Remove ATAP code
The ATAP code depends on libatap in the system/iot/attestation
repository which was removed from AOSP. Remove the ATAP code
from Keymaster as well in order to break the dependency.
Bug: 285203365
Test: Presubmit
Change-Id: I2218cbe2a24bb460d6937faadb2620a641b77f16
diff --git a/atap/rules.mk b/atap/rules.mk
deleted file mode 100644
index 8a7a4fd..0000000
--- a/atap/rules.mk
+++ /dev/null
@@ -1,32 +0,0 @@
-# Copyright (C) 2017 The Android Open Source Project
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-CUR_DIR := $(GET_LOCAL_DIR)
-
-ATAP_ROOT := $(TRUSTY_TOP)/system/iot/attestation/atap
-
-MODULE_SRCS += \
- $(ATAP_ROOT)/libatap/atap_commands.c \
- $(ATAP_ROOT)/libatap/atap_sysdeps_posix.c \
- $(ATAP_ROOT)/libatap/atap_util.c \
- $(ATAP_ROOT)/ops/atap_ops_provider.cpp \
- $(ATAP_ROOT)/ops/openssl_ops.cpp \
- $(CUR_DIR)/trusty_atap_ops.cpp
-
-MODULE_INCLUDES += \
- $(ATAP_ROOT) \
- $(CUR_DIR)
-
-CUR_DIR =
diff --git a/atap/trusty_atap_ops.cpp b/atap/trusty_atap_ops.cpp
deleted file mode 100644
index efab067..0000000
--- a/atap/trusty_atap_ops.cpp
+++ /dev/null
@@ -1,296 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use, copy,
- * modify, merge, publish, distribute, sublicense, and/or sell copies
- * of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#include "trusty_atap_ops.h"
-#include "secure_storage_manager.h"
-#include "trusty_logger.h"
-
-#include <keymaster/UniquePtr.h>
-#include <openssl/crypto.h>
-#include <openssl/evp.h>
-#include <openssl/x509.h>
-
-namespace {
-
-using keymaster::AttestationKeySlot;
-
-AttestationKeySlot MapKeyTypeToSlot(const AtapKeyType atap_key_type) {
- switch (atap_key_type) {
- case ATAP_KEY_TYPE_RSA:
- return AttestationKeySlot::kRsa;
- case ATAP_KEY_TYPE_ECDSA:
- return AttestationKeySlot::kEcdsa;
- case ATAP_KEY_TYPE_edDSA:
- return AttestationKeySlot::kEddsa;
- case ATAP_KEY_TYPE_EPID:
- return AttestationKeySlot::kEpid;
- case ATAP_KEY_TYPE_SPECIAL:
- return AttestationKeySlot::kClaimable0;
- case ATAP_KEY_TYPE_RSA_SOM:
- return AttestationKeySlot::kSomRsa;
- case ATAP_KEY_TYPE_ECDSA_SOM:
- return AttestationKeySlot::kSomEcdsa;
- case ATAP_KEY_TYPE_edDSA_SOM:
- return AttestationKeySlot::kSomEddsa;
- case ATAP_KEY_TYPE_EPID_SOM:
- return AttestationKeySlot::kSomEpid;
- default:
- return AttestationKeySlot::kInvalid;
- }
- return AttestationKeySlot::kInvalid;
-}
-
-} // namespace
-
-namespace keymaster {
-
-struct EVP_PKEY_Delete {
- void operator()(EVP_PKEY* p) const { EVP_PKEY_free(p); }
-};
-typedef UniquePtr<EVP_PKEY, EVP_PKEY_Delete> Unique_EVP_PKEY;
-
-TrustyAtapOps::TrustyAtapOps() {}
-TrustyAtapOps::~TrustyAtapOps() {}
-
-struct PKCS8_PRIV_KEY_INFO_Delete {
- void operator()(PKCS8_PRIV_KEY_INFO* p) const {
- PKCS8_PRIV_KEY_INFO_free(p);
- }
-};
-typedef UniquePtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_Delete>
- Unique_PKCS8_PRIV_KEY_INFO;
-struct EVP_MD_CTX_Delete {
- void operator()(EVP_MD_CTX* p) const {
- EVP_MD_CTX_cleanup(p);
- EVP_MD_CTX_destroy(p);
- }
-};
-typedef UniquePtr<EVP_MD_CTX, EVP_MD_CTX_Delete> Unique_EVP_MD_CTX;
-
-AtapResult TrustyAtapOps::read_product_id(
- uint8_t product_id[ATAP_PRODUCT_ID_LEN]) {
