1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define TLOG_TAG "hwkey_fake_srv"
18 
19 #include <assert.h>
20 #include <lk/compiler.h>
21 #include <stdbool.h>
22 #include <stddef.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <uapi/err.h>
27 
28 #include <openssl/aes.h>
29 #include <openssl/cipher.h>
30 #include <openssl/digest.h>
31 #include <openssl/err.h>
32 #include <openssl/hkdf.h>
33 
34 #include <interface/hwaes/hwaes.h>
35 #include <interface/hwkey/hwkey.h>
36 #include <lib/system_state/system_state.h>
37 #include <lib/tipc/tipc.h>
38 #include <trusty_log.h>
39 
40 #include <hwcrypto_consts.h>
41 #include "hwkey_srv_priv.h"
42 
43 #pragma message "Compiling FAKE HWKEY provider"
44 
45 /*
46  *  This module is a sample only. For real device, this code
47  *  needs to be rewritten to operate on real per device key that
48  *  should come directly or indirectly from hardware.
49  */
50 static uint8_t fake_device_key[32] = "this is a fake unique device key";
51 static uint8_t fake_shared_key[32] = "this is a fake shared device key";
52 
53 /*
54  * Fake rollback versions for testing the sample app. These versions should be
55  * pulled from a secure source of truth in a real implementation.
56  */
57 #define FAKE_TRUSTY_RUNNING_ROLLBACK_VERSION 2
58 #define FAKE_TRUSTY_COMMITTED_ROLLBACK_VERSION 1
59 
60 /* This input vector is taken from RFC 5869 (Extract-and-Expand HKDF) */
61 static const uint8_t IKM[] = {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
62                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
63                               0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b};
64 
65 static const uint8_t salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
66                                0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c};
67 
68 static const uint8_t info[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4,
69                                0xf5, 0xf6, 0xf7, 0xf8, 0xf9};
70 
71 /* Expected pseudorandom key */
72 /*static const uint8_t exp_PRK[] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32,
73    0xdf, 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b,
74    0xb5, 0x0f, 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };*/
75 
76 /* Expected Output Key */
77 static const uint8_t exp_OKM[42] = {
78         0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
79         0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
80         0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
81         0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65};
82 
hkdf_self_test(void)83 static bool hkdf_self_test(void) {
84     int res;
85     uint8_t OKM[sizeof(exp_OKM)];
86 
87     TLOGI("hkdf self test\n");
88 
89     /* Check if OKM is OK */
90     memset(OKM, 0x55, sizeof(OKM));
91 
92     res = HKDF(OKM, sizeof(OKM), EVP_sha256(), IKM, sizeof(IKM), salt,
93                sizeof(salt), info, sizeof(info));
94     if (!res) {
95         TLOGE("hkdf: failed 0x%x\n", ERR_get_error());
96         return false;
97     }
98 
99     res = memcmp(OKM, exp_OKM, sizeof(OKM));
100     if (res) {
101         TLOGE("hkdf: data mismatch\n");
102         return false;
103     }
104 
105     TLOGI("hkdf self test: PASSED\n");
106     return true;
107 }
108 
109 /*
110  * Derive key V1 - HMAC SHA256 based Key derivation function
111  */
derive_key_v1(const uuid_t * uuid,const uint8_t * ikm_data,size_t ikm_len,uint8_t * key_buf,size_t key_len)112 uint32_t derive_key_v1(const uuid_t* uuid,
113                        const uint8_t* ikm_data,
114                        size_t ikm_len,
115                        uint8_t* key_buf,
116                        size_t key_len) {
117     if (!ikm_len) {
118         return HWKEY_ERR_BAD_LEN;
119     }
120 
121     if (!HKDF(key_buf, key_len, EVP_sha256(), (const uint8_t*)fake_device_key,
122               sizeof(fake_device_key), (const uint8_t*)uuid, sizeof(uuid_t),
123               ikm_data, ikm_len)) {
124         TLOGE("HDKF failed 0x%x\n", ERR_get_error());
125         memset(key_buf, 0, key_len);
126         return HWKEY_ERR_GENERIC;
127     }
128 
129     return HWKEY_NO_ERROR;
130 }
131 
132 /*
133  * Context labels for key derivation contexts, see derive_key_versioned_v1() for
134  * details.
135  */
136 #define HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL "DERIVE VERSIONED"
137 #define ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL "TZOS"
138 
139 #define HWKEY_DERIVE_VERSIONED_SALT "hwkey derive versioned salt"
140 
141 static uint8_t context_buf[4096];
142 
143 /**
144  * fill_context_buf() - Add data to context_buf
145  * @src: Pointer to data to copy into the context buf. If null, @len zero bytes
146  *       will be added.
147  * @len: Number of bytes of data to add.
148  * @cur_position: Pointer to the next unwritten byte of context_buf. Updated
149  *                with the new current position when successful.
150  *
151  * Return: HWKEY_NO_ERROR on success, HWKEY_ERR_BAD_LEN if @len will cause the
152  * buffer to overflow.
