KeyStore: use security level to chose keymaster device
Keymaster4 introduces security levels. Android devices
may have multiple keymaster implementations, one for each
possible security level, where the presence of a strong
security level implies the presence of all lower levels.
This patch adds code that enumerates all keymaster device
implementations available from ServiceManager and populates
Keystore's keymaster device database with at most one keymaster
implementation per security level. It gives precedence to
newer versions if multiple implementations exist for the same security
level.
The security level is chosen by a set of flags passed to the keystore
operations generate, import, addRngEntropy.
For existing keys the right security level is chosen by the blob flags.
To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the
security level is expressed through a combination of
KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S).
Encoding is as follows:
F S
Software 1 X (don't care)
TEE 0 0
Strongbox 0 1
Some operations in keystore cli2 where amended with the optional
--seclevel flags. Allowing the user to chose the security level for the
given operation. Possible options are "software", "strongbox", and "tee"
where tee is the default value.
Test: Existing KeyStore CTS tests run
Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
diff --git a/keystore/KeyStore.h b/keystore/KeyStore.h
index 463ed8e..cfc5c31 100644
--- a/keystore/KeyStore.h
+++ b/keystore/KeyStore.h
@@ -32,29 +32,42 @@
using ::android::sp;
+class KeymasterDevices : public std::array<sp<Keymaster>, 3> {
+ public:
+ sp<Keymaster>& operator[](SecurityLevel secLevel);
+ sp<Keymaster> operator[](SecurityLevel secLevel) const;
+};
+
class KeyStore {
public:
- KeyStore(Entropy* entropy, const sp<Keymaster>& device, const sp<Keymaster>& fallback,
- bool allowNewFallback);
+ KeyStore(Entropy* entropy, const KeymasterDevices& kmDevices,
+ SecurityLevel minimalAllowedSecurityLevelForNewKeys);
~KeyStore();
- sp<Keymaster>& getDevice() { return mDevice; }
+ sp<Keymaster> getDevice(SecurityLevel securityLevel) const { return mKmDevices[securityLevel]; }
- NullOr<sp<Keymaster>&> getFallbackDevice() {
+ std::pair<sp<Keymaster>, SecurityLevel> getMostSecureDevice() const {
+ SecurityLevel level = SecurityLevel::STRONGBOX;
+ do {
+ if (mKmDevices[level].get()) {
+ return {mKmDevices[level], level};
+ }
+ level = static_cast<SecurityLevel>(static_cast<uint32_t>(level) - 1);
+ } while (level != SecurityLevel::SOFTWARE);
+ return {nullptr, SecurityLevel::SOFTWARE};
+ }
+
+ sp<Keymaster> getFallbackDevice() const {
// we only return the fallback device if the creation of new fallback key blobs is
// allowed. (also see getDevice below)
if (mAllowNewFallback) {
- return mFallbackDevice;
+ return mKmDevices[SecurityLevel::SOFTWARE];
} else {
- return {};
+ return nullptr;
}
}
- sp<Keymaster>& getDevice(const Blob& blob) {
- // We return a device, based on the nature of the blob to provide backward
- // compatibility with old key blobs generated using the fallback device.
- return blob.isFallback() ? mFallbackDevice : mDevice;
- }
+ sp<Keymaster> getDevice(const Blob& blob) { return mKmDevices[blob.getSecurityLevel()]; }
ResponseCode initialize();
@@ -129,8 +142,7 @@
static const android::String16 kEcKeyType;
Entropy* mEntropy;
- sp<Keymaster> mDevice;
- sp<Keymaster> mFallbackDevice;
+ KeymasterDevices mKmDevices;
bool mAllowNewFallback;
android::Vector<UserState*> mMasterKeys;