buildman: Drop -I option
[platform/kernel/u-boot.git] / tools / sunxi_toc0.c
1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3  * (C) Copyright 2018 Arm Ltd.
4  * (C) Copyright 2020-2021 Samuel Holland <samuel@sholland.org>
5  */
6
7 #define OPENSSL_API_COMPAT 0x10101000L
8
9 #include <assert.h>
10 #include <stdint.h>
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14
15 #include <openssl/asn1t.h>
16 #include <openssl/bn.h>
17 #include <openssl/pem.h>
18 #include <openssl/rsa.h>
19
20 #include <image.h>
21 #include <sunxi_image.h>
22
23 #include "imagetool.h"
24 #include "mkimage.h"
25
26 /*
27  * NAND requires 8K padding. For other devices, BROM requires only
28  * 512B padding, but let's use the larger padding to cover everything.
29  */
30 #define PAD_SIZE                8192
31
32 #define pr_fmt(fmt)             "mkimage (TOC0): %s: " fmt
33 #define pr_err(fmt, args...)    fprintf(stderr, pr_fmt(fmt), "error", ##args)
34 #define pr_warn(fmt, args...)   fprintf(stderr, pr_fmt(fmt), "warning", ##args)
35 #define pr_info(fmt, args...)   fprintf(stderr, pr_fmt(fmt), "info", ##args)
36
37 #if defined(LIBRESSL_VERSION_NUMBER)
38 #define RSA_get0_n(key) (key)->n
39 #define RSA_get0_e(key) (key)->e
40 #define RSA_get0_d(key) (key)->d
41 #endif
42
43 struct __packed toc0_key_item {
44         __le32  vendor_id;
45         __le32  key0_n_len;
46         __le32  key0_e_len;
47         __le32  key1_n_len;
48         __le32  key1_e_len;
49         __le32  sig_len;
50         uint8_t key0[512];
51         uint8_t key1[512];
52         uint8_t reserved[32];
53         uint8_t sig[256];
54 };
55
56 /*
57  * This looks somewhat like an X.509 certificate, but it is not valid BER.
58  *
59  * Some differences:
60  *  - Some X.509 certificate fields are missing or rearranged.
61  *  - Some sequences have the wrong tag.
62  *  - Zero-length sequences are accepted.
63  *  - Large strings and integers must be an even number of bytes long.
64  *  - Positive integers are not zero-extended to maintain their sign.
65  *
66  * See https://linux-sunxi.org/TOC0 for more information.
67  */
68 struct __packed toc0_small_tag {
69         uint8_t tag;
70         uint8_t length;
71 };
72
73 typedef struct toc0_small_tag toc0_small_int;
74 typedef struct toc0_small_tag toc0_small_oct;
75 typedef struct toc0_small_tag toc0_small_seq;
76 typedef struct toc0_small_tag toc0_small_exp;
77
78 #define TOC0_SMALL_INT(len) { 0x02, (len) }
79 #define TOC0_SMALL_SEQ(len) { 0x30, (len) }
80 #define TOC0_SMALL_EXP(tag, len) { 0xa0 | (tag), len }
81
82 struct __packed toc0_large_tag {
83         uint8_t tag;
84         uint8_t prefix;
85         uint8_t length_hi;
86         uint8_t length_lo;
87 };
88
89 typedef struct toc0_large_tag toc0_large_int;
90 typedef struct toc0_large_tag toc0_large_bit;
91 typedef struct toc0_large_tag toc0_large_seq;
92
93 #define TOC0_LARGE_INT(len) { 0x02, 0x82, (len) >> 8, (len) & 0xff }
94 #define TOC0_LARGE_BIT(len) { 0x03, 0x82, (len) >> 8, (len) & 0xff }
95 #define TOC0_LARGE_SEQ(len) { 0x30, 0x82, (len) >> 8, (len) & 0xff }
96
97 struct __packed toc0_cert_item {
98         toc0_large_seq tag_totalSequence;
99         struct __packed toc0_totalSequence {
100                 toc0_large_seq tag_mainSequence;
101                 struct __packed toc0_mainSequence {
102                         toc0_small_exp tag_explicit0;
103                         struct __packed toc0_explicit0 {
104                                 toc0_small_int tag_version;
105                                 uint8_t version;
106                         } explicit0;
107                         toc0_small_int tag_serialNumber;
108                         uint8_t serialNumber;
109                         toc0_small_seq tag_signature;
110                         toc0_small_seq tag_issuer;
111                         toc0_small_seq tag_validity;
112                         toc0_small_seq tag_subject;
113                         toc0_large_seq tag_subjectPublicKeyInfo;
114                         struct __packed toc0_subjectPublicKeyInfo {
115                                 toc0_small_seq tag_algorithm;
116                                 toc0_large_seq tag_publicKey;
117                                 struct __packed toc0_publicKey {
118                                         toc0_large_int tag_n;
