1 #include <memory>
2
3 #include "gtest/gtest.h"
4 #include "avb_tools.h"
5 #include "nugget_tools.h"
6 #include "nugget/app/avb/avb.pb.h"
7 #include "Avb.client.h"
8 #include <avb.h>
9 #include <application.h>
10 #include <nos/AppClient.h>
11 #include <nos/NuggetClientInterface.h>
12 #include "util.h"
13
14 #include <openssl/bio.h>
15 #include <openssl/evp.h>
16 #include <openssl/pem.h>
17
18 using std::cout;
19 using std::string;
20 using std::unique_ptr;
21
22 using namespace nugget::app::avb;
23 using namespace avb_tools;
24
25 namespace {
26
27 class AvbTest: public testing::Test {
28 protected:
29 static unique_ptr<nos::NuggetClientInterface> client;
30 static unique_ptr<test_harness::TestHarness> uart_printer;
31
32 static void SetUpTestCase();
33 static void TearDownTestCase();
34
35 virtual void SetUp(void);
36
37 int ProductionResetTest(uint32_t selector, uint64_t nonce,
38 const uint8_t *device_data, size_t data_len,
39 const uint8_t *signature, size_t signature_len);
40 int SignChallenge(const struct ResetMessage *message,
41 uint8_t *signature, size_t *siglen);
42
43 int Load(uint8_t slot, uint64_t *version);
44 int Store(uint8_t slot, uint64_t version);
45 int SetDeviceLock(uint8_t locked);
46 int SetBootLock(uint8_t locked);
47 int SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size);
48 int GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size);
49 int SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size);
50
51 public:
52 const uint64_t LAST_NONCE = 0x4141414141414140ULL;
53 const uint64_t VERSION = 1;
54 const uint64_t NONCE = 0x4141414141414141ULL;
55 const uint8_t DEVICE_DATA[AVB_DEVICE_DATA_SIZE] = {
56 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
57 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
58 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
59 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42, 0x42,
60 };
61 const uint8_t SIGNATURE[AVB_SIGNATURE_SIZE] = {
62 0x68, 0x86, 0x9a, 0x16, 0xca, 0x62, 0xea, 0xa9,
63 0x9b, 0xa0, 0x51, 0x03, 0xa6, 0x00, 0x3f, 0xe8,
64 0xf1, 0x43, 0xe6, 0xb7, 0xde, 0x76, 0xfe, 0x21,
65 0x65, 0x87, 0x78, 0xe5, 0x1d, 0x11, 0x6a, 0xe1,
66 0x7b, 0xc6, 0x2e, 0xe2, 0x96, 0x25, 0x48, 0xa7,
67 0x09, 0x43, 0x2c, 0xfd, 0x28, 0xa9, 0x66, 0x8a,
68 0x09, 0xd5, 0x83, 0x3b, 0xde, 0x18, 0x5d, 0xef,
69 0x50, 0x12, 0x8a, 0x8d, 0xfb, 0x2d, 0x46, 0x20,
70 0x69, 0x55, 0x4e, 0x86, 0x63, 0xf6, 0x10, 0xe3,
71 0x59, 0x3f, 0x55, 0x72, 0x18, 0xcb, 0x60, 0x80,
72 0x0d, 0x2e, 0x2f, 0xfc, 0xc2, 0xbf, 0xda, 0x3f,
73 0x4f, 0x2b, 0x6b, 0xf1, 0x5d, 0x28, 0x6b, 0x2b,
74 0x9b, 0x92, 0xf3, 0x4e, 0xf2, 0xb6, 0x23, 0x8e,
75 0x50, 0x64, 0xf6, 0xee, 0xc7, 0x78, 0x6a, 0xe0,
76 0xed, 0xce, 0x2c, 0x1f, 0x0a, 0x47, 0x43, 0x5c,
77 0xe4, 0x69, 0xc5, 0xc1, 0xf9, 0x52, 0x8c, 0xed,
78 0xfd, 0x71, 0x8f, 0x9a, 0xde, 0x62, 0xfc, 0x21,
79 0x07, 0xf9, 0x5f, 0xe1, 0x1e, 0xdc, 0x65, 0x95,
80 0x15, 0xc8, 0xe7, 0xf2, 0xce, 0xa9, 0xd0, 0x55,
81 0xf1, 0x18, 0x89, 0xae, 0xe8, 0x47, 0xd8, 0x8a,
82 0x1f, 0x68, 0xa8, 0x6f, 0x5e, 0x5c, 0xda, 0x3d,
83 0x98, 0xeb, 0x82, 0xf8, 0x1f, 0x7a, 0x43, 0x6d,
84 0x3a, 0x7c, 0x36, 0x76, 0x4f, 0x55, 0xa4, 0x55,
85 0x5f, 0x52, 0x47, 0xa5, 0x71, 0x17, 0x7b, 0x73,
86 0xaa, 0x5c, 0x85, 0x94, 0xb6, 0xe2, 0x37, 0x1f,
87 0x22, 0x29, 0x46, 0x59, 0x20, 0x1f, 0x49, 0x36,
88 0x50, 0xa9, 0x60, 0x5d, 0xeb, 0x99, 0x3f, 0x92,
89 0x31, 0xa0, 0x1d, 0xad, 0xdb, 0xde, 0x40, 0xf6,
90 0xaf, 0x9c, 0x36, 0xe4, 0x0c, 0xf4, 0xcc, 0xaf,
91 0x9f, 0x8b, 0xf9, 0xe6, 0x12, 0x53, 0x4e, 0x58,
92 0xeb, 0x9a, 0x57, 0x08, 0x89, 0xa5, 0x4f, 0x7c,
93 0xb9, 0x78, 0x07, 0x02, 0x17, 0x2c, 0xce, 0xb8,
94 };
95 };
96
97 unique_ptr<nos::NuggetClientInterface> AvbTest::client;
98 unique_ptr<test_harness::TestHarness> AvbTest::uart_printer;
99
SetUpTestCase()100 void AvbTest::SetUpTestCase() {
101 uart_printer = test_harness::TestHarness::MakeUnique();
102
103 client = nugget_tools::MakeNuggetClient();
104 client->Open();
105 EXPECT_TRUE(client->IsOpen()) << "Unable to connect";
106 }
107
TearDownTestCase()108 void AvbTest::TearDownTestCase() {
109 client->Close();
110 client = unique_ptr<nos::NuggetClientInterface>();
111
112 uart_printer = nullptr;
113 }
114
SetUp(void)115 void AvbTest::SetUp(void)
116 {
117 bool bootloader;
118 bool production;
119 uint8_t locks[4];
120 int code;
121
122 avb_tools::BootloaderDone(client.get()); // We don't need BL for setup.
