1 // SPDX-License-Identifier: GPL-2.0+
2 /*
3 * (C) Copyright 2000
4 * Wolfgang Denk, DENX Software Engineering, wd@denx.de.
5 */
6
7 #include <config.h>
8 #include <autoboot.h>
9 #include <bootretry.h>
10 #include <cli.h>
11 #include <command.h>
12 #include <console.h>
13 #include <env.h>
14 #include <errno.h>
15 #include <fdtdec.h>
16 #include <hash.h>
17 #include <log.h>
18 #include <malloc.h>
19 #include <memalign.h>
20 #include <menu.h>
21 #include <post.h>
22 #include <time.h>
23 #include <asm/global_data.h>
24 #include <linux/delay.h>
25 #include <u-boot/sha256.h>
26 #include <bootcount.h>
27 #include <crypt.h>
28 #include <dm/ofnode.h>
29
30 DECLARE_GLOBAL_DATA_PTR;
31
32 #define DELAY_STOP_STR_MAX_LENGTH 64
33
34 #ifndef DEBUG_BOOTKEYS
35 #define DEBUG_BOOTKEYS 0
36 #endif
37 #define debug_bootkeys(fmt, args...) \
38 debug_cond(DEBUG_BOOTKEYS, fmt, ##args)
39
40 /* Stored value of bootdelay, used by autoboot_command() */
41 static int stored_bootdelay;
42 static int menukey;
43
44 #if defined(CONFIG_AUTOBOOT_STOP_STR_CRYPT)
45 #define AUTOBOOT_STOP_STR_CRYPT CONFIG_AUTOBOOT_STOP_STR_CRYPT
46 #else
47 #define AUTOBOOT_STOP_STR_CRYPT ""
48 #endif
49 #if defined(CONFIG_AUTOBOOT_STOP_STR_SHA256)
50 #define AUTOBOOT_STOP_STR_SHA256 CONFIG_AUTOBOOT_STOP_STR_SHA256
51 #else
52 #define AUTOBOOT_STOP_STR_SHA256 ""
53 #endif
54
55 #ifdef CONFIG_AUTOBOOT_USE_MENUKEY
56 #define AUTOBOOT_MENUKEY CONFIG_AUTOBOOT_MENUKEY
57 #else
58 #define AUTOBOOT_MENUKEY 0
59 #endif
60
61 /**
62 * passwd_abort_crypt() - check for a crypt-style hashed key sequence to abort booting
63 *
64 * This checks for the user entering a password within a given time.
65 *
66 * The entered password is hashed via one of the crypt-style hash methods
67 * and compared to the pre-defined value from either
68 * the environment variable "bootstopkeycrypt"
69 * or
70 * the config value CONFIG_AUTOBOOT_STOP_STR_CRYPT
71 *
72 * In case the config value CONFIG_AUTOBOOT_NEVER_TIMEOUT has been enabled
73 * this function never times out if the user presses the <Enter> key
74 * before starting to enter the password.
75 *
76 * @etime: Timeout value ticks (stop when get_ticks() reachs this)
77 * Return: 0 if autoboot should continue, 1 if it should stop
78 */
passwd_abort_crypt(uint64_t etime)79 static int passwd_abort_crypt(uint64_t etime)
80 {
81 const char *crypt_env_str = env_get("bootstopkeycrypt");
82 char presskey[DELAY_STOP_STR_MAX_LENGTH];
83 u_int presskey_len = 0;
84 int abort = 0;
85 int never_timeout = 0;
86 int err;
87
88 if (IS_ENABLED(CONFIG_AUTOBOOT_STOP_STR_ENABLE) && !crypt_env_str)
89 crypt_env_str = AUTOBOOT_STOP_STR_CRYPT;
90
91 if (!crypt_env_str)
92 return 0;
93
94 /* We expect the stop-string to be newline-terminated */
95 do {
96 if (tstc()) {
97 /* Check for input string overflow */
98 if (presskey_len >= sizeof(presskey))
99 return 0;
100
101 presskey[presskey_len] = getchar();
102
103 if ((presskey[presskey_len] == '\r') ||
104 (presskey[presskey_len] == '\n')) {
105 if (IS_ENABLED(CONFIG_AUTOBOOT_NEVER_TIMEOUT) &&
106 !presskey_len) {
107 never_timeout = 1;
108 continue;
109 }
110 presskey[presskey_len] = '\0';
111 err = crypt_compare(crypt_env_str, presskey,
112 &abort);
113 if (err)
114 debug_bootkeys(
115 "crypt_compare() failed with: %s\n",
116 errno_str(err));
117 /* you had one chance */
118 break;
119 } else {
120 presskey_len++;
121 }
122 }
123 udelay(10000);
124 } while (never_timeout || get_ticks() <= etime);
125
126 return abort;
127 }
128
129 /*
130 * Use a "constant-length" time compare function for this
131 * hash compare:
132 *
133 * https://crackstation.net/hashing-security.htm
134 */
slow_equals(u8 * a,u8 * b,int len)135 static int slow_equals(u8 *a, u8 *b, int len)
136 {
137 int diff = 0;
138 int i;
139
140 for (i = 0; i < len; i++)
141 diff |= a[i] ^ b[i];
142
143 return diff == 0;
144 }
145
146 /**
147 * passwd_abort_sha256() - check for a hashed key sequence to abort booting
148 *
149 * This checks for the user entering a SHA256 hash within a given time.
