avb_slot_verify.c revision 0f7de9479afef18835cdbfe3da07811a7993504e
1/* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Permission is hereby granted, free of charge, to any person 5 * obtaining a copy of this software and associated documentation 6 * files (the "Software"), to deal in the Software without 7 * restriction, including without limitation the rights to use, copy, 8 * modify, merge, publish, distribute, sublicense, and/or sell copies 9 * of the Software, and to permit persons to whom the Software is 10 * furnished to do so, subject to the following conditions: 11 * 12 * The above copyright notice and this permission notice shall be 13 * included in all copies or substantial portions of the Software. 14 * 15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS 19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN 20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN 21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 22 * SOFTWARE. 23 */ 24 25#include "avb_slot_verify.h" 26#include "avb_chain_partition_descriptor.h" 27#include "avb_footer.h" 28#include "avb_hash_descriptor.h" 29#include "avb_kernel_cmdline_descriptor.h" 30#include "avb_sha.h" 31#include "avb_util.h" 32#include "avb_vbmeta_image.h" 33#include "avb_version.h" 34 35/* Maximum allow length (in bytes) of a partition name, including 36 * ab_suffix. 37 */ 38#define PART_NAME_MAX_SIZE 32 39 40/* Maximum number of partitions that can be loaded with avb_slot_verify(). */ 41#define MAX_NUMBER_OF_LOADED_PARTITIONS 32 42 43/* Maximum number of vbmeta images that can be loaded with avb_slot_verify(). */ 44#define MAX_NUMBER_OF_VBMETA_IMAGES 32 45 46/* Maximum size of a vbmeta image - 64 KiB. */ 47#define VBMETA_MAX_SIZE (64 * 1024) 48 49/* Helper function to see if we should continue with verification in 50 * allow_verification_error=true mode if something goes wrong. See the 51 * comments for the avb_slot_verify() function for more information. 52 */ 53static inline bool result_should_continue(AvbSlotVerifyResult result) { 54 switch (result) { 55 case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: 56 case AVB_SLOT_VERIFY_RESULT_ERROR_IO: 57 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: 58 case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: 59 return false; 60 61 case AVB_SLOT_VERIFY_RESULT_OK: 62 case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: 63 case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: 64 case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: 65 return true; 66 } 67 68 return false; 69} 70 71static AvbSlotVerifyResult load_and_verify_hash_partition( 72 AvbOps* ops, 73 const char* const* requested_partitions, 74 const char* ab_suffix, 75 bool allow_verification_error, 76 const AvbDescriptor* descriptor, 77 AvbSlotVerifyData* slot_data) { 78 AvbHashDescriptor hash_desc; 79 const uint8_t* desc_partition_name = NULL; 80 const uint8_t* desc_salt; 81 const uint8_t* desc_digest; 82 char part_name[PART_NAME_MAX_SIZE]; 83 AvbSlotVerifyResult ret; 84 AvbIOResult io_ret; 85 uint8_t* image_buf = NULL; 86 size_t part_num_read; 87 uint8_t* digest; 88 size_t digest_len; 89 const char* found; 90 91 if (!avb_hash_descriptor_validate_and_byteswap( 92 (const AvbHashDescriptor*)descriptor, &hash_desc)) { 93 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 94 goto out; 95 } 96 97 desc_partition_name = 98 ((const uint8_t*)descriptor) + sizeof(AvbHashDescriptor); 99 desc_salt = desc_partition_name + hash_desc.partition_name_len; 100 desc_digest = desc_salt + hash_desc.salt_len; 101 102 if (!avb_validate_utf8(desc_partition_name, hash_desc.partition_name_len)) { 103 avb_error("Partition name is not valid UTF-8.\n"); 104 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 105 goto out; 106 } 107 108 if (!avb_str_concat(part_name, 109 sizeof part_name, 110 (const char*)desc_partition_name, 111 hash_desc.partition_name_len, 112 ab_suffix, 113 avb_strlen(ab_suffix))) { 114 avb_error("Partition name and suffix does not fit.\n"); 115 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 116 goto out; 117 } 118 119 image_buf = avb_malloc(hash_desc.image_size); 120 if (image_buf == NULL) { 121 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 122 goto out; 123 } 124 125 io_ret = ops->read_from_partition(ops, 126 part_name, 127 0 /* offset */, 128 hash_desc.image_size, 129 image_buf, 130 &part_num_read); 131 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 132 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 133 goto out; 134 } else if (io_ret != AVB_IO_RESULT_OK) { 135 avb_errorv(part_name, ": Error loading data from partition.