1/* 2 * Copyright (C) 2012 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); you 5 * may not use this file except in compliance with the License. You may 6 * obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 13 * implied. See the License for the specific language governing 14 * permissions and limitations under the License. 15 */ 16 17#ifndef ANDROID_HARDWARE_QCOM_KEYMASTER_H 18#define ANDROID_HARDWARE_QCOM_KEYMASTER_H 19 20#include <stdint.h> 21#include <sys/cdefs.h> 22#include <sys/types.h> 23 24__BEGIN_DECLS 25 26#ifdef _ION_HEAP_MASK_COMPATIBILITY_WA 27#define ION_HEAP_MASK heap_mask 28#else 29#define ION_HEAP_MASK heap_id_mask 30#endif 31 32/** 33 * The id of this module 34 */ 35#define QCOM_KEYSTORE_KEYMASTER "qcom_keymaster" 36/** 37 * Operation result 38 */ 39#define KEYMATER_SUCCESS 0 40#define KEYMASTER_FAILURE -1 41 42/** 43 * The API level of this version of the header. The allows the implementing 44 * module to recognize which API level of the client it is dealing with in 45 * the case of pre-compiled binary clients. 46 */ 47#define QCOM_KEYMASTER_API_VERSION KEYMASTER_MODULE_API_VERSION_0_3 48 49#define KM_MAGIC_NUM (0x4B4D4B42) /* "KMKB" Key Master Key Blob in hex */ 50#define KM_KEY_SIZE_MAX (512) /* 4096 bits */ 51#define KM_IV_LENGTH (16) /* AES128 CBC IV */ 52#define KM_HMAC_LENGTH (32) /* SHA2 will be used for HMAC */ 53 54struct qcom_km_key_blob { 55 uint32_t magic_num; 56 uint32_t version_num; 57 uint8_t modulus[KM_KEY_SIZE_MAX]; 58 uint32_t modulus_size; 59 uint8_t public_exponent[KM_KEY_SIZE_MAX]; 60 uint32_t public_exponent_size; 61 uint8_t iv[KM_IV_LENGTH]; 62 uint8_t encrypted_private_exponent[KM_KEY_SIZE_MAX]; 63 uint32_t encrypted_private_exponent_size; 64 uint8_t hmac[KM_HMAC_LENGTH]; 65}; 66typedef struct qcom_km_key_blob qcom_km_key_blob_t; 67/** 68 * Commands supported 69 */ 70enum keymaster_cmd_t { 71 /* 72 * List the commands supportedin by the hardware. 73 */ 74 KEYMASTER_GENERATE_KEYPAIR = 0x00000001, 75 KEYMASTER_IMPORT_KEYPAIR = 0x00000002, 76 KEYMASTER_SIGN_DATA = 0x00000003, 77 KEYMASTER_VERIFY_DATA = 0x00000004, 78}; 79 80 81/** 82 * Command to Generate a public and private key. The key data returned 83 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque 84 * 85 * cmd_id : Command issue to secure app 86 * key_type : Currently on RSA_TYPE is supported 87 * rsa_params : Parameters needed to generate an RSA key 88 */ 89 struct keymaster_gen_keypair_cmd { 90 keymaster_cmd_t cmd_id; 91 keymaster_keypair_t key_type; 92 keymaster_rsa_keygen_params_t rsa_params; 93}; 94typedef struct keymaster_gen_keypair_cmd keymaster_gen_keypair_cmd_t; 95 96/** 97 * Response to Generate a public and private key. The key data returned 98 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque 99 * 100 * cmd_id : Command issue to secure app 101 * key_blob : key blob data 102 * key_blob_len : Total length of key blob information 103 * status : Result (success 0, or failure -1) 104 */ 105struct keymaster_gen_keypair_resp { 106 keymaster_cmd_t cmd_id; 107 qcom_km_key_blob_t key_blob; 108 size_t key_blob_len; 109 int32_t status; 110}; 111typedef struct keymaster_gen_keypair_resp keymaster_gen_keypair_resp_t; 112 113 114/** 115 * Command to import a public and private key pair. The imported keys 116 * will be in PKCS#8 format with DER encoding (Java standard). The key 