xref: /freebsd/lib/libsecureboot/vectx.c (revision f4fbc49d201f81c481a33fac6ba28e19faf96260)
1 /*-
2  * Copyright (c) 2018, Juniper Networks, Inc.
3  *
4  * Redistribution and use in source and binary forms, with or without
5  * modification, are permitted provided that the following conditions
6  * are met:
7  * 1. Redistributions of source code must retain the above copyright
8  *    notice, this list of conditions and the following disclaimer.
9  * 2. Redistributions in binary form must reproduce the above copyright
10  *    notice, this list of conditions and the following disclaimer in the
11  *    documentation and/or other materials provided with the distribution.
12  *
13  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
14  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
15  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
16  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
17  * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
18  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
19  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
20  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
21  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
22  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
23  * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
24  */
25 #include <sys/cdefs.h>
26 #ifndef _STANDALONE
27 /* Avoid unwanted userlandish components */
28 #define _KERNEL
29 #include <sys/errno.h>
30 #undef _KERNEL
31 #endif
32 
33 #ifdef VECTX_DEBUG
34 static int vectx_debug = VECTX_DEBUG;
35 # define DEBUG_PRINTF(n, x) if (vectx_debug >= n) printf x
36 #endif
37 
38 #include "libsecureboot-priv.h"
39 #include <verify_file.h>
40 
41 /**
42  * @file vectx.c
43  * @brief api to verify file while reading
44  *
45  * This API allows the hash of a file to be computed as it is read.
46  * Key to this is seeking by reading.
47  *
48  * On close an indication of the verification result is returned.
49  */
50 
51 struct vectx {
52 	br_hash_compat_context vec_ctx;	/* hash ctx */
53 	const br_hash_class *vec_md;	/* hash method */
54 	const char	*vec_path;	/* path we are verifying */
55 	const char	*vec_want;	/* hash value we want */
56 	off_t		vec_off;	/* current offset */
57 	off_t		vec_hashed;	/* where we have hashed to */
58 	off_t		vec_size;	/* size of path */
59 	size_t		vec_hashsz;	/* size of hash */
60 	int		vec_fd;		/* file descriptor */
61 	int		vec_status;	/* verification status */
62 	int		vec_closing;	/* we are closing */
63 };
64 
65 
66 /**
67  * @brief
68  * verify an open file as we read it
69  *
70  * If the file has no fingerprint to match, we will still return a
71  * verification context containing little more than the file
72  * descriptor, and an error code in @c error.
73  *
74  * @param[in] fd
75  *	open descriptor
76  *
77  * @param[in] path
78  *	pathname to open
79  *
80  * @param[in] off
81  *	current offset
82  *
83  * @param[in] stp
84  *	pointer to struct stat
85  *
86  * @param[out] error
87  *	@li 0 all is good
88  *	@li ENOMEM out of memory
89  *	@li VE_FINGERPRINT_NONE	no entry found
90  *	@li VE_FINGERPRINT_UNKNOWN no fingerprint in entry
91  *
92  * @return ctx or NULL on error.
93  *	NULL is only returned for non-files or out-of-memory.
94  */
95 struct vectx *
96 vectx_open(int fd, const char *path, off_t off, struct stat *stp,
97     int *error, const char *caller)
98 {
99 	struct vectx *ctx;
100 	struct stat st;
101 	size_t hashsz;
102 	char *cp;
103 	int rc;
104 
105 	if (!stp)
106 	    stp = &st;
107 
108 	rc = verify_prep(fd, path, off, stp, __func__);
109 
110 	DEBUG_PRINTF(2,
111 	    ("vectx_open: caller=%s,fd=%d,name='%s',prep_rc=%d\n",
112 		caller, fd, path, rc));
113 
114 	switch (rc) {
115 	case VE_FINGERPRINT_NONE:
116 	case VE_FINGERPRINT_UNKNOWN:
117 	case VE_FINGERPRINT_WRONG:
118 		*error = rc;
119 		return (NULL);
120 	}
121 	ctx = malloc(sizeof(struct vectx));
122 	if (!ctx)
123 		goto enomem;
124 	ctx->vec_fd = fd;
125 	ctx->vec_path = path;