\n", NULL); 136 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 137 goto out; 138 } 139 if (part_num_read != hash_desc.image_size) { 140 avb_errorv(part_name, ": Read fewer than requested bytes.\n", NULL); 141 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 142 goto out; 143 } 144 145 if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha256") == 0) { 146 AvbSHA256Ctx sha256_ctx; 147 avb_sha256_init(&sha256_ctx); 148 avb_sha256_update(&sha256_ctx, desc_salt, hash_desc.salt_len); 149 avb_sha256_update(&sha256_ctx, image_buf, hash_desc.image_size); 150 digest = avb_sha256_final(&sha256_ctx); 151 digest_len = AVB_SHA256_DIGEST_SIZE; 152 } else if (avb_strcmp((const char*)hash_desc.hash_algorithm, "sha512") == 0) { 153 AvbSHA512Ctx sha512_ctx; 154 avb_sha512_init(&sha512_ctx); 155 avb_sha512_update(&sha512_ctx, desc_salt, hash_desc.salt_len); 156 avb_sha512_update(&sha512_ctx, image_buf, hash_desc.image_size); 157 digest = avb_sha512_final(&sha512_ctx); 158 digest_len = AVB_SHA512_DIGEST_SIZE; 159 } else { 160 avb_errorv(part_name, ": Unsupported hash algorithm.\n", NULL); 161 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 162 goto out; 163 } 164 165 if (digest_len != hash_desc.digest_len) { 166 avb_errorv( 167 part_name, ": Digest in descriptor not of expected size.\n", NULL); 168 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 169 goto out; 170 } 171 172 if (avb_safe_memcmp(digest, desc_digest, digest_len) != 0) { 173 avb_errorv(part_name, 174 ": Hash of data does not match digest in descriptor.\n", 175 NULL); 176 ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION; 177 goto out; 178 } 179 180 ret = AVB_SLOT_VERIFY_RESULT_OK; 181 182out: 183 184 if (ret == AVB_SLOT_VERIFY_RESULT_OK || result_should_continue(ret)) { 185 /* If this is the requested partition, copy to slot_data. */ 186 found = avb_strv_find_str(requested_partitions, 187 (const char*)desc_partition_name, 188 hash_desc.partition_name_len); 189 if (found != NULL) { 190 AvbPartitionData* loaded_partition; 191 if (slot_data->num_loaded_partitions == MAX_NUMBER_OF_LOADED_PARTITIONS) { 192 avb_errorv(part_name, ": Too many loaded partitions.\n", NULL); 193 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 194 goto fail; 195 } 196 loaded_partition = 197 &slot_data->loaded_partitions[slot_data->num_loaded_partitions++]; 198 loaded_partition->partition_name = avb_strdup(found); 199 loaded_partition->data_size = hash_desc.image_size; 200 loaded_partition->data = image_buf; 201 image_buf = NULL; 202 } 203 } 204 205fail: 206 if (image_buf != NULL) { 207 avb_free(image_buf); 208 } 209 return ret; 210} 211 212static AvbSlotVerifyResult load_and_verify_vbmeta( 213 AvbOps* ops, 214 const char* const* requested_partitions, 215 const char* ab_suffix, 216 bool allow_verification_error, 217 AvbVBMetaImageFlags toplevel_vbmeta_flags, 218 int rollback_index_location, 219 const char* partition_name, 220 size_t partition_name_len, 221 const uint8_t* expected_public_key, 222 size_t expected_public_key_length, 223 AvbSlotVerifyData* slot_data, 224 AvbAlgorithmType* out_algorithm_type) { 225 char full_partition_name[PART_NAME_MAX_SIZE]; 226 AvbSlotVerifyResult ret; 227 AvbIOResult io_ret; 228 size_t vbmeta_offset; 229 size_t vbmeta_size; 230 uint8_t* vbmeta_buf = NULL; 231 size_t vbmeta_num_read; 232 AvbVBMetaVerifyResult vbmeta_ret; 233 const uint8_t* pk_data; 234 size_t pk_len; 235 AvbVBMetaImageHeader vbmeta_header; 236 uint64_t stored_rollback_index; 237 const AvbDescriptor** descriptors = NULL; 238 size_t num_descriptors; 239 size_t n; 240 bool is_main_vbmeta; 241 bool is_vbmeta_partition; 242 AvbVBMetaData* vbmeta_image_data = NULL; 243 244 ret = AVB_SLOT_VERIFY_RESULT_OK; 245 246 avb_assert(slot_data != NULL); 247 248 /* Since we allow top-level vbmeta in 'boot', use 249 * rollback_index_location to determine whether we're the main 250 * vbmeta struct. 251 */ 252 is_main_vbmeta = (rollback_index_location == 0); 253 is_vbmeta_partition = (avb_strcmp(partition_name, "vbmeta") == 0); 254 255 if (!avb_validate_utf8((const uint8_t*)partition_name, partition_name_len)) { 256 avb_error("Partition name is not valid UTF-8.\n"); 257 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 258 goto out; 259 } 260 261 /* Construct full partition name. */ 262 if (!avb_str_concat(full_partition_name, 263 sizeof full_partition_name, 264 partition_name, 265 partition_name_len, 266 ab_suffix, 267 avb_strlen(ab_suffix))) { 268 avb_error("Partition name and suffix does not fit.\n"); 269 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 270 goto out; 271 } 272 273 avb_debugv("Loading vbmeta struct from partition '", 274 full_partition_name, 275 "'.\n", 276 NULL); 277 278 /* If we're loading from the main vbmeta partition, the vbmeta 279 * struct is in the beginning. Otherwise we have to locate it via a 280 * footer. 