Commit graph

58 commits

Author SHA1 Message Date
Rajesh Nyamagoud
3f6c15c656 Restructuring of AAID using aidl_interface build system.
Making changes to use cpp backend generated by aidl_interface
build system for KeyAttestationApplicationProvider.
Removed custom parcelables defined for AAID.
Updated the tests to use the aidl_interface generated bindings.

Bug: 267452060
Test: atest android.keystore.cts.KeyAttestationTest; atest
keystore_unit_tests; keystoreSignature_fuzzer;
keystorePackageInfo_fuzzer; keystoreApplicationId_fuzzer;
keystoreAttestationId_fuzzer

Change-Id: Ibdfb8e2837538d01a04b6771b1a71c38529d1307
2023-10-06 04:23:41 +00:00
Alix
cb159ffa9f Deleted clang property in Android.bp files
Deleted deprecated clang property in Android.bp files using bpmodify.

Bug: 208980553
Test: treehugger
Change-Id: Id79d4e319ffc7d45b508772ae0df2e43bd22bf8f
2022-04-25 21:04:48 +00:00
David Drysdale
c4e0d5bed1 Use defaults to reference current keystore AIDL
The KeyMint HAL will soon be updated for a new version, which will in
turn induce a version bump for the keystore2 AIDL interface. To make
this process easier, add cc_defaults that references the "current"
version, and use this elsewhere. This should hopefully mean that a
future version bump only needs to happen in the defaults.

Test: TreeHugger
Change-Id: I8999de92443fd121a9515dccde8d76094dc93023
2021-12-02 08:19:40 +00:00
Aditya Wazir
4f33d5e290 libkeystore-attestation-application-id: Updated Android.bp
Updated Android.bp to build both static and shared library

Test: Build libkeystore-attestation-application-id
Bug: 187131475

Change-Id: Ica9710a701db0cd4fdc07c67514510f8305eb0ef
2021-11-02 21:40:00 +00:00
Treehugger Robot
4181f76592 Merge "Revert "libkeystore-wifi-hidl: Updated to vendor_available:true""
2021-09-02 17:17:32 +00:00
Aditya Vasu Wazir
40353d8f97 Revert "libkeystore-wifi-hidl: Updated to vendor_available:true"
This reverts commit 64ce92520d.

Reason for revert: 'vendor_available:true' is no longer required

Change-Id: I9430bc9744bf7af91bf9a0b7faf6e553c273d3b1
2021-09-02 11:05:53 +00:00
Jiyong Park
0d61dd6c3a Remove ndk_platform backend. Use the ndk backend.
The ndk_platform backend will soon be deprecated because the ndk backend
can serve the same purpose. This is to eliminate the confusion about
having two variants (ndk and ndk_platform) for the same 'ndk' backend.

Bug: 161456198
Test: m
Change-Id: Ibeb4178f99857be75bb5f83a073a2d679058d921
2021-07-27 12:20:26 +09:00
Aditya Wazir
64ce92520d libkeystore-wifi-hidl: Updated to vendor_available:true
Updated libkeystore-wifi-hidl from 'vendor: true' to 'vendor_available: true'

Test: Build libkeystore-wifi-hidl
Bug: 187130384

Change-Id: Ifba05b57248f52ac33e297acd5d0b7811e3524ee
2021-06-11 11:06:26 +05:30
Aditya Wazir
f6c3bfc428 libkeystore-wifi-hidl: Updated Android.bp
Updated Android.bp to build both static and shared library

Test: Build libkeystore-wifi-hidl
Bug: 187130384

Change-Id: Idd0f35fc33a224c598fc3e96f11f88cacf5c9aba
2021-06-11 11:06:10 +05:30
Janis Danisevskis
2437fde7a6 Keystore 2.0: Remove Keystore 1.0 and remaining references
* Remove superseded keystore engine backends.
* Remove keystore_cli.
* Update keystore_cli_v2 to use Keystore 2.0.
* Update confirmationui invocation test.
* Remove reference to enable keystore2 property from keystore2.rc.

