mirror of
https://github.com/ARM-software/arm-trusted-firmware.git
synced 2025-04-19 02:54:24 +00:00
fabd21ad36
This reverts commit b621fb503c.
Because of the Trusted Firmware design, timing-safe functions are not
needed. Using them may be misleading as it could be interpreted as being
a protection against private data leakage, which isn't the case here.
For each image, the SHA-256 hash is calculated. Some padding is appended
and the result is encrypted with a private key using RSA-2048. This is
the signature of the image. The public key is stored along with BL1 in
read-only memory and the encrypted hash is stored in the FIP.
When authenticating an image, the TF decrypts the hash stored in the FIP
and recalculates the hash of the image. If they don't match, the boot
sequence won't continue.
A constant-time comparison does not provide additional security as all
the data involved in this process is already known to any attacker.
There is no private data that can leaked through a timing attack when
authenticating an image.
`timingsafe_bcmp()` is kept in the codebase because it could be useful
in the future.
Change-Id: I44bdcd58faa586a050cc89447e38c142508c9888
Signed-off-by: Antonio Nino Diaz <antonio.ninodiaz@arm.com>
231 lines
6.1 KiB
C
231 lines
6.1 KiB
C
/*
|
|
* Copyright (c) 2015, ARM Limited and Contributors. All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* Redistributions of source code must retain the above copyright notice, this
|
|
* list of conditions and the following disclaimer.
|
|
*
|
|
* Redistributions in binary form must reproduce the above copyright notice,
|
|
* this list of conditions and the following disclaimer in the documentation
|
|
* and/or other materials provided with the distribution.
|
|
*
|
|
* Neither the name of ARM nor the names of its contributors may be used
|
|
* to endorse or promote products derived from this software without specific
|
|
* prior written permission.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
|
|
#include <crypto_mod.h>
|
|
#include <debug.h>
|
|
#include <mbedtls_common.h>
|
|
#include <stddef.h>
|
|
#include <string.h>
|
|
|
|
/* mbed TLS headers */
|
|
#include <mbedtls/md.h>
|
|
#include <mbedtls/memory_buffer_alloc.h>
|
|
#include <mbedtls/oid.h>
|
|
#include <mbedtls/platform.h>
|
|
|
|
#define LIB_NAME "mbed TLS"
|
|
|
|
/*
|
|
* AlgorithmIdentifier ::= SEQUENCE {
|
|
* algorithm OBJECT IDENTIFIER,
|
|
* parameters ANY DEFINED BY algorithm OPTIONAL
|
|
* }
|
|
*
|
|
* SubjectPublicKeyInfo ::= SEQUENCE {
|
|
* algorithm AlgorithmIdentifier,
|
|
* subjectPublicKey BIT STRING
|
|
* }
|
|
*
|
|
* DigestInfo ::= SEQUENCE {
|
|
* digestAlgorithm AlgorithmIdentifier,
|
|
* digest OCTET STRING
|
|
* }
|
|
*/
|
|
|
|
/*
|
|
* Initialize the library and export the descriptor
|
|
*/
|
|
static void init(void)
|
|
{
|
|
/* Initialize mbed TLS */
|
|
mbedtls_init();
|
|
}
|
|
|
|
/*
|
|
* Verify a signature.
|
|
*
|
|
* Parameters are passed using the DER encoding format following the ASN.1
|
|
* structures detailed above.
