1 /*
2 * Copyright 2014 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "TrustyKeymaster"
18
19 #include <assert.h>
20 #include <openssl/evp.h>
21 #include <openssl/x509.h>
22 #include <stddef.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <time.h>
27
28 #include <algorithm>
29 #include <type_traits>
30
31 #include <hardware/keymaster2.h>
32 #include <keymaster/authorization_set.h>
33 #include <log/log.h>
34
35 #include "keymaster_ipc.h"
36 #include "trusty_keymaster_device.h"
37 #include "trusty_keymaster_ipc.h"
38
39 const uint32_t RECV_BUF_SIZE = PAGE_SIZE;
40 const uint32_t SEND_BUF_SIZE = (PAGE_SIZE - sizeof(struct keymaster_message) - 16 /* tipc header */);
41
42 const size_t kMaximumAttestationChallengeLength = 128;
43 const size_t kMaximumFinishInputLength = 2048;
44
45 namespace keymaster {
46
translate_error(int err)47 static keymaster_error_t translate_error(int err) {
48 switch (err) {
49 case 0:
50 return KM_ERROR_OK;
51 case -EPERM:
52 case -EACCES:
53 return KM_ERROR_SECURE_HW_ACCESS_DENIED;
54
55 case -ECANCELED:
56 return KM_ERROR_OPERATION_CANCELLED;
57
58 case -ENODEV:
59 return KM_ERROR_UNIMPLEMENTED;
60
61 case -ENOMEM:
62 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
63
64 case -EBUSY:
65 return KM_ERROR_SECURE_HW_BUSY;
66
67 case -EIO:
68 return KM_ERROR_SECURE_HW_COMMUNICATION_FAILED;
69
70 case -EOVERFLOW:
71 return KM_ERROR_INVALID_INPUT_LENGTH;
72
73 default:
74 return KM_ERROR_UNKNOWN_ERROR;
75 }
76 }
77
TrustyKeymasterDevice(const hw_module_t * module)78 TrustyKeymasterDevice::TrustyKeymasterDevice(const hw_module_t* module) {
79 static_assert(std::is_standard_layout<TrustyKeymasterDevice>::value,
80 "TrustyKeymasterDevice must be standard layout");
81 static_assert(offsetof(TrustyKeymasterDevice, device_) == 0,
82 "device_ must be the first member of TrustyKeymasterDevice");
83 static_assert(offsetof(TrustyKeymasterDevice, device_.common) == 0,
84 "common must be the first member of keymaster2_device");
85
86 ALOGI("Creating device");
87 ALOGD("Device address: %p", this);
88
89 device_ = {};
90
91 device_.common.tag = HARDWARE_DEVICE_TAG;
92 device_.common.version = 1;
93 device_.common.module = const_cast<hw_module_t*>(module);
94 device_.common.close = close_device;
95
96 device_.flags = KEYMASTER_SUPPORTS_EC;
97
98 device_.configure = configure;
99 device_.add_rng_entropy = add_rng_entropy;
100 device_.generate_key = generate_key;
101 device_.get_key_characteristics = get_key_characteristics;
102 device_.import_key = import_key;
103 device_.export_key = export_key;
104 device_.attest_key = attest_key;
105 device_.upgrade_key = upgrade_key;
106 device_.delete_key = nullptr;
107 device_.delete_all_keys = nullptr;
108 device_.begin = begin;
109 device_.update = update;
110 device_.finish = finish;
111 device_.abort = abort;
112
113 int rc = trusty_keymaster_connect();
114 error_ = translate_error(rc);
115 if (rc < 0) {
116 ALOGE("failed to connect to keymaster (%d)", rc);
117 return;
118 }
119
120 GetVersionRequest version_request;
121 GetVersionResponse version_response;
122 error_ = Send(KM_GET_VERSION, version_request, &version_response);
123 if (error_ == KM_ERROR_INVALID_ARGUMENT || error_ == KM_ERROR_UNIMPLEMENTED) {
124 ALOGE("\"Bad parameters\" error on GetVersion call. Version 0 is not supported.");
125 error_ = KM_ERROR_VERSION_MISMATCH;
126 return;
127 }
128 message_version_ = MessageVersion(version_response.major_ver, version_response.minor_ver,
129 version_response.subminor_ver);
130 if (message_version_ < 0) {
131 // Can't translate version? Keymaster implementation must be newer.