153  */
fill_context_buf(const void * src,size_t len,size_t * cur_position)154 static uint32_t fill_context_buf(const void* src,
155                                  size_t len,
156                                  size_t* cur_position) {
157     size_t new_position;
158     if (len == 0) {
159         return HWKEY_NO_ERROR;
160     }
161     if (__builtin_add_overflow(*cur_position, len, &new_position) ||
162         new_position >= sizeof(context_buf)) {
163         return HWKEY_ERR_BAD_LEN;
164     }
165     if (src == NULL) {
166         memset(&context_buf[*cur_position], 0, len);
167     } else {
168         memcpy(&context_buf[*cur_position], src, len);
169     }
170     *cur_position = new_position;
171     return HWKEY_NO_ERROR;
172 }
173 
174 /*
175  * In a real implementation this portion of the derivation should be done by a
176  * trusted source of the Trusty OS rollback version. Doing the key derivation
177  * here in the hwkey service protects against some app-level compromises, but
178  * does not protect against compromise of any Trusty code that can derive
179  * directly using the secret key derivation input - which in this sample
180  * implementation would be the kernel and the hwkey service.
181  *
182  * This function MUST mix @rollback_version_source, @os_rollback_version, and
183  * @hwkey_context into the derivation context in a way that the client cannot
184  * forge.
185  */
root_of_trust_derive_key(bool shared,uint32_t rollback_version_source,int32_t os_rollback_version,const uint8_t * hwkey_context,size_t hwkey_context_len,uint8_t * key_buf,size_t key_len)186 static uint32_t root_of_trust_derive_key(bool shared,
187                                          uint32_t rollback_version_source,
188                                          int32_t os_rollback_version,
189                                          const uint8_t* hwkey_context,
190                                          size_t hwkey_context_len,
191                                          uint8_t* key_buf,
192                                          size_t key_len) {
193     size_t context_len = 0;
194     int rc;
195     const size_t root_of_trust_context_len =
196             sizeof(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL) +
197             sizeof(rollback_version_source) + sizeof(os_rollback_version);
198     const uint8_t* secret_key;
199     size_t secret_key_len;
200     size_t total_len;
201 
202     /*
203      * We need to move the hwkey_context (currently at the beginning of
204      * context_buf) over to make room for the root-of-trust context injected
205      * before it. We avoid the need for a separate buffer by memmoving it first
206      * then adding the context into the space we made.
207      */
208     if (__builtin_add_overflow(hwkey_context_len, root_of_trust_context_len,
209                                &total_len) ||
210         total_len >= sizeof(context_buf)) {
211         return HWKEY_ERR_BAD_LEN;
212     }
213     memmove(&context_buf[root_of_trust_context_len], hwkey_context,
214             hwkey_context_len);
215 
216     /*
217      * Add a fixed label to ensure that another user of the same key derivation
218      * primitive will not collide with this use, regardless of the provided
219      * hwkey_context (as long as other users also add a different fixed label).
220      */
221     rc = fill_context_buf(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL,
222                           sizeof(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL),
223                           &context_len);
224     if (rc) {
225         return rc;
226     }
227     /* Keys for different version limit sources must be different */
228     rc = fill_context_buf(&rollback_version_source,
229                           sizeof(rollback_version_source), &context_len);
230     if (rc) {
231         return rc;
232     }
233     /*
234      * Keys with different rollback versions must not be the same. This is part
235      * of the root-of-trust context to ensure that a compromised kernel cannot
236      * forge a version (if the root of trust is outside of Trusty)
237      */
238     rc = fill_context_buf(&os_rollback_version, sizeof(os_rollback_version),
239                           &context_len);
240     if (rc) {
241         return rc;
242     }
243 
244     assert(root_of_trust_context_len == context_len);
245 
246     /*
247      * We already moved the hwkey_context into place after the root of trust
248      * context.
249      */
250     context_len += hwkey_context_len;
251 
252     if (shared) {
253         secret_key = fake_shared_key;
254         secret_key_len = sizeof(fake_shared_key);
255     } else {
256         secret_key = fake_device_key;
257         secret_key_len = sizeof(fake_device_key);
258     }
259 
260     if (!HKDF(key_buf, key_len, EVP_sha256(), secret_key, secret_key_len,
261               (const uint8_t*)HWKEY_DERIVE_VERSIONED_SALT,
262               sizeof(HWKEY_DERIVE_VERSIONED_SALT), context_buf, context_len)) {
263         TLOGE("HDKF failed 0x%x\n", ERR_get_error());
264         memset(key_buf, 0, key_len);
265         return HWKEY_ERR_GENERIC;
266     }
267     return HWKEY_NO_ERROR;
268 }
269 
get_current_os_rollback_version(uint32_t source)270 int32_t get_current_os_rollback_version(uint32_t source) {
271     switch (source) {
272     case HWKEY_ROLLBACK_RUNNING_VERSION:
273         return FAKE_TRUSTY_RUNNING_ROLLBACK_VERSION;
274 
275     case HWKEY_ROLLBACK_COMMITTED_VERSION:
276         return FAKE_TRUSTY_COMMITTED_ROLLBACK_VERSION;
277 
278     default:
279         TLOGE("Unknown rollback version source: %u\n", source);
280         return ERR_NOT_VALID;
281     }
282 }
283 
284 /*
285  * Derive a versioned key - HMAC SHA256 based versioned key derivation function
286  */
derive_key_versioned_v1(const uuid_t * uuid,bool shared,uint32_t rollback_version_source,int32_t rollback_versions[HWKEY_ROLLBACK_VERSION_INDEX_COUNT],const uint8_t * user_context,size_t user_context_len,uint8_t * key_buf,size_t key_len)287 uint32_t derive_key_versioned_v1(
288         const uuid_t* uuid,
289         bool shared,
290         uint32_t rollback_version_source,
291         int32_t rollback_versions[HWKEY_ROLLBACK_VERSION_INDEX_COUNT],
292         const uint8_t* user_context,
293         size_t user_context_len,
294         uint8_t* key_buf,
295         size_t key_len) {
296     size_t context_len = 0;
297     int i;
298     uint32_t rc = HWKEY_NO_ERROR;
299     int32_t os_rollback_version =
300             rollback_versions[HWKEY_ROLLBACK_VERSION_OS_INDEX];
301     int32_t os_rollback_version_current =
302             get_current_os_rollback_version(rollback_version_source);
303 
304     if (os_rollback_version_current < 0) {
305         rc = HWKEY_ERR_NOT_VALID;
306         goto err;
307     }
308 
309     if (os_rollback_version > os_rollback_version_current) {
310         TLOGE("Requested rollback version too new: %u\n", os_rollback_version);
311         rc = HWKEY_ERR_NOT_FOUND;
312         goto err;
313     }
314 
315     /* short-circuit derivation if we have nothing to derive */
316     if (key_len == 0) {
317         rc = HWKEY_NO_ERROR;
318         goto err;
319     }
320 
321     /* for compatibility with unversioned derive, require a context */
322     if (!key_buf || !user_context || user_context_len == 0) {
323         rc = HWKEY_ERR_NOT_VALID;
324         goto err;
325     }
326 
327     /*
328      * This portion of the context may always be added by the hwkey service, as
329      * it deals with the identity of the client requesting the key derivation.
