1 /*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define TLOG_TAG "hwkey_fake_srv"
18
19 #include <assert.h>
20 #include <lk/compiler.h>
21 #include <stdbool.h>
22 #include <stddef.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <uapi/err.h>
27
28 #include <openssl/aes.h>
29 #include <openssl/cipher.h>
30 #include <openssl/digest.h>
31 #include <openssl/err.h>
32 #include <openssl/hkdf.h>
33
34 #include <interface/hwaes/hwaes.h>
35 #include <interface/hwkey/hwkey.h>
36 #include <lib/system_state/system_state.h>
37 #include <lib/tipc/tipc.h>
38 #include <trusty_log.h>
39
40 #include <hwcrypto_consts.h>
41 #include "hwkey_srv_priv.h"
42
43 #pragma message "Compiling FAKE HWKEY provider"
44
45 /*
46 * This module is a sample only. For real device, this code
47 * needs to be rewritten to operate on real per device key that
48 * should come directly or indirectly from hardware.
49 */
50 static uint8_t fake_device_key[32] = "this is a fake unique device key";
51 static uint8_t fake_shared_key[32] = "this is a fake shared device key";
52
53 /*
54 * Fake rollback versions for testing the sample app. These versions should be
55 * pulled from a secure source of truth in a real implementation.
56 */
57 #define FAKE_TRUSTY_RUNNING_ROLLBACK_VERSION 2
58 #define FAKE_TRUSTY_COMMITTED_ROLLBACK_VERSION 1
59
60 /* This input vector is taken from RFC 5869 (Extract-and-Expand HKDF) */
61 static const uint8_t IKM[] = {0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
62 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
63 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b};
64
65 static const uint8_t salt[] = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06,
66 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c};
67
68 static const uint8_t info[] = {0xf0, 0xf1, 0xf2, 0xf3, 0xf4,
69 0xf5, 0xf6, 0xf7, 0xf8, 0xf9};
70
71 /* Expected pseudorandom key */
72 /*static const uint8_t exp_PRK[] = { 0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32,
73 0xdf, 0x0d, 0xdc, 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b,
74 0xb5, 0x0f, 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2, 0xb3, 0xe5 };*/
75
76 /* Expected Output Key */
77 static const uint8_t exp_OKM[42] = {
78 0x3c, 0xb2, 0x5f, 0x25, 0xfa, 0xac, 0xd5, 0x7a, 0x90, 0x43, 0x4f,
79 0x64, 0xd0, 0x36, 0x2f, 0x2a, 0x2d, 0x2d, 0x0a, 0x90, 0xcf, 0x1a,
80 0x5a, 0x4c, 0x5d, 0xb0, 0x2d, 0x56, 0xec, 0xc4, 0xc5, 0xbf, 0x34,
81 0x00, 0x72, 0x08, 0xd5, 0xb8, 0x87, 0x18, 0x58, 0x65};
82
hkdf_self_test(void)83 static bool hkdf_self_test(void) {
84 int res;
85 uint8_t OKM[sizeof(exp_OKM)];
86
87 TLOGI("hkdf self test\n");
88
89 /* Check if OKM is OK */
90 memset(OKM, 0x55, sizeof(OKM));
91
92 res = HKDF(OKM, sizeof(OKM), EVP_sha256(), IKM, sizeof(IKM), salt,
93 sizeof(salt), info, sizeof(info));
94 if (!res) {
95 TLOGE("hkdf: failed 0x%x\n", ERR_get_error());
96 return false;
97 }
98
99 res = memcmp(OKM, exp_OKM, sizeof(OKM));
100 if (res) {
101 TLOGE("hkdf: data mismatch\n");
102 return false;
103 }
104
105 TLOGI("hkdf self test: PASSED\n");
106 return true;
107 }
108
109 /*
110 * Derive key V1 - HMAC SHA256 based Key derivation function
111 */
derive_key_v1(const uuid_t * uuid,const uint8_t * ikm_data,size_t ikm_len,uint8_t * key_buf,size_t key_len)112 uint32_t derive_key_v1(const uuid_t* uuid,
113 const uint8_t* ikm_data,
114 size_t ikm_len,
115 uint8_t* key_buf,
116 size_t key_len) {
117 if (!ikm_len) {
118 return HWKEY_ERR_BAD_LEN;
119 }
120
121 if (!HKDF(key_buf, key_len, EVP_sha256(), (const uint8_t*)fake_device_key,
122 sizeof(fake_device_key), (const uint8_t*)uuid, sizeof(uuid_t),
123 ikm_data, ikm_len)) {
124 TLOGE("HDKF failed 0x%x\n", ERR_get_error());
125 memset(key_buf, 0, key_len);
126 return HWKEY_ERR_GENERIC;
127 }
128
129 return HWKEY_NO_ERROR;
130 }
131
132 /*
133 * Context labels for key derivation contexts, see derive_key_versioned_v1() for
134 * details.
135 */
136 #define HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL "DERIVE VERSIONED"
137 #define ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL "TZOS"
138
139 #define HWKEY_DERIVE_VERSIONED_SALT "hwkey derive versioned salt"
140
141 static uint8_t context_buf[4096];
142
143 /**
144 * fill_context_buf() - Add data to context_buf
145 * @src: Pointer to data to copy into the context buf. If null, @len zero bytes
146 * will be added.
147 * @len: Number of bytes of data to add.
148 * @cur_position: Pointer to the next unwritten byte of context_buf. Updated
149 * with the new current position when successful.
