/* ** ** Copyright 2018, The Android Open Source Project ** ** Licensed under the Apache License, Version 2.0 (the "License"); ** you may not use this file except in compliance with the License. ** You may obtain a copy of the License at ** ** http://www.apache.org/licenses/LICENSE-2.0 ** ** Unless required by applicable law or agreed to in writing, software ** distributed under the License is distributed on an "AS IS" BASIS, ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ** See the License for the specific language governing permissions and ** limitations under the License. */ #define LOG_TAG "android.hardware.keymaster@4.0-impl.remote" #include "remote_keymaster4_device.h" #include #include #include #include using ::keymaster::AbortOperationRequest; using ::keymaster::AbortOperationResponse; using ::keymaster::AddEntropyRequest; using ::keymaster::AddEntropyResponse; using ::keymaster::AttestKeyRequest; using ::keymaster::AttestKeyResponse; using ::keymaster::AuthorizationSet; using ::keymaster::BeginOperationRequest; using ::keymaster::BeginOperationResponse; using ::keymaster::ExportKeyRequest; using ::keymaster::ExportKeyResponse; using ::keymaster::FinishOperationRequest; using ::keymaster::FinishOperationResponse; using ::keymaster::GenerateKeyRequest; using ::keymaster::GenerateKeyResponse; using ::keymaster::GetKeyCharacteristicsRequest; using ::keymaster::GetKeyCharacteristicsResponse; using ::keymaster::ImportKeyRequest; using ::keymaster::ImportKeyResponse; using ::keymaster::UpdateOperationRequest; using ::keymaster::UpdateOperationResponse; using ::keymaster::ng::Tag; typedef ::android::hardware::keymaster::V3_0::Tag Tag3; using ::android::hardware::keymaster::V4_0::Constants; namespace keymaster { namespace V4_1 { namespace { inline keymaster_tag_t legacy_enum_conversion(const Tag value) { return keymaster_tag_t(value); } inline Tag legacy_enum_conversion(const keymaster_tag_t value) { return Tag(value); } inline keymaster_purpose_t legacy_enum_conversion(const KeyPurpose value) { return keymaster_purpose_t(value); } inline keymaster_key_format_t legacy_enum_conversion(const KeyFormat value) { return keymaster_key_format_t(value); } inline SecurityLevel legacy_enum_conversion(const keymaster_security_level_t value) { return static_cast(value); } inline hw_authenticator_type_t legacy_enum_conversion(const HardwareAuthenticatorType value) { return static_cast(value); } inline ErrorCode legacy_enum_conversion(const keymaster_error_t value) { return ErrorCode(value); } inline keymaster_tag_type_t typeFromTag(const keymaster_tag_t tag) { return keymaster_tag_get_type(tag); } /* * injectAuthToken translates a KM4 authToken into a legacy AUTH_TOKEN tag * * Currently, system/keymaster's reference implementation only accepts this * method for passing an auth token, so until that changes we need to * translate to the old format. */ inline hidl_vec injectAuthToken(const hidl_vec& keyParamsBase, const HardwareAuthToken& authToken) { std::vector keyParams(keyParamsBase); const size_t mac_len = static_cast(Constants::AUTH_TOKEN_MAC_LENGTH); /* * mac.size() == 0 indicates no token provided, so we should not copy. * mac.size() != mac_len means it is incompatible with the old * hw_auth_token_t structure. This is forbidden by spec, but to be safe * we only copy if mac.size() == mac_len, e.g. there is an authToken * with a hw_auth_token_t compatible MAC. */ if (authToken.mac.size() == mac_len) { KeyParameter p; p.tag = static_cast(Tag3::AUTH_TOKEN); p.blob.resize(sizeof(hw_auth_token_t)); hw_auth_token_t* auth_token = reinterpret_cast(p.blob.data()); auth_token->version = 0; auth_token->challenge = authToken.challenge; auth_token->user_id = authToken.userId; auth_token->authenticator_id = authToken.authenticatorId; auth_token->authenticator_type = htobe32(static_cast(authToken.authenticatorType)); auth_token->timestamp = htobe64(authToken.timestamp); static_assert(mac_len == sizeof(auth_token->hmac)); memcpy(auth_token->hmac, authToken.mac.data(), mac_len); keyParams.push_back(p); } return hidl_vec(std::move(keyParams)); } class KmParamSet : public keymaster_key_param_set_t { public: KmParamSet(const hidl_vec& keyParams) { params = new keymaster_key_param_t[keyParams.size()]; length = keyParams.size(); for (size_t i = 0; i < keyParams.size(); ++i) { auto tag = legacy_enum_conversion(keyParams[i].tag); switch (typeFromTag(tag)) { case KM_ENUM: case KM_ENUM_REP: params[i] = keymaster_param_enum(tag, keyParams[i].f.integer); break; case KM_UINT: case KM_UINT_REP: params[i] = keymaster_param_int(tag, keyParams[i].f.integer); break; case KM_ULONG: case KM_ULONG_REP: params[i] = keymaster_param_long(tag, keyParams[i].f.longInteger); break; case KM_DATE: params[i] = keymaster_param_date(tag, keyParams[i].f.dateTime); break; case KM_BOOL: if (keyParams[i].f.boolValue) params[i] = keymaster_param_bool(tag); else params[i].tag = KM_TAG_INVALID; break; case KM_BIGNUM: case KM_BYTES: params[i] = keymaster_param_blob(tag, &keyParams[i].blob[0], keyParams[i].blob.size()); break; case KM_INVALID: default: params[i].tag = KM_TAG_INVALID; /* just skip */ break; } } } KmParamSet(KmParamSet&& other) noexcept : keymaster_key_param_set_t{other.params, other.length} { other.length = 0; other.params = nullptr; } KmParamSet(const KmParamSet&) = delete; ~KmParamSet() { delete[] params; } }; inline hidl_vec kmBlob2hidlVec(const keymaster_key_blob_t& blob) { hidl_vec result; result.setToExternal(const_cast(blob.key_material), blob.key_material_size); return result; } inline hidl_vec kmBlob2hidlVec(const keymaster_blob_t& blob) { hidl_vec result; result.setToExternal(const_cast(blob.data), blob.data_length); return result; } inline hidl_vec kmBuffer2hidlVec(const ::keymaster::Buffer& buf) { hidl_vec result; result.setToExternal(const_cast(buf.peek_read()), buf.available_read()); return result; } inline static hidl_vec> kmCertChain2Hidl( const keymaster_cert_chain_t& cert_chain) { hidl_vec> result; if (!cert_chain.entry_count || !cert_chain.entries) return result; result.resize(cert_chain.entry_count); for (size_t i = 0; i < cert_chain.entry_count; ++i) { result[i] = kmBlob2hidlVec(cert_chain.entries[i]); } return result; } static inline hidl_vec kmParamSet2Hidl(const keymaster_key_param_set_t& set) { hidl_vec result; if (set.length == 0 || set.params == nullptr) return result; result.resize(set.length); keymaster_key_param_t* params = set.params; for (size_t i = 0; i < set.length; ++i) { auto tag = params[i].tag; result[i].tag = legacy_enum_conversion(tag); switch (typeFromTag(tag)) { case KM_ENUM: case KM_ENUM_REP: result[i].f.integer = params[i].enumerated; break; case KM_UINT: case KM_UINT_REP: result[i].f.integer = params[i].integer; break; case KM_ULONG: case KM_ULONG_REP: result[i].f.longInteger = params[i].long_integer; break; case KM_DATE: result[i].f.dateTime = params[i].date_time; break; case KM_BOOL: result[i].f.boolValue = params[i].boolean; break; case KM_BIGNUM: case KM_BYTES: result[i].blob.setToExternal(const_cast(params[i].blob.data), params[i].blob.data_length); break; case KM_INVALID: default: params[i].tag = KM_TAG_INVALID; /* just skip */ break; } } return result; } void addClientAndAppData(const hidl_vec& clientId, const hidl_vec& appData, ::keymaster::AuthorizationSet* params) { params->Clear(); if (clientId.size()) { params->push_back(::keymaster::TAG_APPLICATION_ID, clientId.data(), clientId.size()); } if (appData.size()) { params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size()); } } } // anonymous namespace RemoteKeymaster4Device::RemoteKeymaster4Device(RemoteKeymaster* impl) : impl_(impl) {} RemoteKeymaster4Device::~RemoteKeymaster4Device() {} Return RemoteKeymaster4Device::getHardwareInfo(getHardwareInfo_cb _hidl_cb) { _hidl_cb(SecurityLevel::TRUSTED_ENVIRONMENT, "RemoteKeymaster", "Google"); return