92973c7820129b724e589268cfcba4600ffb168c
02-Apr-2017
Will Drewry <wad@google.com>
apps/boot: boot applet, library, and tool.

This change covers a lot of ground (sorry). It provides an applet and three packages for use on an NXP smartcard with some additional APIs.

The applet and packages provide secure storage for bootloader use:
- rollback indices
- boot behavior "locks" (carrier, device, boot, owner)

Rollback index storage is implemented in VersionStorage.java. Applet state (pre-production/production) and hardware state (inBootloader) are provided via GlobalStateImpl.java. This file is an implementation of the globalstate.OwnerInterface, a shareable interface which gets its own .cap file (via OwnerInterface.java). The client interface is implemented in CallbackInterface.java and is primarily used to allow the primary applet to indicate a data clearing operation to other applets. Storage.java provides the overall Applet interface.

All the locks are implemented in CarrierLock.java and BasicLock.java. Each lock can only be toggled if the required locks are unlocked (addRequiredLock(x)). The CarrierLock relies on a (test, in this CL) key for an RSA_SHA256 PKCS#1 padded signature over a device specific hash and a server provided rollback nonce (monotonically increasing 64-bit value).

The OwnerLock also has specific behavior. It is a lock that impacts the behavior of the system when BootLock is set. It indicates to the boot loader to use a different verifying key than the one provided by the bootloader itself. That key (or its hash) is stored as OwnerLock metadata.

With the applets is an ant build.xml. As building applets is not trivially supported in the Android build system, they can be built by running 'ant' in the same directory as the build file. This will fetch any necessary third party dependencies, then build the cap files. The globalstate*.caps must be installed before avb_storage.cap.

This change also includes an interface library built on top of libese and an example command line tool for using the applet. The tool and library set up a logical channel and communicate with the applet, and some initial unittests are in place with a stubbed C++ Ese hardware instance.

The library error codes and applet status codes need to be refined. As is, there is a baseline for OS and APPLET errors which include the embedded status. While those statuses may change, the primary value is still stable. In the future, the applet should implement its errors via an exception class that gets translated to the prefix status codes (as long as they don't overlap with the APDU status codes for the most part).

This change also includes documentation for the work in README.md and a single extension to the pn80t common code to handle cooldown data collection requests. (Building the applet requires software from NXP which is not (yet) easily available.)

NOTE: CarrierLock is using a _dev_ key.

Test: all functions tested manually with the tool and ese-replay
      except ese-boot-tool verify-key auto # passes
      Tested each nonce edge case manually too -- msb >, ==, < and lsb >, ==, <
Bug: 34460238
Bug: 34467857
Bug: 34684505
Change-Id: I64223548b5c95f24044eb98c9f999468c73bcf4a
/external/libese/apps/boot/card/src/com/android/verifiedboot/storage/JcopBackupImpl.java
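The CarrierLock acceptance rule and the monotonic nonce described in the commit message, as an added host-side model in Python that is not part of this change, of the applet, or of libese. Where the message is silent the code makes assumptions, all of them illustrative rather than the applet's API: the signed message is taken to be the 32-byte device-specific hash followed by the 64-bit rollback nonce big-endian; the nonce is compared on its 32-bit halves because the commit's test notes list msb and lsb cases separately; the 512-bit key is a deterministic throwaway stand-in for the _dev_ key; and the class and function names (Lock, CarrierLock, add_required_lock, sign_unlock, verify_unlock, nonce_is_newer) and the lock dependency wired up in the test are invented for the example.

```python
import hashlib
import hmac
import random

# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin on a large odd candidate; only used to mint the throwaway key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_test_key(bits=512, seed=1):
    """Deterministic throwaway RSA key standing in for the commit's _dev_ key.
    Returns (n, e, d); a real deployment keeps d on the carrier's server."""
    rng, e = random.Random(seed), 65537

    def prime():
        while True:
            p = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if (p - 1) % e and _is_probable_prime(p, rng):
                return p

    p, q = prime(), prime()
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

def _emsa_pkcs1_v15(message, k):
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) into k bytes."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    assert k >= len(t) + 11, "modulus too small for SHA-256 PKCS#1 v1.5"
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def unlock_message(device_hash, nonce):
    # Assumed layout (the commit gives none): 32-byte device hash, then the nonce big-endian.
    return device_hash + nonce.to_bytes(8, "big")

def sign_unlock(key, device_hash, nonce):
    """Server side: mint the carrier unlock token for one device and one nonce."""
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    em = _emsa_pkcs1_v15(unlock_message(device_hash, nonce), k)
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")

def verify_unlock(pub, device_hash, nonce, sig):
    """Applet side: RSA-verify and compare the whole encoded message, not just the hash."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        return False
    em = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa_pkcs1_v15(unlock_message(device_hash, nonce), k))

def nonce_is_newer(stored, candidate):
    """Monotonic 64-bit nonce rule done on 32-bit halves (JavaCard has no 64-bit ints).
    Equal is rejected, so a captured token cannot be replayed."""
    s_hi, s_lo = stored >> 32, stored & 0xFFFFFFFF
    c_hi, c_lo = candidate >> 32, candidate & 0xFFFFFFFF
    if c_hi != s_hi:
        return c_hi > s_hi
    return c_lo > s_lo

class Lock:
    """BasicLock rule: state may change only while every required lock is unlocked."""
    def __init__(self):
        self.locked, self.required = True, []
    def add_required_lock(self, other):
        self.required.append(other)
    def prerequisites_unlocked(self):
        return all(not r.locked for r in self.required)
    def set_locked(self, locked):
        if not self.prerequisites_unlocked():
            return False
        self.locked = locked
        return True

class CarrierLock(Lock):
    """Unlock needs a fresh nonce and a valid token; the nonce advances only after verification."""
    def __init__(self, pub, device_hash):
        super().__init__()
        self.pub, self.device_hash, self.nonce = pub, device_hash, 0
    def unlock_with_token(self, nonce, sig):
        if not self.prerequisites_unlocked() or not nonce_is_newer(self.nonce, nonce):
            return False
        if not verify_unlock(self.pub, self.device_hash, nonce, sig):
            return False
        self.nonce, self.locked = nonce, False
        return True
```

The stored nonce is only advanced once the signature has verified, so a forged or truncated token cannot burn a nonce, and a token whose nonce equals the stored one is refused, which is what turns the server-chosen counter into replay protection for a given device hash.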