1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 #include "tpm_key_blob_maker.h"
17
18 #include <vector>
19
20 #include <android-base/logging.h>
21 #include <tss2/tss2_mu.h>
22 #include <tss2/tss2_rc.h>
23
24 #include "host/commands/secure_env/composite_serialization.h"
25 #include "host/commands/secure_env/encrypted_serializable.h"
26 #include "host/commands/secure_env/hmac_serializable.h"
27 #include "host/commands/secure_env/primary_key_builder.h"
28
29 namespace cuttlefish {
30
31 using keymaster::AuthorizationSet;
32 using keymaster::KeymasterKeyBlob;
33 using keymaster::Serializable;
34
35 static constexpr char kUniqueKey[] = "TpmKeyBlobMaker";
36
37 /**
38 * Distinguish what properties the secure_env implementation handles. If
39 * secure_env handles it, the property is put in `hw_enforced`. Otherwise, the
40 * property is put in `sw_enforced`, and the Keystore process inside Android
41 * will try to enforce the property.
42 */
SplitEnforcedProperties(const keymaster::AuthorizationSet & key_description,keymaster::AuthorizationSet * hw_enforced,keymaster::AuthorizationSet * sw_enforced,keymaster::AuthorizationSet * hidden)43 static keymaster_error_t SplitEnforcedProperties(
44 const keymaster::AuthorizationSet& key_description,
45 keymaster::AuthorizationSet* hw_enforced,
46 keymaster::AuthorizationSet* sw_enforced,
47 keymaster::AuthorizationSet* hidden) {
48 for (auto& entry : key_description) {
49 switch (entry.tag) {
50 // These cannot be specified by the client.
51 case KM_TAG_BOOT_PATCHLEVEL:
52 case KM_TAG_ORIGIN:
53 case KM_TAG_OS_PATCHLEVEL:
54 case KM_TAG_OS_VERSION:
55 case KM_TAG_ROOT_OF_TRUST:
56 case KM_TAG_VENDOR_PATCHLEVEL:
57 LOG(DEBUG) << "Root of trust and origin tags may not be specified";
58 return KM_ERROR_INVALID_TAG;
59
60 // These are hidden
61 case KM_TAG_APPLICATION_DATA:
62 case KM_TAG_APPLICATION_ID:
63 hidden->push_back(entry);
64 break;
65
66 // These should not be in key descriptions because they're for operation
67 // parameters.
68 case KM_TAG_ASSOCIATED_DATA:
69 case KM_TAG_AUTH_TOKEN:
70 case KM_TAG_CONFIRMATION_TOKEN:
71 case KM_TAG_INVALID:
72 case KM_TAG_MAC_LENGTH:
73 case KM_TAG_NONCE:
74 LOG(DEBUG) << "Tag " << entry.tag
75 << " not allowed in key generation/import";
76 break;
77
78 // These are provided to support attestation key generation, but should
79 // not be included in the key characteristics.
80 case KM_TAG_ATTESTATION_APPLICATION_ID:
81 case KM_TAG_ATTESTATION_CHALLENGE:
82 case KM_TAG_ATTESTATION_ID_BRAND:
83 case KM_TAG_ATTESTATION_ID_DEVICE:
84 case KM_TAG_ATTESTATION_ID_IMEI:
85 case KM_TAG_ATTESTATION_ID_MANUFACTURER:
86 case KM_TAG_ATTESTATION_ID_MEID:
87 case KM_TAG_ATTESTATION_ID_MODEL:
88 case KM_TAG_ATTESTATION_ID_PRODUCT:
89 case KM_TAG_ATTESTATION_ID_SERIAL:
90 case KM_TAG_CERTIFICATE_SERIAL:
91 case KM_TAG_CERTIFICATE_SUBJECT:
92 case KM_TAG_CERTIFICATE_NOT_BEFORE:
93 case KM_TAG_CERTIFICATE_NOT_AFTER:
94 case KM_TAG_RESET_SINCE_ID_ROTATION:
95 break;
96
97 // strongbox-only tags
98 case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
99 LOG(DEBUG) << "Strongbox-only tag: " << entry.tag;
100 return KM_ERROR_UNSUPPORTED_TAG;
101
102 case KM_TAG_ROLLBACK_RESISTANT:
103 return KM_ERROR_UNSUPPORTED_TAG;
104
105 case KM_TAG_ROLLBACK_RESISTANCE:
106 LOG(DEBUG) << "Rollback resistance is not implemented.";
107 return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
108
109 // These are nominally HW tags, but we don't actually support HW key
110 // attestation yet.
