1 /*
2  * Copyright 2017 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include "trusty_keymaster.h"
18 #include "secure_storage_manager.h"
19 
20 #include <lib/keybox/client/keybox.h>
21 #include <uapi/err.h>
22 
23 #include <memory>
24 
25 namespace keymaster {
26 
GetVersion2(const GetVersion2Request & req)27 GetVersion2Response TrustyKeymaster::GetVersion2(
28         const GetVersion2Request& req) {
29     switch (req.max_message_version) {
30     case 3:
31         context_->SetKmVersion(KmVersion::KEYMASTER_4);
32         break;
33 
34     case 4:
35         context_->SetKmVersion(KmVersion::KEYMINT_3);
36         break;
37 
38     default:
39 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
40         // In a fuzzing build, if the fuzzer sends invalid messages we should
41         // log an error and continue, to allow the fuzzer to explore more of the
42         // code.
43         LOG_E("HAL sent invalid message version %d, struggling on as fuzzing build",
44               req.max_message_version);
45         context_->SetKmVersion((req.max_message_version & 0x01)
46                                        ? KmVersion::KEYMINT_3
47                                        : KmVersion::KEYMASTER_4);
48 #else
49         // By default, if the HAL service is sending invalid messages then the
50         // safest thing to do is to terminate.
51         LOG_E("HAL sent invalid message version %d, crashing",
52               req.max_message_version);
53         abort();
54 #endif
55     }
56 
57     return AndroidKeymaster::GetVersion2(req);
58 }
59 
GetAuthTokenKey(keymaster_key_blob_t * key)60 long TrustyKeymaster::GetAuthTokenKey(keymaster_key_blob_t* key) {
61     keymaster_error_t error = context_->GetAuthTokenKey(key);
62     if (error != KM_ERROR_OK)
63         return ERR_GENERIC;
64     return NO_ERROR;
65 }
66 
GetDeviceInfo()67 std::unique_ptr<cppbor::Map> TrustyKeymaster::GetDeviceInfo() {
68     return context_->GetDeviceIds();
69 }
70 
SetBootParams(const SetBootParamsRequest & request,SetBootParamsResponse * response)71 void TrustyKeymaster::SetBootParams(const SetBootParamsRequest& request,
72                                     SetBootParamsResponse* response) {
73     if (response == nullptr)
74         return;
75 
76     response->error = context_->SetBootParams(
77             request.os_version, request.os_patchlevel,
78             request.verified_boot_key, request.verified_boot_state,
79             request.device_locked, request.verified_boot_hash);
80 }
81 
keymaster_algorithm_to_key_slot(keymaster_algorithm_t algorithm)82 AttestationKeySlot keymaster_algorithm_to_key_slot(
83         keymaster_algorithm_t algorithm) {
84     switch (algorithm) {
85     case KM_ALGORITHM_RSA:
86         return AttestationKeySlot::kRsa;
87     case KM_ALGORITHM_EC:
88         return AttestationKeySlot::kEcdsa;
89     default:
90         return AttestationKeySlot::kInvalid;
91     }
92 }
93 
SetAttestationKey(const SetAttestationKeyRequest & request,SetAttestationKeyResponse * response)94 void TrustyKeymaster::SetAttestationKey(const SetAttestationKeyRequest& request,
95                                         SetAttestationKeyResponse* response) {
96     if (response == nullptr)
97         return;
98 
99     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
100     if (ss_manager == nullptr) {
101         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
102         return;
103     }
104 
105     size_t key_size = request.key_data.buffer_size();
106     const uint8_t* key = request.key_data.begin();
107     AttestationKeySlot key_slot;
108 
109     key_slot = keymaster_algorithm_to_key_slot(request.algorithm);
110     if (key_slot == AttestationKeySlot::kInvalid) {
111         response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
112         return;
113     }
114     if (key_size == 0) {
115         response->error = KM_ERROR_INVALID_INPUT_LENGTH;
116         return;
117     }
118     response->error = ss_manager->WriteKeyToStorage(key_slot, key, key_size);
119 }
120 
DestroyAttestationIds(const DestroyAttestationIdsRequest & request,DestroyAttestationIdsResponse * response)121 void TrustyKeymaster::DestroyAttestationIds(
122         const DestroyAttestationIdsRequest& request,
123         DestroyAttestationIdsResponse* response) {
124     if (response == nullptr) {
125         return;
126     }
127     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
128     if (ss_manager == nullptr) {
129         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
130         return;
131     }
