• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2 **
3 ** Copyright 2017, The Android Open Source Project
4 **
5 ** Licensed under the Apache License, Version 2.0 (the "License");
6 ** you may not use this file except in compliance with the License.
7 ** You may obtain a copy of the License at
8 **
9 **     http://www.apache.org/licenses/LICENSE-2.0
10 **
11 ** Unless required by applicable law or agreed to in writing, software
12 ** distributed under the License is distributed on an "AS IS" BASIS,
13 ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 ** See the License for the specific language governing permissions and
15 ** limitations under the License.
16 */
17 
18 #ifndef SOFTWARE_CONTEXT_KEYMASTER2_PASSTHROUGH_CONTEXT_H_
19 #define SOFTWARE_CONTEXT_KEYMASTER2_PASSTHROUGH_CONTEXT_H_
20 
21 #include <unordered_map>
22 
23 #include <hardware/keymaster2.h>
24 #include <hardware/keymaster_defs.h>
25 
26 #include <keymaster/keymaster_context.h>
27 #include <keymaster/legacy_support/keymaster_passthrough_engine.h>
28 #include <keymaster/legacy_support/keymaster_passthrough_key.h>
29 
30 namespace keymaster {
31 
32 class Keymaster2PassthroughContext : public KeymasterContext {
33   public:
34     explicit Keymaster2PassthroughContext(keymaster2_device_t* dev);
35 
36     /**
37      * Sets the system version as reported by the system *itself*.  This is used to verify that the
38      * system believes itself to be running the same version that is reported by the bootloader, in
39      * hardware implementations.  For SoftKeymasterDevice, this sets the version information used.
40      *
41      * If the specified values don't match the bootloader-provided values, this method must return
42      * KM_ERROR_INVALID_ARGUMENT;
43      */
44     keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override;
45 
46     /**
47      * Returns the system version.  For hardware-based implementations this will be the value
48      * reported by the bootloader.  For SoftKeymasterDevice it will be the verion information set by
49      * SetSystemVersion above.
50      */
51     void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override;
52 
53     KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override;
54     OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm,
55                                           keymaster_purpose_t purpose) const override;
56     keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override;
57 
58     /**
59      * UpgradeKeyBlob takes an existing blob, parses out key material and constructs a new blob with
60      * the current format and OS version info.
61      */
62     keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
63                                      const AuthorizationSet& upgrade_params,
64                                      KeymasterKeyBlob* upgraded_key) const override;
65 
66     /**
67      * ParseKeyBlob takes a blob and extracts authorization sets and key material, returning an
68      * error if the blob fails integrity checking or decryption.  Note that the returned key
69      * material may itself be an opaque blob usable only by secure hardware (in the hybrid case).
70      *
71      * This method is called by AndroidKeymaster.
72      */
73     keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob,
74                                    const AuthorizationSet& additional_params,
75                                    UniquePtr<Key>* key) const override;
76 
77     /**
78      * Take whatever environment-specific action is appropriate (if any) to delete the specified
79      * key.
80      */
81     keymaster_error_t DeleteKey(const KeymasterKeyBlob& /* blob */) const override;
82 
83     /**
84      * Take whatever environment-specific action is appropriate to delete all keys.
85      */
86     keymaster_error_t DeleteAllKeys() const override;
87 
88     /**
89      * Adds entropy to the Cryptographic Pseudo Random Number Generator used to generate key
90      * material, and other cryptographic protocol elements.  Note that if the underlying CPRNG
91      * tracks the size of its entropy pool, it should not assume that the provided data contributes
92      * any entropy, and it should also ensure that data provided through this interface cannot
93      * "poison" the CPRNG outputs, making them predictable.
94      */
95     keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override;
96 
97     /**
98      * Return the enforcement policy for this context, or null if no enforcement should be done.
99      */
100     KeymasterEnforcement* enforcement_policy() override;
101 
102     keymaster_error_t GenerateAttestation(const Key& key, const AuthorizationSet& attest_params,
103                                           CertChainPtr* cert_chain) const override;
104 
105     keymaster_error_t
106     UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob,
107               const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key,
108               AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format,
109               KeymasterKeyBlob* wrapped_key_material) const override;
110 
111   private:
112     keymaster2_device_t* device_;
113     mutable std::unordered_map<keymaster_algorithm_t, UniquePtr<KeymasterPassthroughKeyFactory>>
114         factories_;
115     UniquePtr<KeymasterPassthroughEngine> engine_;
116     uint32_t os_version_;
117     uint32_t os_patchlevel_;
118 };
119 
120 }  // namespace keymaster
121 
122 #endif  // SOFTWARE_CONTEXT_KEYMASTER2_PASSTHROUGH_CONTEXT_H_
123