119                                         uint8_t n[256];
120                                         toc0_small_int tag_e;
121                                         uint8_t e[3];
122                                 } publicKey;
123                         } subjectPublicKeyInfo;
124                         toc0_small_exp tag_explicit3;
125                         struct __packed toc0_explicit3 {
126                                 toc0_small_seq tag_extension;
127                                 struct __packed toc0_extension {
128                                         toc0_small_int tag_digest;
129                                         uint8_t digest[32];
130                                 } extension;
131                         } explicit3;
132                 } mainSequence;
133                 toc0_large_bit tag_sigSequence;
134                 struct __packed toc0_sigSequence {
135                         toc0_small_seq tag_algorithm;
136                         toc0_large_bit tag_signature;
137                         uint8_t signature[256];
138                 } sigSequence;
139         } totalSequence;
140 };
141
142 #define sizeof_field(TYPE, MEMBER) sizeof((((TYPE *)0)->MEMBER))
143
144 static const struct toc0_cert_item cert_item_template = {
145         TOC0_LARGE_SEQ(sizeof(struct toc0_totalSequence)),
146         {
147                 TOC0_LARGE_SEQ(sizeof(struct toc0_mainSequence)),
148                 {
149                         TOC0_SMALL_EXP(0, sizeof(struct toc0_explicit0)),
150                         {
151                                 TOC0_SMALL_INT(sizeof_field(struct toc0_explicit0, version)),
152                                 0,
153                         },
154                         TOC0_SMALL_INT(sizeof_field(struct toc0_mainSequence, serialNumber)),
155                         0,
156                         TOC0_SMALL_SEQ(0),
157                         TOC0_SMALL_SEQ(0),
158                         TOC0_SMALL_SEQ(0),
159                         TOC0_SMALL_SEQ(0),
160                         TOC0_LARGE_SEQ(sizeof(struct toc0_subjectPublicKeyInfo)),
161                         {
162                                 TOC0_SMALL_SEQ(0),
163                                 TOC0_LARGE_SEQ(sizeof(struct toc0_publicKey)),
164                                 {
165                                         TOC0_LARGE_INT(sizeof_field(struct toc0_publicKey, n)),
166                                         {},
167                                         TOC0_SMALL_INT(sizeof_field(struct toc0_publicKey, e)),
168                                         {},
169                                 },
170                         },
171                         TOC0_SMALL_EXP(3, sizeof(struct toc0_explicit3)),
172                         {
173                                 TOC0_SMALL_SEQ(sizeof(struct toc0_extension)),
174                                 {
175                                         TOC0_SMALL_INT(sizeof_field(struct toc0_extension, digest)),
176                                         {},
177                                 },
178                         },
179                 },
180                 TOC0_LARGE_BIT(sizeof(struct toc0_sigSequence)),
181                 {
182                         TOC0_SMALL_SEQ(0),
183                         TOC0_LARGE_BIT(sizeof_field(struct toc0_sigSequence, signature)),
184                         {},
185                 },
186         },
187 };
188
189 #define TOC0_DEFAULT_NUM_ITEMS          3
190 #define TOC0_DEFAULT_HEADER_LEN                                           \
191         ALIGN(                                                            \
192                 sizeof(struct toc0_main_info)                           + \
193                 sizeof(struct toc0_item_info) * TOC0_DEFAULT_NUM_ITEMS  + \
194                 sizeof(struct toc0_cert_item)                           + \
195                 sizeof(struct toc0_key_item),                             \
196         32)
197
198 static char *fw_key_file   = "fw_key.pem";
199 static char *key_item_file = "key_item.bin";
200 static char *root_key_file = "root_key.pem";
201
202 /*
203  * Create a key item in @buf, containing the public keys @root_key and @fw_key,
204  * and signed by the RSA key @root_key.
