Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1 | /* |
| 2 | ** |
| 3 | ** Copyright 2018, The Android Open Source Project |
| 4 | ** |
| 5 | ** Licensed under the Apache License, Version 2.0 (the "License"); |
| 6 | ** you may not use this file except in compliance with the License. |
| 7 | ** You may obtain a copy of the License at |
| 8 | ** |
| 9 | ** http://www.apache.org/licenses/LICENSE-2.0 |
| 10 | ** |
| 11 | ** Unless required by applicable law or agreed to in writing, software |
| 12 | ** distributed under the License is distributed on an "AS IS" BASIS, |
| 13 | ** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 14 | ** See the License for the specific language governing permissions and |
| 15 | ** limitations under the License. |
| 16 | */ |
| 17 | #define LOG_TAG "keymaster_worker" |
| 18 | |
| 19 | #include "keymaster_worker.h" |
| 20 | |
| 21 | #include "keystore_utils.h" |
| 22 | |
| 23 | #include <android-base/logging.h> |
| 24 | |
Janis Danisevskis | 6a0d998 | 2019-04-30 15:43:59 -0700 | [diff] [blame] | 25 | #include <log/log_event_list.h> |
| 26 | |
| 27 | #include <private/android_logger.h> |
| 28 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 29 | #include "KeyStore.h" |
| 30 | #include "keymaster_enforcement.h" |
| 31 | |
| 32 | #include "key_proto_handler.h" |
| 33 | #include "keystore_utils.h" |
| 34 | |
| 35 | namespace keystore { |
| 36 | |
| 37 | constexpr size_t kMaxOperations = 15; |
| 38 | |
| 39 | using AndroidKeymasterArguments = android::security::keymaster::KeymasterArguments; |
| 40 | using android::security::keymaster::ExportResult; |
| 41 | using android::security::keymaster::operationFailed; |
| 42 | using android::security::keymaster::OperationResult; |
| 43 | |
Janis Danisevskis | 5ec4c2a | 2018-11-12 10:39:48 -0800 | [diff] [blame] | 44 | Worker::Worker() {} |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 45 | Worker::~Worker() { |
Janis Danisevskis | 5ec4c2a | 2018-11-12 10:39:48 -0800 | [diff] [blame] | 46 | std::unique_lock<std::mutex> lock(pending_requests_mutex_); |
| 47 | pending_requests_cond_var_.wait(lock, [this] { return pending_requests_.empty(); }); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 48 | } |
| 49 | void Worker::addRequest(WorkerTask request) { |
| 50 | std::unique_lock<std::mutex> lock(pending_requests_mutex_); |
Janis Danisevskis | 5ec4c2a | 2018-11-12 10:39:48 -0800 | [diff] [blame] | 51 | bool start_thread = pending_requests_.empty(); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 52 | pending_requests_.push(std::move(request)); |
| 53 | lock.unlock(); |
Janis Danisevskis | 5ec4c2a | 2018-11-12 10:39:48 -0800 | [diff] [blame] | 54 | if (start_thread) { |
| 55 | auto worker = std::thread([this] { |
| 56 | std::unique_lock<std::mutex> lock(pending_requests_mutex_); |
| 57 | running_ = true; |
| 58 | while (!pending_requests_.empty()) { |
| 59 | auto request = std::move(pending_requests_.front()); |
| 60 | lock.unlock(); |
| 61 | request(); |
| 62 | lock.lock(); |
| 63 | pending_requests_.pop(); |
| 64 | pending_requests_cond_var_.notify_all(); |
| 65 | } |
| 66 | }); |
| 67 | worker.detach(); |
| 68 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 69 | } |
| 70 | |
| 71 | KeymasterWorker::KeymasterWorker(sp<Keymaster> keymasterDevice, KeyStore* keyStore) |
| 72 | : keymasterDevice_(std::move(keymasterDevice)), operationMap_(keyStore), keyStore_(keyStore) { |
| 73 | // make sure that hal version is cached. |
| 74 | if (keymasterDevice_) keymasterDevice_->halVersion(); |
| 75 | } |
| 76 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 77 | void KeymasterWorker::logIfKeymasterVendorError(ErrorCode ec) const { |
| 78 | keymasterDevice_->logIfKeymasterVendorError(ec); |
| 79 | } |
| 80 | |
Janis Danisevskis | 6a0d998 | 2019-04-30 15:43:59 -0700 | [diff] [blame] | 81 | void KeymasterWorker::deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob) { |
| 82 | // if we got the blob successfully, we try and delete it from the keymaster device |
| 83 | auto& dev = keymasterDevice_; |
| 84 | uid_t uid = blobfile->uid(); |
| 85 | const auto& alias = blobfile->alias(); |
| 86 | |
| 87 | if (keyBlob.getType() == ::TYPE_KEYMASTER_10) { |
| 88 | auto ret = KS_HANDLE_HIDL_ERROR(dev, dev->deleteKey(blob2hidlVec(keyBlob))); |
| 89 | // A device doesn't have to implement delete_key. |
| 90 | bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED; |
| 91 | if (__android_log_security()) { |
| 92 | android_log_event_list(SEC_TAG_KEY_DESTROYED) |
| 93 | << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY; |
| 94 | } |
| 95 | if (!success) { |
| 96 | LOG(ERROR) << "Keymaster delete for key " << alias << " of uid " << uid << " failed"; |
| 97 | } |
| 98 | } |
| 99 | } |
| 100 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 101 | std::tuple<KeyStoreServiceReturnCode, Blob> |
| 102 | KeymasterWorker::upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry, |
| 103 | const AuthorizationSet& params) { |
| 104 | LOG(INFO) << "upgradeKeyBlob " << lockedEntry->alias() << " " << (uint32_t)lockedEntry->uid(); |
| 105 | |
| 106 | std::tuple<KeyStoreServiceReturnCode, Blob> result; |
| 107 | |
| 108 | auto userState = keyStore_->getUserStateDB().getUserStateByUid(lockedEntry->uid()); |
| 109 | |
| 110 | Blob& blob = std::get<1>(result); |
| 111 | KeyStoreServiceReturnCode& error = std::get<0>(result); |
| 112 | |
| 113 | Blob charBlob; |
| 114 | ResponseCode rc; |
| 115 | |
| 116 | std::tie(rc, blob, charBlob) = |
| 117 | lockedEntry.readBlobs(userState->getEncryptionKey(), userState->getState()); |
| 118 | |
Janis Danisevskis | 265435f | 2018-11-16 14:10:46 -0800 | [diff] [blame] | 119 | userState = {}; |
| 120 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 121 | if (rc != ResponseCode::NO_ERROR) { |
| 122 | return error = rc, result; |
| 123 | } |
| 124 | |
| 125 | auto hidlKey = blob2hidlVec(blob); |
| 126 | auto& dev = keymasterDevice_; |
| 127 | |
| 128 | auto hidlCb = [&](ErrorCode ret, const ::std::vector<uint8_t>& upgradedKeyBlob) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 129 | dev->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 130 | error = ret; |
| 131 | if (!error.isOk()) { |
| 132 | if (error == ErrorCode::INVALID_KEY_BLOB) { |
| 133 | log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid()); |
| 134 | } |
| 135 | return; |
| 136 | } |
