1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #pragma once
17 
18 #include <optional>
19 //
20 #include <keymaster/soft_key_factory.h>
21 //
22 #include "host/commands/secure_env/tpm_resource_manager.h"
23 
24 namespace cuttlefish {
25 
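/**
 * Encrypts key data using a TPM-resident key and signs it with a TPM-resident
 * key for privacy and integrity.
 *
 * This class is used to encrypt KeyMint data when it leaves the secure_env
 * process, and is sent for storage to Android. When the data comes back, this
 * class decrypts it again for use in Keymaster and other HAL API calls.
 *
 * Blobs handed back by Android have been stored outside the secure_env
 * process, so every blob passed to UnwrapKeyBlob() is untrusted input.
 */
class TpmKeyBlobMaker : public keymaster::SoftwareKeyBlobMaker {
 public:
  /**
   * @param resource_manager TPM access object. The class keeps a reference
   *     member (resource_manager_), so the referenced object presumably has
   *     to outlive this TpmKeyBlobMaker -- confirm against the definition.
   *
   * NOTE(review): this single-argument constructor is not `explicit`, so it
   * also acts as an implicit conversion from TpmResourceManager&. Left
   * unchanged here to keep the interface as declared.
   */
  TpmKeyBlobMaker(TpmResourceManager& resource_manager);

  /**
   * Builds the serialized blob for new key material
   * (keymaster::SoftwareKeyBlobMaker override).
   *
   * @param key_description Authorizations requested for the key.
   * @param origin How the key came to exist.
   * @param key_material Key material to place in the blob.
   * @param[out] blob Receives the resulting blob.
   * @param[out] hw_enforced Receives the hardware-enforced authorizations.
   * @param[out] sw_enforced Receives the software-enforced authorizations.
   * @return A keymaster_error_t status; the outputs are presumably only
   *     meaningful on success -- confirm against the implementation.
   */
  keymaster_error_t CreateKeyBlob(
      const keymaster::AuthorizationSet& key_description,
      keymaster_key_origin_t origin,
      const keymaster::KeymasterKeyBlob& key_material,
      keymaster::KeymasterKeyBlob* blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced) const override;

  /**
   * Builds a blob from key material and authorization sets that the caller
   * has already prepared.
   *
   * NOTE(review): going by the name, no validation of the authorization sets
   * is expected here; callers are presumably responsible for having checked
   * them -- confirm against the implementation.
   *
   * @param key_material Key material to place in the blob.
   * @param hw_enforced Hardware-enforced authorizations for the key.
   * @param sw_enforced Software-enforced authorizations for the key.
   * @param hidden Additional authorizations; presumably bound to the blob
   *     without being stored in it -- confirm.
   * @param[out] blob Receives the resulting blob.
   * @return A keymaster_error_t status.
   */
  keymaster_error_t UnvalidatedCreateKeyBlob(
      const keymaster::KeymasterKeyBlob& key_material,
      const keymaster::AuthorizationSet& hw_enforced,
      const keymaster::AuthorizationSet& sw_enforced,
      const keymaster::AuthorizationSet& hidden,
      keymaster::KeymasterKeyBlob* blob) const;

  /**
   * Intermediate function between KeymasterContext::ParseKeyBlob and
   * KeyFactory::LoadKey. The inputs of this function match the outputs of
   * KeymasterContext::ParseKeyBlob and the outputs of this function match the
   * inputs of KeyFactory::LoadKey.
   *
   * KeymasterContext::ParseKeyBlob is the common entry point for decoding all
   * keys, and is expected to delegate to a KeyFactory depending on the type of
   * the serialized key. This method performs decryption operations shared
   * between all TPM-Keymaster keys.
   *
   * The blob arrives from storage outside the secure_env process, so callers
   * should use *hw_enforced, *sw_enforced and *key_material only when the
   * returned status is KM_ERROR_OK.
   *
   * @param blob Serialized key blob to unwrap (untrusted).
   * @param[out] hw_enforced Receives the hardware-enforced authorizations.
   * @param[out] sw_enforced Receives the software-enforced authorizations.
   * @param hidden Additional authorizations supplied by the caller;
   *     presumably must match those used when the blob was made -- confirm.
   * @param[out] key_material Receives the decrypted key material.
   * @return A keymaster_error_t status.
   */
  keymaster_error_t UnwrapKeyBlob(
      const keymaster_key_blob_t& blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced,
      const keymaster::AuthorizationSet& hidden,
      keymaster::KeymasterKeyBlob* key_material) const;

  // Version and patch-level setters. They presumably record the values in the
  // members of the same name below; how the values are then used is decided
  // in the implementation file, which is not visible from this header.
  keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel);
  keymaster_error_t SetVendorPatchlevel(uint32_t vendor_patchlevel);
  keymaster_error_t SetBootPatchlevel(uint32_t boot_patchlevel);

 private:
  // Non-owning reference; as a reference member it also makes the class
  // non-assignable.
  TpmResourceManager& resource_manager_;
  // Value-initialized so that a read made before SetSystemVersion() sees a
  // defined 0 rather than an indeterminate value. A constructor
  // mem-initializer for these members, if one exists, still takes precedence.
  uint32_t os_version_{};
  uint32_t os_patchlevel_{};
  // Empty until the matching setter supplies a value.
  std::optional<uint32_t> vendor_patchlevel_;
  std::optional<uint32_t> boot_patchlevel_;
};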
82 
83 }  // namespace cuttlefish
84