Merge "Fix TpmKeymasterContext::UpgradeKeyBlob."
diff --git a/host/commands/secure_env/tpm_key_blob_maker.cpp b/host/commands/secure_env/tpm_key_blob_maker.cpp
index abd6910..64f344a 100644
--- a/host/commands/secure_env/tpm_key_blob_maker.cpp
+++ b/host/commands/secure_env/tpm_key_blob_maker.cpp
@@ -110,6 +110,7 @@
};
for (auto tag : protected_tags) {
if (key_description.Contains(tag)) {
+ LOG(ERROR) << "Invalid tag " << tag;
return KM_ERROR_INVALID_TAG;
}
}
@@ -124,10 +125,19 @@
hw_enforced->push_back(keymaster::TAG_OS_VERSION, os_version_);
hw_enforced->push_back(keymaster::TAG_OS_PATCHLEVEL, os_patchlevel_);
+ return UnvalidatedCreateKeyBlob(key_material, *hw_enforced, *sw_enforced,
+ blob);
+}
+
+keymaster_error_t TpmKeyBlobMaker::UnvalidatedCreateKeyBlob(
+ const KeymasterKeyBlob& key_material, const AuthorizationSet& hw_enforced,
+ const AuthorizationSet& sw_enforced, KeymasterKeyBlob* blob) const {
keymaster::Buffer key_material_buffer(
key_material.key_material, key_material.key_material_size);
+ AuthorizationSet hw_enforced_mutable = hw_enforced;
+ AuthorizationSet sw_enforced_mutable = sw_enforced;
CompositeSerializable sensitive_material(
- {&key_material_buffer, hw_enforced, sw_enforced});
+ {&key_material_buffer, &hw_enforced_mutable, &sw_enforced_mutable});
auto parent_key_fn = ParentKeyCreator(kUniqueKey);
EncryptedSerializable encryption(
resource_manager_, parent_key_fn, sensitive_material);
diff --git a/host/commands/secure_env/tpm_key_blob_maker.h b/host/commands/secure_env/tpm_key_blob_maker.h
index ddb694b..a0483b4 100644
--- a/host/commands/secure_env/tpm_key_blob_maker.h
+++ b/host/commands/secure_env/tpm_key_blob_maker.h
@@ -39,6 +39,12 @@
keymaster::AuthorizationSet* hw_enforced,
keymaster::AuthorizationSet* sw_enforced) const override;
+ keymaster_error_t UnvalidatedCreateKeyBlob(
+ const keymaster::KeymasterKeyBlob& key_material,
+ const keymaster::AuthorizationSet& hw_enforced,
+ const keymaster::AuthorizationSet& sw_enforced,
+ keymaster::KeymasterKeyBlob* blob) const;
+
/**
* Intermediate function between KeymasterContext::ParseKeyBlob and
* KeyFactory::LoadKey, The inputs of this function match the outputs of
diff --git a/host/commands/secure_env/tpm_keymaster_context.cpp b/host/commands/secure_env/tpm_keymaster_context.cpp
index b8ec9de..850d48b 100644
--- a/host/commands/secure_env/tpm_keymaster_context.cpp
+++ b/host/commands/secure_env/tpm_keymaster_context.cpp
@@ -146,6 +146,7 @@
keymaster::UniquePtr<keymaster::Key> key;
auto error = ParseKeyBlob(blob_to_upgrade, upgrade_params, &key);
if (error != KM_ERROR_OK) {
+ LOG(ERROR) << "Failed to parse key blob";
return error;
}
@@ -156,30 +157,26 @@
// from proper numbered releases to unnumbered development and preview
// releases.
- int key_os_version_pos = key->sw_enforced().find(keymaster::TAG_OS_VERSION);
+ int key_os_version_pos = key->hw_enforced().find(keymaster::TAG_OS_VERSION);
if (key_os_version_pos != -1) {
- uint32_t key_os_version = key->sw_enforced()[key_os_version_pos].integer;
+ uint32_t key_os_version = key->hw_enforced()[key_os_version_pos].integer;
if (key_os_version != 0) {
- key->sw_enforced()[key_os_version_pos].integer = os_version_;
+ key->hw_enforced()[key_os_version_pos].integer = os_version_;
set_changed = true;
}
}
}
- auto update_os = UpgradeIntegerTag(
- keymaster::TAG_OS_VERSION,
- os_version_,
- &key->sw_enforced(),
- &set_changed);
+ auto update_os = UpgradeIntegerTag(keymaster::TAG_OS_VERSION, os_version_,
+ &key->hw_enforced(), &set_changed);
- auto update_patchlevel = UpgradeIntegerTag(
- keymaster::TAG_OS_PATCHLEVEL,
- os_patchlevel_,
- &key->sw_enforced(),
- &set_changed);
+ auto update_patchlevel =
+ UpgradeIntegerTag(keymaster::TAG_OS_PATCHLEVEL, os_patchlevel_,
+ &key->hw_enforced(), &set_changed);
if (!update_os || !update_patchlevel) {
- // One of the version fields would have been a downgrade. Not allowed.
+ LOG(ERROR) << "One of the version fields would have been a downgrade. "
+ << "Not allowed.";
return KM_ERROR_INVALID_ARGUMENT;
}
@@ -188,25 +185,9 @@
return KM_ERROR_OK;
}
- AuthorizationSet combined_authorization;
- combined_authorization.Union(key->hw_enforced());
- combined_authorization.Union(key->sw_enforced());
-
- keymaster_key_origin_t origin = KM_ORIGIN_UNKNOWN;
- if (!combined_authorization.GetTagValue(keymaster::TAG_ORIGIN, &origin)) {
- LOG(WARNING) << "Key converted with unknown origin";
- }
-
- AuthorizationSet output_hw_enforced;
- AuthorizationSet output_sw_enforced;
-
- return key_blob_maker_->CreateKeyBlob(
- combined_authorization,
- origin,
- key->key_material(),
- upgraded_key,
- &output_hw_enforced,
- &output_sw_enforced);
+ return key_blob_maker_->UnvalidatedCreateKeyBlob(
+ key->key_material(), key->hw_enforced(), key->sw_enforced(),
+ upgraded_key);
}
keymaster_error_t TpmKeymasterContext::ParseKeyBlob(