1*789431f2SAndroid Build Coastguard Worker /*
2*789431f2SAndroid Build Coastguard Worker * Copyright 2020, The Android Open Source Project
3*789431f2SAndroid Build Coastguard Worker *
4*789431f2SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*789431f2SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*789431f2SAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*789431f2SAndroid Build Coastguard Worker *
8*789431f2SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*789431f2SAndroid Build Coastguard Worker *
10*789431f2SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*789431f2SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*789431f2SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*789431f2SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*789431f2SAndroid Build Coastguard Worker * limitations under the License.
15*789431f2SAndroid Build Coastguard Worker */
16*789431f2SAndroid Build Coastguard Worker
17*789431f2SAndroid Build Coastguard Worker #define LOG_TAG "android.hardware.security.keymint-impl"
18*789431f2SAndroid Build Coastguard Worker #include <android-base/logging.h>
19*789431f2SAndroid Build Coastguard Worker
20*789431f2SAndroid Build Coastguard Worker #include "AndroidKeyMintDevice.h"
21*789431f2SAndroid Build Coastguard Worker
22*789431f2SAndroid Build Coastguard Worker #include <aidl/android/hardware/security/keymint/ErrorCode.h>
23*789431f2SAndroid Build Coastguard Worker
24*789431f2SAndroid Build Coastguard Worker #include <keymaster/android_keymaster.h>
25*789431f2SAndroid Build Coastguard Worker #include <keymaster/contexts/pure_soft_keymaster_context.h>
26*789431f2SAndroid Build Coastguard Worker #include <keymaster/keymaster_configuration.h>
27*789431f2SAndroid Build Coastguard Worker
28*789431f2SAndroid Build Coastguard Worker #include "AndroidKeyMintOperation.h"
29*789431f2SAndroid Build Coastguard Worker #include "KeyMintUtils.h"
30*789431f2SAndroid Build Coastguard Worker
31*789431f2SAndroid Build Coastguard Worker namespace aidl::android::hardware::security::keymint {
32*789431f2SAndroid Build Coastguard Worker
33*789431f2SAndroid Build Coastguard Worker using namespace keymaster; // NOLINT(google-build-using-namespace)
34*789431f2SAndroid Build Coastguard Worker
35*789431f2SAndroid Build Coastguard Worker using km_utils::authToken2AidlVec;
36*789431f2SAndroid Build Coastguard Worker using km_utils::kmBlob2vector;
37*789431f2SAndroid Build Coastguard Worker using km_utils::kmError2ScopedAStatus;
38*789431f2SAndroid Build Coastguard Worker using km_utils::kmParam2Aidl;
39*789431f2SAndroid Build Coastguard Worker using km_utils::KmParamSet;
40*789431f2SAndroid Build Coastguard Worker using km_utils::kmParamSet2Aidl;
41*789431f2SAndroid Build Coastguard Worker using km_utils::legacy_enum_conversion;
42*789431f2SAndroid Build Coastguard Worker using secureclock::TimeStampToken;
43*789431f2SAndroid Build Coastguard Worker
44*789431f2SAndroid Build Coastguard Worker namespace {
45*789431f2SAndroid Build Coastguard Worker
convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,const AuthorizationSet & requestParams,const AuthorizationSet & sw_enforced,const AuthorizationSet & hw_enforced,bool include_keystore_enforced=true)46*789431f2SAndroid Build Coastguard Worker vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,
47*789431f2SAndroid Build Coastguard Worker const AuthorizationSet& requestParams,
48*789431f2SAndroid Build Coastguard Worker const AuthorizationSet& sw_enforced,
49*789431f2SAndroid Build Coastguard Worker const AuthorizationSet& hw_enforced,
50*789431f2SAndroid Build Coastguard Worker bool include_keystore_enforced = true) {
51*789431f2SAndroid Build Coastguard Worker KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}};
52*789431f2SAndroid Build Coastguard Worker
53*789431f2SAndroid Build Coastguard Worker if (keyMintSecurityLevel != SecurityLevel::SOFTWARE) {
54*789431f2SAndroid Build Coastguard Worker // We're pretending to be TRUSTED_ENVIRONMENT or STRONGBOX.
55*789431f2SAndroid Build Coastguard Worker keyMintEnforced.authorizations = kmParamSet2Aidl(hw_enforced);
56*789431f2SAndroid Build Coastguard Worker if (include_keystore_enforced && !sw_enforced.empty()) {
57*789431f2SAndroid Build Coastguard Worker // Put all the software authorizations in the keystore list.
58*789431f2SAndroid Build Coastguard Worker KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE,
59*789431f2SAndroid Build Coastguard Worker kmParamSet2Aidl(sw_enforced)};
60*789431f2SAndroid Build Coastguard Worker return {std::move(keyMintEnforced), std::move(keystoreEnforced)};
61*789431f2SAndroid Build Coastguard Worker } else {
62*789431f2SAndroid Build Coastguard Worker return {std::move(keyMintEnforced)};
63*789431f2SAndroid Build Coastguard Worker }
64*789431f2SAndroid Build Coastguard Worker }
65*789431f2SAndroid Build Coastguard Worker
66*789431f2SAndroid Build Coastguard Worker KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}};
67*789431f2SAndroid Build Coastguard Worker CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint";
68*789431f2SAndroid Build Coastguard Worker
69*789431f2SAndroid Build Coastguard Worker // This is a pure software implementation, so all tags are in sw_enforced.
