1// SPDX-License-Identifier: GPL-2.0+ 2/* 3 * (C) Copyright 2018 Arm Ltd. 4 * (C) Copyright 2020-2021 Samuel Holland <samuel@sholland.org> 5 */ 6 7#define OPENSSL_API_COMPAT 0x10101000L 8 9#include <assert.h> 10#include <stdint.h> 11#include <stdio.h> 12#include <stdlib.h> 13#include <string.h> 14 15#include <openssl/asn1t.h> 16#include <openssl/bn.h> 17#include <openssl/pem.h> 18#include <openssl/rsa.h> 19 20#include <image.h> 21#include <sunxi_image.h> 22 23#include "imagetool.h" 24#include "mkimage.h" 25 26/* 27 * NAND requires 8K padding. For other devices, BROM requires only 28 * 512B padding, but let's use the larger padding to cover everything. 29 */ 30#define PAD_SIZE 8192 31 32#define pr_fmt(fmt) "mkimage (TOC0): %s: " fmt 33#define pr_err(fmt, args...) fprintf(stderr, pr_fmt(fmt), "error", ##args) 34#define pr_warn(fmt, args...) fprintf(stderr, pr_fmt(fmt), "warning", ##args) 35#define pr_info(fmt, args...) fprintf(stderr, pr_fmt(fmt), "info", ##args) 36 37#if defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER < 0x3050000fL 38#define RSA_get0_n(key) (key)->n 39#define RSA_get0_e(key) (key)->e 40#define RSA_get0_d(key) (key)->d 41#endif 42 43struct __packed toc0_key_item { 44 __le32 vendor_id; 45 __le32 key0_n_len; 46 __le32 key0_e_len; 47 __le32 key1_n_len; 48 __le32 key1_e_len; 49 __le32 sig_len; 50 uint8_t key0[512]; 51 uint8_t key1[512]; 52 uint8_t reserved[32]; 53 uint8_t sig[256]; 54}; 55 56/* 57 * This looks somewhat like an X.509 certificate, but it is not valid BER. 58 * 59 * Some differences: 60 * - Some X.509 certificate fields are missing or rearranged. 61 * - Some sequences have the wrong tag. 62 * - Zero-length sequences are accepted. 63 * - Large strings and integers must be an even number of bytes long. 64 * - Positive integers are not zero-extended to maintain their sign. 65 * 66 * See https://linux-sunxi.org/TOC0 for more information. 67 */ 68struct __packed toc0_small_tag { 69 uint8_t tag; 70 uint8_t length; 71}; 72 73typedef struct toc0_small_tag toc0_small_int; 74typedef struct toc0_small_tag toc0_small_oct; 75typedef struct toc0_small_tag toc0_small_seq; 76typedef struct toc0_small_tag toc0_small_exp; 77 78#define TOC0_SMALL_INT(len) { 0x02, (len) } 79#define TOC0_SMALL_SEQ(len) { 0x30, (len) } 80#define TOC0_SMALL_EXP(tag, len) { 0xa0 | (tag), len } 81 82struct __packed toc0_large_tag { 83 uint8_t tag; 84 uint8_t prefix; 85 uint8_t length_hi; 86 uint8_t length_lo; 87}; 88 89typedef struct toc0_large_tag toc0_large_int; 90typedef struct toc0_large_tag toc0_large_bit; 91typedef struct toc0_large_tag toc0_large_seq; 92 93#define TOC0_LARGE_INT(len) { 0x02, 0x82, (len) >> 8, (len) & 0xff } 94#define TOC0_LARGE_BIT(len) { 0x03, 0x82, (len) >> 8, (len) & 0xff } 95#define TOC0_LARGE_SEQ(len) { 0x30, 0x82, (len) >> 8, (len) & 0xff } 96 97struct __packed toc0_cert_item { 98 toc0_large_seq tag_totalSequence; 99 struct __packed toc0_totalSequence { 100 toc0_large_seq tag_mainSequence; 101 struct __packed toc0_mainSequence { 102 toc0_small_exp tag_explicit0; 103 struct __packed toc0_explicit0 { 104 toc0_small_int tag_version; 105 uint8_t version; 106 } explicit0; 107 toc0_small_int tag_serialNumber; 108 uint8_t serialNumber; 109 toc0_small_seq tag_signature; 110 toc0_small_seq tag_issuer; 111 toc0_small_seq tag_validity; 112 toc0_small_seq tag_subject; 113 toc0_large_seq tag_subjectPublicKeyInfo; 114 struct __packed toc0_subjectPublicKeyInfo { 115 toc0_small_seq tag_algorithm; 116 toc0_large_seq tag_publicKey; 117 struct __packed toc0_publicKey { 118 toc0_large_int tag_n; 119 uint8_t n[256]; 120 toc0_small_int