150 *
151 * @etime: Timeout value ticks (stop when get_ticks() reachs this)
152 * Return: 0 if autoboot should continue, 1 if it should stop
153 */
passwd_abort_sha256(uint64_t etime)154 static int passwd_abort_sha256(uint64_t etime)
155 {
156 const char *sha_env_str = env_get("bootstopkeysha256");
157 u8 sha_env[SHA256_SUM_LEN];
158 u8 *sha;
159 char *presskey;
160 char *c;
161 const char *algo_name = "sha256";
162 u_int presskey_len = 0;
163 int abort = 0;
164 int size = sizeof(sha);
165 int ret;
166
167 if (sha_env_str == NULL)
168 sha_env_str = AUTOBOOT_STOP_STR_SHA256;
169
170 presskey = malloc_cache_aligned(DELAY_STOP_STR_MAX_LENGTH);
171 if (!presskey)
172 return -ENOMEM;
173
174 c = strstr(sha_env_str, ":");
175 if (c && (c - sha_env_str < DELAY_STOP_STR_MAX_LENGTH)) {
176 /* preload presskey with salt */
177 memcpy(presskey, sha_env_str, c - sha_env_str);
178 presskey_len = c - sha_env_str;
179 sha_env_str = c + 1;
180 }
181 /*
182 * Generate the binary value from the environment hash value
183 * so that we can compare this value with the computed hash
184 * from the user input
185 */
186 ret = hash_parse_string(algo_name, sha_env_str, sha_env);
187 if (ret) {
188 printf("Hash %s not supported!\n", algo_name);
189 free(presskey);
190 return 0;
191 }
192
193 sha = malloc_cache_aligned(SHA256_SUM_LEN);
194 if (!sha) {
195 free(presskey);
196 return -ENOMEM;
197 }
198 size = SHA256_SUM_LEN;
199 /*
200 * We don't know how long the stop-string is, so we need to
201 * generate the sha256 hash upon each input character and
202 * compare the value with the one saved in the environment
203 */
204 do {
205 if (tstc()) {
206 /* Check for input string overflow */
207 if (presskey_len >= DELAY_STOP_STR_MAX_LENGTH) {
208 free(presskey);
209 free(sha);
210 return 0;
211 }
212
213 presskey[presskey_len++] = getchar();
214
215 /* Calculate sha256 upon each new char */
216 hash_block(algo_name, (const void *)presskey,
217 presskey_len, sha, &size);
218
219 /* And check if sha matches saved value in env */
220 if (slow_equals(sha, sha_env, SHA256_SUM_LEN))
221 abort = 1;
222 }
223 udelay(10000);
224 } while (!abort && get_ticks() <= etime);
225
226 free(presskey);
227 free(sha);
228 return abort;
229 }
230
231 /**
232 * passwd_abort_key() - check for a key sequence to aborted booting
233 *
234 * This checks for the user entering a string within a given time.
235 *
236 * @etime: Timeout value ticks (stop when get_ticks() reachs this)
237 * Return: 0 if autoboot should continue, 1 if it should stop
238 */
passwd_abort_key(uint64_t etime)239 static int passwd_abort_key(uint64_t etime)
240 {
241 int abort = 0;
242 struct {
243 char *str;
244 u_int len;
245 int retry;
246 }
247 delaykey[] = {
248 { .str = env_get("bootdelaykey"), .retry = 1 },
249 { .str = env_get("bootstopkey"), .retry = 0 },
250 };
251
252 char presskey[DELAY_STOP_STR_MAX_LENGTH];
253 int presskey_len = 0;
254 int presskey_max = 0;
255 int i;
256
257 # ifdef CONFIG_AUTOBOOT_DELAY_STR
258 if (delaykey[0].str == NULL)
259 delaykey[0].str = CONFIG_AUTOBOOT_DELAY_STR;
260 # endif
261 # ifdef CONFIG_AUTOBOOT_STOP_STR
262 if (delaykey[1].str == NULL)
263 delaykey[1].str = CONFIG_AUTOBOOT_STOP_STR;
264 # endif
265
266 for (i = 0; i < sizeof(delaykey) / sizeof(delaykey[0]); i++) {
267 delaykey[i].len = delaykey[i].str == NULL ?
