diff --git a/authsecret/aidl/Android.bp b/authsecret/aidl/Android.bp new file mode 100644 index 0000000000..0a05034762 --- /dev/null +++ b/authsecret/aidl/Android.bp @@ -0,0 +1,16 @@ +aidl_interface { + name: "android.hardware.authsecret", + vendor_available: true, + srcs: ["android/hardware/authsecret/*.aidl"], + stability: "vintf", + backend: { + java: { + platform_apis: true, + }, + ndk: { + vndk: { + enabled: true, + }, + }, + }, +} diff --git a/authsecret/aidl/aidl_api/android.hardware.authsecret/current/android/hardware/authsecret/IAuthSecret.aidl b/authsecret/aidl/aidl_api/android.hardware.authsecret/current/android/hardware/authsecret/IAuthSecret.aidl new file mode 100644 index 0000000000..14e83257a6 --- /dev/null +++ b/authsecret/aidl/aidl_api/android.hardware.authsecret/current/android/hardware/authsecret/IAuthSecret.aidl @@ -0,0 +1,23 @@ +/////////////////////////////////////////////////////////////////////////////// +// THIS FILE IS IMMUTABLE. DO NOT EDIT IN ANY CASE. // +/////////////////////////////////////////////////////////////////////////////// + +// This file is a snapshot of an AIDL file. Do not edit it manually. There are +// two cases: +// 1). this is a frozen version file - do not edit this in any case. +// 2). this is a 'current' file. If you make a backwards compatible change to +// the interface (from the latest frozen version), the build system will +// prompt you to update this file with `m -update-api`. +// +// You must not make a backward incompatible change to any AIDL file built +// with the aidl_interface module type with versions property set. The module +// type is used to build AIDL files in a way that they can be used across +// independently updatable components of the system. If a device is shipped +// with such a backward incompatible change, it has a high risk of breaking +// later when a module using the interface is updated, e.g., Mainline modules. + +package android.hardware.authsecret; +@VintfStability +interface IAuthSecret { + oneway void setPrimaryUserCredential(in byte[] secret); +} diff --git a/authsecret/aidl/android/hardware/authsecret/IAuthSecret.aidl b/authsecret/aidl/android/hardware/authsecret/IAuthSecret.aidl new file mode 100644 index 0000000000..3849ec0d7c --- /dev/null +++ b/authsecret/aidl/android/hardware/authsecret/IAuthSecret.aidl @@ -0,0 +1,47 @@ +/* + * Copyright 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package android.hardware.authsecret; + +/** + * This security HAL allows vendor components to be cryptographically tied to + * the primary user's credential. For example, security hardware can require + * proof that the credential is known before applying updates. + * + */ +@VintfStability +interface IAuthSecret { + /** + * When the primary user is unlocked, this method is passed a secret to + * prove that is has been successfully unlocked. The primary user can either + * be unlocked by a person entering their credential or by another party + * using an escrow token e.g. a device administrator. + * + * The first time this is called, the secret must be used to provision state + * that depends on the primary user's secret. The same secret must be passed + * on each call until the next factory reset. + * + * Upon factory reset, any dependence on the secret must be removed as that + * secret is now lost and must never be derived again. A new secret must be + * created for the new primary user which must be used to newly provision + * state the first time this method is called after factory reset. + * + * The secret must be at least 16 bytes, or the secret must be dropped. + * + * @param secret blob derived from the primary user's credential. + */ + oneway void setPrimaryUserCredential(in byte[] secret); +} diff --git a/authsecret/aidl/default/Android.bp b/authsecret/aidl/default/Android.bp new file mode 100644 index 0000000000..d5983442f5 --- /dev/null +++ b/authsecret/aidl/default/Android.bp @@ -0,0 +1,32 @@ +// +// Copyright (C) 2020 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +cc_binary { + name: "android.hardware.authsecret-service.example", + relative_install_path: "hw", + init_rc: ["android.hardware.authsecret-service.example.rc"], + vintf_fragments: ["android.hardware.authsecret-service.example.xml"], + vendor: true, + srcs: [ + "service.cpp", + "AuthSecret.cpp", + ], + shared_libs: [ + "android.hardware.authsecret-ndk_platform", + "libbase", + "libbinder_ndk", + ], +} diff --git a/authsecret/aidl/default/AuthSecret.cpp b/authsecret/aidl/default/AuthSecret.cpp new file mode 100644 index 0000000000..9645e4d924 --- /dev/null +++ b/authsecret/aidl/default/AuthSecret.cpp @@ -0,0 +1,33 @@ +/* + * Copyright (C) 2018 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "AuthSecret.h" + +namespace aidl { +namespace android { +namespace hardware { +namespace authsecret { + +// Methods from ::android::hardware::authsecret::IAuthSecret follow. +::ndk::ScopedAStatus AuthSecret::setPrimaryUserCredential(const std::vector& in_secret) { + (void)in_secret; + return ::ndk::ScopedAStatus::ok(); +} + +} // namespace authsecret +} // namespace hardware +} // namespace android +} // aidl diff --git a/authsecret/aidl/default/AuthSecret.h b/authsecret/aidl/default/AuthSecret.h new file mode 100644 index 0000000000..b40fc48e92 --- /dev/null +++ b/authsecret/aidl/default/AuthSecret.h @@ -0,0 +1,37 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#pragma once + +#include + +namespace aidl { +namespace android { +namespace hardware { +namespace authsecret { + +struct AuthSecret : public BnAuthSecret { + AuthSecret() = default; + + // Methods from ::android::hardware::authsecret::IAuthSecret follow. + ::ndk::ScopedAStatus setPrimaryUserCredential(const std::vector& in_secret) override; + +}; + +} // namespace authsecret +} // namespace hardware +} // namespace android +} // aidl diff --git a/authsecret/aidl/default/android.hardware.authsecret-service.example.rc b/authsecret/aidl/default/android.hardware.authsecret-service.example.rc new file mode 100644 index 0000000000..fef6e2401e --- /dev/null +++ b/authsecret/aidl/default/android.hardware.authsecret-service.example.rc @@ -0,0 +1,4 @@ +service vendor.authsecret_default /vendor/bin/hw/android.hardware.authsecret-service.example + class hal + user hsm + group hsm diff --git a/authsecret/aidl/default/android.hardware.authsecret-service.example.xml b/authsecret/aidl/default/android.hardware.authsecret-service.example.xml new file mode 100644 index 0000000000..9d4e1622cf --- /dev/null +++ b/authsecret/aidl/default/android.hardware.authsecret-service.example.xml @@ -0,0 +1,10 @@ + + + android.hardware.authsecret + 1 + + IAuthSecret + default + + + diff --git a/authsecret/aidl/default/service.cpp b/authsecret/aidl/default/service.cpp new file mode 100644 index 0000000000..efecf10f55 --- /dev/null +++ b/authsecret/aidl/default/service.cpp @@ -0,0 +1,35 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include +#include +#include + +#include "AuthSecret.h" + +using ::aidl::android::hardware::authsecret::AuthSecret; + +int main() { + ABinderProcess_setThreadPoolMaxThreadCount(0); + std::shared_ptr authsecret = ndk::SharedRefBase::make(); + + const std::string instance = std::string() + AuthSecret::descriptor + "/default"; + binder_status_t status = AServiceManager_addService(authsecret->asBinder().get(), instance.c_str()); + CHECK(status == STATUS_OK); + + ABinderProcess_joinThreadPool(); + return -1; // Should never be reached +} diff --git a/authsecret/aidl/vts/Android.bp b/authsecret/aidl/vts/Android.bp new file mode 100644 index 0000000000..83a85b26ce --- /dev/null +++ b/authsecret/aidl/vts/Android.bp @@ -0,0 +1,31 @@ +// +// Copyright (C) 2018 The Android Open Source Project +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +// + +cc_test { + name: "VtsHalAuthSecretTargetTest", + defaults: [ + "VtsHalTargetTestDefaults", + "use_libaidlvintf_gtest_helper_static", + ], + srcs: ["VtsHalAuthSecretTargetTest.cpp"], + static_libs: ["android.hardware.authsecret-ndk_platform"], + shared_libs: ["libbinder_ndk"], + test_suites: [ + "general-tests", + "vts", + ], + require_root: true, +} diff --git a/authsecret/aidl/vts/VtsHalAuthSecretTargetTest.cpp b/authsecret/aidl/vts/VtsHalAuthSecretTargetTest.cpp new file mode 100644 index 0000000000..31c28346b5 --- /dev/null +++ b/authsecret/aidl/vts/VtsHalAuthSecretTargetTest.cpp @@ -0,0 +1,96 @@ +/* + * Copyright (C) 2020 The Android Open Source Project + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +#include +#include + +#include +#include +#include + +using ::aidl::android::hardware::authsecret::IAuthSecret; + +using ::ndk::SpAIBinder; + +/** + * There is no expected behaviour that can be tested so these tests check the + * HAL doesn't crash with different execution orders. + */ +class AuthSecretAidlTest : public testing::TestWithParam { + public: + virtual void SetUp() override { + authsecret = IAuthSecret::fromBinder( + SpAIBinder(AServiceManager_waitForService(GetParam().c_str()))); + ASSERT_NE(authsecret, nullptr); + + // Notify LSS to generate PIN code '1234' and corresponding secret. + (void)system("cmd lock_settings set-pin 1234"); + + // All tests must enroll the correct secret first as this cannot be changed + // without a factory reset and the order of tests could change. + authsecret->setPrimaryUserCredential(CORRECT_SECRET); + } + + static void TearDownTestSuite() { + // clean up PIN code after testing + (void)system("cmd lock_settings clear --old 1234"); + } + + std::shared_ptr authsecret; + std::vector CORRECT_SECRET{61, 93, 124, 240, 5, 0, 7, 201, 9, 129, 11, 12, 0, 14, 0, 16}; + std::vector WRONG_SECRET{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}; +}; + +/* Provision the primary user with a secret. */ +TEST_P(AuthSecretAidlTest, provisionPrimaryUserCredential) { + // Secret provisioned by SetUp() +} + +/* Provision the primary user with a secret and pass the secret again. */ +TEST_P(AuthSecretAidlTest, provisionPrimaryUserCredentialAndPassAgain) { + // Secret provisioned by SetUp() + authsecret->setPrimaryUserCredential(CORRECT_SECRET); +} + +/* Provision the primary user with a secret and pass the secret again repeatedly. */ +TEST_P(AuthSecretAidlTest, provisionPrimaryUserCredentialAndPassAgainMultipleTimes) { + // Secret provisioned by SetUp() + constexpr int N = 5; + for (int i = 0; i < N; ++i) { + authsecret->setPrimaryUserCredential(CORRECT_SECRET); + } +} + +/* Provision the primary user with a secret and then pass the wrong secret. This + * should never happen and is an framework bug if it does. As the secret is + * wrong, the HAL implementation may not be able to function correctly but it + * should fail gracefully. */ +TEST_P(AuthSecretAidlTest, provisionPrimaryUserCredentialAndWrongSecret) { + // Secret provisioned by SetUp() + authsecret->setPrimaryUserCredential(WRONG_SECRET); +} + +GTEST_ALLOW_UNINSTANTIATED_PARAMETERIZED_TEST(AuthSecretAidlTest); +INSTANTIATE_TEST_SUITE_P( + PerInstance, AuthSecretAidlTest, + testing::ValuesIn(android::getAidlHalInstanceNames(IAuthSecret::descriptor)), + android::PrintInstanceNameToString); + +int main(int argc, char** argv) { + ::testing::InitGoogleTest(&argc, argv); + ABinderProcess_setThreadPoolMaxThreadCount(1); + ABinderProcess_startThreadPool(); + return RUN_ALL_TESTS(); +} diff --git a/compatibility_matrices/compatibility_matrix.current.xml b/compatibility_matrices/compatibility_matrix.current.xml index f086a6e769..910f051750 100644 --- a/compatibility_matrices/compatibility_matrix.current.xml +++ b/compatibility_matrices/compatibility_matrix.current.xml @@ -27,6 +27,14 @@ default + + android.hardware.authsecret + 1 + + IAuthSecret + default + + android.hardware.authsecret 1.0