xref: /freebsd/lib/libsecureboot/verify_file.c (revision f616d61ab6b071e5fbfdbae7033a9ef04c1444ad)

/*-
 * Copyright (c) 2017-2020, Juniper Networks, Inc.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
 * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
/*
 * Routines to verify files loaded.
 */

#include <sys/param.h>
#include <string.h>
#include <sys/queue.h>
#include <sys/kenv.h>

#include "libsecureboot.h"
#include <verify_file.h>
#include <manifests.h>

#ifdef UNIT_TEST
# include <err.h>
# define panic warn
/*
 * define MANIFEST_SKIP to Skip - in tests/tvo.c so that
 * tvo can control the value we use in find_manifest()
 */
extern char *Destdir;
extern size_t DestdirLen;
extern char *Skip;
# undef MANIFEST_SKIP
# define MANIFEST_SKIP Skip
# undef VE_DEBUG_LEVEL
#endif

/*
 * We sometimes need to know if input is verified or not.
 * The extra slot is for tracking most recently opened.
 */
#ifndef SOPEN_MAX
#define SOPEN_MAX       64
#endif
static int ve_status[SOPEN_MAX+1];
static int ve_status_state;
struct verify_status;
static struct verify_status *verified_files = NULL;
static int loaded_manifests = 0;	/* have we loaded anything? */

enum {
	VE_VERBOSE_SILENT,		/* only report errors */
	VE_VERBOSE_UNVERIFIED,		/* all unverified files */
	VE_VERBOSE_MUST,		/* report VE_MUST */
	VE_VERBOSE_ALL,			/* report all */
	VE_VERBOSE_DEBUG,		/* extra noise */
};

#ifndef VE_VERBOSE_DEFAULT
# define VE_VERBOSE_DEFAULT VE_VERBOSE_MUST
#endif
static int Verbose = VE_VERBOSE_DEFAULT;

#define VE_STATUS_NONE	1
#define VE_STATUS_VALID	2

/**
 * @brief set ve status for fd
 */
void
ve_status_set(int fd, int ves)
{
	if (fd >= 0 && fd < SOPEN_MAX) {
		ve_status[fd] = ves;
		ve_status_state = VE_STATUS_VALID;
	}
	ve_status[SOPEN_MAX] = ves;
}

/**
 * @brief get ve status of fd
 *
 * What we return depends on ve_status_state.
 *
 * @return
 *	@li ve_status[fd] if ve_status_state is valid
 *	@li ve_status[SOPEN_MAX] if ve_status_state is none
 *	@li VE_NOT_CHECKED if ve_status_state uninitialized
 */
int
ve_status_get(int fd)
{
	if (!ve_status_state) {
		return (VE_NOT_CHECKED);
	}
	if (ve_status_state == VE_STATUS_VALID &&
		fd >= 0 && fd < SOPEN_MAX)
		return (ve_status[fd]);
	return (ve_status[SOPEN_MAX]);	/* most recent */
}

/**
 * @brief track verify status
 *
 * occasionally loader will make multiple calls
 * for the same file, we need only check it once.
 */
struct verify_status {
	dev_t	vs_dev;
	ino_t	vs_ino;
	int	vs_status;
	struct verify_status *vs_next;
};

int
is_verified(struct stat *stp)
{
	struct verify_status *vsp;
	int rc = VE_NOT_CHECKED;

	if (stp->st_ino > 0) {
		for (vsp = verified_files; vsp != NULL; vsp = vsp->vs_next) {
			if (stp->st_dev == vsp->vs_dev &&
			    stp->st_ino == vsp->vs_ino) {
				rc = vsp->vs_status;
				break;
			}
		}
	}
	DEBUG_PRINTF(4, ("%s: dev=%lld,ino=%llu,status=%d\n",
		__func__, (long long)stp->st_dev,
		(unsigned long long)stp->st_ino, rc));
	return (rc);
}

/* most recent first, since most likely to see repeated calls. */
void
add_verify_status(struct stat *stp, int status)
{
	struct verify_status *vsp;

	vsp = malloc(sizeof(struct verify_status));
	if (vsp) {
		vsp->vs_next = verified_files;
		vsp->vs_dev = stp->st_dev;
		vsp->vs_ino = stp->st_ino;
		vsp->vs_status = status;
		verified_files = vsp;
	}
	DEBUG_PRINTF(4, ("%s: dev=%lld,ino=%llu,status=%d\n",
		__func__, (long long)stp->st_dev,
		(unsigned long long)stp->st_ino, status));
}


