blob: b7654aa10b8ff7baadcf1318c7fb0a1f0f503d1a [file] [log] [blame]
#include "config.h"
#include "image_verify.hpp"
#include "images.hpp"
#include "utils.hpp"
#include "version.hpp"
#include <fcntl.h>
#include <openssl/err.h>
#include <sys/stat.h>
#include <phosphor-logging/elog-errors.hpp>
#include <phosphor-logging/elog.hpp>
#include <phosphor-logging/lg2.hpp>
#include <xyz/openbmc_project/Common/error.hpp>
#include <cassert>
#include <fstream>
#include <set>
namespace phosphor
{
namespace software
{
namespace image
{
PHOSPHOR_LOG2_USING;
using namespace phosphor::logging;
using namespace phosphor::software::manager;
using InternalFailure =
sdbusplus::xyz::openbmc_project::Common::Error::InternalFailure;
constexpr auto keyTypeTag = "KeyType";
constexpr auto hashFunctionTag = "HashType";
Signature::Signature(const fs::path& imageDirPath,
const fs::path& signedConfPath) :
imageDirPath(imageDirPath),
signedConfPath(signedConfPath)
{
fs::path file(imageDirPath / MANIFEST_FILE_NAME);
keyType = Version::getValue(file, keyTypeTag);
hashType = Version::getValue(file, hashFunctionTag);
}
AvailableKeyTypes Signature::getAvailableKeyTypesFromSystem() const
{
AvailableKeyTypes keyTypes{};
// Find the path of all the files
if (!fs::is_directory(signedConfPath))
{
error("Signed configuration path not found in the system");
elog<InternalFailure>();
}
// Look for all the hash and public key file names get the key value
// For example:
// /etc/activationdata/OpenBMC/publickey
// /etc/activationdata/OpenBMC/hashfunc
// /etc/activationdata/GA/publickey
// /etc/activationdata/GA/hashfunc
// Set will have OpenBMC, GA
for (const auto& p : fs::recursive_directory_iterator(signedConfPath))
{
if ((p.path().filename() == HASH_FILE_NAME) ||
(p.path().filename() == PUBLICKEY_FILE_NAME))
{
// extract the key types
// /etc/activationdata/OpenBMC/ -> get OpenBMC from the path
auto key = p.path().parent_path();
keyTypes.insert(key.filename());
}
}
return keyTypes;
}
inline KeyHashPathPair Signature::getKeyHashFileNames(const Key_t& key) const
{
fs::path hashpath(signedConfPath / key / HASH_FILE_NAME);
fs::path keyPath(signedConfPath / key / PUBLICKEY_FILE_NAME);
return std::make_pair(std::move(hashpath), std::move(keyPath));
}
bool Signature::verifyFullImage()
{
bool ret = true;
#ifdef WANT_SIGNATURE_FULL_VERIFY
std::vector<std::string> fullImages = {
fs::path(imageDirPath) / "image-bmc.sig",
fs::path(imageDirPath) / "image-hostfw.sig",
fs::path(imageDirPath) / "image-kernel.sig",
fs::path(imageDirPath) / "image-rofs.sig",
fs::path(imageDirPath) / "image-rwfs.sig",
fs::path(imageDirPath) / "image-u-boot.sig",
fs::path(imageDirPath) / "MANIFEST.sig",
fs::path(imageDirPath) / "publickey.sig"};
// Merge files
std::string tmpFullFile = "/tmp/image-full";
utils::mergeFiles(fullImages, tmpFullFile);
// Validate the full image files
fs::path pkeyFullFile(tmpFullFile);
std::string imageFullSig = "image-full.sig";
fs::path pkeyFullFileSig(imageDirPath / imageFullSig);
pkeyFullFileSig.replace_extension(SIGNATURE_FILE_EXT);
// image specific publickey file name.
fs::path publicKeyFile(imageDirPath / PUBLICKEY_FILE_NAME);
ret = verifyFile(pkeyFullFile, pkeyFullFileSig, publicKeyFile, hashType);
fs::remove(tmpFullFile);
#endif
return ret;
}
bool Signature::verify()
{
try
{
bool valid;
// Verify the MANIFEST and publickey file using available
// public keys and hash on the system.
