1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef KEYSTORE_KEYMASTER_ENFORCEMENT_H 18 #define KEYSTORE_KEYMASTER_ENFORCEMENT_H 19 20 #include <stdio.h> 21 22 #include <keystore/authorization_set.h> 23 24 namespace keystore { 25 26 typedef uint64_t km_id_t; 27 28 class KeymasterEnforcementContext { 29 public: 30 virtual ~KeymasterEnforcementContext() {} 31 /* 32 * Get current time. 33 */ 34 }; 35 36 class AccessTimeMap; 37 class AccessCountMap; 38 39 class KeymasterEnforcement { 40 public: 41 /** 42 * Construct a KeymasterEnforcement. 43 */ 44 KeymasterEnforcement(uint32_t max_access_time_map_size, uint32_t max_access_count_map_size); 45 virtual ~KeymasterEnforcement(); 46 47 /** 48 * Iterates through the authorization set and returns the corresponding keymaster error. Will 49 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 50 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 51 */ 52 ErrorCode AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid, 53 const AuthorizationSet& auth_set, 54 const AuthorizationSet& operation_params, uint64_t op_handle, 55 bool is_begin_operation); 56 57 /** 58 * Iterates through the authorization set and returns the corresponding keymaster error. Will 59 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 60 * the given operation params. Used for encrypt, decrypt sign, and verify. 61 */ 62 ErrorCode AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid, 63 const AuthorizationSet& auth_set, 64 const AuthorizationSet& operation_params); 65 66 /** 67 * Iterates through the authorization set and returns the corresponding keymaster error. Will 68 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 69 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 70 */ 71 ErrorCode AuthorizeUpdate(const AuthorizationSet& auth_set, 72 const AuthorizationSet& operation_params, uint64_t op_handle) { 73 return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle); 74 } 75 76 /** 77 * Iterates through the authorization set and returns the corresponding keymaster error. Will 78 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 79 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 80 */ 81 ErrorCode AuthorizeFinish(const AuthorizationSet& auth_set, 82 const AuthorizationSet& operation_params, uint64_t op_handle) { 83 return AuthorizeUpdateOrFinish(auth_set, operation_params, op_handle); 84 } 85 86 /** 87 * Creates a key ID for use in subsequent calls to AuthorizeOperation. Clients needn't use this 88 * method of creating key IDs, as long as they use something consistent and unique. This method 89 * hashes the key blob. 90 * 91 * Returns false if an error in the crypto library prevents creation of an ID. 92 */ 93 static bool CreateKeyId(const hidl_vec<uint8_t>& key_blob, km_id_t* keyid); 94 95 // 96 // Methods that must be implemented by subclasses 97 // 98 // The time-related methods address the fact that different enforcement contexts may have 99 // different time-related capabilities. In particular: 100 // 101 // - They may or may not be able to check dates against real-world clocks. 102 // 103 // - They may or may not be able to check timestampls against authentication trustlets (minters 104 // of hw_auth_token_t structs). 105 // 106 // - They must have some time source for relative times, but may not be able to provide more 107 // than reliability and monotonicity. 108 109 /* 110 * Returns true if the specified activation date has passed, or if activation cannot be 111 * enforced. 112 */ 113 virtual bool activation_date_valid(uint64_t activation_date) const = 0; 114 115 /* 116 * Returns true if the specified expiration date has passed. Returns false if it has not, or if 117 * expiration cannot be enforced. 118 */ 119 virtual bool expiration_date_passed(uint64_t expiration_date) const = 0; 120 121 /* 122 * Returns true if the specified auth_token is older than the specified timeout. 123 */ 124 virtual bool auth_token_timed_out(const hw_auth_token_t& token, uint32_t timeout) const = 0; 125 126 /* 127 * Get current time in seconds from some starting point. This value is used to compute relative 128 * times between events. It must be monotonically increasing, and must not skip or lag. It 129 * need not have any relation to any external time standard (other than the duration of 130 * "second"). 131 * 132 * On POSIX systems, it's recommented to use clock_gettime(CLOCK_MONOTONIC, ...) to implement 133 * this method. 134 */ 135 virtual uint32_t get_current_time() const = 0; 136 137 /* 138 * Returns true if the specified auth_token has a valid signature, or if signature validation is 139 * not available. 140 */ 141 virtual bool ValidateTokenSignature(const hw_auth_token_t& token) const = 0; 142 143 private: 144 ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set, 145 const AuthorizationSet& operation_params, uint64_t op_handle); 146 147 bool MinTimeBetweenOpsPassed(uint32_t min_time_between, const km_id_t keyid); 148 bool MaxUsesPerBootNotExceeded(const km_id_t keyid, uint32_t max_uses); 149 bool AuthTokenMatches(const AuthorizationSet& auth_set, 150 const AuthorizationSet& operation_params, const uint64_t user_secure_id, 151 const int auth_type_index, const int auth_timeout_index, 152 const uint64_t op_handle, bool is_begin_operation) const; 153 154 AccessTimeMap* access_time_map_; 155 AccessCountMap* access_count_map_; 156 }; 157 158 }; /* namespace keystore */ 159 160 #endif // KEYSTORE_KEYMASTER_ENFORCEMENT_H 161