diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-06-03 17:44:54 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-06-03 17:44:54 +0000 |
commit | 0a35b49e4ab19ba5784f7091da666e1a53992881 (patch) | |
tree | 1d3965abde805d2b3fed5cd5dd346d59883f843c | |
parent | ce7ee8c8c47acc7e96b728e43ddf1842ac6ede7d (diff) | |
parent | 529195438999bfc59f7c311ef0483701eb601039 (diff) | |
download | cuttlefish-0a35b49e4ab19ba5784f7091da666e1a53992881.tar.gz |
Snap for 8680285 from 529195438999bfc59f7c311ef0483701eb601039 to mainline-go-extservices-release
Change-Id: I79d8b4ae8bbc6acf4b479ad55bce1f2ac140c542
-rw-r--r-- | guest/hals/keymint/remote/remote_keymaster.cpp | 7 | ||||
-rw-r--r-- | guest/hals/keymint/remote/remote_keymaster.h | 1 | ||||
-rw-r--r-- | guest/hals/keymint/remote/remote_keymint_device.cpp | 17 | ||||
-rw-r--r-- | guest/hals/ril/reference-ril/reference-ril.c | 4 | ||||
-rw-r--r-- | host/commands/secure_env/keymaster_responder.cpp | 66 | ||||
-rw-r--r-- | host/commands/secure_env/proxy_keymaster_context.h | 4 | ||||
-rw-r--r-- | host/commands/secure_env/tpm_keymaster_context.cpp | 67 | ||||
-rw-r--r-- | host/commands/secure_env/tpm_keymaster_context.h | 27 | ||||
-rw-r--r-- | host/commands/secure_env/tpm_keymaster_enforcement.cpp | 109 | ||||
-rw-r--r-- | host/commands/secure_env/tpm_keymaster_enforcement.h | 22 |
10 files changed, 174 insertions, 150 deletions
diff --git a/guest/hals/keymint/remote/remote_keymaster.cpp b/guest/hals/keymint/remote/remote_keymaster.cpp index 6675810a0..763c13909 100644 --- a/guest/hals/keymint/remote/remote_keymaster.cpp +++ b/guest/hals/keymint/remote/remote_keymaster.cpp @@ -312,4 +312,11 @@ ConfigureVerifiedBootInfoResponse RemoteKeymaster::ConfigureVerifiedBootInfo( return response; } +GetRootOfTrustResponse RemoteKeymaster::GetRootOfTrust( + const GetRootOfTrustRequest& request) { + GetRootOfTrustResponse response(message_version()); + ForwardCommand(GET_ROOT_OF_TRUST, request, &response); + return response; +} + } // namespace keymaster diff --git a/guest/hals/keymint/remote/remote_keymaster.h b/guest/hals/keymint/remote/remote_keymaster.h index 240e6100e..2e0668f85 100644 --- a/guest/hals/keymint/remote/remote_keymaster.h +++ b/guest/hals/keymint/remote/remote_keymaster.h @@ -94,6 +94,7 @@ class RemoteKeymaster { const ConfigureVerifiedBootInfoRequest& request); void GenerateTimestampToken(GenerateTimestampTokenRequest& request, GenerateTimestampTokenResponse* response); + GetRootOfTrustResponse GetRootOfTrust(const GetRootOfTrustRequest& request); // CF HAL and remote sides are always compiled together, so will never // disagree about message versions. diff --git a/guest/hals/keymint/remote/remote_keymint_device.cpp b/guest/hals/keymint/remote/remote_keymint_device.cpp index 4f9606fc8..c6db2838c 100644 --- a/guest/hals/keymint/remote/remote_keymint_device.cpp +++ b/guest/hals/keymint/remote/remote_keymint_device.cpp @@ -449,9 +449,20 @@ ScopedAStatus RemoteKeyMintDevice::getRootOfTrustChallenge( } ScopedAStatus RemoteKeyMintDevice::getRootOfTrust( - const std::array<uint8_t, 16>& /* challenge */, - std::vector<uint8_t>* /* rootOfTrust */) { - return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED); + const std::array<uint8_t, 16>& challenge, + std::vector<uint8_t>* rootOfTrust) { + if (!rootOfTrust) { + return kmError2ScopedAStatus(KM_ERROR_UNEXPECTED_NULL_POINTER); + } + GetRootOfTrustRequest request(impl_.message_version(), + {challenge.begin(), challenge.end()}); + GetRootOfTrustResponse