Void(); } Return RemoteKeymaster4Device::getHmacSharingParameters( getHmacSharingParameters_cb _hidl_cb) { const GetHmacSharingParametersResponse response = impl_->GetHmacSharingParameters(); // response.params is not the same as the HIDL structure, we need to convert it HmacSharingParameters params; params.seed.setToExternal(const_cast(response.params.seed.data), response.params.seed.data_length); static_assert(sizeof(response.params.nonce) == params.nonce.size(), "Nonce sizes don't match"); memcpy(params.nonce.data(), response.params.nonce, params.nonce.size()); _hidl_cb(legacy_enum_conversion(response.error), params); return Void(); } Return RemoteKeymaster4Device::computeSharedHmac( const hidl_vec& params, computeSharedHmac_cb _hidl_cb) { ComputeSharedHmacRequest request; request.params_array.params_array = new keymaster::HmacSharingParameters[params.size()]; request.params_array.num_params = params.size(); for (size_t i = 0; i < params.size(); ++i) { request.params_array.params_array[i].seed = {params[i].seed.data(), params[i].seed.size()}; static_assert(sizeof(request.params_array.params_array[i].nonce) == decltype(params[i].nonce)::size(), "Nonce sizes don't match"); memcpy(request.params_array.params_array[i].nonce, params[i].nonce.data(), params[i].nonce.size()); } auto response = impl_->ComputeSharedHmac(request); hidl_vec sharing_check; if (response.error == KM_ERROR_OK) { sharing_check = kmBlob2hidlVec(response.sharing_check); } _hidl_cb(legacy_enum_conversion(response.error), sharing_check); return Void(); } Return RemoteKeymaster4Device::verifyAuthorization( uint64_t challenge, const hidl_vec& parametersToVerify, const HardwareAuthToken& authToken, verifyAuthorization_cb _hidl_cb) { VerifyAuthorizationRequest request; request.challenge = challenge; request.parameters_to_verify.Reinitialize(KmParamSet(parametersToVerify)); request.auth_token.challenge = authToken.challenge; request.auth_token.user_id = authToken.userId; request.auth_token.authenticator_id = authToken.authenticatorId; request.auth_token.authenticator_type = legacy_enum_conversion(authToken.authenticatorType); request.auth_token.timestamp = authToken.timestamp; KeymasterBlob mac(authToken.mac.data(), authToken.mac.size()); request.auth_token.mac = mac; auto response = impl_->VerifyAuthorization(request); ::android::hardware::keymaster::V4_0::VerificationToken token; token.challenge = response.token.challenge; token.timestamp = response.token.timestamp; token.parametersVerified = kmParamSet2Hidl(response.token.parameters_verified); token.securityLevel = legacy_enum_conversion(response.token.security_level); token.mac = kmBlob2hidlVec(response.token.mac); _hidl_cb(legacy_enum_conversion(response.error), token); return Void(); } Return RemoteKeymaster4Device::addRngEntropy(const hidl_vec& data) { if (data.size() == 0) return ErrorCode::OK; AddEntropyRequest request; request.random_data.Reinitialize(data.data(), data.size()); AddEntropyResponse response; impl_->AddRngEntropy(request, &response); return legacy_enum_conversion(response.error); } Return RemoteKeymaster4Device::generateKey(const hidl_vec& keyParams, generateKey_cb _hidl_cb) { GenerateKeyRequest request; request.key_description.Reinitialize(KmParamSet(keyParams)); GenerateKeyResponse response; impl_->GenerateKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return RemoteKeymaster4Device::getKeyCharacteristics(const hidl_vec& keyBlob, const hidl_vec& clientId, const hidl_vec& appData, getKeyCharacteristics_cb _hidl_cb) { GetKeyCharacteristicsRequest request; request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); addClientAndAppData(clientId, appData, &request.additional_params); GetKeyCharacteristicsResponse response; impl_->GetKeyCharacteristics(request, &response); KeyCharacteristics resultCharacteristics; if (response.error == KM_ERROR_OK) { resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultCharacteristics); return Void(); } Return RemoteKeymaster4Device::importKey(const hidl_vec& params, KeyFormat keyFormat, const hidl_vec& keyData, importKey_cb _hidl_cb) { ImportKeyRequest request; request.key_description.Reinitialize(KmParamSet(params)); request.key_format = legacy_enum_conversion(keyFormat); request.SetKeyMaterial(keyData.data(), keyData.size()); ImportKeyResponse response; impl_->ImportKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return RemoteKeymaster4Device::importWrappedKey( const hidl_vec& wrappedKeyData, const hidl_vec& wrappingKeyBlob, const hidl_vec& maskingKey, const hidl_vec& unwrappingParams, uint64_t passwordSid, uint64_t biometricSid, importWrappedKey_cb _hidl_cb) { ImportWrappedKeyRequest request; request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size()); request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size()); request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size()); request.additional_params.Reinitialize(KmParamSet(unwrappingParams)); request.password_sid = passwordSid; request.biometric_sid = biometricSid; ImportWrappedKeyResponse response; impl_->ImportWrappedKey(request, &response); KeyCharacteristics resultCharacteristics; hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob = kmBlob2hidlVec(response.key_blob); resultCharacteristics.hardwareEnforced = kmParamSet2Hidl(response.enforced); resultCharacteristics.softwareEnforced = kmParamSet2Hidl(response.unenforced); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob, resultCharacteristics); return Void(); } Return RemoteKeymaster4Device::exportKey(KeyFormat exportFormat, const hidl_vec& keyBlob, const hidl_vec& clientId, const hidl_vec& appData, exportKey_cb _hidl_cb) { ExportKeyRequest request; request.key_format = legacy_enum_conversion(exportFormat); request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); addClientAndAppData(clientId, appData, &request.additional_params); ExportKeyResponse response; impl_->ExportKey(request, &response); hidl_vec resultKeyBlob; if (response.error == KM_ERROR_OK) { resultKeyBlob.setToExternal(response.key_data, response.key_data_length); } _hidl_cb(legacy_enum_conversion(response.error), resultKeyBlob); return Void(); } Return RemoteKeymaster4Device::attestKey(const hidl_vec& keyToAttest, const hidl_vec& attestParams, attestKey_cb _hidl_cb) { AttestKeyRequest request; request.SetKeyMaterial(keyToAttest.data(), keyToAttest.size()); request.attest_params.Reinitialize(KmParamSet(attestParams)); AttestKeyResponse response; impl_->AttestKey(request, &response); hidl_vec> resultCertChain; if (response.error == KM_ERROR_OK) { resultCertChain = kmCertChain2Hidl(response.certificate_chain); } _hidl_cb(legacy_enum_conversion(response.error), resultCertChain); return Void(); } Return RemoteKeymaster4Device::upgradeKey(const hidl_vec& keyBlobToUpgrade, const hidl_vec& upgradeParams, upgradeKey_cb _hidl_cb) { UpgradeKeyRequest request; request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size()); request.upgrade_params.Reinitialize(KmParamSet(upgradeParams)); UpgradeKeyResponse response; impl_->UpgradeKey(request, &response); if (response.error == KM_ERROR_OK) { _hidl_cb(ErrorCode::OK, kmBlob2hidlVec(response.upgraded_key)); } else { _hidl_cb(legacy_enum_conversion(response.error), hidl_vec()); } return Void(); } Return RemoteKeymaster4Device::deleteKey(const hidl_vec& keyBlob) { DeleteKeyRequest request; request.SetKeyMaterial(keyBlob.data(), keyBlob.size()); DeleteKeyResponse response; impl_->DeleteKey(request, &response); return legacy_enum_conversion(response.error); } Return RemoteKeymaster4Device::deleteAllKeys() { DeleteAllKeysRequest request; DeleteAllKeysResponse response; impl_->DeleteAllKeys(request, &response); return legacy_enum_conversion(response.error); } Return RemoteKeymaster4Device::destroyAttestationIds() { return