aboutsummaryrefslogblamecommitdiff
path: root/ks_token.c
blob: cc25ca5f61631fe983eb3061daa102a7f6aeb74d (plain) (tree)
1
2
3
4
5
6
7
  
             


                                           
                                       
                                                             



























                                                                           








                                                                          



                   

                         
               

                                   
 

                          

             

                             

      
                                                       
 




                     
                                                                                  


                                  







                                                                    
 



                                                                         
 

                                         
  
                                                            

   
                                                              
 
                                           
 
 
  

                      

                                                                   
   
 
                                                                                        
 
                                                                                                                      
                                
 
                                        


                                                  
                                     
 
                                  

                                
                  

                             
          




                                             

                                     
          
          
                                             
   






                                                                    



                                                      
 
 
  


                                                                      

   
                                                                          
 
                                                        
                                
 

                                               
                                             



                                                          
 
                                                       

                                        
                                                           
                                     

                

 
  
                                                                     

   
                                                                     
 
                                                        

                                
                                         
 
                                        
                                                                          

                                     



                
                                                                

   
                                                                      
 
                                                        
                                
 
                                        
                                             


                                     


  
                                                        
                                                          




                                                                      
   
 
                                                                            
 
                                                        

                                

                      
                                                                                                          





                                                       
 
                                                         


  


                                                         
                                                                                         
 
                                                                                                                      

                                
                                                  




                                  

                             













                                                                                    
                                                                                 

   
                                                   


                                                                      
 

                
 
                                                          




                                                                       


  


                     
                                                                    

  
                       

   
                                                               
 


                                



                           
                                                                                                         
              
 
                                               
              

    


                                   


                                                   
 


                                      


                                         


                                          
              








                                                                      
 


                                        
 

                                                          
 


                                                             
 
                                                                    
                


                              
                                   



                         
                

   




                  

 
  




















                                                                      


                                                                         

   
  










                                                                      
                      
 

                
                                          
                                                                                            

                  
                                                            


            
                                                                                     






                                             


                                       

                  


  




                                                                    
 
                  

                                   



                           
                 


                                                      
                                                       
   
 


                  
 
 
  

                                                                     
   
 
                                                                   
 
                    
                                

                  

               
 


                

                                                                               
               
 
                              
 
                                                      
                                
 




                                                                     


                                                                      
   
 
                                                     
                                                      

                                                                             
                                                                                             
                                
 
               
 
                         
 
                                                     

 





                                                       
 
                  

                                   
                    

                  
 

                
                                                    
              
 

                                          
 
                 


                                                                             
                                                                  
   
 

                                   
 

                                                              
 

                  
             

 
                               
 


                                                             




                                                                     





                                                                      
                                                                      
 
                                       
                                          
 
                    

                  
 
                                                    
               
 
                                          
                                       
 
                  

                                     






                                                               

                  

 
                                                                            
 
                  

                                   

                                          
 
                    


                  

                
                                                    
              
 
                                          
 

                                   
 




                                              
 
 




                                                 
                    

                  
 

                
                                                    
              





                                          




                                              

 

                                        
 




                        
/*
 * ks_token.c
 * ----------
 * Keystore implementation in flash memory.
 *
 * Authors: Rob Austein, Fredrik Thulin
 * Copyright (c) 2015-2017, NORDUnet A/S All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions are
 * met:
 * - Redistributions of source code must retain the above copyright notice,
 *   this list of conditions and the following disclaimer.
 *
 * - Redistributions in binary form must reproduce the above copyright
 *   notice, this list of conditions and the following disclaimer in the
 *   documentation and/or other materials provided with the distribution.
 *
 * - Neither the name of the NORDUnet nor the names of its contributors may
 *   be used to endorse or promote products derived from this software
 *   without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
 * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
 * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This keystore driver operates over bare flash, versus over a flash file
 * system or flash translation layer. The block size is large enough to
 * hold an AES-keywrapped 4096-bit RSA key. Any remaining space in the key
 * block may be used to store attributes (opaque TLV blobs). If the
 * attributes overflow the key block, additional blocks may be added, but
 * no attribute may exceed the block size.
 */

#include <stddef.h>
#include <string.h>
#include <assert.h>

#include "hal.h"
#include "hal_internal.h"
#include "ks.h"

#include "last_gasp_pin_internal.h"

#define HAL_OK CMIS_HAL_OK
#include "stm-keystore.h"
#undef HAL_OK

#ifndef KS_TOKEN_CACHE_SIZE
#define KS_TOKEN_CACHE_SIZE 4
#endif

#define NUM_FLASH_BLOCKS        KEYSTORE_NUM_SUBSECTORS

/*
 * Keystore database.
 */

typedef struct {
  hal_ks_t              ks;                  /* Must be first (C "subclassing") */
  hal_ks_pin_t          wheel_pin;
  hal_ks_pin_t          so_pin;
  hal_ks_pin_t          user_pin;
} ks_token_db_t;

