1 /*
2  * Copyright 2020 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #pragma once
18 
19 #include <optional>
20 #include <vector>
21 
22 #include <keymaster/authorization_set.h>
23 #include <keymaster/km_version.h>
24 
25 namespace keymaster {
26 
27 class Key;
28 
29 /**
30  * AttestationContext provides an abstract interface to the information needed
31  * to generate attestation certificates.
32  */
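class AttestationContext {
  protected:
    // Protected: code outside the class hierarchy cannot destroy an implementation through an
    // AttestationContext pointer.
    virtual ~AttestationContext() {}

  public:
    explicit AttestationContext(KmVersion version) : version_(version) {}

    /**
     * Returns the KmVersion this context was constructed with.
     */
    KmVersion GetKmVersion() const { return version_; }

    /**
     * Returns the security level (SW or TEE) of this keymaster implementation.
     */
    virtual keymaster_security_level_t GetSecurityLevel() const = 0;

    /**
     * Verify that the device IDs provided in `attestation_params` match the device's actual IDs and
     * copy the verified IDs into `attestation`.  If *any* of the IDs do not match or verification
     * is not possible, return KM_ERROR_CANNOT_ATTEST_IDS.  If device ID attestation is unsupported,
     * ignore all arguments and return KM_ERROR_UNIMPLEMENTED.  If ID attestation is supported and
     * no ID mismatches are found, return KM_ERROR_OK.
     *
     * The default implementation treats device ID attestation as unsupported: it touches neither
     * argument and returns KM_ERROR_UNIMPLEMENTED.
     *
     * NOTE(review): callers are not visible in this header.  Overrides should presumably leave
     * `attestation` free of partially copied IDs when they return an error, so that unverified IDs
     * cannot end up in a certificate -- confirm against the code that consumes `attestation`.
     */
    virtual keymaster_error_t
    VerifyAndCopyDeviceIds(const AuthorizationSet& /* attestation_params */,
                           AuthorizationSet* /* attestation */) const {
        return KM_ERROR_UNIMPLEMENTED;
    }

    /**
     * Generate the current unique ID.  If unique IDs are not supported, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     *
     * The default implementation ignores its inputs, reports KM_ERROR_UNIMPLEMENTED through
     * `error` when `error` is non-null, and returns a default-constructed Buffer.
     */
    virtual Buffer GenerateUniqueId(uint64_t /*creation_date_time*/,
                                    const keymaster_blob_t& /*application_id*/,
                                    bool /*reset_since_rotation*/, keymaster_error_t* error) const {
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return {};
    }

    /**
     * Verified boot values reported in the Attestation Extension (see GetVerifiedBootParams()).
     */
    struct VerifiedBootParams {
        // NOTE(review): the AttestationContext retains ownership of this struct; presumably that
        // also covers the memory the two blobs refer to -- confirm before keeping a copy.
        keymaster_blob_t verified_boot_key;
        keymaster_blob_t verified_boot_hash;
        keymaster_verified_boot_t verified_boot_state;
        bool device_locked;
    };

    /**
     * Returns verified boot parameters for the Attestation Extension.  For hardware-based
     * implementations, these will be the values reported by the bootloader.  By default, verified
     * boot state is unknown: the default implementation returns nullptr and sets `error` to
     * KM_ERROR_UNIMPLEMENTED, so callers must check the result before dereferencing it.
     *
     * The AttestationContext retains ownership of the VerifiedBootParams.
     */
    virtual const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const {
        // Tolerate a null `error`, as GenerateUniqueId() does, instead of dereferencing it blindly.
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return nullptr;
    }

    /**
     * Return the factory attestation signing key.  If not available, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     *
     * NOTE(review): the key is returned by value as a KeymasterKeyBlob; whether that blob holds
     * raw or wrapped key material is not visible in this header -- confirm before copying it
     * around or logging it.
     */
    virtual KeymasterKeyBlob GetAttestationKey(keymaster_algorithm_t algorithm,
                                               keymaster_error_t* error) const = 0;

    /**
     * Return the factory attestation signing key certificate chain.  If not available, set `error`
     * to KM_ERROR_UNIMPLEMENTED.
     */
    virtual CertificateChain GetAttestationChain(keymaster_algorithm_t algorithm,
                                                 keymaster_error_t* error) const = 0;

    /**
     * Return the current module hash value to be included in the attestation extension.  The
     * default implementation returns std::nullopt, i.e. it supplies no module hash.
     */
    virtual std::optional<std::vector<uint8_t>> GetModuleHash() const { return std::nullopt; }

  protected:
    // Version supplied at construction; returned by GetKmVersion().
    KmVersion version_;
};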
112 
113 }  // namespace keymaster
114