Adding remote provisioning AIDL interface
This commit adds the AIDL interface required to use remote provisioning,
as well as the implementation.
Test: tbd
Change-Id: I28ade347a00210f4bc3b74664873c2cf5221adb0
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index f9295ca..d254159 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -23,6 +23,7 @@
"android.security.apc-rust",
"android.security.authorization-rust",
"android.security.compat-rust",
+ "android.security.remoteprovisioning-rust",
"android.system.keystore2-V1-rust",
"libanyhow",
"libbinder_rs",
@@ -63,6 +64,7 @@
"android.security.apc-rust",
"android.security.authorization-rust",
"android.security.compat-rust",
+ "android.security.remoteprovisioning-rust",
"android.system.keystore2-V1-rust",
"libandroid_logger",
"libanyhow",
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index fac36e5..36cff16 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -83,3 +83,25 @@
}
},
}
+
+aidl_interface {
+ name: "android.security.remoteprovisioning",
+ srcs: [ "android/security/remoteprovisioning/*.aidl" ],
+ imports: [
+ "android.hardware.security.keymint",
+ ],
+ unstable: true,
+ backend: {
+ java: {
+ enabled: true,
+ sdk_version: "module_current",
+ platform_apis: true,
+ },
+ ndk: {
+ enabled: true,
+ },
+ rust: {
+ enabled: true,
+ },
+ },
+}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl b/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl
new file mode 100644
index 0000000..3528b42
--- /dev/null
+++ b/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl
@@ -0,0 +1,45 @@
+/*
+ * Copyright 2020, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.remoteprovisioning;
+
+/**
+ * This parcelable provides information about the state of the attestation key pool.
+ * @hide
+ */
+parcelable AttestationPoolStatus {
+ /**
+ * The number of signed attestation certificate chains which will expire when the date provided
+ * to keystore to check against is reached.
+ */
+ int expiring;
+ /**
+ * The number of signed attestation certificate chains which have not yet been assigned to an
+ * app. This should be less than or equal to signed keys. The remainder of `signed` -
+ * `unassigned` gives the number of signed keys that have been assigned to an app.
+ */
+ int unassigned;
+ /**
+ * The number of signed attestation keys. This should be less than or equal to `total`. The
+ * remainder of `total` - `attested` gives the number of keypairs available to be sent off to
+ * the server for signing.
+ */
+ int attested;
+ /**
+ * The total number of attestation keys.
+ */
+ int total;
+}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl b/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl
new file mode 100644
index 0000000..d045345
--- /dev/null
+++ b/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl
@@ -0,0 +1,120 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.remoteprovisioning;
+
+import android.hardware.security.keymint.SecurityLevel;
+import android.security.remoteprovisioning.AttestationPoolStatus;
+
+/**
+ * `IRemoteProvisioning` is the interface provided to use the remote provisioning functionality
+ * provided through KeyStore. The intent is for a higher level system component to use these
+ * functions in order to drive the process through which the device can receive functioning
+ * attestation certificates.
+ *
+ * ## Error conditions
+ * Error conditions are reported as service specific errors.
+ * Positive codes correspond to `android.security.remoteprovisioning.ResponseCode`
+ * and indicate error conditions diagnosed by the Keystore 2.0 service.
+ * TODO: Remote Provisioning HAL error code info
+ *
+ * `ResponseCode::PERMISSION_DENIED` if the caller does not have the permissions
+ * to use the RemoteProvisioning API. This permission is defined under access_vectors in SEPolicy
+ * in the keystore2 class: remotely_provision
+ *
+ * `ResponseCode::SYSTEM_ERROR` for any unexpected errors like IO or IPC failures.
+ *
+ * @hide
+ */
+interface IRemoteProvisioning {
+
+ /**
+ * Returns the status of the attestation key pool in the database.
+ *
+ * @param expiredBy The date as seconds since epoch by which to judge expiration status of
+ * certificates.
+ *
+ * @param secLevel The security level to specify which KM instance to get the pool for.
+ *
+ * @return The `AttestationPoolStatus` parcelable contains fields communicating information
+ * relevant to making decisions about when to generate and provision
+ * more attestation keys.
+ */
+ AttestationPoolStatus getPoolStatus(in long expiredBy, in SecurityLevel secLevel);
+
+ /**
+ * This is the primary entry point for beginning a remote provisioning flow. The caller
+ * specifies how many CSRs should be generated and provides an X25519 ECDH public key along
+ * with a challenge to encrypt privacy sensitive portions of the returned CBOR blob and
+ * guarantee freshness of the request to the certifying third party.
+ *
+ * ## Error conditions
+ * `ResponseCode::NO_UNSIGNED_KEYS` if there are no unsigned keypairs in the database that can
+ * be used for the CSRs.
