Merge "Keystore2: Batching listing of key entries"
diff --git a/fsverity/libfsverity_rs/Android.bp b/fsverity/libfsverity_rs/Android.bp
new file mode 100644
index 0000000..91b1248
--- /dev/null
+++ b/fsverity/libfsverity_rs/Android.bp
@@ -0,0 +1,17 @@
+package {
+ default_applicable_licenses: ["Android-Apache-2.0"],
+}
+
+rust_library {
+ name: "libfsverity_rs",
+ crate_name: "fsverity",
+ srcs: ["lib.rs"],
+ edition: "2021",
+ rustlibs: [
+ "libnix",
+ ],
+ apex_available: [
+ "com.android.compos",
+ "com.android.virt",
+ ],
+}
diff --git a/fsverity/libfsverity_rs/lib.rs b/fsverity/libfsverity_rs/lib.rs
new file mode 100644
index 0000000..473b2d5
--- /dev/null
+++ b/fsverity/libfsverity_rs/lib.rs
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! A wrapper library to use fs-verity
+
+mod sys;
+
+use crate::sys::*;
+use std::io;
+use std::os::fd::AsRawFd;
+use std::os::unix::io::BorrowedFd;
+
+fn read_metadata(fd: i32, metadata_type: u64, offset: u64, buf: &mut [u8]) -> io::Result<usize> {
+ let mut arg = fsverity_read_metadata_arg {
+ metadata_type,
+ offset,
+ length: buf.len() as u64,
+ buf_ptr: buf.as_mut_ptr() as u64,
+ __reserved: 0,
+ };
+ // SAFETY: the ioctl doesn't change the sematics in the current process
+ Ok(unsafe { read_verity_metadata(fd, &mut arg) }? as usize)
+}
+
+/// Read the raw Merkle tree from the fd, if it exists. The API semantics is similar to a regular
+/// pread(2), and may not return full requested buffer.
+pub fn read_merkle_tree(fd: i32, offset: u64, buf: &mut [u8]) -> io::Result<usize> {
+ read_metadata(fd, FS_VERITY_METADATA_TYPE_MERKLE_TREE, offset, buf)
+}
+
+/// Read the fs-verity signature from the fd (if exists). The returned signature should be complete.
+pub fn read_signature(fd: i32, buf: &mut [u8]) -> io::Result<usize> {
+ read_metadata(fd, FS_VERITY_METADATA_TYPE_SIGNATURE, 0 /* offset */, buf)
+}
+
+/// Enable fs-verity to the `fd`, with sha256 hash algorithm and 4KB block size.
+pub fn enable(fd: BorrowedFd) -> io::Result<()> {
+ let arg = fsverity_enable_arg {
+ version: 1,
+ hash_algorithm: FS_VERITY_HASH_ALG_SHA256,
+ block_size: 4096,
+ salt_size: 0,
+ salt_ptr: 0,
+ sig_size: 0,
+ __reserved1: 0,
+ sig_ptr: 0,
+ __reserved2: [0; 11],
+ };
+ // SAFETY: the ioctl doesn't change the sematics in the current process
+ if unsafe { enable_verity(fd.as_raw_fd(), &arg) } == Ok(0) {
+ Ok(())
+ } else {
+ Err(io::Error::last_os_error())
+ }
+}
diff --git a/fsverity/libfsverity_rs/sys.rs b/fsverity/libfsverity_rs/sys.rs
new file mode 100644
index 0000000..8ce0836
--- /dev/null
+++ b/fsverity/libfsverity_rs/sys.rs
@@ -0,0 +1,58 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+//! Stable API definition copied from uapi/linux/fsverity.h
+
+use nix::{ioctl_readwrite, ioctl_write_ptr};
+
+const FS_IOCTL_MAGIC: u8 = b'f';
+const FS_IOC_ENABLE_VERITY: u8 = 133;
+const FS_IOCTL_READ_VERITY_METADATA: u8 = 135;
+
+pub const FS_VERITY_HASH_ALG_SHA256: u32 = 1;
+pub const FS_VERITY_METADATA_TYPE_MERKLE_TREE: u64 = 1;
+pub const FS_VERITY_METADATA_TYPE_SIGNATURE: u64 = 3;
+
+#[repr(C)]
+pub struct fsverity_read_metadata_arg {
+ pub metadata_type: u64,
+ pub offset: u64,
+ pub length: u64,
+ pub buf_ptr: u64,
+ pub __reserved: u64,
+}
+
+ioctl_readwrite!(
+ read_verity_metadata,
+ FS_IOCTL_MAGIC,
+ FS_IOCTL_READ_VERITY_METADATA,
+ fsverity_read_metadata_arg
+);
+
+#[repr(C)]
+pub struct fsverity_enable_arg {
+ pub version: u32,
+ pub hash_algorithm: u32,
+ pub block_size: u32,
+ pub salt_size: u32,
+ pub salt_ptr: u64,
+ pub sig_size: u32,
+ pub __reserved1: u32,
+ pub sig_ptr: u64,
+ pub __reserved2: [u64; 11],
