1 /*
2 * Copyright 2017 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #include "trusty_keymaster.h"
18 #include "secure_storage_manager.h"
19
20 #include <lib/keybox/client/keybox.h>
21 #include <uapi/err.h>
22
23 #include <memory>
24
25 namespace keymaster {
26
GetVersion2(const GetVersion2Request & req)27 GetVersion2Response TrustyKeymaster::GetVersion2(
28 const GetVersion2Request& req) {
29 switch (req.max_message_version) {
30 case 3:
31 context_->SetKmVersion(KmVersion::KEYMASTER_4);
32 break;
33
34 case 4:
35 context_->SetKmVersion(KmVersion::KEYMINT_3);
36 break;
37
38 default:
39 #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
40 // In a fuzzing build, if the fuzzer sends invalid messages we should
41 // log an error and continue, to allow the fuzzer to explore more of the
42 // code.
43 LOG_E("HAL sent invalid message version %d, struggling on as fuzzing build",
44 req.max_message_version);
45 context_->SetKmVersion((req.max_message_version & 0x01)
46 ? KmVersion::KEYMINT_3
47 : KmVersion::KEYMASTER_4);
48 #else
49 // By default, if the HAL service is sending invalid messages then the
50 // safest thing to do is to terminate.
51 LOG_E("HAL sent invalid message version %d, crashing",
52 req.max_message_version);
53 abort();
54 #endif
55 }
56
57 return AndroidKeymaster::GetVersion2(req);
58 }
59
GetAuthTokenKey(keymaster_key_blob_t * key)60 long TrustyKeymaster::GetAuthTokenKey(keymaster_key_blob_t* key) {
61 keymaster_error_t error = context_->GetAuthTokenKey(key);
62 if (error != KM_ERROR_OK)
63 return ERR_GENERIC;
64 return NO_ERROR;
65 }
66
GetDeviceInfo()67 std::unique_ptr<cppbor::Map> TrustyKeymaster::GetDeviceInfo() {
68 return context_->GetDeviceIds();
69 }
70
SetBootParams(const SetBootParamsRequest & request,SetBootParamsResponse * response)71 void TrustyKeymaster::SetBootParams(const SetBootParamsRequest& request,
72 SetBootParamsResponse* response) {
73 if (response == nullptr)
74 return;
75
76 response->error = context_->SetBootParams(
77 request.os_version, request.os_patchlevel,
78 request.verified_boot_key, request.verified_boot_state,
79 request.device_locked, request.verified_boot_hash);
80 }
81
keymaster_algorithm_to_key_slot(keymaster_algorithm_t algorithm)82 AttestationKeySlot keymaster_algorithm_to_key_slot(
83 keymaster_algorithm_t algorithm) {
84 switch (algorithm) {
85 case KM_ALGORITHM_RSA:
86 return AttestationKeySlot::kRsa;
87 case KM_ALGORITHM_EC:
88 return AttestationKeySlot::kEcdsa;
89 default:
90 return AttestationKeySlot::kInvalid;
91 }
92 }
93
SetAttestationKey(const SetAttestationKeyRequest & request,SetAttestationKeyResponse * response)94 void TrustyKeymaster::SetAttestationKey(const SetAttestationKeyRequest& request,
95 SetAttestationKeyResponse* response) {
96 if (response == nullptr)
97 return;
98
99 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
100 if (ss_manager == nullptr) {
101 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
102 return;
103 }
104
105 size_t key_size = request.key_data.buffer_size();
106 const uint8_t* key = request.key_data.begin();
107 AttestationKeySlot key_slot;
108
109 key_slot = keymaster_algorithm_to_key_slot(request.algorithm);
110 if (key_slot == AttestationKeySlot::kInvalid) {
111 response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
112 return;
113 }
114 if (key_size == 0) {
115 response->error = KM_ERROR_INVALID_INPUT_LENGTH;
116 return;
117 }
118 response->error = ss_manager->WriteKeyToStorage(key_slot, key, key_size);
119 }
120
DestroyAttestationIds(const DestroyAttestationIdsRequest & request,DestroyAttestationIdsResponse * response)121 void TrustyKeymaster::DestroyAttestationIds(
122 const DestroyAttestationIdsRequest& request,
123 DestroyAttestationIdsResponse* response) {
124 if (response == nullptr) {
125 return;
126 }
127 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
128 if (ss_manager == nullptr) {
129 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
130 return;
131 }