205  */
206 static int toc0_create_key_item(uint8_t *buf, uint32_t *len,
207                                 RSA *root_key, RSA *fw_key)
208 {
209         struct toc0_key_item *key_item = (void *)buf;
210         uint8_t digest[SHA256_DIGEST_LENGTH];
211         int ret = EXIT_FAILURE;
212         unsigned int sig_len;
213         int n_len, e_len;
214
215         /* Store key 0. */
216         n_len = BN_bn2bin(RSA_get0_n(root_key), key_item->key0);
217         e_len = BN_bn2bin(RSA_get0_e(root_key), key_item->key0 + n_len);
218         if (n_len + e_len > sizeof(key_item->key0)) {
219                 pr_err("Root key is too big for key item\n");
220                 goto err;
221         }
222         key_item->key0_n_len = cpu_to_le32(n_len);
223         key_item->key0_e_len = cpu_to_le32(e_len);
224
225         /* Store key 1. */
226         n_len = BN_bn2bin(RSA_get0_n(fw_key), key_item->key1);
227         e_len = BN_bn2bin(RSA_get0_e(fw_key), key_item->key1 + n_len);
228         if (n_len + e_len > sizeof(key_item->key1)) {
229                 pr_err("Firmware key is too big for key item\n");
230                 goto err;
231         }
232         key_item->key1_n_len = cpu_to_le32(n_len);
233         key_item->key1_e_len = cpu_to_le32(e_len);
234
235         /* Sign the key item. */
236         key_item->sig_len = cpu_to_le32(RSA_size(root_key));
237         SHA256(buf, key_item->sig - buf, digest);
238         if (!RSA_sign(NID_sha256, digest, sizeof(digest),
239                       key_item->sig, &sig_len, root_key)) {
240                 pr_err("Failed to sign key item\n");
241                 goto err;
242         }
243         if (sig_len != sizeof(key_item->sig)) {
244                 pr_err("Bad key item signature length\n");
245                 goto err;
246         }
247
248         *len = sizeof(*key_item);
249         ret = EXIT_SUCCESS;
250
251 err:
252         return ret;
253 }
254
255 /*
256  * Verify the key item in @buf, containing two public keys @key0 and @key1,
257  * and signed by the RSA key @key0. If @root_key is provided, only signatures
258  * by that key will be accepted. @key1 is returned in @key.
259  */
260 static int toc0_verify_key_item(const uint8_t *buf, uint32_t len,
261                                 RSA *root_key, RSA **fw_key)
262 {
263         struct toc0_key_item *key_item = (void *)buf;
264         uint8_t digest[SHA256_DIGEST_LENGTH];
265         int ret = EXIT_FAILURE;
266         int n_len, e_len;
267         RSA *key0 = NULL;
268         RSA *key1 = NULL;
269         BIGNUM *n, *e;
270
271         if (len < sizeof(*key_item))
272                 goto err;
273
274         /* Load key 0. */
275         n_len = le32_to_cpu(key_item->key0_n_len);
276         e_len = le32_to_cpu(key_item->key0_e_len);
277         if (n_len + e_len > sizeof(key_item->key0)) {
278                 pr_err("Bad root key size in key item\n");
279                 goto err;
280         }
281         n = BN_bin2bn(key_item->key0, n_len, NULL);
282         e = BN_bin2bn(key_item->key0 + n_len, e_len, NULL);
283         key0 = RSA_new();
284         if (!key0)
285                 goto err;
286         if (!RSA_set0_key(key0, n, e, NULL))
287                 goto err;
288
289         /* If a root key was provided, compare it to key 0. */
290         if (root_key && (BN_cmp(n, RSA_get0_n(root_key)) ||
291                          BN_cmp(e, RSA_get0_e(root_key)))) {
292                 pr_err("Wrong root key in key item\n");
293                 goto err;
294         }
295
296         /* Verify the key item signature. */
297         SHA256(buf, key_item->sig - buf, digest);
298         if (!RSA_verify(NID_sha256, digest, sizeof(digest),
299                         key_item->sig, le32_to_cpu(key_item->sig_len), key0)) {
300                 pr_err("Bad key item signature\n");
301                 goto err;
302         }
303
304         if (fw_key) {
305                 /* Load key 1. */
306                 n_len = le32_to_cpu(key_item->key1_n_len);
307                 e_len = le32_to_cpu(key_item->key1_e_len);
308                 if (n_len + e_len > sizeof(key_item->key1)) {
309                         pr_err("Bad firmware key size in key item\n");
310                         goto err;
311                 }
312                 n = BN_bin2bn(key_item->key1, n_len, NULL);
313                 e = BN_bin2bn(key_item->key1 + n_len, e_len, NULL);
314                 key1 = RSA_new();
315                 if (!key1)
316                         goto err;
317                 if (!RSA_set0_key(key1, n, e, NULL))
318                         goto err;
319
320                 if (*fw_key) {
321                         /* If a FW key was provided, compare it to key 1. */
322                         if (BN_cmp(n, RSA_get0_n(*fw_key)) ||
323                             BN_cmp(e, RSA_get0_e(*fw_key))) {
324                                 pr_err("Wrong firmware key in key item\n");
325                                 goto err;
326                         }
327                 } else {
328                         /* Otherwise, send key1 back to the caller. */
329                         *fw_key = key1;
330                         key1 = NULL;
331                 }
332         }
333
334         ret = EXIT_SUCCESS;
335
336 err:
337         RSA_free(key0);
338         RSA_free(key1);
339
340         return ret;
341 }
342
343 /*
344  * Create a certificate in @buf, describing the firmware with SHA256 digest
345  * @digest, and signed by the RSA key @fw_key.
