/*
* Copyright (c) 2019 The Fuchsia Authors
*
* SPDX-License-Identifier: BSD-3-Clause
*/
#ifndef _ZIRCON_VBOOT_H_
#define _ZIRCON_VBOOT_H_
#include <abr/abr.h>
#include <libavb/libavb.h>
#include <libavb_atx/libavb_atx.h>
/* Device lock state as seen by the verified-boot path.
 *
 * AVB_ATX_UNLOCKED tells zircon_vboot_slot_verify() to tolerate verification
 * errors (see its @lock_state note); AVB_ATX_LOCKED does not. The values are
 * written out explicitly so the encoding stays fixed if members are added.
 */
typedef enum {
  AVB_ATX_LOCKED = 0,
  AVB_ATX_UNLOCKED = 1,
} AvbAtxLockState;
/* Whether the slot under verification has already been marked successful.
 *
 * zircon_vboot_slot_verify() only bumps the minimum rollback indices when the
 * slot is AVB_ATX_SLOT_MARKED_SUCCESSFUL (see its @slot_state note). The
 * values are written out explicitly so the encoding stays fixed if members are
 * added.
 */
typedef enum {
  AVB_ATX_SLOT_MARKED_SUCCESSFUL = 0,
  AVB_ATX_SLOT_NOT_MARKED_SUCCESSFUL = 1,
} AvbAtxSlotState;
/**
 * Appends the extra ZBI items carried in vbmeta to the |zbi| container.
 *
 * @zbi: ZBI container to append to.
 * @capacity: presumably the total size of the buffer backing |zbi|, i.e. the
 *            bound on how far the container may grow — confirm against the
 *            definition.
 *
 * NOTE(review): zircon_vboot_preloaded_img_load() says it sets global state
 * "required to correctly extract items from vbmeta", so this call is presumably
 * only valid after a successful load/verify. Do not use it to pull items out of
 * a vbmeta that has not been verified.
 *
 * Return: the original comment does not say; presumably 0 on success and
 * non-zero on failure like the other loaders in this header — confirm.
 */
int zircon_vboot_add_extra_zbi_items(zbi_header_t *zbi, size_t capacity);
/**
 * Loads the Zircon image to boot using the A/B/R slot scheme.
 *
 * @loadaddr: address at which to load the Zircon image.
 * @loadsize: size of the load buffer at @loadaddr.
 * @force_recovery: when true, force a boot into the recovery (R) slot instead
 *                  of whichever A/B slot would otherwise be chosen.
 *
 * NOTE(review): whether the loaded image was actually authenticated depends on
 * the device lock state (see @lock_state on zircon_vboot_slot_verify()); a 0
 * return should not be read as "image verified" on an unlocked device.
 *
 * Return: 0 if successful, negative value on failure. (The other loaders in
 * this header document "non-zero" rather than "negative"; callers are safest
 * testing for != 0.)
 */
int zircon_vboot_img_load(unsigned char *loadaddr, size_t loadsize,
bool force_recovery);
/**
 * Loads and verifies a zbi + vbmeta pair that is already in memory.
 *
 * Verification runs on the preloaded buffers in place, so @loadaddr is not
 * written until verification has completed successfully; on failure the load
 * buffer is left untouched. This function also sets global state that later
 * vbmeta item extraction (presumably zircon_vboot_add_extra_zbi_items())
 * relies on, so it is presumably not safe to call concurrently — confirm.
 *
 * @loadaddr: address to which the validated zbi is loaded.
 * @loadsize: size of the load buffer at @loadaddr.
 * @zbi: address of the preloaded zbi.
 * @zbi_size: size of the preloaded zbi, in bytes.
 * @vbmeta: address of the preloaded vbmeta.
 * @vbmeta_size: size of the preloaded vbmeta, in bytes.
 *
 * Return: 0 if successful, non-zero value on failure. Callers should test for
 * != 0 rather than < 0: unlike zircon_vboot_img_load(), a negative return is
 * not promised here.
 */
int zircon_vboot_preloaded_img_load(unsigned char *loadaddr, size_t loadsize,
unsigned char *zbi, size_t zbi_size,
unsigned char *vbmeta, size_t vbmeta_size);
/* Performs a full load + verification of the indicated slot.
