hwcryptohal: Adding hwcrypto hal vendor service
Adding hwcrypto hal vendor service delegator to forward kernel
binder requests to trusty.
Bug: 393162614
Test: cf build/ manual test
Change-Id: Ibded55a85b43d9c35322c0d3cee5af0417f5c039
diff --git a/security/see/hwcrypto/aidl/Android.bp b/security/see/hwcrypto/aidl/Android.bp
index c64b827..2115f19 100644
--- a/security/see/hwcrypto/aidl/Android.bp
+++ b/security/see/hwcrypto/aidl/Android.bp
@@ -31,6 +31,7 @@
},
frozen: true,
system_ext_specific: true,
+ vendor_available: true,
versions_with_info: [
{
version: "1",
diff --git a/security/see/hwcrypto/aidl/vts/functional/Android.bp b/security/see/hwcrypto/aidl/vts/functional/Android.bp
index 52c7feb..c2514d1 100644
--- a/security/see/hwcrypto/aidl/vts/functional/Android.bp
+++ b/security/see/hwcrypto/aidl/vts/functional/Android.bp
@@ -19,6 +19,8 @@
rust_defaults {
name: "hw_crypto_hal_aidl_rust_defaults",
enabled: false,
+ prefer_rlib: true,
+ vendor_available: true,
rustlibs: [
"libbinder_rs",
"android.hardware.security.see.hwcrypto-V1-rust",
@@ -29,6 +31,11 @@
"librpcbinder_rs",
"librustutils",
],
+ arch: {
+ arm64: {
+ enabled: true,
+ },
+ },
}
rust_library {
@@ -42,18 +49,14 @@
],
}
-rust_binary {
- name: "wait_hw_crypto",
- prefer_rlib: true,
+rust_test {
+ name: "VtsAidlHwCryptoConnTest",
+ srcs: ["connection_test.rs"],
+ require_root: true,
defaults: [
"hw_crypto_hal_aidl_rust_defaults",
],
- srcs: ["wait_service.rs"],
rustlibs: [
"libhwcryptohal_vts_test",
- "liblogger",
- "liblog_rust",
- "libanyhow",
- "libclap",
],
}
diff --git a/security/see/hwcrypto/aidl/vts/functional/AndroidTest.xml b/security/see/hwcrypto/aidl/vts/functional/AndroidTestSystem.xml
similarity index 92%
rename from security/see/hwcrypto/aidl/vts/functional/AndroidTest.xml
rename to security/see/hwcrypto/aidl/vts/functional/AndroidTestSystem.xml
index 73290cf..649be23 100644
--- a/security/see/hwcrypto/aidl/vts/functional/AndroidTest.xml
+++ b/security/see/hwcrypto/aidl/vts/functional/AndroidTestSystem.xml
@@ -27,8 +27,8 @@
<option name="push-file" key="trusty-wait-ready.sh" value="/data/local/tmp/trusty_test_vm/trusty-wait-ready.sh" />
<option name="push-file" key="wait_hw_crypto" value="/data/local/tmp/trusty_test_vm/wait_hw_crypto" />
<option name="push-file" key="trusty-test_vm-config.json" value="/data/local/tmp/trusty_test_vm/trusty-test_vm-config.json" />
- <option name="push-file" key="trusty_test_vm_elf" value="/data/local/tmp/trusty_test_vm/trusty_test_vm_elf" />
- <option name="push-file" key="VtsAidlHwCryptoConnTest" value="/data/local/tmp/VtsAidlHwCryptoConnTest" />
+ <option name="push-file" key="trusty_test_vm.elf" value="/data/local/tmp/trusty_test_vm/trusty_test_vm.elf" />
+ <option name="push-file" key="VtsAidlHwCryptoConnTestSystem" value="/data/local/tmp/VtsAidlHwCryptoConnTestSystem" />
</target_preparer>
<target_preparer class="com.android.tradefed.targetprep.RunCommandTargetPreparer">
<option name="throw-if-cmd-fail" value="true" />
@@ -47,7 +47,7 @@
<test class="com.android.tradefed.testtype.rust.RustBinaryTest" >
<option name="test-device-path" value="/data/local/tmp" />
- <option name="module-name" value="VtsAidlHwCryptoConnTest" />
+ <option name="module-name" value="VtsAidlHwCryptoConnTestSystem" />
<!-- Rust tests are run in parallel by default. Run these ones
single-threaded, so that one test's secrets don't affect
the behaviour of a different test. -->
diff --git a/security/see/hwcrypto/aidl/vts/functional/lib.rs b/security/see/hwcrypto/aidl/vts/functional/lib.rs
index e14ac83..81ae3fa 100644
--- a/security/see/hwcrypto/aidl/vts/functional/lib.rs
+++ b/security/see/hwcrypto/aidl/vts/functional/lib.rs
@@ -17,19 +17,32 @@
//! VTS test library for HwCrypto functionality.
//! It provides the base clases necessaries to write HwCrypto VTS tests
-use anyhow::{Context, Result};
+#[cfg(target_arch = "x86_64")]
+use anyhow::Context;
+use anyhow::Result;
+#[cfg(target_arch = "x86_64")]
use binder::{ExceptionCode, FromIBinder, IntoBinderResult, ParcelFileDescriptor};
+#[cfg(target_arch = "x86_64")]
use rpcbinder::RpcSession;
+#[cfg(target_arch = "x86_64")]
use vsock::VsockStream;
+#[cfg(target_arch = "x86_64")]
use std::os::fd::{FromRawFd, IntoRawFd};
+#[cfg(target_arch = "x86_64")]
use std::fs::File;
+#[cfg(target_arch = "x86_64")]
use std::io::Read;
+#[cfg(target_arch = "x86_64")]
use rustutils::system_properties;
+#[cfg(target_arch = "aarch64")]
+use android_hardware_security_see_hwcrypto::aidl::android::hardware::security::see::hwcrypto::IHwCryptoKey::BpHwCryptoKey;
use android_hardware_security_see_hwcrypto::aidl::android::hardware::security::see::hwcrypto::IHwCryptoKey::IHwCryptoKey;
+#[cfg(target_arch = "x86_64")]
const HWCRYPTO_SERVICE_PORT: u32 = 4;
/// Local function to connect to service
+#[cfg(target_arch = "x86_64")]
pub fn connect_service<T: FromIBinder + ?Sized>(
cid: u32,
port: u32,
@@ -44,7 +57,8 @@
})
}
-/// Get a HwCryptoKey binder service object
+/// Get a HwCryptoKey binder service object using a direct vsock connection
+#[cfg(target_arch = "x86_64")]
pub fn get_hwcryptokey() -> Result<binder::Strong<dyn IHwCryptoKey>, binder::Status> {
let cid = system_properties::read("trusty.test_vm.vm_cid")
.context("couldn't get vm cid")
@@ -55,3 +69,10 @@
.or_binder_exception(ExceptionCode::ILLEGAL_ARGUMENT)?;
Ok(connect_service(cid, HWCRYPTO_SERVICE_PORT)?)
