Merge "Convert Gatekeeper from HIDL to AIDL"
diff --git a/trusty/gatekeeper/Android.bp b/trusty/gatekeeper/Android.bp
index 81f012f..0b43754 100644
--- a/trusty/gatekeeper/Android.bp
+++ b/trusty/gatekeeper/Android.bp
@@ -24,11 +24,10 @@
}
cc_binary {
- name: "android.hardware.gatekeeper@1.0-service.trusty",
- defaults: ["hidl_defaults"],
+ name: "android.hardware.gatekeeper-service.trusty",
vendor: true,
relative_install_path: "hw",
- init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],
+ init_rc: ["android.hardware.gatekeeper-service.trusty.rc"],
srcs: [
"service.cpp",
@@ -42,16 +41,21 @@
"-Werror",
],
+ static_libs: [
+ "libgflags",
+ ],
+
shared_libs: [
- "android.hardware.gatekeeper@1.0",
+ "android.hardware.gatekeeper-V1-ndk",
"libbase",
- "libhidlbase",
+ "libbinder_ndk",
"libgatekeeper",
+ "libhardware",
"libutils",
"liblog",
"libcutils",
"libtrusty",
],
- vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],
+ vintf_fragments: ["android.hardware.gatekeeper-service.trusty.xml"],
}
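Review bot: `static_libs: ["libgflags"]` is added here, but nothing in the service.cpp or trusty_gatekeeper.cpp changes in this commit visibly uses gflags (main takes no arguments). If no other source in `srcs` needs it, I would drop the entry so the vendor Gatekeeper binary links only what it uses. `libhardware` looks justified by the new `<hardware/hw_auth_token.h>` include.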
diff --git a/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc
new file mode 100644
index 0000000..66ecbd1
--- /dev/null
+++ b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.rc
@@ -0,0 +1,4 @@
+service vendor.gatekeeper_default /vendor/bin/hw/android.hardware.gatekeeper-service.trusty
+ class hal
+ user system
+ group system
diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml
similarity index 60%
rename from trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml
rename to trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml
index 19714a8..c35421e 100644
--- a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml
+++ b/trusty/gatekeeper/android.hardware.gatekeeper-service.trusty.xml
@@ -1,10 +1,9 @@
<manifest version="1.0" type="device">
- <hal format="hidl">
+ <hal format="aidl">
<name>android.hardware.gatekeeper</name>
- <transport>hwbinder</transport>
- <version>1.0</version>
+ <version>1</version>
<interface>
- <name>IGatekeeper</name>
+ <name>IGatekeeper</name>
<instance>default</instance>
</interface>
</hal>
diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc
deleted file mode 100644
index 5413a6c..0000000
--- a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc
+++ /dev/null
@@ -1,4 +0,0 @@
-service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty
- class hal
- user system
- group system
diff --git a/trusty/gatekeeper/service.cpp b/trusty/gatekeeper/service.cpp
index c5ee488..d09804f 100644
--- a/trusty/gatekeeper/service.cpp
+++ b/trusty/gatekeeper/service.cpp
@@ -13,27 +13,28 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
+#define LOG_TAG "android.hardware.gatekeeper-service.trusty"
#include <android-base/logging.h>
-#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
-
-#include <hidl/LegacySupport.h>
+#include <android/binder_manager.h>
+#include <android/binder_process.h>
#include "trusty_gatekeeper.h"
-// Generated HIDL files
-using android::hardware::gatekeeper::V1_0::IGatekeeper;
-using gatekeeper::TrustyGateKeeperDevice;
+using aidl::android::hardware::gatekeeper::TrustyGateKeeperDevice;
int main() {
- ::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
- android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());
- auto status = gatekeeper->registerAsService();
- if (status != android::OK) {
- LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
- }
+ ABinderProcess_setThreadPoolMaxThreadCount(0);
- android::hardware::joinRpcThreadpool();
+ std::shared_ptr<TrustyGateKeeperDevice> gatekeeper =
+ ndk::SharedRefBase::make<TrustyGateKeeperDevice>();
+
+ const std::string instance = std::string() + TrustyGateKeeperDevice::descriptor + "/default";
+ binder_status_t status =
+ AServiceManager_addService(gatekeeper->asBinder().get(), instance.c_str());
+ CHECK_EQ(status, STATUS_OK);
+
+ ABinderProcess_joinThreadPool();
+
return -1; // Should never get here.
}
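Review bot: `CHECK_EQ(status, STATUS_OK);` aborts without saying what failed, whereas the removed code logged a descriptive registration error; streaming context keeps the crash actionable: `CHECK_EQ(status, STATUS_OK) << "Failed to register " << instance;`. `ABinderProcess_setThreadPoolMaxThreadCount(0)` deserves a one-line comment stating that only the joining thread serves calls, since TrustyGateKeeperDevice appears to use a single Trusty connection and no locking is visible in this change. The file also uses `std::string` and `std::shared_ptr` without including `<string>` and `<memory>` directly.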
diff --git a/trusty/gatekeeper/trusty_gatekeeper.cpp b/trusty/gatekeeper/trusty_gatekeeper.cpp
index ec4f81b..d0647df 100644
--- a/trusty/gatekeeper/trusty_gatekeeper.cpp
+++ b/trusty/gatekeeper/trusty_gatekeeper.cpp
@@ -16,28 +16,26 @@
#define LOG_TAG "TrustyGateKeeper"
-#include <android-base/logging.h>
+#include <endian.h>
#include <limits>
+#include <android-base/logging.h>
+#include <gatekeeper/password_handle.h>
+#include <hardware/hw_auth_token.h>
+
+#include "gatekeeper_ipc.h"
#include "trusty_gatekeeper.h"
#include "trusty_gatekeeper_ipc.h"
-#include "gatekeeper_ipc.h"
-using ::android::hardware::hidl_vec;
-using ::android::hardware::Return;
-using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
-using ::gatekeeper::EnrollRequest;
-using ::gatekeeper::EnrollResponse;
+namespace aidl::android::hardware::gatekeeper {
+
using ::gatekeeper::ERROR_INVALID;
-using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
using ::gatekeeper::ERROR_NONE;
using ::gatekeeper::ERROR_RETRY;
using ::gatekeeper::SizedBuffer;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
-namespace gatekeeper {
-
constexpr const uint32_t SEND_BUF_SIZE = 8192;
constexpr const uint32_t RECV_BUF_SIZE = 8192;
@@ -54,89 +52,101 @@
trusty_gatekeeper_disconnect();
}
-SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
+SizedBuffer vec2sized_buffer(const std::vector<uint8_t>& vec) {
if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
auto buffer = new uint8_t[vec.size()];
std::copy(vec.begin(), vec.end(), buffer);
return {buffer, static_cast<uint32_t>(vec.size())};
}
-Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,
- const hidl_vec<uint8_t>& currentPasswordHandle,
- const hidl_vec<uint8_t>& currentPassword,
- const hidl_vec<uint8_t>& desiredPassword,
- enroll_cb _hidl_cb) {
+void sizedBuffer2AidlHWToken(SizedBuffer& buffer,
+ android::hardware::security::keymint::HardwareAuthToken* aidlToken) {
+ const hw_auth_token_t* authToken =
+ reinterpret_cast<const hw_auth_token_t*>(buffer.Data<uint8_t>());
+ aidlToken->challenge = authToken->challenge;
+ aidlToken->userId = authToken->user_id;
+ aidlToken->authenticatorId = authToken->authenticator_id;
+ // these are in network order: translate to host
+ aidlToken->authenticatorType =
+ static_cast<android::hardware::security::keymint::HardwareAuthenticatorType>(
+ be32toh(authToken->authenticator_type));
+ aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp);
+ aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac),
+ std::end(authToken->hmac));
+}
+
+::ndk::ScopedAStatus TrustyGateKeeperDevice::enroll(
+ int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
+ const std::vector<uint8_t>& currentPassword, const std::vector<uint8_t>& desiredPassword,
+ GatekeeperEnrollResponse* rsp) {
if (error_ != 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
if (desiredPassword.size() == 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
- EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
- hidl_vec2sized_buffer(desiredPassword),
- hidl_vec2sized_buffer(currentPassword));
+ EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle),
+ vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword));
EnrollResponse response;
auto error = Send(request, &response);
if (error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_RETRY) {
- _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
+ *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), 0, {}};
+ return ndk::ScopedAStatus::ok();
} else if (response.error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
- hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
- response.enrolled_password_handle.Data<uint8_t>() +
- response.enrolled_password_handle.size());
- _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
+ const ::gatekeeper::password_handle_t* password_handle =
+ response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();
+ *rsp = {STATUS_OK,
+ 0,
+ static_cast<int64_t>(password_handle->user_id),
+ {response.enrolled_password_handle.Data<uint8_t>(),
+ (response.enrolled_password_handle.Data<uint8_t>() +
+ response.enrolled_password_handle.size())}};
}
- return {};
+ return ndk::ScopedAStatus::ok();
}
-Return<void> TrustyGateKeeperDevice::verify(
- uint32_t uid, uint64_t challenge,
- const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
- const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
+::ndk::ScopedAStatus TrustyGateKeeperDevice::verify(
+ int32_t uid, int64_t challenge, const std::vector<uint8_t>& enrolledPasswordHandle,
+ const std::vector<uint8_t>& providedPassword, GatekeeperVerifyResponse* rsp) {
if (error_ != 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
if (enrolledPasswordHandle.size() == 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
- VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
- hidl_vec2sized_buffer(providedPassword));
+ VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle),
+ vec2sized_buffer(providedPassword));
VerifyResponse response;
auto error = Send(request, &response);
if (error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_RETRY) {
- _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
+ *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), {}};
+ return ndk::ScopedAStatus::ok();
} else if (response.error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
- hidl_vec<uint8_t> auth_token(
- response.auth_token.Data<uint8_t>(),
- response.auth_token.Data<uint8_t>() + response.auth_token.size());
-
- _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
- : GatekeeperStatusCode::STATUS_OK,
- response.retry_timeout, auth_token});
+ // On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and
+ // valid HardwareAuthToken.
+ *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};
+ // Convert the hw_auth_token_t to HardwareAuthToken in the response.
+ sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);
}
- return {};
+ return ndk::ScopedAStatus::ok();
}
-Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) {
+::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteUser(int32_t uid) {
if (error_ != 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
DeleteUserRequest request(uid);
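Review bot: `sizedBuffer2AidlHWToken` casts `buffer.Data<uint8_t>()` to `const hw_auth_token_t*` and reads every field without first checking that the buffer is non-empty and at least `sizeof(hw_auth_token_t)` bytes, so a missing or short `auth_token` in the Trusty response would become a null or out-of-bounds read in the HAL process. In the success branch of `verify`, guard the conversion first: `if (response.auth_token.size() < sizeof(hw_auth_token_t)) return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));`. The success branch of `enroll` has the same shape: `password_handle->user_id` is dereferenced with no visible check that `enrolled_password_handle` is large enough for a `password_handle_t`, so add `if (password_handle == nullptr || response.enrolled_password_handle.size() < sizeof(::gatekeeper::password_handle_t))` with the same error return. Copying the token with `memcpy` into a local `hw_auth_token_t` would also avoid relying on the buffer's alignment.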
@@ -144,21 +154,19 @@
auto error = Send(request, &response);
if (error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_NOT_IMPLEMENTED) {
- _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
} else if (response.error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
- _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});
+ return ndk::ScopedAStatus::ok();
}
- return {};
}
-Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
+::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteAllUsers() {
if (error_ != 0) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
- return {};
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
}
DeleteAllUsersRequest request;
@@ -166,16 +174,14 @@
auto error = Send(request, &response);
if (error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else if (response.error == ERROR_NOT_IMPLEMENTED) {
- _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
} else if (response.error != ERROR_NONE) {
- _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
} else {
- _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});
+ return ndk::ScopedAStatus::ok();
}
-
- return {};
}
gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
@@ -201,4 +207,4 @@
return response->Deserialize(payload, payload + response_size);
}
-};
+} // namespace aidl::android::hardware::gatekeeper
diff --git a/trusty/gatekeeper/trusty_gatekeeper.h b/trusty/gatekeeper/trusty_gatekeeper.h
index 420dd7a..5cb5d4b 100644
--- a/trusty/gatekeeper/trusty_gatekeeper.h
+++ b/trusty/gatekeeper/trusty_gatekeeper.h
@@ -17,18 +17,30 @@
#ifndef TRUSTY_GATEKEEPER_H
#define TRUSTY_GATEKEEPER_H
-#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
-#include <hidl/Status.h>
-
#include <memory>
+#include <aidl/android/hardware/gatekeeper/BnGatekeeper.h>
+
#include <gatekeeper/gatekeeper_messages.h>
#include "gatekeeper_ipc.h"
-namespace gatekeeper {
+namespace aidl::android::hardware::gatekeeper {
-class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper {
+using aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse;
+using aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse;
+using ::gatekeeper::DeleteAllUsersRequest;
+using ::gatekeeper::DeleteAllUsersResponse;
+using ::gatekeeper::DeleteUserRequest;
+using ::gatekeeper::DeleteUserResponse;
+using ::gatekeeper::EnrollRequest;
+using ::gatekeeper::EnrollResponse;
+using ::gatekeeper::gatekeeper_error_t;
+using ::gatekeeper::GateKeeperMessage;
+using ::gatekeeper::VerifyRequest;
+using ::gatekeeper::VerifyResponse;
+
+class TrustyGateKeeperDevice : public BnGatekeeper {
public:
explicit TrustyGateKeeperDevice();
~TrustyGateKeeperDevice();
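Review bot: The new using-declarations sit at namespace scope in a header, so every file that includes trusty_gatekeeper.h gets `EnrollRequest`, `VerifyRequest`, `gatekeeper_error_t` and the rest injected into `aidl::android::hardware::gatekeeper`; the first two (`GatekeeperEnrollResponse`, `GatekeeperVerifyResponse`) name types that already live in that namespace and look redundant. Consider qualifying the `::gatekeeper::` types in the declarations instead, and add `#include <vector>` since the new signatures use `std::vector`. The class body continues outside this hunk.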
@@ -40,11 +52,10 @@
* Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password_handle will not be allocated.
*/
- ::android::hardware::Return<void> enroll(
- uint32_t uid, const ::android::hardware::hidl_vec<uint8_t>& currentPasswordHandle,
- const ::android::hardware::hidl_vec<uint8_t>& currentPassword,
- const ::android::hardware::hidl_vec<uint8_t>& desiredPassword,
- enroll_cb _hidl_cb) override;
+ ::ndk::ScopedAStatus enroll(int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
+ const std::vector<uint8_t>& currentPassword,
+ const std::vector<uint8_t>& desiredPassword,
+ GatekeeperEnrollResponse* _aidl_return) override;
/**
* Verifies provided_password matches enrolled_password_handle.
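Review bot: The doc comment above `enroll` still says "Returns: 0 on success or an error code less than 0 on error", which no longer describes the `::ndk::ScopedAStatus` return; the same stale wording sits above `verify` in the next hunk. I would reword both, e.g. `Returns: ok status with the result written to _aidl_return, or a service-specific error (ERROR_GENERAL_FAILURE) on failure.` The implementation reports ERROR_RETRY_TIMEOUT through `_aidl_return` together with an ok status, which is worth stating for callers. Both comment blocks start outside the hunks.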
@@ -59,25 +70,24 @@
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
- ::android::hardware::Return<void> verify(
- uint32_t uid, uint64_t challenge,
- const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
- const ::android::hardware::hidl_vec<uint8_t>& providedPassword,
- verify_cb _hidl_cb) override;
+ ::ndk::ScopedAStatus verify(int32_t uid, int64_t challenge,
+ const std::vector<uint8_t>& enrolledPasswordHandle,
+ const std::vector<uint8_t>& providedPassword,
+ GatekeeperVerifyResponse* _aidl_return) override;
- ::android::hardware::Return<void> deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override;
+ ::ndk::ScopedAStatus deleteAllUsers() override;
- ::android::hardware::Return<void> deleteAllUsers(deleteAllUsers_cb _hidl_cb) override;
+ ::ndk::ScopedAStatus deleteUser(int32_t uid) override;
private:
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
GateKeeperMessage* response);
- gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
+ gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse* response) {
return Send(GK_ENROLL, request, response);
}
- gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
+ gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse* response) {
return Send(GK_VERIFY, request, response);
}
@@ -93,7 +103,6 @@
int error_;
};
-} // namespace gatekeeper
+} // namespace aidl::android::hardware::gatekeeper
#endif
-
diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk
index 7b4aa26..5a3a320 100644
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@@ -37,7 +37,7 @@
PRODUCT_PACKAGES += \
$(LOCAL_KEYMINT_PRODUCT_PACKAGE) \
- android.hardware.gatekeeper@1.0-service.trusty \
+ android.hardware.gatekeeper-service.trusty \
trusty_apploader \
RemoteProvisioner