[OpenBIOS] r666 - cpu/x86/pc/olpc
svn at openbios.org
svn at openbios.org
Thu Oct 4 10:19:31 CEST 2007
Author: wmb
Date: 2007-10-04 10:19:30 +0200 (Thu, 04 Oct 2007)
New Revision: 666
Added:
cpu/x86/pc/olpc/fsupdate.fth
Modified:
cpu/x86/pc/olpc/copynand.fth
cpu/x86/pc/olpc/crypto.bth
cpu/x86/pc/olpc/crypto.fth
cpu/x86/pc/olpc/fw.bth
cpu/x86/pc/olpc/loaddropins.fth
cpu/x86/pc/olpc/security.fth
cpu/x86/pc/olpc/versions.fth
Log:
OLPC - Secure NAND file system update.
Modified: cpu/x86/pc/olpc/copynand.fth
===================================================================
--- cpu/x86/pc/olpc/copynand.fth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/copynand.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -198,6 +198,8 @@
defer show-done
' cr to show-done
+: >eblock# ( page# -- eblock# ) nand-pages/block / ;
+
: copy-nand ( "devspec" -- )
open-nand
get-img-filename
@@ -206,7 +208,7 @@
['] noop to show-progress
- #nand-pages nand-pages/block / dup show-init ( #eblocks )
+ #nand-pages >eblock# dup show-init ( #eblocks )
show-erasing ( )
['] show-bad ['] show-erased ['] show-bbt-block " (wipe)" $call-nand
@@ -219,7 +221,7 @@
load-base " copy-block" $call-nand ( page# error? )
" Error writing to NAND FLASH" ?nand-abort ( page# )
?skip-oob
- nand-pages/block / show-written ( )
+ >eblock# show-written ( )
loop
show-cleaning
@@ -319,7 +321,7 @@
;
: alloc-crc-buf ( -- )
- #nand-pages nand-pages/block / to #crc-records
+ #nand-pages >eblock# to #crc-records
#crc-records /l* alloc-mem to crc-buf
;
@@ -370,7 +372,7 @@
\ The stack is empty at the end of each line unless otherwise noted
dump-oob? if #nand-pages else " usable-page-limit" $call-nand then
0 do
- (cr i nand-pages/block / .
+ (cr i >eblock# .
load-base i nand-pages/block " read-blocks" $call-nand
nand-pages/block = if
load-base /nand-block written? if
Modified: cpu/x86/pc/olpc/crypto.bth
===================================================================
--- cpu/x86/pc/olpc/crypto.bth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/crypto.bth 2007-10-04 08:19:30 UTC (rev 666)
@@ -6,9 +6,9 @@
fload ${BP}/cpu/x86/pc/olpc/versions.fth
" wget http://dev.laptop.org/pub/firmware/crypto/bios_verify-${CRYPTO_VERSION}.img -O verify.img" expand$ $sh
-" wget http://dev.laptop.org/pub/firmware/crypto/bios_hash-${CRYPTO_VERSION}.img -O hasher.img" expand$ $sh
" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/os.public -O os.public" expand$ $sh
" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fw.public -O fw.public" expand$ $sh
+" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/fs.public -O fs.public" expand$ $sh
" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/lease.public -O lease.public" expand$ $sh
" wget http://dev.laptop.org/pub/firmware/crypto/testkeys/developer.public -O developer.public" expand$ $sh
Modified: cpu/x86/pc/olpc/crypto.fth
===================================================================
--- cpu/x86/pc/olpc/crypto.fth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/crypto.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -5,29 +5,6 @@
h# d0000 constant verify-bss \ The address the code is linked to run at
h# 10000 constant /verify-bss
-1 [if]
-h# 70000 constant hasher-base \ The address the code is linked to run at
-h# 80000 constant hasher-bss
-h# 18000 constant /hasher-bss
-variable hashlen
-d# 128 buffer: hashbuf
-
-: get-hasher ( -- )
- " hasher" find-drop-in 0= if 4drop true exit then ( prog$ )
- 2dup hasher-base swap move free-mem ( hashname$ )
-;
-
-: hash ( data$ hashname$ -- result$ )
- d# 128 hashlen !
- $cstr hashbuf hashlen ( databuf datalen hashname-cstr resbuf &reslen )
-
- hasher-bss /hasher-bss erase
-
- hasher-base dup h# 10 - sp-call abort" Hash failed" drop 4drop ( )
- hashbuf hashlen @
-;
-[then]
-
0 value crypto-loaded?
: load-crypto ( -- error? )
crypto-loaded? if false exit then
@@ -43,14 +20,23 @@
$cstr
verify-bss /verify-bss erase ( data$ sig$ key$ 'hashname )
verify-base dup h# 10 - sp-call >r 3drop 4drop r> ( result )
-
-\ XXX free-mem in suspend.fth and fw.bth after find-drop-in
-\ XXX clean out dead code in usb.fth
;
-: getbin " usb8388.bin" find-drop-in 0= abort" No usb8388.bin" ;
-: getsig " usb8388.sig" find-drop-in 0= abort" No usb8388.sig" ;
+\ This is a hack that saves a lot of memory. The crypto verifier
+\ code has a mode where it will just compute and return the hash value,
+\ instead of going on to verify the hash's signature. In that mode,
+\ we use sig$ for the address and length of the result buffer, key-adr
+\ to return the actual return length, and pass in key-len = 0 to denote
+\ that we want only hashing.
+variable hashlen
+d# 128 buffer: hashbuf
+: hash ( data$ hashname$ -- result$ )
+ 2>r hashbuf d# 128 hashlen 0 2r> ( data$ sig$ key$ hashname$ )
+ signature-bad? abort" Hash failed" ( )
+ hashbuf hashlen @
+;
+
\ LICENSE_BEGIN
\ Copyright (c) 2007 FirmWorks
\
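Review bot: The hash-only mode that the new `hash` relies on is selected solely by passing a zero `key-len` to `signature-bad?`, so any verification caller whose `key$` happens to be empty (for instance a `key:` word whose drop-in is absent, if `key:` does not abort in that case) would get a hash computation instead of a signature check and `signature-bad?` would report success; confirm that `key:` and `load-crypto` can never yield a zero-length `pubkey$`, or reject an empty key explicitly on the verification path. The hack also ties this file to a verifier that understands the mode, which the block comment should state, e.g. `\ Requires the bios_verify image of CRYPTO_VERSION 0.2 or later; an older verify.img presumably treats an empty key$ as a real key.` The word that ends at the `;` near the top of the hunk begins before it.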
Added: cpu/x86/pc/olpc/fsupdate.fth
===================================================================
--- cpu/x86/pc/olpc/fsupdate.fth (rev 0)
+++ cpu/x86/pc/olpc/fsupdate.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -0,0 +1,125 @@
+purpose: Secure NAND updater
+
+\ Depends on words from security.fth and copynand.fth
+
+: get-hex# ( -- n )
+ safe-parse-word
+ push-hex
+ $number " Bad number" ?nand-abort
+ pop-base
+;
+
+\ XXX implement this
+: map-eblock# ( block# -- block#' ) ;
+
+
+vocabulary nand-commands
+also nand-commands definitions
+
+: data: ( "filename" -- )
+ safe-parse-word fn-buf place
+ bundle-name$ image-name-buf place
+ open-img
+;
+
+: erase-all ( -- )
+ #nand-pages >eblock# show-erasing
+ ['] show-bad ['] show-erased ['] show-bbt-block " (wipe)" $call-nand
+ #image-eblocks show-writing
+;
+
+: eblock: ( "eblock#" "hashname" "hash-of-128KiB" -- )
+ get-hex# ( eblock# )
+ read-image-block
+ load-base /nand-block safe-parse-word ( eblock# data$ hashname$ )
+ hash ( eblock# result$ )
+ safe-parse-word hex-decode " Malformed hash string" ?nand-abort
+ $= if ( eblock# )
+ drop
+ else ( eblock# )
+ ." Bad hash for eblock# " .x cr
+ abort
+ then ( )
+
+ load-base " copy-block" $call-nand ( page# error? )
+ " Error writing to NAND FLASH" ?nand-abort ( page# )
+ >eblock# show-written ( )
+;
+
+: bytes: ( "eblock#" "page#" "offset" "length" "data" -- )
+ get-hex# get-hex# 2>r ( r: eblock# page# )
+ get-hex# get-hex# ( offset length r: eblock# page# )
+ 2dup + h# 840 >= abort" Offset + length exceeds page + OOB size"
+ safe-parse-word hex-decode ( offset length data$ )
+ rot over <> abort" Length mismatch" ( offset data$ )
+ r> r> map-eblock# nand-pages/block * + ( offset data$ page#')
+ -rot 2swap swap ( data$ page# offset )
+ " pio-write-raw" $call-nand abort" NAND write error"
+;
+
+: cleanmarkers ( -- )
+ show-cleaning
+ ['] show-clean " put-cleanmarkers" $call-nand
+;
+
+: mark-pending: ( "eblock#" -- )
+ get-hex# map-eblock# nand-pages/block * ( page# )
+ " COMP" rot h# 838
+ " pio-write-raw" $call-nand abort" NAND write error"
+;
+
+: mark-complete: ( "eblock#" -- )
+ get-hex# map-eblock# nand-pages/block *
+ " LETE" rot h# 83c
+ " pio-write-raw" $call-nand abort" NAND write error"
+;
+
+previous definitions
+
+: do-fs-update ( img$ -- )
+ tuck load-base h# 100000 + swap move ( len )
+ load-base h# 100000 + swap
+ open-nand
+ ['] noop to show-progress
+ #nand-pages >eblock# show-init
+
+\ clear-context nand-commands
+also nand-commands
+
+ ['] include-buffer catch if nip nip .error security-failure then
+
+previous
+\ only forth also definitions
+
+ show-done
+ close-nand-ihs
+;
+
+: fs-update-from-list ( devlist$ -- )
+ load-crypto if visible ." Crytpo load failed" cr show-sad security-failure then
+
+ visible ( devlist$ )
+ begin dup while ( rem$ )
+ bl left-parse-string ( rem$ dev$ )
+ dn-buf place ( rem$ )
+
+ null$ pn-buf place ( rem$ )
+ null$ cn-buf place ( rem$ )
+ " fs" bundle-present? if ( rem$ )
+ " Filesystem image found - " ?lease-debug
+ fskey$ to pubkey$ ( rem$ )
+ img$ sig$ sha-valid? if ( rem$ )
+ 2drop ( )
+ show-unlock ( )
+ img$ do-fs-update ( )
+ exit
+ then ( rem$ )
+ show-lock ( rem$ )
+ then ( rem$ )
+ repeat ( rem$ )
+ 2drop
+;
+: try-fs-update ( -- )
+ ." Searching for a NAND file system update image." cr
+ all-devices$ fs-update-from-list
+;
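Review bot: `map-eblock#` is an identity stub marked XXX, so `bytes:`, `mark-pending:` and `mark-complete:` compute raw page numbers with no bad-block remapping while `eblock:` goes through `copy-block`; until it is implemented the two paths can land in different physical blocks on a device with bad blocks, and the stub should say so: `\ XXX identity mapping for now: callers write to the unmapped physical eblock`. The bound in `bytes:` uses `>=`, which rejects a write ending exactly at the end of the OOB area (`offset + length = h# 840`) although `mark-complete:` itself writes 4 bytes at `h# 83c`; `2dup + h# 840 > abort" Offset + length exceeds page + OOB size"` matches the message. In `get-hex#` the abort path skips `pop-base` and leaves the number base as hex; `$number pop-base " Bad number" ?nand-abort` restores it first, the same order `hex-decode` in security.fth already uses. `do-fs-update` interprets the signed script with the full Forth search order because the `clear-context nand-commands` line is commented out, so a script is a general program rather than a command list; either restrict the context or document that this is intentional. The message in `fs-update-from-list` misspells "Crypto".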
Modified: cpu/x86/pc/olpc/fw.bth
===================================================================
--- cpu/x86/pc/olpc/fw.bth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/fw.bth 2007-10-04 08:19:30 UTC (rev 666)
@@ -334,6 +334,7 @@
fload ${BP}/cpu/x86/pc/olpc/gamekeys.fth
fload ${BP}/cpu/x86/pc/olpc/linux.fth
fload ${BP}/cpu/x86/pc/olpc/security.fth
+fload ${BP}/cpu/x86/pc/olpc/fsupdate.fth
fload ${BP}/cpu/x86/pc/olpc/setwp.fth
fload ${BP}/ofw/gui/ofpong.fth
fload ${BP}/cpu/x86/pc/olpc/life.fth
@@ -496,6 +497,12 @@
time&date 5drop 1 and if pong else life-demo then
then
;
+: ?fs-update ( -- )
+ button-check button-x or button-o or button-square or ( mask )
+ game-key-mask over and = if
+ try-fs-update
+ then
+;
: open-keyboard ( -- )
" keyboard" open-dev ?dup if set-stdin then
;
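Review bot: `?fs-update` carries no comment on when the update path is entered, and the next hunk calls it before `secure-startup`, i.e. independently of the lease and developer-key state; what gates the update is the `fskey$` signature check inside `fs-update-from-list`. Suggested header: `\ If the game-key chord (button-check, X, O, square) is held at boot, look for a signed NAND file system update before secure-startup; the image must verify against fskey$.` The comparison `game-key-mask over and =` presumably requires all chord bits to be set without excluding other keys — worth stating in that comment too.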
@@ -521,6 +528,7 @@
['] false to interrupt-auto-boot?
probe-usb
interpreter-init
+ ?fs-update
secure-startup
['] (interrupt-auto-boot?) to interrupt-auto-boot?
screen-ih stdout !
Modified: cpu/x86/pc/olpc/loaddropins.fth
===================================================================
--- cpu/x86/pc/olpc/loaddropins.fth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/loaddropins.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -55,6 +55,7 @@
" verify.img" " verify" $add-deflated-dropin
" os.public" " ospubkey" $add-dropin \ Incompressible
" fw.public" " fwpubkey" $add-dropin \ Incompressible
+ " fs.public" " fspubkey" $add-dropin \ Incompressible
" lease.public" " leasepubkey" $add-dropin \ Incompressible
" developer.public" " develpubkey" $add-dropin \ Incompressible
Modified: cpu/x86/pc/olpc/security.fth
===================================================================
--- cpu/x86/pc/olpc/security.fth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/security.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -3,8 +3,6 @@
\ Specs at http://wiki.laptop.org/go/Firmware_Security
-: boot-device-list " disk sd nand" ;
-
true value debug-security?
: ?lease-debug ( msg$ -- )
debug-security? if type else 2drop then
@@ -53,6 +51,7 @@
then
rot >r 2dup r> 2! ( key$ )
;
+" fspubkey" key: fskey$
" ospubkey" key: oskey$
" fwpubkey" key: fwkey$
" develpubkey" key: develkey$
@@ -73,10 +72,6 @@
\ binary form at sig-buf. It returns the adr,len of the binary string.
: hex-decode ( hex$ -- true | sig$ false )
- dup /sig 2* <> if
- ( ." Bad signature length" cr )
- 2drop true exit
- then ( hex$ )
sig-buf -rot ( adr hex$ )
bounds ?do ( adr )
i 2 push-hex $number pop-base if ( adr )
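Review bot: `hex-decode` no longer checks the input length before decoding into `sig-buf`, and the `/sig 2*` check reappears only in the sig01 caller in the next hunk, so the new callers in fsupdate.fth (`eblock:` and `bytes:`) now decode a hex string of any length into a fixed buffer (presumably sized by `/sig`) and only compare lengths afterwards; a string longer than the buffer would overrun it before the `Length mismatch` abort. Even though the update script is signature-checked before it is interpreted, the decoder should reject input that does not fit, e.g. `dup /sig 2* > if 2drop true exit then` at the top of the word, or take the destination size as a parameter. The loop body of `hex-decode` continues past the hunk.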
@@ -97,6 +92,8 @@
bl left-parse-string dup d# 6 <> if 4drop true exit then 2swap ( hash$ rem$ )
bl left-parse-string nip d# 64 <> if 4drop true exit then ( hash$ rem$ )
newline left-parse-string 2swap nip 0<> if 4drop true exit then ( hash$ data$ )
+ dup /sig 2* <> if ( ." Bad signature length" cr ) 2drop true exit then ( hash$ data$ )
+
hex-decode if 2drop true else false then
;
@@ -141,8 +138,6 @@
\ hashname remembers the most recently used hashname to guard against
\ attacks based on reuse of the same (presumably compromized) hash.
-d# 32 buffer: hashname
-
\ invalid? checks the validity of data$ against the ASCII signature
\ record sig01$, using the public key that pubkey$ points to.
\ It also verifies that the hashname contained in sig01$ is the
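Review bot: The comment kept at the top of this hunk still describes `hashname` as a guard against reuse of a compromised hash, but the buffer is removed here and every `0 hashname c!` reset goes with it in the later hunks of this file (`check-machine-signature`, the RD, firmware and OS paths). If that guard now lives in the verifier image that CRYPTO_VERSION 0.2 refers to, the comment should say so, e.g. `\ The hashname-reuse guard is now enforced inside the verifier image; see versions.fth.`; otherwise these hunks silently drop a documented check and that should be called out in the log.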
@@ -344,7 +339,6 @@
\ a tree-state flag; see check-lease.)
: check-machine-signature ( sig$ expiration$ -- -1|1 )
- 0 hashname c!
machine-id-buf d# 51 + swap move ( sig$ )
machine-id-buf d# 67 2swap sha-valid? if 1 else -1 then
;
@@ -510,7 +504,6 @@
r> to load-path
" RD found - " ?lease-debug
- 0 hashname c!
img$ sig$ sha-valid? if
show-unlock
load-base to ramdisk-adr
@@ -606,7 +599,6 @@
else
" minus" show-icon
" new - " ?lease-debug
- 0 hashname c!
fwkey$ to pubkey$
img$ sig$ fw-valid? if
visible
@@ -617,6 +609,12 @@
true to file-loaded?
" Updating firmware" ?lease-debug-cr
+ ['] ?enough-power catch ?dup if
+ visible
+ .error
+ security-failure
+ then
+
\ Latch alternate? flag for next startup
alternate? if [char] A h# 82 cmos! then
@@ -636,7 +634,6 @@
d# 16 0 +icon-xy show-dot
" os" bundle-present? if
" OS found - " ?lease-debug
- 0 hashname c!
oskey$ to pubkey$
img$ sig$ sha-valid? if
img$ tuck load-base swap move !load-size
@@ -667,17 +664,18 @@
icon-xy to base-xy
icon-xy image-width 0 d+ to next-xy ( list$ )
- filesystem-present? if
+ filesystem-present? if ( list$ )
- d# 5 d# 77 +icon-xy show-dot
- has-developer-key? if
+ d# 5 d# 77 +icon-xy show-dot ( list$ )
+ has-developer-key? if ( list$ )
+ 2drop ( )
visible
show-unlock
true exit
- then
+ then ( list$ )
- load-from-device if
- 2drop
+ load-from-device if ( list$ )
+ 2drop ( )
['] secure-load-ramdisk to load-ramdisk
" init-program" $find if
execute show-going go
@@ -685,12 +683,12 @@
show-x
security-failure
then
- then
+ then ( list$ )
- next-xy to icon-xy
+ next-xy to icon-xy ( list$ )
repeat ( list$ )
- " sad" show-icon
- 2drop false
+ " sad" show-icon ( list$ )
+ 2drop false ( )
;
: persistent-devkey? ( -- flag ) " dk" find-tag dup if nip nip then ;
Modified: cpu/x86/pc/olpc/versions.fth
===================================================================
--- cpu/x86/pc/olpc/versions.fth 2007-10-02 07:52:21 UTC (rev 665)
+++ cpu/x86/pc/olpc/versions.fth 2007-10-04 08:19:30 UTC (rev 666)
@@ -2,7 +2,7 @@
\ The overall firmware revision
macro: FW_MAJOR C
-macro: FW_MINOR 28
+macro: FW_MINOR 28b
\ The EC microcode
macro: EC_VERSION c24
@@ -16,4 +16,4 @@
macro: WLAN_VERSION 5.110.16.p1
\ The bios_verify image
-macro: CRYPTO_VERSION 0.1
+macro: CRYPTO_VERSION 0.2