xref: /external/libese/apps/boot/card/src/com/android/verifiedboot/storage/CarrierLock.java

//
// Copyright (C) 2017 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//

package com.android.verifiedboot.storage;

import javacard.framework.CardRuntimeException;
import javacard.framework.JCSystem;
import javacard.framework.Util;

import javacard.security.KeyBuilder;
import javacard.security.MessageDigest;
import javacard.security.RSAPublicKey;
import javacard.security.Signature;

import com.android.verifiedboot.storage.LockInterface;
import com.android.verifiedboot.globalstate.owner.OwnerInterface;

class CarrierLock implements LockInterface, BackupInterface {
    private final static byte VERSION = (byte) 1;
    private final static byte VERSION_SIZE = (byte) 8;
    private final static byte NONCE_SIZE = (byte) 8;
    private final static byte DEVICE_DATA_SIZE = (byte) (256 / 8);

    private final static byte[] PK_EXP = { (byte) 0x01, (byte) 0x00, (byte) 0x01 };  /* 65537 */
    // Production key.
    private final static byte[] PK_MOD = {
        (byte) 0xA3, (byte) 0x19, (byte) 0x27, (byte) 0x0B, (byte) 0xC6,
        (byte) 0x3C, (byte) 0xC0, (byte) 0x92, (byte) 0x38, (byte) 0x7D,
        (byte) 0xE3, (byte) 0xC1, (byte) 0xAE, (byte) 0xDD, (byte) 0x2C,
        (byte) 0xAA, (byte) 0x1C, (byte) 0x93, (byte) 0x23, (byte) 0xAA,
        (byte) 0x13, (byte) 0xF2, (byte) 0x0D, (byte) 0x03, (byte) 0x5F,
        (byte) 0xB8, (byte) 0x98, (byte) 0xA8, (byte) 0xFA, (byte) 0x57,
        (byte) 0xE9, (byte) 0xBF, (byte) 0x15, (byte) 0xE3, (byte) 0xAC,
        (byte) 0xB5, (byte) 0x64, (byte) 0xE7, (byte) 0x18, (byte) 0x85,
        (byte) 0xE1, (byte) 0xE4, (byte) 0xF0, (byte) 0x36, (byte) 0x81,
        (byte) 0x57, (byte) 0xA8, (byte) 0x78, (byte) 0x70, (byte) 0xDF,
        (byte) 0x92, (byte) 0x06, (byte) 0xCF, (byte) 0xEE, (byte) 0x1A,
        (byte) 0x6B, (byte) 0xE8, (byte) 0x50, (byte) 0x28, (byte) 0xD9,
        (byte) 0x54, (byte) 0x03, (byte) 0x6E, (byte) 0xF2, (byte) 0x6C,
        (byte) 0x06, (byte) 0xCE, (byte) 0x02, (byte) 0x8A, (byte) 0xF4,
        (byte) 0x86, (byte) 0x07, (byte) 0xA8, (byte) 0xE6, (byte) 0x6C,
        (byte) 0x1F, (byte) 0xFE, (byte) 0xB4, (byte) 0x83, (byte) 0x79,
        (byte) 0x40, (byte) 0x02, (byte) 0x25, (byte) 0xBD, (byte) 0x6B,
        (byte) 0x67, (byte) 0x03, (byte) 0xEB, (byte) 0xF2, (byte) 0xC7,
