diff options
author | Roberto Pereira <rpere@google.com> | 2018-07-30 14:54:58 -0700 |
---|---|---|
committer | Roberto Pereira <rpere@google.com> | 2018-08-14 10:49:38 -0700 |
commit | 24261974008aeef097eb11dbd3237f959a960b0e (patch) | |
tree | a9ca95b57267e8fd18f943ed5f6a4a6ebe914c97 /trusty | |
parent | 890c5382d123a0871a23e12b960238f8dbef0131 (diff) | |
download | system_core-24261974008aeef097eb11dbd3237f959a960b0e.tar.gz system_core-24261974008aeef097eb11dbd3237f959a960b0e.tar.bz2 system_core-24261974008aeef097eb11dbd3237f959a960b0e.zip |
Add Keymaster 3.0 binderized Trusty HAL
Based on AndroidKeymaster3Device
Test: VtsHalKeymasterV3_0TargetTest
Bug:110153632
Change-Id: I682e5c9823ed3d8d8c0cfde0713ee64f96eab78a
Diffstat (limited to 'trusty')
-rw-r--r-- | trusty/keymaster/3.0/TrustyKeymaster3Device.cpp | 448 | ||||
-rw-r--r-- | trusty/keymaster/3.0/android.hardware.keymaster@3.0-service.trusty.rc | 4 | ||||
-rw-r--r-- | trusty/keymaster/3.0/service.cpp | 43 | ||||
-rw-r--r-- | trusty/keymaster/Android.bp | 31 | ||||
-rw-r--r-- | trusty/keymaster/TrustyKeymaster.cpp | 196 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h | 66 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/TrustyKeymaster3Device.h | 84 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h | 7 |
8 files changed, 879 insertions, 0 deletions
diff --git a/trusty/keymaster/3.0/TrustyKeymaster3Device.cpp b/trusty/keymaster/3.0/TrustyKeymaster3Device.cpp new file mode 100644 index 000000000..8e3b3b127 --- /dev/null +++ b/trusty/keymaster/3.0/TrustyKeymaster3Device.cpp @@ -0,0 +1,448 @@ +/* + ** + ** Copyright 2018, The Android Open Source Project + ** + ** Licensed under the Apache License, Version 2.0 (the "License"); + ** you may not use this file except in compliance with the License. + ** You may obtain a copy of the License at + ** + ** http://www.apache.org/licenses/LICENSE-2.0 + ** + ** Unless required by applicable law or agreed to in writing, software + ** distributed under the License is distributed on an "AS IS" BASIS, + ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ** See the License for the specific language governing permissions and + ** limitations under the License. + */ + +#define LOG_TAG "android.hardware.keymaster@3.0-impl.trusty" + +#include <authorization_set.h> +#include <cutils/log.h> +#include <keymaster/android_keymaster_messages.h> +#include <trusty_keymaster/TrustyKeymaster3Device.h> + +using ::keymaster::AbortOperationRequest; +using ::keymaster::AbortOperationResponse; +using ::keymaster::AddEntropyRequest; +using ::keymaster::AddEntropyResponse; +using ::keymaster::AttestKeyRequest; +using ::keymaster::AttestKeyResponse; +using ::keymaster::AuthorizationSet; +using ::keymaster::BeginOperationRequest; +using ::keymaster::BeginOperationResponse; +using ::keymaster::ExportKeyRequest; +using ::keymaster::ExportKeyResponse; +using ::keymaster::FinishOperationRequest; +using ::keymaster::FinishOperationResponse; +using ::keymaster::GenerateKeyRequest; +using ::keymaster::GenerateKeyResponse; +using ::keymaster::GetKeyCharacteristicsRequest; +using ::keymaster::GetKeyCharacteristicsResponse; +using ::keymaster::ImportKeyRequest; +using ::keymaster::ImportKeyResponse; +using ::keymaster::UpdateOperationRequest; +using ::keymaster::UpdateOperationResponse; +using ::keymaster::ng::Tag; + +namespace keymaster { + +namespace { + +inline keymaster_tag_t legacy_enum_conversion(const Tag value) { + return keymaster_tag_t(value); +} +inline Tag legacy_enum_conversion(const keymaster_tag_t value) { + return Tag(value); +} +inline keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) { + return keymaster_purpose_t(value); +} +inline keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) { + return keymaster_key_format_t(value); +} +inline ErrorCode legacy_enum_conversion(const keymaster_error_t value) { + return ErrorCode(value); +} + +inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) { + return keymaster_tag_get_type(tag); +} + +class KmParamSet : public keymaster_key_param_set_t { + public: + KmParamSet(const hidl_vec<KeyParameter>& keyParams) { + params = new