diff options
| author | David Drysdale <drysdale@google.com> | 2022-03-18 10:13:41 +0000 |
|---|---|---|
| committer | David Drysdale <drysdale@google.com> | 2022-06-06 08:04:08 +0100 |
| commit | ccce73d1e1d76f357d055b5e3500df64f30bc3c4 (patch) | |
| tree | da0ad6ce3bf6ab27c42c992c3953df035bc2c0e8 | |
| parent | d337c7727196f42af70aa93ab84f7c8b48cd9486 (diff) | |
| download | security-ccce73d1e1d76f357d055b5e3500df64f30bc3c4.tar.gz | |
keystore2: transfer RootOfTrust from TEE to SB
Bug: 219076736
Test: manual, RoT between locally modified KeyMints
Change-Id: Iad3f14afc9d853e91cc7f7810fd6e592b48cab2d
Merged-In: Iad3f14afc9d853e91cc7f7810fd6e592b48cab2d
Ignore-AOSP-First: manual cp from aosp/2031823
| -rw-r--r-- | keystore2/src/shared_secret_negotiation.rs | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs index 1862f737..42d38d29 100644 --- a/keystore2/src/shared_secret_negotiation.rs +++ b/keystore2/src/shared_secret_negotiation.rs @@ -15,6 +15,7 @@ //! This module implements the shared secret negotiation. use crate::error::{map_binder_status, map_binder_status_code, Error}; +use crate::globals::get_keymint_device; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel; use android_hardware_security_keymint::binder::Strong; use android_hardware_security_sharedsecret::aidl::android::hardware::security::sharedsecret::{ @@ -43,6 +44,10 @@ pub fn perform_shared_secret_negotiation() { let connected = connect_participants(participants); negotiate_shared_secret(connected); log::info!("Shared secret negotiation concluded successfully."); + + // Once shared secret negotiation is done, the StrongBox and TEE have a common key that + // can be used to authenticate a possible RootOfTrust transfer. + transfer_root_of_trust(); }); } @@ -278,3 +283,48 @@ fn negotiate_shared_secret( } } } + +/// Perform RootOfTrust transfer from TEE to StrongBox (if available). +pub fn transfer_root_of_trust() { + let strongbox = match get_keymint_device(&SecurityLevel::STRONGBOX) { + Ok((s, _, _)) => s, + Err(_e) => { + log::info!("No StrongBox Keymint available, so no RoT transfer"); + return; + } + }; + // Ask the StrongBox KeyMint for a challenge. + let challenge = match strongbox.getRootOfTrustChallenge() { + Ok(data) => data, + Err(e) => { + // If StrongBox doesn't provide a challenge, it might be because: + // - it already has RootOfTrust information + // - it's a KeyMint v1 implementation that doesn't understand the method. + // In either case, we're done. + log::info!("StrongBox does not provide a challenge, so no RoT transfer: {:?}", e); + return; + } + }; + // Get the RoT info from the TEE + let tee = match get_keymint_device(&SecurityLevel::TRUSTED_ENVIRONMENT) { + Ok((s, _, _)) => s, + Err(e) => { + log::error!("No TEE KeyMint implementation found! {:?}", e); + return; + } + }; + let root_of_trust = match tee.getRootOfTrust(&challenge) { + Ok(rot) => rot, + Err(e) => { + log::error!("TEE KeyMint failed to return RootOfTrust info: {:?}", e); + return; + } + }; + // The RootOfTrust information is CBOR-serialized data, but we don't need to parse it. + // Just pass it on to the StrongBox KeyMint instance. + let result = strongbox.sendRootOfTrust(&root_of_trust); + if let Err(e) = result { + log::error!("Failed to send RootOfTrust to StrongBox: {:?}", e); + } + log::info!("RootOfTrust transfer process complete"); +} |