| author | Stricted <info@stricted.net> | 2025-01-17 11:31:54 +0100 |
|---|---|---|
| committer | Stricted <info@stricted.net> | 2025-01-17 11:31:54 +0100 |
| commit | 7a7c982313e0821898ef9c696d3e12da95cfe037 (patch) | |
| tree | 5ae01539ec680fcc916ed0b3067ae24e7ff3b176 | |
| parent | 47b57f7b16ca50387b6507a8d67d59657f72da28 (diff) | |
exynos5: remove unused libkeymaster and makefilesw16.0
Change-Id: Ifeb221b5cf887d64eb2e4bd9ebe0057457dd212c
| -rw-r--r-- | Android.mk | 27 | ||||
| -rw-r--r-- | CleanSpec.mk | 50 | ||||
| -rw-r--r-- | exynos5.mk | 22 | ||||
| -rw-r--r-- | libkeymaster/Android.mk | 35 | ||||
| -rw-r--r-- | libkeymaster/NOTICE | 190 | ||||
| -rw-r--r-- | libkeymaster/keymaster_mobicore.cpp | 503 | ||||
| -rw-r--r-- | libkeymaster/tci.h | 85 | ||||
| -rw-r--r-- | libkeymaster/tlTeeKeymaster_Api.h | 262 | ||||
| -rw-r--r-- | libkeymaster/tlTeeKeymaster_log.h | 48 | ||||
| -rw-r--r-- | libkeymaster/tlcTeeKeymaster_if.c | 1092 | ||||
| -rw-r--r-- | libkeymaster/tlcTeeKeymaster_if.h | 324 |
11 files changed, 0 insertions, 2638 deletions
diff --git a/Android.mk b/Android.mk
deleted file mode 100644
index de582dc..0000000
--- a/Android.mk
+++ /dev/null
@@ -1,27 +0,0 @@
-#
-#
-# Copyright (C) 2009 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-ifeq ($(TARGET_SLSI_VARIANT),linaro)
-ifeq ($(TARGET_BOARD_PLATFORM),exynos5)
-
-# exynos5_dirs := \
- libkeymaster
-
-include $(call all-named-subdir-makefiles,$(exynos5_dirs))
-
-endif
-endif
diff --git a/CleanSpec.mk b/CleanSpec.mk
deleted file mode 100644
index 461cf26..0000000
--- a/CleanSpec.mk
+++ /dev/null
@@ -1,50 +0,0 @@
-# Copyright (C) 2007 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-# If you don't need to do a full clean build but would like to touch
-# a file or delete some intermediate files, add a clean step to the end
-# of the list. These steps will only be run once, if they haven't been
-# run before.
-#
-# E.g.:
-# $(call add-clean-step, touch -c external/sqlite/sqlite3.h)
-# $(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/STATIC_LIBRARIES/libz_intermediates)
-#
-# Always use "touch -c" and "rm -f" or "rm -rf" to gracefully deal with
-# files that are missing or have been moved.
-#
-# Use $(PRODUCT_OUT) to get to the "out/target/product/blah/" directory.
-# Use $(OUT_DIR) to refer to the "out" directory.
-#
-# If you need to re-do something that's already mentioned, just copy
-# the command and add it to the bottom of the list. E.g., if a change
-# that you made last week required touching a file and a change you
-# made today requires touching the same file, just copy the old
-# touch step and add it to the end of the list.
-#
-# ************************************************
-# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
-# ************************************************
-
-# For example:
-#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/APPS/AndroidTests_intermediates)
-#$(call add-clean-step, rm -rf $(OUT_DIR)/target/common/obj/JAVA_LIBRARIES/core_intermediates)
-#$(call add-clean-step, find $(OUT_DIR) -type f -name "IGTalkSession*" -print0 | xargs -0 rm -f)
-#$(call add-clean-step, rm -rf $(PRODUCT_OUT)/data/*)
-
-# ************************************************
-# NEWER CLEAN STEPS MUST BE AT THE END OF THE LIST
-# ************************************************
-$(call add-clean-step, rm -rf $(PRODUCT_OUT)/obj/SHARED_LIBRARIES/libMcClient_intermediates)
diff --git a/exynos5.mk b/exynos5.mk
deleted file mode 100644
index 3b56fda..0000000
--- a/exynos5.mk
+++ /dev/null
@@ -1,22 +0,0 @@
-#
-# Copyright (C) 2012 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-PRODUCT_PACKAGES += \
- gralloc.exynos5
-
-# MobiCore
-#PRODUCT_PACKAGES += \
-# mcDriverDaemon
diff --git a/libkeymaster/Android.mk b/libkeymaster/Android.mk
deleted file mode 100644
index 9950c58..0000000
--- a/libkeymaster/Android.mk
+++ /dev/null
@@ -1,35 +0,0 @@
-# Copyright (C) 2012 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-
-LOCAL_PATH := $(call my-dir)
-
-
-include $(CLEAR_VARS)
-
-MOBICORE_PATH := hardware/samsung_slsi-linaro/$(TARGET_SOC_BASE)/mobicore
-
-LOCAL_MODULE := keystore.exynos5
-LOCAL_PROPRIETARY_MODULE := true
-LOCAL_MODULE_RELATIVE_PATH := hw
-
-LOCAL_SRC_FILES := keymaster_mobicore.cpp tlcTeeKeymaster_if.c
-LOCAL_C_INCLUDES := \
- $(MOBICORE_PATH)/daemon/ClientLib/public \
- $(MOBICORE_PATH)/common/MobiCore/inc/
-LOCAL_C_FLAGS = -fvisibility=hidden -Wall -Werror
-LOCAL_SHARED_LIBRARIES := libcrypto liblog libMcClient
-LOCAL_MODULE_TAGS := optional
-LOCAL_MODULE_CLASS := SHARED_LIBRARIES
-
-include $(BUILD_SHARED_LIBRARY)
diff --git a/libkeymaster/NOTICE b/libkeymaster/NOTICE
deleted file mode 100644
index 316b4eb..0000000
--- a/libkeymaster/NOTICE
+++ /dev/null
@@ -1,190 +0,0 @@ - - Copyright (c) 2014, The Android Open Source Project - - Licensed under the Apache License, Version 2.0 (the "License"); - you may not use this file except in compliance with the License. - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - See the License for the specific language governing permissions and - limitations under the License. - - - Apache License - Version 2.0, January 2004 - http://www.apache.org/licenses/ - - TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION - - 1. Definitions. - - "License" shall mean the terms and conditions for use, reproduction, - and distribution as defined by Sections 1 through 9 of this document. - - "Licensor" shall mean the copyright owner or entity authorized by - the copyright owner that is granting the License. - - "Legal Entity" shall mean the union of the acting entity and all - other entities that control, are controlled by, or are under common - control with that entity. For the purposes of this definition, - "control" means (i) the power, direct or indirect, to cause the - direction or management of such entity, whether by contract or - otherwise, or (ii) ownership of fifty percent (50%) or more of the - outstanding shares, or (iii) beneficial ownership of such entity. - - "You" (or "Your") shall mean an individual or Legal Entity - exercising permissions granted by this License. - - "Source" form shall mean the preferred form for making modifications, - including but not limited to software source code, documentation - source, and configuration files. - - "Object" form shall mean any form resulting from mechanical - transformation or translation of a Source form, including but - not limited to compiled object code, generated documentation, - and conversions to other media types. 
- - "Work" shall mean the work of authorship, whether in Source or - Object form, made available under the License, as indicated by a - copyright notice that is included in or attached to the work - (an example is provided in the Appendix below). - - "Derivative Works" shall mean any work, whether in Source or Object - form, that is based on (or derived from) the Work and for which the - editorial revisions, annotations, elaborations, or other modifications - represent, as a whole, an original work of authorship. For the purposes - of this License, Derivative Works shall not include works that remain - separable from, or merely link (or bind by name) to the interfaces of, - the Work and Derivative Works thereof. - - "Contribution" shall mean any work of authorship, including - the original version of the Work and any modifications or additions - to that Work or Derivative Works thereof, that is intentionally - submitted to Licensor for inclusion in the Work by the copyright owner - or by an individual or Legal Entity authorized to submit on behalf of - the copyright owner. For the purposes of this definition, "submitted" - means any form of electronic, verbal, or written communication sent - to the Licensor or its representatives, including but not limited to - communication on electronic mailing lists, source code control systems, - and issue tracking systems that are managed by, or on behalf of, the - Licensor for the purpose of discussing and improving the Work, but - excluding communication that is conspicuously marked or otherwise - designated in writing by the copyright owner as "Not a Contribution." - - "Contributor" shall mean Licensor and any individual or Legal Entity - on behalf of whom a Contribution has been received by Licensor and - subsequently incorporated within the Work. - - 2. Grant of Copyright License. 
Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - copyright license to reproduce, prepare Derivative Works of, - publicly display, publicly perform, sublicense, and distribute the - Work and such Derivative Works in Source or Object form. - - 3. Grant of Patent License. Subject to the terms and conditions of - this License, each Contributor hereby grants to You a perpetual, - worldwide, non-exclusive, no-charge, royalty-free, irrevocable - (except as stated in this section) patent license to make, have made, - use, offer to sell, sell, import, and otherwise transfer the Work, - where such license applies only to those patent claims licensable - by such Contributor that are necessarily infringed by their - Contribution(s) alone or by combination of their Contribution(s) - with the Work to which such Contribution(s) was submitted. If You - institute patent litigation against any entity (including a - cross-claim or counterclaim in a lawsuit) alleging that the Work - or a Contribution incorporated within the Work constitutes direct - or contributory patent infringement, then any patent licenses - granted to You under this License for that Work shall terminate - as of the date such litigation is filed. - - 4. Redistribution. 
You may reproduce and distribute copies of the - Work or Derivative Works thereof in any medium, with or without - modifications, and in Source or Object form, provided that You - meet the following conditions: - - (a) You must give any other recipients of the Work or - Derivative Works a copy of this License; and - - (b) You must cause any modified files to carry prominent notices - stating that You changed the files; and - - (c) You must retain, in the Source form of any Derivative Works - that You distribute, all copyright, patent, trademark, and - attribution notices from the Source form of the Work, - excluding those notices that do not pertain to any part of - the Derivative Works; and - - (d) If the Work includes a "NOTICE" text file as part of its - distribution, then any Derivative Works that You distribute must - include a readable copy of the attribution notices contained - within such NOTICE file, excluding those notices that do not - pertain to any part of the Derivative Works, in at least one - of the following places: within a NOTICE text file distributed - as part of the Derivative Works; within the Source form or - documentation, if provided along with the Derivative Works; or, - within a display generated by the Derivative Works, if and - wherever such third-party notices normally appear. The contents - of the NOTICE file are for informational purposes only and - do not modify the License. You may add Your own attribution - notices within Derivative Works that You distribute, alongside - or as an addendum to the NOTICE text from the Work, provided - that such additional attribution notices cannot be construed - as modifying the License. 
- - You may add Your own copyright statement to Your modifications and - may provide additional or different license terms and conditions - for use, reproduction, or distribution of Your modifications, or - for any such Derivative Works as a whole, provided Your use, - reproduction, and distribution of the Work otherwise complies with - the conditions stated in this License. - - 5. Submission of Contributions. Unless You explicitly state otherwise, - any Contribution intentionally submitted for inclusion in the Work - by You to the Licensor shall be under the terms and conditions of - this License, without any additional terms or conditions. - Notwithstanding the above, nothing herein shall supersede or modify - the terms of any separate license agreement you may have executed - with Licensor regarding such Contributions. - - 6. Trademarks. This License does not grant permission to use the trade - names, trademarks, service marks, or product names of the Licensor, - except as required for reasonable and customary use in describing the - origin of the Work and reproducing the content of the NOTICE file. - - 7. Disclaimer of Warranty. Unless required by applicable law or - agreed to in writing, Licensor provides the Work (and each - Contributor provides its Contributions) on an "AS IS" BASIS, - WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or - implied, including, without limitation, any warranties or conditions - of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A - PARTICULAR PURPOSE. You are solely responsible for determining the - appropriateness of using or redistributing the Work and assume any - risks associated with Your exercise of permissions under this License. - - 8. Limitation of Liability. 
In no event and under no legal theory, - whether in tort (including negligence), contract, or otherwise, - unless required by applicable law (such as deliberate and grossly - negligent acts) or agreed to in writing, shall any Contributor be - liable to You for damages, including any direct, indirect, special, - incidental, or consequential damages of any character arising as a - result of this License or out of the use or inability to use the - Work (including but not limited to damages for loss of goodwill, - work stoppage, computer failure or malfunction, or any and all - other commercial damages or losses), even if such Contributor - has been advised of the possibility of such damages. - - 9. Accepting Warranty or Additional Liability. While redistributing - the Work or Derivative Works thereof, You may choose to offer, - and charge a fee for, acceptance of support, warranty, indemnity, - or other liability obligations and/or rights consistent with this - License. However, in accepting such obligations, You may act only - on Your own behalf and on Your sole responsibility, not on behalf - of any other Contributor, and only if You agree to indemnify, - defend, and hold each Contributor harmless for any liability - incurred by, or claims asserted against, such Contributor by reason - of your accepting any such warranty or additional liability. - - END OF TERMS AND CONDITIONS - diff --git a/libkeymaster/keymaster_mobicore.cpp b/libkeymaster/keymaster_mobicore.cpp deleted file mode 100644 index 0ef92e5..0000000 --- a/libkeymaster/keymaster_mobicore.cpp +++ /dev/null 
@@ -1,503 +0,0 @@ -/* - * Copyright (C) 2012 Samsung Electronics Co., LTD - * Copyright (C) 2012 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include <errno.h> -#include <string.h> -#include <stdint.h> - -#include <hardware/hardware.h> -#include <hardware/keymaster0.h> - -#include <openssl/evp.h> -#include <openssl/bio.h> -#include <openssl/rsa.h> -#include <openssl/err.h> -#include <openssl/x509.h> - -#include <UniquePtr.h> - -#define LOG_TAG "ExynosKeyMaster" -#include <cutils/log.h> - -#include <tlcTeeKeymaster_if.h> - -#define RSA_KEY_BUFFER_SIZE 1536 -#define RSA_KEY_MAX_SIZE (2048 >> 3) - -struct BIGNUM_Delete { - void operator()(BIGNUM* p) const { - BN_free(p); - } -}; -typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM; - -struct EVP_PKEY_Delete { - void operator()(EVP_PKEY* p) const { - EVP_PKEY_free(p); - } -}; -typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY; - -struct PKCS8_PRIV_KEY_INFO_Delete { - void operator()(PKCS8_PRIV_KEY_INFO* p) const { - PKCS8_PRIV_KEY_INFO_free(p); - } -}; -typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete> Unique_PKCS8_PRIV_KEY_INFO; - -struct RSA_Delete { - void operator()(RSA* p) const { - RSA_free(p); - } -}; -typedef UniquePtr<RSA, RSA_Delete> Unique_RSA; - -typedef UniquePtr<keymaster0_device_t> Unique_keymaster0_device_t; - -/** - * Many OpenSSL APIs take ownership of an argument on success but don't free the argument - * on failure. 