70*789431f2SAndroid Build Coastguard Worker // We need to walk through the SW-enforced list and figure out which tags to
71*789431f2SAndroid Build Coastguard Worker // return in the software list and which in the keystore list.
72*789431f2SAndroid Build Coastguard Worker
73*789431f2SAndroid Build Coastguard Worker for (auto& entry : sw_enforced) {
74*789431f2SAndroid Build Coastguard Worker switch (entry.tag) {
75*789431f2SAndroid Build Coastguard Worker /* Invalid and unused */
76*789431f2SAndroid Build Coastguard Worker case KM_TAG_ECIES_SINGLE_HASH_MODE:
77*789431f2SAndroid Build Coastguard Worker case KM_TAG_INVALID:
78*789431f2SAndroid Build Coastguard Worker case KM_TAG_KDF:
79*789431f2SAndroid Build Coastguard Worker case KM_TAG_ROLLBACK_RESISTANCE:
80*789431f2SAndroid Build Coastguard Worker CHECK(false) << "We shouldn't see tag " << entry.tag;
81*789431f2SAndroid Build Coastguard Worker break;
82*789431f2SAndroid Build Coastguard Worker
83*789431f2SAndroid Build Coastguard Worker /* Unimplemented */
84*789431f2SAndroid Build Coastguard Worker case KM_TAG_ALLOW_WHILE_ON_BODY:
85*789431f2SAndroid Build Coastguard Worker case KM_TAG_BOOTLOADER_ONLY:
86*789431f2SAndroid Build Coastguard Worker case KM_TAG_ROLLBACK_RESISTANT:
87*789431f2SAndroid Build Coastguard Worker case KM_TAG_STORAGE_KEY:
88*789431f2SAndroid Build Coastguard Worker break;
89*789431f2SAndroid Build Coastguard Worker
90*789431f2SAndroid Build Coastguard Worker /* Keystore-enforced if not locally generated. */
91*789431f2SAndroid Build Coastguard Worker case KM_TAG_CREATION_DATETIME:
92*789431f2SAndroid Build Coastguard Worker // A KeyMaster implementation is required to add this tag to generated/imported keys.
93*789431f2SAndroid Build Coastguard Worker // A KeyMint implementation is not required to create this tag, only to echo it back if
94*789431f2SAndroid Build Coastguard Worker // it was included in the key generation/import request.
95*789431f2SAndroid Build Coastguard Worker if (requestParams.Contains(KM_TAG_CREATION_DATETIME)) {
96*789431f2SAndroid Build Coastguard Worker keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
97*789431f2SAndroid Build Coastguard Worker }
98*789431f2SAndroid Build Coastguard Worker break;
99*789431f2SAndroid Build Coastguard Worker
100*789431f2SAndroid Build Coastguard Worker /* Disallowed in KeyCharacteristics */
101*789431f2SAndroid Build Coastguard Worker case KM_TAG_APPLICATION_DATA:
102*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_APPLICATION_ID:
103*789431f2SAndroid Build Coastguard Worker break;
104*789431f2SAndroid Build Coastguard Worker
105*789431f2SAndroid Build Coastguard Worker /* Not key characteristics */
106*789431f2SAndroid Build Coastguard Worker case KM_TAG_ASSOCIATED_DATA:
107*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_CHALLENGE:
108*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_BRAND:
109*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_DEVICE:
110*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_IMEI:
111*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
112*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_MANUFACTURER:
113*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_MEID:
114*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_MODEL:
115*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_PRODUCT:
116*789431f2SAndroid Build Coastguard Worker case KM_TAG_ATTESTATION_ID_SERIAL:
117*789431f2SAndroid Build Coastguard Worker case KM_TAG_AUTH_TOKEN:
118*789431f2SAndroid Build Coastguard Worker case KM_TAG_CERTIFICATE_SERIAL:
119*789431f2SAndroid Build Coastguard Worker case KM_TAG_CERTIFICATE_SUBJECT:
120*789431f2SAndroid Build Coastguard Worker case KM_TAG_CERTIFICATE_NOT_AFTER:
121*789431f2SAndroid Build Coastguard Worker case KM_TAG_CERTIFICATE_NOT_BEFORE:
122*789431f2SAndroid Build Coastguard Worker case KM_TAG_CONFIRMATION_TOKEN:
123*789431f2SAndroid Build Coastguard Worker case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
124*789431f2SAndroid Build Coastguard Worker case KM_TAG_IDENTITY_CREDENTIAL_KEY:
125*789431f2SAndroid Build Coastguard Worker case KM_TAG_INCLUDE_UNIQUE_ID:
126*789431f2SAndroid Build Coastguard Worker case KM_TAG_MAC_LENGTH:
127*789431f2SAndroid Build Coastguard Worker case KM_TAG_NONCE:
128*789431f2SAndroid Build Coastguard Worker case KM_TAG_RESET_SINCE_ID_ROTATION:
129*789431f2SAndroid Build Coastguard Worker case KM_TAG_ROOT_OF_TRUST:
130*789431f2SAndroid Build Coastguard Worker case KM_TAG_UNIQUE_ID:
131*789431f2SAndroid Build Coastguard Worker case KM_TAG_MODULE_HASH:
132*789431f2SAndroid Build Coastguard Worker break;
133*789431f2SAndroid Build Coastguard Worker
134*789431f2SAndroid Build Coastguard Worker /* KeyMint-enforced */
135*789431f2SAndroid Build Coastguard Worker case KM_TAG_ALGORITHM:
136*789431f2SAndroid Build Coastguard Worker case KM_TAG_APPLICATION_ID:
137*789431f2SAndroid Build Coastguard Worker case KM_TAG_AUTH_TIMEOUT:
138*789431f2SAndroid Build Coastguard Worker case KM_TAG_BLOB_USAGE_REQUIREMENTS:
139*789431f2SAndroid Build Coastguard Worker case KM_TAG_BLOCK_MODE:
140*789431f2SAndroid Build Coastguard Worker case KM_TAG_BOOT_PATCHLEVEL:
141*789431f2SAndroid Build Coastguard Worker case KM_TAG_CALLER_NONCE:
