1 /*
2
3 * Copyright 2021, The Android Open Source Project
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 #include <trusty_keymaster/TrustyKeyMintDevice.h>
19
20 #define TAG TrustyKeyMintDevice
21 #include <android-base/logging.h>
22
23 #include <keymaster/android_keymaster_messages.h>
24 #include <keymaster/authorization_set.h>
25
26 #include <KeyMintUtils.h>
27
28 #include <trusty_keymaster/TrustyKeyMintOperation.h>
29
30 namespace aidl::android::hardware::security::keymint::trusty {
31
32 using keymaster::KeymasterBlob;
33 using keymaster::KeymasterKeyBlob;
34 using keymaster::TAG_APPLICATION_DATA;
35 using keymaster::TAG_APPLICATION_ID;
36 using keymaster::TAG_AUTH_TOKEN;
37 using km_utils::authToken2AidlVec;
38 using km_utils::kmBlob2vector;
39 using km_utils::kmError2ScopedAStatus;
40 using km_utils::kmParam2Aidl;
41 using km_utils::KmParamSet;
42 using km_utils::kmParamSet2Aidl;
43 using km_utils::legacy_enum_conversion;
44
45 namespace {
46
47 auto kSecurityLevel = SecurityLevel::TRUSTED_ENVIRONMENT;
48
convertAuthSet(SecurityLevel securityLevel,const keymaster::AuthorizationSet & authorizations)49 KeyCharacteristics convertAuthSet(SecurityLevel securityLevel,
50 const keymaster::AuthorizationSet& authorizations) {
51 KeyCharacteristics retval{securityLevel, {}};
52 std::transform(authorizations.begin(), authorizations.end(),
53 std::back_inserter(retval.authorizations), kmParam2Aidl);
54 return retval;
55 }
56
convertKeyCharacteristics(const keymaster::AuthorizationSet & sw_enforced,const keymaster::AuthorizationSet & hw_enforced,bool includeKeystoreEnforced=true)57 vector<KeyCharacteristics> convertKeyCharacteristics(const keymaster::AuthorizationSet& sw_enforced,
58 const keymaster::AuthorizationSet& hw_enforced,
59 bool includeKeystoreEnforced = true) {
60 KeyCharacteristics keyMintEnforced = convertAuthSet(kSecurityLevel, hw_enforced);
61 KeyCharacteristics keystoreEnforced = convertAuthSet(SecurityLevel::KEYSTORE, sw_enforced);
62
63 vector<KeyCharacteristics> retval;
64 retval.reserve(2);
65
66 if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced));
67 if (includeKeystoreEnforced && !keystoreEnforced.authorizations.empty()) {
68 retval.push_back(std::move(keystoreEnforced));
69 }
70
71 return retval;
72 }
73
convertCertificate(const keymaster_blob_t & cert)74 Certificate convertCertificate(const keymaster_blob_t& cert) {
75 return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)};
76 }
77
convertCertificateChain(const keymaster::CertificateChain & chain)78 vector<Certificate> convertCertificateChain(const keymaster::CertificateChain& chain) {
79 vector<Certificate> retval;
80 std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate);
81 return retval;
82 }
83
addClientAndAppData(const vector<uint8_t> & clientId,const vector<uint8_t> & appData,::keymaster::AuthorizationSet * params)84 void addClientAndAppData(const vector<uint8_t>& clientId, const vector<uint8_t>& appData,
85 ::keymaster::AuthorizationSet* params) {
86 params->Clear();
87 if (clientId.size()) params->push_back(TAG_APPLICATION_ID, clientId.data(), clientId.size());
88 if (appData.size()) params->push_back(TAG_APPLICATION_DATA, appData.data(), appData.size());
89 }
90
91 } // namespace
92
getHardwareInfo(KeyMintHardwareInfo * info)93 ScopedAStatus TrustyKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
94 info->versionNumber = 3;
95 info->securityLevel = kSecurityLevel;
96 info->keyMintName = "TrustyKeyMintDevice";
97 info->keyMintAuthorName = "Google";
98 info->timestampTokenRequired = false;
99 return ScopedAStatus::ok();
100 }
101
addRngEntropy(const vector<uint8_t> & data)102 ScopedAStatus TrustyKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
103 if (data.size() == 0) return ScopedAStatus::ok();
104 if (data.size() > 2048) {
105 LOG(DEBUG) << "Too-large entropy update of " << data.size() << " bytes.";