/**
 * @brief
 * load specified manifest if verified
 */
int
load_manifest(const char *name, const char *prefix,
    const char *skip, struct stat *stp)
{
	struct stat st;
	size_t n;
	int rc;
	char *content;

	rc = VE_FINGERPRINT_NONE;
	n = strlen(name);
	if (n > 4) {
		if (!stp) {
			stp = &st;
			if (stat(name, &st) < 0 || !S_ISREG(st.st_mode))
				return (rc);
		}
		rc = is_verified(stp);
		if (rc != VE_NOT_CHECKED) {
			return (rc);
		}
		/* loader has no sense of time */
		ve_utc_set(stp->st_mtime);
		content = (char *)verify_signed(name, VerifyFlags);
		if (content) {
#ifdef UNIT_TEST
			if (DestdirLen > 0 &&
			    strncmp(name, Destdir, DestdirLen) == 0) {
				name += DestdirLen;
				if (prefix &&
				    strncmp(prefix, Destdir, DestdirLen) == 0)
					prefix += DestdirLen;
			}
#endif
			fingerprint_info_add(name, prefix, skip, content, stp);
			add_verify_status(stp, VE_VERIFIED);
			loaded_manifests = 1; /* we are verifying! */
			DEBUG_PRINTF(3, ("loaded: %s %s %s\n",
				name, prefix, skip));
			rc = VE_VERIFIED;
		} else {
			rc = VE_FINGERPRINT_WRONG;
			add_verify_status(stp, rc);	/* remember */
		}
	}
	return (rc);
}

static int
find_manifest(const char *name)
{
	struct stat st;
	char buf[MAXPATHLEN];
	char *prefix;
	char *skip;
	const char **tp;
	int rc;

	strncpy(buf, name, MAXPATHLEN - 1);
	if (!(prefix = strrchr(buf, '/')))
		return (-1);
	*prefix = '\0';
	prefix = strdup(buf);
	rc = VE_FINGERPRINT_NONE;
	for (tp = manifest_names; *tp; tp++) {
		snprintf(buf, sizeof(buf), "%s/%s", prefix, *tp);
		if (*tp[0] == '.') {
			/* skip /../ */
			if (prefix[0] == '\0' || prefix[1] == '\0')
				continue;
		}
		DEBUG_PRINTF(5, ("looking for %s\n", buf));
		if (stat(buf, &st) == 0 && st.st_size > 0) {
#ifdef MANIFEST_SKIP_ALWAYS		/* very unlikely */
			skip = MANIFEST_SKIP_ALWAYS;
#else
#ifdef MANIFEST_SKIP			/* rare */
			if (*tp[0] == '.') {
				skip = MANIFEST_SKIP;
			} else
#endif
				skip = NULL;
#endif
			rc = load_manifest(buf, skip ? prefix : NULL,
			    skip, &st);
			break;
		}
	}
	free(prefix);
	return (rc);
}


#ifdef LOADER_VERIEXEC_TESTING
# define ACCEPT_NO_FP_DEFAULT	VE_MUST + 1
#else
# define ACCEPT_NO_FP_DEFAULT	VE_MUST
#endif

static int
severity_guess(const char *filename)
{
	const char *cp;

	/*
	 * Some files like *.conf and *.hints may be unsigned,
	 * a *.tgz is expected to have its own signed manifest.
	 * We allow *.conf to get VE_WANT, but files we expect
	 * to always be unverified get VE_TRY and we will not
	 * report them.
	 */
	if ((cp = strrchr(filename, '.'))) {
		if (strcmp(cp, ".cookie") == 0 ||
		    strcmp(cp, ".hints") == 0 ||
		    strcmp(cp, ".order") == 0 ||
		    strcmp(cp, ".tgz") == 0)
			return (VE_TRY);
		if (strcmp(cp, ".4th") == 0 ||
		    strcmp(cp, ".lua") == 0 ||
		    strcmp(cp, ".rc") == 0)
			return (VE_MUST);
	}
	return (VE_WANT);
}