150 *
151 * Return: HWKEY_NO_ERROR on success, HWKEY_ERR_BAD_LEN if @len will cause the
152 * buffer to overflow.
153 */
fill_context_buf(const void * src,size_t len,size_t * cur_position)154 static uint32_t fill_context_buf(const void* src,
155 size_t len,
156 size_t* cur_position) {
157 size_t new_position;
158 if (len == 0) {
159 return HWKEY_NO_ERROR;
160 }
161 if (__builtin_add_overflow(*cur_position, len, &new_position) ||
162 new_position >= sizeof(context_buf)) {
163 return HWKEY_ERR_BAD_LEN;
164 }
165 if (src == NULL) {
166 memset(&context_buf[*cur_position], 0, len);
167 } else {
168 memcpy(&context_buf[*cur_position], src, len);
169 }
170 *cur_position = new_position;
171 return HWKEY_NO_ERROR;
172 }
173
174 /*
175 * In a real implementation this portion of the derivation should be done by a
176 * trusted source of the Trusty OS rollback version. Doing the key derivation
177 * here in the hwkey service protects against some app-level compromises, but
178 * does not protect against compromise of any Trusty code that can derive
179 * directly using the secret key derivation input - which in this sample
180 * implementation would be the kernel and the hwkey service.
181 *
182 * This function MUST mix @rollback_version_source, @os_rollback_version, and
183 * @hwkey_context into the derivation context in a way that the client cannot
184 * forge.
185 */
root_of_trust_derive_key(bool shared,uint32_t rollback_version_source,int32_t os_rollback_version,const uint8_t * hwkey_context,size_t hwkey_context_len,uint8_t * key_buf,size_t key_len)186 static uint32_t root_of_trust_derive_key(bool shared,
187 uint32_t rollback_version_source,
188 int32_t os_rollback_version,
189 const uint8_t* hwkey_context,
190 size_t hwkey_context_len,
191 uint8_t* key_buf,
192 size_t key_len) {
193 size_t context_len = 0;
194 int rc;
195 const size_t root_of_trust_context_len =
196 sizeof(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL) +
197 sizeof(rollback_version_source) + sizeof(os_rollback_version);
198 const uint8_t* secret_key;
199 size_t secret_key_len;
200 size_t total_len;
201
202 /*
203 * We need to move the hwkey_context (currently at the beginning of
204 * context_buf) over to make room for the root-of-trust context injected
205 * before it. We avoid the need for a separate buffer by memmoving it first
206 * then adding the context into the space we made.
207 */
208 if (__builtin_add_overflow(hwkey_context_len, root_of_trust_context_len,
209 &total_len) ||
210 total_len >= sizeof(context_buf)) {
211 return HWKEY_ERR_BAD_LEN;
212 }
213 memmove(&context_buf[root_of_trust_context_len], hwkey_context,
214 hwkey_context_len);
215
216 /*
217 * Add a fixed label to ensure that another user of the same key derivation
218 * primitive will not collide with this use, regardless of the provided
219 * hwkey_context (as long as other users also add a different fixed label).
220 */
221 rc = fill_context_buf(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL,
222 sizeof(ROOT_OF_TRUST_DERIVE_CONTEXT_LABEL),
223 &context_len);
224 if (rc) {
225 return rc;
226 }
227 /* Keys for different version limit sources must be different */
228 rc = fill_context_buf(&rollback_version_source,
229 sizeof(rollback_version_source), &context_len);
230 if (rc) {
231 return rc;
232 }
233 /*
234 * Keys with different rollback versions must not be the same. This is part
235 * of the root-of-trust context to ensure that a compromised kernel cannot
236 * forge a version (if the root of trust is outside of Trusty)
237 */
238 rc = fill_context_buf(&os_rollback_version, sizeof(os_rollback_version),
239 &context_len);
240 if (rc) {
241 return rc;
242 }
243
244 assert(root_of_trust_context_len == context_len);
245
246 /*
247 * We already moved the hwkey_context into place after the root of trust
248 * context.
