1 /*
2 * Copyright 2018 The Android Open Source Project
3 * Copyright (C) 2017 GlobalLogic
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 */
17
18 #define LOG_TAG "optee_keymaster_hal"
19 #include <android-base/logging.h>
20
21 #include <keymaster/android_keymaster_messages.h>
22 #include <keymaster/keymaster_configuration.h>
23 #include <optee_keymaster/OpteeKeymaster.h>
24 #include <optee_keymaster/ipc/optee_keymaster_ipc.h>
25
26 namespace keymaster {
27
Initialize(KmVersion version)28 int OpteeKeymaster::Initialize(KmVersion version) {
29 int err;
30
31 LOG(INFO) << "Initializing OpteeKeymaster as KmVersion: " << (int)version;
32
33 err = optee_keymaster_connect();
34 if (err) {
35 LOG(ERROR) << "Failed to connect to optee keymaster (1st try)" << err;
36 return err;
37 }
38
39 // Try GetVersion2 first.
40 GetVersion2Request versionReq;
41 versionReq.max_message_version = MessageVersion(version);
42 GetVersion2Response versionRsp = GetVersion2(versionReq);
43 if (versionRsp.error != KM_ERROR_OK) {
44 LOG(WARNING) << "TA appears not to support GetVersion2, falling back (err = "
45 << versionRsp.error << ")";
46
47 err = optee_keymaster_connect();
48 if (err) {
49 LOG(FATAL) << "Failed to connect to optee keymaster (2nd try) " << err;
50 return err;
51 }
52
53 GetVersionRequest versionReq;
54 GetVersionResponse versionRsp;
55 GetVersion(versionReq, &versionRsp);
56 if (versionRsp.error != KM_ERROR_OK) {
57 LOG(FATAL) << "Failed to get TA version " << versionRsp.error;
58 return -1;
59 } else {
60 keymaster_error_t error;
61 message_version_ = NegotiateMessageVersion(versionRsp, &error);
62 if (error != KM_ERROR_OK) {
63 LOG(FATAL) << "Failed to negotiate message version " << error;
64 return -1;
65 }
66 }
67 } else {
68 message_version_ = NegotiateMessageVersion(versionReq, versionRsp);
69 }
70
71 ConfigureRequest req(message_version());
72 req.os_version = GetOsVersion();
73 req.os_patchlevel = GetOsPatchlevel();
74
75 ConfigureResponse rsp(message_version());
76 Configure(req, &rsp);
77
78 if (rsp.error != KM_ERROR_OK) {
79 LOG(FATAL) << "Failed to configure keymaster " << rsp.error;
80 return -1;
81 }
82
83 // Set the vendor patchlevel to value retrieved from system property (which
84 // requires SELinux permission).
85 ConfigureVendorPatchlevelRequest vendor_req(message_version());
86 vendor_req.vendor_patchlevel = GetVendorPatchlevel();
87 ConfigureVendorPatchlevelResponse vendor_rsp = ConfigureVendorPatchlevel(vendor_req);
88 if (vendor_rsp.error != KM_ERROR_OK) {
89 LOG(ERROR) << "Failed to configure keymaster vendor patchlevel: " << vendor_rsp.error;
90 // Don't fail if this message isn't understood.
