image: Add support for signing of FIT configurations

While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).

Add support for signing of FIT configurations using the libfdt's region
support.

Please see doc/uImage.FIT/signature.txt for more information.

Signed-off-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Simon Glass 2013-06-13 15:10:09 -07:00 committed by Tom Rini
parent 3e06cd1f97
commit 4d0985295b
5 changed files with 798 additions and 3 deletions

View File

@ -25,10 +25,11 @@
#include <malloc.h>
DECLARE_GLOBAL_DATA_PTR;
#endif /* !USE_HOSTCC*/
#include <errno.h>
#include <image.h>
#include <rsa.h>
#define IMAGE_MAX_HASHED_NODES 100
struct image_sig_algo image_sig_algos[] = {
{
"sha1,rsa2048",
@ -50,6 +51,50 @@ struct image_sig_algo *image_get_sig_algo(const char *name)
return NULL;
}
/**
* fit_region_make_list() - Make a list of image regions
*
* Given a list of fdt_regions, create a list of image_regions. This is a
* simple conversion routine since the FDT and image code use different
* structures.
*
* @fit: FIT image
* @fdt_regions: Pointer to FDT regions
* @count: Number of FDT regions
* @region: Pointer to image regions, which must hold @count records. If
* region is NULL, then (except for an SPL build) the array will be
* allocated.
* @return: Pointer to image regions
*/
struct image_region *fit_region_make_list(const void *fit,
struct fdt_region *fdt_regions, int count,
struct image_region *region)
{
int i;
debug("Hash regions:\n");
debug("%10s %10s\n", "Offset", "Size");
/*
* Use malloc() except in SPL (to save code size). In SPL the caller
* must allocate the array.
*/
#ifndef CONFIG_SPL_BUILD
if (!region)
region = calloc(sizeof(*region), count);
#endif
if (!region)
return NULL;
for (i = 0; i < count; i++) {
debug("%10x %10x\n", fdt_regions[i].offset,
fdt_regions[i].size);
region[i].data = fit + fdt_regions[i].offset;
region[i].size = fdt_regions[i].size;
}
return region;
}
static int fit_image_setup_verify(struct image_sign_info *info,
const void *fit, int noffset, int required_keynode,
char **err_msgp)
@ -191,3 +236,187 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
return 0;
}
int fit_config_check_sig(const void *fit, int noffset, int required_keynode,
char **err_msgp)
{
char * const exc_prop[] = {"data"};
const char *prop, *end, *name;
struct image_sign_info info;
const uint32_t *strings;
uint8_t *fit_value;
int fit_value_len;
int max_regions;
int i, prop_len;
char path[200];
int count;
debug("%s: fdt=%p, conf='%s', sig='%s'\n", __func__, gd_fdt_blob(),
fit_get_name(fit, noffset, NULL),
fit_get_name(gd_fdt_blob(), required_keynode, NULL));
*err_msgp = NULL;
if (fit_image_setup_verify(&info, fit, noffset, required_keynode,
err_msgp))
return -1;
if (fit_image_hash_get_value(fit, noffset, &fit_value,
&fit_value_len)) {
*err_msgp = "Can't get hash value property";
return -1;
}
/* Count the number of strings in the property */
prop = fdt_getprop(fit, noffset, "hashed-nodes", &prop_len);
end = prop ? prop + prop_len : prop;
for (name = prop, count = 0; name < end; name++)
if (!*name)
count++;
if (!count) {
*err_msgp = "Can't get hashed-nodes property";
return -1;
}
/* Add a sanity check here since we are using the stack */
if (count > IMAGE_MAX_HASHED_NODES) {
