1 /* 2 * Copyright (c) 2015, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 29 /* 30 * Acronyms: 31 * 32 * FEK - File Encryption Key 33 * SSK - Secure Storage Key 34 * TSK - Trusted app Storage Key 35 * IV - Initial vector 36 * HUK - Hardware Unique Key 37 * RNG - Random Number Generator 38 */ 39 40 #include <initcall.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <kernel/panic.h> 44 #include <kernel/tee_common_otp.h> 45 #include <kernel/tee_ta_manager.h> 46 #include <tee/tee_cryp_utl.h> 47 #include <tee/tee_cryp_provider.h> 48 #include <tee/tee_fs_key_manager.h> 49 #include <compiler.h> 50 #include <trace.h> 51 #include <util.h> 52 53 struct tee_fs_ssk { 54 bool is_init; 55 uint8_t key[TEE_FS_KM_SSK_SIZE]; 56 }; 57 58 static struct tee_fs_ssk tee_fs_ssk; 59 static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk"; 60 61 62 static TEE_Result do_hmac(void *out_key, size_t out_key_size, 63 const void *in_key, size_t in_key_size, 64 const void *message, size_t message_size) 65 { 66 TEE_Result res = TEE_ERROR_GENERIC; 67 uint8_t *ctx = NULL; 68 size_t hash_ctx_size = 0; 69 70 if (!out_key || !in_key || !message) 71 return TEE_ERROR_BAD_PARAMETERS; 72 73 res = crypto_ops.mac.get_ctx_size(TEE_FS_KM_HMAC_ALG, &hash_ctx_size); 74 if (res != TEE_SUCCESS) 75 return res; 76 77 ctx = malloc(hash_ctx_size); 78 if (!ctx) 79 return TEE_ERROR_OUT_OF_MEMORY; 80 81 res = crypto_ops.mac.init(ctx, TEE_FS_KM_HMAC_ALG, in_key, in_key_size); 82 if (res != TEE_SUCCESS) 83 goto exit; 84 85 res = crypto_ops.mac.update(ctx, TEE_FS_KM_HMAC_ALG, 86 message, message_size); 87 if (res != TEE_SUCCESS) 88 goto exit; 89 90 res = crypto_ops.mac.final(ctx, TEE_FS_KM_HMAC_ALG, out_key, 91 out_key_size); 92 if (res != TEE_SUCCESS) 93 goto exit; 94 95 res = TEE_SUCCESS; 96 97 exit: 98 free(ctx); 99 return res; 100 } 101 102 TEE_Result tee_fs_fek_crypt(const TEE_UUID *uuid, TEE_OperationMode mode, 103 const uint8_t *in_key, size_t size, 104 uint8_t *out_key) 105 { 106 TEE_Result res; 107 uint8_t *ctx = NULL; 108 size_t ctx_size; 109 uint8_t tsk[TEE_FS_KM_TSK_SIZE]; 110 uint8_t dst_key[size]; 111 112 if (!in_key || !out_key) 113 return TEE_ERROR_BAD_PARAMETERS; 114 115 if (size != TEE_FS_KM_FEK_SIZE) 116 return TEE_ERROR_BAD_PARAMETERS; 117 118 if (tee_fs_ssk.is_init == 0) 119 return TEE_ERROR_GENERIC; 120 121 if (uuid) { 122 res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, 123 TEE_FS_KM_SSK_SIZE, uuid, sizeof(*uuid)); 124 if (res != TEE_SUCCESS) 125 return res; 126 } else { 127 /* 128 * Pick something of a different size than TEE_UUID to 129 * guarantee that there's never a conflict. 