1 /* 2 * Copyright (c) 2015, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 29 /* Acronyms: 30 * 31 * FEK - File Encryption Key 32 * SST - Secure Storage 33 * SSK - Secure Storage Key 34 * IV - Initial vector 35 * HUK - Hardware Unique Key 36 * RNG - Random Number Generator 37 * 38 * */ 39 40 #include <initcall.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <kernel/tee_common_otp.h> 44 #include <kernel/tee_common_unpg.h> 45 #include <tee/tee_cryp_utl.h> 46 #include <tee/tee_cryp_provider.h> 47 #include <tee/tee_fs_key_manager.h> 48 #include <compiler.h> 49 #include <trace.h> 50 51 struct tee_fs_ssk { 52 bool is_init; 53 uint8_t key[TEE_FS_KM_SSK_SIZE]; 54 }; 55 56 struct aad { 57 const uint8_t *encrypted_key; 58 const uint8_t *iv; 59 }; 60 61 struct km_header { 62 struct aad aad; 63 uint8_t *tag; 64 }; 65 66 67 struct common_header { 68 uint8_t iv[TEE_FS_KM_IV_LEN]; 69 uint8_t tag[TEE_FS_KM_MAX_TAG_LEN]; 70 }; 71 72 struct meta_header { 73 uint8_t encrypted_key[TEE_FS_KM_FEK_SIZE]; 74 struct common_header common; 75 }; 76 77 struct block_header { 78 struct common_header common; 79 }; 80 81 static struct tee_fs_ssk tee_fs_ssk; 82 static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk"; 83 84 85 static TEE_Result fek_crypt(TEE_OperationMode mode, 86 uint8_t *key, int size) 87 { 88 TEE_Result res; 89 uint8_t *ctx = NULL; 90 size_t ctx_size; 91 uint8_t dst_key[TEE_FS_KM_FEK_SIZE]; 92 93 if (!key) 94 return TEE_ERROR_BAD_PARAMETERS; 95 96 if (size != TEE_FS_KM_FEK_SIZE) 97 return TEE_ERROR_BAD_PARAMETERS; 98 99 if (tee_fs_ssk.is_init == 0) 100 return TEE_ERROR_GENERIC; 101 102 res = crypto_ops.cipher.get_ctx_size(TEE_FS_KM_ENC_FEK_ALG, &ctx_size); 103 if (res != TEE_SUCCESS) 104 return res; 105 106 ctx = malloc(ctx_size); 107 if (!ctx) 108 return TEE_ERROR_OUT_OF_MEMORY; 109 110 res = crypto_ops.cipher.init(ctx, TEE_FS_KM_ENC_FEK_ALG, 111 mode, tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE, 112 NULL, 0, NULL, 0); 113 if (res != TEE_SUCCESS) 114 goto exit; 115 116 res = crypto_ops.cipher.update(ctx, TEE_FS_KM_ENC_FEK_ALG, 117 mode, true, key, size, dst_key); 118 if (res != TEE_SUCCESS) 119 goto exit; 120 121 crypto_ops.cipher.final(ctx, TEE_FS_KM_ENC_FEK_ALG); 122 123 memcpy(key, dst_key, sizeof(dst_key)); 124 125 exit: 126 free(ctx); 127 128 return res; 129 } 130 131 static TEE_Result generate_fek(uint8_t *key, uint8_t len) 132 { 133 return crypto_ops.prng.read(key, len); 134 } 135 136 static TEE_Result generate_iv(uint8_t *iv, uint8_t len) 137 { 138 return crypto_ops.prng.read(iv, len); 139 } 140 141 static TEE_Result generate_ssk(uint8_t *ssk, uint32_t ssk_size, 142 uint8_t *huk, uint32_t huk_size, 143 uint8_t *message, uint32_t message_size) 144 { 145 TEE_Result res = TEE_ERROR_GENERIC; 146 uint8_t *ctx = NULL; 147 size_t hash_ctx_size = 0; 148 149 if (!ssk || !huk || !message) 150 return TEE_ERROR_BAD_PARAMETERS; 151 152 res = crypto_ops.mac.get_ctx_size(TEE_FS_KM_HMAC_ALG, &hash_ctx_size); 153 if (res != TEE_SUCCESS) 154 return res; 155 156 ctx = malloc(hash_ctx_size); 157 if (!ctx) 158 return TEE_ERROR_OUT_OF_MEMORY; 159 160 res = crypto_ops.mac.init(ctx, TEE_FS_KM_HMAC_ALG, huk, huk_size); 161 if (res != TEE_SUCCESS) 162 goto exit; 163 164 res = crypto_ops.mac.update(ctx, TEE_FS_KM_HMAC_ALG, 165 message, message_size); 166 if (res != TEE_SUCCESS) 167 goto exit; 168 169 res = crypto_ops.hash.final(ctx, TEE_FS_KM_HMAC_ALG, ssk, ssk_size); 170 if (res != TEE_SUCCESS) 171 goto exit; 172 173 res = TEE_SUCCESS; 174 175 exit: 176 free(ctx); 177 return res; 178 } 179 180 static TEE_Result tee_fs_init_key_manager(void) 181 { 182 int res = TEE_SUCCESS; 183 struct tee_hw_unique_key huk; 184 uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH]; 185 uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)]; 186 187 /* Secure Storage Key Generation: 188 * 189 * SSK = HMAC(HUK, message) 190 * message := concatenate(chip_id, static string) 191 * */ 192 tee_otp_get_hw_unique_key(&huk); 193 tee_otp_get_die_id(chip_id, sizeof(chip_id)); 194 195 memcpy(message, chip_id, sizeof(chip_id)); 196 memcpy(message + sizeof(chip_id), string_for_ssk_gen, 197 sizeof(string_for_ssk_gen)); 198 199 res = generate_ssk(tee_fs_ssk.key, sizeof(tee_fs_ssk.key), 200 huk.data, sizeof(huk.data), 201 message, sizeof(message)); 202 203 if (res == TEE_SUCCESS) 204 tee_fs_ssk.is_init = 1; 205 206 return res; 207 } 208 209 static TEE_Result do_auth_enc(TEE_OperationMode mode, 210 struct km_header *hdr, 211 uint8_t *fek, int fek_len, 212 const uint8_t *data_in, size_t in_size, 213 uint8_t *data_out, size_t *out_size) 214 { 215 TEE_Result res = TEE_SUCCESS; 216 uint8_t *ctx = NULL; 217 size_t ctx_size; 218 size_t tag_len = TEE_FS_KM_MAX_TAG_LEN; 219 220 if ((mode != TEE_MODE_ENCRYPT) && (mode != TEE_MODE_DECRYPT)) 221 return TEE_ERROR_BAD_PARAMETERS; 222 223 if (*out_size < in_size) { 224 EMSG("output buffer(%zd) < input buffer(%zd)", 225 *out_size, in_size); 226 return TEE_ERROR_SHORT_BUFFER; 227 } 228 229 res = crypto_ops.authenc.get_ctx_size(TEE_FS_KM_AUTH_ENC_ALG, 230 &ctx_size); 231 if (res != TEE_SUCCESS) 232 return res; 233 234 ctx = malloc(ctx_size); 235 if (!ctx) { 236 EMSG("request memory size %zu failed", ctx_size); 237 return TEE_ERROR_OUT_OF_MEMORY; 238 } 239 240 res = crypto_ops.authenc.init(ctx, TEE_FS_KM_AUTH_ENC_ALG, 241 mode, fek, fek_len, hdr->aad.iv, 242 TEE_FS_KM_IV_LEN, TEE_FS_KM_MAX_TAG_LEN, 243 sizeof(struct aad), in_size); 244 if (res != TEE_SUCCESS) 245 goto exit; 246 247 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 248 mode, (uint8_t *)hdr->aad.encrypted_key, 249 TEE_FS_KM_FEK_SIZE); 250 if (res != TEE_SUCCESS) 251 goto exit; 252 253 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 254 mode, (uint8_t *)hdr->aad.iv, 255 TEE_FS_KM_IV_LEN); 256 if (res != TEE_SUCCESS) 257 goto exit; 258 259 if (mode == TEE_MODE_ENCRYPT) { 260 res = crypto_ops.authenc.enc_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 261 data_in, in_size, data_out, out_size, 262 hdr->tag, &tag_len); 263 } else { 264 res = crypto_ops.authenc.dec_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 265 data_in, in_size, data_out, out_size, 266 hdr->tag, tag_len); 267 } 268 269 if (res != TEE_SUCCESS) 270 goto exit; 271 272 crypto_ops.authenc.final(ctx, TEE_FS_KM_AUTH_ENC_ALG); 273 274 exit: 275 free(ctx); 276 return res; 277 } 278 279 size_t tee_fs_get_header_size(enum tee_fs_file_type type) 280 { 281 size_t header_size = 0; 282 283 switch (type) { 284 case META_FILE: 285 header_size = sizeof(struct meta_header); 286 break; 287 case BLOCK_FILE: 288 header_size = sizeof(struct block_header); 289 break; 290 default: 291 EMSG("Unknown file type, type=%d", type); 292 TEE_ASSERT(0); 293 } 294 295 return header_size; 296 } 297 298 TEE_Result tee_fs_generate_fek(uint8_t *buf, int buf_size) 299 { 300 TEE_Result res; 301 302 if (buf_size != TEE_FS_KM_FEK_SIZE) 303 return TEE_ERROR_SHORT_BUFFER; 304 305 res = generate_fek(buf, TEE_FS_KM_FEK_SIZE); 306 