Loading keymaster/3.0/IKeymasterDevice.hal +0 −16 Original line number Diff line number Diff line Loading @@ -58,22 +58,6 @@ interface IKeymasterDevice { bool supportsAttestation, bool supportsAllDigests, string keymasterName, string keymasterAuthorName); /** * Parses a hardware authentication token blob to extract the details needed to determine if the * token is applicable to a given keymaster operation. This method is intended to be * implemented by the HAL, without requiring a call into the trusted hardware. It is not * necessary for this method to verify that the values in the blob are correct. * * @param token The token blob provided by the authentication app. * * @return error ErrorCode::OK or, if the blob is invalid, ErrorCode::INVALD_ARGUMENT if the * blob is the wrong size, the wrong version, or incorrectly structured. * * @return tokenInfo Information extracted from the auth token. */ parseHardwareAuthToken(vec<uint8_t> token) generates(ErrorCode error, HardwareAuthTokenInfo tokenInfo); /** * Adds entropy to the RNG used by keymaster. Entropy added through this method is guaranteed * not to be the only source of entropy used, and the mixing function is required to be secure, Loading keymaster/3.0/default/KeymasterDevice.cpp +2 −56 Original line number Diff line number Diff line Loading @@ -33,8 +33,6 @@ namespace implementation { using ::keymaster::SoftKeymasterDevice; namespace { class SoftwareOnlyHidlKeymasterEnforcement : public ::keymaster::KeymasterEnforcement { public: SoftwareOnlyHidlKeymasterEnforcement() : KeymasterEnforcement(64, 64) {} Loading Loading @@ -62,7 +60,7 @@ class SoftwareOnlyHidlKeymasterContext : public ::keymaster::SoftKeymasterContex std::unique_ptr<::keymaster::KeymasterEnforcement> enforcement_; }; int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { static int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { assert(mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0); ALOGI("Found keymaster0 module %s, version %x", mod->name, mod->module_api_version); Loading Loading @@ -139,7 +137,7 @@ err: return rc; } int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { static int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0); ALOGI("Found keymaster2 module %s, version %x", mod->name, mod->module_api_version); Loading Loading @@ -193,30 +191,6 @@ static int keymaster_device_initialize(keymaster2_device_t** dev, uint32_t* vers } } template <typename IntType, uint32_t byteOrder> struct choose_ntoh; template <typename IntType> struct choose_ntoh<IntType, __ORDER_LITTLE_ENDIAN__> { inline static IntType ntoh(const IntType& value) { IntType result = 0; const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value); unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result); for (int i = sizeof(IntType) - 1; i >= 0; --i) { *(outbytes++) = inbytes[i]; } return result; } }; template <typename IntType> struct choose_ntoh<IntType, __ORDER_BIG_ENDIAN__> { inline static IntType hton(const IntType& value) { return value; } }; template <typename IntType> inline IntType ntoh(const IntType& value) { return choose_ntoh<IntType, __BYTE_ORDER__>::ntoh(value); } } // anonymous namespace KeymasterDevice::~KeymasterDevice() { if (keymaster_device_) keymaster_device_->common.close(&keymaster_device_->common); } Loading Loading @@ -402,34 +376,6 @@ Return<void> KeymasterDevice::getHardwareFeatures(getHardwareFeatures_cb _hidl_c return Void(); } Return<void> KeymasterDevice::parseHardwareAuthToken(const hidl_vec<uint8_t>& token, parseHardwareAuthToken_cb _hidl_cb) { HardwareAuthTokenInfo parsedToken; if (token.size() != sizeof(hw_auth_token_t)) { ALOGE("Received auth token of length %zu, expected %zu", token.size(), sizeof(hw_auth_token_t)); _hidl_cb(ErrorCode::INVALID_ARGUMENT, parsedToken); return Void(); } const hw_auth_token_t* authToken = reinterpret_cast<const hw_auth_token_t*>(token.data()); if (authToken->version != 0) { ALOGE("Auth token version %u, expected version ", authToken->version); _hidl_cb(ErrorCode::INVALID_ARGUMENT, parsedToken); return Void(); } parsedToken.challenge = authToken->challenge; parsedToken.userId = authToken->user_id; parsedToken.authenticatorId = authToken->authenticator_id; parsedToken.authenticatorType = static_cast<HardwareAuthenticatorType>(ntoh(authToken->authenticator_type)); parsedToken.timestamp = ntoh(authToken->timestamp); _hidl_cb(ErrorCode::OK, parsedToken); return Void(); } Return<ErrorCode> KeymasterDevice::addRngEntropy(const hidl_vec<uint8_t>& data) { if (!data.size()) return ErrorCode::OK; return legacy_enum_conversion( Loading keymaster/3.0/default/KeymasterDevice.h +0 −2 Original line number Diff line number Diff line Loading @@ -53,8 +53,6 @@ class KeymasterDevice : public IKeymasterDevice { // Methods from ::android::hardware::keymaster::V3_0::IKeymasterDevice follow. Return<void> getHardwareFeatures(getHardwareFeatures_cb _hidl_cb); Return<void> parseHardwareAuthToken(const hidl_vec<uint8_t>& token, parseHardwareAuthToken_cb _hidl_cb); Return<ErrorCode> addRngEntropy(const hidl_vec<uint8_t>& data) override; Return<void> generateKey(const hidl_vec<KeyParameter>& keyParams, generateKey_cb _hidl_cb) override; Loading keymaster/3.0/types.hal +11 −7 Original line number Diff line number Diff line Loading @@ -400,15 +400,19 @@ struct KeyCharacteristics { }; /** * Data used to describe an authentication. This data is retrieved from an authentication token by * calling the parseHardwareAuthToken method of the HAL. * Data used to prove successful authentication. */ struct HardwareAuthTokenInfo { struct HardwareAuthToken { uint64_t challenge; uint64_t userId; // Secure User ID, not Android user ID. uint64_t authenticatorId; // Secure authenticator ID. HardwareAuthenticatorType authenticatorType; uint64_t timestamp; uint32_t authenticatorType; // HardwareAuthenticatorType, in network order. uint64_t timestamp; // In network order. uint8_t[32] hmac; // HMAC is computed over 0 || challenge || user_id || // authenticator_id || authenticator_type || timestamp, with a // prefixed 0 byte (which was a version field in Keymaster1 and // Keymaster2) and the fields packed (no padding; so you probably // can't just compute over the bytes of the struct). }; enum SecurityLevel : uint32_t { Loading Loading
keymaster/3.0/IKeymasterDevice.hal +0 −16 Original line number Diff line number Diff line Loading @@ -58,22 +58,6 @@ interface IKeymasterDevice { bool supportsAttestation, bool supportsAllDigests, string keymasterName, string keymasterAuthorName); /** * Parses a hardware authentication token blob to extract the details needed to determine if the * token is applicable to a given keymaster operation. This method is intended to be * implemented by the HAL, without requiring a call into the trusted hardware. It is not * necessary for this method to verify that the values in the blob are correct. * * @param token The token blob provided by the authentication app. * * @return error ErrorCode::OK or, if the blob is invalid, ErrorCode::INVALD_ARGUMENT if the * blob is the wrong size, the wrong version, or incorrectly structured. * * @return tokenInfo Information extracted from the auth token. */ parseHardwareAuthToken(vec<uint8_t> token) generates(ErrorCode error, HardwareAuthTokenInfo tokenInfo); /** * Adds entropy to the RNG used by keymaster. Entropy added through this method is guaranteed * not to be the only source of entropy used, and the mixing function is required to be secure, Loading
keymaster/3.0/default/KeymasterDevice.cpp +2 −56 Original line number Diff line number Diff line Loading @@ -33,8 +33,6 @@ namespace implementation { using ::keymaster::SoftKeymasterDevice; namespace { class SoftwareOnlyHidlKeymasterEnforcement : public ::keymaster::KeymasterEnforcement { public: SoftwareOnlyHidlKeymasterEnforcement() : KeymasterEnforcement(64, 64) {} Loading Loading @@ -62,7 +60,7 @@ class SoftwareOnlyHidlKeymasterContext : public ::keymaster::SoftKeymasterContex std::unique_ptr<::keymaster::KeymasterEnforcement> enforcement_; }; int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { static int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { assert(mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0); ALOGI("Found keymaster0 module %s, version %x", mod->name, mod->module_api_version); Loading Loading @@ -139,7 +137,7 @@ err: return rc; } int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { