/*
 * Copyright 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#pragma once

#include <keymaster/authorization_set.h>
#include <keymaster/km_version.h>

namespace keymaster {

class Key;

/**
 * AttestationContext provides an abstract interface to the information needed
 * to generate attestation certificates.
 */
class AttestationContext {
  protected:
    virtual ~AttestationContext() {}

  public:
    explicit AttestationContext(KmVersion version) : version_(version) {}

    KmVersion GetKmVersion() const { return version_; }

    /**
     * Returns the security level (SW or TEE) of this keymaster implementation.
     */
    virtual keymaster_security_level_t GetSecurityLevel() const = 0;

    /**
     * Verify that the device IDs provided in `attestation_params` match the device's actual IDs and
     * copy the verified IDs into `attestation`.  If *any* of the IDs do not match or verification
     * is not possible, return KM_ERROR_CANNOT_ATTEST_IDS.  If device ID attestation is unsupported,
     * ignore all arguments and return KM_ERROR_UNIMPLEMENTED.  If ID attestation is supported and
     * no ID mismatches are found, return KM_ERROR_OK.
     */
    virtual keymaster_error_t
    VerifyAndCopyDeviceIds(const AuthorizationSet& /* attestation_params */,
                           AuthorizationSet* /* attestation */) const {
        return KM_ERROR_UNIMPLEMENTED;
    }

    /**
     * Generate the current unique ID.  If unique IDs are not supported, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     */
    virtual Buffer GenerateUniqueId(uint64_t /*creation_date_time*/,
                                    const keymaster_blob_t& /*application_id*/,
                                    bool /*reset_since_rotation*/, keymaster_error_t* error) const {
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return {};
    }

    struct VerifiedBootParams {
        keymaster_blob_t verified_boot_key;
        keymaster_blob_t verified_boot_hash;
        keymaster_verified_boot_t verified_boot_state;
        bool device_locked;
    };

    /**
     * Returns verified boot parameters for the Attestation Extension.  For hardware-based
     * implementations, these will be the values reported by the bootloader. By default, verified
     * boot state is unknown, and KM_ERROR_UNIMPLEMENTED is returned.
     *
     * The AttestationContext retains ownership of the VerifiedBootParams.
     */
    virtual const VerifiedBootParams* GetVerifiedBootParams(keymaster_error_t* error) const {
        // Guard against a null `error`, as GenerateUniqueId() does.
        if (error) *error = KM_ERROR_UNIMPLEMENTED;
        return nullptr;
    }

    /**
     * Return the factory attestation signing key.  If not available, set `error` to
     * KM_ERROR_UNIMPLEMENTED.
     */
    virtual KeymasterKeyBlob GetAttestationKey(keymaster_algorithm_t algorithm,
                                               keymaster_error_t* error) const = 0;

    /**
     * Return the factory attestation signing key certificate chain.  If not available, set `error`
     * to KM_ERROR_UNIMPLEMENTED.
     */
    virtual CertificateChain GetAttestationChain(keymaster_algorithm_t algorithm,
                                                 keymaster_error_t* error) const = 0;

  protected:
    KmVersion version_;
};

}  // namespace keymaster
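
The three-way contract documented for `VerifyAndCopyDeviceIds` above, as an added example that is not part of the AOSP source: a self-contained model using stand-in types (`Err`, `IdSet` and `DeviceIdStore` are hypothetical, not keymaster types). The constant-time comparison and the copy-only-after-full-success behaviour are design choices of this example.

```cpp
#include <cstddef>
#include <map>
#include <string>

// Stand-ins for keymaster_error_t and AuthorizationSet (assumptions for this example).
enum Err { ERR_OK, ERR_UNIMPLEMENTED, ERR_CANNOT_ATTEST_IDS };
typedef std::map<std::string, std::string> IdSet;  // tag name -> ID value

// Compare without exiting early, so timing does not reveal the first differing byte.
static bool ConstantTimeEq(const std::string& a, const std::string& b) {
    if (a.size() != b.size()) return false;
    unsigned char diff = 0;
    for (size_t i = 0; i < a.size(); ++i)
        diff |= static_cast<unsigned char>(a[i] ^ b[i]);
    return diff == 0;
}

// Hypothetical store of the IDs provisioned on the device.
struct DeviceIdStore {
    bool supported = false;      // false: ID attestation is not implemented at all
    bool ids_available = true;   // false: provisioned IDs cannot be read or verified
    IdSet provisioned;

    Err VerifyAndCopyDeviceIds(const IdSet& params, IdSet* attestation) const {
        if (!supported) return ERR_UNIMPLEMENTED;  // ignore all arguments
        if (!ids_available || !attestation) return ERR_CANNOT_ATTEST_IDS;
        bool all_match = true;
        IdSet verified;
        for (IdSet::const_iterator p = params.begin(); p != params.end(); ++p) {
            IdSet::const_iterator it = provisioned.find(p->first);
            // Keep checking after a mismatch; the caller only learns pass or fail.
            bool ok = it != provisioned.end() && ConstantTimeEq(it->second, p->second);
            if (ok) verified.insert(*p);
            else all_match = false;
        }
        if (!all_match) return ERR_CANNOT_ATTEST_IDS;  // *any* mismatch fails the call
        // Copy only after every ID verified, so a failed call leaves no partial
        // set of IDs behind in the attestation record.
        attestation->insert(verified.begin(), verified.end());
        return ERR_OK;
    }
};
```
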