1 #include <memory>
2
3 #include "gtest/gtest.h"
4 #include "avb_tools.h"
5 #include "nugget_tools.h"
6 #include "nugget/app/avb/avb.pb.h"
7 #include "Avb.client.h"
8 #include "src/test-data/test-keys/reset_key_data.h"
9 #include <avb.h>
10 #include <application.h>
11 #include <nos/AppClient.h>
12 #include <nos/NuggetClientInterface.h>
13 #include "util.h"
14
15 #include <openssl/bio.h>
16 #include <openssl/evp.h>
17 #include <openssl/pem.h>
18
19 using std::cout;
20 using std::string;
21 using std::unique_ptr;
22
23 using namespace nugget::app::avb;
24 using namespace avb_tools;
25
26 namespace {
27
28 class AvbTest: public testing::Test {
29 protected:
30 static unique_ptr<nos::NuggetClientInterface> client;
31 static unique_ptr<test_harness::TestHarness> uart_printer;
32
33 static void SetUpTestCase();
34 static void TearDownTestCase();
35
36 virtual void SetUp(void);
37
38 int ProductionResetTest(uint32_t selector, uint64_t nonce,
39 const uint8_t *device_data, size_t data_len,
40 const uint8_t *signature, size_t signature_len);
41 int SignChallenge(const struct ResetMessage *message,
42 uint8_t *signature, size_t *siglen);
43
44 int Load(uint8_t slot, uint64_t *version);
45 int Store(uint8_t slot, uint64_t version);
46 int SetDeviceLock(uint8_t locked);
47 int SetBootLock(uint8_t locked);
48 int SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size);
49 int GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size);
50 int SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size);
51
52 public:
53 const uint64_t LAST_NONCE = 0x4141414141414140ULL;
54 const uint64_t VERSION = 1;
55 const uint64_t NONCE = 0x4141414141414141ULL;
56 const uint8_t DEVICE_DATA[AVB_DEVICE_DATA_SIZE] = {
57 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
58 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
59 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
60 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
61 };
62 const uint8_t SIGNATURE[AVB_SIGNATURE_SIZE] = {
63 0x68, 0x86, 0x9a, 0x16, 0xca, 0x62, 0xea, 0xa9,
64 0x9b, 0xa0, 0x51, 0x03, 0xa6, 0x00, 0x3f, 0xe8,
65 0xf1, 0x43, 0xe6, 0xb7, 0xde, 0x76, 0xfe, 0x21,
66 0x65, 0x87, 0x78, 0xe5, 0x1d, 0x11, 0x6a, 0xe1,
67 0x7b, 0xc6, 0x2e, 0xe2, 0x96, 0x25, 0x48, 0xa7,
68 0x09, 0x43, 0x2c, 0xfd, 0x28, 0xa9, 0x66, 0x8a,
69 0x09, 0xd5, 0x83, 0x3b, 0xde, 0x18, 0x5d, 0xef,
70 0x50, 0x12, 0x8a, 0x8d, 0xfb, 0x2d, 0x46, 0x20,
71 0x69, 0x55, 0x4e, 0x86, 0x63, 0xf6, 0x10, 0xe3,
72 0x59, 0x3f, 0x55, 0x72, 0x18, 0xcb, 0x60, 0x80,
73 0x0d, 0x2e, 0x2f, 0xfc, 0xc2, 0xbf, 0xda, 0x3f,
74 0x4f, 0x2b, 0x6b, 0xf1, 0x5d, 0x28, 0x6b, 0x2b,
75 0x9b, 0x92, 0xf3, 0x4e, 0xf2, 0xb6, 0x23, 0x8e,
76 0x50, 0x64, 0xf6, 0xee, 0xc7, 0x78, 0x6a, 0xe0,
77 0xed, 0xce, 0x2c, 0x1f, 0x0a, 0x47, 0x43, 0x5c,
78 0xe4, 0x69, 0xc5, 0xc1, 0xf9, 0x52, 0x8c, 0xed,
79 0xfd, 0x71, 0x8f, 0x9a, 0xde, 0x62, 0xfc, 0x21,
80 0x07, 0xf9, 0x5f, 0xe1, 0x1e, 0xdc, 0x65, 0x95,
81 0x15, 0xc8, 0xe7, 0xf2, 0xce, 0xa9, 0xd0, 0x55,
82 0xf1, 0x18, 0x89, 0xae, 0xe8, 0x47, 0xd8, 0x8a,
83 0x1f, 0x68, 0xa8, 0x6f, 0x5e, 0x5c, 0xda, 0x3d,
84 0x98, 0xeb, 0x82, 0xf8, 0x1f, 0x7a, 0x43, 0x6d,
85 0x3a, 0x7c, 0x36, 0x76, 0x4f, 0x55, 0xa4, 0x55,
86 0x5f, 0x52, 0x47, 0xa5, 0x71, 0x17, 0x7b, 0x73,
87 0xaa, 0x5c, 0x85, 0x94, 0xb6, 0xe2, 0x37, 0x1f,
88 0x22, 0x29, 0x46, 0x59, 0x20, 0x1f, 0x49, 0x36,
