| /* |
| * Copyright (C) 2016-2017 The Android Open Source Project |
| * |
| * Licensed under the Apache License, Version 2.0 (the "License"); |
| * you may not use this file except in compliance with the License. |
| * You may obtain a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 |
| * |
| * Unless required by applicable law or agreed to in writing, software |
| * distributed under the License is distributed on an "AS IS" BASIS, |
| * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions and |
| * limitations under the License. |
| */ |
| |
| #include <assert.h> |
| #include <lk/compiler.h> |
| #include <uapi/err.h> |
| #include <stddef.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| |
| #include <trusty_std.h> |
| #include <interface/hwkey/hwkey.h> |
| |
| #include "common.h" |
| #include "uuids.h" |
| #include "hwkey_srv_priv.h" |
| |
| #define TLOG_LVL TLOG_LVL_DEFAULT |
| #define TLOG_TAG "hwkey_srv" |
| #include "tlog.h" |
| |
| #define HWKEY_MAX_PAYLOAD_SIZE 2048 |
| |
| struct hwkey_chan_ctx { |
| tipc_event_handler_t evt_handler; |
| handle_t chan; |
| uuid_t uuid; |
| }; |
| |
| static void hwkey_port_handler(const uevent_t *ev, void *priv); |
| static void hwkey_chan_handler(const uevent_t *ev, void *priv); |
| |
| static tipc_event_handler_t hwkey_port_evt_handler = { |
| .proc = hwkey_port_handler, |
| }; |
| |
| /* Make sure that key_data and reg_data buffers are not crossing page boundary so it is |
| * safe to pass them to DMA. An extra byte for req_data buf is used to zero terminate string |
| * so it is OK to have it on separate page as it will never be accesed by DMA engine. |
| */ |
| static uint8_t key_data[HWKEY_MAX_PAYLOAD_SIZE] __attribute__((aligned(HWKEY_MAX_PAYLOAD_SIZE))); |
| static uint8_t req_data[HWKEY_MAX_PAYLOAD_SIZE+1] __attribute__((aligned(HWKEY_MAX_PAYLOAD_SIZE))); |
| |
| static uint key_slot_cnt; |
| static const struct hwkey_keyslot *key_slots; |
| |
| |
| #if WITH_HWCRYPTO_UNITTEST |
| /* |
| * Support for hwcrypto unittest keys should be only enabled |
| * to test hwcrypto related APIs |
| */ |
| |
| /* UUID of HWCRYPTO_UNITTEST application */ |
| static const uuid_t hwcrypto_unittest_uuid = HWCRYPTO_UNITTEST_APP_UUID; |
| |
| static uint8_t _unittest_key32[32] = "unittestkeyslotunittestkeyslotun"; |
| static uint32_t get_unittest_key32(const struct hwkey_keyslot *slot, |
| uint8_t *kbuf, size_t kbuf_len, size_t *klen) |
| { |
| assert(kbuf); |
| assert(klen); |
| assert(kbuf_len >= sizeof(_unittest_key32)); |
| |
| /* just return predefined key */ |
| memcpy(kbuf, _unittest_key32, sizeof(_unittest_key32)); |
| *klen = sizeof(_unittest_key32); |
| |
| return HWKEY_NO_ERROR; |
| } |
| |
| static const struct hwkey_keyslot test_key_slots[] = { |
| { |
| .uuid = &hwcrypto_unittest_uuid, |
| .key_id = "com.android.trusty.hwcrypto.unittest.key32", |
| .handler = get_unittest_key32, |
| }, |
| }; |
| #endif /* WITH_HWCRYPTO_UNITTEST */ |
| |
| /* |
| * Close specified hwkey context |
| */ |
| static void hwkey_ctx_close(struct hwkey_chan_ctx *ctx) |
| { |
| close(ctx->chan); |
| free(ctx); |
| } |
| |
| /* |
