1 /* 2 * Copyright (c) 2015, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 29 /* 30 * Acronyms: 31 * 32 * FEK - File Encryption Key 33 * SSK - Secure Storage Key 34 * TSK - Trusted app Storage Key 35 * IV - Initial vector 36 * HUK - Hardware Unique Key 37 * RNG - Random Number Generator 38 */ 39 40 #include <initcall.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <kernel/tee_common_otp.h> 44 #include <kernel/tee_common_unpg.h> 45 #include <kernel/tee_ta_manager.h> 46 #include <tee/tee_cryp_utl.h> 47 #include <tee/tee_cryp_provider.h> 48 #include <tee/tee_fs_key_manager.h> 49 #include <compiler.h> 50 #include <trace.h> 51 #include <util.h> 52 53 struct tee_fs_ssk { 54 bool is_init; 55 uint8_t key[TEE_FS_KM_SSK_SIZE]; 56 }; 57 58 struct aad { 59 const uint8_t *encrypted_key; 60 const uint8_t *iv; 61 }; 62 63 struct km_header { 64 struct aad aad; 65 uint8_t *tag; 66 }; 67 68 static struct tee_fs_ssk tee_fs_ssk; 69 static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk"; 70 71 72 static TEE_Result do_hmac(uint8_t *out_key, uint32_t out_key_size, 73 const uint8_t *in_key, uint32_t in_key_size, 74 const uint8_t *message, uint32_t message_size) 75 { 76 TEE_Result res = TEE_ERROR_GENERIC; 77 uint8_t *ctx = NULL; 78 size_t hash_ctx_size = 0; 79 80 if (!out_key || !in_key || !message) 81 return TEE_ERROR_BAD_PARAMETERS; 82 83 res = crypto_ops.mac.get_ctx_size(TEE_FS_KM_HMAC_ALG, &hash_ctx_size); 84 if (res != TEE_SUCCESS) 85 return res; 86 87 ctx = malloc(hash_ctx_size); 88 if (!ctx) 89 return TEE_ERROR_OUT_OF_MEMORY; 90 91 res = crypto_ops.mac.init(ctx, TEE_FS_KM_HMAC_ALG, in_key, in_key_size); 92 if (res != TEE_SUCCESS) 93 goto exit; 94 95 res = crypto_ops.mac.update(ctx, TEE_FS_KM_HMAC_ALG, 96 message, message_size); 97 if (res != TEE_SUCCESS) 98 goto exit; 99 100 res = crypto_ops.mac.final(ctx, TEE_FS_KM_HMAC_ALG, out_key, 101 out_key_size); 102 if (res != TEE_SUCCESS) 103 goto exit; 104 105 res = TEE_SUCCESS; 106 107 exit: 108 free(ctx); 109 return res; 110 } 111 112 static TEE_Result fek_crypt(TEE_OperationMode mode, 113 uint8_t *key, int size) 114 { 115 TEE_Result res; 116 uint8_t *ctx = NULL; 117 size_t ctx_size; 118 uint8_t tsk[TEE_FS_KM_TSK_SIZE]; 119 uint8_t dst_key[TEE_FS_KM_FEK_SIZE]; 120 struct tee_ta_session *sess; 121 122 if (!key) 123 return TEE_ERROR_BAD_PARAMETERS; 124 125 if (size != TEE_FS_KM_FEK_SIZE) 126 return TEE_ERROR_BAD_PARAMETERS; 127 128 if (tee_fs_ssk.is_init == 0) 129 return TEE_ERROR_GENERIC; 130 131 res = tee_ta_get_current_session(&sess); 132 if (res != TEE_SUCCESS) 133 return res; 134 135 res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE, 136 (uint8_t *)&sess->ctx->uuid, sizeof(TEE_UUID)); 137 if (res != TEE_SUCCESS) 138 return res; 139 140 res = crypto_ops.cipher.get_ctx_size(TEE_FS_KM_ENC_FEK_ALG, &ctx_size); 