89 0x50, 0xa9, 0x60, 0x5d, 0xeb, 0x99, 0x3f, 0x92,
90 0x31, 0xa0, 0x1d, 0xad, 0xdb, 0xde, 0x40, 0xf6,
91 0xaf, 0x9c, 0x36, 0xe4, 0x0c, 0xf4, 0xcc, 0xaf,
92 0x9f, 0x8b, 0xf9, 0xe6, 0x12, 0x53, 0x4e, 0x58,
93 0xeb, 0x9a, 0x57, 0x08, 0x89, 0xa5, 0x4f, 0x7c,
94 0xb9, 0x78, 0x07, 0x02, 0x17, 0x2c, 0xce, 0xb8,
95 };
96 };
97
98 unique_ptr<nos::NuggetClientInterface> AvbTest::client;
99 unique_ptr<test_harness::TestHarness> AvbTest::uart_printer;
100
SetUpTestCase()101 void AvbTest::SetUpTestCase() {
102 uart_printer = test_harness::TestHarness::MakeUnique();
103
104 client = nugget_tools::MakeNuggetClient();
105 client->Open();
106 EXPECT_TRUE(client->IsOpen()) << "Unable to connect";
107 }
108
TearDownTestCase()109 void AvbTest::TearDownTestCase() {
110 client->Close();
111 client = unique_ptr<nos::NuggetClientInterface>();
112
113 uart_printer = nullptr;
114 }
115
SetUp(void)116 void AvbTest::SetUp(void)
117 {
118 bool bootloader;
119 bool production;
120 uint8_t locks[4];
121 int code;
122
123 avb_tools::BootloaderDone(client.get()); // We don't need BL for setup.
124 // Perform a challenge/response. If this fails, either
125 // the reset path is broken or the image is probably not
126 // TEST_IMAGE=1.
127 // Note: the reset tests are not safe on -UTEST_IMAGE unless
128 // the storage can be reflashed.
129 ResetProduction(client.get());
130
131 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
132 ASSERT_NO_ERROR(code, "");
133
134 GetState(client.get(), &bootloader, &production, locks);
135 EXPECT_EQ(bootloader, false);
136 EXPECT_EQ(production, false);
137 EXPECT_EQ(locks[BOOT], 0x00);
138 EXPECT_EQ(locks[CARRIER], 0x00);
139 EXPECT_EQ(locks[DEVICE], 0x00);
140 EXPECT_EQ(locks[OWNER], 0x00);
141 }
142
GetResetKey()143 RSA *GetResetKey()
144 {
145 BIO *bio = BIO_new_mem_buf((void*)test_data::kResetKeyPem,
146 test_data::kResetKeyPemSize - 1);
147 RSA *rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, 0, NULL);
148 BIO_free(bio);
149 return rsa;
150 }
151
ProductionResetTest(uint32_t selector,uint64_t nonce,const uint8_t * device_data,size_t data_len,const uint8_t * signature,size_t signature_len)152 int AvbTest::ProductionResetTest(uint32_t selector, uint64_t nonce,
153 const uint8_t *device_data, size_t data_len,
154 const uint8_t *signature, size_t signature_len)
155 {
156 ProductionResetTestRequest request;
157 request.set_selector(selector);
158 request.set_nonce(nonce);
159 if (signature && signature_len) {
160 request.set_signature(signature, signature_len);
161 }
162 if (device_data && data_len) {
163 request.set_device_data(device_data, data_len);
164 }
165 Avb service(*client);
166 return service.ProductionResetTest(request, nullptr);
167 }
168
SignChallenge(const struct ResetMessage * message,uint8_t * signature,size_t * maxsig)169 int AvbTest::SignChallenge(const struct ResetMessage *message,
170 uint8_t *signature, size_t *maxsig)
171 {
172 size_t siglen = *maxsig;
173 RSA *key = GetResetKey();
174 if (!key)
175 return -1;
176 EVP_PKEY *pkey = EVP_PKEY_new();
177 if (!pkey)
178 return -1;
179 if (!EVP_PKEY_set1_RSA(pkey, key))
180 return -1;
181 EVP_MD_CTX md_ctx;
182 EVP_MD_CTX_init(&md_ctx);
183 EVP_PKEY_CTX *pkey_ctx;
184 if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey))
185 return -1;
186 if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
187 return -1;
