tequilaOS/platform_hardware_libhardware
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "Separate keymaster0 and keymaster1 HALs."

Browse source
This commit is contained in:
Shawn Willden 2015-02-26 23:24:41 +00:00 committed by Gerrit Code Review
commit 17dde875dd
5 changed files with 379 additions and 200 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

149
include/hardware/keymaster0.h Normal file
View file

@ -0,0 +1,149 @@
/*
* Copyright (C) 2011 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef ANDROID_HARDWARE_KEYMASTER_0_H
#define ANDROID_HARDWARE_KEYMASTER_0_H
#include <hardware/keymaster_common.h>
__BEGIN_DECLS
/**
* Keymaster0 device definition.
*/
struct keymaster0_device {
/**
* Common methods of the keymaster device. This *must* be the first member of
* keymaster0_device as users of this structure will cast a hw_device_t to
* keymaster0_device pointer in contexts where it's known the hw_device_t references a
* keymaster0_device.
*/
struct hw_device_t common;
/**
* THIS IS DEPRECATED. Use the new "module_api_version" and "hal_api_version"
* fields in the keymaster_module initialization instead.
*/
uint32_t client_version;
/**
* See flags defined for keymaster0_device::flags in keymaster_common.h
*/
uint32_t flags;
void* context;
/**
* Generates a public and private key. The key-blob returned is opaque
* and must subsequently provided for signing and verification.
*
* Returns: 0 on success or an error code less than 0.
*/
int (*generate_keypair)(const struct keymaster0_device* dev,
const keymaster_keypair_t key_type, const void* key_params,
uint8_t** key_blob, size_t* key_blob_length);
/**
* Imports a public and private key pair. The imported keys will be in
* PKCS#8 format with DER encoding (Java standard). The key-blob
* returned is opaque and will be subsequently provided for signing
* and verification.
*
* Returns: 0 on success or an error code less than 0.
*/
int (*import_keypair)(const struct keymaster0_device* dev,
const uint8_t* key, const size_t key_length,
uint8_t** key_blob, size_t* key_blob_length);
/**
* Gets the public key part of a key pair. The public key must be in
* X.509 format (Java standard) encoded byte array.
*
* Returns: 0 on success or an error code less than 0.
* On error, x509_data should not be allocated.
*/
int (*get_keypair_public)(const struct keymaster0_device* dev,
const uint8_t* key_blob, const size_t key_blob_length,
uint8_t** x509_data, size_t* x509_data_length);
/**
* Deletes the key pair associated with the key blob.
*
* This function is optional and should be set to NULL if it is not
* implemented.
*
* Returns 0 on success or an error code less than 0.
*/
int (*delete_keypair)(const struct keymaster0_device* dev,
const uint8_t* key_blob, const size_t key_blob_length);
/**
* Deletes all keys in the hardware keystore. Used when keystore is
* reset completely.
*
* This function is optional and should be set to NULL if it is not
* implemented.
*
* Returns 0 on success or an error code less than 0.
*/
int (*delete_all)(const struct keymaster0_device* dev);
/**
* Signs data using a key-blob generated before. This can use either
* an asymmetric key or a secret key.
*
* Returns: 0 on success or an error code less than 0.
*/
int (*sign_data)(const struct keymaster0_device* dev,
const void* signing_params,
const uint8_t* key_blob, const size_t key_blob_length,
const uint8_t* data, const size_t data_length,
uint8_t** signed_data, size_t* signed_data_length);
/**
* Verifies data signed with a key-blob. This can use either
* an asymmetric key or a secret key.
*
* Returns: 0 on successful verification or an error code less than 0.
*/
int (*verify_data)(const struct keymaster0_device* dev,
const void* signing_params,
const uint8_t* key_blob, const size_t key_blob_length,
const uint8_t* signed_data, const size_t signed_data_length,
const uint8_t* signature, const size_t signature_length);
};
typedef struct keymaster0_device keymaster0_device_t;
/* Convenience API for opening and closing keymaster devices */
static inline int keymaster0_open(const struct hw_module_t* module,
keymaster0_device_t** device)
{
int rc = module->methods->open(module, KEYSTORE_KEYMASTER,
(struct hw_device_t**) device);
return rc;
}
static inline int keymaster0_close(keymaster0_device_t* device)
{
return device->common.close(&device->common);
}
__END_DECLS
#endif // ANDROID_HARDWARE_KEYMASTER_0_H

111
include/hardware/keymaster.h → include/hardware/keymaster1.h
View file

@ -1,5 +1,5 @@
/*
* Copyright (C) 2011 The Android Open Source Project
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
@ -14,57 +14,18 @@
* limitations under the License.