91 }
92
93 return 0;
94 }
95
OpteeKeymaster()96 OpteeKeymaster::OpteeKeymaster() {}
97
~OpteeKeymaster()98 OpteeKeymaster::~OpteeKeymaster() {
99 optee_keymaster_disconnect();
100 }
101
ForwardCommand(enum keymaster_command command,const KeymasterMessage & req,KeymasterResponse * rsp)102 static void ForwardCommand(enum keymaster_command command, const KeymasterMessage& req,
103 KeymasterResponse* rsp) {
104 keymaster_error_t err;
105 err = optee_keymaster_send(command, req, rsp);
106 if (err != KM_ERROR_OK) {
107 LOG(ERROR) << "Cmd " << command << " returned error: " << err;
108 rsp->error = err;
109 }
110 }
111
GetVersion(const GetVersionRequest & request,GetVersionResponse * response)112 void OpteeKeymaster::GetVersion(const GetVersionRequest& request, GetVersionResponse* response) {
113 ForwardCommand(KM_GET_VERSION, request, response);
114 }
115
SupportedAlgorithms(const SupportedAlgorithmsRequest & request,SupportedAlgorithmsResponse * response)116 void OpteeKeymaster::SupportedAlgorithms(const SupportedAlgorithmsRequest& request,
117 SupportedAlgorithmsResponse* response) {
118 ForwardCommand(KM_GET_SUPPORTED_ALGORITHMS, request, response);
119 }
120
SupportedBlockModes(const SupportedBlockModesRequest & request,SupportedBlockModesResponse * response)121 void OpteeKeymaster::SupportedBlockModes(const SupportedBlockModesRequest& request,
122 SupportedBlockModesResponse* response) {
123 ForwardCommand(KM_GET_SUPPORTED_BLOCK_MODES, request, response);
124 }
125
SupportedPaddingModes(const SupportedPaddingModesRequest & request,SupportedPaddingModesResponse * response)126 void OpteeKeymaster::SupportedPaddingModes(const SupportedPaddingModesRequest& request,
127 SupportedPaddingModesResponse* response) {
128 ForwardCommand(KM_GET_SUPPORTED_PADDING_MODES, request, response);
129 }
130
SupportedDigests(const SupportedDigestsRequest & request,SupportedDigestsResponse * response)131 void OpteeKeymaster::SupportedDigests(const SupportedDigestsRequest& request,
132 SupportedDigestsResponse* response) {
133 ForwardCommand(KM_GET_SUPPORTED_DIGESTS, request, response);
134 }
135
SupportedImportFormats(const SupportedImportFormatsRequest & request,SupportedImportFormatsResponse * response)136 void OpteeKeymaster::SupportedImportFormats(const SupportedImportFormatsRequest& request,
137 SupportedImportFormatsResponse* response) {
138 ForwardCommand(KM_GET_SUPPORTED_IMPORT_FORMATS, request, response);
139 }
140
SupportedExportFormats(const SupportedExportFormatsRequest & request,SupportedExportFormatsResponse * response)141 void OpteeKeymaster::SupportedExportFormats(const SupportedExportFormatsRequest& request,
142 SupportedExportFormatsResponse* response) {
143 ForwardCommand(KM_GET_SUPPORTED_EXPORT_FORMATS, request, response);
144 }
145
AddRngEntropy(const AddEntropyRequest & request,AddEntropyResponse * response)146 void OpteeKeymaster::AddRngEntropy(const AddEntropyRequest& request,
147 AddEntropyResponse* response) {
148 ForwardCommand(KM_ADD_RNG_ENTROPY, request, response);
149 }
150
Configure(const ConfigureRequest & request,ConfigureResponse * response)151 void OpteeKeymaster::Configure(const ConfigureRequest& request, ConfigureResponse* response) {
152 ForwardCommand(KM_CONFIGURE, request, response);
153 }
154
GenerateKey(const GenerateKeyRequest & request,GenerateKeyResponse * response)155 void OpteeKeymaster::GenerateKey(const GenerateKeyRequest& request,
156 GenerateKeyResponse* response) {
157 if (message_version_ < 4) {
158 // Pre-KeyMint we need to add TAG_CREATION_DATETIME if not provided by the caller.
