Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2016 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | #include "Keymaster3.h" |
| 18 | |
| 19 | //#include <android-base/logging.h> |
| 20 | #include <keystore/keymaster_tags.h> |
| 21 | #include <keystore/authorization_set.h> |
| 22 | #include <keystore/keystore_hidl_support.h> |
| 23 | |
| 24 | #include <iostream> |
| 25 | #define ERROR 1 |
| 26 | #define LOG(x) std::cout |
| 27 | |
| 28 | using namespace ::keystore; |
| 29 | using android::hardware::hidl_string; |
| 30 | |
| 31 | namespace android { |
| 32 | namespace vold { |
| 33 | |
| 34 | KeymasterOperation::~KeymasterOperation() { |
| 35 | if (mDevice.get()) mDevice->abort(mOpHandle); |
| 36 | } |
| 37 | |
| 38 | bool KeymasterOperation::updateCompletely(const std::string& input, std::string* output) { |
| 39 | if (output) |
| 40 | output->clear(); |
| 41 | auto it = input.begin(); |
| 42 | uint32_t inputConsumed; |
| 43 | |
| 44 | ErrorCode km_error; |
| 45 | auto hidlCB = [&] (ErrorCode ret, uint32_t _inputConsumed, |
| 46 | const hidl_vec<KeyParameter>& /*ignored*/, const hidl_vec<uint8_t>& _output) { |
| 47 | km_error = ret; |
| 48 | if (km_error != ErrorCode::OK) return; |
| 49 | inputConsumed = _inputConsumed; |
| 50 | if (output) |
| 51 | output->append(reinterpret_cast<const char*>(&_output[0]), _output.size()); |
| 52 | }; |
| 53 | |
| 54 | while (it != input.end()) { |
| 55 | size_t toRead = static_cast<size_t>(input.end() - it); |
| 56 | auto inputBlob = blob2hidlVec(reinterpret_cast<const uint8_t*>(&*it), toRead); |
| 57 | auto error = mDevice->update(mOpHandle, hidl_vec<KeyParameter>(), inputBlob, hidlCB); |
| 58 | if (!error.isOk()) { |
| 59 | LOG(ERROR) << "update failed: " << error.description(); |
| 60 | mDevice = nullptr; |
| 61 | return false; |
| 62 | } |
| 63 | if (km_error != ErrorCode::OK) { |
| 64 | LOG(ERROR) << "update failed, code " << int32_t(km_error); |
| 65 | mDevice = nullptr; |
| 66 | return false; |
| 67 | } |
| 68 | if (inputConsumed > toRead) { |
| 69 | LOG(ERROR) << "update reported too much input consumed"; |
| 70 | mDevice = nullptr; |
| 71 | return false; |
| 72 | } |
| 73 | it += inputConsumed; |
| 74 | } |
| 75 | return true; |
| 76 | } |
| 77 | |
| 78 | bool KeymasterOperation::finish(std::string* output) { |
| 79 | ErrorCode km_error; |
| 80 | auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& /*ignored*/, |
| 81 | const hidl_vec<uint8_t>& _output) { |
| 82 | km_error = ret; |
| 83 | if (km_error != ErrorCode::OK) return; |
| 84 | if (output) |
| 85 | output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size()); |
| 86 | }; |
| 87 | auto error = mDevice->finish(mOpHandle, hidl_vec<KeyParameter>(), hidl_vec<uint8_t>(), |
| 88 | hidl_vec<uint8_t>(), hidlCb); |
| 89 | mDevice = nullptr; |
| 90 | if (!error.isOk()) { |
| 91 | LOG(ERROR) << "finish failed: " << error.description(); |
| 92 | return false; |
| 93 | } |
| 94 | if (km_error != ErrorCode::OK) { |
| 95 | LOG(ERROR) << "finish failed, code " << int32_t(km_error); |
| 96 | return false; |
| 97 | } |
| 98 | return true; |
| 99 | } |
| 100 | |
| 101 | Keymaster::Keymaster() { |
| 102 | mDevice = ::android::hardware::keymaster::V3_0::IKeymasterDevice::getService(); |
