Snap for 8712302 from e643255e420183a8e9747033b054a2fe8828fc41 to tm-frc-scheduling-release
Change-Id: I57a0e0599b3b34cd2cb4406616395d6ce52c094a
diff --git a/guest/hals/keymint/remote/remote_keymaster.cpp b/guest/hals/keymint/remote/remote_keymaster.cpp
index 6675810..763c139 100644
--- a/guest/hals/keymint/remote/remote_keymaster.cpp
+++ b/guest/hals/keymint/remote/remote_keymaster.cpp
@@ -312,4 +312,11 @@
return response;
}
+GetRootOfTrustResponse RemoteKeymaster::GetRootOfTrust(
+ const GetRootOfTrustRequest& request) {
+ GetRootOfTrustResponse response(message_version());
+ ForwardCommand(GET_ROOT_OF_TRUST, request, &response);
+ return response;
+}
+
} // namespace keymaster
diff --git a/guest/hals/keymint/remote/remote_keymaster.h b/guest/hals/keymint/remote/remote_keymaster.h
index 240e610..2e0668f 100644
--- a/guest/hals/keymint/remote/remote_keymaster.h
+++ b/guest/hals/keymint/remote/remote_keymaster.h
@@ -94,6 +94,7 @@
const ConfigureVerifiedBootInfoRequest& request);
void GenerateTimestampToken(GenerateTimestampTokenRequest& request,
GenerateTimestampTokenResponse* response);
+ GetRootOfTrustResponse GetRootOfTrust(const GetRootOfTrustRequest& request);
// CF HAL and remote sides are always compiled together, so will never
// disagree about message versions.
diff --git a/guest/hals/keymint/remote/remote_keymint_device.cpp b/guest/hals/keymint/remote/remote_keymint_device.cpp
index 4f9606f..c6db283 100644
--- a/guest/hals/keymint/remote/remote_keymint_device.cpp
+++ b/guest/hals/keymint/remote/remote_keymint_device.cpp
@@ -449,9 +449,20 @@
}
ScopedAStatus RemoteKeyMintDevice::getRootOfTrust(
- const std::array<uint8_t, 16>& /* challenge */,
- std::vector<uint8_t>* /* rootOfTrust */) {
- return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
+ const std::array<uint8_t, 16>& challenge,
+ std::vector<uint8_t>* rootOfTrust) {
+ if (!rootOfTrust) {
+ return kmError2ScopedAStatus(KM_ERROR_UNEXPECTED_NULL_POINTER);
+ }
+ GetRootOfTrustRequest request(impl_.message_version(),
+ {challenge.begin(), challenge.end()});
+ GetRootOfTrustResponse response = impl_.GetRootOfTrust(request);
+ if (response.error != KM_ERROR_OK) {
+ return kmError2ScopedAStatus(response.error);
+ }
+
+ *rootOfTrust = std::move(response.rootOfTrust);
+ return ScopedAStatus::ok();
}
ScopedAStatus RemoteKeyMintDevice::sendRootOfTrust(
diff --git a/guest/hals/ril/reference-ril/reference-ril.c b/guest/hals/ril/reference-ril/reference-ril.c
index 806a178..f3d01e4 100644
--- a/guest/hals/ril/reference-ril/reference-ril.c
+++ b/guest/hals/ril/reference-ril/reference-ril.c
@@ -1555,8 +1555,8 @@
int count = 4;
// Fixed values. TODO: Query modem
- responseStr[0] = "----";
- responseStr[1] = "----";
+ responseStr[0] ="358240051111110";
+ responseStr[1] = "";
responseStr[2] = "77777777";
responseStr[3] = ""; // default empty for non-CDMA
diff --git a/host/commands/secure_env/keymaster_responder.cpp b/host/commands/secure_env/keymaster_responder.cpp
index 6918602..688ddf3 100644
--- a/host/commands/secure_env/keymaster_responder.cpp
+++ b/host/commands/secure_env/keymaster_responder.cpp
@@ -20,10 +20,9 @@
namespace cuttlefish {
-KeymasterResponder::KeymasterResponder(
- cuttlefish::KeymasterChannel& channel, keymaster::AndroidKeymaster& keymaster)
- : channel_(channel), keymaster_(keymaster) {
-}
+KeymasterResponder::KeymasterResponder(cuttlefish::KeymasterChannel& channel,
+ keymaster::AndroidKeymaster& keymaster)
+ : channel_(channel), keymaster_(keymaster) {}
bool KeymasterResponder::ProcessMessage() {
auto request = channel_.ReceiveMessage();
@@ -33,19 +32,19 @@
}
const uint8_t* buffer = request->payload;