*err_msgp = "Number of hashed nodes exceeds maximum";
return -1;
}
/* Create a list of node names from those strings */
char *node_inc[count];
debug("Hash nodes (%d):\n", count);
for (name = prop, i = 0; name < end; name += strlen(name) + 1, i++) {
debug(" '%s'\n", name);
node_inc[i] = (char *)name;
}
/*
* Each node can generate one region for each sub-node. Allow for
* 7 sub-nodes (hash@1, signature@1, etc.) and some extra.
*/
max_regions = 20 + count * 7;
struct fdt_region fdt_regions[max_regions];
/* Get a list of regions to hash */
count = fdt_find_regions(fit, node_inc, count,
exc_prop, ARRAY_SIZE(exc_prop),
fdt_regions, max_regions - 1,
path, sizeof(path), 0);
if (count < 0) {
*err_msgp = "Failed to hash configuration";
return -1;
}
if (count == 0) {
*err_msgp = "No data to hash";
return -1;
}
if (count >= max_regions - 1) {
*err_msgp = "Too many hash regions";
return -1;
}
/* Add the strings */
strings = fdt_getprop(fit, noffset, "hashed-strings", NULL);
if (strings) {
fdt_regions[count].offset = fdt_off_dt_strings(fit) +
fdt32_to_cpu(strings[0]);
fdt_regions[count].size = fdt32_to_cpu(strings[1]);
count++;
}
/* Allocate the region list on the stack */
struct image_region region[count];
fit_region_make_list(fit, fdt_regions, count, region);
if (info.algo->verify(&info, region, count, fit_value,
fit_value_len)) {
*err_msgp = "Verification failed";
return -1;
}
return 0;
}
static int fit_config_verify_sig(const void *fit, int conf_noffset,
const void *sig_blob, int sig_offset)
{
int noffset;
char *err_msg = "";
int verified = 0;
int ret;
/* Process all hash subnodes of the component conf node */
for (noffset = fdt_first_subnode(fit, conf_noffset);
noffset >= 0;
noffset = fdt_next_subnode(fit, noffset)) {
const char *name = fit_get_name(fit, noffset, NULL);
if (!strncmp(name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_check_sig(fit, noffset, sig_offset,
&err_msg);
if (ret) {
puts("- ");
} else {
puts("+ ");
verified = 1;
break;
}
}
}
if (noffset == -FDT_ERR_TRUNCATED || noffset == -FDT_ERR_BADSTRUCTURE) {
err_msg = "Corrupted or truncated tree";
goto error;
}
return verified ? 0 : -EPERM;
error:
printf(" error!\n%s for '%s' hash node in '%s' config node\n",
err_msg, fit_get_name(fit, noffset, NULL),
fit_get_name(fit, conf_noffset, NULL));
return -1;
}
int fit_config_verify_required_sigs(const void *fit, int conf_noffset,
const void *sig_blob)
{
int noffset;
int sig_node;
/* Work out what we need to verify */
sig_node = fdt_subnode_offset(sig_blob, 0, FIT_SIG_NODENAME);
if (sig_node < 0) {
debug("%s: No signature node found: %s\n", __func__,
fdt_strerror(sig_node));
return 0;
}
for (noffset = fdt_first_subnode(sig_blob, sig_node);
noffset >= 0;
noffset = fdt_next_subnode(sig_blob, noffset)) {
const char *required;
int ret;
required = fdt_getprop(sig_blob, noffset, "required", NULL);
if (!required || strcmp(required, "conf"))
continue;
ret = fit_config_verify_sig(fit, conf_noffset, sig_blob,
noffset);
if (ret) {
printf("Failed to verify required signature '%s'\n",
fit_get_name(sig_blob, noffset, NULL));
return ret;
}
}
return 0;
}
int fit_config_verify(const void *fit, int conf_noffset)
{
return !fit_config_verify_required_sigs(fit, conf_noffset,
gd_fdt_blob());
}

