1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 #include "tpm_key_blob_maker.h"
17
18 #include <vector>
19
20 #include <android-base/logging.h>
21 #include <tss2/tss2_mu.h>
22 #include <tss2/tss2_rc.h>
23
24 #include "host/commands/secure_env/composite_serialization.h"
25 #include "host/commands/secure_env/encrypted_serializable.h"
26 #include "host/commands/secure_env/hmac_serializable.h"
27 #include "host/commands/secure_env/primary_key_builder.h"
28
29 namespace cuttlefish {
30
31 using keymaster::AuthorizationSet;
32 using keymaster::KeymasterKeyBlob;
33 using keymaster::Serializable;
34
35 static constexpr char kUniqueKey[] = "TpmKeyBlobMaker";
36
37 /**
38 * Distinguish what properties the secure_env implementation handles. If
39 * secure_env handles it, the property is put in `hw_enforced`. Otherwise, the
40 * property is put in `sw_enforced`, and the Keystore process inside Android
41 * will try to enforce the property.
42 */
SplitEnforcedProperties(const keymaster::AuthorizationSet & key_description,keymaster::AuthorizationSet * hw_enforced,keymaster::AuthorizationSet * sw_enforced,keymaster::AuthorizationSet * hidden)43 static keymaster_error_t SplitEnforcedProperties(
44 const keymaster::AuthorizationSet& key_description,
45 keymaster::AuthorizationSet* hw_enforced,
46 keymaster::AuthorizationSet* sw_enforced,
47 keymaster::AuthorizationSet* hidden) {
48 for (auto& entry : key_description) {
49 switch (entry.tag) {
50 // These cannot be specified by the client.
51 case KM_TAG_BOOT_PATCHLEVEL:
52 case KM_TAG_ORIGIN:
53 case KM_TAG_OS_PATCHLEVEL:
54 case KM_TAG_OS_VERSION:
55 case KM_TAG_ROOT_OF_TRUST:
56 case KM_TAG_VENDOR_PATCHLEVEL:
57 case KM_TAG_MODULE_HASH:
58 LOG(DEBUG) << "Tag " << entry.tag << " may not be specified";
59 return KM_ERROR_INVALID_TAG;
60
61 // These are hidden
62 case KM_TAG_APPLICATION_DATA:
63 case KM_TAG_APPLICATION_ID:
64 hidden->push_back(entry);
65 break;
66
67 // These should not be in key descriptions because they're for operation
68 // parameters.
69 case KM_TAG_ASSOCIATED_DATA:
70 case KM_TAG_AUTH_TOKEN:
71 case KM_TAG_CONFIRMATION_TOKEN:
72 case KM_TAG_INVALID:
73 case KM_TAG_MAC_LENGTH:
74 case KM_TAG_NONCE:
75 LOG(DEBUG) << "Tag " << entry.tag
76 << " not allowed in key generation/import";
77 break;
78
79 // These are provided to support attestation key generation, but should
80 // not be included in the key characteristics.
81 case KM_TAG_ATTESTATION_APPLICATION_ID:
82 case KM_TAG_ATTESTATION_CHALLENGE:
83 case KM_TAG_ATTESTATION_ID_BRAND:
84 case KM_TAG_ATTESTATION_ID_DEVICE:
85 case KM_TAG_ATTESTATION_ID_IMEI:
86 case KM_TAG_ATTESTATION_ID_SECOND_IMEI:
87 case KM_TAG_ATTESTATION_ID_MANUFACTURER:
88 case KM_TAG_ATTESTATION_ID_MEID:
89 case KM_TAG_ATTESTATION_ID_MODEL:
90 case KM_TAG_ATTESTATION_ID_PRODUCT:
91 case KM_TAG_ATTESTATION_ID_SERIAL:
92 case KM_TAG_CERTIFICATE_SERIAL:
93 case KM_TAG_CERTIFICATE_SUBJECT:
94 case KM_TAG_CERTIFICATE_NOT_BEFORE:
95 case KM_TAG_CERTIFICATE_NOT_AFTER:
96 case KM_TAG_RESET_SINCE_ID_ROTATION:
97 break;
98
99 // strongbox-only tags
100 case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
101 LOG(DEBUG) << "Strongbox-only tag: " << entry.tag;
102 return KM_ERROR_UNSUPPORTED_TAG;
103
104 case KM_TAG_ROLLBACK_RESISTANT:
105 return KM_ERROR_UNSUPPORTED_TAG;
106
107 case KM_TAG_ROLLBACK_RESISTANCE:
108 LOG(DEBUG) << "Rollback resistance is not implemented.";
109 return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
110
111 // These are nominally HW tags, but we don't actually support HW key
112 // attestation yet.
