2 * Copyright (C) 2016 The Android Open Source Project
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
16 // TODO: Maybe "Keymaster" should be replaced with Keystore2 everywhere?
17 #ifndef ANDROID_VOLD_KEYMASTER_H
18 #define ANDROID_VOLD_KEYMASTER_H
20 #include "KeyBuffer.h"
26 #include <android-base/macros.h>
27 #include <keymint_support/authorization_set.h>
28 #include <keymint_support/keymint_tags.h>
30 #include <aidl/android/hardware/security/keymint/ErrorCode.h>
31 #include <aidl/android/system/keystore2/IKeystoreService.h>
32 #include <android/binder_manager.h>
37 namespace ks2 = ::aidl::android::system::keystore2;
38 namespace km = ::aidl::android::hardware::security::keymint;
40 // C++ wrappers to the Keystore2 AIDL interface.
41 // This is tailored to the needs of KeyStorage, but could be extended to be
42 // a more general interface.
44 // Wrapper for a Keystore2 operation handle representing an
45 // ongoing Keystore2 operation. Aborts the operation
46 // in the destructor if it is unfinished. Methods log failures
48 class KeymasterOperation {
50 ~KeymasterOperation();
51 // Is this instance valid? This is false if creation fails, and becomes
52 // false on finish or if an update fails.
53 explicit operator bool() const { return (bool)ks2Operation; }
54 km::ErrorCode getErrorCode() const { return errorCode; }
55 std::optional<std::string> getUpgradedBlob() const { return upgradedBlob; }
56 // Call "update" repeatedly until all of the input is consumed, and
57 // concatenate the output. Return true on success.
58 template <class TI, class TO>
59 bool updateCompletely(TI& input, TO* output) {
60 if (output) output->clear();
61 return updateCompletely(input.data(), input.size(), [&](const char* b, size_t n) {
62 if (output) std::copy(b, b + n, std::back_inserter(*output));
66 // Finish and write the output to this string, unless pointer is null.
67 bool finish(std::string* output);
69 KeymasterOperation(KeymasterOperation&& rhs) { *this = std::move(rhs); }
70 // Construct an object in an error state for error returns
71 KeymasterOperation() { errorCode = km::ErrorCode::UNKNOWN_ERROR; }
73 KeymasterOperation& operator=(KeymasterOperation&& rhs) {
74 ks2Operation = rhs.ks2Operation;
75 rhs.ks2Operation = nullptr;
77 upgradedBlob = rhs.upgradedBlob;
78 rhs.upgradedBlob = std::nullopt;
80 errorCode = rhs.errorCode;
81 rhs.errorCode = km::ErrorCode::UNKNOWN_ERROR;
87 KeymasterOperation(std::shared_ptr<ks2::IKeystoreOperation> ks2Op,
88 std::optional<std::vector<uint8_t>> blob)
89 : ks2Operation{ks2Op}, errorCode{km::ErrorCode::OK} {
91 upgradedBlob = std::optional(std::string(blob->begin(), blob->end()));
93 upgradedBlob = std::nullopt;
96 KeymasterOperation(km::ErrorCode errCode) : errorCode{errCode} {}
98 bool updateCompletely(const char* input, size_t inputLen,
99 const std::function<void(const char*, size_t)> consumer);
101 std::shared_ptr<ks2::IKeystoreOperation> ks2Operation;
102 std::optional<std::string> upgradedBlob;
103 km::ErrorCode errorCode;
104 DISALLOW_COPY_AND_ASSIGN(KeymasterOperation);
105 friend class Keymaster;
108 // Wrapper for keystore2 methods that vold uses.
112 // false if we failed to get a keystore2 security level.
113 explicit operator bool() { return (bool)securityLevel; }
114 // Generate a key using keystore2 from the given params.
115 bool generateKey(const km::AuthorizationSet& inParams, std::string* key);
116 // Exports a keystore2 key with STORAGE_KEY tag wrapped with a per-boot ephemeral key
117 bool exportKey(const KeyBuffer& kmKey, std::string* key);
118 // If supported, permanently delete a key from the keymint device it belongs to.
119 bool deleteKey(const std::string& key);
120 // Begin a new cryptographic operation, collecting output parameters if pointer is non-null
121 // If the key was upgraded as a result of a call to this method, the returned KeymasterOperation
122 // also stores the upgraded key blob.
123 KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
124 km::AuthorizationSet* outParams);
126 // Tell all Keymint devices that early boot has ended and early boot-only keys can no longer
127 // be created or used.
128 static void earlyBootEnded();
131 std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
132 DISALLOW_COPY_AND_ASSIGN(Keymaster);
136 } // namespace android