/*
 * This is a bit silly, but it's safe enough, and it lets us avoid a
 * nasty mess of forward references.
 */

#define db      ((ks_token_db_t * const) hal_ks_token)

/*
 * PIN block gets the all-zeros UUID, which will never be returned by
 * the UUID generation code (by definition -- it's not a version 4 UUID).
 */

const static hal_uuid_t pin_uuid = {{0}};

/*
 * Calculate offset of the block in the flash address space.
 */

static inline uint32_t ks_token_offset(const unsigned blockno)
{
  return blockno * KEYSTORE_SUBSECTOR_SIZE;
}

/*
 * Read a flash block.
 *
 * Flash read on the Alpha is slow enough that it pays to check the
 * first page before reading the rest of the block.
 */

static hal_error_t ks_token_read(hal_k_t *ks, const unsigned blockno, ks_block_t *block)
{
  if (ks != hal_ks_token || block == NULL || blockno >= NUM_FLASH_BLOCKS || sizeof(*block) != KEYSTORE_SUBSECTOR_SIZE)
    return HAL_ERROR_IMPOSSIBLE;

  /* Sigh, magic numeric return codes */
  if (keystore_read_data(block_offset(blockno),
                         block->bytes,
                         KEYSTORE_PAGE_SIZE) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  switch (block_get_type(block)) {
  case HAL_KS_BLOCK_TYPE_ERASED:
  case HAL_KS_BLOCK_TYPE_ZEROED:
    return HAL_OK;
  case HAL_KS_BLOCK_TYPE_KEY:
  case HAL_KS_BLOCK_TYPE_PIN:
    break;
  default:
    return HAL_ERROR_KEYSTORE_BAD_BLOCK_TYPE;
  }

  switch (block_get_status(block)) {
  case HAL_KS_BLOCK_STATUS_LIVE:
  case HAL_KS_BLOCK_STATUS_TOMBSTONE:
    break;
  default:
    return HAL_ERROR_KEYSTORE_BAD_BLOCK_TYPE;
  }

  /* Sigh, magic numeric return codes */
  if (keystore_read_data(block_offset(blockno) + KEYSTORE_PAGE_SIZE,
                         block->bytes + KEYSTORE_PAGE_SIZE,
                         sizeof(*block) - KEYSTORE_PAGE_SIZE) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  if (calculate_block_crc(block) != block->header.crc)
    return HAL_ERROR_KEYSTORE_BAD_CRC;

  return HAL_OK;
}

/*
 * Convert a live block into a tombstone.  Caller is responsible for
 * making sure that the block being converted is valid; since we don't
 * need to update the CRC for this, we just modify the first page.
 */

static hal_error_t ks_token_deprecate(hal_k_t *ks, const unsigned blockno)
{
  if (ks != hal_ks_token || blockno >= NUM_FLASH_BLOCKS)
    return HAL_ERROR_IMPOSSIBLE;

  uint8_t page[KEYSTORE_PAGE_SIZE];
  flash_block_header_t *header = (void *) page;
  uint32_t offset = ks_token_offset(blockno);

  /* Sigh, magic numeric return codes */
  if (keystore_read_data(offset, page, sizeof(page)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  header->block_status = HAL_KS_BLOCK_STATUS_TOMBSTONE;

  /* Sigh, magic numeric return codes */
  if (keystore_write_data(offset, page, sizeof(page)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  return HAL_OK;
}

/*
 * Zero (not erase) a flash block.  Just need to zero the first page.
 */

static hal_error_t ks_token_zero(hal_k_t *ks, const unsigned blockno)
{
  if (ks != hal_ks_token || blockno >= NUM_FLASH_BLOCKS)
    return HAL_ERROR_IMPOSSIBLE;

  uint8_t page[KEYSTORE_PAGE_SIZE] = {0};

  /* Sigh, magic numeric return codes */
  if (keystore_write_data(block_offset(blockno), page, sizeof(page)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  return HAL_OK;
}

/*
 * Erase a flash block.  Also see ks_token_erase_maybe(), below.
 */

static hal_error_t ks_token_erase(hal_k_t *ks, const unsigned blockno)
{
  if (ks != hal_ks_token || blockno >= NUM_FLASH_BLOCKS)
    return HAL_ERROR_IMPOSSIBLE;

