tequilaOS/platform_system_core
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Convert Gatekeeper from HIDL to AIDL

Browse source 
Replaced HIDL spec implementation with AIDL spec in gatekeeper
module. Based on the changes in aosp/2161796.

Bug: 268342724
Test: VtsHalGatekeeperTargetTest, CtsVerifier
Change-Id: Ic322e5c5a7d0577df28410a546cbad88549158bc
This commit is contained in:
David Drysdale 2023-02-03 18:25:03 +00:00 committed by Subrahmanya Manikanta Venkateswarlu Bhamidipati Kameswara Sri
parent 3d11890797
commit d0149e8e9a
8 changed files with 139 additions and 120 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
trusty/gatekeeper/Android.bp
View file

@ -24,11 +24,10 @@ package {
}
cc_binary {
name: "android.hardware.gatekeeper@1.0-service.trusty",
defaults: ["hidl_defaults"],
name: "android.hardware.gatekeeper-service.trusty",
vendor: true,
relative_install_path: "hw",
init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],
init_rc: ["android.hardware.gatekeeper-service.trusty.rc"],
srcs: [
"service.cpp",
@ -42,16 +41,21 @@ cc_binary {
"-Werror",
],
static_libs: [
"libgflags",
],
shared_libs: [
"android.hardware.gatekeeper@1.0",
"android.hardware.gatekeeper-V1-ndk",
"libbase",
"libhidlbase",
"libbinder_ndk",
"libgatekeeper",
"libhardware",
"libutils",
"liblog",
"libcutils",
"libtrusty",
],
vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],
vintf_fragments: ["android.hardware.gatekeeper-service.trusty.xml"],
}

4
trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc Normal file
View file

@ -0,0 +1,4 @@
service vendor.gatekeeper_default /vendor/bin/hw/android.hardware.gatekeeper-service.trusty
class hal
user system
group system

7
trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml → trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml
View file

@ -1,10 +1,9 @@
<manifest version="1.0" type="device">
<hal format="hidl">
<hal format="aidl">
<name>android.hardware.gatekeeper</name>
<transport>hwbinder</transport>
<version>1.0</version>
<version>1</version>
<interface>
<name>IGatekeeper</name>
<name>IGatekeeper</name>
<instance>default</instance>
</interface>
</hal>

4
trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc
View file

@ -1,4 +0,0 @@
service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty
class hal
user system
group system

29
trusty/gatekeeper/service.cpp
View file

@ -13,27 +13,28 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
#define LOG_TAG "android.hardware.gatekeeper-service.trusty"
#include <android-base/logging.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <hidl/LegacySupport.h>
#include <android/binder_manager.h>
#include <android/binder_process.h>
#include "trusty_gatekeeper.h"
// Generated HIDL files
using android::hardware::gatekeeper::V1_0::IGatekeeper;
using gatekeeper::TrustyGateKeeperDevice;
using aidl::android::hardware::gatekeeper::TrustyGateKeeperDevice;
int main() {
::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());
auto status = gatekeeper->registerAsService();
if (status != android::OK) {
LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
}
ABinderProcess_setThreadPoolMaxThreadCount(0);
std::shared_ptr<TrustyGateKeeperDevice> gatekeeper =
ndk::SharedRefBase::make<TrustyGateKeeperDevice>();
const std::string instance = std::string() + TrustyGateKeeperDevice::descriptor + "/default";
binder_status_t status =
AServiceManager_addService(gatekeeper->asBinder().get(), instance.c_str());
CHECK_EQ(status, STATUS_OK);
ABinderProcess_joinThreadPool();
android::hardware::joinRpcThreadpool();
return -1; // Should never get here.
}

