From 95b5b0487253d89a1807924d1e6099ac1e241825 Mon Sep 17 00:00:00 2001 From: Max Bires Date: Wed, 9 Jun 2021 17:40:54 -0700 Subject: [PATCH] Client side implementation of Trusty IRPC HAL This change includes the code necessary to communicate to the IRemotelyProvisionedComponent backend implementation running in Trusty. It also makes the relevant changes to the manifest XML file to add the IRemotelyProvisionedComponent HAL. Bug: 192228022 Test: atest VtsHalRemotelyProvisionedComponentTargetTest Change-Id: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699 Merged-In: I32c30ce2dc44e95ff91574ce405f10e3b5dc9699 --- trusty/keymaster/Android.bp | 2 +- trusty/keymaster/TrustyKeymaster.cpp | 10 ++ .../trusty_keymaster/TrustyKeymaster.h | 2 + ...TrustyRemotelyProvisionedComponentDevice.h | 53 ++++++++ .../trusty_keymaster/ipc/keymaster_ipc.h | 2 + ...ustyRemotelyProvisionedComponentDevice.cpp | 120 ++++++++++++++++++ ...rdware.security.keymint-service.trusty.xml | 4 + trusty/keymaster/keymint/service.cpp | 5 +- 8 files changed, 196 insertions(+), 2 deletions(-) create mode 100644 trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h create mode 100644 trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp index 58dfa9400..aa610e78f 100644 --- a/trusty/keymaster/Android.bp +++ b/trusty/keymaster/Android.bp @@ -100,6 +100,7 @@ cc_binary { "ipc/trusty_keymaster_ipc.cpp", "keymint/TrustyKeyMintDevice.cpp", "keymint/TrustyKeyMintOperation.cpp", + "keymint/TrustyRemotelyProvisionedComponentDevice.cpp", "keymint/TrustySecureClock.cpp", "keymint/TrustySharedSecret.cpp", "keymint/service.cpp", @@ -118,7 +119,6 @@ cc_binary { "libtrusty", ], required: [ - "RemoteProvisioner", "android.hardware.hardware_keystore.xml", ], } diff --git a/trusty/keymaster/TrustyKeymaster.cpp b/trusty/keymaster/TrustyKeymaster.cpp index ef5fc3fc2..aee33331a 100644 --- a/trusty/keymaster/TrustyKeymaster.cpp +++ b/trusty/keymaster/TrustyKeymaster.cpp @@ -158,6 +158,16 @@ void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request, } } +void TrustyKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request, + GenerateRkpKeyResponse* response) { + ForwardCommand(KM_GENERATE_RKP_KEY, request, response); +} + +void TrustyKeymaster::GenerateCsr(const GenerateCsrRequest& request, + GenerateCsrResponse* response) { + ForwardCommand(KM_GENERATE_CSR, request, response); +} + void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request, GetKeyCharacteristicsResponse* response) { ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response); diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h index 45ebf7fda..35eda459c 100644 --- a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h +++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h @@ -42,6 +42,8 @@ class TrustyKeymaster { void AddRngEntropy(const AddEntropyRequest& request, AddEntropyResponse* response); void Configure(const ConfigureRequest& request, ConfigureResponse* response); void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response); + void GenerateRkpKey(const GenerateRkpKeyRequest& request, GenerateRkpKeyResponse* response); + void GenerateCsr(const GenerateCsrRequest& request, GenerateCsrResponse* response); void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request, GetKeyCharacteristicsResponse* response); void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response); diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h new file mode 100644 index 000000000..d544b51d5 --- /dev/null +++ b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h @@ -0,0 +1,53 @@ +/* + * Copyright 2021, The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include +#include +#include + +#include + +namespace aidl::android::hardware::security::keymint::trusty { + +using ::keymaster::TrustyKeymaster; +using ::ndk::ScopedAStatus; +using ::std::shared_ptr; + +class TrustyRemotelyProvisionedComponentDevice : public BnRemotelyProvisionedComponent { + public: + explicit TrustyRemotelyProvisionedComponentDevice(shared_ptr impl) + : impl_(std::move(impl)) {} + virtual ~TrustyRemotelyProvisionedComponentDevice() = default; + + ScopedAStatus getHardwareInfo(RpcHardwareInfo* info) override; + + ScopedAStatus generateEcdsaP256KeyPair(bool testMode, MacedPublicKey* macedPublicKey, + std::vector* privateKeyHandle) override; + + ScopedAStatus generateCertificateRequest(bool testMode, + const std::vector& keysToSign, + const std::vector& endpointEncCertChain, + const std::vector& challenge, + DeviceInfo* deviceInfo, ProtectedData* protectedData, + std::vector* keysToSignMac) override; + + private: + std::shared_ptr<::keymaster::TrustyKeymaster> impl_; +}; + +} // namespace aidl::android::hardware::security::keymint::trusty diff --git a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h index a1229a391..6f4713b96 100644 --- a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h +++ b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h @@ -56,6 +56,8 @@ enum keymaster_command : uint32_t { KM_GET_VERSION_2 = (28 << KEYMASTER_REQ_SHIFT), KM_EARLY_BOOT_ENDED = (29 << KEYMASTER_REQ_SHIFT), KM_DEVICE_LOCKED = (30 << KEYMASTER_REQ_SHIFT), + KM_GENERATE_RKP_KEY = (31 << KEYMASTER_REQ_SHIFT), + KM_GENERATE_CSR = (32 << KEYMASTER_REQ_SHIFT), // Bootloader/provisioning calls. KM_SET_BOOT_PARAMS = (0x1000 << KEYMASTER_REQ_SHIFT), diff --git a/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp new file mode 100644 index 000000000..5664829d8 --- /dev/null +++ b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp @@ -0,0 +1,120 @@ +/* + * Copyright 2021, The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include + +#include +#include + +#include +#include + +#include + +namespace aidl::android::hardware::security::keymint::trusty { + +using keymaster::GenerateCsrRequest; +using keymaster::GenerateCsrResponse; +using keymaster::GenerateRkpKeyRequest; +using keymaster::GenerateRkpKeyResponse; +using keymaster::KeymasterBlob; +using ::std::string; +using ::std::unique_ptr; +using ::std::vector; +using bytevec = ::std::vector; + +namespace { + +constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED; + +struct AStatusDeleter { + void operator()(AStatus* p) { AStatus_delete(p); } +}; + +class Status { + public: + Status() : status_(AStatus_newOk()) {} + Status(int32_t errCode, const std::string& errMsg) + : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {} + explicit Status(const std::string& errMsg) + : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {} + explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {} + + Status(Status&&) = default; + Status(const Status&) = delete; + + operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor) + return ndk::ScopedAStatus(status_.release()); + } + + bool isOk() const { return AStatus_isOk(status_.get()); } + + const char* getMessage() const { return AStatus_getMessage(status_.get()); } + + private: + std::unique_ptr status_; +}; + +} // namespace + +ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) { + info->versionNumber = 1; + info->rpcAuthorName = "Google"; + info->supportedEekCurve = RpcHardwareInfo::CURVE_25519; + return ScopedAStatus::ok(); +} + +ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair( + bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) { + GenerateRkpKeyRequest request(impl_->message_version()); + request.test_mode = testMode; + GenerateRkpKeyResponse response(impl_->message_version()); + impl_->GenerateRkpKey(request, &response); + if (response.error != KM_ERROR_OK) { + return Status(-static_cast(response.error), "Failure in key generation."); + } + + macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key); + *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob); + return ScopedAStatus::ok(); +} + +ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest( + bool testMode, const vector& keysToSign, + const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo, + ProtectedData* protectedData, bytevec* keysToSignMac) { + GenerateCsrRequest request(impl_->message_version()); + request.test_mode = testMode; + request.num_keys = keysToSign.size(); + request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()]; + for (size_t i = 0; i < keysToSign.size(); i++) { + request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size()); + } + request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size()); + request.SetChallenge(challenge.data(), challenge.size()); + GenerateCsrResponse response(impl_->message_version()); + impl_->GenerateCsr(request, &response); + + if (response.error != KM_ERROR_OK) { + return Status(-static_cast(response.error), "Failure in CSR Generation."); + } + deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob); + protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob); + *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac); + return ScopedAStatus::ok(); +} + +} // namespace aidl::android::hardware::security::keymint::trusty diff --git a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml index 0ab3d64cf..7ca50507d 100644 --- a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml +++ b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml @@ -11,4 +11,8 @@ android.hardware.security.sharedsecret ISharedSecret/default + + android.hardware.security.keymint + IRemotelyProvisionedComponent/default + diff --git a/trusty/keymaster/keymint/service.cpp b/trusty/keymaster/keymint/service.cpp index 8f5f0f815..4060278d4 100644 --- a/trusty/keymaster/keymint/service.cpp +++ b/trusty/keymaster/keymint/service.cpp @@ -20,10 +20,12 @@ #include #include +#include #include #include using aidl::android::hardware::security::keymint::trusty::TrustyKeyMintDevice; +using aidl::android::hardware::security::keymint::trusty::TrustyRemotelyProvisionedComponentDevice; using aidl::android::hardware::security::secureclock::trusty::TrustySecureClock; using aidl::android::hardware::security::sharedsecret::trusty::TrustySharedSecret; @@ -52,7 +54,8 @@ int main() { auto keyMint = addService(trustyKeymaster); auto secureClock = addService(trustyKeymaster); auto sharedSecret = addService(trustyKeymaster); - + auto remotelyProvisionedComponent = + addService(trustyKeymaster); ABinderProcess_joinThreadPool(); return EXIT_FAILURE; // should not reach }