2024.1 Updates

 1. Support for Authentication Optimization
 2. Minor Bug Fixes

Signed-off-by: Ramya Darapuneni <[email protected]>

Author: RamyaDarapuneni

authentication-versal.cpp

@@ -496,6 +496,61 @@ Section* VersalAuthenticationContext::CreateCertificate(BootImage& bi, Binary& c
     return acSection;
 }
 
+/******************************************************************************/
+static uint32_t ComputeWordChecksum(void* firstWordPtr, size_t length)
+{
+    uint32_t checksum = 0;
+    size_t numChecksumedWords = length / sizeof(uint32_t);
+    for (size_t i = 0; i< numChecksumedWords; i++)
+    {
+        checksum += ((uint32_t*)firstWordPtr)[i];
+    }
+    /* Invert the Checksum value */
+    checksum ^= 0xFFFFFFFF;
+    return checksum;
+}
+
+/******************************************************************************/
+void VersalAuthenticationContext::SetHashinOptionalData(BootImage& bi)
+{
+    uint32_t sectn_size_id = 0;
+    /* Optional Data Header + Optional Data Actual size (32 bit(4Bytes) partition Number + Hash Length in bytes) + Checksum */
+    uint16_t sectn_length = sizeof(uint32_t) + (bi.hashTable.size() * (sizeof(uint32_t) + SHA3_LENGTH_BYTES)) + sizeof(uint32_t);
+    /* Data ID for Hash block is fixed to 3 */
+    sectn_size_id = (uint32_t)((sectn_length / 4) << 16) | DATA_ID_PARTITION_HASHES;
+
+    memcpy(bi.iht_optional_data + (bi.copied_iht_optional_data_length / 4), &sectn_size_id, sizeof(uint32_t));
+    bi.copied_iht_optional_data_length += sizeof(uint32_t);
+    for (size_t i = 0; i < bi.hashTable.size(); i++)
+    {
+        uint32_t partition_num = bi.hashTable[i].first;
+        memcpy(bi.iht_optional_data + (bi.copied_iht_optional_data_length / 4), &partition_num, sizeof(uint32_t));
+        bi.copied_iht_optional_data_length += sizeof(uint32_t);
+        memcpy(bi.iht_optional_data + (bi.copied_iht_optional_data_length / 4), bi.hashTable[i].second, SHA3_LENGTH_BYTES);
+        bi.copied_iht_optional_data_length += SHA3_LENGTH_BYTES;
+    }
+
+    uint32_t checksum = ComputeWordChecksum(bi.iht_optional_data + ((bi.copied_iht_optional_data_length - sectn_length + sizeof(uint32_t)) / 4),
+        sectn_length - sizeof(uint32_t));
+    memcpy(bi.iht_optional_data + (bi.copied_iht_optional_data_length / 4), &checksum, sizeof(uint32_t));
+    bi.copied_iht_optional_data_length += sizeof(uint32_t);
+
+    if (bi.copied_iht_optional_data_length != 0)
+    {
+        uint32_t padLength = (bi.copied_iht_optional_data_length % 64 != 0) ? 64 - (bi.copied_iht_optional_data_length % 64) : 0;
+        if (bi.copied_iht_optional_data_length + padLength != bi.iht_optional_data_length)
+        {
+            LOG_ERROR("Optional Data Length doen't match the calculated length");
+        }
+    }
+
+    memcpy(bi.imageHeaderTable->section->Data + sizeof(VersalImageHeaderTableStructure) + (bi.copied_iht_optional_data_length - sectn_length),
+        bi.iht_optional_data + (bi.copied_iht_optional_data_length - sectn_length) / 4, sectn_length);
+    //bi.copied_iht_optional_data_length += sectn_length;
+    LOG_TRACE("Partition Hash processed to optional data");
+
+}
+
 /******************************************************************************/
 void VersalAuthenticationContext::Link(BootImage& bi, std::list<Section*> sections, AuthenticationCertificate* cert)
 {
@@ -507,25 +562,56 @@ void VersalAuthenticationContext::Link(BootImage& bi, std::list<Section*> sectio
     }
 
     /*  Copy meta header Signature when headers */
-    if (sections.front()->Name == "Headers")
-    {
-        CopyIHTSignature(bi, cert->section->Data + AC_BH_SIGN_OFFSET);
-    }
+    /* With authentication optimization */
+    if(bi.options.IsAuthOptimizationEnabled()){
+        if (sections.front()->Name == "Headers")
+        {
+            CopyPartitionSignature(bi, sections, cert->section->Data + AC_PARTITION_SIGN_OFFSET, cert->section);
+            SetHashinOptionalData(bi);
+            CopyIHTSignature(bi, cert->section->Data + AC_BH_SIGN_OFFSET);
+        }
 
