diff options
author | Xin Li <delphij@google.com> | 2023-08-14 15:38:11 -0700 |
---|---|---|
committer | Xin Li <delphij@google.com> | 2023-08-14 15:38:11 -0700 |
commit | 9ed3d948d2f747a467d598882e13d68063bbe555 (patch) | |
tree | 309ffd81767b8867e52d601762e6f61fa80311d9 | |
parent | c3e1bcc586ce4824f4d2c873ff3ae786a8ad5740 (diff) | |
parent | dedc068adf3ea7ec3d0180d9691914d7457adc5a (diff) | |
download | generic-tmp_amf_298295554.tar.gz |
Merge Android U (ab/10368041)tmp_amf_298295554
Bug: 291102124
Merged-In: I471f36124dd23658ead8c54920e2eb9049103d73
Change-Id: I0c0c7274f61b9cf41d01a7a3891d73a68d3199e5
29 files changed, 754 insertions, 64 deletions
@@ -87,7 +87,7 @@ GEN_SERVICE_SOURCE = GEN_SERVICE + " --nos-client-cpp_out=source:$(genDir) " GEN_SERVICE_HEADER = GEN_SERVICE + " --nos-client-cpp_out=header:$(genDir) " GEN_SERVICE_MOCK = GEN_SERVICE + " --nos-client-cpp_out=mock:$(genDir) " -// A special target to be statically linkeed into recovery which is a system +// A special target to be statically linked into recovery which is a system // (not vendor) component. cc_library_static { name: "libnos_for_recovery", @@ -100,7 +100,6 @@ cc_library_static { export_include_dirs: [ "nugget/include", "libnos/include", - "libnos_datagram/include", "libnos_transport/include", ], srcs: [ @@ -113,7 +112,7 @@ cc_library_static { ], } -// A special target to be statically linkeed into fastboot hal. +// A special target to be statically linked into fastboot hal. cc_library_static { name: "libnos_for_fastboot", recovery: true, @@ -126,7 +125,6 @@ cc_library_static { export_include_dirs: [ "nugget/include", "libnos/include", - "libnos_datagram/include", "libnos_transport/include", ], srcs: [ @@ -139,7 +137,7 @@ cc_library_static { ], } -// A special target to be statically linkeed into recovery which is a system +// A special target to be statically linked into recovery which is a system // (not vendor) component. cc_library_static { name: "libnos_citadel_for_recovery", @@ -150,14 +148,17 @@ cc_library_static { ], srcs: [ ":libnos_client", - "libnos_datagram/citadel.c", + "libnos_datagram/citadel.cpp", ], static_libs: [ "libnos_for_recovery", ], + shared_libs: [ + "libbase", + ], } -// A special target to be statically linkeed into fastboot hal. +// A special target to be statically linked into fastboot hal. cc_library_static { name: "libnos_citadel_for_fastboot", recovery: true, @@ -168,11 +169,14 @@ cc_library_static { ], srcs: [ ":libnos_client", - "libnos_datagram/citadel.c", + "libnos_datagram/citadel.cpp", ], static_libs: [ "libnos_for_fastboot", ], + shared_libs: [ + "libbase", + ], } // Language and vendor related defaults @@ -215,5 +219,7 @@ cc_library { "libnos_client_defaults", "nos_cc_defaults", ], - shared_libs: ["libnos_datagram_citadel"], + shared_libs: [ + "libnos_datagram_citadel", + ], } @@ -6,10 +6,25 @@ cc_library( "nugget/include/application.h", "nugget/include/avb.h", "nugget/include/citadel_events.h", + "nugget/include/feature_map.h", "nugget/include/flash_layout.h", "nugget/include/keymaster.h", + "nugget/include/nos/device.h", "nugget/include/signed_header.h", ], + deps = [ + "nos_headers_hals", + ], + strip_include_prefix = "nugget/include/", + visibility = ["//visibility:public"], +) + +cc_library( + name = "nos_headers_hals", + hdrs = [ + "nugget/include/hals/common.h", + "nugget/include/hals/weaver.h", + ], strip_include_prefix = "nugget/include/", visibility = ["//visibility:public"], ) diff --git a/libnos/Android.bp b/libnos/Android.bp index f68df27..2fdb924 100644 --- a/libnos/Android.bp +++ b/libnos/Android.bp @@ -30,9 +30,17 @@ cc_library { ], defaults: ["nos_cc_host_supported_defaults"], header_libs: ["nos_headers"], - shared_libs: ["libnos_datagram"], export_include_dirs: ["include"], - export_shared_lib_headers: ["libnos_datagram"], +} + +cc_library { + name: "libnos_feature", + srcs: [ + "feature.cpp", + ], + defaults: ["nos_cc_host_supported_defaults"], + header_libs: ["nos_headers"], + export_include_dirs: ["include"], } // This part of libnos must be linked with the target's implementation of diff --git a/libnos/BUILD b/libnos/BUILD index a03ec8f..627b721 100644 --- a/libnos/BUILD +++ b/libnos/BUILD @@ -3,12 +3,14 @@ cc_library( srcs = [ "NuggetClient.cpp", "debug.cpp", + "feature.cpp", ], hdrs = [ "include/nos/AppClient.h", "include/nos/NuggetClient.h", "include/nos/NuggetClientInterface.h", "include/nos/debug.h", + "include/nos/feature.h", ], includes = [ "include", @@ -16,7 +18,6 @@ cc_library( visibility = ["//visibility:public"], deps = [ "//host/generic:nos_headers", - "//host/generic/libnos_datagram", "//host/generic/libnos_transport", ], ) diff --git a/libnos/NuggetClient.cpp b/libnos/NuggetClient.cpp index c361463..d27e19b 100644 --- a/libnos/NuggetClient.cpp +++ b/libnos/NuggetClient.cpp @@ -84,6 +84,15 @@ uint32_t NuggetClient::CallApp(uint32_t appId, uint16_t arg, return status_code; } +uint32_t NuggetClient::CallApp(uint32_t appId, uint16_t arg, + const void* req_ptr, uint32_t req_len, + void* resp_ptr, uint32_t* resp_len) { + if (!open_) return APP_ERROR_IO; + + return nos_call_application(&device_, appId, arg, (const uint8_t*)req_ptr, + req_len, (uint8_t*)resp_ptr, resp_len); +} + uint32_t NuggetClient::Reset() const { if (!open_) diff --git a/libnos/debug.cpp b/libnos/debug.cpp index 0398d54..cc8a2c2 100644 --- a/libnos/debug.cpp +++ b/libnos/debug.cpp @@ -35,6 +35,7 @@ std::string StatusCodeString(uint32_t code) { ErrorString_helper(APP_ERROR_CHECKSUM) ErrorString_helper(APP_ERROR_BUSY) ErrorString_helper(APP_ERROR_TIMEOUT) + ErrorString_helper(APP_ERROR_NOT_READY) default: if (code >= APP_LINE_NUMBER_BASE && code < MAX_APP_STATUS) { return "APP_LINE_NUMBER " + std::to_string(code - APP_LINE_NUMBER_BASE); diff --git a/libnos/feature.cpp b/libnos/feature.cpp new file mode 100644 index 0000000..6651319 --- /dev/null +++ b/libnos/feature.cpp @@ -0,0 +1,44 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include <nos/feature.h> + +namespace nos { + +bool has_feature(NuggetClientInterface& nug, enum feature_support_app_id app_id, + uint32_t feature) { + uint32_t feature_id = (app_id << TA_OFFSET) | (feature & FEATURE_MASK); + + std::vector<uint8_t> req(sizeof(feature_id)); + memcpy(req.data(), &feature_id, sizeof(feature_id)); + + std::vector<uint8_t> resp; + resp.reserve(sizeof(uint8_t)); + + uint32_t rv = + nug.CallApp(APP_ID_NUGGET, NUGGET_PARAM_GET_FEATURE_SUPPORT, req, &resp); + if (rv != APP_SUCCESS) { + return false; + } + + if (resp.size() < 1) { + return false; // I guess? + } + + return !!resp[0]; +} + +} // namespace nos diff --git a/libnos/generator/test/test.cpp b/libnos/generator/test/test.cpp index 4542c88..f6a4835 100644 --- a/libnos/generator/test/test.cpp +++ b/libnos/generator/test/test.cpp @@ -79,7 +79,7 @@ TEST(GeneratedServiceClientTest, DataSuccessfullyExchanged) { GreetResponse response; response.set_greeting("Hello, Tester age 78"); - std::vector<uint8_t> responseBytes(response.ByteSize()); + std::vector<uint8_t> responseBytes(response.ByteSizeLong()); ASSERT_TRUE(response.SerializeToArray(responseBytes.data(), responseBytes.size())); EXPECT_CALL(client, CallApp(_, _, DecodesToProtoMessage(request), _)) @@ -114,7 +114,7 @@ TEST(GeneratedServiceClientTest, AppErrorsPropagatedWithoutResponseDecode) { GreetResponse response; response.set_greeting("Ignore me"); - std::vector<uint8_t> responseBytes(response.ByteSize()); + std::vector<uint8_t> responseBytes(response.ByteSizeLong()); ASSERT_TRUE(response.SerializeToArray(responseBytes.data(), responseBytes.size())); EXPECT_CALL(client, CallApp(_, _, _, _)) diff --git a/libnos/include/nos/AppClient.h b/libnos/include/nos/AppClient.h index 0a35d82..1299100 100644 --- a/libnos/include/nos/AppClient.h +++ b/libnos/include/nos/AppClient.h @@ -51,6 +51,21 @@ public: return _client.CallApp(_appId, arg, request, response); } + /** + * Call the app. + * + * @param arg Argument to pass to the app. + * @param req_ptr Data to send to the app. + * @param req_len Number of bytes to send to the app. + * @param resp_ptr Buffer to receive data from the app. + * @param resp_len In: Max number of bytes to receive from the app. + * Out: Actual number of bytes received from the app. + */ + uint32_t Call(uint16_t arg, const void* req_ptr, uint32_t req_len, + void* resp_ptr, uint32_t* resp_len) { + return _client.CallApp(_appId, arg, req_ptr, req_len, resp_ptr, + resp_len); + } private: NuggetClientInterface& _client; diff --git a/libnos/include/nos/NuggetClient.h b/libnos/include/nos/NuggetClient.h index 9484bd8..c4dc1cb 100644 --- a/libnos/include/nos/NuggetClient.h +++ b/libnos/include/nos/NuggetClient.h @@ -73,6 +73,22 @@ public: std::vector<uint8_t>* response) override; /** + * Call into an app running on Nugget. + * + * @param app_id The ID of the app to call. + * @param arg Argument to pass to the app. + * @param req_ptr Data to send to the app. + * @param req_len Number of bytes to send to the app. + * @param resp_ptr Buffer to receive data from the app. + * @param resp_len In: Max number of bytes to receive from the app. + * Out: Actual number of bytes received from the app. + * @return Status code from the app. + */ + uint32_t CallApp(uint32_t appId, uint16_t arg, const void* req_ptr, + uint32_t req_len, void* resp_ptr, + uint32_t* resp_len) override; + + /** * Reset the device. Use with caution; context may be lost. */ uint32_t Reset() const override; diff --git a/libnos/include/nos/NuggetClientInterface.h b/libnos/include/nos/NuggetClientInterface.h index 8d78185..e14c794 100644 --- a/libnos/include/nos/NuggetClientInterface.h +++ b/libnos/include/nos/NuggetClientInterface.h @@ -58,6 +58,23 @@ public: virtual uint32_t CallApp(uint32_t appId, uint16_t arg, const std::vector<uint8_t>& request, std::vector<uint8_t>* response) = 0; + + /** + * Call into an app running on Nugget. + * + * @param app_id The ID of the app to call. + * @param arg Argument to pass to the app. + * @param req_ptr Data to send to the app. + * @param req_len Number of bytes to send to the app. + * @param resp_ptr Buffer to receive data from the app. + * @param resp_len In: Max number of bytes to receive from the app. + * Out: Actual number of bytes received from the app. + * @return Status code from the app. + */ + virtual uint32_t CallApp(uint32_t appId, uint16_t arg, const void* req_ptr, + uint32_t req_len, void* resp_ptr, + uint32_t* resp_len) = 0; + /** * Reset the device. Use with caution; context may be lost. */ diff --git a/libnos/include/nos/feature.h