authorJi Luo <ji.luo@nxp.com>2019-08-15 20:53:53 +0800
committerJi Luo <ji.luo@nxp.com>2022-04-18 16:40:08 +0800
commit0c13c04dbbb012ed58c43975afcc08f23a368fc6 (patch)
tree4c188a9482f963f920938c418dd734f01fd53758 /lib/trusty
parent7af6854dacab50440d395173b5a5dfa309fbaef3 (diff)
MA-15321-3 Support secure unlock feature
Decrypt and verify the secure credential in the keymaster TA; the unlock operation is allowed only after the secure credential verification passes. Since the mppubk can only be generated on hab closed imx8q, the secure unlock feature can only be supported when hab is closed. Test: secure unlock credential verify on hab closed imx8mm_evk. Change-Id: I1ab5e24df28d1e75ff853de3adf29f34da1d0a71 Signed-off-by: Ji Luo <ji.luo@nxp.com> (cherry picked from commit 631149fc0fc8ce035311949db643c2708e41435a) (cherry picked from commit 063d358ab4bbfea998e0c975f31724757243545a) (cherry picked from commit 5980e3882093c522723aa6a3af6f85fb5b8a47c1)
Diffstat (limited to 'lib/trusty')
-rw-r--r--lib/trusty/ql-tipc/keymaster.c31
-rw-r--r--lib/trusty/ql-tipc/keymaster_serializable.c21
2 files changed, 52 insertions, 0 deletions
diff --git a/lib/trusty/ql-tipc/keymaster.c b/lib/trusty/ql-tipc/keymaster.c
index 01828e0bd7..210420496f 100644
--- a/lib/trusty/ql-tipc/keymaster.c
+++ b/lib/trusty/ql-tipc/keymaster.c
@@ -523,3 +523,34 @@ int trusty_get_mppubk(uint8_t *mppubk, uint32_t *size)
memcpy(mppubk, resp.data, resp.data_size);
return TRUSTY_ERR_NONE;
}
+
+int trusty_verify_secure_unlock(uint8_t *unlock_credential,
+ uint32_t credential_size,
+ uint8_t *serial, uint32_t serial_size)
+{
+ int rc = TRUSTY_ERR_GENERIC;
+ uint8_t *req = NULL;
+ uint32_t req_size = 0;
+
+ struct km_secure_unlock_data secure_unlock_data = {
+ .serial_size = serial_size,
+ .serial_data = serial,
+ .credential_size = credential_size,
+ .credential_data = unlock_credential,
+ };
+
+ rc = km_secure_unlock_data_serialize(&secure_unlock_data,
+ &req, &req_size);
+
+ if (rc < 0) {
+ trusty_error("failed (%d) to serialize request\n", rc);
+ goto end;
+ }
+ rc = km_do_tipc(KM_VERIFY_SECURE_UNLOCK, req, req_size, NULL, NULL);
+
+end:
+ if (req) {
+ trusty_free(req);
+ }
+ return rc;
+}
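Review bot: `trusty_verify_secure_unlock` passes `serial` and `unlock_credential` straight into the request without checking them, and the serializer added in this commit validates only `data`, `out` and `out_size`, so a NULL pointer or zero length presumably reaches `append_sized_buf_to_buf` (whose NULL handling is not visible here) instead of being rejected up front. A guard at the top of the function would make that failure explicit: `if (!unlock_credential || !credential_size || !serial || !serial_size) return TRUSTY_ERR_INVALID_ARGS;`. Because the return value is the unlock decision, the function also deserves a header comment along the lines of `/* Returns TRUSTY_ERR_NONE only if the keymaster TA verified the credential; callers must treat every other value as a refusal. */`. As a minor style point, the initial `rc = TRUSTY_ERR_GENERIC` is overwritten by the next statement and can be dropped, and both pointer parameters could be `const uint8_t *` if the struct fields allow it.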
diff --git a/lib/trusty/ql-tipc/keymaster_serializable.c b/lib/trusty/ql-tipc/keymaster_serializable.c
index 65bcca0545..6d9297d099 100644
--- a/lib/trusty/ql-tipc/keymaster_serializable.c
+++ b/lib/trusty/ql-tipc/keymaster_serializable.c
@@ -97,6 +97,27 @@ int km_attestation_data_serialize(const struct km_attestation_data *data,
return TRUSTY_ERR_NONE;
}
+int km_secure_unlock_data_serialize(const struct km_secure_unlock_data *data,
+ uint8_t** out, uint32_t *out_size)
+{
+ uint8_t *tmp;
+
+ if (!out || !data || !out_size) {
+ return TRUSTY_ERR_INVALID_ARGS;
+ }
+ *out_size = (sizeof(data->serial_size) + sizeof(data->credential_size) +
+ data->serial_size + data->credential_size);
+ *out = trusty_calloc(*out_size, 1);
+ if (!*out) {
+ return TRUSTY_ERR_NO_MEMORY;
+ }
+
+ tmp = append_sized_buf_to_buf(*out, data->serial_data, data->serial_size);
+ tmp = append_sized_buf_to_buf(tmp, data->credential_data, data->credential_size);
+
+ return TRUSTY_ERR_NONE;
+}
+
int km_raw_buffer_serialize(const struct km_raw_buffer *buf, uint8_t** out,
uint32_t *out_size)
{
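Review bot: The length stored in `*out_size` in `km_secure_unlock_data_serialize` is summed without a range check, so when `serial_size + credential_size` approaches the 32-bit limit the value wraps or is truncated and `trusty_calloc` returns a buffer smaller than what the two `append_sized_buf_to_buf` calls then write. The credential length presumably derives from externally supplied data (the caller is not visible here), so the sum should be validated before allocating: `uint64_t total = (uint64_t)sizeof(data->serial_size) + sizeof(data->credential_size) + data->serial_size + data->credential_size;`, then `if (total > UINT32_MAX) return TRUSTY_ERR_INVALID_ARGS;` and `*out_size = (uint32_t)total;`. The function also never checks `data->serial_data` or `data->credential_data` for NULL when the matching size is non-zero. The value assigned to `tmp` by the second append is never read, so that assignment can be dropped or replaced by a check that the returned pointer equals `*out + *out_size`.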