Merge "Refactor: disambiguate fs-verity helper functions"
diff --git a/identity/Android.bp b/identity/Android.bp
index 4e4b79a..9117b7f 100644
--- a/identity/Android.bp
+++ b/identity/Android.bp
@@ -59,6 +59,7 @@
         "libutilscallstack",
     ],
     static_libs: [
+        "android.hardware.security.rkp-V3-cpp",
         "android.hardware.keymaster-V3-cpp",
         "libcppbor_external",
     ],
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 0e5afd9..51ce9d1 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -31,6 +31,7 @@
     ],
 
     rustlibs: [
+        "android.hardware.security.rkp-V3-rust",
         "android.hardware.security.secureclock-V1-rust",
         "android.hardware.security.sharedsecret-V1-rust",
         "android.os.permissions_aidl-rust",
@@ -84,6 +85,7 @@
         "keystore2_use_latest_aidl_rust",
     ],
     rustlibs: [
+        "android.hardware.security.rkp-V3-rust",
         "libbinder_rs",
         "libkeystore2_selinux",
         "liblog_rust",
@@ -121,6 +123,7 @@
     auto_gen_config: true,
     compile_multilib: "first",
     rustlibs: [
+        "android.hardware.security.rkp-V3-rust",
         "libbinder_rs",
         "libkeystore2_selinux",
         "liblog_rust",
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index 8ea227b..1e6d4dc 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -107,6 +107,7 @@
     srcs: [ "android/security/remoteprovisioning/*.aidl" ],
     imports: [
         "android.hardware.security.keymint-V3",
+        "android.hardware.security.rkp-V3",
     ],
     unstable: true,
     backend: {
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index c617240..425812f 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -31,9 +31,10 @@
 use crate::km_compat::{KeyMintV1, BacklevelKeyMintWrapper};
 use crate::{enforcements::Enforcements, error::map_km_error};
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
-    IKeyMintDevice::IKeyMintDevice, IRemotelyProvisionedComponent::IRemotelyProvisionedComponent,
-    KeyMintHardwareInfo::KeyMintHardwareInfo, SecurityLevel::SecurityLevel,
+    IKeyMintDevice::IKeyMintDevice, KeyMintHardwareInfo::KeyMintHardwareInfo,
+    SecurityLevel::SecurityLevel,
 };
+use android_hardware_security_rkp::aidl::android::hardware::security::keymint::IRemotelyProvisionedComponent::IRemotelyProvisionedComponent;
 use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
     ISecureClock::ISecureClock,
 };
diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
index d513db0..e27cd1c 100644
--- a/keystore2/src/km_compat/km_compat.cpp
+++ b/keystore2/src/km_compat/km_compat.cpp
@@ -500,8 +500,30 @@
 ScopedAStatus KeyMintDevice::importKey(const std::vector<KeyParameter>& inKeyParams,
                                        KeyFormat in_inKeyFormat,
                                        const std::vector<uint8_t>& in_inKeyData,
-                                       const std::optional<AttestationKey>& /* in_attestationKey */,
+                                       const std::optional<AttestationKey>& in_attestationKey,
                                        KeyCreationResult* out_creationResult) {
+    // Since KeyMaster doesn't support ECDH, route all ECDH key import requests to
+    // soft-KeyMint.
+    //
+    // For this to work we'll need to also route begin() and deleteKey() calls to
+    // soft-KM. In order to do that, we'll prefix all keyblobs with whether it was
+    // created by the real underlying KeyMaster HAL or whether it was created by
+    // soft-KeyMint.
+    //
+    // See keyBlobPrefix() for more discussion.
+    //
+    for (const auto& keyParam : inKeyParams) {
+        if (keyParam.tag == Tag::PURPOSE &&
+            keyParam.value.get<KeyParameterValue::Tag::keyPurpose>() == KeyPurpose::AGREE_KEY) {
+            auto ret = softKeyMintDevice_->importKey(inKeyParams, in_inKeyFormat, in_inKeyData,
+                                                     in_attestationKey, out_creationResult);
+            if (ret.isOk()) {
+                out_creationResult->keyBlob = keyBlobPrefix(out_creationResult->keyBlob, true);
+            }
+            return ret;
+        }
+    }
+
     auto legacyKeyGENParams = convertKeyParametersToLegacy(extractGenerationParams(inKeyParams));
     auto legacyKeyFormat = convertKeyFormatToLegacy(in_inKeyFormat);
     KMV1::ErrorCode errorCode;
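Review bot: The AGREE_KEY check in the new loop calls `keyParam.value.get<KeyParameterValue::Tag::keyPurpose>()` after testing only `keyParam.tag == Tag::PURPOSE`, so nothing visible here confirms that the union actually holds a keyPurpose. As far as I know the AIDL-generated `get<>()` aborts on a tag mismatch, so one malformed parameter could take the service down instead of producing an error status; I would add `keyParam.value.getTag() == KeyParameterValue::Tag::keyPurpose &&` before the comparison. Separately, `in_attestationKey` is now forwarded unchanged to soft-KeyMint. If its blob carries the prefix described in the comment, it presumably needs the same unwrapping that begin() and deleteKey() get, which this hunk does not show. importKey's body continues past the end of the hunk.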
diff --git a/keystore2/src/km_compat/km_compat_type_conversion.h b/keystore2/src/km_compat/km_compat_type_conversion.h
index 33248a4..5db7e3d 100644
--- a/keystore2/src/km_compat/km_compat_type_conversion.h
+++ b/keystore2/src/km_compat/km_compat_type_conversion.h
@@ -750,6 +750,7 @@
     case KMV1::Tag::CERTIFICATE_SUBJECT:
     case KMV1::Tag::CERTIFICATE_NOT_BEFORE:
     case KMV1::Tag::CERTIFICATE_NOT_AFTER:
+    case KMV1::Tag::ATTESTATION_ID_SECOND_IMEI:
         // These tags do not exist in KM < KeyMint 1.0.
         break;
     case KMV1::Tag::MAX_BOOT_LEVEL:
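Review bot: `ATTESTATION_ID_SECOND_IMEI` joins a case group whose comment says the tags do not exist in KM < KeyMint 1.0, but as far as I know this tag was introduced in a later KeyMint version, so the comment is misleading for it. Something like `// These tags do not exist in legacy KeyMaster (added in KeyMint 1.0 or later).` would be accurate for the whole group. Because the branch only does `break`, the tag appears to be dropped without an error. It is worth confirming that a caller requesting attestation of the second IMEI cannot get a certificate that omits it while the call still succeeds. The switch starts and ends outside this hunk.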
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 00fb572..fec1b92 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -23,11 +23,13 @@
 
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
-    DeviceInfo::DeviceInfo, IRemotelyProvisionedComponent::IRemotelyProvisionedComponent,
-    KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue,
-    MacedPublicKey::MacedPublicKey, ProtectedData::ProtectedData, SecurityLevel::SecurityLevel,
+    KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
     Tag::Tag,
 };
+use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
+    DeviceInfo::DeviceInfo, IRemotelyProvisionedComponent::IRemotelyProvisionedComponent,
+    MacedPublicKey::MacedPublicKey, ProtectedData::ProtectedData,
+};
 use android_security_remoteprovisioning::aidl::android::security::remoteprovisioning::{
     AttestationPoolStatus::AttestationPoolStatus, IRemoteProvisioning::BnRemoteProvisioning,
     IRemoteProvisioning::IRemoteProvisioning,
@@ -692,7 +694,7 @@
     use serde_cbor::Value;
     use std::collections::BTreeMap;
     use std::sync::{Arc, Mutex};
-    use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+    use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
         RpcHardwareInfo::RpcHardwareInfo,
     };
 
diff --git a/provisioner/Android.bp b/provisioner/Android.bp
index 87f39d0..b548973 100644
--- a/provisioner/Android.bp
+++ b/provisioner/Android.bp
@@ -55,6 +55,7 @@
         "liblog",
     ],
     static_libs: [
+        "android.hardware.security.rkp-V3-ndk",
         "libbase",
         "libcppbor_external",
         "libcppcose_rkp",