xref: /aosp_15_r20/external/vboot_reference/tests/vb2_keyblock_fuzzer.c (revision 8617a60d3594060b7ecbd21bc622a7c14f3cf2bc) 
1*8617a60dSAndroid Build Coastguard Worker // Copyright 2019 The ChromiumOS Authors
2*8617a60dSAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*8617a60dSAndroid Build Coastguard Worker // found in the LICENSE file.
4*8617a60dSAndroid Build Coastguard Worker 
5*8617a60dSAndroid Build Coastguard Worker #include "2api.h"
6*8617a60dSAndroid Build Coastguard Worker #include "2common.h"
7*8617a60dSAndroid Build Coastguard Worker #include "2misc.h"
8*8617a60dSAndroid Build Coastguard Worker #include "2nvstorage.h"
9*8617a60dSAndroid Build Coastguard Worker #include "2rsa.h"
10*8617a60dSAndroid Build Coastguard Worker #include "2rsa_private.h"
11*8617a60dSAndroid Build Coastguard Worker #include "2secdata.h"
12*8617a60dSAndroid Build Coastguard Worker 
13*8617a60dSAndroid Build Coastguard Worker static struct vb2_context *ctx;
14*8617a60dSAndroid Build Coastguard Worker static uint8_t workbuf[VB2_FIRMWARE_WORKBUF_RECOMMENDED_SIZE]
15*8617a60dSAndroid Build Coastguard Worker 	__attribute__((aligned(VB2_WORKBUF_ALIGN)));
16*8617a60dSAndroid Build Coastguard Worker static struct {
17*8617a60dSAndroid Build Coastguard Worker 	struct vb2_gbb_header h;
18*8617a60dSAndroid Build Coastguard Worker 	uint8_t rootkey[4096];
19*8617a60dSAndroid Build Coastguard Worker } gbb;
20*8617a60dSAndroid Build Coastguard Worker 
21*8617a60dSAndroid Build Coastguard Worker static const uint8_t *mock_keyblock;
22*8617a60dSAndroid Build Coastguard Worker static size_t mock_keyblock_size;
23*8617a60dSAndroid Build Coastguard Worker 
24*8617a60dSAndroid Build Coastguard Worker /* Limit exposure of code for which we didn't set up the environment right. */
vb2api_fail(struct vb2_context * c,uint8_t reason,uint8_t subcode)25*8617a60dSAndroid Build Coastguard Worker void vb2api_fail(struct vb2_context *c, uint8_t reason, uint8_t subcode)
26*8617a60dSAndroid Build Coastguard Worker {
27*8617a60dSAndroid Build Coastguard Worker 	return;
28*8617a60dSAndroid Build Coastguard Worker }
29*8617a60dSAndroid Build Coastguard Worker 
vb2_get_gbb(struct vb2_context * c)30*8617a60dSAndroid Build Coastguard Worker struct vb2_gbb_header *vb2_get_gbb(struct vb2_context *c)
31*8617a60dSAndroid Build Coastguard Worker {
32*8617a60dSAndroid Build Coastguard Worker 	return &gbb.h;
33*8617a60dSAndroid Build Coastguard Worker }
34*8617a60dSAndroid Build Coastguard Worker 
vb2ex_read_resource(struct vb2_context * c,enum vb2_resource_index index,uint32_t offset,void * buf,uint32_t size)35*8617a60dSAndroid Build Coastguard Worker vb2_error_t vb2ex_read_resource(struct vb2_context *c,
36*8617a60dSAndroid Build Coastguard Worker 				enum vb2_resource_index index, uint32_t offset,
37*8617a60dSAndroid Build Coastguard Worker 				void *buf, uint32_t size)
38*8617a60dSAndroid Build Coastguard Worker {
39*8617a60dSAndroid Build Coastguard Worker 	const void *rbase;
40*8617a60dSAndroid Build Coastguard Worker 	size_t rsize;
41*8617a60dSAndroid Build Coastguard Worker 
42*8617a60dSAndroid Build Coastguard Worker 	switch (index) {
43*8617a60dSAndroid Build Coastguard Worker 	case VB2_RES_GBB:
44*8617a60dSAndroid Build Coastguard Worker 		rbase = &gbb;
45*8617a60dSAndroid Build Coastguard Worker 		rsize = sizeof(gbb);
46*8617a60dSAndroid Build Coastguard Worker 		break;
47*8617a60dSAndroid Build Coastguard Worker 	case VB2_RES_FW_VBLOCK:
48*8617a60dSAndroid Build Coastguard Worker 		rbase = mock_keyblock;
49*8617a60dSAndroid Build Coastguard Worker 		rsize = mock_keyblock_size;
50*8617a60dSAndroid Build Coastguard Worker 		break;
51*8617a60dSAndroid Build Coastguard Worker 	default:
