diff options
author | Dinesh K Garg <dineshg@codeaurora.org> | 2015-09-02 13:45:15 -0700 |
---|---|---|
committer | Zhao Wei Liew <zhaoweiliew@gmail.com> | 2017-02-12 20:45:26 +0800 |
commit | 55fd88fafa074b54a1c455f3692a0853662d87b2 (patch) | |
tree | e6b1259e4652435f5f1594e70ace51eda65cc726 | |
parent | 7223712c2a10e8b55e61231bca34ea00b6732eaf (diff) | |
download | android_vendor_qcom_opensource_cryptfs_hw-55fd88fafa074b54a1c455f3692a0853662d87b2.tar.gz android_vendor_qcom_opensource_cryptfs_hw-55fd88fafa074b54a1c455f3692a0853662d87b2.tar.bz2 android_vendor_qcom_opensource_cryptfs_hw-55fd88fafa074b54a1c455f3692a0853662d87b2.zip |
cryptfs_hw: Tie HW FDE keys with keymaster
HW FDE keys would be tied to keymaster so that if someone changes
Root of Trust (ROT), encrypted data can't be used. Cryptfs_hw module
is exposing a new API so that caller can determine whether to create
dependency between HW FDE keys and keymaster.
Change-Id: I85c85ffd9086f6c060032e4ae701b10363d88529
-rw-r--r-- | Android.mk | 5 | ||||
-rwxr-xr-x | cryptfs_hw.c | 37 | ||||
-rwxr-xr-x | cryptfs_hw.h | 1 |
3 files changed, 42 insertions, 1 deletions
@@ -8,7 +8,10 @@ sourceFiles := \ commonSharedLibraries := \ libcutils \ libutils \ - libdl + libdl \ + libhardware +commonIncludes := \ + hardware/libhardware/include/hardware/ LOCAL_C_INCLUDES := $(commonIncludes) LOCAL_SRC_FILES := $(sourceFiles) diff --git a/cryptfs_hw.c b/cryptfs_hw.c index 109d406..b2efa4a 100755 --- a/cryptfs_hw.c +++ b/cryptfs_hw.c @@ -38,6 +38,8 @@ #include "cutils/log.h" #include "cutils/properties.h" #include "cutils/android_reboot.h" +#include "keymaster_common.h" +#include "hardware.h" #if defined(__LP64__) #define QSEECOM_LIBRARY_PATH "/vendor/lib64/libQSEEComAPI.so" @@ -63,6 +65,8 @@ #define SET_HW_DISK_ENC_KEY 1 #define UPDATE_HW_DISK_ENC_KEY 2 +#define KEYMASTER_PARTITION_NAME "/dev/block/bootdevice/by-name/keymaster" + static int loaded_library = 0; static int (*qseecom_create_key)(int, void*); static int (*qseecom_update_key)(int, void*, void*); @@ -228,3 +232,36 @@ int clear_hw_device_encryption_key() return 0; } + +static int get_keymaster_version() +{ + int rc = -1; + const hw_module_t* mod; + rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); + if (rc) { + SLOGE("could not find any keystore module"); + return rc; + } + + return mod->module_api_version; +} + +int should_use_keymaster() +{ + /* HW FDE key would be tied to keymaster only if: + * New Keymaster is available + * keymaster partition exists on the device + */ + int rc = 0; + if (get_keymaster_version() != KEYMASTER_MODULE_API_VERSION_1_0) { + SLOGI("Keymaster version is not 1.0"); + return rc; + } + + if (access(KEYMASTER_PARTITION_NAME, F_OK) == -1) { + SLOGI("Keymaster partition does not exists"); + return rc; + } + + return 1; +} diff --git a/cryptfs_hw.h b/cryptfs_hw.h index c840d02..e857c47 100755 --- a/cryptfs_hw.h +++ b/cryptfs_hw.h @@ -38,6 +38,7 @@ int update_hw_device_encryption_key(const char*, const char*, const char*); int clear_hw_device_encryption_key(); unsigned int is_hw_disk_encryption(const char*); int is_ice_enabled(void); +int should_use_keymaster(); #ifdef __cplusplus } |