-    if (presignFile == "")
-    {
-        CopyPartitionSignature(bi, sections, cert->section->Data + AC_PARTITION_SIGN_OFFSET, cert->section);
+        if (presignFile == "")
+        {
+            if(sections.front()->Name != "Headers"){
+                CopyPartitionSignature(bi, sections, cert->section->Data + AC_PARTITION_SIGN_OFFSET, cert->section);
+            }
+        }
+        else
+        {
+            int index = acIndex;
+            if (cert->section->index != 0)
+            {
+                index = cert->section->index;
+            }
+            GetPresign(presignFile, cert->section->Data + AC_PARTITION_SIGN_OFFSET, index);
+            acIndex++;
+        }
     }
+    /* Normal flow -- Without authentication optimization */
     else
     {
-        int index = acIndex;
-        if (cert->section->index != 0)
+        if (sections.front()->Name == "Headers")
         {
-            index = cert->section->index;
+            CopyIHTSignature(bi, cert->section->Data + AC_BH_SIGN_OFFSET);
         }
-        GetPresign(presignFile, cert->section->Data + AC_PARTITION_SIGN_OFFSET, index);
-        acIndex++;
-    }
+
+        if (presignFile == "")
+        {
+            CopyPartitionSignature(bi, sections, cert->section->Data + AC_PARTITION_SIGN_OFFSET, cert->section);
+        }
+        else
+        {
+            int index = acIndex;
+            if (cert->section->index != 0)
+            {
+                index = cert->section->index;
+            }
+            GetPresign(presignFile, cert->section->Data + AC_PARTITION_SIGN_OFFSET, index);
+            acIndex++;
+        }
+   }
+
 }
 
 /******************************************************************************/
@@ -906,21 +992,30 @@ void VersalAuthenticationContext::CopyPartitionSignature(BootImage& bi, std::lis
     {
         hashSecLen = (*section)->firstChunkSize + hashLength;
     }
+
     /* Update with AC and then Partition */
-    uint8_t *partitionAc = new uint8_t[hashSecLen + (acSection->Length - signatureLength)];
+    int signSecLength  = acSection->Length - signatureLength;
+    /*Remove the IHT signature length from sign section in case of auth optimization*/
+    if (bi.options.IsAuthOptimizationEnabled() && (*section)->Name == "Headers")
+    {
+        signSecLength -= signatureLength;
+        (*section)->partitionNum = 0x00;
+    }
+
+    uint8_t *partitionAc = new uint8_t[hashSecLen + signSecLength];
 
     /* Update with authentication certificate except the last 256 bytes - which is the partition signature that we are calculating now.
     Once calculated, the partition signature will sit there */
-    memcpy(partitionAc, acSection->Data, acSection->Length - signatureLength);
+    memcpy(partitionAc, acSection->Data, signSecLength);
 
     /* Update with Partition */
-    memcpy(partitionAc + acSection->Length - signatureLength, (*section)->Data, hashSecLen);
+    memcpy(partitionAc + signSecLength, (*section)->Data, hashSecLen);
 
     /* Calculate the final hash */
-    Versalcrypto_hash(shaHash, partitionAc, hashSecLen + (acSection->Length - signatureLength), !((*section)->isBootloader && !bi.options.IsVersalNetSeries()));
+    Versalcrypto_hash(shaHash, partitionAc, hashSecLen + signSecLength, !((*section)->isBootloader && !bi.options.IsVersalNetSeries()));
     LOG_TRACE("Hash of %s (LE):", acSection->Name.c_str());
     LOG_DUMP_BYTES(shaHash, hashLength);
-    if (bi.options.IsAuthOptimizationEnabled() && ((*section)->Name != "Headers") && !((*section)->isBootloader))
+    if (bi.options.IsAuthOptimizationEnabled() && !((*section)->isBootloader))
     {
         uint8_t* hash = new uint8_t[hashLength];
         bi.hashTable.push_back(std::pair<uint32_t, uint8_t*>((*section)->partitionNum, hash));

authentication-versal.h

@@ -284,6 +284,7 @@ class VersalAuthenticationContext : public AuthenticationContext
     void SetKeyLength(Authentication::Type type);
     AuthenticationAlgorithm* GetAuthenticationAlgorithm(Authentication::Type type);
     uint32_t GetCertificateSize();
+    void SetHashinOptionalData(BootImage& bi);
 
 private:
     void CopybHSignature(BootImage& bi, uint8_t* ptr);

