From e4ee4eb40471c61a956b0f40d14d9d19ea5f97a2 Mon Sep 17 00:00:00 2001 From: Alex Dale Date: Thu, 18 Feb 2021 19:33:33 -0800 Subject: [PATCH 1/2] Restructed reference root of trust (1/3 Keybox) [ Merge of http://go/wvgerrit/115550 ] This change is the first part of a three part change for restructing the root of trust used by the reference implementation. The API of the AuthenticationRoot class has been updated to reflect the OEMCrypto functions that relate to the root of trust. This involves changing the keybox and DRM Cert methods and adding in new stubs for OEM Certificates. The WvKeybox now uses a RAII-like interface to ensure that keyboxes are provisioned correctly or not at all. Bug: 135283522 Test: oemcrypto_unittests ce_cdm_tests Change-Id: I3f2baf29c1022e1806b6196fa6650d761785c626 --- .../oemcrypto/ref/src/oemcrypto_auth_ref.cpp | 250 ++++++++++++++++-- .../oemcrypto/ref/src/oemcrypto_auth_ref.h | 148 ++++++++--- .../ref/src/oemcrypto_engine_ref.cpp | 6 +- .../oemcrypto/ref/src/oemcrypto_engine_ref.h | 31 ++- .../ref/src/oemcrypto_keybox_ref.cpp | 145 ++++++---- .../oemcrypto/ref/src/oemcrypto_keybox_ref.h | 66 +++-- .../oemcrypto/ref/src/oemcrypto_ref.cpp | 75 +----- .../oemcrypto/ref/src/oemcrypto_session.cpp | 2 +- 8 files changed, 524 insertions(+), 199 deletions(-) diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp index 9ed3f6de..e6ab7cec 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.cpp @@ -6,14 +6,20 @@ // #include "oemcrypto_auth_ref.h" +#include + +#include #include #include "keys.h" #include "log.h" -#include "oemcrypto_rsa_key_shared.h" +namespace wvoec_ref { namespace { +// Fake device ID which is to be returned inplace of a real ID. +const std::string kFakeDeviceId = "device_with_no_keybox"; + // A 2048 bit RSA key in PKCS#8 PrivateKeyInfo format // This is the RSA Test Key. This key is not derived // from any Widevine authentication root. @@ -172,32 +178,240 @@ static const uint8_t kTestRSAPKCS8PrivateKeyInfo2_2048[] = { 0x56, 0xfe, 0x39, 0x28, 0x33, 0xe0, 0xdb, 0x03 }; +// Filler for returning vector references. +const std::vector kEmptyVector; } // namespace -namespace wvoec_ref { - -AuthenticationRoot::AuthenticationRoot(OEMCrypto_ProvisioningMethod method) : - provisioning_method_(method), - use_test_keybox_(false) { - if ((provisioning_method_ == OEMCrypto_DrmCertificate) && - !rsa_key_.LoadPkcs8RsaKey(kPrivateKey, kPrivateKeySize)) { - // This error message is OK in unit tests which use test certificate. - LOGE("FATAL ERROR: Platform uses a baked-in certificate instead of a " - "keybox, but the certificate could not be loaded."); +bool AuthenticationRoot::Initialize(OEMCrypto_ProvisioningMethod method) { + if (prov_method_ != OEMCrypto_ProvisioningError) { + // If provisioning method is something other than ProvisioningError + // indicates it has already been initialized before. Must + // existing data. + rsa_key_set_ = false; + rsa_key_.reset(); + test_rsa_key_.reset(); + keybox_.reset(); + test_keybox_.reset(); + } + prov_method_ = method; + switch (method) { + case OEMCrypto_DrmCertificate: { + rsa_key_set_ = rsa_key_.LoadPkcs8RsaKey(kPrivateKey, kPrivateKeySize); + if (!rsa_key_set_) { + // This error message is OK in unit tests which use test certificate. + LOGE( + "FATAL ERROR: Platform uses a baked-in certificate instead of a " + "keybox, but the certificate could not be loaded."); + } + return true; + } + case OEMCrypto_Keybox: + case OEMCrypto_OEMCertificate: + // Nothing to do yet. + return true; + case OEMCrypto_ProvisioningError: + default: { + LOGE("Invalid provisioning method: method = %d", + static_cast(method)); + prov_method_ = OEMCrypto_ProvisioningError; + return false; + } } } -KeyboxError AuthenticationRoot::ValidateKeybox() { - return keybox().Validate(); +bool AuthenticationRoot::IsValid() const { + switch (prov_method_) { + case OEMCrypto_DrmCertificate: { + return rsa_key_set_ && HasDeviceKey(); + } + case OEMCrypto_Keybox: { + return HasDeviceKey(); + } + case OEMCrypto_OEMCertificate: { + // TODO(sigquit): Add OEM Certificate validation. + return true; + } + default: { + LOGE("Root of trust is not properly initialized"); + return false; + } + } } -bool AuthenticationRoot::LoadTestRsaKey() { - return rsa_key_.LoadPkcs8RsaKey(kTestRSAPKCS8PrivateKeyInfo2_2048, - sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048)); +OEMCryptoResult AuthenticationRoot::IsKeyboxOrOemCertValid() const { + switch (prov_method_) { + case OEMCrypto_Keybox: { + WvKeybox* kb = keybox(); + if (kb == nullptr) { + LOGW("Null keybox cannot be validated"); + return OEMCrypto_ERROR_KEYBOX_INVALID; + } + return kb->IsKeyboxValid(); + } + case OEMCrypto_OEMCertificate: { + LOGW("OEM certificate validation is not implemented"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + case OEMCrypto_DrmCertificate: { + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + default: + LOGE("Root of trust is not properly initialized"); + return OEMCrypto_ERROR_SYSTEM_INVALIDATED; + } } -bool AuthenticationRoot::Validate() { - return NO_ERROR == ValidateKeybox(); +OEMCryptoResult AuthenticationRoot::GetDeviceId( + uint8_t* device_id, size_t* device_id_length) const { + WvKeybox* kb = keybox(); + if (kb != nullptr) { + return kb->GetDeviceId(device_id, device_id_length); + } + if (prov_method_ == OEMCrypto_Keybox) { + // Keybox devices must have keybox for the source of the device + // ID. + LOGE("Expected keybox to be set for a device ID"); + return OEMCrypto_ERROR_NO_DEVICEID; + } + // For non-Keybox devices use fake device ID. + if (device_id_length == nullptr) { + LOGE("Output device ID length is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (device_id == nullptr && *device_id_length > 0) { + LOGE("Output device ID buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (*device_id_length < kFakeDeviceId.size()) { + *device_id_length = kFakeDeviceId.size(); + return OEMCrypto_ERROR_SHORT_BUFFER; + } + *device_id_length = kFakeDeviceId.size(); + memcpy(device_id, kFakeDeviceId.data(), kFakeDeviceId.size()); + return OEMCrypto_SUCCESS; } +std::vector AuthenticationRoot::DeviceId() const { + WvKeybox* kb = keybox(); + if (kb != nullptr) { + return kb->DeviceId(); + } + if (prov_method_ == OEMCrypto_Keybox) { + LOGE("Expected keybox to be set for a device ID"); + return kEmptyVector; + } + return