xref: /aosp_15_r20/hardware/interfaces/keymaster/4.1/support/Keymaster.cpp (revision 4d7e907c777eeecc4c5bd7cf640a754fac206ff7) 
1*4d7e907cSAndroid Build Coastguard Worker /*
2*4d7e907cSAndroid Build Coastguard Worker  ** Copyright 2018, The Android Open Source Project
3*4d7e907cSAndroid Build Coastguard Worker  **
4*4d7e907cSAndroid Build Coastguard Worker  ** Licensed under the Apache License, Version 2.0 (the "License");
5*4d7e907cSAndroid Build Coastguard Worker  ** you may not use this file except in compliance with the License.
6*4d7e907cSAndroid Build Coastguard Worker  ** You may obtain a copy of the License at
7*4d7e907cSAndroid Build Coastguard Worker  **
8*4d7e907cSAndroid Build Coastguard Worker  **     http://www.apache.org/licenses/LICENSE-2.0
9*4d7e907cSAndroid Build Coastguard Worker  **
10*4d7e907cSAndroid Build Coastguard Worker  ** Unless required by applicable law or agreed to in writing, software
11*4d7e907cSAndroid Build Coastguard Worker  ** distributed under the License is distributed on an "AS IS" BASIS,
12*4d7e907cSAndroid Build Coastguard Worker  ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*4d7e907cSAndroid Build Coastguard Worker  ** See the License for the specific language governing permissions and
14*4d7e907cSAndroid Build Coastguard Worker  ** limitations under the License.
15*4d7e907cSAndroid Build Coastguard Worker  */
16*4d7e907cSAndroid Build Coastguard Worker 
17*4d7e907cSAndroid Build Coastguard Worker #include <keymasterV4_1/Keymaster.h>
18*4d7e907cSAndroid Build Coastguard Worker 
19*4d7e907cSAndroid Build Coastguard Worker #include <iomanip>
20*4d7e907cSAndroid Build Coastguard Worker 
21*4d7e907cSAndroid Build Coastguard Worker #include <android-base/logging.h>
22*4d7e907cSAndroid Build Coastguard Worker #include <android/hidl/manager/1.2/IServiceManager.h>
23*4d7e907cSAndroid Build Coastguard Worker #include <keymasterV4_0/key_param_output.h>
24*4d7e907cSAndroid Build Coastguard Worker #include <keymasterV4_0/keymaster_utils.h>
25*4d7e907cSAndroid Build Coastguard Worker #include <keymasterV4_1/Keymaster3.h>
26*4d7e907cSAndroid Build Coastguard Worker #include <keymasterV4_1/Keymaster4.h>
27*4d7e907cSAndroid Build Coastguard Worker 
28*4d7e907cSAndroid Build Coastguard Worker namespace android::hardware {
29*4d7e907cSAndroid Build Coastguard Worker 
30*4d7e907cSAndroid Build Coastguard Worker template <class T>
operator <<(std::ostream & os,const hidl_vec<T> & vec)31*4d7e907cSAndroid Build Coastguard Worker std::ostream& operator<<(std::ostream& os, const hidl_vec<T>& vec) {
32*4d7e907cSAndroid Build Coastguard Worker     os << "{ ";
33*4d7e907cSAndroid Build Coastguard Worker     if (vec.size()) {
34*4d7e907cSAndroid Build Coastguard Worker         for (size_t i = 0; i < vec.size() - 1; ++i) os << vec[i] << ", ";
35*4d7e907cSAndroid Build Coastguard Worker         os << vec[vec.size() - 1];
36*4d7e907cSAndroid Build Coastguard Worker     }
37*4d7e907cSAndroid Build Coastguard Worker     os << " }";
38*4d7e907cSAndroid Build Coastguard Worker     return os;
39*4d7e907cSAndroid Build Coastguard Worker }
40*4d7e907cSAndroid Build Coastguard Worker 
operator <<(std::ostream & os,const hidl_vec<uint8_t> & vec)41*4d7e907cSAndroid Build Coastguard Worker std::ostream& operator<<(std::ostream& os, const hidl_vec<uint8_t>& vec) {
42*4d7e907cSAndroid Build Coastguard Worker     std::ios_base::fmtflags flags(os.flags());
