]>
Commit | Line | Data |
---|---|---|
2a1bd2d3 A |
1 | /* |
2 | * Copyright (c) 2011-2018 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | ||
29 | #include <string.h> | |
30 | ||
31 | #include <arm/pmap.h> | |
32 | ||
33 | #include <kern/debug.h> | |
34 | #include <kern/trustcache.h> | |
35 | #include <kern/misc_protos.h> | |
36 | ||
37 | #include <libkern/section_keywords.h> | |
38 | ||
39 | #include <mach/machine/vm_types.h> | |
40 | ||
41 | #include <pexpert/device_tree.h> | |
42 | ||
43 | #include <sys/cdefs.h> | |
44 | ||
45 | // All the external+engineering trust caches (accepting only one on RELEASE). | |
46 | SECURITY_READ_ONLY_LATE(static struct serialized_trust_caches *)pmap_serialized_trust_caches = NULL; | |
47 | ||
48 | // Shortcut to the first (= non-engineering, and therefore "static") trust cache. | |
49 | SECURITY_READ_ONLY_LATE(static struct trust_cache_module1 *)pmap_static_trust_cache = NULL; | |
50 | ||
51 | #if CONFIG_SECOND_STATIC_TRUST_CACHE | |
52 | SECURITY_READ_ONLY_LATE(static struct trust_cache_module1 *)pmap_secondary_static_trust_cache = NULL; | |
53 | #endif | |
54 | ||
55 | // The EXTRADATA segment is where we find the external trust cache. | |
56 | extern vm_offset_t segEXTRADATA; | |
57 | extern unsigned long segSizeEXTRADATA; | |
58 | ||
59 | void | |
60 | trust_cache_init(void) | |
61 | { | |
a991bd8d A |
62 | size_t const locked_down_dt_size = SecureDTIsLockedDown() ? PE_state.deviceTreeSize : 0; |
63 | size_t const len = segSizeEXTRADATA - locked_down_dt_size; | |
2a1bd2d3 A |
64 | |
65 | if (len == 0) { | |
a991bd8d | 66 | // We allow no trust cache at all. |
2a1bd2d3 | 67 | printf("No external trust cache found (region len is 0)."); |
2a1bd2d3 A |
68 | return; |
69 | } | |
70 | ||
2a1bd2d3 A |
71 | pmap_serialized_trust_caches = (struct serialized_trust_caches*)(segEXTRADATA + |
72 | locked_down_dt_size); | |
73 | ||
74 | uint8_t const *region_end = (uint8_t*)pmap_serialized_trust_caches + len; | |
75 | ||
76 | /* Validate the trust cache region for consistency. | |
77 | * | |
78 | * Technically, this shouldn't be necessary because any problem | |
79 | * here would indicate that iBoot is either broken or compromised, | |
80 | * but we do it anyway to assist in development, and for defense | |
81 | * in depth. | |
82 | */ | |
83 | ||
84 | if (len < sizeof(struct serialized_trust_caches)) { | |
85 | panic("short serialized trust cache region: %zu", len); | |
86 | } | |
87 | ||
88 | printf("%d external trust cache modules available.\n", pmap_serialized_trust_caches->num_caches); | |
89 | ||
90 | if (len < (sizeof(struct serialized_trust_caches) + | |
91 | pmap_serialized_trust_caches->num_caches * sizeof(uint32_t))) { | |
92 | panic("serialized trust cache region too short for its %d entries: %zu", | |
93 | pmap_serialized_trust_caches->num_caches, len); | |
94 | } | |
95 | ||
96 | uint8_t *module_end = (uint8_t*)pmap_serialized_trust_caches; | |
97 | ||
98 | for (uint32_t i = 0; i < pmap_serialized_trust_caches->num_caches; i++) { | |
99 | struct trust_cache_module1 *module = (struct trust_cache_module1*) | |
100 | ((uint8_t*)pmap_serialized_trust_caches + pmap_serialized_trust_caches->offsets[i]); | |
101 | ||
102 | if ((uint8_t*)module < module_end) { | |
103 | panic("trust cache module %d overlaps previous module", i); | |
104 | } | |
105 | ||
106 | module_end = (uint8_t*)(module + 1); | |
107 | ||
108 | if (module_end > region_end) { | |
109 | panic("trust cache module %d too short for header", i); | |
110 | } | |
111 | ||
112 | if (module->version != 1) { | |
113 | panic("trust cache module %d has unsupported version %d", i, module->version); | |
114 | } | |
115 | ||
116 | module_end += module->num_entries * sizeof(struct trust_cache_entry1); | |
117 | ||
118 | if (module_end > region_end) { | |