+}
+
+ioctl_write_ptr!(enable_verity, FS_IOCTL_MAGIC, FS_IOC_ENABLE_VERITY, fsverity_enable_arg);
diff --git a/keystore2/aidl/Android.bp b/keystore2/aidl/Android.bp
index e3961da..8f5c13b 100644
--- a/keystore2/aidl/Android.bp
+++ b/keystore2/aidl/Android.bp
@@ -103,28 +103,6 @@
}
aidl_interface {
- name: "android.security.remoteprovisioning",
- srcs: [ "android/security/remoteprovisioning/*.aidl" ],
- imports: [
- "android.hardware.security.keymint-V3",
- "android.hardware.security.rkp-V3",
- ],
- unstable: true,
- backend: {
- java: {
- platform_apis: true,
- },
- ndk: {
- enabled: true,
- apps_enabled: false,
- },
- rust: {
- enabled: true,
- },
- },
-}
-
-aidl_interface {
name: "android.security.maintenance",
srcs: [ "android/security/maintenance/*.aidl" ],
imports: [
diff --git a/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl b/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl
deleted file mode 100644
index 3528b42..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/AttestationPoolStatus.aidl
+++ /dev/null
@@ -1,45 +0,0 @@
-/*
- * Copyright 2020, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-/**
- * This parcelable provides information about the state of the attestation key pool.
- * @hide
- */
-parcelable AttestationPoolStatus {
- /**
- * The number of signed attestation certificate chains which will expire when the date provided
- * to keystore to check against is reached.
- */
- int expiring;
- /**
- * The number of signed attestation certificate chains which have not yet been assigned to an
- * app. This should be less than or equal to signed keys. The remainder of `signed` -
- * `unassigned` gives the number of signed keys that have been assigned to an app.
- */
- int unassigned;
- /**
- * The number of signed attestation keys. This should be less than or equal to `total`. The
- * remainder of `total` - `attested` gives the number of keypairs available to be sent off to
- * the server for signing.
- */
- int attested;
- /**
- * The total number of attestation keys.
- */
- int total;
-}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl b/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl
deleted file mode 100644
index ecdc790..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl
+++ /dev/null
@@ -1,148 +0,0 @@
-/*
- * Copyright (C) 2020 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-import android.hardware.security.keymint.DeviceInfo;
-import android.hardware.security.keymint.ProtectedData;
-import android.hardware.security.keymint.SecurityLevel;
-import android.security.remoteprovisioning.AttestationPoolStatus;
-import android.security.remoteprovisioning.ImplInfo;
-
-/**
- * `IRemoteProvisioning` is the interface provided to use the remote provisioning functionality
- * provided through KeyStore. The intent is for a higher level system component to use these
- * functions in order to drive the process through which the device can receive functioning
- * attestation certificates.
- *
- * ## Error conditions
- * Error conditions are reported as service specific errors.
- * Positive codes correspond to `android.security.remoteprovisioning.ResponseCode`
- * and indicate error conditions diagnosed by the Keystore 2.0 service.
- * TODO: Remote Provisioning HAL error code info
- *
- * `ResponseCode::PERMISSION_DENIED` if the caller does not have the permissions
- * to use the RemoteProvisioning API. This permission is defined under access_vectors in SEPolicy
- * in the keystore2 class: remotely_provision
- *
- * `ResponseCode::SYSTEM_ERROR` for any unexpected errors like IO or IPC failures.
