Merge "Add cc static library for fsverity digests"
diff --git a/diced/src/error.rs b/diced/src/error.rs
index 92aa97c..3e230e4 100644
--- a/diced/src/error.rs
+++ b/diced/src/error.rs
@@ -14,9 +14,7 @@
use android_security_dice::aidl::android::security::dice::ResponseCode::ResponseCode;
use anyhow::Result;
-use binder::{
- public_api::Result as BinderResult, ExceptionCode, Status as BinderStatus, StatusCode,
-};
+use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode};
use keystore2_selinux as selinux;
use std::ffi::CString;
diff --git a/diced/src/error_vendor.rs b/diced/src/error_vendor.rs
index 10d50dd..e8657e0 100644
--- a/diced/src/error_vendor.rs
+++ b/diced/src/error_vendor.rs
@@ -14,9 +14,7 @@
use android_hardware_security_dice::aidl::android::hardware::security::dice::ResponseCode::ResponseCode;
use anyhow::Result;
-use binder::public_api::{
- ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode,
-};
+use binder::{ExceptionCode, Result as BinderResult, Status as BinderStatus, StatusCode};
use std::ffi::CString;
/// This is the error type for DICE HAL implementations. It wraps
diff --git a/diced/src/hal_node.rs b/diced/src/hal_node.rs
index bac60b5..01a7577 100644
--- a/diced/src/hal_node.rs
+++ b/diced/src/hal_node.rs
@@ -33,7 +33,7 @@
InputValues::InputValues as BinderInputValues, Signature::Signature,
};
use anyhow::{Context, Result};
-use binder::public_api::{BinderFeatures, Result as BinderResult, Strong};
+use binder::{BinderFeatures, Result as BinderResult, Strong};
use dice::{ContextImpl, OpenDiceCborContext};
use diced_open_dice_cbor as dice;
use diced_utils as utils;
diff --git a/diced/src/lib.rs b/diced/src/lib.rs
index a663144..9594977 100644
--- a/diced/src/lib.rs
+++ b/diced/src/lib.rs
@@ -30,7 +30,7 @@
IDiceNode::IDiceNode, ResponseCode::ResponseCode,
};
use anyhow::{Context, Result};
-use binder::{public_api::Result as BinderResult, BinderFeatures, Strong, ThreadState};
+use binder::{BinderFeatures, Result as BinderResult, Strong, ThreadState};
pub use diced_open_dice_cbor as dice;
use error::{map_or_log_err, Error};
use keystore2_selinux as selinux;
diff --git a/diced/src/proxy_node_hal.rs b/diced/src/proxy_node_hal.rs
index 3f31419..8d883d2 100644
--- a/diced/src/proxy_node_hal.rs
+++ b/diced/src/proxy_node_hal.rs
@@ -23,7 +23,7 @@
InputValues::InputValues as BinderInputValues, Signature::Signature,
};
use anyhow::{Context, Result};
-use binder::public_api::Strong;
+use binder::Strong;
use std::collections::HashMap;
use std::sync::RwLock;
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index da60297..13a9143 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -25,8 +25,8 @@
};
use anyhow::{Context, Result};
use keystore2::{
- async_task::AsyncTask, legacy_blob::LegacyBlobLoader, maintenance::DeleteListener,
- maintenance::Domain, utils::watchdog as wd,
+ async_task::AsyncTask, error::anyhow_error_to_cstring, legacy_blob::LegacyBlobLoader,
+ maintenance::DeleteListener, maintenance::Domain, utils::watchdog as wd,
};
use rusqlite::{
params, Connection, OptionalExtension, Transaction, TransactionBehavior, NO_PARAMS,
@@ -226,7 +226,10 @@
if log_error {
log::error!("{:?}", e);
}
- Err(BinderStatus::new_service_specific_error(rc, None))
+ Err(BinderStatus::new_service_specific_error(
+ rc,
+ anyhow_error_to_cstring(&e).as_deref(),
+ ))
},
handle_ok,
)
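Review bot: The `anyhow_error_to_cstring(&e).as_deref()` argument added to `new_service_specific_error` sends the Debug rendering of the whole anyhow chain to the binder caller, where before only the numeric code left the process. In this file the chain wraps rusqlite errors (see the `rusqlite` imports at the top of the hunk set), and their messages can carry SQL or storage details that presumably were only ever meant for the log; whether any of that is sensitive to a legacykeystore client should be checked before shipping. If a client-facing message is wanted, a flatter rendering such as `anyhow_error_to_cstring` built on `format!("{:#}", e)` avoids shipping a backtrace, and the closure could still fall back to `None` for errors it chooses not to describe. The enclosing `map_or_log_err` helper starts before this hunk.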
diff --git a/keystore2/src/apc.rs b/keystore2/src/apc.rs
index 0096686..7d56dc9 100644
--- a/keystore2/src/apc.rs
+++ b/keystore2/src/apc.rs
@@ -21,6 +21,7 @@
sync::{mpsc::Sender, Arc, Mutex},
};
+use crate::error::anyhow_error_to_cstring;
use crate::utils::{compat_2_response_code, ui_opts_2_compat, watchdog as wd};
use android_security_apc::aidl::android::security::apc::{
IConfirmationCallback::IConfirmationCallback,
@@ -110,7 +111,10 @@
_ => ResponseCode::SYSTEM_ERROR.0,
},
};
- Err(BinderStatus::new_service_specific_error(rc, None))
+ Err(BinderStatus::new_service_specific_error(
+ rc,
+ anyhow_error_to_cstring(&e).as_deref(),
+ ))
},
handle_ok,
)
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index 04626bc..64b498f 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -15,6 +15,7 @@
//! This module implements IKeystoreAuthorization AIDL interface.
use crate::error::Error as KeystoreError;
+use crate::error::anyhow_error_to_cstring;
use crate::globals::{ENFORCEMENTS, SUPER_KEY, DB, LEGACY_MIGRATOR};
use crate::permission::KeystorePerm;
use crate::super_key::UserState;
@@ -88,7 +89,10 @@
// as well.
_ => ResponseCode::SYSTEM_ERROR.0,
};
- return Err(BinderStatus::new_service_specific_error(rc, None));
+ return Err(BinderStatus::new_service_specific_error(
+ rc,
+ anyhow_error_to_cstring(&e).as_deref(),
+ ));
}
let rc = match root_cause.downcast_ref::<Error>() {
Some(Error::Rc(rcode)) => rcode.0,
@@ -98,7 +102,10 @@
_ => ResponseCode::SYSTEM_ERROR.0,
},
};
- Err(BinderStatus::new_service_specific_error(rc, None))
+ Err(BinderStatus::new_service_specific_error(
+ rc,
+ anyhow_error_to_cstring(&e).as_deref(),
+ ))
},
handle_ok,
)
@@ -265,7 +272,7 @@
challenge: i64,
secure_user_id: i64,
auth_token_max_age_millis: i64,
- ) -> binder::public_api::Result<AuthorizationTokens> {
+ ) -> binder::Result<AuthorizationTokens> {
let _wp = wd::watch_millis("IKeystoreAuthorization::getAuthTokensForCredStore", 500);
map_or_log_err(
self.get_auth_tokens_for_credstore(
diff --git a/keystore2/src/error.rs b/keystore2/src/error.rs
index f969cb6..42dd3d2 100644
--- a/keystore2/src/error.rs
+++ b/keystore2/src/error.rs
@@ -37,6 +37,7 @@
};
use keystore2_selinux as selinux;
use std::cmp::PartialEq;
+use std::ffi::CString;
/// This is the main Keystore error type. It wraps the Keystore `ResponseCode` generated
/// from AIDL in the `Rc` variant and Keymint `ErrorCode` in the Km variant.
@@ -184,6 +185,20 @@
)
}
+/// This function turns an anyhow error into an optional CString.
+/// This is especially useful to add a message string to a service specific error.
+/// If the formatted string was not convertible because it contained a nul byte,
+/// None is returned and a warning is logged.
+pub fn anyhow_error_to_cstring(e: &anyhow::Error) -> Option<CString> {
+ match CString::new(format!("{:?}", e)) {
+ Ok(msg) => Some(msg),
+ Err(_) => {
+ log::warn!("Cannot convert error message to CStr. It contained a nul byte.");
+ None
+ }
+ }
+}
+
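Review bot: `format!("{:?}", e)` on an `anyhow::Error` renders the full context chain and, when backtrace capture is enabled for the process, the captured backtrace as well; every call site in this change hands the result to `new_service_specific_error`, so that text now crosses the binder boundary to the caller. A backtrace and multi-line chain are more than a client needs and more than the log previously exposed to it, so `match CString::new(format!("{:#}", e)) {` (alternate Display: the chain on one line, no backtrace) is the safer rendering here. The doc comment should also state the contract explicitly, e.g. `/// The returned text is intended to be sent to binder callers, so contexts attached with .context() must not contain secrets.`, so that future `.context(...)` strings are written with that audience in mind. A length cap on the message would be worth considering too, since binder parcels are caller-visible and the chain depth is unbounded.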
/// This function behaves similar to map_or_log_error, but it does not log the errors, instead
/// it calls map_err on the error before mapping it to a binder result allowing callers to
/// log or transform the error before mapping it.
@@ -200,7 +215,10 @@
|e| {
let e = map_err(e);
let rc = get_error_code(&e);
- Err(BinderStatus::new_service_specific_error(rc, None))
+ Err(BinderStatus::new_service_specific_error(
+ rc,
+ anyhow_error_to_cstring(&e).as_deref(),
+ ))
},
handle_ok,
)
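Review bot: The doc comment of `map_err_with` (above this hunk) still describes it as the variant that lets callers log or transform the error, but after this change the transformed error's rendered text is also returned to the binder caller, and nothing in the comment says so. Since `map_err` runs before the message is built, it is the natural place for a caller to strip details that must not leave the process; suggest adding `/// The mapped error's rendered message is returned to the binder caller as the service-specific error message, so map_err is where anything that must stay in-process should be removed.` to the comment. The enclosing function's signature and the rest of its body lie outside the hunk.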
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 39958a3..d5feee1 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -158,7 +158,7 @@
fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
where
- F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
{
let (km_dev, _, _) = get_keymint_device(&sec_level)
.context("In call_with_watchdog: getting keymint device")?;
@@ -172,7 +172,7 @@
fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
where
- F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::Result<()>,
{
let sec_levels = [
(SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
diff --git a/keystore2/src/operation.rs b/keystore2/src/operation.rs
index 7e08f4e..5da3b32 100644
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@@ -493,7 +493,7 @@
/// owner uid and returns a new Operation wrapped in a `std::sync::Arc`.
pub fn create_operation(
&self,
- km_op: binder::public_api::Strong<dyn IKeyMintOperation>,
+ km_op: binder::Strong<dyn IKeyMintOperation>,
owner: u32,
auth_info: AuthInfo,
forced: bool,
@@ -771,9 +771,7 @@
/// BnKeystoreOperation proxy object. It also enables
/// `BinderFeatures::set_requesting_sid` on the new interface, because
/// we need it for checking Keystore permissions.
- pub fn new_native_binder(
- operation: Arc<Operation>,
- ) -> binder::public_api::Strong<dyn IKeystoreOperation> {
+ pub fn new_native_binder(operation: Arc<Operation>) -> binder::Strong<dyn IKeystoreOperation> {
BnKeystoreOperation::new_binder(
Self { operation: Mutex::new(Some(operation)) },
BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
@@ -821,7 +819,7 @@
impl binder::Interface for KeystoreOperation {}
impl IKeystoreOperation for KeystoreOperation {
- fn updateAad(&self, aad_input: &[u8]) -> binder::public_api::Result<()> {
+ fn updateAad(&self, aad_input: &[u8]) -> binder::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::updateAad", 500);
map_or_log_err(
self.with_locked_operation(
@@ -832,7 +830,7 @@
)
}
- fn update(&self, input: &[u8]) -> binder::public_api::Result<Option<Vec<u8>>> {
+ fn update(&self, input: &[u8]) -> binder::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::update", 500);
map_or_log_err(
self.with_locked_operation(
@@ -846,7 +844,7 @@
&self,
input: Option<&[u8]>,
signature: Option<&[u8]>,
- ) -> binder::public_api::Result<Option<Vec<u8>>> {
+ ) -> binder::Result<Option<Vec<u8>>> {
let _wp = wd::watch_millis("IKeystoreOperation::finish", 500);
map_or_log_err(
self.with_locked_operation(
@@ -857,7 +855,7 @@
)
}
- fn abort(&self) -> binder::public_api::Result<()> {
+ fn abort(&self) -> binder::Result<()> {
let _wp = wd::watch_millis("IKeystoreOperation::abort", 500);
map_err_with(
self.with_locked_operation(
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 66e1988..132ffbe 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -489,7 +489,7 @@
&self,
expired_by: i64,
sec_level: SecurityLevel,
- ) -> binder::public_api::Result<AttestationPoolStatus> {
+ ) -> binder::Result<AttestationPoolStatus> {
let _wp = wd::watch_millis("IRemoteProvisioning::getPoolStatus", 500);
map_or_log_err(get_pool_status(expired_by, sec_level), Ok)
}
@@ -503,7 +503,7 @@
sec_level: SecurityLevel,
protected_data: &mut ProtectedData,
device_info: &mut DeviceInfo,
- ) -> binder::public_api::Result<Vec<u8>> {
+ ) -> binder::Result<Vec<u8>> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateCsr", 500);
map_or_log_err(
self.generate_csr(
@@ -526,7 +526,7 @@
certs: &[u8],
expiration_date: i64,
sec_level: SecurityLevel,
- ) -> binder::public_api::Result<()> {
+ ) -> binder::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::provisionCertChain", 500);
map_or_log_err(
self.provision_cert_chain(public_key, batch_cert, certs, expiration_date, sec_level),
@@ -534,21 +534,17 @@
)
}
- fn generateKeyPair(
- &self,
- is_test_mode: bool,
- sec_level: SecurityLevel,
- ) -> binder::public_api::Result<()> {
+ fn generateKeyPair(&self, is_test_mode: bool, sec_level: SecurityLevel) -> binder::Result<()> {
let _wp = wd::watch_millis("IRemoteProvisioning::generateKeyPair", 500);
map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok)
}
- fn getImplementationInfo(&self) -> binder::public_api::Result<Vec<ImplInfo>> {
+ fn getImplementationInfo(&self) -> binder::Result<Vec<ImplInfo>> {
let _wp = wd::watch_millis("IRemoteProvisioning::getSecurityLevels", 500);
map_or_log_err(self.get_implementation_info(), Ok)
}
- fn deleteAllKeys(&self) -> binder::public_api::Result<i64> {
+ fn deleteAllKeys(&self) -> binder::Result<i64> {
let _wp = wd::watch_millis("IRemoteProvisioning::deleteAllKeys", 500);
map_or_log_err(self.delete_all_keys(), Ok)
}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 31bf294..9334930 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -368,7 +368,7 @@
}
};
- let op_binder: binder::public_api::Strong<dyn IKeystoreOperation> =
+ let op_binder: binder::Strong<dyn IKeystoreOperation> =
KeystoreOperation::new_native_binder(operation)
.as_binder()
.into_interface()
@@ -985,7 +985,7 @@
key: &KeyDescriptor,
operation_parameters: &[KeyParameter],
forced: bool,
- ) -> binder::public_api::Result<CreateOperationResponse> {
+ ) -> binder::Result<CreateOperationResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::createOperation", 500);
map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
}
@@ -996,7 +996,7 @@
params: &[KeyParameter],
flags: i32,
entropy: &[u8],
- ) -> binder::public_api::Result<KeyMetadata> {
+ ) -> binder::Result<KeyMetadata> {
// Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more
// time than other operations
let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000);
@@ -1012,7 +1012,7 @@
params: &[KeyParameter],
flags: i32,
key_data: &[u8],
- ) -> binder::public_api::Result<KeyMetadata> {
+ ) -> binder::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importKey", 500);
let result = self.import_key(key, attestation_key, params, flags, key_data);
log_key_creation_event_stats(self.security_level, params, &result);
@@ -1026,7 +1026,7 @@
masking_key: Option<&[u8]>,
params: &[KeyParameter],
authenticators: &[AuthenticatorSpec],
- ) -> binder::public_api::Result<KeyMetadata> {
+ ) -> binder::Result<KeyMetadata> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::importWrappedKey", 500);
let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
@@ -1037,11 +1037,11 @@
fn convertStorageKeyToEphemeral(
&self,
storage_key: &KeyDescriptor,
- ) -> binder::public_api::Result<EphemeralStorageKeyResponse> {
+ ) -> binder::Result<EphemeralStorageKeyResponse> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::convertStorageKeyToEphemeral", 500);
map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
}
- fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
+ fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
let _wp = self.watch_millis("IKeystoreSecurityLevel::deleteKey", 500);
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index 13723f0..2725dc2 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -341,13 +341,13 @@
fn getSecurityLevel(
&self,
security_level: SecurityLevel,
- ) -> binder::public_api::Result<Strong<dyn IKeystoreSecurityLevel>> {
+ ) -> binder::Result<Strong<dyn IKeystoreSecurityLevel>> {
let _wp = wd::watch_millis_with("IKeystoreService::getSecurityLevel", 500, move || {
format!("security_level: {}", security_level.0)
});
map_or_log_err(self.get_security_level(security_level), Ok)
}
- fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
+ fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::Result<KeyEntryResponse> {
let _wp = wd::watch_millis("IKeystoreService::get_key_entry", 500);
map_or_log_err(self.get_key_entry(key), Ok)
}
@@ -356,19 +356,15 @@
key: &KeyDescriptor,
public_cert: Option<&[u8]>,
certificate_chain: Option<&[u8]>,
- ) -> binder::public_api::Result<()> {
+ ) -> binder::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::updateSubcomponent", 500);
map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
}
- fn listEntries(
- &self,
- domain: Domain,
- namespace: i64,
- ) -> binder::public_api::Result<Vec<KeyDescriptor>> {
+ fn listEntries(&self, domain: Domain, namespace: i64) -> binder::Result<Vec<KeyDescriptor>> {
let _wp = wd::watch_millis("IKeystoreService::listEntries", 500);
map_or_log_err(self.list_entries(domain, namespace), Ok)
}
- fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
+ fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::deleteKey", 500);
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
@@ -379,11 +375,11 @@
key: &KeyDescriptor,
grantee_uid: i32,
access_vector: i32,
- ) -> binder::public_api::Result<KeyDescriptor> {
+ ) -> binder::Result<KeyDescriptor> {
let _wp = wd::watch_millis("IKeystoreService::grant", 500);
map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
}
- fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
+ fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::Result<()> {
let _wp = wd::watch_millis("IKeystoreService::ungrant", 500);
map_or_log_err(self.ungrant(key, grantee_uid), Ok)
}