static int Verifying = -1;		/* 0 if not verifying */

static void
verify_tweak(int fd, off_t off, struct stat *stp,
    char *tweak, int *accept_no_fp)
{
	if (strcmp(tweak, "off") == 0) {
		Verifying = 0;
	} else if (strcmp(tweak, "strict") == 0) {
		/* anything caller wants verified must be */
		*accept_no_fp = VE_WANT;
		Verbose = VE_VERBOSE_ALL;
		/* treat self test failure as fatal */
		if (!ve_self_tests()) {
			panic("verify self tests failed");
		}
	} else if (strcmp(tweak, "modules") == 0) {
		/* modules/kernel must be verified */
		*accept_no_fp = VE_MUST;
	} else if (strcmp(tweak, "try") == 0) {
		/* best effort: always accept no fp */
		*accept_no_fp = VE_MUST + 1;
	} else if (strcmp(tweak, "verbose") == 0) {
		Verbose = VE_VERBOSE_ALL;
	} else if (strcmp(tweak, "quiet") == 0) {
		Verbose = VE_VERBOSE_UNVERIFIED;
		VerifyFlags = 0;
	} else if (strcmp(tweak, "silent") == 0) {
		Verbose = VE_VERBOSE_SILENT;
		VerifyFlags = 0;
	} else if (strncmp(tweak, "trust", 5) == 0) {
		/* content is trust anchor to add or revoke */
		unsigned char *ucp;
		size_t num;

		if (off > 0)
			lseek(fd, 0, SEEK_SET);
		ucp = read_fd(fd, stp->st_size);
		if (ucp == NULL)
			return;
		if (strstr(tweak, "revoke")) {
			num = ve_trust_anchors_revoke(ucp, stp->st_size);
			DEBUG_PRINTF(3, ("revoked %d trust anchors\n",
				(int) num));
		} else {
			num = ve_trust_anchors_add_buf(ucp, stp->st_size);
			DEBUG_PRINTF(3, ("added %d trust anchors\n",
				(int) num));
		}
	}
}

#ifndef VE_DEBUG_LEVEL
# define VE_DEBUG_LEVEL 0
#endif

static int
getenv_int(const char *var, int def)
{
	const char *cp;
	char *ep;
	long val;

	val = def;
	cp = getenv(var);
	if (cp && *cp) {
		val = strtol(cp, &ep, 0);
		if ((ep && *ep) || val != (int)val) {
			val = def;
		}
	}
	return (int)val;
}


/**
 * @brief report verification status
 *
 * @param[in] path
 *	path we attempted to verify
 *
 * @param[in] severity
 * 	indicator of how to handle case of missing fingerprint
 *
 * @param[in] status
 *	result of verification
 *	0 not a file to be verified, > 0 success, < 0 error
 *
 * @param[in] stp
 *	pointer to struct stat, used in extra info to be output
 *
 * The output is dictated by combinations of the above and the setting
 * of Verbose:
 *
 * VE_VERBOSE_SILENT
 * 	report only failure to verify if severity is VE_WANT or higher.
 *
 * VE_VERBOSE_UNVERIFIED
 * 	report any unverified file.
 *
 * VE_VERBOSE_MUST
 * 	report verified only if severity is VE_MUST or higher.
 *
 * VE_VERBOSE_ALL
 * 	report all verified files.
 *
 * VE_VERBOSE_DEBUG
 * 	if stp is not NULL report dev,inode for path
 */
void
verify_report(const char *path, int severity, int status, struct stat *stp)
{
	if (status < 0 || status == VE_FINGERPRINT_IGNORE) {
		if (Verbose < VE_VERBOSE_ALL && severity < VE_WANT)
			return;
		if (Verbose >= VE_VERBOSE_UNVERIFIED || severity > VE_TRY ||
		    status <= VE_FINGERPRINT_WRONG) {
			if (Verbose == VE_VERBOSE_DEBUG && stp != NULL)
				printf("Unverified %s %llu,%llu\n",
				    ve_error_get(),
				    (long long)stp->st_dev,
				    (long long)stp->st_ino);
			else
				printf("Unverified %s\n", ve_error_get());
		}
	} else if (status > 0 && Verbose >= VE_VERBOSE_MUST) {
		if (severity >= VE_MUST || Verbose >= VE_VERBOSE_ALL) {
			if (Verbose == VE_VERBOSE_DEBUG && stp != NULL)
				printf("Unverified %s %llu,%llu\n",
				    path,
				    (long long)stp->st_dev,
				    (long long)stp->st_ino);
			else
				printf("Verified %s\n", path);
		}
	}
}


