Convert raw pointer members to references.
This is now allowed by the style guide. The benefit is to lock down
reassignment and make nullability clearer.
Test: launch_cvd
Change-Id: I180e5d8ff471306eb63fdae1004b3d329468918a
diff --git a/host/commands/secure_env/encrypted_serializable.cpp b/host/commands/secure_env/encrypted_serializable.cpp
index d18ee97..3845212 100644
--- a/host/commands/secure_env/encrypted_serializable.cpp
+++ b/host/commands/secure_env/encrypted_serializable.cpp
@@ -24,22 +24,22 @@
#include "host/commands/secure_env/tpm_serialize.h"
EncryptedSerializable::EncryptedSerializable(
- TpmResourceManager* resource_manager,
- std::function<TpmObjectSlot(TpmResourceManager*)> parent_key_fn,
- Serializable* wrapped) :
+ TpmResourceManager& resource_manager,
+ std::function<TpmObjectSlot(TpmResourceManager&)> parent_key_fn,
+ Serializable& wrapped) :
resource_manager_(resource_manager),
parent_key_fn_(parent_key_fn),
wrapped_(wrapped) {
}
static bool CreateKey(
- TpmResourceManager* resource_manager, // in
+ TpmResourceManager& resource_manager, // in
ESYS_TR parent_key, // in
TPM2B_PUBLIC* key_public_out, // out
TPM2B_PRIVATE* key_private_out, // out
TpmObjectSlot* key_slot_out) { // out
TPM2B_AUTH authValue = {};
- auto rc = Esys_TR_SetAuth(resource_manager->Esys(), parent_key, &authValue);
+ auto rc = Esys_TR_SetAuth(resource_manager.Esys(), parent_key, &authValue);
if (rc != TSS2_RC_SUCCESS) {
LOG(ERROR) << "Esys_TR_SetAuth failed with return code " << rc
<< " (" << Tss2_RC_Decode(rc) << ")";
@@ -76,7 +76,7 @@
TPM2B_SENSITIVE_CREATE in_sensitive = {};
- auto key_slot = resource_manager->ReserveSlot();
+ auto key_slot = resource_manager.ReserveSlot();
if (!key_slot) {
LOG(ERROR) << "No slots available";
return false;
@@ -87,7 +87,7 @@
TPM2B_PRIVATE* key_private = nullptr;
// TODO(schuffelen): Use Esys_Create when key_slot is NULL
rc = Esys_CreateLoaded(
- /* esysContext */ resource_manager->Esys(),
+ /* esysContext */ resource_manager.Esys(),
/* primaryHandle */ parent_key,
/* shandle1 */ ESYS_TR_PASSWORD,
/* shandle2 */ ESYS_TR_NONE,
@@ -110,7 +110,7 @@
Esys_Free(key_public);
Esys_Free(key_private);
if (key_slot_out) {
- rc = Esys_TR_SetAuth(resource_manager->Esys(), raw_handle, &authValue);
+ rc = Esys_TR_SetAuth(resource_manager.Esys(), raw_handle, &authValue);
if (rc != TSS2_RC_SUCCESS) {
LOG(ERROR) << "Esys_TR_SetAuth failed with return code " << rc
<< " (" << Tss2_RC_Decode(rc) << ")";
@@ -124,19 +124,19 @@
}
static TpmObjectSlot LoadKey(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
ESYS_TR parent_key,
const TPM2B_PUBLIC* key_public,
const TPM2B_PRIVATE* key_private) {
// TODO
ESYS_TR raw_handle;
- auto key_slot = resource_manager->ReserveSlot();
+ auto key_slot = resource_manager.ReserveSlot();
if (!key_slot) {
LOG(ERROR) << "No slots available";
return {};
}
auto rc = Esys_Load(
- resource_manager->Esys(),
+ resource_manager.Esys(),
parent_key,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -171,7 +171,7 @@
// Assumes all created keys will have the same size.
SerializeTpmKeyPublic serialize_public(&key_public);
SerializeTpmKeyPrivate serialize_private(&key_private);
- auto encrypted_size = RoundUpToBlockSize(wrapped_->SerializedSize());
+ auto encrypted_size = RoundUpToBlockSize(wrapped_.SerializedSize());
return serialize_public.SerializedSize()
+ serialize_private.SerializedSize()
+ sizeof(uint32_t)
@@ -195,19 +195,19 @@
return buf;
}
- auto wrapped_size = wrapped_->SerializedSize();
+ auto wrapped_size = wrapped_.SerializedSize();
auto encrypted_size = RoundUpToBlockSize(wrapped_size);
std::vector<uint8_t> unencrypted(encrypted_size + 1, 0);
auto unencrypted_buf = unencrypted.data();
auto unencrypted_buf_end = unencrypted_buf + unencrypted.size();
- auto next_buf = wrapped_->Serialize(unencrypted_buf, unencrypted_buf_end);
+ auto next_buf = wrapped_.Serialize(unencrypted_buf, unencrypted_buf_end);
if (next_buf - unencrypted_buf != wrapped_size) {
LOG(ERROR) << "Size mismatch on wrapped data";
return buf;
}
std::vector<uint8_t> encrypted(encrypted_size, 0);
if (!TpmEncrypt(
- resource_manager_->Esys(),
+ resource_manager_.Esys(),
key_slot->get(),
TpmAuth(ESYS_TR_PASSWORD),
unencrypted.data(),
@@ -276,7 +276,7 @@
}
std::vector<uint8_t> decrypted_data(encrypted_size, 0);
if (!TpmDecrypt(
- resource_manager_->Esys(),
+ resource_manager_.Esys(),
key_slot->get(),
TpmAuth(ESYS_TR_PASSWORD),
encrypted_data.data(),
@@ -287,7 +287,7 @@
}
auto decrypted_buf = decrypted_data.data();
auto decrypted_buf_end = decrypted_data.data() + wrapped_size;
- if (!wrapped_->Deserialize(
+ if (!wrapped_.Deserialize(
const_cast<const uint8_t **>(&decrypted_buf), decrypted_buf_end)) {
LOG(ERROR) << "Failed to deserialize wrapped type";
return false;
diff --git a/host/commands/secure_env/encrypted_serializable.h b/host/commands/secure_env/encrypted_serializable.h
index 14c28d5..c4a2e08 100644
--- a/host/commands/secure_env/encrypted_serializable.h
+++ b/host/commands/secure_env/encrypted_serializable.h
@@ -45,15 +45,15 @@
*/
class EncryptedSerializable : public keymaster::Serializable {
public:
- EncryptedSerializable(TpmResourceManager*,
- std::function<TpmObjectSlot(TpmResourceManager*)>,
- Serializable*);
+ EncryptedSerializable(TpmResourceManager&,
+ std::function<TpmObjectSlot(TpmResourceManager&)>,
+ Serializable&);
size_t SerializedSize() const override;
uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override;
bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override;
private:
- TpmResourceManager* resource_manager_;
- std::function<TpmObjectSlot(TpmResourceManager*)> parent_key_fn_;
- keymaster::Serializable* wrapped_;
+ TpmResourceManager& resource_manager_;
+ std::function<TpmObjectSlot(TpmResourceManager&)> parent_key_fn_;
+ keymaster::Serializable& wrapped_;
};
diff --git a/host/commands/secure_env/fragile_tpm_storage.cpp b/host/commands/secure_env/fragile_tpm_storage.cpp
index 3c68117..ae66164 100644
--- a/host/commands/secure_env/fragile_tpm_storage.cpp
+++ b/host/commands/secure_env/fragile_tpm_storage.cpp
@@ -28,7 +28,7 @@
static constexpr char kHandle[] = "handle";
FragileTpmStorage::FragileTpmStorage(
- TpmResourceManager* resource_manager, const std::string& index_file)
+ TpmResourceManager& resource_manager, const std::string& index_file)
: resource_manager_(resource_manager), index_file_(index_file) {
index_ = ReadProtectedJsonFromFile(resource_manager_, index_file);
if (!index_.isMember(kEntries)
@@ -45,7 +45,7 @@
}
TPM2_HANDLE FragileTpmStorage::GenerateRandomHandle() {
- TpmRandomSource random_source{resource_manager_->Esys()};
+ TpmRandomSource random_source{resource_manager_.Esys()};
TPM2_HANDLE handle = 0;
random_source.GenerateRandom(
reinterpret_cast<uint8_t*>(&handle), sizeof(handle));
@@ -79,10 +79,10 @@
}
};
TPM2B_AUTH auth = { .size = 0, .buffer = {} };
- Esys_TR_SetAuth(resource_manager_->Esys(), ESYS_TR_RH_OWNER, &auth);
+ Esys_TR_SetAuth(resource_manager_.Esys(), ESYS_TR_RH_OWNER, &auth);
ESYS_TR nv_handle;
auto rc = Esys_NV_DefineSpace(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* authHandle */ ESYS_TR_RH_OWNER,
/* shandle1 */ ESYS_TR_PASSWORD,
/* shandle2 */ ESYS_TR_NONE,
@@ -94,7 +94,7 @@
LOG(VERBOSE) << "Esys_NV_DefineSpace failed with TPM2_RC_NV_DEFINED";
continue;
} else if (rc == TPM2_RC_SUCCESS) {
- Esys_TR_Close(resource_manager_->Esys(), &nv_handle);
+ Esys_TR_Close(resource_manager_.Esys(), &nv_handle);
break;
} else {
LOG(DEBUG) << "Esys_NV_DefineSpace failed with " << rc << ": "
@@ -143,12 +143,12 @@
return {};
}
auto close_tr = [this](ESYS_TR* handle) {
- Esys_TR_Close(resource_manager_->Esys(), handle);
+ Esys_TR_Close(resource_manager_.Esys(), handle);
delete handle;
};
std::unique_ptr<ESYS_TR, decltype(close_tr)> nv_handle(new ESYS_TR, close_tr);
auto rc = Esys_TR_FromTPMPublic(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* tpm_handle */ handle,
/* optionalSession1 */ ESYS_TR_NONE,
/* optionalSession2 */ ESYS_TR_NONE,
@@ -160,11 +160,11 @@
return {};
}
TPM2B_AUTH auth = { .size = 0, .buffer = {} };
- Esys_TR_SetAuth(resource_manager_->Esys(), *nv_handle, &auth);
+ Esys_TR_SetAuth(resource_manager_.Esys(), *nv_handle, &auth);
TPM2B_NV_PUBLIC* public_area;
rc = Esys_NV_ReadPublic(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* nvIndex */ *nv_handle,
/* shandle1 */ ESYS_TR_NONE,
/* shandle2 */ ESYS_TR_NONE,
@@ -180,7 +180,7 @@
public_deleter(public_area, Esys_Free);
TPM2B_MAX_NV_BUFFER* buffer = nullptr;
rc = Esys_NV_Read(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* authHandle */ *nv_handle,
/* nvIndex */ *nv_handle,
/* shandle1 */ ESYS_TR_PASSWORD,
@@ -207,7 +207,7 @@
}
ESYS_TR nv_handle;
auto rc = Esys_TR_FromTPMPublic(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* tpm_handle */ handle,
/* optionalSession1 */ ESYS_TR_NONE,
/* optionalSession2 */ ESYS_TR_NONE,
@@ -219,10 +219,10 @@
return false;
}
TPM2B_AUTH auth = { .size = 0, .buffer = {} };
- Esys_TR_SetAuth(resource_manager_->Esys(), nv_handle, &auth);
+ Esys_TR_SetAuth(resource_manager_.Esys(), nv_handle, &auth);
rc = Esys_NV_Write(
- /* esysContext */ resource_manager_->Esys(),
+ /* esysContext */ resource_manager_.Esys(),
/* authHandle */ nv_handle,
/* nvIndex */ nv_handle,
/* shandle1 */ ESYS_TR_PASSWORD,
@@ -230,7 +230,7 @@
/* shandle3 */ ESYS_TR_NONE,
/* data */ &data,
/* offset */ 0);
- Esys_TR_Close(resource_manager_->Esys(), &nv_handle);
+ Esys_TR_Close(resource_manager_.Esys(), &nv_handle);
if (rc != TSS2_RC_SUCCESS) {
LOG(ERROR) << "Esys_NV_Write failed with return code " << rc
<< " (" << Tss2_RC_Decode(rc) << ")";
diff --git a/host/commands/secure_env/fragile_tpm_storage.h b/host/commands/secure_env/fragile_tpm_storage.h
index 03a17b1..b52b373 100644
--- a/host/commands/secure_env/fragile_tpm_storage.h
+++ b/host/commands/secure_env/fragile_tpm_storage.h
@@ -41,7 +41,7 @@
*/
class FragileTpmStorage : public GatekeeperStorage {
public:
- FragileTpmStorage(TpmResourceManager*, const std::string& index_file);
+ FragileTpmStorage(TpmResourceManager&, const std::string& index_file);
~FragileTpmStorage() = default;
bool Allocate(const Json::Value& key, uint16_t size) override;
@@ -54,7 +54,7 @@
TPM2_HANDLE GetHandle(const Json::Value& key) const;
TPM2_HANDLE GenerateRandomHandle();
- TpmResourceManager* resource_manager_;
+ TpmResourceManager& resource_manager_;
std::string index_file_;
Json::Value index_;
};
diff --git a/host/commands/secure_env/gatekeeper_responder.cpp b/host/commands/secure_env/gatekeeper_responder.cpp
index 3bfa16e..7d43a18 100644
--- a/host/commands/secure_env/gatekeeper_responder.cpp
+++ b/host/commands/secure_env/gatekeeper_responder.cpp
@@ -19,12 +19,12 @@
#include <gatekeeper/gatekeeper_messages.h>
GatekeeperResponder::GatekeeperResponder(
- cuttlefish::GatekeeperChannel* channel, gatekeeper::GateKeeper* gatekeeper)
