2 * Copyright (c) 2015-2021 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
19 * @author Lukasz Kostyra (l.kostyra@samsung.com)
22 #include <dpl/log/log.h>
24 #include <crypto-backend.h>
26 #include <platform/decider.h>
28 #include <generic-backend/exception.h>
30 #ifdef TZ_BACKEND_ENABLED
31 #include <tz-backend/tz-context.h>
32 #endif // TZ_BACKEND_ENABLED
// Constructor member initialisers (excerpt: the constructor signature and the
// closing #endif are not shown in this listing). m_swStore is always
// initialised with CryptoBackend::OpenSSL; m_tzStore is compiled in only when
// TZ_BACKEND_ENABLED is defined.
38 : m_swStore(CryptoBackend::OpenSSL)
39 #ifdef TZ_BACKEND_ENABLED
40 , m_tzStore(CryptoBackend::TrustZone)
// Returns the store matching the backend id carried by an existing token.
// Excerpt: the assignments to gStore, the condition guarding the throw and the
// return statement are not shown in this listing.
45 GStore &Decider::getStore(const Token &token)
47 GStore *gStore = NULL;
// Selection is driven by token.backendId alone; no policy check is visible here.
49 if (token.backendId == CryptoBackend::OpenSSL)
51 #ifdef TZ_BACKEND_ENABLED
// The TrustZone comparison exists only in TZ builds.
// NOTE(review): in a build without TZ_BACKEND_ENABLED a TrustZone token
// presumably leaves gStore NULL and ends in the error below instead of being
// served by the software store - confirm against the full source.
52 if (token.backendId == CryptoBackend::TrustZone)
// Error path: the message carries the numeric backend id that could not be served.
58 ThrowErr(Exc::Crypto::InternalError,
59 "Backend not available. BackendId: ",
60 static_cast<int>(token.backendId));
// Probes a single backend and returns a pointer to its store.
// Excerpt: the switch header, the return statements and the #endif are not
// shown. The caller getStore(DataType, ...) compares the result with nullptr.
63 GStore* Decider::tryBackend(CryptoBackend backend)
66 case CryptoBackend::OpenSSL:
68 case CryptoBackend::TrustZone:
69 #ifdef TZ_BACKEND_ENABLED
// Availability probe: obtains the TrustZoneContext singleton; per the log text
// this is where the TA session is opened.
71 LogDebug("Trying to open TA session...");
72 TZ::Internals::TrustZoneContext::Instance();
73 LogDebug("...succeeded. Selecting TZ backend.");
// Exc::Crypto::InternalError is the only handler visible in this excerpt.
// NOTE(review): the failure is recorded at debug level only. If the caller
// then falls back to the OpenSSL store, that hardware-to-software downgrade
// may leave no trace in non-debug logs - consider a warning-level message.
75 } catch (const Exc::Crypto::InternalError& e) {
76 LogDebug("...failed.");
86 * operation encrypted type extractable backend
87 * ----------------------------------------------
88 * import FALSE binary - TZ/SW
98 * generate - binary FALSE TZ/SW
// Builds the ordered list of backends permitted for an operation (see the
// operation/type/extractable table in the comment above).
// Excerpt: the remaining parameters, the statements that connect the fragments
// below and the return are not shown in this listing.
106 std::deque<CryptoBackend> Decider::getCompatibleBackends(DataType data,
107 const Policy &policy,
111 std::deque<CryptoBackend> backends;
// Software backend: appended at the back unless the policy forces hardware.
114 if (policy.backend != CKM::PolicyBackend::FORCE_HARDWARE)
115 backends.push_back(CryptoBackend::OpenSSL);
119 #ifdef TZ_BACKEND_ENABLED
// TrustZone backend: inserted at the front, so it precedes OpenSSL when both
// are listed, unless the policy forces software. In the visible code a
// FORCE_HARDWARE policy in a build without TZ_BACKEND_ENABLED adds neither
// backend; getStore(DataType, ...) rejects an empty list with
// Exc::Crypto::InputParam.
120 if (policy.backend != CKM::PolicyBackend::FORCE_SOFTWARE)
121 backends.push_front(CryptoBackend::TrustZone);
// Data-type and extractability gates.
// NOTE(review): which backend each condition admits is not visible in this
// excerpt - confirm against the table above and the full source.
129 if (data.isBinaryData() || (data.isSKey() && !policy.extractable))
131 } else { // generate/derive
134 if (!data.isCertificate() && !data.isChainCert()) {
137 if (!policy.extractable)
// Selects the store for a new operation: obtains the candidate list from
// getCompatibleBackends() and probes the candidates in order with tryBackend().
// Excerpt: the statement executed when a probe succeeds is not shown.
144 GStore &Decider::getStore(DataType data, const Policy &policy, bool import, bool encrypted)
146 auto backends = getCompatibleBackends(data, policy, import, encrypted);
// No backend is compatible with this data type and policy: thrown as
// Exc::Crypto::InputParam rather than as an internal error.
147 if (backends.empty())
148 ThrowErr(Exc::Crypto::InputParam, "No backend supports this operation.");
// Candidates are tried in deque order.
// NOTE(review): when TrustZone and OpenSSL are both listed, a failed TrustZone
// probe presumably ends with the OpenSSL store being chosen. Callers that
// require hardware-backed keys need PolicyBackend::FORCE_HARDWARE so that
// OpenSSL is never a candidate - confirm against the full source.
150 for (auto id : backends) {
151 auto backend = tryBackend(id);
152 if (backend != nullptr)
// Every compatible candidate failed its probe.
155 ThrowErr(Exc::Crypto::InternalError, "Failed to connect to a compatible backend.");
// Tests whether requestedBackend is among the backends compatible with the
// given data type, policy and import flag.
// Excerpt: the return statements are not shown. Only the compatibility list is
// consulted in the visible lines; tryBackend() is not called, so availability
// of the backend is not probed here.
158 bool Decider::checkStore(CryptoBackend requestedBackend, DataType data, const Policy &policy, bool import)
// `encrypted` is not passed; the declaration presumably supplies a default - confirm.
160 auto backends = getCompatibleBackends(data, policy, import);
161 for (auto id : backends) {
162 if (id == requestedBackend)
168 } // namespace Crypto