+CryptoBackend chooseCryptoBackend(const DataParams& params)
+{
+#ifdef TZ_BACKEND_ENABLED
+ if (params.size() != 1 && params.size() != 2) {
+ ThrowErr(Exc::Crypto::InternalError, "Invalid number of key parameters provided to decider");
+ }
+
+ // user directly point proper backend - we will not discuss with it
+ if (params[0].policy.backend == CKM::PolicyBackend::FORCE_SOFTWARE)
+ return CryptoBackend::OpenSSL;
+
+ // user directly point proper backend - we will not discuss with it
+ if (params[0].policy.backend == CKM::PolicyBackend::FORCE_HARDWARE)
+ return CryptoBackend::TrustZone;
+
+ if (params.size() == 1) {
+ // For now only software backend supports device encyption key
+ // TODO tz-backend could support the master key, but it would require
+ // hardcoding a known key ID and querying TA whether the key is
+ // reachable
+ if (params[0].encrypted) {
+ return CryptoBackend::OpenSSL;
+ }
+
+ // tz-backend allows only for data binary export
+ if (params[0].policy.extractable && !params[0].data.isBinaryData()) {
+ return CryptoBackend::OpenSSL;
+ }
+
+ // Use TrustZone only with symmetric keys or unencrypted binary
+ // data until asymmetric cryptography is implemented
+ if (!params[0].data.isSKey() && !params[0].data.isBinaryData()) {
+ return CryptoBackend::OpenSSL;
+ }
+ } else if (params.size() == 2) {
+ // extractable private key can only be handled by OpenSSL
+ if (params[0].policy.extractable) {
+ return CryptoBackend::OpenSSL;
+ }
+
+ // ECDSA algorithm is unsupported by GP API 1.0
+ if (params[0].data.isEllipticCurve() || params[1].data.isEllipticCurve()) {
+ return CryptoBackend::OpenSSL;
+ }
+ }
+
+ try {
+ LogDebug("Trying to open TA session...");
+ TZ::Internals::TrustZoneContext::Instance();
+ } catch (const Exc::Crypto::InternalError& e) {
+ LogDebug("...failed. Selecting SW backend.");
+ return CryptoBackend::OpenSSL;
+ }
+
+ LogDebug("...succeeded. Selecting TZ backend.");
+ return CryptoBackend::TrustZone;
+
+#else // TZ_BACKEND_ENABLED
+ (void) params;
+ return CryptoBackend::OpenSSL;
+#endif // TZ_BACKEND_ENABLED