43*4d7e907cSAndroid Build Coastguard Worker     os << std::setw(2) << std::setfill('0') << std::hex;
44*4d7e907cSAndroid Build Coastguard Worker     for (uint8_t c : vec) os << static_cast<int>(c);
45*4d7e907cSAndroid Build Coastguard Worker     os.flags(flags);
46*4d7e907cSAndroid Build Coastguard Worker     return os;
47*4d7e907cSAndroid Build Coastguard Worker }
48*4d7e907cSAndroid Build Coastguard Worker 
49*4d7e907cSAndroid Build Coastguard Worker template <size_t N>
operator <<(std::ostream & os,const hidl_array<uint8_t,N> & vec)50*4d7e907cSAndroid Build Coastguard Worker std::ostream& operator<<(std::ostream& os, const hidl_array<uint8_t, N>& vec) {
51*4d7e907cSAndroid Build Coastguard Worker     std::ios_base::fmtflags flags(os.flags());
52*4d7e907cSAndroid Build Coastguard Worker     os << std::setw(2) << std::setfill('0') << std::hex;
53*4d7e907cSAndroid Build Coastguard Worker     for (size_t i = 0; i < N; ++i) os << static_cast<int>(vec[i]);
54*4d7e907cSAndroid Build Coastguard Worker     os.flags(flags);
55*4d7e907cSAndroid Build Coastguard Worker     return os;
56*4d7e907cSAndroid Build Coastguard Worker }
57*4d7e907cSAndroid Build Coastguard Worker 
58*4d7e907cSAndroid Build Coastguard Worker namespace keymaster {
59*4d7e907cSAndroid Build Coastguard Worker 
60*4d7e907cSAndroid Build Coastguard Worker namespace V4_0 {
61*4d7e907cSAndroid Build Coastguard Worker 
operator <<(std::ostream & os,const HmacSharingParameters & params)62*4d7e907cSAndroid Build Coastguard Worker std::ostream& operator<<(std::ostream& os, const HmacSharingParameters& params) {
63*4d7e907cSAndroid Build Coastguard Worker     // Note that by design, although seed and nonce are used to compute a secret, they are
64*4d7e907cSAndroid Build Coastguard Worker     // not secrets and it's just fine to log them.
65*4d7e907cSAndroid Build Coastguard Worker     os << "(seed: " << params.seed << ", nonce: " << params.nonce << ')';
66*4d7e907cSAndroid Build Coastguard Worker     return os;
67*4d7e907cSAndroid Build Coastguard Worker }
68*4d7e907cSAndroid Build Coastguard Worker 
69*4d7e907cSAndroid Build Coastguard Worker }  // namespace V4_0
70*4d7e907cSAndroid Build Coastguard Worker 
71*4d7e907cSAndroid Build Coastguard Worker namespace V4_1::support {
72*4d7e907cSAndroid Build Coastguard Worker 
73*4d7e907cSAndroid Build Coastguard Worker using ::android::sp;
74*4d7e907cSAndroid Build Coastguard Worker using ::android::hidl::manager::V1_2::IServiceManager;
75*4d7e907cSAndroid Build Coastguard Worker 
operator <<(std::ostream & os,const Keymaster & keymaster)76*4d7e907cSAndroid Build Coastguard Worker std::ostream& operator<<(std::ostream& os, const Keymaster& keymaster) {
77*4d7e907cSAndroid Build Coastguard Worker     auto& version = keymaster.halVersion();
78*4d7e907cSAndroid Build Coastguard Worker     os << version.keymasterName << " from " << version.authorName
79*4d7e907cSAndroid Build Coastguard Worker        << " SecurityLevel: " << toString(version.securityLevel)
80*4d7e907cSAndroid Build Coastguard Worker        << " HAL: " << keymaster.descriptor() << "/" << keymaster.instanceName();
81*4d7e907cSAndroid Build Coastguard Worker     return os;
82*4d7e907cSAndroid Build Coastguard Worker }
83*4d7e907cSAndroid Build Coastguard Worker 
84*4d7e907cSAndroid Build Coastguard Worker template <typename Wrapper>
enumerateDevices(const sp<IServiceManager> & serviceManager)85*4d7e907cSAndroid Build Coastguard Worker Keymaster::KeymasterSet enumerateDevices(const sp<IServiceManager>& serviceManager) {
