1
0
forked from brl/citadel-tools

386 lines
11 KiB
Rust

use std::cell::RefCell;
use std::fs::File;
use std::io::{Read, Write};
use std::path::Path;
use failure::ResultExt;
use toml;
use blockdev::AlignedBuffer;
use {BlockDev, Channel, Config, Result};
/// Expected magic value in header
const MAGIC: &[u8] = b"SGOS";
/// Offset into header of the start of the metainfo document
const METAINFO_OFFSET: usize = 8;
/// Signature is 64 bytes long
const SIGNATURE_LENGTH: usize = 64;
/// Maximum amount of space in block for metainfo document
const MAX_METAINFO_LEN: usize = (ImageHeader::HEADER_SIZE - (METAINFO_OFFSET + SIGNATURE_LENGTH));
fn is_valid_status_code(code: u8) -> bool {
code <= ImageHeader::STATUS_BAD_META
}
///
/// The Image Header structure is stored in a 4096 byte block at the start of
/// every resource image file. When an image is installed to a partition it
/// is stored at the last 4096 byte block of the block device for the partition.
///
/// The layout of this structure is the following:
///
/// field size (bytes) offset
/// ----- ------------ ------
///
/// magic 4 0
/// status 1 4
/// flags 1 5
/// length 2 6
///
/// metainfo <length> 8
///
/// signature 64 8 + length
///
/// magic : Must match ascii bytes 'SGOS' for the header to be considered valid
///
/// status : One of the `STATUS` constants defined below
///
/// flags : May contain 'FLAG' values defined below.
///
/// length : The size of the metainfo field in bytes as a 16-bit Big Endian value
///
/// metainfo : A utf-8 encoded TOML document with various fields describing the image
///
/// signature : ed25519 signature over the bytes of the metainfo field
///
#[derive(Clone)]
pub struct ImageHeader(RefCell<Vec<u8>>);
const CODE_TO_LABEL: [&str; 7] = [
"Invalid",
"New",
"Try Boot",
"Good",
"Failed Boot",
"Bad Signature",
"Bad Metainfo",
];
impl ImageHeader {
pub const FLAG_PREFER_BOOT: u8 = 0x01; // Set to override usual strategy for choosing a partition to boot and force this one.
pub const FLAG_HASH_TREE: u8 = 0x02; // dm-verity hash tree data is appended to the image
pub const FLAG_DATA_COMPRESSED: u8 = 0x04; // The image data is compressed and needs to be uncompressed before use.
pub const STATUS_INVALID: u8 = 0; // Set on partition before writing a new rootfs disk image
pub const STATUS_NEW: u8 = 1; // Set on partition after write of new rootfs disk image completes successfully
pub const STATUS_TRY_BOOT: u8 = 2; // Set on boot selected partition if in `STATUS_NEW` state.
pub const STATUS_GOOD: u8 = 3; // Set on boot when a `STATUS_TRY_BOOT` partition successfully launches desktop
pub const STATUS_FAILED: u8 = 4; // Set on boot for any partition in state `STATUS_TRY_BOOT`
pub const STATUS_BAD_SIG: u8 = 5; // Set on boot selected partition when signature fails to verify
pub const STATUS_BAD_META: u8 = 6; // Set on partition when metainfo cannot be parsed
/// Size of header block
pub const HEADER_SIZE: usize = 4096;
pub fn new() -> ImageHeader {
let v = vec![0u8; ImageHeader::HEADER_SIZE];
let header = ImageHeader(RefCell::new(v));
header.write_bytes(0, MAGIC);
header
}
pub fn from_file<P: AsRef<Path>>(path: P) -> Result<ImageHeader> {
// XXX check file size is at least HEADER_SIZE