keymaster_key_param_t[keyParams.size()]; + length = keyParams.size(); + for (size_t i = 0; i < keyParams.size(); ++i) { + auto tag = legacy_enum_conversion(keyParams[i].tag); + switch (typeFromTag(tag)) { + case KM_ENUM: + case KM_ENUM_REP: + params[i] = keymaster_param_enum(tag, keyParams[i].f.integer); + break; + case KM_UINT: + case KM_UINT_REP: + params[i] = keymaster_param_int(tag, keyParams[i].f.integer); + break; + case KM_ULONG: + case KM_ULONG_REP: + params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger); + break; + case KM_DATE: + params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime); + break; + case KM_BOOL: + if (keyParams[i].f.boolValue) + params[i] = keymaster_param_bool(tag); + else + params[i].tag = KM_TAG_INVALID; + break; + case KM_BIGNUM: + case KM_BYTES: + params[i] = keymaster_param_blob(tag, &keyParams[i].blob[0], + keyParams[i].blob.size()); + break; + case KM_INVALID: + default: + params[i].tag = KM_TAG_INVALID; + /* just skip */ + break; + } + } + } + KmParamSet(KmParamSet&& other) : keymaster_key_param_set_t{other.params, other.length} { + other.length = 0; + other.params = nullptr; + } + KmParamSet(const KmParamSet&) = delete; + ~KmParamSet() { delete[] params; } +}; + +inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_key_blob_t& blob) { + hidl_vec<uint8_t> result; + result.setToExternal(const_cast<unsigned char*>(blob.key_material), blob.key_material_size); + return result; +} + +inline hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_blob_t& blob) { + hidl_vec<uint8_t> result; + result.setToExternal(const_cast<unsigned char*>(blob.data), blob.data_length); + return result; +} + +inline hidl_vec<uint8_t> kmBuffer2hidlVec(const ::keymaster::Buffer& buf) { + hidl_vec<uint8_t> result; + result.setToExternal(const_cast<unsigned char*>(buf.peek_read()), buf.available_read()); + return result; +} + +inline static hidl_vec<hidl_vec<uint8_t>> kmCertChain2Hidl( + const keymaster_cert_chain_t& cert_chain) { + hidl_vec<hidl_vec<uint8_t>> result; + if (!cert_chain.entry_count || !cert_chain.entries) return result; + + result.resize(cert_chain.entry_count); + for (size_t i = 0; i < cert_chain.entry_count; ++i) { + result[i] = kmBlob2hidlVec(cert_chain.entries[i]); + } + + return result; +} + +static inline hidl_vec<KeyParameter> kmParamSet2Hidl(const keymaster_key_param_set_t& set) { + hidl_vec<KeyParameter> result; + if (set.length == 0 || set.params == nullptr) return result; + + result.resize(set.length); + keymaster_key_param_t* params = set.params; + for (size_t i = 0; i < set.length; ++i) { + auto tag = params[i].tag; + result[i].tag = legacy_enum_conversion(tag); + switch (typeFromTag(tag)) { + case KM_ENUM: + case KM_ENUM_REP: + result[i].f.integer = params[i].enumerated; + break; + case KM_UINT: + case KM_UINT_REP: + result[i].f.integer = params[i].integer; + break; + case KM_ULONG: + case KM_ULONG_REP: + result[i].f.longInteger = params[i].long_integer; + break; + case KM_DATE: + result[i].f.dateTime = params[i].date_time; + break; + case KM_BOOL: + result[i].f.boolValue = params[i].boolean; + break; + case KM_BIGNUM: + case KM_BYTES: + result[i].blob.setToExternal(const_cast<unsigned char*>(params[i].blob.data), + params[i].blob.data_length); + break; + case KM_INVALID: + default: + params[i].tag = KM_TAG_INVALID; + /* just skip */ + break; + } + } + return result; +} + +void addClientAndAppData(const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData, + ::keymaster::AuthorizationSet* params) { + params->Clear(); + if (clientId.size()) { + params->push_back(::keymaster::TAG_APPLICATION_ID, clientId.data(), clientId.size()); + } + if (appData.size()) { + params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size()); + } +} + +} // anonymous namespace + +TrustyKeymaster3Device::TrustyKeymaster3Device(TrustyKeymaster* impl) : impl_(impl) {} + +TrustyKeymaster3Device::~TrustyKeymaster3Device() {} + +Return<void> TrustyKeymaster3Device::getHardwareFeatures(getHardwareFeatures_cb _hidl_cb) { + _hidl_cb(true /* is_secure */, true /* supports_ec */, + true /* supports_symmetric_cryptography */, true /* supports_attestation */, + true /* supportsAllDigests */, "TrustyKeymaster", "Google"); + return Void(); +} + +Return<ErrorCode> TrustyKeymaster3Device::addRngEntropy(const hidl_vec<uint8_t>& data) { + if (data.size() == 0) return ErrorCode::OK; + AddEntropyRequest request; + request.random_data.Reinitialize(data.data(), data.size()); + + AddEntropyResponse response; + impl_->AddRngEntropy(request, &response); + + return legacy_enum_conversion(response.error); +} + +Return<void> TrustyKeymaster3Device::generateKey(const hidl_vec<KeyParameter>& keyParams, + generateKey_cb _hidl_cb) { + GenerateKeyRequest request; + request.key_description.Reinitialize(KmParamSet(keyParams)); + + GenerateKeyResponse response; + impl_->GenerateKey(request, &response); + + KeyCharacteristics resultCharacteristics; + hidl_vec<uint8_t> resultKeyBlob; + if (response.error == KM_ERROR_OK) { + resultKeyBlob = kmBlob2hidlVec(response.key_blob); + resultCharacteristics.teeEnforced = kmParamSet2Hidl(response.enforced); + resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); + } + _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); + return Void(); +} + +Return<void> TrustyKeymaster3Device::getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob, + const hidl_vec<uint8_t>& clientId, + const hidl_vec<uint8_t>& appData, + getKeyCharacteristics_cb _hidl_cb) { + GetKeyCharacteristicsRequest request; + request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); + addClientAndAppData(clientId, appData, &request.additional_params); + + GetKeyCharacteristicsResponse response; + impl_->GetKeyCharacteristics(request, &response); + + KeyCharacteristics resultCharacteristics; + if (response.error == KM_ERROR_OK) { + resultCharacteristics.teeEnforced = kmParamSet2Hidl(response.enforced); + resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); + } + _hidl_cb(legacy_enum_conversion(response.error), resultCharacteristics); + return Void(); +} + +Return<void> TrustyKeymaster3Device::importKey(const hidl_vec<KeyParameter>& params, + KeyFormat keyFormat, + const hidl_vec<uint8_t>& keyData, + importKey_cb _hidl_cb) { + ImportKeyRequest request; + request.key_description.Reinitialize(KmParamSet(params)); + request.key_format = legacy_enum_conversion(keyFormat); + request.SetKeyMaterial(keyData.data(), keyData.size()); + + ImportKeyResponse response; + impl_->ImportKey(request, &response); + + KeyCharacteristics resultCharacteristics; + hidl_vec<uint8_t> resultKeyBlob; + if (response.error == KM_ERROR_OK) { + resultKeyBlob = kmBlob2hidlVec(response.key_blob); + resultCharacteristics.teeEnforced = kmParamSet2Hidl(response.enforced); + resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); + } + _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); + return Void(); +} + +Return<void> TrustyKeymaster3Device::exportKey(KeyFormat exportFormat, + const hidl_vec<uint8_t>& keyBlob, + const hidl_vec<uint8_t>& clientId, + const hidl_vec<uint8_t>& appData, + exportKey_cb _hidl_cb) { + ExportKeyRequest request; + request.key_format = legacy_enum_conversion(exportFormat); + request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); + addClientAndAppData(clientId, appData, &request.additional_params); + + ExportKeyResponse response; + impl_->ExportKey(request, &response); + + hidl_vec<uint8_t> resultKeyBlob; + if (response.error == KM_ERROR_OK) { + resultKeyBlob.setToExternal(response.key_data, response.key_data_length); + } + _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob); + return Void(); +} + +Return<void> TrustyKeymaster3Device::attestKey(const hidl_vec<uint8_t>& keyToAttest, + const hidl_vec<KeyParameter>& attestParams, + attestKey_cb _hidl_cb) { + AttestKeyRequest request; + request.SetKeyMaterial(keyToAttest.data(), keyToAttest.size()); + request.attest_params.Reinitialize(KmParamSet(attestParams)); + + AttestKeyResponse response; + impl_->AttestKey(request, &response); + + hidl_vec<hidl_vec<uint8_t>> resultCertChain; + if (response.error == KM_ERROR_OK) { + resultCertChain = kmCertChain2Hidl(response.certificate_chain); + } + _hidl_cb(legacy_enum_conversion(response.error), resultCertChain); + return