Test: N/A
Bug: 171305684

Change-Id: I855dead9d95c2c8cfa451944087bc8290871c0e5
2021-03-22 14:34:45 -07:00
Bob Badour
4c7858c848 [LSC] Add LOCAL_LICENSE_KINDS to system/security
Added SPDX-license-identifier-Apache-2.0 to:
  fsverity_init/Android.bp
  identity/Android.bp
  keystore/tests/Android.bp
  keystore2/Android.bp
  keystore2/aaid/Android.bp
  keystore2/aidl/Android.bp
  keystore2/apc_compat/Android.bp
  keystore2/selinux/Android.bp
  keystore2/src/crypto/Android.bp
  keystore2/src/km_compat/Android.bp
  ondevice-signing/Android.bp
  provisioner/Android.bp

Added SPDX-license-identifier-Apache-2.0 SPDX-license-identifier-BSD to:
  Android.bp
  keystore/Android.bp

Added SPDX-license-identifier-BSD to:
  keystore-engine/Android.bp

Bug: 68860345
Bug: 151177513
Bug: 151953481

Test: m all

Exempt-From-Owner-Approval: janitorial work
Change-Id: Ic9e19695bd19c3f127dfd545df60e4c9df89af77
2021-02-14 10:37:25 -08:00
Hasini Gunasinghe
8c8c2d4676 Log keystore key attestation events using statsd.
This is the third CL on sending keystore logging to statsd.
This creates the logs for key attestation events.
Test: Adding tests for logging is yet to be decided.
Bug: 157664923
Merged-In: I412ac59fd6bb2dbcb380f8579740d02ce2fd8790
Change-Id: I16cac8c4ee950adc330659dcb648052e8b2b41a2
2020-08-12 16:19:11 +00:00
Hasini Gunasinghe
242460eac7 Log keystore key operation events using statsd.
This is the second CL on migrating keystore logging to statsd.
This migrates the logging for key operation events.
Three new ResponseCodes are added for the logging purpose of the
	abort operations.

Test: Adding tests for logging is yet to be decided.
Change-Id: Iede72341b0f4c80199c9e16cef96a5d98bca8754
Merged-In: I68c1d89beeb733e4b6ba493b8d95935b7e73df60
2020-08-12 15:11:11 +00:00
Hasini Gunasinghe
4e55c2f279 Log keystore key creation events using statsd.
This is the first CL on migrating keystore logging to use statsd.
This migrates the logging for key creation events
	(generation/import).
A work-around is implemented to handle repeated fields via bitmaps
	because statsd does not support repeated fields as of now.

Test: Adding tests for logging is yet to be decided.
Bug: 157664923
Change-Id: Id23724cfbd21dca8ef5fd77e5712c0bc2e727f4b
Merged-In: Id23724cfbd21dca8ef5fd77e5712c0bc2e727f4b
2020-08-06 13:52:36 -07:00
David Zeuthen
59102f388f keystore: Pass verification token to credstore along with requested auth token.
This is needed because the Secure Areas backing the Identity
Credential HAL may exist in a different environment from where the
auth token is minted. In this case, the Secure Area needs a
verification token to make sense of the timestamp in the auth token.

Getting a verification token is an asynchronous operation so change
the binder method used by credstore to be asynchronous as well.

Bug: 156076333
Test: atest VtsHalIdentityTargetTest
Test: atest android.security.identity.cts
Change-Id: Id6cb6812a31d968069b7d72bd2b39b512d38d241
2020-05-08 11:30:49 -04:00
Shawn Willden
a97aea4040 Update keystore to use KM4.1.
This is the first part of the update, adjusting keystore to use the
KM4.1 interface, but not call any of the new methods.  That will come
in a subsequent CL.