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr)
- return ATAP_RESULT_ERROR_STORAGE;
- if (ss_manager->ReadProductId(product_id) != KM_ERROR_OK) {
- /* If we can't get permanent attributes, set product id to the test
- product id (all zero). */
- LOG_E("Fail to read product id from storage, set as 0.");
- memset(product_id, 0, ATAP_PRODUCT_ID_LEN);
- }
- return ATAP_RESULT_OK;
-}
-
-AtapResult TrustyAtapOps::get_auth_key_type(AtapKeyType* key_type) {
- if (_auth_key_type_init) {
- *key_type = _auth_key_type;
- return ATAP_RESULT_OK;
- }
- *key_type = ATAP_KEY_TYPE_NONE;
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr)
- return ATAP_RESULT_ERROR_STORAGE;
- const AtapKeyType kAuthKeyTypes[3] = {ATAP_KEY_TYPE_EPID_SOM,
- ATAP_KEY_TYPE_RSA_SOM,
- ATAP_KEY_TYPE_ECDSA_SOM};
-
- for (size_t i = 0; i < (sizeof(kAuthKeyTypes) / sizeof(AtapKeyType)); i++) {
- AttestationKeySlot key_slot = MapKeyTypeToSlot(kAuthKeyTypes[i]);
- bool key_exists;
- if (ss_manager->AttestationKeyExists(key_slot, &key_exists) !=
- KM_ERROR_OK) {
- return ATAP_RESULT_ERROR_STORAGE;
- }
- if (key_exists) {
- *key_type = kAuthKeyTypes[i];
- break;
- }
- }
-
- _auth_key_type_init = true;
- _auth_key_type = *key_type;
- return ATAP_RESULT_OK;
-}
-
-AtapResult TrustyAtapOps::read_auth_key_cert_chain(AtapCertChain* cert_chain) {
- AtapKeyType key_type;
- AtapResult atap_result = get_auth_key_type(&key_type);
- if (atap_result != ATAP_RESULT_OK) {
- LOG_E("Failed to get key type.");
- return atap_result;
- }
- if (key_type == ATAP_KEY_TYPE_NONE) {
- return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION;
- }
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr) {
- return ATAP_RESULT_ERROR_STORAGE;
- }
- AttestationKeySlot key_slot = MapKeyTypeToSlot(key_type);
- keymaster_error_t result =
- ss_manager->ReadAtapCertChainFromStorage(key_slot, cert_chain);
- if (result != KM_ERROR_OK) {
- LOG_E("Failed to read som cert chain from slot %d (err = %d)", key_slot,
- result);
- return ATAP_RESULT_ERROR_STORAGE;
- }
- if (cert_chain->entry_count > ATAP_CERT_CHAIN_ENTRIES_MAX) {
- LOG_E("Stored cert chain length is larger than the maximum cert chain length");
- return ATAP_RESULT_ERROR_CRYPTO;
- }
- return ATAP_RESULT_OK;
-}
-
-AtapResult TrustyAtapOps::write_attestation_key(
- AtapKeyType key_type,
- const AtapBlob* key,
- const AtapCertChain* cert_chain) {
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr)
- return ATAP_RESULT_ERROR_STORAGE;
- AttestationKeySlot slot = MapKeyTypeToSlot(key_type);
- if (key_type == ATAP_KEY_TYPE_RSA_SOM ||
- key_type == ATAP_KEY_TYPE_ECDSA_SOM ||
- key_type == ATAP_KEY_TYPE_EPID_SOM ||
- key_type == ATAP_KEY_TYPE_edDSA_SOM) {
- /* If writing a som key, invalidate the cached auth_key_type. */
- _auth_key_type_init = false;
- }
- if (slot == AttestationKeySlot::kInvalid) {
- return ATAP_RESULT_ERROR_INVALID_INPUT;
- }
-
- keymaster_error_t result = ss_manager->WriteAtapKeyAndCertsToStorage(
- slot, key->data, key->data_length, cert_chain);
- if (result != KM_ERROR_OK) {
- LOG_E("Failed to write key and certs to slot %d (err = %d)", slot,
- result);
- return ATAP_RESULT_ERROR_STORAGE;
- }
- return ATAP_RESULT_OK;
-}
-