+ *
+ * A RemoteProvisioning HAL response code may indicate backend errors such as failed EEK
+ * verification.
+ *
+ * @param testMode Whether or not the TA implementing the Remote Provisioning HAL should accept
+ * any EEK (Endpoint Encryption Key), or only one signed by a chain
+ * that verifies back to the Root of Trust baked into the TA. True
+ * means that any key is accepted.
+ *
+ * @param numCsr How many certificate signing requests should be generated.
+ *
+ * @param eek A chain of certificates terminating in an X25519 public key, the Endpoint
+ * Encryption Key.
+ *
+ * @param challenge A challenge to be included and MACed in the returned CBOR blob.
+ *
+ * @param secLevel The security level to specify which KM instance from which to generate a
+ * CSR.
+ *
+ * @return A CBOR blob composed of various encrypted/signed elements from the TA in a byte[]
+ */
+ byte[] generateCsr(in boolean testMode, in int numCsr, in byte[] eek, in byte[] challenge,
+ in SecurityLevel secLevel);
+
+ /**
+ * This method provides a way for the returned attestation certificate chains to be provisioned
+ * to the attestation key database. When an app requests an attesation key, it will be assigned
+ * one of these certificate chains along with the corresponding private key.
+ *
+ * @param publicKey The raw public key encoded in the leaf certificate.
+ *
+ * @param cert An X.509, DER encoded certificate chain.
+ *
+ * @param expirationDate The expiration date on the certificate chain, provided by the caller
+ * for convenience.
+ *
+ * @param secLevel The security level representing the KM instance containing the key that this
+ * chain corresponds to.
+ */
+ void provisionCertChain(in byte[] publicKey, in byte[] certs, in long expirationDate,
+ in SecurityLevel secLevel);
+
+ /**
+ * This method allows the caller to instruct KeyStore to generate and store a key pair to be
+ * used for attestation in the `generateCsr` method. The caller should handle spacing out these
+ * requests so as not to jam up the KeyStore work queue.
+ *
+ * @param is_test_mode Instructs the underlying HAL interface to mark the generated key with a
+ * tag to indicate that it's for testing.
+ *
+ * @param secLevel The security level to specify which KM instance should generate a key pair.
+ */
+ void generateKeyPair(in boolean is_test_mode, in SecurityLevel secLevel);
+}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl b/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl
new file mode 100644
index 0000000..c9877db
--- /dev/null
+++ b/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2020, The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package android.security.remoteprovisioning;
+
+@Backing(type="int")
+/** @hide */
+enum ResponseCode {
+ /**
+ * Returned if there are no keys available in the database to be used in a CSR
+ */
+ NO_UNSIGNED_KEYS = 1,
+ /**
+ * The caller has imrproper SELinux permissions to access the Remote Provisioning API.
+ */
+ PERMISSION_DENIED = 2,
+ /**
+ * An unexpected error occurred, likely with IO or IPC.
+ */
+ SYSTEM_ERROR = 3,
+}
diff --git a/keystore2/src/lib.rs b/keystore2/src/lib.rs
index 811db91..f9554ea 100644
--- a/keystore2/src/lib.rs
+++ b/keystore2/src/lib.rs
@@ -26,6 +26,7 @@
pub mod legacy_blob;
pub mod operation;
pub mod permission;
+pub mod remote_provisioning;
pub mod security_level;
pub mod service;
pub mod utils;
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
new file mode 100644
index 0000000..eb21671
--- /dev/null
+++ b/keystore2/src/remote_provisioning.rs
@@ -0,0 +1,155 @@
+// Copyright 2020, The Android Open Source Project
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//! This is the implementation for the remote provisioning AIDL interface between
+//! the network providers for remote provisioning and the system. This interface
+//! allows the caller to prompt the Remote Provisioning HAL to generate keys and
+//! CBOR blobs that can be ferried to a provisioning server that will return
+//! certificate chains signed by some root authority and stored in a keystore SQLite
+//! DB.
+
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
+
+use android_security_remoteprovisioning::aidl::android::security::remoteprovisioning::{
+ AttestationPoolStatus::AttestationPoolStatus, IRemoteProvisioning::BnRemoteProvisioning,
+ IRemoteProvisioning::IRemoteProvisioning,
+};
+use anyhow::Result;
+
+use crate::error::map_or_log_err;
+use crate::globals::{get_keymint_device, DB};
+
+/// Implementation of the IRemoteProvisioning service.
