
Commit aac0fc73 authored by Bartosz Fabianowski's avatar Bartosz Fabianowski

Add device id attestation

This adds device id attestation to the Keymaster 3.0 HAL. Device
id attestation must only be offered if the device can permanently
destroy device ids on request. The default implementation cannot
do this because it lacks storage that would survive device wipes.
Hence, the implementation refuses all device id attestation requests.

Bug: 34597337
Test: CTS CtsKeystoreTestCases and GTS DeviceIdAttestationHostTest

Change-Id: I6ff6146fad4656b8e1367650de922124b3d7f7b2
parent 5b70f3d3
+15 −0
@@ -208,6 +208,21 @@ interface IKeymasterDevice {
     */
    deleteAllKeys() generates(ErrorCode error);

    /**
     * Destroys knowledge of the device's ids. This prevents all device id attestation in the
     * future. The destruction must be permanent so that not even a factory reset will restore the
     * device ids.
     *
     * Device id attestation may be provided only if this method is fully implemented, allowing the
     * user to permanently disable device id attestation. If this cannot be guaranteed, the device
     * must never attest any device ids.
     *
     * This is a NOP if device id attestation is not supported.
     *
     * @return error See the ErrorCode enum.
     */
    destroyAttestationIds() generates(ErrorCode error);

    /**
     * Begins a cryptographic operation using the specified key. If all is well, begin() will return
     * ErrorCode::OK and create an operation handle which must be passed to subsequent calls to
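Review bot: The sentence `This is a NOP if device id attestation is not supported.` does not say which ErrorCode the NOP returns, and the default implementation added in KeymasterDevice.cpp by this same commit returns ErrorCode::UNIMPLEMENTED rather than OK, so a caller cannot distinguish "nothing to destroy" from "not implemented". Because this method is the gate on whether device id attestation may be offered at all, the unsupported case should be pinned in the @return line, e.g. `* @return error ErrorCode::OK on success or if device id attestation is not supported; see the ErrorCode enum.` If UNIMPLEMENTED is the intended answer instead, the NOP sentence should say so explicitly. Either way the .hal text and the default implementation should agree, since the default is what vendor HALs are likely to start from.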
+25 −0
@@ -516,6 +516,24 @@ Return<void> KeymasterDevice::attestKey(const hidl_vec<uint8_t>& keyToAttest,

    hidl_vec<hidl_vec<uint8_t>> resultCertChain;

    for (size_t i = 0; i < attestParams.size(); ++i) {
        switch (attestParams[i].tag) {
            case Tag::ATTESTATION_ID_BRAND:
            case Tag::ATTESTATION_ID_DEVICE:
            case Tag::ATTESTATION_ID_PRODUCT:
            case Tag::ATTESTATION_ID_SERIAL:
            case Tag::ATTESTATION_ID_IMEI:
            case Tag::ATTESTATION_ID_MEID:
                // Device id attestation may only be supported if the device is able to permanently
                // destroy its knowledge of the ids. This device is unable to do this, so it must
                // never perform any device id attestation.
                _hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);
                return Void();
            default:
                break;
        }
    }

    keymaster_cert_chain_t cert_chain{nullptr, 0};

    auto kmKeyToAttest = hidlVec2KmKeyBlob(keyToAttest);
@@ -569,9 +587,16 @@ Return<ErrorCode> KeymasterDevice::deleteKey(const hidl_vec<uint8_t>& keyBlob) {
}

Return<ErrorCode> KeymasterDevice::deleteAllKeys() {
    if (keymaster_device_->delete_all_keys == nullptr) {
        return ErrorCode::UNIMPLEMENTED;
    }
    return legacy_enum_conversion(keymaster_device_->delete_all_keys(keymaster_device_));
}

Return<ErrorCode> KeymasterDevice::destroyAttestationIds() {
    return ErrorCode::UNIMPLEMENTED;
}

Return<void> KeymasterDevice::begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
                                    const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) {

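Review bot: The tag scan in the first hunk of attestKey is an index loop with `attestParams[i].tag`; a range-for reads more directly and drops the size_t index, `for (const auto& param : attestParams) {` followed by `switch (param.tag) {`. The refusal path at `_hidl_cb(ErrorCode::CANNOT_ATTEST_IDS, resultCertChain);` runs before the key blob is converted or cert_chain is created, so nothing is allocated or handed to the legacy device on that path, which is the right ordering for a deny-by-default check. attestKey begins before the hunk and continues past it, so the later cleanup of cert_chain is not visible here.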
+1 −0
@@ -71,6 +71,7 @@ class KeymasterDevice : public IKeymasterDevice {
                            upgradeKey_cb _hidl_cb) override;
    Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override;
    Return<ErrorCode> deleteAllKeys() override;
    Return<ErrorCode> destroyAttestationIds() override;
    Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
                       const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override;
    Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams,
+14 −0
@@ -123,6 +123,19 @@ enum Tag : uint32_t {
    ATTESTATION_APPLICATION_ID = TagType:BYTES | 709, /* Used to identify the set of possible
                                                       * applications of which one has initiated a
                                                       * key attestation */
    ATTESTATION_ID_BRAND = TagType:BYTES | 710,  /* Used to provide the device's brand name to be
                                                    included in attestation */
    ATTESTATION_ID_DEVICE = TagType:BYTES | 711, /* Used to provide the device's device name to be
                                                    included in attestation */
    ATTESTATION_ID_PRODUCT = TagType:BYTES | 712, /* Used to provide the device's product name to be
                                                     included in attestation */
    ATTESTATION_ID_SERIAL = TagType:BYTES | 713, /* Used to provide the device's serial number to be
                                                    included in attestation */
    ATTESTATION_ID_IMEI = TagType:BYTES | 714,   /* Used to provide the device's IMEI to be included
                                                    in attestation */
    ATTESTATION_ID_MEID = TagType:BYTES | 715,   /* Used to provide the device's MEID to be included
                                                    in attestation */


    /* Tags used only to provide data to or receive data from operations */
    ASSOCIATED_DATA = TagType:BYTES | 1000, /* Used to provide associated data for AEAD modes. */
@@ -312,6 +325,7 @@ enum ErrorCode : uint32_t {
    ATTESTATION_CHALLENGE_MISSING = -63,
    KEYMASTER_NOT_CONFIGURED = -64,
    ATTESTATION_APPLICATION_ID_MISSING = -65,
    CANNOT_ATTEST_IDS = -66,

    UNIMPLEMENTED = -100,
    VERSION_MISMATCH = -101,
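Review bot: The new entries `ATTESTATION_ID_BRAND` through `ATTESTATION_ID_MEID` describe what each id is but not the rule governing when an implementation may honor them, which currently lives only in the destroyAttestationIds comment in IKeymasterDevice.hal; someone adding a seventh id tag here would not see that constraint. A one-line pointer above ATTESTATION_ID_BRAND would keep it next to the tags, e.g. `/* Device id tags: may be honored only if destroyAttestationIds() is fully implemented; otherwise attestKey must fail with CANNOT_ATTEST_IDS */`. `CANNOT_ATTEST_IDS = -66,` in the second hunk is uncommented, which matches the neighbouring ErrorCode values, so a comment there is optional.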