[automerger skipped] Mark 2024-06 Release (ab/AP2A.240605.024) as merged in aosp-main-future am: 109d4d5b3f -s ours
am skip reason: Merged-In I3aa48d05f367fafab5151fa7eb6dd447840dae0d with SHA-1 b10745144a is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/27545532
Change-Id: I87980f3bc1b3709703773b86941ec73523b5b4d4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/keystore2/apc_compat/apc_compat.cpp b/keystore2/apc_compat/apc_compat.cpp
index ffe7595..0ff2fc5 100644
--- a/keystore2/apc_compat/apc_compat.cpp
+++ b/keystore2/apc_compat/apc_compat.cpp
@@ -26,6 +26,7 @@
#include <android/binder_manager.h>
#include <memory>
+#include <set>
#include <string>
#include <thread>
#include <vector>
@@ -214,6 +215,14 @@
return nullptr;
}
+ class DeathRecipientCookie {
+ public:
+ DeathRecipientCookie(std::weak_ptr<ConfuiAidlCompatSession> session)
+ : mAidlSession(session) {}
+ DeathRecipientCookie() = delete;
+ std::weak_ptr<ConfuiAidlCompatSession> mAidlSession;
+ };
+
uint32_t promptUserConfirmation(ApcCompatCallback callback, const char* prompt_text,
const uint8_t* extra_data, size_t extra_data_size,
const char* locale, ApcCompatUiOptions ui_options) {
@@ -234,12 +243,19 @@
if (!aidlService_) {
return APC_COMPAT_ERROR_SYSTEM_ERROR;
}
- auto linkRet =
- AIBinder_linkToDeath(aidlService_->asBinder().get(), death_recipient_.get(), this);
- if (linkRet != STATUS_OK) {
- LOG(ERROR) << "Communication error: promptUserConfirmation: "
- "Trying to register death recipient: ";
- return APC_COMPAT_ERROR_SYSTEM_ERROR;
+
+ {
+ auto cookieLock = std::lock_guard(deathRecipientCookie_lock_);
+ void* cookie = new DeathRecipientCookie(this->ref<ConfuiAidlCompatSession>());
+ auto linkRet = AIBinder_linkToDeath(aidlService_->asBinder().get(),
+ death_recipient_.get(), cookie);
+ if (linkRet != STATUS_OK) {
+ LOG(ERROR) << "Communication error: promptUserConfirmation: "
+ "Trying to register death recipient: ";
+ delete static_cast<DeathRecipientCookie*>(cookie);
+ return APC_COMPAT_ERROR_SYSTEM_ERROR;
+ }
+ deathRecipientCookie_.insert(cookie);
}
auto rc = aidlService_->promptUserConfirmation(ref<ConfuiAidlCompatSession>(), aidl_prompt,
@@ -275,8 +291,21 @@
if (callback.result != nullptr) {
if (aidlService_) {
- AIBinder_unlinkToDeath(aidlService_->asBinder().get(), death_recipient_.get(),
- this);
+ // unlink all of the registered death recipients in case there
+ // were multiple calls to promptUserConfirmation before a call
+ // to finalize
+ std::set<void*> cookiesToUnlink;
+ {
+ auto cookieLock = std::lock_guard(deathRecipientCookie_lock_);
+ cookiesToUnlink = deathRecipientCookie_;
+ deathRecipientCookie_.clear();
+ }
+
+ // Unlink these outside of the lock
+ for (void* cookie : cookiesToUnlink) {
+ AIBinder_unlinkToDeath(aidlService_->asBinder().get(), death_recipient_.get(),
+ cookie);
+ }
}
CompatSessionCB::finalize(responseCode2Compat(responseCode), callback, dataConfirmed,
confirmationToken);
@@ -293,17 +322,46 @@
void serviceDied() {
aidlService_.reset();
aidlService_ = nullptr;
+ {
+ std::lock_guard lock(deathRecipientCookie_lock_);
+ deathRecipientCookie_.clear();
+ }
finalize(AidlConfirmationUI::SYSTEM_ERROR, {}, {});
}
- static void binderDiedCallbackAidl(void* ptr) {
- LOG(ERROR) << __func__ << " : ConfuiAidlCompatSession Service died.";
- auto aidlSession = static_cast<ConfuiAidlCompatSession*>(ptr);
- if (aidlSession == nullptr) {
- LOG(ERROR) << __func__ << ": Null ConfuiAidlCompatSession HAL died.";
- return;
+ void serviceUnlinked(void* cookie) {
+ {
+ std::lock_guard lock(deathRecipientCookie_lock_);
+ deathRecipientCookie_.erase(cookie);
}
- aidlSession->serviceDied();
+ }
+
+ static void binderDiedCallbackAidl(void* ptr) {
+ auto aidlSessionCookie = static_cast<ConfuiAidlCompatSession::DeathRecipientCookie*>(ptr);
+ if (aidlSessionCookie == nullptr) {
+ LOG(ERROR) << __func__ << ": Null cookie for binderDiedCallbackAidl when HAL died!";
+ return;
+ } else if (auto aidlSession = aidlSessionCookie->mAidlSession.lock();
+ aidlSession != nullptr) {
+ LOG(WARNING) << __func__ << " : Notififying ConfuiAidlCompatSession Service died.";
+ aidlSession->serviceDied();
+ } else {
+ LOG(ERROR) << __func__
+ << " : ConfuiAidlCompatSession Service died but object is no longer around "
+ "to be able to notify.";
+ }
+ }
+
+ static void binderUnlinkedCallbackAidl(void* ptr) {
+ auto aidlSessionCookie = static_cast<ConfuiAidlCompatSession::DeathRecipientCookie*>(ptr);
+ if (aidlSessionCookie == nullptr) {
+ LOG(ERROR) << __func__ << ": Null cookie!";
+ return;
+ } else if (auto aidlSession = aidlSessionCookie->mAidlSession.lock();
+ aidlSession != nullptr) {
+ aidlSession->serviceUnlinked(ptr);
+ }
+ delete aidlSessionCookie;
}
int getReturnCode(const ::ndk::ScopedAStatus& result) {
@@ -343,6 +401,7 @@
: aidlService_(service), callback_{nullptr, nullptr} {
death_recipient_ = ::ndk::ScopedAIBinder_DeathRecipient(
AIBinder_DeathRecipient_new(binderDiedCallbackAidl));
+ AIBinder_DeathRecipient_setOnUnlinked(death_recipient_.get(), binderUnlinkedCallbackAidl);
}
virtual ~ConfuiAidlCompatSession() = default;
@@ -351,6 +410,8 @@
private:
std::shared_ptr<AidlConfirmationUI> aidlService_;
+ std::mutex deathRecipientCookie_lock_;
+ std::set<void*> deathRecipientCookie_;
// The callback_lock_ protects the callback_ field against concurrent modification.