+ cuttlefish::GatekeeperChannel& channel, gatekeeper::GateKeeper& gatekeeper)
: channel_(channel), gatekeeper_(gatekeeper) {
}
bool GatekeeperResponder::ProcessMessage() {
- auto request = channel_->ReceiveMessage();
+ auto request = channel_.ReceiveMessage();
if (!request) {
LOG(ERROR) << "Could not receive message";
return false;
@@ -41,8 +41,8 @@
return false;
}
EnrollResponse response;
- gatekeeper_->Enroll(enroll_request, &response);
- return channel_->SendResponse(ENROLL, response);
+ gatekeeper_.Enroll(enroll_request, &response);
+ return channel_.SendResponse(ENROLL, response);
}
case VERIFY: {
VerifyRequest verify_request;
@@ -52,8 +52,8 @@
return false;
}
VerifyResponse response;
- gatekeeper_->Verify(verify_request, &response);
- return channel_->SendResponse(VERIFY, response);
+ gatekeeper_.Verify(verify_request, &response);
+ return channel_.SendResponse(VERIFY, response);
}
default:
LOG(ERROR) << "Unrecognized message id " << request->cmd;
diff --git a/host/commands/secure_env/gatekeeper_responder.h b/host/commands/secure_env/gatekeeper_responder.h
index f1d09d1..bd27955 100644
--- a/host/commands/secure_env/gatekeeper_responder.h
+++ b/host/commands/secure_env/gatekeeper_responder.h
@@ -21,11 +21,11 @@
class GatekeeperResponder {
private:
- cuttlefish::GatekeeperChannel* channel_;
- gatekeeper::GateKeeper* gatekeeper_;
+ cuttlefish::GatekeeperChannel& channel_;
+ gatekeeper::GateKeeper& gatekeeper_;
public:
- GatekeeperResponder(cuttlefish::GatekeeperChannel* channel,
- gatekeeper::GateKeeper* gatekeeper);
+ GatekeeperResponder(cuttlefish::GatekeeperChannel& channel,
+ gatekeeper::GateKeeper& gatekeeper);
bool ProcessMessage();
};
diff --git a/host/commands/secure_env/hmac_serializable.cpp b/host/commands/secure_env/hmac_serializable.cpp
index 127aba0..c40b736 100644
--- a/host/commands/secure_env/hmac_serializable.cpp
+++ b/host/commands/secure_env/hmac_serializable.cpp
@@ -21,8 +21,8 @@
#include "host/commands/secure_env/tpm_hmac.h"
HmacSerializable::HmacSerializable(
- TpmResourceManager* resource_manager,
- std::function<TpmObjectSlot(TpmResourceManager*)> signing_key_fn,
+ TpmResourceManager& resource_manager,
+ std::function<TpmObjectSlot(TpmResourceManager&)> signing_key_fn,
uint32_t digest_size,
Serializable* wrapped) :
resource_manager_(resource_manager),
diff --git a/host/commands/secure_env/hmac_serializable.h b/host/commands/secure_env/hmac_serializable.h
index f86d98c..4b90124 100644
--- a/host/commands/secure_env/hmac_serializable.h
+++ b/host/commands/secure_env/hmac_serializable.h
@@ -38,8 +38,8 @@
*/
class HmacSerializable : public keymaster::Serializable {
public:
- HmacSerializable(TpmResourceManager*,
- std::function<TpmObjectSlot(TpmResourceManager*)>,
+ HmacSerializable(TpmResourceManager&,
+ std::function<TpmObjectSlot(TpmResourceManager&)>,
uint32_t digest_size,
Serializable*);
@@ -47,8 +47,8 @@
uint8_t* Serialize(uint8_t* buf, const uint8_t* end) const override;
bool Deserialize(const uint8_t** buf_ptr, const uint8_t* end) override;
private:
- TpmResourceManager* resource_manager_;
- std::function<TpmObjectSlot(TpmResourceManager*)> signing_key_fn_;
+ TpmResourceManager& resource_manager_;
+ std::function<TpmObjectSlot(TpmResourceManager&)> signing_key_fn_;
uint32_t digest_size_;
keymaster::Serializable* wrapped_;
};
diff --git a/host/commands/secure_env/insecure_fallback_storage.cpp b/host/commands/secure_env/insecure_fallback_storage.cpp
index 81e1209..f906bd5 100644
--- a/host/commands/secure_env/insecure_fallback_storage.cpp
+++ b/host/commands/secure_env/insecure_fallback_storage.cpp
@@ -28,7 +28,7 @@
static constexpr char kValue[] = "value";
InsecureFallbackStorage::InsecureFallbackStorage(
- TpmResourceManager* resource_manager, const std::string& index_file)
+ TpmResourceManager& resource_manager, const std::string& index_file)
: resource_manager_(resource_manager), index_file_(index_file) {
index_ = ReadProtectedJsonFromFile(resource_manager_, index_file);
if (!index_.isMember(kEntries)
diff --git a/host/commands/secure_env/insecure_fallback_storage.h b/host/commands/secure_env/insecure_fallback_storage.h
index ffd1270..93788a0 100644
--- a/host/commands/secure_env/insecure_fallback_storage.h
+++ b/host/commands/secure_env/insecure_fallback_storage.h
@@ -37,7 +37,7 @@
*/
class InsecureFallbackStorage : public GatekeeperStorage {
public:
- InsecureFallbackStorage(TpmResourceManager*, const std::string& index_file);
+ InsecureFallbackStorage(TpmResourceManager&, const std::string& index_file);
~InsecureFallbackStorage() = default;
bool Allocate(const Json::Value& key, uint16_t size) override;
@@ -50,7 +50,7 @@
Json::Value* GetEntry(const Json::Value& key);
const Json::Value* GetEntry(const Json::Value& key) const;
- TpmResourceManager* resource_manager_;
+ TpmResourceManager& resource_manager_;
std::string index_file_;
Json::Value index_;
};
diff --git a/host/commands/secure_env/json_serializable.cpp b/host/commands/secure_env/json_serializable.cpp
index 9ca0424..73b792e 100644
--- a/host/commands/secure_env/json_serializable.cpp
+++ b/host/commands/secure_env/json_serializable.cpp
@@ -28,7 +28,7 @@
class JsonSerializable : public keymaster::Serializable {
public:
- JsonSerializable(Json::Value* json);
+ JsonSerializable(Json::Value& json);
size_t SerializedSize() const override;
@@ -36,18 +36,18 @@
bool Deserialize(const uint8_t** buf_ptr, const uint8_t* buf_end) override;
private:
- Json::Value* json_;