330      */
331     /*
332      * Fixed label ensures that this derivation will not collide with a
333      * different user of root_of_trust_derive_key(), regardless of the provided
334      * user context (as long as other users also add a different fixed label).
335      */
336     rc = fill_context_buf(HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL,
337                           sizeof(HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL),
338                           &context_len);
339     if (rc) {
340         goto err;
341     }
342     /* Keys for different apps must be different */
343     rc = fill_context_buf(uuid, sizeof(*uuid), &context_len);
344     if (rc) {
345         goto err;
346     }
347     for (i = 0; i < HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT; ++i) {
348         /*
349          * We skip the OS version because the root-of-trust should be inserting
350          * that, and we don't want to mask a buggy implementation there in
351          * testing. If the root-of-trust somehow did not insert the OS version,
352          * we want to notice.
353          */
354         if (i == HWKEY_ROLLBACK_VERSION_OS_INDEX) {
355             continue;
356         }
357         rc = fill_context_buf(&rollback_versions[i], sizeof(*rollback_versions),
358                               &context_len);
359         if (rc) {
360             goto err;
361         }
362     }
363     /* Reserve space for additional versions in the future */
364     if (HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT <
365         HWKEY_ROLLBACK_VERSION_INDEX_COUNT) {
366         rc = fill_context_buf(NULL,
367                               sizeof(*rollback_versions) *
368                                       (HWKEY_ROLLBACK_VERSION_INDEX_COUNT -
369                                        HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT),
370                               &context_len);
371         if (rc) {
372             goto err;
373         }
374     }
375     /*
376      * Clients need to be able to generate multiple different keys in the same
377      * app.
378      */
379     rc = fill_context_buf(user_context, user_context_len, &context_len);
380     if (rc) {
381         goto err;
382     }
383 
384     rc = root_of_trust_derive_key(shared, rollback_version_source,
385                                   os_rollback_version, context_buf, context_len,
386                                   key_buf, key_len);
387     if (rc) {
388         goto err;
389     }
390 
391 err:
392     memset(context_buf, 0, sizeof(context_buf));
393     return rc;
394 }
395 
396 /* UUID of HWCRYPTO_UNITTEST application */
397 static const uuid_t hwcrypto_unittest_uuid = HWCRYPTO_UNITTEST_APP_UUID;
398 static const uuid_t hwcrypto_unittest_rust_uuid =
399         HWCRYPTO_UNITTEST_RUST_APP_UUID;
400 
401 #if WITH_HWCRYPTO_UNITTEST
402 /*
403  *  Support for hwcrypto unittest keys should be only enabled
404  *  to test hwcrypto related APIs
405  */
406 
407 static uint8_t _unittest_key32[32] = "unittestkeyslotunittestkeyslotun";
get_unittest_key32(uint8_t * kbuf,size_t kbuf_len,size_t * klen)408 static uint32_t get_unittest_key32(uint8_t* kbuf,
409                                    size_t kbuf_len,
410                                    size_t* klen) {
411     assert(kbuf);
412     assert(klen);
413     assert(kbuf_len >= sizeof(_unittest_key32));
414 
415     /* just return predefined key */
416     memcpy(kbuf, _unittest_key32, sizeof(_unittest_key32));
417     *klen = sizeof(_unittest_key32);
418 
419     return HWKEY_NO_ERROR;
420 }
421 
get_unittest_key32_handler(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)422 static uint32_t get_unittest_key32_handler(const struct hwkey_keyslot* slot,
423                                            uint8_t* kbuf,
424                                            size_t kbuf_len,
425                                            size_t* klen) {
426     return get_unittest_key32(kbuf, kbuf_len, klen);
427 }
428 
429 /*
430  * "unittestderivedkeyslotunittestde" encrypted with _unittest_key32 using an
431  * all 0 IV. IV is prepended to the ciphertext.
