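//
// Copyright (C) 2020 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

#pragma once

// Standard headers for every std:: name used below, so this header does not
// depend on transitive includes from the keymaster headers.
#include <cstddef>
#include <cstdint>
#include <map>
#include <memory>
#include <optional>
#include <string>
#include <string_view>
#include <vector>

#include <keymaster/keymaster_context.h>
#include <keymaster/km_openssl/attestation_record.h>

#include "tpm_attestation_record.h"

namespace cuttlefish {

class TpmAttestationRecordContext;
class TpmResourceManager;
class TpmKeyBlobMaker;
class TpmRandomSource;
class TpmRemoteProvisioningContext;

/**
 * Implementation of KeymasterContext that wraps its keys with a TPM.
 *
 * See the parent class for details:
 * https://cs.android.com/android/platform/superproject/+/master:system/keymaster/include/keymaster/keymaster_context.h;drc=821acb74d7febb886a9b7cefee4ee3df4cc8c556
 *
 * Ownership: the resource manager and the enforcement policy are held by
 * reference and are not owned here, so both must outlive this context. The
 * key blob maker, random source, attestation context, remote provisioning
 * context and key factories are owned through std::unique_ptr.
 */
class TpmKeymasterContext : public keymaster::KeymasterContext {
 private:
  // Borrowed, not owned: the caller keeps these alive for the lifetime of
  // this object.
  TpmResourceManager& resource_manager_;
  keymaster::KeymasterEnforcement& enforcement_;

  // Owned helpers. Their types are only forward-declared in this header
  // (TpmAttestationRecordContext is presumably completed by
  // tpm_attestation_record.h, since inline members below call into it).
  std::unique_ptr<TpmKeyBlobMaker> key_blob_maker_;
  std::unique_ptr<TpmRandomSource> random_source_;
  std::unique_ptr<TpmAttestationRecordContext> attestation_context_;
  std::unique_ptr<TpmRemoteProvisioningContext> remote_provisioning_context_;
  std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>>
      key_factories_;
  std::vector<keymaster_algorithm_t> supported_algorithms_;

  // NOTE(review): no in-class initializers; these two are indeterminate
  // unless the constructor sets them — confirm in the .cpp.
  uint32_t os_version_;
  uint32_t os_patchlevel_;

  // Optional state: each may hold no value. Presumably filled in by the
  // matching Set* call — confirm in the .cpp.
  std::optional<uint32_t> vendor_patchlevel_;
  std::optional<uint32_t> boot_patchlevel_;
  std::optional<std::string> bootloader_state_;
  std::optional<std::string> verified_boot_state_;
  std::optional<std::vector<uint8_t>> vbmeta_digest_;

 public:
  /**
   * Binds the context to a TPM resource manager and an enforcement policy.
   * Both are stored as references; neither is copied nor owned.
   */
  TpmKeymasterContext(TpmResourceManager&, keymaster::KeymasterEnforcement&);

  // NOTE(review): defaulted inline while several unique_ptr members point at
  // forward-declared types; any translation unit that instantiates this
  // destructor needs those types to be complete.
  ~TpmKeymasterContext() = default;

  /**
   * Forwards to the attestation context's GetKmVersion().
   * attestation_context_ is dereferenced without a null check; this assumes
   * the constructor always creates it — confirm in the .cpp.
   */
  keymaster::KmVersion GetKmVersion() const override {
    return attestation_context_->GetKmVersion();
  }

  keymaster_error_t SetSystemVersion(uint32_t os_version,
                                     uint32_t os_patchlevel) override;
  // Out-parameters are raw pointers; whether null is tolerated is decided by
  // the out-of-line definition.
  void GetSystemVersion(uint32_t* os_version,
                        uint32_t* os_patchlevel) const override;

  const keymaster::KeyFactory* GetKeyFactory(
      keymaster_algorithm_t algorithm) const override;
  keymaster::OperationFactory* GetOperationFactory(
      keymaster_algorithm_t algorithm,
      keymaster_purpose_t purpose) const override;
  // Returns a raw pointer plus a count through algorithms_count.
  // NOTE(review): presumably points into supported_algorithms_, in which
  // case it is valid only while this context is alive — confirm.
  const keymaster_algorithm_t* GetSupportedAlgorithms(
      size_t* algorithms_count) const override;

  keymaster_error_t UpgradeKeyBlob(
      const keymaster::KeymasterKeyBlob& key_to_upgrade,
      const keymaster::AuthorizationSet& upgrade_params,
      keymaster::KeymasterKeyBlob* upgraded_key) const override;

  keymaster_error_t ParseKeyBlob(
      const keymaster::KeymasterKeyBlob& blob,
      const keymaster::AuthorizationSet& additional_params,
      keymaster::UniquePtr<keymaster::Key>* key) const override;

  // Takes a raw (pointer, length) pair; the caller is responsible for
  // `length` matching the buffer behind `buf`.
  keymaster_error_t AddRngEntropy(const uint8_t* buf,
                                  size_t length) const override;

  keymaster::KeymasterEnforcement* enforcement_policy() override;

  /**
   * Returns a non-owning pointer to the attestation context held by this
   * object. The pointee is destroyed together with this context, so callers
   * must not keep the pointer past that point.
   */
  keymaster::AttestationContext* attestation_context() override {
    return attestation_context_.get();
  }

  // Takes ownership of attest_key (passed by value as a UniquePtr) and has
  // an out-parameter `error` for the status.
  keymaster::CertificateChain GenerateAttestation(
      const keymaster::Key& key,
      const keymaster::AuthorizationSet& attest_params,
      keymaster::UniquePtr<keymaster::Key> attest_key,
      const keymaster::KeymasterBlob& issuer_subject,
      keymaster_error_t* error) const override;

  // NOTE(review): the meaning of fake_signature is defined by the parent
  // interface; a certificate produced with it set should presumably not be
  // treated as carrying a real signature — confirm against the parent
  // header.
  keymaster::CertificateChain GenerateSelfSignedCertificate(
      const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params,
      bool fake_signature, keymaster_error_t* error) const override;

  keymaster_error_t UnwrapKey(
      const keymaster::KeymasterKeyBlob& wrapped_key_blob,
      const keymaster::KeymasterKeyBlob& wrapping_key_blob,
      const keymaster::AuthorizationSet& wrapping_key_params,
      const keymaster::KeymasterKeyBlob& masking_key,
      keymaster::AuthorizationSet* wrapped_key_params,
      keymaster_key_format_t* wrapped_key_format,
      keymaster::KeymasterKeyBlob* wrapped_key_material) const override;

  /**
   * Checks a confirmation token against input_data.
   *
   * The array bound on confirmation_token is documentation only: the
   * parameter decays to `const uint8_t*`, so the compiler does not check the
   * size of the caller's buffer. Callers must pass at least
   * keymaster::kConfirmationTokenSize bytes.
   *
   * NOTE(review): unlike its neighbours this is declared without `override`.
   * If it is meant to override a virtual in keymaster::KeymasterContext,
   * adding `override` would turn a signature drift into a compile error
   * instead of silently leaving the base implementation in place — confirm
   * against the parent header.
   */
  keymaster_error_t CheckConfirmationToken(
      const std::uint8_t* input_data, size_t input_data_size,
      const uint8_t confirmation_token[keymaster::kConfirmationTokenSize])
      const;

  keymaster::RemoteProvisioningContext* GetRemoteProvisioningContext()
      const override;

  // verified_boot_state and bootloader_state are views: any storage must
  // happen inside the call, because the caller's buffers may not outlive it.
  keymaster_error_t SetVerifiedBootInfo(
      std::string_view verified_boot_state, std::string_view bootloader_state,
      const std::vector<uint8_t>& vbmeta_digest) override;

  keymaster_error_t SetVendorPatchlevel(uint32_t vendor_patchlevel) override;
  keymaster_error_t SetBootPatchlevel(uint32_t boot_patchlevel) override;
  std::optional<uint32_t> GetVendorPatchlevel() const override;
  std::optional<uint32_t> GetBootPatchlevel() const override;

  // Forwards to the attestation context; attestation_context_ is
  // dereferenced without a null check (assumed set by the constructor —
  // confirm in the .cpp).
  keymaster_error_t SetAttestationIds(
      const keymaster::SetAttestationIdsRequest& request) override {
    return attestation_context_->SetAttestationIds(request);
  }

  // KM3 variant of SetAttestationIds; same forwarding and the same unchecked
  // dereference of attestation_context_.
  keymaster_error_t SetAttestationIdsKM3(
      const keymaster::SetAttestationIdsKM3Request& request) override {
    return attestation_context_->SetAttestationIdsKM3(request);
  }
};

}  // namespace cuttlefish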