tag_e; 121 uint8_t e[3]; 122 } publicKey; 123 } subjectPublicKeyInfo; 124 toc0_small_exp tag_explicit3; 125 struct __packed toc0_explicit3 { 126 toc0_small_seq tag_extension; 127 struct __packed toc0_extension { 128 toc0_small_int tag_digest; 129 uint8_t digest[32]; 130 } extension; 131 } explicit3; 132 } mainSequence; 133 toc0_large_bit tag_sigSequence; 134 struct __packed toc0_sigSequence { 135 toc0_small_seq tag_algorithm; 136 toc0_large_bit tag_signature; 137 uint8_t signature[256]; 138 } sigSequence; 139 } totalSequence; 140}; 141 142#define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER)) 143 144static const struct toc0_cert_item cert_item_template = { 145 TOC0_LARGE_SEQ(sizeof(struct toc0_totalSequence)), 146 { 147 TOC0_LARGE_SEQ(sizeof(struct toc0_mainSequence)), 148 { 149 TOC0_SMALL_EXP(0, sizeof(struct toc0_explicit0)), 150 { 151 TOC0_SMALL_INT(sizeof_field(struct toc0_explicit0, version)), 152 0, 153 }, 154 TOC0_SMALL_INT(sizeof_field(struct toc0_mainSequence, serialNumber)), 155 0, 156 TOC0_SMALL_SEQ(0), 157 TOC0_SMALL_SEQ(0), 158 TOC0_SMALL_SEQ(0), 159 TOC0_SMALL_SEQ(0), 160 TOC0_LARGE_SEQ(sizeof(struct toc0_subjectPublicKeyInfo)), 161 { 162 TOC0_SMALL_SEQ(0), 163 TOC0_LARGE_SEQ(sizeof(struct toc0_publicKey)), 164 { 165 TOC0_LARGE_INT(sizeof_field(struct toc0_publicKey, n)), 166 {}, 167 TOC0_SMALL_INT(sizeof_field(struct toc0_publicKey, e)), 168 {}, 169 }, 170 }, 171 TOC0_SMALL_EXP(3, sizeof(struct toc0_explicit3)), 172 { 173 TOC0_SMALL_SEQ(sizeof(struct toc0_extension)), 174 { 175 TOC0_SMALL_INT(sizeof_field(struct toc0_extension, digest)), 176 {}, 177 }, 178 }, 179 }, 180 TOC0_LARGE_BIT(sizeof(struct toc0_sigSequence)), 181 { 182 TOC0_SMALL_SEQ(0), 183 TOC0_LARGE_BIT(sizeof_field(struct toc0_sigSequence, signature)), 184 {}, 185 }, 186 }, 187}; 188 189#define TOC0_DEFAULT_NUM_ITEMS 3 190#define TOC0_DEFAULT_HEADER_LEN \ 191 ALIGN( \ 192 sizeof(struct toc0_main_info) + \ 193 sizeof(struct toc0_item_info) * TOC0_DEFAULT_NUM_ITEMS + \ 194 sizeof(struct toc0_cert_item) + \ 195 sizeof(struct toc0_key_item), \ 196 32) 197 198static char *fw_key_file = "fw_key.pem"; 199static char *key_item_file = "key_item.bin"; 200static char *root_key_file = "root_key.pem"; 201 202/* 203 * Create a key item in @buf, containing the public keys @root_key and @fw_key, 204 * and signed by the RSA key @root_key. 205 */ 206static int toc0_create_key_item(uint8_t *buf, uint32_t *len, 207 RSA *root_key, RSA *fw_key) 208{ 209 struct toc0_key_item *key_item = (void *)buf; 210 uint8_t digest[SHA256_DIGEST_LENGTH]; 211 int ret = EXIT_FAILURE; 212 unsigned int sig_len; 213 int n_len, e_len; 214 215 /* Store key 0. */ 216 n_len = BN_bn2bin(RSA_get0_n(root_key), key_item->key0); 217 e_len = BN_bn2bin(RSA_get0_e(root_key), key_item->key0 + n_len); 218 if (n_len + e_len > sizeof(key_item->key0)) { 219 pr_err("Root key is too big for key item\n"); 220 goto err; 221 } 222 key_item->key0_n_len = cpu_to_le32(n_len); 223 key_item->key0_e_len = cpu_to_le32(e_len); 224 225 /* Store key 1. */ 226 n_len = BN_bn2bin(RSA_get0_n(fw_key), key_item->key1); 227 e_len = BN_bn2bin(RSA_get0_e(fw_key), key_item->key1 + n_len); 228 if (n_len + e_len > sizeof(key_item->key1)) { 229 pr_err("Firmware key is too big for key item\n"); 230 goto err; 231 } 232 key_item->key1_n_len = cpu_to_le32(n_len); 233 key_item->key1_e_len = cpu_to_le32(e_len); 234 235 /* Sign the key item. */ 236 key_item->sig_len = cpu_to_le32(RSA_size(root_key)); 237 SHA256(buf, key_item->sig - buf, digest); 238 if (!RSA_sign(NID_sha256, digest, sizeof(digest), 239 key_item->sig, &sig_len, root_key)) { 