Gatekeeperd maintenance
* Move gatekeeper aidl definition to system/core/gatekeeperd
* Retire hand written IGateKeeperService and use generated instead
* Adjust gatekeeperd to use the generated aidl stubs.
* Annotated enroll parameters with @nullable to match the
documentation and the way it was used. (The hand written
code was tolerant to null parameters, but it was undefined behavior.)
* Removed Software implementation from gatekeeperd.
* Also removed the upgrade path.
* Software implementation including test moved to
hardware/interfaces/gatekeeper/1.0/software
Change-Id: I72b734db6f67b79b29c2629764490d75d179908a
Merged-In: I72b734db6f67b79b29c2629764490d75d179908a
Test: Manually tested setting pin and login.
diff --git a/gatekeeperd/gatekeeperd.cpp b/gatekeeperd/gatekeeperd.cpp
index 8700c34..1d65b1c 100644
--- a/gatekeeperd/gatekeeperd.cpp
+++ b/gatekeeperd/gatekeeperd.cpp
@@ -16,7 +16,8 @@
#define LOG_TAG "gatekeeperd"
-#include "IGateKeeperService.h"
+#include <android/service/gatekeeper/BnGateKeeperService.h>
+#include <gatekeeper/GateKeeperResponse.h>
#include <errno.h>
#include <fcntl.h>
@@ -41,8 +42,6 @@
#include <utils/Log.h>
#include <utils/String16.h>
-#include "SoftGateKeeperDevice.h"
-
#include <hidl/HidlSupport.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
@@ -52,6 +51,11 @@
using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
using android::hardware::Return;
+using ::android::binder::Status;
+using ::android::service::gatekeeper::BnGateKeeperService;
+using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
+using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
+
namespace android {
static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
@@ -64,9 +68,8 @@
hw_device = IGatekeeper::getService();
is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
- if (hw_device == nullptr) {
- ALOGW("falling back to software GateKeeper");
- soft_device.reset(new SoftGateKeeperDevice());
+ if (!hw_device) {
+ LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
}
}
@@ -92,7 +95,7 @@
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
- if (hw_device != nullptr) {
+ if (hw_device) {
hw_device->deleteAllUsers([](const GatekeeperResponse &){});
}
}
@@ -154,16 +157,16 @@
return uid;
}
- virtual int enroll(uint32_t uid,
- const uint8_t *current_password_handle, uint32_t current_password_handle_length,
- const uint8_t *current_password, uint32_t current_password_length,
- const uint8_t *desired_password, uint32_t desired_password_length,
- uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
+#define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
+
+ Status enroll(int32_t uid, const std::unique_ptr<std::vector<uint8_t>>& currentPasswordHandle,
+ const std::unique_ptr<std::vector<uint8_t>>& currentPassword,
+ const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
- return PERMISSION_DENIED;
+ return GK_ERROR;
}
// Make sure to clear any state from before factory reset as soon as a credential is
@@ -171,225 +174,189 @@
clear_state_if_needed();
// need a desired password to enroll
- if (desired_password_length == 0) return -EINVAL;
+ if (desiredPassword.size() == 0) return GK_ERROR;
- int ret;
- if (hw_device != nullptr) {
- const gatekeeper::password_handle_t *handle =
- reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
+ if (!hw_device) {
+ LOG(ERROR) << "has no HAL to talk to";
+ return GK_ERROR;
+ }
- if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
- // handle is being re-enrolled from a software version. HAL probably won't accept
- // the handle as valid, so we nullify it and enroll from scratch
- current_password_handle = NULL;
- current_password_handle_length = 0;
- current_password = NULL;
- current_password_length = 0;
+ android::hardware::hidl_vec<uint8_t> curPwdHandle;
+ android::hardware::hidl_vec<uint8_t> curPwd;
+
+ if (currentPasswordHandle && currentPassword) {
+ if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(INFO) << "Password handle has wrong length";
+ return GK_ERROR;
}
+ curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
+ currentPasswordHandle->size());
+ curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
+ currentPassword->size());
+ }
- android::hardware::hidl_vec<uint8_t> curPwdHandle;
- curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),
- current_password_handle_length);
- android::hardware::hidl_vec<uint8_t> curPwd;
- curPwd.setToExternal(const_cast<uint8_t*>(current_password),
- current_password_length);
- android::hardware::hidl_vec<uint8_t> newPwd;
- newPwd.setToExternal(const_cast<uint8_t*>(desired_password),
- desired_password_length);
+ android::hardware::hidl_vec<uint8_t> newPwd;
+ newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
- uint32_t hw_uid = adjust_uid(uid);
- Return<void> hwRes = hw_device->enroll(hw_uid, curPwdHandle, curPwd, newPwd,
- [&ret, enrolled_password_handle, enrolled_password_handle_length]
- (const GatekeeperResponse &rsp) {
- ret = static_cast<int>(rsp.code); // propagate errors
- if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
