1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
|
// Copyright 2021, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! Offer keys based on the "boot level" for superencryption.
use crate::ks_err;
use crate::{
database::{KeyType, KeystoreDB},
key_parameter::KeyParameterValue,
raw_device::KeyMintDevice,
};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Algorithm::Algorithm, Digest::Digest, KeyParameter::KeyParameter as KmKeyParameter,
KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
};
use anyhow::{Context, Result};
use keystore2_crypto::{hkdf_expand, ZVec, AES_256_KEY_LENGTH};
use std::{collections::VecDeque, convert::TryFrom};
/// Strategies used to prevent later boot stages from using the KM key that protects the level 0
/// key
#[derive(Debug, PartialEq, Eq, Clone, Copy)]
enum DenyLaterStrategy {
/// set MaxUsesPerBoot to 1. This is much less secure, since the attacker can replace the key
/// itself, and therefore create artifacts which appear to come from early boot.
MaxUsesPerBoot,
/// set the EarlyBootOnly property. This property is only supported in KM from 4.1 on, but
/// it ensures that the level 0 key was genuinely created in early boot
EarlyBootOnly,
}
/// Generally the L0 KM and strategy are chosen by probing KM versions in TEE and Strongbox.
/// However, once a device is launched the KM and strategy must never change, even if the
/// KM version in TEE or Strongbox is updated. Setting this property at build time using
/// `PRODUCT_VENDOR_PROPERTIES` means that the strategy can be fixed no matter what versions
/// of KM are present.
const PROPERTY_NAME: &str = "ro.keystore.boot_level_key.strategy";
fn lookup_level_zero_km_and_strategy() -> Result<Option<(SecurityLevel, DenyLaterStrategy)>> {
let property_val = rustutils::system_properties::read(PROPERTY_NAME)
.with_context(|| ks_err!("property read failed: {}", PROPERTY_NAME))?;
// TODO: use feature(let_else) when that's stabilized.
let property_val = if let Some(p) = property_val {
p
} else {
log::info!("{} not set, inferring from installed KM instances", PROPERTY_NAME);
return Ok(None);
};
let (level, strategy) = if let Some(c) = property_val.split_once(':') {
c
} else {
log::error!("Missing colon in {}: {:?}", PROPERTY_NAME, property_val);
return Ok(None);
};
let level = match level {
"TRUSTED_ENVIRONMENT" => SecurityLevel::TRUSTED_ENVIRONMENT,
"STRONGBOX" => SecurityLevel::STRONGBOX,
_ => {
log::error!("Unknown security level in {}: {:?}", PROPERTY_NAME, level);
return Ok(None);
}
};
let strategy = match strategy {
"EARLY_BOOT_ONLY" => DenyLaterStrategy::EarlyBootOnly,
"MAX_USES_PER_BOOT" => DenyLaterStrategy::MaxUsesPerBoot,
_ => {
log::error!("Unknown DenyLaterStrategy in {}: {:?}", PROPERTY_NAME, strategy);
return Ok(None);
}
};
log::info!("Set from {}: {}", PROPERTY_NAME, property_val);
Ok(Some((level, strategy)))
}
fn get_level_zero_key_km_and_strategy() -> Result<(KeyMintDevice, DenyLaterStrategy)> {
if let Some((level, strategy)) = lookup_level_zero_km_and_strategy()? {
return Ok((
KeyMintDevice::get(level).context(ks_err!("Get KM instance failed."))?,
strategy,
));
}
let tee = KeyMintDevice::get(SecurityLevel::TRUSTED_ENVIRONMENT)
.context(ks_err!("Get TEE instance failed."))?;
if tee.version() >= KeyMintDevice::KEY_MASTER_V4_1 {
Ok((tee, DenyLaterStrategy::EarlyBootOnly))
} else {
match KeyMintDevice::get_or_none(SecurityLevel::STRONGBOX)
.context(ks_err!("Get Strongbox instance failed."))?
{
Some(strongbox) if strongbox.version() >= KeyMintDevice::KEY_MASTER_V4_1 => {
Ok((strongbox, DenyLaterStrategy::EarlyBootOnly))
}
_ => Ok((tee, DenyLaterStrategy::MaxUsesPerBoot)),
}
}
}
/// This is not thread safe; caller must hold a lock before calling.