std::vector(kFakeDeviceId.begin(), kFakeDeviceId.end()); +} + +std::vector AuthenticationRoot::DeviceKey() const { + WvKeybox* kb = keybox(); + if (kb != nullptr) { + return kb->DeviceKey(); + } + LOGE("No device key has been set"); + return kEmptyVector; +} + +bool AuthenticationRoot::HasDeviceKey() const { return keybox() != nullptr; } + +void AuthenticationRoot::Clear() { + RemoveTestRsaKey(); + RemoveTestKeybox(); +} + +OEMCryptoResult AuthenticationRoot::LoadTestRsaKey() { + if (prov_method_ != OEMCrypto_DrmCertificate) { + LOGE("System does not support DRM certificates"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + if (test_rsa_key_.get() != nullptr) { + LOGE("Test RSA key is already loaded"); + return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES; + } + if (!test_rsa_key_.LoadPkcs8RsaKey( + kTestRSAPKCS8PrivateKeyInfo2_2048, + sizeof(kTestRSAPKCS8PrivateKeyInfo2_2048))) { + LOGE("Failed to load test RSA key"); + return OEMCrypto_ERROR_UNKNOWN_FAILURE; + } + rsa_key_set_ = true; + return OEMCrypto_SUCCESS; +} + +OEMCryptoResult AuthenticationRoot::IsKeyboxValid() const { + WvKeybox* kb = keybox(); + if (kb == nullptr) { + return OEMCrypto_ERROR_KEYBOX_INVALID; + } + return kb->IsKeyboxValid(); +} + +OEMCryptoResult AuthenticationRoot::InstallKeybox(const uint8_t* keybox_data, + size_t keybox_length) { + if (keybox_) { + LOGE("Keybox already installed"); + return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES; + } + const OEMCryptoResult result = + WvKeybox::ValidateData(keybox_data, keybox_length); + if (result != OEMCrypto_SUCCESS) { + LOGE("Cannot install an invalid keybox"); + return result; + } + keybox_ = WvKeybox::Create(keybox_data, keybox_length); + return OEMCrypto_SUCCESS; +} + +OEMCryptoResult AuthenticationRoot::InstallTestKeybox( + const uint8_t* keybox_data, size_t keybox_length) { + if (prov_method_ != OEMCrypto_Keybox) { + LOGE("System does not support keybox"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + if (test_keybox_) { + LOGE("Test keybox already installed"); + return OEMCrypto_ERROR_INSUFFICIENT_RESOURCES; + } + const OEMCryptoResult result = + WvKeybox::ValidateData(keybox_data, keybox_length); + if (result != OEMCrypto_SUCCESS) { + LOGE("Cannot install an invalid test keybox"); + return result; + } + test_keybox_ = WvKeybox::Create(keybox_data, keybox_length); + return OEMCrypto_SUCCESS; +} + +OEMCryptoResult AuthenticationRoot::GetKeyData(uint8_t* key_data, + size_t* key_data_length) const { + if (prov_method_ != OEMCrypto_Keybox) { + LOGE("System does not support keybox"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + WvKeybox* kb = keybox(); + if (kb == nullptr) { + LOGE("No keybox to be set for source of key data"); + return OEMCrypto_ERROR_NO_KEYDATA; + } + return kb->GetKeyData(key_data, key_data_length); +} + +OEMCryptoResult AuthenticationRoot::GetOemPublicCertificate( + uint8_t* public_cert, size_t* public_cert_length) const { + if (prov_method_ != OEMCrypto_OEMCertificate) { + LOGE("System does not support OEM certificates"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; + } + LOGE("OEM certificates have not been implemented on auth root"); + return OEMCrypto_ERROR_NOT_IMPLEMENTED; +} + +const std::vector& AuthenticationRoot::GetOemPrivateKey() const { + if (prov_method_ != OEMCrypto_OEMCertificate) { + LOGE("System does not support OEM certificates"); + return kEmptyVector; + } + LOGE("OEM certificates have not been implemented on auth root"); + return kEmptyVector; +} } // namespace wvoec_ref diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h index f6ee9ded..3650c557 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_auth_ref.h @@ -21,61 +21,141 @@ #include "oemcrypto_types.h" namespace wvoec_ref { - +// The AuthenticationRoot class contains the OEMCrypto information +// which makes up the "root of trust" of a device. class AuthenticationRoot { public: - explicit AuthenticationRoot(OEMCrypto_ProvisioningMethod method); + AuthenticationRoot() {} ~AuthenticationRoot() {} - bool Validate(); + // Initializes the root of authentication for the provided + // |method|. This will clear any previously initialied data. + bool Initialize(OEMCrypto_ProvisioningMethod method); - KeyboxError ValidateKeybox(); + // General root of trust API. - bool InstallKeybox(const uint8_t* keybox_data, size_t keybox_length) { - return keybox().InstallKeybox(keybox_data, keybox_length); + // Checks that the auth root has been properly initialized and can + // be used by the rest of OEMCrypto for the current provisioning + // method. + bool IsValid() const; + + // Checks the validity of the underlying Keybox or OEM Certificate + // depending on the provisioning method. + // Similar to the expected behavior of OEMCrypto_IsKeyboxOrOEMCertValid(). + OEMCryptoResult IsKeyboxOrOemCertValid() const; + + // Gets the device ID from the root of trust. + // Similar to the expected behavior of OEMCrypto_GetDeviceID(). + OEMCryptoResult GetDeviceId(uint8_t* device_id, + size_t* device_id_length) const; + + // Returns the device ID from the root of trust. Intended to be used + // for core message generation. + std::vector DeviceId() const; + + // Returns the device key from the root of trust. For keybox-based + // devices, this is the device key from the keybox (or test keybox + // if installed). For devices that use a non-keybox provisioning + // method, this will be a device specific key. + std::vector DeviceKey() const; + + // Check for the existence of a device key. + bool HasDeviceKey() const; + + // Clears any test data inside this root of trust. + void Clear(); + + // DRM Certificate-based root of trust API. + + // Returns the shared RSA private key from the built-in DRM + // Certificate. + RSA_shared_ptr& SharedRsaKey() { + return test_rsa_key_.get() != nullptr ? test_rsa_key_ : rsa_key_; + } + RSA* rsa_key() { + return test_rsa_key_.get() != nullptr ? test_rsa_key_.get() + : rsa_key_.get(); } - const std::vector& DeviceKey(bool use_real_keybox = false) { - return use_real_keybox ? real_keybox().device_key() : - keybox().device_key(); + // Loads the system's built-in RSA key. Only implemented for + // devices that are that pre-provisioned with a built-in DRM + // Certificate, + // This method implements the expected behavior of + // OEMCrypto_LoadTestRSAKey(). + OEMCryptoResult