+ Json::Value& json_;
};
-JsonSerializable::JsonSerializable(Json::Value* json) : json_(json) {}
+JsonSerializable::JsonSerializable(Json::Value& json) : json_(json) {}
size_t JsonSerializable::SerializedSize() const {
- auto serialized = Json::FastWriter().write(*json_);
+ auto serialized = Json::FastWriter().write(json_);
return serialized.size() + sizeof(uint32_t);
}
uint8_t* JsonSerializable::Serialize(uint8_t* buf, const uint8_t* end) const {
- auto serialized = Json::FastWriter().write(*json_);
+ auto serialized = Json::FastWriter().write(json_);
if (end - buf < serialized.size() + sizeof(uint32_t)) {
LOG(ERROR) << "Not enough space to serialize json";
return buf;
@@ -68,7 +68,7 @@
}
auto doc_begin = reinterpret_cast<const char*>(json_bytes.get());
auto doc_end = doc_begin + size;
- success = Json::Reader().parse(doc_begin, doc_end, *json_);
+ success = Json::Reader().parse(doc_begin, doc_end, json_);
if (!success) {
LOG(ERROR) << "Failed to parse json";
return false;
@@ -77,13 +77,13 @@
}
bool WriteProtectedJsonToFile(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
const std::string& filename,
Json::Value json) {
- JsonSerializable sensitive_material(&json);
+ JsonSerializable sensitive_material(json);
auto parent_key_fn = ParentKeyCreator(kUniqueKey);
EncryptedSerializable encryption(
- resource_manager, parent_key_fn, &sensitive_material);
+ resource_manager, parent_key_fn, sensitive_material);
auto signing_key_fn = SigningKeyCreator(kUniqueKey);
HmacSerializable sign_check(
resource_manager, signing_key_fn, TPM2_SHA256_DIGEST_SIZE, &encryption);
@@ -109,7 +109,7 @@
}
Json::Value ReadProtectedJsonFromFile(
- TpmResourceManager* resource_manager, const std::string& filename) {
+ TpmResourceManager& resource_manager, const std::string& filename) {
std::ifstream file_stream(filename, std::ios::binary | std::ios::ate);
std::streamsize size = file_stream.tellg();
file_stream.seekg(0, std::ios::beg);
@@ -130,10 +130,10 @@
}
Json::Value json;
- JsonSerializable sensitive_material(&json);
+ JsonSerializable sensitive_material(json);
auto parent_key_fn = ParentKeyCreator(kUniqueKey);
EncryptedSerializable encryption(
- resource_manager, parent_key_fn, &sensitive_material);
+ resource_manager, parent_key_fn, sensitive_material);
auto signing_key_fn = SigningKeyCreator(kUniqueKey);
HmacSerializable sign_check(
resource_manager, signing_key_fn, TPM2_SHA256_DIGEST_SIZE, &encryption);
diff --git a/host/commands/secure_env/json_serializable.h b/host/commands/secure_env/json_serializable.h
index dca80b4..f96aab3 100644
--- a/host/commands/secure_env/json_serializable.h
+++ b/host/commands/secure_env/json_serializable.h
@@ -20,6 +20,6 @@
#include "host/commands/secure_env/tpm_resource_manager.h"
bool WriteProtectedJsonToFile(
- TpmResourceManager*, const std::string& filename, Json::Value);
+ TpmResourceManager&, const std::string& filename, Json::Value);
Json::Value ReadProtectedJsonFromFile(
- TpmResourceManager*, const std::string& filename);
+ TpmResourceManager&, const std::string& filename);
diff --git a/host/commands/secure_env/keymaster_responder.cpp b/host/commands/secure_env/keymaster_responder.cpp
index 5bfb358..1f12803 100644
--- a/host/commands/secure_env/keymaster_responder.cpp
+++ b/host/commands/secure_env/keymaster_responder.cpp
@@ -19,12 +19,12 @@
#include <keymaster/android_keymaster_messages.h>
KeymasterResponder::KeymasterResponder(
- cuttlefish::KeymasterChannel* channel, keymaster::AndroidKeymaster* keymaster)
+ cuttlefish::KeymasterChannel& channel, keymaster::AndroidKeymaster& keymaster)
: channel_(channel), keymaster_(keymaster) {
}
bool KeymasterResponder::ProcessMessage() {
- auto request = channel_->ReceiveMessage();
+ auto request = channel_.ReceiveMessage();
if (!request) {
LOG(ERROR) << "Could not receive message";
return false;
@@ -41,8 +41,8 @@
return false; \
} \
METHOD_NAME##Response response; \
- keymaster_->METHOD_NAME(request, &response); \
- return channel_->SendResponse(ENUM_NAME, response); \
+ keymaster_.METHOD_NAME(request, &response); \
+ return channel_.SendResponse(ENUM_NAME, response); \
}
HANDLE_MESSAGE(GENERATE_KEY, GenerateKey)
HANDLE_MESSAGE(BEGIN_OPERATION, BeginOperation)
@@ -73,8 +73,8 @@
LOG(ERROR) << "Failed to deserialize " #METHOD_NAME "Request"; \
return false; \
} \
- auto response = keymaster_->METHOD_NAME(request); \
- return channel_->SendResponse(ENUM_NAME, response); \
+ auto response = keymaster_.METHOD_NAME(request); \
+ return channel_.SendResponse(ENUM_NAME, response); \
}
HANDLE_MESSAGE(COMPUTE_SHARED_HMAC, ComputeSharedHmac)
HANDLE_MESSAGE(VERIFY_AUTHORIZATION, VerifyAuthorization)
@@ -82,8 +82,8 @@
#undef HANDLE_MESSAGE
#define HANDLE_MESSAGE(ENUM_NAME, METHOD_NAME) \
case ENUM_NAME: {\
- auto response = keymaster_->METHOD_NAME(); \
- return channel_->SendResponse(ENUM_NAME, response); \
+ auto response = keymaster_.METHOD_NAME(); \
+ return channel_.SendResponse(ENUM_NAME, response); \
}
HANDLE_MESSAGE(GET_HMAC_SHARING_PARAMETERS, GetHmacSharingParameters)
HANDLE_MESSAGE(EARLY_BOOT_ENDED, EarlyBootEnded)
@@ -95,8 +95,8 @@
return false;
}
AddEntropyResponse response;
- keymaster_->AddRngEntropy(request, &response);
- return channel_->SendResponse(ADD_RNG_ENTROPY, response);
+ keymaster_.AddRngEntropy(request, &response);
+ return channel_.SendResponse(ADD_RNG_ENTROPY, response);
}
case DESTROY_ATTESTATION_IDS: // Not defined in AndroidKeymaster?
