Snap for 8680285 from 529195438999bfc59f7c311ef0483701eb601039 to mainline-go-extservices-release

Change-Id: I79d8b4ae8bbc6acf4b479ad55bce1f2ac140c542

10 files changed, 174 insertions, 150 deletions

diff --git a/guest/hals/keymint/remote/remote_keymaster.cpp b/guest/hals/keymint/remote/remote_keymaster.cpp
index 6675810a0..763c13909 100644
--- a/guest/hals/keymint/remote/remote_keymaster.cpp
+++ b/guest/hals/keymint/remote/remote_keymaster.cpp
@@ -312,4 +312,11 @@ ConfigureVerifiedBootInfoResponse RemoteKeymaster::ConfigureVerifiedBootInfo(
   return response;
 }
 
+GetRootOfTrustResponse RemoteKeymaster::GetRootOfTrust(
+    const GetRootOfTrustRequest& request) {
+  GetRootOfTrustResponse response(message_version());
+  ForwardCommand(GET_ROOT_OF_TRUST, request, &response);
+  return response;
+}
+
 }  // namespace keymaster
diff --git a/guest/hals/keymint/remote/remote_keymaster.h b/guest/hals/keymint/remote/remote_keymaster.h
index 240e6100e..2e0668f85 100644
--- a/guest/hals/keymint/remote/remote_keymaster.h
+++ b/guest/hals/keymint/remote/remote_keymaster.h
@@ -94,6 +94,7 @@ class RemoteKeymaster {
       const ConfigureVerifiedBootInfoRequest& request);
   void GenerateTimestampToken(GenerateTimestampTokenRequest& request,
                               GenerateTimestampTokenResponse* response);
+  GetRootOfTrustResponse GetRootOfTrust(const GetRootOfTrustRequest& request);
 
   // CF HAL and remote sides are always compiled together, so will never
   // disagree about message versions.
diff --git a/guest/hals/keymint/remote/remote_keymint_device.cpp b/guest/hals/keymint/remote/remote_keymint_device.cpp
index 4f9606fc8..c6db2838c 100644
--- a/guest/hals/keymint/remote/remote_keymint_device.cpp
+++ b/guest/hals/keymint/remote/remote_keymint_device.cpp
@@ -449,9 +449,20 @@ ScopedAStatus RemoteKeyMintDevice::getRootOfTrustChallenge(
 }
 
 ScopedAStatus RemoteKeyMintDevice::getRootOfTrust(
-    const std::array<uint8_t, 16>& /* challenge */,
-    std::vector<uint8_t>* /* rootOfTrust */) {
-  return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
+    const std::array<uint8_t, 16>& challenge,
+    std::vector<uint8_t>* rootOfTrust) {
+  if (!rootOfTrust) {
+    return kmError2ScopedAStatus(KM_ERROR_UNEXPECTED_NULL_POINTER);
+  }
+  GetRootOfTrustRequest request(impl_.message_version(),
+                                {challenge.begin(), challenge.end()});
+  GetRootOfTrustResponse response = impl_.GetRootOfTrust(request);
+  if (response.error != KM_ERROR_OK) {
+    return kmError2ScopedAStatus(response.error);
+  }
+
+  *rootOfTrust = std::move(response.rootOfTrust);
+  return ScopedAStatus::ok();
 }
 
 ScopedAStatus RemoteKeyMintDevice::sendRootOfTrust(
diff --git a/guest/hals/ril/reference-ril/reference-ril.c b/guest/hals/ril/reference-ril/reference-ril.c
index 806a17869..f3d01e413 100644
--- a/guest/hals/ril/reference-ril/reference-ril.c
+++ b/guest/hals/ril/reference-ril/reference-ril.c
@@ -1555,8 +1555,8 @@ static void requestDeviceIdentity(int request __unused, void *data __unused,
     int count = 4;
 
