ff3d7f4b83
This patch transitions keystore a threading model with one dispatcher thread and one worker thread per keymaster instance, i.e. fallback, TEE, Strongbox (if available). Singleton objects, such as the user state database, the enforcement policy, and grant database have been moved to KeyStore and were made concurrency safe. Other noteworthy changes in this patch: * Cached key characteristics. The key characteristics file used to hold a limited set of parameters used generate or import the key. This patch introduces a new blob type that holds full characteristics as returned by generate, import, or getKeyCharacteristics, with the original parameters mixed into the software enforced list. When keystore encounters a lagacy characteristics file it will grab the characteristics from keymaster, merge them with the cached parameters, and update the cache file to the new format. If keystore encounters the new cache no call to keymaster will be made for retrieving the key characteristics. * Changed semantic of list. The list call takes a prefix used for filtering key entries. By the old semantic, list would return a list of aliases stripped of the given prefix. By the new semantic list always returns a filtered list of full alias string. Callers may strip prefixes if they are so inclined. * Entertain per keymaster instance operation maps. With the introduction of Strongbox keystore had to deal with multiple keymaster instances. But until now it would entertain a single operations map. Keystore also enforces the invariant that no more than 15 operation slots are used so there is always a free slot available for vold. With a single operation map, this means no more than 15 slots can ever be used although with TEE and Strongbox there are a total of 32 slots. With strongbox implementation that have significantly fewer slots we see another effect of the single operation map. If a slot needs to be freed on Stronbox but the oldest operations are on TEE, the latter will be unnecessarily pruned before a Strongbox slot is freed up. With this patch each keymaster instance has its own operation map and pruning is performed on a per keymaster instance basis. * Introduce KeyBlobEntries which are independent from files. To allow concurrent access to the key blob data base, entries can be individually locked so that operations on entries become atomic. LockedKeyBlobEntries are move only objects that track ownership of an Entry on the stack or in functor object representing keymaster worker requests. Entries must only be locked by the dispatcher Thread. Worker threads can only be granted access to a LockedKeyBlobEntry by the dispatcher thread. This allows the dispatcher thread to execute a barrier that waits until all locks held by workers have been relinquished to perform blob database maintenance operations, e.g., clearing a uid of all entries. * Verification tokens are now acquired asynchronously. When a begin operation requires a verification token a request is submitted to the other keymaster worker while the begin call returns. When the operation commences with update or finish, we block until the verification token becomes available. As of this patch the keystore IPC interface is still synchronous. That is, the dispatcher thread dispatches a request to a worker and then waits until the worker has finished. In a followup patch the IPC interface shall be made asynchronous so that multiple requests may be in flight. Test: Ran full CTS test suite atest android.keystore.cts Bug: 111443219 Bug: 110495056 Change-Id: I305e28d784295a0095a34810d83202f7423498bd
65 lines
2.1 KiB
C++
65 lines
2.1 KiB
C++
/*
|
|
* Copyright (C) 2018 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
#ifndef KEYSTORE_OPERATION_STRUCT_H_
|
|
#define KEYSTORE_OPERATION_STRUCT_H_
|
|
|
|
#include <binder/Binder.h>
|
|
#include <binder/IBinder.h>
|
|
#include <keymasterV4_0/Keymaster.h>
|
|
#include <utils/StrongPointer.h>
|
|
|
|
#include <keystore/keymaster_types.h>
|
|
#include <keystore/keystore_hidl_support.h>
|
|
#include <keystore/keystore_return_types.h>
|
|
|
|
#include <future>
|
|
|
|
namespace keystore {
|
|
|
|
using ::android::IBinder;
|
|
using ::android::sp;
|
|
using keymaster::support::Keymaster;
|
|
|
|
struct Operation {
|
|
Operation() = default;
|
|
Operation(uint64_t handle_, uint64_t keyid_, KeyPurpose purpose_, const sp<Keymaster>& device_,
|
|
KeyCharacteristics&& characteristics_, sp<IBinder> appToken_,
|
|
const hidl_vec<KeyParameter> params_)
|
|
: handle(handle_), keyid(keyid_), purpose(purpose_), device(device_),
|
|
characteristics(characteristics_), appToken(appToken_), authToken(), verificationToken(),
|
|
params(params_) {}
|
|
Operation(Operation&&) = default;
|
|
Operation(const Operation&) = delete;
|
|
|
|
bool hasAuthToken() const { return authToken.mac.size() != 0; }
|
|
|
|
uint64_t handle;
|
|
uint64_t keyid;
|
|
KeyPurpose purpose;
|
|
sp<Keymaster> device;
|
|
KeyCharacteristics characteristics;
|
|
sp<IBinder> appToken;
|
|
std::promise<KeyStoreServiceReturnCode> authTokenPromise;
|
|
std::future<KeyStoreServiceReturnCode> authTokenFuture;
|
|
HardwareAuthToken authToken;
|
|
VerificationToken verificationToken;
|
|
const hidl_vec<KeyParameter> params;
|
|
};
|
|
|
|
} // namespace keystore
|
|
|
|
#endif
|