tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "rkp_factory_extraction_tool: append drm CSRs" into main

Browse source
This commit is contained in:
Treehugger Robot 2023-07-13 00:33:30 +00:00 committed by Gerrit Code Review
commit 3b2ded4544
2 changed files with 28 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
provisioner/Android.bp
View file

@ -29,18 +29,20 @@ cc_defaults {
"keymint_use_latest_hal_aidl_ndk_static",
],
shared_libs: [
"libbinder",
"libbinder_ndk",
"libcrypto",
"liblog",
],
static_libs: [
"android.hardware.common-V2-ndk",
"android.hardware.drm-V1-ndk",
"android.hardware.security.rkp-V3-ndk",
"libbase",
"libcppbor_external",
"libcppcose_rkp",
"libjsoncpp",
"libkeymint_remote_prov_support",
"libmediadrmrkp",
],
}
@ -90,7 +92,6 @@ cc_binary {
suffix: "64",
},
},
stl: "libc++_static",
target: {
android_arm: {
dist: {

35
provisioner/rkp_factory_extraction_tool.cpp
View file

@ -14,6 +14,7 @@
* limitations under the License.
*/
#include <aidl/android/hardware/drm/IDrmFactory.h>
#include <aidl/android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <android/binder_manager.h>
#include <cppbor.h>
@ -26,8 +27,10 @@
#include <string>
#include <vector>
#include "DrmRkpAdapter.h"
#include "rkp_factory_extraction_lib.h"
using aidl::android::hardware::drm::IDrmFactory;
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
@ -47,6 +50,10 @@ constexpr std::string_view kBinaryCsrOutput = "csr"; // Just the raw csr as
constexpr std::string_view kBuildPlusCsr = "build+csr"; // Text-encoded (JSON) build
// fingerprint plus CSR.
std::string getFullServiceName(const char* descriptor, const char* name) {
return std::string(descriptor) + "/" + name;
}
void writeOutput(const std::string instance_name, const Array& csr) {
if (FLAGS_output_format == kBinaryCsrOutput) {
auto bytes = csr.encode();
@ -67,12 +74,21 @@ void writeOutput(const std::string instance_name, const Array& csr) {
}
}
void getCsrForIRpc(const char* descriptor, const char* name, IRemotelyProvisionedComponent* irpc) {
auto [request, errMsg] = getCsr(name, irpc, FLAGS_self_test);
auto fullName = getFullServiceName(descriptor, name);
if (!request) {
std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
exit(-1);
}
writeOutput(std::string(name), *request);
}
// Callback for AServiceManager_forEachDeclaredInstance that writes out a CSR
// for every IRemotelyProvisionedComponent.
void getCsrForInstance(const char* name, void* /*context*/) {
const std::vector<uint8_t> challenge = generateChallenge();
auto fullName = std::string(IRemotelyProvisionedComponent::descriptor) + "/" + name;
auto fullName = getFullServiceName(IRemotelyProvisionedComponent::descriptor, name);
AIBinder* rkpAiBinder = AServiceManager_getService(fullName.c_str());
::ndk::SpAIBinder rkp_binder(rkpAiBinder);
auto rkp_service = IRemotelyProvisionedComponent::fromBinder(rkp_binder);
@ -81,13 +97,7 @@ void getCsrForInstance(const char* name, void* /*context*/) {
exit(-1);
}
auto [request, errMsg] = getCsr(name, rkp_service.get(), FLAGS_self_test);
if (!request) {
std::cerr << "Unable to build CSR for '" << fullName << ": " << errMsg << std::endl;
exit(-1);
}
writeOutput(std::string(name), *request);
getCsrForIRpc(IRemotelyProvisionedComponent::descriptor, name, rkp_service.get());
}
} // namespace
@ -98,5 +108,10 @@ int main(int argc, char** argv) {
AServiceManager_forEachDeclaredInstance(IRemotelyProvisionedComponent::descriptor,
/*context=*/nullptr, getCsrForInstance);
// Append drm csr's
for (auto const& e : android::mediadrm::getDrmRemotelyProvisionedComponents()) {
getCsrForIRpc(IDrmFactory::descriptor, e.first.c_str(), e.second.get());
}
return 0;
}