346  */
347 static int toc0_create_cert_item(uint8_t *buf, uint32_t *len, RSA *fw_key,
348                                  uint8_t digest[static SHA256_DIGEST_LENGTH])
349 {
350         struct toc0_cert_item *cert_item = (void *)buf;
351         uint8_t cert_digest[SHA256_DIGEST_LENGTH];
352         struct toc0_totalSequence *totalSequence;
353         struct toc0_sigSequence *sigSequence;
354         struct toc0_extension *extension;
355         struct toc0_publicKey *publicKey;
356         int ret = EXIT_FAILURE;
357         unsigned int sig_len;
358
359         memcpy(cert_item, &cert_item_template, sizeof(*cert_item));
360         *len = sizeof(*cert_item);
361
362         /*
363          * Fill in the public key.
364          *
365          * Only 2048-bit RSA keys are supported. Since this uses a fixed-size
366          * structure, it may fail for non-standard exponents.
367          */
368         totalSequence = &cert_item->totalSequence;
369         publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey;
370         if (BN_bn2binpad(RSA_get0_n(fw_key), publicKey->n, sizeof(publicKey->n)) < 0 ||
371             BN_bn2binpad(RSA_get0_e(fw_key), publicKey->e, sizeof(publicKey->e)) < 0) {
372                 pr_err("Firmware key is too big for certificate\n");
373                 goto err;
374         }
375
376         /* Fill in the firmware digest. */
377         extension = &totalSequence->mainSequence.explicit3.extension;
378         memcpy(&extension->digest, digest, SHA256_DIGEST_LENGTH);
379
380         /*
381          * Sign the certificate.
382          *
383          * In older SBROM versions (and by default in newer versions),
384          * the last 4 bytes of the certificate are not signed.
385          *
386          * (The buffer passed to SHA256 starts at tag_mainSequence, but
387          *  the buffer size does not include the length of that tag.)
388          */
389         SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest);
390         sigSequence = &totalSequence->sigSequence;
391         if (!RSA_sign(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH,
392                       sigSequence->signature, &sig_len, fw_key)) {
393                 pr_err("Failed to sign certificate\n");
394                 goto err;
395         }
396         if (sig_len != sizeof(sigSequence->signature)) {
397                 pr_err("Bad certificate signature length\n");
398                 goto err;
399         }
400
401         ret = EXIT_SUCCESS;
402
403 err:
404         return ret;
405 }
406
407 /*
408  * Verify the certificate in @buf, describing the firmware with SHA256 digest
409  * @digest, and signed by the RSA key contained within. If @fw_key is provided,
410  * only that key will be accepted.
411  *
412  * This function is only expected to work with images created by mkimage.
413  */
414 static int toc0_verify_cert_item(const uint8_t *buf, uint32_t len, RSA *fw_key,
415                                  uint8_t digest[static SHA256_DIGEST_LENGTH])
416 {
417         const struct toc0_cert_item *cert_item = (const void *)buf;
418         uint8_t cert_digest[SHA256_DIGEST_LENGTH];
419         const struct toc0_totalSequence *totalSequence;
420         const struct toc0_sigSequence *sigSequence;
421         const struct toc0_extension *extension;
422         const struct toc0_publicKey *publicKey;
423         int ret = EXIT_FAILURE;
424         RSA *key = NULL;
425         BIGNUM *n, *e;
426
427         /* Extract the public key from the certificate. */
428         totalSequence = &cert_item->totalSequence;
429         publicKey = &totalSequence->mainSequence.subjectPublicKeyInfo.publicKey;
430         n = BN_bin2bn(publicKey->n, sizeof(publicKey->n), NULL);
431         e = BN_bin2bn(publicKey->e, sizeof(publicKey->e), NULL);
432         key = RSA_new();
433         if (!key)
434                 goto err;
435         if (!RSA_set0_key(key, n, e, NULL))
436                 goto err;
437
438         /* If a key was provided, compare it to the embedded key. */
439         if (fw_key && (BN_cmp(RSA_get0_n(key), RSA_get0_n(fw_key)) ||
440                        BN_cmp(RSA_get0_e(key), RSA_get0_e(fw_key)))) {
441                 pr_err("Wrong firmware key in certificate\n");
442                 goto err;
443         }
444
445         /* If a digest was provided, compare it to the embedded digest. */
446         extension = &totalSequence->mainSequence.explicit3.extension;
447         if (digest && memcmp(&extension->digest, digest, SHA256_DIGEST_LENGTH)) {
448                 pr_err("Wrong firmware digest in certificate\n");
449                 goto err;
450         }
451
452         /* Verify the certificate's signature. See the comment above. */
453         SHA256((uint8_t *)totalSequence, sizeof(struct toc0_mainSequence), cert_digest);
454         sigSequence = &totalSequence->sigSequence;
455         if (!RSA_verify(NID_sha256, cert_digest, SHA256_DIGEST_LENGTH,
456                         sigSequence->signature,
457                         sizeof(sigSequence->signature), key)) {
458                 pr_err("Bad certificate signature\n");
459                 goto err;
460         }
461
462         ret = EXIT_SUCCESS;
463
464 err:
465         RSA_free(key);
466
467         return ret;
468 }
469
470 /*
471  * Always create a TOC0 containing 3 items. The extra item will be ignored on
472  * SoCs which do not support it.