117 * data returned (by secure app) is in shared buffer at offset of 118 * "key_blob" and is opaque 119 * 120 * cmd_id : Command issue to secure app 121 * pkcs8_key : Pointer to pkcs8 formatted key information 122 * pkcs8_key_len: PKCS8 formatted key length 123 */ 124struct keymaster_import_keypair_cmd { 125 keymaster_cmd_t cmd_id; 126 uint32_t pkcs8_key; 127 size_t pkcs8_key_len; 128}; 129typedef struct keymaster_import_keypair_cmd keymaster_import_keypair_cmd_t; 130 131/** 132 * Response to import a public and private key. The key data returned 133 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque 134 * 135 * cmd_id : Command issue to secure app 136 * key_blob : key blob data 137 * key_blob_len : Total length of key blob information 138 * status : Result (success 0, or failure -1) 139 */ 140struct keymaster_import_keypair_resp { 141 keymaster_cmd_t cmd_id; 142 qcom_km_key_blob_t key_blob; 143 size_t key_blob_len; 144 int32_t status; 145}; 146typedef struct keymaster_import_keypair_resp keymaster_import_keypair_resp_t; 147 148/** 149 * Command to sign data using a key info generated before. This can use either 150 * an asymmetric key or a secret key. 151 * The signed data is returned (by secure app) at offset of data + dlen. 152 * 153 * cmd_id : Command issue to secure app 154 * sign_param : 155 * key_blob : Key data information (in shared buffer) 156 * data : Pointer to plain data buffer 157 * dlen : Plain data length 158 */ 159struct keymaster_sign_data_cmd { 160 keymaster_cmd_t cmd_id; 161 keymaster_rsa_sign_params_t sign_param; 162 qcom_km_key_blob_t key_blob; 163 uint32_t data; 164 size_t dlen; 165}; 166typedef struct keymaster_sign_data_cmd keymaster_sign_data_cmd_t; 167 168/** 169 * Response to sign data response 170 * 171 * cmd_id : Command issue to secure app 172 * signed_data : signature 173 * sig_len : Signed data length 174 * status : Result (success 0, or failure -1) 175 */ 176struct keymaster_sign_data_resp { 177 keymaster_cmd_t cmd_id; 178 uint8_t signed_data[KM_KEY_SIZE_MAX]; 179 size_t sig_len; 180 int32_t status; 181}; 182 183typedef struct keymaster_sign_data_resp keymaster_sign_data_resp_t; 184 185/** 186 * Command to verify data using a key info generated before. This can use either 187 * an asymmetric key or a secret key. 188 * 189 * cmd_id : Command issue to secure app 190 * sign_param : 191 * key_blob : Key data information (in shared buffer) 192 * key_blob_len: Total key length 193 * signed_data : Pointer to signed data buffer 194 * signed_dlen : Signed data length 195 * signature : Offset to the signature data buffer (from signed data buffer) 196 * slen : Signature data length 197 */ 198struct keymaster_verify_data_cmd { 199 keymaster_cmd_t cmd_id; 200 keymaster_rsa_sign_params_t sign_param; 201 qcom_km_key_blob_t key_blob; 202 uint32_t signed_data; 203 size_t signed_dlen; 204 uint32_t signature; 205 size_t slen; 206}; 207typedef struct keymaster_verify_data_cmd keymaster_verify_data_cmd_t; 208/** 209 * Response to verify data 210 * 211 * cmd_id : Command issue to secure app 212 * status : Result (success 0, or failure -1) 213 */ 214struct keymaster_verify_data_resp { 215 keymaster_cmd_t cmd_id; 216 int32_t status; 217}; 218typedef struct keymaster_verify_data_resp keymaster_verify_data_resp_t; 219 220__END_DECLS 221 222#endif // ANDROID_HARDWARE_QCOM_KEYMASTER_H 223