1 /* 2 ** 3 ** Copyright 2016, The Android Open Source Project 4 ** 5 ** Licensed under the Apache License, Version 2.0 (the "License"); 6 ** you may not use this file except in compliance with the License. 7 ** You may obtain a copy of the License at 8 ** 9 ** http://www.apache.org/licenses/LICENSE-2.0 10 ** 11 ** Unless required by applicable law or agreed to in writing, software 12 ** distributed under the License is distributed on an "AS IS" BASIS, 13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 14 ** See the License for the specific language governing permissions and 15 ** limitations under the License. 16 */ 17 18 #define LOG_TAG "android.hardware.keymaster (at) 3.0-impl" 19 20 #include "KeymasterDevice.h" 21 22 #include <cutils/log.h> 23 24 #include <hardware/keymaster_defs.h> 25 #include <keymaster/keymaster_configuration.h> 26 #include <keymaster/soft_keymaster_device.h> 27 28 namespace android { 29 namespace hardware { 30 namespace keymaster { 31 namespace V3_0 { 32 namespace implementation { 33 34 using ::keymaster::SoftKeymasterDevice; 35 36 class SoftwareOnlyHidlKeymasterEnforcement : public ::keymaster::KeymasterEnforcement { 37 public: 38 SoftwareOnlyHidlKeymasterEnforcement() : KeymasterEnforcement(64, 64) {} 39 40 uint32_t get_current_time() const override { 41 struct timespec tp; 42 int err = clock_gettime(CLOCK_MONOTONIC, &tp); 43 if (err || tp.tv_sec < 0) return 0; 44 return static_cast<uint32_t>(tp.tv_sec); 45 } 46 47 bool activation_date_valid(uint64_t) const override { return true; } 48 bool expiration_date_passed(uint64_t) const override { return false; } 49 bool auth_token_timed_out(const hw_auth_token_t&, uint32_t) const override { return false; } 50 bool ValidateTokenSignature(const hw_auth_token_t&) const override { return true; } 51 }; 52 53 class SoftwareOnlyHidlKeymasterContext : public ::keymaster::SoftKeymasterContext { 54 public: 55 SoftwareOnlyHidlKeymasterContext() : enforcement_(new SoftwareOnlyHidlKeymasterEnforcement) {} 56 57 ::keymaster::KeymasterEnforcement* enforcement_policy() override { return enforcement_.get(); } 58 59 private: 60 std::unique_ptr<::keymaster::KeymasterEnforcement> enforcement_; 61 }; 62 63 static int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { 64 assert(mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0); 65 ALOGI("Found keymaster0 module %s, version %x", mod->name, mod->module_api_version); 66 67 std::unique_ptr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice); 68 keymaster0_device_t* km0_device = NULL; 69 keymaster_error_t error = KM_ERROR_OK; 70 71 int rc = keymaster0_open(mod, &km0_device); 72 if (rc) { 73 ALOGE("Error opening keystore keymaster0 device."); 74 goto err; 75 } 76 77 if (km0_device->flags & KEYMASTER_SOFTWARE_ONLY) { 78 ALOGI("Keymaster0 module is software-only. Using SoftKeymasterDevice instead."); 79 km0_device->common.close(&km0_device->common); 80 km0_device = NULL; 81 // SoftKeymasterDevice will be deleted by keymaster_device_release() 82 *dev = soft_keymaster.release()->keymaster2_device(); 83 return 0; 84 } 85 86 ALOGD("Wrapping keymaster0 module %s with SoftKeymasterDevice", mod->name); 87 error = soft_keymaster->SetHardwareDevice(km0_device); 88 km0_device = NULL; // SoftKeymasterDevice has taken ownership. 