/* * Copyright 2015 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ #pragma once #include #include #include #include #include #include #include #include #include #include #include #include namespace keymaster { class SoftKeymasterKeyRegistrations; class Keymaster0Engine; class Keymaster1Engine; class Key; /** * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster. */ class PureSoftKeymasterContext : public KeymasterContext, protected SoftwareKeyBlobMaker, public SoftAttestationContext, SoftwareRandomSource { public: // Security level must only be used for testing. explicit PureSoftKeymasterContext( KmVersion version, keymaster_security_level_t security_level = KM_SECURITY_LEVEL_SOFTWARE); ~PureSoftKeymasterContext() override; KmVersion GetKmVersion() const override { return AttestationContext::GetKmVersion(); } /********************************************************************************************* * Implement KeymasterContext */ keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override; void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override; KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override; OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm, keymaster_purpose_t purpose) const override; keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override; keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade, const AuthorizationSet& upgrade_params, KeymasterKeyBlob* upgraded_key) const override; keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, UniquePtr* key) const override; keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override; keymaster_error_t DeleteAllKeys() const override; keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override; CertificateChain GenerateAttestation(const Key& key, const AuthorizationSet& attest_params, UniquePtr attest_key, const KeymasterBlob& issuer_subject, keymaster_error_t* error) const override; CertificateChain GenerateSelfSignedCertificate(const Key& key, const AuthorizationSet& cert_params, bool fake_signature, keymaster_error_t* error) const override; KeymasterEnforcement* enforcement_policy() override { // SoftKeymaster does no enforcement; it's all done by Keystore. return &soft_keymaster_enforcement_; } SecureKeyStorage* secure_key_storage() override { return pure_soft_secure_key_storage_.get(); } RemoteProvisioningContext* GetRemoteProvisioningContext() const override { return pure_soft_remote_provisioning_context_.get(); } keymaster_error_t SetVendorPatchlevel(uint32_t vendor_patchlevel) override { if (vendor_patchlevel_.has_value() && vendor_patchlevel != vendor_patchlevel_.value()) { // Can't set patchlevel to a different value. return KM_ERROR_INVALID_ARGUMENT; } vendor_patchlevel_ = vendor_patchlevel; return KM_ERROR_OK; } keymaster_error_t SetBootPatchlevel(uint32_t boot_patchlevel) override { if (boot_patchlevel_.has_value() && boot_patchlevel != boot_patchlevel_.value()) { // Can't set patchlevel to a different value. return KM_ERROR_INVALID_ARGUMENT; } boot_patchlevel_ = boot_patchlevel; return KM_ERROR_OK; } std::optional GetVendorPatchlevel() const override { return vendor_patchlevel_; } std::optional GetBootPatchlevel() const override { return boot_patchlevel_; } /********************************************************************************************* * Implement SoftwareKeyBlobMaker */ keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin, const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob, AuthorizationSet* hw_enforced, AuthorizationSet* sw_enforced) const override; keymaster_error_t UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob, const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key, AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format, KeymasterKeyBlob* wrapped_key_material) const override; /********************************************************************************************* * Implement AttestationContext */ const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const override; keymaster_security_level_t GetSecurityLevel() const override { return security_level_; } protected: std::unique_ptr rsa_factory_; std::unique_ptr ec_factory_; std::unique_ptr aes_factory_; std::unique_ptr tdes_factory_; std::unique_ptr hmac_factory_; uint32_t os_version_; uint32_t os_patchlevel_; std::optional vendor_patchlevel_; std::optional boot_patchlevel_; SoftKeymasterEnforcement soft_keymaster_enforcement_; const keymaster_security_level_t security_level_; std::unique_ptr pure_soft_secure_key_storage_; std::unique_ptr pure_soft_remote_provisioning_context_; }; } // namespace keymaster