432  */
433 static uint8_t _unittest_encrypted_key32[48] = {
434         0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
435         0x00, 0x00, 0x00, 0x00, 0x3e, 0x2b, 0x02, 0x54, 0x54, 0x8c, 0xa7, 0xb8,
436         0xa3, 0xfa, 0xf5, 0xd0, 0xbc, 0x1d, 0x40, 0x11, 0xac, 0x68, 0xbb, 0xf0,
437         0x55, 0xa3, 0xc5, 0x49, 0x3e, 0x77, 0x4a, 0x8b, 0x3f, 0x33, 0x56, 0x07,
438 };
439 
440 static unsigned int _unittest_encrypted_key32_size =
441         sizeof(_unittest_encrypted_key32);
442 
get_unittest_key32_derived(const struct hwkey_derived_keyslot_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)443 static uint32_t get_unittest_key32_derived(
444         const struct hwkey_derived_keyslot_data* data,
445         uint8_t* kbuf,
446         size_t kbuf_len,
447         size_t* klen) {
448     return get_unittest_key32(kbuf, kbuf_len, klen);
449 }
450 
451 static const struct hwkey_derived_keyslot_data hwcrypto_unittest_derived_data =
452         {
453                 .encrypted_key_data = _unittest_encrypted_key32,
454                 .encrypted_key_size_ptr = &_unittest_encrypted_key32_size,
455                 .retriever = get_unittest_key32_derived,
456 };
457 
derived_keyslot_handler(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)458 static uint32_t derived_keyslot_handler(const struct hwkey_keyslot* slot,
459                                         uint8_t* kbuf,
460                                         size_t kbuf_len,
461                                         size_t* klen) {
462     assert(slot);
463     return hwkey_get_derived_key(slot->priv, kbuf, kbuf_len, klen);
464 }
465 
466 static const uuid_t* unittest_allowed_opaque_key_uuids[] = {
467         &hwcrypto_unittest_uuid,
468         &hwcrypto_unittest_rust_uuid,
469 };
470 
get_unittest_key32_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)471 static uint32_t get_unittest_key32_opaque(
472         const struct hwkey_opaque_handle_data* data,
473         uint8_t* kbuf,
474         size_t kbuf_len,
475         size_t* klen) {
476     return get_unittest_key32(kbuf, kbuf_len, klen);
477 }
478 
479 static struct hwkey_opaque_handle_data unittest_opaque_handle_data = {
480         .allowed_uuids = unittest_allowed_opaque_key_uuids,
481         .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
482         .retriever = get_unittest_key32_opaque,
483 };
484 
485 static struct hwkey_opaque_handle_data unittest_opaque_handle_data2 = {
486         .allowed_uuids = unittest_allowed_opaque_key_uuids,
487         .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
488         .retriever = get_unittest_key32_opaque,
489 };
490 
491 static struct hwkey_opaque_handle_data unittest_opaque_handle_data_noaccess = {
492         .allowed_uuids = NULL,
493         .allowed_uuids_len = 0,
494         .retriever = get_unittest_key32_opaque,
495 };
496 
497 /*
498  * Adapter to cast hwkey_opaque_handle_data.priv field to struct
499  * hwkey_derived_keyslot_data*
500  */
get_derived_key_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)501 static uint32_t get_derived_key_opaque(
502         const struct hwkey_opaque_handle_data* data,
503         uint8_t* kbuf,
504         size_t kbuf_len,
505         size_t* klen) {
506     assert(data);
507     return hwkey_get_derived_key(data->priv, kbuf, kbuf_len, klen);
508 }
509 
510 static struct hwkey_opaque_handle_data unittest_opaque_derived_data = {
511         .allowed_uuids = unittest_allowed_opaque_key_uuids,
512         .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
513         .retriever = get_derived_key_opaque,
514         .priv = &hwcrypto_unittest_derived_data,
515 };
516 
517 #endif /* WITH_HWCRYPTO_UNITTEST */
518 
519 /*
520  *  RPMB Key support
521  */
522 #define RPMB_SS_AUTH_KEY_SIZE 32
523 #define RPMB_SS_AUTH_KEY_ID "com.android.trusty.storage_auth.rpmb"
524 
525 /* Secure storage service app uuid */
526 static const uuid_t ss_uuid = SECURE_STORAGE_SERVER_APP_UUID;
527 
528 static uint8_t rpmb_salt[RPMB_SS_AUTH_KEY_SIZE] = {
529         0x42, 0x18, 0xa9, 0xf2, 0xf6, 0xb1, 0xf5, 0x35, 0x06, 0x37, 0x9f,
530         0xba, 0xcc, 0x1a, 0xc9, 0x36, 0xf4, 0x83, 0x04, 0xd4, 0xf1, 0x65,
531         0x91, 0x32, 0xa6, 0xae, 0xda, 0x27, 0x4d, 0x21, 0xdb, 0x40};
532 
533 /*
534  * Generate RPMB Secure Storage Authentication key
535  */
get_rpmb_ss_auth_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)536 static uint32_t get_rpmb_ss_auth_key(const struct hwkey_keyslot* slot,