b/libnos/include/nos/feature.h new file mode 100644 index 0000000..0ed6d0a --- /dev/null +++ b/libnos/include/nos/feature.h @@ -0,0 +1,29 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include <app_nugget.h> +#include <application.h> +#include <feature_map.h> +#include <nos/NuggetClientInterface.h> + +namespace nos { + +bool has_feature(NuggetClientInterface& nug, enum feature_support_app_id app_id, + uint32_t feature); + +} // namespace nos diff --git a/libnos/test/include/nos/MockNuggetClient.h b/libnos/test/include/nos/MockNuggetClient.h index 48814c9..19e7f00 100644 --- a/libnos/test/include/nos/MockNuggetClient.h +++ b/libnos/test/include/nos/MockNuggetClient.h @@ -33,6 +33,9 @@ struct MockNuggetClient : public NuggetClientInterface { MOCK_METHOD4(CallApp, uint32_t(uint32_t, uint16_t, const std::vector<uint8_t>&, std::vector<uint8_t>*)); + MOCK_METHOD6(CallApp, uint32_t(uint32_t, uint16_t, + const void*, uint32_t, + void*, uint32_t*)); MOCK_CONST_METHOD0(Reset, uint32_t()); }; diff --git a/libnos_datagram/Android.bp b/libnos_datagram/Android.bp index 0176e00..f854bd8 100644 --- a/libnos_datagram/Android.bp +++ b/libnos_datagram/Android.bp @@ -36,15 +36,17 @@ license { cc_library { name: "libnos_datagram", defaults: ["nos_cc_host_supported_defaults"], - export_include_dirs: ["include"], } cc_library { name: "libnos_datagram_citadel", - srcs: ["citadel.c"], + srcs: ["citadel.cpp"], + header_libs: ["nos_headers"], defaults: ["nos_cc_defaults"], shared_libs: [ + "libbase", "liblog", + "libnos_transport", "libnos_datagram", ], } diff --git a/libnos_datagram/BUILD b/libnos_datagram/BUILD deleted file mode 100644 index e6f029c..0000000 --- a/libnos_datagram/BUILD +++ /dev/null @@ -1,10 +0,0 @@ -cc_library( - name = "libnos_datagram", - hdrs = [ - "include/nos/device.h", - ], - includes = [ - "./include", - ], - visibility = ["//visibility:public"], -) diff --git a/libnos_datagram/citadel.c b/libnos_datagram/citadel.cpp index 7d1d893..199635c 100644 --- a/libnos_datagram/citadel.c +++ b/libnos_datagram/citadel.cpp @@ -35,6 +35,9 @@ #include <sys/types.h> #include <unistd.h> +#include <android-base/properties.h> +#include <application.h> + /*****************************************************************************/ /* Ideally, this should be in <linux/citadel.h> */ #define CITADEL_IOC_MAGIC 'c' @@ -43,14 +46,33 @@ struct citadel_ioc_tpm_datagram { __u32 len; __u32 command; }; + +/* GSA nos call request struct */ +struct gsa_ioc_nos_call_req { + __u8 app_id; + __u8 reserved; + __u16 params; + __u32 arg_len; + __u64 buf; + __u32 reply_len; + __u32 call_status; +}; + #define CITADEL_IOC_TPM_DATAGRAM _IOW(CITADEL_IOC_MAGIC, 1, \ struct citadel_ioc_tpm_datagram) #define CITADEL_IOC_RESET _IO(CITADEL_IOC_MAGIC, 2) +#define GSC_IOC_GSA_NOS_CALL _IOW(CITADEL_IOC_MAGIC, 3, \ + struct gsa_ioc_nos_call_req) /*****************************************************************************/ #define DEV_CITADEL "/dev/citadel0" #define DEV_DAUNTLESS "/dev/gsc0" +/* Allocate 4KB buffer for GSA mbox data transmission */ +#define MAX_GSA_NOS_CALL_TRANSFER 4096 +static uint8_t gsa_nos_call_buf[MAX_GSA_NOS_CALL_TRANSFER]; +static pthread_mutex_t nos_call_buf_mutex = PTHREAD_MUTEX_INITIALIZER; + static pthread_mutex_t in_buf_mutex = PTHREAD_MUTEX_INITIALIZER; static uint8_t in_buf[MAX_DEVICE_TRANSFER]; static int read_datagram(void *ctx, uint32_t command, uint8_t *buf, uint32_t len) { @@ -206,6 +228,112 @@ static void close_device(void *ctx) { free(ctx); } +/* Detect if GSA kernel support nos_call interface + * Returns true on success or false on failure. + */ +static bool detect_gsa_nos_call_interface(int fd) { + int ret; + errno = 0; + + if (fd < 0) { + ALOGE("invalid device handle (%d)", fd); + return false; + } + + /* Send app_id = 0 and params = 0 to detect GSA IOCTL interface */ + struct gsa_ioc_nos_call_req gsa_nos_call_req = { + .app_id = 0, + .reserved = 0, + .params = 0, + .arg_len = 0, + .buf = (unsigned long)gsa_nos_call_buf, + .reply_len = 0, + .call_status = 0, + }; + + ret = ioctl(fd, GSC_IOC_GSA_NOS_CALL, &gsa_nos_call_req); + if (ret < 0) { + ALOGE("can't send GSA mbox command: %s", strerror(errno)); + } + + /* GSA kernel is not support GSA_NOS_CALL if return EINVAL or ENOTTY */ + if (!errno) { + return true; + } else { + return false; + } +} + +static int one_pass_call(void *ctx, uint8_t app_id, uint16_t params, + const uint8_t *args, uint32_t arg_len, + uint8_t *reply, uint32_t *reply_len, + uint32_t *status_code) { + *status_code = APP_SUCCESS; + int ret; + int fd; + + struct gsa_ioc_nos_call_req gsa_nos_call_req = { + .app_id = app_id, + .reserved = 0, + .params = params, + .arg_len = arg_len, + .buf = (unsigned long)gsa_nos_call_buf, + .reply_len = *reply_len, + .call_status = *status_code, + }; + + ALOGD("Calling App 0x%02x with params 0x%04x", app_id, params); + + if (!ctx || (arg_len && !args) || + (reply_len && *reply_len && !reply) || + (arg_len > MAX_GSA_NOS_CALL_TRANSFER) || + (reply_len && *reply_len > MAX_GSA_NOS_CALL_TRANSFER) || + !status_code) { + ALOGE("Invalid args to %s()", __func__); + return -EINVAL; + } + + fd = *(int *)ctx; + if (fd < 0) { + ALOGE("%s: invalid device\n", __func__); + return -ENODEV; + } + + /* Lock the out buffer while it is used