1 // Copyright 2019 The ChromiumOS Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "2api.h"
6 #include "2common.h"
7 #include "2misc.h"
8 #include "2nvstorage.h"
9 #include "2rsa.h"
10 #include "2rsa_private.h"
11 #include "2secdata.h"
12
13 static struct vb2_context *ctx;
14 static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
15 __attribute__((aligned(VB2_WORKBUF_ALIGN)));
16 static struct {
17 struct vb2_gbb_header h;
18 uint8_t rootkey[4096];
19 } gbb;
20
21 static const uint8_t *mock_keyblock;
22 static size_t mock_keyblock_size;
23
24 /* Limit exposure of code for which we didn't set up the environment right. */
vb2api_fail(struct vb2_context * c,uint8_t reason,uint8_t subcode)25 void vb2api_fail(struct vb2_context *c, uint8_t reason, uint8_t subcode)
26 {
27 return;
28 }
29
vb2_get_gbb(struct vb2_context * c)30 struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
31 {
32 return &gbb.h;
33 }
34
vb2ex_read_resource(struct vb2_context * c,enum vb2_resource_index index,uint32_t offset,void * buf,uint32_t size)35 vb2_error_t vb2ex_read_resource(struct vb2_context *c,
36 enum vb2_resource_index index, uint32_t offset,
37 void *buf, uint32_t size)
38 {
39 const void *rbase;
40 size_t rsize;
41
42 switch (index) {
43 case VB2_RES_GBB:
44 rbase = &gbb;
45 rsize = sizeof(gbb);
46 break;
47 case VB2_RES_FW_VBLOCK:
48 rbase = mock_keyblock;
49 rsize = mock_keyblock_size;
50 break;
51 default:
52 return VB2_ERROR_EX_READ_RESOURCE_INDEX;
53 }
54
55 if (offset > rsize || rsize - offset < size)
56 return VB2_ERROR_EX_READ_RESOURCE_SIZE;
57
58 memcpy(buf, rbase + offset, size);
59 return VB2_SUCCESS;
60 }
61
62 /* Pretend that signature checks always succeed so the fuzzer can cover more. */
vb2_check_padding(const uint8_t * sig,const struct vb2_public_key * key)63 vb2_error_t vb2_check_padding(const uint8_t *sig,
64 const struct vb2_public_key *key)
65 {
66 return VB2_SUCCESS;
67 }
68
vb2_safe_memcmp(const void * s1,const void * s2,size_t size)69 vb2_error_t vb2_safe_memcmp(const void *s1, const void *s2, size_t size)
70 {
71 return VB2_SUCCESS;
72 }
73
74 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)75 int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
76 /* Initialize fuzzing inputs. */
77 if (size < sizeof(gbb.rootkey))
78 return 0;
79
80 memset(&gbb.h, 0, sizeof(gbb.h));
81 gbb.h.rootkey_offset = gbb.rootkey - (uint8_t *)&gbb;
82 gbb.h.rootkey_size = sizeof(gbb.rootkey);
83
84 memcpy(gbb.rootkey, data, sizeof(gbb.rootkey));
85 mock_keyblock = data + sizeof(gbb.rootkey);
86 mock_keyblock_size = size - sizeof(gbb.rootkey);
87
88 /* Set up data structures needed by the tested function. */
89 if (vb2api_init(workbuf, sizeof(workbuf), &ctx))
90 abort();
91 vb2_nv_init(ctx);
92 vb2api_secdata_firmware_create(ctx);
93 vb2api_secdata_kernel_create(ctx);
94 if (vb2_secdata_firmware_init(ctx) || vb2_secdata_kernel_init(ctx))
95 abort();
96
97 /* Run function to test. */
98 vb2_load_fw_keyblock(ctx);
99
100 return 0;
101 }
102