1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
|
/* Copyright 2017 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#ifndef __CROS_EC_RWSIG_H
#define __CROS_EC_RWSIG_H
#include "config.h"
#include "rsa.h"
#ifndef __ASSEMBLER__
#ifdef HAS_TASK_RWSIG
/* The functions below only make sense if RWSIG task is defined. */
/* Current status of RW signature verification */
enum rwsig_status {
RWSIG_UNKNOWN = 0, /* Unknown/not started */
RWSIG_IN_PROGRESS,
RWSIG_VALID,
RWSIG_INVALID,
RWSIG_ABORTED,
};
/* Returns current rwsig verification status. */
enum rwsig_status rwsig_get_status(void);
/*
* Aborts current verification, also prevents RWSIG task from automatically
* jumping to RW.
* This is used by usb_updater when a RW update is required, giving it enough
* time to actually perform the update.
*/
void rwsig_abort(void);
/*
* Tells RWSIG task to jump to RW immediately, if the signature is correct.
* This is used by usb_updater when no RW update is required, to speed up
* boot time.
*/
void rwsig_continue(void);
#else /* !HAS_TASK_RWSIG */
/* These functions can only be called directly if RWSIG task is not defined. */
/* Checks RW signature. Returns a boolean indicating success. */
int rwsig_check_signature(void);
/* Jumps to RW, if signature is fine, returns on error (otherwise, jumps). */
void rwsig_jump_now(void);
#endif
#endif /* !__ASSEMBLER__ */
/*
* The signer puts the public key and signature into the RO and RW images
* (respectively) at known locations after the complete image is assembled. But
* since we compile the RO & RW images separately, the other image's addresses
* can't be computed by the linker. So we just hardcode the addresses here.
* These can be overridden in board.h files if desired.
*/
#ifndef CONFIG_RO_PUBKEY_SIZE
#ifdef CONFIG_RWSIG_TYPE_RWSIG
/*
* rwsig type: 1024 bytes is enough to fit RSA-3072 public key.
*
* TODO(crosbug.com/p/62321): This still wastes space. We could pack the key at
* any arbitrary location, but we need proper signer support to make sure it
* can overwrite the key correctly.
*/
#define CONFIG_RO_PUBKEY_SIZE 1024
#else
#define CONFIG_RO_PUBKEY_SIZE RSA_PUBLIC_KEY_SIZE
#endif
#endif /* ! CONFIG_RO_PUBKEY_SIZE */
#ifndef CONFIG_RO_PUBKEY_ADDR
#ifdef CONFIG_RWSIG_TYPE_RWSIG
/* The pubkey goes at the end of the RO region */
#define CONFIG_RO_PUBKEY_ADDR (CONFIG_PROGRAM_MEMORY_BASE \
+ CONFIG_RO_MEM_OFF \
+ CONFIG_RO_SIZE \
- CONFIG_RO_PUBKEY_SIZE)
#else
/*
* usbpd1 type assumes pubkey location at the end of first half of flash,
* which might actually be in the PSTATE region.
*/
#define CONFIG_RO_PUBKEY_ADDR (CONFIG_PROGRAM_MEMORY_BASE \
+ (CONFIG_FLASH_SIZE / 2) \
- CONFIG_RO_PUBKEY_SIZE)
#endif
#endif /* CONFIG_RO_PUBKEY_ADDR */
#ifndef CONFIG_RW_SIG_SIZE
#ifdef CONFIG_RWSIG_TYPE_RWSIG
/*
* rwsig type: futility expects signature to be 1024 bytes from the end of
* the file.
*/
#define CONFIG_RW_SIG_SIZE 1024
#else
#define CONFIG_RW_SIG_SIZE RSANUMBYTES
#endif
#endif /* ! CONFIG_RW_SIG_SIZE */
#ifndef CONFIG_RW_SIG_ADDR
/* The signature goes at the end of the RW region */
#define CONFIG_RW_SIG_ADDR (CONFIG_PROGRAM_MEMORY_BASE \
+ CONFIG_RW_MEM_OFF \
+ CONFIG_RW_SIZE \
- CONFIG_RW_SIG_SIZE)
#endif /* !CONFIG_RW_SIG_ADDR */
#endif /* __CROS_EC_RWSIG_H */
|
