1 /* 2 * Copyright (c) 2015, Linaro Limited 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions are met: 7 * 8 * 1. Redistributions of source code must retain the above copyright notice, 9 * this list of conditions and the following disclaimer. 10 * 11 * 2. Redistributions in binary form must reproduce the above copyright notice, 12 * this list of conditions and the following disclaimer in the documentation 13 * and/or other materials provided with the distribution. 14 * 15 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 16 * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 17 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 18 * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE 19 * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 20 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 21 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 22 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 23 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 24 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 25 * POSSIBILITY OF SUCH DAMAGE. 26 */ 27 28 29 /* Acronyms: 30 * 31 * FEK - File Encryption Key 32 * SST - Secure Storage 33 * SSK - Secure Storage Key 34 * IV - Initial vector 35 * HUK - Hardware Unique Key 36 * RNG - Random Number Generator 37 * 38 * */ 39 40 #include <initcall.h> 41 #include <stdlib.h> 42 #include <string.h> 43 #include <kernel/tee_common_otp.h> 44 #include <kernel/tee_common_unpg.h> 45 #include <tee/tee_cryp_utl.h> 46 #include <tee/tee_cryp_provider.h> 47 #include <tee/tee_fs_key_manager.h> 48 #include <compiler.h> 49 #include <trace.h> 50 #include <util.h> 51 52 struct tee_fs_ssk { 53 bool is_init; 54 uint8_t key[TEE_FS_KM_SSK_SIZE]; 55 }; 56 57 struct aad { 58 const uint8_t *encrypted_key; 59 const uint8_t *iv; 60 }; 61 62 struct km_header { 63 struct aad aad; 64 uint8_t *tag; 65 }; 66 67 static struct tee_fs_ssk tee_fs_ssk; 68 static uint8_t string_for_ssk_gen[] = "ONLY_FOR_tee_fs_ssk"; 69 70 71 static TEE_Result fek_crypt(TEE_OperationMode mode, 72 uint8_t *key, int size) 73 { 74 TEE_Result res; 75 uint8_t *ctx = NULL; 76 size_t ctx_size; 77 uint8_t dst_key[TEE_FS_KM_FEK_SIZE]; 78 79 if (!key) 80 return TEE_ERROR_BAD_PARAMETERS; 81 82 if (size != TEE_FS_KM_FEK_SIZE) 83 return TEE_ERROR_BAD_PARAMETERS; 84 85 if (tee_fs_ssk.is_init == 0) 86 return TEE_ERROR_GENERIC; 87 88 res = crypto_ops.cipher.get_ctx_size(TEE_FS_KM_ENC_FEK_ALG, &ctx_size); 89 if (res != TEE_SUCCESS) 90 return res; 91 92 ctx = malloc(ctx_size); 93 if (!ctx) 94 return TEE_ERROR_OUT_OF_MEMORY; 95 96 res = crypto_ops.cipher.init(ctx, TEE_FS_KM_ENC_FEK_ALG, 97 mode, tee_fs_ssk.key, TEE_FS_KM_SSK_SIZE, 98 NULL, 0, NULL, 0); 99 if (res != TEE_SUCCESS) 100 goto exit; 101 102 res = crypto_ops.cipher.update(ctx, TEE_FS_KM_ENC_FEK_ALG, 103 mode, true, key, size, dst_key); 104 if (res != TEE_SUCCESS) 105 goto exit; 106 107 crypto_ops.cipher.final(ctx, TEE_FS_KM_ENC_FEK_ALG); 