Renamed deviceuniqpair for JCardSim

Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java

@@ -15,10 +15,9 @@
  */
 package com.android.javacard.keymaster;
 
-import com.android.javacard.seprovider.KMDeviceUniqueKey;
+import com.android.javacard.seprovider.KMDeviceUniqueKeyPair;
 import com.android.javacard.seprovider.KMException;
 import com.android.javacard.seprovider.KMJCardSimulator;
-import com.licel.jcardsim.smartcardio.JCardSimProvider;
 import javacard.framework.APDU;
 import javacard.framework.ISO7816;
 import javacard.framework.ISOException;
@@ -36,9 +35,9 @@ public class KMJCardSimApplet extends KMKeymasterApplet {
   private static final byte INS_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
   private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
   private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5;
-  private static final byte INS_PROVISION_DEVICE_UNIQUE_KEY_CMD =
+  private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
       INS_KEYMINT_PROVIDER_APDU_START + 6;
-  private static final byte INS_PROVISION_ADDITIONAL_CERT_CHAIN_CMD =
+  private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
       INS_KEYMINT_PROVIDER_APDU_START + 7;
   private static final byte INS_SET_BOOT_ENDED_CMD =
       INS_KEYMINT_PROVIDER_APDU_START + 8;
@@ -55,7 +54,7 @@ public class KMJCardSimApplet extends KMKeymasterApplet {
   private static final byte PROVISION_STATUS_ATTEST_IDS = 0x08;
   private static final byte PROVISION_STATUS_PRESHARED_SECRET = 0x10;
   private static final byte PROVISION_STATUS_PROVISIONING_LOCKED = 0x20;
-  private static final byte PROVISION_STATUS_DEVICE_UNIQUE_KEY = 0x40;
+  private static final byte PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR = 0x40;
   private static final byte PROVISION_STATUS_ADDITIONAL_CERT_CHAIN = (byte) 0x80;
 
   public static final short SHARED_SECRET_KEY_SIZE = 32;
@@ -144,12 +143,12 @@ public void process(APDU apdu) {
           processSetBootParamsCmd(apdu);
           break;
 
-        case INS_PROVISION_DEVICE_UNIQUE_KEY_CMD:
-          processProvisionDeviceUniqueKey(apdu);
+        case INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD:
+          processProvisionRkpDeviceUniqueKeyPair(apdu);
           break;
 
-        case INS_PROVISION_ADDITIONAL_CERT_CHAIN_CMD:
-          processProvisionAdditionalCertChain(apdu);
+        case INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD:
+          processProvisionRkpAdditionalCertChain(apdu);
           break;
 
         default:
@@ -180,7 +179,7 @@ private boolean isProvisioningComplete() {
     byte data[] = repository.getHeap();
     kmDataStore.getProvisionStatus(data, dInex);
     boolean result = false;
-    if ((0 != (data[dInex] & PROVISION_STATUS_DEVICE_UNIQUE_KEY))
+    if ((0 != (data[dInex] & PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR))
         && (0 != (data[dInex] & PROVISION_STATUS_ADDITIONAL_CERT_CHAIN))
         && (0 != (data[dInex]  & PROVISION_STATUS_PRESHARED_SECRET))) {
       result = true;
@@ -338,7 +337,7 @@ private short validateApdu(APDU apdu) {
     return apduBuffer[ISO7816.OFFSET_INS];
   }
 
