Snap for 4778776 from 41705f271e14558e66125fed4b9b9510fd475fd8 to pi-release
Change-Id: I0864a9b4be3bef4977d4c129bc53a634f0208d1d
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 87dccaf..191811a 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -64,6 +64,8 @@
constexpr size_t kMaxOperations = 15;
constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
const char* kTimestampFilePath = "timestamp";
+const int ID_ATTESTATION_REQUEST_GENERIC_INFO = 1 << 0;
+const int ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID = 1 << 1;
struct BIGNUM_Delete {
void operator()(BIGNUM* p) const { BN_free(p); }
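Review bot: The two new flag constants at the top of the hunk are declared `const int` while the neighbouring constants `kMaxOperations` and `kIdRotationPeriod` are `constexpr`; matching them with `constexpr int ID_ATTESTATION_REQUEST_GENERIC_INFO = 1 << 0;` and `constexpr int ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID = 1 << 1;` keeps the block consistent. A short comment such as `// Bit flags OR-ed into the value returned by isDeviceIdAttestationRequested().` would also help, since the names alone read like enumerators rather than a mask.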
@@ -1551,24 +1553,28 @@
return Status::ok();
}
-bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
+int isDeviceIdAttestationRequested(const KeymasterArguments& params) {
const hardware::hidl_vec<KeyParameter> paramsVec = params.getParameters();
+ int result = 0;
for (size_t i = 0; i < paramsVec.size(); ++i) {
switch (paramsVec[i].tag) {
case Tag::ATTESTATION_ID_BRAND:
case Tag::ATTESTATION_ID_DEVICE:
- case Tag::ATTESTATION_ID_IMEI:
case Tag::ATTESTATION_ID_MANUFACTURER:
- case Tag::ATTESTATION_ID_MEID:
case Tag::ATTESTATION_ID_MODEL:
case Tag::ATTESTATION_ID_PRODUCT:
- case Tag::ATTESTATION_ID_SERIAL:
- return true;
- default:
+ result |= ID_ATTESTATION_REQUEST_GENERIC_INFO;
break;
+ case Tag::ATTESTATION_ID_IMEI:
+ case Tag::ATTESTATION_ID_MEID:
+ case Tag::ATTESTATION_ID_SERIAL:
+ result |= ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
+ break;
+ default:
+ continue;
}
}
- return false;
+ return result;
}
Status KeyStoreService::attestKey(const String16& name, const KeymasterArguments& params,
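Review bot: The switch in the middle of the hunk classifies an explicit list of attestation-ID tags, and any other Tag::ATTESTATION_ID_* value falls into `default` and contributes nothing to the result, so a tag added later would not be subject to the caller-UID check in attestKey unless someone remembers to list it here. A comment above the switch should state that contract, e.g. `// Every ATTESTATION_ID_* tag must be classified here; an unlisted tag is not gated by the UID check in attestKey().`. The function also keeps its `is...` name while now returning an int bitmask, so a header comment like `// Returns a bitmask of ID_ATTESTATION_REQUEST_* flags for the attestation-ID tags present in params, or 0 if none.` would document the new return value. `default: continue;` behaves the same as `break` because the switch is the last statement in the loop; `break` is the conventional form and avoids suggesting something is skipped.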
@@ -1582,9 +1588,15 @@
uid_t callingUid = IPCThreadState::self()->getCallingUid();
- if (isDeviceIdAttestationRequested(params) && (callingUid != AID_SYSTEM)) {
- // Only the system context may request Device ID attestation combined with key attestation.
- // Otherwise, There is a dedicated attestDeviceIds() method for device ID attestation.
+ int needsIdAttestation = isDeviceIdAttestationRequested(params);
+ bool needsUniqueIdAttestation = needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
+ bool isPrimaryUserSystemUid = (callingUid == AID_SYSTEM);
+ bool isSomeUserSystemUid = (get_app_id(callingUid) == AID_SYSTEM);
+ // Allow system context from any user to request attestation with basic device information,
+ // while only allow system context from user 0 (device owner) to request attestation with
+ // unique device ID.
+ if ((needsIdAttestation && !isSomeUserSystemUid) ||
+ (needsUniqueIdAttestation && !isPrimaryUserSystemUid)) {
*aidl_return = static_cast<int32_t>(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
return Status::ok();
}
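Review bot: `bool needsUniqueIdAttestation = needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;` relies on an implicit int-to-bool conversion of a masked value; writing `bool needsUniqueIdAttestation = (needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID) != 0;` states the intent and avoids a narrowing warning. The replaced comment also dropped the pointer to attestDeviceIds() as the dedicated path for device-ID attestation; keeping a sentence such as `// Callers that are not the system context must use the dedicated attestDeviceIds() method.` next to the new policy comment preserves that guidance for readers of the rejection branch. The enclosing attestKey() begins before and continues after this hunk.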
diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp
index 58f0733..82d4e69 100644
--- a/keystore/keystore_main.cpp
+++ b/keystore/keystore_main.cpp
@@ -108,61 +108,12 @@
return result;
}
-void performHmacKeyHandshake(std::initializer_list<const sp<Keymaster>> keymasters) {
- hidl_vec<HmacSharingParameters> hmacSharingParams(keymasters.size());
- int index = 0;
- for (const auto& km : keymasters) {
- if (!km) continue;
- ErrorCode ec = ErrorCode::OK;
- auto rc =
- km->getHmacSharingParameters([&](ErrorCode error, const HmacSharingParameters& params) {
- ec = error;
- if (error == ErrorCode::OK) hmacSharingParams[index] = params;
- });
- CHECK(rc.isOk()) << "Communication error while calling getHmacSharingParameters on"
- " Keymaster with index: "
- << index;
- CHECK(ec == ErrorCode::OK) << "Failed to get HmacSharingParameters from Keymaster "
- << km->halVersion().keymasterName << " at index: " << index;
- ++index;
- }
- hmacSharingParams.resize(index);
- hidl_vec<uint8_t> sharingCheck;
- index = 0;
- for (const auto& km : keymasters) {
- if (!km) continue;
- ErrorCode ec = ErrorCode::OK;
- auto rc = km->computeSharedHmac(
- hmacSharingParams, [&](ErrorCode error, const hidl_vec<uint8_t>& sharingCheck_) {
- ec = error;
- if (error != ErrorCode::OK) return;
- if (index == 0) {
- sharingCheck = sharingCheck_;
- } else {
- CHECK(sharingCheck == sharingCheck_)
- << "Hmac Key computation failed (current index: " << index << ")";
- }
- });
- CHECK(rc.isOk()) << "Communication error while calling computeSharedHmac on"
- " Keymaster with index: "
- << index;
- CHECK(ec == ErrorCode::OK) << "Failed to compute shared hmac key from"
- " Keymaster with index: "
- << index;
- ++index;
- }
-}
-
KeymasterDevices initializeKeymasters() {
auto serviceManager = android::hidl::manager::V1_1::IServiceManager::getService();
CHECK(serviceManager.get()) << "Failed to get ServiceManager";
auto result = enumerateKeymasterDevices<Keymaster4>(serviceManager.get());
auto softKeymaster = result[SecurityLevel::SOFTWARE];
- if (result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
- // TODO(swillden): Put this back when StrongBox KM works. b/77533310
- // performHmacKeyHandshake(
- // {result[SecurityLevel::TRUSTED_ENVIRONMENT], result[SecurityLevel::STRONGBOX]});
- } else {
+ if (!result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
result = enumerateKeymasterDevices<Keymaster3>(serviceManager.get());
}
if (softKeymaster) result[SecurityLevel::SOFTWARE] = softKeymaster;
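Review bot: Removing the commented-out call deletes the only reference to b/77533310, so the simplified `if (!result[SecurityLevel::TRUSTED_ENVIRONMENT])` no longer records that HMAC key sharing between the TEE and StrongBox Keymasters was still pending (assuming it still is; the hunk does not show the handshake moving elsewhere). If the handshake is meant to return, a one-line marker at that check, `// TODO: re-add the TEE/StrongBox HMAC sharing handshake once StrongBox KM works (b/77533310)`, keeps the intent visible now that performHmacKeyHandshake is gone. initializeKeymasters() continues past the end of the hunk.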