response = impl_.GetRootOfTrust(request); + if (response.error != KM_ERROR_OK) { + return kmError2ScopedAStatus(response.error); + } + + *rootOfTrust = std::move(response.rootOfTrust); + return ScopedAStatus::ok(); } ScopedAStatus RemoteKeyMintDevice::sendRootOfTrust( diff --git a/guest/hals/ril/reference-ril/reference-ril.c b/guest/hals/ril/reference-ril/reference-ril.c index 806a17869..f3d01e413 100644 --- a/guest/hals/ril/reference-ril/reference-ril.c +++ b/guest/hals/ril/reference-ril/reference-ril.c @@ -1555,8 +1555,8 @@ static void requestDeviceIdentity(int request __unused, void *data __unused, int count = 4; // Fixed values. TODO: Query modem - responseStr[0] = "----"; - responseStr[1] = "----"; + responseStr[0] ="358240051111110"; + responseStr[1] = ""; responseStr[2] = "77777777"; responseStr[3] = ""; // default empty for non-CDMA diff --git a/host/commands/secure_env/keymaster_responder.cpp b/host/commands/secure_env/keymaster_responder.cpp index 69186026b..688ddf3ed 100644 --- a/host/commands/secure_env/keymaster_responder.cpp +++ b/host/commands/secure_env/keymaster_responder.cpp @@ -20,10 +20,9 @@ namespace cuttlefish { -KeymasterResponder::KeymasterResponder( - cuttlefish::KeymasterChannel& channel, keymaster::AndroidKeymaster& keymaster) - : channel_(channel), keymaster_(keymaster) { -} +KeymasterResponder::KeymasterResponder(cuttlefish::KeymasterChannel& channel, + keymaster::AndroidKeymaster& keymaster) + : channel_(channel), keymaster_(keymaster) {} bool KeymasterResponder::ProcessMessage() { auto request = channel_.ReceiveMessage(); @@ -33,19 +32,19 @@ bool KeymasterResponder::ProcessMessage() { } const uint8_t* buffer = request->payload; const uint8_t* end = request->payload + request->payload_size; - switch(request->cmd) { + switch (request->cmd) { using namespace keymaster; -#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \ - case ENUM_NAME: {\ - METHOD_NAME##Request request(keymaster_.message_version()); \ - if (!request.Deserialize(&buffer, end)) { \ - LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \ - return false; \ - } \ - METHOD_NAME##Response response(keymaster_.message_version()); \ - keymaster_.METHOD_NAME(request, &response); \ - return channel_.SendResponse(ENUM_NAME, response); \ - } +#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \ + case ENUM_NAME: { \ + METHOD_NAME##Request request(keymaster_.message_version()); \ + if (!request.Deserialize(&buffer, end)) { \ + LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \ + return false; \ + } \ + METHOD_NAME##Response response(keymaster_.message_version()); \ + keymaster_.METHOD_NAME(request, &response); \ + return channel_.SendResponse(ENUM_NAME, response); \ + } HANDLE_MESSAGE(GENERATE_KEY, GenerateKey) HANDLE_MESSAGE(BEGIN_OPERATION, BeginOperation) HANDLE_MESSAGE(UPDATE_OPERATION, UpdateOperation) @@ -71,16 +70,16 @@ bool KeymasterResponder::ProcessMessage() { HANDLE_MESSAGE(GENERATE_CSR, GenerateCsr) HANDLE_MESSAGE(GENERATE_TIMESTAMP_TOKEN, GenerateTimestampToken) #undef HANDLE_MESSAGE -#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME) \ - case ENUM_NAME: {\ - METHOD_NAME##Request request(keymaster_.message_version()); \ - if (!request.Deserialize(&buffer, end)) { \ - LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \ - return false; \ - } \ - auto response = keymaster_.METHOD_NAME(request); \ - return channel_.SendResponse(ENUM_NAME, response); \ - } +#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME) \ + case ENUM_NAME: { \ + METHOD_NAME##Request request(keymaster_.message_version()); \ + if (!request.Deserialize(&buffer, end)) { \ + LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \ + return false; \ + } \ + auto response = keymaster_.METHOD_NAME(request); \ + return channel_.SendResponse(ENUM_NAME, response); \ + } HANDLE_MESSAGE_W_RETURN(COMPUTE_SHARED_HMAC, ComputeSharedHmac) HANDLE_MESSAGE_W_RETURN(VERIFY_AUTHORIZATION, VerifyAuthorization) HANDLE_MESSAGE_W_RETURN(DEVICE_LOCKED, DeviceLocked) @@ -90,13 +89,15 @@ bool KeymasterResponder::ProcessMessage() { HANDLE_MESSAGE_W_RETURN(CONFIGURE_BOOT_PATCHLEVEL, ConfigureBootPatchlevel) HANDLE_MESSAGE_W_RETURN(CONFIGURE_VERIFIED_BOOT_INFO, ConfigureVerifiedBootInfo) + HANDLE_MESSAGE_W_RETURN(GET_ROOT_OF_TRUST, GetRootOfTrust) #undef HANDLE_MESSAGE_W_RETURN #define HANDLE_MESSAGE_W_RETURN_NO_ARG(ENUM_NAME, METHOD_NAME) \ - case ENUM_NAME: {\ - auto response = keymaster_.METHOD_NAME(); \ - return channel_.SendResponse(ENUM_NAME, response); \ - } - HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS, GetHmacSharingParameters) + case ENUM_NAME: { \ + auto response = keymaster_.METHOD_NAME(); \ + return channel_.SendResponse(ENUM_NAME, response); \ + } + HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS, + GetHmacSharingParameters) HANDLE_MESSAGE_W_RETURN_NO_ARG(EARLY_BOOT_ENDED, EarlyBootEnded) #undef HANDLE_MESSAGE_W_RETURN_NO_ARG case ADD_RNG_ENTROPY: { @@ -105,7 +106,8 @@ bool KeymasterResponder::ProcessMessage() { LOG(ERROR) << "Failed to deserialize AddEntropyRequest"; return false; } - AddEntropyResponse response(keymaster_.message_version());; + AddEntropyResponse response(keymaster_.message_version()); + ; keymaster_.AddRngEntropy(request, &response); return channel_.SendResponse(ADD_RNG_ENTROPY, response); } diff --git a/host/commands/secure_env/proxy_keymaster_context.h b/host/commands/secure_env/proxy_keymaster_context.h index c3c93fcc6..e3bf426f8 100644 --- a/host/commands/secure_env/proxy_keymaster_context.h +++ b/host/commands/secure_env/proxy_keymaster_context.h @@ -97,6 +97,10 @@ class ProxyKeymasterContext : public keymaster::KeymasterContext { return wrapped_.enforcement_policy(); } + keymaster::AttestationContext* attestation_context() override { + return wrapped_.attestation_context(); + } + keymaster::CertificateChain GenerateAttestation( const keymaster::Key& key, const keymaster::AuthorizationSet& attest_params, diff --git a/host/commands/secure_env/tpm_keymaster_context.cpp b/host/commands/secure_env/tpm_keymaster_context.cpp index 2d4154e20..4a6091501 100644 --- a/host/commands/secure_env/tpm_keymaster_context.cpp +++ b/host/commands/secure_env/tpm_keymaster_context.cpp @@ -82,10 +82,10 @@ TpmKeymasterContext::TpmKeymasterContext( attestation_context_(new TpmAttestationRecordContext), remote_provisioning_context_( new TpmRemoteProvisioningContext(resource_manager_)) { - key_factories_.emplace( - KM_ALGORITHM_RSA, new keymaster::RsaKeyFactory(*key_blob_maker_, *this)); - key_factories_.emplace( - KM_ALGORITHM_EC, new keymaster::EcKeyFactory(*key_blob_maker_, *this)); + key_factories_.emplace(KM_ALGORITHM_RSA, + new keymaster::RsaKeyFactory(*key_blob_maker_, *this)); + key_factories_.emplace(KM_ALGORITHM_EC, + new keymaster::EcKeyFactory(*key_blob_maker_, *this)); key_factories_.emplace( KM_ALGORITHM_AES, new keymaster::AesKeyFactory(*key_blob_maker_, *random_source_)); @@ -110,8 +110,8 @@ keymaster_error_t