132 ALOGE("Keymaster version %d.%d.%d not supported.", version_response.major_ver,
133 version_response.minor_ver, version_response.subminor_ver);
134 error_ = KM_ERROR_VERSION_MISMATCH;
135 }
136 }
137
~TrustyKeymasterDevice()138 TrustyKeymasterDevice::~TrustyKeymasterDevice() {
139 trusty_keymaster_disconnect();
140 }
141
142 namespace {
143
144 // Allocates a new buffer with malloc and copies the contents of |buffer| to it. Caller takes
145 // ownership of the returned buffer.
DuplicateBuffer(const uint8_t * buffer,size_t size)146 uint8_t* DuplicateBuffer(const uint8_t* buffer, size_t size) {
147 uint8_t* tmp = reinterpret_cast<uint8_t*>(malloc(size));
148 if (tmp) {
149 memcpy(tmp, buffer, size);
150 }
151 return tmp;
152 }
153
154 template <typename RequestType>
AddClientAndAppData(const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,RequestType * request)155 void AddClientAndAppData(const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
156 RequestType* request) {
157 request->additional_params.Clear();
158 if (client_id) {
159 request->additional_params.push_back(TAG_APPLICATION_ID, *client_id);
160 }
161 if (app_data) {
162 request->additional_params.push_back(TAG_APPLICATION_DATA, *app_data);
163 }
164 }
165
166 } // unnamed namespace
167
configure(const keymaster_key_param_set_t * params)168 keymaster_error_t TrustyKeymasterDevice::configure(const keymaster_key_param_set_t* params) {
169 ALOGD("Device received configure\n");
170
171 if (error_ != KM_ERROR_OK) {
172 return error_;
173 }
174 if (!params) {
175 return KM_ERROR_UNEXPECTED_NULL_POINTER;
176 }
177
178 AuthorizationSet params_copy(*params);
179 ConfigureRequest request;
180 if (!params_copy.GetTagValue(TAG_OS_VERSION, &request.os_version) ||
181 !params_copy.GetTagValue(TAG_OS_PATCHLEVEL, &request.os_patchlevel)) {
182 ALOGD("Configuration parameters must contain OS version and patch level");
183 return KM_ERROR_INVALID_ARGUMENT;
184 }
185
186 ConfigureResponse response;
187 keymaster_error_t err = Send(KM_CONFIGURE, request, &response);
188 if (err != KM_ERROR_OK) {
189 return err;
190 }
191
192 return KM_ERROR_OK;
193 }
194
add_rng_entropy(const uint8_t * data,size_t data_length)195 keymaster_error_t TrustyKeymasterDevice::add_rng_entropy(const uint8_t* data, size_t data_length) {
196 ALOGD("Device received add_rng_entropy");
197
198 if (error_ != KM_ERROR_OK) {
199 return error_;
200 }
201
202 AddEntropyRequest request;
203 request.random_data.Reinitialize(data, data_length);
204 AddEntropyResponse response;
205 return Send(KM_ADD_RNG_ENTROPY, request, &response);
206 }
207
generate_key(const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)208 keymaster_error_t TrustyKeymasterDevice::generate_key(
209 const keymaster_key_param_set_t* params, keymaster_key_blob_t* key_blob,
210 keymaster_key_characteristics_t* characteristics) {
211 ALOGD("Device received generate_key");
212
213 if (error_ != KM_ERROR_OK) {
214 return error_;
215 }
216 if (!params) {
217 return KM_ERROR_UNEXPECTED_NULL_POINTER;
218 }
219 if (!key_blob) {
220 return KM_ERROR_OUTPUT_PARAMETER_NULL;
221 }
222
223 GenerateKeyRequest request(message_version_);
224 request.key_description.Reinitialize(*params);
225 request.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL)));
226
227 GenerateKeyResponse response(message_version_);
228 keymaster_error_t err = Send(KM_GENERATE_KEY, request, &response);
229 if (err != KM_ERROR_OK) {
230 return err;
231 }
232
233 key_blob->key_material_size = response.key_blob.key_material_size;
234 key_blob->key_material =