106 return kmError2ScopedAStatus(KM_ERROR_INVALID_INPUT_LENGTH);
107 }
108
109 keymaster::AddEntropyRequest request(impl_->message_version());
110 request.random_data.Reinitialize(data.data(), data.size());
111
112 keymaster::AddEntropyResponse response(impl_->message_version());
113 impl_->AddRngEntropy(request, &response);
114
115 return kmError2ScopedAStatus(response.error);
116 }
117
generateKey(const vector<KeyParameter> & keyParams,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)118 ScopedAStatus TrustyKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
119 const optional<AttestationKey>& attestationKey,
120 KeyCreationResult* creationResult) {
121 keymaster::GenerateKeyRequest request(impl_->message_version());
122 request.key_description.Reinitialize(KmParamSet(keyParams));
123 if (attestationKey) {
124 request.attestation_signing_key_blob =
125 KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
126 request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
127 request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
128 attestationKey->issuerSubjectName.size());
129 }
130
131 keymaster::GenerateKeyResponse response(impl_->message_version());
132 impl_->GenerateKey(request, &response);
133
134 if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error);
135
136 creationResult->keyBlob = kmBlob2vector(response.key_blob);
137 creationResult->keyCharacteristics =
138 convertKeyCharacteristics(response.unenforced, response.enforced);
139 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
140 return ScopedAStatus::ok();
141 }
142
getKeyCharacteristics(const vector<uint8_t> & keyBlob,const vector<uint8_t> & clientId,const vector<uint8_t> & appData,vector<KeyCharacteristics> * characteristics)143 ScopedAStatus TrustyKeyMintDevice::getKeyCharacteristics(
144 const vector<uint8_t>& keyBlob,
145 const vector<uint8_t>& clientId, //
146 const vector<uint8_t>& appData, //
147 vector<KeyCharacteristics>* characteristics) {
148 keymaster::GetKeyCharacteristicsRequest request(impl_->message_version());
149 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
150 addClientAndAppData(clientId, appData, &request.additional_params);
151
152 keymaster::GetKeyCharacteristicsResponse response(impl_->message_version());
153 impl_->GetKeyCharacteristics(request, &response);
154
155 if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error);
156
157 *characteristics = convertKeyCharacteristics(response.unenforced, response.enforced,
158 false /* includeKeystoreEnforced */);
159 return ScopedAStatus::ok();
160 }
161
importKey(const vector<KeyParameter> & keyParams,KeyFormat keyFormat,const vector<uint8_t> & keyData,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)162 ScopedAStatus TrustyKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
163 KeyFormat keyFormat, const vector<uint8_t>& keyData,
164 const optional<AttestationKey>& attestationKey,
165 KeyCreationResult* creationResult) {
166 keymaster::ImportKeyRequest request(impl_->message_version());
167 request.key_description.Reinitialize(KmParamSet(keyParams));
168 request.key_format = legacy_enum_conversion(keyFormat);
169 request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size());
170 if (attestationKey) {
171 request.attestation_signing_key_blob =
172 KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
173 request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
174 request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
175 attestationKey->issuerSubjectName.size());
176 }
177
178 keymaster::ImportKeyResponse response(impl_->message_version());
179 impl_->ImportKey(request, &response);
180
181 if (response.error != KM_ERROR_OK) {
182 return kmError2ScopedAStatus(response.error);
183 }
184
185 creationResult->keyBlob = kmBlob2vector(response.key_blob);
186 creationResult->keyCharacteristics =
187 convertKeyCharacteristics(response.unenforced, response.enforced);