/**
 * @brief prepare to verify an open file
 *
 * @param[in] fd
 * 	open descriptor
 *
 * @param[in] filename
 * 	path we opened and will use to lookup fingerprint
 *
 * @param[in] stp
 *	stat pointer so we can check file type
 */
int
verify_prep(int fd, const char *filename, off_t off, struct stat *stp,
    const char *caller)
{
	int rc;

	if (Verifying < 0) {
		Verifying = ve_trust_init();
		/* initialize ve_status with default result */
		rc = Verifying ? VE_NOT_CHECKED : VE_NOT_VERIFYING;
		ve_status_set(0, rc);
		ve_status_state = VE_STATUS_NONE;
		if (Verifying) {
			ve_self_tests();
			ve_anchor_verbose_set(1);
		}
	}
	if (!Verifying || fd < 0)
		return (0);
	if (stp) {
		if (fstat(fd, stp) < 0 || !S_ISREG(stp->st_mode))
			return (0);
	}
	DEBUG_PRINTF(2,
	    ("verify_prep: caller=%s,fd=%d,name='%s',off=%lld,dev=%lld,ino=%llu\n",
		caller, fd, filename, (long long)off, (long long)stp->st_dev,
		(unsigned long long)stp->st_ino));
	rc = is_verified(stp);
	if (rc == VE_NOT_CHECKED) {
		rc = find_manifest(filename);
		if (rc == VE_VERIFIED)
			rc = VE_NOT_CHECKED;
	} else {
		ve_status_set(fd, rc);
	}
	return (rc);
}

/**
 * @brief verify an open file
 *
 * @param[in] fd
 * 	open descriptor
 *
 * @param[in] filename
 * 	path we opened and will use to lookup fingerprint
 *
 * @param[in] off
 * 	current offset in fd, must be restored on return
 *
 * @param[in] severity
 * 	indicator of how to handle case of missing fingerprint
 *
 * We look for a signed manifest relative to the filename
 * just opened and verify/load it if needed.
 *
 * We then use verify_fd() in libve to actually verify that hash for
 * open file.  If it returns < 0 we look at the severity arg to decide
 * what to do about it.
 *
 * If verify_fd() returns VE_FINGERPRINT_NONE we accept it if severity
 * is < accept_no_fp.
 *
 * @return >= 0 on success < 0 on failure
 */
int
verify_file(int fd, const char *filename, off_t off, int severity,
    const char *caller)
{
	static int check_verbose = 1;
	static int accept_no_fp = ACCEPT_NO_FP_DEFAULT;
	struct stat st;
	char *cp;
	int rc;

	if (check_verbose) {
		check_verbose = 0;
		Verbose = getenv_int("VE_VERBOSE", VE_VERBOSE_DEFAULT);
		VerifyFlags = getenv_int("VE_VERIFY_FLAGS",
		    Verbose ? VEF_VERBOSE : 0);
#ifndef UNIT_TEST
		ve_debug_set(getenv_int("VE_DEBUG_LEVEL", VE_DEBUG_LEVEL));
#endif
	}

	rc = verify_prep(fd, filename, off, &st, caller);

	if (!rc)
		return (0);

	if (rc != VE_FINGERPRINT_WRONG && loaded_manifests) {
		if (rc != VE_NOT_CHECKED)
			return (rc);

