Alice Wang15f6d082023-08-25 09:11:07 +00001// Copyright 2023, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! IRemotelyProvisionedComponent HAL implementation.
16
Alice Wangf3482602023-09-08 11:51:29 +000017use crate::rkpvm;
Alice Wang15f6d082023-08-25 09:11:07 +000018use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
19 DeviceInfo::DeviceInfo,
20 IRemotelyProvisionedComponent::{
Alice Wangf3482602023-09-08 11:51:29 +000021 BnRemotelyProvisionedComponent, IRemotelyProvisionedComponent, STATUS_FAILED,
Alice Wangd80e99e2023-09-15 13:26:01 +000022 STATUS_INVALID_MAC, STATUS_REMOVED,
Alice Wang15f6d082023-08-25 09:11:07 +000023 },
24 MacedPublicKey::MacedPublicKey,
25 ProtectedData::ProtectedData,
26 RpcHardwareInfo::{RpcHardwareInfo, CURVE_NONE, MIN_SUPPORTED_NUM_KEYS_IN_CSR},
27};
Alice Wangf3482602023-09-08 11:51:29 +000028use anyhow::Context;
Alice Wang15f6d082023-08-25 09:11:07 +000029use avflog::LogResult;
Alice Wangb5b90322023-11-14 07:38:18 +000030use binder::{
31 BinderFeatures, ExceptionCode, Interface, IntoBinderResult, Result as BinderResult, Status,
32 Strong,
33};
34use hypervisor_props::is_protected_vm_supported;
Alice Wangeec580d2024-06-07 08:48:06 +000035use rustutils::system_properties;
Alice Wangd80e99e2023-09-15 13:26:01 +000036use service_vm_comm::{RequestProcessingError, Response};
Alice Wang15f6d082023-08-25 09:11:07 +000037
38/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
/// Constructs a binder object that implements `IRemotelyProvisionedComponent`.
///
/// The service object itself is stateless, so a fresh instance is created for
/// each call; binder features are left at their defaults.
pub(crate) fn new_binder() -> Strong<dyn IRemotelyProvisionedComponent> {
    let component = AvfRemotelyProvisionedComponent {};
    let features = BinderFeatures::default();
    BnRemotelyProvisionedComponent::new_binder(component, features)
}
45
/// Binder service object behind `IRemotelyProvisionedComponent`.
///
/// Stateless: the key-generation and CSR requests are forwarded to the RKP VM
/// via `rkpvm`, after `check_remote_attestation_is_supported` has passed.
struct AvfRemotelyProvisionedComponent {}
47
/// Marker impl required by binder; no `Interface` methods are overridden, so
/// the trait defaults apply.
impl Interface for AvfRemotelyProvisionedComponent {}
49
#[allow(non_snake_case)]
impl IRemotelyProvisionedComponent for AvfRemotelyProvisionedComponent {
    /// Reports the static capabilities of this RKP implementation.
    ///
    /// Fails with `UNSUPPORTED_OPERATION` when protected VMs or remote
    /// attestation are unavailable on the device (see
    /// `check_remote_attestation_is_supported`).
    fn getHardwareInfo(&self) -> BinderResult<RpcHardwareInfo> {
        check_remote_attestation_is_supported()?;

        let info = RpcHardwareInfo {
            versionNumber: 3,
            rpcAuthorName: "Android Virtualization Framework".to_string(),
            // CURVE_NONE: the EEK-based request path (`generateCertificateRequest`)
            // is removed below, so no EEK curve is advertised.
            supportedEekCurve: CURVE_NONE,
            uniqueId: Some("AVF Remote Provisioning 1".to_string()),
            supportedNumKeysInCsr: MIN_SUPPORTED_NUM_KEYS_IN_CSR,
        };
        Ok(info)
    }

    /// Generates an ECDSA P-256 key pair inside the RKP VM.
    ///
    /// On success `macedPublicKey` receives the MACed public key and the
    /// returned bytes are the key blob (`key_pair.key_blob`) from the VM.
    /// Test mode is rejected with `STATUS_REMOVED` (IRPC v3+). Any other
    /// response variant, including an error response, is mapped through
    /// `to_service_specific_error`; every failure is logged.
    fn generateEcdsaP256KeyPair(
        &self,
        testMode: bool,
        macedPublicKey: &mut MacedPublicKey,
    ) -> BinderResult<Vec<u8>> {
        check_remote_attestation_is_supported()?;

        if testMode {
            let status = Status::new_service_specific_error_str(
                STATUS_REMOVED,
                Some("generateEcdsaP256KeyPair does not support test mode in IRPC v3+ HAL."),
            );
            return Err(status).with_log();
        }
        let response = rkpvm::generate_ecdsa_p256_key_pair()
            .context("Failed to generate ECDSA P-256 key pair")
            .with_log()
            .or_service_specific_exception(STATUS_FAILED)?;
        match response {
            Response::GenerateEcdsaP256KeyPair(key_pair) => {
                macedPublicKey.macedKey = key_pair.maced_public_key;
                Ok(key_pair.key_blob)
            }
            other => Err(to_service_specific_error(other)),
        }
        .with_log()
    }

