1 /* 2 ** Copyright 2018, The Android Open Source Project 3 ** 4 ** Licensed under the Apache License, Version 2.0 (the "License"); 5 ** you may not use this file except in compliance with the License. 6 ** You may obtain a copy of the License at 7 ** 8 ** http://www.apache.org/licenses/LICENSE-2.0 9 ** 10 ** Unless required by applicable law or agreed to in writing, software 11 ** distributed under the License is distributed on an "AS IS" BASIS, 12 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 ** See the License for the specific language governing permissions and 14 ** limitations under the License. 15 */ 16 17 #include <keymasterV4_0/Keymaster.h> 18 19 #include <iomanip> 20 21 #include <android-base/logging.h> 22 #include <android/hidl/manager/1.0/IServiceManager.h> 23 #include <keymasterV4_0/Keymaster3.h> 24 #include <keymasterV4_0/Keymaster4.h> 25 #include <keymasterV4_0/key_param_output.h> 26 #include <keymasterV4_0/keymaster_utils.h> 27 28 namespace android { 29 namespace hardware { 30 31 template <class T> 32 std::ostream& operator<<(std::ostream& os, const hidl_vec<T>& vec) { 33 os << "{ "; 34 if (vec.size()) { 35 for (size_t i = 0; i < vec.size() - 1; ++i) os << vec[i] << ", "; 36 os << vec[vec.size() - 1]; 37 } 38 os << " }"; 39 return os; 40 } 41 42 std::ostream& operator<<(std::ostream& os, const hidl_vec<uint8_t>& vec) { 43 std::ios_base::fmtflags flags(os.flags()); 44 os << std::setw(2) << std::setfill('0') << std::hex; 45 for (uint8_t c : vec) os << static_cast<int>(c); 46 os.flags(flags); 47 return os; 48 } 49 50 template <size_t N> 51 std::ostream& operator<<(std::ostream& os, const hidl_array<uint8_t, N>& vec) { 52 std::ios_base::fmtflags flags(os.flags()); 53 os << std::setw(2) << std::setfill('0') << std::hex; 54 for (size_t i = 0; i < N; ++i) os << static_cast<int>(vec[i]); 55 os.flags(flags); 56 return os; 57 } 58 59 namespace keymaster { 60 namespace V4_0 { 61 62 std::ostream& operator<<(std::ostream& os, const HmacSharingParameters& params) { 63 // Note that by design, although seed and nonce are used to compute a secret, they are 64 // not secrets and it's just fine to log them. 65 os << "(seed: " << params.seed << ", nonce: " << params.nonce << ')'; 66 return os; 67 } 68 69 namespace support { 70 71 using ::android::sp; 72 using ::android::hidl::manager::V1_0::IServiceManager; 73 74 std::ostream& operator<<(std::ostream& os, const Keymaster& keymaster) { 75 auto& version = keymaster.halVersion(); 76 os << version.keymasterName << " from " << version.authorName 77 << " SecurityLevel: " << toString(version.securityLevel) 78 << " HAL: " << keymaster.descriptor() << "/" << keymaster.instanceName(); 79 return os; 80 } 81 82 template <typename Wrapper> 83 std::vector<std::unique_ptr<Keymaster>> enumerateDevices( 84 const sp<IServiceManager>& serviceManager) { 85 Keymaster::KeymasterSet result; 86 87 bool foundDefault = false; 88 auto& descriptor = Wrapper::WrappedIKeymasterDevice::descriptor; 89 serviceManager->listByInterface(descriptor, [&](const hidl_vec<hidl_string>& names) { 90 for (auto& name : names) { 91 if (name == "default") foundDefault = true; 92 auto device = Wrapper::WrappedIKeymasterDevice::getService(name); 93 CHECK(device) << "Failed to get service for " << descriptor << " with interface name " 94 << name; 95 result.push_back(std::unique_ptr<Keymaster>(new Wrapper(device, name))); 96 } 97 }); 98 99 if (!foundDefault) { 100 // "default" wasn't provided by listByInterface. Maybe there's a passthrough 101 // implementation. 