David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2023 The Android Open Source Project |
| 3 | * |
| 4 | * Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | * you may not use this file except in compliance with the License. |
| 6 | * You may obtain a copy of the License at |
| 7 | * |
| 8 | * http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | * |
| 10 | * Unless required by applicable law or agreed to in writing, software |
| 11 | * distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | * See the License for the specific language governing permissions and |
| 14 | * limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | //! Default implementation of the KeyMint HAL and related HALs. |
| 18 | //! |
| 19 | //! This implementation of the HAL is only intended to allow testing and policy compliance. A real |
David Drysdale | 33a132f | 2024-03-06 15:40:45 +0000 | [diff] [blame] | 20 | //! implementation **must implement the TA in a secure environment**, as per CDD 9.11 [C-1-1]: |
| 21 | //! "MUST back up the keystore implementation with an isolated execution environment." |
| 22 | //! |
| 23 | //! The additional device-specific components that are required for a real implementation of KeyMint |
| 24 | //! that is based on the Rust reference implementation are described in system/keymint/README.md. |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 25 | |
| 26 | use kmr_hal::SerializedChannel; |
| 27 | use kmr_hal_nonsecure::{attestation_id_info, get_boot_info}; |
David Drysdale | 33a132f | 2024-03-06 15:40:45 +0000 | [diff] [blame] | 28 | use log::{debug, error, info, warn}; |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 29 | use std::ops::DerefMut; |
| 30 | use std::sync::{mpsc, Arc, Mutex}; |
| 31 | |
| 32 | /// Name of KeyMint binder device instance. |
| 33 | static SERVICE_INSTANCE: &str = "default"; |
| 34 | |
| 35 | static KM_SERVICE_NAME: &str = "android.hardware.security.keymint.IKeyMintDevice"; |
| 36 | static RPC_SERVICE_NAME: &str = "android.hardware.security.keymint.IRemotelyProvisionedComponent"; |
| 37 | static CLOCK_SERVICE_NAME: &str = "android.hardware.security.secureclock.ISecureClock"; |
| 38 | static SECRET_SERVICE_NAME: &str = "android.hardware.security.sharedsecret.ISharedSecret"; |
| 39 | |
| 40 | /// Local error type for failures in the HAL service. |
| 41 | #[derive(Debug, Clone)] |
| 42 | struct HalServiceError(String); |
| 43 | |
| 44 | impl From<String> for HalServiceError { |
| 45 | fn from(s: String) -> Self { |
| 46 | Self(s) |
| 47 | } |
| 48 | } |
| 49 | |
| 50 | fn main() { |
Charisee | 5fc736d | 2024-04-03 20:04:29 +0000 | [diff] [blame] | 51 | if let Err(HalServiceError(e)) = inner_main() { |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 52 | panic!("HAL service failed: {:?}", e); |
| 53 | } |
| 54 | } |
| 55 | |
| 56 | fn inner_main() -> Result<(), HalServiceError> { |
| 57 | // Initialize Android logging. |
| 58 | android_logger::init_once( |
| 59 | android_logger::Config::default() |
| 60 | .with_tag("keymint-hal-nonsecure") |
| 61 | .with_max_level(log::LevelFilter::Info) |
| 62 | .with_log_buffer(android_logger::LogId::System), |
| 63 | ); |
| 64 | // Redirect panic messages to logcat. |
| 65 | std::panic::set_hook(Box::new(|panic_info| { |
| 66 | error!("{}", panic_info); |
| 67 | })); |
| 68 | |
David Drysdale | 33a132f | 2024-03-06 15:40:45 +0000 | [diff] [blame] | 69 | warn!("Insecure KeyMint HAL service is starting."); |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 70 | |
| 71 | info!("Starting thread pool now."); |
| 72 | binder::ProcessState::start_thread_pool(); |
| 73 | |
| 74 | // Create a TA in-process, which acts as a local channel for communication. |
| 75 | let channel = Arc::new(Mutex::new(LocalTa::new())); |
| 76 | |
A. Cody Schuffelen | fbc3089 | 2024-05-07 16:23:54 -0700 | [diff] [blame] | 77 | // Let the TA know information about the boot environment. In a real device this |
| 78 | // is communicated directly from the bootloader to the TA, but here we retrieve |
| 79 | // the information from system properties and send from the HAL service. |