}
+
+/// Get a HwCryptoKey binder service object using the service manager
+#[cfg(target_arch = "aarch64")]
+pub fn get_hwcryptokey() -> Result<binder::Strong<dyn IHwCryptoKey>, binder::Status> {
+ let interface_name = <BpHwCryptoKey as IHwCryptoKey>::get_descriptor().to_owned() + "/default";
+ Ok(binder::get_interface(&interface_name)?)
+}
diff --git a/security/see/hwcrypto/aidl/vts/functional/wait_service.rs b/security/see/hwcrypto/aidl/vts/functional/wait_service.rs
deleted file mode 100644
index 13cbcb1..0000000
--- a/security/see/hwcrypto/aidl/vts/functional/wait_service.rs
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2025, The Android Open Source Project
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-//! Small utility to wait for hwcrypto service to be up
-
-use anyhow::{/*Context,*/ Result};
-use clap::Parser;
-use log::info;
-use std::{thread, time};
-
-#[derive(Parser)]
-/// Collection of CLI for trusty_security_vm_launcher
-pub struct Args {
- /// Number of repetitions for the wait
- #[arg(long, default_value_t = 20)]
- number_repetitions: u32,
-
- /// Delay between repetitiond
- #[arg(long, default_value_t = 2)]
- delay_between_repetitions: u32,
-}
-
-fn main() -> Result<()> {
- let args = Args::parse();
-
- info!("Waiting for hwcrypto service");
- let delay = time::Duration::new(args.delay_between_repetitions.into(), 0);
- for _ in 0..args.number_repetitions {
- let hw_crypto_key = hwcryptohal_vts_test::get_hwcryptokey();
- if hw_crypto_key.is_ok() {
- break;
- }
- thread::sleep(delay);
- }
- Ok(())
-}
diff --git a/security/see/hwcrypto/default/Android.bp b/security/see/hwcrypto/default/Android.bp
new file mode 100644
index 0000000..ab23cfd
--- /dev/null
+++ b/security/see/hwcrypto/default/Android.bp
@@ -0,0 +1,140 @@
+// Copyright (C) 2025 The Android Open-Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+cc_library {
+ name: "hwcryptohallib",
+ enabled: false,
+ shared_libs: [
+ "libbase",
+ "liblog",
+ "libbinder",
+ "libbinder_ndk",
+ "libbinder_trusty",
+ "libtrusty",
+ "libutils",
+
+ // AIDL interface deps versions, please refer to below link
+ // https://source.android.com/docs/core/architecture/aidl/stable-aidl#module-naming-rules
+ "android.hardware.security.see.hwcrypto-V1-ndk",
+ "android.hardware.security.see.hwcrypto-V1-cpp",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ ],
+ srcs: ["hwcryptolib.cpp"],
+ proprietary: true,
+ arch: {
+ arm64: {
+ enabled: true,
+ },
+ },
+}
+
+cc_binary {
+ name: "android.hardware.trusty.hwcryptohal-service",
+ enabled: false,
+ relative_install_path: "hw",
+ srcs: [
+ "hwcrypto_delegator.cpp",
+ ],
+ shared_libs: [
+ "libbase",
+ "liblog",
+ "libbinder",
+ "libbinder_ndk",
+ "libbinder_trusty",
+ "libtrusty",
+ "libutils",
+ "hwcryptohallib",
+
+ // AIDL interface deps versions, please refer to below link
+ // https://source.android.com/docs/core/architecture/aidl/stable-aidl#module-naming-rules
+ "android.hardware.security.see.hwcrypto-V1-ndk",
+ "android.hardware.security.see.hwcrypto-V1-cpp",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ ],
+ proprietary: true,
+ vintf_fragments: ["android.hardware.security.see.hwcrypto-service.trusty.xml"],
+ init_rc: ["android.hardware.security.see.hwcrypto-service.trusty.rc"],
+ arch: {
+ arm64: {
+ enabled: true,
+ },
+ },
+}
+
+cc_fuzz {
+ name: "android.hardware.trusty.hwcryptohal-service_fuzzer",
+ enabled: false,
+ defaults: ["service_fuzzer_defaults"],
+ static_libs: [
+ "android.hardware.security.see.hwcrypto-V1-ndk",
+ "android.hardware.security.see.hwcrypto-V1-cpp",
+ "liblog",
+ "hwcryptohallib",
+ ],
+ shared_libs: [
+ "libbinder_trusty",
+ "libtrusty",
+ ],
+ srcs: ["fuzzer.cpp"],
+ fuzz_config: {
+ cc: [
+ "oarbildo@google.com",
+ ],
+ },
+ arch: {
+ arm64: {
+ enabled: true,
+ },
+ },
+}
+
+cc_test {
+ name: "HwCryptoHalDelegatorTests",
+ enabled: false,
+ srcs: [
+ "delegatorTest.cpp",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ "-Wextra",
+ ],
+
+ shared_libs: [
+ "libbase",
+ "liblog",
+ "libbinder",
+ "libbinder_ndk",
+ ],
+ static_libs: [
+ "android.hardware.security.see.hwcrypto-V1-ndk",
+ "android.hardware.security.see.hwcrypto-V1-cpp",
+ ],
+
+ arch: {
+ arm64: {
+ enabled: true,
+ },
+ },
+}
diff --git a/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.rc b/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.rc