// IMPORTANT: It must never be held while calling the call back.
diff --git a/keystore2/legacykeystore/lib.rs b/keystore2/legacykeystore/lib.rs
index db3eff6..d407416 100644
--- a/keystore2/legacykeystore/lib.rs
+++ b/keystore2/legacykeystore/lib.rs
@@ -551,19 +551,19 @@
impl ILegacyKeystore for LegacyKeystoreService {
fn get(&self, alias: &str, uid: i32) -> BinderResult<Vec<u8>> {
- let _wp = wd::watch_millis("ILegacyKeystore::get", 500);
+ let _wp = wd::watch("ILegacyKeystore::get");
map_or_log_err(self.legacy_keystore.get(alias, uid), Ok)
}
fn put(&self, alias: &str, uid: i32, entry: &[u8]) -> BinderResult<()> {
- let _wp = wd::watch_millis("ILegacyKeystore::put", 500);
+ let _wp = wd::watch("ILegacyKeystore::put");
map_or_log_err(self.legacy_keystore.put(alias, uid, entry), Ok)
}
fn remove(&self, alias: &str, uid: i32) -> BinderResult<()> {
- let _wp = wd::watch_millis("ILegacyKeystore::remove", 500);
+ let _wp = wd::watch("ILegacyKeystore::remove");
map_or_log_err(self.legacy_keystore.remove(alias, uid), Ok)
}
fn list(&self, prefix: &str, uid: i32) -> BinderResult<Vec<String>> {
- let _wp = wd::watch_millis("ILegacyKeystore::list", 500);
+ let _wp = wd::watch("ILegacyKeystore::list");
map_or_log_err(self.legacy_keystore.list(prefix, uid), Ok)
}
}
diff --git a/keystore2/src/apc.rs b/keystore2/src/apc.rs
index 6abe849..bdde5ae 100644
--- a/keystore2/src/apc.rs
+++ b/keystore2/src/apc.rs
@@ -363,11 +363,11 @@
&self,
listener: &binder::Strong<dyn IConfirmationCallback>,
) -> BinderResult<()> {
- let _wp = wd::watch_millis("IProtectedConfirmation::cancelPrompt", 500);
+ let _wp = wd::watch("IProtectedConfirmation::cancelPrompt");
map_or_log_err(self.cancel_prompt(listener), Ok)
}
fn isSupported(&self) -> BinderResult<bool> {
- let _wp = wd::watch_millis("IProtectedConfirmation::isSupported", 500);
+ let _wp = wd::watch("IProtectedConfirmation::isSupported");
map_or_log_err(Self::is_supported(), Ok)
}
}
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index 243abf1..5810c35 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -271,12 +271,12 @@
impl IKeystoreAuthorization for AuthorizationManager {
fn addAuthToken(&self, auth_token: &HardwareAuthToken) -> BinderResult<()> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::addAuthToken", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::addAuthToken");
map_or_log_err(self.add_auth_token(auth_token), Ok)
}
fn onDeviceUnlocked(&self, user_id: i32, password: Option<&[u8]>) -> BinderResult<()> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::onDeviceUnlocked", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::onDeviceUnlocked");
map_or_log_err(self.on_device_unlocked(user_id, password.map(|pw| pw.into())), Ok)
}
@@ -286,17 +286,17 @@
unlocking_sids: &[i64],
weak_unlock_enabled: bool,
) -> BinderResult<()> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::onDeviceLocked", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::onDeviceLocked");
map_or_log_err(self.on_device_locked(user_id, unlocking_sids, weak_unlock_enabled), Ok)
}
fn onWeakUnlockMethodsExpired(&self, user_id: i32) -> BinderResult<()> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::onWeakUnlockMethodsExpired", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::onWeakUnlockMethodsExpired");
map_or_log_err(self.on_weak_unlock_methods_expired(user_id), Ok)
}
fn onNonLskfUnlockMethodsExpired(&self, user_id: i32) -> BinderResult<()> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::onNonLskfUnlockMethodsExpired", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::onNonLskfUnlockMethodsExpired");
map_or_log_err(self.on_non_lskf_unlock_methods_expired(user_id), Ok)
}
@@ -306,7 +306,7 @@
secure_user_id: i64,
auth_token_max_age_millis: i64,
) -> binder::Result<AuthorizationTokens> {
- let _wp = wd::watch_millis("IKeystoreAuthorization::getAuthTokensForCredStore", 500);
+ let _wp = wd::watch("IKeystoreAuthorization::getAuthTokensForCredStore");
map_or_log_err(
self.get_auth_tokens_for_credstore(
challenge,
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index ee9d246..50cd3ba 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -82,7 +82,7 @@
types::FromSqlResult,
types::ToSqlOutput,
types::{FromSqlError, Value, ValueRef},
- Connection, OptionalExtension, ToSql, Transaction, TransactionBehavior,
+ Connection, OptionalExtension, ToSql, Transaction,
};
use std::{
@@ -92,9 +92,37 @@
time::{Duration, SystemTime},
};
+use TransactionBehavior::Immediate;
+
#[cfg(test)]
use tests::random;
+/// Wrapper for `rusqlite::TransactionBehavior` which includes information about the transaction
+/// being performed.
+#[derive(Clone, Copy)]
+enum TransactionBehavior {
+ Deferred,
+ Immediate(&'static str),
+}
+
+impl From<TransactionBehavior> for rusqlite::TransactionBehavior {
+ fn from(val: TransactionBehavior) -> Self {
+ match val {
+ TransactionBehavior::Deferred => rusqlite::TransactionBehavior::Deferred,
+ TransactionBehavior::Immediate(_) => rusqlite::TransactionBehavior::Immediate,
+ }
+ }
+}
+
+impl TransactionBehavior {
+ fn name(&self) -> Option<&'static str> {
+ match self {
+ TransactionBehavior::Deferred => None,
+ TransactionBehavior::Immediate(v) => Some(v),
+ }
+ }
+}
+
/// If the database returns a busy error code, retry after this interval.
const DB_BUSY_RETRY_INTERVAL: Duration = Duration::from_micros(500);
/// If the database returns a busy error code, keep retrying for this long.
@@ -857,13 +885,13 @@
/// KeystoreDB cannot be used by multiple threads.
/// Each thread should open their own connection using `thread_local!`.
pub fn new(db_root: &Path, gc: Option<Arc<Gc>>) -> Result<Self> {
- let _wp = wd::watch_millis("KeystoreDB::new", 500);
+ let _wp = wd::watch("KeystoreDB::new");
let persistent_path = Self::make_persistent_path(db_root)?;
let conn = Self::make_connection(&persistent_path)?;
let mut db = Self { conn, gc, perboot: perboot::PERBOOT_DB.clone() };
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
+ db.with_transaction(Immediate("TX_new"), |tx| {
versioning::upgrade_database(tx, Self::CURRENT_DB_VERSION, Self::UPGRADERS)
.context(ks_err!("KeystoreDB::new: trying to upgrade database."))?;
Self::init_tables(tx).context("Trying to initialize tables.").no_gc()
@@ -1092,7 +1120,7 @@
/// types that map to a table, information about the table's storage is
/// returned. Requests for storage types that are not DB tables return None.
pub fn get_storage_stat(&mut self, storage_type: MetricsStorage) -> Result<StorageStats> {
- let _wp = wd::watch_millis("KeystoreDB::get_storage_stat", 500);
+ let _wp = wd::watch("KeystoreDB::get_storage_stat");
match storage_type {
MetricsStorage::DATABASE => self.get_total_size(),
@@ -1155,8 +1183,8 @@
blob_ids_to_delete: &[i64],
max_blobs: usize,
) -> Result<Vec<(i64, Vec<u8>, BlobMetaData)>> {
- let _wp = wd::watch_millis("KeystoreDB::handle_next_superseded_blob", 500);
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ let _wp = wd::watch("KeystoreDB::handle_next_superseded_blob");
+ self.with_transaction(Immediate("TX_handle_next_superseded_blob"), |tx| {
// Delete the given blobs.