| 137 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 138 | Blob newBlob(&upgradedKeyBlob[0], upgradedKeyBlob.size(), nullptr /* info */, |
| 139 | 0 /* infoLength */, ::TYPE_KEYMASTER_10); |
| 140 | newBlob.setSecurityLevel(blob.getSecurityLevel()); |
| 141 | newBlob.setEncrypted(blob.isEncrypted()); |
| 142 | newBlob.setSuperEncrypted(blob.isSuperEncrypted()); |
| 143 | newBlob.setCriticalToDeviceEncryption(blob.isCriticalToDeviceEncryption()); |
| 144 | |
| 145 | error = keyStore_->put(lockedEntry, newBlob, charBlob); |
| 146 | if (!error.isOk()) { |
Branden Archer | 7008074 | 2018-11-20 11:04:11 -0800 | [diff] [blame] | 147 | ALOGI("upgradeKeyBlob keystore->put failed %d", error.getErrorCode()); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 148 | return; |
| 149 | } |
Janis Danisevskis | 6a0d998 | 2019-04-30 15:43:59 -0700 | [diff] [blame] | 150 | |
| 151 | deleteOldKeyOnUpgrade(lockedEntry, std::move(blob)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 152 | blob = std::move(newBlob); |
| 153 | }; |
| 154 | |
| 155 | KeyStoreServiceReturnCode error2; |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 156 | error2 = KS_HANDLE_HIDL_ERROR(dev, dev->upgradeKey(hidlKey, params.hidl_data(), hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 157 | if (!error2.isOk()) { |
| 158 | return error = error2, result; |
| 159 | } |
| 160 | |
| 161 | return result; |
| 162 | } |
| 163 | |
| 164 | std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob> |
| 165 | KeymasterWorker::createKeyCharacteristicsCache(const LockedKeyBlobEntry& lockedEntry, |
| 166 | const hidl_vec<uint8_t>& clientId, |
| 167 | const hidl_vec<uint8_t>& appData, Blob keyBlob, |
| 168 | Blob charBlob) { |
| 169 | std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob> result; |
| 170 | |
| 171 | #if __cplusplus == 201703L |
| 172 | auto& [rc, resultCharacteristics, outBlob, charOutBlob] = result; |
| 173 | #else |
| 174 | KeyStoreServiceReturnCode& rc = std::get<0>(result); |
| 175 | KeyCharacteristics& resultCharacteristics = std::get<1>(result); |
| 176 | Blob& outBlob = std::get<2>(result); |
| 177 | Blob& charOutBlob = std::get<3>(result); |
| 178 | #endif |
| 179 | |
| 180 | rc = ResponseCode::SYSTEM_ERROR; |
| 181 | if (!keyBlob) return result; |
| 182 | auto hidlKeyBlob = blob2hidlVec(keyBlob); |
| 183 | auto& dev = keymasterDevice_; |
| 184 | |
| 185 | KeyStoreServiceReturnCode error; |
| 186 | |
| 187 | AuthorizationSet hwEnforced, swEnforced; |
| 188 | bool success = true; |
| 189 | |
| 190 | if (charBlob) { |
| 191 | std::tie(success, hwEnforced, swEnforced) = charBlob.getKeyCharacteristics(); |
| 192 | } |
| 193 | if (!success) { |
| 194 | LOG(ERROR) << "Failed to read cached key characteristics"; |
| 195 | return rc = ResponseCode::SYSTEM_ERROR, result; |
| 196 | } |
| 197 | |
| 198 | auto hidlCb = [&](ErrorCode ret, const KeyCharacteristics& keyCharacteristics) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 199 | dev->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 200 | error = ret; |
| 201 | if (!error.isOk()) { |
| 202 | if (error == ErrorCode::INVALID_KEY_BLOB) { |
| 203 | log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid()); |
| 204 | } |
| 205 | return; |
| 206 | } |
| 207 | |
| 208 | // Replace the sw_enforced set with those persisted to disk, minus hw_enforced |
| 209 | AuthorizationSet softwareEnforced = keyCharacteristics.softwareEnforced; |
| 210 | hwEnforced = keyCharacteristics.hardwareEnforced; |
| 211 | swEnforced.Union(softwareEnforced); |
| 212 | softwareEnforced.Subtract(hwEnforced); |
| 213 | |
| 214 | // We only get the characteristics from keymaster if there was no cache file or the |
| 215 | // the chach file was a legacy cache file. So lets write a new cache file for the next time. |
| 216 | Blob newCharBlob; |
| 217 | success = newCharBlob.putKeyCharacteristics(hwEnforced, swEnforced); |
| 218 | if (!success) { |
| 219 | error = ResponseCode::SYSTEM_ERROR; |
| 220 | LOG(ERROR) << "Failed to serialize cached key characteristics"; |
| 221 | return; |
| 222 | } |
| 223 | |
| 224 | error = keyStore_->put(lockedEntry, {}, newCharBlob); |
| 225 | if (!error.isOk()) { |
| 226 | ALOGE("Failed to write key characteristics cache"); |
| 227 | return; |
| 228 | } |
| 229 | charBlob = std::move(newCharBlob); |
| 230 | }; |
| 231 | |
| 232 | if (!charBlob || charBlob.getType() == TYPE_KEY_CHARACTERISTICS) { |
| 233 | // this updates the key characteristics cache file to the new format or creates one in |
| 234 | // in the first place |
| 235 | rc = KS_HANDLE_HIDL_ERROR( |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 236 | dev, dev->getKeyCharacteristics(hidlKeyBlob, clientId, appData, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 237 | if (!rc.isOk()) { |
| 238 | return result; |
| 239 | } |
| 240 | |
| 241 | if (error == ErrorCode::KEY_REQUIRES_UPGRADE) { |
| 242 | AuthorizationSet upgradeParams; |
| 243 | if (clientId.size()) { |
| 244 | upgradeParams.push_back(TAG_APPLICATION_ID, clientId); |
| 245 | } |
| 246 | if (appData.size()) { |
| 247 | upgradeParams.push_back(TAG_APPLICATION_DATA, appData); |
| 248 | } |
| 249 | std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams); |
| 250 | if (!rc.isOk()) { |
| 251 | return result; |
| 252 | } |
| 253 | |
| 254 | auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob); |
| 255 | |
| 256 | rc = KS_HANDLE_HIDL_ERROR( |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 257 | dev, dev->getKeyCharacteristics(upgradedHidlKeyBlob, clientId, appData, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 258 | if (!rc.isOk()) { |
| 259 | return result; |
| 260 | } |
| 261 | } |
| 262 | } |
| 263 | |
| 264 | resultCharacteristics.hardwareEnforced = hwEnforced.hidl_data(); |
| 265 | resultCharacteristics.softwareEnforced = swEnforced.hidl_data(); |
| 266 | |
| 267 | outBlob = std::move(keyBlob); |
| 268 | charOutBlob = std::move(charBlob); |
| 269 | rc = error; |
| 270 | return result; |
| 271 | } |
| 272 | |
| 273 | /** |
| 274 | * Get the auth token for this operation from the auth token table. |
| 275 | * |
| 276 | * Returns ResponseCode::NO_ERROR if the auth token was set or none was required. |
| 277 | * ::OP_AUTH_NEEDED if it is a per op authorization, no |
| 278 | * authorization token exists for that operation and |
| 279 | * failOnTokenMissing is false. |
| 280 | * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth |
| 281 | * token for the operation |
| 282 | */ |
| 283 | std::pair<KeyStoreServiceReturnCode, HardwareAuthToken> |
| 284 | KeymasterWorker::getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle, |
| 285 | KeyPurpose purpose, bool failOnTokenMissing) { |
| 286 | |
| 287 | AuthorizationSet allCharacteristics(characteristics.softwareEnforced); |
| 288 | allCharacteristics.append(characteristics.hardwareEnforced.begin(), |
| 289 | characteristics.hardwareEnforced.end()); |
| 290 | |
| 291 | HardwareAuthToken authToken; |
| 292 | AuthTokenTable::Error err; |
| 293 | std::tie(err, authToken) = keyStore_->getAuthTokenTable().FindAuthorization( |
| 294 | allCharacteristics, static_cast<KeyPurpose>(purpose), handle); |
| 295 | |
| 296 | KeyStoreServiceReturnCode rc; |
| 297 | |
| 298 | switch (err) { |
| 299 | case AuthTokenTable::OK: |
| 300 | case AuthTokenTable::AUTH_NOT_REQUIRED: |
| 301 | rc = ResponseCode::NO_ERROR; |
| 302 | break; |
| 303 | |
| 304 | case AuthTokenTable::AUTH_TOKEN_NOT_FOUND: |
| 305 | case AuthTokenTable::AUTH_TOKEN_EXPIRED: |
| 306 | case AuthTokenTable::AUTH_TOKEN_WRONG_SID: |
| 307 | ALOGE("getAuthToken failed: %d", err); // STOPSHIP: debug only, to be removed |
| 308 | rc = ErrorCode::KEY_USER_NOT_AUTHENTICATED; |
| 309 | break; |
| 310 | |
| 311 | case AuthTokenTable::OP_HANDLE_REQUIRED: |
| 312 | rc = failOnTokenMissing ? KeyStoreServiceReturnCode(ErrorCode::KEY_USER_NOT_AUTHENTICATED) |
| 313 | : KeyStoreServiceReturnCode(ResponseCode::OP_AUTH_NEEDED); |
| 314 | break; |
| 315 | |
| 316 | default: |
| 317 | ALOGE("Unexpected FindAuthorization return value %d", err); |
| 318 | rc = ErrorCode::INVALID_ARGUMENT; |
| 319 | } |
| 320 | |
| 321 | return {rc, std::move(authToken)}; |
| 322 | } |
| 323 | |
| 324 | KeyStoreServiceReturnCode KeymasterWorker::abort(const sp<IBinder>& token) { |
| 325 | auto op = operationMap_.removeOperation(token, false /* wasOpSuccessful */); |
| 326 | if (op) { |
| 327 | keyStore_->getAuthTokenTable().MarkCompleted(op->handle); |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 328 | return KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 329 | } else { |
| 330 | return ErrorCode::INVALID_OPERATION_HANDLE; |
| 331 | } |
| 332 | } |
| 333 | |
| 334 | /** |
| 335 | * Prune the oldest pruneable operation. |
| 336 | */ |
| 337 | bool KeymasterWorker::pruneOperation() { |
| 338 | sp<IBinder> oldest = operationMap_.getOldestPruneableOperation(); |
| 339 | ALOGD("Trying to prune operation %p", oldest.get()); |
| 340 | size_t op_count_before_abort = operationMap_.getOperationCount(); |
| 341 | // We mostly ignore errors from abort() because all we care about is whether at least |
| 342 | // one operation has been removed. |
| 343 | auto rc = abort(oldest); |
| 344 | if (operationMap_.getOperationCount() >= op_count_before_abort) { |
Branden Archer | 7008074 | 2018-11-20 11:04:11 -0800 | [diff] [blame] | 345 | ALOGE("Failed to abort pruneable operation %p, error: %d", oldest.get(), rc.getErrorCode()); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 346 | return false; |
| 347 | } |
| 348 | return true; |
| 349 | } |
| 350 | |
| 351 | // My IDE defines "CAPTURE_MOVE(x) x" because it does not understand generalized lambda captures. |
| 352 | // It should never be redefined by a build system though. |
| 353 | #ifndef CAPTURE_MOVE |
| 354 | #define CAPTURE_MOVE(x) x = std::move(x) |
| 355 | #endif |
| 356 | |
| 357 | void KeymasterWorker::begin(LockedKeyBlobEntry lockedEntry, sp<IBinder> appToken, Blob keyBlob, |
| 358 | Blob charBlob, bool pruneable, KeyPurpose purpose, |
| 359 | AuthorizationSet opParams, hidl_vec<uint8_t> entropy, |
| 360 | worker_begin_cb worker_cb) { |
| 361 | |
| 362 | Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(appToken), |
| 363 | CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob), pruneable, purpose, |
| 364 | CAPTURE_MOVE(opParams), CAPTURE_MOVE(entropy), |
| 365 | CAPTURE_MOVE(worker_cb)]() mutable { |
| 366 | // Concurrently executed |
| 367 | |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 368 | auto& dev = keymasterDevice_; |
| 369 | |
| 370 | KeyCharacteristics characteristics; |
| 371 | |
| 372 | { |
| 373 | hidl_vec<uint8_t> clientId; |
| 374 | hidl_vec<uint8_t> appData; |
Chih-Hung Hsieh | b3bfdb0 | 2018-12-12 14:43:33 -0800 | [diff] [blame] | 375 | for (const auto& param : opParams) { |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 376 | if (param.tag == Tag::APPLICATION_ID) { |
| 377 | clientId = authorizationValue(TAG_APPLICATION_ID, param).value(); |
| 378 | } else if (param.tag == Tag::APPLICATION_DATA) { |
| 379 | appData = authorizationValue(TAG_APPLICATION_DATA, param).value(); |
| 380 | } |
| 381 | } |
| 382 | KeyStoreServiceReturnCode error; |
| 383 | std::tie(error, characteristics, keyBlob, charBlob) = createKeyCharacteristicsCache( |
| 384 | lockedEntry, clientId, appData, std::move(keyBlob), std::move(charBlob)); |
| 385 | if (!error.isOk()) { |
| 386 | worker_cb(operationFailed(error)); |
| 387 | return; |
| 388 | } |
| 389 | } |
| 390 | |
| 391 | KeyStoreServiceReturnCode rc, authRc; |
| 392 | HardwareAuthToken authToken; |
| 393 | std::tie(authRc, authToken) = getAuthToken(characteristics, 0 /* no challenge */, purpose, |
| 394 | /*failOnTokenMissing*/ false); |
| 395 | |
| 396 | // If per-operation auth is needed we need to begin the operation and |
| 397 | // the client will need to authorize that operation before calling |
| 398 | // update. Any other auth issues stop here. |
| 399 | if (!authRc.isOk() && authRc != ResponseCode::OP_AUTH_NEEDED) { |
| 400 | return worker_cb(operationFailed(authRc)); |
| 401 | } |
| 402 | |
| 403 | // Add entropy to the device first. |
| 404 | if (entropy.size()) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 405 | rc = KS_HANDLE_HIDL_ERROR(dev, dev->addRngEntropy(entropy)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 406 | if (!rc.isOk()) { |
| 407 | return worker_cb(operationFailed(rc)); |
| 408 | } |
| 409 | } |
| 410 | |
| 411 | // Create a keyid for this key. |
Janis Danisevskis | 64eb3eb | 2018-11-27 20:41:52 -0800 | [diff] [blame] | 412 | auto keyid = KeymasterEnforcement::CreateKeyId(blob2hidlVec(keyBlob)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 413 | if (!keyid) { |
| 414 | ALOGE("Failed to create a key ID for authorization checking."); |
| 415 | return worker_cb(operationFailed(ErrorCode::UNKNOWN_ERROR)); |