-AtapResult TrustyAtapOps::read_attestation_public_key(
- AtapKeyType key_type,
- uint8_t pubkey[ATAP_KEY_LEN_MAX],
- uint32_t* pubkey_len) {
- return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION;
-}
-
-AtapResult TrustyAtapOps::read_soc_global_key(
- uint8_t global_key[ATAP_AES_128_KEY_LEN]) {
- return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION;
-}
-
-AtapResult TrustyAtapOps::write_hex_uuid(
- const uint8_t uuid[ATAP_HEX_UUID_LEN]) {
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr)
- return ATAP_RESULT_ERROR_STORAGE;
- if (ss_manager->WriteAttestationUuid(uuid) != KM_ERROR_OK) {
- return ATAP_RESULT_ERROR_STORAGE;
- }
- return ATAP_RESULT_OK;
-}
-
-AtapResult TrustyAtapOps::auth_key_sign(const uint8_t* nonce,
- uint32_t nonce_len,
- uint8_t sig[ATAP_SIGNATURE_LEN_MAX],
- uint32_t* sig_len) {
- AtapKeyType key_type;
- keymaster_error_t result = KM_ERROR_OK;
- AtapResult atap_result = get_auth_key_type(&key_type);
- if (atap_result != ATAP_RESULT_OK) {
- LOG_E("Failed to get key type");
- return atap_result;
- }
- if (key_type == ATAP_KEY_TYPE_NONE) {
- return ATAP_RESULT_ERROR_UNSUPPORTED_OPERATION;
- }
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- if (ss_manager == nullptr) {
- return ATAP_RESULT_ERROR_STORAGE;
- }
- AttestationKeySlot key_slot = MapKeyTypeToSlot(key_type);
-
- KeymasterKeyBlob key_blob =
- ss_manager->ReadKeyFromStorage(key_slot, &result);
- if (result != KM_ERROR_OK) {
- LOG_E("Failed to read som cert chain from slot %d (err = %d)", key_slot,
- result);
- return ATAP_RESULT_ERROR_STORAGE;
- }
-
- const uint8_t* pkcs_priv_key_p = key_blob.key_material;
-
- Unique_PKCS8_PRIV_KEY_INFO pkcs8(d2i_PKCS8_PRIV_KEY_INFO(
- NULL, &pkcs_priv_key_p, key_blob.key_material_size));
- if (!pkcs8.get()) {
- LOG_E("Error parsing pkcs8 format private key.");
- return ATAP_RESULT_ERROR_INVALID_INPUT;
- }
- Unique_EVP_PKEY pkey(EVP_PKCS82PKEY(pkcs8.get()));
- if (!pkey.get()) {
- LOG_E("Error parsing pkcs8 private key to EVP_PKEY.");
- return ATAP_RESULT_ERROR_INVALID_INPUT;
- }
-
- Unique_EVP_MD_CTX mdctx(EVP_MD_CTX_create());
-
- if (!mdctx.get()) {
- LOG_E("Error creating md ctx.");
- return ATAP_RESULT_ERROR_OOM;
- }
- EVP_PKEY_CTX* evp_pkey_ctx;
- if (1 != EVP_DigestSignInit(mdctx.get(), &evp_pkey_ctx, EVP_sha512(), NULL,
- pkey.get())) {
- return ATAP_RESULT_ERROR_OOM;
- }
- if (key_type == ATAP_KEY_TYPE_RSA_SOM &&
- 1 != EVP_PKEY_CTX_set_rsa_padding(evp_pkey_ctx, RSA_PKCS1_PADDING)) {
- return ATAP_RESULT_ERROR_CRYPTO;
- }
-
- if (1 != EVP_DigestSignUpdate(mdctx.get(), nonce, nonce_len)) {
- return ATAP_RESULT_ERROR_CRYPTO;
- }
- /* Get sig length. */
- size_t local_sig_len;
- if (1 != EVP_DigestSignFinal(mdctx.get(), NULL, &local_sig_len)) {
- return ATAP_RESULT_ERROR_CRYPTO;
- }
- if (local_sig_len > ATAP_SIGNATURE_LEN_MAX) {
- LOG_E("Signature length larger than the supported maximum signature length.");
- return ATAP_RESULT_ERROR_INVALID_INPUT;
- }
- /* Obtain the signature */
- if (1 != EVP_DigestSignFinal(mdctx.get(), sig, &local_sig_len)) {
- return ATAP_RESULT_ERROR_CRYPTO;
- }
- *sig_len = (uint32_t)local_sig_len;
-
- return ATAP_RESULT_OK;
-}
-
-} // namespace keymaster
