Replace legacy trusty gatekeeper HAL with HIDLized version
This patch replaces the legacy libhardware based gatekeeper HAL with a true HIDL based implementation. Test: Workes with trusty gatekeeper Change-Id: I072b0c3fc74523400132aacd34e2f2cac9cf261b Merged-In: I072b0c3fc74523400132aacd34e2f2cac9cf261b
This commit is contained in:
parent
3a1eb672c5
commit
7daa66aa07
8 changed files with 197 additions and 295 deletions
|
@ -1,4 +1,3 @@
|
|||
//
|
||||
// Copyright (C) 2015 The Android Open-Source Project
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
|
@ -20,14 +19,15 @@
|
|||
// to only building on ARM if they include assembly. Individual makefiles
|
||||
// are responsible for having their own logic, for fine-grained control.
|
||||
|
||||
cc_library_shared {
|
||||
name: "gatekeeper.trusty",
|
||||
cc_binary {
|
||||
name: "android.hardware.gatekeeper@1.0-service.trusty",
|
||||
defaults: ["hidl_defaults"],
|
||||
vendor: true,
|
||||
|
||||
relative_install_path: "hw",
|
||||
init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],
|
||||
|
||||
srcs: [
|
||||
"module.cpp",
|
||||
"service.cpp",
|
||||
"trusty_gatekeeper_ipc.c",
|
||||
"trusty_gatekeeper.cpp",
|
||||
],
|
||||
|
@ -39,10 +39,16 @@ cc_library_shared {
|
|||
],
|
||||
|
||||
shared_libs: [
|
||||
"android.hardware.gatekeeper@1.0",
|
||||
"libbase",
|
||||
"libhidlbase",
|
||||
"libhidltransport",
|
||||
"libgatekeeper",
|
||||
"libutils",
|
||||
"liblog",
|
||||
"libcutils",
|
||||
"libtrusty",
|
||||
],
|
||||
header_libs: ["libhardware_headers"],
|
||||
|
||||
vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],
|
||||
}
|
||||
|
|
|
@ -0,0 +1,4 @@
|
|||
service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty
|
||||
class hal
|
||||
user system
|
||||
group system
|
|
@ -0,0 +1,11 @@
|
|||
<manifest version="1.0" type="device">
|
||||
<hal format="hidl">
|
||||
<name>android.hardware.gatekeeper</name>
|
||||
<transport>hwbinder</transport>
|
||||
<version>1.0</version>
|
||||
<interface>
|
||||
<name>IGatekeeper</name>
|
||||
<instance>default</instance>
|
||||
</interface>
|
||||
</hal>
|
||||
</manifest>
|
|
@ -1,57 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2015 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <hardware/hardware.h>
|
||||
|
||||
#include <string.h>
|
||||
#include <errno.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "trusty_gatekeeper.h"
|
||||
|
||||
using gatekeeper::TrustyGateKeeperDevice;
|
||||
|
||||
static int trusty_gatekeeper_open(const hw_module_t *module, const char *name,
|
||||
hw_device_t **device) {
|
||||
|
||||
if (strcmp(name, HARDWARE_GATEKEEPER) != 0) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
TrustyGateKeeperDevice *gatekeeper = new TrustyGateKeeperDevice(module);
|
||||
if (gatekeeper == NULL) return -ENOMEM;
|
||||
*device = gatekeeper->hw_device();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static struct hw_module_methods_t gatekeeper_module_methods = {
|
||||
.open = trusty_gatekeeper_open,
|
||||
};
|
||||
|
||||
struct gatekeeper_module HAL_MODULE_INFO_SYM __attribute__((visibility("default"))) = {
|
||||
.common = {
|
||||
.tag = HARDWARE_MODULE_TAG,
|
||||
.module_api_version = GATEKEEPER_MODULE_API_VERSION_0_1,
|
||||
.hal_api_version = HARDWARE_HAL_API_VERSION,
|
||||
.id = GATEKEEPER_HARDWARE_MODULE_ID,
|
||||
.name = "Trusty GateKeeper HAL",
|
||||
.author = "The Android Open Source Project",
|
||||
.methods = &gatekeeper_module_methods,
|
||||
.dso = 0,
|
||||
.reserved = {}
|
||||
},
|
||||
};
|
39
trusty/gatekeeper/service.cpp
Normal file
39
trusty/gatekeeper/service.cpp
Normal file
|
@ -0,0 +1,39 @@
|
|||
/*
|
||||
* Copyright (C) 2019 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
|
||||
|
||||
#include <hidl/LegacySupport.h>
|
||||
|
||||
#include "trusty_gatekeeper.h"
|
||||
|
||||
// Generated HIDL files
|
||||
using android::hardware::gatekeeper::V1_0::IGatekeeper;
|
||||
using gatekeeper::TrustyGateKeeperDevice;
|
||||
|
||||
int main() {
|
||||
::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
|
||||
android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());
|
||||
auto status = gatekeeper->registerAsService();
|
||||
if (status != android::OK) {
|
||||
LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
|
||||
}
|
||||
|
||||
android::hardware::joinRpcThreadpool();
|
||||
return -1; // Should never get here.