281 */ 282 if (is_vbmeta_partition) { 283 vbmeta_offset = 0; 284 vbmeta_size = VBMETA_MAX_SIZE; 285 } else { 286 uint8_t footer_buf[AVB_FOOTER_SIZE]; 287 size_t footer_num_read; 288 AvbFooter footer; 289 290 io_ret = ops->read_from_partition(ops, 291 full_partition_name, 292 -AVB_FOOTER_SIZE, 293 AVB_FOOTER_SIZE, 294 footer_buf, 295 &footer_num_read); 296 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 297 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 298 goto out; 299 } else if (io_ret != AVB_IO_RESULT_OK) { 300 avb_errorv(full_partition_name, ": Error loading footer.\n", NULL); 301 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 302 goto out; 303 } 304 avb_assert(footer_num_read == AVB_FOOTER_SIZE); 305 306 if (!avb_footer_validate_and_byteswap((const AvbFooter*)footer_buf, 307 &footer)) { 308 avb_errorv(full_partition_name, ": Error validating footer.\n", NULL); 309 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 310 goto out; 311 } 312 313 /* Basic footer sanity check since the data is untrusted. */ 314 if (footer.vbmeta_size > VBMETA_MAX_SIZE) { 315 avb_errorv( 316 full_partition_name, ": Invalid vbmeta size in footer.\n", NULL); 317 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 318 goto out; 319 } 320 321 vbmeta_offset = footer.vbmeta_offset; 322 vbmeta_size = footer.vbmeta_size; 323 } 324 325 vbmeta_buf = avb_malloc(vbmeta_size); 326 if (vbmeta_buf == NULL) { 327 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 328 goto out; 329 } 330 331 io_ret = ops->read_from_partition(ops, 332 full_partition_name, 333 vbmeta_offset, 334 vbmeta_size, 335 vbmeta_buf, 336 &vbmeta_num_read); 337 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 338 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 339 goto out; 340 } else if (io_ret != AVB_IO_RESULT_OK) { 341 /* If we're looking for 'vbmeta' but there is no such partition, 342 * go try to get it from the boot partition instead. 343 */ 344 if (is_main_vbmeta && io_ret == AVB_IO_RESULT_ERROR_NO_SUCH_PARTITION && 345 is_vbmeta_partition) { 346 avb_debugv(full_partition_name, 347 ": No such partition. Trying 'boot' instead.\n", 348 NULL); 349 ret = load_and_verify_vbmeta(ops, 350 requested_partitions, 351 ab_suffix, 352 allow_verification_error, 353 0 /* toplevel_vbmeta_flags */, 354 0 /* rollback_index_location */, 355 "boot", 356 avb_strlen("boot"), 357 NULL /* expected_public_key */, 358 0 /* expected_public_key_length */, 359 slot_data, 360 out_algorithm_type); 361 goto out; 362 } else { 363 avb_errorv(full_partition_name, ": Error loading vbmeta data.\n", NULL); 364 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 365 goto out; 366 } 367 } 368 avb_assert(vbmeta_num_read <= vbmeta_size); 369 370 /* Check if the image is properly signed and get the public key used 371 * to sign the image. 372 */ 373 vbmeta_ret = 374 avb_vbmeta_image_verify(vbmeta_buf, vbmeta_num_read, &pk_data, &pk_len); 375 switch (vbmeta_ret) { 376 case AVB_VBMETA_VERIFY_RESULT_OK: 377 avb_assert(pk_data != NULL && pk_len > 0); 378 break; 379 380 case AVB_VBMETA_VERIFY_RESULT_OK_NOT_SIGNED: 381 case AVB_VBMETA_VERIFY_RESULT_HASH_MISMATCH: 382 case AVB_VBMETA_VERIFY_RESULT_SIGNATURE_MISMATCH: 383 ret = AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION; 384 avb_errorv(full_partition_name, 385 ": Error verifying vbmeta image: ", 386 avb_vbmeta_verify_result_to_string(vbmeta_ret), 387 "\n", 388 NULL); 389 if (!allow_verification_error) { 390 goto out; 391 } 392 break; 393 394 case AVB_VBMETA_VERIFY_RESULT_INVALID_VBMETA_HEADER: 395 /* No way to continue this case. */ 396 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 397 avb_errorv(full_partition_name, 398 ": Error verifying vbmeta image: invalid vbmeta header\n", 399 NULL); 400 goto out; 401 402 case AVB_VBMETA_VERIFY_RESULT_UNSUPPORTED_VERSION: 403 /* No way to continue this case. */ 404 ret = AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION; 405 avb_errorv(full_partition_name, 406 ": Error verifying vbmeta image: unsupported AVB version\n", 407 NULL); 408 goto out; 409 } 410 411 /* Byteswap the header. */ 412 avb_vbmeta_image_header_to_host_byte_order((AvbVBMetaImageHeader*)vbmeta_buf, 413 &vbmeta_header); 414 415 /* If we're the toplevel, assign flags so they'll be passed down. */ 416 if (is_main_vbmeta) { 417 toplevel_vbmeta_flags = (AvbVBMetaImageFlags)vbmeta_header.flags; 418 } else { 419 if (vbmeta_header.flags != 0) { 420 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 421 avb_errorv(full_partition_name, 422 ": chained vbmeta image has non-zero flags\n", 423 NULL); 424 goto out; 425 } 426 } 427 428 /* Check if key used to make signature matches what is expected. */ 429 if (pk_data != NULL) { 430 if (expected_public_key != NULL) { 431 avb_assert(!is_main_vbmeta); 432 if (expected_public_key_length != pk_len || 433 avb_safe_memcmp(expected_public_key, pk_data, pk_len) != 0) { 434 avb_errorv(full_partition_name, 435 ": Public key used to sign data does not match key in chain " 436 "partition descriptor.