86*4d7e907cSAndroid Build Coastguard Worker     Keymaster::KeymasterSet result;
87*4d7e907cSAndroid Build Coastguard Worker 
88*4d7e907cSAndroid Build Coastguard Worker     bool foundDefault = false;
89*4d7e907cSAndroid Build Coastguard Worker     auto& descriptor = Wrapper::WrappedIKeymasterDevice::descriptor;
90*4d7e907cSAndroid Build Coastguard Worker     serviceManager->listManifestByInterface(descriptor, [&](const hidl_vec<hidl_string>& names) {
91*4d7e907cSAndroid Build Coastguard Worker         for (auto& name : names) {
92*4d7e907cSAndroid Build Coastguard Worker             if (name == "default") foundDefault = true;
93*4d7e907cSAndroid Build Coastguard Worker             auto device = Wrapper::WrappedIKeymasterDevice::getService(name);
94*4d7e907cSAndroid Build Coastguard Worker             CHECK(device) << "Failed to get service for " << descriptor << " with interface name "
95*4d7e907cSAndroid Build Coastguard Worker                           << name;
96*4d7e907cSAndroid Build Coastguard Worker             result.push_back(new Wrapper(device, name));
97*4d7e907cSAndroid Build Coastguard Worker         }
98*4d7e907cSAndroid Build Coastguard Worker     });
99*4d7e907cSAndroid Build Coastguard Worker 
100*4d7e907cSAndroid Build Coastguard Worker     if (!foundDefault) {
101*4d7e907cSAndroid Build Coastguard Worker         // "default" wasn't provided by listManifestByInterface.  Maybe there's a passthrough
102*4d7e907cSAndroid Build Coastguard Worker         // implementation.
103*4d7e907cSAndroid Build Coastguard Worker         auto device = Wrapper::WrappedIKeymasterDevice::getService("default");
104*4d7e907cSAndroid Build Coastguard Worker         if (device) result.push_back(new Wrapper(device, "default"));
105*4d7e907cSAndroid Build Coastguard Worker     }
106*4d7e907cSAndroid Build Coastguard Worker 
107*4d7e907cSAndroid Build Coastguard Worker     return result;
108*4d7e907cSAndroid Build Coastguard Worker }
109*4d7e907cSAndroid Build Coastguard Worker 
logIfKeymasterVendorError(ErrorCode ec) const110*4d7e907cSAndroid Build Coastguard Worker void Keymaster::logIfKeymasterVendorError(ErrorCode ec) const {
111*4d7e907cSAndroid Build Coastguard Worker     static constexpr int32_t k_keymaster_vendor_error_code_range_max = -10000;
112*4d7e907cSAndroid Build Coastguard Worker     if (static_cast<int32_t>(ec) <= k_keymaster_vendor_error_code_range_max) {
113*4d7e907cSAndroid Build Coastguard Worker         const auto& versionInfo = halVersion();
114*4d7e907cSAndroid Build Coastguard Worker         LOG(ERROR) << "Keymaster reported error: " << static_cast<int32_t>(ec) << "\n"
115*4d7e907cSAndroid Build Coastguard Worker                    << "NOTE: This is an error in the vendor specific error range.\n"
116*4d7e907cSAndroid Build Coastguard Worker                    << "      Refer to the vendor of the implementation for details.\n"
117*4d7e907cSAndroid Build Coastguard Worker                    << "      Implementation name: " << versionInfo.keymasterName << "\n"
118*4d7e907cSAndroid Build Coastguard Worker                    << "      Vendor name:         " << versionInfo.authorName << "\n"
119*4d7e907cSAndroid Build Coastguard Worker                    << "      MajorVersion:        " << versionInfo.majorVersion;
120*4d7e907cSAndroid Build Coastguard Worker     }
121*4d7e907cSAndroid Build Coastguard Worker }
