Merge "Add TrustyKeyMintDevice" (9a62860e) · Commits · e / os / android_system_core

trusty/keymaster/3.0/service.cpp

+1 −1

Original line number	Diff line number	Diff line
		@@ -24,7 +24,7 @@
		int main() {
		::android::hardware::configureRpcThreadpool(1, true);
		auto trustyKeymaster = new keymaster::TrustyKeymaster();
		int err = trustyKeymaster->Initialize();
		int err = trustyKeymaster->Initialize(keymaster::KmVersion::KEYMASTER_3);
		if (err != 0) {
		LOG(FATAL) << "Could not initialize TrustyKeymaster (" << err << ")";
		return -1;

trusty/keymaster/4.0/service.cpp

+1 −1

Original line number	Diff line number	Diff line
		@@ -24,7 +24,7 @@
		int main() {
		::android::hardware::configureRpcThreadpool(1, true);
		auto trustyKeymaster = new keymaster::TrustyKeymaster();
		int err = trustyKeymaster->Initialize();
		int err = trustyKeymaster->Initialize(keymaster::KmVersion::KEYMASTER_4);
		if (err != 0) {
		LOG(FATAL) << "Could not initialize TrustyKeymaster (" << err << ")";
		return -1;

trusty/keymaster/Android.bp

+43 −0

Original line number	Diff line number	Diff line
		@@ -80,6 +80,49 @@ cc_binary {
		vintf_fragments: ["4.0/android.hardware.keymaster@4.0-service.trusty.xml"],
		}

		cc_binary {
		name: "android.hardware.security.keymint-service.trusty",
		relative_install_path: "hw",
		init_rc: ["keymint/android.hardware.security.keymint-service.trusty.rc"],
		vintf_fragments: [
		"keymint/android.hardware.security.keymint-service.trusty.xml",
		],
		vendor: true,
		cflags: [
		"-Wall",
		"-Wextra",
		],
		local_include_dirs: [
		"include",
		],
		srcs: [
		"TrustyKeymaster.cpp",
		"ipc/trusty_keymaster_ipc.cpp",
		"keymint/TrustyKeyMintDevice.cpp",
		"keymint/TrustyKeyMintOperation.cpp",
		"keymint/TrustySecureClock.cpp",
		"keymint/TrustySharedSecret.cpp",
		"keymint/service.cpp",
		],
		shared_libs: [
		"android.hardware.security.keymint-V1-ndk_platform",
		"android.hardware.security.secureclock-V1-ndk_platform",
		"android.hardware.security.sharedsecret-V1-ndk_platform",
		"lib_android_keymaster_keymint_utils",
		"libbase",
		"libbinder_ndk",
		"libhardware",
		"libkeymaster_messages",
		"libkeymint",
		"liblog",
		"libtrusty",
		],
		required: [
		"RemoteProvisioner",
		"android.hardware.hardware_keystore.xml",
		],
		}

		prebuilt_etc {
		name: "keymaster_soft_attestation_keys.xml",
		vendor: true,

trusty/keymaster/TrustyKeymaster.cpp

+38 −15

Original line number	Diff line number	Diff line
		@@ -14,7 +14,9 @@
		* limitations under the License.
		*/

		#include <cutils/log.h>
		#define LOG_TAG "trusty_keymaster_hal"
		#include <android-base/logging.h>

		#include <keymaster/android_keymaster_messages.h>
		#include <keymaster/keymaster_configuration.h>
		#include <trusty_keymaster/TrustyKeymaster.h>
		@@ -22,24 +24,28 @@

		namespace keymaster {

		int TrustyKeymaster::Initialize() {
		int TrustyKeymaster::Initialize(KmVersion version) {
		int err;

		LOG(INFO) << "Initializing TrustyKeymaster as KmVersion: " << (int)version;

		err = trusty_keymaster_connect();
		if (err) {
		ALOGE("Failed to connect to trusty keymaster %d", err);
		LOG(ERROR) << "Failed to connect to trusty keymaster (1st try)" << err;
		return err;
		}

		// Try GetVersion2 first.
		GetVersion2Request versionReq;
		versionReq.max_message_version = MessageVersion(version);
		GetVersion2Response versionRsp = GetVersion2(versionReq);
		if (versionRsp.error != KM_ERROR_OK) {
		ALOGW("TA appears not to support GetVersion2, falling back (err = %d)", versionRsp.error);
		LOG(WARNING) << "TA appears not to support GetVersion2, falling back (err = "
		<< versionRsp.error << ")";

		err = trusty_keymaster_connect();
		if (err) {
		ALOGE("Failed to connect to trusty keymaster %d", err);
		LOG(FATAL) << "Failed to connect to trusty keymaster (2nd try) " << err;
		return err;
		}

		@@ -47,13 +53,13 @@ int TrustyKeymaster::Initialize() {
		GetVersionResponse versionRsp;
		GetVersion(versionReq, &versionRsp);
		if (versionRsp.error != KM_ERROR_OK) {
		ALOGE("Failed to get TA version %d", versionRsp.error);
		LOG(FATAL) << "Failed to get TA version " << versionRsp.error;
		return -1;
		} else {
		keymaster_error_t error;
		message_version_ = NegotiateMessageVersion(versionRsp, &error);
		if (error != KM_ERROR_OK) {
		ALOGE("Failed to negotiate message version %d", error);
		LOG(FATAL) << "Failed to negotiate message version " << error;
		return -1;
		}
		}
		@@ -69,7 +75,7 @@ int TrustyKeymaster::Initialize() {
		Configure(req, &rsp);

		if (rsp.error != KM_ERROR_OK) {
		ALOGE("Failed to configure keymaster %d", rsp.error);
		LOG(FATAL) << "Failed to configure keymaster " << rsp.error;
		return -1;
		}

