2 * Copyright (c) 2015-2021 Samsung Electronics Co., Ltd. All rights reserved
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License
18 * @author Bartłomiej Grzelewski (b.grzelewski@samsung.com)
19 * @author Lukasz Kostyra (l.kostyra@samsung.com)
22 #include <dpl/log/log.h>
24 #include <crypto-backend.h>
26 #include <platform/decider.h>
28 #include <generic-backend/exception.h>
30 #ifdef TZ_BACKEND_ENABLED
31 #include <tz-backend/tz-context.h>
32 #endif // TZ_BACKEND_ENABLED
38 : m_swStore(CryptoBackend::OpenSSL)
39 #ifdef TZ_BACKEND_ENABLED
40 , m_tzStore(CryptoBackend::TrustZone)
45 GStore* Decider::getStore(const CryptoBackend &backendId)
47 GStore *gStore = nullptr;
49 if (backendId == CryptoBackend::OpenSSL)
51 #ifdef TZ_BACKEND_ENABLED
52 if (backendId == CryptoBackend::TrustZone)
58 GStore &Decider::getStore(const Token &token)
60 auto store = getStore(token.backendId);
64 ThrowErr(Exc::Crypto::InternalError,
65 "Backend not available. BackendId: ",
66 static_cast<int>(token.backendId));
69 GStore* Decider::tryBackend(CryptoBackend backend)
72 case CryptoBackend::OpenSSL:
74 case CryptoBackend::TrustZone:
75 #ifdef TZ_BACKEND_ENABLED
77 LogDebug("Trying to open TA session...");
78 TZ::Internals::TrustZoneContext::Instance();
79 LogDebug("...succeeded. Selecting TZ backend.");
81 } catch (const Exc::Crypto::InternalError& e) {
82 LogDebug("...failed.");
92 * operation encrypted type extractable backend
93 * ----------------------------------------------
94 * import FALSE binary * TZ/SW
100 * ----------------------------------------------
101 * import TRUE binary * TZ
107 * ----------------------------------------------
108 * generate N/A binary * TZ/SW
115 std::deque<CryptoBackend> Decider::getCompatibleBackends(DataType data,
116 const Policy &policy,
120 std::deque<CryptoBackend> backends;
123 if (policy.backend != CKM::PolicyBackend::FORCE_HARDWARE)
124 backends.push_back(CryptoBackend::OpenSSL);
128 #ifdef TZ_BACKEND_ENABLED
129 if (policy.backend != CKM::PolicyBackend::FORCE_SOFTWARE)
130 backends.push_front(CryptoBackend::TrustZone);
138 if (data.isBinaryData() || (data.isKey() && !policy.extractable))
140 } else { // generate/derive
143 if (!data.isCertificate() && !data.isChainCert()) {
146 if (data.isBinaryData() || !policy.extractable)
153 GStore &Decider::getStore(DataType data, const Policy &policy, bool import, bool encrypted)
155 auto backends = getCompatibleBackends(data, policy, import, encrypted);
156 if (backends.empty())
157 ThrowErr(Exc::Crypto::InputParam, "No backend supports this operation.");
159 for (auto id : backends) {
160 auto backend = tryBackend(id);
161 if (backend != nullptr)
164 ThrowErr(Exc::Crypto::InternalError, "Failed to connect to a compatible backend.");
167 bool Decider::checkStore(CryptoBackend requestedBackend,
169 const Policy &policy,
173 auto backends = getCompatibleBackends(data, policy, import, encrypted);
174 for (auto id : backends) {
175 if (id == requestedBackend)
181 } // namespace Crypto