142*789431f2SAndroid Build Coastguard Worker case KM_TAG_DIGEST:
143*789431f2SAndroid Build Coastguard Worker case KM_TAG_EARLY_BOOT_ONLY:
144*789431f2SAndroid Build Coastguard Worker case KM_TAG_EC_CURVE:
145*789431f2SAndroid Build Coastguard Worker case KM_TAG_EXPORTABLE:
146*789431f2SAndroid Build Coastguard Worker case KM_TAG_KEY_SIZE:
147*789431f2SAndroid Build Coastguard Worker case KM_TAG_MAX_USES_PER_BOOT:
148*789431f2SAndroid Build Coastguard Worker case KM_TAG_MIN_MAC_LENGTH:
149*789431f2SAndroid Build Coastguard Worker case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
150*789431f2SAndroid Build Coastguard Worker case KM_TAG_NO_AUTH_REQUIRED:
151*789431f2SAndroid Build Coastguard Worker case KM_TAG_ORIGIN:
152*789431f2SAndroid Build Coastguard Worker case KM_TAG_OS_PATCHLEVEL:
153*789431f2SAndroid Build Coastguard Worker case KM_TAG_OS_VERSION:
154*789431f2SAndroid Build Coastguard Worker case KM_TAG_PADDING:
155*789431f2SAndroid Build Coastguard Worker case KM_TAG_PURPOSE:
156*789431f2SAndroid Build Coastguard Worker case KM_TAG_RSA_OAEP_MGF_DIGEST:
157*789431f2SAndroid Build Coastguard Worker case KM_TAG_RSA_PUBLIC_EXPONENT:
158*789431f2SAndroid Build Coastguard Worker case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
159*789431f2SAndroid Build Coastguard Worker case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
160*789431f2SAndroid Build Coastguard Worker case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
161*789431f2SAndroid Build Coastguard Worker case KM_TAG_USER_AUTH_TYPE:
162*789431f2SAndroid Build Coastguard Worker case KM_TAG_USER_SECURE_ID:
163*789431f2SAndroid Build Coastguard Worker case KM_TAG_VENDOR_PATCHLEVEL:
164*789431f2SAndroid Build Coastguard Worker keyMintEnforced.authorizations.push_back(kmParam2Aidl(entry));
165*789431f2SAndroid Build Coastguard Worker break;
166*789431f2SAndroid Build Coastguard Worker
167*789431f2SAndroid Build Coastguard Worker /* Keystore-enforced */
168*789431f2SAndroid Build Coastguard Worker case KM_TAG_ACTIVE_DATETIME:
169*789431f2SAndroid Build Coastguard Worker case KM_TAG_ALL_APPLICATIONS:
170*789431f2SAndroid Build Coastguard Worker case KM_TAG_ALL_USERS:
171*789431f2SAndroid Build Coastguard Worker case KM_TAG_MAX_BOOT_LEVEL:
172*789431f2SAndroid Build Coastguard Worker case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
173*789431f2SAndroid Build Coastguard Worker case KM_TAG_USAGE_EXPIRE_DATETIME:
174*789431f2SAndroid Build Coastguard Worker case KM_TAG_USER_ID:
175*789431f2SAndroid Build Coastguard Worker case KM_TAG_USAGE_COUNT_LIMIT:
176*789431f2SAndroid Build Coastguard Worker keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
177*789431f2SAndroid Build Coastguard Worker break;
178*789431f2SAndroid Build Coastguard Worker }
179*789431f2SAndroid Build Coastguard Worker }
180*789431f2SAndroid Build Coastguard Worker
181*789431f2SAndroid Build Coastguard Worker vector<KeyCharacteristics> retval;
182*789431f2SAndroid Build Coastguard Worker retval.reserve(2);
183*789431f2SAndroid Build Coastguard Worker if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced));
184*789431f2SAndroid Build Coastguard Worker if (include_keystore_enforced && !keystoreEnforced.authorizations.empty()) {
185*789431f2SAndroid Build Coastguard Worker retval.push_back(std::move(keystoreEnforced));
186*789431f2SAndroid Build Coastguard Worker }
187*789431f2SAndroid Build Coastguard Worker
188*789431f2SAndroid Build Coastguard Worker return retval;
189*789431f2SAndroid Build Coastguard Worker }
190*789431f2SAndroid Build Coastguard Worker
convertCertificate(const keymaster_blob_t & cert)191*789431f2SAndroid Build Coastguard Worker Certificate convertCertificate(const keymaster_blob_t& cert) {
192*789431f2SAndroid Build Coastguard Worker return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)};
193*789431f2SAndroid Build Coastguard Worker }
194*789431f2SAndroid Build Coastguard Worker
convertCertificateChain(const CertificateChain & chain)195*789431f2SAndroid Build Coastguard Worker vector<Certificate> convertCertificateChain(const CertificateChain& chain) {
196*789431f2SAndroid Build Coastguard Worker vector<Certificate> retval;
197*789431f2SAndroid Build Coastguard Worker retval.reserve(chain.entry_count);
198*789431f2SAndroid Build Coastguard Worker std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate);
199*789431f2SAndroid Build Coastguard Worker return retval;
200*789431f2SAndroid Build Coastguard Worker }
201*789431f2SAndroid Build Coastguard Worker
addClientAndAppData(const std::vector<uint8_t> & appId,const std::vector<uint8_t> & appData,::keymaster::AuthorizationSet * params)202*789431f2SAndroid Build Coastguard Worker void addClientAndAppData(const std::vector<uint8_t>& appId, const std::vector<uint8_t>& appData,
203*789431f2SAndroid Build Coastguard Worker ::keymaster::AuthorizationSet* params) {
204*789431f2SAndroid Build Coastguard Worker params->Clear();
205*789431f2SAndroid Build Coastguard Worker if (appId.size()) {
206*789431f2SAndroid Build Coastguard Worker params->push_back(::keymaster::TAG_APPLICATION_ID, appId.data(), appId.size());
207*789431f2SAndroid Build Coastguard Worker }