235 DuplicateBuffer(response.key_blob.key_material, response.key_blob.key_material_size);
236 if (!key_blob->key_material) {
237 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
238 }
239
240 if (characteristics) {
241 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
242 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
243 }
244
245 return KM_ERROR_OK;
246 }
247
get_key_characteristics(const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)248 keymaster_error_t TrustyKeymasterDevice::get_key_characteristics(
249 const keymaster_key_blob_t* key_blob, const keymaster_blob_t* client_id,
250 const keymaster_blob_t* app_data, keymaster_key_characteristics_t* characteristics) {
251 ALOGD("Device received get_key_characteristics");
252
253 if (error_ != KM_ERROR_OK) {
254 return error_;
255 }
256 if (!key_blob || !key_blob->key_material) {
257 return KM_ERROR_UNEXPECTED_NULL_POINTER;
258 }
259 if (!characteristics) {
260 return KM_ERROR_OUTPUT_PARAMETER_NULL;
261 }
262
263 GetKeyCharacteristicsRequest request;
264 request.SetKeyMaterial(*key_blob);
265 AddClientAndAppData(client_id, app_data, &request);
266
267 GetKeyCharacteristicsResponse response;
268 keymaster_error_t err = Send(KM_GET_KEY_CHARACTERISTICS, request, &response);
269 if (err != KM_ERROR_OK) {
270 return err;
271 }
272
273 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
274 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
275
276 return KM_ERROR_OK;
277 }
278
import_key(const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)279 keymaster_error_t TrustyKeymasterDevice::import_key(
280 const keymaster_key_param_set_t* params, keymaster_key_format_t key_format,
281 const keymaster_blob_t* key_data, keymaster_key_blob_t* key_blob,
282 keymaster_key_characteristics_t* characteristics) {
283 ALOGD("Device received import_key");
284
285 if (error_ != KM_ERROR_OK) {
286 return error_;
287 }
288 if (!params || !key_data) {
289 return KM_ERROR_UNEXPECTED_NULL_POINTER;
290 }
291 if (!key_blob) {
292 return KM_ERROR_OUTPUT_PARAMETER_NULL;
293 }
294
295 ImportKeyRequest request(message_version_);
296 request.key_description.Reinitialize(*params);
297 request.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL)));
298
299 request.key_format = key_format;
300 request.SetKeyMaterial(key_data->data, key_data->data_length);
301
302 ImportKeyResponse response(message_version_);
303 keymaster_error_t err = Send(KM_IMPORT_KEY, request, &response);
304 if (err != KM_ERROR_OK) {
305 return err;
306 }
307
308 key_blob->key_material_size = response.key_blob.key_material_size;
309 key_blob->key_material =
310 DuplicateBuffer(response.key_blob.key_material, response.key_blob.key_material_size);
311 if (!key_blob->key_material) {
312 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
313 }
314
315 if (characteristics) {
316 response.enforced.CopyToParamSet(&characteristics->hw_enforced);
317 response.unenforced.CopyToParamSet(&characteristics->sw_enforced);
318 }
319
320 return KM_ERROR_OK;
321 }
322
export_key(keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)323 keymaster_error_t TrustyKeymasterDevice::export_key(keymaster_key_format_t export_format,
324 const keymaster_key_blob_t* key_to_export,
325 const keymaster_blob_t* client_id,
326 const keymaster_blob_t* app_data,
327 keymaster_blob_t* export_data) {
328 ALOGD("Device received export_key");
329
330 if (error_ != KM_ERROR_OK) {
331 return error_;
332 }
333 if (!key_to_export || !key_to_export->key_material) {
334 return KM_ERROR_UNEXPECTED_NULL_POINTER;
335 }
336 if (!export_data) {
