Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 242460eac71bb16cdf6734966d8044e84b70f7a7 / . / keystore / keymaster_worker.cpp
blob: 7481a1e54b9b3487525b03f3cbae7341569231fb [file] [log] [blame]
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1/*
2**
3** Copyright 2018, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9** http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17#define LOG_TAG "keymaster_worker"
18
19#include "keymaster_worker.h"
20
21#include "keystore_utils.h"
22
23#include <android-base/logging.h>
24
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]25#include <log/log_event_list.h>
26
27#include <private/android_logger.h>
28
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]29#include "KeyStore.h"
30#include "keymaster_enforcement.h"
31
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]32#include "key_creation_log_handler.h"
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]33#include "keystore_utils.h"
34
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]35#include <chrono>
36
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]37namespace keystore {
38
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]39using namespace std::chrono;
40
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]41constexpr size_t kMaxOperations = 15;
42
43using AndroidKeymasterArguments = android::security::keymaster::KeymasterArguments;
44using android::security::keymaster::ExportResult;
45using android::security::keymaster::operationFailed;
46using android::security::keymaster::OperationResult;
47
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]48Worker::Worker() {}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]49Worker::~Worker() {
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]50 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]51 terminate_ = true;
52 pending_requests_cond_var_.notify_all();
53 pending_requests_cond_var_.wait(lock, [this] { return !running_; });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]54}
55void Worker::addRequest(WorkerTask request) {
56 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]57 bool start_thread = !running_;
58 running_ = true;
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]59 pending_requests_.push(std::move(request));
60 lock.unlock();
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]61 pending_requests_cond_var_.notify_all();
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]62 if (start_thread) {
63 auto worker = std::thread([this] {
64 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]65 while (running_) {
66 // Wait for 30s if the request queue is empty, then kill die.
67 // Die immediately if termiate_ was set which happens in the destructor.
68 auto status = pending_requests_cond_var_.wait_for(
69 lock, 30s, [this]() { return !pending_requests_.empty() || terminate_; });
70 if (status && !terminate_) {
71 auto request = std::move(pending_requests_.front());
72 lock.unlock();
73 request();
74 lock.lock();
75 pending_requests_.pop();
76 } else {
77 running_ = false;
78 }
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]79 pending_requests_cond_var_.notify_all();
80 }
81 });
82 worker.detach();
83 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]84}
85
86KeymasterWorker::KeymasterWorker(sp<Keymaster> keymasterDevice, KeyStore* keyStore)
87 : keymasterDevice_(std::move(keymasterDevice)), operationMap_(keyStore), keyStore_(keyStore) {
88 // make sure that hal version is cached.
89 if (keymasterDevice_) keymasterDevice_->halVersion();
90}
91
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]92void KeymasterWorker::logIfKeymasterVendorError(ErrorCode ec) const {
93 keymasterDevice_->logIfKeymasterVendorError(ec);
94}
95
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]96void KeymasterWorker::deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob) {
97 // if we got the blob successfully, we try and delete it from the keymaster device
98 auto& dev = keymasterDevice_;
99 uid_t uid = blobfile->uid();
100 const auto& alias = blobfile->alias();
101
102 if (keyBlob.getType() == ::TYPE_KEYMASTER_10) {
103 auto ret = KS_HANDLE_HIDL_ERROR(dev, dev->deleteKey(blob2hidlVec(keyBlob)));
104 // A device doesn't have to implement delete_key.
