sign/cr51_image_descriptor.h>
+#include <libcr51sign/libcr51sign.h>
+#include <libcr51sign/libcr51sign_internal.h>
+#include <libcr51sign/libcr51sign_mauv.h>
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C"
+{
+#endif
+
+#define IMAGE_MAUV_MAX_DENYLIST_ENTRIES \
+ ((IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv)) / sizeof(uint64_t))
+
+_Static_assert(
+ (sizeof(struct image_mauv) +
+ IMAGE_MAUV_MAX_DENYLIST_ENTRIES *
+ MEMBER_SIZE(struct image_mauv, version_denylist[0])) ==
+ IMAGE_MAUV_DATA_MAX_SIZE,
+ "IMAGE_MAUV_MAX_DENYLIST_ENTRIES number of denylist entries do not "
+ "completely fill IMAGE_MAUV_MAX_SIZE bytes assumed for data in struct "
+ "image_mauv");
+
+// Use wrapper struct to preserve alignment of image_mauv
+struct full_mauv
+{
+ struct image_mauv mauv;
+ uint8_t extra[IMAGE_MAUV_DATA_MAX_SIZE - sizeof(struct image_mauv)];
+};
+
+// Verify BLOB magic bytes in payload's image descriptor at the expected offset
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] payload_blob_offset Absolute offset of payload BLOB data in
+// payload's image descriptor
+//
+// @return `failure_reason`
+static failure_reason
+ verify_payload_blob_magic(const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const uint32_t payload_blob_offset)
+{
+ int irv = 0;
+ struct blob payload_blob = {0};
+
+ if (!intf->read)
+ {
+ CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
+ }
+
+ irv = intf->read(ctx, payload_blob_offset, sizeof(struct blob),
+ (uint8_t*)&payload_blob);
+ if (irv != LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx, "%s: Could not read BLOB magic bytes from payload\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
+ }
+
+ if (payload_blob.blob_magic != BLOB_MAGIC)
+ {
+ CPRINTS(ctx, "%s: BLOB magic bytes read from payload(%x) are invalid\n",
+ __FUNCTION__, payload_blob.blob_magic);
+ return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
+ }
+
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Find offset of Image MAUV data in payload BLOB inside the image descriptor
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] offset_after_payload_blob_magic Absolute offset of data after
+// payload BLOB magic bytes in image
+// descriptor
+// @param[in] payload_blob_size Size of payload BLOB as per its image
+// descriptor
+// @param[out] payload_image_mauv_data_offset Absolute offset of Image MAUV
+// data in payload's image
+// descriptor
+// @param[out] payload_image_mauv_data_size Size of Image MAUV data embedded in
+// payload's image descriptor
+//
+// @return `failure_reason`
+static failure_reason find_image_mauv_data_offset_in_payload(
+ const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const uint32_t offset_after_payload_blob_magic,
+ const uint32_t payload_blob_size,
+ uint32_t* const restrict payload_image_mauv_data_offset,
+ uint32_t* const restrict payload_image_mauv_data_size)
+{
+ struct blob_data payload_blob_data = {0};
+ int irv = 0;
+ bool found_image_mauv_data = false;
+
+ if (!intf->read)
+ {
+ CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
+ }
+ for (uint32_t current_offset = offset_after_payload_blob_magic;
+ current_offset <= offset_after_payload_blob_magic + payload_blob_size -
+ sizeof(struct blob_data);
+ /* increment based on each blob_data's size in loop */)
+ {
+ irv = intf->read(ctx, current_offset, sizeof(struct blob_data),
+ (uint8_t*)&payload_blob_data);
+ if (irv != LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx, "%s: Could not read BLOB data at offset %x\n",
+ __FUNCTION__, current_offset);
+ return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