break;
diff --git a/host/commands/secure_env/keymaster_responder.h b/host/commands/secure_env/keymaster_responder.h
index 1fc662e..f8fb6ec 100644
--- a/host/commands/secure_env/keymaster_responder.h
+++ b/host/commands/secure_env/keymaster_responder.h
@@ -21,11 +21,11 @@
class KeymasterResponder {
private:
- cuttlefish::KeymasterChannel* channel_;
- keymaster::AndroidKeymaster* keymaster_;
+ cuttlefish::KeymasterChannel& channel_;
+ keymaster::AndroidKeymaster& keymaster_;
public:
- KeymasterResponder(cuttlefish::KeymasterChannel* channel,
- keymaster::AndroidKeymaster* keymaster);
+ KeymasterResponder(cuttlefish::KeymasterChannel& channel,
+ keymaster::AndroidKeymaster& keymaster);
bool ProcessMessage();
};
diff --git a/host/commands/secure_env/primary_key_builder.cpp b/host/commands/secure_env/primary_key_builder.cpp
index 6e12520..a44ff24 100644
--- a/host/commands/secure_env/primary_key_builder.cpp
+++ b/host/commands/secure_env/primary_key_builder.cpp
@@ -62,10 +62,10 @@
}
TpmObjectSlot PrimaryKeyBuilder::CreateKey(
- TpmResourceManager* resource_manager) {
+ TpmResourceManager& resource_manager) {
TPM2B_AUTH authValue = {};
auto rc =
- Esys_TR_SetAuth(resource_manager->Esys(), ESYS_TR_RH_OWNER, &authValue);
+ Esys_TR_SetAuth(resource_manager.Esys(), ESYS_TR_RH_OWNER, &authValue);
if (rc != TSS2_RC_SUCCESS) {
LOG(ERROR) << "Esys_TR_SetAuth failed with return code " << rc
<< " (" << Tss2_RC_Decode(rc) << ")";
@@ -85,7 +85,7 @@
TPM2B_SENSITIVE_CREATE in_sensitive = {};
- auto key_slot = resource_manager->ReserveSlot();
+ auto key_slot = resource_manager.ReserveSlot();
if (!key_slot) {
LOG(ERROR) << "No slots available";
return {};
@@ -95,7 +95,7 @@
// Since this is a primary key, it's generated deterministically. It would
// also be possible to generate this once and hold it in storage.
rc = Esys_CreateLoaded(
- /* esysContext */ resource_manager->Esys(),
+ /* esysContext */ resource_manager.Esys(),
/* primaryHandle */ ESYS_TR_RH_OWNER,
/* shandle1 */ ESYS_TR_PASSWORD,
/* shandle2 */ ESYS_TR_NONE,
@@ -114,9 +114,9 @@
return key_slot;
}
-std::function<TpmObjectSlot(TpmResourceManager*)>
+std::function<TpmObjectSlot(TpmResourceManager&)>
SigningKeyCreator(const std::string& unique) {
- return [unique](TpmResourceManager* resource_manager) {
+ return [unique](TpmResourceManager& resource_manager) {
PrimaryKeyBuilder key_builder;
key_builder.SigningKey();
key_builder.UniqueData(unique);
@@ -124,9 +124,9 @@
};
}
-std::function<TpmObjectSlot(TpmResourceManager*)>
+std::function<TpmObjectSlot(TpmResourceManager&)>
ParentKeyCreator(const std::string& unique) {
- return [unique](TpmResourceManager* resource_manager) {
+ return [unique](TpmResourceManager& resource_manager) {
PrimaryKeyBuilder key_builder;
key_builder.ParentKey();
key_builder.UniqueData(unique);
diff --git a/host/commands/secure_env/primary_key_builder.h b/host/commands/secure_env/primary_key_builder.h
index d5d2298..46e5461 100644
--- a/host/commands/secure_env/primary_key_builder.h
+++ b/host/commands/secure_env/primary_key_builder.h
@@ -30,13 +30,13 @@
void ParentKey();
void UniqueData(const std::string&);
- TpmObjectSlot CreateKey(TpmResourceManager*);
+ TpmObjectSlot CreateKey(TpmResourceManager&);
private:
TPMT_PUBLIC public_area_;
};
-std::function<TpmObjectSlot(TpmResourceManager*)>
+std::function<TpmObjectSlot(TpmResourceManager&)>
SigningKeyCreator(const std::string& unique);
-std::function<TpmObjectSlot(TpmResourceManager*)>
+std::function<TpmObjectSlot(TpmResourceManager&)>
ParentKeyCreator(const std::string& unique);
diff --git a/host/commands/secure_env/secure_env.cpp b/host/commands/secure_env/secure_env.cpp
index a80edb3..8848820 100644
--- a/host/commands/secure_env/secure_env.cpp
+++ b/host/commands/secure_env/secure_env.cpp
@@ -85,17 +85,14 @@
new keymaster::SoftKeymasterEnforcement(64, 64));
} else if (FLAGS_gatekeeper_impl == "in_process_tpm") {
secure_storage.reset(
- new FragileTpmStorage(resource_manager.get(), "gatekeeper_secure"));
- insecure_storage.reset(new InsecureFallbackStorage(
- resource_manager.get(), "gatekeeper_insecure"));
+ new FragileTpmStorage(*resource_manager, "gatekeeper_secure"));
+ insecure_storage.reset(
+ new InsecureFallbackStorage(*resource_manager, "gatekeeper_insecure"));
TpmGatekeeper* tpm_gatekeeper =
- new TpmGatekeeper(
- resource_manager.get(),
- secure_storage.get(),
- insecure_storage.get());
+ new TpmGatekeeper(*resource_manager, *secure_storage, *insecure_storage);
gatekeeper.reset(tpm_gatekeeper);
keymaster_enforcement.reset(
- new TpmKeymasterEnforcement(resource_manager.get(), tpm_gatekeeper));
