| 5c2c3b94617a29e9ada91649b5775a24fdc7c886 |
|
09-May-2017 |
Will Drewry <wad@google.com> |
apps/boot: Clean up applet
The applet had a few todos and a few gaps:
- setWithMetadata was not enforcing requiredLocks.
- extended apdu support for incoming data was added
- a metadata staging interface added to work around
communication constraints on different devices.
- setting or unsetting a lock with 0 metadata and
useMetadata, will clear the metadata contents.
- adds inBootloaderRaw to state output for diagnostics.
The libese interface did not change, but the
implementation reflects the new behavior.
The applet version is updated appropriately.
(This change increases the flash footprint by 2k, but
attempts to avoid actually writing to it.)
Test: submit a 4k key and it writes and reads.
all ese-boot-tool functions pass.
LOCK_OWNER behavior is enforced even when using metadata.
Bug: 38150381
Change-Id: I0759db7388f8f42a7828b699b7b05b6046ec5a53
/external/libese/apps/boot/card/src/com/android/verifiedboot/storage/Storage.java
|
| 8055858133dca4e507f7d17b9c931f2547a988af |
|
18-Apr-2017 |
Will Drewry <wad@google.com> |
avb_storage: fix nonce update; enable clearing
Nonce updating was copying without the
incoming offset and was not using the VERSION_SIZE
constant. This changes fixes the storage as well as
adds a mechanism for resetting the nonce when not
in production mode (without a reinstall) and binds it into
the ese_boot_tool and the boot interface (making a
framework for factory rese without adding it explicitly).
Test: Used increasing nonces and made sure they were single use and only
newer ones worked by: set-carrier, set-production, unlock-last,
unlock-newer, unset-production, set-carrier, ...
Bug: none
Change-Id: I038229c1bb089b2d5f98faeed81714dfc1c32e36
/external/libese/apps/boot/card/src/com/android/verifiedboot/storage/Storage.java
|
| 92973c7820129b724e589268cfcba4600ffb168c |
|
02-Apr-2017 |
Will Drewry <wad@google.com> |
apps/boot: boot applet, library, and tool.
This change covers a lot of ground (sorry).
It provides an applet and three packages for use on an NXP smartcard
with some additional APIs. The applet and packages provide secure
storage for bootloader use:
- rollback indices
- boot behavior "locks" (carrier, device, boot, owner)
Rollback index storage is implemented in VersionStorage.java.
Applet state (pre-production/production) and hardware state
(inBootloader) are provided via GlobalStateImpl.java. This file is an
implementation of the globalstate.OwnerInterface, a shareable interface
which gets its own .cap file (via OwnerInterface.java). The client
interface is implemented in CallbackInterface.java and is primarily used
to allow the primary applet to indicate a data clearing operation to
other applets.
Storage.java provides the overall Applet interface.
All the locks are implemented in CarrierLock.java and BasicLock.java.
Each lock can only be toggled if the required locks are unlocked.
(addRequiredLock(x)).
The CarrierLock, relies on a (test, in this CL) key for
RSA_SHA256 PKCS#1 padded signature over a device specific hash and a
server provided rollback nonce (monotonically increasing 64-bit value).
The OwnerLock also has specific behavior. It is a lock that impacts the
behavior of the system when BootLock is set. It indicates to the boot
loader to use a different verifying key than the one provided by the
bootloader itself. That key (or its hash) is stored as OwnerLock
metadata.
With the applets, is an ant build.xml. As building applets is not
trivially supported in the Android build system, they can be built by
running 'ant' in the same directory as the build file. This will fetch
any necessary third party dependencies, then build the cap files. The
globalstate*.caps must be installed before avb_storage.cap.
This change also includes an interface library built on top of libese
and an example command line tool for using the applet. The tool and
library setup a logical channel and communicate with the applet and some
initial unittests are in place with a stubbed C++ Ese hardware instance.
The library errors codes and applet status codes need to be refined. As
is, there is a baseline for OS and APPLET errors which include the
embedded status. While those statuses may change, the primary value is
still stable. In the future, the applet should implement its errors
via an exception class that gets translated to the prefix status codes
(as long as they don't overlap with the APDU status codes for the most
part).
This change also includes documentation for the work in
README.md and a single extension to the pn80t common code to handle
cooldown data collection requests.
(Building the applet requires software from NXP which is not (yet)
easily available.)
NOTE: CarrierLock is using a _dev_ key.
Test: all functions tested manually with the tool and ese-replay except
ese-boot-tool verify-key auto # passes
Tested each nonce edge case manually too -- msb >, ==, < and lsb >, ==, <
Bug: 34460238
Bug: 34467857
Bug: 34684505
Change-Id: I64223548b5c95f24044eb98c9f999468c73bcf4a
/external/libese/apps/boot/card/src/com/android/verifiedboot/storage/Storage.java
|