473  */
474 static int toc0_create(uint8_t *buf, uint32_t len, RSA *root_key, RSA *fw_key,
475                        uint8_t *key_item, uint32_t key_item_len,
476                        uint8_t *fw_item, uint32_t fw_item_len, uint32_t fw_addr)
477 {
478         struct toc0_main_info *main_info = (void *)buf;
479         struct toc0_item_info *item_info = (void *)(main_info + 1);
480         uint8_t digest[SHA256_DIGEST_LENGTH];
481         uint32_t *buf32 = (void *)buf;
482         RSA *orig_fw_key = fw_key;
483         int ret = EXIT_FAILURE;
484         uint32_t checksum = 0;
485         uint32_t item_offset;
486         uint32_t item_length;
487         int i;
488
489         /* Hash the firmware for inclusion in the certificate. */
490         SHA256(fw_item, fw_item_len, digest);
491
492         /* Create the main TOC0 header, containing three items. */
493         memcpy(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name));
494         main_info->magic        = cpu_to_le32(TOC0_MAIN_INFO_MAGIC);
495         main_info->checksum     = cpu_to_le32(BROM_STAMP_VALUE);
496         main_info->num_items    = cpu_to_le32(TOC0_DEFAULT_NUM_ITEMS);
497         memcpy(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end));
498
499         /* The first item links the ROTPK to the signing key. */
500         item_offset = sizeof(*main_info) +
501                       sizeof(*item_info) * TOC0_DEFAULT_NUM_ITEMS;
502         /* Using an existing key item avoids needing the root private key. */
503         if (key_item) {
504                 item_length = sizeof(*key_item);
505                 if (toc0_verify_key_item(key_item, item_length,
506                                          root_key, &fw_key))
507                         goto err;
508                 memcpy(buf + item_offset, key_item, item_length);
509         } else if (toc0_create_key_item(buf + item_offset, &item_length,
510                                         root_key, fw_key)) {
511                 goto err;
512         }
513
514         item_info->name         = cpu_to_le32(TOC0_ITEM_INFO_NAME_KEY);
515         item_info->offset       = cpu_to_le32(item_offset);
516         item_info->length       = cpu_to_le32(item_length);
517         memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end));
518
519         /* The second item contains a certificate signed by the firmware key. */
520         item_offset = item_offset + item_length;
521         if (toc0_create_cert_item(buf + item_offset, &item_length,
522                                   fw_key, digest))
523                 goto err;
524
525         item_info++;
526         item_info->name         = cpu_to_le32(TOC0_ITEM_INFO_NAME_CERT);
527         item_info->offset       = cpu_to_le32(item_offset);
528         item_info->length       = cpu_to_le32(item_length);
529         memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end));
530
531         /* The third item contains the actual boot code. */
532         item_offset = ALIGN(item_offset + item_length, 32);
533         item_length = fw_item_len;
534         if (buf + item_offset != fw_item)
535                 memmove(buf + item_offset, fw_item, item_length);
536
537         item_info++;
538         item_info->name         = cpu_to_le32(TOC0_ITEM_INFO_NAME_FIRMWARE);
539         item_info->offset       = cpu_to_le32(item_offset);
540         item_info->length       = cpu_to_le32(item_length);
541         item_info->load_addr    = cpu_to_le32(fw_addr);
542         memcpy(item_info->end, TOC0_ITEM_INFO_END, sizeof(item_info->end));
543
544         /* Pad to the required block size with 0xff to be flash-friendly. */
545         item_offset = item_offset + item_length;
546         item_length = ALIGN(item_offset, PAD_SIZE) - item_offset;
547         memset(buf + item_offset, 0xff, item_length);
548
549         /* Fill in the total padded file length. */
550         item_offset = item_offset + item_length;
551         main_info->length = cpu_to_le32(item_offset);
552
553         /* Verify enough space was provided when creating the image. */
554         assert(len >= item_offset);
555
556         /* Calculate the checksum. Yes, it's that simple. */
557         for (i = 0; i < item_offset / 4; ++i)
558                 checksum += le32_to_cpu(buf32[i]);