		if (severity <= VE_GUESS)
			severity = severity_guess(filename);
#ifdef VE_PCR_SUPPORT
		/*
		 * Only update pcr with things that must verify
		 * these tend to be processed in a more deterministic
		 * order, which makes our pseudo pcr more useful.
		 */
		ve_pcr_updating_set((severity == VE_MUST));
#endif
#ifdef UNIT_TEST
		if (DestdirLen > 0 &&
		    strncmp(filename, Destdir, DestdirLen) == 0) {
			filename += DestdirLen;
		}
#endif
		rc = verify_fd(fd, filename, off, &st);
		verify_report(filename, severity, rc, &st);
		if (rc >= 0) {
			if (severity < VE_MUST) { /* not a kernel or module */
				if ((cp = strrchr(filename, '/'))) {
					cp++;
					if (strncmp(cp, "loader.ve.", 10) == 0) {
						cp += 10;
						verify_tweak(fd, off, &st, cp,
						    &accept_no_fp);
					}
				}
			}
			add_verify_status(&st, rc);
			ve_status_set(fd, rc);
			return (rc);
		}
		if (rc == VE_FINGERPRINT_UNKNOWN && severity < VE_MUST)
			rc = VE_UNVERIFIED_OK;
		else if (rc == VE_FINGERPRINT_NONE && severity < accept_no_fp)
			rc = VE_UNVERIFIED_OK;

		add_verify_status(&st, rc);

		/* recheck debug/verbose level next time we are called */
		if (rc == VE_UNVERIFIED_OK) {
			check_verbose = 1;
		}
	}
#ifdef LOADER_VERIEXEC_TESTING
	else if (rc != VE_FINGERPRINT_WRONG) {
		/*
		 * We have not loaded any manifest and
		 * not because of verication failure.
		 * Most likely reason is we have none.
		 * Allow boot to proceed if we are just testing.
		 */
		return (VE_UNVERIFIED_OK);
	}
#endif
	if (rc == VE_FINGERPRINT_WRONG && severity > accept_no_fp)
		panic("cannot continue");
	ve_status_set(fd, rc);
	return (rc);
}

/**
 * @brief get hex string for pcr value and export
 *
 * In case we are doing measured boot, provide
 * value of the "pcr" data we have accumulated.
 */
void
verify_pcr_export(void)
{
#ifdef VE_PCR_SUPPORT
	char hexbuf[br_sha256_SIZE * 2 + 2];
	unsigned char hbuf[br_sha256_SIZE];
	char *hinfo;
	char *hex;
	ssize_t hlen;

	hlen = ve_pcr_get(hbuf, sizeof(hbuf));
	if (hlen > 0) {
		hex = hexdigest(hexbuf, sizeof(hexbuf), hbuf, hlen);
		if (hex) {
			hex[hlen*2] = '\0'; /* clobber newline */
			setenv("loader.ve.pcr", hex, 1);
			DEBUG_PRINTF(1,
			    ("%s: setenv(loader.ve.pcr, %s\n", __func__,
				hex));
			hinfo = ve_pcr_hashed_get(1);
			if (hinfo) {
				setenv("loader.ve.hashed", hinfo, 1);
				DEBUG_PRINTF(1,
				    ("%s: setenv(loader.ve.hashed, %s\n",
					__func__, hinfo));
				if ((hlen = strlen(hinfo)) > KENV_MVALLEN) {
					/*
					 * bump kenv_mvallen
					 * roundup to multiple of KENV_MVALLEN
					 */
					char mvallen[16];

					hlen += KENV_MVALLEN -
					    (hlen % KENV_MVALLEN);
					if (snprintf(mvallen, sizeof(mvallen),
						"%d", (int) hlen) < (int)sizeof(mvallen))
						setenv("kenv_mvallen", mvallen, 1);
				}
				free(hinfo);
			}
		}
	}
#endif
}

/*
 * For tftp and http we need to hash pathname
 * to be able to fake stat(2) data.
 */
int
hash_string(char *s, size_t n, char *buf, size_t bufsz)
{
	br_hash_compat_context mctx;
	const br_hash_class *md;

	switch (bufsz) {
	case br_sha1_SIZE:
		md = &br_sha1_vtable;
		break;
	case br_sha256_SIZE:
		md = &br_sha256_vtable;
		break;
	default:
		if (bufsz < br_sha1_SIZE)
			return -1;
		md = &br_sha1_vtable;
		bufsz = br_sha1_SIZE;
		break;
	}
	if (n == 0)
		n = strlen(s);
	md->init(&mctx.vtable);
	md->update(&mctx.vtable, s, n);
	md->out(&mctx.vtable, buf);
	return bufsz;
}