let mut f = File::open(path.as_ref())?;
ImageHeader::from_reader(&mut f)
}
pub fn from_reader<R: Read>(r: &mut R) -> Result<ImageHeader> {
let mut v = vec![0u8; ImageHeader::HEADER_SIZE];
r.read_exact(&mut v)?;
Ok(ImageHeader(RefCell::new(v)))
}
pub fn from_partition<P: AsRef<Path>>(path: P) -> Result<ImageHeader> {
let mut dev = BlockDev::open_ro(path.as_ref())?;
let nsectors = dev.nsectors()?;
ensure!(
nsectors >= 8,
"{} is a block device bit it's too short ({} sectors)",
path.as_ref().display(),
nsectors
);
let mut buffer = AlignedBuffer::new(ImageHeader::HEADER_SIZE);
dev.read_sectors(nsectors - 8, buffer.as_mut())?;
let header = ImageHeader(RefCell::new(buffer.as_ref().into()));
Ok(header)
}
pub fn write_partition<P: AsRef<Path>>(&self, path: P) -> Result<()> {
let mut dev = BlockDev::open_rw(path.as_ref())?;
let nsectors = dev.nsectors()?;
ensure!(
nsectors >= 8,
"{} is a block device bit it's too short ({} sectors)",
path.as_ref().display(),
nsectors
);
let buffer = AlignedBuffer::from_slice(&self.0.borrow());
dev.write_sectors(nsectors - 8, buffer.as_ref())?;
Ok(())
}
pub fn metainfo(&self) -> Result<MetaInfo> {
let mlen = self.metainfo_len();
if mlen == 0 || mlen > MAX_METAINFO_LEN {
bail!("Invalid metainfo-len field: {}", mlen);
}
let mbytes = self.metainfo_bytes();
let mut metainfo = MetaInfo::new(mbytes);
metainfo.parse_toml()?;
Ok(metainfo)
}
pub fn is_magic_valid(&self) -> bool {
self.read_bytes(0, 4) == MAGIC
}
pub fn status(&self) -> u8 {
self.read_u8(4)
}
pub fn set_status(&self, status: u8) {
self.write_u8(4, status);
}
pub fn status_code_label(&self) -> String {
let code = self.status();
if is_valid_status_code(code) {
CODE_TO_LABEL[code as usize].to_string()
} else {
format!("Invalid status code: {}", code)
}
}
pub fn flags(&self) -> u8 {
self.read_u8(5)
}
pub fn has_flag(&self, flag: u8) -> bool {
(self.flags() & flag) == flag
}
/// Return `true` if flag value changed
pub fn set_flag(&self, flag: u8) -> bool {
self.change_flag(flag, true)
}
pub fn clear_flag(&self, flag: u8) -> bool {
self.change_flag(flag, false)
}
fn change_flag(&self, flag: u8, set: bool) -> bool {
let old = self.flags();
let new = if set { old | flag } else { old & !flag };
self.write_u8(5, new);
old == new
}
pub fn metainfo_len(&self) -> usize {
self.read_u16(6) as usize
}
pub fn set_metainfo_len(&self, len: usize) {
self.write_u16(6, len as u16);
}
pub fn set_metainfo_bytes(&self, bytes: &[u8]) {
self.set_metainfo_len(bytes.len());
self.write_bytes(8, bytes);
}
pub fn metainfo_bytes(&self) -> Vec<u8> {
let mlen = self.metainfo_len();
assert!(mlen > 0 && mlen < MAX_METAINFO_LEN);
self.read_bytes(METAINFO_OFFSET, mlen)
}
pub fn signature(&self) -> Vec<u8> {
let mlen = self.metainfo_len();
assert!(mlen > 0 && mlen < MAX_METAINFO_LEN);
self.read_bytes(METAINFO_OFFSET + mlen, SIGNATURE_LENGTH)
}
pub fn sign_metainfo(&self, channel: &Channel) -> Result<()> {
let mlen = self.metainfo_len();
// XXX assert mlen is good
let sig = channel.sign(&self.0.borrow()[8..8 + mlen])?;
self.write_bytes(8 + mlen, sig.to_bytes());
Ok(())
}
pub fn verify_signature(&self, config: &Config) -> Result<()> {
let metainfo = self.metainfo()?;
