Merge "Rewrite fsverity_init in C++ and load keys from keystore"
diff --git a/keystore-engine/Android.bp b/keystore-engine/Android.bp
index 60f5940..6512c66 100644
--- a/keystore-engine/Android.bp
+++ b/keystore-engine/Android.bp
@@ -63,7 +63,6 @@
"libcrypto",
"liblog",
"libhidlbase",
- "libhidltransport",
"libcutils",
"libutils",
],
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 356ac1b..93c537e 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -62,8 +62,6 @@
"libcutils",
"libhardware",
"libhidlbase",
- "libhidltransport",
- "libhwbinder",
"libkeymaster4support",
"libkeymaster_messages",
"libkeymaster_portable",
@@ -110,7 +108,6 @@
"libcrypto",
"libcutils",
"libhidlbase",
- "libhwbinder",
"libkeystore_aidl", // for IKeyStoreService.asInterface()
"libkeystore_binder",
"libkeystore_parcelables",
@@ -135,7 +132,6 @@
"libchrome",
"libutils",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
"libkeystore_aidl",
"libkeystore_binder",
@@ -163,7 +159,6 @@
"libbinder",
"libhardware",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
"liblog",
"libprotobuf-cpp-lite",
@@ -173,7 +168,6 @@
"android.hardware.keymaster@4.0",
"libbinder",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
],
}
@@ -192,7 +186,6 @@
"android.hardware.keymaster@4.0",
"libbinder",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
"libkeystore_aidl",
"libkeystore_parcelables",
@@ -214,7 +207,6 @@
"android.hardware.keymaster@4.0",
"libbinder",
"libhidlbase",
- "libhwbinder",
"libkeystore_aidl",
"libkeystore_parcelables",
],
@@ -230,7 +222,6 @@
"android.system.wifi.keystore@1.0",
"libbase",
"libhidlbase",
- "libhidltransport",
"liblog",
"libutils",
],
@@ -261,7 +252,6 @@
"libbinder",
"libcrypto",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
"libutils",
"libkeystore_aidl",
@@ -270,7 +260,6 @@
export_shared_lib_headers: [
"android.hardware.keymaster@4.0",
"libhidlbase",
- "libhwbinder",
"libkeymaster4support",
],
@@ -308,8 +297,6 @@
"libcutils",
"libhardware",
"libhidlbase",
- "libhidltransport",
- "libhwbinder",
"libkeystore_parcelables",
"liblog",
"libselinux",
diff --git a/keystore/KeyStore.h b/keystore/KeyStore.h
index 69a02ae..a7fbab4 100644
--- a/keystore/KeyStore.h
+++ b/keystore/KeyStore.h
@@ -143,6 +143,23 @@
KeystoreKeymasterEnforcement& getEnforcementPolicy() { return mEnforcementPolicy; }
ConfirmationManager& getConfirmationManager() { return *mConfirmationManager; }
+ void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) {
+ std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+ operationDeviceMap_.emplace(std::move(token), std::move(dev));
+ }
+ std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) {
+ std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+ auto it = operationDeviceMap_.find(token);
+ if (it != operationDeviceMap_.end()) {
+ return it->second;
+ }
+ return {};
+ }
+ void removeOperationDevice(const sp<IBinder>& token) {
+ std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+ operationDeviceMap_.erase(token);
+ }
+
private:
static const char* kOldMasterKey;
static const char* kMetaDataFile;
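Review bot: The three operation-device accessors that this hunk adds to KeyStore's public interface carry no statement of the lifetime contract they impose: every addOperationDevice() must be paired with a removeOperationDevice() once the operation finishes, is aborted or is pruned, otherwise the entry pins both the sp<IBinder> token and a shared_ptr to the worker for the life of the service. A comment above addOperationDevice such as `// Records which KeymasterWorker owns the in-flight operation identified by |token|.` `// Callers must call removeOperationDevice() once the operation has finished, been aborted or been pruned.` would make that visible to the new callers in KeymasterWorker. Note also that std::map::emplace keeps an existing mapping if the same token is added twice; that appears harmless because a token stays alive while it sits in the map, but insert_or_assign would state the intent if replacement is ever expected.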
@@ -173,6 +190,9 @@
void writeMetaData();
bool upgradeKeystore();
+
+ std::mutex operationDeviceMapMutex_;
+ std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_;
};
} // namespace keystore
diff --git a/keystore/include/keystore/keystore_client.h b/keystore/include/keystore/keystore_client.h
index d6a4807..d8e63c4 100644
--- a/keystore/include/keystore/keystore_client.h
+++ b/keystore/include/keystore/keystore_client.h
@@ -15,6 +15,8 @@
#ifndef KEYSTORE_KEYSTORE_CLIENT_H_
#define KEYSTORE_KEYSTORE_CLIENT_H_
+#include <memory>
+#include <optional>
#include <set>
#include <string>
#include <vector>
@@ -173,6 +175,13 @@
// caller's key store starting with |prefix|. Returns true on success.
virtual bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) = 0;
+ // Provides a |key_name_list| containing all existing key names in the
+ // caller's key store starting with |prefix|. Returns true on success.
+ virtual bool listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) = 0;
+
+ virtual std::optional<std::vector<uint8_t>> getKey(const std::string& alias, int uid) = 0;
+
private:
DISALLOW_COPY_AND_ASSIGN(KeystoreClient);
};
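Review bot: The comment added for listKeysOfUid() is a verbatim copy of the one on listKeys() and never mentions the new |uid| parameter, and getKey() is added to the interface with no documentation at all. Replace the copied text with something like `// Like listKeys(), but lists the key names owned by |uid| rather than the caller's own uid.` and document getKey() with `// Returns the bytes stored under |alias| for |uid|, or std::nullopt if the keystore call fails.` — the exact meaning of the returned bytes should be confirmed against IKeystoreService::get, which is not visible here. Since both methods let a caller name another uid, the comments should also say that the keystore's permission table decides whether the request is honoured.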
diff --git a/keystore/include/keystore/keystore_client_impl.h b/keystore/include/keystore/keystore_client_impl.h
index 0bcef98..6726fe5 100644
--- a/keystore/include/keystore/keystore_client_impl.h
+++ b/keystore/include/keystore/keystore_client_impl.h
@@ -19,6 +19,7 @@
#include <future>
#include <map>
+#include <optional>
#include <string>
#include <vector>
@@ -81,6 +82,9 @@
KeyStoreNativeReturnCode abortOperation(uint64_t handle) override;
bool doesKeyExist(const std::string& key_name) override;
bool listKeys(const std::string& prefix, std::vector<std::string>* key_name_list) override;
+ bool listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) override;
+ std::optional<std::vector<uint8_t>> getKey(const std::string& alias, int uid) override;
private:
// Returns an available virtual operation handle.
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index ba8a3f3..c57012e 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -118,7 +118,8 @@
auto asn1_attestation_id_result = security::gather_attestation_application_id(callingUid);
if (!asn1_attestation_id_result.isOk()) {
ALOGE("failed to gather attestation_id");
- return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;
+ // Couldn't get attestation ID; just use an empty one rather than failing.
+ asn1_attestation_id_result = std::vector<uint8_t>();
}
std::vector<uint8_t>& asn1_attestation_id = asn1_attestation_id_result;
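Review bot: The new fallback turns a previously fatal condition into a silent downgrade: when gather_attestation_application_id() fails, an attestation request now proceeds with an empty application id, so a relying party checking the resulting certificate loses the binding between the key and the calling package. If the intent is only to let native callers without a package identity, such as fsverity_init, generate non-attested keys, the fallback should apply only when the caller supplied no attestation challenge and `return ErrorCode::ATTESTATION_APPLICATION_ID_MISSING;` should remain for real attestation requests; if the empty id is acceptable for every caller, the comment should say why and the preceding ALOGE should become a warning, since it no longer reports an error. The enclosing function starts before the hunk, so whether the challenge is inspected earlier cannot be seen here.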
@@ -883,7 +884,7 @@
[this, cb, dev](OperationResult result_) {
if (result_.resultCode.isOk() ||
result_.resultCode == ResponseCode::OP_AUTH_NEEDED) {
- addOperationDevice(result_.token, dev);
+ mKeyStore->addOperationDevice(result_.token, dev);
}
cb->onFinished(result_);
});
@@ -900,14 +901,14 @@
return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
}
- auto dev = getOperationDevice(token);
+ auto dev = mKeyStore->getOperationDevice(token);
if (!dev) {
return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
}
dev->update(token, params.getParameters(), input, [this, cb, token](OperationResult result_) {
if (!result_.resultCode.isOk()) {
- removeOperationDevice(token);
+ mKeyStore->removeOperationDevice(token);
}
cb->onFinished(result_);
});
@@ -925,7 +926,7 @@
return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
}
- auto dev = getOperationDevice(token);
+ auto dev = mKeyStore->getOperationDevice(token);
if (!dev) {
return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
}
@@ -933,7 +934,7 @@
dev->finish(token, params.getParameters(), {}, signature, entropy,
[this, cb, token](OperationResult result_) {
if (!result_.resultCode.isOk()) {
- removeOperationDevice(token);
+ mKeyStore->removeOperationDevice(token);
}
cb->onFinished(result_);
});
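Review bot: After the retarget, the finish callback still drops the token-to-device mapping only on failure, while the abort callback in the next hunk now drops it unconditionally; unless KeymasterWorker::finish itself calls removeOperationDevice() on success (not visible here), every successfully finished operation leaves a stale entry in KeyStore's operationDeviceMap_, pinning the token and the worker until the service restarts. If the worker does not do that cleanup, the callback should remove the entry regardless of the result: `mKeyStore->removeOperationDevice(token);` followed by `cb->onFinished(result_);`. The update callback above is different because a successful update leaves the operation in flight, so keeping its entry is correct there. finish() starts before the hunk.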
@@ -945,12 +946,15 @@
const ::android::sp<::android::IBinder>& token,
int32_t* _aidl_return) {
KEYSTORE_SERVICE_LOCK;
- auto dev = getOperationDevice(token);
+ auto dev = mKeyStore->getOperationDevice(token);
if (!dev) {
return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
}
- dev->abort(token, [cb](KeyStoreServiceReturnCode rc) { cb->onFinished(rc); });
+ dev->abort(token, [this, cb, token](KeyStoreServiceReturnCode rc) {
+ mKeyStore->removeOperationDevice(token);
+ cb->onFinished(rc);
+ });
return AIDL_RETURN(ResponseCode::NO_ERROR);
}
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 2fdc3dd..96d0c07 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -243,25 +243,6 @@
*/
std::mutex keystoreServiceMutex_;
- std::mutex operationDeviceMapMutex_;
- std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_;
-
- void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) {
- std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
- operationDeviceMap_.emplace(std::move(token), std::move(dev));
- }
- std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) {
- std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
- auto it = operationDeviceMap_.find(token);
- if (it != operationDeviceMap_.end()) {
- return it->second;
- }
- return {};
- }
- void removeOperationDevice(const sp<IBinder>& token) {
- std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
- operationDeviceMap_.erase(token);
- }
};
}; // namespace keystore
diff --git a/keystore/keymaster_worker.cpp b/keystore/keymaster_worker.cpp
index 23a0023..f6d5621 100644
--- a/keystore/keymaster_worker.cpp
+++ b/keystore/keymaster_worker.cpp
@@ -341,6 +341,7 @@
// We mostly ignore errors from abort() because all we care about is whether at least
// one operation has been removed.
auto rc = abort(oldest);
+ keyStore_->removeOperationDevice(oldest);
if (operationMap_.getOperationCount() >= op_count_before_abort) {
ALOGE("Failed to abort pruneable operation %p, error: %d", oldest.get(), rc.getErrorCode());
return false;
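Review bot: The added removeOperationDevice(oldest) runs before the check on the following line that decides whether abort() actually removed the operation, so when the abort fails the operation stays in operationMap_ but its device mapping is already gone, and any later update/finish/abort on that token from the service side fails with INVALID_OPERATION_HANDLE while the slot it occupies is never reclaimed that way. Moving `keyStore_->removeOperationDevice(oldest);` below the `if (operationMap_.getOperationCount() >= op_count_before_abort)` block ties the map cleanup to a confirmed removal. The enclosing function starts before the hunk, and whether keyStore_ can be null at this point is not visible.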
@@ -1111,6 +1112,7 @@
auto operations = operationMap_.getOperationsForToken(who.unsafe_get());
for (const auto& token : operations) {
abort(token);
+ keyStore_->removeOperationDevice(token);
}
});
}
diff --git a/keystore/keystore_client_impl.cpp b/keystore/keystore_client_impl.cpp
index b9a142e..3fca4c9 100644
--- a/keystore/keystore_client_impl.cpp
+++ b/keystore/keystore_client_impl.cpp
@@ -17,6 +17,7 @@
#include "keystore/keystore_client_impl.h"
#include <future>
+#include <optional>
#include <string>
#include <vector>
@@ -441,9 +442,14 @@
bool KeystoreClientImpl::listKeys(const std::string& prefix,
std::vector<std::string>* key_name_list) {
+ return listKeysOfUid(prefix, kDefaultUID, key_name_list);
+}
+
+bool KeystoreClientImpl::listKeysOfUid(const std::string& prefix, int uid,
+ std::vector<std::string>* key_name_list) {
String16 prefix16(prefix.data(), prefix.size());
std::vector<::android::String16> matches;
- auto binder_result = keystore_->list(prefix16, kDefaultUID, &matches);
+ auto binder_result = keystore_->list(prefix16, uid, &matches);
if (!binder_result.isOk()) return false;
for (const auto& match : matches) {
@@ -453,6 +459,14 @@
return true;
}
+std::optional<std::vector<uint8_t>> KeystoreClientImpl::getKey(const std::string& alias, int uid) {
+ String16 alias16(alias.data(), alias.size());
+ std::vector<uint8_t> output;
+ auto binder_result = keystore_->get(alias16, uid, &output);
+ if (!binder_result.isOk()) return std::nullopt;
+ return output;
+}
+
uint64_t KeystoreClientImpl::getNextVirtualHandle() {
return next_virtual_handle_++;
}
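Review bot: getKey() collapses every non-OK binder result into std::nullopt, so a caller cannot distinguish a missing alias from a permission denial or an unreachable keystore, and nothing is recorded at the point of failure. Since the interface is fixed to std::optional, the failure should at least be logged before returning, e.g. `if (!binder_result.isOk()) { ALOGE("keystore get(%s, %d) failed", alias.c_str(), uid); return std::nullopt; }`, assuming the logging macros are available in this file as they are elsewhere in keystore (not visible in the hunk). The same silent `return false;` path exists in listKeysOfUid() above, but that one is carried over from listKeys().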
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index 05454cb..d17fcdd 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -59,6 +59,8 @@
{AID_ROOT, AID_SYSTEM},
{AID_WIFI, AID_KEYSTORE},
{AID_KEYSTORE, AID_WIFI},
+ {AID_FSVERITY_CERT, AID_ROOT},
+ {AID_FSVERITY_CERT, AID_SYSTEM},
#ifdef GRANT_ROOT_ALL_PERMISSIONS
// Allow VTS tests to act on behalf of the wifi user
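Review bot: The two new rows grant a cross-uid relationship for AID_FSVERITY_CERT without a comment stating which way it runs, unlike the #ifdef'd row just below; if the table has the {uid, euid} shape consumed by is_granted_to(), these rows let root (fsverity_init) and system act on behalf of AID_FSVERITY_CERT and therefore read or replace the certificates stored under that uid. A comment such as `// Allow fsverity_init (root) and system to read and manage certificates owned by fsverity_cert` would document the intent and make the widened reach of root and system over that key namespace reviewable. It is also worth confirming that no row in the opposite direction is needed, since AID_FSVERITY_CERT itself should not gain access to keys owned by root or system.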
diff --git a/keystore/tests/Android.bp b/keystore/tests/Android.bp
index 25fa10b..cb662d1 100644
--- a/keystore/tests/Android.bp
+++ b/keystore/tests/Android.bp
@@ -19,7 +19,7 @@
static_libs: [
"android.hardware.confirmationui@1.0",
"libbase",
- "libcrypto",
+ "libcrypto_static",
"libcutils",
"libgtest_main",
"libhidlbase",