        (byte) 0x74, (byte) 0xB9, (byte) 0xE8, (byte) 0x35, (byte) 0x76,
        (byte) 0x4C, (byte) 0x1D, (byte) 0xE7, (byte) 0x34, (byte) 0x72,
        (byte) 0x6C, (byte) 0x0E, (byte) 0xCE, (byte) 0xD6, (byte) 0x2C,
        (byte) 0x86, (byte) 0x59, (byte) 0x58, (byte) 0x10, (byte) 0x00,
        (byte) 0x7F, (byte) 0x70, (byte) 0xF7, (byte) 0x4A, (byte) 0x2F,
        (byte) 0xED, (byte) 0x39, (byte) 0x46, (byte) 0xAC, (byte) 0x3A,
        (byte) 0x32, (byte) 0x32, (byte) 0x0F, (byte) 0x7A, (byte) 0x5C,
        (byte) 0x8A, (byte) 0x07, (byte) 0xDE, (byte) 0xA1, (byte) 0x8F,
        (byte) 0x74, (byte) 0xD8, (byte) 0x99, (byte) 0x3A, (byte) 0xE0,
        (byte) 0x9A, (byte) 0x40, (byte) 0x80, (byte) 0x51, (byte) 0x1F,
        (byte) 0xAD, (byte) 0x4D, (byte) 0x2A, (byte) 0x1D, (byte) 0x53,
        (byte) 0xC3, (byte) 0x66, (byte) 0x65, (byte) 0x59, (byte) 0x6D,
        (byte) 0x40, (byte) 0xB8, (byte) 0x71, (byte) 0xB5, (byte) 0xD4,
        (byte) 0x50, (byte) 0x3E, (byte) 0x41, (byte) 0xE0, (byte) 0x14,
        (byte) 0x25, (byte) 0x80, (byte) 0xA9, (byte) 0x0C, (byte) 0x76,
        (byte) 0xD4, (byte) 0x6C, (byte) 0x48, (byte) 0x0F, (byte) 0x08,
        (byte) 0x5A, (byte) 0xCD, (byte) 0xE5, (byte) 0x28, (byte) 0x58,
        (byte) 0xA5, (byte) 0x35, (byte) 0x10, (byte) 0x5D, (byte) 0x05,
        (byte) 0xB0, (byte) 0xE1, (byte) 0x26, (byte) 0xD3, (byte) 0x08,
        (byte) 0xE9, (byte) 0x5D, (byte) 0xB3, (byte) 0x77, (byte) 0x19,
        (byte) 0xD7, (byte) 0xC3, (byte) 0xA7, (byte) 0x3E, (byte) 0x09,
        (byte) 0x01, (byte) 0x75, (byte) 0x14, (byte) 0x49, (byte) 0x5D,
        (byte) 0x21, (byte) 0xBA, (byte) 0x8D, (byte) 0x74, (byte) 0x0A,
        (byte) 0x45, (byte) 0xCA, (byte) 0x39, (byte) 0x24, (byte) 0x94,
        (byte) 0x33, (byte) 0x0F, (byte) 0x35, (byte) 0x40, (byte) 0x70,
        (byte) 0x0B, (byte) 0x6C, (byte) 0xF7, (byte) 0x93, (byte) 0x35,
        (byte) 0x9A, (byte) 0x40, (byte) 0x72, (byte) 0xD7, (byte) 0xDD,
        (byte) 0xA5, (byte) 0xAA, (byte) 0x2A, (byte) 0x7B, (byte) 0x32,
        (byte) 0xF6, (byte) 0x56, (byte) 0x71, (byte) 0xC6, (byte) 0xAB,
        (byte) 0xEB, (byte) 0xFB, (byte) 0xCD, (byte) 0x27, (byte) 0xA1,
        (byte) 0x4C, (byte) 0xDA, (byte) 0xA4, (byte) 0xB1, (byte) 0x66,
        (byte) 0x2D, (byte) 0x57, (byte) 0x4B, (byte) 0x0D, (byte) 0x86,
        (byte) 0xD0, (byte) 0x98, (byte) 0x4B, (byte) 0x71, (byte) 0x8D,
        (byte) 0xF5,
    };