const uint8_t* end = request->payload + request->payload_size;
- switch(request->cmd) {
+ switch (request->cmd) {
using namespace keymaster;
-#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \
- case ENUM_NAME: {\
- METHOD_NAME##Request request(keymaster_.message_version()); \
- if (!request.Deserialize(&buffer, end)) { \
- LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
- return false; \
- } \
- METHOD_NAME##Response response(keymaster_.message_version()); \
- keymaster_.METHOD_NAME(request, &response); \
- return channel_.SendResponse(ENUM_NAME, response); \
- }
+#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \
+ case ENUM_NAME: { \
+ METHOD_NAME##Request request(keymaster_.message_version()); \
+ if (!request.Deserialize(&buffer, end)) { \
+ LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
+ return false; \
+ } \
+ METHOD_NAME##Response response(keymaster_.message_version()); \
+ keymaster_.METHOD_NAME(request, &response); \
+ return channel_.SendResponse(ENUM_NAME, response); \
+ }
HANDLE_MESSAGE(GENERATE_KEY, GenerateKey)
HANDLE_MESSAGE(BEGIN_OPERATION, BeginOperation)
HANDLE_MESSAGE(UPDATE_OPERATION, UpdateOperation)
@@ -71,16 +70,16 @@
HANDLE_MESSAGE(GENERATE_CSR, GenerateCsr)
HANDLE_MESSAGE(GENERATE_TIMESTAMP_TOKEN, GenerateTimestampToken)
#undef HANDLE_MESSAGE
-#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME) \
- case ENUM_NAME: {\
- METHOD_NAME##Request request(keymaster_.message_version()); \
- if (!request.Deserialize(&buffer, end)) { \
- LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
- return false; \
- } \
- auto response = keymaster_.METHOD_NAME(request); \
- return channel_.SendResponse(ENUM_NAME, response); \
- }
+#define HANDLE_MESSAGE_W_RETURN(ENUM_NAME, METHOD_NAME) \
+ case ENUM_NAME: { \
+ METHOD_NAME##Request request(keymaster_.message_version()); \
+ if (!request.Deserialize(&buffer, end)) { \
+ LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
+ return false; \
+ } \
+ auto response = keymaster_.METHOD_NAME(request); \
+ return channel_.SendResponse(ENUM_NAME, response); \
+ }
HANDLE_MESSAGE_W_RETURN(COMPUTE_SHARED_HMAC, ComputeSharedHmac)
HANDLE_MESSAGE_W_RETURN(VERIFY_AUTHORIZATION, VerifyAuthorization)
HANDLE_MESSAGE_W_RETURN(DEVICE_LOCKED, DeviceLocked)
@@ -90,13 +89,15 @@
HANDLE_MESSAGE_W_RETURN(CONFIGURE_BOOT_PATCHLEVEL, ConfigureBootPatchlevel)
HANDLE_MESSAGE_W_RETURN(CONFIGURE_VERIFIED_BOOT_INFO,
ConfigureVerifiedBootInfo)
+ HANDLE_MESSAGE_W_RETURN(GET_ROOT_OF_TRUST, GetRootOfTrust)
#undef HANDLE_MESSAGE_W_RETURN
#define HANDLE_MESSAGE_W_RETURN_NO_ARG(ENUM_NAME, METHOD_NAME) \
- case ENUM_NAME: {\
- auto response = keymaster_.METHOD_NAME(); \
- return channel_.SendResponse(ENUM_NAME, response); \
- }
- HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS, GetHmacSharingParameters)
+ case ENUM_NAME: { \
+ auto response = keymaster_.METHOD_NAME(); \
+ return channel_.SendResponse(ENUM_NAME, response); \
+ }
+ HANDLE_MESSAGE_W_RETURN_NO_ARG(GET_HMAC_SHARING_PARAMETERS,
+ GetHmacSharingParameters)
HANDLE_MESSAGE_W_RETURN_NO_ARG(EARLY_BOOT_ENDED, EarlyBootEnded)
#undef HANDLE_MESSAGE_W_RETURN_NO_ARG
case ADD_RNG_ENTROPY: {
@@ -105,7 +106,8 @@
LOG(ERROR) << "Failed to deserialize AddEntropyRequest";
return false;
}
- AddEntropyResponse response(keymaster_.message_version());;
+ AddEntropyResponse response(keymaster_.message_version());
+ ;
keymaster_.AddRngEntropy(request, &response);
return channel_.SendResponse(ADD_RNG_ENTROPY, response);
}
diff --git a/host/commands/secure_env/proxy_keymaster_context.h b/host/commands/secure_env/proxy_keymaster_context.h