-  private static void processProvisionDeviceUniqueKey(APDU apdu) {
+  private static void processProvisionRkpDeviceUniqueKeyPair(APDU apdu) {
     // Re-purpose the apdu buffer as scratch pad.
     byte[] scratchPad = apdu.getBuffer();
     short arr = KMArray.instance((short) 1);
@@ -350,17 +349,17 @@ private static void processProvisionDeviceUniqueKey(APDU apdu) {
     short pubKeyLen = KMCoseKey.cast(coseKey).getEcdsa256PublicKey(scratchPad, (short) 0);
     short privKeyLen = KMCoseKey.cast(coseKey).getPrivateKey(scratchPad, pubKeyLen);
     //Store the Device unique Key.
-    kmDataStore.createDeviceUniqueKey(scratchPad, (short) 0, pubKeyLen, scratchPad,
+    kmDataStore.createRkpDeviceUniqueKeyPair(scratchPad, (short) 0, pubKeyLen, scratchPad,
         pubKeyLen, privKeyLen);
     short bcc = generateBcc(false, scratchPad);
     short len = KMKeymasterApplet.encodeToApduBuffer(bcc, scratchPad, (short) 0,
         MAX_COSE_BUF_SIZE);
     kmDataStore.persistBootCertificateChain(scratchPad, (short) 0, len);
-    kmDataStore.setProvisionStatus(PROVISION_STATUS_DEVICE_UNIQUE_KEY);
+    kmDataStore.setProvisionStatus(PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR);
     sendError(apdu, KMError.OK);
   }
 
-  private static void processProvisionAdditionalCertChain(APDU apdu) {
+  private static void processProvisionRkpAdditionalCertChain(APDU apdu) {
     // Prepare the expression to decode
     short headers = KMCoseHeaders.exp();
     short arrInst = KMArray.instance((short) 4);
@@ -393,7 +392,7 @@ private static void processProvisionAdditionalCertChain(APDU apdu) {
             srcBuffer, null);
     // Compare the DK_Pub.
     short pubKeyLen = KMCoseKey.cast(leafCoseKey).getEcdsa256PublicKey(srcBuffer, (short) 0);
-    KMDeviceUniqueKey uniqueKey = kmDataStore.getDeviceUniqueKey(false);
+    KMDeviceUniqueKeyPair uniqueKey = kmDataStore.getRkpDeviceUniqueKeyPair(false);
     if (uniqueKey == null) {
       KMException.throwIt(KMError.STATUS_FAILED);
     }

Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMDataStoreConstants.java

@@ -4,7 +4,7 @@ public class KMDataStoreConstants {
   // INTERFACE Types
   public static final byte INTERFACE_TYPE_COMPUTED_HMAC_KEY = 0x01;
   public static final byte INTERFACE_TYPE_ATTESTATION_KEY = 0x02;
-  public static final byte INTERFACE_TYPE_DEVICE_UNIQUE_KEY = 0x03;
+  public static final byte INTERFACE_TYPE_DEVICE_UNIQUE_KEY_PAIR = 0x03;
   public static final byte INTERFACE_TYPE_MASTER_KEY = 0x04;
   public static final byte INTERFACE_TYPE_PRE_SHARED_KEY = 0x05;
   public static final byte INTERFACE_TYPE_RKP_MAC_KEY = 0x06;

Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKey.java → Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMDeviceUniqueKeyPair.java

@@ -15,7 +15,7 @@
  */
 package com.android.javacard.seprovider;
 
-public interface KMDeviceUniqueKey {
+public interface KMDeviceUniqueKeyPair {
 
   short getPublicKey(byte[] buf, short offset);
 }

Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMECDeviceUniqueKey.java

@@ -18,7 +18,7 @@
 import javacard.security.ECPublicKey;
 import javacard.security.KeyPair;
 
-public class KMECDeviceUniqueKey implements KMDeviceUniqueKey {
+public class KMECDeviceUniqueKey implements KMDeviceUniqueKeyPair {
 
   private KeyPair ecKeyPair;
 

Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMJCardSimulator.java

@@ -1253,16 +1253,16 @@ public short getAttestationKeyAlgorithm(){
   }
 
   @Override
-  public com.android.javacard.seprovider.KMDeviceUniqueKey createDeviceUniqueKey(
-      com.android.javacard.seprovider.KMDeviceUniqueKey key, byte[] pubKey, short pubKeyOff,
+  public KMDeviceUniqueKeyPair createRkpDeviceUniqueKeyPair(
+      KMDeviceUniqueKeyPair key, byte[] pubKey, short pubKeyOff,
       short pubKeyLen, byte[] privKey, short privKeyOff, short privKeyLen) {
     if (key == null) {
       KeyPair ecKeyPair = new KeyPair(KeyPair.ALG_EC_FP, KeyBuilder.LENGTH_EC_FP_256);
       key = new KMECDeviceUniqueKey(ecKeyPair);
     }
     ((KMECDeviceUniqueKey) key).setS(privKey, privKeyOff, privKeyLen);
     ((KMECDeviceUniqueKey) key).setW(pubKey, pubKeyOff, pubKeyLen);
-    return (KMDeviceUniqueKey) key;
+    return (KMDeviceUniqueKeyPair) key;
   }
 
   @Override
@@ -1307,7 +1307,7 @@ public short ecSign256(KMAttestationKey attestationKey,
 
 
   @Override
-  public short ecSign256(KMDeviceUniqueKey deviceUniqueKey, byte[] inputDataBuf, short inputDataStart,
+  public short ecSign256(KMDeviceUniqueKeyPair deviceUniqueKey, byte[] inputDataBuf, short inputDataStart,
                          short inputDataLength, byte[] outputDataBuf, short outputDataStart) {
     ECPrivateKey key = ((KMECDeviceUniqueKey) deviceUniqueKey).getPrivateKey();
     Signature signer = Signature

Applet/JCardSimProviderLib/src/com/android/javacard/seprovider/KMSEProvider.java

@@ -479,7 +479,7 @@ boolean ecVerify256(
    * @return length of the decrypted data.
    */
   short ecSign256(
-      KMDeviceUniqueKey ecPrivKey,
+      KMDeviceUniqueKeyPair ecPrivKey,
       byte[] inputDataBuf,
       short inputDataStart,
       short inputDataLength,
@@ -626,7 +626,7 @@ KMOperation initAsymmetricOperation(
    * @param privKeyLen private key buffer length.
    * @return instance of KMDeviceUniqueKey.
    */
-  KMDeviceUniqueKey createDeviceUniqueKey(KMDeviceUniqueKey key,
+  KMDeviceUniqueKeyPair createRkpDeviceUniqueKeyPair(KMDeviceUniqueKeyPair key,
       byte[] pubKey, short pubKeyOff, short pubKeyLen,
       byte[] privKey, short privKeyOff, short privKeyLen);
 

Applet/src/com/android/javacard/keymaster/KMRepository.java

@@ -90,6 +90,7 @@ public void reclaimMemory(short length) {
     if (reclaimIndex < heapIndex[0]) {
       ISOException.throwIt(ISO7816.SW_CONDITIONS_NOT_SATISFIED);
     }
+    Util.arrayFillNonAtomic(heap, reclaimIndex, length, (byte) 0);
     reclaimIndex += length;
   }
 

aosp_integration_patches/goldfish_target_only/device_generic_goldfish.patch

@@ -13,3 +13,18 @@ index 8b27fd14..09b8588e 100644
  PRODUCT_COPY_FILES += \
      frameworks/native/data/etc/android.hardware.keystore.app_attest_key.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.keystore.app_attest_key.xml
 
+diff --git a/vendor.mk b/vendor.mk
+index bc29713e..b9f23962 100644
+--- a/vendor.mk
++++ b/vendor.mk
+@@ -101,7 +101,9 @@ PRODUCT_PACKAGES += \
+     android.hardware.neuralnetworks@1.3-service-sample-limited
+
+ PRODUCT_PACKAGES += \
+-    android.hardware.security.keymint-service
++    android.hardware.security.keymint-service \
++    android.hardware.security.keymint-service.strongbox
++
+ PRODUCT_COPY_FILES += \
+     frameworks/native/data/etc/android.hardware.keystore.app_attest_key.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.hardware.keystore.app_attest_key.xml
+

