1 // 2 // Copyright (C) 2020 The Android Open Source Project 3 // 4 // Licensed under the Apache License, Version 2.0 (the "License"); 5 // you may not use this file except in compliance with the License. 6 // You may obtain a copy of the License at 7 // 8 // http://www.apache.org/licenses/LICENSE-2.0 9 // 10 // Unless required by applicable law or agreed to in writing, software 11 // distributed under the License is distributed on an "AS IS" BASIS, 12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 // See the License for the specific language governing permissions and 14 // limitations under the License. 15 16 #pragma once 17 18 #include <memory> 19 20 #include <tss2/tss2_esys.h> 21 22 #include "host/commands/secure_env/tpm_auth.h" 23 24 namespace cuttlefish { 25 26 class TpmResourceManager; 27 28 struct EsysDeleter { operatorEsysDeleter29 void operator()(void* data) { Esys_Free(data); } 30 }; 31 32 template<typename T> 33 using UniqueEsysPtr = std::unique_ptr<T, EsysDeleter>; 34 35 /** 36 * Returns a HMAC signature for `data` with the key loaded into the TPM at 37 * `key_handle`. 38 * 39 * The signature is a byte string that certifies a process that can make TPM 40 * API calls has signed off on using another byte string (`data`) for some 41 * purpose, which is implicitly tied to the signing key. In this case, the 42 * secure_env process is the only process that should have TPM access. 43 * secure_env can then transmit some data together with a signature over that 44 * data, an external system (Android) can hold onto this data and the signature, 45 * and then the secure_env process can receive the data back. The signature 46 * is used to check that the data has not been tampered with. 47 */ 48 UniqueEsysPtr<TPM2B_DIGEST> TpmHmac( 49 TpmResourceManager& resource_manager, 50 ESYS_TR key_handle, 51 TpmAuth auth, 52 const uint8_t* data, 53 size_t data_size); 54 55 } // namespace cuttlefish 56