libavb_aftl/avb_aftl_types.h

/*
 * Copyright (C) 2020 The Android Open Source Project
 *
 * Permission is hereby granted, free of charge, to any person
 * obtaining a copy of this software and associated documentation
 * files (the "Software"), to deal in the Software without
 * restriction, including without limitation the rights to use, copy,
 * modify, merge, publish, distribute, sublicense, and/or sell copies
 * of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 * SOFTWARE.
 */

#ifdef AVB_INSIDE_LIBAVB_AFTL_H
#error "You can't include avb_aftl_types.h in the public header libavb_aftl.h."
#endif

#ifndef AVB_COMPILATION
#error "Never include this file, it may only be used from internal avb code."
#endif

#ifndef AVB_AFTL_TYPES_H_
#define AVB_AFTL_TYPES_H_

#include <libavb/libavb.h>

#ifdef __cplusplus
extern "C" {
#endif

#define AVB_AFTL_UINT64_MAX 0xfffffffffffffffful
#define AVB_AFTL_HASH_SIZE 32ul
#define AVB_AFTL_SIGNATURE_SIZE 512ul
/* Raw key size used for signature validation. */
#define AVB_AFTL_PUB_KEY_SIZE 1032ul
/* Limit AftlImage size to 64KB. */
#define AVB_AFTL_MAX_AFTL_IMAGE_SIZE 65536ul
/* Limit version.incremental size to 256 characters. */
#define AVB_AFTL_MAX_VERSION_INCREMENTAL_SIZE 256ul
/* AFTL trees require at most 64 hashes to reconstruct the root */
#define AVB_AFTL_MAX_PROOF_SIZE 64 * AVB_AFTL_HASH_SIZE
/* Max URL limit. */
#define AVB_AFTL_MAX_URL_SIZE 2048ul
/* Minimum valid size for an Annotation leaf. */
#define AVB_AFTL_MIN_ANNOTATION_SIZE 18ul
/* Minimum valid size for a TrillianLogRootDescriptor. See the
   TrillianLogRootDescriptor struct for details. The values here cover:
   version: sizeof(uint16_t)
   tree_size: sizeof(uint64_t)
   root_hash_size: sizeof(uint8_t)
   root_hash: AVB_AFTL_HASH_SIZE
   timestamp; sizeof(uint64_t)
   revision; sizeof(uint64_t)
   metadata_size: sizeof(uint16_t)
   metadata is optional, so it's not required for the minimum size. */
#define AVB_AFTL_MIN_TLRD_SIZE                                \
  (sizeof(uint16_t) + sizeof(uint64_t) + sizeof(uint8_t) +    \
   AVB_AFTL_HASH_SIZE + sizeof(uint64_t) + sizeof(uint64_t) + \
   sizeof(uint16_t))
/* Minimum valid size for an AftlIcpEntry structure. See the
   AftlIcpEntry struct for details. The values here cover:
   log_url_size: sizeof(uint32_t)
   leaf_index: sizeof(uint64_t)
   log_root_descriptor_size: sizeof(uint32_t)
   annotation_leaf_size: sizeof(uint32_t)
   log_root_sig_size: sizeof(uint32_t)
   proof_hash_count: sizeof(uint8_t)
   inc_proof_size: sizeof(uint32_t)
   log_url: 4 (shortest practical URL)
   log_root_descriptor: AVB_AFTL_MIN_TLRD_SIZE
   annotation_leaf: AVB_AFTL_MIN_ANNOTATION_SIZE
   log_root_signature: AVB_AFTL_SIGNATURE_SIZE
   proofs: AVB_AFTL_HASH_SIZE as there must be at least one hash. */
#define AVB_AFTL_MIN_AFTL_ICP_ENTRY_SIZE                                       \
  (sizeof(uint32_t) + sizeof(uint64_t) + sizeof(uint32_t) + sizeof(uint32_t) + \
   sizeof(uint32_t) + sizeof(uint8_t) + sizeof(uint32_t) + 4 +                 \
   AVB_AFTL_MIN_TLRD_SIZE + AVB_AFTL_MIN_ANNOTATION_SIZE +                     \
   AVB_AFTL_SIGNATURE_SIZE + AVB_AFTL_HASH_SIZE)
/* The maximum AftlIcpEntrySize is the max AftlImage size minus the size
   of the AftlImageHeader. */
#define AVB_AFTL_MAX_AFTL_ICP_ENTRY_SIZE \
  (AVB_AFTL_MAX_AFTL_IMAGE_SIZE - sizeof(AftlImageHeader))
/* The maximum Annotation size is the max AftlImage size minus the
   size of the smallest valid AftlIcpEntry. */
#define AVB_AFTL_MAX_ANNOTATION_SIZE \
  (AVB_AFTL_MAX_AFTL_IMAGE_SIZE - AVB_AFTL_MIN_AFTL_ICP_ENTRY_SIZE)
/* The maximum metadata size in a TrillianLogRootDescriptor for AFTL is the
   max AftlImage size minus the smallest valid AftlIcpEntry size. */
#define AVB_AFTL_MAX_METADATA_SIZE \
  (AVB_AFTL_MAX_AFTL_IMAGE_SIZE - AVB_AFTL_MIN_AFTL_ICP_ENTRY_SIZE)
/* The maximum TrillianLogRootDescriptor is the size of the smallest valid
TrillianLogRootDescriptor + the largest possible metadata size. */
#define AVB_AFTL_MAX_TLRD_SIZE \
  (AVB_AFTL_MIN_TLRD_SIZE + AVB_AFTL_MAX_METADATA_SIZE)