537                                      uint8_t* kbuf,
538                                      size_t kbuf_len,
539                                      size_t* klen) {
540     int rc;
541     int out_len;
542     EVP_CIPHER_CTX evp;
543 
544     assert(kbuf);
545     assert(klen);
546 
547     EVP_CIPHER_CTX_init(&evp);
548 
549     rc = EVP_EncryptInit_ex(&evp, EVP_aes_256_cbc(), NULL, fake_device_key,
550                             NULL);
551     if (!rc)
552         goto evp_err;
553 
554     rc = EVP_CIPHER_CTX_set_padding(&evp, 0);
555     if (!rc)
556         goto evp_err;
557 
558     size_t min_kbuf_len =
559             RPMB_SS_AUTH_KEY_SIZE + EVP_CIPHER_CTX_key_length(&evp);
560     if (kbuf_len < min_kbuf_len) {
561         TLOGE("buffer too small: (%zd vs. %zd )\n", kbuf_len, min_kbuf_len);
562         goto other_err;
563     }
564 
565     rc = EVP_EncryptUpdate(&evp, kbuf, &out_len, rpmb_salt, sizeof(rpmb_salt));
566     if (!rc)
567         goto evp_err;
568 
569     if ((size_t)out_len != RPMB_SS_AUTH_KEY_SIZE) {
570         TLOGE("output length mismatch (%zd vs %zd)\n", (size_t)out_len,
571               sizeof(rpmb_salt));
572         goto other_err;
573     }
574 
575     rc = EVP_EncryptFinal_ex(&evp, NULL, &out_len);
576     if (!rc)
577         goto evp_err;
578 
579     *klen = RPMB_SS_AUTH_KEY_SIZE;
580 
581     EVP_CIPHER_CTX_cleanup(&evp);
582     return HWKEY_NO_ERROR;
583 
584 evp_err:
585     TLOGE("EVP err 0x%x\n", ERR_get_error());
586 other_err:
587     EVP_CIPHER_CTX_cleanup(&evp);
588     return HWKEY_ERR_GENERIC;
589 }
590 
591 /*
592  * Keymint KAK support
593  */
594 #define KM_KAK_SIZE 32
595 /* TODO import this constant from KM TA when build support is ready */
596 #define KM_KAK_ID "com.android.trusty.keymint.kak"
597 
598 /* KM app uuid */
599 static const uuid_t km_uuid = KM_APP_UUID;
600 
601 /* KM rust app uuid */
602 static const uuid_t km_rust_uuid = KM_RUST_APP_UUID;
603 
604 #if TEST_BUILD
605 /* KM rust unit test uuid */
606 static const uuid_t km_rust_unittest_uuid = KM_RUST_UNITTEST_UUID;
607 
608 /* HWCrypto HAL rust unit test uuid */
609 static const uuid_t hwcryptohal_rust_unittest_uuid =
610         HWCRYPTOHAL_UNITTEST_RUST_APP_UUID;
611 #endif
612 
613 /* HWCrypto HAL rust unit test uuid */
614 static const uuid_t hwcryptohal_rust_uuid = HWCRYPTOHAL_RUST_APP_UUID;
615 
616 static uint8_t kak_salt[KM_KAK_SIZE] = {
617         0x70, 0xc4, 0x7c, 0xfa, 0x2c, 0xb1, 0xee, 0xdc, 0xa5, 0xdf, 0xbc,
618         0x8d, 0xd4, 0xf7, 0x0d, 0x42, 0x93, 0x3b, 0x7f, 0x7b, 0xc2, 0x9e,
619         0x6d, 0xa5, 0xb2, 0x92, 0x7a, 0x21, 0x8e, 0xc9, 0xe6, 0x9a,
620 };
621 
622 /*
623  * This should be replaced with a device-specific implementation such that
624  * any Strongbox on the device will have the same KAK.
625  */
get_km_kak_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)626 static uint32_t get_km_kak_key(const struct hwkey_keyslot* slot,
627                                uint8_t* kbuf,
628                                size_t kbuf_len,
629                                size_t* klen) {
630     assert(kbuf);
631     assert(klen);
632 
633     if (kbuf_len < KM_KAK_SIZE) {
634         return HWKEY_ERR_BAD_LEN;
635     }
636     *klen = KM_KAK_SIZE;
637 
638     return derive_key_v1(slot->uuid, kak_salt, KM_KAK_SIZE, kbuf, *klen);
639 }
640 
641 static const uuid_t hwaes_uuid = SAMPLE_HWAES_APP_UUID;
642 
643 #if WITH_HWCRYPTO_UNITTEST
644 static const uuid_t hwaes_unittest_uuid = HWAES_UNITTEST_APP_UUID;
645 static const uuid_t hwaes_bench_uuid = HWAES_BENCH_APP_UUID;
646 
647 static const uuid_t* hwaes_unittest_allowed_opaque_key_uuids[] = {
648         &hwaes_uuid,
649 };
650 
651 static struct hwkey_opaque_handle_data hwaes_unittest_opaque_handle_data = {
652         .allowed_uuids = hwaes_unittest_allowed_opaque_key_uuids,
653         .allowed_uuids_len = countof(hwaes_unittest_allowed_opaque_key_uuids),
654         .retriever = get_unittest_key32_opaque,
655 };
656 #endif
657 
658 /*
659  * Apploader key(s)
660  */
661 struct apploader_key {
662     const uint8_t* key_data;
663 
664     // Pointer to the symbol holding the size of the key.
665     // This needs to be a pointer because the size is not a
666     // constant known to the compiler at compile time,
667     // so it cannot be used to initialize the field directly.
