src/boot/efi/random-seed.c

   1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
   2
   3 #include <efi.h>
   4 #include <efilib.h>
   5
   6 #include "missing_efi.h"
   7 #include "random-seed.h"
   8 #include "secure-boot.h"
   9 #include "sha256.h"
  10 #include "util.h"
  11
  12 #define RANDOM_MAX_SIZE_MIN (32U)
  13 #define RANDOM_MAX_SIZE_MAX (32U*1024U)
  14
  15 #define EFI_RNG_GUID &(EFI_GUID) EFI_RNG_PROTOCOL_GUID
  16
  17 /* SHA256 gives us 256/8=32 bytes */
  18 #define HASH_VALUE_SIZE 32
  19
  20 static EFI_STATUS acquire_rng(UINTN size, VOID **ret) {
  21         _cleanup_freepool_ VOID *data = NULL;
  22         EFI_RNG_PROTOCOL *rng;
  23         EFI_STATUS err;
  24
  25         /* Try to acquire the specified number of bytes from the UEFI RNG */
  26
  27         err = LibLocateProtocol(EFI_RNG_GUID, (VOID**) &rng);
  28         if (EFI_ERROR(err))
  29                 return err;
  30         if (!rng)
  31                 return EFI_UNSUPPORTED;
  32
  33         data = AllocatePool(size);
  34         if (!data)
  35                 return log_oom();
  36
  37         err = uefi_call_wrapper(rng->GetRNG, 3, rng, NULL, size, data);
  38         if (EFI_ERROR(err)) {
  39                 Print(L"Failed to acquire RNG data: %r\n", err);
  40                 return err;
  41         }
  42
  43         *ret = TAKE_PTR(data);
  44         return EFI_SUCCESS;
  45 }
  46
  47 static VOID hash_once(
  48                 const VOID *old_seed,
  49                 const VOID *rng,
  50                 UINTN size,
  51                 const VOID *system_token,
  52                 UINTN system_token_size,
  53                 UINTN counter,
  54                 UINT8 ret[static HASH_VALUE_SIZE]) {
  55
  56         /* This hashes together:
  57          *
  58          *      1. The contents of the old seed file
  59          *      2. Some random data acquired from the UEFI RNG (optional)
  60          *      3. Some 'system token' the installer installed as EFI variable (optional)
  61          *      4. A counter value
  62          *
  63          * And writes the result to the specified buffer.
  64          */
  65
  66         struct sha256_ctx hash;
  67
  68         sha256_init_ctx(&hash);
  69         sha256_process_bytes(old_seed, size, &hash);
  70         if (rng)
  71                 sha256_process_bytes(rng, size, &hash);
  72         if (system_token_size > 0)
  73                 sha256_process_bytes(system_token, system_token_size, &hash);
  74         sha256_process_bytes(&counter, sizeof(counter), &hash);
  75         sha256_finish_ctx(&hash, ret);
  76 }
  77
  78 static EFI_STATUS hash_many(
  79                 const VOID *old_seed,
  80                 const VOID *rng,
  81                 UINTN size,
  82                 const VOID *system_token,
  83                 UINTN system_token_size,
  84                 UINTN counter_start,
  85                 UINTN n,
  86                 VOID **ret) {
  87
  88         _cleanup_freepool_ VOID *output = NULL;
  89
  90         /* Hashes the specified parameters in counter mode, generating n hash values, with the counter in the
  91          * range counter_start…counter_start+n-1. */
  92
  93         output = AllocatePool(n * HASH_VALUE_SIZE);
  94         if (!output)
  95                 return log_oom();
  96
  97         for (UINTN i = 0; i < n; i++)
  98                 hash_once(old_seed, rng, size,
  99                           system_token, system_token_size,
 100                           counter_start + i,
 101                           (UINT8*) output + (i * HASH_VALUE_SIZE));
 102
 103         *ret = TAKE_PTR(output);
 104         return EFI_SUCCESS;
 105 }
 106
 107 static EFI_STATUS mangle_random_seed(
 108                 const VOID *old_seed,
 109                 const VOID *rng,
 110                 UINTN size,
 111                 const VOID *system_token,
 112                 UINTN system_token_size,
 113                 VOID **ret_new_seed,
 114                 VOID **ret_for_kernel) {
 115
 116         _cleanup_freepool_ VOID *new_seed = NULL, *for_kernel = NULL;
 117         EFI_STATUS err;
 118         UINTN n;
 119
 120         /* This takes the old seed file contents, an (optional) random number acquired from the UEFI RNG, an
 121          * (optional) system 'token' installed once by the OS installer in an EFI variable, and hashes them
 122          * together in counter mode, generating a new seed (to replace the file on disk) and the seed for the
