1/*
2 *  Copyright (C) 2012 The Android Open Source Project
3 *
4 *  Licensed under the Apache License, Version 2.0 (the "License"); you
5 *  may not use this file except in compliance with the License.  You may
6 *  obtain a copy of the License at
7 *
8 *  http://www.apache.org/licenses/LICENSE-2.0
9 *
10 *  Unless required by applicable law or agreed to in writing, software
11 *  distributed under the License is distributed on an "AS IS" BASIS,
12 *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
13 *  implied.  See the License for the specific language governing
14 *  permissions and limitations under the License.
15 */
16
17#ifndef ANDROID_HARDWARE_QCOM_KEYMASTER_H
18#define ANDROID_HARDWARE_QCOM_KEYMASTER_H
19
20#include <stdint.h>
21#include <sys/cdefs.h>
22#include <sys/types.h>
23
24__BEGIN_DECLS
25
26#ifdef _ION_HEAP_MASK_COMPATIBILITY_WA
27#define ION_HEAP_MASK heap_mask
28#else
29#define ION_HEAP_MASK heap_id_mask
30#endif
31
32/**
33 * The id of this module
34 */
35#define QCOM_KEYSTORE_KEYMASTER "qcom_keymaster"
36/**
37 * Operation result
38 */
39#define KEYMATER_SUCCESS  0
40#define KEYMASTER_FAILURE  -1
41
42/**
43 * The API level of this version of the header. The allows the implementing
44 * module to recognize which API level of the client it is dealing with in
45 * the case of pre-compiled binary clients.
46 */
47#define QCOM_KEYMASTER_API_VERSION KEYMASTER_MODULE_API_VERSION_0_3
48
49#define KM_MAGIC_NUM     (0x4B4D4B42)    /* "KMKB" Key Master Key Blob in hex */
50#define KM_KEY_SIZE_MAX  (512)           /* 4096 bits */
51#define KM_IV_LENGTH     (16)            /* AES128 CBC IV */
52#define KM_HMAC_LENGTH   (32)            /* SHA2 will be used for HMAC  */
53
54struct  qcom_km_key_blob {
55  uint32_t magic_num;
56  uint32_t version_num;
57  uint8_t  modulus[KM_KEY_SIZE_MAX];
58  uint32_t modulus_size;
59  uint8_t  public_exponent[KM_KEY_SIZE_MAX];
60  uint32_t public_exponent_size;
61  uint8_t  iv[KM_IV_LENGTH];
62  uint8_t  encrypted_private_exponent[KM_KEY_SIZE_MAX];
63  uint32_t encrypted_private_exponent_size;
64  uint8_t  hmac[KM_HMAC_LENGTH];
65};
66typedef struct  qcom_km_key_blob qcom_km_key_blob_t;
67/**
68 * Commands supported
69 */
70enum  keymaster_cmd_t {
71    /*
72     * List the commands supportedin by the hardware.
73     */
74    KEYMASTER_GENERATE_KEYPAIR = 0x00000001,
75    KEYMASTER_IMPORT_KEYPAIR = 0x00000002,
76    KEYMASTER_SIGN_DATA = 0x00000003,
77    KEYMASTER_VERIFY_DATA = 0x00000004,
78};
79
80
81/**
82 * Command to Generate a public and private key. The key data returned
83 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
84 *
85 * cmd_id       : Command issue to secure app
86 * key_type     : Currently on RSA_TYPE is supported
87 * rsa_params   : Parameters needed to generate an RSA key
88 */
89 struct keymaster_gen_keypair_cmd {
90      keymaster_cmd_t               cmd_id;
91      keymaster_keypair_t           key_type;
92      keymaster_rsa_keygen_params_t rsa_params;
93};
94typedef struct keymaster_gen_keypair_cmd keymaster_gen_keypair_cmd_t;
95
96/**
97 * Response to Generate a public and private key. The key data returned
98 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
99 *
100 * cmd_id       : Command issue to secure app
101 * key_blob     : key blob data
102 * key_blob_len : Total length of key blob information
103 * status       : Result (success 0, or failure -1)
104 */
105struct keymaster_gen_keypair_resp {
106      keymaster_cmd_t     cmd_id;
107      qcom_km_key_blob_t  key_blob;
108      size_t              key_blob_len;
109      int32_t             status;
110};
111typedef struct keymaster_gen_keypair_resp keymaster_gen_keypair_resp_t;
112
113
114/**
115 * Command to import a public and private key pair. The imported keys
116 * will be in PKCS#8 format with DER encoding (Java standard). The key
