diff options
| author | Shawn Willden <swillden@google.com> | 2015-02-24 09:17:38 -0700 |
|---|---|---|
| committer | Shawn Willden <swillden@google.com> | 2015-02-25 23:08:39 -0700 |
| commit | 302d252f2c655b50a8d1223105a0742d456ce206 (patch) | |
| tree | 56b3b763522ac271a319cc6c31f974397318becc | |
| parent | c07f425c6593080d76e2bf486cc8b9a40d000aab (diff) | |
| download | hardware_libhardware-302d252f2c655b50a8d1223105a0742d456ce206.zip hardware_libhardware-302d252f2c655b50a8d1223105a0742d456ce206.tar.gz hardware_libhardware-302d252f2c655b50a8d1223105a0742d456ce206.tar.bz2 | |
Separate keymaster0 and keymaster1 HALs.
For now the keymaster1 HAL still includes all of the keymaster0 entry
points, and soft_keymaster_device will continue to implement them. In
the near future the keymaster0 entry points will be removed, as soon as
we can ensure that keystore no longer needs them.
Change-Id: I5c54282c12d1c4b8b22ed4929b6e6c724a94ede4
| -rw-r--r-- | include/hardware/keymaster0.h | 149 | ||||
| -rw-r--r-- | include/hardware/keymaster1.h (renamed from include/hardware/keymaster.h) | 111 | ||||
| -rw-r--r-- | include/hardware/keymaster_common.h | 185 | ||||
| -rw-r--r-- | include/hardware/keymaster_defs.h | 118 | ||||
| -rw-r--r-- | tests/keymaster/keymaster_test.cpp | 16 |
5 files changed, 379 insertions, 200 deletions
diff --git a/include/hardware/keymaster0.h b/include/hardware/keymaster0.h new file mode 100644 index 0000000..f020e5b --- /dev/null +++ b/include/hardware/keymaster0.h @@ -0,0 +1,149 @@ +/* + * Copyright (C) 2011 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef ANDROID_HARDWARE_KEYMASTER_0_H +#define ANDROID_HARDWARE_KEYMASTER_0_H + +#include <hardware/keymaster_common.h> + +__BEGIN_DECLS + +/** + * Keymaster0 device definition. + */ +struct keymaster0_device { + /** + * Common methods of the keymaster device. This *must* be the first member of + * keymaster0_device as users of this structure will cast a hw_device_t to + * keymaster0_device pointer in contexts where it's known the hw_device_t references a + * keymaster0_device. + */ + struct hw_device_t common; + + /** + * THIS IS DEPRECATED. Use the new "module_api_version" and "hal_api_version" + * fields in the keymaster_module initialization instead. + */ + uint32_t client_version; + + /** + * See flags defined for keymaster0_device::flags in keymaster_common.h + */ + uint32_t flags; + + void* context; + + /** + * Generates a public and private key. The key-blob returned is opaque + * and must subsequently provided for signing and verification. + * + * Returns: 0 on success or an error code less than 0. + */ + int (*generate_keypair)(const struct keymaster0_device* dev, + const keymaster_keypair_t key_type, const void* key_params, + uint8_t** key_blob, size_t* key_blob_length); + + /** + * Imports a public and private key pair. The imported keys will be in + * PKCS#8 format with DER encoding (Java standard). The key-blob + * returned is opaque and will be subsequently provided for signing + * and verification. + * + * Returns: 0 on success or an error code less than 0. + */ + int (*import_keypair)(const struct keymaster0_device* dev, + const uint8_t* key, const size_t key_length, + uint8_t** key_blob, size_t* key_blob_length); + + /** + * Gets the public key part of a key pair. The public key must be in + * X.509 format (Java standard) encoded byte array. + * + * Returns: 0 on success or an error code less than 0. + * On error, x509_data should not be allocated. + */ + int (*get_keypair_public)(const struct keymaster0_device* dev, + const uint8_t* key_blob, const size_t key_blob_length, + uint8_t** x509_data, size_t* x509_data_length); + + /** + * Deletes