559         main_info->checksum = cpu_to_le32(checksum);
560
561         ret = EXIT_SUCCESS;
562
563 err:
564         if (fw_key != orig_fw_key)
565                 RSA_free(fw_key);
566
567         return ret;
568 }
569
570 static const struct toc0_item_info *
571 toc0_find_item(const struct toc0_main_info *main_info, uint32_t name,
572                uint32_t *offset, uint32_t *length)
573 {
574         const struct toc0_item_info *item_info = (void *)(main_info + 1);
575         uint32_t item_offset, item_length;
576         uint32_t num_items, main_length;
577         int i;
578
579         num_items   = le32_to_cpu(main_info->num_items);
580         main_length = le32_to_cpu(main_info->length);
581
582         for (i = 0; i < num_items; ++i, ++item_info) {
583                 if (le32_to_cpu(item_info->name) != name)
584                         continue;
585
586                 item_offset = le32_to_cpu(item_info->offset);
587                 item_length = le32_to_cpu(item_info->length);
588
589                 if (item_offset > main_length ||
590                     item_length > main_length - item_offset)
591                         continue;
592
593                 *offset = item_offset;
594                 *length = item_length;
595
596                 return item_info;
597         }
598
599         return NULL;
600 }
601
602 static int toc0_verify(const uint8_t *buf, uint32_t len, RSA *root_key)
603 {
604         const struct toc0_main_info *main_info = (void *)buf;
605         const struct toc0_item_info *item_info;
606         uint8_t digest[SHA256_DIGEST_LENGTH];
607         uint32_t main_length = le32_to_cpu(main_info->length);
608         uint32_t checksum = BROM_STAMP_VALUE;
609         uint32_t *buf32 = (void *)buf;
610         uint32_t length, offset;
611         int ret = EXIT_FAILURE;
612         RSA *fw_key = NULL;
613         int i;
614
615         if (len < main_length)
616                 goto err;
617
618         /* Verify the main header. */
619         if (memcmp(main_info->name, TOC0_MAIN_INFO_NAME, sizeof(main_info->name)))
620                 goto err;
621         if (le32_to_cpu(main_info->magic) != TOC0_MAIN_INFO_MAGIC)
622                 goto err;
623         /* Verify the checksum without modifying the buffer. */
624         for (i = 0; i < main_length / 4; ++i)
625                 checksum += le32_to_cpu(buf32[i]);
626         if (checksum != 2 * le32_to_cpu(main_info->checksum))
627                 goto err;
628         /* The length must be at least 512 byte aligned. */
629         if (main_length % 512)
630                 goto err;
631         if (memcmp(main_info->end, TOC0_MAIN_INFO_END, sizeof(main_info->end)))
632                 goto err;
633
634         /* Verify the key item if present (it is optional). */
635         item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_KEY,
636                                    &offset, &length);
637         if (!item_info)
638                 fw_key = root_key;
639         else if (toc0_verify_key_item(buf + offset, length, root_key, &fw_key))
640                 goto err;
641
642         /* Hash the firmware to compare with the certificate. */
643         item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_FIRMWARE,
644                                    &offset, &length);
645         if (!item_info) {
646                 pr_err("Missing firmware item\n");
647                 goto err;
648         }
649         SHA256(buf + offset, length, digest);
650
651         /* Verify the certificate item. */
652         item_info = toc0_find_item(main_info, TOC0_ITEM_INFO_NAME_CERT,
653                                    &offset, &length);
654         if (!item_info) {
655                 pr_err("Missing certificate item\n");
656                 goto err;
657         }
658         if (toc0_verify_cert_item(buf + offset, length, fw_key, digest))
659                 goto err;
660
661         ret = EXIT_SUCCESS;
662
663 err:
664         if (fw_key != root_key)
665                 RSA_free(fw_key);
666
667         return ret;
668 }
669
670 static int toc0_check_params(struct image_tool_params *params)
671 {
672         if (!params->dflag)
673                 return -EINVAL;
674
675         /*
676          * If a key directory was provided, look for key files there.