Test: CtsKeystoreTestCases
Change-Id: Ib7486aad46c144471a1607eec31b8df1059a511d
Merged-In: Ib7486aad46c144471a1607eec31b8df1059a511d
2020-02-11 15:51:04 -07:00
David Zeuthen
f2a28671b0 Factor keystore_attestation_id into library and also use this in credstore.
This was needed because credstore needs to generate and pass the
generated AttestationApplicationId to the Identity Credential HAL.

Bug: 111446262
Test: atest android.security.identity.cts
Test: VtsHalIdentityCredentialTargetTest
Test: android.hardware.identity-support-lib-test
Change-Id: Id22b85ca083e23c7e1fbd3459910fba37a5db137
2020-01-31 16:23:30 -05:00
Roshan Pius
2650acc912 keystore: Move wifi keystore HAL service out
Also, removed the mutex added to protect keystore service internals
from synchronous HIDL calls.

Bug: 142969896
Test: Verified connecting to passpoint networks.
Change-Id: Iffb7dc6bbde6d205519ffdafeb0bd53fbc5611b1
Merged-In: Iffb7dc6bbde6d205519ffdafeb0bd53fbc5611b1
2019-10-28 14:03:16 -07:00
Steven Moreland
de99a52dc4 Remove libhwbinder/libhidltransport deps
Since these were combined into libhidlbase.

Bug: 135686713
Test: build only (libhwbinder/libhidltransport are empty)
Change-Id: I940228446b6f5b747399b408ad9af652ac618fda
2019-09-05 14:18:17 -07:00
bohu
cccab483c1 disable implicit-signed-integer-truncation sanitizer in keystore
It is crashing keystore

BUG: 123630767
Change-Id: I66f91286cc643a0e4a5e72716def13ba21b098a8
2019-02-01 11:47:14 -08:00
Branden Archer
84e7231d73 Grant VTS tests all permissions in keystore on userdebug/eng
A VTS test for the Wifi Keystore HAL is being created. The test
is run as root and attempts various operations that directly
use the Keystore service. By default that test will not be
able to perform necessary actions to exercise the HAL code,
such as creating keys for tests.

This change will enable the root user to perform all key
operations, but only on userdebug and eng builds. In addition,
the root user will be able to perform actions on behalf of the
wifi user; this is necessary as some operations in the Wifi
Keystore HAL assume the wifi user.

Bug: 120182820
Test: atest system/hardware/interfaces/wifi/keystore/1.0/vts/
      functional/VtsHalWifiKeystoreV1_0TargetTest.cpp

Change-Id: Ic6eb5748e0e19b64a44c4bdf88a7074f7367db3d
2019-01-29 11:16:53 -08:00
Treehugger Robot
91df8c0c63 Merge changes from topic "keystore-niap"
* changes:
  Increase the master key size to 256 bits
  Use vector to pass around keys
  Use SHA256 for 32 byte keys
  Replace Entropy with RAND_bytes
2019-01-11 16:59:09 +00:00
Branden Archer
44d1afa2c0 Replace Entropy with RAND_bytes
/dev/urandom is not an approved random number generator
for NIAP certification. Changing to use BoringSSL's
RAND_bytes(), which is approved.

Bug: 121272336
Test: Ran Keystore CTS tests against Walleye
Change-Id: I579d140ef56c90b477b0d8989e3b02375681aee8
2018-12-28 10:19:15 -08:00
Elliott Hughes
f1d336b64e C++17 is now the default.
Test: builds
Change-Id: Ib96ce1db95dfef6d2b5a269ee47dbd0a89650bc4
2018-12-05 19:48:42 -08:00
Eran Messeri
2ba77c303c KeyStore: Fix key name decoding
The key name is encoded into the filename containing the (encrypted) key
material.

Since the key name might contain characters that are not valid in a
filename, the name is encoded using a multi-character custom encoding
scheme.

However, the decoding function did not decode the key name correctly -
in particular, spaces were decoded to 'P', causing CtsVerifier tests
that install a key with a space in the name to fail (due to internal
inconsistency between the key names in KeyChain's DB and key names
obtained from Keystore).