123 // Perform a challenge/response. If this fails, either
124 // the reset path is broken or the image is probably not
125 // TEST_IMAGE=1.
126 // Note: the reset tests are not safe on -UTEST_IMAGE unless
127 // the storage can be reflashed.
128 ResetProduction(client.get());
129
130 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
131 ASSERT_NO_ERROR(code, "");
132
133 GetState(client.get(), &bootloader, &production, locks);
134 EXPECT_EQ(bootloader, false);
135 EXPECT_EQ(production, false);
136 EXPECT_EQ(locks[BOOT], 0x00);
137 EXPECT_EQ(locks[CARRIER], 0x00);
138 EXPECT_EQ(locks[DEVICE], 0x00);
139 EXPECT_EQ(locks[OWNER], 0x00);
140 }
141
142 static const uint8_t kResetKeyPem[] =
143 "-----BEGIN RSA PRIVATE KEY-----\n\
144 MIIEpAIBAAKCAQEAo0IoAa5cK7XyAj7u1jFStsfEcxkgAZVF9VWKzH1bofKxLioA\n\
145 r5Lo4D33glKehxkOlDo6GkBj1PoI8WuvYYvEUyxJNUdlVpa1C2lbewEL0rfyBrZ9\n\
146 4cp0ZeUknymYHn3ynW4Z8sYMlj7BNxGttV/jbxtgtT5WHJ+hg5/4/ifCPucN17Bt\n\
147 heUKIBoAjy6DlB/pMg1NUQ82DaASMFe89mEzI9Zk4CRtkWjEhknY0bYm46U1ABJb\n\
148 YmIsHlxdADskvWFDmq8CfJr/jXstTXxZeqaxPPdSP+WPwXN/ku5W7qkF2qimEKiy\n\
149 DYHzY65JhfWmHOLLGNuz6iHkq93uzkKsGIIPGQIDAQABAoIBABGTvdrwetv56uRz\n\
150 AiPti4pCV9RMkDWbbLzNSPRbStJU3t6phwlgN9Js2YkefBLvj7JF0pug8x6rDOtx\n\
151 PKCz+5841Wj3FuILt9JStZa4th0p0NUIMOVudrnBwf+g6s/dn5FzmTeaOyCyAPt8\n\
152 28b7W/FKcU8SNxM93JXfU1+JyFAdREqsXQfqLhCAXBb46fs5D8hg0c99RdWuJSuY\n\
153 HKyVXDrjmYAHS5qUDeMx0OY/q1qM03FBvHekvJ78WPpUKF7B/gYH9lBHIHE0KLJY\n\
154 JR6kKkzN/Ii6BsSubKKeuNntzlzd2ukvFdX4uc42dDpIXPdaQAn84KRYN7++KoGz\n\
155 2LqtAAECgYEAzQt5kt9c+xDeKMPR92XQ4uMeLxTufBei1PFGZbJnJT8aEMkVhKT/\n\
156 Pbh1Z8OnN9YvFprDNpEilUm7xyffrE7p0pI1/qiBXZExy6pIcGAo4ZcB8ayN0JV3\n\
157 k+RilE73x+sKAyWOm82b273PiyHNsQI4flkO5Ev9rpZbPMKlvZYsmxkCgYEAy9RR\n\
158 RwxwCpvFi3um0Rwz7CI2uvVXGaLVXyR2oNGLcJG7AhusYi4FX6XJQ3vAgiDmzu/c\n\
159 SaEF9w7uqeueIUA7L7njYP1ojfJAUJEtQRfVJF2tDntN5YgYUTsx8n3IKTs4xFT4\n\
160 dBthKo16zzLv92+8m4sWJhFW2zzFFLwk+G5jlAECgYEAln1piSZus8Y5h2nRXOZZ\n\
161 XWyb5qpSLrmaRPegV1uM4IVjuBYduPDwdHhBkxrCS/TjMo/73ry+yRsIuq7FN03j\n\
162 xyyQfItoByhdh8E+0VuCJbATOTEQFJre3KiuwXMD4LLc8lpKRIevcKPrA46XzOZ4\n\
163 WCM9DsnHMrAf3oRt6KujqWECgYEAyu43fWUEp4suwg/5pXdOumnV040vinZzuKW0\n\
164 9aeqDAkLBq5Gkfj/oJqOJoGux9+5640i5KtMJQzY0JOke7ZXNsz7dDTXQ3tMTOo9\n\
165 A/GWYv5grWpVw5AbpcQpliNkhKhRfCactfwMYTE6c89i2haE0NdI1d2te9ik3l/y\n\
166 7uP4gAECgYA3u2CumlkjHq+LbMK6Ry+Ajyy4ssM5PKJUqSogJDUkHsG/C7yaCdq/\n\
167 Ljt2x2220H0pM9885C3PpKxoYwRih9dzOamnARJocAElp2b5AQB+tKddlMdwx1pQ\n\
168 0IMGQ3fBYkDFLGYDk7hGYkLLlSJCZwi64xKmmfEwl83RL6JDSFupDg==\n\
169 -----END RSA PRIVATE KEY-----";
170
GetResetKey()171 static RSA *GetResetKey()
172 {
173 BIO *bio = BIO_new_mem_buf((void*)kResetKeyPem, sizeof(kResetKeyPem) - 1);
174 RSA *rsa = PEM_read_bio_RSAPrivateKey(bio, NULL, 0, NULL);
175 BIO_free(bio);
176 return rsa;
177 }
178
ProductionResetTest(uint32_t selector,uint64_t nonce,const uint8_t * device_data,size_t data_len,const uint8_t * signature,size_t signature_len)179 int AvbTest::ProductionResetTest(uint32_t selector, uint64_t nonce,
180 const uint8_t *device_data, size_t data_len,
181 const uint8_t *signature, size_t signature_len)
182 {
183 ProductionResetTestRequest request;
184 request.set_selector(selector);
185 request.set_nonce(nonce);
186 if (signature && signature_len) {
187 request.set_signature(signature, signature_len);
188 }
189 if (device_data && data_len) {
190 request.set_device_data(device_data, data_len);
191 }
192 Avb service(*client);
193 return service.ProductionResetTest(request, nullptr);
194 }
195
SignChallenge(const struct ResetMessage * message,uint8_t * signature,size_t * maxsig)196 int AvbTest::SignChallenge(const struct ResetMessage *message,
