Add rollback resistance support to keymaster impl.
Test: VtsHalKeymasterV4_0TargetTest (on cuttlefish)
Change-Id: I06736e9bf74f4aa6f518773a60f50bbca50875bc
Merged-In: I06736e9bf74f4aa6f518773a60f50bbca50875bc
diff --git a/android_keymaster/keymaster_enforcement.cpp b/android_keymaster/keymaster_enforcement.cpp
index dc533a0..8f07cbf 100644
--- a/android_keymaster/keymaster_enforcement.cpp
+++ b/android_keymaster/keymaster_enforcement.cpp
@@ -337,6 +337,7 @@
/* Informational tags. */
case KM_TAG_CREATION_DATETIME:
case KM_TAG_ORIGIN:
+ case KM_TAG_ROLLBACK_RESISTANCE:
case KM_TAG_ROLLBACK_RESISTANT:
/* Tags handled when KM_TAG_USER_SECURE_ID is handled */
diff --git a/android_keymaster/keymaster_tags.cpp b/android_keymaster/keymaster_tags.cpp
index b26d0ee..8716c1f 100644
--- a/android_keymaster/keymaster_tags.cpp
+++ b/android_keymaster/keymaster_tags.cpp
@@ -77,6 +77,8 @@
return "KM_TAG_CREATION_DATETIME";
case KM_TAG_ORIGIN:
return "KM_TAG_ORIGIN";
+ case KM_TAG_ROLLBACK_RESISTANCE:
+ return "KM_TAG_ROLLBACK_RESISTANCE";
case KM_TAG_ROLLBACK_RESISTANT:
return "KM_TAG_ROLLBACK_RESISTANT";
case KM_TAG_ROOT_OF_TRUST:
@@ -164,6 +166,7 @@
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
DEFINE_KEYMASTER_TAG(KM_DATE, TAG_CREATION_DATETIME);
+DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_ROLLBACK_RESISTANCE);
DEFINE_KEYMASTER_TAG(KM_BOOL, TAG_ROLLBACK_RESISTANT);
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ROOT_OF_TRUST);
DEFINE_KEYMASTER_TAG(KM_BYTES, TAG_ASSOCIATED_DATA);
diff --git a/contexts/pure_soft_keymaster_context.cpp b/contexts/pure_soft_keymaster_context.cpp
index d782a6b..06be0fd 100644
--- a/contexts/pure_soft_keymaster_context.cpp
+++ b/contexts/pure_soft_keymaster_context.cpp
@@ -111,6 +111,10 @@
KeymasterKeyBlob* blob,
AuthorizationSet* hw_enforced,
AuthorizationSet* sw_enforced) const {
+ if (key_description.GetTagValue(TAG_ROLLBACK_RESISTANCE)) {
+ return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
+ }
+
keymaster_error_t error = SetKeyBlobAuthorizations(key_description, origin, os_version_,
os_patchlevel_, hw_enforced, sw_enforced);
if (error != KM_ERROR_OK)
diff --git a/include/keymaster/attestation_record.h b/include/keymaster/attestation_record.h
index 1f662d6..758f716 100644
--- a/include/keymaster/attestation_record.h
+++ b/include/keymaster/attestation_record.h
@@ -79,6 +79,7 @@
ASN1_OCTET_STRING* application_id;
ASN1_INTEGER* creation_date_time;
ASN1_INTEGER* origin;
+ ASN1_NULL* rollback_resistance;
ASN1_NULL* rollback_resistant;
KM_ROOT_OF_TRUST* root_of_trust;
ASN1_INTEGER* os_version;
@@ -124,6 +125,8 @@
ASN1_EXP_OPT(KM_AUTH_LIST, creation_date_time, ASN1_INTEGER,
TAG_CREATION_DATETIME.masked_tag()),
ASN1_EXP_OPT(KM_AUTH_LIST, origin, ASN1_INTEGER, TAG_ORIGIN.masked_tag()),
+ ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistance, ASN1_NULL,
+ TAG_ROLLBACK_RESISTANCE.masked_tag()),
ASN1_EXP_OPT(KM_AUTH_LIST, rollback_resistant, ASN1_NULL, TAG_ROLLBACK_RESISTANT.masked_tag()),
ASN1_EXP_OPT(KM_AUTH_LIST, root_of_trust, KM_ROOT_OF_TRUST, TAG_ROOT_OF_TRUST.masked_tag()),
ASN1_EXP_OPT(KM_AUTH_LIST, os_version, ASN1_INTEGER, TAG_OS_VERSION.masked_tag()),
diff --git a/include/keymaster/keymaster_tags.h b/include/keymaster/keymaster_tags.h
index daa7b19..071f0b1 100644
--- a/include/keymaster/keymaster_tags.h
+++ b/include/keymaster/keymaster_tags.h
@@ -159,6 +159,7 @@
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_ID);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_APPLICATION_DATA);
DECLARE_KEYMASTER_TAG(KM_DATE, TAG_CREATION_DATETIME);
+DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ROLLBACK_RESISTANCE);
DECLARE_KEYMASTER_TAG(KM_BOOL, TAG_ROLLBACK_RESISTANT);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ROOT_OF_TRUST);
DECLARE_KEYMASTER_TAG(KM_BYTES, TAG_ASSOCIATED_DATA);
diff --git a/km_openssl/attestation_record.cpp b/km_openssl/attestation_record.cpp
index 35114ca..b1687ce 100644
--- a/km_openssl/attestation_record.cpp
+++ b/km_openssl/attestation_record.cpp
@@ -220,6 +220,9 @@
case KM_TAG_ROLLBACK_RESISTANT:
bool_ptr = &record->rollback_resistant;
break;
+ case KM_TAG_ROLLBACK_RESISTANCE:
+ bool_ptr = &record->rollback_resistance;
+ break;
case KM_TAG_ALLOW_WHILE_ON_BODY:
bool_ptr = &record->allow_while_on_body;
break;