/* * Copyright (C) 2016 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #include <inttypes.h> #include <stdint.h> #include <stdio.h> #include <string.h> #include <nanohub/aes.h> #include <nanohub/rsa.h> #include <nanohub/sha2.h> #include <appSec.h> #include <bl.h> #include <heap.h> #include <seos.h> #define APP_HDR_SIZE (sizeof(struct ImageHeader)) #define APP_HDR_MAX_SIZE (sizeof(struct ImageHeader) + sizeof(struct AppSecSignHdr) + sizeof(struct AppSecEncrHdr)) #define APP_DATA_CHUNK_SIZE (AES_BLOCK_WORDS * sizeof(uint32_t)) //data blocks are this size #define APP_SIG_SIZE RSA_BYTES // verify block is SHA placed in integral number of encryption blocks (for SHA256 and AES256 happens to be exactly 2 AES blocks) #define APP_VERIFY_BLOCK_SIZE ((SHA2_HASH_SIZE + AES_BLOCK_SIZE - 1) / AES_BLOCK_SIZE) * AES_BLOCK_SIZE #define APP_SEC_SIG_ALIGN APP_DATA_CHUNK_SIZE #define APP_SEC_ENCR_ALIGN APP_DATA_CHUNK_SIZE #define STATE_INIT 0 // nothing gotten yet #define STATE_RXING_HEADERS 1 // variable size headers (min APP_HDR_SIZE, max APP_HDR_MAX_SIZE) #define STATE_RXING_DATA 2 // each data block is AES_BLOCK_WORDS 32-bit words (for AES reasons) #define STATE_RXING_SIG_HASH 3 // each is RSA_BYTES bytes #define STATE_RXING_SIG_PUBKEY 4 // each is RSA_BYTES bytes #define STATE_VERIFY 5 // decryption of ciphertext done; now decrypting and verifying the encrypted plaintext SHA2 #define STATE_DONE 6 // all is finished and well #define STATE_BAD 7 // unrecoverable badness has happened. this will *NOT* fix itself. It is now ok to give up, start over, cry, or pray to your favourite deity for help #define STATE_MAX 8 // total number of states //#define DEBUG_FSM struct AppSecState { union { //we save some memory by reusing this space. struct { struct AesCbcContext cbc; struct Sha2state sha; struct Sha2state cbcSha; }; struct { struct RsaState rsa; uint32_t rsaState1, rsaState2, rsaStep; }; }; uint32_t rsaTmp[RSA_WORDS]; uint32_t lastHash[SHA2_HASH_WORDS]; AppSecWriteCbk writeCbk; AppSecPubKeyFindCbk pubKeyFindCbk; AppSecGetAesKeyCbk aesKeyAccessCbk; union { union { //make the compiler work to make sure we have enough space uint8_t placeholderAppHdr[APP_HDR_MAX_SIZE]; uint8_t placeholderDataChunk[APP_DATA_CHUNK_SIZE]; uint8_t placeholderSigChunk[APP_SIG_SIZE]; uint8_t placeholderAesKey[AES_KEY_WORDS * sizeof(uint32_t)]; }; uint8_t dataBytes[0]; //we actually use these two for access uint32_t dataWords[0]; }; uint32_t signedBytesIn; uint32_t encryptedBytesIn; uint32_t signedBytesOut; uint32_t encryptedBytesOut; uint16_t haveBytes; //in dataBytes... uint16_t chunkSize; uint8_t curState; uint8_t needSig :1; uint8_t haveSig :1; uint8_t haveEncr :1; uint8_t haveTrustedKey :1; uint8_t doingRsa :1; }; static void limitChunkSize(struct AppSecState *state) { if (state->haveSig && state->chunkSize > state->signedBytesIn) state->chunkSize = state->signedBytesIn; if (state->haveEncr && state->chunkSize > state->encryptedBytesIn) state->chunkSize = state->signedBytesIn; } static void appSecSetCurState(struct AppSecState *state, uint32_t curState) { const static uint16_t chunkSize[STATE_MAX] = { [STATE_RXING_HEADERS] = APP_HDR_SIZE, [STATE_RXING_DATA] = APP_DATA_CHUNK_SIZE, [STATE_VERIFY] = APP_VERIFY_BLOCK_SIZE, [STATE_RXING_SIG_HASH] = APP_SIG_SIZE, [STATE_RXING_SIG_PUBKEY] = APP_SIG_SIZE, }; if (curState >= STATE_MAX) curState = STATE_BAD; if (curState != state->curState || curState == STATE_INIT) { #ifdef DEBUG_FSM osLog(LOG_INFO, "%s: oldState=%" PRIu8 "; new state=%" PRIu32 "; old chunk size=%" PRIu16 "; new chunk size=%" PRIu16 "; have bytes=%" PRIu16 "\n", __func__, state->curState, curState, state->chunkSize, chunkSize[curState], state->haveBytes); #endif state->curState = curState; state->chunkSize = chunkSize[curState]; } } static inline uint32_t appSecGetCurState(const struct AppSecState *state) { return state->curState; } //init/deinit struct AppSecState *appSecInit(AppSecWriteCbk writeCbk, AppSecPubKeyFindCbk pubKeyFindCbk, AppSecGetAesKeyCbk aesKeyAccessCbk, bool mandateSigning) { struct AppSecState *state = heapAlloc(sizeof(struct AppSecState)); if (!state) return NULL; memset(state, 0, sizeof(struct AppSecState)); state->writeCbk = writeCbk; state->pubKeyFindCbk = pubKeyFindCbk; state->aesKeyAccessCbk = aesKeyAccessCbk; appSecSetCurState(state, STATE_INIT); if (mandateSigning) state->needSig = 1; return state; } void appSecDeinit(struct AppSecState *state) { heapFree(state); } //if needed, decrypt and hash incoming data static AppSecErr appSecBlockRx(struct AppSecState *state) { //if signatures are on, hash it if (state->haveSig) { //make sure we do not get too much data & account for the data we got if (state->haveBytes > state->signedBytesIn) return APP_SEC_TOO_MUCH_DATA; state->signedBytesIn -= state->haveBytes; //make sure we do not produce too much data (discard padding) & make sure we account for it if (state->signedBytesOut < state->haveBytes) state->haveBytes = state->signedBytesOut; state->signedBytesOut -= state->haveBytes; //hash the data BL.blSha2processBytes(&state->sha, state->dataBytes, state->haveBytes); } // decrypt if encryption is on if (state->haveEncr) { uint32_t *dataP = state->dataWords; uint32_t i, numBlocks = state->haveBytes / APP_DATA_CHUNK_SIZE; //we should not be called with partial encr blocks if (state->haveBytes % APP_DATA_CHUNK_SIZE) return APP_SEC_TOO_LITTLE_DATA; // make sure we do not get too much data & account for the data we got if (state->haveBytes > state->encryptedBytesIn) return APP_SEC_TOO_MUCH_DATA; state->encryptedBytesIn -= state->haveBytes; // decrypt for (i = 0; i < numBlocks; i++, dataP += AES_BLOCK_WORDS) BL.blAesCbcDecr(&state->cbc, dataP, dataP); // make sure we do not produce too much data (discard padding) & make sure we account for it if (state->encryptedBytesOut < state->haveBytes) state->haveBytes = state->encryptedBytesOut; state->encryptedBytesOut -= state->haveBytes; if (state->haveBytes) BL.blSha2processBytes(&state->cbcSha, state->dataBytes, state->haveBytes); } limitChunkSize(state); return APP_SEC_NO_ERROR; } static AppSecErr appSecProcessIncomingHdr(struct AppSecState *state, uint32_t *needBytesOut) { struct ImageHeader *image; struct nano_app_binary_t *aosp; uint32_t flags; uint32_t needBytes; struct AppSecSignHdr *signHdr = NULL; struct AppSecEncrHdr *encrHdr = NULL; uint8_t *hdr = state->dataBytes; AppSecErr ret; image = (struct ImageHeader *)hdr; hdr += sizeof(*image); aosp = &image->aosp; flags = aosp->flags; if (aosp->header_version != 1 || aosp->magic != NANOAPP_AOSP_MAGIC || image->layout.version != 1 || image->layout.magic != GOOGLE_LAYOUT_MAGIC) return