1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #pragma once
17 
18 #include "gatekeeper/gatekeeper.h"
19 #include "tss2/tss2_esys.h"
20 
21 #include "host/commands/secure_env/gatekeeper_storage.h"
22 #include "host/commands/secure_env/storage/storage.h"
23 #include "host/commands/secure_env/tpm_resource_manager.h"
24 
25 namespace cuttlefish {
26 
27 /**
28  * See method descriptions for this class in
29  * system/gatekeeper/include/gatekeeper/gatekeeper.h
30  */
31 class TpmGatekeeper : public gatekeeper::GateKeeper {
32 public:
33   TpmGatekeeper(
34       TpmResourceManager& resource_manager,
35       secure_env::Storage& secure_storage,
36       secure_env::Storage& insecure_storage);
37 
38   bool GetAuthTokenKey(
39       const uint8_t** auth_token_key, uint32_t* length) const override;
40 
41   void GetPasswordKey(const uint8_t** pasword_key, uint32_t* length) override;
42 
43   void ComputePasswordSignature(
44       uint8_t* signature,
45       uint32_t signature_length,
46       const uint8_t* key,
47       uint32_t key_length,
48       const uint8_t* password,
49       uint32_t password_length,
50       gatekeeper::salt_t salt) const override;
51 
52   void GetRandom(void* random, uint32_t requested_size) const override;
53 
54   void ComputeSignature(
55       uint8_t* signature,
56       uint32_t signature_length,
57       const uint8_t* key,
58       uint32_t key_length,
59       const uint8_t* message,
60       uint32_t length) const override;
61 
62   uint64_t GetMillisecondsSinceBoot() const override;
63 
64   /**
65    * Retrieves the failure record for user `uid`, assuming a user secret value
66    * of `user_id`. If the secret value `user_id` is incorrect, the original
67    * secret `user_id` value will be lost and cannot be recovered.
68    */
69   bool GetFailureRecord(
70       uint32_t uid,
71       gatekeeper::secure_id_t user_id,
72       gatekeeper::failure_record_t *record,
73       bool secure) override;
74 
75   bool ClearFailureRecord(
76       uint32_t uid, gatekeeper::secure_id_t user_id, bool secure) override;
77 
78   bool WriteFailureRecord(
79       uint32_t uid, gatekeeper::failure_record_t *record, bool secure) override;
80 
81   bool IsHardwareBacked() const override;
82 private:
83   TpmResourceManager& resource_manager_;
84   secure_env::Storage& secure_storage_;
85   secure_env::Storage& insecure_storage_;
86 };
87 
88 }  // namespace cuttlefish
89