TpmKeymasterContext::SetSystemVersion( return KM_ERROR_OK; } -void TpmKeymasterContext::GetSystemVersion( - uint32_t* os_version, uint32_t* os_patchlevel) const { +void TpmKeymasterContext::GetSystemVersion(uint32_t* os_version, + uint32_t* os_patchlevel) const { *os_version = os_version_; *os_patchlevel = os_patchlevel_; } @@ -131,7 +131,7 @@ OperationFactory* TpmKeymasterContext::GetOperationFactory( auto key_factory = GetKeyFactory(algorithm); if (key_factory == nullptr) { LOG(ERROR) << "Tried to get operation factory for " << purpose - << " for invalid algorithm " << algorithm; + << " for invalid algorithm " << algorithm; return nullptr; } auto operation_factory = key_factory->GetOperationFactory(purpose); @@ -143,18 +143,16 @@ OperationFactory* TpmKeymasterContext::GetOperationFactory( } const keymaster_algorithm_t* TpmKeymasterContext::GetSupportedAlgorithms( - size_t* algorithms_count) const { + size_t* algorithms_count) const { *algorithms_count = supported_algorithms_.size(); return supported_algorithms_.data(); } -// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master +// Based on +// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master -static bool UpgradeIntegerTag( - keymaster_tag_t tag, - uint32_t value, - AuthorizationSet* set, - bool* set_changed) { +static bool UpgradeIntegerTag(keymaster_tag_t tag, uint32_t value, + AuthorizationSet* set, bool* set_changed) { int index = set->find(tag); if (index == -1) { keymaster_key_param_t param; @@ -176,7 +174,8 @@ static bool UpgradeIntegerTag( return true; } -// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master +// Based on +// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master keymaster_error_t TpmKeymasterContext::UpgradeKeyBlob( const KeymasterKeyBlob& blob_to_upgrade, @@ -230,8 +229,7 @@ keymaster_error_t TpmKeymasterContext::UpgradeKeyBlob( } keymaster_error_t TpmKeymasterContext::ParseKeyBlob( - const KeymasterKeyBlob& blob, - const AuthorizationSet& additional_params, + const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params, keymaster::UniquePtr<keymaster::Key>* key) const { keymaster::AuthorizationSet hw_enforced; keymaster::AuthorizationSet sw_enforced; @@ -258,21 +256,16 @@ keymaster_error_t TpmKeymasterContext::ParseKeyBlob( LOG(ERROR) << "Unable to find key factory for " << algorithm; return KM_ERROR_UNSUPPORTED_ALGORITHM; } - rc = - factory->LoadKey( - std::move(key_material), - additional_params, - std::move(hw_enforced), - std::move(sw_enforced), - key); + rc = factory->LoadKey(std::move(key_material), additional_params, + std::move(hw_enforced), std::move(sw_enforced), key); if (rc != KM_ERROR_OK) { LOG(ERROR) << "Unable to load unwrapped key: " << rc; } return rc; } -keymaster_error_t TpmKeymasterContext::AddRngEntropy( - const uint8_t* buffer, size_t size) const { +keymaster_error_t TpmKeymasterContext::AddRngEntropy(const uint8_t* buffer, + size_t size) const { return random_source_->AddRngEntropy(buffer, size); } @@ -280,7 +273,8 @@ keymaster::KeymasterEnforcement* TpmKeymasterContext::enforcement_policy() { return &enforcement_; } -// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d +// Based on +// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d keymaster::CertificateChain TpmKeymasterContext::GenerateAttestation( const keymaster::Key& key, const keymaster::AuthorizationSet& attest_params, @@ -337,22 +331,25 @@ keymaster::CertificateChain