1 /*
2  *  Copyright (C) 2012 The Android Open Source Project
3  *
4  *  Licensed under the Apache License, Version 2.0 (the "License"); you
5  *  may not use this file except in compliance with the License.  You may
6  *  obtain a copy of the License at
7  *
8  *  http://www.apache.org/licenses/LICENSE-2.0
9  *
10  *  Unless required by applicable law or agreed to in writing, software
11  *  distributed under the License is distributed on an "AS IS" BASIS,
12  *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
13  *  implied.  See the License for the specific language governing
14  *  permissions and limitations under the License.
15  */
16 
17 #ifndef ANDROID_HARDWARE_QCOM_KEYMASTER_H
18 #define ANDROID_HARDWARE_QCOM_KEYMASTER_H
19 
20 #include <stdint.h>
21 #include <sys/cdefs.h>
22 #include <sys/types.h>
23 
24 __BEGIN_DECLS
25 
26 #ifdef _ION_HEAP_MASK_COMPATIBILITY_WA
27 #define ION_HEAP_MASK heap_mask
28 #else
29 #define ION_HEAP_MASK heap_id_mask
30 #endif
31 
32 /**
33  * The id of this module
34  */
35 #define QCOM_KEYSTORE_KEYMASTER "qcom_keymaster"
36 /**
37  * Operation result
38  */
39 #define KEYMATER_SUCCESS  0
40 #define KEYMASTER_FAILURE  -1
41 
42 /**
43  * The API level of this version of the header. The allows the implementing
44  * module to recognize which API level of the client it is dealing with in
45  * the case of pre-compiled binary clients.
46  */
47 #define QCOM_KEYMASTER_API_VERSION KEYMASTER_MODULE_API_VERSION_0_3
48 
49 #define KM_MAGIC_NUM     (0x4B4D4B42)    /* "KMKB" Key Master Key Blob in hex */
50 #define KM_KEY_SIZE_MAX  (512)           /* 4096 bits */
51 #define KM_IV_LENGTH     (16)            /* AES128 CBC IV */
52 #define KM_HMAC_LENGTH   (32)            /* SHA2 will be used for HMAC  */
53 
54 struct  qcom_km_key_blob {
55   uint32_t magic_num;
56   uint32_t version_num;
57   uint8_t  modulus[KM_KEY_SIZE_MAX];
58   uint32_t modulus_size;
59   uint8_t  public_exponent[KM_KEY_SIZE_MAX];
60   uint32_t public_exponent_size;
61   uint8_t  iv[KM_IV_LENGTH];
62   uint8_t  encrypted_private_exponent[KM_KEY_SIZE_MAX];
63   uint32_t encrypted_private_exponent_size;
64   uint8_t  hmac[KM_HMAC_LENGTH];
65 };
66 typedef struct  qcom_km_key_blob qcom_km_key_blob_t;
67 /**
68  * Commands supported
69  */
70 enum  keymaster_cmd_t {
71     /*
72      * List the commands supportedin by the hardware.
73      */
74     KEYMASTER_GENERATE_KEYPAIR = 0x00000001,
75     KEYMASTER_IMPORT_KEYPAIR = 0x00000002,
76     KEYMASTER_SIGN_DATA = 0x00000003,
77     KEYMASTER_VERIFY_DATA = 0x00000004,
78 };
79 
80 
81 /**
82  * Command to Generate a public and private key. The key data returned
83  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
84  *
85  * cmd_id       : Command issue to secure app
86  * key_type     : Currently on RSA_TYPE is supported
87  * rsa_params   : Parameters needed to generate an RSA key
88  */
89  struct keymaster_gen_keypair_cmd {
90       keymaster_cmd_t               cmd_id;
91       keymaster_keypair_t           key_type;
92       keymaster_rsa_keygen_params_t rsa_params;
93 };
94 typedef struct keymaster_gen_keypair_cmd keymaster_gen_keypair_cmd_t;
95 
96 /**
97  * Response to Generate a public and private key. The key data returned
98  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
99  *
100  * cmd_id       : Command issue to secure app
101  * key_blob     : key blob data
102  * key_blob_len : Total length of key blob information
103  * status       : Result (success 0, or failure -1)
104  */
105 struct keymaster_gen_keypair_resp {
106       keymaster_cmd_t     cmd_id;
107       qcom_km_key_blob_t  key_blob;
108       size_t              key_blob_len;
109       int32_t             status;
110 };
111 typedef struct keymaster_gen_keypair_resp keymaster_gen_keypair_resp_t;
112 
113 
114 /**
115  * Command to import a public and private key pair. The imported keys
116  * will be in PKCS#8 format with DER encoding (Java standard). The key
