1 /*
2  * SPDX-License-Identifier: Apache-2.0
3  *
4  * Copyright (c) 2016-2019 Linaro LTD
5  * Copyright (c) 2016-2019 JUUL Labs
6  * Copyright (c) 2019-2023 Arm Limited
7  *
8  * Original license:
9  *
10  * Licensed to the Apache Software Foundation (ASF) under one
11  * or more contributor license agreements.  See the NOTICE file
12  * distributed with this work for additional information
13  * regarding copyright ownership.  The ASF licenses this file
14  * to you under the Apache License, Version 2.0 (the
15  * "License"); you may not use this file except in compliance
16  * with the License.  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  * Unless required by applicable law or agreed to in writing,
21  * software distributed under the License is distributed on an
22  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
23  * KIND, either express or implied.  See the License for the
24  * specific language governing permissions and limitations
25  * under the License.
26  */
27 
28 #ifndef H_IMAGE_
29 #define H_IMAGE_
30 
31 #include <inttypes.h>
32 #include <stdbool.h>
33 #include "bootutil/fault_injection_hardening.h"
34 
35 #ifdef __cplusplus
36 extern "C" {
37 #endif
38 
struct flash_area;

/*
 * Values of image_header.ih_magic.  IMAGE_MAGIC is the current header
 * format, IMAGE_MAGIC_V1 the previous one.  IMAGE_MAGIC_NONE is all-ones,
 * presumably the erased-flash pattern, i.e. "no image present" -- confirm.
 */
#define IMAGE_MAGIC                 0x96f3b83d
#define IMAGE_MAGIC_V1              0x96f3b83c
#define IMAGE_MAGIC_NONE            0xffffffff
/* Value of image_tlv_info.it_magic for the (unprotected) TLV area. */
#define IMAGE_TLV_INFO_MAGIC        0x6907
/* Value of image_tlv_info.it_magic for the protected TLV area, whose size
 * is recorded in image_header.ih_protect_tlv_size. */
#define IMAGE_TLV_PROT_INFO_MAGIC   0x6908

/* sizeof(struct image_header) in bytes; enforced by the _Static_assert below. */
#define IMAGE_HEADER_SIZE           32
48 
/*
 * Image header flags: bit values of image_header.ih_flags.
 * The two IMAGE_F_ENCRYPTED_* bits are grouped by ENCRYPTIONFLAGS and
 * tested by IS_ENCRYPTED() further down in this header.
 */
#define IMAGE_F_PIC                      0x00000001 /* Not supported. */
#define IMAGE_F_ENCRYPTED_AES128         0x00000004 /* Encrypted using AES128. */
#define IMAGE_F_ENCRYPTED_AES256         0x00000008 /* Encrypted using AES256. */
#define IMAGE_F_NON_BOOTABLE             0x00000010 /* Split image app. */
/*
 * Indicates that this image should be loaded into RAM instead of run
 * directly from flash.  The address to load should be in the
 * ih_load_addr field of the header.
 */
#define IMAGE_F_RAM_LOAD                 0x00000020

/*
 * Indicates that ih_load_addr stores information on flash/ROM address the
 * image has been built for.
 */
#define IMAGE_F_ROM_FIXED                0x00000100
68 
/*
 * ECDSA224 is with NIST P-224
 * ECDSA256 is with NIST P-256
 */