for this transaction */ + if (pthread_mutex_lock(&nos_call_buf_mutex) != 0) { + ALOGE("%s: failed to lock nos_call_buf_mutex: %s", __func__, strerror(errno)); + return -errno; + } + + if (arg_len) { + memcpy(gsa_nos_call_buf, args, arg_len); + } + + ret = ioctl(fd, GSC_IOC_GSA_NOS_CALL, &gsa_nos_call_req); + if (ret < 0) { + ALOGE("can't send GSA mbox command: %s", strerror(errno)); + goto exit; + } + + *status_code = gsa_nos_call_req.call_status; + if (reply_len != NULL) { + *reply_len = gsa_nos_call_req.reply_len; + if (*reply_len) { + memcpy(reply, gsa_nos_call_buf, *reply_len); + } + } + +exit: + if (pthread_mutex_unlock(&nos_call_buf_mutex) != 0) { + ALOGE("%s: failed to unlock nos_call_buf_mutex: %s", __func__, + strerror(errno)); + return -errno; + } + + ALOGD("App 0x%02x returning 0x%x", app_id, *status_code); + return ret; +} + static const char *default_device(void) { struct stat statbuf; int rv; @@ -256,5 +384,7 @@ int nos_device_open(const char *device_name, struct nos_device *dev) { dev->ops.wait_for_interrupt = wait_for_interrupt; dev->ops.reset = reset; dev->ops.close = close_device; + dev->ops.one_pass_call = one_pass_call; + dev->use_one_pass_call = detect_gsa_nos_call_interface(fd); return 0; } diff --git a/libnos_transport/Android.bp b/libnos_transport/Android.bp index 1dd8992..ee519c5 100644 --- a/libnos_transport/Android.bp +++ b/libnos_transport/Android.bp @@ -47,7 +47,6 @@ cc_library { shared_libs: [ "libbase", "liblog", - "libnos_datagram", ], export_include_dirs: ["include"], } diff --git a/libnos_transport/BUILD b/libnos_transport/BUILD index 9fc9017..0d70a0d 100644 --- a/libnos_transport/BUILD +++ b/libnos_transport/BUILD @@ -14,7 +14,6 @@ cc_library( visibility = ["//visibility:public"], deps = [ "//host/generic:nos_headers", - "//host/generic/libnos_datagram", ], ) diff --git a/libnos_transport/transport.c b/libnos_transport/transport.c index 855b884..b3a3a40 100644 --- a/libnos_transport/transport.c +++ b/libnos_transport/transport.c @@ -191,7 +191,7 @@ static int get_status(const struct transport_context *ctx, /* Check the CRC, if it fails we will retry */ if (out->crc != our_crc) { - NLOGW("App %d status CRC mismatch: theirs=%04x ours=%04x", + NLOGW("App 0x%02x status CRC mismatch: theirs=%04x ours=%04x", ctx->app_id, out->crc, our_crc); continue; } @@ -227,8 +227,9 @@ static uint32_t make_ready(const struct transport_context *ctx) { NLOGE("Failed to inspect app %d", ctx->app_id); return APP_ERROR_IO; } - NLOGD("App %d inspection status=0x%08x reply_len=%d protocol=%d flags=0x%04x", - ctx->app_id, status.status, status.reply_len, status.version, status.flags); + NLOGD("App 0x%02x check status=0x%08x reply_len=%d protocol=%d flags=0x%04x", + ctx->app_id, status.status, status.reply_len, status.version, + status.flags); /* If it's already idle then we're ready to proceed */ if (status.status == APP_STATUS_IDLE) { @@ -236,7 +237,7 @@ static uint32_t make_ready(const struct transport_context *ctx) { && (status.flags & STATUS_FLAG_WORKING)) { /* The app is still working when we don't expect it to be. We won't be * able to clear the state so might need to force a reset to recover. */ - NLOGE("App %d is still working", ctx->app_id); + NLOGE("App 0x%02x is still working", ctx->app_id); return APP_ERROR_BUSY; } return APP_SUCCESS; @@ -259,7 +260,7 @@ static uint32_t make_ready(const struct transport_context *ctx) { /* It's ignoring us and is still not ready, so it's broken */ if (status.status != APP_STATUS_IDLE) { - NLOGE("App %d is not responding", ctx->app_id); + NLOGE("App 0x%02x is not responding", ctx->app_id); return APP_ERROR_IO; } @@ -369,17 +370,20 @@ static uint32_t poll_until_done(const struct transport_context *ctx, poll_count++; /* Log at higher priority every 16 polls */ if ((poll_count & (16 - 1)) == 0) { - NLOGD("App %d poll=%d status=0x%08x reply_len=%d flags=0x%04x", - ctx->app_id, poll_count, status->status, status->reply_len, status->flags); + NLOGD("App 0x%02x poll=%d status=0x%08x reply_len=%d flags=0x%04x", + ctx->app_id, poll_count, status->status, status->reply_len, + status->flags); } else { - NLOGV("App %d poll=%d status=0x%08x reply_len=%d flags=0x%04x", - ctx->app_id, poll_count, status->status, status->reply_len, status->flags); + NLOGV("App 0x%02x poll=%d status=0x%08x reply_len=%d flags=0x%04x", + ctx->app_id, poll_count, status->status, status->reply_len, + status->flags); } /* Check whether the app is done */ if (status->status & APP_STATUS_DONE) { - NLOGD("App %d polled=%d status=0x%08x reply_len=%d flags=0x%04x", - ctx->app_id, poll_count, status->status, status->reply_len, status->flags); + NLOGD("App 0x%02x polled=%d status=0x%08x reply_len=%d flags=0x%04x", + ctx->app_id, poll_count, status->status, status->reply_len, + status->flags); return APP_STATUS_CODE(status->status); } @@ -387,7 +391,7 @@ static uint32_t poll_until_done(const struct transport_context *ctx, if (status->version != TRANSPORT_V0 && !