337 return KM_ERROR_OUTPUT_PARAMETER_NULL;
338 }
339
340 export_data->data = nullptr;
341 export_data->data_length = 0;
342
343 ExportKeyRequest request(message_version_);
344 request.key_format = export_format;
345 request.SetKeyMaterial(*key_to_export);
346 AddClientAndAppData(client_id, app_data, &request);
347
348 ExportKeyResponse response(message_version_);
349 keymaster_error_t err = Send(KM_EXPORT_KEY, request, &response);
350 if (err != KM_ERROR_OK) {
351 return err;
352 }
353
354 export_data->data_length = response.key_data_length;
355 export_data->data = DuplicateBuffer(response.key_data, response.key_data_length);
356 if (!export_data->data) {
357 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
358 }
359
360 return KM_ERROR_OK;
361 }
362
attest_key(const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)363 keymaster_error_t TrustyKeymasterDevice::attest_key(const keymaster_key_blob_t* key_to_attest,
364 const keymaster_key_param_set_t* attest_params,
365 keymaster_cert_chain_t* cert_chain) {
366 ALOGD("Device received attest_key");
367
368 if (error_ != KM_ERROR_OK) {
369 return error_;
370 }
371 if (!key_to_attest || !attest_params) {
372 return KM_ERROR_UNEXPECTED_NULL_POINTER;
373 }
374 if (!cert_chain) {
375 return KM_ERROR_OUTPUT_PARAMETER_NULL;
376 }
377
378 cert_chain->entry_count = 0;
379 cert_chain->entries = nullptr;
380
381 AttestKeyRequest request;
382 request.SetKeyMaterial(*key_to_attest);
383 request.attest_params.Reinitialize(*attest_params);
384
385 keymaster_blob_t attestation_challenge = {};
386 request.attest_params.GetTagValue(TAG_ATTESTATION_CHALLENGE, &attestation_challenge);
387 if (attestation_challenge.data_length > kMaximumAttestationChallengeLength) {
388 ALOGE("%zu-byte attestation challenge; only %zu bytes allowed",
389 attestation_challenge.data_length, kMaximumAttestationChallengeLength);
390 return KM_ERROR_INVALID_INPUT_LENGTH;
391 }
392
393 AttestKeyResponse response;
394 keymaster_error_t err = Send(KM_ATTEST_KEY, request, &response);
395 if (err != KM_ERROR_OK) {
396 return err;
397 }
398
399 // Allocate and clear storage for cert_chain.
400 keymaster_cert_chain_t& rsp_chain = response.certificate_chain;
401 cert_chain->entries = reinterpret_cast<keymaster_blob_t*>(
402 malloc(rsp_chain.entry_count * sizeof(*cert_chain->entries)));
403 if (!cert_chain->entries) {
404 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
405 }
406 cert_chain->entry_count = rsp_chain.entry_count;
407 for (keymaster_blob_t& entry : array_range(cert_chain->entries, cert_chain->entry_count)) {
408 entry = {};
409 }
410
411 // Copy cert_chain contents
412 size_t i = 0;
413 for (keymaster_blob_t& entry : array_range(rsp_chain.entries, rsp_chain.entry_count)) {
414 cert_chain->entries[i].data = DuplicateBuffer(entry.data, entry.data_length);
415 if (!cert_chain->entries[i].data) {
416 keymaster_free_cert_chain(cert_chain);
417 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
418 }
419 cert_chain->entries[i].data_length = entry.data_length;
420 ++i;
421 }
422
423 return KM_ERROR_OK;
424 }
425
upgrade_key(const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)426 keymaster_error_t TrustyKeymasterDevice::upgrade_key(const keymaster_key_blob_t* key_to_upgrade,
427 const keymaster_key_param_set_t* upgrade_params,
428 keymaster_key_blob_t* upgraded_key) {
429 ALOGD("Device received upgrade_key");
430
431 if (error_ != KM_ERROR_OK) {
432 return error_;
433 }
434 if (!key_to_upgrade || !upgrade_params) {
435 return KM_ERROR_UNEXPECTED_NULL_POINTER;
436 }
437 if (!upgraded_key) {