141 if (res != TEE_SUCCESS) 142 return res; 143 144 ctx = malloc(ctx_size); 145 if (!ctx) 146 return TEE_ERROR_OUT_OF_MEMORY; 147 148 res = crypto_ops.cipher.init(ctx, TEE_FS_KM_ENC_FEK_ALG, mode, tsk, 149 sizeof(tsk), NULL, 0, NULL, 0); 150 if (res != TEE_SUCCESS) 151 goto exit; 152 153 res = crypto_ops.cipher.update(ctx, TEE_FS_KM_ENC_FEK_ALG, 154 mode, true, key, size, dst_key); 155 if (res != TEE_SUCCESS) 156 goto exit; 157 158 crypto_ops.cipher.final(ctx, TEE_FS_KM_ENC_FEK_ALG); 159 160 memcpy(key, dst_key, sizeof(dst_key)); 161 162 exit: 163 free(ctx); 164 165 return res; 166 } 167 168 static TEE_Result generate_fek(uint8_t *key, uint8_t len) 169 { 170 return crypto_ops.prng.read(key, len); 171 } 172 173 static TEE_Result generate_iv(uint8_t *iv, uint8_t len) 174 { 175 return crypto_ops.prng.read(iv, len); 176 } 177 178 static TEE_Result tee_fs_init_key_manager(void) 179 { 180 int res = TEE_SUCCESS; 181 struct tee_hw_unique_key huk; 182 uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH]; 183 uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)]; 184 185 /* Secure Storage Key Generation: 186 * 187 * SSK = HMAC(HUK, message) 188 * message := concatenate(chip_id, static string) 189 * */ 190 tee_otp_get_hw_unique_key(&huk); 191 tee_otp_get_die_id(chip_id, sizeof(chip_id)); 192 193 memcpy(message, chip_id, sizeof(chip_id)); 194 memcpy(message + sizeof(chip_id), string_for_ssk_gen, 195 sizeof(string_for_ssk_gen)); 196 197 res = do_hmac(tee_fs_ssk.key, sizeof(tee_fs_ssk.key), 198 huk.data, sizeof(huk.data), 199 message, sizeof(message)); 200 201 if (res == TEE_SUCCESS) 202 tee_fs_ssk.is_init = 1; 203 204 return res; 205 } 206 207 static TEE_Result do_auth_enc(TEE_OperationMode mode, 208 struct km_header *hdr, 209 uint8_t *fek, int fek_len, 210 const uint8_t *data_in, size_t in_size, 211 uint8_t *data_out, size_t *out_size) 212 { 213 TEE_Result res = TEE_SUCCESS; 214 uint8_t *ctx = NULL; 215 size_t ctx_size; 216 size_t tag_len = TEE_FS_KM_MAX_TAG_LEN; 217 218 if ((mode != TEE_MODE_ENCRYPT) && (mode != TEE_MODE_DECRYPT)) 219 return TEE_ERROR_BAD_PARAMETERS; 220 221 if (*out_size < in_size) { 222 EMSG("output buffer(%zd) < input buffer(%zd)", 223 *out_size, in_size); 224 return TEE_ERROR_SHORT_BUFFER; 225 } 226 227 res = crypto_ops.authenc.get_ctx_size(TEE_FS_KM_AUTH_ENC_ALG, 228 &ctx_size); 229 if (res != TEE_SUCCESS) 230 return res; 231 232 ctx = malloc(ctx_size); 233 if (!ctx) { 234 EMSG("request memory size %zu failed", ctx_size); 235 return TEE_ERROR_OUT_OF_MEMORY; 236 } 237 238 res = crypto_ops.authenc.init(ctx, TEE_FS_KM_AUTH_ENC_ALG, 239 mode, fek, fek_len, hdr->aad.iv, 240 TEE_FS_KM_IV_LEN, TEE_FS_KM_MAX_TAG_LEN, 241 sizeof(struct aad), in_size); 242 if (res != TEE_SUCCESS) 243 goto exit; 244 245 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 