197 uint8_t *signature, size_t *maxsig)
198 {
199 size_t siglen = *maxsig;
200 RSA *key = GetResetKey();
201 if (!key)
202 return -1;
203 EVP_PKEY *pkey = EVP_PKEY_new();
204 if (!pkey)
205 return -1;
206 if (!EVP_PKEY_set1_RSA(pkey, key))
207 return -1;
208 EVP_MD_CTX md_ctx;
209 EVP_MD_CTX_init(&md_ctx);
210 EVP_PKEY_CTX *pkey_ctx;
211 if (!EVP_DigestSignInit(&md_ctx, &pkey_ctx, EVP_sha256(), NULL, pkey))
212 return -1;
213 if (!EVP_PKEY_CTX_set_rsa_padding(pkey_ctx, RSA_PKCS1_PSS_PADDING))
214 return -1;
215 if (!EVP_DigestSignUpdate(&md_ctx, (uint8_t *)message, sizeof(*message)))
216 return -1;
217 EVP_DigestSignFinal(&md_ctx, NULL, &siglen);
218 if (siglen > *maxsig) {
219 std::cerr << "Signature length too long: " << siglen << " > "
220 << *maxsig << std::endl;
221 return -2;
222 }
223 *maxsig = siglen;
224 int code = EVP_DigestSignFinal(&md_ctx, signature, &siglen);
225 if (!code) {
226 std::cerr << "OpenSSL error: " << ERR_get_error() << ": "
227 << ERR_reason_error_string(ERR_get_error()) << std::endl;
228 return -3;
229 }
230 EVP_MD_CTX_cleanup(&md_ctx);
231 EVP_PKEY_free(pkey);
232 RSA_free(key);
233 // Feed it in
234 return 0;
235 }
236
Load(uint8_t slot,uint64_t * version)237 int AvbTest::Load(uint8_t slot, uint64_t *version)
238 {
239 LoadRequest request;
240 LoadResponse response;
241 int code;
242
243 request.set_slot(slot);
244
245 Avb service(*client);
246 code = service.Load(request, &response);
247 if (code == APP_SUCCESS) {
248 *version = response.version();
249 }
250
251 return code;
252 }
253
Store(uint8_t slot,uint64_t version)254 int AvbTest::Store(uint8_t slot, uint64_t version)
255 {
256 StoreRequest request;
257
258 request.set_slot(slot);
259 request.set_version(version);
260
261 Avb service(*client);
262 return service.Store(request, nullptr);
263 }
264
SetDeviceLock(uint8_t locked)265 int AvbTest::SetDeviceLock(uint8_t locked)
266 {
267 SetDeviceLockRequest request;
268
269 request.set_locked(locked);
270
271 Avb service(*client);
272 return service.SetDeviceLock(request, nullptr);
273 }
274
SetBootLock(uint8_t locked)275 int AvbTest::SetBootLock(uint8_t locked)
276 {
277 SetBootLockRequest request;
278
279 request.set_locked(locked);
280
281 Avb service(*client);
282 return service.SetBootLock(request, nullptr);
283 }
284
SetOwnerLock(uint8_t locked,const uint8_t * metadata,size_t size)285 int AvbTest::SetOwnerLock(uint8_t locked, const uint8_t *metadata, size_t size)
286 {
287 SetOwnerLockRequest request;
288
289 request.set_locked(locked);
290 if (metadata != NULL && size > 0) {
291 request.set_key(metadata, size);
292 }
293
294 Avb service(*client);
295 return service.SetOwnerLock(request, nullptr);
296 }
297
GetOwnerKey(uint32_t offset,uint8_t * metadata,size_t * size)298 int AvbTest::GetOwnerKey(uint32_t offset, uint8_t *metadata, size_t *size)
299 {
300 GetOwnerKeyRequest request;
301 GetOwnerKeyResponse response;
302 size_t i;
303 int code;
304
305 request.set_offset(offset);
306 if (size != NULL)
307 request.set_size(*size);
308
309 Avb service(*client);
310 code = service.GetOwnerKey(request, &response);
311
312 if (code == APP_SUCCESS) {
313 auto chunk = response.chunk();
314
315 if (metadata != NULL) {
316 for (i = 0; i < chunk.size(); i++)
317 metadata[i] = chunk[i];
318 }
319 if (size != NULL)
320 *size = chunk.size();
321 }
322
323 return code;
324 }
325
SetCarrierLock(uint8_t locked,const uint8_t * metadata,size_t size)326 int AvbTest::SetCarrierLock(uint8_t locked, const uint8_t *metadata, size_t size)
327 {
328 CarrierLockRequest request;
329
330 request.set_locked(locked);
331 if (metadata != NULL && size > 0) {