668     const unsigned int* key_size_ptr;
669 };
670 
671 #define INCLUDE_APPLOADER_KEY(key, key_file)   \
672     INCFILE(key##_data, key##_size, key_file); \
673     static struct apploader_key key = {        \
674             .key_data = key##_data,            \
675             .key_size_ptr = &key##_size,       \
676     };
677 
678 #undef APPLOADER_HAS_SIGNING_KEYS
679 #undef APPLOADER_HAS_ENCRYPTION_KEYS
680 
681 #ifdef APPLOADER_SIGN_PUBLIC_KEY_0_FILE
682 INCLUDE_APPLOADER_KEY(apploader_sign_key_0, APPLOADER_SIGN_PUBLIC_KEY_0_FILE);
683 #define APPLOADER_SIGN_KEY_0 "com.android.trusty.apploader.sign.key.0"
684 #define APPLOADER_HAS_SIGNING_KEYS
685 #ifdef APPLOADER_SIGN_KEY_0_UNLOCKED_ONLY
686 #define APPLOADER_SIGN_KEY_0_HANDLER get_apploader_sign_unlocked_key
687 #else
688 #define APPLOADER_SIGN_KEY_0_HANDLER get_apploader_sign_key
689 #endif
690 #endif
691 
692 #ifdef APPLOADER_SIGN_PUBLIC_KEY_1_FILE
693 INCLUDE_APPLOADER_KEY(apploader_sign_key_1, APPLOADER_SIGN_PUBLIC_KEY_1_FILE);
694 #define APPLOADER_SIGN_KEY_1 "com.android.trusty.apploader.sign.key.1"
695 #define APPLOADER_HAS_SIGNING_KEYS
696 #ifdef APPLOADER_SIGN_KEY_1_UNLOCKED_ONLY
697 #define APPLOADER_SIGN_KEY_1_HANDLER get_apploader_sign_unlocked_key
698 #else
699 /*
700  * Rather than rely on a correct build configuration, a real hwkey
701  * implementation should ensure that dev signing keys are not allowed in
702  * unlocked state by either hard-coding dev key slot handlers to a handler that
703  * checks the unlock state or by erroring out here if the build configuration is
704  * unexpected.
705  */
706 #pragma message "Apploader signing key 1 is not gated on unlock status"
707 #define APPLOADER_SIGN_KEY_1_HANDLER get_apploader_sign_key
708 #endif
709 #endif
710 
711 #ifdef APPLOADER_ENCRYPT_KEY_0_FILE
712 INCLUDE_APPLOADER_KEY(apploader_encrypt_key_0, APPLOADER_ENCRYPT_KEY_0_FILE);
713 #define APPLOADER_ENCRYPT_KEY_0 "com.android.trusty.apploader.encrypt.key.0"
714 #define APPLOADER_HAS_ENCRYPTION_KEYS
715 #endif
716 
717 #ifdef APPLOADER_ENCRYPT_KEY_1_FILE
718 INCLUDE_APPLOADER_KEY(apploader_encrypt_key_1, APPLOADER_ENCRYPT_KEY_1_FILE);
719 #define APPLOADER_ENCRYPT_KEY_1 "com.android.trusty.apploader.encrypt.key.1"
720 #define APPLOADER_HAS_ENCRYPTION_KEYS
721 #endif
722 
723 #if defined(APPLOADER_HAS_SIGNING_KEYS) || \
724         defined(APPLOADER_HAS_ENCRYPTION_KEYS)
725 /* Apploader app uuid */
726 static const uuid_t apploader_uuid = APPLOADER_APP_UUID;
727 
get_apploader_key(const struct apploader_key * key,uint8_t * kbuf,size_t kbuf_len,size_t * klen)728 static uint32_t get_apploader_key(const struct apploader_key* key,
729                                   uint8_t* kbuf,
730                                   size_t kbuf_len,
731                                   size_t* klen) {
732     assert(kbuf);
733     assert(klen);
734     assert(key);
735     assert(key->key_size_ptr);
736 
737     size_t key_size = (size_t)*key->key_size_ptr;
738     assert(kbuf_len >= key_size);
739 
740     memcpy(kbuf, key->key_data, key_size);
741     *klen = key_size;
742 
743     return HWKEY_NO_ERROR;
744 }
745 #endif
746 
747 #ifdef APPLOADER_HAS_SIGNING_KEYS
get_apploader_sign_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)748 static uint32_t get_apploader_sign_key(const struct hwkey_keyslot* slot,
749                                        uint8_t* kbuf,
750                                        size_t kbuf_len,
751                                        size_t* klen) {
752     assert(slot);
753     return get_apploader_key(slot->priv, kbuf, kbuf_len, klen);
754 }
755 
756 /*
757  * Retrieve the respective key only if the system state APP_LOADING_UNLOCKED
758  * flag is true
759  */
get_apploader_sign_unlocked_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)760 static uint32_t get_apploader_sign_unlocked_key(
761         const struct hwkey_keyslot* slot,
762         uint8_t* kbuf,
763         size_t kbuf_len,
764         size_t* klen) {
765     assert(slot);
766     if (system_state_app_loading_unlocked()) {
767         return get_apploader_key(slot->priv, kbuf, kbuf_len, klen);
768     } else {
769         return HWKEY_ERR_NOT_FOUND;
770     }
771 }
772 #endif
773 
774 #ifdef APPLOADER_HAS_ENCRYPTION_KEYS
775 
776 static const uuid_t* apploader_allowed_opaque_key_uuids[] = {
777         &hwaes_uuid,
778 };
779 
780 /* Adapter to cast hwkey_opaque_handle_data.priv to struct apploader_key* */
get_apploader_key_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)781 static uint32_t get_apploader_key_opaque(
782         const struct hwkey_opaque_handle_data* data,
783         uint8_t* kbuf,
784         size_t kbuf_len,
785         size_t* klen) {
786     assert(data);
787     return get_apploader_key(data->priv, kbuf, kbuf_len, klen);
788 }
789 
