trusty/confirmationui/NotSoSecureInput.cpp - third_party/android/platform/system/core - Git at Google

 /*
  * Copyright 2020, The Android Open Source Project
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at
  *
  *     http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */

 #include <android-base/logging.h>
 #include <endian.h>
 #include <memory>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
 #include <openssl/sha.h>
 #include <secure_input/evdev.h>
 #include <secure_input/secure_input_device.h>
 #include <teeui/utils.h>

 #include <initializer_list>

 using namespace secure_input;

 using teeui::AuthTokenKey;
 using teeui::ByteBufferProxy;
 using teeui::Hmac;
 using teeui::optional;
 using teeui::ResponseCode;
 using teeui::TestKeyBits;

 constexpr const auto kTestKey = AuthTokenKey::fill(static_cast<uint8_t>(TestKeyBits::BYTE));

 class SecureInputHMacer {
   public:
     static optional<Hmac> hmac256(const AuthTokenKey& key,
                                   std::initializer_list<ByteBufferProxy> buffers) {
         HMAC_CTX hmacCtx;
         HMAC_CTX_init(&hmacCtx);
         if (!HMAC_Init_ex(&hmacCtx, key.data(), key.size(), EVP_sha256(), nullptr)) {
             return {};
         }
         for (auto& buffer : buffers) {
             if (!HMAC_Update(&hmacCtx, buffer.data(), buffer.size())) {
                 return {};
             }
         }
         Hmac result;
         if (!HMAC_Final(&hmacCtx, result.data(), nullptr)) {
             return {};
         }
         return result;
     }
 };

 using HMac = teeui::HMac<SecureInputHMacer>;

 Nonce generateNonce() {
     /*
      * Completely random nonce.
      * Running the secure input protocol from the HAL service is not secure
      * because we don't trust the non-secure world (i.e., HLOS/Android/Linux). So
      * using a constant "nonce" here does not weaken security. If this code runs
      * on a truly trustworthy source of input events this function needs to return
      * hight entropy nonces.
      * As of this writing the call to RAND_bytes is commented, because the
      * emulator this HAL service runs on does not have a good source of entropy.
      * It would block the call to RAND_bytes indefinitely.
      */
     Nonce result{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
                  0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
                  0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04};
     // RAND_bytes(result.data(), result.size());
     return result;
 }

 /**
  * This is an implementation of the SecureInput protocol in unserspace. This is
  * just an example and should not be used as is. The protocol implemented her
  * should be used by a trusted input device that can assert user events with
  * high assurance even if the HLOS kernel is compromised. A confirmationui HAL
  * that links directly against this implementation is not secure and shal not be
  * used on a production device.
  */
 class NotSoSecureInput : public SecureInput {
   public:
     NotSoSecureInput(HsBeginCb hsBeginCb, HsFinalizeCb hsFinalizeCb, DeliverEventCb deliverEventCb,
                      InputResultCb inputResultCb)
         : hsBeginCb_{hsBeginCb}, hsFinalizeCb_{hsFinalizeCb}, deliverEventCb_{deliverEventCb},
           inputResultCb_{inputResultCb}, discardEvents_{true} {}

     operator bool() const override { return true; }

     void handleEvent(const EventDev& evdev) override {
         bool gotEvent;
         input_event evt;
         std::tie(gotEvent, evt) = evdev.readEvent();
         while (gotEvent) {
             if (!(discardEvents_) && evt.type == EV_KEY &&
                 (evt.code == KEY_POWER || evt.code == KEY_VOLUMEDOWN || evt.code == KEY_VOLUMEUP) &&
                 evt.value == 1) {
                 DTupKeyEvent event = DTupKeyEvent::RESERVED;

                 // Translate the event code into DTupKeyEvent which the TA understands.
                 switch (evt.code) {
                 case KEY_POWER:
                     event = DTupKeyEvent::PWR;
                     break;
                 case KEY_VOLUMEDOWN:
                     event = DTupKeyEvent::VOL_DOWN;
                     break;
                 case KEY_VOLUMEUP:
                     event = DTupKeyEvent::VOL_UP;
                     break;
                 }

