| Max Bires | 148c08e | 2020-10-13 13:41:41 -0700 | [diff] [blame^] | 1 | // Copyright 2020, The Android Open Source Project |
| 2 | // |
| 3 | // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 | // you may not use this file except in compliance with the License. |
| 5 | // You may obtain a copy of the License at |
| 6 | // |
| 7 | // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 | // |
| 9 | // Unless required by applicable law or agreed to in writing, software |
| 10 | // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 | // See the License for the specific language governing permissions and |
| 13 | // limitations under the License. |
| 14 | |
| 15 | //! This is the implementation for the remote provisioning AIDL interface between |
| 16 | //! the network providers for remote provisioning and the system. This interface |
| 17 | //! allows the caller to prompt the Remote Provisioning HAL to generate keys and |
| 18 | //! CBOR blobs that can be ferried to a provisioning server that will return |
| 19 | //! certificate chains signed by some root authority and stored in a keystore SQLite |
| 20 | //! DB. |
| 21 | |
| 22 | use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel; |
| 23 | |
| 24 | use android_security_remoteprovisioning::aidl::android::security::remoteprovisioning::{ |
| 25 | AttestationPoolStatus::AttestationPoolStatus, IRemoteProvisioning::BnRemoteProvisioning, |
| 26 | IRemoteProvisioning::IRemoteProvisioning, |
| 27 | }; |
| 28 | use anyhow::Result; |
| 29 | |
| 30 | use crate::error::map_or_log_err; |
| 31 | use crate::globals::{get_keymint_device, DB}; |
| 32 | |
| 33 | /// Implementation of the IRemoteProvisioning service. |
| 34 | pub struct RemoteProvisioningService { |
| 35 | // TODO(b/179222809): Add the remote provisioner hal aidl interface when available |
| 36 | } |
| 37 | |
| 38 | impl RemoteProvisioningService { |
| 39 | /// Creates a new instance of the remote provisioning service |
| 40 | pub fn new_native_binder() -> Result<impl IRemoteProvisioning> { |
| 41 | let result = BnRemoteProvisioning::new_binder(Self {}); |
| 42 | Ok(result) |
| 43 | } |
| 44 | |
| 45 | /// Populates the AttestationPoolStatus parcelable with information about how many |
| 46 | /// certs will be expiring by the date provided in `expired_by` along with how many |
| 47 | /// keys have not yet been assigned. |
| 48 | pub fn get_pool_status( |
| 49 | &self, |
| 50 | expired_by: i64, |
| 51 | sec_level: SecurityLevel, |
| 52 | ) -> Result<AttestationPoolStatus> { |
| 53 | let (_, _, uuid) = get_keymint_device(&sec_level)?; |
| 54 | DB.with::<_, Result<AttestationPoolStatus>>(|db| { |
| 55 | let mut db = db.borrow_mut(); |
| 56 | Ok(db.get_attestation_pool_status(expired_by, &uuid)?) |
| 57 | }) |
| 58 | } |
| 59 | |
| 60 | /// Generates a CBOR blob which will be assembled by the calling code into a larger |
| 61 | /// CBOR blob intended for delivery to a provisioning serever. This blob will contain |
| 62 | /// `num_csr` certificate signing requests for attestation keys generated in the TEE, |
| 63 | /// along with a server provided `eek` and `challenge`. The endpoint encryption key will |
| 64 | /// be used to encrypt the sensitive contents being transmitted to the server, and the |
| 65 | /// challenge will ensure freshness. A `test_mode` flag will instruct the remote provisioning |
| 66 | /// HAL if it is okay to accept EEKs that aren't signed by something that chains back to the |
