1 /*
2 * Copyright 2018 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "remote_keymaster.h"
18
19 #include <android-base/logging.h>
20 #include <android-base/properties.h>
21 #include <android-base/strings.h>
22 #include <keymaster/android_keymaster_messages.h>
23 #include <keymaster/keymaster_configuration.h>
24
25 namespace keymaster {
26
RemoteKeymaster(cuttlefish::SharedFdKeymasterChannel * channel,int32_t message_version)27 RemoteKeymaster::RemoteKeymaster(cuttlefish::SharedFdKeymasterChannel* channel,
28 int32_t message_version)
29 : channel_(channel), message_version_(message_version) {}
30
~RemoteKeymaster()31 RemoteKeymaster::~RemoteKeymaster() {}
32
ForwardCommand(AndroidKeymasterCommand command,const Serializable & req,KeymasterResponse * rsp)33 void RemoteKeymaster::ForwardCommand(AndroidKeymasterCommand command,
34 const Serializable& req,
35 KeymasterResponse* rsp) {
36 if (!channel_->SendRequest(command, req)) {
37 LOG(ERROR) << "Failed to send keymaster message: " << command;
38 rsp->error = KM_ERROR_UNKNOWN_ERROR;
39 return;
40 }
41 auto response = channel_->ReceiveMessage();
42 if (!response) {
43 LOG(ERROR) << "Failed to receive keymaster response: " << command;
44 rsp->error = KM_ERROR_UNKNOWN_ERROR;
45 return;
46 }
47 const uint8_t* buffer = response->payload;
48 const uint8_t* buffer_end = response->payload + response->payload_size;
49 if (!rsp->Deserialize(&buffer, buffer_end)) {
50 LOG(ERROR) << "Failed to deserialize keymaster response: " << command;
51 rsp->error = KM_ERROR_UNKNOWN_ERROR;
52 return;
53 }
54 }
55
Initialize()56 bool RemoteKeymaster::Initialize() {
57 // We don't need to bother with GetVersion, because CF HAL and remote sides
58 // are always compiled together, so will never disagree about message
59 // versions.
60 ConfigureRequest req(message_version());
61 req.os_version = GetOsVersion();
62 req.os_patchlevel = GetOsPatchlevel();
63
64 ConfigureResponse rsp(message_version());
65 Configure(req, &rsp);
66
67 if (rsp.error != KM_ERROR_OK) {
68 LOG(ERROR) << "Failed to configure keymaster: " << rsp.error;
69 return false;
70 }
71
72 // Set the vendor patchlevel to value retrieved from system property (which
73 // requires SELinux permission).
74 ConfigureVendorPatchlevelRequest vendor_req(message_version());
75 vendor_req.vendor_patchlevel = GetVendorPatchlevel();
76 ConfigureVendorPatchlevelResponse vendor_rsp =
77 ConfigureVendorPatchlevel(vendor_req);
78 if (vendor_rsp.error != KM_ERROR_OK) {
79 LOG(ERROR) << "Failed to configure keymaster vendor patchlevel: "
80 << vendor_rsp.error;
81 return false;
82 }
83
84 // Set the boot patchlevel to value retrieved from system property (which
85 // requires SELinux permission).
86 ConfigureBootPatchlevelRequest boot_req(message_version());
87 static constexpr char boot_prop_name[] = "ro.vendor.boot_security_patch";
88 auto boot_prop_value = android::base::GetProperty(boot_prop_name, "");
89 boot_prop_value = android::base::StringReplace(boot_prop_value.data(), "-",
90 "", /* all */ true);
91 boot_req.boot_patchlevel = std::stoi(boot_prop_value);
92 ConfigureBootPatchlevelResponse boot_rsp = ConfigureBootPatchlevel(boot_req);
93 if (boot_rsp.error != KM_ERROR_OK) {
94 LOG(ERROR) << "Failed to configure keymaster boot patchlevel: "
95 << boot_rsp.error;
96 return false;
97 }
98
99 // Pass verified boot information to the remote KM implementation
100 auto vbmeta_digest = GetVbmetaDigest();
101 if (vbmeta_digest) {
102 ConfigureVerifiedBootInfoRequest request(
103 message_version(), GetVerifiedBootState(), GetBootloaderState(),
104 *vbmeta_digest);
105 ConfigureVerifiedBootInfoResponse response =
106 ConfigureVerifiedBootInfo(request);
107 if (response.error != KM_ERROR_OK) {
108 LOG(ERROR) << "Failed to configure keymaster verified boot info: "
109 << response.error;
110 return false;
111 }
112 }
113
114 // Pass attestation IDs to the remote KM implementation.
