1 /* 2 * Copyright 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_ 18 #define SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_ 19 20 #include <memory> 21 #include <string> 22 23 #include <openssl/evp.h> 24 25 #include <hardware/keymaster0.h> 26 #include <hardware/keymaster1.h> 27 28 #include <keymaster/attestation_record.h> 29 #include <keymaster/keymaster_context.h> 30 #include <keymaster/km_openssl/software_random_source.h> 31 #include <keymaster/soft_key_factory.h> 32 #include <keymaster/random_source.h> 33 34 namespace keymaster { 35 36 class SoftKeymasterKeyRegistrations; 37 class Keymaster0Engine; 38 class Keymaster1Engine; 39 class Key; 40 41 /** 42 * SoftKeymasterContext provides the context for a non-secure implementation of AndroidKeymaster. 43 */ 44 class SoftKeymasterContext: public KeymasterContext, SoftwareKeyBlobMaker, SoftwareRandomSource, 45 AttestationRecordContext { 46 public: 47 explicit SoftKeymasterContext(const std::string& root_of_trust = "SW"); 48 ~SoftKeymasterContext() override; 49 50 /** 51 * Use the specified HW keymaster0 device for the operations it supports. Takes ownership of 52 * the specified device (will call keymaster0_device->common.close()); 53 */ 54 keymaster_error_t SetHardwareDevice(keymaster0_device_t* keymaster0_device); 55 56 /** 57 * Use the specified HW keymaster1 device for performing undigested RSA and EC operations after 58 * digesting has been done in software. Takes ownership of the specified device (will call 59 * keymaster1_device->common.close()); 60 */ 61 keymaster_error_t SetHardwareDevice(keymaster1_device_t* keymaster1_device); 62 63 /********************************************************************************************* 64 * Implement KeymasterContext 65 */ 66 keymaster_error_t SetSystemVersion(uint32_t os_version, uint32_t os_patchlevel) override; 67 void GetSystemVersion(uint32_t* os_version, uint32_t* os_patchlevel) const override; 68 69 KeyFactory* GetKeyFactory(keymaster_algorithm_t algorithm) const override; 70 OperationFactory* GetOperationFactory(keymaster_algorithm_t algorithm, 71 keymaster_purpose_t purpose) const override; 72 keymaster_algorithm_t* GetSupportedAlgorithms(size_t* algorithms_count) const override; 73 keymaster_error_t UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade, 74 const AuthorizationSet& upgrade_params, 75 KeymasterKeyBlob* upgraded_key) const override; 76 keymaster_error_t ParseKeyBlob(const KeymasterKeyBlob& blob, 77 const AuthorizationSet& additional_params, 78 UniquePtr<Key>* key) const override; 79 keymaster_error_t DeleteKey(const KeymasterKeyBlob& blob) const override; 80 keymaster_error_t DeleteAllKeys() const override; 81 keymaster_error_t AddRngEntropy(const uint8_t* buf, size_t length) const override; 82 83 keymaster_error_t GenerateAttestation(const Key& key, 84 const AuthorizationSet& attest_params, 85 CertChainPtr* cert_chain) const override; 86 87 keymaster_error_t 88 UnwrapKey(const KeymasterKeyBlob& wrapped_key_blob, const KeymasterKeyBlob& wrapping_key_blob, 89 const AuthorizationSet& wrapping_key_params, const KeymasterKeyBlob& masking_key, 90 AuthorizationSet* wrapped_key_params, keymaster_key_format_t* wrapped_key_format, 91 KeymasterKeyBlob* wrapped_key_material) const override; 92 enforcement_policy()93 KeymasterEnforcement* enforcement_policy() override { 94 // SoftKeymaster does no enforcement; it's all done by Keystore. 95 return nullptr; 96 } 97 98 /********************************************************************************************* 99 * Implement SoftwareKeyBlobMaker 100 */ 101 keymaster_error_t CreateKeyBlob(const AuthorizationSet& auths, keymaster_key_origin_t origin, 102 const KeymasterKeyBlob& key_material, KeymasterKeyBlob* blob, 103 AuthorizationSet* hw_enforced, 104 AuthorizationSet* sw_enforced) const override; 105 /*********************************************************************************************/ 106 107 /********************************************************************************************* 108 * Implement AttestationRecordContext 109 */ 110 111 keymaster_error_t GetVerifiedBootParams(keymaster_blob_t* verified_boot_key, 112 keymaster_blob_t* verified_boot_hash, 113 keymaster_verified_boot_t* verified_boot_state, 114 bool* device_locked) const override; 115 116 private: 117 keymaster_error_t ParseKeymaster1HwBlob(const KeymasterKeyBlob& blob, 118 const AuthorizationSet& additional_params, 119 KeymasterKeyBlob* key_material, 120 AuthorizationSet* hw_enforced, 121 AuthorizationSet* sw_enforced) const; 122 keymaster_error_t ParseKeymaster0HwBlob(const KeymasterKeyBlob& blob, 123 KeymasterKeyBlob* key_material, 124 AuthorizationSet* hw_enforced, 125 AuthorizationSet* sw_enforced) const; 126 127 std::unique_ptr<Keymaster0Engine> km0_engine_; 128 std::unique_ptr<Keymaster1Engine> km1_engine_; 129 std::unique_ptr<KeyFactory> rsa_factory_; 130 std::unique_ptr<KeyFactory> ec_factory_; 131 std::unique_ptr<KeyFactory> aes_factory_; 132 std::unique_ptr<KeyFactory> tdes_factory_; 133 std::unique_ptr<KeyFactory> hmac_factory_; 134 keymaster1_device* km1_dev_; 135 const KeymasterBlob root_of_trust_; 136 uint32_t os_version_; 137 uint32_t os_patchlevel_; 138 }; 139 140 } // namespace keymaster 141 142 #endif // SYSTEM_KEYMASTER_SOFT_KEYMASTER_CONTEXT_H_ 143