index c3c93fc..e3bf426 100644
--- a/host/commands/secure_env/proxy_keymaster_context.h
+++ b/host/commands/secure_env/proxy_keymaster_context.h
@@ -97,6 +97,10 @@
return wrapped_.enforcement_policy();
}
+ keymaster::AttestationContext* attestation_context() override {
+ return wrapped_.attestation_context();
+ }
+
keymaster::CertificateChain GenerateAttestation(
const keymaster::Key& key,
const keymaster::AuthorizationSet& attest_params,
diff --git a/host/commands/secure_env/tpm_keymaster_context.cpp b/host/commands/secure_env/tpm_keymaster_context.cpp
index 2d4154e..4a60915 100644
--- a/host/commands/secure_env/tpm_keymaster_context.cpp
+++ b/host/commands/secure_env/tpm_keymaster_context.cpp
@@ -82,10 +82,10 @@
attestation_context_(new TpmAttestationRecordContext),
remote_provisioning_context_(
new TpmRemoteProvisioningContext(resource_manager_)) {
- key_factories_.emplace(
- KM_ALGORITHM_RSA, new keymaster::RsaKeyFactory(*key_blob_maker_, *this));
- key_factories_.emplace(
- KM_ALGORITHM_EC, new keymaster::EcKeyFactory(*key_blob_maker_, *this));
+ key_factories_.emplace(KM_ALGORITHM_RSA,
+ new keymaster::RsaKeyFactory(*key_blob_maker_, *this));
+ key_factories_.emplace(KM_ALGORITHM_EC,
+ new keymaster::EcKeyFactory(*key_blob_maker_, *this));
key_factories_.emplace(
KM_ALGORITHM_AES,
new keymaster::AesKeyFactory(*key_blob_maker_, *random_source_));
@@ -110,8 +110,8 @@
return KM_ERROR_OK;
}
-void TpmKeymasterContext::GetSystemVersion(
- uint32_t* os_version, uint32_t* os_patchlevel) const {
+void TpmKeymasterContext::GetSystemVersion(uint32_t* os_version,
+ uint32_t* os_patchlevel) const {
*os_version = os_version_;
*os_patchlevel = os_patchlevel_;
}
@@ -131,7 +131,7 @@
auto key_factory = GetKeyFactory(algorithm);
if (key_factory == nullptr) {
LOG(ERROR) << "Tried to get operation factory for " << purpose
- << " for invalid algorithm " << algorithm;
+ << " for invalid algorithm " << algorithm;
return nullptr;
}
auto operation_factory = key_factory->GetOperationFactory(purpose);
@@ -143,18 +143,16 @@
}
const keymaster_algorithm_t* TpmKeymasterContext::GetSupportedAlgorithms(
- size_t* algorithms_count) const {
+ size_t* algorithms_count) const {
*algorithms_count = supported_algorithms_.size();
return supported_algorithms_.data();
}
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=44;drc=master
-static bool UpgradeIntegerTag(
- keymaster_tag_t tag,
- uint32_t value,
- AuthorizationSet* set,
- bool* set_changed) {
+static bool UpgradeIntegerTag(keymaster_tag_t tag, uint32_t value,
+ AuthorizationSet* set, bool* set_changed) {
int index = set->find(tag);
if (index == -1) {
keymaster_key_param_t param;
@@ -176,7 +174,8 @@
return true;
}
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/key_blob_utils/software_keyblobs.cpp;l=310;drc=master
keymaster_error_t TpmKeymasterContext::UpgradeKeyBlob(
const KeymasterKeyBlob& blob_to_upgrade,
@@ -230,8 +229,7 @@
}
keymaster_error_t TpmKeymasterContext::ParseKeyBlob(
- const KeymasterKeyBlob& blob,
- const AuthorizationSet& additional_params,
+ const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
keymaster::UniquePtr<keymaster::Key>* key) const {
keymaster::AuthorizationSet hw_enforced;
keymaster::AuthorizationSet sw_enforced;
@@ -258,21 +256,16 @@
LOG(ERROR) << "Unable to find key factory for " << algorithm;
return KM_ERROR_UNSUPPORTED_ALGORITHM;
}
- rc =
- factory->LoadKey(
- std::move(key_material),
- additional_params,
- std::move(hw_enforced),
- std::move(sw_enforced),
- key);
+ rc = factory->LoadKey(std::move(key_material), additional_params,
+ std::move(hw_enforced), std::move(sw_enforced), key);
if (rc != KM_ERROR_OK) {