- *
- * @hide
- */
-interface IRemoteProvisioning {
-
- /**
- * Returns the status of the attestation key pool in the database.
- *
- * @param expiredBy The date as seconds since epoch by which to judge expiration status of
- * certificates.
- *
- * @param secLevel The security level to specify which KM instance to get the pool for.
- *
- * @return The `AttestationPoolStatus` parcelable contains fields communicating information
- * relevant to making decisions about when to generate and provision
- * more attestation keys.
- */
- AttestationPoolStatus getPoolStatus(in long expiredBy, in SecurityLevel secLevel);
-
- /**
- * This is the primary entry point for beginning a remote provisioning flow. The caller
- * specifies how many CSRs should be generated and provides an X25519 ECDH public key along
- * with a challenge to encrypt privacy sensitive portions of the returned CBOR blob and
- * guarantee freshness of the request to the certifying third party.
- *
- * ## Error conditions
- * `ResponseCode::NO_UNSIGNED_KEYS` if there are no unsigned keypairs in the database that can
- * be used for the CSRs.
- *
- * A RemoteProvisioning HAL response code may indicate backend errors such as failed EEK
- * verification.
- *
- * @param testMode Whether or not the TA implementing the Remote Provisioning HAL should accept
- * any EEK (Endpoint Encryption Key), or only one signed by a chain
- * that verifies back to the Root of Trust baked into the TA. True
- * means that any key is accepted.
- *
- * @param numCsr How many certificate signing requests should be generated.
- *
- * @param eek A chain of certificates terminating in an X25519 public key, the Endpoint
- * Encryption Key.
- *
- * @param challenge A challenge to be included and MACed in the returned CBOR blob.
- *
- * @param secLevel The security level to specify which KM instance from which to generate a
- * CSR.
- *
- * @param protectedData The encrypted CBOR blob generated by the remote provisioner
- *
- * @return A CBOR blob composed of various elements required by the server to verify the
- * request.
- */
- byte[] generateCsr(in boolean testMode, in int numCsr, in byte[] eek, in byte[] challenge,
- in SecurityLevel secLevel, out ProtectedData protectedData, out DeviceInfo deviceInfo);
-
- /**
- * This method provides a way for the returned attestation certificate chains to be provisioned
- * to the attestation key database. When an app requests an attesation key, it will be assigned
- * one of these certificate chains along with the corresponding private key.
- *
- * @param publicKey The raw public key encoded in the leaf certificate.
- *
- * @param batchCert The batch certificate corresponding to the attestation key. Separated for
- * the purpose of making Subject lookup for KM attestation easier.
- *
- * @param certs An X.509, DER encoded certificate chain for the attestation key.
- *
- * @param expirationDate The expiration date on the certificate chain, provided by the caller
- * for convenience.
- *
- * @param secLevel The security level representing the KM instance containing the key that this
- * chain corresponds to.
- */
- void provisionCertChain(in byte[] publicKey, in byte[] batchCert, in byte[] certs,
- in long expirationDate, in SecurityLevel secLevel);
-
- /**
- * This method allows the caller to instruct KeyStore to generate and store a key pair to be
- * used for attestation in the `generateCsr` method. The caller should handle spacing out these
- * requests so as not to jam up the KeyStore work queue.
- *
- * @param is_test_mode Instructs the underlying HAL interface to mark the generated key with a
- * tag to indicate that it's for testing.
- *
- * @param secLevel The security level to specify which KM instance should generate a key pair.
- */
- void generateKeyPair(in boolean is_test_mode, in SecurityLevel secLevel);
-
- /**
- * This method returns implementation information for whichever instances of
- * IRemotelyProvisionedComponent are running on the device. The RemoteProvisioner app needs to
- * know which KM instances it should be generating and managing attestation keys for, and which
- * EC curves are supported in those instances.
- *
- * @return The array of ImplInfo parcelables.
- */
- ImplInfo[] getImplementationInfo();
-
- /**
- * This method deletes all remotely provisioned attestation keys in the database, regardless
- * of what state in their life cycle they are in. This is primarily useful to facilitate
- * testing.