     // Fixed values. TODO: Query modem
-    responseStr[0] = "----";
-    responseStr[1] = "----";
+    responseStr[0] ="358240051111110";
+    responseStr[1] =  "";
     responseStr[2] = "77777777";
     responseStr[3] = ""; // default empty for non-CDMA
 
diff --git a/host/commands/secure_env/keymaster_responder.cpp b/host/commands/secure_env/keymaster_responder.cpp
index 69186026b..688ddf3ed 100644
--- a/host/commands/secure_env/keymaster_responder.cpp
+++ b/host/commands/secure_env/keymaster_responder.cpp
@@ -20,10 +20,9 @@
 
 namespace cuttlefish {
 
-KeymasterResponder::KeymasterResponder(
-    cuttlefish::KeymasterChannel& channel, keymaster::AndroidKeymaster& keymaster)
-    : channel_(channel), keymaster_(keymaster) {
-}
+KeymasterResponder::KeymasterResponder(cuttlefish::KeymasterChannel& channel,
+                                       keymaster::AndroidKeymaster& keymaster)
+    : channel_(channel), keymaster_(keymaster) {}
 
 bool KeymasterResponder::ProcessMessage() {
   auto request = channel_.ReceiveMessage();
@@ -33,19 +32,19 @@ bool KeymasterResponder::ProcessMessage() {
   }
   const uint8_t* buffer = request->payload;
   const uint8_t* end = request->payload + request->payload_size;
-  switch(request->cmd) {
+  switch (request->cmd) {
     using namespace keymaster;
-#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \
-    case ENUM_NAME: {\
-      METHOD_NAME##Request request(keymaster_.message_version()); \
-      if (!request.Deserialize(&buffer, end)) { \
-        LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
-        return false; \
-      } \
-      METHOD_NAME##Response response(keymaster_.message_version()); \
-      keymaster_.METHOD_NAME(request, &response); \
-      return channel_.SendResponse(ENUM_NAME, response); \
-    }
+#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME)                       \
+  case ENUM_NAME: {                                                  \
+    METHOD_NAME##Request request(keymaster_.message_version());      \
+    if (!request.Deserialize(&buffer, end)) {                        \
+      LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
+      return false;                                                  \
+    }                                                                \
+    METHOD_NAME##Response response(keymaster_.message_version());    \
+    keymaster_.METHOD_NAME(request, &response);                      \
+    return channel_.SendResponse(ENUM_NAME, response);               \
+  }
     HANDLE_MESSAGE(GENERATE_KEY, GenerateKey)
     HANDLE_MESSAGE(BEGIN_OPERATION, BeginOperation)
     HANDLE_MESSAGE(UPDATE_OPERATION, UpdateOperation)
@@ -71,16 +70,16 @@ bool KeymasterResponder::ProcessMessage() {
     HANDLE_MESSAGE(GENERATE_CSR, GenerateCsr)
     HANDLE_MESSAGE(GENERATE_TIMESTAMP_TOKEN, GenerateTimestampToken)
 #undef HANDLE_MESSAGE
-#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME) \
-    case ENUM_NAME: {\
-    METHOD_NAME##Request request(keymaster_.message_version());     \
-      if (!request.Deserialize(&buffer, end)) { \
-        LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
-        return false; \
-      } \
-      auto response = keymaster_.METHOD_NAME(request); \
-      return channel_.SendResponse(ENUM_NAME, response); \
-    }
+#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME)              \
+  case ENUM_NAME: {                                                  \
+    METHOD_NAME##Request request(keymaster_.message_version());      \
+    if (!request.Deserialize(&buffer, end)) {                        \
+      LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
+      return false;                                                  \
+    }                                                                \
+    auto response = keymaster_.METHOD_NAME(request);                 \
+    return channel_.SendResponse(ENUM_NAME, response);               \
+  }
     HANDLE_MESSAGE_W_RETURN(COMPUTE_SHARED_HMAC, ComputeSharedHmac)
     HANDLE_MESSAGE_W_RETURN(VERIFY_AUTHORIZATION, VerifyAuthorization)
     HANDLE_MESSAGE_W_RETURN(DEVICE_LOCKED, DeviceLocked)
@@ -90,13 +89,15 @@ bool KeymasterResponder::ProcessMessage() {
     HANDLE_MESSAGE_W_RETURN(CONFIGURE_BOOT_PATCHLEVEL, ConfigureBootPatchlevel)
     HANDLE_MESSAGE_W_RETURN(CONFIGURE_VERIFIED_BOOT_INFO,
                             ConfigureVerifiedBootInfo)
+    HANDLE_MESSAGE_W_RETURN(GET_ROOT_OF_TRUST, GetRootOfTrust)
 #undef HANDLE_MESSAGE_W_RETURN
 #define HANDLE_MESSAGE_W_RETURN_NO_ARG(ENUM_NAME, METHOD_NAME) \
-    case ENUM_NAME: {\
-      auto response = keymaster_.METHOD_NAME(); \
-      return channel_.SendResponse(ENUM_NAME, response); \
-    }
-    HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS, GetHmacSharingParameters)
+  case ENUM_NAME: {                                            \
+    auto response = keymaster_.METHOD_NAME();                  \
+    return channel_.SendResponse(ENUM_NAME, response);         \
+  }
+    HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS,
+                                   GetHmacSharingParameters)
     HANDLE_MESSAGE_W_RETURN_NO_ARG(EARLY_BOOT_ENDED, EarlyBootEnded)
 #undef HANDLE_MESSAGE_W_RETURN_NO_ARG
     case ADD_RNG_ENTROPY: {
@@ -105,7 +106,8 @@ bool KeymasterResponder::ProcessMessage() {
         LOG(ERROR) << "Failed to deserialize AddEntropyRequest";
         return false;
       }
-      AddEntropyResponse response(keymaster_.message_version());;
+      AddEntropyResponse response(keymaster_.message_version());
+      ;
       keymaster_.AddRngEntropy(request, &response);
       return channel_.SendResponse(ADD_RNG_ENTROPY, response);
     }
diff --git a/host/commands/secure_env/proxy_keymaster_context.h b/host/commands/secure_env/proxy_keymaster_context.h
index c3c93fcc6..e3bf426f8 100644
--- a/host/commands/secure_env/proxy_keymaster_context.h
+++ b/host/commands/secure_env/proxy_keymaster_context.h
@@ -97,6 +97,10 @@ class ProxyKeymasterContext : public keymaster::KeymasterContext {
     return wrapped_.enforcement_policy();
   }
 