208*789431f2SAndroid Build Coastguard Worker if (appData.size()) {
209*789431f2SAndroid Build Coastguard Worker params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size());
210*789431f2SAndroid Build Coastguard Worker }
211*789431f2SAndroid Build Coastguard Worker }
212*789431f2SAndroid Build Coastguard Worker
213*789431f2SAndroid Build Coastguard Worker } // namespace
214*789431f2SAndroid Build Coastguard Worker
215*789431f2SAndroid Build Coastguard Worker constexpr size_t kOperationTableSize = 16;
216*789431f2SAndroid Build Coastguard Worker
AndroidKeyMintDevice(SecurityLevel securityLevel)217*789431f2SAndroid Build Coastguard Worker AndroidKeyMintDevice::AndroidKeyMintDevice(SecurityLevel securityLevel)
218*789431f2SAndroid Build Coastguard Worker : impl_(new(std::nothrow)::keymaster::AndroidKeymaster(
219*789431f2SAndroid Build Coastguard Worker [&]() -> auto {
220*789431f2SAndroid Build Coastguard Worker auto context = new (std::nothrow) PureSoftKeymasterContext(
221*789431f2SAndroid Build Coastguard Worker KmVersion::KEYMINT_4, static_cast<keymaster_security_level_t>(securityLevel));
222*789431f2SAndroid Build Coastguard Worker context->SetSystemVersion(::keymaster::GetOsVersion(),
223*789431f2SAndroid Build Coastguard Worker ::keymaster::GetOsPatchlevel());
224*789431f2SAndroid Build Coastguard Worker context->SetVendorPatchlevel(::keymaster::GetVendorPatchlevel());
225*789431f2SAndroid Build Coastguard Worker // Software devices cannot be configured by the boot loader but they have
226*789431f2SAndroid Build Coastguard Worker // to return a boot patch level. So lets just return the OS patch level.
227*789431f2SAndroid Build Coastguard Worker // The OS patch level only has a year and a month so we just add the 1st
228*789431f2SAndroid Build Coastguard Worker // of the month as day field.
229*789431f2SAndroid Build Coastguard Worker context->SetBootPatchlevel(GetOsPatchlevel() * 100 + 1);
230*789431f2SAndroid Build Coastguard Worker auto digest = ::keymaster::GetVbmetaDigest();
231*789431f2SAndroid Build Coastguard Worker if (digest) {
232*789431f2SAndroid Build Coastguard Worker std::string bootState = ::keymaster::GetVerifiedBootState();
233*789431f2SAndroid Build Coastguard Worker std::string bootloaderState = ::keymaster::GetBootloaderState();
234*789431f2SAndroid Build Coastguard Worker context->SetVerifiedBootInfo(bootState, bootloaderState, *digest);
235*789431f2SAndroid Build Coastguard Worker } else {
236*789431f2SAndroid Build Coastguard Worker LOG(ERROR) << "Unable to read vb_meta digest";
237*789431f2SAndroid Build Coastguard Worker }
238*789431f2SAndroid Build Coastguard Worker return context;
239*789431f2SAndroid Build Coastguard Worker }(),
240*789431f2SAndroid Build Coastguard Worker kOperationTableSize)),
241*789431f2SAndroid Build Coastguard Worker securityLevel_(securityLevel) {}
242*789431f2SAndroid Build Coastguard Worker
~AndroidKeyMintDevice()243*789431f2SAndroid Build Coastguard Worker AndroidKeyMintDevice::~AndroidKeyMintDevice() {}
244*789431f2SAndroid Build Coastguard Worker
getHardwareInfo(KeyMintHardwareInfo * info)245*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
246*789431f2SAndroid Build Coastguard Worker info->versionNumber = 4;
247*789431f2SAndroid Build Coastguard Worker info->securityLevel = securityLevel_;
248*789431f2SAndroid Build Coastguard Worker info->keyMintName = "FakeKeyMintDevice";
249*789431f2SAndroid Build Coastguard Worker info->keyMintAuthorName = "Google";
250*789431f2SAndroid Build Coastguard Worker info->timestampTokenRequired = false;
251*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
252*789431f2SAndroid Build Coastguard Worker }
253*789431f2SAndroid Build Coastguard Worker
addRngEntropy(const vector<uint8_t> & data)254*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
255*789431f2SAndroid Build Coastguard Worker if (data.size() == 0) {
256*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
257*789431f2SAndroid Build Coastguard Worker }
258*789431f2SAndroid Build Coastguard Worker
259*789431f2SAndroid Build Coastguard Worker AddEntropyRequest request(impl_->message_version());
260*789431f2SAndroid Build Coastguard Worker request.random_data.Reinitialize(data.data(), data.size());
261*789431f2SAndroid Build Coastguard Worker
262*789431f2SAndroid Build Coastguard Worker AddEntropyResponse response(impl_->message_version());
263*789431f2SAndroid Build Coastguard Worker impl_->AddRngEntropy(request, &response);
264*789431f2SAndroid Build Coastguard Worker
265*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
266*789431f2SAndroid Build Coastguard Worker }
267*789431f2SAndroid Build Coastguard Worker
generateKey(const vector<KeyParameter> & keyParams,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)268*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
269*789431f2SAndroid Build Coastguard Worker const optional<AttestationKey>& attestationKey,
270*789431f2SAndroid Build Coastguard Worker KeyCreationResult* creationResult) {
271*789431f2SAndroid Build Coastguard Worker
272*789431f2SAndroid Build Coastguard Worker GenerateKeyRequest request(impl_->message_version());
273*789431f2SAndroid Build Coastguard Worker request.key_description.Reinitialize(KmParamSet(keyParams));
