/* Copyright 2015 The Chromium OS Authors. All rights reserved. * Use of this source code is governed by a BSD-style license that can be * found in the LICENSE file. */ #include "dcrypto.h" #include "debug_printf.h" #include "registers.h" #include "setup.h" #include "trng.h" #define LOADERKEYEXP 3 #define RSA_NUM_WORDS 96 #define RSA_NUM_BYTES (RSA_NUM_WORDS * 4) static const uint32_t LOADERKEY_A[RSA_NUM_WORDS + 1] = { 0xea54076f, 0xe986c871, 0x8cffffb4, 0xd7c50bda, 0x30700ee0, 0xc023a878, 0x30e7fdf8, 0x5bb0c06f, 0x1d25d80f, 0x18e181f7, 0xfbf7a8b0, 0x331c16d4, 0xeb042379, 0x4cef13ec, 0x5b2072e7, 0xc807b01d, 0x443fb117, 0xd2e04e5b, 0xcb984393, 0x85d90d9d, 0x0332dcb8, 0xd42ccacf, 0x787e3947, 0x1975095c, 0x2d523b0b, 0xf815be95, 0x00db9a2c, 0x6c08442b, 0x57a022bb, 0x9d5c84ed, 0x46a6d275, 0x4392dcf8, 0xfa6812e3, 0xe0f3a3e6, 0xc8ff3f61, 0xd518dbac, 0xbba7376a, 0x767a219a, 0x9d153119, 0x980b16f8, 0x79eb5078, 0xb869924d, 0x2e392cc2, 0x76c04f32, 0xe35ea788, 0xcb67fa62, 0x30efec79, 0x36f04ae0, 0x2212a5fc, 0x51c41de8, 0x2b0b84db, 0x6803ca1c, 0x39a248fd, 0xa0c31ee2, 0xb1ca22b6, 0x16e54056, 0x086f6591, 0x3825208d, 0x079c157b, 0xe51c15a6, 0x0dd1c66f, 0x8267b8ae, 0xf06b4f85, 0xc68b27ab, 0x31bcd5fc, 0x34d563b7, 0xc4d2212e, 0x1e770199, 0xaf797061, 0x824d4853, 0x526e18cd, 0x4bb8a0dc, 0xeb9377fe, 0x04fda73c, 0x2933f8a6, 0xe16c0432, 0x40ea1bd5, 0x9efcd77e, 0x92be9e55, 0x003c1128, 0x48442cf9, 0x80b4fb31, 0xfe1e3df3, 0x1d28e14d, 0xe99c0f9d, 0x521d38c2, 0x0082c4f1, 0xcff25d56, 0x0d3e7186, 0xe72b98f0, 0xefaa5689, 0x74051ed5, 0x6b7e7fff, 0x822b1944, 0x77a94732, 0x8d0b9aaf, 0x7a8ee958 }; const uint32_t LOADERKEY_B[RSA_NUM_WORDS + 1] = { 0xeea8b39f, 0xdfa457a1, 0x8b81fdc3, 0xb0204c84, 0x297b9db2, 0xaa70318d, 0x8cd41a68, 0x4aa0f9bb, 0xf63f9d69, 0xf0fe64b0, 0x96e42e2d, 0x5e494b1d, 0x066cefd0, 0xde949c16, 0xc92499ed, 0x92229990, 0x48ac3b1a, 0x1dfc2388, 0xda71d258, 0x826ddedf, 0xd0220e70, 0x6140dedf, 0x92bcdec7, 0xcdf91c22, 0xaa110aed, 0xc371c2f9, 0xa3fedf2a, 0xfd2c6a07, 0xe71aabce, 0x7f426484, 0x0ac51128, 0x4bab4ca2, 0x0162d0b9, 0x49fef7e3, 0xeda8664e, 0x14b92b7a, 0x0397dbb7, 0x5b9eb94a, 0x069b5059, 0x3851f46b, 0x45bbcaba, 0x0b812652, 0x7cd8b10b, 0xcaeccc32, 0x0ffd08e3, 0xfe6f0306, 0x8c02d5f7, 0xafdc4595, 0xe0edda47, 0x0cc821db, 0x50beeae5, 0xb9868c18, 0xefd2de11, 0xdfecd15c, 0xa8937a70, 0x223d9d95, 0x1b70848b, 0x54fa9176, 0x8bf012ef, 0xd37c1446, 0xf9a7ebeb, 0xbf2dfa9a, 0xdc6b8ea0, 0xe5f8bc4d, 0x539222b5, 0x192521e4, 0xe7088628, 0x2646bb56, 0x6fcc5d70, 0x3f1cd8e9, 0xae9cec24, 0xf53b6559, 0x6f091891, 0x5342fa61, 0xbfee50e9, 0x211ad58a, 0xd1c5aa17, 0x252dfa56, 0x17131164, 0x4630a459, 0x2f681f51, 0x3fb9ab3c, 0x6c8e0a70, 0xa34a868b, 0xe960e702, 0xa470d241, 0x00647369, 0xa4c25391, 0xd1926cf9, 0x5fce5488, 0xd171cb2e, 0x8a7c982e, 0xc89cbe39, 0xc0e019d8, 0x82cd1ebe, 0x68918fce, 0x5ec138fd }; #define RANDOM_STEP 5 inline uint32_t bswap(uint32_t a) { uint32_t result; __asm__ volatile("rev %0, %1;" : "=r"(result) : "r"(a)); return result; } /* Montgomery c[] += a * b[] / R % key. */ static void montMulAdd(const uint32_t *key, uint32_t *c, const uint32_t a, const uint32_t *b) { register uint64_t tmp; uint32_t i, A, B, d0; { tmp = c[0] + (uint64_t)a * b[0]; A = tmp >> 32; d0 = (uint32_t)tmp * *key++; tmp = (uint32_t)tmp + (uint64_t)d0 * *key++; B = tmp >> 32; } for (i = 0; i < RSA_NUM_WORDS - 1; ++i) { tmp = A + (uint64_t)a * b[i + 1] + c[i + 1]; A = tmp >> 32; tmp = B + (uint64_t)d0 * *key++ + (uint32_t)tmp; c[i] = (uint32_t)tmp; B = tmp >> 32; } c[RSA_NUM_WORDS - 1] = A + B; } /* Montgomery c[] = a[] * b[] / R % key. */ static void montMul(const uint32_t *key, uint32_t *c, const uint32_t *a, const uint32_t *b) { int i; for (i = 0; i < RSA_NUM_WORDS; ++i) c[i] = 0; for (i = 0; i < RSA_NUM_WORDS; ++i) montMulAdd(key, c, a[i], b); } /* Montgomery c[] = a[] * 1 / R % key. */ static void montMul1(const uint32_t *key, uint32_t *c, const uint32_t *a) { int i; for (i = 0; i < RSA_NUM_WORDS; ++i) c[i] = 0; montMulAdd(key, c, 1, a); for (i = 1; i < RSA_NUM_WORDS; ++i) montMulAdd(key, c, 0, a); } #if LOADERKEYEXP == 3 /* In-place exponentiation to power 3 % key. */ static void modpow(const uint32_t *key, const uint32_t *signature, uint32_t *out) { static uint32_t aaR[RSA_NUM_WORDS]; static uint32_t aaaR[RSA_NUM_WORDS]; montMul(key, aaR, signature, signature); montMul(key, aaaR, aaR, signature); montMul1(key, out, aaaR); } #endif void LOADERKEY_verify(uint32_t keyid, const uint32_t *signature, const uint32_t *sha256) { static uint32_t buf[RSA_NUM_WORDS] __attribute__((section(".guarded_data"))); static uint32_t hash[SHA256_DIGEST_WORDS] __attribute__((section(".guarded_data"))); uint32_t step, offset; const uint32_t *key; int i; if (keyid == LOADERKEY_B[0]) key = LOADERKEY_B; else key = LOADERKEY_A; modpow(key, signature, buf); VERBOSE("sig %.384h\n", buf); /* * XOR in offsets across buf. Mostly to get rid of all those -1 words * in there. */ offset = rand() % RSA_NUM_WORDS; step = (RANDOM_STEP % RSA_NUM_WORDS) || 1; for (i = 0; i < RSA_NUM_WORDS; ++i) { buf[offset] ^= (0x1000u + offset); offset = (offset + step) % RSA_NUM_WORDS; } /* * Xor digest location, so all words becomes 0 only iff equal. * * Also XOR in offset and non-zero const. This to avoid repeat * glitches to zero be able to produce the right result. */ offset = rand() % SHA256_DIGEST_WORDS; step = (RANDOM_STEP % SHA256_DIGEST_WORDS) || 1; for (i = 0; i < SHA256_DIGEST_WORDS; ++i) { buf[offset] ^= bswap(sha256[SHA256_DIGEST_WORDS - 1 - offset]) ^ (offset + 0x10u); offset = (offset + step) % SHA256_DIGEST_WORDS; } VERBOSE("\nsig^ %.384h\n\n", buf); /* Hash resulting buffer. */ DCRYPTO_SHA256_hash((uint8_t *) buf, RSA_NUM_BYTES, (uint8_t *) hash); VERBOSE("hash %.32h\n", hash); /* * Write computed hash to unlock register to unlock execution, iff * right. Idea is that this flow cannot be glitched to have correct * values with any probability. */ for (i = 0; i < SHA256_DIGEST_WORDS; ++i) GREG32_ADDR(GLOBALSEC, SB_BL_SIG0)[i] = hash[i]; /* * Make an unlock attempt. Value written is irrelevant, as long as * something is written. */ GREG32(GLOBALSEC, SIG_UNLOCK) = 1; }