Implement secretkeeper HAL v2
V2 of the HAL includes an operation to get the secretkeeper public key.
Conditionally (when the new HAL version is available) use this
operation to get the key instead of reading it from the device tree.
Test: TH
Bug: 372223451
Change-Id: I893604ce5fc25d3e1c7261afa0de915902154be6
diff --git a/android/virtmgr/src/aidl.rs b/android/virtmgr/src/aidl.rs
index 1cae344..ccfcc2e 100644
--- a/android/virtmgr/src/aidl.rs
+++ b/android/virtmgr/src/aidl.rs
@@ -53,6 +53,7 @@
};
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::ISecretkeeper::{BnSecretkeeper, ISecretkeeper};
use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::SecretId::SecretId;
+use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::PublicKey::PublicKey;
use android_hardware_security_authgraph::aidl::android::hardware::security::authgraph::{
Arc::Arc as AuthgraphArc, IAuthGraphKeyExchange::IAuthGraphKeyExchange,
IAuthGraphKeyExchange::BnAuthGraphKeyExchange, Identity::Identity, KeInitResult::KeInitResult,
@@ -865,16 +866,33 @@
.context("Failed to extract vendor hashtree digest")
.or_service_specific_exception(-1)?;
- let trusted_props = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
+ let vendor_hashtree_digest = if let Some(ref vendor_hashtree_digest) = vendor_hashtree_digest {
info!(
"Passing vendor hashtree digest to pvmfw. This will be rejected if it doesn't \
match the trusted digest in the pvmfw config, causing the VM to fail to start."
);
- vec![(cstr!("vendor_hashtree_descriptor_root_digest"), vendor_hashtree_digest.as_slice())]
+ Some((cstr!("vendor_hashtree_descriptor_root_digest"), vendor_hashtree_digest.as_slice()))
} else {
- vec![]
+ None
};
+ let key_material;
+ let secretkeeper_public_key = if is_secretkeeper_supported() {
+ let sk: Strong<dyn ISecretkeeper> = binder::wait_for_interface(SECRETKEEPER_IDENTIFIER)?;
+ if sk.getInterfaceVersion()? >= 2 {
+ let PublicKey { keyMaterial } = sk.getSecretkeeperIdentity()?;
+ key_material = keyMaterial;
+ Some((cstr!("secretkeeper_public_key"), key_material.as_slice()))
+ } else {
+ None
+ }
+ } else {
+ None
+ };
+
+ let trusted_props: Vec<(&CStr, &[u8])> =
+ vec![vendor_hashtree_digest, secretkeeper_public_key].into_iter().flatten().collect();
+
let instance_id;
let mut untrusted_props = Vec::with_capacity(2);
if cfg!(llpvm_changes) {
@@ -2014,6 +2032,14 @@
fn deleteAll(&self) -> binder::Result<()> {
self.0.deleteAll()
}
+
+ fn getSecretkeeperIdentity(&self) -> binder::Result<PublicKey> {
+ // SecretkeeperProxy is really a RPC binder service for PVM (It is called by
+ // MicrodroidManager). PVMs do not & must not (for security reason) rely on
+ // getSecretKeeperIdentity, so we throw an exception if someone attempts to
+ // use this API from the proxy.
+ Err(ExceptionCode::SECURITY.into())
+ }
}
struct AuthGraphKeyExchangeProxy(Strong<dyn IAuthGraphKeyExchange>);
diff --git a/android/virtualizationservice/aidl/Android.bp b/android/virtualizationservice/aidl/Android.bp
index 79a9d40..db7be71 100644
--- a/android/virtualizationservice/aidl/Android.bp
+++ b/android/virtualizationservice/aidl/Android.bp
@@ -111,7 +111,7 @@
name: "android.system.virtualmachineservice",
srcs: ["android/system/virtualmachineservice/**/*.aidl"],
imports: [
- "android.hardware.security.secretkeeper-V1",
+ "android.hardware.security.secretkeeper-V2",
"android.system.virtualizationcommon",
],
unstable: true,
diff --git a/android/virtualizationservice/src/maintenance.rs b/android/virtualizationservice/src/maintenance.rs
index 8e04075..87ba412 100644
--- a/android/virtualizationservice/src/maintenance.rs
+++ b/android/virtualizationservice/src/maintenance.rs
@@ -297,7 +297,9 @@
mod tests {
use super::*;
use android_hardware_security_authgraph::aidl::android::hardware::security::authgraph;
- use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper;
+ use android_hardware_security_secretkeeper::aidl::android::hardware::security::secretkeeper::{
+ self, PublicKey::PublicKey,
+ };
use authgraph::IAuthGraphKeyExchange::IAuthGraphKeyExchange;
use secretkeeper::ISecretkeeper::BnSecretkeeper;
use std::sync::{Arc, Mutex};
@@ -335,6 +337,10 @@
self.history.lock().unwrap().push(SkOp::DeleteAll);
Ok(())
}
+
+ fn getSecretkeeperIdentity(&self) -> binder::Result<PublicKey> {
+ unimplemented!()
+ }
}
impl binder::Interface for FakeSk {}