commit 7bf871492387130b972831fdbe10ea7118c13930
author David Zeuthen <zeuthen@google.com> Thu May 28 23:36:11 2020 +0000
committer Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> Thu May 28 23:36:11 2020 +0000
tree 9e5c10cbf3015c0d83188bdfa4ada79f7841b7d5
parent 5927822d8802570ba35a8bdbd391bcf9ce0b192b
parent f635cf0e311bfcc1f24aa1465af142ada57a4e64

[automerger skipped] keystore: Pass verification token to credstore along with requested auth token. am: f635cf0e31 -s ours

am skip reason: Change-Id Id6cb6812a31d968069b7d72bd2b39b512d38d241 with SHA-1 59102f388f is in history

Change-Id: I7f6ad31f47584db99969896edeb6d0a09b351dc4

METADATA

diff --git a/METADATA b/METADATA
new file mode 100644
index 0000000..d97975c
--- /dev/null
+++ b/METADATA
@@ -0,0 +1,3 @@
+third_party {
+  license_type: NOTICE
+}

fsverity_init/fsverity_init.cpp

diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
index e2a8bf7..4ed25cd 100644
--- a/fsverity_init/fsverity_init.cpp
+++ b/fsverity_init/fsverity_init.cpp
@@ -37,10 +37,8 @@
     return true;
 }
 
-void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
-    const char* dir = "/product/etc/security/fsverity";
+void LoadKeyFromDirectory(key_serial_t keyring_id, const char* keyname, const char* dir) {
     if (!std::filesystem::exists(dir)) {
-        LOG(ERROR) << "no such dir: " << dir;
         return;
     }
     for (const auto& entry : std::filesystem::directory_iterator(dir)) {
@@ -49,12 +47,19 @@
         if (!android::base::ReadFileToString(entry.path(), &content)) {
             continue;
         }
-        if (!LoadKeyToKeyring(keyring_id, "fsv_system", content.c_str(), content.size())) {
+        if (!LoadKeyToKeyring(keyring_id, keyname, content.c_str(), content.size())) {
             LOG(ERROR) << "Failed to load key from " << entry.path();
         }
     }
 }
 
+void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
+    // NB: Directories need to be synced with FileIntegrityService.java in
+    // frameworks/base.
+    LoadKeyFromDirectory(keyring_id, "fsv_system", "/system/etc/security/fsverity");
+    LoadKeyFromDirectory(keyring_id, "fsv_product", "/product/etc/security/fsverity");
+}
+
 int main(int /*argc*/, const char** /*argv*/) {
     key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
     if (keyring_id < 0) {

keystore/key_store_service.cpp

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index cdc0d64..583f5b6 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1001,21 +1001,102 @@
     return Status::ok();
 }
 