126 	ctx->vec_size = stp->st_size;
127 	ctx->vec_off = 0;
128 	ctx->vec_hashed = 0;
129 	ctx->vec_want = NULL;
130 	ctx->vec_status = 0;
131 	ctx->vec_hashsz = hashsz = 0;
132 	ctx->vec_closing = 0;
133 
134 	if (rc == 0) {
135 		/* we are not verifying this */
136 		*error = 0;
137 		return (ctx);
138 	}
139 	cp = fingerprint_info_lookup(fd, path);
140 	if (!cp) {
141 		ctx->vec_status = VE_FINGERPRINT_NONE;
142 		ve_error_set("%s: no entry", path);
143 	} else {
144 		if (strncmp(cp, "no_hash", 7) == 0) {
145 			ctx->vec_status = VE_FINGERPRINT_IGNORE;
146 			hashsz = 0;
147 		} else if (strncmp(cp, "sha256=", 7) == 0) {
148 			ctx->vec_md = &br_sha256_vtable;
149 			hashsz = br_sha256_SIZE;
150 			cp += 7;
151 #ifdef VE_SHA1_SUPPORT
152 		} else if (strncmp(cp, "sha1=", 5) == 0) {
153 			ctx->vec_md = &br_sha1_vtable;
154 			hashsz = br_sha1_SIZE;
155 			cp += 5;
156 #endif
157 #ifdef VE_SHA384_SUPPORT
158 		} else if (strncmp(cp, "sha384=", 7) == 0) {
159 		    ctx->vec_md = &br_sha384_vtable;
160 		    hashsz = br_sha384_SIZE;
161 		    cp += 7;
162 #endif
163 #ifdef VE_SHA512_SUPPORT
164 		} else if (strncmp(cp, "sha512=", 7) == 0) {
165 		    ctx->vec_md = &br_sha512_vtable;
166 		    hashsz = br_sha512_SIZE;
167 		    cp += 7;
168 #endif
169 		} else {
170 			ctx->vec_status = VE_FINGERPRINT_UNKNOWN;
171 			ve_error_set("%s: no supported fingerprint", path);
172 		}
173 	}
174 	*error = ctx->vec_status;
175 	ctx->vec_hashsz = hashsz;
176 	ctx->vec_want = cp;
177 	if (hashsz > 0) {
178 		ctx->vec_md->init(&ctx->vec_ctx.vtable);
179 
180 		if (off > 0) {
181 			lseek(fd, 0, SEEK_SET);
182 			vectx_lseek(ctx, off, SEEK_SET);
183 		}
184 	}
185 	DEBUG_PRINTF(2,
186 	    ("vectx_open: caller=%s,name='%s',hashsz=%lu,status=%d\n",
187 		caller, path, (unsigned long)ctx->vec_hashsz,
188 		ctx->vec_status));
189 	return (ctx);
190 
191 enomem:					/* unlikely */
192 	*error = ENOMEM;
193 	free(ctx);
194 	return (NULL);
195 }
196 
197 /**
198  * @brief
199  * read bytes from file and update hash
200  *
201  * It is critical that all file I/O comes through here.
202  * We keep track of current offset.
203  * We also track what offset we have hashed to,
204  * so we won't replay data if we seek backwards.
205  *
206  * @param[in] pctx
207  *	pointer to ctx
208  *
209  * @param[in] buf
210  *
211  * @param[in] nbytes
212  *
213  * @return bytes read or error.
214  */
215 ssize_t
216 vectx_read(struct vectx *ctx, void *buf, size_t nbytes)
217 {
218 	unsigned char *bp = buf;
219 	int d;
220 	int n;
221 	int delta;
222 	int x;
223 	size_t off;
224 
225 	if (ctx->vec_hashsz == 0)	/* nothing to do */
226 		return (read(ctx->vec_fd, buf, nbytes));
227 
228 	off = 0;
229 	do {
230 		/*
231 		 * Do this in reasonable chunks so
232 		 * we don't timeout if doing tftp
233 		 */
234 		x = nbytes - off;
235 		x = MIN(PAGE_SIZE, x);
236 		d = n = read(ctx->vec_fd, &bp[off], x);
237 		if (ctx->vec_closing && n < x) {
238 			DEBUG_PRINTF(3,
239 			    ("%s: read %d off=%ld hashed=%ld size=%ld\n",
240 			     __func__, n, (long)ctx->vec_off,
241 			     (long)ctx->vec_hashed, (long)ctx->vec_size));
242 		}
243 		if (n < 0) {
244 			return (n);
245 		}
246 		if (d > 0) {
247 			/* we may have seeked backwards! */
248 			delta = ctx->vec_hashed - ctx->vec_off;
249 			if (delta > 0) {
250 				x = MIN(delta, d);
251 				off += x;
252 				d -= x;
253 				ctx->vec_off += x;
254 			}
255 			if (d > 0) {
256 				if (ctx->vec_closing && d < PAGE_SIZE) {
257 					DEBUG_PRINTF(3,
258 					    ("%s: update %ld + %d\n",
259 						__func__,
260 						(long)ctx->vec_hashed, d));
261 				}
262 				ctx->vec_md->update(&ctx->vec_ctx.vtable, &bp[off], d);
263 				off += d;
264 				ctx->vec_off += d;
265 				ctx->vec_hashed += d;
266 			}
267 		}
268 	} while (n > 0 && off < nbytes);
269 	return (off);
270 }
271 
272 /**
273  * @brief
274  * vectx equivalent of lseek
275  *
276  * When seeking forwards we actually call vectx_read
277  * to reach the desired offset.
