tequilaOS/platform_hardware_interfaces
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "insecure keymint: in-process initialization ordering" into main am: 75b081dad1

Browse source 
Original change: https://android-review.googlesource.com/c/platform/hardware/interfaces/+/3077417

Change-Id: Ia35ff3883a1890cb58482b0f62dea99a308399b7
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
This commit is contained in:
Treehugger Robot 2024-05-08 18:31:35 +00:00 committed by Automerger Merge Worker
commit 67a1607700
1 changed files with 29 additions and 31 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

60
security/keymint/aidl/default/main.rs
View file

@ -74,6 +74,35 @@ fn inner_main() -> Result<(), HalServiceError> {
// Create a TA in-process, which acts as a local channel for communication.
let channel = Arc::new(Mutex::new(LocalTa::new()));
// Let the TA know information about the boot environment. In a real device this
// is communicated directly from the bootloader to the TA, but here we retrieve
// the information from system properties and send from the HAL service.
let boot_req = get_boot_info();
debug!("boot/HAL->TA: boot info is {:?}", boot_req);
kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
.map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
// Let the TA know information about the userspace environment.
if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
error!("Failed to send HAL info: {:?}", e);
}
// Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
// the TA.)
let attest_ids = attestation_id_info();
if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
error!("Failed to send attestation ID info: {:?}", e);
}
let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
HalServiceError(format!(
"Failed to register service {} because of {:?}.",
service_name, e
))
})?;
let km_service = kmr_hal::keymint::Device::new_as_binder(channel.clone());
let service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, km_service.as_binder()).map_err(|e| {
@ -101,37 +130,6 @@ fn inner_main() -> Result<(), HalServiceError> {
))
})?;
let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
HalServiceError(format!(
"Failed to register service {} because of {:?}.",
service_name, e
))
})?;
info!("Successfully registered KeyMint HAL services.");
// Let the TA know information about the boot environment. In a real device this
// is communicated directly from the bootloader to the TA, but here we retrieve
// the information from system properties and send from the HAL service.
let boot_req = get_boot_info();
debug!("boot/HAL->TA: boot info is {:?}", boot_req);
kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
.map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
// Let the TA know information about the userspace environment.
if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
error!("Failed to send HAL info: {:?}", e);
}
// Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
// the TA.)
let attest_ids = attestation_id_info();
if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
error!("Failed to send attestation ID info: {:?}", e);
}
info!("Successfully registered KeyMint HAL services.");
binder::ProcessState::join_thread_pool();
info!("KeyMint HAL service is terminating."); // should not reach here