Attestation key: write attestation key to secure storage
Split attestation key into AttestationKey.ec and AttestationKey.rsa, then write to secure storage. Change-Id: I8e00d602c4174a002e6ecad2e4cfa846f32a681f Signed-off-by: Tony Xu <tony.xu@rock-chips.com>
This commit is contained in:
Tony Xu
Jianhong Chen
parent
da54d0c8b4
commit
1e8c0e44aa
|
|
@ -12,7 +12,7 @@
|
|||
|
||||
#include <optee_include/OpteeClientApiLib.h>
|
||||
|
||||
/* attestation data offset*/
|
||||
/* attestation data offset */
|
||||
#define ATTESTATION_DATA_OFFSET 65536
|
||||
|
||||
/* block size */
|
||||
|
|
@ -24,6 +24,15 @@
|
|||
#define ATAP_BLOB_LEN_MAX 2048
|
||||
#define ATAP_CERT_CHAIN_LEN_MAX 8192
|
||||
#define ATAP_CERT_CHAIN_ENTRIES_MAX 8
|
||||
#define CA_HEADER_LEN 16
|
||||
|
||||
/*
|
||||
* Name of the attestation key file is
|
||||
* ATTESTATION_KEY_PREFIX.%algorithm,
|
||||
* which include PrivateKey and CertificateChain,
|
||||
* where algorithm is either "EC" or "RSA"
|
||||
*/
|
||||
#define ATTESTATION_KEY_FILE "AttestationKey"
|
||||
|
||||
/*
|
||||
* Name of the attestation key file is
|
||||
|
|
@ -58,7 +67,7 @@ typedef struct {
|
|||
} atap_certchain;
|
||||
|
||||
uint32_t write_to_keymaster(uint8_t *filename, uint32_t filename_size,
|
||||
uint8_t *data, uint32_t data_size);
|
||||
uint8_t *data, uint32_t data_size);
|
||||
|
||||
static const char *get_keyslot_str(keymaster_algorithm_t key_type)
|
||||
{
|
||||
|
|
@ -87,7 +96,6 @@ static void free_cert_chain(atap_certchain cert_chain)
|
|||
for (i = 0; i < cert_chain.entry_count; ++i) {
|
||||
if (cert_chain.entries[i].data)
|
||||
free(cert_chain.entries[i].data);
|
||||
|
||||
cert_chain.entries[i].data_length = 0;
|
||||
}
|
||||
memset(&cert_chain, 0, sizeof(atap_certchain));
|
||||
|
|
@ -195,7 +203,7 @@ static uint32_t write_key(keymaster_algorithm_t key_type,
|
|||
{
|
||||
char key_file[STORAGE_ID_LENGTH_MAX] = {0};
|
||||
|
||||
snprintf(key_file, STORAGE_ID_LENGTH_MAX, "%s.%s", ATTESTATION_KEY_PREFIX,
|
||||
snprintf(key_file, STORAGE_ID_LENGTH_MAX, "%s.%s", ATTESTATION_KEY_FILE,
|
||||
get_keyslot_str(key_type));
|
||||
write_to_keymaster((uint8_t *)key_file, strlen(key_file),
|
||||
(uint8_t *)key, key_size);
|
||||
|
|
@ -379,3 +387,88 @@ atap_result load_attestation_key(struct blk_desc *dev_desc,
|
|||
|
||||
return ATAP_RESULT_OK;
|
||||
}
|
||||
|
||||
atap_result read_key_data(uint8_t **key_buf, uint8_t *key_data,
|
||||
uint32_t *key_data_length)
|
||||
{
|
||||
atap_blob key;
|
||||
atap_certchain certchain;
|
||||
|
||||
/* read private key */
|
||||
if (copy_blob_from_buf(key_buf, &key) == false) {
|
||||
printf("copy_blob_from_buf failed!\n");
|
||||
return ATAP_RESULT_ERROR_BUF_COPY;
|
||||
}
|
||||
memcpy(key_data, &key.data_length, sizeof(uint32_t));
|
||||
memcpy(key_data + 4, key.data, key.data_length);
|
||||
*key_data_length = 4 + key.data_length;
|
||||
|
||||
/* read certchain */
|
||||
if (copy_cert_chain_from_buf(key_buf, &certchain) == false) {
|
||||
printf("copy_cert_chain_from_buf failed!\n");
|
||||
return ATAP_RESULT_ERROR_BUF_COPY;
|
||||
}
|
||||
memcpy(key_data + *key_data_length,
|
||||
&certchain.entry_count, sizeof(uint32_t));
|
||||
*key_data_length += 4;
|
||||
for (int i = 0; i < certchain.entry_count; ++i) {
|
||||
memcpy(key_data + *key_data_length,
|
||||
&certchain.entries[i].data_length, sizeof(uint32_t));
|
||||
*key_data_length += 4;
|
||||
memcpy(key_data + *key_data_length, certchain.entries[i].data,
|
||||
certchain.entries[i].data_length);
|
||||
*key_data_length += certchain.entries[i].data_length;
|
||||
}
|
||||
|
||||
free_blob(key);
|
||||
free_cert_chain(certchain);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
atap_result write_attestation_key_to_secure_storage(uint8_t *received_data,
|
||||
uint32_t len)
|
||||
{
|
||||
unsigned char keybuf[ATTESTATION_DATA_OFFSET] = {0};