188 if (!EVP_DigestSignUpdate(&md_ctx, (uint8_t *)message, sizeof(*message)))
189 return -1;
190 EVP_DigestSignFinal(&md_ctx, NULL, &siglen);
191 if (siglen > *maxsig) {
192 std::cerr << "Signature length too long: " << siglen << " > "
193 << *maxsig << std::endl;
194 return -2;
195 }
196 *maxsig = siglen;
197 int code = EVP_DigestSignFinal(&md_ctx, signature, &siglen);
198 if (!code) {
199 std::cerr << "OpenSSL error: " << ERR_get_error() << ": "
200 << ERR_reason_error_string(ERR_get_error()) << std::endl;
201 return -3;
202 }
203 EVP_MD_CTX_cleanup(&md_ctx);
204 EVP_PKEY_free(pkey);
205 RSA_free(key);
206 // Feed it in
207 return 0;
208 }
209
Load(uint8_t slot,uint64_t * version)210 int AvbTest::Load(uint8_t slot, uint64_t *version)
211 {
212 LoadRequest request;
213 LoadResponse response;
214 int code;
215
216 request.set_slot(slot);
217
218 Avb service(*client);
219 code = service.Load(request, &response);
220 if (code == APP_SUCCESS) {
221 *version = response.version();
222 }
223
224 return code;
225 }
226
Store(uint8_t slot,uint64_t version)227 int AvbTest::Store(uint8_t slot, uint64_t version)
228 {
229 StoreRequest request;
230
231 request.set_slot(slot);
232 request.set_version(version);
233
234 Avb service(*client);
235 return service.Store(request, nullptr);
236 }
237
SetDeviceLock(uint8_t locked)238 int AvbTest::SetDeviceLock(uint8_t locked)
239 {
240 SetDeviceLockRequest request;
241
242 request.set_locked(locked);
243
244 Avb service(*client);
245 return service.SetDeviceLock(request, nullptr);
246 }
247
SetBootLock(uint8_t locked)248 int AvbTest::SetBootLock(uint8_t locked)
249 {
250 SetBootLockRequest request;
251
252 request.set_locked(locked);
253
254 Avb service(*client);
255 return service.SetBootLock(request, nullptr);
256 }
257
SetOwnerLock(uint8_t locked,const uint8_t * metadata,size_t size)258 int AvbTest::SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size)
259 {
260 SetOwnerLockRequest request;
261
262 request.set_locked(locked);
263 if (metadata != NULL && size > 0) {
264 request.set_key(metadata, size);
265 }
266
267 Avb service(*client);
268 return service.SetOwnerLock(request, nullptr);
269 }
270
GetOwnerKey(uint32_t offset,uint8_t * metadata,size_t * size)271 int AvbTest::GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size)
272 {
273 GetOwnerKeyRequest request;
274 GetOwnerKeyResponse response;
275 size_t i;
276 int code;
277
278 request.set_offset(offset);
279 if (size != NULL)
280 request.set_size(*size);
281
282 Avb service(*client);
283 code = service.GetOwnerKey(request, &response);
284
285 if (code == APP_SUCCESS) {
286 auto chunk = response.chunk();
287
288 if (metadata != NULL) {
289 for (i = 0; i < chunk.size(); i++)
290 metadata[i] = chunk[i];
291 }
292 if (size != NULL)
293 *size = chunk.size();
294 }
295
296 return code;
297 }
298
SetCarrierLock(uint8_t locked,const uint8_t * metadata,size_t size)299 int AvbTest::SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size)
300 {
301 CarrierLockRequest request;
302
303 request.set_locked(locked);
304 if (metadata != NULL && size > 0) {
305 request.set_device_data(metadata, size);
306 }
307
308 Avb service(*client);
309 return service.CarrierLock(request, nullptr);
310 }
311
312 // Tests
313
TEST_F(AvbTest,CarrierLockTest)314 TEST_F(AvbTest, CarrierLockTest)
315 {
316 uint8_t carrier_data[AVB_DEVICE_DATA_SIZE];
