commit b0836ab0a9055fe5cfabaada83eb6c06e47c1519
author Seth Moore <sethmo@google.com> Fri Jan 07 17:45:53 2022 -0800
committer Seth Moore <sethmo@google.com> Mon Jan 10 09:35:28 2022 -0800
tree 0656ff85ff6932ce75aae2d8eb74bcf6d901900e
parent f735757a258d90d4fd49363994b117fd18f1126a

Implement GenerateUniqueId for PureSoftKeymasterContext

Without this, KM_TAG_INCLUDE_UNIQUE_ID is not supported by the default
implementation of KeyMint.

Test: VtsAidlKeyMintTargetTest
Change-Id: I0bc25869eee8baef53664e16dedbeda7fa28a9a7

contexts/pure_soft_keymaster_context.cpp

diff --git a/contexts/pure_soft_keymaster_context.cpp b/contexts/pure_soft_keymaster_context.cpp
index ee8bc20..292d5a0 100644
--- a/contexts/pure_soft_keymaster_context.cpp
+++ b/contexts/pure_soft_keymaster_context.cpp
@@ -387,6 +387,22 @@
     return generate_self_signed_cert(asymmetric_key, cert_params, fake_signature, error);
 }
 
+keymaster::Buffer PureSoftKeymasterContext::GenerateUniqueId(uint64_t creation_date_time,
+                                                             const keymaster_blob_t& application_id,
+                                                             bool reset_since_rotation,
+                                                             keymaster_error_t* error) const {
+    *error = KM_ERROR_OK;
+    // The default implementation fakes the hardware bound key with an arbitrary 128-bit value.
+    // Any real implementation must follow the guidance from the interface definition
+    // hardware/interfaces/security/keymint/aidl/android/hardware/security/keymint/Tag.aidl:
+    // "..a unique hardware-bound secret known to the secure environment and never revealed by it.
+    // The secret must contain at least 128 bits of entropy and be unique to the individual device"
+    const std::vector<uint8_t> fake_hbk = {'M', 'u', 's', 't', 'B', 'e', 'R', 'a',
+                                           'n', 'd', 'o', 'm', 'B', 'i', 't', 's'};
+    return keymaster::generate_unique_id(fake_hbk, creation_date_time, application_id,
+                                         reset_since_rotation);
+}
+
 static keymaster_error_t TranslateAuthorizationSetError(AuthorizationSet::Error err) {
     switch (err) {
     case AuthorizationSet::OK:

include/keymaster/contexts/pure_soft_keymaster_context.h

diff --git a/include/keymaster/contexts/pure_soft_keymaster_context.h b/include/keymaster/contexts/pure_soft_keymaster_context.h
index 2f7f098..5cd74b9 100644
--- a/include/keymaster/contexts/pure_soft_keymaster_context.h
+++ b/include/keymaster/contexts/pure_soft_keymaster_context.h
@@ -79,6 +79,9 @@
                                                    const AuthorizationSet& cert_params,
                                                    bool fake_signature,
                                                    keymaster_error_t* error) const override;
+    Buffer GenerateUniqueId(uint64_t creation_date_time, const keymaster_blob_t& application_id,
+                            bool reset_since_rotation, keymaster_error_t* error) const override;
+
     KeymasterEnforcement* enforcement_policy() override {
         // SoftKeymaster does no enforcement; it's all done by Keystore.
         return &soft_keymaster_enforcement_;