authorDinesh K Garg <dineshg@codeaurora.org>2015-09-02 20:45:15 (GMT)
committerZhao Wei Liew <zhaoweiliew@gmail.com>2017-02-12 12:45:26 (GMT)
commit55fd88fafa074b54a1c455f3692a0853662d87b2 (patch)
treee6b1259e4652435f5f1594e70ace51eda65cc726
parent7223712c2a10e8b55e61231bca34ea00b6732eaf (diff)
cryptfs_hw: Tie HW FDE keys with keymaster
HW FDE keys would be tied to keymaster so that, if someone changes the Root of Trust (ROT), the encrypted data can't be used. The cryptfs_hw module exposes a new API so that the caller can determine whether to create a dependency between the HW FDE keys and keymaster. Change-Id: I85c85ffd9086f6c060032e4ae701b10363d88529
-rw-r--r--Android.mk5
-rwxr-xr-xcryptfs_hw.c37
-rwxr-xr-xcryptfs_hw.h1
3 files changed, 42 insertions, 1 deletions
diff --git a/Android.mk b/Android.mk
index 8e59637..1d71c2a 100644
--- a/Android.mk
+++ b/Android.mk
@@ -8,7 +8,10 @@ sourceFiles := \
commonSharedLibraries := \
libcutils \
libutils \
- libdl
+ libdl \
+ libhardware
+commonIncludes := \
+ hardware/libhardware/include/hardware/
LOCAL_C_INCLUDES := $(commonIncludes)
LOCAL_SRC_FILES := $(sourceFiles)
diff --git a/cryptfs_hw.c b/cryptfs_hw.c
index 109d406..b2efa4a 100755
--- a/cryptfs_hw.c
+++ b/cryptfs_hw.c
@@ -38,6 +38,8 @@
#include "cutils/log.h"
#include "cutils/properties.h"
#include "cutils/android_reboot.h"
+#include "keymaster_common.h"
+#include "hardware.h"
#if defined(__LP64__)
#define QSEECOM_LIBRARY_PATH "/vendor/lib64/libQSEEComAPI.so"
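Review bot: The two new includes name the libhardware headers without their directory (`"keymaster_common.h"`, `"hardware.h"`), which only resolves because the Android.mk hunk adds `hardware/libhardware/include/hardware/` itself to the include path. A bare `hardware.h` on the search path is easy to shadow with another header of the same name. The usual spelling is `#include <hardware/hardware.h>` and `#include <hardware/keymaster_common.h>`, with `commonIncludes` pointing at `hardware/libhardware/include` if the path is not already supplied by the build.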
@@ -63,6 +65,8 @@
#define SET_HW_DISK_ENC_KEY 1
#define UPDATE_HW_DISK_ENC_KEY 2
+#define KEYMASTER_PARTITION_NAME "/dev/block/bootdevice/by-name/keymaster"
+
static int loaded_library = 0;
static int (*qseecom_create_key)(int, void*);
static int (*qseecom_update_key)(int, void*, void*);
@@ -228,3 +232,36 @@ int clear_hw_device_encryption_key()
return 0;
}
+
+static int get_keymaster_version()
+{
+ int rc = -1;
+ const hw_module_t* mod;
+ rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
+ if (rc) {
+ SLOGE("could not find any keystore module");
+ return rc;
+ }
+
+ return mod->module_api_version;
+}
+
+int should_use_keymaster()
+{
+ /* HW FDE key would be tied to keymaster only if:
+ * New Keymaster is available
+ * keymaster partition exists on the device
+ */
+ int rc = 0;
+ if (get_keymaster_version() != KEYMASTER_MODULE_API_VERSION_1_0) {
+ SLOGI("Keymaster version is not 1.0");
+ return rc;
+ }
+
+ if (access(KEYMASTER_PARTITION_NAME, F_OK) == -1) {
+ SLOGI("Keymaster partition does not exists");
+ return rc;
+ }
+
+ return 1;
+}
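Review bot: In `should_use_keymaster()` every failure path returns 0, so a failed `hw_get_module_by_class()` lookup, a module reporting any version other than `KEYMASTER_MODULE_API_VERSION_1_0`, and an `access()` error unrelated to a missing node all look the same to the caller as "do not tie the key to keymaster". The commit message says this binding is what makes encrypted data unusable after a Root of Trust change, so the silent fallback deserves at least a contract comment on the function, for example `/* Returns 1 only when keymaster 1.0 and its partition are present; returns 0 on any error, so 0 means the binding is not applied. */`. The exact-match test also appears to exclude newer keymaster modules; if that is not intended, `if (get_keymaster_version() < KEYMASTER_MODULE_API_VERSION_1_0)` would still reject lookup errors, assuming they are reported as negative values. Both new functions are declared with empty parentheses; `(void)` would match `is_ice_enabled(void)` in the header and give the compiler a real prototype to check calls against.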
diff --git a/cryptfs_hw.h b/cryptfs_hw.h
index c840d02..e857c47 100755
--- a/cryptfs_hw.h
+++ b/cryptfs_hw.h
@@ -38,6 +38,7 @@ int update_hw_device_encryption_key(const char*, const char*, const char*);
int clear_hw_device_encryption_key();
unsigned int is_hw_disk_encryption(const char*);
int is_ice_enabled(void);
+int should_use_keymaster();
#ifdef __cplusplus
}