Fix by correctly compensating for the "carrier" character.

Test: atest keystore_unit_tests
Bug: 116716944
Change-Id: I0326a9d9e6912b04bb13b3b350ead8ddcfcc12f8
2018-12-04 12:35:27 +00:00
Rob Barnes
bb6cabdaa1 Multi-threaded keystore
This patch changes the keystore to use the asynchronous API model for
begin, update, finish, and abort.

Also removes unused class KeystoreArguments (aidl and implementation).

Test: Keystore CTS tests
Bug: 111443219

Change-Id: Icc6def9ff6dbe32193272d7d015079a006ebc430
2018-11-14 14:01:45 -08:00
Janis Danisevskis
ff3d7f4b83 Multithreaded Keystore
This patch transitions keystore to a threading model with one dispatcher
thread and one worker thread per keymaster instance, i.e. fallback, TEE,
Strongbox (if available). Singleton objects, such as the user state
database, the enforcement policy, and grant database have been moved to
KeyStore and were made concurrency safe.
Other noteworthy changes in this patch:

* Cached key characteristics. The key characteristics file used to hold
  a limited set of parameters used to generate or import the key. This
  patch introduces a new blob type that holds full characteristics as
  returned by generate, import, or getKeyCharacteristics, with the
  original parameters mixed into the software enforced list. When
  keystore encounters a legacy characteristics file it will grab the
  characteristics from keymaster, merge them with the cached parameters,
  and update the cache file to the new format. If keystore encounters
  the new cache no call to keymaster will be made for retrieving the
  key characteristics.
* Changed semantic of list. The list call takes a prefix used for
  filtering key entries. By the old semantic, list would return a list
  of aliases stripped of the given prefix. By the new semantic list
  always returns a filtered list of full alias string. Callers may
  strip prefixes if they are so inclined.
* Entertain per keymaster instance operation maps. With the introduction
  of Strongbox keystore had to deal with multiple keymaster instances.
  But until now it would entertain a single operations map. Keystore
  also enforces the invariant that no more than 15 operation slots are
  used so there is always a free slot available for vold. With a single
  operation map, this means no more than 15 slots can ever be used
  although with TEE and Strongbox there are a total of 32 slots. With
  Strongbox implementations that have significantly fewer slots we see
  another effect of the single operation map. If a slot needs to be
  freed on Strongbox but the oldest operations are on TEE, the latter
  will be unnecessarily pruned before a Strongbox slot is freed up.
  With this patch each keymaster instance has its own operation map and
  pruning is performed on a per keymaster instance basis.
* Introduce KeyBlobEntries which are independent from files. To allow
  concurrent access to the key blob data base, entries can be
  individually locked so that operations on entries become atomic.
  LockedKeyBlobEntries are move only objects that track ownership of an
  Entry on the stack or in functor object representing keymaster worker
  requests. Entries must only be locked by the dispatcher Thread. Worker
  threads can only be granted access to a LockedKeyBlobEntry by the
  dispatcher thread. This allows the dispatcher thread to execute a
  barrier that waits until all locks held by workers have been
  relinquished to perform blob database maintenance operations, e.g.,
  clearing a uid of all entries.
* Verification tokens are now acquired asynchronously. When a begin
  operation requires a verification token a request is submitted to the
  other keymaster worker while the begin call returns. When the
  operation commences with update or finish, we block until the
  verification token becomes available.

As of this patch the keystore IPC interface is still synchronous. That
is, the dispatcher thread dispatches a request to a worker and then
waits until the worker has finished. In a followup patch the IPC
interface shall be made asynchronous so that multiple requests may be in
flight.

Test: Ran full CTS test suite
      atest android.keystore.cts
Bug: 111443219
Bug: 110495056
Change-Id: I305e28d784295a0095a34810d83202f7423498bd
2018-10-31 14:31:26 -07:00
Dan Willemsen
418db44676 Match src paths with aidl package name
In order for the build system to track updates to the header files
during incremental builds, always specify the src files using the same
path as the package for C++ compilations.