/*
 * Image trailer TLV types (values of image_tlv.it_type).
 *
 * Signature is generated by computing signature over the image hash.
 * Currently the only image hash type is SHA256.
 *
 * Signature comes in the form of 2 TLVs.
 *   1st one identifies the public key which should be used to verify it.
 *   2nd one is the actual signature.
 *
 * NOTE(review): TLVs in the protected area (IMAGE_TLV_PROT_INFO_MAGIC,
 * ih_protect_tlv_size) are presumably covered by the image hash and hence
 * by the signature, while TLVs in the unprotected area are not -- confirm
 * against the validator before using any TLV below for a security decision.
 */
#define IMAGE_TLV_KEYHASH           0x01   /* hash of the public key */
#define IMAGE_TLV_PUBKEY            0x02   /* public key */
#define IMAGE_TLV_SHA256            0x10   /* SHA256 of image hdr and body */
#define IMAGE_TLV_RSA2048_PSS       0x20   /* RSA2048 of hash output */
#define IMAGE_TLV_ECDSA224          0x21   /* ECDSA of hash output - Not supported anymore */
#define IMAGE_TLV_ECDSA_SIG         0x22   /* ECDSA of hash output */
#define IMAGE_TLV_RSA3072_PSS       0x23   /* RSA3072 of hash output */
#define IMAGE_TLV_ED25519           0x24   /* ed25519 of hash output */
#define IMAGE_TLV_ENC_RSA2048       0x30   /* Key encrypted with RSA-OAEP-2048 */
#define IMAGE_TLV_ENC_KW            0x31   /* Key encrypted with AES-KW 128 or 256*/
#define IMAGE_TLV_ENC_EC256         0x32   /* Key encrypted with ECIES-EC256 */
#define IMAGE_TLV_ENC_X25519        0x33   /* Key encrypted with ECIES-X25519 */
#define IMAGE_TLV_DEPENDENCY        0x40   /* Image depends on other image */
#define IMAGE_TLV_SEC_CNT           0x50   /* security counter */
#define IMAGE_TLV_BOOT_RECORD       0x60   /* measured boot record */
					   /*
					    * vendor reserved TLVs at xxA0-xxFF,
					    * where xx denotes the upper byte
					    * range.  Examples:
					    * 0x00a0 - 0x00ff
					    * 0x01a0 - 0x01ff
					    * 0x02a0 - 0x02ff
					    * ...
					    * 0xffa0 - 0xfffe
					    */
/* Wildcard for bootutil_tlv_iter_begin(): matches every TLV type.  It lies
 * just outside the vendor range above, which ends at 0xfffe. */
#define IMAGE_TLV_ANY               0xffff /* Used to iterate over all TLV */
110 
/**
 * Version of an image.  Used as image_header.ih_ver and as
 * image_dependency.image_min_version.  Little endian, like the
 * structures that embed it.
 */
struct image_version {
    uint8_t iv_major;       /* Major version number. */
    uint8_t iv_minor;       /* Minor version number. */
    uint16_t iv_revision;   /* Revision number. */
    uint32_t iv_build_num;  /* Build number. */
};
117 
/**
 * Dependency of one image on another.
 * NOTE(review): presumably the payload layout of an IMAGE_TLV_DEPENDENCY
 * TLV -- confirm.  Being TLV data, it is read from flash and should be
 * validated (image_id range, it_len == sizeof this struct) before use.
 */
struct image_dependency {
    uint8_t image_id;                       /* Image index (from 0) */
    uint8_t _pad1;                          /* Explicit padding; keeps the
                                             * layout independent of the
                                             * compiler. */
    uint16_t _pad2;
    struct image_version image_min_version; /* Indicates at minimum which
                                             * version of firmware must be
                                             * available to satisfy compliance
                                             */
};
127 
/**
 * Image header.  All fields are in little endian byte order.
 *
 * sizeof(struct image_header) == IMAGE_HEADER_SIZE is enforced by the
 * _Static_assert below.
 *
 * NOTE(review): every field is read from the image in flash and is
 * untrusted until the image has been validated.  Code that derives
 * offsets from ih_hdr_size, ih_img_size and ih_protect_tlv_size should
 * guard the additions against 32-bit overflow and check the result
 * against the size of the flash area before dereferencing.
 */
struct image_header {
    uint32_t ih_magic;              /* IMAGE_MAGIC, IMAGE_MAGIC_V1 or IMAGE_MAGIC_NONE. */
    uint32_t ih_load_addr;          /* Meaning depends on IMAGE_F_RAM_LOAD /
                                     * IMAGE_F_ROM_FIXED in ih_flags. */
    uint16_t ih_hdr_size;           /* Size of image header (bytes). */
    uint16_t ih_protect_tlv_size;   /* Size of protected TLV area (bytes). */
    uint32_t ih_img_size;           /* Does not include header. */
    uint32_t ih_flags;              /* IMAGE_F_[...]. */
    struct image_version ih_ver;    /* Version of this image. */
    uint32_t _pad1;                 /* Reserved; pads the header to 32 bytes. */
};
139 
/**
 * Image TLV header.  All fields in little endian.
 * One of these starts a TLV area; it_magic tells the two kinds apart
 * (IMAGE_TLV_INFO_MAGIC vs IMAGE_TLV_PROT_INFO_MAGIC).
 */
struct image_tlv_info {
    uint16_t it_magic;    /* IMAGE_TLV_INFO_MAGIC or IMAGE_TLV_PROT_INFO_MAGIC. */
    uint16_t it_tlv_tot;  /* size of TLV area (including tlv_info header);
                           * 16-bit, so an area is at most 65535 bytes. */
};
145 
/**
 * Image trailer TLV format. All fields in little endian.
 * Each TLV is this 4-byte header followed by it_len bytes of data.
 */
struct image_tlv {
    uint16_t it_type;   /* IMAGE_TLV_[...]. */
    uint16_t it_len;    /* Data length (not including TLV header). */
};
151 
/* Mask of the ih_flags bits that select an encryption scheme. */
#define ENCRYPTIONFLAGS (IMAGE_F_ENCRYPTED_AES128 | IMAGE_F_ENCRYPTED_AES256)
/* Non-zero when either encryption flag is set in the header `hdr` points to. */
#define IS_ENCRYPTED(hdr) (((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES128) \
                        || ((hdr)->ih_flags & IMAGE_F_ENCRYPTED_AES256))
/*
 * Non-zero when the image in `fap` is encrypted and `fap` is the secondary
 * slot of image `idx`.  flash_area_get_id() and FLASH_AREA_IMAGE_SECONDARY()
 * are not declared in this header; the using translation unit must provide
 * them.
 */
#define MUST_DECRYPT(fap, idx, hdr) \
    (flash_area_get_id(fap) == FLASH_AREA_IMAGE_SECONDARY(idx) && IS_ENCRYPTED(hdr))

