1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef SYSTEM_KEYMASTER_SOFT_KEYMASTER_DEVICE_H_ 18 #define SYSTEM_KEYMASTER_SOFT_KEYMASTER_DEVICE_H_ 19 20 #include <cstdlib> 21 #include <map> 22 #include <vector> 23 24 #include <hardware/keymaster0.h> 25 #include <hardware/keymaster1.h> 26 #include <hardware/keymaster2.h> 27 28 #include <keymaster/android_keymaster.h> 29 #include <keymaster/soft_keymaster_context.h> 30 31 #include <UniquePtr.h> 32 33 namespace keymaster { 34 35 class AuthorizationSet; 36 37 /** 38 * Keymaster1 device implementation. 39 * 40 * This is a hybrid software/hardware implementation which wraps a keymaster0_device_t, forwarding 41 * RSA operations to secure hardware and doing everything else in software. 42 * 43 * IMPORTANT MAINTAINER NOTE: Pointers to instances of this class must be castable to hw_device_t 44 * and keymaster_device. This means it must remain a standard layout class (no virtual functions and 45 * no data members which aren't standard layout), and device_ must be the first data member. 46 * Assertions in the constructor validate compliance with those constraints. 47 */ 48 class SoftKeymasterDevice { 49 public: 50 SoftKeymasterDevice(); 51 52 explicit SoftKeymasterDevice(SoftKeymasterContext* context); 53 54 /** 55 * Set SoftKeymasterDevice to wrap the speicified HW keymaster0 device. Takes ownership of the 56 * specified device (will call keymaster0_device->common.close()); 57 */ 58 keymaster_error_t SetHardwareDevice(keymaster0_device_t* keymaster0_device); 59 60 /** 61 * Set SoftKeymasterDevice to wrap specified HW keymaster1 device. Takes ownership of the 62 * specified device (will call keymaster1_device->common.close()); 63 */ 64 keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device); 65 66 /** 67 * Returns true if a keymaster1_device_t has been set as the hardware device, and if that 68 * hardware device should be used directly. 69 */ 70 bool Keymaster1DeviceIsGood(); 71 72 hw_device_t* hw_device(); 73 keymaster1_device_t* keymaster_device(); 74 keymaster2_device_t* keymaster2_device(); 75 76 // Public only for testing 77 void GetVersion(const GetVersionRequest& req, GetVersionResponse* rsp) { 78 impl_->GetVersion(req, rsp); 79 } 80 81 bool configured() const { return configured_; } 82 83 bool supports_all_digests() { return supports_all_digests_; } 84 85 typedef std::pair<keymaster_algorithm_t, keymaster_purpose_t> AlgPurposePair; 86 typedef std::map<AlgPurposePair, std::vector<keymaster_digest_t>> DigestMap; 87 88 private: 89 void initialize_device_struct(uint32_t flags); 90 bool FindUnsupportedDigest(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose, 91 const AuthorizationSet& params, 92 keymaster_digest_t* unsupported) const; 93 bool RequiresSoftwareDigesting(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose, 94 const AuthorizationSet& params) const; 95 bool KeyRequiresSoftwareDigesting(const AuthorizationSet& key_description) const; 96 97 static void StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm, 98 AuthorizationSet* auth_set); 99 static keymaster_error_t GetPkcs8KeyAlgorithm(const uint8_t* key, size_t key_length, 100 keymaster_algorithm_t* algorithm); 101 102 static int close_device(hw_device_t* dev); 103 104 /* 105 * These static methods are the functions referenced through the function pointers in 106 * keymaster_device. 107 */ 108 109 // Keymaster1 methods -- needed for testing. 110 static keymaster_error_t get_supported_algorithms(const keymaster1_device_t* dev, 111 keymaster_algorithm_t** algorithms, 112 size_t* algorithms_length); 113 static keymaster_error_t get_supported_block_modes(const keymaster1_device_t* dev, 114 keymaster_algorithm_t algorithm, 115 keymaster_purpose_t purpose, 116 keymaster_block_mode_t** modes, 117 size_t* modes_length); 118 static keymaster_error_t get_supported_padding_modes(const keymaster1_device_t* dev, 119 keymaster_algorithm_t algorithm, 120 keymaster_purpose_t purpose, 121 keymaster_padding_t** modes, 122 size_t* modes_length); 123 static keymaster_error_t get_supported_digests(const keymaster1_device_t* dev, 124 keymaster_algorithm_t algorithm, 125 keymaster_purpose_t purpose, 126 keymaster_digest_t** digests, 127 size_t* digests_length); 128 static keymaster_error_t get_supported_import_formats(const keymaster1_device_t* dev, 129 keymaster_algorithm_t algorithm, 130 keymaster_key_format_t** formats, 131 size_t* formats_length); 132 static keymaster_error_t get_supported_export_formats(const keymaster1_device_t* dev, 133 keymaster_algorithm_t algorithm, 134 keymaster_key_format_t** formats, 135 size_t* formats_length); 136 static keymaster_error_t add_rng_entropy(const keymaster1_device_t* dev, const uint8_t* data, 137 size_t data_length); 138 static keymaster_error_t generate_key(const keymaster1_device_t* dev, 139 const keymaster_key_param_set_t* params, 140 keymaster_key_blob_t* key_blob, 141 keymaster_key_characteristics_t** characteristics); 142 static keymaster_error_t get_key_characteristics(const keymaster1_device_t* dev, 143 const keymaster_key_blob_t* key_blob, 144 const keymaster_blob_t* client_id, 145 const keymaster_blob_t* app_data, 146 