Documentation ¶
Index ¶
- Constants
- func DumpBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, ...) (int, error)
- func DumpPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, ...) (int, error)
- func ExtractBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, ...) ([]byte, error)
- func ExtractPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, ...) ([]byte, error)
- func GetBIOSEntries(pspFirmware *amd_manifest.PSPFirmware, biosLevel uint, ...) ([]amd_manifest.BIOSDirectoryTableEntry, error)
- func GetBIOSEntry(pspFirmware *amd_manifest.PSPFirmware, biosLevel uint, ...) (*amd_manifest.BIOSDirectoryTableEntry, error)
- func GetEntries(pspFirmware *amd_manifest.PSPFirmware, directory DirectoryType, entryID uint32) ([]bytes2.Range, error)
- func GetPSPEntries(pspFirmware *amd_manifest.PSPFirmware, pspLevel uint, ...) ([]amd_manifest.PSPDirectoryTableEntry, error)
- func GetPSPEntry(pspFirmware *amd_manifest.PSPFirmware, pspLevel uint, ...) (*amd_manifest.PSPDirectoryTableEntry, error)
- func GetRangeBytes(image []byte, start, length uint64) ([]byte, error)
- func IsPSBEnabled(amdFw *amd_manifest.AMDFirmware) (bool, error)
- func NewMultiKeySignedBlob(signature []byte, signedData []byte, keySet KeySet) (*SignedBlob, *Key, error)
- func OutputBIOSEntries(amdFw *amd_manifest.AMDFirmware) error
- func OutputPSPEntries(amdFw *amd_manifest.AMDFirmware) error
- func ParseAMDFirmware(image []byte) (*amd_manifest.AMDFirmware, error)
- func PatchBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, ...) (int, error)
- func PatchPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, ...) (int, error)
- type BIOSDirectoryEntryItem
- type BIOSEntryType
- type Buf16B
- type Buf32B
- type Buf36B
- type Buf3B
- type Buf44B
- type Buf4B
- type Buf8B
- type DirectoryType
- type ErrInvalidFormat
- type ErrNotFound
- type FirmwareItem
- type Key
- type KeyData
- type KeyID
- type KeyIDs
- type KeySet
- type KeyType
- type KeyUsageFlag
- type PSPBinary
- type PSPDirectoryEntryItem
- type PSPEntryType
- type PSPHeaderData
- type PlatformBindingInfo
- type PspHeader
- type SecurityFeatureVector
- type Signature
- type SignatureCheckError
- type SignatureValidationResult
- func ValidatePSPEntries(amdFw *amd_manifest.AMDFirmware, keyDB KeySet, directory DirectoryType, ...) ([]SignatureValidationResult, error)
- func ValidatePSPEntry(amdFw *amd_manifest.AMDFirmware, keyDB KeySet, offset, length uint64) (SignatureValidationResult, error)
- func ValidateRTM(amdFw *amd_manifest.AMDFirmware, biosLevel uint) (*SignatureValidationResult, error)
- type SignedBlob
- type UnknownSigningKeyError
Constants ¶
const ( // AMDPublicKeyEntry denotes AMD public key entry in PSP Directory table AMDPublicKeyEntry amd_manifest.PSPDirectoryTableEntryType = 0x00 // PSPRecoveryBootloader is a recovery instance of PSP bootloader PSPRecoveryBootloader amd_manifest.PSPDirectoryTableEntryType = 0x03 // SMUOffChipFirmwareEntry points to a region of firmware containing SMU offchip firmware SMUOffChipFirmwareEntry amd_manifest.PSPDirectoryTableEntryType = 0x08 // ABLPublicKey represents the key used to sign ABL firmware ABLPublicKey amd_manifest.PSPDirectoryTableEntryType = 0x0A // SMUOffChipFirmware2Entry points to a region of firmware containing SMU offchip firmware SMUOffChipFirmware2Entry amd_manifest.PSPDirectoryTableEntryType = 0x12 // UnlockDebugImageEntry points to a region of firmware containing PSP early secure unlock debug image UnlockDebugImageEntry