let channel = match config.channel(metainfo.channel()) {
Some(channel) => channel,
None => bail!("Cannot verify signature for channel '{}' because it does not exist in configuration file", metainfo.channel()),
};
channel
.verify(metainfo.bytes(), &self.signature())
.context("failed to verify header signature")?;
Ok(())
}
pub fn write_header<W: Write>(&self, mut writer: W) -> Result<()> {
writer.write_all(&self.0.borrow())?;
Ok(())
}
pub fn clear(&self) {
for b in &mut self.0.borrow_mut()[..] {
*b = 0;
}
self.write_bytes(0, MAGIC);
}
fn read_u8(&self, idx: usize) -> u8 {
self.0.borrow()[idx]
}
fn read_u16(&self, idx: usize) -> u16 {
let hi = self.read_u8(idx) as u16;
let lo = self.read_u8(idx + 1) as u16;
(hi << 8) | lo
}
fn write_u8(&self, idx: usize, val: u8) {
self.0.borrow_mut()[idx] = val;
}
fn write_u16(&self, idx: usize, val: u16) {
let hi = (val >> 8) as u8;
let lo = val as u8;
self.write_u8(idx, hi);
self.write_u8(idx + 1, lo);
}
fn write_bytes(&self, offset: usize, data: &[u8]) {
self.0.borrow_mut()[offset..offset + data.len()].copy_from_slice(data)
}
fn read_bytes(&self, offset: usize, len: usize) -> Vec<u8> {
Vec::from(&self.0.borrow()[offset..offset + len])
}
}
#[derive(Clone)]
pub struct MetaInfo {
bytes: Vec<u8>,
is_parsed: bool,
toml: Option<MetaInfoToml>,
}
#[derive(Deserialize, Serialize, Clone)]
struct MetaInfoToml {
#[serde(rename = "image-type")]
image_type: String,
channel: String,
#[serde(rename = "kernel-version")]
kernel_version: Option<String>,
version: u32,
#[serde(rename = "base-version")]
base_version: Option<u32>,
date: Option<String>,
gitrev: Option<String>,
nblocks: u32,
shasum: String,
#[serde(rename = "verity-salt")]
verity_salt: String,
#[serde(rename = "verity-root")]
verity_root: String,
}
impl MetaInfo {
fn new(bytes: Vec<u8>) -> MetaInfo {
MetaInfo {
bytes,
is_parsed: false,
toml: None,
}
}
fn bytes(&self) -> &[u8] {
&self.bytes
}
pub fn parse_toml(&mut self) -> Result<()> {
if !self.is_parsed {
self.is_parsed = true;
let toml =
toml::from_slice::<MetaInfoToml>(&self.bytes).context("parsing header metainfo")?;
self.toml = Some(toml);
}
Ok(())
}
pub fn verify(&self, config: &Config, signature: &[u8]) -> Result<()> {
let channel = match config.channel(self.channel()) {
Some(channel) => channel,
None => bail!("Channel '{}' not found in config file", self.channel()),
};
channel
.verify(&self.bytes, signature)
.context("Bad metainfo signature in header")?;
Ok(())
}
fn toml(&self) -> &MetaInfoToml {
self.toml.as_ref().unwrap()
}
pub fn image_type(&self) -> &str {
self.toml().image_type.as_str()
}
pub fn channel(&self) -> &str {
self.toml().channel.as_str()
}
pub fn kernel_version(&self) -> Option<&str> { self.toml().kernel_version.as_ref().map(|s| s.as_str()) }
pub fn version(&self) -> u32 {
self.toml().version
}
pub fn date(&self) -> Option<&str> {
self.toml().date.as_ref().map(|s| s.as_str())
}
pub fn gitrev(&self) -> Option<&str> {
self.toml().gitrev.as_ref().map(|s| s.as_str())
}
pub fn nblocks(&self) -> usize {
self.toml().nblocks as usize
}
pub fn shasum(&self) -> &str {
&self.toml().shasum
}
pub fn verity_root(&self) -> &str {
&self.toml().verity_root
}
pub fn verity_salt(&self) -> &str {
&self.toml().verity_salt
}
}