1 /*
2  * Copyright 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "trusty_keymaster_context.h"
18 
19 #include <array>
20 #include <utility>
21 
22 #include <stdlib.h>
23 #include <string.h>
24 
25 #include <keymaster/android_keymaster_utils.h>
26 #include <keymaster/contexts/soft_attestation_cert.h>
27 #include <keymaster/key_blob_utils/auth_encrypted_key_blob.h>
28 #include <keymaster/key_blob_utils/ocb_utils.h>
29 #include <keymaster/km_openssl/aes_key.h>
30 #include <keymaster/km_openssl/asymmetric_key.h>
31 #include <keymaster/km_openssl/attestation_record.h>
32 #include <keymaster/km_openssl/attestation_utils.h>
33 #include <keymaster/km_openssl/certificate_utils.h>
34 #include <keymaster/km_openssl/ec_key_factory.h>
35 #include <keymaster/km_openssl/hmac_key.h>
36 #include <keymaster/km_openssl/openssl_err.h>
37 #include <keymaster/km_openssl/rsa_key_factory.h>
38 #include <keymaster/km_openssl/triple_des_key.h>
39 #include <keymaster/logger.h>
40 #include <keymaster/operation.h>
41 #include <keymaster/wrapped_key.h>
42 #include <lib/hwkey/hwkey.h>
43 #include <lib/rng/trusty_rng.h>
44 #include <openssl/hmac.h>
45 
46 #include "second_imei_attestation.h"
47 #include "secure_storage_manager.h"
48 #include "trusty_aes_key.h"
49 
50 constexpr bool kUseSecureDeletion = true;
51 uint8_t allZerosOrHashOfVerifiedBootKey[32] = {};
52 
53 #ifdef KEYMASTER_DEBUG
54 #pragma message \
55         "Compiling with fake Keymaster Root of Trust values! DO NOT SHIP THIS!"
56 #endif
57 
58 // TRUSTY_KM_WRAPPING_KEY_SIZE controls the size of the AES key that is used
59 // to wrap keys before allowing NS to hold on to them.
60 // Previously, it had a hardcoded value of 16 bytes, but current guidance is to
61 // expand this to a 256-bit (32-byte) key.
62 //
63 // The plan is to leave old devices as they are, and issue new devices with a
64 // 32-byte key to ensure compatibility. New devices should set
65 // TRUSTY_WRAPPING_KEY_SIZE to 32 in their device Makefile to control this.
66 
67 #ifndef TRUSTY_KM_WRAPPING_KEY_SIZE
68 #define TRUSTY_KM_WRAPPING_KEY_SIZE 16
69 #endif
70 
71 namespace keymaster {
72 
73 namespace {
74 static const int kAesKeySize = TRUSTY_KM_WRAPPING_KEY_SIZE;
75 static const int kCallsBetweenRngReseeds = 32;
76 static const int kRngReseedSize = 64;
77 static const uint8_t kMasterKeyDerivationData[kAesKeySize] = "KeymasterMaster";
78 
UpgradeIntegerTag(keymaster_tag_t tag,uint32_t value,AuthorizationSet * set,bool * set_changed)79 bool UpgradeIntegerTag(keymaster_tag_t tag,
80                        uint32_t value,
81                        AuthorizationSet* set,
82                        bool* set_changed) {
83     int index = set->find(tag);
84     if (index == -1) {
85         *set_changed = true;
86         set->push_back(keymaster_key_param_t{.tag = tag, .integer = value});
87         return true;
88     }
89 
90     if (set->params[index].integer > value) {
91         return false;
92     }
93 
94     if (set->params[index].integer != value) {
95         *set_changed = true;
96         set->params[index].integer = value;
97     }
98     return true;
99 }
100 
101 }  // anonymous namespace
102 
TrustyKeymasterContext()103 TrustyKeymasterContext::TrustyKeymasterContext()
104         : AttestationContext(KmVersion::KEYMASTER_4),
105           enforcement_policy_(this),
106           secure_deletion_secret_storage_(*this /* random_source */),
107           rng_initialized_(false),
108           calls_since_reseed_(0) {
109     LOG_D("Creating TrustyKeymaster");
110     rsa_factory_.reset(new (std::nothrow) RsaKeyFactory(*this /* blob_maker */,
111                                                         *this /* context */));
112     tdes_factory_.reset(new (std::nothrow) TripleDesKeyFactory(
113             *this /* blob_maker */, *this /* random_source */));
114     ec_factory_.reset(new (std::nothrow) EcKeyFactory(*this /* blob_maker */,
115                                                       *this /* context */));
116     aes_factory_.reset(new (std::nothrow) TrustyAesKeyFactory(
117             *this /* blob_maker */, *this /* random_source */));
118     hmac_factory_.reset(new (std::nothrow) HmacKeyFactory(
119             *this /* blob_maker */, *this /* random_source */));
120     boot_params_.verified_boot_key.Reinitialize("Unbound", 7);
121     trusty_remote_provisioning_context_.reset(
122             new (std::nothrow) TrustyRemoteProvisioningContext());
123 }
124 
GetKeyFactory(keymaster_algorithm_t algorithm) const125 const KeyFactory* TrustyKeymasterContext::GetKeyFactory(
126         keymaster_algorithm_t algorithm) const {
127     switch (algorithm) {
128     case KM_ALGORITHM_RSA:
129         return rsa_factory_.get();
130     case KM_ALGORITHM_EC:
131         return ec_factory_.get();
132     case KM_ALGORITHM_AES:
133         return aes_factory_.get();
134     case KM_ALGORITHM_HMAC:
135         return hmac_factory_.get();
136     case KM_ALGORITHM_TRIPLE_DES:
137         return tdes_factory_.get();
138     default:
139         return nullptr;
140     }
141 }
142 
143 static keymaster_algorithm_t supported_algorithms[] = {
144         KM_ALGORITHM_RSA, KM_ALGORITHM_EC, KM_ALGORITHM_AES, KM_ALGORITHM_HMAC,
145         KM_ALGORITHM_TRIPLE_DES};
146 
GetSupportedAlgorithms(size_t * algorithms_count) const147 const keymaster_algorithm_t* TrustyKeymasterContext::GetSupportedAlgorithms(
148         size_t* algorithms_count) const {
149     *algorithms_count = array_length(supported_algorithms);
150     return supported_algorithms;
151 }
152 
GetOperationFactory(keymaster_algorithm_t algorithm,keymaster_purpose_t purpose) const153 OperationFactory* TrustyKeymasterContext::GetOperationFactory(
154         keymaster_algorithm_t algorithm,
155         keymaster_purpose_t purpose) const {
156     const KeyFactory* key_factory = GetKeyFactory(algorithm);
157     if (!key_factory)
158         return nullptr;
159     return key_factory->GetOperationFactory(purpose);
160 }
161 
TranslateAuthorizationSetError(AuthorizationSet::Error err)162 static keymaster_error_t TranslateAuthorizationSetError(
163         AuthorizationSet::Error err) {
164     switch (err) {
165     case AuthorizationSet::OK:
166         return KM_ERROR_OK;
167     case AuthorizationSet::ALLOCATION_FAILURE:
168         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
169     case AuthorizationSet::MALFORMED_DATA:
170         return KM_ERROR_UNKNOWN_ERROR;
171     }
172     return KM_ERROR_OK;
173 }
174 
SetAuthorizations(const AuthorizationSet & key_description,keymaster_key_origin_t origin,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced,bool has_secure_deletion) const175 keymaster_error_t TrustyKeymasterContext::SetAuthorizations(
176         const AuthorizationSet& key_description,
177         keymaster_key_origin_t origin,
178         AuthorizationSet* hw_enforced,
179         AuthorizationSet* sw_enforced,
180         bool has_secure_deletion) const {
181     sw_enforced->Clear();
182     hw_enforced->Clear();
183 
184     for (auto& entry : key_description) {
185         switch (entry.tag) {
186         // Tags that should never appear in key descriptions.
187         case KM_TAG_ASSOCIATED_DATA:
188         case KM_TAG_AUTH_TOKEN:
189         case KM_TAG_BOOTLOADER_ONLY:
190         case KM_TAG_INVALID:
191         case KM_TAG_MAC_LENGTH:
192         case KM_TAG_NONCE:
193         case KM_TAG_ROOT_OF_TRUST:
194         case KM_TAG_UNIQUE_ID:
195         case KM_TAG_IDENTITY_CREDENTIAL_KEY:
196             return KM_ERROR_INVALID_KEY_BLOB;
197 
198         // Tags used only to provide information for certificate creation, but
199         // which should not be included in blobs.