Void(); +} + +Return<void> TrustyKeymaster3Device::upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade, + const hidl_vec<KeyParameter>& upgradeParams, + upgradeKey_cb _hidl_cb) { + UpgradeKeyRequest request; + request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size()); + request.upgrade_params.Reinitialize(KmParamSet(upgradeParams)); + + UpgradeKeyResponse response; + impl_->UpgradeKey(request, &response); + + if (response.error == KM_ERROR_OK) { + _hidl_cb(ErrorCode::OK, kmBlob2hidlVec(response.upgraded_key)); + } else { + _hidl_cb(legacy_enum_conversion(response.error), hidl_vec<uint8_t>()); + } + return Void(); +} + +Return<ErrorCode> TrustyKeymaster3Device::deleteKey(const hidl_vec<uint8_t>& keyBlob) { + DeleteKeyRequest request; + request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); + + DeleteKeyResponse response; + impl_->DeleteKey(request, &response); + + return legacy_enum_conversion(response.error); +} + +Return<ErrorCode> TrustyKeymaster3Device::deleteAllKeys() { + DeleteAllKeysRequest request; + DeleteAllKeysResponse response; + impl_->DeleteAllKeys(request, &response); + + return legacy_enum_conversion(response.error); +} + +Return<ErrorCode> TrustyKeymaster3Device::destroyAttestationIds() { + return ErrorCode::UNIMPLEMENTED; +} + +Return<void> TrustyKeymaster3Device::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, + const hidl_vec<KeyParameter>& inParams, + begin_cb _hidl_cb) { + BeginOperationRequest request; + request.purpose = legacy_enum_conversion(purpose); + request.SetKeyMaterial(key.data(), key.size()); + request.additional_params.Reinitialize(KmParamSet(inParams)); + + BeginOperationResponse response; + impl_->BeginOperation(request, &response); + + hidl_vec<KeyParameter> resultParams; + if (response.error == KM_ERROR_OK) { + resultParams = kmParamSet2Hidl(response.output_params); + } + + _hidl_cb(legacy_enum_conversion(response.error), resultParams, response.op_handle); + return Void(); +} + +Return<void> TrustyKeymaster3Device::update(uint64_t operationHandle, + const hidl_vec<KeyParameter>& inParams, + const hidl_vec<uint8_t>& input, update_cb _hidl_cb) { + UpdateOperationRequest request; + request.op_handle = operationHandle; + request.input.Reinitialize(input.data(), input.size()); + request.additional_params.Reinitialize(KmParamSet(inParams)); + + UpdateOperationResponse response; + impl_->UpdateOperation(request, &response); + + uint32_t resultConsumed = 0; + hidl_vec<KeyParameter> resultParams; + hidl_vec<uint8_t> resultBlob; + if (response.error == KM_ERROR_OK) { + resultConsumed = response.input_consumed; + resultParams = kmParamSet2Hidl(response.output_params); + resultBlob = kmBuffer2hidlVec(response.output); + } + _hidl_cb(legacy_enum_conversion(response.error), resultConsumed, resultParams, resultBlob); + return Void(); +} + +Return<void> TrustyKeymaster3Device::finish(uint64_t operationHandle, + const hidl_vec<KeyParameter>& inParams, + const hidl_vec<uint8_t>& input, + const hidl_vec<uint8_t>& signature, + finish_cb _hidl_cb) { + FinishOperationRequest request; + request.op_handle = operationHandle; + request.input.Reinitialize(input.data(), input.size()); + request.signature.Reinitialize(signature.data(), signature.size()); + request.additional_params.Reinitialize(KmParamSet(inParams)); + + FinishOperationResponse response; + impl_->FinishOperation(request, &response); + + hidl_vec<KeyParameter> resultParams; + hidl_vec<uint8_t> resultBlob; + if (response.error == KM_ERROR_OK) { + resultParams = kmParamSet2Hidl(response.output_params); + resultBlob = kmBuffer2hidlVec(response.output); + } + _hidl_cb(legacy_enum_conversion(response.error), resultParams, resultBlob); + return Void(); +} + +Return<ErrorCode> TrustyKeymaster3Device::abort(uint64_t operationHandle) { + AbortOperationRequest request; + request.op_handle = operationHandle; + + AbortOperationResponse response; + impl_->AbortOperation(request, &response); + + return legacy_enum_conversion(response.error); +} +} // namespace keymaster diff --git a/trusty/keymaster/3.0/android.hardware.keymaster@3.0-service.trusty.rc b/trusty/keymaster/3.0/android.hardware.keymaster@3.0-service.trusty.rc new file mode 100644 index 