249 */
250 context_len += hwkey_context_len;
251
252 if (shared) {
253 secret_key = fake_shared_key;
254 secret_key_len = sizeof(fake_shared_key);
255 } else {
256 secret_key = fake_device_key;
257 secret_key_len = sizeof(fake_device_key);
258 }
259
260 if (!HKDF(key_buf, key_len, EVP_sha256(), secret_key, secret_key_len,
261 (const uint8_t*)HWKEY_DERIVE_VERSIONED_SALT,
262 sizeof(HWKEY_DERIVE_VERSIONED_SALT), context_buf, context_len)) {
263 TLOGE("HDKF failed 0x%x\n", ERR_get_error());
264 memset(key_buf, 0, key_len);
265 return HWKEY_ERR_GENERIC;
266 }
267 return HWKEY_NO_ERROR;
268 }
269
get_current_os_rollback_version(uint32_t source)270 int32_t get_current_os_rollback_version(uint32_t source) {
271 switch (source) {
272 case HWKEY_ROLLBACK_RUNNING_VERSION:
273 return FAKE_TRUSTY_RUNNING_ROLLBACK_VERSION;
274
275 case HWKEY_ROLLBACK_COMMITTED_VERSION:
276 return FAKE_TRUSTY_COMMITTED_ROLLBACK_VERSION;
277
278 default:
279 TLOGE("Unknown rollback version source: %u\n", source);
280 return ERR_NOT_VALID;
281 }
282 }
283
284 /*
285 * Derive a versioned key - HMAC SHA256 based versioned key derivation function
286 */
derive_key_versioned_v1(const uuid_t * uuid,bool shared,uint32_t rollback_version_source,int32_t rollback_versions[HWKEY_ROLLBACK_VERSION_INDEX_COUNT],const uint8_t * user_context,size_t user_context_len,uint8_t * key_buf,size_t key_len)287 uint32_t derive_key_versioned_v1(
288 const uuid_t* uuid,
289 bool shared,
290 uint32_t rollback_version_source,
291 int32_t rollback_versions[HWKEY_ROLLBACK_VERSION_INDEX_COUNT],
292 const uint8_t* user_context,
293 size_t user_context_len,
294 uint8_t* key_buf,
295 size_t key_len) {
296 size_t context_len = 0;
297 int i;
298 uint32_t rc = HWKEY_NO_ERROR;
299 int32_t os_rollback_version =
300 rollback_versions[HWKEY_ROLLBACK_VERSION_OS_INDEX];
301 int32_t os_rollback_version_current =
302 get_current_os_rollback_version(rollback_version_source);
303
304 if (os_rollback_version_current < 0) {
305 rc = HWKEY_ERR_NOT_VALID;
306 goto err;
307 }
308
309 if (os_rollback_version > os_rollback_version_current) {
310 TLOGE("Requested rollback version too new: %u\n", os_rollback_version);
311 rc = HWKEY_ERR_NOT_FOUND;
312 goto err;
313 }
314
315 /* short-circuit derivation if we have nothing to derive */
316 if (key_len == 0) {
317 rc = HWKEY_NO_ERROR;
318 goto err;
319 }
320
321 /* for compatibility with unversioned derive, require a context */
322 if (!key_buf || !user_context || user_context_len == 0) {
323 rc = HWKEY_ERR_NOT_VALID;
324 goto err;
325 }
326
327 /*
328 * This portion of the context may always be added by the hwkey service, as
329 * it deals with the identity of the client requesting the key derivation.
330 */
331 /*
332 * Fixed label ensures that this derivation will not collide with a
333 * different user of root_of_trust_derive_key(), regardless of the provided
334 * user context (as long as other users also add a different fixed label).
335 */
336 rc = fill_context_buf(HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL,
337 sizeof(HWKEY_DERIVE_VERSIONED_CONTEXT_LABEL),
338 &context_len);
339 if (rc) {
340 goto err;
341 }
342 /* Keys for different apps must be different */
343 rc = fill_context_buf(uuid, sizeof(*uuid), &context_len);
344 if (rc) {
345 goto err;
346 }
347 for (i = 0; i < HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT; ++i) {
348 /*
349 * We skip the OS version because the root-of-trust should be inserting
350 * that, and we don't want to mask a buggy implementation there in
351 * testing. If the root-of-trust somehow did not insert the OS version,
352 * we want to notice.
353 */
354 if (i == HWKEY_ROLLBACK_VERSION_OS_INDEX) {
355 continue;
356 }
357 rc = fill_context_buf(&rollback_versions[i], sizeof(*rollback_versions),
358 &context_len);
359 if (rc) {
360 goto err;
361 }
362 }
363 /* Reserve space for additional versions in the future */
364 if (HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT <
365 HWKEY_ROLLBACK_VERSION_INDEX_COUNT) {
366 rc = fill_context_buf(NULL,
367 sizeof(*rollback_versions) *
368 (HWKEY_ROLLBACK_VERSION_INDEX_COUNT -
369 HWKEY_ROLLBACK_VERSION_SUPPORTED_COUNT),
370 &context_len);
371 if (rc) {
372 goto err;
373 }
374 }
375 /*
376 * Clients need to be able to generate multiple different keys in the same
377 * app.
378 */
379 rc = fill_context_buf(user_context, user_context_len, &context_len);
380 if (rc) {
381 goto err;
382 }
383
384 rc = root_of_trust_derive_key(shared, rollback_version_source,
385 os_rollback_version, context_buf, context_len,
386 key_buf, key_len);
387 if (rc) {
388 goto err;
389 }
390
391 err:
392 memset(context_buf, 0, sizeof(context_buf));
393 return rc;
394 }
395
396 /* UUID of HWCRYPTO_UNITTEST application */
397 static const uuid_t hwcrypto_unittest_uuid = HWCRYPTO_UNITTEST_APP_UUID;
398 static const uuid_t hwcrypto_unittest_rust_uuid =
399 HWCRYPTO_UNITTEST_RUST_APP_UUID;
400
401 #if WITH_HWCRYPTO_UNITTEST
402 /*
403 * Support for hwcrypto unittest keys should be only enabled
404 * to test hwcrypto related APIs
405 */
406
407 static uint8_t _unittest_key32[32] = "unittestkeyslotunittestkeyslotun";
get_unittest_key32(uint8_t * kbuf,size_t kbuf_len,size_t * klen)408 static uint32_t get_unittest_key32(uint8_t* kbuf,
409 size_t kbuf_len,
410 size_t* klen) {
411 assert(kbuf);
412 assert(klen);
413 assert(kbuf_len >= sizeof(_unittest_key32));
414
415 /* just return predefined key */
416 memcpy(kbuf, _unittest_key32, sizeof(_unittest_key32));
417 *klen = sizeof(_unittest_key32);
418
419 return HWKEY_NO_ERROR;
420 }
421
get_unittest_key32_handler(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)422 static uint32_t get_unittest_key32_handler(const struct hwkey_keyslot* slot,
423 uint8_t* kbuf,
424 size_t kbuf_len,
425 size_t* klen) {
426 return get_unittest_key32(kbuf, kbuf_len, klen);
427 }
428
429 /*
430 * "unittestderivedkeyslotunittestde" encrypted with _unittest_key32 using an
431 * all 0 IV. IV is prepended to the ciphertext.
