• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  * Copyright 2014 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
18 #define SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
19 
20 #include <keymaster/authorization_set.h>
21 #include <keymaster/google_keymaster_messages.h>
22 #include <keymaster/logger.h>
23 
24 namespace keymaster {
25 
26 class Key;
27 class KeyBlob;
28 class Operation;
29 
30 /**
31  * OpenSSL-based Keymaster backing implementation, for use as a pure software implmentation
32  * (softkeymaster) and in a trusted execution environment (TEE), like ARM TrustZone.  This class
33  * doesn't actually implement the Keymaster HAL interface, instead it implements an alternative API
34  * which is similar to and based upon the HAL, but uses C++ "message" classes which support
35  * serialization.
36  *
37  * For non-secure, pure software implementation there is a HAL translation layer that converts the
38  * HAL's parameters to and from the message representations, which are then passed in to this
39  * API.
40  *
41  * For secure implementation there is another HAL translation layer that serializes the messages to
42  * the TEE. In the TEE implementation there's another component which deserializes the messages,
43  * extracts the relevant parameters and calls this API.
44  */
45 class GoogleKeymaster {
46   public:
47     GoogleKeymaster(size_t operation_table_size, Logger* logger);
48     virtual ~GoogleKeymaster();
49 
50     void SupportedAlgorithms(SupportedResponse<keymaster_algorithm_t>* response) const;
51     void SupportedBlockModes(keymaster_algorithm_t algorithm,
52                              SupportedResponse<keymaster_block_mode_t>* response) const;
53     void SupportedPaddingModes(keymaster_algorithm_t algorithm,
54                                SupportedResponse<keymaster_padding_t>* response) const;
55     void SupportedDigests(keymaster_algorithm_t algorithm,
56                           SupportedResponse<keymaster_digest_t>* response) const;
57     void SupportedImportFormats(keymaster_algorithm_t algorithm,
58                                 SupportedResponse<keymaster_key_format_t>* response) const;
59     void SupportedExportFormats(keymaster_algorithm_t algorithm,
60                                 SupportedResponse<keymaster_key_format_t>* response) const;
61 
AddRngEntropy(AddEntropyRequest &)62     virtual keymaster_error_t AddRngEntropy(AddEntropyRequest& /* request */) {
63         // Not going to implement until post-L.
64         return KM_ERROR_UNIMPLEMENTED;
65     }
66     void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response);
67     void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
68                                GetKeyCharacteristicsResponse* response);
Rescope(const RescopeRequest &,RescopeResponse * response)69     void Rescope(const RescopeRequest& /* request */, RescopeResponse* response) {
70         // Not going to implement until post-L.
71         response->error = KM_ERROR_UNIMPLEMENTED;
72     }
73     void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
74     void ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response);
75     void BeginOperation(const BeginOperationRequest& request, BeginOperationResponse* response);
76     void UpdateOperation(const UpdateOperationRequest& request, UpdateOperationResponse* response);
77     void FinishOperation(const FinishOperationRequest& request, FinishOperationResponse* response);
78     keymaster_error_t AbortOperation(const keymaster_operation_handle_t op_handle);
79 
logger()80     const Logger& logger() const { return *logger_; }
81 
82   private:
83     virtual bool is_enforced(keymaster_tag_t tag) = 0;
84     virtual keymaster_key_origin_t origin() = 0;
85     virtual keymaster_key_param_t RootOfTrustTag() = 0;
86     virtual keymaster_key_blob_t MasterKey() = 0;
87     virtual void GenerateNonce(uint8_t* nonce, size_t length) = 0;
88 
89     keymaster_error_t SerializeKey(const Key* key, keymaster_key_origin_t origin,
90                                    keymaster_key_blob_t* keymaster_blob, AuthorizationSet* enforced,
91                                    AuthorizationSet* unenforced);
92     Key* LoadKey(const keymaster_key_blob_t& key, const AuthorizationSet& client_params,
93                  keymaster_error_t* error);
94     KeyBlob* LoadKeyBlob(const keymaster_key_blob_t& key, const AuthorizationSet& client_params,
95                          keymaster_error_t* error);
96 
97     keymaster_error_t SetAuthorizations(const AuthorizationSet& key_description,
98                                         keymaster_key_origin_t origin, AuthorizationSet* enforced,
99                                         AuthorizationSet* unenforced);
100     keymaster_error_t BuildHiddenAuthorizations(const AuthorizationSet& input_set,
101                                                 AuthorizationSet* hidden);
102 
103     void AddAuthorization(const keymaster_key_param_t& auth, AuthorizationSet* enforced,
104                           AuthorizationSet* unenforced);
105     bool GenerateRsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
106                      AuthorizationSet* hidden_auths);
107     bool GenerateDsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
108                      AuthorizationSet* hidden_auths);
109     bool GenerateEcdsa(const AuthorizationSet& key_auths, GenerateKeyResponse* response,
110                        AuthorizationSet* hidden_auths);
111     keymaster_error_t WrapKey(const uint8_t* key_material, size_t key_material_length,
112                               KeyBlob* blob);
113     keymaster_error_t UnwrapKey(const KeyBlob* blob, uint8_t* key, size_t key_length);
114 
115     struct OpTableEntry {
OpTableEntryOpTableEntry116         OpTableEntry() {
117             handle = 0;
118             operation = NULL;
119         }
120         keymaster_operation_handle_t handle;
121         Operation* operation;
122     };
123 
124     keymaster_error_t AddOperation(Operation* operation, keymaster_operation_handle_t* op_handle);
125     OpTableEntry* FindOperation(keymaster_operation_handle_t op_handle);
126     void DeleteOperation(OpTableEntry* entry);
127     bool is_supported_export_format(keymaster_key_format_t test_format);
128     bool is_supported_import_format(keymaster_key_format_t test_format);
129 
130     UniquePtr<OpTableEntry[]> operation_table_;
131     size_t operation_table_size_;
132     UniquePtr<Logger> logger_;
133 };
134 
135 }  // namespace keymaster
136 
137 #endif  //  SYSTEM_KEYMASTER_GOOGLE_KEYMASTER_H_
138