    /* Development key
    private final static byte[] PK_MOD = {
        (byte) 0xAE, (byte) 0x14, (byte) 0xA4, (byte) 0x91, (byte) 0xA6,
        (byte) 0xC8, (byte) 0x2E, (byte) 0x4D, (byte) 0x6B, (byte) 0xB3,
        (byte) 0x4E, (byte) 0x23, (byte) 0x96, (byte) 0x57, (byte) 0x7C,
        (byte) 0x2C, (byte) 0x7E, (byte) 0x69, (byte) 0xE6, (byte) 0xBF,
        (byte) 0x5A, (byte) 0x9C, (byte) 0xD7, (byte) 0xA8, (byte) 0x38,
        (byte) 0x0C, (byte) 0x9A, (byte) 0x54, (byte) 0x43, (byte) 0x4C,
        (byte) 0x3C, (byte) 0xDA, (byte) 0xC5, (byte) 0xB1, (byte) 0x58,
        (byte) 0x56, (byte) 0x9B, (byte) 0x5A, (byte) 0x05, (byte) 0xBA,
        (byte) 0x2C, (byte) 0xAB, (byte) 0xC6, (byte) 0x50, (byte) 0x34,
        (byte) 0x3C, (byte) 0x3B, (byte) 0x8E, (byte) 0xD8, (byte) 0x55,
        (byte) 0xEB, (byte) 0xFA, (byte) 0x4F, (byte) 0x72, (byte) 0x81,
        (byte) 0xA3, (byte) 0x8F, (byte) 0xDD, (byte) 0x8E, (byte) 0x0E,
        (byte) 0xF2, (byte) 0xF6, (byte) 0xEF, (byte) 0x18, (byte) 0x95,
        (byte) 0xCF, (byte) 0x71, (byte) 0x7D, (byte) 0x33, (byte) 0xA1,
        (byte) 0xAE, (byte) 0xBE, (byte) 0x8C, (byte) 0xA5, (byte) 0x50,
        (byte) 0x4C, (byte) 0xF2, (byte) 0xDC, (byte) 0x7B, (byte) 0x6C,
        (byte) 0xAE, (byte) 0x14, (byte) 0x95, (byte) 0xB7, (byte) 0xE7,
        (byte) 0xCA, (byte) 0xEB, (byte) 0xB0, (byte) 0x24, (byte) 0x5B,
        (byte) 0xC9, (byte) 0x24, (byte) 0x2B, (byte) 0xC6, (byte) 0x96,
        (byte) 0x99, (byte) 0xE9, (byte) 0x8B, (byte) 0x10, (byte) 0xCA,
        (byte) 0x34, (byte) 0x2D, (byte) 0x84, (byte) 0x57, (byte) 0x09,
        (byte) 0x4C, (byte) 0x32, (byte) 0x35, (byte) 0x68, (byte) 0x37,
        (byte) 0x53, (byte) 0x0E, (byte) 0xF6, (byte) 0x93, (byte) 0x6C,
        (byte) 0x86, (byte) 0x84, (byte) 0xC1, (byte) 0x44, (byte) 0x70,
        (byte) 0x4A, (byte) 0x12, (byte) 0xAA, (byte) 0xC2, (byte) 0x9F,
        (byte) 0x68, (byte) 0x5C, (byte) 0x42, (byte) 0xC8, (byte) 0xEB,
        (byte) 0xD3, (byte) 0xAF, (byte) 0xD6, (byte) 0x34, (byte) 0x7F,
        (byte) 0x9D, (byte) 0xC9, (byte) 0xE8, (byte) 0x81, (byte) 0x4A,
        (byte) 0x5C, (byte) 0xDA, (byte) 0x36, (byte) 0x33, (byte) 0xFD,
        (byte) 0x5C, (byte) 0x67, (byte) 0xBB, (byte) 0x91, (byte) 0x1C,
        (byte) 0xF5, (byte) 0x21, (byte) 0xC0, (byte) 0x4E, (byte) 0x64,
        (byte) 0x87, (byte) 0x89, (byte) 0xB6, (byte) 0x8B, (byte) 0xFD,
        (byte) 0xDA, (byte) 0x30, (byte) 0x74, (byte) 0x1E, (byte) 0x00,
        (byte) 0x57, (byte) 0xE1, (byte) 0x5C, (byte) 0xC4, (byte) 0xF2,
        (byte) 0xEE, (byte) 0xF7, (byte) 0x05, (byte) 0x1C, (byte) 0xCE,
        (byte) 0xF1, (byte) 0xCA, (byte) 0x88, (byte) 0xA0, (byte) 0x28,
        (byte) 0x53, (byte) 0x2C, (byte) 0x84, (byte) 0xCD, (byte) 0xA3,
        (byte) 0x6C, (byte) 0x1D, (byte) 0x15, (byte) 0x00, (byte) 0x5A,
        (byte) 0x5D, (byte) 0x80, (byte) 0x40, (byte) 0x59, (byte) 0xE5,
        (byte) 0xEA, (byte) 0xD1, (byte) 0x2A, (byte) 0xD6, (byte) 0x5A,
        (byte) 0xE0, (byte) 0xE6, (byte) 0x9C, (byte) 0xEB, (byte) 0x23,
        (byte) 0x4D, (byte) 0xD0, (byte) 0xB1, (byte) 0x27, (byte) 0xEE,
        (byte) 0x41, (byte) 0x0D, (byte) 0xAA, (byte) 0x25, (byte) 0xBD,
        (byte) 0xA0, (byte) 0xD0, (byte) 0x20, (byte) 0x00, (byte) 0x16,
        (byte) 0x1F, (byte) 0x54, (byte) 0xC6, (byte) 0x4A, (byte) 0xDD,
        (byte) 0x2A, (byte) 0x7E, (byte) 0x32, (byte) 0x43, (byte) 0x7F,
        (byte) 0xD8, (byte) 0x74, (byte) 0x0F, (byte) 0x94, (byte) 0x88,
        (byte) 0x3F, (byte) 0x26, (byte) 0x27, (byte) 0x54, (byte) 0x5D,
        (byte) 0x01, (byte) 0x83, (byte) 0xAE, (byte) 0x47, (byte) 0x37,
        (byte) 0x03, (byte) 0x6C, (byte) 0x80, (byte) 0xFD, (byte) 0x6E,
        (byte) 0x08, (byte) 0xEB, (byte) 0xB4, (byte) 0x55, (byte) 0x81,
        (byte) 0x13,
    };
    */