677          * Otherwise, look for them in the current directory. The key files are
678          * the "quoted" terms in the description below.
679          *
680          * A summary of the chain of trust on most SoCs:
681          *  1) eFuse contains a SHA256 digest of the public "root key".
682          *  2) Private "root key" signs the certificate item (generated here).
683          *  3) Certificate item contains a SHA256 digest of the firmware item.
684          *
685          * A summary of the chain of trust on the H6 (by default; a bit in the
686          * BROM_CONFIG eFuse makes it work like above):
687          *  1) eFuse contains a SHA256 digest of the public "root key".
688          *  2) Private "root key" signs the "key item" (generated here).
689          *  3) "Key item" contains the public "root key" and public "fw key".
690          *  4) Private "fw key" signs the certificate item (generated here).
691          *  5) Certificate item contains a SHA256 digest of the firmware item.
692          *
693          * This means there are three valid ways to generate a TOC0:
694          *  1) Provide the private "root key" only. This works everywhere.
695          *     For H6, the "root key" will also be used as the "fw key".
696          *  2) FOR H6 ONLY: Provide the private "root key" and a separate
697          *     private "fw key".
698          *  3) FOR H6 ONLY: Provide the private "fw key" and a pre-existing
699          *     "key item" containing the corresponding  public "fw key".
700          *     In this case, the private "root key" can be kept offline. The
701          *     "key item" can be extracted from a TOC0 image generated using
702          *     method #2 above.
703          *
704          *  Note that until the ROTPK_HASH eFuse is programmed, any "root key"
705          *  will be accepted by the BROM.
706          */
707         if (params->keydir) {
708                 if (asprintf(&fw_key_file, "%s/%s", params->keydir, fw_key_file) < 0)
709                         return -ENOMEM;
710                 if (asprintf(&key_item_file, "%s/%s", params->keydir, key_item_file) < 0)
711                         return -ENOMEM;
712                 if (asprintf(&root_key_file, "%s/%s", params->keydir, root_key_file) < 0)
713                         return -ENOMEM;
714         }
715
716         return 0;
717 }
718
719 static int toc0_verify_header(unsigned char *buf, int image_size,
720                               struct image_tool_params *params)
721 {
722         int ret = EXIT_FAILURE;
723         RSA *root_key = NULL;
724         FILE *fp;
725
726         /* A root public key is optional. */
727         fp = fopen(root_key_file, "rb");
728         if (fp) {
729                 pr_info("Verifying image with existing root key\n");
730                 root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
731                 if (!root_key)
732                         root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL);
733                 fclose(fp);
734                 if (!root_key) {
735                         pr_err("Failed to read public key from '%s'\n",
736                                root_key_file);
737                         goto err;
738                 }
739         }
740
741         ret = toc0_verify(buf, image_size, root_key);
742
743 err:
744         RSA_free(root_key);
745
746         return ret;
747 }
748
749 static const char *toc0_item_name(uint32_t name)
750 {
751         if (name == TOC0_ITEM_INFO_NAME_CERT)
752                 return "Certificate";
753         if (name == TOC0_ITEM_INFO_NAME_FIRMWARE)
754                 return "Firmware";
755         if (name == TOC0_ITEM_INFO_NAME_KEY)
756                 return "Key";
757         return "(unknown)";
758 }
759
760 static void toc0_print_header(const void *buf)
761 {
762         const struct toc0_main_info *main_info = buf;
763         const struct toc0_item_info *item_info = (void *)(main_info + 1);
764         uint32_t head_length, main_length, num_items;
765         uint32_t item_offset, item_length, item_name;
766         int load_addr = -1;
767         int i;
768
769         num_items   = le32_to_cpu(main_info->num_items);
770         head_length = sizeof(*main_info) + num_items * sizeof(*item_info);
771         main_length = le32_to_cpu(main_info->length);
772
773         printf("Allwinner TOC0 Image\n"
774                "Size: %d bytes\n"
775                "Contents: %d items\n"
776                " 00000000:%08x Headers\n",
777                main_length, num_items, head_length);
778
779         for (i = 0; i < num_items; ++i, ++item_info) {
780                 item_offset = le32_to_cpu(item_info->offset);
781                 item_length = le32_to_cpu(item_info->length);
782                 item_name   = le32_to_cpu(item_info->name);
783
784                 if (item_name == TOC0_ITEM_INFO_NAME_FIRMWARE)
785                         load_addr = le32_to_cpu(item_info->load_addr);