- if (enrolled_password_handle != nullptr &&
- enrolled_password_handle_length != nullptr) {
- *enrolled_password_handle = new uint8_t[rsp.data.size()];
- *enrolled_password_handle_length = rsp.data.size();
- memcpy(*enrolled_password_handle, rsp.data.data(),
- *enrolled_password_handle_length);
+ uint32_t hw_uid = adjust_uid(uid);
+ Return<void> hwRes = hw_device->enroll(
+ hw_uid, curPwdHandle, curPwd, newPwd, [&gkResponse](const GatekeeperResponse& rsp) {
+ if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
+ *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
+ } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
+ rsp.timeout > 0) {
+ *gkResponse = GKResponse::retry(rsp.timeout);
+ } else {
+ *gkResponse = GKResponse::error();
}
- ret = 0; // all success states are reported as 0
- } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {
- ret = rsp.timeout;
- }
- });
- if (!hwRes.isOk()) {
- ALOGE("enroll transaction failed\n");
- ret = -1;
+ });
+ if (!hwRes.isOk()) {
+ LOG(ERROR) << "enroll transaction failed";
+ return GK_ERROR;
+ }
+
+ if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
+ if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(ERROR) << "HAL returned password handle of invalid length "
+ << gkResponse->payload().size();
+ return GK_ERROR;
}
- } else {
- ret = soft_device->enroll(uid,
- current_password_handle, current_password_handle_length,
- current_password, current_password_length,
- desired_password, desired_password_length,
- enrolled_password_handle, enrolled_password_handle_length);
- }
- if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||
- *enrolled_password_handle_length != sizeof(password_handle_t))) {
- ret = GATEKEEPER_RESPONSE_ERROR;
- ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",
- *enrolled_password_handle, *enrolled_password_handle_length);
- }
-
- if (ret == GATEKEEPER_RESPONSE_OK) {
- gatekeeper::password_handle_t *handle =
- reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
+ const gatekeeper::password_handle_t* handle =
+ reinterpret_cast<const gatekeeper::password_handle_t*>(
+ gkResponse->payload().data());
store_sid(uid, handle->user_id);
- bool rr;
+ GKResponse verifyResponse;
// immediately verify this password so we don't ask the user to enter it again
// if they just created it.
- verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
- desired_password_length, &rr);
+ auto status = verify(uid, gkResponse->payload(), desiredPassword, &verifyResponse);
+ if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
+ LOG(ERROR) << "Failed to verify password after enrolling";
+ }
}
- return ret;
+ return Status::ok();
}
- virtual int verify(uint32_t uid,
- const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
- const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
- uint8_t *auth_token = nullptr;
- uint32_t auth_token_length;
- int ret = verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
- provided_password, provided_password_length,
- &auth_token, &auth_token_length, request_reenroll);
- delete [] auth_token;
- return ret;
+ Status verify(int32_t uid, const ::std::vector<uint8_t>& enrolledPasswordHandle,
+ const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override {
+ return verifyChallenge(uid, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
+ gkResponse);
}
- virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
- const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
- const uint8_t *provided_password, uint32_t provided_password_length,
- uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
+ Status verifyChallenge(int32_t uid, int64_t challenge,
+ const std::vector<uint8_t>& enrolledPasswordHandle,
+ const std::vector<uint8_t>& providedPassword,
+ GKResponse* gkResponse) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
- return PERMISSION_DENIED;
+ return GK_ERROR;
}
// can't verify if we're missing either param
- if ((enrolled_password_handle_length | provided_password_length) == 0)
- return -EINVAL;
+ if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
- int ret;
- if (hw_device != nullptr) {
- const gatekeeper::password_handle_t *handle =
- reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
- // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
- // a HAL if there was none before
- if (handle->version == 0 || handle->hardware_backed) {
- uint32_t hw_uid = adjust_uid(uid);
- android::hardware::hidl_vec<uint8_t> curPwdHandle;
- curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),
- enrolled_password_handle_length);
- android::hardware::hidl_vec<uint8_t> enteredPwd;
- enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),
- provided_password_length);
- Return<void> hwRes = hw_device->verify(hw_uid, challenge, curPwdHandle, enteredPwd,
- [&ret, request_reenroll, auth_token, auth_token_length]
- (const GatekeeperResponse &rsp) {
- ret = static_cast<int>(rsp.code); // propagate errors
- if (auth_token != nullptr && auth_token_length != nullptr &&
- rsp.code >= GatekeeperStatusCode::STATUS_OK) {
- *auth_token = new uint8_t[rsp.data.size()];