(status->flags & STATUS_FLAG_WORKING)) { /* The slave has stopped working without being done so it's misbehaving */ - NLOGE("App %d just stopped working", ctx->app_id); + NLOGE("App 0x%02x just stopped working", ctx->app_id); return APP_ERROR_INTERNAL; } if (clock_gettime(CLOCK_MONOTONIC, &now) != 0) { @@ -396,8 +400,8 @@ static uint32_t poll_until_done(const struct transport_context *ctx, } } while (timespec_before(&now, &abort_at)); - NLOGE("App %d not done after polling %d times in %d seconds", - ctx->app_id, poll_count, POLL_LIMIT_SECONDS); + NLOGE("App 0x%02x not done after polling %d times in %d seconds", ctx->app_id, + poll_count, POLL_LIMIT_SECONDS); return APP_ERROR_TIMEOUT; } @@ -440,7 +444,8 @@ static uint32_t receive_reply(const struct transport_context *ctx, if (status->version == TRANSPORT_V0) return APP_SUCCESS; if (crc == status->reply_crc) return APP_SUCCESS; - NLOGW("App %d reply CRC mismatch: theirs=%04x ours=%04x", ctx->app_id, status->reply_crc, crc); + NLOGW("App 0x%02x reply CRC mismatch: theirs=%04x ours=%04x", ctx->app_id, + status->reply_crc, crc); } NLOGE("Unable to get valid checksum on app %d reply data", ctx->app_id); @@ -456,6 +461,7 @@ uint32_t nos_call_application(const struct nos_device *dev, uint8_t *reply, uint32_t *reply_len) { uint32_t res; + uint32_t status_code; const struct transport_context ctx = { .dev = dev, .app_id = app_id, @@ -472,10 +478,28 @@ uint32_t nos_call_application(const struct nos_device *dev, return APP_ERROR_IO; } - NLOGD("Calling App %d with params 0x%04x", app_id, params); +#ifdef ANDROID + if (!dev) { + NLOGE("Invalid args to %s()", __func__); + return APP_ERROR_IO; + } + + // Call GSA nos_call IOCTL interface if needed + if (dev->use_one_pass_call) { + int err = dev->ops.one_pass_call(dev->ctx, app_id, params, args, arg_len, + reply, reply_len, &status_code); + if (err < 0) { + NLOGE("one_pass_call failed: %s", strerror(-err)); + status_code = APP_ERROR_IO; + } + + return status_code; + } +#endif + + NLOGD("Calling App 0x%02x with params 0x%04x", app_id, params); struct transport_status status; - uint32_t status_code; int retries = CRC_RETRY_COUNT; while (retries--) { /* Wake up and wait for Citadel to be ready */ @@ -493,16 +517,16 @@ uint32_t nos_call_application(const struct nos_device *dev, * or more than it can accept but this should not happen. Give to the chip a * little bit of time and retry calling again. */ if (status_code == APP_ERROR_TOO_MUCH) { - NLOGD("App %d returning 0x%x, give a retry(%d/%d)", - app_id, status_code, retries, CRC_RETRY_COUNT); + NLOGD("App 0x%02x returning 0x%x, give a retry(%d/%d)", app_id, + status_code, retries, CRC_RETRY_COUNT); usleep(RETRY_WAIT_TIME_US); continue; } if (status_code != APP_ERROR_CHECKSUM) break; - NLOGW("App %d request checksum error", app_id); + NLOGW("App 0x%02x request checksum error", app_id); } if (status_code == APP_ERROR_CHECKSUM) { - NLOGE("App %d request checksum failed too many times", app_id); + NLOGE("App 0x%02x request checksum failed too many times", app_id); status_code = APP_ERROR_IO; } @@ -519,6 +543,6 @@ uint32_t nos_call_application(const struct nos_device *dev, * next call will try again. */ (void)clear_status(&ctx); - NLOGD("App %d returning 0x%x", app_id, status_code); + NLOGD("App 0x%02x returning 0x%x", app_id, status_code); return status_code; } diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h index 82554c5..8852b18 100644 --- a/nugget/include/app_nugget.h +++ b/nugget/include/app_nugget.h @@ -29,8 +29,9 @@ extern "C" { /* App-specific errors (across all commands) */ enum { - NUGGET_ERROR_LOCKED = APP_SPECIFIC_ERROR, + NUGGET_ERROR_LOCKED = APP_SPECIFIC_ERROR + 0, NUGGET_ERROR_RETRY, + NUGGET_ERROR_VERIFY, }; /****************************************************************************/ @@ -551,7 +552,8 @@ struct secure_channel_retry_count_persist_storage { * * @param args GSA EC public_key + AES_GCM256("MSGA") + AES_GSC_TAG * @param arg_len 64 + 4 + 16 bytes = 84 - * @param reply GSC EC public_key + AES_GCM256("MSGB") + AES_GSC_TAG OR 1 byte error state + * @param reply GSC EC public_key + AES_GCM256("MSGB") + AES_GSC_TAG + * OR 1 byte error state * @param reply_len 64 + 4 + 16 bytes = 84 OR 1 */ @@ -559,11 +561,12 @@ struct secure_channel_retry_count_persist_storage { /* * Secure transport report noise handshake state command * - * @param args GSA noise handshake state - * @param arg_len 1 + * @param args GSA noise handshake state + report suez state + * @param arg_len 2 * @param reply <none> * @param reply_len 1 */ + #define NUGGET_PARAM_GET_BIG_EVENT_REPORT 0x001b /* * This retrieves one pending big_event_report (defined in citadel_events.h). @@ -574,15 +577,39 @@ struct secure_channel_retry_count_persist_storage { * @param reply struct big_event_report * @param reply_len sizeof struct big_event_report OR 0 */ -#define NUGGET_PARAM_GET_BIG_EVENT_REPORT 0x001b + +#define NUGGET_PARAM_GET_FEATURE_SUPPORT 0x001c /* - * This retrieves one pending big_event_report (defined in citadel_events.h). - * If none are pending, it returns nothing. + * Get the specific feature supportness from the specific TA. * - * @param args <none> - * @param arg_len 0 - * @param reply struct big_event_report - * @param reply_len sizeof struct big_event_report OR 0 + * @param args feature_id + * @param arg_len 4 byte + * @param reply 0 or 1 + * @param reply_len 1 byte + * + * @errors APP_ERROR_BOGUS_ARGS + */ + +#define NUGGET_PARAM_SECURE_TRANSPORT_USECASE_HANDSHAKE 0x001d +/* + * Secure transport usecase handshake command + * + * @param args