diff options
Diffstat (limited to 'include')
-rw-r--r-- | include/keymaster/android_keymaster.h | 1 | ||||
-rw-r--r-- | include/keymaster/android_keymaster_messages.h | 36 | ||||
-rw-r--r-- | include/keymaster/android_keymaster_utils.h | 2 | ||||
-rw-r--r-- | include/keymaster/cppcose/cppcose.h | 2 | ||||
-rw-r--r-- | include/keymaster/keymaster_context.h | 7 | ||||
-rw-r--r-- | include/keymaster/keymaster_enforcement.h | 13 | ||||
-rw-r--r-- | include/keymaster/keymaster_utils.h | 5 |
7 files changed, 62 insertions, 4 deletions
diff --git a/include/keymaster/android_keymaster.h b/include/keymaster/android_keymaster.h index d8033b4..6c3acc5 100644 --- a/include/keymaster/android_keymaster.h +++ b/include/keymaster/android_keymaster.h @@ -99,6 +99,7 @@ class AndroidKeymaster { ConfigureBootPatchlevel(const ConfigureBootPatchlevelRequest& request); ConfigureVerifiedBootInfoResponse ConfigureVerifiedBootInfo(const ConfigureVerifiedBootInfoRequest& request); + GetRootOfTrustResponse GetRootOfTrust(const GetRootOfTrustRequest& request); bool has_operation(keymaster_operation_handle_t op_handle) const; diff --git a/include/keymaster/android_keymaster_messages.h b/include/keymaster/android_keymaster_messages.h index 7d43043..6e38860 100644 --- a/include/keymaster/android_keymaster_messages.h +++ b/include/keymaster/android_keymaster_messages.h @@ -68,6 +68,7 @@ enum AndroidKeymasterCommand : uint32_t { CONFIGURE_VENDOR_PATCHLEVEL = 32, CONFIGURE_BOOT_PATCHLEVEL = 33, CONFIGURE_VERIFIED_BOOT_INFO = 34, + GET_ROOT_OF_TRUST = 35, }; /** @@ -838,7 +839,8 @@ struct ComputeSharedHmacRequest : public KeymasterMessage { struct ComputeSharedHmacResponse : public KeymasterResponse { explicit ComputeSharedHmacResponse(int32_t ver) : KeymasterResponse(ver) {} - ComputeSharedHmacResponse(ComputeSharedHmacResponse&& other) : KeymasterResponse(move(other)) { + ComputeSharedHmacResponse(ComputeSharedHmacResponse&& other) + : KeymasterResponse(other.message_version) { sharing_check = move(other.sharing_check); } @@ -1215,4 +1217,36 @@ struct ConfigureVerifiedBootInfoRequest : public KeymasterMessage { using ConfigureVerifiedBootInfoResponse = EmptyKeymasterResponse; +struct GetRootOfTrustRequest : public KeymasterMessage { + explicit GetRootOfTrustRequest(int32_t ver) : GetRootOfTrustRequest(ver, {}) {} + GetRootOfTrustRequest(int32_t ver, std::vector<uint8_t> challenge_param) + : KeymasterMessage(ver), challenge(std::move(challenge_param)){}; + + size_t SerializedSize() const override { return sizeof(uint32_t) + challenge.size(); } + uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override { + return append_collection_to_buf(buf, end, challenge); + } + bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override { + return copy_collection_from_buf(buf_ptr, end, &challenge); + } + + std::vector<uint8_t> challenge; +}; + +struct GetRootOfTrustResponse : public KeymasterResponse { + explicit GetRootOfTrustResponse(uint32_t ver) : GetRootOfTrustResponse(ver, {}) {} + GetRootOfTrustResponse(uint32_t ver, std::vector<uint8_t> rootOfTrust_param) + : KeymasterResponse(ver), rootOfTrust(std::move(rootOfTrust_param)){}; + + size_t NonErrorSerializedSize() const override { return sizeof(uint32_t) + rootOfTrust.size(); } + uint8_t* NonErrorSerialize(uint8_t* buf, const uint8_t* end) const override { + return append_collection_to_buf(buf, end, rootOfTrust); + } + bool NonErrorDeserialize(const uint8_t** buf_ptr, const uint8_t* end) override { + return copy_collection_from_buf(buf_ptr, end, &rootOfTrust); + } + + std::vector<uint8_t> rootOfTrust; +}; + } // namespace keymaster diff --git a/include/keymaster/android_keymaster_utils.h b/include/keymaster/android_keymaster_utils.h index a23694b..324287a 100644 --- a/include/keymaster/android_keymaster_utils.h +++ b/include/keymaster/android_keymaster_utils.h @@ -326,7 +326,7 @@ struct CertificateChain : public keymaster_cert_chain_t { // Insert the provided blob at the front of the chain. CertificateChain takes ownership of the // contents of `new_entry`. bool push_front(const keymaster_blob_t& new_entry) { - keymaster_blob_t* new_entries = new keymaster_blob_t[entry_count + 1]; + keymaster_blob_t* new_entries = new (std::nothrow) keymaster_blob_t[entry_count + 1]; if (!new_entries) return false; new_entries[0] = new_entry; diff --git a/include/keymaster/cppcose/cppcose.h b/include/keymaster/cppcose/cppcose.h index 5803d2d..c000ebe 100644 --- a/include/keymaster/cppcose/cppcose.h +++ b/include/keymaster/cppcose/cppcose.h @@ -66,6 +66,8 @@ constexpr int kCoseEncryptUnprotectedParams = 1; constexpr int kCoseEncryptPayload = 2; constexpr int kCoseEncryptRecipients = 3; +constexpr int kCoseMac0SemanticTag = 17; + enum Label : int { ALGORITHM = 1, KEY_ID = 4, diff --git a/include/keymaster/keymaster_context.h b/include/keymaster/keymaster_context.h index 052ccf2..8c4bb57 100644 --- a/include/keymaster/keymaster_context.h +++ b/include/keymaster/keymaster_context.h @@ -23,6 +23,7 @@ #include <assert.h> #include <hardware/keymaster_defs.h> + #include <keymaster/android_keymaster_utils.h> #include <keymaster/keymaster_enforcement.h> #include <keymaster/km_version.h> @@ -32,6 +33,7 @@ namespace keymaster { class AuthorizationSet; +class AttestationContext; class KeyFactory; class OperationFactory; class SecureDeletionSecretStorage; @@ -151,6 +153,11 @@ class KeymasterContext { virtual KeymasterEnforcement* enforcement_policy() = 0; /** + * Return the attestation context for this context. + */ + virtual AttestationContext* attestation_context() { return nullptr; } + + /** * Generate an attestation certificate, with chain. * * If attest_key is null, the certificate will be signed with the factory attestation key (from diff --git a/include/keymaster/keymaster_enforcement.h b/include/keymaster/keymaster_enforcement.h index 1d783ba..5400d8f 100644 --- a/include/keymaster/keymaster_enforcement.h +++ b/include/keymaster/keymaster_enforcement.h @@ -17,10 +17,13 @@ #ifndef ANDROID_LIBRARY_KEYMASTER_ENFORCEMENT_H #define ANDROID_LIBRARY_KEYMASTER_ENFORCEMENT_H +#include <array> + #include <stdio.h> #include <keymaster/android_keymaster_messages.h> #include <keymaster/authorization_set.h> +#include <keymaster/keymaster_utils.h> namespace keymaster { @@ -181,6 +184,16 @@ class KeymasterEnforcement { virtual keymaster_error_t GenerateTimestampToken(TimestampToken* token); /** + * Compute an HMAC using the auth token HMAC key. + * + * Note: Use with caution. MACed data must contain enough structure that it's unambiguous. + */ + virtual KmErrorOr<std::array<uint8_t, 32>> + ComputeHmac(const std::vector<uint8_t>& /* data_to_mac */) const { + return KM_ERROR_UNIMPLEMENTED; + } + + /** * Creates a key ID for use in subsequent calls to AuthorizeOperation. AndroidKeymaster * uses this method for creating key IDs. The generated id must be stable in that the same * key_blob bits yield the same keyid. diff --git a/include/keymaster/keymaster_utils.h b/include/keymaster/keymaster_utils.h index 1cfc756..8154c71 100644 --- a/include/keymaster/keymaster_utils.h +++ b/include/keymaster/keymaster_utils.h @@ -14,6 +14,8 @@ * limitations under the License. */ +#pragma once + #include <optional> #include <keymaster/logger.h> @@ -88,8 +90,7 @@ template <typename T> class KmErrorOr { T& operator*() & { return value_.value(); } const T& operator*() const& { return value_.value(); } - T&& operator*() && { return value_.value(); } - const T&& operator*() const&& { return value_.value(); } + T&& operator*() && { return std::move(value_).value(); } private: keymaster_error_t error_ = KM_ERROR_OK; |