132     response->error = ss_manager->ClearAttestationIds();
133 }
134 
SetAttestationIds(const SetAttestationIdsRequest & request,EmptyKeymasterResponse * response)135 void TrustyKeymaster::SetAttestationIds(const SetAttestationIdsRequest& request,
136                                         EmptyKeymasterResponse* response) {
137     if (response == nullptr) {
138         return;
139     }
140     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
141     if (ss_manager == nullptr) {
142         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
143         return;
144     }
145     response->error = ss_manager->SetAttestationIds(request);
146 }
147 
SetAttestationIdsKM3(const SetAttestationIdsKM3Request & request,EmptyKeymasterResponse * response)148 void TrustyKeymaster::SetAttestationIdsKM3(
149         const SetAttestationIdsKM3Request& request,
150         EmptyKeymasterResponse* response) {
151     if (response == nullptr) {
152         return;
153     }
154     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
155     if (ss_manager == nullptr) {
156         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
157         return;
158     }
159     response->error = ss_manager->SetAttestationIdsKM3(request);
160 }
161 
SetWrappedAttestationKey(const SetAttestationKeyRequest & request,SetAttestationKeyResponse * response)162 void TrustyKeymaster::SetWrappedAttestationKey(
163         const SetAttestationKeyRequest& request,
164         SetAttestationKeyResponse* response) {
165     if (response == nullptr) {
166         return;
167     }
168     AttestationKeySlot key_slot =
169             keymaster_algorithm_to_key_slot(request.algorithm);
170     if (key_slot == AttestationKeySlot::kInvalid) {
171         response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
172         return;
173     }
174     /*
175      * This assumes unwrapping decreases size.
176      * If it doesn't, the unwrap call will fail.
177      */
178     size_t unwrapped_buf_size = request.key_data.buffer_size();
179     size_t unwrapped_key_size;
180     std::unique_ptr<uint8_t[]> unwrapped_key(
181             new (std::nothrow) uint8_t[unwrapped_buf_size]);
182     if (!unwrapped_key) {
183         response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
184         return;
185     }
186     int rc = keybox_unwrap(request.key_data.begin(),
187                            request.key_data.buffer_size(), unwrapped_key.get(),
188                            unwrapped_buf_size, &unwrapped_key_size);
189     if (rc != NO_ERROR) {
190         response->error = KM_ERROR_VERIFICATION_FAILED;
191         return;
192     }
193 
194     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
195     if (ss_manager == nullptr) {
196         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
197         return;
198     }
199 
200     response->error = ss_manager->WriteKeyToStorage(
201             key_slot, unwrapped_key.get(), unwrapped_key_size);
202 }
203 
ClearAttestationCertChain(const ClearAttestationCertChainRequest & request,ClearAttestationCertChainResponse * response)204 void TrustyKeymaster::ClearAttestationCertChain(
205         const ClearAttestationCertChainRequest& request,
206         ClearAttestationCertChainResponse* response) {
207     if (response == nullptr)
208         return;
209 
210     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
211     if (ss_manager == nullptr) {
212         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
213         return;
214     }
215 
216     AttestationKeySlot key_slot;
217 
218     key_slot = keymaster_algorithm_to_key_slot(request.algorithm);
219     if (key_slot == AttestationKeySlot::kInvalid) {
220         response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
221         return;
222     }
223 
224     keymaster_error_t err = ss_manager->DeleteCertChainFromStorage(key_slot);
225     if (err != KM_ERROR_OK) {
226         LOG_E("Failed to delete cert chain.\n");
227         response->error = err;
228         return;
229     }
230 
231     uint32_t cert_chain_length = 0;
232     err = ss_manager->ReadCertChainLength(key_slot, &cert_chain_length);
233     if (err != KM_ERROR_OK) {
234         LOG_E("Failed to read cert chain length.\n");
235         response->error = err;
236         return;
237     }
238     if (cert_chain_length != 0) {
239         LOG_E("Cert chain could not be deleted.\n");
240         response->error = err;
241         return;
242     }
243 
244     response->error = KM_ERROR_OK;
245 }
246 
AppendAttestationCertChain(const AppendAttestationCertChainRequest & request,AppendAttestationCertChainResponse * response)247 void TrustyKeymaster::AppendAttestationCertChain(