aosp_integration_patches/goldfish_target_only/system_sepolicy.patch

@@ -1,8 +1,8 @@
 diff --git a/private/service_contexts b/private/service_contexts
-index c7f881136..6c3bfc06c 100644
+index cac6ea822..1d076d07a 100644
 --- a/private/service_contexts
 +++ b/private/service_contexts
-@@ -53,6 +53,9 @@ android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:
+@@ -55,6 +55,9 @@ android.hardware.security.keymint.IKeyMintDevice/default             u:object_r:
  android.hardware.security.keymint.IRemotelyProvisionedComponent/default u:object_r:hal_remotelyprovisionedcomponent_service:s0
  android.hardware.security.secureclock.ISecureClock/default             u:object_r:hal_secureclock_service:s0
  android.hardware.security.sharedsecret.ISharedSecret/default             u:object_r:hal_sharedsecret_service:s0
@@ -13,34 +13,36 @@ index c7f881136..6c3bfc06c 100644
  android.hardware.soundtrigger3.ISoundTriggerHw/default               u:object_r:hal_audio_service:s0
  android.hardware.tv.tuner.ITuner/default                             u:object_r:hal_tv_tuner_service:s0
 diff --git a/vendor/file_contexts b/vendor/file_contexts
-index 0cfb7cf39..65b8a8205 100644
+index 5a8d0aaed..9336123dc 100644
 --- a/vendor/file_contexts
 +++ b/vendor/file_contexts
-@@ -84,6 +84,7 @@
+@@ -85,6 +85,7 @@
  /(vendor|system/vendor)/bin/hw/android\.hardware\.secure_element@1\.0-service u:object_r:hal_secure_element_default_exec:s0
  /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.dice-service\.non-secure-software   u:object_r:hal_dice_default_exec:s0
  /(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service   u:object_r:hal_keymint_default_exec:s0
-+/vendor/bin/hw/android\.hardware\.security\.keymint-service\.strongbox  u:object_r:hal_keymint_strongbox_exec:s0
++/(vendor|system/vendor)/bin/hw/android\.hardware\.security\.keymint-service\.strongbox   u:object_r:hal_keymint_strongbox_exec:s0
  /(vendor|system/vendor)/bin/hw/rild                                           u:object_r:rild_exec:s0
  /(vendor|system/vendor)/bin/hw/android\.hardware\.thermal@1\.[01]-service        u:object_r:hal_thermal_default_exec:s0
  /(vendor|system/vendor)/bin/hw/android\.hardware\.tv\.cec@1\.[01]-service        u:object_r:hal_tv_cec_default_exec:s0
 diff --git a/vendor/hal_keymint_strongbox.te b/vendor/hal_keymint_strongbox.te
 new file mode 100644
-index 000000000..40cb82c3f
+index 000000000..4073d0790
 --- /dev/null
 +++ b/vendor/hal_keymint_strongbox.te
-@@ -0,0 +1,14 @@
-+type hal_keymaster_strongbox, domain;
-+hal_server_domain(hal_keymaster_strongbox, hal_keymaster)
+@@ -0,0 +1,16 @@
++type hal_keymint_strongbox, domain;
++hal_server_domain(hal_keymint_strongbox, hal_keymint)
 +
-+type hal_keymaster_strongbox_exec, exec_type, vendor_file_type, file_type;
-+init_daemon_domain(hal_keymaster_strongbox)
++type hal_keymint_strongbox_exec, exec_type, vendor_file_type, file_type;
++init_daemon_domain(hal_keymint_strongbox)
 +
-+vndbinder_use(hal_keymaster_strongbox)
-+get_prop(hal_keymaster_strongbox, vendor_security_patch_level_prop);
++vndbinder_use(hal_keymint_strongbox)
++get_prop(hal_keymint_strongbox, vendor_security_patch_level_prop);
++
++allow hal_keymint_strongbox secure_element_service:service_manager find;
 +
 +# Allow access to sockets
-+allow hal_keymaster_strongbox self:tcp_socket { connect create write read getattr getopt setopt };
-+allow hal_keymaster_strongbox port_type:tcp_socket name_connect;
-+allow hal_keymaster_strongbox port:tcp_socket { name_connect };
-+allow hal_keymaster_strongbox vendor_data_file:file { open read getattr };
++allow hal_keymint_strongbox self:tcp_socket { connect create write read getattr getopt setopt };
++allow hal_keymint_strongbox port_type:tcp_socket name_connect;
++allow hal_keymint_strongbox port:tcp_socket { name_connect };
++allow hal_keymint_strongbox vendor_data_file:file { open read getattr };