438 return KM_ERROR_OUTPUT_PARAMETER_NULL;
439 }
440
441 UpgradeKeyRequest request;
442 request.SetKeyMaterial(*key_to_upgrade);
443 request.upgrade_params.Reinitialize(*upgrade_params);
444
445 UpgradeKeyResponse response;
446 keymaster_error_t err = Send(KM_UPGRADE_KEY, request, &response);
447 if (err != KM_ERROR_OK) {
448 return err;
449 }
450
451 upgraded_key->key_material_size = response.upgraded_key.key_material_size;
452 upgraded_key->key_material = DuplicateBuffer(response.upgraded_key.key_material,
453 response.upgraded_key.key_material_size);
454 if (!upgraded_key->key_material) {
455 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
456 }
457
458 return KM_ERROR_OK;
459 }
460
begin(keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)461 keymaster_error_t TrustyKeymasterDevice::begin(keymaster_purpose_t purpose,
462 const keymaster_key_blob_t* key,
463 const keymaster_key_param_set_t* in_params,
464 keymaster_key_param_set_t* out_params,
465 keymaster_operation_handle_t* operation_handle) {
466 ALOGD("Device received begin");
467
468 if (error_ != KM_ERROR_OK) {
469 return error_;
470 }
471 if (!key || !key->key_material) {
472 return KM_ERROR_UNEXPECTED_NULL_POINTER;
473 }
474 if (!operation_handle) {
475 return KM_ERROR_OUTPUT_PARAMETER_NULL;
476 }
477
478 if (out_params) {
479 *out_params = {};
480 }
481
482 BeginOperationRequest request;
483 request.purpose = purpose;
484 request.SetKeyMaterial(*key);
485 request.additional_params.Reinitialize(*in_params);
486
487 BeginOperationResponse response;
488 keymaster_error_t err = Send(KM_BEGIN_OPERATION, request, &response);
489 if (err != KM_ERROR_OK) {
490 return err;
491 }
492
493 if (response.output_params.size() > 0) {
494 if (out_params) {
495 response.output_params.CopyToParamSet(out_params);
496 } else {
497 return KM_ERROR_OUTPUT_PARAMETER_NULL;
498 }
499 }
500 *operation_handle = response.op_handle;
501
502 return KM_ERROR_OK;
503 }
504
update(keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)505 keymaster_error_t TrustyKeymasterDevice::update(keymaster_operation_handle_t operation_handle,
506 const keymaster_key_param_set_t* in_params,
507 const keymaster_blob_t* input,
508 size_t* input_consumed,
509 keymaster_key_param_set_t* out_params,
510 keymaster_blob_t* output) {
511 ALOGD("Device received update");
512
513 if (error_ != KM_ERROR_OK) {
514 return error_;
515 }
516 if (!input) {
517 return KM_ERROR_UNEXPECTED_NULL_POINTER;
518 }
519 if (!input_consumed) {
520 return KM_ERROR_OUTPUT_PARAMETER_NULL;
521 }
522
523 if (out_params) {
524 *out_params = {};
525 }
526 if (output) {
527 *output = {};
528 }
529
530 UpdateOperationRequest request;
531 request.op_handle = operation_handle;
532 if (in_params) {
533 request.additional_params.Reinitialize(*in_params);
534 }
535 if (input && input->data_length > 0) {
536 size_t max_input_size = SEND_BUF_SIZE - request.SerializedSize();
537 request.input.Reinitialize(input->data, std::min(input->data_length, max_input_size));
538 }
539
540 UpdateOperationResponse response;
541 keymaster_error_t err = Send(KM_UPDATE_OPERATION, request, &response);
542 if (err != KM_ERROR_OK) {
543 return err;
544 }
545
546 if (response.output_params.size() > 0) {
547 if (out_params) {
548 response.output_params.CopyToParamSet(out_params);
549 } else {
550 return KM_ERROR_OUTPUT_PARAMETER_NULL;
551 }
552 }
553 *input_consumed = response.input_consumed;
554 if (output) {
555 output->data_length = response.output.available_read();
556 output->data = DuplicateBuffer(response.output.peek_read(), output->data_length);
