Frans Hendriks has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/30831
Change subject: vendorcode/eltan Add hashing library used for measured and verified boot. ......................................................................
vendorcode/eltan Add hashing library used for measured and verified boot.
To avoid having the whole 3rdparty/vboot/firmware included a small hashing library has been created. Create library which is a 'wrapper' using only sha1, sha256 and sha512 of 3rdparty/vboot/firmware.
Functions cb_sha1(), cb_sha256() and cb_sha512() can be used for hashing.
BUG=N/A TEST=Created binary and verified logging on Facebook FBG-1701
Change-Id: If828bde54c79e836a5b05ff0447645d7e06e819a Signed-off-by: Frans Hendriks fhendriks@eltan.com --- A src/vendorcode/eltan/security/include/cb_sha1.h A src/vendorcode/eltan/security/include/cb_sha256.h A src/vendorcode/eltan/security/include/cb_sha512.h A src/vendorcode/eltan/security/include/cryptolib.h A src/vendorcode/eltan/security/lib/Makefile.inc A src/vendorcode/eltan/security/lib/cb_sha1.c A src/vendorcode/eltan/security/lib/cb_sha256.c A src/vendorcode/eltan/security/lib/cb_sha512.c 8 files changed, 297 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/31/30831/1
diff --git a/src/vendorcode/eltan/security/include/cb_sha1.h b/src/vendorcode/eltan/security/include/cb_sha1.h
new file mode 100644
index 0000000..3b72355
--- /dev/null
+++ b/src/vendorcode/eltan/security/include/cb_sha1.h
@@ -0,0 +1,21 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018. Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_SHA1_H__
+#define __SECURITY_SHA1_H__
+
+uint8_t *cb_sha1(const uint8_t *data, uint64_t len, uint8_t *digest);
+
+#endif
diff --git a/src/vendorcode/eltan/security/include/cb_sha256.h b/src/vendorcode/eltan/security/include/cb_sha256.h
new file mode 100644
index 0000000..3b45f73
--- /dev/null
+++ b/src/vendorcode/eltan/security/include/cb_sha256.h
@@ -0,0 +1,23 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018. Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_SHA256_H__
+#define __SECURITY_SHA256_H__
+
+uint8_t *cb_sha256(const uint8_t *data, uint64_t len, uint8_t *digest);
+uint8_t *cb_sha256_ex(const uint8_t *data, uint64_t len, uint8_t *digest,
+ bool endian);
+
+#endif
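Review bot: cb_sha1.h uses uint8_t and uint64_t without including <stdint.h> (cb_sha256.h and cb_sha512.h additionally use bool without <stdbool.h>), so these headers only compile when the includer has already pulled in vb2_api.h through cryptolib.h; adding `#include <stdint.h>` (plus `#include <stdbool.h>` in the other two) makes each header self-contained. The prototype also says nothing about how large the buffer passed as digest must be, nor that the function returns that same pointer; a line such as `/* digest must hold at least VB2_SHA1_DIGEST_SIZE bytes; returns digest. */` above the declaration would state the contract. The same two points apply to cb_sha256.h and cb_sha512.h with their VB2_SHA256_DIGEST_SIZE and VB2_SHA512_DIGEST_SIZE buffer sizes.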
diff --git a/src/vendorcode/eltan/security/include/cb_sha512.h b/src/vendorcode/eltan/security/include/cb_sha512.h
new file mode 100644
index 0000000..a383cf0
--- /dev/null
+++ b/src/vendorcode/eltan/security/include/cb_sha512.h
@@ -0,0 +1,23 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018. Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_SHA512_H__
+#define __SECURITY_SHA512_H__
+
+uint8_t *cb_sha512(const uint8_t *data, uint64_t len, uint8_t *digest);
+uint8_t *cb_sha512_ex(const uint8_t *data, uint64_t len, uint8_t *digest,
+ bool endian);
+
+#endif
diff --git a/src/vendorcode/eltan/security/include/cryptolib.h b/src/vendorcode/eltan/security/include/cryptolib.h
new file mode 100644
index 0000000..ac1668a
--- /dev/null
+++ b/src/vendorcode/eltan/security/include/cryptolib.h
@@ -0,0 +1,29 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018. Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#ifndef __SECURITY_CRYPTOLIB_H__
+#define __SECURITY_CRYPTOLIB_H__
+
+#define NEED_VB2_SHA_LIBRARY
+
+#include <2rsa.h>
+#include <vb21_common.h>
+#include <vb2_api.h>
+
+#include "cb_sha1.h"
+#include "cb_sha512.h"
+#include "cb_sha256.h"
+
+#endif
\ No newline at end of file
diff --git a/src/vendorcode/eltan/security/lib/Makefile.inc b/src/vendorcode/eltan/security/lib/Makefile.inc
new file mode 100644
index 0000000..9e2fc39
--- /dev/null
+++ b/src/vendorcode/eltan/security/lib/Makefile.inc
@@ -0,0 +1,52 @@
+#
+# This file is part of the coreboot project.
+#
+# Copyright (C) 2018 Eltan B.V.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; version 2 of the License.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+
+SECURITYLIB_INCLUDES = -I3rdparty/vboot/firmware/2lib/include -I3rdparty/vboot/firmware/lib21/include
+
+CPPFLAGS_common+=$(SECURITYLIB_INCLUDES)
+
+ifeq ($(CONFIG_VERIFIED_BOOT),y)
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/2lib/2common.c
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/2lib/2rsa.c
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/2lib/2sha_utility.c
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/lib21/packed_key.c
+ifeq ($(CONFIG_VERIFIED_BOOT_USE_SHA512),y)
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += cb_sha512.c
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/2lib/2sha512.c
+else
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += cb_sha256.c
+bootblock-$(CONFIG_C_ENVIRONMENT_BOOTBLOCK) += $(top)/3rdparty/vboot/firmware/2lib/2sha256.c
+endif
+endif
+
+ifeq ($(CONFIG_MBOOT),y)
+ramstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha1.c
+ramstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha512.c
+ramstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha256.c
+ramstage-y += cb_sha1.c
+ramstage-y += cb_sha512.c
+ramstage-y += cb_sha256.c
+
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2common.c
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2rsa.c
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha1.c
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha256.c
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha512.c
+romstage-y += $(top)/3rdparty/vboot/firmware/2lib/2sha_utility.c
+romstage-y += $(top)/3rdparty/vboot/firmware/lib21/packed_key.c
+romstage-y += cb_sha1.c
+romstage-y += cb_sha512.c
+romstage-y += cb_sha256.c
+endif
\ No newline at end of file
diff --git a/src/vendorcode/eltan/security/lib/cb_sha1.c b/src/vendorcode/eltan/security/lib/cb_sha1.c
new file mode 100644
index 0000000..fd96943
--- /dev/null
+++ b/src/vendorcode/eltan/security/lib/cb_sha1.c
@@ -0,0 +1,27 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <cryptolib.h>
+
+uint8_t *cb_sha1(const uint8_t *data, uint64_t len, uint8_t *digest)
+{
+ struct vb2_sha1_context ctx;
+
+ vb2_sha1_init(&ctx);
+ vb2_sha1_update(&ctx, data, len);
+ vb2_sha1_finalize(&ctx, digest);
+
+ return digest;
+}
diff --git a/src/vendorcode/eltan/security/lib/cb_sha256.c b/src/vendorcode/eltan/security/lib/cb_sha256.c
new file mode 100644
index 0000000..b02ebb2
--- /dev/null
+++ b/src/vendorcode/eltan/security/lib/cb_sha256.c
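Review bot: `CPPFLAGS_common+=$(SECURITYLIB_INCLUDES)` sits outside both config guards, so every stage of every board gets the vboot 2lib and lib21 include directories prepended to its header search path even when neither CONFIG_VERIFIED_BOOT nor CONFIG_MBOOT is set; moving the line inside the guards, or wrapping it in `ifneq (,$(filter y,$(CONFIG_VERIFIED_BOOT) $(CONFIG_MBOOT)))`, leaves unrelated boards untouched. The include paths are also spelled `-I3rdparty/...` while the source entries use `$(top)/3rdparty/...`; `-I$(top)/3rdparty/...` keeps both forms valid from the same working directory. Under CONFIG_VERIFIED_BOOT the bootblock compiles only one of cb_sha256.c/cb_sha512.c (and only the matching 2shaNNN.c) but always adds 2sha_utility.c; if that file references the SHA family that was left out, the link fails in whichever CONFIG_VERIFIED_BOOT_USE_SHA512 setting the FBG-1701 build did not exercise, which is worth confirming against the vboot sources.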
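Review bot: cb_sha1() passes the full 64-bit `len` to vb2_sha1_update() in a single call, whereas cb_sha256_ex() and cb_sha512_ex() in this same change split the input into chunks of at most UINT32_MAX bytes; if vb2_sha1_update() takes a 32-bit size like its siblings appear to, an input of 4 GiB or more is silently truncated and the returned digest covers the wrong byte range. Using the same chunking loop here keeps the three wrappers consistent (rewritten body below). Separately, cb_sha1() hands vb2_sha1_finalize()'s output straight to the caller while cb_sha256()/cb_sha512() return the byte-reversed digest by default; that asymmetry is undocumented and deserves a comment at the declaration, e.g. `/* Unlike cb_sha256()/cb_sha512(), the digest is returned in FIPS 180-4 byte order. */`.
```c
uint8_t *cb_sha1(const uint8_t *data, uint64_t len, uint8_t *digest)
{
	struct vb2_sha1_context ctx;
	const uint8_t *input_ptr = data;
	uint64_t remaining_len = len;

	vb2_sha1_init(&ctx);

	/* Process data in at most UINT32_MAX byte chunks at a time. */
	while (remaining_len) {
		uint32_t block_size = (uint32_t) ((remaining_len >= UINT32_MAX) ?
				UINT32_MAX : remaining_len);
		vb2_sha1_update(&ctx, input_ptr, block_size);
		remaining_len -= block_size;
		input_ptr += block_size;
	}

	vb2_sha1_finalize(&ctx, digest);
	return digest;
}
```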
@@ -0,0 +1,61 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <cryptolib.h>
+
+uint8_t *cb_sha256_ex(const uint8_t *data, uint64_t len, uint8_t *digest,
+ bool endian)
+{
+ int i;
+ const uint8_t *input_ptr;
+ uint8_t result[VB2_SHA256_DIGEST_SIZE];
+ uint8_t *result_ptr;
+ uint64_t remaining_len;
+ struct vb2_sha256_context ctx;
+
+ vb2_sha256_init(&ctx);
+
+ input_ptr = data;
+ remaining_len = len;
+
+ /* Process data in at most UINT32_MAX byte chunks at a time. */
+ while (remaining_len) {
+ uint32_t block_size;
+ block_size = (uint32_t) ((remaining_len >= UINT32_MAX) ?
+ UINT32_MAX : remaining_len);
+ vb2_sha256_update(&ctx, input_ptr, block_size);
+ remaining_len -= block_size;
+ input_ptr += block_size;
+ }
+
+ result_ptr = result;
+ vb2_sha256_finalize(&ctx, result_ptr);
+ for (i = 0; i < VB2_SHA256_DIGEST_SIZE; ++i) {
+ if (endian) {
+ /* use big endian here */
+ digest[i] = *result_ptr++;
+ } else {
+ /* use little endian here */
+ digest[VB2_SHA256_DIGEST_SIZE - i - 1] = *result_ptr++;
+ }
+ }
+ return digest;
+}
+
+uint8_t *cb_sha256(const uint8_t *data, uint64_t len, uint8_t *digest)
+{
+ /* Returned the little endian SHA256 digest */
+ return cb_sha256_ex(data, len, digest, 0);
+}
\ No newline at end of file
diff --git a/src/vendorcode/eltan/security/lib/cb_sha512.c b/src/vendorcode/eltan/security/lib/cb_sha512.c
new file mode 100644
index 0000000..9d713e7
--- /dev/null
+++ b/src/vendorcode/eltan/security/lib/cb_sha512.c
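Review bot: The `endian` parameter of cb_sha256_ex() is undocumented, and the loop comments `use big endian here` / `use little endian here` misdescribe what the code does: a SHA-256 digest is a 32-byte string with no word structure, and the false branch reverses all 32 bytes rather than swapping the byte order of 32-bit words. Because cb_sha256() passes 0, the plain entry point returns the reversed digest, which will not compare equal to a reference hash produced by vb2_sha256_finalize() itself or by standard tooling; a consumer that compares against a stored reference must know this, so the declaration in cb_sha256.h should carry a comment such as `/* Returns the 32-byte digest in reverse byte order; call cb_sha256_ex(..., true) for FIPS 180-4 byte order. */`. Naming the parameter `reverse` (or `big_endian`) and passing `false` rather than `0` would make the call site self-explanatory, and the comment `Returned the little endian SHA256 digest` should read `Return the byte-reversed SHA256 digest`. cb_sha512.c has the identical structure, so the same notes apply to cb_sha512_ex()/cb_sha512().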
@@ -0,0 +1,61 @@
+/*
+ * This file is part of the coreboot project.
+ *
+ * Copyright (C) 2018 Eltan B.V.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; version 2 of the License.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ */
+
+#include <cryptolib.h>
+
+uint8_t *cb_sha512_ex(const uint8_t *data, uint64_t len, uint8_t *digest,
+ bool endian)
+{
+ int i;
+ const uint8_t *input_ptr;
+ uint8_t result[VB2_SHA512_DIGEST_SIZE];
+ uint8_t *result_ptr;
+ uint64_t remaining_len;
+ struct vb2_sha512_context ctx;
+
+ vb2_sha512_init(&ctx);
+
+ input_ptr = data;
+ remaining_len = len;
+
+ /* Process data in at most UINT32_MAX byte chunks at a time. */
+ while (remaining_len) {
+ uint32_t block_size;
+ block_size = (uint32_t) ((remaining_len >= UINT32_MAX) ?
+ UINT32_MAX : remaining_len);
+ vb2_sha512_update(&ctx, input_ptr, block_size);
+ remaining_len -= block_size;
+ input_ptr += block_size;
+ }
+
+ result_ptr = result;
+ vb2_sha512_finalize(&ctx, result_ptr);
+ for (i = 0; i < VB2_SHA512_DIGEST_SIZE; ++i) {
+ if (endian) {
+ /* use big endian here */
+ digest[i] = *result_ptr++;
+ } else {
+ /* use little endian here */
+ digest[VB2_SHA512_DIGEST_SIZE - i - 1] = *result_ptr++;
+ }
+ }
+ return digest;
+}
+
+uint8_t *cb_sha512(const uint8_t *data, uint64_t len, uint8_t *digest)
+{
+ /* Returned the little endian SHA512 digest */
+ return cb_sha512_ex(data, len, digest, 0);
+}
\ No newline at end of file