Skip to content

Rot changes #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Apr 29, 2022
Merged

Rot changes #123

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4ffd8b3
Merge pull request #59 from divegeek/Javacard_KeyMint_100_master
subrahmanyaman Apr 27, 2022
ae9e180
Removed verifiedBootHash from ROT in hidden paramters
subrahmanyaman Apr 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 12 additions & 4 deletions Applet/src/com/android/javacard/keymaster/KMKeymasterApplet.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -218,6 +218,8 @@ public class KMKeymasterApplet extends Applet implements AppletEvent, ExtendedLe
// version number whenever you change anything related to
// KeyBlob (structure, encryption algorithm etc).
public static final short KEYBLOB_CURRENT_VERSION = 2;
// KeyBlob Verion 1 constant.
public static final short KEYBLOB_VERSION_1 = 1;
// KeyBlob array size constants.
public static final byte SYM_KEY_BLOB_SIZE_V2 = 6;
public static final byte ASYM_KEY_BLOB_SIZE_V2 = 7;
Expand Down Expand Up @@ -3798,7 +3800,7 @@ private static void makeKeyCharacteristics(byte[] scratchPad) {

private static void createEncryptedKeyBlob(byte[] scratchPad) {
// make root of trust blob
data[ROT] = readROT(scratchPad);
data[ROT] = readROT(scratchPad, KEYBLOB_CURRENT_VERSION);
if (data[ROT] == KMType.INVALID_VALUE) {
KMException.throwIt(KMError.UNKNOWN_ERROR);
}
Expand Down Expand Up @@ -4016,7 +4018,7 @@ private void processDecryptSecret(short version, short appId, short appData, byt
private void parseEncryptedKeyBlob(short keyBlob, short appId, short appData,
byte[] scratchPad, short version) {
// make root of trust blob
data[ROT] = readROT(scratchPad);
data[ROT] = readROT(scratchPad, version);
if (data[ROT] == KMType.INVALID_VALUE) {
KMException.throwIt(KMError.UNKNOWN_ERROR);
}
Expand All @@ -4029,10 +4031,16 @@ private void parseEncryptedKeyBlob(short keyBlob, short appId, short appData,
}

// Read RoT
public static short readROT(byte[] scratchPad) {
public static short readROT(byte[] scratchPad, short version) {
Util.arrayFillNonAtomic(scratchPad,(short)0, (short)256,(byte)0);
short len = kmDataStore.getBootKey(scratchPad, (short)0);
len += kmDataStore.getVerifiedBootHash(scratchPad, (short)len);
// As per IKeyMintDevice.aidl specification The root of trust
// consists of verifyBootKey, boot state and device locked.
if (version <= KEYBLOB_VERSION_1) {
// To parse old keyblobs verified boot hash is included in
// the root of trust.
len += kmDataStore.getVerifiedBootHash(scratchPad, (short)len);
}
short bootState = kmDataStore.getBootState();
len = Util.setShort(scratchPad, len, bootState);
if(kmDataStore.isDeviceBootLocked()){
Expand Down