Diffstat (limited to 'android_keymaster/android_keymaster.cpp')
-rw-r--r--android_keymaster/android_keymaster.cpp66
1 files changed, 66 insertions, 0 deletions
diff --git a/android_keymaster/android_keymaster.cpp b/android_keymaster/android_keymaster.cpp
index 30e5505..420bbf2 100644
--- a/android_keymaster/android_keymaster.cpp
+++ b/android_keymaster/android_keymaster.cpp
@@ -28,6 +28,7 @@
#include <keymaster/UniquePtr.h>
#include <keymaster/android_keymaster_utils.h>
+#include <keymaster/attestation_context.h>
#include <keymaster/cppcose/cppcose.h>
#include <keymaster/key.h>
#include <keymaster/key_blob_utils/ae.h>
@@ -128,7 +129,12 @@ cppcose::HmacSha256Function getMacFunction(bool test_mode,
};
}
+std::pair<const uint8_t*, size_t> blob2Pair(const keymaster_blob_t& blob) {
+ return {blob.data, blob.data_length};
+}
+
constexpr int kP256AffinePointSize = 32;
+constexpr int kRoTVersion1 = 40001;
} // anonymous namespace
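Review bot: `kRoTVersion1` is named like a version number but is passed to `cppbor::SemanticTag` in `GetRootOfTrust` later in this diff, so it acts as the CBOR tag identifying the RoT array layout. A comment would save the reader the lookup, e.g. `// CBOR semantic tag marking version 1 of the RootOfTrust array.`. `blob2Pair` returns a non-owning pointer/length view, so it also deserves a one-line comment that the pair is only valid while the source `keymaster_blob_t` is alive. The anonymous namespace these sit in starts outside the hunk.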
@@ -932,4 +938,64 @@ DeviceLockedResponse AndroidKeymaster::DeviceLocked(const DeviceLockedRequest& r
return response;
}
+GetRootOfTrustResponse AndroidKeymaster::GetRootOfTrust(const GetRootOfTrustRequest& request) {
+ GetRootOfTrustResponse response(message_version());
+
+ if (!context_->attestation_context()) {
+ LOG_E("Have no attestation context, cannot get RootOfTrust", 0);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ const AttestationContext::VerifiedBootParams* vbParams =
+ context_->attestation_context()->GetVerifiedBootParams(&response.error);
+ if (response.error != KM_ERROR_OK) {
+ LOG_E("Error retrieving verified boot params: %lu", response.error);
+ return response;
+ }
+
+ auto boot_patch_level = context_->GetBootPatchlevel();
+ if (!boot_patch_level) {
+ LOG_E("Error retrieving boot patch level: %lu", response.error);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ if (!context_->enforcement_policy()) {
+ LOG_E("Have no enforcement policy, cannot get RootOfTrust", 0);
+ response.error = KM_ERROR_UNIMPLEMENTED;
+ return response;
+ }
+
+ auto macFunction =
+ [&](const std::vector<uint8_t>& data) -> cppcose::ErrMsgOr<cppcose::HmacSha256> {
+ auto mac = context_->enforcement_policy()->ComputeHmac(data);
+ if (!mac) return "Failed to compute HMAC";
+ return *std::move(mac);
+ };
+
+ auto maced_root_of_trust = cppcose::constructCoseMac0(
+ macFunction, //
+ request.challenge,
+ cppbor::SemanticTag(kRoTVersion1, cppbor::Array( //
+ blob2Pair(vbParams->verified_boot_key), //
+ vbParams->device_locked, //
+ vbParams->verified_boot_state, //
+ blob2Pair(vbParams->verified_boot_hash), //
+ *boot_patch_level))
+ .encode());
+
+ if (!maced_root_of_trust) {
+ LOG_E("Error MACing RoT: %s", maced_root_of_trust.message().c_str());
+ response.error = KM_ERROR_UNKNOWN_ERROR;
+ } else {
+ response.error = KM_ERROR_OK;
+ response.rootOfTrust =
+ cppbor::SemanticTag(cppcose::kCoseMac0SemanticTag, *std::move(maced_root_of_trust))
+ .encode();
+ }
+
+ return response;
+}
+
} // namespace keymaster
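Review bot: `vbParams` is dereferenced in the `cppbor::Array(...)` arguments without a null check, so `GetRootOfTrust` relies on `GetVerifiedBootParams` always setting `response.error` when it returns null. Since this path MACs the root of trust, I would make the guard explicit with `if (response.error != KM_ERROR_OK || !vbParams) {` and set an error code in the null case. In the boot-patch-level branch the log line prints `response.error` before it is assigned, so it always reports the OK value; `LOG_E("Error retrieving boot patch level", 0);` would be accurate. The `%lu` specifier in the verified-boot log also looks mismatched if `response.error` is an int-sized enum (its type is not visible here), so `%d` with a cast would be safer.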