| 416 | } |
| 417 | |
| 418 | // Check that all key authorization policy requirements are met. |
| 419 | AuthorizationSet key_auths = characteristics.hardwareEnforced; |
| 420 | key_auths.append(characteristics.softwareEnforced.begin(), |
| 421 | characteristics.softwareEnforced.end()); |
| 422 | |
| 423 | rc = keyStore_->getEnforcementPolicy().AuthorizeOperation( |
| 424 | purpose, *keyid, key_auths, opParams, authToken, 0 /* op_handle */, |
| 425 | true /* is_begin_operation */); |
| 426 | if (!rc.isOk()) { |
| 427 | return worker_cb(operationFailed(rc)); |
| 428 | } |
| 429 | |
| 430 | // If there are more than kMaxOperations, abort the oldest operation that was started as |
| 431 | // pruneable. |
| 432 | while (operationMap_.getOperationCount() >= kMaxOperations) { |
| 433 | ALOGD("Reached or exceeded concurrent operations limit"); |
| 434 | if (!pruneOperation()) { |
| 435 | break; |
| 436 | } |
| 437 | } |
| 438 | |
| 439 | android::security::keymaster::OperationResult result; |
| 440 | |
| 441 | auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams, |
| 442 | uint64_t operationHandle) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 443 | dev->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 444 | result.resultCode = ret; |
| 445 | if (!result.resultCode.isOk()) { |
| 446 | if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) { |
| 447 | log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid()); |
| 448 | } |
| 449 | return; |
| 450 | } |
| 451 | result.handle = operationHandle; |
| 452 | result.outParams = outParams; |
| 453 | }; |
| 454 | |
| 455 | do { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 456 | rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob), |
| 457 | opParams.hidl_data(), authToken, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 458 | if (!rc.isOk()) { |
| 459 | LOG(ERROR) << "Got error " << rc << " from begin()"; |
| 460 | return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR)); |
| 461 | } |
Janis Danisevskis | 64eb3eb | 2018-11-27 20:41:52 -0800 | [diff] [blame] | 462 | |
| 463 | if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) { |
| 464 | std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, opParams); |
| 465 | if (!rc.isOk()) { |
| 466 | return worker_cb(operationFailed(rc)); |
| 467 | } |
| 468 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 469 | rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob), |
| 470 | opParams.hidl_data(), authToken, hidlCb)); |
Janis Danisevskis | 64eb3eb | 2018-11-27 20:41:52 -0800 | [diff] [blame] | 471 | if (!rc.isOk()) { |
| 472 | LOG(ERROR) << "Got error " << rc << " from begin()"; |
| 473 | return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR)); |
| 474 | } |
| 475 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 476 | // If there are too many operations abort the oldest operation that was |
| 477 | // started as pruneable and try again. |
| 478 | } while (result.resultCode == ErrorCode::TOO_MANY_OPERATIONS && pruneOperation()); |
| 479 | |
| 480 | rc = result.resultCode; |
| 481 | if (!rc.isOk()) { |
| 482 | return worker_cb(operationFailed(rc)); |
| 483 | } |
| 484 | |
| 485 | // Note: The operation map takes possession of the contents of "characteristics". |
| 486 | // It is safe to use characteristics after the following line but it will be empty. |
| 487 | sp<IBinder> operationToken = |
| 488 | operationMap_.addOperation(result.handle, *keyid, purpose, dev, appToken, |
| 489 | std::move(characteristics), opParams.hidl_data(), pruneable); |
| 490 | assert(characteristics.hardwareEnforced.size() == 0); |
| 491 | assert(characteristics.softwareEnforced.size() == 0); |
| 492 | result.token = operationToken; |
| 493 | |
| 494 | auto operation = operationMap_.getOperation(operationToken); |
| 495 | if (!operation) { |
| 496 | return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR)); |
| 497 | } |
| 498 | |
| 499 | if (authRc.isOk() && authToken.mac.size() && |
| 500 | dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) { |
| 501 | operation->authTokenFuture = operation->authTokenPromise.get_future(); |
| 502 | std::weak_ptr<Operation> weak_operation = operation; |
| 503 | |
| 504 | auto verifyTokenCB = [weak_operation](KeyStoreServiceReturnCode rc, |
| 505 | HardwareAuthToken authToken, |
| 506 | VerificationToken verificationToken) { |
| 507 | auto operation = weak_operation.lock(); |
| 508 | if (!operation) { |
| 509 | // operation aborted, nothing to do |
| 510 | return; |
| 511 | } |
| 512 | if (rc.isOk()) { |
| 513 | operation->authToken = std::move(authToken); |
| 514 | operation->verificationToken = std::move(verificationToken); |
| 515 | } |
| 516 | operation->authTokenPromise.set_value(rc); |
| 517 | }; |
| 518 | auto teeKmDevice = keyStore_->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT); |
| 519 | teeKmDevice->verifyAuthorization(result.handle, {}, std::move(authToken), |
| 520 | std::move(verifyTokenCB)); |
| 521 | } |
| 522 | |
| 523 | // Return the authentication lookup result. If this is a per operation |
| 524 | // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the |
| 525 | // application should get an auth token using the handle before the |
| 526 | // first call to update, which will fail if keystore hasn't received the |
| 527 | // auth token. |
| 528 | if (result.resultCode.isOk()) { |
| 529 | result.resultCode = authRc; |
| 530 | } |
| 531 | return worker_cb(result); |
| 532 | }); |
| 533 | } |
| 534 | |
| 535 | KeyStoreServiceReturnCode |
| 536 | KeymasterWorker::getOperationAuthTokenIfNeeded(std::shared_ptr<Operation> op) { |
| 537 | if (!op) return ErrorCode::INVALID_OPERATION_HANDLE; |
| 538 | |
| 539 | if (op->authTokenFuture.valid()) { |
| 540 | LOG(INFO) << "Waiting for verification token"; |
| 541 | op->authTokenFuture.wait(); |
| 542 | auto rc = op->authTokenFuture.get(); |
| 543 | if (!rc.isOk()) { |
| 544 | return rc; |
| 545 | } |
| 546 | op->authTokenFuture = {}; |
| 547 | } else if (!op->hasAuthToken()) { |
| 548 | KeyStoreServiceReturnCode rc; |
| 549 | HardwareAuthToken found; |
| 550 | std::tie(rc, found) = getAuthToken(op->characteristics, op->handle, op->purpose); |
| 551 | if (!rc.isOk()) return rc; |
| 552 | op->authToken = std::move(found); |
| 553 | } |
| 554 | |
| 555 | return ResponseCode::NO_ERROR; |
| 556 | } |
| 557 | |
| 558 | namespace { |
| 559 | |
| 560 | class Finalize { |
| 561 | private: |
