diff --git a/rebootescrow/aidl/default/Android.bp b/rebootescrow/aidl/default/Android.bp
index eb228ad827..c8cbf48834 100644
--- a/rebootescrow/aidl/default/Android.bp
+++ b/rebootescrow/aidl/default/Android.bp
@@ -14,6 +14,47 @@ // limitations under the License. //
+cc_library_static {
+ name: "librebootescrowdefaultimpl",
+ vendor: true,
+ shared_libs: [
+ "libbase",
+ "libbinder_ndk",
+ "vintf-rebootescrow-ndk_platform",
+ ],
+ export_include_dirs: ["include"],
+ srcs: [
+ "RebootEscrow.cpp",
+ ],
+ visibility: [
+ ":__subpackages__",
+ ],
+}
+
+cc_binary {
+ name: "android.hardware.rebootescrow-service.default",
+ init_rc: ["rebootescrow-default.rc"],
+ relative_install_path: "hw",
+ vintf_fragments: ["rebootescrow-default.xml"],
+ vendor: true,
+ srcs: [
+ "service.cpp",
+ ],
+ cflags: [
+ "-Wall",
+ "-Werror",
+ ],
+ shared_libs: [
+ "libbase",
+ "libbinder_ndk",
+ "vintf-rebootescrow-ndk_platform",
+ ],
+ static_libs: [
+ "libhadamardutils",
+ "librebootescrowdefaultimpl",
+ ],
+}
+ cc_library_static { name: "libhadamardutils", vendor_available: true,
diff --git a/rebootescrow/aidl/default/RebootEscrow.cpp b/rebootescrow/aidl/default/RebootEscrow.cpp
new file mode 100644
index 0000000000..94d09010d9
--- /dev/null
+++ b/rebootescrow/aidl/default/RebootEscrow.cpp
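Review bot: `librebootescrowdefaultimpl` compiles RebootEscrow.cpp, the code that actually handles the escrowed key, without the `cflags: ["-Wall", "-Werror"]` that `android.hardware.rebootescrow-service.default` gets a few lines below, so a warning in the implementation does not fail the build the way one in service.cpp does. The static library should carry the same flags; I would add `cflags: ["-Wall", "-Werror"],` to the `cc_library_static` block next to its `srcs`.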
@@ -0,0 +1,75 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include
+#include
+#include
+
+#include "HadamardUtils.h"
+#include "rebootescrow-impl/RebootEscrow.h"
+
+namespace aidl {
+namespace android {
+namespace hardware {
+namespace rebootescrow {
+
+using ::android::base::unique_fd;
+
+ndk::ScopedAStatus RebootEscrow::storeKey(const std::vector& kek) {
+ int rawFd = TEMP_FAILURE_RETRY(::open(REBOOT_ESCROW_DEVICE, O_WRONLY | O_NOFOLLOW | O_CLOEXEC));
+ unique_fd fd(rawFd);
+ if (fd.get() < 0) {
+ LOG(WARNING) << "Could not open reboot escrow device";
+ return ndk::ScopedAStatus(AStatus_fromExceptionCode(EX_UNSUPPORTED_OPERATION));
+ }
+
+ std::vector ukek(kek.begin(), kek.end());
+ auto encoded = hadamard::EncodeKey(ukek);
+
+ if (!::android::base::WriteFully(fd, encoded.data(), encoded.size())) {
+ LOG(WARNING) << "Could not write data fully to character device";
+ return ndk::ScopedAStatus(AStatus_fromExceptionCode(EX_UNSUPPORTED_OPERATION));
+ }
+
+ return ndk::ScopedAStatus::ok();
+}
+
+ndk::ScopedAStatus RebootEscrow::retrieveKey(std::vector* _aidl_return) {
+ int rawFd = TEMP_FAILURE_RETRY(::open(REBOOT_ESCROW_DEVICE, O_RDONLY | O_NOFOLLOW | O_CLOEXEC));
+ unique_fd fd(rawFd);
+ if (fd.get() < 0) {
+ LOG(WARNING) << "Could not open reboot escrow device";
+ return ndk::ScopedAStatus(AStatus_fromExceptionCode(EX_UNSUPPORTED_OPERATION));
+ }
+
+ std::string encodedString;
+ if (!::android::base::ReadFdToString(fd, &encodedString)) {
+ LOG(WARNING) << "Could not read device to string";
+ return ndk::ScopedAStatus(AStatus_fromExceptionCode(EX_UNSUPPORTED_OPERATION));
+ }
+
+ std::vector encodedBytes(encodedString.begin(), encodedString.end());
+ auto keyBytes = hadamard::DecodeKey(encodedBytes);
+
+ std::vector signedKeyBytes(keyBytes.begin(), keyBytes.end());
+ *_aidl_return = signedKeyBytes;
+ return ndk::ScopedAStatus::ok();
+}
+
+} // namespace rebootescrow
+} // namespace hardware
+} // namespace android
+} // namespace aidl
diff --git a/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h b/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h
new file mode 100644
index 0000000000..1ed73978d9
--- /dev/null
+++ b/rebootescrow/aidl/default/include/rebootescrow-impl/RebootEscrow.h
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include
+
+namespace aidl {
+namespace android {
+namespace hardware {
+namespace rebootescrow {
+
+static const char* REBOOT_ESCROW_DEVICE = "/dev/access-kregistry";
+
+class RebootEscrow : public BnRebootEscrow {
+ ndk::ScopedAStatus storeKey(const std::vector& kek) override;
+ ndk::ScopedAStatus retrieveKey(std::vector* _aidl_return) override;
+};
+
+} // namespace rebootescrow
+} // namespace hardware
+} // namespace android
+} // namespace aidl
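Review bot: Key material is left behind in freed memory: in storeKey the copy `ukek` and `encoded`, and in retrieveKey `encodedString`, `encodedBytes`, `keyBytes` and `signedKeyBytes`, all hold the key-encryption key or its encoding and are destroyed without being wiped. I would zero each buffer on every exit path (e.g. `explicit_bzero(ukek.data(), ukek.size());`) — a small RAII wiper around the vectors keeps that to one line per buffer — and drop the last copy in retrieveKey with `_aidl_return->assign(keyBytes.begin(), keyBytes.end());`. retrieveKey also hands whatever length ReadFdToString produced straight to hadamard::DecodeKey; if DecodeKey expects a fixed encoded size (HadamardUtils.h is not in this diff), an empty or truncated read should be rejected here with a WARNING instead of being decoded. Both failure paths in each method map to EX_UNSUPPORTED_OPERATION, so a caller cannot tell a missing device from a failed write or read; a short comment stating that this is intentional would help.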
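Review bot: `static const char* REBOOT_ESCROW_DEVICE` declares a mutable pointer to a constant string and gives every translation unit that includes the header its own copy; the intent is a compile-time constant, `constexpr char REBOOT_ESCROW_DEVICE[] = "/dev/access-kregistry";`. The class also has no documentation; a comment above `class RebootEscrow` such as `// Default IRebootEscrow implementation backed by the REBOOT_ESCROW_DEVICE character device: storeKey writes the Hadamard-encoded key to it, retrieveKey reads and decodes it.` would state the contract. The two overrides sit in the class's private default section, which works because they are reached through the base vtable, but putting them under `public:` and marking the class `final` would make the intent explicit.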
diff --git a/rebootescrow/aidl/default/rebootescrow-default.rc b/rebootescrow/aidl/default/rebootescrow-default.rc
new file mode 100644
index 0000000000..e7a9cfcb70
--- /dev/null
+++ b/rebootescrow/aidl/default/rebootescrow-default.rc
@@ -0,0 +1,9 @@
+service vendor.rebootescrow-default /vendor/bin/hw/android.hardware.rebootescrow-service.default
+ interface aidl android.hardware.rebootescrow.IRebootEscrow/default
+ class hal
+ user system
+ group system
+
+on boot
+ chmod 770 /dev/access-kregistry
+ chown system system /dev/access-kregistry
diff --git a/rebootescrow/aidl/default/rebootescrow-default.xml b/rebootescrow/aidl/default/rebootescrow-default.xml
new file mode 100644
index 0000000000..0499fccdf3
--- /dev/null
+++ b/rebootescrow/aidl/default/rebootescrow-default.xml
@@ -0,0 +1,6 @@
+
+
+ android.hardware.rebootescrow
+ IRebootEscrow/default
+
+
diff --git a/rebootescrow/aidl/default/service.cpp b/rebootescrow/aidl/default/service.cpp
new file mode 100644
index 0000000000..bd2378e513
--- /dev/null
+++ b/rebootescrow/aidl/default/service.cpp
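Review bot: `chmod 770 /dev/access-kregistry` sets the execute bit on a character device node, which grants nothing useful; the service runs as `user system`/`group system` and only opens the node for reading and writing, so `chmod 0660 /dev/access-kregistry` gives the same access with the conventional device-node mode. Device-node ownership and mode are normally set from a ueventd.rc entry so they apply when the node is created rather than in an `on boot` action; if the HAL can be called before these two lines run, its open() would fail until then, though that depends on init ordering not visible in this diff.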
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.1 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.1
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "rebootescrow-impl/RebootEscrow.h"
+
+#include
+#include
+#include
+
+using aidl::android::hardware::rebootescrow::RebootEscrow;
+
+int main() {
+ ABinderProcess_setThreadPoolMaxThreadCount(0);
+
+ auto re = ndk::SharedRefBase::make();
+ const std::string instance = std::string() + RebootEscrow::descriptor + "/default";
+ binder_status_t status = AServiceManager_addService(re->asBinder().get(), instance.c_str());
+ CHECK(status == STATUS_OK);
+
+ ABinderProcess_joinThreadPool();
+ return EXIT_FAILURE;
+}
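Review bot: The license header of this file reads `Apache License, Version 2.1` and `http://www.apache.org/licenses/LICENSE-2.1`, a version that does not exist; the other files in this commit use 2.0 and these two lines should say `Version 2.0` and `LICENSE-2.0`. `CHECK(status == STATUS_OK)` aborts the process if registration fails, and the `return EXIT_FAILURE` is only reached if `ABinderProcess_joinThreadPool()` returns; a one-line comment on each, e.g. `// joinThreadPool() does not return in normal operation.`, would make that intent clear to readers.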