+  keymaster::AttestationContext* attestation_context() override {
+    return wrapped_.attestation_context();
+  }
+
   keymaster::CertificateChain GenerateAttestation(
       const keymaster::Key& key,
       const keymaster::AuthorizationSet& attest_params,
diff --git a/host/commands/secure_env/tpm_keymaster_context.cpp b/host/commands/secure_env/tpm_keymaster_context.cpp
index 2d4154e20..4a6091501 100644
--- a/host/commands/secure_env/tpm_keymaster_context.cpp
+++ b/host/commands/secure_env/tpm_keymaster_context.cpp
@@ -82,10 +82,10 @@ TpmKeymasterContext::TpmKeymasterContext(
       attestation_context_(new TpmAttestationRecordContext),
       remote_provisioning_context_(
           new TpmRemoteProvisioningContext(resource_manager_)) {
-  key_factories_.emplace(
-      KM_ALGORITHM_RSA, new keymaster::RsaKeyFactory(*key_blob_maker_, *this));
-  key_factories_.emplace(
-      KM_ALGORITHM_EC, new keymaster::EcKeyFactory(*key_blob_maker_, *this));
+  key_factories_.emplace(KM_ALGORITHM_RSA,
+                         new keymaster::RsaKeyFactory(*key_blob_maker_, *this));
+  key_factories_.emplace(KM_ALGORITHM_EC,
+                         new keymaster::EcKeyFactory(*key_blob_maker_, *this));
   key_factories_.emplace(
       KM_ALGORITHM_AES,
       new keymaster::AesKeyFactory(*key_blob_maker_, *random_source_));
@@ -110,8 +110,8 @@ keymaster_error_t TpmKeymasterContext::SetSystemVersion(
   return KM_ERROR_OK;
 }
 