\n", 437 NULL); 438 ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED; 439 if (!allow_verification_error) { 440 goto out; 441 } 442 } 443 } else { 444 bool key_is_trusted = false; 445 const uint8_t* pk_metadata = NULL; 446 size_t pk_metadata_len = 0; 447 448 if (vbmeta_header.public_key_metadata_size > 0) { 449 pk_metadata = vbmeta_buf + sizeof(AvbVBMetaImageHeader) + 450 vbmeta_header.authentication_data_block_size + 451 vbmeta_header.public_key_metadata_offset; 452 pk_metadata_len = vbmeta_header.public_key_metadata_size; 453 } 454 455 avb_assert(is_main_vbmeta); 456 io_ret = ops->validate_vbmeta_public_key( 457 ops, pk_data, pk_len, pk_metadata, pk_metadata_len, &key_is_trusted); 458 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 459 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 460 goto out; 461 } else if (io_ret != AVB_IO_RESULT_OK) { 462 avb_errorv(full_partition_name, 463 ": Error while checking public key used to sign data.\n", 464 NULL); 465 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 466 goto out; 467 } 468 if (!key_is_trusted) { 469 avb_errorv(full_partition_name, 470 ": Public key used to sign data rejected.\n", 471 NULL); 472 ret = AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED; 473 if (!allow_verification_error) { 474 goto out; 475 } 476 } 477 } 478 } 479 480 /* Check rollback index. */ 481 io_ret = ops->read_rollback_index( 482 ops, rollback_index_location, &stored_rollback_index); 483 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 484 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 485 goto out; 486 } else if (io_ret != AVB_IO_RESULT_OK) { 487 avb_errorv(full_partition_name, 488 ": Error getting rollback index for location.\n", 489 NULL); 490 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 491 goto out; 492 } 493 if (vbmeta_header.rollback_index < stored_rollback_index) { 494 avb_errorv( 495 full_partition_name, 496 ": Image rollback index is less than the stored rollback index.\n", 497 NULL); 498 ret = AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX; 499 if (!allow_verification_error) { 500 goto out; 501 } 502 } 503 504 /* Copy vbmeta to vbmeta_images before recursing. */ 505 if (is_main_vbmeta) { 506 avb_assert(slot_data->num_vbmeta_images == 0); 507 } else { 508 avb_assert(slot_data->num_vbmeta_images > 0); 509 } 510 if (slot_data->num_vbmeta_images == MAX_NUMBER_OF_VBMETA_IMAGES) { 511 avb_errorv(full_partition_name, ": Too many vbmeta images.\n", NULL); 512 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 513 goto out; 514 } 515 vbmeta_image_data = &slot_data->vbmeta_images[slot_data->num_vbmeta_images++]; 516 vbmeta_image_data->partition_name = avb_strdup(partition_name); 517 vbmeta_image_data->vbmeta_data = vbmeta_buf; 518 /* Note that |vbmeta_buf| is actually |vbmeta_num_read| bytes long 519 * and this includes data past the end of the image. Pass the 520 * actual size of the vbmeta image. Also, no need to use 521 * avb_safe_add() since the header has already been verified. 522 */ 523 vbmeta_image_data->vbmeta_size = 524 sizeof(AvbVBMetaImageHeader) + 525 vbmeta_header.authentication_data_block_size + 526 vbmeta_header.auxiliary_data_block_size; 527 vbmeta_image_data->verify_result = vbmeta_ret; 528 529 /* Now go through all descriptors and take the appropriate action: 530 * 531 * - hash descriptor: Load data from partition, calculate hash, and 532 * checks that it matches what's in the hash descriptor. 533 * 534 * - hashtree descriptor: Do nothing since verification happens 535 * on-the-fly from within the OS. 536 * 537 * - chained partition descriptor: Load the footer, load the vbmeta 538 * image, verify vbmeta image (includes rollback checks, hash 539 * checks, bail on chained partitions). 540 */ 541 descriptors = 542 avb_descriptor_get_all(vbmeta_buf, vbmeta_num_read, &num_descriptors); 543 for (n = 0; n < num_descriptors; n++) { 544 AvbDescriptor desc; 545 546 if (!avb_descriptor_validate_and_byteswap(descriptors[n], &desc)) { 547 avb_errorv(full_partition_name, ": Descriptor is invalid.