1*e01b6f76SAndroid Build Coastguard Worker /* 2*e01b6f76SAndroid Build Coastguard Worker * Copyright (C) 2015 The Android Open Source Project 3*e01b6f76SAndroid Build Coastguard Worker * 4*e01b6f76SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License"); 5*e01b6f76SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License. 6*e01b6f76SAndroid Build Coastguard Worker * You may obtain a copy of the License at 7*e01b6f76SAndroid Build Coastguard Worker * 8*e01b6f76SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0 9*e01b6f76SAndroid Build Coastguard Worker * 10*e01b6f76SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software 11*e01b6f76SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS, 12*e01b6f76SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13*e01b6f76SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and 14*e01b6f76SAndroid Build Coastguard Worker * limitations under the License. 15*e01b6f76SAndroid Build Coastguard Worker */ 16*e01b6f76SAndroid Build Coastguard Worker 17*e01b6f76SAndroid Build Coastguard Worker #ifndef ANDROID_HARDWARE_KEYMASTER_COMMON_H 18*e01b6f76SAndroid Build Coastguard Worker #define ANDROID_HARDWARE_KEYMASTER_COMMON_H 19*e01b6f76SAndroid Build Coastguard Worker 20*e01b6f76SAndroid Build Coastguard Worker #include <stdint.h> 21*e01b6f76SAndroid Build Coastguard Worker #include <sys/cdefs.h> 22*e01b6f76SAndroid Build Coastguard Worker #include <sys/types.h> 23*e01b6f76SAndroid Build Coastguard Worker 24*e01b6f76SAndroid Build Coastguard Worker #include <hardware/hardware.h> 25*e01b6f76SAndroid Build Coastguard Worker 26*e01b6f76SAndroid Build Coastguard Worker __BEGIN_DECLS 27*e01b6f76SAndroid Build Coastguard Worker 28*e01b6f76SAndroid Build Coastguard Worker /** 29*e01b6f76SAndroid Build Coastguard Worker * The id of this module 30*e01b6f76SAndroid Build Coastguard Worker */ 31*e01b6f76SAndroid Build Coastguard Worker #define KEYSTORE_HARDWARE_MODULE_ID "keystore" 32*e01b6f76SAndroid Build Coastguard Worker 33*e01b6f76SAndroid Build Coastguard Worker #define KEYSTORE_KEYMASTER "keymaster" 34*e01b6f76SAndroid Build Coastguard Worker 35*e01b6f76SAndroid Build Coastguard Worker 36*e01b6f76SAndroid Build Coastguard Worker /** 37*e01b6f76SAndroid Build Coastguard Worker * Settings for "module_api_version" and "hal_api_version" 38*e01b6f76SAndroid Build Coastguard Worker * fields in the keymaster_module initialization. 39*e01b6f76SAndroid Build Coastguard Worker */ 40*e01b6f76SAndroid Build Coastguard Worker 41*e01b6f76SAndroid Build Coastguard Worker /** 42*e01b6f76SAndroid Build Coastguard Worker * Keymaster 0.X module version provide the same APIs, but later versions add more options 43*e01b6f76SAndroid Build Coastguard Worker * for algorithms and flags. 44*e01b6f76SAndroid Build Coastguard Worker */ 45*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_MODULE_API_VERSION_0_2 HARDWARE_MODULE_API_VERSION(0, 2) 46*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_DEVICE_API_VERSION_0_2 HARDWARE_DEVICE_API_VERSION(0, 2) 47*e01b6f76SAndroid Build Coastguard Worker 48*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_MODULE_API_VERSION_0_3 HARDWARE_MODULE_API_VERSION(0, 3) 49*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_DEVICE_API_VERSION_0_3 