278  *
279  * We support seeking backwards.
280  *
281  * @param[in] pctx
282  *	pointer to ctx
283  *
284  * @param[in] off
285  *	desired offset
286  *
287  * @param[in] whence
288  * 	We try to convert whence to ``SEEK_SET``.
289  *	We do not support ``SEEK_DATA`` or ``SEEK_HOLE``.
290  *
291  * @return offset or error.
292  */
293 off_t
294 vectx_lseek(struct vectx *ctx, off_t off, int whence)
295 {
296 	unsigned char buf[PAGE_SIZE];
297 	size_t delta;
298 	ssize_t n;
299 
300 	if (ctx->vec_hashsz == 0)	/* nothing to do */
301 		return (lseek(ctx->vec_fd, off, whence));
302 
303 	/*
304 	 * Convert whence to SEEK_SET
305 	 */
306 	DEBUG_PRINTF(3,
307 	    ("%s(%s, %ld, %d)\n", __func__, ctx->vec_path, (long)off, whence));
308 	if (whence == SEEK_END && off <= 0) {
309 		if (ctx->vec_closing && ctx->vec_hashed < ctx->vec_size) {
310 			DEBUG_PRINTF(3, ("%s: SEEK_END %ld\n",
311 				__func__,
312 				(long)(ctx->vec_size - ctx->vec_hashed)));
313 		}
314 		whence = SEEK_SET;
315 		off += ctx->vec_size;
316 	} else if (whence == SEEK_CUR) {
317 		whence = SEEK_SET;
318 		off += ctx->vec_off;
319 	}
320 	if (whence != SEEK_SET ||
321 	    off > ctx->vec_size) {
322 		printf("ERROR: %s: unsupported operation: whence=%d off=%ld -> %ld\n",
323 		    __func__, whence, (long)ctx->vec_off, (long)off);
324 		return (-1);
325 	}
326 	if (off < ctx->vec_hashed) {
327 #ifdef _STANDALONE
328 		struct open_file *f = fd2open_file(ctx->vec_fd);
329 
330 		if (f != NULL &&
331 		    strncmp(f->f_ops->fs_name, "tftp", 4) == 0) {
332 			/* we cannot rewind if we've hashed much of the file */
333 			if (ctx->vec_hashed > ctx->vec_size / 5)
334 				return (-1);	/* refuse! */
335 		}
336 #endif
337 		/* seeking backwards! just do it */
338 		ctx->vec_off = lseek(ctx->vec_fd, off, whence);
339 		return (ctx->vec_off);
340 	}
341 	n = 0;
342 	do {
343 		delta = off - ctx->vec_off;
344 		if (delta > 0) {
345 			delta = MIN(PAGE_SIZE, delta);
346 			n = vectx_read(ctx, buf, delta);
347 			if (n < 0)
348 				return (n);
349 		}
350 	} while (ctx->vec_off < off && n > 0);
351 	return (ctx->vec_off);
352 }
353 
354 /**
355  * @brief
356  * check that hashes match and cleanup
357  *
358  * We have finished reading file, compare the hash with what
359  * we wanted.
360  *
361  * Be sure to call this before closing the file, since we may
362  * need to seek to the end to ensure hashing is complete.
363  *
364  * @param[in] pctx
365  *	pointer to ctx
366  *
367  * @return 0 or an error.
368  */
369 int
370 vectx_close(struct vectx *ctx, int severity, const char *caller)
371 {
372 	int rc;
373 
374 	ctx->vec_closing = 1;
375 	if (ctx->vec_hashsz == 0) {
376 		rc = ctx->vec_status;
377 	} else {
378 #ifdef VE_PCR_SUPPORT
379 		/*
380 		 * Only update pcr with things that must verify
381 		 * these tend to be processed in a more deterministic
382 		 * order, which makes our pseudo pcr more useful.
383 		 */
384 		ve_pcr_updating_set((severity == VE_MUST));
385 #endif
386 		/* make sure we have hashed it all */
387 		vectx_lseek(ctx, 0, SEEK_END);
388 		rc = ve_check_hash(&ctx->vec_ctx, ctx->vec_md,
389 		    ctx->vec_path, ctx->vec_want, ctx->vec_hashsz);
390 	}
391 	DEBUG_PRINTF(2,
392 	    ("vectx_close: caller=%s,name='%s',rc=%d,severity=%d\n",
393 		caller,ctx->vec_path, rc, severity));
394 	verify_report(ctx->vec_path, severity, rc, NULL);
395 	if (rc == VE_FINGERPRINT_WRONG) {
396 #if !defined(UNIT_TEST) && !defined(DEBUG_VECTX)
397 		/* we are generally called with VE_MUST */
398 		if (severity > VE_WANT)
399 			panic("cannot continue");
400 #endif
401 	}
402 	free(ctx);
403 	return ((rc < 0) ? rc : 0);
404 }
405