ote_nvcrypto.h

Go to the documentation of this file.

/*
 * Copyright (c) 2013-2018, NVIDIA CORPORATION. All rights reserved.
 *
 * Permission is hereby granted, free of charge, to any person obtaining a
 * copy of this software and associated documentation files (the "Software"),
 * to deal in the Software without restriction, including without limitation
 * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 * and/or sell copies of the Software, and to permit persons to whom the
 * Software is furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 * DEALINGS IN THE SOFTWARE.
 */

#ifndef __OTE_NVCRYPTO_H
#define __OTE_NVCRYPTO_H

#include <common/ote_error.h>

// mobile and common cmd id (start from 0x00)
#define CRYPTO_SERVICE_SANITY_CHECK     0
#define CRYPTO_SERVICE_GET_KEYBOX       1
#define CRYPTO_SERVICE_GET_STORAGE_KEY      2
#define CRYPTO_SERVICE_GET_ROLLBACK_KEY     3
#define CRYPTO_SERVICE_GET_RO_TRUST_KEY     4
#define CRYPTO_SERVICE_GET_WV_SIG_RSA_KEY   5
#define CRYPTO_SERVICE_GET_GS_SIG_KEY       6
#define CRYPTO_SERVICE_GET_VUDU_PLATFORM_KEY    7   /* Deprecated */
#define CRYPTO_SERVICE_GET_HWRANDOM     8
#define CRYPTO_SERVICE_GET_EKS2_MAC_KEY     9U
#define CRYPTO_SERVICE_INSTALL_EKS2_KEYS    10U
#define CRYPTO_SERVICE_GET_WIDEVINE_KEY     11U
#define CRYPTO_SERVICE_GET_KEYBOX_ATTRIBUTE 12U

// auto cmd id (start from 0x80)
#define CRYPTO_SERVICE_GET_STORAGE_MASTER_KEY   CRYPTO_SERVICE_GET_STORAGE_KEY  // for compatibility
#define CRYPTO_SERVICE_GET_RANDOM_NUMBER    CRYPTO_SERVICE_GET_HWRANDOM
#define CRYPTO_SERVICE_DERIVE_KEY       0x80
#define CRYPTO_SERVICE_UPDATE_SE_KEYSLOT    0x81
#define CRYPTO_SERVICE_RSA_RAW_PRIVATE_ENCRYPT  0x82
#define CRYPTO_SERVICE_DO_CRYPT_FUNCTIONS   0x83
#define CRYPTO_SERVICE_GET_EFS_MASTER_KEY   0x84
/* Adding SE Keyslot access interface through crypto service */
#define CRYPTO_SERVICE_REQUEST_SE_KEYSLOT   0x85
#define CRYPTO_SERVICE_RELEASE_SE_KEYSLOT   0x86

// AES, RSA keyslot types registered at kernel using apps manifest.c
#define KEYSLOT_TYPE_AES            0
#define KEYSLOT_TYPE_RSA            1

// HW keyslot accessible setting
enum {
    KEYSLOT_RICH_OS_NO_READ_NO_WRITE_KEY_ACCESSIBLE = 0,
    KEYSLOT_CONFIG_ALL,
};

/*
 * @brief defines various key lookup schemes supported by NVCrypto
 *        for each lookup scheme, the key index has a different meaning
 * KEY_LOOKUP_ABSOLUTE Absolute lookup. Use this option when a client knows the
 *                     exact key index of the key slot. This option is for
 *                     backward compatibility as old key lookup implementation
 *                     uses absolute lookups. Ideally, this should be
 *                     deprecated
 * KEY_LOOKUP_RELATIVE Lookup relative to UUID. If there are more than one keys
 *                     present for a given UUID, clients can use this lookup
 *                     to get Nth key from the keyslots that they are allowed
 *                     to access (UUID is an access control field)
 * KEY_LOOKUP_BY_ID    Lookup by entry ID. Each Key is uniquely identified by
 *                     (UUID, Entry ID) tuple. Client can use this lookup if it
 *                     knows the exact tuple to access.
 */
typedef enum {
    KEYSTORE_LOOKUP_ABSOLUTE = 1,
    KEYSTORE_LOOKUP_RELATIVE,
    KEYSTORE_LOOKUP_BY_ID
} keystore_lookup_type;

/*
 * @brief defines various attributes that can be queried for a keybox entry
 *
 * KEYBOX_ATTR_SIZE The length of a particular keybox entry
 */
typedef enum {
    KEYBOX_ATTR_SIZE = 1,
} keybox_attr_type;

te_error_t ote_nvcrypto_init(void);

te_error_t ote_nvcrypto_deinit(void);

te_error_t ote_nvcrypto_get_keybox(uint32_t keybox_lookup_index,
keystore_lookup_type lookup_type, void *buf, uint32_t *len);

te_error_t ote_nvcrypto_get_keybox_size(uint32_t keybox_lookup_index,
keystore_lookup_type lookup_type, uint32_t *len);

te_error_t ote_nvcrypto_get_storage_key(uint8_t *key, uint32_t key_size);

te_error_t ote_nvcrypto_get_rollback_key(uint8_t *key, uint32_t key_size);

te_error_t ote_nvcrypto_get_ro_trust_key(uint8_t *key, uint32_t key_size);

/* Size limit for HW RNG request */
#define MAX_HWRANDOM_SIZE   4096

te_error_t ote_nvcrypto_get_random(uint8_t *buf, uint32_t buf_len);

te_error_t ote_nvcrypto_get_wv_rsa_sig_key(uint8_t *key, uint32_t *key_size);
te_error_t ote_nvcrypto_get_gs_key(uint8_t *key, uint32_t *key_size);

te_error_t ote_nvcrypto_get_key(uint8_t *key, uint32_t key_size, uint32_t key_type);

te_error_t ote_nvcrypto_derive_key(const uint8_t *src_buffer,
                    const uint32_t src_buf_len, uint8_t *dest);

te_error_t ote_nvcrypto_get_widevine_key(uint8_t *key, uint32_t key_size);

te_error_t ote_nvcrypto_update_se_keyslot(uint32_t KeySlotType, uint32_t KeySlotIdx,
                    uint32_t access_control, const uint32_t *pData, uint32_t pData_len);

te_error_t ote_nvcrypto_rsa_raw_private_encrypt(
            uint8_t *pri_key,uint32_t pri_key_len, uint32_t *data_in,
            uint32_t data_in_len, uint8_t* signedData, uint32_t signed_data_len);


te_error_t ote_nvcrypto_do_crypt_functions(
            uint32_t algo, uint32_t mode,
            uint8_t *inbuf,uint32_t inbuf_len,
            uint8_t *iv,uint32_t iv_len,
            uint8_t *key,uint32_t key_len,
            uint8_t *outbuf,uint32_t *outbuf_len);

te_error_t ote_nvcrypto_get_eks2_mac_key(uint8_t *key, uint32_t *key_size);

te_error_t ote_nvcrypto_install_eks2_keys(const uint8_t *buf, uint32_t buf_len, uint32_t num_keys);

#endif