1 | /* | |
2 | * Copyright (c) 2011-2018 Apple Inc. All rights reserved. | |
3 | * | |
4 | * @APPLE_OSREFERENCE_LICENSE_HEADER_START@ | |
5 | * | |
6 | * This file contains Original Code and/or Modifications of Original Code | |
7 | * as defined in and that are subject to the Apple Public Source License | |
8 | * Version 2.0 (the 'License'). You may not use this file except in | |
9 | * compliance with the License. The rights granted to you under the License | |
10 | * may not be used to create, or enable the creation or redistribution of, | |
11 | * unlawful or unlicensed copies of an Apple operating system, or to | |
12 | * circumvent, violate, or enable the circumvention or violation of, any | |
13 | * terms of an Apple operating system software license agreement. | |
14 | * | |
15 | * Please obtain a copy of the License at | |
16 | * http://www.opensource.apple.com/apsl/ and read it before using this file. | |
17 | * | |
18 | * The Original Code and all software distributed under the License are | |
19 | * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
20 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
21 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
22 | * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT. | |
23 | * Please see the License for the specific language governing rights and | |
24 | * limitations under the License. | |
25 | * | |
26 | * @APPLE_OSREFERENCE_LICENSE_HEADER_END@ | |
27 | */ | |
28 | ||
29 | #include <string.h> | |
30 | ||
31 | #include <arm/pmap.h> | |
32 | ||
33 | #include <kern/debug.h> | |
34 | #include <kern/trustcache.h> | |
35 | #include <kern/misc_protos.h> | |
36 | ||
37 | #include <libkern/section_keywords.h> | |
38 | ||
39 | #include <mach/machine/vm_types.h> | |
40 | ||
41 | #include <pexpert/device_tree.h> | |
42 | ||
43 | #include <sys/cdefs.h> | |
44 | ||
// All the external+engineering trust caches (accepting only one on RELEASE).
// Points into the EXTRADATA segment; assigned once by trust_cache_init() and
// read by lookup_in_static_trust_cache() to reach the engineering modules.
SECURITY_READ_ONLY_LATE(static struct serialized_trust_caches *)pmap_serialized_trust_caches = NULL;

// Shortcut to the first (= non-engineering, and therefore "static") trust cache.
// Module 0 of pmap_serialized_trust_caches, as validated by trust_cache_init().
SECURITY_READ_ONLY_LATE(static struct trust_cache_module1 *)pmap_static_trust_cache = NULL;

#if CONFIG_SECOND_STATIC_TRUST_CACHE
// Module 1, when a second static trust cache is configured; may stay NULL.
SECURITY_READ_ONLY_LATE(static struct trust_cache_module1 *)pmap_secondary_static_trust_cache = NULL;
#endif

// The EXTRADATA segment is where we find the external trust cache.
// Both are defined by the platform's VM initialization, not in this file.
extern vm_offset_t segEXTRADATA;
extern unsigned long segSizeEXTRADATA;
58 | ||
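/*
 * Locate and validate the serialized trust caches that iBoot hands over in the
 * EXTRADATA segment, then publish module 0 (and, with
 * CONFIG_SECOND_STATIC_TRUST_CACHE, module 1) as the static trust cache(s).
 *
 * Every consistency violation panics: the region is produced by iBoot, so a
 * malformed layout means the boot chain is broken or compromised.  The checks
 * are kept anyway to assist development and for defense in depth.
 *
 * Must run before lookup_in_static_trust_cache(), which dereferences the
 * globals assigned here.
 */
void
trust_cache_init(void)
{
	size_t const len = segSizeEXTRADATA;

	if (len == 0) {
#if XNU_TARGET_OS_OSX
		printf("No external trust cache found (region len is 0).");
#else
		panic("No external trust cache found (region len is 0).");
#endif
		return;
	}

	/* A locked-down device tree is placed at the start of EXTRADATA; the
	 * serialized trust caches follow it. */
	size_t const locked_down_dt_size = SecureDTIsLockedDown() ? PE_state.deviceTreeSize : 0;

	pmap_serialized_trust_caches = (struct serialized_trust_caches*)(segEXTRADATA +
	    locked_down_dt_size);

	uint8_t *region_base = (uint8_t*)pmap_serialized_trust_caches;

	/* NOTE(review): the base was advanced by locked_down_dt_size but len is the
	 * full segment size, so in the locked-down case region_end sits
	 * locked_down_dt_size bytes past the end of EXTRADATA and the bounds checks
	 * below are correspondingly loose.  Left as-is pending confirmation of what
	 * segSizeEXTRADATA covers. */
	uint8_t const *region_end = region_base + len;

	/* Validate the trust cache region for consistency.
	 *
	 * Technically, this shouldn't be necessary because any problem
	 * here would indicate that iBoot is either broken or compromised,
	 * but we do it anyway to assist in development, and for defense
	 * in depth.
	 */

	if (len < sizeof(struct serialized_trust_caches)) {
		panic("short serialized trust cache region: %zu", len);
	}

	printf("%d external trust cache modules available.\n", pmap_serialized_trust_caches->num_caches);

	/* Header plus the offsets table; the modules must lie beyond both. */
	size_t const table_size = sizeof(struct serialized_trust_caches) +
	    pmap_serialized_trust_caches->num_caches * sizeof(uint32_t);

	if (len < table_size) {
		panic("serialized trust cache region too short for its %d entries: %zu",
		    pmap_serialized_trust_caches->num_caches, len);
	}

	/* End of the most recently validated object.  Starting at the end of the
	 * offsets table, rather than at the region base, makes the overlap check
	 * below also reject a module 0 that aliases the header or the table. */
	uint8_t const *module_end = region_base + table_size;

	for (uint32_t i = 0; i < pmap_serialized_trust_caches->num_caches; i++) {
		struct trust_cache_module1 *module = (struct trust_cache_module1*)
		    (region_base + pmap_serialized_trust_caches->offsets[i]);

		/* Modules must be laid out in increasing address order without overlap. */
		if ((uint8_t*)module < module_end) {
			panic("trust cache module %d overlaps previous module", i);
		}

		/* The fixed header must fit before any field of it is read. */
		module_end = (uint8_t*)(module + 1);

		if (module_end > region_end) {
			panic("trust cache module %d too short for header", i);
		}

		if (module->version != 1) {
			panic("trust cache module %d has unsupported version %d", i, module->version);
		}

		/* Now that num_entries is trusted to be readable, bound the entry table too. */
		module_end += module->num_entries * sizeof(struct trust_cache_entry1);

		if (module_end > region_end) {
			panic("trust cache module %d too short for its %u entries", i, module->num_entries);
		}

		printf("external trust cache module %d with %d entries\n", i, module->num_entries);

		if (i == 0) {
			pmap_static_trust_cache = module;
		}
#if CONFIG_SECOND_STATIC_TRUST_CACHE
		else if (i == 1) {
			pmap_secondary_static_trust_cache = module;
		}
#endif
	}
}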
138 | ||
139 | ||
/*
 * Look a cdhash up in one trust cache module by binary search over its
 * entry table, which is expected to be sorted by cdhash (memcmp order).
 *
 * On a hit, *hash_type and *flags receive the entry's values and true is
 * returned; on a miss they are left untouched and false is returned.
 *
 * Suitable for all kinds of trust caches (but loadable ones are currently
 * different).  The module's size was already verified at initialization, so
 * no bounds checks are repeated here.
 */
bool
lookup_in_trust_cache_module(
	struct trust_cache_module1 const * const module,
	uint8_t const cdhash[CS_CDHASH_LEN],
	uint8_t * const hash_type,
	uint8_t * const flags)
{
	struct trust_cache_entry1 const *lo = &module->entries[0];
	size_t remaining = module->num_entries;

	while (remaining != 0) {
		/* Probe the middle of the remaining window. */
		struct trust_cache_entry1 const *probe = lo + (remaining >> 1);
		int const order = memcmp(cdhash, probe->cdhash, CS_CDHASH_LEN);

		if (order == 0) {
			*hash_type = probe->hash_type;
			*flags = probe->flags;
			return true;
		}

		if (order > 0) {
			/* Key sorts after the probe: discard it and everything before it. */
			lo = probe + 1;
			remaining--;
		}
		/* Either way, the window shrinks by half. */
		remaining >>= 1;
	}

	return false;
}
178 | ||
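/*
 * Look a cdhash up in the static trust cache(s), falling back to the
 * engineering caches on DEVELOPMENT/DEBUG builds.
 *
 * Returns 0 when not found.  On a hit the entry's hash_type, flags and
 * TC_LOOKUP_FOUND are packed into one uint32_t at the TC_LOOKUP_*_SHIFT
 * positions, because output parameters require some contortion for callers.
 *
 * Requires trust_cache_init() to have run: pmap_serialized_trust_caches is
 * dereferenced whenever pmap_static_trust_cache is set.
 */
MARK_AS_PMAP_TEXT uint32_t
lookup_in_static_trust_cache(const uint8_t cdhash[CS_CDHASH_LEN])
{
	uint8_t hash_type = 0, flags = 0;
	bool found = false;
	uint32_t engineering_trust_cache_index = 1;

	if (pmap_static_trust_cache != NULL) {
		// The one real new static trust cache.
		found = lookup_in_trust_cache_module(pmap_static_trust_cache, cdhash, &hash_type, &flags);

#if CONFIG_SECOND_STATIC_TRUST_CACHE
		if (!found && pmap_secondary_static_trust_cache != NULL) {
			found = lookup_in_trust_cache_module(pmap_secondary_static_trust_cache, cdhash, &hash_type, &flags);
		}
		engineering_trust_cache_index = (pmap_secondary_static_trust_cache != NULL) ? 2 : 1;
#endif

		// Engineering Trust Caches.
		if (!found && pmap_serialized_trust_caches->num_caches > engineering_trust_cache_index) {
#if DEVELOPMENT || DEBUG
			for (uint32_t i = engineering_trust_cache_index;
			    !found && i < pmap_serialized_trust_caches->num_caches; i++) {
				struct trust_cache_module1 const *module =
				    (struct trust_cache_module1 const *)(
					(uint8_t*)pmap_serialized_trust_caches + pmap_serialized_trust_caches->offsets[i]);

				found = lookup_in_trust_cache_module(module, cdhash, &hash_type, &flags);
			}
#else
			// RELEASE accepts exactly one external module; more means iBoot misbehaved.
			panic("Number of trust caches: %d. How could we let this happen?",
			    pmap_serialized_trust_caches->num_caches);
#endif
		}
	}

	if (!found) {
		return 0;
	}

	/* Widen to uint32_t before shifting so the result is assembled in unsigned
	 * arithmetic regardless of where the shift constants are placed. */
	return ((uint32_t)hash_type << TC_LOOKUP_HASH_TYPE_SHIFT) |
	       ((uint32_t)flags << TC_LOOKUP_FLAGS_SHIFT) |
	       ((uint32_t)TC_LOOKUP_FOUND << TC_LOOKUP_RESULT_SHIFT);
}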