/* Data structure containing a Trillian LogRootDescriptor, from
   https://github.com/google/trillian/blob/master/trillian.proto#L255
   The log_root_signature is calculated over this structure. */
typedef struct TrillianLogRootDescriptor {
  uint16_t version;
  uint64_t tree_size;
  uint8_t root_hash_size;
  uint8_t* root_hash;
  uint64_t timestamp;
  uint64_t revision;
  uint16_t metadata_size;
  uint8_t* metadata;
} TrillianLogRootDescriptor;

typedef enum {
  AVB_AFTL_HASH_SHA256,
  _AVB_AFTL_HASH_ALGORITHM_NUM
} HashAlgorithm;

typedef enum {
  AVB_AFTL_SIGNATURE_RSA,    // RSA with PKCS1v15
  AVB_AFTL_SIGNATURE_ECDSA,  // ECDSA with P256 curve
  _AVB_AFTL_SIGNATURE_ALGORITHM_NUM
} SignatureAlgorithm;

/* Data structure containing the signature within a leaf of the VBMeta
 * annotation. This signature is made using the manufacturer key which is
 * generally not available at boot time. Therefore, this structure is not
 * verified by the bootloader. */
typedef struct {
  uint8_t hash_algorithm;
  uint8_t signature_algorithm;
  uint16_t signature_size;
  uint8_t* signature;
} Signature;

/* Data structure containing the VBMeta annotation. */
typedef struct {
  uint8_t vbmeta_hash_size;
  uint8_t* vbmeta_hash;
  uint8_t version_incremental_size;
  uint8_t* version_incremental;
  uint8_t manufacturer_key_hash_size;
  uint8_t* manufacturer_key_hash;
  uint16_t description_size;
  uint8_t* description;
} VBMetaPrimaryAnnotation;

#define AVB_AFTL_VBMETA_LEAF 0
#define AVB_AFTL_SIGNED_VBMETA_PRIMARY_ANNOTATION_LEAF 1

/* Data structure containing the leaf that is stored in the
   transparency log. */
typedef struct {
  uint8_t version;
  uint64_t timestamp;
  uint8_t leaf_type;
  Signature* signature;
  VBMetaPrimaryAnnotation* annotation;
} SignedVBMetaPrimaryAnnotationLeaf;

/* Data structure containing AFTL inclusion proof data from a single
   transparency log. */
typedef struct AftlIcpEntry {
  uint32_t log_url_size;
  uint64_t leaf_index;
  uint32_t log_root_descriptor_size;
  uint32_t annotation_leaf_size;
  uint16_t log_root_sig_size;
  uint8_t proof_hash_count;
  uint32_t inc_proof_size;
  uint8_t* log_url;
  TrillianLogRootDescriptor log_root_descriptor;
  uint8_t* log_root_descriptor_raw;
  SignedVBMetaPrimaryAnnotationLeaf* annotation_leaf;
  uint8_t* annotation_leaf_raw;
  uint8_t* log_root_signature;
  uint8_t (*proofs)[AVB_AFTL_HASH_SIZE];
} AftlIcpEntry;

/* Data structure containing AFTL header information. */
typedef struct AftlImageHeader {
  uint32_t magic;
  uint32_t required_icp_version_major;
  uint32_t required_icp_version_minor;
  uint32_t image_size; /* Total size of the AftlImage, including this header */
  uint16_t icp_count;
} AVB_ATTR_PACKED AftlImageHeader;

/* Main data structure for an AFTL image. */
typedef struct AftlImage {
  AftlImageHeader header;
  AftlIcpEntry** entries;
} AftlImage;

#ifdef __cplusplus
}
#endif

#endif /* AVB_AFTL_TYPES_H_ */