keymaster_key_characteristics_t** character); 147 static keymaster_error_t import_key(const keymaster1_device_t* dev, // 148 const keymaster_key_param_set_t* params, 149 keymaster_key_format_t key_format, 150 const keymaster_blob_t* key_data, 151 keymaster_key_blob_t* key_blob, 152 keymaster_key_characteristics_t** characteristics); 153 static keymaster_error_t export_key(const keymaster1_device_t* dev, // 154 keymaster_key_format_t export_format, 155 const keymaster_key_blob_t* key_to_export, 156 const keymaster_blob_t* client_id, 157 const keymaster_blob_t* app_data, 158 keymaster_blob_t* export_data); 159 static keymaster_error_t delete_key(const keymaster1_device_t* dev, 160 const keymaster_key_blob_t* key); 161 static keymaster_error_t delete_all_keys(const keymaster1_device_t* dev); 162 static keymaster_error_t begin(const keymaster1_device_t* dev, keymaster_purpose_t purpose, 163 const keymaster_key_blob_t* key, 164 const keymaster_key_param_set_t* in_params, 165 keymaster_key_param_set_t* out_params, 166 keymaster_operation_handle_t* operation_handle); 167 static keymaster_error_t update(const keymaster1_device_t* dev, // 168 keymaster_operation_handle_t operation_handle, 169 const keymaster_key_param_set_t* in_params, 170 const keymaster_blob_t* input, size_t* input_consumed, 171 keymaster_key_param_set_t* out_params, 172 keymaster_blob_t* output); 173 static keymaster_error_t finish(const keymaster1_device_t* dev, // 174 keymaster_operation_handle_t operation_handle, 175 const keymaster_key_param_set_t* in_params, 176 const keymaster_blob_t* signature, 177 keymaster_key_param_set_t* out_params, 178 keymaster_blob_t* output); 179 static keymaster_error_t abort(const keymaster1_device_t* dev, 180 keymaster_operation_handle_t operation_handle); 181 182 // Keymaster2 methods 183 static keymaster_error_t configure(const keymaster2_device_t* dev, 184 const keymaster_key_param_set_t* params); 185 static keymaster_error_t add_rng_entropy(const keymaster2_device_t* dev, const uint8_t* data, 186 size_t data_length); 187 static keymaster_error_t generate_key(const keymaster2_device_t* dev, 188 const keymaster_key_param_set_t* params, 189 keymaster_key_blob_t* key_blob, 190 keymaster_key_characteristics_t* characteristics); 191 static keymaster_error_t get_key_characteristics(const keymaster2_device_t* dev, 192 const keymaster_key_blob_t* key_blob, 193 const keymaster_blob_t* client_id, 194 const keymaster_blob_t* app_data, 195 keymaster_key_characteristics_t* character); 196 static keymaster_error_t import_key(const keymaster2_device_t* dev, // 197 const keymaster_key_param_set_t* params, 198 keymaster_key_format_t key_format, 199 const keymaster_blob_t* key_data, 200 keymaster_key_blob_t* key_blob, 201 keymaster_key_characteristics_t* characteristics); 202 static keymaster_error_t export_key(const keymaster2_device_t* dev, // 203 keymaster_key_format_t export_format, 204 const keymaster_key_blob_t* key_to_export, 205 const keymaster_blob_t* client_id, 206 const keymaster_blob_t* app_data, 207 keymaster_blob_t* export_data); 208 static keymaster_error_t attest_key(const keymaster2_device_t* dev, 209 const keymaster_key_blob_t* key_to_attest, 210 const keymaster_key_param_set_t* attest_params, 211 keymaster_cert_chain_t* cert_chain); 212 static keymaster_error_t upgrade_key(const keymaster2_device_t* dev, 213 const keymaster_key_blob_t* key_to_upgrade, 214 const keymaster_key_param_set_t* upgrade_params, 215 keymaster_key_blob_t* upgraded_key); 216 static keymaster_error_t delete_key(const keymaster2_device_t* dev, 217 const keymaster_key_blob_t* key); 218 static keymaster_error_t delete_all_keys(const keymaster2_device_t* dev); 219 static keymaster_error_t begin(const keymaster2_device_t* dev, keymaster_purpose_t purpose, 220 const keymaster_key_blob_t* key, 221 const keymaster_key_param_set_t* in_params, 222 keymaster_key_param_set_t* out_params, 223 keymaster_operation_handle_t* operation_handle); 224 static keymaster_error_t update(const keymaster2_device_t* dev, // 225 keymaster_operation_handle_t operation_handle, 226 const keymaster_key_param_set_t* in_params, 227 const keymaster_blob_t* input, size_t* input_consumed, 228 keymaster_key_param_set_t* out_params, 229 keymaster_blob_t* output); 230 static keymaster_error_t finish(const keymaster2_device_t* dev, // 231 keymaster_operation_handle_t operation_handle, 232 const keymaster_key_param_set_t* in_params, 233 const keymaster_blob_t* input, 234 const keymaster_blob_t* signature, 235 keymaster_key_param_set_t* out_params, 236 keymaster_blob_t* output); 237 static keymaster_error_t abort(const keymaster2_device_t* dev, 238 keymaster_operation_handle_t operation_handle); 239 240 keymaster1_device_t km1_device_; 241 keymaster2_device_t km2_device_; 242 243 keymaster0_device_t* wrapped_km0_device_; 244 keymaster1_device_t* wrapped_km1_device_; 245 DigestMap km1_device_digests_; 246 SoftKeymasterContext* context_; 247 UniquePtr<AndroidKeymaster> impl_; 248 std::string module_name_; 249 hw_module_t updated_module_; 250 bool configured_; 251 bool supports_all_digests_; 252 }; 253 254 } // namespace keymaster 255 256 #endif // EXTERNAL_KEYMASTER_TRUSTY_KEYMASTER_DEVICE_H_ 257