274*789431f2SAndroid Build Coastguard Worker if (attestationKey) {
275*789431f2SAndroid Build Coastguard Worker request.attestation_signing_key_blob =
276*789431f2SAndroid Build Coastguard Worker KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
277*789431f2SAndroid Build Coastguard Worker request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
278*789431f2SAndroid Build Coastguard Worker request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
279*789431f2SAndroid Build Coastguard Worker attestationKey->issuerSubjectName.size());
280*789431f2SAndroid Build Coastguard Worker }
281*789431f2SAndroid Build Coastguard Worker
282*789431f2SAndroid Build Coastguard Worker GenerateKeyResponse response(impl_->message_version());
283*789431f2SAndroid Build Coastguard Worker impl_->GenerateKey(request, &response);
284*789431f2SAndroid Build Coastguard Worker
285*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
286*789431f2SAndroid Build Coastguard Worker // Note a key difference between this current aidl and previous hal, is
287*789431f2SAndroid Build Coastguard Worker // that hal returns void where as aidl returns the error status. If
288*789431f2SAndroid Build Coastguard Worker // aidl returns error, then aidl will not return any change you may make
289*789431f2SAndroid Build Coastguard Worker // to the out parameters. This is quite different from hal where all
290*789431f2SAndroid Build Coastguard Worker // output variable can be modified due to hal returning void.
291*789431f2SAndroid Build Coastguard Worker //
292*789431f2SAndroid Build Coastguard Worker // So the caller need to be aware not to expect aidl functions to clear
293*789431f2SAndroid Build Coastguard Worker // the output variables for you in case of error. If you left some
294*789431f2SAndroid Build Coastguard Worker // wrong data set in the out parameters, they will stay there.
295*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
296*789431f2SAndroid Build Coastguard Worker }
297*789431f2SAndroid Build Coastguard Worker
298*789431f2SAndroid Build Coastguard Worker creationResult->keyBlob = kmBlob2vector(response.key_blob);
299*789431f2SAndroid Build Coastguard Worker creationResult->keyCharacteristics = convertKeyCharacteristics(
300*789431f2SAndroid Build Coastguard Worker securityLevel_, request.key_description, response.unenforced, response.enforced);
301*789431f2SAndroid Build Coastguard Worker creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
302*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
303*789431f2SAndroid Build Coastguard Worker }
304*789431f2SAndroid Build Coastguard Worker
importKey(const vector<KeyParameter> & keyParams,KeyFormat keyFormat,const vector<uint8_t> & keyData,const optional<AttestationKey> & attestationKey,KeyCreationResult * creationResult)305*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
306*789431f2SAndroid Build Coastguard Worker KeyFormat keyFormat, const vector<uint8_t>& keyData,
307*789431f2SAndroid Build Coastguard Worker const optional<AttestationKey>& attestationKey,
308*789431f2SAndroid Build Coastguard Worker KeyCreationResult* creationResult) {
309*789431f2SAndroid Build Coastguard Worker
310*789431f2SAndroid Build Coastguard Worker ImportKeyRequest request(impl_->message_version());
311*789431f2SAndroid Build Coastguard Worker request.key_description.Reinitialize(KmParamSet(keyParams));
312*789431f2SAndroid Build Coastguard Worker request.key_format = legacy_enum_conversion(keyFormat);
313*789431f2SAndroid Build Coastguard Worker request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size());
314*789431f2SAndroid Build Coastguard Worker if (attestationKey) {
315*789431f2SAndroid Build Coastguard Worker request.attestation_signing_key_blob =
316*789431f2SAndroid Build Coastguard Worker KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
317*789431f2SAndroid Build Coastguard Worker request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
318*789431f2SAndroid Build Coastguard Worker request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
319*789431f2SAndroid Build Coastguard Worker attestationKey->issuerSubjectName.size());
320*789431f2SAndroid Build Coastguard Worker }
321*789431f2SAndroid Build Coastguard Worker
322*789431f2SAndroid Build Coastguard Worker ImportKeyResponse response(impl_->message_version());
323*789431f2SAndroid Build Coastguard Worker impl_->ImportKey(request, &response);
324*789431f2SAndroid Build Coastguard Worker
325*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
326*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
327*789431f2SAndroid Build Coastguard Worker }
328*789431f2SAndroid Build Coastguard Worker
329*789431f2SAndroid Build Coastguard Worker creationResult->keyBlob = kmBlob2vector(response.key_blob);
330*789431f2SAndroid Build Coastguard Worker creationResult->keyCharacteristics = convertKeyCharacteristics(
331*789431f2SAndroid Build Coastguard Worker securityLevel_, request.key_description, response.unenforced, response.enforced);
332*789431f2SAndroid Build Coastguard Worker creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
333*789431f2SAndroid Build Coastguard Worker
334*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