200         case KM_TAG_ATTESTATION_APPLICATION_ID:
201         case KM_TAG_ATTESTATION_CHALLENGE:
202         case KM_TAG_ATTESTATION_ID_BRAND:
203         case KM_TAG_ATTESTATION_ID_DEVICE:
204         case KM_TAG_ATTESTATION_ID_IMEI:
205         case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
206         case KM_TAG_ATTESTATION_ID_MANUFACTURER:
207         case KM_TAG_ATTESTATION_ID_MEID:
208         case KM_TAG_ATTESTATION_ID_MODEL:
209         case KM_TAG_ATTESTATION_ID_PRODUCT:
210         case KM_TAG_ATTESTATION_ID_SERIAL:
211         case KM_TAG_CERTIFICATE_NOT_AFTER:
212         case KM_TAG_CERTIFICATE_NOT_BEFORE:
213         case KM_TAG_CERTIFICATE_SERIAL:
214         case KM_TAG_CERTIFICATE_SUBJECT:
215         case KM_TAG_RESET_SINCE_ID_ROTATION:
216             break;
217 
218         // Unimplemented tags for which we return an error.
219         case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
220             return KM_ERROR_INVALID_ARGUMENT;
221 
222         // Unimplemented tags we silently ignore.
223         case KM_TAG_ALLOW_WHILE_ON_BODY:
224             break;
225 
226         // Obsolete tags we silently ignore.
227         case KM_TAG_ALL_APPLICATIONS:
228         case KM_TAG_ROLLBACK_RESISTANT:
229         case KM_TAG_CONFIRMATION_TOKEN:
230 
231         // Tags that should not be added to blobs.
232         case KM_TAG_APPLICATION_ID:
233         case KM_TAG_APPLICATION_DATA:
234             break;
235 
236         // Tags we ignore because they'll be set below.
237         case KM_TAG_BOOT_PATCHLEVEL:
238         case KM_TAG_ORIGIN:
239         case KM_TAG_OS_PATCHLEVEL:
240         case KM_TAG_OS_VERSION:
241         case KM_TAG_VENDOR_PATCHLEVEL:
242             break;
243 
244         // Tags that are hardware-enforced
245         case KM_TAG_ALGORITHM:
246         case KM_TAG_AUTH_TIMEOUT:
247         case KM_TAG_BLOB_USAGE_REQUIREMENTS:
248         case KM_TAG_BLOCK_MODE:
249         case KM_TAG_CALLER_NONCE:
250         case KM_TAG_DIGEST:
251         case KM_TAG_EARLY_BOOT_ONLY:
252         case KM_TAG_ECIES_SINGLE_HASH_MODE:
253         case KM_TAG_EC_CURVE:
254         case KM_TAG_KDF:
255         case KM_TAG_KEY_SIZE:
256         case KM_TAG_MAX_USES_PER_BOOT:
257         case KM_TAG_MIN_MAC_LENGTH:
258         case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
259         case KM_TAG_NO_AUTH_REQUIRED:
260         case KM_TAG_PADDING:
261         case KM_TAG_PURPOSE:
262         case KM_TAG_ROLLBACK_RESISTANCE:
263         case KM_TAG_RSA_OAEP_MGF_DIGEST:
264         case KM_TAG_RSA_PUBLIC_EXPONENT:
265         case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
266         case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
267         case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
268         case KM_TAG_USER_SECURE_ID:
269             hw_enforced->push_back(entry);
270             break;
271 
272         // KM_TAG_STORAGE_KEY handling depends if the feature is enabled.
273         case KM_TAG_STORAGE_KEY:
274 #if WITH_HWWSK_SUPPORT
275             hw_enforced->push_back(entry);
276             break;
277 #else
278             return KM_ERROR_UNIMPLEMENTED;
279 #endif
280 
281         case KM_TAG_USER_AUTH_TYPE: {
282             keymaster_key_param_t elem = entry;
283 
284             // This implementation does support TEE enforced password auth
285             elem.enumerated = entry.enumerated & HW_AUTH_PASSWORD;
286 
287 #if TEE_FINGERPRINT_AUTH_SUPPORTED
288             // If HW_AUTH_FINGERPRINT is supported it needs to be included too
289             elem.enumerated |= entry.enumerated & HW_AUTH_FINGERPRINT;
290 #endif
291             hw_enforced->push_back(elem);
292         } break;
293 
294         case KM_TAG_USAGE_COUNT_LIMIT:
295             LOG_D("Found usage count limit tag: %u", entry.integer);
296             if (entry.integer == 1 && has_secure_deletion) {
297                 // We can enforce a usage count of 1 in HW.
298                 hw_enforced->push_back(entry);
299             } else {
300                 // Otherwise we delegate to keystore.
301                 sw_enforced->push_back(entry);
302             }
303             break;
304 
305         // Keystore-enforced tags
306         case KM_TAG_ACTIVE_DATETIME:
307         case KM_TAG_ALL_USERS:
308         case KM_TAG_CREATION_DATETIME:
309         case KM_TAG_EXPORTABLE:
310         case KM_TAG_INCLUDE_UNIQUE_ID:
311         case KM_TAG_MAX_BOOT_LEVEL:
312         case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
313         case KM_TAG_USAGE_EXPIRE_DATETIME:
314         case KM_TAG_USER_ID:
315             sw_enforced->push_back(entry);
316             break;
317         }
318     }
319 
320     hw_enforced->push_back(TAG_ORIGIN, origin);
321 
322     // these values will be 0 if not set by bootloader
323     hw_enforced->push_back(TAG_OS_VERSION, boot_params_.boot_os_version);
324     hw_enforced->push_back(TAG_OS_PATCHLEVEL, boot_params_.boot_os_patchlevel);
325 
326     if (vendor_patchlevel_.has_value()) {
327         hw_enforced->push_back(TAG_VENDOR_PATCHLEVEL,
328                                vendor_patchlevel_.value());
329     }
330     if (boot_patchlevel_.has_value()) {
331         hw_enforced->push_back(TAG_BOOT_PATCHLEVEL, boot_patchlevel_.value());
332     }
333 
334     if (sw_enforced->is_valid() != AuthorizationSet::OK)
335         return TranslateAuthorizationSetError(sw_enforced->is_valid());
336     if (hw_enforced->is_valid() != AuthorizationSet::OK)
337         return TranslateAuthorizationSetError(hw_enforced->is_valid());
338     return KM_ERROR_OK;
339 }
340 
BuildHiddenAuthorizations(const AuthorizationSet & input_set,AuthorizationSet * hidden) const341 keymaster_error_t TrustyKeymasterContext::BuildHiddenAuthorizations(
342         const AuthorizationSet& input_set,
343         AuthorizationSet* hidden) const {
344     keymaster_blob_t entry;
345     if (input_set.GetTagValue(TAG_APPLICATION_ID, &entry))
346         hidden->push_back(TAG_APPLICATION_ID, entry.data, entry.data_length);
347     if (input_set.GetTagValue(TAG_APPLICATION_DATA, &entry))
348         hidden->push_back(TAG_APPLICATION_DATA, entry.data, entry.data_length);
349 
350     // Copy verified boot key, verified boot state, and device lock state to
351     // hidden authorization set for binding to key.
352     keymaster_key_param_t root_of_trust;
353     root_of_trust.tag = KM_TAG_ROOT_OF_TRUST;
354     root_of_trust.blob.data = boot_params_.verified_boot_key.begin();
355     root_of_trust.blob.data_length =
356             boot_params_.verified_boot_key.buffer_size();
357     hidden->push_back(root_of_trust);
358 
359     root_of_trust.blob.data =
360             reinterpret_cast<const uint8_t*>(&boot_params_.verified_boot_state);
361     root_of_trust.blob.data_length = sizeof(boot_params_.verified_boot_state);
362     hidden->push_back(root_of_trust);
363 
364     root_of_trust.blob.data =
365             reinterpret_cast<const uint8_t*>(&boot_params_.device_locked);
366     root_of_trust.blob.data_length = sizeof(boot_params_.device_locked);
367     hidden->push_back(root_of_trust);
368 
369     return TranslateAuthorizationSetError(hidden->is_valid());
370 }
371 
GetKdfState(EncryptedKey * info) const372 keymaster_error_t TrustyKeymasterContext::GetKdfState(
373         EncryptedKey* info) const {
374     long rc = hwkey_open();
375     if (rc < 0) {
376         LOG_S("Error failing to open a connection to hwkey: %ld", rc);
377         return KM_ERROR_UNKNOWN_ERROR;
378     }
379 
380     hwkey_session_t session = (hwkey_session_t)rc;
381     struct hwkey_versioned_key_options opt = {
382             .kdf_version = HWKEY_KDF_VERSION_BEST,
383             .shared_key = false,
384             .rollback_version_source = HWKEY_ROLLBACK_COMMITTED_VERSION,
385             .os_rollback_version = HWKEY_ROLLBACK_VERSION_CURRENT,
386             .context = NULL,
387             .context_len = 0,
388             .key = NULL,
389             .key_len = 0,
390     };
391     rc = hwkey_derive_versioned(session, &opt);
392     if (rc < 0) {
393         LOG_S("Error deriving versioned master key: %ld", rc);
394         hwkey_close(session);
395         return KM_ERROR_UNKNOWN_ERROR;
396     }
397     hwkey_close(session);
398     // Any versioned format will put the KDF selection into the correct mode.
