diff options
Diffstat (limited to 'trusty/keymaster/keymint/TrustyKeyMintDevice.cpp')
-rw-r--r-- | trusty/keymaster/keymint/TrustyKeyMintDevice.cpp | 324 |
1 files changed, 0 insertions, 324 deletions
diff --git a/trusty/keymaster/keymint/TrustyKeyMintDevice.cpp b/trusty/keymaster/keymint/TrustyKeyMintDevice.cpp deleted file mode 100644 index 5f8524b01..000000000 --- a/trusty/keymaster/keymint/TrustyKeyMintDevice.cpp +++ /dev/null @@ -1,324 +0,0 @@ -/* - - * Copyright 2021, The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <trusty_keymaster/TrustyKeyMintDevice.h> - -#define TAG TrustyKeyMintDevice -#include <android-base/logging.h> - -#include <keymaster/android_keymaster_messages.h> -#include <keymaster/authorization_set.h> - -#include <KeyMintUtils.h> - -#include <trusty_keymaster/TrustyKeyMintOperation.h> - -namespace aidl::android::hardware::security::keymint::trusty { - -using keymaster::KeymasterBlob; -using keymaster::KeymasterKeyBlob; -using keymaster::TAG_APPLICATION_DATA; -using keymaster::TAG_APPLICATION_ID; -using keymaster::TAG_AUTH_TOKEN; -using km_utils::authToken2AidlVec; -using km_utils::kmBlob2vector; -using km_utils::kmError2ScopedAStatus; -using km_utils::kmParam2Aidl; -using km_utils::KmParamSet; -using km_utils::kmParamSet2Aidl; -using km_utils::legacy_enum_conversion; - -namespace { - -auto kSecurityLevel = SecurityLevel::TRUSTED_ENVIRONMENT; - -KeyCharacteristics convertAuthSet(SecurityLevel securityLevel, - const keymaster::AuthorizationSet& authorizations) { - KeyCharacteristics retval{securityLevel, {}}; - std::transform(authorizations.begin(), authorizations.end(), - std::back_inserter(retval.authorizations), kmParam2Aidl); - return retval; -} - -vector<KeyCharacteristics> convertKeyCharacteristics(const keymaster::AuthorizationSet& sw_enforced, - const keymaster::AuthorizationSet& hw_enforced, - bool includeKeystoreEnforced = true) { - KeyCharacteristics keyMintEnforced = convertAuthSet(kSecurityLevel, hw_enforced); - KeyCharacteristics keystoreEnforced = convertAuthSet(SecurityLevel::KEYSTORE, sw_enforced); - - vector<KeyCharacteristics> retval; - retval.reserve(2); - - if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced)); - if (includeKeystoreEnforced && !keystoreEnforced.authorizations.empty()) { - retval.push_back(std::move(keystoreEnforced)); - } - - return retval; -} - -Certificate convertCertificate(const keymaster_blob_t& cert) { - return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)}; -} - -vector<Certificate> convertCertificateChain(const keymaster::CertificateChain& chain) { - vector<Certificate> retval; - std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate); - return retval; -} - -void addClientAndAppData(const vector<uint8_t>& clientId, const vector<uint8_t>& appData, - ::keymaster::AuthorizationSet* params) { - params->Clear(); - if (clientId.size()) params->push_back(TAG_APPLICATION_ID, clientId.data(), clientId.size()); - if (appData.size()) params->push_back(TAG_APPLICATION_DATA, appData.data(), appData.size()); -} - -} // namespace - -ScopedAStatus TrustyKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) { - info->versionNumber = 1; - info->securityLevel = kSecurityLevel; - info->keyMintName = "TrustyKeyMintDevice"; - info->keyMintAuthorName = "Google"; - info->timestampTokenRequired = false; - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) { - if (data.size() == 0) return ScopedAStatus::ok(); - if (data.size() > 2048) { - LOG(DEBUG) << "Too-large entropy update of " << data.size() << " bytes."; - return kmError2ScopedAStatus(KM_ERROR_INVALID_INPUT_LENGTH); - } - - keymaster::AddEntropyRequest request(impl_->message_version()); - request.random_data.Reinitialize(data.data(), data.size()); - - keymaster::AddEntropyResponse response(impl_->message_version()); - impl_->AddRngEntropy(request, &response); - - return kmError2ScopedAStatus(response.error); -} - -ScopedAStatus TrustyKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams, - const optional<AttestationKey>& attestationKey, - KeyCreationResult* creationResult) { - keymaster::GenerateKeyRequest