240 pr_err("Failed to sign key item\n"); 241 goto err; 242 } 243 if (sig_len != sizeof(key_item->sig)) { 244 pr_err("Bad key item signature length\n"); 245 goto err; 246 } 247 248 *len = sizeof(*key_item); 249 ret = EXIT_SUCCESS; 250 251err: 252 return ret; 253} 254 255/* 256 * Verify the key item in @buf, containing two public keys @key0 and @key1, 257 * and signed by the RSA key @key0. If @root_key is provided, only signatures 258 * by that key will be accepted. @key1 is returned in @key. 259 */ 260static int toc0_verify_key_item(const uint8_t *buf, uint32_t len, 261 RSA *root_key, RSA **fw_key) 262{ 263 struct toc0_key_item *key_item = (void *)buf; 264 uint8_t digest[SHA256_DIGEST_LENGTH]; 265 int ret = EXIT_FAILURE; 266 int n_len, e_len; 267 RSA *key0 = NULL; 268 RSA *key1 = NULL; 269 BIGNUM *n, *e; 270 271 if (len < sizeof(*key_item)) 272 goto err; 273 274 /* Load key 0. */ 275 n_len = le32_to_cpu(key_item->key0_n_len); 276 e_len = le32_to_cpu(key_item->key0_e_len); 277 if (n_len + e_len > sizeof(key_item->key0)) { 278 pr_err("Bad root key size in key item\n"); 279 goto err; 280 } 281 n = BN_bin2bn(key_item->key0, n_len, NULL); 282 e = BN_bin2bn(key_item->key0 + n_len, e_len, NULL); 283 key0 = RSA_new(); 284 if (!key0) 285 goto err; 286 if (!RSA_set0_key(key0, n, e, NULL)) 287 goto err; 288 289 /* If a root key was provided, compare it to key 0. */ 290 if (root_key && (BN_cmp(n, RSA_get0_n(root_key)) || 291 BN_cmp(e, RSA_get0_e(root_key)))) { 292 pr_err("Wrong root key in key item\n"); 293 goto err; 294 } 295 296 /* Verify the key item signature. */ 297 SHA256(buf, key_item->sig - buf, digest); 298 if (!RSA_verify(NID_sha256, digest, sizeof(digest), 299 key_item->sig, le32_to_cpu(key_item->sig_len), key0)) { 300 pr_err("Bad key item signature\n"); 301 goto err; 302 } 303 304 if (fw_key) { 305 /* Load key 1. */ 306 n_len = le32_to_cpu(key_item->key1_n_len); 307 e_len = le32_to_cpu(key_item->key1_e_len); 308 if (n_len + e_len > sizeof(key_item->key1)) { 309 pr_err("Bad firmware key size in key item\n"); 310 goto err; 311 } 312 n = BN_bin2bn(key_item->key1, n_len, NULL); 313 e = BN_bin2bn(key_item->key1 + n_len, e_len, NULL); 314 key1 = RSA_new(); 315 if (!key1) 316 goto err; 317 if (!RSA_set0_key(key1, n, e, NULL)) 318 goto err; 319 320 if (*fw_key) { 321 /* If a FW key was provided, compare it to key 1. */ 322 if (BN_cmp(n, RSA_get0_n(*fw_key)) || 323 BN_cmp(e, RSA_get0_e(*fw_key))) { 324 pr_err("Wrong firmware key in key item\n"); 325 goto err; 326 } 327 } else { 328 /* Otherwise, send key1 back to the caller. */ 329 *fw_key = key1; 330 key1 = NULL; 331 } 332 } 333 334 ret = EXIT_SUCCESS; 335 336err: 337 RSA_free(key0); 338 RSA_free(key1); 339 340 return ret; 341} 342 343/* 344 * Create a certificate in @buf, describing the firmware with SHA256 digest 345 * @digest, and signed by the RSA key @fw_key. 346 */ 347static int toc0_create_cert_item(uint8_t *buf, uint32_t *len, RSA *fw_key, 348 uint8_t digest[static SHA256_DIGEST_LENGTH]) 349{ 350 struct toc0_cert_item *cert_item = (void *)buf; 351 uint8_t cert_digest[SHA256_DIGEST_LENGTH]; 352 struct toc0_totalSequence *totalSequence; 353 struct toc0_sigSequence *sigSequence; 354 struct toc0_extension *extension; 355 struct toc0_publicKey *publicKey; 356 int ret = EXIT_FAILURE; 357 unsigned int sig_len; 358 359 memcpy(cert_item, &cert_item_template, sizeof(*cert_item)); 360 *len = sizeof(*cert_item); 361 362 /* 363 * Fill in the public key. 364 * 365 * Only 2048-bit RSA keys are supported. Since this uses a fixed-size 366 * structure, it may fail for non-standard exponents. 