Implement a back-level KeyMint compatibility wrapper

- Implement a general back-level KeyMint wrapper, which forwards
  requests to either a back-level real device, or an up-level
  software device. Keyblobs from the latter are given a marker
  prefix and an authentication suffix.
- Add an FFI wrapper function to allow calculation of HMAC-SHA256,
  so this can be used to give an authenticated suffix to wrapped
  keyblobs.
- Abstract out the decision process for whether emulation is required
  to an EmulationDetector trait, and provide implementations for
  KeyMint V1 and for a km_compat-wrapped Keymaster.
- Impose the KeyMint V1 wrapper whenever the real device is detected to
  be a V1 implementation.
- Add support to the IKeystoreCompatService for returning a device for
  SecurityLevel::SOFTWARE. This device will always be the most recent
  KeyMint version.
- Clarify what level of IKeyMint implementation gets returned from
  the IKeystoreCompatService for the other security levels.
- Add an inner function to the km_compat code to allow unit tests
  to still work.

Co-authored-by: Janis Danisevskis <jdanis@google.com>
Bug: 194358913
Test: CtsKeystoreTestCases on oriole/bramble/cuttlefish
Change-Id: I297e8ad1cf00fd15cd5358b2760cd2ca88f53abb
diff --git a/keystore2/src/crypto/error.rs b/keystore2/src/crypto/error.rs
index c6476f9..48a2d4c 100644
--- a/keystore2/src/crypto/error.rs
+++ b/keystore2/src/crypto/error.rs
@@ -95,6 +95,10 @@
#[error("Failed to extract certificate subject.")]
ExtractSubjectFailed,
+ /// This is returned if the C implementation of hmacSha256 failed.
+ #[error("Failed to calculate HMAC-SHA256.")]
+ HmacSha256Failed,
+
/// Zvec error.
#[error(transparent)]
ZVec(#[from] zvec::Error),
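Review bot: The new `HmacSha256Failed` variant, added between `ExtractSubjectFailed` and `ZVec`, carries no detail about why the C call failed, and its doc comment does not say how a caller should treat it. Since the commit message states that this HMAC supplies the authentication suffix on wrapped keyblobs, the doc comment should make clear that the variant means the tag could not be computed at all, as distinct from a computed tag that does not match, and that a caller handling it must fail closed instead of accepting the keyblob. If the C side returns any status or length information, consider carrying it in the variant or logging it at the FFI boundary so that a failure in the field can be diagnosed from the error alone.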