122*4d7e907cSAndroid Build Coastguard Worker 
enumerateAvailableDevices()123*4d7e907cSAndroid Build Coastguard Worker Keymaster::KeymasterSet Keymaster::enumerateAvailableDevices() {
124*4d7e907cSAndroid Build Coastguard Worker     auto serviceManager = IServiceManager::getService();
125*4d7e907cSAndroid Build Coastguard Worker     CHECK(serviceManager) << "Could not retrieve ServiceManager";
126*4d7e907cSAndroid Build Coastguard Worker 
127*4d7e907cSAndroid Build Coastguard Worker     auto km4s = enumerateDevices<Keymaster4>(serviceManager);
128*4d7e907cSAndroid Build Coastguard Worker     auto km3s = enumerateDevices<Keymaster3>(serviceManager);
129*4d7e907cSAndroid Build Coastguard Worker 
130*4d7e907cSAndroid Build Coastguard Worker     auto result = std::move(km4s);
131*4d7e907cSAndroid Build Coastguard Worker     result.insert(result.end(), std::make_move_iterator(km3s.begin()),
132*4d7e907cSAndroid Build Coastguard Worker                   std::make_move_iterator(km3s.end()));
133*4d7e907cSAndroid Build Coastguard Worker 
134*4d7e907cSAndroid Build Coastguard Worker     std::sort(result.begin(), result.end(),
135*4d7e907cSAndroid Build Coastguard Worker               [](auto& a, auto& b) { return a->halVersion() > b->halVersion(); });
136*4d7e907cSAndroid Build Coastguard Worker 
137*4d7e907cSAndroid Build Coastguard Worker     size_t i = 1;
138*4d7e907cSAndroid Build Coastguard Worker     LOG(INFO) << "List of Keymaster HALs found:";
139*4d7e907cSAndroid Build Coastguard Worker     for (auto& hal : result) LOG(INFO) << "Keymaster HAL #" << i++ << ": " << *hal;
140*4d7e907cSAndroid Build Coastguard Worker 
141*4d7e907cSAndroid Build Coastguard Worker     return result;
142*4d7e907cSAndroid Build Coastguard Worker }
143*4d7e907cSAndroid Build Coastguard Worker 
getHmacParameters(const Keymaster::KeymasterSet & keymasters)144*4d7e907cSAndroid Build Coastguard Worker static hidl_vec<HmacSharingParameters> getHmacParameters(
145*4d7e907cSAndroid Build Coastguard Worker         const Keymaster::KeymasterSet& keymasters) {
146*4d7e907cSAndroid Build Coastguard Worker     std::vector<HmacSharingParameters> params_vec;
147*4d7e907cSAndroid Build Coastguard Worker     params_vec.reserve(keymasters.size());
148*4d7e907cSAndroid Build Coastguard Worker     for (auto& keymaster : keymasters) {
149*4d7e907cSAndroid Build Coastguard Worker         if (keymaster->halVersion().majorVersion < 4) continue;
150*4d7e907cSAndroid Build Coastguard Worker         auto rc = keymaster->getHmacSharingParameters([&](auto error, auto& params) {
151*4d7e907cSAndroid Build Coastguard Worker             CHECK(error == V4_0::ErrorCode::OK)
152*4d7e907cSAndroid Build Coastguard Worker                     << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
153*4d7e907cSAndroid Build Coastguard Worker             params_vec.push_back(params);
154*4d7e907cSAndroid Build Coastguard Worker         });
155*4d7e907cSAndroid Build Coastguard Worker         CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
156*4d7e907cSAndroid Build Coastguard Worker                          << " error: " << rc.description();
157*4d7e907cSAndroid Build Coastguard Worker     }
158*4d7e907cSAndroid Build Coastguard Worker     std::sort(params_vec.begin(), params_vec.end());
159*4d7e907cSAndroid Build Coastguard Worker 
160*4d7e907cSAndroid Build Coastguard Worker     return params_vec;
161*4d7e907cSAndroid Build Coastguard Worker }
