Add SecurityLevel to key creation and operation logging.
This CL adds SecurityLevel to existing logging.
Test: android.keystore.cts.KeyGeneratorTest,
android.keystore.cts.RSACipherTest
Bug: 184301651
Merged-In: Ie61ba7392f0afca2790daebd7a1907a42c1eaed6
Change-Id: Ie61ba7392f0afca2790daebd7a1907a42c1eaed6
diff --git a/keystore2/src/metrics.rs b/keystore2/src/metrics.rs
index 9524cb2..c5dd582 100644
--- a/keystore2/src/metrics.rs
+++ b/keystore2/src/metrics.rs
@@ -20,14 +20,16 @@
Algorithm::Algorithm, BlockMode::BlockMode, Digest::Digest, EcCurve::EcCurve,
HardwareAuthenticatorType::HardwareAuthenticatorType, KeyOrigin::KeyOrigin,
KeyParameter::KeyParameter, KeyPurpose::KeyPurpose, PaddingMode::PaddingMode,
+ SecurityLevel::SecurityLevel,
};
use statslog_rust::keystore2_key_creation_event_reported::{
Algorithm as StatsdAlgorithm, EcCurve as StatsdEcCurve, KeyOrigin as StatsdKeyOrigin,
- Keystore2KeyCreationEventReported, UserAuthType as StatsdUserAuthType,
+ Keystore2KeyCreationEventReported, SecurityLevel as StatsdKeyCreationSecurityLevel,
+ UserAuthType as StatsdUserAuthType,
};
-
use statslog_rust::keystore2_key_operation_event_reported::{
Keystore2KeyOperationEventReported, Outcome as StatsdOutcome, Purpose as StatsdKeyPurpose,
+ SecurityLevel as StatsdKeyOperationSecurityLevel,
};
fn create_default_key_creation_atom() -> Keystore2KeyCreationEventReported {
@@ -52,6 +54,7 @@
// as per keystore2/ResponseCode.aidl, 1 is reserved for NO_ERROR
error_code: 1,
attestation_requested: false,
+ security_level: StatsdKeyCreationSecurityLevel::SecurityLevelUnspecified,
}
}
@@ -64,12 +67,18 @@
outcome: StatsdOutcome::OutcomeUnspecified,
error_code: 1,
key_upgraded: false,
+ security_level: StatsdKeyOperationSecurityLevel::SecurityLevelUnspecified,
}
}
/// Log key creation events via statsd API.
-pub fn log_key_creation_event_stats<U>(key_params: &[KeyParameter], result: &anyhow::Result<U>) {
- let key_creation_event_stats = construct_key_creation_event_stats(key_params, result);
+pub fn log_key_creation_event_stats<U>(
+ sec_level: SecurityLevel,
+ key_params: &[KeyParameter],
+ result: &anyhow::Result<U>,
+) {
+ let key_creation_event_stats =
+ construct_key_creation_event_stats(sec_level, key_params, result);
let logging_result = key_creation_event_stats.stats_write();
@@ -83,13 +92,19 @@
/// Log key operation events via statsd API.
