commit 3506d336f6f36250e4d400610a2a6994c83314c9
author Janis Danisevskis <jdanis@google.com> Tue Dec 19 16:27:28 2017 -0800
committer Janis Danisevskis <jdanis@google.com> Wed Dec 27 16:38:09 2017 -0800
tree 4e31a414f8d6fc40abd3e9e3d33614f5ae2d4462
parent c1460141c0eea24ae004edf7a964078611f45cc6

Add Hmac Key handshake to keystore initialization

Bug: 63931634
Test: Not testable until all supporting hals are in place
Change-Id: I19584e9481a8472f14ab2007deac14adf8bab8ca

keystore/keystore_main.cpp

diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp
index 8a00a8d..31b9704 100644
--- a/keystore/keystore_main.cpp
+++ b/keystore/keystore_main.cpp
@@ -51,6 +51,8 @@
 using ::android::hardware::hidl_string;
 using ::android::hardware::hidl_vec;
 using ::android::hardware::keymaster::V4_0::SecurityLevel;
+using ::android::hardware::keymaster::V4_0::HmacSharingParameters;
+using ::android::hardware::keymaster::V4_0::ErrorCode;
 
 using keystore::Keymaster;
 using keystore::Keymaster3;
@@ -106,6 +108,52 @@
     return result;
 }
 
+void performHmacKeyHandshake(std::initializer_list<const sp<Keymaster>> keymasters) {
+    hidl_vec<HmacSharingParameters> hmacSharingParams(keymasters.size());
+    int index = 0;
+    for (const auto& km : keymasters) {
+        if (!km) continue;
+        ErrorCode ec = ErrorCode::OK;
+        auto rc =
+            km->getHmacSharingParameters([&](ErrorCode error, const HmacSharingParameters& params) {
+                ec = error;
+                if (error == ErrorCode::OK) hmacSharingParams[index] = params;
+            });
+        CHECK(rc.isOk()) << "Communication error while calling getHmacSharingParameters on"
+                            " Keymaster with index: "
+                         << index;
+        CHECK(ec == ErrorCode::OK) << "Failed to get HmacSharingParameters from"
+                                      " Keymaster with index: "
+                                   << index;
+        ++index;
+    }
+    hmacSharingParams.resize(index);
+    hidl_vec<uint8_t> sharingCheck;
+    index = 0;
+    for (const auto& km : keymasters) {
+        if (!km) continue;
+        ErrorCode ec = ErrorCode::OK;
+        auto rc = km->computeSharedHmac(
+            hmacSharingParams, [&](ErrorCode error, const hidl_vec<uint8_t>& sharingCheck_) {
+                ec = error;
+                if (error != ErrorCode::OK) return;
+                if (index == 0) {
+                    sharingCheck = sharingCheck_;
+                } else {
+                    CHECK(sharingCheck == sharingCheck_)
+                        << "Hmac Key computation failed (current index: " << index << ")";
+                }
+            });
+        CHECK(rc.isOk()) << "Communication error while calling computeSharedHmac on"
+                            " Keymaster with index: "
+                         << index;
+        CHECK(ec == ErrorCode::OK) << "Failed to compute shared hmac key from"
+                                      " Keymaster with index: "
+                                   << index;
+        ++index;
+    }
+}
+
 KeymasterDevices initializeKeymasters() {
     auto serviceManager = android::hidl::manager::V1_1::IServiceManager::getService();
     CHECK(serviceManager.get()) << "Failed to get ServiceManager";
@@ -113,7 +161,10 @@
     CHECK(result[SecurityLevel::TRUSTED_ENVIRONMENT] || !result[SecurityLevel::STRONGBOX])
         << "We cannot have a Strongbox keymaster implementation without a TEE implementation";
     auto softKeymaster = result[SecurityLevel::SOFTWARE];
-    if (!result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
+    if (result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
+        performHmacKeyHandshake(
+            {result[SecurityLevel::TRUSTED_ENVIRONMENT], result[SecurityLevel::STRONGBOX]});
+    } else {
         result = enumerateKeymasterDevices<Keymaster3>(serviceManager.get());
     }
     if (softKeymaster) result[SecurityLevel::SOFTWARE] = softKeymaster;