117 * data returned (by secure app) is in shared buffer at offset of
118 * "key_blob" and is opaque
119 *
120 * cmd_id       : Command issue to secure app
121 * pkcs8_key    : Pointer to  pkcs8 formatted key information
122 * pkcs8_key_len: PKCS8 formatted key length
123 */
124struct keymaster_import_keypair_cmd {
125      keymaster_cmd_t cmd_id;
126      uint32_t        pkcs8_key;
127      size_t          pkcs8_key_len;
128};
129typedef struct keymaster_import_keypair_cmd keymaster_import_keypair_cmd_t;
130
131/**
132 * Response to import a public and private key. The key data returned
133 * (by secure app) is in shared buffer at offset of "key_blob" and is opaque
134 *
135 * cmd_id       : Command issue to secure app
136 * key_blob     : key blob data
137 * key_blob_len : Total length of key blob information
138 * status       : Result (success 0, or failure -1)
139 */
140struct keymaster_import_keypair_resp {
141      keymaster_cmd_t     cmd_id;
142      qcom_km_key_blob_t  key_blob;
143      size_t              key_blob_len;
144      int32_t             status;
145};
146typedef struct keymaster_import_keypair_resp keymaster_import_keypair_resp_t;
147
148/**
149 * Command to sign data using a key info generated before. This can use either
150 * an asymmetric key or a secret key.
151 * The signed data is returned (by secure app) at offset of data + dlen.
152 *
153 * cmd_id      : Command issue to secure app
154 * sign_param  :
155 * key_blob    : Key data information (in shared buffer)
156 * data        : Pointer to plain data buffer
157 * dlen        : Plain data length
158 */
159struct keymaster_sign_data_cmd {
160      keymaster_cmd_t               cmd_id;
161      keymaster_rsa_sign_params_t   sign_param;
162      qcom_km_key_blob_t            key_blob;
163      uint32_t                      data;
164      size_t                        dlen;
165};
166typedef struct keymaster_sign_data_cmd keymaster_sign_data_cmd_t;
167
168/**
169 * Response to sign data response
170 *
171 * cmd_id      : Command issue to secure app
172 * signed_data : signature
173 * sig_len     : Signed data length
174 * status      : Result (success 0, or failure -1)
175 */
176struct keymaster_sign_data_resp {
177      keymaster_cmd_t     cmd_id;
178      uint8_t             signed_data[KM_KEY_SIZE_MAX];
179      size_t              sig_len;
180      int32_t             status;
181};
182
183typedef struct keymaster_sign_data_resp keymaster_sign_data_resp_t;
184
185/**
186 * Command to verify data using a key info generated before. This can use either
187 * an asymmetric key or a secret key.
188 *
189 * cmd_id      : Command issue to secure app
190 * sign_param  :
191 * key_blob    : Key data information (in shared buffer)
192 * key_blob_len: Total key length
193 * signed_data : Pointer to signed data buffer
194 * signed_dlen : Signed data length
195 * signature   : Offset to the signature data buffer (from signed data buffer)
196 * slen        : Signature data length
197 */
198struct keymaster_verify_data_cmd {
199      keymaster_cmd_t cmd_id;
200      keymaster_rsa_sign_params_t   sign_param;
201      qcom_km_key_blob_t            key_blob;
202      uint32_t                      signed_data;
203      size_t                        signed_dlen;
204      uint32_t                      signature;
205      size_t                        slen;
206};
207typedef struct keymaster_verify_data_cmd keymaster_verify_data_cmd_t;
208/**
209 * Response to verify data
210 *
211 * cmd_id      : Command issue to secure app
212 * status      : Result (success 0, or failure -1)
213 */
214struct  keymaster_verify_data_resp {
215      keymaster_cmd_t     cmd_id;
216      int32_t             status;
217};
218typedef struct keymaster_verify_data_resp keymaster_verify_data_resp_t;
219
220__END_DECLS
221
222#endif  // ANDROID_HARDWARE_QCOM_KEYMASTER_H
223