TpmKeymasterContext::GenerateSelfSignedCertificate( const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params, bool fake_signature, keymaster_error_t* error) const { keymaster_algorithm_t key_algorithm; - if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM, &key_algorithm)) { - *error = KM_ERROR_UNKNOWN_ERROR; - return {}; + if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM, + &key_algorithm)) { + *error = KM_ERROR_UNKNOWN_ERROR; + return {}; } if ((key_algorithm != KM_ALGORITHM_RSA && key_algorithm != KM_ALGORITHM_EC)) { - *error = KM_ERROR_INCOMPATIBLE_ALGORITHM; - return {}; + *error = KM_ERROR_INCOMPATIBLE_ALGORITHM; + return {}; } - // We have established that the given key has the correct algorithm, and because this is the - // SoftKeymasterContext we can assume that the Key is an AsymmetricKey. So we can downcast. + // We have established that the given key has the correct algorithm, and + // because this is the SoftKeymasterContext we can assume that the Key is an + // AsymmetricKey. So we can downcast. const keymaster::AsymmetricKey& asymmetric_key = static_cast<const keymaster::AsymmetricKey&>(key); - return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature, error); + return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature, + error); } keymaster_error_t TpmKeymasterContext::UnwrapKey( diff --git a/host/commands/secure_env/tpm_keymaster_context.h b/host/commands/secure_env/tpm_keymaster_context.h index 0029c1d40..dbcdcb418 100644 --- a/host/commands/secure_env/tpm_keymaster_context.h +++ b/host/commands/secure_env/tpm_keymaster_context.h @@ -38,14 +38,15 @@ class TpmRemoteProvisioningContext; * https://cs.android.com/android/platform/superproject/+/master:system/keymaster/include/keymaster/keymaster_context.h;drc=821acb74d7febb886a9b7cefee4ee3df4cc8c556 */ class TpmKeymasterContext : public keymaster::KeymasterContext { -private: + private: TpmResourceManager& resource_manager_; keymaster::KeymasterEnforcement& enforcement_; std::unique_ptr<TpmKeyBlobMaker> key_blob_maker_; std::unique_ptr<TpmRandomSource> random_source_; std::unique_ptr<TpmAttestationRecordContext> attestation_context_; std::unique_ptr<TpmRemoteProvisioningContext> remote_provisioning_context_; - std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>> key_factories_; + std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>> + key_factories_; std::vector<keymaster_algorithm_t> supported_algorithms_; uint32_t os_version_; uint32_t os_patchlevel_; @@ -63,10 +64,10 @@ private: return attestation_context_->GetKmVersion(); } - keymaster_error_t SetSystemVersion( - uint32_t os_version, uint32_t os_patchlevel) override; - void GetSystemVersion( - uint32_t* os_version, uint32_t* os_patchlevel) const override; + keymaster_error_t SetSystemVersion(uint32_t os_version, + uint32_t os_patchlevel) override; + void GetSystemVersion(uint32_t* os_version, + uint32_t* os_patchlevel) const override; const keymaster::KeyFactory* GetKeyFactory( keymaster_algorithm_t algorithm) const override; @@ -86,11 +87,15 @@ private: const keymaster::AuthorizationSet& additional_params, keymaster::UniquePtr<keymaster::Key>* key) const override; - keymaster_error_t AddRngEntropy( - const uint8_t* buf, size_t length) const override; + keymaster_error_t AddRngEntropy(const uint8_t* buf, + size_t length) const override; keymaster::KeymasterEnforcement* enforcement_policy() override; + keymaster::AttestationContext* attestation_context() override { + return attestation_context_.get(); + } + keymaster::CertificateChain