Add utility method to perform HMAC agreement
To make it easier for clients (vold & keystore) to perform key
agreement, this CL adds a service method that does it. To make key
agreement consistent, this method sorts the HMAC sharing parameters
lexicographically. The requirement for sorting is documented in the
HAL.
Test: Boot device
Bug: 79307225
Bug: 78766190
Change-Id: Idb224f27f8e4426281d9a0105605ba22bf7c7e95
diff --git a/keymaster/4.0/support/Keymaster.cpp b/keymaster/4.0/support/Keymaster.cpp
index fac0017..066bca4 100644
--- a/keymaster/4.0/support/Keymaster.cpp
+++ b/keymaster/4.0/support/Keymaster.cpp
@@ -16,24 +16,73 @@
#include <keymasterV4_0/Keymaster.h>
+#include <iomanip>
+
#include <android-base/logging.h>
#include <android/hidl/manager/1.0/IServiceManager.h>
#include <keymasterV4_0/Keymaster3.h>
#include <keymasterV4_0/Keymaster4.h>
+#include <keymasterV4_0/key_param_output.h>
+#include <keymasterV4_0/keymaster_utils.h>
namespace android {
namespace hardware {
+
+template <class T>
+std::ostream& operator<<(std::ostream& os, const hidl_vec<T>& vec) {
+ os << "{ ";
+ if (vec.size()) {
+ for (size_t i = 0; i < vec.size() - 1; ++i) os << vec[i] << ", ";
+ os << vec[vec.size() - 1];
+ }
+ os << " }";
+ return os;
+}
+
+std::ostream& operator<<(std::ostream& os, const hidl_vec<uint8_t>& vec) {
+ std::ios_base::fmtflags flags(os.flags());
+ os << std::setw(2) << std::setfill('0') << std::hex;
+ for (uint8_t c : vec) os << static_cast<int>(c);
+ os.flags(flags);
+ return os;
+}
+
+template <size_t N>
+std::ostream& operator<<(std::ostream& os, const hidl_array<uint8_t, N>& vec) {
+ std::ios_base::fmtflags flags(os.flags());
+ os << std::setw(2) << std::setfill('0') << std::hex;
+ for (size_t i = 0; i < N; ++i) os << static_cast<int>(vec[i]);
+ os.flags(flags);
+ return os;
+}
+
namespace keymaster {
namespace V4_0 {
+
+std::ostream& operator<<(std::ostream& os, const HmacSharingParameters& params) {
+ // Note that by design, although seed and nonce are used to compute a secret, they are
+ // not secrets and it's just fine to log them.
+ os << "(seed: " << params.seed << ", nonce: " << params.nonce << ')';
+ return os;
+}
+
namespace support {
using ::android::sp;
using ::android::hidl::manager::V1_0::IServiceManager;
+std::ostream& operator<<(std::ostream& os, const Keymaster& keymaster) {
+ auto& version = keymaster.halVersion();
+ os << version.keymasterName << " from " << version.authorName
+ << " SecurityLevel: " << toString(version.securityLevel)
+ << " HAL: " << keymaster.descriptor() << "/" << keymaster.instanceName();
+ return os;
+}
+
template <typename Wrapper>
std::vector<std::unique_ptr<Keymaster>> enumerateDevices(
const sp<IServiceManager>& serviceManager) {
- std::vector<std::unique_ptr<Keymaster>> result;
+ Keymaster::KeymasterSet result;
bool foundDefault = false;
auto& descriptor = Wrapper::WrappedIKeymasterDevice::descriptor;
@@ -57,7 +106,7 @@
return result;
}
-std::vector<std::unique_ptr<Keymaster>> Keymaster::enumerateAvailableDevices() {
+Keymaster::KeymasterSet Keymaster::enumerateAvailableDevices() {
auto serviceManager = IServiceManager::getService();
CHECK(serviceManager) << "Could not retrieve ServiceManager";
@@ -73,18 +122,62 @@
size_t i = 1;
LOG(INFO) << "List of Keymaster HALs found:";
- for (auto& hal : result) {
- auto& version = hal->halVersion();
- LOG(INFO) << "Keymaster HAL #" << i << ": " << version.keymasterName << " from "
- << version.authorName << " SecurityLevel: " << toString(version.securityLevel)
- << " HAL : " << hal->descriptor() << " instance " << hal->instanceName();
- }
+ for (auto& hal : result) LOG(INFO) << "Keymaster HAL #" << i++ << ": " << *hal;
return result;
}
+static hidl_vec<HmacSharingParameters> getHmacParameters(
+ const Keymaster::KeymasterSet& keymasters) {
+ std::vector<HmacSharingParameters> params_vec;
+ params_vec.reserve(keymasters.size());
+ for (auto& keymaster : keymasters) {
+ if (keymaster->halVersion().majorVersion < 4) continue;
+ auto rc = keymaster->getHmacSharingParameters([&](auto error, auto& params) {
+ CHECK(error == ErrorCode::OK)
+ << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
+ params_vec.push_back(params);
+ });
+ CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
+ << " error: " << rc.description();
+ }
+ std::sort(params_vec.begin(), params_vec.end());
+
+ return params_vec;
+}
+
+static void computeHmac(const Keymaster::KeymasterSet& keymasters,
+ const hidl_vec<HmacSharingParameters>& params) {
+ if (!params.size()) return;
+
+ hidl_vec<uint8_t> sharingCheck;
+ bool firstKeymaster = true;
+ LOG(DEBUG) << "Computing HMAC with params " << params;
+ for (auto& keymaster : keymasters) {
+ if (keymaster->halVersion().majorVersion < 4) continue;
+ LOG(DEBUG) << "Computing HMAC for " << *keymaster;
+ auto rc = keymaster->computeSharedHmac(params, [&](auto error, auto& curSharingCheck) {
+ CHECK(error == ErrorCode::OK)
+ << "Failed to get HMAC parameters from " << *keymaster << " error " << error;
+ if (firstKeymaster) {
+ sharingCheck = curSharingCheck;
+ firstKeymaster = false;
+ }
+ // TODO: Validate that curSharingCheck == sharingCheck. b/77588764
+ // CHECK(curSharingCheck == sharingCheck) << "HMAC computation failed for " <<
+ // *keymaster;
+ });
+ CHECK(rc.isOk()) << "Failed to communicate with " << *keymaster
+ << " error: " << rc.description();
+ }
+}
+
+void Keymaster::performHmacKeyAgreement(const KeymasterSet& keymasters) {
+ computeHmac(keymasters, getHmacParameters(keymasters));
+}
+
} // namespace support
} // namespace V4_0
} // namespace keymaster
} // namespace hardware
-}; // namespace android
+} // namespace android