diff --git a/atap/trusty_atap_ops.h b/atap/trusty_atap_ops.h
deleted file mode 100644
index ce25f58..0000000
--- a/atap/trusty_atap_ops.h
+++ /dev/null
@@ -1,74 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Permission is hereby granted, free of charge, to any person
- * obtaining a copy of this software and associated documentation
- * files (the "Software"), to deal in the Software without
- * restriction, including without limitation the rights to use, copy,
- * modify, merge, publish, distribute, sublicense, and/or sell copies
- * of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be
- * included in all copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
- * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
- * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
- * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
- * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
- * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
- * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
-
-#ifndef TRUSTY_ATAP_OPS_H_
-#define TRUSTY_ATAP_OPS_H_
-
-#include "ops/openssl_ops.h"
-
-namespace keymaster {
-
-// An ops implementation for Trusty. All instances of this class must be created
-// on the same thread. This class is intended to be used with libatap and does
-// not perform additional verification of data formats. Only use this class with
-// sanitized inputs.
-class TrustyAtapOps : public atap::OpensslOps {
-public:
- TrustyAtapOps();
- ~TrustyAtapOps() override;
-
- // AtapOpsDelegate methods. Other methods are handled by OpensslOps.
- AtapResult read_product_id(
- uint8_t product_id[ATAP_PRODUCT_ID_LEN]) override;
-
- AtapResult get_auth_key_type(AtapKeyType* key_type) override;
-
- AtapResult read_auth_key_cert_chain(AtapCertChain* cert_chain) override;
-
- AtapResult write_attestation_key(AtapKeyType key_type,
- const AtapBlob* key,
- const AtapCertChain* cert_chain) override;
-
- AtapResult read_attestation_public_key(AtapKeyType key_type,
- uint8_t pubkey[ATAP_KEY_LEN_MAX],
- uint32_t* pubkey_len) override;
-
- AtapResult read_soc_global_key(
- uint8_t global_key[ATAP_AES_128_KEY_LEN]) override;
-
- AtapResult write_hex_uuid(const uint8_t uuid[ATAP_HEX_UUID_LEN]) override;
-
- AtapResult auth_key_sign(const uint8_t* nonce,
- uint32_t nonce_len,
- uint8_t sig[ATAP_SIGNATURE_LEN_MAX],
- uint32_t* sig_len) override;
-
-private:
- bool _auth_key_type_init = false;
- AtapKeyType _auth_key_type;
-};
-
-} // namespace keymaster
-
-#endif /* TRUSTY_ATAP_OPS_H_ */
diff --git a/device_unittest/rules.mk b/device_unittest/rules.mk
index df3e209..a216ba7 100644
--- a/device_unittest/rules.mk
+++ b/device_unittest/rules.mk
@@ -61,7 +61,6 @@
lib/lib/storage/include \
lib/interface/storage/include \
$(NANOPB_DIR) \
- $(TRUSTY_TOP)/system/iot/attestation/atap \
include make/trusted_app.mk
diff --git a/host_unittest/main.cpp b/host_unittest/main.cpp
index 5099c00..3a27283 100644
--- a/host_unittest/main.cpp
+++ b/host_unittest/main.cpp
@@ -44,10 +44,6 @@
#define typeof(x) __typeof__(x)
#include <trusty_unittest.h>
-extern "C" {
-#include <libatap/atap_util.h>
-}
-
#include <keymaster/android_keymaster_utils.h>
#include "second_imei_attestation.h"