+ new TpmKeymasterEnforcement(*resource_manager, *tpm_gatekeeper));
}
// keymaster::AndroidKeymaster puts the given pointer into a UniquePtr,
@@ -106,8 +103,7 @@
new keymaster::PureSoftKeymasterContext(KM_SECURITY_LEVEL_SOFTWARE);
} else if (FLAGS_keymaster_impl == "in_process_tpm") {
keymaster_context =
- new TpmKeymasterContext(
- resource_manager.get(), keymaster_enforcement.get());
+ new TpmKeymasterContext(*resource_manager, *keymaster_enforcement);
} else {
LOG(FATAL) << "Unknown keymaster implementation " << FLAGS_keymaster_impl;
return -1;
@@ -137,7 +133,7 @@
<< keymaster_conn->StrError();
cuttlefish::KeymasterChannel keymaster_channel(keymaster_conn);
- KeymasterResponder keymaster_responder(&keymaster_channel, &keymaster);
+ KeymasterResponder keymaster_responder(keymaster_channel, keymaster);
while (keymaster_responder.ProcessMessage()) {
}
@@ -151,8 +147,7 @@
<< gatekeeper_conn->StrError();
cuttlefish::GatekeeperChannel gatekeeper_channel(gatekeeper_conn);
- GatekeeperResponder gatekeeper_responder(
- &gatekeeper_channel, gatekeeper.get());
+ GatekeeperResponder gatekeeper_responder(gatekeeper_channel, *gatekeeper);
while (gatekeeper_responder.ProcessMessage()) {
}
diff --git a/host/commands/secure_env/tpm_gatekeeper.cpp b/host/commands/secure_env/tpm_gatekeeper.cpp
index adfa2a5..e4f61e7 100644
--- a/host/commands/secure_env/tpm_gatekeeper.cpp
+++ b/host/commands/secure_env/tpm_gatekeeper.cpp
@@ -27,15 +27,15 @@
#include "host/commands/secure_env/primary_key_builder.h"
#include "host/commands/secure_env/tpm_auth.h"
#include "host/commands/secure_env/tpm_hmac.h"
+#include "host/commands/secure_env/tpm_random_source.h"
TpmGatekeeper::TpmGatekeeper(
- TpmResourceManager* resource_manager,
- GatekeeperStorage* secure_storage,
- GatekeeperStorage* insecure_storage)
+ TpmResourceManager& resource_manager,
+ GatekeeperStorage& secure_storage,
+ GatekeeperStorage& insecure_storage)
: resource_manager_(resource_manager)
, secure_storage_(secure_storage)
- , insecure_storage_(insecure_storage)
- , random_source_(resource_manager->Esys()) {
+ , insecure_storage_(insecure_storage) {
}
/*
@@ -80,7 +80,8 @@
void TpmGatekeeper::GetRandom(void* random, uint32_t requested_size) const {
auto random_uint8 = reinterpret_cast<uint8_t*>(random);
- random_source_.GenerateRandom(random_uint8, requested_size);
+ TpmRandomSource(resource_manager_.Esys())
+ .GenerateRandom(random_uint8, requested_size);
}
void TpmGatekeeper::ComputeSignature(
@@ -154,23 +155,23 @@
}
static bool GetFailureRecordImpl(
- GatekeeperStorage* storage,
+ GatekeeperStorage& storage,
uint32_t uid,
gatekeeper::secure_id_t secure_user_id,
gatekeeper::failure_record_t *record) {
Json::Value key{std::to_string(uid)}; // jsoncpp integer comparisons are janky
- if (!storage->HasKey(key)) {
- if (!storage->Allocate(key, sizeof(gatekeeper::failure_record_t))) {
+ if (!storage.HasKey(key)) {
+ if (!storage.Allocate(key, sizeof(gatekeeper::failure_record_t))) {
LOG(ERROR) << "Allocation failed for user " << uid;
return false;
}
auto buf = RecordToNvBuffer(DefaultRecord(secure_user_id));
- if (!storage->Write(key, *buf)) {
+ if (!storage.Write(key, *buf)) {
LOG(ERROR) << "Failed to write record for " << uid;
return false;
}
}
- auto record_read = storage->Read(key);
+ auto record_read = storage.Read(key);
if (!record_read) {
LOG(ERROR) << "Failed to read record for " << uid;
return false;
@@ -186,7 +187,7 @@
}
LOG(DEBUG) << "User id mismatch for " << uid;
auto buf = RecordToNvBuffer(DefaultRecord(secure_user_id));
- if (!storage->Write(key, *buf)) {
+ if (!storage.Write(key, *buf)) {
LOG(ERROR) << "Failed to write record for " << uid;
return false;
}
@@ -199,23 +200,23 @@
gatekeeper::secure_id_t secure_user_id,
gatekeeper::failure_record_t *record,
bool secure) {
- GatekeeperStorage* storage = secure ? secure_storage_ : insecure_storage_;
+ GatekeeperStorage& storage = secure ? secure_storage_ : insecure_storage_;
return GetFailureRecordImpl(storage, uid, secure_user_id, record);
}
static bool WriteFailureRecordImpl(
- GatekeeperStorage* storage,
+ GatekeeperStorage& storage,
uint32_t uid,
gatekeeper::failure_record_t* record) {
Json::Value key{std::to_string(uid)}; // jsoncpp integer comparisons are janky
- if (!storage->HasKey(key)) {
- if (!storage->Allocate(key, sizeof(gatekeeper::failure_record_t))) {
+ if (!storage.HasKey(key)) {
+ if (!storage.Allocate(key, sizeof(gatekeeper::failure_record_t))) {
LOG(ERROR) << "Allocation failed for user " << uid;
return false;
}
}
auto buf = RecordToNvBuffer(*record);
- if (!storage->Write(key, *buf)) {
