Merge "Use binder to get AIDL descriptor in Rust"
diff --git a/keystore2/Android.bp b/keystore2/Android.bp
index 79b938c..a47c2c2 100644
--- a/keystore2/Android.bp
+++ b/keystore2/Android.bp
@@ -31,6 +31,7 @@
],
rustlibs: [
+ "android.hardware.security.rkp-V3-rust",
"android.hardware.security.secureclock-V1-rust",
"android.hardware.security.sharedsecret-V1-rust",
"android.os.permissions_aidl-rust",
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index 10d6f46..0f899ed 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -16,8 +16,9 @@
//! database connections and connections to services that Keystore needs
//! to talk to.
-use crate::ks_err;
use crate::gc::Gc;
+use crate::km_compat::{BacklevelKeyMintWrapper, KeyMintV1};
+use crate::ks_err;
use crate::legacy_blob::LegacyBlobLoader;
use crate::legacy_importer::LegacyImporter;
use crate::super_key::SuperKeyManager;
@@ -28,20 +29,23 @@
database::Uuid,
error::{map_binder_status, map_binder_status_code, Error, ErrorCode},
};
-use crate::km_compat::{KeyMintV1, BacklevelKeyMintWrapper};
use crate::{enforcements::Enforcements, error::map_km_error};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
IKeyMintDevice::BpKeyMintDevice, IKeyMintDevice::IKeyMintDevice,
KeyMintHardwareInfo::KeyMintHardwareInfo, SecurityLevel::SecurityLevel,
};
-use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
- ISecureClock::ISecureClock,
-};
use android_hardware_security_keymint::binder::{StatusCode, Strong};
+use android_hardware_security_rkp::aidl::android::hardware::security::keymint::{
+ IRemotelyProvisionedComponent::BpRemotelyProvisionedComponent,
+ IRemotelyProvisionedComponent::IRemotelyProvisionedComponent,
+};
+use android_hardware_security_secureclock::aidl::android::hardware::security::secureclock::{
+ ISecureClock::BpSecureClock, ISecureClock::ISecureClock,
+};
use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
use anyhow::{Context, Result};
-use binder::FromIBinder;
use binder::get_declared_instances;
+use binder::FromIBinder;
use lazy_static::lazy_static;
use std::sync::{Arc, Mutex, RwLock};
use std::{cell::RefCell, sync::Once};
@@ -174,8 +178,8 @@
}
/// Determine the service name for a KeyMint device of the given security level
-/// which implements at least the specified version of the `IKeyMintDevice`
-/// interface.
+/// gotten by binder service from the device and determining what services
+/// are available.
fn keymint_service_name(security_level: &SecurityLevel) -> Result<Option<String>> {
let keymint_descriptor: &str = <BpKeyMintDevice as IKeyMintDevice>::get_descriptor();
let keymint_instances = get_declared_instances(keymint_descriptor).unwrap();
@@ -212,10 +216,10 @@
fn connect_keymint(
security_level: &SecurityLevel,
) -> Result<(Strong<dyn IKeyMintDevice>, KeyMintHardwareInfo)> {
- // Connects to binder to get the current keymint interface and
- // based on the security level returns a service name to connect
- // to.
- let service_name = keymint_service_name(security_level).context(ks_err!("Get service name"))?;
+ // Show the keymint interface that is registered in the binder
+ // service and use the security level to get the service name.
+ let service_name = keymint_service_name(security_level)
+ .context(ks_err!("Get service name from binder service"))?;
let (keymint, hal_version) = if let Some(service_name) = service_name {
let km: Strong<dyn IKeyMintDevice> =
@@ -359,19 +363,17 @@
KEY_MINT_DEVICES.lock().unwrap().devices()
}
-static TIME_STAMP_SERVICE_NAME: &str = "android.hardware.security.secureclock.ISecureClock";
-
/// Make a new connection to a secure clock service.
/// If no native SecureClock device can be found brings up the compatibility service and attempts
/// to connect to the legacy wrapper.
fn connect_secureclock() -> Result<Strong<dyn ISecureClock>> {
- let secureclock_instances =
- get_declared_instances("android.hardware.security.secureclock.ISecureClock").unwrap();
+ let secure_clock_descriptor: &str = <BpSecureClock as ISecureClock>::get_descriptor();
+ let secureclock_instances = get_declared_instances(secure_clock_descriptor).unwrap();
let secure_clock_available =
secureclock_instances.iter().any(|instance| *instance == "default");
- let default_time_stamp_service_name = format!("{}/default", TIME_STAMP_SERVICE_NAME);
+ let default_time_stamp_service_name = format!("{}/default", secure_clock_descriptor);
let secureclock = if secure_clock_available {
map_binder_status_code(binder::get_interface(&default_time_stamp_service_name))
@@ -411,25 +413,23 @@
}
}
-static REMOTE_PROVISIONING_HAL_SERVICE_NAME: &str =
- "android.hardware.security.keymint.IRemotelyProvisionedComponent";
-
/// Get the service name of a remotely provisioned component corresponding to given security level.