105 bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
106 if (__android_log_security()) {
107 android_log_event_list(SEC_TAG_KEY_DESTROYED)
108 << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
109 }
110 if (!success) {
111 LOG(ERROR) << "Keymaster delete for key " << alias << " of uid " << uid << " failed";
112 }
113 }
114}
115
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]116std::tuple<KeyStoreServiceReturnCode, Blob>
117KeymasterWorker::upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry,
118 const AuthorizationSet& params) {
119 LOG(INFO) << "upgradeKeyBlob " << lockedEntry->alias() << " " << (uint32_t)lockedEntry->uid();
120
121 std::tuple<KeyStoreServiceReturnCode, Blob> result;
122
123 auto userState = keyStore_->getUserStateDB().getUserStateByUid(lockedEntry->uid());
124
125 Blob& blob = std::get<1>(result);
126 KeyStoreServiceReturnCode& error = std::get<0>(result);
127
128 Blob charBlob;
129 ResponseCode rc;
130
131 std::tie(rc, blob, charBlob) =
132 lockedEntry.readBlobs(userState->getEncryptionKey(), userState->getState());
133
Janis Danisevskis265435f2018-11-16 14:10:46 -0800[diff] [blame]134 userState = {};
135
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]136 if (rc != ResponseCode::NO_ERROR) {
137 return error = rc, result;
138 }
139
140 auto hidlKey = blob2hidlVec(blob);
141 auto& dev = keymasterDevice_;
142
143 auto hidlCb = [&](ErrorCode ret, const ::std::vector<uint8_t>& upgradedKeyBlob) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]144 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]145 error = ret;
146 if (!error.isOk()) {
147 if (error == ErrorCode::INVALID_KEY_BLOB) {
148 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
149 }
150 return;
151 }
152
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]153 Blob newBlob(&upgradedKeyBlob[0], upgradedKeyBlob.size(), nullptr /* info */,
154 0 /* infoLength */, ::TYPE_KEYMASTER_10);
155 newBlob.setSecurityLevel(blob.getSecurityLevel());
156 newBlob.setEncrypted(blob.isEncrypted());
157 newBlob.setSuperEncrypted(blob.isSuperEncrypted());
158 newBlob.setCriticalToDeviceEncryption(blob.isCriticalToDeviceEncryption());
159
160 error = keyStore_->put(lockedEntry, newBlob, charBlob);
161 if (!error.isOk()) {
Branden Archer70080742018-11-20 11:04:11 -0800[diff] [blame]162 ALOGI("upgradeKeyBlob keystore->put failed %d", error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]163 return;
164 }
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]165
166 deleteOldKeyOnUpgrade(lockedEntry, std::move(blob));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]167 blob = std::move(newBlob);
168 };
169
170 KeyStoreServiceReturnCode error2;
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]171 error2 = KS_HANDLE_HIDL_ERROR(dev, dev->upgradeKey(hidlKey, params.hidl_data(), hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]172 if (!error2.isOk()) {
173 return error = error2, result;
174 }
175
176 return result;
177}
178
179std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob>
180KeymasterWorker::createKeyCharacteristicsCache(const LockedKeyBlobEntry& lockedEntry,
181 const hidl_vec<uint8_t>& clientId,
182 const hidl_vec<uint8_t>& appData, Blob keyBlob,
183 Blob charBlob) {
184 std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob> result;
185
186#if __cplusplus == 201703L
187 auto& [rc, resultCharacteristics, outBlob, charOutBlob] = result;
188#else
189 KeyStoreServiceReturnCode& rc = std::get<0>(result);
190 KeyCharacteristics& resultCharacteristics = std::get<1>(result);
191 Blob& outBlob = std::get<2>(result);
192 Blob& charOutBlob = std::get<3>(result);
193#endif
194
195 rc = ResponseCode::SYSTEM_ERROR;
196 if (!keyBlob) return result;
197 auto hidlKeyBlob = blob2hidlVec(keyBlob);
198 auto& dev = keymasterDevice_;
199
200 KeyStoreServiceReturnCode error;
201
202 AuthorizationSet hwEnforced, swEnforced;
203 bool success = true;
204
205 if (charBlob) {
206 std::tie(success, hwEnforced, swEnforced) = charBlob.getKeyCharacteristics();
207 }
208 if (!success) {
209 LOG(ERROR) << "Failed to read cached key characteristics";
210 return rc = ResponseCode::SYSTEM_ERROR, result;
211 }
212
213 auto hidlCb = [&](ErrorCode ret, const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]214 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]215 error = ret;
216 if (!error.isOk()) {
217 if (error == ErrorCode::INVALID_KEY_BLOB) {
218 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
219 }
220 return;
221 }
222
223 // Replace the sw_enforced set with those persisted to disk, minus hw_enforced
224 AuthorizationSet softwareEnforced = keyCharacteristics.softwareEnforced;
225 hwEnforced = keyCharacteristics.hardwareEnforced;
226 swEnforced.Union(softwareEnforced);
227 softwareEnforced.Subtract(hwEnforced);
228
229 // We only get the characteristics from keymaster if there was no cache file or the
230 // the chach file was a legacy cache file. So lets write a new cache file for the next time.