317 uint8_t locks[4];
318 int code;
319
320 // Test we can set and unset the carrier lock in non production mode
321 memset(carrier_data, 0, sizeof(carrier_data));
322
323 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data));
324 ASSERT_NO_ERROR(code, "");
325
326 GetState(client.get(), NULL, NULL, locks);
327 ASSERT_EQ(locks[CARRIER], 0x12);
328
329 code = SetCarrierLock(0, NULL, 0);
330 ASSERT_NO_ERROR(code, "");
331
332 // Set production mode
333 avb_tools::SetBootloader(client.get());
334 code = SetProduction(client.get(), true, NULL, 0);
335 ASSERT_NO_ERROR(code, "");
336 avb_tools::BootloaderDone(client.get());
337
338 // Test we cannot set or unset the carrier lock in production mode
339 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data));
340 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
341
342 GetState(client.get(), NULL, NULL, locks);
343 ASSERT_EQ(locks[CARRIER], 0x00);
344
345 code = SetCarrierLock(0, NULL, 0);
346 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
347 }
348
TEST_F(AvbTest,CarrierUnlockTest)349 TEST_F(AvbTest, CarrierUnlockTest)
350 {
351 CarrierLockTestRequest request;
352 CarrierLockTestResponse response;
353 CarrierUnlock *token;
354
355 token = new CarrierUnlock();
356 token->set_nonce(NONCE);
357 token->set_version(VERSION);
358 token->set_signature(SIGNATURE, sizeof(SIGNATURE));
359
360 request.set_last_nonce(LAST_NONCE);
361 request.set_version(VERSION);
362 request.set_device_data(DEVICE_DATA, sizeof(DEVICE_DATA));
363 request.set_allocated_token(token);
364
365 Avb service(*client);
366 ASSERT_NO_ERROR(service.CarrierLockTest(request, &response), "");
367
368 // The nonce is covered by the signature, so changing it should trip the
369 // signature verification
370 token->set_nonce(NONCE + 1);
371 ASSERT_EQ(service.CarrierLockTest(request, &response), APP_ERROR_AVB_AUTHORIZATION);
372 }
373
TEST_F(AvbTest,DeviceLockTest)374 TEST_F(AvbTest, DeviceLockTest)
375 {
376 bool bootloader;
377 bool production;
378 uint8_t locks[4];
379 int code;
380
381 // Test cannot set the lock
382 avb_tools::SetBootloader(client.get());
383 code = SetProduction(client.get(), true, NULL, 0);
384 ASSERT_NO_ERROR(code, "");
385
386 code = SetDeviceLock(0x12);
387 ASSERT_EQ(code, APP_ERROR_AVB_HLOS);
388
389 // Test can set lock
390 ResetProduction(client.get());
391 avb_tools::SetBootloader(client.get());
392
393 code = SetDeviceLock(0x34);
394 ASSERT_NO_ERROR(code, "");
395
396 GetState(client.get(), &bootloader, &production, locks);
397 ASSERT_TRUE(bootloader);
398 ASSERT_FALSE(production);
399 ASSERT_EQ(locks[DEVICE], 0x34);
400
401 // Test cannot set while set
402 code = SetDeviceLock(0x56);
403 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
404
405 GetState(client.get(), NULL, NULL, locks);
406 ASSERT_EQ(locks[DEVICE], 0x34);
407
408 // Test can unset
409 code = SetDeviceLock(0x00);
410 ASSERT_NO_ERROR(code, "");
411
412 GetState(client.get(), NULL, NULL, locks);
413 ASSERT_EQ(locks[DEVICE], 0x00);
414 }
415
TEST_F(AvbTest,SetDeviceLockIsIdempotent)416 TEST_F(AvbTest, SetDeviceLockIsIdempotent) {
417 ASSERT_NO_ERROR(SetDeviceLock(0x65), "");
418 ASSERT_NO_ERROR(SetDeviceLock(0x65), "");
419 }
420
TEST_F(AvbTest,BootLockTest)421 TEST_F(AvbTest, BootLockTest)
422 {
423 uint8_t locks[4];
424 int code;
425 // Test production logic.
