Gitiles
Code Review Sign In
gerrit.openfyde.cn / chromium.googlesource.com / chromiumos / platform2 / 019d59ceca3492305d6713950c0c2edfdaf266db / . / imageloader / component.cc
blob: e697f5043b5f24f8aa5f81f3054fc0b61785a24b [file] [log] [blame]
Greg Kerr019d59c2016-11-17 14:28:49 -0800[diff] [blame^]1// Copyright 2016 The Chromium OS Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5#include "component.h"
6
7#include <fcntl.h>
8
9#include <algorithm>
10#include <string>
11#include <vector>
12
13#include <base/files/file.h>
14#include <base/files/file_path.h>
15#include <base/files/file_util.h>
16#include <base/files/scoped_file.h>
17#include <base/json/json_string_value_serializer.h>
18#include <base/logging.h>
19#include <base/numerics/safe_conversions.h>
20#include <base/strings/string_number_conversions.h>
21#include <base/posix/eintr_wrapper.h>
22#include <base/strings/string_util.h>
23#include <crypto/secure_hash.h>
24#include <crypto/sha2.h>
25#include <crypto/signature_verifier.h>
26
27namespace imageloader {
28
29namespace {
30
31// The name of the imageloader manifest file.
32constexpr char kManifestName[] = "imageloader.json";
33// The name of the fingerprint file.
34constexpr char kFingerprintName[] = "manifest.fingerprint";
35// The manifest signature.
36constexpr char kManifestSignatureName[] = "imageloader.sig.1";
37// The current version of the manifest file.
38constexpr int kCurrentManifestVersion = 1;
39// The name of the version field in the manifest.
40constexpr char kManifestVersionField[] = "manifest-version";
41// The name of the component version field in the manifest.
42constexpr char kVersionField[] = "version";
43// The name of the field containing the image hash.
44constexpr char kImageHashField[] = "image-sha256-hash";
45// The name of the image file.
46constexpr char kImageFileName[] = "image.squash";
47// The name of the field containing the table hash.
48constexpr char kTableHashField[] = "table-sha256-hash";
49// The name of the table file.
50constexpr char kTableFileName[] = "table";
51// The maximum size of any file to read into memory.
52constexpr size_t kMaximumFilesize = 4096 * 10;
53
54base::FilePath GetManifestPath(const base::FilePath& component_dir) {
55 return component_dir.Append(kManifestName);
56}
57
58base::FilePath GetSignaturePath(const base::FilePath& component_dir) {
59 return component_dir.Append(kManifestSignatureName);
60}
61
62base::FilePath GetFingerprintPath(const base::FilePath& component_dir) {
63 return component_dir.Append(kFingerprintName);
64}
65
66base::FilePath GetTablePath(const base::FilePath& component_dir) {
67 return component_dir.Append(kTableFileName);
68}
69
70base::FilePath GetImagePath(const base::FilePath& component_dir) {
71 return component_dir.Append(kImageFileName);
72}
73
74bool WriteFileToDisk(const base::FilePath& path, const std::string& contents) {
75 base::ScopedFD fd(HANDLE_EINTR(open(path.value().c_str(),
76 O_CREAT | O_WRONLY | O_EXCL,
77 kComponentFilePerms)));
78 if (!fd.is_valid()) {
79 PLOG(ERROR) << "Error creating file for " << path.value();
80 return false;
81 }
82
83 base::File file(fd.release());
84 int size = base::checked_cast<int>(contents.size());
85 return file.Write(0, contents.data(), contents.size()) == size;
86}
87
88bool GetSHA256FromString(const std::string& hash_str,
89 std::vector<uint8_t>* bytes) {
90 if (!base::HexStringToBytes(hash_str, bytes)) return false;
91 return bytes->size() == crypto::kSHA256Length;
92}
93
94bool GetAndVerifyTable(const base::FilePath& path,
95 const std::vector<uint8_t>& hash,
96 std::string* out_table) {
97 std::string table;
98 if (!base::ReadFileToStringWithMaxSize(path, &table, kMaximumFilesize)) {
99 return false;
100 }
101
102 std::vector<uint8_t> table_hash(crypto::kSHA256Length);
103 crypto::SHA256HashString(table, table_hash.data(), table_hash.size());
104 if (table_hash != hash) {
105 LOG(ERROR) << "dm-verity table file has the wrong hash.";
106 return false;
107 }
108
109 out_table->assign(table);
110 return true;
111}
112
113} // namespace
114
115Component::Component(const base::FilePath& component_dir)
116 : component_dir_(component_dir) {}
117
118bool Component::Init(const std::vector<uint8_t>& public_key) {
119 if (initialized_) {
120 NOTREACHED() << "Component already initialized";
121 return false;
122 }
123 initialized_ = LoadManifest(public_key);
124 return initialized_;
125}
126
127const Component::Manifest& Component::manifest() {
128 // If the manifest is accessed without initialization, crash.