399     info->format = AES_GCM_WITH_SW_ENFORCED_VERSIONED;
400     info->kdf_version = opt.kdf_version;
401     info->addl_info = opt.os_rollback_version;
402     return KM_ERROR_OK;
403 }
404 
CreateAuthEncryptedKeyBlob(const AuthorizationSet & key_description,const KeymasterKeyBlob & key_material,const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced,const std::optional<SecureDeletionData> & secure_deletion_data,KeymasterKeyBlob * blob) const405 keymaster_error_t TrustyKeymasterContext::CreateAuthEncryptedKeyBlob(
406         const AuthorizationSet& key_description,
407         const KeymasterKeyBlob& key_material,
408         const AuthorizationSet& hw_enforced,
409         const AuthorizationSet& sw_enforced,
410         const std::optional<SecureDeletionData>& secure_deletion_data,
411         KeymasterKeyBlob* blob) const {
412     AuthorizationSet hidden;
413     keymaster_error_t error =
414             BuildHiddenAuthorizations(key_description, &hidden);
415     if (error != KM_ERROR_OK)
416         return error;
417 
418     KeymasterKeyBlob master_key;
419     EncryptedKey info;
420     error = GetKdfState(&info);
421     if (error != KM_ERROR_OK) {
422         return error;
423     }
424     error = DeriveMasterKey(&master_key, info);
425     if (error != KM_ERROR_OK) {
426         return error;
427     }
428 
429     KmErrorOr<EncryptedKey> encrypted_key;
430     if (secure_deletion_data) {
431         encrypted_key = EncryptKey(
432                 key_material, AES_GCM_WITH_SECURE_DELETION_VERSIONED,
433                 hw_enforced, sw_enforced, hidden, *secure_deletion_data,
434                 master_key, *this /* random */);
435     } else {
436         encrypted_key = EncryptKey(
437                 key_material, AES_GCM_WITH_SW_ENFORCED_VERSIONED, hw_enforced,
438                 sw_enforced, hidden, SecureDeletionData{}, master_key,
439                 *this /* random */);
440     }
441     if (!encrypted_key) {
442         return encrypted_key.error();
443     }
444 
445     encrypted_key->kdf_version = info.kdf_version;
446     encrypted_key->addl_info = info.addl_info;
447     KmErrorOr<KeymasterKeyBlob> serialized_key = SerializeAuthEncryptedBlob(
448             *encrypted_key, hw_enforced, sw_enforced,
449             secure_deletion_data ? secure_deletion_data->key_slot : 0);
450 
451     if (!serialized_key) {
452         return serialized_key.error();
453     }
454 
455     *blob = std::move(*serialized_key);
456     return KM_ERROR_OK;
457 }
458 
459 class KeySlotCleanup {
460 public:
KeySlotCleanup(const SecureDeletionSecretStorage & storage,uint32_t key_slot)461     KeySlotCleanup(const SecureDeletionSecretStorage& storage,
462                    uint32_t key_slot)
463             : storage_(storage), key_slot_(key_slot) {}
~KeySlotCleanup()464     ~KeySlotCleanup() {
465         if (key_slot_ != 0) {
466             storage_.DeleteKey(key_slot_);
467         }
468     }
469 
release()470     void release() { key_slot_ = 0; }
471 
472 private:
473     const SecureDeletionSecretStorage& storage_;
474     uint32_t key_slot_;
475 };
476 
CreateKeyBlob(const AuthorizationSet & key_description,keymaster_key_origin_t origin,const KeymasterKeyBlob & key_material,KeymasterKeyBlob * blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const477 keymaster_error_t TrustyKeymasterContext::CreateKeyBlob(
478         const AuthorizationSet& key_description,
479         keymaster_key_origin_t origin,
480         const KeymasterKeyBlob& key_material,
481         KeymasterKeyBlob* blob,
482         AuthorizationSet* hw_enforced,
483         AuthorizationSet* sw_enforced) const {
484     bool request_rollback_resistance =
485             key_description.Contains(TAG_ROLLBACK_RESISTANCE);
486     bool request_usage_limit =
487             key_description.Contains(TAG_USAGE_COUNT_LIMIT, 1);
488     bool request_secure_deletion =
489             request_rollback_resistance || request_usage_limit;
490 
491     LOG_D("Getting secure deletion data");
492     std::optional<SecureDeletionData> sdd;
493     if (kUseSecureDeletion) {
494         sdd = secure_deletion_secret_storage_.CreateDataForNewKey(
495                 request_secure_deletion,
496                 /* is_upgrade */ false);
497     }
498 
499     if (sdd) {
500         LOG_D("Got secure deletion data, FR size = %zu, SD size = %zu, slot = %u",
501               sdd->factory_reset_secret.buffer_size(),
502               sdd->secure_deletion_secret.buffer_size(), sdd->key_slot);
503     } else if (!kUseSecureDeletion) {
504         LOG_I("Not using secure deletion");
505     } else {
506         LOG_W("Failed to get secure deletion data. storageproxy not up?");
507     }
508 
509     uint32_t key_slot = sdd ? sdd->key_slot : 0;
510     bool has_secure_deletion = key_slot != 0;
511     if (request_secure_deletion && !has_secure_deletion) {
512         LOG_E("Secure deletion requested (rollback_resistance:%d, usage_limit:%d) but no slot available!",
513               request_rollback_resistance, request_usage_limit);
514         return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
515     }
516 
517     // At this point we may have stored a secure deletion secret for this key.
518     // If something goes wrong before we return the blob, that slot will leak.
519     // Create an object to clean up on the error paths.
520     KeySlotCleanup key_slot_cleanup(secure_deletion_secret_storage_, key_slot);
521 
522     keymaster_error_t error =
523             SetAuthorizations(key_description, origin, hw_enforced, sw_enforced,
524                               has_secure_deletion);
525 
526     if (error != KM_ERROR_OK) {
527         return error;
528     }
529 
530     error = CreateAuthEncryptedKeyBlob(key_description, key_material,
531                                        *hw_enforced, *sw_enforced,
532                                        std::move(sdd), blob);
533     if (error != KM_ERROR_OK) {
534         return error;
535     }
536 
537     key_slot_cleanup.release();
538     return KM_ERROR_OK;
539 }
540 
UpgradeKeyBlob(const KeymasterKeyBlob & key_to_upgrade,const AuthorizationSet & upgrade_params,KeymasterKeyBlob * upgraded_key) const541 keymaster_error_t TrustyKeymasterContext::UpgradeKeyBlob(
542         const KeymasterKeyBlob& key_to_upgrade,
543         const AuthorizationSet& upgrade_params,
544         KeymasterKeyBlob* upgraded_key) const {
545     UniquePtr<Key> key;
546     keymaster_error_t error =
547             ParseKeyBlob(key_to_upgrade, upgrade_params, &key);
548     LOG_I("Upgrading key blob");
549     if (error != KM_ERROR_OK) {
550         return error;
551     }
552 
553     bool set_changed = false;
554     if (boot_params_.boot_os_version == 0) {
555         // We need to allow "upgrading" OS version to zero, to support upgrading
556         // from proper numbered releases to unnumbered development and preview
557         // releases.
558 
559         if (int pos = key->sw_enforced().find(TAG_OS_VERSION);
560             pos != -1 &&
561             key->sw_enforced()[pos].integer != boot_params_.boot_os_version) {
562             set_changed = true;
563             key->sw_enforced()[pos].integer = boot_params_.boot_os_version;
564         }
565     }
566 
567     if (!UpgradeIntegerTag(TAG_OS_VERSION, boot_params_.boot_os_version,
568                            &key->hw_enforced(), &set_changed) ||
569         !UpgradeIntegerTag(TAG_OS_PATCHLEVEL, boot_params_.boot_os_patchlevel,
570                            &key->hw_enforced(), &set_changed) ||
571         (vendor_patchlevel_.has_value() &&
572          !UpgradeIntegerTag(TAG_VENDOR_PATCHLEVEL, vendor_patchlevel_.value(),
573                             &key->hw_enforced(), &set_changed)) ||
574         (boot_patchlevel_.has_value() &&
575          !UpgradeIntegerTag(TAG_BOOT_PATCHLEVEL, boot_patchlevel_.value(),
576                             &key->hw_enforced(), &set_changed))) {
577         // One of the version fields would have been a downgrade. Not allowed.