                 // The event goes into the HMAC in network byte order.
                 uint32_t keyEventBE = htobe32(static_cast<uint32_t>(event));
                 auto signature = HMac::hmac256(kTestKey, kConfirmationUIEventLabel,
                                                teeui::bytesCast(keyEventBE), nCi_);

                 teeui::ResponseCode rc;
                 InputResponse ir;
                 auto response = std::tie(rc, ir);
                 if (event != DTupKeyEvent::RESERVED) {
                     response = deliverEventCb_(event, *signature);
                     if (rc != ResponseCode::OK) {
                         LOG(ERROR) << "DeliverInputEvent returned with " << uint32_t(rc);
                         inputResultCb_(rc);
                     } else {
                         switch (ir) {
                         case InputResponse::OK:
                             inputResultCb_(rc);
                             break;
                         case InputResponse::PENDING_MORE:
                             rc = performDTUPHandshake();
                             if (rc != ResponseCode::OK) {
                                 inputResultCb_(rc);
                             }
                             break;
                         case InputResponse::TIMED_OUT:
                             inputResultCb_(rc);
                             break;
                         }
                     }
                 }
             }
             std::tie(gotEvent, evt) = evdev.readEvent();
         }
     }

     void start() override {
         auto rc = performDTUPHandshake();
         if (rc != ResponseCode::OK) {
             inputResultCb_(rc);
         }
         discardEvents_ = false;
     };

   private:
     teeui::ResponseCode performDTUPHandshake() {
         ResponseCode rc;
         LOG(INFO) << "Start handshake";
         Nonce nCo;
         std::tie(rc, nCo) = hsBeginCb_();
         if (rc != ResponseCode::OK) {
             LOG(ERROR) << "Failed to begin secure input handshake (" << uint32_t(rc) << ")";
             return rc;
         }

         nCi_ = generateNonce();
         rc =
             hsFinalizeCb_(*HMac::hmac256(kTestKey, kConfirmationUIHandshakeLabel, nCo, nCi_), nCi_);

         if (rc != ResponseCode::OK) {
             LOG(ERROR) << "Failed to finalize secure input handshake (" << uint32_t(rc) << ")";
             return rc;
         }
         return ResponseCode::OK;
     }

     HsBeginCb hsBeginCb_;
     HsFinalizeCb hsFinalizeCb_;
     DeliverEventCb deliverEventCb_;
     InputResultCb inputResultCb_;

     std::atomic_bool discardEvents_;
     Nonce nCi_;
 };

 namespace secure_input {

 std::shared_ptr<SecureInput> createSecureInput(SecureInput::HsBeginCb hsBeginCb,
                                                SecureInput::HsFinalizeCb hsFinalizeCb,
                                                SecureInput::DeliverEventCb deliverEventCb,
                                                SecureInput::InputResultCb inputResultCb) {
     return std::make_shared<NotSoSecureInput>(hsBeginCb, hsFinalizeCb, deliverEventCb,
                                               inputResultCb);
 }

 }  // namespace secure_input
	/*
	* Copyright 2020, The Android Open Source Project
	*
	* Licensed under the Apache License, Version 2.0 (the "License");
	* you may not use this file except in compliance with the License.
	* You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing, software
	* distributed under the License is distributed on an "AS IS" BASIS,
	* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	* See the License for the specific language governing permissions and
	* limitations under the License.
	*/

	#include <android-base/logging.h>
	#include <endian.h>
	#include <memory>
	#include <openssl/hmac.h>
	#include <openssl/rand.h>
	#include <openssl/sha.h>
	#include <secure_input/evdev.h>
	#include <secure_input/secure_input_device.h>
	#include <teeui/utils.h>

	#include <initializer_list>

	using namespace secure_input;

	using teeui::AuthTokenKey;
	using teeui::ByteBufferProxy;
	using teeui::Hmac;
	using teeui::optional;
	using teeui::ResponseCode;
	using teeui::TestKeyBits;

	constexpr const auto kTestKey = AuthTokenKey::fill(static_cast<uint8_t>(TestKeyBits::BYTE));

	class SecureInputHMacer {
	public:
	static optional<Hmac> hmac256(const AuthTokenKey& key,
	std::initializer_list<ByteBufferProxy> buffers) {
	HMAC_CTX hmacCtx;
	HMAC_CTX_init(&hmacCtx);
	if (!HMAC_Init_ex(&hmacCtx, key.data(), key.size(), EVP_sha256(), nullptr)) {
	return {};
	}
	for (auto& buffer : buffers) {
	if (!HMAC_Update(&hmacCtx, buffer.data(), buffer.size())) {
	return {};
	}
	}
	Hmac result;
	if (!HMAC_Final(&hmacCtx, result.data(), nullptr)) {
	return {};
	}
	return result;
	}
	};

	using HMac = teeui::HMac<SecureInputHMacer>;

	Nonce generateNonce() {
	/*
	* Completely random nonce.
	* Running the secure input protocol from the HAL service is not secure
	* because we don't trust the non-secure world (i.e., HLOS/Android/Linux). So
	* using a constant "nonce" here does not weaken security. If this code runs
	* on a truly trustworthy source of input events this function needs to return
	* hight entropy nonces.
	* As of this writing the call to RAND_bytes is commented, because the
	* emulator this HAL service runs on does not have a good source of entropy.
	* It would block the call to RAND_bytes indefinitely.
	*/
	Nonce result{0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04,
	0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04};
	// RAND_bytes(result.data(), result.size());
	return result;
	}