amd_manifest.PSPDirectoryTableEntryType = 0x13 // SecurityPolicyBinaryEntry points to a region of firmware containing Security Policy Binary SecurityPolicyBinaryEntry amd_manifest.PSPDirectoryTableEntryType = 0x24 // MP5FirmwareEntry points to a region of firmware containing MP5 Firmware MP5FirmwareEntry amd_manifest.PSPDirectoryTableEntryType = 0x2A // AGESABinary0Entry points to a region of firmware containing PSP AGESA Binary 0 AGESABinary0Entry amd_manifest.PSPDirectoryTableEntryType = 0x30 // SEVCodeEntry points to a region of firmware containing SEV Code SEVCodeEntry amd_manifest.PSPDirectoryTableEntryType = 0x39 // DXIOPHYSRAMFirmwareEntry points to a region of firmware containing DXIO PHY SRAM firmware DXIOPHYSRAMFirmwareEntry amd_manifest.PSPDirectoryTableEntryType = 0x42 //DRTMTAEntry points to a region of firmware containing DRTM TA DRTMTAEntry amd_manifest.PSPDirectoryTableEntryType = 0x47 // KeyDatabaseEntry points to region of firmware containing key database KeyDatabaseEntry amd_manifest.PSPDirectoryTableEntryType = 0x50 // OEMSigningKeyEntry represents the OEM signing key OEMSigningKeyEntry amd_manifest.BIOSDirectoryTableEntryType = 0x05 // BIOSRTMVolumeEntry represents the RTM volume BIOSRTMVolumeEntry amd_manifest.BIOSDirectoryTableEntryType = 0x62 // BIOSRTMSignatureEntry represents the entry holding the RTM volume signature BIOSRTMSignatureEntry amd_manifest.BIOSDirectoryTableEntryType = 0x07 )
Variables ¶
This section is empty.
Functions ¶
func DumpBIOSEntry ¶
func DumpBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, entryID amd_manifest.BIOSDirectoryTableEntryType, instance uint8, w io.Writer) (int, error)
DumpBIOSEntry dumps an entry from BIOS directory
func DumpPSPEntry ¶
func DumpPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, entryID amd_manifest.PSPDirectoryTableEntryType, w io.Writer) (int, error)
DumpPSPEntry dumps an entry from PSP Directory
func ExtractBIOSEntry ¶
func ExtractBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, entryID amd_manifest.BIOSDirectoryTableEntryType, instance uint8) ([]byte, error)
ExtractBIOSEntry extracts a single generic raw entry from BIOS Directory.
func ExtractPSPEntry ¶
func ExtractPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, entryID amd_manifest.PSPDirectoryTableEntryType) ([]byte, error)
ExtractPSPEntry extracts a single generic raw entry from PSP Directory. Returns an error if multiple entries are found as PSP directory is supposed to have no more than a single entry for each type
func GetBIOSEntries ¶
func GetBIOSEntries( pspFirmware *amd_manifest.PSPFirmware, biosLevel uint, entryID amd_manifest.BIOSDirectoryTableEntryType, ) ([]amd_manifest.BIOSDirectoryTableEntry, error)
GetBIOSEntries returns all entries of a certain type from BIOS directory sorted by instance
func GetBIOSEntry ¶
func GetBIOSEntry( pspFirmware *amd_manifest.PSPFirmware, biosLevel uint, entryID amd_manifest.BIOSDirectoryTableEntryType, instance uint8, ) (*amd_manifest.BIOSDirectoryTableEntry, error)
GetBIOSEntry returns a singe entry of a certain type from BIOS directory, returns error if multiple entries are found
func GetEntries ¶
func GetEntries(pspFirmware *amd_manifest.PSPFirmware, directory DirectoryType, entryID uint32) ([]bytes2.Range, error)
GetEntries returns a list of specific type PSP entries
func GetPSPEntries ¶
func GetPSPEntries( pspFirmware *amd_manifest.PSPFirmware, pspLevel uint, entryID amd_manifest.PSPDirectoryTableEntryType, ) ([]amd_manifest.PSPDirectoryTableEntry, error)