Bug: 112114177
Test: m
Change-Id: Ia82483523a9398ad597ee128faffa2b4b1927f0d
2018-09-14 21:28:12 -07:00
Brian Claire Young
3133c45b12 Use correct call to get Android user ID
Rather than trying to store the active user ID, use
multiuser_get_user_id to pull the actual ID for the caller. This will
now behave correctly when called by background processes.

Test: CtsKeystoreTestCases, from both owner and guest users
Bug: 113280004
Change-Id: I73fd2ef2ac4b1ceb7ec3792761e827d801d0d905
2018-09-07 11:22:35 -07:00
Eran Messeri
03fc4c8769 KeyStore: Limit the Attestation Application ID
Limit the size of the Application ID attestation vector _prior_ to
sending it for attestation by Keymaster.
Previously, the Attestation Application ID vector would be DER-encoded
to contain all packages belonging to the caller UID, and only then
truncated to the max value that could be sent to Keymaster (1K),
potentially resulting in malformed DER-encoded data.

This makes clients' lives hard, as they would have to deal with
malformed DER, and breaks CTS tests that expect to parse this field in
the attestation record, when the device has too many packages running on
the system UID.

This change limits the size of the DER-encoded vector that would be
passed into Keymaster by estimating the encoded size and refraining from
adding any more package information into it if it'd exceed 1K when
encoded.

Also, cope with PackageManager failure to provide the list of packages.

Merged-In: I39ab9338922f7be358d27e1b2dae5d0a36009109

Test: keystore_unit_tests (adb pushed to /data/local/tmp, then: LD_LIBRARY_PATH=/data/local/tmp /data/local/tmp/keystore_unit_tests)
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts/KeyAttestationTest.java
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Bug: 112179406
Bug: 112061724
Bug: 111260028
Change-Id: I0759a632fbf678814f6b1c258f0b2e2524edb85c
2018-08-16 18:53:15 +01:00
Dan Willemsen
8bd06cd485 Merge "Remove unused tags property from Android.bp files" am: 9835d2ca30
am: d32fdf4de5

Change-Id: Ie8041bd2cdb4f9cf467c184af97f1b1591b972b4
2018-05-08 23:15:24 -07:00
Dan Willemsen
861d4a1363 Remove unused tags property from Android.bp files
The tags property is (and has always been) unused by Soong. The property has
been defined as a list of strings, and the `androidmk` converted any
LOCAL_MODULE_TAGS entries over to it, but we've never done anything with it.

In preparation for removing the definition from Soong, I'm removing it from all
Android.bp files in the tree.

Since this has never done anything, this is a no-op, but if you really did want
the Android.mk behavior, the proper way to define a module to be installed in
userdebug / eng builds is to use PRODUCT_PACKAGES_DEBUG or PRODUCT_PACKAGES_ENG
in the appropriate product makefile.

Change-Id: I5fcb36529115f6bce1a14677f894b25fabfe4383
Exempt-From-Owner-Approval: global no-op build change
Test: remove `tags` from Soong, see errors go away.
2018-05-08 17:15:29 -07:00
Max Bires
33aac2dda2 Adding DropBox logging support for keystore functionality
This will allow us to track the actual usage patterns of keystore
functions and error occurrences.

Bug: 36549319
Test: DropBox logging works for keystore tags
Change-Id: Iadfba3afebaa0be753212b1111b68f50b77f9978
(cherry picked from commit d6d8952b34)
2018-04-25 21:46:08 +00:00
Brian Young
9a947d573b Restore "Add "Unlocked device required" parameter to keys"
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit ccb492da44.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Merged-In: I485e0855c4a09073e067c1a628f7d93eab489483
Change-Id: I485e0855c4a09073e067c1a628f7d93eab489483
(cherry picked from f6125de02d)
2018-03-28 08:38:57 -07:00
Brian Young
9371e95bb0 Add "unlocked device required" keystore API
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This commit adds the API only, full functionality will be added in a
later change.