-void TpmKeymasterContext::GetSystemVersion(
-    uint32_t* os_version, uint32_t* os_patchlevel) const {
+void TpmKeymasterContext::GetSystemVersion(uint32_t* os_version,
+                                           uint32_t* os_patchlevel) const {
   *os_version = os_version_;
   *os_patchlevel = os_patchlevel_;
 }
@@ -131,7 +131,7 @@ OperationFactory* TpmKeymasterContext::GetOperationFactory(
   auto key_factory = GetKeyFactory(algorithm);
   if (key_factory == nullptr) {
     LOG(ERROR) << "Tried to get operation factory for " << purpose
-              << " for invalid algorithm " << algorithm;
+               << " for invalid algorithm " << algorithm;
     return nullptr;
   }
   auto operation_factory = key_factory->GetOperationFactory(purpose);
@@ -143,18 +143,16 @@ OperationFactory* TpmKeymasterContext::GetOperationFactory(
 }
 
 const keymaster_algorithm_t* TpmKeymasterContext::GetSupportedAlgorithms(
-      size_t* algorithms_count) const {
+    size_t* algorithms_count) const {
   *algorithms_count = supported_algorithms_.size();
   return supported_algorithms_.data();
 }
 
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master
 
-static bool UpgradeIntegerTag(
-    keymaster_tag_t tag,
-    uint32_t value,
-    AuthorizationSet* set,
-    bool* set_changed) {
+static bool UpgradeIntegerTag(keymaster_tag_t tag, uint32_t value,
+                              AuthorizationSet* set, bool* set_changed) {
   int index = set->find(tag);
   if (index == -1) {
     keymaster_key_param_t param;
@@ -176,7 +174,8 @@ static bool UpgradeIntegerTag(
   return true;
 }
 
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master
 
 keymaster_error_t TpmKeymasterContext::UpgradeKeyBlob(
     const KeymasterKeyBlob& blob_to_upgrade,
@@ -230,8 +229,7 @@ keymaster_error_t TpmKeymasterContext::UpgradeKeyBlob(
 }
 
 keymaster_error_t TpmKeymasterContext::ParseKeyBlob(
-    const KeymasterKeyBlob& blob,
-    const AuthorizationSet& additional_params,
+    const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
     keymaster::UniquePtr<keymaster::Key>* key) const {
   keymaster::AuthorizationSet hw_enforced;
   keymaster::AuthorizationSet sw_enforced;
@@ -258,21 +256,16 @@ keymaster_error_t TpmKeymasterContext::ParseKeyBlob(
     LOG(ERROR) << "Unable to find key factory for " << algorithm;
     return KM_ERROR_UNSUPPORTED_ALGORITHM;
   }
-  rc =
-      factory->LoadKey(
-          std::move(key_material),
-          additional_params,
-          std::move(hw_enforced),
-          std::move(sw_enforced),
-          key);
+  rc = factory->LoadKey(std::move(key_material), additional_params,
+                        std::move(hw_enforced), std::move(sw_enforced), key);
   if (rc != KM_ERROR_OK) {
     LOG(ERROR) << "Unable to load unwrapped key: " << rc;
   }
   return rc;
 }
 
-keymaster_error_t TpmKeymasterContext::AddRngEntropy(
-    const uint8_t* buffer, size_t size) const {
+keymaster_error_t TpmKeymasterContext::AddRngEntropy(const uint8_t* buffer,
+                                                     size_t size) const {
   return random_source_->AddRngEntropy(buffer, size);
 }
 
@@ -280,7 +273,8 @@ keymaster::KeymasterEnforcement* TpmKeymasterContext::enforcement_policy() {
   return &enforcement_;
 }
 