LoadTestRsaKey(); + + // Removes any installed test RSA key. + void RemoveTestRsaKey() { test_rsa_key_.reset(); } + + // Keybox-based root of trust API. + + // Returns the currently installed keybox (or test keybox) if any + // present. The test keybox takes priority over the standard. + WvKeybox* keybox() const { + return test_keybox_ ? test_keybox_.get() : keybox_.get(); } - const std::vector& DeviceId() { - return keybox().device_id(); - } + // Checks the validity of the keybox regardless of the provisioning + // method. + OEMCryptoResult IsKeyboxValid() const; - size_t DeviceTokenLength() { - return keybox().key_data_length(); - } + // Installs a clear WV keybox as the root of trust. + // A keybox can only be installed once, however, the provisioning + // method stated at initialization remains the same. + // + // This method is similar to the expected behavior of + // OEMCrypto_InstallKeyboxOrOEMCert() for keybox devices except + // that the keybox provided here must be decrypted before installing. + OEMCryptoResult InstallKeybox(const uint8_t* keybox_data, + size_t keybox_length); - const uint8_t* DeviceToken() { - return keybox().key_data(); - } + // Installs a clear test WV keybox. Only settable for devices that + // uses a keybox for provisioning. + // + // This method is similar to the expected behavior of + // OEMCrypto_LoadTestKeybox() for keybox devices except that + // the keybox provided here must be decrypted before installing. + OEMCryptoResult InstallTestKeybox(const uint8_t* keybox_data, + size_t keybox_length); - WvKeybox& keybox() { return use_test_keybox_ ? test_keybox_ : keybox_; } - bool UseTestKeybox(const uint8_t* keybox_data, size_t keybox_length) { - use_test_keybox_ = true; - return test_keybox_.InstallKeybox(keybox_data, keybox_length); - } + // Removes any installed test keybox. + void RemoveTestKeybox() { test_keybox_.reset(); } - RSA_shared_ptr& SharedRsaKey() { return rsa_key_; } - RSA* rsa_key() { return rsa_key_.get(); } - bool LoadTestRsaKey(); - void Clear() { use_test_keybox_ = false; } + // Gets the keybox key data. + // Implements the expected behavior of OEMCrypto_GetKeyData(). + OEMCryptoResult GetKeyData(uint8_t* key_data, size_t* key_data_length) const; + + // OEM Certificate-base root of trust API. + + // For OEM Cert-based devices, returns the OEM Public Certificate + // component of the OEM Certificate. + // This method implements the expected behavior of + // OEMCrypto_GetOEMPublicCertificate(). + OEMCryptoResult GetOemPublicCertificate(uint8_t* public_cert, + size_t* public_cert_length) const; + + // Returns the OEM private key. Intended to be used when loading + // the OEM private key into a session. + // Should only be called for devices that use OEM Certificates + // for provisioning. + const std::vector& GetOemPrivateKey() const; private: - OEMCrypto_ProvisioningMethod provisioning_method_; - WvKeybox& real_keybox() { return keybox_; } - - WvKeybox keybox_; - WvKeybox test_keybox_; - bool use_test_keybox_; + OEMCrypto_ProvisioningMethod prov_method_ = OEMCrypto_ProvisioningError; + // DRM certificate. + // TODO(b/168544740): Remove |rsa_key_set_| when RSA_shared_ptr has + // been replaced with scoped RsaPrivateKey. + bool rsa_key_set_ = false; RSA_shared_ptr rsa_key_; // If no keybox, this is baked in certificate. + RSA_shared_ptr test_rsa_key_; + + // Keybox data. + std::unique_ptr keybox_; + std::unique_ptr test_keybox_; CORE_DISALLOW_COPY_AND_ASSIGN(AuthenticationRoot); }; - } // namespace wvoec_ref #endif // OEMCRYPTO_AUTH_REF_H_ diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp index e329f271..e85cebff 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.cpp @@ -39,9 +39,7 @@ namespace wvoec_ref { // for methods that are configured for specific configurations. CryptoEngine::CryptoEngine(std::unique_ptr&& file_system) - : root_of_trust_(config_provisioning_method()), - file_system_(std::move(file_system)), - usage_table_() { + : file_system_(std::move(file_system)), usage_table_() { ERR_load_crypto_strings(); } @@ -53,7 +51,7 @@ bool CryptoEngine::Initialize() { std::string file_path = GetUsageTimeFileFullPath(); LoadOfflineTimeInfo(file_path); usage_table_.reset(MakeUsageTable()); - return true; + return root_of_trust_.Initialize(config_provisioning_method()); } void CryptoEngine::Terminate() { diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h index 07d31cfc..394c17e7 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_engine_ref.h @@ -65,31 +65,40 @@ class CryptoEngine { virtual bool Initialize(); - bool ValidRootOfTrust() { return root_of_trust_.Validate(); } + bool ValidRootOfTrust() const { return root_of_trust_.IsValid(); } - bool InstallKeybox(const uint8_t* keybox, size_t keybox_length) { + OEMCryptoResult InstallKeybox(const uint8_t* keybox, size_t keybox_length) { return root_of_trust_.InstallKeybox(keybox, keybox_length); } - bool UseTestKeybox(const uint8_t* keybox_data, size_t keybox_length) { - return root_of_trust_.UseTestKeybox(keybox_data, keybox_length); + OEMCryptoResult InstallTestKeybox(const uint8_t* keybox_data, + size_t keybox_length) { + return root_of_trust_.InstallTestKeybox(keybox_data, keybox_length); } - bool LoadTestRsaKey() { return root_of_trust_.LoadTestRsaKey(); } + OEMCryptoResult LoadTestRsaKey() { return root_of_trust_.LoadTestRsaKey(); } - KeyboxError ValidateKeybox() { return root_of_trust_.ValidateKeybox(); } + OEMCryptoResult IsKeyboxValid() const { + return root_of_trust_.IsKeyboxValid(); + } - const std::vector& DeviceRootKey() { + std::vector DeviceRootKey() const { return root_of_trust_.DeviceKey(); } - const std::vector& DeviceRootId() { + OEMCryptoResult GetDeviceRootId(uint8_t* device_id, + size_t* device_id_length) const { + return root_of_trust_.GetDeviceId(device_id, device_id_length); + } + + std::vector DeviceRootId() const { return root_of_trust_.DeviceId(); } - size_t DeviceRootTokenLength() { return root_of_trust_.DeviceTokenLength(); } - - const uint8_t* DeviceRootToken() { return root_of_trust_.DeviceToken(); } + OEMCryptoResult GetRootKeyData(uint8_t* key_data, + size_t* key_data_length) const { + return root_of_trust_.GetKeyData(key_data, key_data_length); + } virtual void Terminate(); diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.cpp index 0e4a6307..cfb070ad 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.cpp +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.cpp @@ -17,58 +17,113 @@ #include "wvcrc32.h" namespace wvoec_ref { +namespace { +constexpr size_t kKeyboxSize = 128; +constexpr size_t kDeviceIdSize = 32; +constexpr size_t kKeyDataSize = 72; +constexpr size_t kMagicOffset = 120; +const uint8_t kMagic[4] = {'k', 'b', 'o', 'x'}; +constexpr size_t kCrcKeyboxSize = 124; +constexpr size_t kCrcOffset = 124; -WvKeybox::WvKeybox() : loaded_(false) { - static std::string fake_device_id = "device_with_no_keybox"; - device_id_.assign(fake_device_id.begin(), fake_device_id.end()); +static_assert(sizeof(wvoec::WidevineKeybox) == kKeyboxSize, + "Unexpected keybox size"); + +template +std::vector ToVector(const uint8_t (&field)[N]) { + return std::vector(field, &field[N]); +} +} // namespace + +// static +OEMCryptoResult WvKeybox::ValidateData(const uint8_t* keybox, + size_t keybox_length) { + if (keybox == nullptr) { + LOGE("Keybox data buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (keybox_length != kKeyboxSize) { + LOGE("Invalid keybox length: length = %zu", keybox_length); + return OEMCrypto_ERROR_KEYBOX_INVALID; + } + if (memcmp(&keybox[kMagicOffset], kMagic, sizeof(kMagic))) { + LOGE("Invalid keybox magic"); + return OEMCrypto_ERROR_BAD_MAGIC; + } + uint32_t crc_provided; + memcpy(&crc_provided, &keybox[kCrcOffset], sizeof(crc_provided)); + const uint32_t crc_computed = wvcrc32n(keybox, kCrcKeyboxSize); + if (crc_provided != crc_computed) { + LOGE("Invalid keybox CRC: provided = %08x, computed = %08x", crc_provided, + crc_computed); + return OEMCrypto_ERROR_BAD_CRC; + } + return OEMCrypto_SUCCESS; } -KeyboxError WvKeybox::Validate() { - if (!loaded_) { - LOGE("[KEYBOX NOT LOADED]"); - return OTHER_ERROR; +// static +std::unique_ptr WvKeybox::Create(const uint8_t* keybox_data, + size_t keybox_length) { + std::unique_ptr keybox; + if (keybox_length != kKeyboxSize) { + LOGE("Invalid keybox length: length = %zu", keybox_length); + return keybox; } - if (strncmp(reinterpret_cast(magic_), "kbox", 4) != 0) { - LOGE("[KEYBOX HAS BAD MAGIC]"); - return BAD_MAGIC; - } - uint32_t crc_computed; - uint32_t crc_stored; - uint8_t* crc_stored_bytes = (uint8_t*)&crc_stored; - memcpy(crc_stored_bytes, crc_, sizeof(crc_)); - wvoec::WidevineKeybox keybox; - memset(&keybox, 0, sizeof(keybox)); - memcpy(keybox.device_id_, &device_id_[0], device_id_.size()); - memcpy(keybox.device_key_, &device_key_[0], sizeof(keybox.device_key_)); - memcpy(keybox.data_, key_data_, sizeof(keybox.data_)); - memcpy(keybox.magic_, magic_, sizeof(keybox.magic_)); - - crc_computed = ntohl(wvcrc32(reinterpret_cast(&keybox), - sizeof(keybox) - 4)); // Drop last 4 bytes. - if (crc_computed != crc_stored) { - LOGE("[KEYBOX CRC problem: computed = %08x, stored = %08x]\n", - crc_computed, crc_stored); - return BAD_CRC; - } - return NO_ERROR; + keybox.reset(new WvKeybox()); + memcpy(reinterpret_cast(&keybox->raw_keybox_), keybox_data, + kKeyboxSize); + return keybox; } -bool WvKeybox::InstallKeybox(const uint8_t* buffer, size_t keyBoxLength) { - if (keyBoxLength != 128) { - return false; +OEMCryptoResult WvKeybox::GetDeviceId(uint8_t* device_id, + size_t* device_id_length) const { + if (device_id_length == nullptr) { + LOGE("Output device ID length buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; } - const wvoec::WidevineKeybox* keybox = - reinterpret_cast(buffer); - size_t device_id_length = - strnlen(reinterpret_cast(keybox->device_id_), 32); - device_id_.assign(keybox->device_id_, keybox->device_id_ + device_id_length); - device_key_.assign(keybox->device_key_, - keybox->device_key_ + sizeof(keybox->device_key_)); - memcpy(key_data_, keybox->data_, sizeof(keybox->data_)); - memcpy(magic_, keybox->magic_, sizeof(keybox->magic_)); - memcpy(crc_, keybox->crc_, sizeof(keybox->crc_)); - loaded_ = true; - return true; + if (device_id == nullptr && *device_id_length > 0) { + LOGE("Output device ID buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (*device_id_length < kDeviceIdSize) { + *device_id_length = kDeviceIdSize; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + *device_id_length = kDeviceIdSize; + memcpy(device_id, raw_keybox_.device_id_, kDeviceIdSize); + return OEMCrypto_SUCCESS; +} + +std::vector WvKeybox::DeviceId() const { + return ToVector(raw_keybox_.device_id_); +} + +std::vector WvKeybox::DeviceKey() const { + return ToVector(raw_keybox_.device_key_); +} + +OEMCryptoResult WvKeybox::GetKeyData(uint8_t* key_data, + size_t* key_data_length) const { + if (key_data_length == nullptr) { + LOGE("Output key data length buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (key_data == nullptr && *key_data_length > 0) { + LOGE("Output key data buffer is null"); + return OEMCrypto_ERROR_INVALID_CONTEXT; + } + if (*key_data_length < kKeyDataSize) { + *key_data_length = kKeyDataSize; + return OEMCrypto_ERROR_SHORT_BUFFER; + } + *key_data_length = kKeyDataSize; + memcpy(key_data, raw_keybox_.data_, kKeyDataSize); + return OEMCrypto_SUCCESS; +} + +OEMCryptoResult WvKeybox::IsKeyboxValid() const { + return ValidateData(reinterpret_cast(&raw_keybox_), + kKeyboxSize); } } // namespace wvoec_ref diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.h b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.h index 5f65ea70..47b8c070 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.h +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_keybox_ref.h @@ -7,38 +7,58 @@ #ifndef OEMCRYPTO_KEYBOX_REF_H_ #define OEMCRYPTO_KEYBOX_REF_H_ -#include "oemcrypto_key_ref.h" +#include +#include + +#include "OEMCryptoCENCCommon.h" +#include "oemcrypto_types.h" namespace wvoec_ref { -const int DEVICE_KEY_LENGTH = 16; -typedef uint8_t WvKeyboxKey[DEVICE_KEY_LENGTH]; - -const int KEY_DATA_LENGTH = 72; -typedef uint8_t WvKeyboxKeyData[KEY_DATA_LENGTH]; - -enum KeyboxError { NO_ERROR, BAD_CRC, BAD_MAGIC, OTHER_ERROR }; - // Widevine keybox class WvKeybox { public: - WvKeybox(); + // Validates keybox data using the following rules: + // 1. Data is not null + // 2. Keybox size + // 3. Matching magic + // 4. CRC-32 check + static OEMCryptoResult ValidateData(const uint8_t* keybox_data, + size_t keybox_length); + + // Creates a keybox from the provided keybox data. + // Provided keybox data must be the proper length, but does + // not need to be valid. + // Once