000000000..e9d305412 --- /dev/null +++ b/trusty/keymaster/3.0/android.hardware.keymaster@3.0-service.trusty.rc @@ -0,0 +1,4 @@ +service vendor.keymaster-3-0 /vendor/bin/hw/android.hardware.keymaster@3.0-service.trusty + class early_hal + user nobody + group system drmrpc diff --git a/trusty/keymaster/3.0/service.cpp b/trusty/keymaster/3.0/service.cpp new file mode 100644 index 000000000..0d8436eff --- /dev/null +++ b/trusty/keymaster/3.0/service.cpp @@ -0,0 +1,43 @@ +/* +** +** Copyright 2018, The Android Open Source Project +** +** Licensed under the Apache License, Version 2.0 (the "License"); +** you may not use this file except in compliance with the License. +** You may obtain a copy of the License at +** +** http://www.apache.org/licenses/LICENSE-2.0 +** +** Unless required by applicable law or agreed to in writing, software +** distributed under the License is distributed on an "AS IS" BASIS, +** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +** See the License for the specific language governing permissions and +** limitations under the License. +*/ + +#include <android-base/logging.h> +#include <android/hardware/keymaster/3.0/IKeymasterDevice.h> +#include <hidl/HidlTransportSupport.h> +#include <trusty_keymaster/TrustyKeymaster.h> +#include <trusty_keymaster/TrustyKeymaster3Device.h> + +int main() { + ::android::hardware::configureRpcThreadpool(1, true); + auto trustyKeymaster = new keymaster::TrustyKeymaster(); + int err = trustyKeymaster->Initialize(); + if (err != 0) { + LOG(FATAL) << "Could not initialize TrustyKeymaster (" << err << ")"; + return -1; + } + + auto keymaster = new ::keymaster::TrustyKeymaster3Device(trustyKeymaster); + + auto status = keymaster->registerAsService(); + if (status != android::OK) { + LOG(FATAL) << "Could not register service for Keymaster 3.0 (" << status << ")"; + return -1; + } + + android::hardware::joinRpcThreadpool(); + return -1; // Should never get here. +} diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp index 52a879e8d..819851fd3 100644 --- a/trusty/keymaster/Android.bp +++ b/trusty/keymaster/Android.bp @@ -77,3 +77,34 @@ cc_library_shared { ], header_libs: ["libhardware_headers"], } + +cc_binary { + name: "android.hardware.keymaster@3.0-service.trusty", + defaults: ["hidl_defaults"], + relative_install_path: "hw", + vendor: true, + init_rc: ["3.0/android.hardware.keymaster@3.0-service.trusty.rc"], + srcs: [ + "3.0/service.cpp", + "3.0/TrustyKeymaster3Device.cpp", + "ipc/trusty_keymaster_ipc.cpp", + "TrustyKeymaster.cpp", + ], + + local_include_dirs: ["include"], + + shared_libs: [ + "liblog", + "libcutils", + "libdl", + "libbase", + "libutils", + "libhardware", + "libhidlbase", + "libhidltransport", + "libtrusty", + "libkeymaster_messages", + "libkeymaster3device", + "android.hardware.keymaster@3.0" + ], +} diff --git a/trusty/keymaster/TrustyKeymaster.cpp b/trusty/keymaster/TrustyKeymaster.cpp new file mode 100644 index 000000000..7f5e87f71 --- /dev/null +++ b/trusty/keymaster/TrustyKeymaster.cpp @@ -0,0 +1,196 @@ +/* + * Copyright 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <cutils/log.h> +#include <keymaster/android_keymaster_messages.h> +#include <keymaster/keymaster_configuration.h> +#include <trusty_keymaster/TrustyKeymaster.h> +#include <trusty_keymaster/ipc/trusty_keymaster_ipc.h> + +namespace keymaster { + +int TrustyKeymaster::Initialize() { + int err; + + err = trusty_keymaster_connect(); + if (err) { + ALOGE("Failed to connect to trusty keymaster %d", err); + return err; + } + + ConfigureRequest req; + req.os_version = GetOsVersion(); + req.os_patchlevel = GetOsPatchlevel(); + + ConfigureResponse rsp; + Configure(req, &rsp); + + if (rsp.error != KM_ERROR_OK) { + ALOGE("Failed to configure keymaster %d", rsp.error); + return -1; + } + + return 0; +} + +TrustyKeymaster::TrustyKeymaster() {} + +TrustyKeymaster::~TrustyKeymaster() { + trusty_keymaster_disconnect(); +} + +static void ForwardCommand(enum keymaster_command command, const Serializable& req, + KeymasterResponse* rsp) { + keymaster_error_t err; + err = trusty_keymaster_send(command, req, rsp); + if (err != KM_ERROR_OK) { + ALOGE("Failed to