pub fn log_key_operation_event_stats(
+ sec_level: SecurityLevel,
key_purpose: KeyPurpose,
op_params: &[KeyParameter],
op_outcome: &Outcome,
key_upgraded: bool,
) {
- let key_operation_event_stats =
- construct_key_operation_event_stats(key_purpose, op_params, op_outcome, key_upgraded);
+ let key_operation_event_stats = construct_key_operation_event_stats(
+ sec_level,
+ key_purpose,
+ op_params,
+ op_outcome,
+ key_upgraded,
+ );
let logging_result = key_operation_event_stats.stats_write();
@@ -102,6 +117,7 @@
}
fn construct_key_creation_event_stats<U>(
+ sec_level: SecurityLevel,
key_params: &[KeyParameter],
result: &anyhow::Result<U>,
) -> Keystore2KeyCreationEventReported {
@@ -111,6 +127,16 @@
key_creation_event_atom.error_code = get_error_code(e);
}
+ key_creation_event_atom.security_level = match sec_level {
+ SecurityLevel::SOFTWARE => StatsdKeyCreationSecurityLevel::SecurityLevelSoftware,
+ SecurityLevel::TRUSTED_ENVIRONMENT => {
+ StatsdKeyCreationSecurityLevel::SecurityLevelTrustedEnvironment
+ }
+ SecurityLevel::STRONGBOX => StatsdKeyCreationSecurityLevel::SecurityLevelStrongbox,
+ //KEYSTORE is not a valid variant here
+ _ => StatsdKeyCreationSecurityLevel::SecurityLevelUnspecified,
+ };
+
for key_param in key_params.iter().map(KsKeyParamValue::from) {
match key_param {
KsKeyParamValue::Algorithm(a) => {
@@ -183,6 +209,7 @@
}
fn construct_key_operation_event_stats(
+ sec_level: SecurityLevel,
key_purpose: KeyPurpose,
op_params: &[KeyParameter],
op_outcome: &Outcome,
@@ -190,6 +217,16 @@
) -> Keystore2KeyOperationEventReported {
let mut key_operation_event_atom = create_default_key_operation_atom();
+ key_operation_event_atom.security_level = match sec_level {
+ SecurityLevel::SOFTWARE => StatsdKeyOperationSecurityLevel::SecurityLevelSoftware,
+ SecurityLevel::TRUSTED_ENVIRONMENT => {
+ StatsdKeyOperationSecurityLevel::SecurityLevelTrustedEnvironment
+ }
+ SecurityLevel::STRONGBOX => StatsdKeyOperationSecurityLevel::SecurityLevelStrongbox,
+ //KEYSTORE is not a valid variant here
+ _ => StatsdKeyOperationSecurityLevel::SecurityLevelUnspecified,
+ };
+
key_operation_event_atom.key_upgraded = key_upgraded;
key_operation_event_atom.purpose = match key_purpose {
diff --git a/keystore2/src/operation.rs b/keystore2/src/operation.rs
index f71577b..c2539a7 100644
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@@ -131,6 +131,7 @@
use crate::utils::Asp;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
IKeyMintOperation::IKeyMintOperation, KeyParameter::KeyParameter, KeyPurpose::KeyPurpose,
+ SecurityLevel::SecurityLevel,
};
use android_system_keystore2::aidl::android::system::keystore2::{
IKeystoreOperation::BnKeystoreOperation, IKeystoreOperation::IKeystoreOperation,
@@ -181,6 +182,7 @@
/// Keeps track of the information required for logging operations.
#[derive(Debug)]
pub struct LoggingInfo {
+ sec_level: SecurityLevel,
purpose: KeyPurpose,
op_params: Vec<KeyParameter>,
key_upgraded: bool,
@@ -189,11 +191,12 @@
impl LoggingInfo {
/// Constructor
pub fn new(
+ sec_level: SecurityLevel,
purpose: KeyPurpose,
op_params: Vec<KeyParameter>,
key_upgraded: bool,
) -> LoggingInfo {
- Self { purpose, op_params, key_upgraded }
+ Self { sec_level, purpose, op_params, key_upgraded }
}
}
@@ -468,6 +471,7 @@
fn drop(&mut self) {
let guard = self.outcome.lock().expect("In drop.");
log_key_operation_event_stats(
+ self.logging_info.sec_level,
self.logging_info.purpose,
&(self.logging_info.op_params),
&guard,
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index ec6c4d7..20f7226 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -326,7 +326,8 @@
let operation = match begin_result.operation {
Some(km_op) => {
self.operation_db.create_operation(km_op, caller_uid, auth_info, forced,
- LoggingInfo::new(purpose, op_params, upgraded_blob.is_some()))
+ LoggingInfo::new(self.security_level, purpose, op_params,
+ upgraded_blob.is_some()))
},
None => return Err(Error::sys()).context("In create_operation: Begin operation returned successfully, but did not return a valid operation."),
};
@@ -832,7 +833,7 @@
entropy: &[u8],
) -> binder::public_api::Result<KeyMetadata> {
let result = self.generate_key(key, attestation_key, params, flags, entropy);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn importKey(
@@ -844,7 +845,7 @@
key_data: &[u8],
) -> binder::public_api::Result<KeyMetadata> {
let result = self.import_key(key, attestation_key, params, flags, key_data);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn importWrappedKey(
@@ -857,7 +858,7 @@
) -> binder::public_api::Result<KeyMetadata> {
let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
- log_key_creation_event_stats(params, &result);
+ log_key_creation_event_stats(self.security_level, params, &result);
map_or_log_err(result, Ok)
}
fn convertStorageKeyToEphemeral(