*/
#ifndef ANDROID_HARDWARE_KEYMASTER_H
#define ANDROID_HARDWARE_KEYMASTER_H
#ifndef ANDROID_HARDWARE_KEYMASTER1_H
#define ANDROID_HARDWARE_KEYMASTER1_H
#include <stdint.h>
#include <sys/cdefs.h>
#include <sys/types.h>
#include <hardware/hardware.h>
#include <hardware/keymaster_common.h>
#include <hardware/keymaster_defs.h>
__BEGIN_DECLS
/**
* The id of this module
* Keymaster1 device definition
*/
#define KEYSTORE_HARDWARE_MODULE_ID "keystore"
#define KEYSTORE_KEYMASTER "keymaster"
/**
* Settings for "module_api_version" and "hal_api_version"
* fields in the keymaster_module initialization.
*/
#define KEYMASTER_HEADER_VERSION 4
#define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2)
#define KEYMASTER_DEVICE_API_VERSION_0_2 \
HARDWARE_DEVICE_API_VERSION_2(0, 2, KEYMASTER_HEADER_VERSION)
#define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3)
#define KEYMASTER_DEVICE_API_VERSION_0_3 \
HARDWARE_DEVICE_API_VERSION_2(0, 3, KEYMASTER_HEADER_VERSION)
#define KEYMASTER_MODULE_API_VERSION_0_4 HARDWARE_MODULE_API_VERSION(0, 4)
#define KEYMASTER_DEVICE_API_VERSION_0_4 \
HARDWARE_DEVICE_API_VERSION_2(0, 4, KEYMASTER_HEADER_VERSION)
struct keystore_module {
/**
* Common methods of the keystore module. This *must* be the first member of
* keystore_module as users of this structure will cast a hw_module_t to
* keystore_module pointer in contexts where it's known the hw_module_t references a
* keystore_module.
*/
hw_module_t common;
};
/**
* The parameters that can be set for a given keymaster implementation.
*/
struct keymaster_device {
struct keymaster1_device {
/**
* Common methods of the keymaster device. This *must* be the first member of
* keymaster_device as users of this structure will cast a hw_device_t to
@ -80,7 +41,7 @@ struct keymaster_device {
uint32_t client_version;
/**
* See flags defined for keymaster_device::flags above.
* See flags defined for keymaster0_devices::flags in keymaster_common.h
*/
uint32_t flags;
@ -92,7 +53,7 @@ struct keymaster_device {
*
* Returns: 0 on success or an error code less than 0.
*/
int (*generate_keypair)(const struct keymaster_device* dev, const keymaster_keypair_t key_type,
int (*generate_keypair)(const struct keymaster1_device* dev, const keymaster_keypair_t key_type,
const void* key_params, uint8_t** key_blob, size_t* key_blob_length);
/**
@ -102,7 +63,7 @@ struct keymaster_device {
*
* Returns: 0 on success or an error code less than 0.
*/
int (*import_keypair)(const struct keymaster_device* dev, const uint8_t* key,
int (*import_keypair)(const struct keymaster1_device* dev, const uint8_t* key,
const size_t key_length, uint8_t** key_blob, size_t* key_blob_length);
/**
@ -112,7 +73,7 @@ struct keymaster_device {
* Returns: 0 on success or an error code less than 0. On error, x509_data
* should not be allocated.
*/
int (*get_keypair_public)(const struct keymaster_device* dev, const uint8_t* key_blob,
int (*get_keypair_public)(const struct keymaster1_device* dev, const uint8_t* key_blob,
const size_t key_blob_length, uint8_t** x509_data,
size_t* x509_data_length);
@ -124,7 +85,7 @@ struct keymaster_device {
*
* Returns 0 on success or an error code less than 0.
