5 changes: 2 additions & 3 deletions ipc/keymaster_ipc.cpp
Expand Up @@ -29,8 +29,6 @@

#include "trusty_keymaster.h"
#include "trusty_logger.h"
#include <trusty_std.h>
#include <trusty_uuid.h>

using namespace keymaster;

Expand Down Expand Up @@ -334,7 +332,8 @@ static long keymaster_dispatch_secure(keymaster_chan_ctx* ctx,

// Returns true if |cmd| is called from the bootloader
static bool cmd_is_from_bootloader(uint32_t cmd) {
return (cmd == KM_SET_BOOT_PARAMS || cmd == KM_SET_ATTESTATION_KEY ||
return (cmd == KM_PROVISION_KEYBOX ||
cmd == KM_SET_BOOT_PARAMS || cmd == KM_SET_ATTESTATION_KEY ||
cmd == KM_APPEND_ATTESTATION_CERT_CHAIN ||
cmd == KM_ATAP_GET_CA_REQUEST ||
cmd == KM_ATAP_SET_CA_RESPONSE_BEGIN ||
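Review bot: The new `cmd == KM_PROVISION_KEYBOX` entry widens the bootloader-only command set with no comment saying why, and the header comment above `cmd_is_from_bootloader` only restates the function name. The provision_keybox.cpp hunks in this same PR show that this command ends in `ParseKeyboxToStorage` writing an attestation private key into secure storage, so the reason to gate it is that it must not be reachable from the non-secure OS after the bootloader has handed off; suggest `// KM_PROVISION_KEYBOX writes attestation keys to secure storage; only accepted before boot hand-off.` above the function. Presumably the dispatcher rejects bootloader-only commands once boot state is locked, but that check is outside this hunk, so confirm it covers the new entry. The return expression continues past the end of the hunk.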
2 changes: 1 addition & 1 deletion ipc/rules.mk
Expand Up @@ -17,6 +17,6 @@ CUR_DIR := $(GET_LOCAL_DIR)

MODULE_SRCS += $(CUR_DIR)/keymaster_ipc.cpp

MODULE_DEPS += interface/keymaster
MODULE_DEPS += trusty/user/base/interface/keymaster

CUR_DIR =
33 changes: 28 additions & 5 deletions provision/provision_keybox.cpp
Expand Up @@ -171,7 +171,7 @@ keymaster_error_t RetrieveKeybox(uint8_t** keybox, uint32_t* keybox_size) {
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
memset(dev_info, 0, buffer_size);
rc = get_device_info(dev_info);
if(rc != 0) {
if ((rc != 0) || (dev_info->attkb_size == 0)) {
LOG_E("RetrieveKeybox failed!", 0);
ret = KM_ERROR_UNKNOWN_ERROR;
goto clear_sensitive_data;
Expand Down Expand Up @@ -217,11 +217,13 @@ keymaster_error_t keybox_xml_initialize(const uint8_t* keybox, XMLElement** xml_

if (doc->Error()) {
LOG_E("Parsing XML data failed!", 0);
delete doc;
return KM_ERROR_UNKNOWN_ERROR;
}
*xml_root = doc->RootElement();
if (*xml_root == NULL) {
LOG_E("Parsing XML data failed!", 0);
delete doc;
return KM_ERROR_UNKNOWN_ERROR;
}

Expand Down Expand Up @@ -297,10 +299,14 @@ keymaster_error_t get_prikey_from_keybox(XMLElement* xml_root,
}

decodedata = new uint8_t[count];
if (decodedata == NULL)
if (decodedata == NULL) {
delete [] base64data;
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
}
if (!EVP_DecodeBase64(decodedata, (size_t *)&count, count, (const uint8_t *)base64data, strlen(base64data))) {
LOG_E("Failed to do base64 decode!", 0);
delete [] base64data;
delete [] decodedata;
return KM_ERROR_UNKNOWN_ERROR;
}
*key = decodedata;
Expand Down Expand Up @@ -417,9 +423,14 @@ keymaster_error_t get_cert_from_keybox(XMLElement* xml_root,

decodedata = new uint8_t[count];
if (decodedata == NULL)
{
delete [] base64data;
return KM_ERROR_MEMORY_ALLOCATION_FAILED;
}
if (!EVP_DecodeBase64(decodedata, (size_t *)&count, count, (const uint8_t *)base64data, strlen(base64data))) {
LOG_E("Failed to do base64 decode!", 0);
delete [] base64data;
delete [] decodedata;
return KM_ERROR_UNKNOWN_ERROR;
}
*cert = decodedata;
Expand Down Expand Up @@ -448,11 +459,13 @@ keymaster_error_t ParseKeyboxToStorage(
/* provision the private key to secure storage */
uint8_t* attest_key = NULL;
uint32_t attest_keysize = 0;
UniquePtr<uint8_t[]> attest_key_deleter;
error = get_prikey_from_keybox(xml_root, algorithm, &attest_key, &attest_keysize);
if (error != KM_ERROR_OK || !attest_key ||!attest_keysize) {
LOG_E("failed(%d) to get the prikey with algo(%d)", error, algorithm);
return KM_ERROR_UNKNOWN_ERROR;
}
attest_key_deleter.reset(attest_key);
bool exists;
error = AttestationKeyExists(key_slot, &exists);
if (error != KM_ERROR_OK) {
Expand All @@ -476,11 +489,13 @@ keymaster_error_t ParseKeyboxToStorage(
for (index = 0; index<cert_chain_len; index++) {
uint8_t* cert;
uint32_t cert_size = 0;
UniquePtr<uint8_t[]> cert_deleter;
error = get_cert_from_keybox(xml_root, algorithm, index, &cert, &cert_size);
if (error != KM_ERROR_OK || !cert ||!cert_size) {
LOG_E("failed(%d) to get the cert(%d) with algo(%d)", error, index, algorithm);
return KM_ERROR_UNKNOWN_ERROR;
}
cert_deleter.reset(cert);

uint32_t cert_chain_length = 0;
if (ReadCertChainLength(key_slot, &cert_chain_length) != KM_ERROR_OK) {
Expand Down Expand Up @@ -519,7 +534,7 @@ void ProvisionKeyboxOperation::ProvisionAttesationKeybox(
return;

uint32_t keybox_size = request.keybox_data.buffer_size();
const uint8_t* keybox = request.keybox_data.begin();
uint8_t* keybox = const_cast<uint8_t*>(request.keybox_data.begin());

/* if keybox is NULL, it means need to retrieve it from the CSE by HECI */
if (keybox == NULL) {
Expand All @@ -534,22 +549,30 @@ void ProvisionKeyboxOperation::ProvisionAttesationKeybox(
response->error = keybox_xml_initialize(keybox, &xml_root);
if (response->error != KM_ERROR_OK || !xml_root) {
LOG_E("failed(%d) to initialize the keybox", response->error);
free(keybox);
return;
}

response->error = ParseKeyboxToStorage(KM_ALGORITHM_RSA, xml_root);
if(response->error != KM_ERROR_OK) {
LOG_E("failed(%d) to parse the keybox wih KM_ALGORITHM_RSA", response->error);
return;
goto freememory;
}

response->error = ParseKeyboxToStorage(KM_ALGORITHM_EC, xml_root);
if(response->error != KM_ERROR_OK) {
LOG_E("failed(%d) to parse the keybox with KM_ALGORITHM_EC", response->error);
return;
goto freememory;
}

response->error = KM_ERROR_OK;

freememory:
/* free memory */
XMLDocument* doc;
doc = xml_root->GetDocument();
delete doc;
free(keybox);
}

} // namespace keymaster
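Review bot: `free(keybox)` at the `freememory` label and in the `keybox_xml_initialize` failure branch runs even when the keybox was supplied in `request.keybox_data`, and the `const_cast` on the new `uint8_t* keybox` line exists only to make that call compile; unless the lines hidden between the two hunks of `ProvisionAttesationKeybox` copy a request-supplied keybox into malloc'd memory, this frees a buffer owned by the request object (an invalid free, or a double free when the request is destroyed). Track ownership explicitly, e.g. `bool keybox_owned = false;` set to true only on the path where `RetrieveKeybox` (presumably called in the hidden lines) succeeds, and `if (keybox_owned) free(keybox);` at both sites. Separately, `attest_key_deleter` in `ParseKeyboxToStorage` releases the decoded private key with a plain `delete[]` while `RetrieveKeybox` has a `clear_sensitive_data` path; wiping the key bytes before release (`memset_s` or the project's equivalent) would keep the two consistent. Both functions extend beyond the visible hunks.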
23 changes: 9 additions & 14 deletions rules.mk
Expand Up @@ -17,8 +17,7 @@ LOCAL_DIR := $(GET_LOCAL_DIR)

MODULE := $(LOCAL_DIR)

ANDROID_ROOT := $(LOCAL_DIR)/../../..
KEYMASTER_ROOT := $(ANDROID_ROOT)/system/keymaster
KEYMASTER_ROOT := $(TRUSTY_TOP)/system/keymaster

MODULE_SRCS += \
$(KEYMASTER_ROOT)/android_keymaster/android_keymaster.cpp \
Expand Down Expand Up @@ -66,7 +65,7 @@ MODULE_SRCS += \
MODULE_INCLUDES := \
$(KEYMASTER_ROOT)/include \
$(KEYMASTER_ROOT) \
$(ANDROID_ROOT)/hardware/libhardware/include \
$(TRUSTY_TOP)/hardware/libhardware/include \
$(LOCAL_DIR)

MODULE_CPPFLAGS := -std=c++14 -fno-short-enums
Expand All @@ -78,20 +77,16 @@ MODULE_COMPILEFLAGS := -U__ANDROID__ -D__TRUSTY__
# trust from bootloader.
#
#MODULE_COMPILEFLAGS += -DKEYMASTER_DEBUG
MODULE_COMPILEFLAGS += -DDISABLE_ATAP_SUPPORT

MODULE_DEPS += \
app/trusty \
lib/libc-trusty \
lib/libstdc++-trusty \
lib/rng \
lib/storage \
lib/hwkey \
lib/tinyxml2 \
lib/lzma \
lib/trusty_syscall_x86
trusty/user/base/lib/libc-trusty \
trusty/user/base/lib/libstdc++-trusty \
trusty/user/base/lib/rng \
trusty/user/base/lib/hwkey \
trusty/user/base/lib/storage \
external/boringssl \

#include $(LOCAL_DIR)/atap/rules.mk
include $(LOCAL_DIR)/atap/rules.mk
include $(LOCAL_DIR)/ipc/rules.mk
include $(LOCAL_DIR)/provision/rules.mk

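Review bot: The new `external/boringssl \` line at the end of `MODULE_DEPS` keeps a trailing backslash, so the list continues onto the blank line that follows; that is harmless today, but any line added directly beneath it would be silently appended as a dependency, and the `include` lines are only one blank line away. Drop the continuation on the last entry: `external/boringssl`.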
4 changes: 2 additions & 2 deletions secure_storage.cpp
Expand Up @@ -291,7 +291,7 @@ keymaster_error_t ReadCertChainFromStorage(AttestationKeySlot key_slot,
sizeof(cert_chain->entries[0]) * cert_chain_length);

// Read |cert_chain_length| certs from storage
for (uint32_t i = 0; i < cert_chain_length; i++) {
for (size_t i = 0; i < cert_chain_length; i++) {
snprintf(cert_file.get(), kStorageIdLengthMax, "%s.%s.%d",
kAttestCertPrefix, GetKeySlotStr(key_slot), i);
if (!SecureStorageGetFileSize(cert_file.get(), &cert_size) ||
Expand Down Expand Up @@ -401,7 +401,7 @@ keymaster_error_t DeleteCertChain(AttestationKeySlot key_slot) {
if (ReadCertChainLength(key_slot, &cert_chain_length) != KM_ERROR_OK) {
return KM_ERROR_UNKNOWN_ERROR;
}
for (uint32_t i = 0; i < cert_chain_length; ++i) {
for (size_t i = 0; i < cert_chain_length; ++i) {
snprintf(cert_file.get(), kStorageIdLengthMax, "%s.%s.%d",
kAttestCertPrefix, GetKeySlotStr(key_slot), i);
if (!SecureStorageDeleteFile(cert_file.get())) {
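Review bot: Changing the loop index to `size_t` leaves the `snprintf` two lines below passing it to `%d`, which now mismatches in signedness and, on an LP64 target, in width; the same pattern is in the `DeleteCertChain` hunk. Use a matching conversion in both format strings, `"%s.%s.%zu"`, which prints the same decimal text for in-range values so the stored file names do not change. Both loops continue past the end of their hunks.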
2 changes: 1 addition & 1 deletion trusty_keymaster_enforcement.cpp
Expand Up @@ -23,7 +23,7 @@
#include <keymaster/km_openssl/openssl_err.h>

#include "trusty_keymaster_context.h"
#include <trusty_std.h>

namespace keymaster {

keymaster_security_level_t TrustyKeymasterEnforcement::SecurityLevel() const {