blob: 4ad22d177b262465df0d0f08ea1ef85c4f47a1df [file] [log] [blame]
Gunnar Millsf6ed5892018-09-07 17:08:02 -05001#include "config.h"
Jayanth Othayoth70804dc2018-03-20 06:31:59 -05002
3#include "image_verify.hpp"
Gunnar Millsf6ed5892018-09-07 17:08:02 -05004
Jayanth Othayoth70804dc2018-03-20 06:31:59 -05005#include "version.hpp"
6
Gunnar Millsf6ed5892018-09-07 17:08:02 -05007#include <fcntl.h>
8#include <openssl/err.h>
9#include <sys/stat.h>
10
11#include <fstream>
Jayanth Othayoth70804dc2018-03-20 06:31:59 -050012#include <phosphor-logging/elog-errors.hpp>
Gunnar Millsf6ed5892018-09-07 17:08:02 -050013#include <phosphor-logging/elog.hpp>
14#include <phosphor-logging/log.hpp>
15#include <set>
Jayanth Othayoth70804dc2018-03-20 06:31:59 -050016#include <xyz/openbmc_project/Common/error.hpp>
17
18namespace openpower
19{
20namespace software
21{
22namespace image
23{
24
25using namespace phosphor::logging;
26using namespace openpower::software::updater;
27using InternalFailure =
28 sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
29
30constexpr auto keyTypeTag = "KeyType";
31constexpr auto hashFunctionTag = "HashType";
32
33Signature::Signature(const fs::path& imageDirPath,
34 const fs::path& signedConfPath) :
35 imageDirPath(imageDirPath),
36 signedConfPath(signedConfPath)
37{
38 fs::path file(imageDirPath / MANIFEST_FILE);
39
40 auto keyValues =
41 Version::getValue(file, {{keyTypeTag, " "}, {hashFunctionTag, " "}});
42 keyType = keyValues.at(keyTypeTag);
43 hashType = keyValues.at(hashFunctionTag);
44}
45
46AvailableKeyTypes Signature::getAvailableKeyTypesFromSystem() const
47{
48 AvailableKeyTypes keyTypes{};
49
50 // Find the path of all the files
51 if (!fs::is_directory(signedConfPath))
52 {
53 log<level::ERR>("Signed configuration path not found in the system");
54 elog<InternalFailure>();
55 }
56
57 // Look for all the hash and public key file names get the key value
58 // For example:
59 // /etc/activationdata/OpenPOWER/publickey
60 // /etc/activationdata/OpenPOWER/hashfunc
61 // /etc/activationdata/GA/publickey
62 // /etc/activationdata/GA/hashfunc
63 // Set will have OpenPOWER, GA
64
65 for (const auto& p : fs::recursive_directory_iterator(signedConfPath))
66 {
67 if ((p.path().filename() == HASH_FILE_NAME) ||
68 (p.path().filename() == PUBLICKEY_FILE_NAME))
69 {
70 // extract the key types
71 // /etc/activationdata/GA/ -> get GA from the path
72 auto key = p.path().parent_path();
73 keyTypes.insert(key.filename());
74 }
75 }
76
77 return keyTypes;
78}
79
80inline KeyHashPathPair Signature::getKeyHashFileNames(const Key_t& key) const
81{
82 fs::path hashpath(signedConfPath / key / HASH_FILE_NAME);
83 fs::path keyPath(signedConfPath / key / PUBLICKEY_FILE_NAME);
84
85 return std::make_pair(std::move(hashpath), std::move(keyPath));
86}
87
88bool Signature::verify()
89{
90 try
91 {
92 // Verify the MANIFEST and publickey file using available
93 // public keys and hash on the system.
94 if (false == systemLevelVerify())
95 {
96 log<level::ERR>("System level Signature Validation failed");
97 return false;
98 }
99
Gunnar Mills4c7d2062018-03-23 12:12:20 -0500100 // image specific publickey file name.
