MA-13904 [Trusty] Pass root trust to keymaster service

Pass the verified boot key hash to keymaster, it will be treated as the root trust in keymaster service. Also set the 'initialized' flag after initializing the keymaster client or set keymaster boot parameters will fail. Test: Pass CTS cases: android.keystore.cts.KeyAttestationTest#testRsaAttestation android.keystore.cts.KeyAttestationTest#testEcAttestation Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d Signed-off-by: Ji Luo <ji.luo@nxp.com>
2019-01-07 17:18:44 +08:00 · 2019-01-07 17:18:44 +08:00 · e29e4022c5
parent 4bddbabb10
commit e29e4022c5
3 changed files with 19 additions and 7 deletions
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@ -83,7 +83,7 @@ extern void trusty_os_init(void);
 #include "fastboot_lock_unlock.h"
 #endif

-#if defined(CONFIG_IMX_TRUSTY_OS) && defined(CONFIG_DUAL_BOOTLOADER)
+#ifdef CONFIG_IMX_TRUSTY_OS
 #include "u-boot/sha256.h"
 #endif

@ -2125,12 +2125,21 @@ int trusty_setbootparameter(struct andr_img_hdr *hdr, AvbABFlowResult avb_result
 	keymaster_verified_boot_t vbstatus;
 	FbLockState lock_status = fastboot_get_lock_stat();

-	uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
+	uint8_t boot_key_hash[AVB_SHA256_DIGEST_SIZE];
 #ifdef CONFIG_AVB_ATX
-	if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, permanent_attributes_hash)) {
+	if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, boot_key_hash)) {
 		printf("ERROR - failed to read permanent attributes hash for keymaster\n");
-		memset(permanent_attributes_hash, 0, AVB_SHA256_DIGEST_SIZE);
+		memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
 	}
+#else
+	uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH];
+	if (trusty_read_vbmeta_public_key(public_key_buf,
+						AVB_MAX_BUFFER_LENGTH) != 0) {
+		printf("ERROR - failed to read public key for keymaster\n");
+		memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
+	} else
+		sha256_csum_wd((unsigned char *)public_key_buf, AVB_SHA256_DIGEST_SIZE,
+				(unsigned char *)boot_key_hash, CHUNKSZ_SHA256);
 #endif

 	bool lock = (lock_status == FASTBOOT_LOCK)? true: false;
@ -2147,11 +2156,11 @@ int trusty_setbootparameter(struct andr_img_hdr *hdr, AvbABFlowResult avb_result
 	}

 	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
-			       permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+			       boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 			       vbh, AVB_SHA256_DIGEST_SIZE);
 #else
 	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
-			       permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+			       boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 			       NULL, 0);
 #endif

--- a/lib/trusty/ql-tipc/avb.c
+++ b/lib/trusty/ql-tipc/avb.c
@ -230,7 +230,7 @@ int trusty_read_vbmeta_public_key(uint8_t *publickey, uint32_t size)
        return rc;
    }
    /* ensure caller passed size matches size returned by Trusty */
-    if (size != resp_size) {
+    if (size < resp_size) {
        return TRUSTY_ERR_INVALID_ARGS;
    }
    trusty_memcpy(publickey, resp_buf, resp_size);
--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@ -290,6 +290,9 @@ int km_tipc_init(struct trusty_ipc_dev *dev)
        return TRUSTY_ERR_GENERIC;
    }

+    /* mark as initialized */
+    initialized = true;
+
    return TRUSTY_ERR_NONE;
 }