557 if (!output->data) {
558 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
559 }
560 } else if (response.output.available_read() > 0) {
561 return KM_ERROR_OUTPUT_PARAMETER_NULL;
562 }
563
564 return KM_ERROR_OK;
565 }
566
finish(keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)567 keymaster_error_t TrustyKeymasterDevice::finish(keymaster_operation_handle_t operation_handle,
568 const keymaster_key_param_set_t* in_params,
569 const keymaster_blob_t* input,
570 const keymaster_blob_t* signature,
571 keymaster_key_param_set_t* out_params,
572 keymaster_blob_t* output) {
573 ALOGD("Device received finish");
574
575 if (error_ != KM_ERROR_OK) {
576 return error_;
577 }
578 if (input && input->data_length > kMaximumFinishInputLength) {
579 return KM_ERROR_INVALID_ARGUMENT;
580 }
581
582 if (out_params) {
583 *out_params = {};
584 }
585 if (output) {
586 *output = {};
587 }
588
589 FinishOperationRequest request;
590 request.op_handle = operation_handle;
591 if (signature && signature->data && signature->data_length > 0) {
592 request.signature.Reinitialize(signature->data, signature->data_length);
593 }
594 if (input && input->data && input->data_length) {
595 request.input.Reinitialize(input->data, input->data_length);
596 }
597 if (in_params) {
598 request.additional_params.Reinitialize(*in_params);
599 }
600
601 FinishOperationResponse response;
602 keymaster_error_t err = Send(KM_FINISH_OPERATION, request, &response);
603 if (err != KM_ERROR_OK) {
604 return err;
605 }
606
607 if (response.output_params.size() > 0) {
608 if (out_params) {
609 response.output_params.CopyToParamSet(out_params);
610 } else {
611 return KM_ERROR_OUTPUT_PARAMETER_NULL;
612 }
613 }
614 if (output) {
615 output->data_length = response.output.available_read();
616 output->data = DuplicateBuffer(response.output.peek_read(), output->data_length);
617 if (!output->data) {
618 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
619 }
620 } else if (response.output.available_read() > 0) {
621 return KM_ERROR_OUTPUT_PARAMETER_NULL;
622 }
623
624 return KM_ERROR_OK;
625 }
626
abort(keymaster_operation_handle_t operation_handle)627 keymaster_error_t TrustyKeymasterDevice::abort(keymaster_operation_handle_t operation_handle) {
628 ALOGD("Device received abort");
629
630 if (error_ != KM_ERROR_OK) {
631 return error_;
632 }
633
634 AbortOperationRequest request;
635 request.op_handle = operation_handle;
636 AbortOperationResponse response;
637 return Send(KM_ABORT_OPERATION, request, &response);
638 }
639
hw_device()640 hw_device_t* TrustyKeymasterDevice::hw_device() {
641 return &device_.common;
642 }
643
convert_device(const keymaster2_device_t * dev)644 static inline TrustyKeymasterDevice* convert_device(const keymaster2_device_t* dev) {
645 return reinterpret_cast<TrustyKeymasterDevice*>(const_cast<keymaster2_device_t*>(dev));
646 }
647
648 /* static */
close_device(hw_device_t * dev)649 int TrustyKeymasterDevice::close_device(hw_device_t* dev) {
650 delete reinterpret_cast<TrustyKeymasterDevice*>(dev);
651 return 0;
652 }
653
654 /* static */
configure(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params)655 keymaster_error_t TrustyKeymasterDevice::configure(const keymaster2_device_t* dev,
656 const keymaster_key_param_set_t* params) {
657 return convert_device(dev)->configure(params);
658 }
659
660 /* static */
add_rng_entropy(const keymaster2_device_t * dev,const uint8_t * data,size_t data_length)661 keymaster_error_t TrustyKeymasterDevice::add_rng_entropy(const keymaster2_device_t* dev,