GenerateAttestation( const keymaster::Key& key, const keymaster::AuthorizationSet& attest_params, @@ -99,10 +104,8 @@ private: keymaster_error_t* error) const override; keymaster::CertificateChain GenerateSelfSignedCertificate( - const keymaster::Key& key, - const keymaster::AuthorizationSet& cert_params, - bool fake_signature, - keymaster_error_t* error) const override; + const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params, + bool fake_signature, keymaster_error_t* error) const override; keymaster_error_t UnwrapKey( const keymaster::KeymasterKeyBlob& wrapped_key_blob, diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.cpp b/host/commands/secure_env/tpm_keymaster_enforcement.cpp index 60a9a5a28..a5368c57e 100644 --- a/host/commands/secure_env/tpm_keymaster_enforcement.cpp +++ b/host/commands/secure_env/tpm_keymaster_enforcement.cpp @@ -25,11 +25,11 @@ namespace cuttlefish { -using keymaster::km_id_t; using keymaster::HmacSharingParameters; using keymaster::HmacSharingParametersArray; using keymaster::KeymasterBlob; using keymaster::KeymasterEnforcement; +using keymaster::km_id_t; using keymaster::VerifyAuthorizationRequest; using keymaster::VerifyAuthorizationResponse; namespace { @@ -46,9 +46,9 @@ bool operator==(const HmacSharingParameters& a, } } // namespace class CompareHmacSharingParams { -public: - bool operator()( - const HmacSharingParameters& a, const HmacSharingParameters& b) const { + public: + bool operator()(const HmacSharingParameters& a, + const HmacSharingParameters& b) const { if (a.seed.data_length != b.seed.data_length) { return a.seed.data_length < b.seed.data_length; } @@ -86,11 +86,9 @@ TpmKeymasterEnforcement::TpmKeymasterEnforcement( TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper) : KeymasterEnforcement(64, 64), resource_manager_(resource_manager), - gatekeeper_(gatekeeper) { -} + gatekeeper_(gatekeeper) {} -TpmKeymasterEnforcement::~TpmKeymasterEnforcement() { -} +TpmKeymasterEnforcement::~TpmKeymasterEnforcement() {} bool TpmKeymasterEnforcement::activation_date_valid( uint64_t activation_date) const { @@ -102,10 +100,10 @@ bool TpmKeymasterEnforcement::expiration_date_passed( return expiration_date < get_wall_clock_time_ms(); } -bool TpmKeymasterEnforcement::auth_token_timed_out( - const hw_auth_token_t& token, uint32_t timeout) const { +bool TpmKeymasterEnforcement::auth_token_timed_out(const hw_auth_token_t& token, + uint32_t timeout) const { // timeout comes in seconds, token.timestamp comes in milliseconds - uint64_t timeout_ms = 1000 * (uint64_t) timeout; + uint64_t timeout_ms = 1000 * (uint64_t)timeout; return (be64toh(token.timestamp) + timeout_ms) < get_current_time_ms(); } @@ -132,32 +130,24 @@ bool TpmKeymasterEnforcement::ValidateTokenSignature( * GateKeeper::MintAuthToken */ - const uint8_t *auth_token_key = nullptr; + const uint8_t* auth_token_key = nullptr; uint32_t auth_token_key_len = 0; if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) { LOG(WARNING) << "Unable to get gatekeeper auth token"; return false; } + constexpr uint32_t hashable_length = + sizeof(token.version) + sizeof(token.challenge) + sizeof(token.user_id) + + sizeof(token.authenticator_id) + sizeof(token.authenticator_type) + + sizeof(token.timestamp); - constexpr uint32_t hashable_length = sizeof(token.version) + - sizeof(token.challenge) + - sizeof(token.user_id) + - sizeof(token.authenticator_id) + - sizeof(token.authenticator_type) + - sizeof(token.timestamp); - - static_assert( - offsetof(hw_auth_token_t, hmac) == hashable_length, - "hw_auth_token_t