From d0f7b356babbb3864791ea4e28bd3325c86a0210 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Thu, 27 Jan 2022 18:30:46 -0800
Subject: [PATCH] Modifying extraction tool to support P256.

This change alters the behavior of the factory extraction tool to query the underlying IRPC HAL implementation for which ECC curve it supports. The tool then chooses the correct corresponding production EEK chain based on that to pass back into the HAL implementation for CSR generation.

Bug: 215445120
Test: run the extraction tool
Change-Id: Ic80e38ec4c30eff970926ed269693ee1167b168c
---
 provisioner/Android.bp | 4 +++-
 provisioner/rkp_factory_extraction_tool.cpp | 20 ++++++++++++++------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index aac4878a..665a9e71 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -47,8 +47,10 @@ cc_binary {
 name: "rkp_factory_extraction_tool",
 vendor: true,
 srcs: ["rkp_factory_extraction_tool.cpp"],
+ defaults: [
+ "keymint_use_latest_hal_aidl_ndk_shared",
+ ],
 shared_libs: [
- "android.hardware.security.keymint-V1-ndk",
 "libbinder",
 "libbinder_ndk",
 "libcrypto",
diff --git a/provisioner/rkp_factory_extraction_tool.cpp b/provisioner/rkp_factory_extraction_tool.cpp
index 9786c3d1..c29bacbe 100644
--- a/provisioner/rkp_factory_extraction_tool.cpp
+++ b/provisioner/rkp_factory_extraction_tool.cpp
@@ -30,6 +30,7 @@ using aidl::android::hardware::security::keymint::DeviceInfo;
 using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
 using aidl::android::hardware::security::keymint::MacedPublicKey;
 using aidl::android::hardware::security::keymint::ProtectedData;
+using aidl::android::hardware::security::keymint::RpcHardwareInfo;
 using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
 using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
@@ -113,10 +114,10 @@ Array composeCertificateRequest(const ProtectedData& protectedData,
 return certificateRequest;
 }
 
-std::vector getEekChain() {
+std::vector getEekChain(uint32_t curve) {
 if (FLAGS_test_mode) {
 const std::vector kFakeEekId = {'f', 'a', 'k', 'e', 0};
- auto eekOrErr = generateEekChain(3 /* chainlength */, kFakeEekId);
+ auto eekOrErr = generateEekChain(curve, 3 /* chainlength */, kFakeEekId);
 if (!eekOrErr) {
 std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl;
 exit(-1);
@@ -128,7 +129,7 @@ std::vector getEekChain() {
 return eek;
 }
 
- return getProdEekChain();
+ return getProdEekChain(curve);
 }
 
 void writeOutput(const Array& csr) {
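Review bot: `getEekChain(uint32_t curve)` accepts any integer and forwards it unchanged to `generateEekChain` in the @@ -113 hunk and to `getProdEekChain` in the @@ -128 hunk, with nothing stating which values are meaningful. Because this value selects the key chain the CSR payload is encrypted to, I would document the contract on the function, e.g. `// curve: RpcHardwareInfo::CURVE_P256 or CURVE_25519, as reported by getHardwareInfo()`. I would also take `int32_t curve` so the parameter matches the AIDL `int` field it is fed from, rather than converting signed to unsigned silently at the call site. How the two remote_prov helpers treat an unexpected value is not visible in this diff. The function body spans these two hunks and the lines between them are not shown.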
@@ -169,9 +170,16 @@ void getCsrForInstance(const char* name, void* /*context*/) {
 std::vector emptyKeys;
 DeviceInfo verifiedDeviceInfo;
 ProtectedData protectedData;
- ::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest(
- FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData,
- &keysToSignMac);
+ RpcHardwareInfo hwInfo;
+ ::ndk::ScopedAStatus status = rkp_service->getHardwareInfo(&hwInfo);
+ if (!status.isOk()) {
+ std::cerr << "Failed to get hardware info for '" << fullName
+ << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
+ exit(-1);
+ }
+ status = rkp_service->generateCertificateRequest(
+ FLAGS_test_mode, emptyKeys, getEekChain(hwInfo.supportedEekCurve), challenge,
+ &verifiedDeviceInfo, &protectedData, &keysToSignMac);
 if (!status.isOk()) {
 std::cerr << "Bundle extraction failed for '" << fullName
 << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
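Review bot: `hwInfo.supportedEekCurve` is passed from the HAL straight into `getEekChain()` with no check, so a HAL that reports `CURVE_NONE` or an out-of-range value selects the EEK chain by whatever the remote_prov helpers do with that input, which this diff does not show. A factory tool should stop with a clear message rather than emit a CSR bundle built against an unintended chain; the check belongs between the `getHardwareInfo` status test and the `generateCertificateRequest` call. Separately, the new error path prints only `getServiceSpecificError()`, which presumably carries no information for a transport-level failure; `status.getDescription()` would cover both cases. `getCsrForInstance` starts and ends outside this hunk.

```cpp
    RpcHardwareInfo hwInfo;
    // … unchanged: getHardwareInfo() call and its status check …
    if (hwInfo.supportedEekCurve != RpcHardwareInfo::CURVE_P256 &&
        hwInfo.supportedEekCurve != RpcHardwareInfo::CURVE_25519) {
        std::cerr << "Unsupported EEK curve " << hwInfo.supportedEekCurve << " reported by '"
                  << fullName << "'." << std::endl;
        exit(-1);
    }
    status = rkp_service->generateCertificateRequest(
```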