diff --git a/trusty/keymaster/TrustyKeymaster.cpp b/trusty/keymaster/TrustyKeymaster.cpp
index e4791e6ea..ac986951d 100644
--- a/trusty/keymaster/TrustyKeymaster.cpp
+++ b/trusty/keymaster/TrustyKeymaster.cpp
@@ -178,6 +178,11 @@ void TrustyKeymaster::GenerateCsr(const GenerateCsrRequest& request,
 ForwardCommand(KM_GENERATE_CSR, request, response);
 }

+void TrustyKeymaster::GenerateCsrV2(const GenerateCsrV2Request& request,
+ GenerateCsrV2Response* response) {
+ ForwardCommand(KM_GENERATE_CSR_V2, request, response);
+}
+
 void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response) {
 ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
index ec5281103..60d3f87ae 100644
--- a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
@@ -44,6 +44,7 @@ class TrustyKeymaster {
 void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response);
 void GenerateRkpKey(const GenerateRkpKeyRequest& request, GenerateRkpKeyResponse* response);
 void GenerateCsr(const GenerateCsrRequest& request, GenerateCsrResponse* response);
+ void GenerateCsrV2(const GenerateCsrV2Request& request, GenerateCsrV2Response* response);
 void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response);
 void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
index d544b51d5..dbb7fffdb 100644
--- a/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
@@ -46,6 +46,10 @@ class TrustyRemotelyProvisionedComponentDevice : public BnRemotelyProvisionedCom
 DeviceInfo* deviceInfo, ProtectedData* protectedData,
 std::vector* keysToSignMac) override;

+ ScopedAStatus generateCertificateRequestV2(const std::vector& keysToSign,
+ const std::vector& challenge,
+ std::vector* csr) override;
+
 private:
 std::shared_ptr<::keymaster::TrustyKeymaster> impl_;
 };
diff --git a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
index 9b55e9dd7..f767d40d6 100644
--- a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
+++ b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
@@ -61,6 +61,7 @@ enum keymaster_command : uint32_t {
 KM_CONFIGURE_VENDOR_PATCHLEVEL = (33 << KEYMASTER_REQ_SHIFT),
 KM_GET_ROOT_OF_TRUST = (34 << KEYMASTER_REQ_SHIFT),
 KM_GET_HW_INFO = (35 << KEYMASTER_REQ_SHIFT),
+ KM_GENERATE_CSR_V2 = (36 << KEYMASTER_REQ_SHIFT),

 // Bootloader/provisioning calls.
 KM_SET_BOOT_PARAMS = (0x1000 << KEYMASTER_REQ_SHIFT),
diff --git a/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
index 7f03f8677..c6800cdc2 100644
--- a/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
+++ b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
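Review bot: Nothing visible in this commit ties the new `KM_GENERATE_CSR_V2` command (36) in keymaster_ipc.h to what the connected Trusty keymaster app actually implements, while the manifest change in the same commit raises the advertised IRemotelyProvisionedComponent version from 2 to 3 unconditionally. If this HAL ships with an older Trusty image, `generateCertificateRequestV2` would presumably fail at request time instead of the service declaring the lower version, and remote key provisioning on that device would break. A comment on the enum entry such as `// Requires a Trusty keymaster app that implements CSR v2; keep in sync with the TA command table.` would record the dependency. Whether a runtime capability check belongs here depends on code outside this hunk.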
@@ -28,11 +28,14 @@ namespace aidl::android::hardware::security::keymint::trusty {

 using keymaster::GenerateCsrRequest;
 using keymaster::GenerateCsrResponse;
+using keymaster::GenerateCsrV2Request;
+using keymaster::GenerateCsrV2Response;
 using keymaster::GenerateRkpKeyRequest;
 using keymaster::GenerateRkpKeyResponse;
 using keymaster::GetHwInfoRequest;
 using keymaster::GetHwInfoResponse;
 using keymaster::KeymasterBlob;
+using km_utils::kmError2ScopedAStatus;
 using ::std::string;
 using ::std::unique_ptr;
 using ::std::vector;
@@ -125,4 +128,25 @@ ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateReque
 return ScopedAStatus::ok();
 }

+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequestV2(
+ const std::vector& keysToSign, const std::vector& challenge,
+ std::vector* csr) {
+ GenerateCsrV2Request request(impl_->message_version());
+ if (!request.InitKeysToSign(keysToSign.size())) {
+ return kmError2ScopedAStatus(static_cast(STATUS_FAILED));
+ }
+ for (size_t i = 0; i < keysToSign.size(); i++) {
+ request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
+ }
+ request.SetChallenge(challenge.data(), challenge.size());
+ GenerateCsrV2Response response(impl_->message_version());
+ impl_->GenerateCsrV2(request, &response);
+
+ if (response.error != KM_ERROR_OK) {
+ return Status(-static_cast(response.error), "Failure in CSR v2 generation.");
+ }
+ *csr = km_utils::kmBlob2vector(response.csr);
+ return ScopedAStatus::ok();
+}
+
 } // namespace aidl::android::hardware::security::keymint::trusty
diff --git a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
index 0b995a282..77dc854b3 100644
--- a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
+++ b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
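Review bot: The two failure paths of generateCertificateRequestV2 report errors through different helpers: the InitKeysToSign branch casts `STATUS_FAILED` into the keymaster error type and goes through `kmError2ScopedAStatus` with no message, while the response branch uses `Status(...)` with the negated `response.error`. Mixing the provisioning status domain into a keymaster error cast makes it hard to see which service-specific code the client receives; `return Status(STATUS_FAILED, "Failed to allocate space for keysToSign.");` would keep both branches on one helper. Also, `challenge` and every `macedKey` are copied into the request with no length check in this function, so any size limits are presumably enforced only inside the Trusty app. Once that is confirmed, a comment such as `// Sizes of challenge and keys are validated by the Trusty app.` would make the trust-boundary assumption explicit.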
@@ -14,7 +14,7 @@ android.hardware.security.keymint - 2 + 3 IRemotelyProvisionedComponent/default