| /* Copyright 2015 The Chromium OS Authors. All rights reserved. |
| * Use of this source code is governed by a BSD-style license that can be |
| * found in the LICENSE file. |
| */ |
| |
| #include "dcrypto.h" |
| #include "debug_printf.h" |
| #include "registers.h" |
| #include "setup.h" |
| #include "trng.h" |
| |
| #define LOADERKEYEXP 3 |
| #define RSA_NUM_WORDS 96 |
| #define RSA_NUM_BYTES (RSA_NUM_WORDS * 4) |
| |
| |
| static const uint32_t LOADERKEY_A[RSA_NUM_WORDS + 1] = { |
| 0xea54076f, 0xe986c871, 0x8cffffb4, 0xd7c50bda, 0x30700ee0, 0xc023a878, |
| 0x30e7fdf8, 0x5bb0c06f, 0x1d25d80f, 0x18e181f7, 0xfbf7a8b0, 0x331c16d4, |
| 0xeb042379, 0x4cef13ec, 0x5b2072e7, 0xc807b01d, 0x443fb117, 0xd2e04e5b, |
| 0xcb984393, 0x85d90d9d, 0x0332dcb8, 0xd42ccacf, 0x787e3947, 0x1975095c, |
| 0x2d523b0b, 0xf815be95, 0x00db9a2c, 0x6c08442b, 0x57a022bb, 0x9d5c84ed, |
| 0x46a6d275, 0x4392dcf8, 0xfa6812e3, 0xe0f3a3e6, 0xc8ff3f61, 0xd518dbac, |
| 0xbba7376a, 0x767a219a, 0x9d153119, 0x980b16f8, 0x79eb5078, 0xb869924d, |
| 0x2e392cc2, 0x76c04f32, 0xe35ea788, 0xcb67fa62, 0x30efec79, 0x36f04ae0, |
| 0x2212a5fc, 0x51c41de8, 0x2b0b84db, 0x6803ca1c, 0x39a248fd, 0xa0c31ee2, |
| 0xb1ca22b6, 0x16e54056, 0x086f6591, 0x3825208d, 0x079c157b, 0xe51c15a6, |
| 0x0dd1c66f, 0x8267b8ae, 0xf06b4f85, 0xc68b27ab, 0x31bcd5fc, 0x34d563b7, |
| 0xc4d2212e, 0x1e770199, 0xaf797061, 0x824d4853, 0x526e18cd, 0x4bb8a0dc, |
| 0xeb9377fe, 0x04fda73c, 0x2933f8a6, 0xe16c0432, 0x40ea1bd5, 0x9efcd77e, |
| 0x92be9e55, 0x003c1128, 0x48442cf9, 0x80b4fb31, 0xfe1e3df3, 0x1d28e14d, |
| 0xe99c0f9d, 0x521d38c2, 0x0082c4f1, 0xcff25d56, 0x0d3e7186, 0xe72b98f0, |
| 0xefaa5689, 0x74051ed5, 0x6b7e7fff, 0x822b1944, 0x77a94732, 0x8d0b9aaf, |
| 0x7a8ee958 |
| }; |
| |
| const uint32_t LOADERKEY_B[RSA_NUM_WORDS + 1] = { |
| 0xeea8b39f, 0xdfa457a1, 0x8b81fdc3, 0xb0204c84, 0x297b9db2, 0xaa70318d, |
| 0x8cd41a68, 0x4aa0f9bb, 0xf63f9d69, 0xf0fe64b0, 0x96e42e2d, 0x5e494b1d, |
| 0x066cefd0, 0xde949c16, 0xc92499ed, 0x92229990, 0x48ac3b1a, 0x1dfc2388, |
| 0xda71d258, 0x826ddedf, 0xd0220e70, 0x6140dedf, 0x92bcdec7, 0xcdf91c22, |
| 0xaa110aed, 0xc371c2f9, 0xa3fedf2a, 0xfd2c6a07, 0xe71aabce, 0x7f426484, |
| 0x0ac51128, 0x4bab4ca2, 0x0162d0b9, 0x49fef7e3, 0xeda8664e, 0x14b92b7a, |
| 0x0397dbb7, 0x5b9eb94a, 0x069b5059, 0x3851f46b, 0x45bbcaba, 0x0b812652, |
| 0x7cd8b10b, 0xcaeccc32, 0x0ffd08e3, 0xfe6f0306, 0x8c02d5f7, 0xafdc4595, |
| 0xe0edda47, 0x0cc821db, 0x50beeae5, 0xb9868c18, 0xefd2de11, 0xdfecd15c, |
| 0xa8937a70, 0x223d9d95, 0x1b70848b, 0x54fa9176, 0x8bf012ef, 0xd37c1446, |
| 0xf9a7ebeb, 0xbf2dfa9a, 0xdc6b8ea0, 0xe5f8bc4d, 0x539222b5, 0x192521e4, |
| 0xe7088628, 0x2646bb56, 0x6fcc5d70, 0x3f1cd8e9, 0xae9cec24, 0xf53b6559, |
| 0x6f091891, 0x5342fa61, 0xbfee50e9, 0x211ad58a, 0xd1c5aa17, 0x252dfa56, |
| 0x17131164, 0x4630a459, 0x2f681f51, 0x3fb9ab3c, 0x6c8e0a70, 0xa34a868b, |
| 0xe960e702, 0xa470d241, 0x00647369, 0xa4c25391, 0xd1926cf9, 0x5fce5488, |
| 0xd171cb2e, 0x8a7c982e, 0xc89cbe39, 0xc0e019d8, 0x82cd1ebe, 0x68918fce, |
| 0x5ec138fd |
| }; |
| |
| #define RANDOM_STEP 5 |
| |
| inline uint32_t bswap(uint32_t a) |
| { |
| uint32_t result; |
| |
| __asm__ volatile("rev %0, %1;" : "=r"(result) : "r"(a)); |
| |
| return result; |
| } |
| |
| /* Montgomery c[] += a * b[] / R % key. */ |
| static void montMulAdd(const uint32_t *key, |
| uint32_t *c, const uint32_t a, |
| const uint32_t *b) |
| { |
| register uint64_t tmp; |
| uint32_t i, A, B, d0; |
| |
| { |
| |