AES_GCM256(struct secure_transport_usecase) + + * AES_GCM_TAG_SIZE + * @param arg_len 64 + 16 = 80 bytes + * @param reply AES_GCM256(struct secure_transport_usecase) + + * AES_GCM_TAG_SIZE OR 1 byte error state + * @param reply_len 64 + 16 = 80 OR 1 bytes + */ + +#define NUGGET_PARAM_SECURE_TRANSPORT_TEST 0x001e +/* + * Secure transport test command + * + * @param args 1008 (1024 - 16 bytes AES_TAG_SIZE) bytes test data + * @param arg_len 1008 bytes + * @param reply 1008 (1024 - 16 bytes AES_TAG_SIZE) bytes test data + * @param reply_len 1008 bytes */ /****************************************************************************/ diff --git a/nugget/include/application.h b/nugget/include/application.h index 2f897b6..053d016 100644 --- a/nugget/include/application.h +++ b/nugget/include/application.h @@ -79,9 +79,13 @@ typedef const void * const __private; #define APP_ID_AVB_TEST 0x11 #define APP_ID_TRANSPORT_TEST 0x12 #define APP_ID_FACEAUTH_TEST 0x13 +#define APP_ID_TEST 0x7f -/* This app ID should only be used by tests. */ -#define APP_ID_TEST 0xff +/* OR this with the APP_ID to request no-protobuf messages */ +#define APP_ID_NO_PROTO_FLAG 0x80 + +/* No-protobuf app, experimental for now */ +#define APP_ID_WEAVER2 (APP_ID_WEAVER | APP_ID_NO_PROTO_FLAG) /****************************************************************************/ /* Other command fields */ @@ -90,7 +94,7 @@ typedef const void * const __private; * The Command encoding is: * * Bits 31-24 Control flags (reserved) - * Bits 23-16 Application ID + * Bits 23-16 Application ID (bit 23 indicates C protocol, not protobuf) * Bits 15-0 Parameters (application-specific) */ diff --git a/nugget/include/feature_map.h b/nugget/include/feature_map.h new file mode 100644 index 0000000..141b52d --- /dev/null +++ b/nugget/include/feature_map.h @@ -0,0 +1,59 @@ +/** + * \file + * Feature ID format and inline decode functions + */ + +#pragma once + +/*****************************************************************************/ + +#define TA_MASK 0xFF000000 +#define TA_OFFSET 24 +#define TA_FIELD 8 // Max 256 TAs + +#define FEATURE_MASK 0x00FFFFFF +#define FEATURE_OFFSET 0 +#define FEATURE_FIELD 24 // Can support up to 2^24 features + +#define TA_FROM_FEATURE_ID(id) \ + ((enum feature_support_app_id)((id & TA_MASK) >> TA_OFFSET)) +#define MODULE_FROM_FEATURE_ID(id) ((id & FEATURE_MASK) >> FEATURE_OFFSET) +/*****************************************************************************/ + +enum feature_support_app_id { + feature_id_avb = 0, + feature_id_gfa = 1, + feature_id_identity = 2, + feature_id_keymint = 3, + feature_id_nugget = 4, + feature_id_weaver = 5, + + /* Please do not change numbers after they've been released */ + + feature_id_count, // used in sparse lookup table + feature_id_max = 0xff, // 8-bit TA_FIELD +}; +static_assert(feature_id_count <= feature_id_max, + "Too many enum feature_support_app_id values"); + +enum km_feature_list { + km_feature_individual_attest = 0, + km_feature_batch_attest = 1, + km_feature_gnubby_attest = 2, + km_feature_rkp = 3, + km_feature_rkp_dice = 4, + km_feature_dice = 5, + km_feature_multimei = 6, + + /* Please do not change numbers after they've been released */ + + km_feature_max = FEATURE_MASK, // 24-bit FEATURE_FIELD +}; + +enum weaver_feature_list { + weaver_feature_api_no_proto = 0, + + /* Please do not change numbers after they've been released */ + + weaver_feature_max = FEATURE_MASK, // 24-bit FEATURE_FIELD +}; diff --git a/nugget/include/hals/common.h b/nugget/include/hals/common.h new file mode 100644 index 0000000..ed02484 --- /dev/null +++ b/nugget/include/hals/common.h @@ -0,0 +1,79 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#pragma once + +#ifdef __cplusplus +extern "C" { +#endif + +#include <stdint.h> + +#ifndef __packed +#define __packed __attribute__((packed)) +#endif + +/****************************************************************************/ +/** + * This should be the start of EVERY request and response struct. + * + * We don't really need a struct just to hold one integer, but if we need to add + * to it later, we'll be glad we did. + */ +struct nos2_cmd_hal { + uint32_t version; +} __packed; +/** + * IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT + * + * Do *NOT* increment the version number with each new dessert release! + * + * We'll use a (major << 16) | (minor) value for the version. The major + * versionn indicates when the command was first supported, and the minor + * indicates variations to it since then. + * + * We're currently working on Android 14 (UDC), so start with that. Bump minor + * values ONLY if the behavior changes. + * + * By including the version struct in every request and response, we can + * support multiple minor HAL changes independently. Add a new version + * constant below IF AND ONLY IF a command's struct changes or its behavior is + * different. THEN use that version internally to + * + * 1. Reject the command if the version is one you don't know about, AND + * + * 2. Verify that the incoming struct matches expectations for the versions + * you do know about, AND + * + * 3. Support as many versions as possible, in case Android is downgraded and + * Nugget OS is not (or vice-versa), SO + * + * 4) Make sure