#include "secure_storage_manager.h"
@@ -153,65 +149,6 @@
test_abort:;
}
-void TestAtapCertChainStorage(AttestationKeySlot key_slot, bool chain_exists) {
- keymaster_error_t error = KM_ERROR_OK;
- keymaster::UniquePtr<uint8_t[]> write_cert[CHAIN_LENGTH];
- keymaster::UniquePtr<uint8_t[]> write_key;
- KeymasterKeyBlob key_blob;
- bool key_exists = false;
- uint32_t cert_chain_length;
- AtapCertChain read_chain;
- AtapCertChain write_chain;
- memset(&read_chain, 0, sizeof(AtapCertChain));
- memset(&write_chain, 0, sizeof(AtapCertChain));
-
- SecureStorageManager* ss_manager = SecureStorageManager::get_instance();
- ASSERT_NE(nullptr, ss_manager);
- write_chain.entry_count = CHAIN_LENGTH;
-
- for (size_t i = 0; i < CHAIN_LENGTH; ++i) {
- write_cert[i].reset(NewRandBuf(DATA_SIZE));
- ASSERT_NE(nullptr, write_cert[i].get());
- write_chain.entries[i].data_length = DATA_SIZE;
- write_chain.entries[i].data =
- reinterpret_cast<uint8_t*>(atap_malloc(DATA_SIZE));
- ASSERT_NE(nullptr, write_chain.entries[i].data);
- memcpy(write_chain.entries[i].data, write_cert[i].get(), DATA_SIZE);
- }
- write_key.reset(NewRandBuf(DATA_SIZE));
- ASSERT_NE(nullptr, write_key.get());
- error = ss_manager->WriteAtapKeyAndCertsToStorage(key_slot, write_key.get(),
- DATA_SIZE, &write_chain);
- ASSERT_EQ(KM_ERROR_OK, error);
-
- error = ss_manager->ReadCertChainLength(key_slot, &cert_chain_length);
- ASSERT_EQ(KM_ERROR_OK, error);
- ASSERT_EQ(3, cert_chain_length);
-
- memset(&read_chain, 0, sizeof(AtapCertChain));
- error = ss_manager->ReadAtapCertChainFromStorage(key_slot, &read_chain);
- ASSERT_EQ(KM_ERROR_OK, error);
- ASSERT_EQ(CHAIN_LENGTH, read_chain.entry_count);
- for (size_t i = 0; i < CHAIN_LENGTH; ++i) {
- ASSERT_EQ(DATA_SIZE, read_chain.entries[i].data_length);
- ASSERT_EQ(0, memcmp(write_cert[i].get(), read_chain.entries[i].data,
- DATA_SIZE));
- }
- key_blob = ss_manager->ReadKeyFromStorage(key_slot, &error);
- ASSERT_EQ(KM_ERROR_OK, error);
- ASSERT_EQ(DATA_SIZE, key_blob.key_material_size);
- ASSERT_NE(nullptr, write_key.get());
- ASSERT_EQ(0, memcmp(write_key.get(), key_blob.writable_data(), DATA_SIZE));
-
- error = ss_manager->AttestationKeyExists(key_slot, &key_exists);
- ASSERT_EQ(KM_ERROR_OK, error);
- ASSERT_EQ(true, key_exists);
-
-test_abort:
- free_cert_chain(read_chain);
- free_cert_chain(write_chain);
-}
-
void TestCertStorageInvalid(AttestationKeySlot key_slot) {
keymaster_error_t error = KM_ERROR_OK;
keymaster::UniquePtr<uint8_t[]> write_cert;
@@ -504,12 +441,10 @@
TEST_F(KeymasterTest, TestCertChainStorageRsa) {
TestCertChainStorage(AttestationKeySlot::kRsa, false);
- TestAtapCertChainStorage(AttestationKeySlot::kRsa, false);
}
TEST_F(KeymasterTest, TestCertChainStorageEcdsa) {
TestCertChainStorage(AttestationKeySlot::kEcdsa, false);
- TestAtapCertChainStorage(AttestationKeySlot::kEcdsa, false);
}
TEST_F(KeymasterTest, TestRewriteKey) {
@@ -520,8 +455,7 @@
TEST_F(KeymasterTest, TestRewriteChain) {
TestCertChainStorage(AttestationKeySlot::kRsa, false);
- TestAtapCertChainStorage(AttestationKeySlot::kRsa, false);
- TestCertChainStorage(AttestationKeySlot::kRsa, true);
+ TestCertChainStorage(AttestationKeySlot::kRsa, false);