188 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
189
190 return ScopedAStatus::ok();
191 }
192
importWrappedKey(const vector<uint8_t> & wrappedKeyData,const vector<uint8_t> & wrappingKeyBlob,const vector<uint8_t> & maskingKey,const vector<KeyParameter> & unwrappingParams,int64_t passwordSid,int64_t biometricSid,KeyCreationResult * creationResult)193 ScopedAStatus TrustyKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData,
194 const vector<uint8_t>& wrappingKeyBlob, //
195 const vector<uint8_t>& maskingKey,
196 const vector<KeyParameter>& unwrappingParams,
197 int64_t passwordSid, //
198 int64_t biometricSid,
199 KeyCreationResult* creationResult) {
200 keymaster::ImportWrappedKeyRequest request(impl_->message_version());
201 request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
202 request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
203 request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
204 request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
205 request.password_sid = static_cast<uint64_t>(passwordSid);
206 request.biometric_sid = static_cast<uint64_t>(biometricSid);
207
208 keymaster::ImportWrappedKeyResponse response(impl_->message_version());
209 impl_->ImportWrappedKey(request, &response);
210
211 if (response.error != KM_ERROR_OK) {
212 return kmError2ScopedAStatus(response.error);
213 }
214
215 creationResult->keyBlob = kmBlob2vector(response.key_blob);
216 creationResult->keyCharacteristics =
217 convertKeyCharacteristics(response.unenforced, response.enforced);
218 creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
219
220 return ScopedAStatus::ok();
221 }
222
upgradeKey(const vector<uint8_t> & keyBlobToUpgrade,const vector<KeyParameter> & upgradeParams,vector<uint8_t> * keyBlob)223 ScopedAStatus TrustyKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
224 const vector<KeyParameter>& upgradeParams,
225 vector<uint8_t>* keyBlob) {
226 keymaster::UpgradeKeyRequest request(impl_->message_version());
227 request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
228 request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
229
230 keymaster::UpgradeKeyResponse response(impl_->message_version());
231 impl_->UpgradeKey(request, &response);
232
233 if (response.error != KM_ERROR_OK) {
234 return kmError2ScopedAStatus(response.error);
235 }
236
237 *keyBlob = kmBlob2vector(response.upgraded_key);
238 return ScopedAStatus::ok();
239 }
240
deleteKey(const vector<uint8_t> & keyBlob)241 ScopedAStatus TrustyKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
242 keymaster::DeleteKeyRequest request(impl_->message_version());
243 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
244
245 keymaster::DeleteKeyResponse response(impl_->message_version());
246 impl_->DeleteKey(request, &response);
247
248 return kmError2ScopedAStatus(response.error);
249 }
250
deleteAllKeys()251 ScopedAStatus TrustyKeyMintDevice::deleteAllKeys() {
252 // There's nothing to be done to delete software key blobs.
253 keymaster::DeleteAllKeysRequest request(impl_->message_version());
254 keymaster::DeleteAllKeysResponse response(impl_->message_version());
255 impl_->DeleteAllKeys(request, &response);
256
257 return kmError2ScopedAStatus(response.error);
258 }
259
destroyAttestationIds()260 ScopedAStatus TrustyKeyMintDevice::destroyAttestationIds() {
261 keymaster::DestroyAttestationIdsRequest request(impl_->message_version());
262 keymaster::DestroyAttestationIdsResponse response(impl_->message_version());
263 impl_->DestroyAttestationIds(request, &response);
264
265 return kmError2ScopedAStatus(response.error);
266 }
267
begin(KeyPurpose purpose,const vector<uint8_t> & keyBlob,const vector<KeyParameter> & params,const optional<HardwareAuthToken> & authToken,BeginResult * result)268 ScopedAStatus TrustyKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
269 const vector<KeyParameter>& params,
