1 /*
2  * SPDX-License-Identifier: Apache-2.0
3  *
4  * Copyright (c) 2016-2019 Linaro LTD
5  * Copyright (c) 2016-2019 JUUL Labs
6  * Copyright (c) 2019-2023 Arm Limited
7  *
8  * Original license:
9  *
10  * Licensed to the Apache Software Foundation (ASF) under one
11  * or more contributor license agreements.  See the NOTICE file
12  * distributed with this work for additional information
13  * regarding copyright ownership.  The ASF licenses this file
14  * to you under the Apache License, Version 2.0 (the
15  * "License"); you may not use this file except in compliance
16  * with the License.  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  * Unless required by applicable law or agreed to in writing,
21  * software distributed under the License is distributed on an
22  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
23  * KIND, either express or implied.  See the License for the
24  * specific language governing permissions and limitations
25  * under the License.
26  */
27 
28 #ifndef H_IMAGE_
29 #define H_IMAGE_
30 
31 #include <inttypes.h>
32 #include <stdbool.h>
33 #include "bootutil/fault_injection_hardening.h"
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
/*
 * Fallback definition of __packed for compilers that do not already provide
 * one (GCC/Clang attribute spelling).  The image_* structures below are parsed
 * straight out of the image, so they must not carry compiler-inserted padding;
 * the _Static_assert on struct image_header further down checks this.
 */
#ifndef __packed
#define __packed __attribute__((__packed__))
#endif
42 
43 struct flash_area;
44 
/*
 * Header magic values (ih_magic).  IMAGE_MAGIC is the current format and
 * IMAGE_MAGIC_V1 an older one; IMAGE_MAGIC_NONE is all ones, i.e. presumably
 * the erased-flash value meaning "no image present".
 */
#define IMAGE_MAGIC                 0x96f3b83d
#define IMAGE_MAGIC_V1              0x96f3b83c
#define IMAGE_MAGIC_NONE            0xffffffff
/* it_magic of the unprotected and of the protected TLV area respectively. */
#define IMAGE_TLV_INFO_MAGIC        0x6907
#define IMAGE_TLV_PROT_INFO_MAGIC   0x6908

/* sizeof(struct image_header); enforced by a _Static_assert below. */
#define IMAGE_HEADER_SIZE           32
/*
 * Size of SHA256 TLV hash.  Note: an IMAGE_TLV_SHA384 payload is 48 bytes and
 * is not described by this constant.
 */
#define IMAGE_HASH_LEN              32 /* Size of SHA256 TLV hash */
53 
54 /*
55  * Image header flags.
56  */
57 #define IMAGE_F_PIC                      0x00000001 /* Not supported. */
58 #define IMAGE_F_ENCRYPTED_AES128         0x00000004 /* Encrypted using AES128. */
59 #define IMAGE_F_ENCRYPTED_AES256         0x00000008 /* Encrypted using AES256. */
60 #define IMAGE_F_NON_BOOTABLE             0x00000010 /* Split image app. */
61 /*
62  * Indicates that this image should be loaded into RAM instead of run
63  * directly from flash.  The address to load should be in the
64  * ih_load_addr field of the header.
65  */
66 #define IMAGE_F_RAM_LOAD                 0x00000020
67 
68 /*
69  * Indicates that ih_load_addr stores information on flash/ROM address the
70  * image has been built for.
71  */
72 #define IMAGE_F_ROM_FIXED                0x00000100
73 
74 /*
75  * ECSDA224 is with NIST P-224
76  * ECSDA256 is with NIST P-256
77  */
78 
79 /*
80  * Image trailer TLV types.
81  *
82  * Signature is generated by computing signature over the image hash.
83  *
84  * Signature comes in the form of 2 TLVs.
85  *   1st on identifies the public key which should be used to verify it.
86  *   2nd one is the actual signature.
87  */
88 #define IMAGE_TLV_KEYHASH           0x01   /* hash of the public key */
89 #define IMAGE_TLV_PUBKEY            0x02   /* public key */
90 #define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */
91 #define IMAGE_TLV_SHA384            0x11   /* SHA384 of image hdr and body */
92 #define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */
93 #define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */
94 #define IMAGE_TLV_ECDSA_SIG         0x22   /* ECDSA of hash output */
95 #define IMAGE_TLV_RSA3072_PSS       0x23   /* RSA3072 of hash output */
96 #define IMAGE_TLV_ED25519           0x24   /* ed25519 of hash output */
97 #define IMAGE_TLV_ENC_RSA2048       0x30   /* Key encrypted with RSA-OAEP-2048 */
98 #define IMAGE_TLV_ENC_KW            0x31   /* Key encrypted with AES-KW 128 or 256*/
99 #define IMAGE_TLV_ENC_EC256         0x32   /* Key encrypted with ECIES-EC256 */
100 #define IMAGE_TLV_ENC_X25519        0x33   /* Key encrypted with ECIES-X25519 */
101 #define IMAGE_TLV_DEPENDENCY        0x40   /* Image depends on other image */
102 #define IMAGE_TLV_SEC_CNT           0x50   /* security counter */
103 #define IMAGE_TLV_BOOT_RECORD       0x60   /* measured boot record */
104 					   /*
105 					    * vendor reserved TLVs at xxA0-xxFF,
106 					    * where xx denotes the upper byte
107 					    * range.  Examples:
108 					    * 0x00a0 - 0x00ff
109 					    * 0x01a0 - 0x01ff
110 					    * 0x02a0 - 0x02ff
111 					    * ...
112 					    * 0xffa0 - 0xfffe
113 					    */
114 #define IMAGE_TLV_ANY               0xffff /* Used to iterate over all TLV */
115 
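/**
 * Image version as stored in the header (ih_ver).  Little endian on the
 * image, like the rest of the header.
 */
struct image_version {
    uint8_t iv_major;
    uint8_t iv_minor;
    uint16_t iv_revision;
    uint32_t iv_build_num;
} __packed;

/*
 * Image-format structure: its size (1 + 1 + 2 + 4 bytes) is fixed by the
 * format, not by the compiler.  Pin it the same way struct image_header is
 * pinned so a toolchain that ignores __packed fails the build instead of
 * silently mis-parsing images.
 */
_Static_assert(sizeof(struct image_version) == 8,
               "struct image_version not required size");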
122 
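/**
 * Dependency on another image; presumably the payload of an
 * IMAGE_TLV_DEPENDENCY TLV (confirm in the validation code).
 */
struct image_dependency {
    uint8_t image_id;                       /* Image index (from 0) */
    uint8_t _pad1;
    uint16_t _pad2;
    struct image_version image_min_version; /* Indicates at minimum which
                                             * version of firmware must be
                                             * available to satisfy compliance
                                             */
};

/*
 * Not declared __packed, but the member types leave no room for padding
 * (1 + 1 + 2 bytes, then the 8-byte packed image_version; 2-byte alignment),
 * so the layout is pinned here like the other image-format structures.
 */
_Static_assert(sizeof(struct image_dependency) == 12,
               "struct image_dependency not required size");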
132 
/**
 * Image header.  All fields are in little endian byte order.
 *
 * The header is read from the image itself, so the size fields in it
 * (ih_hdr_size, ih_protect_tlv_size, ih_img_size) are untrusted input until
 * the image has been validated.  NOTE(review): callers are expected to
 * bounds-check them against the flash area before using them as offsets --
 * confirm in the validation code; nothing in this header enforces it.
 */
struct image_header {
    uint32_t ih_magic;              /* IMAGE_MAGIC, IMAGE_MAGIC_V1 or IMAGE_MAGIC_NONE. */
    uint32_t ih_load_addr;          /* Meaning depends on IMAGE_F_RAM_LOAD / IMAGE_F_ROM_FIXED. */
    uint16_t ih_hdr_size;           /* Size of image header (bytes). */
    uint16_t ih_protect_tlv_size;   /* Size of protected TLV area (bytes). */
    uint32_t ih_img_size;           /* Does not include header. */
    uint32_t ih_flags;              /* IMAGE_F_[...]. */
    struct image_version ih_ver;
    uint32_t _pad1;                 /* Reserved; brings the header to IMAGE_HEADER_SIZE. */
} __packed;
144 
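/**
 * Image TLV header, found at the start of a TLV area.  All fields in little
 * endian.
 *
 * NOTE(review): it_tlv_tot comes from the image; a reader must reject values
 * smaller than sizeof(struct image_tlv_info) or extending past the flash
 * area before walking the TLVs -- confirm in the iterator implementation.
 */
struct image_tlv_info {
    uint16_t it_magic;    /* IMAGE_TLV_INFO_MAGIC or IMAGE_TLV_PROT_INFO_MAGIC. */
    uint16_t it_tlv_tot;  /* size of TLV area (including tlv_info header) */
} __packed;

/* Image-format structure: pin its size like struct image_header. */
_Static_assert(sizeof(struct image_tlv_info) == 4,
               "struct image_tlv_info not required size");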
150 
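/**
 * Image trailer TLV format. All fields in little endian.  The payload of
 * it_len bytes follows the header immediately.
 *
 * NOTE(review): it_len comes from the image; a reader must check it against
 * both the enclosing TLV area and any destination buffer before copying --
 * confirm in the iterator/validation code.
 */
struct image_tlv {
    uint16_t it_type;   /* IMAGE_TLV_[...]. */
    uint16_t it_len;    /* Data length (not including TLV header). */
} __packed;

/* Image-format structure: pin its size like struct image_header. */
_Static_assert(sizeof(struct image_tlv) == 4,
               "struct image_tlv not required size");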
156 
/* Mask of every header flag that marks the image as encrypted. */
#define ENCRYPTIONFLAGS (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256)
/*
 * Non-zero when the header carries any encryption flag.  Evaluates hdr once.
 * NOTE(review): both AES flags set at once is not rejected here -- presumably
 * the validation code treats that combination as invalid; confirm.
 */
#define IS_ENCRYPTED(hdr) ((((hdr)->ih_flags) & ENCRYPTIONFLAGS) != 0)
/*
 * An encrypted image has to be decrypted only when it is being read from the
 * secondary slot of image `idx`.
 */
#define MUST_DECRYPT(fap, idx, hdr) \
    ((flash_area_get_id(fap) == FLASH_AREA_IMAGE_SECONDARY(idx)) && IS_ENCRYPTED(hdr))
162 
/*
 * The header is parsed straight from the image, so it must be exactly
 * IMAGE_HEADER_SIZE bytes on every toolchain; fail the build otherwise.
 */
_Static_assert(sizeof(struct image_header) == IMAGE_HEADER_SIZE,
               "struct image_header not required size");
165 
struct enc_key_data;

/**
 * Validate the image described by @p hdr that lives in flash area @p fap.
 *
 * Returns a fault-injection-hardened result (fih_ret, see
 * fault_injection_hardening.h).  NOTE(review): compare the result with the
 * FIH comparison macros from that header rather than with a plain `== 0` --
 * confirm against that header's conventions.
 *
 * @param enc_state    Encryption key state for the image; presumably only
 *                     used when the image is encrypted -- confirm.
 * @param image_index  Index of the image being validated.
 * @param hdr          Image header, already read from @p fap.
 * @param fap          Flash area holding the image.
 * @param tmp_buf      Scratch buffer of @p tmp_buf_sz bytes used while the
 *                     image is read.
 * @param seed         Optional extra input of @p seed_len bytes; its role is
 *                     not visible from this header.
 * @param out_hash     Receives the computed image hash -- presumably
 *                     IMAGE_HASH_LEN bytes; confirm before sizing the buffer.
 */
fih_ret bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
                              struct image_header *hdr,
                              const struct flash_area *fap,
                              uint8_t *tmp_buf, uint32_t tmp_buf_sz,
                              uint8_t *seed, int seed_len, uint8_t *out_hash);
172 
/**
 * Cursor used by bootutil_tlv_iter_begin()/bootutil_tlv_iter_next() to walk
 * the TLV area of an image.  Initialise with bootutil_tlv_iter_begin() and
 * treat the fields as opaque.
 */
struct image_tlv_iter {
    const struct image_header *hdr; /* Header of the image being walked. */
    const struct flash_area *fap;   /* Flash area the image lives in. */
    uint16_t type;                  /* TLV type to visit, or IMAGE_TLV_ANY for all. */
    bool prot;                      /* Presumably: walk the protected TLV area -- confirm. */
    uint32_t prot_end;              /* Presumably: end offset of the protected area -- confirm. */
    uint32_t tlv_off;               /* Current offset of the walk. */
    uint32_t tlv_end;               /* Presumably: end offset of the TLV area being walked. */
};
182 
/**
 * Start walking the TLVs of the image in @p fap described by @p hdr.
 *
 * @param it    Iterator state to initialise.
 * @param hdr   Image header, already read from @p fap.
 * @param fap   Flash area holding the image.
 * @param type  TLV type to visit, or IMAGE_TLV_ANY for every TLV.
 * @param prot  Presumably selects the protected TLV area -- confirm in the
 *              implementation.
 * @return 0 on success, non-zero otherwise (exact codes not visible here).
 */
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                            const struct image_header *hdr,
                            const struct flash_area *fap, uint16_t type,
                            bool prot);
/**
 * Advance to the next TLV matching the iterator's type filter.
 *
 * @param off   Receives the offset of the TLV payload.
 * @param len   Receives the payload length (it_len).  NOTE(review): this
 *              value comes from the image -- check it against the
 *              destination buffer before copying the payload.
 * @param type  Receives the TLV type (useful when iterating with
 *              IMAGE_TLV_ANY).
 * @return 0 when a TLV was produced; the value signalling end of area or an
 *         error is not visible from this header -- check the implementation.
 */
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                           uint16_t *len, uint16_t *type);
/**
 * Report whether the TLV at @p off lies in the protected TLV area
 * (by name; confirm in the implementation).
 */
int bootutil_tlv_iter_is_prot(struct image_tlv_iter *it, uint32_t off);

/**
 * Read the image's security counter (IMAGE_TLV_SEC_CNT) into
 * @p security_cnt.
 *
 * NOTE(review): the counter is only trustworthy if the TLV is inside the
 * protected area covered by the signature -- confirm that the implementation
 * rejects an unprotected security counter.
 *
 * @return 0 on success, negative otherwise (presumably; codes not visible here).
 */
int32_t bootutil_get_img_security_cnt(struct image_header *hdr,
                                      const struct flash_area *fap,
                                      uint32_t *security_cnt);
194 
195 #ifdef __cplusplus
196 }
197 #endif
198 
199 #endif
200