332 request.set_device_data(metadata, size);
333 }
334
335 Avb service(*client);
336 return service.CarrierLock(request, nullptr);
337 }
338
339 // Tests
340
TEST_F(AvbTest,CarrierLockTest)341 TEST_F(AvbTest, CarrierLockTest)
342 {
343 uint8_t carrier_data[AVB_DEVICE_DATA_SIZE];
344 uint8_t locks[4];
345 int code;
346
347 // Test we can set and unset the carrier lock in non production mode
348 memset(carrier_data, 0, sizeof(carrier_data));
349
350 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data));
351 ASSERT_NO_ERROR(code, "");
352
353 GetState(client.get(), NULL, NULL, locks);
354 ASSERT_EQ(locks[CARRIER], 0x12);
355
356 code = SetCarrierLock(0, NULL, 0);
357 ASSERT_NO_ERROR(code, "");
358
359 // Set production mode
360 avb_tools::SetBootloader(client.get());
361 code = SetProduction(client.get(), true, NULL, 0);
362 ASSERT_NO_ERROR(code, "");
363 avb_tools::BootloaderDone(client.get());
364
365 // Test we cannot set or unset the carrier lock in production mode
366 code = SetCarrierLock(0x12, carrier_data, sizeof(carrier_data));
367 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
368
369 GetState(client.get(), NULL, NULL, locks);
370 ASSERT_EQ(locks[CARRIER], 0x00);
371
372 code = SetCarrierLock(0, NULL, 0);
373 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
374 }
375
TEST_F(AvbTest,CarrierUnlockTest)376 TEST_F(AvbTest, CarrierUnlockTest)
377 {
378 CarrierLockTestRequest request;
379 CarrierLockTestResponse response;
380 CarrierUnlock *token;
381
382 token = new CarrierUnlock();
383 token->set_nonce(NONCE);
384 token->set_version(VERSION);
385 token->set_signature(SIGNATURE, sizeof(SIGNATURE));
386
387 request.set_last_nonce(LAST_NONCE);
388 request.set_version(VERSION);
389 request.set_device_data(DEVICE_DATA, sizeof(DEVICE_DATA));
390 request.set_allocated_token(token);
391
392 Avb service(*client);
393 ASSERT_NO_ERROR(service.CarrierLockTest(request, &response), "");
394
395 // The nonce is covered by the signature, so changing it should trip the
396 // signature verification
397 token->set_nonce(NONCE + 1);
398 ASSERT_EQ(service.CarrierLockTest(request, &response), APP_ERROR_AVB_AUTHORIZATION);
399 }
400
TEST_F(AvbTest,DeviceLockTest)401 TEST_F(AvbTest, DeviceLockTest)
402 {
403 bool bootloader;
404 bool production;
405 uint8_t locks[4];
406 int code;
407
408 // Test cannot set the lock
409 avb_tools::SetBootloader(client.get());
410 code = SetProduction(client.get(), true, NULL, 0);
411 ASSERT_NO_ERROR(code, "");
412
413 code = SetDeviceLock(0x12);
414 ASSERT_EQ(code, APP_ERROR_AVB_HLOS);
415
416 // Test can set lock
417 ResetProduction(client.get());
418 avb_tools::SetBootloader(client.get());
419
420 code = SetDeviceLock(0x34);
421 ASSERT_NO_ERROR(code, "");
422
423 GetState(client.get(), &bootloader, &production, locks);
424 ASSERT_TRUE(bootloader);
425 ASSERT_FALSE(production);
426 ASSERT_EQ(locks[DEVICE], 0x34);
427
428 // Test cannot set while set
429 code = SetDeviceLock(0x56);
430 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
431
432 GetState(client.get(), NULL, NULL, locks);
433 ASSERT_EQ(locks[DEVICE], 0x34);
434
435 // Test can unset
436 code = SetDeviceLock(0x00);
437 ASSERT_NO_ERROR(code, "");
438
439 GetState(client.get(), NULL, NULL, locks);
440 ASSERT_EQ(locks[DEVICE], 0x00);
441 }
442
TEST_F(AvbTest,SetDeviceLockIsIdempotent)443 TEST_F(AvbTest, SetDeviceLockIsIdempotent) {
444 ASSERT_NO_ERROR(SetDeviceLock(0x65), "");
445 ASSERT_NO_ERROR(SetDeviceLock(0x65), "");
446 }
447
TEST_F(AvbTest,BootLockTest)448 TEST_F(AvbTest, BootLockTest)
449 {
450 uint8_t locks[4];
451 int code;
452 // Test production logic.