This means we need to tell our scoped pointers when we've transferred ownership, - * without triggering a warning by not using the result of release(). - */ -#define OWNERSHIP_TRANSFERRED(obj) \ - typeof (obj.release()) _dummy __attribute__((unused)) = obj.release() - -/* - * Checks this thread's error queue and logs if necessary. - */ -static void logOpenSSLError(const char* location) { - int error = ERR_get_error(); - - if (error != 0) { - char message[256]; - ERR_error_string_n(error, message, sizeof(message)); - ALOGE("OpenSSL error in %s %d: %s", location, error, message); - } - - ERR_clear_error(); - ERR_remove_state(0); -} - -static int exynos_km_generate_keypair(const keymaster0_device_t*, - const keymaster_keypair_t key_type, const void* key_params, - uint8_t** keyBlob, size_t* keyBlobLength) { - teeResult_t ret = TEE_ERR_NONE; - - if (key_type != TYPE_RSA) { - ALOGE("Unsupported key type %d", key_type); - return -1; - } else if (key_params == NULL) { - ALOGE("key_params == null"); - return -1; - } - - keymaster_rsa_keygen_params_t* rsa_params = (keymaster_rsa_keygen_params_t*) key_params; - - if ((rsa_params->modulus_size != 512) && - (rsa_params->modulus_size != 1024) && - (rsa_params->modulus_size != 2048)) { - ALOGE("key size(%d) is not supported\n", rsa_params->modulus_size); - return -1; - } - - UniquePtr<uint8_t> keyDataPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_BUFFER_SIZE))); - if (keyDataPtr.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - ret = TEE_RSAGenerateKeyPair(TEE_KEYPAIR_RSACRT, keyDataPtr.get(), RSA_KEY_BUFFER_SIZE, - rsa_params->modulus_size, (uint32_t)rsa_params->public_exponent, - (uint32_t *)keyBlobLength); - if (ret != TEE_ERR_NONE) { - ALOGE("TEE_RSAGenerateKeyPair() is failed: %d", ret); - return -1; - } - - *keyBlob = keyDataPtr.release(); - - return 0; -} - -static int exynos_km_import_keypair(const keymaster0_device_t*, - const uint8_t* key, const size_t key_length, - uint8_t** key_blob, size_t* 
key_blob_length) { - uint8_t kbuf[RSA_KEY_BUFFER_SIZE]; - teeRsaKeyMeta_t metadata; - uint32_t key_len = 0; - BIGNUM *tmp = NULL; - BN_CTX *ctx = NULL; - teeResult_t ret = TEE_ERR_NONE; - - if (key == NULL) { - ALOGE("input key == NULL"); - return -1; - } else if (key_blob == NULL || key_blob_length == NULL) { - ALOGE("output key blob or length == NULL"); - return -1; - } - - /* decoding */ - Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(NULL, &key, key_length)); - if (pkcs8.get() == NULL) { - logOpenSSLError("pkcs4.get"); - return -1; - } - - /* assign to EVP */ - Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get())); - if (pkey.get() == NULL) { - logOpenSSLError("pkey.get"); - return -1; - } - OWNERSHIP_TRANSFERRED(pkcs8); - - /* change key format */ - Unique_RSA rsa(EVP_PKEY_get1_RSA(pkey.get())); - if (rsa.get() == NULL) { - logOpenSSLError("get rsa key format"); - return -1; - } - - if (BN_cmp(rsa->p, rsa->q) < 0) { - /* p <-> q */ - tmp = rsa->p; - rsa->p = rsa->q; - rsa->q = tmp; - /* dp <-> dq */ - tmp = rsa->dmp1; - rsa->dmp1 = rsa->dmq1; - rsa->dmq1 = tmp; - /* calulate inverse of q mod p */ - ctx = BN_CTX_new(); - if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) { - ALOGE("Calculating inverse of q mod p is failed\n"); - BN_CTX_free(ctx); - return -1; - } - BN_CTX_free(ctx); - } - - key_len += sizeof(metadata); - - metadata.lenpubmod = BN_bn2bin(rsa->n, kbuf + key_len); - key_len += metadata.lenpubmod; - if (metadata.lenpubmod == (512 >> 3)) - metadata.keysize = TEE_RSA_KEY_SIZE_512; - else if (metadata.lenpubmod == (1024 >> 3)) - metadata.keysize = TEE_RSA_KEY_SIZE_1024; - else if (metadata.lenpubmod == (2048 >> 3)) - metadata.keysize = TEE_RSA_KEY_SIZE_2048; - else { - ALOGE("key size(%d) is not supported\n", metadata.lenpubmod << 3); - return -1; - } - - metadata.lenpubexp = BN_bn2bin(rsa->e, kbuf + key_len); - key_len += metadata.lenpubexp; - - if ((rsa->p != NULL) && (rsa->q != NULL) && (rsa->dmp1 != NULL) && - (rsa->dmq1 != NULL) && 
(rsa->iqmp != NULL)) - { - metadata.keytype = TEE_KEYPAIR_RSACRT; - metadata.rsacrtpriv.lenp = BN_bn2bin(rsa->p, kbuf + key_len); - key_len += metadata.rsacrtpriv.lenp; - metadata.rsacrtpriv.lenq = BN_bn2bin(rsa->q, kbuf + key_len); - key_len += metadata.rsacrtpriv.lenq; - metadata.rsacrtpriv.lendp = BN_bn2bin(rsa->dmp1, kbuf + key_len); - key_len += metadata.rsacrtpriv.lendp; - metadata.rsacrtpriv.lendq = BN_bn2bin(rsa->dmq1, kbuf + key_len); - key_len += metadata.rsacrtpriv.lendq; - metadata.rsacrtpriv.lenqinv = BN_bn2bin(rsa->iqmp, kbuf + key_len); - key_len += metadata.rsacrtpriv.lenqinv; - } else { - metadata.keytype = TEE_KEYPAIR_RSA; - metadata.rsapriv.lenpriexp = BN_bn2bin(rsa->d, kbuf + key_len); - key_len += metadata.rsapriv.lenpriexp; - } - - metadata.rfu = 0; - metadata.rfulen = 0; - - memcpy(kbuf, &metadata, sizeof(metadata)); - - UniquePtr<uint8_t> outPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_BUFFER_SIZE))); - if (outPtr.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - *key_blob_length = RSA_KEY_BUFFER_SIZE; - - ret = TEE_KeyImport(kbuf, key_len, outPtr.get(), (uint32_t *)key_blob_length); - if (ret != TEE_ERR_NONE) { - ALOGE("TEE_KeyImport() is failed: %d", ret); - return -1; - } - - *key_blob = outPtr.release(); - - return 0; -} - -static int exynos_km_get_keypair_public(const struct keymaster0_device*, - const uint8_t* key_blob, const size_t key_blob_length, - uint8_t** x509_data, size_t* x509_data_length) { - uint32_t bin_mod_len; - uint32_t bin_exp_len; - teeResult_t ret = TEE_ERR_NONE; - - if (x509_data == NULL || x509_data_length == NULL) { - ALOGE("output public key buffer == NULL"); - return -1; - } - - UniquePtr<uint8_t> binModPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_MAX_SIZE))); - if (binModPtr.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - UniquePtr<uint8_t> binExpPtr(reinterpret_cast<uint8_t*>(malloc(sizeof(uint32_t)))); - if (binExpPtr.get() == NULL) { - ALOGE("memory 
allocation is failed"); - return -1; - } - - bin_mod_len = RSA_KEY_MAX_SIZE; - bin_exp_len = sizeof(uint32_t); - - ret = TEE_GetPubKey(key_blob, key_blob_length, binModPtr.get(), &bin_mod_len, binExpPtr.get(), - &bin_exp_len); - if (ret != TEE_ERR_NONE) { - ALOGE("TEE_GetPubKey() is failed: %d", ret); - return -1; - } - - Unique_BIGNUM bn_mod(BN_new()); - if (bn_mod.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - Unique_BIGNUM bn_exp(BN_new()); - if (bn_exp.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - BN_bin2bn(binModPtr.get(), bin_mod_len, bn_mod.get()); - BN_bin2bn(binExpPtr.get(), bin_exp_len, bn_exp.get()); - - /* assign to RSA */ - Unique_RSA rsa(RSA_new()); - if (rsa.get() == NULL) { - logOpenSSLError("rsa.get"); - return -1; - } - - RSA* rsa_tmp = rsa.get(); - - rsa_tmp->n = bn_mod.release(); - rsa_tmp->e = bn_exp.release(); - - /* assign to EVP */ - Unique_EVP_PKEY pkey(EVP_PKEY_new()); - if (pkey.get() == NULL) { - logOpenSSLError("allocate EVP_PKEY"); - return -1; - } - - if (EVP_PKEY_assign_RSA(pkey.get(), rsa.get()) == 0) { - logOpenSSLError("assing RSA to EVP_PKEY"); - return -1; - } - OWNERSHIP_TRANSFERRED(rsa); - - /* change to x.509 format */ - int len = i2d_PUBKEY(pkey.get(), NULL); - if (len <= 0) { - logOpenSSLError("i2d_PUBKEY"); - return -1; - } - - UniquePtr<uint8_t> key(static_cast<uint8_t*>(malloc(len))); - if (key.get() == NULL) { - ALOGE("Could not allocate memory for public key data"); - return -1; - } - - unsigned char* tmp = reinterpret_cast<unsigned char*>(key.get()); - if (i2d_PUBKEY(pkey.get(), &tmp) != len) { - logOpenSSLError("Compare results"); - return -1; - } - - *x509_data_length = len; - *x509_data = key.release(); - - return 0; -} - -static int exynos_km_sign_data(const keymaster0_device_t*, - const void* params, - const uint8_t* keyBlob, const size_t keyBlobLength, - const uint8_t* data, const size_t dataLength, - uint8_t** signedData, size_t* signedDataLength) { 
- teeResult_t ret = TEE_ERR_NONE; - - if (data == NULL) { - ALOGE("input data to sign == NULL"); - return -1; - } else if (signedData == NULL || signedDataLength == NULL) { - ALOGE("output signature buffer == NULL"); - return -1; - } - - keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params; - if (sign_params->digest_type != DIGEST_NONE) { - ALOGE("Cannot handle digest type %d", sign_params->digest_type); - return -1; - } else if (sign_params->padding_type != PADDING_NONE) { - ALOGE("Cannot handle padding type %d", sign_params->padding_type); - return -1; - } - - UniquePtr<uint8_t> signedDataPtr(reinterpret_cast<uint8_t*>(malloc(RSA_KEY_MAX_SIZE))); - if (signedDataPtr.get() == NULL) { - ALOGE("memory allocation is failed"); - return -1; - } - - *signedDataLength = RSA_KEY_MAX_SIZE; - - /* binder gives us read-only mappings we can't use with mobicore */ - void *tmpData = malloc(dataLength); - memcpy(tmpData, data, dataLength); - ret = TEE_RSASign(keyBlob, keyBlobLength, (const uint8_t *)tmpData, dataLength, signedDataPtr.get(), - (uint32_t *)signedDataLength, TEE_RSA_NODIGEST_NOPADDING); - free(tmpData); - if (ret != TEE_ERR_NONE) { - ALOGE("TEE_RSASign() is failed: %d", ret); - return -1; - } - - *signedData = signedDataPtr.release(); - - return 0; -} - -static int exynos_km_verify_data(const keymaster0_device_t*, - const void* params, - const uint8_t* keyBlob, const size_t keyBlobLength, - const uint8_t* signedData, const size_t signedDataLength, - const uint8_t* signature, const size_t signatureLength) { - bool result; - teeResult_t ret = TEE_ERR_NONE; - - if (signedData == NULL || signature == NULL) { - ALOGE("data or signature buffers == NULL"); - return -1; - } - - keymaster_rsa_sign_params_t* sign_params = (keymaster_rsa_sign_params_t*) params; - if (sign_params->digest_type != DIGEST_NONE) { - ALOGE("Cannot handle digest type %d", sign_params->digest_type); - return -1; - } else if (sign_params->padding_type != PADDING_NONE) { - 
