Merge "Remove workarounds by data_device_bins"
diff --git a/microdroid/Android.bp b/microdroid/Android.bp
index e078108..6f27ce1 100644
--- a/microdroid/Android.bp
+++ b/microdroid/Android.bp
@@ -73,7 +73,6 @@
"apexd",
"debuggerd",
"diced.microdroid",
- "keystore2_microdroid",
"linker",
"linkerconfig",
"servicemanager.microdroid",
@@ -81,15 +80,10 @@
"cgroups.json",
"public.libraries.android.txt",
- // TODO(b/185767624): remove hidl after full keymint support
- "hwservicemanager",
-
"microdroid_plat_sepolicy_and_mapping.sha256",
"microdroid_file_contexts",
- "microdroid_hwservice_contexts",
"microdroid_property_contexts",
"microdroid_service_contexts",
- "microdroid_keystore2_key_contexts",
"microdroid_compatibility_matrix",
"microdroid_manifest",
@@ -179,7 +173,6 @@
use_avb: true,
deps: [
"android.hardware.security.dice-service.microdroid",
- "android.hardware.security.keymint-service.microdroid",
"microdroid_fstab",
"microdroid_precompiled_sepolicy.plat_sepolicy_and_mapping.sha256",
"microdroid_vendor_manifest",
diff --git a/microdroid/init.rc b/microdroid/init.rc
index e76260e..ebe2464 100644
--- a/microdroid/init.rc
+++ b/microdroid/init.rc
@@ -83,9 +83,6 @@
setprop ro.debuggable ${ro.boot.microdroid.debuggable:-0}
- # TODO(b/185767624): remove hidl after full keymint support
- start hwservicemanager
-
on init && property:ro.boot.logd.enabled=1
# Start logd before any other services run to ensure we capture all of their logs.
start logd
@@ -138,21 +135,15 @@
# We restorecon /data in case the userdata partition has been reset.
restorecon /data
- # set up keystore directory structure first so that we can end early boot
+ # set up misc directory structure first so that we can end early boot
# and start apexd
mkdir /data/misc 01771 system misc
- mkdir /data/misc/keystore 0700 keystore keystore
# work around b/183668221
- restorecon /data/misc /data/misc/keystore
-
- start keystore2
+ restorecon /data/misc
mkdir /data/misc/authfs 0700 root root
start authfs_service
-on late-fs
- start vendor.keymint-microdroid
-
on post-fs-data
mark_post_data
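Review bot: The comment kept at the top of this block, `# set up misc directory structure first so that we can end early boot`, has lost its referent: the `start keystore2` it motivated is removed here, and the `setprop keystore.boot_level 30` that presumably paired with it is dropped in the next hunk of this file, so nothing left in the block appears to end early boot. Suggest rewording it to what the block still does, e.g. `# set up the /data/misc directory structure before the services that depend on it (authfs_service) are started`, and extending the `# work around b/183668221` comment to say what the lone `restorecon /data/misc` now fixes, since the reader can no longer infer that from the removed keystore path. The enclosing `on` action begins before this hunk and the `on post-fs-data` action continues after it.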
@@ -169,12 +160,6 @@
start tombstoned
- # Boot level 30
- # odsign signing keys have MAX_BOOT_LEVEL=30
- # This is currently the earliest boot level, but we start at 30
- # to leave room for earlier levels.
- setprop keystore.boot_level 30
-
# For security reasons, /data/local/tmp should always be empty.
# Do not place files or directories in /data/local/tmp
mkdir /data/local 0751 root root
diff --git a/microdroid/keymint/Android.bp b/microdroid/keymint/Android.bp
deleted file mode 100644
index 7915ada..0000000
--- a/microdroid/keymint/Android.bp
+++ /dev/null
@@ -1,41 +0,0 @@
-package {
- default_applicable_licenses: ["Android-Apache-2.0"],
-}
-
-cc_binary {
- name: "android.hardware.security.keymint-service.microdroid",
- relative_install_path: "hw",
- init_rc: ["android.hardware.security.keymint-service.microdroid.rc"],
- vintf_fragments: [
- "android.hardware.security.keymint-service.microdroid.xml",
- ],
- vendor: true,
- cflags: [
- "-Wall",
- "-Wextra",
- ],
- defaults: [
- "keymint_use_latest_hal_aidl_ndk_shared",
- ],
- shared_libs: [
- "lib_android_keymaster_keymint_utils",
- "libbase",
- "libbinder_ndk",
- "libcppbor_external",
- "libcrypto",
- "libkeymaster_portable",
- "libkeymint",
- "liblog",
- "libpuresoftkeymasterdevice",
- "libsoft_attestation_cert",
- "libutils",
- ],
- local_include_dirs: [
- "include",
- ],
- srcs: [
- "MicrodroidKeyMintDevice.cpp",
- "MicrodroidKeymasterContext.cpp",
- "service.cpp",
- ],
-}
diff --git a/microdroid/keymint/MicrodroidKeyMintDevice.cpp b/microdroid/keymint/MicrodroidKeyMintDevice.cpp
deleted file mode 100644
index c2f01f2..0000000
--- a/microdroid/keymint/MicrodroidKeyMintDevice.cpp
+++ /dev/null
@@ -1,431 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define LOG_TAG "android.hardware.security.keymint-impl"
-#include "MicrodroidKeyMintDevice.h"
-
-#include <AndroidKeyMintOperation.h>
-#include <KeyMintUtils.h>
-#include <aidl/android/hardware/security/keymint/ErrorCode.h>
-#include <android-base/logging.h>
-#include <keymaster/android_keymaster.h>
-#include <keymaster/contexts/pure_soft_keymaster_context.h>
-#include <keymaster/keymaster_configuration.h>
-
-#include "MicrodroidKeyMintDevice.h"
-#include "MicrodroidKeymasterContext.h"
-
-namespace aidl::android::hardware::security::keymint {
-
-using namespace keymaster; // NOLINT(google-build-using-namespace)
-
-using km_utils::authToken2AidlVec;
-using km_utils::kmBlob2vector;
-using km_utils::kmError2ScopedAStatus;
-using km_utils::kmParam2Aidl;
-using km_utils::KmParamSet;
-using km_utils::kmParamSet2Aidl;
-using km_utils::legacy_enum_conversion;
-using secureclock::TimeStampToken;
-
-namespace {
-
-vector<KeyCharacteristics> convertKeyCharacteristics(const AuthorizationSet& requestParams,
- const AuthorizationSet& sw_enforced,
- const AuthorizationSet& hw_enforced,
- bool include_keystore_enforced = true) {
- KeyCharacteristics keyMintEnforced{SecurityLevel::SOFTWARE, {}};
- KeyCharacteristics keystoreEnforced{SecurityLevel::KEYSTORE, {}};
- CHECK(hw_enforced.empty()) << "Hardware-enforced list is non-empty for pure SW KeyMint";
-
- // This is a pure software implementation, so all tags are in sw_enforced.
- // We need to walk through the SW-enforced list and figure out which tags to
- // return in the software list and which in the keystore list.
-
- for (auto& entry : sw_enforced) {
- switch (entry.tag) {
- /* Invalid and unused */
- case KM_TAG_ECIES_SINGLE_HASH_MODE:
- case KM_TAG_INVALID:
- case KM_TAG_KDF:
- case KM_TAG_ROLLBACK_RESISTANCE:
- CHECK(false) << "We shouldn't see tag " << entry.tag;
- break;
-
- /* Unimplemented */
- case KM_TAG_ALLOW_WHILE_ON_BODY:
- case KM_TAG_BOOTLOADER_ONLY:
- case KM_TAG_EARLY_BOOT_ONLY:
- case KM_TAG_ROLLBACK_RESISTANT:
- case KM_TAG_STORAGE_KEY:
- case KM_TAG_TRUSTED_CONFIRMATION_REQUIRED:
- case KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED:
- break;
-
- /* Keystore-enforced if not locally generated. */
- case KM_TAG_CREATION_DATETIME:
- // A KeyMaster implementation is required to add this tag to generated/imported
- // keys. A KeyMint implementation is not required to create this tag, only to echo
- // it back if it was included in the key generation/import request.
- if (requestParams.Contains(KM_TAG_CREATION_DATETIME)) {
- keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
- }
- break;
-
- /* Disallowed in KeyCharacteristics */
- case KM_TAG_APPLICATION_DATA:
- case KM_TAG_ATTESTATION_APPLICATION_ID:
- break;
-
- /* Not key characteristics */
- case KM_TAG_ASSOCIATED_DATA:
- case KM_TAG_ATTESTATION_CHALLENGE:
- case KM_TAG_ATTESTATION_ID_BRAND:
- case KM_TAG_ATTESTATION_ID_DEVICE:
- case KM_TAG_ATTESTATION_ID_IMEI:
- case KM_TAG_ATTESTATION_ID_MANUFACTURER:
- case KM_TAG_ATTESTATION_ID_MEID:
- case KM_TAG_ATTESTATION_ID_MODEL:
- case KM_TAG_ATTESTATION_ID_PRODUCT:
- case KM_TAG_ATTESTATION_ID_SERIAL:
- case KM_TAG_AUTH_TOKEN:
- case KM_TAG_CERTIFICATE_SERIAL:
- case KM_TAG_CERTIFICATE_SUBJECT:
- case KM_TAG_CERTIFICATE_NOT_AFTER:
- case KM_TAG_CERTIFICATE_NOT_BEFORE:
- case KM_TAG_CONFIRMATION_TOKEN:
- case KM_TAG_DEVICE_UNIQUE_ATTESTATION:
- case KM_TAG_IDENTITY_CREDENTIAL_KEY:
- case KM_TAG_MAC_LENGTH:
- case KM_TAG_NONCE:
- case KM_TAG_RESET_SINCE_ID_ROTATION:
- case KM_TAG_ROOT_OF_TRUST:
- case KM_TAG_UNIQUE_ID:
- break;
-
- /* KeyMint-enforced */
- case KM_TAG_ALGORITHM:
- case KM_TAG_APPLICATION_ID:
- case KM_TAG_AUTH_TIMEOUT:
- case KM_TAG_BLOB_USAGE_REQUIREMENTS:
- case KM_TAG_BLOCK_MODE:
- case KM_TAG_BOOT_PATCHLEVEL:
- case KM_TAG_CALLER_NONCE:
- case KM_TAG_DIGEST:
- case KM_TAG_EC_CURVE:
- case KM_TAG_EXPORTABLE:
- case KM_TAG_INCLUDE_UNIQUE_ID:
- case KM_TAG_KEY_SIZE:
- case KM_TAG_MAX_USES_PER_BOOT:
- case KM_TAG_MIN_MAC_LENGTH:
- case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
- case KM_TAG_NO_AUTH_REQUIRED:
- case KM_TAG_ORIGIN:
- case KM_TAG_OS_PATCHLEVEL:
- case KM_TAG_OS_VERSION:
- case KM_TAG_PADDING:
- case KM_TAG_PURPOSE:
- case KM_TAG_RSA_OAEP_MGF_DIGEST:
- case KM_TAG_RSA_PUBLIC_EXPONENT:
- case KM_TAG_UNLOCKED_DEVICE_REQUIRED:
- case KM_TAG_USER_AUTH_TYPE:
- case KM_TAG_USER_SECURE_ID:
- case KM_TAG_VENDOR_PATCHLEVEL:
- keyMintEnforced.authorizations.push_back(kmParam2Aidl(entry));
- break;
-
- /* Keystore-enforced */
- case KM_TAG_ACTIVE_DATETIME:
- case KM_TAG_ALL_APPLICATIONS:
- case KM_TAG_ALL_USERS:
- case KM_TAG_MAX_BOOT_LEVEL:
- case KM_TAG_ORIGINATION_EXPIRE_DATETIME:
- case KM_TAG_USAGE_EXPIRE_DATETIME:
- case KM_TAG_USER_ID:
- case KM_TAG_USAGE_COUNT_LIMIT:
- keystoreEnforced.authorizations.push_back(kmParam2Aidl(entry));
- break;
- }
- }
-
- vector<KeyCharacteristics> retval;
- retval.reserve(2);
- if (!keyMintEnforced.authorizations.empty()) retval.push_back(std::move(keyMintEnforced));
- if (include_keystore_enforced && !keystoreEnforced.authorizations.empty()) {
- retval.push_back(std::move(keystoreEnforced));
- }
-
- return retval;
-}
-
-Certificate convertCertificate(const keymaster_blob_t& cert) {
- return {std::vector<uint8_t>(cert.data, cert.data + cert.data_length)};
-}
-
-vector<Certificate> convertCertificateChain(const CertificateChain& chain) {
- vector<Certificate> retval;
- retval.reserve(chain.entry_count);
- std::transform(chain.begin(), chain.end(), std::back_inserter(retval), convertCertificate);
- return retval;
-}
-
-void addClientAndAppData(const std::vector<uint8_t>& appId, const std::vector<uint8_t>& appData,
- ::keymaster::AuthorizationSet* params) {
- params->Clear();
- if (appId.size()) {
- params->push_back(::keymaster::TAG_APPLICATION_ID, appId.data(), appId.size());
- }
- if (appData.size()) {
- params->push_back(::keymaster::TAG_APPLICATION_DATA, appData.data(), appData.size());
- }
-}
-
-} // namespace
-
-constexpr size_t kOperationTableSize = 16;
-
-MicrodroidKeyMintDevice::MicrodroidKeyMintDevice(::keymaster::KeymasterKeyBlob& rootKey)
- : impl_(new ::keymaster::AndroidKeymaster(
- [&]() -> auto {
- auto context = new MicrodroidKeymasterContext(KmVersion::KEYMINT_1, rootKey);
- context->SetSystemVersion(::keymaster::GetOsVersion(),
- ::keymaster::GetOsPatchlevel());
- return context;
- }(),
- kOperationTableSize)) {}
-
-MicrodroidKeyMintDevice::~MicrodroidKeyMintDevice() {}
-
-ScopedAStatus MicrodroidKeyMintDevice::getHardwareInfo(KeyMintHardwareInfo* info) {
- info->versionNumber = 1;
- info->securityLevel = SecurityLevel::SOFTWARE;
- info->keyMintName = "MicrodroidKeyMintDevice";
- info->keyMintAuthorName = "Google";
- info->timestampTokenRequired = false;
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::addRngEntropy(const vector<uint8_t>& data) {
- if (data.size() == 0) {
- return ScopedAStatus::ok();
- }
-
- AddEntropyRequest request(impl_->message_version());
- request.random_data.Reinitialize(data.data(), data.size());
-
- AddEntropyResponse response(impl_->message_version());
- impl_->AddRngEntropy(request, &response);
-
- return kmError2ScopedAStatus(response.error);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::generateKey(const vector<KeyParameter>& keyParams,
- const optional<AttestationKey>& attestationKey,
- KeyCreationResult* creationResult) {
- GenerateKeyRequest request(impl_->message_version());
- request.key_description.Reinitialize(KmParamSet(keyParams));
- if (attestationKey) {
- request.attestation_signing_key_blob =
- KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
- request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
- request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
- attestationKey->issuerSubjectName.size());
- }
-
- GenerateKeyResponse response(impl_->message_version());
- impl_->GenerateKey(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- // Note a key difference between this current aidl and previous hal, is
- // that hal returns void where as aidl returns the error status. If
- // aidl returns error, then aidl will not return any change you may make
- // to the out parameters. This is quite different from hal where all
- // output variable can be modified due to hal returning void.
- //
- // So the caller need to be aware not to expect aidl functions to clear
- // the output variables for you in case of error. If you left some
- // wrong data set in the out parameters, they will stay there.
- return kmError2ScopedAStatus(response.error);
- }
-
- creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(request.key_description, response.unenforced,
- response.enforced);
- creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::importKey(const vector<KeyParameter>& keyParams,
- KeyFormat keyFormat,
- const vector<uint8_t>& keyData,
- const optional<AttestationKey>& attestationKey,
- KeyCreationResult* creationResult) {
- ImportKeyRequest request(impl_->message_version());
- request.key_description.Reinitialize(KmParamSet(keyParams));
- request.key_format = legacy_enum_conversion(keyFormat);
- request.key_data = KeymasterKeyBlob(keyData.data(), keyData.size());
- if (attestationKey) {
- request.attestation_signing_key_blob =
- KeymasterKeyBlob(attestationKey->keyBlob.data(), attestationKey->keyBlob.size());
- request.attest_key_params.Reinitialize(KmParamSet(attestationKey->attestKeyParams));
- request.issuer_subject = KeymasterBlob(attestationKey->issuerSubjectName.data(),
- attestationKey->issuerSubjectName.size());
- }
-
- ImportKeyResponse response(impl_->message_version());
- impl_->ImportKey(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- return kmError2ScopedAStatus(response.error);
- }
-
- creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(request.key_description, response.unenforced,
- response.enforced);
- creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
-
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::importWrappedKey(
- const vector<uint8_t>& wrappedKeyData, const vector<uint8_t>& wrappingKeyBlob,
- const vector<uint8_t>& maskingKey, const vector<KeyParameter>& unwrappingParams,
- int64_t passwordSid, int64_t biometricSid, KeyCreationResult* creationResult) {
- ImportWrappedKeyRequest request(impl_->message_version());
- request.SetWrappedMaterial(wrappedKeyData.data(), wrappedKeyData.size());
- request.SetWrappingMaterial(wrappingKeyBlob.data(), wrappingKeyBlob.size());
- request.SetMaskingKeyMaterial(maskingKey.data(), maskingKey.size());
- request.additional_params.Reinitialize(KmParamSet(unwrappingParams));
- request.password_sid = static_cast<uint64_t>(passwordSid);
- request.biometric_sid = static_cast<uint64_t>(biometricSid);
-
- ImportWrappedKeyResponse response(impl_->message_version());
- impl_->ImportWrappedKey(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- return kmError2ScopedAStatus(response.error);
- }
-
- creationResult->keyBlob = kmBlob2vector(response.key_blob);
- creationResult->keyCharacteristics =
- convertKeyCharacteristics(request.additional_params, response.unenforced,
- response.enforced);
- creationResult->certificateChain = convertCertificateChain(response.certificate_chain);
-
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
- const vector<KeyParameter>& upgradeParams,
- vector<uint8_t>* keyBlob) {
- UpgradeKeyRequest request(impl_->message_version());
- request.SetKeyMaterial(keyBlobToUpgrade.data(), keyBlobToUpgrade.size());
- request.upgrade_params.Reinitialize(KmParamSet(upgradeParams));
-
- UpgradeKeyResponse response(impl_->message_version());
- impl_->UpgradeKey(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- return kmError2ScopedAStatus(response.error);
- }
-
- *keyBlob = kmBlob2vector(response.upgraded_key);
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::deleteKey(const vector<uint8_t>&) {
- // There's nothing to be done to delete software key blobs.
- return kmError2ScopedAStatus(KM_ERROR_OK);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::deleteAllKeys() {
- // There's nothing to be done to delete software key blobs.
- return kmError2ScopedAStatus(KM_ERROR_OK);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::destroyAttestationIds() {
- return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
- const vector<KeyParameter>& params,
- const optional<HardwareAuthToken>& authToken,
- BeginResult* result) {
- BeginOperationRequest request(impl_->message_version());
- request.purpose = legacy_enum_conversion(purpose);
- request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
- request.additional_params.Reinitialize(KmParamSet(params));
-
- vector<uint8_t> vector_token = authToken2AidlVec(authToken);
- request.additional_params.push_back(TAG_AUTH_TOKEN,
- reinterpret_cast<uint8_t*>(vector_token.data()),
- vector_token.size());
-
- BeginOperationResponse response(impl_->message_version());
- impl_->BeginOperation(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- return kmError2ScopedAStatus(response.error);
- }
-
- result->params = kmParamSet2Aidl(response.output_params);
- result->challenge = response.op_handle;
- result->operation =
- ndk::SharedRefBase::make<AndroidKeyMintOperation>(impl_, response.op_handle);
- return ScopedAStatus::ok();
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::deviceLocked(
- bool, const std::optional<secureclock::TimeStampToken>&) {
- // Microdroid doesn't yet have a concept of a locked device.
- return kmError2ScopedAStatus(KM_ERROR_OK);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::earlyBootEnded() {
- return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::convertStorageKeyToEphemeral(
- const std::vector<uint8_t>& /* storageKeyBlob */,
- std::vector<uint8_t>* /* ephemeralKeyBlob */) {
- return kmError2ScopedAStatus(KM_ERROR_UNIMPLEMENTED);
-}
-
-ScopedAStatus MicrodroidKeyMintDevice::getKeyCharacteristics(
- const std::vector<uint8_t>& keyBlob, const std::vector<uint8_t>& appId,
- const std::vector<uint8_t>& appData, std::vector<KeyCharacteristics>* keyCharacteristics) {
- GetKeyCharacteristicsRequest request(impl_->message_version());
- request.SetKeyMaterial(keyBlob.data(), keyBlob.size());
- addClientAndAppData(appId, appData, &request.additional_params);
-
- GetKeyCharacteristicsResponse response(impl_->message_version());
- impl_->GetKeyCharacteristics(request, &response);
-
- if (response.error != KM_ERROR_OK) {
- return kmError2ScopedAStatus(response.error);
- }
-
- AuthorizationSet emptySet;
- *keyCharacteristics =
- convertKeyCharacteristics(emptySet, response.unenforced, response.enforced,
- /* include_keystore_enforced = */ false);
-
- return ScopedAStatus::ok();
-}
-
-} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/MicrodroidKeymasterContext.cpp b/microdroid/keymint/MicrodroidKeymasterContext.cpp
deleted file mode 100644
index 1d1346b..0000000
--- a/microdroid/keymint/MicrodroidKeymasterContext.cpp
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "MicrodroidKeymasterContext.h"
-
-#include <android-base/logging.h>
-#include <keymaster/key.h>
-#include <keymaster/key_blob_utils/auth_encrypted_key_blob.h>
-#include <keymaster/key_blob_utils/software_keyblobs.h>
-
-using namespace ::keymaster;
-
-// This value is used for the ROOT_OF_TRUST tag which is only used in
-// attestation records which aren't supported in this implementation so a
-// constant doesn't cause any hard. MicroDroid SoftWare root-of-trust.
-static uint8_t SWROT[] = {'M', 'D', 'S', 'W'};
-static const KeymasterBlob microdroidSoftwareRootOfTrust(SWROT);
-
-keymaster_error_t MicrodroidKeymasterContext::CreateKeyBlob(const AuthorizationSet& key_description,
- keymaster_key_origin_t origin,
- const KeymasterKeyBlob& key_material,
- KeymasterKeyBlob* blob,
- AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
- keymaster_error_t error;
-
- if (key_description.GetTagValue(TAG_ROLLBACK_RESISTANCE)) {
- return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
- }
-
- error = SetKeyBlobAuthorizations(key_description, origin, os_version_, os_patchlevel_,
- hw_enforced, sw_enforced);
- if (error != KM_ERROR_OK) return error;
-
- AuthorizationSet hidden;
- error = BuildHiddenAuthorizations(key_description, &hidden, microdroidSoftwareRootOfTrust);
- if (error != KM_ERROR_OK) return error;
-
- CHECK(hw_enforced->empty());
-
- // Note that the authorizations included in the blob are not encrypted. This
- // doesn't pose a problem for the current applications but may be a
- // candidate for hardening.
- auto encrypted_key = EncryptKey(key_material, AES_GCM_WITH_SW_ENFORCED, *hw_enforced,
- *sw_enforced, hidden, SecureDeletionData{}, root_key_, random_);
- if (!encrypted_key) return encrypted_key.error();
-
- auto serialized = SerializeAuthEncryptedBlob(*encrypted_key, *hw_enforced, *sw_enforced,
- 0 /* key_slot */);
- if (!serialized) return serialized.error();
- *blob = *serialized;
- return KM_ERROR_OK;
-}
-
-keymaster_error_t MicrodroidKeymasterContext::ParseKeyBlob(
- const KeymasterKeyBlob& blob, const AuthorizationSet& additional_params,
- UniquePtr<Key>* key) const {
- keymaster_error_t error;
-
- AuthorizationSet hidden;
- error = BuildHiddenAuthorizations(additional_params, &hidden, microdroidSoftwareRootOfTrust);
- if (error != KM_ERROR_OK) return error;
-
- auto deserialized_key = DeserializeAuthEncryptedBlob(blob);
- if (!deserialized_key) return deserialized_key.error();
-
- keymaster_algorithm_t algorithm;
- if (!deserialized_key->sw_enforced.GetTagValue(TAG_ALGORITHM, &algorithm)) {
- return KM_ERROR_INVALID_ARGUMENT;
- }
-
- auto key_material = DecryptKey(*deserialized_key, hidden, SecureDeletionData{}, root_key_);
- if (!key_material) return key_material.error();
-
- auto factory = GetKeyFactory(algorithm);
- return factory->LoadKey(move(*key_material), additional_params,
- move(deserialized_key->hw_enforced),
- move(deserialized_key->sw_enforced), key);
-}
-
-static bool UpgradeIntegerTag(keymaster_tag_t tag, uint32_t value, AuthorizationSet* set) {
- int index = set->find(tag);
- if (index == -1) {
- keymaster_key_param_t param;
- param.tag = tag;
- param.integer = value;
- set->push_back(param);
- return true;
- }
-
- if (set->params[index].integer > value) return false;
-
- if (set->params[index].integer != value) {
- set->params[index].integer = value;
- }
- return true;
-}
-
-keymaster_error_t MicrodroidKeymasterContext::UpgradeKeyBlob(const KeymasterKeyBlob& key_to_upgrade,
- const AuthorizationSet& upgrade_params,
- KeymasterKeyBlob* upgraded_key) const {
- UniquePtr<Key> key;
- keymaster_error_t error = ParseKeyBlob(key_to_upgrade, upgrade_params, &key);
- if (error != KM_ERROR_OK) return error;
-
- if (os_version_ == 0) {
- // We need to allow "upgrading" OS version to zero, to support upgrading from proper
- // numbered releases to unnumbered development and preview releases.
-
- int key_os_version_pos = key->sw_enforced().find(TAG_OS_VERSION);
- if (key_os_version_pos != -1) {
- uint32_t key_os_version = key->sw_enforced()[key_os_version_pos].integer;
- if (key_os_version != 0) {
- key->sw_enforced()[key_os_version_pos].integer = os_version_;
- }
- }
- }
-
- if (!UpgradeIntegerTag(TAG_OS_VERSION, os_version_, &key->sw_enforced()) ||
- !UpgradeIntegerTag(TAG_OS_PATCHLEVEL, os_patchlevel_, &key->sw_enforced()))
- // One of the version fields would have been a downgrade. Not allowed.
- return KM_ERROR_INVALID_ARGUMENT;
-
- AuthorizationSet hidden;
- error = BuildHiddenAuthorizations(upgrade_params, &hidden, microdroidSoftwareRootOfTrust);
- if (error != KM_ERROR_OK) return error;
-
- auto encrypted_key =
- EncryptKey(key->key_material(), AES_GCM_WITH_SW_ENFORCED, key->hw_enforced(),
- key->sw_enforced(), hidden, SecureDeletionData{}, root_key_, random_);
- if (!encrypted_key) return encrypted_key.error();
-
- auto serialized = SerializeAuthEncryptedBlob(*encrypted_key, key->hw_enforced(),
- key->sw_enforced(), 0 /* key_slot */);
- if (!serialized) return serialized.error();
-
- *upgraded_key = std::move(*serialized);
- return error;
-}
diff --git a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc
deleted file mode 100644
index d6851bd..0000000
--- a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.rc
+++ /dev/null
@@ -1,3 +0,0 @@
-service vendor.keymint-microdroid /vendor/bin/hw/android.hardware.security.keymint-service.microdroid
- class early_hal
- user nobody
diff --git a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml b/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml
deleted file mode 100644
index 73d15a8..0000000
--- a/microdroid/keymint/android.hardware.security.keymint-service.microdroid.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-<manifest version="1.0" type="device">
- <hal format="aidl">
- <name>android.hardware.security.keymint</name>
- <fqname>IKeyMintDevice/default</fqname>
- </hal>
-</manifest>
diff --git a/microdroid/keymint/include/MicrodroidKeyMintDevice.h b/microdroid/keymint/include/MicrodroidKeyMintDevice.h
deleted file mode 100644
index dec7baa..0000000
--- a/microdroid/keymint/include/MicrodroidKeyMintDevice.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#pragma once
-
-#include <aidl/android/hardware/security/keymint/BnKeyMintDevice.h>
-#include <aidl/android/hardware/security/keymint/BnKeyMintOperation.h>
-#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
-#include <keymaster/android_keymaster_utils.h>
-
-namespace keymaster {
-class AndroidKeymaster;
-}
-
-namespace aidl::android::hardware::security::keymint {
-using ::ndk::ScopedAStatus;
-using std::optional;
-using std::shared_ptr;
-using std::vector;
-
-using secureclock::TimeStampToken;
-
-class MicrodroidKeyMintDevice : public BnKeyMintDevice {
-public:
- explicit MicrodroidKeyMintDevice(::keymaster::KeymasterKeyBlob& rootKey);
- virtual ~MicrodroidKeyMintDevice();
-
- ScopedAStatus getHardwareInfo(KeyMintHardwareInfo* info) override;
-
- ScopedAStatus addRngEntropy(const vector<uint8_t>& data) override;
-
- ScopedAStatus generateKey(const vector<KeyParameter>& keyParams,
- const optional<AttestationKey>& attestationKey,
- KeyCreationResult* creationResult) override;
-
- ScopedAStatus importKey(const vector<KeyParameter>& keyParams, KeyFormat keyFormat,
- const vector<uint8_t>& keyData,
- const optional<AttestationKey>& attestationKey,
- KeyCreationResult* creationResult) override;
-
- ScopedAStatus importWrappedKey(const vector<uint8_t>& wrappedKeyData,
- const vector<uint8_t>& wrappingKeyBlob,
- const vector<uint8_t>& maskingKey,
- const vector<KeyParameter>& unwrappingParams,
- int64_t passwordSid, int64_t biometricSid,
- KeyCreationResult* creationResult) override;
-
- ScopedAStatus upgradeKey(const vector<uint8_t>& keyBlobToUpgrade,
- const vector<KeyParameter>& upgradeParams,
- vector<uint8_t>* keyBlob) override;
-
- ScopedAStatus deleteKey(const vector<uint8_t>& keyBlob) override;
- ScopedAStatus deleteAllKeys() override;
- ScopedAStatus destroyAttestationIds() override;
-
- ScopedAStatus begin(KeyPurpose purpose, const vector<uint8_t>& keyBlob,
- const vector<KeyParameter>& params,
- const optional<HardwareAuthToken>& authToken, BeginResult* result) override;
-
- ScopedAStatus deviceLocked(bool passwordOnly,
- const optional<TimeStampToken>& timestampToken) override;
- ScopedAStatus earlyBootEnded() override;
-
- ScopedAStatus convertStorageKeyToEphemeral(const std::vector<uint8_t>& storageKeyBlob,
- std::vector<uint8_t>* ephemeralKeyBlob) override;
-
- ScopedAStatus getKeyCharacteristics(
- const std::vector<uint8_t>& keyBlob, const std::vector<uint8_t>& appId,
- const std::vector<uint8_t>& appData,
- std::vector<KeyCharacteristics>* keyCharacteristics) override;
-
- shared_ptr<::keymaster::AndroidKeymaster>& getKeymasterImpl() { return impl_; }
-
-protected:
- std::shared_ptr<::keymaster::AndroidKeymaster> impl_;
-};
-
-} // namespace aidl::android::hardware::security::keymint
diff --git a/microdroid/keymint/include/MicrodroidKeymasterContext.h b/microdroid/keymint/include/MicrodroidKeymasterContext.h
deleted file mode 100644
index 636d240..0000000
--- a/microdroid/keymint/include/MicrodroidKeymasterContext.h
+++ /dev/null
@@ -1,44 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <keymaster/contexts/pure_soft_keymaster_context.h>
-#include <keymaster/km_openssl/software_random_source.h>
-
-class MicrodroidKeymasterContext : public ::keymaster::PureSoftKeymasterContext {
-public:
- explicit MicrodroidKeymasterContext(::keymaster::KmVersion version,
- ::keymaster::KeymasterKeyBlob& root_key)
- : PureSoftKeymasterContext(version, KM_SECURITY_LEVEL_SOFTWARE), root_key_(root_key) {}
-
- keymaster_error_t CreateKeyBlob(const ::keymaster::AuthorizationSet& auths,
- keymaster_key_origin_t origin,
- const ::keymaster::KeymasterKeyBlob& key_material,
- ::keymaster::KeymasterKeyBlob* blob,
- ::keymaster::AuthorizationSet* hw_enforced,
- ::keymaster::AuthorizationSet* sw_enforced) const override;
-
- keymaster_error_t ParseKeyBlob(const ::keymaster::KeymasterKeyBlob& blob,
- const ::keymaster::AuthorizationSet& additional_params,
- ::keymaster::UniquePtr<::keymaster::Key>* key) const override;
-
- keymaster_error_t UpgradeKeyBlob(const ::keymaster::KeymasterKeyBlob& key_to_upgrade,
- const ::keymaster::AuthorizationSet& upgrade_params,
- ::keymaster::KeymasterKeyBlob* upgraded_key) const override;
-
-private:
- ::keymaster::SoftwareRandomSource random_;
- ::keymaster::KeymasterKeyBlob root_key_;
-};
diff --git a/microdroid/keymint/service.cpp b/microdroid/keymint/service.cpp
deleted file mode 100644
index 5fc0bd2..0000000
--- a/microdroid/keymint/service.cpp
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define LOG_TAG "android.hardware.security.keymint-service"
-
-#include <AndroidKeyMintDevice.h>
-#include <android-base/logging.h>
-#include <android-base/properties.h>
-#include <android-base/result.h>
-#include <android/binder_manager.h>
-#include <android/binder_process.h>
-#include <keymaster/android_keymaster_utils.h>
-#include <keymaster/mem.h>
-#include <keymaster/soft_keymaster_logger.h>
-#include <openssl/digest.h>
-#include <openssl/hkdf.h>
-#include <openssl/is_boringssl.h>
-#include <openssl/sha.h>
-
-#include "MicrodroidKeyMintDevice.h"
-
-using aidl::android::hardware::security::keymint::MicrodroidKeyMintDevice;
-using aidl::android::hardware::security::keymint::SecurityLevel;
-
-using android::base::Error;
-using android::base::GetProperty;
-using android::base::Result;
-
-using keymaster::KeymasterBlob;
-using keymaster::KeymasterKeyBlob;
-using keymaster::memset_s;
-
-namespace {
-
-template <typename T, class... Args>
-std::shared_ptr<T> addService(Args&&... args) {
- std::shared_ptr<T> ser = ndk::SharedRefBase::make<T>(std::forward<Args>(args)...);
- auto instanceName = std::string(T::descriptor) + "/default";
- LOG(INFO) << "adding keymint service instance: " << instanceName;
- binder_status_t status =
- AServiceManager_addService(ser->asBinder().get(), instanceName.c_str());
- CHECK(status == STATUS_OK);
- return ser;
-}
-
-Result<KeymasterKeyBlob> getRootKey() {
- const std::string prop = "ro.vmsecret.keymint";
- const std::chrono::seconds timeout(15);
- while (!android::base::WaitForPropertyCreation(prop, timeout)) {
- LOG(WARNING) << "waited " << timeout.count() << "seconds for " << prop
- << ", still waiting...";
- }
-
- // In a small effort to avoid spreading the secret around too widely in
- // memory, move the secert into a buffer that will wipe itself and clear
- // the original string.
- std::string secretProp = GetProperty(prop, "");
- KeymasterBlob secret(reinterpret_cast<const uint8_t*>(secretProp.data()), secretProp.size());
- memset_s(secretProp.data(), 0, secretProp.size());
- if (secret.size() < 64u) return Error() << "secret is too small";
-
- // Derive the root key from the secret to avoid getting locked into using
- // the secret directly.
- KeymasterKeyBlob rootKey(SHA512_DIGEST_LENGTH);
- const uint8_t kRootKeyIkm[] = "keymint_root_key";
- const uint8_t* kNoSalt = nullptr;
- const size_t kNoSaltLen = 0;
- if (!HKDF(rootKey.writable_data(), rootKey.size(), EVP_sha512(), (uint8_t*)secret.begin(),
- secret.size(), kNoSalt, kNoSaltLen, kRootKeyIkm, sizeof(kRootKeyIkm))) {
- return Error() << "Failed to derive a key";
- }
- if (rootKey.size() < 64u) return Error() << "root key is too small";
-
- LOG(INFO) << "root key obtained";
- return rootKey;
-}
-
-} // namespace
-
-int main() {
- auto rootKey = getRootKey();
- if (!rootKey.ok()) {
- LOG(FATAL) << "Failed to get root key: " << rootKey.error();
- }
-
- // Zero threads seems like a useless pool, but below we'll join this thread
- // to it, increasing the pool size to 1.
- ABinderProcess_setThreadPoolMaxThreadCount(0);
-
- // Add Keymint Service
- std::shared_ptr<MicrodroidKeyMintDevice> keyMint =
- ndk::SharedRefBase::make<MicrodroidKeyMintDevice>(*rootKey);
- auto instanceName = std::string(MicrodroidKeyMintDevice::descriptor) + "/default";
- LOG(INFO) << "adding keymint service instance: " << instanceName;
- binder_status_t status =
- AServiceManager_addService(keyMint->asBinder().get(), instanceName.c_str());
- CHECK(status == STATUS_OK);
-
- ABinderProcess_joinThreadPool();
- return EXIT_FAILURE; // should not reach
-}
diff --git a/microdroid/microdroid_compatibility_matrix.xml b/microdroid/microdroid_compatibility_matrix.xml
index dbc12a8..a345e30 100644
--- a/microdroid/microdroid_compatibility_matrix.xml
+++ b/microdroid/microdroid_compatibility_matrix.xml
@@ -1,10 +1,10 @@
<?xml version="1.0" encoding="UTF-8"?>
<compatibility-matrix version="1.0" type="framework">
<hal format="aidl" optional="true">
- <name>android.hardware.security.keymint</name>
+ <name>android.hardware.security.dice</name>
<version>1</version>
<interface>
- <name>IKeyMintDevice</name>
+ <name>IDiceDevice</name>
<instance>default</instance>
</interface>
</hal>
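Review bot: The replacement entry keeps `optional="true"` inherited from the keymint line it replaces, so the matrix still does not require a DICE HAL instance to be present even though the dice service is now the only security HAL the matrix lists. If the VM is expected to always have `IDiceDevice/default`, consider making it mandatory so a missing instance fails the VINTF compatibility check instead of being silently absent; the change would be `<hal format="aidl">` on the opening tag. Whether the microdroid build actually enforces the framework matrix against the vendor manifest is not visible in this diff, so confirm that before tightening.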
diff --git a/microdroid/microdroid_manifest.xml b/microdroid/microdroid_manifest.xml
index 28a374f..b84ba8f 100644
--- a/microdroid/microdroid_manifest.xml
+++ b/microdroid/microdroid_manifest.xml
@@ -1,24 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<manifest version="1.0" type="framework">
- <!--TODO(b/185767624): remove hidl after full keymint support-->
- <hal format="hidl">
- <name>android.hidl.manager</name>
- <transport>hwbinder</transport>
- <version>1.2</version>
- <interface>
- <name>IServiceManager</name>
- <instance>default</instance>
- </interface>
- <fqname>@1.2::IServiceManager/default</fqname>
- </hal>
- <hal format="hidl">
- <name>android.hidl.token</name>
- <transport>hwbinder</transport>
- <version>1.0</version>
- <interface>
- <name>ITokenManager</name>
- <instance>default</instance>
- </interface>
- <fqname>@1.0::ITokenManager/default</fqname>
- </hal>
+ <!-- empty -->
</manifest>
diff --git a/microdroid/microdroid_vendor_compatibility_matrix.xml b/microdroid/microdroid_vendor_compatibility_matrix.xml
index efa1c98..44735d8 100644
--- a/microdroid/microdroid_vendor_compatibility_matrix.xml
+++ b/microdroid/microdroid_vendor_compatibility_matrix.xml
@@ -1,27 +1,4 @@
<?xml version="1.0" encoding="UTF-8"?>
<compatibility-matrix version="1.0" type="device">
- <hal format="aidl">
- <name>android.system.keystore2</name>
- <interface>
- <name>IKeystoreService</name>
- <instance>default</instance>
- </interface>
- </hal>
- <!--TODO(b/185767624): remove hidl after full keymint support-->
- <hal format="hidl" optional="true">
- <name>android.hidl.manager</name>
- <version>1.0</version>
- <interface>
- <name>IServiceManager</name>
- <instance>default</instance>
- </interface>
- </hal>
- <hal format="hidl" optional="true">
- <name>android.hidl.token</name>
- <version>1.0</version>
- <interface>
- <name>ITokenManager</name>
- <instance>default</instance>
- </interface>
- </hal>
+ <!-- empty -->
</compatibility-matrix>
diff --git a/microdroid_manager/src/main.rs b/microdroid_manager/src/main.rs
index 4420a49..960759e 100644
--- a/microdroid_manager/src/main.rs
+++ b/microdroid_manager/src/main.rs
@@ -26,7 +26,7 @@
use glob::glob;
use idsig::V4Signature;
use itertools::sorted;
-use log::{error, info, warn};
+use log::{error, info};
use microdroid_metadata::{write_metadata, Metadata};
use microdroid_payload_config::{Task, TaskType, VmPayloadConfig};
use once_cell::sync::OnceCell;
@@ -182,11 +182,6 @@
}
mount_extra_apks(&config)?;
- let fake_secret = "This is a placeholder for a value that is derived from the images that are loaded in the VM.";
- if let Err(err) = rustutils::system_properties::write("ro.vmsecret.keymint", fake_secret) {
- warn!("failed to set ro.vmsecret.keymint: {}", err);
- }
-
// Wait until apex config is done. (e.g. linker configuration for apexes)
// TODO(jooyung): wait until sys.boot_completed?
wait_for_apex_config_done()?;
diff --git a/tests/testapk/Android.bp b/tests/testapk/Android.bp
index 6cd16c2..4cca538 100644
--- a/tests/testapk/Android.bp
+++ b/tests/testapk/Android.bp
@@ -22,7 +22,6 @@
name: "MicrodroidTestNativeLib",
srcs: ["src/native/testbinary.cpp"],
shared_libs: [
- "android.system.keystore2-V1-ndk",
"android.system.virtualmachineservice-ndk",
"com.android.microdroid.testservice-ndk",
"libbase",
diff --git a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
index 032ecfd..bd44a3c 100644
--- a/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
+++ b/tests/testapk/src/java/com/android/microdroid/test/MicrodroidTests.java
@@ -176,9 +176,6 @@
testService.readProperty("debug.microdroid.app.sublib.run"),
"true");
assertEquals(
- testService.readProperty("debug.microdroid.test.keystore"),
- "PASS");
- assertEquals(
testService.readProperty("debug.microdroid.test.extra_apk"),
"PASS");
} catch (Exception e) {
diff --git a/tests/testapk/src/native/testbinary.cpp b/tests/testapk/src/native/testbinary.cpp
index c748b2a..301328a 100644
--- a/tests/testapk/src/native/testbinary.cpp
+++ b/tests/testapk/src/native/testbinary.cpp
@@ -13,13 +13,11 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#include <aidl/android/system/keystore2/IKeystoreService.h>
#include <aidl/android/system/virtualmachineservice/IVirtualMachineService.h>
#include <aidl/com/android/microdroid/testservice/BnTestService.h>
#include <android-base/file.h>
#include <android-base/properties.h>
#include <android-base/result.h>
-#include <android-base/unique_fd.h>
#include <android/binder_auto_utils.h>
#include <android/binder_manager.h>
#include <fcntl.h>
@@ -34,159 +32,16 @@
#include <binder_rpc_unstable.hpp>
#include <string>
-using aidl::android::hardware::security::keymint::Algorithm;
-using aidl::android::hardware::security::keymint::Digest;
-using aidl::android::hardware::security::keymint::KeyParameter;
-using aidl::android::hardware::security::keymint::KeyParameterValue;
-using aidl::android::hardware::security::keymint::KeyPurpose;
-using aidl::android::hardware::security::keymint::SecurityLevel;
-using aidl::android::hardware::security::keymint::Tag;
-
-using aidl::android::system::keystore2::CreateOperationResponse;
-using aidl::android::system::keystore2::Domain;
-using aidl::android::system::keystore2::IKeystoreSecurityLevel;
-using aidl::android::system::keystore2::IKeystoreService;
-using aidl::android::system::keystore2::KeyDescriptor;
-using aidl::android::system::keystore2::KeyMetadata;
-
using aidl::android::system::virtualmachineservice::IVirtualMachineService;
using android::base::ErrnoError;
using android::base::Error;
using android::base::Result;
-using android::base::unique_fd;
extern void testlib_sub();
namespace {
-Result<void> test_keystore() {
- // Connect to Keystore.
- ndk::SpAIBinder binder(
- AServiceManager_waitForService("android.system.keystore2.IKeystoreService/default"));
- auto service = IKeystoreService::fromBinder(binder);
- if (service == nullptr) {
- return Error() << "Failed to find Keystore";
- }
- std::shared_ptr<IKeystoreSecurityLevel> securityLevel;
- auto status = service->getSecurityLevel(SecurityLevel::TRUSTED_ENVIRONMENT, &securityLevel);
- if (!status.isOk()) {
- return Error() << "Failed to get security level";
- }
-
- // Create a signing key.
- std::vector<KeyParameter> params;
-
- KeyParameter algo;
- algo.tag = Tag::ALGORITHM;
- algo.value = KeyParameterValue::make<KeyParameterValue::algorithm>(Algorithm::HMAC);
- params.push_back(algo);
-
- KeyParameter key_size;
- key_size.tag = Tag::KEY_SIZE;
- key_size.value = KeyParameterValue::make<KeyParameterValue::integer>(256);
- params.push_back(key_size);
-
- KeyParameter min_mac_length;
- min_mac_length.tag = Tag::MIN_MAC_LENGTH;
- min_mac_length.value = KeyParameterValue::make<KeyParameterValue::integer>(256);
- params.push_back(min_mac_length);
-
- KeyParameter digest;
- digest.tag = Tag::DIGEST;
- digest.value = KeyParameterValue::make<KeyParameterValue::digest>(Digest::SHA_2_256);
- params.push_back(digest);
-
- KeyParameter purposeSign;
- purposeSign.tag = Tag::PURPOSE;
- purposeSign.value = KeyParameterValue::make<KeyParameterValue::keyPurpose>(KeyPurpose::SIGN);
- params.push_back(purposeSign);
-
- KeyParameter purposeVerify;
- purposeVerify.tag = Tag::PURPOSE;
- purposeVerify.value =
- KeyParameterValue::make<KeyParameterValue::keyPurpose>(KeyPurpose::VERIFY);
- params.push_back(purposeVerify);
-
- KeyParameter auth;
- auth.tag = Tag::NO_AUTH_REQUIRED;
- auth.value = KeyParameterValue::make<KeyParameterValue::boolValue>(true);
- params.push_back(auth);
-
- KeyDescriptor descriptor;
- descriptor.domain = Domain::SELINUX;
- descriptor.alias = "payload-test-key";
- descriptor.nspace = 140; // vm_payload_key
-
- KeyMetadata metadata;
- status = securityLevel->generateKey(descriptor, {}, params, 0, {}, &metadata);
- if (!status.isOk()) {
- return Error() << "Failed to create new HMAC key";
- }
-
- // Sign something.
- params.clear();
- params.push_back(algo);
- params.push_back(digest);
- params.push_back(purposeSign);
-
- KeyParameter mac_length;
- mac_length.tag = Tag::MAC_LENGTH;
- mac_length.value = KeyParameterValue::make<KeyParameterValue::integer>(256);
- params.push_back(mac_length);
-
- CreateOperationResponse opResponse;
- status = securityLevel->createOperation(descriptor, params, false, &opResponse);
- if (!status.isOk()) {
- return Error() << "Failed to create keystore signing operation: "
- << status.getServiceSpecificError();
- }
- auto operation = opResponse.iOperation;
-
- std::string message = "This is the message to sign";
- std::optional<std::vector<uint8_t>> out;
- status = operation->update({message.begin(), message.end()}, &out);
- if (!status.isOk()) {
- return Error() << "Failed to call keystore update operation.";
- }
-
- std::optional<std::vector<uint8_t>> signature;
- status = operation->finish({}, {}, &signature);
- if (!status.isOk()) {
- return Error() << "Failed to call keystore finish operation.";
- }
-
- if (!signature.has_value()) {
- return Error() << "Didn't receive a signature from keystore finish operation.";
- }
-
- // Verify the signature.
- params.clear();
- params.push_back(algo);
- params.push_back(digest);
- params.push_back(purposeVerify);
-
- status = securityLevel->createOperation(descriptor, params, false, &opResponse);
- if (!status.isOk()) {
- return Error() << "Failed to create keystore verification operation: "
- << status.getServiceSpecificError();
- }
- operation = opResponse.iOperation;
-
- status = operation->update({message.begin(), message.end()}, &out);
- if (!status.isOk()) {
- return Error() << "Failed to call keystore update operation.";
- }
-
- std::optional<std::vector<uint8_t>> out_signature;
- status = operation->finish({}, signature.value(), &out_signature);
- if (!status.isOk()) {
- return Error() << "Failed to call keystore finish operation.";
- }
-
- return {};
-}
-
template <typename T>
Result<T> report_test(std::string name, Result<T> result) {
auto property = "debug.microdroid.test." + name;
@@ -283,7 +138,6 @@
report_test("extra_apk", verify_apk());
__system_property_set("debug.microdroid.app.run", "true");
- if (!report_test("keystore", test_keystore()).ok()) return 1;
if (auto res = start_test_service(); res.ok()) {
return 0;