1 /*
2  ** Copyright 2018, The Android Open Source Project
3  **
4  ** Licensed under the Apache License, Version 2.0 (the "License");
5  ** you may not use this file except in compliance with the License.
6  ** You may obtain a copy of the License at
7  **
8  **     http://www.apache.org/licenses/LICENSE-2.0
9  **
10  ** Unless required by applicable law or agreed to in writing, software
11  ** distributed under the License is distributed on an "AS IS" BASIS,
12  ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  ** See the License for the specific language governing permissions and
14  ** limitations under the License.
15  */
16 
17 #include <keymasterV4_1/Keymaster.h>
18 
19 #include <iomanip>
20 
21 #include <android-base/logging.h>
22 #include <android/hidl/manager/1.2/IServiceManager.h>
23 #include <keymasterV4_0/key_param_output.h>
24 #include <keymasterV4_0/keymaster_utils.h>
25 #include <keymasterV4_1/Keymaster3.h>
26 #include <keymasterV4_1/Keymaster4.h>
27 
28 namespace android::hardware {
29 
// Streams a hidl_vec as a brace-delimited, comma-separated list, e.g. "{ a, b, c }".
// Every element is written with its own operator<<. An empty vector prints "{  }".
template <class T>
std::ostream& operator<<(std::ostream& os, const hidl_vec<T>& vec) {
    os << "{ ";
    const size_t count = vec.size();
    for (size_t idx = 0; idx < count; ++idx) {
        // The separator goes between elements only, never after the last one.
        if (idx != 0) os << ", ";
        os << vec[idx];
    }
    os << " }";
    return os;
}
40 
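// Streams a byte vector as contiguous hex, exactly two digits per byte.
//
// std::setw() is consumed by the next insertion, so it has to be re-applied for every byte.
// Applied once before the loop, only the first byte is padded and distinct values can render
// identically (e.g. {0x01, 0x11} and {0x01, 0x01, 0x01} would both print "0111"), which
// makes logged byte strings unreliable to compare.
// The fill character is not part of fmtflags, so it is saved and restored separately; the
// caller's stream formatting is left exactly as it was found.
std::ostream& operator<<(std::ostream& os, const hidl_vec<uint8_t>& vec) {
    const std::ios_base::fmtflags flags(os.flags());
    const char fill = os.fill('0');
    os << std::hex;
    // Cast to int so each byte is formatted as a number, not as a character.
    for (uint8_t c : vec) os << std::setw(2) << static_cast<int>(c);
    os.fill(fill);
    os.flags(flags);
    return os;
}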
48 
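// Streams a fixed-size byte array as contiguous hex, exactly two digits per byte.
//
// std::setw() is consumed by the next insertion, so it has to be re-applied for every byte.
// Applied once before the loop, only the first byte is padded and bytes below 0x10 later in
// the array print as a single digit, so the output no longer maps back to one byte string.
// The fill character is not part of fmtflags, so it is saved and restored separately; the
// caller's stream formatting is left exactly as it was found.
template <size_t N>
std::ostream& operator<<(std::ostream& os, const hidl_array<uint8_t, N>& vec) {
    const std::ios_base::fmtflags flags(os.flags());
    const char fill = os.fill('0');
    os << std::hex;
    // Cast to int so each byte is formatted as a number, not as a character.
    for (size_t i = 0; i < N; ++i) os << std::setw(2) << static_cast<int>(vec[i]);
    os.fill(fill);
    os.flags(flags);
    return os;
}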
57 
58 namespace keymaster {
59 
60 namespace V4_0 {
61 
// Streams one set of HMAC sharing parameters as "(seed: <seed>, nonce: <nonce>)".
std::ostream& operator<<(std::ostream& os, const HmacSharingParameters& params) {
    // By design the seed and nonce feed the computation of a secret but are not secrets
    // themselves, so it is fine for them to appear in logs.
    os << "(seed: " << params.seed;
    os << ", nonce: " << params.nonce;
    os << ')';
    return os;
}
68 
69 }  // namespace V4_0
70 
71 namespace V4_1::support {
72 
73 using ::android::sp;
74 using ::android::hidl::manager::V1_2::IServiceManager;
75 
// Streams a one-line description of a Keymaster HAL: implementation name, author, security
// level, and the HAL descriptor and instance name it is bound to.
std::ostream& operator<<(std::ostream& os, const Keymaster& keymaster) {
    const auto& info = keymaster.halVersion();
    os << info.keymasterName << " from " << info.authorName;
    os << " SecurityLevel: " << toString(info.securityLevel);
    os << " HAL: " << keymaster.descriptor() << "/" << keymaster.instanceName();
    return os;
}
83 
// Builds one Wrapper for every instance of Wrapper::WrappedIKeymasterDevice that the service
// manager lists for that interface.
//
// A listed instance that cannot be fetched aborts the process via CHECK. If the listing did
// not contain "default", a "default" instance is still tried once and added only when it is
// available; a miss on that fallback is not an error.
template <typename Wrapper>
std::vector<std::unique_ptr<Keymaster>> enumerateDevices(
        const sp<IServiceManager>& serviceManager) {
    using Device = typename Wrapper::WrappedIKeymasterDevice;

    Keymaster::KeymasterSet devices;
    bool sawDefault = false;
    auto& descriptor = Device::descriptor;

    const auto wrapListedInstances = [&](const hidl_vec<hidl_string>& names) {
        for (auto& name : names) {
            if (name == "default") sawDefault = true;
            auto device = Device::getService(name);
            CHECK(device) << "Failed to get service for " << descriptor << " with interface name "
                          << name;
            devices.push_back(std::make_unique<Wrapper>(device, name));
        }
    };
    serviceManager->listManifestByInterface(descriptor, wrapListedInstances);

    if (!sawDefault) {
        // The listing did not include "default"; there may still be a passthrough
        // implementation registered under that name.
        auto device = Device::getService("default");
        if (device) devices.push_back(std::make_unique<Wrapper>(device, "default"));
    }

    return devices;
}
110 
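// Emits an ERROR log with implementation details when `ec` falls in the vendor-specific
// error range (numeric value <= -10000). Codes above that threshold produce no output.
void Keymaster::logIfKeymasterVendorError(ErrorCode ec) const {
    static constexpr int32_t k_keymaster_vendor_error_code_range_max = -10000;
    const int32_t code = static_cast<int32_t>(ec);
    if (code > k_keymaster_vendor_error_code_range_max) return;

    const auto& versionInfo = halVersion();
    // majorVersion is widened before streaming so it is always rendered as a number. If the
    // field is an 8-bit integer (TODO confirm against the type returned by halVersion()),
    // inserting it directly would emit a raw character and garble the triage message.
    LOG(ERROR) << "Keymaster reported error: " << code << "\n"
               << "NOTE: This is an error in the vendor specific error range.\n"
               << "      Refer to the vendor of the implementation for details.\n"
               << "      Implementation name: " << versionInfo.keymasterName << "\n"
               << "      Vendor name:         " << versionInfo.authorName << "\n"
               << "      MajorVersion:        "
               << static_cast<uint32_t>(versionInfo.majorVersion);
}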
123 
// Returns every Keymaster HAL that can be found: Keymaster4 wrappers and Keymaster3 wrappers
// merged into one set, sorted in descending halVersion() order, and listed in the INFO log.
//
// Aborts the process via CHECK when the service manager itself cannot be retrieved.
Keymaster::KeymasterSet Keymaster::enumerateAvailableDevices() {
    auto serviceManager = IServiceManager::getService();
    CHECK(serviceManager) << "Could not retrieve ServiceManager";

    auto hals = enumerateDevices<Keymaster4>(serviceManager);
    auto km3Hals = enumerateDevices<Keymaster3>(serviceManager);

    // Move the Keymaster3 wrappers behind the Keymaster4 ones; the sort below fixes the order.
    hals.insert(hals.end(), std::make_move_iterator(km3Hals.begin()),
                std::make_move_iterator(km3Hals.end()));

    // NOTE(review): the resulting order is whatever operator> on halVersion() defines, and
    // std::sort is not stable, so HALs that compare equal have no guaranteed relative order.
    // Confirm whether any caller relies on which entry comes first.
    const auto higherVersionFirst = [](auto& lhs, auto& rhs) {
        return lhs->halVersion() > rhs->halVersion();
    };
    std::sort(hals.begin(), hals.end(), higherVersionFirst);

    LOG(INFO) << "List of Keymaster HALs found:";
    size_t ordinal = 1;
    for (auto& hal : hals) {
        LOG(INFO) << "Keymaster HAL #" << ordinal++ << ": " << *hal;
    }

    return hals;
}
144 
// Gathers the HMAC sharing parameters of every HAL whose major version is at least 4 and
// returns them sorted, so that the same ordered list can be handed to each HAL afterwards.
//
// Any failure (an error code other than OK, or a transport failure) aborts the process via
// CHECK; there is no partial result.
static hidl_vec<HmacSharingParameters> getHmacParameters(
        const Keymaster::KeymasterSet& keymasters) {
    std::vector<HmacSharingParameters> collected;
    collected.reserve(keymasters.size());

    for (auto& keymaster : keymasters) {
        // HALs below major version 4 are skipped.
        const bool isV4OrLater = keymaster->halVersion().majorVersion >= 4;
        if (!isV4OrLater) continue;

        auto rc = keymaster->getHmacSharingParameters([&](auto error, auto& params) {
            CHECK(error == V4_0::ErrorCode::OK)
                    << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
            collected.push_back(params);
        });
        // The callback result and the transport result are checked independently.
        CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
                         << " error: " << rc.description();
    }

    std::sort(collected.begin(), collected.end());
    return collected;
}
163 
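// Asks every HAL whose major version is at least 4 to compute the shared HMAC from `params`
// and compares the sharing-check value each one returns against the first one received.
//
// Does nothing when `params` is empty. An error code other than OK or a transport failure
// aborts the process via CHECK.
//
// NOTE(review): a sharing-check mismatch is only logged at WARNING and the loop continues;
// the function returns void, so callers get no signal that the HALs disagreed. Confirm that
// this is the intended policy.
// NOTE(review): the warning prints both sharing-check values; confirm they are acceptable to
// expose to log readers.
static void computeHmac(const Keymaster::KeymasterSet& keymasters,
                        const hidl_vec<HmacSharingParameters>& params) {
    if (!params.size()) return;

    hidl_vec<uint8_t> sharingCheck;
    bool firstKeymaster = true;
    LOG(DEBUG) << "Computing HMAC with params " << params;
    for (auto& keymaster : keymasters) {
        // HALs below major version 4 are skipped.
        if (keymaster->halVersion().majorVersion < 4) continue;
        LOG(DEBUG) << "Computing HMAC for " << *keymaster;
        auto rc = keymaster->computeSharedHmac(
                params, [&](V4_0::ErrorCode error, const hidl_vec<uint8_t>& curSharingCheck) {
                    // This message names the operation that actually failed, so a fatal log
                    // is not mistaken for a failure while fetching the sharing parameters.
                    CHECK(error == V4_0::ErrorCode::OK) << "Failed to compute shared HMAC on "
                                                        << *keymaster << " error " << error;
                    // The first HAL's value becomes the reference for all later ones.
                    if (firstKeymaster) {
                        sharingCheck = curSharingCheck;
                        firstKeymaster = false;
                    }
                    if (curSharingCheck != sharingCheck)
                        LOG(WARNING) << "HMAC computation failed for " << *keymaster  //
                                     << " Expected: " << sharingCheck                 //
                                     << " got: " << curSharingCheck;
                });
        CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
                         << " error: " << rc.description();
    }
}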
191 
// Runs HMAC key agreement over `keymasters`: first collects the sharing parameters, then has
// the HALs compute the shared HMAC from that list.
void Keymaster::performHmacKeyAgreement(const KeymasterSet& keymasters) {
    const auto sharingParams = getHmacParameters(keymasters);
    computeHmac(keymasters, sharingParams);
}
195 
196 }  // namespace V4_1::support
197 }  // namespace keymaster
198 }  // namespace android::hardware
199