432 */
433 static uint8_t _unittest_encrypted_key32[48] = {
434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
435 0x00, 0x00, 0x00, 0x00, 0x3e, 0x2b, 0x02, 0x54, 0x54, 0x8c, 0xa7, 0xb8,
436 0xa3, 0xfa, 0xf5, 0xd0, 0xbc, 0x1d, 0x40, 0x11, 0xac, 0x68, 0xbb, 0xf0,
437 0x55, 0xa3, 0xc5, 0x49, 0x3e, 0x77, 0x4a, 0x8b, 0x3f, 0x33, 0x56, 0x07,
438 };
439
440 static unsigned int _unittest_encrypted_key32_size =
441 sizeof(_unittest_encrypted_key32);
442
get_unittest_key32_derived(const struct hwkey_derived_keyslot_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)443 static uint32_t get_unittest_key32_derived(
444 const struct hwkey_derived_keyslot_data* data,
445 uint8_t* kbuf,
446 size_t kbuf_len,
447 size_t* klen) {
448 return get_unittest_key32(kbuf, kbuf_len, klen);
449 }
450
451 static const struct hwkey_derived_keyslot_data hwcrypto_unittest_derived_data =
452 {
453 .encrypted_key_data = _unittest_encrypted_key32,
454 .encrypted_key_size_ptr = &_unittest_encrypted_key32_size,
455 .retriever = get_unittest_key32_derived,
456 };
457
derived_keyslot_handler(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)458 static uint32_t derived_keyslot_handler(const struct hwkey_keyslot* slot,
459 uint8_t* kbuf,
460 size_t kbuf_len,
461 size_t* klen) {
462 assert(slot);
463 return hwkey_get_derived_key(slot->priv, kbuf, kbuf_len, klen);
464 }
465
466 static const uuid_t* unittest_allowed_opaque_key_uuids[] = {
467 &hwcrypto_unittest_uuid,
468 &hwcrypto_unittest_rust_uuid,
469 };
470
get_unittest_key32_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)471 static uint32_t get_unittest_key32_opaque(
472 const struct hwkey_opaque_handle_data* data,
473 uint8_t* kbuf,
474 size_t kbuf_len,
475 size_t* klen) {
476 return get_unittest_key32(kbuf, kbuf_len, klen);
477 }
478
479 static struct hwkey_opaque_handle_data unittest_opaque_handle_data = {
480 .allowed_uuids = unittest_allowed_opaque_key_uuids,
481 .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
482 .retriever = get_unittest_key32_opaque,
483 };
484
485 static struct hwkey_opaque_handle_data unittest_opaque_handle_data2 = {
486 .allowed_uuids = unittest_allowed_opaque_key_uuids,
487 .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
488 .retriever = get_unittest_key32_opaque,
489 };
490
491 static struct hwkey_opaque_handle_data unittest_opaque_handle_data_noaccess = {
492 .allowed_uuids = NULL,
493 .allowed_uuids_len = 0,
494 .retriever = get_unittest_key32_opaque,
495 };
496
497 /*
498 * Adapter to cast hwkey_opaque_handle_data.priv field to struct
499 * hwkey_derived_keyslot_data*
500 */
get_derived_key_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)501 static uint32_t get_derived_key_opaque(
502 const struct hwkey_opaque_handle_data* data,
503 uint8_t* kbuf,
504 size_t kbuf_len,
505 size_t* klen) {
506 assert(data);
507 return hwkey_get_derived_key(data->priv, kbuf, kbuf_len, klen);
508 }
509
510 static struct hwkey_opaque_handle_data unittest_opaque_derived_data = {
511 .allowed_uuids = unittest_allowed_opaque_key_uuids,
512 .allowed_uuids_len = countof(unittest_allowed_opaque_key_uuids),
513 .retriever = get_derived_key_opaque,
514 .priv = &hwcrypto_unittest_derived_data,
515 };
516
517 #endif /* WITH_HWCRYPTO_UNITTEST */
518
519 /*
520 * RPMB Key support
521 */
522 #define RPMB_SS_AUTH_KEY_SIZE 32
523 #define RPMB_SS_AUTH_KEY_ID "com.android.trusty.storage_auth.rpmb"
524
525 /* Secure storage service app uuid */
526 static const uuid_t ss_uuid = SECURE_STORAGE_SERVER_APP_UUID;
527
528 static uint8_t rpmb_salt[RPMB_SS_AUTH_KEY_SIZE] = {
529 0x42, 0x18, 0xa9, 0xf2, 0xf6, 0xb1, 0xf5, 0x35, 0x06, 0x37, 0x9f,
530 0xba, 0xcc, 0x1a, 0xc9, 0x36, 0xf4, 0x83, 0x04, 0xd4, 0xf1, 0x65,
531 0x91, 0x32, 0xa6, 0xae, 0xda, 0x27, 0x4d, 0x21, 0xdb, 0x40};
532
533 /*