for blob_id in blob_ids_to_delete {
tx.execute(
@@ -1243,9 +1271,9 @@
/// Unlike with `mark_unreferenced`, we don't need to purge grants, because only keys that made
/// it to `KeyLifeCycle::Live` may have grants.
pub fn cleanup_leftovers(&mut self) -> Result<usize> {
- let _wp = wd::watch_millis("KeystoreDB::cleanup_leftovers", 500);
+ let _wp = wd::watch("KeystoreDB::cleanup_leftovers");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_cleanup_leftovers"), |tx| {
tx.execute(
"UPDATE persistent.keyentry SET state = ? WHERE state = ?;",
params![KeyLifeCycle::Unreferenced, KeyLifeCycle::Existing],
@@ -1264,9 +1292,9 @@
alias: &str,
key_type: KeyType,
) -> Result<bool> {
- let _wp = wd::watch_millis("KeystoreDB::key_exists", 500);
+ let _wp = wd::watch("KeystoreDB::key_exists");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_key_exists"), |tx| {
let key_descriptor =
KeyDescriptor { domain, nspace, alias: Some(alias.to_string()), blob: None };
let result = Self::load_key_entry_id(tx, &key_descriptor, key_type);
@@ -1291,9 +1319,9 @@
blob_metadata: &BlobMetaData,
key_metadata: &KeyMetaData,
) -> Result<KeyEntry> {
- let _wp = wd::watch_millis("KeystoreDB::store_super_key", 500);
+ let _wp = wd::watch("KeystoreDB::store_super_key");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_store_super_key"), |tx| {
let key_id = Self::insert_with_retry(|id| {
tx.execute(
"INSERT into persistent.keyentry
@@ -1336,9 +1364,9 @@
key_type: &SuperKeyType,
user_id: u32,
) -> Result<Option<(KeyIdGuard, KeyEntry)>> {
- let _wp = wd::watch_millis("KeystoreDB::load_super_key", 500);
+ let _wp = wd::watch("KeystoreDB::load_super_key");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_load_super_key"), |tx| {
let key_descriptor = KeyDescriptor {
domain: Domain::APP,
nspace: user_id as i64,
@@ -1381,12 +1409,16 @@
F: Fn(&Transaction) -> Result<(bool, T)>,
{
let start = std::time::Instant::now();
+ let name = behavior.name();
loop {
let result = self
.conn
- .transaction_with_behavior(behavior)
+ .transaction_with_behavior(behavior.into())
.context(ks_err!())
- .and_then(|tx| f(&tx).map(|result| (result, tx)))
+ .and_then(|tx| {
+ let _wp = name.map(wd::watch);
+ f(&tx).map(|result| (result, tx))
+ })
.and_then(|(result, tx)| {
tx.commit().context(ks_err!("Failed to commit transaction."))?;
Ok(result)
@@ -1470,9 +1502,9 @@
blob: Option<&[u8]>,
blob_metadata: Option<&BlobMetaData>,
) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::set_blob", 500);
+ let _wp = wd::watch("KeystoreDB::set_blob");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_set_blob"), |tx| {
Self::set_blob_internal(tx, key_id.0, sc_type, blob, blob_metadata).need_gc()
})
.context(ks_err!())
@@ -1483,9 +1515,9 @@
/// We use this to insert key blobs into the database which can then be garbage collected
/// lazily by the key garbage collector.
pub fn set_deleted_blob(&mut self, blob: &[u8], blob_metadata: &BlobMetaData) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::set_deleted_blob", 500);
+ let _wp = wd::watch("KeystoreDB::set_deleted_blob");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_set_deleted_blob"), |tx| {
Self::set_blob_internal(
tx,
Self::UNASSIGNED_KEY_ID,
@@ -1544,7 +1576,7 @@
/// and associates them with the given `key_id`.
#[cfg(test)]
fn insert_keyparameter(&mut self, key_id: &KeyIdGuard, params: &[KeyParameter]) -> Result<()> {
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_insert_keyparameter"), |tx| {
Self::insert_keyparameter_internal(tx, key_id, params).no_gc()
})
.context(ks_err!())
@@ -1577,7 +1609,7 @@
/// Insert a set of key entry specific metadata into the database.
#[cfg(test)]
fn insert_key_metadata(&mut self, key_id: &KeyIdGuard, metadata: &KeyMetaData) -> Result<()> {
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_insert_key_metadata"), |tx| {
metadata.store_in_db(key_id.0, tx).no_gc()
})
.context(ks_err!())
@@ -1645,7 +1677,7 @@
caller_uid: u32,
check_permission: impl Fn(&KeyDescriptor) -> Result<()>,
) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::migrate_key_namespace", 500);
+ let _wp = wd::watch("KeystoreDB::migrate_key_namespace");
let destination = match destination.domain {
Domain::APP => KeyDescriptor { nspace: caller_uid as i64, ..(*destination).clone() },
@@ -1665,7 +1697,7 @@
.ok_or(KsError::Rc(ResponseCode::INVALID_ARGUMENT))
.context(ks_err!("Alias must be specified."))?;
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_migrate_key_namespace"), |tx| {
// Query the destination location. If there is a key, the migration request fails.
if tx
.query_row(
@@ -1716,7 +1748,7 @@
metadata: &KeyMetaData,
km_uuid: &Uuid,
) -> Result<KeyIdGuard> {
- let _wp = wd::watch_millis("KeystoreDB::store_new_key", 500);
+ let _wp = wd::watch("KeystoreDB::store_new_key");
let (alias, domain, namespace) = match key {
KeyDescriptor { alias: Some(alias), domain: Domain::APP, nspace, blob: None }
@@ -1728,7 +1760,7 @@
.context(ks_err!("Need alias and domain must be APP or SELINUX."));
}
};
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_store_new_key"), |tx| {
let key_id = Self::create_key_entry_internal(tx, &domain, namespace, key_type, km_uuid)
.context("Trying to create new key entry.")?;
let BlobInfo { blob, metadata: blob_metadata, superseded_blob } = *blob_info;
@@ -1795,7 +1827,7 @@
cert: &[u8],
km_uuid: &Uuid,
) -> Result<KeyIdGuard> {
- let _wp = wd::watch_millis("KeystoreDB::store_new_certificate", 500);
+ let _wp = wd::watch("KeystoreDB::store_new_certificate");
let (alias, domain, namespace) = match key {
KeyDescriptor { alias: Some(alias), domain: Domain::APP, nspace, blob: None }
@@ -1807,7 +1839,7 @@
.context(ks_err!("Need alias and domain must be APP or SELINUX."));
}
};
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_store_new_certificate"), |tx| {
let key_id = Self::create_key_entry_internal(tx, &domain, namespace, key_type, km_uuid)
.context("Trying to create new key entry.")?;
@@ -2075,9 +2107,9 @@
/// zero, the key also gets marked unreferenced and scheduled for deletion.
