Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_vold / c5fdb4b8d331ef287a80fa556f7e801420a8ce2e / . / KeyStorage.cpp
blob: d435539948e741c1215678415d4a7fdbba8e5c8d [file] [log] [blame]
Paul Crowley1ef25582016-01-21 20:26:12 +0000[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#include "KeyStorage.h"
18
19#include "Keymaster.h"
20#include "Utils.h"
21
22#include <vector>
23
24#include <errno.h>
25#include <sys/stat.h>
26#include <sys/types.h>
27#include <sys/wait.h>
28#include <unistd.h>
29
30#include <openssl/sha.h>
31
32#include <android-base/file.h>
33#include <android-base/logging.h>
34
35#include <keymaster/authorization_set.h>
36
37namespace android {
38namespace vold {
39
40static constexpr size_t AES_KEY_BYTES = 32;
41static constexpr size_t GCM_NONCE_BYTES = 12;
42static constexpr size_t GCM_MAC_BYTES = 16;
43// FIXME: better name than "secdiscardable" sought!
44static constexpr size_t SECDISCARDABLE_BYTES = 1<<14;
45
46static const char* kRmPath = "/system/bin/rm";
47static const char* kSecdiscardPath = "/system/bin/secdiscard";
48static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
49static const char* kFn_encrypted_key = "encrypted_key";
50static const char* kFn_secdiscardable = "secdiscardable";
51
52static bool CheckSize(const std::string& kind, size_t actual, size_t expected) {
53 if (actual != expected) {
54 LOG(ERROR) << "Wrong number of bytes in " << kind << ", expected " << expected
55 << " got " << actual;
56 return false;
57 }
58 return true;
59}
60
61static std::string HashSecdiscardable(const std::string &secdiscardable) {
62 SHA512_CTX c;
63
64 SHA512_Init(&c);
65 // Personalise the hashing by introducing a fixed prefix.
66 // Hashing applications should use personalization except when there is a
67 // specific reason not to; see section 4.11 of https://www.schneier.com/skein1.3.pdf
68 std::string secdiscardable_hashing_prefix = "Android secdiscardable SHA512";
69 secdiscardable_hashing_prefix.resize(SHA512_CBLOCK);
70 SHA512_Update(&c, secdiscardable_hashing_prefix.data(), secdiscardable_hashing_prefix.size());
71 SHA512_Update(&c, secdiscardable.data(), secdiscardable.size());
72 std::string res(SHA512_DIGEST_LENGTH, '\0');
73 SHA512_Final(reinterpret_cast<uint8_t *>(&res[0]), &c);
74 return res;
75}
76
77static bool GenerateKeymasterKey(Keymaster &keymaster,
78 const keymaster::AuthorizationSet &extra_params,
79 std::string &key) {
80 keymaster::AuthorizationSetBuilder param_builder;
81 param_builder
82 .AesEncryptionKey(AES_KEY_BYTES * 8)
83 .Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_GCM)
84 .Authorization(keymaster::TAG_MIN_MAC_LENGTH, GCM_MAC_BYTES * 8)
85 .Authorization(keymaster::TAG_PADDING, KM_PAD_NONE)
86 .Authorization(keymaster::TAG_NO_AUTH_REQUIRED); // FIXME integrate with gatekeeper
87 auto params = param_builder.build();
88 params.push_back(extra_params);
89 return keymaster.GenerateKey(params, key);
90}
91
92static bool EncryptWithKeymasterKey(
93 Keymaster &keymaster,
94 const std::string &key,
95 const keymaster::AuthorizationSet &extra_params,
96 const std::string &message,
97 std::string &ciphertext) {
98 // FIXME fix repetition
99 keymaster::AuthorizationSetBuilder param_builder;
100 param_builder
101 .Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_GCM)
102 .Authorization(keymaster::TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
103 .Authorization(keymaster::TAG_PADDING, KM_PAD_NONE);
104 auto params = param_builder.build();
105 params.push_back(extra_params);
106 keymaster::AuthorizationSet out_params;
107 auto op_handle = keymaster.Begin(KM_PURPOSE_ENCRYPT, key, params, out_params);
108 if (!op_handle) return false;
109 keymaster_blob_t nonce_blob;
110 if (!out_params.GetTagValue(keymaster::TAG_NONCE, &nonce_blob)) {
111 LOG(ERROR) << "GCM encryption but no nonce generated";
112 return false;
113 }
114 // nonce_blob here is just a pointer into existing data, must not be freed
115 std::string nonce(reinterpret_cast<const char *>(nonce_blob.data), nonce_blob.data_length);
116 if (!CheckSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
117 std::string body;
118 if (!op_handle.UpdateCompletely(message, body)) return false;
119
120 std::string mac;
121 if (!op_handle.FinishWithOutput(mac)) return false;
122 if (!CheckSize("mac", mac.size(), GCM_MAC_BYTES)) return false;
123 ciphertext = nonce + body + mac;
124 return true;
125}
126
127static bool DecryptWithKeymasterKey(
128 Keymaster &keymaster, const std::string &key,
129 const keymaster::AuthorizationSet &extra_params,
130 const std::string &ciphertext,
131 std::string &message) {
132 auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
133 auto body_mac = ciphertext.substr(GCM_NONCE_BYTES);
134 // FIXME fix repetition
135 keymaster::AuthorizationSetBuilder param_builder;
136 param_builder
137 .Authorization(keymaster::TAG_BLOCK_MODE, KM_MODE_GCM)
138 .Authorization(keymaster::TAG_MAC_LENGTH, GCM_MAC_BYTES * 8)
139 .Authorization(keymaster::TAG_PADDING, KM_PAD_NONE);
140 AddStringParam(param_builder, keymaster::TAG_NONCE, nonce);
141 auto params = param_builder.build();
142 params.push_back(extra_params);
143
144 auto op_handle = keymaster.Begin(KM_PURPOSE_DECRYPT, key, params);
145 if (!op_handle) return false;
146 if (!op_handle.UpdateCompletely(body_mac, message)) return false;
147 if (!op_handle.Finish()) return false;
148 return true;
149}
150
151bool StoreKey(const std::string &dir, const std::string &key) {
152 if (TEMP_FAILURE_RETRY(mkdir(dir.c_str(), 0700)) == -1) {
153 PLOG(ERROR) << "key mkdir " << dir;
154 return false;
155 }
156 std::string secdiscardable;
157 if (ReadRandomBytes(SECDISCARDABLE_BYTES, secdiscardable) != 0) {
158 // TODO status_t plays badly with PLOG, fix it.