| 562 | std::function<void()> f_; |
| 563 | |
| 564 | public: |
Chih-Hung Hsieh | 4fa39ef | 2019-01-04 13:34:17 -0800 | [diff] [blame] | 565 | explicit Finalize(std::function<void()> f) : f_(f) {} |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 566 | ~Finalize() { |
| 567 | if (f_) f_(); |
| 568 | } |
| 569 | void release() { f_ = {}; } |
| 570 | }; |
| 571 | |
| 572 | } // namespace |
| 573 | |
| 574 | void KeymasterWorker::update(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> data, |
| 575 | update_cb worker_cb) { |
| 576 | Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(data), |
| 577 | CAPTURE_MOVE(worker_cb)]() { |
| 578 | KeyStoreServiceReturnCode rc; |
| 579 | auto op = operationMap_.getOperation(token); |
| 580 | if (!op) { |
| 581 | return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE)); |
| 582 | } |
| 583 | |
| 584 | Finalize abort_operation_in_case_of_error([&] { |
| 585 | operationMap_.removeOperation(token, false); |
| 586 | keyStore_->getAuthTokenTable().MarkCompleted(op->handle); |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 587 | KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 588 | }); |
| 589 | |
| 590 | rc = getOperationAuthTokenIfNeeded(op); |
| 591 | if (!rc.isOk()) return worker_cb(operationFailed(rc)); |
| 592 | |
| 593 | // Check that all key authorization policy requirements are met. |
| 594 | AuthorizationSet key_auths(op->characteristics.hardwareEnforced); |
| 595 | key_auths.append(op->characteristics.softwareEnforced.begin(), |
| 596 | op->characteristics.softwareEnforced.end()); |
| 597 | |
| 598 | rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths, |
| 599 | params, op->authToken, op->handle, |
| 600 | false /* is_begin_operation */); |
| 601 | if (!rc.isOk()) return worker_cb(operationFailed(rc)); |
| 602 | |
| 603 | OperationResult result; |
| 604 | auto hidlCb = [&](ErrorCode ret, uint32_t inputConsumed, |
| 605 | const hidl_vec<KeyParameter>& outParams, |
| 606 | const ::std::vector<uint8_t>& output) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 607 | op->device->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 608 | result.resultCode = ret; |
| 609 | if (result.resultCode.isOk()) { |
| 610 | result.inputConsumed = inputConsumed; |
| 611 | result.outParams = outParams; |
| 612 | result.data = output; |
| 613 | } |
| 614 | }; |
| 615 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 616 | rc = KS_HANDLE_HIDL_ERROR(op->device, |
| 617 | op->device->update(op->handle, params.hidl_data(), data, |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 618 | op->authToken, op->verificationToken, hidlCb)); |
| 619 | |
| 620 | // just a reminder: on success result->resultCode was set in the callback. So we only |
| 621 | // overwrite it if there was a communication error indicated by the ErrorCode. |
| 622 | if (!rc.isOk()) result.resultCode = rc; |
| 623 | if (result.resultCode.isOk()) { |
| 624 | // if everything went well we don't abort the operation. |
| 625 | abort_operation_in_case_of_error.release(); |
| 626 | } |
| 627 | return worker_cb(std::move(result)); |
| 628 | }); |
| 629 | } |
| 630 | |
| 631 | /** |
| 632 | * Check that all KeyParameters provided by the application are allowed. Any parameter that keystore |
| 633 | * adds itself should be disallowed here. |
| 634 | */ |
| 635 | template <typename ParamsIter> |
| 636 | static bool checkAllowedOperationParams(ParamsIter begin, const ParamsIter end) { |
| 637 | while (begin != end) { |
| 638 | switch (begin->tag) { |
| 639 | case Tag::ATTESTATION_APPLICATION_ID: |
| 640 | case Tag::RESET_SINCE_ID_ROTATION: |
| 641 | return false; |
| 642 | default: |
| 643 | break; |
| 644 | } |
| 645 | ++begin; |
| 646 | } |
| 647 | return true; |
| 648 | } |
| 649 | |
| 650 | void KeymasterWorker::finish(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> input, |
| 651 | hidl_vec<uint8_t> signature, hidl_vec<uint8_t> entropy, |
| 652 | finish_cb worker_cb) { |
| 653 | Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(input), |
| 654 | CAPTURE_MOVE(signature), CAPTURE_MOVE(entropy), |
| 655 | CAPTURE_MOVE(worker_cb)]() mutable { |
| 656 | KeyStoreServiceReturnCode rc; |
| 657 | auto op = operationMap_.getOperation(token); |
| 658 | if (!op) { |
| 659 | return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE)); |
| 660 | } |
| 661 | |
| 662 | bool finished = false; |
| 663 | Finalize abort_operation_in_case_of_error([&] { |
| 664 | operationMap_.removeOperation(token, finished && rc.isOk()); |
| 665 | keyStore_->getAuthTokenTable().MarkCompleted(op->handle); |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 666 | if (!finished) |
| 667 | KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 668 | }); |
| 669 | |
| 670 | if (!checkAllowedOperationParams(params.begin(), params.end())) { |
| 671 | return worker_cb(operationFailed(ErrorCode::INVALID_ARGUMENT)); |
| 672 | } |
| 673 | |
| 674 | rc = getOperationAuthTokenIfNeeded(op); |
| 675 | if (!rc.isOk()) return worker_cb(operationFailed(rc)); |
| 676 | |
| 677 | // Check that all key authorization policy requirements are met. |
| 678 | AuthorizationSet key_auths(op->characteristics.hardwareEnforced); |
| 679 | key_auths.append(op->characteristics.softwareEnforced.begin(), |
| 680 | op->characteristics.softwareEnforced.end()); |
| 681 | |
| 682 | if (key_auths.Contains(Tag::TRUSTED_CONFIRMATION_REQUIRED)) { |
| 683 | hidl_vec<uint8_t> confirmationToken = |
| 684 | keyStore_->getConfirmationManager().getLatestConfirmationToken(); |
| 685 | if (confirmationToken.size() == 0) { |
| 686 | LOG(ERROR) << "Confirmation token required but none found"; |
| 687 | return worker_cb(operationFailed(ErrorCode::NO_USER_CONFIRMATION)); |
| 688 | } |
| 689 | params.push_back(keymaster::TAG_CONFIRMATION_TOKEN, std::move(confirmationToken)); |
| 690 | } |
| 691 | |
| 692 | rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths, |
| 693 | params, op->authToken, op->handle, |
| 694 | false /* is_begin_operation */); |
| 695 | if (!rc.isOk()) return worker_cb(operationFailed(rc)); |
| 696 | |
| 697 | if (entropy.size()) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 698 | rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->addRngEntropy(entropy)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 699 | if (!rc.isOk()) { |
| 700 | return worker_cb(operationFailed(rc)); |
| 701 | } |
| 702 | } |
| 703 | |