ErrorCode::UNIMPLEMENTED; } Return RemoteKeymaster4Device::begin(KeyPurpose purpose, const hidl_vec& key, const hidl_vec& inParams, const HardwareAuthToken& authToken, begin_cb _hidl_cb) { hidl_vec extendedParams = injectAuthToken(inParams, authToken); BeginOperationRequest request; request.purpose = legacy_enum_conversion(purpose); request.SetKeyMaterial(key.data(), key.size()); request.additional_params.Reinitialize(KmParamSet(extendedParams)); BeginOperationResponse response; impl_->BeginOperation(request, &response); hidl_vec resultParams; if (response.error == KM_ERROR_OK) { resultParams = kmParamSet2Hidl(response.output_params); } _hidl_cb(legacy_enum_conversion(response.error), resultParams, response.op_handle); return Void(); } Return RemoteKeymaster4Device::update(uint64_t operationHandle, const hidl_vec& inParams, const hidl_vec& input, const HardwareAuthToken& authToken, const VerificationToken& verificationToken, update_cb _hidl_cb) { (void)verificationToken; UpdateOperationRequest request; UpdateOperationResponse response; hidl_vec resultParams; hidl_vec resultBlob; hidl_vec extendedParams = injectAuthToken(inParams, authToken); uint32_t resultConsumed = 0; request.op_handle = operationHandle; request.additional_params.Reinitialize(KmParamSet(extendedParams)); // TODO(schuffelen): Set a buffer size limit. request.input.Reinitialize(input.data(), input.size()); impl_->UpdateOperation(request, &response); if (response.error == KM_ERROR_OK) { resultConsumed = response.input_consumed; resultParams = kmParamSet2Hidl(response.output_params); resultBlob = kmBuffer2hidlVec(response.output); } _hidl_cb(legacy_enum_conversion(response.error), resultConsumed, resultParams, resultBlob); return Void(); } Return RemoteKeymaster4Device::finish(uint64_t operationHandle, const hidl_vec& inParams, const hidl_vec& input, const hidl_vec& signature, const HardwareAuthToken& authToken, const VerificationToken& verificationToken, finish_cb _hidl_cb) { (void)verificationToken; FinishOperationRequest request; hidl_vec extendedParams = injectAuthToken(inParams, authToken); request.op_handle = operationHandle; request.input.Reinitialize(input.data(), input.size()); request.signature.Reinitialize(signature.data(), signature.size()); request.additional_params.Reinitialize(KmParamSet(extendedParams)); FinishOperationResponse response; impl_->FinishOperation(request, &response); hidl_vec resultParams; hidl_vec resultBlob; if (response.error == KM_ERROR_OK) { resultParams = kmParamSet2Hidl(response.output_params); resultBlob = kmBuffer2hidlVec(response.output); } _hidl_cb(legacy_enum_conversion(response.error), resultParams, resultBlob); return Void(); } Return RemoteKeymaster4Device::abort(uint64_t operationHandle) { AbortOperationRequest request; request.op_handle = operationHandle; AbortOperationResponse response; impl_->AbortOperation(request, &response); return legacy_enum_conversion(response.error); } Return RemoteKeymaster4Device::deviceLocked( bool passwordOnly, const VerificationToken& verificationToken) { keymaster::VerificationToken internal_verification_token; internal_verification_token.challenge = verificationToken.challenge; internal_verification_token.timestamp = verificationToken.timestamp; internal_verification_token.parameters_verified.Reinitialize( KmParamSet(verificationToken.parametersVerified)); internal_verification_token.security_level = static_cast(verificationToken.securityLevel); internal_verification_token.mac = KeymasterBlob(verificationToken.mac.data(), verificationToken.mac.size()); DeviceLockedRequest request( passwordOnly, std::move(internal_verification_token)); auto response = impl_->DeviceLocked(request); return ErrorCodeV41(response.error); } Return RemoteKeymaster4Device::earlyBootEnded() { auto response = impl_->EarlyBootEnded(); return ErrorCodeV41(response.error); } } // namespace V4_1 } // namespace keymaster