1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 #include "tpm_encrypt_decrypt.h"
17
18 #include <algorithm>
19 #include <cstring>
20 #include <vector>
21
22 #include <android-base/logging.h>
23 #include <tss2/tss2_rc.h>
24
25 namespace cuttlefish {
26
27 using keymaster::KeymasterBlob;
28
TpmEncryptDecrypt(ESYS_CONTEXT * esys,ESYS_TR key_handle,TpmAuth auth,const TPM2B_IV & iv,uint8_t * data_in,uint8_t * data_out,size_t data_size,bool decrypt)29 static bool TpmEncryptDecrypt( //
30 ESYS_CONTEXT* esys, ESYS_TR key_handle, TpmAuth auth, const TPM2B_IV& iv,
31 uint8_t* data_in, uint8_t* data_out, size_t data_size, bool decrypt) {
32 if (iv.size != sizeof(iv.buffer)) {
33 LOG(ERROR) << "Input IV had wrong size: " << iv.size;
34 return false;
35 }
36 // TODO(schuffelen): Pipeline this for performance. Will require reevaluating
37 // the initialization vector logic.
38 std::vector<unsigned char> converted(data_size);
39 // malloc for parity with Esys_EncryptDecrypt2
40 TPM2B_IV* init_vector_in = (TPM2B_IV*) malloc(sizeof(TPM2B_IV));
41 *init_vector_in = iv;
42 for (auto processed = 0; processed < data_size;) {
43 TPM2B_MAX_BUFFER in_data;
44 in_data.size =
45 std::min(data_size - processed, sizeof(in_data.buffer));
46 std::memcpy(in_data.buffer, &data_in[processed], in_data.size);
47 TPM2B_IV* init_vector_out = nullptr;
48 TPM2B_MAX_BUFFER* out_data = nullptr;
49 auto rc = Esys_EncryptDecrypt2(
50 esys,
51 key_handle,
52 auth.auth1(),
53 auth.auth2(),
54 auth.auth3(),
55 &in_data,
56 decrypt ? TPM2_YES : TPM2_NO,
57 TPM2_ALG_NULL,
58 init_vector_in,
59 &out_data,
60 &init_vector_out);
61 if (rc != TPM2_RC_SUCCESS) {
62 LOG(ERROR) << "Esys_EncryptDecrypt2 failed: " << Tss2_RC_Decode(rc)
63 << "(" << rc << ")";
64 Esys_Free(init_vector_in);
65 return false;
66 }
67 CHECK(init_vector_out != nullptr) << "init_vector_out was NULL";
68 CHECK(out_data != nullptr) << "out_data was NULL";
69 CHECK(out_data->size == in_data.size) << "data size mismatch";
70 std::memcpy(&data_out[processed], out_data->buffer, out_data->size);
71 Esys_Free(out_data);
72 Esys_Free(init_vector_in);
73 init_vector_in = init_vector_out;
74 processed += in_data.size;
75 }
76 Esys_Free(init_vector_in);
77 return true;
78 }
79
TpmEncrypt(ESYS_CONTEXT * esys,ESYS_TR key_handle,TpmAuth auth,const TPM2B_IV & iv,uint8_t * data_in,uint8_t * data_out,size_t data_size)80 bool TpmEncrypt(ESYS_CONTEXT* esys, ESYS_TR key_handle, TpmAuth auth,
81 const TPM2B_IV& iv, uint8_t* data_in, uint8_t* data_out,
82 size_t data_size) {
83 return TpmEncryptDecrypt( //
84 esys, key_handle, auth, iv, data_in, data_out, data_size, false);
85 }
86
TpmDecrypt(ESYS_CONTEXT * esys,ESYS_TR key_handle,TpmAuth auth,const TPM2B_IV & iv,uint8_t * data_in,uint8_t * data_out,size_t data_size)87 bool TpmDecrypt(ESYS_CONTEXT* esys, ESYS_TR key_handle, TpmAuth auth,
88 const TPM2B_IV& iv, uint8_t* data_in, uint8_t* data_out,
89 size_t data_size) {
90 return TpmEncryptDecrypt( //
91 esys, key_handle, auth, iv, data_in, data_out, data_size, true);
92 }
93
94 } // namespace cuttlefish
95