/*
 * Copyright 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <cstdlib>
#include <map>
#include <string>
#include <vector>

#include <hardware/keymaster1.h>
#include <hardware/keymaster2.h>

#include <keymaster/UniquePtr.h>
#include <keymaster/android_keymaster.h>
#include <keymaster/contexts/soft_keymaster_context.h>

namespace keymaster {

class AuthorizationSet;

/**
 * Keymaster1 device implementation.
 *
 * This is a hybrid software/hardware implementation which wraps a keymaster0_device_t, forwarding
 * RSA operations to secure hardware and doing everything else in software.
 *
 * IMPORTANT MAINTAINER NOTE: Pointers to instances of this class must be castable to hw_device_t
 * and keymaster_device. This means it must remain a standard layout class (no virtual functions and
 * no data members which aren't standard layout), and device_ must be the first data member.
 * Assertions in the constructor validate compliance with those constraints.
 */
class SoftKeymasterDevice {
  public:
    explicit SoftKeymasterDevice(KmVersion version);

    explicit SoftKeymasterDevice(SoftKeymasterContext* context);

    /**
     * Set SoftKeymasterDevice to wrap specified HW keymaster1 device.  Takes ownership of the
     * specified device (will call keymaster1_device->common.close());
     */
    keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device);

    /**
     * Returns true if a keymaster1_device_t has been set as the hardware device, and if that
     * hardware device should be used directly.
     */
    bool Keymaster1DeviceIsGood();

    hw_device_t* hw_device();
    keymaster1_device_t* keymaster_device();
    keymaster2_device_t* keymaster2_device();

    // Public only for testing
    void GetVersion(const GetVersionRequest& req, GetVersionResponse* rsp) {
        impl_->GetVersion(req, rsp);
    }

    bool configured() const { return configured_; }

    bool supports_all_digests() { return supports_all_digests_; }

    typedef std::pair<keymaster_algorithm_t, keymaster_purpose_t> AlgPurposePair;
    typedef std::map<AlgPurposePair, std::vector<keymaster_digest_t>> DigestMap;

  private:
    void initialize_device_struct(uint32_t flags);
    bool FindUnsupportedDigest(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose,
                               const AuthorizationSet& params,
                               keymaster_digest_t* unsupported) const;
    bool RequiresSoftwareDigesting(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose,
                                   const AuthorizationSet& params) const;
    bool KeyRequiresSoftwareDigesting(const AuthorizationSet& key_description) const;

    static void StoreDefaultNewKeyParams(keymaster_algorithm_t algorithm,
                                         AuthorizationSet* auth_set);
    static keymaster_error_t GetPkcs8KeyAlgorithm(const uint8_t* key, size_t key_length,
                                                  keymaster_algorithm_t* algorithm);

    static int close_device(hw_device_t* dev);

    /*
     * These static methods are the functions referenced through the function pointers in
     * keymaster_device.
     */

    // Keymaster1 methods -- needed for testing.
    static keymaster_error_t get_supported_algorithms(const keymaster1_device_t* dev,
                                                      keymaster_algorithm_t** algorithms,
                                                      size_t* algorithms_length);
    static keymaster_error_t get_supported_block_modes(const keymaster1_device_t* dev,
                                                       keymaster_algorithm_t algorithm,
                                                       keymaster_purpose_t purpose,
                                                       keymaster_block_mode_t** modes,
                                                       size_t* modes_length);
    static keymaster_error_t get_supported_padding_modes(const keymaster1_device_t* dev,
                                                         keymaster_algorithm_t algorithm,
                                                         keymaster_purpose_t purpose,
                                                         keymaster_padding_t** modes,
                                                         size_t* modes_length);
    static keymaster_error_t get_supported_digests(const keymaster1_device_t* dev,
                                                   keymaster_algorithm_t algorithm,
                                                   keymaster_purpose_t purpose,
                                                   keymaster_digest_t** digests,
                                                   size_t* digests_length);
    static keymaster_error_t get_supported_import_formats(const keymaster1_device_t* dev,
                                                          keymaster_algorithm_t algorithm,
                                                          keymaster_key_format_t** formats,
                                                          size_t* formats_length);
    static keymaster_error_t get_supported_export_formats(const keymaster1_device_t* dev,
                                                          keymaster_algorithm_t algorithm,
                                                          keymaster_key_format_t** formats,
                                                          size_t* formats_length);
    static keymaster_error_t add_rng_entropy(const keymaster1_device_t* dev, const uint8_t* data,
                                             size_t data_length);
    static keymaster_error_t generate_key(const keymaster1_device_t* dev,
                                          const keymaster_key_param_set_t* params,
                                          keymaster_key_blob_t* key_blob,
                                          keymaster_key_characteristics_t** characteristics);
    static keymaster_error_t get_key_characteristics(const keymaster1_device_t* dev,
                                                     const keymaster_key_blob_t* key_blob,
                                                     const keymaster_blob_t* client_id,
                                                     const keymaster_blob_t* app_data,
                                                     keymaster_key_characteristics_t** character);
    static keymaster_error_t import_key(const keymaster1_device_t* dev,  //
                                        const keymaster_key_param_set_t* params,
                                        keymaster_key_format_t key_format,
                                        const keymaster_blob_t* key_data,
                                        keymaster_key_blob_t* key_blob,
                                        keymaster_key_characteristics_t** characteristics);
    static keymaster_error_t export_key(const keymaster1_device_t* dev,  //
                                        keymaster_key_format_t export_format,
                                        const keymaster_key_blob_t* key_to_export,
                                        const keymaster_blob_t* client_id,
                                        const keymaster_blob_t* app_data,
                                        keymaster_blob_t* export_data);
    static keymaster_error_t delete_key(const keymaster1_device_t* dev,
                                        const keymaster_key_blob_t* key);
    static keymaster_error_t delete_all_keys(const keymaster1_device_t* dev);
    static keymaster_error_t begin(const keymaster1_device_t* dev, keymaster_purpose_t purpose,
                                   const keymaster_key_blob_t* key,
                                   const keymaster_key_param_set_t* in_params,
                                   keymaster_key_param_set_t* out_params,
                                   keymaster_operation_handle_t* operation_handle);
    static keymaster_error_t update(const keymaster1_device_t* dev,  //
                                    keymaster_operation_handle_t operation_handle,
                                    const keymaster_key_param_set_t* in_params,
                                    const keymaster_blob_t* input, size_t* input_consumed,
                                    keymaster_key_param_set_t* out_params,
                                    keymaster_blob_t* output);
    static keymaster_error_t finish(const keymaster1_device_t* dev,  //
                                    keymaster_operation_handle_t operation_handle,
                                    const keymaster_key_param_set_t* in_params,
                                    const keymaster_blob_t* signature,
                                    keymaster_key_param_set_t* out_params,
                                    keymaster_blob_t* output);
    static keymaster_error_t abort(const keymaster1_device_t* dev,
                                   keymaster_operation_handle_t operation_handle);

    // Keymaster2 methods
    static keymaster_error_t configure(const keymaster2_device_t* dev,
                                       const keymaster_key_param_set_t* params);
    static keymaster_error_t add_rng_entropy(const keymaster2_device_t* dev, const uint8_t* data,
                                             size_t data_length);
    static keymaster_error_t generate_key(const keymaster2_device_t* dev,
                                          const keymaster_key_param_set_t* params,
                                          keymaster_key_blob_t* key_blob,
                                          keymaster_key_characteristics_t* characteristics);
    static keymaster_error_t get_key_characteristics(const keymaster2_device_t* dev,
                                                     const keymaster_key_blob_t* key_blob,
                                                     const keymaster_blob_t* client_id,
                                                     const keymaster_blob_t* app_data,
                                                     keymaster_key_characteristics_t* character);
    static keymaster_error_t import_key(const keymaster2_device_t* dev,  //
                                        const keymaster_key_param_set_t* params,
                                        keymaster_key_format_t key_format,
                                        const keymaster_blob_t* key_data,
                                        keymaster_key_blob_t* key_blob,
                                        keymaster_key_characteristics_t* characteristics);
    static keymaster_error_t export_key(const keymaster2_device_t* dev,  //
                                        keymaster_key_format_t export_format,
                                        const keymaster_key_blob_t* key_to_export,
                                        const keymaster_blob_t* client_id,
                                        const keymaster_blob_t* app_data,
                                        keymaster_blob_t* export_data);
    static keymaster_error_t attest_key(const keymaster2_device_t* dev,
                                        const keymaster_key_blob_t* key_to_attest,
                                        const keymaster_key_param_set_t* attest_params,
                                        keymaster_cert_chain_t* cert_chain);
    static keymaster_error_t upgrade_key(const keymaster2_device_t* dev,
                                         const keymaster_key_blob_t* key_to_upgrade,
                                         const keymaster_key_param_set_t* upgrade_params,
                                         keymaster_key_blob_t* upgraded_key);
    static keymaster_error_t delete_key(const keymaster2_device_t* dev,
                                        const keymaster_key_blob_t* key);
    static keymaster_error_t delete_all_keys(const keymaster2_device_t* dev);
    static keymaster_error_t begin(const keymaster2_device_t* dev, keymaster_purpose_t purpose,
                                   const keymaster_key_blob_t* key,
                                   const keymaster_key_param_set_t* in_params,
                                   keymaster_key_param_set_t* out_params,
                                   keymaster_operation_handle_t* operation_handle);
    static keymaster_error_t update(const keymaster2_device_t* dev,  //
                                    keymaster_operation_handle_t operation_handle,
                                    const keymaster_key_param_set_t* in_params,
                                    const keymaster_blob_t* input, size_t* input_consumed,
                                    keymaster_key_param_set_t* out_params,
                                    keymaster_blob_t* output);
    static keymaster_error_t finish(const keymaster2_device_t* dev,  //
                                    keymaster_operation_handle_t operation_handle,
                                    const keymaster_key_param_set_t* in_params,
                                    const keymaster_blob_t* input,
                                    const keymaster_blob_t* signature,
                                    keymaster_key_param_set_t* out_params,
                                    keymaster_blob_t* output);
    static keymaster_error_t abort(const keymaster2_device_t* dev,
                                   keymaster_operation_handle_t operation_handle);

    keymaster1_device_t km1_device_;
    keymaster2_device_t km2_device_;

    keymaster1_device_t* wrapped_km1_device_;
    DigestMap km1_device_digests_;
    SoftKeymasterContext* context_;
    UniquePtr<AndroidKeymaster> impl_;
    std::string module_name_;
    hw_module_t updated_module_;
    bool configured_;
    bool supports_all_digests_;
};

}  // namespace keymaster
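
The maintainer note in the class comment (standard layout, device struct as first data member, assertions in the constructor) can be seen in isolation in the sketch below. It is an added example, not code from this header or from the Keymaster project: `fake_hw_device_t`, `fake_keymaster_device_t`, `WrapperDevice` and `VirtualWrapper` are hypothetical stand-ins for the HAL types and the wrapper class.

```cpp
#include <cstddef>
#include <cstdint>
#include <type_traits>

// Hypothetical stand-ins for hw_device_t and keymaster1_device_t (not the real HAL structs).
struct fake_hw_device_t {
    uint32_t tag;
    int (*close)(fake_hw_device_t* dev);
};
struct fake_keymaster_device_t {
    fake_hw_device_t common;  // common header first, so the struct pointer doubles as its pointer
    int (*get_counter)(const fake_keymaster_device_t* dev);
};

// Wrapper that hands C callers a pointer to device_ and recovers `this` inside the callbacks.
class WrapperDevice {
  public:
    explicit WrapperDevice(int start) : device_{}, counter_(start), closed_(false) {
        // Compile-time checks for the two constraints the maintainer note names.
        static_assert(std::is_standard_layout<WrapperDevice>::value,
                      "WrapperDevice must be standard layout");
        static_assert(offsetof(WrapperDevice, device_) == 0,
                      "device_ must be the first data member");
        device_.common.tag = 1;  // constructed value
        device_.common.close = &WrapperDevice::close_device;
        device_.get_counter = &WrapperDevice::get_counter;
    }
    fake_hw_device_t* hw_device() { return &device_.common; }
    fake_keymaster_device_t* keymaster_device() { return &device_; }
    bool closed() const { return closed_; }

  private:
    // Valid only because device_ sits at offset 0 of a standard-layout class.
    static WrapperDevice* from(const fake_keymaster_device_t* dev) {
        return reinterpret_cast<WrapperDevice*>(const_cast<fake_keymaster_device_t*>(dev));
    }
    static int get_counter(const fake_keymaster_device_t* dev) { return from(dev)->counter_++; }
    static int close_device(fake_hw_device_t* dev) {
        reinterpret_cast<WrapperDevice*>(dev)->closed_ = true;
        return 0;
    }

    fake_keymaster_device_t device_;  // must stay first
    int counter_;
    bool closed_;
};

// Counter-example: one virtual function makes the class non-standard-layout, so the
// static_assert above would reject it and the casts in from() would be unsafe.
struct VirtualWrapper {
    virtual ~VirtualWrapper() {}
    fake_keymaster_device_t device_;
};
constexpr bool kVirtualWrapperIsSafe = std::is_standard_layout<VirtualWrapper>::value;

// Drives the wrapper only through the C-style pointers, as a HAL client would.
int exercise_through_c_pointers() {
    WrapperDevice wrapper(41);
    fake_keymaster_device_t* dev = wrapper.keymaster_device();
    dev->get_counter(dev);               // returns 41, state becomes 42
    int second = dev->get_counter(dev);  // returns 42
    fake_hw_device_t* hw = wrapper.hw_device();
    hw->close(hw);
    return wrapper.closed() ? second : -1;
}

int main() { return exercise_through_c_pointers() == 42 ? 0 : 1; }
```

If the device struct were moved below another member, or a virtual function were added, the static assertions would stop the build instead of letting the callbacks reinterpret the wrong address at run time.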