Update Keystore to use keymaster2 HAL.
This CL doesn't wire in any of the new keymaster2 features, it just uses
the keymaster2 HAL rather than the keymaster1 HAL. This means that if
keymaster1 hardware is found, it is unconditionally wrapped in
SoftKeymasterDevice, so keymaster2 functionality can (eventually) be
provided.
Change-Id: Ica2cb0751e4e0a82c56c36b03f94da54ef62d9a3
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 9db333b..9fbb6bc 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -560,8 +560,8 @@
}
int32_t KeyStoreService::addRngEntropy(const uint8_t* data, size_t dataLength) {
- const keymaster1_device_t* device = mKeyStore->getDevice();
- const keymaster1_device_t* fallback = mKeyStore->getFallbackDevice();
+ const auto* device = mKeyStore->getDevice();
+ const auto* fallback = mKeyStore->getFallbackDevice();
int32_t devResult = KM_ERROR_UNIMPLEMENTED;
int32_t fallbackResult = KM_ERROR_UNIMPLEMENTED;
if (device->common.module->module_api_version >= KEYMASTER_MODULE_API_VERSION_1_0 &&
@@ -592,10 +592,10 @@
rc = KM_ERROR_UNIMPLEMENTED;
bool isFallback = false;
keymaster_key_blob_t blob;
- keymaster_key_characteristics_t* out = NULL;
+ keymaster_key_characteristics_t out = {{nullptr, 0}, {nullptr, 0}};
- const keymaster1_device_t* device = mKeyStore->getDevice();
- const keymaster1_device_t* fallback = mKeyStore->getFallbackDevice();
+ const auto* device = mKeyStore->getDevice();
+ const auto* fallback = mKeyStore->getFallbackDevice();
std::vector<keymaster_key_param_t> opParams(params.params);
const keymaster_key_param_set_t inParams = {opParams.data(), opParams.size()};
if (device == NULL) {
@@ -612,7 +612,8 @@
rc = KM_ERROR_UNIMPLEMENTED;
}
if (rc == KM_ERROR_OK) {
- rc = device->generate_key(device, &inParams, &blob, &out);
+ rc =
+ device->generate_key(device, &inParams, &blob, outCharacteristics ? &out : nullptr);
}
}
// If the HW device didn't support generate_key or generate_key failed
@@ -628,17 +629,13 @@
rc = KM_ERROR_UNIMPLEMENTED;
}
if (rc == KM_ERROR_OK) {
- rc = fallback->generate_key(fallback, &inParams, &blob, &out);
+ rc = fallback->generate_key(fallback, &inParams, &blob,
+ outCharacteristics ? &out : nullptr);
}
}
- if (out) {
- if (outCharacteristics) {
- outCharacteristics->characteristics = *out;
- } else {
- keymaster_free_characteristics(out);
- }
- free(out);
+ if (outCharacteristics) {
+ outCharacteristics->characteristics = out;
}
if (rc) {
@@ -679,18 +676,19 @@
keymaster_key_blob_t key;
key.key_material_size = keyBlob.getLength();
key.key_material = keyBlob.getValue();
- keymaster1_device_t* dev = mKeyStore->getDeviceForBlob(keyBlob);
- keymaster_key_characteristics_t* out = NULL;
+ auto* dev = mKeyStore->getDeviceForBlob(keyBlob);
+ keymaster_key_characteristics_t out = {{nullptr, 0}, {nullptr, 0}};
if (!dev->get_key_characteristics) {
- ALOGW("device does not implement get_key_characteristics");
+ ALOGE("device does not implement get_key_characteristics");
return KM_ERROR_UNIMPLEMENTED;
}
rc = dev->get_key_characteristics(dev, &key, clientId, appData, &out);
- if (out) {
- outCharacteristics->characteristics = *out;
- free(out);
+ if (rc != KM_ERROR_OK) {
+ return rc;
}
- return rc ? rc : ::NO_ERROR;
+
+ outCharacteristics->characteristics = out;
+ return ::NO_ERROR;
}
int32_t KeyStoreService::importKey(const String16& name, const KeymasterArguments& params,
@@ -706,10 +704,10 @@
rc = KM_ERROR_UNIMPLEMENTED;
bool isFallback = false;
keymaster_key_blob_t blob;
- keymaster_key_characteristics_t* out = NULL;
+ keymaster_key_characteristics_t out = {{nullptr, 0}, {nullptr, 0}};
- const keymaster1_device_t* device = mKeyStore->getDevice();
- const keymaster1_device_t* fallback = mKeyStore->getFallbackDevice();
+ const auto* device = mKeyStore->getDevice();
+ const auto* fallback = mKeyStore->getFallbackDevice();
std::vector<keymaster_key_param_t> opParams(params.params);
const keymaster_key_param_set_t inParams = {opParams.data(), opParams.size()};
const keymaster_blob_t input = {keyData, keyLength};
@@ -718,21 +716,19 @@
}
if (device->common.module->module_api_version >= KEYMASTER_MODULE_API_VERSION_1_0 &&
device->import_key != NULL) {
- rc = device->import_key(device, &inParams, format, &input, &blob, &out);
+ rc = device->import_key(device, &inParams, format, &input, &blob,
+ outCharacteristics ? &out : nullptr);
}
if (rc && fallback->import_key != NULL) {
ALOGW("Primary keymaster device failed to import key, falling back to SW.");
isFallback = true;
- rc = fallback->import_key(fallback, &inParams, format, &input, &blob, &out);
+ rc = fallback->import_key(fallback, &inParams, format, &input, &blob,
+ outCharacteristics ? &out : nullptr);
}
- if (out) {
- if (outCharacteristics) {
