/* * Copyright (C) 2012 The Android Open Source Project * * Licensed under the Apache License, Version 2.0 (the "License"); you * may not use this file except in compliance with the License. You may * obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or * implied. See the License for the specific language governing * permissions and limitations under the License. */ #ifndef ANDROID_HARDWARE_QCOM_KEYMASTER_H #define ANDROID_HARDWARE_QCOM_KEYMASTER_H #include <stdint.h> #include <sys/cdefs.h> #include <sys/types.h> __BEGIN_DECLS #ifdef _ION_HEAP_MASK_COMPATIBILITY_WA #define ION_HEAP_MASK heap_mask #else #define ION_HEAP_MASK heap_id_mask #endif /** * The id of this module */ #define QCOM_KEYSTORE_KEYMASTER "qcom_keymaster" /** * Operation result */ #define KEYMATER_SUCCESS 0 #define KEYMASTER_FAILURE -1 /** * The API level of this version of the header. The allows the implementing * module to recognize which API level of the client it is dealing with in * the case of pre-compiled binary clients. */ #define QCOM_KEYMASTER_API_VERSION KEYMASTER_MODULE_API_VERSION_0_3 #define KM_MAGIC_NUM (0x4B4D4B42) /* "KMKB" Key Master Key Blob in hex */ #define KM_KEY_SIZE_MAX (512) /* 4096 bits */ #define KM_IV_LENGTH (16) /* AES128 CBC IV */ #define KM_HMAC_LENGTH (32) /* SHA2 will be used for HMAC */ struct qcom_km_key_blob { uint32_t magic_num; uint32_t version_num; uint8_t modulus[KM_KEY_SIZE_MAX]; uint32_t modulus_size; uint8_t public_exponent[KM_KEY_SIZE_MAX]; uint32_t public_exponent_size; uint8_t iv[KM_IV_LENGTH]; uint8_t encrypted_private_exponent[KM_KEY_SIZE_MAX]; uint32_t encrypted_private_exponent_size; uint8_t hmac[KM_HMAC_LENGTH]; }; typedef struct qcom_km_key_blob qcom_km_key_blob_t; /** * Commands supported */ enum keymaster_cmd_t { /* * List the commands supportedin by the hardware. */ KEYMASTER_GENERATE_KEYPAIR = 0x00000001, KEYMASTER_IMPORT_KEYPAIR = 0x00000002, KEYMASTER_SIGN_DATA = 0x00000003, KEYMASTER_VERIFY_DATA = 0x00000004, }; /** * Command to Generate a public and private key. The key data returned * (by secure app) is in shared buffer at offset of "key_blob" and is opaque * * cmd_id : Command issue to secure app * key_type : Currently on RSA_TYPE is supported * rsa_params : Parameters needed to generate an RSA key */ struct keymaster_gen_keypair_cmd { keymaster_cmd_t cmd_id; keymaster_keypair_t key_type; keymaster_rsa_keygen_params_t rsa_params; }; typedef struct keymaster_gen_keypair_cmd keymaster_gen_keypair_cmd_t; /** * Response to Generate a public and private key. The key data returned * (by secure app) is in shared buffer at offset of "key_blob" and is opaque * * cmd_id : Command issue to secure app * key_blob : key blob data * key_blob_len : Total length of key blob information * status : Result (success 0, or failure -1) */ struct keymaster_gen_keypair_resp { keymaster_cmd_t cmd_id; qcom_km_key_blob_t key_blob; size_t key_blob_len; int32_t status; }; typedef struct keymaster_gen_keypair_resp keymaster_gen_keypair_resp_t; /** * Command to import a public and private key pair. The imported keys * will be in PKCS#8 format with DER encoding (Java standard). The key * data returned (by secure app) is in shared buffer at offset of * "key_blob" and is opaque * * cmd_id : Command issue to secure app * pkcs8_key : Pointer to pkcs8 formatted key information * pkcs8_key_len: PKCS8 formatted key length */ struct keymaster_import_keypair_cmd { keymaster_cmd_t cmd_id; uint32_t pkcs8_key; size_t pkcs8_key_len; }; typedef struct keymaster_import_keypair_cmd keymaster_import_keypair_cmd_t; /** * Response to import a public and private key. The key data returned * (by secure app) is in shared buffer at offset of "key_blob" and is opaque * * cmd_id : Command issue to secure app * key_blob : key blob data * key_blob_len : Total length of key blob information * status : Result (success 0, or failure -1) */ struct keymaster_import_keypair_resp { keymaster_cmd_t cmd_id; qcom_km_key_blob_t key_blob; size_t key_blob_len; int32_t status; }; typedef struct keymaster_import_keypair_resp keymaster_import_keypair_resp_t; /** * Command to sign data using a key info generated before. This can use either * an asymmetric key or a secret key. * The signed data is returned (by secure app) at offset of data + dlen. * * cmd_id : Command issue to secure app * sign_param : * key_blob : Key data information (in shared buffer) * data : Pointer to plain data buffer * dlen : Plain data length */ struct keymaster_sign_data_cmd { keymaster_cmd_t cmd_id; keymaster_rsa_sign_params_t sign_param; qcom_km_key_blob_t key_blob; uint32_t data; size_t dlen; }; typedef struct keymaster_sign_data_cmd keymaster_sign_data_cmd_t; /** * Response to sign data response * * cmd_id : Command issue to secure app * signed_data : signature * sig_len : Signed data length * status : Result (success 0, or failure -1) */ struct keymaster_sign_data_resp { keymaster_cmd_t cmd_id; uint8_t signed_data[KM_KEY_SIZE_MAX]; size_t sig_len; int32_t status; }; typedef struct keymaster_sign_data_resp keymaster_sign_data_resp_t; /** * Command to verify data using a key info generated before. This can use either * an asymmetric key or a secret key. * * cmd_id : Command issue to secure app * sign_param : * key_blob : Key data information (in shared buffer) * key_blob_len: Total key length * signed_data : Pointer to signed data buffer * signed_dlen : Signed data length * signature : Offset to the signature data buffer (from signed data buffer) * slen : Signature data length */ struct keymaster_verify_data_cmd { keymaster_cmd_t cmd_id; keymaster_rsa_sign_params_t sign_param; qcom_km_key_blob_t key_blob; uint32_t signed_data; size_t signed_dlen; uint32_t signature; size_t slen; }; typedef struct keymaster_verify_data_cmd keymaster_verify_data_cmd_t; /** * Response to verify data * * cmd_id : Command issue to secure app * status : Result (success 0, or failure -1) */ struct keymaster_verify_data_resp { keymaster_cmd_t cmd_id; int32_t status; }; typedef struct keymaster_verify_data_resp keymaster_verify_data_resp_t; __END_DECLS #endif // ANDROID_HARDWARE_QCOM_KEYMASTER_H