new file mode 100644
index 0000000..8665755
--- /dev/null
+++ b/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.rc
@@ -0,0 +1,5 @@
+service trusty-hwcryptohal /vendor/bin/hw/android.hardware.trusty.hwcryptohal-service \
+-d ${ro.hardware.trusty_ipc_dev:-/dev/trusty-ipc-dev0}
+ class hal
+ user system
+ group system
diff --git a/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.xml b/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.xml
new file mode 100644
index 0000000..8ac0942
--- /dev/null
+++ b/security/see/hwcrypto/default/android.hardware.security.see.hwcrypto-service.trusty.xml
@@ -0,0 +1,10 @@
+<manifest version="1.0" type="device">
+ <hal format="aidl">
+ <name>android.hardware.security.see.hwcrypto</name>
+ <version>1</version>
+ <interface>
+ <name>IHwCryptoKey</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+</manifest>
\ No newline at end of file
diff --git a/security/see/hwcrypto/default/delegatorTest.cpp b/security/see/hwcrypto/default/delegatorTest.cpp
new file mode 100644
index 0000000..a80d6fd
--- /dev/null
+++ b/security/see/hwcrypto/default/delegatorTest.cpp
@@ -0,0 +1,49 @@
+#include <gtest/gtest.h>
+#include "hwcryptokeyimpl.h"
+
+int main(int argc, char** argv) {
+ ::testing::InitGoogleTest(&argc, argv);
+ return RUN_ALL_TESTS();
+}
+
+TEST(HwCryptoHalDelegator, keyPolicyCppToNdk) {
+ cpp_hwcrypto::KeyPolicy cppPolicy = cpp_hwcrypto::KeyPolicy();
+ cppPolicy.keyType = cpp_hwcrypto::types::KeyType::AES_128_CBC_PKCS7_PADDING;
+ cppPolicy.usage = cpp_hwcrypto::types::KeyUse::DECRYPT;
+ cppPolicy.keyLifetime = cpp_hwcrypto::types::KeyLifetime::PORTABLE;
+ cppPolicy.keyManagementKey = false;
+ cppPolicy.keyPermissions.push_back(
+ cpp_hwcrypto::types::KeyPermissions::ALLOW_PORTABLE_KEY_WRAPPING);
+ ndk_hwcrypto::KeyPolicy ndkPolicy = android::trusty::hwcryptohalservice::convertKeyPolicy<
+ ndk_hwcrypto::KeyPolicy, cpp_hwcrypto::KeyPolicy>(cppPolicy);
+ EXPECT_EQ(ndkPolicy.keyType, ndk_hwcrypto::types::KeyType::AES_128_CBC_PKCS7_PADDING);
+ EXPECT_EQ(ndkPolicy.usage, ndk_hwcrypto::types::KeyUse::DECRYPT);
+ EXPECT_EQ(ndkPolicy.keyLifetime, ndk_hwcrypto::types::KeyLifetime::PORTABLE);
+ EXPECT_EQ(ndkPolicy.keyManagementKey, false);
+ EXPECT_EQ(ndkPolicy.keyPermissions.size(), 1ul);
+ EXPECT_EQ(ndkPolicy.keyPermissions[0],
+ ndk_hwcrypto::types::KeyPermissions::ALLOW_PORTABLE_KEY_WRAPPING);
+}
+
+TEST(HwCryptoHalDelegator, keyPolicyNdkToCpp) {
+ ndk_hwcrypto::KeyPolicy ndkPolicy = ndk_hwcrypto::KeyPolicy();
+ ndkPolicy.keyType = ndk_hwcrypto::types::KeyType::AES_128_CTR;
+ ndkPolicy.usage = ndk_hwcrypto::types::KeyUse::ENCRYPT_DECRYPT;
+ ndkPolicy.keyLifetime = ndk_hwcrypto::types::KeyLifetime::HARDWARE;
+ ndkPolicy.keyManagementKey = true;
+ ndkPolicy.keyPermissions.push_back(
+ ndk_hwcrypto::types::KeyPermissions::ALLOW_EPHEMERAL_KEY_WRAPPING);
+ ndkPolicy.keyPermissions.push_back(
+ ndk_hwcrypto::types::KeyPermissions::ALLOW_HARDWARE_KEY_WRAPPING);
+ cpp_hwcrypto::KeyPolicy cppPolicy = android::trusty::hwcryptohalservice::convertKeyPolicy<
+ cpp_hwcrypto::KeyPolicy, ndk_hwcrypto::KeyPolicy>(ndkPolicy);
+ EXPECT_EQ(cppPolicy.keyType, cpp_hwcrypto::types::KeyType::AES_128_CTR);
+ EXPECT_EQ(cppPolicy.usage, cpp_hwcrypto::types::KeyUse::ENCRYPT_DECRYPT);
+ EXPECT_EQ(cppPolicy.keyLifetime, cpp_hwcrypto::types::KeyLifetime::HARDWARE);
+ EXPECT_EQ(cppPolicy.keyManagementKey, true);
+ EXPECT_EQ(cppPolicy.keyPermissions.size(), 2ul);
+ EXPECT_EQ(cppPolicy.keyPermissions[0],
+ cpp_hwcrypto::types::KeyPermissions::ALLOW_EPHEMERAL_KEY_WRAPPING);
+ EXPECT_EQ(cppPolicy.keyPermissions[1],
+ cpp_hwcrypto::types::KeyPermissions::ALLOW_HARDWARE_KEY_WRAPPING);
+}
\ No newline at end of file
diff --git a/security/see/hwcrypto/default/fuzzer.cpp b/security/see/hwcrypto/default/fuzzer.cpp
new file mode 100644
index 0000000..4673066
--- /dev/null
+++ b/security/see/hwcrypto/default/fuzzer.cpp
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2022 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#include <fuzzbinder/libbinder_ndk_driver.h>
+#include <fuzzer/FuzzedDataProvider.h>
+#include "hwcryptokeyimpl.h"
+
+using android::fuzzService;
+using ndk::SharedRefBase;
+
+static const char* TIPC_DEFAULT_DEVNAME = "/dev/trusty-ipc-dev0";