| * Send response message |
| */ |
| static int hwkey_send_rsp(struct hwkey_chan_ctx *ctx, |
| struct hwkey_msg *rsp_hdr, |
| uint8_t *rsp_data, size_t rsp_data_len) |
| { |
| rsp_hdr->cmd |= HWKEY_RESP_BIT; |
| return tipc_send_two_segments(ctx->chan, |
| rsp_hdr, sizeof(*rsp_hdr), |
| rsp_data, rsp_data_len); |
| } |
| |
| |
| static uint32_t _handle_slots(struct hwkey_chan_ctx *ctx, const char *slot_id, |
| const struct hwkey_keyslot *slots, uint slot_cnt, |
| uint8_t *kbuf, size_t kbuf_len, size_t *klen) |
| { |
| if (!slots) |
| return HWKEY_ERR_NOT_FOUND; |
| |
| for (uint i = 0; i < slot_cnt; i++, slots++) { |
| |
| /* check key id */ |
| if (strcmp(slots->key_id, slot_id)) |
| continue; |
| |
| /* Check if the caller is allowed to get that key */ |
| if (memcmp(&ctx->uuid, slots->uuid, sizeof(uuid_t)) == 0) { |
| if (slots->handler) { |
| return slots->handler(slots, kbuf, kbuf_len, klen); |
| } |
| } |
| } |
| return HWKEY_ERR_NOT_FOUND; |
| } |
| |
| |
| /* |
| * Handle get key slot command |
| */ |
| static int hwkey_handle_get_keyslot_cmd(struct hwkey_chan_ctx *ctx, |
| struct hwkey_msg *hdr, |
| const char *slot_id) |
| { |
| int rc; |
| size_t klen = 0; |
| |
| hdr->status = _handle_slots(ctx, slot_id, key_slots, key_slot_cnt, |
| key_data, sizeof(key_data), &klen); |
| |
| #if WITH_HWCRYPTO_UNITTEST |
| if (hdr->status == HWKEY_ERR_NOT_FOUND) { |
| /* also search test keys */ |
| hdr->status = _handle_slots(ctx, slot_id, |
| test_key_slots, countof(test_key_slots), |
| key_data, sizeof(key_data), &klen); |
| } |
| #endif |
| |
| rc = hwkey_send_rsp(ctx, hdr, key_data, klen); |
| if (klen) { |
| /* sanitize key buffer */ |
| memset(key_data, 0, klen); |
| } |
| return rc; |
| } |
| |
| /* |
| * Handle Derive key cmd |
| */ |
| static int hwkey_handle_derive_key_cmd(struct hwkey_chan_ctx *ctx, |
| struct hwkey_msg *hdr, |
| const uint8_t *ikm_data, size_t ikm_len) |
| { |
| int rc; |
| size_t key_len = sizeof(key_data); |
| |
| /* check requested key derivation function */ |
| if (hdr->arg1 == HWKEY_KDF_VERSION_BEST) |
| hdr->arg1 = HWKEY_KDF_VERSION_1; /* we only support V1 */ |
| |
| switch (hdr->arg1) { |
| case HWKEY_KDF_VERSION_1: |
| hdr->status = derive_key_v1(&ctx->uuid, ikm_data, ikm_len, |
| key_data, &key_len); |
| break; |
| |
| default: |
| TLOGE("%u is unsupported KDF function\n", hdr->arg1); |
| key_len = 0; |
| hdr->status = HWKEY_ERR_NOT_IMPLEMENTED; |
| } |
| |
| rc = hwkey_send_rsp(ctx, hdr, key_data, key_len); |
| if (key_len) { |
| /* sanitize key buffer */ |
| memset(key_data, 0, key_len); |
| } |
| return rc; |
| } |
| |
| /* |
| * Read and queue HWKEY request message |
| */ |
| static int hwkey_chan_handle_msg(struct hwkey_chan_ctx *ctx) |
| { |
| int rc; |
| size_t req_data_len; |
| struct hwkey_msg hdr; |
| |
| rc = tipc_recv_two_segments(ctx->chan, &hdr, sizeof(hdr), |
| req_data, sizeof(req_data) - 1); |
| if (rc < 0) { |
| TLOGE("failed (%d) to recv msg from chan %d\n", rc, ctx->chan); |
| return rc; |
| } |
| |
| /* calculate payload length */ |
| req_data_len = (size_t)rc - sizeof(hdr); |
| |
| /* handle it */ |