578         return KM_ERROR_INVALID_ARGUMENT;
579     }
580 
581     if (!set_changed) {
582         return KM_ERROR_OK;
583     }
584 
585     bool has_secure_deletion = false;
586     if (key->secure_deletion_slot() != 0) {
587         LOG_D("Upgrading rollback-protected key blob in slot %u",
588               key->secure_deletion_slot());
589         has_secure_deletion = true;
590     }
591     if (!has_secure_deletion &&
592         upgrade_params.Contains(TAG_ROLLBACK_RESISTANCE)) {
593         LOG_D("Upgrading non rollback-protected key, adding rollback protection");
594         has_secure_deletion = true;
595     }
596 
597     std::optional<SecureDeletionData> sdd;
598     if (kUseSecureDeletion) {
599         sdd = secure_deletion_secret_storage_.CreateDataForNewKey(
600                 has_secure_deletion, true /* is_upgrade */);
601     }
602 
603     // At this point we may have stored a secure deletion secret for this key.
604     // If something goes wrong before we return the blob, that slot will leak.
605     // Create an object to clean up on the error paths.
606     KeySlotCleanup key_slot_cleanup(secure_deletion_secret_storage_,
607                                     sdd ? sdd->key_slot : 0);
608 
609     error = CreateAuthEncryptedKeyBlob(upgrade_params, key->key_material(),
610                                        key->hw_enforced(), key->sw_enforced(),
611                                        std::move(sdd), upgraded_key);
612     if (error != KM_ERROR_OK) {
613         return error;
614     }
615 
616     key_slot_cleanup.release();
617     return KM_ERROR_OK;
618 }
619 
620 constexpr std::array<uint8_t, 7> kKeystoreKeyBlobMagic = {'p', 'K', 'M', 'b',
621                                                           'l', 'o', 'b'};
622 constexpr size_t kKeystoreKeyTypeOffset = kKeystoreKeyBlobMagic.size();
623 constexpr size_t kKeystoreKeyBlobPrefixSize = kKeystoreKeyTypeOffset + 1;
624 
DeserializeKmCompatKeyBlob(const KeymasterKeyBlob & blob) const625 KmErrorOr<DeserializedKey> TrustyKeymasterContext::DeserializeKmCompatKeyBlob(
626         const KeymasterKeyBlob& blob) const {
627     // This blob has a keystore km_compat prefix.  This means that it was
628     // created by keystore calling TrustyKeymaster through the km_compat layer.
629     // The km_compat layer adds this prefix to determine whether it's actually a
630     // hardware blob that should be passed through to Keymaster, or whether it's
631     // a software only key and should be used by the emulation layer.
632     //
633     // In the case of hardware blobs, km_compat strips the prefix before handing
634     // the blob to Keymaster.  In the case of software blobs, km_compat never
635     // hands the blob to Keymaster.
636     //
637     // The fact that we've received this prefixed blob means that it was created
638     // through km_compat... but the device has now been upgraded from
639     // TrustyKeymaster to TrustyKeyMint, and so keystore is no longer using the
640     // km_compat layer, and the blob is just passed through with its prefix
641     // intact.
642     auto keyType = *(blob.begin() + kKeystoreKeyTypeOffset);
643     switch (keyType) {
644     case 0:
645         // This is a hardware blob. Strip the prefix and use the blob.
646         return DeserializeAuthEncryptedBlob(
647                 KeymasterKeyBlob(blob.begin() + kKeystoreKeyBlobPrefixSize,
648                                  blob.size() - kKeystoreKeyBlobPrefixSize));
649 
650     case 1:
651         LOG_E("Software key blobs are not supported.");
652         return KM_ERROR_INVALID_KEY_BLOB;
653 
654     default:
655         LOG_E("Invalid keystore blob prefix value %d", keyType);
656         return KM_ERROR_INVALID_KEY_BLOB;
657     }
658 }
659 
is_km_compat_blob(const KeymasterKeyBlob & blob)660 bool is_km_compat_blob(const KeymasterKeyBlob& blob) {
661     return blob.size() >= kKeystoreKeyBlobPrefixSize &&
662            std::equal(kKeystoreKeyBlobMagic.begin(),
663                       kKeystoreKeyBlobMagic.end(), blob.begin());
664 }
665 
DeserializeKeyBlob(const KeymasterKeyBlob & blob) const666 KmErrorOr<DeserializedKey> TrustyKeymasterContext::DeserializeKeyBlob(
667         const KeymasterKeyBlob& blob) const {
668     if (is_km_compat_blob(blob)) {
669         return DeserializeKmCompatKeyBlob(blob);
670     } else {
671         return DeserializeAuthEncryptedBlob(blob);
672     }
673 }
674 
ParseKeyBlob(const KeymasterKeyBlob & blob,const AuthorizationSet & additional_params,UniquePtr<Key> * key) const675 keymaster_error_t TrustyKeymasterContext::ParseKeyBlob(
676         const KeymasterKeyBlob& blob,
677         const AuthorizationSet& additional_params,
678         UniquePtr<Key>* key) const {
679     keymaster_error_t error;
680 
681     if (!key) {
682         return KM_ERROR_UNEXPECTED_NULL_POINTER;
683     }
684 
685     KmErrorOr<DeserializedKey> deserialized_key = DeserializeKeyBlob(blob);
686     if (!deserialized_key) {
687         return deserialized_key.error();
688     }
689     LOG_D("Deserialized blob with format: %d",
690           deserialized_key->encrypted_key.format);
691 
692     KeymasterKeyBlob master_key;
693     error = DeriveMasterKey(&master_key, deserialized_key->encrypted_key);
694     if (error != KM_ERROR_OK) {
695         return error;
696     }
697 
698     AuthorizationSet hidden;
699     error = BuildHiddenAuthorizations(additional_params, &hidden);
700     if (error != KM_ERROR_OK) {
701         return error;
702     }
703 
704     SecureDeletionData sdd;
705     if (deserialized_key->encrypted_key.format ==
706                 AES_GCM_WITH_SECURE_DELETION ||
707         deserialized_key->encrypted_key.format ==
708                 AES_GCM_WITH_SECURE_DELETION_VERSIONED) {
709         // This key requires secure deletion data.
710         sdd = secure_deletion_secret_storage_.GetDataForKey(
711                 deserialized_key->key_slot);
712     }
713 
714     LOG_D("Decrypting blob with format: %d",
715           deserialized_key->encrypted_key.format);
716     KmErrorOr<KeymasterKeyBlob> key_material =
717             DecryptKey(*deserialized_key, hidden, sdd, master_key);
718     if (!key_material) {
719         return key_material.error();
720     }
721 
722     keymaster_algorithm_t algorithm;
723     if (!deserialized_key->hw_enforced.GetTagValue(TAG_ALGORITHM, &algorithm)) {
724         return KM_ERROR_INVALID_KEY_BLOB;
725     }
726 
727     auto factory = GetKeyFactory(algorithm);
728     error = factory->LoadKey(std::move(*key_material), additional_params,
729                              std::move(deserialized_key->hw_enforced),
730                              std::move(deserialized_key->sw_enforced), key);
731     if (key && key->get()) {
732         (*key)->set_secure_deletion_slot(deserialized_key->key_slot);
733     }
734 
735     return error;
736 }
737 
DeleteKey(const KeymasterKeyBlob & blob) const738 keymaster_error_t TrustyKeymasterContext::DeleteKey(
739         const KeymasterKeyBlob& blob) const {
740     KmErrorOr<DeserializedKey> deserialized_key = DeserializeKeyBlob(blob);
741     if (deserialized_key) {
742         LOG_D("Deserialized blob with format: %u",
743               deserialized_key->encrypted_key.format);
744         secure_deletion_secret_storage_.DeleteKey(deserialized_key->key_slot);
745     }
746 
747     return KM_ERROR_OK;
748 }
749 
DeleteAllKeys() const750 keymaster_error_t TrustyKeymasterContext::DeleteAllKeys() const {
751     secure_deletion_secret_storage_.DeleteAllKeys();
752     return KM_ERROR_OK;
753 }
754 
AddRngEntropy(const uint8_t * buf,size_t length) const755 keymaster_error_t TrustyKeymasterContext::AddRngEntropy(const uint8_t* buf,
756                                                         size_t length) const {
757     if (trusty_rng_add_entropy(buf, length) != 0)
758         return KM_ERROR_UNKNOWN_ERROR;
759     return KM_ERROR_OK;
760 }
761 
SeedRngIfNeeded() const762 bool TrustyKeymasterContext::SeedRngIfNeeded() const {
763     if (ShouldReseedRng())
764         const_cast<TrustyKeymasterContext*>(this)->ReseedRng();
765     return rng_initialized_;
766 }
767 
ShouldReseedRng() const768 bool TrustyKeymasterContext::ShouldReseedRng() const {
769     if (!rng_initialized_) {
770         LOG_I("RNG not initialized, reseed");
771         return true;
772     }
773 
774     if (++calls_since_reseed_ % kCallsBetweenRngReseeds == 0) {
775         LOG_I("Periodic reseed");
776         return true;
777     }
778     return false;
779 }
780 
ReseedRng()781 bool TrustyKeymasterContext::ReseedRng() {
782     uint8_t rand_seed[kRngReseedSize];
783     memset(rand_seed, 0, kRngReseedSize);
784     if (trusty_rng_hw_rand(rand_seed, kRngReseedSize) != 0) {
785         LOG_E("Failed to get bytes from HW RNG");
786         return false;
787     }
788     LOG_I("Reseeding with %d bytes from HW RNG", kRngReseedSize);
789     trusty_rng_add_entropy(rand_seed, kRngReseedSize);
790 
791     rng_initialized_ = true;
792     return true;
793 }
794 
795 // Gee wouldn't it be nice if the crypto service headers defined this.