102 auto device = Wrapper::WrappedIKeymasterDevice::getService("default"); 103 if (device) result.push_back(std::unique_ptr<Keymaster>(new Wrapper(device, "default"))); 104 } 105 106 return result; 107 } 108 109 void Keymaster::logIfKeymasterVendorError(ErrorCode ec) const { 110 static constexpr int32_t k_keymaster_vendor_error_code_range_max = -10000; 111 if (static_cast<int32_t>(ec) <= k_keymaster_vendor_error_code_range_max) { 112 const auto& versionInfo = halVersion(); 113 LOG(ERROR) << "Keymaster reported error: " << static_cast<int32_t>(ec) << "\n" 114 << "NOTE: This is an error in the vendor specific error range.\n" 115 << " Refer to the vendor of the implementation for details.\n" 116 << " Implementation name: " << versionInfo.keymasterName << "\n" 117 << " Vendor name: " << versionInfo.authorName << "\n" 118 << " MajorVersion: " << versionInfo.majorVersion; 119 } 120 } 121 122 Keymaster::KeymasterSet Keymaster::enumerateAvailableDevices() { 123 auto serviceManager = IServiceManager::getService(); 124 CHECK(serviceManager) << "Could not retrieve ServiceManager"; 125 126 auto km4s = enumerateDevices<Keymaster4>(serviceManager); 127 auto km3s = enumerateDevices<Keymaster3>(serviceManager); 128 129 auto result = std::move(km4s); 130 result.insert(result.end(), std::make_move_iterator(km3s.begin()), 131 std::make_move_iterator(km3s.end())); 132 133 std::sort(result.begin(), result.end(), 134 [](auto& a, auto& b) { return a->halVersion() > b->halVersion(); }); 135 136 size_t i = 1; 137 LOG(INFO) << "List of Keymaster HALs found:"; 138 for (auto& hal : result) LOG(INFO) << "Keymaster HAL #" << i++ << ": " << *hal; 139 140 return result; 141 } 142 143 static hidl_vec<HmacSharingParameters> getHmacParameters( 144 const Keymaster::KeymasterSet& keymasters) { 145 std::vector<HmacSharingParameters> params_vec; 146 params_vec.reserve(keymasters.size()); 147 for (auto& keymaster : keymasters) { 148 if (keymaster->halVersion().majorVersion < 4) continue; 149 auto rc = keymaster->getHmacSharingParameters([&](auto error, auto& params) { 150 CHECK(error == ErrorCode::OK) 151 << "Failed to get HMAC parameters from " << *keymaster << " error " << error; 152 params_vec.push_back(params); 153 }); 154 CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster 155 << " error: " << rc.description(); 156 } 157 std::sort(params_vec.begin(), params_vec.end()); 158 159 return params_vec; 160 } 161 162 static void computeHmac(const Keymaster::KeymasterSet& keymasters, 163 const hidl_vec<HmacSharingParameters>& params) { 164 if (!params.size()) return; 165 166 hidl_vec<uint8_t> sharingCheck; 167 bool firstKeymaster = true; 168 LOG(DEBUG) << "Computing HMAC with params " << params; 169 for (auto& keymaster : keymasters) { 170 if (keymaster->halVersion().majorVersion < 4) continue; 171 LOG(DEBUG) << "Computing HMAC for " << *keymaster; 172 auto rc = keymaster->computeSharedHmac( 173 params, [&](ErrorCode error, const hidl_vec<uint8_t>& curSharingCheck) { 174 CHECK(error == ErrorCode::OK) 175 << "Failed to get HMAC parameters from " << *keymaster << " error " << error; 176 if (firstKeymaster) { 177 sharingCheck = curSharingCheck; 178 firstKeymaster = false; 179 } 180 if (curSharingCheck != sharingCheck) 181 LOG(WARNING) << "HMAC computation failed for " << *keymaster // 182 << " Expected: " << sharingCheck // 183 << " got: " << curSharingCheck; 184 }); 185 CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster 186 << " error: " << rc.description(); 187 } 188 } 189 190 void Keymaster::performHmacKeyAgreement(const KeymasterSet& keymasters) { 191 computeHmac(keymasters, getHmacParameters(keymasters)); 192 } 193 194 } // namespace support 195 } // namespace V4_0 196 } // namespace keymaster 197 } // namespace hardware 198 } // namespace android 199
