Snap for 8730993 from 42c9a8b6aaece2868a7f23c36278f7a51f856778 to mainline-tzdata3-release
Change-Id: I1353572d7a3d7faf9038b4a08505eff863a4f09f
diff --git a/Android.bp b/Android.bp
index 009de4c..b789f23 100644
--- a/Android.bp
+++ b/Android.bp
@@ -178,7 +178,7 @@
// Language and vendor related defaults
cc_defaults {
name: "nos_cc_defaults",
-
+ clang: true,
cflags: [
"-pedantic",
"-Wall",
diff --git a/libnos_transport/transport.c b/libnos_transport/transport.c
index 855b884..85ba312 100644
--- a/libnos_transport/transport.c
+++ b/libnos_transport/transport.c
@@ -155,10 +155,6 @@
uint8_t data[STATUS_MAX_LENGTH];
} st;
int retries = CRC_RETRY_COUNT;
-
- /* All unset fields will be 0. */
- memset(out, 0, sizeof(*out));
-
while (retries--) {
/* Get the status from the device */
const uint32_t command = CMD_ID(ctx->app_id) | CMD_IS_READ | CMD_TRANSPORT;
@@ -167,6 +163,9 @@
return -1;
}
+ /* All unset fields will be 0. */
+ memset(out, 0, sizeof(*out));
+
/* Examine v0 fields */
out->status = le32toh(st.status.status);
out->reply_len = le16toh(st.status.reply_len);
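Review bot: The `memset(out, 0, sizeof(*out));` now sits after the early `return -1;` at the top of this hunk, so `*out` is left unwritten on that failure path, whereas the placement removed in the previous hunk (at line 155) zeroed it before the retry loop. A caller that mishandles the -1 and still reads `out->status` or `out->reply_len` would then act on stale or uninitialized memory, which matters for a transport whose status gates further commands to the device. Consider keeping one zeroing before `while (retries--)` as well as this per-iteration one. Otherwise state the contract above the function, for example `/* On failure *out is not written; callers must not read it. */`. The function starts and ends outside both hunks, so how callers treat the error return could not be checked here.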
@@ -296,7 +295,7 @@
/* Any further Writes needed to send all the args must set the MORE bit */
command |= CMD_MORE_TO_COME;
- if (args) args += ulen;
+ args += ulen;
arg_len -= ulen;
} while (arg_len);
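Review bot: `args += ulen;` now runs unconditionally, so if `args` can be NULL, this is pointer arithmetic on a null pointer, which is undefined behavior in C even when `ulen` is 0. The removed `if (args)` guard suggests that a call with no argument buffer is allowed. Keeping the guard as `if (args) args += ulen;` costs nothing and stays clean under `-fsanitize=undefined`. If NULL with a non-zero `arg_len` is rejected earlier in the function, say so in a comment next to this line rather than relying on it silently. The loop and the function entry are outside the hunk, so whether such a check exists is not visible.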
diff --git a/nugget/include/app_nugget.h b/nugget/include/app_nugget.h
index f713299..1ef9f31 100644
--- a/nugget/include/app_nugget.h
+++ b/nugget/include/app_nugget.h
@@ -414,137 +414,6 @@
* @errors APP_ERROR_BOGUS_ARGS
*/
-#define GSC_DEBUG_DUMP_VERSION 0
-struct gsc_debug_dump_msg {
- uint8_t timestamp[6]; // Bottom 48 bits of system time; enough for 8 years @ 1 us
- uint8_t channel; // log channel (task_id or system call)
- uint8_t version; // gsc_debug_dump_msg struct version
- uint32_t error_code; // error code
- uint32_t reserved; // reserved for other useful log
-};
-
-#define DEBUG_MESSAGE_MAX_COUNT 64
-#define DEBUG_MESSAGE_BUFFER_SIZE (DEBUG_MESSAGE_MAX_COUNT * sizeof(struct gsc_debug_dump_msg))
-
-#define NUGGET_PARAM_DEBUG_DUMP 0x0016
-/*
- * Get GSC debug message from 1KB ring buffer
- *
- * @param args <none>
- * @param arg_len 0
- * @param reply recent debug buffer output
- * @param reply_len 1KB
- */
-
-#define GSA_GSC_PAIRING_VERSION 0
-#define EC_P256_PUBLIC_KEY_SIZE 64
-#define EC_P256_PRIVATE_KEY_SIZE 32
-#define PSK_KEY_SIZE 32
-#define HAS_GSA_PUBKEY 0xa3
-struct gsa_gsc_pairing_persist_storage {
- uint8_t version;
- uint8_t has_gsa_public_key_provision;
- uint8_t gsa_public_key[EC_P256_PUBLIC_KEY_SIZE];
- uint8_t gsc_private_key[EC_P256_PRIVATE_KEY_SIZE];
- uint8_t gsc_public_key[EC_P256_PUBLIC_KEY_SIZE];
-};
-
-#define GSA_GSC_PSK_VERSION 0
-#define HAS_GSA_GSC_PSK 0xa5
-struct gsa_gsc_psk_persist_storage {
- uint8_t version;
- uint8_t has_gsa_gsc_psk_provision;
- uint8_t gsa_gsc_psk[PSK_KEY_SIZE];
-};
-
-#define NUGGET_PARAM_GSA_KEY_PROVISION 0x0017
-/*
- * GSA key provision command
- *
- * @param args gsa unique public key
- * @param arg_len 32
- * @param reply gsc public key + sha256(pre-shared key)
- * @param reply_len 64 + 32
- */
-
-/**
- * enum gsa_gsc_psk_state - GSA-GSC PSK state
- * @GSA_GSC_PSK_STATE_UNKNOWN: Unknown state (initial state)
- * @GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS: GSA and GSC PSK match
- * @GSA_GSC_PSK_STATE_KEY_MISMATCH: GSA and GSC PSK mismatch
- * @GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR: GSA has internal error
- * @GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY: GSA has no PSK
- * @GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL: GSA crypto prng function fail
- * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL: GSA crypto HKDF function fail
- * @GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL: GSA crypto HMAC function fail
- * @GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE: GSA crypto operations complete
- * @GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY: GSC has no PSK
- * @GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER: GSC is not in bootloader
- * @GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER: GSC received invalid request data
- * @GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR: GSC has internal error
- * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL: GSC crypto HKDF function fail
- * @GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL: GSC crypto HMAC function fail
- * @GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT: exceed max psk verification retry count (100)
- * @GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL: GSC nos call fail
- */
-enum gsa_gsc_psk_state {
- GSA_GSC_PSK_STATE_UNKNOWN,
- GSA_GSC_PSK_STATE_KEY_VERIFY_SUCCESS,
- GSA_GSC_PSK_STATE_KEY_MISMATCH,
- GSA_GSC_PSK_STATE_GSA_INTERNAL_ERROR,
- GSA_GSC_PSK_STATE_GSA_HAS_NO_KEY,
- GSA_GSC_PSK_STATE_GSA_CRYPTO_PRNG_FAIL,
- GSA_GSC_PSK_STATE_GSA_CRYPTO_HKDF_FAIL,
- GSA_GSC_PSK_STATE_GSA_CRYPTO_HMAC_FAIL,
- GSA_GSC_PSK_STATE_GSA_CRYPTO_DONE,
- GSA_GSC_PSK_STATE_GSC_HAS_NO_KEY,
- GSA_GSC_PSK_STATE_GSC_NOT_IN_BOOTLOADER,
- GSA_GSC_PSK_STATE_GSC_INVALID_PARAMETER,
- GSA_GSC_PSK_STATE_GSC_INTERNAL_ERROR,
- GSA_GSC_PSK_STATE_GSC_CRYPTO_HKDF_FAIL,
- GSA_GSC_PSK_STATE_GSC_CRYPTO_HMAC_FAIL,
- GSA_GSC_PSK_STATE_GSC_EXCEED_MAX_RETRY_COUNT,
- GSA_GSA_PSK_STATE_GSC_NOS_CALL_FAIL,
-};
-
-#define VERIFY_PSK_REQ_HEADER_SIZE 17
-#define VERIFY_PSK_REQ_VERSION 0
-#define VERIFY_PSK_NONCE_SIZE 32
-#define VERIFY_PSK_HMAC_SIZE 32
-/**
- * struct verify_psk_request - verify gsa-gsc pre-shared key request
- * @version: struct verify_psk_request version
- * @header: header of verify_psk_request
- * @nonce: 12 bytes random number
- * @gsa_psk_state: GSA pre-shared key state
- * @hmac: hmac = HMAC-SHA256(key = derived-psk, data = version || header ||
- * nonce || gsa_psk_state)
- */
-struct verify_psk_request {
- char header[VERIFY_PSK_REQ_HEADER_SIZE];
- uint8_t version;
- uint8_t nonce[VERIFY_PSK_NONCE_SIZE];
- uint8_t gsa_psk_state;
- uint8_t hmac[VERIFY_PSK_HMAC_SIZE];
-};
-
-#define VERIFY_SECURE_CHANNEL_RETRY_COUNT_VERSION 0
-struct secure_channel_retry_count_persist_storage {
- uint8_t version;
- uint8_t verify_psk_retry_count;
- uint8_t reserved[2];
-};
-
-#define NUGGET_PARAM_VERIFY_GSA_GSC_PSK 0x0018
-/*
- * Verify GSA GSC pre-shared key command
- *
- * @param args struct verify_psk_request
- * @param arg_len 63 bytes
- * @param reply psk verification result
- * @param reply_len 1 bytes
- */
-
/****************************************************************************/
/* Test related commands */
diff --git a/nugget/include/citadel_events.h b/nugget/include/citadel_events.h
index 24babee..3e3a33e 100644
--- a/nugget/include/citadel_events.h
+++ b/nugget/include/citadel_events.h
@@ -64,7 +64,6 @@
EVENT_REBOOTED = 2, // Device rebooted.
EVENT_UPGRADED = 3, // Device has upgraded.
EVENT_ALERT_V2 = 4, // Globalsec Alertv2 fired
- EVENT_SEC_CH_STATE = 5, // Update GSA-GSC secure channel state.
};
/*
@@ -104,9 +103,6 @@
uint16_t temp_max;
uint32_t bus_err;
} alert_v2;
- struct {
- uint32_t state;
- } sec_ch_state;
/* uninterpreted */
union {
diff --git a/nugget/proto/BUILD b/nugget/proto/BUILD
index fc1df57..0b7219f 100644
--- a/nugget/proto/BUILD
+++ b/nugget/proto/BUILD
@@ -330,7 +330,6 @@
proto_library(
name = "nugget_app_avb_avb_proto",
- visibility = ["//visibility:public"],
srcs = [
"nugget/app/avb/avb.proto",
],
@@ -342,7 +341,6 @@
proto_library(
name = "nugget_app_keymaster_keymaster_proto",
- visibility = ["//visibility:public"],
srcs = [
"nugget/app/keymaster/keymaster.proto",
"nugget/app/keymaster/keymaster_defs.proto",
@@ -405,7 +403,6 @@
proto_library(
name = "nugget_app_weaver_weaver_proto",
- visibility = ["//visibility:public"],
srcs = [
"nugget/app/weaver/weaver.proto",
],
@@ -417,7 +414,6 @@
proto_library(
name = "nugget_app_identity_identity_proto",
- visibility = ["//visibility:public"],
srcs = [
"nugget/app/identity/identity.proto",
"nugget/app/identity/identity_defs.proto",
diff --git a/nugget/proto/nugget/app/avb/avb.proto b/nugget/proto/nugget/app/avb/avb.proto
index 9aec71e..bc0c700 100644
--- a/nugget/proto/nugget/app/avb/avb.proto
+++ b/nugget/proto/nugget/app/avb/avb.proto
@@ -53,16 +53,13 @@
}
// GetState
-message GetStateRequest {
- bool keysclear_reset = 1;
-}
+message GetStateRequest {}
message GetStateResponse {
uint64 version = 1;
bool bootloader = 2;
bool production = 3;
uint32 number_of_locks = 4;
bytes locks = 5;
- bool keysclear_required = 6;
}
// Load
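Review bot: Field 1 of `GetStateRequest` and field 6 of `GetStateResponse` are deleted without reserving their numbers, so a later edit could reuse them with a different type or meaning. Peers built from a tree that still has `keysclear_reset` / `keysclear_required` would then misinterpret those fields on the wire. Add `reserved 1;` to `GetStateRequest` and `reserved 6;` to `GetStateResponse`, optionally with `reserved "keysclear_required";` to block reuse of the name as well. The same applies to the field removals further down in identity.proto (`supportInt32EntryCounts`, `oemHalVersion`, `sessionId`, `sessionCookie`) and keymaster.proto (`boot_security_level`, `caller_issuer_subj_name`, `caller_blob`).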
diff --git a/nugget/proto/nugget/app/identity/identity.proto b/nugget/proto/nugget/app/identity/identity.proto
index 591a92a..10500cb 100644
--- a/nugget/proto/nugget/app/identity/identity.proto
+++ b/nugget/proto/nugget/app/identity/identity.proto
@@ -56,18 +56,6 @@
rpc ICfinishRetrieval (ICfinishRetrievalRequest) returns (ICfinishRetrievalResponse);
rpc ICdeleteCredential (ICdeleteCredentialRequest) returns (ICdeleteCredentialResponse);
rpc ICproveOwnership (ICproveOwnershipRequest) returns (ICproveOwnershipResponse);
- rpc GetSessionId (GetSessionIdRequest) returns (GetSessionIdResponse);
- rpc SessionShutdown(SessionShutdownRequest) returns (SessionShutdownResponse);
- rpc SessionInitialize (SessionInitializeRequest) returns (SessionInitializeResponse);
- rpc SessionSetReaderEphemeralPublicKey (SessionSetReaderEphemeralPublicKeyRequest) returns (SessionSetReaderEphemeralPublicKeyResponse);
- rpc SessionSetSessionTranscript (SessionSetSessionTranscriptRequest) returns (SessionSetSessionTranscriptResponse);
-}
-
-enum RequestType {
- unknown = 0;
- provision = 1;
- presentation = 2;
- session = 3;
}
// WICinitialize
@@ -104,7 +92,6 @@
bytes entryCounts = 2;
bytes docType = 3;
uint32 expectedProofOfProvisioningSize = 4;
- bool supportInt32EntryCounts = 5;
}
message WICstartPersonalizationResponse{
Result result = 1;
@@ -163,8 +150,6 @@
bool testCredential = 1;
bytes docType = 2;
bytes encryptedCredentialKeys = 3;
- uint32 oemHalVersion = 4;
- uint32 sessionId = 5;
}
message ICinitializeResponse{
@@ -296,7 +281,6 @@
message ICstartRetrieveEntryValueResponse{
AccessResult accessCheckResult = 1;
- uint32 sessionCookie = 2;
}
// ICretrieveEntryValue
@@ -305,7 +289,6 @@
string nameSpace = 2;
string name = 3;
bytes accessControlProfileIds = 4;
- uint32 sessionCookie = 5;
}
message ICretrieveEntryValueResponse{
@@ -346,51 +329,4 @@
message ICproveOwnershipResponse{
Result result = 1;
bytes signatureOfToBeSigned = 2;
-}
-
-// GetSessionId
-message GetSessionIdRequest{
- RequestType requestType = 1;
-}
-
-message GetSessionIdResponse{
- Result result = 1;
- uint32 id = 2;
-}
-
-// SessionShutdown
-message SessionShutdownRequest{
- RequestType requestType = 1;
-}
-
-message SessionShutdownResponse{
- Result result = 1;
-}
-
-// SessionInitialize
-message SessionInitializeRequest{
-}
-
-message SessionInitializeResponse{
- Result result = 1;
- uint64 authChallenge = 2;
- bytes ephemeralPrivateKey = 3;
-}
-
-// SessionSetReaderEphemeralPublicKey
-message SessionSetReaderEphemeralPublicKeyRequest{
- bytes readerEphemeralPublicKey = 1;
-}
-
-message SessionSetReaderEphemeralPublicKeyResponse{
- Result result = 1;
-}
-
-// SessionSetSessionTranscript
-message SessionSetSessionTranscriptRequest{
- bytes sessionTranscript = 1;
-}
-
-message SessionSetSessionTranscriptResponse{
- Result result = 1;
-}
+}
\ No newline at end of file
diff --git a/nugget/proto/nugget/app/keymaster/keymaster.proto b/nugget/proto/nugget/app/keymaster/keymaster.proto
index 89710e6..e6fec75 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster.proto
@@ -138,17 +138,6 @@
rpc VigoReleaseSecret(VigoReleaseSecretRequest)
returns (VigoReleaseSecretResponse);
- /*
- * pKVM implementation
- */
- rpc GetPerFactoryResetValue(GetPerFactoryResetValueRequest) returns (GetPerFactoryResetValueResponse);
-
- /*
- * RKP implementation
- */
- rpc GenerateRkpKey(GenerateRkpKeyRequest) returns (GenerateRkpKeyResponse);
- rpc GenerateRkpCsr(GenerateRkpCsrRequest) returns (GenerateRkpCsrResponse);
-
// These are implemented with a enum, so new RPCs must be appended, and
// deprecated RPCs need placeholders.
}
@@ -413,7 +402,6 @@
uint32 system_version = 4; // Deprecated.
uint32 system_security_level = 5; // Patch level of the boot partition.
bytes boot_hash = 6; // This is a SHA256 digest.
- uint32 boot_security_level = 7;
}
message SetBootStateResponse {
// Specified in keymaster_defs.proto:ErrorCode
@@ -558,7 +546,6 @@
bytes not_after = 6; // strftime('%y%m%d%H%M%SZ') [15 octects]
uint64 creation_time_ms = 7; // Rough current time (ms since epoch).
bool use_km_attest_key = 8;
- bytes caller_issuer_subj_name = 9;
}
message IdentityStartAttestKeyResponse {
ErrorCode error_code = 1;
@@ -570,7 +557,6 @@
message IdentityFinishAttestKeyRequest {
OperationHandle handle = 1;
bool use_km_attest_key = 2;
- KeyBlob caller_blob = 3;
}
message IdentityFinishAttestKeyResponse {
ErrorCode error_code = 1;
@@ -578,37 +564,3 @@
ChipFusing chip_fusing = 3;
bool nodelocked_ro = 4;
}
-
-// pKVM messages
-message GetPerFactoryResetValueRequest {
- bool bootloader_only = 1;
- bytes input = 2;
-}
-message GetPerFactoryResetValueResponse {
- ErrorCode error_code = 1;
- bytes output = 2;
-}
-
-// RKP messages
-message GenerateRkpKeyRequest{
- bool test_mode = 1;
- KeyParameters params = 2;
- KeyBlob blob = 3;
-}
-message GenerateRkpKeyResponse{
- ErrorCode error_code = 1;
- bytes maced_public_key = 2;
-}
-
-message GenerateRkpCsrRequest{
- bool test_mode = 1;
- KeysToSign keys_to_sign = 2;
- bytes endpoint_enc_cert_chain = 3;
- bytes challenge = 4;
-}
-message GenerateRkpCsrResponse{
- ErrorCode error_code = 1;
- bytes keys_to_sign_mac = 2;
- bytes device_info_blob = 3;
- bytes protected_data_blob = 4;
-}
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
index dfdfeeb..da597b1 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_defs.proto
@@ -267,10 +267,6 @@
STORAGE_KEY_UNSUPPORTED = 81;
INCOMPATIBLE_MGF_DIGEST = 82;
UNSUPPORTED_MGF_DIGEST = 83;
- INVALID_MAC = 84; // RKP specific.
- PRODUCTION_KEY_IN_TEST_REQUEST = 85; // RKP specific.
- TEST_KEY_IN_PRODUCTION_REQUEST = 86; // RKP specific.
- INVALID_EEK = 87; // RKP specific.
};
enum SecurityLevel {
@@ -321,7 +317,6 @@
FUSING_PVT_1 = 3; // Strongbox gen v1 certs.
FUSING_D_PVT = 4; // Dauntless gen v0 certs.
FUSING_D_PVT_1 = 5; // Dauntless gen v1 certs.
- FUSING_D_PVT_2 = 6; // Dauntless gen v2 certs (D3M2).
}
enum CertificateStatus {
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.options b/nugget/proto/nugget/app/keymaster/keymaster_types.options
index 417e181..02853bc 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.options
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.options
@@ -9,4 +9,3 @@
nugget.app.keymaster.VigoSecret.material max_size:32
nugget.app.keymaster.VigoSecret.iv max_size:16
nugget.app.keymaster.VigoSecret.tag max_size:16
-nugget.app.keymaster.KeysToSign.keys max_count:20
diff --git a/nugget/proto/nugget/app/keymaster/keymaster_types.proto b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
index 1a4c539..4a66d4e 100644
--- a/nugget/proto/nugget/app/keymaster/keymaster_types.proto
+++ b/nugget/proto/nugget/app/keymaster/keymaster_types.proto
@@ -126,11 +126,3 @@
bytes iv = 2;
bytes tag = 3;
}
-
-message MacedKey{
- bytes blob = 1;
-}
-
-message KeysToSign {
- repeated MacedKey keys = 1;
-}