268 0 : strlen(delaykey[i].str);
269 delaykey[i].len = delaykey[i].len > DELAY_STOP_STR_MAX_LENGTH ?
270 DELAY_STOP_STR_MAX_LENGTH : delaykey[i].len;
271
272 presskey_max = presskey_max > delaykey[i].len ?
273 presskey_max : delaykey[i].len;
274
275 debug_bootkeys("%s key:<%s>\n",
276 delaykey[i].retry ? "delay" : "stop",
277 delaykey[i].str ? delaykey[i].str : "NULL");
278 }
279
280 /* In order to keep up with incoming data, check timeout only
281 * when catch up.
282 */
283 do {
284 if (tstc()) {
285 if (presskey_len < presskey_max) {
286 presskey[presskey_len++] = getchar();
287 } else {
288 for (i = 0; i < presskey_max - 1; i++)
289 presskey[i] = presskey[i + 1];
290
291 presskey[i] = getchar();
292 }
293 }
294
295 for (i = 0; i < sizeof(delaykey) / sizeof(delaykey[0]); i++) {
296 if (delaykey[i].len > 0 &&
297 presskey_len >= delaykey[i].len &&
298 memcmp(presskey + presskey_len -
299 delaykey[i].len, delaykey[i].str,
300 delaykey[i].len) == 0) {
301 debug_bootkeys("got %skey\n",
302 delaykey[i].retry ? "delay" :
303 "stop");
304
305 /* don't retry auto boot */
306 if (!delaykey[i].retry)
307 bootretry_dont_retry();
308 abort = 1;
309 }
310 }
311 udelay(10000);
312 } while (!abort && get_ticks() <= etime);
313
314 return abort;
315 }
316
317 /**
318 * flush_stdin() - drops all pending characters from stdin
319 */
flush_stdin(void)320 static void flush_stdin(void)
321 {
322 while (tstc())
323 (void)getchar();
324 }
325
326 /**
327 * fallback_to_sha256() - check whether we should fall back to sha256
328 * password checking
329 *
330 * This checks for the environment variable `bootstopusesha256` in case
331 * sha256-fallback has been enabled via the config setting
332 * `AUTOBOOT_SHA256_FALLBACK`.
333 *
334 * Return: `false` if we must not fall-back, `true` if plain sha256 should be tried
335 */
fallback_to_sha256(void)336 static bool fallback_to_sha256(void)
337 {
338 if (IS_ENABLED(CONFIG_AUTOBOOT_SHA256_FALLBACK))
339 return env_get_yesno("bootstopusesha256") == 1;
340 else if (IS_ENABLED(CONFIG_CRYPT_PW))
341 return false;
342 else
343 return true;
344 }
345
346 /***************************************************************************
347 * Watch for 'delay' seconds for autoboot stop or autoboot delay string.
348 * returns: 0 - no key string, allow autoboot 1 - got key string, abort
349 */
abortboot_key_sequence(int bootdelay)350 static int abortboot_key_sequence(int bootdelay)
351 {
352 int abort;
353 uint64_t etime = endtick(bootdelay);
354
355 if (IS_ENABLED(CONFIG_AUTOBOOT_FLUSH_STDIN))
356 flush_stdin();
357 # ifdef CONFIG_AUTOBOOT_PROMPT
358 /*
359 * CONFIG_AUTOBOOT_PROMPT includes the %d for all boards.
360 * To print the bootdelay value upon bootup.
