tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "Revert "[keystore2] Fix binder import path""

Browse source
This commit is contained in:
Treehugger Robot 2022-01-19 02:43:02 +00:00 committed by Gerrit Code Review
commit 23504a190e
11 changed files with 48 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
diced/src/error.rs
View file

@ -14,7 +14,9 @@
use android_security_dice::aidl::android::security::dice::ResponseCode::ResponseCode;
use anyhow::Result;
use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode};
use binder::{
public_api::Result as BinderResult, ExceptionCode, Status as BinderStatus, StatusCode,
};
use keystore2_selinux as selinux;
use std::ffi::CString;

4
diced/src/error_vendor.rs
View file

@ -14,7 +14,9 @@
use android_hardware_security_dice::aidl::android::hardware::security::dice::ResponseCode::ResponseCode;
use anyhow::Result;
use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode};
use binder::public_api::{
ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
};
use std::ffi::CString;
/// This is the error type for DICE HAL implementations. It wraps

2
diced/src/hal_node.rs
View file

@ -33,7 +33,7 @@ use android_hardware_security_dice::aidl::android::hardware::security::dice::{
InputValues::InputValues as BinderInputValues, Signature::Signature,
};
use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong};
use binder::public_api::{BinderFeatures, Result as BinderResult, Strong};
use dice::{ContextImpl, OpenDiceCborContext};
use diced_open_dice_cbor as dice;
use diced_utils as utils;

2
diced/src/lib.rs
View file

@ -30,7 +30,7 @@ use android_security_dice::aidl::android::security::dice::{
IDiceNode::IDiceNode, ResponseCode::ResponseCode,
};
use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong, ThreadState};
use binder::{public_api::Result as BinderResult, BinderFeatures, Strong, ThreadState};
pub use diced_open_dice_cbor as dice;
use error::{map_or_log_err, Error};
use keystore2_selinux as selinux;

2
diced/src/proxy_node_hal.rs
View file

@ -23,7 +23,7 @@ use android_hardware_security_dice::aidl::android::hardware::security::dice::{
InputValues::InputValues as BinderInputValues, Signature::Signature,
};
use anyhow::{Context, Result};
use binder::Strong;
use binder::public_api::Strong;
use std::collections::HashMap;
use std::sync::RwLock;

2
keystore2/src/authorization.rs
View file

@ -265,7 +265,7 @@ impl IKeystoreAuthorization for AuthorizationManager {
challenge: i64,
secure_user_id: i64,
auth_token_max_age_millis: i64,
) -> binder::Result<AuthorizationTokens> {
) -> binder::public_api::Result<AuthorizationTokens> {
let _wp = wd::watch_millis("IKeystoreAuthorization::getAuthTokensForCredStore", 500);
map_or_log_err(
self.get_auth_tokens_for_credstore(

4
keystore2/src/maintenance.rs
View file

@ -158,7 +158,7 @@ impl Maintenance {
fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
where
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
{
let (km_dev, _, _) = get_keymint_device(&sec_level)
.context("In call_with_watchdog: getting keymint device")?;
@ -172,7 +172,7 @@ impl Maintenance {
fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
where
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
{
let sec_levels = [
(SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),

14
keystore2/src/operation.rs
View file

@ -493,7 +493,7 @@ impl OperationDb {
/// owner uid and returns a new Operation wrapped in a `std::sync::Arc`.
pub fn create_operation(
&self,
km_op: binder::Strong<dyn IKeyMintOperation>,
km_op: binder::public_api::Strong<dyn IKeyMintOperation>,
owner: u32,
auth_info: AuthInfo,
forced: bool,
@ -771,7 +771,9 @@ impl KeystoreOperation {
/// BnKeystoreOperation proxy object. It also enables
/// `BinderFeatures::set_requesting_sid` on the new interface, because
/// we need it for checking Keystore permissions.
pub fn new_native_binder(operation: Arc<Operation>) -> binder::Strong<dyn IKeystoreOperation> {
pub fn new_native_binder(
operation: Arc<Operation>,
) -> binder::public_api::Strong<dyn IKeystoreOperation> {
BnKeystoreOperation::new_binder(
Self { operation: Mutex::new(Some(operation)) },
BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
@ -819,7 +821,7 @@ impl KeystoreOperation {
impl binder::Interface for KeystoreOperation {}
impl IKeystoreOperation for KeystoreOperation {
fn updateAad(&self, aad_input: &[u8]) -> binder::Result<()> {
fn updateAad(&self, aad_input: &[u8]) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::updateAad", 500);
map_or_log_err(
self.with_locked_operation(
@ -830,7 +832,7 @@ impl IKeystoreOperation for KeystoreOperation {
)
}
fn update(&self, input: &[u8]) -> binder::Result<Option<Vec<u8>>> {
fn update(&self, input: &[u8]) -> binder::public_api::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::update", 500);
map_or_log_err(
self.with_locked_operation(
@ -844,7 +846,7 @@ impl IKeystoreOperation for KeystoreOperation {
&self,
input: Option<&[u8]>,
signature: Option<&[u8]>,
) -> binder::Result<Option<Vec<u8>>> {
) -> binder::public_api::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::finish", 500);
map_or_log_err(
self.with_locked_operation(
@ -855,7 +857,7 @@ impl IKeystoreOperation for KeystoreOperation {
)
}
fn abort(&self) -> binder::Result<()> {
fn abort(&self) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::abort", 500);
map_err_with(
self.with_locked_operation(