if (res != TEE_SUCCESS) 307 return res; 308 309 return fek_crypt(TEE_MODE_ENCRYPT, buf, 310 TEE_FS_KM_FEK_SIZE); 311 } 312 313 TEE_Result tee_fs_encrypt_file(enum tee_fs_file_type file_type, 314 const uint8_t *data_in, size_t data_in_size, 315 uint8_t *data_out, size_t *data_out_size, 316 const uint8_t *encrypted_fek) 317 { 318 TEE_Result res = TEE_SUCCESS; 319 struct km_header hdr; 320 uint8_t iv[TEE_FS_KM_IV_LEN]; 321 uint8_t tag[TEE_FS_KM_MAX_TAG_LEN]; 322 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 323 uint8_t *ciphertext; 324 size_t cipher_size; 325 size_t header_size = tee_fs_get_header_size(file_type); 326 327 /* 328 * Meta File Format: |Header|Chipertext| 329 * Header Format: |AAD|Tag| 330 * AAD Format: |Encrypted_FEK|IV| 331 * 332 * Block File Format: |Header|Ciphertext| 333 * Header Format: |IV|Tag| 334 * 335 * FEK = AES_DECRYPT(SSK, Encrypted_FEK) 336 * Chipertext = AES_GCM_ENCRYPT(FEK, IV, Meta_Info, AAD) 337 */ 338 339 if (*data_out_size != (header_size + data_in_size)) 340 return TEE_ERROR_SHORT_BUFFER; 341 342 res = generate_iv(iv, TEE_FS_KM_IV_LEN); 343 if (res != TEE_SUCCESS) 344 goto fail; 345 346 memcpy(fek, encrypted_fek, TEE_FS_KM_FEK_SIZE); 347 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 348 if (res != TEE_SUCCESS) 349 goto fail; 350 351 ciphertext = data_out + header_size; 352 cipher_size = data_in_size; 353 354 hdr.aad.iv = iv; 355 hdr.aad.encrypted_key = encrypted_fek; 356 hdr.tag = tag; 357 358 res = do_auth_enc(TEE_MODE_ENCRYPT, &hdr, 359 fek, TEE_FS_KM_FEK_SIZE, 360 data_in, data_in_size, 361 ciphertext, &cipher_size); 362 363 if (res == TEE_SUCCESS) { 364 if (file_type == META_FILE) { 365 memcpy(data_out, encrypted_fek, TEE_FS_KM_FEK_SIZE); 366 data_out += TEE_FS_KM_FEK_SIZE; 367 } 368 369 memcpy(data_out, iv, TEE_FS_KM_IV_LEN); 370 data_out += TEE_FS_KM_IV_LEN; 371 memcpy(data_out, tag, TEE_FS_KM_MAX_TAG_LEN); 372 373 *data_out_size = header_size + cipher_size; 374 } 375 376 fail: 377 return res; 378 } 379 380 TEE_Result tee_fs_decrypt_file(enum tee_fs_file_type file_type, 381 const uint8_t *data_in, size_t data_in_size, 382 uint8_t *plaintext, size_t *plaintext_size, 383 uint8_t *encrypted_fek) 384 { 385 TEE_Result res = TEE_SUCCESS; 386 struct km_header km_hdr; 387 size_t file_hdr_size = tee_fs_get_header_size(file_type); 388 const uint8_t *cipher = data_in + file_hdr_size; 389 int cipher_size = data_in_size - file_hdr_size; 390 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 391 392 if (file_type == META_FILE) { 393 struct meta_header *hdr = (struct meta_header *)data_in; 394 395 km_hdr.aad.encrypted_key = hdr->encrypted_key; 396 km_hdr.aad.iv = hdr->common.iv; 397 km_hdr.tag = hdr->common.tag; 398 399 /* return encrypted FEK to tee_fs which is used for block 400 * encryption/decryption */ 401 memcpy(encrypted_fek, hdr->encrypted_key, TEE_FS_KM_FEK_SIZE); 402 } else { 403 struct block_header *hdr = (struct block_header *)data_in; 404 405 km_hdr.aad.encrypted_key = encrypted_fek; 406 km_hdr.aad.iv = hdr->common.iv; 407 km_hdr.tag = hdr->common.tag; 408 } 409 410 memcpy(fek, km_hdr.aad.encrypted_key, TEE_FS_KM_FEK_SIZE); 411 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 412 if (res != TEE_SUCCESS) { 413 EMSG("Failed to decrypt FEK, res=0x%x", res); 414 return res; 415 } 416 417 return do_auth_enc(TEE_MODE_DECRYPT, &km_hdr, fek, TEE_FS_KM_FEK_SIZE, 418 cipher, cipher_size, plaintext, plaintext_size); 419 } 420 421 service_init(tee_fs_init_key_manager); 422 423