796 enum DerivationParams {
797     DERIVATION_DATA_PARAM = 0,
798     OUTPUT_BUFFER_PARAM = 1,
799 };
800 
DeriveMasterKey(KeymasterKeyBlob * master_key,const EncryptedKey & enc_key) const801 keymaster_error_t TrustyKeymasterContext::DeriveMasterKey(
802         KeymasterKeyBlob* master_key,
803         const EncryptedKey& enc_key) const {
804     LOG_D("Deriving master key");
805 
806     long rc = hwkey_open();
807     if (rc < 0) {
808         return KM_ERROR_UNKNOWN_ERROR;
809     }
810 
811     hwkey_session_t session = (hwkey_session_t)rc;
812 
813     if (!master_key->Reset(kAesKeySize)) {
814         LOG_S("Could not allocate memory for master key buffer");
815         hwkey_close(session);
816         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
817     }
818 
819     if (enc_key.format < AES_GCM_WITH_SW_ENFORCED_VERSIONED) {
820         uint32_t kdf_version = HWKEY_KDF_VERSION_1;
821         rc = hwkey_derive(session, &kdf_version, kMasterKeyDerivationData,
822                           master_key->writable_data(), kAesKeySize);
823         if (rc < 0) {
824             LOG_S("Error deriving legacy master key: %ld", rc);
825             hwkey_close(session);
826             return KM_ERROR_UNKNOWN_ERROR;
827         }
828     } else {
829         struct hwkey_versioned_key_options opt = {
830                 .kdf_version = enc_key.kdf_version,
831                 .shared_key = false,
832                 .rollback_version_source = HWKEY_ROLLBACK_COMMITTED_VERSION,
833                 .os_rollback_version = enc_key.addl_info,
834                 .context = kMasterKeyDerivationData,
835                 .context_len = sizeof(kMasterKeyDerivationData),
836                 .key = master_key->writable_data(),
837                 .key_len = kAesKeySize,
838         };
839         rc = hwkey_derive_versioned(session, &opt);
840         if (rc < 0) {
841             LOG_S("Error deriving versioned master key: %ld", rc);
842             hwkey_close(session);
843             return KM_ERROR_UNKNOWN_ERROR;
844         }
845     }
846 
847     hwkey_close(session);
848     LOG_D("Key derivation complete");
849     return KM_ERROR_OK;
850 }
851 
InitializeAuthTokenKey()852 bool TrustyKeymasterContext::InitializeAuthTokenKey() {
853     if (auth_token_key_initialized_)
854         return true;
855 
856     keymaster_key_blob_t key;
857     key.key_material = auth_token_key_;
858     key.key_material_size = kAuthTokenKeySize;
859     keymaster_error_t error = enforcement_policy_.GetHmacKey(&key);
860     if (error == KM_ERROR_OK)
861         auth_token_key_initialized_ = true;
862     else
863         auth_token_key_initialized_ = false;
864 
865     return auth_token_key_initialized_;
866 }
867 
GetAuthTokenKey(keymaster_key_blob_t * key) const868 keymaster_error_t TrustyKeymasterContext::GetAuthTokenKey(
869         keymaster_key_blob_t* key) const {
870     if (!auth_token_key_initialized_ &&
871         !const_cast<TrustyKeymasterContext*>(this)->InitializeAuthTokenKey())
872         return KM_ERROR_UNKNOWN_ERROR;
873 
874     key->key_material = auth_token_key_;
875     key->key_material_size = kAuthTokenKeySize;
876     return KM_ERROR_OK;
877 }
878 
SetSystemVersion(uint32_t os_version,uint32_t os_patchlevel)879 keymaster_error_t TrustyKeymasterContext::SetSystemVersion(
880         uint32_t os_version,
881         uint32_t os_patchlevel) {
882     if (!version_info_set_) {
883         // Note that version info is now set by Configure, rather than by the
884         // bootloader.  This is to ensure that system-only updates can be done,
885         // to avoid breaking Project Treble.
886         boot_params_.boot_os_version = os_version;
887         boot_params_.boot_os_patchlevel = os_patchlevel;
888         version_info_set_ = true;
889     }
890 
891 #ifdef KEYMASTER_DEBUG
892     Buffer fake_root_of_trust("000111222333444555666777888999000", 32);
893     Buffer verified_boot_hash_none;
894     if (!root_of_trust_set_) {
895         /* Sets bootloader parameters to what is expected on a 'good' device,
896          * will pass attestation CTS tests. FOR DEBUGGING ONLY.
897          */
898         SetBootParams(os_version, os_patchlevel, fake_root_of_trust,
899                       KM_VERIFIED_BOOT_VERIFIED, true, verified_boot_hash_none);
900     }
901 #endif
902 
903     return KM_ERROR_OK;
904 }
905 
GetSystemVersion(uint32_t * os_version,uint32_t * os_patchlevel) const906 void TrustyKeymasterContext::GetSystemVersion(uint32_t* os_version,
907                                               uint32_t* os_patchlevel) const {
908     *os_version = boot_params_.boot_os_version;
909     *os_patchlevel = boot_params_.boot_os_patchlevel;
910 }
911 
912 const AttestationContext::VerifiedBootParams*
GetVerifiedBootParams(keymaster_error_t * error) const913 TrustyKeymasterContext::GetVerifiedBootParams(keymaster_error_t* error) const {
914     VerifiedBootParams& vb_parms =
915             const_cast<VerifiedBootParams&>(verified_boot_params_);
916 
917     if (boot_params_.verified_boot_key.buffer_size() == 0) {
918         // If an empty verified boot key was passed by the boot loader, set the
919         // verfified boot key in attestation parameters to 32 bytes of all
920         // zeros.
921         vb_parms.verified_boot_key = {allZerosOrHashOfVerifiedBootKey,
922                                       sizeof(allZerosOrHashOfVerifiedBootKey)};
923     } else if (boot_params_.verified_boot_key.buffer_size() > 0 &&
924                boot_params_.verified_boot_key.buffer_size() <= 32) {
925         vb_parms.verified_boot_key = {
926                 boot_params_.verified_boot_key.begin(),
927                 boot_params_.verified_boot_key.buffer_size()};
928     } else if (boot_params_.verified_boot_key.buffer_size() > 32) {
929         // If the verified boot key itself was passed by the boot loader, set
930         // SHA-256 hash of it to the verified boot key parameter of the
931         // attetation information.