the key pair associated with the key blob. + * + * This function is optional and should be set to NULL if it is not + * implemented. + * + * Returns 0 on success or an error code less than 0. + */ + int (*delete_keypair)(const struct keymaster0_device* dev, + const uint8_t* key_blob, const size_t key_blob_length); + + /** + * Deletes all keys in the hardware keystore. Used when keystore is + * reset completely. + * + * This function is optional and should be set to NULL if it is not + * implemented. + * + * Returns 0 on success or an error code less than 0. + */ + int (*delete_all)(const struct keymaster0_device* dev); + + /** + * Signs data using a key-blob generated before. This can use either + * an asymmetric key or a secret key. + * + * Returns: 0 on success or an error code less than 0. + */ + int (*sign_data)(const struct keymaster0_device* dev, + const void* signing_params, + const uint8_t* key_blob, const size_t key_blob_length, + const uint8_t* data, const size_t data_length, + uint8_t** signed_data, size_t* signed_data_length); + + /** + * Verifies data signed with a key-blob. This can use either + * an asymmetric key or a secret key. + * + * Returns: 0 on successful verification or an error code less than 0. + */ + int (*verify_data)(const struct keymaster0_device* dev, + const void* signing_params, + const uint8_t* key_blob, const size_t key_blob_length, + const uint8_t* signed_data, const size_t signed_data_length, + const uint8_t* signature, const size_t signature_length); +}; +typedef struct keymaster0_device keymaster0_device_t; + + +/* Convenience API for opening and closing keymaster devices */ + +static inline int keymaster0_open(const struct hw_module_t* module, + keymaster0_device_t** device) +{ + int rc = module->methods->open(module, KEYSTORE_KEYMASTER, + (struct hw_device_t**) device); + + return rc; +} + +static inline int keymaster0_close(keymaster0_device_t* device) +{ + return device->common.close(&device->common); +} + +__END_DECLS + +#endif // ANDROID_HARDWARE_KEYMASTER_0_H diff --git a/include/hardware/keymaster.h b/include/hardware/keymaster1.h index db66a74..dae3b8e 100644 --- a/include/hardware/keymaster.h +++ b/include/hardware/keymaster1.h @@ -1,5 +1,5 @@ /* - * Copyright (C) 2011 The Android Open Source Project + * Copyright (C) 2015 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -14,57 +14,18 @@ * limitations under the License. */ -#ifndef ANDROID_HARDWARE_KEYMASTER_H -#define ANDROID_HARDWARE_KEYMASTER_H +#ifndef ANDROID_HARDWARE_KEYMASTER1_H +#define ANDROID_HARDWARE_KEYMASTER1_H -#include <stdint.h> -#include <sys/cdefs.h> -#include <sys/types.h> - -#include <hardware/hardware.h> +#include <hardware/keymaster_common.h> #include <hardware/keymaster_defs.h> __BEGIN_DECLS /** - * The id of this module - */ -#define KEYSTORE_HARDWARE_MODULE_ID "keystore" - -#define KEYSTORE_KEYMASTER "keymaster" - -/** - * Settings for "module_api_version" and "hal_api_version" - * fields in the keymaster_module initialization. - */ -#define KEYMASTER_HEADER_VERSION 4 - -#define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2) -#define KEYMASTER_DEVICE_API_VERSION_0_2 \ - HARDWARE_DEVICE_API_VERSION_2(0, 2, KEYMASTER_HEADER_VERSION) - -#define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3) -#define KEYMASTER_DEVICE_API_VERSION_0_3 \ - HARDWARE_DEVICE_API_VERSION_2(0, 3, KEYMASTER_HEADER_VERSION) - -#define KEYMASTER_MODULE_API_VERSION_0_4 HARDWARE_MODULE_API_VERSION(0, 4) -#define KEYMASTER_DEVICE_API_VERSION_0_4 \ - HARDWARE_DEVICE_API_VERSION_2(0, 4, KEYMASTER_HEADER_VERSION) - -struct keystore_module { - /** - * Common