367 */ 368 totalSequence = &cert_item->totalSequence; 369 publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey; 370 if (BN_bn2binpad(RSA_get0_n(fw_key), publicKey->n, sizeof(publicKey->n)) < 0 || 371 BN_bn2binpad(RSA_get0_e(fw_key), publicKey->e, sizeof(publicKey->e)) < 0) { 372 pr_err("Firmware key is too big for certificate\n"); 373 goto err; 374 } 375 376 /* Fill in the firmware digest. */ 377 extension = &totalSequence->mainSequence.explicit3.extension; 378 memcpy(&extension->digest, digest, SHA256_DIGEST_LENGTH); 379 380 /* 381 * Sign the certificate. 382 * 383 * In older SBROM versions (and by default in newer versions), 384 * the last 4 bytes of the certificate are not signed. 385 * 386 * (The buffer passed to SHA256 starts at tag_mainSequence, but 387 * the buffer size does not include the length of that tag.) 388 */ 389 SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest); 390 sigSequence = &totalSequence->sigSequence; 391 if (!RSA_sign(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH, 392 sigSequence->signature, &sig_len, fw_key)) { 393 pr_err("Failed to sign certificate\n"); 394 goto err; 395 } 396 if (sig_len != sizeof(sigSequence->signature)) { 397 pr_err("Bad certificate signature length\n"); 398 goto err; 399 } 400 401 ret = EXIT_SUCCESS; 402 403err: 404 return ret; 405} 406 407/* 408 * Verify the certificate in @buf, describing the firmware with SHA256 digest 409 * @digest, and signed by the RSA key contained within. If @fw_key is provided, 410 * only that key will be accepted. 411 * 412 * This function is only expected to work with images created by mkimage. 413 */ 414static int toc0_verify_cert_item(const uint8_t *buf, uint32_t len, RSA *fw_key, 415 uint8_t digest[static SHA256_DIGEST_LENGTH]) 416{ 417 const struct toc0_cert_item *cert_item = (const void *)buf; 418 uint8_t cert_digest[SHA256_DIGEST_LENGTH]; 419 const struct toc0_totalSequence *totalSequence; 420 const struct toc0_sigSequence *sigSequence; 421 const struct toc0_extension *extension; 422 const struct toc0_publicKey *publicKey; 423 int ret = EXIT_FAILURE; 424 RSA *key = NULL; 425 BIGNUM *n, *e; 426 427 /* Extract the public key from the certificate. */ 428 totalSequence = &cert_item->totalSequence; 429 publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey; 430 n = BN_bin2bn(publicKey->n, sizeof(publicKey->n), NULL); 431 e = BN_bin2bn(publicKey->e, sizeof(publicKey->e), NULL); 432 key = RSA_new(); 433 if (!key) 434 goto err; 435 if (!RSA_set0_key(key, n, e, NULL)) 436 goto err; 437 438 /* If a key was provided, compare it to the embedded key. */ 439 if (fw_key && (BN_cmp(RSA_get0_n(key), RSA_get0_n(fw_key)) || 440 BN_cmp(RSA_get0_e(key), RSA_get0_e(fw_key)))) { 441 pr_err("Wrong firmware key in certificate\n"); 442 goto err; 443 } 444 445 /* If a digest was provided, compare it to the embedded digest. */ 446 extension = &totalSequence->mainSequence.explicit3.extension; 447 if (digest && memcmp(&extension->digest, digest, SHA256_DIGEST_LENGTH)) { 448 pr_err("Wrong firmware digest in certificate\n"); 449 goto err; 450 } 451 452 /* Verify the certificate's signature. See the comment above. */ 453 SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest); 454 sigSequence = &totalSequence->sigSequence; 455 if (!RSA_verify(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH, 456 sigSequence->signature, 457 sizeof(sigSequence->signature), key)) { 458 pr_err("Bad certificate signature\n"); 459 goto err; 460 } 461 462 ret = EXIT_SUCCESS; 463 464err: 465 RSA_free(key); 466 467 return ret; 468} 469 470/* 471 * Always create a TOC0 