1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
|
/*
* Copyright (c) 2015 - 2019 Samsung Electronics Co., Ltd All Rights Reserved
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License
*/
/*
* @file decider.cpp
* @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
* @author Lukasz Kostyra (l.kostyra@samsung.com)
* @version 1.0
*/
#include <dpl/log/log.h>
#include <crypto-backend.h>
#include <platform/decider.h>
#include <generic-backend/exception.h>
#include <sw-backend/store.h>
#ifdef TZ_BACKEND_ENABLED
#include <tz-backend/store.h>
#include <tz-backend/tz-context.h>
#include <tee_client_api.h>
#include <km_ta_defines.h>
#endif // TZ_BACKEND_ENABLED
#include <sstream>
#include <fstream>
#include <iomanip>
namespace CKM {
namespace Crypto {
namespace {
template <typename T>
std::string ValueToString(const T& value)
{
std::stringstream str;
// we need to re-cast because otherwise stringstream
// will write our value incorrectly
str << std::setfill('0') << std::setw(2 * sizeof(T)) << std::hex
<< static_cast<uint64_t>(value);
return str.str();
}
CryptoBackend chooseCryptoBackend(const DataParams& params)
{
#ifdef TZ_BACKEND_ENABLED
if (params.size() != 1 && params.size() != 2) {
ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider");
}
// user directly point proper backend - we will not discuss with it
if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
return CryptoBackend::OpenSSL;
// user directly point proper backend - we will not discuss with it
if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
return CryptoBackend::TrustZone;
if (params.size() == 1) {
// For now only software backend supports device encyption key
// TODO tz-backend could support the master key, but it would require
// hardcoding a known key ID and querying TA whether the key is
// reachable
if (params[0].encrypted)
return CryptoBackend::OpenSSL;
// tz-backend allows only for data binary export
if (params[0].policy.extractable && !params[0].data.isBinaryData())
return CryptoBackend::OpenSSL;
// Use TrustZone only with symmetric keys or unencrypted binary
// data until asymmetric cryptography is implemented
if (!params[0].data.isSKey() && !params[0].data.isBinaryData())
return CryptoBackend::OpenSSL;
} else if (params.size() == 2) {
LogDebug("2 keys - asymmetric encryption not yet supported, selecting OpenSSL");
return CryptoBackend::OpenSSL;
}
try {
LogDebug("Trying to open TA session...");
TZ::Internals::TrustZoneContext::Instance();
} catch (const Exc::Crypto::InternalError& e) {
LogDebug("...failed. Selecting SW backend.");
return CryptoBackend::OpenSSL;
}
LogDebug("...succeeded. Selecting TZ backend.");
return CryptoBackend::TrustZone;
#else // TZ_BACKEND_ENABLED
(void) params;
return CryptoBackend::OpenSSL;
#endif // TZ_BACKEND_ENABLED
}
} // namespace
Decider::Decider()
: m_swStore(new SW::Store(CryptoBackend::OpenSSL))
#ifdef TZ_BACKEND_ENABLED
, m_tzStore(new TZ::Store(CryptoBackend::TrustZone))
#endif
{
}
GStore &Decider::getStore(const Token &token) const
{
return getStore(token.backendId);
};
GStore &Decider::getStore(CryptoBackend cryptoBackend) const
{
GStore *gStore = NULL;
if (cryptoBackend == CryptoBackend::OpenSSL)
gStore = m_swStore.get();
#ifdef TZ_BACKEND_ENABLED
if (cryptoBackend == CryptoBackend::TrustZone)
gStore = m_tzStore.get();
#endif
if (gStore)
return *gStore;
ThrowErr(Exc::Crypto::InternalError,
"Backend not available. BackendId: ", (int)cryptoBackend);
}
GStore &Decider::getStore(DataType data, const Policy &policy, bool encrypted) const
{
DataParams params{
DataParam(data, policy, encrypted)
};
return getStore(chooseCryptoBackend(params));
}
GStore &Decider::getStore(const DataParams& params) const
{
return getStore(chooseCryptoBackend(params));
}
} // namespace Crypto
} // namespace CKM
|