HARDWARE_DEVICE_API_VERSION(0, 3) 50*e01b6f76SAndroid Build Coastguard Worker 51*e01b6f76SAndroid Build Coastguard Worker /** 52*e01b6f76SAndroid Build Coastguard Worker * Keymaster 1.0 module version provides a completely different API, incompatible with 0.X. 53*e01b6f76SAndroid Build Coastguard Worker */ 54*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_MODULE_API_VERSION_1_0 HARDWARE_MODULE_API_VERSION(1, 0) 55*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_DEVICE_API_VERSION_1_0 HARDWARE_DEVICE_API_VERSION(1, 0) 56*e01b6f76SAndroid Build Coastguard Worker 57*e01b6f76SAndroid Build Coastguard Worker /** 58*e01b6f76SAndroid Build Coastguard Worker * Keymaster 2.0 module version provides third API, slightly modified and extended from 1.0. 59*e01b6f76SAndroid Build Coastguard Worker */ 60*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_MODULE_API_VERSION_2_0 HARDWARE_MODULE_API_VERSION(2, 0) 61*e01b6f76SAndroid Build Coastguard Worker #define KEYMASTER_DEVICE_API_VERSION_2_0 HARDWARE_DEVICE_API_VERSION(2, 0) 62*e01b6f76SAndroid Build Coastguard Worker 63*e01b6f76SAndroid Build Coastguard Worker struct keystore_module { 64*e01b6f76SAndroid Build Coastguard Worker /** 65*e01b6f76SAndroid Build Coastguard Worker * Common methods of the keystore module. This *must* be the first member of keystore_module as 66*e01b6f76SAndroid Build Coastguard Worker * users of this structure will cast a hw_module_t to keystore_module pointer in contexts where 67*e01b6f76SAndroid Build Coastguard Worker * it's known the hw_module_t references a keystore_module. 68*e01b6f76SAndroid Build Coastguard Worker */ 69*e01b6f76SAndroid Build Coastguard Worker hw_module_t common; 70*e01b6f76SAndroid Build Coastguard Worker 71*e01b6f76SAndroid Build Coastguard Worker /* There are no keystore module methods other than the common ones. */ 72*e01b6f76SAndroid Build Coastguard Worker }; 73*e01b6f76SAndroid Build Coastguard Worker 74*e01b6f76SAndroid Build Coastguard Worker /** 75*e01b6f76SAndroid Build Coastguard Worker * Flags for keymaster0_device::flags 76*e01b6f76SAndroid Build Coastguard Worker */ 77*e01b6f76SAndroid Build Coastguard Worker enum { 78*e01b6f76SAndroid Build Coastguard Worker /* 79*e01b6f76SAndroid Build Coastguard Worker * Indicates this keymaster implementation does not have hardware that 80*e01b6f76SAndroid Build Coastguard Worker * keeps private keys out of user space. 81*e01b6f76SAndroid Build Coastguard Worker * 82*e01b6f76SAndroid Build Coastguard Worker * This should not be implemented on anything other than the default 83*e01b6f76SAndroid Build Coastguard Worker * implementation. 84*e01b6f76SAndroid Build Coastguard Worker */ 85*e01b6f76SAndroid Build Coastguard Worker KEYMASTER_SOFTWARE_ONLY = 1 << 0, 86*e01b6f76SAndroid Build Coastguard Worker 87*e01b6f76SAndroid Build Coastguard Worker /* 88*e01b6f76SAndroid Build Coastguard Worker * This indicates that the key blobs returned via all the primitives 89*e01b6f76SAndroid Build Coastguard Worker * are sufficient to operate on their own without the trusted OS 90*e01b6f76SAndroid Build Coastguard Worker * querying userspace to retrieve some other data. Key blobs of 91*e01b6f76SAndroid Build Coastguard Worker * this type are normally returned encrypted with a 92*e01b6f76SAndroid Build Coastguard Worker * Key Encryption Key (KEK). 