130 */ 131 uint8_t dummy[1] = { 0 }; 132 133 res = do_hmac(tsk, sizeof(tsk), tee_fs_ssk.key, 134 TEE_FS_KM_SSK_SIZE, dummy, sizeof(dummy)); 135 if (res != TEE_SUCCESS) 136 return res; 137 } 138 139 res = crypto_ops.cipher.get_ctx_size(TEE_FS_KM_ENC_FEK_ALG, &ctx_size); 140 if (res != TEE_SUCCESS) 141 return res; 142 143 ctx = malloc(ctx_size); 144 if (!ctx) 145 return TEE_ERROR_OUT_OF_MEMORY; 146 147 res = crypto_ops.cipher.init(ctx, TEE_FS_KM_ENC_FEK_ALG, mode, tsk, 148 sizeof(tsk), NULL, 0, NULL, 0); 149 if (res != TEE_SUCCESS) 150 goto exit; 151 152 res = crypto_ops.cipher.update(ctx, TEE_FS_KM_ENC_FEK_ALG, 153 mode, true, in_key, size, dst_key); 154 if (res != TEE_SUCCESS) 155 goto exit; 156 157 crypto_ops.cipher.final(ctx, TEE_FS_KM_ENC_FEK_ALG); 158 159 memcpy(out_key, dst_key, sizeof(dst_key)); 160 161 exit: 162 free(ctx); 163 164 return res; 165 } 166 167 static TEE_Result generate_fek(uint8_t *key, uint8_t len) 168 { 169 return crypto_rng_read(key, len); 170 } 171 172 static TEE_Result tee_fs_init_key_manager(void) 173 { 174 int res = TEE_SUCCESS; 175 struct tee_hw_unique_key huk; 176 uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH]; 177 uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)]; 178 179 /* Secure Storage Key Generation: 180 * 181 * SSK = HMAC(HUK, message) 182 * message := concatenate(chip_id, static string) 183 * */ 184 tee_otp_get_hw_unique_key(&huk); 185 tee_otp_get_die_id(chip_id, sizeof(chip_id)); 186 187 memcpy(message, chip_id, sizeof(chip_id)); 188 memcpy(message + sizeof(chip_id), string_for_ssk_gen, 189 sizeof(string_for_ssk_gen)); 190 191 res = do_hmac(tee_fs_ssk.key, sizeof(tee_fs_ssk.key), 192 huk.data, sizeof(huk.data), 193 message, sizeof(message)); 194 195 if (res == TEE_SUCCESS) 196 tee_fs_ssk.is_init = 1; 197 198 return res; 199 } 200 201 TEE_Result tee_fs_generate_fek(const TEE_UUID *uuid, void *buf, size_t buf_size) 202 { 203 TEE_Result res; 204 205 if (buf_size != TEE_FS_KM_FEK_SIZE) 206 return TEE_ERROR_BAD_PARAMETERS; 207 208 res = generate_fek(buf, TEE_FS_KM_FEK_SIZE); 209 if (res != TEE_SUCCESS) 210 return res; 211 212 return tee_fs_fek_crypt(uuid, TEE_MODE_ENCRYPT, buf, 213 TEE_FS_KM_FEK_SIZE, buf); 214 } 215 216 static TEE_Result sha256(uint8_t *out, size_t out_size, const uint8_t *in, 217 size_t in_size) 218 { 219 TEE_Result res; 220 uint8_t *ctx = NULL; 221 size_t ctx_size; 222 uint32_t algo = TEE_ALG_SHA256; 223 224 res = crypto_ops.hash.get_ctx_size(algo, &ctx_size); 225 if (res != TEE_SUCCESS) 226 return res; 227 228 ctx = malloc(ctx_size); 229 if (!ctx) 230 return TEE_ERROR_OUT_OF_MEMORY; 231 232 res = crypto_ops.hash.init(ctx, algo); 233 if (res != TEE_SUCCESS) 234 goto out; 235 236 res = crypto_ops.hash.update(ctx, algo, in, in_size); 237 if (res != TEE_SUCCESS) 238 goto out; 239 240 res = crypto_ops.hash.final(ctx, algo, out, out_size); 241 242 out: 243 free(ctx); 244 return res; 245 } 246 247 static TEE_Result aes_ecb(uint8_t