containing 3 items. The extra item will be ignored on 472 * SoCs which do not support it. 473 */ 474static int toc0_create(uint8_t *buf, uint32_t len, RSA *root_key, RSA *fw_key, 475 uint8_t *key_item, uint32_t key_item_len, 476 uint8_t *fw_item, uint32_t fw_item_len, uint32_t fw_addr) 477{ 478 struct toc0_main_info *main_info = (void *)buf; 479 struct toc0_item_info *item_info = (void *)(main_info + 1); 480 uint8_t digest[SHA256_DIGEST_LENGTH]; 481 uint32_t *buf32 = (void *)buf; 482 RSA *orig_fw_key = fw_key; 483 int ret = EXIT_FAILURE; 484 uint32_t checksum = 0; 485 uint32_t item_offset; 486 uint32_t item_length; 487 int i; 488 489 /* Hash the firmware for inclusion in the certificate. */ 490 SHA256(fw_item, fw_item_len, digest); 491 492 /* Create the main TOC0 header, containing three items. */ 493 memcpy(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name)); 494 main_info->magic = cpu_to_le32(TOC0_MAIN_INFO_MAGIC); 495 main_info->checksum = cpu_to_le32(BROM_STAMP_VALUE); 496 main_info->num_items = cpu_to_le32(TOC0_DEFAULT_NUM_ITEMS); 497 memcpy(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end)); 498 499 /* The first item links the ROTPK to the signing key. */ 500 item_offset = sizeof(*main_info) + 501 sizeof(*item_info) * TOC0_DEFAULT_NUM_ITEMS; 502 /* Using an existing key item avoids needing the root private key. */ 503 if (key_item) { 504 item_length = sizeof(*key_item); 505 if (toc0_verify_key_item(key_item, item_length, 506 root_key, &fw_key)) 507 goto err; 508 memcpy(buf + item_offset, key_item, item_length); 509 } else if (toc0_create_key_item(buf + item_offset, &item_length, 510 root_key, fw_key)) { 511 goto err; 512 } 513 514 item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_KEY); 515 item_info->offset = cpu_to_le32(item_offset); 516 item_info->length = cpu_to_le32(item_length); 517 memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); 518 519 /* The second item contains a certificate signed by the firmware key. */ 520 item_offset = item_offset + item_length; 521 if (toc0_create_cert_item(buf + item_offset, &item_length, 522 fw_key, digest)) 523 goto err; 524 525 item_info++; 526 item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_CERT); 527 item_info->offset = cpu_to_le32(item_offset); 528 item_info->length = cpu_to_le32(item_length); 529 memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); 530 531 /* The third item contains the actual boot code. */ 532 item_offset = ALIGN(item_offset + item_length, 32); 533 item_length = fw_item_len; 534 if (buf + item_offset != fw_item) 535 memmove(buf + item_offset, fw_item, item_length); 536 537 item_info++; 538 item_info->name = cpu_to_le32(TOC0_ITEM_INFO_NAME_FIRMWARE); 539 item_info->offset = cpu_to_le32(item_offset); 540 item_info->length = cpu_to_le32(item_length); 541 item_info->load_addr = cpu_to_le32(fw_addr); 542 memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end)); 543 544 /* Pad to the required block size with 0xff to be flash-friendly. */ 545 item_offset = item_offset + item_length; 546 item_length = ALIGN(item_offset, PAD_SIZE) - item_offset; 547 memset(buf + item_offset, 0xff, item_length); 548 549 /* Fill in the total padded file length. */ 550 item_offset = item_offset + item_length; 551 main_info->length = cpu_to_le32(item_offset); 552 553 /* Verify enough space was provided when creating the image. */ 554 assert(len >= item_offset); 555 556 /* Calculate the checksum. Yes, it's that simple. */ 557 for (i = 0; i < item_offset / 4; ++i) 558 checksum += le32_to_cpu(buf32[i]); 559 main_info->checksum = cpu_to_le32(checksum); 