if (false == systemLevelVerify())
{
error("System level Signature Validation failed");
return false;
}
bool bmcFilesFound = false;
// image specific publickey file name.
fs::path publicKeyFile(imageDirPath / PUBLICKEY_FILE_NAME);
// Record the images which are being updated
// First check and Validate for the fullimage, then check and Validate
// for images with partitions
std::vector<std::string> imageUpdateList = {bmcFullImages};
valid = checkAndVerifyImage(imageDirPath, publicKeyFile,
imageUpdateList, bmcFilesFound);
if (bmcFilesFound && !valid)
{
return false;
}
if (!valid)
{
// Validate bmcImages
imageUpdateList.clear();
imageUpdateList.assign(bmcImages.begin(), bmcImages.end());
valid = checkAndVerifyImage(imageDirPath, publicKeyFile,
imageUpdateList, bmcFilesFound);
if (bmcFilesFound && !valid)
{
return false;
}
}
// Validate the optional image files.
auto optionalImages = getOptionalImages();
bool optionalFilesFound = false;
bool optionalImagesValid = false;
for (const auto& optionalImage : optionalImages)
{
// Build Image File name
fs::path file(imageDirPath);
file /= optionalImage;
if (fs::exists(file))
{
optionalFilesFound = true;
// Build Signature File name
fs::path sigFile(file);
sigFile += SIGNATURE_FILE_EXT;
// Verify the signature.
optionalImagesValid =
verifyFile(file, sigFile, publicKeyFile, hashType);
if (!optionalImagesValid)
{
error("Image file Signature Validation failed on {IMAGE}",
"IMAGE", optionalImage);
return false;
}
}
}
if (verifyFullImage() == false)
{
error("Image full file Signature Validation failed");
return false;
}
if (!bmcFilesFound && !optionalFilesFound)
{
error("Unable to find files to verify");
return false;
}
// Either BMC images or optional images shall be valid
assert(valid || optionalImagesValid);
debug("Successfully completed Signature vaildation.");
return true;
}
catch (const InternalFailure& e)
{
return false;
}
catch (const std::exception& e)
{
error("Error during processing: {ERROR}", "ERROR", e);
return false;
}
}
bool Signature::systemLevelVerify()
{
// Get available key types from the system.
auto keyTypes = getAvailableKeyTypesFromSystem();
if (keyTypes.empty())
{
error("Missing Signature configuration data in system");
elog<InternalFailure>();
}
// Build publickey and its signature file name.
fs::path pkeyFile(imageDirPath / PUBLICKEY_FILE_NAME);
fs::path pkeyFileSig(pkeyFile);
pkeyFileSig.replace_extension(SIGNATURE_FILE_EXT);
// Build manifest and its signature file name.
fs::path manifestFile(imageDirPath / MANIFEST_FILE_NAME);
fs::path manifestFileSig(manifestFile);
manifestFileSig.replace_extension(SIGNATURE_FILE_EXT);
auto valid = false;
// Verify the file signature with available key types
// public keys and hash function.
// For any internal failure during the key/hash pair specific
// validation, should continue the validation with next
// available Key/hash pair.
for (const auto& keyType : keyTypes)
{
auto keyHashPair = getKeyHashFileNames(keyType);
auto hashFunc = Version::getValue(keyHashPair.first, hashFunctionTag);
try
{
// Verify manifest file signature
valid = verifyFile(manifestFile, manifestFileSig,
keyHashPair.second, hashFunc);
if (valid)
{
// Verify publickey file signature.
valid = verifyFile(pkeyFile, pkeyFileSig, keyHashPair.second,
hashFunc);
if (valid)
{
break;
}
}
}
catch (const InternalFailure& e)
{
valid = false;
}
}
return valid;
}
bool Signature::verifyFile(const fs::path& file, const fs::path& sigFile,
const fs::path& publicKey,
const std::string& hashFunc)
{
// Check existence of the files in the system.
if (!(fs::exists(file) && fs::exists(sigFile)))
{
error("Failed to find the Data or signature file {PATH}.", "PATH",
file);
elog<InternalFailure>();
}
// Create RSA.
auto publicRSA = createPublicRSA(publicKey);
if (publicRSA == nullptr)
{
error("Failed to create RSA from {PATH}", "PATH", publicKey);
elog<InternalFailure>();
}
// Assign key to RSA.