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500101 fs::path publicKeyFile(imageDirPath / PUBLICKEY_FILE_NAME);
102
103 // Validate the PNOR image file.
104 // Build Image File name
105 fs::path file(imageDirPath);
106 file /= squashFSImage;
107
108 // Build Signature File name
109 std::string fileName = file.filename();
110 fs::path sigFile(imageDirPath);
111 sigFile /= fileName + SIGNATURE_FILE_EXT;
112
113 // Verify the signature.
114 auto valid = verifyFile(file, sigFile, publicKeyFile, hashType);
115 if (valid == false)
116 {
117 log<level::ERR>("Image file Signature Validation failed",
Jayanth Othayoth5248f3c2018-03-28 11:04:14 -0500118 entry("IMAGE=%s", squashFSImage));
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500119 return false;
120 }
121
Gunnar Mills4c7d2062018-03-23 12:12:20 -0500122 log<level::DEBUG>("Successfully completed Signature vaildation.");
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500123
124 return true;
125 }
126 catch (const InternalFailure& e)
127 {
128 return false;
129 }
130 catch (const std::exception& e)
131 {
132 log<level::ERR>(e.what());
133 return false;
134 }
135}
136
137bool Signature::systemLevelVerify()
138{
139 // Get available key types from the system.
140 auto keyTypes = getAvailableKeyTypesFromSystem();
141 if (keyTypes.empty())
142 {
143 log<level::ERR>("Missing Signature configuration data in system");
144 elog<InternalFailure>();
145 }
146
147 // Build publickey and its signature file name.
148 fs::path pkeyFile(imageDirPath / PUBLICKEY_FILE_NAME);
149 fs::path pkeyFileSig(pkeyFile);
150 pkeyFileSig.replace_extension(SIGNATURE_FILE_EXT);
151
152 // Build manifest and its signature file name.
153 fs::path manifestFile(imageDirPath / MANIFEST_FILE);
154 fs::path manifestFileSig(manifestFile);
155 manifestFileSig.replace_extension(SIGNATURE_FILE_EXT);
156
157 auto valid = false;
158
159 // Verify the file signature with available key types
160 // public keys and hash function.
161 // For any internal failure during the key/hash pair specific
162 // validation, should continue the validation with next
163 // available Key/hash pair.
164 for (const auto& keyType : keyTypes)
165 {
166 auto keyHashPair = getKeyHashFileNames(keyType);
167 auto keyValues =
168 Version::getValue(keyHashPair.first, {{hashFunctionTag, " "}});
169 auto hashFunc = keyValues.at(hashFunctionTag);
170
171 try
172 {
173 // Verify manifest file signature
174 valid = verifyFile(manifestFile, manifestFileSig,
175 keyHashPair.second, hashFunc);
176 if (valid)
177 {
178 // Verify publickey file signature.
179 valid = verifyFile(pkeyFile, pkeyFileSig, keyHashPair.second,
180 hashFunc);
181 if (valid)
182 {
183 break;
184 }
185 }
186 }
187 catch (const InternalFailure& e)
188 {
189 valid = false;
190 }
191 }
192 return valid;
193}
194
195bool Signature::verifyFile(const fs::path& file, const fs::path& sigFile,
196 const fs::path& publicKey,
197 const std::string& hashFunc)
198{
199
200 // Check existence of the files in the system.
201 if (!(fs::exists(file) && fs::exists(sigFile)))
202 {
203 log<level::ERR>("Failed to find the Data or signature file.",
204 entry("FILE=%s", file.c_str()));
205 elog<InternalFailure>();
206 }
207
208 // Create RSA.
209 auto publicRSA = createPublicRSA(publicKey);
210 if (publicRSA == nullptr)
211 {
212 log<level::ERR>("Failed to create RSA",
213 entry("FILE=%s", publicKey.c_str()));
214 elog<InternalFailure>();
215 }
216
217 // Assign key to RSA.