115 // Skip MEID as it is not present on emulators.
116 SetAttestationIdsKM3Request requestKM3(message_version());
117
118 static constexpr char brand_prop_name[] = "ro.product.brand";
119 static constexpr char device_prop_name[] = "ro.product.device";
120 static constexpr char product_prop_name[] = "ro.product.name";
121 static constexpr char serial_prop_name[] = "ro.serialno";
122 static constexpr char manufacturer_prop_name[] = "ro.product.manufacturer";
123 static constexpr char model_prop_name[] = "ro.product.model";
124
125 std::string brand_prop_value =
126 android::base::GetProperty(brand_prop_name, "");
127 std::string device_prop_value =
128 android::base::GetProperty(device_prop_name, "");
129 std::string product_prop_value =
130 android::base::GetProperty(product_prop_name, "");
131 std::string serial_prop_value =
132 android::base::GetProperty(serial_prop_name, "");
133 std::string manufacturer_prop_value =
134 android::base::GetProperty(manufacturer_prop_name, "");
135 std::string model_prop_value =
136 android::base::GetProperty(model_prop_name, "");
137
138 // Currently modem_simulator always returns one fixed value. See
139 // `handleGetIMEI` in
140 // device/google/cuttlefish/host/commands/modem_simulator/misc_service.cpp for
141 // more details.
142 // This should be updated once the below bug is fixed -
143 // b/263188546 - Use device-specific IMEI values rather than one hardcoded
144 // value.
145 std::string imei_value = "867400022047199";
146 requestKM3.base.imei.Reinitialize(imei_value.data(), imei_value.size());
147
148 requestKM3.base.brand.Reinitialize(brand_prop_value.data(),
149 brand_prop_value.size());
150 requestKM3.base.device.Reinitialize(device_prop_value.data(),
151 device_prop_value.size());
152 requestKM3.base.product.Reinitialize(product_prop_value.data(),
153 product_prop_value.size());
154 requestKM3.base.serial.Reinitialize(serial_prop_value.data(),
155 serial_prop_value.size());
156 requestKM3.base.manufacturer.Reinitialize(manufacturer_prop_value.data(),
157 manufacturer_prop_value.size());
158 requestKM3.base.model.Reinitialize(model_prop_value.data(),
159 model_prop_value.size());
160
161 std::string second_imei_value = "867400022047199";
162 requestKM3.second_imei.Reinitialize(second_imei_value.data(),
163 second_imei_value.size());
164
165 SetAttestationIdsKM3Response responseKM3 = SetAttestationIdsKM3(requestKM3);
166 if (responseKM3.error != KM_ERROR_OK) {
167 LOG(ERROR) << "Failed to configure keymaster attestation IDs: "
168 << responseKM3.error;
169 return false;
170 }
171
172 return true;
173 }
174
GetVersion(const GetVersionRequest & request,GetVersionResponse * response)175 void RemoteKeymaster::GetVersion(const GetVersionRequest& request,
176 GetVersionResponse* response) {
177 ForwardCommand(GET_VERSION, request, response);
178 }
179
SupportedAlgorithms(const SupportedAlgorithmsRequest & request,SupportedAlgorithmsResponse * response)180 void RemoteKeymaster::SupportedAlgorithms(
181 const SupportedAlgorithmsRequest& request,
182 SupportedAlgorithmsResponse* response) {
183 ForwardCommand(GET_SUPPORTED_ALGORITHMS, request, response);
184 }
185
SupportedBlockModes(const SupportedBlockModesRequest & request,SupportedBlockModesResponse * response)186 void RemoteKeymaster::SupportedBlockModes(
187 const SupportedBlockModesRequest& request,
188 SupportedBlockModesResponse* response) {
189 ForwardCommand(GET_SUPPORTED_BLOCK_MODES, request, response);
190 }
191
SupportedPaddingModes(const SupportedPaddingModesRequest & request,SupportedPaddingModesResponse * response)192 void RemoteKeymaster::SupportedPaddingModes(
