e3e33cc8688fbf037974d1f1ae22c11b9e67d361 |
|
24-Jun-2015 |
Shawn Willden <swillden@google.com> |
Limit dup_buffer to 16 MiB allocations. Bug: 21888473 Change-Id: I14c658f5c57bd551e4d136b7d6146b8efdfacf27
/system/keymaster/key_blob_test.cpp
|
0f906ec40f6ade7955c6b967ea522aade54ea2e4 |
|
20-Jun-2015 |
Shawn Willden <swillden@google.com> |
Add buffer wrap checks and disable throwing of std::bad_alloc. Android is built with exceptions disabled, but "operator new" and "operator new[]" still throw std::bad_alloc on failure rather than returning new. In general this is a good thing, because it will cause an immediate crash of the process rather than assigning a null pointer which is probably not checked. But most memory allocations in Keymaster are checked, because it's written to run in an environment where new does *not* throw. This CL updates the code to explicitly use the non-throwing new. A handful of throwing news remain, but only in places where a crash on failure is appropriate. In addition, this CL also inserts buffer wrap checks in key locations and changes the development-machine Makefile to build in 32-bit mode, to make memory problems more apparent. Bug: 21888473 Change-Id: I8ebc5ec12053e4f5274f6f57ce312abc10611cef
/system/keymaster/key_blob_test.cpp
|
951aa910f004d774883bab0255d64bfde510fb44 |
|
01-Jun-2015 |
Shawn Willden <swillden@google.com> |
Remove KM_TAG_CHUNK_LENGTH and add KM_TAG_AEAD_TAG. Change-Id: I14498aa57b375f045ea8bcf2122660b64a0554d7
/system/keymaster/key_blob_test.cpp
|
0cb6942d3efb6c056f96321c82a4b3d86af601d6 |
|
26-May-2015 |
Shawn Willden <swillden@google.com> |
Revert "Revert "Large refactor to move context out of AndroidKeymaster."" This reverts commit 13fbe3e93247943c26e7ca2ed27b6d650282b8bf. Bug: 20912868, 19799085 Change-Id: Iadd6ce5cbe94956c2a2fe277f1bf5b108e4bcf57
/system/keymaster/key_blob_test.cpp
|
13fbe3e93247943c26e7ca2ed27b6d650282b8bf |
|
23-May-2015 |
Shawn Willden <swillden@google.com> |
Revert "Large refactor to move context out of AndroidKeymaster." This reverts commit 8ba2a043f0d44ad3f58d4af518f9391c03eca9c3. I need to update the Volantis non-secure code in sync. Reverting while I get that done. Change-Id: I0fb9f928e7e624ad678050a04bb873b43b1c9a48
/system/keymaster/key_blob_test.cpp
|
8ba2a043f0d44ad3f58d4af518f9391c03eca9c3 |
|
18-May-2015 |
Shawn Willden <swillden@google.com> |
Large refactor to move context out of AndroidKeymaster. AndroidKeymaster made a number of assumptions about its context that are really only valid for TEE-based usage. In addition, KeyFactory made some similarly TEE-focused assumptions about key blob creation and parsing. Both concerns have been moved to a new KeymasterContext class, which is responsible for building and parsing key blobs in a manner appropriate for the context in which AndroidKeymaster is running, as well as providing other context-specific services, such as random number generation. In addition, the refactor reduces the need for the KeyBlob and UnencryptedKeyBlob classes, which encode too many assumptions about blob formatting and encryption, to the point that they can be removed and replaced by a handful of utility functions which are much cleaner and more flexible. How to review this CL: I looked hard at breaking this up into smaller CLs, but it's mostly not feasible. However, it's probably easier to approach it by starting with the fundamental changes, and then looking at the cascade effects. 1. Look at keymaster_context.h. The core of the change was pulling this set of features out of AndroidKeymaster. Note that the revised approach to key blob creation does not involve the KeyBlob and UnencryptedKeyBlob classes, but instead goes directly from raw key material plus ancillary data (e.g. auth sets) to a serialized buffer ready to return to keystore. The same is true in reverse direction for parsing key blobs. 