View File

@ -0,0 +1,45 @@
/dts-v1/;
/ {
description = "Chrome OS kernel image with one or more FDT blobs";
#address-cells = <1>;
images {
kernel@1 {
data = /incbin/("test-kernel.bin");
type = "kernel_noload";
arch = "sandbox";
os = "linux";
compression = "lzo";
load = <0x4>;
entry = <0x8>;
kernel-version = <1>;
hash@1 {
algo = "sha1";
};
};
fdt@1 {
description = "snow";
data = /incbin/("sandbox-kernel.dtb");
type = "flat_dt";
arch = "sandbox";
compression = "none";
fdt-version = <1>;
hash@1 {
algo = "sha1";
};
};
};
configurations {
default = "conf@1";
conf@1 {
kernel = "kernel@1";
fdt = "fdt@1";
signature@1 {
algo = "sha1,rsa2048";
key-name-hint = "dev";
sign-images = "fdt", "kernel";
};
};
};
};

View File

@ -105,8 +105,27 @@ When the image is signed, the following properties are optional:
- comment: Additional information about the signer or image
For config bindings (see Signed Configurations below), the following
additional properties are optional:
Example: See sign-images.its for an example image tree source file.
- sign-images: A list of images to sign, each being a property of the conf
node that contains then. The default is "kernel,fdt" which means that these
two images will be looked up in the config and signed if present.
For config bindings, these properties are added by the signer:
- hashed-nodes: A list of nodes which were hashed by the signer. Each is
a string - the full path to node. A typical value might be:
hashed-nodes = "/", "/configurations/conf@1", "/images/kernel@1",
"/images/kernel@1/hash@1", "/images/fdt@1",
"/images/fdt@1/hash@1";
- hashed-strings: The start and size of the string region of the FIT that
was hashed
Example: See sign-images.its for an example image tree source file and
sign-configs.its for config signing.
Public Key Storage
@ -144,6 +163,153 @@ For RSA the following are mandatory:
- rsa,n0-inverse: -1 / modulus[0] mod 2^32
Signed Configurations
---------------------
While signing images is useful, it does not provide complete protection
against several types of attack. For example, it it possible to create a
FIT with the same signed images, but with the configuration changed such
that a different one is selected (mix and match attack). It is also possible
to substitute a signed image from an older FIT version into a newer FIT
(roll-back attack).
As an example, consider this FIT:
/ {
images {
kernel@1 {
data = <data for kernel1>
signature@1 {
algo = "sha1,rsa2048";
value = <...kernel signature 1...>
};
};
kernel@2 {
data = <data for kernel2>
signature@1 {
algo = "sha1,rsa2048";
value = <...kernel signature 2...>
};
};
fdt@1 {
data = <data for fdt1>;
signature@1 {
algo = "sha1,rsa2048";
vaue = <...fdt signature 1...>
};
};
fdt@2 {
data = <data for fdt2>;
signature@1 {
algo = "sha1,rsa2048";
vaue = <...fdt signature 2...>
};
};
};
configurations {
default = "conf@1";
conf@1 {
kernel = "kernel@1";
fdt = "fdt@1";
};
conf@1 {
kernel = "kernel@2";
fdt = "fdt@2";
};
};
};
Since both kernels are signed it is easy for an attacker to add a new
configuration 3 with kernel 1 and fdt 2:
configurations {
default = "conf@1";
conf@1 {
kernel = "kernel@1";
fdt = "fdt@1";
};
conf@1 {
kernel = "kernel@2";
fdt = "fdt@2";
};
conf@3 {
kernel = "kernel@1";
fdt = "fdt@2";
};
};
With signed images, nothing protects against this. Whether it gains an
advantage for the attacker is debatable, but it is not secure.
To solved this problem, we support signed configurations. In this case it
is the configurations that are signed, not the image. Each image has its
own hash, and we include the hash in the configuration signature.
So the above example is adjusted to look like this:
/ {
images {
kernel@1 {
data = <data for kernel1>
hash@1 {
algo = "sha1";
value = <...kernel hash 1...>
};
};
kernel@2 {
data = <data for kernel2>
hash@1 {
algo = "sha1";
value = <...kernel hash 2...>
};
};
fdt@1 {
data = <data for fdt1>;
hash@1 {
algo = "sha1";
value = <...fdt hash 1...>
};
};
fdt@2 {
data = <data for fdt2>;
hash@1 {
algo = "sha1";
value = <...fdt hash 2...>
};
};
};
configurations {
default = "conf@1";
conf@1 {
kernel = "kernel@1";
fdt = "fdt@1";
signature@1 {
algo = "sha1,rsa2048";
value = <...conf 1 signature...>;
};
};
conf@2 {
kernel = "kernel@2";
fdt = "fdt@2";
signature@1 {
algo = "sha1,rsa2048";
value = <...conf 1 signature...>;
};
};
};
};
You can see that we have added hashes for all images (since they are no
longer signed), and a signature to each configuration. In the above example,
mkimage will sign configurations/conf@1, the kernel and fdt that are
pointed to by the configuration (/images/kernel@1, /images/kernel@1/hash@1,
/images/fdt@1, /images/fdt@1/hash@1) and the root structure of the image
(so that it isn't possible to add or remove root nodes). The signature is
written into /configurations/conf@1/signature@1/value. It can easily be
verified later even if the FIT has been signed with other keys in the
meantime.
Verification
------------
FITs are verified when loaded. After the configuration is selected a list