does not appear to be packed"); - + static_assert(offsetof(hw_auth_token_t, hmac) == hashable_length, + "hw_auth_token_t does not appear to be packed"); gatekeeper_.ComputeSignature( - comparison_token.hmac, - sizeof(comparison_token.hmac), - auth_token_key, - auth_token_key_len, - reinterpret_cast<uint8_t*>(&comparison_token), + comparison_token.hmac, sizeof(comparison_token.hmac), auth_token_key, + auth_token_key_len, reinterpret_cast<uint8_t*>(&comparison_token), hashable_length); static_assert(sizeof(token.hmac) == sizeof(comparison_token.hmac)); @@ -170,9 +160,8 @@ keymaster_error_t TpmKeymasterEnforcement::GetHmacSharingParameters( if (!have_saved_params_) { saved_params_.seed = {}; TpmRandomSource random_source{resource_manager_.Esys()}; - auto rc = - random_source.GenerateRandom( - saved_params_.nonce, sizeof(saved_params_.nonce)); + auto rc = random_source.GenerateRandom(saved_params_.nonce, + sizeof(saved_params_.nonce)); if (rc != KM_ERROR_OK) { LOG(ERROR) << "Failed to generate HmacSharingParameters nonce"; return rc; @@ -185,18 +174,15 @@ keymaster_error_t TpmKeymasterEnforcement::GetHmacSharingParameters( } keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac( - const HmacSharingParametersArray& hmac_array, - KeymasterBlob* sharingCheck) { + const HmacSharingParametersArray& hmac_array, KeymasterBlob* sharingCheck) { std::set<HmacSharingParameters, CompareHmacSharingParams> sorted_hmac_inputs; bool found_mine = false; for (int i = 0; i < hmac_array.num_params; i++) { HmacSharingParameters sharing_params; sharing_params.seed = keymaster::KeymasterBlob(hmac_array.params_array[i].seed); - memcpy( - sharing_params.nonce, - hmac_array.params_array[i].nonce, - sizeof(sharing_params.nonce)); + memcpy(sharing_params.nonce, hmac_array.params_array[i].nonce, + sizeof(sharing_params.nonce)); found_mine = found_mine || (sharing_params == saved_params_); sorted_hmac_inputs.emplace(std::move(sharing_params)); } @@ -218,7 +204,6 @@ keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac( } } - auto signing_key_builder = PrimaryKeyBuilder(); signing_key_builder.SigningKey(); signing_key_builder.UniqueData(std::string(unique_data, sizeof(unique_data))); @@ -230,12 +215,9 @@ keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac( static const uint8_t signing_input[] = "Keymaster HMAC Verification"; - auto hmac = TpmHmac( - resource_manager_, - signing_key->get(), - TpmAuth(ESYS_TR_PASSWORD), - signing_input, - sizeof(signing_input)); + auto hmac = + TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD), + signing_input, sizeof(signing_input)); if (!hmac) { LOG(ERROR) << "Unable to complete signing check"; @@ -260,10 +242,10 @@ VerifyAuthorizationResponse TpmKeymasterEnforcement::VerifyAuthorization( response.token.timestamp = get_current_time_ms(); response.token.security_level = SecurityLevel(); - VerificationData verify_data { - .challenge = response.token.challenge, - .timestamp = response.token.timestamp, - .security_level = response.token.security_level, + VerificationData verify_data{ + .challenge = response.token.challenge, + .timestamp = response.token.timestamp, + .security_level = response.token.security_level, }; auto signing_key_builder = PrimaryKeyBuilder(); @@ -274,12 +256,9 @@ VerifyAuthorizationResponse TpmKeymasterEnforcement::VerifyAuthorization( LOG(ERROR) << "Could not make signing key for