/// Returns Ok(true) if the key was marked unreferenced as a hint to the garbage collector.
pub fn check_and_update_key_usage_count(&mut self, key_id: i64) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::check_and_update_key_usage_count", 500);
+ let _wp = wd::watch("KeystoreDB::check_and_update_key_usage_count");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_check_and_update_key_usage_count"), |tx| {
let limit: Option<i32> = tx
.query_row(
"SELECT data FROM persistent.keyparameter WHERE keyentryid = ? AND tag = ?;",
@@ -2123,7 +2155,7 @@
caller_uid: u32,
check_permission: impl Fn(&KeyDescriptor, Option<KeyPermSet>) -> Result<()>,
) -> Result<(KeyIdGuard, KeyEntry)> {
- let _wp = wd::watch_millis("KeystoreDB::load_key_entry", 500);
+ let _wp = wd::watch("KeystoreDB::load_key_entry");
let start = std::time::Instant::now();
loop {
@@ -2253,9 +2285,9 @@
caller_uid: u32,
check_permission: impl Fn(&KeyDescriptor, Option<KeyPermSet>) -> Result<()>,
) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::unbind_key", 500);
+ let _wp = wd::watch("KeystoreDB::unbind_key");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_unbind_key"), |tx| {
let (key_id, access_key_descriptor, access_vector) =
Self::load_access_tuple(tx, key, key_type, caller_uid)
.context("Trying to get access tuple.")?;
@@ -2284,12 +2316,12 @@
/// Delete all artifacts belonging to the namespace given by the domain-namespace tuple.
/// This leaves all of the blob entries orphaned for subsequent garbage collection.
pub fn unbind_keys_for_namespace(&mut self, domain: Domain, namespace: i64) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::unbind_keys_for_namespace", 500);
+ let _wp = wd::watch("KeystoreDB::unbind_keys_for_namespace");
if !(domain == Domain::APP || domain == Domain::SELINUX) {
return Err(KsError::Rc(ResponseCode::INVALID_ARGUMENT)).context(ks_err!());
}
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_unbind_keys_for_namespace"), |tx| {
tx.execute(
"DELETE FROM persistent.keymetadata
WHERE keyentryid IN (
@@ -2329,7 +2361,7 @@
}
fn cleanup_unreferenced(tx: &Transaction) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::cleanup_unreferenced", 500);
+ let _wp = wd::watch("KeystoreDB::cleanup_unreferenced");
{
tx.execute(
"DELETE FROM persistent.keymetadata
@@ -2378,9 +2410,9 @@
user_id: u32,
keep_non_super_encrypted_keys: bool,
) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::unbind_keys_for_user", 500);
+ let _wp = wd::watch("KeystoreDB::unbind_keys_for_user");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_unbind_keys_for_user"), |tx| {
let mut stmt = tx
.prepare(&format!(
"SELECT id from persistent.keyentry
@@ -2455,9 +2487,9 @@
/// be unlocked should remain usable when the lock screen is set to Swipe or None, as the device
/// is always considered "unlocked" in that case.
pub fn unbind_auth_bound_keys_for_user(&mut self, user_id: u32) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::unbind_auth_bound_keys_for_user", 500);
+ let _wp = wd::watch("KeystoreDB::unbind_auth_bound_keys_for_user");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_unbind_auth_bound_keys_for_user"), |tx| {
let mut stmt = tx
.prepare(&format!(
"SELECT id from persistent.keyentry
@@ -2550,7 +2582,7 @@
key_type: KeyType,
start_past_alias: Option<&str>,
) -> Result<Vec<KeyDescriptor>> {
- let _wp = wd::watch_millis("KeystoreDB::list_past_alias", 500);
+ let _wp = wd::watch("KeystoreDB::list_past_alias");
let query = format!(
"SELECT DISTINCT alias FROM persistent.keyentry
@@ -2605,7 +2637,7 @@
namespace: i64,
key_type: KeyType,
) -> Result<usize> {
- let _wp = wd::watch_millis("KeystoreDB::countKeys", 500);
+ let _wp = wd::watch("KeystoreDB::countKeys");
let num_keys = self.with_transaction(TransactionBehavior::Deferred, |tx| {
tx.query_row(
@@ -2638,9 +2670,9 @@
access_vector: KeyPermSet,
check_permission: impl Fn(&KeyDescriptor, &KeyPermSet) -> Result<()>,
) -> Result<KeyDescriptor> {
- let _wp = wd::watch_millis("KeystoreDB::grant", 500);
+ let _wp = wd::watch("KeystoreDB::grant");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_grant"), |tx| {
// Load the key_id and complete the access control tuple.
// We ignore the access vector here because grants cannot be granted.
// The access vector returned here expresses the permissions the
@@ -2704,9 +2736,9 @@
grantee_uid: u32,
check_permission: impl Fn(&KeyDescriptor) -> Result<()>,
) -> Result<()> {
- let _wp = wd::watch_millis("KeystoreDB::ungrant", 500);
+ let _wp = wd::watch("KeystoreDB::ungrant");
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_ungrant"), |tx| {
// Load the key_id and complete the access control tuple.
// We ignore the access vector here because grants cannot be granted.
let (key_id, access_key_descriptor, _) =
@@ -2770,7 +2802,7 @@
/// Load descriptor of a key by key id
pub fn load_key_descriptor(&mut self, key_id: i64) -> Result<Option<KeyDescriptor>> {
- let _wp = wd::watch_millis("KeystoreDB::load_key_descriptor", 500);
+ let _wp = wd::watch("KeystoreDB::load_key_descriptor");
self.with_transaction(TransactionBehavior::Deferred, |tx| {
tx.query_row(
@@ -2801,9 +2833,9 @@
user_id: i32,
secure_user_id: i64,
) -> Result<Vec<i64>> {
- let _wp = wd::watch_millis("KeystoreDB::get_app_uids_affected_by_sid", 500);
+ let _wp = wd::watch("KeystoreDB::get_app_uids_affected_by_sid");
- let key_ids_and_app_uids = self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ let ids = self.with_transaction(Immediate("TX_get_app_uids_affected_by_sid"), |tx| {
let mut stmt = tx
.prepare(&format!(
"SELECT id, namespace from persistent.keyentry
@@ -2832,13 +2864,13 @@
Ok(key_ids_and_app_uids).no_gc()
})?;
let mut app_uids_affected_by_sid: HashSet<i64> = Default::default();
- for (key_id, app_uid) in key_ids_and_app_uids {
+ for (key_id, app_uid) in ids {
// Read the key parameters for each key in its own transaction. It is OK to ignore
// an error to get the properties of a particular key since it might have been deleted
// under our feet after the previous transaction concluded. If the key was deleted
// then it is no longer applicable if it was auth-bound or not.
if let Ok(is_key_bound_to_sid) =
- self.with_transaction(TransactionBehavior::Immediate, |tx| {
+ self.with_transaction(Immediate("TX_get_app_uids_affects_by_sid 2"), |tx| {
let params = Self::load_key_parameters(key_id, tx)
.context("Failed to load key parameters.")?;
// Check if the key is bound to this secure user ID.
