authorJanis Danisevskis <jdanis@google.com>2017-12-18 16:48:46 -0800
committerJanis Danisevskis <jdanis@google.com>2017-12-27 16:38:09 -0800
commitc1460141c0eea24ae004edf7a964078611f45cc6 (patch)
tree7d3fcd6b6cf599b4547688f9d1db624751004757 /keystore/include
parentbb22a6c50d609dffc7002f906f4d385d7c7cbfdc (diff)
KeyStore: use security level to chose keymaster device
Keymaster4 introduces security levels. Android devices may have multiple keymaster implementations, one for each possible security level, where the presence of a stronger security level implies the presence of all lower levels. This patch adds code that enumerates all keymaster device implementations available from ServiceManager and populates Keystore's keymaster device database with at most one keymaster implementation per security level. It gives precedence to newer versions if multiple implementations exist for the same security level. The security level is chosen by a set of flags passed to the keystore operations generate, import, and addRngEntropy. For existing keys the right security level is chosen by the blob flags. To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the security level is expressed through a combination of KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S). The encoding is as follows (F S): Software = 1 X (don't care); TEE = 0 0; Strongbox = 0 1. Some operations in keystore cli2 were amended with the optional --seclevel flag, allowing the user to choose the security level for the given operation. Possible options are "software", "strongbox", and "tee", where tee is the default value. Test: Existing KeyStore CTS tests run Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
Diffstat (limited to 'keystore/include')
-rw-r--r--keystore/include/keystore/keystore.h1
-rw-r--r--keystore/include/keystore/keystore_client.h8
-rw-r--r--keystore/include/keystore/keystore_client_impl.h11
3 files changed, 11 insertions, 9 deletions
diff --git a/keystore/include/keystore/keystore.h b/keystore/include/keystore/keystore.h
index cb644987..07f645fd 100644
--- a/keystore/include/keystore/keystore.h
+++ b/keystore/include/keystore/keystore.h
@@ -63,6 +63,7 @@ enum KeyStoreFlag : uint8_t {
// encrypted, and it will be stored separately under an unique UID instead. This flag should
// only be available to system uid.
KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3,
+ KEYSTORE_FLAG_STRONGBOX = 1 << 4,
};
#endif
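Review bot: The new enumerator `KEYSTORE_FLAG_STRONGBOX = 1 << 4` is the only value in this enum without a comment, while the neighbouring flags each document their meaning and who may set them; the F/S encoding that gives this bit its meaning currently lives only in the commit message. Since the bit is persisted in blob flags and later decides which keymaster device handles an existing key, the header is where a reader will look for it. I would add above the enumerator: `// Requests the StrongBox security level. Only meaningful when KEYSTORE_FLAG_FALLBACK is clear; with FALLBACK set the software keymaster is selected regardless of this bit.` The enclosing `enum KeyStoreFlag : uint8_t` starts outside the hunk, and the remaining bit budget of the uint8_t (1 << 5 .. 1 << 7) is presumably still free, but that is inferred from the hunk header rather than shown.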
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index 67ebad39..d6a48076 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -62,7 +62,7 @@ class KeystoreClient {
// Note: implementations may generate more than one key but they will always
// have |key_name| as a prefix.
virtual bool encryptWithAuthentication(const std::string& key_name, const std::string& data,
- std::string* encrypted_data) = 0;
+ int32_t flags, std::string* encrypted_data) = 0;
// Decrypts and authenticates |encrypted_data| as output by
// EncryptWithAuthentication using the key(s) identified by |key_name|. On
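Review bot: The added `int32_t flags` parameter on `encryptWithAuthentication` is not described by the comment block above the declaration, which still documents only |key_name| and the generated key(s); the same omission applies to the `addRandomNumberGeneratorEntropy` and `generateKey` hunks of this file. Because the value selects the security level of the key that gets created, a caller has no way to know from the header which bits are honoured. I would extend the comment with: `// |flags| is a bitmask of KeyStoreFlag values; the security level is taken from KEYSTORE_FLAG_FALLBACK and KEYSTORE_FLAG_STRONGBOX.` As a point of style, the parameter is declared `int32_t` while `KeyStoreFlag` is a `uint8_t` enum, so the comment should also say whether values outside the enum are rejected or ignored, which this diff does not show. The enclosing `class KeystoreClient` begins outside the hunk.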
@@ -85,8 +85,8 @@ class KeystoreClient {
// Adds |entropy| to the random number generator. Returns KM_ERROR_OK on
// success and a Keystore ResponseCode or keymaster_error_t on failure.
- virtual KeyStoreNativeReturnCode
- addRandomNumberGeneratorEntropy(const std::string& entropy) = 0;
+ virtual KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy,
+ int32_t flags) = 0;
// Generates a key according to the given |key_parameters| and stores it with
// the given |key_name|. The [hardware|software]_enforced_characteristics of
@@ -95,7 +95,7 @@ class KeystoreClient {
// failure.
virtual KeyStoreNativeReturnCode
generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
- keystore::AuthorizationSet* hardware_enforced_characteristics,
+ int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics,
keystore::AuthorizationSet* software_enforced_characteristics) = 0;
// Provides the [hardware|software]_enforced_characteristics of a key
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index a11e2fe8..9edd0824 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -35,7 +35,7 @@ class KeystoreClientImpl : public KeystoreClient {
// KeystoreClient methods.
bool encryptWithAuthentication(const std::string& key_name, const std::string& data,
- std::string* encrypted_data) override;
+ int32_t flags, std::string* encrypted_data) override;
bool decryptWithAuthentication(const std::string& key_name, const std::string& encrypted_data,
std::string* data) override;
bool oneShotOperation(KeyPurpose purpose, const std::string& key_name,
@@ -43,10 +43,11 @@ class KeystoreClientImpl : public KeystoreClient {
const std::string& input_data, const std::string& signature_to_verify,
keystore::AuthorizationSet* output_parameters,
std::string* output_data) override;
- KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy) override;
+ KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy,
+ int32_t flags) override;
KeyStoreNativeReturnCode
generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters,
- keystore::AuthorizationSet* hardware_enforced_characteristics,
+ int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics,
keystore::AuthorizationSet* software_enforced_characteristics) override;
KeyStoreNativeReturnCode
getKeyCharacteristics(const std::string& key_name,
@@ -90,11 +91,11 @@ class KeystoreClientImpl : public KeystoreClient {
// Creates an encryption key suitable for EncryptWithAuthentication or
// verifies attributes if the key already exists. Returns true on success.
- bool createOrVerifyEncryptionKey(const std::string& key_name);
+ bool createOrVerifyEncryptionKey(const std::string& key_name, int32_t flags);
// Creates an authentication key suitable for EncryptWithAuthentication or
// verifies attributes if the key already exists. Returns true on success.
- bool createOrVerifyAuthenticationKey(const std::string& key_name);
+ bool createOrVerifyAuthenticationKey(const std::string& key_name, int32_t flags);
// Verifies attributes of an encryption key suitable for
// EncryptWithAuthentication. Returns true on success and populates |verified|