932         vb_parms.verified_boot_key = {
933                 SHA256(boot_params_.verified_boot_key.begin(),
934                        boot_params_.verified_boot_key.buffer_size(),
935                        allZerosOrHashOfVerifiedBootKey),
936                 SHA256_DIGEST_LENGTH};
937     }
938 
939     vb_parms.verified_boot_hash = {
940             boot_params_.verified_boot_hash.begin(),
941             boot_params_.verified_boot_hash.buffer_size()};
942     vb_parms.verified_boot_state = boot_params_.verified_boot_state;
943     vb_parms.device_locked = boot_params_.device_locked;
944 
945     *error = KM_ERROR_OK;
946     return &verified_boot_params_;
947 }
948 
949 #define PROTO_BYTES_DOES_NOT_MATCH_BLOB(blob, proto) \
950     ((blob).data_length != (proto).size) ||          \
951             (memcmp((blob).data, (proto).bytes, (proto).size) != 0)
952 
VerifyAndCopyDeviceIds(const AuthorizationSet & attestation_params,AuthorizationSet * values_to_attest) const953 keymaster_error_t TrustyKeymasterContext::VerifyAndCopyDeviceIds(
954         const AuthorizationSet& attestation_params,
955         AuthorizationSet* values_to_attest) const {
956     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
957     if (ss_manager == nullptr) {
958         LOG_E("Failed to open secure storage session.");
959         return KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
960     }
961 
962     AttestationIds ids;
963     auto err = ss_manager->ReadAttestationIds(&ids);
964     if (err != KM_ERROR_OK) {
965         return err;
966     }
967 
968     bool found_mismatch = false;
969     for (auto& entry : attestation_params) {
970         switch (entry.tag) {
971         case KM_TAG_ATTESTATION_ID_BRAND:
972             found_mismatch |=
973                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.brand);
974             values_to_attest->push_back(entry);
975             break;
976 
977         case KM_TAG_ATTESTATION_ID_DEVICE:
978             found_mismatch |=
979                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.device);
980             values_to_attest->push_back(entry);
981             break;
982 
983         case KM_TAG_ATTESTATION_ID_PRODUCT:
984             found_mismatch |=
985                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.product);
986             values_to_attest->push_back(entry);
987             break;
988 
989         case KM_TAG_ATTESTATION_ID_SERIAL:
990             found_mismatch |=
991                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.serial);
992             values_to_attest->push_back(entry);
993             break;
994 
995         case KM_TAG_ATTESTATION_ID_IMEI:
996             found_mismatch |=
997                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.imei);
998             values_to_attest->push_back(entry);
999             break;
1000 
1001         case KM_TAG_ATTESTATION_ID_SECOND_IMEI: {
1002             // Validate directly against storage if it is present.
1003             if (ids.second_imei.size > 0) {
1004                 found_mismatch |= PROTO_BYTES_DOES_NOT_MATCH_BLOB(
1005                         entry.blob, ids.second_imei);
1006                 values_to_attest->push_back(entry);
1007             } else {
1008 #ifndef KEYMASTER_NO_AUTO_SECOND_IMEI
1009                 // Typically dual-SIM devices ship with two sequential IMEIs.
1010                 // As the second IMEI was not provisioned to the KeyMint
1011                 // instance, it is still possible to attest to the second IMEI
1012                 // by validating that the second IMEI is the one after the first
1013                 // IMEI, which was provisoned to the KeyMint instance.
1014                 std::string imei_str(
1015                         reinterpret_cast<const char*>(ids.imei.bytes),
1016                         ids.imei.size);
1017 
1018                 long imei_numeric = strtol(imei_str.c_str(), NULL, 10);
1019                 bool second_imei_mismatch =
1020                         !validate_second_imei(entry.blob, imei_numeric);
1021                 if (second_imei_mismatch) {
1022                     LOG_E("Mismatch in second IMEI.");
1023                 }
1024                 found_mismatch |= second_imei_mismatch;
1025                 values_to_attest->push_back(entry);
1026 #endif
1027             }
1028         } break;
1029 
1030         case KM_TAG_ATTESTATION_ID_MEID:
1031             found_mismatch |=
1032                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.meid);
1033             values_to_attest->push_back(entry);
1034             break;
1035 
1036         case KM_TAG_ATTESTATION_ID_MANUFACTURER:
1037             found_mismatch |= PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob,
1038                                                               ids.manufacturer);
1039             values_to_attest->push_back(entry);
1040             break;
1041 
1042         case KM_TAG_ATTESTATION_ID_MODEL:
1043             found_mismatch |=
1044                     PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.model);
1045             values_to_attest->push_back(entry);
1046             break;
1047 
1048         default:
1049             // Ignore non-ID tags.
1050             break;
1051         }
1052     }
1053 
1054     if (found_mismatch) {
1055         values_to_attest->Clear();
1056         return KM_ERROR_CANNOT_ATTEST_IDS;
1057     }
1058 
1059     return KM_ERROR_OK;
1060 }
1061 
GenerateUniqueId(uint64_t creation_date_time,const keymaster_blob_t & application_id,bool reset_since_rotation,keymaster_error_t * error) const1062 Buffer TrustyKeymasterContext::GenerateUniqueId(
1063         uint64_t creation_date_time,
1064         const keymaster_blob_t& application_id,
1065         bool reset_since_rotation,
1066         keymaster_error_t* error) const {
1067     if (unique_id_hbk_.empty()) {
1068         KeymasterKeyBlob hbk;
1069         keymaster_error_t derive_error =
1070                 enforcement_policy_.GetUniqueIdKey(&hbk);
1071         if (derive_error != KM_ERROR_OK) {
1072             LOG_E("Failed to derive unique ID HBK: %d", derive_error);
1073             *error = derive_error;
1074             return {};
1075         }
1076         unique_id_hbk_ = std::vector(hbk.begin(), hbk.end());
1077     }
1078 
1079     Buffer unique_id;
1080     *error = keymaster::generate_unique_id(unique_id_hbk_, creation_date_time,
1081                                            application_id, reset_since_rotation,
1082                                            &unique_id);
1083     return unique_id;
1084 }
1085 
GetAttestationKey(keymaster_algorithm_t algorithm,keymaster_error_t * error) const1086 KeymasterKeyBlob TrustyKeymasterContext::GetAttestationKey(
1087         keymaster_algorithm_t algorithm,
1088         keymaster_error_t* error) const {
1089     AttestationKeySlot key_slot;
1090 
1091     switch (algorithm) {
1092     case KM_ALGORITHM_RSA:
1093         key_slot = AttestationKeySlot::kRsa;
1094         break;
1095 
1096     case KM_ALGORITHM_EC:
1097         key_slot = AttestationKeySlot::kEcdsa;
1098         break;
1099 
1100     default:
1101         *error = KM_ERROR_UNSUPPORTED_ALGORITHM;
1102         return {};
1103     }
1104 
1105     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
1106     if (ss_manager == nullptr) {
1107         LOG_E("Failed to open secure storage session.");
1108         *error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
1109         return {};
1110     }
1111     auto result = ss_manager->ReadKeyFromStorage(key_slot, error);
1112 #if KEYMASTER_SOFT_ATTESTATION_FALLBACK
1113     if (*error != KM_ERROR_OK) {
1114         LOG_I("Failed to read attestation key from RPMB, falling back to test key");
1115         auto key = getAttestationKey(algorithm, error);
1116         if (*error != KM_ERROR_OK) {
1117             LOG_D("Software attestation key missing: %d", *error);
1118             return {};
1119         }
1120         result = KeymasterKeyBlob(*key);
1121         if (!result.key_material)
1122             *error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
1123     }
1124 #endif
1125     return result;
1126 }
1127 
GetAttestationChain(keymaster_algorithm_t algorithm,keymaster_error_t * error) const1128 CertificateChain TrustyKeymasterContext::GetAttestationChain(
1129         keymaster_algorithm_t algorithm,
1130         keymaster_error_t* error) const {
1131     AttestationKeySlot key_slot;
1132     switch (algorithm) {
1133     case KM_ALGORITHM_RSA:
1134         key_slot = AttestationKeySlot::kRsa;
1135         break;
1136     case KM_ALGORITHM_EC:
1137         key_slot = AttestationKeySlot::kEcdsa;
1138         break;
1139     default:
1140         *error = KM_ERROR_UNSUPPORTED_ALGORITHM;
1141         return {};
1142     }
1143 
1144     CertificateChain chain;
1145     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
1146     if (ss_manager == nullptr) {
1147         LOG_E("Failed to open secure storage session.");
1148         *error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
1149     } else {
1150         *error = ss_manager->ReadCertChainFromStorage(key_slot, &chain);
1151     }
1152 #if KEYMASTER_SOFT_ATTESTATION_FALLBACK
1153     if ((*error != KM_ERROR_OK) || (chain.entry_count == 0)) {
1154         LOG_I("Failed to read attestation chain from RPMB, falling back to test chain");
1155         chain = getAttestationChain(algorithm, error);
1156     }
1157 #endif
1158     return chain;
1159 }
1160 
GenerateAttestation(const Key & key,const AuthorizationSet & attest_params,UniquePtr<Key> attest_key,const KeymasterBlob & issuer_subject,keymaster_error_t * error) const1161 CertificateChain TrustyKeymasterContext::GenerateAttestation(
1162         const Key& key,
1163         const AuthorizationSet& attest_params,
1164         UniquePtr<Key> attest_key,
1165         const KeymasterBlob& issuer_subject,
1166         keymaster_error_t* error) const {
1167     *error = KM_ERROR_OK;
1168     keymaster_algorithm_t key_algorithm;
1169     if (!key.authorizations().GetTagValue(TAG_ALGORITHM, &key_algorithm)) {
1170         *error = KM_ERROR_UNKNOWN_ERROR;
1171         return {};
1172     }
1173 
1174     if ((key_algorithm != KM_ALGORITHM_RSA &&
1175          key_algorithm != KM_ALGORITHM_EC)) {
1176         *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
1177         return {};
1178     }
1179 
1180     // We have established that the given key has the correct algorithm, and
1181     // because this is the TrustyKeymasterContext we can assume that the Key is
1182     // an AsymmetricKey. So we can downcast.