560 561 ret = EXIT_SUCCESS; 562 563err: 564 if (fw_key != orig_fw_key) 565 RSA_free(fw_key); 566 567 return ret; 568} 569 570static const struct toc0_item_info * 571toc0_find_item(const struct toc0_main_info *main_info, uint32_t name, 572 uint32_t *offset, uint32_t *length) 573{ 574 const struct toc0_item_info *item_info = (void *)(main_info + 1); 575 uint32_t item_offset, item_length; 576 uint32_t num_items, main_length; 577 int i; 578 579 num_items = le32_to_cpu(main_info->num_items); 580 main_length = le32_to_cpu(main_info->length); 581 582 for (i = 0; i < num_items; ++i, ++item_info) { 583 if (le32_to_cpu(item_info->name) != name) 584 continue; 585 586 item_offset = le32_to_cpu(item_info->offset); 587 item_length = le32_to_cpu(item_info->length); 588 589 if (item_offset > main_length || 590 item_length > main_length - item_offset) 591 continue; 592 593 *offset = item_offset; 594 *length = item_length; 595 596 return item_info; 597 } 598 599 return NULL; 600} 601 602static int toc0_verify(const uint8_t *buf, uint32_t len, RSA *root_key) 603{ 604 const struct toc0_main_info *main_info = (void *)buf; 605 const struct toc0_item_info *item_info; 606 uint8_t digest[SHA256_DIGEST_LENGTH]; 607 uint32_t main_length = le32_to_cpu(main_info->length); 608 uint32_t checksum = BROM_STAMP_VALUE; 609 uint32_t *buf32 = (void *)buf; 610 uint32_t length, offset; 611 int ret = EXIT_FAILURE; 612 RSA *fw_key = NULL; 613 int i; 614 615 if (len < main_length) 616 goto err; 617 618 /* Verify the main header. */ 619 if (memcmp(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name))) 620 goto err; 621 if (le32_to_cpu(main_info->magic) != TOC0_MAIN_INFO_MAGIC) 622 goto err; 623 /* Verify the checksum without modifying the buffer. */ 624 for (i = 0; i < main_length / 4; ++i) 625 checksum += le32_to_cpu(buf32[i]); 626 if (checksum != 2 * le32_to_cpu(main_info->checksum)) 627 goto err; 628 /* The length must be at least 512 byte aligned. */ 629 if (main_length % 512) 630 goto err; 631 if (memcmp(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end))) 632 goto err; 633 634 /* Verify the key item if present (it is optional). */ 635 item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_KEY, 636 &offset, &length); 637 if (!item_info) 638 fw_key = root_key; 639 else if (toc0_verify_key_item(buf + offset, length, root_key, &fw_key)) 640 goto err; 641 642 /* Hash the firmware to compare with the certificate. */ 643 item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_FIRMWARE, 644 &offset, &length); 645 if (!item_info) { 646 pr_err("Missing firmware item\n"); 647 goto err; 648 } 649 SHA256(buf + offset, length, digest); 650 651 /* Verify the certificate item. */ 652 item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_CERT, 653 &offset, &length); 654 if (!item_info) { 655 pr_err("Missing certificate item\n"); 656 goto err; 657 } 658 if (toc0_verify_cert_item(buf + offset, length, fw_key, digest)) 659 goto err; 660 661 ret = EXIT_SUCCESS; 662 663err: 664 if (fw_key != root_key) 665 RSA_free(fw_key); 666 667 return ret; 668} 669 670static int toc0_check_params(struct image_tool_params *params) 671{ 672 if (!params->dflag) 673 return -EINVAL; 674 675 /* 676 * If a key directory was provided, look for key files there. 677 * Otherwise, look for them in the current directory. The key files are 678 * the "quoted" terms in the description below. 679 * 680 * A summary of the chain of trust on most SoCs: 681 * 1) eFuse contains a SHA256 digest of the public "root key". 682 * 2) Private "root key" signs the certificate item (generated here). 