to indicate the version in the output structs too, in case the + * command has no input args but the output later changes. + * + * IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT IMPORTANT + */ +#define NOS2_HAL_VERSION_UDC (14U << 16) +/* STOP! Don't just randomly add new values here! Read the comment above! */ + +/****************************************************************************/ +/* Common types */ + +/* TODO(b/257251378): We'll need some <tag,len,bytes[]> stuff here. */ + +/****************************************************************************/ +#ifdef __cplusplus +} +#endif diff --git a/nugget/include/hals/weaver.h b/nugget/include/hals/weaver.h new file mode 100644 index 0000000..29bd67c --- /dev/null +++ b/nugget/include/hals/weaver.h @@ -0,0 +1,119 @@ +/* + * Copyright (C) 2022 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#pragma once + +#ifdef __cplusplus +extern "C" { +#endif + +#include "application.h" +#include "hals/common.h" + +/****************************************************************************/ +/* Magic constants + * + * Only Acropora knows these numbers. The AP has to ask. + * + * It's a pain to create multiple variable-length arrays using strictly correct + * C, but the Weaver service is in the Nugget OS repo so we can hard-code the + * sizes here. If it ever changes we'll use the hal.version field to distinguish + * which one we're using. + * + * Still, we want to match the AIDL definitions as closely as possible, to + * make our code easier to understand and maintain. + */ +#define NOS2_WEAVER_NUM_SLOTS 64 +#define NOS2_WEAVER_KEY_BYTES (128 / 8) +#define NOS2_WEAVER_VALUE_BYTES (128 / 8) +static_assert((NOS2_WEAVER_KEY_BYTES & 0x4) == 0, + "NOS2_WEAVER_KEY_BYTES is not a multiple of 4"); +static_assert((NOS2_WEAVER_VALUE_BYTES & 0x4) == 0, + "NOS2_WEAVER_VALUE_BYTES is not a multiple of 4"); + +typedef uint8_t nos2_weaver_key_t[NOS2_WEAVER_KEY_BYTES]; +typedef uint8_t nos2_weaver_value_t[NOS2_WEAVER_VALUE_BYTES]; + +/****************************************************************************/ +/* The command is sent separately from any data */ + +enum nos2_weaver_cmd { + NOS2_WEAVER_GET_CONFIG, + NOS2_WEAVER_WRITE, + NOS2_WEAVER_READ, + NOS2_WEAVER_ERASE_VALUE, + + NOS2_WEAVER_NUM_CMDS +}; + +/****************************************************************************/ +/* Request/Response data. Both are optional and depend on the command. */ + +/** NOS2_WEAVER_GET_CONFIG */ +/* There is no struct nos2_weaver_get_config_request */ +struct nos2_weaver_get_config_response { + struct nos2_cmd_hal hal; + + uint32_t slots; + uint32_t key_size; + uint32_t value_size; +}; + +/** NOS2_WEAVER_WRITE */ +struct nos2_weaver_write_request { + struct nos2_cmd_hal hal; + + uint32_t slot_id; + nos2_weaver_key_t key; + nos2_weaver_value_t value; +}; +/* There is no struct nos2_weaver_write_response */ + +/** NOS2_WEAVER_READ */ +struct nos2_weaver_read_request { + struct nos2_cmd_hal hal; + + uint32_t slot_id; + nos2_weaver_key_t key; +}; + +enum nos2_weaver_read_status { + NOS2_WEAVER_READ_STATUS_OK, + NOS2_WEAVER_READ_STATUS_FAILED, + NOS2_WEAVER_READ_STATUS_INCORRECT_KEY, + NOS2_WEAVER_READ_STATUS_THROTTLE, +}; + +struct nos2_weaver_read_response { + struct nos2_cmd_hal hal; + + uint32_t timeout; + uint32_t status; /* enum nos2_weaver_read_status, but of specified size */ + /* Put potentially variable-length members at the end. It's NOT, though */ + nos2_weaver_value_t value; +}; + +/** NOS2_WEAVER_ERASE_VALUE */ +struct nos2_weaver_erase_request { + struct nos2_cmd_hal hal; + + uint32_t slot_id; +}; +/* There is no struct nos2_weaver_erase_response */ + +/****************************************************************************/ +#ifdef __cplusplus +} +#endif diff --git a/libnos_datagram/include/nos/device.h b/nugget/include/nos/device.h index 2ba57e0..d1fb0d6 100644 --- a/libnos_datagram/include/nos/device.h +++ b/nugget/include/nos/device.h @@ -16,6 +16,9 @@ #ifndef NOS_DEVICE_H #define NOS_DEVICE_H +#ifdef ANDROID +#include <stdbool.h> +#endif #include <stdint.h> #ifdef __cplusplus @@ -69,12 +72,28 @@ struct nos_device_ops { * The device must not be used after closing. */ void (*close)(void *ctx); + +#ifdef ANDROID + /** + * one_pass_call: sending whole data payload directly to GSA FW + * and rely on GSA libnos_transport library to communicate with GSC. + * + * Return 0 on success. A negative value on I/O failure. + */ + int (*one_pass_call)(void *ctx, uint8_t app_id, uint16_t params, + const uint8_t *args, uint32_t arg_len, + uint8_t *reply, uint32_t *reply_len, + uint32_t *status_code); +#endif }; struct nos_device { void *ctx; struct nos_device_ops ops; uint32_t config; +#ifdef ANDROID + bool use_one_pass_call; +#endif }; /* diff --git a/nugget/proto/nugget/app/avb/avb.proto b/nugget/proto/nugget/app/avb/avb.proto index 9aec71e..99e1882 100644 --- a/nugget/proto/nugget/app/avb/avb.proto +++ b/nugget/proto/nugget/app/avb/avb.proto @@ -43,6 +43,7 @@ service Avb { rpc GetOwnerKey (GetOwnerKeyRequest) returns (GetOwnerKeyResponse); rpc GetResetChallenge (GetResetChallengeRequest) returns (GetResetChallengeResponse); rpc ProductionResetTest (ProductionResetTestRequest) returns (ProductionResetTestResponse); + rpc