1183     const AsymmetricKey& asymmetric_key =
1184             static_cast<const AsymmetricKey&>(key);
1185 
1186     AttestKeyInfo attest_key_info(attest_key, &issuer_subject, error);
1187     if (*error != KM_ERROR_OK) {
1188         return {};
1189     }
1190 
1191     return generate_attestation(asymmetric_key, attest_params,
1192                                 std::move(attest_key_info), *this, error);
1193 }
1194 
GenerateSelfSignedCertificate(const Key & key,const AuthorizationSet & cert_params,bool fake_signature,keymaster_error_t * error) const1195 CertificateChain TrustyKeymasterContext::GenerateSelfSignedCertificate(
1196         const Key& key,
1197         const AuthorizationSet& cert_params,
1198         bool fake_signature,
1199         keymaster_error_t* error) const {
1200     keymaster_algorithm_t key_algorithm;
1201     if (!key.authorizations().GetTagValue(TAG_ALGORITHM, &key_algorithm)) {
1202         *error = KM_ERROR_UNKNOWN_ERROR;
1203         return {};
1204     }
1205 
1206     if ((key_algorithm != KM_ALGORITHM_RSA &&
1207          key_algorithm != KM_ALGORITHM_EC)) {
1208         *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
1209         return {};
1210     }
1211 
1212     const AsymmetricKey& asymmetric_key =
1213             static_cast<const AsymmetricKey&>(key);
1214 
1215     return generate_self_signed_cert(asymmetric_key, cert_params,
1216                                      fake_signature, error);
1217 }
1218 
SetBootParams(uint32_t,uint32_t,const Buffer & verified_boot_key,keymaster_verified_boot_t verified_boot_state,bool device_locked,const Buffer & verified_boot_hash)1219 keymaster_error_t TrustyKeymasterContext::SetBootParams(
1220         uint32_t /* os_version */,
1221         uint32_t /* os_patchlevel */,
1222         const Buffer& verified_boot_key,
1223         keymaster_verified_boot_t verified_boot_state,
1224         bool device_locked,
1225         const Buffer& verified_boot_hash) {
1226     if (root_of_trust_set_)
1227         return KM_ERROR_ROOT_OF_TRUST_ALREADY_SET;
1228     boot_params_.verified_boot_hash.Reinitialize(verified_boot_hash);
1229     root_of_trust_set_ = true;
1230     boot_params_.verified_boot_state = verified_boot_state;
1231     boot_params_.device_locked = device_locked;
1232     boot_params_.verified_boot_key.Reinitialize("", 0);
1233 
1234     if (verified_boot_key.buffer_size()) {
1235         boot_params_.verified_boot_key.Reinitialize(verified_boot_key);
1236     } else {
1237         // If no boot key was passed, default to unverified/unlocked
1238         boot_params_.verified_boot_state = KM_VERIFIED_BOOT_UNVERIFIED;
1239     }
1240 
1241     if ((verified_boot_state != KM_VERIFIED_BOOT_VERIFIED) &&
1242         (verified_boot_state != KM_VERIFIED_BOOT_SELF_SIGNED)) {
1243         // If the device image was not verified or self signed, it cannot be
1244         // locked
1245         boot_params_.device_locked = false;
1246     }
1247 
1248     trusty_remote_provisioning_context_->SetBootParams(&boot_params_);
1249 
1250     return KM_ERROR_OK;
1251 }
1252 
1253 // Mostly adapted from pure_soft_keymaster_context.cpp
UnwrapKey(const KeymasterKeyBlob & wrapped_key_blob,const KeymasterKeyBlob & wrapping_key_blob,const AuthorizationSet & wrapping_key_params,const KeymasterKeyBlob & masking_key,AuthorizationSet * wrapped_key_params,keymaster_key_format_t * wrapped_key_format,KeymasterKeyBlob * wrapped_key_material) const1254 keymaster_error_t TrustyKeymasterContext::UnwrapKey(
1255         const KeymasterKeyBlob& wrapped_key_blob,
1256         const KeymasterKeyBlob& wrapping_key_blob,
1257         const AuthorizationSet& wrapping_key_params,
1258         const KeymasterKeyBlob& masking_key,
1259         AuthorizationSet* wrapped_key_params,
1260         keymaster_key_format_t* wrapped_key_format,
1261         KeymasterKeyBlob* wrapped_key_material) const {
1262     LOG_D("UnwrapKey:0");
1263 
1264     keymaster_error_t error = KM_ERROR_OK;
1265 
1266     if (wrapped_key_material == NULL) {
1267         return KM_ERROR_UNEXPECTED_NULL_POINTER;
1268     }
1269 
1270     LOG_D("UnwrapKey:1");
1271     // Step 1 from IKeymasterDevice.hal file spec
1272     // Parse wrapping key
1273     UniquePtr<Key> wrapping_key;
1274     error = ParseKeyBlob(wrapping_key_blob, wrapping_key_params, &wrapping_key);
1275     if (error != KM_ERROR_OK) {
1276         LOG_E("Failed to parse wrapping key");
1277         return error;
1278     }
1279 
1280     AuthProxy wrapping_key_auths(wrapping_key->hw_enforced(),
1281                                  wrapping_key->sw_enforced());
1282 
1283     // Check Wrapping Key Purpose
1284     if (!wrapping_key_auths.Contains(TAG_PURPOSE, KM_PURPOSE_WRAP)) {
1285         LOG_E("Wrapping key did not have KM_PURPOSE_WRAP");
1286         return KM_ERROR_INCOMPATIBLE_PURPOSE;
1287     }
1288 
1289     // Check Padding mode is RSA_OAEP and digest is SHA_2_256 (spec
1290     // mandated)
1291     if (!wrapping_key_auths.Contains(TAG_DIGEST, KM_DIGEST_SHA_2_256)) {
1292         LOG_E("Wrapping key lacks authorization for SHA2-256");
1293         return KM_ERROR_INCOMPATIBLE_DIGEST;
1294     }
1295     if (!wrapping_key_auths.Contains(TAG_PADDING, KM_PAD_RSA_OAEP)) {
1296         LOG_E("Wrapping key lacks authorization for padding OAEP");
1297         return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
1298     }
1299 
1300     // Check that that was also the padding mode and digest specified
1301     if (!wrapping_key_params.Contains(TAG_DIGEST, KM_DIGEST_SHA_2_256)) {
1302         LOG_E("Wrapping key must use SHA2-256");
1303         return KM_ERROR_INCOMPATIBLE_DIGEST;
1304     }
1305     if (!wrapping_key_params.Contains(TAG_PADDING, KM_PAD_RSA_OAEP)) {
1306         LOG_E("Wrapping key must use OAEP padding");
1307         return KM_ERROR_INCOMPATIBLE_PADDING_MODE;
1308     }
1309 
1310     LOG_D("UnwrapKey:2");
1311     // Step 2 from IKeymasterDevice.hal spec
1312     // Parse wrapped key
1313     KeymasterBlob iv;
1314     KeymasterKeyBlob transit_key;
1315     KeymasterKeyBlob secure_key;
1316     KeymasterBlob tag;
1317     KeymasterBlob wrapped_key_description;
1318     error = parse_wrapped_key(wrapped_key_blob, &iv, &transit_key, &secure_key,
1319                               &tag, wrapped_key_params, wrapped_key_format,
1320                               &wrapped_key_description);
1321     if (error != KM_ERROR_OK) {
1322         return error;
1323     }
1324 
1325     // Decrypt encryptedTransportKey (transit_key) with wrapping_key
1326     auto operation_factory = wrapping_key->key_factory()->GetOperationFactory(
1327             KM_PURPOSE_DECRYPT);
1328     if (operation_factory == NULL) {
1329         return KM_ERROR_UNKNOWN_ERROR;
1330     }
1331 
1332     AuthorizationSet out_params;
1333     OperationPtr operation(operation_factory->CreateOperation(
1334             std::move(*wrapping_key), wrapping_key_params, &error));
1335     if ((operation.get() == NULL) || (error != KM_ERROR_OK)) {
1336         return error;
1337     }
1338 
1339     error = operation->Begin(wrapping_key_params, &out_params);
1340     if (error != KM_ERROR_OK) {
1341         return error;
1342     }
1343 
1344     Buffer input;
1345     Buffer output;
1346     // Explicitly reinitialize rather than constructing in order to report
1347     // allocation failure.
