From e29e4022c5e236fb2ebbcc719724feef738e269f Mon Sep 17 00:00:00 2001 From: Ji Luo Date: Mon, 7 Jan 2019 17:18:44 +0800 Subject: [PATCH] MA-13904 [Trusty] Pass root trust to keymaster service Pass the verified boot key hash to keymaster, it will be treated as the root trust in keymaster service. Also set the 'initialized' flag after initializing the keymaster client or set keymaster boot parameters will fail. Test: Pass CTS cases: android.keystore.cts.KeyAttestationTest#testRsaAttestation android.keystore.cts.KeyAttestationTest#testEcAttestation Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d Signed-off-by: Ji Luo
---
 drivers/usb/gadget/f_fastboot.c | 21 +++++++++++++++------ lib/trusty/ql-tipc/avb.c | 2 +- lib/trusty/ql-tipc/keymaster.c | 3 +++ 3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 640dc45a63..3f300d0e56 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -83,7 +83,7 @@ extern void trusty_os_init(void);
 #include "fastboot_lock_unlock.h"
 #endif
-#if defined(CONFIG_IMX_TRUSTY_OS) && defined(CONFIG_DUAL_BOOTLOADER)
+#ifdef CONFIG_IMX_TRUSTY_OS
 #include "u-boot/sha256.h"
 #endif
@@ -2125,12 +2125,21 @@ int trusty_setbootparameter(struct andr_img_hdr *hdr, AvbABFlowResult avb_result
 keymaster_verified_boot_t vbstatus;
 FbLockState lock_status = fastboot_get_lock_stat();
- uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
+ uint8_t boot_key_hash[AVB_SHA256_DIGEST_SIZE];
 #ifdef CONFIG_AVB_ATX
- if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, permanent_attributes_hash)) {
+ if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, boot_key_hash)) {
 printf("ERROR - failed to read permanent attributes hash for keymaster\n");
- memset(permanent_attributes_hash, 0, AVB_SHA256_DIGEST_SIZE);
+ memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
 }
+#else
+ uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH];
+ if (trusty_read_vbmeta_public_key(public_key_buf,
+ AVB_MAX_BUFFER_LENGTH) != 0) {
+ printf("ERROR - failed to read public key for keymaster\n");
+ memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
+ } else
+ sha256_csum_wd((unsigned char *)public_key_buf, AVB_SHA256_DIGEST_SIZE,
+ (unsigned char *)boot_key_hash, CHUNKSZ_SHA256);
 #endif
 bool lock = (lock_status == FASTBOOT_LOCK)? true: false;
@@ -2147,11 +2156,11 @@ int trusty_setbootparameter(struct andr_img_hdr *hdr, AvbABFlowResult avb_result
 }
 trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
- permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+ boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 vbh, AVB_SHA256_DIGEST_SIZE);
 #else
 trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
- permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+ boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 NULL, 0);
 #endif
diff --git a/lib/trusty/ql-tipc/avb.c b/lib/trusty/ql-tipc/avb.c
index b8dab40a4a..95b26fd2f8 100644
--- a/lib/trusty/ql-tipc/avb.c
+++ b/lib/trusty/ql-tipc/avb.c
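Review bot: In the new `#else` branch of the first trusty_setbootparameter hunk, the input length passed to `sha256_csum_wd` is `AVB_SHA256_DIGEST_SIZE`, so only the first digest-size bytes of `public_key_buf` are hashed, not the whole verified-boot public key. The root of trust handed to keymaster is then bound to a prefix of the key rather than to the key itself. `trusty_read_vbmeta_public_key`, as far as this patch shows, does not report how many bytes it copied, so the fix needs the real key length, for example through an added out parameter whose value replaces the second argument of `sha256_csum_wd`. The failure path also forwards an all-zero hash to `trusty_set_boot_params` and carries on; if that is intended, a comment such as `/* no key available: keymaster receives an all-zero root of trust */` should say so. The unbraced `} else` followed by a two-line call is easier to maintain as `} else { ... }`; the function body starts and ends outside the hunk.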
@@ -230,7 +230,7 @@ int trusty_read_vbmeta_public_key(uint8_t *publickey, uint32_t size)
 return rc;
 }
 /* ensure caller passed size matches size returned by Trusty */
- if (size != resp_size) {
+ if (size < resp_size) {
 return TRUSTY_ERR_INVALID_ARGS;
 }
 trusty_memcpy(publickey, resp_buf, resp_size);
diff --git a/lib/trusty/ql-tipc/keymaster.c b/lib/trusty/ql-tipc/keymaster.c
index 21e0e6cf4b..eaa43e3874 100644
--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -290,6 +290,9 @@ int km_tipc_init(struct trusty_ipc_dev *dev)
 return TRUSTY_ERR_GENERIC;
 }
+ /* mark as initialized */
+ initialized = true;
+
 return TRUSTY_ERR_NONE;
 }
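Review bot: With the check relaxed to `size < resp_size`, a caller that passes a larger buffer (as f_fastboot.c now does with `AVB_MAX_BUFFER_LENGTH`) gets only `resp_size` bytes written and cannot learn that length; the rest of its buffer keeps whatever it held before. The comment above the check is now stale, because the sizes no longer have to match; `/* ensure the caller's buffer can hold the key returned by Trusty */` fits the new condition. Consider returning the copied length through an out parameter, or zero-filling the unused tail of `publickey`, so callers never consume bytes that were not set. The function starts before the hunk, so whether `resp_size` is itself bounded against `resp_buf` is not visible here.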
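Review bot: In the km_tipc_init hunk the comment `/* mark as initialized */` only restates the assignment. The commit message gives the real reason, that setting the keymaster boot parameters fails unless the flag is set, and the comment should record that, e.g. `/* later keymaster requests presumably check this flag; set it only once the channel is up */`. Placing the assignment after the error return keeps the flag false on the visible failure path, which is right. The shutdown path is outside the hunk, so it is worth confirming that it clears `initialized` again.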