cryptfs_hw: Tie HW FDE keys with keymaster

HW FDE keys would be tied to keymaster so that if someone changes Root of Trust (ROT), encrypted data can't be used. Cryptfs_hw module is exposing a new API so that caller can determine whether to create dependency between HW FDE keys and keymaster. Change-Id: I85c85ffd9086f6c060032e4ae701b10363d88529
2015-09-02 13:45:15 -07:00 · 2015-09-02 13:45:15 -07:00 · 8ec7a6597d
parent a37dc2d875
commit 8ec7a6597d
3 changed files with 42 additions and 1 deletions
--- a/cryptfs_hw/Android.mk
+++ b/cryptfs_hw/Android.mk
@ -8,7 +8,10 @@ sourceFiles := \
 commonSharedLibraries := \
                        libcutils \
                        libutils \
-                        libdl
+                        libdl \
+                        libhardware
+commonIncludes := \
+                  hardware/libhardware/include/hardware/

 LOCAL_C_INCLUDES := $(commonIncludes)
 LOCAL_SRC_FILES := $(sourceFiles)
--- a/cryptfs_hw/cryptfs_hw.c
+++ b/cryptfs_hw/cryptfs_hw.c
@ -38,6 +38,8 @@
 #include "cutils/log.h"
 #include "cutils/properties.h"
 #include "cutils/android_reboot.h"
+#include "keymaster_common.h"
+#include "hardware.h"

 #if defined(__LP64__)
 #define QSEECOM_LIBRARY_PATH "/vendor/lib64/libQSEEComAPI.so"
@ -63,6 +65,8 @@
 #define SET_HW_DISK_ENC_KEY 1
 #define UPDATE_HW_DISK_ENC_KEY 2

+#define KEYMASTER_PARTITION_NAME "/dev/block/bootdevice/by-name/keymaster"
+
 static int loaded_library = 0;
 static int (*qseecom_create_key)(int, void*);
 static int (*qseecom_update_key)(int, void*, void*);
@ -228,3 +232,36 @@ int clear_hw_device_encryption_key()

    return 0;
 }
+
+static int get_keymaster_version()
+{
+    int rc = -1;
+    const hw_module_t* mod;
+    rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
+    if (rc) {
+        SLOGE("could not find any keystore module");
+        return rc;
+    }
+
+    return mod->module_api_version;
+}
+
+int should_use_keymaster()
+{
+    /* HW FDE key would be tied to keymaster only if:
+     * New Keymaster is available
+     * keymaster partition exists on the device
+     */
+    int rc = 0;
+    if (get_keymaster_version() != KEYMASTER_MODULE_API_VERSION_1_0) {
+        SLOGI("Keymaster version is not 1.0");
+        return rc;
+    }
+
+    if (access(KEYMASTER_PARTITION_NAME, F_OK) == -1) {
+        SLOGI("Keymaster partition does not exists");
+        return rc;
+    }
+
+    return 1;
+}
--- a/cryptfs_hw/cryptfs_hw.h
+++ b/cryptfs_hw/cryptfs_hw.h
@ -38,6 +38,7 @@ int update_hw_device_encryption_key(const char*, const char*, const char*);
 int clear_hw_device_encryption_key();
 unsigned int is_hw_disk_encryption(const char*);
 int is_ice_enabled(void);
+int should_use_keymaster();

 #ifdef __cplusplus
 }