@@ -2881,7 +2913,6 @@
use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
Timestamp::Timestamp,
};
- use rusqlite::TransactionBehavior;
use std::cell::RefCell;
use std::collections::BTreeMap;
use std::fmt::Write;
@@ -2897,7 +2928,7 @@
let conn = KeystoreDB::make_connection("file::memory:")?;
let mut db = KeystoreDB { conn, gc: None, perboot: Arc::new(perboot::PerbootDB::new()) };
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
+ db.with_transaction(Immediate("TX_new_test_db"), |tx| {
KeystoreDB::init_tables(tx).context("Failed to initialize tables.").no_gc()
})?;
Ok(db)
@@ -2910,7 +2941,7 @@
domain: Domain,
namespace: i64,
) -> Result<bool> {
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
+ db.with_transaction(Immediate("TX_rebind_alias"), |tx| {
KeystoreDB::rebind_alias(tx, newid, alias, &domain, &namespace, KeyType::Client).no_gc()
})
.context(ks_err!())
@@ -3037,7 +3068,7 @@
key_type: KeyType,
km_uuid: &Uuid,
) -> Result<KeyIdGuard> {
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
+ db.with_transaction(Immediate("TX_create_key_entry"), |tx| {
KeystoreDB::create_key_entry_internal(tx, domain, namespace, key_type, km_uuid).no_gc()
})
}
@@ -3352,7 +3383,7 @@
drop(stmt);
assert_eq!(
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
+ db.with_transaction(Immediate("TX_test"), |tx| {
BlobMetaData::load_from_db(id, tx).no_gc()
})
.expect("Should find blob metadata."),
@@ -4027,10 +4058,8 @@
.unwrap();
assert_eq!(key_entry, make_bootlevel_test_key_entry_test_vector(key_id_deleted, true));
- db.with_transaction(TransactionBehavior::Immediate, |tx| {
- KeystoreDB::from_0_to_1(tx).no_gc()
- })
- .unwrap();
+ db.with_transaction(Immediate("TX_test"), |tx| KeystoreDB::from_0_to_1(tx).no_gc())
+ .unwrap();
let (_, key_entry) = db
.load_key_entry(
@@ -4183,12 +4212,12 @@
let _tx1 = db1
.conn
- .transaction_with_behavior(TransactionBehavior::Immediate)
+ .transaction_with_behavior(rusqlite::TransactionBehavior::Immediate)
.expect("Failed to create first transaction.");
let error = db2
.conn
- .transaction_with_behavior(TransactionBehavior::Immediate)
+ .transaction_with_behavior(rusqlite::TransactionBehavior::Immediate)
.context("Transaction begin failed.")
.expect_err("This should fail.");
let root_cause = error.root_cause();
@@ -5527,10 +5556,8 @@
// Make sure the other thread has initialized its database access before we lock it out.
a_receiver.recv().unwrap();
- let _result = db.with_transaction_timeout(
- TransactionBehavior::Immediate,
- Duration::from_secs(3),
- |_tx| {
+ let _result =
+ db.with_transaction_timeout(Immediate("TX_test"), Duration::from_secs(3), |_tx| {
// Notify the other thread that we're inside the immediate transaction...
a_sender.send(()).unwrap();
// ...then wait to be sure that the other thread has the `KeyIdGuard` before
@@ -5539,8 +5566,7 @@
let _guard = KEY_ID_LOCK.get(key_id);
Ok(()).no_gc()
- },
- );
+ });
});
// Second thread gets the `KeyIdGuard`, then waits before trying to perform an immediate
@@ -5559,11 +5585,10 @@
// this thread also tries to do one.
b_receiver.recv().unwrap();
- let result = db.with_transaction_timeout(
- TransactionBehavior::Immediate,
- Duration::from_secs(3),
- |_tx| Ok(()).no_gc(),
- );
+ let result =
+ db.with_transaction_timeout(Immediate("TX_test"), Duration::from_secs(3), |_tx| {
+ Ok(()).no_gc()
+ });
// Expect the attempt to get an immediate transaction to fail, and then this thread will
// exit and release the `KeyIdGuard`, allowing the other thread to complete.
assert!(result.is_err());
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index 7ac1038..2d5c20a 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -165,7 +165,7 @@
(
Box::new(|uuid, blob| {
let km_dev = get_keymint_dev_by_uuid(uuid).map(|(dev, _)| dev)?;
- let _wp = wd::watch_millis("In invalidate key closure: calling deleteKey", 500);
+ let _wp = wd::watch("In invalidate key closure: calling deleteKey");
map_km_error(km_dev.deleteKey(blob))
.context(ks_err!("Trying to invalidate key blob."))
}),
@@ -306,7 +306,7 @@
}
};
- let wp = wd::watch_millis("In connect_keymint: calling getHardwareInfo()", 500);
+ let wp = wd::watch("In connect_keymint: calling getHardwareInfo()");
let mut hw_info =
map_km_error(keymint.getHardwareInfo()).context(ks_err!("Failed to get hardware info."))?;
drop(wp);
diff --git a/keystore2/src/legacy_importer.rs b/keystore2/src/legacy_importer.rs
index 7dcb98d..f64af0b 100644
--- a/keystore2/src/legacy_importer.rs
+++ b/keystore2/src/legacy_importer.rs
@@ -202,7 +202,7 @@
/// List all aliases for uid in the legacy database.
pub fn list_uid(&self, domain: Domain, namespace: i64) -> Result<Vec<KeyDescriptor>> {
- let _wp = wd::watch_millis("LegacyImporter::list_uid", 500);
+ let _wp = wd::watch("LegacyImporter::list_uid");
let uid = match (domain, namespace) {
(Domain::APP, namespace) => namespace as u32,
@@ -299,7 +299,7 @@
where
F: Fn() -> Result<T>,
{
- let _wp = wd::watch_millis("LegacyImporter::with_try_import", 500);
+ let _wp = wd::watch("LegacyImporter::with_try_import");
// Access the key and return on success.
match key_accessor() {
@@ -355,7 +355,7 @@
where
F: FnMut() -> Result<Option<T>>,
{
- let _wp = wd::watch_millis("LegacyImporter::with_try_import_super_key", 500);
+ let _wp = wd::watch("LegacyImporter::with_try_import_super_key");
match key_accessor() {
Ok(Some(result)) => return Ok(Some(result)),
@@ -379,7 +379,7 @@
/// Deletes all keys belonging to the given namespace, importing them into the database
/// for subsequent garbage collection if necessary.