| 103 | } |
| 104 | |
| 105 | /*bool Keymaster::generateKey(const AuthorizationSet& inParams, std::string* key) { |
| 106 | ErrorCode km_error; |
| 107 | auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& keyBlob, |
| 108 | const KeyCharacteristics& /*ignored* /) { |
| 109 | km_error = ret; |
| 110 | if (km_error != ErrorCode::OK) return; |
| 111 | if (key) |
| 112 | key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size()); |
| 113 | }; |
| 114 | |
| 115 | auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb); |
| 116 | if (!error.isOk()) { |
| 117 | LOG(ERROR) << "generate_key failed: " << error.description(); |
| 118 | return false; |
| 119 | } |
| 120 | if (km_error != ErrorCode::OK) { |
| 121 | LOG(ERROR) << "generate_key failed, code " << int32_t(km_error); |
| 122 | return false; |
| 123 | } |
| 124 | return true; |
| 125 | }*/ |
| 126 | |
| 127 | bool Keymaster::deleteKey(const std::string& key) { |
| 128 | LOG(ERROR) << "NOT deleting key in TWRP"; |
| 129 | return false; |
| 130 | /*auto keyBlob = blob2hidlVec(key); |
| 131 | auto error = mDevice->deleteKey(keyBlob); |
| 132 | if (!error.isOk()) { |
| 133 | LOG(ERROR) << "delete_key failed: " << error.description(); |
| 134 | return false; |
| 135 | } |
| 136 | if (ErrorCode(error) != ErrorCode::OK) { |
| 137 | LOG(ERROR) << "delete_key failed, code " << uint32_t(ErrorCode(error)); |
| 138 | return false; |
| 139 | } |
| 140 | return true;*/ |
| 141 | } |
| 142 | |
| 143 | bool Keymaster::upgradeKey(const std::string& oldKey, const AuthorizationSet& inParams, |
| 144 | std::string* newKey) { |
| 145 | auto oldKeyBlob = blob2hidlVec(oldKey); |
| 146 | ErrorCode km_error; |
| 147 | auto hidlCb = [&] (ErrorCode ret, const hidl_vec<uint8_t>& upgradedKeyBlob) { |
| 148 | km_error = ret; |
| 149 | if (km_error != ErrorCode::OK) return; |
| 150 | if (newKey) |
| 151 | newKey->assign(reinterpret_cast<const char*>(&upgradedKeyBlob[0]), |
| 152 | upgradedKeyBlob.size()); |
| 153 | }; |
| 154 | auto error = mDevice->upgradeKey(oldKeyBlob, inParams.hidl_data(), hidlCb); |
| 155 | if (!error.isOk()) { |
| 156 | LOG(ERROR) << "upgrade_key failed: " << error.description(); |
| 157 | return false; |
| 158 | } |
| 159 | if (km_error != ErrorCode::OK) { |
| 160 | LOG(ERROR) << "upgrade_key failed, code " << int32_t(km_error); |
| 161 | return false; |
| 162 | } |
| 163 | return true; |
| 164 | } |
| 165 | |
| 166 | KeymasterOperation Keymaster::begin(KeyPurpose purpose, const std::string& key, |
| 167 | const AuthorizationSet& inParams, |
| 168 | AuthorizationSet* outParams) { |
| 169 | auto keyBlob = blob2hidlVec(key); |
| 170 | uint64_t mOpHandle; |
| 171 | ErrorCode km_error; |
| 172 | |
| 173 | auto hidlCb = [&] (ErrorCode ret, const hidl_vec<KeyParameter>& _outParams, |
| 174 | uint64_t operationHandle) { |
| 175 | km_error = ret; |
| 176 | if (km_error != ErrorCode::OK) return; |
| 177 | if (outParams) |
| 178 | *outParams = _outParams; |
| 179 | mOpHandle = operationHandle; |
| 180 | }; |
| 181 | |
| 182 | auto error = mDevice->begin(purpose, keyBlob, inParams.hidl_data(), hidlCb); |
| 183 | if (!error.isOk()) { |
| 184 | LOG(ERROR) << "begin failed: " << error.description(); |