send cmd %d err: %d", command, err); + rsp->error = err; + } +} + +void TrustyKeymaster::GetVersion(const GetVersionRequest& request, GetVersionResponse* response) { + ForwardCommand(KM_GET_VERSION, request, response); +} + +void TrustyKeymaster::SupportedAlgorithms(const SupportedAlgorithmsRequest& request, + SupportedAlgorithmsResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_ALGORITHMS, request, response); +} + +void TrustyKeymaster::SupportedBlockModes(const SupportedBlockModesRequest& request, + SupportedBlockModesResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_BLOCK_MODES, request, response); +} + +void TrustyKeymaster::SupportedPaddingModes(const SupportedPaddingModesRequest& request, + SupportedPaddingModesResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_PADDING_MODES, request, response); +} + +void TrustyKeymaster::SupportedDigests(const SupportedDigestsRequest& request, + SupportedDigestsResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_DIGESTS, request, response); +} + +void TrustyKeymaster::SupportedImportFormats(const SupportedImportFormatsRequest& request, + SupportedImportFormatsResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_IMPORT_FORMATS, request, response); +} + +void TrustyKeymaster::SupportedExportFormats(const SupportedExportFormatsRequest& request, + SupportedExportFormatsResponse* response) { + ForwardCommand(KM_GET_SUPPORTED_EXPORT_FORMATS, request, response); +} + +void TrustyKeymaster::AddRngEntropy(const AddEntropyRequest& request, + AddEntropyResponse* response) { + ForwardCommand(KM_ADD_RNG_ENTROPY, request, response); +} + +void TrustyKeymaster::Configure(const ConfigureRequest& request, ConfigureResponse* response) { + ForwardCommand(KM_CONFIGURE, request, response); +} + +void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request, + GenerateKeyResponse* response) { + GenerateKeyRequest datedRequest(request.message_version); + datedRequest.key_description = request.key_description; + + if (!request.key_description.Contains(TAG_CREATION_DATETIME)) { + datedRequest.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL))); + } + + ForwardCommand(KM_GENERATE_KEY, datedRequest, response); +} + +void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request, + GetKeyCharacteristicsResponse* response) { + ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response); +} + +void TrustyKeymaster::ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response) { + ForwardCommand(KM_IMPORT_KEY, request, response); +} + +void TrustyKeymaster::ImportWrappedKey(const ImportWrappedKeyRequest& request, + ImportWrappedKeyResponse* response) { + ForwardCommand(KM_IMPORT_WRAPPED_KEY, request, response); +} + +void TrustyKeymaster::ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response) { + ForwardCommand(KM_EXPORT_KEY, request, response); +} + +void TrustyKeymaster::AttestKey(const AttestKeyRequest& request, AttestKeyResponse* response) { + ForwardCommand(KM_ATTEST_KEY, request, response); +} + +void TrustyKeymaster::UpgradeKey(const UpgradeKeyRequest& request, UpgradeKeyResponse* response) { + ForwardCommand(KM_UPGRADE_KEY, request, response); +} + +void TrustyKeymaster::DeleteKey(const DeleteKeyRequest& request, DeleteKeyResponse* response) { + ForwardCommand(KM_DELETE_KEY, request, response); +} + +void TrustyKeymaster::DeleteAllKeys(const DeleteAllKeysRequest& request, + DeleteAllKeysResponse* response) { + ForwardCommand(KM_DELETE_ALL_KEYS, request, response); +} + +void TrustyKeymaster::BeginOperation(const BeginOperationRequest& request, + BeginOperationResponse* response) { + ForwardCommand(KM_BEGIN_OPERATION, request, response); +} + +void TrustyKeymaster::UpdateOperation(const UpdateOperationRequest& request, + UpdateOperationResponse* response) { + ForwardCommand(KM_UPDATE_OPERATION, request, response); +} + +void TrustyKeymaster::FinishOperation(const FinishOperationRequest& request, + FinishOperationResponse* response) { + ForwardCommand(KM_FINISH_OPERATION, request, response); +} + +void TrustyKeymaster::AbortOperation(const AbortOperationRequest& request, + AbortOperationResponse* response) { + ForwardCommand(KM_ABORT_OPERATION, request, response); +} + +/* Methods