authentication-zynqmp.cpp

@@ -362,7 +362,14 @@ Section* ZynqMpAuthenticationContext::CreateCertificate(BootImage& bi, Binary& c
     /* Secondary key is must for authenticating */
     if (!secondaryKey->Loaded)
     {
-        LOG_ERROR("Authentication Error !!!\n           Secondary key must be specified in BIF file for %s", dataSection->Name.c_str());
+        if (acFile != "")
+        {
+            // ok
+        }
+        else
+        {
+            LOG_ERROR("Authentication Error !!!\n           Secondary key must be specified in BIF file for %s", dataSection->Name.c_str());
+        }
     }
 
     if (!secondaryKey->isSecret)
@@ -371,6 +378,10 @@ Section* ZynqMpAuthenticationContext::CreateCertificate(BootImage& bi, Binary& c
         {
             // ok
         }
+        else if (acFile != "")
+        {
+            // ok
+        }
         else if (bi.options.GetNonBootingFlag() && (dataSection->Name.find("ImageHeaderTable") != std::string::npos))
         {
             // ok
@@ -404,6 +415,10 @@ Section* ZynqMpAuthenticationContext::CreateCertificate(BootImage& bi, Binary& c
         {
             LOG_WARNING("Either PSK or spksignature is needed to authenticate bootimage or generate partition hashes. Because they are not provided, the bootimage and partition hashes will not be usable. However SPK hash and bootheader hash files generated can be used for offline signing.");
         }
+        else if (acFile != "")
+        {
+            // ok
+        }
         else
         {
             LOG_ERROR("Authentication Error !!!\n           Either PSK or SPK signature file must be specified in BIF file.");
@@ -429,32 +444,38 @@ Section* ZynqMpAuthenticationContext::CreateCertificate(BootImage& bi, Binary& c
         LOG_ERROR("Authentication Error !!!");
     }
     memset(authCert, 0, certSize);
-
-    uint32_t acHdr = AUTH_HDR_ZYNQMP;
-    acHdr |= ppkSelect << AC_HDR_PPK_SELECT_BIT_SHIFT;
-    acHdr |= spkSelect << AC_HDR_SPK_SELECT_BIT_SHIFT;
-    acHdr |= ((bi.GetAuthHashAlgo()) ? 0 : 1) << AC_HDR_SHA_2_3_BIT_SHIFT;
-
-    WriteLittleEndian32(&authCert->acHeader, acHdr);
-    WriteLittleEndian32(&authCert->spkId, spkIdentification);
-
-    if (udfFile != "")
+    if (acFile != "")
     {
-        LoadUdfData(udfFile, udf_data);
-        RearrangeEndianess(udf_data, sizeof(udf_data));
-        memcpy(authCert->acUdf, udf_data, UDF_DATA_SIZE);
+        // ok
     }
+    else
+    {
+        uint32_t acHdr = AUTH_HDR_ZYNQMP;
+        acHdr |= ppkSelect << AC_HDR_PPK_SELECT_BIT_SHIFT;
+        acHdr |= spkSelect << AC_HDR_SPK_SELECT_BIT_SHIFT;
+        acHdr |= ((bi.GetAuthHashAlgo()) ? 0 : 1) << AC_HDR_SHA_2_3_BIT_SHIFT;
+
+        WriteLittleEndian32(&authCert->acHeader, acHdr);
+        WriteLittleEndian32(&authCert->spkId, spkIdentification);
 
-    primaryKey->Export(&authCert->acPpk);
-    RearrangeEndianess(authCert->acPpk.N, sizeof(authCert->acPpk.N));
-    RearrangeEndianess(authCert->acPpk.N_extension, sizeof(authCert->acPpk.N_extension));
-    RearrangeEndianess(authCert->acPpk.E, sizeof(authCert->acPpk.E));
-    secondaryKey->Export(&authCert->acSpk);
-    RearrangeEndianess(authCert->acSpk.N, sizeof(authCert->acSpk.N));
-    RearrangeEndianess(authCert->acSpk.N_extension, sizeof(authCert->acSpk.N_extension));
-    RearrangeEndianess(authCert->acSpk.E, sizeof(authCert->acSpk.E));
+        if (udfFile != "")
+        {
+            LoadUdfData(udfFile, udf_data);
+            RearrangeEndianess(udf_data, sizeof(udf_data));
+            memcpy(authCert->acUdf, udf_data, UDF_DATA_SIZE);
+        }
 