ALOGE("Cannot handle padding type %d", sign_params->padding_type); - return -1; - } else if (signatureLength != signedDataLength) { - ALOGE("signed data length must be signature length"); - return -1; - } - - void *tmpSignedData = malloc(signedDataLength); - memcpy(tmpSignedData, signedData, signedDataLength); - void *tmpSig = malloc(signatureLength); - memcpy(tmpSig, signature, signatureLength); - ret = TEE_RSAVerify(keyBlob, keyBlobLength, (const uint8_t*)tmpSignedData, signedDataLength, (const uint8_t *)tmpSig, - signatureLength, TEE_RSA_NODIGEST_NOPADDING, &result); - free(tmpSignedData); - free(tmpSig); - if (ret != TEE_ERR_NONE) { - ALOGE("TEE_RSAVerify() is failed: %d", ret); - return -1; - } - - return (result == true) ? 0 : -1; -} - -/* Close an opened Exynos KM instance */ -static int exynos_km_close(hw_device_t *dev) { - free(dev); - return 0; -} - -/* - * Generic device handling - */ -static int exynos_km_open(const hw_module_t* module, const char* name, - hw_device_t** device) { - if (strcmp(name, KEYSTORE_KEYMASTER) != 0) - return -EINVAL; - - Unique_keymaster0_device_t dev(new keymaster0_device_t); - if (dev.get() == NULL) - return -ENOMEM; - - dev->common.tag = HARDWARE_DEVICE_TAG; - dev->common.version = 1; - dev->common.module = (struct hw_module_t*) module; - dev->common.close = exynos_km_close; - - dev->flags = 0; - - dev->generate_keypair = exynos_km_generate_keypair; - dev->import_keypair = exynos_km_import_keypair; - dev->get_keypair_public = exynos_km_get_keypair_public; - dev->delete_keypair = NULL; - dev->delete_all = NULL; - dev->sign_data = exynos_km_sign_data; - dev->verify_data = exynos_km_verify_data; - - ERR_load_crypto_strings(); - ERR_load_BIO_strings(); - - *device = reinterpret_cast<hw_device_t*>(dev.release()); - - return 0; -} - -static struct hw_module_methods_t keystore_module_methods = { - open: exynos_km_open, -}; - -struct keystore_module HAL_MODULE_INFO_SYM -__attribute__ ((visibility ("default"))) = { - common: { - tag: 
HARDWARE_MODULE_TAG, - version_major: 1, - version_minor: 0, - id: KEYSTORE_HARDWARE_MODULE_ID, - name: "Keymaster Exynos HAL", - author: "Samsung S.LSI", - methods: &keystore_module_methods, - dso: 0, - reserved: {}, - }, -}; diff --git a/libkeymaster/tci.h b/libkeymaster/tci.h deleted file mode 100644 index 0979df3..0000000 --- a/libkeymaster/tci.h +++ /dev/null 
@@ -1,85 +0,0 @@
-/**
- * @file tci.h
- * @brief Contains TCI (Trustlet Control
- * Interface) definitions and data structures
- *
- * Copyright Giesecke & Devrient GmbH 2012
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef __TCI_H__
-#define __TCI_H__
-
-
-typedef uint32_t tciCommandId_t;
-typedef uint32_t tciResponseId_t;
-typedef uint32_t tciReturnCode_t;
-
-
-/**< Responses have bit 31 set */
-#define RSP_ID_MASK (1U << 31)
-#define RSP_ID(cmdId) (((uint32_t)(cmdId)) | RSP_ID_MASK)
-#define IS_CMD(cmdId) ((((uint32_t)(cmdId)) & RSP_ID_MASK) == 0)
-#define IS_RSP(cmdId) ((((uint32_t)(cmdId)) & RSP_ID_MASK) == RSP_ID_MASK)
-
-
-/**
- * Return codes
- */
-#define RET_OK 0
-#define RET_ERR_UNKNOWN_CMD 1
-#define RET_ERR_NOT_SUPPORTED 2
-#define RET_ERR_INVALID_BUFFER 3
-#define RET_ERR_INVALID_KEY_SIZE 4
-#define RET_ERR_INVALID_KEY_TYPE 5
-#define RET_ERR_INVALID_LENGTH 6
-#define RET_ERR_INVALID_EXPONENT 7
-#define RET_ERR_KEY_GENERATION 8
-#define RET_ERR_SIGN 9
-#define RET_ERR_VERIFY 10
-#define RET_ERR_DIGEST 11
-#define RET_ERR_SECURE_OBJECT 12
-#define RET_ERR_INTERNAL_ERROR 13
-/* ... add more error codes when needed */
-
-
-/**
- * TCI command header.
- */
-typedef struct{
- tciCommandId_t commandId; /**< Command ID */
-} tciCommandHeader_t;
-
-
-/**
- * TCI response header.
- */
-typedef struct{
- tciResponseId_t responseId; /**< Response ID (must be command ID | RSP_ID_MASK )*/
- tciReturnCode_t returnCode; /**< Return code of command */
-} tciResponseHeader_t;
-
-#endif // __TCI_H__
diff --git a/libkeymaster/tlTeeKeymaster_Api.h b/libkeymaster/tlTeeKeymaster_Api.h
deleted file mode 100644
index 24adeca..0000000
--- a/libkeymaster/tlTeeKeymaster_Api.h
+++ /dev/null
@@ -1,262 +0,0 @@
-/**
- * @file tlTeeKeymaster_Api.h
- * @brief Contains TCI command definitions and data structures
- *
- * Copyright Giesecke & Devrient GmbH 2012
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef __TLTEEKEYMASTERAPI_H__
-#define __TLTEEKEYMASTERAPI_H__
-
-#include "tci.h"
-
-
-
-/**
- * Command ID's
- */
-#define CMD_ID_TEE_RSA_GEN_KEY_PAIR 1
-#define CMD_ID_TEE_RSA_SIGN 2
-#define CMD_ID_TEE_RSA_VERIFY 3
-#define CMD_ID_TEE_HMAC_GEN_KEY 4
-#define CMD_ID_TEE_HMAC_SIGN 5
-#define CMD_ID_TEE_HMAC_VERIFY 6
-#define CMD_ID_TEE_KEY_IMPORT 7
-#define CMD_ID_TEE_GET_PUB_KEY 8
-/*... add more command ids when needed */
-
-
-/**
- * Command message.
- *
- * @param len Length of the data to process.
- * @param data Data to be processed
- */
-typedef struct {
- tciCommandHeader_t header; /**< Command header */
- uint32_t len; /**< Length of data to process */
-} command_t;
-
-
-/**
- * Response structure
- */
-typedef struct {
- tciResponseHeader_t header; /**< Response header */
- uint32_t len;
-} response_t;
-
-
-/**
- * Generate key data
- * Response data contains generated RSA key pair data is
- * wrapped as below:
- *
- * |-- Key metadata --|-- Public key (plaintext) --|-- Private key (encrypted) --|
- */
-typedef struct {
- uint32_t type; /**< Key pair type. RSA or RSACRT */
- uint32_t keysize; /**< Key size in bits, e.g. 1024, 2048,.. */
- uint32_t exponent; /**< Exponent number */
- uint32_t keydata; /**< Key data buffer passed by TLC */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t solen; /**< Secure object length (of key data) (provided by the trustlet) */
-} rsagenkey_t;
-
-
-/**
- * RSA sign data structure
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t plaindata; /**< Plaintext data buffer */
- uint32_t plaindatalen; /**< Length of plaintext data buffer */
- uint32_t signaturedata; /**< Signature data buffer */
- uint32_t signaturedatalen; /**< Length of signature data buffer */
- uint32_t algorithm; /**< Signing algorithm */
-} rsasign_t;
-
-
-/**
- * RSA signature verify data structure
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t plaindata; /**< Plaintext data buffer */
- uint32_t plaindatalen; /**< Length of plaintext data buffer */
- uint32_t signaturedata; /**< Signature data buffer */
- uint32_t signaturedatalen; /**< Length of signature data buffer */
- uint32_t algorithm; /**< Signing algorithm */
- bool validity; /**< Signature validity */
-} rsaverify_t;
-
-
-/**
- * Generate HMAC key data
- * Response data contains generated HMAC key data that is
- * wrapped as below:
- *
- * |-- HMAC key (encrypted) --|
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer passed by TLC */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t solen; /**< Secure object length (of key data) (provided by the trustlet) */
-} hmacgenkey_t;
-
-
-/**
- * HMAC sign data structure
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t plaindata; /**< Plaintext data buffer */
- uint32_t plaindatalen; /**< Length of plaintext data buffer */
- uint32_t signaturedata; /**< Signature data buffer */
- uint32_t signaturedatalen; /**< Length of signature data buffer */
- uint32_t digest; /**< Digest algorithm */
-} hmacsign_t;
-
-
-/**
- * HMAC signature verify data structure
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t plaindata; /**< Plaintext data buffer */
- uint32_t plaindatalen; /**< Length of plaintext data buffer */
- uint32_t signaturedata; /**< Signature data buffer */
- uint32_t signaturedatalen; /**< Length of signature data buffer */
- uint32_t digest; /**< Digest algorithm */
- bool validity; /**< Signature validity */
-} hmacverify_t;
-
-/**
- * RSA private key metadata (Private modulus and exponent lengths)
- */
-typedef struct {
- uint32_t lenprimod; /**< Private key modulus length */
- uint32_t lenpriexp; /**< Private key exponent length */
-} rsaprivkeymeta_t;
-
-
-/**
- * RSA CRT private key metadata
- */
-typedef struct {
- uint32_t lenprimod; /**< Private key modulus length */
- uint32_t lenp; /**< Prime p length */
- uint32_t lenq; /**< Prime q length */
- uint32_t lendp; /**< DP length */
- uint32_t lendq; /**< DQ length */
- uint32_t lenqinv; /**< QP length */
-} rsacrtprivkeymeta_t;
-
-
-/**
- * Key metadata (key size, modulus/exponent lengths, etc..)
