Merge "Allow attest to device properties"
This commit is contained in:
Treehugger Robot
Gerrit Code Review
commit
572c579ee3
1 changed files with 105 additions and 19 deletions
|
|
@ -961,21 +961,102 @@ Status KeyStoreService::getAuthTokenForCredstore(int64_t challenge, int64_t secu
|
|||
return Status::ok();
|
||||
}
|
||||
|
||||
bool isDeviceIdAttestationTag(Tag tag) {
|
||||
switch (tag) {
|
||||
case Tag::ATTESTATION_ID_BRAND:
|
||||
case Tag::ATTESTATION_ID_DEVICE:
|
||||
case Tag::ATTESTATION_ID_MANUFACTURER:
|
||||
case Tag::ATTESTATION_ID_MODEL:
|
||||
case Tag::ATTESTATION_ID_PRODUCT:
|
||||
case Tag::ATTESTATION_ID_IMEI:
|
||||
case Tag::ATTESTATION_ID_MEID:
|
||||
case Tag::ATTESTATION_ID_SERIAL:
|
||||
return true;
|
||||
case Tag::INVALID:
|
||||
case Tag::PURPOSE:
|
||||
case Tag::ALGORITHM:
|
||||
case Tag::KEY_SIZE:
|
||||
case Tag::BLOCK_MODE:
|
||||
case Tag::DIGEST:
|
||||
case Tag::PADDING:
|
||||
case Tag::CALLER_NONCE:
|
||||
case Tag::MIN_MAC_LENGTH:
|
||||
case Tag::EC_CURVE:
|
||||
case Tag::RSA_PUBLIC_EXPONENT:
|
||||
case Tag::INCLUDE_UNIQUE_ID:
|
||||
case Tag::BLOB_USAGE_REQUIREMENTS:
|
||||
case Tag::BOOTLOADER_ONLY:
|
||||
case Tag::ROLLBACK_RESISTANCE:
|
||||
case Tag::HARDWARE_TYPE:
|
||||
case Tag::ACTIVE_DATETIME:
|
||||
case Tag::ORIGINATION_EXPIRE_DATETIME:
|
||||
case Tag::USAGE_EXPIRE_DATETIME:
|
||||
case Tag::MIN_SECONDS_BETWEEN_OPS:
|
||||
case Tag::MAX_USES_PER_BOOT:
|
||||
case Tag::USER_ID:
|
||||
case Tag::USER_SECURE_ID:
|
||||
case Tag::NO_AUTH_REQUIRED:
|
||||
case Tag::USER_AUTH_TYPE:
|
||||
case Tag::AUTH_TIMEOUT:
|
||||
case Tag::ALLOW_WHILE_ON_BODY:
|
||||
case Tag::TRUSTED_USER_PRESENCE_REQUIRED:
|
||||
case Tag::TRUSTED_CONFIRMATION_REQUIRED:
|
||||
case Tag::UNLOCKED_DEVICE_REQUIRED:
|
||||
case Tag::APPLICATION_ID:
|
||||
case Tag::APPLICATION_DATA:
|
||||
case Tag::CREATION_DATETIME:
|
||||
case Tag::ORIGIN:
|
||||
case Tag::ROOT_OF_TRUST:
|
||||
case Tag::OS_VERSION:
|
||||
case Tag::OS_PATCHLEVEL:
|
||||
case Tag::UNIQUE_ID:
|
||||
case Tag::ATTESTATION_CHALLENGE:
|
||||
case Tag::ATTESTATION_APPLICATION_ID:
|
||||
case Tag::VENDOR_PATCHLEVEL:
|
||||
case Tag::BOOT_PATCHLEVEL:
|
||||
case Tag::ASSOCIATED_DATA:
|
||||
case Tag::NONCE:
|
||||
case Tag::MAC_LENGTH:
|
||||
case Tag::RESET_SINCE_ID_ROTATION:
|
||||
case Tag::CONFIRMATION_TOKEN:
|
||||
return false;
|
||||
// no default, all values must be present in the switch, in this way the compiler ensures
|
||||
// that new values added in the Tag enum are also added here.
|
||||
}
|
||||
}
|
||||
|
||||
// These are attestation id tags that are not unique per device and don't require special permission
|
||||
// to be attested. Any addition to this list needs privacy review and approval (PWG).
|
||||
bool isDevicePropertyAttestationTag(Tag tag) {
|
||||
switch (tag) {
|
||||
case Tag::ATTESTATION_ID_BRAND:
|
||||
case Tag::ATTESTATION_ID_DEVICE:
|
||||
case Tag::ATTESTATION_ID_MANUFACTURER:
|
||||
case Tag::ATTESTATION_ID_MODEL:
|
||||
case Tag::ATTESTATION_ID_PRODUCT:
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
|
||||
const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
|
||||
for (size_t i = 0; i < paramsVec.size(); ++i) {
|
||||
switch (paramsVec[i].tag) {
|
||||
case Tag::ATTESTATION_ID_BRAND:
|
||||
case Tag::ATTESTATION_ID_DEVICE:
|
||||
case Tag::ATTESTATION_ID_MANUFACTURER:
|
||||
case Tag::ATTESTATION_ID_MODEL:
|
||||
case Tag::ATTESTATION_ID_PRODUCT:
|
||||
case Tag::ATTESTATION_ID_IMEI:
|
||||
case Tag::ATTESTATION_ID_MEID:
|
||||
case Tag::ATTESTATION_ID_SERIAL:
|
||||
if (isDeviceIdAttestationTag(paramsVec[i].tag)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
}
|
||||
|
||||
// Device properties can be attested safely without special permission
|
||||
bool needsPermissionToAttestDeviceIds(const KeymasterArguments& params) {
|
||||
const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
|
||||
for (size_t i = 0; i < paramsVec.size(); ++i) {
|
||||
if (isDeviceIdAttestationTag(paramsVec[i].tag) &&
|
||||
!isDevicePropertyAttestationTag(paramsVec[i].tag)) {
|
||||
return true;
|
||||
default:
|
||||
continue;
|
||||
}
|
||||
}
|
||||
return false;
|
||||
|
|
@ -1055,14 +1136,19 @@ Status KeyStoreService::attestDeviceIds(
|
|||
}
|
||||
|
||||
uid_t callingUid = IPCThreadState::self()->getCallingUid();
|
||||
sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
|
||||
if (binder == nullptr) {
|
||||
return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
|
||||
}
|
||||
if (!interface_cast<IPermissionController>(binder)->checkPermission(
|
||||
String16("android.permission.READ_PRIVILEGED_PHONE_STATE"),
|
||||
IPCThreadState::self()->getCallingPid(), callingUid)) {
|
||||
return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
|
||||
|
||||
// Request special permission only for unique ids
|
||||
if (needsPermissionToAttestDeviceIds(params)) {
|
||||
sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
|
||||
if (binder == nullptr) {
|
||||
return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
|
||||
}
|
||||
|
||||
if (!interface_cast<IPermissionController>(binder)->checkPermission(
|
||||
String16("android.permission.READ_PRIVILEGED_PHONE_STATE"),
|
||||
IPCThreadState::self()->getCallingPid(), callingUid)) {
|
||||
return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
|
||||
}
|
||||
}
|
||||
|
||||
AuthorizationSet mutableParams = params.getParameters();
|
||||
|
|
|
|||
Loading…
Reference in a new issue