    /// Deprecated in IRPC v3; always fails with `STATUS_REMOVED`.
    fn generateCertificateRequest(
        &self,
        _testMode: bool,
        _keysToSign: &[MacedPublicKey],
        _endpointEncryptionCertChain: &[u8],
        _challenge: &[u8],
        _deviceInfo: &mut DeviceInfo,
        _protectedData: &mut ProtectedData,
    ) -> BinderResult<Vec<u8>> {
        let status = Status::new_service_specific_error_str(
            STATUS_REMOVED,
            Some("This method was deprecated in v3 of the interface."),
        );
        Err(status).with_log()
    }

    /// Builds a certificate signing request over `keysToSign` bound to the
    /// server-supplied `challenge`, delegating to the RKP VM.
    ///
    /// The challenge is capped at 64 bytes before it is handed to the VM;
    /// longer inputs fail with `STATUS_FAILED`. Any unexpected response
    /// variant is mapped through `to_service_specific_error`.
    fn generateCertificateRequestV2(
        &self,
        keysToSign: &[MacedPublicKey],
        challenge: &[u8],
    ) -> BinderResult<Vec<u8>> {
        check_remote_attestation_is_supported()?;

        const MAX_CHALLENGE_SIZE: usize = 64;
        // NOTE(review): only an upper bound is enforced here; an empty challenge
        // passes through to the VM — confirm the VM side's expectations.
        let challenge_len = challenge.len();
        if challenge_len > MAX_CHALLENGE_SIZE {
            let message = format!(
                "Challenge is too big. Actual: {:?}. Maximum: {:?}.",
                challenge_len, MAX_CHALLENGE_SIZE
            );
            let status = Status::new_service_specific_error_str(STATUS_FAILED, Some(message));
            return Err(status).with_log();
        }
        let response = rkpvm::generate_certificate_request(keysToSign, challenge)
            .context("Failed to generate certificate request")
            .with_log()
            .or_service_specific_exception(STATUS_FAILED)?;
        match response {
            Response::GenerateCertificateRequest(csr) => Ok(csr),
            other => Err(to_service_specific_error(other)),
        }
        .with_log()
    }
}
136
/// Verifies that this device can serve remote-attestation requests.
///
/// Returns an `UNSUPPORTED_OPERATION` exception when protected VMs are not
/// supported (a failed capability query is treated as unsupported) or when
/// remote attestation has been disabled via system property. Each rejection
/// passes through `with_log()` before it is returned.
pub(crate) fn check_remote_attestation_is_supported() -> BinderResult<()> {
    let unsupported = |message: &str| -> BinderResult<()> {
        Err(Status::new_exception_str(ExceptionCode::UNSUPPORTED_OPERATION, Some(message)))
            .with_log()
    };
    // Fail closed: an error from the hypervisor query counts as "not supported".
    if !is_protected_vm_supported().unwrap_or(false) {
        return unsupported("Protected VM support is missing for this operation");
    }
    if !is_remote_attestation_supported() {
        return unsupported("Remote attestation is disabled");
    }
    Ok(())
}
154
/// Whether remote attestation is enabled on this device.
///
/// Controlled by the `avf.remote_attestation.enabled` system property. The
/// feature is on by default: both the default passed to the property read and
/// the fallback used when the read fails are `true`, so only an explicit
/// `false` disables it.
pub(crate) fn is_remote_attestation_supported() -> bool {
    !matches!(
        system_properties::read_bool("avf.remote_attestation.enabled", true),
        Ok(false)
    )
}
159
/// Converts a non-success `Response` from the RKP VM into a binder `Status`.
///
/// `RequestProcessingError::InvalidMac` maps to `STATUS_INVALID_MAC`; every
/// other processing error, and any response variant the caller did not
/// expect, maps to `STATUS_FAILED`. The error text carries the `Display`
/// form of the processing error, or the `Debug` form of the unexpected
/// response.
pub(crate) fn to_service_specific_error(response: Response) -> Status {
    let (code, message) = match response {
        Response::Err(e @ RequestProcessingError::InvalidMac) => {
            (STATUS_INVALID_MAC, e.to_string())
        }
        Response::Err(e) => (STATUS_FAILED, format!("Failed to process request: {e}.")),
        // NOTE(review): this debug-prints the whole unexpected response into the
        // error message, which callers also log — confirm `Response`'s `Debug`
        // output carries nothing sensitive (e.g. key material).
        other => (STATUS_FAILED, format!("Incorrect response type: {other:?}")),
    };
    Status::new_service_specific_error_str(code, Some(message))
}