| 185 | return KeymasterOperation(ErrorCode::UNKNOWN_ERROR); |
| 186 | } |
| 187 | if (km_error != ErrorCode::OK) { |
| 188 | LOG(ERROR) << "begin failed, code " << int32_t(km_error); |
| 189 | return KeymasterOperation(km_error); |
| 190 | } |
| 191 | return KeymasterOperation(mDevice, mOpHandle); |
| 192 | } |
| 193 | bool Keymaster::isSecure() { |
| 194 | bool _isSecure = false; |
| 195 | auto rc = mDevice->getHardwareFeatures( |
| 196 | [&] (bool isSecure, bool, bool, bool, bool, const hidl_string&, const hidl_string&) { |
| 197 | _isSecure = isSecure; }); |
| 198 | return rc.isOk() && _isSecure; |
| 199 | } |
| 200 | |
| 201 | } // namespace vold |
| 202 | } // namespace android |
| 203 | |
| 204 | using namespace ::android::vold; |
| 205 | |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 206 | /* |
Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 207 | int keymaster_compatibility_cryptfs_scrypt() { |
| 208 | Keymaster dev; |
| 209 | if (!dev) { |
| 210 | LOG(ERROR) << "Failed to initiate keymaster session"; |
| 211 | return -1; |
| 212 | } |
| 213 | return dev.isSecure(); |
| 214 | } |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 215 | */ |
Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 216 | |
| 217 | /*int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, |
| 218 | uint64_t rsa_exponent, |
| 219 | uint32_t ratelimit, |
| 220 | uint8_t* key_buffer, |
| 221 | uint32_t key_buffer_size, |
| 222 | uint32_t* key_out_size) |
| 223 | { |
| 224 | Keymaster dev; |
| 225 | std::string key; |
| 226 | if (!dev) { |
| 227 | LOG(ERROR) << "Failed to initiate keymaster session"; |
| 228 | return -1; |
| 229 | } |
| 230 | if (!key_buffer || !key_out_size) { |
| 231 | LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument"; |
| 232 | return -1; |
| 233 | } |
| 234 | if (key_out_size) { |
| 235 | *key_out_size = 0; |
| 236 | } |
| 237 | |
| 238 | auto paramBuilder = AuthorizationSetBuilder() |
| 239 | .Authorization(TAG_ALGORITHM, Algorithm::RSA) |
| 240 | .Authorization(TAG_KEY_SIZE, rsa_key_size) |
| 241 | .Authorization(TAG_RSA_PUBLIC_EXPONENT, rsa_exponent) |
| 242 | .Authorization(TAG_PURPOSE, KeyPurpose::SIGN) |
| 243 | .Authorization(TAG_PADDING, PaddingMode::NONE) |
| 244 | .Authorization(TAG_DIGEST, Digest::NONE) |
| 245 | .Authorization(TAG_BLOB_USAGE_REQUIREMENTS, |
| 246 | KeyBlobUsageRequirements::STANDALONE) |
| 247 | .Authorization(TAG_NO_AUTH_REQUIRED) |
| 248 | .Authorization(TAG_MIN_SECONDS_BETWEEN_OPS, ratelimit); |
| 249 | |
| 250 | if (!dev.generateKey(paramBuilder, &key)) { |
| 251 | return -1; |
| 252 | } |
| 253 | |
| 254 | if (key_out_size) { |
| 255 | *key_out_size = key.size(); |
| 256 | } |
| 257 | |
| 258 | if (key_buffer_size < key.size()) { |
| 259 | return -1; |
| 260 | } |
| 261 | |
| 262 | std::copy(key.data(), key.data() + key.size(), key_buffer); |
| 263 | return 0; |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 264 | }*/ |
Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 265 | |
| 266 | int keymaster_sign_object_for_cryptfs_scrypt(const uint8_t* key_blob, |
| 267 | size_t key_blob_size, |
| 268 | uint32_t ratelimit, |
| 269 | const uint8_t* object, |
