Strip out unused parts of keymint
This implementation of keymint is purely software-based, so it can't support
things like key deletion, and it's not aware of the device lock state.
Constant fold the security level and stub out operations at the top
level to make the behaviour easier to find.
Bug: 190578423
Test: atest MicrodroidHostTestCases
Change-Id: Ic49c4515ea0490ba864b56b5487ac0a877970616
diff --git a/microdroid/keymint/MicrodroidKeyMintDevice.cpp b/microdroid/keymint/MicrodroidKeyMintDevice.cpp
index 62d6942..aa3447e 100644
--- a/microdroid/keymint/MicrodroidKeyMintDevice.cpp
+++ b/microdroid/keymint/MicrodroidKeyMintDevice.cpp
@@ -41,26 +41,11 @@
namespace {
-vector<KeyCharacteristics> convertKeyCharacteristics(SecurityLevel keyMintSecurityLevel,
- const AuthorizationSet& requestParams,
+vector<KeyCharacteristics> convertKeyCharacteristics(const AuthorizationSet& requestParams,
const AuthorizationSet& sw_enforced,
const AuthorizationSet& hw_enforced,
bool include_keystore_enforced = true) {
- KeyCharacteristics keyMintEnforced{keyMintSecurityLevel, {}};
-
- if (keyMintSecurityLevel != SecurityLevel::SOFTWARE) {
- // We're pretending to be TRUSTED_ENVIRONMENT or STRONGBOX.
- keyMintEnforced.authorizations = kmParamSet2Aidl(hw_enforced);
- if (include_keystore_enforced) {
- // Put all the software authorizations in the keystore list.
- KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE,
- kmParamSet2Aidl(sw_enforced)};
- return {std::move(keyMintEnforced), std::move(keystoreEnforced)};
- } else {
- return {std::move(keyMintEnforced)};
- }
- }
-
+ KeyCharacteristics keyMintEnforced{SecurityLevel::SOFTWARE, {}};
KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}};
CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint";
@@ -210,26 +195,23 @@
constexpr size_t kOperationTableSize = 16;
-MicrodroidKeyMintDevice::MicrodroidKeyMintDevice(SecurityLevel securityLevel)
+MicrodroidKeyMintDevice::MicrodroidKeyMintDevice()
: impl_(new ::keymaster::AndroidKeymaster(
[&]() -> auto {
- auto context =
- new PureSoftKeymasterContext(KmVersion::KEYMINT_1,
- static_cast<keymaster_security_level_t>(
- securityLevel));
+ auto context = new PureSoftKeymasterContext(KmVersion::KEYMINT_1,
+ KM_SECURITY_LEVEL_SOFTWARE);
context->SetSystemVersion(::keymaster::GetOsVersion(),
::keymaster::GetOsPatchlevel());
return context;
}(),
- kOperationTableSize)),
- securityLevel_(securityLevel) {}
+ kOperationTableSize)) {}
MicrodroidKeyMintDevice::~MicrodroidKeyMintDevice() {}
ScopedAStatus MicrodroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
info->versionNumber = 1;
- info->securityLevel = securityLevel_;
- info->keyMintName = "FakeKeyMintDevice";
+ info->securityLevel = SecurityLevel::SOFTWARE;
+ info->keyMintName = "MicrodroidKeyMintDevice";
info->keyMintAuthorName = "Google";
info->timestampTokenRequired = false;
return ScopedAStatus::ok();
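Review bot: The security level is now fixed in two independent places that must agree — `KM_SECURITY_LEVEL_SOFTWARE` in the constructor's context and `SecurityLevel::SOFTWARE` in getHardwareInfo — but nothing in the code ties them together. A comment on the new constructor line would help, e.g. `// Keep in sync with the SecurityLevel::SOFTWARE reported by getHardwareInfo().` The raw `new PureSoftKeymasterContext` handed to AndroidKeymaster is pre-existing; if AndroidKeymaster takes ownership of it (the absence of any delete here suggests so, but confirm), a one-line ownership comment at that call would save the next reader the lookup. getHardwareInfo's closing brace lies outside the hunk.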
@@ -280,7 +262,7 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.key_description, response.unenforced,
+ convertKeyCharacteristics(request.key_description, response.unenforced,
response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
@@ -312,7 +294,7 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.key_description, response.unenforced,
+ convertKeyCharacteristics(request.key_description, response.unenforced,
response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
@@ -320,12 +302,9 @@
}
ScopedAStatus MicrodroidKeyMintDevice::importWrappedKey(
- const vector<uint8_t>& wrappedKeyData, //
- const vector<uint8_t>& wrappingKeyBlob, //
- const vector<uint8_t>& maskingKey, //
- const vector<KeyParameter>& unwrappingParams, //
- int64_t passwordSid, int64_t biometricSid, //
- KeyCreationResult* creationResult) {
+ const vector<uint8_t>& wrappedKeyData, const vector<uint8_t>& wrappingKeyBlob,
+ const vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams,
+ int64_t passwordSid, int64_t biometricSid, KeyCreationResult* creationResult) {
ImportWrappedKeyRequest request(impl_->message_version());
request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
@@ -343,8 +322,8 @@
creationResult->keyBlob = kmBlob2vector(response.key_blob);
creationResult->keyCharacteristics =
- convertKeyCharacteristics(securityLevel_, request.additional_params,
- response.unenforced, response.enforced);
+ convertKeyCharacteristics(request.additional_params, response.unenforced,
+ response.enforced);
creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
return ScopedAStatus::ok();
@@ -368,23 +347,14 @@
return ScopedAStatus::ok();
}
-ScopedAStatus MicrodroidKeyMintDevice::deleteKey(const vector<uint8_t>& keyBlob) {
- DeleteKeyRequest request(impl_->message_version());
- request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
-
- DeleteKeyResponse response(impl_->message_version());
- impl_->DeleteKey(request, &response);
-
- return kmError2ScopedAStatus(response.error);
+ScopedAStatus MicrodroidKeyMintDevice::deleteKey(const vector<uint8_t>&) {
+ // There's nothing to be done to delete software key blobs.
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
ScopedAStatus MicrodroidKeyMintDevice::deleteAllKeys() {
// There's nothing to be done to delete software key blobs.
- DeleteAllKeysRequest request(impl_->message_version());
- DeleteAllKeysResponse response(impl_->message_version());
- impl_->DeleteAllKeys(request, &response);
-
- return kmError2ScopedAStatus(response.error);
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
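Review bot: deleteKey now answers KM_ERROR_OK without touching the blob, so the caller's notion of "deleted" no longer holds: a software blob is self-contained and remains usable by anyone who still has a copy of it. The comment in the new deleteKey body should state that consequence rather than only "nothing to be done", e.g. `// Software key blobs are self-contained; there is no per-key state to destroy here, so a "deleted" blob remains usable by anyone who still holds it.` The same wording fits the existing comment in deleteAllKeys. The old path went through impl_->DeleteKey and so could presumably reject a malformed blob, whereas the stub accepts any input; confirm that callers do not rely on that validation.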
ScopedAStatus MicrodroidKeyMintDevice::destroyAttestationIds() {
@@ -420,21 +390,13 @@
}
ScopedAStatus MicrodroidKeyMintDevice::deviceLocked(
- bool passwordOnly, const std::optional<secureclock::TimeStampToken>& timestampToken) {
- DeviceLockedRequest request(impl_->message_version());
- request.passwordOnly = passwordOnly;
- if (timestampToken.has_value()) {
- request.token.challenge = timestampToken->challenge;
- request.token.mac = {timestampToken->mac.data(), timestampToken->mac.size()};
- request.token.timestamp = timestampToken->timestamp.milliSeconds;
- }
- DeviceLockedResponse response = impl_->DeviceLocked(request);
- return kmError2ScopedAStatus(response.error);
+ bool, const std::optional<secureclock::TimeStampToken>&) {
+ // Microdroid doesn't yet have a concept of a locked device.
+ return kmError2ScopedAStatus(KM_ERROR_OK);
}
ScopedAStatus MicrodroidKeyMintDevice::earlyBootEnded() {
- EarlyBootEndedResponse response = impl_->EarlyBootEnded();
- return kmError2ScopedAStatus(response.error);
+ return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
}
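Review bot: deviceLocked and earlyBootEnded are both no-op stubs but return different codes (KM_ERROR_OK versus KM_ERROR_UNIMPLEMENTED), and the new earlyBootEnded body carries no comment explaining the choice. Because the lock-state notification is accepted and dropped, keys carrying Tag::UNLOCKED_DEVICE_REQUIRED are presumably never gated on lock state by this implementation; the comment in deviceLocked should record that, e.g. `// Microdroid has no concept of a locked device; the notification is accepted and dropped, so UNLOCKED_DEVICE_REQUIRED keys are never gated on lock state here.` Add a one-line comment to earlyBootEnded saying why it reports UNIMPLEMENTED while deviceLocked reports OK, so the asymmetry reads as intentional.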
ScopedAStatus MicrodroidKeyMintDevice::convertStorageKeyToEphemeral(
@@ -458,15 +420,11 @@
}
AuthorizationSet emptySet;
- *keyCharacteristics = convertKeyCharacteristics(securityLevel_, emptySet, response.unenforced,
- response.enforced,
- /* include_keystore_enforced = */ false);
+ *keyCharacteristics =
+ convertKeyCharacteristics(emptySet, response.unenforced, response.enforced,
+ /* include_keystore_enforced = */ false);
return ScopedAStatus::ok();
}
-IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel) {
- return ::new MicrodroidKeyMintDevice(securityLevel);
-}
-
} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/include/MicrodroidKeyMintDevice.h b/microdroid/keymint/include/MicrodroidKeyMintDevice.h
index 34d09bf..db2c806 100644
--- a/microdroid/keymint/include/MicrodroidKeyMintDevice.h
+++ b/microdroid/keymint/include/MicrodroidKeyMintDevice.h
@@ -34,7 +34,7 @@
class MicrodroidKeyMintDevice : public BnKeyMintDevice {
public:
- explicit MicrodroidKeyMintDevice(SecurityLevel securityLevel);
+ MicrodroidKeyMintDevice();
virtual ~MicrodroidKeyMintDevice();
ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;
@@ -85,9 +85,6 @@
protected:
std::shared_ptr<::keymaster::AndroidKeymaster> impl_;
- SecurityLevel securityLevel_;
};
-IKeyMintDevice* CreateKeyMintDevice(SecurityLevel securityLevel);
-
} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/service.cpp b/microdroid/keymint/service.cpp
index 2cdad0f..325e852 100644
--- a/microdroid/keymint/service.cpp
+++ b/microdroid/keymint/service.cpp
@@ -34,7 +34,7 @@
// Add Keymint Service
std::shared_ptr<MicrodroidKeyMintDevice> keyMint =
- ndk::SharedRefBase::make<MicrodroidKeyMintDevice>(SecurityLevel::SOFTWARE);
+ ndk::SharedRefBase::make<MicrodroidKeyMintDevice>();
auto instanceName = std::string(MicrodroidKeyMintDevice::descriptor) + "/default";
LOG(INFO) << "adding keymint service instance: " << instanceName;
binder_status_t status =