+ }
+
+ if ((current_offset - offset_after_payload_blob_magic) +
+ sizeof(struct blob_data) + payload_blob_data.blob_payload_size >
+ payload_blob_size)
+ {
+ CPRINTS(
+ ctx,
+ "%s: BLOB payload size crosses threshold expected by blob_size "
+ "in image descriptor",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
+ }
+
+ switch (payload_blob_data.blob_type_magic)
+ {
+ case BLOB_TYPE_MAGIC_MAUV:
+ if (!found_image_mauv_data)
+ {
+ *payload_image_mauv_data_offset = current_offset +
+ sizeof(struct blob_data);
+ *payload_image_mauv_data_size =
+ payload_blob_data.blob_payload_size;
+ found_image_mauv_data = true;
+ /* intentional fall-through to increment current offset */
+ }
+ else
+ {
+ /* There should be only one Image MAUV in a valid image
+ * descriptor */
+ CPRINTS(
+ ctx,
+ "%s: Found multiple Image MAUV BLOB instances in payload\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_DESCRIPTOR;
+ }
+ default:
+ current_offset += sizeof(struct blob_data) +
+ payload_blob_data.blob_payload_size;
+ /* Increment offset to keep the expected alignment */
+ current_offset =
+ ((current_offset - 1) & ~(BLOB_DATA_ALIGNMENT - 1)) +
+ BLOB_DATA_ALIGNMENT;
+ break;
+ }
+ }
+ if (!found_image_mauv_data)
+ {
+ CPRINTS(ctx, "%s: Did not find Image MAUV BLOB inside payload\n",
+ __FUNCTION__);
+ }
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Read Image MAUV data from BLOB inside payload's image descriptor
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] payload_image_mauv_data_offset Absolute offset of Image MAUV data
+// in payload's image descriptor
+// @param[in] payload_image_mauv_data_size Size of Image MAUV data embedded in
+// payload's image descriptor
+// @param[out] payload_image_mauv_data_buffer Buffer to store Image MAUV data
+// read from payload's image
+// descriptor
+//
+// @return `failure_reason`
+static failure_reason read_image_mauv_data_from_payload(
+ const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const uint32_t payload_image_mauv_data_offset,
+ const uint32_t payload_image_mauv_data_size,
+ struct image_mauv* const restrict payload_image_mauv_data_buffer)
+{
+ int irv = 0;
+
+ if (!intf->read)
+ {
+ CPRINTS(ctx, "%s: Missing interface intf->read\n", __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
+ }
+
+ if (payload_image_mauv_data_size > IMAGE_MAUV_DATA_MAX_SIZE)
+ {
+ CPRINTS(
+ ctx,
+ "%s: Payload Image MAUV data size (0x%x) is more than supported "
+ "maximum size\n",
+ __FUNCTION__, payload_image_mauv_data_size);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ irv = intf->read(ctx, payload_image_mauv_data_offset,
+ payload_image_mauv_data_size,
+ (uint8_t*)payload_image_mauv_data_buffer);
+ if (irv != LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx,
+ "%s: Could not read Image MAUV data from payload @ offset 0x%x "
+ "size 0x%x\n",
+ __FUNCTION__, payload_image_mauv_data_offset,
+ payload_image_mauv_data_size);
+ return LIBCR51SIGN_ERROR_RUNTIME_FAILURE;
+ }
+
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Check if Image MAUV allows update to a target payload version
+//
+// @param[in] stored_image_mauv_data Image MAUV data stored in system
+// @param[in] new_payload_security_version Payload version
+//
+// @return `bool` `True` if update to target version is allowed by MAUV data
+static bool does_stored_image_mauv_allow_update(
+ const struct image_mauv* const stored_image_mauv_data,
+ const uint64_t new_payload_security_version)
+{
+ if (new_payload_security_version <
+ stored_image_mauv_data->minimum_acceptable_update_version)
+ {
+ return false;
+ }
+
+ for (uint32_t i = 0;
