• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright (C) 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef KEYSTORE_KEYMASTER_ENFORCEMENT_H
18 #define KEYSTORE_KEYMASTER_ENFORCEMENT_H
19 
20 #include <stdio.h>
21 
22 #include <keystore/keymaster_types.h>
23 
24 #include <list>
25 #include <mutex>
26 #include <optional>
27 
28 namespace keystore {
29 
30 typedef uint64_t km_id_t;
31 
32 class KeymasterEnforcementContext {
33   public:
~KeymasterEnforcementContext()34     virtual ~KeymasterEnforcementContext() {}
35     /*
36      * Get current time.
37      */
38 };
39 
40 class AccessTimeMap {
41   public:
AccessTimeMap(uint32_t max_size)42     explicit AccessTimeMap(uint32_t max_size) : max_size_(max_size) {}
43 
44     /* If the key is found, returns true and fills \p last_access_time.  If not found returns
45      * false. */
46     bool LastKeyAccessTime(km_id_t keyid, uint32_t* last_access_time) const;
47 
48     /* Updates the last key access time with the currentTime parameter.  Adds the key if
49      * needed, returning false if key cannot be added because list is full. */
50     bool UpdateKeyAccessTime(km_id_t keyid, uint32_t current_time, uint32_t timeout);
51 
52   private:
53     mutable std::mutex list_lock_;
54     struct AccessTime {
55         km_id_t keyid;
56         uint32_t access_time;
57         uint32_t timeout;
58     };
59     std::list<AccessTime> last_access_list_;
60     const uint32_t max_size_;
61 };
62 
63 class AccessCountMap {
64   public:
AccessCountMap(uint32_t max_size)65     explicit AccessCountMap(uint32_t max_size) : max_size_(max_size) {}
66 
67     /* If the key is found, returns true and fills \p count.  If not found returns
68      * false. */
69     bool KeyAccessCount(km_id_t keyid, uint32_t* count) const;
70 
71     /* Increments key access count, adding an entry if the key has never been used.  Returns
72      * false if the list has reached maximum size. */
73     bool IncrementKeyAccessCount(km_id_t keyid);
74 
75   private:
76     mutable std::mutex list_lock_;
77     struct AccessCount {
78         km_id_t keyid;
79         uint64_t access_count;
80     };
81     std::list<AccessCount> access_count_list_;
82     const uint32_t max_size_;
83 };
84 
85 class KeymasterEnforcement {
86   public:
87     /**
88      * Construct a KeymasterEnforcement.
89      */
90     KeymasterEnforcement(uint32_t max_access_time_map_size, uint32_t max_access_count_map_size);
91     virtual ~KeymasterEnforcement();
92 
93     /**
94      * Iterates through the authorization set and returns the corresponding keymaster error. Will
95      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
96      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
97      */
98     ErrorCode AuthorizeOperation(const KeyPurpose purpose, const km_id_t keyid,
99                                  const AuthorizationSet& auth_set,
100                                  const AuthorizationSet& operation_params,
101                                  const HardwareAuthToken& auth_token, uint64_t op_handle,
102                                  bool is_begin_operation);
103 
104     /**
105      * Iterates through the authorization set and returns the corresponding keymaster error. Will
106      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
107      * the given operation params. Used for encrypt, decrypt sign, and verify.
108      */
109     ErrorCode AuthorizeBegin(const KeyPurpose purpose, const km_id_t keyid,
110                              const AuthorizationSet& auth_set,
111                              const AuthorizationSet& operation_params,
112                              NullOr<const HardwareAuthToken&> auth_token);
113 
114     /**
115      * Iterates through the authorization set and returns the corresponding keymaster error. Will
116      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
117      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
118      */
AuthorizeUpdate(const AuthorizationSet & auth_set,const HardwareAuthToken & auth_token,uint64_t op_handle)119     ErrorCode AuthorizeUpdate(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token,
120                               uint64_t op_handle) {
121         return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle);
122     }
123 
124     /**
125      * Iterates through the authorization set and returns the corresponding keymaster error. Will
126      * return KM_ERROR_OK if all criteria is met for the given purpose in the authorization set with
127      * the given operation params and handle. Used for encrypt, decrypt sign, and verify.
128      */
AuthorizeFinish(const AuthorizationSet & auth_set,const HardwareAuthToken & auth_token,uint64_t op_handle)129     ErrorCode AuthorizeFinish(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token,
130                               uint64_t op_handle) {
131         return AuthorizeUpdateOrFinish(auth_set, auth_token, op_handle);
132     }
133 
134     /**
135      * Creates a key ID for use in subsequent calls to AuthorizeOperation.  Clients needn't use this
136      * method of creating key IDs, as long as they use something consistent and unique.  This method
137      * hashes the key blob.
138      *
139      * Returns false if an error in the crypto library prevents creation of an ID.
140      */
141     static std::optional<km_id_t> CreateKeyId(const hidl_vec<uint8_t>& key_blob);
142 
143     //
144     // Methods that must be implemented by subclasses
145     //
146     // The time-related methods address the fact that different enforcement contexts may have
147     // different time-related capabilities.  In particular:
148     //
149     // - They may or may not be able to check dates against real-world clocks.
150     //
151     // - They may or may not be able to check timestampls against authentication trustlets (minters
152     //   of hw_auth_token_t structs).
153     //
154     // - They must have some time source for relative times, but may not be able to provide more
155     //   than reliability and monotonicity.
156 
157     /*
158      * Returns true if the specified activation date has passed, or if activation cannot be
159      * enforced.
160      */
161     virtual bool activation_date_valid(uint64_t activation_date) const = 0;
162 
163     /*
164      * Returns true if the specified expiration date has passed.  Returns false if it has not, or if
165      * expiration cannot be enforced.
166      */
167     virtual bool expiration_date_passed(uint64_t expiration_date) const = 0;
168 
169     /*
170      * Returns true if the specified auth_token is older than the specified timeout.
171      */
172     virtual bool auth_token_timed_out(const HardwareAuthToken& token, uint32_t timeout) const = 0;
173 
174     /*
175      * Get current time in seconds from some starting point.  This value is used to compute relative
176      * times between events.  It must be monotonically increasing, and must not skip or lag.  It
177      * need not have any relation to any external time standard (other than the duration of
178      * "second").
179      *
180      * On POSIX systems, it's recommented to use clock_gettime(CLOCK_MONOTONIC, ...) to implement
181      * this method.
182      */
183     virtual uint32_t get_current_time() const = 0;
184 
185     /*
186      * Returns true if the specified auth_token has a valid signature, or if signature validation is
187      * not available.
188      */
189     virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
190 
191     /*
192      * Returns true if the device screen is currently locked for the specified user.
193      */
194     virtual bool is_device_locked(int32_t userId) const = 0;
195 
196   private:
197     ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
198                                       const HardwareAuthToken& auth_token, uint64_t op_handle);
199 
200     bool MinTimeBetweenOpsPassed(uint32_t min_time_between, const km_id_t keyid);
201     bool MaxUsesPerBootNotExceeded(const km_id_t keyid, uint32_t max_uses);
202     bool AuthTokenMatches(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token,
203                           const uint64_t user_secure_id, const int auth_type_index,
204                           const int auth_timeout_index, const uint64_t op_handle,
205                           bool is_begin_operation) const;
206 
207     AccessTimeMap access_time_map_;
208     AccessCountMap access_count_map_;
209 };
210 
211 }; /* namespace keystore */
212 
213 #endif  // KEYSTORE_KEYMASTER_ENFORCEMENT_H
214