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d
 
 keymaster::CertificateChain TpmKeymasterContext::GenerateAttestation(
     const keymaster::Key& key, const keymaster::AuthorizationSet& attest_params,
@@ -337,22 +331,25 @@ keymaster::CertificateChain TpmKeymasterContext::GenerateSelfSignedCertificate(
     const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params,
     bool fake_signature, keymaster_error_t* error) const {
   keymaster_algorithm_t key_algorithm;
-  if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM, &key_algorithm)) {
-      *error = KM_ERROR_UNKNOWN_ERROR;
-      return {};
+  if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM,
+                                        &key_algorithm)) {
+    *error = KM_ERROR_UNKNOWN_ERROR;
+    return {};
   }
 
   if ((key_algorithm != KM_ALGORITHM_RSA && key_algorithm != KM_ALGORITHM_EC)) {
-      *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
-      return {};
+    *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
+    return {};
   }
 
-  // We have established that the given key has the correct algorithm, and because this is the
-  // SoftKeymasterContext we can assume that the Key is an AsymmetricKey. So we can downcast.
+  // We have established that the given key has the correct algorithm, and
+  // because this is the SoftKeymasterContext we can assume that the Key is an
+  // AsymmetricKey. So we can downcast.
   const keymaster::AsymmetricKey& asymmetric_key =
       static_cast<const keymaster::AsymmetricKey&>(key);
 
-  return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature, error);
+  return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature,
+                                   error);
 }
 
 keymaster_error_t TpmKeymasterContext::UnwrapKey(
diff --git a/host/commands/secure_env/tpm_keymaster_context.h b/host/commands/secure_env/tpm_keymaster_context.h
index 0029c1d40..dbcdcb418 100644
--- a/host/commands/secure_env/tpm_keymaster_context.h
+++ b/host/commands/secure_env/tpm_keymaster_context.h
@@ -38,14 +38,15 @@ class TpmRemoteProvisioningContext;
  * https://cs.android.com/android/platform/superproject/+/master:system/keymaster/include/keymaster/keymaster_context.h;drc=821acb74d7febb886a9b7cefee4ee3df4cc8c556
  */
 class TpmKeymasterContext : public keymaster::KeymasterContext {
-private:
+ private:
   TpmResourceManager& resource_manager_;
   keymaster::KeymasterEnforcement& enforcement_;
   std::unique_ptr<TpmKeyBlobMaker> key_blob_maker_;
   std::unique_ptr<TpmRandomSource> random_source_;
   std::unique_ptr<TpmAttestationRecordContext> attestation_context_;
   std::unique_ptr<TpmRemoteProvisioningContext> remote_provisioning_context_;
-  std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>> key_factories_;
+  std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>>
+      key_factories_;
   std::vector<keymaster_algorithm_t> supported_algorithms_;
   uint32_t os_version_;
   uint32_t os_patchlevel_;
@@ -63,10 +64,10 @@ private:
     return attestation_context_->GetKmVersion();
   }
 
-  keymaster_error_t SetSystemVersion(
-      uint32_t os_version, uint32_t os_patchlevel) override;
-  void GetSystemVersion(
-      uint32_t* os_version, uint32_t* os_patchlevel) const override;
+  keymaster_error_t SetSystemVersion(uint32_t os_version,
+                                     uint32_t os_patchlevel) override;
+  void GetSystemVersion(uint32_t* os_version,
+                        uint32_t* os_patchlevel) const override;
 
   const keymaster::KeyFactory* GetKeyFactory(
       keymaster_algorithm_t algorithm) const override;
@@ -86,11 +87,15 @@ private:
       const keymaster::AuthorizationSet& additional_params,
       keymaster::UniquePtr<keymaster::Key>* key) const override;
 
-  keymaster_error_t AddRngEntropy(
-      const uint8_t* buf, size_t length) const override;
+  keymaster_error_t AddRngEntropy(const uint8_t* buf,
+                                  size_t length) const override;
 
   keymaster::KeymasterEnforcement* enforcement_policy() override;
 
