Merge "insecure keymint: in-process initialization ordering" into main
diff --git a/security/keymint/aidl/default/main.rs b/security/keymint/aidl/default/main.rs
index 47143f4..007aded 100644
--- a/security/keymint/aidl/default/main.rs
+++ b/security/keymint/aidl/default/main.rs
@@ -74,6 +74,35 @@
// Create a TA in-process, which acts as a local channel for communication.
let channel = Arc::new(Mutex::new(LocalTa::new()));
+ // Let the TA know information about the boot environment. In a real device this
+ // is communicated directly from the bootloader to the TA, but here we retrieve
+ // the information from system properties and send from the HAL service.
+ let boot_req = get_boot_info();
+ debug!("boot/HAL->TA: boot info is {:?}", boot_req);
+ kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
+ .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+
+ // Let the TA know information about the userspace environment.
+ if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
+ error!("Failed to send HAL info: {:?}", e);
+ }
+
+ // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
+ // the TA.)
+ let attest_ids = attestation_id_info();
+ if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
+ error!("Failed to send attestation ID info: {:?}", e);
+ }
+
+ let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
+ let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
+ binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
+ HalServiceError(format!(
+ "Failed to register service {} because of {:?}.",
+ service_name, e
+ ))
+ })?;
+
let km_service = kmr_hal::keymint::Device::new_as_binder(channel.clone());
let service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, km_service.as_binder()).map_err(|e| {
@@ -101,37 +130,6 @@
))
})?;
- let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
- let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
- binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
- HalServiceError(format!(
- "Failed to register service {} because of {:?}.",
- service_name, e
- ))
- })?;
-
- info!("Successfully registered KeyMint HAL services.");
-
- // Let the TA know information about the boot environment. In a real device this
- // is communicated directly from the bootloader to the TA, but here we retrieve
- // the information from system properties and send from the HAL service.
- let boot_req = get_boot_info();
- debug!("boot/HAL->TA: boot info is {:?}", boot_req);
- kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
- .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
-
- // Let the TA know information about the userspace environment.
- if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
- error!("Failed to send HAL info: {:?}", e);
- }
-
- // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
- // the TA.)
- let attest_ids = attestation_id_info();
- if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
- error!("Failed to send attestation ID info: {:?}", e);
- }
-
info!("Successfully registered KeyMint HAL services.");
binder::ProcessState::join_thread_pool();
info!("KeyMint HAL service is terminating."); // should not reach here