Keystore 2.0: Implement UNIQUE_ID permission check.

Gating UNIQUE_ID generation by sepolicy permission
keystore2_key:gen_unique_id

Test: atest android.keystore.cts.KeyAttestationTest#testEcAttestation_KeyStoreExceptionWhenRequestingUniqueId
Change-Id: Ie410e2abdf0d6b291c25d3cd393d40c25024ec9f
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index ec133f8..fe9a27d 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -309,7 +309,11 @@
         })
     }
 
-    fn add_certificate_parameters(uid: u32, params: &[KeyParameter]) -> Result<Vec<KeyParameter>> {
+    fn add_certificate_parameters(
+        uid: u32,
+        params: &[KeyParameter],
+        key: &KeyDescriptor,
+    ) -> Result<Vec<KeyParameter>> {
         let mut result = params.to_vec();
         // If there is an attestation challenge we need to get an application id.
         if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
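Review bot: `add_certificate_parameters` has no doc comment, and with the new `key` argument it now makes an authorization decision in addition to extending the parameter list, which the name does not convey. A doc comment above the signature would make that contract visible to future callers, for example `/// Extends params for certificate generation; fails with a permission error if INCLUDE_UNIQUE_ID is requested and the caller lacks gen_unique_id on key.` The function body continues past the end of this hunk.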
@@ -322,6 +326,13 @@
             });
         }
 
+        if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
+            check_key_permission(KeyPerm::gen_unique_id(), key, &None).context(concat!(
+                "In add_certificate_parameters: ",
+                "Caller does not have the permission for device unique attestation."
+            ))?;
+        }
+
         // If we are generating/importing an asymmetric key, we need to make sure
         // that NOT_BEFORE and NOT_AFTER are present.
         match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) {
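Review bot: The context string on the new check says "device unique attestation", but the tag being gated is `Tag::INCLUDE_UNIQUE_ID`. KeyMint has a separate DEVICE_UNIQUE_ATTESTATION tag, so a denial logged with this text can send triage to the wrong feature. Wording such as `"Caller does not have the permission to generate a unique id."` would match the `gen_unique_id` permission actually checked. The check also sits after the ATTESTATION_CHALLENGE block, so a caller who is going to be denied still triggers the application id lookup first. Moving the `INCLUDE_UNIQUE_ID` check to the top of the function would reject before any other work is done. The function starts and ends outside this hunk.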
@@ -372,7 +383,7 @@
         // generate_key requires the rebind permission.
         check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
 
-        let params = Self::add_certificate_parameters(caller_uid, params)
+        let params = Self::add_certificate_parameters(caller_uid, params, &key)
             .context("In generate_key: Trying to get aaid.")?;
 
         let km_dev: Box<dyn IKeyMintDevice> = self.keymint.get_interface()?;
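Review bot: The `.context("In generate_key: Trying to get aaid.")` wrapper on this call now also covers the `gen_unique_id` permission denial, so a rejected unique-id request will be logged under a message about the application id. A neutral string such as `.context("In generate_key: Trying to add certificate parameters.")` keeps the error chain accurate for anyone reading denial logs. The same applies to the `import_key` call site in the next hunk. `generate_key` starts and ends outside this hunk, so whether `key` has already been normalized before it reaches the check cannot be confirmed from here.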
@@ -412,7 +423,7 @@
         // import_key requires the rebind permission.
         check_key_permission(KeyPerm::rebind(), &key, &None).context("In import_key.")?;
 
-        let params = Self::add_certificate_parameters(caller_uid, params)
+        let params = Self::add_certificate_parameters(caller_uid, params, &key)
             .context("In import_key: Trying to get aaid.")?;
 
         let format = params