1 /*
2 ** Copyright 2018, The Android Open Source Project
3 **
4 ** Licensed under the Apache License, Version 2.0 (the "License");
5 ** you may not use this file except in compliance with the License.
6 ** You may obtain a copy of the License at
7 **
8 ** http://www.apache.org/licenses/LICENSE-2.0
9 **
10 ** Unless required by applicable law or agreed to in writing, software
11 ** distributed under the License is distributed on an "AS IS" BASIS,
12 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 ** See the License for the specific language governing permissions and
14 ** limitations under the License.
15 */
16
17 #include <keymasterV4_1/Keymaster.h>
18
19 #include <iomanip>
20
21 #include <android-base/logging.h>
22 #include <android/hidl/manager/1.2/IServiceManager.h>
23 #include <keymasterV4_0/key_param_output.h>
24 #include <keymasterV4_0/keymaster_utils.h>
25 #include <keymasterV4_1/Keymaster3.h>
26 #include <keymasterV4_1/Keymaster4.h>
27
28 namespace android::hardware {
29
/**
 * Streams a hidl_vec as a brace-delimited, comma-separated list, e.g. "{ a, b, c }".
 * An empty vector produces only the opening "{ " and closing " }" pieces.
 *
 * @param os  Destination stream.
 * @param vec Vector whose elements are written with their own operator<<.
 * @return The same stream, to allow chaining.
 */
template <class T>
std::ostream& operator<<(std::ostream& os, const hidl_vec<T>& vec) {
    os << "{ ";
    const size_t count = vec.size();
    for (size_t idx = 0; idx < count; ++idx) {
        // The separator goes between elements only, never after the last one.
        if (idx != 0) os << ", ";
        os << vec[idx];
    }
    os << " }";
    return os;
}
40
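/**
 * Streams a byte vector as hex, exactly two digits per byte, with no separators.
 *
 * std::setw() only affects the next insertion, so the width is re-applied for every byte.
 * Setting it once pads only the first byte: {0x01, 0x02, 0x03} and {0x01, 0x23} would both
 * be written as "0123", which makes logged seeds, nonces and HMAC check values ambiguous
 * when they are compared during triage.
 *
 * The fill character is not part of fmtflags, so it is saved and restored separately;
 * otherwise '0' padding would leak into later output on the same stream.
 *
 * @param os  Destination stream; its flags and fill character are restored on return.
 * @param vec Bytes to dump.
 * @return The same stream, to allow chaining.
 */
std::ostream& operator<<(std::ostream& os, const hidl_vec<uint8_t>& vec) {
    const std::ios_base::fmtflags savedFlags(os.flags());
    const char savedFill = os.fill('0');
    os << std::hex;
    // Cast to int so the byte is formatted as a number rather than as a character.
    for (uint8_t byte : vec) os << std::setw(2) << static_cast<int>(byte);
    os.fill(savedFill);
    os.flags(savedFlags);
    return os;
}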
48
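/**
 * Streams a fixed-size byte array as hex, exactly two digits per byte, with no separators.
 *
 * std::setw() only affects the next insertion, so the width is re-applied for every byte;
 * setting it once would drop the leading zero of every byte below 0x10 after the first and
 * make the dump ambiguous. The fill character is not covered by fmtflags, so it is saved
 * and restored separately to avoid leaking '0' padding into later output.
 *
 * @tparam N  Number of bytes in the array.
 * @param os  Destination stream; its flags and fill character are restored on return.
 * @param vec Bytes to dump.
 * @return The same stream, to allow chaining.
 */
template <size_t N>
std::ostream& operator<<(std::ostream& os, const hidl_array<uint8_t, N>& vec) {
    const std::ios_base::fmtflags savedFlags(os.flags());
    const char savedFill = os.fill('0');
    os << std::hex;
    // Cast to int so the byte is formatted as a number rather than as a character.
    for (size_t i = 0; i < N; ++i) os << std::setw(2) << static_cast<int>(vec[i]);
    os.fill(savedFill);
    os.flags(savedFlags);
    return os;
}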
57
58 namespace keymaster {
59
60 namespace V4_0 {
61
/**
 * Streams HMAC sharing parameters as "(seed: <seed>, nonce: <nonce>)".
 *
 * @param os     Destination stream.
 * @param params Parameters whose seed and nonce fields are written.
 * @return The same stream, to allow chaining.
 */
std::ostream& operator<<(std::ostream& os, const HmacSharingParameters& params) {
    // By design the seed and nonce feed the shared-secret computation but are not secrets
    // themselves, so it is fine for them to appear in logs.
    return os << "(seed: " << params.seed << ", nonce: " << params.nonce << ')';
}
68
69 } // namespace V4_0
70
71 namespace V4_1::support {
72
73 using ::android::sp;
74 using ::android::hidl::manager::V1_2::IServiceManager;
75
/**
 * Streams a one-line description of a Keymaster instance: implementation name, author,
 * security level, and the HAL descriptor with its instance name.
 *
 * @param os        Destination stream.
 * @param keymaster Instance to describe.
 * @return The same stream, to allow chaining.
 */
std::ostream& operator<<(std::ostream& os, const Keymaster& keymaster) {
    const auto& halInfo = keymaster.halVersion();
    os << halInfo.keymasterName << " from " << halInfo.authorName;
    os << " SecurityLevel: " << toString(halInfo.securityLevel);
    os << " HAL: " << keymaster.descriptor() << "/" << keymaster.instanceName();
    return os;
}
83
/**
 * Collects every instance of the HAL interface wrapped by Wrapper.
 *
 * Each instance name reported by listManifestByInterface() is fetched with getService() and
 * wrapped; a listed instance that cannot be fetched aborts the process via CHECK. If the
 * manifest did not list "default", one more getService("default") is attempted and the
 * result is added only when it is non-null.
 *
 * @tparam Wrapper       Wrapper type exposing WrappedIKeymasterDevice.
 * @param serviceManager Service manager used to list manifest instances.
 * @return The wrapped devices, in the order they were discovered.
 */
template <typename Wrapper>
Keymaster::KeymasterSet enumerateDevices(const sp<IServiceManager>& serviceManager) {
    using Device = typename Wrapper::WrappedIKeymasterDevice;

    Keymaster::KeymasterSet devices;
    bool sawDefault = false;
    auto& descriptor = Device::descriptor;

    auto collect = [&](const hidl_vec<hidl_string>& names) {
        for (auto& instance : names) {
            if (instance == "default") sawDefault = true;
            auto service = Device::getService(instance);
            CHECK(service) << "Failed to get service for " << descriptor << " with interface name "
                           << instance;
            devices.push_back(new Wrapper(service, instance));
        }
    };
    // NOTE(review): the value returned by listManifestByInterface() is not inspected here.
    serviceManager->listManifestByInterface(descriptor, collect);

    if (!sawDefault) {
        // "default" wasn't provided by listManifestByInterface. Maybe there's a passthrough
        // implementation.
        auto fallback = Device::getService("default");
        if (fallback) devices.push_back(new Wrapper(fallback, "default"));
    }

    return devices;
}
109
/**
 * Logs an ERROR with implementation details when the error code lies in the vendor range.
 *
 * Codes at or below -10000 are treated as vendor specific; any other code is ignored.
 *
 * @param ec Error code reported by the Keymaster implementation.
 */
void Keymaster::logIfKeymasterVendorError(ErrorCode ec) const {
    static constexpr int32_t kVendorErrorRangeMax = -10000;
    const int32_t rawCode = static_cast<int32_t>(ec);
    if (rawCode > kVendorErrorRangeMax) return;

    const auto& info = halVersion();
    LOG(ERROR) << "Keymaster reported error: " << rawCode << "\n"
               << "NOTE: This is an error in the vendor specific error range.\n"
               << " Refer to the vendor of the implementation for details.\n"
               << " Implementation name: " << info.keymasterName << "\n"
               << " Vendor name: " << info.authorName << "\n"
               << " MajorVersion: " << info.majorVersion;
}
122
/**
 * Enumerates all Keymaster4 and Keymaster3 HAL instances and returns them sorted by
 * descending halVersion().
 *
 * Aborts via CHECK if the service manager cannot be obtained. The resulting list is also
 * written to the INFO log, one numbered line per HAL.
 *
 * @return The discovered devices, highest halVersion() first.
 */
Keymaster::KeymasterSet Keymaster::enumerateAvailableDevices() {
    auto serviceManager = IServiceManager::getService();
    CHECK(serviceManager) << "Could not retrieve ServiceManager";

    auto devices = enumerateDevices<Keymaster4>(serviceManager);
    auto olderDevices = enumerateDevices<Keymaster3>(serviceManager);

    // Append the Keymaster3 wrappers by moving them; olderDevices is not used afterwards.
    devices.insert(devices.end(), std::make_move_iterator(olderDevices.begin()),
                   std::make_move_iterator(olderDevices.end()));

    const auto byDescendingHalVersion = [](auto& a, auto& b) {
        return a->halVersion() > b->halVersion();
    };
    std::sort(devices.begin(), devices.end(), byDescendingHalVersion);

    LOG(INFO) << "List of Keymaster HALs found:";
    for (size_t idx = 0; idx < devices.size(); ++idx) {
        // Numbering in the log is 1-based.
        LOG(INFO) << "Keymaster HAL #" << (idx + 1) << ": " << *devices[idx];
    }

    return devices;
}
143
/**
 * Gathers the HMAC sharing parameters of every device whose major version is at least 4.
 *
 * Any device that reports an error, or whose call cannot be completed, aborts the process
 * via CHECK. The collected parameters are sorted before being returned.
 *
 * @param keymasters Devices to query; those with majorVersion < 4 are skipped.
 * @return Sorted sharing parameters, one entry per queried device.
 */
static hidl_vec<HmacSharingParameters> getHmacParameters(
        const Keymaster::KeymasterSet& keymasters) {
    std::vector<HmacSharingParameters> collected;
    collected.reserve(keymasters.size());

    for (auto& keymaster : keymasters) {
        if (keymaster->halVersion().majorVersion >= 4) {
            auto status = keymaster->getHmacSharingParameters([&](auto error, auto& params) {
                CHECK(error == V4_0::ErrorCode::OK)
                        << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
                collected.push_back(params);
            });
            CHECK(status.isOk()) << "Failed to communicate with " << *keymaster
                                 << " error: " << status.description();
        }
    }

    // NOTE(review): presumably sorted so that every device is handed the parameters in the
    // same order - confirm against the HAL contract.
    std::sort(collected.begin(), collected.end());

    return collected;
}
162
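/**
 * Asks every device with major version >= 4 to compute the shared HMAC key from params and
 * compares the sharing-check value each one returns against the first one seen.
 *
 * A device that reports an error, or whose call cannot be completed, aborts the process via
 * CHECK. A sharing-check mismatch is only logged as a WARNING.
 *
 * @param keymasters Devices taking part; those with majorVersion < 4 are skipped.
 * @param params     Sharing parameters handed to every device; nothing is done when empty.
 */
static void computeHmac(const Keymaster::KeymasterSet& keymasters,
                        const hidl_vec<HmacSharingParameters>& params) {
    if (!params.size()) return;

    hidl_vec<uint8_t> sharingCheck;
    bool firstKeymaster = true;
    LOG(DEBUG) << "Computing HMAC with params " << params;
    for (auto& keymaster : keymasters) {
        if (keymaster->halVersion().majorVersion < 4) continue;
        LOG(DEBUG) << "Computing HMAC for " << *keymaster;
        auto rc = keymaster->computeSharedHmac(
                params, [&](V4_0::ErrorCode error, const hidl_vec<uint8_t>& curSharingCheck) {
                    // The message names the operation that actually failed; it previously
                    // repeated the getHmacSharingParameters text, which pointed triage of a
                    // fatal abort at the wrong call.
                    CHECK(error == V4_0::ErrorCode::OK) << "Failed to compute shared HMAC on "
                                                        << *keymaster << " error " << error;
                    // The first responding device defines the reference value.
                    if (firstKeymaster) {
                        sharingCheck = curSharingCheck;
                        firstKeymaster = false;
                    }
                    // NOTE(review): a mismatch means this device did not arrive at the same
                    // sharing-check value as the first one, yet execution continues with
                    // only a warning - confirm that non-fatal handling is intended. Both
                    // values are written to the log; confirm they are not sensitive.
                    if (curSharingCheck != sharingCheck)
                        LOG(WARNING) << "HMAC computation failed for " << *keymaster  //
                                     << " Expected: " << sharingCheck                 //
                                     << " got: " << curSharingCheck;
                });
        CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
                         << " error: " << rc.description();
    }
}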
190
/**
 * Runs HMAC key agreement across the given devices: collects their sharing parameters with
 * getHmacParameters(), then passes them to computeHmac().
 *
 * @param keymasters Devices taking part in the agreement.
 */
void Keymaster::performHmacKeyAgreement(const KeymasterSet& keymasters) {
    const auto sharingParams = getHmacParameters(keymasters);
    computeHmac(keymasters, sharingParams);
}
194
195 } // namespace V4_1::support
196 } // namespace keymaster
197 } // namespace android::hardware
198