162*4d7e907cSAndroid Build Coastguard Worker 
computeHmac(const Keymaster::KeymasterSet & keymasters,const hidl_vec<HmacSharingParameters> & params)163*4d7e907cSAndroid Build Coastguard Worker static void computeHmac(const Keymaster::KeymasterSet& keymasters,
164*4d7e907cSAndroid Build Coastguard Worker                         const hidl_vec<HmacSharingParameters>& params) {
165*4d7e907cSAndroid Build Coastguard Worker     if (!params.size()) return;
166*4d7e907cSAndroid Build Coastguard Worker 
167*4d7e907cSAndroid Build Coastguard Worker     hidl_vec<uint8_t> sharingCheck;
168*4d7e907cSAndroid Build Coastguard Worker     bool firstKeymaster = true;
169*4d7e907cSAndroid Build Coastguard Worker     LOG(DEBUG) << "Computing HMAC with params " << params;
170*4d7e907cSAndroid Build Coastguard Worker     for (auto& keymaster : keymasters) {
171*4d7e907cSAndroid Build Coastguard Worker         if (keymaster->halVersion().majorVersion < 4) continue;
172*4d7e907cSAndroid Build Coastguard Worker         LOG(DEBUG) << "Computing HMAC for " << *keymaster;
173*4d7e907cSAndroid Build Coastguard Worker         auto rc = keymaster->computeSharedHmac(
174*4d7e907cSAndroid Build Coastguard Worker                 params, [&](V4_0::ErrorCode error, const hidl_vec<uint8_t>& curSharingCheck) {
175*4d7e907cSAndroid Build Coastguard Worker                     CHECK(error == V4_0::ErrorCode::OK) << "Failed to get HMAC parameters from "
176*4d7e907cSAndroid Build Coastguard Worker                                                         << *keymaster << " error " << error;
177*4d7e907cSAndroid Build Coastguard Worker                     if (firstKeymaster) {
178*4d7e907cSAndroid Build Coastguard Worker                         sharingCheck = curSharingCheck;
179*4d7e907cSAndroid Build Coastguard Worker                         firstKeymaster = false;
180*4d7e907cSAndroid Build Coastguard Worker                     }
181*4d7e907cSAndroid Build Coastguard Worker                     if (curSharingCheck != sharingCheck)
182*4d7e907cSAndroid Build Coastguard Worker                         LOG(WARNING) << "HMAC computation failed for " << *keymaster  //
183*4d7e907cSAndroid Build Coastguard Worker                                      << " Expected: " << sharingCheck                 //
184*4d7e907cSAndroid Build Coastguard Worker                                      << " got: " << curSharingCheck;
185*4d7e907cSAndroid Build Coastguard Worker                 });
186*4d7e907cSAndroid Build Coastguard Worker         CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
187*4d7e907cSAndroid Build Coastguard Worker                          << " error: " << rc.description();
188*4d7e907cSAndroid Build Coastguard Worker     }
189*4d7e907cSAndroid Build Coastguard Worker }
190*4d7e907cSAndroid Build Coastguard Worker 
performHmacKeyAgreement(const KeymasterSet & keymasters)191*4d7e907cSAndroid Build Coastguard Worker void Keymaster::performHmacKeyAgreement(const KeymasterSet& keymasters) {
192*4d7e907cSAndroid Build Coastguard Worker     computeHmac(keymasters, getHmacParameters(keymasters));
193*4d7e907cSAndroid Build Coastguard Worker }
194*4d7e907cSAndroid Build Coastguard Worker 
195*4d7e907cSAndroid Build Coastguard Worker }  // namespace V4_1::support
196*4d7e907cSAndroid Build Coastguard Worker }  // namespace keymaster
197*4d7e907cSAndroid Build Coastguard Worker }  // namespace android::hardware
198