pub fn bulk_delete_uid(&self, domain: Domain, nspace: i64) -> Result<()> {
- let _wp = wd::watch_millis("LegacyImporter::bulk_delete_uid", 500);
+ let _wp = wd::watch("LegacyImporter::bulk_delete_uid");
let uid = match (domain, nspace) {
(Domain::APP, nspace) => nspace as u32,
@@ -402,7 +402,7 @@
user_id: u32,
keep_non_super_encrypted_keys: bool,
) -> Result<()> {
- let _wp = wd::watch_millis("LegacyImporter::bulk_delete_user", 500);
+ let _wp = wd::watch("LegacyImporter::bulk_delete_user");
let result = self.do_serialized(move |importer_state| {
importer_state
@@ -923,7 +923,7 @@
blob,
&[],
|blob| {
- let _wd = wd::watch_millis("Calling GetKeyCharacteristics.", 500);
+ let _wd = wd::watch("Calling GetKeyCharacteristics.");
map_km_error(km_dev.getKeyCharacteristics(blob, &[], &[]))
},
|_| Ok(()),
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 8780e9e..644e7e5 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -302,13 +302,13 @@
user_id,
password.is_some()
);
- let _wp = wd::watch_millis("IKeystoreMaintenance::onUserPasswordChanged", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::onUserPasswordChanged");
map_or_log_err(Self::on_user_password_changed(user_id, password.map(|pw| pw.into())), Ok)
}
fn onUserAdded(&self, user_id: i32) -> BinderResult<()> {
log::info!("onUserAdded(user={user_id})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::onUserAdded", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::onUserAdded");
map_or_log_err(self.add_or_remove_user(user_id), Ok)
}
@@ -319,31 +319,31 @@
allow_existing: bool,
) -> BinderResult<()> {
log::info!("initUserSuperKeys(user={user_id}, allow_existing={allow_existing})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::initUserSuperKeys", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::initUserSuperKeys");
map_or_log_err(self.init_user_super_keys(user_id, password.into(), allow_existing), Ok)
}
fn onUserRemoved(&self, user_id: i32) -> BinderResult<()> {
log::info!("onUserRemoved(user={user_id})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::onUserRemoved", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::onUserRemoved");
map_or_log_err(self.add_or_remove_user(user_id), Ok)
}
fn onUserLskfRemoved(&self, user_id: i32) -> BinderResult<()> {
log::info!("onUserLskfRemoved(user={user_id})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::onUserLskfRemoved", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::onUserLskfRemoved");
map_or_log_err(Self::on_user_lskf_removed(user_id), Ok)
}
fn clearNamespace(&self, domain: Domain, nspace: i64) -> BinderResult<()> {
log::info!("clearNamespace({domain:?}, nspace={nspace})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::clearNamespace", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::clearNamespace");
map_or_log_err(self.clear_namespace(domain, nspace), Ok)
}
fn earlyBootEnded(&self) -> BinderResult<()> {
log::info!("earlyBootEnded()");
- let _wp = wd::watch_millis("IKeystoreMaintenance::earlyBootEnded", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::earlyBootEnded");
map_or_log_err(Self::early_boot_ended(), Ok)
}
@@ -353,13 +353,13 @@
destination: &KeyDescriptor,
) -> BinderResult<()> {
log::info!("migrateKeyNamespace(src={source:?}, dest={destination:?})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::migrateKeyNamespace", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::migrateKeyNamespace");
map_or_log_err(Self::migrate_key_namespace(source, destination), Ok)
}
fn deleteAllKeys(&self) -> BinderResult<()> {
log::warn!("deleteAllKeys()");
- let _wp = wd::watch_millis("IKeystoreMaintenance::deleteAllKeys", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::deleteAllKeys");
map_or_log_err(Self::delete_all_keys(), Ok)
}
@@ -369,7 +369,7 @@
secure_user_id: i64,
) -> BinderResult<std::vec::Vec<i64>> {
log::info!("getAppUidsAffectedBySid(secure_user_id={secure_user_id:?})");
- let _wp = wd::watch_millis("IKeystoreMaintenance::getAppUidsAffectedBySid", 500);
+ let _wp = wd::watch("IKeystoreMaintenance::getAppUidsAffectedBySid");
map_or_log_err(Self::get_app_uids_affected_by_sid(user_id, secure_user_id), Ok)
}
}
diff --git a/keystore2/src/metrics.rs b/keystore2/src/metrics.rs
index cd1cd75..c114c8b 100644
--- a/keystore2/src/metrics.rs
+++ b/keystore2/src/metrics.rs
@@ -51,7 +51,7 @@
impl IKeystoreMetrics for Metrics {
fn pullMetrics(&self, atom_id: AtomID) -> BinderResult<Vec<KeystoreAtom>> {
- let _wp = wd::watch_millis("IKeystoreMetrics::pullMetrics", 500);
+ let _wp = wd::watch("IKeystoreMetrics::pullMetrics");
map_or_log_err(self.pull_metrics(atom_id), Ok)
}
}
diff --git a/keystore2/src/operation.rs b/keystore2/src/operation.rs
index 11eaf17..290bc74 100644
--- a/keystore2/src/operation.rs
+++ b/keystore2/src/operation.rs
@@ -286,7 +286,7 @@
}
*locked_outcome = Outcome::Pruned;
- let _wp = wd::watch_millis("In Operation::prune: calling abort()", 500);
+ let _wp = wd::watch("In Operation::prune: calling abort()");
// We abort the operation. If there was an error we log it but ignore it.
if let Err(e) = map_km_error(self.km_op.abort()) {
@@ -362,7 +362,7 @@
.context(ks_err!("Trying to get auth tokens."))?;
self.update_outcome(&mut outcome, {
- let _wp = wd::watch_millis("Operation::update_aad: calling updateAad", 500);
+ let _wp = wd::watch("Operation::update_aad: calling updateAad");
map_km_error(self.km_op.updateAad(aad_input, hat.as_ref(), tst.as_ref()))
})
.context(ks_err!("Update failed."))?;
@@ -386,7 +386,7 @@
let output = self
.update_outcome(&mut outcome, {
- let _wp = wd::watch_millis("Operation::update: calling update", 500);
+ let _wp = wd::watch("Operation::update: calling update");
map_km_error(self.km_op.update(input, hat.as_ref(), tst.as_ref()))
})
.context(ks_err!("Update failed."))?;
@@ -416,7 +416,7 @@
let output = self
.update_outcome(&mut outcome, {
- let _wp = wd::watch_millis("Operation::finish: calling finish", 500);
+ let _wp = wd::watch("Operation::finish: calling finish");
map_km_error(self.km_op.finish(
input,
signature,
@@ -447,7 +447,7 @@
*locked_outcome = outcome;
{
- let _wp = wd::watch_millis("Operation::abort: calling abort", 500);
+ let _wp = wd::watch("Operation::abort: calling abort");
map_km_error(self.km_op.abort()).context(ks_err!("KeyMint::abort failed."))
}
}
@@ -821,7 +821,7 @@
impl IKeystoreOperation for KeystoreOperation {
fn updateAad(&self, aad_input: &[u8]) -> binder::Result<()> {
- let _wp = wd::watch_millis("IKeystoreOperation::updateAad", 500);
+ let _wp = wd::watch("IKeystoreOperation::updateAad");
map_or_log_err(
self.with_locked_operation(
|op| op.update_aad(aad_input).context(ks_err!("KeystoreOperation::updateAad")),
@@ -832,7 +832,7 @@
}
fn update(&self, input: &[u8]) -> binder::Result<Option<Vec<u8>>> {
- let _wp = wd::watch_millis("IKeystoreOperation::update", 500);
+ let _wp = wd::watch("IKeystoreOperation::update");
map_or_log_err(
self.with_locked_operation(
|op| op.update(input).context(ks_err!("KeystoreOperation::update")),
@@ -846,7 +846,7 @@
input: Option<&[u8]>,
signature: Option<&[u8]>,
) -> binder::Result<Option<Vec<u8>>> {
- let _wp = wd::watch_millis("IKeystoreOperation::finish", 500);
+ let _wp = wd::watch("IKeystoreOperation::finish");
map_or_log_err(
self.with_locked_operation(
|op| op.finish(input, signature).context(ks_err!("KeystoreOperation::finish")),
@@ -857,7 +857,7 @@
}
fn abort(&self) -> binder::Result<()> {
- let _wp = wd::watch_millis("IKeystoreOperation::abort", 500);
+ let _wp = wd::watch("IKeystoreOperation::abort");
map_err_with(
self.with_locked_operation(
|op| op.abort(Outcome::Abort).context(ks_err!("KeystoreOperation::abort")),
diff --git a/keystore2/src/raw_device.rs b/keystore2/src/raw_device.rs
index 44d805c..a8a88d2 100644
--- a/keystore2/src/raw_device.rs
+++ b/keystore2/src/raw_device.rs
@@ -211,13 +211,10 @@
KeyBlob::NonSensitive(key_blob_vec),
|key_blob| {
map_km_error({
- let _wp = wd::watch_millis(
- concat!(
- "In KeyMintDevice::lookup_or_generate_key: ",
- "calling getKeyCharacteristics."