  /* Sigh, magic numeric return codes */
  if (keystore_erase_subsector(blockno) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  return HAL_OK;
}

/*
 * Erase a flash block if it hasn't already been erased.
 * May not be necessary, trying to avoid unnecessary wear.
 *
 * Unclear whether there's any sane reason why this needs to be
 * constant time, given how slow erasure is.  But side channel attacks
 * can be tricky things, and it's theoretically possible that we could
 * leak information about, eg, key length, so we do constant time.
 */

static hal_error_t ks_token_erase_maybe(hal_k_t *ks, const unsigned blockno)
{
  if (ks != hal_ks_token || blockno >= NUM_FLASH_BLOCKS)
    return HAL_ERROR_IMPOSSIBLE;

  uint8_t mask = 0xFF;

  for (uint32_t a = ks_token_offset(blockno); a < ks_token_offset(blockno + 1); a += KEYSTORE_PAGE_SIZE) {
    uint8_t page[KEYSTORE_PAGE_SIZE];
    if (keystore_read_data(a, page, sizeof(page)) != 1)
      return HAL_ERROR_KEYSTORE_ACCESS;
    for (int i = 0; i < KEYSTORE_PAGE_SIZE; i++)
      mask &= page[i];
  }

  return mask == 0xFF ? HAL_OK : ks_token_erase(blockno);
}

/*
 * Write a flash block, calculating CRC when appropriate.
 */

static hal_error_t ks_token_write(hal_k_t *ks, const unsigned blockno, ks_block_t *block)
{
  if (ks != hal_ks_token || block == NULL || blockno >= NUM_FLASH_BLOCKS || sizeof(*block) != KEYSTORE_SUBSECTOR_SIZE)
    return HAL_ERROR_IMPOSSIBLE;

  hal_error_t err = ks_token_erase_maybe(blockno);

  if (err != HAL_OK)
    return err;

  switch (block_get_type(block)) {
  case HAL_KS_BLOCK_TYPE_KEY:
  case HAL_KS_BLOCK_TYPE_PIN:
    block->header.crc = calculate_block_crc(block);
    break;
  default:
    break;
  }

  /* Sigh, magic numeric return codes */
  if (keystore_write_data(block_offset(blockno), block->bytes, sizeof(*block)) != 1)
    return HAL_ERROR_KEYSTORE_ACCESS;

  return HAL_OK;
}

/*
 * The token keystore doesn't implement per-session objects, so these are no-ops.
 */

static hal_error_t ks_token_set_owner(hal_ks_t *ks,
                                   const unsigned blockno,
                                   const hal_client_handle_t client,
                                   const hal_session_handle_t session)
{
  return HAL_OK;
}

static hal_error_t ks_token_test_owner(hal_ks_t *ks, const
                                    unsigned blockno,
                                    const hal_client_handle_t client,
                                    const hal_session_handle_t session)
{
  return HAL_OK;
}

/*
 * Forward reference.
 */

static hal_error_t fetch_pin_block(unsigned *b, ks_block_t **block);

/*
 * Initialize keystore.
 */

static hal_error_t ks_token_init(hal_ks_t *ks, const int alloc)
{
  if (ks != hal_ks_token)
    return HAL_ERROR_IMPOSSIBLE;

  hal_error_t err = HAL_OK;

  hal_ks_lock();

  if (alloc && (err = hal_ks_alloc_common(ks, NUM_FLASH_BLOCKS, KS_TOKEN_CACHE_SIZE, NULL, 0)) != HAL_OK)
    goto done;

  if ((err = hal_ks_init_common(ks)) != HAL_OK)
    goto done;

  /*
   * Fetch or create the PIN block.
   */

  memset(&db->wheel_pin, 0, sizeof(db->wheel_pin));
  memset(&db->so_pin,    0, sizeof(db->so_pin));
  memset(&db->user_pin,  0, sizeof(db->user_pin));

  err = fetch_pin_block(NULL, &block);

  if (err == HAL_OK) {
    db->wheel_pin = block->pin.wheel_pin;
    db->so_pin    = block->pin.so_pin;
    db->user_pin  = block->pin.user_pin;
  }

  else if (err != HAL_ERROR_KEY_NOT_FOUND)
    goto done;

  else {
    /*
     * We found no PIN block, so create one, with the user and so PINs
     * cleared and the wheel PIN set to the last-gasp value.  The
     * last-gasp WHEEL PIN is a terrible answer, but we need some kind
     * of bootstrapping mechanism when all else fails.  If you have a
     * better suggestion, we'd love to hear it.
     */

    unsigned b;

    memset(block, 0xFF, sizeof(*block));