231 Blob newCharBlob;
232 success = newCharBlob.putKeyCharacteristics(hwEnforced, swEnforced);
233 if (!success) {
234 error = ResponseCode::SYSTEM_ERROR;
235 LOG(ERROR) << "Failed to serialize cached key characteristics";
236 return;
237 }
238
239 error = keyStore_->put(lockedEntry, {}, newCharBlob);
240 if (!error.isOk()) {
241 ALOGE("Failed to write key characteristics cache");
242 return;
243 }
244 charBlob = std::move(newCharBlob);
245 };
246
247 if (!charBlob || charBlob.getType() == TYPE_KEY_CHARACTERISTICS) {
248 // this updates the key characteristics cache file to the new format or creates one in
249 // in the first place
250 rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]251 dev, dev->getKeyCharacteristics(hidlKeyBlob, clientId, appData, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]252 if (!rc.isOk()) {
253 return result;
254 }
255
256 if (error == ErrorCode::KEY_REQUIRES_UPGRADE) {
257 AuthorizationSet upgradeParams;
258 if (clientId.size()) {
259 upgradeParams.push_back(TAG_APPLICATION_ID, clientId);
260 }
261 if (appData.size()) {
262 upgradeParams.push_back(TAG_APPLICATION_DATA, appData);
263 }
264 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams);
265 if (!rc.isOk()) {
266 return result;
267 }
268
269 auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
270
271 rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]272 dev, dev->getKeyCharacteristics(upgradedHidlKeyBlob, clientId, appData, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]273 if (!rc.isOk()) {
274 return result;
275 }
276 }
277 }
278
279 resultCharacteristics.hardwareEnforced = hwEnforced.hidl_data();
280 resultCharacteristics.softwareEnforced = swEnforced.hidl_data();
281
282 outBlob = std::move(keyBlob);
283 charOutBlob = std::move(charBlob);
284 rc = error;
285 return result;
286}
287
288/**
289 * Get the auth token for this operation from the auth token table.
290 *
291 * Returns ResponseCode::NO_ERROR if the auth token was set or none was required.
292 * ::OP_AUTH_NEEDED if it is a per op authorization, no
293 * authorization token exists for that operation and
294 * failOnTokenMissing is false.
295 * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth
296 * token for the operation
297 */
298std::pair<KeyStoreServiceReturnCode, HardwareAuthToken>
299KeymasterWorker::getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle,
300 KeyPurpose purpose, bool failOnTokenMissing) {
301
302 AuthorizationSet allCharacteristics(characteristics.softwareEnforced);
303 allCharacteristics.append(characteristics.hardwareEnforced.begin(),
304 characteristics.hardwareEnforced.end());
305
306 HardwareAuthToken authToken;
307 AuthTokenTable::Error err;
308 std::tie(err, authToken) = keyStore_->getAuthTokenTable().FindAuthorization(
309 allCharacteristics, static_cast<KeyPurpose>(purpose), handle);
310
311 KeyStoreServiceReturnCode rc;
312
313 switch (err) {
314 case AuthTokenTable::OK:
315 case AuthTokenTable::AUTH_NOT_REQUIRED:
316 rc = ResponseCode::NO_ERROR;
317 break;
318
319 case AuthTokenTable::AUTH_TOKEN_NOT_FOUND:
320 case AuthTokenTable::AUTH_TOKEN_EXPIRED:
321 case AuthTokenTable::AUTH_TOKEN_WRONG_SID:
322 ALOGE("getAuthToken failed: %d", err); // STOPSHIP: debug only, to be removed
323 rc = ErrorCode::KEY_USER_NOT_AUTHENTICATED;
324 break;
325
326 case AuthTokenTable::OP_HANDLE_REQUIRED:
327 rc = failOnTokenMissing ? KeyStoreServiceReturnCode(ErrorCode::KEY_USER_NOT_AUTHENTICATED)
328 : KeyStoreServiceReturnCode(ResponseCode::OP_AUTH_NEEDED);
329 break;
330
331 default:
332 ALOGE("Unexpected FindAuthorization return value %d", err);
333 rc = ErrorCode::INVALID_ARGUMENT;
334 }
335
336 return {rc, std::move(authToken)};
337}
338
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]339KeyStoreServiceReturnCode KeymasterWorker::abort(const sp<IBinder>& token,
340 ResponseCode reason_for_abort) {
341 auto op = operationMap_.removeOperation(token, false /* wasOpSuccessful */,
342 static_cast<int32_t>(reason_for_abort));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]343 if (op) {
344 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]345 return KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]346 } else {
347 return ErrorCode::INVALID_OPERATION_HANDLE;
348 }
349}
350
351/**
352 * Prune the oldest pruneable operation.