pub fn get_remotely_provisioned_component_name(security_level: &SecurityLevel) -> Result<String> {
- let remotely_prov_instances =
- get_declared_instances(REMOTE_PROVISIONING_HAL_SERVICE_NAME).unwrap();
+ let remote_prov_descriptor: &str =
+ <BpRemotelyProvisionedComponent as IRemotelyProvisionedComponent>::get_descriptor();
+ let remotely_prov_instances = get_declared_instances(remote_prov_descriptor).unwrap();
match *security_level {
SecurityLevel::TRUSTED_ENVIRONMENT => {
if remotely_prov_instances.iter().any(|instance| *instance == "default") {
- Some(format!("{}/default", REMOTE_PROVISIONING_HAL_SERVICE_NAME))
+ Some(format!("{}/default", remote_prov_descriptor))
} else {
None
}
}
SecurityLevel::STRONGBOX => {
if remotely_prov_instances.iter().any(|instance| *instance == "strongbox") {
- Some(format!("{}/strongbox", REMOTE_PROVISIONING_HAL_SERVICE_NAME))
+ Some(format!("{}/strongbox", remote_prov_descriptor))
} else {
None
}
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs
index 1941419..ff0ddf8 100644
--- a/keystore2/src/shared_secret_negotiation.rs
+++ b/keystore2/src/shared_secret_negotiation.rs
@@ -19,7 +19,8 @@
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
use android_hardware_security_keymint::binder::Strong;
use android_hardware_security_sharedsecret::aidl::android::hardware::security::sharedsecret::{
- ISharedSecret::ISharedSecret, SharedSecretParameters::SharedSecretParameters,
+ ISharedSecret::BpSharedSecret, ISharedSecret::ISharedSecret,
+ SharedSecretParameters::SharedSecretParameters,
};
use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
use anyhow::Result;
@@ -63,11 +64,9 @@
impl Display for SharedSecretParticipant {
fn fmt(&self, f: &mut Formatter) -> fmt::Result {
match self {
- Self::Aidl(instance) => write!(
- f,
- "{}.{}/{}",
- SHARED_SECRET_PACKAGE_NAME, SHARED_SECRET_INTERFACE_NAME, instance
- ),
+ Self::Aidl(instance) => {
+ write!(f, "{}/{}", <BpSharedSecret as ISharedSecret>::get_descriptor(), instance)
+ }
Self::Hidl { is_strongbox, version: (ma, mi) } => write!(
f,
"{}@V{}.{}::{}/{}",
@@ -110,10 +109,6 @@
static KEYMASTER_PACKAGE_NAME: &str = "android.hardware.keymaster";
static KEYMASTER_INTERFACE_NAME: &str = "IKeymasterDevice";
-static SHARED_SECRET_PACKAGE_NAME: &str = "android.hardware.security.sharedsecret";
-static SHARED_SECRET_INTERFACE_NAME: &str = "ISharedSecret";
-static SHARED_SECRET_PACKAGE_AND_INTERFACE_NAME: &str =
- "android.hardware.security.sharedsecret.ISharedSecret";
static COMPAT_PACKAGE_NAME: &str = "android.security.compat";
/// Lists participants.
@@ -144,7 +139,7 @@
.collect::<Vec<SharedSecretParticipant>>()
})
.chain({
- get_declared_instances(SHARED_SECRET_PACKAGE_AND_INTERFACE_NAME)
+ get_declared_instances(<BpSharedSecret as ISharedSecret>::get_descriptor())
.unwrap()
.into_iter()
.map(SharedSecretParticipant::Aidl)
@@ -166,8 +161,9 @@
match e {
SharedSecretParticipant::Aidl(instance_name) => {
let service_name = format!(
- "{}.{}/{}",
- SHARED_SECRET_PACKAGE_NAME, SHARED_SECRET_INTERFACE_NAME, instance_name
+ "{}/{}",
+ <BpSharedSecret as ISharedSecret>::get_descriptor(),
+ instance_name
);
match map_binder_status_code(binder::get_interface(&service_name)) {
Err(e) => {