+ i < stored_image_mauv_data->version_denylist_num_entries; i++)
+ {
+ if (stored_image_mauv_data->version_denylist[i] ==
+ new_payload_security_version)
+ {
+ return false;
+ }
+ }
+
+ return true;
+}
+
+// Do a sanity check for values stored in Image MAUV data
+//
+// @param[in] image_mauv_data Image MAUV data
+// @param[in] image_mauv_data_size Size of Image MAUV data in bytes
+//
+// @return `failure_reason`
+static failure_reason sanity_check_image_mauv_data(
+ const struct image_mauv* const restrict image_mauv_data,
+ const uint32_t image_mauv_data_size)
+{
+ uint32_t expected_image_mauv_data_size = 0;
+
+ if (image_mauv_data_size < sizeof(struct image_mauv))
+ {
+ CPRINTS(ctx, "%s: Image MAUV data size is smaller than expected\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ if (image_mauv_data->mauv_struct_version != IMAGE_MAUV_STRUCT_VERSION)
+ {
+ CPRINTS(ctx, "%s: Unexpected Image MAUV version\n", __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ if (image_mauv_data->payload_security_version == 0)
+ {
+ // Handle trivial case of someone not initializing MAUV properly
+ CPRINTS(ctx, "%s: Payload security version should be greater than 0\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ if (image_mauv_data->version_denylist_num_entries >
+ IMAGE_MAUV_MAX_DENYLIST_ENTRIES)
+ {
+ CPRINTS(
+ ctx,
+ "%s: Version denylist entries in Image MAUV exceed maximum count\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ expected_image_mauv_data_size =
+ sizeof(struct image_mauv) +
+ image_mauv_data->version_denylist_num_entries *
+ MEMBER_SIZE(struct image_mauv, version_denylist[0]);
+
+ if (image_mauv_data_size != expected_image_mauv_data_size)
+ {
+ CPRINTS(ctx,
+ "%s: Size of Image MAUV data (0x%x) is different than expected "
+ "size (0x%x)\n",
+ __FUNCTION__, image_mauv_data_size,
+ expected_image_mauv_data_size);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ if (!does_stored_image_mauv_allow_update(
+ image_mauv_data, image_mauv_data->payload_security_version))
+ {
+ CPRINTS(ctx,
+ "%s: Image MAUV does not allow update to the payload it was "
+ "contained in\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Find and read (if found) Image MAUV from payload's image descriptor
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] payload_blob_offset Absolute offset of payload BLOB data in
+// payload's image descriptor
+// @param[in] payload_blob_size Size of payload BLOB data as per payload's
+// image descriptor
+// @param[out] payload_image_mauv_data_buffer Buffer to store Image MAUV data
+// read from payload's image
+// descriptor
+// @param[out] payload_image_mauv_data_size Size of Image MAUV data (in bytes)
+// read from payload's image
+// descriptor
+// @param[out] payload_contains_image_mauv_data Flag to indicate whether Image
+// MAUV data is present in
+// payload's image descriptor
+//
+// @return `failure_reason`
+failure_reason find_and_read_image_mauv_data_from_payload(
+ const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const uint32_t payload_blob_offset, const uint32_t payload_blob_size,
+ uint8_t payload_image_mauv_data_buffer[],
+ uint32_t* const restrict payload_image_mauv_data_size,
+ bool* const restrict payload_contains_image_mauv_data)
+{
+ failure_reason rv = LIBCR51SIGN_SUCCESS;
+ uint32_t payload_image_mauv_data_offset = 0;
+
+ rv = verify_payload_blob_magic(ctx, intf, payload_blob_offset);
+ if (rv != LIBCR51SIGN_SUCCESS)
+ {
+ return rv;
+ }
+
+ rv = find_image_mauv_data_offset_in_payload(
+ ctx, intf, payload_blob_offset + offsetof(struct blob, blobs),
+ payload_blob_size, &payload_image_mauv_data_offset,
