1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "Keymaster.h"
18
19 #include <android-base/logging.h>
20 #include <hardware/hardware.h>
21 #include <hardware/keymaster1.h>
22 #include <hardware/keymaster2.h>
23
24 namespace android {
25 namespace vold {
26
27 class IKeymasterDevice {
28 public:
IKeymasterDevice()29 IKeymasterDevice() {}
~IKeymasterDevice()30 virtual ~IKeymasterDevice() {}
31 virtual keymaster_error_t generate_key(const keymaster_key_param_set_t* params,
32 keymaster_key_blob_t* key_blob) const = 0;
33 virtual keymaster_error_t delete_key(const keymaster_key_blob_t* key) const = 0;
34 virtual keymaster_error_t begin(keymaster_purpose_t purpose, const keymaster_key_blob_t* key,
35 const keymaster_key_param_set_t* in_params,
36 keymaster_key_param_set_t* out_params,
37 keymaster_operation_handle_t* operation_handle) const = 0;
38 virtual keymaster_error_t update(keymaster_operation_handle_t operation_handle,
39 const keymaster_key_param_set_t* in_params,
40 const keymaster_blob_t* input, size_t* input_consumed,
41 keymaster_key_param_set_t* out_params,
42 keymaster_blob_t* output) const = 0;
43 virtual keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
44 const keymaster_key_param_set_t* in_params,
45 const keymaster_blob_t* signature,
46 keymaster_key_param_set_t* out_params,
47 keymaster_blob_t* output) const = 0;
48 virtual keymaster_error_t abort(keymaster_operation_handle_t operation_handle) const = 0;
49
50 protected:
51 DISALLOW_COPY_AND_ASSIGN(IKeymasterDevice);
52 };
53
54 template <typename T> class KeymasterDevice : public IKeymasterDevice {
55 public:
KeymasterDevice(T * d)56 KeymasterDevice(T* d) : mDevice{d} {}
generate_key(const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob) const57 keymaster_error_t generate_key(const keymaster_key_param_set_t* params,
58 keymaster_key_blob_t* key_blob) const override final {
59 return mDevice->generate_key(mDevice, params, key_blob, nullptr);
60 }
delete_key(const keymaster_key_blob_t * key) const61 keymaster_error_t delete_key(const keymaster_key_blob_t* key) const override final {
62 if (mDevice->delete_key == nullptr) return KM_ERROR_OK;
63 return mDevice->delete_key(mDevice, key);
64 }
begin(keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle) const65 keymaster_error_t begin(keymaster_purpose_t purpose, const keymaster_key_blob_t* key,
66 const keymaster_key_param_set_t* in_params,
67 keymaster_key_param_set_t* out_params,
68 keymaster_operation_handle_t* operation_handle) const override final {
69 return mDevice->begin(mDevice, purpose, key, in_params, out_params, operation_handle);
70 }
update(keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output) const71 keymaster_error_t update(keymaster_operation_handle_t operation_handle,
72 const keymaster_key_param_set_t* in_params,
73 const keymaster_blob_t* input, size_t* input_consumed,
74 keymaster_key_param_set_t* out_params,
75 keymaster_blob_t* output) const override final {
76 return mDevice->update(mDevice, operation_handle, in_params, input, input_consumed,
77 out_params, output);
78 }
abort(keymaster_operation_handle_t operation_handle) const79 keymaster_error_t abort(keymaster_operation_handle_t operation_handle) const override final {
80 return mDevice->abort(mDevice, operation_handle);
81 }
82
83 protected:
84 T* const mDevice;
85 };
86
87 class Keymaster1Device : public KeymasterDevice<keymaster1_device_t> {
88 public:
Keymaster1Device(keymaster1_device_t * d)89 Keymaster1Device(keymaster1_device_t* d) : KeymasterDevice<keymaster1_device_t>{d} {}
~Keymaster1Device()90 ~Keymaster1Device() override final { keymaster1_close(mDevice); }
finish(keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output) const91 keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
92 const keymaster_key_param_set_t* in_params,
93 const keymaster_blob_t* signature,
94 keymaster_key_param_set_t* out_params,
95 keymaster_blob_t* output) const override final {
96 return mDevice->finish(mDevice, operation_handle, in_params, signature, out_params, output);
97 }
98 };
99
100 class Keymaster2Device : public KeymasterDevice<keymaster2_device_t> {
101 public:
Keymaster2Device(keymaster2_device_t * d)102 Keymaster2Device(keymaster2_device_t* d) : KeymasterDevice<keymaster2_device_t>{d} {}
~Keymaster2Device()103 ~Keymaster2Device() override final { keymaster2_close(mDevice); }
finish(keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output) const104 keymaster_error_t finish(keymaster_operation_handle_t operation_handle,
105 const keymaster_key_param_set_t* in_params,
106 const keymaster_blob_t* signature,
107 keymaster_key_param_set_t* out_params,
108 keymaster_blob_t* output) const override final {
109 return mDevice->finish(mDevice, operation_handle, in_params, nullptr, signature, out_params,
110 output);
111 }
112 };
113
~KeymasterOperation()114 KeymasterOperation::~KeymasterOperation() {
115 if (mDevice) mDevice->abort(mOpHandle);
116 }
117
updateCompletely(const std::string & input,std::string * output)118 bool KeymasterOperation::updateCompletely(const std::string& input, std::string* output) {
119 output->clear();
120 auto it = input.begin();