View File

@ -964,6 +964,22 @@ int fit_image_verify_required_sigs(const void *fit, int image_noffset,
int fit_image_check_sig(const void *fit, int noffset, const void *data,
size_t size, int required_keynode, char **err_msgp);
/**
* fit_region_make_list() - Make a list of regions to hash
*
* Given a list of FIT regions (offset, size) provided by libfdt, create
* a list of regions (void *, size) for use by the signature creationg
* and verification code.
*
* @fit: FIT image to process
* @fdt_regions: Regions as returned by libfdt
* @count: Number of regions returned by libfdt
* @region: Place to put list of regions (NULL to allocate it)
* @return pointer to list of regions, or NULL if out of memory
*/
struct image_region *fit_region_make_list(const void *fit,
struct fdt_region *fdt_regions, int count,
struct image_region *region);
static inline int fit_image_check_target_arch(const void *fdt, int node)
{

View File

@ -341,10 +341,326 @@ int fit_image_add_verification_data(const char *keydir, void *keydest,
return 0;
}
struct strlist {
int count;
char **strings;
};
static void strlist_init(struct strlist *list)
{
memset(list, '\0', sizeof(*list));
}
static void strlist_free(struct strlist *list)
{
int i;
for (i = 0; i < list->count; i++)
free(list->strings[i]);
free(list->strings);
}
static int strlist_add(struct strlist *list, const char *str)
{
char *dup;
dup = strdup(str);
list->strings = realloc(list->strings,
(list->count + 1) * sizeof(char *));
if (!list || !str)
return -1;
list->strings[list->count++] = dup;
return 0;
}
static const char *fit_config_get_image_list(void *fit, int noffset,
int *lenp, int *allow_missingp)
{
static const char default_list[] = FIT_KERNEL_PROP "\0"
FIT_FDT_PROP;
const char *prop;
/* If there is an "image" property, use that */
prop = fdt_getprop(fit, noffset, "sign-images", lenp);
if (prop) {
*allow_missingp = 0;
return *lenp ? prop : NULL;
}
/* Default image list */
*allow_missingp = 1;
*lenp = sizeof(default_list);
return default_list;
}
static int fit_config_get_hash_list(void *fit, int conf_noffset,
int sig_offset, struct strlist *node_inc)
{
int allow_missing;
const char *prop, *iname, *end;
const char *conf_name, *sig_name;
char name[200], path[200];
int image_count;
int ret, len;
conf_name = fit_get_name(fit, conf_noffset, NULL);
sig_name = fit_get_name(fit, sig_offset, NULL);
/*
* Build a list of nodes we need to hash. We always need the root
* node and the configuration.
*/
strlist_init(node_inc);
snprintf(name, sizeof(name), "%s/%s", FIT_CONFS_PATH, conf_name);
if (strlist_add(node_inc, "/") ||
strlist_add(node_inc, name))
goto err_mem;
/* Get a list of images that we intend to sign */
prop = fit_config_get_image_list(fit, conf_noffset, &len,
&allow_missing);
if (!prop)
return 0;
/* Locate the images */
end = prop + len;
image_count = 0;
for (iname = prop; iname < end; iname += strlen(iname) + 1) {
int noffset;
int image_noffset;
int hash_count;
image_noffset = fit_conf_get_prop_node(fit, conf_noffset,
iname);
if (image_noffset < 0) {
printf("Failed to find image '%s' in configuration '%s/%s'\n",
iname, conf_name, sig_name);
if (allow_missing)
continue;
return -ENOENT;
}
