1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <memory>
20 #include <string>
21 #include <string_view>
22 
23 #include <keymaster/attestation_context.h>
24 #include <keymaster/contexts/pure_soft_remote_provisioning_context.h>
25 #include <keymaster/contexts/soft_attestation_context.h>
26 #include <keymaster/keymaster_context.h>
27 #include <keymaster/km_openssl/attestation_record.h>
28 #include <keymaster/km_openssl/soft_keymaster_enforcement.h>
29 #include <keymaster/km_openssl/software_random_source.h>
30 #include <keymaster/pure_soft_secure_key_storage.h>
31 #include <keymaster/random_source.h>
32 #include <keymaster/soft_key_factory.h>
33 
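namespace keymaster {

class SoftKeymasterKeyRegistrations;
class Keymaster0Engine;
class Keymaster1Engine;
class Key;

/**
 * PureSoftKeymasterContext provides the context for a non-secure, software-only implementation of
 * AndroidKeymaster.
 *
 * Security notes for integrators and reviewers:
 *  - Key blob handling, attestation and randomness are inherited from the software base classes
 *    listed below (SoftwareKeyBlobMaker, SoftAttestationContext, SoftwareRandomSource); nothing
 *    in this declaration refers to a hardware-backed component.
 *  - The security level reported by GetSecurityLevel() is whatever the constructor was given. Any
 *    value other than the default is a test-only override, not a statement about how keys are
 *    actually protected.
 *  - enforcement_policy() hands back a SoftKeymasterEnforcement; per the original author's note,
 *    authorization enforcement is left to Keystore rather than performed here.
 */
class PureSoftKeymasterContext : public KeymasterContext,
                                 protected SoftwareKeyBlobMaker,
                                 public SoftAttestationContext,
                                 private SoftwareRandomSource {
  public:
    /**
     * @param version         Keymaster/KeyMint version this context implements.
     * @param security_level  Level returned by GetSecurityLevel(). Security level must only be
     *                        used for testing: production callers should rely on the default,
     *                        KM_SECURITY_LEVEL_SOFTWARE, so the context does not claim a level it
     *                        cannot provide.
     */
    explicit PureSoftKeymasterContext(
        KmVersion version, keymaster_security_level_t security_level = KM_SECURITY_LEVEL_SOFTWARE);
    ~PureSoftKeymasterContext() override;

    /** Returns the version held by the AttestationContext base. */
    KmVersion GetKmVersion() const override { return AttestationContext::GetKmVersion(); }

    /*********************************************************************************************
     * Implement KeymasterContext
     */
    keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
    void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;

    KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
    OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
                                          keymaster_purpose_t purpose) const override;
    keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;
    keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
                                     const AuthorizationSet& upgrade_params,
                                     KeymasterKeyBlob* upgraded_key) const override;
    keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
                                   const AuthorizationSet& additional_params,
                                   UniquePtr<Key>* key) const override;
    keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override;
    keymaster_error_t DeleteAllKeys() const override;
    keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
    CertificateChain GenerateAttestation(const Key& key, const AuthorizationSet& attest_params,
                                         UniquePtr<Key> attest_key,
                                         const KeymasterBlob& issuer_subject,
                                         keymaster_error_t* error) const override;
    CertificateChain GenerateSelfSignedCertificate(const Key& key,
                                                   const AuthorizationSet& cert_params,
                                                   bool fake_signature,
                                                   keymaster_error_t* error) const override;
    Buffer GenerateUniqueId(uint64_t creation_date_time, const keymaster_blob_t& application_id,
                            bool reset_since_rotation, keymaster_error_t* error) const override;

    /**
     * Returns a non-owning pointer to the enforcement object embedded in this context; it is
     * valid only for the lifetime of the context.
     */
    KeymasterEnforcement* enforcement_policy() override {
        // SoftKeymaster does no enforcement; it's all done by Keystore.
        return &soft_keymaster_enforcement_;
    }

    /**
     * Returns a non-owning pointer to the key storage owned by this context.
     * NOTE(review): the result is null if the owning unique_ptr was never populated; the
     * constructor is not visible in this header, so callers should not assume non-null.
     */
    SecureKeyStorage* secure_key_storage() override { return pure_soft_secure_key_storage_.get(); }

    /**
     * Returns a non-owning pointer to the remote provisioning context owned by this context.
     * NOTE(review): same null caveat as secure_key_storage().
     */
    RemoteProvisioningContext* GetRemoteProvisioningContext() const override {
        return pure_soft_remote_provisioning_context_.get();
    }

    keymaster_error_t SetVerifiedBootInfo(std::string_view boot_state,
                                          std::string_view bootloader_state,
                                          const std::vector<uint8_t>& vbmeta_digest) override;

    keymaster_error_t SetVendorPatchlevel(uint32_t vendor_patchlevel) override;

    keymaster_error_t SetBootPatchlevel(uint32_t boot_patchlevel) override;

    /** Returns the stored vendor patchlevel; empty while no value is held. */
    std::optional<uint32_t> GetVendorPatchlevel() const override { return vendor_patchlevel_; }

    /** Returns the stored boot patchlevel; empty while no value is held. */
    std::optional<uint32_t> GetBootPatchlevel() const override { return boot_patchlevel_; }

    /*********************************************************************************************
     * Implement SoftwareKeyBlobMaker
     */
    keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin,
                                    const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob,
                                    AuthorizationSet* hw_enforced,
                                    AuthorizationSet* sw_enforced) const override;

    keymaster_error_t
    UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob,
              const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key,
              AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format,
              KeymasterKeyBlob* wrapped_key_material) const override;

    /*********************************************************************************************
     * Implement AttestationContext
     */

    const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const override;

    /**
     * Returns the level passed to the constructor, unchanged.
     * NOTE(review): presumably this value is what attestation output reports for the context, so
     * a test-only override would misstate key protection if it reached production; confirm in
     * the implementation file.
     */
    keymaster_security_level_t GetSecurityLevel() const override { return security_level_; }

  protected:
    // One factory per supported key algorithm.
    std::unique_ptr<KeyFactory> rsa_factory_;
    std::unique_ptr<KeyFactory> ec_factory_;
    std::unique_ptr<KeyFactory> aes_factory_;
    std::unique_ptr<KeyFactory> tdes_factory_;
    std::unique_ptr<KeyFactory> hmac_factory_;
    // NOTE(review): no in-class initializer; presumably set by the constructor and
    // SetSystemVersion() -- confirm they cannot be read uninitialized.
    uint32_t os_version_;
    uint32_t os_patchlevel_;
    // Boot-state and patchlevel values are optional: empty until a value has been stored.
    std::optional<std::string> bootloader_state_;
    std::optional<std::string> verified_boot_state_;
    std::optional<std::vector<uint8_t>> vbmeta_digest_;
    std::optional<uint32_t> vendor_patchlevel_;
    std::optional<uint32_t> boot_patchlevel_;
    SoftKeymasterEnforcement soft_keymaster_enforcement_;
    // Fixed at construction; see the constructor's test-only caveat.
    const keymaster_security_level_t security_level_;
    std::unique_ptr<SecureKeyStorage> pure_soft_secure_key_storage_;
    std::unique_ptr<PureSoftRemoteProvisioningContext> pure_soft_remote_provisioning_context_;
};

}  // namespace keymaster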