117  * data returned (by secure app) is in shared buffer at offset of
118  * "key_blob" and is opaque
119  *
120  * cmd_id       : Command issue to secure app
121  * pkcs8_key    : Pointer to  pkcs8 formatted key information
122  * pkcs8_key_len: PKCS8 formatted key length
123  */
124 struct keymaster_import_keypair_cmd {
125       keymaster_cmd_t cmd_id;
126       uint32_t        pkcs8_key;
127       size_t          pkcs8_key_len;
128 };
129 typedef struct keymaster_import_keypair_cmd keymaster_import_keypair_cmd_t;
130 
131 /**
132  * Response to import a public and private key. The key data returned
133  * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
134  *
135  * cmd_id       : Command issue to secure app
136  * key_blob     : key blob data
137  * key_blob_len : Total length of key blob information
138  * status       : Result (success 0, or failure -1)
139  */
140 struct keymaster_import_keypair_resp {
141       keymaster_cmd_t     cmd_id;
142       qcom_km_key_blob_t  key_blob;
143       size_t              key_blob_len;
144       int32_t             status;
145 };
146 typedef struct keymaster_import_keypair_resp keymaster_import_keypair_resp_t;
147 
148 /**
149  * Command to sign data using a key info generated before. This can use either
150  * an asymmetric key or a secret key.
151  * The signed data is returned (by secure app) at offset of data + dlen.
152  *
153  * cmd_id      : Command issue to secure app
154  * sign_param  :
155  * key_blob    : Key data information (in shared buffer)
156  * data        : Pointer to plain data buffer
157  * dlen        : Plain data length
158  */
159 struct keymaster_sign_data_cmd {
160       keymaster_cmd_t               cmd_id;
161       keymaster_rsa_sign_params_t   sign_param;
162       qcom_km_key_blob_t            key_blob;
163       uint32_t                      data;
164       size_t                        dlen;
165 };
166 typedef struct keymaster_sign_data_cmd keymaster_sign_data_cmd_t;
167 
168 /**
169  * Response to sign data response
170  *
171  * cmd_id      : Command issue to secure app
172  * signed_data : signature
173  * sig_len     : Signed data length
174  * status      : Result (success 0, or failure -1)
175  */
176 struct keymaster_sign_data_resp {
177       keymaster_cmd_t     cmd_id;
178       uint8_t             signed_data[KM_KEY_SIZE_MAX];
179       size_t              sig_len;
180       int32_t             status;
181 };
182 
183 typedef struct keymaster_sign_data_resp keymaster_sign_data_resp_t;
184 
185 /**
186  * Command to verify data using a key info generated before. This can use either
187  * an asymmetric key or a secret key.
188  *
189  * cmd_id      : Command issue to secure app
190  * sign_param  :
191  * key_blob    : Key data information (in shared buffer)
192  * key_blob_len: Total key length
193  * signed_data : Pointer to signed data buffer
194  * signed_dlen : Signed data length
195  * signature   : Offset to the signature data buffer (from signed data buffer)
196  * slen        : Signature data length
197  */
198 struct keymaster_verify_data_cmd {
199       keymaster_cmd_t cmd_id;
200       keymaster_rsa_sign_params_t   sign_param;
201       qcom_km_key_blob_t            key_blob;
202       uint32_t                      signed_data;
203       size_t                        signed_dlen;
204       uint32_t                      signature;
205       size_t                        slen;
206 };
207 typedef struct keymaster_verify_data_cmd keymaster_verify_data_cmd_t;
208 /**
209  * Response to verify data
210  *
211  * cmd_id      : Command issue to secure app
212  * status      : Result (success 0, or failure -1)
213  */
214 struct  keymaster_verify_data_resp {
215       keymaster_cmd_t     cmd_id;
216       int32_t             status;
217 };
218 typedef struct keymaster_verify_data_resp keymaster_verify_data_resp_t;
219 
220 __END_DECLS
221 
222 #endif  // ANDROID_HARDWARE_QCOM_KEYMASTER_H
223