1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #pragma once
17 
18 #include <keymaster/soft_key_factory.h>
19 
20 #include "host/commands/secure_env/tpm_resource_manager.h"
21 
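/**
 * Encrypts key data using a TPM-resident key and signs it with a TPM-resident
 * key for privacy and integrity.
 *
 * This class is used to encrypt KeyMint data when it leaves the secure_env
 * process, and is sent for storage to Android. When the data comes back, this
 * class decrypts it again for use in Keymaster and other HAL API calls.
 *
 * Security note: between CreateKeyBlob and UnwrapKeyBlob the blob is held
 * outside the secure_env process, so every blob handed to UnwrapKeyBlob is
 * untrusted input until its signature has been checked.
 */
class TpmKeyBlobMaker : public keymaster::SoftwareKeyBlobMaker {
public:
  /**
   * @param resource_manager Non-owning pointer to the TPM resource manager.
   *     This header declares only a raw pointer member, so the pointee is
   *     presumably required to outlive this object and to be non-null;
   *     confirm against the constructor definition and its callers.
   *
   * Declared `explicit` so that a bare TpmResourceManager* is never silently
   * converted into a key blob maker.
   */
  explicit TpmKeyBlobMaker(TpmResourceManager* resource_manager);

  /**
   * Overrides keymaster::SoftwareKeyBlobMaker::CreateKeyBlob to produce the
   * protected form of `key_material` in `blob`.
   *
   * @param key_description Authorizations requested for the key.
   * @param origin How the key came into existence.
   * @param key_material Plaintext key material to protect.
   * @param blob Receives the wrapped key blob.
   * @param hw_enforced Authorization set written by this call; the split
   *     between hw_enforced and sw_enforced is decided in the implementation,
   *     which is not visible in this header.
   * @param sw_enforced See hw_enforced.
   * @return A keymaster_error_t status. Callers should not use `blob` or the
   *     authorization sets unless the call reports success.
   */
  keymaster_error_t CreateKeyBlob(
      const keymaster::AuthorizationSet& key_description,
      keymaster_key_origin_t origin,
      const keymaster::KeymasterKeyBlob& key_material,
      keymaster::KeymasterKeyBlob* blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced) const override;

  /**
   * Intermediate function between KeymasterContext::ParseKeyBlob and
   * KeyFactory::LoadKey. The inputs of this function match the outputs of
   * KeymasterContext::ParseKeyBlob and the outputs of this function match the
   * inputs of KeyFactory::LoadKey.
   *
   * KeymasterContext::ParseKeyBlob is the common entry point for decoding all
   * keys, and is expected to delegate to a KeyFactory depending on the type of
   * the serialized key. This method performs decryption operations shared
   * between all TPM-Keymaster keys.
   *
   * @param blob Wrapped key blob as returned from storage. Its bytes and its
   *     length are controlled by whoever stored it, so they must be validated
   *     before anything derived from them is trusted.
   * @param hw_enforced Receives the authorizations recovered from the blob.
   * @param sw_enforced Receives the authorizations recovered from the blob.
   * @param key_material Receives the decrypted key material.
   * @return A keymaster_error_t status. On any failure the output parameters
   *     must be treated as invalid by the caller.
   *
   * NOTE(review): the class comment promises integrity protection, so the
   * implementation is expected to verify the signature before the decrypted
   * contents are parsed or returned; confirm this ordering in the .cpp file.
   */
  keymaster_error_t UnwrapKeyBlob(
      const keymaster_key_blob_t& blob,
      keymaster::AuthorizationSet* hw_enforced,
      keymaster::AuthorizationSet* sw_enforced,
      keymaster::KeymasterKeyBlob* key_material) const;
private:
  // Non-owning; see the constructor for the lifetime expectation.
  TpmResourceManager* resource_manager_;
};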
61