111 case KM_TAG_ALLOW_WHILE_ON_BODY:
112 case KM_TAG_EXPORTABLE:
113 case KM_TAG_IDENTITY_CREDENTIAL_KEY:
114 case KM_TAG_STORAGE_KEY:
115
116 case KM_TAG_PURPOSE:
117 case KM_TAG_ALGORITHM:
118 case KM_TAG_KEY_SIZE:
119 case KM_TAG_RSA_PUBLIC_EXPONENT:
120 case KM_TAG_BLOB_USAGE_REQUIREMENTS:
121 case KM_TAG_DIGEST:
122 case KM_TAG_PADDING:
123 case KM_TAG_BLOCK_MODE:
124 case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
125 case KM_TAG_MAX_USES_PER_BOOT:
126 case KM_TAG_USER_SECURE_ID:
127 case KM_TAG_NO_AUTH_REQUIRED:
128 case KM_TAG_AUTH_TIMEOUT:
129 case KM_TAG_CALLER_NONCE:
130 case KM_TAG_MIN_MAC_LENGTH:
131 case KM_TAG_KDF:
132 case KM_TAG_EC_CURVE:
133 case KM_TAG_ECIES_SINGLE_HASH_MODE:
134 case KM_TAG_USER_AUTH_TYPE:
135 case KM_TAG_EARLY_BOOT_ONLY:
136 case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
137 hw_enforced->push_back(entry);
138 break;
139
140 // The remaining tags are all software.
141 case KM_TAG_ACTIVE_DATETIME:
142 case KM_TAG_ALL_APPLICATIONS:
143 case KM_TAG_ALL_USERS:
144 case KM_TAG_BOOTLOADER_ONLY:
145 case KM_TAG_CREATION_DATETIME:
146 case KM_TAG_INCLUDE_UNIQUE_ID:
147 case KM_TAG_MAX_BOOT_LEVEL:
148 case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
149 case KM_TAG_RSA_OAEP_MGF_DIGEST:
150 case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
151 case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
152 case KM_TAG_UNIQUE_ID:
153 case KM_TAG_USAGE_COUNT_LIMIT:
154 case KM_TAG_USAGE_EXPIRE_DATETIME:
155 case KM_TAG_USER_ID:
156 sw_enforced->push_back(entry);
157 break;
158 }
159 }
160
161 return KM_ERROR_OK;
162 }
163
SerializableToKeyBlob(const Serializable & serializable)164 static KeymasterKeyBlob SerializableToKeyBlob(
165 const Serializable& serializable) {
166 std::vector<uint8_t> data(serializable.SerializedSize() + 1);
167 uint8_t* buf = data.data();
168 uint8_t* buf_end = buf + data.size();
169 buf = serializable.Serialize(buf, buf_end);
170 if (buf != (buf_end - 1)) {
171 LOG(ERROR) << "Serialized size did not match up with actual usage.";
172 return {};
173 }
174 return KeymasterKeyBlob(data.data(), buf - data.data());
175 }
176
177
TpmKeyBlobMaker(TpmResourceManager & resource_manager)178 TpmKeyBlobMaker::TpmKeyBlobMaker(TpmResourceManager& resource_manager)
179 : resource_manager_(resource_manager) {
180 }
181
CreateKeyBlob(const AuthorizationSet & key_description,keymaster_key_origin_t origin,const KeymasterKeyBlob & key_material,KeymasterKeyBlob * blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const182 keymaster_error_t TpmKeyBlobMaker::CreateKeyBlob(
183 const AuthorizationSet& key_description,
184 keymaster_key_origin_t origin,
185 const KeymasterKeyBlob& key_material,
186 KeymasterKeyBlob* blob,
187 AuthorizationSet* hw_enforced,
188 AuthorizationSet* sw_enforced) const {
189 AuthorizationSet hidden;
190 auto rc = SplitEnforcedProperties(key_description, hw_enforced, sw_enforced,
191 &hidden);
192 if (rc != KM_ERROR_OK) {
193 return rc;
194 }
195 hw_enforced->push_back(keymaster::TAG_ORIGIN, origin);
196
197 // TODO(schuffelen): Set the os level and patch level properly.