\n", NULL); 548 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 549 goto out; 550 } 551 552 switch (desc.tag) { 553 case AVB_DESCRIPTOR_TAG_HASH: { 554 AvbSlotVerifyResult sub_ret; 555 sub_ret = load_and_verify_hash_partition(ops, 556 requested_partitions, 557 ab_suffix, 558 allow_verification_error, 559 descriptors[n], 560 slot_data); 561 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 562 ret = sub_ret; 563 if (!allow_verification_error || !result_should_continue(ret)) { 564 goto out; 565 } 566 } 567 } break; 568 569 case AVB_DESCRIPTOR_TAG_CHAIN_PARTITION: { 570 AvbSlotVerifyResult sub_ret; 571 AvbChainPartitionDescriptor chain_desc; 572 const uint8_t* chain_partition_name; 573 const uint8_t* chain_public_key; 574 575 /* Only allow CHAIN_PARTITION descriptors in the main vbmeta image. */ 576 if (!is_main_vbmeta) { 577 avb_errorv(full_partition_name, 578 ": Encountered chain descriptor not in main image.\n", 579 NULL); 580 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 581 goto out; 582 } 583 584 if (!avb_chain_partition_descriptor_validate_and_byteswap( 585 (AvbChainPartitionDescriptor*)descriptors[n], &chain_desc)) { 586 avb_errorv(full_partition_name, 587 ": Chain partition descriptor is invalid.\n", 588 NULL); 589 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 590 goto out; 591 } 592 593 if (chain_desc.rollback_index_location == 0) { 594 avb_errorv(full_partition_name, 595 ": Chain partition has invalid " 596 "rollback_index_location field.\n", 597 NULL); 598 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 599 goto out; 600 } 601 602 chain_partition_name = ((const uint8_t*)descriptors[n]) + 603 sizeof(AvbChainPartitionDescriptor); 604 chain_public_key = chain_partition_name + chain_desc.partition_name_len; 605 606 sub_ret = load_and_verify_vbmeta(ops, 607 requested_partitions, 608 ab_suffix, 609 allow_verification_error, 610 toplevel_vbmeta_flags, 611 chain_desc.rollback_index_location, 612 (const char*)chain_partition_name, 613 chain_desc.partition_name_len, 614 chain_public_key, 615 chain_desc.public_key_len, 616 slot_data, 617 NULL /* out_algorithm_type */); 618 if (sub_ret != AVB_SLOT_VERIFY_RESULT_OK) { 619 ret = sub_ret; 620 if (!result_should_continue(ret)) { 621 goto out; 622 } 623 } 624 } break; 625 626 case AVB_DESCRIPTOR_TAG_KERNEL_CMDLINE: { 627 const uint8_t* kernel_cmdline; 628 AvbKernelCmdlineDescriptor kernel_cmdline_desc; 629 bool apply_cmdline; 630 631 if (!avb_kernel_cmdline_descriptor_validate_and_byteswap( 632 (AvbKernelCmdlineDescriptor*)descriptors[n], 633 &kernel_cmdline_desc)) { 634 avb_errorv(full_partition_name, 635 ": Kernel cmdline descriptor is invalid.\n", 636 NULL); 637 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 638 goto out; 639 } 640 641 kernel_cmdline = ((const uint8_t*)descriptors[n]) + 642 sizeof(AvbKernelCmdlineDescriptor); 643 644 if (!avb_validate_utf8(kernel_cmdline, 645 kernel_cmdline_desc.kernel_cmdline_length)) { 646 avb_errorv(full_partition_name, 647 ": Kernel cmdline is not valid UTF-8.\n", 648 NULL); 649 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 650 goto out; 651 } 652 653 /* Compare the flags for top-level VBMeta struct with flags in 654 * the command-line descriptor so command-line snippets only 655 * intended for a certain mode (dm-verity enabled/disabled) 656 * are skipped if applicable. 657 */ 658 apply_cmdline = true; 659 if (toplevel_vbmeta_flags & AVB_VBMETA_IMAGE_FLAGS_HASHTREE_DISABLED) { 660 if (kernel_cmdline_desc.flags & 661 AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_NOT_DISABLED) { 662 apply_cmdline = false; 663 } 664 } else { 665 if (kernel_cmdline_desc.flags & 666 AVB_KERNEL_CMDLINE_FLAGS_USE_ONLY_IF_HASHTREE_DISABLED) { 667 apply_cmdline = false; 668 } 669 } 670 671 if (apply_cmdline) { 672 if (slot_data->cmdline == NULL) { 673 slot_data->cmdline = 674 avb_calloc(kernel_cmdline_desc.kernel_cmdline_length + 1); 675 if (slot_data->cmdline == NULL) { 676 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 677 goto out; 678 } 679 avb_memcpy(slot_data->cmdline, 680 kernel_cmdline, 681 kernel_cmdline_desc.kernel_cmdline_length); 682 } else { 683 /* new cmdline is: <existing_cmdline> + ' ' + <newcmdline> + '\0' */ 684 size_t orig_size = avb_strlen(slot_data->cmdline); 685 size_t new_size = 686 orig_size + 1 + kernel_cmdline_desc.kernel_cmdline_length + 1; 687 char* new_cmdline = avb_calloc(new_size); 688 if (new_cmdline == NULL) { 689 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 690 goto out; 691 } 692 avb_memcpy(new_cmdline, slot_data->cmdline, orig_size); 693 new_cmdline[orig_size] = ' '; 694 avb_memcpy(new_cmdline + orig_size + 1, 695 kernel_cmdline, 696 kernel_cmdline_desc.kernel_cmdline_length); 697 avb_free(slot_data->cmdline); 698 slot_data->cmdline = new_cmdline; 699 } 700 } 701 } break; 702 703 /* Explicit fall-through */ 704 case AVB_DESCRIPTOR_TAG_PROPERTY: 705 case AVB_DESCRIPTOR_TAG_HASHTREE: 706 /* Do nothing. */ 707 break; 708 } 709 } 710 711 if (rollback_index_location >= AVB_MAX_NUMBER_OF_ROLLBACK_INDEX_LOCATIONS) { 712 avb_errorv( 713 full_partition_name, ": Invalid rollback_index_location.