GetPSPEntries returns all entries of a certain type from PSP directory
func GetPSPEntry ¶
func GetPSPEntry( pspFirmware *amd_manifest.PSPFirmware, pspLevel uint, entryID amd_manifest.PSPDirectoryTableEntryType, ) (*amd_manifest.PSPDirectoryTableEntry, error)
GetPSPEntry returns a singe entry of a certain type from PSP directory, returns error if multiple entries are found
func GetRangeBytes ¶
GetRangeBytes converts firmware range to continues bytes sequence TODO: should be moved to fiano's bytes2
func IsPSBEnabled ¶
func IsPSBEnabled(amdFw *amd_manifest.AMDFirmware) (bool, error)
IsPSBEnabled checks if firmware has PSB enabled
func NewMultiKeySignedBlob ¶
func NewMultiKeySignedBlob(signature []byte, signedData []byte, keySet KeySet) (*SignedBlob, *Key, error)
NewMultiKeySignedBlob validates the signature of a blob against multiple possible keys stored in a KeySet, returning the key which validates the signature of the blob
func OutputBIOSEntries ¶
func OutputBIOSEntries(amdFw *amd_manifest.AMDFirmware) error
OutputBIOSEntries outputs the BIOS entries in an ASCII table format
func OutputPSPEntries ¶
func OutputPSPEntries(amdFw *amd_manifest.AMDFirmware) error
OutputPSPEntries outputs the PSP entries in an ASCII table format
func ParseAMDFirmware ¶
func ParseAMDFirmware(image []byte) (*amd_manifest.AMDFirmware, error)
ParseAMDFirmware parses AMD firmware from the image bytes
func PatchBIOSEntry ¶
func PatchBIOSEntry(amdFw *amd_manifest.AMDFirmware, biosLevel uint, entryID amd_manifest.BIOSDirectoryTableEntryType, instance uint8, r io.Reader, w io.Writer) (int, error)
PatchBIOSEntry takes an AmdFirmware object and modifies one entry in BIOS directory. The modified entry is read from `r` reader object, while the modified firmware is written into `w` writer object.
func PatchPSPEntry ¶
func PatchPSPEntry(amdFw *amd_manifest.AMDFirmware, pspLevel uint, entryID amd_manifest.PSPDirectoryTableEntryType, r io.Reader, w io.Writer) (int, error)
PatchPSPEntry takes an AmdFirmware object and modifies one entry in PSP directory. The modified entry is read from `r` reader object, while the modified firmware is written into `w` writer object.
Types ¶
type BIOSDirectoryEntryItem ¶
type BIOSDirectoryEntryItem struct { Level uint8 Entry amd_manifest.BIOSDirectoryTableEntryType Instance uint8 }
BIOSDirectoryEntryItem determines a BIOS directory entry
func (BIOSDirectoryEntryItem) String ¶
func (biosEntry BIOSDirectoryEntryItem) String() string
type BIOSEntryType ¶
type BIOSEntryType uint8
BIOSEntryType defines the type to hold BIOS Entry Type fields
func (BIOSEntryType) String ¶
func (_type BIOSEntryType) String() string
* Nicely output human-readable names for BIOS Entry Types * * This doesn't have all the entries mapped, there are still * several more pages left. It does have all the types * encountered in the firmware images used to test * however. *
type DirectoryType ¶
type DirectoryType uint8
DirectoryType denotes specific firmware table in PSP firmware
const ( // PSPDirectoryLevel1 represents PSP directory table level 1 PSPDirectoryLevel1 DirectoryType = iota // PSPDirectoryLevel2 represents PSP directory table level 2 PSPDirectoryLevel2 // BIOSDirectoryLevel1 represents BIOS directory table level 1 BIOSDirectoryLevel1 // BIOSDirectoryLevel2 represents BIOS directory table level 2 BIOSDirectoryLevel2 )
func AllDirectoryTypes ¶
func AllDirectoryTypes() []DirectoryType
AllDirectoryTypes returns all directory types
