tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_security/keystore/keystore_utils.h

71 lines
2 KiB
C
Raw Normal View History

Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef KEYSTORE_KEYSTORE_UTILS_H_
#define KEYSTORE_KEYSTORE_UTILS_H_
Use libkeymaster4support in keystore. Test: CTS Change-Id: Iee8f308a5255a03b02fce162cc4184d45f75fd1b
2017-12-07 03:35:28 +01:00
#include <cstdint>
Fix grants get lost on key upgrade The upgrade routine used to call KeyStore->del which purges the given key blob from the keystore including all existing grants. With this patch, upgrade only calls Keymaster::delete on the keyblobs without purging it from the keystore. Also it only calls Keymaster::delete once the upgrade key was successfully written to disk. This patch also calls fsync on the directory containing keyblobs to narrow the window in which keyblob may be lost due to power loss. Bug: 110450771 Test: Upgrade path tested by manually creating a key, bumping the patchlevel, using the key subsequently and inspecting the logs. Change-Id: I89241b5d4033b270733ff61838ab9244fce28c60
2019-05-01 00:43:59 +02:00
#include <string>
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
#include <vector>
#include <openssl/evp.h>
#include <openssl/pem.h>
Remove use of UniquePtr from keystore Remove UniquePtr from keystore in favour of std::unique_ptr Change-Id: I8e02adab4326028e26dbf59ac836679abe2a40de
2017-05-01 20:02:51 +02:00
#include <memory>
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
Use libkeymaster4support in keystore. Test: CTS Change-Id: Iee8f308a5255a03b02fce162cc4184d45f75fd1b
2017-12-07 03:35:28 +01:00
#include <keystore/keymaster_types.h>
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the once defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes: * Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h). * A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is send to a client, the success values are coalesced onto 1 as expected by the clients. KSSreturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1). * A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions. * The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible. * Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required. Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
2016-10-13 19:43:45 +02:00
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
size_t readFully(int fd, uint8_t* data, size_t size);
size_t writeFully(int fd, uint8_t* data, size_t size);
Fix grants get lost on key upgrade The upgrade routine used to call KeyStore->del which purges the given key blob from the keystore including all existing grants. With this patch, upgrade only calls Keymaster::delete on the keyblobs without purging it from the keystore. Also it only calls Keymaster::delete once the upgrade key was successfully written to disk. This patch also calls fsync on the directory containing keyblobs to narrow the window in which keyblob may be lost due to power loss. Bug: 110450771 Test: Upgrade path tested by manually creating a key, bumping the patchlevel, using the key subsequently and inspecting the logs. Change-Id: I89241b5d4033b270733ff61838ab9244fce28c60
2019-05-01 00:43:59 +02:00
std::string getContainingDirectory(const std::string& filename);
void fsyncDirectory(const std::string& path);
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the once defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes: * Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h). * A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is send to a client, the success values are coalesced onto 1 as expected by the clients. KSSreturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1). * A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions. * The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible. * Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required. Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
2016-10-13 19:43:45 +02:00
void add_legacy_key_authorizations(int keyType, keystore::AuthorizationSet* params);
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
/**
* Returns the app ID (in the Android multi-user sense) for the current
* UNIX UID.
*/
uid_t get_app_id(uid_t uid);
/**
* Returns the user ID (in the Android multi-user sense) for the current
* UNIX UID.