\n", NULL); 714 ret = AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA; 715 goto out; 716 } 717 718 slot_data->rollback_indexes[rollback_index_location] = 719 vbmeta_header.rollback_index; 720 721 if (out_algorithm_type != NULL) { 722 *out_algorithm_type = (AvbAlgorithmType)vbmeta_header.algorithm_type; 723 } 724 725out: 726 /* If |vbmeta_image_data| isn't NULL it means that it adopted 727 * |vbmeta_buf| so in that case don't free it here. 728 */ 729 if (vbmeta_image_data == NULL) { 730 if (vbmeta_buf != NULL) { 731 avb_free(vbmeta_buf); 732 } 733 } 734 if (descriptors != NULL) { 735 avb_free(descriptors); 736 } 737 return ret; 738} 739 740#define NUM_GUIDS 3 741 742/* Substitutes all variables (e.g. $(ANDROID_SYSTEM_PARTUUID)) with 743 * values. Returns NULL on OOM, otherwise the cmdline with values 744 * replaced. 745 */ 746static char* sub_cmdline(AvbOps* ops, 747 const char* cmdline, 748 const char* ab_suffix, 749 bool using_boot_for_vbmeta) { 750 const char* part_name_str[NUM_GUIDS] = {"system", "boot", "vbmeta"}; 751 const char* replace_str[NUM_GUIDS] = {"$(ANDROID_SYSTEM_PARTUUID)", 752 "$(ANDROID_BOOT_PARTUUID)", 753 "$(ANDROID_VBMETA_PARTUUID)"}; 754 char* ret = NULL; 755 AvbIOResult io_ret; 756 757 /* Special-case for when the top-level vbmeta struct is in the boot 758 * partition. 759 */ 760 if (using_boot_for_vbmeta) { 761 part_name_str[2] = "boot"; 762 } 763 764 /* Replace unique partition GUIDs */ 765 for (size_t n = 0; n < NUM_GUIDS; n++) { 766 char part_name[PART_NAME_MAX_SIZE]; 767 char guid_buf[37]; 768 769 if (!avb_str_concat(part_name, 770 sizeof part_name, 771 part_name_str[n], 772 avb_strlen(part_name_str[n]), 773 ab_suffix, 774 avb_strlen(ab_suffix))) { 775 avb_error("Partition name and suffix does not fit.\n"); 776 goto fail; 777 } 778 779 io_ret = ops->get_unique_guid_for_partition( 780 ops, part_name, guid_buf, sizeof guid_buf); 781 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 782 return NULL; 783 } else if (io_ret != AVB_IO_RESULT_OK) { 784 avb_error("Error getting unique GUID for partition.\n"); 785 goto fail; 786 } 787 788 if (ret == NULL) { 789 ret = avb_replace(cmdline, replace_str[n], guid_buf); 790 } else { 791 char* new_ret = avb_replace(ret, replace_str[n], guid_buf); 792 avb_free(ret); 793 ret = new_ret; 794 } 795 if (ret == NULL) { 796 goto fail; 797 } 798 } 799 800 return ret; 801 802fail: 803 if (ret != NULL) { 804 avb_free(ret); 805 } 806 return NULL; 807} 808 809static int cmdline_append_option(AvbSlotVerifyData* slot_data, 810 const char* key, 811 const char* value) { 812 size_t offset, key_len, value_len; 813 char* new_cmdline; 814 815 key_len = avb_strlen(key); 816 value_len = avb_strlen(value); 817 818 offset = 0; 819 if (slot_data->cmdline != NULL) { 820 offset = avb_strlen(slot_data->cmdline); 821 if (offset > 0) { 822 offset += 1; 823 } 824 } 825 826 new_cmdline = avb_calloc(offset + key_len + value_len + 2); 827 if (new_cmdline == NULL) { 828 return 0; 829 } 830 if (offset > 0) { 831 avb_memcpy(new_cmdline, slot_data->cmdline, offset - 1); 832 new_cmdline[offset - 1] = ' '; 833 } 834 avb_memcpy(new_cmdline + offset, key, key_len); 835 new_cmdline[offset + key_len] = '='; 836 avb_memcpy(new_cmdline + offset + key_len + 1, value, value_len); 837 if (slot_data->cmdline != NULL) { 838 avb_free(slot_data->cmdline); 839 } 840 slot_data->cmdline = new_cmdline; 841 842 return 1; 843} 844 845#define AVB_MAX_DIGITS_UINT64 32 846 847/* Writes |value| to |digits| in base 10 followed by a NUL byte. 848 * Returns number of characters written excluding the NUL byte. 849 */ 850static size_t uint64_to_base10(uint64_t value, 851 char digits[AVB_MAX_DIGITS_UINT64]) { 852 char rev_digits[AVB_MAX_DIGITS_UINT64]; 853 size_t n, num_digits; 854 855 for (num_digits = 0; num_digits < AVB_MAX_DIGITS_UINT64 - 1;) { 856 rev_digits[num_digits++] = (value % 10) + '0'; 857 value /= 10; 858 if (value == 0) { 859 break; 860 } 861 } 862 863 for (n = 0; n < num_digits; n++) { 864 digits[n] = rev_digits[num_digits - 1 - n]; 865 } 866 digits[n] = '\0'; 867 return n; 868} 869 870static int cmdline_append_version(AvbSlotVerifyData* slot_data, 871 const char* key, 872 uint64_t major_version, 873 uint64_t minor_version) { 874 char major_digits[AVB_MAX_DIGITS_UINT64]; 875 char minor_digits[AVB_MAX_DIGITS_UINT64]; 876 char combined[AVB_MAX_DIGITS_UINT64 * 2 + 1]; 877 size_t num_major_digits, num_minor_digits; 878 879 num_major_digits = uint64_to_base10(major_version, major_digits); 880 num_minor_digits = uint64_to_base10(minor_version, minor_digits); 881 avb_memcpy(combined, major_digits, num_major_digits); 882 