 123          * kernel. To keep things simple, the new seed and kernel data have the same size as the old seed and
 124          * RNG data. */
 125
 126         n = (size + HASH_VALUE_SIZE - 1) / HASH_VALUE_SIZE;
 127
 128         /* Begin hashing in counter mode at counter 0 for the new seed for the disk */
 129         err = hash_many(old_seed, rng, size, system_token, system_token_size, 0, n, &new_seed);
 130         if (EFI_ERROR(err))
 131                 return err;
 132
 133         /* Continue counting at 'n' for the seed for the kernel */
 134         err = hash_many(old_seed, rng, size, system_token, system_token_size, n, n, &for_kernel);
 135         if (EFI_ERROR(err))
 136                 return err;
 137
 138         *ret_new_seed = TAKE_PTR(new_seed);
 139         *ret_for_kernel = TAKE_PTR(for_kernel);
 140
 141         return EFI_SUCCESS;
 142 }
 143
 144 static EFI_STATUS acquire_system_token(VOID **ret, UINTN *ret_size) {
 145         _cleanup_freepool_ CHAR8 *data = NULL;
 146         EFI_STATUS err;
 147         UINTN size;
 148
 149         err = efivar_get_raw(LOADER_GUID, L"LoaderSystemToken", &data, &size);
 150         if (EFI_ERROR(err)) {
 151                 if (err != EFI_NOT_FOUND)
 152                         Print(L"Failed to read LoaderSystemToken EFI variable: %r", err);
 153                 return err;
 154         }
 155
 156         if (size <= 0) {
 157                 Print(L"System token too short, ignoring.");
 158                 return EFI_NOT_FOUND;
 159         }
 160
 161         *ret = TAKE_PTR(data);
 162         *ret_size = size;
 163
 164         return EFI_SUCCESS;
 165 }
 166
 167 static VOID validate_sha256(void) {
 168
 169 #ifndef __OPTIMIZE__
 170         /* Let's validate our SHA256 implementation. We stole it from glibc, and converted it to UEFI
 171          * style. We better check whether it does the right stuff. We use the simpler test vectors from the
 172          * SHA spec. Note that we strip this out in optimization builds. */
 173
 174         static const struct {
 175                 const char *string;
 176                 uint8_t hash[HASH_VALUE_SIZE];
 177         } array[] = {
 178                 { "abc",
 179                   { 0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea,
 180                     0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23,
 181                     0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c,
 182                     0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad }},
 183
 184                 { "",
 185                   { 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14,
 186                     0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24,
 187                     0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c,
 188                     0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55 }},
 189
 190                 { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
 191                   { 0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8,
 192                     0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39,
 193                     0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67,
 194                     0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1 }},
 195
 196                 { "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu",
 197                   { 0xcf, 0x5b, 0x16, 0xa7, 0x78, 0xaf, 0x83, 0x80,
 198                     0x03, 0x6c, 0xe5, 0x9e, 0x7b, 0x04, 0x92, 0x37,
 199                     0x0b, 0x24, 0x9b, 0x11, 0xe8, 0xf0, 0x7a, 0x51,
 200                     0xaf, 0xac, 0x45, 0x03, 0x7a, 0xfe, 0xe9, 0xd1 }},
 201         };
 202
 203         for (UINTN i = 0; i < ELEMENTSOF(array); i++) {
 204                 struct sha256_ctx hash;
 205                 uint8_t result[HASH_VALUE_SIZE];
 206
 207                 sha256_init_ctx(&hash);
 208                 sha256_process_bytes(array[i].string, strlena((const CHAR8*) array[i].string), &hash);
 209                 sha256_finish_ctx(&hash, result);
 210
 211                 if (CompareMem(result, array[i].hash, HASH_VALUE_SIZE) != 0) {
 212                         Print(L"SHA256 failed validation.\n");
 213                         uefi_call_wrapper(BS->Stall, 1, 120 * 1000 * 1000);
 214                         return;
 215                 }
 216         }
 217
 218         Print(L"SHA256 validated\n");
 219 #endif
 220 }
 221
 222 EFI_STATUS process_random_seed(EFI_FILE *root_dir, RandomSeedMode mode) {