LOG(ERROR) << "Unable to load unwrapped key: " << rc;
}
return rc;
}
-keymaster_error_t TpmKeymasterContext::AddRngEntropy(
- const uint8_t* buffer, size_t size) const {
+keymaster_error_t TpmKeymasterContext::AddRngEntropy(const uint8_t* buffer,
+ size_t size) const {
return random_source_->AddRngEntropy(buffer, size);
}
@@ -280,7 +273,8 @@
return &enforcement_;
}
-// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d
+// Based on
+// https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d
keymaster::CertificateChain TpmKeymasterContext::GenerateAttestation(
const keymaster::Key& key, const keymaster::AuthorizationSet& attest_params,
@@ -337,22 +331,25 @@
const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params,
bool fake_signature, keymaster_error_t* error) const {
keymaster_algorithm_t key_algorithm;
- if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM, &key_algorithm)) {
- *error = KM_ERROR_UNKNOWN_ERROR;
- return {};
+ if (!key.authorizations().GetTagValue(keymaster::TAG_ALGORITHM,
+ &key_algorithm)) {
+ *error = KM_ERROR_UNKNOWN_ERROR;
+ return {};
}
if ((key_algorithm != KM_ALGORITHM_RSA && key_algorithm != KM_ALGORITHM_EC)) {
- *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
- return {};
+ *error = KM_ERROR_INCOMPATIBLE_ALGORITHM;
+ return {};
}
- // We have established that the given key has the correct algorithm, and because this is the
- // SoftKeymasterContext we can assume that the Key is an AsymmetricKey. So we can downcast.
+ // We have established that the given key has the correct algorithm, and
+ // because this is the SoftKeymasterContext we can assume that the Key is an
+ // AsymmetricKey. So we can downcast.
const keymaster::AsymmetricKey& asymmetric_key =
static_cast<const keymaster::AsymmetricKey&>(key);
- return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature, error);
+ return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature,
+ error);
}
keymaster_error_t TpmKeymasterContext::UnwrapKey(
diff --git a/host/commands/secure_env/tpm_keymaster_context.h b/host/commands/secure_env/tpm_keymaster_context.h
index 0029c1d..dbcdcb4 100644
--- a/host/commands/secure_env/tpm_keymaster_context.h
+++ b/host/commands/secure_env/tpm_keymaster_context.h
@@ -38,14 +38,15 @@
* https://cs.android.com/android/platform/superproject/+/master:system/keymaster/include/keymaster/keymaster_context.h;drc=821acb74d7febb886a9b7cefee4ee3df4cc8c556
*/
class TpmKeymasterContext : public keymaster::KeymasterContext {
-private:
+ private:
TpmResourceManager& resource_manager_;
keymaster::KeymasterEnforcement& enforcement_;
std::unique_ptr<TpmKeyBlobMaker> key_blob_maker_;
std::unique_ptr<TpmRandomSource> random_source_;
std::unique_ptr<TpmAttestationRecordContext> attestation_context_;
std::unique_ptr<TpmRemoteProvisioningContext> remote_provisioning_context_;
- std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>> key_factories_;
+ std::map<keymaster_algorithm_t, std::unique_ptr<keymaster::KeyFactory>>
+ key_factories_;
std::vector<keymaster_algorithm_t> supported_algorithms_;
uint32_t os_version_;
uint32_t os_patchlevel_;
@@ -63,10 +64,10 @@
return attestation_context_->GetKmVersion();
}
- keymaster_error_t SetSystemVersion(
- uint32_t os_version, uint32_t os_patchlevel) override;
- void GetSystemVersion(
- uint32_t* os_version, uint32_t* os_patchlevel) const override;
+ keymaster_error_t SetSystemVersion(uint32_t os_version,
+ uint32_t os_patchlevel) override;
+ void GetSystemVersion(uint32_t* os_version,
+ uint32_t* os_patchlevel) const override;
const keymaster::KeyFactory* GetKeyFactory(
keymaster_algorithm_t algorithm) const override;