248         const AppendAttestationCertChainRequest& request,
249         AppendAttestationCertChainResponse* response) {
250     if (response == nullptr)
251         return;
252 
253     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
254     if (ss_manager == nullptr) {
255         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
256         return;
257     }
258 
259     size_t cert_size = request.cert_data.buffer_size();
260     const uint8_t* cert = request.cert_data.begin();
261     AttestationKeySlot key_slot;
262 
263     response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
264     switch (request.algorithm) {
265     case KM_ALGORITHM_RSA:
266         key_slot = AttestationKeySlot::kRsa;
267         break;
268     case KM_ALGORITHM_EC:
269         key_slot = AttestationKeySlot::kEcdsa;
270         break;
271     default:
272         return;
273     }
274     response->error = KM_ERROR_INVALID_INPUT_LENGTH;
275     if (cert_size == 0) {
276         return;
277     }
278     uint32_t cert_chain_length = 0;
279     if (ss_manager->ReadCertChainLength(key_slot, &cert_chain_length) !=
280         KM_ERROR_OK) {
281         LOG_E("Failed to read cert chain length, initialize to 0.\n");
282         cert_chain_length = 0;
283     }
284     response->error = ss_manager->WriteCertToStorage(key_slot, cert, cert_size,
285                                                      cert_chain_length);
286 }
287 
AtapGetCaRequest(const AtapGetCaRequestRequest & request,AtapGetCaRequestResponse * response)288 void TrustyKeymaster::AtapGetCaRequest(const AtapGetCaRequestRequest& request,
289                                        AtapGetCaRequestResponse* response) {
290     if (response == nullptr)
291         return;
292 
293     // Not implemented.
294     response->error = KM_ERROR_UNKNOWN_ERROR;
295 }
296 
AtapSetCaResponseBegin(const AtapSetCaResponseBeginRequest & request,AtapSetCaResponseBeginResponse * response)297 void TrustyKeymaster::AtapSetCaResponseBegin(
298         const AtapSetCaResponseBeginRequest& request,
299         AtapSetCaResponseBeginResponse* response) {
300     if (response == nullptr)
301         return;
302 
303     // Not implemented.
304     response->error = KM_ERROR_UNKNOWN_ERROR;
305 }
306 
AtapSetCaResponseUpdate(const AtapSetCaResponseUpdateRequest & request,AtapSetCaResponseUpdateResponse * response)307 void TrustyKeymaster::AtapSetCaResponseUpdate(
308         const AtapSetCaResponseUpdateRequest& request,
309         AtapSetCaResponseUpdateResponse* response) {
310     if (response == nullptr)
311         return;
312 
313     // Not implemented.
314     response->error = KM_ERROR_UNKNOWN_ERROR;
315 }
316 
AtapSetCaResponseFinish(const AtapSetCaResponseFinishRequest & request,AtapSetCaResponseFinishResponse * response)317 void TrustyKeymaster::AtapSetCaResponseFinish(
318         const AtapSetCaResponseFinishRequest& request,
319         AtapSetCaResponseFinishResponse* response) {
320     if (response == nullptr)
321         return;
322 
323     // Not implemented.
324     response->error = KM_ERROR_UNKNOWN_ERROR;
325 }
326 
AtapReadUuid(const AtapReadUuidRequest & request,AtapReadUuidResponse * response)327 void TrustyKeymaster::AtapReadUuid(const AtapReadUuidRequest& request,
328                                    AtapReadUuidResponse* response) {
329     if (response == nullptr)
330         return;
331 
332     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
333     if (ss_manager == nullptr) {
334         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
335         return;
336     }
337 
338     uint8_t uuid[kAttestationUuidSize]{};
339     response->error = ss_manager->ReadAttestationUuid(uuid);
340 
341     if (response->error == KM_ERROR_OK) {
342         response->data.reserve(kAttestationUuidSize);
343         response->data.write(uuid, kAttestationUuidSize);
344     }
345 }
346 
AtapSetProductId(const AtapSetProductIdRequest & request,AtapSetProductIdResponse * response)347 void TrustyKeymaster::AtapSetProductId(const AtapSetProductIdRequest& request,
348                                        AtapSetProductIdResponse* response) {
349     if (response == nullptr)
350         return;
351 
352     SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
353     if (ss_manager == nullptr) {
354         response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
355         return;
356     }
357 
358     // Not implemented.
359     response->error = KM_ERROR_UNKNOWN_ERROR;
360 }
361 }  // namespace keymaster
362