func DirectoryTypeFromString ¶
func DirectoryTypeFromString(in string) (DirectoryType, error)
DirectoryTypeFromString converts a string into DirectoryType
func GetBIOSDirectoryOfLevel ¶
func GetBIOSDirectoryOfLevel(level uint) (DirectoryType, error)
GetBIOSDirectoryOfLevel returns the BIOS directory of a certain level
func GetPSPDirectoryOfLevel ¶
func GetPSPDirectoryOfLevel(level uint) (DirectoryType, error)
GetPSPDirectoryOfLevel returns the PSP directory of a certain level
func (DirectoryType) ShortName ¶
func (t DirectoryType) ShortName() string
ShortName returns a short name of directory type
func (DirectoryType) String ¶
func (t DirectoryType) String() string
type ErrInvalidFormat ¶
type ErrInvalidFormat struct {
// contains filtered or unexported fields
}
ErrInvalidFormat describes a situation when parsing of firmware failed because of invalid format
func (ErrInvalidFormat) Error ¶
func (err ErrInvalidFormat) Error() string
func (ErrInvalidFormat) GetItem ¶
func (err ErrInvalidFormat) GetItem() FirmwareItem
GetItem returns the affected item (could be nil)
func (ErrInvalidFormat) Unwrap ¶
func (err ErrInvalidFormat) Unwrap() error
type ErrNotFound ¶
type ErrNotFound struct {
// contains filtered or unexported fields
}
ErrNotFound describes a situation when firmware item is not found
func (ErrNotFound) Error ¶
func (err ErrNotFound) Error() string
Error returns the string representation of the UnknownSigningKeyError
func (ErrNotFound) GetItem ¶
func (err ErrNotFound) GetItem() FirmwareItem
GetItem returns a not found item
type FirmwareItem ¶
type FirmwareItem interface{}
FirmwareItem is a special item that references a PSP firmware item and could be one of the following types: DirectoryType or BIOSDirectoryEntryItem or PSPDirectoryEntryItem
type Key ¶
type Key struct {
// contains filtered or unexported fields
}
Key structure extracted from the firmware
func GetPSBSignBIOSKey ¶
func GetPSBSignBIOSKey(amdFw *amd_manifest.AMDFirmware, biosLevel uint) (*Key, error)
GetPSBSignBIOSKey returns and OEM Key that is used to sign BIOS during PSB enabled
func NewKeyFromDatabase ¶
NewKeyFromDatabase creates a new key object from key database entry
func NewRootKey ¶
NewRootKey creates a new root key object which is considered trusted without any need for signature check
func NewTokenKey ¶
NewTokenKey create a new key object from a signed token
func (*Key) Get ¶
Get returns the PublicKey object from golang standard library. AMD Milan supports only RSA Keys (2048, 4096), future platforms might add support for additional key types.
func (*Key) SignatureSize ¶
SignatureSize returns the size of the signature
type KeyData ¶
type KeyData struct { VersionID uint32 KeyID KeyID CertifyingKeyID Buf16B KeyUsageFlag KeyUsageFlag Reserved Buf16B ExponentSize uint32 ModulusSize uint32 Exponent []byte Modulus []byte }
KeyData represents the binary format (as it is stored in an image) of the information associated with a key
type KeyID ¶
type KeyID Buf16B
KeyID is the primary identifier of a key
type KeySet ¶
type KeySet struct {
// contains filtered or unexported fields
}
KeySet is a container for all keys known to the system
func GetKeys ¶
func GetKeys(amdFw *amd_manifest.AMDFirmware, level uint) (KeySet, error)
GetKeys returns all the keys known to the system in the form of a KeySet. The firmware itself contains a key database, but that is not comprehensive of all the keys known to the system (e.g. additional keys might be OEM key, ABL signing key, etc.).