EVP_PKEY_Ptr pKeyPtr(EVP_PKEY_new(), ::EVP_PKEY_free);
EVP_PKEY_assign_RSA(pKeyPtr.get(), publicRSA);
// Initializes a digest context.
EVP_MD_CTX_Ptr rsaVerifyCtx(EVP_MD_CTX_new(), ::EVP_MD_CTX_free);
// Adds all digest algorithms to the internal table
OpenSSL_add_all_digests();
// Create Hash structure.
auto hashStruct = EVP_get_digestbyname(hashFunc.c_str());
if (!hashStruct)
{
error("EVP_get_digestbynam: Unknown message digest: {HASH}", "HASH",
hashFunc);
elog<InternalFailure>();
}
auto result = EVP_DigestVerifyInit(rsaVerifyCtx.get(), nullptr, hashStruct,
nullptr, pKeyPtr.get());
if (result <= 0)
{
error("Error ({RC}) occurred during EVP_DigestVerifyInit", "RC",
ERR_get_error());
elog<InternalFailure>();
}
// Hash the data file and update the verification context
auto size = fs::file_size(file);
auto dataPtr = mapFile(file, size);
result = EVP_DigestVerifyUpdate(rsaVerifyCtx.get(), dataPtr(), size);
if (result <= 0)
{
error("Error ({RC}) occurred during EVP_DigestVerifyUpdate", "RC",
ERR_get_error());
elog<InternalFailure>();
}
// Verify the data with signature.
size = fs::file_size(sigFile);
auto signature = mapFile(sigFile, size);
result = EVP_DigestVerifyFinal(
rsaVerifyCtx.get(), reinterpret_cast<unsigned char*>(signature()),
size);
// Check the verification result.
if (result < 0)
{
error("Error ({RC}) occurred during EVP_DigestVerifyFinal", "RC",
ERR_get_error());
elog<InternalFailure>();
}
if (result == 0)
{
error("EVP_DigestVerifyFinal:Signature validation failed on {PATH}",
"PATH", sigFile);
return false;
}
return true;
}
inline RSA* Signature::createPublicRSA(const fs::path& publicKey)
{
RSA* rsa = nullptr;
auto size = fs::file_size(publicKey);
// Read public key file
auto data = mapFile(publicKey, size);
BIO_MEM_Ptr keyBio(BIO_new_mem_buf(data(), -1), &::BIO_free);
if (keyBio.get() == nullptr)
{
error("Failed to create new BIO Memory buffer");
elog<InternalFailure>();
}
rsa = PEM_read_bio_RSA_PUBKEY(keyBio.get(), &rsa, nullptr, nullptr);
return rsa;
}
CustomMap Signature::mapFile(const fs::path& path, size_t size)
{
CustomFd fd(open(path.c_str(), O_RDONLY));
return CustomMap(mmap(nullptr, size, PROT_READ, MAP_PRIVATE, fd(), 0),
size);
}
bool Signature::checkAndVerifyImage(const std::string& filePath,
const std::string& publicKeyPath,
const std::vector<std::string>& imageList,
bool& fileFound)
{
bool valid = true;
fileFound = false;
for (auto& bmcImage : imageList)
{
fs::path file(filePath);
file /= bmcImage;
if (!fs::exists(file))
{
valid = false;
break;
}
fileFound = true;
fs::path sigFile(file);
sigFile += SIGNATURE_FILE_EXT;
// Verify the signature.
auto valid = verifyFile(file, sigFile, publicKeyPath, hashType);
if (valid == false)
{
error("Image file Signature Validation failed on {PATH}", "PATH",
bmcImage);
return false;
}
}
return valid;
}
} // namespace image
} // namespace software
} // namespace phosphor