*/
int (*delete_keypair)(const struct keymaster_device* dev, const uint8_t* key_blob,
int (*delete_keypair)(const struct keymaster1_device* dev, const uint8_t* key_blob,
const size_t key_blob_length);
/**
@ -136,7 +97,7 @@ struct keymaster_device {
*
* Returns 0 on success or an error code less than 0.
*/
int (*delete_all)(const struct keymaster_device* dev);
int (*delete_all)(const struct keymaster1_device* dev);
/**
* \deprecated Signs data using a key-blob generated before. This can use either an asymmetric
@ -144,7 +105,7 @@ struct keymaster_device {
*
* Returns: 0 on success or an error code less than 0.
*/
int (*sign_data)(const struct keymaster_device* dev, const void* signing_params,
int (*sign_data)(const struct keymaster1_device* dev, const void* signing_params,
const uint8_t* key_blob, const size_t key_blob_length, const uint8_t* data,
const size_t data_length, uint8_t** signed_data, size_t* signed_data_length);
@ -154,7 +115,7 @@ struct keymaster_device {
*
* Returns: 0 on successful verification or an error code less than 0.
*/
int (*verify_data)(const struct keymaster_device* dev, const void* signing_params,
int (*verify_data)(const struct keymaster1_device* dev, const void* signing_params,
const uint8_t* key_blob, const size_t key_blob_length,
const uint8_t* signed_data, const size_t signed_data_length,
const uint8_t* signature, const size_t signature_length);
@ -169,7 +130,7 @@ struct keymaster_device {
*
* \param[out] algorithms_length Length of \p algorithms.
*/
keymaster_error_t (*get_supported_algorithms)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_algorithms)(const struct keymaster1_device* dev,
keymaster_algorithm_t** algorithms,
size_t* algorithms_length);
@ -185,7 +146,7 @@ struct keymaster_device {
*
* \param[out] modes_length Length of \p modes.
*/
keymaster_error_t (*get_supported_block_modes)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_block_modes)(const struct keymaster1_device* dev,
keymaster_algorithm_t algorithm,
keymaster_purpose_t purpose,
keymaster_block_mode_t** modes,
@ -204,7 +165,7 @@ struct keymaster_device {
*
* \param[out] modes_length Length of \p modes.
*/
keymaster_error_t (*get_supported_padding_modes)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_padding_modes)(const struct keymaster1_device* dev,
keymaster_algorithm_t algorithm,
keymaster_purpose_t purpose,
keymaster_padding_t** modes,
@ -223,7 +184,7 @@ struct keymaster_device {
*
* \param[out] digests_length Length of \p digests.
*/
keymaster_error_t (*get_supported_digests)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_digests)(const struct keymaster1_device* dev,
keymaster_algorithm_t algorithm,
keymaster_purpose_t purpose,
keymaster_digest_t** digests,
@ -242,7 +203,7 @@ struct keymaster_device {
*
* \param[out] formats_length Length of \p formats.
*/
keymaster_error_t (*get_supported_import_formats)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_import_formats)(const struct keymaster1_device* dev,
keymaster_algorithm_t algorithm,
keymaster_key_format_t** formats,
size_t* formats_length);
@ -260,7 +221,7 @@ struct keymaster_device {
*
* \param[out] formats_length Length of \p formats.
*/
keymaster_error_t (*get_supported_export_formats)(const struct keymaster_device* dev,
keymaster_error_t (*get_supported_export_formats)(const struct keymaster1_device* dev,
keymaster_algorithm_t algorithm,
keymaster_key_format_t** formats,
size_t* formats_length);
@ -278,7 +239,7 @@ struct keymaster_device {
*
* \param[in] data_length Length of \p data.
*/
keymaster_error_t (*add_rng_entropy)(const struct keymaster_device* dev, const uint8_t* data,
keymaster_error_t (*add_rng_entropy)(const struct keymaster1_device* dev, const uint8_t* data,
size_t data_length);
/**
@ -336,7 +297,7 @@ struct keymaster_device {
* keymaster_free_characteristics(). Note that KM_TAG_ROOT_OF_TRUST, KM_TAG_APPLICATION_ID and
* KM_TAG_APPLICATION_DATA are never returned.