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto hwCryptoServer =
+ android::trusty::hwcryptohalservice::HwCryptoKey::Create(TIPC_DEFAULT_DEVNAME);
+
+ fuzzService(hwCryptoServer->asBinder().get(), FuzzedDataProvider(data, size));
+
+ return 0;
+}
diff --git a/security/see/hwcrypto/default/hwcrypto_delegator.cpp b/security/see/hwcrypto/default/hwcrypto_delegator.cpp
new file mode 100644
index 0000000..1c3528c
--- /dev/null
+++ b/security/see/hwcrypto/default/hwcrypto_delegator.cpp
@@ -0,0 +1,81 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <android-base/logging.h>
+#include <android/binder_manager.h>
+#include <android/binder_process.h>
+#include <getopt.h>
+#include <string>
+#include "hwcryptokeyimpl.h"
+
+static void showUsageAndExit(int code) {
+ LOG(ERROR) << "usage: android.hardware.trusty.hwcryptohal-service -d <trusty_dev>";
+ exit(code);
+}
+
+static void parseDeviceName(int argc, char* argv[], char*& device_name) {
+ static const char* _sopts = "h:d:";
+ static const struct option _lopts[] = {{"help", no_argument, nullptr, 'h'},
+ {"trusty_dev", required_argument, nullptr, 'd'},
+ {0, 0, 0, 0}};
+ int opt;
+ int oidx = 0;
+
+ while ((opt = getopt_long(argc, argv, _sopts, _lopts, &oidx)) != -1) {
+ switch (opt) {
+ case 'd':
+ device_name = strdup(optarg);
+ break;
+ case 'h':
+ showUsageAndExit(EXIT_SUCCESS);
+ break;
+ default:
+ LOG(ERROR) << "unrecognized option: " << opt;
+ showUsageAndExit(EXIT_FAILURE);
+ }
+ }
+
+ if (device_name == nullptr) {
+ LOG(ERROR) << "missing required argument(s)";
+ showUsageAndExit(EXIT_FAILURE);
+ }
+
+ LOG(INFO) << "starting android.hardware.trusty.hwcryptohal-service";
+ LOG(INFO) << "trusty dev: " << device_name;
+}
+
+int main(int argc, char* argv[]) {
+ char* device_name;
+ parseDeviceName(argc, argv, device_name);
+
+ auto hwCryptoServer = android::trusty::hwcryptohalservice::HwCryptoKey::Create(device_name);
+ if (hwCryptoServer == nullptr) {
+ LOG(ERROR) << "couldn't create hwcrypto service";
+ exit(EXIT_FAILURE);
+ }
+ ABinderProcess_setThreadPoolMaxThreadCount(0);
+ const std::string instance =
+ std::string() + ndk_hwcrypto::IHwCryptoKey::descriptor + "/default";
+ binder_status_t status =
+ AServiceManager_addService(hwCryptoServer->asBinder().get(), instance.c_str());
+ if (status != STATUS_OK) {
+ LOG(ERROR) << "couldn't register hwcrypto service";
+ }
+ CHECK_EQ(status, STATUS_OK);
+ ABinderProcess_joinThreadPool();
+
+ return 0;
+}
diff --git a/security/see/hwcrypto/default/hwcryptokeyimpl.h b/security/see/hwcrypto/default/hwcryptokeyimpl.h
new file mode 100644
index 0000000..19be8b4
--- /dev/null
+++ b/security/see/hwcrypto/default/hwcryptokeyimpl.h
@@ -0,0 +1,115 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <aidl/android/hardware/security/see/hwcrypto/BnHwCryptoKey.h>
+#include <aidl/android/hardware/security/see/hwcrypto/IHwCryptoKey.h>
+#include <aidl/android/hardware/security/see/hwcrypto/types/HalErrorCode.h>
+#include <android-base/logging.h>
+#include <android-base/result.h>
+#include <android/hardware/security/see/hwcrypto/IHwCryptoKey.h>
+#include <binder/RpcSession.h>
+
+// We use cpp interfaces to talk to Trusty, and ndk interfaces for the platform
+namespace cpp_hwcrypto = android::hardware::security::see::hwcrypto;
+namespace ndk_hwcrypto = aidl::android::hardware::security::see::hwcrypto;
+
+namespace android {
+namespace trusty {
+namespace hwcryptohalservice {
+
+class HwCryptoKey : public ndk_hwcrypto::BnHwCryptoKey {
+ private:
+ sp<cpp_hwcrypto::IHwCryptoKey> mHwCryptoServer;
+ sp<IBinder> mRoot;
+ sp<RpcSession> mSession;
+ android::base::Result<void> connectToTrusty(const char* tipcDev);
+
+ public:
+ HwCryptoKey();
+
+ static std::shared_ptr<HwCryptoKey> Create(const char* tipcDev);
+
+ ndk::ScopedAStatus deriveCurrentDicePolicyBoundKey(
+ const ndk_hwcrypto::IHwCryptoKey::DiceBoundDerivationKey& derivationKey,
+ ndk_hwcrypto::IHwCryptoKey::DiceCurrentBoundKeyResult* aidl_return);
+
+ ndk::ScopedAStatus deriveDicePolicyBoundKey(
+ const ndk_hwcrypto::IHwCryptoKey::DiceBoundDerivationKey& derivationKey,
+ const ::std::vector<uint8_t>& dicePolicyForKeyVersion,
+ ndk_hwcrypto::IHwCryptoKey::DiceBoundKeyResult* aidl_return);
+ ndk::ScopedAStatus deriveKey(const ndk_hwcrypto::IHwCryptoKey::DerivedKeyParameters& parameters,
