1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #pragma once
17 
18 #include <keymaster/soft_key_factory.h>
19 
20 #include "host/commands/secure_env/tpm_resource_manager.h"
21 
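/**
 * Encrypts key data using a TPM-resident key and signs it with a TPM-resident
 * key for privacy and integrity.
 *
 * This class is used to encrypt KeyMint data when it leaves the secure_env
 * process, and is sent for storage to Android. When the data comes back, this
 * class decrypts it again for use in Keymaster and other HAL API calls.
 *
 * Trust boundary: a blob handed back by Android has been stored outside the
 * secure_env process, so it should be treated as untrusted input until
 * UnwrapKeyBlob has returned KM_ERROR_OK for it.
 *
 * Lifetime: the object stores a reference to the TpmResourceManager it is
 * constructed with, so that manager must outlive this object.
 */
class TpmKeyBlobMaker : public keymaster::SoftwareKeyBlobMaker {
public:
  /**
   * Binds the blob maker to the TPM resource manager it will use.
   *
   * `explicit` so that a TpmResourceManager is never silently converted into
   * a key blob maker at a call site.
   */
  explicit TpmKeyBlobMaker(TpmResourceManager& resource_manager);

  /**
   * SoftwareKeyBlobMaker entry point for producing the blob of a new key.
   *
   * @param key_description authorizations requested for the key.
   * @param origin how the key material came to exist.
   * @param key_material the raw key material to protect.
   * @param blob output: the protected blob.
   * @param hw_enforced output: authorization set reported as hardware
   *        enforced.
   * @param sw_enforced output: authorization set reported as software
   *        enforced.
   * @return a keymaster error code.
   *
   * NOTE(review): the output pointers are presumably required to be non-null;
   * confirm against the implementation.
   */
  keymaster_error_t CreateKeyBlob(
      const keymaster::AuthorizationSet& key_description,
      keymaster_key_origin_t origin,
      const keymaster::KeymasterKeyBlob& key_material,
      keymaster::KeymasterKeyBlob* blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced) const override;

  /**
   * Produces a blob from key material and authorization sets that the caller
   * has already prepared.
   *
   * NOTE(review): going by the name, the authorization sets are taken as
   * given and not checked here, so the caller is responsible for their
   * contents; confirm against the implementation.
   */
  keymaster_error_t UnvalidatedCreateKeyBlob(
      const keymaster::KeymasterKeyBlob& key_material,
      const keymaster::AuthorizationSet& hw_enforced,
      const keymaster::AuthorizationSet& sw_enforced,
      keymaster::KeymasterKeyBlob* blob) const;

  /**
   * Intermediate function between KeymasterContext::ParseKeyBlob and
   * KeyFactory::LoadKey. The inputs of this function match the outputs of
   * KeymasterContext::ParseKeyBlob and the outputs of this function match the
   * inputs of KeyFactory::LoadKey.
   *
   * KeymasterContext::ParseKeyBlob is the common entry point for decoding all
   * keys, and is expected to delegate to a KeyFactory depending on the type of
   * the serialized key. This method performs decryption operations shared
   * between all TPM-Keymaster keys.
   *
   * `blob` comes back from storage outside secure_env. Callers should use
   * hw_enforced, sw_enforced and key_material only when the return value is
   * KM_ERROR_OK.
   *
   * NOTE(review): the signature should presumably be verified before any
   * decrypted field is parsed or returned; confirm the ordering in the
   * implementation.
   */
  keymaster_error_t UnwrapKeyBlob(
      const keymaster_key_blob_t& blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced,
      keymaster::KeymasterKeyBlob* key_material) const;

  /**
   * Supplies the OS version and patch level.
   *
   * NOTE(review): how these values are bound into blobs is not visible in
   * this header; confirm in the implementation.
   */
  keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel);
private:
  // Non-owning; see the lifetime note on the class.
  TpmResourceManager& resource_manager_;
  // Zero-initialized so that a blob operation that runs before
  // SetSystemVersion never reads an indeterminate value.
  uint32_t os_version_ = 0;
  uint32_t os_patchlevel_ = 0;
};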
71