89 if (error != KM_ERROR_OK) { 90 ALOGE("Got error %d from SetHardwareDevice", error); 91 rc = error; 92 goto err; 93 } 94 95 // SoftKeymasterDevice will be deleted by keymaster_device_release() 96 *dev = soft_keymaster.release()->keymaster2_device(); 97 return 0; 98 99 err: 100 if (km0_device) km0_device->common.close(&km0_device->common); 101 *dev = NULL; 102 return rc; 103 } 104 105 static int keymaster1_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev, 106 bool* supports_all_digests) { 107 assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_1_0); 108 ALOGI("Found keymaster1 module %s, version %x", mod->name, mod->module_api_version); 109 110 std::unique_ptr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice); 111 keymaster1_device_t* km1_device = nullptr; 112 keymaster_error_t error = KM_ERROR_OK; 113 114 int rc = keymaster1_open(mod, &km1_device); 115 if (rc) { 116 ALOGE("Error %d opening keystore keymaster1 device", rc); 117 goto err; 118 } 119 120 ALOGD("Wrapping keymaster1 module %s with SofKeymasterDevice", mod->name); 121 error = soft_keymaster->SetHardwareDevice(km1_device); 122 km1_device = nullptr; // SoftKeymasterDevice has taken ownership. 123 if (error != KM_ERROR_OK) { 124 ALOGE("Got error %d from SetHardwareDevice", error); 125 rc = error; 126 goto err; 127 } 128 129 // SoftKeymasterDevice will be deleted by keymaster_device_release() 130 *supports_all_digests = soft_keymaster->supports_all_digests(); 131 *dev = soft_keymaster.release()->keymaster2_device(); 132 return 0; 133 134 err: 135 if (km1_device) km1_device->common.close(&km1_device->common); 136 *dev = NULL; 137 return rc; 138 } 139 140 static int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { 141 assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0); 142 ALOGI("Found keymaster2 module %s, version %x", mod->name, mod->module_api_version); 143 144 keymaster2_device_t* km2_device = nullptr; 145 146 int rc = keymaster2_open(mod, &km2_device); 147 if (rc) { 148 ALOGE("Error %d opening keystore keymaster2 device", rc); 149 goto err; 150 } 151 152 *dev = km2_device; 153 return 0; 154 155 err: 156 if (km2_device) km2_device->common.close(&km2_device->common); 157 *dev = nullptr; 158 return rc; 159 } 160 161 static int keymaster_device_initialize(keymaster2_device_t** dev, uint32_t* version, 162 bool* supports_ec, bool* supports_all_digests) { 163 const hw_module_t* mod; 164 165 *supports_ec = true; 166 167 int rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 168 if (rc) { 169 ALOGI("Could not find any keystore module, using software-only implementation."); 170 // SoftKeymasterDevice will be deleted by keymaster_device_release() 171 *dev = (new SoftKeymasterDevice(new SoftwareOnlyHidlKeymasterContext))->keymaster2_device(); 172 *version = -1; 173 return 0; 174 } 175 176 if (mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0) { 177 *version = 0; 178 *supports_all_digests = false; 179 int rc = keymaster0_device_initialize(mod, dev); 180 if (rc == 0 && ((*dev)->flags & KEYMASTER_SUPPORTS_EC) == 0) { 181 *supports_ec = false; 182 } 183 return rc; 184 } else if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { 185 *version = 1; 186 return keymaster1_device_initialize(mod, dev, supports_all_digests); 187 } else { 188 *version = 2; 189 *supports_all_digests = true; 190 return keymaster2_device_initialize(mod, dev); 191 } 192 } 193 194 KeymasterDevice::~KeymasterDevice() { 195 if (keymaster_device_) keymaster_device_->common.close(&keymaster_device_->common); 196 } 197 198 static inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) { 199 return keymaster_tag_get_type(tag); 200 } 201 202 /** 203 * legacy_enum_conversion converts enums from hidl to keymaster and back. Currently, this is just a 204 * cast to make the compiler happy. One of two thigs should happen though: 205 * TODO The keymaster enums should become aliases for the hidl generated enums so that we have a 206 * single point of truth. Then this cast function can go away. 207 */ 208 inline static keymaster_tag_t legacy_enum_conversion(const Tag value) { 209 return keymaster_tag_t(value); 210 } 211 inline static Tag legacy_enum_conversion(const keymaster_tag_t value) { 212 return Tag(value); 213 } 214 inline static keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) { 215 return keymaster_purpose_t(value); 216 } 217 inline static keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) { 218 return keymaster_key_format_t(value); 219 } 220 inline static ErrorCode legacy_enum_conversion(const keymaster_error_t value) { 221 return ErrorCode(value); 222 } 223 224 class KmParamSet : public keymaster_key_param_set_t { 225 public: 226 KmParamSet(const hidl_vec<KeyParameter>& keyParams) { 227 params = new keymaster_key_param_t[keyParams.size()]; 228 length = keyParams.size(); 229 for (size_t i = 0; i < keyParams.size(); ++i) { 230 auto tag = legacy_enum_conversion(keyParams[i].tag); 231 switch (typeFromTag(tag)) { 232 case KM_ENUM: 233 case KM_ENUM_REP: 234 params[i] = keymaster_param_enum(tag, keyParams[i].f.integer); 235 break; 236 case KM_UINT: 237 case KM_UINT_REP: 238 params[i] = keymaster_param_int(tag, keyParams[i].f.integer); 239 break; 240 case KM_ULONG: 241 case KM_ULONG_REP: 242 params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger); 243 break; 244 case KM_DATE: 245 params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime); 246 break; 247 case KM_BOOL: 248 if (keyParams[i].f.boolValue) 249 params[i] = keymaster_param_bool(tag); 250 else 251 params[i].tag = KM_TAG_INVALID; 252 break; 253 case KM_BIGNUM: 254 case KM_BYTES: 255 params[i] = 256 keymaster_param_blob(tag, &keyParams[i].blob[0], keyParams[i].blob.size()); 257 break; 258 case KM_INVALID: 259 default: 260 params[i].tag = KM_TAG_INVALID; 261 /* just skip */ 262 break; 263 } 264 } 265 } 266 KmParamSet(KmParamSet&& other) : keymaster_key_param_set_t{other.params, other.length} { 267 other.length = 0; 268 other.params = nullptr; 269 } 270 KmParamSet(const KmParamSet&) = delete; 271 ~KmParamSet() { delete[] params; } 272 }; 273 274 inline static KmParamSet hidlParams2KmParamSet(const hidl_vec<KeyParameter>& params) { 275 return KmParamSet(params); 276 } 277 278 inline static keymaster_blob_t hidlVec2KmBlob(const hidl_vec<uint8_t>& blob) { 279 /* hidl unmarshals funny pointers if the the blob is empty */ 280 if (blob.size()) return {&blob[0], blob.size()}; 281 return {nullptr, 0}; 282 } 283 284 inline static keymaster_key_blob_t hidlVec2KmKeyBlob(const hidl_vec<uint8_t>& blob) { 285 /* hidl unmarshals funny pointers if the the blob is empty */ 286 if (blob.size()) return {&blob[0], blob.size()}; 287 return {nullptr, 0}; 288 } 289 290 inline static hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_key_blob_t& blob) { 291 hidl_vec<uint8_t> result; 292 result.setToExternal(const_cast<unsigned char*>(blob.key_material), blob.key_material_size); 293 return result; 294 } 295 inline static hidl_vec<uint8_t> kmBlob2hidlVec(const keymaster_blob_t& blob) { 296 hidl_vec<uint8_t> result; 297 result.setToExternal(const_cast<unsigned char*>(blob.data), blob.data_length); 298 return result; 299 } 300 301 inline static hidl_vec<hidl_vec<uint8_t>> 302 kmCertChain2Hidl(const keymaster_cert_chain_t* cert_chain) { 303 hidl_vec<hidl_vec<uint8_t>> result; 304 if (!cert_chain || cert_chain->entry_count == 0 || !cert_chain->entries) return result; 305 306 result.resize(cert_chain->entry_count); 307 for (size_t i = 0; i < cert_chain->entry_count; ++i) { 308 auto& entry = cert_chain->entries[i]; 309 result[i] = kmBlob2hidlVec(entry); 310 } 311 312 return result; 313 } 314 315 static inline hidl_vec<KeyParameter> kmParamSet2Hidl(const keymaster_key_param_set_t& set) { 316 hidl_vec<KeyParameter> result; 317 if (set.length == 0 || set.params == nullptr) return result; 318 319 result.resize(set.length); 320 keymaster_key_param_t* params = set.params; 321 for (size_t i = 0; i < set.length; ++i) { 322 auto tag = params[i].tag; 323 result[i].tag = legacy_enum_conversion(tag); 324 