121 while (it != input.end()) {
122 size_t toRead = static_cast<size_t>(input.end() - it);
123 keymaster_blob_t inputBlob{reinterpret_cast<const uint8_t*>(&*it), toRead};
124 keymaster_blob_t outputBlob;
125 size_t inputConsumed;
126 auto error =
127 mDevice->update(mOpHandle, nullptr, &inputBlob, &inputConsumed, nullptr, &outputBlob);
128 if (error != KM_ERROR_OK) {
129 LOG(ERROR) << "update failed, code " << error;
130 mDevice = nullptr;
131 return false;
132 }
133 output->append(reinterpret_cast<const char*>(outputBlob.data), outputBlob.data_length);
134 free(const_cast<uint8_t*>(outputBlob.data));
135 if (inputConsumed > toRead) {
136 LOG(ERROR) << "update reported too much input consumed";
137 mDevice = nullptr;
138 return false;
139 }
140 it += inputConsumed;
141 }
142 return true;
143 }
144
finish()145 bool KeymasterOperation::finish() {
146 auto error = mDevice->finish(mOpHandle, nullptr, nullptr, nullptr, nullptr);
147 mDevice = nullptr;
148 if (error != KM_ERROR_OK) {
149 LOG(ERROR) << "finish failed, code " << error;
150 return false;
151 }
152 return true;
153 }
154
finishWithOutput(std::string * output)155 bool KeymasterOperation::finishWithOutput(std::string* output) {
156 keymaster_blob_t outputBlob;
157 auto error = mDevice->finish(mOpHandle, nullptr, nullptr, nullptr, &outputBlob);
158 mDevice = nullptr;
159 if (error != KM_ERROR_OK) {
160 LOG(ERROR) << "finish failed, code " << error;
161 return false;
162 }
163 output->assign(reinterpret_cast<const char*>(outputBlob.data), outputBlob.data_length);
164 free(const_cast<uint8_t*>(outputBlob.data));
165 return true;
166 }
167
Keymaster()168 Keymaster::Keymaster() {
169 mDevice = nullptr;
170 const hw_module_t* module;
171 int ret = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &module);
172 if (ret != 0) {
173 LOG(ERROR) << "hw_get_module_by_class returned " << ret;
174 return;
175 }
176 if (module->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
177 keymaster1_device_t* device;
178 ret = keymaster1_open(module, &device);
179 if (ret != 0) {
180 LOG(ERROR) << "keymaster1_open returned " << ret;
181 return;
182 }
183 mDevice = std::make_shared<Keymaster1Device>(device);
184 } else if (module->module_api_version == KEYMASTER_MODULE_API_VERSION_2_0) {
185 keymaster2_device_t* device;
186 ret = keymaster2_open(module, &device);
187 if (ret != 0) {
188 LOG(ERROR) << "keymaster2_open returned " << ret;
189 return;
190 }
191 mDevice = std::make_shared<Keymaster2Device>(device);
192 } else {
193 LOG(ERROR) << "module_api_version is " << module->module_api_version;
194 return;
195 }
196 }
197
generateKey(const keymaster::AuthorizationSet & inParams,std::string * key)198 bool Keymaster::generateKey(const keymaster::AuthorizationSet& inParams, std::string* key) {
199 keymaster_key_blob_t keyBlob;
200 auto error = mDevice->generate_key(&inParams, &keyBlob);
201 if (error != KM_ERROR_OK) {
202 LOG(ERROR) << "generate_key failed, code " << error;
203 return false;
204 }
205 key->assign(reinterpret_cast<const char*>(keyBlob.key_material), keyBlob.key_material_size);
206 free(const_cast<uint8_t*>(keyBlob.key_material));
207 return true;
208 }
209
deleteKey(const std::string & key)210 bool Keymaster::deleteKey(const std::string& key) {
211 keymaster_key_blob_t keyBlob{reinterpret_cast<const uint8_t*>(key.data()), key.size()};
212 auto error = mDevice->delete_key(&keyBlob);
213 if (error != KM_ERROR_OK) {
214 LOG(ERROR) << "delete_key failed, code " << error;
215 return false;
216 }
217 return true;
218 }
219
begin(keymaster_purpose_t purpose,const std::string & key,const keymaster::AuthorizationSet & inParams,keymaster::AuthorizationSet * outParams)220 KeymasterOperation Keymaster::begin(keymaster_purpose_t purpose, const std::string& key,
221 const keymaster::AuthorizationSet& inParams,
222 keymaster::AuthorizationSet* outParams) {
223 keymaster_key_blob_t keyBlob{reinterpret_cast<const uint8_t*>(key.data()), key.size()};
224 keymaster_operation_handle_t mOpHandle;
225 keymaster_key_param_set_t outParams_set;
226 auto error = mDevice->begin(purpose, &keyBlob, &inParams, &outParams_set, &mOpHandle);
227 if (error != KM_ERROR_OK) {
228 LOG(ERROR) << "begin failed, code " << error;
229 return KeymasterOperation(nullptr, mOpHandle);
230 }
231 outParams->Clear();
232 outParams->push_back(outParams_set);
233 keymaster_free_param_set(&outParams_set);
234 return KeymasterOperation(mDevice, mOpHandle);
235 }
236
begin(keymaster_purpose_t purpose,const std::string & key,const keymaster::AuthorizationSet & inParams)237 KeymasterOperation Keymaster::begin(keymaster_purpose_t purpose, const std::string& key,
238 const keymaster::AuthorizationSet& inParams) {
239 keymaster_key_blob_t keyBlob{reinterpret_cast<const uint8_t*>(key.data()), key.size()};
240 keymaster_operation_handle_t mOpHandle;
241 auto error = mDevice->begin(purpose, &keyBlob, &inParams, nullptr, &mOpHandle);
242 if (error != KM_ERROR_OK) {
243 LOG(ERROR) << "begin failed, code " << error;
244 return KeymasterOperation(nullptr, mOpHandle);
245 }
246 return KeymasterOperation(mDevice, mOpHandle);
247 }
248
249 } // namespace vold
250 } // namespace android
251