author | Shawn Willden <swillden@google.com> | 2015-06-25 06:26:05 -0700 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2015-06-26 08:37:01 -0700 |
commit | ada4850659d484dd5ece26dde73072bef16c1517 (patch) | |
tree | a1174a1b2d933a3466b70cb04dd9ecc7de80b06c /include | |
parent | bf9fa99611e64aa797c10d5458624ed93cc4f50b (diff) | |
Add authorization enforcement to AndroidKeymaster.
Note: Moving List.h into system/keymaster is unfortunate, but required
to allow Trusty to use it. b/22088154 tracks cleaning this up.
Bug: 19511945
Change-Id: Ia1dfe5fda5ea78935611b0a7656b323770edcbae
Diffstat (limited to 'include')
-rw-r--r-- | include/keymaster/keymaster_context.h | 6 | ||||
-rw-r--r-- | include/keymaster/keymaster_enforcement.h | 63 | ||||
-rw-r--r-- | include/keymaster/soft_keymaster_context.h | 5 | ||||
-rw-r--r-- | include/keymaster/soft_keymaster_device.h | 14 |
4 files changed, 34 insertions, 54 deletions
diff --git a/include/keymaster/keymaster_context.h b/include/keymaster/keymaster_context.h
index be4f8d7..338b408 100644
--- a/include/keymaster/keymaster_context.h
+++ b/include/keymaster/keymaster_context.h
@@ -20,6 +20,7 @@
 #include <assert.h>
 #include <hardware/keymaster_defs.h>
+#include <keymaster/keymaster_enforcement.h>
 namespace keymaster {
@@ -121,6 +122,11 @@ class KeymasterContext {
      */
     virtual keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const = 0;
+    /**
+     * Return the enforcement policy for this context, or null if no enforcement should be done.
+     */
+    virtual KeymasterEnforcement* enforcement_policy() = 0;
+
   private:
     // Uncopyable.
     KeymasterContext(const KeymasterContext&);
diff --git a/include/keymaster/keymaster_enforcement.h b/include/keymaster/keymaster_enforcement.h
index a0fccdf..69ef5e3 100644
--- a/include/keymaster/keymaster_enforcement.h
+++ b/include/keymaster/keymaster_enforcement.h
@@ -19,8 +19,6 @@
 #include <stdio.h>
-#include <utils/List.h>
-
 #include <keymaster/authorization_set.h>
 namespace keymaster {
@@ -35,17 +33,16 @@ class KeymasterEnforcementContext {
      */
 };
-class KeymasterEnforcement {
+class AccessTimeMap;
+class AccessCountMap;
+class KeymasterEnforcement {
   public:
     /**
-     * Construct a KeymasterEnforcement. Takes ownership of the context.
+     * Construct a KeymasterEnforcement.
      */
-    explicit KeymasterEnforcement(uint32_t max_access_time_map_size,
-                                  uint32_t max_access_count_map_size)
-        : access_time_map_(max_access_time_map_size), access_count_map_(max_access_count_map_size) {
-    }
-    virtual ~KeymasterEnforcement() {}
+    KeymasterEnforcement(uint32_t max_access_time_map_size, uint32_t max_access_count_map_size);
+    virtual ~KeymasterEnforcement();
     /**
      * Iterates through the authorization set and returns the corresponding keymaster error. Will
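Review bot: The new pure virtual `enforcement_policy()` in the @@ -121 hunk returns a raw `KeymasterEnforcement*` without saying who owns it or how long it stays valid; the only contract the comment gives is the null case, which every caller must now check before use. Since the pointer presumably stays owned by the context (confirm against the Trusty implementation), the comment should say so, e.g. `* The returned object is owned by the context and stays valid for the context's lifetime; callers must not delete it and must treat null as "no enforcement".` Separately, the @@ -20 hunk includes the whole keymaster_enforcement.h header where a forward declaration `class KeymasterEnforcement;` inside the namespace would suffice for a pointer-returning declaration, unless the rest of this header (outside the hunk) needs the complete type.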
@@ -159,52 +156,10 @@ class KeymasterEnforcement {
                                                const keymaster_operation_handle_t op_handle,
                                                bool is_begin_operation) const;
-    class AccessTimeMap {
-      public:
-        AccessTimeMap(uint32_t max_size) : max_size_(max_size) {}
-
-        /* If the key is found, returns true and fills \p last_access_time. If not found returns
-         * false. */
-        bool LastKeyAccessTime(km_id_t keyid, uint32_t* last_access_time) const;
-
-        /* Updates the last key access time with the currentTime parameter. Adds the key if
-         * needed, returning false if key cannot be added because list is full. */
-        bool UpdateKeyAccessTime(km_id_t keyid, uint32_t current_time, uint32_t timeout);
-
-      private:
-        struct AccessTime {
-            km_id_t keyid;
-            uint32_t access_time;
-            uint32_t timeout;
-        };
-        android::List<AccessTime> last_access_list_;
-        const uint32_t max_size_;
-    };
-
-    class AccessCountMap {
-      public:
-        AccessCountMap(uint32_t max_size) : max_size_(max_size) {}
-
-        /* If the key is found, returns true and fills \p count. If not found returns
-         * false. */
-        bool KeyAccessCount(km_id_t keyid, uint32_t* count) const;
-
-        /* Increments key access count, adding an entry if the key has never been used. Returns
-         * false if the list has reached maximum size. */
-        bool IncrementKeyAccessCount(km_id_t keyid);
-
-      private:
-        struct AccessCount {
-            km_id_t keyid;
-            uint64_t access_count;
-        };
-        android::List<AccessCount> access_count_list_;
-        const uint32_t max_size_;
-    };
-
-    AccessTimeMap access_time_map_;
-    AccessCountMap access_count_map_;
+    AccessTimeMap* access_time_map_;
+    AccessCountMap* access_count_map_;
 };
+
 };  /* namespace keymaster */
 #endif  // ANDROID_LIBRARY_KEYMASTER_ENFORCEMENT_H
diff --git a/include/keymaster/soft_keymaster_context.h b/include/keymaster/soft_keymaster_context.h
index b0a4c1e..8f6fe2d 100644
--- a/include/keymaster/soft_keymaster_context.h
+++ b/include/keymaster/soft_keymaster_context.h
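Review bot: `access_time_map_` and `access_count_map_` become raw pointers to types that are now only forward-declared, so they must be allocated by the out-of-line constructor in the @@ -35 hunk and are presumably released by `~KeymasterEnforcement()` (not visible here), yet the class keeps its implicitly generated copy constructor and copy assignment, so any copy would share both maps and free them twice. KeymasterContext in this same change declares itself uncopyable; KeymasterEnforcement should do the same, e.g. `private: KeymasterEnforcement(const KeymasterEnforcement&); void operator=(const KeymasterEnforcement&);` (or `= delete`, which the file's use of `nullptr` suggests is available). The constructor comment in the @@ -35 hunk also lost its only substantive sentence; it should state that the two sizes bound the in-memory access-time and access-count tables, since those bounds are what cap the enforcement state's memory use.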
@@ -52,6 +52,11 @@ class SoftKeymasterContext : public KeymasterContext {
     keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
     keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const override;
+    KeymasterEnforcement* enforcement_policy() override {
+        // SoftKeymaster does no enforcement; it's all done by Keystore.
+        return nullptr;
+    }
+
   private:
     keymaster_error_t ParseOldSoftkeymasterBlob(const KeymasterKeyBlob& blob,
                                                  KeymasterKeyBlob* key_material,
diff --git a/include/keymaster/soft_keymaster_device.h b/include/keymaster/soft_keymaster_device.h
index a4f85c4..75e0066 100644
--- a/include/keymaster/soft_keymaster_device.h
+++ b/include/keymaster/soft_keymaster_device.h
@@ -45,8 +45,20 @@ class AuthorizationSet;
  */
 class SoftKeymasterDevice {
   public:
+    /**
+     * Create a SoftKeymasterDevice wrapping the specified HW keymaster0 device, which may be NULL.
+     *
+     * Uses SoftKeymaserContext.
+     */
     SoftKeymasterDevice(keymaster0_device_t* keymaster0_device = nullptr);
+    /**
+     * Create a SoftKeymasterDevice that uses the specified KeymasterContext.
+     *
+     * TODO(swillden): Refactor SoftKeymasterDevice construction to make all components injectable.
+     */
+    SoftKeymasterDevice(KeymasterContext* context);
+
     hw_device_t* hw_device();
     keymaster1_device_t* keymaster_device();
@@ -56,6 +68,8 @@ class SoftKeymasterDevice {
     }
   private:
+    void initialize(keymaster0_device_t* keymaster0_device);
+
     static void StoreDefaultNewKeyParams(AuthorizationSet* auth_set);
     static keymaster_error_t GetPkcs8KeyAlgorithm(const uint8_t* key, size_t key_length,
                                                   keymaster_algorithm_t* algorithm);
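Review bot: The `enforcement_policy()` override in soft_keymaster_context.h switches off all in-keymaster authorization enforcement for this context, and the reason ("it's all done by Keystore") is recorded only in a body comment inside the function. That is a trust-boundary requirement on whoever instantiates SoftKeymasterContext, so it belongs in the class-level documentation (outside this hunk) where users of the type will see it, e.g. `// SoftKeymasterContext performs no key-authorization enforcement itself; it relies on the calling Keystore to enforce authorizations, and a caller that bypasses Keystore gets none.`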
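Review bot: The new single-argument constructor `SoftKeymasterDevice(KeymasterContext* context);` in the @@ -45 hunk of soft_keymaster_device.h is not `explicit`, so a `KeymasterContext*` converts implicitly to a SoftKeymasterDevice, and alongside the existing `SoftKeymasterDevice(keymaster0_device_t* = nullptr)` overload an expression such as `SoftKeymasterDevice(nullptr)` is now ambiguous between the two pointer types — if any caller passes a literal nullptr today it will stop compiling. Suggest `explicit SoftKeymasterDevice(KeymasterContext* context);` and a line in its comment stating whether the device takes ownership of `context`, which the hunk does not say. The comment on the first constructor also misspells the type: `* Uses SoftKeymaserContext.` should read `* Uses SoftKeymasterContext.`.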