func (KeySet) GetKey ¶
GetKey returns a key if known to the KeySet. If the key is not known, null is returned
func (KeySet) KeysetFromType ¶
KeysetFromType returns a KeySet containing all KeyIDs of a specific type
type KeyType ¶
type KeyType string
KeyType represents the type of the key stored in KeySet
const ( // OEMKey represents the OEM signing key OEMKey KeyType = "OEMKey" // AMDRootKey represents the AMD signing key AMDRootKey KeyType = "AMDRootKey" // KeyDatabaseKey represents a key extracted from KeyDatabase KeyDatabaseKey KeyType = "KeyDatabaseKey" // ABLKey represents the ABL signing key ABLKey KeyType = "ALBKey" )
type KeyUsageFlag ¶
type KeyUsageFlag uint32
KeyUsageFlag describes a known values for KeyUsageFlag field of AMD PSP Key structure
const ( // SignAMDBootloaderPSPSMU tells that the corresponding key is authorized to sign AMD developed PSP Boot // Loader and AMD developed PSP FW components and SMU FW. // See Table 26. RSA Key Format Fields of AMD Platform Security Processor BIOS Architecture Design Guide for AMD Family 17h and 19h Processors // Revision 1.11 SignAMDBootloaderPSPSMU KeyUsageFlag = 0 // SignBIOS tells that the corresponding key is authorized to sign BIOS SignBIOS KeyUsageFlag = 1 // SignAMDOEMPSP tells that the corresponding key is authorized to sign PSP FW (both AMD developed and OEM developed) SignAMDOEMPSP KeyUsageFlag = 2 // PSBSignBIOS tells that a key is authorized to sign BIOS for platform secure boot. // See Table 8. RSA Key Format Fields of Enabling Platform Secure Boot // for AMD Family 17h Models 00h–0Fh and 30h–3Fh and Family 19h Models 00h–0Fh Processor-Based Server Platforms // Revision 0.91 PSBSignBIOS KeyUsageFlag = 8 )
type PSPBinary ¶
type PSPBinary struct {
// contains filtered or unexported fields
}
PSPBinary represents a generic PSPBinary with pre-pended header structure
type PSPDirectoryEntryItem ¶
type PSPDirectoryEntryItem struct { Level uint8 Entry amd_manifest.PSPDirectoryTableEntryType }
PSPDirectoryEntryItem determines a PSP directory entry
func (PSPDirectoryEntryItem) String ¶
func (pspEntry PSPDirectoryEntryItem) String() string
type PSPEntryType ¶
type PSPEntryType uint8
PSPEntryType defines the type to hold PSP Entry Type fields
func (PSPEntryType) String ¶
func (_type PSPEntryType) String() string
* Nicely output human-readable names for PSP Entry Types * * This doesn't have all the entries mapped, there are still * several more pages left. It does have all the types * encountered in the firmware images used to test * however. *
type PSPHeaderData ¶
type PSPHeaderData struct { Nonce Buf16B HeaderVersion uint32 SizeSigned uint32 EncryptionOptions uint32 IKEKType uint8 Reserved0 Buf3B EncryptionParameters Buf16B SignatureOption uint32 SignatureAlgorithmID uint32 SignatureParameters Buf16B CompressionOptions uint32 SecurityPatchLevel uint32 UncompressedImageSize uint32 CompressedImageSize uint32 CompressionParameters Buf8B ImageVersion uint32 ApuFamilyID uint32 FirmwareLoadAddress uint32 SizeImage uint32 SizeFwUnsigned uint32 FirmwareSplitAddress uint32 Reserved Buf4B FwType uint8 FwSubType uint8 Reserved1 uint16 EncryptionKey Buf16B SigningInfo Buf16B FwSpecificData Buf32B DebugEncKey Buf16B }
PSPHeaderData embeds the data of PspHeader
type PlatformBindingInfo ¶
PlatformBindingInfo describes information of BIOS Signing Key to Platform Binding information
func GetPlatformBindingInfo ¶
func GetPlatformBindingInfo(k *Key) (PlatformBindingInfo, error)
GetPlatformBindingInfo for PSBSignBIOS key returns BIOS Signing Key to Platform Binding information
func (PlatformBindingInfo) String ¶
func (b PlatformBindingInfo) String() string
type PspHeader ¶
type PspHeader struct {
// contains filtered or unexported fields
}
PspHeader models the header pre-pended to PSP binaries
type SecurityFeatureVector ¶
type SecurityFeatureVector struct { DisableBIOSKeyAntiRollback bool DisableAMDBIOSKeyUse bool DisableSecureDebugUnlock bool }