|
||||
uint32_t device_id_size = 0;
|
||||
uint8_t device_id[32] = {0};
|
||||
uint8_t *key_buf = NULL;
|
||||
uint32_t algorithm;
|
||||
uint8_t *key_data;
|
||||
uint32_t key_data_length = 0;
|
||||
/* skip the tag(4 byte) and the size of key(4 byte) */
|
||||
memcpy(keybuf, received_data + 8, ATTESTATION_DATA_OFFSET);
|
||||
key_data = malloc(ATTESTATION_DATA_OFFSET);
|
||||
/* read device id from keybuf */
|
||||
memcpy(&device_id_size, keybuf + CA_HEADER_LEN, sizeof(uint32_t));
|
||||
if (device_id_size < 0 || device_id_size > sizeof(device_id)) {
|
||||
printf("invalidate device_id_size:%d\n", device_id_size);
|
||||
return ATAP_RESULT_ERROR_INVALID_DEVICE_ID;
|
||||
}
|
||||
|
||||
memcpy(device_id, keybuf + CA_HEADER_LEN + sizeof(uint32_t),
|
||||
device_id_size);
|
||||
printf("device_id:%s\n", device_id);
|
||||
|
||||
/* read algorithm(RSA) from keybuf */
|
||||
key_buf = keybuf + CA_HEADER_LEN + sizeof(uint32_t) + device_id_size;
|
||||
copy_uint32_from_buf(&key_buf, &algorithm);
|
||||
printf("\n algorithm: %d\n", algorithm);
|
||||
/* read rsa key and certchain */
|
||||
read_key_data(&key_buf, key_data, &key_data_length);
|
||||
printf("write attestation key: RSA\n");
|
||||
write_key(KM_ALGORITHM_RSA, key_data, key_data_length);
|
||||
|
||||
/* read algorithm(EC) from keybuf */
|
||||
copy_uint32_from_buf(&key_buf, &algorithm);
|
||||
printf("\n algorithm: %d\n", algorithm);
|
||||
/* read ec key and certchain */
|
||||
read_key_data(&key_buf, key_data, &key_data_length);
|
||||
printf("write attestation key: EC\n");
|
||||
write_key(KM_ALGORITHM_EC, key_data, key_data_length);
|
||||
|
||||
memset(keybuf, 0, sizeof(keybuf));
|
||||
free(key_data);
|
||||
|
||||
return ATAP_RESULT_OK;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -26,5 +26,14 @@ typedef enum {
|
|||
/* load attestation key from misc partition. */
|
||||
atap_result load_attestation_key(struct blk_desc *dev_desc,
|
||||
disk_partition_t *misc_partition);
|
||||
|
||||
atap_result read_key_data(uint8_t **key_buf, uint8_t *key_data,
|
||||
uint32_t *key_data_length);
|
||||
/*
|
||||
* write attestation key to secure storage.
|
||||
* @received_data: received data from usb
|
||||
* @len: the size of received_data
|
||||
* @return ATAP_RESULT_OK if ok, or ATAP_RESULT_ERROR_* on error
|
||||
*/
|
||||
atap_result write_attestation_key_to_secure_storage(uint8_t *received_data,
|
||||
uint32_t len);
|
||||
#endif //ATTESTATION_KEY_H_
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@
|
|||
#include <optee_include/tee_api_defines.h>
|
||||
#include <boot_rkimg.h>
|
||||
#include <stdlib.h>
|
||||
#include <attestation_key.h>
|
||||
|
||||
#define BOOT_FROM_EMMC (1 << 1)
|
||||
#define WIDEVINE_TAG "KBOX"
|
||||
|
|
@ -131,11 +132,12 @@ int write_keybox_to_secure_storage(uint8_t *uboot_data, uint32_t len)
|
|||
uint32_t key_size;
|
||||
uint32_t data_size;
|
||||
uint32_t object_id;
|
||||
TEEC_Result ret;
|
||||
int rc = 0;
|
||||
|
||||
if (memcmp(uboot_data, WIDEVINE_TAG, 4) == 0) {
|
||||
/* widevine keybox */
|
||||
TEEC_Result ret;
|
||||
|
||||
TEEC_UUID widevine_uuid = { 0xc11fe8ac, 0xb997, 0x48cf,
|
||||
{ 0xa2, 0x8d, 0xe2, 0xa5, 0x5e, 0x52, 0x40, 0xef} };
|
||||
object_id = 101;
|
||||
|
|
@ -159,9 +161,17 @@ int write_keybox_to_secure_storage(uint8_t *uboot_data, uint32_t len)
|
|||
}
|
||||
} else if (memcmp(uboot_data, ATTESTATION_TAG, 4) == 0) {
|
||||
/* attestation key */
|
||||
atap_result ret;
|
||||
|
||||
ret = write_attestation_key_to_secure_storage(uboot_data, len);
|
||||
if (ret == ATAP_RESULT_OK) {
|
||||
rc = 0;
|
||||
printf("write attestation key to secure storage success\n");
|
||||
} else {
|
||||
rc = -EIO;
|
||||
printf("write attestation key to secure storage fail\n");
|
||||
}
|
||||
}
|
||||
|
||||
return rc;
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue