authorli gang <lg@marvell.com>2015-12-17 18:39:45 -0800
committerMohammed Habibulla <moch@google.com>2016-01-21 11:18:14 -0800
commit54a63711e961fdca27371bce56985719d607a8ca (patch)
tree523ce8b1bc7b9a6e236c5b59876425a1f5afe71c
parent827d36790bc7f4c8a950be70d1bbb7d47799994a (diff)
Integrate keymaster libraries and related images
BUG=25833244 Change-Id: Iaa42dabd30422ff8ea458a4b639ffff2be6f84f9
-rwxr-xr-xperipheral/keystore/Android.mk47
-rwxr-xr-xperipheral/keystore/sepolicy/file_contexts4
-rwxr-xr-xperipheral/keystore/sepolicy/teesst.te34
-rwxr-xr-x[-rw-r--r--]soc/iap140/hal_modules.mk1
-rwxr-xr-x[-rw-r--r--]soc/iap140/init.iap140.rc15
-rwxr-xr-xsoc/iap140/modules/keystore_hal_module.mk21
6 files changed, 122 insertions, 0 deletions
diff --git a/peripheral/keystore/Android.mk b/peripheral/keystore/Android.mk
new file mode 100755
index 0000000..d878a63
--- /dev/null
+++ b/peripheral/keystore/Android.mk
@@ -0,0 +1,47 @@
+# Copyright (C) 2016 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := keystore.iap140
+LOCAL_MODULE_SUFFIX := .so
+LOCAL_MODULE_CLASS := SHARED_LIBRARIES
+LOCAL_PREBUILT_MODULE_FILE := $(TOP)/vendor/bsp/marvell/device/abox_edge/hal/keystore/keystore.iap140.so
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_ARCH)
+LOCAL_MODULE_RELATIVE_PATH := hw
+include $(BUILD_PREBUILT)
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := libtee_client
+LOCAL_MODULE_SUFFIX := .so
+LOCAL_MODULE_CLASS := SHARED_LIBRARIES
+LOCAL_PREBUILT_MODULE_FILE := $(TOP)/vendor/bsp/marvell/device/abox_edge/hal/keystore/libtee_client.so
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_ARCH)
+include $(BUILD_PREBUILT)
+
+
+include $(CLEAR_VARS)
+
+LOCAL_MODULE := teec_sstd_ca
+LOCAL_MODULE_CLASS := EXECUTABLES
+LOCAL_PREBUILT_MODULE_FILE := $(TOP)/vendor/bsp/marvell/device/abox_edge/hal/keystore/teec_sstd_ca
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_TARGET_ARCH := $(TARGET_ARCH)
+include $(BUILD_PREBUILT)
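Review bot: The same vendor directory `$(TOP)/vendor/bsp/marvell/device/abox_edge/hal/keystore` is spelled out in all three LOCAL_PREBUILT_MODULE_FILE lines, so relocating the binary drop means editing three places; define it once before the first `include $(CLEAR_VARS)`, e.g. `KEYSTORE_PREBUILT_DIR := $(TOP)/vendor/bsp/marvell/device/abox_edge/hal/keystore`, and reference it as `LOCAL_PREBUILT_MODULE_FILE := $(KEYSTORE_PREBUILT_DIR)/keystore.iap140.so`. The three modules are opaque prebuilts pulled from outside this tree and nothing in the file records which drop or build they correspond to; a header comment naming the source and, where available, its version would let a later reviewer tie the shipped .so files and executable back to something auditable. Note also that the Android.mk header says 2016 while the sibling keystore_hal_module.mk says 2015, which suggests the two were copied from different templates.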
diff --git a/peripheral/keystore/sepolicy/file_contexts b/peripheral/keystore/sepolicy/file_contexts
new file mode 100755
index 0000000..93fdac1
--- /dev/null
+++ b/peripheral/keystore/sepolicy/file_contexts
@@ -0,0 +1,4 @@
+# teesst
+/dev/tzdd u:object_r:teecsstdca_device:s0
+/system/bin/teec_sstd_ca u:object_r:teecsstdca_exec:s0
+/teesst(/.*)? u:object_r:teesst_data_file:s0
diff --git a/peripheral/keystore/sepolicy/teesst.te b/peripheral/keystore/sepolicy/teesst.te
new file mode 100755
index 0000000..715a9e4
--- /dev/null
+++ b/peripheral/keystore/sepolicy/teesst.te
@@ -0,0 +1,34 @@
+# TEE file types
+init_daemon_domain(teecsstdca)
+type teecsstdca_device, dev_type;
+type teesst_data_file, file_type, data_file_type;
+
+# init
+# allow init teecsstdca_exec:file setattr;
+
+# shell
+allow shell teesst_data_file:dir getattr;
+allow shell teecsstdca_device:chr_file getattr;
+
+# teecsstdca
+
+type teecsstdca, domain;
+type teecsstdca_exec, exec_type, file_type;
+
+
+allow teecsstdca teecsstdca_device:chr_file create_file_perms;
+allow teecsstdca teesst_data_file:dir create_dir_perms;
+allow teecsstdca teesst_data_file:file create_file_perms;
+allow teecsstdca shell_exec:file rx_file_perms;
+allow teecsstdca self:capability { dac_override setuid ipc_lock setgid };
+
+# untrusted_app
+
+allow untrusted_app teesst_data_file:dir getattr;
+
+allow untrusted_app teecsstdca_exec:file rx_file_perms;
+allow untrusted_app teecsstdca_device:chr_file getattr;
+
+# keystore
+allow keystore teecsstdca_device:chr_file rw_file_perms;
+
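Review bot: `allow untrusted_app teecsstdca_exec:file rx_file_perms;` in the untrusted_app section lets every third-party app execute the TEE daemon binary, which is otherwise only launched by init via `init_daemon_domain(teecsstdca)` and reached by keystore through the device node; nothing in the change says why an app needs this, and least privilege would drop it (together with the `getattr` on `teecsstdca_device`) so apps go through keystore only. In the same way `allow teecsstdca shell_exec:file rx_file_perms;` lets a root daemon execute the shell and `{ dac_override setuid ipc_lock setgid }` is a broad capability set; each of these should carry a comment naming the operation of teec_sstd_ca that requires it, or be removed if none does. The commented-out `# allow init teecsstdca_exec:file setattr;` under `# init` is dead policy and should be deleted. The `type teecsstdca, domain;` and `teecsstdca_exec` declarations appear after `init_daemon_domain(teecsstdca)` already uses them; checkpolicy appears to tolerate this, but moving the type lines to the top under `# TEE file types` reads more naturally.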
diff --git a/soc/iap140/hal_modules.mk b/soc/iap140/hal_modules.mk
index 60e20ce..91a10e4 100644..100755
--- a/soc/iap140/hal_modules.mk
+++ b/soc/iap140/hal_modules.mk
@@ -20,6 +20,7 @@
-include hardware/bsp/marvell/soc/iap140/modules/power_hal_module.mk
-include hardware/bsp/marvell/soc/iap140/modules/wifi_hal_module.mk
-include hardware/bsp/marvell/soc/iap140/modules/bluetooth_hal_moduel.mk
+-include hardware/bsp/marvell/soc/iap140/modules/keystore_hal_module.mk
# the client and server of the wireless daemon
-include hardware/bsp/marvell/soc/iap140/modules/libwireless.mk
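Review bot: The added `-include hardware/bsp/marvell/soc/iap140/modules/keystore_hal_module.mk` silently ignores a missing or mistyped path, and that file is what registers the three keystore packages and the sepolicy directory, so a typo here would drop the TEE daemon's policy from the build without any error (the neighbouring `bluetooth_hal_moduel.mk` shows how easily a name slips). This follows the style of the surrounding lines, so if `-include` is deliberate for optional modules a short comment saying so would help; otherwise a plain `include` fails loudly at parse time.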
diff --git a/soc/iap140/init.iap140.rc b/soc/iap140/init.iap140.rc
index 80b9b4c..aef79a2 100644..100755
--- a/soc/iap140/init.iap140.rc
+++ b/soc/iap140/init.iap140.rc
@@ -36,3 +36,18 @@ on post-fs-data
mkdir /data/misc/wifi/wapi_certs 0777 wifi wifi
mkdir /data/misc/dhcp 0770 dhcp dhcp
chown dhcp dhcp /data/misc/dhcp
+
+on fs
+ mkdir /teesst 0700 root root
+ setprop ro.frp.pst /dev/block/mmcblk0p15
+ chown keystore keystore /dev/tzdd
+
+on post-fs
+ start teecsstdca
+
+service teecsstdca /system/bin/teec_sstd_ca /teesst
+ class core
+ user root
+ oneshot
+ disabled
+
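Review bot: `chown keystore keystore /dev/tzdd` in the new `on fs` block runs once at boot, and if ueventd has not yet created the node the command fails and the device keeps its default ownership; the conventional place for device-node ownership is ueventd.rc (an entry of the form `/dev/tzdd 0660 keystore keystore`), which is applied whenever the node is created. `setprop ro.frp.pst /dev/block/mmcblk0p15` is unrelated to keymaster, hard-codes a raw partition number and is not mentioned in the commit message; it should be split into its own change or explained in a comment. `mkdir /teesst 0700 root root` creates a directory at the root of the filesystem, which only works if the rootfs is writable at that point and keeps TEE state outside /data, so a comment justifying the location (and its `teesst_data_file` label) would help the next reader. The `service teecsstdca` block runs as `user root`; the policy also grants it setuid/setgid, so it presumably drops privileges itself, and a one-line comment stating that would make the root requirement reviewable.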
diff --git a/soc/iap140/modules/keystore_hal_module.mk b/soc/iap140/modules/keystore_hal_module.mk
new file mode 100755
index 0000000..e4f2d5b
--- /dev/null
+++ b/soc/iap140/modules/keystore_hal_module.mk
@@ -0,0 +1,21 @@
+#
+# Copyright 2015 The Android Open Source Project
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# KeyStore modules
+DEVICE_PACKAGES += \
+ keystore.iap140 libtee_client teec_sstd_ca
+
+BOARD_SEPOLICY_DIRS += hardware/bsp/marvell/peripheral/keystore/sepolicy
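Review bot: The `# KeyStore modules` comment does not say what the three packages are or that they are prebuilts; a fuller comment such as `# keystore.iap140 is the keymaster HAL, libtee_client its TEE client library and teec_sstd_ca the TEE daemon started from init.iap140.rc; all three are prebuilts from vendor/bsp` would let a reader place this file without opening Android.mk. The BOARD_SEPOLICY_DIRS line is what brings the new teesst.te policy into the build, so a note that the packages depend on that policy keeps the two lines from being separated later.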