193 const SupportedPaddingModesRequest& request,
194 SupportedPaddingModesResponse* response) {
195 ForwardCommand(GET_SUPPORTED_PADDING_MODES, request, response);
196 }
197
SupportedDigests(const SupportedDigestsRequest & request,SupportedDigestsResponse * response)198 void RemoteKeymaster::SupportedDigests(const SupportedDigestsRequest& request,
199 SupportedDigestsResponse* response) {
200 ForwardCommand(GET_SUPPORTED_DIGESTS, request, response);
201 }
202
SupportedImportFormats(const SupportedImportFormatsRequest & request,SupportedImportFormatsResponse * response)203 void RemoteKeymaster::SupportedImportFormats(
204 const SupportedImportFormatsRequest& request,
205 SupportedImportFormatsResponse* response) {
206 ForwardCommand(GET_SUPPORTED_IMPORT_FORMATS, request, response);
207 }
208
SupportedExportFormats(const SupportedExportFormatsRequest & request,SupportedExportFormatsResponse * response)209 void RemoteKeymaster::SupportedExportFormats(
210 const SupportedExportFormatsRequest& request,
211 SupportedExportFormatsResponse* response) {
212 ForwardCommand(GET_SUPPORTED_EXPORT_FORMATS, request, response);
213 }
214
AddRngEntropy(const AddEntropyRequest & request,AddEntropyResponse * response)215 void RemoteKeymaster::AddRngEntropy(const AddEntropyRequest& request,
216 AddEntropyResponse* response) {
217 ForwardCommand(ADD_RNG_ENTROPY, request, response);
218 }
219
Configure(const ConfigureRequest & request,ConfigureResponse * response)220 void RemoteKeymaster::Configure(const ConfigureRequest& request,
221 ConfigureResponse* response) {
222 ForwardCommand(CONFIGURE, request, response);
223 }
224
GenerateKey(const GenerateKeyRequest & request,GenerateKeyResponse * response)225 void RemoteKeymaster::GenerateKey(const GenerateKeyRequest& request,
226 GenerateKeyResponse* response) {
227 if (message_version_ < MessageVersion(KmVersion::KEYMINT_1) &&
228 !request.key_description.Contains(TAG_CREATION_DATETIME)) {
229 GenerateKeyRequest datedRequest(request.message_version);
230 datedRequest.key_description.push_back(TAG_CREATION_DATETIME,
231 java_time(time(NULL)));
232 ForwardCommand(GENERATE_KEY, datedRequest, response);
233 } else {
234 ForwardCommand(GENERATE_KEY, request, response);
235 }
236 }
237
GenerateRkpKey(const GenerateRkpKeyRequest & request,GenerateRkpKeyResponse * response)238 void RemoteKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request,
239 GenerateRkpKeyResponse* response) {
240 ForwardCommand(GENERATE_RKP_KEY, request, response);
241 }
242
GenerateCsr(const GenerateCsrRequest & request,GenerateCsrResponse * response)243 void RemoteKeymaster::GenerateCsr(const GenerateCsrRequest& request,
244 GenerateCsrResponse* response) {
245 ForwardCommand(GENERATE_CSR, request, response);
246 }
247
GenerateCsrV2(const GenerateCsrV2Request & request,GenerateCsrV2Response * response)248 void RemoteKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
249 GenerateCsrV2Response* response) {
250 ForwardCommand(GENERATE_CSR_V2, request, response);
251 }
252
GetKeyCharacteristics(const GetKeyCharacteristicsRequest & request,GetKeyCharacteristicsResponse * response)253 void RemoteKeymaster::GetKeyCharacteristics(
254 const GetKeyCharacteristicsRequest& request,
255 GetKeyCharacteristicsResponse* response) {
256 ForwardCommand(GET_KEY_CHARACTERISTICS, request, response);
257 }
258
ImportKey(const ImportKeyRequest & request,ImportKeyResponse * response)259 void RemoteKeymaster::ImportKey(const ImportKeyRequest& request,