| 704 | OperationResult result; |
| 705 | auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams, |
| 706 | const ::std::vector<uint8_t>& output) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 707 | op->device->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 708 | result.resultCode = ret; |
| 709 | if (result.resultCode.isOk()) { |
| 710 | result.outParams = outParams; |
| 711 | result.data = output; |
| 712 | } |
| 713 | }; |
| 714 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 715 | rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->finish(op->handle, params.hidl_data(), |
| 716 | input, signature, op->authToken, |
| 717 | op->verificationToken, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 718 | |
| 719 | if (rc.isOk()) { |
| 720 | // inform the finalizer that the finish call went through |
| 721 | finished = true; |
| 722 | // and what the result was |
| 723 | rc = result.resultCode; |
| 724 | } else { |
| 725 | return worker_cb(operationFailed(rc)); |
| 726 | } |
| 727 | return worker_cb(std::move(result)); |
| 728 | }); |
| 729 | } |
| 730 | |
| 731 | void KeymasterWorker::abort(sp<IBinder> token, abort_cb worker_cb) { |
| 732 | Worker::addRequest( |
| 733 | [this, CAPTURE_MOVE(token), CAPTURE_MOVE(worker_cb)]() { return worker_cb(abort(token)); }); |
| 734 | } |
| 735 | |
| 736 | void KeymasterWorker::verifyAuthorization(uint64_t challenge, hidl_vec<KeyParameter> params, |
| 737 | HardwareAuthToken token, |
| 738 | verifyAuthorization_cb worker_cb) { |
| 739 | Worker::addRequest([this, challenge, CAPTURE_MOVE(params), CAPTURE_MOVE(token), |
| 740 | CAPTURE_MOVE(worker_cb)]() { |
| 741 | KeyStoreServiceReturnCode error; |
| 742 | VerificationToken verificationToken; |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 743 | KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( |
| 744 | keymasterDevice_, |
| 745 | keymasterDevice_->verifyAuthorization( |
| 746 | challenge, params, token, [&](ErrorCode ret, const VerificationToken& vToken) { |
| 747 | keymasterDevice_->logIfKeymasterVendorError(ret); |
| 748 | error = ret; |
| 749 | verificationToken = vToken; |
| 750 | })); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 751 | worker_cb(rc.isOk() ? error : rc, std::move(token), std::move(verificationToken)); |
| 752 | }); |
| 753 | } |
| 754 | |
| 755 | void KeymasterWorker::addRngEntropy(hidl_vec<uint8_t> data, addRngEntropy_cb _hidl_cb) { |
| 756 | addRequest(&Keymaster::addRngEntropy, std::move(_hidl_cb), std::move(data)); |
| 757 | } |
| 758 | |
| 759 | namespace { |
| 760 | bool containsTag(const hidl_vec<KeyParameter>& params, Tag tag) { |
| 761 | return params.end() != |
| 762 | std::find_if(params.begin(), params.end(), |
| 763 | [&](const KeyParameter& param) { return param.tag == tag; }); |
| 764 | } |
| 765 | |
| 766 | bool isAuthenticationBound(const hidl_vec<KeyParameter>& params) { |
| 767 | return !containsTag(params, Tag::NO_AUTH_REQUIRED); |
| 768 | } |
| 769 | } // namespace |
| 770 | |
| 771 | void KeymasterWorker::generateKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams, |
| 772 | hidl_vec<uint8_t> entropy, int flags, generateKey_cb worker_cb) { |
| 773 | Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams), |
| 774 | CAPTURE_MOVE(entropy), CAPTURE_MOVE(worker_cb), flags]() mutable { |
| 775 | KeyStoreServiceReturnCode rc = |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 776 | KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->addRngEntropy(entropy)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 777 | if (!rc.isOk()) { |
| 778 | return worker_cb(rc, {}); |
| 779 | } |
| 780 | |
| 781 | SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel; |
| 782 | |
| 783 | // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced |
| 784 | // by KeyStore::getFallbackDevice() |
| 785 | bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT; |
| 786 | |
| 787 | Finalize logOnFail( |
| 788 | [&] { uploadKeyCharacteristicsAsProto(keyParams, false /* wasCreationSuccessful */); }); |
| 789 | |
| 790 | KeyCharacteristics outCharacteristics; |
| 791 | KeyStoreServiceReturnCode error; |
| 792 | auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob, |
| 793 | const KeyCharacteristics& keyCharacteristics) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 794 | keymasterDevice_->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 795 | error = ret; |
| 796 | if (!error.isOk()) { |
| 797 | return; |
| 798 | } |
| 799 | consider_fallback = false; |
| 800 | outCharacteristics = keyCharacteristics; |
| 801 | |
| 802 | Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10); |
| 803 | keyBlob.setSecurityLevel(securityLevel); |
| 804 | keyBlob.setCriticalToDeviceEncryption(flags & |
| 805 | KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION); |
| 806 | if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) { |
| 807 | keyBlob.setSuperEncrypted(true); |
| 808 | } |
| 809 | keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED); |
| 810 | |
| 811 | AuthorizationSet sw_enforced = keyParams; |
| 812 | sw_enforced.Subtract(outCharacteristics.hardwareEnforced); |
| 813 | sw_enforced.Union(outCharacteristics.softwareEnforced); |
| 814 | sw_enforced.Filter([](const KeyParameter& param) -> bool { |
| 815 | return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID); |
| 816 | }); |
| 817 | if (!sw_enforced.Contains(Tag::USER_ID)) { |
| 818 | // Most Java processes don't have access to this tag |
| 819 | sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid())); |
| 820 | } |
| 821 | Blob keyCharBlob; |
| 822 | keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced); |
| 823 | error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob)); |
| 824 | }; |
| 825 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 826 | rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_, |
| 827 | keymasterDevice_->generateKey(keyParams, hidl_cb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 828 | if (!rc.isOk()) { |
| 829 | return worker_cb(rc, {}); |
| 830 | } |
| 831 | |
| 832 | if (consider_fallback && !error.isOk()) { |
| 833 | auto fallback = keyStore_->getFallbackDevice(); |
| 834 | if (!fallback) { |
| 835 | return worker_cb(error, {}); |
| 836 | } |
| 837 | // No fallback for 3DES |
| 838 | for (auto& param : keyParams) { |
| 839 | auto algorithm = authorizationValue(TAG_ALGORITHM, param); |