*/
keymaster_error_t (*generate_key)(const struct keymaster_device* dev,
keymaster_error_t (*generate_key)(const struct keymaster1_device* dev,
const keymaster_key_param_t* params, size_t params_count,
keymaster_key_blob_t* key_blob,
keymaster_key_characteristics_t** characteristics);
@ -361,7 +322,7 @@ struct keymaster_device {
*
* \param[out] characteristics The key characteristics.
*/
keymaster_error_t (*get_key_characteristics)(const struct keymaster_device* dev,
keymaster_error_t (*get_key_characteristics)(const struct keymaster1_device* dev,
const keymaster_key_blob_t* key_blob,
const keymaster_blob_t* client_id,
const keymaster_blob_t* app_data,
@ -396,7 +357,7 @@ struct keymaster_device {
* hw_enforced and sw_enforced lists. The caller takes ownership and must call
* keymaster_free_characteristics() to free.
*/
keymaster_error_t (*rescope)(const struct keymaster_device* dev,
keymaster_error_t (*rescope)(const struct keymaster1_device* dev,
const keymaster_key_param_t* new_params, size_t new_params_count,
const keymaster_key_blob_t* key_blob,
const keymaster_blob_t* client_id,
@ -456,7 +417,7 @@ struct keymaster_device {
* NULL, in which case no characteristics will be returned. If non-NULL, the caller assumes
* ownership and must deallocate with keymaster_free_characteristics().
*/
keymaster_error_t (*import_key)(const struct keymaster_device* dev,
keymaster_error_t (*import_key)(const struct keymaster1_device* dev,
const keymaster_key_param_t* params, size_t params_count,
keymaster_key_format_t key_format, const uint8_t* key_data,
size_t key_data_length, keymaster_key_blob_t* key_blob,
@ -475,7 +436,7 @@ struct keymaster_device {
*
* \param[out] export_data_length The length of \p export_data.
*/
keymaster_error_t (*export_key)(const struct keymaster_device* dev,
keymaster_error_t (*export_key)(const struct keymaster1_device* dev,
keymaster_key_format_t export_format,
const keymaster_key_blob_t* key_to_export,
const keymaster_blob_t* client_id,
@ -494,7 +455,7 @@ struct keymaster_device {
*
* \param[in] key The key to be deleted.
*/
keymaster_error_t (*delete_key)(const struct keymaster_device* dev,
keymaster_error_t (*delete_key)(const struct keymaster1_device* dev,
const keymaster_key_blob_t* key);
/**
@ -508,7 +469,7 @@ struct keymaster_device {
*
* Returns 0 on success or an error code less than 0.
*/
int (*delete_all_keys)(const struct keymaster_device* dev);
int (*delete_all_keys)(const struct keymaster1_device* dev);
/**
* Begins a cryptographic operation using the specified key. If all is well, begin() will
@ -549,7 +510,7 @@ struct keymaster_device {
* \param[out] operation_handle The newly-created operation handle which must be passed to
* update(), finish() or abort().
*/
keymaster_error_t (*begin)(const struct keymaster_device* dev, keymaster_purpose_t purpose,
keymaster_error_t (*begin)(const struct keymaster1_device* dev, keymaster_purpose_t purpose,
const keymaster_key_blob_t* key, const keymaster_key_param_t* params,
size_t params_count, keymaster_key_param_t** out_params,
size_t* out_params_count,
@ -593,7 +554,7 @@ struct keymaster_device {
* Note that update() may not provide any output, in which case *output_length will be zero, and
* *output may be either NULL or zero-length (so the caller should always free() it).
*/
keymaster_error_t (*update)(const struct keymaster_device* dev,
keymaster_error_t (*update)(const struct keymaster1_device* dev,
keymaster_operation_handle_t operation_handle,
const keymaster_key_param_t* params, size_t params_count,
const uint8_t* input, size_t input_length, size_t* input_consumed,
@ -626,7 +587,7 @@ struct keymaster_device {
* If the operation being finished is a signature verification or an AEAD-mode decryption and
* verification fails then finish() will return KM_ERROR_VERIFICATION_FAILED.