790 #ifdef APPLOADER_ENCRYPT_KEY_0
791 static struct hwkey_opaque_handle_data
792         apploader_encrypt_key_0_opaque_handle_data = {
793                 .allowed_uuids = apploader_allowed_opaque_key_uuids,
794                 .allowed_uuids_len =
795                         countof(apploader_allowed_opaque_key_uuids),
796                 .retriever = get_apploader_key_opaque,
797                 .priv = &apploader_encrypt_key_0,
798 };
799 #endif
800 
801 #ifdef APPLOADER_ENCRYPT_KEY_1
802 static struct hwkey_opaque_handle_data
803         apploader_encrypt_key_1_opaque_handle_data = {
804                 .allowed_uuids = apploader_allowed_opaque_key_uuids,
805                 .allowed_uuids_len =
806                         countof(apploader_allowed_opaque_key_uuids),
807                 .retriever = get_apploader_key_opaque,
808                 .priv = &apploader_encrypt_key_1,
809 };
810 #endif
811 
812 #endif
813 
814 static const uuid_t gatekeeper_uuid = GATEKEEPER_APP_UUID;
815 static const uuid_t hwbcc_uuid = SAMPLE_HWBCC_APP_UUID;
816 static const uuid_t hwbcc_unittest_uuid = HWBCC_UNITTEST_APP_UUID;
817 
818 /* Clients that are allowed to connect to this service */
819 static const uuid_t* allowed_clients[] = {
820         /* Needs to derive keys and access keyslot RPMB_SS_AUTH_KEY_ID */
821         &ss_uuid,
822         /* Needs to derive keys and access keyslot KM_KAK_ID */
823         &km_uuid,
824         &km_rust_uuid,
825 #if TEST_BUILD
826         &km_rust_unittest_uuid,
827         /*HWCrypto HAL needs to derive key and access keylots*/
828         &hwcryptohal_rust_unittest_uuid,
829 #endif
830         &hwcryptohal_rust_uuid,
831         /* Needs access to opaque keys */
832         &hwaes_uuid,
833         /* Needs to derive keys */
834         &gatekeeper_uuid,
835 
836 #if defined(APPLOADER_HAS_SIGNING_KEYS) || \
837         defined(APPLOADER_HAS_ENCRYPTION_KEYS)
838         /* Needs to access apploader keys */
839         &apploader_uuid,
840 #endif
841 
842         /* Needs to derive keys even if it doesn't have test keyslots */
843         &hwcrypto_unittest_uuid,
844         &hwcrypto_unittest_rust_uuid,
845 
846 #if WITH_HWCRYPTO_UNITTEST
847         &hwaes_unittest_uuid,
848         &hwaes_bench_uuid,
849 #endif
850         /* Needs to derive keys */
851         &hwbcc_uuid,
852         /* Needs to derive keys */
853         &hwbcc_unittest_uuid,
854 };
855 
hwkey_client_allowed(const uuid_t * uuid)856 bool hwkey_client_allowed(const uuid_t* uuid) {
857     assert(uuid);
858     for (unsigned int i = 0; i < countof(allowed_clients); i++) {
859         if (memcmp(allowed_clients[i], uuid, sizeof(uuid_t)) == 0) {
860             return true;
861         }
862     }
863     return false;
864 }
865 
866 /*
867  *  List of keys slots that hwkey service supports
868  */
869 static const struct hwkey_keyslot _keys[] = {
870         {
871                 .uuid = &ss_uuid,
872                 .key_id = RPMB_SS_AUTH_KEY_ID,
873                 .handler = get_rpmb_ss_auth_key,
874         },
875         {
876                 .uuid = &km_uuid,
877                 .key_id = KM_KAK_ID,
878                 .handler = get_km_kak_key,
879         },
880         {
881                 .uuid = &km_rust_uuid,
882                 .key_id = KM_KAK_ID,
883                 .handler = get_km_kak_key,
884         },
885 #if TEST_BUILD
886         {
887                 .uuid = &km_rust_unittest_uuid,
888                 .key_id = KM_KAK_ID,
889                 .handler = get_km_kak_key,
890         },
891 #endif
892 #ifdef APPLOADER_SIGN_KEY_0
893         {
894                 .uuid = &apploader_uuid,
895                 .key_id = APPLOADER_SIGN_KEY_0,
896                 .handler = APPLOADER_SIGN_KEY_0_HANDLER,
897                 .priv = &apploader_sign_key_0,
898         },
899 #endif
900 #ifdef APPLOADER_SIGN_KEY_1
901         {
902                 .uuid = &apploader_uuid,
903                 .key_id = APPLOADER_SIGN_KEY_1,
904                 .handler = APPLOADER_SIGN_KEY_1_HANDLER,
905                 .priv = &apploader_sign_key_1,
906         },
907 #endif
908 #ifdef APPLOADER_ENCRYPT_KEY_0
909         {
910                 .uuid = &apploader_uuid,
911                 .key_id = APPLOADER_ENCRYPT_KEY_0,
912                 .handler = get_key_handle,
913                 .priv = &apploader_encrypt_key_0_opaque_handle_data,
914         },
915 #endif
916 #ifdef APPLOADER_ENCRYPT_KEY_1
917         {
918                 .uuid = &apploader_uuid,
919                 .key_id = APPLOADER_ENCRYPT_KEY_1,
920                 .handler = get_key_handle,
921                 .priv = &apploader_encrypt_key_1_opaque_handle_data,
922         },
923 #endif
924 
925 #if WITH_HWCRYPTO_UNITTEST
926         {
927                 .uuid = &hwcrypto_unittest_uuid,