    // Layout:
    // LockValue (byte) || lastNonce (byte[8]) || deviceDataHash (byte[32])
    private byte[] storage;
    private short storageOffset;
    RSAPublicKey verifyingKey;
    Signature verifier;
    MessageDigest md_sha256;  /* For creating the lock data hash from the input. */
    OwnerInterface globalState;

    /**
     * Initializes the instance objects.
     */
    public CarrierLock() {
        try {
            verifyingKey = (RSAPublicKey)KeyBuilder.buildKey(
                KeyBuilder.TYPE_RSA_PUBLIC, KeyBuilder.LENGTH_RSA_2048, false);
            verifyingKey.setExponent(PK_EXP, (short)0, (short)PK_EXP.length);
            verifyingKey.setModulus(PK_MOD, (short)0, (short)PK_MOD.length);
        } catch (CardRuntimeException e) {
          verifyingKey = null;
        }

        try {
            verifier = Signature.getInstance(Signature.ALG_RSA_SHA_256_PKCS1, false);
            verifier.init(verifyingKey, Signature.MODE_VERIFY);
        } catch (CardRuntimeException e) {
          verifier = null;
        }
        md_sha256 = MessageDigest.getInstance(MessageDigest.ALG_SHA_256, false);
    }

    /**
     * {@inheritDoc}
     *
     * Return the error states useful for diagnostics.
     */
    @Override
    public short initialized() {
      if (storage == null) {
          return 1;
      }
      if (verifyingKey == null) {
          return 2;
      }
      if (verifier == null) {
          return 3;
      }
      return 0;
    }
    /**
     * {@inheritDoc}
     *
     */
    @Override
    public short getStorageNeeded() {
        return NONCE_SIZE + DEVICE_DATA_SIZE + 1;
    }

    /**
     * Sets the backing store to use for state.
     *
     * @param globalStateOwner interface for querying global state
     * @param extStorage  external array to use for storage
     * @param extStorageOffset where to begin storing data
     *
     * This should be called before use.
     */
    @Override
    public void initialize(OwnerInterface globalStateOwner, byte[] extStorage,
                           short extStorageOffset) {
        globalState = globalStateOwner;
        // Zero it first (in case we are interrupted).
        Util.arrayFillNonAtomic(extStorage, extStorageOffset,
                                getStorageNeeded(), (byte) 0x00);
        storage = extStorage;
        storageOffset = extStorageOffset;
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public short get(byte[] lockOut, short outOffset) {
        if (storage == null) {
            return 0x0001;
        }
        try {
            Util.arrayCopy(storage, lockOffset(),
                           lockOut, outOffset, (short) 1);
        } catch (CardRuntimeException e) {
          return 0x0002;
        }
        return 0;
    }

    /**
     * {@inheritDoc}
     *
     * Returns 0xffff if {@link #initialize()} has not yet been called.
     */
    @Override
    public short lockOffset() {
        if (storage == null) {
            return (short) 0xffff;
        }
        return storageOffset;
    }


    /**
     * {@inheritDoc}
     *
     * Returns 0xffff if {@link #initialize()} has not yet been called.
     */
    @Override
    public short metadataOffset() {
        if (storage == null) {
            return (short) 0xffff;
        }
        return (short)(storageOffset + NONCE_SIZE + 1);
    }