662 const uint8_t* data, size_t data_length) {
663 return convert_device(dev)->add_rng_entropy(data, data_length);
664 }
665
666 /* static */
generate_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)667 keymaster_error_t TrustyKeymasterDevice::generate_key(
668 const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
669 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
670 return convert_device(dev)->generate_key(params, key_blob, characteristics);
671 }
672
673 /* static */
get_key_characteristics(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_blob,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_key_characteristics_t * characteristics)674 keymaster_error_t TrustyKeymasterDevice::get_key_characteristics(
675 const keymaster2_device_t* dev, const keymaster_key_blob_t* key_blob,
676 const keymaster_blob_t* client_id, const keymaster_blob_t* app_data,
677 keymaster_key_characteristics_t* characteristics) {
678 return convert_device(dev)->get_key_characteristics(key_blob, client_id, app_data,
679 characteristics);
680 }
681
682 /* static */
import_key(const keymaster2_device_t * dev,const keymaster_key_param_set_t * params,keymaster_key_format_t key_format,const keymaster_blob_t * key_data,keymaster_key_blob_t * key_blob,keymaster_key_characteristics_t * characteristics)683 keymaster_error_t TrustyKeymasterDevice::import_key(
684 const keymaster2_device_t* dev, const keymaster_key_param_set_t* params,
685 keymaster_key_format_t key_format, const keymaster_blob_t* key_data,
686 keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t* characteristics) {
687 return convert_device(dev)->import_key(params, key_format, key_data, key_blob, characteristics);
688 }
689
690 /* static */
export_key(const keymaster2_device_t * dev,keymaster_key_format_t export_format,const keymaster_key_blob_t * key_to_export,const keymaster_blob_t * client_id,const keymaster_blob_t * app_data,keymaster_blob_t * export_data)691 keymaster_error_t TrustyKeymasterDevice::export_key(const keymaster2_device_t* dev,
692 keymaster_key_format_t export_format,
693 const keymaster_key_blob_t* key_to_export,
694 const keymaster_blob_t* client_id,
695 const keymaster_blob_t* app_data,
696 keymaster_blob_t* export_data) {
697 return convert_device(dev)->export_key(export_format, key_to_export, client_id, app_data,
698 export_data);
699 }
700
701 /* static */
attest_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_attest,const keymaster_key_param_set_t * attest_params,keymaster_cert_chain_t * cert_chain)702 keymaster_error_t TrustyKeymasterDevice::attest_key(const keymaster2_device_t* dev,
703 const keymaster_key_blob_t* key_to_attest,
704 const keymaster_key_param_set_t* attest_params,
705 keymaster_cert_chain_t* cert_chain) {
706 return convert_device(dev)->attest_key(key_to_attest, attest_params, cert_chain);
707 }
708
709 /* static */
upgrade_key(const keymaster2_device_t * dev,const keymaster_key_blob_t * key_to_upgrade,const keymaster_key_param_set_t * upgrade_params,keymaster_key_blob_t * upgraded_key)710 keymaster_error_t TrustyKeymasterDevice::upgrade_key(const keymaster2_device_t* dev,
711 const keymaster_key_blob_t* key_to_upgrade,
712 const keymaster_key_param_set_t* upgrade_params,
713 keymaster_key_blob_t* upgraded_key) {
714 return convert_device(dev)->upgrade_key(key_to_upgrade, upgrade_params, upgraded_key);
715 }
716
717 /* static */
begin(const keymaster2_device_t * dev,keymaster_purpose_t purpose,const keymaster_key_blob_t * key,const keymaster_key_param_set_t * in_params,keymaster_key_param_set_t * out_params,keymaster_operation_handle_t * operation_handle)718 keymaster_error_t TrustyKeymasterDevice::begin(const keymaster2_device_t* dev,