*/
uid_t get_user_id(uid_t uid);
KeyStore: use security level to chose keymaster device Keymaster4 introduces security levels. Android devices may have multiple keymaster implementations, one for each possible security level, where the presence of a strong security level implies the presence of all lower levels. This patch adds code that enumerates all keymaster device implementations available from ServiceManager and populates Keystore's keymaster device database with at most one keymaster implementation per security level. It gives precedence to newer versions if multiple implementations exist for the same security level. The security level is chosen by a set of flags passed to the keystore operations generate, import, addRngEntropy. For existing keys the right security level is chosen by the blob flags. To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the security level is expressed through a combination of KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S). Encoding is as follows: F S Software 1 X (don't care) TEE 0 0 Strongbox 0 1 Some operations in keystore cli2 where amended with the optional --seclevel flags. Allowing the user to chose the security level for the given operation. Possible options are "software", "strongbox", and "tee" where tee is the default value. Test: Existing KeyStore CTS tests run Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
2017-12-19 01:48:46 +01:00
class Blob;
NIAP: Log key integrity failure to audit log. Logs key integrity violation in two cases: 1. software-detected corruption of key blob. 2. keymaster operation returning INVALID_KEY_BLOB Changed AES_gcm_decrypt to return VALUE_CORRUPTED on decryption errors to be consistent with digest check for older version blob. Bug: 70886042 Test: manual, by patching some bytes in the blob. Test: cts-tradefed run cts -m CtsKeystoreTestCases Change-Id: Ic8f6b7a2a49aee01253b429644af409e568d7deb
2018-02-12 19:45:02 +01:00
// Tags for audit logging. Be careful and don't log sensitive data.
// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
constexpr int SEC_TAG_KEY_DESTROYED = 210026;
constexpr int SEC_TAG_KEY_INTEGRITY_VIOLATION = 210032;
constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
constexpr int SEC_TAG_KEY_IMPORTED = 210025;
void log_key_integrity_violation(const char* name, uid_t uid);
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the once defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes: * Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h). * A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is send to a client, the success values are coalesced onto 1 as expected by the clients. KSSreturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1). * A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions. * The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible. * Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required. Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
2016-10-13 19:43:45 +02:00
namespace keystore {
KeyStore: use security level to chose keymaster device Keymaster4 introduces security levels. Android devices may have multiple keymaster implementations, one for each possible security level, where the presence of a strong security level implies the presence of all lower levels. This patch adds code that enumerates all keymaster device implementations available from ServiceManager and populates Keystore's keymaster device database with at most one keymaster implementation per security level. It gives precedence to newer versions if multiple implementations exist for the same security level. The security level is chosen by a set of flags passed to the keystore operations generate, import, addRngEntropy. For existing keys the right security level is chosen by the blob flags. To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the security level is expressed through a combination of KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S). Encoding is as follows: F S Software 1 X (don't care) TEE 0 0 Strongbox 0 1 Some operations in keystore cli2 where amended with the optional --seclevel flags. Allowing the user to chose the security level for the given operation. Possible options are "software", "strongbox", and "tee" where tee is the default value. Test: Existing KeyStore CTS tests run Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
2017-12-19 01:48:46 +01:00
hidl_vec<uint8_t> blob2hidlVec(const Blob& blob);
SecurityLevel flagsToSecurityLevel(int32_t flags);
uint32_t securityLevelToFlags(SecurityLevel secLevel);
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the once defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes: * Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h). * A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is send to a client, the success values are coalesced onto 1 as expected by the clients. KSSreturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1). * A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions. * The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible. * Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required. Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
2016-10-13 19:43:45 +02:00
Use libkeymaster4support in keystore. Test: CTS Change-Id: Iee8f308a5255a03b02fce162cc4184d45f75fd1b
2017-12-07 03:35:28 +01:00
} // namespace keystore
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the once defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes: * Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h). * A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is send to a client, the success values are coalesced onto 1 as expected by the clients. KSSreturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1). * A bug was fixed, that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions. * The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible. * Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required. Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
2016-10-13 19:43:45 +02:00
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Note that this is a cherry-pick from: https://android-review.googlesource.com/#/c/194971 Change-Id: Ide326c4f1d03984994d1bd9a76fa68d37da230dc
2016-01-27 06:44:56 +01:00
#endif // KEYSTORE_KEYSTORE_UTILS_H_
Reference in a new issue Copy permalink