| 270 | const size_t object_size, |
| 271 | uint8_t** signature_buffer, |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 272 | size_t* signature_buffer_size, |
| 273 | uint8_t* key_buffer, |
| 274 | uint32_t key_buffer_size, |
| 275 | uint32_t* key_out_size) |
Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 276 | { |
| 277 | Keymaster dev; |
| 278 | if (!dev) { |
| 279 | LOG(ERROR) << "Failed to initiate keymaster session"; |
| 280 | return -1; |
| 281 | } |
| 282 | if (!key_blob || !object || !signature_buffer || !signature_buffer_size) { |
| 283 | LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument"; |
| 284 | return -1; |
| 285 | } |
| 286 | |
| 287 | AuthorizationSet outParams; |
| 288 | std::string key(reinterpret_cast<const char*>(key_blob), key_blob_size); |
| 289 | std::string input(reinterpret_cast<const char*>(object), object_size); |
| 290 | std::string output; |
| 291 | KeymasterOperation op; |
| 292 | |
| 293 | auto paramBuilder = AuthorizationSetBuilder() |
| 294 | .Authorization(TAG_PADDING, PaddingMode::NONE) |
| 295 | .Authorization(TAG_DIGEST, Digest::NONE); |
| 296 | |
| 297 | while (true) { |
| 298 | op = dev.begin(KeyPurpose::SIGN, key, paramBuilder, &outParams); |
| 299 | if (op.errorCode() == ErrorCode::KEY_RATE_LIMIT_EXCEEDED) { |
| 300 | sleep(ratelimit); |
| 301 | continue; |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 302 | } else if (op.errorCode() == ErrorCode::KEY_REQUIRES_UPGRADE) { |
| 303 | std::string newKey; |
| 304 | bool ret = dev.upgradeKey(key, paramBuilder, &newKey); |
| 305 | if(ret == false) { |
| 306 | LOG(ERROR) << "Error upgradeKey: "; |
| 307 | return -1; |
| 308 | } |
| 309 | |
| 310 | if (key_out_size) { |
| 311 | *key_out_size = newKey.size(); |
| 312 | } |
| 313 | |
| 314 | if (key_buffer_size < newKey.size()) { |
| 315 | LOG(ERROR) << "key buffer size is too small"; |
| 316 | return -1; |
| 317 | } |
| 318 | |
| 319 | std::copy(newKey.data(), newKey.data() + newKey.size(), key_buffer); |
| 320 | key = newKey; |
Ethan Yonker | fefe591 | 2017-09-30 22:22:13 -0500 | [diff] [blame] | 321 | } else break; |
| 322 | } |
| 323 | |
| 324 | if (op.errorCode() != ErrorCode::OK) { |
| 325 | LOG(ERROR) << "Error starting keymaster signature transaction: " << int32_t(op.errorCode()); |
| 326 | return -1; |
| 327 | } |
| 328 | |
| 329 | if (!op.updateCompletely(input, &output)) { |
| 330 | LOG(ERROR) << "Error sending data to keymaster signature transaction: " |
| 331 | << uint32_t(op.errorCode()); |
| 332 | return -1; |
| 333 | } |
| 334 | |
| 335 | if (!op.finish(&output)) { |
| 336 | LOG(ERROR) << "Error finalizing keymaster signature transaction: " << int32_t(op.errorCode()); |
| 337 | return -1; |
| 338 | } |
| 339 | |
| 340 | *signature_buffer = reinterpret_cast<uint8_t*>(malloc(output.size())); |
| 341 | if (*signature_buffer == nullptr) { |
| 342 | LOG(ERROR) << "Error allocation buffer for keymaster signature"; |
| 343 | return -1; |
| 344 | } |
| 345 | *signature_buffer_size = output.size(); |
| 346 | std::copy(output.data(), output.data() + output.size(), *signature_buffer); |
| 347 | return 0; |
Ethan Yonker | 98661c1 | 2018-10-17 08:39:28 -0500 | [diff] [blame] | 348 | } |