119 | panic("trust cache module %d too short for its %u entries", i, module->num_entries); | |
120 | } | |
121 | ||
122 | printf("external trust cache module %d with %d entries\n", i, module->num_entries); | |
123 | ||
124 | if (i == 0) { | |
125 | pmap_static_trust_cache = module; | |
126 | } | |
127 | #if CONFIG_SECOND_STATIC_TRUST_CACHE | |
128 | else if (i == 1) { | |
129 | pmap_secondary_static_trust_cache = module; | |
130 | } | |
131 | #endif | |
132 | } | |
133 | } | |
134 | ||
135 | ||
136 | // Lookup cdhash in a trust cache module. | |
137 | // Suitable for all kinds of trust caches (but loadable ones are currently different). | |
138 | bool | |
139 | lookup_in_trust_cache_module( | |
140 | struct trust_cache_module1 const * const module, | |
141 | uint8_t const cdhash[CS_CDHASH_LEN], | |
142 | uint8_t * const hash_type, | |
143 | uint8_t * const flags) | |
144 | { | |
145 | size_t lim; | |
146 | struct trust_cache_entry1 const *base = &module->entries[0]; | |
147 | ||
148 | struct trust_cache_entry1 const *entry = NULL; | |
149 | ||
150 | bool found = false; | |
151 | ||
152 | /* Initialization already (redundantly) verified the size of the module for us. */ | |
153 | for (lim = module->num_entries; lim != 0; lim >>= 1) { | |
154 | entry = base + (lim >> 1); | |
155 | int cmp = memcmp(cdhash, entry->cdhash, CS_CDHASH_LEN); | |
156 | if (cmp == 0) { | |
157 | found = true; | |
158 | break; | |
159 | } | |
160 | if (cmp > 0) { /* key > p: move right */ | |
161 | base = entry + 1; | |
162 | lim--; | |
163 | } /* else move left */ | |
164 | } | |
165 | ||
166 | if (found) { | |
167 | *hash_type = entry->hash_type; | |
168 | *flags = entry->flags; | |
169 | return true; | |
170 | } | |
171 | ||
172 | return false; | |
173 | } | |
174 | ||
175 | MARK_AS_PMAP_TEXT uint32_t | |
176 | lookup_in_static_trust_cache(const uint8_t cdhash[CS_CDHASH_LEN]) | |
177 | { | |
178 | /* We will cram those into a single return value, because output parameters require | |
179 | * some contortion. */ | |
180 | uint8_t hash_type = 0, flags = 0; | |
181 | uint32_t engineering_trust_cache_index = 1; | |
182 | ||
183 | if (pmap_static_trust_cache != NULL) { | |
184 | // The one real new static trust cache. | |
185 | if (lookup_in_trust_cache_module(pmap_static_trust_cache, cdhash, &hash_type, &flags)) { | |
186 | return (hash_type << TC_LOOKUP_HASH_TYPE_SHIFT) | | |
187 | (flags << TC_LOOKUP_FLAGS_SHIFT) | | |
188 | (TC_LOOKUP_FOUND << TC_LOOKUP_RESULT_SHIFT); | |
189 | } | |
190 | #if CONFIG_SECOND_STATIC_TRUST_CACHE | |
191 | if (pmap_secondary_static_trust_cache != NULL && | |
192 | lookup_in_trust_cache_module(pmap_secondary_static_trust_cache, cdhash, &hash_type, &flags)) { | |
193 | return (hash_type << TC_LOOKUP_HASH_TYPE_SHIFT) | | |
194 | (flags << TC_LOOKUP_FLAGS_SHIFT) | | |
195 | (TC_LOOKUP_FOUND << TC_LOOKUP_RESULT_SHIFT); | |
196 | } | |
197 | engineering_trust_cache_index = (pmap_secondary_static_trust_cache != NULL) ? 2 : 1; | |
198 | #endif | |
199 | ||
200 | // Engineering Trust Caches. | |
201 | if (pmap_serialized_trust_caches->num_caches > engineering_trust_cache_index) { | |
2a1bd2d3 A |
202 | for (uint32_t i = engineering_trust_cache_index; i < pmap_serialized_trust_caches->num_caches; i++) { |
203 | struct trust_cache_module1 const *module = | |
204 | (struct trust_cache_module1 const *)( | |
205 | (uint8_t*)pmap_serialized_trust_caches + pmap_serialized_trust_caches->offsets[i]); | |
206 | ||
207 | if (lookup_in_trust_cache_module(module, cdhash, &hash_type, &flags)) { | |
208 | return (hash_type << TC_LOOKUP_HASH_TYPE_SHIFT) | | |
209 | (flags << TC_LOOKUP_FLAGS_SHIFT) | | |
210 | (TC_LOOKUP_FOUND << TC_LOOKUP_RESULT_SHIFT); | |
211 | } | |
212 | } | |
2a1bd2d3 A |
213 | } |
214 | } | |
215 | ||
216 | return 0; | |
217 | } |