apps/boot: boot applet, library, and tool.
This change covers a lot of ground (sorry).
It provides an applet and three packages for use on an NXP smartcard
with some additional APIs. The applet and packages provide secure
storage for bootloader use:
- rollback indices
- boot behavior "locks" (carrier, device, boot, owner)
Rollback index storage is implemented in VersionStorage.java.
Applet state (pre-production/production) and hardware state
(inBootloader) are provided via GlobalStateImpl.java. This file is an
implementation of the globalstate.OwnerInterface, a shareable interface
which gets its own .cap file (via OwnerInterface.java). The client
interface is implemented in CallbackInterface.java and is primarily used
to allow the primary applet to indicate a data clearing operation to
other applets.
Storage.java provides the overall Applet interface.
All the locks are implemented in CarrierLock.java and BasicLock.java.
Each lock can only be toggled if the required locks are unlocked.
(addRequiredLock(x)).
The CarrierLock, relies on a (test, in this CL) key for
RSA_SHA256 PKCS#1 padded signature over a device specific hash and a
server provided rollback nonce (monotonically increasing 64-bit value).
The OwnerLock also has specific behavior. It is a lock that impacts the
behavior of the system when BootLock is set. It indicates to the boot
loader to use a different verifying key than the one provided by the
bootloader itself. That key (or its hash) is stored as OwnerLock
metadata.
With the applets, is an ant build.xml. As building applets is not
trivially supported in the Android build system, they can be built by
running 'ant' in the same directory as the build file. This will fetch
any necessary third party dependencies, then build the cap files. The
globalstate*.caps must be installed before avb_storage.cap.
This change also includes an interface library built on top of libese
and an example command line tool for using the applet. The tool and
library setup a logical channel and communicate with the applet and some
initial unittests are in place with a stubbed C++ Ese hardware instance.
The library errors codes and applet status codes need to be refined. As
is, there is a baseline for OS and APPLET errors which include the
embedded status. While those statuses may change, the primary value is
still stable. In the future, the applet should implement its errors
via an exception class that gets translated to the prefix status codes
(as long as they don't overlap with the APDU status codes for the most
part).
This change also includes documentation for the work in
README.md and a single extension to the pn80t common code to handle
cooldown data collection requests.
(Building the applet requires software from NXP which is not (yet)
easily available.)
NOTE: CarrierLock is using a _dev_ key.
Test: all functions tested manually with the tool and ese-replay except
ese-boot-tool verify-key auto # passes
Tested each nonce edge case manually too -- msb >, ==, < and lsb >, ==, <
Bug: 34460238
Bug: 34467857
Bug: 34684505
Change-Id: I64223548b5c95f24044eb98c9f999468c73bcf4a
diff --git a/Android.bp b/Android.bp
index 6fe8a42..4a27106 100644
--- a/Android.bp
+++ b/Android.bp
@@ -19,6 +19,7 @@
"libese",
"libese-teq1",
"libese-hw",
+ "apps",
"examples",
"tools",
"esed",