diff options
author | Janis Danisevskis <jdanis@google.com> | 2017-12-18 16:48:46 -0800 |
---|---|---|
committer | Janis Danisevskis <jdanis@google.com> | 2017-12-27 16:38:09 -0800 |
commit | c1460141c0eea24ae004edf7a964078611f45cc6 (patch) | |
tree | 7d3fcd6b6cf599b4547688f9d1db624751004757 /keystore/include | |
parent | bb22a6c50d609dffc7002f906f4d385d7c7cbfdc (diff) | |
download | security-c1460141c0eea24ae004edf7a964078611f45cc6.tar.gz |
KeyStore: use security level to chose keymaster device
Keymaster4 introduces security levels. Android devices
may have multiple keymaster implementations, one for each
possible security level, where the presence of a strong
security level implies the presence of all lower levels.
This patch adds code that enumerates all keymaster device
implementations available from ServiceManager and populates
Keystore's keymaster device database with at most one keymaster
implementation per security level. It gives precedence to
newer versions if multiple implementations exist for the same security
level.
The security level is chosen by a set of flags passed to the keystore
operations generate, import, addRngEntropy.
For existing keys the right security level is chosen by the blob flags.
To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the
security level is expressed through a combination of
KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S).
Encoding is as follows:
F S
Software 1 X (don't care)
TEE 0 0
Strongbox 0 1
Some operations in keystore cli2 where amended with the optional
--seclevel flags. Allowing the user to chose the security level for the
given operation. Possible options are "software", "strongbox", and "tee"
where tee is the default value.
Test: Existing KeyStore CTS tests run
Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
Diffstat (limited to 'keystore/include')
-rw-r--r-- | keystore/include/keystore/keystore.h | 1 | ||||
-rw-r--r-- | keystore/include/keystore/keystore_client.h | 8 | ||||
-rw-r--r-- | keystore/include/keystore/keystore_client_impl.h | 11 |
3 files changed, 11 insertions, 9 deletions
diff --git a/keystore/include/keystore/keystore.h b/keystore/include/keystore/keystore.h index cb644987..07f645fd 100644 --- a/keystore/include/keystore/keystore.h +++ b/keystore/include/keystore/keystore.h @@ -63,6 +63,7 @@ enum KeyStoreFlag : uint8_t { // encrypted, and it will be stored separately under an unique UID instead. This flag should // only be available to system uid. KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION = 1 << 3, + KEYSTORE_FLAG_STRONGBOX = 1 << 4, }; #endif diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h index 67ebad39..d6a48076 100644 --- a/keystore/include/keystore/keystore_client.h +++ b/keystore/include/keystore/keystore_client.h @@ -62,7 +62,7 @@ class KeystoreClient { // Note: implementations may generate more than one key but they will always // have |key_name| as a prefix. virtual bool encryptWithAuthentication(const std::string& key_name, const std::string& data, - std::string* encrypted_data) = 0; + int32_t flags, std::string* encrypted_data) = 0; // Decrypts and authenticates |encrypted_data| as output by // EncryptWithAuthentication using the key(s) identified by |key_name|. On @@ -85,8 +85,8 @@ class KeystoreClient { // Adds |entropy| to the random number generator. Returns KM_ERROR_OK on // success and a Keystore ResponseCode or keymaster_error_t on failure. - virtual KeyStoreNativeReturnCode - addRandomNumberGeneratorEntropy(const std::string& entropy) = 0; + virtual KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy, + int32_t flags) = 0; // Generates a key according to the given |key_parameters| and stores it with // the given |key_name|. The [hardware|software]_enforced_characteristics of @@ -95,7 +95,7 @@ class KeystoreClient { // failure. virtual KeyStoreNativeReturnCode generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters, - keystore::AuthorizationSet* hardware_enforced_characteristics, + int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics, keystore::AuthorizationSet* software_enforced_characteristics) = 0; // Provides the [hardware|software]_enforced_characteristics of a key diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h index a11e2fe8..9edd0824 100644 --- a/keystore/include/keystore/keystore_client_impl.h +++ b/keystore/include/keystore/keystore_client_impl.h @@ -35,7 +35,7 @@ class KeystoreClientImpl : public KeystoreClient { // KeystoreClient methods. bool encryptWithAuthentication(const std::string& key_name, const std::string& data, - std::string* encrypted_data) override; + int32_t flags, std::string* encrypted_data) override; bool decryptWithAuthentication(const std::string& key_name, const std::string& encrypted_data, std::string* data) override; bool oneShotOperation(KeyPurpose purpose, const std::string& key_name, @@ -43,10 +43,11 @@ class KeystoreClientImpl : public KeystoreClient { const std::string& input_data, const std::string& signature_to_verify, keystore::AuthorizationSet* output_parameters, std::string* output_data) override; - KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy) override; + KeyStoreNativeReturnCode addRandomNumberGeneratorEntropy(const std::string& entropy, + int32_t flags) override; KeyStoreNativeReturnCode generateKey(const std::string& key_name, const keystore::AuthorizationSet& key_parameters, - keystore::AuthorizationSet* hardware_enforced_characteristics, + int32_t flags, keystore::AuthorizationSet* hardware_enforced_characteristics, keystore::AuthorizationSet* software_enforced_characteristics) override; KeyStoreNativeReturnCode getKeyCharacteristics(const std::string& key_name, @@ -90,11 +91,11 @@ class KeystoreClientImpl : public KeystoreClient { // Creates an encryption key suitable for EncryptWithAuthentication or // verifies attributes if the key already exists. Returns true on success. - bool createOrVerifyEncryptionKey(const std::string& key_name); + bool createOrVerifyEncryptionKey(const std::string& key_name, int32_t flags); // Creates an authentication key suitable for EncryptWithAuthentication or // verifies attributes if the key already exists. Returns true on success. - bool createOrVerifyAuthenticationKey(const std::string& key_name); + bool createOrVerifyAuthenticationKey(const std::string& key_name, int32_t flags); // Verifies attributes of an encryption key suitable for // EncryptWithAuthentication. Returns true on success and populates |verified| |