diff options
author | Andrei Homescu <ahomescu@google.com> | 2024-02-16 04:53:44 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2024-02-16 04:53:44 +0000 |
commit | 5cd693cc1c4221c06c2bb20c44d0af5cb62c9c9f (patch) | |
tree | 3665ada2e6f2af375a253cbccc4d8e7cb8f3d98a | |
parent | c038e17915b602862d7a536375c84f896e921848 (diff) | |
parent | 5035f40ea1580fe552f24c0dfbd129100591026e (diff) | |
download | keymaster-master.tar.gz |
Original change: https://android-review.googlesource.com/c/trusty/app/keymaster/+/2849939
Change-Id: I378b6d5606773deeaef7c3db6613dc0a61b77101
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | atap/rules.mk | 32 | ||||
-rw-r--r-- | atap/trusty_atap_ops.cpp | 296 | ||||
-rw-r--r-- | atap/trusty_atap_ops.h | 74 | ||||
-rw-r--r-- | device_unittest/rules.mk | 1 | ||||
-rw-r--r-- | host_unittest/main.cpp | 68 | ||||
-rw-r--r-- | host_unittest/rules.mk | 4 | ||||
-rw-r--r-- | rules.mk | 1 | ||||
-rw-r--r-- | secure_storage_manager.cpp | 61 | ||||
-rw-r--r-- | secure_storage_manager.h | 20 | ||||
-rw-r--r-- | trusty_keymaster.cpp | 80 | ||||
-rw-r--r-- | trusty_keymaster.h | 8 |
11 files changed, 1 insertions, 644 deletions
diff --git a/atap/rules.mk b/atap/rules.mk deleted file mode 100644 index 8a7a4fd..0000000 --- a/atap/rules.mk +++ /dev/null @@ -1,32 +0,0 @@ -# Copyright (C) 2017 The Android Open Source Project -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -CUR_DIR := $(GET_LOCAL_DIR) - -ATAP_ROOT := $(TRUSTY_TOP)/system/iot/attestation/atap - -MODULE_SRCS += \ - $(ATAP_ROOT)/libatap/atap_commands.c \ - $(ATAP_ROOT)/libatap/atap_sysdeps_posix.c \ - $(ATAP_ROOT)/libatap/atap_util.c \ - $(ATAP_ROOT)/ops/atap_ops_provider.cpp \ - $(ATAP_ROOT)/ops/openssl_ops.cpp \ - $(CUR_DIR)/trusty_atap_ops.cpp - -MODULE_INCLUDES += \ - $(ATAP_ROOT) \ - $(CUR_DIR) - -CUR_DIR = diff --git a/atap/trusty_atap_ops.cpp b/atap/trusty_atap_ops.cpp deleted file mode 100644 index efab067..0000000 --- a/atap/trusty_atap_ops.cpp +++ /dev/null @@ -1,296 +0,0 @@ -/* - * Copyright (C) 2017 The Android Open Source Project - * - * Permission is hereby granted, free of charge, to any person - * obtaining a copy of this software and associated documentation - * files (the "Software"), to deal in the Software without - * restriction, including without limitation the rights to use, copy, - * modify, merge, publish, distribute, sublicense, and/or sell copies - * of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#include "trusty_atap_ops.h" -#include "secure_storage_manager.h" -#include "trusty_logger.h" - -#include <keymaster/UniquePtr.h> -#include <openssl/crypto.h> -#include <openssl/evp.h> -#include <openssl/x509.h> - -namespace { - -using keymaster::AttestationKeySlot; - -AttestationKeySlot MapKeyTypeToSlot(const AtapKeyType atap_key_type) { - switch (atap_key_type) { - case ATAP_KEY_TYPE_RSA: - return AttestationKeySlot::kRsa; - case ATAP_KEY_TYPE_ECDSA: - return AttestationKeySlot::kEcdsa; - case ATAP_KEY_TYPE_edDSA: - return AttestationKeySlot::kEddsa; - case ATAP_KEY_TYPE_EPID: - return AttestationKeySlot::kEpid; - case ATAP_KEY_TYPE_SPECIAL: - return AttestationKeySlot::kClaimable0; - case ATAP_KEY_TYPE_RSA_SOM: - return AttestationKeySlot::kSomRsa; - case ATAP_KEY_TYPE_ECDSA_SOM: - return AttestationKeySlot::kSomEcdsa; - case ATAP_KEY_TYPE_edDSA_SOM: - return AttestationKeySlot::kSomEddsa; - case ATAP_KEY_TYPE_EPID_SOM: - return AttestationKeySlot::kSomEpid; - default: - return AttestationKeySlot::kInvalid; - } - return AttestationKeySlot::kInvalid; -} - -} // namespace - -namespace keymaster { - -struct EVP_PKEY_Delete { - void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); } -}; -typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY; - -TrustyAtapOps::TrustyAtapOps() {} -TrustyAtapOps::~TrustyAtapOps() {} - -struct PKCS8_PRIV_KEY_INFO_Delete { - void operator()(PKCS8_PRIV_KEY_INFO* p) const { - PKCS8_PRIV_KEY_INFO_free(p); - } -}; -typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> - Unique_PKCS8_PRIV_KEY_INFO; -struct EVP_MD_CTX_Delete { - void operator()(EVP_MD_CTX* p) const { - EVP_MD_CTX_cleanup(p); - EVP_MD_CTX_destroy(p); - } -}; -typedef UniquePtr<EVP_MD_CTX, EVP_MD_CTX_Delete> Unique_EVP_MD_CTX; - -AtapResult TrustyAtapOps::read_product_id( - uint8_t product_id[ATAP_PRODUCT_ID_LEN]) { - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) - return ATAP_RESULT_ERROR_STORAGE; - if (ss_manager->ReadProductId(product_id) != KM_ERROR_OK) { - /* If we can't get permanent attributes, set product id to the test - product id (all zero). */ - LOG_E("Fail to read product id from storage, set as 0."); - memset(product_id, 0, ATAP_PRODUCT_ID_LEN); - } - return ATAP_RESULT_OK; -} - -AtapResult TrustyAtapOps::get_auth_key_type(AtapKeyType* key_type) { - if (_auth_key_type_init) { - *key_type = _auth_key_type; - return ATAP_RESULT_OK; - } - *key_type = ATAP_KEY_TYPE_NONE; - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) - return ATAP_RESULT_ERROR_STORAGE; - const AtapKeyType kAuthKeyTypes[3] = {ATAP_KEY_TYPE_EPID_SOM, - ATAP_KEY_TYPE_RSA_SOM, - ATAP_KEY_TYPE_ECDSA_SOM}; - - for (size_t i = 0; i < (sizeof(kAuthKeyTypes) / sizeof(AtapKeyType)); i++) { - AttestationKeySlot key_slot = MapKeyTypeToSlot(kAuthKeyTypes[i]); - bool key_exists; - if (ss_manager->AttestationKeyExists(key_slot, &key_exists) != - KM_ERROR_OK) { - return ATAP_RESULT_ERROR_STORAGE; - } - if (key_exists) { - *key_type = kAuthKeyTypes[i]; - break; - } - } - - _auth_key_type_init = true; - _auth_key_type = *key_type; - return ATAP_RESULT_OK; -} - -AtapResult TrustyAtapOps::read_auth_key_cert_chain(AtapCertChain* cert_chain) { - AtapKeyType key_type; - AtapResult atap_result = get_auth_key_type(&key_type); - if (atap_result != ATAP_RESULT_OK) { - LOG_E("Failed to get key type."); - return atap_result; - } - if (key_type == ATAP_KEY_TYPE_NONE) { - return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION; - } - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) { - return ATAP_RESULT_ERROR_STORAGE; - } - AttestationKeySlot key_slot = MapKeyTypeToSlot(key_type); - keymaster_error_t result = - ss_manager->ReadAtapCertChainFromStorage(key_slot, cert_chain); - if (result != KM_ERROR_OK) { - LOG_E("Failed to read som cert chain from slot %d (err = %d)", key_slot, - result); - return ATAP_RESULT_ERROR_STORAGE; - } - if (cert_chain->entry_count > ATAP_CERT_CHAIN_ENTRIES_MAX) { - LOG_E("Stored cert chain length is larger than the maximum cert chain length"); - return ATAP_RESULT_ERROR_CRYPTO; - } - return ATAP_RESULT_OK; -} - -AtapResult TrustyAtapOps::write_attestation_key( - AtapKeyType key_type, - const AtapBlob* key, - const AtapCertChain* cert_chain) { - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) - return ATAP_RESULT_ERROR_STORAGE; - AttestationKeySlot