129 CHECK(initialized_);
130 return manifest_;
131}
132
133bool Component::Mount(VerityMounter* mounter, const base::FilePath& dest_dir) {
134 if (!initialized_) {
135 NOTREACHED() << "Component not initialized";
136 return false;
137 }
138 // Now read the table in and verify the hash.
139 std::string table;
140 if (!GetAndVerifyTable(GetTablePath(component_dir_), manifest_.table_sha256,
141 &table)) {
142 LOG(ERROR) << "Could not read and verify dm-verity table.";
143 return false;
144 }
145
146 base::FilePath image_path(GetImagePath(component_dir_));
147 base::File image(image_path, base::File::FLAG_OPEN | base::File::FLAG_READ);
148 if (!image.IsValid()) {
149 LOG(ERROR) << "Could not open image file.";
150 return false;
151 }
152 base::ScopedFD image_fd(image.TakePlatformFile());
153
154 // The mount point is not yet taken, so go ahead.
155 if (!mounter->Mount(image_fd, dest_dir, table)) {
156 LOG(ERROR) << "Failed to mount image.";
157 return false;
158 }
159 return true;
160}
161
162bool Component::ParseManifest() {
163 // Now deserialize the manifest json and read out the rest of the component.
164 int error_code;
165 std::string error_message;
166 JSONStringValueDeserializer deserializer(manifest_raw_);
167 std::unique_ptr<base::Value> value =
168 deserializer.Deserialize(&error_code, &error_message);
169
170 if (!value) {
171 LOG(ERROR) << "Could not deserialize the manifest file. Error "
172 << error_code << ": " << error_message;
173 return false;
174 }
175
176 base::DictionaryValue* manifest_dict = nullptr;
177 if (!value->GetAsDictionary(&manifest_dict)) {
178 LOG(ERROR) << "Could not parse manifest file as JSON.";
179 return false;
180 }
181
182 // This will have to be changed if the manifest version is bumped.
183 int version;
184 if (!manifest_dict->GetInteger(kManifestVersionField, &version)) {
185 LOG(ERROR) << "Could not parse manifest version field from manifest.";
186 return false;
187 }
188 if (version != kCurrentManifestVersion) {
189 LOG(ERROR) << "Unsupported version of the manifest.";
190 return false;
191 }
192 manifest_.manifest_version = version;
193
194 std::string image_hash_str;
195 if (!manifest_dict->GetString(kImageHashField, &image_hash_str)) {
196 LOG(ERROR) << "Could not parse image hash from manifest.";
197 return false;
198 }
199
200 if (!GetSHA256FromString(image_hash_str, &(manifest_.image_sha256))) {
201 LOG(ERROR) << "Could not convert image hash to bytes.";
202 return false;
203 }
204
205 std::string table_hash_str;
206 if (!manifest_dict->GetString(kTableHashField, &table_hash_str)) {
207 LOG(ERROR) << "Could not parse table hash from manifest.";
208 return false;
209 }
210
211 if (!GetSHA256FromString(table_hash_str, &(manifest_.table_sha256))) {
212 LOG(ERROR) << "Could not convert table hash to bytes.";
213 return false;
214 }
215
216 if (!manifest_dict->GetString(kVersionField, &(manifest_.version))) {
217 LOG(ERROR) << "Could not parse component version from manifest.";
218 return false;
219 }
220
221 return true;
222}
223
224bool Component::LoadManifest(const std::vector<uint8_t>& public_key) {
225 if (!base::ReadFileToStringWithMaxSize(GetManifestPath(component_dir_),
226 &manifest_raw_, kMaximumFilesize)) {
227 LOG(ERROR) << "Could not read manifest file.";
228 return false;
229 }
230 if (!base::ReadFileToStringWithMaxSize(GetSignaturePath(component_dir_),
231 &manifest_sig_, kMaximumFilesize)) {
232 LOG(ERROR) << "Could not read signature file.";
233 return false;
234 }
235
236 crypto::SignatureVerifier verifier;
237
238 if (!verifier.VerifyInit(
239 crypto::SignatureVerifier::ECDSA_SHA256,
240 reinterpret_cast<const uint8_t*>(manifest_sig_.data()),
241 base::checked_cast<int>(manifest_sig_.size()), public_key.data(),
242 base::checked_cast<int>(public_key.size()))) {
243 LOG(ERROR) << "Failed to initialize signature verification.";
244 return false;
245 }
246
247 verifier.VerifyUpdate(reinterpret_cast<const uint8_t*>(manifest_raw_.data()),
248 base::checked_cast<int>(manifest_raw_.size()));
249
250 if (!verifier.VerifyFinal()) {
251 LOG(ERROR) << "Manifest failed signature verification.";