|
||||
}
|
|
@ -16,147 +16,131 @@
|
|||
|
||||
#define LOG_TAG "TrustyGateKeeper"
|
||||
|
||||
#include <assert.h>
|
||||
#include <errno.h>
|
||||
#include <stdio.h>
|
||||
|
||||
#include <type_traits>
|
||||
|
||||
#include <log/log.h>
|
||||
#include <android-base/logging.h>
|
||||
#include <limits>
|
||||
|
||||
#include "trusty_gatekeeper.h"
|
||||
#include "trusty_gatekeeper_ipc.h"
|
||||
#include "gatekeeper_ipc.h"
|
||||
|
||||
using ::android::hardware::hidl_vec;
|
||||
using ::android::hardware::Return;
|
||||
using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
|
||||
using ::gatekeeper::EnrollRequest;
|
||||
using ::gatekeeper::EnrollResponse;
|
||||
using ::gatekeeper::ERROR_INVALID;
|
||||
using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
|
||||
using ::gatekeeper::ERROR_NONE;
|
||||
using ::gatekeeper::ERROR_RETRY;
|
||||
using ::gatekeeper::SizedBuffer;
|
||||
using ::gatekeeper::VerifyRequest;
|
||||
using ::gatekeeper::VerifyResponse;
|
||||
|
||||
namespace gatekeeper {
|
||||
|
||||
const uint32_t SEND_BUF_SIZE = 8192;
|
||||
const uint32_t RECV_BUF_SIZE = 8192;
|
||||
|
||||
TrustyGateKeeperDevice::TrustyGateKeeperDevice(const hw_module_t *module) {
|
||||
#if __cplusplus >= 201103L || defined(__GXX_EXPERIMENTAL_CXX0X__)
|
||||
static_assert(std::is_standard_layout<TrustyGateKeeperDevice>::value,
|
||||
"TrustyGateKeeperDevice must be standard layout");
|
||||
static_assert(offsetof(TrustyGateKeeperDevice, device_) == 0,
|
||||
"device_ must be the first member of TrustyGateKeeperDevice");
|
||||
static_assert(offsetof(TrustyGateKeeperDevice, device_.common) == 0,
|
||||
"common must be the first member of gatekeeper_device");
|
||||
#else
|
||||
assert(reinterpret_cast<gatekeeper_device_t *>(this) == &device_);
|
||||
assert(reinterpret_cast<hw_device_t *>(this) == &(device_.common));
|
||||
#endif
|
||||
|
||||
memset(&device_, 0, sizeof(device_));
|
||||
device_.common.tag = HARDWARE_DEVICE_TAG;
|
||||
device_.common.version = 1;
|
||||
device_.common.module = const_cast<hw_module_t *>(module);
|
||||
device_.common.close = close_device;
|
||||
|
||||
device_.enroll = enroll;
|
||||
device_.verify = verify;
|
||||
device_.delete_user = nullptr;
|
||||
device_.delete_all_users = nullptr;
|
||||
constexpr const uint32_t SEND_BUF_SIZE = 8192;
|
||||
constexpr const uint32_t RECV_BUF_SIZE = 8192;
|
||||
|
||||
TrustyGateKeeperDevice::TrustyGateKeeperDevice() {
|
||||
int rc = trusty_gatekeeper_connect();
|
||||
if (rc < 0) {
|
||||
ALOGE("Error initializing trusty session: %d", rc);
|
||||
LOG(ERROR) << "Error initializing trusty session: " << rc;
|
||||
}
|
||||
|
||||
error_ = rc;
|
||||
|
||||
}
|
||||
|
||||
hw_device_t* TrustyGateKeeperDevice::hw_device() {
|
||||
return &device_.common;
|
||||
}
|
||||
|
||||
int TrustyGateKeeperDevice::close_device(hw_device_t* dev) {
|
||||
delete reinterpret_cast<TrustyGateKeeperDevice *>(dev);
|
||||
return 0;
|
||||
}
|
||||
|
||||
TrustyGateKeeperDevice::~TrustyGateKeeperDevice() {
|
||||
trusty_gatekeeper_disconnect();
|
||||
}
|
||||
|
||||
int TrustyGateKeeperDevice::Enroll(uint32_t uid, const uint8_t *current_password_handle,
|
||||
uint32_t current_password_handle_length, const uint8_t *current_password,
|
||||
uint32_t current_password_length, const uint8_t *desired_password,
|
||||
uint32_t desired_password_length, uint8_t **enrolled_password_handle,