361 */
362 printf(CONFIG_AUTOBOOT_PROMPT, bootdelay);
363 # endif
364
365 if (IS_ENABLED(CONFIG_AUTOBOOT_ENCRYPTION)) {
366 if (IS_ENABLED(CONFIG_CRYPT_PW) && !fallback_to_sha256())
367 abort = passwd_abort_crypt(etime);
368 else
369 abort = passwd_abort_sha256(etime);
370 } else {
371 abort = passwd_abort_key(etime);
372 }
373 if (!abort)
374 debug_bootkeys("key timeout\n");
375
376 return abort;
377 }
378
abortboot_single_key(int bootdelay)379 static int abortboot_single_key(int bootdelay)
380 {
381 int abort = 0;
382 unsigned long ts;
383
384 printf("Hit any key to stop autoboot: %2d ", bootdelay);
385
386 /*
387 * Check if key already pressed
388 */
389 if (tstc()) { /* we got a key press */
390 getchar(); /* consume input */
391 puts("\b\b\b 0");
392 abort = 1; /* don't auto boot */
393 }
394
395 while ((bootdelay > 0) && (!abort)) {
396 --bootdelay;
397 /* delay 1000 ms */
398 ts = get_timer(0);
399 do {
400 if (tstc()) { /* we got a key press */
401 int key;
402
403 abort = 1; /* don't auto boot */
404 bootdelay = 0; /* no more delay */
405 key = getchar();/* consume input */
406 if (IS_ENABLED(CONFIG_AUTOBOOT_USE_MENUKEY))
407 menukey = key;
408 break;
409 }
410 udelay(10000);
411 } while (!abort && get_timer(ts) < 1000);
412
413 printf("\rHit any key to stop autoboot: %1d\033[K", bootdelay);
414 }
415
416 putc('\n');
417
418 return abort;
419 }
420
abortboot(int bootdelay)421 static int abortboot(int bootdelay)
422 {
423 int abort = 0;
424
425 if (bootdelay >= 0) {
426 if (autoboot_keyed())
427 abort = abortboot_key_sequence(bootdelay);
428 else
429 abort = abortboot_single_key(bootdelay);
430 }
431
432 if (IS_ENABLED(CONFIG_SILENT_CONSOLE) && abort)
433 gd->flags &= ~GD_FLG_SILENT;
434
435 return abort;
436 }
437
process_fdt_options(void)438 static void process_fdt_options(void)
439 {
440 #ifdef CONFIG_TEXT_BASE
441 ulong addr;
442
443 /* Add an env variable to point to a kernel payload, if available */
444 addr = ofnode_conf_read_int("kernel-offset", 0);
445 if (addr)
446 env_set_addr("kernaddr", (void *)(CONFIG_TEXT_BASE + addr));
447
448 /* Add an env variable to point to a root disk, if available */
449 addr = ofnode_conf_read_int("rootdisk-offset", 0);
450 if (addr)
451 env_set_addr("rootaddr", (void *)(CONFIG_TEXT_BASE + addr));
452 #endif /* CONFIG_TEXT_BASE */
453 }
454
bootdelay_process(void)455 const char *bootdelay_process(void)
456 {
457 char *s;
458 int bootdelay;
459
460 bootcount_inc();
461
462 s = env_get("bootdelay");
463 bootdelay = s ? (int)simple_strtol(s, NULL, 10) : CONFIG_BOOTDELAY;
464
465 /*
466 * Does it really make sense that the devicetree overrides the user
467 * setting? It is possibly helpful for security since the device tree
468 * may be signed whereas the environment is often loaded from storage.
469 */
470 if (IS_ENABLED(CONFIG_OF_CONTROL))
471 bootdelay = ofnode_conf_read_int("bootdelay", bootdelay);
472
473 debug("### main_loop entered: bootdelay=%d\n\n", bootdelay);
474
475 if (IS_ENABLED(CONFIG_AUTOBOOT_MENU_SHOW))
476 bootdelay = menu_show(bootdelay);
477 bootretry_init_cmd_timeout();
478
479 #ifdef CONFIG_POST
480 if (gd->flags & GD_FLG_POSTFAIL) {
481 s = env_get("failbootcmd");
482 } else
483 #endif /* CONFIG_POST */
484 if (bootcount_error())
485 s = env_get("altbootcmd");
486 else
487 s = env_get("bootcmd");
488
489 if (IS_ENABLED(CONFIG_OF_CONTROL))
490 process_fdt_options();
491 stored_bootdelay = bootdelay;
492
493 return s;
494 }
495
autoboot_command(const char * s)496 void autoboot_command(const char *s)
497 {
498 debug("### main_loop: bootcmd=\"%s\"\n", s ? s : "<UNDEFINED>");
499
500 if (s && (stored_bootdelay == -2 ||
501 (stored_bootdelay != -1 && !abortboot(stored_bootdelay)))) {
502 bool lock;
503 int prev;
504
505 lock = autoboot_keyed() &&
506 !IS_ENABLED(CONFIG_AUTOBOOT_KEYED_CTRLC);
507 if (lock)
508 prev = disable_ctrlc(1); /* disable Ctrl-C checking */
509
510 run_command_list(s, -1, 0);
511
512 if (lock)
513 disable_ctrlc(prev); /* restore Ctrl-C checking */
514 }
515
516 if (IS_ENABLED(CONFIG_AUTOBOOT_USE_MENUKEY) &&
517 menukey == AUTOBOOT_MENUKEY) {
518 s = env_get("menucmd");
519 if (s)
520 run_command_list(s, -1, 0);
521 }
522 }
523