108 109 memcpy(key, dst_key, sizeof(dst_key)); 110 111 exit: 112 free(ctx); 113 114 return res; 115 } 116 117 static TEE_Result generate_fek(uint8_t *key, uint8_t len) 118 { 119 return crypto_ops.prng.read(key, len); 120 } 121 122 static TEE_Result generate_iv(uint8_t *iv, uint8_t len) 123 { 124 return crypto_ops.prng.read(iv, len); 125 } 126 127 static TEE_Result generate_ssk(uint8_t *ssk, uint32_t ssk_size, 128 uint8_t *huk, uint32_t huk_size, 129 uint8_t *message, uint32_t message_size) 130 { 131 TEE_Result res = TEE_ERROR_GENERIC; 132 uint8_t *ctx = NULL; 133 size_t hash_ctx_size = 0; 134 135 if (!ssk || !huk || !message) 136 return TEE_ERROR_BAD_PARAMETERS; 137 138 res = crypto_ops.mac.get_ctx_size(TEE_FS_KM_HMAC_ALG, &hash_ctx_size); 139 if (res != TEE_SUCCESS) 140 return res; 141 142 ctx = malloc(hash_ctx_size); 143 if (!ctx) 144 return TEE_ERROR_OUT_OF_MEMORY; 145 146 res = crypto_ops.mac.init(ctx, TEE_FS_KM_HMAC_ALG, huk, huk_size); 147 if (res != TEE_SUCCESS) 148 goto exit; 149 150 res = crypto_ops.mac.update(ctx, TEE_FS_KM_HMAC_ALG, 151 message, message_size); 152 if (res != TEE_SUCCESS) 153 goto exit; 154 155 res = crypto_ops.mac.final(ctx, TEE_FS_KM_HMAC_ALG, ssk, ssk_size); 156 if (res != TEE_SUCCESS) 157 goto exit; 158 159 res = TEE_SUCCESS; 160 161 exit: 162 free(ctx); 163 return res; 164 } 165 166 static TEE_Result tee_fs_init_key_manager(void) 167 { 168 int res = TEE_SUCCESS; 169 struct tee_hw_unique_key huk; 170 uint8_t chip_id[TEE_FS_KM_CHIP_ID_LENGTH]; 171 uint8_t message[sizeof(chip_id) + sizeof(string_for_ssk_gen)]; 172 173 /* Secure Storage Key Generation: 174 * 175 * SSK = HMAC(HUK, message) 176 * message := concatenate(chip_id, static string) 177 * */ 178 tee_otp_get_hw_unique_key(&huk); 179 tee_otp_get_die_id(chip_id, sizeof(chip_id)); 180 181 memcpy(message, chip_id, sizeof(chip_id)); 182 memcpy(message + sizeof(chip_id), string_for_ssk_gen, 183 sizeof(string_for_ssk_gen)); 184 185 res = generate_ssk(tee_fs_ssk.key, sizeof(tee_fs_ssk.key), 186 huk.data, sizeof(huk.data), 187 message, sizeof(message)); 188 189 if (res == TEE_SUCCESS) 190 tee_fs_ssk.is_init = 1; 191 192 return res; 193 } 194 195 static TEE_Result do_auth_enc(TEE_OperationMode mode, 196 struct km_header *hdr, 197 uint8_t *fek, int fek_len, 198 const uint8_t *data_in, size_t in_size, 199 uint8_t *data_out, size_t *out_size) 200 { 201 TEE_Result res = TEE_SUCCESS; 202 uint8_t *ctx = NULL; 203 size_t ctx_size; 204 size_t tag_len = TEE_FS_KM_MAX_TAG_LEN; 205 206 if ((mode != TEE_MODE_ENCRYPT) && (mode != TEE_MODE_DECRYPT)) 207 return TEE_ERROR_BAD_PARAMETERS; 208 209 if (*out_size < in_size) { 210 EMSG("output buffer(%zd) < input buffer(%zd)", 211 *out_size, in_size); 212 return TEE_ERROR_SHORT_BUFFER; 213 } 214 215 res = crypto_ops.authenc.get_ctx_size(TEE_FS_KM_AUTH_ENC_ALG, 216 &ctx_size); 217 if (res != TEE_SUCCESS) 218 return res; 219 220 ctx = malloc(ctx_size); 221 if (!ctx) { 222 EMSG("request memory size %zu failed", ctx_size); 223 return TEE_ERROR_OUT_OF_MEMORY; 224 } 225 226 res = crypto_ops.authenc.init(ctx, TEE_FS_KM_AUTH_ENC_ALG, 227 mode, fek, fek_len, hdr->aad.iv, 228 TEE_FS_KM_IV_LEN, TEE_FS_KM_MAX_TAG_LEN, 229 sizeof(struct aad), in_size); 230 if (res != TEE_SUCCESS) 231 goto exit; 232 233 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 234 mode, (uint8_t *)hdr->aad.encrypted_key, 235 TEE_FS_KM_FEK_SIZE); 236 if (res != TEE_SUCCESS) 237 goto exit; 238 239 res = crypto_ops.authenc.update_aad(ctx, TEE_FS_KM_AUTH_ENC_ALG, 240 mode, (uint8_t *)hdr->aad.iv, 241 TEE_FS_KM_IV_LEN); 242 if (res != TEE_SUCCESS) 243 goto exit; 244 245 if (mode == TEE_MODE_ENCRYPT) { 246 res = crypto_ops.authenc.enc_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 247 data_in, in_size, data_out, out_size, 248 hdr->tag, &tag_len); 249 } else { 250 res = crypto_ops.authenc.dec_final(ctx, TEE_FS_KM_AUTH_ENC_ALG, 251 data_in, in_size, data_out, out_size, 252 hdr->tag, tag_len); 253 } 254 255 if (res != TEE_SUCCESS) 256 goto exit; 257 258 crypto_ops.authenc.final(ctx, TEE_FS_KM_AUTH_ENC_ALG); 259 260 exit: 261 free(ctx); 262 return res; 263 } 264 265 size_t tee_fs_get_header_size(enum tee_fs_file_type type) 266 { 267 size_t header_size = 0; 268 269 switch (type) { 270 case META_FILE: 271 header_size = sizeof(struct meta_header); 272 break; 273 case BLOCK_FILE: 274 header_size = sizeof(struct block_header); 275 break; 276 default: 277 EMSG("Unknown file type, type=%d", type); 278 TEE_ASSERT(0); 279 } 280 281 return header_size; 282 } 283 284 TEE_Result tee_fs_generate_fek(uint8_t *buf, int buf_size) 285 { 286 TEE_Result res; 287 288 if (buf_size != TEE_FS_KM_FEK_SIZE) 289 return TEE_ERROR_SHORT_BUFFER; 290 291 res = generate_fek(buf, TEE_FS_KM_FEK_SIZE); 292 if (res != TEE_SUCCESS) 293 return res; 294 295 return fek_crypt(TEE_MODE_ENCRYPT, buf, 296 TEE_FS_KM_FEK_SIZE); 297 } 298 299 TEE_Result tee_fs_encrypt_file(enum tee_fs_file_type file_type, 300 const uint8_t *data_in, size_t data_in_size, 301 uint8_t *data_out, size_t *data_out_size, 302 const uint8_t *encrypted_fek) 303 { 304 TEE_Result res = TEE_SUCCESS; 305 struct km_header hdr; 306 uint8_t iv[TEE_FS_KM_IV_LEN]; 307 uint8_t tag[TEE_FS_KM_MAX_TAG_LEN]; 308 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 309 uint8_t *ciphertext; 310 size_t cipher_size; 311 size_t header_size = tee_fs_get_header_size(file_type); 312 313 /* 314 * Meta File Format: |Header|Chipertext| 315 * Header Format: |AAD|Tag| 316 * AAD Format: |Encrypted_FEK|IV| 317 * 318 * Block File Format: |Header|Ciphertext| 319 * Header Format: |IV|Tag| 320 * 321 * FEK = AES_DECRYPT(SSK, Encrypted_FEK) 322 * Chipertext = AES_GCM_ENCRYPT(FEK, IV, Meta_Info, AAD) 323 */ 324 325 if (*data_out_size != (header_size + data_in_size)) 326 return TEE_ERROR_SHORT_BUFFER; 327 328 res = generate_iv(iv, TEE_FS_KM_IV_LEN); 