- */
-typedef struct {
- uint32_t keytype; /**< RSA key pair type. RSA or RSA CRT */
- uint32_t keysize; /**< RSA key size */
- uint32_t lenpubmod; /**< Public key modulus length */
- uint32_t lenpubexp; /**< Public key exponent length */
- union {
- rsaprivkeymeta_t rsapriv; /**< RSA private key */
- rsacrtprivkeymeta_t rsacrtpriv; /**< RSA CRT private key */
- };
- uint32_t rfu; /**< Reserved for future use */
- uint32_t rfulen; /**< Reserved for future use */
-} rsakeymeta_t;
-
-/**
- * Key import data structure
- */
-typedef struct {
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t sodata; /**< Wrapped buffer */
- uint32_t sodatalen; /**< Length of wrapped data buffer */
-} keyimport_t;
-
-
-/**
- * Get public key data structure
- */
-typedef struct {
- uint32_t type; /**< Key type */
- uint32_t keydata; /**< Key data buffer */
- uint32_t keydatalen; /**< Length of key data buffer */
- uint32_t modulus; /**< Modulus */
- uint32_t moduluslen; /**< Modulus length */
- uint32_t exponent; /**< Exponent */
- uint32_t exponentlen; /**< Exponent length */
-} getpubkey_t;
-
-
-/**
- * TCI message data.
- */
-typedef struct {
- union {
- command_t command;
- response_t response;
- };
-
- union {
- rsagenkey_t rsagenkey;
- rsasign_t rsasign;
- rsaverify_t rsaverify;
- hmacgenkey_t hmacgenkey;
- hmacsign_t hmacsign;
- hmacverify_t hmacverify;
- keyimport_t keyimport;
- getpubkey_t getpubkey;
- };
-
-} tciMessage_t, *tciMessage_ptr;
-
-
-/**
- * Overall TCI structure.
- */
-typedef struct {
- tciMessage_t message; /**< TCI message */
-} tci_t;
-
-
-/**
- * Trustlet UUID
- */
-#define TEE_KEYMASTER_TL_UUID { { 7, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } }
-
-
-#endif // __TLTEEKEYMASTERAPI_H__
diff --git a/libkeymaster/tlTeeKeymaster_log.h b/libkeymaster/tlTeeKeymaster_log.h
deleted file mode 100644
index cc1636b..0000000
--- a/libkeymaster/tlTeeKeymaster_log.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/**
- * @file tlTeeKeymaster_log.h
- * @brief Contains debug & log macro definitions
- *
- * Copyright Giesecke & Devrient GmbH 2012
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef __TLTEEKEYMASTERLOG_H__
-#define __TLTEEKEYMASTERLOG_H__
-
-#include <android/log.h>
-
-#ifndef LOG_TAG
-#define LOG_TAG "TlcTeeKeyMaster"
-#endif // LOG_TAG
-
-/* Macro definitions */
-#define LOG_D(...) __android_log_print(ANDROID_LOG_DEBUG , LOG_TAG, __VA_ARGS__)
-#define LOG_I(...) __android_log_print(ANDROID_LOG_INFO , LOG_TAG, __VA_ARGS__)
-#define LOG_W(...) __android_log_print(ANDROID_LOG_WARN , LOG_TAG, __VA_ARGS__)
-#define LOG_E(...) __android_log_print(ANDROID_LOG_ERROR , LOG_TAG, __VA_ARGS__)
-
-
-#endif // __TLTEEKEYMASTERLOG_H__
diff --git a/libkeymaster/tlcTeeKeymaster_if.c b/libkeymaster/tlcTeeKeymaster_if.c
deleted file mode 100644
index 384e17d..0000000
--- a/libkeymaster/tlcTeeKeymaster_if.c
+++ /dev/null
@@ -1,1092 +0,0 @@
-/**
- * @file tlcTeeKeymaster_if.c
- * @brief Contains trustlet connector interface implementations to
- * handle key operations with TEE Keymaster trustlet
- *
- * Copyright Giesecke & Devrient GmbH 2012
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ - -#include <stdlib.h> - -#include "MobiCoreDriverApi.h" -#include "tlTeeKeymaster_Api.h" -#include "tlTeeKeymaster_log.h" -#include "tlcTeeKeymaster_if.h" - - -/* Global definitions */ -static const uint32_t gDeviceId = MC_DEVICE_ID_DEFAULT; -static const mcUuid_t gUuid = TEE_KEYMASTER_TL_UUID; - -/** - * TEE_Open - * - * Open session to the TEE Keymaster trustlet - * - * @param pSessionHandle [out] Return pointer to the session handle - */ -static tciMessage_ptr TEE_Open( - mcSessionHandle_t *pSessionHandle -){ - tciMessage_ptr pTci = NULL; - mcResult_t mcRet; - - do - { - - /* Validate session handle */ - if (!pSessionHandle) - { - LOG_E("TEE_Open(): Invalid session handle\n"); - break; - } - - /* Initialize session handle data */ - bzero(pSessionHandle, sizeof(mcSessionHandle_t)); - - /* Open MobiCore device */ - mcRet = mcOpenDevice(gDeviceId); - if (MC_DRV_OK != mcRet) - { - LOG_E("TEE_Open(): mcOpenDevice returned: %d\n", mcRet); - break; - } - - /* Allocating WSM for TCI */ - mcRet = mcMallocWsm(gDeviceId, 0, sizeof(tciMessage_t), (uint8_t **) &pTci, 0); - if (MC_DRV_OK != mcRet) - { - LOG_E("TEE_Open(): mcMallocWsm returned: %d\n", mcRet); - break; - } - - /* Open session the TEE Keymaster trustlet */ - pSessionHandle->deviceId = gDeviceId; - mcRet = mcOpenSession(pSessionHandle, - &gUuid, - (uint8_t *) pTci, - (uint32_t) sizeof(tciMessage_t)); - if (MC_DRV_OK != mcRet) - { - LOG_E("TEE_Open(): mcOpenSession returned: %d\n", mcRet); - break; - } - - } while (false); - - LOG_I("TEE_Open(): returning pointer to TCI buffer: 0x%.8x\n", pTci); - - return pTci; -} - - -/** - * TEE_Close - * - * Close session to the TEE Keymaster trustlet - * - * @param sessionHandle [in] Session handle - */ -static void TEE_Close( - mcSessionHandle_t *pSessionHandle -){ - teeResult_t ret = TEE_ERR_NONE; - mcResult_t mcRet; - - do { - - /* Validate session handle */ - if (!pSessionHandle) - { - LOG_E("TEE_Close(): Invalid session handle\n"); - break; - } - - /* Close session 
*/ - mcRet = mcCloseSession(pSessionHandle); - if (MC_DRV_OK != mcRet) - { - LOG_E("TEE_Close(): mcCloseSession returned: %d\n", mcRet); - ret = TEE_ERR_SESSION; - break; - } - - /* Close MobiCore device */ - mcRet = mcCloseDevice(gDeviceId); - if (MC_DRV_OK != mcRet) - { - LOG_E("TEE_Close(): mcCloseDevice returned: %d\n", mcRet); - ret = TEE_ERR_MC_DEVICE; - } - - } while (false); -} - - -/** - * TEE_RSAGenerateKeyPair - * - * Generates RSA key pair and returns key pair data as wrapped object - * - * @param keyType [in] Key pair type. RSA or RSACRT - * @param keyData [in] Pointer to the key data buffer - * @param keyDataLength [in] Key data buffer length - * @param keySize [in] Key size - * @param exponent [in] Exponent number - * @param soLen [out] Key data secure object length - */ -teeResult_t TEE_RSAGenerateKeyPair( - teeRsaKeyPairType_t keyType, - uint8_t* keyData, - uint32_t keyDataLength, - uint32_t keySize, - uint32_t exponent, - uint32_t* soLen -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t mapInfo; - mcResult_t mcRet; - - do { - - /* Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, keyData, keyDataLength, &mapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_RSA_GEN_KEY_PAIR; - pTci->rsagenkey.type = keyType; - pTci->rsagenkey.keysize = keySize; - pTci->rsagenkey.keydata = (uint32_t)mapInfo.sVirtualAddr; - pTci->rsagenkey.keydatalen = keyDataLength; - pTci->rsagenkey.exponent = exponent; - - /* Notify the trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret 
= TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, keyData, &mapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_RSAGenerateKeyPair(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = TEE_ERR_FAIL; - break; - } - - /* Update secure object length */ - *soLen = pTci->rsagenkey.solen; - - } while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_RSAGenerateKeyPair(): returning: 0x%.8x\n", ret); - - return ret; -} - - -/** - * TEE_RSASign - * - * Signs given plain data and returns signature data - * - * @param keyData [in] Pointer to key data buffer - * @param keyDataLength [in] Key data buffer length - * @param plainData [in] Pointer to plain data to be signed - * @param plainDataLength [in] Plain data length - * @param signatureData [out] Pointer to signature data - * @param signatureDataLength [out] Signature data length - * @param algorithm [in] RSA signature algorithm - */ -teeResult_t TEE_RSASign( - const uint8_t* keyData, - const uint32_t keyDataLength, - const uint8_t* plainData, - const uint32_t plainDataLength, - uint8_t* signatureData, - uint32_t* signatureDataLength, - teeRsaSigAlg_t algorithm -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t keyMapInfo; - mcBulkMap_t plainMapInfo; - mcBulkMap_t signatureMapInfo; - mcResult_t mcRet; - - do { - - /* Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)plainData, plainDataLength, &plainMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - 