| tmp = c[0] + (uint64_t)a * b[0]; |
| A = tmp >> 32; |
| d0 = (uint32_t)tmp * *key++; |
| tmp = (uint32_t)tmp + (uint64_t)d0 * *key++; |
| B = tmp >> 32; |
| } |
| |
| for (i = 0; i < RSA_NUM_WORDS - 1; ++i) { |
| tmp = A + (uint64_t)a * b[i + 1] + c[i + 1]; |
| A = tmp >> 32; |
| tmp = B + (uint64_t)d0 * *key++ + (uint32_t)tmp; |
| c[i] = (uint32_t)tmp; |
| B = tmp >> 32; |
| } |
| |
| c[RSA_NUM_WORDS - 1] = A + B; |
| } |
| |
| /* Montgomery c[] = a[] * b[] / R % key. */ |
| static void montMul(const uint32_t *key, |
| uint32_t *c, const uint32_t *a, |
| const uint32_t *b) |
| { |
| int i; |
| |
| for (i = 0; i < RSA_NUM_WORDS; ++i) |
| c[i] = 0; |
| |
| for (i = 0; i < RSA_NUM_WORDS; ++i) |
| montMulAdd(key, c, a[i], b); |
| } |
| |
| /* Montgomery c[] = a[] * 1 / R % key. */ |
| static void montMul1(const uint32_t *key, |
| uint32_t *c, const uint32_t *a) |
| { |
| int i; |
| |
| for (i = 0; i < RSA_NUM_WORDS; ++i) |
| c[i] = 0; |
| |
| montMulAdd(key, c, 1, a); |
| for (i = 1; i < RSA_NUM_WORDS; ++i) |
| montMulAdd(key, c, 0, a); |
| } |
| |
| #if LOADERKEYEXP == 3 |
| /* In-place exponentiation to power 3 % key. */ |
| static void modpow(const uint32_t *key, |
| const uint32_t *signature, uint32_t *out) |
| { |
| static uint32_t aaR[RSA_NUM_WORDS]; |
| static uint32_t aaaR[RSA_NUM_WORDS]; |
| |
| montMul(key, aaR, signature, signature); |
| montMul(key, aaaR, aaR, signature); |
| montMul1(key, out, aaaR); |
| } |
| #endif |
| void LOADERKEY_verify(uint32_t keyid, const uint32_t *signature, |
| const uint32_t *sha256) |
| { |
| static uint32_t buf[RSA_NUM_WORDS] |
| __attribute__((section(".guarded_data"))); |
| static uint32_t hash[SHA256_DIGEST_WORDS] |
| __attribute__((section(".guarded_data"))); |
| uint32_t step, offset; |
| const uint32_t *key; |
| int i; |
| |
| if (keyid == LOADERKEY_B[0]) |
| key = LOADERKEY_B; |
| else |
| key = LOADERKEY_A; |
| |
| modpow(key, signature, buf); |
| VERBOSE("sig %.384h\n", buf); |
| |
| /* |
| * XOR in offsets across buf. Mostly to get rid of all those -1 words |
| * in there. |
| */ |
| offset = rand() % RSA_NUM_WORDS; |
| step = (RANDOM_STEP % RSA_NUM_WORDS) || 1; |
| |
| for (i = 0; i < RSA_NUM_WORDS; ++i) { |
| buf[offset] ^= (0x1000u + offset); |
| offset = (offset + step) % RSA_NUM_WORDS; |
| } |
| |
| /* |
| * Xor digest location, so all words becomes 0 only iff equal. |
| * |
| * Also XOR in offset and non-zero const. This to avoid repeat |
| * glitches to zero be able to produce the right result. |
| */ |
| offset = rand() % SHA256_DIGEST_WORDS; |
| step = (RANDOM_STEP % SHA256_DIGEST_WORDS) || 1; |
| for (i = 0; i < SHA256_DIGEST_WORDS; ++i) { |
| buf[offset] ^= bswap(sha256[SHA256_DIGEST_WORDS - 1 - offset]) |
| ^ (offset + 0x10u); |
| offset = (offset + step) % SHA256_DIGEST_WORDS; |
| } |
| |
| VERBOSE("\nsig^ %.384h\n\n", buf); |
| |
| /* Hash resulting buffer. */ |
| DCRYPTO_SHA256_hash((uint8_t *) buf, RSA_NUM_BYTES, (uint8_t *) hash); |
| |
| VERBOSE("hash %.32h\n", hash); |
| |
| /* |
| * Write computed hash to unlock register to unlock execution, iff |
| * right. Idea is that this flow cannot be glitched to have correct |
| * values with any probability. |
| */ |
| for (i = 0; i < SHA256_DIGEST_WORDS; ++i) |
| GREG32_ADDR(GLOBALSEC, SB_BL_SIG0)[i] = hash[i]; |
| |
| /* |
| * Make an unlock attempt. Value written is irrelevant, as long as |
| * something is written. |
| */ |
| GREG32(GLOBALSEC, SIG_UNLOCK) = 1; |
| } |