tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Modifying extraction tool to support P256.

Browse source 
This change alters the behavior of the factory extraction tool to query
the underlying IRPC HAL implementation for which ECC curve it supports.
The tool then chooses the correct corresponding production EEK chain
based on that to pass back into the HAL implementation for CSR
generation.

Bug: 215445120
Test: run the extraction tool
Change-Id: Ic80e38ec4c30eff970926ed269693ee1167b168c
This commit is contained in:
Max Bires 2022-01-27 18:30:46 -08:00
parent aea5a6bea2
commit d0f7b356ba
2 changed files with 17 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
provisioner/Android.bp
View file

@ -47,8 +47,10 @@ cc_binary {
name: "rkp_factory_extraction_tool", name: "rkp_factory_extraction_tool",
vendor: true, vendor: true,
srcs: ["rkp_factory_extraction_tool.cpp"], srcs: ["rkp_factory_extraction_tool.cpp"],
defaults: [
"keymint_use_latest_hal_aidl_ndk_shared",
],
shared_libs: [ shared_libs: [
"android.hardware.security.keymint-V1-ndk",
"libbinder", "libbinder",
"libbinder_ndk", "libbinder_ndk",
"libcrypto", "libcrypto",

20
provisioner/rkp_factory_extraction_tool.cpp
View file

@ -30,6 +30,7 @@ using aidl::android::hardware::security::keymint::DeviceInfo;
using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent; using aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent;
using aidl::android::hardware::security::keymint::MacedPublicKey; using aidl::android::hardware::security::keymint::MacedPublicKey;
using aidl::android::hardware::security::keymint::ProtectedData; using aidl::android::hardware::security::keymint::ProtectedData;
using aidl::android::hardware::security::keymint::RpcHardwareInfo;
using aidl::android::hardware::security::keymint::remote_prov::generateEekChain; using aidl::android::hardware::security::keymint::remote_prov::generateEekChain;
using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain; using aidl::android::hardware::security::keymint::remote_prov::getProdEekChain;
using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild; using aidl::android::hardware::security::keymint::remote_prov::jsonEncodeCsrWithBuild;
@ -113,10 +114,10 @@ Array composeCertificateRequest(const ProtectedData& protectedData,
return certificateRequest; return certificateRequest;
} }
std::vector<uint8_t> getEekChain() { std::vector<uint8_t> getEekChain(uint32_t curve) {
if (FLAGS_test_mode) { if (FLAGS_test_mode) {
const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0}; const std::vector<uint8_t> kFakeEekId = {'f', 'a', 'k', 'e', 0};
auto eekOrErr = generateEekChain(3 /* chainlength */, kFakeEekId); auto eekOrErr = generateEekChain(curve, 3 /* chainlength */, kFakeEekId);
if (!eekOrErr) { if (!eekOrErr) {
std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl; std::cerr << "Failed to generate test EEK somehow: " << eekOrErr.message() << std::endl;
exit(-1); exit(-1);
@ -128,7 +129,7 @@ std::vector<uint8_t> getEekChain() {
return eek; return eek;
} }
return getProdEekChain(); return getProdEekChain(curve);
} }
void writeOutput(const Array& csr) { void writeOutput(const Array& csr) {
@ -169,9 +170,16 @@ void getCsrForInstance(const char* name, void* /*context*/) {
std::vector<MacedPublicKey> emptyKeys; std::vector<MacedPublicKey> emptyKeys;
DeviceInfo verifiedDeviceInfo; DeviceInfo verifiedDeviceInfo;
ProtectedData protectedData; ProtectedData protectedData;
::ndk::ScopedAStatus status = rkp_service->generateCertificateRequest( RpcHardwareInfo hwInfo;
FLAGS_test_mode, emptyKeys, getEekChain(), challenge, &verifiedDeviceInfo, &protectedData, ::ndk::ScopedAStatus status = rkp_service->getHardwareInfo(&hwInfo);
&keysToSignMac); if (!status.isOk()) {
std::cerr << "Failed to get hardware info for '" << fullName
<< "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;
exit(-1);
}
status = rkp_service->generateCertificateRequest(
FLAGS_test_mode, emptyKeys, getEekChain(hwInfo.supportedEekCurve), challenge,
&verifiedDeviceInfo, &protectedData, &keysToSignMac);
if (!status.isOk()) { if (!status.isOk()) {
std::cerr << "Bundle extraction failed for '" << fullName std::cerr << "Bundle extraction failed for '" << fullName
<< "'. Error code: " << status.getServiceSpecificError() << "." << std::endl; << "'. Error code: " << status.getServiceSpecificError() << "." << std::endl;