52*8617a60dSAndroid Build Coastguard Worker 		return VB2_ERROR_EX_READ_RESOURCE_INDEX;
53*8617a60dSAndroid Build Coastguard Worker 	}
54*8617a60dSAndroid Build Coastguard Worker 
55*8617a60dSAndroid Build Coastguard Worker 	if (offset > rsize || rsize - offset < size)
56*8617a60dSAndroid Build Coastguard Worker 		return VB2_ERROR_EX_READ_RESOURCE_SIZE;
57*8617a60dSAndroid Build Coastguard Worker 
58*8617a60dSAndroid Build Coastguard Worker 	memcpy(buf, rbase + offset, size);
59*8617a60dSAndroid Build Coastguard Worker 	return VB2_SUCCESS;
60*8617a60dSAndroid Build Coastguard Worker }
61*8617a60dSAndroid Build Coastguard Worker 
62*8617a60dSAndroid Build Coastguard Worker /* Pretend that signature checks always succeed so the fuzzer can cover more. */
vb2_check_padding(const uint8_t * sig,const struct vb2_public_key * key)63*8617a60dSAndroid Build Coastguard Worker vb2_error_t vb2_check_padding(const uint8_t *sig,
64*8617a60dSAndroid Build Coastguard Worker 			      const struct vb2_public_key *key)
65*8617a60dSAndroid Build Coastguard Worker {
66*8617a60dSAndroid Build Coastguard Worker 	return VB2_SUCCESS;
67*8617a60dSAndroid Build Coastguard Worker }
68*8617a60dSAndroid Build Coastguard Worker 
vb2_safe_memcmp(const void * s1,const void * s2,size_t size)69*8617a60dSAndroid Build Coastguard Worker vb2_error_t vb2_safe_memcmp(const void *s1, const void *s2, size_t size)
70*8617a60dSAndroid Build Coastguard Worker {
71*8617a60dSAndroid Build Coastguard Worker 	return VB2_SUCCESS;
72*8617a60dSAndroid Build Coastguard Worker }
73*8617a60dSAndroid Build Coastguard Worker 
74*8617a60dSAndroid Build Coastguard Worker int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size);
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)75*8617a60dSAndroid Build Coastguard Worker int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
76*8617a60dSAndroid Build Coastguard Worker 	/* Initialize fuzzing inputs. */
77*8617a60dSAndroid Build Coastguard Worker 	if (size < sizeof(gbb.rootkey))
78*8617a60dSAndroid Build Coastguard Worker 		return 0;
79*8617a60dSAndroid Build Coastguard Worker 
80*8617a60dSAndroid Build Coastguard Worker 	memset(&gbb.h, 0, sizeof(gbb.h));
81*8617a60dSAndroid Build Coastguard Worker 	gbb.h.rootkey_offset = gbb.rootkey - (uint8_t *)&gbb;
82*8617a60dSAndroid Build Coastguard Worker 	gbb.h.rootkey_size = sizeof(gbb.rootkey);
83*8617a60dSAndroid Build Coastguard Worker 
84*8617a60dSAndroid Build Coastguard Worker 	memcpy(gbb.rootkey, data, sizeof(gbb.rootkey));
85*8617a60dSAndroid Build Coastguard Worker 	mock_keyblock = data + sizeof(gbb.rootkey);
86*8617a60dSAndroid Build Coastguard Worker 	mock_keyblock_size = size - sizeof(gbb.rootkey);
87*8617a60dSAndroid Build Coastguard Worker 
88*8617a60dSAndroid Build Coastguard Worker 	/* Set up data structures needed by the tested function. */
89*8617a60dSAndroid Build Coastguard Worker 	if (vb2api_init(workbuf, sizeof(workbuf), &ctx))
90*8617a60dSAndroid Build Coastguard Worker 		abort();
91*8617a60dSAndroid Build Coastguard Worker 	vb2_nv_init(ctx);
92*8617a60dSAndroid Build Coastguard Worker 	vb2api_secdata_firmware_create(ctx);
93*8617a60dSAndroid Build Coastguard Worker 	vb2api_secdata_kernel_create(ctx);
94*8617a60dSAndroid Build Coastguard Worker 	if (vb2_secdata_firmware_init(ctx) || vb2_secdata_kernel_init(ctx))
95*8617a60dSAndroid Build Coastguard Worker 		abort();
96*8617a60dSAndroid Build Coastguard Worker 
97*8617a60dSAndroid Build Coastguard Worker 	/* Run function to test. */
98*8617a60dSAndroid Build Coastguard Worker 	vb2_load_fw_keyblock(ctx);
99*8617a60dSAndroid Build Coastguard Worker 
100*8617a60dSAndroid Build Coastguard Worker 	return 0;
101*8617a60dSAndroid Build Coastguard Worker }
102