132 response->error = ss_manager->ClearAttestationIds();
133 }
134
SetAttestationIds(const SetAttestationIdsRequest & request,EmptyKeymasterResponse * response)135 void TrustyKeymaster::SetAttestationIds(const SetAttestationIdsRequest& request,
136 EmptyKeymasterResponse* response) {
137 if (response == nullptr) {
138 return;
139 }
140 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
141 if (ss_manager == nullptr) {
142 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
143 return;
144 }
145 response->error = ss_manager->SetAttestationIds(request);
146 }
147
SetAttestationIdsKM3(const SetAttestationIdsKM3Request & request,EmptyKeymasterResponse * response)148 void TrustyKeymaster::SetAttestationIdsKM3(
149 const SetAttestationIdsKM3Request& request,
150 EmptyKeymasterResponse* response) {
151 if (response == nullptr) {
152 return;
153 }
154 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
155 if (ss_manager == nullptr) {
156 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
157 return;
158 }
159 response->error = ss_manager->SetAttestationIdsKM3(request);
160 }
161
SetWrappedAttestationKey(const SetAttestationKeyRequest & request,SetAttestationKeyResponse * response)162 void TrustyKeymaster::SetWrappedAttestationKey(
163 const SetAttestationKeyRequest& request,
164 SetAttestationKeyResponse* response) {
165 if (response == nullptr) {
166 return;
167 }
168 AttestationKeySlot key_slot =
169 keymaster_algorithm_to_key_slot(request.algorithm);
170 if (key_slot == AttestationKeySlot::kInvalid) {
171 response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
172 return;
173 }
174 /*
175 * This assumes unwrapping decreases size.
176 * If it doesn't, the unwrap call will fail.
177 */
178 size_t unwrapped_buf_size = request.key_data.buffer_size();
179 size_t unwrapped_key_size;
180 std::unique_ptr<uint8_t[]> unwrapped_key(
181 new (std::nothrow) uint8_t[unwrapped_buf_size]);
182 if (!unwrapped_key) {
183 response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
184 return;
185 }
186 int rc = keybox_unwrap(request.key_data.begin(),
187 request.key_data.buffer_size(), unwrapped_key.get(),
188 unwrapped_buf_size, &unwrapped_key_size);
189 if (rc != NO_ERROR) {
190 response->error = KM_ERROR_VERIFICATION_FAILED;
191 return;
192 }
193
194 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
195 if (ss_manager == nullptr) {
196 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
197 return;
198 }
199
200 response->error = ss_manager->WriteKeyToStorage(
201 key_slot, unwrapped_key.get(), unwrapped_key_size);
202 }
203
ClearAttestationCertChain(const ClearAttestationCertChainRequest & request,ClearAttestationCertChainResponse * response)204 void TrustyKeymaster::ClearAttestationCertChain(
205 const ClearAttestationCertChainRequest& request,
206 ClearAttestationCertChainResponse* response) {
207 if (response == nullptr)
208 return;
209
210 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
211 if (ss_manager == nullptr) {
212 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
213 return;
214 }
215
216 AttestationKeySlot key_slot;
217
218 key_slot = keymaster_algorithm_to_key_slot(request.algorithm);
219 if (key_slot == AttestationKeySlot::kInvalid) {
220 response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
221 return;
222 }
223
224 keymaster_error_t err = ss_manager->DeleteCertChainFromStorage(key_slot);
225 if (err != KM_ERROR_OK) {
226 LOG_E("Failed to delete cert chain.\n");
227 response->error = err;
228 return;
229 }
230
231 uint32_t cert_chain_length = 0;
232 err = ss_manager->ReadCertChainLength(key_slot, &cert_chain_length);
233 if (err != KM_ERROR_OK) {
234 LOG_E("Failed to read cert chain length.\n");
235 response->error = err;
236 return;
237 }
238 if (cert_chain_length != 0) {
239 LOG_E("Cert chain could not be deleted.\n");
240 response->error = err;
241 return;
242 }
243
244 response->error = KM_ERROR_OK;
245 }
246
AppendAttestationCertChain(const AppendAttestationCertChainRequest & request,AppendAttestationCertChainResponse * response)247 void TrustyKeymaster::AppendAttestationCertChain(
