Adding plumbing for supported EC curve on impl

This change replaces getSecurityLevels() with getImplementationInfo().
Instead of returning an array of integers that only indicates which
security levels the underlying implementations are running as, the new
method returns a parcelable with additional info. Specifically, the
supported EC curve is now sent back to the caller in this Parcelable as
well as the security level.

This change is part of the alterations necessary to support P256 EEKs.
The component sitting between the provisioning server and keystore2 will
need to know which signed EEK certificate chain to pass down to keystore
for a given security level.

Bug: 189018262
Test: atest RemoteProvisionerUnitTests
Change-Id: I416922edad6e0d0245b65fb02983210e790c1221
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index 9e2424b..8fef506 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -30,7 +30,7 @@
 };
 use android_security_remoteprovisioning::aidl::android::security::remoteprovisioning::{
     AttestationPoolStatus::AttestationPoolStatus, IRemoteProvisioning::BnRemoteProvisioning,
-    IRemoteProvisioning::IRemoteProvisioning,
+    IRemoteProvisioning::IRemoteProvisioning, ImplInfo::ImplInfo,
 };
 use android_security_remoteprovisioning::binder::{BinderFeatures, Strong};
 use android_system_keystore2::aidl::android::system::keystore2::{
@@ -205,6 +205,7 @@
 #[derive(Default)]
 pub struct RemoteProvisioningService {
     device_by_sec_level: HashMap<SecurityLevel, Strong<dyn IRemotelyProvisionedComponent>>,
+    curve_by_sec_level: HashMap<SecurityLevel, i32>,
 }
 
 impl RemoteProvisioningService {
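Review bot: `curve_by_sec_level` stores the curve as a bare `i32`, with no comment on where the value comes from or what it encodes. A field comment such as `// EEK curve id reported by each HAL's getHardwareInfo().supportedEekCurve, cached at construction` would make that explicit. It should also state that this map is expected to hold the same keys as `device_by_sec_level`, since nothing in the type enforces it. The impl block that follows the struct continues outside the hunk.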
@@ -227,8 +228,20 @@
         let mut result: Self = Default::default();
         let dev = get_remotely_provisioned_component(&SecurityLevel::TRUSTED_ENVIRONMENT)
             .context("In new_native_binder: Failed to get TEE Remote Provisioner instance.")?;
+        result.curve_by_sec_level.insert(
+            SecurityLevel::TRUSTED_ENVIRONMENT,
+            dev.getHardwareInfo()
+                .context("In new_native_binder: Failed to get hardware info for the TEE.")?
+                .supportedEekCurve,
+        );
         result.device_by_sec_level.insert(SecurityLevel::TRUSTED_ENVIRONMENT, dev);
         if let Ok(dev) = get_remotely_provisioned_component(&SecurityLevel::STRONGBOX) {
+            result.curve_by_sec_level.insert(
+                SecurityLevel::STRONGBOX,
+                dev.getHardwareInfo()
+                    .context("In new_native_binder: Failed to get hardware info for StrongBox.")?
+                    .supportedEekCurve,
+            );
             result.device_by_sec_level.insert(SecurityLevel::STRONGBOX, dev);
         }
         Ok(BnRemoteProvisioning::new_binder(result, BinderFeatures::default()))
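Review bot: A `getHardwareInfo()` failure on StrongBox now aborts `new_native_binder` through the `?` inside the `if let Ok(dev)` branch, although that branch otherwise treats StrongBox as optional. A misbehaving StrongBox HAL would make the constructor return an error, which presumably leaves the whole service unavailable, TEE provisioning included. Handling the error locally and skipping both inserts keeps the two maps in step and leaves the TEE path working. The function's signature and opening lines are outside the hunk.

```rust
        if let Ok(dev) = get_remotely_provisioned_component(&SecurityLevel::STRONGBOX) {
            // StrongBox is optional: a failing getHardwareInfo() must not abort construction.
            match dev.getHardwareInfo() {
                Ok(info) => {
                    result
                        .curve_by_sec_level
                        .insert(SecurityLevel::STRONGBOX, info.supportedEekCurve);
                    result.device_by_sec_level.insert(SecurityLevel::STRONGBOX, dev);
                }
                Err(e) => {
                    // … report e as a non-fatal error using this file's logging convention …
                }
            }
        }
```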
@@ -375,8 +388,12 @@
 
     /// Checks the security level of each available IRemotelyProvisionedComponent hal and returns
     /// all levels in an array to the caller.
-    pub fn get_security_levels(&self) -> Result<Vec<SecurityLevel>> {
-        Ok(self.device_by_sec_level.keys().cloned().collect())
+    pub fn get_implementation_info(&self) -> Result<Vec<ImplInfo>> {
+        Ok(self
+            .curve_by_sec_level
+            .iter()
+            .map(|(sec_level, curve)| ImplInfo { secLevel: *sec_level, supportedCurve: *curve })
+            .collect())
     }
 
     /// Deletes all attestation keys generated by the IRemotelyProvisionedComponent from the device,
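Review bot: The doc comment above `get_implementation_info` still describes the old return value ("returns all levels in an array"). It should be rewritten along the lines of `/// Returns the security level and supported EEK curve of each available IRemotelyProvisionedComponent hal.` The result is collected from `curve_by_sec_level`, a `HashMap`, so element order is unspecified, and the comment should tell callers to match on `secLevel` rather than position. The curve is the raw `i32` cached in `new_native_binder` and is passed through without validation here. If callers choose an EEK certificate chain from it, the comment should say that unknown values must be rejected on their side.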
@@ -452,9 +469,9 @@
         map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok)
     }
 
-    fn getSecurityLevels(&self) -> binder::public_api::Result<Vec<SecurityLevel>> {
+    fn getImplementationInfo(&self) -> binder::public_api::Result<Vec<ImplInfo>> {
         let _wp = wd::watch_millis("IRemoteProvisioning::getSecurityLevels", 500);
-        map_or_log_err(self.get_security_levels(), Ok)
+        map_or_log_err(self.get_implementation_info(), Ok)
     }
 
     fn deleteAllKeys(&self) -> binder::public_api::Result<i64> {
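Review bot: The watchdog label on the unchanged line still reads `"IRemoteProvisioning::getSecurityLevels"`, so a timeout report would name a method that no longer exists on the interface. Update it together with the rename: `let _wp = wd::watch_millis("IRemoteProvisioning::getImplementationInfo", 500);`. The enclosing impl block starts outside the hunk.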