453 code = SetProduction(client.get(), true, NULL, 0);
454 ASSERT_NO_ERROR(code, "");
455
456 // Test cannot set lock
457 code = SetBootLock(0x12);
458 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER);
459
460 GetState(client.get(), NULL, NULL, locks);
461 ASSERT_EQ(locks[BOOT], 0x00);
462
463 // Show the bootloader setting and unsetting.
464 avb_tools::SetBootloader(client.get());
465 code = SetBootLock(0x12);
466 ASSERT_NO_ERROR(code, "");
467
468 GetState(client.get(), NULL, NULL, locks);
469 ASSERT_EQ(locks[BOOT], 0x12);
470
471 code = SetBootLock(0x0);
472 ASSERT_NO_ERROR(code, "");
473
474 GetState(client.get(), NULL, NULL, locks);
475 ASSERT_EQ(locks[BOOT], 0x00);
476
477 // Test cannot unset lock while carrier set
478 ResetProduction(client.get());
479 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
480 ASSERT_NO_ERROR(code, "");
481
482 code = SetCarrierLock(0x34, DEVICE_DATA, sizeof(DEVICE_DATA));
483 ASSERT_NO_ERROR(code, "");
484
485 code = SetProduction(client.get(), true, NULL, 0);
486 ASSERT_NO_ERROR(code, "");
487
488 // Can lock when carrier lock is set.
489 avb_tools::SetBootloader(client.get());
490 code = SetBootLock(0x56);
491 ASSERT_NO_ERROR(code, "");
492
493 // Cannot unlock.
494 code = SetBootLock(0x0);
495 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
496
497 // Or change the value.
498 code = SetBootLock(0x42);
499 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
500
501 GetState(client.get(), NULL, NULL, locks);
502 ASSERT_EQ(locks[CARRIER], 0x34);
503 ASSERT_EQ(locks[BOOT], 0x56);
504
505 // Clear the locks to show device lock enforcement.
506 ResetProduction(client.get());
507 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
508 ASSERT_NO_ERROR(code, "");
509 code = SetProduction(client.get(), true, NULL, 0);
510 ASSERT_NO_ERROR(code, "");
511 avb_tools::SetBootloader(client.get());
512
513 // Need to be in the HLOS.
514 code = SetDeviceLock(0x78);
515 ASSERT_EQ(code, APP_ERROR_AVB_HLOS);
516
517 avb_tools::BootloaderDone(client.get());
518 code = SetDeviceLock(0x78);
519 ASSERT_NO_ERROR(code, "");
520
521 // We can move to a locked state when
522 // device lock is true.
523 avb_tools::SetBootloader(client.get());
524 code = SetBootLock(0x9A);
525 ASSERT_NO_ERROR(code, "");
526
527 // But we can't move back.