534 * Generate RPMB Secure Storage Authentication key
535 */
get_rpmb_ss_auth_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)536 static uint32_t get_rpmb_ss_auth_key(const struct hwkey_keyslot* slot,
537 uint8_t* kbuf,
538 size_t kbuf_len,
539 size_t* klen) {
540 int rc;
541 int out_len;
542 EVP_CIPHER_CTX evp;
543
544 assert(kbuf);
545 assert(klen);
546
547 EVP_CIPHER_CTX_init(&evp);
548
549 rc = EVP_EncryptInit_ex(&evp, EVP_aes_256_cbc(), NULL, fake_device_key,
550 NULL);
551 if (!rc)
552 goto evp_err;
553
554 rc = EVP_CIPHER_CTX_set_padding(&evp, 0);
555 if (!rc)
556 goto evp_err;
557
558 size_t min_kbuf_len =
559 RPMB_SS_AUTH_KEY_SIZE + EVP_CIPHER_CTX_key_length(&evp);
560 if (kbuf_len < min_kbuf_len) {
561 TLOGE("buffer too small: (%zd vs. %zd )\n", kbuf_len, min_kbuf_len);
562 goto other_err;
563 }
564
565 rc = EVP_EncryptUpdate(&evp, kbuf, &out_len, rpmb_salt, sizeof(rpmb_salt));
566 if (!rc)
567 goto evp_err;
568
569 if ((size_t)out_len != RPMB_SS_AUTH_KEY_SIZE) {
570 TLOGE("output length mismatch (%zd vs %zd)\n", (size_t)out_len,
571 sizeof(rpmb_salt));
572 goto other_err;
573 }
574
575 rc = EVP_EncryptFinal_ex(&evp, NULL, &out_len);
576 if (!rc)
577 goto evp_err;
578
579 *klen = RPMB_SS_AUTH_KEY_SIZE;
580
581 EVP_CIPHER_CTX_cleanup(&evp);
582 return HWKEY_NO_ERROR;
583
584 evp_err:
585 TLOGE("EVP err 0x%x\n", ERR_get_error());
586 other_err:
587 EVP_CIPHER_CTX_cleanup(&evp);
588 return HWKEY_ERR_GENERIC;
589 }
590
591 /*
592 * Keymint KAK support
593 */
594 #define KM_KAK_SIZE 32
595 /* TODO import this constant from KM TA when build support is ready */
596 #define KM_KAK_ID "com.android.trusty.keymint.kak"
597
598 /* KM app uuid */
599 static const uuid_t km_uuid = KM_APP_UUID;
600
601 /* KM rust app uuid */
602 static const uuid_t km_rust_uuid = KM_RUST_APP_UUID;
603
604 #if TEST_BUILD
605 /* KM rust unit test uuid */
606 static const uuid_t km_rust_unittest_uuid = KM_RUST_UNITTEST_UUID;
607
608 /* HWCrypto HAL rust unit test uuid */
609 static const uuid_t hwcryptohal_rust_unittest_uuid =
610 HWCRYPTOHAL_UNITTEST_RUST_APP_UUID;
611 #endif
612
613 /* HWCrypto HAL rust unit test uuid */
614 static const uuid_t hwcryptohal_rust_uuid = HWCRYPTOHAL_RUST_APP_UUID;
615
616 static uint8_t kak_salt[KM_KAK_SIZE] = {
617 0x70, 0xc4, 0x7c, 0xfa, 0x2c, 0xb1, 0xee, 0xdc, 0xa5, 0xdf, 0xbc,
618 0x8d, 0xd4, 0xf7, 0x0d, 0x42, 0x93, 0x3b, 0x7f, 0x7b, 0xc2, 0x9e,
619 0x6d, 0xa5, 0xb2, 0x92, 0x7a, 0x21, 0x8e, 0xc9, 0xe6, 0x9a,
620 };
621
622 /*
623 * This should be replaced with a device-specific implementation such that
624 * any Strongbox on the device will have the same KAK.
625 */
get_km_kak_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)626 static uint32_t get_km_kak_key(const struct hwkey_keyslot* slot,
627 uint8_t* kbuf,
628 size_t kbuf_len,
629 size_t* klen) {
630 assert(kbuf);
631 assert(klen);
632
633 if (kbuf_len < KM_KAK_SIZE) {
634 return HWKEY_ERR_BAD_LEN;
635 }
636 *klen = KM_KAK_SIZE;
637
638 return derive_key_v1(slot->uuid, kak_salt, KM_KAK_SIZE, kbuf, *klen);
639 }
640
641 static const uuid_t hwaes_uuid = SAMPLE_HWAES_APP_UUID;
642
643 #if WITH_HWCRYPTO_UNITTEST
644 static const uuid_t hwaes_unittest_uuid = HWAES_UNITTEST_APP_UUID;
645 static const uuid_t hwaes_bench_uuid = HWAES_BENCH_APP_UUID;
646
647 static const uuid_t* hwaes_unittest_allowed_opaque_key_uuids[] = {
648 &hwaes_uuid,
649 };
650
651 static struct hwkey_opaque_handle_data hwaes_unittest_opaque_handle_data = {
652 .allowed_uuids = hwaes_unittest_allowed_opaque_key_uuids,
653 .allowed_uuids_len = countof(hwaes_unittest_allowed_opaque_key_uuids),
654 .retriever = get_unittest_key32_opaque,
655 };
656 #endif
657
658 /*
659 * Apploader key(s)
660 */
661 struct apploader_key {
662 const uint8_t* key_data;
663
664 // Pointer to the symbol holding the size of the key.