683 * 3) Certificate item contains a SHA256 digest of the firmware item. 684 * 685 * A summary of the chain of trust on the H6 (by default; a bit in the 686 * BROM_CONFIG eFuse makes it work like above): 687 * 1) eFuse contains a SHA256 digest of the public "root key". 688 * 2) Private "root key" signs the "key item" (generated here). 689 * 3) "Key item" contains the public "root key" and public "fw key". 690 * 4) Private "fw key" signs the certificate item (generated here). 691 * 5) Certificate item contains a SHA256 digest of the firmware item. 692 * 693 * This means there are three valid ways to generate a TOC0: 694 * 1) Provide the private "root key" only. This works everywhere. 695 * For H6, the "root key" will also be used as the "fw key". 696 * 2) FOR H6 ONLY: Provide the private "root key" and a separate 697 * private "fw key". 698 * 3) FOR H6 ONLY: Provide the private "fw key" and a pre-existing 699 * "key item" containing the corresponding public "fw key". 700 * In this case, the private "root key" can be kept offline. The 701 * "key item" can be extracted from a TOC0 image generated using 702 * method #2 above. 703 * 704 * Note that until the ROTPK_HASH eFuse is programmed, any "root key" 705 * will be accepted by the BROM. 706 */ 707 if (params->keydir) { 708 if (asprintf(&fw_key_file, "%s/%s", params->keydir, fw_key_file) < 0) 709 return -ENOMEM; 710 if (asprintf(&key_item_file, "%s/%s", params->keydir, key_item_file) < 0) 711 return -ENOMEM; 712 if (asprintf(&root_key_file, "%s/%s", params->keydir, root_key_file) < 0) 713 return -ENOMEM; 714 } 715 716 return 0; 717} 718 719static int toc0_verify_header(unsigned char *buf, int image_size, 720 struct image_tool_params *params) 721{ 722 int ret = EXIT_FAILURE; 723 RSA *root_key = NULL; 724 FILE *fp; 725 726 /* A root public key is optional. */ 727 fp = fopen(root_key_file, "rb"); 728 if (fp) { 729 pr_info("Verifying image with existing root key\n"); 730 root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); 731 if (!root_key) 732 root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL); 733 fclose(fp); 734 if (!root_key) { 735 pr_err("Failed to read public key from '%s'\n", 736 root_key_file); 737 goto err; 738 } 739 } 740 741 ret = toc0_verify(buf, image_size, root_key); 742 743err: 744 RSA_free(root_key); 745 746 return ret; 747} 748 749static const char *toc0_item_name(uint32_t name) 750{ 751 if (name == TOC0_ITEM_INFO_NAME_CERT) 752 return "Certificate"; 753 if (name == TOC0_ITEM_INFO_NAME_FIRMWARE) 754 return "Firmware"; 755 if (name == TOC0_ITEM_INFO_NAME_KEY) 756 return "Key"; 757 return "(unknown)"; 758} 759 760static void toc0_print_header(const void *buf, struct image_tool_params *params) 761{ 762 const struct toc0_main_info *main_info = buf; 763 const struct toc0_item_info *item_info = (void *)(main_info + 1); 764 uint32_t head_length, main_length, num_items; 765 uint32_t item_offset, item_length, item_name; 766 int load_addr = -1; 767 int i; 768 769 num_items = le32_to_cpu(main_info->num_items); 770 head_length = sizeof(*main_info) + num_items * sizeof(*item_info); 771 main_length = le32_to_cpu(main_info->length); 772 773 printf("Allwinner TOC0 Image\n" 774 "Size: %d bytes\n" 775 "Contents: %d items\n" 776 " 00000000:%08x Headers\n", 777 main_length, num_items, head_length); 778 779 for (i = 0; i < num_items; ++i, ++item_info) { 780 item_offset = le32_to_cpu(item_info->offset); 781 item_length = le32_to_cpu(item_info->length); 782 item_name = le32_to_cpu(item_info->name); 783 784 if (item_name == TOC0_ITEM_INFO_NAME_FIRMWARE) 785 load_addr = le32_to_cpu(item_info->load_addr); 786 787 printf(" %08x:%08x %s\n", 788 item_offset, item_length, 789 toc0_item_name(item_name)); 790 } 791 792 if (num_items && item_offset + item_length < main_length) { 793 item_offset = item_offset + item_length; 794 item_length = main_length - item_offset; 795 796 printf(" %08x:%08x Padding\n", 797 item_offset, item_length); 798 } 799 800 if (load_addr != -1) 801 printf("Load address: 0x%08x\n", load_addr); 802} 803 804static void toc0_set_header(void *buf, struct stat *sbuf, int ifd, 805 struct image_tool_params *params) 806{ 807 uint32_t key_item_len = 0; 808 uint8_t *key_item = NULL; 809 int ret = EXIT_FAILURE; 810 RSA *root_key = NULL; 811 RSA *fw_key = NULL; 812 FILE *fp; 813 814 /* Either a key item or the root private key is required. */ 815 fp = fopen(key_item_file, "rb"); 816 if (fp) { 817 pr_info("Creating image using existing key item\n"); 818 key_item_len = sizeof(struct toc0_key_item); 819 key_item = OPENSSL_malloc(key_item_len); 820 if (!key_item || fread(key_item, key_item_len, 1, fp) != 1) { 821 pr_err("Failed to read key item from '%s'\n", 822 root_key_file); 823 goto err; 824 } 825 fclose(fp); 826 fp = NULL; 827 } 828 829 fp = fopen(root_key_file, "rb"); 830 if (fp) { 831 root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); 832 if (!root_key) 833 root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL); 834 fclose(fp); 835 fp = NULL; 836 } 837 838 /* When using an existing key item, the root key is optional. */ 839 if (!key_item && (!root_key || !RSA_get0_d(root_key))) { 840 pr_err("Failed to read private key from '%s'\n", 841 root_key_file); 842 pr_info("Try 'openssl genrsa -out root_key.pem'\n"); 843 goto err; 844 } 845 846 /* The certificate/firmware private key is always required. */ 847 fp = fopen(fw_key_file, "rb"); 848 if (fp) { 849 fw_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL); 850 fclose(fp); 851 fp = NULL; 852 } 853 if (!fw_key) { 854 /* If the root key is a private key, it can be used instead. */ 855 if (root_key && RSA_get0_d(root_key)) { 856 pr_info("Using root key as firmware key\n"); 857 fw_key = root_key; 858 } else { 859 pr_err("Failed to read private key from '%s'\n", 860 fw_key_file); 861 goto err; 862 } 863 } 864 865 /* Warn about potential compatibility issues. */ 866 if (key_item || fw_key != root_key) 867 pr_warn("Only H6 supports separate root and firmware keys\n"); 868 869 ret = toc0_create(buf, params->file_size, root_key, fw_key, 870 key_item, key_item_len, 871 buf + TOC0_DEFAULT_HEADER_LEN, 872 params->orig_file_size, params->addr); 873 874err: 875 OPENSSL_free(key_item); 876 OPENSSL_free(root_key); 877 if (fw_key != root_key) 878 OPENSSL_free(fw_key); 879 if (fp) 880 fclose(fp); 881 882 if (ret != EXIT_SUCCESS) 883 exit(ret); 884} 885 886static int toc0_check_image_type(uint8_t type) 887{ 888 return type == IH_TYPE_SUNXI_TOC0 ? 0 : 1; 889} 890 891static int toc0_vrec_header(struct image_tool_params *params, 892 struct image_type_params *tparams) 893{ 894 tparams->hdr = calloc(tparams->header_size, 1); 895 896 /* Save off the unpadded data size for SHA256 calculation. */ 897 params->orig_file_size = params->file_size - TOC0_DEFAULT_HEADER_LEN; 898 899 /* Return padding to 8K blocks. */ 900 return ALIGN(params->file_size, PAD_SIZE) - params->file_size; 901} 902 903U_BOOT_IMAGE_TYPE( 904 sunxi_toc0, 905 "Allwinner TOC0 Boot Image support", 906 TOC0_DEFAULT_HEADER_LEN, 907 NULL, 908 toc0_check_params, 909 toc0_verify_header, 910 toc0_print_header, 911 toc0_set_header, 912 NULL, 913 toc0_check_image_type, 914 NULL, 915 toc0_vrec_header 916); 917