@@ -86,11 +87,15 @@
const keymaster::AuthorizationSet& additional_params,
keymaster::UniquePtr<keymaster::Key>* key) const override;
- keymaster_error_t AddRngEntropy(
- const uint8_t* buf, size_t length) const override;
+ keymaster_error_t AddRngEntropy(const uint8_t* buf,
+ size_t length) const override;
keymaster::KeymasterEnforcement* enforcement_policy() override;
+ keymaster::AttestationContext* attestation_context() override {
+ return attestation_context_.get();
+ }
+
keymaster::CertificateChain GenerateAttestation(
const keymaster::Key& key,
const keymaster::AuthorizationSet& attest_params,
@@ -99,10 +104,8 @@
keymaster_error_t* error) const override;
keymaster::CertificateChain GenerateSelfSignedCertificate(
- const keymaster::Key& key,
- const keymaster::AuthorizationSet& cert_params,
- bool fake_signature,
- keymaster_error_t* error) const override;
+ const keymaster::Key& key, const keymaster::AuthorizationSet& cert_params,
+ bool fake_signature, keymaster_error_t* error) const override;
keymaster_error_t UnwrapKey(
const keymaster::KeymasterKeyBlob& wrapped_key_blob,
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.cpp b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
index 60a9a5a..a5368c5 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.cpp
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
@@ -25,11 +25,11 @@
namespace cuttlefish {
-using keymaster::km_id_t;
using keymaster::HmacSharingParameters;
using keymaster::HmacSharingParametersArray;
using keymaster::KeymasterBlob;
using keymaster::KeymasterEnforcement;
+using keymaster::km_id_t;
using keymaster::VerifyAuthorizationRequest;
using keymaster::VerifyAuthorizationResponse;
namespace {
@@ -46,9 +46,9 @@
}
} // namespace
class CompareHmacSharingParams {
-public:
- bool operator()(
- const HmacSharingParameters& a, const HmacSharingParameters& b) const {
+ public:
+ bool operator()(const HmacSharingParameters& a,
+ const HmacSharingParameters& b) const {
if (a.seed.data_length != b.seed.data_length) {
return a.seed.data_length < b.seed.data_length;
}
@@ -86,11 +86,9 @@
TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper)
: KeymasterEnforcement(64, 64),
resource_manager_(resource_manager),
- gatekeeper_(gatekeeper) {
-}
+ gatekeeper_(gatekeeper) {}
-TpmKeymasterEnforcement::~TpmKeymasterEnforcement() {
-}
+TpmKeymasterEnforcement::~TpmKeymasterEnforcement() {}
bool TpmKeymasterEnforcement::activation_date_valid(
uint64_t activation_date) const {
@@ -102,10 +100,10 @@
return expiration_date < get_wall_clock_time_ms();
}
-bool TpmKeymasterEnforcement::auth_token_timed_out(
- const hw_auth_token_t& token, uint32_t timeout) const {
+bool TpmKeymasterEnforcement::auth_token_timed_out(const hw_auth_token_t& token,
+ uint32_t timeout) const {
// timeout comes in seconds, token.timestamp comes in milliseconds
- uint64_t timeout_ms = 1000 * (uint64_t) timeout;
+ uint64_t timeout_ms = 1000 * (uint64_t)timeout;
return (be64toh(token.timestamp) + timeout_ms) < get_current_time_ms();
}
@@ -132,32 +130,24 @@
* GateKeeper::MintAuthToken
*/
- const uint8_t *auth_token_key = nullptr;
+ const uint8_t* auth_token_key = nullptr;
uint32_t auth_token_key_len = 0;
if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
LOG(WARNING) << "Unable to get gatekeeper auth token";
return false;
}
+ constexpr uint32_t hashable_length =
+ sizeof(token.version) + sizeof(token.challenge) + sizeof(token.user_id) +
+ sizeof(token.authenticator_id) + sizeof(token.authenticator_type) +
+ sizeof(token.timestamp);
- constexpr uint32_t hashable_length = sizeof(token.version) +