+pub struct RemoteProvisioningService {
+ // TODO(b/179222809): Add the remote provisioner hal aidl interface when available
+}
+
+impl RemoteProvisioningService {
+ /// Creates a new instance of the remote provisioning service
+ pub fn new_native_binder() -> Result<impl IRemoteProvisioning> {
+ let result = BnRemoteProvisioning::new_binder(Self {});
+ Ok(result)
+ }
+
+ /// Populates the AttestationPoolStatus parcelable with information about how many
+ /// certs will be expiring by the date provided in `expired_by` along with how many
+ /// keys have not yet been assigned.
+ pub fn get_pool_status(
+ &self,
+ expired_by: i64,
+ sec_level: SecurityLevel,
+ ) -> Result<AttestationPoolStatus> {
+ let (_, _, uuid) = get_keymint_device(&sec_level)?;
+ DB.with::<_, Result<AttestationPoolStatus>>(|db| {
+ let mut db = db.borrow_mut();
+ Ok(db.get_attestation_pool_status(expired_by, &uuid)?)
+ })
+ }
+
+ /// Generates a CBOR blob which will be assembled by the calling code into a larger
+ /// CBOR blob intended for delivery to a provisioning serever. This blob will contain
+ /// `num_csr` certificate signing requests for attestation keys generated in the TEE,
+ /// along with a server provided `eek` and `challenge`. The endpoint encryption key will
+ /// be used to encrypt the sensitive contents being transmitted to the server, and the
+ /// challenge will ensure freshness. A `test_mode` flag will instruct the remote provisioning
+ /// HAL if it is okay to accept EEKs that aren't signed by something that chains back to the
+ /// baked in root of trust in the underlying IRemotelyProvisionedComponent instance.
+ pub fn generate_csr(
+ &self,
+ _test_mode: bool,
+ _num_csr: i32,
+ _eek: &[u8],
+ _challenge: &[u8],
+ _sec_level: SecurityLevel,
+ ) -> Result<Vec<u8>> {
+ // TODO(b/179222809): implement with actual remote provisioner AIDL when available. For now
+ // it isnice to have some junk values
+ Ok(vec![0, 1, 3, 3])
+ }
+
+ /// Provisions a certificate chain for a key whose CSR was included in generate_csr. The
+ /// `public_key` is used to index into the SQL database in order to insert the `certs` blob
+ /// which represents a PEM encoded X.509 certificate chain. The `expiration_date` is provided
+ /// as a convenience from the caller to avoid having to parse the certificates semantically
+ /// here.
+ pub fn provision_cert_chain(
+ &self,
+ public_key: &[u8],
+ certs: &[u8],
+ expiration_date: i64,
+ sec_level: SecurityLevel,
+ ) -> Result<()> {
+ DB.with::<_, Result<()>>(|db| {
+ let mut db = db.borrow_mut();
+ let (_, _, uuid) = get_keymint_device(&sec_level)?;
+ Ok(db.store_signed_attestation_certificate_chain(
+ public_key,
+ certs, /* DER encoded certificate chain */
+ expiration_date,
+ &uuid,
+ )?)
+ })
+ }
+
+ /// Submits a request to the Remote Provisioner HAL to generate a signing key pair.
+ /// `is_test_mode` indicates whether or not the returned public key should be marked as being
+ /// for testing in order to differentiate them from private keys. If the call is successful,
+ /// the key pair is then added to the database.
+ pub fn generate_key_pair(&self, _is_test_mode: bool, _sec_level: SecurityLevel) -> Result<()> {
+ Ok(())
+ }
+}
+
+impl binder::Interface for RemoteProvisioningService {}
+
+// Implementation of IRemoteProvisioning. See AIDL spec at
+// :aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl
+impl IRemoteProvisioning for RemoteProvisioningService {
+ fn getPoolStatus(
+ &self,
+ expired_by: i64,
+ sec_level: SecurityLevel,
+ ) -> binder::public_api::Result<AttestationPoolStatus> {
+ map_or_log_err(self.get_pool_status(expired_by, sec_level), Ok)
+ }
+
+ fn generateCsr(
+ &self,
+ test_mode: bool,
+ num_csr: i32,
+ eek: &[u8],
+ challenge: &[u8],
+ sec_level: SecurityLevel,
+ ) -> binder::public_api::Result<Vec<u8>> {
+ map_or_log_err(self.generate_csr(test_mode, num_csr, eek, challenge, sec_level), Ok)
+ }
+
+ fn provisionCertChain(
+ &self,
+ public_key: &[u8],
+ certs: &[u8],
+ expiration_date: i64,
+ sec_level: SecurityLevel,
+ ) -> binder::public_api::Result<()> {
+ map_or_log_err(self.provision_cert_chain(public_key, certs, expiration_date, sec_level), Ok)
+ }
+
+ fn generateKeyPair(
+ &self,
+ is_test_mode: bool,
+ sec_level: SecurityLevel,
+ ) -> binder::public_api::Result<()> {
+ map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok)
+ }
+}