ret = fdt_get_path(fit, image_noffset, path, sizeof(path));
if (ret < 0)
goto err_path;
if (strlist_add(node_inc, path))
goto err_mem;
snprintf(name, sizeof(name), "%s/%s", FIT_CONFS_PATH,
conf_name);
/* Add all this image's hashes */
hash_count = 0;
for (noffset = fdt_first_subnode(fit, image_noffset);
noffset >= 0;
noffset = fdt_next_subnode(fit, noffset)) {
const char *name = fit_get_name(fit, noffset, NULL);
if (strncmp(name, FIT_HASH_NODENAME,
strlen(FIT_HASH_NODENAME)))
continue;
ret = fdt_get_path(fit, noffset, path, sizeof(path));
if (ret < 0)
goto err_path;
if (strlist_add(node_inc, path))
goto err_mem;
hash_count++;
}
if (!hash_count) {
printf("Failed to find any hash nodes in configuration '%s/%s' image '%s' - without these it is not possible to verify this image\n",
conf_name, sig_name, iname);
return -ENOMSG;
}
image_count++;
}
if (!image_count) {
printf("Failed to find any images for configuration '%s/%s'\n",
conf_name, sig_name);
return -ENOMSG;
}
return 0;
err_mem:
printf("Out of memory processing configuration '%s/%s'\n", conf_name,
sig_name);
return -ENOMEM;
err_path:
printf("Failed to get path for image '%s' in configuration '%s/%s': %s\n",
iname, conf_name, sig_name, fdt_strerror(ret));
return -ENOENT;
}
static int fit_config_get_data(void *fit, int conf_noffset, int noffset,
struct image_region **regionp, int *region_countp,
char **region_propp, int *region_proplen)
{
char * const exc_prop[] = {"data"};
struct strlist node_inc;
struct image_region *region;
struct fdt_region fdt_regions[100];
const char *conf_name, *sig_name;
char path[200];
int count, i;
char *region_prop;
int ret, len;
conf_name = fit_get_name(fit, conf_noffset, NULL);
sig_name = fit_get_name(fit, conf_noffset, NULL);
debug("%s: conf='%s', sig='%s'\n", __func__, conf_name, sig_name);
/* Get a list of nodes we want to hash */
ret = fit_config_get_hash_list(fit, conf_noffset, noffset, &node_inc);
if (ret)
return ret;
/* Get a list of regions to hash */
count = fdt_find_regions(fit, node_inc.strings, node_inc.count,
exc_prop, ARRAY_SIZE(exc_prop),
fdt_regions, ARRAY_SIZE(fdt_regions),
path, sizeof(path), 1);
if (count < 0) {
printf("Failed to hash configuration '%s/%s': %s\n", conf_name,
sig_name, fdt_strerror(ret));
return -EIO;
}
if (count == 0) {
printf("No data to hash for configuration '%s/%s': %s\n",
conf_name, sig_name, fdt_strerror(ret));
return -EINVAL;
}
/* Build our list of data blocks */
region = fit_region_make_list(fit, fdt_regions, count, NULL);
if (!region) {
printf("Out of memory hashing configuration '%s/%s'\n",
conf_name, sig_name);
return -ENOMEM;
}
/* Create a list of all hashed properties */
debug("Hash nodes:\n");
for (i = len = 0; i < node_inc.count; i++) {
debug(" %s\n", node_inc.strings[i]);
len += strlen(node_inc.strings[i]) + 1;
}
region_prop = malloc(len);
if (!region_prop) {
printf("Out of memory setting up regions for configuration '%s/%s'\n",
conf_name, sig_name);
return -ENOMEM;
}
for (i = len = 0; i < node_inc.count;
len += strlen(node_inc.strings[i]) + 1, i++)
strcpy(region_prop + len, node_inc.strings[i]);
strlist_free(&node_inc);
*region_countp = count;
*regionp = region;
*region_propp = region_prop;
