tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

identity: Replace RemotelyProvisionedKey with librkp_support

Browse source 
Test: m credstore
Change-Id: I0049d5ba59936943336c7a531d1b022d4d64e4a6
This commit is contained in:
Tri Vo 2023-03-07 21:59:31 -08:00
parent a9ebcd24e1
commit 1054237787
5 changed files with 5 additions and 261 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
identity/Android.bp
View file

@ -36,7 +36,6 @@ cc_binary {
"CredentialData.cpp", "CredentialData.cpp",
"CredentialStore.cpp", "CredentialStore.cpp",
"CredentialStoreFactory.cpp", "CredentialStoreFactory.cpp",
"RemotelyProvisionedKey.cpp",
"Session.cpp", "Session.cpp",
"Util.cpp", "Util.cpp",
"WritableCredential.cpp", "WritableCredential.cpp",
@ -55,6 +54,7 @@ cc_binary {
"libhidlbase", "libhidlbase",
"libkeymaster4support", "libkeymaster4support",
"libkeystore-attestation-application-id", "libkeystore-attestation-application-id",
"librkp_support",
"libutils", "libutils",
"libutilscallstack", "libutilscallstack",
"libvintf", "libvintf",

17
identity/CredentialStore.cpp
View file

@ -24,12 +24,12 @@
#include <android/hardware/security/keymint/RpcHardwareInfo.h> #include <android/hardware/security/keymint/RpcHardwareInfo.h>
#include <binder/IPCThreadState.h> #include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h> #include <binder/IServiceManager.h>
#include <rkp/support/rkpd_client.h>
#include <vintf/VintfObject.h> #include <vintf/VintfObject.h>
#include "Credential.h" #include "Credential.h"
#include "CredentialData.h" #include "CredentialData.h"
#include "CredentialStore.h" #include "CredentialStore.h"
#include "RemotelyProvisionedKey.h"
#include "Session.h" #include "Session.h"
#include "Util.h" #include "Util.h"
#include "WritableCredential.h" #include "WritableCredential.h"
@ -39,7 +39,8 @@ namespace security {
namespace identity { namespace identity {
namespace { namespace {
using ::android::security::rkp::IRemoteProvisioning; using ::android::security::rkp::RemotelyProvisionedKey;
using ::android::security::rkp::support::getRpcKey;
} // namespace } // namespace
@ -183,17 +184,7 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey(
LOG(INFO) << "Fetching attestation key from RKPD"; LOG(INFO) << "Fetching attestation key from RKPD";
uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid); std::optional<RemotelyProvisionedKey> key = getRpcKey(rpc_, callingUid);
if (!rpcKeyFuture) {
return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
}
if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
return Status::fromServiceSpecificError(
ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
}
std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
if (!key) { if (!key) {
return Status::fromServiceSpecificError( return Status::fromServiceSpecificError(
ERROR_GENERIC, "Failed to get remotely provisioned attestation key"); ERROR_GENERIC, "Failed to get remotely provisioned attestation key");

1
identity/CredentialStore.h
View file

@ -22,7 +22,6 @@
#include <android/hardware/identity/IIdentityCredentialStore.h> #include <android/hardware/identity/IIdentityCredentialStore.h>
#include <android/security/identity/BnCredentialStore.h> #include <android/security/identity/BnCredentialStore.h>
#include <android/security/rkp/IRemoteProvisioning.h>
namespace android { namespace android {
namespace security { namespace security {