+ ndk_hwcrypto::IHwCryptoKey::DerivedKey* aidl_return);
+
+ ndk::ScopedAStatus getHwCryptoOperations(
+ std::shared_ptr<ndk_hwcrypto::IHwCryptoOperations>* aidl_return);
+
+ ndk::ScopedAStatus importClearKey(const ndk_hwcrypto::types::ExplicitKeyMaterial& keyMaterial,
+ const ndk_hwcrypto::KeyPolicy& newKeyPolicy,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* aidl_return);
+
+ ndk::ScopedAStatus getCurrentDicePolicy(std::vector<uint8_t>* aidl_return);
+
+ ndk::ScopedAStatus keyTokenImport(const ndk_hwcrypto::types::OpaqueKeyToken& requestedKey,
+ const ::std::vector<uint8_t>& sealingDicePolicy,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* aidl_return);
+
+ ndk::ScopedAStatus getKeyslotData(ndk_hwcrypto::IHwCryptoKey::KeySlot slotId,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* aidl_return);
+};
+
+template <typename LHP, typename RHP>
+LHP convertKeyPolicy(const RHP& policyToConvert) {
+ LHP policy = LHP();
+ policy.usage = static_cast<decltype(policy.usage)>(policyToConvert.usage);
+ policy.keyLifetime = static_cast<decltype(policy.keyLifetime)>(policyToConvert.keyLifetime);
+ policy.keyType = static_cast<decltype(policy.keyType)>(policyToConvert.keyType);
+ policy.keyManagementKey = policyToConvert.keyManagementKey;
+ for (auto permission : policyToConvert.keyPermissions) {
+ policy.keyPermissions.push_back(
+ std::move(reinterpret_cast<decltype(policy.keyPermissions[0])>(permission)));
+ }
+ return policy;
+}
+
+template <typename CPP, typename NDK,
+ std::map<std::weak_ptr<NDK>, wp<CPP>, std::owner_less<>>& mapping>
+sp<CPP> retrieveCppBinder(const std::shared_ptr<NDK>& ndkBinder) {
+ if (ndkBinder == nullptr) {
+ return nullptr;
+ }
+ if (mapping.find(ndkBinder) == mapping.end()) {
+ LOG(ERROR) << "couldn't find wrapped key";
+ return nullptr;
+ }
+ auto cppBbinder = mapping[ndkBinder];
+ return cppBbinder.promote();
+}
+
+template <typename CPP_BINDER, typename NDK_BINDER, typename NDK_BASE,
+ std::map<std::weak_ptr<NDK_BINDER>, wp<CPP_BINDER>, std::owner_less<>>& mapping>
+void insertBinderMapping(const sp<CPP_BINDER>& cppBinder, std::shared_ptr<NDK_BINDER>* ndkBinder) {
+ std::shared_ptr<NDK_BINDER> spNdkBinder = NDK_BASE::Create(cppBinder);
+ std::weak_ptr<NDK_BINDER> wptrNdkBinder = spNdkBinder;
+ wp<CPP_BINDER> wpCppBinder = cppBinder;
+ mapping.insert({wptrNdkBinder, wpCppBinder});
+ *ndkBinder = spNdkBinder;
+}
+
+} // namespace hwcryptohalservice
+} // namespace trusty
+} // namespace android
diff --git a/security/see/hwcrypto/default/hwcryptolib.cpp b/security/see/hwcrypto/default/hwcryptolib.cpp
new file mode 100644
index 0000000..0e15883
--- /dev/null
+++ b/security/see/hwcrypto/default/hwcryptolib.cpp
@@ -0,0 +1,412 @@
+/*
+ * Copyright (C) 2025 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <aidl/android/hardware/security/see/hwcrypto/BnCryptoOperationContext.h>
+#include <aidl/android/hardware/security/see/hwcrypto/BnHwCryptoOperations.h>
+#include <aidl/android/hardware/security/see/hwcrypto/BnOpaqueKey.h>
+#include <aidl/android/hardware/security/see/hwcrypto/IOpaqueKey.h>
+#include <android-base/logging.h>
+#include <android/hardware/security/see/hwcrypto/BnHwCryptoKey.h>
+#include <binder/RpcTrusty.h>
+#include <trusty/tipc.h>
+#include <optional>
+#include <string>
+#include "hwcryptokeyimpl.h"
+
+using android::IBinder;
+using android::IInterface;
+using android::RpcSession;
+using android::RpcTrustyConnectWithSessionInitializer;
+using android::sp;
+using android::wp;
+using android::base::ErrnoError;
+using android::base::Error;
+using android::base::Result;
+using android::binder::Status;
+
+namespace android {
+namespace trusty {
+namespace hwcryptohalservice {
+
+#define HWCRYPTO_KEY_PORT "com.android.trusty.rust.hwcryptohal.V1"
+
+// Even though we get the cpp_hwcrypto::IOpaqueKey and cpp_hwcrypto::ICryptoOperationContext and
+// create the ndk_hwcrypto wrappers on this library we cannot cast them back when we need them
+// because they are received on the function calls as binder objects and there is no reliable
+// we to do this cast yet. Because of that we are creating maps to hold the wrapped objects
+// and translate them on function calls.
+// TODO: Add cleanup of both keyMapping and contextMapping once we have more test infrastructure in
+// place.
