From baca2ae10d02f534da1a2b3dcf63947ce0ab85c0 Mon Sep 17 00:00:00 2001
From: avinashhedage
Date: Wed, 3 Aug 2022 06:15:26 +0000
Subject: [PATCH 1/2] updated provision status condition check for INS_OEM_LOCK_PROVISIONING_CMD command
---
 .../src/com/android/javacard/keymaster/KMAndroidSEApplet.java | 4 ++--
 .../src/com/android/javacard/keymaster/KMJCardSimApplet.java | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
index e09e1ec1..c487bbab 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
@@ -1,4 +1,4 @@
-/*
+///*
 * Copyright(C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -505,7 +505,7 @@ private void processGetProvisionStatusCmd(APDU apdu) {
 private boolean isProvisioningComplete() {
 short pStatus = kmDataStore.getProvisionStatus();
 short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN |
- PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+ PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
 if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
 return true;
 }
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
index 81103c3b..2777556a 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
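Review bot: The completeness mask in `isProvisioningComplete()` (hunk `@@ -505,7 +505,7 @@`) is built inline here and again, identically, in the KMJCardSimApplet hunk `@@ -561,7 +561,7 @@`, so the two providers can drift on which items must be present before provisioning counts as complete. One shared constant used by both applets (a new name such as `PROVISION_STATUS_COMPLETE`, placed wherever the `PROVISION_STATUS_*` bits are declared, which is not visible here) would keep them aligned. The `kmDataStore.isProvisionLocked() ||` short-circuit also deserves a comment, since an already locked device returns true without the new `PROVISION_STATUS_OEM_PUBLIC_KEY` bit being examined, for example `// a locked device is treated as complete regardless of the status bits, including devices locked before OEM_PUBLIC_KEY was required`. The method continues past the end of the hunk.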
@@ -561,7 +561,7 @@ private void processSetBootParamsCmd(APDU apdu) {
 private boolean isProvisioningComplete() {
 short pStatus = kmDataStore.getProvisionStatus();
 short pCompleteStatus = PROVISION_STATUS_DEVICE_UNIQUE_KEYPAIR | PROVISION_STATUS_ADDITIONAL_CERT_CHAIN |
- PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS;
+ PROVISION_STATUS_PRESHARED_SECRET | PROVISION_STATUS_ATTEST_IDS | PROVISION_STATUS_OEM_PUBLIC_KEY;
 if (kmDataStore.isProvisionLocked() || (pCompleteStatus == (pStatus & pCompleteStatus))) {
 return true;
 }
From 047e05071f4592b76d7d7f28484756afa0bc443d Mon Sep 17 00:00:00 2001
From: avinashhedage
Date: Wed, 3 Aug 2022 11:13:55 +0000
Subject: [PATCH 2/2] Aligned keymint provision instruction commands with keymaster
---
 .../javacard/keymaster/KMAndroidSEApplet.java | 26 +++++++-------
 .../javacard/keymaster/KMJCardSimApplet.java | 36 +++++++++----------
 ProvisioningTool/include/constants.h | 22 ++++++------
 3 files changed, 43 insertions(+), 41 deletions(-)
diff --git a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
index c487bbab..f2ae1c64 100644
--- a/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
+++ b/Applet/AndroidSEProvider/src/com/android/javacard/keymaster/KMAndroidSEApplet.java
@@ -1,4 +1,4 @@
-///*
+/*
 * Copyright(C) 2020 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
@@ -43,22 +43,22 @@ public class KMAndroidSEApplet extends KMKeymasterApplet implements OnUpgradeLis
 // Provider specific Commands
 private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
- private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
+ private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
 private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 2;
- private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
- private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
+ INS_KEYMINT_PROVIDER_APDU_START + 4;
 private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+ private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+ private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+ //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+ //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+ private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+ private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+ private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
 private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 6;
+ INS_KEYMINT_PROVIDER_APDU_START + 13;
 private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 7;
- private static final byte INS_SET_BOOT_ENDED_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
- private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
- private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
- private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-
+ INS_KEYMINT_PROVIDER_APDU_START + 14;
+ private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
 public static final byte BOOT_KEY_MAX_SIZE = 32;
 public static final byte BOOT_HASH_MAX_SIZE = 32;
diff --git a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
index 2777556a..9d4a6bef 100644
--- a/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
+++ b/Applet/JCardSimProvider/src/com/android/javacard/keymaster/KMJCardSimApplet.java
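Review bot: The renumbering in hunk `@@ -43,22 +43,22 @@` reuses instruction codes that previously meant a different provisioning operation, and nothing visible here lets the applet tell a host built against the old numbering from a new one. For example 6 moves from `INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD` to `INS_OEM_LOCK_PROVISIONING_CMD` and 10 from `INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD` to `INS_SE_FACTORY_PROVISIONING_LOCK_CMD`, so a tool from before this series would reach a lock handler with a payload meant for another command. Whether those handlers reject such a payload is decided in dispatch code outside the hunk and should be confirmed. The pairing should also be recorded above the table, e.g. `// INS values must match ProvisioningTool/include/constants.h; hosts built against the old numbering are incompatible`. The same table is repeated in the KMJCardSimApplet hunk `@@ -30,24 +30,24 @@` and in constants.h, so all three must change together, and `INS_KEYMINT_PROVIDER_APDU_END = 0x1F` is declared without any use in this hunk.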
@@ -30,24 +30,24 @@ public class KMJCardSimApplet extends KMKeymasterApplet {
 private static final byte ILLEGAL_STATE = KM_BEGIN_STATE + 1;
 private static final short POWER_RESET_MASK_FLAG = (short) 0x4000;
- // Provider specific Commands
- private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
- private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 1;
- private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 2;
- private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
- private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 4;
- private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5;
- private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 6;
- private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 7;
- private static final byte INS_SET_BOOT_ENDED_CMD =
- INS_KEYMINT_PROVIDER_APDU_START + 8; //unused
- private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 9;
- private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
- private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
-
+//Provider specific Commands
+ private static final byte INS_KEYMINT_PROVIDER_APDU_START = 0x00;
+ private static final byte INS_PROVISION_ATTEST_IDS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 3;
+ private static final byte INS_PROVISION_PRESHARED_SECRET_CMD =
+ INS_KEYMINT_PROVIDER_APDU_START + 4;
+ private static final byte INS_SET_BOOT_PARAMS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 5; // Unused
+ private static final byte INS_OEM_LOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 6;
+ private static final byte INS_GET_PROVISION_STATUS_CMD = INS_KEYMINT_PROVIDER_APDU_START + 7;
+ //0x08 was reserved for INS_INIT_STRONGBOX_CMD
+ //0x09 was reserved for INS_SET_BOOT_ENDED_CMD earlier. it is unused now.
+ private static final byte INS_SE_FACTORY_PROVISIONING_LOCK_CMD = INS_KEYMINT_PROVIDER_APDU_START + 10;
+ private static final byte INS_PROVISION_OEM_ROOT_PUBLIC_KEY_CMD = INS_KEYMINT_PROVIDER_APDU_START + 11;
+ private static final byte INS_OEM_UNLOCK_PROVISIONING_CMD = INS_KEYMINT_PROVIDER_APDU_START + 12;
+ private static final byte INS_PROVISION_RKP_DEVICE_UNIQUE_KEYPAIR_CMD =
+ INS_KEYMINT_PROVIDER_APDU_START + 13;
+ private static final byte INS_PROVISION_RKP_ADDITIONAL_CERT_CHAIN_CMD =
+ INS_KEYMINT_PROVIDER_APDU_START + 14;
+ private static final byte INS_KEYMINT_PROVIDER_APDU_END = 0x1F;
 public static final byte BOOT_KEY_MAX_SIZE = 32;
 public static final byte BOOT_HASH_MAX_SIZE = 32;
diff --git a/ProvisioningTool/include/constants.h b/ProvisioningTool/include/constants.h
index 62c2efcc..89d7413a 100644
--- a/ProvisioningTool/include/constants.h
+++ b/ProvisioningTool/include/constants.h
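Review bot: The `// Unused` comment newly attached to `INS_SET_BOOT_PARAMS_CMD` looks carried over from KMAndroidSEApplet and may not hold for this provider, because the header of the earlier KMJCardSimApplet hunk (`@@ -561,7 +561,7 @@`) shows a `processSetBootParamsCmd(APDU apdu)` method in this class. If the simulator still dispatches that instruction, the comment should say so, e.g. `// handled by processSetBootParamsCmd in this provider`; the dispatch code is outside the hunk, so this needs checking against the full file. Dropping `INS_SET_BOOT_ENDED_CMD` likewise assumes no remaining reference to it elsewhere in the class. The replacement comment `//Provider specific Commands` also lost its indentation relative to the declarations below it.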
@@ -101,14 +101,16 @@ constexpr char kSeFactoryProvisionLock[] = "se_factory_lock";
 constexpr char kUnLockProvision[] = "unlock_provision";
 // Instruction constatnts
-// TODO Modify according to keymint
-constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 1;
-constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 2;
-constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 3;
-constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 4;
+constexpr int kAttestationIdsCmd = INS_BEGIN_KM_CMD + 3;
+constexpr int kPresharedSecretCmd = INS_BEGIN_KM_CMD + 4;
 constexpr int kBootParamsCmd = INS_BEGIN_KM_CMD + 5;
-constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 6;
-constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 7;
-constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 9;
-constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 10;
-constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemLockProvisionCmd = INS_BEGIN_KM_CMD + 6;
+constexpr int kGetProvisionStatusCmd = INS_BEGIN_KM_CMD + 7;
+constexpr int kSeFactoryLockCmd = INS_BEGIN_KM_CMD + 10;
+constexpr int kOemRootPublicKeyCmd = INS_BEGIN_KM_CMD + 11;
+constexpr int kOemUnLockProvisionCmd = INS_BEGIN_KM_CMD + 12;
+constexpr int kDeviceUniqueKeyCmd = INS_BEGIN_KM_CMD + 13;
+constexpr int kAdditionalCertChainCmd = INS_BEGIN_KM_CMD + 14;
+
+
+
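Review bot: The host-side table loses its `TODO` but gains no statement of what it has to agree with, and the gaps at 8 and 9 are explained only in the Java files. A comment above the block such as `// Must match the INS_* values in KMAndroidSEApplet.java and KMJCardSimApplet.java; 8 and 9 are reserved` would make a mismatch visible in review. The values are offsets from `INS_BEGIN_KM_CMD`, which is defined outside this hunk, so its agreement with the applets' `INS_KEYMINT_PROVIDER_APDU_START = 0x00` should be confirmed. The three blank lines added at the end of the file are noise and can be dropped.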