786
787                 printf(" %08x:%08x %s\n",
788                        item_offset, item_length,
789                        toc0_item_name(item_name));
790         }
791
792         if (num_items && item_offset + item_length < main_length) {
793                 item_offset = item_offset + item_length;
794                 item_length = main_length - item_offset;
795
796                 printf(" %08x:%08x Padding\n",
797                        item_offset, item_length);
798         }
799
800         if (load_addr != -1)
801                 printf("Load address: 0x%08x\n", load_addr);
802 }
803
804 static void toc0_set_header(void *buf, struct stat *sbuf, int ifd,
805                             struct image_tool_params *params)
806 {
807         uint32_t key_item_len = 0;
808         uint8_t *key_item = NULL;
809         int ret = EXIT_FAILURE;
810         RSA *root_key = NULL;
811         RSA *fw_key = NULL;
812         FILE *fp;
813
814         /* Either a key item or the root private key is required. */
815         fp = fopen(key_item_file, "rb");
816         if (fp) {
817                 pr_info("Creating image using existing key item\n");
818                 key_item_len = sizeof(struct toc0_key_item);
819                 key_item = OPENSSL_malloc(key_item_len);
820                 if (!key_item || fread(key_item, key_item_len, 1, fp) != 1) {
821                         pr_err("Failed to read key item from '%s'\n",
822                                root_key_file);
823                         goto err;
824                 }
825                 fclose(fp);
826                 fp = NULL;
827         }
828
829         fp = fopen(root_key_file, "rb");
830         if (fp) {
831                 root_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
832                 if (!root_key)
833                         root_key = PEM_read_RSAPublicKey(fp, NULL, NULL, NULL);
834                 fclose(fp);
835                 fp = NULL;
836         }
837
838         /* When using an existing key item, the root key is optional. */
839         if (!key_item && (!root_key || !RSA_get0_d(root_key))) {
840                 pr_err("Failed to read private key from '%s'\n",
841                        root_key_file);
842                 pr_info("Try 'openssl genrsa -out root_key.pem'\n");
843                 goto err;
844         }
845
846         /* The certificate/firmware private key is always required. */
847         fp = fopen(fw_key_file, "rb");
848         if (fp) {
849                 fw_key = PEM_read_RSAPrivateKey(fp, NULL, NULL, NULL);
850                 fclose(fp);
851                 fp = NULL;
852         }
853         if (!fw_key) {
854                 /* If the root key is a private key, it can be used instead. */
855                 if (root_key && RSA_get0_d(root_key)) {
856                         pr_info("Using root key as firmware key\n");
857                         fw_key = root_key;
858                 } else {
859                         pr_err("Failed to read private key from '%s'\n",
860                                fw_key_file);
861                         goto err;
862                 }
863         }
864
865         /* Warn about potential compatibility issues. */
866         if (key_item || fw_key != root_key)
867                 pr_warn("Only H6 supports separate root and firmware keys\n");
868
869         ret = toc0_create(buf, params->file_size, root_key, fw_key,
870                           key_item, key_item_len,
871                           buf + TOC0_DEFAULT_HEADER_LEN,
872                           params->orig_file_size, params->addr);
873
874 err:
875         OPENSSL_free(key_item);
876         OPENSSL_free(root_key);
877         if (fw_key != root_key)
878                 OPENSSL_free(fw_key);
879         if (fp)
880                 fclose(fp);
881
882         if (ret != EXIT_SUCCESS)
883                 exit(ret);
884 }
885
886 static int toc0_check_image_type(uint8_t type)
887 {
888         return type == IH_TYPE_SUNXI_TOC0 ? 0 : 1;
889 }
890
891 static int toc0_vrec_header(struct image_tool_params *params,
892                             struct image_type_params *tparams)
893 {
894         tparams->hdr = calloc(tparams->header_size, 1);
895
896         /* Save off the unpadded data size for SHA256 calculation. */
897         params->orig_file_size = params->file_size - TOC0_DEFAULT_HEADER_LEN;
898
899         /* Return padding to 8K blocks. */
900         return ALIGN(params->file_size, PAD_SIZE) - params->file_size;
901 }
902
903 U_BOOT_IMAGE_TYPE(
904         sunxi_toc0,
905         "Allwinner TOC0 Boot Image support",
906         TOC0_DEFAULT_HEADER_LEN,
907         NULL,
908         toc0_check_params,
909         toc0_verify_header,
910         toc0_print_header,
911         toc0_set_header,
912         NULL,
913         toc0_check_image_type,
914         NULL,
915         toc0_vrec_header
916 );