1 /* Copyright 2015 The ChromiumOS Authors
2 * Use of this source code is governed by a BSD-style license that can be
3 * found in the LICENSE file.
4 *
5 * Tests for kernel verification library
6 */
7
8 #include <stdio.h>
9
10 #include "2api.h"
11 #include "2common.h"
12 #include "2misc.h"
13 #include "2nvstorage.h"
14 #include "2rsa.h"
15 #include "2secdata.h"
16 #include "2sysincludes.h"
17 #include "common/tests.h"
18
19 /* Common context for tests */
20 static uint8_t workbuf[VB2_KERNEL_WORKBUF_RECOMMENDED_SIZE]
21 __attribute__((aligned(VB2_WORKBUF_ALIGN)));
22 static struct vb2_workbuf wb;
23 static struct vb2_context *ctx;
24 static struct vb2_shared_data *sd;
25
26 /* Mocked function data */
27
28 static struct {
29 struct vb2_gbb_header h;
30 struct vb2_packed_key recovery_key;
31 char recovery_key_data[32];
32 } mock_gbb;
33
34 static struct {
35 /* Keyblock */
36 struct {
37 struct vb2_keyblock kb;
38 char data_key_data[16];
39 uint8_t kbdata[128];
40 uint8_t hash[VB2_SHA512_DIGEST_SIZE];
41 } k;
42 /* Preamble follows keyblock */
43 struct {
44 struct vb2_kernel_preamble pre;
45 uint8_t predata[128];
46 } p;
47 } mock_vblock;
48
49 static int mock_read_res_fail_on_call;
50 static int mock_unpack_key_retval;
51 static int mock_verify_keyblock_retval;
52 static int mock_verify_preamble_retval;
53
54 /* Type of test to reset for */
55 enum reset_type {
56 FOR_KEYBLOCK,
57 FOR_PREAMBLE
58 };
59
rehash_keyblock(void)60 static void rehash_keyblock(void)
61 {
62 struct vb2_keyblock *kb = &mock_vblock.k.kb;
63 struct vb2_signature *hashsig = &mock_vblock.k.kb.keyblock_hash;
64 struct vb2_digest_context dc;
65
66
67 hashsig->sig_offset = vb2_offset_of(hashsig, mock_vblock.k.hash);
68 hashsig->sig_size = sizeof(mock_vblock.k.hash);
69 hashsig->data_size = hashsig->sig_offset;
70 vb2_digest_init(&dc, false, VB2_HASH_SHA512, 0);
71 vb2_digest_extend(&dc, (const uint8_t *)kb, hashsig->data_size);
72 vb2_digest_finalize(&dc, mock_vblock.k.hash, hashsig->sig_size);
73 }
74
reset_common_data(enum reset_type t)75 static void reset_common_data(enum reset_type t)
76 {
77 struct vb2_keyblock *kb = &mock_vblock.k.kb;
78 struct vb2_kernel_preamble *pre = &mock_vblock.p.pre;
79
80 memset(workbuf, 0xaa, sizeof(workbuf));
81
82 TEST_SUCC(vb2api_init(workbuf, sizeof(workbuf), &ctx),
83 "vb2api_init failed");
84
85 vb2_workbuf_from_ctx(ctx, &wb);
86 sd = vb2_get_sd(ctx);
87
88 vb2_nv_init(ctx);
89
90 vb2api_secdata_kernel_create(ctx);
91 vb2_secdata_kernel_init(ctx);
92
93 mock_read_res_fail_on_call = 0;
94 mock_unpack_key_retval = VB2_SUCCESS;
95 mock_verify_keyblock_retval = VB2_SUCCESS;
96 mock_verify_preamble_retval = VB2_SUCCESS;
97
98 /* Set up mock data for verifying keyblock */
99 sd->kernel_version_secdata = 0x20002;
100 vb2_secdata_kernel_set(ctx, VB2_SECDATA_KERNEL_VERSIONS, 0x20002);
101
102 mock_gbb.recovery_key.algorithm = 11;
103 mock_gbb.recovery_key.key_offset =
104 vb2_offset_of(&mock_gbb.recovery_key,
105 &mock_gbb.recovery_key_data);
106 mock_gbb.recovery_key.key_size = sizeof(mock_gbb.recovery_key_data);
107
108 kb->keyblock_size = sizeof(mock_vblock.k);
109 memcpy(kb->magic, VB2_KEYBLOCK_MAGIC, VB2_KEYBLOCK_MAGIC_SIZE);
110
111 kb->keyblock_flags = VB2_KEYBLOCK_FLAG_DEVELOPER_1 |
112 VB2_KEYBLOCK_FLAG_DEVELOPER_0 |