combined[num_major_digits] = '.'; 883 avb_memcpy(combined + num_major_digits + 1, minor_digits, num_minor_digits); 884 combined[num_major_digits + 1 + num_minor_digits] = '\0'; 885 886 return cmdline_append_option(slot_data, key, combined); 887} 888 889static int cmdline_append_uint64_base10(AvbSlotVerifyData* slot_data, 890 const char* key, 891 uint64_t value) { 892 char digits[AVB_MAX_DIGITS_UINT64]; 893 uint64_to_base10(value, digits); 894 return cmdline_append_option(slot_data, key, digits); 895} 896 897static int cmdline_append_hex(AvbSlotVerifyData* slot_data, 898 const char* key, 899 const uint8_t* data, 900 size_t data_len) { 901 char hex_digits[17] = "0123456789abcdef"; 902 char* hex_data; 903 int ret; 904 size_t n; 905 906 hex_data = avb_malloc(data_len * 2 + 1); 907 if (hex_data == NULL) { 908 return 0; 909 } 910 911 for (n = 0; n < data_len; n++) { 912 hex_data[n * 2] = hex_digits[data[n] >> 4]; 913 hex_data[n * 2 + 1] = hex_digits[data[n] & 0x0f]; 914 } 915 hex_data[n * 2] = '\0'; 916 917 ret = cmdline_append_option(slot_data, key, hex_data); 918 avb_free(hex_data); 919 return ret; 920} 921 922AvbSlotVerifyResult avb_slot_verify(AvbOps* ops, 923 const char* const* requested_partitions, 924 const char* ab_suffix, 925 bool allow_verification_error, 926 AvbSlotVerifyData** out_data) { 927 AvbSlotVerifyResult ret; 928 AvbSlotVerifyData* slot_data = NULL; 929 AvbAlgorithmType algorithm_type = AVB_ALGORITHM_TYPE_NONE; 930 AvbIOResult io_ret; 931 bool using_boot_for_vbmeta = false; 932 933 if (out_data != NULL) { 934 *out_data = NULL; 935 } 936 937 slot_data = avb_calloc(sizeof(AvbSlotVerifyData)); 938 if (slot_data == NULL) { 939 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 940 goto fail; 941 } 942 slot_data->vbmeta_images = 943 avb_calloc(sizeof(AvbVBMetaData) * MAX_NUMBER_OF_VBMETA_IMAGES); 944 if (slot_data->vbmeta_images == NULL) { 945 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 946 goto fail; 947 } 948 slot_data->loaded_partitions = 949 avb_calloc(sizeof(AvbPartitionData) * MAX_NUMBER_OF_LOADED_PARTITIONS); 950 if (slot_data->loaded_partitions == NULL) { 951 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 952 goto fail; 953 } 954 955 ret = load_and_verify_vbmeta(ops, 956 requested_partitions, 957 ab_suffix, 958 allow_verification_error, 959 0 /* toplevel_vbmeta_flags */, 960 0 /* rollback_index_location */, 961 "vbmeta", 962 avb_strlen("vbmeta"), 963 NULL /* expected_public_key */, 964 0 /* expected_public_key_length */, 965 slot_data, 966 &algorithm_type); 967 if (!allow_verification_error && ret != AVB_SLOT_VERIFY_RESULT_OK) { 968 goto fail; 969 } 970 971 if (avb_strcmp(slot_data->vbmeta_images[0].partition_name, "vbmeta") != 0) { 972 avb_assert(avb_strcmp(slot_data->vbmeta_images[0].partition_name, "boot") == 973 0); 974 using_boot_for_vbmeta = true; 975 } 976 977 /* If things check out, mangle the kernel command-line as needed. */ 978 if (result_should_continue(ret)) { 979 /* Fill in |ab_suffix| field. */ 980 slot_data->ab_suffix = avb_strdup(ab_suffix); 981 if (slot_data->ab_suffix == NULL) { 982 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 983 goto fail; 984 } 985 986 /* Add androidboot.vbmeta.device option. */ 987 if (!cmdline_append_option(slot_data, 988 "androidboot.vbmeta.device", 989 "PARTUUID=$(ANDROID_VBMETA_PARTUUID)")) { 990 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 991 goto fail; 992 } 993 994 /* Add androidboot.vbmeta.avb_version option. */ 995 if (!cmdline_append_version(slot_data, 996 "androidboot.vbmeta.avb_version", 997 AVB_VERSION_MAJOR, 998 AVB_VERSION_MINOR)) { 999 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1000 goto fail; 1001 } 1002 1003 /* Substitute $(ANDROID_SYSTEM_PARTUUID) and friends. */ 1004 if (slot_data->cmdline != NULL) { 1005 char* new_cmdline; 1006 new_cmdline = sub_cmdline( 1007 ops, slot_data->cmdline, ab_suffix, using_boot_for_vbmeta); 1008 if (new_cmdline == NULL) { 1009 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1010 goto fail; 1011 } 1012 avb_free(slot_data->cmdline); 1013 slot_data->cmdline = new_cmdline; 1014 } 1015 1016 /* Set androidboot.avb.device_state to "locked" or "unlocked". */ 1017 bool is_device_unlocked; 1018 io_ret = ops->read_is_device_unlocked(ops, &is_device_unlocked); 1019 if (io_ret == AVB_IO_RESULT_ERROR_OOM) { 1020 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1021 goto fail; 1022 } else if (io_ret != AVB_IO_RESULT_OK) { 1023 avb_error("Error getting device state.\n"); 1024 ret = AVB_SLOT_VERIFY_RESULT_ERROR_IO; 1025 goto fail; 1026 } 1027 if (!cmdline_append_option(slot_data, 1028 "androidboot.vbmeta.device_state", 1029 is_device_unlocked ? "unlocked" : "locked")) { 1030 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1031 goto fail; 1032 } 1033 1034 /* Set androidboot.vbmeta.