Home | History | Annotate | Download | only in keymaster
      1 /*
      2  *  Copyright (C) 2012 The Android Open Source Project
      3  *
      4  *  Licensed under the Apache License, Version 2.0 (the "License"); you
      5  *  may not use this file except in compliance with the License.  You may
      6  *  obtain a copy of the License at
      7  *
      8  *  http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  *  Unless required by applicable law or agreed to in writing, software
     11  *  distributed under the License is distributed on an "AS IS" BASIS,
     12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
     13  *  implied.  See the License for the specific language governing
     14  *  permissions and limitations under the License.
     15  */
     16 
     17 #ifndef ANDROID_HARDWARE_QCOM_KEYMASTER_H
     18 #define ANDROID_HARDWARE_QCOM_KEYMASTER_H
     19 
     20 #include <stdint.h>
     21 #include <sys/cdefs.h>
     22 #include <sys/types.h>
     23 
     24 __BEGIN_DECLS
     25 
     26 #ifdef _ION_HEAP_MASK_COMPATIBILITY_WA
     27 #define ION_HEAP_MASK heap_mask
     28 #else
     29 #define ION_HEAP_MASK heap_id_mask
     30 #endif
     31 
     32 /**
     33  * The id of this module
     34  */
     35 #define QCOM_KEYSTORE_KEYMASTER "qcom_keymaster"
     36 /**
     37  * Operation result
     38  */
     39 #define KEYMATER_SUCCESS  0
     40 #define KEYMASTER_FAILURE  -1
     41 
     42 /**
     43  * The API level of this version of the header. The allows the implementing
     44  * module to recognize which API level of the client it is dealing with in
     45  * the case of pre-compiled binary clients.
     46  */
     47 #define QCOM_KEYMASTER_API_VERSION KEYMASTER_MODULE_API_VERSION_0_3
     48 
     49 #define KM_MAGIC_NUM     (0x4B4D4B42)    /* "KMKB" Key Master Key Blob in hex */
     50 #define KM_KEY_SIZE_MAX  (512)           /* 4096 bits */
     51 #define KM_IV_LENGTH     (16)            /* AES128 CBC IV */
     52 #define KM_HMAC_LENGTH   (32)            /* SHA2 will be used for HMAC  */
     53 
     54 struct  qcom_km_key_blob {
     55   uint32_t magic_num;
     56   uint32_t version_num;
     57   uint8_t  modulus[KM_KEY_SIZE_MAX];
     58   uint32_t modulus_size;
     59   uint8_t  public_exponent[KM_KEY_SIZE_MAX];
     60   uint32_t public_exponent_size;
     61   uint8_t  iv[KM_IV_LENGTH];
     62   uint8_t  encrypted_private_exponent[KM_KEY_SIZE_MAX];
     63   uint32_t encrypted_private_exponent_size;
     64   uint8_t  hmac[KM_HMAC_LENGTH];
     65 };
     66 typedef struct  qcom_km_key_blob qcom_km_key_blob_t;
     67 /**
     68  * Commands supported
     69  */
     70 enum  keymaster_cmd_t {
     71     /*
     72      * List the commands supportedin by the hardware.
     73      */
     74     KEYMASTER_GENERATE_KEYPAIR = 0x00000001,
     75     KEYMASTER_IMPORT_KEYPAIR = 0x00000002,
     76     KEYMASTER_SIGN_DATA = 0x00000003,
     77     KEYMASTER_VERIFY_DATA = 0x00000004,
     78 };
     79 
     80 
     81 /**
     82  * Command to Generate a public and private key. The key data returned
     83  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
     84  *
     85  * cmd_id       : Command issue to secure app
     86  * key_type     : Currently on RSA_TYPE is supported
     87  * rsa_params   : Parameters needed to generate an RSA key
     88  */
     89  struct keymaster_gen_keypair_cmd {
     90       keymaster_cmd_t               cmd_id;
     91       keymaster_keypair_t           key_type;
     92       keymaster_rsa_keygen_params_t rsa_params;
     93 };
     94 typedef struct keymaster_gen_keypair_cmd keymaster_gen_keypair_cmd_t;
     95 
     96 /**
     97  * Response to Generate a public and private key. The key data returned
     98  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
     99  *
    100  * cmd_id       : Command issue to secure app
    101  * key_blob     : key blob data
    102  * key_blob_len : Total length of key blob information
    103  * status       : Result (success 0, or failure -1)
    104  */
    105 struct keymaster_gen_keypair_resp {
    106       keymaster_cmd_t     cmd_id;
    107       qcom_km_key_blob_t  key_blob;
    108       size_t              key_blob_len;
    109       int32_t             status;
    110 };
    111 typedef struct keymaster_gen_keypair_resp keymaster_gen_keypair_resp_t;
    112 
    113 
    114 /**
    115  * Command to import a public and private key pair. The imported keys