159 GenerateKeyRequest datedRequest(request.message_version);
160 datedRequest.key_description = request.key_description;
161
162 if (!request.key_description.Contains(TAG_CREATION_DATETIME)) {
163 datedRequest.key_description.push_back(TAG_CREATION_DATETIME, java_time(time(NULL)));
164 }
165
166 ForwardCommand(KM_GENERATE_KEY, datedRequest, response);
167 } else {
168 ForwardCommand(KM_GENERATE_KEY, request, response);
169 }
170 }
171
GenerateRkpKey(const GenerateRkpKeyRequest & request,GenerateRkpKeyResponse * response)172 void OpteeKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request,
173 GenerateRkpKeyResponse* response) {
174 ForwardCommand(KM_GENERATE_RKP_KEY, request, response);
175 }
176
GenerateCsr(const GenerateCsrRequest & request,GenerateCsrResponse * response)177 void OpteeKeymaster::GenerateCsr(const GenerateCsrRequest& request,
178 GenerateCsrResponse* response) {
179 ForwardCommand(KM_GENERATE_CSR, request, response);
180 }
181
GenerateCsrV2(const GenerateCsrV2Request & request,GenerateCsrV2Response * response)182 void OpteeKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
183 GenerateCsrV2Response* response) {
184 ForwardCommand(KM_GENERATE_CSR_V2, request, response);
185 }
186
GetKeyCharacteristics(const GetKeyCharacteristicsRequest & request,GetKeyCharacteristicsResponse * response)187 void OpteeKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
188 GetKeyCharacteristicsResponse* response) {
189 ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response);
190 }
191
ImportKey(const ImportKeyRequest & request,ImportKeyResponse * response)192 void OpteeKeymaster::ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response) {
193 ForwardCommand(KM_IMPORT_KEY, request, response);
194 }
195
ImportWrappedKey(const ImportWrappedKeyRequest & request,ImportWrappedKeyResponse * response)196 void OpteeKeymaster::ImportWrappedKey(const ImportWrappedKeyRequest& request,
197 ImportWrappedKeyResponse* response) {
198 ForwardCommand(KM_IMPORT_WRAPPED_KEY, request, response);
199 }
200
ExportKey(const ExportKeyRequest & request,ExportKeyResponse * response)201 void OpteeKeymaster::ExportKey(const ExportKeyRequest& request, ExportKeyResponse* response) {
202 ForwardCommand(KM_EXPORT_KEY, request, response);
203 }
204
AttestKey(const AttestKeyRequest & request,AttestKeyResponse * response)205 void OpteeKeymaster::AttestKey(const AttestKeyRequest& request, AttestKeyResponse* response) {
206 ForwardCommand(KM_ATTEST_KEY, request, response);
207 }
208
UpgradeKey(const UpgradeKeyRequest & request,UpgradeKeyResponse * response)209 void OpteeKeymaster::UpgradeKey(const UpgradeKeyRequest& request, UpgradeKeyResponse* response) {
210 ForwardCommand(KM_UPGRADE_KEY, request, response);
211 }
212
DeleteKey(const DeleteKeyRequest & request,DeleteKeyResponse * response)213 void OpteeKeymaster::DeleteKey(const DeleteKeyRequest& request, DeleteKeyResponse* response) {
214 ForwardCommand(KM_DELETE_KEY, request, response);
215 }
216
DeleteAllKeys(const DeleteAllKeysRequest & request,DeleteAllKeysResponse * response)217 void OpteeKeymaster::DeleteAllKeys(const DeleteAllKeysRequest& request,
218 DeleteAllKeysResponse* response) {
219 ForwardCommand(KM_DELETE_ALL_KEYS, request, response);
220 }
221
BeginOperation(const BeginOperationRequest & request,BeginOperationResponse * response)222 void OpteeKeymaster::BeginOperation(const BeginOperationRequest& request,
223 BeginOperationResponse* response) {
224 ForwardCommand(KM_BEGIN_OPERATION, request, response);
225 }
226
