forked from trusty-ia/trusty_app_keymaster
-
Notifications
You must be signed in to change notification settings - Fork 0
/
secure_storage.h
156 lines (132 loc) · 4.96 KB
/
secure_storage.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
/*
* Copyright 2017 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_
#define TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_
#include <hardware/keymaster_defs.h>
namespace keymaster {
template <typename>
struct TKeymasterBlob;
typedef TKeymasterBlob<keymaster_key_blob_t> KeymasterKeyBlob;
class AuthorizationSet;
class Key;
// RSA and ECDSA are set to be the same as keymaster_algorithm_t.
enum class AttestationKeySlot {
kInvalid = 0,
kRsa = 1,
kEcdsa = 3,
kEddsa = 4,
kEpid = 5,
// 'Claimable slots are for use with the claim_key HAL method.
kClaimable0 = 128,
// 'Som' slots are for Android Things SoM keys. These are generic, that is
// they are not associated with a particular model or product.
kSomRsa = 257,
kSomEcdsa = 259,
kSomEddsa = 260,
kSomEpid = 261,
};
/* The uuid size matches, by design, ATAP_HEX_UUID_LEN in
* system/iot/attestation/atap. */
static const size_t kAttestationUuidSize = 32;
/* ATAP_PRODUCT_ID_LEN in system/iot/attestation/atap. */
static const size_t kProductIdSize = 16;
/**
* These functions implement key and certificate chain storage on top Trusty's
* secure storage service. All data is stored in the RPMB filesystem.
*/
/**
* Writes |key_size| bytes at |key| to key file associated with |key_slot|.
*/
keymaster_error_t WriteKeyToStorage(AttestationKeySlot key_slot,
const uint8_t* key,
uint32_t key_size);
/**
* Reads key associated with |key_slot|.
*/
KeymasterKeyBlob ReadKeyFromStorage(AttestationKeySlot key_slot,
keymaster_error_t* error);
/**
* Checks if |key_slot| attestation key exists in RPMB. On success, writes to
* |exists|.
*/
keymaster_error_t AttestationKeyExists(AttestationKeySlot key_slot,
bool* exists);
/**
* Writes |cert_size| bytes at |cert| to cert file associated with |key_slot|
* and |index|. The caller can either write to an exising certificate entry, or
* one past the end of the chain to extend the chain length by 1 (|index| =
* chain length). Fails when |index| > chain length.
*/
keymaster_error_t WriteCertToStorage(AttestationKeySlot key_slot,
const uint8_t* cert,
uint32_t cert_size,
uint32_t index);
/**
* Reads cert chain associated with |key_slot|. Stores certificate chain in
* |cert_chain| and caller takes ownership of all allocated memory.
*/
keymaster_error_t ReadCertChainFromStorage(AttestationKeySlot key_slot,
keymaster_cert_chain_t* cert_chain);
/*
* Writes the new length of the stored |key_slot| attestation certificate chain.
* If less than the existing certificate chain length, the chain is truncated.
* Input cannot be larger than the current certificate chain length + 1.
*/
keymaster_error_t WriteCertChainLength(AttestationKeySlot key_slot,
uint32_t cert_chain_length);
/**
* Reads the current length of the stored |key_slot| attestation certificate
* chain. On success, writes the length to |cert_chain_length|.
*/
keymaster_error_t ReadCertChainLength(AttestationKeySlot key_slot,
uint32_t* cert_chain_length);
/**
* Writes the |attestation_uuid|.
*/
keymaster_error_t WriteAttestationUuid(
const uint8_t attestation_uuid[kAttestationUuidSize]);
/**
* Reads the |attestation_uuid|. If none exists, sets the uuid to all ascii
* zeros.
*/
keymaster_error_t ReadAttestationUuid(
uint8_t attestation_uuid[kAttestationUuidSize]);
/**
* Read the |product_id|. If none exists, sets it to all zeros.
*/
keymaster_error_t ReadProductId(uint8_t product_id[kProductIdSize]);
/**
* Set the |product_id|.
*/
keymaster_error_t SetProductId(const uint8_t product_id[kProductIdSize]);
/**
* Delete the |product_id|.
*/
keymaster_error_t DeleteProductId();
/**
* Deletes |key_slot| attestation key from RPMB.
*/
keymaster_error_t DeleteKey(AttestationKeySlot key_slot);
/**
* Deletes |key_slot| attestation certificate chain from RPMB.
*/
keymaster_error_t DeleteCertChain(AttestationKeySlot key_slot);
/**
* Delete all attestation keys and certificate chains from RPMB.
*/
keymaster_error_t DeleteAllAttestationData();
} // namespace keymaster
#endif // TRUSTY_APP_KEYMASTER_SECURE_STORAGE_H_