APP_SEC_HEADER_ERROR; needBytes = sizeof(*image); if ((flags & NANOAPP_SIGNED_FLAG) != 0) needBytes += sizeof(*signHdr); if ((flags & NANOAPP_ENCRYPTED_FLAG) != 0) needBytes += sizeof(*encrHdr); *needBytesOut = needBytes; if (needBytes > state->haveBytes) return APP_SEC_NO_ERROR; *needBytesOut = 0; if ((flags & NANOAPP_SIGNED_FLAG) != 0) { signHdr = (struct AppSecSignHdr *)hdr; hdr += sizeof(*signHdr); osLog(LOG_INFO, "%s: signed size=%" PRIu32 "\n", __func__, signHdr->appDataLen); if (!signHdr->appDataLen) { //no data bytes return APP_SEC_INVALID_DATA; } state->signedBytesIn = state->signedBytesOut = signHdr->appDataLen; state->haveSig = 1; BL.blSha2init(&state->sha); BL.blSha2processBytes(&state->sha, state->dataBytes, needBytes); } if ((flags & NANOAPP_ENCRYPTED_FLAG) != 0) { uint32_t k[AES_KEY_WORDS]; encrHdr = (struct AppSecEncrHdr *)hdr; hdr += sizeof(*encrHdr); osLog(LOG_INFO, "%s: encrypted data size=%" PRIu32 "; key ID=%016" PRIX64 "\n", __func__, encrHdr->dataLen, encrHdr->keyID); if (!encrHdr->dataLen || !encrHdr->keyID) return APP_SEC_INVALID_DATA; ret = state->aesKeyAccessCbk(encrHdr->keyID, k); if (ret != APP_SEC_NO_ERROR) { osLog(LOG_ERROR, "%s: Secret key not found\n", __func__); return ret; } BL.blAesCbcInitForDecr(&state->cbc, k, encrHdr->IV); BL.blSha2init(&state->cbcSha); state->encryptedBytesOut = encrHdr->dataLen; state->encryptedBytesIn = ((state->encryptedBytesOut + APP_SEC_ENCR_ALIGN - 1) / APP_SEC_ENCR_ALIGN) * APP_SEC_ENCR_ALIGN; state->haveEncr = 1; osLog(LOG_INFO, "%s: encrypted aligned data size=%" PRIu32 "\n", __func__, state->encryptedBytesIn); if (state->haveSig) { state->signedBytesIn = state->signedBytesOut = signHdr->appDataLen - sizeof(*encrHdr); // at this point, signedBytesOut must equal encryptedBytesIn if (state->signedBytesOut != (state->encryptedBytesIn + SHA2_HASH_SIZE)) { osLog(LOG_ERROR, "%s: sig data size does not match encrypted data\n", __func__); return APP_SEC_INVALID_DATA; } } } //if we are in must-sign mode and no signature was provided, fail if (!state->haveSig && state->needSig) { osLog(LOG_ERROR, "%s: only signed images can be uploaded\n", __func__); return APP_SEC_SIG_VERIFY_FAIL; } // now, transform AOSP header to FW common header struct FwCommonHdr common = { .magic = APP_HDR_MAGIC, .appId = aosp->app_id, .fwVer = APP_HDR_VER_CUR, .fwFlags = image->layout.flags, .appVer = aosp->app_version, .payInfoType = image->layout.payload, .chreApiMajor = 0xFF, .chreApiMinor = 0xFF, }; if (image->layout.flags & FL_APP_HDR_CHRE) { if (aosp->chre_api_major || aosp->chre_api_minor) { common.chreApiMajor = aosp->chre_api_major; common.chreApiMinor = aosp->chre_api_minor; } else { // fields not defined prior to CHRE 1.1 common.chreApiMajor = 0x01; common.chreApiMinor = 0x00; } } // check to see if this is special system types of payload switch(image->layout.payload) { case LAYOUT_APP: common.fwFlags = (common.fwFlags | FL_APP_HDR_APPLICATION) & ~FL_APP_HDR_INTERNAL; common.payInfoSize = sizeof(struct AppInfo); osLog(LOG_INFO, "App container found\n"); break; case LAYOUT_KEY: common.fwFlags |= FL_APP_HDR_SECURE; common.payInfoSize = sizeof(struct KeyInfo); osLog(LOG_INFO, "Key container found\n"); break; case LAYOUT_OS: common.payInfoSize = sizeof(struct OsUpdateHdr); osLog(LOG_INFO, "OS update container found\n"); break; default: break; } memcpy(state->dataBytes, &common, sizeof(common)); state->haveBytes = sizeof(common); //we're now in data-accepting state appSecSetCurState(state, STATE_RXING_DATA); return APP_SEC_NO_ERROR; } static AppSecErr appSecProcessIncomingData(struct AppSecState *state) { //check for data-ending conditions if (state->haveSig && !state->signedBytesIn) { // we're all done with the signed portion of the data, now come the signatures appSecSetCurState(state, STATE_RXING_SIG_HASH); //collect the hash memcpy(state->lastHash, BL.blSha2finish(&state->sha), SHA2_HASH_SIZE); } else if (state->haveEncr && !state->encryptedBytesIn) { if (appSecGetCurState(state) == STATE_RXING_DATA) { //we're all done with encrypted plaintext state->encryptedBytesIn = sizeof(state->cbcSha); appSecSetCurState(state, STATE_VERIFY); } } //pass to caller return state->haveBytes ? state->writeCbk(state->dataBytes, state->haveBytes) : APP_SEC_NO_ERROR; } AppSecErr appSecDoSomeProcessing(struct AppSecState *state) { const uint32_t *result; if (!state->doingRsa) { //shouldn't be calling us then... return APP_SEC_BAD; } result = BL.blRsaPubOpIterative(&state->rsa, state->rsaTmp, state->dataWords, &state->rsaState1, &state->rsaState2, &state->rsaStep); if (state->rsaStep) return APP_SEC_NEED_MORE_TIME; //we just finished the RSA-ing state->doingRsa = 0; //verify signature padding (and thus likely: correct decryption) result = BL.blSigPaddingVerify(result); if (!result) return APP_SEC_SIG_DECODE_FAIL; //check if hashes match if (memcmp(state->lastHash, result, SHA2_HASH_SIZE)) return APP_SEC_SIG_VERIFY_FAIL; //hash the provided pubkey BL.blSha2init(&state->sha); BL.blSha2processBytes(&state->sha, state->dataBytes, APP_SIG_SIZE); memcpy(state->lastHash, BL.blSha2finish(&state->sha), SHA2_HASH_SIZE); appSecSetCurState(state, STATE_RXING_SIG_HASH); return APP_SEC_NO_ERROR; } static AppSecErr appSecProcessIncomingSigData(struct AppSecState *state) { bool keyFound = false; //if we're RXing the hash, just stash it away and move on if (appSecGetCurState(state) == STATE_RXING_SIG_HASH) { state->haveTrustedKey = 0; memcpy(state->rsaTmp, state->dataWords, APP_SIG_SIZE); appSecSetCurState(state, STATE_RXING_SIG_PUBKEY); return APP_SEC_NO_ERROR; } // verify it is a known root state->pubKeyFindCbk(state->dataWords, &keyFound); state->haveTrustedKey = keyFound; //we now have the pubKey. decrypt over time state->doingRsa = 1; state->rsaStep = 0; return APP_SEC_NEED_MORE_TIME; } static AppSecErr appSecVerifyEncryptedData(struct AppSecState *state) { const uint32_t *hash = BL.blSha2finish(&state->cbcSha); bool verified = memcmp(hash, state->dataBytes, SHA2_BLOCK_SIZE) == 0; osLog(LOG_INFO, "%s: decryption verification: %s\n", __func__, verified ? "passed" : "failed"); // TODO: fix verify logic // return verified ? APP_SEC_NO_ERROR : APP_SEC_VERIFY_FAILED; return APP_SEC_NO_ERROR; } AppSecErr appSecRxData(struct AppSecState *state, const void *dataP, uint32_t len, uint32_t *lenUnusedP) { const uint8_t *data = (const uint8_t*)dataP; AppSecErr ret = APP_SEC_NO_ERROR; uint32_t needBytes; if (appSecGetCurState(state) == STATE_INIT) appSecSetCurState(state, STATE_RXING_HEADERS); while (len) { len--; state->dataBytes[state->haveBytes++] = *data++; if (state->haveBytes < state->chunkSize) continue; switch (appSecGetCurState(state)) { case