Keystore 2.0: Use secure clock service.
Test: CtsVerifier Fingerprint Bound Keys Test
Change-Id: Ia93794f7bcd9f5e26a4121a7bf689440fb1eeed4
diff --git a/keystore2/src/background_task_handler.rs b/keystore2/src/background_task_handler.rs
index fbb6778..b039506 100644
--- a/keystore2/src/background_task_handler.rs
+++ b/keystore2/src/background_task_handler.rs
@@ -16,8 +16,10 @@
//! the timestamp service (or TEE KeyMint in legacy devices), via a separate thread.
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
- HardwareAuthToken::HardwareAuthToken, IKeyMintDevice::IKeyMintDevice,
- SecurityLevel::SecurityLevel, VerificationToken::VerificationToken,
+ HardwareAuthToken::HardwareAuthToken,
+};
+use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
+ ISecureClock::ISecureClock, TimeStampToken::TimeStampToken,
};
use android_system_keystore2::aidl::android::system::keystore2::OperationChallenge::OperationChallenge;
use anyhow::Result;
@@ -25,16 +27,20 @@
use std::sync::mpsc::{Receiver, Sender};
use std::sync::Mutex;
use std::thread::{spawn, JoinHandle};
+
+use crate::globals::get_timestamp_service;
+
/// This is the struct encapsulating the thread which handles background tasks such as
-/// obtaining verification tokens.
+/// obtaining timestamp tokens.
pub struct BackgroundTaskHandler {
task_handler: Mutex<Option<JoinHandle<()>>>,
}
+
/// This enum defines the two variants of a message that can be passed down to the
/// BackgroundTaskHandler via the channel.
pub enum Message {
///This variant represents a message sent down the channel when requesting a timestamp token.
- Inputs((HardwareAuthToken, OperationChallenge, Sender<(HardwareAuthToken, VerificationToken)>)),
+ Inputs((HardwareAuthToken, OperationChallenge, Sender<(HardwareAuthToken, TimeStampToken)>)),
///This variant represents a message sent down the channel when signalling the thread to stop.
Shutdown,
}
@@ -65,34 +71,32 @@
// If either a timestamp service or a keymint instance is expected to be found and neither
// is found, an error is returned.
// If neither is expected to be found, make timestamp_service field None, and in the thread,
- // send a default verification token down the channel to the operation.
+ // send a default timestamp token down the channel to the operation.
// Until timestamp service is available and proper probing of legacy keymaster devices are
// done, the keymint service is initialized here as it is done in security_level module.
Ok(spawn(move || {
- while let Message::Inputs((auth_token, op_challenge, op_sender)) = receiver
- .recv()
- .expect(
- "In background task handler thread. Failed to receive message over the channel.",
- ) {
- // TODO: call the timestamp service/old TEE keymaster to get
- // timestamp/verification tokens and pass it down the sender that is
- // coupled with a particular operation's receiver.
- // If none of the services are available, pass the authtoken and a default
- // verification token down the channel.
- let km_dev: Box<dyn IKeyMintDevice> =
- crate::globals::get_keymint_device(SecurityLevel::TRUSTED_ENVIRONMENT)
- .expect("A TEE Keymint must be present.")
- .get_interface()
- .expect("Fatal: The keymint device does not implement IKeyMintDevice.");
- let result = km_dev.verifyAuthorization(op_challenge.challenge, &auth_token);
+ while let Message::Inputs((auth_token, op_challenge, op_sender)) =
+ receiver.recv().expect(
+ "In background task handler thread. Failed to
+ receive message over the channel.",
+ )
+ {
+ let dev: Box<dyn ISecureClock> = get_timestamp_service()
+ .expect(concat!(
+ "Secure Clock service must be present ",
+ "if TimeStampTokens are required."
+ ))
+ .get_interface()
+ .expect("Fatal: Timestamp service does not implement ISecureClock.");
+ let result = dev.generateTimeStamp(op_challenge.challenge);
match result {
- Ok(verification_token) => {
+ Ok(timestamp_token) => {
// this can fail if the operation is dropped and hence the channel
// is hung up.
- op_sender.send((auth_token, verification_token)).unwrap_or_else(|e| {
+ op_sender.send((auth_token, timestamp_token)).unwrap_or_else(|e| {
error!(
"In background task handler thread. Failed to send
- verification token to operation {} due to error {:?}.",
+ timestamp token to operation {} due to error {:?}.",
op_challenge.challenge, e
)
});
@@ -101,17 +105,17 @@
// log error
error!(
"In background task handler thread. Failed to receive
- verification token for operation {} due to error {:?}.",
+ timestamp token for operation {} due to error {:?}.",
op_challenge.challenge, e
);
- // send default verification token
+ // send default timestamp token
// this can fail if the operation is dropped and the channel is
// hung up.
- op_sender.send((auth_token, VerificationToken::default())).unwrap_or_else(
+ op_sender.send((auth_token, TimeStampToken::default())).unwrap_or_else(
|e| {
error!(
"In background task handler thread. Failed to send default
- verification token to operation {} due to error {:?}.",
+ timestamp token to operation {} due to error {:?}.",
op_challenge.challenge, e
)
},