+bool isDeviceIdAttestationTag(Tag tag) {
+    switch (tag) {
+    case Tag::ATTESTATION_ID_BRAND:
+    case Tag::ATTESTATION_ID_DEVICE:
+    case Tag::ATTESTATION_ID_MANUFACTURER:
+    case Tag::ATTESTATION_ID_MODEL:
+    case Tag::ATTESTATION_ID_PRODUCT:
+    case Tag::ATTESTATION_ID_IMEI:
+    case Tag::ATTESTATION_ID_MEID:
+    case Tag::ATTESTATION_ID_SERIAL:
+        return true;
+    case Tag::INVALID:
+    case Tag::PURPOSE:
+    case Tag::ALGORITHM:
+    case Tag::KEY_SIZE:
+    case Tag::BLOCK_MODE:
+    case Tag::DIGEST:
+    case Tag::PADDING:
+    case Tag::CALLER_NONCE:
+    case Tag::MIN_MAC_LENGTH:
+    case Tag::EC_CURVE:
+    case Tag::RSA_PUBLIC_EXPONENT:
+    case Tag::INCLUDE_UNIQUE_ID:
+    case Tag::BLOB_USAGE_REQUIREMENTS:
+    case Tag::BOOTLOADER_ONLY:
+    case Tag::ROLLBACK_RESISTANCE:
+    case Tag::HARDWARE_TYPE:
+    case Tag::ACTIVE_DATETIME:
+    case Tag::ORIGINATION_EXPIRE_DATETIME:
+    case Tag::USAGE_EXPIRE_DATETIME:
+    case Tag::MIN_SECONDS_BETWEEN_OPS:
+    case Tag::MAX_USES_PER_BOOT:
+    case Tag::USER_ID:
+    case Tag::USER_SECURE_ID:
+    case Tag::NO_AUTH_REQUIRED:
+    case Tag::USER_AUTH_TYPE:
+    case Tag::AUTH_TIMEOUT:
+    case Tag::ALLOW_WHILE_ON_BODY:
+    case Tag::TRUSTED_USER_PRESENCE_REQUIRED:
+    case Tag::TRUSTED_CONFIRMATION_REQUIRED:
+    case Tag::UNLOCKED_DEVICE_REQUIRED:
+    case Tag::APPLICATION_ID:
+    case Tag::APPLICATION_DATA:
+    case Tag::CREATION_DATETIME:
+    case Tag::ORIGIN:
+    case Tag::ROOT_OF_TRUST:
+    case Tag::OS_VERSION:
+    case Tag::OS_PATCHLEVEL:
+    case Tag::UNIQUE_ID:
+    case Tag::ATTESTATION_CHALLENGE:
+    case Tag::ATTESTATION_APPLICATION_ID:
+    case Tag::VENDOR_PATCHLEVEL:
+    case Tag::BOOT_PATCHLEVEL:
+    case Tag::ASSOCIATED_DATA:
+    case Tag::NONCE:
+    case Tag::MAC_LENGTH:
+    case Tag::RESET_SINCE_ID_ROTATION:
+    case Tag::CONFIRMATION_TOKEN:
+        return false;
+        // no default, all values must be present in the switch, in this way the compiler ensures
+        // that new values added in the Tag enum are also added here.
+    }
+}
+
+// These are attestation id tags that are not unique per device and don't require special permission
+// to be attested. Any addition to this list needs privacy review and approval (PWG).
+bool isDevicePropertyAttestationTag(Tag tag) {
+    switch (tag) {
+    case Tag::ATTESTATION_ID_BRAND:
+    case Tag::ATTESTATION_ID_DEVICE:
+    case Tag::ATTESTATION_ID_MANUFACTURER:
+    case Tag::ATTESTATION_ID_MODEL:
+    case Tag::ATTESTATION_ID_PRODUCT:
+        return true;
+    default:
+        return false;
+    }
+}
+
 bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
     const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
     for (size_t i = 0; i < paramsVec.size(); ++i) {
-        switch (paramsVec[i].tag) {
-        case Tag::ATTESTATION_ID_BRAND:
-        case Tag::ATTESTATION_ID_DEVICE:
-        case Tag::ATTESTATION_ID_MANUFACTURER:
-        case Tag::ATTESTATION_ID_MODEL:
-        case Tag::ATTESTATION_ID_PRODUCT:
-        case Tag::ATTESTATION_ID_IMEI:
-        case Tag::ATTESTATION_ID_MEID:
-        case Tag::ATTESTATION_ID_SERIAL:
+        if (isDeviceIdAttestationTag(paramsVec[i].tag)) {
             return true;
-        default:
-            continue;
+        }
+    }
+    return false;
+}
+
+// Device properties can be attested safely without special permission
+bool needsPermissionToAttestDeviceIds(const KeymasterArguments& params) {
+    const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
+    for (size_t i = 0; i < paramsVec.size(); ++i) {
+        if (isDeviceIdAttestationTag(paramsVec[i].tag) &&
+            !isDevicePropertyAttestationTag(paramsVec[i].tag)) {
+            return true;
         }
     }
     return false;
@@ -1031,7 +1112,7 @@
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
 
-    if (isDeviceIdAttestationRequested(params) && (get_app_id(callingUid) != AID_SYSTEM)) {
+    if (needsPermissionToAttestDeviceIds(params) && (get_app_id(callingUid) != AID_SYSTEM)) {
         return AIDL_RETURN(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
     }
 
@@ -1095,14 +1176,19 @@
     }
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
-    sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
-    if (binder == nullptr) {
-        return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
-    }
-    if (!interface_cast<IPermissionController>(binder)->checkPermission(
-            String16("android.permission.READ_PRIVILEGED_PHONE_STATE"),
-            IPCThreadState::self()->getCallingPid(), callingUid)) {
-        return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
+
+    // Request special permission only for unique ids
+    if (needsPermissionToAttestDeviceIds(params)) {
+        sp<IBinder> binder = defaultServiceManager()->getService(String16("permission"));
+        if (binder == nullptr) {
+            return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
+        }
+
+        if (!interface_cast<IPermissionController>(binder)->checkPermission(
+                String16("android.permission.READ_PRIVILEGED_PHONE_STATE"),
+                IPCThreadState::self()->getCallingPid(), callingUid)) {
+            return AIDL_RETURN(ErrorCode::CANNOT_ATTEST_IDS);
+        }
     }
 
     AuthorizationSet mutableParams = params.getParameters();