Call increment when new witness identity for both MMC and RPMB cases.
jiggoha committed Jan 17, 2024
1 parent f8b221c commit b6378b2
Showing 3 changed files with 46 additions and 3 deletions.
6 changes: 3 additions & 3 deletions trusted_os/flash.go
Expand Up @@ -181,8 +181,8 @@ func incrementWitnessIdentityMMC(card Card) error {
}

rBuf := bytes.NewReader(b)
var counter uint64
if err := binary.Read(rBuf, binary.LittleEndian, &counter); err != nil {
var counter uint32
if err := binary.Read(rBuf, binary.BigEndian, &counter); err != nil {
return err
}

Expand All @@ -191,7 +191,7 @@ func incrementWitnessIdentityMMC(card Card) error {

// Write
wBuf := new(bytes.Buffer)
if err := binary.Write(wBuf, binary.LittleEndian, counter); err != nil {
if err := binary.Write(wBuf, binary.BigEndian, counter); err != nil {
return err
}

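Review bot: Switching the counter from a little-endian uint64 to a big-endian uint32 changes how a value already stored in the MMC block by an earlier build is decoded: the first four bytes of an old little-endian uint64 read back as a big-endian number unrelated to the stored count, and the write in the second hunk then persists that (presumably incremented) value. If counters may already exist on devices in the field, the read needs a one-off migration or a format check; if the block is known to be unwritten so far, that assumption belongs in a comment. Either way the layout should be stated next to the read, e.g. `// counter is a big-endian uint32, the same layout rpmb.go uses for the RPMB sector`. incrementWitnessIdentityMMC starts and ends outside the hunk.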
12 changes: 12 additions & 0 deletions trusted_os/main.go
Expand Up @@ -168,6 +168,18 @@ func main() {
log.Printf("Failed to determine OS MMC block (no OS installed?): %v", err)
}

newIdentity, err := newWitnessIdentity(Storage)
if err != nil {
log.Printf("Failed to read new witness identity MMC block: %v", err)
}
if newIdentity {
if false && imx6ul.SNVS.Available() {
rpmb.incrementWitnessIdentity()
} else {
incrementWitnessIdentityMMC(Storage)
}
}

log.Printf("SM log verification pub: %s", LogVerifier)
logVerifier, err := note.NewVerifier(LogVerifier)
if err != nil {
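Review bot: Both calls in the new block drop the error they return: `incrementWitnessIdentityMMC` and `rpmb.incrementWitnessIdentity` are declared with an `error` result in the other two files of this commit, yet neither result is checked, so a failed read or write leaves the counter unchanged with nothing in the log. Since this counter is what the commit uses to mark a new witness identity, a silent failure is exactly the case a maintainer needs to see. The `false &&` guard also makes the RPMB branch unreachable; if that is a deliberate staging step it deserves a `// TODO` comment saying why. `main` continues outside the hunk.
```go
if newIdentity {
	if false && imx6ul.SNVS.Available() {
		err = rpmb.incrementWitnessIdentity()
	} else {
		err = incrementWitnessIdentityMMC(Storage)
	}
	if err != nil {
		log.Printf("Failed to increment witness identity counter: %v", err)
	}
}
```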
31 changes: 31 additions & 0 deletions trusted_os/rpmb.go
Expand Up @@ -37,19 +37,26 @@ import (
const (
// RPMB sector for CVE-2020-13799 mitigation
dummySector = 0

// version epoch length
versionLength = 4
// RPMB sector for OS rollback protection
osVersionSector = 1
// RPMB sector for TA rollback protection
taVersionSector = 2

// RPMB sector for TA use
taUserSector = 3
// RPMB OTP flag bank
rpmbFuseBank = 4
// RPMB OTP flag word
rpmbFuseWord = 6

// witness identity counter length - uint32
witnessIdentityCounterLength = 4
// RPMB witness identity counter
rpmbWitnessIdentityCounter = 7

diversifierMAC = "ArmoryWitnessMAC"
iter = 4096
)
Expand Down Expand Up @@ -184,6 +191,30 @@ func (r *RPMB) checkVersion(offset uint16, s string) (err error) {
return
}

// incrementWitnessIdentity increments the counter in the RPMB area to
// differentiate a new witness identity.
func (r *RPMB) incrementWitnessIdentity() (err error) {
if r.partition == nil {
return errors.New("RPMB has not been initialized")
}

// Read
rBuf := make([]byte, witnessIdentityCounterLength)
if err = r.partition.Read(rpmbWitnessIdentityCounter, rBuf); err != nil {
return err
}
counter := binary.BigEndian.Uint32(rBuf)

// Increment
counter++

// Write
wBuf := make([]byte, witnessIdentityCounterLength)
binary.BigEndian.PutUint32(wBuf, counter)

return r.partition.Write(rpmbWitnessIdentityCounter, wBuf)
}

// transfer performs an authenticated data transfer to the card RPMB partition,
// the input buffer can contain up to 256 bytes of data, n can be passed to
// retrieve the partition write counter.
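Review bot: `counter++` on the uint32 read in incrementWitnessIdentity wraps silently back to zero after the maximum value, which would defeat the differentiation the doc comment describes; a guard before the increment costs one line, `if counter == math.MaxUint32 { return errors.New("witness identity counter exhausted") }` (with `math` imported). The doc comment should also record the on-device layout the function assumes, e.g. `// The counter is stored as a big-endian uint32 in RPMB sector rpmbWitnessIdentityCounter.`, so the MMC variant in flash.go can be kept in step with it. The comment on the new constant in the first hunk is similarly clearer as `// RPMB sector for the witness identity counter`.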