+ if (!storage.Write(key, *buf)) {
LOG(ERROR) << "Failed to write record for " << uid;
return false;
}
@@ -224,14 +225,14 @@
bool TpmGatekeeper::ClearFailureRecord(
uint32_t uid, gatekeeper::secure_id_t secure_user_id, bool secure) {
- GatekeeperStorage* storage = secure ? secure_storage_ : insecure_storage_;
+ GatekeeperStorage& storage = secure ? secure_storage_ : insecure_storage_;
gatekeeper::failure_record_t record = DefaultRecord(secure_user_id);
return WriteFailureRecordImpl(storage, uid, &record);
}
bool TpmGatekeeper::WriteFailureRecord(
uint32_t uid, gatekeeper::failure_record_t *record, bool secure) {
- GatekeeperStorage* storage = secure ? secure_storage_ : insecure_storage_;
+ GatekeeperStorage& storage = secure ? secure_storage_ : insecure_storage_;
return WriteFailureRecordImpl(storage, uid, record);
}
diff --git a/host/commands/secure_env/tpm_gatekeeper.h b/host/commands/secure_env/tpm_gatekeeper.h
index b545811..021ab58 100644
--- a/host/commands/secure_env/tpm_gatekeeper.h
+++ b/host/commands/secure_env/tpm_gatekeeper.h
@@ -19,7 +19,6 @@
#include "tss2/tss2_esys.h"
#include "host/commands/secure_env/gatekeeper_storage.h"
-#include "host/commands/secure_env/tpm_random_source.h"
#include "host/commands/secure_env/tpm_resource_manager.h"
/**
@@ -29,9 +28,9 @@
class TpmGatekeeper : public gatekeeper::GateKeeper {
public:
TpmGatekeeper(
- TpmResourceManager* resource_manager,
- GatekeeperStorage* secure_storage,
- GatekeeperStorage* insecure_storage);
+ TpmResourceManager& resource_manager,
+ GatekeeperStorage& secure_storage,
+ GatekeeperStorage& insecure_storage);
bool GetAuthTokenKey(
const uint8_t** auth_token_key, uint32_t* length) const override;
@@ -78,8 +77,7 @@
bool IsHardwareBacked() const override;
private:
- TpmResourceManager* resource_manager_;
- GatekeeperStorage* secure_storage_;
- GatekeeperStorage* insecure_storage_;
- TpmRandomSource random_source_;
+ TpmResourceManager& resource_manager_;
+ GatekeeperStorage& secure_storage_;
+ GatekeeperStorage& insecure_storage_;
};
diff --git a/host/commands/secure_env/tpm_hmac.cpp b/host/commands/secure_env/tpm_hmac.cpp
index d20cca3..80003d0 100644
--- a/host/commands/secure_env/tpm_hmac.cpp
+++ b/host/commands/secure_env/tpm_hmac.cpp
@@ -22,7 +22,7 @@
/* For data large enough to fit in a single TPM2_HMAC call. */
static UniqueEsysPtr<TPM2B_DIGEST> OneshotHmac(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
ESYS_TR key_handle,
TpmAuth auth,
const uint8_t* data,
@@ -38,7 +38,7 @@
memcpy(buffer.buffer, data, data_size);
TPM2B_DIGEST* out_hmac = nullptr;
auto rc = Esys_HMAC(
- resource_manager->Esys(),
+ resource_manager.Esys(),
key_handle,
auth.auth1(),
auth.auth2(),
@@ -59,7 +59,7 @@
/* For data too large to fit in a single TPM2_HMAC call. */
static UniqueEsysPtr<TPM2B_DIGEST> SegmentedHmac(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
ESYS_TR key_handle,
TpmAuth key_auth,
const uint8_t* data,
@@ -69,13 +69,13 @@
sequence_auth.size = sizeof(rand());
*reinterpret_cast<decltype(rand())*>(sequence_auth.buffer) = rand();
ESYS_TR sequence_handle;
- auto slot = resource_manager->ReserveSlot();
+ auto slot = resource_manager.ReserveSlot();
if (!slot) {
LOG(ERROR) << "No slots available";
return {};
}
auto rc = Esys_HMAC_Start(
- resource_manager->Esys(),
+ resource_manager.Esys(),
key_handle,
key_auth.auth1(),
key_auth.auth2(),
@@ -90,7 +90,7 @@
}
slot->set(sequence_handle);
rc = Esys_TR_SetAuth(
- resource_manager->Esys(), sequence_handle, &sequence_auth);
+ resource_manager.Esys(), sequence_handle, &sequence_auth);
if (rc != TPM2_RC_SUCCESS) {
LOG(ERROR) << "Esys_TR_SetAuth failed: " << Tss2_RC_Decode(rc)
<< "(" << rc << ")";
@@ -103,7 +103,7 @@
memcpy(buffer.buffer, &data[hashed], TPM2_MAX_DIGEST_BUFFER);
hashed += TPM2_MAX_DIGEST_BUFFER;
rc = Esys_SequenceUpdate(
- resource_manager->Esys(),
+ resource_manager.Esys(),
sequence_handle,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -120,7 +120,7 @@
TPM2B_DIGEST* out_hmac = nullptr;
TPMT_TK_HASHCHECK* validation = nullptr;
rc = Esys_SequenceComplete(
- resource_manager->Esys(),
+ resource_manager.Esys(),
sequence_handle,
ESYS_TR_PASSWORD,
ESYS_TR_NONE,
@@ -145,7 +145,7 @@
}
UniqueEsysPtr<TPM2B_DIGEST> TpmHmac(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
ESYS_TR key_handle,
TpmAuth auth,
const uint8_t* data,
diff --git a/host/commands/secure_env/tpm_hmac.h b/host/commands/secure_env/tpm_hmac.h
index 4d179d3..e4686b6 100644
--- a/host/commands/secure_env/tpm_hmac.h
+++ b/host/commands/secure_env/tpm_hmac.h
@@ -44,7 +44,7 @@
* is used to check that the data has not been tampered with.