335*789431f2SAndroid Build Coastguard Worker }
336*789431f2SAndroid Build Coastguard Worker
337*789431f2SAndroid Build Coastguard Worker ScopedAStatus
importWrappedKey(const vector<uint8_t> & wrappedKeyData,const vector<uint8_t> & wrappingKeyBlob,const vector<uint8_t> & maskingKey,const vector<KeyParameter> & unwrappingParams,int64_t passwordSid,int64_t biometricSid,KeyCreationResult * creationResult)338*789431f2SAndroid Build Coastguard Worker AndroidKeyMintDevice::importWrappedKey(const vector<uint8_t>& wrappedKeyData, //
339*789431f2SAndroid Build Coastguard Worker const vector<uint8_t>& wrappingKeyBlob, //
340*789431f2SAndroid Build Coastguard Worker const vector<uint8_t>& maskingKey, //
341*789431f2SAndroid Build Coastguard Worker const vector<KeyParameter>& unwrappingParams, //
342*789431f2SAndroid Build Coastguard Worker int64_t passwordSid, int64_t biometricSid, //
343*789431f2SAndroid Build Coastguard Worker KeyCreationResult* creationResult) {
344*789431f2SAndroid Build Coastguard Worker
345*789431f2SAndroid Build Coastguard Worker ImportWrappedKeyRequest request(impl_->message_version());
346*789431f2SAndroid Build Coastguard Worker request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
347*789431f2SAndroid Build Coastguard Worker request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
348*789431f2SAndroid Build Coastguard Worker request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
349*789431f2SAndroid Build Coastguard Worker request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
350*789431f2SAndroid Build Coastguard Worker request.password_sid = static_cast<uint64_t>(passwordSid);
351*789431f2SAndroid Build Coastguard Worker request.biometric_sid = static_cast<uint64_t>(biometricSid);
352*789431f2SAndroid Build Coastguard Worker
353*789431f2SAndroid Build Coastguard Worker ImportWrappedKeyResponse response(impl_->message_version());
354*789431f2SAndroid Build Coastguard Worker impl_->ImportWrappedKey(request, &response);
355*789431f2SAndroid Build Coastguard Worker
356*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
357*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
358*789431f2SAndroid Build Coastguard Worker }
359*789431f2SAndroid Build Coastguard Worker
360*789431f2SAndroid Build Coastguard Worker creationResult->keyBlob = kmBlob2vector(response.key_blob);
361*789431f2SAndroid Build Coastguard Worker creationResult->keyCharacteristics = convertKeyCharacteristics(
362*789431f2SAndroid Build Coastguard Worker securityLevel_, request.additional_params, response.unenforced, response.enforced);
363*789431f2SAndroid Build Coastguard Worker creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
364*789431f2SAndroid Build Coastguard Worker
365*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
366*789431f2SAndroid Build Coastguard Worker }
367*789431f2SAndroid Build Coastguard Worker
upgradeKey(const vector<uint8_t> & keyBlobToUpgrade,const vector<KeyParameter> & upgradeParams,vector<uint8_t> * keyBlob)368*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
369*789431f2SAndroid Build Coastguard Worker const vector<KeyParameter>& upgradeParams,
370*789431f2SAndroid Build Coastguard Worker vector<uint8_t>* keyBlob) {
371*789431f2SAndroid Build Coastguard Worker
372*789431f2SAndroid Build Coastguard Worker UpgradeKeyRequest request(impl_->message_version());
373*789431f2SAndroid Build Coastguard Worker request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
374*789431f2SAndroid Build Coastguard Worker request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
375*789431f2SAndroid Build Coastguard Worker
376*789431f2SAndroid Build Coastguard Worker UpgradeKeyResponse response(impl_->message_version());
377*789431f2SAndroid Build Coastguard Worker impl_->UpgradeKey(request, &response);
378*789431f2SAndroid Build Coastguard Worker
379*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
380*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
381*789431f2SAndroid Build Coastguard Worker }
382*789431f2SAndroid Build Coastguard Worker
383*789431f2SAndroid Build Coastguard Worker *keyBlob = kmBlob2vector(response.upgraded_key);
384*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
385*789431f2SAndroid Build Coastguard Worker }
386*789431f2SAndroid Build Coastguard Worker
deleteKey(const vector<uint8_t> & keyBlob)387*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
388*789431f2SAndroid Build Coastguard Worker DeleteKeyRequest request(impl_->message_version());
389*789431f2SAndroid Build Coastguard Worker request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
390*789431f2SAndroid Build Coastguard Worker
391*789431f2SAndroid Build Coastguard Worker DeleteKeyResponse response(impl_->message_version());
392*789431f2SAndroid Build Coastguard Worker impl_->DeleteKey(request, &response);
393*789431f2SAndroid Build Coastguard Worker
394*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
395*789431f2SAndroid Build Coastguard Worker }
396*789431f2SAndroid Build Coastguard Worker
deleteAllKeys()397*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::deleteAllKeys() {
398*789431f2SAndroid Build Coastguard Worker // There's nothing to be done to delete software key blobs.