528 code = SetBootLock(0x0);
529 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
530
531 GetState(client.get(), NULL, NULL, locks);
532 ASSERT_EQ(locks[DEVICE], 0x78);
533 ASSERT_EQ(locks[BOOT], 0x9A);
534 }
535
TEST_F(AvbTest,SetBootLockIsIdempotent)536 TEST_F(AvbTest, SetBootLockIsIdempotent) {
537 ASSERT_NO_ERROR(SetBootLock(0x12), "");
538 ASSERT_NO_ERROR(SetBootLock(0x12), "");
539 }
540
TEST_F(AvbTest,SetBootLockAfterWipingUserData)541 TEST_F(AvbTest, SetBootLockAfterWipingUserData) {
542 // This is a sequence of commands that the bootloader will issue
543 ASSERT_NO_ERROR(SetProduction(client.get(), true, NULL, 0), "");
544 avb_tools::SetBootloader(client.get());
545 ASSERT_TRUE(nugget_tools::WipeUserData(client.get()));
546 ASSERT_NO_ERROR(SetBootLock(0xdc), "");
547 }
548
TEST_F(AvbTest,OwnerLockTest)549 TEST_F(AvbTest, OwnerLockTest)
550 {
551 uint8_t owner_key[AVB_METADATA_MAX_SIZE];
552 uint8_t chunk[AVB_CHUNK_MAX_SIZE];
553 uint8_t locks[4];
554 int code;
555 size_t i;
556
557 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += 2) {
558 owner_key[i + 0] = (i >> 8) & 0xFF;
559 owner_key[i + 1] = (i >> 8) & 0xFF;
560 }
561
562 // This should pass when BOOT lock is not set
563 code = SetOwnerLock(0x65, owner_key, sizeof(owner_key));
564 ASSERT_NO_ERROR(code, "");
565
566 GetState(client.get(), NULL, NULL, locks);
567 ASSERT_EQ(locks[OWNER], 0x65);
568
569 for (i = 0; i < AVB_METADATA_MAX_SIZE; i += AVB_CHUNK_MAX_SIZE) {
570 size_t size = sizeof(chunk);
571 size_t j;
572
573 code = GetOwnerKey(i, chunk, &size);
574 ASSERT_NO_ERROR(code, "");
575 ASSERT_EQ(size, sizeof(chunk));
576 for (j = 0; j < size; j++) {
577 ASSERT_EQ(chunk[j], owner_key[i + j]);
578 }
579 }
580
581 // Test setting the lock while set fails
582 code = SetOwnerLock(0x87, owner_key, sizeof(owner_key));
583 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
584
585 GetState(client.get(), NULL, NULL, locks);
586 ASSERT_EQ(locks[OWNER], 0x65);
587
588 // Clear it
589 code = SetOwnerLock(0x00, owner_key, sizeof(owner_key));
590 ASSERT_NO_ERROR(code, "");
591
592 GetState(client.get(), NULL, NULL, locks);
593 ASSERT_EQ(locks[OWNER], 0x00);
594
595 // Set the boot lock
596 avb_tools::SetBootloader(client.get());
597 code = SetBootLock(0x43);
598 ASSERT_NO_ERROR(code, "");
599
600 GetState(client.get(), NULL, NULL, locks);
601 ASSERT_EQ(locks[BOOT], 0x43);
602
603 // Test setting the lock while BOOT is locked fails
604 code = SetOwnerLock(0x21, owner_key, sizeof(owner_key));
605 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
606 }
607
TEST_F(AvbTest,ProductionMode)608 TEST_F(AvbTest, ProductionMode)
609 {
610 bool production;
611 uint8_t locks[4];
612 int code;
613
614 // Check we're not in production mode
615 GetState(client.get(), NULL, &production, NULL);
616 ASSERT_FALSE(production);
617
618 // Set some lock values to make sure production doesn't affect them
619 avb_tools::SetBootloader(client.get());
620 code = SetOwnerLock(0x11, NULL, 0);
621 ASSERT_NO_ERROR(code, "");
622
623 code = SetBootLock(0x22);
624 ASSERT_NO_ERROR(code, "");
625
626 code = SetCarrierLock(0x33, DEVICE_DATA, sizeof(DEVICE_DATA));
627 ASSERT_NO_ERROR(code, "");
628
629 code = SetDeviceLock(0x44);
630 ASSERT_NO_ERROR(code, "");
631
632 // Set production mode with a DUT hash
633 code = SetProduction(client.get(), true, NULL, 0);
634 ASSERT_NO_ERROR(code, "");
635
636 GetState(client.get(), NULL, &production, locks);
637 ASSERT_TRUE(production);
638 ASSERT_EQ(locks[OWNER], 0x11);
639 ASSERT_EQ(locks[BOOT], 0x22);
640 ASSERT_EQ(locks[CARRIER], 0x33);
641 ASSERT_EQ(locks[DEVICE], 0x44);
642
643 // Test production cannot be turned off.
644 code = SetProduction(client.get(), false, NULL, 0);
645 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
646 avb_tools::BootloaderDone(client.get());
647 code = SetProduction(client.get(), false, NULL, 0);
648 ASSERT_EQ(code, APP_ERROR_AVB_AUTHORIZATION);
649 }
650
TEST_F(AvbTest,Rollback)651 TEST_F(AvbTest, Rollback)
652 {
653 uint64_t value = ~0ULL;
654 int code, i;
655
656 // Test we cannot change values in normal mode
657 code = SetProduction(client.get(), true, NULL, 0);
658 ASSERT_NO_ERROR(code, "");
659 for (i = 0; i < 8; i++) {
660 code = Store(i, 0xFF00000011223344 + i);
661 ASSERT_EQ(code, APP_ERROR_AVB_BOOTLOADER);
662
663 code = Load(i, &value);
664 ASSERT_NO_ERROR(code, "");