665 // This needs to be a pointer because the size is not a
666 // constant known to the compiler at compile time,
667 // so it cannot be used to initialize the field directly.
668 const unsigned int* key_size_ptr;
669 };
670
671 #define INCLUDE_APPLOADER_KEY(key, key_file) \
672 INCFILE(key##_data, key##_size, key_file); \
673 static struct apploader_key key = { \
674 .key_data = key##_data, \
675 .key_size_ptr = &key##_size, \
676 };
677
678 #undef APPLOADER_HAS_SIGNING_KEYS
679 #undef APPLOADER_HAS_ENCRYPTION_KEYS
680
681 #ifdef APPLOADER_SIGN_PUBLIC_KEY_0_FILE
682 INCLUDE_APPLOADER_KEY(apploader_sign_key_0, APPLOADER_SIGN_PUBLIC_KEY_0_FILE);
683 #define APPLOADER_SIGN_KEY_0 "com.android.trusty.apploader.sign.key.0"
684 #define APPLOADER_HAS_SIGNING_KEYS
685 #ifdef APPLOADER_SIGN_KEY_0_UNLOCKED_ONLY
686 #define APPLOADER_SIGN_KEY_0_HANDLER get_apploader_sign_unlocked_key
687 #else
688 #define APPLOADER_SIGN_KEY_0_HANDLER get_apploader_sign_key
689 #endif
690 #endif
691
692 #ifdef APPLOADER_SIGN_PUBLIC_KEY_1_FILE
693 INCLUDE_APPLOADER_KEY(apploader_sign_key_1, APPLOADER_SIGN_PUBLIC_KEY_1_FILE);
694 #define APPLOADER_SIGN_KEY_1 "com.android.trusty.apploader.sign.key.1"
695 #define APPLOADER_HAS_SIGNING_KEYS
696 #ifdef APPLOADER_SIGN_KEY_1_UNLOCKED_ONLY
697 #define APPLOADER_SIGN_KEY_1_HANDLER get_apploader_sign_unlocked_key
698 #else
699 /*
700 * Rather than rely on a correct build configuration, a real hwkey
701 * implementation should ensure that dev signing keys are not allowed in
702 * unlocked state by either hard-coding dev key slot handlers to a handler that
703 * checks the unlock state or by erroring out here if the build configuration is
704 * unexpected.
705 */
706 #pragma message "Apploader signing key 1 is not gated on unlock status"
707 #define APPLOADER_SIGN_KEY_1_HANDLER get_apploader_sign_key
708 #endif
709 #endif
710
711 #ifdef APPLOADER_ENCRYPT_KEY_0_FILE
712 INCLUDE_APPLOADER_KEY(apploader_encrypt_key_0, APPLOADER_ENCRYPT_KEY_0_FILE);
713 #define APPLOADER_ENCRYPT_KEY_0 "com.android.trusty.apploader.encrypt.key.0"
714 #define APPLOADER_HAS_ENCRYPTION_KEYS
715 #endif
716
717 #ifdef APPLOADER_ENCRYPT_KEY_1_FILE
718 INCLUDE_APPLOADER_KEY(apploader_encrypt_key_1, APPLOADER_ENCRYPT_KEY_1_FILE);
719 #define APPLOADER_ENCRYPT_KEY_1 "com.android.trusty.apploader.encrypt.key.1"
720 #define APPLOADER_HAS_ENCRYPTION_KEYS
721 #endif
722
723 #if defined(APPLOADER_HAS_SIGNING_KEYS) || \
724 defined(APPLOADER_HAS_ENCRYPTION_KEYS)
725 /* Apploader app uuid */
726 static const uuid_t apploader_uuid = APPLOADER_APP_UUID;
727
get_apploader_key(const struct apploader_key * key,uint8_t * kbuf,size_t kbuf_len,size_t * klen)728 static uint32_t get_apploader_key(const struct apploader_key* key,
729 uint8_t* kbuf,
730 size_t kbuf_len,
731 size_t* klen) {
732 assert(kbuf);
733 assert(klen);
734 assert(key);
735 assert(key->key_size_ptr);
736
737 size_t key_size = (size_t)*key->key_size_ptr;
738 assert(kbuf_len >= key_size);
739
740 memcpy(kbuf, key->key_data, key_size);
741 *klen = key_size;
742
743 return HWKEY_NO_ERROR;
744 }
745 #endif
746
747 #ifdef APPLOADER_HAS_SIGNING_KEYS
get_apploader_sign_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)748 static uint32_t get_apploader_sign_key(const struct hwkey_keyslot* slot,
749 uint8_t* kbuf,
750 size_t kbuf_len,
751 size_t* klen) {
752 assert(slot);
753 return get_apploader_key(slot->priv, kbuf, kbuf_len, klen);
754 }
755
756 /*
757 * Retrieve the respective key only if the system state APP_LOADING_UNLOCKED
758 * flag is true
759 */
get_apploader_sign_unlocked_key(const struct hwkey_keyslot * slot,uint8_t * kbuf,size_t kbuf_len,size_t * klen)760 static uint32_t get_apploader_sign_unlocked_key(
761 const struct hwkey_keyslot* slot,
762 uint8_t* kbuf,
763 size_t kbuf_len,
764 size_t* klen) {
765 assert(slot);
766 if (system_state_app_loading_unlocked()) {
767 return get_apploader_key(slot->priv, kbuf, kbuf_len, klen);
768 } else {
769 return HWKEY_ERR_NOT_FOUND;
770 }
771 }