*/
keymaster_error_t (*finish)(const struct keymaster_device* dev,
keymaster_error_t (*finish)(const struct keymaster1_device* dev,
keymaster_operation_handle_t operation_handle,
const keymaster_key_param_t* params, size_t params_count,
const uint8_t* signature, size_t signature_length, uint8_t** output,
@ -636,21 +597,21 @@ struct keymaster_device {
* Aborts a cryptographic operation begun with begin(), freeing all internal resources and
* invalidating operation_handle.
*/
keymaster_error_t (*abort)(const struct keymaster_device* dev,
keymaster_error_t (*abort)(const struct keymaster1_device* dev,
keymaster_operation_handle_t operation_handle);
};
typedef struct keymaster_device keymaster_device_t;
typedef struct keymaster1_device keymaster1_device_t;
/* Convenience API for opening and closing keymaster devices */
static inline int keymaster_open(const struct hw_module_t* module, keymaster_device_t** device) {
static inline int keymaster1_open(const struct hw_module_t* module, keymaster1_device_t** device) {
return module->methods->open(module, KEYSTORE_KEYMASTER, (struct hw_device_t**)device);
}
static inline int keymaster_close(keymaster_device_t* device) {
static inline int keymaster1_close(keymaster1_device_t* device) {
return device->common.close(&device->common);
}
__END_DECLS
#endif // ANDROID_HARDWARE_KEYMASTER_H
#endif // ANDROID_HARDWARE_KEYMASTER1_H

185
include/hardware/keymaster_common.h Normal file
View file

@ -0,0 +1,185 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef ANDROID_HARDWARE_KEYMASTER_COMMON_H
#define ANDROID_HARDWARE_KEYMASTER_COMMON_H
#include <stdint.h>
#include <sys/cdefs.h>
#include <sys/types.h>
#include <hardware/hardware.h>
__BEGIN_DECLS
/**
* The id of this module
*/
#define KEYSTORE_HARDWARE_MODULE_ID "keystore"
#define KEYSTORE_KEYMASTER "keymaster"
/**
* Settings for "module_api_version" and "hal_api_version"
* fields in the keymaster_module initialization.
*/
/**
* Keymaster 0.X module version provide the same APIs, but later versions add more options
* for algorithms and flags.
*/
#define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2)
#define KEYMASTER_DEVICE_API_VERSION_0_2 HARDWARE_DEVICE_API_VERSION(0, 2)
#define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3)
#define KEYMASTER_DEVICE_API_VERSION_0_3 HARDWARE_DEVICE_API_VERSION(0, 3)
/**
* Keymaster 1.0 module version provides a completely different API, incompatible with 0.X.
*/
#define KEYMASTER_MODULE_API_VERSION_1_0 HARDWARE_MODULE_API_VERSION(1, 0)
#define KEYMASTER_DEVICE_API_VERSION_1_0 HARDWARE_DEVICE_API_VERSION(1, 0)
struct keystore_module {
/**
* Common methods of the keystore module. This *must* be the first member of keystore_module as
* users of this structure will cast a hw_module_t to keystore_module pointer in contexts where
* it's known the hw_module_t references a keystore_module.
*/
hw_module_t common;
/* There are no keystore module methods other than the common ones. */
};
/**
* Flags for keymaster0_device::flags
*/
enum {
/*
* Indicates this keymaster implementation does not have hardware that
* keeps private keys out of user space.
*
* This should not be implemented on anything other than the default
* implementation.
*/
KEYMASTER_SOFTWARE_ONLY = 1 << 0,
/*
* This indicates that the key blobs returned via all the primitives
* are sufficient to operate on their own without the trusted OS
* querying userspace to retrieve some other data. Key blobs of
* this type are normally returned encrypted with a
* Key Encryption Key (KEK).
*
* This is currently used by "vold" to know whether the whole disk
* encryption secret can be unwrapped without having some external
* service started up beforehand since the "/data" partition will
* be unavailable at that point.
*/
KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1,
/*
* Indicates that the keymaster module supports DSA keys.
*/
KEYMASTER_SUPPORTS_DSA = 1 << 2,
/*
* Indicates that the keymaster module supports EC keys.
*/
KEYMASTER_SUPPORTS_EC = 1 << 3,
};
/**
* Asymmetric key pair types.
