Ability for KS2 to select remotely provisioned key
This patch adds the functionality needed by keystore2 in order to make
use of remotely provisioned attestation certificates, if they are
available. The code checks if an IRemotelyProvisionedComponent exists
for the given security level, and if the remote provisioning app has
been enabled to fetch keys for said instance before attempting to assign
these keys to apps.
If remote provisioning is not enabled for the given security level, the
code defaults back to passing None to allow the underlying KM instance
to choose its own factory provisioned attestation key. This is only
relevant in hybrid systems that take advantage of both factory key
provisioning and remote key provisioning.
Test: atest CtsKeystoreTestCases
Change-Id: I44586753afd3f4e63a76263145f1da9f8106af3d
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index b187d3b..aee3b82 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -18,7 +18,7 @@
use crate::globals::get_keymint_device;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- Algorithm::Algorithm, AttestationKey::AttestationKey,
+ Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice,
KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
@@ -32,10 +32,11 @@
KeyMetadata::KeyMetadata, KeyParameters::KeyParameters,
};
-use crate::database::{CertificateInfo, KeyIdGuard};
+use crate::database::{CertificateInfo, KeyIdGuard, KeystoreDB};
use crate::globals::{DB, ENFORCEMENTS, LEGACY_MIGRATOR, SUPER_KEY};
use crate::key_parameter::KeyParameter as KsKeyParam;
use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
+use crate::remote_provisioning::RemProvState;
use crate::super_key::{KeyBlob, SuperKeyManager};
use crate::utils::{check_key_permission, uid_to_android_user, Asp};
use crate::{
@@ -63,6 +64,7 @@
hw_info: KeyMintHardwareInfo,
km_uuid: Uuid,
operation_db: OperationDb,
+ rem_prov_state: RemProvState,
}
// Blob of 32 zeroes used as empty masking key.
@@ -88,6 +90,7 @@
hw_info,
km_uuid,
operation_db: OperationDb::new(),
+ rem_prov_state: RemProvState::new(security_level, km_uuid),
});
result.as_binder().set_requesting_sid(true);
Ok((result, km_uuid))
@@ -405,28 +408,56 @@
// generate_key requires the rebind permission.
check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
-
- let attest_key = match attest_key_descriptor {
- None => None,
- Some(key) => Some(
- self.get_attest_key(key, caller_uid)
- .context("In generate_key: Trying to load attest key")?,
- ),
- };
-
+ let (attest_key, cert_chain) = DB
+ .with::<_, Result<(Option<AttestationKey>, Option<Certificate>)>>(|db| {
+ self.get_attest_key_and_cert_chain(
+ &key,
+ caller_uid,
+ attest_key_descriptor,
+ params,
+ &mut db.borrow_mut(),
+ )
+ })
+ .context("In generate_key: Trying to get an attestation key")?;
let params = Self::add_certificate_parameters(caller_uid, params, &key)
.context("In generate_key: Trying to get aaid.")?;
let km_dev: Strong<dyn IKeyMintDevice> = self.keymint.get_interface()?;
map_km_error(km_dev.addRngEntropy(entropy))
.context("In generate_key: Trying to add entropy.")?;
- let creation_result = map_km_error(km_dev.generateKey(¶ms, attest_key.as_ref()))
+ let mut creation_result = map_km_error(km_dev.generateKey(¶ms, attest_key.as_ref()))
.context("In generate_key: While generating Key")?;
-
+ // The certificate chain ultimately gets flattened into a big DER encoded byte array,
+ // so providing that blob upfront in a single certificate entry should be fine.
+ if let Some(cert) = cert_chain {
+ creation_result.certificateChain.push(cert);
+ }
let user_id = uid_to_android_user(caller_uid);
self.store_new_key(key, creation_result, user_id, Some(flags)).context("In generate_key.")
}
+ fn get_attest_key_and_cert_chain(
+ &self,
+ key: &KeyDescriptor,
+ caller_uid: u32,
+ attest_key_descriptor: Option<&KeyDescriptor>,
+ params: &[KeyParameter],
+ db: &mut KeystoreDB,
+ ) -> Result<(Option<AttestationKey>, Option<Certificate>)> {
+ match attest_key_descriptor {
+ None => self
+ .rem_prov_state
+ .get_remote_provisioning_key_and_certs(&key, caller_uid, params, db),
+ Some(attest_key) => Ok((
+ Some(
+ self.get_attest_key(&attest_key, caller_uid)
+ .context("In generate_key: Trying to load attest key")?,
+ ),
+ None,
+ )),
+ }
+ }
+
fn get_attest_key(&self, key: &KeyDescriptor, caller_uid: u32) -> Result<AttestationKey> {
let (km_blob, cert) = self
.load_attest_key_blob_and_cert(&key, caller_uid)