switch (typeFromTag(tag)) { 325 case KM_ENUM: 326 case KM_ENUM_REP: 327 result[i].f.integer = params[i].enumerated; 328 break; 329 case KM_UINT: 330 case KM_UINT_REP: 331 result[i].f.integer = params[i].integer; 332 break; 333 case KM_ULONG: 334 case KM_ULONG_REP: 335 result[i].f.longInteger = params[i].long_integer; 336 break; 337 case KM_DATE: 338 result[i].f.dateTime = params[i].date_time; 339 break; 340 case KM_BOOL: 341 result[i].f.boolValue = params[i].boolean; 342 break; 343 case KM_BIGNUM: 344 case KM_BYTES: 345 result[i].blob.setToExternal(const_cast<unsigned char*>(params[i].blob.data), 346 params[i].blob.data_length); 347 break; 348 case KM_INVALID: 349 default: 350 params[i].tag = KM_TAG_INVALID; 351 /* just skip */ 352 break; 353 } 354 } 355 return result; 356 } 357 358 // Methods from ::android::hardware::keymaster::V3_0::IKeymasterDevice follow. 359 Return<void> KeymasterDevice::getHardwareFeatures(getHardwareFeatures_cb _hidl_cb) { 360 bool is_secure = !(keymaster_device_->flags & KEYMASTER_SOFTWARE_ONLY); 361 bool supports_symmetric_cryptography = false; 362 bool supports_attestation = false; 363 364 switch (hardware_version_) { 365 case 2: 366 supports_attestation = true; 367 /* Falls through */ 368 case 1: 369 supports_symmetric_cryptography = true; 370 break; 371 }; 372 373 _hidl_cb(is_secure, hardware_supports_ec_, supports_symmetric_cryptography, 374 supports_attestation, hardware_supports_all_digests_, 375 keymaster_device_->common.module->name, keymaster_device_->common.module->author); 376 return Void(); 377 } 378 379 Return<ErrorCode> KeymasterDevice::addRngEntropy(const hidl_vec<uint8_t>& data) { 380 if (!data.size()) return ErrorCode::OK; 381 return legacy_enum_conversion( 382 keymaster_device_->add_rng_entropy(keymaster_device_, &data[0], data.size())); 383 } 384 385 Return<void> KeymasterDevice::generateKey(const hidl_vec<KeyParameter>& keyParams, 386 generateKey_cb _hidl_cb) { 387 // result variables for the wire 388 KeyCharacteristics resultCharacteristics; 389 hidl_vec<uint8_t> resultKeyBlob; 390 391 // result variables the backend understands 392 keymaster_key_blob_t key_blob{nullptr, 0}; 393 keymaster_key_characteristics_t key_characteristics{{nullptr, 0}, {nullptr, 0}}; 394 395 // convert the parameter set to something our backend understands 396 auto kmParams = hidlParams2KmParamSet(keyParams); 397 398 auto rc = keymaster_device_->generate_key(keymaster_device_, &kmParams, &key_blob, 399 &key_characteristics); 400 401 if (rc == KM_ERROR_OK) { 402 // on success convert the result to wire format 403 resultKeyBlob = kmBlob2hidlVec(key_blob); 404 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(key_characteristics.sw_enforced); 405 resultCharacteristics.teeEnforced = kmParamSet2Hidl(key_characteristics.hw_enforced); 406 } 407 408 // send results off to the client 409 _hidl_cb(legacy_enum_conversion(rc), resultKeyBlob, resultCharacteristics); 410 411 // free buffers that we are responsible for 412 if (key_blob.key_material) free(const_cast<uint8_t*>(key_blob.key_material)); 413 keymaster_free_characteristics(&key_characteristics); 414 415 return Void(); 416 } 417 418 Return<void> KeymasterDevice::getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob, 419 const hidl_vec<uint8_t>& clientId, 420 const hidl_vec<uint8_t>& appData, 421 getKeyCharacteristics_cb _hidl_cb) { 422 // result variables for the wire 423 KeyCharacteristics resultCharacteristics; 424 425 // result variables the backend understands 426 keymaster_key_characteristics_t key_characteristics{{nullptr, 0}, {nullptr, 0}}; 427 428 auto kmKeyBlob = hidlVec2KmKeyBlob(keyBlob); 429 auto kmClientId = hidlVec2KmBlob(clientId); 430 auto kmAppData = hidlVec2KmBlob(appData); 431 432 auto rc = keymaster_device_->get_key_characteristics( 