*/
typedef enum {
TYPE_RSA = 1,
TYPE_DSA = 2,
TYPE_EC = 3,
} keymaster_keypair_t;
/**
* Parameters needed to generate an RSA key.
*/
typedef struct {
uint32_t modulus_size;
uint64_t public_exponent;
} keymaster_rsa_keygen_params_t;
/**
* Parameters needed to generate a DSA key.
*/
typedef struct {
uint32_t key_size;
uint32_t generator_len;
uint32_t prime_p_len;
uint32_t prime_q_len;
const uint8_t* generator;
const uint8_t* prime_p;
const uint8_t* prime_q;
} keymaster_dsa_keygen_params_t;
/**
* Parameters needed to generate an EC key.
*
* Field size is the only parameter in version 2. The sizes correspond to these required curves:
*
* 192 = NIST P-192
* 224 = NIST P-224
* 256 = NIST P-256
* 384 = NIST P-384
* 521 = NIST P-521
*
* The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf
* in Chapter 4.
*/
typedef struct {
uint32_t field_size;
} keymaster_ec_keygen_params_t;
/**
* Digest type.
*/
typedef enum {
DIGEST_NONE,
} keymaster_digest_algorithm_t;
/**
* Type of padding used for RSA operations.
*/
typedef enum {
PADDING_NONE,
} keymaster_rsa_padding_t;
typedef struct {
keymaster_digest_algorithm_t digest_type;
} keymaster_dsa_sign_params_t;
typedef struct {
keymaster_digest_algorithm_t digest_type;
} keymaster_ec_sign_params_t;
typedef struct {
keymaster_digest_algorithm_t digest_type;
keymaster_rsa_padding_t padding_type;
} keymaster_rsa_sign_params_t;
__END_DECLS
#endif // ANDROID_HARDWARE_KEYMASTER_COMMON_H

118
include/hardware/keymaster_defs.h
View file

@ -25,57 +25,6 @@
extern "C" {
#endif // defined(__cplusplus)
/*!
* \deprecated Flags for keymaster_device::flags
*
* keymaster_device::flags is deprecated and will be removed in the
* next version of the API in favor of the more detailed information
* available from TODO:
*/
enum {
/*
* Indicates this keymaster implementation does not have hardware that
* keeps private keys out of user space.
*
* This should not be implemented on anything other than the default
* implementation.
*/
KEYMASTER_SOFTWARE_ONLY = 1 << 0,
/*
* This indicates that the key blobs returned via all the primitives
* are sufficient to operate on their own without the trusted OS
* querying userspace to retrieve some other data. Key blobs of
* this type are normally returned encrypted with a
* Key Encryption Key (KEK).
*
* This is currently used by "vold" to know whether the whole disk
* encryption secret can be unwrapped without having some external
* service started up beforehand since the "/data" partition will
* be unavailable at that point.
*/
KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1,
/*
* Indicates that the keymaster module supports DSA keys.
*/
KEYMASTER_SUPPORTS_DSA = 1 << 2,
/*
* Indicates that the keymaster module supports EC keys.
*/
KEYMASTER_SUPPORTS_EC = 1 << 3,
};
/**
* \deprecated Asymmetric key pair types.
*/
typedef enum {
TYPE_RSA = 1,
TYPE_DSA = 2,
TYPE_EC = 3,
} keymaster_keypair_t;
/**
* Authorization tags each have an associated type. This enumeration facilitates tagging each with
* a type, by using the high four bits (of an implied 32-bit unsigned enum value) to specify up to
@ -183,9 +132,7 @@ typedef enum {
/**
* Algorithms that may be provided by keymaster implementations. Those that must be provided by all
* implementations are tagged as "required". Note that where the values in this enumeration overlap
* with the values for the deprecated keymaster_keypair_t, the same algorithm must be
* specified. This type is new in 0_4 and replaces the deprecated keymaster_keypair_t.
* implementations are tagged as "required".