methods of the keystore module. This *must* be the first member of - * keystore_module as users of this structure will cast a hw_module_t to - * keystore_module pointer in contexts where it's known the hw_module_t references a - * keystore_module. - */ - hw_module_t common; -}; - -/** - * The parameters that can be set for a given keymaster implementation. + * Keymaster1 device definition */ -struct keymaster_device { +struct keymaster1_device { /** * Common methods of the keymaster device. This *must* be the first member of * keymaster_device as users of this structure will cast a hw_device_t to @@ -80,7 +41,7 @@ struct keymaster_device { uint32_t client_version; /** - * See flags defined for keymaster_device::flags above. + * See flags defined for keymaster0_devices::flags in keymaster_common.h */ uint32_t flags; @@ -92,7 +53,7 @@ struct keymaster_device { * * Returns: 0 on success or an error code less than 0. */ - int (*generate_keypair)(const struct keymaster_device* dev, const keymaster_keypair_t key_type, + int (*generate_keypair)(const struct keymaster1_device* dev, const keymaster_keypair_t key_type, const void* key_params, uint8_t** key_blob, size_t* key_blob_length); /** @@ -102,7 +63,7 @@ struct keymaster_device { * * Returns: 0 on success or an error code less than 0. */ - int (*import_keypair)(const struct keymaster_device* dev, const uint8_t* key, + int (*import_keypair)(const struct keymaster1_device* dev, const uint8_t* key, const size_t key_length, uint8_t** key_blob, size_t* key_blob_length); /** @@ -112,7 +73,7 @@ struct keymaster_device { * Returns: 0 on success or an error code less than 0. On error, x509_data * should not be allocated. */ - int (*get_keypair_public)(const struct keymaster_device* dev, const uint8_t* key_blob, + int (*get_keypair_public)(const struct keymaster1_device* dev, const uint8_t* key_blob, const size_t key_blob_length, uint8_t** x509_data, size_t* x509_data_length); @@ -124,7 +85,7 @@ struct keymaster_device { * * Returns 0 on success or an error code less than 0. */ - int (*delete_keypair)(const struct keymaster_device* dev, const uint8_t* key_blob, + int (*delete_keypair)(const struct keymaster1_device* dev, const uint8_t* key_blob, const size_t key_blob_length); /** @@ -136,7 +97,7 @@ struct keymaster_device { * * Returns 0 on success or an error code less than 0. */ - int (*delete_all)(const struct keymaster_device* dev); + int (*delete_all)(const struct keymaster1_device* dev); /** * \deprecated Signs data using a key-blob generated before. This can use either an asymmetric @@ -144,7 +105,7 @@ struct keymaster_device { * * Returns: 0 on success or an error code less than 0. */ - int (*sign_data)(const struct keymaster_device* dev, const void* signing_params, + int (*sign_data)(const struct keymaster1_device* dev, const void* signing_params, const uint8_t* key_blob, const size_t key_blob_length, const uint8_t* data, const size_t data_length, uint8_t** signed_data, size_t* signed_data_length); @@ -154,7 +115,7 @@ struct keymaster_device { * * Returns: 0 on successful verification or an error code less than 0. */ - int (*verify_data)(const struct keymaster_device* dev, const void* signing_params, + int (*verify_data)(const struct keymaster1_device* dev, const void* signing_params, const uint8_t* key_blob, const size_t key_blob_length, const uint8_t* signed_data, const size_t signed_data_length, const uint8_t* signature, const size_t signature_length); @@ -169,7 +130,7 @@ struct keymaster_device { * * \param[out] algorithms_length Length of \p algorithms. */ - keymaster_error_t (*get_supported_algorithms)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_algorithms)(const