| 840 | if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) { |
| 841 | return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {}); |
| 842 | } |
| 843 | } |
| 844 | |
| 845 | // delegate to fallback worker |
| 846 | fallback->generateKey(std::move(lockedEntry), std::move(keyParams), std::move(entropy), |
| 847 | flags, std::move(worker_cb)); |
| 848 | // let fallback do the logging |
| 849 | logOnFail.release(); |
| 850 | return; |
| 851 | } |
| 852 | |
| 853 | if (!error.isOk()) return worker_cb(error, {}); |
| 854 | |
| 855 | // log on success |
| 856 | logOnFail.release(); |
| 857 | uploadKeyCharacteristicsAsProto(keyParams, true /* wasCreationSuccessful */); |
| 858 | |
| 859 | return worker_cb(error, std::move(outCharacteristics)); |
| 860 | }); |
| 861 | } |
| 862 | |
| 863 | void KeymasterWorker::generateKey(hidl_vec<KeyParameter> keyParams, generateKey2_cb worker_cb) { |
| 864 | addRequest(&Keymaster::generateKey, std::move(worker_cb), std::move(keyParams)); |
| 865 | } |
| 866 | |
| 867 | void KeymasterWorker::getKeyCharacteristics(LockedKeyBlobEntry lockedEntry, |
| 868 | hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData, |
| 869 | Blob keyBlob, Blob charBlob, |
| 870 | getKeyCharacteristics_cb worker_cb) { |
| 871 | Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(clientId), |
| 872 | CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob), |
| 873 | CAPTURE_MOVE(worker_cb)]() { |
| 874 | auto result = createKeyCharacteristicsCache(lockedEntry, clientId, appData, |
| 875 | std::move(keyBlob), std::move(charBlob)); |
| 876 | return worker_cb(std::get<0>(result), std::move(std::get<1>(result))); |
| 877 | }); |
| 878 | } |
| 879 | |
| 880 | void KeymasterWorker::importKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams, |
| 881 | KeyFormat keyFormat, hidl_vec<uint8_t> keyData, int flags, |
| 882 | importKey_cb worker_cb) { |
| 883 | Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams), keyFormat, |
| 884 | CAPTURE_MOVE(keyData), flags, CAPTURE_MOVE(worker_cb)]() mutable { |
| 885 | SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel; |
| 886 | |
| 887 | // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced |
| 888 | // by KeyStore::getFallbackDevice() |
| 889 | bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT; |
| 890 | |
| 891 | Finalize logOnFail( |
| 892 | [&] { uploadKeyCharacteristicsAsProto(keyParams, false /* wasCreationSuccessful */); }); |
| 893 | |
| 894 | KeyCharacteristics outCharacteristics; |
| 895 | KeyStoreServiceReturnCode error; |
| 896 | auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob, |
| 897 | const KeyCharacteristics& keyCharacteristics) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 898 | keymasterDevice_->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 899 | error = ret; |
| 900 | if (!error.isOk()) { |
| 901 | LOG(INFO) << "importKey failed"; |
| 902 | return; |
| 903 | } |
| 904 | consider_fallback = false; |
| 905 | outCharacteristics = keyCharacteristics; |
| 906 | |
| 907 | Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10); |
| 908 | keyBlob.setSecurityLevel(securityLevel); |
| 909 | keyBlob.setCriticalToDeviceEncryption(flags & |
| 910 | KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION); |
| 911 | if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) { |
| 912 | keyBlob.setSuperEncrypted(true); |
| 913 | } |
| 914 | keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED); |
| 915 | |
| 916 | AuthorizationSet sw_enforced = keyParams; |
| 917 | sw_enforced.Subtract(outCharacteristics.hardwareEnforced); |
| 918 | sw_enforced.Union(outCharacteristics.softwareEnforced); |
| 919 | sw_enforced.Filter([](const KeyParameter& param) -> bool { |
| 920 | return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID); |
| 921 | }); |
| 922 | if (!sw_enforced.Contains(Tag::USER_ID)) { |
| 923 | // Most Java processes don't have access to this tag |
| 924 | sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid())); |
| 925 | } |
| 926 | Blob keyCharBlob; |
| 927 | keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced); |
| 928 | error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob)); |
| 929 | }; |
| 930 | |
| 931 | KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 932 | keymasterDevice_, keymasterDevice_->importKey(keyParams, keyFormat, keyData, hidl_cb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 933 | if (!rc.isOk()) { |
| 934 | return worker_cb(rc, {}); |
| 935 | } |
| 936 | |
| 937 | if (consider_fallback && !error.isOk()) { |
| 938 | auto fallback = keyStore_->getFallbackDevice(); |
| 939 | if (!fallback) { |
| 940 | return worker_cb(error, {}); |
| 941 | } |
| 942 | // No fallback for 3DES |
| 943 | for (auto& param : keyParams) { |
| 944 | auto algorithm = authorizationValue(TAG_ALGORITHM, param); |
| 945 | if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) { |
| 946 | return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {}); |
| 947 | } |
| 948 | } |
| 949 | |
| 950 | // delegate to fallback worker |
| 951 | fallback->importKey(std::move(lockedEntry), std::move(keyParams), keyFormat, |
| 952 | std::move(keyData), flags, std::move(worker_cb)); |
| 953 | // let fallback to the logging |
| 954 | logOnFail.release(); |
| 955 | return; |
| 956 | } |
| 957 | |
| 958 | if (!error.isOk()) return worker_cb(error, {}); |
| 959 | |
| 960 | // log on success |
| 961 | logOnFail.release(); |
| 962 | uploadKeyCharacteristicsAsProto(keyParams, true /* wasCreationSuccessful */); |
| 963 | |
| 964 | return worker_cb(error, std::move(outCharacteristics)); |
| 965 | }); |
| 966 | } |
| 967 | |
| 968 | void KeymasterWorker::importWrappedKey(LockedKeyBlobEntry wrappingLockedEntry, |
| 969 | LockedKeyBlobEntry wrapppedLockedEntry, |
| 970 | hidl_vec<uint8_t> wrappedKeyData, |
| 971 | hidl_vec<uint8_t> maskingKey, |
| 972 | hidl_vec<KeyParameter> unwrappingParams, Blob wrappingBlob, |
| 973 | Blob wrappingCharBlob, uint64_t passwordSid, |
| 974 | uint64_t biometricSid, importWrappedKey_cb worker_cb) { |
| 975 | Worker::addRequest([this, CAPTURE_MOVE(wrappingLockedEntry), CAPTURE_MOVE(wrapppedLockedEntry), |
| 976 | CAPTURE_MOVE(wrappedKeyData), CAPTURE_MOVE(maskingKey), |
| 977 | CAPTURE_MOVE(unwrappingParams), CAPTURE_MOVE(wrappingBlob), |
| 978 | CAPTURE_MOVE(wrappingCharBlob), passwordSid, biometricSid, |
| 979 | CAPTURE_MOVE(worker_cb)]() mutable { |
