The keymaster service is required by vold which starts very early
during boot up. This leads to the dependency loop:
init->installkey->vdc->vold->keymaster-service->init
This patch resolves this issue by adding service keymaster to the class
early-hal which will get started right after hwservicemanager on devices
that get treble.
Bug: 35764921
Test: Device boots. And lshal shows that service keymaster has two
clients, keystore and vold.
Change-Id: Id0b6722de900b5513d46adb81d76b02fa6e155df

The tests added verify that a generated key is no longer usable
after it was
- explicitly deleted with deleteKey, or
- all keys were deleted with deleteAllKeys.
Bug: 32022681
Test: make vts -j30 BUILD_GOOGLE_VTS=true TARGET_PRODUCT=aosp_arm64 &&
vts-tradefed run commandAndExit vts --skip-all-system-status-check
--primary-abi-only --skip-preconditions
--module VtsHalKeymasterV3_0TargetTest -l INFO
Change-Id: I172ee5d3ccf1850c3c92d3a1a9e991f46b07a0e3

Note: Recent Google devices have keymaster implementations that don't
pass this test suite. See https://goo.gl/6hsGwa for a summary.
Bug: 32022681
Test: This is the test suite.
Change-Id: Ib200b68e0c7844df02eb9f086385d6c36e306d45

Auth tokens have an unfortunate dual character. To most of the system
they are opaque blobs that are intended only to be obtained from one
HAL (e.g. gatekeeper or fingerprint) and passed to another
HAL (keymaster), but keystore actually needs to extract some bits of
information from them in order to determine which of the available blobs
should be provided for a given keymaster key operation.
This CL adds a method that resolves this dual nature by moving the
responsibility of parsing blobs to the HAL so that no component of the
framework has to make any assumptions about their content and all can
treat them as fully opaque. This still means that the various HAL
implementers have to agree on content, but they also have to agree on an
HMAC key which must be securely distributed to all at every boot, so
asking them to agree on an auth token format is perfectly
acceptable. But now the Android system doesn't have to care about the
format.
Bug: 32962548
Test: CTS tests pass, plus manual testing.
Change-Id: I78aa6e4ea9c5d8f34906b0969909387e2c5894e6

This is needed to support the keystore statistics gathering initiative.
It will allow us to get information about what kinds of keymaster
implementations exist in the ecosystem, and which ones fail in which
ways.
Bug: 36549319
Test: Will add to VTS tests
Change-Id: I49ee4623656060d69a6de7723b11cd715150451a

delete_key is optional and may not be implemented by
a legacy hal. So the function pointer must be checked for
nullptr prior to being used.
Bug: 36500704
Test: run VTS tests with legacy hal that does not implement delete_key
Change-Id: Ie51dd173314826ef260319153c7df96d88b8a42f

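The guard described in the commit above, as an added illustration that is not the project's own code: a legacy keymaster device struct carries `delete_key` and `delete_all_keys` as function pointers that an older HAL may leave null, so a wrapper has to check each pointer before calling through it and report UNIMPLEMENTED instead of crashing the service. The enum and device struct below are constructed stand-ins whose names mirror the keymaster headers (they are not the real Android types), and the in-memory `KeyStore` backing the example device is invented for the example; the final check also shows the property the test commit above verifies, that a key is no longer usable once deleted.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <vector>

// Error codes. The names mirror keymaster_defs.h, but this enum and the
// device struct below are constructed stand-ins for the example, not the
// real Android headers.
enum keymaster_error_t {
    KM_ERROR_OK = 0,
    KM_ERROR_INVALID_KEY_BLOB = -33,
    KM_ERROR_UNIMPLEMENTED = -100,
};

struct keymaster_key_blob_t {
    const uint8_t* key_material;
    size_t key_material_size;
};

// Example backing store: key id -> key material (constructed for the example).
using KeyStore = std::map<std::string, std::vector<uint8_t>>;

// Stand-in for a legacy keymaster device. As in the real keymaster1/2
// device structs, delete_key and delete_all_keys are optional entry
// points that a legacy HAL may leave as nullptr.
struct legacy_keymaster_device {
    keymaster_error_t (*delete_key)(legacy_keymaster_device*, const keymaster_key_blob_t*);
    keymaster_error_t (*delete_all_keys)(legacy_keymaster_device*);
    KeyStore* keys;  // backing store of the example device
};

// The wrapper the HIDL service would expose: check the optional function
// pointer before calling through it and report UNIMPLEMENTED otherwise,
// instead of dereferencing a null pointer and taking the service down.
keymaster_error_t wrappedDeleteKey(legacy_keymaster_device* dev,
                                   const keymaster_key_blob_t* blob) {
    if (dev->delete_key == nullptr) return KM_ERROR_UNIMPLEMENTED;
    return dev->delete_key(dev, blob);
}

keymaster_error_t wrappedDeleteAllKeys(legacy_keymaster_device* dev) {
    if (dev->delete_all_keys == nullptr) return KM_ERROR_UNIMPLEMENTED;
    return dev->delete_all_keys(dev);
}

// Example entry points for a legacy HAL that does implement deletion.
// The key blob bytes are used directly as the lookup id in the example store.
keymaster_error_t exampleDeleteKey(legacy_keymaster_device* dev,
                                   const keymaster_key_blob_t* blob) {
    std::string id(reinterpret_cast<const char*>(blob->key_material),
                   blob->key_material_size);
    return dev->keys->erase(id) == 1 ? KM_ERROR_OK : KM_ERROR_INVALID_KEY_BLOB;
}

keymaster_error_t exampleDeleteAllKeys(legacy_keymaster_device* dev) {
    dev->keys->clear();
    return KM_ERROR_OK;
}

// Build a device that either implements deletion or leaves both pointers
// null, as a legacy HAL predating delete_key would.
legacy_keymaster_device makeDevice(KeyStore* keys, bool implementsDelete) {
    legacy_keymaster_device dev{};
    dev.keys = keys;
    if (implementsDelete) {
        dev.delete_key = exampleDeleteKey;
        dev.delete_all_keys = exampleDeleteAllKeys;
    }
    return dev;
}

// "Is the key still usable?" for the example store: after a successful
// deletion the blob must no longer resolve to key material.
bool keyUsable(const KeyStore& keys, const std::string& id) {
    return keys.count(id) == 1;
}
```

With the null pointers in place the wrapper returns UNIMPLEMENTED and leaves the store untouched; with the pointers populated the same wrapper deletes the key, a second delete of the same blob fails with INVALID_KEY_BLOB, and `deleteAllKeys` empties the store.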
Discussions have shown that in addition to brand, device and product,
we should also allow devices to attest their manufacturer and model.
Bug: 36433192
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest
Change-Id: I5a9fd839497976cdb1e44cbe4a2d5b7730732b4c

The getService() and registerAsService() methods of interface objects
now have default parameters of "default" for the service name. HALs
will not have to use any service name unless they want to register
more than one service.
Test: marlin boots
Bug: 33844934
Change-Id: I6533e4fe0e63e2d0b0158148f5e438bb4b6b5886

KeyStore.generateKey() takes an entropy parameter. This is optional
and can be null. That is how KeyStore used to work but a recent
refactor made us always feed the entropy to keymaster, even if it
is empty (null or byte[0] on the Java side). This CL makes us ignore
such empty entropy again.
We only noticed this because a recently added GTS test that happens
to set the entropy to null is failing on some hardware (other
keymaster implementations silently ignore this invalid attempt to
set entropy).
Bug: 35156555
Test: gts-tradefed run gts --module GtsGmscoreHostTestCases
--test com.google.android.gts.security.DeviceIdAttestationHostTest
Change-Id: Iadaf40e69350c17dd18e4dc2a1dab97fa911e1bf

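The behaviour change in the commit above, as an added example that is not keystore's or the HAL's own code: the before and after handling of an empty entropy argument, run against a model of a keymaster implementation that rejects zero-length entropy the way the failing hardware did. `StrictKeymaster`, its `add_rng_entropy` method and the error enum are constructed for the example (the names mirror keymaster_defs.h, the values are not taken from the real header); the two `feedEntropy*` functions stand in for the keystore-side code path and are not its real function names.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Constructed stand-in for the keymaster add_rng_entropy entry point and
// its error codes; names mirror keymaster_defs.h but this is not the real
// header.
enum keymaster_error_t { KM_ERROR_OK = 0, KM_ERROR_INVALID_INPUT_LENGTH = -21 };

// Models a keymaster implementation that, like the hardware that failed
// the GTS test, rejects a zero-length entropy input. Other implementations
// silently accept it, which is why the bug went unnoticed. The counter
// records how often the HAL was actually called.
struct StrictKeymaster {
    int addEntropyCalls = 0;

    keymaster_error_t add_rng_entropy(const uint8_t* data, size_t len) {
        ++addEntropyCalls;
        if (data == nullptr || len == 0) return KM_ERROR_INVALID_INPUT_LENGTH;
        // A real HAL would mix `data` into its RNG state here.
        return KM_ERROR_OK;
    }
};

// Keystore side before the fix: the caller's entropy (possibly null or
// byte[0] on the Java side, i.e. an empty vector here) is always forwarded
// to the HAL, so a strict HAL fails the whole generateKey call.
keymaster_error_t feedEntropyAlways(StrictKeymaster& km,
                                    const std::vector<uint8_t>& entropy) {
    return km.add_rng_entropy(entropy.data(), entropy.size());
}

// After the fix: empty entropy means "no entropy supplied", the HAL is not
// called at all, and key generation proceeds regardless of how the HAL
// treats empty input.
keymaster_error_t feedEntropyIfPresent(StrictKeymaster& km,
                                       const std::vector<uint8_t>& entropy) {
    if (entropy.empty()) return KM_ERROR_OK;
    return km.add_rng_entropy(entropy.data(), entropy.size());
}
```

Non-empty entropy takes the same path in both versions; only the empty case differs, and the call counter shows that the fixed path never reaches the HAL for it.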
We need google shims on the vendor partition because they are providing
an implementation of a vendor defined interface. They were written by
google just as a courtesy/to make the transition easier. They're
basically a set for vendors to assemble their hal implementations
from.
Bug: 34135607
Test: marlin persist.hal.binderization on/off
Change-Id: I2e2af5af39264cf290259755bb9b2eb9827a21f5

This adds device id attestation to the Keymaster 3.0 HAL. Device
id attestation must only be offered if the device can permanently
destroy device ids on request. The default implementation cannot
do this because it lacks storage that would survive device wipes.
Hence, the implementation refuses all device id attestation requests.
Bug: 34597337
Test: CTS CtsKeystoreTestCases and GTS DeviceIdAttestationHostTest
Change-Id: I6ff6146fad4656b8e1367650de922124b3d7f7b2

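The refusal rule from the commit above, together with the extended tag set from the earlier manufacturer/model commit, as an added example that is not the default implementation's own code: an attestation request is scanned for device ID tags, and an implementation that cannot permanently destroy those IDs refuses the whole request rather than attesting to them. The tag and error names mirror the Keymaster 3.0 HAL, but the enums, their values, the `KeyParameter` shape and the `canDestroyIds` flag are constructed for this example.

```cpp
#include <vector>

// Names mirror the Keymaster 3.0 HAL tags and error codes; the enums and
// the parameter representation are constructed for this example and the
// values are not the HAL's numeric ones.
enum class Tag {
    ATTESTATION_CHALLENGE,
    ATTESTATION_APPLICATION_ID,
    ATTESTATION_ID_BRAND,
    ATTESTATION_ID_DEVICE,
    ATTESTATION_ID_PRODUCT,
    ATTESTATION_ID_SERIAL,
    ATTESTATION_ID_IMEI,
    ATTESTATION_ID_MEID,
    ATTESTATION_ID_MANUFACTURER,  // added by the later commit
    ATTESTATION_ID_MODEL,         // added by the later commit
};

enum class ErrorCode { OK, CANNOT_ATTEST_IDS };

struct KeyParameter {
    Tag tag;
    std::vector<unsigned char> blob;  // attested value, opaque here
};

// Every tag whose presence turns an ordinary attestation into a device ID
// attestation. Keeping the list in one place means a new ID tag cannot be
// forgotten by the policy check.
bool isDeviceIdTag(Tag t) {
    switch (t) {
        case Tag::ATTESTATION_ID_BRAND:
        case Tag::ATTESTATION_ID_DEVICE:
        case Tag::ATTESTATION_ID_PRODUCT:
        case Tag::ATTESTATION_ID_SERIAL:
        case Tag::ATTESTATION_ID_IMEI:
        case Tag::ATTESTATION_ID_MEID:
        case Tag::ATTESTATION_ID_MANUFACTURER:
        case Tag::ATTESTATION_ID_MODEL:
            return true;
        default:
            return false;
    }
}

int countDeviceIdTags(const std::vector<KeyParameter>& params) {
    int n = 0;
    for (const auto& p : params) n += isDeviceIdTag(p.tag) ? 1 : 0;
    return n;
}

// Policy check run before any attestation certificate is built. Device ID
// attestation may only be offered when the implementation can permanently
// destroy the IDs on request (canDestroyIds, an assumed capability flag);
// if it cannot, every request carrying an ID tag is refused up front.
ErrorCode checkAttestParams(const std::vector<KeyParameter>& params,
                            bool canDestroyIds) {
    if (!canDestroyIds && countDeviceIdTags(params) > 0) {
        return ErrorCode::CANNOT_ATTEST_IDS;
    }
    return ErrorCode::OK;
}

// The default implementation has no storage that survives a device wipe,
// so it can never destroy IDs and always passes false.
ErrorCode defaultImplAttestCheck(const std::vector<KeyParameter>& params) {
    return checkAttestParams(params, /*canDestroyIds=*/false);
}
```

A request carrying only a challenge and application id passes on every implementation; as soon as any ID tag appears, the default implementation returns CANNOT_ATTEST_IDS, while an implementation that can honour a destroy request proceeds.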
Threadpool can now be configured/joined if needed with
configureRpcThreadpool() / joinRpcThreadpool().
Bug: 31226656
Test: mma
Change-Id: I0d7d9924cc8c8851cc2b61ebdae906204909890e
The default implementation loads the device's legacy keymaster hal
and wraps it in a softkeymasterdevice if the capabilities of the
device are less than keymaster 2.
Test: builds
Bug: 32020919
Change-Id: Ia7e274673b77c2712c386d573715ed3725b0c158