|
||||
uint32_t *enrolled_password_handle_length) {
|
||||
|
||||
if (error_ != 0) {
|
||||
return error_;
|
||||
}
|
||||
|
||||
SizedBuffer desired_password_buffer(desired_password_length);
|
||||
memcpy(desired_password_buffer.buffer.get(), desired_password, desired_password_length);
|
||||
|
||||
SizedBuffer current_password_handle_buffer(current_password_handle_length);
|
||||
if (current_password_handle) {
|
||||
memcpy(current_password_handle_buffer.buffer.get(), current_password_handle,
|
||||
current_password_handle_length);
|
||||
}
|
||||
|
||||
SizedBuffer current_password_buffer(current_password_length);
|
||||
if (current_password) {
|
||||
memcpy(current_password_buffer.buffer.get(), current_password, current_password_length);
|
||||
}
|
||||
|
||||
EnrollRequest request(uid, ¤t_password_handle_buffer, &desired_password_buffer,
|
||||
¤t_password_buffer);
|
||||
EnrollResponse response;
|
||||
|
||||
gatekeeper_error_t error = Send(request, &response);
|
||||
|
||||
if (error == ERROR_RETRY) {
|
||||
return response.retry_timeout;
|
||||
} else if (error != ERROR_NONE) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
*enrolled_password_handle = response.enrolled_password_handle.buffer.release();
|
||||
*enrolled_password_handle_length = response.enrolled_password_handle.length;
|
||||
|
||||
|
||||
return 0;
|
||||
SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
|
||||
if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
|
||||
auto dummy = new uint8_t[vec.size()];
|
||||
std::copy(vec.begin(), vec.end(), dummy);
|
||||
return {dummy, static_cast<uint32_t>(vec.size())};
|
||||
}
|
||||
|
||||
int TrustyGateKeeperDevice::Verify(uint32_t uid, uint64_t challenge,
|
||||
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
|
||||
const uint8_t *provided_password, uint32_t provided_password_length,
|
||||
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
|
||||
Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,
|
||||
const hidl_vec<uint8_t>& currentPasswordHandle,
|
||||
const hidl_vec<uint8_t>& currentPassword,
|
||||
const hidl_vec<uint8_t>& desiredPassword,
|
||||
enroll_cb _hidl_cb) {
|
||||
if (error_ != 0) {
|
||||
return error_;
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
SizedBuffer password_handle_buffer(enrolled_password_handle_length);
|
||||
memcpy(password_handle_buffer.buffer.get(), enrolled_password_handle,
|
||||
enrolled_password_handle_length);
|
||||
SizedBuffer provided_password_buffer(provided_password_length);
|
||||
memcpy(provided_password_buffer.buffer.get(), provided_password, provided_password_length);
|
||||
if (desiredPassword.size() == 0) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
VerifyRequest request(uid, challenge, &password_handle_buffer, &provided_password_buffer);
|
||||
EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
|
||||
hidl_vec2sized_buffer(desiredPassword),
|
||||
hidl_vec2sized_buffer(currentPassword));
|
||||
EnrollResponse response;
|
||||
auto error = Send(request, &response);
|
||||
if (error != ERROR_NONE) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
} else if (response.error == ERROR_RETRY) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
|
||||
} else if (response.error != ERROR_NONE) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
} else {
|
||||
hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
