diff options
| author | David Drysdale <drysdale@google.com> | 2022-06-07 11:33:37 +0000 |
|---|---|---|
| committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2022-06-07 11:33:37 +0000 |
| commit | 7df9ab130b8301e8c0a2b6c8c8a9ca9299f539b5 (patch) | |
| tree | da0ad6ce3bf6ab27c42c992c3953df035bc2c0e8 | |
| parent | 05d97d36ad21a7178f4ea6322fa50cf038bf9144 (diff) | |
| parent | 9bad7b34d4f716254cd231cb67c55160b7a5988b (diff) | |
| download | security-7df9ab130b8301e8c0a2b6c8c8a9ca9299f539b5.tar.gz | |
keystore2: transfer RootOfTrust from TEE to SB am: ccce73d1e1 am: 9bad7b34d4
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/18751588
Change-Id: I7a616425143c24239213cd3b503c89004a4dae7b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
| -rw-r--r-- | keystore2/src/shared_secret_negotiation.rs | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs index 1862f737..42d38d29 100644 --- a/keystore2/src/shared_secret_negotiation.rs +++ b/keystore2/src/shared_secret_negotiation.rs @@ -15,6 +15,7 @@ //! This module implements the shared secret negotiation. use crate::error::{map_binder_status, map_binder_status_code, Error}; +use crate::globals::get_keymint_device; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel; use android_hardware_security_keymint::binder::Strong; use android_hardware_security_sharedsecret::aidl::android::hardware::security::sharedsecret::{ @@ -43,6 +44,10 @@ pub fn perform_shared_secret_negotiation() { let connected = connect_participants(participants); negotiate_shared_secret(connected); log::info!("Shared secret negotiation concluded successfully."); + + // Once shared secret negotiation is done, the StrongBox and TEE have a common key that + // can be used to authenticate a possible RootOfTrust transfer. + transfer_root_of_trust(); }); } @@ -278,3 +283,48 @@ fn negotiate_shared_secret( } } } + +/// Perform RootOfTrust transfer from TEE to StrongBox (if available). +pub fn transfer_root_of_trust() { + let strongbox = match get_keymint_device(&SecurityLevel::STRONGBOX) { + Ok((s, _, _)) => s, + Err(_e) => { + log::info!("No StrongBox Keymint available, so no RoT transfer"); + return; + } + }; + // Ask the StrongBox KeyMint for a challenge. + let challenge = match strongbox.getRootOfTrustChallenge() { + Ok(data) => data, + Err(e) => { + // If StrongBox doesn't provide a challenge, it might be because: + // - it already has RootOfTrust information + // - it's a KeyMint v1 implementation that doesn't understand the method. + // In either case, we're done. + log::info!("StrongBox does not provide a challenge, so no RoT transfer: {:?}", e); + return; + } + }; + // Get the RoT info from the TEE + let tee = match get_keymint_device(&SecurityLevel::TRUSTED_ENVIRONMENT) { + Ok((s, _, _)) => s, + Err(e) => { + log::error!("No TEE KeyMint implementation found! {:?}", e); + return; + } + }; + let root_of_trust = match tee.getRootOfTrust(&challenge) { + Ok(rot) => rot, + Err(e) => { + log::error!("TEE KeyMint failed to return RootOfTrust info: {:?}", e); + return; + } + }; + // The RootOfTrust information is CBOR-serialized data, but we don't need to parse it. + // Just pass it on to the StrongBox KeyMint instance. + let result = strongbox.sendRootOfTrust(&root_of_trust); + if let Err(e) = result { + log::error!("Failed to send RootOfTrust to StrongBox: {:?}", e); + } + log::info!("RootOfTrust transfer process complete"); +} |