|
|
*/
|
|
static int verify_signature(void *data_ptr, unsigned int data_len,
|
|
void *sig_ptr, unsigned int sig_len,
|
|
void *sig_alg, unsigned int sig_alg_len,
|
|
void *pk_ptr, unsigned int pk_len)
|
|
{
|
|
mbedtls_asn1_buf sig_oid, sig_params;
|
|
mbedtls_asn1_buf signature;
|
|
mbedtls_md_type_t md_alg;
|
|
mbedtls_pk_type_t pk_alg;
|
|
mbedtls_pk_context pk;
|
|
int rc;
|
|
void *sig_opts = NULL;
|
|
const mbedtls_md_info_t *md_info;
|
|
unsigned char *p, *end;
|
|
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
|
|
|
/* Get pointers to signature OID and parameters */
|
|
p = (unsigned char *)sig_alg;
|
|
end = (unsigned char *)(p + sig_alg_len);
|
|
rc = mbedtls_asn1_get_alg(&p, end, &sig_oid, &sig_params);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_SIGNATURE;
|
|
}
|
|
|
|
/* Get the actual signature algorithm (MD + PK) */
|
|
rc = mbedtls_oid_get_sig_alg(&sig_oid, &md_alg, &pk_alg);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_SIGNATURE;
|
|
}
|
|
|
|
/* Parse the public key */
|
|
mbedtls_pk_init(&pk);
|
|
p = (unsigned char *)pk_ptr;
|
|
end = (unsigned char *)(p + pk_len);
|
|
rc = mbedtls_pk_parse_subpubkey(&p, end, &pk);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_SIGNATURE;
|
|
}
|
|
|
|
/* Get the signature (bitstring) */
|
|
p = (unsigned char *)sig_ptr;
|
|
end = (unsigned char *)(p + sig_len);
|
|
signature.tag = *p;
|
|
rc = mbedtls_asn1_get_bitstring_null(&p, end, &signature.len);
|
|
if (rc != 0) {
|
|
rc = CRYPTO_ERR_SIGNATURE;
|
|
goto end;
|
|
}
|
|
signature.p = p;
|
|
|
|
/* Calculate the hash of the data */
|
|
md_info = mbedtls_md_info_from_type(md_alg);
|
|
if (md_info == NULL) {
|
|
rc = CRYPTO_ERR_SIGNATURE;
|
|
goto end;
|
|
}
|
|
p = (unsigned char *)data_ptr;
|
|
rc = mbedtls_md(md_info, p, data_len, hash);
|
|
if (rc != 0) {
|
|
rc = CRYPTO_ERR_SIGNATURE;
|
|
goto end;
|
|
}
|
|
|
|
/* Verify the signature */
|
|
rc = mbedtls_pk_verify_ext(pk_alg, sig_opts, &pk, md_alg, hash,
|
|
mbedtls_md_get_size(md_info),
|
|
signature.p, signature.len);
|
|
if (rc != 0) {
|
|
rc = CRYPTO_ERR_SIGNATURE;
|
|
goto end;
|
|
}
|
|
|
|
/* Signature verification success */
|
|
rc = CRYPTO_SUCCESS;
|
|
|
|
end:
|
|
mbedtls_pk_free(&pk);
|
|
return rc;
|
|
}
|
|
|
|
/*
|
|
* Match a hash
|
|
*
|
|
* Digest info is passed in DER format following the ASN.1 structure detailed
|
|
* above.
|
|
*/
|
|
static int verify_hash(void *data_ptr, unsigned int data_len,
|
|
void *digest_info_ptr, unsigned int digest_info_len)
|
|
{
|
|
mbedtls_asn1_buf hash_oid, params;
|
|
mbedtls_md_type_t md_alg;
|
|
const mbedtls_md_info_t *md_info;
|
|
unsigned char *p, *end, *hash;
|
|
unsigned char data_hash[MBEDTLS_MD_MAX_SIZE];
|
|
size_t len;
|
|
int rc;
|
|
|
|
/* Digest info should be an MBEDTLS_ASN1_SEQUENCE */
|
|
p = (unsigned char *)digest_info_ptr;
|
|
end = p + digest_info_len;
|
|
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED |
|
|
MBEDTLS_ASN1_SEQUENCE);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
/* Get the hash algorithm */
|
|
rc = mbedtls_asn1_get_alg(&p, end, &hash_oid, ¶ms);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
rc = mbedtls_oid_get_md_alg(&hash_oid, &md_alg);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
md_info = mbedtls_md_info_from_type(md_alg);
|
|
if (md_info == NULL) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
/* Hash should be octet string type */
|
|
rc = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OCTET_STRING);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
/* Length of hash must match the algorithm's size */
|
|
if (len != mbedtls_md_get_size(md_info)) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
hash = p;
|
|
|
|
/* Calculate the hash of the data */
|
|
p = (unsigned char *)data_ptr;
|
|
rc = mbedtls_md(md_info, p, data_len, data_hash);
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
/* Compare values */
|
|
rc = memcmp(data_hash, hash, mbedtls_md_get_size(md_info));
|
|
if (rc != 0) {
|
|
return CRYPTO_ERR_HASH;
|
|
}
|
|
|
|
return CRYPTO_SUCCESS;
|
|
}
|
|
|
|
/*
|
|
* Register crypto library descriptor
|
|
*/
|
|
REGISTER_CRYPTO_LIB(LIB_NAME, init, verify_signature, verify_hash);
|