- ),
- 500,
- );
+ let _wp = wd::watch(concat!(
+ "In KeyMintDevice::lookup_or_generate_key: ",
+ "calling getKeyCharacteristics."
+ ));
self.km_dev.getKeyCharacteristics(key_blob, &[], &[])
})
},
@@ -308,7 +305,7 @@
let (begin_result, _) = self
.upgrade_keyblob_if_required_with(db, key_id_guard, key_blob, |blob| {
map_km_error({
- let _wp = wd::watch_millis("In use_key_in_one_step: calling: begin", 500);
+ let _wp = wd::watch("In use_key_in_one_step: calling: begin");
self.km_dev.begin(purpose, blob, operation_parameters, auth_token)
})
})
@@ -316,7 +313,7 @@
let operation: Strong<dyn IKeyMintOperation> =
begin_result.operation.ok_or_else(Error::sys).context(ks_err!("Operation missing"))?;
map_km_error({
- let _wp = wd::watch_millis("In use_key_in_one_step: calling: finish", 500);
+ let _wp = wd::watch("In use_key_in_one_step: calling: finish");
operation.finish(Some(input), None, None, None, None)
})
.context(ks_err!("Failed to finish operation."))
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index d70fe22..cda93b3 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -129,6 +129,6 @@
// by the calling function and allow for natural fallback to the factory key.
let rpc_name = get_remotely_provisioned_component_name(security_level)
.context(ks_err!("Trying to get IRPC name."))?;
- let _wd = wd::watch_millis("Calling get_rkpd_attestation_key()", 500);
+ let _wd = wd::watch("Calling get_rkpd_attestation_key()");
rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
}
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index cd15527..59f2315 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -112,6 +112,13 @@
wd::watch_millis_with(id, millis, move || format!("SecurityLevel {:?}", sec_level))
}
+ fn watch(&self, id: &'static str) -> Option<wd::WatchPoint> {
+ let sec_level = self.security_level;
+ wd::watch_millis_with(id, wd::DEFAULT_TIMEOUT_MS, move || {
+ format!("SecurityLevel {:?}", sec_level)
+ })
+ }
+
fn store_new_key(
&self,
key: KeyDescriptor,
@@ -323,10 +330,8 @@
operation_parameters,
|blob| loop {
match map_km_error({
- let _wp = self.watch_millis(
- "In KeystoreSecurityLevel::create_operation: calling begin",
- 500,
- );
+ let _wp =
+ self.watch("In KeystoreSecurityLevel::create_operation: calling begin");
self.keymint.begin(
purpose,
blob,
@@ -440,10 +445,8 @@
// If there is an attestation challenge we need to get an application id.
if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
let aaid = {
- let _wp = self.watch_millis(
- "In KeystoreSecurityLevel::add_required_parameters calling: get_aaid",
- 500,
- );
+ let _wp = self
+ .watch("In KeystoreSecurityLevel::add_required_parameters calling: get_aaid");
keystore2_aaid::get_aaid(uid)
.map_err(|e| anyhow!(ks_err!("get_aaid returned status {}.", e)))
}?;
@@ -675,8 +678,7 @@
let km_dev = &self.keymint;
let creation_result = map_km_error({
- let _wp =
- self.watch_millis("In KeystoreSecurityLevel::import_key: calling importKey.", 500);
+ let _wp = self.watch("In KeystoreSecurityLevel::import_key: calling importKey.");
km_dev.importKey(¶ms, format, key_data, None /* attestKey */)
})
.context(ks_err!("Trying to call importKey"))?;
@@ -789,9 +791,8 @@
wrapping_blob_metadata.km_uuid().copied(),
&[],
|wrapping_blob| {
- let _wp = self.watch_millis(
+ let _wp = self.watch(
"In KeystoreSecurityLevel::import_wrapped_key: calling importWrappedKey.",
- 500,
);
let creation_result = map_km_error(self.keymint.importWrappedKey(
wrapped_data,
@@ -897,7 +898,7 @@
params,
f,
|upgraded_blob| {
- let _wp = wd::watch_millis("Calling store_rkpd_attestation_key()", 500);
+ let _wp = wd::watch("Calling store_rkpd_attestation_key()");
if let Err(e) = store_rkpd_attestation_key(&rpc_name, key_blob, upgraded_blob) {
Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"))
} else {
@@ -928,13 +929,10 @@
let km_dev = &self.keymint;
let res = {
- let _wp = self.watch_millis(
- concat!(
- "In IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ",
- "calling convertStorageKeyToEphemeral (1)"
- ),
- 500,
- );
+ let _wp = self.watch(concat!(
+ "In IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ",
+ "calling convertStorageKeyToEphemeral (1)"
+ ));
map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
};
match res {
@@ -943,17 +941,13 @@
}
Err(error::Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
let upgraded_blob = {
- let _wp = self.watch_millis(
- "In convert_storage_key_to_ephemeral: calling upgradeKey",
- 500,
- );
+ let _wp = self.watch("In convert_storage_key_to_ephemeral: calling upgradeKey");
map_km_error(km_dev.upgradeKey(key_blob, &[]))
}
.context(ks_err!("Failed to upgrade key blob."))?;
let ephemeral_key = {
- let _wp = self.watch_millis(
+ let _wp = self.watch(
"In convert_storage_key_to_ephemeral: calling convertStorageKeyToEphemeral (2)",
- 500,
);
map_km_error(km_dev.convertStorageKeyToEphemeral(&upgraded_blob))
}
@@ -986,8 +980,7 @@
let km_dev = &self.keymint;
{
- let _wp =
- self.watch_millis("In KeystoreSecuritylevel::delete_key: calling deleteKey", 500);
+ let _wp = self.watch("In KeystoreSecuritylevel::delete_key: calling deleteKey");
map_km_error(km_dev.deleteKey(key_blob)).context(ks_err!("keymint device deleteKey"))
}
}
@@ -1002,7 +995,7 @@
operation_parameters: &[KeyParameter],
forced: bool,
) -> binder::Result<CreateOperationResponse> {
- let _wp = self.watch_millis("IKeystoreSecurityLevel::createOperation", 500);
+ let _wp = self.watch("IKeystoreSecurityLevel::createOperation");
map_or_log_err(self.create_operation(key, operation_parameters, forced), Ok)
}
fn generateKey(
@@ -1029,7 +1022,7 @@
flags: i32,
key_data: &[u8],
) -> binder::Result<KeyMetadata> {
- let _wp = self.watch_millis("IKeystoreSecurityLevel::importKey", 500);
+ let _wp = self.watch("IKeystoreSecurityLevel::importKey");
let result = self.import_key(key, attestation_key, params, flags, key_data);
log_key_creation_event_stats(self.security_level, params, &result);
log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok());
@@ -1043,7 +1036,7 @@
params: &[KeyParameter],
authenticators: &[AuthenticatorSpec],
) -> binder::Result<KeyMetadata> {
- let _wp = self.watch_millis("IKeystoreSecurityLevel::importWrappedKey", 500);
+ let _wp = self.watch("IKeystoreSecurityLevel::importWrappedKey");
let result =
self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
log_key_creation_event_stats(self.security_level, params, &result);
@@ -1054,11 +1047,11 @@
&self,
storage_key: &KeyDescriptor,
) -> binder::Result<EphemeralStorageKeyResponse> {
- let _wp = self.watch_millis("IKeystoreSecurityLevel::convertStorageKeyToEphemeral", 500);
+ let _wp = self.watch("IKeystoreSecurityLevel::convertStorageKeyToEphemeral");
map_or_log_err(self.convert_storage_key_to_ephemeral(storage_key), Ok)
}
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
- let _wp = self.watch_millis("IKeystoreSecurityLevel::deleteKey", 500);
+ let _wp = self.watch("IKeystoreSecurityLevel::deleteKey");
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
map_or_log_err(result, Ok)
@@ -1130,7 +1123,7 @@
|new_blob| {
// This handler is only executed if a key upgrade was performed.
