/*
 * chunklist.h
 *
 * On-disk format of the "chunklist" that accompanies the root DMG, the
 * boot arguments that tune how it is trusted, and the entry points that
 * perform the verification (purpose inferred from the declarations in
 * this header; the verifier itself lives elsewhere).
 */
#ifndef _CHUNKLIST_H
#define _CHUNKLIST_H

/* Needed for SHA256_DIGEST_LENGTH, which sizes chunklist_chunk.chunk_sha256. */
#include <libkern/crypto/sha2.h>

/*
 * Boot argument for disabling trust in rev2 development key(s)
 * Set by boot.efi
 *
 * Flag-style argument (leading '-'): its presence is the signal.
 */
#define CHUNKLIST_NO_REV2_DEV "-chunklist-no-rev2-dev"

/*
 * Boot argument for disabling trust in rev1 chunklists
 * Set by boot.efi
 *
 * Flag-style argument (leading '-'): its presence is the signal.
 */
#define CHUNKLIST_NO_REV1 "-chunklist-no-rev1"

/*
 * Boot argument for obtaining current security epoch
 * Set by boot.efi
 *
 * Unlike the two above this is a named value (no leading '-'); it is
 * presumably read as an integer and compared with the security_epoch
 * byte carried in a rev2 certificate -- confirm in the verifier.
 */
#define CHUNKLIST_SECURITY_EPOCH "chunklist-security-epoch"
/* Lowest epoch value honoured; presumably the fallback when the boot argument is absent -- confirm. */
#define CHUNKLIST_MIN_SECURITY_EPOCH 0

/*
 * Chunklist file format
 *
 * From the header fields declared below the layout appears to be: a
 * chunklist_hdr, a table of cl_chunk_count chunklist_chunk records at
 * cl_chunk_offset, and a signature block at cl_sig_offset whose size is
 * selected by cl_sig_method (REV1 or REV2 length below) -- inferred from
 * the declarations; confirm against the parser.
 */
#define CHUNKLIST_MAGIC 0x4C4B4E43            /* bytes "CNKL" when stored little-endian */
#define CHUNKLIST_FILE_VERSION_10 1           /* only file version defined here */
#define CHUNKLIST_CHUNK_METHOD_10 1           /* chunk records are (size, SHA-256) */
#define CHUNKLIST_SIGNATURE_METHOD_REV1 1     /* bare RSA-2048 signature, CHUNKLIST_REV1_SIG_LEN bytes */
#define CHUNKLIST_SIGNATURE_METHOD_REV2 3     /* signature plus rev2 certificate; no method 2 is defined here */
#define CHUNKLIST_REV1_SIG_LEN 256            /* equals CHUNKLIST_SIGNATURE_LEN */
/*
 * 808 = 256 + 552, i.e. a 256-byte signature followed by (or preceded by)
 * sizeof(struct rev2_chunklist_certificate) when guid_t is 16 bytes.
 * That is arithmetic only -- confirm the actual ordering in the verifier.
 */
#define CHUNKLIST_REV2_SIG_LEN 808
#define CHUNKLIST_PUBKEY_LEN (2048/8)         /* RSA-2048 modulus, in bytes */
#define CHUNKLIST_SIGNATURE_LEN (2048/8)      /* RSA-2048 signature, in bytes */

/*
 * EFI GUID in its wire layout: 4 + 2 + 2 + 8 = 16 bytes, packed so it can
 * be overlaid directly on file data. The certificate struct below uses
 * guid_t rather than this tag; the two are presumably layout-compatible
 * (both 16 bytes) -- confirm.
 */
struct efi_guid_t {
    uint32_t data1;
    uint16_t data2;
    uint16_t data3;
    uint8_t data4[8];
} __attribute__((packed));

/*
 * GUID brace-initializers in struct efi_guid_t field order.
 *
 * NOTE(review): this macro's expansion ends with a ';' while
 * EFI_CERT_TYPE_RSA2048_SHA256 below does not, so
 * `guid_t g = CHUNKLIST_REV2_SIG_HASH_GUID;` yields an extra empty
 * statement (a pedantic warning at file scope) and a use without the
 * trailing ';' is silently relying on the macro. Left as-is here because
 * callers are not visible; make the two consistent in one change with
 * their users.
 */
// 45E7BC51-913C-42AC-96A2-10712FFBEBA7
#define CHUNKLIST_REV2_SIG_HASH_GUID \
    { \
        0x45E7BC51, 0x913C, 0x42AC, { 0x96, 0xA2, 0x10, 0x71, 0x2F, 0xFB, 0xEB, 0xA7 } \
    };

/* UEFI EFI_CERT_TYPE_RSA2048_SHA256_GUID: the certificate_guid expected in a rev2 certificate. */
// A7717414-C616-4977-9420-844712A735BF
#define EFI_CERT_TYPE_RSA2048_SHA256 \
    { \
        0xa7717414, 0xc616, 0x4977, { 0x94, 0x20, 0x84, 0x47, 0x12, 0xa7, 0x35, 0xbf } \
    }