928                 .key_id = "com.android.trusty.hwcrypto.unittest.key32",
929                 .handler = get_unittest_key32_handler,
930         },
931         {
932                 .uuid = &hwcrypto_unittest_rust_uuid,
933                 .key_id = "com.android.trusty.hwcrypto.unittest.key32",
934                 .handler = get_unittest_key32_handler,
935         },
936         {
937                 .uuid = &hwcrypto_unittest_uuid,
938                 .key_id = "com.android.trusty.hwcrypto.unittest.derived_key32",
939                 .priv = &hwcrypto_unittest_derived_data,
940                 .handler = derived_keyslot_handler,
941         },
942         {
943                 .uuid = &hwcrypto_unittest_rust_uuid,
944                 .key_id = "com.android.trusty.hwcrypto.unittest.derived_key32",
945                 .priv = &hwcrypto_unittest_derived_data,
946                 .handler = derived_keyslot_handler,
947         },
948         {
949                 .uuid = &hwcrypto_unittest_uuid,
950                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle",
951                 .handler = get_key_handle,
952                 .priv = &unittest_opaque_handle_data,
953         },
954         {
955                 .uuid = &hwcrypto_unittest_rust_uuid,
956                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle",
957                 .handler = get_key_handle,
958                 .priv = &unittest_opaque_handle_data,
959         },
960         {
961                 .uuid = &hwcrypto_unittest_uuid,
962                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle2",
963                 .handler = get_key_handle,
964                 .priv = &unittest_opaque_handle_data2,
965         },
966         {
967                 .uuid = &hwcrypto_unittest_rust_uuid,
968                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle2",
969                 .handler = get_key_handle,
970                 .priv = &unittest_opaque_handle_data2,
971         },
972         {
973                 .uuid = &hwcrypto_unittest_uuid,
974                 .key_id =
975                         "com.android.trusty.hwcrypto.unittest.opaque_handle_noaccess",
976                 .handler = get_key_handle,
977                 .priv = &unittest_opaque_handle_data_noaccess,
978         },
979         {
980                 .uuid = &hwcrypto_unittest_rust_uuid,
981                 .key_id =
982                         "com.android.trusty.hwcrypto.unittest.opaque_handle_noaccess",
983                 .handler = get_key_handle,
984                 .priv = &unittest_opaque_handle_data_noaccess,
985         },
986         {
987                 .uuid = &hwcrypto_unittest_uuid,
988                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_derived",
989                 .handler = get_key_handle,
990                 .priv = &unittest_opaque_derived_data,
991         },
992         {
993                 .uuid = &hwcrypto_unittest_rust_uuid,
994                 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_derived",
995                 .handler = get_key_handle,
996                 .priv = &unittest_opaque_derived_data,
997         },
998         {
999                 .uuid = &hwaes_unittest_uuid,
1000                 .key_id = "com.android.trusty.hwaes.unittest.opaque_handle",
1001                 .handler = get_key_handle,
1002                 .priv = &hwaes_unittest_opaque_handle_data,
1003         },
1004         {
1005                 .uuid = &hwaes_bench_uuid,
1006                 .key_id = "com.android.trusty.hwaes.unittest.opaque_handle",
1007                 .handler = get_key_handle,
1008                 .priv = &hwaes_unittest_opaque_handle_data,
1009         },
1010 #endif /* WITH_HWCRYPTO_UNITTEST */
1011 };
1012 
1013 /*
1014  *  Run Self test
1015  */
hwkey_self_test(void)1016 static bool hwkey_self_test(void) {
1017     TLOGI("hwkey self test\n");
1018 
1019     if (!hkdf_self_test())
1020         return false;
1021 
1022     TLOGI("hwkey self test: PASSED\n");
1023     return true;
1024 }
1025 
1026 /*
1027  *  Initialize Fake HWKEY service provider
1028  */
hwkey_init_srv_provider(void)1029 void hwkey_init_srv_provider(void) {
1030     int rc;
1031 
1032     TLOGE("Init FAKE!!!! HWKEY service provider\n");
1033     TLOGE("FAKE HWKEY service provider MUST be replaced with the REAL one\n");
1034 
1035     /* run self test */
1036     if (!hwkey_self_test()) {
1037         TLOGE("hwkey_self_test failed\n");
1038         abort();
1039     }
1040 
1041     /* install key handlers */
1042     hwkey_install_keys(_keys, countof(_keys));
1043 
1044     /* start service */
1045     rc = hwkey_start_service();
1046     if (rc != NO_ERROR) {
1047         TLOGE("failed (%d) to start HWKEY service\n", rc);
1048     }
1049 }
1050