113 case KM_TAG_ALLOW_WHILE_ON_BODY:
114 case KM_TAG_EXPORTABLE:
115 case KM_TAG_IDENTITY_CREDENTIAL_KEY:
116 case KM_TAG_STORAGE_KEY:
117
118 case KM_TAG_PURPOSE:
119 case KM_TAG_ALGORITHM:
120 case KM_TAG_KEY_SIZE:
121 case KM_TAG_RSA_PUBLIC_EXPONENT:
122 case KM_TAG_BLOB_USAGE_REQUIREMENTS:
123 case KM_TAG_DIGEST:
124 case KM_TAG_RSA_OAEP_MGF_DIGEST:
125 case KM_TAG_PADDING:
126 case KM_TAG_BLOCK_MODE:
127 case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
128 case KM_TAG_MAX_USES_PER_BOOT:
129 case KM_TAG_USER_SECURE_ID:
130 case KM_TAG_NO_AUTH_REQUIRED:
131 case KM_TAG_AUTH_TIMEOUT:
132 case KM_TAG_CALLER_NONCE:
133 case KM_TAG_MIN_MAC_LENGTH:
134 case KM_TAG_KDF:
135 case KM_TAG_EC_CURVE:
136 case KM_TAG_ECIES_SINGLE_HASH_MODE:
137 case KM_TAG_USER_AUTH_TYPE:
138 case KM_TAG_EARLY_BOOT_ONLY:
139 case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
140 hw_enforced->push_back(entry);
141 break;
142
143 // The remaining tags are all software.
144 case KM_TAG_ACTIVE_DATETIME:
145 case KM_TAG_ALL_APPLICATIONS:
146 case KM_TAG_ALL_USERS:
147 case KM_TAG_BOOTLOADER_ONLY:
148 case KM_TAG_CREATION_DATETIME:
149 case KM_TAG_INCLUDE_UNIQUE_ID:
150 case KM_TAG_MAX_BOOT_LEVEL:
151 case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
152 case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
153 case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
154 case KM_TAG_UNIQUE_ID:
155 case KM_TAG_USAGE_COUNT_LIMIT:
156 case KM_TAG_USAGE_EXPIRE_DATETIME:
157 case KM_TAG_USER_ID:
158 sw_enforced->push_back(entry);
159 break;
160 }
161 }
162
163 return KM_ERROR_OK;
164 }
165
SerializableToKeyBlob(const Serializable & serializable)166 static KeymasterKeyBlob SerializableToKeyBlob(
167 const Serializable& serializable) {
168 std::vector<uint8_t> data(serializable.SerializedSize() + 1);
169 uint8_t* buf = data.data();
170 uint8_t* buf_end = buf + data.size();
171 buf = serializable.Serialize(buf, buf_end);
172 if (buf != (buf_end - 1)) {
173 LOG(ERROR) << "Serialized size did not match up with actual usage.";
174 return {};
175 }
176 return KeymasterKeyBlob(data.data(), buf - data.data());
177 }
178
179
TpmKeyBlobMaker(TpmResourceManager & resource_manager)180 TpmKeyBlobMaker::TpmKeyBlobMaker(TpmResourceManager& resource_manager)
181 : resource_manager_(resource_manager) {
182 }
183
CreateKeyBlob(const AuthorizationSet & key_description,keymaster_key_origin_t origin,const KeymasterKeyBlob & key_material,KeymasterKeyBlob * blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced) const184 keymaster_error_t TpmKeyBlobMaker::CreateKeyBlob(
185 const AuthorizationSet& key_description,
186 keymaster_key_origin_t origin,
187 const KeymasterKeyBlob& key_material,
188 KeymasterKeyBlob* blob,
189 AuthorizationSet* hw_enforced,
190 AuthorizationSet* sw_enforced) const {
191 AuthorizationSet hidden;
192 auto rc = SplitEnforcedProperties(key_description, hw_enforced, sw_enforced,
193 &hidden);
194 if (rc != KM_ERROR_OK) {
195 return rc;
196 }
197 hw_enforced->push_back(keymaster::TAG_ORIGIN, origin);
198
199 // TODO(schuffelen): Set the os level and patch level properly.