/* UEFI WIN_CERTIFICATE.wCertificateType value for a WIN_CERTIFICATE_UEFI_GUID. */
#define WIN_CERT_TYPE_EFI_GUID 0x0EF1

/*
 * Fixed header at the start of a chunklist file (36 bytes, packed).
 *
 * Every field is read straight from the file, which is untrusted until
 * the signature has been verified: a parser must range-check
 * cl_header_size, cl_chunk_count and both offsets against the file size
 * (and against each other) before dereferencing through them -- nothing
 * in this layout bounds them.
 */
struct chunklist_hdr {
    uint32_t cl_magic;        /* CHUNKLIST_MAGIC */
    uint32_t cl_header_size;  /* header size in bytes; presumably sizeof(struct chunklist_hdr) -- confirm */
    uint8_t cl_file_ver;      /* CHUNKLIST_FILE_VERSION_* */
    uint8_t cl_chunk_method;  /* CHUNKLIST_CHUNK_METHOD_* */
    uint8_t cl_sig_method;    /* CHUNKLIST_SIGNATURE_METHOD_* */
    uint8_t __unused1;        /* padding byte; reserved-identifier name kept for source compatibility */
    uint64_t cl_chunk_count;  /* number of chunklist_chunk records */
    uint64_t cl_chunk_offset; /* offset of the chunk table, presumably from file start -- confirm */
    uint64_t cl_sig_offset;   /* offset of the signature block, same base -- confirm */
} __attribute__((packed));

/*
 * One record of the chunk table: the chunk's byte length and the SHA-256
 * of its contents. 36 bytes packed with the usual 32-byte
 * SHA256_DIGEST_LENGTH. Whether chunks are consecutive from the start of
 * the DMG is not encoded here -- confirm in the verifier.
 */
struct chunklist_chunk {
    uint32_t chunk_size;
    uint8_t chunk_sha256[SHA256_DIGEST_LENGTH];
} __attribute__((packed));

/*
 * Rev2 signature block: a WIN_CERTIFICATE-style header (length, revision,
 * certificate_type expected to be WIN_CERT_TYPE_EFI_GUID, certificate_guid
 * expected to be EFI_CERT_TYPE_RSA2048_SHA256), then the hash-type GUID
 * (cf. CHUNKLIST_REV2_SIG_HASH_GUID), the signer's RSA-2048 public key and
 * the signature. Field roles beyond the types are inferred from the
 * constants above -- confirm in the verifier. 552 bytes packed when guid_t
 * is 16 bytes.
 *
 * NOTE(review): rsa_public_key and security_epoch arrive inside the file
 * being verified, so neither is trustworthy on its own. The key is only
 * meaningful once matched against a pinned entry (struct chunklist_pubkey);
 * a signature check against the embedded key alone establishes nothing,
 * and the epoch should be compared against the boot-argument value only
 * after the signature has been verified.
 */
struct rev2_chunklist_certificate {
    uint32_t length;           /* total length of this block, presumably */
    uint8_t revision;
    uint8_t security_epoch;    /* compared with CHUNKLIST_SECURITY_EPOCH / CHUNKLIST_MIN_SECURITY_EPOCH -- confirm */
    uint16_t certificate_type; /* WIN_CERT_TYPE_EFI_GUID */
    guid_t certificate_guid;   /* EFI_CERT_TYPE_RSA2048_SHA256 */
    guid_t hash_type_guid;     /* CHUNKLIST_REV2_SIG_HASH_GUID */
    uint8_t rsa_public_key[CHUNKLIST_PUBKEY_LEN];
    uint8_t rsa_signature[CHUNKLIST_SIGNATURE_LEN];
} __attribute__((packed));

/*
 * Pinned trust anchor: one RSA-2048 public key plus whether it is a
 * production key. Not packed, so this is an in-kernel table entry rather
 * than a file-format structure. is_production presumably pairs with
 * CHUNKLIST_NO_REV2_DEV (development keys can be distrusted by boot
 * argument) -- confirm.
 */
struct chunklist_pubkey {
    const boolean_t is_production;
    const uint8_t key[CHUNKLIST_PUBKEY_LEN];
};

/*
 * Verify the root DMG at rootdmg_path against its chunklist.
 *
 * @param rootdmg_path  path of the DMG to authenticate.
 * @param out_enforced  on return, whether verification was enforced as
 *                      opposed to skipped -- meaning inferred from the
 *                      name; confirm.
 * @return int status; the success/error convention is not visible in
 *         this header.
 */
int authenticate_root_with_chunklist(const char *rootdmg_path, boolean_t *out_enforced);
/*
 * Further boot-time checks with no inputs: root version, the boot kext
 * collection UUID and the libkern UUID (subjects inferred from the names).
 * Same int status convention as above.
 */
int authenticate_root_version_check(void);
int authenticate_bootkc_uuid(void);
int authenticate_libkern_uuid(void);
#endif /* _CHUNKLIST_H */