GetCarrierLockName (GetCarrierLockNameRequest) returns (GetCarrierLockNameResponse); } enum LockIndex { @@ -192,3 +193,10 @@ message ProductionResetTestResponse {} message BootloaderDoneRequest {} message BootloaderDoneResponse {} + +// Carrier lock name +message GetCarrierLockNameRequest {} + +message GetCarrierLockNameResponse { + string name = 1; +} diff --git a/nugget/proto/nugget/app/identity/identity.proto b/nugget/proto/nugget/app/identity/identity.proto index 8532f6a..41af08e 100644 --- a/nugget/proto/nugget/app/identity/identity.proto +++ b/nugget/proto/nugget/app/identity/identity.proto @@ -61,6 +61,11 @@ service Identity { rpc SessionInitialize (SessionInitializeRequest) returns (SessionInitializeResponse); rpc SessionSetReaderEphemeralPublicKey (SessionSetReaderEphemeralPublicKeyRequest) returns (SessionSetReaderEphemeralPublicKeyResponse); rpc SessionSetSessionTranscript (SessionSetSessionTranscriptRequest) returns (SessionSetSessionTranscriptResponse); + + // For Android 14 new APIs + rpc ICprepareDeviceAuthentication (ICprepareDeviceAuthenticationRequest) returns (ICprepareDeviceAuthenticationResponse); + rpc ICfinishRetrievalWithSignature (ICfinishRetrievalWithSignatureRequest) returns (ICfinishRetrievalWithSignatureResponse); + rpc SessionGetEphemeralKeyPair (SessionGetEphemeralKeyPairRequest) returns (SessionGetEphemeralKeyPairResponse); } enum RequestType { @@ -285,6 +290,20 @@ message ICcalcMacKeyResponse{ Result result = 1; } +// ICprepareDeviceAuthentication +message ICprepareDeviceAuthenticationRequest{ + bytes sessionTranscript = 1; + bytes readerEphemeralPublicKey = 2; + bytes signingKeyBlob = 3; + bytes docType = 4; + uint32 numNamespacesWithValues = 5; + uint32 expectedDeviceNamespacesSize = 6; +} + +message ICprepareDeviceAuthenticationResponse{ + Result result = 1; +} + // ICstartRetrieveEntryValue message ICstartRetrieveEntryValueRequest{ string nameSpace = 1; @@ -323,6 +342,16 @@ message ICfinishRetrievalResponse{ bytes mac = 2; } +// ICfinishRetrievalWithSignature +message ICfinishRetrievalWithSignatureRequest{ +} + +message ICfinishRetrievalWithSignatureResponse{ + Result result = 1; + bytes mac = 2; + bytes ecdsaSignature = 3; +} + // ICdeleteCredential message ICdeleteCredentialRequest{ bytes docType = 1; @@ -370,6 +399,7 @@ message SessionShutdownResponse{ // SessionInitialize message SessionInitializeRequest{ + uint32 oemHalVersion = 1; } message SessionInitializeResponse{ @@ -395,3 +425,12 @@ message SessionSetSessionTranscriptRequest{ message SessionSetSessionTranscriptResponse{ Result result = 1; } + +// SessionGetEphemeralKeyPair +message SessionGetEphemeralKeyPairRequest{ +} + +message SessionGetEphemeralKeyPairResponse{ + Result result = 1; + bytes ephemeralPrivateKey = 2; +} diff --git a/nugget/proto/nugget/app/keymaster/keymaster.proto b/nugget/proto/nugget/app/keymaster/keymaster.proto index d4c5a6f..496018a 100644 --- a/nugget/proto/nugget/app/keymaster/keymaster.proto +++ b/nugget/proto/nugget/app/keymaster/keymaster.proto @@ -154,6 +154,10 @@ service Keymaster { */ rpc ExportDeviceIds(ExportDeviceIdsRequest) returns (ExportDeviceIdsResponse); + /* + * RKP v3 implementation + */ + rpc GenerateRkpCsrV2(GenerateRkpCsrV2Request) returns (GenerateRkpCsrV2Response); // These are implemented with a enum, so new RPCs must be appended, and // deprecated RPCs need placeholders. } @@ -436,6 +440,7 @@ message ProvisionDeviceIdsRequest { bytes product_model = 6; bytes imei = 7; bytes meid = 8; + bytes imei2 = 9; } message ProvisionDeviceIdsResponse { // Specified in keymaster_defs.proto:ErrorCode @@ -496,6 +501,7 @@ message SetSystemVersionInfoRequest { uint32 system_version = 1; // getprop "ro.build.version.release" uint32 system_security_level = 2; // getprop "ro.build.version.security_patch" uint32 vendor_security_level = 3; // getprop "ro.vendor.build.security_patch" + uint32 vendor_api_level = 4; } message SetSystemVersionInfoResponse { @@ -635,3 +641,18 @@ message GenerateRkpCsrResponse{ bytes device_info_blob = 3; bytes protected_data_blob = 4; } + +message GenerateRkpCsrV2Request{ + RkpCsrV2Operation step = 1; + bytes challenge = 2; + uint32 num_of_public_keys = 3; + MacedKey key_to_sign = 4; + OperationHandle handle = 5; +} +message GenerateRkpCsrV2Response{ + ErrorCode error_code = 1; + OperationHandle handle = 2; + bytes device_info_blob = 3; + bytes dice_cert_chain = 4; + bytes signature = 5; +} diff --git a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto index dfdfeeb..db352c7 100644 --- a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto +++ b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto @@ -99,6 +99,7 @@ enum Tag { DEVICE_UNIQUE_ATTESTATION = 0x702d0; // (TagType:BOOL | 720) IDENTITY_CREDENTIAL_KEY = 0x702d1; // (TagType:BOOL | 721) STORAGE_KEY = 0x702d2; // (TagType:BOOL | 722) + ATTESTATION_ID_SECOND_IMEI = 0x902d3; // (TagType:BYTES | 723) ASSOCIATED_DATA = 0x903e8; // (TagType:BYTES | 1000) NONCE = 0x903e9; // (TagType:BYTES | 1001) /* RESERVED: AUTH_TOKEN = 0x903ea; // (TagType:BYTES | 1002) */ @@ -331,3 +332,9 @@ enum CertificateStatus { CERT_UNKNOWN_ERROR = 3; CERT_WRONG_PACKET = 4; } + +enum RkpCsrV2Operation { + RKP_CSR_V2_BEGIN = 0; + RKP_CSR_V2_UPDATE = 1; + RKP_CSR_V2_FINISH = 2; +} |