/// In practice the caller is SuperKeyManager and the lock is the
/// Mutex on its internal state.
pub fn get_level_zero_key(db: &mut KeystoreDB) -> Result<ZVec> {
let (km_dev, deny_later_strategy) = get_level_zero_key_km_and_strategy()
.context(ks_err!("get preferred KM instance failed"))?;
log::info!(
"In get_level_zero_key: security_level={:?}, deny_later_strategy={:?}",
km_dev.security_level(),
deny_later_strategy
);
let required_security_level = km_dev.security_level();
let required_param: KmKeyParameter = match deny_later_strategy {
DenyLaterStrategy::EarlyBootOnly => KeyParameterValue::EarlyBootOnly,
DenyLaterStrategy::MaxUsesPerBoot => KeyParameterValue::MaxUsesPerBoot(1),
}
.into();
let params = vec![
KeyParameterValue::Algorithm(Algorithm::HMAC).into(),
KeyParameterValue::Digest(Digest::SHA_2_256).into(),
KeyParameterValue::KeySize(256).into(),
KeyParameterValue::MinMacLength(256).into(),
KeyParameterValue::KeyPurpose(KeyPurpose::SIGN).into(),
KeyParameterValue::NoAuthRequired.into(),
required_param.clone(),
];
let key_desc = KeyMintDevice::internal_descriptor("boot_level_key".to_string());
let (key_id_guard, key_entry) = km_dev
.lookup_or_generate_key(db, &key_desc, KeyType::Client, ¶ms, |key_characteristics| {
key_characteristics.iter().any(|kc| {
if kc.securityLevel != required_security_level {
log::error!(
"In get_level_zero_key: security level expected={:?} got={:?}",
required_security_level,
kc.securityLevel
);
return false;
}
if !kc.authorizations.iter().any(|a| a == &required_param) {
log::error!(
"In get_level_zero_key: required param absent {:?}",
required_param
);
return false;
}
true
})
})
.context(ks_err!("lookup_or_generate_key failed"))?;
let params = [
KeyParameterValue::MacLength(256).into(),
KeyParameterValue::Digest(Digest::SHA_2_256).into(),
];
let level_zero_key = km_dev
.use_key_in_one_step(
db,
&key_id_guard,
&key_entry,
KeyPurpose::SIGN,
¶ms,
None,
b"Create boot level key",
)
.context(ks_err!("use_key_in_one_step failed"))?;
// TODO: this is rather unsatisfactory, we need a better way to handle
// sensitive binder returns.
let level_zero_key =
ZVec::try_from(level_zero_key).context(ks_err!("conversion to ZVec failed"))?;
Ok(level_zero_key)
}
/// Holds the key for the current boot level, and a cache of future keys generated as required.
/// When the boot level advances, keys prior to the current boot level are securely dropped.
pub struct BootLevelKeyCache {
/// Least boot level currently accessible, if any is.
current: usize,
/// Invariant: cache entry *i*, if it exists, holds the HKDF key for boot level
/// *i* + `current`. If the cache is non-empty it can be grown forwards, but it cannot be
/// grown backwards, so keys below `current` are inaccessible.
/// `cache.clear()` makes all keys inaccessible.
cache: VecDeque<ZVec>,
}
impl BootLevelKeyCache {
const HKDF_ADVANCE: &'static [u8] = b"Advance KDF one step";
const HKDF_AES: &'static [u8] = b"Generate AES-256-GCM key";
const HKDF_KEY_SIZE: usize = 32;
/// Initialize the cache with the level zero key.
pub fn new(level_zero_key: ZVec) -> Self {
let mut cache: VecDeque<ZVec> = VecDeque::new();
cache.push_back(level_zero_key);
Self { current: 0, cache }
}
/// Report whether the key for the given level can be inferred.
pub fn level_accessible(&self, boot_level: usize) -> bool {
// If the requested boot level is lower than the current boot level
// or if we have reached the end (`cache.empty()`) we can't retrieve
// the boot key.
boot_level >= self.current && !self.cache.is_empty()
}
/// Get the HKDF key for boot level `boot_level`. The key for level *i*+1
/// is calculated from the level *i* key using `hkdf_expand`.
fn get_hkdf_key(&mut self, boot_level: usize) -> Result<Option<&ZVec>> {
if !self.level_accessible(boot_level) {
return Ok(None);
}
// `self.cache.len()` represents the first entry not in the cache,
// so `self.current + self.cache.len()` is the first boot level not in the cache.
let first_not_cached = self.current + self.cache.len();
// Grow the cache forwards until it contains the desired boot level.
for _level in first_not_cached..=boot_level {
// We check at the start that cache is non-empty and future iterations only push,
// so this must unwrap.
let highest_key = self.cache.back().unwrap();
let next_key = hkdf_expand(Self::HKDF_KEY_SIZE, highest_key, Self::HKDF_ADVANCE)
.context(ks_err!("Advancing key one step"))?;
self.cache.push_back(next_key);
}
// If we reach this point, we should have a key at index boot_level - current.
