/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
// TODO: Maybe "Keymaster" should be replaced with "Keystore2" everywhere?
Paul Crowley0323afd2016-03-15 17:04:39 -070017#ifndef ANDROID_VOLD_KEYMASTER_H
18#define ANDROID_VOLD_KEYMASTER_H
Paul Crowley1ef25582016-01-21 20:26:12 +000019
#include "KeyBuffer.h"

#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <iterator>
#include <memory>
#include <optional>
#include <string>
#include <utility>
#include <vector>

#include <android-base/macros.h>
#include <keymint_support/authorization_set.h>
#include <keymint_support/keymint_tags.h>

#include <aidl/android/hardware/security/keymint/ErrorCode.h>
#include <aidl/android/system/keystore2/IKeystoreService.h>
#include <android/binder_manager.h>
Paul Crowley1ef25582016-01-21 20:26:12 +000033
34namespace android {
35namespace vold {
Shawn Willden35351812018-01-22 09:08:32 -070036
// Short aliases for the Keystore2 and KeyMint AIDL namespaces used below.
namespace ks2 = ::aidl::android::system::keystore2;
namespace km = ::aidl::android::hardware::security::keymint;
Shawn Willdenae8f06f2020-01-16 13:21:42 -070039
// C++ wrappers around the Keystore2 AIDL interface.
// This is tailored to the needs of KeyStorage, but could be extended into
// a more general interface.

// Wrapper for a Keystore2 operation handle that represents an ongoing
// Keystore2 operation. The destructor aborts the operation if it is still
// unfinished. Methods log failures to LOG(ERROR).
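class KeymasterOperation {
  public:
    // Aborts the underlying Keystore2 operation if it is still unfinished
    // (see the class comment); failures are logged, not thrown.
    ~KeymasterOperation();

    // Is this instance valid? False if creation failed, and it becomes false
    // once finish() is called or an update fails.
    explicit operator bool() const { return ks2Operation != nullptr; }

    // KeyMint error code for this object: OK when a live operation was
    // wrapped, UNKNOWN_ERROR for a default-constructed or moved-from object,
    // otherwise the code supplied by the creating Keymaster call.
    km::ErrorCode getErrorCode() const { return errorCode; }

    // The upgraded key blob Keystore2 returned when the operation began, or
    // std::nullopt if the key was not upgraded.
    std::optional<std::string> getUpgradedBlob() const { return upgradedBlob; }

    // Call "update" repeatedly until all of `input` is consumed, appending the
    // produced bytes to `*output` (which is cleared first) unless `output` is
    // null. `TI` must expose data()/size(); `TO` must support clear() and
    // std::back_inserter. Returns true on success.
    template <class TI, class TO>
    bool updateCompletely(TI& input, TO* output) {
        if (output) output->clear();
        auto appendChunk = [output](const char* chunk, size_t len) {
            if (output) std::copy(chunk, chunk + len, std::back_inserter(*output));
        };
        return updateCompletely(input.data(), input.size(), appendChunk);
    }

    // Finish the operation and write its final output to `*output`, unless
    // `output` is null. Returns true on success.
    bool finish(std::string* output);

    // Move constructor: takes over the handle and leaves `rhs` in the same
    // state as a default-constructed (error) object.
    KeymasterOperation(KeymasterOperation&& rhs) noexcept
        : ks2Operation{std::exchange(rhs.ks2Operation, nullptr)},
          upgradedBlob{std::exchange(rhs.upgradedBlob, std::nullopt)},
          errorCode{std::exchange(rhs.errorCode, km::ErrorCode::UNKNOWN_ERROR)} {}

    // Construct an object in an error state, for error returns.
    KeymasterOperation() : errorCode{km::ErrorCode::UNKNOWN_ERROR} {}

    // Move assignment. Self-assignment is a no-op (previously it wiped
    // `*this`, dropping the live handle and leaving UNKNOWN_ERROR behind).
    // NOTE(review): an unfinished operation already held by `*this` is simply
    // released here, without the abort the destructor performs — confirm that
    // callers only move-assign into empty or finished objects.
    KeymasterOperation& operator=(KeymasterOperation&& rhs) noexcept {
        if (this != &rhs) {
            ks2Operation = std::exchange(rhs.ks2Operation, nullptr);
            upgradedBlob = std::exchange(rhs.upgradedBlob, std::nullopt);
            errorCode = std::exchange(rhs.errorCode, km::ErrorCode::UNKNOWN_ERROR);
        }
        return *this;
    }

  private:
    // Wrap a live Keystore2 operation handle. `blob`, when present, is the
    // key blob Keystore2 handed back after upgrading the key; it is stored
    // byte-for-byte as a std::string so getUpgradedBlob() can return it.
    KeymasterOperation(std::shared_ptr<ks2::IKeystoreOperation> ks2Op,
                       std::optional<std::vector<uint8_t>> blob)
        : ks2Operation{std::move(ks2Op)}, errorCode{km::ErrorCode::OK} {
        if (blob) upgradedBlob.emplace(blob->begin(), blob->end());
    }

    // Construct an object that carries only an error code and no live operation.
    KeymasterOperation(km::ErrorCode errCode) : errorCode{errCode} {}

    // Out-of-line worker behind the public updateCompletely(): feeds
    // `inputLen` bytes from `input` to the operation and hands each chunk of
    // output to `consumer`. Presumably returns true on success — see Keymaster.cpp.
    bool updateCompletely(const char* input, size_t inputLen,
                          const std::function<void(const char*, size_t)> consumer);

    // Handle to the in-progress Keystore2 operation; null once finished,
    // failed, moved from, or never started (this is what operator bool reports).
    std::shared_ptr<ks2::IKeystoreOperation> ks2Operation;
    // Upgraded key blob returned by Keystore2 when the operation began, if any.
    std::optional<std::string> upgradedBlob;
    // OK for a wrapped operation, UNKNOWN_ERROR for error-state objects;
    // presumably updated by the out-of-line methods when a call fails.
    km::ErrorCode errorCode;
    DISALLOW_COPY_AND_ASSIGN(KeymasterOperation);
    friend class Keymaster;
};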
107
// Wrapper for the Keystore2 methods that vold uses.
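class Keymaster {
  public:
    // Obtains a Keystore2 security level handle; operator bool() reports
    // whether that succeeded.
    Keymaster();

    // False if we failed to obtain a Keystore2 security level.
    explicit operator bool() const { return securityLevel != nullptr; }

    // Generate a key in Keystore2 from `inParams`, storing the resulting key
    // blob in `*key`. Returns true on success.
    bool generateKey(const km::AuthorizationSet& inParams, std::string* key);

    // Export a Keystore2 key that carries the STORAGE_KEY tag, wrapped with a
    // per-boot ephemeral key, into `*key`. Returns true on success.
    bool exportKey(const KeyBuffer& kmKey, std::string* key);

    // If the device supports it, permanently delete `key` from the KeyMint
    // device it belongs to. Returns true on success.
    bool deleteKey(const std::string& key);

    // Begin a new cryptographic operation on `key` with `inParams`, collecting
    // output parameters in `*outParams` if it is non-null. If Keystore2
    // upgraded the key blob as part of this call, the returned
    // KeymasterOperation also carries the upgraded blob (see
    // KeymasterOperation::getUpgradedBlob()). On failure the returned object
    // presumably tests false and carries the error code.
    KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
                             km::AuthorizationSet* outParams);

    // Tell all KeyMint devices that early boot has ended, so early-boot-only
    // keys can no longer be created or used.
    static void earlyBootEnded();

  private:
    // Keystore2 security level obtained by the constructor; null if that failed.
    std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
    DISALLOW_COPY_AND_ASSIGN(Keymaster);
};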
134
Paul Crowley1ef25582016-01-21 20:26:12 +0000135} // namespace vold
136} // namespace android
137
Paul Crowley1ef25582016-01-21 20:26:12 +0000138#endif