426 code = SetProduction(client.get(), true, NULL, 0);
427 ASSERT_NO_ERROR(code, "");
428
429 // Test cannot set lock
430 code = SetBootLock(0x12);
431 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER);
432
433 GetState(client.get(), NULL, NULL, locks);
434 ASSERT_EQ(locks[BOOT], 0x00);
435
436 // Show the bootloader setting and unsetting.
437 avb_tools::SetBootloader(client.get());
438 code = SetBootLock(0x12);
439 ASSERT_NO_ERROR(code, "");
440
441 GetState(client.get(), NULL, NULL, locks);
442 ASSERT_EQ(locks[BOOT], 0x12);
443
444 code = SetBootLock(0x0);
445 ASSERT_NO_ERROR(code, "");
446
447 GetState(client.get(), NULL, NULL, locks);
448 ASSERT_EQ(locks[BOOT], 0x00);
449
450 // Test cannot unset lock while carrier set
451 ResetProduction(client.get());
452 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
453 ASSERT_NO_ERROR(code, "");
454
455 code = SetCarrierLock(0x34, DEVICE_DATA, sizeof(DEVICE_DATA));
456 ASSERT_NO_ERROR(code, "");
457
458 code = SetProduction(client.get(), true, NULL, 0);
459 ASSERT_NO_ERROR(code, "");
460
461 // Can lock when carrier lock is set.
462 avb_tools::SetBootloader(client.get());
463 code = SetBootLock(0x56);
464 ASSERT_NO_ERROR(code, "");
465
466 // Cannot unlock.
467 code = SetBootLock(0x0);
468 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
469
470 // Or change the value.
471 code = SetBootLock(0x42);
472 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
473
474 GetState(client.get(), NULL, NULL, locks);
475 ASSERT_EQ(locks[CARRIER], 0x34);
476 ASSERT_EQ(locks[BOOT], 0x56);
477
478 // Clear the locks to show device lock enforcement.
479 ResetProduction(client.get());
480 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
481 ASSERT_NO_ERROR(code, "");
482 code = SetProduction(client.get(), true, NULL, 0);
483 ASSERT_NO_ERROR(code, "");
484 avb_tools::SetBootloader(client.get());
485
486 // Need to be in the HLOS.
487 code = SetDeviceLock(0x78);
488 ASSERT_EQ(code, APP_ERROR_AVB_HLOS);
489
490 avb_tools::BootloaderDone(client.get());
491 code = SetDeviceLock(0x78);
492 ASSERT_NO_ERROR(code, "");
493
494 // We can move to a locked state when
495 // device lock is true.
496 avb_tools::SetBootloader(client.get());
497 code = SetBootLock(0x9A);
498 ASSERT_NO_ERROR(code, "");
499
500 // But we can't move back.