for Keymaster 4.0 functionality -- not yet implemented */ +GetHmacSharingParametersResponse TrustyKeymaster::GetHmacSharingParameters() { + GetHmacSharingParametersResponse response; + response.error = KM_ERROR_UNIMPLEMENTED; + return response; +} + +ComputeSharedHmacResponse TrustyKeymaster::ComputeSharedHmac( + const ComputeSharedHmacRequest& /* request */) { + ComputeSharedHmacResponse response; + response.error = KM_ERROR_UNIMPLEMENTED; + return response; +} + +VerifyAuthorizationResponse TrustyKeymaster::VerifyAuthorization( + const VerifyAuthorizationRequest& /* request */) { + VerifyAuthorizationResponse response; + response.error = KM_ERROR_UNIMPLEMENTED; + return response; +} + +} // namespace keymaster diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h new file mode 100644 index 000000000..030b64598 --- /dev/null +++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h @@ -0,0 +1,66 @@ +/* + * Copyright 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef TRUSTY_KEYMASTER_H_ +#define TRUSTY_KEYMASTER_H_ + +#include <keymaster/android_keymaster_messages.h> + +namespace keymaster { + +class TrustyKeymaster { + public: + TrustyKeymaster(); + ~TrustyKeymaster(); + int Initialize(); + void GetVersion(const GetVersionRequest& request, GetVersionResponse* response); + void SupportedAlgorithms(const SupportedAlgorithmsRequest& request, + SupportedAlgorithmsResponse* response); + void SupportedBlockModes(const SupportedBlockModesRequest& request, + SupportedBlockModesResponse* response); + void SupportedPaddingModes(const SupportedPaddingModesRequest& request, + SupportedPaddingModesResponse* response); + void SupportedDigests(const SupportedDigestsRequest& request, + SupportedDigestsResponse* response); + void SupportedImportFormats(const SupportedImportFormatsRequest& request, + SupportedImportFormatsResponse* response); + void SupportedExportFormats(const SupportedExportFormatsRequest& request, + SupportedExportFormatsResponse* response); + void AddRngEntropy(const AddEntropyRequest& request, AddEntropyResponse* response); + void Configure(const ConfigureRequest& request, ConfigureResponse* response); + void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response); + void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request, + GetKeyCharacteristicsResponse* response); + void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response); + void ImportWrappedKey(const ImportWrappedKeyRequest& request, + ImportWrappedKeyResponse* response); + void ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response); + void AttestKey(const AttestKeyRequest& request, AttestKeyResponse* response); + void UpgradeKey(const UpgradeKeyRequest& request, UpgradeKeyResponse* response); + void DeleteKey(const DeleteKeyRequest& request, DeleteKeyResponse* response); + void DeleteAllKeys(const DeleteAllKeysRequest& request, DeleteAllKeysResponse* response); + void BeginOperation(const BeginOperationRequest& request, BeginOperationResponse* response); + void UpdateOperation(const UpdateOperationRequest& request, UpdateOperationResponse* response); + void FinishOperation(const FinishOperationRequest& request, FinishOperationResponse* response); + void AbortOperation(const AbortOperationRequest& request, AbortOperationResponse* response); + GetHmacSharingParametersResponse GetHmacSharingParameters(); + ComputeSharedHmacResponse ComputeSharedHmac(const ComputeSharedHmacRequest& request); + VerifyAuthorizationResponse VerifyAuthorization(const VerifyAuthorizationRequest& request); +}; + +} // namespace keymaster + +#endif // TRUSTY_KEYMASTER_H_ diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster3Device.