blob: f002422a28536616d46ef2d878fea15c0da9c27d [file] [log] [blame]
David Drysdale30196cf2023-12-02 19:24:15 +00001/*
2 * Copyright (C) 2023 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17//! Local in-process implementation of the KeyMint TA. This is insecure and should
18//! only be used for testing purposes.
19
20// This crate is `std` using, but some of the code uses macros from a `no_std` world.
21extern crate alloc;
22
23use kmr_common::crypto;
24use kmr_crypto_boring::{
25 aes::BoringAes, aes_cmac::BoringAesCmac, des::BoringDes, ec::BoringEc, eq::BoringEq,
26 hmac::BoringHmac, rng::BoringRng, rsa::BoringRsa, sha256::BoringSha256,
27};
28use kmr_ta::device::{
29 BootloaderDone, CsrSigningAlgorithm, Implementation, TrustedPresenceUnsupported,
30};
31use kmr_ta::{HardwareInfo, KeyMintTa, RpcInfo, RpcInfoV3};
32use kmr_wire::keymint::SecurityLevel;
33use kmr_wire::rpc::MINIMUM_SUPPORTED_KEYS_IN_CSR;
34use log::info;
35
36pub mod attest;
37pub mod clock;
38pub mod rpc;
39pub mod soft;
40
41/// Build a set of crypto trait implementations based around BoringSSL and the standard library
42/// clock.
43pub fn boringssl_crypto_impls() -> crypto::Implementation {
44 let rng = BoringRng;
45 let clock = clock::StdClock::new();
46 let rsa = BoringRsa::default();
47 let ec = BoringEc::default();
48 crypto::Implementation {
49 rng: Box::new(rng),
50 clock: Some(Box::new(clock)),
51 compare: Box::new(BoringEq),
52 aes: Box::new(BoringAes),
53 des: Box::new(BoringDes),
54 hmac: Box::new(BoringHmac),
55 rsa: Box::new(rsa),
56 ec: Box::new(ec),
57 ckdf: Box::new(BoringAesCmac),
58 hkdf: Box::new(BoringHmac),
59 sha256: Box::new(BoringSha256),
60 }
61}
62
63/// Build a [`kmr_ta::KeyMintTa`] instance for nonsecure use.
64pub fn build_ta() -> kmr_ta::KeyMintTa {
65 info!("Building NON-SECURE KeyMint Rust TA");
66 let hw_info = HardwareInfo {
67 version_number: 1,
68 security_level: SecurityLevel::TrustedEnvironment,
69 impl_name: "Rust reference implementation",
70 author_name: "Google",
71 unique_id: "NON-SECURE KeyMint TA",
72 };
73 let rpc_sign_algo = CsrSigningAlgorithm::EdDSA;
74 let rpc_info_v3 = RpcInfoV3 {
75 author_name: "Google",
76 unique_id: "NON-SECURE KeyMint TA",
77 fused: false,
78 supported_num_of_keys_in_csr: MINIMUM_SUPPORTED_KEYS_IN_CSR,
79 };
80
81 let sign_info = attest::CertSignInfo::new();
82 let keys: Box<dyn kmr_ta::device::RetrieveKeyMaterial> = Box::new(soft::Keys);
83 let rpc: Box<dyn kmr_ta::device::RetrieveRpcArtifacts> = Box::new(soft::RpcArtifacts::new(
84 soft::Derive::default(),
85 rpc_sign_algo,
86 ));
87 let dev = Implementation {
88 keys,
David Drysdalefe5f33a2024-03-13 13:04:03 +000089 sign_info: Some(Box::new(sign_info)),
David Drysdale30196cf2023-12-02 19:24:15 +000090 // HAL populates attestation IDs from properties.
91 attest_ids: None,
92 sdd_mgr: None,
93 // `BOOTLOADER_ONLY` keys not supported.
94 bootloader: Box::new(BootloaderDone),
95 // `STORAGE_KEY` keys not supported.
96 sk_wrapper: None,
97 // `TRUSTED_USER_PRESENCE_REQUIRED` keys not supported
98 tup: Box::new(TrustedPresenceUnsupported),
99 // No support for converting previous implementation's keyblobs.
100 legacy_key: None,
101 rpc,
102 };
103 KeyMintTa::new(
104 hw_info,
105 RpcInfo::V3(rpc_info_v3),
106 boringssl_crypto_impls(),
107 dev,
108 )
109}