Test: CTS tests in CtsKeystoreTestCases

Bug: 67752510

Merged-In: I210fbb635a2c98e3d6208859387a5eb3f10ab976
Change-Id: I210fbb635a2c98e3d6208859387a5eb3f10ab976
(cherry picked from commit 947877a55c)
2018-03-28 08:38:57 -07:00
Brian Young
ccb492da44 Revert "Restore "Add "Unlocked device required" parameter to keys""
This reverts commit 05900c1ad8.

Reason for revert: Regression in creating auth-bound keys

Bug: 73773914

Bug: 67752510

Change-Id: I2b247ec871d2a0a2adb9100559e4c821aeba265d
2018-02-23 01:31:22 +00:00
Brian C. Young
05900c1ad8 Restore "Add "Unlocked device required" parameter to keys"
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit 1b75929a58.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Change-Id: I4becf698f8bc34b7a9d53ab2200480480fdd1a9c
2018-02-15 11:16:38 -08:00
Logan Chien
3bd6a51a6d Fix PDK build
This commit moves "IConfirmationPromptCallback.aidl" and
"IKeystoreService.aidl" to "system/security/keystore/binder" so that
"libkeystore_aidl" can be built in PDK builds.

Test: Run `cts-tradefed run cts -m CtsKeystoreTestCases` on Pixel 2017
and the test results are identical with and without this CL.

Test: Build PDK with special manifest described in
http://b/69539820#comment18 and http://b/69539820#comment19.

Test: Build a target (described in http://b/72961456) with
`platform.zip` built from master FSK source tree.

Bug: 69539820
Bug: 72961456
Change-Id: Ia0979568835efaf24508b0fac97357c85fd3f44c
2018-02-14 15:46:18 +08:00
Brian Young
1b75929a58 Revert "Add "Unlocked device required" parameter to keys"
This reverts commit 5407bf1ece.

Reason for revert: Build breakages on elfin, gce_x86_phone.

Bug: 72679761
Bug: 67752510
Change-Id: I1a4f8f725fe3aa7195f266ed77bbb7f4cccaa662
2018-01-30 15:31:47 +00:00
Brian C. Young
5407bf1ece Add "Unlocked device required" parameter to keys
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

Test: go/asym-write-test-plan

Bug: 67752510

Change-Id: Ie526a1beb2ddb6aa10eb77e896e74363db14adaa
2018-01-25 10:28:48 -08:00
TreeHugger Robot
b6de2e0eb9 Merge "Add support for confirmation APIs."
2018-01-25 17:31:38 +00:00
Shawn Willden
eedcfe96d1 Move Keymaster wrappers to the KM4 support lib
Test: CTS
Change-Id: Id84de1d4bcc9643ffa24a678ad5d0d2385baec5e
2018-01-18 15:38:55 -07:00
David Zeuthen
c6eb7cd999 Add support for confirmation APIs.
This code implements new keystore APIs for confirmations.

Also add new 'confirmation' verb to the keystore_cli_v2 command to be
used for testing confirmations. It will block until there's a
callback. Example invocations:

 phone:/ # keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --ui_options=1,2,3
 Waiting for prompt to complete - use Ctrl+C to abort...
 Confirmation prompt completed
 responseCode = 0
 dataThatWasConfirmed[30] = {0xa2, 0x66, 0x70, 0x72, 0x6f, 0x6d, 0x70, 0x74, 0x6b, 0x48, 0x65, 0x6c, 0x6c, 0x6f, 0x20, 0x57, 0x6f, 0x72, 0x6c, 0x64, 0x65, 0x65, 0x78, 0x74, 0x72, 0x61, 0x43, 0x01, 0x02, 0x03}
 phone:/ #

If a prompt is already being shown, the |OperationPending| return code
(code 3) is returned:

 phone:/ # keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --ui_options=1,2,3
 Presenting confirmation prompt failed with return code 3.