399*789431f2SAndroid Build Coastguard Worker DeleteAllKeysRequest request(impl_->message_version());
400*789431f2SAndroid Build Coastguard Worker DeleteAllKeysResponse response(impl_->message_version());
401*789431f2SAndroid Build Coastguard Worker impl_->DeleteAllKeys(request, &response);
402*789431f2SAndroid Build Coastguard Worker
403*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
404*789431f2SAndroid Build Coastguard Worker }
405*789431f2SAndroid Build Coastguard Worker
destroyAttestationIds()406*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::destroyAttestationIds() {
407*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
408*789431f2SAndroid Build Coastguard Worker }
409*789431f2SAndroid Build Coastguard Worker
begin(KeyPurpose purpose,const vector<uint8_t> & keyBlob,const vector<KeyParameter> & params,const optional<HardwareAuthToken> & authToken,BeginResult * result)410*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
411*789431f2SAndroid Build Coastguard Worker const vector<KeyParameter>& params,
412*789431f2SAndroid Build Coastguard Worker const optional<HardwareAuthToken>& authToken,
413*789431f2SAndroid Build Coastguard Worker BeginResult* result) {
414*789431f2SAndroid Build Coastguard Worker
415*789431f2SAndroid Build Coastguard Worker BeginOperationRequest request(impl_->message_version());
416*789431f2SAndroid Build Coastguard Worker request.purpose = legacy_enum_conversion(purpose);
417*789431f2SAndroid Build Coastguard Worker request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
418*789431f2SAndroid Build Coastguard Worker request.additional_params.Reinitialize(KmParamSet(params));
419*789431f2SAndroid Build Coastguard Worker
420*789431f2SAndroid Build Coastguard Worker vector<uint8_t> vector_token = authToken2AidlVec(authToken);
421*789431f2SAndroid Build Coastguard Worker request.additional_params.push_back(
422*789431f2SAndroid Build Coastguard Worker TAG_AUTH_TOKEN, reinterpret_cast<uint8_t*>(vector_token.data()), vector_token.size());
423*789431f2SAndroid Build Coastguard Worker
424*789431f2SAndroid Build Coastguard Worker BeginOperationResponse response(impl_->message_version());
425*789431f2SAndroid Build Coastguard Worker impl_->BeginOperation(request, &response);
426*789431f2SAndroid Build Coastguard Worker
427*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
428*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
429*789431f2SAndroid Build Coastguard Worker }
430*789431f2SAndroid Build Coastguard Worker
431*789431f2SAndroid Build Coastguard Worker result->params = kmParamSet2Aidl(response.output_params);
432*789431f2SAndroid Build Coastguard Worker result->challenge = response.op_handle;
433*789431f2SAndroid Build Coastguard Worker result->operation =
434*789431f2SAndroid Build Coastguard Worker ndk::SharedRefBase::make<AndroidKeyMintOperation>(impl_, response.op_handle);
435*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
436*789431f2SAndroid Build Coastguard Worker }
437*789431f2SAndroid Build Coastguard Worker
deviceLocked(bool passwordOnly,const std::optional<secureclock::TimeStampToken> & timestampToken)438*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::deviceLocked(
439*789431f2SAndroid Build Coastguard Worker bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) {
440*789431f2SAndroid Build Coastguard Worker DeviceLockedRequest request(impl_->message_version());
441*789431f2SAndroid Build Coastguard Worker request.passwordOnly = passwordOnly;
442*789431f2SAndroid Build Coastguard Worker if (timestampToken.has_value()) {
443*789431f2SAndroid Build Coastguard Worker request.token.challenge = timestampToken->challenge;
444*789431f2SAndroid Build Coastguard Worker request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()};
445*789431f2SAndroid Build Coastguard Worker request.token.timestamp = timestampToken->timestamp.milliSeconds;
446*789431f2SAndroid Build Coastguard Worker }
447*789431f2SAndroid Build Coastguard Worker DeviceLockedResponse response = impl_->DeviceLocked(request);
448*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
449*789431f2SAndroid Build Coastguard Worker }
450*789431f2SAndroid Build Coastguard Worker
earlyBootEnded()451*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::earlyBootEnded() {
452*789431f2SAndroid Build Coastguard Worker EarlyBootEndedResponse response = impl_->EarlyBootEnded();
453*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
454*789431f2SAndroid Build Coastguard Worker }
455*789431f2SAndroid Build Coastguard Worker
456*789431f2SAndroid Build Coastguard Worker ScopedAStatus
convertStorageKeyToEphemeral(const std::vector<uint8_t> &,std::vector<uint8_t> *)457*789431f2SAndroid Build Coastguard Worker AndroidKeyMintDevice::convertStorageKeyToEphemeral(const std::vector<uint8_t>& /* storageKeyBlob */,