    116  * will be in PKCS#8 format with DER encoding (Java standard). The key
    117  * data returned (by secure app) is in shared buffer at offset of
    118  * "key_blob" and is opaque
    119  *
    120  * cmd_id       : Command issue to secure app
    121  * pkcs8_key    : Pointer to  pkcs8 formatted key information
    122  * pkcs8_key_len: PKCS8 formatted key length
    123  */
    124 struct keymaster_import_keypair_cmd {
    125       keymaster_cmd_t cmd_id;
    126       uint32_t        pkcs8_key;
    127       size_t          pkcs8_key_len;
    128 };
    129 typedef struct keymaster_import_keypair_cmd keymaster_import_keypair_cmd_t;
    130 
    131 /**
    132  * Response to import a public and private key. The key data returned
    133  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
    134  *
    135  * cmd_id       : Command issue to secure app
    136  * key_blob     : key blob data
    137  * key_blob_len : Total length of key blob information
    138  * status       : Result (success 0, or failure -1)
    139  */
    140 struct keymaster_import_keypair_resp {
    141       keymaster_cmd_t     cmd_id;
    142       qcom_km_key_blob_t  key_blob;
    143       size_t              key_blob_len;
    144       int32_t             status;
    145 };
    146 typedef struct keymaster_import_keypair_resp keymaster_import_keypair_resp_t;
    147 
    148 /**
    149  * Command to sign data using a key info generated before. This can use either
    150  * an asymmetric key or a secret key.
    151  * The signed data is returned (by secure app) at offset of data + dlen.
    152  *
    153  * cmd_id      : Command issue to secure app
    154  * sign_param  :
    155  * key_blob    : Key data information (in shared buffer)
    156  * data        : Pointer to plain data buffer
    157  * dlen        : Plain data length
    158  */
    159 struct keymaster_sign_data_cmd {
    160       keymaster_cmd_t               cmd_id;
    161       keymaster_rsa_sign_params_t   sign_param;
    162       qcom_km_key_blob_t            key_blob;
    163       uint32_t                      data;
    164       size_t                        dlen;
    165 };
    166 typedef struct keymaster_sign_data_cmd keymaster_sign_data_cmd_t;
    167 
    168 /**
    169  * Response to sign data response
    170  *
    171  * cmd_id      : Command issue to secure app
    172  * signed_data : signature
    173  * sig_len     : Signed data length
    174  * status      : Result (success 0, or failure -1)
    175  */
    176 struct keymaster_sign_data_resp {
    177       keymaster_cmd_t     cmd_id;
    178       uint8_t             signed_data[KM_KEY_SIZE_MAX];
    179       size_t              sig_len;
    180       int32_t             status;
    181 };
    182 
    183 typedef struct keymaster_sign_data_resp keymaster_sign_data_resp_t;
    184 
    185 /**
    186  * Command to verify data using a key info generated before. This can use either
    187  * an asymmetric key or a secret key.
    188  *
    189  * cmd_id      : Command issue to secure app
    190  * sign_param  :
    191  * key_blob    : Key data information (in shared buffer)
    192  * key_blob_len: Total key length
    193  * signed_data : Pointer to signed data buffer
    194  * signed_dlen : Signed data length
    195  * signature   : Offset to the signature data buffer (from signed data buffer)
    196  * slen        : Signature data length
    197  */
    198 struct keymaster_verify_data_cmd {
    199       keymaster_cmd_t cmd_id;
    200       keymaster_rsa_sign_params_t   sign_param;
    201       qcom_km_key_blob_t            key_blob;
    202       uint32_t                      signed_data;
    203       size_t                        signed_dlen;
    204       uint32_t                      signature;
    205       size_t                        slen;
    206 };
    207 typedef struct keymaster_verify_data_cmd keymaster_verify_data_cmd_t;
    208 /**
    209  * Response to verify data
    210  *
    211  * cmd_id      : Command issue to secure app
    212  * status      : Result (success 0, or failure -1)
    213  */
    214 struct  keymaster_verify_data_resp {
    215       keymaster_cmd_t     cmd_id;
    216       int32_t             status;
    217 };
    218 typedef struct keymaster_verify_data_resp keymaster_verify_data_resp_t;
    219 
    220 __END_DECLS
    221 
    222 #endif  // ANDROID_HARDWARE_QCOM_KEYMASTER_H
    223