2. Look at key.h. The revised KeyFactory GenerateKey, ImportKey and LoadKey methods are essential. GenerateKey and ImportKey no longer produce a Key object, because all that's needed is a returnable blob. LoadKey produces a Key object, but it starts with raw key material, rather than an UnencryptedKeyBlob. Also note the change to the Key class; because Key objects are only created by LoadKey, when there's a need to use a key, there's only one constructor. 3. Look at asymmetric_key.h, rsa_key.h and rsa_key.cpp. rsa_key.cpp provides a good example of how the new structure works. GenerateKey and ImportKey do all of the work necessary to produce an OpenSSL RSA key and extract the internal representation (using EvpToKeyMaterial; defined in asymmetric_key.h because it's the same for EC keys). Then, with the raw key data in hand, they call KeymasterContext::CreateKeyBlob to wrap the key data in a key blob that can be returned to the caller -- whatever that wrapping means in the current context. There's a subtlety not apparent here which is crucial to the rationale for the refactoring: RsaKeyFactory uses KeymasterContext::get_instance to retrieve the context, but key factories which depend on operating in a particular context can use a different way to get their context object, which may have a larger interface. RsaKeymaster0KeyFactory will do this. 4. Look at soft_keymaster_context. In particular, SoftKeymasterContext::CreateKeyBlob and ParseKeyBlob. CreateKeyBlob allocates authorization tags from key_description to hw_enforced and sw_enforced, then encrypts the key material and serializes it to a blob. This approach is compatible with the keys softkeymaster has been producing, but I'm going to change it (post M), because there's no reason to bother encrypting SW keys with a SW key. ParseKeyBlob reverses the process to recover the unencrypted key material and the auth lists. One debatable point was the decision to implement BuildHiddenAuthorizations and SetAuthorizations here, since all contexts will need something similar, and they really should all do it the same. I may refactor later to pull that functionality up to KeymasterContext; it will depend on what I learn implementing TrustyKeymasterContext and HybridKeymasterContext (used for the keymaster0 adapter). 5. Look at ocb_utils and auth_encrypted_key_blob. These contain the key encryption and key blob serialization code which was formerly split between AndroidKeymaster::SerializeKeyBlob, UnencryptedKeyBlob and KeyBlob, now divided into separate encryption and serialization utilities. Note the refactored key_blob_test.cpp, updated to use the new utilities rather than UnencryptedKeyBlob. 6. Look at soft_keymaster_device.cpp. Since KeyBlob no longer exists to provide a nice way to peer into a blob to extract the algorithm, for use in determining how to parse the keymaster0 signing key params (which come in as a void*, yuck), we now have to use get_key_characteristics to recover the params. This was the right way all along; the device layer should not depend on being able to parse key blobs. 7. The rest. Bug: 20912868, 19799085 Change-Id: Ieb74b8da39974f674eb8baa959bde75011fdd2e8
/system/keymaster/key_blob_test.cpp
|
b6837e7a62a1192e33beef586282812239ee8b28 |
|
16-May-2015 |
Shawn Willden <swillden@google.com> |
Remove references to Google in Android keymaster reference implementation. Change-Id: I05de61353fc806b90232fab7c1d1cf76aefa35fc
/system/keymaster/key_blob_test.cpp
|
72a5fdde1095cc012b232987d1f02de9b0507b89 |
|
18-Mar-2015 |
Shawn Willden <swillden@google.com> |
Modify unit tests to run on-device as well as on the dev machine. Change-Id: Icdab36a8e4fe97deb112df7ae59e97317f7e991b
/system/keymaster/key_blob_test.cpp
|
4a647f2340fb16fce88923dda3202099f72569b2 |
|
11-Mar-2015 |
Shawn Willden <swillden@google.com> |
Remove a bunch of unused variables. Change-Id: I784c5932dc02a7cb29a7fe351b50fe56075c23c8
/system/keymaster/key_blob_test.cpp
|
0b2d3330f083ae64fdfdd2f171bdf47fba107d86 |
|
08-Apr-2015 |
Shawn Willden <swillden@google.com> |