665 ASSERT_EQ(value, 0x00ULL);
666 }
667
668 // Test we can change values in bootloader mode
669 avb_tools::SetBootloader(client.get());
670 for (i = 0; i < 8; i++) {
671 code = Store(i, 0xFF00000011223344 + i);
672 ASSERT_NO_ERROR(code, "");
673
674 code = Load(i, &value);
675 ASSERT_NO_ERROR(code, "");
676 ASSERT_EQ(value, 0xFF00000011223344 + i);
677
678 code = Store(i, 0x8800000011223344 - i);
679 ASSERT_NO_ERROR(code, "");
680
681 code = Load(i, &value);
682 ASSERT_NO_ERROR(code, "");
683 ASSERT_EQ(value, 0x8800000011223344 - i);
684 }
685 }
686
TEST_F(AvbTest,Reset)687 TEST_F(AvbTest, Reset)
688 {
689 bool bootloader;
690 bool production;
691 uint8_t locks[4];
692 int code;
693
694 // Set some locks and production mode*/
695 avb_tools::SetBootloader(client.get());
696 code = SetBootLock(0x12);
697 ASSERT_NO_ERROR(code, "");
698
699 code = SetDeviceLock(0x34);
700 ASSERT_NO_ERROR(code, "");
701
702 code = SetProduction(client.get(), true, NULL, 0);
703 ASSERT_NO_ERROR(code, "");
704
705 avb_tools::BootloaderDone(client.get());
706
707 GetState(client.get(), &bootloader, &production, locks);
708 ASSERT_FALSE(bootloader);
709 ASSERT_TRUE(production);
710 ASSERT_EQ(locks[BOOT], 0x12);
711 ASSERT_EQ(locks[DEVICE], 0x34);
712
713 // Try reset, should fail
714 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
715 ASSERT_EQ(code, APP_ERROR_AVB_DENIED);
716
717 GetState(client.get(), &bootloader, &production, locks);
718 ASSERT_FALSE(bootloader);
719 ASSERT_TRUE(production);
720 ASSERT_EQ(locks[BOOT], 0x12);
721 ASSERT_EQ(locks[DEVICE], 0x34);
722
723 // Disable production, try reset, should pass
724 ResetProduction(client.get());
725 code = Reset(client.get(), ResetRequest::LOCKS, NULL, 0);
726 ASSERT_NO_ERROR(code, "");
727
728 GetState(client.get(), &bootloader, &production, locks);
729 ASSERT_FALSE(bootloader);
730 ASSERT_FALSE(production);
731 ASSERT_EQ(locks[BOOT], 0x00);
732 ASSERT_EQ(locks[DEVICE], 0x00);
733 }
734
TEST_F(AvbTest,GetResetChallengeTest)735 TEST_F(AvbTest, GetResetChallengeTest)
736 {
737 int code;
738 uint32_t selector;
739 uint64_t nonce;
740 uint8_t data[32];
741 uint8_t empty[32];
742 size_t len = sizeof(data);
743
744 memset(data, 0, sizeof(data));
745 memset(empty, 0, sizeof(empty));
746 code = GetResetChallenge(client.get(), &selector, &nonce, data, &len);
747 ASSERT_LE(sizeof(data), len);
748 ASSERT_NO_ERROR(code, "");
749 EXPECT_NE(0ULL, nonce);
750 EXPECT_EQ((uint32_t)ResetToken::CURRENT, selector);
751 EXPECT_EQ(32UL, len);
752 // We didn't set a device id.
753 EXPECT_EQ(0, memcmp(data, empty, sizeof(empty)));
754 }
755
756 // TODO(drewry) move to new test suite since this is unsafe on
757 // non-TEST_IMAGE builds.
TEST_F(AvbTest,ResetProductionValid)758 TEST_F(AvbTest, ResetProductionValid)
759 {
760 static const uint8_t kDeviceHash[] = {
761 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
762 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
763 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
764 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8
765 };
766 struct ResetMessage message;
767 int code;
768 uint32_t selector;
769 size_t len = sizeof(message.data);
770 uint8_t signature[2048/8 + 1];
771 size_t siglen = sizeof(signature);
772
773 // Lock in a fixed device hash
774 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash));
775 EXPECT_EQ(0, code);
776
777 memset(message.data, 0, sizeof(message.data));
778 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
779 ASSERT_NO_ERROR(code, "");
780 // Expect, not assert, just in case something goes weird, we may still
781 // exit cleanly.
782 EXPECT_EQ(0, memcmp(message.data, kDeviceHash, sizeof(kDeviceHash)));
783 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
784
785 // Try a bad challenge, wasting the nonce.
786 uint8_t orig = signature[0];
787 signature[0] += 1;
788 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
789 // TODO: expect the LINENO error
790 EXPECT_NE(0, code);
791 signature[0] = orig;
792 // Re-lock since TEST_IMAGE will unlock on failure.
793 code = SetProduction(client.get(), true, kDeviceHash, sizeof(kDeviceHash));
794 EXPECT_EQ(0, code);
795
796 // Now use a good one, but without getting a new nonce.
797 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
798 EXPECT_EQ(code, APP_ERROR_AVB_DENIED);
799
800 // Now get the nonce and use a good signature.