|
||||
response.enrolled_password_handle.Data<uint8_t>() +
|
||||
response.enrolled_password_handle.size());
|
||||
_hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
|
||||
}
|
||||
return {};
|
||||
}
|
||||
|
||||
Return<void> TrustyGateKeeperDevice::verify(
|
||||
uint32_t uid, uint64_t challenge,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
|
||||
if (error_ != 0) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
if (enrolledPasswordHandle.size() == 0) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
|
||||
hidl_vec2sized_buffer(providedPassword));
|
||||
VerifyResponse response;
|
||||
|
||||
gatekeeper_error_t error = Send(request, &response);
|
||||
auto error = Send(request, &response);
|
||||
if (error != ERROR_NONE) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
} else if (response.error == ERROR_RETRY) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
|
||||
} else if (response.error != ERROR_NONE) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
|
||||
} else {
|
||||
hidl_vec<uint8_t> auth_token(
|
||||
response.auth_token.Data<uint8_t>(),
|
||||
response.auth_token.Data<uint8_t>() + response.auth_token.size());
|
||||
|
||||
if (error == ERROR_RETRY) {
|
||||
return response.retry_timeout;
|
||||
} else if (error != ERROR_NONE) {
|
||||
return -EINVAL;
|
||||
_hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
|
||||
: GatekeeperStatusCode::STATUS_OK,
|
||||
response.retry_timeout, auth_token});
|
||||
}
|
||||
return {};
|
||||
}
|
||||
|
||||
if (auth_token != NULL && auth_token_length != NULL) {
|
||||
*auth_token = response.auth_token.buffer.release();
|
||||
*auth_token_length = response.auth_token.length;
|
||||
}
|
||||
Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t /*uid*/, deleteUser_cb _hidl_cb) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
if (request_reenroll != NULL) {
|
||||
*request_reenroll = response.request_reenroll;
|
||||
}
|
||||
|
||||
return 0;
|
||||
Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
|
||||
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
|
||||
return {};
|
||||
}
|
||||
|
||||
gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
|
||||
|
@ -172,7 +156,7 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep
|
|||
uint32_t response_size = RECV_BUF_SIZE;
|
||||
int rc = trusty_gatekeeper_call(command, send_buf, request_size, recv_buf, &response_size);
|
||||
if (rc < 0) {
|
||||
ALOGE("error (%d) calling gatekeeper TA", rc);
|
||||
LOG(ERROR) << "error (" << rc << ") calling gatekeeper TA";
|
||||
return ERROR_INVALID;
|
||||
}
|
||||
|
||||
|
@ -182,51 +166,4 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep
|
|||
return response->Deserialize(payload, payload + response_size);
|
||||
}
|
||||
|
||||
static inline TrustyGateKeeperDevice *convert_device(const gatekeeper_device *dev) {
|
||||
return reinterpret_cast<TrustyGateKeeperDevice *>(const_cast<gatekeeper_device *>(dev));
|
||||
}
|
||||
|
||||
/* static */
|
||||
int TrustyGateKeeperDevice::enroll(const struct gatekeeper_device *dev, uint32_t uid,
|
||||
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
|
||||
const uint8_t *current_password, uint32_t current_password_length,
|
||||
const uint8_t *desired_password, uint32_t desired_password_length,
|
||||
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
|