| switch (hdr.cmd) { |
| case HWKEY_GET_KEYSLOT: |
| req_data[req_data_len] = 0; /* force zero termination */ |
| rc = hwkey_handle_get_keyslot_cmd(ctx, &hdr, (const char *)req_data); |
| break; |
| |
| case HWKEY_DERIVE: |
| rc = hwkey_handle_derive_key_cmd(ctx, &hdr, req_data, req_data_len); |
| memset(req_data, 0, req_data_len); /* sanitize request buffer */ |
| break; |
| |
| default: |
| TLOGE("Unsupported request: %d\n", (int)hdr.cmd); |
| hdr.status = HWKEY_ERR_NOT_IMPLEMENTED; |
| rc = hwkey_send_rsp(ctx, &hdr, NULL, 0); |
| } |
| |
| return rc; |
| } |
| |
| /* |
| * HWKEY service channel event handler |
| */ |
| static void hwkey_chan_handler(const uevent_t *ev, void *priv) |
| { |
| struct hwkey_chan_ctx *ctx = priv; |
| |
| assert(ctx); |
| assert(ev->handle == ctx->chan); |
| |
| tipc_handle_chan_errors(ev); |
| |
| if (ev->event & IPC_HANDLE_POLL_HUP) { |
| /* closed by peer. */ |
| hwkey_ctx_close(ctx); |
| return; |
| } |
| |
| if (ev->event & IPC_HANDLE_POLL_MSG) { |
| int rc = hwkey_chan_handle_msg(ctx); |
| if (rc < 0) { |
| /* report an error and close channel */ |
| TLOGE("failed (%d) to handle event on channel %d\n", |
| rc, ev->handle); |
| hwkey_ctx_close(ctx); |
| } |
| } |
| } |
| |
| /* |
| * HWKEY service port event handler |
| */ |
| static void hwkey_port_handler(const uevent_t *ev, void *priv) |
| { |
| uuid_t peer_uuid; |
| |
| tipc_handle_port_errors(ev); |
| |
| if (ev->event & IPC_HANDLE_POLL_READY) { |
| /* incoming connection: accept it */ |
| int rc = accept(ev->handle, &peer_uuid); |
| if (rc < 0) { |
| TLOGE("failed (%d) to accept on port %d\n", rc, ev->handle); |
| return; |
| } |
| |
| handle_t chan = (handle_t) rc; |
| struct hwkey_chan_ctx *ctx = calloc(1, sizeof(*ctx)); |
| if (!ctx) { |
| TLOGE("failed (%d) to allocate context on chan %d\n", rc, chan); |
| close(chan); |
| return; |
| } |
| |
| /* init channel state */ |
| ctx->evt_handler.priv = ctx; |
| ctx->evt_handler.proc = hwkey_chan_handler; |
| ctx->chan = chan; |
| ctx->uuid = peer_uuid; |
| |
| rc = set_cookie(chan, &ctx->evt_handler); |
| if (rc < 0) { |
| TLOGE("failed (%d) to set_cookie on chan %d\n", rc, chan); |
| hwkey_ctx_close(ctx); |
| return; |
| } |
| } |
| } |
| |
| /* |
| * Install Key slot provider |
| */ |
| void hwkey_install_keys(const struct hwkey_keyslot *keys, uint kcnt) |
| { |
| assert(key_slots == NULL); |
| assert(key_slot_cnt == 0); |
| assert(keys && kcnt); |
| |
| key_slots = keys; |
| key_slot_cnt = kcnt; |
| } |
| |
| /* |
| * Initialize HWKEY service |
| */ |
| int hwkey_start_service(void) |
| { |
| int rc; |
| handle_t port; |
| |
| TLOGI("Start HWKEY service\n"); |
| |
| /* Initialize service */ |
| rc = port_create(HWKEY_PORT, 1, sizeof(struct hwkey_msg) + HWKEY_MAX_PAYLOAD_SIZE, |
| IPC_PORT_ALLOW_TA_CONNECT); |
| if (rc < 0) { |
| TLOGE("Failed (%d) to create port %s\n", rc, HWKEY_PORT); |
| return rc; |
| } |
| |
| port = (handle_t) rc; |
| rc = set_cookie(port, &hwkey_port_evt_handler); |
| if (rc) { |
| TLOGE("failed (%d) to set_cookie on port %d\n", rc, port); |
| close(port); |
| return rc; |
| } |
| |
| return NO_ERROR; |
| } |
