
Commit f418e1e7 authored by TreeHugger Robot's avatar TreeHugger Robot Committed by Android (Google) Code Review

Merge changes from topics "switch_to_km_ng", "need_km_interface_fix"

* changes:
  Switch to new NG AndroidKeymaster3Device
  Fix wrong origin assumption for wrapped KM0 hals
  Reflect: Removed KeymasterEnforcement dependencies on openssl
  Software keymaster attestations return 3 as keymaster version
  Relax finish result on RSA operations
parents 34c72216 5a07ed48
+2 −0
@@ -13,6 +13,8 @@ LOCAL_SHARED_LIBRARIES := \
    libcrypto \
    libkeymaster_portable \
    libkeymaster_staging \
    libpuresoftkeymasterdevice \
    libkeymaster3device \
    libhidlbase \
    libhidltransport \
    libutils \
+36 −674


+0 −64
@@ -18,78 +18,14 @@
#ifndef HIDL_GENERATED_android_hardware_keymaster_V3_0_KeymasterDevice_H_
#define HIDL_GENERATED_android_hardware_keymaster_V3_0_KeymasterDevice_H_

#include <hardware/keymaster2.h>

#include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
#include <hidl/Status.h>

#include <hidl/MQDescriptor.h>
namespace android {
namespace hardware {
namespace keymaster {
namespace V3_0 {
namespace implementation {

using ::android::hardware::keymaster::V3_0::ErrorCode;
using ::android::hardware::keymaster::V3_0::IKeymasterDevice;
using ::android::hardware::keymaster::V3_0::KeyCharacteristics;
using ::android::hardware::keymaster::V3_0::KeyFormat;
using ::android::hardware::keymaster::V3_0::KeyParameter;
using ::android::hardware::keymaster::V3_0::KeyPurpose;
using ::android::hardware::Return;
using ::android::hardware::Void;
using ::android::hardware::hidl_vec;
using ::android::hardware::hidl_string;
using ::android::sp;

class KeymasterDevice : public IKeymasterDevice {
  public:
    KeymasterDevice(keymaster2_device_t* dev, uint32_t hardware_version, bool hardware_supports_ec,
                    bool hardware_supports_all_digests)
        : keymaster_device_(dev), hardware_version_(hardware_version),
          hardware_supports_ec_(hardware_supports_ec),
          hardware_supports_all_digests_(hardware_supports_all_digests) {}
    virtual ~KeymasterDevice();

    // Methods from ::android::hardware::keymaster::V3_0::IKeymasterDevice follow.
    Return<void> getHardwareFeatures(getHardwareFeatures_cb _hidl_cb);
    Return<ErrorCode> addRngEntropy(const hidl_vec<uint8_t>& data) override;
    Return<void> generateKey(const hidl_vec<KeyParameter>& keyParams,
                             generateKey_cb _hidl_cb) override;
    Return<void> getKeyCharacteristics(const hidl_vec<uint8_t>& keyBlob,
                                       const hidl_vec<uint8_t>& clientId,
                                       const hidl_vec<uint8_t>& appData,
                                       getKeyCharacteristics_cb _hidl_cb) override;
    Return<void> importKey(const hidl_vec<KeyParameter>& params, KeyFormat keyFormat,
                           const hidl_vec<uint8_t>& keyData, importKey_cb _hidl_cb) override;
    Return<void> exportKey(KeyFormat exportFormat, const hidl_vec<uint8_t>& keyBlob,
                           const hidl_vec<uint8_t>& clientId, const hidl_vec<uint8_t>& appData,
                           exportKey_cb _hidl_cb) override;
    Return<void> attestKey(const hidl_vec<uint8_t>& keyToAttest,
                           const hidl_vec<KeyParameter>& attestParams,
                           attestKey_cb _hidl_cb) override;
    Return<void> upgradeKey(const hidl_vec<uint8_t>& keyBlobToUpgrade,
                            const hidl_vec<KeyParameter>& upgradeParams,
                            upgradeKey_cb _hidl_cb) override;
    Return<ErrorCode> deleteKey(const hidl_vec<uint8_t>& keyBlob) override;
    Return<ErrorCode> deleteAllKeys() override;
    Return<ErrorCode> destroyAttestationIds() override;
    Return<void> begin(KeyPurpose purpose, const hidl_vec<uint8_t>& key,
                       const hidl_vec<KeyParameter>& inParams, begin_cb _hidl_cb) override;
    Return<void> update(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams,
                        const hidl_vec<uint8_t>& input, update_cb _hidl_cb) override;
    Return<void> finish(uint64_t operationHandle, const hidl_vec<KeyParameter>& inParams,
                        const hidl_vec<uint8_t>& input, const hidl_vec<uint8_t>& signature,
                        finish_cb _hidl_cb) override;
    Return<ErrorCode> abort(uint64_t operationHandle) override;

  private:
    keymaster2_device_t* keymaster_device_;
    uint32_t hardware_version_;
    bool hardware_supports_ec_;
    bool hardware_supports_all_digests_;
};

extern "C" IKeymasterDevice* HIDL_FETCH_IKeymasterDevice(const char* name);

}  // namespace implementation
+28 −13
@@ -898,13 +898,20 @@ class KeymasterHidlTest : public ::testing::VtsHalHidlTargetTestBase {
        }
    }

    void CheckOrigin() {
    void CheckOrigin(bool asymmetric = false) {
        SCOPED_TRACE("CheckOrigin");
        if (is_secure_ && supports_symmetric_) {
            EXPECT_TRUE(
                contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
        } else if (is_secure_) {
            EXPECT_TRUE(contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
            // wrapped KM0
            if (asymmetric) {
                EXPECT_TRUE(
                    contains(key_characteristics_.teeEnforced, TAG_ORIGIN, KeyOrigin::UNKNOWN));
            } else {
                EXPECT_TRUE(contains(key_characteristics_.softwareEnforced, TAG_ORIGIN,
                                     KeyOrigin::IMPORTED));
            }
        } else {
            EXPECT_TRUE(
                contains(key_characteristics_.softwareEnforced, TAG_ORIGIN, KeyOrigin::IMPORTED));
@@ -993,8 +1000,8 @@ bool verify_attestation_record(const string& challenge, const string& app_id,
                                   HidlBuf(app_id));

    if (!KeymasterHidlTest::IsSecure()) {
        // SW is KM2
        EXPECT_EQ(att_keymaster_version, 2U);
        // SW is KM3
        EXPECT_EQ(att_keymaster_version, 3U);
    }

    if (KeymasterHidlTest::SupportsSymmetric()) {
@@ -1059,13 +1066,17 @@ TEST_F(KeymasterVersionTest, SensibleFeatures) {

class NewKeyGenerationTest : public KeymasterHidlTest {
  protected:
    void CheckBaseParams(const KeyCharacteristics& keyCharacteristics) {
    void CheckBaseParams(const KeyCharacteristics& keyCharacteristics, bool asymmetric = false) {
        // TODO(swillden): Distinguish which params should be in which auth list.

        AuthorizationSet auths(keyCharacteristics.teeEnforced);
        auths.push_back(AuthorizationSet(keyCharacteristics.softwareEnforced));

        if (!SupportsSymmetric() && asymmetric) {
            EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::UNKNOWN));
        } else {
            EXPECT_TRUE(auths.Contains(TAG_ORIGIN, KeyOrigin::GENERATED));
        }

        EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::SIGN));
        EXPECT_TRUE(auths.Contains(TAG_PURPOSE, KeyPurpose::VERIFY));
@@ -1114,7 +1125,7 @@ TEST_F(NewKeyGenerationTest, Rsa) {
                                             &key_blob, &key_characteristics));

        ASSERT_GT(key_blob.size(), 0U);
        CheckBaseParams(key_characteristics);
        CheckBaseParams(key_characteristics, true /* asymmetric */);

        AuthorizationSet crypto_params;
        if (IsSecure()) {
@@ -1160,7 +1171,7 @@ TEST_F(NewKeyGenerationTest, Ecdsa) {
                                                 .Authorizations(UserAuths()),
                                             &key_blob, &key_characteristics));
        ASSERT_GT(key_blob.size(), 0U);
        CheckBaseParams(key_characteristics);
        CheckBaseParams(key_characteristics, true /* asymmetric */);

        AuthorizationSet crypto_params;
        if (IsSecure()) {
@@ -1565,7 +1576,9 @@ TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) {
                                          .Digest(Digest::NONE)
                                          .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
    string result;
    EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
    ErrorCode finish_error_code = Finish(message, &result);
    EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
                finish_error_code == ErrorCode::INVALID_ARGUMENT);

    // Very large message that should exceed the transfer buffer size of any reasonable TEE.
    message = string(128 * 1024, 'a');
@@ -1573,7 +1586,9 @@ TEST_F(SigningOperationsTest, RsaNoPaddingTooLong) {
              Begin(KeyPurpose::SIGN, AuthorizationSetBuilder()
                                          .Digest(Digest::NONE)
                                          .Padding(PaddingMode::RSA_PKCS1_1_5_SIGN)));
    EXPECT_EQ(ErrorCode::INVALID_INPUT_LENGTH, Finish(message, &result));
    finish_error_code = Finish(message, &result);
    EXPECT_TRUE(finish_error_code == ErrorCode::INVALID_INPUT_LENGTH ||
                finish_error_code == ErrorCode::INVALID_ARGUMENT);
}

/*
@@ -2355,7 +2370,7 @@ TEST_F(ImportKeyTest, RsaSuccess) {
    CheckKm0CryptoParam(TAG_RSA_PUBLIC_EXPONENT, 65537U);
    CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
    CheckKm1CryptoParam(TAG_PADDING, PaddingMode::RSA_PSS);
    CheckOrigin();
    CheckOrigin(true /* asymmetric */);

    string message(1024 / 8, 'a');
    auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256).Padding(PaddingMode::RSA_PSS);
@@ -2411,7 +2426,7 @@ TEST_F(ImportKeyTest, EcdsaSuccess) {
    CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
    CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_256);

    CheckOrigin();
    CheckOrigin(true /* asymmetric */);

    string message(32, 'a');
    auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
@@ -2437,7 +2452,7 @@ TEST_F(ImportKeyTest, Ecdsa521Success) {
    CheckKm1CryptoParam(TAG_DIGEST, Digest::SHA_2_256);
    CheckKm2CryptoParam(TAG_EC_CURVE, EcCurve::P_521);

    CheckOrigin();
    CheckOrigin(true /* asymmetric */);

    string message(32, 'a');
    auto params = AuthorizationSetBuilder().Digest(Digest::SHA_2_256);
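Review bot: In CheckBaseParams (the `@@ -1059` hunk) the new origin condition `!SupportsSymmetric() && asymmetric` is not gated on IsSecure(), whereas the matching branch in CheckOrigin (the `@@ -898` hunk) only accepts KeyOrigin::UNKNOWN under `is_secure_`; if a non-secure implementation can ever report no symmetric support, its generated asymmetric keys would be expected to carry ORIGIN UNKNOWN instead of GENERATED. Aligning it with CheckOrigin, `if (IsSecure() && !SupportsSymmetric() && asymmetric) {`, keeps the relaxation limited to the wrapped-KM0 case the commit describes, and IsSecure() is already used in this class (see the Rsa test hunk). Separately, in RsaNoPaddingTooLong the two `EXPECT_TRUE(finish_error_code == ... || ...)` checks only report "false" on failure; appending `<< "finish_error_code = " << toString(finish_error_code)` (or a static_cast<int> if the generated toString is not in scope) to each would show which code the HAL actually returned. The body of CheckBaseParams continues outside the hunk.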