||||
|
||||
if (dev == NULL ||
|
||||
enrolled_password_handle == NULL || enrolled_password_handle_length == NULL ||
|
||||
desired_password == NULL || desired_password_length == 0)
|
||||
return -EINVAL;
|
||||
|
||||
// Current password and current password handle go together
|
||||
if (current_password_handle == NULL || current_password_handle_length == 0 ||
|
||||
current_password == NULL || current_password_length == 0) {
|
||||
current_password_handle = NULL;
|
||||
current_password_handle_length = 0;
|
||||
current_password = NULL;
|
||||
current_password_length = 0;
|
||||
}
|
||||
|
||||
return convert_device(dev)->Enroll(uid, current_password_handle, current_password_handle_length,
|
||||
current_password, current_password_length, desired_password, desired_password_length,
|
||||
enrolled_password_handle, enrolled_password_handle_length);
|
||||
|
||||
}
|
||||
|
||||
/* static */
|
||||
int TrustyGateKeeperDevice::verify(const struct gatekeeper_device *dev, uint32_t uid,
|
||||
uint64_t challenge, const uint8_t *enrolled_password_handle,
|
||||
uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
|
||||
uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
|
||||
bool *request_reenroll) {
|
||||
|
||||
if (dev == NULL || enrolled_password_handle == NULL ||
|
||||
provided_password == NULL) {
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return convert_device(dev)->Verify(uid, challenge, enrolled_password_handle,
|
||||
enrolled_password_handle_length, provided_password, provided_password_length,
|
||||
auth_token, auth_token_length, request_reenroll);
|
||||
}
|
||||
};
|
||||
|
|
|
@ -17,84 +17,34 @@
|
|||
#ifndef TRUSTY_GATEKEEPER_H
|
||||
#define TRUSTY_GATEKEEPER_H
|
||||
|
||||
#include <hardware/gatekeeper.h>
|
||||
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
|
||||
#include <hidl/Status.h>
|
||||
|
||||
#include <memory>
|
||||
|
||||
#include <gatekeeper/gatekeeper_messages.h>
|
||||
|
||||
#include "gatekeeper_ipc.h"
|
||||
|
||||
namespace gatekeeper {
|
||||
|
||||
class TrustyGateKeeperDevice {
|
||||
public:
|
||||
|
||||
explicit TrustyGateKeeperDevice(const hw_module_t* module);
|
||||
class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper {
|
||||
public:
|
||||
explicit TrustyGateKeeperDevice();
|
||||
~TrustyGateKeeperDevice();
|
||||
|
||||
hw_device_t* hw_device();
|
||||
|
||||
/**
|
||||
* Enrolls password_payload, which should be derived from a user selected pin or password,
|
||||
* with the authentication factor private key used only for enrolling authentication
|
||||
* factor data.
|
||||
*
|
||||
* Returns: 0 on success or an error code less than 0 on error.
|
||||
* On error, enrolled_password will not be allocated.
|
||||
*/
|
||||
int Enroll(uint32_t uid, const uint8_t *current_password_handle,
|
||||
uint32_t current_password_handle_length, const uint8_t *current_password,
|
||||
uint32_t current_password_length, const uint8_t *desired_password,
|
||||
uint32_t desired_password_length, uint8_t **enrolled_password_handle,
|
||||
uint32_t *enrolled_password_handle_length);
|
||||
|
||||
/**
|
||||
* Verifies provided_password matches expected_password after enrolling
|
||||
* with the authentication factor private key.
|
||||
*
|
||||
* Implementations of this module may retain the result of this call
|
||||
* to attest to the recency of authentication.