159 LOG(ERROR) << "Random read failed";
160 return false;
161 }
162 // FIXME create a wrapper around reads and writes which handles error logging
163 if (!android::base::WriteStringToFile(secdiscardable, dir + "/" + kFn_secdiscardable)) {
164 PLOG(ERROR) << "Unable to write secdiscardable to " << dir;
165 return false;
166 }
167 keymaster::AuthorizationSetBuilder param_builder;
168 AddStringParam(param_builder, keymaster::TAG_APPLICATION_ID,
169 HashSecdiscardable(secdiscardable));
170 auto extra_params = param_builder.build();
171 Keymaster keymaster;
172 if (!keymaster) return false;
173 std::string km_key;
174 if (!GenerateKeymasterKey(keymaster, extra_params, km_key)) return false;
175 std::string encrypted_key;
176 if (!EncryptWithKeymasterKey(
177 keymaster, km_key, extra_params, key, encrypted_key)) return false;
178 if (!android::base::WriteStringToFile(km_key, dir + "/" + kFn_keymaster_key_blob)) {
179 PLOG(ERROR) << "Unable to write keymaster_key_blob to " << dir;
180 return false;
181 }
182 if (!android::base::WriteStringToFile(encrypted_key, dir + "/" + kFn_encrypted_key)) {
183 PLOG(ERROR) << "Unable to write encrypted_key to " << dir;
184 return false;
185 }
186 return true;
187}
188
189bool RetrieveKey(const std::string &dir, std::string &key) {
190 std::string secdiscardable;
191 if (!android::base::ReadFileToString(dir + "/" + kFn_secdiscardable, &secdiscardable)) {
192 PLOG(ERROR) << "Unable to read secdiscardable from " << dir;
193 return false;
194 }
195 keymaster::AuthorizationSetBuilder param_builder;
196 AddStringParam(param_builder, keymaster::TAG_APPLICATION_ID,
197 HashSecdiscardable(secdiscardable));
198 auto extra_params = param_builder.build();
199 std::string km_key;
200 if (!android::base::ReadFileToString(dir + "/" + kFn_keymaster_key_blob, &km_key)) {
201 PLOG(ERROR) << "Unable to read keymaster_key_blob from " << dir;
202 return false;
203 }
204 std::string encrypted_message;
205 if (!android::base::ReadFileToString(dir + "/" + kFn_encrypted_key, &encrypted_message)) {
206 PLOG(ERROR) << "Unable to read encrypted_key to " << dir;
207 return false;
208 }
209 Keymaster keymaster;
210 if (!keymaster) return false;
211 return DecryptWithKeymasterKey(keymaster, km_key, extra_params, encrypted_message, key);
212}
213
214static bool DeleteKey(const std::string &dir) {
215 std::string km_key;
216 if (!android::base::ReadFileToString(dir + "/" + kFn_keymaster_key_blob, &km_key)) {
217 PLOG(ERROR) << "Unable to read keymaster_key_blob from " << dir;
218 return false;
219 }
220 Keymaster keymaster;
221 if (!keymaster) return false;
222 if (!keymaster.DeleteKey(km_key)) return false;
223 return true;
224}
225
226static bool SecdiscardSecdiscardable(const std::string &dir) {
227 if (ForkExecvp(std::vector<std::string> {
228 kSecdiscardPath, "--", dir + "/" + kFn_secdiscardable}) != 0) {
229 LOG(ERROR) << "secdiscard failed";
230 return false;
231 }
232 return true;
233}
234
235static bool RecursiveDeleteKey(const std::string &dir) {
236 if (ForkExecvp(std::vector<std::string> {
237 kRmPath, "-rf", dir}) != 0) {
238 LOG(ERROR) << "recursive delete failed";
239 return false;
240 }
241 return true;
242}
243
244bool DestroyKey(const std::string &dir) {
245 bool success = true;
246 // Try each thing, even if previous things failed.
247 success &= DeleteKey(dir);
248 success &= SecdiscardSecdiscardable(dir);
249 success &= RecursiveDeleteKey(dir);
250 return success;
251}
252
253} // namespace vold
254} // namespace android