}
TEST_F(KeymasterTest, TestCertStorageInvalid) {
diff --git a/host_unittest/rules.mk b/host_unittest/rules.mk
index 816f582..bd9817d 100644
--- a/host_unittest/rules.mk
+++ b/host_unittest/rules.mk
@@ -13,7 +13,6 @@
# limitations under the License.
#
-ATAP_DIR := $(TRUSTY_TOP)/system/iot/attestation/atap
KEYMASTER_ROOT := system/keymaster
KEYMASTER_DIR := trusty/user/app/keymaster
NANOPB_DIR := external/nanopb-c
@@ -24,8 +23,6 @@
$(KEYMASTER_DIR)/second_imei_attestation.cpp \
$(KEYMASTER_DIR)/host_unittest/main.cpp \
$(KEYMASTER_ROOT)/android_keymaster/logger.cpp \
- $(ATAP_DIR)/libatap/atap_util.c \
- $(ATAP_DIR)/libatap/atap_sysdeps_posix.c \
$(KEYMASTER_DIR)/keymaster_attributes.pb.c \
$(NANOPB_DIR)/pb_common.c \
$(NANOPB_DIR)/pb_encode.c \
@@ -40,7 +37,6 @@
lib/lib/storage/include \
lib/interface/storage/include \
$(NANOPB_DIR) \
- $(ATAP_DIR) \
HOST_FLAGS := -Wpointer-arith \
-Wno-deprecated-declarations -fno-exceptions \
diff --git a/rules.mk b/rules.mk
index 9032889..1d1c97d 100644
--- a/rules.mk
+++ b/rules.mk
@@ -172,7 +172,6 @@
MODULE_COMPILEFLAGS += -DTRUSTY_KM_RKP_VERSION=$(TRUSTY_KM_RKP_VERSION)
endif
-include $(LOCAL_DIR)/atap/rules.mk
include $(LOCAL_DIR)/ipc/rules.mk
include make/trusted_app.mk
diff --git a/secure_storage_manager.cpp b/secure_storage_manager.cpp
index 745c138..fc91daf 100644
--- a/secure_storage_manager.cpp
+++ b/secure_storage_manager.cpp
@@ -294,36 +294,6 @@
return err;
}
-keymaster_error_t SecureStorageManager::ReadAtapCertChainFromStorage(
- AttestationKeySlot key_slot,
- AtapCertChain* cert_chain) {
- AttestationKey* attestation_key_p;
- keymaster_error_t err = ReadAttestationKey(key_slot, &attestation_key_p);
- if (err != KM_ERROR_OK) {
- CloseSession();
- return err;
- }
- UniquePtr<AttestationKey> attestation_key(attestation_key_p);
- uint32_t cert_chain_length = attestation_key->certs_count;
- cert_chain->entry_count = cert_chain_length;
- if (cert_chain_length == 0) {
- return KM_ERROR_OK;
- }
-
- for (size_t i = 0; i < cert_chain_length; i++) {
- uint32_t content_size = attestation_key->certs[i].content.size;
- cert_chain->entries[i].data_length = content_size;
- uint8_t* buffer = new (std::nothrow) uint8_t[content_size];
- if (buffer == nullptr) {
- return KM_ERROR_MEMORY_ALLOCATION_FAILED;
- }
- memcpy(buffer, attestation_key->certs[i].content.bytes, content_size);
- cert_chain->entries[i].data = buffer;
- }
-
- return KM_ERROR_OK;
-}
-
keymaster_error_t SecureStorageManager::ReadCertChainLength(
AttestationKeySlot key_slot,
uint32_t* cert_chain_length) {
@@ -338,37 +308,6 @@
return KM_ERROR_OK;
}
-keymaster_error_t SecureStorageManager::WriteAtapKeyAndCertsToStorage(
- AttestationKeySlot key_slot,
- const uint8_t* key,
- const uint32_t key_size,
- const AtapCertChain* cert_chain) {
- if (key_size > kKeySizeMax || cert_chain->entry_count > kCertSizeMax) {
- return KM_ERROR_INVALID_ARGUMENT;
