1 /*
2  * Copyright 2021, The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *     http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <hardware/keymaster_defs.h>
20 
21 namespace keymaster {
22 
23 typedef uint64_t km_id_t;
24 template <typename BlobType> struct TKeymasterBlob;
25 typedef TKeymasterBlob<keymaster_key_blob_t> KeymasterKeyBlob;
26 
27 /**
28  * This is the reference implementation of secure key storage of Keymaster. It implements
29  * key storage on top TEE's secure storage service. All data is stored in the secure hardware,
30  * such as RPMB filesystem.
31  */
32 class SecureKeyStorage {
33   public:
SecureKeyStorage()34     SecureKeyStorage() {}
~SecureKeyStorage()35     virtual ~SecureKeyStorage(){};
36 
37     /**
38      * Writes the key blob into secure key storage and uses the key ID as the index of this
39      * key blob. The key ID must be the same id created by KeymasterEnforcement.CreateKeyId,
40      * which means the generated id must be stable in that the same key blob bits yield the
41      * same keyid.
42      */
43     virtual keymaster_error_t WriteKey(const km_id_t keyid, const KeymasterKeyBlob& blob) = 0;
44 
45     /**
46      * Checks if the key blob with key id exists in secure key storage. On success, writes to
47      * exists.
48      */
49     virtual keymaster_error_t KeyExists(const km_id_t keyid, bool* exists) = 0;
50 
51     /**
52      * Deletes the key blob with key id from secure key storage.
53      */
54     virtual keymaster_error_t DeleteKey(const km_id_t keyid) = 0;
55 
56     /**
57      * Deletes all the key blob from secure key storage.
58      */
59     virtual keymaster_error_t DeleteAllKeys() = 0;
60 
61     /**
62      * Checks if the secure key storage still has available slot. On success, writes to has_slot.
63      */
64     virtual keymaster_error_t HasSlot(bool* has_slot) = 0;
65 };
66 
67 }  // namespace keymaster
68