struct keymaster1_device* dev, keymaster_algorithm_t** algorithms, size_t* algorithms_length); @@ -185,7 +146,7 @@ struct keymaster_device { * * \param[out] modes_length Length of \p modes. */ - keymaster_error_t (*get_supported_block_modes)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_block_modes)(const struct keymaster1_device* dev, keymaster_algorithm_t algorithm, keymaster_purpose_t purpose, keymaster_block_mode_t** modes, @@ -204,7 +165,7 @@ struct keymaster_device { * * \param[out] modes_length Length of \p modes. */ - keymaster_error_t (*get_supported_padding_modes)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_padding_modes)(const struct keymaster1_device* dev, keymaster_algorithm_t algorithm, keymaster_purpose_t purpose, keymaster_padding_t** modes, @@ -223,7 +184,7 @@ struct keymaster_device { * * \param[out] digests_length Length of \p digests. */ - keymaster_error_t (*get_supported_digests)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_digests)(const struct keymaster1_device* dev, keymaster_algorithm_t algorithm, keymaster_purpose_t purpose, keymaster_digest_t** digests, @@ -242,7 +203,7 @@ struct keymaster_device { * * \param[out] formats_length Length of \p formats. */ - keymaster_error_t (*get_supported_import_formats)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_import_formats)(const struct keymaster1_device* dev, keymaster_algorithm_t algorithm, keymaster_key_format_t** formats, size_t* formats_length); @@ -260,7 +221,7 @@ struct keymaster_device { * * \param[out] formats_length Length of \p formats. */ - keymaster_error_t (*get_supported_export_formats)(const struct keymaster_device* dev, + keymaster_error_t (*get_supported_export_formats)(const struct keymaster1_device* dev, keymaster_algorithm_t algorithm, keymaster_key_format_t** formats, size_t* formats_length); @@ -278,7 +239,7 @@ struct keymaster_device { * * \param[in] data_length Length of \p data. */ - keymaster_error_t (*add_rng_entropy)(const struct keymaster_device* dev, const uint8_t* data, + keymaster_error_t (*add_rng_entropy)(const struct keymaster1_device* dev, const uint8_t* data, size_t data_length); /** @@ -336,7 +297,7 @@ struct keymaster_device { * keymaster_free_characteristics(). Note that KM_TAG_ROOT_OF_TRUST, KM_TAG_APPLICATION_ID and * KM_TAG_APPLICATION_DATA are never returned. */ - keymaster_error_t (*generate_key)(const struct keymaster_device* dev, + keymaster_error_t (*generate_key)(const struct keymaster1_device* dev, const keymaster_key_param_t* params, size_t params_count, keymaster_key_blob_t* key_blob, keymaster_key_characteristics_t** characteristics); @@ -361,7 +322,7 @@ struct keymaster_device { * * \param[out] characteristics The key characteristics. */ - keymaster_error_t (*get_key_characteristics)(const struct keymaster_device* dev, + keymaster_error_t (*get_key_characteristics)(const struct keymaster1_device* dev, const keymaster_key_blob_t* key_blob, const keymaster_blob_t* client_id, const keymaster_blob_t* app_data, @@ -396,7 +357,7 @@ struct keymaster_device { * hw_enforced and sw_enforced lists. The caller takes ownership and must call * keymaster_free_characteristics() to free. */ - keymaster_error_t (*rescope)(const struct keymaster_device* dev, + keymaster_error_t (*rescope)(const struct keymaster1_device* dev, const keymaster_key_param_t* new_params, size_t new_params_count, const keymaster_key_blob_t* key_blob, const keymaster_blob_t* client_id, @@ -456,7 +417,7 @@ struct keymaster_device { * NULL, in which case no characteristics will be returned. If non-NULL, the caller assumes * ownership and