260 ImportKeyResponse* response) {
261 ForwardCommand(IMPORT_KEY, request, response);
262 }
263
ImportWrappedKey(const ImportWrappedKeyRequest & request,ImportWrappedKeyResponse * response)264 void RemoteKeymaster::ImportWrappedKey(const ImportWrappedKeyRequest& request,
265 ImportWrappedKeyResponse* response) {
266 ForwardCommand(IMPORT_WRAPPED_KEY, request, response);
267 }
268
ExportKey(const ExportKeyRequest & request,ExportKeyResponse * response)269 void RemoteKeymaster::ExportKey(const ExportKeyRequest& request,
270 ExportKeyResponse* response) {
271 ForwardCommand(EXPORT_KEY, request, response);
272 }
273
AttestKey(const AttestKeyRequest & request,AttestKeyResponse * response)274 void RemoteKeymaster::AttestKey(const AttestKeyRequest& request,
275 AttestKeyResponse* response) {
276 ForwardCommand(ATTEST_KEY, request, response);
277 }
278
UpgradeKey(const UpgradeKeyRequest & request,UpgradeKeyResponse * response)279 void RemoteKeymaster::UpgradeKey(const UpgradeKeyRequest& request,
280 UpgradeKeyResponse* response) {
281 ForwardCommand(UPGRADE_KEY, request, response);
282 }
283
DeleteKey(const DeleteKeyRequest & request,DeleteKeyResponse * response)284 void RemoteKeymaster::DeleteKey(const DeleteKeyRequest& request,
285 DeleteKeyResponse* response) {
286 ForwardCommand(DELETE_KEY, request, response);
287 }
288
DeleteAllKeys(const DeleteAllKeysRequest & request,DeleteAllKeysResponse * response)289 void RemoteKeymaster::DeleteAllKeys(const DeleteAllKeysRequest& request,
290 DeleteAllKeysResponse* response) {
291 ForwardCommand(DELETE_ALL_KEYS, request, response);
292 }
293
BeginOperation(const BeginOperationRequest & request,BeginOperationResponse * response)294 void RemoteKeymaster::BeginOperation(const BeginOperationRequest& request,
295 BeginOperationResponse* response) {
296 ForwardCommand(BEGIN_OPERATION, request, response);
297 }
298
UpdateOperation(const UpdateOperationRequest & request,UpdateOperationResponse * response)299 void RemoteKeymaster::UpdateOperation(const UpdateOperationRequest& request,
300 UpdateOperationResponse* response) {
301 ForwardCommand(UPDATE_OPERATION, request, response);
302 }
303
FinishOperation(const FinishOperationRequest & request,FinishOperationResponse * response)304 void RemoteKeymaster::FinishOperation(const FinishOperationRequest& request,
305 FinishOperationResponse* response) {
306 ForwardCommand(FINISH_OPERATION, request, response);
307 }
308
AbortOperation(const AbortOperationRequest & request,AbortOperationResponse * response)309 void RemoteKeymaster::AbortOperation(const AbortOperationRequest& request,
310 AbortOperationResponse* response) {
311 ForwardCommand(ABORT_OPERATION, request, response);
312 }
313
GetHmacSharingParameters()314 GetHmacSharingParametersResponse RemoteKeymaster::GetHmacSharingParameters() {
315 // Unused empty buffer to allow ForwardCommand to have something to serialize
316 Buffer request;
317 GetHmacSharingParametersResponse response(message_version());
318 ForwardCommand(GET_HMAC_SHARING_PARAMETERS, request, &response);
319 return response;
320 }
321
ComputeSharedHmac(const ComputeSharedHmacRequest & request)322 ComputeSharedHmacResponse RemoteKeymaster::ComputeSharedHmac(
323 const ComputeSharedHmacRequest& request) {
324 ComputeSharedHmacResponse response(message_version());
325 ForwardCommand(COMPUTE_SHARED_HMAC, request, &response);
326 return response;
327 }
328
VerifyAuthorization(const VerifyAuthorizationRequest & request)329 VerifyAuthorizationResponse RemoteKeymaster::VerifyAuthorization(