		@@ -87,7 +93,7 @@ static void ForwardCommand(enum keymaster_command command, const KeymasterMessag
		keymaster_error_t err;
		err = trusty_keymaster_send(command, req, rsp);
		if (err != KM_ERROR_OK) {
		ALOGE("Failed to send cmd %d err: %d", command, err);
		LOG(ERROR) << "Cmd " << command << " returned error: " << err;
		rsp->error = err;
		}
		}
		@@ -137,6 +143,8 @@ void TrustyKeymaster::Configure(const ConfigureRequest& request, ConfigureRespon

		void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request,
		GenerateKeyResponse* response) {
		if (message_version_ < 4) {
		// Pre-KeyMint we need to add TAG_CREATION_DATETIME if not provided by the caller.
		GenerateKeyRequest datedRequest(request.message_version);
		datedRequest.key_description = request.key_description;

		@@ -145,6 +153,9 @@ void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request,
		}

		ForwardCommand(KM_GENERATE_KEY, datedRequest, response);
		} else {
		ForwardCommand(KM_GENERATE_KEY, request, response);
		}
		}

		void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
		@@ -229,4 +240,16 @@ GetVersion2Response TrustyKeymaster::GetVersion2(const GetVersion2Request& reque
		return response;
		}

		EarlyBootEndedResponse TrustyKeymaster::EarlyBootEnded() {
		EarlyBootEndedResponse response(message_version());
		ForwardCommand(KM_EARLY_BOOT_ENDED, EarlyBootEndedRequest(message_version()), &response);
		return response;
		}

		DeviceLockedResponse TrustyKeymaster::DeviceLocked(const DeviceLockedRequest& request) {
		DeviceLockedResponse response(message_version());
		ForwardCommand(KM_DEVICE_LOCKED, request, &response);
		return response;
		}

		} // namespace keymaster

trusty/keymaster/include/trusty_keymaster/TrustyKeyMintDevice.h

0 → 100644

+88 −0

Original line number	Diff line number	Diff line
		/*
		* Copyright 2021, The Android Open Source Project
		*
		* Licensed under the Apache License, Version 2.0 (the "License");
		* you may not use this file except in compliance with the License.
		* You may obtain a copy of the License at
		*
		* http://www.apache.org/licenses/LICENSE-2.0
		*
		* Unless required by applicable law or agreed to in writing, software
		* distributed under the License is distributed on an "AS IS" BASIS,
		* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		* See the License for the specific language governing permissions and
		* limitations under the License.
		*/

		#pragma once

		#include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h>
		#include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h>
		#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>

		#include <trusty_keymaster/TrustyKeymaster.h>

		namespace aidl::android::hardware::security::keymint::trusty {

		using ::keymaster::TrustyKeymaster;
		using ::ndk::ScopedAStatus;
		using secureclock::TimeStampToken;
		using ::std::optional;
		using ::std::shared_ptr;
		using ::std::vector;

		class TrustyKeyMintDevice : public BnKeyMintDevice {
		public:
		explicit TrustyKeyMintDevice(shared_ptr<TrustyKeymaster> impl) : impl_(std::move(impl)) {}
		virtual ~TrustyKeyMintDevice() = default;

		ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;

		ScopedAStatus addRngEntropy(const vector<uint8_t>& data) override;

		ScopedAStatus generateKey(const vector<KeyParameter>& keyParams,
		const optional<AttestationKey>& attestationKey,
		KeyCreationResult* creationResult) override;

		ScopedAStatus getKeyCharacteristics(const vector<uint8_t>& keyBlob,
		const vector<uint8_t>& clientId,
		const vector<uint8_t>& appData,
		vector<KeyCharacteristics>* characteristics) override;

		ScopedAStatus importKey(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
		const vector<uint8_t>& keyData,
		const optional<AttestationKey>& attestationKey,
		KeyCreationResult* creationResult) override;

		ScopedAStatus importWrappedKey(const vector<uint8_t>& wrappedKeyData,
		const vector<uint8_t>& wrappingKeyBlob,
		const vector<uint8_t>& maskingKey,
		const vector<KeyParameter>& unwrappingParams,
		int64_t passwordSid, int64_t biometricSid,
		KeyCreationResult* creationResult) override;

		ScopedAStatus upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
		const vector<KeyParameter>& upgradeParams,
		vector<uint8_t>* keyBlob) override;

		ScopedAStatus deleteKey(const vector<uint8_t>& keyBlob) override;
		ScopedAStatus deleteAllKeys() override;
		ScopedAStatus destroyAttestationIds() override;

		ScopedAStatus begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
		const vector<KeyParameter>& params,
		const optional<HardwareAuthToken>& authToken, BeginResult* result) override;

		ScopedAStatus deviceLocked(bool passwordOnly,
		const optional<TimeStampToken>& timestampToken) override;
		ScopedAStatus earlyBootEnded() override;

		ScopedAStatus convertStorageKeyToEphemeral(const std::vector<uint8_t>& storageKeyBlob,
		std::vector<uint8_t>* ephemeralKeyBlob) override;

		protected:
		std::shared_ptr<TrustyKeymaster> impl_;
		SecurityLevel securityLevel_;
		};

		} // namespace aidl::android::hardware::security::keymint::trusty