must deallocate with keymaster_free_characteristics(). */ - keymaster_error_t (*import_key)(const struct keymaster_device* dev, + keymaster_error_t (*import_key)(const struct keymaster1_device* dev, const keymaster_key_param_t* params, size_t params_count, keymaster_key_format_t key_format, const uint8_t* key_data, size_t key_data_length, keymaster_key_blob_t* key_blob, @@ -475,7 +436,7 @@ struct keymaster_device { * * \param[out] export_data_length The length of \p export_data. */ - keymaster_error_t (*export_key)(const struct keymaster_device* dev, + keymaster_error_t (*export_key)(const struct keymaster1_device* dev, keymaster_key_format_t export_format, const keymaster_key_blob_t* key_to_export, const keymaster_blob_t* client_id, @@ -494,7 +455,7 @@ struct keymaster_device { * * \param[in] key The key to be deleted. */ - keymaster_error_t (*delete_key)(const struct keymaster_device* dev, + keymaster_error_t (*delete_key)(const struct keymaster1_device* dev, const keymaster_key_blob_t* key); /** @@ -508,7 +469,7 @@ struct keymaster_device { * * Returns 0 on success or an error code less than 0. */ - int (*delete_all_keys)(const struct keymaster_device* dev); + int (*delete_all_keys)(const struct keymaster1_device* dev); /** * Begins a cryptographic operation using the specified key. If all is well, begin() will @@ -549,7 +510,7 @@ struct keymaster_device { * \param[out] operation_handle The newly-created operation handle which must be passed to * update(), finish() or abort(). */ - keymaster_error_t (*begin)(const struct keymaster_device* dev, keymaster_purpose_t purpose, + keymaster_error_t (*begin)(const struct keymaster1_device* dev, keymaster_purpose_t purpose, const keymaster_key_blob_t* key, const keymaster_key_param_t* params, size_t params_count, keymaster_key_param_t** out_params, size_t* out_params_count, @@ -593,7 +554,7 @@ struct keymaster_device { * Note that update() may not provide any output, in which case *output_length will be zero, and * *output may be either NULL or zero-length (so the caller should always free() it). */ - keymaster_error_t (*update)(const struct keymaster_device* dev, + keymaster_error_t (*update)(const struct keymaster1_device* dev, keymaster_operation_handle_t operation_handle, const keymaster_key_param_t* params, size_t params_count, const uint8_t* input, size_t input_length, size_t* input_consumed, @@ -626,7 +587,7 @@ struct keymaster_device { * If the operation being finished is a signature verification or an AEAD-mode decryption and * verification fails then finish() will return KM_ERROR_VERIFICATION_FAILED. */ - keymaster_error_t (*finish)(const struct keymaster_device* dev, + keymaster_error_t (*finish)(const struct keymaster1_device* dev, keymaster_operation_handle_t operation_handle, const keymaster_key_param_t* params, size_t params_count, const uint8_t* signature, size_t signature_length, uint8_t** output, @@ -636,21 +597,21 @@ struct keymaster_device { * Aborts a cryptographic operation begun with begin(), freeing all internal resources and * invalidating operation_handle. */ - keymaster_error_t (*abort)(const struct keymaster_device* dev, + keymaster_error_t (*abort)(const struct keymaster1_device* dev, keymaster_operation_handle_t operation_handle); }; -typedef struct keymaster_device keymaster_device_t; +typedef struct keymaster1_device keymaster1_device_t; /* Convenience API for opening and closing keymaster devices */ -static inline int keymaster_open(const struct hw_module_t* module, keymaster_device_t** device) { +static inline int keymaster1_open(const struct hw_module_t* module, keymaster1_device_t** device) { return