246 mode, (uint8_t *)hdr->aad.encrypted_key, 247 TEE_FS_KM_FEK_SIZE); 248 if (res != TEE_SUCCESS) 249 goto exit; 250 251 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 252 mode, (uint8_t *)hdr->aad.iv, 253 TEE_FS_KM_IV_LEN); 254 if (res != TEE_SUCCESS) 255 goto exit; 256 257 if (mode == TEE_MODE_ENCRYPT) { 258 res = crypto_ops.authenc.enc_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 259 data_in, in_size, data_out, out_size, 260 hdr->tag, &tag_len); 261 } else { 262 res = crypto_ops.authenc.dec_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 263 data_in, in_size, data_out, out_size, 264 hdr->tag, tag_len); 265 } 266 267 if (res != TEE_SUCCESS) 268 goto exit; 269 270 crypto_ops.authenc.final(ctx, TEE_FS_KM_AUTH_ENC_ALG); 271 272 exit: 273 free(ctx); 274 return res; 275 } 276 277 size_t tee_fs_get_header_size(enum tee_fs_file_type type) 278 { 279 size_t header_size = 0; 280 281 switch (type) { 282 case META_FILE: 283 header_size = sizeof(struct meta_header); 284 break; 285 case BLOCK_FILE: 286 header_size = sizeof(struct block_header); 287 break; 288 default: 289 EMSG("Unknown file type, type=%d", type); 290 TEE_ASSERT(0); 291 } 292 293 return header_size; 294 } 295 296 TEE_Result tee_fs_generate_fek(uint8_t *buf, int buf_size) 297 { 298 TEE_Result res; 299 300 if (buf_size != TEE_FS_KM_FEK_SIZE) 301 return TEE_ERROR_BAD_PARAMETERS; 302 303 res = generate_fek(buf, TEE_FS_KM_FEK_SIZE); 304 if (res != TEE_SUCCESS) 305 return res; 306 307 return fek_crypt(TEE_MODE_ENCRYPT, buf, 308 TEE_FS_KM_FEK_SIZE); 309 } 310 311 TEE_Result tee_fs_encrypt_file(enum tee_fs_file_type file_type, 312 const uint8_t *data_in, size_t data_in_size, 313 uint8_t *data_out, size_t *data_out_size, 314 const uint8_t *encrypted_fek) 315 { 316 TEE_Result res = TEE_SUCCESS; 317 struct km_header hdr; 318 uint8_t iv[TEE_FS_KM_IV_LEN]; 319 uint8_t tag[TEE_FS_KM_MAX_TAG_LEN]; 320 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 321 uint8_t *ciphertext; 322 size_t cipher_size; 323 size_t header_size = tee_fs_get_header_size(file_type); 324 325 /* 326 * Meta File Format: |Header|Chipertext| 327 * Header Format: |AAD|Tag| 328 * AAD Format: |Encrypted_FEK|IV| 329 * 330 * Block File Format: |Header|Ciphertext| 331 * Header Format: |IV|Tag| 332 * 333 * TSK = HMAC(SSK, TA_UUID) 334 * FEK = AES_DECRYPT(TSK, Encrypted_FEK) 335 * Chipertext = AES_GCM_ENCRYPT(FEK, IV, Meta_Info, AAD) 336 */ 337 338 if (*data_out_size != (header_size + data_in_size)) 339 return TEE_ERROR_SHORT_BUFFER; 340 341 res = generate_iv(iv, TEE_FS_KM_IV_LEN); 342 if (res != TEE_SUCCESS) 343 goto fail; 344 345 memcpy(fek, encrypted_fek, TEE_FS_KM_FEK_SIZE); 346 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 347 if (res != TEE_SUCCESS) 348 goto fail; 349 350 ciphertext = data_out + header_size; 