252 return false;
253 }
254 return ParseManifest();
255}
256
257bool Component::CopyTo(const base::FilePath& dest_dir) {
258 if (!initialized_) {
259 NOTREACHED() << "Component not initialized";
260 return false;
261 }
262
263 if (!WriteFileToDisk(GetManifestPath(dest_dir), manifest_raw_) ||
264 !WriteFileToDisk(GetSignaturePath(dest_dir), manifest_sig_)) {
265 LOG(ERROR) << "Could not write manifest and signature to disk.";
266 return false;
267 }
268
269 base::FilePath table_src(GetTablePath(component_dir_));
270 base::FilePath table_dest(GetTablePath(dest_dir));
271 if (!CopyComponentFile(table_src, table_dest, manifest_.table_sha256)) {
272 LOG(ERROR) << "Could not copy table file.";
273 return false;
274 }
275
276 base::FilePath image_src(GetImagePath(component_dir_));
277 base::FilePath image_dest(GetImagePath(dest_dir));
278 if (!CopyComponentFile(image_src, image_dest, manifest_.image_sha256)) {
279 LOG(ERROR) << "Could not copy image file.";
280 return false;
281 }
282
283 if (!CopyFingerprintFile(component_dir_, dest_dir)) {
284 LOG(ERROR) << "Could not copy manifest.fingerprint file.";
285 return false;
286 }
287
288 return true;
289}
290
291bool Component::CopyComponentFile(const base::FilePath& src,
292 const base::FilePath& dest_path,
293 const std::vector<uint8_t>& expected_hash) {
294 base::File file(src, base::File::FLAG_OPEN | base::File::FLAG_READ);
295 if (!file.IsValid()) return false;
296
297 base::ScopedFD dest(
298 HANDLE_EINTR(open(dest_path.value().c_str(), O_CREAT | O_WRONLY | O_EXCL,
299 kComponentFilePerms)));
300 if (!dest.is_valid()) return false;
301
302 base::File out_file(dest.release());
303 std::unique_ptr<crypto::SecureHash> sha256(
304 crypto::SecureHash::Create(crypto::SecureHash::SHA256));
305
306 std::vector<uint8_t> file_hash(crypto::kSHA256Length);
307 if (!ReadHashAndCopyFile(&file, &file_hash, &out_file)) {
308 LOG(ERROR) << "Failed to read image file.";
309 return false;
310 }
311
312 if (expected_hash != file_hash) {
313 LOG(ERROR) << "Image is corrupt or modified.";
314 return false;
315 }
316 return true;
317}
318
319bool Component::ReadHashAndCopyFile(base::File* file,
320 std::vector<uint8_t>* file_hash,
321 base::File* out_file) {
322 std::unique_ptr<crypto::SecureHash> sha256(
323 crypto::SecureHash::Create(crypto::SecureHash::SHA256));
324 int size = file->GetLength();
325 if (size <= 0) return false;
326
327 int rv = 0, bytes_read = 0;
328 char buf[4096];
329 do {
330 int remaining = size - bytes_read;
331 int bytes_to_read =
332 std::min(remaining, base::checked_cast<int>(sizeof(buf)));
333
334 rv = file->ReadAtCurrentPos(buf, bytes_to_read);
335 if (rv <= 0) break;
336
337 bytes_read += rv;
338 sha256->Update(buf, rv);
339 if (out_file) {
340 out_file->WriteAtCurrentPos(buf, rv);
341 }
342 } while (bytes_read <= size);
343
344 sha256->Finish(file_hash->data(), file_hash->size());
345 return bytes_read == size;
346}
347
348bool Component::CopyFingerprintFile(const base::FilePath& src,
349 const base::FilePath& dest) {
350 base::FilePath fingerprint_path(GetFingerprintPath(src));
351 if (base::PathExists(fingerprint_path)) {
352 std::string fingerprint_contents;
353 if (!base::ReadFileToStringWithMaxSize(
354 fingerprint_path, &fingerprint_contents, kMaximumFilesize)) {
355 return false;
356 }
357
358 if (!IsValidFingerprintFile(fingerprint_contents)) return false;
359
360 if (!WriteFileToDisk(GetFingerprintPath(dest), fingerprint_contents)) {
361 return false;
362 }
363 }
364 return true;
365}
366
367// The client inserts manifest.fingerprint into components after unpacking the
368// CRX. The file is used for delta updates. Since Chrome OS doesn't rely on it
369// for security of the disk image, we are fine with sanity checking the contents
370// and then preserving the unsigned file.
371bool Component::IsValidFingerprintFile(const std::string& contents) {
372 return contents.size() <= 256 &&
373 std::find_if_not(contents.begin(), contents.end(), [](char ch) {
374 return base::IsAsciiAlpha(ch) || base::IsAsciiDigit(ch) || ch == '.';
375 }) == contents.end();
376}
377
378} // namespace imageloader