module->methods->open(module, KEYSTORE_KEYMASTER, (struct hw_device_t**)device); } -static inline int keymaster_close(keymaster_device_t* device) { +static inline int keymaster1_close(keymaster1_device_t* device) { return device->common.close(&device->common); } __END_DECLS -#endif // ANDROID_HARDWARE_KEYMASTER_H +#endif // ANDROID_HARDWARE_KEYMASTER1_H diff --git a/include/hardware/keymaster_common.h b/include/hardware/keymaster_common.h new file mode 100644 index 0000000..772d7e4 --- /dev/null +++ b/include/hardware/keymaster_common.h @@ -0,0 +1,185 @@ +/* + * Copyright (C) 2015 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef ANDROID_HARDWARE_KEYMASTER_COMMON_H +#define ANDROID_HARDWARE_KEYMASTER_COMMON_H + +#include <stdint.h> +#include <sys/cdefs.h> +#include <sys/types.h> + +#include <hardware/hardware.h> + +__BEGIN_DECLS + +/** + * The id of this module + */ +#define KEYSTORE_HARDWARE_MODULE_ID "keystore" + +#define KEYSTORE_KEYMASTER "keymaster" + + +/** + * Settings for "module_api_version" and "hal_api_version" + * fields in the keymaster_module initialization. + */ + +/** + * Keymaster 0.X module version provide the same APIs, but later versions add more options + * for algorithms and flags. + */ +#define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2) +#define KEYMASTER_DEVICE_API_VERSION_0_2 HARDWARE_DEVICE_API_VERSION(0, 2) + +#define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3) +#define KEYMASTER_DEVICE_API_VERSION_0_3 HARDWARE_DEVICE_API_VERSION(0, 3) + +/** + * Keymaster 1.0 module version provides a completely different API, incompatible with 0.X. + */ +#define KEYMASTER_MODULE_API_VERSION_1_0 HARDWARE_MODULE_API_VERSION(1, 0) +#define KEYMASTER_DEVICE_API_VERSION_1_0 HARDWARE_DEVICE_API_VERSION(1, 0) + +struct keystore_module { + /** + * Common methods of the keystore module. This *must* be the first member of keystore_module as + * users of this structure will cast a hw_module_t to keystore_module pointer in contexts where + * it's known the hw_module_t references a keystore_module. + */ + hw_module_t common; + + /* There are no keystore module methods other than the common ones. */ +}; + +/** + * Flags for keymaster0_device::flags + */ +enum { + /* + * Indicates this keymaster implementation does not have hardware that + * keeps private keys out of user space. + * + * This should not be implemented on anything other than the default + * implementation. + */ + KEYMASTER_SOFTWARE_ONLY = 1 << 0, + + /* + * This indicates that the key blobs returned via all the primitives + * are sufficient to operate on their own without the trusted OS + * querying userspace to retrieve some other data. Key blobs of + * this type are normally returned encrypted with a + * Key Encryption Key (KEK). + * + * This is currently used by "vold" to know whether the whole disk + * encryption secret can be unwrapped without having some external + * service started up beforehand since the "/data" partition will + * be unavailable at that point. + */ + KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1, + + /* + * Indicates that the keymaster module supports DSA keys. + */ + KEYMASTER_SUPPORTS_DSA = 1 << 2, + + /* + * Indicates that the keymaster module supports EC keys. + */ + KEYMASTER_SUPPORTS_EC = 1 << 3, +}; + +/** + * Asymmetric key pair types. + */ +typedef enum { + TYPE_RSA = 1, + TYPE_DSA = 2, + TYPE_EC = 3, +} keymaster_keypair_t; + +/** + * Parameters needed to generate an RSA key. + */ +typedef struct { + uint32_t modulus_size; + uint64_t public_exponent; +} keymaster_rsa_keygen_params_t; + +/** + * Parameters needed to generate a DSA key. + */ +typedef struct { + uint32_t