+  keymaster::AttestationContext* attestation_context() override {
+    return attestation_context_.get();
+  }
+
   keymaster::CertificateChain GenerateAttestation(
       const keymaster::Key& key,
       const keymaster::AuthorizationSet& attest_params,
@@ -99,10 +104,8 @@ private:
       keymaster_error_t* error) const override;
 
   keymaster::CertificateChain GenerateSelfSignedCertificate(
-      const keymaster::Key& key,
-      const keymaster::AuthorizationSet& cert_params,
-      bool fake_signature,
-      keymaster_error_t* error) const override;
+      const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params,
+      bool fake_signature, keymaster_error_t* error) const override;
 
   keymaster_error_t UnwrapKey(
       const keymaster::KeymasterKeyBlob& wrapped_key_blob,
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.cpp b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
index 60a9a5a28..a5368c57e 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.cpp
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
@@ -25,11 +25,11 @@
 
 namespace cuttlefish {
 
-using keymaster::km_id_t;
 using keymaster::HmacSharingParameters;
 using keymaster::HmacSharingParametersArray;
 using keymaster::KeymasterBlob;
 using keymaster::KeymasterEnforcement;
+using keymaster::km_id_t;
 using keymaster::VerifyAuthorizationRequest;
 using keymaster::VerifyAuthorizationResponse;
 namespace {
@@ -46,9 +46,9 @@ bool operator==(const HmacSharingParameters& a,
 }
 }  // namespace
 class CompareHmacSharingParams {
-public:
-  bool operator()(
-      const HmacSharingParameters& a, const HmacSharingParameters& b) const {
+ public:
+  bool operator()(const HmacSharingParameters& a,
+                  const HmacSharingParameters& b) const {
     if (a.seed.data_length != b.seed.data_length) {
       return a.seed.data_length < b.seed.data_length;
     }
@@ -86,11 +86,9 @@ TpmKeymasterEnforcement::TpmKeymasterEnforcement(
     TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper)
     : KeymasterEnforcement(64, 64),
       resource_manager_(resource_manager),
-      gatekeeper_(gatekeeper) {
-}
+      gatekeeper_(gatekeeper) {}
 
-TpmKeymasterEnforcement::~TpmKeymasterEnforcement() {
-}
+TpmKeymasterEnforcement::~TpmKeymasterEnforcement() {}
 
 bool TpmKeymasterEnforcement::activation_date_valid(
     uint64_t activation_date) const {
@@ -102,10 +100,10 @@ bool TpmKeymasterEnforcement::expiration_date_passed(
   return expiration_date < get_wall_clock_time_ms();
 }
 
-bool TpmKeymasterEnforcement::auth_token_timed_out(
-    const hw_auth_token_t& token, uint32_t timeout) const {
+bool TpmKeymasterEnforcement::auth_token_timed_out(const hw_auth_token_t& token,
+                                                   uint32_t timeout) const {
   // timeout comes in seconds, token.timestamp comes in milliseconds
-  uint64_t timeout_ms = 1000 * (uint64_t) timeout;
+  uint64_t timeout_ms = 1000 * (uint64_t)timeout;
   return (be64toh(token.timestamp) + timeout_ms) < get_current_time_ms();
 }
 
@@ -132,32 +130,24 @@ bool TpmKeymasterEnforcement::ValidateTokenSignature(
    * GateKeeper::MintAuthToken
    */
 
-  const uint8_t *auth_token_key = nullptr;
+  const uint8_t* auth_token_key = nullptr;
   uint32_t auth_token_key_len = 0;
   if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
     LOG(WARNING) << "Unable to get gatekeeper auth token";
     return false;
   }
 
+  constexpr uint32_t hashable_length =
+      sizeof(token.version) + sizeof(token.challenge) + sizeof(token.user_id) +
+      sizeof(token.authenticator_id) + sizeof(token.authenticator_type) +
+      sizeof(token.timestamp);
 