    block->header.block_type   = HAL_KS_BLOCK_TYPE_PIN;
    block->header.block_status = HAL_KS_BLOCK_STATUS_LIVE;

    block->pin.wheel_pin = db->wheel_pin = hal_last_gasp_pin;
    block->pin.so_pin    = db->so_pin;
    block->pin.user_pin  = db->user_pin;

    if ((err = hal_ks_index_add(ks, &pin_uuid, &b, NULL)) != HAL_OK)
      goto done;

    cache_mark_used(block, b);

    err = ks_token_write(b, block);

    cache_release(block);

    if (err != HAL_OK)
      goto done;
  }

  err = HAL_OK;

 done:
  hal_ks_unlock();
  return err;
}

/*
 * Dispatch vector and keystore definition, now that we've defined all
 * the driver functions.
 */

static const hal_ks_driver_t ks_token_driver = {
  .init                 = ks_token_init,
  .read               	= ks_token_read,
  .write                = ks_token_write,
  .deprecate		= ks_token_deprecate,
  .zero                 = ks_token_zero,
  .erase                = ks_token_erase,
  .erase_maybe		= ks_token_erase_maybe,
  .set_owner            = ks_token_set_owner,
  .test_owner           = ks_token_test_owner
};

static ks_token_db_t _db = { .ks.driver = &ks_token_driver };

hal_ks_t * const hal_ks_token = &_db.ks;

/*
 * The remaining functions aren't really part of the keystore API per se,
 * but they all involve non-key data which we keep in the keystore
 * because it's the flash we've got.
 */

/*
 * Special bonus init routine used only by the bootloader, so that it
 * can read PINs set by the main firmware.  Yes, this is a kludge.  We
 * could of course call the real ks_init() routine instead, but it's
 * slow, and we don't want to allow anything that would modify the
 * flash here, so having a special entry point for this kludge is
 * simplest, overall.  Sigh.
 */

void hal_ks_init_read_only_pins_only(void)
{
  unsigned b, best_seen = ~0;
  ks_block_t block[1];

  hal_ks_lock();

  for (b = 0; b < NUM_FLASH_BLOCKS; b++) {
    if (block_read(b, block) != HAL_OK || ks_token_get_type(block) != HAL_KS_BLOCK_TYPE_PIN)
      continue;
    best_seen = b;
    if (block_get_status(block) == HAL_KS_BLOCK_STATUS_LIVE)
      break;
  }

  if (b != best_seen && best_seen != ~0 && ks_token_read(best_seen, block) != HAL_OK)
    best_seen = ~0;

  if (best_seen == ~0) {
    memset(block, 0xFF, sizeof(*block));
    block->pin.wheel_pin = hal_last_gasp_pin;
  }

  db->wheel_pin = block->pin.wheel_pin;
  db->so_pin    = block->pin.so_pin;
  db->user_pin  = block->pin.user_pin;

  hal_ks_unlock();
}

/*
 * Fetch PIN.  This is always cached, so just returned cached value.
 */

hal_error_t hal_get_pin(const hal_user_t user,
                        const hal_ks_pin_t **pin)
{
  if (pin == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  hal_error_t err = HAL_OK;

  hal_ks_lock();

  switch (user) {
  case HAL_USER_WHEEL:  *pin = &db->wheel_pin;  break;
  case HAL_USER_SO:     *pin = &db->so_pin;     break;
  case HAL_USER_NORMAL: *pin = &db->user_pin;   break;
  default:               err = HAL_ERROR_BAD_ARGUMENTS;
  }

  hal_ks_unlock();

  return err;
}

/*
 * Fetch PIN block.  hint = 0 because we know that the all-zeros UUID
 * should always sort to first slot in the index.
 */

static hal_error_t fetch_pin_block(unsigned *b, ks_block_t **block)
{
  if (block == NULL)
    return HAL_ERROR_IMPOSSIBLE;

  hal_error_t err;
  int hint = 0;
  unsigned b_;

  if (b == NULL)
    b = &b_;

  if ((err = hal_ks_index_find(hal_ks_token, &pin_uuid, b, &hint)) != HAL_OK ||
      (err = ks_token_read_cached(*b, block))                      != HAL_OK)
    return err;

  cache_mark_used(*block, *b);

  if (block_get_type(*block) != HAL_KS_BLOCK_TYPE_PIN)
    return HAL_ERROR_IMPOSSIBLE;

  return HAL_OK;
}

/*
 * Update the PIN block.  This block should always be present, but we
 * have to do the zombie jamboree to make sure we write the new PIN
 * block before destroying the old one.  hint = 0 because we know that
 * the all-zeros UUID should always sort to first slot in the index.
 */