433 keymaster_device_, keyBlob.size() ? &kmKeyBlob : nullptr, 434 clientId.size() ? &kmClientId : nullptr, appData.size() ? &kmAppData : nullptr, 435 &key_characteristics); 436 437 if (rc == KM_ERROR_OK) { 438 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(key_characteristics.sw_enforced); 439 resultCharacteristics.teeEnforced = kmParamSet2Hidl(key_characteristics.hw_enforced); 440 } 441 442 _hidl_cb(legacy_enum_conversion(rc), resultCharacteristics); 443 444 keymaster_free_characteristics(&key_characteristics); 445 446 return Void(); 447 } 448 449 Return<void> KeymasterDevice::importKey(const hidl_vec<KeyParameter>& params, KeyFormat keyFormat, 450 const hidl_vec<uint8_t>& keyData, importKey_cb _hidl_cb) { 451 // result variables for the wire 452 KeyCharacteristics resultCharacteristics; 453 hidl_vec<uint8_t> resultKeyBlob; 454 455 // result variables the backend understands 456 keymaster_key_blob_t key_blob{nullptr, 0}; 457 keymaster_key_characteristics_t key_characteristics{{nullptr, 0}, {nullptr, 0}}; 458 459 auto kmParams = hidlParams2KmParamSet(params); 460 auto kmKeyData = hidlVec2KmBlob(keyData); 461 462 auto rc = keymaster_device_->import_key(keymaster_device_, &kmParams, 463 legacy_enum_conversion(keyFormat), &kmKeyData, 464 &key_blob, &key_characteristics); 465 466 if (rc == KM_ERROR_OK) { 467 // on success convert the result to wire format 468 // (Can we assume that key_blob is {nullptr, 0} or a valid buffer description?) 469 resultKeyBlob = kmBlob2hidlVec(key_blob); 470 resultCharacteristics.softwareEnforced = kmParamSet2Hidl(key_characteristics.sw_enforced); 471 resultCharacteristics.teeEnforced = kmParamSet2Hidl(key_characteristics.hw_enforced); 472 } 473 474 _hidl_cb(legacy_enum_conversion(rc), resultKeyBlob, resultCharacteristics); 475 476 // free buffers that we are responsible for 477 if (key_blob.key_material) free(const_cast<uint8_t*>(key_blob.key_material)); 478 keymaster_free_characteristics(&key_characteristics); 479 480 return Void(); 481 } 482 483 Return<void> KeymasterDevice::exportKey(KeyFormat exportFormat, const hidl_vec<uint8_t>& keyBlob, 484 const hidl_vec<uint8_t>& clientId, 485 const hidl_vec<uint8_t>& appData, exportKey_cb _hidl_cb) { 486 487 // result variables for the wire 488 hidl_vec<uint8_t> resultKeyBlob; 489 490 // result variables the backend understands 491 keymaster_blob_t out_blob{nullptr, 0}; 492 493 auto kmKeyBlob = hidlVec2KmKeyBlob(keyBlob); 494 auto kmClientId = hidlVec2KmBlob(clientId); 495 auto kmAppData = hidlVec2KmBlob(appData); 496 497 auto rc = keymaster_device_->export_key(keymaster_device_, legacy_enum_conversion(exportFormat), 498 keyBlob.size() ? &kmKeyBlob : nullptr, 499 clientId.size() ? &kmClientId : nullptr, 500 appData.size() ? &kmAppData : nullptr, &out_blob); 501 502 if (rc == KM_ERROR_OK) { 503 // on success convert the result to wire format 504 // (Can we assume that key_blob is {nullptr, 0} or a valid buffer description?) 505 resultKeyBlob = kmBlob2hidlVec(out_blob); 506 } 507 508 _hidl_cb(legacy_enum_conversion(rc), resultKeyBlob); 509 510 // free buffers that we are responsible for 511 if (out_blob.data) free(const_cast<uint8_t*>(out_blob.data)); 512 513 return Void(); 514 } 515 516 Return<void> KeymasterDevice::attestKey(const hidl_vec<uint8_t>& keyToAttest, 517 const hidl_vec<KeyParameter>& attestParams, 518 attestKey_cb _hidl_cb) { 519 520 hidl_vec<hidl_vec<uint8_t>> resultCertChain; 521 522 bool foundAttestationApplicationId = false; 523 for (size_t i = 0; i < attestParams.size(); ++i) { 524 switch (attestParams[i].tag) { 525 case Tag::ATTESTATION_ID_BRAND: 526 case Tag::ATTESTATION_ID_DEVICE: 527 case Tag::ATTESTATION_ID_PRODUCT: 528 case Tag::ATTESTATION_ID_SERIAL: 529 case Tag::ATTESTATION_ID_IMEI: 530 case Tag::ATTESTATION_ID_MEID: 531 case Tag::ATTESTATION_ID_MANUFACTURER: 532 case Tag::ATTESTATION_ID_MODEL: 533 // Device id attestation may only be supported if the device is able to permanently 534 // destroy its knowledge of the ids. This device is unable to do this, so it must 535 // never perform any device id attestation. 