author | Eran Messeri <eranm@google.com> | 2022-11-10 14:30:13 +0000 |
---|---|---|
committer | Eran Messeri <eranm@google.com> | 2022-12-01 21:03:07 +0000 |
commit | 19bb3e77faae84705a5bf743c271e51838501d62 (patch) | |
tree | 99b325315649ea862235af7a3de8c37144eba436 | |
parent | 4d0237444754a8e6e173f752729cac9f09707c52 (diff) | |
download | keymaster-19bb3e77faae84705a5bf743c271e51838501d62.tar.gz |
Implement 2nd IMEI attestation support
Support for attesting to a second IMEI sent by the platform:
* Copy the tag to the authorization list.
TODO: Will need to check that the 2nd IMEI is one after the 1st IMEI.
To generate the C source/header files from the proto, the following
command was used (run from the trusty checkout root):
protoc --plugin=protoc-gen-nanopb=$PWD/build-root/build-cloudripper-test-debug/proto/nanopb-c/generator/protoc-gen-nanopb -I$PWD/trusty/user/app/keymaster -I$PWD/build-root/build-cloudripper-test-debug/proto/nanopb-c/generator/proto $PWD/trusty/user/app/keymaster/keymaster_attributes.proto --nanopb_out=$PWD/trusty/user/app/keymaster
Bug: 244732345
Test: atest android.keystore.cts.DeviceOwnerKeyManagementTest
Change-Id: I6d8f0df6c46dfbfff0adbd48d3f486120e7389bf
-rw-r--r-- | keymaster_attributes.pb.c | 159 | ||||
-rw-r--r-- | keymaster_attributes.pb.h | 16 | ||||
-rw-r--r-- | keymaster_attributes.proto | 1 | ||||
-rw-r--r-- | trusty_keymaster_context.cpp | 6 |
4 files changed, 102 insertions, 80 deletions
diff --git a/keymaster_attributes.pb.c b/keymaster_attributes.pb.c index 83507d1..aeae7ef 100644 --- a/keymaster_attributes.pb.c +++ b/keymaster_attributes.pb.c @@ -1,5 +1,5 @@ /* Automatically generated nanopb constant definitions */ -/* Generated by nanopb-0.3.9.1 at Sun Jun 13 11:33:41 2021. */ +/* Generated by nanopb-0.3.9.8 at Thu Nov 10 13:28:07 2022. */ #include "keymaster_attributes.pb.h" 
@@ -16,79 +16,88 @@ const pb_field_t KeymasterAttributes_fields[3] = { PB_LAST_FIELD }; -const pb_field_t AttestationIds_fields[9] = {PB_FIELD(1, - BYTES, - OPTIONAL, - STATIC, - FIRST, - AttestationIds, - brand, - brand, - 0), - PB_FIELD(2, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - device, - brand, - 0), - PB_FIELD(3, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - product, - device, - 0), - PB_FIELD(4, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - serial, - product, - 0), - PB_FIELD(5, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - imei, - serial, - 0), - PB_FIELD(6, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - meid, - imei, - 0), - PB_FIELD(7, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - manufacturer, - meid, - 0), - PB_FIELD(8, - BYTES, - OPTIONAL, - STATIC, - OTHER, - AttestationIds, - model, - manufacturer, - 0), - PB_LAST_FIELD}; +const pb_field_t AttestationIds_fields[10] = {PB_FIELD(1, + BYTES, + OPTIONAL, + STATIC, + FIRST, + AttestationIds, + brand, + brand, + 0), + PB_FIELD(2, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + device, + brand, + 0), + PB_FIELD(3, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + product, + device, + 0), + PB_FIELD(4, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + serial, + product, + 0), + PB_FIELD(5, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + imei, + serial, + 0), + PB_FIELD(6, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + meid, + imei, + 0), + PB_FIELD(7, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + manufacturer, + meid, + 0), + PB_FIELD(8, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + model, + manufacturer, + 0), + PB_FIELD(9, + BYTES, + OPTIONAL, + STATIC, + OTHER, + AttestationIds, + second_imei, + model, + 0), + PB_LAST_FIELD}; const pb_field_t AttestationKey_fields[3] = { PB_FIELD( 1, BYTES , OPTIONAL, STATIC , FIRST, AttestationKey, 
key, key, 0), @@ -106,7 +115,7 @@ const pb_field_t AttestationCert_fields[2] = { #if !defined(PB_FIELD_32BIT) /* If you get an error here, it means that you need to define PB_FIELD_32BIT * compile-time option. You can do that in pb.h or on compiler command line. - * + * * The reason you need to do this is that some of your messages contain tag * numbers or field sizes that are larger than what can fit in 8 or 16 bit * field descriptors. diff --git a/keymaster_attributes.pb.h b/keymaster_attributes.pb.h index 2be1672..6599ad0 100644 --- a/keymaster_attributes.pb.h +++ b/keymaster_attributes.pb.h @@ -1,5 +1,5 @@ /* Automatically generated nanopb header */ -/* Generated by nanopb-0.3.9.1 at Sun Jun 13 11:33:41 2021. */ +/* Generated by nanopb-0.3.9.8 at Thu Nov 10 13:28:07 2022. */ #ifndef PB_KEYMASTER_ATTRIBUTES_PB_H_INCLUDED #define PB_KEYMASTER_ATTRIBUTES_PB_H_INCLUDED @@ -29,6 +29,7 @@ typedef PB_BYTES_ARRAY_T(64) AttestationIds_imei_t; typedef PB_BYTES_ARRAY_T(64) AttestationIds_meid_t; typedef PB_BYTES_ARRAY_T(64) AttestationIds_manufacturer_t; typedef PB_BYTES_ARRAY_T(64) AttestationIds_model_t; +typedef PB_BYTES_ARRAY_T(64) AttestationIds_second_imei_t; typedef struct _AttestationIds { bool has_brand; AttestationIds_brand_t brand; @@ -46,6 +47,8 @@ typedef struct _AttestationIds { AttestationIds_manufacturer_t manufacturer; bool has_model; AttestationIds_model_t model; + bool has_second_imei; + AttestationIds_second_imei_t second_imei; /* @@protoc_insertion_point(struct:AttestationIds) */ } AttestationIds; @@ -75,7 +78,8 @@ typedef struct _AttestationKey { #define AttestationIds_init_default \ { \ false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, \ - false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, { \ + false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, \ + {0, {0}}, false, { \ 0, { 0 } \ } \ } 
@@ -85,7 +89,8 @@ typedef struct _AttestationKey { #define AttestationIds_init_zero \ { \ false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, \ - false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, { \ + false, {0, {0}}, false, {0, {0}}, false, {0, {0}}, false, \ + {0, {0}}, false, { \ 0, { 0 } \ } \ } @@ -102,6 +107,7 @@ typedef struct _AttestationKey { #define AttestationIds_meid_tag 6 #define AttestationIds_manufacturer_tag 7 #define AttestationIds_model_tag 8 +#define AttestationIds_second_imei_tag 9 #define KeymasterAttributes_uuid_tag 1 #define KeymasterAttributes_product_id_tag 2 #define AttestationKey_key_tag 1 @@ -109,13 +115,13 @@ typedef struct _AttestationKey { /* Struct field encoding specification for nanopb */ extern const pb_field_t KeymasterAttributes_fields[3]; -extern const pb_field_t AttestationIds_fields[9]; +extern const pb_field_t AttestationIds_fields[10]; extern const pb_field_t AttestationKey_fields[3]; extern const pb_field_t AttestationCert_fields[2]; /* Maximum encoded size of messages (where known) */ #define KeymasterAttributes_size 52 -#define AttestationIds_size 528 +#define AttestationIds_size 594 #define AttestationKey_size 8213 #define AttestationCert_size 2051 diff --git a/keymaster_attributes.proto b/keymaster_attributes.proto index b0b807f..03e8e58 100644 --- a/keymaster_attributes.proto +++ b/keymaster_attributes.proto @@ -53,6 +53,7 @@ message AttestationIds { optional bytes meid = 6 [(nanopb).max_size=64]; optional bytes manufacturer = 7 [(nanopb).max_size=64]; optional bytes model = 8 [(nanopb).max_size=64]; + optional bytes second_imei = 9 [(nanopb).max_size=64]; }; message AttestationKey { diff --git a/trusty_keymaster_context.cpp b/trusty_keymaster_context.cpp index b6b0810..039e717 100644 --- a/trusty_keymaster_context.cpp +++ b/trusty_keymaster_context.cpp 
@@ -198,6 +198,7 @@ keymaster_error_t TrustyKeymasterContext::SetAuthorizations( case KM_TAG_ATTESTATION_ID_BRAND: case KM_TAG_ATTESTATION_ID_DEVICE: case KM_TAG_ATTESTATION_ID_IMEI: + case KM_TAG_ATTESTATION_ID_SECOND_IMEI: case KM_TAG_ATTESTATION_ID_MANUFACTURER: case KM_TAG_ATTESTATION_ID_MEID: case KM_TAG_ATTESTATION_ID_MODEL: @@ -994,6 +995,11 @@ keymaster_error_t TrustyKeymasterContext::VerifyAndCopyDeviceIds( values_to_attest->push_back(entry); break; + case KM_TAG_ATTESTATION_ID_SECOND_IMEI: + // TODO: Check that the second IMEI matches. + values_to_attest->push_back(entry); + break; + case KM_TAG_ATTESTATION_ID_MEID: found_mismatch |= PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.meid); |
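Review bot: The new `KM_TAG_ATTESTATION_ID_SECOND_IMEI` case in `VerifyAndCopyDeviceIds` pushes the entry into `values_to_attest` with no comparison, so the attestation would vouch for whatever second IMEI the platform sends, unlike the MEID case right below it, which feeds `found_mismatch`. This commit also adds `second_imei` to `AttestationIds`, so the same pattern looks available: `found_mismatch |= PROTO_BYTES_DOES_NOT_MATCH_BLOB(entry.blob, ids.second_imei);` placed before the `push_back`. How that macro treats a field that was never provisioned is not visible in this hunk, so devices provisioned without a second IMEI need a decision (reject, or derive it from the first IMEI as the commit message suggests). If the check has to wait, the TODO should say so explicitly, e.g. `// TODO(b/244732345): value is attested unverified until compared with provisioned IDs.` The function body starts and ends outside the hunk.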