UpdateOperation(const UpdateOperationRequest & request,UpdateOperationResponse * response)227 void OpteeKeymaster::UpdateOperation(const UpdateOperationRequest& request,
228 UpdateOperationResponse* response) {
229 ForwardCommand(KM_UPDATE_OPERATION, request, response);
230 }
231
FinishOperation(const FinishOperationRequest & request,FinishOperationResponse * response)232 void OpteeKeymaster::FinishOperation(const FinishOperationRequest& request,
233 FinishOperationResponse* response) {
234 ForwardCommand(KM_FINISH_OPERATION, request, response);
235 }
236
AbortOperation(const AbortOperationRequest & request,AbortOperationResponse * response)237 void OpteeKeymaster::AbortOperation(const AbortOperationRequest& request,
238 AbortOperationResponse* response) {
239 ForwardCommand(KM_ABORT_OPERATION, request, response);
240 }
241
GetHmacSharingParameters()242 GetHmacSharingParametersResponse OpteeKeymaster::GetHmacSharingParameters() {
243 GetHmacSharingParametersRequest request(message_version());
244 GetHmacSharingParametersResponse response(message_version());
245 ForwardCommand(KM_GET_HMAC_SHARING_PARAMETERS, request, &response);
246 return response;
247 }
248
ComputeSharedHmac(const ComputeSharedHmacRequest & request)249 ComputeSharedHmacResponse OpteeKeymaster::ComputeSharedHmac(
250 const ComputeSharedHmacRequest& request) {
251 ComputeSharedHmacResponse response(message_version());
252 ForwardCommand(KM_COMPUTE_SHARED_HMAC, request, &response);
253 return response;
254 }
255
VerifyAuthorization(const VerifyAuthorizationRequest & request)256 VerifyAuthorizationResponse OpteeKeymaster::VerifyAuthorization(
257 const VerifyAuthorizationRequest& request) {
258 VerifyAuthorizationResponse response(message_version());
259 ForwardCommand(KM_VERIFY_AUTHORIZATION, request, &response);
260 return response;
261 }
262
GetVersion2(const GetVersion2Request & request)263 GetVersion2Response OpteeKeymaster::GetVersion2(const GetVersion2Request& request) {
264 GetVersion2Response response(message_version());
265 ForwardCommand(KM_GET_VERSION_2, request, &response);
266 return response;
267 }
268
EarlyBootEnded()269 EarlyBootEndedResponse OpteeKeymaster::EarlyBootEnded() {
270 EarlyBootEndedResponse response(message_version());
271 ForwardCommand(KM_EARLY_BOOT_ENDED, EarlyBootEndedRequest(message_version()), &response);
272 return response;
273 }
274
DeviceLocked(const DeviceLockedRequest & request)275 DeviceLockedResponse OpteeKeymaster::DeviceLocked(const DeviceLockedRequest& request) {
276 DeviceLockedResponse response(message_version());
277 ForwardCommand(KM_DEVICE_LOCKED, request, &response);
278 return response;
279 }
280
ConfigureVendorPatchlevel(const ConfigureVendorPatchlevelRequest & request)281 ConfigureVendorPatchlevelResponse OpteeKeymaster::ConfigureVendorPatchlevel(
282 const ConfigureVendorPatchlevelRequest& request) {
283 ConfigureVendorPatchlevelResponse response(message_version());
284 ForwardCommand(KM_CONFIGURE_VENDOR_PATCHLEVEL, request, &response);
285 return response;
286 }
287
GetRootOfTrust(const GetRootOfTrustRequest & request)288 GetRootOfTrustResponse OpteeKeymaster::GetRootOfTrust(const GetRootOfTrustRequest& request) {
289 GetRootOfTrustResponse response(message_version());
290 ForwardCommand(KM_GET_ROOT_OF_TRUST, request, &response);
291 return response;
292 }
293
GetHwInfo()294 GetHwInfoResponse OpteeKeymaster::GetHwInfo() {
295 GetHwInfoResponse response(message_version());
296 ForwardCommand(KM_GET_HW_INFO, GetHwInfoRequest(message_version()), &response);
297 return response;
298 }
299
300 } // namespace keymaster
301