|
||||
*
|
||||
* On success, writes the address of a verification token to verification_token,
|
||||
*
|
||||
* Returns: 0 on success or an error code less than 0 on error
|
||||
* On error, verification token will not be allocated
|
||||
*/
|
||||
int Verify(uint32_t uid, uint64_t challenge, const uint8_t *enrolled_password_handle,
|
||||
uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
|
||||
uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
|
||||
bool *request_reenroll);
|
||||
|
||||
private:
|
||||
|
||||
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
|
||||
GateKeeperMessage* response);
|
||||
|
||||
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
|
||||
return Send(GK_ENROLL, request, response);
|
||||
}
|
||||
|
||||
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
|
||||
return Send(GK_VERIFY, request, response);
|
||||
}
|
||||
|
||||
// Static methods interfacing the HAL API with the TrustyGateKeeper device
|
||||
|
||||
/**
|
||||
* Enrolls desired_password, which should be derived from a user selected pin or password,
|
||||
* with the authentication factor private key used only for enrolling authentication
|
||||
* factor data.
|
||||
*
|
||||
* If there was already a password enrolled, it should be provided in
|
||||
* current_password_handle, along with the current password in current_password
|
||||
* that should validate against current_password_handle.
|
||||
*
|
||||
* Returns: 0 on success or an error code less than 0 on error.
|
||||
* On error, enrolled_password_handle will not be allocated.
|
||||
*/
|
||||
static int enroll(const struct gatekeeper_device *dev, uint32_t uid,
|
||||
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
|
||||
const uint8_t *current_password, uint32_t current_password_length,
|
||||
const uint8_t *desired_password, uint32_t desired_password_length,
|
||||
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
|
||||
::android::hardware::Return<void> enroll(
|
||||
uint32_t uid, const ::android::hardware::hidl_vec<uint8_t>& currentPasswordHandle,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& currentPassword,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& desiredPassword,
|
||||
enroll_cb _hidl_cb) override;
|
||||
|
||||
/**
|
||||
* Verifies provided_password matches enrolled_password_handle.
|
||||
|
@ -109,18 +59,32 @@ class TrustyGateKeeperDevice {
|
|||
* Returns: 0 on success or an error code less than 0 on error
|
||||
* On error, verification token will not be allocated
|
||||
*/
|
||||
static int verify(const struct gatekeeper_device *dev, uint32_t uid, uint64_t challenge,
|
||||
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
|
||||
const uint8_t *provided_password, uint32_t provided_password_length,
|
||||
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
|
||||
::android::hardware::Return<void> verify(
|
||||
uint32_t uid, uint64_t challenge,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
|
||||
const ::android::hardware::hidl_vec<uint8_t>& providedPassword,
|
||||
verify_cb _hidl_cb) override;
|
||||
|
||||
static int close_device(hw_device_t* dev);
|
||||
::android::hardware::Return<void> deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override;
|
||||
|
||||
::android::hardware::Return<void> deleteAllUsers(deleteAllUsers_cb _hidl_cb) override;
|
||||
|
||||
private:
|
||||
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
|
||||
GateKeeperMessage* response);
|
||||
|
||||
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
|
||||
return Send(GK_ENROLL, request, response);
|
||||
}
|
||||
|
||||
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
|
||||
return Send(GK_VERIFY, request, response);
|
||||
}
|
||||
|
||||
gatekeeper_device device_;
|
||||
int error_;
|
||||
|
||||
};
|
||||
}
|
||||
|
||||
} // namespace gatekeeper
|
||||
|
||||
#endif
|
||||
|
||||
|
|
|
@ -24,9 +24,7 @@
|
|||
|
||||
PRODUCT_PACKAGES += \
|
||||
android.hardware.keymaster@4.0-service.trusty \
|
||||
android.hardware.gatekeeper@1.0-service \
|
||||
android.hardware.gatekeeper@1.0-impl \
|
||||
gatekeeper.trusty
|
||||
android.hardware.gatekeeper@1.0-service.trusty
|
||||
|
||||
PRODUCT_PROPERTY_OVERRIDES += \
|
||||
ro.hardware.keystore=trusty \
|
||||
|
|
Loading…
Reference in a new issue