351 cipher_size = data_in_size; 352 353 hdr.aad.iv = iv; 354 hdr.aad.encrypted_key = encrypted_fek; 355 hdr.tag = tag; 356 357 res = do_auth_enc(TEE_MODE_ENCRYPT, &hdr, 358 fek, TEE_FS_KM_FEK_SIZE, 359 data_in, data_in_size, 360 ciphertext, &cipher_size); 361 362 if (res == TEE_SUCCESS) { 363 if (file_type == META_FILE) { 364 memcpy(data_out, encrypted_fek, TEE_FS_KM_FEK_SIZE); 365 data_out += TEE_FS_KM_FEK_SIZE; 366 } 367 368 memcpy(data_out, iv, TEE_FS_KM_IV_LEN); 369 data_out += TEE_FS_KM_IV_LEN; 370 memcpy(data_out, tag, TEE_FS_KM_MAX_TAG_LEN); 371 372 *data_out_size = header_size + cipher_size; 373 } 374 375 fail: 376 return res; 377 } 378 379 TEE_Result tee_fs_decrypt_file(enum tee_fs_file_type file_type, 380 const uint8_t *data_in, size_t data_in_size, 381 uint8_t *plaintext, size_t *plaintext_size, 382 uint8_t *encrypted_fek) 383 { 384 TEE_Result res = TEE_SUCCESS; 385 struct km_header km_hdr; 386 size_t file_hdr_size = tee_fs_get_header_size(file_type); 387 const uint8_t *cipher = data_in + file_hdr_size; 388 int cipher_size = data_in_size - file_hdr_size; 389 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 390 391 if (file_type == META_FILE) { 392 struct meta_header *hdr = (struct meta_header *)data_in; 393 394 km_hdr.aad.encrypted_key = hdr->encrypted_key; 395 km_hdr.aad.iv = hdr->common.iv; 396 km_hdr.tag = hdr->common.tag; 397 398 /* return encrypted FEK to tee_fs which is used for block 399 * encryption/decryption */ 400 memcpy(encrypted_fek, hdr->encrypted_key, TEE_FS_KM_FEK_SIZE); 401 } else { 402 struct block_header *hdr = (struct block_header *)data_in; 403 404 km_hdr.aad.encrypted_key = encrypted_fek; 405 km_hdr.aad.iv = hdr->common.iv; 406 km_hdr.tag = hdr->common.tag; 407 } 408 409 memcpy(fek, km_hdr.aad.encrypted_key, TEE_FS_KM_FEK_SIZE); 410 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 411 if (res != TEE_SUCCESS) { 412 EMSG("Failed to decrypt FEK, res=0x%x", res); 413 return res; 414 } 415 416 return do_auth_enc(TEE_MODE_DECRYPT, &km_hdr, fek, TEE_FS_KM_FEK_SIZE, 417 cipher, cipher_size, plaintext, plaintext_size); 418 } 419 420 static TEE_Result sha256(uint8_t *out, size_t out_size, const uint8_t *in, 421 size_t in_size) 422 { 423 TEE_Result res; 424 uint8_t *ctx = NULL; 425 size_t ctx_size; 426 uint32_t algo = TEE_ALG_SHA256; 427 428 res = crypto_ops.hash.get_ctx_size(algo, &ctx_size); 429 if (res != TEE_SUCCESS) 430 return res; 431 432 ctx = malloc(ctx_size); 433 if (!ctx) 434 return TEE_ERROR_OUT_OF_MEMORY; 435 436 res = crypto_ops.hash.init(ctx, algo); 437 if (res != TEE_SUCCESS) 438 goto out; 439 440 res = crypto_ops.hash.update(ctx, algo, in, in_size); 441 if (res != TEE_SUCCESS) 442 goto out; 443 444 res = crypto_ops.hash.final(ctx, algo, out, out_size); 445 446 out: 447 free(ctx); 448 return res; 449 } 