slot = MapKeyTypeToSlot(key_type); - if (key_type == ATAP_KEY_TYPE_RSA_SOM || - key_type == ATAP_KEY_TYPE_ECDSA_SOM || - key_type == ATAP_KEY_TYPE_EPID_SOM || - key_type == ATAP_KEY_TYPE_edDSA_SOM) { - /* If writing a som key, invalidate the cached auth_key_type. */ - _auth_key_type_init = false; - } - if (slot == AttestationKeySlot::kInvalid) { - return ATAP_RESULT_ERROR_INVALID_INPUT; - } - - keymaster_error_t result = ss_manager->WriteAtapKeyAndCertsToStorage( - slot, key->data, key->data_length, cert_chain); - if (result != KM_ERROR_OK) { - LOG_E("Failed to write key and certs to slot %d (err = %d)", slot, - result); - return ATAP_RESULT_ERROR_STORAGE; - } - return ATAP_RESULT_OK; -} - -AtapResult TrustyAtapOps::read_attestation_public_key( - AtapKeyType key_type, - uint8_t pubkey[ATAP_KEY_LEN_MAX], - uint32_t* pubkey_len) { - return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION; -} - -AtapResult TrustyAtapOps::read_soc_global_key( - uint8_t global_key[ATAP_AES_128_KEY_LEN]) { - return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION; -} - -AtapResult TrustyAtapOps::write_hex_uuid( - const uint8_t uuid[ATAP_HEX_UUID_LEN]) { - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) - return ATAP_RESULT_ERROR_STORAGE; - if (ss_manager->WriteAttestationUuid(uuid) != KM_ERROR_OK) { - return ATAP_RESULT_ERROR_STORAGE; - } - return ATAP_RESULT_OK; -} - -AtapResult TrustyAtapOps::auth_key_sign(const uint8_t* nonce, - uint32_t nonce_len, - uint8_t sig[ATAP_SIGNATURE_LEN_MAX], - uint32_t* sig_len) { - AtapKeyType key_type; - keymaster_error_t result = KM_ERROR_OK; - AtapResult atap_result = get_auth_key_type(&key_type); - if (atap_result != ATAP_RESULT_OK) { - LOG_E("Failed to get key type"); - return atap_result; - } - if (key_type == ATAP_KEY_TYPE_NONE) { - return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION; - } - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - if (ss_manager == nullptr) { - return ATAP_RESULT_ERROR_STORAGE; - } - AttestationKeySlot key_slot = MapKeyTypeToSlot(key_type); - - KeymasterKeyBlob key_blob = - ss_manager->ReadKeyFromStorage(key_slot, &result); - if (result != KM_ERROR_OK) { - LOG_E("Failed to read som cert chain from slot %d (err = %d)", key_slot, - result); - return ATAP_RESULT_ERROR_STORAGE; - } - - const uint8_t* pkcs_priv_key_p = key_blob.key_material; - - Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO( - NULL, &pkcs_priv_key_p, key_blob.key_material_size)); - if (!pkcs8.get()) { - LOG_E("Error parsing pkcs8 format private key."); - return ATAP_RESULT_ERROR_INVALID_INPUT; - } - Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get())); - if (!pkey.get()) { - LOG_E("Error parsing pkcs8 private key to EVP_PKEY."); - return ATAP_RESULT_ERROR_INVALID_INPUT; - } - - Unique_EVP_MD_CTX mdctx(EVP_MD_CTX_create()); - - if (!mdctx.get()) { - LOG_E("Error creating md ctx."); - return ATAP_RESULT_ERROR_OOM; - } - EVP_PKEY_CTX* evp_pkey_ctx; - if (1 != EVP_DigestSignInit(mdctx.get(), &evp_pkey_ctx, EVP_sha512(), NULL, - pkey.get())) { - return ATAP_RESULT_ERROR_OOM; - } - if (key_type == ATAP_KEY_TYPE_RSA_SOM && - 1 != EVP_PKEY_CTX_set_rsa_padding(evp_pkey_ctx, RSA_PKCS1_PADDING)) { - return ATAP_RESULT_ERROR_CRYPTO; - } - - if (1 != EVP_DigestSignUpdate(mdctx.get(), nonce, nonce_len)) { - return ATAP_RESULT_ERROR_CRYPTO; - } - /* Get sig length. */ - size_t local_sig_len; - if (1 != EVP_DigestSignFinal(mdctx.get(), NULL, &local_sig_len)) { - return ATAP_RESULT_ERROR_CRYPTO; - } - if (local_sig_len > ATAP_SIGNATURE_LEN_MAX) { - LOG_E("Signature length larger than the supported maximum signature length."); - return ATAP_RESULT_ERROR_INVALID_INPUT; - } - /* Obtain the signature */ - if (1 != EVP_DigestSignFinal(mdctx.get(), sig, &local_sig_len)) { - return ATAP_RESULT_ERROR_CRYPTO; - } - *sig_len = (uint32_t)local_sig_len; - - return ATAP_RESULT_OK; -} - -} // namespace keymaster diff --git a/atap/trusty_atap_ops.h b/atap/trusty_atap_ops.h deleted file mode 100644 index ce25f58..0000000 --- a/atap/trusty_atap_ops.h +++ /dev/null @@ -1,74 +0,0 @@ -/* - * Copyright (C) 2017 The Android Open Source Project - * - * Permission is hereby granted, free of charge, to any person - * obtaining a copy of this software and associated documentation - * files (the "Software"), to deal in the Software without - * restriction, including without limitation the rights to use, copy, - * modify, merge, publish, distribute, sublicense, and/or sell copies - * of the Software, and to permit persons to whom the Software is - * furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be - * included in all copies or substantial portions of the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, - * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF - * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND - * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS - * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN - * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN - * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE - * SOFTWARE. - */ - -#ifndef TRUSTY_ATAP_OPS_H_ -#define TRUSTY_ATAP_OPS_H_ - -#include "ops/openssl_ops.h" - -namespace keymaster { - -// An ops implementation for Trusty. All instances of this class must be created -// on the same thread. This class is intended to be used with libatap and does -// not perform additional verification of data formats. Only use this class with -// sanitized inputs. -class TrustyAtapOps : public atap::OpensslOps { -public: - TrustyAtapOps(); - ~TrustyAtapOps() override; - - // AtapOpsDelegate methods. Other methods are handled by OpensslOps. - AtapResult read_product_id( - uint8_t product_id[ATAP_PRODUCT_ID_LEN]) override; - - AtapResult get_auth_key_type(AtapKeyType* key_type) override; - - AtapResult read_auth_key_cert_chain(AtapCertChain* cert_chain) override; - - AtapResult write_attestation_key(AtapKeyType key_type, - const AtapBlob* key, - const AtapCertChain* cert_chain) override; - - AtapResult read_attestation_public_key(AtapKeyType key_type, - uint8_t pubkey[ATAP_KEY_LEN_MAX], - uint32_t* pubkey_len) override; - - AtapResult read_soc_global_key( - uint8_t global_key[ATAP_AES_128_KEY_LEN]) override; - - AtapResult write_hex_uuid(const uint8_t uuid[ATAP_HEX_UUID_LEN]) override; - - AtapResult auth_key_sign(const uint8_t* nonce, - uint32_t nonce_len, - uint8_t sig[ATAP_SIGNATURE_LEN_MAX], - uint32_t* sig_len) override; - -private: - bool _auth_key_type_init = false; - AtapKeyType _auth_key_type; -}; - -} // namespace keymaster - -#endif /* TRUSTY_ATAP_OPS_H_ */ diff --git a/device_unittest/rules.mk b/device_unittest/rules.mk index df3e209..a216ba7 100644 --- a/device_unittest/rules.mk +++ b/device_unittest/rules.mk @@ -61,7 +61,6 @@ MODULE_INCLUDES += \ lib/lib/storage/include \ lib/interface/storage/include \ $(NANOPB_DIR) \ - $(TRUSTY_TOP)/system/iot/attestation/atap \ include make/trusted_app.mk diff --git a/host_unittest/main.cpp b/host_unittest/main.cpp index 5099c00..3a27283 100644 --- a/host_unittest/main.cpp +++ b/host_unittest/main.cpp @@ -44,10 +44,6 @@ #define typeof(x) __typeof__(x) #include <trusty_unittest.h> -extern "C" { -#include <libatap/atap_util.h> -} - #include <keymaster/android_keymaster_utils.h> #include "second_imei_attestation.h" #include "secure_storage_manager.h" @@ -153,65 +149,6 @@ void TestCertChainStorage(AttestationKeySlot key_slot, bool chain_exists) { test_abort:; } -void TestAtapCertChainStorage(AttestationKeySlot key_slot, bool chain_exists) { - keymaster_error_t error = KM_ERROR_OK; - keymaster::UniquePtr<uint8_t[]> write_cert[CHAIN_LENGTH]; - keymaster::UniquePtr<uint8_t[]> write_key; - KeymasterKeyBlob key_blob; - bool key_exists = false; - uint32_t cert_chain_length; - AtapCertChain read_chain; - AtapCertChain write_chain; - memset(&read_chain, 0, sizeof(AtapCertChain)); - memset(&write_chain, 0, sizeof(AtapCertChain)); - - SecureStorageManager* ss_manager = SecureStorageManager::get_instance(); - ASSERT_NE(nullptr, ss_manager); - write_chain.entry_count = CHAIN_LENGTH; - - for (size_t i = 0; i < CHAIN_LENGTH; ++i) { - write_cert[i].reset(NewRandBuf(DATA_SIZE)); - ASSERT_NE(nullptr, write_cert[i].get()); - write_chain.entries[i].data_length = DATA_SIZE; - write_chain.entries[i].data = - reinterpret_cast<uint8_t*>(atap_malloc(DATA_SIZE)); - ASSERT_NE(nullptr, write_chain.entries[i].data); - memcpy(write_chain.entries[i].data, write_cert[i].get(), DATA_SIZE); - } - write_key.reset(NewRandBuf(DATA_SIZE)); - ASSERT_NE(nullptr, write_key.get()); - error = ss_manager->WriteAtapKeyAndCertsToStorage(key_slot, write_key.get(), - DATA_SIZE, &write_chain); - ASSERT_EQ(KM_ERROR_OK, error); - - error = ss_manager->ReadCertChainLength(key_slot, &cert_chain_length); - ASSERT_EQ(KM_ERROR_OK, error); - ASSERT_EQ(3, cert_chain_length); - - memset(&read_chain, 0, sizeof(AtapCertChain)); - error = ss_manager->ReadAtapCertChainFromStorage(key_slot, &read_chain); - ASSERT_EQ(KM_ERROR_OK, error); - ASSERT_EQ(CHAIN_LENGTH, read_chain.entry_count); - for (size_t i = 0; i < CHAIN_LENGTH; ++i) { - ASSERT_EQ(DATA_SIZE, read_chain.entries[i].data_length); - ASSERT_EQ(0, memcmp(write_cert[i].get(), read_chain.entries[i].data, - DATA_SIZE)); - } - key_blob = ss_manager->ReadKeyFromStorage(key_slot, &error); - ASSERT_EQ(KM_ERROR_OK, error); - ASSERT_EQ(DATA_SIZE, key_blob.key_material_size); - ASSERT_NE(nullptr, write_key.get()); - ASSERT_EQ(0, memcmp(write_key.get(), key_blob.writable_data(), DATA_SIZE)); - - error = ss_manager->AttestationKeyExists(key_slot, &key_exists); - ASSERT_EQ(KM_ERROR_OK, error); - ASSERT_EQ(true, key_exists); - -test_abort: - free_cert_chain(read_chain); - free_cert_chain(write_chain); -} - void TestCertStorageInvalid(AttestationKeySlot key_slot) { keymaster_error_t error = KM_ERROR_OK; keymaster::UniquePtr<uint8_t[]> write_cert; @@ -504,12 +441,10 @@ TEST_F(KeymasterTest, TestKeyStorageEcdsa) { TEST_F(KeymasterTest, TestCertChainStorageRsa) { TestCertChainStorage(AttestationKeySlot::kRsa, false); - TestAtapCertChainStorage(AttestationKeySlot::kRsa, false); } TEST_F(KeymasterTest, TestCertChainStorageEcdsa) { TestCertChainStorage(AttestationKeySlot::kEcdsa, false); - TestAtapCertChainStorage(AttestationKeySlot::kEcdsa, false); } TEST_F(KeymasterTest, TestRewriteKey) { @@ -520,8 +455,7 @@ TEST_F(KeymasterTest, TestRewriteKey) { TEST_F(KeymasterTest, TestRewriteChain) { TestCertChainStorage(AttestationKeySlot::kRsa, false); - TestAtapCertChainStorage(AttestationKeySlot::kRsa, false); - TestCertChainStorage(AttestationKeySlot::kRsa, true); + TestCertChainStorage(AttestationKeySlot::kRsa, false); } TEST_F(KeymasterTest, TestCertStorageInvalid) { diff --git a/host_unittest/rules.mk b/host_unittest/rules.mk index 816f582..bd9817d 100644 --- a/host_unittest/rules.mk +++ b/host_unittest/rules.mk @@ -13,7 +13,6 @@ # limitations under the License. # -ATAP_DIR := $(TRUSTY_TOP)/system/iot/attestation/atap KEYMASTER_ROOT := system/keymaster KEYMASTER_DIR := trusty/user/app/keymaster NANOPB_DIR := external/nanopb-c @@ -24,8 +23,6 @@ HOST_SRCS += \ $(KEYMASTER_DIR)/second_imei_attestation.cpp \ $(KEYMASTER_DIR)/host_unittest/main.cpp \ $(KEYMASTER_ROOT)/android_keymaster/logger.cpp \ - $(ATAP_DIR)/libatap/atap_util.c \ - $(ATAP_DIR)/libatap/atap_sysdeps_posix.c \ $(KEYMASTER_DIR)/keymaster_attributes.pb.c \ $(NANOPB_DIR)/pb_common.c \ $(NANOPB_DIR)/pb_encode.c \ @@ -40,7 +37,6 @@ HOST_INCLUDE_DIRS := \ lib/lib/storage/include \ lib/interface/storage/include \ $(NANOPB_DIR) \ - $(ATAP_DIR) \ HOST_FLAGS := -Wpointer-arith \ -Wno-deprecated-declarations -fno-exceptions \ @@ -172,7 +172,6 @@ ifdef TRUSTY_KM_RKP_VERSION MODULE_COMPILEFLAGS += -DTRUSTY_KM_RKP_VERSION=$(TRUSTY_KM_RKP_VERSION) endif -include $(LOCAL_DIR)/atap/rules.mk include $(LOCAL_DIR)/ipc/rules.mk include make/trusted_app.mk diff --git a/secure_storage_manager.cpp b/secure_storage_manager.cpp index 745c138..fc91daf 100644 --- a/secure_storage_manager.cpp +++ b/secure_storage_manager.cpp @@ -294,36 +294,6 @@ keymaster_error_t SecureStorageManager::DeleteCertChainFromStorage( return err; } -keymaster_error_t SecureStorageManager::ReadAtapCertChainFromStorage( - AttestationKeySlot key_slot, - AtapCertChain* cert_chain) { - AttestationKey* attestation_key_p; - keymaster_error_t err = ReadAttestationKey(key_slot, &attestation_key_p); - if (err != KM_ERROR_OK) { - CloseSession(); - return err; - } - UniquePtr<AttestationKey> attestation_key(attestation_key_p); - uint32_t cert_chain_length = attestation_key->certs_count; - cert_chain->entry_count = cert_chain_length; - if (cert_chain_length == 0) { - return KM_ERROR_OK; - } - - for (size_t i = 0; i < cert_chain_length; i++) { - uint32_t content_size = attestation_key->certs[i].content.size; - cert_chain->entries[i].data_length = content_size; - uint8_t* buffer = new (std::nothrow) uint8_t[content_size]; - if (buffer == nullptr) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - memcpy(buffer, attestation_key->certs[i].content.bytes, content_size); - cert_chain->entries[i].data = buffer; - } - - return KM_ERROR_OK; -} - keymaster_error_t SecureStorageManager::ReadCertChainLength( AttestationKeySlot key_slot, uint32_t* cert_chain_length) { @@ -338,37 +308,6 @@ keymaster_error_t SecureStorageManager::ReadCertChainLength( return KM_ERROR_OK; } -keymaster_error_t SecureStorageManager::WriteAtapKeyAndCertsToStorage( - AttestationKeySlot key_slot, - const uint8_t* key, - const uint32_t key_size, - const AtapCertChain* cert_chain) { - if (key_size > kKeySizeMax || cert_chain->entry_count > kCertSizeMax) { - return KM_ERROR_INVALID_ARGUMENT; - } - UniquePtr<AttestationKey> attestation_key( - new (std::nothrow) AttestationKey(AttestationKey_init_zero)); - if (attestation_key.get() == nullptr) { - return KM_ERROR_MEMORY_ALLOCATION_FAILED; - } - attestation_key->has_key = true; - attestation_key->key.size = key_size; - memcpy(attestation_key->key.bytes, key, key_size); - for (size_t i = 0; i < cert_chain->entry_count; i++) { - attestation_key->certs[i].content.size = - cert_chain->entries[i].data_length; - memcpy(attestation_key->certs[i].content.bytes, - cert_chain->entries[i].data, cert_chain->entries[i].data_length); - } - attestation_key->certs_count = cert_chain->entry_count; - keymaster_error_t err = - WriteAttestationKey(key_slot, attestation_key.get(), true); - if (err != KM_ERROR_OK) { - CloseSession(); - } - return err; -} - keymaster_error_t SecureStorageManager::DeleteKey(AttestationKeySlot key_slot, bool commit) { char key_file[kStorageIdLengthMax]; diff --git a/secure_storage_manager.h b/secure_storage_manager.h index ade5b4d..b02040f 100644 --- a/secure_storage_manager.h +++ b/secure_storage_manager.h @@ -23,7 +23,6 @@ extern "C" { #include <hardware/keymaster_defs.h> -#include <libatap/atap_types.h> } #include "keymaster_attributes.pb.h" #include "trusty_keymaster_messages.h" @@ -122,14 +121,6 @@ public: */ keymaster_error_t DeleteCertChainFromStorage(AttestationKeySlot key_slot); - /** - * Reads cert chain associated with |key_slot| in ATAP format. Stores - * certificate chain in |cert_chain| and caller takes ownership of all - * allocated memory. - */ - keymaster_error_t ReadAtapCertChainFromStorage(AttestationKeySlot key_slot, - AtapCertChain* cert_chain); - /* * Writes the new length of the stored |key_slot| attestation certificate * chain. If less than the existing certificate chain length, the chain is @@ -146,17 +137,6 @@ public: keymaster_error_t ReadCertChainLength(AttestationKeySlot key_slot, uint32_t* cert_chain_length); - /* - * Write a key along with the cert chain to the key/cert file associated - * with |key_slot|. cert_cahin is in ATAP types and is intended to be used - * by trusty_atap_ops. - */ - keymaster_error_t WriteAtapKeyAndCertsToStorage( - AttestationKeySlot key_slot, - const uint8_t* key, - const uint32_t key_size, - const AtapCertChain* cert_chain); - /** * Writes the |attestation_uuid|. */ diff --git a/trusty_keymaster.cpp b/trusty_keymaster.cpp index fbbbe98..309fdb1 100644 --- a/trusty_keymaster.cpp +++ b/trusty_keymaster.cpp @@ -22,13 +22,6 @@ #include <memory> -#ifndef DISABLE_ATAP_SUPPORT -#include <libatap/libatap.h> -// This assumes EC cert chains do not exceed 1k and other cert chains do not -// exceed 5k. -const size_t kMaxCaResponseSize = 20000; -#endif - namespace keymaster { GetVersion2Response TrustyKeymaster::GetVersion2( @@ -297,29 +290,8 @@ void TrustyKeymaster::AtapGetCaRequest(const AtapGetCaRequestRequest& request, if (response == nullptr) return; -#ifdef DISABLE_ATAP_SUPPORT // Not implemented. response->error = KM_ERROR_UNKNOWN_ERROR; - return; -#else - uint8_t* ca_request; - uint32_t ca_request_size; - const Buffer& operation_start = request.data; - AtapResult result = atap_get_ca_request( - atap_ops_provider_.atap_ops(), operation_start.begin(), - operation_start.available_read(), &ca_request, &ca_request_size); - response->error = KM_ERROR_UNKNOWN_ERROR; - if (result != ATAP_RESULT_OK) { - return; - } - response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED; - if (!response->data.Reinitialize(ca_request, ca_request_size)) { - atap_free(ca_request); - return; - } - atap_free(ca_request); - response->error = KM_ERROR_OK; -#endif } void TrustyKeymaster::AtapSetCaResponseBegin( @@ -328,21 +300,8 @@ void TrustyKeymaster::AtapSetCaResponseBegin( if (response == nullptr) return; -#ifdef DISABLE_ATAP_SUPPORT // Not implemented. response->error = KM_ERROR_UNKNOWN_ERROR; - return; -#else - response->error = KM_ERROR_INVALID_ARGUMENT; - if (request.ca_response_size > kMaxCaResponseSize) { - return; - } - response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED; - if (!ca_response_.reserve(request.ca_response_size)) { - return; - } - response->error = KM_ERROR_OK; -#endif } void TrustyKeymaster::AtapSetCaResponseUpdate( @@ -351,17 +310,8 @@ void TrustyKeymaster::AtapSetCaResponseUpdate( if (response == nullptr) return; -#ifdef DISABLE_ATAP_SUPPORT // Not implemented. response->error = KM_ERROR_UNKNOWN_ERROR; - return; -#else - response->error = KM_ERROR_INSUFFICIENT_BUFFER_SPACE; - if (!ca_response_.write(request.data.begin(), request.data.buffer_size())) { - return; - } - response->error = KM_ERROR_OK; -#endif } void TrustyKeymaster::AtapSetCaResponseFinish( @@ -370,26 +320,8 @@ void TrustyKeymaster::AtapSetCaResponseFinish( if (response == nullptr) return; -#ifdef DISABLE_ATAP_SUPPORT // Not implemented. response->error = KM_ERROR_UNKNOWN_ERROR; - return; -#else - response->error = KM_ERROR_INVALID_INPUT_LENGTH; - if (ca_response_.available_read() != ca_response_.buffer_size()) { - LOG_E("Did not receive full CA Response message: %zu / %zu\n", - ca_response_.available_read(), ca_response_.buffer_size()); - return; - } - response->error = KM_ERROR_UNKNOWN_ERROR; - AtapResult result = atap_set_ca_response(atap_ops_provider_.atap_ops(), - ca_response_.begin(), - ca_response_.available_read()); - if (result == ATAP_RESULT_OK) { - response->error = KM_ERROR_OK; - } - ca_response_.Clear(); -#endif } void TrustyKeymaster::AtapReadUuid(const AtapReadUuidRequest& request, @@ -423,19 +355,7 @@ void TrustyKeymaster::AtapSetProductId(const AtapSetProductIdRequest& request, return; } -#ifdef DISABLE_ATAP_SUPPORT // Not implemented. response->error = KM_ERROR_UNKNOWN_ERROR; - return; -#else - response->error = KM_ERROR_UNKNOWN_ERROR; - const Buffer& product_id = request.data; - uint32_t product_id_size = product_id.available_read(); - if (product_id_size != kProductIdSize) { - response->error = KM_ERROR_INVALID_INPUT_LENGTH; - return; - } - response->error = ss_manager->SetProductId(product_id.begin()); -#endif } } // namespace keymaster diff --git a/trusty_keymaster.h b/trusty_keymaster.h index 483673d..df4dd34 100644 --- a/trusty_keymaster.h +++ b/trusty_keymaster.h @@ -21,10 +21,6 @@ #include "trusty_keymaster_context.h" #include "trusty_keymaster_messages.h" -#ifndef DISABLE_ATAP_SUPPORT -#include "atap/trusty_atap_ops.h" -#include "ops/atap_ops_provider.h" -#endif namespace keymaster { @@ -137,10 +133,6 @@ private: TrustyKeymasterContext* context_; keymaster_error_t configure_error_ = KM_ERROR_KEYMASTER_NOT_CONFIGURED; Buffer ca_response_; -#ifndef DISABLE_ATAP_SUPPORT - TrustyAtapOps atap_ops_; - atap::AtapOpsProvider atap_ops_provider_{&atap_ops_}; -#endif }; } // namespace keymaster |