diff --git a/trusty/gatekeeper/Android.bp b/trusty/gatekeeper/Android.bp index 81f012fdc..0b4375420 100644 --- a/trusty/gatekeeper/Android.bp +++ b/trusty/gatekeeper/Android.bp @@ -24,11 +24,10 @@ package { } cc_binary { - name: "android.hardware.gatekeeper@1.0-service.trusty", - defaults: ["hidl_defaults"], + name: "android.hardware.gatekeeper-service.trusty", vendor: true, relative_install_path: "hw", - init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"], + init_rc: ["android.hardware.gatekeeper-service.trusty.rc"], srcs: [ "service.cpp", @@ -42,16 +41,21 @@ cc_binary { "-Werror", ], + static_libs: [ + "libgflags", + ], + shared_libs: [ - "android.hardware.gatekeeper@1.0", + "android.hardware.gatekeeper-V1-ndk", "libbase", - "libhidlbase", + "libbinder_ndk", "libgatekeeper", + "libhardware", "libutils", "liblog", "libcutils", "libtrusty", ], - vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"], + vintf_fragments: ["android.hardware.gatekeeper-service.trusty.xml"], } diff --git a/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc new file mode 100644 index 000000000..66ecbd1f0 --- /dev/null +++ b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc @@ -0,0 +1,4 @@ +service vendor.gatekeeper_default /vendor/bin/hw/android.hardware.gatekeeper-service.trusty + class hal + user system + group system diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml similarity index 60% rename from trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml rename to trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml index 19714a83b..c35421ea2 100644 --- a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml +++ b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml 
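Review bot: `static_libs: [ "libgflags", ],` is added to the binary, but the rewritten `main()` in service.cpp takes no `argc`/`argv` and nothing in the visible service.cpp or trusty_gatekeeper.cpp hunks references gflags, so the library appears to be dead code statically linked into a vendor HAL that runs as `user system`. Unless a follow-up actually parses flags, drop the `static_libs` block entirely; if flag parsing is intended, the `main(int argc, char** argv)` that calls into gflags should land in the same change so the dependency is justified. The `libhardware` addition, by contrast, is consistent with the new use of `hw_auth_token_t` in trusty_gatekeeper.cpp.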
@@ -1,10 +1,9 @@ - + android.hardware.gatekeeper - hwbinder - 1.0 + 1 - IGatekeeper + IGatekeeper default diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc deleted file mode 100644 index 5413a6c9f..000000000 --- a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc +++ /dev/null @@ -1,4 +0,0 @@ -service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty - class hal - user system - group system diff --git a/trusty/gatekeeper/service.cpp b/trusty/gatekeeper/service.cpp index c5ee4883f..d09804f9a 100644 --- a/trusty/gatekeeper/service.cpp +++ b/trusty/gatekeeper/service.cpp 
@@ -13,27 +13,28 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
-#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
+#define LOG_TAG "android.hardware.gatekeeper-service.trusty"
 #include
-#include
-
-#include
+#include
+#include
 #include "trusty_gatekeeper.h"
-// Generated HIDL files
-using android::hardware::gatekeeper::V1_0::IGatekeeper;
-using gatekeeper::TrustyGateKeeperDevice;
+using aidl::android::hardware::gatekeeper::TrustyGateKeeperDevice;
 int main() {
- ::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
- android::sp gatekeeper(new TrustyGateKeeperDevice());
- auto status = gatekeeper->registerAsService();
- if (status != android::OK) {
- LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
- }
+ ABinderProcess_setThreadPoolMaxThreadCount(0);
+
+ std::shared_ptr gatekeeper =
+ ndk::SharedRefBase::make();
+
+ const std::string instance = std::string() + TrustyGateKeeperDevice::descriptor + "/default";
+ binder_status_t status =
+ AServiceManager_addService(gatekeeper->asBinder().get(), instance.c_str());
+ CHECK_EQ(status, STATUS_OK);
+
+ ABinderProcess_joinThreadPool();
- android::hardware::joinRpcThreadpool();
 return -1; // Should never get here.
 }
diff --git a/trusty/gatekeeper/trusty_gatekeeper.cpp b/trusty/gatekeeper/trusty_gatekeeper.cpp
index ec4f81bf7..d0647dfbc 100644
--- a/trusty/gatekeeper/trusty_gatekeeper.cpp
+++ b/trusty/gatekeeper/trusty_gatekeeper.cpp
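Review bot: `CHECK_EQ(status, STATUS_OK);` still aborts on a failed registration, but unlike the `LOG(FATAL)` it replaces the crash line no longer names the service that failed; keep that context by streaming it: `CHECK_EQ(status, STATUS_OK) << "Could not register " << instance;`. The call `ABinderProcess_setThreadPoolMaxThreadCount(0);` also deserves a one-line why-comment: with no extra pool threads the joined main thread is the only one dispatching binder calls, and I suspect (the `Send()` body is cut off in a later hunk, so this is inferred from the fixed `SEND_BUF_SIZE`/`RECV_BUF_SIZE` constants) that this serialization is what keeps concurrent enroll/verify requests from interleaving on the single Trusty channel. Something like `// Single-threaded on purpose: TrustyGateKeeperDevice::Send() drives one Trusty channel and is not reentrant.` makes that dependency explicit so nobody later raises the count for throughput.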
@@ -16,28 +16,26 @@ #define LOG_TAG "TrustyGateKeeper" -#include +#include #include +#include +#include +#include + +#include "gatekeeper_ipc.h" #include "trusty_gatekeeper.h" #include "trusty_gatekeeper_ipc.h" -#include "gatekeeper_ipc.h" -using ::android::hardware::hidl_vec; -using ::android::hardware::Return; -using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode; -using ::gatekeeper::EnrollRequest; -using ::gatekeeper::EnrollResponse; +namespace aidl::android::hardware::gatekeeper { + using ::gatekeeper::ERROR_INVALID; -using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED; using ::gatekeeper::ERROR_NONE; using ::gatekeeper::ERROR_RETRY; using ::gatekeeper::SizedBuffer; using ::gatekeeper::VerifyRequest; using ::gatekeeper::VerifyResponse; -namespace gatekeeper { - constexpr const uint32_t SEND_BUF_SIZE = 8192; constexpr const uint32_t RECV_BUF_SIZE = 8192; 
@@ -54,89 +52,101 @@ TrustyGateKeeperDevice::~TrustyGateKeeperDevice() { trusty_gatekeeper_disconnect(); } -SizedBuffer hidl_vec2sized_buffer(const hidl_vec& vec) { +SizedBuffer vec2sized_buffer(const std::vector& vec) { if (vec.size() == 0 || vec.size() > std::numeric_limits::max()) return {}; auto buffer = new uint8_t[vec.size()]; std::copy(vec.begin(), vec.end(), buffer); return {buffer, static_cast(vec.size())}; } -Return TrustyGateKeeperDevice::enroll(uint32_t uid, - const hidl_vec& currentPasswordHandle, - const hidl_vec& currentPassword, - const hidl_vec& desiredPassword, - enroll_cb _hidl_cb) { +void sizedBuffer2AidlHWToken(SizedBuffer& buffer, + android::hardware::security::keymint::HardwareAuthToken* aidlToken) { + const hw_auth_token_t* authToken = + reinterpret_cast(buffer.Data()); + aidlToken->challenge = authToken->challenge; + aidlToken->userId = authToken->user_id; + aidlToken->authenticatorId = authToken->authenticator_id; + // these are in network order: translate to host + aidlToken->authenticatorType = + static_cast( + be32toh(authToken->authenticator_type)); + aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp); + aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac), + std::end(authToken->hmac)); +} + +::ndk::ScopedAStatus TrustyGateKeeperDevice::enroll( + int32_t uid, const std::vector& currentPasswordHandle, + const std::vector& currentPassword, const std::vector& desiredPassword, + GatekeeperEnrollResponse* rsp) { if (error_ != 0) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } if (desiredPassword.size() == 0) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } - EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle), - 
hidl_vec2sized_buffer(desiredPassword), - hidl_vec2sized_buffer(currentPassword)); + EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle), + vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword)); EnrollResponse response; auto error = Send(request, &response); if (error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else if (response.error == ERROR_RETRY) { - _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}}); + *rsp = {ERROR_RETRY_TIMEOUT, static_cast(response.retry_timeout), 0, {}}; + return ndk::ScopedAStatus::ok(); } else if (response.error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else { - hidl_vec new_handle(response.enrolled_password_handle.Data(), - response.enrolled_password_handle.Data() + - response.enrolled_password_handle.size()); - _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle}); + const ::gatekeeper::password_handle_t* password_handle = + response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>(); + *rsp = {STATUS_OK, + 0, + static_cast(password_handle->user_id), + {response.enrolled_password_handle.Data(), + (response.enrolled_password_handle.Data() + + response.enrolled_password_handle.size())}}; } - return {}; + return ndk::ScopedAStatus::ok(); } -Return TrustyGateKeeperDevice::verify( - uint32_t uid, uint64_t challenge, - const ::android::hardware::hidl_vec& enrolledPasswordHandle, - const ::android::hardware::hidl_vec& providedPassword, verify_cb _hidl_cb) { +::ndk::ScopedAStatus TrustyGateKeeperDevice::verify( + int32_t uid, int64_t challenge, const std::vector& enrolledPasswordHandle, + const std::vector& providedPassword, GatekeeperVerifyResponse* rsp) { if (error_ != 0) { - 
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } if (enrolledPasswordHandle.size() == 0) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } - VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle), - hidl_vec2sized_buffer(providedPassword)); + VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle), + vec2sized_buffer(providedPassword)); VerifyResponse response; auto error = Send(request, &response); if (error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else if (response.error == ERROR_RETRY) { - _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}}); + *rsp = {ERROR_RETRY_TIMEOUT, static_cast(response.retry_timeout), {}}; + return ndk::ScopedAStatus::ok(); } else if (response.error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else { - hidl_vec auth_token( - response.auth_token.Data(), - response.auth_token.Data() + response.auth_token.size()); - - _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL - : GatekeeperStatusCode::STATUS_OK, - response.retry_timeout, auth_token}); + // On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and + // valid HardwareAuthToken. + *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}}; + // Convert the hw_auth_token_t to HardwareAuthToken in the response. 
+ sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken); } - return {}; + return ndk::ScopedAStatus::ok(); } -Return TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) { +::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteUser(int32_t uid) { if (error_ != 0) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } DeleteUserRequest request(uid); @@ -144,21 +154,19 @@ Return TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hid auto error = Send(request, &response); if (error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else if (response.error == ERROR_NOT_IMPLEMENTED) { - _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED)); } else if (response.error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else { - _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}}); + return ndk::ScopedAStatus::ok(); } - return {}; } -Return TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) { +::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteAllUsers() { if (error_ != 0) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); - return {}; + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } DeleteAllUsersRequest request; 
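Review bot: `sizedBuffer2AidlHWToken` reinterprets `buffer.Data()` as a `hw_auth_token_t` and reads `challenge`, `timestamp` and the whole `hmac` array without checking that `buffer.size() >= sizeof(hw_auth_token_t)`, and the success branch of `enroll` likewise dereferences `password_handle->user_id` from `enrolled_password_handle.Data<password_handle_t>()` with no size check. Both buffers are whatever the Trusty TA returned and were only length-framed by `Deserialize`; if my recollection that `SizedBuffer::Data<T>()` returns nullptr for an undersized buffer is right this is a null dereference on a short response, and if it is not, it is an over-read of the response in a process running as `system` — either way a defence-in-depth gap against a misbehaving or downgraded TA. Guard both success paths and fail with `ERROR_GENERAL_FAILURE` as below; comparing `authToken->version` against the header's token version constant (if it is available) is a worthwhile follow-up. The `Send()` body referenced here lies outside this hunk.
```cpp
// … unchanged: enroll() request construction and Send() …
    } else {
        // Defensive: the TA response is IPC data, so size-check before reinterpreting it.
        if (response.enrolled_password_handle.size() < sizeof(::gatekeeper::password_handle_t)) {
            return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
        }
        const ::gatekeeper::password_handle_t* password_handle =
                response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();
        // … unchanged: fill *rsp from password_handle …
    }
// … unchanged: verify() request construction and Send() …
    } else {
        if (response.auth_token.size() < sizeof(hw_auth_token_t)) {
            return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
        }
        *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};
        sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);
    }
```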
@@ -166,16 +174,14 @@ Return TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) auto error = Send(request, &response); if (error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else if (response.error == ERROR_NOT_IMPLEMENTED) { - _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED)); } else if (response.error != ERROR_NONE) { - _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}}); + return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE)); } else { - _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}}); + return ndk::ScopedAStatus::ok(); } - - return {}; } gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request, @@ -201,4 +207,4 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep return response->Deserialize(payload, payload + response_size); } -}; +} // namespace aidl::android::hardware::gatekeeper diff --git a/trusty/gatekeeper/trusty_gatekeeper.h b/trusty/gatekeeper/trusty_gatekeeper.h index 420dd7a09..5cb5d4bca 100644 --- a/trusty/gatekeeper/trusty_gatekeeper.h +++ b/trusty/gatekeeper/trusty_gatekeeper.h 
@@ -17,18 +17,30 @@ #ifndef TRUSTY_GATEKEEPER_H #define TRUSTY_GATEKEEPER_H -#include -#include - #include +#include + #include #include "gatekeeper_ipc.h" -namespace gatekeeper { +namespace aidl::android::hardware::gatekeeper { -class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper { +using aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse; +using aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse; +using ::gatekeeper::DeleteAllUsersRequest; +using ::gatekeeper::DeleteAllUsersResponse; +using ::gatekeeper::DeleteUserRequest; +using ::gatekeeper::DeleteUserResponse; +using ::gatekeeper::EnrollRequest; +using ::gatekeeper::EnrollResponse; +using ::gatekeeper::gatekeeper_error_t; +using ::gatekeeper::GateKeeperMessage; +using ::gatekeeper::VerifyRequest; +using ::gatekeeper::VerifyResponse; + +class TrustyGateKeeperDevice : public BnGatekeeper { public: explicit TrustyGateKeeperDevice(); ~TrustyGateKeeperDevice(); @@ -40,11 +52,10 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa * Returns: 0 on success or an error code less than 0 on error. * On error, enrolled_password_handle will not be allocated. */ - ::android::hardware::Return enroll( - uint32_t uid, const ::android::hardware::hidl_vec& currentPasswordHandle, - const ::android::hardware::hidl_vec& currentPassword, - const ::android::hardware::hidl_vec& desiredPassword, - enroll_cb _hidl_cb) override; + ::ndk::ScopedAStatus enroll(int32_t uid, const std::vector& currentPasswordHandle, + const std::vector& currentPassword, + const std::vector& desiredPassword, + GatekeeperEnrollResponse* _aidl_return) override; /** * Verifies provided_password matches enrolled_password_handle. 
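Review bot: The doc comment kept above `enroll` still says `Returns: 0 on success or an error code less than 0 on error.` and `On error, enrolled_password_handle will not be allocated.`, which described the old C/HIDL contract; the new declaration returns a `::ndk::ScopedAStatus` and writes the handle into `GatekeeperEnrollResponse* _aidl_return`, so both sentences are now wrong. Based on the implementation hunk, replace them with: `Returns: ScopedAStatus::ok() with *_aidl_return filled in (STATUS_OK and the new handle, or ERROR_RETRY_TIMEOUT with the timeout), or a service-specific ERROR_GENERAL_FAILURE status, in which case *_aidl_return is left untouched.` The opening of this comment block lies above the hunk.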
@@ -59,25 +70,24 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa * Returns: 0 on success or an error code less than 0 on error * On error, verification token will not be allocated */ - ::android::hardware::Return verify( - uint32_t uid, uint64_t challenge, - const ::android::hardware::hidl_vec& enrolledPasswordHandle, - const ::android::hardware::hidl_vec& providedPassword, - verify_cb _hidl_cb) override; + ::ndk::ScopedAStatus verify(int32_t uid, int64_t challenge, + const std::vector& enrolledPasswordHandle, + const std::vector& providedPassword, + GatekeeperVerifyResponse* _aidl_return) override; - ::android::hardware::Return deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override; + ::ndk::ScopedAStatus deleteAllUsers() override; - ::android::hardware::Return deleteAllUsers(deleteAllUsers_cb _hidl_cb) override; + ::ndk::ScopedAStatus deleteUser(int32_t uid) override; private: gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request, GateKeeperMessage* response); - gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) { + gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse* response) { return Send(GK_ENROLL, request, response); } - gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) { + gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse* response) { return Send(GK_VERIFY, request, response); } @@ -93,7 +103,6 @@ class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGa int error_; }; -} // namespace gatekeeper +} // namespace aidl::android::hardware::gatekeeper #endif - diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk index 7b4aa2633..5a3a32090 100644 --- a/trusty/trusty-base.mk +++ b/trusty/trusty-base.mk 
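Review bot: The comment above `verify` is stale in the same way: `Returns: 0 on success or an error code less than 0 on error` and `On error, verification token will not be allocated` no longer describe a method that returns `::ndk::ScopedAStatus` and reports through `GatekeeperVerifyResponse* _aidl_return`. Based on the implementation hunk, replace those two lines with: `Returns: ScopedAStatus::ok() with *_aidl_return set to STATUS_OK or STATUS_REENROLL plus a populated hardwareAuthToken, or to ERROR_RETRY_TIMEOUT with the timeout; a service-specific ERROR_GENERAL_FAILURE status otherwise, leaving *_aidl_return untouched.` The comment block and the class body continue outside this hunk.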
@@ -37,7 +37,7 @@ endif PRODUCT_PACKAGES += \ $(LOCAL_KEYMINT_PRODUCT_PACKAGE) \ - android.hardware.gatekeeper@1.0-service.trusty \ + android.hardware.gatekeeper-service.trusty \ trusty_apploader \ RemoteProvisioner