+ payload_image_mauv_data_size);
+ if (rv != LIBCR51SIGN_SUCCESS)
+ {
+ return rv;
+ }
+
+ *payload_contains_image_mauv_data = (payload_image_mauv_data_offset != 0);
+
+ if (*payload_contains_image_mauv_data)
+ {
+ rv = read_image_mauv_data_from_payload(
+ ctx, intf, payload_image_mauv_data_offset,
+ *payload_image_mauv_data_size,
+ (struct image_mauv*)payload_image_mauv_data_buffer);
+ if (rv != LIBCR51SIGN_SUCCESS)
+ {
+ return rv;
+ }
+
+ return sanity_check_image_mauv_data(
+ (struct image_mauv*)payload_image_mauv_data_buffer,
+ *payload_image_mauv_data_size);
+ }
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Replace stored Image MAUV data with payload Image MAUV data
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] payload_image_mauv_data Image MAUV data from payload
+// @param[in] payload_image_mauv_data_size Size of Image MAUV data (in bytes)
+// embedded inside payload
+//
+// @return `failure_reason`
+static failure_reason update_stored_image_mauv_data(
+ const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const struct image_mauv* const restrict payload_image_mauv_data,
+ const uint32_t payload_image_mauv_data_size)
+{
+ int irv = 0;
+
+ if (!intf->store_new_image_mauv_data)
+ {
+ CPRINTS(ctx, "%s: Missing interface intf->store_new_image_mauv_data\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
+ }
+
+ irv = intf->store_new_image_mauv_data(
+ ctx, (uint8_t*)payload_image_mauv_data, payload_image_mauv_data_size);
+ if (irv != LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx,
+ "%s: Could not store new Image MAUV data from the payload\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_STORING_NEW_IMAGE_MAUV_DATA;
+ }
+ return LIBCR51SIGN_SUCCESS;
+}
+
+// Validates Image MAUV from payload against stored Image MAUV (if present)
+//
+// @param[in] ctx context which describes the image and holds opaque private
+// data for the user of the library
+// @param[in] intf function pointers which interface to the current system
+// and environment
+// @param[in] payload_blob_offset Absolute offset of BLOB data embedded in
+// image descriptor. `0` if BLOB data is not
+// present in image descriptor
+// @param[in] payload_blob_size Size of BLOB data from `blob_size` field in
+// image descriptor
+//
+// @return `failure_reason`
+failure_reason
+ validate_payload_image_mauv(const struct libcr51sign_ctx* const ctx,
+ const struct libcr51sign_intf* const intf,
+ const uint32_t payload_blob_offset,
+ const uint32_t payload_blob_size)
+{
+ uint32_t payload_image_mauv_data_size = 0;
+ struct full_mauv payload_image_mauv_data_buffer = {0};
+
+ uint32_t stored_image_mauv_data_size = 0;
+ struct full_mauv stored_image_mauv_data_buffer = {0};
+
+ bool payload_contains_image_mauv_data = false;
+
+ failure_reason rv = LIBCR51SIGN_SUCCESS;
+ int irv = 0;
+
+ bool payload_blob_present = (payload_blob_offset != 0);
+ if (payload_blob_present)
+ {
+ rv = find_and_read_image_mauv_data_from_payload(
+ ctx, intf, payload_blob_offset, payload_blob_size,
+ (uint8_t*)&payload_image_mauv_data_buffer,
+ &payload_image_mauv_data_size, &payload_contains_image_mauv_data);
+ if (rv != LIBCR51SIGN_SUCCESS)
+ {
+ return rv;
+ }
+ }
+
+ if (!intf->retrieve_stored_image_mauv_data)
+ {
+ if (payload_contains_image_mauv_data)
+ {
+ CPRINTS(
+ ctx,
+ "%s: Payload contains Image MAUV data but required interface "
+ "intf->retrieve_stored_image_mauv_data is missing\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_INVALID_INTERFACE;
+ }
+ CPRINTS(
+ ctx,
+ "%s: Payload does not contain Image MAUV data and interface "
