commit 1a203e37e7384df8b6b51ea17e65f9eedd88e6c3
author Rubin Xu <rubinxu@google.com> Tue May 08 14:25:21 2018 +0100
committer Rubin Xu <rubinxu@google.com> Thu May 10 18:57:32 2018 +0100
tree e63997734a3db8e92b6f1d727e12ee72a632bbaf
parent 33aac2dda210791b4ba155d204ceff56b77a28a9

Allow KeyChain from work profile to do key attestation

KeyChain from work profile should be able to do key attestation
with basic device info; while KeyChain from user 0 can additionally
request attestation with unique device IDs.

Bug: 72658852
Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedManagedProfileOwnerTest#testKeyManagement
Change-Id: I3f5f450c53e2269442d0338ebf1ee4054ae9b242

keystore/key_store_service.cpp

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 87dccaf..191811a 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -64,6 +64,8 @@
 constexpr size_t kMaxOperations = 15;
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
+const int ID_ATTESTATION_REQUEST_GENERIC_INFO = 1 << 0;
+const int ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID = 1 << 1;
 
 struct BIGNUM_Delete {
     void operator()(BIGNUM* p) const { BN_free(p); }
@@ -1551,24 +1553,28 @@
     return Status::ok();
 }
 
-bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
+int isDeviceIdAttestationRequested(const KeymasterArguments& params) {
     const hardware::hidl_vec<KeyParameter> paramsVec = params.getParameters();
+    int result = 0;
     for (size_t i = 0; i < paramsVec.size(); ++i) {
         switch (paramsVec[i].tag) {
         case Tag::ATTESTATION_ID_BRAND:
         case Tag::ATTESTATION_ID_DEVICE:
-        case Tag::ATTESTATION_ID_IMEI:
         case Tag::ATTESTATION_ID_MANUFACTURER:
-        case Tag::ATTESTATION_ID_MEID:
         case Tag::ATTESTATION_ID_MODEL:
         case Tag::ATTESTATION_ID_PRODUCT:
-        case Tag::ATTESTATION_ID_SERIAL:
-            return true;
-        default:
+            result |= ID_ATTESTATION_REQUEST_GENERIC_INFO;
             break;
+        case Tag::ATTESTATION_ID_IMEI:
+        case Tag::ATTESTATION_ID_MEID:
+        case Tag::ATTESTATION_ID_SERIAL:
+            result |= ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
+            break;
+        default:
+            continue;
         }
     }
-    return false;
+    return result;
 }
 
 Status KeyStoreService::attestKey(const String16& name, const KeymasterArguments& params,
@@ -1582,9 +1588,15 @@
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
 
-    if (isDeviceIdAttestationRequested(params) && (callingUid != AID_SYSTEM)) {
-        // Only the system context may request Device ID attestation combined with key attestation.
-        // Otherwise, There is a dedicated attestDeviceIds() method for device ID attestation.
+    int needsIdAttestation = isDeviceIdAttestationRequested(params);
+    bool needsUniqueIdAttestation = needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
+    bool isPrimaryUserSystemUid = (callingUid == AID_SYSTEM);
+    bool isSomeUserSystemUid = (get_app_id(callingUid) == AID_SYSTEM);
+    // Allow system context from any user to request attestation with basic device information,
+    // while only allow system context from user 0 (device owner) to request attestation with
+    // unique device ID.
+    if ((needsIdAttestation && !isSomeUserSystemUid) ||
+        (needsUniqueIdAttestation && !isPrimaryUserSystemUid)) {
         *aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
         return Status::ok();
     }