501 code = SetBootLock(0x0);
502 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
503
504 GetState(client.get(), NULL, NULL, locks);
505 ASSERT_EQ(locks[DEVICE], 0x78);
506 ASSERT_EQ(locks[BOOT], 0x9A);
507 }
508
TEST_F(AvbTest,SetBootLockIsIdempotent)509 TEST_F(AvbTest, SetBootLockIsIdempotent) {
510 ASSERT_NO_ERROR(SetBootLock(0x12), "");
511 ASSERT_NO_ERROR(SetBootLock(0x12), "");
512 }
513
TEST_F(AvbTest,SetBootLockAfterWipingUserData)514 TEST_F(AvbTest, SetBootLockAfterWipingUserData) {
515 // This is a sequence of commands that the bootloader will issue
516 ASSERT_NO_ERROR(SetProduction(client.get(), true, NULL, 0), "");
517 avb_tools::SetBootloader(client.get());
518 ASSERT_TRUE(nugget_tools::WipeUserData(client.get()));
519 ASSERT_NO_ERROR(SetBootLock(0xdc), "");
520 }
521
TEST_F(AvbTest,OwnerLockTest)522 TEST_F(AvbTest, OwnerLockTest)
523 {
524 uint8_t owner_key[AVB_METADATA_MAX_SIZE];
525 uint8_t chunk[AVB_CHUNK_MAX_SIZE];
526 uint8_t locks[4];
527 int code;
528 size_t i;
529
530 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += 2) {
531 owner_key[i + 0] = (i >> 8) & 0xFF;
532 owner_key[i + 1] = (i >> 8) & 0xFF;
533 }
534
535 // This should pass when BOOT lock is not set
536 code = SetOwnerLock(0x65, owner_key, sizeof(owner_key));
537 ASSERT_NO_ERROR(code, "");
538
539 GetState(client.get(), NULL, NULL, locks);
540 ASSERT_EQ(locks[OWNER], 0x65);
541
542 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += AVB_CHUNK_MAX_SIZE) {
543 size_t size = sizeof(chunk);
544 size_t j;
545
546 code = GetOwnerKey(i, chunk, &size);
547 ASSERT_NO_ERROR(code, "");
548 ASSERT_EQ(size, sizeof(chunk));
549 for (j = 0; j < size; j++) {
550 ASSERT_EQ(chunk[j], owner_key[i + j]);
551 }
552 }
553
554 // Test setting the lock while set fails
555 code = SetOwnerLock(0x87, owner_key, sizeof(owner_key));
556 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
557
558 GetState(client.get(), NULL, NULL, locks);
559 ASSERT_EQ(locks[OWNER], 0x65);
560
561 // Clear it
562 code = SetOwnerLock(0x00, owner_key, sizeof(owner_key));
563 ASSERT_NO_ERROR(code, "");
564
565 GetState(client.get(), NULL, NULL, locks);
566 ASSERT_EQ(locks[OWNER], 0x00);
567
568 // Set the boot lock
569 avb_tools::SetBootloader(client.get());
570 code = SetBootLock(0x43);
571 ASSERT_NO_ERROR(code, "");
572
573 GetState(client.get(), NULL, NULL, locks);
574 ASSERT_EQ(locks[BOOT], 0x43);
575
576 // Test setting the lock while BOOT is locked fails
577 code = SetOwnerLock(0x21, owner_key, sizeof(owner_key));
578 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
579 }
580
TEST_F(AvbTest,ProductionMode)581 TEST_F(AvbTest, ProductionMode)
582 {
583 bool production;
584 uint8_t locks[4];
585 int code;
586
587 // Check we're not in production mode
588 GetState(client.get(), NULL, &production, NULL);
589 ASSERT_FALSE(production);
590
591 // Set some lock values to make sure production doesn't affect them
592 avb_tools::SetBootloader(client.get());
593 code = SetOwnerLock(0x11, NULL, 0);
594 ASSERT_NO_ERROR(code, "");
595
596 code = SetBootLock(0x22);
597 ASSERT_NO_ERROR(code, "");
598
599 code = SetCarrierLock(0x33, DEVICE_DATA, sizeof(DEVICE_DATA));
600 ASSERT_NO_ERROR(code, "");
601
602 code = SetDeviceLock(0x44);
603 ASSERT_NO_ERROR(code, "");
604
605 // Set production mode with a DUT hash
606 code = SetProduction(client.get(), true, NULL, 0);
607 ASSERT_NO_ERROR(code, "");
608
609 GetState(client.get(), NULL, &production, locks);
610 ASSERT_TRUE(production);
611 ASSERT_EQ(locks[OWNER], 0x11);
612 ASSERT_EQ(locks[BOOT], 0x22);
613 ASSERT_EQ(locks[CARRIER], 0x33);
614 ASSERT_EQ(locks[DEVICE], 0x44);
615
616 // Test production cannot be turned off.