 *
 * @loadaddr: address at which to load the Zircon image.
 * @loadsize: size of the load buffer at @loadaddr.
 * @requested_partitions: partitions to verify; presumably the same
 *                        NULL-terminated name list avb_slot_verify() takes —
 *                        confirm.
 * @ab_suffix: slot suffix to load and verify.
 * @lock_state: if AVB_ATX_UNLOCKED, verification errors will be allowed (see
 *              AVB_SLOT_VERIFY_FLAGS_ALLOW_VERIFICATION_ERROR for details).
 *              NOTE(review): this is the switch that turns the security check
 *              off, so its value must come from the device's trusted lock
 *              state or from a credential accepted by
 *              zircon_vboot_validate_unlock_credential() — never from anything
 *              inside the image being verified.
 * @slot_state: if AVB_ATX_SLOT_MARKED_SUCCESSFUL, minimum rollback index values
 *              will be bumped to match the values in the verified slot (on
 *              success). Presumably gated on "marked successful" so that a slot
 *              which has not yet proven it boots cannot lock out the previous
 *              slot through its rollback indices — confirm.
 * @verify_data: see |out_data| for avb_slot_verify(); presumably released by
 *               the caller with avb_slot_verify_data_free() as for any other
 *               libavb result — confirm.
 *
 * Return: the libavb AvbSlotVerifyResult for the slot. When verification
 * errors are allowed, consult the libavb documentation of that flag for which
 * non-OK results still come back with |verify_data| populated; callers must
 * not treat "data present" as "verified".
 */
AvbSlotVerifyResult
zircon_vboot_slot_verify(unsigned char *loadaddr, size_t loadsize,
const char *const *requested_partitions,
const char *ab_suffix, AvbAtxLockState lock_state,
AvbAtxSlotState slot_state,
AvbSlotVerifyData **verify_data);
/**
 * Verifies a zbi + vbmeta pair that is already in memory.
 *
 * @zbi: address of the preloaded zbi.
 * @zbi_size: size of the preloaded zbi, in bytes.
 * @vbmeta: address of the preloaded vbmeta.
 * @vbmeta_size: size of the preloaded vbmeta, in bytes.
 * @verify_data: verification data, allocated and filled only if vbmeta
 *               verification succeeds. It can still be NULL when this function
 *               returns true: that is the case when the device is unlocked and
 *               no vbmeta was provided. A non-NULL result is presumably owned by
 *               the caller and released with avb_slot_verify_data_free() —
 *               confirm.
 *
 * Return: true if either the ZBI verified successfully, or we're unlocked.
 *
 * NOTE(review): because an unlocked device yields true regardless of the
 * verification outcome, a true return must not be treated as "the image is
 * authentic". Anything that needs that guarantee (releasing device secrets,
 * for example) has to check the lock state and/or a non-NULL |verify_data|
 * rather than this boolean.
 */
bool zircon_vboot_preloaded_img_verify(unsigned char *zbi, size_t zbi_size,
unsigned char *vbmeta,
size_t vbmeta_size,
AvbSlotVerifyData **verify_data);
/* Returns the suffix of the slot chosen to boot, as a C string.
 *
 * Ownership and lifetime are not documented in the original; presumably static
 * storage that the caller must not free or modify — confirm. */
const char *zircon_vboot_get_current_slot(void);
/* Returns the suffix of the slot most recently set active (presumably via
 * zircon_vboot_set_slot_active()), as a C string.
 *
 * Ownership and lifetime are not documented in the original; presumably static
 * storage that the caller must not free or modify — confirm. */
const char *zircon_vboot_get_slot_last_set_active(void);
/* Fills |info| with the ABR slot information for slot number |slot_number|.
 *
 * @slot_number: index of the slot to query; the numbering convention comes
 *               from abr/abr.h — confirm before hard-coding values.
 * @info: output; presumably only valid when the call succeeds.
 *
 * Returns > 0 if an error occurred, 0 on success. Note this is the opposite
 * sign from the "negative on failure" convention used by
 * zircon_vboot_img_load(); callers should test for != 0.
