1 /*
2 * Copyright 2020, The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include <android-base/logging.h>
18 #include <endian.h>
19 #include <memory>
20 #include <openssl/hmac.h>
21 #include <openssl/rand.h>
22 #include <openssl/sha.h>
23 #include <secure_input/evdev.h>
24 #include <secure_input/secure_input_device.h>
25 #include <teeui/utils.h>
26
27 #include <initializer_list>
28
29 using namespace secure_input;
30
31 using teeui::AuthTokenKey;
32 using teeui::ByteBufferProxy;
33 using teeui::Hmac;
34 using teeui::optional;
35 using teeui::ResponseCode;
36 using teeui::TestKeyBits;
37
38 constexpr const auto kTestKey = AuthTokenKey::fill(static_cast<uint8_t>(TestKeyBits::BYTE));
39
40 class SecureInputHMacer {
41 public:
hmac256(const AuthTokenKey & key,std::initializer_list<ByteBufferProxy> buffers)42 static optional<Hmac> hmac256(const AuthTokenKey& key,
43 std::initializer_list<ByteBufferProxy> buffers) {
44 HMAC_CTX hmacCtx;
45 HMAC_CTX_init(&hmacCtx);
46 if (!HMAC_Init_ex(&hmacCtx, key.data(), key.size(), EVP_sha256(), nullptr)) {
47 return {};
48 }
49 for (auto& buffer : buffers) {
50 if (!HMAC_Update(&hmacCtx, buffer.data(), buffer.size())) {
51 return {};
52 }
53 }
54 Hmac result;
55 if (!HMAC_Final(&hmacCtx, result.data(), nullptr)) {
56 return {};
57 }
58 return result;
59 }
60 };
61
62 using HMac = teeui::HMac<SecureInputHMacer>;
63
generateNonce()64 Nonce generateNonce() {
65 /*
66 * Completely random nonce.
67 * Running the secure input protocol from the HAL service is not secure
68 * because we don't trust the non-secure world (i.e., HLOS/Android/Linux). So
69 * using a constant "nonce" here does not weaken security. If this code runs
70 * on a truly trustworthy source of input events this function needs to return
71 * hight entropy nonces.
72 * As of this writing the call to RAND_bytes is commented, because the
73 * emulator this HAL service runs on does not have a good source of entropy.
74 * It would block the call to RAND_bytes indefinitely.
75 */
76 Nonce result{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
77 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
78 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04};
79 // RAND_bytes(result.data(), result.size());
80 return result;
81 }
82
83 /**
84 * This is an implementation of the SecureInput protocol in unserspace. This is
85 * just an example and should not be used as is. The protocol implemented here
86 * should be used by a trusted input device that can assert user events with
87 * high assurance even if the HLOS kernel is compromised. A confirmationui HAL
88 * that links directly against this implementation is not secure and shal not be
89 * used on a production device.
90 */
91 class NotSoSecureInput : public SecureInput {
92 public:
NotSoSecureInput(HsBeginCb hsBeginCb,HsFinalizeCb hsFinalizeCb,DeliverEventCb deliverEventCb,InputResultCb inputResultCb)93 NotSoSecureInput(HsBeginCb hsBeginCb, HsFinalizeCb hsFinalizeCb, DeliverEventCb deliverEventCb,
94 InputResultCb inputResultCb)
95 : hsBeginCb_{hsBeginCb}, hsFinalizeCb_{hsFinalizeCb}, deliverEventCb_{deliverEventCb},
96 inputResultCb_{inputResultCb}, discardEvents_{true} {}
97
operator bool() const98 operator bool() const override { return true; }
99
handleEvent(const EventDev & evdev)100 void handleEvent(const EventDev& evdev) override {
101 bool gotEvent;
102 input_event evt;
103 std::tie(gotEvent, evt) = evdev.readEvent();
104 while (gotEvent) {
105 if (!(discardEvents_) && evt.type == EV_KEY &&
106 (evt.code == KEY_POWER || evt.code == KEY_VOLUMEDOWN || evt.code == KEY_VOLUMEUP) &&
107 evt.value == 1) {
108 DTupKeyEvent event = DTupKeyEvent::RESERVED;
109
110 // Translate the event code into DTupKeyEvent which the TA understands.