Canceling a prompt:

 phone:/# keystore_cli_v2 confirmation --prompt_text="Hello World" --extra_data=010203 --cancel_after=1.5
 Sleeping 1.5 seconds before canceling prompt...
 Waiting for prompt to complete - use Ctrl+C to abort...
 Confirmation prompt completed
 responseCode = 2
 dataThatWasConfirmed[0] = {}

Bug: 63928580
Test: Manually tested.
Change-Id: Ida14706ad066d5350b9081eb7821c7b1a1472dd2
2018-01-17 15:38:44 -05:00
Janis Danisevskis
c1460141c0 KeyStore: use security level to choose keymaster device
Keymaster4 introduces security levels. Android devices
may have multiple keymaster implementations, one for each
possible security level, where the presence of a strong
security level implies the presence of all lower levels.

This patch adds code that enumerates all keymaster device
implementations available from ServiceManager and populates
Keystore's keymaster device database with at most one keymaster
implementation per security level. It gives precedence to
newer versions if multiple implementations exist for the same security
level.

The security level is chosen by a set of flags passed to the keystore
operations generate, import, addRngEntropy.
For existing keys the right security level is chosen by the blob flags.

To that end a new flag KEYSTORE_FLAG_STRONGBOX was added, and the
security level is expressed through a combination of
KEYSTORE_FLAG_FALLBACK (F) and KEYSTORE_FLAG_STRONGBOX (S).
Encoding is as follows:

             F     S
Software     1     X (don't care)
TEE          0     0
Strongbox    0     1

Some operations in keystore cli2 were amended with the optional
--seclevel flags, allowing the user to choose the security level for the
given operation. Possible options are "software", "strongbox", and "tee"
where tee is the default value.

Test: Existing KeyStore CTS tests run

Change-Id: I01ef238f5e7067e480cf9b171630237236046bb1
2017-12-27 16:38:09 -08:00
Shawn Willden
bb22a6c50d Use libkeymaster4support in keystore.
Test: CTS
Change-Id: Iee8f308a5255a03b02fce162cc4184d45f75fd1b
2017-12-27 09:24:19 -08:00
Shawn Willden
2e0282a08d Remove libkeymaster_staging
Test: Builds
Change-Id: I830c22745ca5f19eb53ef1862e5cfc4b080d7d6a
2017-12-21 12:51:18 -07:00
Shawn Willden
0329a82c48 Move keystore to Keymaster4
Test: CTS
Change-Id: I6b7fa300f505ee685b1fe503edea3188225a98e3
2017-12-20 09:01:01 -07:00
Shawn Willden
c67a8aa3f5 Add abstract wrapper around IKeymasterDevice.
The "Keymaster" class provides an abstraction that hides the
underlying implementation.  It will always inherit the current
IKeymasterDevice version and extend it with additional pure virtual methods
that are used by keystore to query for meta information.  This class
will in turn have subclasses which will wrap an instance of each
different version of IKeymasterDevice that we support.

Test: CTS
Change-Id: I62420dc0a8c196bb3f19753a8f304d46a75fae0e
2017-12-20 08:45:29 -07:00
Shawn Willden
fa5702fbf0 Rename keystore.{h|cpp} to KeyStore.{h|cpp}
We currently have two different keystore.h files.  This renames one of
them, and the corresponding implementation, to KeyStore.h, which
tracks the class name.

Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts
Change-Id: I910e3d60d165b65d055e7da92acd04d3ee73a6d3
2017-12-18 20:59:31 -07:00
Rubin Xu
0d0e113f8f Build keystore_cli_v2
Add back keystore_cli_v2 to the system image, which was missing after switching
to Android.bp. Ideally we should only build this for userdebug/eng builds.

Bug: 69351686
Test: builds
Change-Id: Id2cbc024af79b042e3d49913758cc39c4cf9f432
2017-12-08 15:50:50 +00:00