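/*
 * Copyright 2015 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_
#define SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_

#include <memory>
#include <string>

#include <openssl/evp.h>

#include <hardware/keymaster0.h>
#include <hardware/keymaster1.h>
#include <keymaster/keymaster_context.h>

namespace keymaster {

class SoftKeymasterKeyRegistrations;
class Keymaster0Engine;
class Keymaster1Engine;

/**
 * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster.
 *
 * Security-relevant properties visible in this header:
 *  - GetSecurityLevel() always reports KM_SECURITY_LEVEL_SOFTWARE.
 *  - enforcement_policy() returns nullptr; key-use enforcement is left to Keystore.
 *  - A keymaster0 or keymaster1 hardware device may optionally be attached with
 *    SetHardwareDevice(); the context takes ownership of that device.
 */
class SoftKeymasterContext : public KeymasterContext {
  public:
    /**
     * @param root_of_trust defaults to "SW". The class keeps a root_of_trust_ member of the same
     *        type; how the value is consumed is defined in the implementation file, not here.
     */
    explicit SoftKeymasterContext(const std::string& root_of_trust = "SW");
    ~SoftKeymasterContext() override;

    /**
     * Use the specified HW keymaster0 device for the operations it supports.  Takes ownership of
     * the specified device (will call keymaster0_device->common.close()), so the caller must not
     * close or reuse the device afterwards.
     */
    keymaster_error_t SetHardwareDevice(keymaster0_device_t* keymaster0_device);

    /**
     * Use the specified HW keymaster1 device for performing undigested RSA and EC operations after
     * digesting has been done in software.  Takes ownership of the specified device (will call
     * keymaster1_device->common.close()), so the caller must not close or reuse the device
     * afterwards.
     */
    keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device);

    /**
     * Always reports KM_SECURITY_LEVEL_SOFTWARE, regardless of whether a hardware device has been
     * attached with SetHardwareDevice().
     */
    keymaster_security_level_t GetSecurityLevel() const override {
        return KM_SECURITY_LEVEL_SOFTWARE;
    }

    // KeymasterContext overrides.  Only the declarations are visible in this header; behaviour is
    // defined in the implementation file.
    keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
    void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;

    KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
    OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
                                          keymaster_purpose_t purpose) const override;
    keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;

    // Key blob handling.
    // NOTE(review): blobs handed to ParseKeyBlob()/UpgradeKeyBlob()/DeleteKey() are supplied by
    // the caller; confirm in the implementation that their length and integrity are validated
    // before their contents are trusted.
    keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin,
                                    const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob,
                                    AuthorizationSet* hw_enforced,
                                    AuthorizationSet* sw_enforced) const override;
    keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
                                     const AuthorizationSet& upgrade_params,
                                     KeymasterKeyBlob* upgraded_key) const override;
    keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
                                   const AuthorizationSet& additional_params,
                                   KeymasterKeyBlob* key_material, AuthorizationSet* hw_enforced,
                                   AuthorizationSet* sw_enforced) const override;
    keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override;
    keymaster_error_t DeleteAllKeys() const override;

    // NOTE(review): the entropy source behind these two calls is not visible in this header.
    keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
    keymaster_error_t GenerateRandom(uint8_t* buf, size_t length) const override;

    // NOTE(review): where the attestation key and certificate chain come from is not visible in
    // this header; confirm how they are provisioned before relying on attestations produced
    // through this software context.
    EVP_PKEY* AttestationKey(keymaster_algorithm_t algorithm,
                             keymaster_error_t* error) const override;
    keymaster_cert_chain_t* AttestationChain(keymaster_algorithm_t algorithm,
                                             keymaster_error_t* error) const override;
    keymaster_error_t GenerateUniqueId(uint64_t creation_date_time,
                                       const keymaster_blob_t& application_id,
                                       bool reset_since_rotation, Buffer* unique_id) const override;

    /**
     * Always returns nullptr, so callers must null-check the result before dereferencing it.
     * Key-use restrictions on keys served by this context are therefore only as strong as the
     * Keystore layer that applies them.
     */
    KeymasterEnforcement* enforcement_policy() override {
        // SoftKeymaster does no enforcement; it's all done by Keystore.
        return nullptr;
    }

    void AddSystemVersionToSet(AuthorizationSet* auth_set) const;

  private:
    // Blob-format-specific parsers.  Presumably dispatched from ParseKeyBlob() -- confirm in the
    // implementation file.
    keymaster_error_t ParseOldSoftkeymasterBlob(const KeymasterKeyBlob& blob,
                                                KeymasterKeyBlob* key_material,
                                                AuthorizationSet* hw_enforced,
                                                AuthorizationSet* sw_enforced) const;
    keymaster_error_t ParseKeymaster1HwBlob(const KeymasterKeyBlob& blob,
                                            const AuthorizationSet& additional_params,
                                            KeymasterKeyBlob* key_material,
                                            AuthorizationSet* hw_enforced,
                                            AuthorizationSet* sw_enforced) const;
    keymaster_error_t ParseKeymaster0HwBlob(const KeymasterKeyBlob& blob,
                                            KeymasterKeyBlob* key_material,
                                            AuthorizationSet* hw_enforced,
                                            AuthorizationSet* sw_enforced) const;
    // NOTE(review): judging by the name, this fills in authorization sets that are not read from
    // the blob itself; confirm which tags it sets, since callers will treat them as the key's
    // real authorizations.
    keymaster_error_t FakeKeyAuthorizations(EVP_PKEY* pubkey, AuthorizationSet* hw_enforced,
                                            AuthorizationSet* sw_enforced) const;
    keymaster_error_t BuildHiddenAuthorizations(const AuthorizationSet& input_set,
                                                AuthorizationSet* hidden) const;

    std::unique_ptr<Keymaster0Engine> km0_engine_;
    std::unique_ptr<Keymaster1Engine> km1_engine_;
    std::unique_ptr<KeyFactory> rsa_factory_;
    std::unique_ptr<KeyFactory> ec_factory_;
    std::unique_ptr<KeyFactory> aes_factory_;
    std::unique_ptr<KeyFactory> hmac_factory_;

    // The default member initializers below give these fields a defined value even if a
    // constructor's initializer list omits them; a constructor that does set them still wins.
    // km1_dev_ is a raw pointer: presumably the device passed to
    // SetHardwareDevice(keymaster1_device_t*) -- confirm where it is closed.
    keymaster1_device* km1_dev_ = nullptr;
    const std::string root_of_trust_;
    uint32_t os_version_ = 0;
    uint32_t os_patchlevel_ = 0;
};

}  // namespace keymaster

#endif  // SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_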