out[TEE_AES_BLOCK_SIZE], 248 const uint8_t in[TEE_AES_BLOCK_SIZE], 249 const uint8_t *key, size_t key_size) 250 { 251 TEE_Result res; 252 uint8_t *ctx = NULL; 253 size_t ctx_size; 254 uint32_t algo = TEE_ALG_AES_ECB_NOPAD; 255 256 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 257 if (res != TEE_SUCCESS) 258 return res; 259 260 ctx = malloc(ctx_size); 261 if (!ctx) 262 return TEE_ERROR_OUT_OF_MEMORY; 263 264 res = crypto_ops.cipher.init(ctx, algo, TEE_MODE_ENCRYPT, key, 265 key_size, NULL, 0, NULL, 0); 266 if (res != TEE_SUCCESS) 267 goto out; 268 269 res = crypto_ops.cipher.update(ctx, algo, TEE_MODE_ENCRYPT, true, in, 270 TEE_AES_BLOCK_SIZE, out); 271 if (res != TEE_SUCCESS) 272 goto out; 273 274 crypto_ops.cipher.final(ctx, algo); 275 res = TEE_SUCCESS; 276 277 out: 278 free(ctx); 279 return res; 280 } 281 282 static TEE_Result essiv(uint8_t iv[TEE_AES_BLOCK_SIZE], 283 const uint8_t fek[TEE_FS_KM_FEK_SIZE], 284 uint16_t blk_idx) 285 { 286 TEE_Result res; 287 uint8_t sha[TEE_SHA256_HASH_SIZE]; 288 uint8_t pad_blkid[TEE_AES_BLOCK_SIZE] = { 0, }; 289 290 res = sha256(sha, sizeof(sha), fek, TEE_FS_KM_FEK_SIZE); 291 if (res != TEE_SUCCESS) 292 return res; 293 294 pad_blkid[0] = (blk_idx & 0xFF); 295 pad_blkid[1] = (blk_idx & 0xFF00) >> 8; 296 297 return aes_ecb(iv, pad_blkid, sha, 16); 298 } 299 300 /* 301 * Encryption/decryption of RPMB FS file data. This is AES CBC with ESSIV. 302 */ 303 TEE_Result tee_fs_crypt_block(const TEE_UUID *uuid, uint8_t *out, 304 const uint8_t *in, size_t size, 305 uint16_t blk_idx, const uint8_t *encrypted_fek, 306 TEE_OperationMode mode) 307 { 308 TEE_Result res; 309 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 310 uint8_t iv[TEE_AES_BLOCK_SIZE]; 311 uint8_t *ctx; 312 size_t ctx_size; 313 uint32_t algo = TEE_ALG_AES_CBC_NOPAD; 314 315 DMSG("%scrypt block #%u", (mode == TEE_MODE_ENCRYPT) ? "En" : "De", 316 blk_idx); 317 318 /* Decrypt FEK */ 319 res = tee_fs_fek_crypt(uuid, TEE_MODE_DECRYPT, encrypted_fek, 320 TEE_FS_KM_FEK_SIZE, fek); 321 if (res != TEE_SUCCESS) 322 return res; 323 324 /* Compute initialization vector for this block */ 325 res = essiv(iv, fek, blk_idx); 326 327 /* Run AES CBC */ 328 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 329 if (res != TEE_SUCCESS) 330 return res; 331 ctx = malloc(ctx_size); 332 if (!ctx) 333 return TEE_ERROR_OUT_OF_MEMORY; 334 335 res = crypto_ops.cipher.init(ctx, algo, mode, fek, sizeof(fek), NULL, 336 0, iv, TEE_AES_BLOCK_SIZE); 337 if (res != TEE_SUCCESS) 338 goto exit; 339 res = crypto_ops.cipher.update(ctx, algo, mode, true, in, size, out); 340 if (res != TEE_SUCCESS) 341 goto exit; 342 343 crypto_ops.cipher.final(ctx, algo); 344 345 exit: 346 free(ctx); 347 return res; 348 } 349 350 service_init_late(tee_fs_init_key_manager); 351