key_size; + uint32_t generator_len; + uint32_t prime_p_len; + uint32_t prime_q_len; + const uint8_t* generator; + const uint8_t* prime_p; + const uint8_t* prime_q; +} keymaster_dsa_keygen_params_t; + +/** + * Parameters needed to generate an EC key. + * + * Field size is the only parameter in version 2. The sizes correspond to these required curves: + * + * 192 = NIST P-192 + * 224 = NIST P-224 + * 256 = NIST P-256 + * 384 = NIST P-384 + * 521 = NIST P-521 + * + * The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf + * in Chapter 4. + */ +typedef struct { + uint32_t field_size; +} keymaster_ec_keygen_params_t; + + +/** + * Digest type. + */ +typedef enum { + DIGEST_NONE, +} keymaster_digest_algorithm_t; + +/** + * Type of padding used for RSA operations. + */ +typedef enum { + PADDING_NONE, +} keymaster_rsa_padding_t; + + +typedef struct { + keymaster_digest_algorithm_t digest_type; +} keymaster_dsa_sign_params_t; + +typedef struct { + keymaster_digest_algorithm_t digest_type; +} keymaster_ec_sign_params_t; + +typedef struct { + keymaster_digest_algorithm_t digest_type; + keymaster_rsa_padding_t padding_type; +} keymaster_rsa_sign_params_t; + +__END_DECLS + +#endif // ANDROID_HARDWARE_KEYMASTER_COMMON_H diff --git a/include/hardware/keymaster_defs.h b/include/hardware/keymaster_defs.h index f8e90b6..2e93dc6 100644 --- a/include/hardware/keymaster_defs.h +++ b/include/hardware/keymaster_defs.h @@ -25,57 +25,6 @@ extern "C" { #endif // defined(__cplusplus) -/*! - * \deprecated Flags for keymaster_device::flags - * - * keymaster_device::flags is deprecated and will be removed in the - * next version of the API in favor of the more detailed information - * available from TODO: - */ -enum { - /* - * Indicates this keymaster implementation does not have hardware that - * keeps private keys out of user space. - * - * This should not be implemented on anything other than the default - * implementation. - */ - KEYMASTER_SOFTWARE_ONLY = 1 << 0, - - /* - * This indicates that the key blobs returned via all the primitives - * are sufficient to operate on their own without the trusted OS - * querying userspace to retrieve some other data. Key blobs of - * this type are normally returned encrypted with a - * Key Encryption Key (KEK). - * - * This is currently used by "vold" to know whether the whole disk - * encryption secret can be unwrapped without having some external - * service started up beforehand since the "/data" partition will - * be unavailable at that point. - */ - KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1, - - /* - * Indicates that the keymaster module supports DSA keys. - */ - KEYMASTER_SUPPORTS_DSA = 1 << 2, - - /* - * Indicates that the keymaster module supports EC keys. - */ - KEYMASTER_SUPPORTS_EC = 1 << 3, -}; - -/** - * \deprecated Asymmetric key pair types. - */ -typedef enum { - TYPE_RSA = 1, - TYPE_DSA = 2, - TYPE_EC = 3, -} keymaster_keypair_t; - /** * Authorization tags each have an associated type. This enumeration facilitates tagging each with * a type, by using the high four bits (of an implied 32-bit unsigned enum value) to specify up to @@ -183,9 +132,7 @@ typedef enum { /** * Algorithms that may be provided by keymaster implementations. Those that must be provided by all - * implementations are tagged as "required". Note that where the values in this enumeration overlap - * with the values for the deprecated keymaster_keypair_t, the same algorithm must be - * specified. This type is new in 0_4 and replaces the deprecated keymaster_keypair_t. + * implementations are tagged as "required". */ typedef enum { /* Asymmetric algorithms. */ @@ -271,7 +218,6 @@ typedef enum { */ typedef enum { KM_DIGEST_NONE = 0, /* new, required */ - DIGEST_NONE = KM_DIGEST_NONE, /* For 0_2 compatibility */ KM_DIGEST_MD5 = 1, /* new, for compatibility with old protocols only */ KM_DIGEST_SHA1 = 2, /* new */ KM_DIGEST_SHA_2_224 = 3, /* new */ @@ -433,68 +379,6 @@ typedef enum { KM_ERROR_UNKNOWN_ERROR = -1000, } keymaster_error_t; -/** - * \deprecated Parameters needed to generate an RSA key. - */ -typedef struct { - uint32_t modulus_size; /* bits */ - uint64_t public_exponent; -} keymaster_rsa_keygen_params_t; - -/** - * \deprecated Parameters needed to generate a DSA key. - */ -typedef struct { - uint32_t key_size; /* bits */ - uint32_t generator_len; - uint32_t prime_p_len; - uint32_t prime_q_len; - const uint8_t* generator; - const uint8_t* prime_p; - const uint8_t* prime_q; -} keymaster_dsa_keygen_params_t; - -/** - * \deprecated Parameters needed to generate an EC key. - * - * Field size is the only parameter in version 4. The sizes correspond to these required curves: - * - * 192 = NIST P-192 - * 224 = NIST P-224 - * 256 = NIST P-256 - * 384 = NIST P-384 - * 521 = NIST P-521 - * - * The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf - * in Chapter 4. - */ -typedef struct { uint32_t field_size; /* bits */ } keymaster_ec_keygen_params_t; - -/** - * \deprecated Type of padding used for RSA operations. - */ -typedef enum { - PADDING_NONE, -} keymaster_rsa_padding_t; - -/** - * \deprecated - */ -typedef struct { keymaster_digest_t digest_type; } keymaster_dsa_sign_params_t; - -/** - * \deprecated - */ -typedef struct { keymaster_digest_t digest_type; } keymaster_ec_sign_params_t; - -/** - *\deprecated - */ -typedef struct { - keymaster_digest_t digest_type; - keymaster_rsa_padding_t padding_type; -} keymaster_rsa_sign_params_t; - /* Convenience functions for manipulating keymaster tag types */ static inline keymaster_tag_type_t keymaster_tag_get_type(keymaster_tag_t tag) { diff --git a/tests/keymaster/keymaster_test.cpp b/tests/keymaster/keymaster_test.cpp index 6b76ccb..e5e1dfd 100644 --- a/tests/keymaster/keymaster_test.cpp +++ b/tests/keymaster/keymaster_test.cpp @@ -35,7 +35,7 @@ #include <UniquePtr.h> -#include <hardware/keymaster.h> +#include <hardware/keymaster0.h> namespace android { @@ -92,13 +92,13 @@ std::ostream &operator<<(std::ostream &stream, const UniqueBlob& blob) { class UniqueKey : public UniqueBlob { public: - UniqueKey(keymaster_device_t** dev, uint8_t* bytes, size_t length) : + UniqueKey(keymaster0_device_t** dev, uint8_t* bytes, size_t length) : UniqueBlob(bytes, length), mDevice(dev) { } ~UniqueKey() { if (mDevice != NULL && *mDevice != NULL) { - keymaster_device_t* dev = *mDevice; + keymaster0_device_t* dev = *mDevice; if (dev->delete_keypair != NULL) { dev->delete_keypair(dev, get(), length()); } @@ -106,7 +106,7 @@ public: } private: - keymaster_device_t** mDevice; + keymaster0_device_t** mDevice; }; class UniqueReadOnlyBlob { @@ -341,7 +341,7 @@ public: std::cout << "Using keymaster module: " << mod->name << std::endl; - ASSERT_EQ(0, keymaster_open(mod, &sDevice)) + ASSERT_EQ(0, keymaster0_open(mod, &sDevice)) << "Should be able to open the keymaster device"; ASSERT_EQ(KEYMASTER_MODULE_API_VERSION_0_2, mod->module_api_version) @@ -364,14 +364,14 @@ public: } static void TearDownTestCase() { - ASSERT_EQ(0, keymaster_close(sDevice)); + ASSERT_EQ(0, keymaster0_close(sDevice)); } protected: - static keymaster_device_t* sDevice; + static keymaster0_device_t* sDevice; }; -keymaster_device_t* KeymasterBaseTest::sDevice = NULL; +keymaster0_device_t* KeymasterBaseTest::sDevice = NULL; class KeymasterTest : public KeymasterBaseTest { }; |