+std::map<std::weak_ptr<ndk_hwcrypto::IOpaqueKey>, wp<cpp_hwcrypto::IOpaqueKey>, std::owner_less<>>
+ keyMapping;
+std::map<std::weak_ptr<ndk_hwcrypto::ICryptoOperationContext>,
+ wp<cpp_hwcrypto::ICryptoOperationContext>, std::owner_less<>>
+ contextMapping;
+
+static ndk::ScopedAStatus convertStatus(Status status) {
+ if (status.isOk()) {
+ return ndk::ScopedAStatus::ok();
+ } else {
+ auto exCode = status.exceptionCode();
+ if (exCode == Status::Exception::EX_SERVICE_SPECIFIC) {
+ return ndk::ScopedAStatus::fromServiceSpecificErrorWithMessage(
+ status.serviceSpecificErrorCode(), status.exceptionMessage());
+ } else {
+ return ndk::ScopedAStatus::fromExceptionCodeWithMessage(exCode,
+ status.exceptionMessage());
+ }
+ }
+}
+
+static std::optional<cpp_hwcrypto::types::ExplicitKeyMaterial> convertExplicitKeyMaterial(
+ const ndk_hwcrypto::types::ExplicitKeyMaterial& keyMaterial) {
+ auto explicitKeyCpp = cpp_hwcrypto::types::ExplicitKeyMaterial();
+
+ if (keyMaterial.getTag() == ndk_hwcrypto::types::ExplicitKeyMaterial::aes) {
+ auto aesKey = keyMaterial.get<ndk_hwcrypto::types::ExplicitKeyMaterial::aes>();
+ auto aesKeyCpp = cpp_hwcrypto::types::AesKey();
+ if (aesKey.getTag() == ndk_hwcrypto::types::AesKey::aes128) {
+ aesKeyCpp.set<cpp_hwcrypto::types::AesKey::aes128>(
+ aesKey.get<ndk_hwcrypto::types::AesKey::aes128>());
+ explicitKeyCpp.set<cpp_hwcrypto::types::ExplicitKeyMaterial::aes>(aesKeyCpp);
+ } else if (aesKey.getTag() == ndk_hwcrypto::types::AesKey::aes256) {
+ aesKeyCpp.set<cpp_hwcrypto::types::AesKey::aes256>(
+ aesKey.get<ndk_hwcrypto::types::AesKey::aes256>());
+ explicitKeyCpp.set<cpp_hwcrypto::types::ExplicitKeyMaterial::aes>(aesKeyCpp);
+ } else {
+ LOG(ERROR) << "unknown AesKey type";
+ return std::nullopt;
+ }
+ } else if (keyMaterial.getTag() == ndk_hwcrypto::types::ExplicitKeyMaterial::hmac) {
+ auto hmacKey = keyMaterial.get<ndk_hwcrypto::types::ExplicitKeyMaterial::hmac>();
+ auto hmacKeyCpp = cpp_hwcrypto::types::HmacKey();
+ if (hmacKey.getTag() == ndk_hwcrypto::types::HmacKey::sha256) {
+ hmacKeyCpp.set<cpp_hwcrypto::types::HmacKey::sha256>(
+ hmacKey.get<ndk_hwcrypto::types::HmacKey::sha256>());
+ explicitKeyCpp.set<cpp_hwcrypto::types::ExplicitKeyMaterial::hmac>(hmacKeyCpp);
+ } else if (hmacKey.getTag() == ndk_hwcrypto::types::HmacKey::sha512) {
+ hmacKeyCpp.set<cpp_hwcrypto::types::HmacKey::sha512>(
+ hmacKey.get<ndk_hwcrypto::types::HmacKey::sha512>());
+ explicitKeyCpp.set<cpp_hwcrypto::types::ExplicitKeyMaterial::hmac>(hmacKeyCpp);
+ } else {
+ LOG(ERROR) << "unknown HmacKey type";
+ return std::nullopt;
+ }
+ } else {
+ LOG(ERROR) << "unknown Key type";
+ return std::nullopt;
+ }
+ return explicitKeyCpp;
+}
+
+class HwCryptoOperationContextNdk : public ndk_hwcrypto::BnCryptoOperationContext {
+ private:
+ sp<cpp_hwcrypto::ICryptoOperationContext> mContext;
+
+ public:
+ HwCryptoOperationContextNdk(sp<cpp_hwcrypto::ICryptoOperationContext> operations)
+ : mContext(std::move(operations)) {}
+
+ static std::shared_ptr<HwCryptoOperationContextNdk> Create(
+ sp<cpp_hwcrypto::ICryptoOperationContext> operations) {
+ if (operations == nullptr) {
+ return nullptr;
+ }
+ std::shared_ptr<HwCryptoOperationContextNdk> contextNdk =
+ ndk::SharedRefBase::make<HwCryptoOperationContextNdk>(std::move(operations));
+
+ if (!contextNdk) {
+ LOG(ERROR) << "failed to allocate HwCryptoOperationContext";
+ return nullptr;
+ }
+ return contextNdk;
+ }
+};
+
+// TODO: Check refactoring opportunities like returning a Result<cpp_hwcrypto::types::OperationData>
+// once we add the code that uses this function.