113 VB2_KEYBLOCK_FLAG_RECOVERY_1 | VB2_KEYBLOCK_FLAG_RECOVERY_0;
114 kb->header_version_major = VB2_KEYBLOCK_VERSION_MAJOR;
115 kb->header_version_minor = VB2_KEYBLOCK_VERSION_MINOR;
116 kb->data_key.algorithm = 7;
117 kb->data_key.key_version = 2;
118 kb->data_key.key_offset =
119 vb2_offset_of(&mock_vblock.k, &mock_vblock.k.data_key_data) -
120 vb2_offset_of(&mock_vblock.k, &kb->data_key);
121 kb->data_key.key_size = sizeof(mock_vblock.k.data_key_data);
122 strcpy(mock_vblock.k.data_key_data, "data key data!!");
123 rehash_keyblock();
124
125 pre->preamble_size = sizeof(mock_vblock.p);
126 pre->kernel_version = 2;
127
128 /* If verifying preamble, verify keyblock first to set up data key */
129 if (t == FOR_PREAMBLE)
130 vb2_load_kernel_keyblock(ctx);
131 };
132
133 /* Mocked functions */
134
vb2ex_read_resource(struct vb2_context * c,enum vb2_resource_index index,uint32_t offset,void * buf,uint32_t size)135 vb2_error_t vb2ex_read_resource(struct vb2_context *c,
136 enum vb2_resource_index index, uint32_t offset,
137 void *buf, uint32_t size)
138 {
139 uint8_t *rptr;
140 uint32_t rsize;
141
142 if (--mock_read_res_fail_on_call == 0)
143 return VB2_ERROR_MOCK;
144
145 switch(index) {
146 case VB2_RES_GBB:
147 rptr = (uint8_t *)&mock_gbb;
148 rsize = sizeof(mock_gbb);
149 break;
150 case VB2_RES_KERNEL_VBLOCK:
151 rptr = (uint8_t *)&mock_vblock;
152 rsize = sizeof(mock_vblock);
153 break;
154 default:
155 return VB2_ERROR_EX_READ_RESOURCE_INDEX;
156 }
157
158 if (offset > rsize || offset + size > rsize)
159 return VB2_ERROR_EX_READ_RESOURCE_SIZE;
160
161 memcpy(buf, rptr + offset, size);
162 return VB2_SUCCESS;
163 }
164
vb2_unpack_key_buffer(struct vb2_public_key * key,const uint8_t * buf,uint32_t size)165 vb2_error_t vb2_unpack_key_buffer(struct vb2_public_key *key,
166 const uint8_t *buf, uint32_t size)
167 {
168 key->arrsize = 0;
169 return mock_unpack_key_retval;
170 }
171
vb2_verify_keyblock(struct vb2_keyblock * block,uint32_t size,const struct vb2_public_key * key,const struct vb2_workbuf * w)172 vb2_error_t vb2_verify_keyblock(struct vb2_keyblock *block, uint32_t size,
173 const struct vb2_public_key *key,
174 const struct vb2_workbuf *w)
175 {
176 return mock_verify_keyblock_retval;
177 }
178
vb2_verify_kernel_preamble(struct vb2_kernel_preamble * preamble,uint32_t size,const struct vb2_public_key * key,const struct vb2_workbuf * w)179 vb2_error_t vb2_verify_kernel_preamble(struct vb2_kernel_preamble *preamble,
180 uint32_t size,
181 const struct vb2_public_key *key,
182 const struct vb2_workbuf *w)
183 {
184 return mock_verify_preamble_retval;
185 }
186
187 /* Tests */
188
verify_keyblock_hash_tests(void)189 static void verify_keyblock_hash_tests(void)
190 {
191 struct vb2_keyblock *kb = &mock_vblock.k.kb;
192
193 /* Test successful call */
194 reset_common_data(FOR_KEYBLOCK);
195 TEST_SUCC(vb2_verify_keyblock_hash(kb, kb->keyblock_size, &wb),
196 "Keyblock hash good");
197
198 /* Validity check keyblock */
199 reset_common_data(FOR_KEYBLOCK);
200 kb->magic[0] ^= 0xd0;
201 TEST_EQ(vb2_verify_keyblock_hash(kb, kb->keyblock_size, &wb),
202 VB2_ERROR_KEYBLOCK_MAGIC, "Keyblock validity check");
203
204 /*
205 * Validity check should be looking at the keyblock hash struct, not
206 * the keyblock signature struct.