- sizeof(token.challenge) +
- sizeof(token.user_id) +
- sizeof(token.authenticator_id) +
- sizeof(token.authenticator_type) +
- sizeof(token.timestamp);
-
- static_assert(
- offsetof(hw_auth_token_t, hmac) == hashable_length,
- "hw_auth_token_t does not appear to be packed");
-
+ static_assert(offsetof(hw_auth_token_t, hmac) == hashable_length,
+ "hw_auth_token_t does not appear to be packed");
gatekeeper_.ComputeSignature(
- comparison_token.hmac,
- sizeof(comparison_token.hmac),
- auth_token_key,
- auth_token_key_len,
- reinterpret_cast<uint8_t*>(&comparison_token),
+ comparison_token.hmac, sizeof(comparison_token.hmac), auth_token_key,
+ auth_token_key_len, reinterpret_cast<uint8_t*>(&comparison_token),
hashable_length);
static_assert(sizeof(token.hmac) == sizeof(comparison_token.hmac));
@@ -170,9 +160,8 @@
if (!have_saved_params_) {
saved_params_.seed = {};
TpmRandomSource random_source{resource_manager_.Esys()};
- auto rc =
- random_source.GenerateRandom(
- saved_params_.nonce, sizeof(saved_params_.nonce));
+ auto rc = random_source.GenerateRandom(saved_params_.nonce,
+ sizeof(saved_params_.nonce));
if (rc != KM_ERROR_OK) {
LOG(ERROR) << "Failed to generate HmacSharingParameters nonce";
return rc;
@@ -185,18 +174,15 @@
}
keymaster_error_t TpmKeymasterEnforcement::ComputeSharedHmac(
- const HmacSharingParametersArray& hmac_array,
- KeymasterBlob* sharingCheck) {
+ const HmacSharingParametersArray& hmac_array, KeymasterBlob* sharingCheck) {
std::set<HmacSharingParameters, CompareHmacSharingParams> sorted_hmac_inputs;
bool found_mine = false;
for (int i = 0; i < hmac_array.num_params; i++) {
HmacSharingParameters sharing_params;
sharing_params.seed =
keymaster::KeymasterBlob(hmac_array.params_array[i].seed);
- memcpy(
- sharing_params.nonce,
- hmac_array.params_array[i].nonce,
- sizeof(sharing_params.nonce));
+ memcpy(sharing_params.nonce, hmac_array.params_array[i].nonce,
+ sizeof(sharing_params.nonce));
found_mine = found_mine || (sharing_params == saved_params_);
sorted_hmac_inputs.emplace(std::move(sharing_params));
}
@@ -218,7 +204,6 @@
}
}
-
auto signing_key_builder = PrimaryKeyBuilder();
signing_key_builder.SigningKey();
signing_key_builder.UniqueData(std::string(unique_data, sizeof(unique_data)));
@@ -230,12 +215,9 @@
static const uint8_t signing_input[] = "Keymaster HMAC Verification";
- auto hmac = TpmHmac(
- resource_manager_,
- signing_key->get(),
- TpmAuth(ESYS_TR_PASSWORD),
- signing_input,
- sizeof(signing_input));
+ auto hmac =
+ TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD),
+ signing_input, sizeof(signing_input));
if (!hmac) {
LOG(ERROR) << "Unable to complete signing check";
@@ -260,10 +242,10 @@
response.token.timestamp = get_current_time_ms();
response.token.security_level = SecurityLevel();
- VerificationData verify_data {
- .challenge = response.token.challenge,
- .timestamp = response.token.timestamp,
- .security_level = response.token.security_level,
+ VerificationData verify_data{
+ .challenge = response.token.challenge,
+ .timestamp = response.token.timestamp,
+ .security_level = response.token.security_level,
};
auto signing_key_builder = PrimaryKeyBuilder();
@@ -274,12 +256,9 @@
LOG(ERROR) << "Could not make signing key for verifying authorization";
return response;
}
- auto hmac = TpmHmac(
- resource_manager_,
- signing_key->get(),
- TpmAuth(ESYS_TR_PASSWORD),
- reinterpret_cast<uint8_t*>(&verify_data),
- sizeof(verify_data));
+ auto hmac =
+ TpmHmac(resource_manager_, signing_key->get(), TpmAuth(ESYS_TR_PASSWORD),
+ reinterpret_cast<uint8_t*>(&verify_data), sizeof(verify_data));
if (!hmac) {
LOG(ERROR) << "Could not calculate verification hmac";