*region_proplen = len;
return 0;
}
static int fit_config_process_sig(const char *keydir, void *keydest,
void *fit, const char *conf_name, int conf_noffset,
int noffset, const char *comment, int require_keys)
{
struct image_sign_info info;
const char *node_name;
struct image_region *region;
char *region_prop;
int region_proplen;
int region_count;
uint8_t *value;
uint value_len;
int ret;
node_name = fit_get_name(fit, noffset, NULL);
if (fit_config_get_data(fit, conf_noffset, noffset, &region,
&region_count, &region_prop, &region_proplen))
return -1;
if (fit_image_setup_sig(&info, keydir, fit, conf_name, noffset,
require_keys ? "conf" : NULL))
return -1;
ret = info.algo->sign(&info, region, region_count, &value, &value_len);
free(region);
if (ret) {
printf("Failed to sign '%s' signature node in '%s' conf node\n",
node_name, conf_name);
/* We allow keys to be missing */
if (ret == -ENOENT)
return 0;
return -1;
}
if (fit_image_write_sig(fit, noffset, value, value_len, comment,
region_prop, region_proplen)) {
printf("Can't write signature for '%s' signature node in '%s' conf node\n",
node_name, conf_name);
return -1;
}
free(value);
free(region_prop);
/* Get keyname again, as FDT has changed and invalidated our pointer */
info.keyname = fdt_getprop(fit, noffset, "key-name-hint", NULL);
/* Write the public key into the supplied FDT file */
if (keydest && info.algo->add_verify_data(&info, keydest)) {
printf("Failed to add verification data for '%s' signature node in '%s' image node\n",
node_name, conf_name);
return -1;
}
return 0;
}
static int fit_config_add_verification_data(const char *keydir, void *keydest,
void *fit, int conf_noffset, const char *comment,
int require_keys)
{
const char *conf_name;
int noffset;
conf_name = fit_get_name(fit, conf_noffset, NULL);
/* Process all hash subnodes of the configuration node */
for (noffset = fdt_first_subnode(fit, conf_noffset);
noffset >= 0;
noffset = fdt_next_subnode(fit, noffset)) {
const char *node_name;
int ret = 0;
node_name = fit_get_name(fit, noffset, NULL);
if (!strncmp(node_name, FIT_SIG_NODENAME,
strlen(FIT_SIG_NODENAME))) {
ret = fit_config_process_sig(keydir, keydest,
fit, conf_name, conf_noffset, noffset, comment,
require_keys);
}
if (ret)
return ret;
}
return 0;
}
int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
const char *comment, int require_keys)
{
int images_noffset;
int images_noffset, confs_noffset;
int noffset;
int ret;
@ -370,5 +686,28 @@ int fit_add_verification_data(const char *keydir, void *keydest, void *fit,
return ret;
}
/* If there are no keys, we can't sign configurations */
if (!IMAGE_ENABLE_SIGN || !keydir)
return 0;
/* Find configurations parent node offset */
confs_noffset = fdt_path_offset(fit, FIT_CONFS_PATH);
if (confs_noffset < 0) {
printf("Can't find images parent node '%s' (%s)\n",
FIT_IMAGES_PATH, fdt_strerror(confs_noffset));
return -ENOENT;
}
/* Process its subnodes, print out component images details */
for (noffset = fdt_first_subnode(fit, confs_noffset);
noffset >= 0;
noffset = fdt_next_subnode(fit, noffset)) {
ret = fit_config_add_verification_data(keydir, keydest,
fit, noffset, comment,
require_keys);
if (ret)
return ret;
}
return 0;
}