270 const optional<HardwareAuthToken>& authToken,
271 BeginResult* result) {
272 keymaster::BeginOperationRequest request(impl_->message_version());
273 request.purpose = legacy_enum_conversion(purpose);
274 request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
275 request.additional_params.Reinitialize(KmParamSet(params));
276
277 vector<uint8_t> vector_token = authToken2AidlVec(authToken);
278 request.additional_params.push_back(
279 TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size());
280
281 keymaster::BeginOperationResponse response(impl_->message_version());
282 impl_->BeginOperation(request, &response);
283
284 if (response.error != KM_ERROR_OK) {
285 return kmError2ScopedAStatus(response.error);
286 }
287
288 result->params = kmParamSet2Aidl(response.output_params);
289 result->challenge = response.op_handle;
290 result->operation = ndk::SharedRefBase::make<TrustyKeyMintOperation>(impl_, response.op_handle);
291 return ScopedAStatus::ok();
292 }
293
deviceLocked(bool passwordOnly,const std::optional<secureclock::TimeStampToken> & timestampToken)294 ScopedAStatus TrustyKeyMintDevice::deviceLocked(
295 bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) {
296 keymaster::DeviceLockedRequest request(impl_->message_version());
297 request.passwordOnly = passwordOnly;
298 if (timestampToken.has_value()) {
299 request.token.challenge = timestampToken->challenge;
300 request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()};
301 request.token.timestamp = timestampToken->timestamp.milliSeconds;
302 }
303 keymaster::DeviceLockedResponse response = impl_->DeviceLocked(request);
304 return kmError2ScopedAStatus(response.error);
305 }
306
earlyBootEnded()307 ScopedAStatus TrustyKeyMintDevice::earlyBootEnded() {
308 keymaster::EarlyBootEndedResponse response = impl_->EarlyBootEnded();
309 return kmError2ScopedAStatus(response.error);
310 }
311
convertStorageKeyToEphemeral(const vector<uint8_t> & storageKeyBlob,vector<uint8_t> * ephemeralKeyBlob)312 ScopedAStatus TrustyKeyMintDevice::convertStorageKeyToEphemeral(
313 const vector<uint8_t>& storageKeyBlob, vector<uint8_t>* ephemeralKeyBlob) {
314 keymaster::ExportKeyRequest request(impl_->message_version());
315 request.SetKeyMaterial(storageKeyBlob.data(), storageKeyBlob.size());
316 request.key_format = KM_KEY_FORMAT_RAW;
317
318 keymaster::ExportKeyResponse response(impl_->message_version());
319 impl_->ExportKey(request, &response);
320
321 if (response.error != KM_ERROR_OK) return kmError2ScopedAStatus(response.error);
322 if (response.key_data) {
323 *ephemeralKeyBlob = {response.key_data, response.key_data + response.key_data_length};
324 }
325 return ScopedAStatus::ok();
326 }
327
getRootOfTrustChallenge(array<uint8_t,16> *)328 ScopedAStatus TrustyKeyMintDevice::getRootOfTrustChallenge(array<uint8_t, 16>* /* challenge */) {
329 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
330 }
331
getRootOfTrust(const array<uint8_t,16> & challenge,vector<uint8_t> * rootOfTrust)332 ScopedAStatus TrustyKeyMintDevice::getRootOfTrust(const array<uint8_t, 16>& challenge,
333 vector<uint8_t>* rootOfTrust) {
334 if (!rootOfTrust) {
335 return kmError2ScopedAStatus(KM_ERROR_UNEXPECTED_NULL_POINTER);
336 }
337 keymaster::GetRootOfTrustRequest request(impl_->message_version(),
338 {challenge.begin(), challenge.end()});
339 keymaster::GetRootOfTrustResponse response = impl_->GetRootOfTrust(request);
340 if (response.error != KM_ERROR_OK) {
341 return kmError2ScopedAStatus(response.error);
342 }
343
344 *rootOfTrust = std::move(response.rootOfTrust);
345 return ScopedAStatus::ok();
346 }
347
sendRootOfTrust(const vector<uint8_t> &)348 ScopedAStatus TrustyKeyMintDevice::sendRootOfTrust(const vector<uint8_t>& /* rootOfTrust */) {
349 return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
350 }
351
352 } // namespace aidl::android::hardware::security::keymint::trusty
353