450 451 static TEE_Result aes_ecb(uint8_t out[TEE_AES_BLOCK_SIZE], 452 const uint8_t in[TEE_AES_BLOCK_SIZE], 453 const uint8_t *key, size_t key_size) 454 { 455 TEE_Result res; 456 uint8_t *ctx = NULL; 457 size_t ctx_size; 458 uint32_t algo = TEE_ALG_AES_ECB_NOPAD; 459 460 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 461 if (res != TEE_SUCCESS) 462 return res; 463 464 ctx = malloc(ctx_size); 465 if (!ctx) 466 return TEE_ERROR_OUT_OF_MEMORY; 467 468 res = crypto_ops.cipher.init(ctx, algo, TEE_MODE_ENCRYPT, key, 469 key_size, NULL, 0, NULL, 0); 470 if (res != TEE_SUCCESS) 471 goto out; 472 473 res = crypto_ops.cipher.update(ctx, algo, TEE_MODE_ENCRYPT, true, in, 474 TEE_AES_BLOCK_SIZE, out); 475 if (res != TEE_SUCCESS) 476 goto out; 477 478 crypto_ops.cipher.final(ctx, algo); 479 res = TEE_SUCCESS; 480 481 out: 482 free(ctx); 483 return res; 484 } 485 486 static TEE_Result essiv(uint8_t iv[TEE_AES_BLOCK_SIZE], 487 const uint8_t fek[TEE_FS_KM_FEK_SIZE], 488 uint16_t blk_idx) 489 { 490 TEE_Result res; 491 uint8_t sha[TEE_SHA256_HASH_SIZE]; 492 uint8_t pad_blkid[TEE_AES_BLOCK_SIZE] = { 0, }; 493 494 res = sha256(sha, sizeof(sha), fek, TEE_FS_KM_FEK_SIZE); 495 if (res != TEE_SUCCESS) 496 return res; 497 498 pad_blkid[0] = (blk_idx & 0xFF); 499 pad_blkid[1] = (blk_idx & 0xFF00) >> 8; 500 501 return aes_ecb(iv, pad_blkid, sha, 16); 502 } 503 504 /* 505 * Encryption/decryption of RPMB FS file data. This is AES CBC with ESSIV. 506 */ 507 TEE_Result tee_fs_crypt_block(uint8_t *out, const uint8_t *in, size_t size, 508 uint16_t blk_idx, const uint8_t *encrypted_fek, 509 TEE_OperationMode mode) 510 { 511 TEE_Result res; 512 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 513 uint8_t iv[TEE_AES_BLOCK_SIZE]; 514 uint8_t *ctx; 515 size_t ctx_size; 516 uint32_t algo = TEE_ALG_AES_CBC_NOPAD; 517 518 DMSG("%scrypt block #%u", (mode == TEE_MODE_ENCRYPT) ? "En" : "De", 519 blk_idx); 520 521 /* Decrypt FEK */ 522 memcpy(fek, encrypted_fek, TEE_FS_KM_FEK_SIZE); 523 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 524 if (res != TEE_SUCCESS) 525 return res; 526 527 /* Compute initialization vector for this block */ 528 res = essiv(iv, fek, blk_idx); 529 530 /* Run AES CBC */ 531 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 532 if (res != TEE_SUCCESS) 533 return res; 534 ctx = malloc(ctx_size); 535 if (!ctx) 536 return TEE_ERROR_OUT_OF_MEMORY; 537 538 res = crypto_ops.cipher.init(ctx, algo, mode, fek, sizeof(fek), NULL, 539 0, iv, TEE_AES_BLOCK_SIZE); 540 if (res != TEE_SUCCESS) 541 goto exit; 542 res = crypto_ops.cipher.update(ctx, algo, mode, true, in, size, out); 543 if (res != TEE_SUCCESS) 544 goto exit; 545 546 crypto_ops.cipher.final(ctx, algo); 547 548 exit: 549 free(ctx); 550 return res; 551 } 552 553 service_init(tee_fs_init_key_manager); 554 555