aosp_integration_patches_aosp_12_r15/JavacardKeymaster_remove_omapi.patch

@@ -1,7 +1,20 @@
 diff --git a/HAL/Android.bp b/HAL/Android.bp
-index 557f204..69fead7 100644
+index 557f204..25f0e22 100644
 --- a/HAL/Android.bp
 +++ b/HAL/Android.bp
+@@ -30,9 +30,9 @@ cc_library {
+     ],
+     cflags:["-O0",],
+     shared_libs: [
+-        "android.hardware.security.keymint-V1-ndk",
+-        "android.hardware.security.secureclock-V1-ndk",
+-        "android.hardware.security.sharedsecret-V1-ndk",
++	"android.hardware.security.keymint-V1-ndk_platform",
++        "android.hardware.security.secureclock-V1-ndk_platform",
++        "android.hardware.security.sharedsecret-V1-ndk_platform",
+     	"libbase",
+         "libcppbor_external",
+         "libkeymaster_portable",
 @@ -55,17 +55,13 @@ cc_library {
      vendor_available: true,
      srcs: [
@@ -20,6 +33,17 @@ index 557f204..69fead7 100644
      ],
  }
 
+@@ -83,8 +79,8 @@ cc_binary {
+         "-Wextra",
+     ],
+     shared_libs: [
+-        "android.hardware.security.keymint-V1-ndk",
+-        "android.hardware.security.sharedsecret-V1-ndk",
++	"android.hardware.security.keymint-V1-ndk_platform",
++        "android.hardware.security.sharedsecret-V1-ndk_platform",
+         "libbase",
+         "libbinder_ndk",
+         "libcppbor_external",
 @@ -94,7 +90,6 @@ cc_binary {
          "libjc_keymint_transport",
          "liblog",
@@ -30,7 +54,7 @@ index 557f204..69fead7 100644
          "service.cpp",
 diff --git a/HAL/OmapiTransport.cpp b/HAL/OmapiTransport.cpp
 deleted file mode 100644
-index b7e1dc0..0000000
+index 7c353d8..0000000
 --- a/HAL/OmapiTransport.cpp
 +++ /dev/null
 @@ -1,221 +0,0 @@
@@ -74,7 +98,7 @@ index b7e1dc0..0000000
 -    LOG(DEBUG) << "Initialize the secure element connection";
 -
 -    // Get OMAPI vendor stable service handler
--    ::ndk::SpAIBinder ks2Binder(AServiceManager_getService(omapiServiceName));
+-    ::ndk::SpAIBinder ks2Binder(AServiceManager_checkService(omapiServiceName));
 -    omapiSeService = aidl::android::se::omapi::ISecureElementService::fromBinder(ks2Binder);
 -
 -    if (omapiSeService == nullptr) {
@@ -322,6 +346,15 @@ index 2a53787..0000000
 -};
 -
 -}
+diff --git a/HAL/android.hardware.security.keymint-service.strongbox.rc b/HAL/android.hardware.security.keymint-service.strongbox.rc
+index 7bb96f0..e81bc25 100644
+--- a/HAL/android.hardware.security.keymint-service.strongbox.rc
++++ b/HAL/android.hardware.security.keymint-service.strongbox.rc
+@@ -1,3 +1,3 @@
+ service vendor.keymint-strongbox /vendor/bin/hw/android.hardware.security.keymint-service.strongbox
+     class early_hal
+-    user jc_strongbox
++    user system
 diff --git a/HAL/service.cpp b/HAL/service.cpp
 index 14580f8..3d51877 100644
 --- a/HAL/service.cpp