author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-07-09 01:12:07 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-07-09 01:12:07 +0000 |
commit | af43d0dcf5bc19e9a0c303390b5c998c987be348 (patch) | |
tree | 24e66007ff7241fc7f700e4da994e786e6e5ed1f | |
parent | 29c21a5ec0fce36c28ae32540269b5cfea5f888d (diff) | |
parent | 91ef4dacce84ef72412cc033624dc66675cf52a0 (diff) | |
download | core-af43d0dcf5bc19e9a0c303390b5c998c987be348.tar.gz |
Snap for 7533212 from 91ef4dacce84ef72412cc033624dc66675cf52a0 to sc-release
Change-Id: I76df702f7b52fbe25c0af1b96aadbea7e60bf7c8
-rw-r--r-- | init/mount_namespace.cpp | 3 | ||||
-rw-r--r-- | init/util.cpp | 6 | ||||
-rw-r--r-- | trusty/keymaster/Android.bp | 2 | ||||
-rw-r--r-- | trusty/keymaster/TrustyKeymaster.cpp | 10 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h | 2 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h | 53 | ||||
-rw-r--r-- | trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h | 2 | ||||
-rw-r--r-- | trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp | 120 | ||||
-rw-r--r-- | trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml | 4 | ||||
-rw-r--r-- | trusty/keymaster/keymint/service.cpp | 5 |
10 files changed, 202 insertions, 5 deletions
diff --git a/init/mount_namespace.cpp b/init/mount_namespace.cpp
index 15252a622..2a578082b 100644
--- a/init/mount_namespace.cpp
+++ b/init/mount_namespace.cpp
@@ -158,7 +158,8 @@ static bool ActivateFlattenedApexesIfPossible() {
 auto on_activate = [&](const std::string& apex_path, const apex::proto::ApexManifest& apex_manifest) {
 apex_infos.emplace_back(apex_manifest.name(), apex_path, apex_path, apex_manifest.version(),
- apex_manifest.versionname(), /*isFactory=*/true, /*isActive=*/true);
+ apex_manifest.versionname(), /*isFactory=*/true, /*isActive=*/true,
+ /* lastUpdateMillis= */ 0);
 };
 for (const auto& dir : kBuiltinDirsForApexes) {
diff --git a/init/util.cpp b/init/util.cpp
index a40d10416..9f7bfdb5b 100644
--- a/init/util.cpp
+++ b/init/util.cpp
@@ -253,8 +253,10 @@ void ImportBootconfig(const std::function<void(const std::string&, const std::st
 for (const auto& entry : android::base::Split(bootconfig, "\n")) {
 std::vector<std::string> pieces = android::base::Split(entry, "=");
 if (pieces.size() == 2) {
- pieces[1].erase(std::remove(pieces[1].begin(), pieces[1].end(), '"'), pieces[1].end());
- fn(android::base::Trim(pieces[0]), android::base::Trim(pieces[1]));
+ // get rid of the extra space between a list of values and remove the quotes.
+ std::string value = android::base::StringReplace(pieces[1], "\", \"", ",", true);
+ value.erase(std::remove(value.begin(), value.end(), '"'), value.end());
+ fn(android::base::Trim(pieces[0]), android::base::Trim(value));
 }
 }
 }
diff --git a/trusty/keymaster/Android.bp b/trusty/keymaster/Android.bp
index 33eb335fb..ff6460de8 100644
--- a/trusty/keymaster/Android.bp
+++ b/trusty/keymaster/Android.bp
@@ -100,6 +100,7 @@ cc_binary {
 "ipc/trusty_keymaster_ipc.cpp",
 "keymint/TrustyKeyMintDevice.cpp",
 "keymint/TrustyKeyMintOperation.cpp",
+ "keymint/TrustyRemotelyProvisionedComponentDevice.cpp",
 "keymint/TrustySecureClock.cpp",
 "keymint/TrustySharedSecret.cpp",
 "keymint/service.cpp",
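Review bot: The added argument comment `/* lastUpdateMillis= */ 0` is spelled differently from its neighbours `/*isFactory=*/true, /*isActive=*/true` on the same emplace_back call, so the three name-tags no longer read as one convention. Suggest `/*lastUpdateMillis=*/0);` for the added line to keep the call uniform. The enclosing `on_activate` lambda and ActivateFlattenedApexesIfPossible() both continue outside the hunk.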
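Review bot: The StringReplace on the new `std::string value = ...` line only collapses the exact four-character separator `", "`; a value whose quoted items are separated with any other spacing (`"a" , "b"`, `"a",  "b"`) skips the replacement and, once the quotes are stripped, keeps those spaces inside the value because the trailing Trim only touches the ends. That assumption deserves to be stated next to the call, e.g. `// bootconfig renders list values as "a", "b"; collapse that exact separator before stripping the quotes so fn() receives a,b`. The `if (pieces.size() == 2)` guard above it is unchanged here but still silently drops any entry whose value itself contains '='. ImportBootconfig starts before the hunk and its signature is cut off in the hunk header.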
@@ -118,7 +119,6 @@ cc_binary {
 "libtrusty",
 ],
 required: [
- "RemoteProvisioner",
 "android.hardware.hardware_keystore.xml",
 ],
 }
diff --git a/trusty/keymaster/TrustyKeymaster.cpp b/trusty/keymaster/TrustyKeymaster.cpp
index ef5fc3fc2..aee33331a 100644
--- a/trusty/keymaster/TrustyKeymaster.cpp
+++ b/trusty/keymaster/TrustyKeymaster.cpp
@@ -158,6 +158,16 @@ void TrustyKeymaster::GenerateKey(const GenerateKeyRequest& request,
 }
 }
+void TrustyKeymaster::GenerateRkpKey(const GenerateRkpKeyRequest& request,
+ GenerateRkpKeyResponse* response) {
+ ForwardCommand(KM_GENERATE_RKP_KEY, request, response);
+}
+
+void TrustyKeymaster::GenerateCsr(const GenerateCsrRequest& request,
+ GenerateCsrResponse* response) {
+ ForwardCommand(KM_GENERATE_CSR, request, response);
+}
+
 void TrustyKeymaster::GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response) {
 ForwardCommand(KM_GET_KEY_CHARACTERISTICS, request, response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
index 45ebf7fda..35eda459c 100644
--- a/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyKeymaster.h
@@ -42,6 +42,8 @@ class TrustyKeymaster {
 void AddRngEntropy(const AddEntropyRequest& request, AddEntropyResponse* response);
 void Configure(const ConfigureRequest& request, ConfigureResponse* response);
 void GenerateKey(const GenerateKeyRequest& request, GenerateKeyResponse* response);
+ void GenerateRkpKey(const GenerateRkpKeyRequest& request, GenerateRkpKeyResponse* response);
+ void GenerateCsr(const GenerateCsrRequest& request, GenerateCsrResponse* response);
 void GetKeyCharacteristics(const GetKeyCharacteristicsRequest& request,
 GetKeyCharacteristicsResponse* response);
 void ImportKey(const ImportKeyRequest& request, ImportKeyResponse* response);
diff --git a/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
new file mode 100644
index 000000000..d544b51d5
--- /dev/null
+++ b/trusty/keymaster/include/trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h
@@ -0,0 +1,53 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <aidl/android/hardware/security/keymint/BnRemotelyProvisionedComponent.h>
+#include <aidl/android/hardware/security/keymint/RpcHardwareInfo.h>
+#include <aidl/android/hardware/security/keymint/SecurityLevel.h>
+
+#include <trusty_keymaster/TrustyKeymaster.h>
+
+namespace aidl::android::hardware::security::keymint::trusty {
+
+using ::keymaster::TrustyKeymaster;
+using ::ndk::ScopedAStatus;
+using ::std::shared_ptr;
+
+class TrustyRemotelyProvisionedComponentDevice : public BnRemotelyProvisionedComponent {
+ public:
+ explicit TrustyRemotelyProvisionedComponentDevice(shared_ptr<TrustyKeymaster> impl)
+ : impl_(std::move(impl)) {}
+ virtual ~TrustyRemotelyProvisionedComponentDevice() = default;
+
+ ScopedAStatus getHardwareInfo(RpcHardwareInfo* info) override;
+
+ ScopedAStatus generateEcdsaP256KeyPair(bool testMode, MacedPublicKey* macedPublicKey,
+ std::vector<uint8_t>* privateKeyHandle) override;
+
+ ScopedAStatus generateCertificateRequest(bool testMode,
+ const std::vector<MacedPublicKey>& keysToSign,
+ const std::vector<uint8_t>& endpointEncCertChain,
+ const std::vector<uint8_t>& challenge,
+ DeviceInfo* deviceInfo, ProtectedData* protectedData,
+ std::vector<uint8_t>* keysToSignMac) override;
+
+ private:
+ std::shared_ptr<::keymaster::TrustyKeymaster> impl_;
+};
+
+} // namespace aidl::android::hardware::security::keymint::trusty
diff --git a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
index 71f3ccf5b..17fee15f3 100644
--- a/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
+++ b/trusty/keymaster/include/trusty_keymaster/ipc/keymaster_ipc.h
@@ -56,6 +56,8 @@ enum keymaster_command : uint32_t {
 KM_GET_VERSION_2 = (28 << KEYMASTER_REQ_SHIFT),
 KM_EARLY_BOOT_ENDED = (29 << KEYMASTER_REQ_SHIFT),
 KM_DEVICE_LOCKED = (30 << KEYMASTER_REQ_SHIFT),
+ KM_GENERATE_RKP_KEY = (31 << KEYMASTER_REQ_SHIFT),
+ KM_GENERATE_CSR = (32 << KEYMASTER_REQ_SHIFT),
 // Bootloader/provisioning calls.
 KM_SET_BOOT_PARAMS = (0x1000 << KEYMASTER_REQ_SHIFT),
diff --git a/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
new file mode 100644
index 000000000..5664829d8
--- /dev/null
+++ b/trusty/keymaster/keymint/TrustyRemotelyProvisionedComponentDevice.cpp
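Review bot: The three namespace-scope using-declarations in this new header (`using ::keymaster::TrustyKeymaster;`, `using ::ndk::ScopedAStatus;`, `using ::std::shared_ptr;`) are injected into `aidl::android::hardware::security::keymint::trusty` for every translation unit that includes it, and the file is then inconsistent with itself: the constructor takes `shared_ptr<TrustyKeymaster>` while the member is declared `std::shared_ptr<::keymaster::TrustyKeymaster>`. Suggest spelling the types out in the header and keeping the aliases in the .cpp, or at least using one spelling for both the parameter and the member. The class also lacks any comment on what it is; a one-liner such as `// NDK AIDL IRemotelyProvisionedComponent implementation that forwards key-pair and CSR generation to the TrustyKeymaster it is constructed with.` would orient a reader before they open the .cpp.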
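Review bot: `KM_GENERATE_RKP_KEY` and `KM_GENERATE_CSR` extend a command enum that is the wire contract between this HAL and the secure side (note the separate 0x1000 range for the bootloader/provisioning group directly below), yet nothing on the two added lines says where the matching definitions live or which message version introduced them. A short comment, e.g. `// Remote key provisioning (RKP); presumably mirrored in the Trusty-side keymaster command table, keep in sync.`, would stop the next number from being reused for something else.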
@@ -0,0 +1,120 @@
+/*
+ * Copyright 2021, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
+
+#include <assert.h>
+#include <variant>
+
+#include <KeyMintUtils.h>
+#include <keymaster/keymaster_configuration.h>
+
+#include <trusty_keymaster/TrustyKeyMintDevice.h>
+
+namespace aidl::android::hardware::security::keymint::trusty {
+
+using keymaster::GenerateCsrRequest;
+using keymaster::GenerateCsrResponse;
+using keymaster::GenerateRkpKeyRequest;
+using keymaster::GenerateRkpKeyResponse;
+using keymaster::KeymasterBlob;
+using ::std::string;
+using ::std::unique_ptr;
+using ::std::vector;
+using bytevec = ::std::vector<uint8_t>;
+
+namespace {
+
+constexpr auto STATUS_FAILED = IRemotelyProvisionedComponent::STATUS_FAILED;
+
+struct AStatusDeleter {
+ void operator()(AStatus* p) { AStatus_delete(p); }
+};
+
+class Status {
+ public:
+ Status() : status_(AStatus_newOk()) {}
+ Status(int32_t errCode, const std::string& errMsg)
+ : status_(AStatus_fromServiceSpecificErrorWithMessage(errCode, errMsg.c_str())) {}
+ explicit Status(const std::string& errMsg)
+ : status_(AStatus_fromServiceSpecificErrorWithMessage(STATUS_FAILED, errMsg.c_str())) {}
+ explicit Status(AStatus* status) : status_(status ? status : AStatus_newOk()) {}
+
+ Status(Status&&) = default;
+ Status(const Status&) = delete;
+
+ operator ::ndk::ScopedAStatus() && { // NOLINT(google-explicit-constructor)
+ return ndk::ScopedAStatus(status_.release());
+ }
+
+ bool isOk() const { return AStatus_isOk(status_.get()); }
+
+ const char* getMessage() const { return AStatus_getMessage(status_.get()); }
+
+ private:
+ std::unique_ptr<AStatus, AStatusDeleter> status_;
+};
+
+} // namespace
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::getHardwareInfo(RpcHardwareInfo* info) {
+ info->versionNumber = 1;
+ info->rpcAuthorName = "Google";
+ info->supportedEekCurve = RpcHardwareInfo::CURVE_25519;
+ return ScopedAStatus::ok();
+}
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateEcdsaP256KeyPair(
+ bool testMode, MacedPublicKey* macedPublicKey, bytevec* privateKeyHandle) {
+ GenerateRkpKeyRequest request(impl_->message_version());
+ request.test_mode = testMode;
+ GenerateRkpKeyResponse response(impl_->message_version());
+ impl_->GenerateRkpKey(request, &response);
+ if (response.error != KM_ERROR_OK) {
+ return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
+ }
+
+ macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
+ *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
+ return ScopedAStatus::ok();
+}
+
+ScopedAStatus TrustyRemotelyProvisionedComponentDevice::generateCertificateRequest(
+ bool testMode, const vector<MacedPublicKey>& keysToSign,
+ const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
+ ProtectedData* protectedData, bytevec* keysToSignMac) {
+ GenerateCsrRequest request(impl_->message_version());
+ request.test_mode = testMode;
+ request.num_keys = keysToSign.size();
+ request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
+ for (size_t i = 0; i < keysToSign.size(); i++) {
+ request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
+ }
+ request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
+ request.SetChallenge(challenge.data(), challenge.size());
+ GenerateCsrResponse response(impl_->message_version());
+ impl_->GenerateCsr(request, &response);
+
+ if (response.error != KM_ERROR_OK) {
+ return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
+ }
+ deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
+ protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
+ *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
+ return ScopedAStatus::ok();
+}
+
+} // namespace aidl::android::hardware::security::keymint::trusty
diff --git a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
index 0ab3d64cf..7ca50507d 100644
--- a/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
+++ b/trusty/keymaster/keymint/android.hardware.security.keymint-service.trusty.xml
@@ -11,4 +11,8 @@
 <name>android.hardware.security.sharedsecret</name>
 <fqname>ISharedSecret/default</fqname>
 </hal>
+ <hal format="aidl">
+ <name>android.hardware.security.keymint</name>
+ <fqname>IRemotelyProvisionedComponent/default</fqname>
+ </hal>
 </manifest>
diff --git a/trusty/keymaster/keymint/service.cpp b/trusty/keymaster/keymint/service.cpp
index 8f5f0f815..4060278d4 100644
--- a/trusty/keymaster/keymint/service.cpp
+++ b/trusty/keymaster/keymint/service.cpp
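Review bot: Both early returns encode the failure as `-static_cast<int32_t>(response.error)`, which only makes sense if the secure side reports RKP statuses as negated `IRemotelyProvisionedComponent::STATUS_*` values; ordinary keymaster_error_t codes are negative too, so a plain keymaster failure (KM_ERROR_UNSUPPORTED_PURPOSE is -2, as far as I recall) would reach the client as the same positive 2 that means STATUS_INVALID_MAC. That convention should be stated where the sign is flipped, e.g. `// Trusty returns RKP STATUS_* codes negated into keymaster_error_t; flip the sign back (other keymaster errors land in the same positive range)`, and confirmed against the secure-side code. In generateCertificateRequest, `request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];` hands a raw owning array to a local request object; whether GenerateCsrRequest's destructor deletes it is not visible here, so a comment naming the owner would pin that down. Lastly, `<assert.h>`, `<variant>`, `<trusty_keymaster/TrustyKeyMintDevice.h>`, `using ::std::string;` and `using ::std::unique_ptr;` have no uses in the file as added and can go.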
@@ -20,10 +20,12 @@
 #include <android/binder_process.h>
 #include <trusty_keymaster/TrustyKeyMintDevice.h>
+#include <trusty_keymaster/TrustyRemotelyProvisionedComponentDevice.h>
 #include <trusty_keymaster/TrustySecureClock.h>
 #include <trusty_keymaster/TrustySharedSecret.h>
 using aidl::android::hardware::security::keymint::trusty::TrustyKeyMintDevice;
+using aidl::android::hardware::security::keymint::trusty::TrustyRemotelyProvisionedComponentDevice;
 using aidl::android::hardware::security::secureclock::trusty::TrustySecureClock;
 using aidl::android::hardware::security::sharedsecret::trusty::TrustySharedSecret;
@@ -52,7 +54,8 @@ int main() {
 auto keyMint = addService<TrustyKeyMintDevice>(trustyKeymaster);
 auto secureClock = addService<TrustySecureClock>(trustyKeymaster);
 auto sharedSecret = addService<TrustySharedSecret>(trustyKeymaster);
-
+ auto remotelyProvisionedComponent =
+ addService<TrustyRemotelyProvisionedComponentDevice>(trustyKeymaster);
 ABinderProcess_joinThreadPool();
 return EXIT_FAILURE; // should not reach
 }
|