    /**
     * {@inheritDoc}
     *
     * Returns length of metadata.
     *
     * @return length of metadata.
     */
    public short metadataLength() {
        return (short) DEVICE_DATA_SIZE;
    }

    /**
     * {@inheritDoc}
     *
     * Always returns false. Locking CarrierLock requires
     * device data and unlocking (val=0x0) requires a signed
     * assertion.
     */
    @Override
    public short set(byte val) {
        return (short)0xffff;  // Not implemented.
    }

    /**
     * Performs the verification of the incoming unlock token.
     *
     * This will check the version code, the nonce value, and the signature.
     *
     *
     * @param deviceData
     * @param deviceDataOffset
     * @param lastNonce
     * @param lastNonceOffset
     * @param unlockToken
     * @param unlockTokenOffset
     * @param unlockTokenLength
     * @return 0x0 on verified and an error code if not.
     */
    private short verifyUnlock(byte[] deviceData, short deviceDataOffset,
                               byte[] lastNonce, short lastNonceOffset,
                               byte[] unlockToken, short unlockTokenOffset,
                               short unlockTokenLength) {
        if (unlockTokenLength < (short)(VERSION_SIZE + NONCE_SIZE + PK_MOD.length)) {
            return 0x0002;
        }
        // Only supported version is the uint64le_t 1
        if (unlockToken[unlockTokenOffset] != VERSION) {
            return 0x0003;
        }

        byte[] message = JCSystem.makeTransientByteArray(
            (short)(NONCE_SIZE + DEVICE_DATA_SIZE), JCSystem.CLEAR_ON_DESELECT);
        // Collect the incoming nonce.
        Util.arrayCopy(unlockToken, (short)(unlockTokenOffset + VERSION_SIZE),
                       message, (short) 0x0, (short) NONCE_SIZE);
        // Append the internallty stored device data.
        Util.arrayCopy(deviceData, deviceDataOffset,
            message, (short)NONCE_SIZE, (short) DEVICE_DATA_SIZE);

        // Verify it against the incoming signature.
        if (verifier.verify(
                message, (short) 0, (short) message.length, unlockToken,
                (short)(unlockTokenOffset + VERSION_SIZE + NONCE_SIZE),
                (short)(unlockTokenLength - (VERSION_SIZE + NONCE_SIZE))) ==
                false) {
            return 0x0004;
        }
        if (littleEndianUnsignedGreaterThan(NONCE_SIZE,
                unlockToken, (short)(unlockTokenOffset + VERSION_SIZE),
                lastNonce, lastNonceOffset) == true) {
            return 0;
        }
        return 0x0005;
    }

    /**
     * Compares two little endian byte streams and returns
     * true if lhs is greater than rhs.
     *
     * @param len number of bytes to compare
     * @param lhs left hand size buffer
     * @param lhsBase starting offset
     * @param rhs right hand size buffer
     * @param rhsBase starting offset
     */
    private boolean littleEndianUnsignedGreaterThan(
            byte len,
            byte[] lhs, short lhsBase,
            byte[] rhs, short rhsBase) {
        // Start with the most significant byte.
        short i = len;
        do {
            i -= 1;
            if (lhs[(short)(lhsBase +i)] > rhs[(short)(rhsBase + i)]) {
                return true;
            }
            if (lhs[(short)(lhsBase +i)] < rhs[(short)(rhsBase + i)]) {
                return false;
            }
            // Only proceed if the current bytes are equal.
        } while (i > 0);
        return false;
    }