208
identity/RemotelyProvisionedKey.cpp
View file

@ -1,208 +0,0 @@
/*
* Copyright (c) 2019, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "credstore"
#include <atomic>
#include <android-base/logging.h>
#include <android/security/rkp/BnGetKeyCallback.h>
#include <android/security/rkp/BnGetRegistrationCallback.h>
#include <android/security/rkp/IGetKeyCallback.h>
#include <android/security/rkp/IRemoteProvisioning.h>
#include <binder/IServiceManager.h>
#include <binder/Status.h>
#include <vintf/VintfObject.h>
#include "RemotelyProvisionedKey.h"
namespace android {
namespace security {
namespace identity {
namespace {
using ::android::binder::Status;
using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using ::android::hardware::security::keymint::RpcHardwareInfo;
using ::android::security::rkp::BnGetKeyCallback;
using ::android::security::rkp::BnGetRegistrationCallback;
using ::android::security::rkp::IGetKeyCallback;
using ::android::security::rkp::IRegistration;
using ::android::security::rkp::IRemoteProvisioning;
using ::android::security::rkp::RemotelyProvisionedKey;
constexpr const char* kRemoteProvisioningServiceName = "remote_provisioning";
std::optional<String16> findRpcNameById(std::string_view targetRpcId) {
auto deviceManifest = vintf::VintfObject::GetDeviceHalManifest();
auto instances = deviceManifest->getAidlInstances("android.hardware.security.keymint",
"IRemotelyProvisionedComponent");
for (const std::string& instance : instances) {
auto rpcName =
IRemotelyProvisionedComponent::descriptor + String16("/") + String16(instance.c_str());
sp<IRemotelyProvisionedComponent> rpc =
android::waitForService<IRemotelyProvisionedComponent>(rpcName);
auto rpcId = getRpcId(rpc);
if (!rpcId) {
continue;
}
if (*rpcId == targetRpcId) {
return rpcName;
}
}
LOG(ERROR) << "Remotely provisioned component with given unique ID: " << targetRpcId
<< " not found";
return std::nullopt;
}
std::optional<String16> getRpcName(const sp<IRemotelyProvisionedComponent>& rpc) {
std::optional<std::string> targetRpcId = getRpcId(rpc);
if (!targetRpcId) {
return std::nullopt;
}
return findRpcNameById(*targetRpcId);
}
class GetKeyCallback : public BnGetKeyCallback {
public:
GetKeyCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise)
: keyPromise_(std::move(keyPromise)), called_() {}
Status onSuccess(const RemotelyProvisionedKey& key) override {
if (called_.test_and_set()) {
return Status::ok();
}
keyPromise_.set_value(key);
return Status::ok();
}
Status onCancel() override {
if (called_.test_and_set()) {
return Status::ok();
}
LOG(ERROR) << "GetKeyCallback cancelled";
keyPromise_.set_value(std::nullopt);
return Status::ok();
}
Status onError(IGetKeyCallback::ErrorCode error, const String16& description) override {
if (called_.test_and_set()) {
return Status::ok();
}
LOG(ERROR) << "GetKeyCallback failed: " << static_cast<int>(error) << ", " << description;
keyPromise_.set_value(std::nullopt);
return Status::ok();
}
private:
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
// This callback can only be called into once
std::atomic_flag called_;
};
class GetRegistrationCallback : public BnGetRegistrationCallback {
public:
GetRegistrationCallback(std::promise<std::optional<RemotelyProvisionedKey>> keyPromise,
uint32_t keyId)
: keyPromise_(std::move(keyPromise)), keyId_(keyId), called_() {}
Status onSuccess(const sp<IRegistration>& registration) override {
if (called_.test_and_set()) {
return Status::ok();
}
auto cb = sp<GetKeyCallback>::make(std::move(keyPromise_));
auto status = registration->getKey(keyId_, cb);
if (!status.isOk()) {
cb->onError(IGetKeyCallback::ErrorCode::ERROR_UNKNOWN,
String16("Failed to register GetKeyCallback"));
}
return Status::ok();
}
Status onCancel() override {
if (called_.test_and_set()) {
return Status::ok();
}
LOG(ERROR) << "GetRegistrationCallback cancelled";
keyPromise_.set_value(std::nullopt);
return Status::ok();
}
Status onError(const String16& error) override {
if (called_.test_and_set()) {
return Status::ok();
}
LOG(ERROR) << "GetRegistrationCallback failed: " << error;
keyPromise_.set_value(std::nullopt);
return Status::ok();
}
private:
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise_;
int32_t keyId_;
// This callback can only be called into once
std::atomic_flag called_;
};
} // namespace
std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc) {
RpcHardwareInfo rpcHwInfo;
Status status = rpc->getHardwareInfo(&rpcHwInfo);
if (!status.isOk()) {
LOG(ERROR) << "Error getting remotely provisioned component hardware info: " << status;
return std::nullopt;
}
if (!rpcHwInfo.uniqueId) {
LOG(ERROR) << "Remotely provisioned component is missing a unique id, which is "
<< "required for credential key remotely provisioned attestation keys. "
<< "This is a bug in the vendor implementation.";
return std::nullopt;
}
return *rpcHwInfo.uniqueId;
}
std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId) {
std::promise<std::optional<RemotelyProvisionedKey>> keyPromise;
auto keyFuture = keyPromise.get_future();
auto rpcName = getRpcName(rpc);
if (!rpcName) {
LOG(ERROR) << "Failed to get IRemotelyProvisionedComponent name";
return std::nullopt;
}
sp<IRemoteProvisioning> remoteProvisioning =
android::waitForService<IRemoteProvisioning>(String16(kRemoteProvisioningServiceName));
if (!remoteProvisioning) {
LOG(ERROR) << "Failed to get IRemoteProvisioning HAL";
return std::nullopt;
}
auto cb = sp<GetRegistrationCallback>::make(std::move(keyPromise), keyId);
Status status = remoteProvisioning->getRegistration(*rpcName, cb);
if (!status.isOk()) {
LOG(ERROR) << "Failed getRegistration()";
return std::nullopt;
}
return keyFuture;
}
} // namespace identity
} // namespace security
} // namespace android

38
identity/RemotelyProvisionedKey.h
View file

@ -1,38 +0,0 @@
/*
* Copyright (c) 2022, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <future>
#include <optional>
#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
namespace android {
namespace security {
namespace identity {
using ::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using ::android::security::rkp::RemotelyProvisionedKey;
std::optional<std::string> getRpcId(const sp<IRemotelyProvisionedComponent>& rpc);
std::optional<std::future<std::optional<RemotelyProvisionedKey>>>
getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId);
} // namespace identity
} // namespace security
} // namespace android