| 80 | let boot_req = get_boot_info(); |
| 81 | debug!("boot/HAL->TA: boot info is {:?}", boot_req); |
| 82 | kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req) |
| 83 | .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?; |
| 84 | |
| 85 | // Let the TA know information about the userspace environment. |
| 86 | if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) { |
| 87 | error!("Failed to send HAL info: {:?}", e); |
| 88 | } |
| 89 | |
| 90 | // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into |
| 91 | // the TA.) |
| 92 | let attest_ids = attestation_id_info(); |
| 93 | if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) { |
| 94 | error!("Failed to send attestation ID info: {:?}", e); |
| 95 | } |
| 96 | |
| 97 | let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone()); |
| 98 | let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE); |
| 99 | binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| { |
| 100 | HalServiceError(format!( |
| 101 | "Failed to register service {} because of {:?}.", |
| 102 | service_name, e |
| 103 | )) |
| 104 | })?; |
| 105 | |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 106 | let km_service = kmr_hal::keymint::Device::new_as_binder(channel.clone()); |
| 107 | let service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE); |
| 108 | binder::add_service(&service_name, km_service.as_binder()).map_err(|e| { |
| 109 | HalServiceError(format!( |
| 110 | "Failed to register service {} because of {:?}.", |
| 111 | service_name, e |
| 112 | )) |
| 113 | })?; |
| 114 | |
| 115 | let rpc_service = kmr_hal::rpc::Device::new_as_binder(channel.clone()); |
| 116 | let service_name = format!("{}/{}", RPC_SERVICE_NAME, SERVICE_INSTANCE); |
| 117 | binder::add_service(&service_name, rpc_service.as_binder()).map_err(|e| { |
| 118 | HalServiceError(format!( |
| 119 | "Failed to register service {} because of {:?}.", |
| 120 | service_name, e |
| 121 | )) |
| 122 | })?; |
| 123 | |
| 124 | let clock_service = kmr_hal::secureclock::Device::new_as_binder(channel.clone()); |
| 125 | let service_name = format!("{}/{}", CLOCK_SERVICE_NAME, SERVICE_INSTANCE); |
| 126 | binder::add_service(&service_name, clock_service.as_binder()).map_err(|e| { |
| 127 | HalServiceError(format!( |
| 128 | "Failed to register service {} because of {:?}.", |
| 129 | service_name, e |
| 130 | )) |
| 131 | })?; |
| 132 | |
David Drysdale | 30196cf | 2023-12-02 19:24:15 +0000 | [diff] [blame] | 133 | info!("Successfully registered KeyMint HAL services."); |
| 134 | binder::ProcessState::join_thread_pool(); |
| 135 | info!("KeyMint HAL service is terminating."); // should not reach here |
| 136 | Ok(()) |
| 137 | } |
| 138 | |
| 139 | /// Implementation of the KeyMint TA that runs locally in-process (and which is therefore |
| 140 | /// insecure). |
| 141 | #[derive(Debug)] |
| 142 | pub struct LocalTa { |
| 143 | in_tx: mpsc::Sender<Vec<u8>>, |
| 144 | out_rx: mpsc::Receiver<Vec<u8>>, |
| 145 | } |
| 146 | |
| 147 | impl LocalTa { |
| 148 | /// Create a new instance. |
| 149 | pub fn new() -> Self { |
| 150 | // Create a pair of channels to communicate with the TA thread. |
| 151 | let (in_tx, in_rx) = mpsc::channel(); |
| 152 | let (out_tx, out_rx) = mpsc::channel(); |
| 153 | |
| 154 | // The TA code expects to run single threaded, so spawn a thread to run it in. |
| 155 | std::thread::spawn(move || { |
| 156 | let mut ta = kmr_ta_nonsecure::build_ta(); |
| 157 | loop { |
| 158 | let req_data: Vec<u8> = in_rx.recv().expect("failed to receive next req"); |
| 159 | let rsp_data = ta.process(&req_data); |
| 160 | out_tx.send(rsp_data).expect("failed to send out rsp"); |
| 161 | } |
| 162 | }); |
| 163 | Self { in_tx, out_rx } |
| 164 | } |
| 165 | } |
| 166 | |
| 167 | impl SerializedChannel for LocalTa { |
| 168 | const MAX_SIZE: usize = usize::MAX; |
| 169 | |
| 170 | fn execute(&mut self, req_data: &[u8]) -> binder::Result<Vec<u8>> { |
| 171 | self.in_tx |
| 172 | .send(req_data.to_vec()) |
| 173 | .expect("failed to send in request"); |
| 174 | Ok(self.out_rx.recv().expect("failed to receive response")) |
| 175 | } |
| 176 | } |