*/
typedef enum {
/* Asymmetric algorithms. */
@ -271,7 +218,6 @@ typedef enum {
*/
typedef enum {
KM_DIGEST_NONE = 0, /* new, required */
DIGEST_NONE = KM_DIGEST_NONE, /* For 0_2 compatibility */
KM_DIGEST_MD5 = 1, /* new, for compatibility with old protocols only */
KM_DIGEST_SHA1 = 2, /* new */
KM_DIGEST_SHA_2_224 = 3, /* new */
@ -433,68 +379,6 @@ typedef enum {
KM_ERROR_UNKNOWN_ERROR = -1000,
} keymaster_error_t;
/**
* \deprecated Parameters needed to generate an RSA key.
*/
typedef struct {
uint32_t modulus_size; /* bits */
uint64_t public_exponent;
} keymaster_rsa_keygen_params_t;
/**
* \deprecated Parameters needed to generate a DSA key.
*/
typedef struct {
uint32_t key_size; /* bits */
uint32_t generator_len;
uint32_t prime_p_len;
uint32_t prime_q_len;
const uint8_t* generator;
const uint8_t* prime_p;
const uint8_t* prime_q;
} keymaster_dsa_keygen_params_t;
/**
* \deprecated Parameters needed to generate an EC key.
*
* Field size is the only parameter in version 4. The sizes correspond to these required curves:
*
* 192 = NIST P-192
* 224 = NIST P-224
* 256 = NIST P-256
* 384 = NIST P-384
* 521 = NIST P-521
*
* The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf
* in Chapter 4.
*/
typedef struct { uint32_t field_size; /* bits */ } keymaster_ec_keygen_params_t;
/**
* \deprecated Type of padding used for RSA operations.
*/
typedef enum {
PADDING_NONE,
} keymaster_rsa_padding_t;
/**
* \deprecated
*/
typedef struct { keymaster_digest_t digest_type; } keymaster_dsa_sign_params_t;
/**
* \deprecated
*/
typedef struct { keymaster_digest_t digest_type; } keymaster_ec_sign_params_t;
/**
*\deprecated
*/
typedef struct {
keymaster_digest_t digest_type;
keymaster_rsa_padding_t padding_type;
} keymaster_rsa_sign_params_t;
/* Convenience functions for manipulating keymaster tag types */
static inline keymaster_tag_type_t keymaster_tag_get_type(keymaster_tag_t tag) {

16
tests/keymaster/keymaster_test.cpp
View file

@ -35,7 +35,7 @@
#include <UniquePtr.h>
#include <hardware/keymaster.h>
#include <hardware/keymaster0.h>
namespace android {
@ -92,13 +92,13 @@ std::ostream &operator<<(std::ostream &stream, const UniqueBlob& blob) {
class UniqueKey : public UniqueBlob {
public:
UniqueKey(keymaster_device_t** dev, uint8_t* bytes, size_t length) :
UniqueKey(keymaster0_device_t** dev, uint8_t* bytes, size_t length) :
UniqueBlob(bytes, length), mDevice(dev) {
}
~UniqueKey() {
if (mDevice != NULL && *mDevice != NULL) {
keymaster_device_t* dev = *mDevice;
keymaster0_device_t* dev = *mDevice;
if (dev->delete_keypair != NULL) {
dev->delete_keypair(dev, get(), length());
}
@ -106,7 +106,7 @@ public:
}
private:
keymaster_device_t** mDevice;
keymaster0_device_t** mDevice;
};
class UniqueReadOnlyBlob {
@ -341,7 +341,7 @@ public:
std::cout << "Using keymaster module: " << mod->name << std::endl;
ASSERT_EQ(0, keymaster_open(mod, &sDevice))
ASSERT_EQ(0, keymaster0_open(mod, &sDevice))
<< "Should be able to open the keymaster device";
ASSERT_EQ(KEYMASTER_MODULE_API_VERSION_0_2, mod->module_api_version)
@ -364,14 +364,14 @@ public:
}
static void TearDownTestCase() {
ASSERT_EQ(0, keymaster_close(sDevice));
ASSERT_EQ(0, keymaster0_close(sDevice));
}
protected:
static keymaster_device_t* sDevice;
static keymaster0_device_t* sDevice;
};
keymaster_device_t* KeymasterBaseTest::sDevice = NULL;
keymaster0_device_t* KeymasterBaseTest::sDevice = NULL;
class KeymasterTest : public KeymasterBaseTest {
};