Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 8e93d2be1e6e75b4afee87a3ca772d9d25dc63f1^! / . / keystore2 / src / security_level.rs
commit8e93d2be1e6e75b4afee87a3ca772d9d25dc63f1[log] [tgz]
authorMax Bires <jbires@google.com>Thu Jan 14 13:17:59 2021 -0800
committerJanis Danisevskis <jdanis@google.com>Tue Feb 02 14:27:17 2021 -0800
tree4951f06f66f8e5189551ede26b5d4f7198ee6c9e
parent660cedaaea798930802835e0803c9f51b889b2da [diff] [blame]
Keystore 2.0: Adding uuid field to persistent.keyentry

This change adds a uuid field to map keys to KM devices to the keyentry
table. For now, the security level reported by the KeyMint instance's
hardware info is uased as uuid until the hardware info returns an
actual uuid. This security level may differ from the security level
requested by keystore clients in some situations, e.g., when running a
pure software implementation or on chrome os.

Test: atest keystore2_test
Change-Id: I4b9556804eb6a435ac48d5929fc238e22c23d94d

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 994b2c8..f6d8108 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs

@@ -16,12 +16,12 @@
 
 //! This crate implements the IKeystoreSecurityLevel interface.
 
-use crate::gc::Gc;
+use crate::{database::Uuid, gc::Gc, globals::get_keymint_device};
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, HardwareAuthenticatorType::HardwareAuthenticatorType,
     IKeyMintDevice::IKeyMintDevice, KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
-    KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
-    Tag::Tag,
+    KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
+    KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
 };
 use android_system_keystore2::aidl::android::system::keystore2::{
     AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
@@ -35,7 +35,10 @@
 use crate::key_parameter::KeyParameter as KsKeyParam;
 use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
 use crate::utils::{check_key_permission, uid_to_android_user, Asp};
-use crate::{database::KeyIdGuard, globals::DB};
+use crate::{
+    database::{CertificateInfo, KeyIdGuard},
+    globals::DB,
+};
 use crate::{
     database::{DateTime, KeyMetaData, KeyMetaEntry, KeyType},
     permission::KeyPerm,
@@ -56,6 +59,9 @@
 pub struct KeystoreSecurityLevel {
     security_level: SecurityLevel,
     keymint: Asp,
+    #[allow(dead_code)]
+    hw_info: KeyMintHardwareInfo,
+    km_uuid: Uuid,
     operation_db: OperationDb,
 }
 
@@ -69,15 +75,18 @@
     /// we need it for checking keystore permissions.
     pub fn new_native_binder(
         security_level: SecurityLevel,
-    ) -> Result<impl IKeystoreSecurityLevel + Send> {
+    ) -> Result<(impl IKeystoreSecurityLevel + Send, Uuid)> {
+        let (dev, hw_info, km_uuid) = get_keymint_device(&security_level)
+            .context("In KeystoreSecurityLevel::new_native_binder.")?;
         let result = BnKeystoreSecurityLevel::new_binder(Self {
             security_level,
-            keymint: crate::globals::get_keymint_device(security_level)
-                .context("In KeystoreSecurityLevel::new_native_binder.")?,
+            keymint: dev,
+            hw_info,
+            km_uuid,
             operation_db: OperationDb::new(),
         });
         result.as_binder().set_requesting_sid(true);
-        Ok(result)
+        Ok((result, km_uuid))
     }
 
     fn store_new_key(
@@ -92,7 +101,7 @@
             certificateChain: mut certificate_chain,
         } = creation_result;
 
-        let (cert, cert_chain): (Option<Vec<u8>>, Option<Vec<u8>>) = (
+        let mut cert_info: CertificateInfo = CertificateInfo::new(
             match certificate_chain.len() {
                 0 => None,
                 _ => Some(certificate_chain.remove(0).encodedCertificate),
@@ -134,9 +143,9 @@
                             key,
                             &key_parameters,
                             &key_blob,
-                            cert.as_deref(),
-                            cert_chain.as_deref(),
+                            &cert_info,
                             &metadata,
+                            &self.km_uuid,
                         )
                         .context("In store_new_key.")?;
                     if need_gc {
@@ -154,8 +163,8 @@
         Ok(KeyMetadata {
             key,
             keySecurityLevel: self.security_level,
-            certificate: cert,
-            certificateChain: cert_chain,
+            certificate: cert_info.take_cert(),
+            certificateChain: cert_info.take_cert_chain(),
             authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
             modificationTimeMs: creation_date.to_millis_epoch(),
         })