617 code = SetProduction(client.get(), false, NULL, 0);
618 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
619 avb_tools::BootloaderDone(client.get());
620 code = SetProduction(client.get(), false, NULL, 0);
621 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
622 }
623
TEST_F(AvbTest,Rollback)624 TEST_F(AvbTest, Rollback)
625 {
626 uint64_t value = ~0ULL;
627 int code, i;
628
629 // Test we cannot change values in normal mode
630 code = SetProduction(client.get(), true, NULL, 0);
631 ASSERT_NO_ERROR(code, "");
632 for (i = 0; i < 8; i++) {
633 code = Store(i, 0xFF00000011223344 + i);
634 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER);
635
636 code = Load(i, &value);
637 ASSERT_NO_ERROR(code, "");
638 ASSERT_EQ(value, 0x00ULL);
639 }
640
641 // Test we can change values in bootloader mode
642 avb_tools::SetBootloader(client.get());
643 for (i = 0; i < 8; i++) {
644 code = Store(i, 0xFF00000011223344 + i);
645 ASSERT_NO_ERROR(code, "");
646
647 code = Load(i, &value);
648 ASSERT_NO_ERROR(code, "");
649 ASSERT_EQ(value, 0xFF00000011223344 + i);
650
651 code = Store(i, 0x8800000011223344 - i);
652 ASSERT_NO_ERROR(code, "");
653
654 code = Load(i, &value);
655 ASSERT_NO_ERROR(code, "");
656 ASSERT_EQ(value, 0x8800000011223344 - i);
657 }
658 }
659
TEST_F(AvbTest,Reset)660 TEST_F(AvbTest, Reset)
661 {
662 bool bootloader;
663 bool production;
664 uint8_t locks[4];
665 int code;
666
667 // Set some locks and production mode*/
668 avb_tools::SetBootloader(client.get());
669 code = SetBootLock(0x12);
670 ASSERT_NO_ERROR(code, "");
671
672 code = SetDeviceLock(0x34);
673 ASSERT_NO_ERROR(code, "");
674
675 code = SetProduction(client.get(), true, NULL, 0);
676 ASSERT_NO_ERROR(code, "");
677
678 avb_tools::BootloaderDone(client.get());
679
680 GetState(client.get(), &bootloader, &production, locks);
681 ASSERT_FALSE(bootloader);
682 ASSERT_TRUE(production);
683 ASSERT_EQ(locks[BOOT], 0x12);
684 ASSERT_EQ(locks[DEVICE], 0x34);
685
686 // Try reset, should fail
687 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
688 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
689
690 GetState(client.get(), &bootloader, &production, locks);
691 ASSERT_FALSE(bootloader);
692 ASSERT_TRUE(production);
693 ASSERT_EQ(locks[BOOT], 0x12);
694 ASSERT_EQ(locks[DEVICE], 0x34);
695
696 // Disable production, try reset, should pass
697 ResetProduction(client.get());
698 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
699 ASSERT_NO_ERROR(code, "");
700
701 GetState(client.get(), &bootloader, &production, locks);
702 ASSERT_FALSE(bootloader);
703 ASSERT_FALSE(production);
704 ASSERT_EQ(locks[BOOT], 0x00);
705 ASSERT_EQ(locks[DEVICE], 0x00);
706 }
707
TEST_F(AvbTest,GetResetChallengeTest)708 TEST_F(AvbTest, GetResetChallengeTest)
709 {
710 int code;
711 uint32_t selector;
712 uint64_t nonce;
713 uint8_t data[32];
714 uint8_t empty[32];
715 size_t len = sizeof(data);
716
717 memset(data, 0, sizeof(data));
718 memset(empty, 0, sizeof(empty));
719 code = GetResetChallenge(client.get(), &selector, &nonce, data, &len);
720 ASSERT_LE(sizeof(data), len);
721 ASSERT_NO_ERROR(code, "");
722 EXPECT_NE(0ULL, nonce);
723 EXPECT_LE(selector, (uint32_t)ResetToken::CURRENT);
724 EXPECT_EQ(32UL, len);
725 // We didn't set a device id.
726 EXPECT_EQ(0, memcmp(data, empty, sizeof(empty)));
727 }
728
729 // TODO(drewry) move to new test suite since this is unsafe on
730 // non-TEST_IMAGE builds.
TEST_F(AvbTest,ResetProductionValid)731 TEST_F(AvbTest, ResetProductionValid)
732 {
733 static const uint8_t kDeviceHash[] = {
734 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
735 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
736 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
737 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8
738 };
739 struct ResetMessage message;
740 int code;
741 uint32_t selector;
742 size_t len = sizeof(message.data);
743 uint8_t signature[2048/8 + 1];
744 size_t siglen = sizeof(signature);
745
746 // Lock in a fixed device hash
747 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash));
748 EXPECT_EQ(0, code);
749
750 memset(message.data, 0, sizeof(message.data));
751 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
752 ASSERT_NO_ERROR(code, "");
753 // Expect, not assert, just in case something goes weird, we may still
754 // exit cleanly.