801 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
802 ASSERT_NO_ERROR(code, "");
803 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
804 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
805 ASSERT_NO_ERROR(code, "");
806 }
807
808 static const uint8_t kNullSig[] = {
809 0x95, 0x35, 0x5a, 0xb6, 0xe3, 0x8e, 0x43, 0x03, 0xd9, 0xd9, 0xd5, 0x6e,
810 0x99, 0x86, 0xff, 0x8e, 0x6a, 0xf1, 0x54, 0x6f, 0xa8, 0xff, 0x37, 0x38,
811 0xc6, 0x9b, 0x4d, 0xc6, 0x99, 0x1f, 0x37, 0x5c, 0xec, 0xf4, 0x32, 0xd8,
812 0xe6, 0x00, 0xcc, 0x74, 0xde, 0xa9, 0x68, 0x1a, 0xab, 0x6a, 0x6e, 0xe7,
813 0xa7, 0xa1, 0x59, 0xe0, 0x7c, 0x86, 0x95, 0x28, 0x94, 0x18, 0x3f, 0x0f,
814 0xb9, 0x0f, 0x05, 0x6c, 0x86, 0x5a, 0x6a, 0xe4, 0x6d, 0x36, 0x71, 0x86,
815 0x38, 0xab, 0x7a, 0x2d, 0x9c, 0xa5, 0xfa, 0xc8, 0x7c, 0x48, 0x02, 0x8c,
816 0x6b, 0x4d, 0xda, 0xa4, 0xb5, 0xa8, 0x17, 0x39, 0x5e, 0xe3, 0x1a, 0xd5,
817 0xf8, 0x87, 0x6e, 0xd9, 0xc0, 0x0c, 0x29, 0x4d, 0x93, 0xa2, 0x3b, 0xfc,
818 0x2d, 0x38, 0x8e, 0x2b, 0xc7, 0x49, 0x26, 0xd9, 0xcb, 0x47, 0x89, 0x4c,
819 0x79, 0xd3, 0x60, 0x62, 0xf9, 0x71, 0xa7, 0x73, 0x6a, 0x03, 0x65, 0x1f,
820 0x11, 0x0d, 0x9e, 0x27, 0x99, 0x6b, 0xa7, 0x46, 0x85, 0x75, 0xec, 0xff,
821 0x5b, 0x1d, 0x8d, 0x1b, 0x34, 0xd8, 0xb9, 0x4f, 0x63, 0x88, 0x08, 0xa8,
822 0x16, 0xba, 0xfc, 0xe7, 0x66, 0xa4, 0xe5, 0xde, 0x4e, 0x0b, 0x98, 0x80,
823 0xd5, 0x16, 0x55, 0xfb, 0xdb, 0xe8, 0xa2, 0x90, 0x85, 0x4e, 0xa9, 0xb6,
824 0x81, 0x55, 0xef, 0xbf, 0x12, 0xe3, 0xd2, 0xa9, 0xae, 0x2c, 0x43, 0x67,
825 0x4c, 0x09, 0x6d, 0x95, 0xaf, 0x44, 0xc2, 0xb9, 0x9d, 0x7c, 0xb1, 0x88,
826 0xf8, 0x6c, 0xa0, 0x13, 0x4c, 0xbf, 0x85, 0xa2, 0x8b, 0x9d, 0x06, 0xc8,
827 0x11, 0xdb, 0x1f, 0xfb, 0x05, 0x15, 0xd6, 0x1f, 0xe5, 0x52, 0x9c, 0xd5,
828 0xbd, 0xff, 0xb0, 0xce, 0x29, 0xec, 0xd8, 0x9e, 0xdb, 0x5b, 0xc9, 0x52,
829 0x24, 0xaf, 0x22, 0xeb, 0xce, 0x15, 0x0d, 0xfd, 0x6c, 0x76, 0x90, 0x3e,
830 0x4f, 0x63, 0xfd, 0xb1
831 };
832
833 const static unsigned int kNullSigLen = 256;
834
TEST_F(AvbTest,ProductionResetTestValid)835 TEST_F(AvbTest, ProductionResetTestValid)
836 {
837 static const uint8_t kDeviceHash[] = {
838 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
839 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
840 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8,
841 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8
842 };
843 struct ResetMessage message;
844 int code;
845 uint32_t selector = ResetToken::CURRENT;
846 size_t len = sizeof(message.data);
847 uint8_t signature[2048/8 + 1];
848 size_t siglen = sizeof(signature);
849
850 memcpy(message.data, kDeviceHash, sizeof(message.data));
851 message.nonce = 123456;
852 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
853
854 // Try a bad challenge, wasting the nonce.
855 uint8_t orig = signature[0];
856 signature[0] += 1;
857 code = ProductionResetTest(selector, message.nonce, message.data, len,
858 signature, siglen);
859 EXPECT_NE(0, code);
860 signature[0] = orig;
861
862 // Now use a good signature.
863 code = ProductionResetTest(selector, message.nonce, message.data, len,
864 signature, siglen);
865 ASSERT_NO_ERROR(code, "");
866
867 // Note, testing nonce expiration is handled in the Reset(PRODUCTION)
868 // test. This just checks a second signature over an app sourced nonce.
869 code = GetResetChallenge(client.get(), &selector, &message.nonce, message.data, &len);
870 ASSERT_NO_ERROR(code, "");
871 ASSERT_EQ(0, SignChallenge(&message, signature, &siglen));
872 code = Reset(client.get(), ResetRequest::PRODUCTION, signature, siglen);
873 ASSERT_NO_ERROR(code, "");
874
875 // Now test a null signature as we will for the real keys
876 message.nonce = 0;
877 memset(message.data, 0, sizeof(message.data));
878 code = ProductionResetTest(selector, message.nonce, message.data, len,
879 kNullSig, kNullSigLen);
880 ASSERT_NO_ERROR(code, "");
881 }
882
TEST_F(AvbTest,WipeUserDataDoesNotLockDeviceLock)883 TEST_F(AvbTest, WipeUserDataDoesNotLockDeviceLock) {
884 ASSERT_NO_ERROR(SetDeviceLock(0x00), "");
885 ASSERT_TRUE(nugget_tools::WipeUserData(client.get()));
886
887 uint8_t locks[4];
888 GetState(client.get(), nullptr, nullptr, locks);
889 EXPECT_EQ(locks[DEVICE], 0x00);
890 }
891
892 } // namespace
893