93*e01b6f76SAndroid Build Coastguard Worker * 94*e01b6f76SAndroid Build Coastguard Worker * This is currently used by "vold" to know whether the whole disk 95*e01b6f76SAndroid Build Coastguard Worker * encryption secret can be unwrapped without having some external 96*e01b6f76SAndroid Build Coastguard Worker * service started up beforehand since the "/data" partition will 97*e01b6f76SAndroid Build Coastguard Worker * be unavailable at that point. 98*e01b6f76SAndroid Build Coastguard Worker */ 99*e01b6f76SAndroid Build Coastguard Worker KEYMASTER_BLOBS_ARE_STANDALONE = 1 << 1, 100*e01b6f76SAndroid Build Coastguard Worker 101*e01b6f76SAndroid Build Coastguard Worker /* 102*e01b6f76SAndroid Build Coastguard Worker * Indicates that the keymaster module supports DSA keys. 103*e01b6f76SAndroid Build Coastguard Worker */ 104*e01b6f76SAndroid Build Coastguard Worker KEYMASTER_SUPPORTS_DSA = 1 << 2, 105*e01b6f76SAndroid Build Coastguard Worker 106*e01b6f76SAndroid Build Coastguard Worker /* 107*e01b6f76SAndroid Build Coastguard Worker * Indicates that the keymaster module supports EC keys. 108*e01b6f76SAndroid Build Coastguard Worker */ 109*e01b6f76SAndroid Build Coastguard Worker KEYMASTER_SUPPORTS_EC = 1 << 3, 110*e01b6f76SAndroid Build Coastguard Worker }; 111*e01b6f76SAndroid Build Coastguard Worker 112*e01b6f76SAndroid Build Coastguard Worker /** 113*e01b6f76SAndroid Build Coastguard Worker * Asymmetric key pair types. 114*e01b6f76SAndroid Build Coastguard Worker */ 115*e01b6f76SAndroid Build Coastguard Worker typedef enum { 116*e01b6f76SAndroid Build Coastguard Worker TYPE_RSA = 1, 117*e01b6f76SAndroid Build Coastguard Worker TYPE_DSA = 2, 118*e01b6f76SAndroid Build Coastguard Worker TYPE_EC = 3, 119*e01b6f76SAndroid Build Coastguard Worker } keymaster_keypair_t; 120*e01b6f76SAndroid Build Coastguard Worker 121*e01b6f76SAndroid Build Coastguard Worker /** 122*e01b6f76SAndroid Build Coastguard Worker * Parameters needed to generate an RSA key. 123*e01b6f76SAndroid Build Coastguard Worker */ 124*e01b6f76SAndroid Build Coastguard Worker typedef struct { 125*e01b6f76SAndroid Build Coastguard Worker uint32_t modulus_size; 126*e01b6f76SAndroid Build Coastguard Worker uint64_t public_exponent; 127*e01b6f76SAndroid Build Coastguard Worker } keymaster_rsa_keygen_params_t; 128*e01b6f76SAndroid Build Coastguard Worker 129*e01b6f76SAndroid Build Coastguard Worker /** 130*e01b6f76SAndroid Build Coastguard Worker * Parameters needed to generate a DSA key. 131*e01b6f76SAndroid Build Coastguard Worker */ 132*e01b6f76SAndroid Build Coastguard Worker typedef struct { 133*e01b6f76SAndroid Build Coastguard Worker uint32_t key_size; 134*e01b6f76SAndroid Build Coastguard Worker uint32_t generator_len; 135*e01b6f76SAndroid Build Coastguard Worker uint32_t prime_p_len; 136*e01b6f76SAndroid Build Coastguard Worker uint32_t prime_q_len; 137*e01b6f76SAndroid Build Coastguard Worker const uint8_t* generator; 138*e01b6f76SAndroid Build Coastguard Worker const uint8_t* prime_p; 139*e01b6f76SAndroid Build Coastguard Worker const uint8_t* prime_q; 140*e01b6f76SAndroid Build Coastguard Worker } keymaster_dsa_keygen_params_t; 141*e01b6f76SAndroid