static int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) { assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0); ALOGI("Found keymaster2 module %s, version %x", mod->name, mod->module_api_version); Loading Loading @@ -193,30 +191,6 @@ static int keymaster_device_initialize(keymaster2_device_t** dev, uint32_t* vers } } template <typename IntType, uint32_t byteOrder> struct choose_ntoh; template <typename IntType> struct choose_ntoh<IntType, __ORDER_LITTLE_ENDIAN__> { inline static IntType ntoh(const IntType& value) { IntType result = 0; const unsigned char* inbytes = reinterpret_cast<const unsigned char*>(&value); unsigned char* outbytes = reinterpret_cast<unsigned char*>(&result); for (int i = sizeof(IntType) - 1; i >= 0; --i) { *(outbytes++) = inbytes[i]; } return result; } }; template <typename IntType> struct choose_ntoh<IntType, __ORDER_BIG_ENDIAN__> { inline static IntType hton(const IntType& value) { return value; } }; template <typename IntType> inline IntType ntoh(const IntType& value) { return choose_ntoh<IntType, __BYTE_ORDER__>::ntoh(value); } } // anonymous namespace KeymasterDevice::~KeymasterDevice() { if (keymaster_device_) keymaster_device_->common.close(&keymaster_device_->common); } Loading Loading @@ -402,34 +376,6 @@ Return<void> KeymasterDevice::getHardwareFeatures(getHardwareFeatures_cb _hidl_c return Void(); } Return<void> KeymasterDevice::parseHardwareAuthToken(const hidl_vec<uint8_t>& token, parseHardwareAuthToken_cb _hidl_cb) { HardwareAuthTokenInfo parsedToken; if (token.size() != sizeof(hw_auth_token_t)) { ALOGE("Received auth token of length %zu, expected %zu", token.size(), sizeof(hw_auth_token_t)); _hidl_cb(ErrorCode::INVALID_ARGUMENT, parsedToken); return Void(); } const hw_auth_token_t* authToken = reinterpret_cast<const hw_auth_token_t*>(token.data()); if (authToken->version != 0) { ALOGE("Auth token version %u, expected version ", authToken->version); _hidl_cb(ErrorCode::INVALID_ARGUMENT, parsedToken); return Void(); } parsedToken.challenge = authToken->challenge; parsedToken.userId = authToken->user_id; parsedToken.authenticatorId = authToken->authenticator_id; parsedToken.authenticatorType = static_cast<HardwareAuthenticatorType>(ntoh(authToken->authenticator_type)); parsedToken.timestamp = ntoh(authToken->timestamp); _hidl_cb(ErrorCode::OK, parsedToken); return Void(); } Return<ErrorCode> KeymasterDevice::addRngEntropy(const hidl_vec<uint8_t>& data) { if (!data.size()) return ErrorCode::OK; return legacy_enum_conversion( Loading
keymaster/3.0/default/KeymasterDevice.h +0 −2 Original line number Diff line number Diff line Loading @@ -53,8 +53,6 @@ class KeymasterDevice : public IKeymasterDevice { // Methods from ::android::hardware::keymaster::V3_0::IKeymasterDevice follow. Return<void> getHardwareFeatures(getHardwareFeatures_cb _hidl_cb); Return<void> parseHardwareAuthToken(const hidl_vec<uint8_t>& token, parseHardwareAuthToken_cb _hidl_cb); Return<ErrorCode> addRngEntropy(const hidl_vec<uint8_t>& data) override; Return<void> generateKey(const hidl_vec<KeyParameter>& keyParams, generateKey_cb _hidl_cb) override; Loading
keymaster/3.0/types.hal +11 −7 Original line number Diff line number Diff line Loading @@ -400,15 +400,19 @@ struct KeyCharacteristics { }; /** * Data used to describe an authentication. This data is retrieved from an authentication token by * calling the parseHardwareAuthToken method of the HAL. * Data used to prove successful authentication. */ struct HardwareAuthTokenInfo { struct HardwareAuthToken { uint64_t challenge; uint64_t userId; // Secure User ID, not Android user ID. uint64_t authenticatorId; // Secure authenticator ID. HardwareAuthenticatorType authenticatorType; uint64_t timestamp; uint32_t authenticatorType; // HardwareAuthenticatorType, in network order. uint64_t timestamp; // In network order. uint8_t[32] hmac; // HMAC is computed over 0 || challenge || user_id || // authenticator_id || authenticator_type || timestamp, with a // prefixed 0 byte (which was a version field in Keymaster1 and // Keymaster2) and the fields packed (no padding; so you probably // can't just compute over the bytes of the struct). }; enum SecurityLevel : uint32_t { Loading