STATE_RXING_HEADERS: // AOSP header is never encrypted; if it is signed, it will hash itself needBytes = 0; ret = appSecProcessIncomingHdr(state, &needBytes); if (ret != APP_SEC_NO_ERROR) goto out; if (needBytes > state->chunkSize) { state->chunkSize = needBytes; // get more data and try again continue; } // done with parsing header(s); we might have something to write to flash if (state->haveBytes) { osLog(LOG_INFO, "%s: save converted header [%" PRIu16 " bytes] to flash\n", __func__, state->haveBytes); ret = appSecProcessIncomingData(state); state->haveBytes = 0; } limitChunkSize(state); goto out; case STATE_RXING_DATA: ret = appSecBlockRx(state); if (ret != APP_SEC_NO_ERROR) goto out; ret = appSecProcessIncomingData(state); state->haveBytes = 0; if (ret != APP_SEC_NO_ERROR) goto out; break; case STATE_VERIFY: ret = appSecBlockRx(state); if (ret == APP_SEC_NO_ERROR) ret = appSecProcessIncomingData(state); if (ret == APP_SEC_NO_ERROR) ret = appSecVerifyEncryptedData(state); goto out; case STATE_RXING_SIG_HASH: case STATE_RXING_SIG_PUBKEY: //no need for calling appSecBlockRx() as sigs are not signed, and encryption cannot be done after signing ret = appSecProcessIncomingSigData(state); state->haveBytes = 0; goto out; default: appSecSetCurState(state, STATE_BAD); state->haveBytes = 0; len = 0; ret = APP_SEC_BAD; break; } } out: *lenUnusedP = len; if (ret != APP_SEC_NO_ERROR && ret != APP_SEC_NEED_MORE_TIME) { osLog(LOG_ERROR, "%s: failed: state=%" PRIu32 "; err=%" PRIu32 "\n", __func__, appSecGetCurState(state), ret); appSecSetCurState(state, STATE_BAD); } return ret; } AppSecErr appSecRxDataOver(struct AppSecState *state) { AppSecErr ret; // Feed remaining data to data processor, if any if (state->haveBytes) { // if we are using encryption and/or signing, we are supposed to consume all data at this point. if (state->haveSig || state->haveEncr) { appSecSetCurState(state, STATE_BAD); return APP_SEC_TOO_LITTLE_DATA; } // Not in data rx stage when the incoming data ends? This is not good (if we had encr or sign we'd not be here) if (appSecGetCurState(state) != STATE_RXING_DATA) { appSecSetCurState(state, STATE_BAD); return APP_SEC_TOO_LITTLE_DATA; } // Feed the remaining data to the data processor ret = appSecProcessIncomingData(state); if (ret != APP_SEC_NO_ERROR) { appSecSetCurState(state, STATE_BAD); return ret; } } else { // we don't know in advance how many signature packs we shall receive, // so we evaluate every signature pack as if it is the last, but do not // return error if public key is not trusted; only here we make the final // determination if (state->haveSig) { // check the most recent key status if (!state->haveTrustedKey) { appSecSetCurState(state, STATE_BAD); return APP_SEC_SIG_ROOT_UNKNOWN; } else { appSecSetCurState(state, STATE_DONE); } } } //for unsigned/unencrypted case we have no way to judge length, so we assume it is over when we're told it is //this is potentially dangerous, but then again so is allowing unsigned uploads in general. if (!state->haveSig && !state->haveEncr && appSecGetCurState(state) == STATE_RXING_DATA) appSecSetCurState(state, STATE_DONE); //Check the state and return our verdict if(appSecGetCurState(state) == STATE_DONE) return APP_SEC_NO_ERROR; appSecSetCurState(state, STATE_BAD); return APP_SEC_TOO_LITTLE_DATA; }