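/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <keymaster/authorization_set.h>
#include <keymaster/km_version.h>

namespace keymaster {

class Key;

/**
 * AttestationContext provides an abstract interface to the information needed
 * to generate attestation certificates.
 *
 * The defaults in this base class all report "unsupported": device ID attestation, unique IDs and
 * verified boot parameters return KM_ERROR_UNIMPLEMENTED until a subclass overrides them. The
 * security level, the attestation signing key and its certificate chain are pure virtual and must
 * be supplied by every implementation.
 */
class AttestationContext {
  protected:
    // Protected so that code outside the hierarchy cannot destroy an instance through an
    // AttestationContext pointer.
    virtual ~AttestationContext() {}

  public:
    /**
     * @param version the keymaster version this context reports through GetKmVersion().
     */
    explicit AttestationContext(KmVersion version) : version_(version) {}

    /**
     * Returns the version passed to the constructor.
     */
    KmVersion GetKmVersion() const { return version_; }

    /**
     * Returns the security level (SW or TEE) of this keymaster implementation.
     */
    virtual keymaster_security_level_t GetSecurityLevel() const = 0;

    /**
     * Verify that the device IDs provided in `attestation_params` match the device's actual IDs and
     * copy the verified IDs into `attestation`.  If *any* of the IDs do not match or verification
     * is not possible, return KM_ERROR_CANNOT_ATTEST_IDS.  If device ID attestation is unsupported,
     * ignore all arguments and return KM_ERROR_UNIMPLEMENTED.  If ID attestation is supported and
     * no ID mismatches are found, return KM_ERROR_OK.
     *
     * The default implementation is the "unsupported" case: it leaves `attestation` untouched.
     *
     * NOTE(review): the contract does not say whether an override may leave `attestation`
     * partially filled when it fails; callers should use its contents only after KM_ERROR_OK.
     */
    virtual keymaster_error_t
    VerifyAndCopyDeviceIds(const AuthorizationSet& /* attestation_params */,
                           AuthorizationSet* /* attestation */) const {
        return KM_ERROR_UNIMPLEMENTED;
    }

    /**
     * Generate the current unique ID.  If unique IDs are not supported, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     *
     * The default implementation returns an empty Buffer and tolerates a null `error`.
     */
    virtual Buffer GenerateUniqueId(uint64_t /*creation_date_time*/,
                                    const keymaster_blob_t& /*application_id*/,
                                    bool /*reset_since_rotation*/, keymaster_error_t* error) const {
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return {};
    }

    // Values reported by GetVerifiedBootParams() for the Attestation Extension.
    struct VerifiedBootParams {
        keymaster_blob_t verified_boot_key;
        keymaster_blob_t verified_boot_hash;
        keymaster_verified_boot_t verified_boot_state;
        bool device_locked;
    };

    /**
     * Returns verified boot parameters for the Attestation Extension.  For hardware-based
     * implementations, these will be the values reported by the bootloader.  By default, verified
     * boot state is unknown, and KM_ERROR_UNIMPLEMENTED is returned.
     *
     * The AttestationContext retains ownership of the VerifiedBootParams.
     *
     * The default implementation returns nullptr, so callers must check the result before
     * dereferencing it and must not report a boot state they did not receive.
     */
    virtual const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const {
        // Tolerate a null `error`, as GenerateUniqueId() does, instead of dereferencing it blindly.
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return nullptr;
    }

    /**
     * Return the factory attestation signing key.  If not available, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     */
    virtual KeymasterKeyBlob GetAttestationKey(keymaster_algorithm_t algorithm,
                                               keymaster_error_t* error) const = 0;

    /**
     * Return the factory attestation signing key certificate chain.  If not available, set `error`
     * to KM_ERROR_UNIMPLEMENTED.
     */
    virtual CertificateChain GetAttestationChain(keymaster_algorithm_t algorithm,
                                                 keymaster_error_t* error) const = 0;

  protected:
    // Version supplied at construction; returned by GetKmVersion().
    KmVersion version_;
};

}  // namespace keymaster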