- outCharacteristics->characteristics = *out;
- } else {
- keymaster_free_characteristics(out);
- }
- free(out);
+ if (outCharacteristics) {
+ outCharacteristics->characteristics = out;
}
+
if (rc) {
return rc;
}
@@ -744,7 +740,7 @@
keyBlob.setFallback(isFallback);
keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
- free((void*)blob.key_material);
+ free(const_cast<uint8_t*>(blob.key_material));
return mKeyStore->put(filename.string(), &keyBlob, get_user_id(uid));
}
@@ -768,7 +764,7 @@
keymaster_key_blob_t key;
key.key_material_size = keyBlob.getLength();
key.key_material = keyBlob.getValue();
- keymaster1_device_t* dev = mKeyStore->getDeviceForBlob(keyBlob);
+ auto* dev = mKeyStore->getDeviceForBlob(keyBlob);
if (!dev->export_key) {
result->resultCode = KM_ERROR_UNIMPLEMENTED;
return;
@@ -806,7 +802,7 @@
key.key_material_size = keyBlob.getLength();
key.key_material = keyBlob.getValue();
keymaster_operation_handle_t handle;
- keymaster1_device_t* dev = mKeyStore->getDeviceForBlob(keyBlob);
+ auto* dev = mKeyStore->getDeviceForBlob(keyBlob);
keymaster_error_t err = KM_ERROR_UNIMPLEMENTED;
std::vector<keymaster_key_param_t> opParams(params.params);
Unique_keymaster_key_characteristics characteristics;
@@ -915,7 +911,7 @@
result->resultCode = KM_ERROR_INVALID_ARGUMENT;
return;
}
- const keymaster1_device_t* dev;
+ const keymaster2_device_t* dev;
keymaster_operation_handle_t handle;
keymaster_purpose_t purpose;
keymaster::km_id_t keyid;
@@ -966,7 +962,7 @@
result->resultCode = KM_ERROR_INVALID_ARGUMENT;
return;
}
- const keymaster1_device_t* dev;
+ const keymaster2_device_t* dev;
keymaster_operation_handle_t handle;
keymaster_purpose_t purpose;
keymaster::km_id_t keyid;
@@ -995,9 +991,10 @@
}
keymaster_key_param_set_t inParams = {opParams.data(), opParams.size()};
- keymaster_blob_t input = {signature, signatureLength};
- keymaster_blob_t output = {NULL, 0};
- keymaster_key_param_set_t outParams = {NULL, 0};
+ keymaster_blob_t input = {nullptr, 0};
+ keymaster_blob_t sig = {signature, signatureLength};
+ keymaster_blob_t output = {nullptr, 0};
+ keymaster_key_param_set_t outParams = {nullptr, 0};
// Check that all key authorization policy requirements are met.
keymaster::AuthorizationSet key_auths(characteristics->hw_enforced);
@@ -1010,7 +1007,9 @@
return;
}
- err = dev->finish(dev, handle, &inParams, &input, &outParams, &output);
+ err =
+ dev->finish(dev, handle, &inParams, &input /* TODO(swillden): wire up input to finish() */,
+ &sig, &outParams, &output);
// Remove the operation regardless of the result
mOperationMap.removeOperation(token);
mAuthTokenTable.MarkCompleted(handle);
@@ -1025,7 +1024,7 @@
}
int32_t KeyStoreService::abort(const sp<IBinder>& token) {
- const keymaster1_device_t* dev;
+ const keymaster2_device_t* dev;
keymaster_operation_handle_t handle;
keymaster_purpose_t purpose;
keymaster::km_id_t keyid;
@@ -1047,7 +1046,7 @@
}
bool KeyStoreService::isOperationAuthorized(const sp<IBinder>& token) {
- const keymaster1_device_t* dev;
+ const keymaster2_device_t* dev;
keymaster_operation_handle_t handle;
const keymaster_key_characteristics_t* characteristics;
keymaster_purpose_t purpose;
@@ -1185,7 +1184,7 @@
return false;
}
-bool KeyStoreService::isKeyTypeSupported(const keymaster1_device_t* device,
+bool KeyStoreService::isKeyTypeSupported(const keymaster2_device_t* device,
keymaster_keypair_t keyType) {
const int32_t device_api = device->common.module->module_api_version;
if (device_api == KEYMASTER_MODULE_API_VERSION_0_2) {
@@ -1231,7 +1230,7 @@
}
keymaster_error_t KeyStoreService::getOperationCharacteristics(
- const keymaster_key_blob_t& key, const keymaster1_device_t* dev,
+ const keymaster_key_blob_t& key, const keymaster2_device_t* dev,
const std::vector<keymaster_key_param_t>& params, keymaster_key_characteristics_t* out) {
UniquePtr<keymaster_blob_t> appId;
UniquePtr<keymaster_blob_t> appData;
@@ -1246,15 +1245,14 @@
appData->data_length = param.blob.data_length;
}
}
- keymaster_key_characteristics_t* result = NULL;
+ keymaster_key_characteristics_t result = {{nullptr, 0}, {nullptr, 0}};
if (!dev->get_key_characteristics) {
return KM_ERROR_UNIMPLEMENTED;
}
keymaster_error_t error =
dev->get_key_characteristics(dev, &key, appId.get(), appData.get(), &result);
- if (result) {
- *out = *result;
- free(result);
+ if (error == KM_ERROR_OK) {
+ *out = result;
}
return error;
}
@@ -1324,7 +1322,7 @@
const hw_auth_token_t* authToken = NULL;
mOperationMap.getOperationAuthToken(token, &authToken);
if (!authToken) {
- const keymaster1_device_t* dev;
+ const keymaster2_device_t* dev;
keymaster_operation_handle_t handle;
const keymaster_key_characteristics_t* characteristics = NULL;
keymaster_purpose_t purpose;