218 EVP_PKEY_Ptr pKeyPtr(EVP_PKEY_new(), ::EVP_PKEY_free);
219 EVP_PKEY_assign_RSA(pKeyPtr.get(), publicRSA);
220
221 // Initializes a digest context.
Adriana Kobylak70ca2422018-09-06 14:23:38 -0500222 EVP_MD_CTX_Ptr rsaVerifyCtx(EVP_MD_CTX_new(), ::EVP_MD_CTX_free);
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500223
224 // Adds all digest algorithms to the internal table
225 OpenSSL_add_all_digests();
226
Gunnar Millsa9cfced2018-04-08 15:01:57 -0500227 // Create Hash structure.
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500228 auto hashStruct = EVP_get_digestbyname(hashFunc.c_str());
229 if (!hashStruct)
230 {
231 log<level::ERR>("EVP_get_digestbynam: Unknown message digest",
232 entry("HASH=%s", hashFunc.c_str()));
233 elog<InternalFailure>();
234 }
235
236 auto result = EVP_DigestVerifyInit(rsaVerifyCtx.get(), nullptr, hashStruct,
237 nullptr, pKeyPtr.get());
238
239 if (result <= 0)
240 {
Gunnar Mills4c7d2062018-03-23 12:12:20 -0500241 log<level::ERR>("Error occurred during EVP_DigestVerifyInit",
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500242 entry("ERRCODE=%lu", ERR_get_error()));
243 elog<InternalFailure>();
244 }
245
246 // Hash the data file and update the verification context
247 auto size = fs::file_size(file);
248 auto dataPtr = mapFile(file, size);
249
250 result = EVP_DigestVerifyUpdate(rsaVerifyCtx.get(), dataPtr(), size);
251 if (result <= 0)
252 {
Gunnar Mills4c7d2062018-03-23 12:12:20 -0500253 log<level::ERR>("Error occurred during EVP_DigestVerifyUpdate",
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500254 entry("ERRCODE=%lu", ERR_get_error()));
255 elog<InternalFailure>();
256 }
257
258 // Verify the data with signature.
259 size = fs::file_size(sigFile);
260 auto signature = mapFile(sigFile, size);
261
262 result = EVP_DigestVerifyFinal(
263 rsaVerifyCtx.get(), reinterpret_cast<unsigned char*>(signature()),
264 size);
265
266 // Check the verification result.
267 if (result < 0)
268 {
Gunnar Mills4c7d2062018-03-23 12:12:20 -0500269 log<level::ERR>("Error occurred during EVP_DigestVerifyFinal",
Jayanth Othayoth70804dc2018-03-20 06:31:59 -0500270 entry("ERRCODE=%lu", ERR_get_error()));
271 elog<InternalFailure>();
272 }
273
274 if (result == 0)
275 {
276 log<level::ERR>("EVP_DigestVerifyFinal:Signature validation failed",
277 entry("PATH=%s", sigFile.c_str()));
278 return false;
279 }
280 return true;
281}
282
283inline RSA* Signature::createPublicRSA(const fs::path& publicKey)
284{
285 RSA* rsa = nullptr;
286 auto size = fs::file_size(publicKey);
287
288 // Read public key file
289 auto data = mapFile(publicKey, size);
290
291 BIO_MEM_Ptr keyBio(BIO_new_mem_buf(data(), -1), &::BIO_free);
292 if (keyBio.get() == nullptr)
293 {
294 log<level::ERR>("Failed to create new BIO Memory buffer");
295 elog<InternalFailure>();
296 }
297
298 rsa = PEM_read_bio_RSA_PUBKEY(keyBio.get(), &rsa, nullptr, nullptr);
299
300 return rsa;
301}
302
303CustomMap Signature::mapFile(const fs::path& path, size_t size)
304{
305
306 CustomFd fd(open(path.c_str(), O_RDONLY));
307
308 return CustomMap(mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd(), 0),
309 size);
310}
311
312} // namespace image
313} // namespace software
314} // namespace openpower