Merge "Revert "[keystore2] Fix binder import path""

Treehugger Robot 2022-01-19 02:43:02 +00:00 committed by Gerrit Code Review
commit 23504a190e
11 changed files with 48 additions and 34 deletions


@ -14,7 +14,9 @@
use android_security_dice::aidl::android::security::dice::ResponseCode::ResponseCode; use android_security_dice::aidl::android::security::dice::ResponseCode::ResponseCode;
use anyhow::Result; use anyhow::Result;
use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode}; use binder::{
public_api::Result as BinderResult, ExceptionCode, Status as BinderStatus, StatusCode,
};
use keystore2_selinux as selinux; use keystore2_selinux as selinux;
use std::ffi::CString; use std::ffi::CString;
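Review bot: The restored import in this section mixes two paths in one `use`: `Result` is taken from `binder::public_api`, while `ExceptionCode`, `Status` and `StatusCode` come from the crate root. The file in the next section (the DICE HAL error type) takes all four from `binder::public_api`. Both spellings appear in this commit, so presumably both resolve; choosing one keeps the two error modules parallel, e.g. `use binder::public_api::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode};`. The same mixed form appears in a later section as `use binder::{public_api::Result as BinderResult, BinderFeatures, Strong, ThreadState};`.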


@ -14,7 +14,9 @@
use android_hardware_security_dice::aidl::android::hardware::security::dice::ResponseCode::ResponseCode; use android_hardware_security_dice::aidl::android::hardware::security::dice::ResponseCode::ResponseCode;
use anyhow::Result; use anyhow::Result;
use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode}; use binder::public_api::{
ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
};
use std::ffi::CString; use std::ffi::CString;
/// This is the error type for DICE HAL implementations. It wraps /// This is the error type for DICE HAL implementations. It wraps


@ -33,7 +33,7 @@ use android_hardware_security_dice::aidl::android::hardware::security::dice::{
InputValues::InputValues as BinderInputValues, Signature::Signature, InputValues::InputValues as BinderInputValues, Signature::Signature,
}; };
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong}; use binder::public_api::{BinderFeatures, Result as BinderResult, Strong};
use dice::{ContextImpl, OpenDiceCborContext}; use dice::{ContextImpl, OpenDiceCborContext};
use diced_open_dice_cbor as dice; use diced_open_dice_cbor as dice;
use diced_utils as utils; use diced_utils as utils;


@ -30,7 +30,7 @@ use android_security_dice::aidl::android::security::dice::{
IDiceNode::IDiceNode, ResponseCode::ResponseCode, IDiceNode::IDiceNode, ResponseCode::ResponseCode,
}; };
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use binder::{BinderFeatures, Result as BinderResult, Strong, ThreadState}; use binder::{public_api::Result as BinderResult, BinderFeatures, Strong, ThreadState};
pub use diced_open_dice_cbor as dice; pub use diced_open_dice_cbor as dice;
use error::{map_or_log_err, Error}; use error::{map_or_log_err, Error};
use keystore2_selinux as selinux; use keystore2_selinux as selinux;


@ -23,7 +23,7 @@ use android_hardware_security_dice::aidl::android::hardware::security::dice::{
InputValues::InputValues as BinderInputValues, Signature::Signature, InputValues::InputValues as BinderInputValues, Signature::Signature,
}; };
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use binder::Strong; use binder::public_api::Strong;
use std::collections::HashMap; use std::collections::HashMap;
use std::sync::RwLock; use std::sync::RwLock;


@ -265,7 +265,7 @@ impl IKeystoreAuthorization for AuthorizationManager {
challenge: i64, challenge: i64,
secure_user_id: i64, secure_user_id: i64,
auth_token_max_age_millis: i64, auth_token_max_age_millis: i64,
) -> binder::Result<AuthorizationTokens> { ) -> binder::public_api::Result<AuthorizationTokens> {
let _wp = wd::watch_millis("IKeystoreAuthorization::getAuthTokensForCredStore", 500); let _wp = wd::watch_millis("IKeystoreAuthorization::getAuthTokensForCredStore", 500);
map_or_log_err( map_or_log_err(
self.get_auth_tokens_for_credstore( self.get_auth_tokens_for_credstore(


@ -158,7 +158,7 @@ impl Maintenance {
fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()> fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
where where
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>, F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
{ {
let (km_dev, _, _) = get_keymint_device(&sec_level) let (km_dev, _, _) = get_keymint_device(&sec_level)
.context("In call_with_watchdog: getting keymint device")?; .context("In call_with_watchdog: getting keymint device")?;
@ -172,7 +172,7 @@ impl Maintenance {
fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()> fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
where where
F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>, F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
{ {
let sec_levels = [ let sec_levels = [
(SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"), (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),


@ -493,7 +493,7 @@ impl OperationDb {
/// owner uid and returns a new Operation wrapped in a `std::sync::Arc`. /// owner uid and returns a new Operation wrapped in a `std::sync::Arc`.
pub fn create_operation( pub fn create_operation(
&self, &self,
km_op: binder::Strong<dyn IKeyMintOperation>, km_op: binder::public_api::Strong<dyn IKeyMintOperation>,
owner: u32, owner: u32,
auth_info: AuthInfo, auth_info: AuthInfo,
forced: bool, forced: bool,
@ -771,7 +771,9 @@ impl KeystoreOperation {
/// BnKeystoreOperation proxy object. It also enables /// BnKeystoreOperation proxy object. It also enables
/// `BinderFeatures::set_requesting_sid` on the new interface, because /// `BinderFeatures::set_requesting_sid` on the new interface, because
/// we need it for checking Keystore permissions. /// we need it for checking Keystore permissions.
pub fn new_native_binder(operation: Arc<Operation>) -> binder::Strong<dyn IKeystoreOperation> { pub fn new_native_binder(
operation: Arc<Operation>,
) -> binder::public_api::Strong<dyn IKeystoreOperation> {
BnKeystoreOperation::new_binder( BnKeystoreOperation::new_binder(
Self { operation: Mutex::new(Some(operation)) }, Self { operation: Mutex::new(Some(operation)) },
BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() }, BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
@ -819,7 +821,7 @@ impl KeystoreOperation {
impl binder::Interface for KeystoreOperation {} impl binder::Interface for KeystoreOperation {}
impl IKeystoreOperation for KeystoreOperation { impl IKeystoreOperation for KeystoreOperation {
fn updateAad(&self, aad_input: &[u8]) -> binder::Result<()> { fn updateAad(&self, aad_input: &[u8]) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::updateAad", 500); let _wp = wd::watch_millis("IKeystoreOperation::updateAad", 500);
map_or_log_err( map_or_log_err(
self.with_locked_operation( self.with_locked_operation(
@ -830,7 +832,7 @@ impl IKeystoreOperation for KeystoreOperation {
) )
} }
fn update(&self, input: &[u8]) -> binder::Result<Option<Vec<u8>>> { fn update(&self, input: &[u8]) -> binder::public_api::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::update", 500); let _wp = wd::watch_millis("IKeystoreOperation::update", 500);
map_or_log_err( map_or_log_err(
self.with_locked_operation( self.with_locked_operation(
@ -844,7 +846,7 @@ impl IKeystoreOperation for KeystoreOperation {
&self, &self,
input: Option<&[u8]>, input: Option<&[u8]>,
signature: Option<&[u8]>, signature: Option<&[u8]>,
) -> binder::Result<Option<Vec<u8>>> { ) -> binder::public_api::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::finish", 500); let _wp = wd::watch_millis("IKeystoreOperation::finish", 500);
map_or_log_err( map_or_log_err(
self.with_locked_operation( self.with_locked_operation(
@ -855,7 +857,7 @@ impl IKeystoreOperation for KeystoreOperation {
) )
} }
fn abort(&self) -> binder::Result<()> { fn abort(&self) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::abort", 500); let _wp = wd::watch_millis("IKeystoreOperation::abort", 500);
map_err_with( map_err_with(
self.with_locked_operation( self.with_locked_operation(


@ -489,7 +489,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
&self, &self,
expired_by: i64, expired_by: i64,
sec_level: SecurityLevel, sec_level: SecurityLevel,
) -> binder::Result<AttestationPoolStatus> { ) -> binder::public_api::Result<AttestationPoolStatus> {
let _wp = wd::watch_millis("IRemoteProvisioning::getPoolStatus", 500); let _wp = wd::watch_millis("IRemoteProvisioning::getPoolStatus", 500);
map_or_log_err(get_pool_status(expired_by, sec_level), Ok) map_or_log_err(get_pool_status(expired_by, sec_level), Ok)
} }
@ -503,7 +503,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
sec_level: SecurityLevel, sec_level: SecurityLevel,
protected_data: &mut ProtectedData, protected_data: &mut ProtectedData,
device_info: &mut DeviceInfo, device_info: &mut DeviceInfo,
) -> binder::Result<Vec<u8>> { ) -> binder::public_api::Result<Vec<u8>> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateCsr", 500); let _wp = wd::watch_millis("IRemoteProvisioning::generateCsr", 500);
map_or_log_err( map_or_log_err(
self.generate_csr( self.generate_csr(
@ -526,7 +526,7 @@ impl IRemoteProvisioning for RemoteProvisioningService {
certs: &[u8], certs: &[u8],
expiration_date: i64, expiration_date: i64,
sec_level: SecurityLevel, sec_level: SecurityLevel,
) -> binder::Result<()> { ) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::provisionCertChain", 500); let _wp = wd::watch_millis("IRemoteProvisioning::provisionCertChain", 500);
map_or_log_err( map_or_log_err(
self.provision_cert_chain(public_key, batch_cert, certs, expiration_date, sec_level), self.provision_cert_chain(public_key, batch_cert, certs, expiration_date, sec_level),
@ -534,17 +534,21 @@ impl IRemoteProvisioning for RemoteProvisioningService {
) )
} }
fn generateKeyPair(&self, is_test_mode: bool, sec_level: SecurityLevel) -> binder::Result<()> { fn generateKeyPair(
&self,
is_test_mode: bool,
sec_level: SecurityLevel,
) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateKeyPair", 500); let _wp = wd::watch_millis("IRemoteProvisioning::generateKeyPair", 500);
map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok) map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok)
} }
fn getImplementationInfo(&self) -> binder::Result<Vec<ImplInfo>> { fn getImplementationInfo(&self) -> binder::public_api::Result<Vec<ImplInfo>> {
let _wp = wd::watch_millis("IRemoteProvisioning::getSecurityLevels", 500); let _wp = wd::watch_millis("IRemoteProvisioning::getSecurityLevels", 500);
map_or_log_err(self.get_implementation_info(), Ok) map_or_log_err(self.get_implementation_info(), Ok)
} }
fn deleteAllKeys(&self) -> binder::Result<i64> { fn deleteAllKeys(&self) -> binder::public_api::Result<i64> {
let _wp = wd::watch_millis("IRemoteProvisioning::deleteAllKeys", 500); let _wp = wd::watch_millis("IRemoteProvisioning::deleteAllKeys", 500);
map_or_log_err(self.delete_all_keys(), Ok) map_or_log_err(self.delete_all_keys(), Ok)
} }
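Review bot: The watchdog label in `getImplementationInfo` is `"IRemoteProvisioning::getSecurityLevels"`, which does not match the method it guards; the other labels in this section name their own method. The line is unchanged context that the revert carries along. If the label is what the watchdog reports on a 500 ms overrun (inferred from the call, not visible here), a stall in this path would be attributed to a different name during triage. Suggested: `let _wp = wd::watch_millis("IRemoteProvisioning::getImplementationInfo", 500);`. The `getKeyEntry` label in the IKeystoreService section, `"IKeystoreService::get_key_entry"`, likewise departs from the camelCase names used by its neighbours.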


@ -368,7 +368,7 @@ impl KeystoreSecurityLevel {
} }
}; };
let op_binder: binder::Strong<dyn IKeystoreOperation> = let op_binder: binder::public_api::Strong<dyn IKeystoreOperation> =
KeystoreOperation::new_native_binder(operation) KeystoreOperation::new_native_binder(operation)
.as_binder() .as_binder()
.into_interface() .into_interface()
@ -985,7 +985,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
key: &KeyDescriptor, key: &KeyDescriptor,
operation_parameters: &[KeyParameter], operation_parameters: &[KeyParameter],
forced: bool, forced: bool,
) -> binder::Result<CreateOperationResponse> { ) -> binder::public_api::Result<CreateOperationResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::createOperation", 500); let _wp = self.watch_millis("IKeystoreSecurityLevel::createOperation", 500);
map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok) map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
} }
@ -996,7 +996,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
params: &[KeyParameter], params: &[KeyParameter],
flags: i32, flags: i32,
entropy: &[u8], entropy: &[u8],
) -> binder::Result<KeyMetadata> { ) -> binder::public_api::Result<KeyMetadata> {
// Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more // Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more
// time than other operations // time than other operations
let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000); let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000);
@ -1012,7 +1012,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
params: &[KeyParameter], params: &[KeyParameter],
flags: i32, flags: i32,
key_data: &[u8], key_data: &[u8],
) -> binder::Result<KeyMetadata> { ) -> binder::public_api::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importKey", 500); let _wp = self.watch_millis("IKeystoreSecurityLevel::importKey", 500);
let result = self.import_key(key, attestation_key, params, flags, key_data); let result = self.import_key(key, attestation_key, params, flags, key_data);
log_key_creation_event_stats(self.security_level, params, &result); log_key_creation_event_stats(self.security_level, params, &result);
@ -1026,7 +1026,7 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
masking_key: Option<&[u8]>, masking_key: Option<&[u8]>,
params: &[KeyParameter], params: &[KeyParameter],
authenticators: &[AuthenticatorSpec], authenticators: &[AuthenticatorSpec],
) -> binder::Result<KeyMetadata> { ) -> binder::public_api::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importWrappedKey", 500); let _wp = self.watch_millis("IKeystoreSecurityLevel::importWrappedKey", 500);
let result = let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators); self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
@ -1037,11 +1037,11 @@ impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
fn convertStorageKeyToEphemeral( fn convertStorageKeyToEphemeral(
&self, &self,
storage_key: &KeyDescriptor, storage_key: &KeyDescriptor,
) -> binder::Result<EphemeralStorageKeyResponse> { ) -> binder::public_api::Result<EphemeralStorageKeyResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::convertStorageKeyToEphemeral", 500); let _wp = self.watch_millis("IKeystoreSecurityLevel::convertStorageKeyToEphemeral", 500);
map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok) map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
} }
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> { fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::deleteKey", 500); let _wp = self.watch_millis("IKeystoreSecurityLevel::deleteKey", 500);
let result = self.delete_key(key); let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok()); log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());


@ -341,13 +341,13 @@ impl IKeystoreService for KeystoreService {
fn getSecurityLevel( fn getSecurityLevel(
&self, &self,
security_level: SecurityLevel, security_level: SecurityLevel,
) -> binder::Result<Strong<dyn IKeystoreSecurityLevel>> { ) -> binder::public_api::Result<Strong<dyn IKeystoreSecurityLevel>> {
let _wp = wd::watch_millis_with("IKeystoreService::getSecurityLevel", 500, move || { let _wp = wd::watch_millis_with("IKeystoreService::getSecurityLevel", 500, move || {
format!("security_level: {}", security_level.0) format!("security_level: {}", security_level.0)
}); });
map_or_log_err(self.get_security_level(security_level), Ok) map_or_log_err(self.get_security_level(security_level), Ok)
} }
fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::Result<KeyEntryResponse> { fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
let _wp = wd::watch_millis("IKeystoreService::get_key_entry", 500); let _wp = wd::watch_millis("IKeystoreService::get_key_entry", 500);
map_or_log_err(self.get_key_entry(key), Ok) map_or_log_err(self.get_key_entry(key), Ok)
} }
@ -356,15 +356,19 @@ impl IKeystoreService for KeystoreService {
key: &KeyDescriptor, key: &KeyDescriptor,
public_cert: Option<&[u8]>, public_cert: Option<&[u8]>,
certificate_chain: Option<&[u8]>, certificate_chain: Option<&[u8]>,
) -> binder::Result<()> { ) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::updateSubcomponent", 500); let _wp = wd::watch_millis("IKeystoreService::updateSubcomponent", 500);
map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok) map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
} }
fn listEntries(&self, domain: Domain, namespace: i64) -> binder::Result<Vec<KeyDescriptor>> { fn listEntries(
&self,
domain: Domain,
namespace: i64,
) -> binder::public_api::Result<Vec<KeyDescriptor>> {
let _wp = wd::watch_millis("IKeystoreService::listEntries", 500); let _wp = wd::watch_millis("IKeystoreService::listEntries", 500);
map_or_log_err(self.list_entries(domain, namespace), Ok) map_or_log_err(self.list_entries(domain, namespace), Ok)
} }
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> { fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::deleteKey", 500); let _wp = wd::watch_millis("IKeystoreService::deleteKey", 500);
let result = self.delete_key(key); let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok()); log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
@ -375,11 +379,11 @@ impl IKeystoreService for KeystoreService {
key: &KeyDescriptor, key: &KeyDescriptor,
grantee_uid: i32, grantee_uid: i32,
access_vector: i32, access_vector: i32,
) -> binder::Result<KeyDescriptor> { ) -> binder::public_api::Result<KeyDescriptor> {
let _wp = wd::watch_millis("IKeystoreService::grant", 500); let _wp = wd::watch_millis("IKeystoreService::grant", 500);
map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok) map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
} }
fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::Result<()> { fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::ungrant", 500); let _wp = wd::watch_millis("IKeystoreService::ungrant", 500);
map_or_log_err(self.ungrant(key, grantee_uid), Ok) map_or_log_err(self.ungrant(key, grantee_uid), Ok)
} }