146
trusty/gatekeeper/trusty_gatekeeper.cpp
View file

@ -16,28 +16,26 @@
#define LOG_TAG "TrustyGateKeeper"
#include <android-base/logging.h>
#include <endian.h>
#include <limits>
#include <android-base/logging.h>
#include <gatekeeper/password_handle.h>
#include <hardware/hw_auth_token.h>
#include "gatekeeper_ipc.h"
#include "trusty_gatekeeper.h"
#include "trusty_gatekeeper_ipc.h"
#include "gatekeeper_ipc.h"
using ::android::hardware::hidl_vec;
using ::android::hardware::Return;
using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
using ::gatekeeper::EnrollRequest;
using ::gatekeeper::EnrollResponse;
namespace aidl::android::hardware::gatekeeper {
using ::gatekeeper::ERROR_INVALID;
using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
using ::gatekeeper::ERROR_NONE;
using ::gatekeeper::ERROR_RETRY;
using ::gatekeeper::SizedBuffer;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
namespace gatekeeper {
constexpr const uint32_t SEND_BUF_SIZE = 8192;
constexpr const uint32_t RECV_BUF_SIZE = 8192;
@ -54,89 +52,101 @@ TrustyGateKeeperDevice::~TrustyGateKeeperDevice() {
trusty_gatekeeper_disconnect();
}
SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
SizedBuffer vec2sized_buffer(const std::vector<uint8_t>& vec) {
if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
auto buffer = new uint8_t[vec.size()];
std::copy(vec.begin(), vec.end(), buffer);
return {buffer, static_cast<uint32_t>(vec.size())};
}
Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,
const hidl_vec<uint8_t>& currentPasswordHandle,
const hidl_vec<uint8_t>& currentPassword,
const hidl_vec<uint8_t>& desiredPassword,
enroll_cb _hidl_cb) {
void sizedBuffer2AidlHWToken(SizedBuffer& buffer,
android::hardware::security::keymint::HardwareAuthToken* aidlToken) {
const hw_auth_token_t* authToken =
reinterpret_cast<const hw_auth_token_t*>(buffer.Data<uint8_t>());
aidlToken->challenge = authToken->challenge;
aidlToken->userId = authToken->user_id;
aidlToken->authenticatorId = authToken->authenticator_id;
// these are in network order: translate to host
aidlToken->authenticatorType =
static_cast<android::hardware::security::keymint::HardwareAuthenticatorType>(
be32toh(authToken->authenticator_type));
aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp);
aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac),
std::end(authToken->hmac));
}
::ndk::ScopedAStatus TrustyGateKeeperDevice::enroll(
int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
const std::vector<uint8_t>& currentPassword, const std::vector<uint8_t>& desiredPassword,
GatekeeperEnrollResponse* rsp) {
if (error_ != 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
if (desiredPassword.size() == 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
hidl_vec2sized_buffer(desiredPassword),
hidl_vec2sized_buffer(currentPassword));
EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle),
vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword));
EnrollResponse response;
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_RETRY) {
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
*rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), 0, {}};
return ndk::ScopedAStatus::ok();
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
response.enrolled_password_handle.Data<uint8_t>() +
response.enrolled_password_handle.size());
_hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
const ::gatekeeper::password_handle_t* password_handle =
response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();
*rsp = {STATUS_OK,
0,
static_cast<int64_t>(password_handle->user_id),
{response.enrolled_password_handle.Data<uint8_t>(),
(response.enrolled_password_handle.Data<uint8_t>() +
response.enrolled_password_handle.size())}};
}
return {};
return ndk::ScopedAStatus::ok();
}
Return<void> TrustyGateKeeperDevice::verify(
uint32_t uid, uint64_t challenge,
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
::ndk::ScopedAStatus TrustyGateKeeperDevice::verify(
int32_t uid, int64_t challenge, const std::vector<uint8_t>& enrolledPasswordHandle,
const std::vector<uint8_t>& providedPassword, GatekeeperVerifyResponse* rsp) {
if (error_ != 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
if (enrolledPasswordHandle.size() == 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
hidl_vec2sized_buffer(providedPassword));
VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle),
vec2sized_buffer(providedPassword));
VerifyResponse response;
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_RETRY) {
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
*rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), {}};
return ndk::ScopedAStatus::ok();
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
hidl_vec<uint8_t> auth_token(
response.auth_token.Data<uint8_t>(),
response.auth_token.Data<uint8_t>() + response.auth_token.size());
_hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
: GatekeeperStatusCode::STATUS_OK,
response.retry_timeout, auth_token});
// On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and
// valid HardwareAuthToken.
*rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};
// Convert the hw_auth_token_t to HardwareAuthToken in the response.
sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);
}
return {};
return ndk::ScopedAStatus::ok();
}
Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) {
::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteUser(int32_t uid) {
if (error_ != 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
DeleteUserRequest request(uid);
@ -144,21 +154,19 @@ Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hid
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_NOT_IMPLEMENTED) {
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
_hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});
return ndk::ScopedAStatus::ok();
}
return {};
}
Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteAllUsers() {
if (error_ != 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
DeleteAllUsersRequest request;
@ -166,16 +174,14 @@ Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb)
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_NOT_IMPLEMENTED) {
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
_hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});
return ndk::ScopedAStatus::ok();
}
return {};
}
gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
@ -201,4 +207,4 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep
return response->Deserialize(payload, payload + response_size);
}
};
} // namespace aidl::android::hardware::gatekeeper