Remove refs to KM_ORIGIN_HARDWARE and KM_ORIGIN_SOFTWARE. We now just distinguish between KM_ORIGIN_GENERATED and KM_ORIGIN_IMPORTED, relying on the location of the tag in the hardware or software list to define whether the key is hardware or software-based. Change-Id: I8c7eedbd2dd72eb04338dcbec88bac283da06fc1
/system/keymaster/key_blob_test.cpp
|
5b87762fc8cb991475cb12ac7e8c410c89bd5396 |
|
17-Sep-2014 |
Shawn Willden <swillden@google.com> |
Add version & length fields to GoogleKeymaster key format. The GoogleKeymaster key format does not include a version field, making future changes harder, and assumes lengths for the nonce and tag fields. This CL addresses both of those issues and maintains compatibility with the old key format. Change-Id: I35aa04300a8ea1150effa28af2be6ce020bbd6a7
/system/keymaster/key_blob_test.cpp
|
72014adef83b0346859dbe82d77b09b4756d8e64 |
|
17-Sep-2014 |
Shawn Willden <swillden@google.com> |
Refactor KeyBlob to separate encryption functionality. This CL is in preparation for another which will refactor libkeymaster into libkeymaster and libkeymasterclient, the latter for use by programs which merely interface with keymaster and don't do any crypto on their own, but do need to parse key blobs to extract authorization list entries. To make that possible it moves KeyBlob's key encryption and decryption capabilities into a subclass, PlaintextKeyBlob. Change-Id: Ic6a65b6f237c122796ea70458655111316f902d8
/system/keymaster/key_blob_test.cpp
|
368bc7749eaa2e1321d552e45a96d83b5500ba47 |
|
27-Aug-2014 |
Shawn Willden <swillden@google.com> |
Move key_blob.h in to include/keymaster, to export it. Change-Id: If28db94840557e6ca3019b7bcf7b5f29f0ff6cf7
/system/keymaster/key_blob_test.cpp
|
98d9b92547a9a7553b99e3e941a4175926f95b62 |
|
26-Aug-2014 |
Shawn Willden <swillden@google.com> |
Reorganize system/keymaster. This CL moves the includes that should be exported to include/ and removes the trusty-specific code (some of which is moving to hardware/google and some of which is moving to the trusty tree.) Change-Id: Ie4fabf6b5c5f36b50c2f5ff356548ca2e9140fcb
/system/keymaster/key_blob_test.cpp
|
60ebf8e49977683bc8cabe4609ce8b0405db7711 |
|
12-Aug-2014 |
Shawn Willden <swillden@google.com> |
Change to enable KEYMASTER_NAME_TAGS globally. Selectively changing the size of the TypedTag structure causes subtle problems when inlining is disabled (e.g. -O0). Change-Id: I7f87a5a34eb574b0adaa8492f51fbcf2b172b4ca
/system/keymaster/key_blob_test.cpp
|
ebf627f0b50c0979e6cf53668464297703371eba |
|
12-Aug-2014 |
Shawn Willden <swillden@google.com> |
Allow building tests with Clang, and fix some bugs Clang diagnosed. Change-Id: Ie213deadabdb9c84d4ea1d2f69b1beaa87165717
/system/keymaster/key_blob_test.cpp
|
7636471bd1c553ac179f0dddc17133491d0e1faf |
|
12-Aug-2014 |
Shawn Willden <swillden@google.com> |
Implement GetKeyCharacteristics. Still need to add serialization to the messages. Change-Id: I572c48474bf4d4f553d53cad475b57fa8937a02a
/system/keymaster/key_blob_test.cpp
|
39b970bea81461af88f83e1c2329eb1b0f4d2e73 |
|
11-Aug-2014 |
Shawn Willden <swillden@google.com> |
Handle "hidden" authorization tags correctly. Change-Id: I9fa18f8ab465a2faa0f358e12f72daf18ca02fe7
/system/keymaster/key_blob_test.cpp
|
834e80747cbb960f8a4028c5c8604bf5218ecdb9 |
|
10-Aug-2014 |
Shawn Willden <swillden@google.com> |
Improve authorization_set test coverage. Change-Id: I8dd1830db8c19be07cef768c63c9ecfa3e16ae21
/system/keymaster/key_blob_test.cpp
|
8d336ae10df66da4c0433f17c2d42e85baea32c5 |
|
09-Aug-2014 |
Shawn Willden <swillden@google.com> |
Change authorization set serialization approach to ensure that 32 vs 64 bit size and alignment differences don't cause problems. Change-Id: I4a308cfac782161db2f1456adb2d6a56537e61f1
/system/keymaster/key_blob_test.cpp
|
4db3fbdda292c0c3120dfe160c1b49670aa18600 |
|
09-Aug-2014 |
Shawn Willden <swillden@google.com> |
Refactor and expand KeyBlob capabilities. KeyBlob's responsibilities have grown, it makes sense to make it a first-class class, and to use the Serializable infrastructure. Change-Id: I76a8dac5b4b4fe47d6677c27ab9eba2755f02dfe
/system/keymaster/key_blob_test.cpp
|