| 67 | /// baked in root of trust in the underlying IRemotelyProvisionedComponent instance. |
| 68 | pub fn generate_csr( |
| 69 | &self, |
| 70 | _test_mode: bool, |
| 71 | _num_csr: i32, |
| 72 | _eek: &[u8], |
| 73 | _challenge: &[u8], |
| 74 | _sec_level: SecurityLevel, |
| 75 | ) -> Result<Vec<u8>> { |
| 76 | // TODO(b/179222809): implement with actual remote provisioner AIDL when available. For now |
| 77 | // it isnice to have some junk values |
| 78 | Ok(vec![0, 1, 3, 3]) |
| 79 | } |
| 80 | |
| 81 | /// Provisions a certificate chain for a key whose CSR was included in generate_csr. The |
| 82 | /// `public_key` is used to index into the SQL database in order to insert the `certs` blob |
| 83 | /// which represents a PEM encoded X.509 certificate chain. The `expiration_date` is provided |
| 84 | /// as a convenience from the caller to avoid having to parse the certificates semantically |
| 85 | /// here. |
| 86 | pub fn provision_cert_chain( |
| 87 | &self, |
| 88 | public_key: &[u8], |
| 89 | certs: &[u8], |
| 90 | expiration_date: i64, |
| 91 | sec_level: SecurityLevel, |
| 92 | ) -> Result<()> { |
| 93 | DB.with::<_, Result<()>>(|db| { |
| 94 | let mut db = db.borrow_mut(); |
| 95 | let (_, _, uuid) = get_keymint_device(&sec_level)?; |
| 96 | Ok(db.store_signed_attestation_certificate_chain( |
| 97 | public_key, |
| 98 | certs, /* DER encoded certificate chain */ |
| 99 | expiration_date, |
| 100 | &uuid, |
| 101 | )?) |
| 102 | }) |
| 103 | } |
| 104 | |
| 105 | /// Submits a request to the Remote Provisioner HAL to generate a signing key pair. |
| 106 | /// `is_test_mode` indicates whether or not the returned public key should be marked as being |
| 107 | /// for testing in order to differentiate them from private keys. If the call is successful, |
| 108 | /// the key pair is then added to the database. |
| 109 | pub fn generate_key_pair(&self, _is_test_mode: bool, _sec_level: SecurityLevel) -> Result<()> { |
| 110 | Ok(()) |
| 111 | } |
| 112 | } |
| 113 | |
| 114 | impl binder::Interface for RemoteProvisioningService {} |
| 115 | |
| 116 | // Implementation of IRemoteProvisioning. See AIDL spec at |
| 117 | // :aidl/android/security/remoteprovisioning/IRemoteProvisioning.aidl |
| 118 | impl IRemoteProvisioning for RemoteProvisioningService { |
| 119 | fn getPoolStatus( |
| 120 | &self, |
| 121 | expired_by: i64, |
| 122 | sec_level: SecurityLevel, |
| 123 | ) -> binder::public_api::Result<AttestationPoolStatus> { |
| 124 | map_or_log_err(self.get_pool_status(expired_by, sec_level), Ok) |
| 125 | } |
| 126 | |
| 127 | fn generateCsr( |
| 128 | &self, |
| 129 | test_mode: bool, |
| 130 | num_csr: i32, |
| 131 | eek: &[u8], |
| 132 | challenge: &[u8], |
| 133 | sec_level: SecurityLevel, |
| 134 | ) -> binder::public_api::Result<Vec<u8>> { |
| 135 | map_or_log_err(self.generate_csr(test_mode, num_csr, eek, challenge, sec_level), Ok) |
| 136 | } |
| 137 | |
| 138 | fn provisionCertChain( |
| 139 | &self, |
| 140 | public_key: &[u8], |
| 141 | certs: &[u8], |
| 142 | expiration_date: i64, |
| 143 | sec_level: SecurityLevel, |
| 144 | ) -> binder::public_api::Result<()> { |
| 145 | map_or_log_err(self.provision_cert_chain(public_key, certs, expiration_date, sec_level), Ok) |
| 146 | } |
| 147 | |
| 148 | fn generateKeyPair( |
| 149 | &self, |
| 150 | is_test_mode: bool, |
| 151 | sec_level: SecurityLevel, |
| 152 | ) -> binder::public_api::Result<()> { |
| 153 | map_or_log_err(self.generate_key_pair(is_test_mode, sec_level), Ok) |
| 154 | } |
| 155 | } |