| 980 | auto hidlWrappingKey = blob2hidlVec(wrappingBlob); |
| 981 | |
| 982 | SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel; |
| 983 | |
| 984 | KeyCharacteristics outCharacteristics; |
| 985 | KeyStoreServiceReturnCode error; |
| 986 | |
| 987 | auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob, |
| 988 | const KeyCharacteristics& keyCharacteristics) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 989 | keymasterDevice_->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 990 | error = ret; |
| 991 | if (!error.isOk()) { |
| 992 | return; |
| 993 | } |
| 994 | outCharacteristics = keyCharacteristics; |
| 995 | |
| 996 | Blob keyBlob(hidlKeyBlob.data(), hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10); |
| 997 | keyBlob.setSecurityLevel(securityLevel); |
| 998 | if (isAuthenticationBound(keyCharacteristics.hardwareEnforced)) { |
| 999 | keyBlob.setSuperEncrypted(true); |
| 1000 | } |
| 1001 | |
| 1002 | AuthorizationSet sw_enforced = outCharacteristics.softwareEnforced; |
| 1003 | if (!sw_enforced.Contains(Tag::USER_ID)) { |
| 1004 | // Most Java processes don't have access to this tag |
| 1005 | sw_enforced.push_back(keymaster::TAG_USER_ID, |
| 1006 | get_user_id(wrapppedLockedEntry->uid())); |
| 1007 | } |
| 1008 | Blob keyCharBlob; |
| 1009 | keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced); |
| 1010 | error = keyStore_->put(wrapppedLockedEntry, std::move(keyBlob), std::move(keyCharBlob)); |
| 1011 | }; |
| 1012 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 1013 | KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( |
| 1014 | keymasterDevice_, keymasterDevice_->importWrappedKey( |
| 1015 | wrappedKeyData, hidlWrappingKey, maskingKey, unwrappingParams, |
| 1016 | passwordSid, biometricSid, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1017 | |
| 1018 | // possible hidl error |
| 1019 | if (!rc.isOk()) { |
| 1020 | return worker_cb(rc, {}); |
| 1021 | } |
| 1022 | |
| 1023 | if (error == ErrorCode::KEY_REQUIRES_UPGRADE) { |
| 1024 | std::tie(rc, wrappingBlob) = upgradeKeyBlob(wrappingLockedEntry, {}); |
| 1025 | if (!rc.isOk()) { |
| 1026 | return worker_cb(rc, {}); |
| 1027 | } |
| 1028 | |
| 1029 | auto upgradedHidlKeyBlob = blob2hidlVec(wrappingBlob); |
| 1030 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 1031 | rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_, |
| 1032 | keymasterDevice_->importWrappedKey( |
| 1033 | wrappedKeyData, upgradedHidlKeyBlob, maskingKey, |
| 1034 | unwrappingParams, passwordSid, biometricSid, hidlCb)); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1035 | if (!rc.isOk()) { |
| 1036 | error = rc; |
| 1037 | } |
| 1038 | } |
| 1039 | return worker_cb(error, std::move(outCharacteristics)); |
| 1040 | }); |
| 1041 | } |
| 1042 | |
| 1043 | void KeymasterWorker::exportKey(LockedKeyBlobEntry lockedEntry, KeyFormat exportFormat, |
| 1044 | hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData, Blob keyBlob, |
| 1045 | Blob charBlob, exportKey_cb worker_cb) { |
| 1046 | Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), exportFormat, CAPTURE_MOVE(clientId), |
| 1047 | CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob), |
| 1048 | CAPTURE_MOVE(worker_cb)]() mutable { |
| 1049 | auto key = blob2hidlVec(keyBlob); |
| 1050 | |
| 1051 | ExportResult result; |
| 1052 | auto hidlCb = [&](ErrorCode ret, |
| 1053 | const ::android::hardware::hidl_vec<uint8_t>& keyMaterial) { |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 1054 | keymasterDevice_->logIfKeymasterVendorError(ret); |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1055 | result.resultCode = ret; |
| 1056 | if (!result.resultCode.isOk()) { |
| 1057 | if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) { |
| 1058 | log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid()); |
| 1059 | } |
| 1060 | return; |
| 1061 | } |
| 1062 | result.exportData = keyMaterial; |
| 1063 | }; |
| 1064 | KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 1065 | keymasterDevice_, |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1066 | keymasterDevice_->exportKey(exportFormat, key, clientId, appData, hidlCb)); |
| 1067 | |
| 1068 | // Overwrite result->resultCode only on HIDL error. Otherwise we want the result set in the |
| 1069 | // callback hidlCb. |
| 1070 | if (!rc.isOk()) { |
| 1071 | result.resultCode = rc; |
| 1072 | } |
| 1073 | |
| 1074 | if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) { |
| 1075 | AuthorizationSet upgradeParams; |
| 1076 | if (clientId.size()) { |
| 1077 | upgradeParams.push_back(TAG_APPLICATION_ID, clientId); |
| 1078 | } |
| 1079 | if (appData.size()) { |
| 1080 | upgradeParams.push_back(TAG_APPLICATION_DATA, appData); |
| 1081 | } |
| 1082 | std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams); |
| 1083 | if (!rc.isOk()) { |
| 1084 | return worker_cb(std::move(result)); |
| 1085 | } |
| 1086 | |
| 1087 | auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob); |
| 1088 | |
Janis Danisevskis | 3789610 | 2019-03-14 17:15:06 -0700 | [diff] [blame] | 1089 | rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_, |
| 1090 | keymasterDevice_->exportKey(exportFormat, upgradedHidlKeyBlob, |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1091 | clientId, appData, hidlCb)); |
| 1092 | if (!rc.isOk()) { |
| 1093 | result.resultCode = rc; |
| 1094 | } |
| 1095 | } |
| 1096 | return worker_cb(std::move(result)); |
| 1097 | }); |
| 1098 | } |
| 1099 | void KeymasterWorker::attestKey(hidl_vec<uint8_t> keyToAttest, hidl_vec<KeyParameter> attestParams, |
| 1100 | attestKey_cb worker_cb) { |
| 1101 | addRequest(&Keymaster::attestKey, std::move(worker_cb), std::move(keyToAttest), |
| 1102 | std::move(attestParams)); |
| 1103 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1104 | |
| 1105 | void KeymasterWorker::deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb) { |
| 1106 | addRequest(&Keymaster::deleteKey, std::move(_hidl_cb), std::move(keyBlob)); |
| 1107 | } |
Janis Danisevskis | ff3d7f4 | 2018-10-08 07:15:09 -0700 | [diff] [blame] | 1108 | |
| 1109 | void KeymasterWorker::binderDied(android::wp<IBinder> who) { |
| 1110 | Worker::addRequest([this, who]() { |
| 1111 | auto operations = operationMap_.getOperationsForToken(who.unsafe_get()); |
| 1112 | for (const auto& token : operations) { |
| 1113 | abort(token); |
| 1114 | } |
| 1115 | }); |
| 1116 | } |
| 1117 | |
| 1118 | } // namespace keystore |