16
keystore2/src/remote_provisioning.rs
View file

@ -489,7 +489,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
&self,
expired_by: i64,
sec_level: SecurityLevel,
) -> binder::Result<AttestationPoolStatus> {
) -> binder::public_api::Result<AttestationPoolStatus> {
let _wp = wd::watch_millis("IRemoteProvisioning::getPoolStatus", 500);
map_or_log_err(get_pool_status(expired_by, sec_level), Ok)
}
@ -503,7 +503,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
sec_level: SecurityLevel,
protected_data: &mut ProtectedData,
device_info: &mut DeviceInfo,
) -> binder::Result<Vec<u8>> {
) -> binder::public_api::Result<Vec<u8>> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateCsr", 500);
map_or_log_err(
self.generate_csr(
@ -526,7 +526,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
certs: &[u8],
expiration_date: i64,
sec_level: SecurityLevel,
) -> binder::Result<()> {
) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::provisionCertChain", 500);
map_or_log_err(
self.provision_cert_chain(public_key, batch_cert, certs, expiration_date, sec_level),
@ -534,17 +534,21 @@ impl IRemoteProvisioning for RemoteProvisioningService {
)
}
fn generateKeyPair(&self, is_test_mode: bool, sec_level: SecurityLevel) -> binder::Result<()> {
fn generateKeyPair(
&self,
is_test_mode: bool,
sec_level: SecurityLevel,
) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateKeyPair", 500);
map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok)
}
fn getImplementationInfo(&self) -> binder::Result<Vec<ImplInfo>> {
fn getImplementationInfo(&self) -> binder::public_api::Result<Vec<ImplInfo>> {
let _wp = wd::watch_millis("IRemoteProvisioning::getSecurityLevels", 500);
map_or_log_err(self.get_implementation_info(), Ok)
}
fn deleteAllKeys(&self) -> binder::Result<i64> {
fn deleteAllKeys(&self) -> binder::public_api::Result<i64> {
let _wp = wd::watch_millis("IRemoteProvisioning::deleteAllKeys", 500);
map_or_log_err(self.delete_all_keys(), Ok)
}

14
keystore2/src/security_level.rs
View file

@ -368,7 +368,7 @@ impl KeystoreSecurityLevel {
}
};
let op_binder: binder::Strong<dyn IKeystoreOperation> =
let op_binder: binder::public_api::Strong<dyn IKeystoreOperation> =
KeystoreOperation::new_native_binder(operation)
.as_binder()
.into_interface()
@ -985,7 +985,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
key: &KeyDescriptor,
operation_parameters: &[KeyParameter],
forced: bool,
) -> binder::Result<CreateOperationResponse> {
) -> binder::public_api::Result<CreateOperationResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::createOperation", 500);
map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
}
@ -996,7 +996,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
params: &[KeyParameter],
flags: i32,
entropy: &[u8],
) -> binder::Result<KeyMetadata> {
) -> binder::public_api::Result<KeyMetadata> {
// Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more
// time than other operations
let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000);
@ -1012,7 +1012,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
params: &[KeyParameter],
flags: i32,
key_data: &[u8],
) -> binder::Result<KeyMetadata> {
) -> binder::public_api::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importKey", 500);
let result = self.import_key(key, attestation_key, params, flags, key_data);
log_key_creation_event_stats(self.security_level, params, &result);
@ -1026,7 +1026,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
masking_key: Option<&[u8]>,
params: &[KeyParameter],
authenticators: &[AuthenticatorSpec],
) -> binder::Result<KeyMetadata> {
) -> binder::public_api::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importWrappedKey", 500);
let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
@ -1037,11 +1037,11 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
fn convertStorageKeyToEphemeral(
&self,
storage_key: &KeyDescriptor,
) -> binder::Result<EphemeralStorageKeyResponse> {
) -> binder::public_api::Result<EphemeralStorageKeyResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::convertStorageKeyToEphemeral", 500);
map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
}
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::deleteKey", 500);
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());

18
keystore2/src/service.rs
View file

@ -341,13 +341,13 @@ impl IKeystoreService for KeystoreService {
fn getSecurityLevel(
&self,
security_level: SecurityLevel,
) -> binder::Result<Strong<dyn IKeystoreSecurityLevel>> {
) -> binder::public_api::Result<Strong<dyn IKeystoreSecurityLevel>> {
let _wp = wd::watch_millis_with("IKeystoreService::getSecurityLevel", 500, move || {
format!("security_level: {}", security_level.0)
});
map_or_log_err(self.get_security_level(security_level), Ok)
}
fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::Result<KeyEntryResponse> {
fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
let _wp = wd::watch_millis("IKeystoreService::get_key_entry", 500);
map_or_log_err(self.get_key_entry(key), Ok)
}
@ -356,15 +356,19 @@ impl IKeystoreService for KeystoreService {
key: &KeyDescriptor,
public_cert: Option<&[u8]>,
certificate_chain: Option<&[u8]>,
) -> binder::Result<()> {
) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::updateSubcomponent", 500);
map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
}
fn listEntries(&self, domain: Domain, namespace: i64) -> binder::Result<Vec<KeyDescriptor>> {
fn listEntries(
&self,
domain: Domain,
namespace: i64,
) -> binder::public_api::Result<Vec<KeyDescriptor>> {
let _wp = wd::watch_millis("IKeystoreService::listEntries", 500);
map_or_log_err(self.list_entries(domain, namespace), Ok)
}
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::deleteKey", 500);
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
@ -375,11 +379,11 @@ impl IKeystoreService for KeystoreService {
key: &KeyDescriptor,
grantee_uid: i32,
access_vector: i32,
) -> binder::Result<KeyDescriptor> {
) -> binder::public_api::Result<KeyDescriptor> {
let _wp = wd::watch_millis("IKeystoreService::grant", 500);
map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
}
fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::Result<()> {
fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::ungrant", 500);
map_or_log_err(self.ungrant(key, grantee_uid), Ok)
}