diff --git a/ipc/keymaster_ipc.cpp b/ipc/keymaster_ipc.cpp
index 95d2d17..274bb44 100644
--- a/ipc/keymaster_ipc.cpp
+++ b/ipc/keymaster_ipc.cpp
@@ -29,8 +29,6 @@ #include "trusty_keymaster.h"
 #include "trusty_logger.h"
-#include
-#include
 using namespace keymaster;
@@ -334,7 +332,8 @@ static long keymaster_dispatch_secure(keymaster_chan_ctx* ctx,
 // Returns true if |cmd| is called from the bootloader
 static bool cmd_is_from_bootloader(uint32_t cmd) {
- return (cmd == KM_SET_BOOT_PARAMS || cmd == KM_SET_ATTESTATION_KEY ||
+ return (cmd == KM_PROVISION_KEYBOX ||
+ cmd == KM_SET_BOOT_PARAMS || cmd == KM_SET_ATTESTATION_KEY ||
 cmd == KM_APPEND_ATTESTATION_CERT_CHAIN ||
 cmd == KM_ATAP_GET_CA_REQUEST ||
 cmd == KM_ATAP_SET_CA_RESPONSE_BEGIN ||
diff --git a/ipc/rules.mk b/ipc/rules.mk
index a74428d..a8226e6 100644
--- a/ipc/rules.mk
+++ b/ipc/rules.mk
@@ -17,6 +17,6 @@ CUR_DIR := $(GET_LOCAL_DIR)
 MODULE_SRCS += $(CUR_DIR)/keymaster_ipc.cpp
-MODULE_DEPS += interface/keymaster
+MODULE_DEPS += trusty/user/base/interface/keymaster
 CUR_DIR =
diff --git a/provision/provision_keybox.cpp b/provision/provision_keybox.cpp
index 7c4c325..b926796 100644
--- a/provision/provision_keybox.cpp
+++ b/provision/provision_keybox.cpp
@@ -171,7 +171,7 @@ keymaster_error_t RetrieveKeybox(uint8_t** keybox, uint32_t* keybox_size) {
 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
 memset(dev_info, 0, buffer_size);
 rc = get_device_info(dev_info);
- if(rc != 0) {
+ if ((rc != 0) || (dev_info->attkb_size == 0)) {
 LOG_E("RetrieveKeybox failed!", 0);
 ret = KM_ERROR_UNKNOWN_ERROR;
 goto clear_sensitive_data;
@@ -217,11 +217,13 @@ keymaster_error_t keybox_xml_initialize(const uint8_t* keybox, XMLElement** xml_
 if (doc->Error()) {
 LOG_E("Parsing XML data failed!", 0);
+ delete doc;
 return KM_ERROR_UNKNOWN_ERROR;
 }
 *xml_root = doc->RootElement();
 if (*xml_root == NULL) {
 LOG_E("Parsing XML data failed!", 0);
+ delete doc;
 return KM_ERROR_UNKNOWN_ERROR;
 }
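Review bot: Adding `KM_PROVISION_KEYBOX` to cmd_is_from_bootloader exposes the command that installs the device's attestation private keys to whoever can speak on the bootloader channel, yet the hunk shows no companion check that the new entry is refused once the bootloader has handed off — if the existing entries such as KM_SET_BOOT_PARAMS are gated that way elsewhere in the dispatcher (not visible here), confirm the gate covers this one too. The one-line comment above the function should also tell the next maintainer what membership in this list costs, e.g. `// Commands only the bootloader may issue; every entry is reachable from the non-secure side during early boot, so keep the list minimal.` The function's closing brace is outside the hunk.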
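Review bot: The new condition rejects only `dev_info->attkb_size == 0`, but attkb_size is filled in by get_device_info() from firmware (the CSE, per the comment elsewhere in this file) and the hunk shows no upper bound on it before it is presumably used to size the keybox copy that follows outside the hunk. A size that is non-zero but larger than the buffer this function is willing to allocate should fail here as well, so that a malformed or hostile device-info response cannot drive an oversized allocation or copy; the exact limit belongs to the caller's contract and is not visible in this diff. RetrieveKeybox starts and ends outside the hunk.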
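Review bot: The two `delete doc;` lines close the error-path leaks, but the success path still hands the XMLDocument back only implicitly through `*xml_root`, and the caller later in this diff has to recover it with `xml_root->GetDocument()` to free it — an ownership rule nothing documents. Add it to the function's header comment, e.g. `// On success *xml_root points into a heap-allocated XMLDocument that the caller owns and must free via delete (*xml_root)->GetDocument().` Since the signature takes no length, the same comment should state what terminator the parser relies on inside `keybox`, so that callers passing raw IPC buffers know what they owe. The function's first lines, including where doc is allocated, are outside the hunk.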
@@ -297,10 +299,14 @@ keymaster_error_t get_prikey_from_keybox(XMLElement* xml_root,
 }
 decodedata = new uint8_t[count];
- if (decodedata == NULL)
+ if (decodedata == NULL) {
+ delete [] base64data;
 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
 if (!EVP_DecodeBase64(decodedata, (size_t *)&count, count, (const uint8_t *)base64data, strlen(base64data))) {
 LOG_E("Failed to do base64 decode!", 0);
+ delete [] base64data;
+ delete [] decodedata;
 return KM_ERROR_UNKNOWN_ERROR;
 }
 *key = decodedata;
@@ -417,9 +423,14 @@ keymaster_error_t get_cert_from_keybox(XMLElement* xml_root,
 decodedata = new uint8_t[count];
 if (decodedata == NULL)
+ {
+ delete [] base64data;
 return KM_ERROR_MEMORY_ALLOCATION_FAILED;
+ }
 if (!EVP_DecodeBase64(decodedata, (size_t *)&count, count, (const uint8_t *)base64data, strlen(base64data))) {
 LOG_E("Failed to do base64 decode!", 0);
+ delete [] base64data;
+ delete [] decodedata;
 return KM_ERROR_UNKNOWN_ERROR;
 }
 *cert = decodedata;
@@ -448,11 +459,13 @@ keymaster_error_t ParseKeyboxToStorage(
 /* provision the private key to secure storage */
 uint8_t* attest_key = NULL;
 uint32_t attest_keysize = 0;
+ UniquePtr attest_key_deleter;
 error = get_prikey_from_keybox(xml_root, algorithm, &attest_key, &attest_keysize);
 if (error != KM_ERROR_OK || !attest_key ||!attest_keysize) {
 LOG_E("failed(%d) to get the prikey with algo(%d)", error, algorithm);
 return KM_ERROR_UNKNOWN_ERROR;
 }
+ attest_key_deleter.reset(attest_key);
 bool exists;
 error = AttestationKeyExists(key_slot, &exists);
 if (error != KM_ERROR_OK) {
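Review bot: The new `delete [] decodedata;` on the decode-failure path frees a buffer that may already hold part of the attestation private key without wiping it; the module links BoringSSL, so the bytes should be cleansed first — but `count` doubles as the out-length pointer and BoringSSL's EVP_DecodeBase64 sets its out-length to 0 before doing anything, so the allocation size must be captured before the call. The `(size_t *)&count` cast on the context line is the bigger concern: count's declaration is outside the hunk, and the cast being needed at all suggests it is not a size_t, in which case EVP_DecodeBase64 writes a full size_t through a narrower object and clobbers whatever sits beside it. Both are addressed by decoding into a real size_t and keeping the original size, as below (OPENSSL_cleanse comes from openssl/mem.h); the function's beginning and the success-path release of base64data are outside the hunk.
```cpp
    const size_t alloc_len = count;          // EVP_DecodeBase64 resets its out-length on failure
    decodedata = new uint8_t[alloc_len];
    // … unchanged: NULL check and base64data release …
    size_t decoded_len = 0;
    if (!EVP_DecodeBase64(decodedata, &decoded_len, alloc_len,
                          (const uint8_t *)base64data, strlen(base64data))) {
        LOG_E("Failed to do base64 decode!", 0);
        delete [] base64data;
        OPENSSL_cleanse(decodedata, alloc_len);   // may hold partial private-key bytes
        delete [] decodedata;
        return KM_ERROR_UNKNOWN_ERROR;
    }
    count = decoded_len;                      // for the size out-param set later (outside the hunk)
    *key = decodedata;
```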
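Review bot: The brace added after `if (decodedata == NULL)` sits on its own line, while the identical block added to get_prikey_from_keybox in this same commit (and the rest of this function) uses `if (...) {`; make it `if (decodedata == NULL) {` so the two copies read alike. The NULL check is only meaningful if this build's operator new returns NULL instead of throwing — if the Trusty toolchain does not guarantee that, `new (std::nothrow) uint8_t[count]` makes the intent explicit. The same `(size_t *)&count` cast as in the key path remains on the context line and deserves the same fix, a real `size_t` out variable, if `count` is not a size_t; count's declaration is outside the hunk.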
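Review bot: `attest_key_deleter.reset(attest_key)` is placed after the early return, so if get_prikey_from_keybox ever hands back a non-NULL key together with an error or a zero attest_keysize (its other exit paths are outside this diff), that key buffer leaks; move the reset to the line directly after the call, `attest_key_deleter.reset(attest_key);`, ahead of the `if`. The UniquePtr's template argument was lost in this rendering, so check it is the array form, `UniquePtr<uint8_t[]> attest_key_deleter;` — get_prikey_from_keybox allocates with `new uint8_t[count]`, and a scalar deleter would pair `delete` with a `delete[]` allocation. Either way the deleter frees the RSA/EC attestation private key without wiping it; cleanse the buffer (`OPENSSL_cleanse(attest_key, attest_keysize)`) before it is released, or give the smart pointer a deleter that does. ParseKeyboxToStorage starts and ends outside the hunk.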
@@ -476,11 +489,13 @@ keymaster_error_t ParseKeyboxToStorage(
 for (index = 0; index cert_deleter;
 error = get_cert_from_keybox(xml_root, algorithm, index, &cert, &cert_size);
 if (error != KM_ERROR_OK || !cert ||!cert_size) {
 LOG_E("failed(%d) to get the cert(%d) with algo(%d)", error, index, algorithm);
 return KM_ERROR_UNKNOWN_ERROR;
 }
+ cert_deleter.reset(cert);
 uint32_t cert_chain_length = 0;
 if (ReadCertChainLength(key_slot, &cert_chain_length) != KM_ERROR_OK) {
@@ -519,7 +534,7 @@ void ProvisionKeyboxOperation::ProvisionAttesationKeybox(
 return;
 uint32_t keybox_size = request.keybox_data.buffer_size();
- const uint8_t* keybox = request.keybox_data.begin();
+ uint8_t* keybox = const_cast(request.keybox_data.begin());
 /* if keybox is NULL, it means need to retrieve it from the CSE by HECI */
 if (keybox == NULL) {
@@ -534,22 +549,30 @@ void ProvisionKeyboxOperation::ProvisionAttesationKeybox(
 response->error = keybox_xml_initialize(keybox, &xml_root);
 if (response->error != KM_ERROR_OK || !xml_root) {
 LOG_E("failed(%d) to initialize the keybox", response->error);
+ free(keybox);
 return;
 }
 response->error = ParseKeyboxToStorage(KM_ALGORITHM_RSA, xml_root);
 if(response->error != KM_ERROR_OK) {
 LOG_E("failed(%d) to parse the keybox wih KM_ALGORITHM_RSA", response->error);
- return;
+ goto freememory;
 }
 response->error = ParseKeyboxToStorage(KM_ALGORITHM_EC, xml_root);
 if(response->error != KM_ERROR_OK) {
 LOG_E("failed(%d) to parse the keybox with KM_ALGORITHM_EC", response->error);
- return;
+ goto freememory;
 }
 response->error = KM_ERROR_OK;
+
+freememory:
+ /* free memory */
+ XMLDocument* doc;
+ doc = xml_root->GetDocument();
+ delete doc;
+ free(keybox);
 }
 } // namespace keymaster
diff --git a/rules.mk b/rules.mk
index 96bd8d1..78bfce0 100644
--- a/rules.mk
+++ b/rules.mk
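Review bot: `cert_deleter.reset(cert)` sits after the early return in the same way as the key path, so a non-NULL cert returned alongside an error or a zero cert_size (get_cert_from_keybox's other exits are outside this diff) would leak once per loop iteration; resetting immediately after the get_cert_from_keybox call closes that. The for-loop line and the deleter's template argument were mangled in this rendering, so confirm the declaration is the array form, `UniquePtr<uint8_t[]> cert_deleter;`, to match the `new uint8_t[count]` in get_cert_from_keybox. The loop and the function continue outside the hunk.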
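Review bot: `keybox_size` is taken from the request, but the parser it ought to bound, keybox_xml_initialize (its signature earlier in this diff is `(const uint8_t* keybox, XMLElement** xml_root)`), receives no length, so tinyxml2 has to find a terminator inside `request.keybox_data` by itself and a keybox sent over IPC without a trailing NUL is read past its end. Either pass the size through (tinyxml2's Parse has a length-taking overload) or reject the buffer unless `keybox_size != 0 && keybox[keybox_size - 1] == '\0'` before parsing. The `const_cast` on the new line discards the constness of request-owned memory solely so the pointer can later be handed to free(), which papers over an ownership question rather than answering it; keep the pointer const and record who allocated the buffer instead. The function continues outside the hunk.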
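Review bot: Both new `free(keybox)` calls run on whatever `keybox` points to, but when the request supplied the keybox that pointer is `request.keybox_data.begin()` (cast away from const in the previous hunk) — memory owned by the request object, not obtained from malloc here — so the success path and the xml-init failure path both free a buffer this function does not own; only the buffer RetrieveKeybox produces in the `keybox == NULL` branch (its allocator is not visible, but the free() implies malloc) should be released here. Track that with a flag set in that branch, and wipe the buffer before freeing, since the XML carries the attestation private keys in base64 and RetrieveKeybox's own `clear_sensitive_data` label shows the file already treats this data as sensitive (this assumes the branch passes `&keybox_size` to RetrieveKeybox, as its signature suggests). The failure path after keybox_xml_initialize must not reach `xml_root->GetDocument()`, because xml_root may be NULL there and keybox_xml_initialize already deleted its document, so it needs its own label; the two-step `XMLDocument* doc; doc = …` exists only to dodge the goto-past-initialization rule and reads better as a single `delete`. The function's opening lines and the RetrieveKeybox call are outside the hunk.
```cpp
    uint8_t* keybox = const_cast<uint8_t*>(request.keybox_data.begin());
    bool keybox_is_ours = false;   // true only for the buffer RetrieveKeybox() allocates

    /* if keybox is NULL, it means need to retrieve it from the CSE by HECI */
    if (keybox == NULL) {
        // … unchanged: RetrieveKeybox() call and its error handling (outside the hunk) …
        keybox_is_ours = true;
    }

    response->error = keybox_xml_initialize(keybox, &xml_root);
    if (response->error != KM_ERROR_OK || !xml_root) {
        LOG_E("failed(%d) to initialize the keybox", response->error);
        goto freekeybox;   // no document to release: the initializer deletes it on failure
    }
    // … unchanged: the two ParseKeyboxToStorage() calls with goto freememory on error …
    response->error = KM_ERROR_OK;

freememory:
    delete xml_root->GetDocument();
freekeybox:
    if (keybox_is_ours) {
        OPENSSL_cleanse(keybox, keybox_size);   // base64 private keys live in this buffer
        free(keybox);
    }
```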
@@ -17,8 +17,7 @@ LOCAL_DIR := $(GET_LOCAL_DIR)
 MODULE := $(LOCAL_DIR)
-ANDROID_ROOT := $(LOCAL_DIR)/../../..
-KEYMASTER_ROOT := $(ANDROID_ROOT)/system/keymaster
+KEYMASTER_ROOT := $(TRUSTY_TOP)/system/keymaster
 MODULE_SRCS += \
 $(KEYMASTER_ROOT)/android_keymaster/android_keymaster.cpp \
@@ -66,7 +65,7 @@ MODULE_SRCS += \
 MODULE_INCLUDES := \
 $(KEYMASTER_ROOT)/include \
 $(KEYMASTER_ROOT) \
- $(ANDROID_ROOT)/hardware/libhardware/include \
+ $(TRUSTY_TOP)/hardware/libhardware/include \
 $(LOCAL_DIR)
 MODULE_CPPFLAGS := -std=c++14 -fno-short-enums
@@ -78,20 +77,16 @@ MODULE_COMPILEFLAGS := -U__ANDROID__ -D__TRUSTY__
 # trust from bootloader.
 #
 #MODULE_COMPILEFLAGS += -DKEYMASTER_DEBUG
-MODULE_COMPILEFLAGS += -DDISABLE_ATAP_SUPPORT
 MODULE_DEPS += \
- app/trusty \
- lib/libc-trusty \
- lib/libstdc++-trusty \
- lib/rng \
- lib/storage \
- lib/hwkey \
- lib/tinyxml2 \
- lib/lzma \
- lib/trusty_syscall_x86
+ trusty/user/base/lib/libc-trusty \
+ trusty/user/base/lib/libstdc++-trusty \
+ trusty/user/base/lib/rng \
+ trusty/user/base/lib/hwkey \
+ trusty/user/base/lib/storage \
+ external/boringssl \
-#include $(LOCAL_DIR)/atap/rules.mk
+include $(LOCAL_DIR)/atap/rules.mk
 include $(LOCAL_DIR)/ipc/rules.mk
 include $(LOCAL_DIR)/provision/rules.mk
diff --git a/secure_storage.cpp b/secure_storage.cpp
index 6ce5606..2ceb57b 100644
--- a/secure_storage.cpp
+++ b/secure_storage.cpp
@@ -291,7 +291,7 @@ keymaster_error_t ReadCertChainFromStorage(AttestationKeySlot key_slot,
 sizeof(cert_chain->entries[0]) * cert_chain_length);
 // Read |cert_chain_length| certs from storage
- for (uint32_t i = 0; i < cert_chain_length; i++) {
+ for (size_t i = 0; i < cert_chain_length; i++) {
 snprintf(cert_file.get(), kStorageIdLengthMax, "%s.%s.%d", kAttestCertPrefix, GetKeySlotStr(key_slot), i);
 if (!SecureStorageGetFileSize(cert_file.get(), &cert_size) ||
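Review bot: Dropping `-DDISABLE_ATAP_SUPPORT` and un-commenting `include $(LOCAL_DIR)/atap/rules.mk` switches the ATAP provisioning path on inside a commit that otherwise relocates build paths; the KM_ATAP_* commands already listed in cmd_is_from_bootloader presumably went from compiled-out stubs to live code for callers on the bootloader channel, which enlarges the pre-boot attack surface and deserves its own commit or at least a sentence in the description. The new `external/boringssl \` line ends in a continuation backslash with nothing after it, so the list silently swallows the following blank line — drop the trailing `\`. Also confirm that `lib/tinyxml2` (provision_keybox.cpp still uses XMLDocument) and `lib/lzma`, removed here without a replacement, now arrive through provision/rules.mk or another included file; otherwise this module no longer links.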
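Review bot: Changing the loop index to `size_t` while the snprintf two lines below still formats it with `"%s.%s.%d"` passes a 64-bit argument to a 32-bit `%d` conversion — undefined behaviour that only appears to work on little-endian targets and that -Wformat will flag; use `"%s.%s.%zu"` (or keep the index `uint32_t` and print it with `%u`). The snprintf return value is also unchecked, so a name longer than kStorageIdLengthMax would be used truncated; if the prefix and slot strings are short enough that can never happen, a comment saying so would help. ReadCertChainFromStorage continues outside the hunk.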
@@ -401,7 +401,7 @@ keymaster_error_t DeleteCertChain(AttestationKeySlot key_slot) {
 if (ReadCertChainLength(key_slot, &cert_chain_length) != KM_ERROR_OK) {
 return KM_ERROR_UNKNOWN_ERROR;
 }
- for (uint32_t i = 0; i < cert_chain_length; ++i) {
+ for (size_t i = 0; i < cert_chain_length; ++i) {
 snprintf(cert_file.get(), kStorageIdLengthMax, "%s.%s.%d", kAttestCertPrefix, GetKeySlotStr(key_slot), i);
 if (!SecureStorageDeleteFile(cert_file.get())) {
diff --git a/trusty_keymaster_enforcement.cpp b/trusty_keymaster_enforcement.cpp
index 77c1df9..6560132 100644
--- a/trusty_keymaster_enforcement.cpp
+++ b/trusty_keymaster_enforcement.cpp
@@ -23,7 +23,7 @@ #include
 #include "trusty_keymaster_context.h"
-#include
+ namespace keymaster {
 keymaster_security_level_t TrustyKeymasterEnforcement::SecurityLevel() const {
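Review bot: The index is now a `size_t` but the snprintf on the next line still formats it with `"%s.%s.%d"`, so a 64-bit value is consumed by a 32-bit conversion — undefined behaviour that merely happens to work on little-endian builds; change the format to `"%s.%s.%zu"` (or keep `uint32_t` with `%u`). In DeleteCertChain a mis-formatted name is worse than in the reader, because the wrong file set being deleted leaves stale certificates behind in secure storage after a slot is supposedly cleared. The function continues outside the hunk.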