+ "intf->retrieve_stored_image_mauv_data is missing. Skipping MAUV "
+ "check for backward compatibility.\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_SUCCESS;
+ }
+
+ irv = intf->retrieve_stored_image_mauv_data(
+ ctx, (uint8_t*)&stored_image_mauv_data_buffer,
+ &stored_image_mauv_data_size, IMAGE_MAUV_DATA_MAX_SIZE);
+ if (irv == LIBCR51SIGN_NO_STORED_MAUV_FOUND)
+ {
+ CPRINTS(
+ ctx,
+ "%s: Stored Image MAUV data not present in the system. Skipping Image "
+ "MAUV check\n",
+ __FUNCTION__);
+ if (payload_contains_image_mauv_data)
+ {
+ return update_stored_image_mauv_data(
+ ctx, intf, (struct image_mauv*)&payload_image_mauv_data_buffer,
+ payload_image_mauv_data_size);
+ }
+ return LIBCR51SIGN_SUCCESS;
+ }
+ if (irv != LIBCR51SIGN_SUCCESS)
+ {
+ CPRINTS(ctx, "%s: Could not retrieve Image MAUV stored in system\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_RETRIEVING_STORED_IMAGE_MAUV_DATA;
+ }
+ if (stored_image_mauv_data_size > IMAGE_MAUV_DATA_MAX_SIZE)
+ {
+ CPRINTS(ctx,
+ "%s: Stored Image MAUV data size (0x%x) is more than supported "
+ "maximum size\n",
+ __FUNCTION__, stored_image_mauv_data_size);
+ return LIBCR51SIGN_ERROR_INVALID_IMAGE_MAUV_DATA;
+ }
+
+ rv = sanity_check_image_mauv_data(
+ (struct image_mauv*)&stored_image_mauv_data_buffer,
+ stored_image_mauv_data_size);
+ if (rv != LIBCR51SIGN_SUCCESS)
+ {
+ return rv;
+ }
+
+ if (!payload_contains_image_mauv_data)
+ {
+ CPRINTS(ctx, "%s: Image MAUV expected to be present in payload",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_EXPECTS_PAYLOAD_IMAGE_MAUV;
+ }
+
+ if (!does_stored_image_mauv_allow_update(
+ (struct image_mauv*)&stored_image_mauv_data_buffer,
+ ((struct image_mauv*)&payload_image_mauv_data_buffer)
+ ->payload_security_version))
+ {
+ CPRINTS(ctx,
+ "%s: Stored Image MAUV data does not allow update to payload "
+ "version\n",
+ __FUNCTION__);
+ return LIBCR51SIGN_ERROR_STORED_IMAGE_MAUV_DOES_NOT_ALLOW_UPDATE_TO_PAYLOAD;
+ }
+
+ if (((struct image_mauv*)&payload_image_mauv_data_buffer)
+ ->mauv_update_timestamp >
+ ((struct image_mauv*)&stored_image_mauv_data_buffer)
+ ->mauv_update_timestamp)
+ {
+ return update_stored_image_mauv_data(
+ ctx, intf, (struct image_mauv*)&payload_image_mauv_data_buffer,
+ payload_image_mauv_data_size);
+ }
+ return LIBCR51SIGN_SUCCESS;
+}
+
+#ifdef __cplusplus
+} // extern "C"
+#endif
diff --git a/subprojects/libcr51sign/src/libcr51sign_support.c b/subprojects/libcr51sign/src/libcr51sign_support.c
index 3118909..d0c2b96 100644
--- a/subprojects/libcr51sign/src/libcr51sign_support.c
+++ b/subprojects/libcr51sign/src/libcr51sign_support.c
@@ -14,13 +14,13 @@
* limitations under the License.
*/
-#include <libcr51sign/libcr51sign.h>
#include <libcr51sign/libcr51sign_support.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>
#include <stdio.h>
+#include <string.h>
#ifdef __cplusplus
extern "C"
@@ -164,7 +164,7 @@
goto clean_up;
}
CPRINTS(ctx, "public RSA\n");
- char buffer[1024];
+ char buffer[1024] = {};
while (BIO_read(bio, buffer, sizeof(buffer) - 1) > 0)
{
CPRINTS(ctx, " %s", buffer);
diff --git a/subprojects/libcr51sign/src/meson.build b/subprojects/libcr51sign/src/meson.build
index c2550e5..ff33a0c 100644
--- a/subprojects/libcr51sign/src/meson.build
+++ b/subprojects/libcr51sign/src/meson.build
@@ -17,7 +17,8 @@
]
libcr51sign_cflags = [
- '-DOMIT_VARIABLE_ARRAYS',
+ '-Wno-pedantic',
+ '-Wno-implicit-fallthrough'
]
libcr51sign_pre = declare_dependency(
@@ -29,6 +30,7 @@
'cr51sign',
'libcr51sign.c',
'libcr51sign_support.c',
+ 'libcr51sign_mauv.c',
dependencies: libcr51sign_pre,
c_args: [
# Temporarily ignore until updates land