9 files changed, 197 insertions, 3 deletions
diff --git a/trusty/confirmationui/fuzz/msg_fuzzer.cpp b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
index 8e4443c78..ee55f828d 100644
--- a/trusty/confirmationui/fuzz/msg_fuzzer.cpp
+++ b/trusty/confirmationui/fuzz/msg_fuzzer.cpp
@@ -37,7 +37,7 @@ using android::trusty::fuzz::TrustyApp;
 #define CONFIRMATIONUI_MODULE_NAME "confirmationui.syms.elf"
 /* A request to render to screen may take a while. */
-const size_t kTimeoutSeconds = 30;
+const size_t kTimeoutSeconds = 60;
 /* ConfirmationUI TA's UUID is 7dee2364-c036-425b-b086-df0f6c233c1b */
 static struct uuid confirmationui_uuid = {
diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp
index 58dfa9400..aa610e78f 100644
--- a/trusty/keymaster/Android.bp
+++ b/trusty/keymaster/Android.bp
@@ -100,6 +100,7 @@ cc_binary {
 "ipc/trusty_keymaster_ipc.cpp",
 "keymint/TrustyKeyMintDevice.cpp",
 "keymint/TrustyKeyMintOperation.cpp",
+ "keymint/TrustyRemotelyProvisionedComponentDevice.cpp",
 "keymint/TrustySecureClock.cpp",
 "keymint/TrustySharedSecret.cpp",
 "keymint/service.cpp",
@@ -118,7 +119,6 @@ cc_binary {
 "libtrusty",
 ],
 required: [
- "RemoteProvisioner",
 "android.hardware.hardware_keystore.xml",
 ],
 }
diff --git a/trusty/keymaster/TrustyKeymaster.cpp b/trusty/keymaster/TrustyKeymaster.cpp
index ef5fc3fc2..aee33331a 100644
--- a/trusty/keymaster/TrustyKeymaster.cpp
+++ b/trusty/keymaster/TrustyKeymaster.cpp
@@ -158,6 +158,16 @@ void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request,
 }
 }
+void TrustyKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request,
+ GenerateRkpKeyResponse* response) {
+ ForwardCommand(KM_GENERATE_RKP_KEY, request, response);
+}
+
+void TrustyKeymaster::GenerateCsr(const GenerateCsrRequest& request,
+ GenerateCsrResponse* response) {
+ ForwardCommand(KM_GENERATE_CSR, request, response);
+}
+
 void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response) {
 ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
index 45ebf7fda..35eda459c 100644
--- a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
@@ -42,6 +42,8 @@ class TrustyKeymaster {
 void AddRngEntropy(const AddEntropyRequest& request, AddEntropyResponse* response);
 void Configure(const ConfigureRequest& request, ConfigureResponse* response);
 void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response);
+ void GenerateRkpKey(const GenerateRkpKeyRequest& request, GenerateRkpKeyResponse* response);
+ void GenerateCsr(const GenerateCsrRequest& request, GenerateCsrResponse* response);
 void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response);
 void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
new file mode 100644
index 000000000..d544b51d5
--- /dev/null
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <aidl/android/hardware/security/keymint/BnRemotelyProvisionedComponent.h>
+#include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
+#include <aidl/android/hardware/security/keymint/SecurityLevel.h>
+
+#include <trusty_keymaster/TrustyKeymaster.h>
+
+namespace aidl::android::hardware::security::keymint::trusty {
+
+using ::keymaster::TrustyKeymaster;
+using ::ndk::ScopedAStatus;
+using ::std::shared_ptr;
+
+class TrustyRemotelyProvisionedComponentDevice : public BnRemotelyProvisionedComponent {
+ public:
+ explicit TrustyRemotelyProvisionedComponentDevice(shared_ptr<TrustyKeymaster> impl)
+ : impl_(std::move(impl)) {}
+ virtual ~TrustyRemotelyProvisionedComponentDevice() = default;
+
+ ScopedAStatus getHardwareInfo(RpcHardwareInfo* info) override;
+
+ ScopedAStatus generateEcdsaP256KeyPair(bool testMode, MacedPublicKey* macedPublicKey,
+ std::vector<uint8_t>* privateKeyHandle) override;
+
+ ScopedAStatus generateCertificateRequest(bool testMode,
+ const std::vector<MacedPublicKey>& keysToSign,
+ const std::vector<uint8_t>& endpointEncCertChain,
+ const std::vector<uint8_t>& challenge,
+ DeviceInfo* deviceInfo, ProtectedData* protectedData,
+ std::vector<uint8_t>* keysToSignMac) override;
+
+ private:
+ std::shared_ptr<::keymaster::TrustyKeymaster> impl_;
+};
+
+} // namespace 
aidl::android::hardware::security::keymint::trusty
diff --git a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
index a1229a391..6f4713b96 100644
--- a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
+++ b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
@@ -56,6 +56,8 @@ enum keymaster_command : uint32_t {
 KM_GET_VERSION_2 = (28 << KEYMASTER_REQ_SHIFT),
 KM_EARLY_BOOT_ENDED = (29 << KEYMASTER_REQ_SHIFT),
 KM_DEVICE_LOCKED = (30 << KEYMASTER_REQ_SHIFT),
+ KM_GENERATE_RKP_KEY = (31 << KEYMASTER_REQ_SHIFT),
+ KM_GENERATE_CSR = (32 << KEYMASTER_REQ_SHIFT),
 // Bootloader/provisioning calls.
 KM_SET_BOOT_PARAMS = (0x1000 << KEYMASTER_REQ_SHIFT),
diff --git a/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
new file mode 100644
index 000000000..5664829d8
--- /dev/null
+++ b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
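Review bot: The new class has no header comment saying what it is or which direction it forwards, and the header drops `using ::std::shared_ptr;` and `using ::ndk::ScopedAStatus;` into a namespace that every includer of this file shares. A one-line doc above the class would cover the contract that is visible in the accompanying .cpp: `// Binder-side IRemotelyProvisionedComponent: forwards RKP key generation and CSR requests to the Trusty keymaster TA through the shared TrustyKeymaster client.` The member is spelled `std::shared_ptr<::keymaster::TrustyKeymaster>` while the constructor spells the same type via the using-declarations; pick one form, and since nothing is meant to derive from this class it could be marked `final` instead of carrying a `virtual` destructor.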
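Review bot: `KM_GENERATE_RKP_KEY = (31 << KEYMASTER_REQ_SHIFT)` and `KM_GENERATE_CSR = (32 << KEYMASTER_REQ_SHIFT)` are wire command numbers that presumably must match the dispatch table inside the Trusty keymaster TA, but nothing in the enum says so. A short comment on the enum, or on these two entries, would stop a future cleanup from renumbering them: `// Command IDs are part of the IPC ABI shared with the TA: append new commands, never renumber or reuse.` The TA-side handlers for these two commands are not in this change, so the kernel/TA side should be confirmed to use the same values before this ships.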
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
+
+#include <assert.h>
+#include <variant>
+
+#include <KeyMintUtils.h>
+#include <keymaster/keymaster_configuration.h>
+
+#include <trusty_keymaster/TrustyKeyMintDevice.h>
+
+namespace aidl::android::hardware::security::keymint::trusty {
+
+using keymaster::GenerateCsrRequest;
+using keymaster::GenerateCsrResponse;
+using keymaster::GenerateRkpKeyRequest;
+using keymaster::GenerateRkpKeyResponse;
+using keymaster::KeymasterBlob;
+using ::std::string;
+using ::std::unique_ptr;
+using ::std::vector;
+using bytevec = ::std::vector<uint8_t>;
+
+namespace {
+
+constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
+
+struct AStatusDeleter {
+ void operator()(AStatus* p) { AStatus_delete(p); }
+};
+
+class Status {
+ public:
+ Status() : status_(AStatus_newOk()) {}
+ Status(int32_t errCode, const std::string& errMsg)
+ : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
+ explicit Status(const std::string& errMsg)
+ : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
+ explicit Status(AStatus* status) : status_(status ? 
status : AStatus_newOk()) {}
+
+ Status(Status&&) = default;
+ Status(const Status&) = delete;
+
+ operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
+ return ndk::ScopedAStatus(status_.release());
+ }
+
+ bool isOk() const { return AStatus_isOk(status_.get()); }
+
+ const char* getMessage() const { return AStatus_getMessage(status_.get()); }
+
+ private:
+ std::unique_ptr<AStatus, AStatusDeleter> status_;
+};
+
+} // namespace
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
+ info->versionNumber = 1;
+ info->rpcAuthorName = "Google";
+ info->supportedEekCurve = RpcHardwareInfo::CURVE_25519;
+ return ScopedAStatus::ok();
+}
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
+ bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
+ GenerateRkpKeyRequest request(impl_->message_version());
+ request.test_mode = testMode;
+ GenerateRkpKeyResponse response(impl_->message_version());
+ impl_->GenerateRkpKey(request, &response);
+ if (response.error != KM_ERROR_OK) {
+ return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
+ }
+
+ macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
+ *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
+ return ScopedAStatus::ok();
+}
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest(
+ bool testMode, const vector<MacedPublicKey>& keysToSign,
+ const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
+ ProtectedData* protectedData, bytevec* keysToSignMac) {
+ GenerateCsrRequest request(impl_->message_version());
+ request.test_mode = testMode;
+ request.num_keys = keysToSign.size();
+ request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
+ for (size_t i = 0; i < keysToSign.size(); i++) {
+ request.SetKeyToSign(i, keysToSign[i].macedKey.data(), 
keysToSign[i].macedKey.size());
+ }
+ request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
+ request.SetChallenge(challenge.data(), challenge.size());
+ GenerateCsrResponse response(impl_->message_version());
+ impl_->GenerateCsr(request, &response);
+
+ if (response.error != KM_ERROR_OK) {
+ return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
+ }
+ deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
+ protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
+ *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
+ return ScopedAStatus::ok();
+}
+
+} // namespace aidl::android::hardware::security::keymint::trusty
diff --git a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
index 0ab3d64cf..7ca50507d 100644
--- a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
+++ b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
@@ -11,4 +11,8 @@
 <name>android.hardware.security.sharedsecret</name>
 <fqname>ISharedSecret/default</fqname>
 </hal>
+ <hal format="aidl">
+ <name>android.hardware.security.keymint</name>
+ <fqname>IRemotelyProvisionedComponent/default</fqname>
+ </hal>
 </manifest>
diff --git a/trusty/keymaster/keymint/service.cpp b/trusty/keymaster/keymint/service.cpp
index 8f5f0f815..4060278d4 100644
--- a/trusty/keymaster/keymint/service.cpp
+++ b/trusty/keymaster/keymint/service.cpp
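Review bot: In generateCertificateRequest, `request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];` hands a raw `new[]` array to a request object whose destructor is not visible here; unless GenerateCsrRequest is known to `delete[]` that member, every CSR call leaks the array and the MACed public keys copied into it, so either confirm that ownership in a comment (`// GenerateCsrRequest takes ownership of keys_to_sign_array and frees it on destruction.`) or switch to a request-owned container. The error paths in both generateEcdsaP256KeyPair and generateCertificateRequest return `Status(-static_cast<int32_t>(response.error), ...)`, which surfaces a negated keymaster error through an interface whose own service-specific codes are `IRemotelyProvisionedComponent::STATUS_FAILED` and, presumably, its siblings; a caller switching on those constants will not recognise a negated keymaster value, so mapping known TA failures to the AIDL STATUS_* codes (falling back to STATUS_FAILED) would keep the binder contract honest. getHardwareInfo hard-codes `versionNumber = 1` and `CURVE_25519` without consulting the TA, so a short comment stating that these must track what the Trusty TA actually implements would help the next person who updates one side only. The `<assert.h>`, `<variant>` and `TrustyKeyMintDevice.h` includes are not used by anything in this file and can go.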
@@ -20,10 +20,12 @@
 #include <android/binder_process.h>
 #include <trusty_keymaster/TrustyKeyMintDevice.h>
+#include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
 #include <trusty_keymaster/TrustySecureClock.h>
 #include <trusty_keymaster/TrustySharedSecret.h>
 using aidl::android::hardware::security::keymint::trusty::TrustyKeyMintDevice;
+using aidl::android::hardware::security::keymint::trusty::TrustyRemotelyProvisionedComponentDevice;
 using aidl::android::hardware::security::secureclock::trusty::TrustySecureClock;
 using aidl::android::hardware::security::sharedsecret::trusty::TrustySharedSecret;
@@ -52,7 +54,8 @@ int main() {
 auto keyMint = addService<TrustyKeyMintDevice>(trustyKeymaster);
 auto secureClock = addService<TrustySecureClock>(trustyKeymaster);
 auto sharedSecret = addService<TrustySharedSecret>(trustyKeymaster);
-
+ auto remotelyProvisionedComponent =
+ addService<TrustyRemotelyProvisionedComponentDevice>(trustyKeymaster);
 ABinderProcess_joinThreadPool();
 return EXIT_FAILURE; // should not reach
 }
|