linaro-swg/kmgk

Keymaster key blob too large

moonhjh opened this issue · 10 comments

AOSP version is 9.0, OP-TEE version is 3.3.0. When running keymaster, the log displays "Keymaster key blob too large" and the device reboots:

vold log:

1-01 00:00:32.988   319   398 E vold    : Buffer too small 2048 < 4544
01-01 00:00:32.988   319   398 E Cryptfs : Keymaster key blob too large
01-01 00:00:32.988   319   398 E Cryptfs : Failed to generate keypair
01-01 00:00:32.988   319   398 E Cryptfs : keymaster_create_key failed
01-01 00:00:32.988   319   398 E Cryptfs : Cannot create encrypted master key
01-01 00:00:32.988   319   398 E Cryptfs : Error enabling encryption after framework is shutdown[   18.438653] <1>.(1)[153:disp_idlemgr][DISP][disp_lowpower]_vdo_mode_enter_idle

keymaster TA and CA log:

D/TA:  TA_generate_key:437 i = 0 padding = 12
D/TA:  TA_generate_key:464 i = 0 padding = 16 attr_size = 256
D/TA:  TA_generate_key:467 i = 0 padding = 272 attr_size = 256
D/TA:  TA_generate_key:437 i = 1 padding = 276
D/TA:  TA_generate_key:464 i = 1 padding = 280 attr_size = 3
D/TA:  TA_generate_key:467 i = 1 padding = 283 attr_size = 3
D/TA:  TA_generate_key:437 i = 2 padding = 287
D/TA:  TA_generate_key:464 i = 2 padding = 291 attr_size = 256
D/TA:  TA_generate_key:467 i = 2 padding = 547 attr_size = 256
D/TA:  TA_generate_key:437 i = 3 padding = 551
D/TA:  TA_generate_key:464 i = 3 padding = 555 attr_size = 128
D/TA:  TA_generate_key:467 i = 3 padding = 683 attr_size = 128
D/TA:  TA_generate_key:437 i = 4 padding = 687
D/TA:  TA_generate_key:464 i = 4 padding = 691 attr_size = 128
D/TA:  TA_generate_key:467 i = 4 padding = 819 attr_size = 128
D/TA:  TA_generate_key:437 i = 5 padding = 823
D/TA:  TA_generate_key:464 i = 5 padding = 827 attr_size = 128
D/TA:  TA_generate_key:467 i = 5 padding = 955 attr_size = 128
D/TA:  TA_generate_key:437 i = 6 padding = 959
D/TA:  TA_generate_key:464 i = 6 padding = 963 attr_size = 128
D/TA:  TA_generate_key:467 i = 6 padding = 1091 attr_size = 128
D/TA:  TA_generate_key:437 i = 7 padding = 1095
D/TA:  TA_generate_key:464 i = 7 padding = 1099 attr_size = 128
D/TA:  TA_generate_key:467 i = 7 padding = 1227 attr_size = 128
D/TA:  TA_serialize_param_set:312 TA_serialize_param_set 312
D/TA:  TA_encrypt:220 TA_encrypt 220
D/TA:  TA_execute:155 TA_execute 155 size = 4544
D/TA:  TA_open_secret_key:35 TA_open_secret_key 35
D/TA:  TA_execute:190 tagLen = 16
D/TA:  TA_execute:194 tagLen = 16
D/TA:  TA_serialize_key_blob:270 TA_serialize_key_blob 270
D/TA:  TA_serialize_characteristics:233 TA_serialize_characteristics 233
D/TA:  TA_free_params:25 TA_free_params 25
D/TA:  TA_free_params:25 TA_free_params 25
D/TA:  TA_free_params:25 TA_free_params 25
01-01 00:00:32.987   318   318 D OpteeKeymaster_cpp: legacy_enum_conversion 67
01-01 00:00:32.987   318   318 D OpteeKeymaster_cpp: deserializeKeyBlob 1201

@moonhjh Is this on boot, or are you running some kind of vold tests? We're not aware of any limitation on key blob size, so not sure why it's limited to 2048 only in vold? Is it something you can increase?

Yes, this is on boot; I don't run any tests. It is limited by AOSP vold. It is about FDE; the source looks like this:

/* Create a new keymaster key and store it in this footer */
static int keymaster_create_key(struct crypt_mnt_ftr *ftr)
{
    if (ftr->keymaster_blob_size) {
        SLOGI("Already have key");
        return 0;
    }

    /* The blob is written into ftr->keymaster_blob, capped at KEYMASTER_BLOB_SIZE bytes. */
    int rc = keymaster_create_key_for_cryptfs_scrypt(RSA_KEY_SIZE, RSA_EXPONENT,
            KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
            &ftr->keymaster_blob_size);
    if (rc) {
        if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
            SLOGE("Keymaster key blob too large");
            ftr->keymaster_blob_size = 0;
        }
        SLOGE("Failed to generate keypair");
        return -1;
    }
    return 0;
}

I increased it from 2048 to 8192, but the device cannot boot; FDE decryption failed. This bug appears when FDE is enabled.

I assume it's probably a bug in vold.

There is a strange definition of the maximum keymaster key blob size here https://android.googlesource.com/platform/system/vold/+/master/cryptfs.h#99, which doesn't have any reference/notice of the source of this value.

Even for the plain value of the key blob (not the final encrypted key blob that keymaster provides to the caller), 2048 bytes for RSA-2048 probably won't be enough, as apart from the key data we also need to store key characteristics and tags.

The key blob consists of these three parts:

  1. Key characteristics (key usage etc.).
  2. Key data, which consists of 8 bignums, so-called key attributes (we're allocating space sufficient to store RSA-4096, where attributes can be up to 512 bytes, i.e. the modulus value). I'm not sure if we really need to allocate 512 bytes for the other attributes (primes, private exponent, etc.; @jbech-linaro please provide your feedback). I guess it's done just to simplify the logic of key serialization and avoid handling different sizes for different attributes.
  3. Tags

> @moonhjh I increased it from 2048 to 8192, but the device cannot boot; FDE decryption failed. This bug appears when FDE is enabled.

When reading the Keymaster documentation it mentions that supported values are 1024, 2048, 3072 and 4096. That might explain why 8192 doesn't work. As @igoropaniuk said, we allocate 512 bytes (4096 bits) as the upper limit, so we do indeed have this limit in the current implementation in accordance with the Keymaster specification.

> @igoropaniuk I'm not sure if we really need to allocate 512 bytes for other attributes (primes, private exponent etc, @jbech-linaro please provide your feedback)

Since the public exponent only allows 3 or 65537, it seems overkill to allocate 512 bytes. The modulus is the big one that matches the size of the key, likewise the private exponent, but the other attributes are small(er) (primes are key size / 2 etc., remember that n=pq etc.). I think, as you're saying, that this is a bit of a waste to allocate that much in general. In the future we should try to optimize it a bit.
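The attribute sizes in the TA log above (256, 3, 256, then five of 128) follow from the RSA-2048 arithmetic discussed in this comment. The added example below (not code from kmgk or vold) derives them for each supported key size and compares a fixed 512-byte-slot layout with a length-prefixed one against vold's 2048-byte limit. The attribute order, the 4-byte length prefix and all function names are assumptions for illustration; the totals cover key data only, not characteristics, tags or encryption overhead.

```c
#include <stddef.h>
#include <stdint.h>

#define RSA_ATTR_COUNT   8u     /* "8 bignums" per the thread */
#define ATTR_SLOT_BYTES  512u   /* per-attribute allocation described in the thread */
#define VOLD_BLOB_LIMIT  2048u  /* buffer size reported in the vold log */
#define LEN_PREFIX_BYTES 4u     /* assumed length prefix for the compact layout */

/* Bytes needed to hold a public exponent such as 3 or 65537. */
static size_t exponent_bytes(uint32_t e)
{
    size_t n = 1;
    while ((e >>= 8) != 0)
        n++;
    return n;
}

/*
 * Upper bound, in bytes, of each RSA key-pair attribute. Assumed order:
 * modulus, public exponent, private exponent, p, q, dp, dq, qinv.
 * Returns the total, or 0 for key sizes outside the supported set.
 */
size_t rsa_attr_sizes(uint32_t key_bits, uint32_t pub_exp, size_t out[RSA_ATTR_COUNT])
{
    if (key_bits != 1024 && key_bits != 2048 && key_bits != 3072 && key_bits != 4096)
        return 0;
    size_t total = 0;
    for (size_t i = 0; i < RSA_ATTR_COUNT; i++) {
        if (i == 1)
            out[i] = exponent_bytes(pub_exp);
        else if (i == 0 || i == 2)
            out[i] = key_bits / 8;   /* n and d are as wide as the key */
        else
            out[i] = key_bits / 16;  /* n = p*q, so CRT values are half-width */
        total += out[i];
    }
    return total;
}

/* Key data size when every attribute gets a fixed 512-byte slot. */
size_t fixed_slot_bytes(void) { return RSA_ATTR_COUNT * ATTR_SLOT_BYTES; }

/* Key data size with a length prefix plus the actual attribute bytes. */
size_t compact_bytes(uint32_t key_bits, uint32_t pub_exp)
{
    size_t sizes[RSA_ATTR_COUNT];
    size_t total = rsa_attr_sizes(key_bits, pub_exp, sizes);
    return total ? total + RSA_ATTR_COUNT * LEN_PREFIX_BYTES : 0;
}

/* Nonzero when the key data alone would fit the 2048-byte buffer. */
int fits_vold_limit(size_t bytes) { return bytes != 0 && bytes <= VOLD_BLOB_LIMIT; }
```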

> When reading the Keymaster documentation it mentions that supported values are 1024, 2048, 3072 and 4096. That might explain why 8192 doesn't work. As @igoropaniuk said, we allocate 512 bytes (4096 bits) as the upper limit, so we do indeed have this limit in the current implementation in accordance with the Keymaster specification.

Actually, he meant the value 2048 bytes for storing the final key blob, not the key size. The key size in vold is 2048 bits by default, but the strange thing is that the size of the key blob (generated by our keymaster TA) with RSA-2048 key data + key characteristics and tags is 4544 bytes, based on the output provided, so 8192 bytes should be sufficient.

@moonhjh could you please provide the output, but with KEYMASTER_BLOB_SIZE changed to 8192. Thanks!

@jbech-linaro or as an assumption (@jbech-linaro and seems you're right here) instead of changing KEYMASTER_BLOB_SIZE from 2048 to 8192, RSA_KEY_SIZE was changed by error.

Sorry, I tried again and changed KEYMASTER_BLOB_SIZE from 2048 to 8192. It works well, but I don't know why vold limits the key blob size to 2048.

@moonhjh thanks for the confirmation!

@vchong should we keep this issue open (you said that you were going to reach Google people regarding the KEYMASTER_BLOB_SIZE definition) for information/discussions?

@igoropaniuk it seems like they're busy atm, but even if not, not sure if they'll comment here directly. In any case, let's just close this for now since there's a 'workaround'. If we ever hear back from them, I'll add a comment about it later.

Submitted a ticket to Google about this. See https://issuetracker.google.com/issues/132106312 for details/discussions.