329 if (res != TEE_SUCCESS) 330 goto fail; 331 332 memcpy(fek, encrypted_fek, TEE_FS_KM_FEK_SIZE); 333 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 334 if (res != TEE_SUCCESS) 335 goto fail; 336 337 ciphertext = data_out + header_size; 338 cipher_size = data_in_size; 339 340 hdr.aad.iv = iv; 341 hdr.aad.encrypted_key = encrypted_fek; 342 hdr.tag = tag; 343 344 res = do_auth_enc(TEE_MODE_ENCRYPT, &hdr, 345 fek, TEE_FS_KM_FEK_SIZE, 346 data_in, data_in_size, 347 ciphertext, &cipher_size); 348 349 if (res == TEE_SUCCESS) { 350 if (file_type == META_FILE) { 351 memcpy(data_out, encrypted_fek, TEE_FS_KM_FEK_SIZE); 352 data_out += TEE_FS_KM_FEK_SIZE; 353 } 354 355 memcpy(data_out, iv, TEE_FS_KM_IV_LEN); 356 data_out += TEE_FS_KM_IV_LEN; 357 memcpy(data_out, tag, TEE_FS_KM_MAX_TAG_LEN); 358 359 *data_out_size = header_size + cipher_size; 360 } 361 362 fail: 363 return res; 364 } 365 366 TEE_Result tee_fs_decrypt_file(enum tee_fs_file_type file_type, 367 const uint8_t *data_in, size_t data_in_size, 368 uint8_t *plaintext, size_t *plaintext_size, 369 uint8_t *encrypted_fek) 370 { 371 TEE_Result res = TEE_SUCCESS; 372 struct km_header km_hdr; 373 size_t file_hdr_size = tee_fs_get_header_size(file_type); 374 const uint8_t *cipher = data_in + file_hdr_size; 375 int cipher_size = data_in_size - file_hdr_size; 376 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 377 378 if (file_type == META_FILE) { 379 struct meta_header *hdr = (struct meta_header *)data_in; 380 381 km_hdr.aad.encrypted_key = hdr->encrypted_key; 382 km_hdr.aad.iv = hdr->common.iv; 383 km_hdr.tag = hdr->common.tag; 384 385 /* return encrypted FEK to tee_fs which is used for block 386 * encryption/decryption */ 387 memcpy(encrypted_fek, hdr->encrypted_key, TEE_FS_KM_FEK_SIZE); 388 } else { 389 struct block_header *hdr = (struct block_header *)data_in; 390 391 km_hdr.aad.encrypted_key = encrypted_fek; 392 km_hdr.aad.iv = hdr->common.iv; 393 km_hdr.tag = hdr->common.tag; 394 } 395 396 memcpy(fek, km_hdr.aad.encrypted_key, TEE_FS_KM_FEK_SIZE); 397 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 398 if (res != TEE_SUCCESS) { 399 EMSG("Failed to decrypt FEK, res=0x%x", res); 400 return res; 401 } 402 403 return do_auth_enc(TEE_MODE_DECRYPT, &km_hdr, fek, TEE_FS_KM_FEK_SIZE, 404 cipher, cipher_size, plaintext, plaintext_size); 405 } 406 407 static TEE_Result sha256(uint8_t *out, size_t out_size, const uint8_t *in, 408 size_t in_size) 409 { 410 TEE_Result res; 411 uint8_t *ctx = NULL; 412 size_t ctx_size; 413 uint32_t algo = TEE_ALG_SHA256; 414 415 res = crypto_ops.hash.get_ctx_size(algo, &ctx_size); 416 if (res != TEE_SUCCESS) 417 return res; 418 419 ctx = malloc(ctx_size); 420 if (!ctx) 421 return TEE_ERROR_OUT_OF_MEMORY; 422 423 res = crypto_ops.hash.init(ctx, algo); 424 if (res != TEE_SUCCESS) 425 goto out; 426 427 res = crypto_ops.hash.update(ctx, algo, in, in_size); 428 if (res != TEE_SUCCESS) 