break; - } - - mcRet = mcMap(&sessionHandle, (void*)signatureData, *signatureDataLength, &signatureMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_RSA_SIGN; - pTci->rsasign.keydata = (uint32_t)keyMapInfo.sVirtualAddr; - pTci->rsasign.keydatalen = keyDataLength; - - pTci->rsasign.plaindata = (uint32_t)plainMapInfo.sVirtualAddr; - pTci->rsasign.plaindatalen = plainDataLength; - - pTci->rsasign.signaturedata = (uint32_t)signatureMapInfo.sVirtualAddr; - pTci->rsasign.signaturedatalen = *signatureDataLength; - - pTci->rsasign.algorithm = algorithm; - - /* Notify the trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)plainData, &plainMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)signatureData, &signatureMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_RSASign(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = TEE_ERR_FAIL; - break; - } - - /* Retrieve signature data length */ - *signatureDataLength = pTci->rsasign.signaturedatalen; - - } while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_RSASign(): returning: 0x%.8x\n", ret); - - return ret; -} - - -/** - * TEE_RSAVerify - * - * Verifies given data with RSA public key and return status - * - * @param keyData [in] Pointer to key data buffer - * @param 
keyDataLength [in] Key data buffer length - * @param plainData [in] Pointer to plain data to be signed - * @param plainDataLength [in] Plain data length - * @param signatureData [in] Pointer to signed data - * @param signatureData [in] Plain data length - * @param algorithm [in] RSA signature algorithm - * @param validity [out] Signature validity - */ -teeResult_t TEE_RSAVerify( - const uint8_t* keyData, - const uint32_t keyDataLength, - const uint8_t* plainData, - const uint32_t plainDataLength, - const uint8_t* signatureData, - const uint32_t signatureDataLength, - teeRsaSigAlg_t algorithm, - bool *validity -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t keyMapInfo; - mcBulkMap_t plainMapInfo; - mcBulkMap_t signatureMapInfo; - mcResult_t mcRet; - - do { - - /* Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)plainData, plainDataLength, &plainMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)signatureData, signatureDataLength, &signatureMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_RSA_VERIFY; - pTci->rsaverify.keydata = (uint32_t)keyMapInfo.sVirtualAddr; - pTci->rsaverify.keydatalen = keyDataLength; - - pTci->rsaverify.plaindata = (uint32_t)plainMapInfo.sVirtualAddr; - pTci->rsaverify.plaindatalen = plainDataLength; - - pTci->rsaverify.signaturedata = (uint32_t)signatureMapInfo.sVirtualAddr; - pTci->rsaverify.signaturedatalen = signatureDataLength; - - pTci->rsaverify.algorithm = algorithm; - pTci->rsaverify.validity = false; - - /* Notify the 
trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)plainData, &plainMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)signatureData, &signatureMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_RSAVerify(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = TEE_ERR_FAIL; - break; - } - - *validity = pTci->rsaverify.validity; - - } while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_RSAVerify(): returning: 0x%.8x\n", ret); - - return ret; -} - - -/** - * TEE_HMACKeyGenerate - * - * Generates random key for HMAC calculation and returns key data as wrapped object - * (key is encrypted) - * - * @param keyData [out] Pointer to key data - * @param keyDataLength [in] Key data buffer length - * @param soLen [out] Key data secure object length - */ -teeResult_t TEE_HMACKeyGenerate( - uint8_t* keyData, - uint32_t keyDataLength, - uint32_t* soLen -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t keyMapInfo; - mcResult_t mcRet; - - do { - - /* Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* 
Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_HMAC_GEN_KEY; - pTci->hmacgenkey.keydata = (uint32_t)keyMapInfo.sVirtualAddr; - pTci->hmacgenkey.keydatalen = keyDataLength; - - /* Notify the trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_RSAVerify(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = TEE_ERR_FAIL; - } - - /* Update secure object length */ - *soLen = pTci->hmacgenkey.solen; - - }while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_HMACKeyGenerate(): returning: 0x%.8x\n", ret); - - return ret; -} - -/** - * TEE_HMACSign - * - * Signs given plain data and returns HMAC signature data - * - * @param keyData [in] Pointer to key data buffer - * @param keyDataLength [in] Key data buffer length - * @param plainData [in] Pointer to plain data to be signed - * @param plainDataLength [in] Plain data length - * @param signatureData [out] Pointer to signature data - * @param signatureDataLength [out] Signature data length - * @param digest [in] Digest type - */ -teeResult_t TEE_HMACSign( - const uint8_t* keyData, - const uint32_t keyDataLength, - const uint8_t* plainData, - const uint32_t plainDataLength, - uint8_t* signatureData, - uint32_t* signatureDataLength, - teeDigest_t digest -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t keyMapInfo; - mcBulkMap_t plainMapInfo; - mcBulkMap_t signatureMapInfo; - mcResult_t mcRet; - - do { - - /* 
Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)plainData, plainDataLength, &plainMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)signatureData, *signatureDataLength, &signatureMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_HMAC_SIGN; - pTci->hmacsign.keydata = (uint32_t)keyMapInfo.sVirtualAddr; - pTci->hmacsign.keydatalen = keyDataLength; - - pTci->hmacsign.plaindata = (uint32_t)plainMapInfo.sVirtualAddr; - pTci->hmacsign.plaindatalen = plainDataLength; - - pTci->hmacsign.signaturedata = (uint32_t)signatureMapInfo.sVirtualAddr; - pTci->hmacsign.signaturedatalen = *signatureDataLength; - - pTci->hmacsign.digest = digest; - - /* Notify the trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)plainData, &plainMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)signatureData, &signatureMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_HMACSign(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = 
TEE_ERR_FAIL; - break; - } - - /* Retrieve signature data length */ - *signatureDataLength = pTci->hmacsign.signaturedatalen; - - } while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_HMACSign(): returning: 0x%.8x\n", ret); - - return ret; -} - - -/** - * TEE_HMACVerify - * - * Verifies given data HMAC key data and return status - * - * @param plainData [in] Pointer to plain data to be signed - * @param plainDataLength [in] Plain data length - * @param signatureData [in] Pointer to signed data - * @param signatureData [in] Plain data length - * @param digest [in] Digest type - * @param validity [out] Signature validity - */ -teeResult_t TEE_HMACVerify( - const uint8_t* keyData, - const uint32_t keyDataLength, - const uint8_t* plainData, - const uint32_t plainDataLength, - const uint8_t* signatureData, - const uint32_t signatureDataLength, - teeDigest_t digest, - bool *validity -){ - teeResult_t ret = TEE_ERR_NONE; - tciMessage_ptr pTci = NULL; - mcSessionHandle_t sessionHandle; - mcBulkMap_t keyMapInfo; - mcBulkMap_t plainMapInfo; - mcBulkMap_t signatureMapInfo; - mcResult_t mcRet; - - do { - - /* Open session to the trustlet */ - pTci = TEE_Open(&sessionHandle); - if (!pTci) { - ret = TEE_ERR_MEMORY; - break; - } - - /* Map memory to the secure world */ - mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)plainData, plainDataLength, &plainMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcMap(&sessionHandle, (void*)signatureData, signatureDataLength, &signatureMapInfo); - if (MC_DRV_OK != mcRet) { - ret = TEE_ERR_MAP; - break; - } - - /* Update TCI buffer */ - pTci->command.header.commandId = CMD_ID_TEE_HMAC_VERIFY; - pTci->hmacverify.keydata = (uint32_t)keyMapInfo.sVirtualAddr; - pTci->hmacverify.keydatalen = keyDataLength; - - pTci->hmacverify.plaindata = 
