Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 5aa93e08a8715cfcec5f52fb4ffe41ba1a9bad50^! / . / keystore / IKeystoreService.cpp
commit5aa93e08a8715cfcec5f52fb4ffe41ba1a9bad50[log] [tgz]
authorBartosz Fabianowski <bartfab@google.com>Mon Apr 24 13:54:49 2017 +0200
committerBartosz Fabianowski <bartfab@google.com>Wed Apr 26 10:51:24 2017 +0200
tree0f08100ed68a4cce283a45c0379e7f61825415e8
parente0256a8dbb06b8cc4b38b6b475b44d369eec383e [diff] [blame]
Add device ID attestation method to keymaster

Device ID attestation consists of three steps:
* Generate a temporary key
* Attest the key and desired device IDs
* Delete the temporary key

Rather than being spread over three keymaster APIs, these operations
should happen automatically in a single keymaster method.

Bug: 34734938
Test: GTS com.google.android.gts.security.DeviceIdAttestationHostTest

Change-Id: Icbbc2dfc84f8b4f39d0e7ea880844d4f38b63f66

diff --git a/keystore/IKeystoreService.cpp b/keystore/IKeystoreService.cpp
index 4c26b60..344687b 100644
--- a/keystore/IKeystoreService.cpp
+++ b/keystore/IKeystoreService.cpp

@@ -878,6 +878,31 @@
         return ret;
     }
 
+    KeyStoreServiceReturnCode attestDeviceIds(const hidl_vec<KeyParameter>& params,
+                                              hidl_vec<hidl_vec<uint8_t>>* outChain) override {
+        if (!outChain) return ErrorCode::OUTPUT_PARAMETER_NULL;
+
+        Parcel data, reply;
+        data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
+        nullable(writeParamSetToParcel, params, &data);
+
+        status_t status = remote()->transact(BnKeystoreService::ATTEST_DEVICE_IDS, data, &reply);
+        if (status != NO_ERROR) {
+            ALOGD("attestDeviceIds() count not contact remote: %d\n", status);
+            return ResponseCode::SYSTEM_ERROR;
+        }
+        int32_t err = reply.readExceptionCode();
+        ResponseCode ret = ResponseCode(reply.readInt32());
+        if (err < 0) {
+            ALOGD("attestDeviceIds() caught exception %d\n", err);
+            return ResponseCode::SYSTEM_ERROR;
+        }
+        if (reply.readInt32() != 0) {
+            *outChain = readCertificateChainFromParcel(reply);
+        }
+        return ret;
+    }
+
     KeyStoreServiceReturnCode onDeviceOffBody() override {
         Parcel data, reply;
         data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
@@ -1305,6 +1330,19 @@
 
         return NO_ERROR;
     }
+
+    case ATTEST_DEVICE_IDS: {
+        CHECK_INTERFACE(IKeystoreService, data, reply);
+        auto params = nullable(readParamSetFromParcel, data);
+        hidl_vec<hidl_vec<uint8_t>> chain;
+        int ret = attestDeviceIds(params.value(), &chain);
+        reply->writeNoException();
+        reply->writeInt32(ret);
+        nullable(writeCertificateChainToParcel, chain, reply);
+
+        return NO_ERROR;
+    }
+
     case ON_DEVICE_OFF_BODY: {
         CHECK_INTERFACE(IKeystoreService, data, reply);
         int32_t ret = onDeviceOffBody();