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster3Device.h new file mode 100644 index 000000000..6fc79ce68 --- /dev/null +++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster3Device.h @@ -0,0 +1,84 @@ +/* + ** + ** Copyright 2018, The Android Open Source Project + ** + ** Licensed under the Apache License, Version 2.0 (the "License"); + ** you may not use this file except in compliance with the License. + ** You may obtain a copy of the License at + ** + ** http://www.apache.org/licenses/LICENSE-2.0 + ** + ** Unless required by applicable law or agreed to in writing, software + ** distributed under the License is distributed on an "AS IS" BASIS, + ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + ** See the License for the specific language governing permissions and + ** limitations under the License. + */ + +#ifndef HIDL_android_hardware_keymaster_V3_0_TrustyKeymaster3Device_H_ +#define HIDL_android_hardware_keymaster_V3_0_TrustyKeymaster3Device_H_ + +#include <android/hardware/keymaster/3.0/IKeymasterDevice.h> + +#include <hidl/MQDescriptor.h> +#include <hidl/Status.h> + +#include <trusty_keymaster/TrustyKeymaster.h> + +namespace keymaster { + +using ::android::sp; +using ::android::hardware::hidl_string; +using ::android::hardware::hidl_vec; +using ::android::hardware::Return; +using ::android::hardware::Void; +using ::android::hardware::keymaster::V3_0::ErrorCode; +using ::android::hardware::keymaster::V3_0::IKeymasterDevice; +using ::android::hardware::keymaster::V3_0::KeyCharacteristics; +using ::android::hardware::keymaster::V3_0::KeyFormat; +using ::android::hardware::keymaster::V3_0::KeyParameter; +using ::android::hardware::keymaster::V3_0::KeyPurpose; + +class TrustyKeymaster3Device : public IKeymasterDevice { + public: + TrustyKeymaster3Device(TrustyKeymaster* impl); + virtual ~TrustyKeymaster3Device(); + + Return<void> getHardwareFeatures(getHardwareFeatures_cb _hidl_cb); + Return<ErrorCode> addRngEntropy(const hidl_vec<uint8_t>& data) override; + Return<void> generateKey(const hidl_vec<KeyParameter>& keyParams, + generateKey_cb _hidl_cb) override; + Return<void> getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob, + const hidl_vec<uint8_t>& clientId, + const hidl_vec<uint8_t>& appData, + getKeyCharacteristics_cb _hidl_cb) override; + Return<void> importKey(const hidl_vec<KeyParameter>& params, KeyFormat keyFormat, + const hidl_vec<uint8_t>& keyData, importKey_cb _hidl_cb) override; + Return<void> exportKey(KeyFormat exportFormat, const hidl_vec<uint8_t>& keyBlob, + const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData, + exportKey_cb _hidl_cb) override; + Return<void> attestKey(const hidl_vec<uint8_t>& keyToAttest, + const hidl_vec<KeyParameter>& attestParams, + attestKey_cb _hidl_cb) override; + Return<void> upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade, + const hidl_vec<KeyParameter>& upgradeParams, + upgradeKey_cb _hidl_cb) override; + Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override; + Return<ErrorCode> deleteAllKeys() override; + Return<ErrorCode> destroyAttestationIds() override; + Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, + const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override; + Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams, + const hidl_vec<uint8_t>& input, update_cb _hidl_cb) override; + Return<void> finish(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams, + const hidl_vec<uint8_t>& input, const hidl_vec<uint8_t>& signature, + finish_cb _hidl_cb) override; + Return<ErrorCode> abort(uint64_t operationHandle) override; + + private: + std::unique_ptr<TrustyKeymaster> impl_; +}; + +} // namespace keymaster + +#endif // HIDL_android_hardware_keymaster_V3_0_TrustyKeymaster3Device_H_ diff --git a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h index d63757b36..13e672573 100644 --- a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h +++ b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h @@ -46,6 +46,13 @@ enum keymaster_command : uint32_t { KM_ATTEST_KEY = (16 << KEYMASTER_REQ_SHIFT), KM_UPGRADE_KEY = (17 << KEYMASTER_REQ_SHIFT), KM_CONFIGURE = (18 << KEYMASTER_REQ_SHIFT), + KM_GET_HMAC_SHARING_PARAMETERS = (19 << KEYMASTER_REQ_SHIFT), + KM_COMPUTE_SHARED_HMAC = (20 << KEYMASTER_REQ_SHIFT), + KM_VERIFY_AUTHORIZATION = (21 << KEYMASTER_REQ_SHIFT), + KM_DELETE_KEY = (22 << KEYMASTER_REQ_SHIFT), + KM_DELETE_ALL_KEYS = (23 << KEYMASTER_REQ_SHIFT), + KM_DESTROY_ATTESTATION_IDS = (24 << KEYMASTER_REQ_SHIFT), + KM_IMPORT_WRAPPED_KEY = (25 << KEYMASTER_REQ_SHIFT), }; #ifdef __ANDROID__ |