author | TreeHugger Robot <treehugger-gerrit@google.com> | 2022-06-02 20:44:44 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2022-06-02 20:44:44 +0000 |
commit | 529195438999bfc59f7c311ef0483701eb601039 (patch) | |
tree | 1d3965abde805d2b3fed5cd5dd346d59883f843c | |
parent | aaeb517ed1b12748340c0dd2ef98444e3f93abe4 (diff) | |
parent | 1a94f7b2453af9ce2c28e84f7b44e053ec37ce6e (diff) | |
Merge "Implement SE root of trust provisioning." into tm-dev
8 files changed, 52 insertions, 3 deletions
diff --git a/guest/hals/keymint/remote/remote_keymaster.cpp b/guest/hals/keymint/remote/remote_keymaster.cpp
index 6675810a0..763c13909 100644
--- a/guest/hals/keymint/remote/remote_keymaster.cpp
+++ b/guest/hals/keymint/remote/remote_keymaster.cpp
@@ -312,4 +312,11 @@ ConfigureVerifiedBootInfoResponse RemoteKeymaster::ConfigureVerifiedBootInfo(
 return response;
 }
+GetRootOfTrustResponse RemoteKeymaster::GetRootOfTrust(
+ const GetRootOfTrustRequest& request) {
+ GetRootOfTrustResponse response(message_version());
+ ForwardCommand(GET_ROOT_OF_TRUST, request, &response);
+ return response;
+}
+
 } // namespace keymaster
diff --git a/guest/hals/keymint/remote/remote_keymaster.h b/guest/hals/keymint/remote/remote_keymaster.h
index 240e6100e..2e0668f85 100644
--- a/guest/hals/keymint/remote/remote_keymaster.h
+++ b/guest/hals/keymint/remote/remote_keymaster.h
@@ -94,6 +94,7 @@ class RemoteKeymaster {
 const ConfigureVerifiedBootInfoRequest& request);
 void GenerateTimestampToken(GenerateTimestampTokenRequest& request,
 GenerateTimestampTokenResponse* response);
+ GetRootOfTrustResponse GetRootOfTrust(const GetRootOfTrustRequest& request);
 // CF HAL and remote sides are always compiled together, so will never
 // disagree about message versions.
diff --git a/guest/hals/keymint/remote/remote_keymint_device.cpp b/guest/hals/keymint/remote/remote_keymint_device.cpp
index 4f9606fc8..c6db2838c 100644
--- a/guest/hals/keymint/remote/remote_keymint_device.cpp
+++ b/guest/hals/keymint/remote/remote_keymint_device.cpp
@@ -449,9 +449,20 @@ ScopedAStatus RemoteKeyMintDevice::getRootOfTrustChallenge(
 }
 ScopedAStatus RemoteKeyMintDevice::getRootOfTrust(
- const std::array<uint8_t, 16>& /* challenge */,
- std::vector<uint8_t>* /* rootOfTrust */) {
- return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
+ const std::array<uint8_t, 16>& challenge,
+ std::vector<uint8_t>* rootOfTrust) {
+ if (!rootOfTrust) {
+ return kmError2ScopedAStatus(KM_ERROR_UNEXPECTED_NULL_POINTER);
+ }
+ GetRootOfTrustRequest request(impl_.message_version(),
+ {challenge.begin(), challenge.end()});
+ GetRootOfTrustResponse response = impl_.GetRootOfTrust(request);
+ if (response.error != KM_ERROR_OK) {
+ return kmError2ScopedAStatus(response.error);
+ }
+
+ *rootOfTrust = std::move(response.rootOfTrust);
+ return ScopedAStatus::ok();
 }
 ScopedAStatus RemoteKeyMintDevice::sendRootOfTrust(
diff --git a/host/commands/secure_env/keymaster_responder.cpp b/host/commands/secure_env/keymaster_responder.cpp
index c5d4e3b44..688ddf3ed 100644
--- a/host/commands/secure_env/keymaster_responder.cpp
+++ b/host/commands/secure_env/keymaster_responder.cpp
@@ -89,6 +89,7 @@ bool KeymasterResponder::ProcessMessage() {
 HANDLE_MESSAGE_W_RETURN(CONFIGURE_BOOT_PATCHLEVEL, ConfigureBootPatchlevel)
 HANDLE_MESSAGE_W_RETURN(CONFIGURE_VERIFIED_BOOT_INFO,
 ConfigureVerifiedBootInfo)
+ HANDLE_MESSAGE_W_RETURN(GET_ROOT_OF_TRUST, GetRootOfTrust)
 #undef HANDLE_MESSAGE_W_RETURN
 #define HANDLE_MESSAGE_W_RETURN_NO_ARG(ENUM_NAME, METHOD_NAME) \
 case ENUM_NAME: { \
diff --git a/host/commands/secure_env/proxy_keymaster_context.h b/host/commands/secure_env/proxy_keymaster_context.h
index c3c93fcc6..e3bf426f8 100644
--- a/host/commands/secure_env/proxy_keymaster_context.h
+++ b/host/commands/secure_env/proxy_keymaster_context.h
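Review bot: In RemoteKeyMintDevice::getRootOfTrust (remote_keymint_device.cpp) the success path moves `response.rootOfTrust` to the caller without checking that it holds anything, so a reply carrying `KM_ERROR_OK` and an empty blob would be returned as a valid root of trust. Whether the secure side can produce that is not visible in this diff, but a guard before the move is cheap: `if (response.rootOfTrust.empty()) return kmError2ScopedAStatus(KM_ERROR_UNKNOWN_ERROR);`. A one-line comment stating that the blob is passed through without verification on this side would also help the next reader.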
@@ -97,6 +97,10 @@ class ProxyKeymasterContext : public keymaster::KeymasterContext {
 return wrapped_.enforcement_policy();
 }
+ keymaster::AttestationContext* attestation_context() override {
+ return wrapped_.attestation_context();
+ }
+
 keymaster::CertificateChain GenerateAttestation(
 const keymaster::Key& key,
 const keymaster::AuthorizationSet& attest_params,
diff --git a/host/commands/secure_env/tpm_keymaster_context.h b/host/commands/secure_env/tpm_keymaster_context.h
index afd8f6f1a..dbcdcb418 100644
--- a/host/commands/secure_env/tpm_keymaster_context.h
+++ b/host/commands/secure_env/tpm_keymaster_context.h
@@ -92,6 +92,10 @@ class TpmKeymasterContext : public keymaster::KeymasterContext {
 keymaster::KeymasterEnforcement* enforcement_policy() override;
+ keymaster::AttestationContext* attestation_context() override {
+ return attestation_context_.get();
+ }
+
 keymaster::CertificateChain GenerateAttestation(
 const keymaster::Key& key,
 const keymaster::AuthorizationSet& attest_params,
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.cpp b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
index e73c57bef..a5368c57e 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.cpp
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
@@ -303,6 +303,24 @@ keymaster_error_t TpmKeymasterEnforcement::GenerateTimestampToken(
 return KM_ERROR_OK;
 }
+keymaster::KmErrorOr<std::array<uint8_t, 32>>
+TpmKeymasterEnforcement::ComputeHmac(
+ const std::vector<uint8_t>& data_to_mac) const {
+ std::array<uint8_t, 32> result;
+
+ const uint8_t* auth_token_key = nullptr;
+ uint32_t auth_token_key_len = 0;
+ if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
+ LOG(WARNING) << "Unable to get gatekeeper auth token";
+ return KM_ERROR_UNKNOWN_ERROR;
+ }
+
+ gatekeeper_.ComputeSignature(result.data(), result.size(), auth_token_key,
+ auth_token_key_len, data_to_mac.data(),
+ data_to_mac.size());
+ return result;
+}
+
 bool TpmKeymasterEnforcement::CreateKeyId(const keymaster_key_blob_t& key_blob,
 km_id_t* keyid) const {
 auto signing_key_builder = PrimaryKeyBuilder();
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.h b/host/commands/secure_env/tpm_keymaster_enforcement.h
index e1de8c7d8..1178932b5 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.h
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.h
@@ -54,6 +54,9 @@ class TpmKeymasterEnforcement : public keymaster::KeymasterEnforcement {
 keymaster_error_t GenerateTimestampToken(
 keymaster::TimestampToken* token) override;
+ keymaster::KmErrorOr<std::array<uint8_t, 32>> ComputeHmac(
+ const std::vector<uint8_t>& data_to_mac) const override;
+
 bool CreateKeyId(const keymaster_key_blob_t& key_blob,
 keymaster::km_id_t* keyid) const override; |
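Review bot: In TpmKeymasterEnforcement::ComputeHmac (tpm_keymaster_enforcement.cpp) `result` is declared without an initialiser and nothing checks whether `gatekeeper_.ComputeSignature(...)` actually filled it, so a failed or short write would hand indeterminate stack bytes back to the caller as a successful MAC. Value-initialise it with `std::array<uint8_t, 32> result{};` at minimum; ComputeSignature's declaration is outside this diff, so if it has any way to report failure, that should become an error return instead of reaching `return result;`. The function also uses the gatekeeper auth-token key for a second purpose; if that is intentional, a comment saying so (and why no separate key or domain-separation prefix is needed) belongs above the `GetAuthTokenKey` call.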