identity: Fix RKPD usage
Fixes:
- Revert to pre-RKPD behavior of getting an attestation key each time
a credential is created.
- Revert to pre-RKPD behavior of falling back to factory key.
- Check RKPD feature flag each time before calling into RKPD.
- Correct service name used to call into RKPD.
- Add another thread to handle async responses from RKPD.
- Switch to new RKPD build flag "remote_provisioning.enable_rkpd".
Bug: 261214100
Test: CtsIdentityTestCases
Change-Id: Idc11abb3c0e46de1a77609969e8539e9e96549d5
diff --git a/identity/Android.bp b/identity/Android.bp
index 7b81685..4f203e6 100644
--- a/identity/Android.bp
+++ b/identity/Android.bp
@@ -47,7 +47,7 @@
"android.hardware.identity-support-lib",
"android.hardware.keymaster@4.0",
"android.security.authorization-ndk",
- "android.security.remoteprovisioning-cpp",
+ "android.security.remoteprovisioning-cpp",
"libbase",
"libbinder",
"libbinder_ndk",
@@ -59,7 +59,6 @@
"libutils",
"libutilscallstack",
"libvintf",
- "server_configurable_flags",
],
static_libs: [
"android.hardware.security.rkp-V3-cpp",
diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp
index eb9bdb6..fea4df9 100644
--- a/identity/CredentialStore.cpp
+++ b/identity/CredentialStore.cpp
@@ -20,18 +20,19 @@
#include <optional>
#include <android-base/logging.h>
+#include <android-base/properties.h>
#include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h>
#include <android/hardware/security/keymint/RpcHardwareInfo.h>
#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h>
#include <android/security/remoteprovisioning/RemotelyProvisionedKey.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
-#include <server_configurable_flags/get_flags.h>
#include <vintf/VintfObject.h>
#include "Credential.h"
#include "CredentialData.h"
#include "CredentialStore.h"
+#include "RemotelyProvisionedKey.h"
#include "Session.h"
#include "Util.h"
#include "WritableCredential.h"
@@ -45,10 +46,8 @@
using ::android::security::rkp::IRemoteProvisioning;
bool useRkpd() {
- std::string useRkpdFlagValue = server_configurable_flags::GetServerConfigurableFlag(
- "remote_key_provisioning_native", "enable_rkpd",
- /*default_value=*/"false");
- return useRkpdFlagValue == "true";
+ return android::base::GetBoolProperty("remote_provisioning.enable_rkpd",
+ /*default_value=*/false);
}
} // namespace
@@ -70,31 +69,14 @@
LOG(ERROR) << "Error getting remotely provisioned component: " << status;
return false;
}
- useRkpd_ = useRkpd();
-
- if (useRkpd_) {
- uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
- auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
- if (!rpcKeyFuture) {
- LOG(ERROR) << "Error in getRpcKeyFuture()";
- return false;
- }
- rpcKeyFuture_ = std::move(*rpcKeyFuture);
- } else {
- keyPool_ = android::waitForService<IRemotelyProvisionedKeyPool>(
- IRemotelyProvisionedKeyPool::descriptor);
- if (!keyPool_) {
- LOG(ERROR) << "Error getting IRemotelyProvisionedKeyPool HAL with service name '"
- << IRemotelyProvisionedKeyPool::descriptor << "'";
- return false;
- }
- }
}
LOG(INFO) << "Connected to Identity Credential HAL with API version " << halApiVersion_
<< " and name '" << hwInfo_.credentialStoreName << "' authored by '"
<< hwInfo_.credentialStoreAuthorName << "' with chunk size " << hwInfo_.dataChunkSize
- << " and directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false");
+ << " directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false")
+ << " and remote key provisioning support "
+ << (hwInfo_.isRemoteKeyProvisioningSupported ? "enabled" : "disabled");
return true;
}
@@ -140,7 +122,9 @@
if (hwInfo_.isRemoteKeyProvisioningSupported) {
status = setRemotelyProvisionedAttestationKey(halWritableCredential.get());
if (!status.isOk()) {
- return halStatusToGenericError(status);
+ LOG(WARNING) << status.toString8()
+ << "\nUnable to fetch remotely provisioned attestation key, falling back "
+ << "to the factory-provisioned attestation key.";
}
}
@@ -205,13 +189,21 @@
std::vector<uint8_t> encodedCertChain;
Status status;
- if (useRkpd_) {
- if (rpcKeyFuture_.wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
+ if (useRkpd()) {
+ LOG(INFO) << "Fetching attestation key from RKPD";
+
+ uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
+ auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid);
+ if (!rpcKeyFuture) {