@@ -324,8 +303,26 @@
return KM_ERROR_OK;
}
-bool TpmKeymasterEnforcement::CreateKeyId(
- const keymaster_key_blob_t& key_blob, km_id_t* keyid) const {
+keymaster::KmErrorOr<std::array<uint8_t, 32>>
+TpmKeymasterEnforcement::ComputeHmac(
+ const std::vector<uint8_t>& data_to_mac) const {
+ std::array<uint8_t, 32> result;
+
+ const uint8_t* auth_token_key = nullptr;
+ uint32_t auth_token_key_len = 0;
+ if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
+ LOG(WARNING) << "Unable to get gatekeeper auth token";
+ return KM_ERROR_UNKNOWN_ERROR;
+ }
+
+ gatekeeper_.ComputeSignature(result.data(), result.size(), auth_token_key,
+ auth_token_key_len, data_to_mac.data(),
+ data_to_mac.size());
+ return result;
+}
+
+bool TpmKeymasterEnforcement::CreateKeyId(const keymaster_key_blob_t& key_blob,
+ km_id_t* keyid) const {
auto signing_key_builder = PrimaryKeyBuilder();
signing_key_builder.SigningKey();
signing_key_builder.UniqueData("key_id");
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.h b/host/commands/secure_env/tpm_keymaster_enforcement.h
index 8db5930..1178932 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.h
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.h
@@ -28,22 +28,22 @@
* system/keymaster/include/keymaster/keymaster_enforcement.h
*/
class TpmKeymasterEnforcement : public keymaster::KeymasterEnforcement {
-public:
- TpmKeymasterEnforcement(
- TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper);
+ public:
+ TpmKeymasterEnforcement(TpmResourceManager& resource_manager,
+ TpmGatekeeper& gatekeeper);
~TpmKeymasterEnforcement();
bool activation_date_valid(uint64_t activation_date) const override;
bool expiration_date_passed(uint64_t expiration_date) const override;
- bool auth_token_timed_out(
- const hw_auth_token_t& token, uint32_t timeout) const override;
+ bool auth_token_timed_out(const hw_auth_token_t& token,
+ uint32_t timeout) const override;
uint64_t get_current_time_ms() const override;
keymaster_security_level_t SecurityLevel() const override;
bool ValidateTokenSignature(const hw_auth_token_t& token) const override;
keymaster_error_t GetHmacSharingParameters(
- keymaster::HmacSharingParameters* params) override;
+ keymaster::HmacSharingParameters* params) override;
keymaster_error_t ComputeSharedHmac(
const keymaster::HmacSharingParametersArray& params_array,
keymaster::KeymasterBlob* sharingCheck) override;
@@ -54,11 +54,13 @@
keymaster_error_t GenerateTimestampToken(
keymaster::TimestampToken* token) override;
- bool CreateKeyId(
- const keymaster_key_blob_t& key_blob,
- keymaster::km_id_t* keyid) const override;
+ keymaster::KmErrorOr<std::array<uint8_t, 32>> ComputeHmac(
+ const std::vector<uint8_t>& data_to_mac) const override;
-private:
+ bool CreateKeyId(const keymaster_key_blob_t& key_blob,
+ keymaster::km_id_t* keyid) const override;
+
+ private:
TpmResourceManager& resource_manager_;
TpmGatekeeper& gatekeeper_;
bool have_saved_params_ = false;
diff --git a/shared/sepolicy/vendor/genfs_contexts b/shared/sepolicy/vendor/genfs_contexts
index 0242dea..542db04 100644
--- a/shared/sepolicy/vendor/genfs_contexts
+++ b/shared/sepolicy/vendor/genfs_contexts
@@ -48,7 +48,7 @@
genfscon sysfs /devices/virtual/mac80211_hwsim/hwsim1/net u:object_r:sysfs_net:s0
# crosvm (arm64)
-cf_pci_block_device(/devices/platform/10000.pci, 0xb, 10)
+cf_pci_block_device(/devices/platform/10000.pci/pci0000:00, 0xb, 10)
cf_pci_gpu_device(/devices/platform/10000.pci/pci0000:00, 0x2)
## find /sys/devices/platform/* -type d -name 'rtc[0-9]' | sed 's,/rtc[0-9],,'
genfscon sysfs /devices/platform/2000.rtc/rtc u:object_r:sysfs_rtc:s0