*/
UniqueEsysPtr<TPM2B_DIGEST> TpmHmac(
- TpmResourceManager* resource_manager,
+ TpmResourceManager& resource_manager,
ESYS_TR key_handle,
TpmAuth auth,
const uint8_t* data,
diff --git a/host/commands/secure_env/tpm_key_blob_maker.cpp b/host/commands/secure_env/tpm_key_blob_maker.cpp
index b87a393..a7bfab9 100644
--- a/host/commands/secure_env/tpm_key_blob_maker.cpp
+++ b/host/commands/secure_env/tpm_key_blob_maker.cpp
@@ -91,7 +91,7 @@
}
-TpmKeyBlobMaker::TpmKeyBlobMaker(TpmResourceManager* resource_manager)
+TpmKeyBlobMaker::TpmKeyBlobMaker(TpmResourceManager& resource_manager)
: resource_manager_(resource_manager) {
}
@@ -126,7 +126,7 @@
{&key_material_buffer, hw_enforced, sw_enforced});
auto parent_key_fn = ParentKeyCreator(kUniqueKey);
EncryptedSerializable encryption(
- resource_manager_, parent_key_fn, &sensitive_material);
+ resource_manager_, parent_key_fn, sensitive_material);
auto signing_key_fn = SigningKeyCreator(kUniqueKey);
HmacSerializable sign_check(
resource_manager_, signing_key_fn, TPM2_SHA256_DIGEST_SIZE, &encryption);
@@ -150,7 +150,7 @@
{&key_material_buffer, hw_enforced, sw_enforced});
auto parent_key_fn = ParentKeyCreator(kUniqueKey);
EncryptedSerializable encryption(
- resource_manager_, parent_key_fn, &sensitive_material);
+ resource_manager_, parent_key_fn, sensitive_material);
auto signing_key_fn = SigningKeyCreator(kUniqueKey);
HmacSerializable sign_check(
resource_manager_, signing_key_fn, TPM2_SHA256_DIGEST_SIZE, &encryption);
diff --git a/host/commands/secure_env/tpm_key_blob_maker.h b/host/commands/secure_env/tpm_key_blob_maker.h
index 3b5ce43..2fa2b64 100644
--- a/host/commands/secure_env/tpm_key_blob_maker.h
+++ b/host/commands/secure_env/tpm_key_blob_maker.h
@@ -29,7 +29,7 @@
*/
class TpmKeyBlobMaker : public keymaster::SoftwareKeyBlobMaker {
public:
- TpmKeyBlobMaker(TpmResourceManager* resource_manager);
+ TpmKeyBlobMaker(TpmResourceManager& resource_manager);
keymaster_error_t CreateKeyBlob(
const keymaster::AuthorizationSet& key_description,
@@ -56,5 +56,5 @@
keymaster::AuthorizationSet* sw_enforced,
keymaster::KeymasterKeyBlob* key_material) const;
private:
- TpmResourceManager* resource_manager_;
+ TpmResourceManager& resource_manager_;
};
diff --git a/host/commands/secure_env/tpm_keymaster_context.cpp b/host/commands/secure_env/tpm_keymaster_context.cpp
index 9ea685f..b32f68f 100644
--- a/host/commands/secure_env/tpm_keymaster_context.cpp
+++ b/host/commands/secure_env/tpm_keymaster_context.cpp
@@ -36,12 +36,12 @@
using keymaster::OperationFactory;
TpmKeymasterContext::TpmKeymasterContext(
- TpmResourceManager* resource_manager,
- keymaster::KeymasterEnforcement* enforcement)
+ TpmResourceManager& resource_manager,
+ keymaster::KeymasterEnforcement& enforcement)
: resource_manager_(resource_manager)
, enforcement_(enforcement)
, key_blob_maker_(new TpmKeyBlobMaker(resource_manager_))
- , random_source_(new TpmRandomSource(resource_manager_->Esys()))
+ , random_source_(new TpmRandomSource(resource_manager_.Esys()))
, attestation_context_(new TpmAttestationRecordContext()) {
key_factories_.emplace(
KM_ALGORITHM_RSA, new keymaster::RsaKeyFactory(key_blob_maker_.get()));
@@ -260,7 +260,7 @@
}
keymaster::KeymasterEnforcement* TpmKeymasterContext::enforcement_policy() {
- return enforcement_;
+ return &enforcement_;
}
// Based on https://cs.android.com/android/platform/superproject/+/master:system/keymaster/contexts/pure_soft_keymaster_context.cpp;l=261;drc=8367d5351c4d417a11f49b12394b63a413faa02d
diff --git a/host/commands/secure_env/tpm_keymaster_context.h b/host/commands/secure_env/tpm_keymaster_context.h
index f4acbad..eb77af4 100644
--- a/host/commands/secure_env/tpm_keymaster_context.h
+++ b/host/commands/secure_env/tpm_keymaster_context.h
@@ -34,8 +34,8 @@
*/
class TpmKeymasterContext : public keymaster::KeymasterContext {
private:
- TpmResourceManager* resource_manager_;
- keymaster::KeymasterEnforcement* enforcement_;
+ TpmResourceManager& resource_manager_;
+ keymaster::KeymasterEnforcement& enforcement_;
std::unique_ptr<TpmKeyBlobMaker> key_blob_maker_;
std::unique_ptr<TpmRandomSource> random_source_;
std::unique_ptr<TpmAttestationRecordContext> attestation_context_;
@@ -44,7 +44,7 @@
uint32_t os_version_;
uint32_t os_patchlevel_;
public:
- TpmKeymasterContext(TpmResourceManager*, keymaster::KeymasterEnforcement*);
+ TpmKeymasterContext(TpmResourceManager&, keymaster::KeymasterEnforcement&);
~TpmKeymasterContext() = default;
keymaster_error_t SetSystemVersion(
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.cpp b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
index 720e7aa..4c8e41c 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.cpp
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.cpp
@@ -48,7 +48,7 @@
};
TpmKeymasterEnforcement::TpmKeymasterEnforcement(
- TpmResourceManager* resource_manager, TpmGatekeeper* gatekeeper)
+ TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper)
: KeymasterEnforcement(64, 64),
resource_manager_(resource_manager),
gatekeeper_(gatekeeper) {
@@ -99,7 +99,7 @@
const uint8_t *auth_token_key = nullptr;
uint32_t auth_token_key_len = 0;
- if (!gatekeeper_->GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
+ if (!gatekeeper_.GetAuthTokenKey(&auth_token_key, &auth_token_key_len)) {
LOG(WARNING) << "Unable to get gatekeeper auth token";
return false;
}
@@ -117,7 +117,7 @@
"hw_auth_token_t does not appear to be packed");
- gatekeeper_->ComputeSignature(
+ gatekeeper_.ComputeSignature(
comparison_token.hmac,
sizeof(comparison_token.hmac),
auth_token_key,
@@ -134,7 +134,7 @@
HmacSharingParameters* params) {
if (!have_saved_params_) {
saved_params_.seed = {};
- TpmRandomSource random_source{resource_manager_->Esys()};
+ TpmRandomSource random_source{resource_manager_.Esys()};
auto rc =
random_source.GenerateRandom(
saved_params_.nonce, sizeof(saved_params_.nonce));
diff --git a/host/commands/secure_env/tpm_keymaster_enforcement.h b/host/commands/secure_env/tpm_keymaster_enforcement.h
index f95c795..1d6a1e5 100644
--- a/host/commands/secure_env/tpm_keymaster_enforcement.h
+++ b/host/commands/secure_env/tpm_keymaster_enforcement.h
@@ -28,7 +28,7 @@
class TpmKeymasterEnforcement : public keymaster::KeymasterEnforcement {
public:
TpmKeymasterEnforcement(
- TpmResourceManager* resource_manager, TpmGatekeeper* gatekeeper);
+ TpmResourceManager& resource_manager, TpmGatekeeper& gatekeeper);
~TpmKeymasterEnforcement();
bool activation_date_valid(uint64_t activation_date) const override;
@@ -54,8 +54,8 @@
keymaster::km_id_t* keyid) const override;
private:
- TpmResourceManager* resource_manager_;
- TpmGatekeeper* gatekeeper_;
+ TpmResourceManager& resource_manager_;
+ TpmGatekeeper& gatekeeper_;
bool have_saved_params_ = false;
keymaster::HmacSharingParameters saved_params_;
};