755 EXPECT_EQ(0, memcmp(message.data, kDeviceHash, sizeof(kDeviceHash)));
756 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
757
758 // Try a bad challenge, wasting the nonce.
759 uint8_t orig = signature[0];
760 signature[0] += 1;
761 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
762 // TODO: expect the LINENO error
763 EXPECT_NE(0, code);
764 signature[0] = orig;
765 // Re-lock since TEST_IMAGE will unlock on failure.
766 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash));
767 EXPECT_EQ(0, code);
768
769 // Now use a good one, but without getting a new nonce.
770 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
771 EXPECT_EQ(code, APP_ERROR_AVB_DENIED);
772
773 // Now get the nonce and use a good signature.
774 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
775 ASSERT_NO_ERROR(code, "");
776 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
777 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
778 ASSERT_NO_ERROR(code, "");
779 }
780
TEST_F(AvbTest,ProductionResetTestValid)781 TEST_F(AvbTest, ProductionResetTestValid)
782 {
783 static const uint8_t kDeviceHash[] = {
784 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
785 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
786 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
787 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8
788 };
789 struct ResetMessage message;
790 int code;
791 uint32_t selector = ResetToken::CURRENT;
792 size_t len = sizeof(message.data);
793 uint8_t signature[2048/8 + 1];
794 size_t siglen = sizeof(signature);
795
796 memcpy(message.data, kDeviceHash, sizeof(message.data));
797 message.nonce = 123456;
798 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
799
800 // Try a bad challenge, wasting the nonce.
801 uint8_t orig = signature[0];
802 signature[0] += 1;
803 code = ProductionResetTest(selector, message.nonce, message.data, len,
804 signature, siglen);
805 EXPECT_NE(0, code);
806 signature[0] = orig;
807
808 // Now use a good signature.
809 code = ProductionResetTest(selector, message.nonce, message.data, len,
810 signature, siglen);
811 ASSERT_NO_ERROR(code, "");
812
813 // Note, testing nonce expiration is handled in the Reset(PRODUCTION)
814 // test. This just checks a second signature over an app sourced nonce.
815 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
816 ASSERT_NO_ERROR(code, "");
817 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
818 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
819 ASSERT_NO_ERROR(code, "");
820
821 // Now test a null signature as we will for the real keys
822 message.nonce = 0;
823 memset(message.data, 0, sizeof(message.data));
824 code = ProductionResetTest(selector, message.nonce, message.data, len,
825 test_data::kResetSignatures[selector],
826 test_data::kResetSignatureLengths[selector]);
827 ASSERT_NO_ERROR(code, "");
828 }
829
TEST_F(AvbTest,WipeUserDataDoesNotLockDeviceLock)830 TEST_F(AvbTest, WipeUserDataDoesNotLockDeviceLock) {
831 ASSERT_NO_ERROR(SetDeviceLock(0x00), "");
832 ASSERT_TRUE(nugget_tools::WipeUserData(client.get()));
833
834 uint8_t locks[4];
835 GetState(client.get(), nullptr, nullptr, locks);
836 EXPECT_EQ(locks[DEVICE], 0x00);
837 }
838
TEST_F(AvbTest,ResetKeyNullTokenSignatureTest)839 TEST_F(AvbTest, ResetKeyNullTokenSignatureTest)
840 {
841 struct ResetMessage message;
842 int code;
843
844 uint32_t selector;
845 uint64_t nonce;
846 uint8_t device_data[AVB_DEVICE_DATA_SIZE];
847 size_t len = sizeof(device_data);
848
849 // Get the selector
850 code = GetResetChallenge(client.get(), &selector, &nonce,
851 device_data, &len);
852 ASSERT_NO_ERROR(code, "");
853 ASSERT_LT(selector, test_data::kResetSignatureCount);
854
855 memset(&message, 0, sizeof(message));
856 // Now use a good one, but without getting a new nonce.
857 cout << "Testing key: " << selector << "\n";
858 code = ProductionResetTest(selector, message.nonce, message.data, 32,
859 test_data::kResetSignatures[selector],
860 test_data::kResetSignatureLengths[selector]);
861 ASSERT_NO_ERROR(code, "");
862 }
863
864 } // namespace
865