created, keyboxes are immutable. + static std::unique_ptr Create(const uint8_t* keybox_data, + size_t keybox_length); + + // Gets the device ID from the keybox. + // Similar to the expected behavior of OEMCrypto_GetDeviceID(). + OEMCryptoResult GetDeviceId(uint8_t* device_id, + size_t* device_id_length) const; + // Returns the keybox device ID directly. Intended to be used + // for core message generation. + std::vector DeviceId() const; + + // Returns the keybox device key directly. Intended to be used + // for key derivation. + std::vector DeviceKey() const; + + // Gets the keybox data. + // Similar to the expected behavior of OEMCrypto_GetKeyData(). + OEMCryptoResult GetKeyData(uint8_t* key_data, size_t* key_data_length) const; + + // Checks the current keybox instantiation that it is valid. + // Similar to the expected behavior of OEMCrypto_IsKeyboxValid(). + OEMCryptoResult IsKeyboxValid() const; + ~WvKeybox() {} - KeyboxError Validate(); - const std::vector& device_id() { return device_id_; } - std::vector& device_key() { return device_key_; } - const WvKeyboxKeyData& key_data() { return key_data_; } - size_t key_data_length() { return KEY_DATA_LENGTH; } - bool InstallKeybox(const uint8_t* keybox, size_t keyBoxLength); - private: - bool loaded_; - std::vector device_id_; - std::vector device_key_; - WvKeyboxKeyData key_data_; - uint8_t magic_[4]; - uint8_t crc_[4]; + WvKeybox() {} + + wvoec::WidevineKeybox raw_keybox_; }; } // namespace wvoec_ref diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_ref.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_ref.cpp index 3f256466..68728809 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_ref.cpp +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_ref.cpp @@ -733,7 +733,7 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_WrapKeyboxOrOEMCert( } OEMCRYPTO_API OEMCryptoResult -OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox, size_t keyBoxLength) { +OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox, size_t keybox_length) { if (crypto_engine == nullptr) { LOGE("OEMCrypto_InstallKeyboxOrOEMCert: OEMCrypto Not Initialized."); return OEMCrypto_ERROR_UNKNOWN_FAILURE; @@ -741,10 +741,7 @@ OEMCrypto_InstallKeyboxOrOEMCert(const uint8_t* keybox, size_t keyBoxLength) { if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } - if (crypto_engine->InstallKeybox(keybox, keyBoxLength)) { - return OEMCrypto_SUCCESS; - } - return OEMCrypto_ERROR_WRITE_KEYBOX; + return crypto_engine->InstallKeybox(keybox, keybox_length); } OEMCRYPTO_API OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer, @@ -756,10 +753,7 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_LoadTestKeybox(const uint8_t* buffer, if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } - if (crypto_engine->UseTestKeybox(buffer, length)) { - return OEMCrypto_SUCCESS; - } - return OEMCrypto_ERROR_UNKNOWN_FAILURE; + return crypto_engine->InstallTestKeybox(buffer, length); } OEMCRYPTO_API OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void) { @@ -771,22 +765,10 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_IsKeyboxOrOEMCertValid(void) { case OEMCrypto_DrmCertificate: return OEMCrypto_SUCCESS; case OEMCrypto_Keybox: - switch (crypto_engine->ValidateKeybox()) { - case NO_ERROR: - return OEMCrypto_SUCCESS; - case BAD_CRC: - return OEMCrypto_ERROR_BAD_CRC; - case BAD_MAGIC: - return OEMCrypto_ERROR_BAD_MAGIC; - default: - case OTHER_ERROR: - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - break; + return crypto_engine->IsKeyboxValid(); case OEMCrypto_OEMCertificate: - // TODO(fredgc): verify that the certificate exists and is valid. + // TODO(sigquit): verify that the certificate exists and is valid. return OEMCrypto_SUCCESS; - break; default: LOGE("Invalid provisioning method: %d.", crypto_engine->config_provisioning_method()); @@ -835,32 +817,17 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetOEMPublicCertificate( return crypto_engine->get_oem_certificate(public_cert, public_cert_length); } -OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* deviceID, - size_t* idLength) { +OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetDeviceID(uint8_t* device_id, + size_t* device_id_length) { if (crypto_engine == nullptr) { LOGE("OEMCrypto_GetDeviceID: OEMCrypto Not Initialized."); return OEMCrypto_ERROR_UNKNOWN_FAILURE; } - const std::vector& dev_id_string = crypto_engine->DeviceRootId(); - if (dev_id_string.empty()) { - LOGE("[OEMCrypto_GetDeviceId(): Keybox Invalid]"); - return OEMCrypto_ERROR_KEYBOX_INVALID; - } - - size_t dev_id_len = dev_id_string.size(); - if (*idLength < dev_id_len) { - *idLength = dev_id_len; - LOGE("[OEMCrypto_GetDeviceId(): ERROR_SHORT_BUFFER]"); - return OEMCrypto_ERROR_SHORT_BUFFER; - } - memset(deviceID, 0, *idLength); - memcpy(deviceID, &dev_id_string[0], dev_id_len); - *idLength = dev_id_len; - return OEMCrypto_SUCCESS; + return crypto_engine->GetDeviceRootId(device_id, device_id_length); } -OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetKeyData(uint8_t* keyData, - size_t* keyDataLength) { +OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetKeyData(uint8_t* key_data, + size_t* key_data_length) { if (crypto_engine == nullptr) { LOGE("OEMCrypto_GetKeyData: OEMCrypto Not Initialized."); return OEMCrypto_ERROR_UNKNOWN_FAILURE; @@ -868,24 +835,7 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetKeyData(uint8_t* keyData, if (crypto_engine->config_provisioning_method() != OEMCrypto_Keybox) { return OEMCrypto_ERROR_NOT_IMPLEMENTED; } - size_t length = crypto_engine->DeviceRootTokenLength(); - if (keyDataLength == nullptr) { - LOGE("[OEMCrypto_GetKeyData(): null pointer. ERROR_UNKNOWN_FAILURE]"); - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - if (*keyDataLength < length) { - *keyDataLength = length; - LOGE("[OEMCrypto_GetKeyData(): ERROR_SHORT_BUFFER]"); - return OEMCrypto_ERROR_SHORT_BUFFER; - } - if (keyData == nullptr) { - LOGE("[OEMCrypto_GetKeyData(): null pointer. ERROR_UNKNOWN_FAILURE]"); - return OEMCrypto_ERROR_UNKNOWN_FAILURE; - } - memset(keyData, 0, *keyDataLength); - memcpy(keyData, crypto_engine->DeviceRootToken(), length); - *keyDataLength = length; - return OEMCrypto_SUCCESS; + return crypto_engine->GetRootKeyData(key_data, key_data_length); } OEMCRYPTO_API OEMCryptoResult OEMCrypto_GetRandom(uint8_t* randomData, @@ -1259,8 +1209,7 @@ OEMCRYPTO_API OEMCryptoResult OEMCrypto_LoadTestRSAKey() { LOGE("OEMCrypto_LoadTestRSAKey: OEMCrypto Not Initialized."); return OEMCrypto_ERROR_UNKNOWN_FAILURE; } - if (crypto_engine->LoadTestRsaKey()) return OEMCrypto_SUCCESS; - return OEMCrypto_ERROR_UNKNOWN_FAILURE; + return crypto_engine->LoadTestRsaKey(); } OEMCRYPTO_API OEMCryptoResult OEMCrypto_GenerateRSASignature( diff --git a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_session.cpp b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_session.cpp index 15671234..ed58fcf0 100644 --- a/libwvdrmengine/oemcrypto/ref/src/oemcrypto_session.cpp +++ b/libwvdrmengine/oemcrypto/ref/src/oemcrypto_session.cpp @@ -430,7 +430,7 @@ OEMCryptoResult SessionContext::PrepAndSignProvisioningRequest( } const size_t required_signature_size = ROTSignatureSize(); if (required_signature_size == 0) return OEMCrypto_ERROR_UNKNOWN_FAILURE; - const std::vector& device_id = ce_->DeviceRootId(); + const std::vector device_id = ce_->DeviceRootId(); OEMCryptoResult result = ODK_PrepareCoreProvisioningRequest( message, message_length, core_message_length, &nonce_values_, device_id.data(), device_id.size()); From 7f34e59ce636036efb6e44131310c5a022f3739a Mon Sep 17 00:00:00 2001 From: Bob Badour Date: Thu, 25 Mar 2021 09:52:52 -0700 Subject: [PATCH 2/2] [LSC] Add LOCAL_LICENSE_KINDS to vendor/widevine Added SPDX-license-identifier-Apache-2.0 legacy_by_exception_only to: Android.bp libwvdrmengine/Android.bp libwvdrmengine/vts/vendor_module/Android.bp Added legacy_by_exception_only to: libwvdrmengine/cdm/Android.bp libwvdrmengine/cdm/core/src/Android.bp libwvdrmengine/cdm/core/test/Android.bp libwvdrmengine/cdm/metrics/src/Android.bp libwvdrmengine/cdm/test/integration-test.mk libwvdrmengine/cdm/test/unit-test.mk libwvdrmengine/level3/Android.bp libwvdrmengine/mediacrypto/Android.bp libwvdrmengine/mediacrypto/test/Android.mk libwvdrmengine/mediadrm/Android.bp libwvdrmengine/mediadrm/test/Android.mk libwvdrmengine/oemcrypto/odk/Android.bp libwvdrmengine/oemcrypto/odk/test/fuzzing/Android.bp libwvdrmengine/oemcrypto/odk/test/fuzzing/corpus_generator/Android.bp libwvdrmengine/oemcrypto/test/Android.mk libwvdrmengine/test/unit/Android.mk libwvdrmengine/tools/metrics_dump/Android.bp Added SPDX-license-identifier-Apache-2.0 legacy_by_exception_only to: libwvdrmengine/Android.mk libwvdrmengine/vts/vendor_module/Android.mk Added legacy_by_exception_only to: libwvdrmengine/level3/arm/Android.mk libwvdrmengine/level3/arm64/Android.mk libwvdrmengine/level3/mips/Android.mk libwvdrmengine/level3/mips64/Android.mk libwvdrmengine/level3/x86/Android.mk libwvdrmengine/level3/x86_64/Android.mk libwvdrmengine/mediacrypto/Android.mk libwvdrmengine/mediadrm/Android.mk libwvdrmengine/oemcrypto/test/XtsTest.mk Bug: 68860345 Bug: 151177513 Bug: 151953481 Test: m all Exempt-From-Owner-Approval: janitorial work Change-Id: I41ef520b6e394a7708f453a706e6ef1a5f46c36a Merged-in: I41ef520b6e394a7708f453a706e6ef1a5f46c36a --- Android.bp | 45 +++++++++++++++++++++ libwvdrmengine/Android.mk | 16 ++++++++ libwvdrmengine/cdm/Android.bp | 12 ++++++ libwvdrmengine/cdm/core/src/Android.bp | 29 +++++++++++++ libwvdrmengine/cdm/metrics/src/Android.bp | 27 +++++++++++++ libwvdrmengine/cdm/test/integration-test.mk | 2 + libwvdrmengine/cdm/test/unit-test.mk | 2 + libwvdrmengine/level3/arm/Android.mk | 2 + libwvdrmengine/level3/arm64/Android.mk | 2 + libwvdrmengine/level3/mips/Android.mk | 2 + libwvdrmengine/level3/mips64/Android.mk | 2 + libwvdrmengine/level3/x86/Android.mk | 2 + libwvdrmengine/level3/x86_64/Android.mk | 2 + libwvdrmengine/mediacrypto/Android.mk | 4 ++ libwvdrmengine/mediacrypto/test/Android.mk | 4 ++ libwvdrmengine/mediadrm/Android.mk | 4 ++ libwvdrmengine/mediadrm/test/Android.mk | 7 +++- libwvdrmengine/oemcrypto/odk/Android.bp | 12 ++++++ libwvdrmengine/oemcrypto/test/Android.mk | 2 + libwvdrmengine/oemcrypto/test/XtsTest.mk | 2 + libwvdrmengine/test/unit/Android.mk | 4 ++ libwvdrmengine/vts/vendor_module/Android.mk | 2 + 22 files changed, 185 insertions(+), 1 deletion(-) create mode 100644 Android.bp diff --git a/Android.bp b/Android.bp new file mode 100644 index 00000000..292b5255 --- /dev/null +++ b/Android.bp @@ -0,0 +1,45 @@ +// +// Copyright (C) 2021 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + default_applicable_licenses: ["vendor_widevine_license"], +} + +// Added automatically by a large-scale-change that took the approach of +// 'apply every license found to every target'. While this makes sure we respect +// every license restriction, it may not be entirely correct. +// +// e.g. GPL in an MIT project might only apply to the contrib/ directory. +// +// Please consider splitting the single license below into multiple licenses, +// taking care not to lose any license_kind information, and overriding the +// default license using the 'licenses: [...]' property on targets as needed. +// +// For unused files, consider creating a 'fileGroup' with "//visibility:private" +// to attach the license to, and including a comment whether the files may be +// used in the current project. +// See: http://go/android-license-faq +license { + name: "vendor_widevine_license", + visibility: [":__subpackages__"], + license_kinds: [ + "SPDX-license-identifier-Apache-2.0", + "legacy_by_exception_only", // by exception only + ], + // large-scale-change unable to identify any license_text files +} diff --git a/libwvdrmengine/Android.mk b/libwvdrmengine/Android.mk index 31f2e751..c19a38da 100644 --- a/libwvdrmengine/Android.mk +++ b/libwvdrmengine/Android.mk @@ -33,6 +33,8 @@ include $(CLEAR_VARS) LOCAL_SRC_FILES := move_widevine_data.sh LOCAL_MODULE_CLASS := EXECUTABLES LOCAL_MODULE := $(LOCAL_SRC_FILES) +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_MODULE_TAGS := optional LOCAL_MODULE_OWNER := widevine @@ -47,6 +49,8 @@ include $(CLEAR_VARS) include $(LOCAL_PATH)/common_widevine_service.mk LOCAL_SRC_FILES := src_hidl/service.cpp LOCAL_MODULE := android.hardware.drm@1.2-service.widevine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_INIT_RC := src_hidl/android.hardware.drm@1.2-service.widevine.rc LOCAL_VINTF_FRAGMENTS := manifest_android.hardware.drm@1.2-service.widevine.xml @@ -60,6 +64,8 @@ include $(CLEAR_VARS) include $(LOCAL_PATH)/common_widevine_service.mk LOCAL_SRC_FILES := src_hidl/serviceLazy.cpp LOCAL_MODULE := android.hardware.drm@1.2-service-lazy.widevine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_OVERRIDES_MODULES := android.hardware.drm@1.2-service.widevine LOCAL_INIT_RC := src_hidl/android.hardware.drm@1.2-service-lazy.widevine.rc LOCAL_VINTF_FRAGMENTS := manifest_android.hardware.drm@1.2-service.widevine.xml @@ -74,6 +80,8 @@ include $(CLEAR_VARS) include $(LOCAL_PATH)/common_widevine_service.mk LOCAL_SRC_FILES := src_hidl/service.cpp LOCAL_MODULE := android.hardware.drm@1.3-service.widevine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_INIT_RC := src_hidl/android.hardware.drm@1.3-service.widevine.rc LOCAL_VINTF_FRAGMENTS := manifest_android.hardware.drm@1.3-service.widevine.xml @@ -87,6 +95,8 @@ include $(CLEAR_VARS) include $(LOCAL_PATH)/common_widevine_service.mk LOCAL_SRC_FILES := src_hidl/serviceLazy.cpp LOCAL_MODULE := android.hardware.drm@1.3-service-lazy.widevine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_OVERRIDES_MODULES := android.hardware.drm@1.3-service.widevine LOCAL_INIT_RC := src_hidl/android.hardware.drm@1.3-service-lazy.widevine.rc LOCAL_VINTF_FRAGMENTS := manifest_android.hardware.drm@1.3-service.widevine.xml @@ -99,6 +109,8 @@ include $(BUILD_EXECUTABLE) include $(CLEAR_VARS) LOCAL_MODULE := libcdm_utils +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_PROPRIETARY_MODULE := true @@ -184,6 +196,8 @@ LOCAL_HEADER_LIBRARIES := \ libstagefright_headers LOCAL_MODULE := libwvdrmengine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_MODULE_RELATIVE_PATH := mediadrm @@ -251,6 +265,8 @@ LOCAL_HEADER_LIBRARIES := \ libstagefright_foundation_headers \ LOCAL_MODULE := libwvhidl +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_MODULE_TAGS := optional diff --git a/libwvdrmengine/cdm/Android.bp b/libwvdrmengine/cdm/Android.bp index 4ad49ab4..8a2ba34a 100644 --- a/libwvdrmengine/cdm/Android.bp +++ b/libwvdrmengine/cdm/Android.bp @@ -2,6 +2,18 @@ // Builds libcdm.a // +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "vendor_widevine_license" + // to get the below license kinds: + // legacy_by_exception_only (by exception only) + default_applicable_licenses: ["vendor_widevine_license"], +} + SRC_DIR = "src" CORE_SRC_DIR = "core/src" METRICS_SRC_DIR = "metrics/src" diff --git a/libwvdrmengine/cdm/core/src/Android.bp b/libwvdrmengine/cdm/core/src/Android.bp index b0bdff09..d6631060 100644 --- a/libwvdrmengine/cdm/core/src/Android.bp +++ b/libwvdrmengine/cdm/core/src/Android.bp @@ -1,3 +1,32 @@ +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + default_applicable_licenses: [ + "vendor_widevine_libwvdrmengine_cdm_core_src_license", + ], +} + +// Added automatically by a large-scale-change +// +// large-scale-change included anything that looked like it might be a license +// text as a license_text. e.g. LICENSE, NOTICE, COPYING etc. +// +// Please consider removing redundant or irrelevant files from 'license_text:'. +// See: http://go/android-license-faq +license { + name: "vendor_widevine_libwvdrmengine_cdm_core_src_license", + visibility: [":__subpackages__"], + license_kinds: [ + "legacy_by_exception_only", // by exception only + ], + license_text: [ + "license.cpp", + "license_key_status.cpp", + "license_protocol.proto", + ], +} + cc_library { name: "libcdm_protos", diff --git a/libwvdrmengine/cdm/metrics/src/Android.bp b/libwvdrmengine/cdm/metrics/src/Android.bp index 041d737b..b8dbf981 100644 --- a/libwvdrmengine/cdm/metrics/src/Android.bp +++ b/libwvdrmengine/cdm/metrics/src/Android.bp @@ -1,3 +1,30 @@ +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Build host library for metrics_dump tool. +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "vendor_widevine_license" + // to get the below license kinds: + // legacy_by_exception_only (by exception only) + default_applicable_licenses: ["vendor_widevine_license"], +} + cc_library { name: "libcdm_metrics_protos", diff --git a/libwvdrmengine/cdm/test/integration-test.mk b/libwvdrmengine/cdm/test/integration-test.mk index d9301caf..d1d00e6c 100644 --- a/libwvdrmengine/cdm/test/integration-test.mk +++ b/libwvdrmengine/cdm/test/integration-test.mk @@ -7,6 +7,8 @@ $(call assert-not-null,test_name) include $(CLEAR_VARS) LOCAL_MODULE := $(test_name) +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests LOCAL_SRC_FILES := \ diff --git a/libwvdrmengine/cdm/test/unit-test.mk b/libwvdrmengine/cdm/test/unit-test.mk index cf51670e..0547f87a 100644 --- a/libwvdrmengine/cdm/test/unit-test.mk +++ b/libwvdrmengine/cdm/test/unit-test.mk @@ -7,6 +7,8 @@ $(call assert-not-null,test_name) include $(CLEAR_VARS) LOCAL_MODULE := $(test_name) +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests LOCAL_SRC_FILES := \ diff --git a/libwvdrmengine/level3/arm/Android.mk b/libwvdrmengine/level3/arm/Android.mk index 055513a5..0722e28b 100644 --- a/libwvdrmengine/level3/arm/Android.mk +++ b/libwvdrmengine/level3/arm/Android.mk @@ -14,6 +14,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/oemcrypto/odk/include \ vendor/widevine/libwvdrmengine/oemcrypto/odk/src LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/level3/arm64/Android.mk b/libwvdrmengine/level3/arm64/Android.mk index d2bb93f4..6ebc5967 100644 --- a/libwvdrmengine/level3/arm64/Android.mk +++ b/libwvdrmengine/level3/arm64/Android.mk @@ -14,6 +14,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/oemcrypto/odk/include \ vendor/widevine/libwvdrmengine/oemcrypto/odk/src LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/level3/mips/Android.mk b/libwvdrmengine/level3/mips/Android.mk index 85aeaf57..d45ae117 100644 --- a/libwvdrmengine/level3/mips/Android.mk +++ b/libwvdrmengine/level3/mips/Android.mk @@ -12,6 +12,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/level3/include \ vendor/widevine/libwvdrmengine/oemcrypto/include LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/level3/mips64/Android.mk b/libwvdrmengine/level3/mips64/Android.mk index 133589b8..2c9e7062 100644 --- a/libwvdrmengine/level3/mips64/Android.mk +++ b/libwvdrmengine/level3/mips64/Android.mk @@ -12,6 +12,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/level3/include \ vendor/widevine/libwvdrmengine/oemcrypto/include LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/level3/x86/Android.mk b/libwvdrmengine/level3/x86/Android.mk index dd3a0104..02a67ab4 100644 --- a/libwvdrmengine/level3/x86/Android.mk +++ b/libwvdrmengine/level3/x86/Android.mk @@ -14,6 +14,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/oemcrypto/odk/include \ vendor/widevine/libwvdrmengine/oemcrypto/odk/src LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/level3/x86_64/Android.mk b/libwvdrmengine/level3/x86_64/Android.mk index 199bfcfe..f76df747 100644 --- a/libwvdrmengine/level3/x86_64/Android.mk +++ b/libwvdrmengine/level3/x86_64/Android.mk @@ -14,6 +14,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/oemcrypto/odk/include \ vendor/widevine/libwvdrmengine/oemcrypto/odk/src LOCAL_MODULE := libwvlevel3 +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_CLASS := STATIC_LIBRARIES LOCAL_SRC_FILES := libl3oemcrypto.cpp \ ../src/generate_entropy_android.cpp \ diff --git a/libwvdrmengine/mediacrypto/Android.mk b/libwvdrmengine/mediacrypto/Android.mk index af10f4b1..9b4f6b79 100644 --- a/libwvdrmengine/mediacrypto/Android.mk +++ b/libwvdrmengine/mediacrypto/Android.mk @@ -32,6 +32,8 @@ LOCAL_SHARED_LIBRARIES := \ liblog LOCAL_MODULE := libwvdrmcryptoplugin +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_TAGS := optional @@ -77,6 +79,8 @@ LOCAL_SHARED_LIBRARIES := \ liblog LOCAL_MODULE := libwvdrmcryptoplugin_hidl +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_TAGS := optional diff --git a/libwvdrmengine/mediacrypto/test/Android.mk b/libwvdrmengine/mediacrypto/test/Android.mk index 08534c04..d420cb1e 100644 --- a/libwvdrmengine/mediacrypto/test/Android.mk +++ b/libwvdrmengine/mediacrypto/test/Android.mk @@ -44,6 +44,8 @@ LOCAL_C_INCLUDES += \ external/protobuf/src \ LOCAL_MODULE := libwvdrmmediacrypto_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests @@ -115,6 +117,8 @@ LOCAL_C_INCLUDES += \ external/protobuf/src \ LOCAL_MODULE := libwvdrmmediacrypto_hidl_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests diff --git a/libwvdrmengine/mediadrm/Android.mk b/libwvdrmengine/mediadrm/Android.mk index 85c1590a..448d660a 100644 --- a/libwvdrmengine/mediadrm/Android.mk +++ b/libwvdrmengine/mediadrm/Android.mk @@ -32,6 +32,8 @@ LOCAL_STATIC_LIBRARIES := \ libcdm_protos LOCAL_MODULE := libwvdrmdrmplugin +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_TAGS := optional @@ -79,6 +81,8 @@ LOCAL_SHARED_LIBRARIES := \ liblog LOCAL_MODULE := libwvdrmdrmplugin_hidl +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_PROPRIETARY_MODULE := true LOCAL_MODULE_TAGS := optional diff --git a/libwvdrmengine/mediadrm/test/Android.mk b/libwvdrmengine/mediadrm/test/Android.mk index f52c02fd..38a5bd30 100644 --- a/libwvdrmengine/mediadrm/test/Android.mk +++ b/libwvdrmengine/mediadrm/test/Android.mk @@ -47,6 +47,8 @@ LOCAL_C_INCLUDES += \ external/protobuf/src \ LOCAL_MODULE := libwvdrmdrmplugin_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests @@ -119,6 +121,8 @@ LOCAL_C_INCLUDES += \ external/protobuf/src \ LOCAL_MODULE := libwvdrmdrmplugin_hidl_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests @@ -180,6 +184,8 @@ LOCAL_C_INCLUDES += \ external/protobuf/src \ LOCAL_MODULE := hidl_metrics_adapter_unittest +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests @@ -194,4 +200,3 @@ LOCAL_MODULE_TARGET_ARCH := arm x86 mips endif include $(BUILD_EXECUTABLE) - diff --git a/libwvdrmengine/oemcrypto/odk/Android.bp b/libwvdrmengine/oemcrypto/odk/Android.bp index 41aa3e3a..01af3332 100644 --- a/libwvdrmengine/oemcrypto/odk/Android.bp +++ b/libwvdrmengine/oemcrypto/odk/Android.bp @@ -5,6 +5,18 @@ // ---------------------------------------------------------------- // Builds libwv_odk.a, The ODK Library (libwv_odk) is used by // the CDM and by oemcrypto implementations. +// *** THIS PACKAGE HAS SPECIAL LICENSING CONDITIONS. PLEASE +// CONSULT THE OWNERS AND opensource-licensing@google.com BEFORE +// DEPENDING ON IT IN YOUR PROJECT. *** +package { + // See: http://go/android-license-faq + // A large-scale-change added 'default_applicable_licenses' to import + // all of the 'license_kinds' from "vendor_widevine_license" + // to get the below license kinds: + // legacy_by_exception_only (by exception only) + default_applicable_licenses: ["vendor_widevine_license"], +} + cc_library_static { name: "libwv_odk", include_dirs: [ diff --git a/libwvdrmengine/oemcrypto/test/Android.mk b/libwvdrmengine/oemcrypto/test/Android.mk index 3b8ed93e..5d86cda5 100644 --- a/libwvdrmengine/oemcrypto/test/Android.mk +++ b/libwvdrmengine/oemcrypto/test/Android.mk @@ -6,6 +6,8 @@ LOCAL_C_INCLUDES := \ vendor/widevine/libwvdrmengine/cdm/util/include \ LOCAL_MODULE:=oemcrypto_test +LOCAL_LICENSE_KINDS:=legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS:=by_exception_only LOCAL_MODULE_TAGS := tests LOCAL_MODULE_OWNER := widevine diff --git a/libwvdrmengine/oemcrypto/test/XtsTest.mk b/libwvdrmengine/oemcrypto/test/XtsTest.mk index e6ef7a92..1120057e 100644 --- a/libwvdrmengine/oemcrypto/test/XtsTest.mk +++ b/libwvdrmengine/oemcrypto/test/XtsTest.mk @@ -3,6 +3,8 @@ LOCAL_PATH:= $(call my-dir) include $(CLEAR_VARS) LOCAL_MODULE := XtsOEMCryptoTestCases +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := optional LOCAL_MODULE_PATH := $(TARGET_OUT_DATA) diff --git a/libwvdrmengine/test/unit/Android.mk b/libwvdrmengine/test/unit/Android.mk index 2a4c9fba..29f21c2c 100644 --- a/libwvdrmengine/test/unit/Android.mk +++ b/libwvdrmengine/test/unit/Android.mk @@ -33,6 +33,8 @@ LOCAL_HEADER_LIBRARIES := \ libstagefright_foundation_headers \ LOCAL_MODULE := libwvdrmengine_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests @@ -89,6 +91,8 @@ LOCAL_HEADER_LIBRARIES := \ libstagefright_foundation_headers \ LOCAL_MODULE := libwvdrmengine_hidl_test +LOCAL_LICENSE_KINDS := legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only LOCAL_MODULE_TAGS := tests diff --git a/libwvdrmengine/vts/vendor_module/Android.mk b/libwvdrmengine/vts/vendor_module/Android.mk index 1e5dfea1..8279a16e 100644 --- a/libwvdrmengine/vts/vendor_module/Android.mk +++ b/libwvdrmengine/vts/vendor_module/Android.mk @@ -34,6 +34,8 @@ LOCAL_SHARED_LIBRARIES := \ libutils \ LOCAL_MODULE := libvtswidevine +LOCAL_LICENSE_KINDS := SPDX-license-identifier-Apache-2.0 legacy_by_exception_only +LOCAL_LICENSE_CONDITIONS := by_exception_only notice LOCAL_MODULE_RELATIVE_PATH := drm-vts-test-libs LOCAL_MODULE_TAGS := optional LOCAL_PROPRIETARY_MODULE := true