1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <memory>
20 #include <string>
21 
22 #include <keymaster/attestation_context.h>
23 #include <keymaster/contexts/pure_soft_remote_provisioning_context.h>
24 #include <keymaster/contexts/soft_attestation_context.h>
25 #include <keymaster/keymaster_context.h>
26 #include <keymaster/km_openssl/attestation_record.h>
27 #include <keymaster/km_openssl/soft_keymaster_enforcement.h>
28 #include <keymaster/km_openssl/software_random_source.h>
29 #include <keymaster/pure_soft_secure_key_storage.h>
30 #include <keymaster/random_source.h>
31 #include <keymaster/soft_key_factory.h>
32 
33 namespace keymaster {
34 
35 class SoftKeymasterKeyRegistrations;
36 class Keymaster0Engine;
37 class Keymaster1Engine;
38 class Key;
39 
40 /**
41  * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster.
42  */
43 class PureSoftKeymasterContext : public KeymasterContext,
44                                  protected SoftwareKeyBlobMaker,
45                                  public SoftAttestationContext,
46                                  SoftwareRandomSource {
47   public:
48     // Security level must only be used for testing.
49     explicit PureSoftKeymasterContext(
50         KmVersion version, keymaster_security_level_t security_level = KM_SECURITY_LEVEL_SOFTWARE);
51     ~PureSoftKeymasterContext() override;
52 
GetKmVersion()53     KmVersion GetKmVersion() const override { return AttestationContext::GetKmVersion(); }
54 
55     /*********************************************************************************************
56      * Implement KeymasterContext
57      */
58     keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
59     void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;
60 
61     KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
62     OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
63                                           keymaster_purpose_t purpose) const override;
64     keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;
65     keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
66                                      const AuthorizationSet& upgrade_params,
67                                      KeymasterKeyBlob* upgraded_key) const override;
68     keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
69                                    const AuthorizationSet& additional_params,
70                                    UniquePtr<Key>* key) const override;
71     keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override;
72     keymaster_error_t DeleteAllKeys() const override;
73     keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
74     CertificateChain GenerateAttestation(const Key& key, const AuthorizationSet& attest_params,
75                                          UniquePtr<Key> attest_key,
76                                          const KeymasterBlob& issuer_subject,
77                                          keymaster_error_t* error) const override;
78     CertificateChain GenerateSelfSignedCertificate(const Key& key,
79                                                    const AuthorizationSet& cert_params,
80                                                    bool fake_signature,
81                                                    keymaster_error_t* error) const override;
enforcement_policy()82     KeymasterEnforcement* enforcement_policy() override {
83         // SoftKeymaster does no enforcement; it's all done by Keystore.
84         return &soft_keymaster_enforcement_;
85     }
86 
secure_key_storage()87     SecureKeyStorage* secure_key_storage() override { return pure_soft_secure_key_storage_.get(); }
88 
GetRemoteProvisioningContext()89     RemoteProvisioningContext* GetRemoteProvisioningContext() const override {
90         return pure_soft_remote_provisioning_context_.get();
91     }
92 
SetVendorPatchlevel(uint32_t vendor_patchlevel)93     keymaster_error_t SetVendorPatchlevel(uint32_t vendor_patchlevel) override {
94         if (vendor_patchlevel_.has_value() && vendor_patchlevel != vendor_patchlevel_.value()) {
95             // Can't set patchlevel to a different value.
96             return KM_ERROR_INVALID_ARGUMENT;
97         }
98         vendor_patchlevel_ = vendor_patchlevel;
99         return KM_ERROR_OK;
100     }
101 
SetBootPatchlevel(uint32_t boot_patchlevel)102     keymaster_error_t SetBootPatchlevel(uint32_t boot_patchlevel) override {
103         if (boot_patchlevel_.has_value() && boot_patchlevel != boot_patchlevel_.value()) {
104             // Can't set patchlevel to a different value.
105             return KM_ERROR_INVALID_ARGUMENT;
106         }
107         boot_patchlevel_ = boot_patchlevel;
108         return KM_ERROR_OK;
109     }
110 
GetVendorPatchlevel()111     std::optional<uint32_t> GetVendorPatchlevel() const override { return vendor_patchlevel_; }
112 
GetBootPatchlevel()113     std::optional<uint32_t> GetBootPatchlevel() const override { return boot_patchlevel_; }
114 
115     /*********************************************************************************************
116      * Implement SoftwareKeyBlobMaker
117      */
118     keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin,
119                                     const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob,
120                                     AuthorizationSet* hw_enforced,
121                                     AuthorizationSet* sw_enforced) const override;
122 
123     keymaster_error_t
124     UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob,
125               const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key,
126               AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format,
127               KeymasterKeyBlob* wrapped_key_material) const override;
128 
129     /*********************************************************************************************
130      * Implement AttestationContext
131      */
132 
133     const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const override;
134 
GetSecurityLevel()135     keymaster_security_level_t GetSecurityLevel() const override { return security_level_; }
136 
137   protected:
138     std::unique_ptr<KeyFactory> rsa_factory_;
139     std::unique_ptr<KeyFactory> ec_factory_;
140     std::unique_ptr<KeyFactory> aes_factory_;
141     std::unique_ptr<KeyFactory> tdes_factory_;
142     std::unique_ptr<KeyFactory> hmac_factory_;
143     uint32_t os_version_;
144     uint32_t os_patchlevel_;
145     std::optional<uint32_t> vendor_patchlevel_;
146     std::optional<uint32_t> boot_patchlevel_;
147     SoftKeymasterEnforcement soft_keymaster_enforcement_;
148     const keymaster_security_level_t security_level_;
149     std::unique_ptr<SecureKeyStorage> pure_soft_secure_key_storage_;
150     std::unique_ptr<RemoteProvisioningContext> pure_soft_remote_provisioning_context_;
151 };
152 
153 }  // namespace keymaster
154