200 hw_enforced->push_back(keymaster::TAG_OS_VERSION, os_version_);
201 hw_enforced->push_back(keymaster::TAG_OS_PATCHLEVEL, os_patchlevel_);
202
203 if (vendor_patchlevel_) {
204 hw_enforced->push_back(keymaster::TAG_VENDOR_PATCHLEVEL,
205 *vendor_patchlevel_);
206 }
207 if (boot_patchlevel_) {
208 hw_enforced->push_back(keymaster::TAG_BOOT_PATCHLEVEL, *boot_patchlevel_);
209 }
210
211 return UnvalidatedCreateKeyBlob(key_material, *hw_enforced, *sw_enforced,
212 hidden, blob);
213 }
214
UnvalidatedCreateKeyBlob(const KeymasterKeyBlob & key_material,const AuthorizationSet & hw_enforced,const AuthorizationSet & sw_enforced,const AuthorizationSet & hidden,KeymasterKeyBlob * blob) const215 keymaster_error_t TpmKeyBlobMaker::UnvalidatedCreateKeyBlob(
216 const KeymasterKeyBlob& key_material, const AuthorizationSet& hw_enforced,
217 const AuthorizationSet& sw_enforced, const AuthorizationSet& hidden,
218 KeymasterKeyBlob* blob) const {
219 keymaster::Buffer key_material_buffer(
220 key_material.key_material, key_material.key_material_size);
221 AuthorizationSet hw_enforced_mutable = hw_enforced;
222 AuthorizationSet sw_enforced_mutable = sw_enforced;
223 CompositeSerializable sensitive_material(
224 {&key_material_buffer, &hw_enforced_mutable, &sw_enforced_mutable});
225 auto parent_key_fn = ParentKeyCreator(kUniqueKey);
226 EncryptedSerializable encryption(
227 resource_manager_, parent_key_fn, sensitive_material);
228 auto signing_key_fn = SigningKeyCreator(kUniqueKey);
229 // TODO(b/154956668) The "hidden" tags should also be mixed into the TPM ACL
230 // so that the TPM requires them to be presented to unwrap the key. This is
231 // necessary to meet the requirement that full breach of KeyMint means an
232 // attacker cannot unwrap keys w/o the application id/data.
233 HmacSerializable sign_check(resource_manager_, signing_key_fn,
234 TPM2_SHA256_DIGEST_SIZE, &encryption, &hidden);
235 auto generated_blob = SerializableToKeyBlob(sign_check);
236 LOG(VERBOSE) << "Keymaster key size: " << generated_blob.key_material_size;
237 if (generated_blob.key_material_size != 0) {
238 *blob = generated_blob;
239 return KM_ERROR_OK;
240 }
241 LOG(ERROR) << "Failed to serialize key.";
242 return KM_ERROR_UNKNOWN_ERROR;
243 }
244
UnwrapKeyBlob(const keymaster_key_blob_t & blob,AuthorizationSet * hw_enforced,AuthorizationSet * sw_enforced,const AuthorizationSet & hidden,KeymasterKeyBlob * key_material) const245 keymaster_error_t TpmKeyBlobMaker::UnwrapKeyBlob(
246 const keymaster_key_blob_t& blob, AuthorizationSet* hw_enforced,
247 AuthorizationSet* sw_enforced, const AuthorizationSet& hidden,
248 KeymasterKeyBlob* key_material) const {
249 keymaster::Buffer key_material_buffer(blob.key_material_size);
250 CompositeSerializable sensitive_material(
251 {&key_material_buffer, hw_enforced, sw_enforced});
252 auto parent_key_fn = ParentKeyCreator(kUniqueKey);
253 EncryptedSerializable encryption(
254 resource_manager_, parent_key_fn, sensitive_material);
255 auto signing_key_fn = SigningKeyCreator(kUniqueKey);
256 HmacSerializable sign_check(resource_manager_, signing_key_fn,
257 TPM2_SHA256_DIGEST_SIZE, &encryption, &hidden);
258 auto buf = blob.key_material;
259 auto buf_end = buf + blob.key_material_size;
260 if (!sign_check.Deserialize(&buf, buf_end)) {
261 LOG(ERROR) << "Failed to deserialize key.";
262 return KM_ERROR_INVALID_KEY_BLOB;
263 }
264 if (key_material_buffer.available_read() == 0) {
265 LOG(ERROR) << "Key material was corrupted and the size was too large";
266 return KM_ERROR_INVALID_KEY_BLOB;
267 }
268 *key_material = KeymasterKeyBlob(
269 key_material_buffer.peek_read(), key_material_buffer.available_read());
270 return KM_ERROR_OK;
271 }
272
SetSystemVersion(uint32_t os_version,uint32_t os_patchlevel)273 keymaster_error_t TpmKeyBlobMaker::SetSystemVersion(
274 uint32_t os_version, uint32_t os_patchlevel) {
275 // TODO(b/201561154): Only accept new values of these from the bootloader
276 os_version_ = os_version;
277 os_patchlevel_ = os_patchlevel;
278 return KM_ERROR_OK;
279 }
280
SetVendorPatchlevel(uint32_t patchlevel)281 keymaster_error_t TpmKeyBlobMaker::SetVendorPatchlevel(uint32_t patchlevel) {
282 // TODO(b/201561154): Only accept new values of these from the bootloader
283 vendor_patchlevel_ = patchlevel;
284 return KM_ERROR_OK;
285 }
286
SetBootPatchlevel(uint32_t boot_patchlevel)287 keymaster_error_t TpmKeyBlobMaker::SetBootPatchlevel(uint32_t boot_patchlevel) {
288 // TODO(b/201561154): Only accept new values of these from the bootloader
289 boot_patchlevel_ = boot_patchlevel;
290 return KM_ERROR_OK;
291 }
292
293 } // namespace cuttlefish
294