 223         _cleanup_freepool_ VOID *seed = NULL, *new_seed = NULL, *rng = NULL, *for_kernel = NULL, *system_token = NULL;
 224         _cleanup_(FileHandleClosep) EFI_FILE_HANDLE handle = NULL;
 225         UINTN size, rsize, wsize, system_token_size = 0;
 226         _cleanup_freepool_ EFI_FILE_INFO *info = NULL;
 227         EFI_STATUS err;
 228
 229         validate_sha256();
 230
 231         if (mode == RANDOM_SEED_OFF)
 232                 return EFI_NOT_FOUND;
 233
 234         /* Let's better be safe than sorry, and for now disable this logic in SecureBoot mode, so that we
 235          * don't credit a random seed that is not authenticated. */
 236         if (secure_boot_enabled())
 237                 return EFI_NOT_FOUND;
 238
 239         /* Get some system specific seed that the installer might have placed in an EFI variable. We include
 240          * it in our hash. This is protection against golden master image sloppiness, and it remains on the
 241          * system, even when disk images are duplicated or swapped out. */
 242         err = acquire_system_token(&system_token, &system_token_size);
 243         if (mode != RANDOM_SEED_ALWAYS && EFI_ERROR(err))
 244                 return err;
 245
 246         err = uefi_call_wrapper(root_dir->Open, 5, root_dir, &handle, L"\\loader\\random-seed", EFI_FILE_MODE_READ|EFI_FILE_MODE_WRITE, 0ULL);
 247         if (EFI_ERROR(err)) {
 248                 if (err != EFI_NOT_FOUND)
 249                         Print(L"Failed to open random seed file: %r\n", err);
 250                 return err;
 251         }
 252
 253         info = LibFileInfo(handle);
 254         if (!info)
 255                 return log_oom();
 256
 257         size = info->FileSize;
 258         if (size < RANDOM_MAX_SIZE_MIN) {
 259                 Print(L"Random seed file is too short?\n");
 260                 return EFI_INVALID_PARAMETER;
 261         }
 262
 263         if (size > RANDOM_MAX_SIZE_MAX) {
 264                 Print(L"Random seed file is too large?\n");
 265                 return EFI_INVALID_PARAMETER;
 266         }
 267
 268         seed = AllocatePool(size);
 269         if (!seed)
 270                 return log_oom();
 271
 272         rsize = size;
 273         err = uefi_call_wrapper(handle->Read, 3, handle, &rsize, seed);
 274         if (EFI_ERROR(err)) {
 275                 Print(L"Failed to read random seed file: %r\n", err);
 276                 return err;
 277         }
 278         if (rsize != size) {
 279                 Print(L"Short read on random seed file\n");
 280                 return EFI_PROTOCOL_ERROR;
 281         }
 282
 283         err = uefi_call_wrapper(handle->SetPosition, 2, handle, 0);
 284         if (EFI_ERROR(err)) {
 285                 Print(L"Failed to seek to beginning of random seed file: %r\n", err);
 286                 return err;
 287         }
 288
 289         /* Request some random data from the UEFI RNG. We don't need this to work safely, but it's a good
 290          * idea to use it because it helps us for cases where users mistakenly include a random seed in
 291          * golden master images that are replicated many times. */
 292         (VOID) acquire_rng(size, &rng); /* It's fine if this fails */
 293
 294         /* Calculate new random seed for the disk and what to pass to the kernel */
 295         err = mangle_random_seed(seed, rng, size, system_token, system_token_size, &new_seed, &for_kernel);
 296         if (EFI_ERROR(err))
 297                 return err;
 298
 299         /* Update the random seed on disk before we use it */
 300         wsize = size;
 301         err = uefi_call_wrapper(handle->Write, 3, handle, &wsize, new_seed);
 302         if (EFI_ERROR(err)) {
 303                 Print(L"Failed to write random seed file: %r\n", err);
 304                 return err;
 305         }
 306         if (wsize != size) {
 307                 Print(L"Short write on random seed file\n");
 308                 return EFI_PROTOCOL_ERROR;
 309         }
 310
 311         err = uefi_call_wrapper(handle->Flush, 1, handle);
 312         if (EFI_ERROR(err)) {
 313                 Print(L"Failed to flush random seed file: %r\n");
 314                 return err;
 315         }
 316
 317         /* We are good to go */
 318         err = efivar_set_raw(LOADER_GUID, L"LoaderRandomSeed", for_kernel, size, 0);
 319         if (EFI_ERROR(err)) {
 320                 Print(L"Failed to write random seed to EFI variable: %r\n", err);
 321                 return err;
 322         }
 323
 324         return EFI_SUCCESS;
 325 }