SecurityFeatureVector represents a security feature selection vector of BIOS OEM key
func GetSecurityFeatureVector ¶
func GetSecurityFeatureVector(k *Key) (SecurityFeatureVector, error)
GetSecurityFeatureVector for PSBSignBIOS key returns a security feature selection vector
func (SecurityFeatureVector) String ¶
func (sfv SecurityFeatureVector) String() string
type Signature ¶
type Signature struct {
// contains filtered or unexported fields
}
Signature represents the raw signature bytes of a blob
func NewSignature ¶
NewSignature creates a new signature object
func (*Signature) SigningKey ¶
SigningKey returns the signing key associated to the signature
type SignatureCheckError ¶
type SignatureCheckError struct {
// contains filtered or unexported fields
}
SignatureCheckError is an error type which indicates that signature of an element cannot be validated against its signing key
func (*SignatureCheckError) Error ¶
func (m *SignatureCheckError) Error() string
Error returns the string representation of SignatureCheckError
func (*SignatureCheckError) SignedElement ¶
func (m *SignatureCheckError) SignedElement() FirmwareItem
SignedElement returns an optional item whose signature check failed
func (*SignatureCheckError) SigningKey ¶
func (m *SignatureCheckError) SigningKey() *Key
SigningKey returns the SigningKey associated to the error. Might return nil value
func (*SignatureCheckError) Unwrap ¶
func (m *SignatureCheckError) Unwrap() error
type SignatureValidationResult ¶
type SignatureValidationResult struct {
// contains filtered or unexported fields
}
SignatureValidationResult represents the result of a signature validate
func ValidatePSPEntries ¶
func ValidatePSPEntries(amdFw *amd_manifest.AMDFirmware, keyDB KeySet, directory DirectoryType, entries []uint32) ([]SignatureValidationResult, error)
ValidatePSPEntries validates signature of PSP entries given their entry values in PSP/BIOS Table
func ValidatePSPEntry ¶
func ValidatePSPEntry(amdFw *amd_manifest.AMDFirmware, keyDB KeySet, offset, length uint64) (SignatureValidationResult, error)
ValidatePSPEntry validates signature of a PSP entry
func ValidateRTM ¶
func ValidateRTM(amdFw *amd_manifest.AMDFirmware, biosLevel uint) (*SignatureValidationResult, error)
ValidateRTM validates signature of RTM volume and BIOS directory table concatenated
func (*SignatureValidationResult) Error ¶
func (v *SignatureValidationResult) Error() error
Error returns a signature verification error if any
func (*SignatureValidationResult) SigningKey ¶
func (v *SignatureValidationResult) SigningKey() *Key
SigningKey returns a key that was used to validate the signature
func (*SignatureValidationResult) String ¶
func (v *SignatureValidationResult) String() string
String returns a string representation of the signature validation result
type SignedBlob ¶
type SignedBlob struct {
// contains filtered or unexported fields
}
SignedBlob represents an object whose signature is guaranteed to be validated
func NewSignedBlob ¶
func NewSignedBlob(signature []byte, signedData []byte, signingKey *Key) (*SignedBlob, error)
NewSignedBlob creates a new signed blob object and validates its signature
func (*SignedBlob) Signature ¶
func (b *SignedBlob) Signature() *Signature
Signature returns the signature of the blob
func (*SignedBlob) SignedData ¶
func (b *SignedBlob) SignedData() []byte
SignedData returns a buffer of signed data held by the SignedBlob object
type UnknownSigningKeyError ¶
type UnknownSigningKeyError struct {
// contains filtered or unexported fields
}
UnknownSigningKeyError is an error type which indicates that the signing key is unknown
func (*UnknownSigningKeyError) Error ¶
func (s *UnknownSigningKeyError) Error() string
Error returns the string representation of the UnknownSigningKeyError
func (*UnknownSigningKeyError) SignedElement ¶
func (s *UnknownSigningKeyError) SignedElement() FirmwareItem
SignedElement returns an optional item whose signature check failed