207 */
208 reset_common_data(FOR_KEYBLOCK);
209 kb->keyblock_hash.data_size = sizeof(*kb) - 1;
210 TEST_EQ(vb2_verify_keyblock_hash(kb, kb->keyblock_size, &wb),
211 VB2_ERROR_KEYBLOCK_SIGNED_TOO_LITTLE,
212 "Keyblock check hash sig");
213
214 reset_common_data(FOR_KEYBLOCK);
215 mock_vblock.k.data_key_data[0] ^= 0xa0;
216 TEST_EQ(vb2_verify_keyblock_hash(kb, kb->keyblock_size, &wb),
217 VB2_ERROR_KEYBLOCK_HASH_INVALID_IN_DEV_MODE,
218 "Keyblock check hash invalid");
219 }
220
load_kernel_keyblock_tests(void)221 static void load_kernel_keyblock_tests(void)
222 {
223 struct vb2_keyblock *kb = &mock_vblock.k.kb;
224 struct vb2_packed_key *k;
225 int expected_offset;
226
227 /* Test successful call */
228 reset_common_data(FOR_KEYBLOCK);
229 expected_offset = sd->workbuf_used;
230 TEST_SUCC(vb2_load_kernel_keyblock(ctx), "Kernel keyblock good");
231 TEST_NEQ(sd->flags & VB2_SD_FLAG_KERNEL_SIGNED, 0, " Kernel signed");
232 TEST_EQ(sd->kernel_version, 0x20000, "keyblock version");
233 TEST_EQ(sd->vblock_preamble_offset, sizeof(mock_vblock.k),
234 "preamble offset");
235 TEST_EQ(sd->data_key_offset, expected_offset,
236 "keyblock data key offset");
237 TEST_EQ(sd->workbuf_used,
238 vb2_wb_round_up(sd->data_key_offset +
239 sd->data_key_size),
240 "workbuf used");
241
242 /* Make sure data key was properly saved */
243 k = vb2_member_of(sd, sd->data_key_offset);
244 TEST_EQ(k->algorithm, 7, "data key algorithm");
245 TEST_EQ(k->key_version, 2, "data key version");
246 TEST_EQ(k->key_size, sizeof(mock_vblock.k.data_key_data),
247 "data key size");
248 TEST_EQ(memcmp(vb2_member_of(k, k->key_offset),
249 mock_vblock.k.data_key_data,
250 sizeof(mock_vblock.k.data_key_data)),
251 0, "data key data");
252 TEST_EQ(sd->workbuf_used,
253 vb2_wb_round_up(sd->data_key_offset +
254 sd->data_key_size),
255 "workbuf used after");
256
257 /* Test failures */
258 reset_common_data(FOR_KEYBLOCK);
259 mock_unpack_key_retval = VB2_ERROR_MOCK;
260 TEST_EQ(vb2_load_kernel_keyblock(ctx),
261 VB2_ERROR_MOCK, "Kernel keyblock unpack key");
262
263 reset_common_data(FOR_KEYBLOCK);
264 sd->workbuf_used = sd->workbuf_size + VB2_WORKBUF_ALIGN -
265 vb2_wb_round_up(sizeof(*kb));
266 TEST_EQ(vb2_load_kernel_keyblock(ctx),
267 VB2_ERROR_KERNEL_KEYBLOCK_WORKBUF_HEADER,
268 "Kernel keyblock workbuf header");
269
270 reset_common_data(FOR_KEYBLOCK);
271 mock_read_res_fail_on_call = 1;
272 TEST_EQ(vb2_load_kernel_keyblock(ctx),
273 VB2_ERROR_MOCK, "Kernel keyblock read header");
274
275 reset_common_data(FOR_KEYBLOCK);
276 sd->workbuf_used = sd->workbuf_size + VB2_WORKBUF_ALIGN -
277 vb2_wb_round_up(kb->keyblock_size);
278 TEST_EQ(vb2_load_kernel_keyblock(ctx),
279 VB2_ERROR_KERNEL_KEYBLOCK_WORKBUF,
280 "Kernel keyblock workbuf");
281
282 reset_common_data(FOR_KEYBLOCK);
283 mock_read_res_fail_on_call = 2;
284 TEST_EQ(vb2_load_kernel_keyblock(ctx),
285 VB2_ERROR_MOCK, "Kernel keyblock read");
286
287 /* Normally, require signed keyblock */
288 reset_common_data(FOR_KEYBLOCK);
289 mock_verify_keyblock_retval = VB2_ERROR_MOCK;
290 TEST_EQ(vb2_load_kernel_keyblock(ctx),
291 VB2_ERROR_MOCK, "Verify keyblock");
292
293 /* Not in dev mode */