+ return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()");
+ }
+
+ if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) {
return Status::fromServiceSpecificError(
ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out");
}
- std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture_.get();
+ std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get();
if (!key) {
return Status::fromServiceSpecificError(
ERROR_GENERIC, "Failed to get remotely provisioned attestation key");
@@ -225,6 +217,16 @@
keyBlob = std::move(key->keyBlob);
encodedCertChain = std::move(key->encodedCertChain);
} else {
+ LOG(INFO) << "Fetching attestation key from remotely provisioned key pool.";
+
+ sp<IRemotelyProvisionedKeyPool> keyPool =
+ android::waitForService<IRemotelyProvisionedKeyPool>(
+ IRemotelyProvisionedKeyPool::descriptor);
+ if (!keyPool) {
+ return Status::fromServiceSpecificError(
+ ERROR_GENERIC, "Error getting IRemotelyProvisionedKeyPool HAL");
+ }
+
std::optional<std::string> rpcId = getRpcId(rpc_);
if (!rpcId) {
return Status::fromServiceSpecificError(
@@ -233,11 +235,9 @@
uid_t callingUid = android::IPCThreadState::self()->getCallingUid();
::android::security::remoteprovisioning::RemotelyProvisionedKey key;
- Status status = keyPool_->getAttestationKey(callingUid, *rpcId, &key);
+ Status status = keyPool->getAttestationKey(callingUid, *rpcId, &key);
if (!status.isOk()) {
- LOG(WARNING) << "Unable to fetch remotely provisioned attestation key, falling back "
- << "to the factory-provisioned attestation key.";
- return Status::ok();
+ return status;
}
keyBlob = std::move(key.keyBlob);
diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h
index 495841b..57c94e0 100644
--- a/identity/CredentialStore.h
+++ b/identity/CredentialStore.h
@@ -17,7 +17,6 @@
#ifndef SYSTEM_SECURITY_CREDENTIAL_STORE_H_
#define SYSTEM_SECURITY_CREDENTIAL_STORE_H_
-#include <future>
#include <string>
#include <vector>
@@ -26,8 +25,6 @@
#include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h>
#include <android/security/rkp/IRemoteProvisioning.h>
-#include "RemotelyProvisionedKey.h"
-
namespace android {
namespace security {
namespace identity {
@@ -80,10 +77,7 @@
HardwareInformation hwInfo_;
- bool useRkpd_;
sp<IRemotelyProvisionedComponent> rpc_;
- sp<IRemotelyProvisionedKeyPool> keyPool_;
- std::future<std::optional<RemotelyProvisionedKey>> rpcKeyFuture_;
};
} // namespace identity
diff --git a/identity/RemotelyProvisionedKey.cpp b/identity/RemotelyProvisionedKey.cpp
index 46a42f4..7e90d63 100644
--- a/identity/RemotelyProvisionedKey.cpp
+++ b/identity/RemotelyProvisionedKey.cpp
@@ -42,6 +42,8 @@
using ::android::security::rkp::IRemoteProvisioning;
using ::android::security::rkp::RemotelyProvisionedKey;
+constexpr const char* kRemoteProvisioningServiceName = "remote_provisioning";
+
std::optional<String16> findRpcNameById(std::string_view targetRpcId) {
auto deviceManifest = vintf::VintfObject::GetDeviceHalManifest();
auto instances = deviceManifest->getAidlInstances("android.hardware.security.keymint",
@@ -182,7 +184,7 @@
}
sp<IRemoteProvisioning> remoteProvisioning =
- android::waitForService<IRemoteProvisioning>(IRemoteProvisioning::descriptor);
+ android::waitForService<IRemoteProvisioning>(String16(kRemoteProvisioningServiceName));
if (!remoteProvisioning) {
LOG(ERROR) << "Failed to get IRemoteProvisioning HAL";
return std::nullopt;
diff --git a/identity/main.cpp b/identity/main.cpp
index 2559789..b3a41ec 100644
--- a/identity/main.cpp
+++ b/identity/main.cpp
@@ -23,6 +23,7 @@
#include <android-base/logging.h>
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
+#include <binder/ProcessState.h>
#include "CredentialStoreFactory.h"
@@ -32,6 +33,7 @@
using ::android::IPCThreadState;
using ::android::IServiceManager;
+using ::android::ProcessState;
using ::android::sp;
using ::android::String16;
using ::android::base::InitLogging;
@@ -53,8 +55,10 @@
CHECK(ret == ::android::OK) << "Couldn't register binder service";
LOG(INFO) << "Registered binder service";
- // Credstore is a single-threaded process. So devote the main thread
- // to handling binder messages.
+ // Credstore needs one thread to handle binder messages and one to handle
+ // asynchronous responses from RKPD.
+ ProcessState::self()->setThreadPoolMaxThreadCount(2);
+ ProcessState::self()->startThreadPool();
IPCThreadState::self()->joinThreadPool();
return 0;