536 _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain); 537 return Void(); 538 539 case Tag::ATTESTATION_APPLICATION_ID: 540 foundAttestationApplicationId = true; 541 break; 542 543 default: 544 break; 545 } 546 } 547 548 // KM3 devices reject missing attest application IDs. KM2 devices do not. 549 if (!foundAttestationApplicationId) { 550 _hidl_cb(ErrorCode::ATTESTATION_APPLICATION_ID_MISSING, 551 resultCertChain); 552 return Void(); 553 } 554 555 keymaster_cert_chain_t cert_chain{nullptr, 0}; 556 557 auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest); 558 auto kmAttestParams = hidlParams2KmParamSet(attestParams); 559 560 auto rc = keymaster_device_->attest_key(keymaster_device_, &kmKeyToAttest, &kmAttestParams, 561 &cert_chain); 562 563 if (rc == KM_ERROR_OK) { 564 resultCertChain = kmCertChain2Hidl(&cert_chain); 565 } 566 567 _hidl_cb(legacy_enum_conversion(rc), resultCertChain); 568 569 keymaster_free_cert_chain(&cert_chain); 570 571 return Void(); 572 } 573 574 Return<void> KeymasterDevice::upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade, 575 const hidl_vec<KeyParameter>& upgradeParams, 576 upgradeKey_cb _hidl_cb) { 577 578 // result variables for the wire 579 hidl_vec<uint8_t> resultKeyBlob; 580 581 // result variables the backend understands 582 keymaster_key_blob_t key_blob{nullptr, 0}; 583 584 auto kmKeyBlobToUpgrade = hidlVec2KmKeyBlob(keyBlobToUpgrade); 585 auto kmUpgradeParams = hidlParams2KmParamSet(upgradeParams); 586 587 auto rc = keymaster_device_->upgrade_key(keymaster_device_, &kmKeyBlobToUpgrade, 588 &kmUpgradeParams, &key_blob); 589 590 if (rc == KM_ERROR_OK) { 591 // on success convert the result to wire format 592 resultKeyBlob = kmBlob2hidlVec(key_blob); 593 } 594 595 _hidl_cb(legacy_enum_conversion(rc), resultKeyBlob); 596 597 if (key_blob.key_material) free(const_cast<uint8_t*>(key_blob.key_material)); 598 599 return Void(); 600 } 601 602 Return<ErrorCode> KeymasterDevice::deleteKey(const hidl_vec<uint8_t>& keyBlob) { 603 if (keymaster_device_->delete_key == nullptr) { 604 return ErrorCode::UNIMPLEMENTED; 605 } 606 auto kmKeyBlob = hidlVec2KmKeyBlob(keyBlob); 607 auto rc = legacy_enum_conversion( 608 keymaster_device_->delete_key(keymaster_device_, &kmKeyBlob)); 609 // Keymaster 3.0 requires deleteKey to return ErrorCode::OK if the key 610 // blob is unusable after the call. This is equally true if the key blob was 611 // unusable before. 612 if (rc == ErrorCode::INVALID_KEY_BLOB) return ErrorCode::OK; 613 return rc; 614 } 615 616 Return<ErrorCode> KeymasterDevice::deleteAllKeys() { 617 if (keymaster_device_->delete_all_keys == nullptr) { 618 return ErrorCode::UNIMPLEMENTED; 619 } 620 return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_)); 621 } 622 623 Return<ErrorCode> KeymasterDevice::destroyAttestationIds() { 624 return ErrorCode::UNIMPLEMENTED; 625 } 626 627 Return<void> KeymasterDevice::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key, 628 const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) { 629 630 // result variables for the wire 631 hidl_vec<KeyParameter> resultParams; 632 uint64_t resultOpHandle = 0; 633 634 // result variables the backend understands 635 keymaster_key_param_set_t out_params{nullptr, 0}; 636 keymaster_operation_handle_t& operation_handle = resultOpHandle; 637 638 auto kmKey = hidlVec2KmKeyBlob(key); 639 auto kmInParams = hidlParams2KmParamSet(inParams); 640 641 auto rc = keymaster_device_->begin(keymaster_device_, legacy_enum_conversion(purpose), &kmKey, 642 &kmInParams, &out_params, &operation_handle); 643 644 if (rc == KM_ERROR_OK) resultParams = kmParamSet2Hidl(out_params); 645 646 _hidl_cb(legacy_enum_conversion(rc), resultParams, resultOpHandle); 647 648 keymaster_free_param_set(&out_params); 649 650 return Void(); 651 } 652 653 Return<void> KeymasterDevice::update(uint64_t operationHandle, 654 const hidl_vec<KeyParameter>& inParams, 655 const hidl_vec<uint8_t>& input, update_cb _hidl_cb) { 656 // result variables for the wire 657 uint32_t resultConsumed = 0; 658 hidl_vec<KeyParameter> resultParams; 659 hidl_vec<uint8_t> resultBlob; 660 661 // result variables the backend understands 662 size_t consumed = 0; 663 keymaster_key_param_set_t out_params{nullptr, 0}; 664 keymaster_blob_t out_blob{nullptr, 0}; 665 666 auto kmInParams = hidlParams2KmParamSet(inParams); 667 auto kmInput = hidlVec2KmBlob(input); 668 669 auto rc = keymaster_device_->update(keymaster_device_, operationHandle, &kmInParams, &kmInput, 670 &consumed, &out_params, &out_blob); 671 672 if (rc == KM_ERROR_OK) { 673 resultConsumed = consumed; 674 resultParams = kmParamSet2Hidl(out_params); 675 resultBlob = kmBlob2hidlVec(out_blob); 676 } 677 678 _hidl_cb(legacy_enum_conversion(rc), resultConsumed, resultParams, resultBlob); 679 680 keymaster_free_param_set(&out_params); 681 if (out_blob.data) free(const_cast<uint8_t*>(out_blob.data)); 682 683 return Void(); 684 } 685 686 Return<void> KeymasterDevice::finish(uint64_t operationHandle, 687 const hidl_vec<KeyParameter>& inParams, 688 const hidl_vec<uint8_t>& input, 689 const hidl_vec<uint8_t>& signature, finish_cb _hidl_cb) { 690 // result variables for the wire 691 hidl_vec<KeyParameter> resultParams; 692 hidl_vec<uint8_t> resultBlob; 693 694 // result variables the backend understands 695 keymaster_key_param_set_t out_params{nullptr, 0}; 696 keymaster_blob_t out_blob{nullptr, 0}; 697 698 auto kmInParams = hidlParams2KmParamSet(inParams); 699 auto kmInput = hidlVec2KmBlob(input); 700 auto kmSignature = hidlVec2KmBlob(signature); 701 702 auto rc = keymaster_device_->finish(keymaster_device_, operationHandle, &kmInParams, &kmInput, 703 &kmSignature, &out_params, &out_blob); 704 705 if (rc == KM_ERROR_OK) { 706 resultParams = kmParamSet2Hidl(out_params); 707 resultBlob = kmBlob2hidlVec(out_blob); 708 } 709 710 _hidl_cb(legacy_enum_conversion(rc), resultParams, resultBlob); 711 712 keymaster_free_param_set(&out_params); 713 if (out_blob.data) free(const_cast<uint8_t*>(out_blob.data)); 714 715 return Void(); 716 } 717 718 Return<ErrorCode> KeymasterDevice::abort(uint64_t operationHandle) { 719 return legacy_enum_conversion(keymaster_device_->abort(keymaster_device_, operationHandle)); 720 } 721 722 IKeymasterDevice* HIDL_FETCH_IKeymasterDevice(const char* name) { 723 keymaster2_device_t* dev = nullptr; 724 725 ALOGI("Fetching keymaster device name %s", name); 726 727 uint32_t version = -1; 728 bool supports_ec = false; 729 bool supports_all_digests = false; 730 731 if (name && strcmp(name, "softwareonly") == 0) { 732 dev = (new SoftKeymasterDevice(new SoftwareOnlyHidlKeymasterContext))->keymaster2_device(); 733 } else if (name && strcmp(name, "default") == 0) { 734 auto rc = keymaster_device_initialize(&dev, &version, &supports_ec, &supports_all_digests); 735 if (rc) return nullptr; 736 } 737 738 auto kmrc = ::keymaster::ConfigureDevice(dev); 739 if (kmrc != KM_ERROR_OK) { 740 dev->common.close(&dev->common); 741 return nullptr; 742 } 743 744 return new KeymasterDevice(dev, version, supports_ec, supports_all_digests); 745 } 746 747 } // namespace implementation 748 } // namespace V3_0 749 } // namespace keymaster 750 } // namespace hardware 751 } // namespace android 752