+Result<void> setOperationData(const ndk_hwcrypto::types::OperationData& ndkOperationData,
+ cpp_hwcrypto::types::OperationData* cppOperationData) {
+ cpp_hwcrypto::types::MemoryBufferReference cppMemBuffRef;
+ switch (ndkOperationData.getTag()) {
+ case ndk_hwcrypto::types::OperationData::dataBuffer:
+ cppOperationData->set<cpp_hwcrypto::types::OperationData::dataBuffer>(
+ ndkOperationData.get<ndk_hwcrypto::types::OperationData::dataBuffer>());
+ break;
+ case ndk_hwcrypto::types::OperationData::memoryBufferReference:
+ cppMemBuffRef.startOffset =
+ ndkOperationData
+ .get<ndk_hwcrypto::types::OperationData::memoryBufferReference>()
+ .startOffset;
+ cppMemBuffRef.sizeBytes =
+ ndkOperationData
+ .get<ndk_hwcrypto::types::OperationData::memoryBufferReference>()
+ .sizeBytes;
+ cppOperationData->set<cpp_hwcrypto::types::OperationData::memoryBufferReference>(
+ std::move(cppMemBuffRef));
+ break;
+ default:
+ // This shouldn't happen with the current definitions
+ return ErrnoError() << "received unknown operation data type";
+ }
+ return {};
+}
+
+class HwCryptoOperationsNdk : public ndk_hwcrypto::BnHwCryptoOperations {
+ private:
+ sp<cpp_hwcrypto::IHwCryptoOperations> mHwCryptoOperations;
+
+ public:
+ HwCryptoOperationsNdk(sp<cpp_hwcrypto::IHwCryptoOperations> operations)
+ : mHwCryptoOperations(std::move(operations)) {}
+
+ static std::shared_ptr<HwCryptoOperationsNdk> Create(
+ sp<cpp_hwcrypto::IHwCryptoOperations> operations) {
+ if (operations == nullptr) {
+ return nullptr;
+ }
+ std::shared_ptr<HwCryptoOperationsNdk> operationsNdk =
+ ndk::SharedRefBase::make<HwCryptoOperationsNdk>(std::move(operations));
+
+ if (!operationsNdk) {
+ LOG(ERROR) << "failed to allocate HwCryptoOperations";
+ return nullptr;
+ }
+ return operationsNdk;
+ }
+
+ ndk::ScopedAStatus processCommandList(
+ std::vector<ndk_hwcrypto::CryptoOperationSet>* /*operationSets*/,
+ std::vector<ndk_hwcrypto::CryptoOperationResult>* /*aidl_return*/) {
+ return ndk::ScopedAStatus::ok();
+ }
+};
+
+class OpaqueKeyNdk : public ndk_hwcrypto::BnOpaqueKey {
+ private:
+ sp<cpp_hwcrypto::IOpaqueKey> mOpaqueKey;
+
+ public:
+ OpaqueKeyNdk(sp<cpp_hwcrypto::IOpaqueKey> opaqueKey) : mOpaqueKey(std::move(opaqueKey)) {}
+
+ static std::shared_ptr<OpaqueKeyNdk> Create(sp<cpp_hwcrypto::IOpaqueKey> opaqueKey) {
+ if (opaqueKey == nullptr) {
+ return nullptr;
+ }
+ std::shared_ptr<OpaqueKeyNdk> opaqueKeyNdk =
+ ndk::SharedRefBase::make<OpaqueKeyNdk>(std::move(opaqueKey));
+
+ if (!opaqueKeyNdk) {
+ LOG(ERROR) << "failed to allocate HwCryptoKey";
+ return nullptr;
+ }
+ return opaqueKeyNdk;
+ }
+
+ ndk::ScopedAStatus exportWrappedKey(
+ const std::shared_ptr<ndk_hwcrypto::IOpaqueKey>& wrappingKey,
+ ::std::vector<uint8_t>* aidl_return) {
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ auto wrappingKeyNdk =
+ retrieveCppBinder<cpp_hwcrypto::IOpaqueKey, ndk_hwcrypto::IOpaqueKey, keyMapping>(
+ wrappingKey);
+ if (wrappingKeyNdk == nullptr) {
+ LOG(ERROR) << "couldn't get wrapped key";
+ return convertStatus(status);
+ }
+ status = mOpaqueKey->exportWrappedKey(wrappingKeyNdk, aidl_return);
+ return convertStatus(status);
+ }
+
+ ndk::ScopedAStatus getKeyPolicy(ndk_hwcrypto::KeyPolicy* aidl_return) {
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ if (aidl_return == nullptr) {
+ LOG(ERROR) << "return value passed to getKeyPolicy is nullptr";
+ return convertStatus(status);
+ }
+ cpp_hwcrypto::KeyPolicy cppPolicy = cpp_hwcrypto::KeyPolicy();
+
+ status = mOpaqueKey->getKeyPolicy(&cppPolicy);
+ if (status.isOk()) {
+ auto ndkPolicy =
+ convertKeyPolicy<ndk_hwcrypto::KeyPolicy, cpp_hwcrypto::KeyPolicy>(cppPolicy);
+ *aidl_return = std::move(ndkPolicy);
+ }
+ return convertStatus(status);
+ }
+
+ ndk::ScopedAStatus getPublicKey(::std::vector<uint8_t>* aidl_return) {
+ auto status = mOpaqueKey->getPublicKey(aidl_return);
+ return convertStatus(status);
+ }
+
+ ndk::ScopedAStatus getShareableToken(const ::std::vector<uint8_t>& sealingDicePolicy,
+ ndk_hwcrypto::types::OpaqueKeyToken* aidl_return) {
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ if (aidl_return == nullptr) {
+ LOG(ERROR) << "return value passed to getShareableToken is nullptr";
+ return convertStatus(status);
+ }
+ cpp_hwcrypto::types::OpaqueKeyToken binder_return;
+ status = mOpaqueKey->getShareableToken(sealingDicePolicy, &binder_return);
+ if (status.isOk()) {
+ aidl_return->keyToken = std::move(binder_return.keyToken);
+ }
+ return convertStatus(status);
+ }
+
+ ndk::ScopedAStatus setProtectionId(
+ const ndk_hwcrypto::types::ProtectionId /*protectionId*/,
+ const ::std::vector<ndk_hwcrypto::types::OperationType>& /*allowedOperations*/) {
+ return ndk::ScopedAStatus::ok();
+ }
+};
+
+Result<void> HwCryptoKey::connectToTrusty(const char* tipcDev) {
+ assert(!mSession);
+ mSession = RpcTrustyConnectWithSessionInitializer(tipcDev, HWCRYPTO_KEY_PORT, [](auto) {});
+ if (!mSession) {
+ return ErrnoError() << "failed to connect to hwcrypto";