198 hw_enforced->push_back(keymaster::TAG_OS_VERSION, os_version_);
199 hw_enforced->push_back(keymaster::TAG_OS_PATCHLEVEL, os_patchlevel_);
200
201 if (vendor_patchlevel_) {
202 hw_enforced->push_back(keymaster::TAG_VENDOR_PATCHLEVEL,
203 *vendor_patchlevel_);
204 }
205 if (boot_patchlevel_) {
206 hw_enforced->push_back(keymaster::TAG_BOOT_PATCHLEVEL, *boot_patchlevel_);
207 }
208
209 return UnvalidatedCreateKeyBlob(key_material, *hw_enforced, *sw_enforced,
210 hidden, blob);
211 }
212
UnvalidatedCreateKeyBlob(const KeymasterKeyBlob & key_material,const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced,const AuthorizationSet & hidden,KeymasterKeyBlob * blob) const213 keymaster_error_t TpmKeyBlobMaker::UnvalidatedCreateKeyBlob(
214 const KeymasterKeyBlob& key_material, const AuthorizationSet& hw_enforced,
215 const AuthorizationSet& sw_enforced, const AuthorizationSet& hidden,
216 KeymasterKeyBlob* blob) const {
217 keymaster::Buffer key_material_buffer(
218 key_material.key_material, key_material.key_material_size);
219 AuthorizationSet hw_enforced_mutable = hw_enforced;
220 AuthorizationSet sw_enforced_mutable = sw_enforced;
221 CompositeSerializable sensitive_material(
222 {&key_material_buffer, &hw_enforced_mutable, &sw_enforced_mutable});
223 auto parent_key_fn = ParentKeyCreator(kUniqueKey);
224 EncryptedSerializable encryption(
225 resource_manager_, parent_key_fn, sensitive_material);
226 auto signing_key_fn = SigningKeyCreator(kUniqueKey);
227 // TODO(b/154956668) The "hidden" tags should also be mixed into the TPM ACL
228 // so that the TPM requires them to be presented to unwrap the key. This is
229 // necessary to meet the requirement that full breach of KeyMint means an
230 // attacker cannot unwrap keys w/o the application id/data.
231 HmacSerializable sign_check(resource_manager_, signing_key_fn,
232 TPM2_SHA256_DIGEST_SIZE, &encryption, &hidden);
233 auto generated_blob = SerializableToKeyBlob(sign_check);
234 LOG(VERBOSE) << "Keymaster key size: " << generated_blob.key_material_size;
235 if (generated_blob.key_material_size != 0) {
236 *blob = generated_blob;
237 return KM_ERROR_OK;
238 }
239 LOG(ERROR) << "Failed to serialize key.";
240 return KM_ERROR_UNKNOWN_ERROR;
241 }
242
UnwrapKeyBlob(const keymaster_key_blob_t & blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced,const AuthorizationSet & hidden,KeymasterKeyBlob * key_material) const243 keymaster_error_t TpmKeyBlobMaker::UnwrapKeyBlob(
244 const keymaster_key_blob_t& blob, AuthorizationSet* hw_enforced,
245 AuthorizationSet* sw_enforced, const AuthorizationSet& hidden,
246 KeymasterKeyBlob* key_material) const {
247 keymaster::Buffer key_material_buffer(blob.key_material_size);
248 CompositeSerializable sensitive_material(
249 {&key_material_buffer, hw_enforced, sw_enforced});
250 auto parent_key_fn = ParentKeyCreator(kUniqueKey);
251 EncryptedSerializable encryption(
252 resource_manager_, parent_key_fn, sensitive_material);
253 auto signing_key_fn = SigningKeyCreator(kUniqueKey);
254 HmacSerializable sign_check(resource_manager_, signing_key_fn,
255 TPM2_SHA256_DIGEST_SIZE, &encryption, &hidden);
256 auto buf = blob.key_material;
257 auto buf_end = buf + blob.key_material_size;
258 if (!sign_check.Deserialize(&buf, buf_end)) {
259 LOG(ERROR) << "Failed to deserialize key.";
260 return KM_ERROR_INVALID_KEY_BLOB;
261 }
262 if (key_material_buffer.available_read() == 0) {
263 LOG(ERROR) << "Key material was corrupted and the size was too large";
264 return KM_ERROR_INVALID_KEY_BLOB;
265 }
266 *key_material = KeymasterKeyBlob(
267 key_material_buffer.peek_read(), key_material_buffer.available_read());
268 return KM_ERROR_OK;
269 }
270
SetSystemVersion(uint32_t os_version,uint32_t os_patchlevel)271 keymaster_error_t TpmKeyBlobMaker::SetSystemVersion(
272 uint32_t os_version, uint32_t os_patchlevel) {
273 // TODO(b/201561154): Only accept new values of these from the bootloader
274 os_version_ = os_version;
275 os_patchlevel_ = os_patchlevel;
276 return KM_ERROR_OK;
277 }
278
SetVendorPatchlevel(uint32_t patchlevel)279 keymaster_error_t TpmKeyBlobMaker::SetVendorPatchlevel(uint32_t patchlevel) {
280 // TODO(b/201561154): Only accept new values of these from the bootloader
281 vendor_patchlevel_ = patchlevel;
282 return KM_ERROR_OK;
283 }
284
SetBootPatchlevel(uint32_t boot_patchlevel)285 keymaster_error_t TpmKeyBlobMaker::SetBootPatchlevel(uint32_t boot_patchlevel) {
286 // TODO(b/201561154): Only accept new values of these from the bootloader
287 boot_patchlevel_ = boot_patchlevel;
288 return KM_ERROR_OK;
289 }
290
291 } // namespace cuttlefish
292