1348     if (!input.Reinitialize(transit_key.key_material,
1349                             transit_key.key_material_size)) {
1350         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1351     }
1352 
1353     error = operation->Finish(wrapping_key_params, input,
1354                               Buffer() /* signature */, &out_params, &output);
1355     if (error != KM_ERROR_OK) {
1356         return error;
1357     }
1358 
1359     KeymasterKeyBlob transport_key = {
1360             output.peek_read(),
1361             output.available_read(),
1362     };
1363 
1364     LOG_D("UnwrapKey:3");
1365     // Step 3 of IKeymasterDevice.hal
1366     // XOR the transit key with the masking key
1367     if (transport_key.key_material_size != masking_key.key_material_size) {
1368         return KM_ERROR_INVALID_ARGUMENT;
1369     }
1370     for (size_t i = 0; i < transport_key.key_material_size; i++) {
1371         transport_key.writable_data()[i] ^= masking_key.key_material[i];
1372     }
1373 
1374     LOG_D("UnwrapKey:4");
1375     // Step 4 of IKeymasterDevice.hal
1376     // transit_key_authorizations is defined by spec
1377     // TODO the mac len is NOT in the spec, but probably should be
1378     auto transport_key_authorizations =
1379             AuthorizationSetBuilder()
1380                     .AesEncryptionKey(256)
1381                     .Padding(KM_PAD_NONE)
1382                     .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
1383                     .Authorization(TAG_NONCE, iv)
1384                     .Authorization(TAG_MIN_MAC_LENGTH, 128)
1385                     .build();
1386     auto validity = transport_key_authorizations.is_valid();
1387     if (validity != AuthorizationSet::Error::OK) {
1388         return TranslateAuthorizationSetError(validity);
1389     }
1390 
1391     // gcm_params is also defined by spec
1392     // TODO same problem with mac len not being specced
1393     auto gcm_params = AuthorizationSetBuilder()
1394                               .Padding(KM_PAD_NONE)
1395                               .Authorization(TAG_BLOCK_MODE, KM_MODE_GCM)
1396                               .Authorization(TAG_NONCE, iv)
1397                               .Authorization(TAG_MAC_LENGTH, 128)
1398                               .build();
1399     validity = gcm_params.is_valid();
1400     if (validity != AuthorizationSet::Error::OK) {
1401         return TranslateAuthorizationSetError(validity);
1402     }
1403 
1404     auto aes_factory = GetKeyFactory(KM_ALGORITHM_AES);
1405     if (aes_factory == NULL) {
1406         return KM_ERROR_UNKNOWN_ERROR;
1407     }
1408 
1409     UniquePtr<Key> aes_transport_key;
1410     error = aes_factory->LoadKey(std::move(transport_key), gcm_params,
1411                                  std::move(transport_key_authorizations),
1412                                  AuthorizationSet(), &aes_transport_key);
1413     if (error != KM_ERROR_OK) {
1414         return error;
1415     }
1416 
1417     auto aes_operation_factory =
1418             GetOperationFactory(KM_ALGORITHM_AES, KM_PURPOSE_DECRYPT);
1419     if (aes_operation_factory == NULL) {
1420         return KM_ERROR_UNKNOWN_ERROR;
1421     }
1422 
1423     OperationPtr aes_operation(aes_operation_factory->CreateOperation(
1424             std::move(*aes_transport_key), gcm_params, &error));
1425     if ((aes_operation.get() == NULL) || (error != KM_ERROR_OK)) {
1426         return error;
1427     }
1428 
1429     error = aes_operation->Begin(gcm_params, &out_params);
1430     if (error != KM_ERROR_OK) {
1431         return error;
1432     }
1433 
1434     size_t update_consumed = 0;
1435     AuthorizationSet update_outparams;
1436 
1437     Buffer encrypted_key;
1438     Buffer plaintext_key;
1439 
1440     // Separate initialization to catch memory errors
1441     size_t total_key_size = secure_key.key_material_size + tag.data_length;
1442     if (!plaintext_key.Reinitialize(total_key_size)) {
1443         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1444     }
1445     if (!encrypted_key.Reinitialize(total_key_size)) {
1446         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1447     }
1448 
1449     // Concatenate key data
1450     if (!encrypted_key.write(secure_key.key_material,
1451                              secure_key.key_material_size)) {
1452         return KM_ERROR_UNKNOWN_ERROR;
1453     }
1454     if (!encrypted_key.write(tag.data, tag.data_length)) {
1455         return KM_ERROR_UNKNOWN_ERROR;
1456     }
1457 
1458     auto update_params =
1459             AuthorizationSetBuilder()
1460                     .Authorization(TAG_ASSOCIATED_DATA,
1461                                    wrapped_key_description.data,
1462                                    wrapped_key_description.data_length)
1463                     .build();
1464     validity = update_params.is_valid();
1465     if (validity != AuthorizationSet::Error::OK) {
1466         return TranslateAuthorizationSetError(validity);
1467     }
1468 
1469     error = aes_operation->Update(update_params, encrypted_key,
1470                                   &update_outparams, &plaintext_key,
1471                                   &update_consumed);
1472     if (error != KM_ERROR_OK) {
1473         return error;
1474     }
1475 
1476     AuthorizationSet finish_params;
1477     AuthorizationSet finish_out_params;
1478     Buffer finish_input;
1479     error = aes_operation->Finish(finish_params, finish_input,
1480                                   Buffer() /* signature */, &finish_out_params,
1481                                   &plaintext_key);
1482     if (error != KM_ERROR_OK) {
1483         return error;
1484     }
1485 
1486     *wrapped_key_material = {plaintext_key.peek_read(),
1487                              plaintext_key.available_read()};
1488 
1489     if (!wrapped_key_material->key_material && plaintext_key.peek_read()) {
1490         return KM_ERROR_MEMORY_ALLOCATION_FAILED;
1491     }
1492 
1493     LOG_D("UnwrapKey:Done");
1494     return error;
1495 }
1496 
CheckConfirmationToken(const uint8_t * input_data,size_t input_data_size,const uint8_t confirmation_token[kConfirmationTokenSize]) const1497 keymaster_error_t TrustyKeymasterContext::CheckConfirmationToken(
1498         const uint8_t* input_data,
1499         size_t input_data_size,
1500         const uint8_t confirmation_token[kConfirmationTokenSize]) const {
1501     // Note: ConfirmationUI is using the same secret key as auth tokens, the
1502     // difference is that messages are prefixed using the message tag
1503     // "confirmation token".
1504     keymaster_key_blob_t auth_token_key;
1505     keymaster_error_t error = GetAuthTokenKey(&auth_token_key);
1506     if (error != KM_ERROR_OK) {
1507         return error;
1508     }
1509 
1510     uint8_t computed_hash[EVP_MAX_MD_SIZE];
1511     unsigned int computed_hash_length;
1512     if (!HMAC(EVP_sha256(), auth_token_key.key_material,
1513               auth_token_key.key_material_size, input_data, input_data_size,
1514               computed_hash, &computed_hash_length)) {
1515         return KM_ERROR_UNKNOWN_ERROR;
1516     }
1517 
1518     if (computed_hash_length != kConfirmationTokenSize ||
1519         memcmp_s(computed_hash, confirmation_token, kConfirmationTokenSize) !=
1520                 0) {
1521         return KM_ERROR_NO_USER_CONFIRMATION;
1522     }
1523 
1524     return KM_ERROR_OK;
1525 }
1526 
GetDeviceIds() const1527 std::unique_ptr<cppbor::Map> TrustyKeymasterContext::GetDeviceIds() const {
1528     // Use the most up to date version of device info, back compat is
1529     // unnecessary here.
1530     return trusty_remote_provisioning_context_->CreateDeviceInfo(
1531             3 /* csrVersion */);
1532 }
1533 
1534 }  // namespace keymaster
1535