xref: /aosp_15_r20/system/keymaster/include/keymaster/operation.h (revision 789431f29546679ab5188a97751fb38e3018d44d) 
1 /*
2  * Copyright 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_KEYMASTER_OPERATION_H_
18 #define SYSTEM_KEYMASTER_OPERATION_H_
19 
20 #include <utility>
21 
22 #include <assert.h>
23 #include <stdint.h>
24 #include <stdlib.h>
25 
26 #include <hardware/keymaster_defs.h>
27 #include <keymaster/android_keymaster_utils.h>
28 #include <keymaster/authorization_set.h>
29 #include <keymaster/logger.h>
30 
31 namespace keymaster {
32 
33 class AuthorizationSet;
34 class Key;
35 class Operation;
36 using OperationPtr = UniquePtr<Operation>;
37 
38 class OperationFactory {
39   public:
~OperationFactory()40     virtual ~OperationFactory() {}
41 
42     // Required for registry
43     struct KeyType {
KeyTypeKeyType44         KeyType(keymaster_algorithm_t alg, keymaster_purpose_t purp)
45             : algorithm(alg), purpose(purp) {}
46 
47         keymaster_algorithm_t algorithm;
48         keymaster_purpose_t purpose;
49 
50         bool operator==(const KeyType& rhs) const {
51             return algorithm == rhs.algorithm && purpose == rhs.purpose;
52         }
53     };
54     virtual KeyType registry_key() const = 0;
55 
56     // Factory methods
57     virtual OperationPtr CreateOperation(Key&& key, const AuthorizationSet& begin_params,
58                                          keymaster_error_t* error) = 0;
59 
60     // Informational methods.  The returned arrays reference static memory and must not be
61     // deallocated or modified.
SupportedPaddingModes(size_t * padding_count)62     virtual const keymaster_padding_t* SupportedPaddingModes(size_t* padding_count) const {
63         *padding_count = 0;
64         return nullptr;
65     }
SupportedBlockModes(size_t * block_mode_count)66     virtual const keymaster_block_mode_t* SupportedBlockModes(size_t* block_mode_count) const {
67         *block_mode_count = 0;
68         return nullptr;
69     }
SupportedDigests(size_t * digest_count)70     virtual const keymaster_digest_t* SupportedDigests(size_t* digest_count) const {
71         *digest_count = 0;
72         return nullptr;
73     }
74 
75     // Convenience methods
76     bool supported(keymaster_padding_t padding) const;
77     bool supported(keymaster_block_mode_t padding) const;
78     bool supported(keymaster_digest_t padding) const;
79 
80     bool is_public_key_operation() const;
81 
82     bool GetAndValidatePadding(const AuthorizationSet& begin_params, const Key& key,
83                                keymaster_padding_t* padding, keymaster_error_t* error) const;
84     bool GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
85                               keymaster_digest_t* digest, keymaster_error_t* error) const;
86     bool GetAndValidateDigest(const AuthorizationSet& begin_params, const Key& key,
87                               keymaster_digest_t* digest, keymaster_error_t* error,
88                               bool require_explicit_digest) const;
89 };
90 
91 /**
92  * Abstract base for all cryptographic operations.
93  */
94 class Operation {
95   public:
Operation(keymaster_purpose_t purpose,AuthorizationSet && hw_enforced,AuthorizationSet && sw_enforced)96     explicit Operation(keymaster_purpose_t purpose, AuthorizationSet&& hw_enforced,
97                        AuthorizationSet&& sw_enforced)
98         : purpose_(purpose), hw_enforced_(std::move(hw_enforced)),
99           sw_enforced_(std::move(sw_enforced)) {}
~Operation()100     virtual ~Operation() {}
101 
102     Operation(const Operation&) = delete;
103     void operator=(const Operation&) = delete;
104 
purpose()105     keymaster_purpose_t purpose() const { return purpose_; }
106 
set_key_id(uint64_t key_id)107     void set_key_id(uint64_t key_id) { key_id_ = key_id; }
key_id()108     uint64_t key_id() const { return key_id_; }
set_secure_deletion_slot(uint32_t secure_deletion_slot)109     void set_secure_deletion_slot(uint32_t secure_deletion_slot) {
110         secure_deletion_slot_ = secure_deletion_slot;
111     }
secure_deletion_slot()112     uint32_t secure_deletion_slot() const { return secure_deletion_slot_; }
operation_handle()113     virtual keymaster_operation_handle_t operation_handle() const { return operation_handle_; }
114 
authorizations()115     AuthProxy authorizations() const { return AuthProxy(hw_enforced_, sw_enforced_); }
hw_enforced()116     AuthorizationSet hw_enforced() const { return hw_enforced_; }
sw_enforced()117     AuthorizationSet sw_enforced() const { return sw_enforced_; }
118 
119     // Creates and initializes |confirmation_verifier_buffer_| that can be retrieved with
120     // get_confirmation_verifier_buffer().
121     //
122     // Returns false on allocation failure.
create_confirmation_verifier_buffer()123     bool create_confirmation_verifier_buffer() {
124         if (!confirmation_verifier_buffer_) {
125             Buffer* buffer = new (std::nothrow)
126                 Buffer(kConfirmationTokenMessageTag, kConfirmationTokenMessageTagSize);
127             if (buffer == nullptr) {
128                 return false;
129             }
130             confirmation_verifier_buffer_.reset(buffer);
131         }
132         return true;
133     }
134 
135     // If a Buffer for ConfirmationUI verification was created with
136     // create_confirmation_verifier_buffer(), returns it. If not, returns |nullptr|.
get_confirmation_verifier_buffer()137     Buffer* get_confirmation_verifier_buffer() { return confirmation_verifier_buffer_.get(); }
138 
139     virtual keymaster_error_t Begin(const AuthorizationSet& input_params,
140                                     AuthorizationSet* output_params) = 0;
141     virtual keymaster_error_t Update(const AuthorizationSet& input_params, const Buffer& input,
142                                      AuthorizationSet* output_params, Buffer* output,
143                                      size_t* input_consumed) = 0;
144     virtual keymaster_error_t Finish(const AuthorizationSet& input_params, const Buffer& input,
145                                      const Buffer& signature, AuthorizationSet* output_params,
146                                      Buffer* output) = 0;
147     virtual keymaster_error_t Abort() = 0;
148 
149   protected:
150     // Helper function for implementing Finish() methods that need to call Update() to process
151     // input, but don't expect any output.
152     keymaster_error_t UpdateForFinish(const AuthorizationSet& input_params, const Buffer& input);
153     keymaster_operation_handle_t operation_handle_;
154 
155   private:
156     const keymaster_purpose_t purpose_;
157     AuthorizationSet hw_enforced_;
158     AuthorizationSet sw_enforced_;
159     uint64_t key_id_;
160     uint32_t secure_deletion_slot_ = 0;
161     UniquePtr<Buffer> confirmation_verifier_buffer_;
162 };
163 
164 }  // namespace keymaster
165 
166 #endif  // SYSTEM_KEYMASTER_OPERATION_H_
167