- }
- UniquePtr<AttestationKey> attestation_key(
- new (std::nothrow) AttestationKey(AttestationKey_init_zero));
- if (attestation_key.get() == nullptr) {
- return KM_ERROR_MEMORY_ALLOCATION_FAILED;
- }
- attestation_key->has_key = true;
- attestation_key->key.size = key_size;
- memcpy(attestation_key->key.bytes, key, key_size);
- for (size_t i = 0; i < cert_chain->entry_count; i++) {
- attestation_key->certs[i].content.size =
- cert_chain->entries[i].data_length;
- memcpy(attestation_key->certs[i].content.bytes,
- cert_chain->entries[i].data, cert_chain->entries[i].data_length);
- }
- attestation_key->certs_count = cert_chain->entry_count;
- keymaster_error_t err =
- WriteAttestationKey(key_slot, attestation_key.get(), true);
- if (err != KM_ERROR_OK) {
- CloseSession();
- }
- return err;
-}
-
keymaster_error_t SecureStorageManager::DeleteKey(AttestationKeySlot key_slot,
bool commit) {
char key_file[kStorageIdLengthMax];
diff --git a/secure_storage_manager.h b/secure_storage_manager.h
index ade5b4d..b02040f 100644
--- a/secure_storage_manager.h
+++ b/secure_storage_manager.h
@@ -23,7 +23,6 @@
extern "C" {
#include <hardware/keymaster_defs.h>
-#include <libatap/atap_types.h>
}
#include "keymaster_attributes.pb.h"
#include "trusty_keymaster_messages.h"
@@ -122,14 +121,6 @@
*/
keymaster_error_t DeleteCertChainFromStorage(AttestationKeySlot key_slot);
- /**
- * Reads cert chain associated with |key_slot| in ATAP format. Stores
- * certificate chain in |cert_chain| and caller takes ownership of all
- * allocated memory.
- */
- keymaster_error_t ReadAtapCertChainFromStorage(AttestationKeySlot key_slot,
- AtapCertChain* cert_chain);
-
/*
* Writes the new length of the stored |key_slot| attestation certificate
* chain. If less than the existing certificate chain length, the chain is
@@ -146,17 +137,6 @@
keymaster_error_t ReadCertChainLength(AttestationKeySlot key_slot,
uint32_t* cert_chain_length);
- /*
- * Write a key along with the cert chain to the key/cert file associated
- * with |key_slot|. cert_cahin is in ATAP types and is intended to be used
- * by trusty_atap_ops.
- */
- keymaster_error_t WriteAtapKeyAndCertsToStorage(
- AttestationKeySlot key_slot,
- const uint8_t* key,
- const uint32_t key_size,
- const AtapCertChain* cert_chain);
-
/**
* Writes the |attestation_uuid|.
*/
diff --git a/trusty_keymaster.cpp b/trusty_keymaster.cpp
index fbbbe98..309fdb1 100644
--- a/trusty_keymaster.cpp
+++ b/trusty_keymaster.cpp
@@ -22,13 +22,6 @@
#include <memory>
-#ifndef DISABLE_ATAP_SUPPORT
-#include <libatap/libatap.h>
-// This assumes EC cert chains do not exceed 1k and other cert chains do not
-// exceed 5k.
-const size_t kMaxCaResponseSize = 20000;
-#endif
-
namespace keymaster {
GetVersion2Response TrustyKeymaster::GetVersion2(
@@ -297,29 +290,8 @@
if (response == nullptr)
return;
-#ifdef DISABLE_ATAP_SUPPORT
// Not implemented.