- *
- * @return Number of keys deleted
- */
- long deleteAllKeys();
-}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.aidl b/keystore2/aidl/android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.aidl
deleted file mode 100644
index 7d45e52..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.aidl
+++ /dev/null
@@ -1,49 +0,0 @@
-/*
- * Copyright (C) 2021 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-import android.security.remoteprovisioning.RemotelyProvisionedKey;
-
-/**
- * This is the interface providing access to remotely-provisioned attestation keys
- * for an `IRemotelyProvisionedComponent`.
- *
- * @hide
- */
-interface IRemotelyProvisionedKeyPool {
-
- /**
- * Fetches an attestation key for the given uid and `IRemotelyProvisionedComponent`, as
- * identified by the given id.
-
- * Callers require the keystore2::get_attestation_key permission.
- *
- * ## Error conditions
- * `android.system.keystore2.ResponseCode::PERMISSION_DENIED` if the caller does not have the
- * `keystore2::get_attestation_key` permission
- *
- * @param clientUid The client application for which an attestation key is needed.
- *
- * @param irpcId The unique identifier for the `IRemotelyProvisionedComponent` for which a key
- * is requested. This id may be retrieved from a given component via the
- * `IRemotelyProvisionedComponent::getHardwareInfo` function.
- *
- * @return A `RemotelyProvisionedKey` parcelable containing a key and certification chain for
- * the given `IRemotelyProvisionedComponent`.
- */
- RemotelyProvisionedKey getAttestationKey(in int clientUid, in @utf8InCpp String irpcId);
-}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/ImplInfo.aidl b/keystore2/aidl/android/security/remoteprovisioning/ImplInfo.aidl
deleted file mode 100644
index 9baeb24..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/ImplInfo.aidl
+++ /dev/null
@@ -1,37 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-import android.hardware.security.keymint.SecurityLevel;
-
-/**
- * This parcelable provides information about the underlying IRemotelyProvisionedComponent
- * implementation.
- * @hide
- */
-parcelable ImplInfo {
- /**
- * The security level of the underlying implementation: TEE or StrongBox.
- */
- SecurityLevel secLevel;
- /**
- * An integer denoting which EC curve is supported in the underlying implementation. The current
- * options are either P256 or 25519, with values defined in
- * hardware/interfaces/security/keymint/aidl/.../RpcHardwareInfo.aidl
- */
- int supportedCurve;
-}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/RemotelyProvisionedKey.aidl b/keystore2/aidl/android/security/remoteprovisioning/RemotelyProvisionedKey.aidl
deleted file mode 100644
index ae21855..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/RemotelyProvisionedKey.aidl
+++ /dev/null
@@ -1,42 +0,0 @@
-/*
- * Copyright 2021, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-/**
- * A `RemotelyProvisionedKey` holds an attestation key and the corresponding remotely provisioned
- * certificate chain.
- *
- * @hide
- */
-@RustDerive(Eq=true, PartialEq=true)
-parcelable RemotelyProvisionedKey {
- /**
- * The remotely-provisioned key that may be used to sign attestations. The format of this key
- * is opaque, and need only be understood by the IRemotelyProvisionedComponent that generated
- * it.
- *
- * Any private key material contained within this blob must be encrypted.
- */
- byte[] keyBlob;
-
- /**
- * Sequence of DER-encoded X.509 certificates that make up the attestation key's certificate
- * chain. This is the binary encoding for a chain that is supported by Java's
- * CertificateFactory.generateCertificates API.
- */
- byte[] encodedCertChain;
-}
diff --git a/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl b/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl
deleted file mode 100644
index c9877db..0000000
--- a/keystore2/aidl/android/security/remoteprovisioning/ResponseCode.aidl
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright 2020, The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package android.security.remoteprovisioning;
-
-@Backing(type="int")
-/** @hide */
-enum ResponseCode {
- /**
- * Returned if there are no keys available in the database to be used in a CSR
- */
- NO_UNSIGNED_KEYS = 1,
- /**
- * The caller has imrproper SELinux permissions to access the Remote Provisioning API.
- */
- PERMISSION_DENIED = 2,
- /**
- * An unexpected error occurred, likely with IO or IPC.
- */
- SYSTEM_ERROR = 3,
-}