51
trusty/gatekeeper/trusty_gatekeeper.h
View file

@ -17,18 +17,30 @@
#ifndef TRUSTY_GATEKEEPER_H
#define TRUSTY_GATEKEEPER_H
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <hidl/Status.h>
#include <memory>
#include <aidl/android/hardware/gatekeeper/BnGatekeeper.h>
#include <gatekeeper/gatekeeper_messages.h>
#include "gatekeeper_ipc.h"
namespace gatekeeper {
namespace aidl::android::hardware::gatekeeper {
class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper {
using aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse;
using aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse;
using ::gatekeeper::DeleteAllUsersRequest;
using ::gatekeeper::DeleteAllUsersResponse;
using ::gatekeeper::DeleteUserRequest;
using ::gatekeeper::DeleteUserResponse;
using ::gatekeeper::EnrollRequest;
using ::gatekeeper::EnrollResponse;
using ::gatekeeper::gatekeeper_error_t;
using ::gatekeeper::GateKeeperMessage;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
class TrustyGateKeeperDevice : public BnGatekeeper {
public:
explicit TrustyGateKeeperDevice();
~TrustyGateKeeperDevice();
@ -40,11 +52,10 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa
* Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password_handle will not be allocated.
*/
::android::hardware::Return<void> enroll(
uint32_t uid, const ::android::hardware::hidl_vec<uint8_t>& currentPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& currentPassword,
const ::android::hardware::hidl_vec<uint8_t>& desiredPassword,
enroll_cb _hidl_cb) override;
::ndk::ScopedAStatus enroll(int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
const std::vector<uint8_t>& currentPassword,
const std::vector<uint8_t>& desiredPassword,
GatekeeperEnrollResponse* _aidl_return) override;
/**
* Verifies provided_password matches enrolled_password_handle.
@ -59,25 +70,24 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
::android::hardware::Return<void> verify(
uint32_t uid, uint64_t challenge,
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& providedPassword,
verify_cb _hidl_cb) override;
::ndk::ScopedAStatus verify(int32_t uid, int64_t challenge,
const std::vector<uint8_t>& enrolledPasswordHandle,
const std::vector<uint8_t>& providedPassword,
GatekeeperVerifyResponse* _aidl_return) override;
::android::hardware::Return<void> deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override;
::ndk::ScopedAStatus deleteAllUsers() override;
::android::hardware::Return<void> deleteAllUsers(deleteAllUsers_cb _hidl_cb) override;
::ndk::ScopedAStatus deleteUser(int32_t uid) override;
private:
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
GateKeeperMessage* response);
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse* response) {
return Send(GK_ENROLL, request, response);
}
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse* response) {
return Send(GK_VERIFY, request, response);
}
@ -93,7 +103,6 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa
int error_;
};
} // namespace gatekeeper
} // namespace aidl::android::hardware::gatekeeper
#endif

2
trusty/trusty-base.mk
View file

@ -37,7 +37,7 @@ endif
PRODUCT_PACKAGES += \
$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
android.hardware.gatekeeper@1.0-service.trusty \
android.hardware.gatekeeper-service.trusty \
trusty_apploader \
RemoteProvisioner