Diffstat (limited to 'android_keymaster/android_keymaster.cpp')
-rw-r--r-- | android_keymaster/android_keymaster.cpp | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 30e5505..420bbf2 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -28,6 +28,7 @@
 #include <keymaster/UniquePtr.h>
 #include <keymaster/android_keymaster_utils.h>
+#include <keymaster/attestation_context.h>
 #include <keymaster/cppcose/cppcose.h>
 #include <keymaster/key.h>
 #include <keymaster/key_blob_utils/ae.h>
@@ -128,7 +129,12 @@ cppcose::HmacSha256Function getMacFunction(bool test_mode,
 };
 }
+std::pair<const uint8_t*, size_t> blob2Pair(const keymaster_blob_t& blob) {
+ return {blob.data, blob.data_length};
+}
+
 constexpr int kP256AffinePointSize = 32;
+constexpr int kRoTVersion1 = 40001;
 } // anonymous namespace
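Review bot: `kRoTVersion1 = 40001` is added without a comment, yet its only use in this commit is as the first argument of `cppbor::SemanticTag` around the root-of-trust array, so it is a wire-format value that any verifier of the MACed structure has to match. A one-line comment such as `// CBOR semantic tag marking version 1 of the RootOfTrust array` would make that clear and discourage casual renumbering. `blob2Pair` would also benefit from a note that the returned pair borrows `blob.data` and is only valid while the blob is alive.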
@@ -932,4 +938,64 @@ DeviceLockedResponse AndroidKeymaster::DeviceLocked(const DeviceLockedRequest& r
 return response;
 }
+GetRootOfTrustResponse AndroidKeymaster::GetRootOfTrust(const GetRootOfTrustRequest& request) {
+ GetRootOfTrustResponse response(message_version());
+
+ if (!context_->attestation_context()) {
+ LOG_E("Have no attestation context, cannot get RootOfTrust", 0);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ const AttestationContext::VerifiedBootParams* vbParams =
+ context_->attestation_context()->GetVerifiedBootParams(&response.error);
+ if (response.error != KM_ERROR_OK) {
+ LOG_E("Error retrieving verified boot params: %lu", response.error);
+ return response;
+ }
+
+ auto boot_patch_level = context_->GetBootPatchlevel();
+ if (!boot_patch_level) {
+ LOG_E("Error retrieving boot patch level: %lu", response.error);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ if (!context_->enforcement_policy()) {
+ LOG_E("Have no enforcement policy, cannot get RootOfTrust", 0);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ auto macFunction =
+ [&](const std::vector<uint8_t>& data) -> cppcose::ErrMsgOr<cppcose::HmacSha256> {
+ auto mac = context_->enforcement_policy()->ComputeHmac(data);
+ if (!mac) return "Failed to compute HMAC";
+ return *std::move(mac);
+ };
+
+ auto maced_root_of_trust = cppcose::constructCoseMac0(
+ macFunction, //
+ request.challenge,
+ cppbor::SemanticTag(kRoTVersion1, cppbor::Array( //
+ blob2Pair(vbParams->verified_boot_key), //
+ vbParams->device_locked, //
+ vbParams->verified_boot_state, //
+ blob2Pair(vbParams->verified_boot_hash), //
+ *boot_patch_level))
+ .encode());
+
+ if (!maced_root_of_trust) {
+ LOG_E("Error MACing RoT: %s", maced_root_of_trust.message().c_str());
+ response.error = KM_ERROR_UNKNOWN_ERROR;
+ } else {
+ response.error = KM_ERROR_OK;
+ response.rootOfTrust =
+ cppbor::SemanticTag(cppcose::kCoseMac0SemanticTag, *std::move(maced_root_of_trust))
+ .encode();
+ }
+
+ return response;
+}
+
 } // namespace keymaster |
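Review bot: The boot-patch-level failure branch in GetRootOfTrust logs `response.error` before assigning it, so it still holds the KM_ERROR_OK left by the preceding check and the message tells the reader nothing. That call and the verified-boot one also use `%lu` for what appears to be an int-sized enum, which is a varargs type mismatch. I would write `LOG_E("Error retrieving boot patch level", 0);` and `LOG_E("Error retrieving verified boot params: %d", response.error);`. Separately, `vbParams` is dereferenced after only the error code is checked, so if GetVerifiedBootParams can return null together with KM_ERROR_OK (not visible here), a null guard is needed before the array is built. `request.challenge` is the only freshness input to the MAC and is passed through unchecked; if the interface fixes a challenge length, rejecting other sizes here with an invalid-argument error would keep an empty or truncated challenge from yielding a MACed root of trust that can be replayed.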