+ }
+ mRoot = mSession->getRootObject();
+ mHwCryptoServer = cpp_hwcrypto::IHwCryptoKey::asInterface(mRoot);
+ return {};
+}
+
+HwCryptoKey::HwCryptoKey() {}
+
+std::shared_ptr<HwCryptoKey> HwCryptoKey::Create(const char* tipcDev) {
+ std::shared_ptr<HwCryptoKey> hwCrypto = ndk::SharedRefBase::make<HwCryptoKey>();
+
+ if (!hwCrypto) {
+ LOG(ERROR) << "failed to allocate HwCryptoKey";
+ return nullptr;
+ }
+
+ auto ret = hwCrypto->connectToTrusty(tipcDev);
+ if (!ret.ok()) {
+ LOG(ERROR) << "failed to connect HwCryptoKey to Trusty: " << ret.error();
+ return nullptr;
+ }
+
+ return hwCrypto;
+}
+
+ndk::ScopedAStatus HwCryptoKey::deriveCurrentDicePolicyBoundKey(
+ const ndk_hwcrypto::IHwCryptoKey::DiceBoundDerivationKey& /*derivationKey*/,
+ ndk_hwcrypto::IHwCryptoKey::DiceCurrentBoundKeyResult* /*aidl_return*/) {
+ // return mHwCryptoServer->deriveCurrentDicePolicyBoundKey(derivationKey, aidl_return);
+ return ndk::ScopedAStatus::ok();
+}
+
+ndk::ScopedAStatus HwCryptoKey::deriveDicePolicyBoundKey(
+ const ndk_hwcrypto::IHwCryptoKey::DiceBoundDerivationKey& /*derivationKey*/,
+ const ::std::vector<uint8_t>& /*dicePolicyForKeyVersion*/,
+ ndk_hwcrypto::IHwCryptoKey::DiceBoundKeyResult* /*aidl_return*/) {
+ // return mHwCryptoServer->deriveDicePolicyBoundKey(derivationKey, dicePolicyForKeyVersion,
+ // aidl_return);
+ return ndk::ScopedAStatus::ok();
+}
+
+ndk::ScopedAStatus HwCryptoKey::deriveKey(
+ const ndk_hwcrypto::IHwCryptoKey::DerivedKeyParameters& /*parameters*/,
+ ndk_hwcrypto::IHwCryptoKey::DerivedKey* /*aidl_return*/) {
+ // return mHwCryptoServer->deriveKey(parameters, aidl_return);
+ return ndk::ScopedAStatus::ok();
+}
+
+ndk::ScopedAStatus HwCryptoKey::getHwCryptoOperations(
+ std::shared_ptr<ndk_hwcrypto::IHwCryptoOperations>* aidl_return) {
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ if (aidl_return == nullptr) {
+ LOG(ERROR) << "return value passed to getHwCryptoOperations is nullptr";
+ return convertStatus(status);
+ }
+ sp<cpp_hwcrypto::IHwCryptoOperations> binder_return;
+ status = mHwCryptoServer->getHwCryptoOperations(&binder_return);
+ if (status.isOk()) {
+ std::shared_ptr<ndk_hwcrypto::IHwCryptoOperations> operations =
+ HwCryptoOperationsNdk::Create(binder_return);
+ *aidl_return = operations;
+ }
+ return convertStatus(status);
+}
+
+ndk::ScopedAStatus HwCryptoKey::importClearKey(
+ const ndk_hwcrypto::types::ExplicitKeyMaterial& keyMaterial,
+ const ndk_hwcrypto::KeyPolicy& newKeyPolicy,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* aidl_return) {
+ sp<cpp_hwcrypto::IOpaqueKey> binder_return = nullptr;
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ if (aidl_return == nullptr) {
+ LOG(ERROR) << "return value passed to importClearKey is nullptr";
+ return convertStatus(status);
+ }
+ auto cppKeyPolicy =
+ convertKeyPolicy<cpp_hwcrypto::KeyPolicy, ndk_hwcrypto::KeyPolicy>(newKeyPolicy);
+ auto explicitKeyCpp = convertExplicitKeyMaterial(keyMaterial);
+ if (!explicitKeyCpp.has_value()) {
+ LOG(ERROR) << "couldn't convert key material";
+ return convertStatus(status);
+ }
+ status = mHwCryptoServer->importClearKey(explicitKeyCpp.value(), cppKeyPolicy, &binder_return);
+ if (status.isOk()) {
+ if ((binder_return != nullptr)) {
+ insertBinderMapping<cpp_hwcrypto::IOpaqueKey, ndk_hwcrypto::IOpaqueKey, OpaqueKeyNdk,
+ keyMapping>(binder_return, aidl_return);
+ } else {
+ *aidl_return = nullptr;
+ }
+ }
+ return convertStatus(status);
+}
+
+ndk::ScopedAStatus HwCryptoKey::getCurrentDicePolicy(std::vector<uint8_t>* aidl_return) {
+ auto status = mHwCryptoServer->getCurrentDicePolicy(aidl_return);
+ return convertStatus(status);
+}
+
+ndk::ScopedAStatus HwCryptoKey::keyTokenImport(
+ const ndk_hwcrypto::types::OpaqueKeyToken& requestedKey,
+ const ::std::vector<uint8_t>& sealingDicePolicy,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* aidl_return) {
+ Status status = Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
+ if (aidl_return == nullptr) {
+ LOG(ERROR) << "return value passed to keyTokenImport is nullptr";
+ return convertStatus(status);
+ }
+ sp<cpp_hwcrypto::IOpaqueKey> binder_return;
+ cpp_hwcrypto::types::OpaqueKeyToken requestedKeyCpp;
+ // trying first a shallow copy of the vector
+ requestedKeyCpp.keyToken = requestedKey.keyToken;
+ status = mHwCryptoServer->keyTokenImport(requestedKeyCpp, sealingDicePolicy, &binder_return);
+ if (status.isOk()) {
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey> opaqueKey = OpaqueKeyNdk::Create(binder_return);
+ *aidl_return = opaqueKey;
+ }
+ return convertStatus(status);
+}
+
+ndk::ScopedAStatus HwCryptoKey::getKeyslotData(
+ ndk_hwcrypto::IHwCryptoKey::KeySlot /*slotId*/,
+ std::shared_ptr<ndk_hwcrypto::IOpaqueKey>* /*aidl_return*/) {
+ return ndk::ScopedAStatus::fromServiceSpecificError(
+ ndk_hwcrypto::types::HalErrorCode::UNAUTHORIZED);
+}
+
+} // namespace hwcryptohalservice
+} // namespace trusty
+} // namespace android