Build Coastguard Worker 142*e01b6f76SAndroid Build Coastguard Worker /** 143*e01b6f76SAndroid Build Coastguard Worker * Parameters needed to generate an EC key. 144*e01b6f76SAndroid Build Coastguard Worker * 145*e01b6f76SAndroid Build Coastguard Worker * Field size is the only parameter in version 2. The sizes correspond to these required curves: 146*e01b6f76SAndroid Build Coastguard Worker * 147*e01b6f76SAndroid Build Coastguard Worker * 192 = NIST P-192 148*e01b6f76SAndroid Build Coastguard Worker * 224 = NIST P-224 149*e01b6f76SAndroid Build Coastguard Worker * 256 = NIST P-256 150*e01b6f76SAndroid Build Coastguard Worker * 384 = NIST P-384 151*e01b6f76SAndroid Build Coastguard Worker * 521 = NIST P-521 152*e01b6f76SAndroid Build Coastguard Worker * 153*e01b6f76SAndroid Build Coastguard Worker * The parameters for these curves are available at: http://www.nsa.gov/ia/_files/nist-routines.pdf 154*e01b6f76SAndroid Build Coastguard Worker * in Chapter 4. 155*e01b6f76SAndroid Build Coastguard Worker */ 156*e01b6f76SAndroid Build Coastguard Worker typedef struct { 157*e01b6f76SAndroid Build Coastguard Worker uint32_t field_size; 158*e01b6f76SAndroid Build Coastguard Worker } keymaster_ec_keygen_params_t; 159*e01b6f76SAndroid Build Coastguard Worker 160*e01b6f76SAndroid Build Coastguard Worker 161*e01b6f76SAndroid Build Coastguard Worker /** 162*e01b6f76SAndroid Build Coastguard Worker * Digest type. 163*e01b6f76SAndroid Build Coastguard Worker */ 164*e01b6f76SAndroid Build Coastguard Worker typedef enum { 165*e01b6f76SAndroid Build Coastguard Worker DIGEST_NONE, 166*e01b6f76SAndroid Build Coastguard Worker } keymaster_digest_algorithm_t; 167*e01b6f76SAndroid Build Coastguard Worker 168*e01b6f76SAndroid Build Coastguard Worker /** 169*e01b6f76SAndroid Build Coastguard Worker * Type of padding used for RSA operations. 170*e01b6f76SAndroid Build Coastguard Worker */ 171*e01b6f76SAndroid Build Coastguard Worker typedef enum { 172*e01b6f76SAndroid Build Coastguard Worker PADDING_NONE, 173*e01b6f76SAndroid Build Coastguard Worker } keymaster_rsa_padding_t; 174*e01b6f76SAndroid Build Coastguard Worker 175*e01b6f76SAndroid Build Coastguard Worker 176*e01b6f76SAndroid Build Coastguard Worker typedef struct { 177*e01b6f76SAndroid Build Coastguard Worker keymaster_digest_algorithm_t digest_type; 178*e01b6f76SAndroid Build Coastguard Worker } keymaster_dsa_sign_params_t; 179*e01b6f76SAndroid Build Coastguard Worker 180*e01b6f76SAndroid Build Coastguard Worker typedef struct { 181*e01b6f76SAndroid Build Coastguard Worker keymaster_digest_algorithm_t digest_type; 182*e01b6f76SAndroid Build Coastguard Worker } keymaster_ec_sign_params_t; 183*e01b6f76SAndroid Build Coastguard Worker 184*e01b6f76SAndroid Build Coastguard Worker typedef struct { 185*e01b6f76SAndroid Build Coastguard Worker keymaster_digest_algorithm_t digest_type; 186*e01b6f76SAndroid Build Coastguard Worker keymaster_rsa_padding_t padding_type; 187*e01b6f76SAndroid Build Coastguard Worker } keymaster_rsa_sign_params_t; 188*e01b6f76SAndroid Build Coastguard Worker 189*e01b6f76SAndroid Build Coastguard Worker __END_DECLS 190*e01b6f76SAndroid Build Coastguard Worker 191*e01b6f76SAndroid Build Coastguard Worker #endif // ANDROID_HARDWARE_KEYMASTER_COMMON_H 192