verifying authorization"; return response; } - auto hmac = TpmHmac( - resource_manager_, - signing_key->get(), - TpmAuth(ESYS_TR_PASSWORD), - reinterpret_cast<uint8_t*>(&verify_data), - sizeof(verify_data)); + auto hmac = + TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD), + reinterpret_cast<uint8_t*>(&verify_data), sizeof(verify_data)); if (!hmac) { LOG(ERROR) << "Could not calculate verification hmac"; @@ -324,8 +303,26 @@ keymaster_error_t TpmKeymasterEnforcement::GenerateTimestampToken( return KM_ERROR_OK; } -bool TpmKeymasterEnforcement::CreateKeyId( - const keymaster_key_blob_t& key_blob, km_id_t* keyid) const { +keymaster::KmErrorOr<std::array<uint8_t, 32>> +TpmKeymasterEnforcement::ComputeHmac( + const std::vector<uint8_t>& data_to_mac) const { + std::array<uint8_t, 32> result; + + const uint8_t* auth_token_key = nullptr; + uint32_t auth_token_key_len = 0; + if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) { + LOG(WARNING) << "Unable to get gatekeeper auth token"; + return KM_ERROR_UNKNOWN_ERROR; + } + + gatekeeper_.ComputeSignature(result.data(), result.size(), auth_token_key, + auth_token_key_len, data_to_mac.data(), + data_to_mac.size()); + return result; +} + +bool TpmKeymasterEnforcement::CreateKeyId(const keymaster_key_blob_t& key_blob, + km_id_t* keyid) const { auto signing_key_builder = PrimaryKeyBuilder(); signing_key_builder.SigningKey(); signing_key_builder.UniqueData("key_id"); diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.h b/host/commands/secure_env/tpm_keymaster_enforcement.h index 8db59301c..1178932b5 100644 --- a/host/commands/secure_env/tpm_keymaster_enforcement.h +++ b/host/commands/secure_env/tpm_keymaster_enforcement.h @@ -28,22 +28,22 @@ namespace cuttlefish { * system/keymaster/include/keymaster/keymaster_enforcement.h */ class TpmKeymasterEnforcement : public keymaster::KeymasterEnforcement { -public: - TpmKeymasterEnforcement( - TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper); + public: + TpmKeymasterEnforcement(TpmResourceManager& resource_manager, + TpmGatekeeper& gatekeeper); ~TpmKeymasterEnforcement(); bool activation_date_valid(uint64_t activation_date) const override; bool expiration_date_passed(uint64_t expiration_date) const override; - bool auth_token_timed_out( - const hw_auth_token_t& token, uint32_t timeout) const override; + bool auth_token_timed_out(const hw_auth_token_t& token, + uint32_t timeout) const override; uint64_t get_current_time_ms() const override; keymaster_security_level_t SecurityLevel() const override; bool ValidateTokenSignature(const hw_auth_token_t& token) const override; keymaster_error_t GetHmacSharingParameters( - keymaster::HmacSharingParameters* params) override; + keymaster::HmacSharingParameters* params) override; keymaster_error_t ComputeSharedHmac( const keymaster::HmacSharingParametersArray& params_array, keymaster::KeymasterBlob* sharingCheck) override; @@ -54,11 +54,13 @@ public: keymaster_error_t GenerateTimestampToken( keymaster::TimestampToken* token) override; - bool CreateKeyId( - const keymaster_key_blob_t& key_blob, - keymaster::km_id_t* keyid) const override; + keymaster::KmErrorOr<std::array<uint8_t, 32>> ComputeHmac( + const std::vector<uint8_t>& data_to_mac) const override; -private: + bool CreateKeyId(const keymaster_key_blob_t& key_blob, + keymaster::km_id_t* keyid) const override; + + private: TpmResourceManager& resource_manager_; TpmGatekeeper& gatekeeper_; bool have_saved_params_ = false; |