Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / d9f8ae5004661bb210d381b37af29e991d677846^! / . / keystore / key_store_service.cpp
commitd9f8ae5004661bb210d381b37af29e991d677846[log] [tgz]
authorEran Messeri <eranm@google.com>Wed Oct 24 13:54:00 2018 +0100
committerEran Messeri <eranm@google.com>Fri Nov 16 08:44:52 2018 +0000
tree38d8f78d73cbacaa4c68c1f0362130080c81dda7
parent7e24f72f8f479420cf1b6b87103059c72aec4d94 [diff] [blame]
Allow Device ID attestation profile owner

The profile owner is allowed to request attestation that includes device
identifiers if it has been granted this permission during set-up
(particularly for corporate-owned devices).

Relax the check in key_store_service to allow that.

Bug: 111335970
Test: Manual, using TestDPC + ADB command.
Test: atest com.android.cts.devicepolicy.ProfileOwnerTest#testDeviceIdAttestationForProfileOwner
Test: atest FrameworksServicesTests:DevicePolicyManagerTest
Change-Id: I018dc1363a257a788c977ae34872a78c9ffd3bcd

diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 2f07fbf..76db1d9 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp

@@ -69,8 +69,6 @@
 
 constexpr double kIdRotationPeriod = 30 * 24 * 60 * 60; /* Thirty days, in seconds */
 const char* kTimestampFilePath = "timestamp";
-const int ID_ATTESTATION_REQUEST_GENERIC_INFO = 1 << 0;
-const int ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID = 1 << 1;
 
 struct BIGNUM_Delete {
     void operator()(BIGNUM* p) const { BN_free(p); }
@@ -900,9 +898,8 @@
     return Status::ok();
 }
 
-int isDeviceIdAttestationRequested(const KeymasterArguments& params) {
+bool isDeviceIdAttestationRequested(const KeymasterArguments& params) {
     const hardware::hidl_vec<KeyParameter>& paramsVec = params.getParameters();
-    int result = 0;
     for (size_t i = 0; i < paramsVec.size(); ++i) {
         switch (paramsVec[i].tag) {
         case Tag::ATTESTATION_ID_BRAND:
@@ -910,18 +907,15 @@
         case Tag::ATTESTATION_ID_MANUFACTURER:
         case Tag::ATTESTATION_ID_MODEL:
         case Tag::ATTESTATION_ID_PRODUCT:
-            result |= ID_ATTESTATION_REQUEST_GENERIC_INFO;
-            break;
         case Tag::ATTESTATION_ID_IMEI:
         case Tag::ATTESTATION_ID_MEID:
         case Tag::ATTESTATION_ID_SERIAL:
-            result |= ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
-            break;
+            return true;
         default:
             continue;
         }
     }
-    return result;
+    return false;
 }
 
 Status KeyStoreService::attestKey(
@@ -934,15 +928,7 @@
 
     uid_t callingUid = IPCThreadState::self()->getCallingUid();
 
-    int needsIdAttestation = isDeviceIdAttestationRequested(params);
-    bool needsUniqueIdAttestation = needsIdAttestation & ID_ATTESTATION_REQUEST_UNIQUE_DEVICE_ID;
-    bool isPrimaryUserSystemUid = (callingUid == AID_SYSTEM);
-    bool isSomeUserSystemUid = (get_app_id(callingUid) == AID_SYSTEM);
-    // Allow system context from any user to request attestation with basic device information,
-    // while only allow system context from user 0 (device owner) to request attestation with
-    // unique device ID.
-    if ((needsIdAttestation && !isSomeUserSystemUid) ||
-        (needsUniqueIdAttestation && !isPrimaryUserSystemUid)) {
+    if (isDeviceIdAttestationRequested(params) && (get_app_id(callingUid) != AID_SYSTEM)) {
         return AIDL_RETURN(KeyStoreServiceReturnCode(ErrorCode::INVALID_ARGUMENT));
     }