request(impl_->message_version()); - request.key_description.Reinitialize(KmParamSet(keyParams)); - if (attestationKey) { - request.attestation_signing_key_blob = - KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size()); - request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams)); - request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(), - attestationKey->issuerSubjectName.size()); - } - - keymaster::GenerateKeyResponse response(impl_->message_version()); - impl_->GenerateKey(request, &response); - - if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error); - - creationResult->keyBlob = kmBlob2vector(response.key_blob); - creationResult->keyCharacteristics = - convertKeyCharacteristics(response.unenforced, response.enforced); - creationResult->certificateChain = convertCertificateChain(response.certificate_chain); - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::getKeyCharacteristics( - const vector<uint8_t>& keyBlob, - const vector<uint8_t>& clientId, // - const vector<uint8_t>& appData, // - vector<KeyCharacteristics>* characteristics) { - keymaster::GetKeyCharacteristicsRequest request(impl_->message_version()); - request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); - addClientAndAppData(clientId, appData, &request.additional_params); - - keymaster::GetKeyCharacteristicsResponse response(impl_->message_version()); - impl_->GetKeyCharacteristics(request, &response); - - if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error); - - *characteristics = convertKeyCharacteristics(response.unenforced, response.enforced, - false /* includeKeystoreEnforced */); - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::importKey(const vector<KeyParameter>& keyParams, - KeyFormat keyFormat, const vector<uint8_t>& keyData, - const optional<AttestationKey>& attestationKey, - KeyCreationResult* creationResult) { - keymaster::ImportKeyRequest request(impl_->message_version()); - request.key_description.Reinitialize(KmParamSet(keyParams)); - request.key_format = legacy_enum_conversion(keyFormat); - request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size()); - if (attestationKey) { - request.attestation_signing_key_blob = - KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size()); - request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams)); - request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(), - attestationKey->issuerSubjectName.size()); - } - - keymaster::ImportKeyResponse response(impl_->message_version()); - impl_->ImportKey(request, &response); - - if (response.error != KM_ERROR_OK) { - return kmError2ScopedAStatus(response.error); - } - - creationResult->keyBlob = kmBlob2vector(response.key_blob); - creationResult->keyCharacteristics = - convertKeyCharacteristics(response.unenforced, response.enforced); - creationResult->certificateChain = convertCertificateChain(response.certificate_chain); - - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData, - const vector<uint8_t>& wrappingKeyBlob, // - const vector<uint8_t>& maskingKey, - const vector<KeyParameter>& unwrappingParams, - int64_t passwordSid, // - int64_t biometricSid, - KeyCreationResult* creationResult) { - keymaster::ImportWrappedKeyRequest request(impl_->message_version()); - request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size()); - request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size()); - request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size()); - request.additional_params.Reinitialize(KmParamSet(unwrappingParams)); - request.password_sid = static_cast<uint64_t>(passwordSid); - request.biometric_sid = static_cast<uint64_t>(biometricSid); - - keymaster::ImportWrappedKeyResponse response(impl_->message_version()); - impl_->ImportWrappedKey(request, &response); - - if (response.error != KM_ERROR_OK) { - return kmError2ScopedAStatus(response.error); - } - - creationResult->keyBlob = kmBlob2vector(response.key_blob); - creationResult->keyCharacteristics = - convertKeyCharacteristics(response.unenforced, response.enforced); - creationResult->certificateChain = convertCertificateChain(response.certificate_chain); - - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade, - const vector<KeyParameter>& upgradeParams, - vector<uint8_t>* keyBlob) { - keymaster::UpgradeKeyRequest request(impl_->message_version()); - request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size()); - request.upgrade_params.Reinitialize(KmParamSet(upgradeParams)); - - keymaster::UpgradeKeyResponse response(impl_->message_version()); - impl_->UpgradeKey(request, &response); - - if (response.error != KM_ERROR_OK) { - return kmError2ScopedAStatus(response.error); - } - - *keyBlob = kmBlob2vector(response.upgraded_key); - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) { - keymaster::DeleteKeyRequest request(impl_->message_version()); - request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); - - keymaster::DeleteKeyResponse response(impl_->message_version()); - impl_->DeleteKey(request, &response); - - return kmError2ScopedAStatus(response.error); -} - -ScopedAStatus TrustyKeyMintDevice::deleteAllKeys() { - // There's nothing to be done to delete software key blobs. - keymaster::DeleteAllKeysRequest request(impl_->message_version()); - keymaster::DeleteAllKeysResponse response(impl_->message_version()); - impl_->DeleteAllKeys(request, &response); - - return kmError2ScopedAStatus(response.error); -} - -ScopedAStatus TrustyKeyMintDevice::destroyAttestationIds() { - return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED); -} - -ScopedAStatus TrustyKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob, - const vector<KeyParameter>& params, - const optional<HardwareAuthToken>& authToken, - BeginResult* result) { - keymaster::BeginOperationRequest request(impl_->message_version()); - request.purpose = legacy_enum_conversion(purpose); - request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); - request.additional_params.Reinitialize(KmParamSet(params)); - - vector<uint8_t> vector_token = authToken2AidlVec(authToken); - request.additional_params.push_back( - TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size()); - - keymaster::BeginOperationResponse response(impl_->message_version()); - impl_->BeginOperation(request, &response); - - if (response.error != KM_ERROR_OK) { - return kmError2ScopedAStatus(response.error); - } - - result->params = kmParamSet2Aidl(response.output_params); - result->challenge = response.op_handle; - result->operation = ndk::SharedRefBase::make<TrustyKeyMintOperation>(impl_, response.op_handle); - return ScopedAStatus::ok(); -} - -ScopedAStatus TrustyKeyMintDevice::deviceLocked( - bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) { - keymaster::DeviceLockedRequest request(impl_->message_version()); - request.passwordOnly = passwordOnly; - if (timestampToken.has_value()) { - request.token.challenge = timestampToken->challenge; - request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()}; - request.token.timestamp = timestampToken->timestamp.milliSeconds; - } - keymaster::DeviceLockedResponse response = impl_->DeviceLocked(request); - return kmError2ScopedAStatus(response.error); -} - -ScopedAStatus TrustyKeyMintDevice::earlyBootEnded() { - keymaster::EarlyBootEndedResponse response = impl_->EarlyBootEnded(); - return kmError2ScopedAStatus(response.error); -} - -ScopedAStatus TrustyKeyMintDevice::convertStorageKeyToEphemeral( - const std::vector<uint8_t>& storageKeyBlob, std::vector<uint8_t>* ephemeralKeyBlob) { - keymaster::ExportKeyRequest request(impl_->message_version()); - request.SetKeyMaterial(storageKeyBlob.data(), storageKeyBlob.size()); - request.key_format = KM_KEY_FORMAT_RAW; - - keymaster::ExportKeyResponse response(impl_->message_version()); - impl_->ExportKey(request, &response); - - if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error); - if (response.key_data) { - *ephemeralKeyBlob = {response.key_data, response.key_data + response.key_data_length}; - } - return ScopedAStatus::ok(); -} - -} // namespace aidl::android::hardware::security::keymint::trusty |