    /**
     * {@inheritDoc}
     * Returns true if the lock is changed with associated metadata.
     *
     * If |lockValue| is non-zero, then |lockMeta| should contain a series of
     * ASCII (or hex) values separated by short lengths.  These will be SHA256
     * hashed together to create a "device data hash". Its use is covered next.
     *
     * If |lockValue| is zero, then |lockMeta| should contain the following
     * (all little endian): 8-bit version tag (0x01) || byte[8] "64-bit nonce"
     * || byte[] Signature(nonce||deviceDataHash) The signature is using the
     * embedded key {@link #pkModulus} and the format is ALG_RSA_SHA_256_PKCS1.
     * If the signature verifies using the internally stored deviceDataHash and
     * the provided nonce, then one last check is applied.  If the nonce,
     * treated as a little endian uint64_t, is greater than the stored nonce then
     * it will be rejected.  Note, once unlocked, the device data hash is deleted
     * and the CarrierLock cannot be reapplied unless the device is taken out
     * of production mode (bootloader RMA path).
     *
     * If {@link #globalState} indicates that the device is not yet in production
     * mode, then the lock values can be toggled arbitrarily.
     * The lock values may also be changed in the bootloader or in the HLOS as
     * the transitions are either one-way (lock) or authenticated.  It is required
     * that the lock state is assigned prior to transitioning to production as that
     * ensures that an unlocked device cannot be re-locked maliciously from the HLOS.
     */
    @Override
    public short setWithMetadata(byte lockValue, byte[] lockMeta,
                                 short lockMetaOffset, short lockMetaLength) {
        if (storage == null) {
            // TODO: move to constants.
            return 0x0001;
        }
        // Ensure we don't update the nonce if we didn't go through verify.
        short resp = (short) 0xffff;
        if (lockValue == LOCK_UNLOCKED) {  // SHUT IT DOWN.
            // If we're already unlocked, allow another call to make sure all the
            // data is cleared.
            if (storage[storageOffset] != LOCK_UNLOCKED &&
                globalState.production() == true) {
                // RSA PKCS#1 signature should be the same length as the modulus but we'll allow it to
                // be larger because ???. XXX TODO
                resp = verifyUnlock(storage, (short)(storageOffset + 1 + NONCE_SIZE),
                                    storage, (short)(storageOffset + 1),
                                    lockMeta, lockMetaOffset, lockMetaLength);
                if (resp != (short) 0) {
                  return resp;
                }
            }
            JCSystem.beginTransaction();
            storage[storageOffset] = lockValue;
            // Update the monotonically increasing "nonce" value.
            // Note that the nonce is only ever updated if a signed value
            // was seen or if we're not production() to assure it doesn't get
            // rolled forward.
            if (resp == 0) {
                Util.arrayCopy(lockMeta, (short)(VERSION_SIZE + lockMetaOffset),
                               storage, (short)(1 + storageOffset),
                               (short)NONCE_SIZE);
            }
            // Delete the device-unique data.
            Util.arrayFillNonAtomic(storage, (short)(NONCE_SIZE + 1 + storageOffset),
                (short)DEVICE_DATA_SIZE, (byte)0x00);
            JCSystem.commitTransaction();
        } else {  // Locking. Expect a lockMeta of the device data.
            if (globalState.production() == true) {
                // Locking can only be done prior to production.
                return 0x0006;
            }
            md_sha256.reset();
            JCSystem.beginTransaction();
            // Hash all the input data and store the result as the device data
            // digest.
            md_sha256.doFinal(lockMeta, lockMetaOffset, lockMetaLength,
                              storage, metadataOffset());
            // Note that we never clear or overwrite the nonce.
            storage[storageOffset] = lockValue;
            JCSystem.commitTransaction();
        }
        return 0x0000;
    }

    /**
     * Given all the data, tests if the key actually works.
     *
     * buffer should contain:
     *   fakeLastNonce | fakeDeviceData | version (8) | testNonce | signature
     *
     * @param buffer Array with the test data.
     * @param offset offset into the buffer.
     * @param length total length from offset.
     * @return 0x0 on verify and an error code otherwise.
     */
    public short testVector(byte[] buffer, short offset, short length) {
        return verifyUnlock(buffer, (short)(offset + NONCE_SIZE), // device data
                            buffer, offset,  // fake last nonce.
                            // unlock data
                            buffer, (short)(offset + NONCE_SIZE + DEVICE_DATA_SIZE),
                            (short)(length - (NONCE_SIZE + DEVICE_DATA_SIZE)));
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public short backupSize() {
        return getStorageNeeded();
    }


    /**
     * {@inheritDoc}
     */
    @Override
    public short backup(byte[] outBytes, short outBytesOffset) {
        Util.arrayCopy(storage, storageOffset,
                       outBytes, outBytesOffset,
                       backupSize());
        return backupSize();
    }

    /**
     * {@inheritDoc}
     */
    @Override
    public boolean restore(byte[] inBytes, short inBytesOffset,
                           short inBytesLength) {
        if (inBytesLength > backupSize() || inBytesLength == (short)0) {
            return false;
        }
        Util.arrayCopy(inBytes, inBytesOffset,
                       storage, storageOffset,
                       inBytesLength);
        return true;
    }


}