• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_KEYSTORE_H_
18 #define KEYSTORE_KEYSTORE_H_
19 
20 #include <android/hardware/keymaster/3.0/IKeymasterDevice.h>
21 #include <keymasterV4_0/Keymaster.h>
22 #include <utils/Vector.h>
23 
24 #include <keystore/keymaster_types.h>
25 
26 #include "auth_token_table.h"
27 #include "blob.h"
28 #include "confirmation_manager.h"
29 #include "grant_store.h"
30 #include "keymaster_worker.h"
31 #include "keystore_keymaster_enforcement.h"
32 #include "operation.h"
33 #include "user_state.h"
34 
35 #include <array>
36 #include <optional>
37 #include <tuple>
38 
39 namespace keystore {
40 
41 using ::android::sp;
42 using keymaster::support::Keymaster;
43 
44 template <typename T, size_t count> class Devices : public std::array<T, count> {
45   public:
46     T& operator[](SecurityLevel secLevel) {
47         static_assert(uint32_t(SecurityLevel::SOFTWARE) == 0 &&
48                           uint32_t(SecurityLevel::TRUSTED_ENVIRONMENT) == 1 &&
49                           uint32_t(SecurityLevel::STRONGBOX) == 2,
50                       "Numeric values of security levels have changed");
51         return std::array<T, count>::at(static_cast<uint32_t>(secLevel));
52     }
53     T operator[](SecurityLevel secLevel) const {
54         if (static_cast<uint32_t>(secLevel) > static_cast<uint32_t>(SecurityLevel::STRONGBOX)) {
55             LOG(ERROR) << "Invalid security level requested";
56             return {};
57         }
58         return (*const_cast<Devices*>(this))[secLevel];
59     }
60 };
61 
62 }  // namespace keystore
63 
64 namespace std {
65 template <typename T, size_t count> struct tuple_size<keystore::Devices<T, count>> {
66   public:
67     static constexpr size_t value = std::tuple_size<std::array<T, count>>::value;
68 };
69 }  // namespace std
70 
71 namespace keystore {
72 
73 using KeymasterWorkers = Devices<std::shared_ptr<KeymasterWorker>, 3>;
74 using KeymasterDevices = Devices<sp<Keymaster>, 3>;
75 
76 class KeyStore : public ::android::IBinder::DeathRecipient {
77   public:
78     KeyStore(const KeymasterDevices& kmDevices,
79              SecurityLevel minimalAllowedSecurityLevelForNewKeys);
80     ~KeyStore();
81 
82     std::shared_ptr<KeymasterWorker> getDevice(SecurityLevel securityLevel) const {
83         return mKmDevices[securityLevel];
84     }
85 
86     std::shared_ptr<KeymasterWorker> getFallbackDevice() const {
87         // we only return the fallback device if the creation of new fallback key blobs is
88         // allowed. (also see getDevice below)
89         if (mAllowNewFallback) {
90             return mKmDevices[SecurityLevel::SOFTWARE];
91         } else {
92             return nullptr;
93         }
94     }
95 
96     std::shared_ptr<KeymasterWorker> getDevice(const Blob& blob) {
97         return mKmDevices[blob.getSecurityLevel()];
98     }
99 
100     ResponseCode initialize();
101 
102     State getState(uid_t userId) { return mUserStateDB.getUserState(userId)->getState(); }
103 
104     ResponseCode initializeUser(const android::String8& pw, uid_t userId);
105 
106     ResponseCode copyMasterKey(uid_t srcUser, uid_t dstUser);
107     ResponseCode writeMasterKey(const android::String8& pw, uid_t userId);
108     ResponseCode readMasterKey(const android::String8& pw, uid_t userId);
109 
110     LockedKeyBlobEntry getLockedBlobEntryIfNotExists(const std::string& alias, uid_t uid);
111     std::optional<KeyBlobEntry> getBlobEntryIfExists(const std::string& alias, uid_t uid);
112     LockedKeyBlobEntry getLockedBlobEntryIfExists(const std::string& alias, uid_t uid);
113     /*
114      * Delete entries owned by userId. If keepUnencryptedEntries is true
115      * then only encrypted entries will be removed, otherwise all entries will
116      * be removed.
117      */
118     void resetUser(uid_t userId, bool keepUnenryptedEntries);
119     bool isEmpty(uid_t userId) const;
120 
121     void lock(uid_t userId);
122 
123     std::tuple<ResponseCode, Blob, Blob> get(const LockedKeyBlobEntry& blobfile);
124     ResponseCode put(const LockedKeyBlobEntry& blobfile, Blob keyBlob, Blob characteristicsBlob);
125     ResponseCode del(const LockedKeyBlobEntry& blobfile);
126 
127     std::string addGrant(const LockedKeyBlobEntry& blobfile, uid_t granteeUid);
128     bool removeGrant(const LockedKeyBlobEntry& blobfile, const uid_t granteeUid);
129     void removeAllGrantsToUid(const uid_t granteeUid);
130 
131     ResponseCode importKey(const uint8_t* key, size_t keyLen, const LockedKeyBlobEntry& blobfile,
132                            uid_t userId, int32_t flags);
133 
134     bool isHardwareBacked(const android::String16& keyType) const;
135 
136     std::tuple<ResponseCode, Blob, Blob, LockedKeyBlobEntry>
137     getKeyForName(const android::String8& keyName, const uid_t uid, const BlobType type);
138 
139     void binderDied(const ::android::wp<IBinder>& who) override;
140 
141     UserStateDB& getUserStateDB() { return mUserStateDB; }
142     AuthTokenTable& getAuthTokenTable() { return mAuthTokenTable; }
143     KeystoreKeymasterEnforcement& getEnforcementPolicy() { return mEnforcementPolicy; }
144     ConfirmationManager& getConfirmationManager() { return *mConfirmationManager; }
145 
146   private:
147     static const char* kOldMasterKey;
148     static const char* kMetaDataFile;
149     static const android::String16 kRsaKeyType;
150     static const android::String16 kEcKeyType;
151 
152     KeymasterWorkers mKmDevices;
153 
154     bool mAllowNewFallback;
155 
156     UserStateDB mUserStateDB;
157     AuthTokenTable mAuthTokenTable;
158     KeystoreKeymasterEnforcement mEnforcementPolicy;
159     sp<ConfirmationManager> mConfirmationManager;
160 
161     ::keystore::GrantStore mGrants;
162 
163     typedef struct { uint32_t version; } keystore_metadata_t;
164 
165     keystore_metadata_t mMetaData;
166 
167     /**
168      * Upgrade the key from the current version to whatever is newest.
169      */
170     bool upgradeBlob(Blob* blob, const uint8_t oldVersion);
171 
172     void readMetaData();
173     void writeMetaData();
174 
175     bool upgradeKeystore();
176 };
177 
178 }  // namespace keystore
179 
180 #endif  // KEYSTORE_KEYSTORE_H_
181