Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 92648b6a812d6bfaaf265b37e85e9e4087adc374^! / . / keystore2 / src / keystore2_main.rs
commit92648b6a812d6bfaaf265b37e85e9e4087adc374[log] [tgz]
authorSeth Moore <sethmo@google.com>Wed Feb 02 13:26:18 2022 -0800
committerSeth Moore <sethmo@google.com>Wed Feb 02 16:17:05 2022 -0800
tree7c6820d33271ddc9e338f25c53e5ca7951ee9d13
parent2f31252e4c1f6f1ede8e898f80ca2ea18bcee215 [diff] [blame]
Refactor RKP key pool in keystore

Split the IRemotelyProvisionedKeyPool binder implementation to its own
struct, as we cannot have two rust objects backing the same native
binder.

Test: keystore2_test
Test: keystore2_test --ignored
Bug: 194696876
Change-Id: I188bc2e2daf277f4a3543c7ec8320002d57f60ba

diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index abab4b6..bea5f08 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs

@@ -19,7 +19,9 @@
 use keystore2::maintenance::Maintenance;
 use keystore2::metrics::Metrics;
 use keystore2::metrics_store;
-use keystore2::remote_provisioning::RemoteProvisioningService;
+use keystore2::remote_provisioning::{
+    RemoteProvisioningService, RemotelyProvisionedKeyPoolService,
+};
 use keystore2::service::KeystoreService;
 use keystore2::{apc::ApcManager, shared_secret_negotiation};
 use keystore2::{authorization::AuthorizationManager, id_rotation::IdRotationState};
@@ -33,6 +35,8 @@
 static AUTHORIZATION_SERVICE_NAME: &str = "android.security.authorization";
 static METRICS_SERVICE_NAME: &str = "android.security.metrics";
 static REMOTE_PROVISIONING_SERVICE_NAME: &str = "android.security.remoteprovisioning";
+static REMOTELY_PROVISIONED_KEY_POOL_SERVICE_NAME: &str =
+    "android.security.remoteprovisioning.IRemotelyProvisionedKeyPool";
 static USER_MANAGER_SERVICE_NAME: &str = "android.security.maintenance";
 static LEGACY_KEYSTORE_SERVICE_NAME: &str = "android.security.legacykeystore";
 
@@ -145,6 +149,22 @@
         });
     }
 
+    // Even if the IRemotelyProvisionedComponent HAL is implemented, it doesn't mean that the keys
+    // may be fetched via the key pool. The HAL must be a new version that exports a unique id. If
+    // none of the HALs support this, then the key pool service is not published.
+    if let Ok(key_pool_service) = RemotelyProvisionedKeyPoolService::new_native_binder() {
+        binder::add_service(
+            REMOTELY_PROVISIONED_KEY_POOL_SERVICE_NAME,
+            key_pool_service.as_binder(),
+        )
+        .unwrap_or_else(|e| {
+            panic!(
+                "Failed to register service {} because of {:?}.",
+                REMOTELY_PROVISIONED_KEY_POOL_SERVICE_NAME, e
+            );
+        });
+    }
+
     binder::add_service(LEGACY_KEYSTORE_SERVICE_NAME, legacykeystore.as_binder()).unwrap_or_else(
         |e| {
             panic!(