(uint32_t)plainMapInfo.sVirtualAddr; - pTci->hmacverify.plaindatalen = plainDataLength; - - pTci->hmacverify.signaturedata = (uint32_t)signatureMapInfo.sVirtualAddr; - pTci->hmacverify.signaturedatalen = signatureDataLength; - - pTci->hmacverify.digest = digest; - pTci->hmacverify.validity = false; - - /* Notify the trustlet */ - mcRet = mcNotify(&sessionHandle); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Wait for response from the trustlet */ - if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT)) - { - ret = TEE_ERR_NOTIFICATION; - break; - } - - /* Unmap memory */ - mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)plainData, &plainMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - mcRet = mcUnmap(&sessionHandle, (void*)signatureData, &signatureMapInfo); - if (MC_DRV_OK != mcRet) - { - ret = TEE_ERR_MAP; - break; - } - - if (RET_OK != pTci->response.header.returnCode) - { - LOG_E("TEE_HMACVerify(): TEE Keymaster trustlet returned: 0x%.8x\n", - pTci->response.header.returnCode); - ret = TEE_ERR_FAIL; - break; - } - - *validity = pTci->hmacverify.validity; - - } while (false); - - /* Close session to the trustlet */ - TEE_Close(&sessionHandle); - - LOG_I("TEE_HMACVerify(): returning: 0x%.8x\n", ret); - - return ret; -} - - -/** - * TEE_KeyImport - * - * Imports key data and returns key data as secure object - * - * Key data needs to be in the following format - * - * RSA key data: - * |--key metadata--|--public modulus--|--public exponent--|--private exponent--| - * - * RSA CRT key data: - * |--key metadata--|--public modulus--|--public exponent--|--P--|--Q--|--DP--|--DQ--|--Qinv--| - * - * Where: - * P: secret prime factor - * Q: secret prime factor - * DP: d mod (p-1) - * DQ: d mod (q-1) - * Qinv: q^-1 mod p - * - * @param keyData [in] Pointer to key data - * 
@param keyDataLength [in] Key data length
- * @param soData [out] Pointer to wrapped key data
- * @param soDataLength [out] Wrapped key data length
- */
-teeResult_t TEE_KeyImport(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- uint8_t* soData,
- uint32_t* soDataLength
-){
- teeResult_t ret = TEE_ERR_NONE;
- tciMessage_ptr pTci = NULL;
- mcSessionHandle_t sessionHandle;
- mcBulkMap_t keyMapInfo;
- mcBulkMap_t soMapInfo;
- mcResult_t mcRet;
-
- do {
-
- /* Open session to the trustlet */
- pTci = TEE_Open(&sessionHandle);
- if (!pTci) {
- ret = TEE_ERR_MEMORY;
- break;
- }
-
- /* Map memory to the secure world */
- mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo);
- if (MC_DRV_OK != mcRet) {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcMap(&sessionHandle, (void*)soData, *soDataLength, &soMapInfo);
- if (MC_DRV_OK != mcRet) {
- ret = TEE_ERR_MAP;
- break;
- }
-
- /* Update TCI buffer */
- pTci->command.header.commandId = CMD_ID_TEE_KEY_IMPORT;
- pTci->keyimport.keydata = (uint32_t)keyMapInfo.sVirtualAddr;
- pTci->keyimport.keydatalen = keyDataLength;
- pTci->keyimport.sodata = (uint32_t)soMapInfo.sVirtualAddr;
- pTci->keyimport.sodatalen = *soDataLength;
-
- /* Notify the trustlet */
- mcRet = mcNotify(&sessionHandle);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_NOTIFICATION;
- break;
- }
-
- /* Wait for response from the trustlet */
- if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT))
- {
- ret = TEE_ERR_NOTIFICATION;
- break;
- }
-
- /* Unmap memory */
- mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcUnmap(&sessionHandle, (void*)soData, &soMapInfo);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_MAP;
- break;
- }
-
- if (RET_OK != pTci->response.header.returnCode)
- {
- LOG_E("TEE_KeyWrap(): TEE Keymaster trustlet returned: 0x%.8x\n",
- pTci->response.header.returnCode);
- ret = TEE_ERR_FAIL;
- break;
- }
-
-
/* Update secure object length */
- *soDataLength = pTci->keyimport.sodatalen;
-
- } while (false);
-
- /* Close session to the trustlet */
- TEE_Close(&sessionHandle);
-
- LOG_I("TEE_KeyWrap(): returning: 0x%.8x\n", ret);
-
- return ret;
-}
-
-
-/** * TEE_GetPubKey
- *
- * Retrieves public key daya (modulus and exponent) from wrapped key data
- *
- * @param keyData [in] Pointer to key data
- * @param keyDataLength [in] Key data length
- * @param modulus [out] Pointer to public key modulus data
- * @param modulusLength [out] Modulus data length
- * @param exponent [out] Pointer to public key exponent data
- * @param exponentLength [out] Exponent data length
- */
-teeResult_t TEE_GetPubKey(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- uint8_t* modulus,
- uint32_t* modulusLength,
- uint8_t* exponent,
- uint32_t* exponentLength
-){
- teeResult_t ret = TEE_ERR_NONE;
- tciMessage_ptr pTci = NULL;
- mcSessionHandle_t sessionHandle;
- mcBulkMap_t keyMapInfo;
- mcBulkMap_t modMapInfo;
- mcBulkMap_t expMapInfo;
- mcResult_t mcRet;
-
- do {
-
- /* Open session to the trustlet */
- pTci = TEE_Open(&sessionHandle);
- if (!pTci) {
- ret = TEE_ERR_MEMORY;
- break;
- }
-
- /* Map memory to the secure world */
- mcRet = mcMap(&sessionHandle, (void*)keyData, keyDataLength, &keyMapInfo);
- if (MC_DRV_OK != mcRet) {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcMap(&sessionHandle, (void*)modulus, *modulusLength, &modMapInfo);
- if (MC_DRV_OK != mcRet) {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcMap(&sessionHandle, (void*)exponent, *exponentLength, &expMapInfo);
- if (MC_DRV_OK != mcRet) {
- ret = TEE_ERR_MAP;
- break;
- }
-
- /* Update TCI buffer */
- pTci->command.header.commandId = CMD_ID_TEE_GET_PUB_KEY;
- pTci->getpubkey.keydata = (uint32_t)keyMapInfo.sVirtualAddr;
- pTci->getpubkey.keydatalen = keyDataLength;
- pTci->getpubkey.modulus = (uint32_t)modMapInfo.sVirtualAddr;
- pTci->getpubkey.moduluslen = *modulusLength;
- pTci->getpubkey.exponent =
(uint32_t)expMapInfo.sVirtualAddr;
- pTci->getpubkey.exponentlen = *exponentLength;
-
- /* Notify the trustlet */
- mcRet = mcNotify(&sessionHandle);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_NOTIFICATION;
- break;
- }
-
- /* Wait for response from the trustlet */
- if (MC_DRV_OK != mcWaitNotification(&sessionHandle, MC_INFINITE_TIMEOUT))
- {
- ret = TEE_ERR_NOTIFICATION;
- break;
- }
-
- /* Unmap memory */
- mcRet = mcUnmap(&sessionHandle, (void*)keyData, &keyMapInfo);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcUnmap(&sessionHandle, (void*)modulus, &modMapInfo);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_MAP;
- break;
- }
-
- mcRet = mcUnmap(&sessionHandle, (void*)exponent, &expMapInfo);
- if (MC_DRV_OK != mcRet)
- {
- ret = TEE_ERR_MAP;
- break;
- }
-
- if (RET_OK != pTci->response.header.returnCode)
- {
- LOG_E("TEE_GetPubKey(): TEE Keymaster trustlet returned: 0x%.8x\n",
- pTci->response.header.returnCode);
- ret = TEE_ERR_FAIL;
- break;
- }
-
- /* Update modulus and exponent lengths */
- *modulusLength = pTci->getpubkey.moduluslen;
- *exponentLength = pTci->getpubkey.exponentlen;
-
- } while (false);
-
- /* Close session to the trustlet */
- TEE_Close(&sessionHandle);
-
- LOG_I("TEE_GetPubKey(): returning: 0x%.8x\n", ret);
-
- return ret;
-}
diff --git a/libkeymaster/tlcTeeKeymaster_if.h b/libkeymaster/tlcTeeKeymaster_if.h
deleted file mode 100644
index 0c378ca..0000000
--- a/libkeymaster/tlcTeeKeymaster_if.h
+++ /dev/null
@@ -1,324 +0,0 @@
-/**
- * @file tlcTeeKeymaster_if.h
- * @brief Contains TEE Keymaster trustlet connector interface definitions
- *
- * Copyright Giesecke & Devrient GmbH 2012
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the author may not be used to endorse or promote
- * products derived from this software without specific prior
- * written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS
- * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
- * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
- * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
- * GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
- * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
- * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef __TLCTEEKEYMASTERIF_H__
-#define __TLCTEEKEYMASTERIF_H__
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#include <stdint.h>
-#include <stdbool.h>
-
-
-/**
- * Key sizes
- */
-#define TEE_RSA_KEY_SIZE_512 512
-#define TEE_RSA_KEY_SIZE_1024 1024
-#define TEE_RSA_KEY_SIZE_2048 2048
-
-
-/* error codes */
-typedef enum
-{
- TEE_ERR_NONE = 0,
- TEE_ERR_FAIL = 1,
- TEE_ERR_INVALID_BUFFER = 2,
- TEE_ERR_BUFFER_TOO_SMALL = 3,
- TEE_ERR_NOT_IMPLEMENTED = 4,
- TEE_ERR_SESSION = 5,
- TEE_ERR_MC_DEVICE = 6,
- TEE_ERR_NOTIFICATION = 7,
- TEE_ERR_MEMORY = 8,
- TEE_ERR_MAP = 9
- /* more can be added as required */
-} teeResult_t;
-
-
-/* RSA key pair types */
-typedef enum {
- TEE_KEYPAIR_RSA = 1, /**< RSA public and RSA private key. */
- TEE_KEYPAIR_RSACRT = 2 /**< RSA public and RSA CRT private key. */
-} teeRsaKeyPairType_t;
-
-
-/* Supported RSA signature algorithms */
-typedef enum
-{
- /* RSA */
- TEE_RSA_SHA_ISO9796 = 1, /**< 20-byte SHA-1 digest, padded according to the ISO 9796-2 scheme as specified in EMV '96 and EMV 2000, encrypted using RSA. */
- TEE_RSA_SHA_ISO9796_MR = 2, /**< 20-byte SHA-1 digest, padded according to the ISO9796-2 specification and encrypted using RSA. */
- TEE_RSA_SHA_PKCS1 = 3, /**< 20-byte SHA-1 digest, padded according to the PKCS#1 (v1.5) scheme, and encrypted using RSA.