response->error = KM_ERROR_UNKNOWN_ERROR;
- return;
-#else
- uint8_t* ca_request;
- uint32_t ca_request_size;
- const Buffer& operation_start = request.data;
- AtapResult result = atap_get_ca_request(
- atap_ops_provider_.atap_ops(), operation_start.begin(),
- operation_start.available_read(), &ca_request, &ca_request_size);
- response->error = KM_ERROR_UNKNOWN_ERROR;
- if (result != ATAP_RESULT_OK) {
- return;
- }
- response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
- if (!response->data.Reinitialize(ca_request, ca_request_size)) {
- atap_free(ca_request);
- return;
- }
- atap_free(ca_request);
- response->error = KM_ERROR_OK;
-#endif
}
void TrustyKeymaster::AtapSetCaResponseBegin(
@@ -328,21 +300,8 @@
if (response == nullptr)
return;
-#ifdef DISABLE_ATAP_SUPPORT
// Not implemented.
response->error = KM_ERROR_UNKNOWN_ERROR;
- return;
-#else
- response->error = KM_ERROR_INVALID_ARGUMENT;
- if (request.ca_response_size > kMaxCaResponseSize) {
- return;
- }
- response->error = KM_ERROR_MEMORY_ALLOCATION_FAILED;
- if (!ca_response_.reserve(request.ca_response_size)) {
- return;
- }
- response->error = KM_ERROR_OK;
-#endif
}
void TrustyKeymaster::AtapSetCaResponseUpdate(
@@ -351,17 +310,8 @@
if (response == nullptr)
return;
-#ifdef DISABLE_ATAP_SUPPORT
// Not implemented.
response->error = KM_ERROR_UNKNOWN_ERROR;
- return;
-#else
- response->error = KM_ERROR_INSUFFICIENT_BUFFER_SPACE;
- if (!ca_response_.write(request.data.begin(), request.data.buffer_size())) {
- return;
- }
- response->error = KM_ERROR_OK;
-#endif
}
void TrustyKeymaster::AtapSetCaResponseFinish(
@@ -370,26 +320,8 @@
if (response == nullptr)
return;
-#ifdef DISABLE_ATAP_SUPPORT
// Not implemented.
response->error = KM_ERROR_UNKNOWN_ERROR;
- return;
-#else
- response->error = KM_ERROR_INVALID_INPUT_LENGTH;
- if (ca_response_.available_read() != ca_response_.buffer_size()) {
- LOG_E("Did not receive full CA Response message: %zu / %zu\n",
- ca_response_.available_read(), ca_response_.buffer_size());
- return;
- }
- response->error = KM_ERROR_UNKNOWN_ERROR;
- AtapResult result = atap_set_ca_response(atap_ops_provider_.atap_ops(),
- ca_response_.begin(),
- ca_response_.available_read());
- if (result == ATAP_RESULT_OK) {
- response->error = KM_ERROR_OK;
- }
- ca_response_.Clear();
-#endif
}
void TrustyKeymaster::AtapReadUuid(const AtapReadUuidRequest& request,
@@ -423,19 +355,7 @@
return;
}
-#ifdef DISABLE_ATAP_SUPPORT
// Not implemented.
response->error = KM_ERROR_UNKNOWN_ERROR;
- return;
-#else
- response->error = KM_ERROR_UNKNOWN_ERROR;
- const Buffer& product_id = request.data;
- uint32_t product_id_size = product_id.available_read();
- if (product_id_size != kProductIdSize) {
- response->error = KM_ERROR_INVALID_INPUT_LENGTH;
- return;
- }
- response->error = ss_manager->SetProductId(product_id.begin());
-#endif
}
} // namespace keymaster
diff --git a/trusty_keymaster.h b/trusty_keymaster.h
index 483673d..df4dd34 100644
--- a/trusty_keymaster.h
+++ b/trusty_keymaster.h
@@ -21,10 +21,6 @@
#include "trusty_keymaster_context.h"
#include "trusty_keymaster_messages.h"
-#ifndef DISABLE_ATAP_SUPPORT
-#include "atap/trusty_atap_ops.h"
-#include "ops/atap_ops_provider.h"
-#endif
namespace keymaster {
@@ -137,10 +133,6 @@
TrustyKeymasterContext* context_;
keymaster_error_t configure_error_ = KM_ERROR_KEYMASTER_NOT_CONFIGURED;
Buffer ca_response_;
-#ifndef DISABLE_ATAP_SUPPORT
- TrustyAtapOps atap_ops_;
- atap::AtapOpsProvider atap_ops_provider_{&atap_ops_};
-#endif
};
} // namespace keymaster