- *auth_token_length = rsp.data.size();
- memcpy(*auth_token, rsp.data.data(), *auth_token_length);
- if (request_reenroll != nullptr) {
- *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);
- }
- ret = 0; // all success states are reported as 0
- } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
- rsp.timeout > 0) {
- ret = rsp.timeout;
+ if (!hw_device) return GK_ERROR;
+
+ if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
+ LOG(INFO) << "Password handle has wrong length";
+ return GK_ERROR;
+ }
+ const gatekeeper::password_handle_t* handle =
+ reinterpret_cast<const gatekeeper::password_handle_t*>(
+ enrolledPasswordHandle.data());
+
+ uint32_t hw_uid = adjust_uid(uid);
+ android::hardware::hidl_vec<uint8_t> curPwdHandle;
+ curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
+ enrolledPasswordHandle.size());
+ android::hardware::hidl_vec<uint8_t> enteredPwd;
+ enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
+ providedPassword.size());
+
+ Return<void> hwRes = hw_device->verify(
+ hw_uid, challenge, curPwdHandle, enteredPwd,
+ [&gkResponse](const GatekeeperResponse& rsp) {
+ if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
+ *gkResponse = GKResponse::ok(
+ {rsp.data.begin(), rsp.data.end()},
+ rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
+ } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
+ *gkResponse = GKResponse::retry(rsp.timeout);
+ } else {
+ *gkResponse = GKResponse::error();
}
});
- if (!hwRes.isOk()) {
- ALOGE("verify transaction failed\n");
- ret = -1;
- }
- } else {
- // upgrade scenario, a HAL has been added to this device where there was none before
- SoftGateKeeperDevice soft_dev;
- ret = soft_dev.verify(uid, challenge,
- enrolled_password_handle, enrolled_password_handle_length,
- provided_password, provided_password_length, auth_token, auth_token_length,
- request_reenroll);
- if (ret == 0) {
- // success! re-enroll with HAL
- *request_reenroll = true;
+ if (!hwRes.isOk()) {
+ LOG(ERROR) << "verify transaction failed";
+ return GK_ERROR;
+ }
+
+ if (gkResponse->response_code() == GKResponseCode::OK) {
+ if (gkResponse->payload().size() != 0) {
+ sp<IServiceManager> sm = defaultServiceManager();
+ sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
+ sp<security::keystore::IKeystoreService> service =
+ interface_cast<security::keystore::IKeystoreService>(binder);
+
+ if (service) {
+ int result = 0;
+ auto binder_result = service->addAuthToken(gkResponse->payload(), &result);
+ if (!binder_result.isOk() ||
+ !keystore::KeyStoreServiceReturnCode(result).isOk()) {
+ LOG(ERROR) << "Failure sending auth token to KeyStore: " << result;
+ }
+ } else {
+ LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with Keystore.";
}
}
- } else {
- ret = soft_device->verify(uid, challenge,
- enrolled_password_handle, enrolled_password_handle_length,
- provided_password, provided_password_length, auth_token, auth_token_length,
- request_reenroll);
+
+ maybe_store_sid(uid, handle->user_id);
}
- if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
- // TODO: cache service?
- sp<IServiceManager> sm = defaultServiceManager();
- sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
- sp<security::keystore::IKeystoreService> service =
- interface_cast<security::keystore::IKeystoreService>(binder);
- if (service != NULL) {
- std::vector<uint8_t> auth_token_vector(*auth_token,
- (*auth_token) + *auth_token_length);
- int result = 0;
- auto binder_result = service->addAuthToken(auth_token_vector, &result);
- if (!binder_result.isOk() || !keystore::KeyStoreServiceReturnCode(result).isOk()) {
- ALOGE("Failure sending auth token to KeyStore: %" PRId32, result);
- }
- } else {
- ALOGE("Unable to communicate with KeyStore");
- }
- }
-
- if (ret == 0) {
- maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
- enrolled_password_handle)->user_id);
- }
-
- return ret;
+ return Status::ok();
}
- virtual uint64_t getSecureUserId(uint32_t uid) { return read_sid(uid); }
+ Status getSecureUserId(int32_t uid, int64_t* sid) override {
+ *sid = read_sid(uid);
+ return Status::ok();
+ }
- virtual void clearSecureUserId(uint32_t uid) {
+ Status clearSecureUserId(int32_t uid) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
- return;
+ return Status::ok();
}
clear_sid(uid);
- if (hw_device != nullptr) {
+ if (hw_device) {
uint32_t hw_uid = adjust_uid(uid);
hw_device->deleteUser(hw_uid, [] (const GatekeeperResponse &){});
}
+ return Status::ok();
}
- virtual void reportDeviceSetupComplete() {
+ Status reportDeviceSetupComplete() override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
- return;
+ return Status::ok();
}
clear_state_if_needed();
+ return Status::ok();
}
- virtual status_t dump(int fd, const Vector<String16> &) {
+ status_t dump(int fd, const Vector<String16>&) override {
IPCThreadState* ipc = IPCThreadState::self();
const int pid = ipc->getCallingPid();
const int uid = ipc->getCallingUid();
@@ -410,7 +377,6 @@
private:
sp<IGatekeeper> hw_device;
- std::unique_ptr<SoftGateKeeperDevice> soft_device;
bool clear_state_if_needed_done;
bool is_running_gsi;