294 reset_common_data(FOR_KEYBLOCK);
295 ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
296 mock_verify_keyblock_retval = VB2_ERROR_MOCK;
297 TEST_SUCC(vb2_load_kernel_keyblock(ctx), "Kernel keyblock hash good");
298 TEST_EQ(sd->flags & VB2_SD_FLAG_KERNEL_SIGNED, 0, " Kernel signed");
299
300 /* But we do in dev+rec mode */
301 reset_common_data(FOR_KEYBLOCK);
302 ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE | VB2_CONTEXT_RECOVERY_MODE;
303 mock_verify_keyblock_retval = VB2_ERROR_MOCK;
304 TEST_EQ(vb2_load_kernel_keyblock(ctx),
305 VB2_ERROR_MOCK, "Kernel keyblock dev+rec");
306
307 /* Test keyblock flags matching mode */
308 reset_common_data(FOR_KEYBLOCK);
309 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_DEVELOPER_0;
310 TEST_EQ(vb2_load_kernel_keyblock(ctx),
311 VB2_ERROR_KERNEL_KEYBLOCK_DEV_FLAG,
312 "Kernel keyblock dev only");
313
314 reset_common_data(FOR_KEYBLOCK);
315 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_RECOVERY_0;
316 TEST_EQ(vb2_load_kernel_keyblock(ctx),
317 VB2_ERROR_KERNEL_KEYBLOCK_REC_FLAG,
318 "Kernel keyblock rec only");
319
320 reset_common_data(FOR_KEYBLOCK);
321 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_RECOVERY_1;
322 ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
323 TEST_EQ(vb2_load_kernel_keyblock(ctx),
324 VB2_ERROR_KERNEL_KEYBLOCK_REC_FLAG,
325 "Kernel keyblock not rec");
326
327 reset_common_data(FOR_KEYBLOCK);
328 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_DEVELOPER_0;
329 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_RECOVERY_0;
330 ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
331 TEST_EQ(vb2_load_kernel_keyblock(ctx),
332 VB2_ERROR_KERNEL_KEYBLOCK_DEV_FLAG,
333 "Kernel keyblock rec but not dev+rec");
334
335 reset_common_data(FOR_KEYBLOCK);
336 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_DEVELOPER_0;
337 kb->keyblock_flags &= ~VB2_KEYBLOCK_FLAG_RECOVERY_0;
338 ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE | VB2_CONTEXT_RECOVERY_MODE;
339 TEST_SUCC(vb2_load_kernel_keyblock(ctx),
340 "Kernel keyblock flags dev+rec");
341
342 /* System in dev mode ignores flags */
343 reset_common_data(FOR_KEYBLOCK);
344 ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
345 kb->keyblock_flags = 0;
346 TEST_SUCC(vb2_load_kernel_keyblock(ctx), "Kernel keyblock dev flags");
347
348 /* Test rollback */
349 reset_common_data(FOR_KEYBLOCK);
350 kb->data_key.key_version = 0x10000;
351 TEST_EQ(vb2_load_kernel_keyblock(ctx),
352 VB2_ERROR_KERNEL_KEYBLOCK_VERSION_RANGE,
353 "Kernel keyblock version range");
354
355 reset_common_data(FOR_KEYBLOCK);
356 kb->data_key.key_version = 1;
357 TEST_EQ(vb2_load_kernel_keyblock(ctx),
358 VB2_ERROR_KERNEL_KEYBLOCK_VERSION_ROLLBACK,
359 "Kernel keyblock rollback");
360
361 /* Rollback ok in developer mode */
362 reset_common_data(FOR_KEYBLOCK);
363 kb->data_key.key_version = 1;
364 ctx->flags |= VB2_CONTEXT_DEVELOPER_MODE;
365 TEST_SUCC(vb2_load_kernel_keyblock(ctx),
366 "Kernel keyblock rollback dev");
367
368 /*
369 * Recovery keyblocks aren't versioned (and even if they were, it
370 * wouldn't be with the same version as a normal kernel).