330 const VerifyAuthorizationRequest& request) {
331 VerifyAuthorizationResponse response(message_version());
332 ForwardCommand(VERIFY_AUTHORIZATION, request, &response);
333 return response;
334 }
335
DeviceLocked(const DeviceLockedRequest & request)336 DeviceLockedResponse RemoteKeymaster::DeviceLocked(
337 const DeviceLockedRequest& request) {
338 DeviceLockedResponse response(message_version());
339 ForwardCommand(DEVICE_LOCKED, request, &response);
340 return response;
341 }
342
EarlyBootEnded()343 EarlyBootEndedResponse RemoteKeymaster::EarlyBootEnded() {
344 // Unused empty buffer to allow ForwardCommand to have something to serialize
345 Buffer request;
346 EarlyBootEndedResponse response(message_version());
347 ForwardCommand(EARLY_BOOT_ENDED, request, &response);
348 return response;
349 }
350
GenerateTimestampToken(GenerateTimestampTokenRequest & request,GenerateTimestampTokenResponse * response)351 void RemoteKeymaster::GenerateTimestampToken(
352 GenerateTimestampTokenRequest& request,
353 GenerateTimestampTokenResponse* response) {
354 ForwardCommand(GENERATE_TIMESTAMP_TOKEN, request, response);
355 }
356
ConfigureVendorPatchlevel(const ConfigureVendorPatchlevelRequest & request)357 ConfigureVendorPatchlevelResponse RemoteKeymaster::ConfigureVendorPatchlevel(
358 const ConfigureVendorPatchlevelRequest& request) {
359 ConfigureVendorPatchlevelResponse response(message_version());
360 ForwardCommand(CONFIGURE_VENDOR_PATCHLEVEL, request, &response);
361 return response;
362 }
363
ConfigureBootPatchlevel(const ConfigureBootPatchlevelRequest & request)364 ConfigureBootPatchlevelResponse RemoteKeymaster::ConfigureBootPatchlevel(
365 const ConfigureBootPatchlevelRequest& request) {
366 ConfigureBootPatchlevelResponse response(message_version());
367 ForwardCommand(CONFIGURE_BOOT_PATCHLEVEL, request, &response);
368 return response;
369 }
370
ConfigureVerifiedBootInfo(const ConfigureVerifiedBootInfoRequest & request)371 ConfigureVerifiedBootInfoResponse RemoteKeymaster::ConfigureVerifiedBootInfo(
372 const ConfigureVerifiedBootInfoRequest& request) {
373 ConfigureVerifiedBootInfoResponse response(message_version());
374 ForwardCommand(CONFIGURE_VERIFIED_BOOT_INFO, request, &response);
375 return response;
376 }
377
GetRootOfTrust(const GetRootOfTrustRequest & request)378 GetRootOfTrustResponse RemoteKeymaster::GetRootOfTrust(
379 const GetRootOfTrustRequest& request) {
380 GetRootOfTrustResponse response(message_version());
381 ForwardCommand(GET_ROOT_OF_TRUST, request, &response);
382 return response;
383 }
384
GetHwInfo()385 GetHwInfoResponse RemoteKeymaster::GetHwInfo() {
386 // Unused empty buffer to allow ForwardCommand to have something to serialize
387 Buffer request;
388 GetHwInfoResponse response(message_version());
389 ForwardCommand(GET_HW_INFO, request, &response);
390 return response;
391 }
392
SetAttestationIds(const SetAttestationIdsRequest & request)393 SetAttestationIdsResponse RemoteKeymaster::SetAttestationIds(
394 const SetAttestationIdsRequest& request) {
395 SetAttestationIdsResponse response(message_version());
396 ForwardCommand(SET_ATTESTATION_IDS, request, &response);
397 return response;
398 }
399
SetAttestationIdsKM3(const SetAttestationIdsKM3Request & request)400 SetAttestationIdsKM3Response RemoteKeymaster::SetAttestationIdsKM3(
401 const SetAttestationIdsKM3Request& request) {
402 SetAttestationIdsKM3Response response(message_version());
403 ForwardCommand(SET_ATTESTATION_IDS_KM3, request, &response);
404 return response;
405 }
406
407 } // namespace keymaster
408