719 keymaster_purpose_t purpose,
720 const keymaster_key_blob_t* key,
721 const keymaster_key_param_set_t* in_params,
722 keymaster_key_param_set_t* out_params,
723 keymaster_operation_handle_t* operation_handle) {
724 return convert_device(dev)->begin(purpose, key, in_params, out_params, operation_handle);
725 }
726
727 /* static */
update(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,size_t * input_consumed,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)728 keymaster_error_t TrustyKeymasterDevice::update(
729 const keymaster2_device_t* dev, keymaster_operation_handle_t operation_handle,
730 const keymaster_key_param_set_t* in_params, const keymaster_blob_t* input,
731 size_t* input_consumed, keymaster_key_param_set_t* out_params, keymaster_blob_t* output) {
732 return convert_device(dev)->update(operation_handle, in_params, input, input_consumed,
733 out_params, output);
734 }
735
736 /* static */
finish(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle,const keymaster_key_param_set_t * in_params,const keymaster_blob_t * input,const keymaster_blob_t * signature,keymaster_key_param_set_t * out_params,keymaster_blob_t * output)737 keymaster_error_t TrustyKeymasterDevice::finish(const keymaster2_device_t* dev,
738 keymaster_operation_handle_t operation_handle,
739 const keymaster_key_param_set_t* in_params,
740 const keymaster_blob_t* input,
741 const keymaster_blob_t* signature,
742 keymaster_key_param_set_t* out_params,
743 keymaster_blob_t* output) {
744 return convert_device(dev)->finish(operation_handle, in_params, input, signature, out_params,
745 output);
746 }
747
748 /* static */
abort(const keymaster2_device_t * dev,keymaster_operation_handle_t operation_handle)749 keymaster_error_t TrustyKeymasterDevice::abort(const keymaster2_device_t* dev,
750 keymaster_operation_handle_t operation_handle) {
751 return convert_device(dev)->abort(operation_handle);
752 }
753
Send(uint32_t command,const Serializable & req,KeymasterResponse * rsp)754 keymaster_error_t TrustyKeymasterDevice::Send(uint32_t command, const Serializable& req,
755 KeymasterResponse* rsp) {
756 uint32_t req_size = req.SerializedSize();
757 if (req_size > SEND_BUF_SIZE) {
758 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
759 }
760 uint8_t send_buf[SEND_BUF_SIZE];
761 Eraser send_buf_eraser(send_buf, SEND_BUF_SIZE);
762 req.Serialize(send_buf, send_buf + req_size);
763
764 // Send it
765 uint8_t recv_buf[RECV_BUF_SIZE];
766 Eraser recv_buf_eraser(recv_buf, RECV_BUF_SIZE);
767 uint32_t rsp_size = RECV_BUF_SIZE;
768 ALOGV("Sending %d byte request\n", (int)req.SerializedSize());
769 int rc = trusty_keymaster_call(command, send_buf, req_size, recv_buf, &rsp_size);
770 if (rc < 0) {
771 ALOGE("tipc error: %d\n", rc);
772 // TODO(swillden): Distinguish permanent from transient errors and set error_ appropriately.
773 return translate_error(rc);
774 } else {
775 ALOGV("Received %d byte response\n", rsp_size);
776 }
777
778 const keymaster_message* msg = (keymaster_message*)recv_buf;
779 const uint8_t* p = msg->payload;
780 if (!rsp->Deserialize(&p, p + rsp_size)) {
781 ALOGE("Error deserializing response of size %d\n", (int)rsp_size);
782 return KM_ERROR_UNKNOWN_ERROR;
783 } else if (rsp->error != KM_ERROR_OK) {
784 ALOGE("Response of size %d contained error code %d\n", (int)rsp_size, (int)rsp->error);
785 return rsp->error;
786 }
787 return rsp->error;
788 }
789
790 } // namespace keymaster
791