 */
int zircon_vboot_get_slot_info(int slot_number, AbrSlotInfo *info);
/* Marks slot number |slot_number| active (presumably the ABR slot to be
 * selected on subsequent boots — confirm).
 *
 * Return: not documented in the original; presumably 0 on success. Check which
 * sign convention the definition uses for failure before relying on it.
 */
int zircon_vboot_set_slot_active(int slot_number);
/* Generates an unlock challenge into |out|.
 *
 * NOTE(review): the challenge is what binds a later
 * zircon_vboot_validate_unlock_credential() call to this device and this boot
 * session, so it must be unpredictable. Presumably it carries a random nonce as
 * in libavb_atx — confirm that the RNG backing it on this board is a real
 * entropy source and not a fixed or counter-based value.
 *
 * Return: presumably 0 on success, non-zero on failure — the original comment
 * does not say.
 */
int zircon_vboot_generate_unlock_challenge(AvbAtxUnlockChallenge *out);
/* Validates an unlock credential presented in answer to a challenge.
 *
 * @in: the credential to check; presumably it must answer the most recent
 *      challenge issued by zircon_vboot_generate_unlock_challenge() — confirm.
 * @out_is_trusted: set to true only if the credential is accepted; presumably
 *                  only meaningful when the function itself returns 0.
 *
 * Callers MUST check both the return value and *out_is_trusted before calling
 * zircon_vboot_unlock(): that function requires a successfully authenticated
 * token and relies on the caller for it (see its comment).
 *
 * Return: presumably 0 when the check could be performed (consult
 * *out_is_trusted for the verdict) and non-zero when it could not — the
 * original comment does not say; confirm against the definition.
 */
int zircon_vboot_validate_unlock_credential(AvbAtxUnlockCredential *in,
bool *out_is_trusted);
/* Returns true if Zircon verified boot (ZVB) is enabled on this device.
 *
 * NOTE(review): the original does not say how the other entry points behave
 * when this is false; presumably verification is skipped, so a false here
 * deserves the same caution as AVB_ATX_UNLOCKED — confirm.
 */
bool zircon_is_vboot_enabled(void);
/* libavb_atx AvbAtxOps callback: fills |hash| with the SHA-256 hash of the
 * device's permanent attributes.
 *
 * NOTE(review): this hash is the ATX root of trust — the product root key in
 * the permanent attributes is only trusted because its hash matches what this
 * returns. It must therefore be read from tamper-resistant storage (fuses, RPMB
 * or similar), never from a rewritable partition; confirm where the
 * implementation sources it.
 *
 * @atx_ops: the ops table this callback was installed in.
 * @hash: output buffer of AVB_SHA256_DIGEST_SIZE bytes.
 *
 * Return: an AvbIOResult; presumably AVB_IO_RESULT_OK on success and another
 * code on failure, as for other libavb I/O callbacks.
 */
AvbIOResult
avb_read_permanent_attributes_hash(AvbAtxOps *atx_ops,
uint8_t hash[AVB_SHA256_DIGEST_SIZE]);
/* Unlocks verified boot, allowing unsigned Zircon images to boot.
 *
 * Since we lack the VX TA on this board, we can't easily disable sensitive
 * TA operations (e.g. zxcrypt key access), so instead BL31 will disable OP-TEE
 * SMC calls until reboot. This will likely cause some runtime errors in
 * Fuchsia, but should be fine for loading a simple diagnostic image.
 *
 * Re-locking is not supported; once OP-TEE routing has been disabled the
 * device must be rebooted to return to normal operation.
 *
 * Precondition: the calling code MUST have successfully authenticated an
 * unlock token before calling this — i.e.
 * zircon_vboot_validate_unlock_credential() returned 0 with
 * *out_is_trusted == true. This function presumably performs no
 * authentication of its own, so reaching it on any other path is a
 * verified-boot bypass.
 *
 * NOTE(review): disabling the SMC path is the only thing keeping device
 * secrets away from an unsigned image here, so a non-zero return must be
 * treated as "still locked": do not go on to boot an unverified image if this
 * step fails.
 *
 * Returns 0 on success; presumably non-zero on failure (the original only
 * documents the success value).
 */
int zircon_vboot_unlock(void);
#endif // _ZIRCON_VBOOT_H_