key_upgraded = true;
- let _wp = wd::watch_millis("Calling store_rkpd_attestation_key()", 500);
+ let _wp = wd::watch("Calling store_rkpd_attestation_key()");
store_rkpd_attestation_key(&rpc_name, &key.keyBlob, new_blob).unwrap();
Ok(())
},
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index 1459254..1eab8a8 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -387,7 +387,7 @@
map_or_log_err(self.get_security_level(security_level), Ok)
}
fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::Result<KeyEntryResponse> {
- let _wp = wd::watch_millis("IKeystoreService::get_key_entry", 500);
+ let _wp = wd::watch("IKeystoreService::get_key_entry");
map_or_log_err(self.get_key_entry(key), Ok)
}
fn updateSubcomponent(
@@ -396,15 +396,15 @@
public_cert: Option<&[u8]>,
certificate_chain: Option<&[u8]>,
) -> binder::Result<()> {
- let _wp = wd::watch_millis("IKeystoreService::updateSubcomponent", 500);
+ let _wp = wd::watch("IKeystoreService::updateSubcomponent");
map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
}
fn listEntries(&self, domain: Domain, namespace: i64) -> binder::Result<Vec<KeyDescriptor>> {
- let _wp = wd::watch_millis("IKeystoreService::listEntries", 500);
+ let _wp = wd::watch("IKeystoreService::listEntries");
map_or_log_err(self.list_entries(domain, namespace), Ok)
}
fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
- let _wp = wd::watch_millis("IKeystoreService::deleteKey", 500);
+ let _wp = wd::watch("IKeystoreService::deleteKey");
let result = self.delete_key(key);
log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
map_or_log_err(result, Ok)
@@ -415,11 +415,11 @@
grantee_uid: i32,
access_vector: i32,
) -> binder::Result<KeyDescriptor> {
- let _wp = wd::watch_millis("IKeystoreService::grant", 500);
+ let _wp = wd::watch("IKeystoreService::grant");
map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
}
fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::Result<()> {
- let _wp = wd::watch_millis("IKeystoreService::ungrant", 500);
+ let _wp = wd::watch("IKeystoreService::ungrant");
map_or_log_err(self.ungrant(key, grantee_uid), Ok)
}
fn listEntriesBatched(
@@ -428,12 +428,12 @@
namespace: i64,
start_past_alias: Option<&str>,
) -> binder::Result<Vec<KeyDescriptor>> {
- let _wp = wd::watch_millis("IKeystoreService::listEntriesBatched", 500);
+ let _wp = wd::watch("IKeystoreService::listEntriesBatched");
map_or_log_err(self.list_entries_batched(domain, namespace, start_past_alias), Ok)
}
fn getNumberOfEntries(&self, domain: Domain, namespace: i64) -> binder::Result<i32> {
- let _wp = wd::watch_millis("IKeystoreService::getNumberOfEntries", 500);
+ let _wp = wd::watch("IKeystoreService::getNumberOfEntries");
map_or_log_err(self.count_num_entries(domain, namespace), Ok)
}
}
diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs
index 11ab734..1f9f5f8 100644
--- a/keystore2/src/super_key.rs
+++ b/keystore2/src/super_key.rs
@@ -919,10 +919,8 @@
&key_desc,
KeyType::Client, /* TODO Should be Super b/189470584 */
|dev| {
- let _wp = wd::watch_millis(
- "In lock_unlocked_device_required_keys: calling importKey.",
- 500,
- );
+ let _wp =
+ wd::watch("In lock_unlocked_device_required_keys: calling importKey.");
dev.importKey(key_params.as_slice(), KeyFormat::RAW, &encrypting_key, None)
},
)?;
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index a3fd882..196cac5 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -143,10 +143,8 @@
binder::get_interface("permission")?;
let binder_result = {
- let _wp = watchdog::watch_millis(
- "In check_device_attestation_permissions: calling checkPermission.",
- 500,
- );
+ let _wp =
+ watchdog::watch("In check_device_attestation_permissions: calling checkPermission.");
permission_controller.checkPermission(
permission,
ThreadState::get_calling_pid(),
@@ -263,10 +261,7 @@
log::debug!("import parameters={import_params:?}");
let creation_result = {
- let _wp = watchdog::watch_millis(
- "In utils::import_keyblob_and_perform_op: calling importKey.",
- 500,
- );
+ let _wp = watchdog::watch("In utils::import_keyblob_and_perform_op: calling importKey.");
map_km_error(km_dev.importKey(&import_params, format, &key_material, None))
}
.context(ks_err!("Upgrade failed."))?;
@@ -306,10 +301,7 @@
NewBlobHandler: FnOnce(&[u8]) -> Result<()>,
{
let upgraded_blob = {
- let _wp = watchdog::watch_millis(
- "In utils::upgrade_keyblob_and_perform_op: calling upgradeKey.",
- 500,
- );
+ let _wp = watchdog::watch("In utils::upgrade_keyblob_and_perform_op: calling upgradeKey.");
map_km_error(km_dev.upgradeKey(key_blob, upgrade_params))
}
.context(ks_err!("Upgrade failed."))?;
diff --git a/keystore2/src/watchdog_helper.rs b/keystore2/src/watchdog_helper.rs
index 92a0abc..03c7740 100644
--- a/keystore2/src/watchdog_helper.rs
+++ b/keystore2/src/watchdog_helper.rs
@@ -23,6 +23,11 @@
pub use watchdog_rs::WatchPoint;
use watchdog_rs::Watchdog;
+ /// Default timeout interval, in milliseconds.
+ pub const DEFAULT_TIMEOUT_MS: u64 = 500;
+
+ const DEFAULT_TIMEOUT: Duration = Duration::from_millis(DEFAULT_TIMEOUT_MS);
+
lazy_static! {
/// A Watchdog thread, that can be used to create watch points.
static ref WD: Arc<Watchdog> = Watchdog::new(Duration::from_secs(10));
@@ -33,6 +38,11 @@
Watchdog::watch(&WD, id, Duration::from_millis(millis))
}
+ /// Sets a watch point with `id` and a default timeout of [`DEFAULT_TIMEOUT_MS`] milliseconds.
+ pub fn watch(id: &'static str) -> Option<WatchPoint> {
+ Watchdog::watch(&WD, id, DEFAULT_TIMEOUT)
+ }
+
/// Like `watch_millis` but with a callback that is called every time a report
/// is printed about this watch point.
pub fn watch_millis_with(
@@ -53,6 +63,10 @@
fn watch_millis(_: &'static str, _: u64) -> Option<WatchPoint> {
None
}
+ /// Sets a Noop watch point.
+ fn watch(_: &'static str) -> Option<WatchPoint> {
+ None
+ }
pub fn watch_millis_with(
_: &'static str,