*/
- TEE_RSA_SHA256_PSS = 4, /**< SHA-256 digest and PSS padding */
- TEE_RSA_SHA1_PSS = 5, /**< SHA-256 digest and PSS padding */
- TEE_RSA_NODIGEST_NOPADDING = 6, /**< No digest and padding */
-} teeRsaSigAlg_t;
-
-
-/* Digest types */
-typedef enum
-{
- TEE_DIGEST_SHA1,
- TEE_DIGEST_SHA256
-} teeDigest_t;
-
-
-/**
- * RSA private key metadata (Private modulus and exponent lengths)
- */
-typedef struct {
- uint32_t lenprimod; /**< Private key modulus length */
- uint32_t lenpriexp; /**< Private key exponent length */
-} teeRsaPrivKeyMeta_t;
-
-
-/**
- * RSA CRT private key metadata (Private modulus and exponent lengths)
- */
-typedef struct {
- uint32_t lenprimod; /**< Private key modulus length */
- uint32_t lenp; /**< Prime p length */
- uint32_t lenq; /**< Prime q length */
- uint32_t lendp; /**< DP length */
- uint32_t lendq; /**< DQ length */
- uint32_t lenqinv; /**< QP length */
-} teeRsaCrtPrivKeyMeta_t;
-
-
-/**
- * Key metadata (public key hash, key size, modulus/exponent lengths, etc..)
- */
-typedef struct {
- uint32_t keytype; /**< Key type, e.g. RSA */
- uint32_t keysize; /**< Key size, e.g. 1024, 2048 */
- uint32_t lenpubmod; /**< Public key modulus length */
- uint32_t lenpubexp; /**< Public key exponent length */
- union {
- teeRsaPrivKeyMeta_t rsapriv; /**< RSA private key */
- teeRsaCrtPrivKeyMeta_t rsacrtpriv; /**< RSA CRT private key */
- };
- uint32_t rfu; /**< Reserved for future use */
- uint32_t rfulen; /**< Reserved for future use */
-} teeRsaKeyMeta_t;
-
-/**
- * TEE_RSAGenerateKeyPair
- *
- * Generates RSA key pair and returns key pair data as wrapped object
- *
- * @param keyType [in] Key pair type.
RSA or RSACRT
- * @param keyData [in] Pointer to the key data buffer
- * @param keyDataLength [in] Key data buffer length
- * @param keySize [in] Key size
- * @param exponent [in] Exponent number
- * @param soLen [out] Key data secure object length
- */
-teeResult_t TEE_RSAGenerateKeyPair(
- teeRsaKeyPairType_t keyType,
- uint8_t* keyData,
- uint32_t keyDataLength,
- uint32_t keySize,
- uint32_t exponent,
- uint32_t* soLen);
-
-
-/**
- * TEE_RSASign
- *
- * Signs given plain data and returns signature data
- *
- * @param keyData [in] Pointer to key data buffer
- * @param keyDataLength [in] Key data buffer length
- * @param plainData [in] Pointer to plain data to be signed
- * @param plainDataLength [in] Plain data length
- * @param signatureData [out] Pointer to signature data
- * @param signatureDataLength [out] Signature data length
- * @param algorithm [in] RSA signature algorithm
- */
-teeResult_t TEE_RSASign(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- const uint8_t* plainData,
- const uint32_t plainDataLength,
- uint8_t* signatureData,
- uint32_t* signatureDataLength,
- teeRsaSigAlg_t algorithm);
-
-
-/**
- * TEE_RSAVerify
- *
- * Verifies given data with RSA public key and return status
- *
- * @param keyData [in] Pointer to key data buffer
- * @param keyDataLength [in] Key data buffer length
- * @param plainData [in] Pointer to plain data to be signed
- * @param plainDataLength [in] Plain data length
- * @param signatureData [in] Pointer to signed data
- * @param signatureData [in] Plain data length
- * @param algorithm [in] RSA signature algorithm
- * @param validity [out] Signature validity
- */
-teeResult_t TEE_RSAVerify(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- const uint8_t* plainData,
- const uint32_t plainDataLength,
- const uint8_t* signatureData,
- const uint32_t signatureDataLength,
- teeRsaSigAlg_t algorithm,
- bool *validity);
-
-
-/**
- * TEE_HMACKeyGenerate
- *
- * Generates random key for HMAC calculation
and returns key data as wrapped object
- * (key is encrypted)
- *
- * @param keyData [out] Pointer to key data
- * @param keyDataLength [in] Key data buffer length
- * @param soLen [out] Key data secure object length
- */
-teeResult_t TEE_HMACKeyGenerate(
- uint8_t* keyData,
- uint32_t keyDataLength,
- uint32_t* soLen);
-
-
-/**
- * TEE_HMACSign
- *
- * Signs given plain data and returns HMAC signature data
- *
- * @param keyData [in] Pointer to key data buffer
- * @param keyDataLength [in] Key data buffer length
- * @param plainData [in] Pointer to plain data to be signed
- * @param plainDataLength [in] Plain data length
- * @param signatureData [out] Pointer to signature data
- * @param signatureDataLength [out] Signature data length
- * @param digest [in] Digest type
- */
-teeResult_t TEE_HMACSign(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- const uint8_t* plainData,
- const uint32_t plainDataLength,
- uint8_t* signatureData,
- uint32_t* signatureDataLength,
- teeDigest_t digest);
-
-
-/**
- * TEE_HMACVerify
- *
- * Verifies given data HMAC key data and return status
- *
- * @param keyData [in] Pointer to key data buffer
- * @param keyDataLength [in] Key data buffer length
- * @param plainData [in] Pointer to plain data to be signed
- * @param plainDataLength [in] Plain data length
- * @param signatureData [in] Pointer to signed data
- * @param signatureData [in] Plain data length
- * @param digest [in] Digest type
- * @param validity [out] Signature validity
- */
-teeResult_t TEE_HMACVerify(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- const uint8_t* plainData,
- const uint32_t plainDataLength,
- const uint8_t* signatureData,
- const uint32_t signatureDataLength,
- teeDigest_t digest,
- bool *validity);
-
-
-/**
- * TEE_KeyImport
- *
- * Imports key data and returns key data as secure object
- *
- * Key data needs to be in the following format
- *
- * RSA key data:
- * |--key metadata--|--public modulus--|--public
exponent--|--private exponent--|
- *
- * RSA CRT key data:
- * |--key metadata--|--public modulus--|--public exponent--|--P--|--Q--|--DP--|--DQ--|--Qinv--|
- *
- * Where:
- * P: secret prime factor
- * Q: secret prime factor
- * DP: d mod (p-1)
- * DQ: d mod (q-1)
- * Qinv: q^-1 mod p
- *
- * @param keyData [in] Pointer to key data
- * @param keyDataLength [in] Key data length
- * @param soData [out] Pointer to wrapped key data
- * @param soDataLength [out] Wrapped key data length
- */
-teeResult_t TEE_KeyImport(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- uint8_t* soData,
- uint32_t* soDataLength);
-
-
-/**
- * TEE_GetPubKey
- *
- * Retrieves public key daya (modulus and exponent) from wrapped key data
- *
- * @param keyData [in] Pointer to key data
- * @param keyDataLength [in] Key data length
- * @param modulus [out] Pointer to public key modulus data
- * @param modulusLength [out] Modulus data length
- * @param exponent [out] Pointer to public key exponent data
- * @param exponentLength [out] Exponent data length
- */
-teeResult_t TEE_GetPubKey(
- const uint8_t* keyData,
- const uint32_t keyDataLength,
- uint8_t* modulus,
- uint32_t* modulusLength,
- uint8_t* exponent,
- uint32_t* exponentLength);
-
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // __TLCTEEKEYMASTERIF_H__ |
