1 /* 2 * Copyright (C) 2014 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef KEYSTORE_KEYMASTER_ENFORCEMENT_H 18 #define KEYSTORE_KEYMASTER_ENFORCEMENT_H 19 20 #include <stdio.h> 21 22 #include <keystore/keymaster_types.h> 23 24 namespace keystore { 25 26 typedef uint64_t km_id_t; 27 28 class KeymasterEnforcementContext { 29 public: 30 virtual ~KeymasterEnforcementContext() {} 31 /* 32 * Get current time. 33 */ 34 }; 35 36 class AccessTimeMap; 37 class AccessCountMap; 38 39 class KeymasterEnforcement { 40 public: 41 /** 42 * Construct a KeymasterEnforcement. 43 */ 44 KeymasterEnforcement(uint32_t max_access_time_map_size, uint32_t max_access_count_map_size); 45 virtual ~KeymasterEnforcement(); 46 47 /** 48 * Iterates through the authorization set and returns the corresponding keymaster error. Will 49 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 50 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 51 */ 52 ErrorCode AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid, 53 const AuthorizationSet& auth_set, 54 const AuthorizationSet& operation_params, 55 const HardwareAuthToken& auth_token, uint64_t op_handle, 56 bool is_begin_operation); 57 58 /** 59 * Iterates through the authorization set and returns the corresponding keymaster error. Will 60 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 61 * the given operation params. Used for encrypt, decrypt sign, and verify. 62 */ 63 ErrorCode AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid, 64 const AuthorizationSet& auth_set, 65 const AuthorizationSet& operation_params, 66 NullOr<const HardwareAuthToken&> auth_token); 67 68 /** 69 * Iterates through the authorization set and returns the corresponding keymaster error. Will 70 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 71 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 72 */ 73 ErrorCode AuthorizeUpdate(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, 74 uint64_t op_handle) { 75 return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle); 76 } 77 78 /** 79 * Iterates through the authorization set and returns the corresponding keymaster error. Will 80 * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with 81 * the given operation params and handle. Used for encrypt, decrypt sign, and verify. 82 */ 83 ErrorCode AuthorizeFinish(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, 84 uint64_t op_handle) { 85 return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle); 86 } 87 88 /** 89 * Creates a key ID for use in subsequent calls to AuthorizeOperation. Clients needn't use this 90 * method of creating key IDs, as long as they use something consistent and unique. This method 91 * hashes the key blob. 92 * 93 * Returns false if an error in the crypto library prevents creation of an ID. 94 */ 95 static bool CreateKeyId(const hidl_vec<uint8_t>& key_blob, km_id_t* keyid); 96 97 // 98 // Methods that must be implemented by subclasses 99 // 100 // The time-related methods address the fact that different enforcement contexts may have 101 // different time-related capabilities. In particular: 102 // 103 // - They may or may not be able to check dates against real-world clocks. 104 // 105 // - They may or may not be able to check timestampls against authentication trustlets (minters 106 // of hw_auth_token_t structs). 107 // 108 // - They must have some time source for relative times, but may not be able to provide more 109 // than reliability and monotonicity. 110 111 /* 112 * Returns true if the specified activation date has passed, or if activation cannot be 113 * enforced. 114 */ 115 virtual bool activation_date_valid(uint64_t activation_date) const = 0; 116 117 /* 118 * Returns true if the specified expiration date has passed. Returns false if it has not, or if 119 * expiration cannot be enforced. 120 */ 121 virtual bool expiration_date_passed(uint64_t expiration_date) const = 0; 122 123 /* 124 * Returns true if the specified auth_token is older than the specified timeout. 125 */ 126 virtual bool auth_token_timed_out(const HardwareAuthToken& token, uint32_t timeout) const = 0; 127 128 /* 129 * Get current time in seconds from some starting point. This value is used to compute relative 130 * times between events. It must be monotonically increasing, and must not skip or lag. It 131 * need not have any relation to any external time standard (other than the duration of 132 * "second"). 133 * 134 * On POSIX systems, it's recommented to use clock_gettime(CLOCK_MONOTONIC, ...) to implement 135 * this method. 136 */ 137 virtual uint32_t get_current_time() const = 0; 138 139 /* 140 * Returns true if the specified auth_token has a valid signature, or if signature validation is 141 * not available. 142 */ 143 virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0; 144 145 /* 146 * Returns true if the device screen is currently locked for the specified user. 147 */ 148 virtual bool is_device_locked(int32_t userId) const = 0; 149 150 private: 151 ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set, 152 const HardwareAuthToken& auth_token, uint64_t op_handle); 153 154 bool MinTimeBetweenOpsPassed(uint32_t min_time_between, const km_id_t keyid); 155 bool MaxUsesPerBootNotExceeded(const km_id_t keyid, uint32_t max_uses); 156 bool AuthTokenMatches(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, 157 const uint64_t user_secure_id, const int auth_type_index, 158 const int auth_timeout_index, const uint64_t op_handle, 159 bool is_begin_operation) const; 160 161 AccessTimeMap* access_time_map_; 162 AccessCountMap* access_count_map_; 163 }; 164 165 }; /* namespace keystore */ 166 167 #endif // KEYSTORE_KEYMASTER_ENFORCEMENT_H 168