772 #endif
773
774 #ifdef APPLOADER_HAS_ENCRYPTION_KEYS
775
776 static const uuid_t* apploader_allowed_opaque_key_uuids[] = {
777 &hwaes_uuid,
778 };
779
780 /* Adapter to cast hwkey_opaque_handle_data.priv to struct apploader_key* */
get_apploader_key_opaque(const struct hwkey_opaque_handle_data * data,uint8_t * kbuf,size_t kbuf_len,size_t * klen)781 static uint32_t get_apploader_key_opaque(
782 const struct hwkey_opaque_handle_data* data,
783 uint8_t* kbuf,
784 size_t kbuf_len,
785 size_t* klen) {
786 assert(data);
787 return get_apploader_key(data->priv, kbuf, kbuf_len, klen);
788 }
789
790 #ifdef APPLOADER_ENCRYPT_KEY_0
791 static struct hwkey_opaque_handle_data
792 apploader_encrypt_key_0_opaque_handle_data = {
793 .allowed_uuids = apploader_allowed_opaque_key_uuids,
794 .allowed_uuids_len =
795 countof(apploader_allowed_opaque_key_uuids),
796 .retriever = get_apploader_key_opaque,
797 .priv = &apploader_encrypt_key_0,
798 };
799 #endif
800
801 #ifdef APPLOADER_ENCRYPT_KEY_1
802 static struct hwkey_opaque_handle_data
803 apploader_encrypt_key_1_opaque_handle_data = {
804 .allowed_uuids = apploader_allowed_opaque_key_uuids,
805 .allowed_uuids_len =
806 countof(apploader_allowed_opaque_key_uuids),
807 .retriever = get_apploader_key_opaque,
808 .priv = &apploader_encrypt_key_1,
809 };
810 #endif
811
812 #endif
813
814 static const uuid_t gatekeeper_uuid = GATEKEEPER_APP_UUID;
815 static const uuid_t hwbcc_uuid = SAMPLE_HWBCC_APP_UUID;
816 static const uuid_t hwbcc_unittest_uuid = HWBCC_UNITTEST_APP_UUID;
817
818 /* Clients that are allowed to connect to this service */
819 static const uuid_t* allowed_clients[] = {
820 /* Needs to derive keys and access keyslot RPMB_SS_AUTH_KEY_ID */
821 &ss_uuid,
822 /* Needs to derive keys and access keyslot KM_KAK_ID */
823 &km_uuid,
824 &km_rust_uuid,
825 #if TEST_BUILD
826 &km_rust_unittest_uuid,
827 /*HWCrypto HAL needs to derive key and access keylots*/
828 &hwcryptohal_rust_unittest_uuid,
829 #endif
830 &hwcryptohal_rust_uuid,
831 /* Needs access to opaque keys */
832 &hwaes_uuid,
833 /* Needs to derive keys */
834 &gatekeeper_uuid,
835
836 #if defined(APPLOADER_HAS_SIGNING_KEYS) || \
837 defined(APPLOADER_HAS_ENCRYPTION_KEYS)
838 /* Needs to access apploader keys */
839 &apploader_uuid,
840 #endif
841
842 /* Needs to derive keys even if it doesn't have test keyslots */
843 &hwcrypto_unittest_uuid,
844 &hwcrypto_unittest_rust_uuid,
845
846 #if WITH_HWCRYPTO_UNITTEST
847 &hwaes_unittest_uuid,
848 &hwaes_bench_uuid,
849 #endif
850 /* Needs to derive keys */
851 &hwbcc_uuid,
852 /* Needs to derive keys */
853 &hwbcc_unittest_uuid,
854 };
855
hwkey_client_allowed(const uuid_t * uuid)856 bool hwkey_client_allowed(const uuid_t* uuid) {
857 assert(uuid);
858 for (unsigned int i = 0; i < countof(allowed_clients); i++) {
859 if (memcmp(allowed_clients[i], uuid, sizeof(uuid_t)) == 0) {
860 return true;
861 }
862 }
863 return false;
864 }
865
866 /*
867 * List of keys slots that hwkey service supports
868 */
869 static const struct hwkey_keyslot _keys[] = {
870 {
871 .uuid = &ss_uuid,
872 .key_id = RPMB_SS_AUTH_KEY_ID,
873 .handler = get_rpmb_ss_auth_key,
874 },
875 {
876 .uuid = &km_uuid,
877 .key_id = KM_KAK_ID,
878 .handler = get_km_kak_key,
879 },
880 {
881 .uuid = &km_rust_uuid,
882 .key_id = KM_KAK_ID,
883 .handler = get_km_kak_key,
884 },
885 #if TEST_BUILD
886 {
887 .uuid = &km_rust_unittest_uuid,
888 .key_id = KM_KAK_ID,
889 .handler = get_km_kak_key,
890 },
891 #endif
892 #ifdef APPLOADER_SIGN_KEY_0
893 {
894 .uuid = &apploader_uuid,
895 .key_id = APPLOADER_SIGN_KEY_0,
896 .handler = APPLOADER_SIGN_KEY_0_HANDLER,
897 .priv = &apploader_sign_key_0,
898 },
899 #endif
900 #ifdef APPLOADER_SIGN_KEY_1
901 {
902 .uuid = &apploader_uuid,
903 .key_id = APPLOADER_SIGN_KEY_1,
904 .handler = APPLOADER_SIGN_KEY_1_HANDLER,
905 .priv = &apploader_sign_key_1,
906 },
907 #endif
908 #ifdef APPLOADER_ENCRYPT_KEY_0
909 {
910 .uuid = &apploader_uuid,
911 .key_id = APPLOADER_ENCRYPT_KEY_0,
912 .handler = get_key_handle,
913 .priv = &apploader_encrypt_key_0_opaque_handle_data,
914 },
915 #endif
916 #ifdef APPLOADER_ENCRYPT_KEY_1
917 {
918 .uuid = &apploader_uuid,
919 .key_id = APPLOADER_ENCRYPT_KEY_1,
920 .handler = get_key_handle,
921 .priv = &apploader_encrypt_key_1_opaque_handle_data,
922 },
923 #endif
924
925 #if WITH_HWCRYPTO_UNITTEST
926 {
927 .uuid = &hwcrypto_unittest_uuid,
928 .key_id = "com.android.trusty.hwcrypto.unittest.key32",
929 .handler = get_unittest_key32_handler,
930 },
931 {
932 .uuid = &hwcrypto_unittest_rust_uuid,
933 .key_id = "com.android.trusty.hwcrypto.unittest.key32",
934 .handler = get_unittest_key32_handler,
935 },
936 {
937 .uuid = &hwcrypto_unittest_uuid,
938 .key_id = "com.android.trusty.hwcrypto.unittest.derived_key32",
939 .priv = &hwcrypto_unittest_derived_data,
940 .handler = derived_keyslot_handler,
941 },
942 {
943 .uuid = &hwcrypto_unittest_rust_uuid,
944 .key_id = "com.android.trusty.hwcrypto.unittest.derived_key32",
945 .priv = &hwcrypto_unittest_derived_data,
946 .handler = derived_keyslot_handler,
947 },
948 {
949 .uuid = &hwcrypto_unittest_uuid,
950 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle",
951 .handler = get_key_handle,
952 .priv = &unittest_opaque_handle_data,
953 },
954 {
955 .uuid = &hwcrypto_unittest_rust_uuid,
956 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle",
957 .handler = get_key_handle,
958 .priv = &unittest_opaque_handle_data,
959 },
960 {
961 .uuid = &hwcrypto_unittest_uuid,
962 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle2",
963 .handler = get_key_handle,
964 .priv = &unittest_opaque_handle_data2,
965 },
966 {
967 .uuid = &hwcrypto_unittest_rust_uuid,
968 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_handle2",
969 .handler = get_key_handle,
970 .priv = &unittest_opaque_handle_data2,
971 },
972 {
973 .uuid = &hwcrypto_unittest_uuid,
974 .key_id =
975 "com.android.trusty.hwcrypto.unittest.opaque_handle_noaccess",
976 .handler = get_key_handle,
977 .priv = &unittest_opaque_handle_data_noaccess,
978 },
979 {
980 .uuid = &hwcrypto_unittest_rust_uuid,
981 .key_id =
982 "com.android.trusty.hwcrypto.unittest.opaque_handle_noaccess",
983 .handler = get_key_handle,
984 .priv = &unittest_opaque_handle_data_noaccess,
985 },
986 {
987 .uuid = &hwcrypto_unittest_uuid,
988 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_derived",
989 .handler = get_key_handle,
990 .priv = &unittest_opaque_derived_data,
991 },
992 {
993 .uuid = &hwcrypto_unittest_rust_uuid,
994 .key_id = "com.android.trusty.hwcrypto.unittest.opaque_derived",
995 .handler = get_key_handle,
996 .priv = &unittest_opaque_derived_data,
997 },
998 {
999 .uuid = &hwaes_unittest_uuid,
1000 .key_id = "com.android.trusty.hwaes.unittest.opaque_handle",
1001 .handler = get_key_handle,
1002 .priv = &hwaes_unittest_opaque_handle_data,
1003 },
1004 {
1005 .uuid = &hwaes_bench_uuid,
1006 .key_id = "com.android.trusty.hwaes.unittest.opaque_handle",
1007 .handler = get_key_handle,
1008 .priv = &hwaes_unittest_opaque_handle_data,
1009 },
1010 #endif /* WITH_HWCRYPTO_UNITTEST */
1011 };
1012
1013 /*
1014 * Run Self test
1015 */
hwkey_self_test(void)1016 static bool hwkey_self_test(void) {
1017 TLOGI("hwkey self test\n");
1018
1019 if (!hkdf_self_test())
1020 return false;
1021
1022 TLOGI("hwkey self test: PASSED\n");
1023 return true;
1024 }
1025
1026 /*
1027 * Initialize Fake HWKEY service provider
1028 */
hwkey_init_srv_provider(void)1029 void hwkey_init_srv_provider(void) {
1030 int rc;
1031
1032 TLOGE("Init FAKE!!!! HWKEY service provider\n");
1033 TLOGE("FAKE HWKEY service provider MUST be replaced with the REAL one\n");
1034
1035 /* run self test */
1036 if (!hwkey_self_test()) {
1037 TLOGE("hwkey_self_test failed\n");
1038 abort();
1039 }
1040
1041 /* install key handlers */
1042 hwkey_install_keys(_keys, countof(_keys));
1043
1044 /* start service */
1045 rc = hwkey_start_service();
1046 if (rc != NO_ERROR) {
1047 TLOGE("failed (%d) to start HWKEY service\n", rc);
1048 }
1049 }
1050