diff options
author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-06-10 09:33:00 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2022-06-10 09:33:00 +0000 |
commit | 46474635123a5b4f6ae2572028fcf25b851fbbaf (patch) | |
tree | da0ad6ce3bf6ab27c42c992c3953df035bc2c0e8 | |
parent | 6fbf31e307542fdadb953521f52dea691da379a4 (diff) | |
parent | ccce73d1e1d76f357d055b5e3500df64f30bc3c4 (diff) | |
download | security-android13-frc-resolv-release.tar.gz |
Snap for 8706761 from ccce73d1e1d76f357d055b5e3500df64f30bc3c4 to tm-frc-resolv-releaset_frc_res_330443000android13-frc-resolv-release
Change-Id: Iabe97f4f7ed639800f8ee3a8496c5bc186b3918c
-rw-r--r-- | keystore2/src/shared_secret_negotiation.rs | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs index 1862f737..42d38d29 100644 --- a/keystore2/src/shared_secret_negotiation.rs +++ b/keystore2/src/shared_secret_negotiation.rs @@ -15,6 +15,7 @@ //! This module implements the shared secret negotiation. use crate::error::{map_binder_status, map_binder_status_code, Error}; +use crate::globals::get_keymint_device; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel; use android_hardware_security_keymint::binder::Strong; use android_hardware_security_sharedsecret::aidl::android::hardware::security::sharedsecret::{ @@ -43,6 +44,10 @@ pub fn perform_shared_secret_negotiation() { let connected = connect_participants(participants); negotiate_shared_secret(connected); log::info!("Shared secret negotiation concluded successfully."); + + // Once shared secret negotiation is done, the StrongBox and TEE have a common key that + // can be used to authenticate a possible RootOfTrust transfer. + transfer_root_of_trust(); }); } @@ -278,3 +283,48 @@ fn negotiate_shared_secret( } } } + +/// Perform RootOfTrust transfer from TEE to StrongBox (if available). +pub fn transfer_root_of_trust() { + let strongbox = match get_keymint_device(&SecurityLevel::STRONGBOX) { + Ok((s, _, _)) => s, + Err(_e) => { + log::info!("No StrongBox Keymint available, so no RoT transfer"); + return; + } + }; + // Ask the StrongBox KeyMint for a challenge. + let challenge = match strongbox.getRootOfTrustChallenge() { + Ok(data) => data, + Err(e) => { + // If StrongBox doesn't provide a challenge, it might be because: + // - it already has RootOfTrust information + // - it's a KeyMint v1 implementation that doesn't understand the method. + // In either case, we're done. + log::info!("StrongBox does not provide a challenge, so no RoT transfer: {:?}", e); + return; + } + }; + // Get the RoT info from the TEE + let tee = match get_keymint_device(&SecurityLevel::TRUSTED_ENVIRONMENT) { + Ok((s, _, _)) => s, + Err(e) => { + log::error!("No TEE KeyMint implementation found! {:?}", e); + return; + } + }; + let root_of_trust = match tee.getRootOfTrust(&challenge) { + Ok(rot) => rot, + Err(e) => { + log::error!("TEE KeyMint failed to return RootOfTrust info: {:?}", e); + return; + } + }; + // The RootOfTrust information is CBOR-serialized data, but we don't need to parse it. + // Just pass it on to the StrongBox KeyMint instance. + let result = strongbox.sendRootOfTrust(&root_of_trust); + if let Err(e) = result { + log::error!("Failed to send RootOfTrust to StrongBox: {:?}", e); + } + log::info!("RootOfTrust transfer process complete"); +} |