static hal_error_t update_pin_block(const unsigned b,
                                    ks_block_t *block,
                                    const flash_pin_block_t * const new_data)
{
  if (block == NULL || new_data == NULL || ks_token_get_type(block) != HAL_KS_BLOCK_TYPE_PIN)
    return HAL_ERROR_IMPOSSIBLE;

  int hint = 0;

  block->pin = *new_data;

  return ks_token_update(b, block, &pin_uuid, &hint);
}

/*
 * Change a PIN.
 */

hal_error_t hal_set_pin(const hal_user_t user,
                        const hal_ks_pin_t * const pin)
{
  if (pin == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  ks_block_t *block;
  hal_error_t err;
  unsigned b;

  hal_ks_lock();

  if ((err = fetch_pin_block(&b, &block)) != HAL_OK)
    goto done;

  flash_pin_block_t new_data = block->pin;
  hal_ks_pin_t *dp, *bp;

  switch (user) {
  case HAL_USER_WHEEL:  bp = &new_data.wheel_pin; dp = &db->wheel_pin; break;
  case HAL_USER_SO:     bp = &new_data.so_pin;    dp = &db->so_pin;    break;
  case HAL_USER_NORMAL: bp = &new_data.user_pin;  dp = &db->user_pin;  break;
  default:              err = HAL_ERROR_BAD_ARGUMENTS;  goto done;
  }

  const hal_ks_pin_t old_pin = *dp;
  *dp = *bp = *pin;

  if ((err = update_pin_block(b, block, &new_data)) != HAL_OK)
    *dp = old_pin;

 done:
  hal_ks_unlock();
  return err;
}

#if HAL_MKM_FLASH_BACKUP_KLUDGE

/*
 * Horrible insecure kludge in lieu of a battery for the MKM.
 *
 * API here is a little strange: all calls pass a length parameter,
 * but any length other than the compiled in constant just returns an
 * immediate error, there's no notion of buffer max length vs buffer
 * used length, querying for the size of buffer really needed, or
 * anything like that.
 *
 * We might want to rewrite this some day, if we don't replace it with
 * a battery first.  For now we just preserve the API as we found it
 * while re-implementing it on top of the new keystore.
 */

hal_error_t hal_mkm_flash_read_no_lock(uint8_t *buf, const size_t len)
{
  if (buf != NULL && len != KEK_LENGTH)
    return HAL_ERROR_MASTERKEY_BAD_LENGTH;

  ks_block_t *block;
  hal_error_t err;
  unsigned b;

  if ((err = fetch_pin_block(&b, &block)) != HAL_OK)
    return err;

  if (block->pin.kek_set != FLASH_KEK_SET)
    return HAL_ERROR_MASTERKEY_NOT_SET;

  if (buf != NULL)
    memcpy(buf, block->pin.kek, len);

  return HAL_OK;
}

hal_error_t hal_mkm_flash_read(uint8_t *buf, const size_t len)
{
  hal_ks_lock();
  const hal_error_t err = hal_mkm_flash_read_no_lock(buf, len);
  hal_ks_unlock();
  return err;
}

hal_error_t hal_mkm_flash_write(const uint8_t * const buf, const size_t len)
{
  if (buf == NULL)
    return HAL_ERROR_BAD_ARGUMENTS;

  if (len != KEK_LENGTH)
    return HAL_ERROR_MASTERKEY_BAD_LENGTH;

  ks_block_t *block;
  hal_error_t err;
  unsigned b;

  hal_ks_lock();

  if ((err = fetch_pin_block(&b, &block)) != HAL_OK)
    goto done;

  flash_pin_block_t new_data = block->pin;

  new_data.kek_set = FLASH_KEK_SET;
  memcpy(new_data.kek, buf, len);

  err = update_pin_block(b, block, &new_data);

 done:
  hal_ks_unlock();
  return err;
}

hal_error_t hal_mkm_flash_erase(const size_t len)
{
  if (len != KEK_LENGTH)
    return HAL_ERROR_MASTERKEY_BAD_LENGTH;

  ks_block_t *block;
  hal_error_t err;
  unsigned b;

  hal_ks_lock();

  if ((err = fetch_pin_block(&b, &block)) != HAL_OK)
    goto done;

  flash_pin_block_t new_data = block->pin;

  new_data.kek_set = FLASH_KEK_SET;
  memset(new_data.kek, 0, len);

  err = update_pin_block(b, block, &new_data);

 done:
  hal_ks_unlock();
  return err;
}

#endif /* HAL_MKM_FLASH_BACKUP_KLUDGE */


/*
 * Local variables:
 * indent-tabs-mode: nil
 * End:
 */