/* The header layout is part of the image format, so its size must not drift. */
_Static_assert(sizeof(struct image_header) == IMAGE_HEADER_SIZE,
               "struct image_header not required size");
160 
struct enc_key_data;
/**
 * Validate the image described by @p hdr that resides in @p fap.
 *
 * @param enc_state   Encryption key state (opaque here; defined elsewhere).
 * @param image_index Index of the image being validated.
 * @param hdr         Header already read from the image.
 * @param fap         Flash area holding the image.
 * @param tmp_buf     Caller-supplied scratch buffer.
 * @param tmp_buf_sz  Size of @p tmp_buf in bytes.
 * @param seed        Extra data of @p seed_len bytes; presumably mixed into
 *                    the image hash -- confirm in the implementation.
 * @param seed_len    Length of @p seed in bytes.
 * @param out_hash    Receives the computed image hash (SHA256 is the only
 *                    hash type, so presumably 32 bytes -- confirm).
 *
 * @return fih_ret (see bootutil/fault_injection_hardening.h).  Compare the
 *         result with the FIH helpers rather than with plain `==`, so the
 *         hardening is not bypassed at the call site.
 */
fih_ret bootutil_img_validate(struct enc_key_data *enc_state, int image_index,
                              struct image_header *hdr,
                              const struct flash_area *fap,
                              uint8_t *tmp_buf, uint32_t tmp_buf_sz,
                              uint8_t *seed, int seed_len, uint8_t *out_hash);
167 
/**
 * Iterator state for walking the TLVs of an image.
 * Initialised by bootutil_tlv_iter_begin(); advanced by
 * bootutil_tlv_iter_next().  Treat the fields as private to those functions.
 */
struct image_tlv_iter {
    const struct image_header *hdr;  /* Header of the image being walked. */
    const struct flash_area *fap;    /* Flash area holding the image. */
    uint16_t type;                   /* TLV type filter; IMAGE_TLV_ANY matches all. */
    bool prot;                       /* Presumably: walk the protected area -- confirm. */
    uint32_t prot_end;               /* Offsets into fap; maintained by the iterator. */
    uint32_t tlv_off;
    uint32_t tlv_end;
};
177 
/**
 * Start iterating over the TLVs of the image in @p fap.
 *
 * @param it    Iterator to initialise.
 * @param hdr   Header of the image.
 * @param fap   Flash area holding the image.
 * @param type  TLV type to look for, or IMAGE_TLV_ANY for every TLV.
 * @param prot  Presumably selects the protected TLV area -- confirm.
 *
 * @return 0 on success, non-zero on error (presumed convention -- confirm).
 */
int bootutil_tlv_iter_begin(struct image_tlv_iter *it,
                            const struct image_header *hdr,
                            const struct flash_area *fap, uint16_t type,
                            bool prot);
/**
 * Advance to the next matching TLV.
 *
 * @param it    Iterator from bootutil_tlv_iter_begin().
 * @param off   Receives the offset of the TLV data within @p fap.
 * @param len   Receives the TLV data length (image_tlv.it_len).
 * @param type  Receives the TLV type; useful when iterating with IMAGE_TLV_ANY.
 *
 * @return 0 when a TLV was found; other values signal end of area or error
 *         (presumed convention -- confirm).
 */
int bootutil_tlv_iter_next(struct image_tlv_iter *it, uint32_t *off,
                           uint16_t *len, uint16_t *type);
184 
/**
 * Read the security counter (IMAGE_TLV_SEC_CNT) of the image in @p fap.
 *
 * @param hdr           Header of the image.
 * @param fap           Flash area holding the image.
 * @param security_cnt  Receives the counter value.
 *
 * @return 0 on success, negative on error (presumed convention -- confirm).
 *         Callers must not trust the counter of an image whose signature
 *         has not been validated.
 */
int32_t bootutil_get_img_security_cnt(struct image_header *hdr,
                                      const struct flash_area *fap,
                                      uint32_t *security_cnt);
188 
189 #ifdef __cplusplus
190 }
191 #endif
192 
193 #endif
194