MA-13904 [Trusty] Pass root trust to keymaster service

Pass the verified boot key hash to keymaster, it will be treated as the root trust in keymaster service. Also set the 'initialized' flag after initializing the keymaster client or set keymaster boot parameters will fail. Test: Pass CTS cases: android.keystore.cts.KeyAttestationTest#testRsaAttestation android.keystore.cts.KeyAttestationTest#testEcAttestation Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d Signed-off-by: Ji Luo <ji.luo@nxp.com>

MA-13904 [Trusty] Pass root trust to keymaster service
Pass the verified boot key hash to keymaster, it will be treated as the root trust in keymaster service. Also set the 'initialized' flag after initializing the keymaster client or set keymaster boot parameters will fail. Test: Pass CTS cases: android.keystore.cts.KeyAttestationTest#testRsaAttestation android.keystore.cts.KeyAttestationTest#testEcAttestation Change-Id: I486b5493826160f42c61a3da0e6cd769df92254d Signed-off-by: Ji Luo <ji.luo@nxp.com>
Ji Luo
1 parent 4bddbabb10
Showing 3 changed files with 19 additions and 7 deletions Side-by-side Diff
drivers/usb/gadget/f_fastboot.c
lib/trusty/ql-tipc/avb.c
lib/trusty/ql-tipc/keymaster.c
@@ -83,7 +83,7 @@
 #include "fastboot_lock_unlock.h"
 #endif
  
-#if defined(CONFIG_IMX_TRUSTY_OS) && defined(CONFIG_DUAL_BOOTLOADER)
+#ifdef CONFIG_IMX_TRUSTY_OS
 #include "u-boot/sha256.h"
 #endif
  
  
  
  
@@ -2125,12 +2125,21 @@
 	keymaster_verified_boot_t vbstatus;
 	FbLockState lock_status = fastboot_get_lock_stat();
  
-	uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
+	uint8_t boot_key_hash[AVB_SHA256_DIGEST_SIZE];
 #ifdef CONFIG_AVB_ATX
-	if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, permanent_attributes_hash)) {
+	if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, boot_key_hash)) {
 		printf("ERROR - failed to read permanent attributes hash for keymaster\n");
-		memset(permanent_attributes_hash, 0, AVB_SHA256_DIGEST_SIZE);
+		memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
 	}
+#else
+	uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH];
+	if (trusty_read_vbmeta_public_key(public_key_buf,
+						AVB_MAX_BUFFER_LENGTH) != 0) {
+		printf("ERROR - failed to read public key for keymaster\n");
+		memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
+	} else
+		sha256_csum_wd((unsigned char *)public_key_buf, AVB_SHA256_DIGEST_SIZE,
+				(unsigned char *)boot_key_hash, CHUNKSZ_SHA256);
 #endif
  
 	bool lock = (lock_status == FASTBOOT_LOCK)? true: false;
  
@@ -2147,11 +2156,11 @@
 	}
  
 	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
-			       permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+			       boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 			       vbh, AVB_SHA256_DIGEST_SIZE);
 #else
 	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
-			       permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
+			       boot_key_hash, AVB_SHA256_DIGEST_SIZE,
 			       NULL, 0);
 #endif
  
@@ -230,7 +230,7 @@
         return rc;
     }
     /* ensure caller passed size matches size returned by Trusty */
-    if (size != resp_size) {
+    if (size < resp_size) {
         return TRUSTY_ERR_INVALID_ARGS;
     }
     trusty_memcpy(publickey, resp_buf, resp_size);
@@ -290,6 +290,9 @@
         return TRUSTY_ERR_GENERIC;
     }
  
+    /* mark as initialized */
+    initialized = true;
+
     return TRUSTY_ERR_NONE;
 }
...	...	@@ -83,7 +83,7 @@
83	83	#include "fastboot_lock_unlock.h"
84	84	#endif
85	85
86		-#if defined(CONFIG_IMX_TRUSTY_OS) && defined(CONFIG_DUAL_BOOTLOADER)
	86	+#ifdef CONFIG_IMX_TRUSTY_OS
87	87	#include "u-boot/sha256.h"
88	88	#endif
89	89
90	90
91	91
92	92
...	...	@@ -2125,12 +2125,21 @@
2125	2125	keymaster_verified_boot_t vbstatus;
2126	2126	FbLockState lock_status = fastboot_get_lock_stat();
2127	2127
2128		- uint8_t permanent_attributes_hash[AVB_SHA256_DIGEST_SIZE];
	2128	+ uint8_t boot_key_hash[AVB_SHA256_DIGEST_SIZE];
2129	2129	#ifdef CONFIG_AVB_ATX
2130		- if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, permanent_attributes_hash)) {
	2130	+ if (fsl_read_permanent_attributes_hash(&fsl_avb_atx_ops, boot_key_hash)) {
2131	2131	printf("ERROR - failed to read permanent attributes hash for keymaster\n");
2132		- memset(permanent_attributes_hash, 0, AVB_SHA256_DIGEST_SIZE);
	2132	+ memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
2133	2133	}
	2134	+#else
	2135	+ uint8_t public_key_buf[AVB_MAX_BUFFER_LENGTH];
	2136	+ if (trusty_read_vbmeta_public_key(public_key_buf,
	2137	+ AVB_MAX_BUFFER_LENGTH) != 0) {
	2138	+ printf("ERROR - failed to read public key for keymaster\n");
	2139	+ memset(boot_key_hash, 0, AVB_SHA256_DIGEST_SIZE);
	2140	+ } else
	2141	+ sha256_csum_wd((unsigned char *)public_key_buf, AVB_SHA256_DIGEST_SIZE,
	2142	+ (unsigned char *)boot_key_hash, CHUNKSZ_SHA256);
2134	2143	#endif
2135	2144
2136	2145	bool lock = (lock_status == FASTBOOT_LOCK)? true: false;
2137	2146
...	...	@@ -2147,11 +2156,11 @@
2147	2156	}
2148	2157
2149	2158	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
2150		- permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
	2159	+ boot_key_hash, AVB_SHA256_DIGEST_SIZE,
2151	2160	vbh, AVB_SHA256_DIGEST_SIZE);
2152	2161	#else
2153	2162	trusty_set_boot_params(os_ver_km, os_lvl_km, vbstatus, lock,
2154		- permanent_attributes_hash, AVB_SHA256_DIGEST_SIZE,
	2163	+ boot_key_hash, AVB_SHA256_DIGEST_SIZE,
2155	2164	NULL, 0);
2156	2165	#endif
2157	2166
...	...	@@ -230,7 +230,7 @@
230	230	return rc;
231	231	}
232	232	/* ensure caller passed size matches size returned by Trusty */
233		- if (size != resp_size) {
	233	+ if (size < resp_size) {
234	234	return TRUSTY_ERR_INVALID_ARGS;
235	235	}
236	236	trusty_memcpy(publickey, resp_buf, resp_size);
...	...	@@ -290,6 +290,9 @@
290	290	return TRUSTY_ERR_GENERIC;
291	291	}
292	292
	293	+ /* mark as initialized */
	294	+ initialized = true;
	295	+
293	296	return TRUSTY_ERR_NONE;
294	297	}
295	298