458*789431f2SAndroid Build Coastguard Worker std::vector<uint8_t>* /* ephemeralKeyBlob */) {
459*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
460*789431f2SAndroid Build Coastguard Worker }
461*789431f2SAndroid Build Coastguard Worker
getKeyCharacteristics(const std::vector<uint8_t> & keyBlob,const std::vector<uint8_t> & appId,const std::vector<uint8_t> & appData,std::vector<KeyCharacteristics> * keyCharacteristics)462*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::getKeyCharacteristics(
463*789431f2SAndroid Build Coastguard Worker const std::vector<uint8_t>& keyBlob, const std::vector<uint8_t>& appId,
464*789431f2SAndroid Build Coastguard Worker const std::vector<uint8_t>& appData, std::vector<KeyCharacteristics>* keyCharacteristics) {
465*789431f2SAndroid Build Coastguard Worker GetKeyCharacteristicsRequest request(impl_->message_version());
466*789431f2SAndroid Build Coastguard Worker request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
467*789431f2SAndroid Build Coastguard Worker addClientAndAppData(appId, appData, &request.additional_params);
468*789431f2SAndroid Build Coastguard Worker
469*789431f2SAndroid Build Coastguard Worker GetKeyCharacteristicsResponse response(impl_->message_version());
470*789431f2SAndroid Build Coastguard Worker impl_->GetKeyCharacteristics(request, &response);
471*789431f2SAndroid Build Coastguard Worker
472*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
473*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
474*789431f2SAndroid Build Coastguard Worker }
475*789431f2SAndroid Build Coastguard Worker
476*789431f2SAndroid Build Coastguard Worker AuthorizationSet emptySet;
477*789431f2SAndroid Build Coastguard Worker *keyCharacteristics =
478*789431f2SAndroid Build Coastguard Worker convertKeyCharacteristics(securityLevel_, emptySet, response.unenforced, response.enforced,
479*789431f2SAndroid Build Coastguard Worker /* include_keystore_enforced = */ false);
480*789431f2SAndroid Build Coastguard Worker
481*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
482*789431f2SAndroid Build Coastguard Worker }
483*789431f2SAndroid Build Coastguard Worker
getRootOfTrustChallenge(array<uint8_t,16> *)484*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::getRootOfTrustChallenge(array<uint8_t, 16>* /* challenge */) {
485*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
486*789431f2SAndroid Build Coastguard Worker }
487*789431f2SAndroid Build Coastguard Worker
getRootOfTrust(const array<uint8_t,16> &,vector<uint8_t> *)488*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::getRootOfTrust(const array<uint8_t, 16>& /* challenge */,
489*789431f2SAndroid Build Coastguard Worker vector<uint8_t>* /* rootOfTrust */) {
490*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
491*789431f2SAndroid Build Coastguard Worker }
492*789431f2SAndroid Build Coastguard Worker
sendRootOfTrust(const vector<uint8_t> &)493*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::sendRootOfTrust(const vector<uint8_t>& /* rootOfTrust */) {
494*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
495*789431f2SAndroid Build Coastguard Worker }
496*789431f2SAndroid Build Coastguard Worker
setAdditionalAttestationInfo(const vector<KeyParameter> & info)497*789431f2SAndroid Build Coastguard Worker ScopedAStatus AndroidKeyMintDevice::setAdditionalAttestationInfo(const vector<KeyParameter>& info) {
498*789431f2SAndroid Build Coastguard Worker SetAdditionalAttestationInfoRequest request(impl_->message_version());
499*789431f2SAndroid Build Coastguard Worker request.info.Reinitialize(KmParamSet(info));
500*789431f2SAndroid Build Coastguard Worker
501*789431f2SAndroid Build Coastguard Worker SetAdditionalAttestationInfoResponse response = impl_->SetAdditionalAttestationInfo(request);
502*789431f2SAndroid Build Coastguard Worker
503*789431f2SAndroid Build Coastguard Worker if (response.error != KM_ERROR_OK) {
504*789431f2SAndroid Build Coastguard Worker return kmError2ScopedAStatus(response.error);
505*789431f2SAndroid Build Coastguard Worker } else {
506*789431f2SAndroid Build Coastguard Worker return ScopedAStatus::ok();
507*789431f2SAndroid Build Coastguard Worker }
508*789431f2SAndroid Build Coastguard Worker }
509*789431f2SAndroid Build Coastguard Worker
CreateKeyMintDevice(SecurityLevel securityLevel)510*789431f2SAndroid Build Coastguard Worker std::shared_ptr<IKeyMintDevice> CreateKeyMintDevice(SecurityLevel securityLevel) {
511*789431f2SAndroid Build Coastguard Worker return ndk::SharedRefBase::make<AndroidKeyMintDevice>(securityLevel);
512*789431f2SAndroid Build Coastguard Worker }
513*789431f2SAndroid Build Coastguard Worker
514*789431f2SAndroid Build Coastguard Worker } // namespace aidl::android::hardware::security::keymint
515