{hash_alg, size, digest} - use same hash 1035 * function as is used to sign vbmeta. 1036 */ 1037 switch (algorithm_type) { 1038 /* Explicit fallthrough. */ 1039 case AVB_ALGORITHM_TYPE_NONE: 1040 case AVB_ALGORITHM_TYPE_SHA256_RSA2048: 1041 case AVB_ALGORITHM_TYPE_SHA256_RSA4096: 1042 case AVB_ALGORITHM_TYPE_SHA256_RSA8192: { 1043 AvbSHA256Ctx ctx; 1044 size_t n, total_size = 0; 1045 avb_sha256_init(&ctx); 1046 for (n = 0; n < slot_data->num_vbmeta_images; n++) { 1047 avb_sha256_update(&ctx, 1048 slot_data->vbmeta_images[n].vbmeta_data, 1049 slot_data->vbmeta_images[n].vbmeta_size); 1050 total_size += slot_data->vbmeta_images[n].vbmeta_size; 1051 } 1052 if (!cmdline_append_option( 1053 slot_data, "androidboot.vbmeta.hash_alg", "sha256") || 1054 !cmdline_append_uint64_base10( 1055 slot_data, "androidboot.vbmeta.size", total_size) || 1056 !cmdline_append_hex(slot_data, 1057 "androidboot.vbmeta.digest", 1058 avb_sha256_final(&ctx), 1059 AVB_SHA256_DIGEST_SIZE)) { 1060 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1061 goto fail; 1062 } 1063 } break; 1064 /* Explicit fallthrough. */ 1065 case AVB_ALGORITHM_TYPE_SHA512_RSA2048: 1066 case AVB_ALGORITHM_TYPE_SHA512_RSA4096: 1067 case AVB_ALGORITHM_TYPE_SHA512_RSA8192: { 1068 AvbSHA512Ctx ctx; 1069 size_t n, total_size = 0; 1070 avb_sha512_init(&ctx); 1071 for (n = 0; n < slot_data->num_vbmeta_images; n++) { 1072 avb_sha512_update(&ctx, 1073 slot_data->vbmeta_images[n].vbmeta_data, 1074 slot_data->vbmeta_images[n].vbmeta_size); 1075 total_size += slot_data->vbmeta_images[n].vbmeta_size; 1076 } 1077 if (!cmdline_append_option( 1078 slot_data, "androidboot.vbmeta.hash_alg", "sha512") || 1079 !cmdline_append_uint64_base10( 1080 slot_data, "androidboot.vbmeta.size", total_size) || 1081 !cmdline_append_hex(slot_data, 1082 "androidboot.vbmeta.digest", 1083 avb_sha512_final(&ctx), 1084 AVB_SHA512_DIGEST_SIZE)) { 1085 ret = AVB_SLOT_VERIFY_RESULT_ERROR_OOM; 1086 goto fail; 1087 } 1088 } break; 1089 case _AVB_ALGORITHM_NUM_TYPES: 1090 avb_assert_not_reached(); 1091 break; 1092 } 1093 1094 if (out_data != NULL) { 1095 *out_data = slot_data; 1096 } else { 1097 avb_slot_verify_data_free(slot_data); 1098 } 1099 } 1100 1101 if (!allow_verification_error) { 1102 avb_assert(ret == AVB_SLOT_VERIFY_RESULT_OK); 1103 } 1104 1105 return ret; 1106 1107fail: 1108 if (slot_data != NULL) { 1109 avb_slot_verify_data_free(slot_data); 1110 } 1111 return ret; 1112} 1113 1114void avb_slot_verify_data_free(AvbSlotVerifyData* data) { 1115 if (data->ab_suffix != NULL) { 1116 avb_free(data->ab_suffix); 1117 } 1118 if (data->cmdline != NULL) { 1119 avb_free(data->cmdline); 1120 } 1121 if (data->vbmeta_images != NULL) { 1122 size_t n; 1123 for (n = 0; n < data->num_vbmeta_images; n++) { 1124 AvbVBMetaData* vbmeta_image = &data->vbmeta_images[n]; 1125 if (vbmeta_image->partition_name != NULL) { 1126 avb_free(vbmeta_image->partition_name); 1127 } 1128 if (vbmeta_image->vbmeta_data != NULL) { 1129 avb_free(vbmeta_image->vbmeta_data); 1130 } 1131 } 1132 avb_free(data->vbmeta_images); 1133 } 1134 if (data->loaded_partitions != NULL) { 1135 size_t n; 1136 for (n = 0; n < data->num_loaded_partitions; n++) { 1137 AvbPartitionData* loaded_partition = &data->loaded_partitions[n]; 1138 if (loaded_partition->partition_name != NULL) { 1139 avb_free(loaded_partition->partition_name); 1140 } 1141 if (loaded_partition->data != NULL) { 1142 avb_free(loaded_partition->data); 1143 } 1144 } 1145 avb_free(data->loaded_partitions); 1146 } 1147 avb_free(data); 1148} 1149 1150const char* avb_slot_verify_result_to_string(AvbSlotVerifyResult result) { 1151 const char* ret = NULL; 1152 1153 switch (result) { 1154 case AVB_SLOT_VERIFY_RESULT_OK: 1155 ret = "OK"; 1156 break; 1157 case AVB_SLOT_VERIFY_RESULT_ERROR_OOM: 1158 ret = "ERROR_OOM"; 1159 break; 1160 case AVB_SLOT_VERIFY_RESULT_ERROR_IO: 1161 ret = "ERROR_IO"; 1162 break; 1163 case AVB_SLOT_VERIFY_RESULT_ERROR_VERIFICATION: 1164 ret = "ERROR_VERIFICATION"; 1165 break; 1166 case AVB_SLOT_VERIFY_RESULT_ERROR_ROLLBACK_INDEX: 1167 ret = "ERROR_ROLLBACK_INDEX"; 1168 break; 1169 case AVB_SLOT_VERIFY_RESULT_ERROR_PUBLIC_KEY_REJECTED: 1170 ret = "ERROR_PUBLIC_KEY_REJECTED"; 1171 break; 1172 case AVB_SLOT_VERIFY_RESULT_ERROR_INVALID_METADATA: 1173 ret = "ERROR_INVALID_METADATA"; 1174 break; 1175 case AVB_SLOT_VERIFY_RESULT_ERROR_UNSUPPORTED_VERSION: 1176 ret = "ERROR_UNSUPPORTED_VERSION"; 1177 break; 1178 /* Do not add a 'default:' case here because of -Wswitch. */ 1179 } 1180 1181 if (ret == NULL) { 1182 avb_error("Unknown AvbSlotVerifyResult value.\n"); 1183 ret = "(unknown)"; 1184 } 1185 1186 return ret; 1187} 1188