-    CopySPKSignature(&authCert->acSpkSignature);
+        primaryKey->Export(&authCert->acPpk);
+        RearrangeEndianess(authCert->acPpk.N, sizeof(authCert->acPpk.N));
+        RearrangeEndianess(authCert->acPpk.N_extension, sizeof(authCert->acPpk.N_extension));
+        RearrangeEndianess(authCert->acPpk.E, sizeof(authCert->acPpk.E));
+        secondaryKey->Export(&authCert->acSpk);
+        RearrangeEndianess(authCert->acSpk.N, sizeof(authCert->acSpk.N));
+        RearrangeEndianess(authCert->acSpk.N_extension, sizeof(authCert->acSpk.N_extension));
+        RearrangeEndianess(authCert->acSpk.E, sizeof(authCert->acSpk.E));
+
+        CopySPKSignature(&authCert->acSpkSignature);
+    }
     certIndex++;
     return acSection;
 }
@@ -466,7 +487,18 @@ void ZynqMpAuthenticationContext::Link(BootImage& bi, std::list<Section*> sectio
     uint8_t* signatureBlock = (uint8_t*)&authCert->acPartitionSignature;
     CopyBHSignature(bi, &authCert->acBhSignature);
 
-    if (presignFile == "")
+    if (acFile != "")
+    {
+        /* If the parition AC file present */
+        int index = acIndex;
+        if (cert->section->index != 0)
+        {
+            index = cert->section->index;
+        }
+        GetAC(acFile, cert->section->Data, index);
+        acIndex++;
+    }
+    else if (presignFile == "")
     {
         /* If the parition is not presigned / presign file not present */
         std::list<Section*>::iterator section = sections.begin();
@@ -527,6 +559,10 @@ void ZynqMpAuthenticationContext::CopyBHSignature(BootImage& bi, ACSignature4096
             warningGiven = true;
         }
     }
+    else if (acFile != "")
+    {
+        // ok
+    }
     else
     {
         LOG_ERROR("Authentication Error !!!\n          Either SSK or BH signature file must be specified in the BIF file.");

authentication.cpp

@@ -44,11 +44,19 @@ bool AuthenticationContext::zynpmpVerEs1 = false;
 *****************************************************   F U N C T I O N S   ***
 -------------------------------------------------------------------------------
 */
-void AuthenticationContext::SetPresignFile(const std::string& filename) 
+
+/******************************************************************************/
+void AuthenticationContext::SetPresignFile(const std::string& filename)
 {
     presignFile = filename;
 }
 
+/******************************************************************************/
+void AuthenticationContext::SetACFile(const std::string& filename)
+{
+    acFile = filename;
+}
+
 /******************************************************************************/
 void AuthenticationContext::SetUdfFile(const std::string& filename)
 {
@@ -270,6 +278,54 @@ void AuthenticationContext::GetPresign(const std::string& presignFilename, uint8
     }
 }
 
+/******************************************************************************/
+void AuthenticationContext::GetAC(const std::string& acFilename, uint8_t* ac, uint32_t index)
+{
+    std::string filename(acFilename);
+    std::string baseFile = StringUtils::BaseName(filename);
+
+    if (index != 0)
+    {
+        size_t x = filename.find(".0.");
+        if (x == std::string::npos)
+        {
+            LOG_ERROR("AC file %s does not have partition index (*.0.*)", baseFile.c_str());
+        }
+        // nudge the '0' to index number
+        std::string sindex = std::to_string(index);
+        filename.replace(x + 1, 1, sindex);
+    }
+
+    LOG_TRACE("Reading AC from - %s", filename.c_str());
+    FILE* filePtr;
+    filePtr = fopen(filename.c_str(), "rb");
+    if (filePtr)
+    {
+        fseek(filePtr, 0, SEEK_END);
+        long size = ftell(filePtr);
+        fclose(filePtr);
+        if (size == GetCertificateSize())
+        {
+            // read binary
+            filePtr = fopen(filename.c_str(), "rb");
+            long read_size = fread(ac, 1, GetCertificateSize(), filePtr);
+            if (read_size != GetCertificateSize())
+            {
+                LOG_ERROR("Authentication Error !!!\n           AC file %s should be of %d bytes", baseFile.c_str(), GetCertificateSize());
+            }
+            fclose(filePtr);
+        }
+        else
+        {
+            LOG_ERROR("Authentication Error !!!\n           AC file %s should be of %d bytes", baseFile.c_str(), GetCertificateSize());
+        }
+    }
+    else
+    {
+        LOG_ERROR("Failure opening AC file - %s", baseFile.c_str());
+    }
+}
+
 /******************************************************************************/
 void AuthenticationContext::LoadUdfData(const std::string& udfFilename, uint8_t* signature)
 {