371 */
372 reset_common_data(FOR_KEYBLOCK);
373 kb->data_key.key_version = 1;
374 ctx->flags |= VB2_CONTEXT_RECOVERY_MODE;
375 TEST_SUCC(vb2_load_kernel_keyblock(ctx),
376 "Kernel keyblock rollback rec");
377 }
378
load_kernel_preamble_tests(void)379 static void load_kernel_preamble_tests(void)
380 {
381 struct vb2_kernel_preamble *pre = &mock_vblock.p.pre;
382 int expected_offset;
383 //uint32_t v;
384
385 /* Test successful call */
386 reset_common_data(FOR_PREAMBLE);
387 expected_offset = sd->workbuf_used;
388 TEST_SUCC(vb2_load_kernel_preamble(ctx), "preamble good");
389 TEST_EQ(sd->kernel_version, 0x20002, "combined version");
390 TEST_EQ(sd->preamble_offset, expected_offset,
391 "preamble offset");
392 TEST_EQ(sd->preamble_size, pre->preamble_size, "preamble size");
393 TEST_EQ(sd->workbuf_used,
394 vb2_wb_round_up(sd->preamble_offset +
395 sd->preamble_size),
396 "workbuf used");
397
398 /* Expected failures */
399 reset_common_data(FOR_PREAMBLE);
400 sd->data_key_size = 0;
401 TEST_EQ(vb2_load_kernel_preamble(ctx),
402 VB2_ERROR_KERNEL_PREAMBLE2_DATA_KEY,
403 "preamble no data key");
404
405 reset_common_data(FOR_PREAMBLE);
406 mock_unpack_key_retval = VB2_ERROR_UNPACK_KEY_HASH_ALGORITHM;
407 TEST_EQ(vb2_load_kernel_preamble(ctx),
408 VB2_ERROR_UNPACK_KEY_HASH_ALGORITHM,
409 "preamble unpack data key");
410
411 reset_common_data(FOR_PREAMBLE);
412 sd->workbuf_used = sd->workbuf_size + VB2_WORKBUF_ALIGN -
413 vb2_wb_round_up(sizeof(struct vb2_kernel_preamble));
414 TEST_EQ(vb2_load_kernel_preamble(ctx),
415 VB2_ERROR_KERNEL_PREAMBLE2_WORKBUF_HEADER,
416 "preamble not enough workbuf for header");
417
418 reset_common_data(FOR_PREAMBLE);
419 sd->vblock_preamble_offset = sizeof(mock_vblock);
420 TEST_EQ(vb2_load_kernel_preamble(ctx),
421 VB2_ERROR_EX_READ_RESOURCE_SIZE,
422 "preamble read header");
423
424 reset_common_data(FOR_PREAMBLE);
425 sd->workbuf_used = sd->workbuf_size + VB2_WORKBUF_ALIGN -
426 vb2_wb_round_up(sizeof(mock_vblock.p));
427 TEST_EQ(vb2_load_kernel_preamble(ctx),
428 VB2_ERROR_KERNEL_PREAMBLE2_WORKBUF,
429 "preamble not enough workbuf");
430
431 reset_common_data(FOR_PREAMBLE);
432 pre->preamble_size = sizeof(mock_vblock);
433 TEST_EQ(vb2_load_kernel_preamble(ctx),
434 VB2_ERROR_EX_READ_RESOURCE_SIZE,
435 "preamble read full");
436
437 reset_common_data(FOR_PREAMBLE);
438 mock_verify_preamble_retval = VB2_ERROR_MOCK;
439 TEST_EQ(vb2_load_kernel_preamble(ctx),
440 VB2_ERROR_MOCK,
441 "preamble verify");
442
443 reset_common_data(FOR_PREAMBLE);
444 pre->kernel_version = 0x10000;
445 TEST_EQ(vb2_load_kernel_preamble(ctx),
446 VB2_ERROR_KERNEL_PREAMBLE_VERSION_RANGE,
447 "preamble version range");
448
449 reset_common_data(FOR_PREAMBLE);
450 pre->kernel_version = 1;
451 TEST_EQ(vb2_load_kernel_preamble(ctx),
452 VB2_ERROR_KERNEL_PREAMBLE_VERSION_ROLLBACK,
453 "preamble version rollback");
454 }
455
main(int argc,char * argv[])456 int main(int argc, char* argv[])
457 {
458 verify_keyblock_hash_tests();
459 load_kernel_keyblock_tests();
460 load_kernel_preamble_tests();
461
462 return gTestSuccess ? 0 : 255;
463 }
464