111 switch (evt.code) {
112 case KEY_POWER:
113 event = DTupKeyEvent::PWR;
114 break;
115 case KEY_VOLUMEDOWN:
116 event = DTupKeyEvent::VOL_DOWN;
117 break;
118 case KEY_VOLUMEUP:
119 event = DTupKeyEvent::VOL_UP;
120 break;
121 }
122
123 // The event goes into the HMAC in network byte order.
124 uint32_t keyEventBE = htobe32(static_cast<uint32_t>(event));
125 auto signature = HMac::hmac256(kTestKey, kConfirmationUIEventLabel,
126 teeui::bytesCast(keyEventBE), nCi_);
127
128 teeui::ResponseCode rc;
129 InputResponse ir;
130 auto response = std::tie(rc, ir);
131 if (event != DTupKeyEvent::RESERVED) {
132 response = deliverEventCb_(event, *signature);
133 if (rc != ResponseCode::OK) {
134 LOG(ERROR) << "DeliverInputEvent returned with " << uint32_t(rc);
135 inputResultCb_(rc);
136 } else {
137 switch (ir) {
138 case InputResponse::OK:
139 inputResultCb_(rc);
140 break;
141 case InputResponse::PENDING_MORE:
142 rc = performDTUPHandshake();
143 if (rc != ResponseCode::OK) {
144 inputResultCb_(rc);
145 }
146 break;
147 case InputResponse::TIMED_OUT:
148 inputResultCb_(rc);
149 break;
150 }
151 }
152 }
153 }
154 std::tie(gotEvent, evt) = evdev.readEvent();
155 }
156 }
157
start()158 void start() override {
159 auto rc = performDTUPHandshake();
160 if (rc != ResponseCode::OK) {
161 inputResultCb_(rc);
162 }
163 discardEvents_ = false;
164 };
165
166 private:
performDTUPHandshake()167 teeui::ResponseCode performDTUPHandshake() {
168 ResponseCode rc;
169 LOG(INFO) << "Start handshake";
170 Nonce nCo;
171 std::tie(rc, nCo) = hsBeginCb_();
172 if (rc != ResponseCode::OK) {
173 LOG(ERROR) << "Failed to begin secure input handshake (" << uint32_t(rc) << ")";
174 return rc;
175 }
176
177 nCi_ = generateNonce();
178 rc =
179 hsFinalizeCb_(*HMac::hmac256(kTestKey, kConfirmationUIHandshakeLabel, nCo, nCi_), nCi_);
180
181 if (rc != ResponseCode::OK) {
182 LOG(ERROR) << "Failed to finalize secure input handshake (" << uint32_t(rc) << ")";
183 return rc;
184 }
185 return ResponseCode::OK;
186 }
187
188 HsBeginCb hsBeginCb_;
189 HsFinalizeCb hsFinalizeCb_;
190 DeliverEventCb deliverEventCb_;
191 InputResultCb inputResultCb_;
192
193 std::atomic_bool discardEvents_;
194 Nonce nCi_;
195 };
196
197 namespace secure_input {
198
createSecureInput(SecureInput::HsBeginCb hsBeginCb,SecureInput::HsFinalizeCb hsFinalizeCb,SecureInput::DeliverEventCb deliverEventCb,SecureInput::InputResultCb inputResultCb)199 std::shared_ptr<SecureInput> createSecureInput(SecureInput::HsBeginCb hsBeginCb,
200 SecureInput::HsFinalizeCb hsFinalizeCb,
201 SecureInput::DeliverEventCb deliverEventCb,
202 SecureInput::InputResultCb inputResultCb) {
203 return std::make_shared<NotSoSecureInput>(hsBeginCb, hsFinalizeCb, deliverEventCb,
204 inputResultCb);
205 }
206
207 } // namespace secure_input
208