-  constexpr uint32_t hashable_length = sizeof(token.version) +
-                                       sizeof(token.challenge) +
-                                       sizeof(token.user_id) +
-                                       sizeof(token.authenticator_id) +
-                                       sizeof(token.authenticator_type) +
-                                       sizeof(token.timestamp);
-
-  static_assert(
-      offsetof(hw_auth_token_t, hmac) == hashable_length,
-      "hw_auth_token_t does not appear to be packed");
-
+  static_assert(offsetof(hw_auth_token_t, hmac) == hashable_length,
+                "hw_auth_token_t does not appear to be packed");
 
   gatekeeper_.ComputeSignature(
-      comparison_token.hmac,
-      sizeof(comparison_token.hmac),
-      auth_token_key,
-      auth_token_key_len,
-      reinterpret_cast<uint8_t*>(&comparison_token),
+      comparison_token.hmac, sizeof(comparison_token.hmac), auth_token_key,
+      auth_token_key_len, reinterpret_cast<uint8_t*>(&comparison_token),
       hashable_length);
 
   static_assert(sizeof(token.hmac) == sizeof(comparison_token.hmac));
@@ -170,9 +160,8 @@ keymaster_error_t TpmKeymasterEnforcement::GetHmacSharingParameters(
   if (!have_saved_params_) {
     saved_params_.seed = {};
     TpmRandomSource random_source{resource_manager_.Esys()};
-    auto rc =
-        random_source.GenerateRandom(
-            saved_params_.nonce, sizeof(saved_params_.nonce));
+    auto rc = random_source.GenerateRandom(saved_params_.nonce,
+                                           sizeof(saved_params_.nonce));
     if (rc != KM_ERROR_OK) {
       LOG(ERROR) << "Failed to generate HmacSharingParameters nonce";
       return rc;
@@ -185,18 +174,15 @@ keymaster_error_t TpmKeymasterEnforcement::GetHmacSharingParameters(
 }
 
 keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac(
-    const HmacSharingParametersArray& hmac_array,
-    KeymasterBlob* sharingCheck) {
+    const HmacSharingParametersArray& hmac_array, KeymasterBlob* sharingCheck) {
   std::set<HmacSharingParameters, CompareHmacSharingParams> sorted_hmac_inputs;
   bool found_mine = false;
   for (int i = 0; i < hmac_array.num_params; i++) {
     HmacSharingParameters sharing_params;
     sharing_params.seed =
         keymaster::KeymasterBlob(hmac_array.params_array[i].seed);
-    memcpy(
-        sharing_params.nonce,
-        hmac_array.params_array[i].nonce,
-        sizeof(sharing_params.nonce));
+    memcpy(sharing_params.nonce, hmac_array.params_array[i].nonce,
+           sizeof(sharing_params.nonce));
     found_mine = found_mine || (sharing_params == saved_params_);
     sorted_hmac_inputs.emplace(std::move(sharing_params));
   }
@@ -218,7 +204,6 @@ keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac(
     }
   }
 
-
   auto signing_key_builder = PrimaryKeyBuilder();
   signing_key_builder.SigningKey();
   signing_key_builder.UniqueData(std::string(unique_data, sizeof(unique_data)));
@@ -230,12 +215,9 @@ keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac(
 
   static const uint8_t signing_input[] = "Keymaster HMAC Verification";
 
-  auto hmac = TpmHmac(
-      resource_manager_,
-      signing_key->get(),
-      TpmAuth(ESYS_TR_PASSWORD),
-      signing_input,
-      sizeof(signing_input));
+  auto hmac =
+      TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD),
+              signing_input, sizeof(signing_input));
 
   if (!hmac) {
     LOG(ERROR) << "Unable to complete signing check";
@@ -260,10 +242,10 @@ VerifyAuthorizationResponse TpmKeymasterEnforcement::VerifyAuthorization(
   response.token.timestamp = get_current_time_ms();
   response.token.security_level = SecurityLevel();
 
-  VerificationData verify_data {
-    .challenge = response.token.challenge,
-    .timestamp = response.token.timestamp,
-    .security_level = response.token.security_level,
+  VerificationData verify_data{
+      .challenge = response.token.challenge,
+      .timestamp = response.token.timestamp,
+      .security_level = response.token.security_level,
   };
 