429 goto out; 430 431 res = crypto_ops.hash.final(ctx, algo, out, out_size); 432 433 out: 434 free(ctx); 435 return res; 436 } 437 438 static TEE_Result aes_ecb(uint8_t out[TEE_AES_BLOCK_SIZE], 439 const uint8_t in[TEE_AES_BLOCK_SIZE], 440 const uint8_t *key, size_t key_size) 441 { 442 TEE_Result res; 443 uint8_t *ctx = NULL; 444 size_t ctx_size; 445 uint32_t algo = TEE_ALG_AES_ECB_NOPAD; 446 447 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 448 if (res != TEE_SUCCESS) 449 return res; 450 451 ctx = malloc(ctx_size); 452 if (!ctx) 453 return TEE_ERROR_OUT_OF_MEMORY; 454 455 res = crypto_ops.cipher.init(ctx, algo, TEE_MODE_ENCRYPT, key, 456 key_size, NULL, 0, NULL, 0); 457 if (res != TEE_SUCCESS) 458 goto out; 459 460 res = crypto_ops.cipher.update(ctx, algo, TEE_MODE_ENCRYPT, true, in, 461 TEE_AES_BLOCK_SIZE, out); 462 if (res != TEE_SUCCESS) 463 goto out; 464 465 crypto_ops.cipher.final(ctx, algo); 466 res = TEE_SUCCESS; 467 468 out: 469 free(ctx); 470 return res; 471 } 472 473 static TEE_Result essiv(uint8_t iv[TEE_AES_BLOCK_SIZE], 474 const uint8_t fek[TEE_FS_KM_FEK_SIZE], 475 uint16_t blk_idx) 476 { 477 TEE_Result res; 478 uint8_t sha[TEE_SHA256_HASH_SIZE]; 479 uint8_t pad_blkid[TEE_AES_BLOCK_SIZE] = { 0, }; 480 481 res = sha256(sha, sizeof(sha), fek, TEE_FS_KM_FEK_SIZE); 482 if (res != TEE_SUCCESS) 483 return res; 484 485 pad_blkid[0] = (blk_idx & 0xFF); 486 pad_blkid[1] = (blk_idx & 0xFF00) >> 8; 487 488 return aes_ecb(iv, pad_blkid, sha, 16); 489 } 490 491 /* 492 * Encryption/decryption of RPMB FS file data. This is AES CBC with ESSIV. 493 */ 494 TEE_Result tee_fs_crypt_block(uint8_t *out, const uint8_t *in, size_t size, 495 uint16_t blk_idx, const uint8_t *encrypted_fek, 496 TEE_OperationMode mode) 497 { 498 TEE_Result res; 499 uint8_t fek[TEE_FS_KM_FEK_SIZE]; 500 uint8_t iv[TEE_AES_BLOCK_SIZE]; 501 uint8_t *ctx; 502 size_t ctx_size; 503 uint32_t algo = TEE_ALG_AES_CBC_NOPAD; 504 505 DMSG("%scrypt block #%u", (mode == TEE_MODE_ENCRYPT) ? "En" : "De", 506 blk_idx); 507 508 /* Decrypt FEK */ 509 memcpy(fek, encrypted_fek, TEE_FS_KM_FEK_SIZE); 510 res = fek_crypt(TEE_MODE_DECRYPT, fek, TEE_FS_KM_FEK_SIZE); 511 if (res != TEE_SUCCESS) 512 return res; 513 514 /* Compute initialization vector for this block */ 515 res = essiv(iv, fek, blk_idx); 516 517 /* Run AES CBC */ 518 res = crypto_ops.cipher.get_ctx_size(algo, &ctx_size); 519 if (res != TEE_SUCCESS) 520 return res; 521 ctx = malloc(ctx_size); 522 if (!ctx) 523 return TEE_ERROR_OUT_OF_MEMORY; 524 525 res = crypto_ops.cipher.init(ctx, algo, mode, fek, sizeof(fek), NULL, 526 0, iv, TEE_AES_BLOCK_SIZE); 527 if (res != TEE_SUCCESS) 528 goto exit; 529 res = crypto_ops.cipher.update(ctx, algo, mode, true, in, size, out); 530 if (res != TEE_SUCCESS) 531 goto exit; 532 533 crypto_ops.cipher.final(ctx, algo); 534 535 exit: 536 free(ctx); 537 return res; 538 } 539 540 service_init(tee_fs_init_key_manager); 541 542