Ok(Some(self.cache.get(boot_level - self.current).unwrap()))
}
/// Drop keys prior to the given boot level, while retaining the ability to generate keys for
/// that level and later.
pub fn advance_boot_level(&mut self, new_boot_level: usize) -> Result<()> {
if !self.level_accessible(new_boot_level) {
log::error!(
"Failed to advance boot level to {}, current is {}, cache size {}",
new_boot_level,
self.current,
self.cache.len()
);
return Ok(());
}
// We `get` the new boot level for the side effect of advancing the cache to a point
// where the new boot level is present.
self.get_hkdf_key(new_boot_level).context(ks_err!("Advancing cache"))?;
// Then we split the queue at the index of the new boot level and discard the front,
// keeping only the keys with the current boot level or higher.
self.cache = self.cache.split_off(new_boot_level - self.current);
// The new cache has the new boot level at index 0, so we set `current` to
// `new_boot_level`.
self.current = new_boot_level;
Ok(())
}
/// Drop all keys, effectively raising the current boot level to infinity; no keys can
/// be inferred from this point on.
pub fn finish(&mut self) {
self.cache.clear();
}
fn expand_key(
&mut self,
boot_level: usize,
out_len: usize,
info: &[u8],
) -> Result<Option<ZVec>> {
self.get_hkdf_key(boot_level)
.context(ks_err!("Looking up HKDF key"))?
.map(|k| hkdf_expand(out_len, k, info))
.transpose()
.context(ks_err!("Calling hkdf_expand"))
}
/// Return the AES-256-GCM key for the current boot level.
pub fn aes_key(&mut self, boot_level: usize) -> Result<Option<ZVec>> {
self.expand_key(boot_level, AES_256_KEY_LENGTH, BootLevelKeyCache::HKDF_AES)
.context(ks_err!("expand_key failed"))
}
}
#[cfg(test)]
mod test {
use super::*;
#[test]
fn test_output_is_consistent() -> Result<()> {
let initial_key = b"initial key";
let mut blkc = BootLevelKeyCache::new(ZVec::try_from(initial_key as &[u8])?);
assert!(blkc.level_accessible(0));
assert!(blkc.level_accessible(9));
assert!(blkc.level_accessible(10));
assert!(blkc.level_accessible(100));
let v0 = blkc.aes_key(0).unwrap().unwrap();
let v10 = blkc.aes_key(10).unwrap().unwrap();
assert_eq!(Some(&v0), blkc.aes_key(0)?.as_ref());
assert_eq!(Some(&v10), blkc.aes_key(10)?.as_ref());
blkc.advance_boot_level(5)?;
assert!(!blkc.level_accessible(0));
assert!(blkc.level_accessible(9));
assert!(blkc.level_accessible(10));
assert!(blkc.level_accessible(100));
assert_eq!(None, blkc.aes_key(0)?);
assert_eq!(Some(&v10), blkc.aes_key(10)?.as_ref());
blkc.advance_boot_level(10)?;
assert!(!blkc.level_accessible(0));
assert!(!blkc.level_accessible(9));
assert!(blkc.level_accessible(10));
assert!(blkc.level_accessible(100));
assert_eq!(None, blkc.aes_key(0)?);
assert_eq!(Some(&v10), blkc.aes_key(10)?.as_ref());
blkc.advance_boot_level(0)?;
assert!(!blkc.level_accessible(0));
assert!(!blkc.level_accessible(9));
assert!(blkc.level_accessible(10));
assert!(blkc.level_accessible(100));
assert_eq!(None, blkc.aes_key(0)?);
assert_eq!(Some(v10), blkc.aes_key(10)?);
blkc.finish();
assert!(!blkc.level_accessible(0));
assert!(!blkc.level_accessible(9));
assert!(!blkc.level_accessible(10));
assert!(!blkc.level_accessible(100));
assert_eq!(None, blkc.aes_key(0)?);
assert_eq!(None, blkc.aes_key(10)?);
Ok(())
}
}
|