	/**
	* This is an implementation of the SecureInput protocol in unserspace. This is
	* just an example and should not be used as is. The protocol implemented her
	* should be used by a trusted input device that can assert user events with
	* high assurance even if the HLOS kernel is compromised. A confirmationui HAL
	* that links directly against this implementation is not secure and shal not be
	* used on a production device.
	*/
	class NotSoSecureInput : public SecureInput {
	public:
	NotSoSecureInput(HsBeginCb hsBeginCb, HsFinalizeCb hsFinalizeCb, DeliverEventCb deliverEventCb,
	InputResultCb inputResultCb)
	: hsBeginCb_{hsBeginCb}, hsFinalizeCb_{hsFinalizeCb}, deliverEventCb_{deliverEventCb},
	inputResultCb_{inputResultCb}, discardEvents_{true} {}

	operator bool() const override { return true; }

	void handleEvent(const EventDev& evdev) override {
	bool gotEvent;
	input_event evt;
	std::tie(gotEvent, evt) = evdev.readEvent();
	while (gotEvent) {
	if (!(discardEvents_) && evt.type == EV_KEY &&
	(evt.code == KEY_POWER \|\| evt.code == KEY_VOLUMEDOWN \|\| evt.code == KEY_VOLUMEUP) &&
	evt.value == 1) {
	DTupKeyEvent event = DTupKeyEvent::RESERVED;

	// Translate the event code into DTupKeyEvent which the TA understands.
	switch (evt.code) {
	case KEY_POWER:
	event = DTupKeyEvent::PWR;
	break;
	case KEY_VOLUMEDOWN:
	event = DTupKeyEvent::VOL_DOWN;
	break;
	case KEY_VOLUMEUP:
	event = DTupKeyEvent::VOL_UP;
	break;
	}

	// The event goes into the HMAC in network byte order.
	uint32_t keyEventBE = htobe32(static_cast<uint32_t>(event));
	auto signature = HMac::hmac256(kTestKey, kConfirmationUIEventLabel,
	teeui::bytesCast(keyEventBE), nCi_);

	teeui::ResponseCode rc;
	InputResponse ir;
	auto response = std::tie(rc, ir);
	if (event != DTupKeyEvent::RESERVED) {
	response = deliverEventCb_(event, *signature);
	if (rc != ResponseCode::OK) {
	LOG(ERROR) << "DeliverInputEvent returned with " << uint32_t(rc);
	inputResultCb_(rc);
	} else {
	switch (ir) {
	case InputResponse::OK:
	inputResultCb_(rc);
	break;
	case InputResponse::PENDING_MORE:
	rc = performDTUPHandshake();
	if (rc != ResponseCode::OK) {
	inputResultCb_(rc);
	}
	break;
	case InputResponse::TIMED_OUT:
	inputResultCb_(rc);
	break;
	}
	}
	}
	}
	std::tie(gotEvent, evt) = evdev.readEvent();
	}
	}

	void start() override {
	auto rc = performDTUPHandshake();
	if (rc != ResponseCode::OK) {
	inputResultCb_(rc);
	}
	discardEvents_ = false;
	};

	private:
	teeui::ResponseCode performDTUPHandshake() {
	ResponseCode rc;
	LOG(INFO) << "Start handshake";
	Nonce nCo;
	std::tie(rc, nCo) = hsBeginCb_();
	if (rc != ResponseCode::OK) {
	LOG(ERROR) << "Failed to begin secure input handshake (" << uint32_t(rc) << ")";
	return rc;
	}

	nCi_ = generateNonce();
	rc =
	hsFinalizeCb_(*HMac::hmac256(kTestKey, kConfirmationUIHandshakeLabel, nCo, nCi_), nCi_);

	if (rc != ResponseCode::OK) {
	LOG(ERROR) << "Failed to finalize secure input handshake (" << uint32_t(rc) << ")";
	return rc;
	}
	return ResponseCode::OK;
	}

	HsBeginCb hsBeginCb_;
	HsFinalizeCb hsFinalizeCb_;
	DeliverEventCb deliverEventCb_;
	InputResultCb inputResultCb_;

	std::atomic_bool discardEvents_;
	Nonce nCi_;
	};

	namespace secure_input {

	std::shared_ptr<SecureInput> createSecureInput(SecureInput::HsBeginCb hsBeginCb,
	SecureInput::HsFinalizeCb hsFinalizeCb,
	SecureInput::DeliverEventCb deliverEventCb,
	SecureInput::InputResultCb inputResultCb) {
	return std::make_shared<NotSoSecureInput>(hsBeginCb, hsFinalizeCb, deliverEventCb,
	inputResultCb);
	}

	} // namespace secure_input