   auto signing_key_builder = PrimaryKeyBuilder();
@@ -274,12 +256,9 @@ VerifyAuthorizationResponse TpmKeymasterEnforcement::VerifyAuthorization(
     LOG(ERROR) << "Could not make signing key for verifying authorization";
     return response;
   }
-  auto hmac = TpmHmac(
-      resource_manager_,
-      signing_key->get(),
-      TpmAuth(ESYS_TR_PASSWORD),
-      reinterpret_cast<uint8_t*>(&verify_data),
-      sizeof(verify_data));
+  auto hmac =
+      TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD),
+              reinterpret_cast<uint8_t*>(&verify_data), sizeof(verify_data));
 
   if (!hmac) {
     LOG(ERROR) << "Could not calculate verification hmac";
@@ -324,8 +303,26 @@ keymaster_error_t TpmKeymasterEnforcement::GenerateTimestampToken(
   return KM_ERROR_OK;
 }
 
-bool TpmKeymasterEnforcement::CreateKeyId(
-    const keymaster_key_blob_t& key_blob, km_id_t* keyid) const {
+keymaster::KmErrorOr<std::array<uint8_t, 32>>
+TpmKeymasterEnforcement::ComputeHmac(
+    const std::vector<uint8_t>& data_to_mac) const {
+  std::array<uint8_t, 32> result;
+
+  const uint8_t* auth_token_key = nullptr;
+  uint32_t auth_token_key_len = 0;
+  if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
+    LOG(WARNING) << "Unable to get gatekeeper auth token";
+    return KM_ERROR_UNKNOWN_ERROR;
+  }
+
+  gatekeeper_.ComputeSignature(result.data(), result.size(), auth_token_key,
+                               auth_token_key_len, data_to_mac.data(),
+                               data_to_mac.size());
+  return result;
+}
+
+bool TpmKeymasterEnforcement::CreateKeyId(const keymaster_key_blob_t& key_blob,
+                                          km_id_t* keyid) const {
   auto signing_key_builder = PrimaryKeyBuilder();
   signing_key_builder.SigningKey();
   signing_key_builder.UniqueData("key_id");
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.h b/host/commands/secure_env/tpm_keymaster_enforcement.h
index 8db59301c..1178932b5 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.h
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.h
@@ -28,22 +28,22 @@ namespace cuttlefish {
  * system/keymaster/include/keymaster/keymaster_enforcement.h
  */
 class TpmKeymasterEnforcement : public keymaster::KeymasterEnforcement {
-public:
-  TpmKeymasterEnforcement(
-      TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper);
+ public:
+  TpmKeymasterEnforcement(TpmResourceManager& resource_manager,
+                          TpmGatekeeper& gatekeeper);
   ~TpmKeymasterEnforcement();
 
   bool activation_date_valid(uint64_t activation_date) const override;
   bool expiration_date_passed(uint64_t expiration_date) const override;
-  bool auth_token_timed_out(
-      const hw_auth_token_t& token, uint32_t timeout) const override;
+  bool auth_token_timed_out(const hw_auth_token_t& token,
+                            uint32_t timeout) const override;
   uint64_t get_current_time_ms() const override;
 
   keymaster_security_level_t SecurityLevel() const override;
   bool ValidateTokenSignature(const hw_auth_token_t& token) const override;
 
   keymaster_error_t GetHmacSharingParameters(
-        keymaster::HmacSharingParameters* params) override;
+      keymaster::HmacSharingParameters* params) override;
   keymaster_error_t ComputeSharedHmac(
       const keymaster::HmacSharingParametersArray& params_array,
       keymaster::KeymasterBlob* sharingCheck) override;
@@ -54,11 +54,13 @@ public:
   keymaster_error_t GenerateTimestampToken(
       keymaster::TimestampToken* token) override;
 
-  bool CreateKeyId(
-      const keymaster_key_blob_t& key_blob,
-      keymaster::km_id_t* keyid) const override;
+  keymaster::KmErrorOr<std::array<uint8_t, 32>> ComputeHmac(
+      const std::vector<uint8_t>& data_to_mac) const override;
 
-private:
+  bool CreateKeyId(const keymaster_key_blob_t& key_blob,
+                   keymaster::km_id_t* keyid) const override;
+
+ private:
   TpmResourceManager& resource_manager_;
   TpmGatekeeper& gatekeeper_;
   bool have_saved_params_ = false;