248 const AppendAttestationCertChainRequest& request,
249 AppendAttestationCertChainResponse* response) {
250 if (response == nullptr)
251 return;
252
253 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
254 if (ss_manager == nullptr) {
255 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
256 return;
257 }
258
259 size_t cert_size = request.cert_data.buffer_size();
260 const uint8_t* cert = request.cert_data.begin();
261 AttestationKeySlot key_slot;
262
263 response->error = KM_ERROR_UNSUPPORTED_ALGORITHM;
264 switch (request.algorithm) {
265 case KM_ALGORITHM_RSA:
266 key_slot = AttestationKeySlot::kRsa;
267 break;
268 case KM_ALGORITHM_EC:
269 key_slot = AttestationKeySlot::kEcdsa;
270 break;
271 default:
272 return;
273 }
274 response->error = KM_ERROR_INVALID_INPUT_LENGTH;
275 if (cert_size == 0) {
276 return;
277 }
278 uint32_t cert_chain_length = 0;
279 if (ss_manager->ReadCertChainLength(key_slot, &cert_chain_length) !=
280 KM_ERROR_OK) {
281 LOG_E("Failed to read cert chain length, initialize to 0.\n");
282 cert_chain_length = 0;
283 }
284 response->error = ss_manager->WriteCertToStorage(key_slot, cert, cert_size,
285 cert_chain_length);
286 }
287
AtapGetCaRequest(const AtapGetCaRequestRequest & request,AtapGetCaRequestResponse * response)288 void TrustyKeymaster::AtapGetCaRequest(const AtapGetCaRequestRequest& request,
289 AtapGetCaRequestResponse* response) {
290 if (response == nullptr)
291 return;
292
293 // Not implemented.
294 response->error = KM_ERROR_UNKNOWN_ERROR;
295 }
296
AtapSetCaResponseBegin(const AtapSetCaResponseBeginRequest & request,AtapSetCaResponseBeginResponse * response)297 void TrustyKeymaster::AtapSetCaResponseBegin(
298 const AtapSetCaResponseBeginRequest& request,
299 AtapSetCaResponseBeginResponse* response) {
300 if (response == nullptr)
301 return;
302
303 // Not implemented.
304 response->error = KM_ERROR_UNKNOWN_ERROR;
305 }
306
AtapSetCaResponseUpdate(const AtapSetCaResponseUpdateRequest & request,AtapSetCaResponseUpdateResponse * response)307 void TrustyKeymaster::AtapSetCaResponseUpdate(
308 const AtapSetCaResponseUpdateRequest& request,
309 AtapSetCaResponseUpdateResponse* response) {
310 if (response == nullptr)
311 return;
312
313 // Not implemented.
314 response->error = KM_ERROR_UNKNOWN_ERROR;
315 }
316
AtapSetCaResponseFinish(const AtapSetCaResponseFinishRequest & request,AtapSetCaResponseFinishResponse * response)317 void TrustyKeymaster::AtapSetCaResponseFinish(
318 const AtapSetCaResponseFinishRequest& request,
319 AtapSetCaResponseFinishResponse* response) {
320 if (response == nullptr)
321 return;
322
323 // Not implemented.
324 response->error = KM_ERROR_UNKNOWN_ERROR;
325 }
326
AtapReadUuid(const AtapReadUuidRequest & request,AtapReadUuidResponse * response)327 void TrustyKeymaster::AtapReadUuid(const AtapReadUuidRequest& request,
328 AtapReadUuidResponse* response) {
329 if (response == nullptr)
330 return;
331
332 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
333 if (ss_manager == nullptr) {
334 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
335 return;
336 }
337
338 uint8_t uuid[kAttestationUuidSize]{};
339 response->error = ss_manager->ReadAttestationUuid(uuid);
340
341 if (response->error == KM_ERROR_OK) {
342 response->data.reserve(kAttestationUuidSize);
343 response->data.write(uuid, kAttestationUuidSize);
344 }
345 }
346
AtapSetProductId(const AtapSetProductIdRequest & request,AtapSetProductIdResponse * response)347 void TrustyKeymaster::AtapSetProductId(const AtapSetProductIdRequest& request,
348 AtapSetProductIdResponse* response) {
349 if (response == nullptr)
350 return;
351
352 SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
353 if (ss_manager == nullptr) {
354 response->error = KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
355 return;
356 }
357
358 // Not implemented.
359 response->error = KM_ERROR_UNKNOWN_ERROR;
360 }
361 } // namespace keymaster
362