353 */
354bool KeymasterWorker::pruneOperation() {
355 sp<IBinder> oldest = operationMap_.getOldestPruneableOperation();
356 ALOGD("Trying to prune operation %p", oldest.get());
357 size_t op_count_before_abort = operationMap_.getOperationCount();
358 // We mostly ignore errors from abort() because all we care about is whether at least
359 // one operation has been removed.
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]360 auto rc = abort(oldest, ResponseCode::PRUNED);
Janis Danisevskisbec89992019-08-14 13:42:19 -0700[diff] [blame]361 keyStore_->removeOperationDevice(oldest);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]362 if (operationMap_.getOperationCount() >= op_count_before_abort) {
Branden Archer70080742018-11-20 11:04:11 -0800[diff] [blame]363 ALOGE("Failed to abort pruneable operation %p, error: %d", oldest.get(), rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]364 return false;
365 }
366 return true;
367}
368
369// My IDE defines "CAPTURE_MOVE(x) x" because it does not understand generalized lambda captures.
370// It should never be redefined by a build system though.
371#ifndef CAPTURE_MOVE
372#define CAPTURE_MOVE(x) x = std::move(x)
373#endif
374
375void KeymasterWorker::begin(LockedKeyBlobEntry lockedEntry, sp<IBinder> appToken, Blob keyBlob,
376 Blob charBlob, bool pruneable, KeyPurpose purpose,
377 AuthorizationSet opParams, hidl_vec<uint8_t> entropy,
378 worker_begin_cb worker_cb) {
379
380 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(appToken),
381 CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob), pruneable, purpose,
382 CAPTURE_MOVE(opParams), CAPTURE_MOVE(entropy),
383 CAPTURE_MOVE(worker_cb)]() mutable {
384 // Concurrently executed
385
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]386 auto& dev = keymasterDevice_;
387
388 KeyCharacteristics characteristics;
389
390 {
391 hidl_vec<uint8_t> clientId;
392 hidl_vec<uint8_t> appData;
Chih-Hung Hsiehb3bfdb02018-12-12 14:43:33 -0800[diff] [blame]393 for (const auto& param : opParams) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]394 if (param.tag == Tag::APPLICATION_ID) {
395 clientId = authorizationValue(TAG_APPLICATION_ID, param).value();
396 } else if (param.tag == Tag::APPLICATION_DATA) {
397 appData = authorizationValue(TAG_APPLICATION_DATA, param).value();
398 }
399 }
400 KeyStoreServiceReturnCode error;
401 std::tie(error, characteristics, keyBlob, charBlob) = createKeyCharacteristicsCache(
402 lockedEntry, clientId, appData, std::move(keyBlob), std::move(charBlob));
403 if (!error.isOk()) {
404 worker_cb(operationFailed(error));
405 return;
406 }
407 }
408
409 KeyStoreServiceReturnCode rc, authRc;
410 HardwareAuthToken authToken;
411 std::tie(authRc, authToken) = getAuthToken(characteristics, 0 /* no challenge */, purpose,
412 /*failOnTokenMissing*/ false);
413
414 // If per-operation auth is needed we need to begin the operation and
415 // the client will need to authorize that operation before calling
416 // update. Any other auth issues stop here.
417 if (!authRc.isOk() && authRc != ResponseCode::OP_AUTH_NEEDED) {
418 return worker_cb(operationFailed(authRc));
419 }
420
421 // Add entropy to the device first.
422 if (entropy.size()) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]423 rc = KS_HANDLE_HIDL_ERROR(dev, dev->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]424 if (!rc.isOk()) {
425 return worker_cb(operationFailed(rc));
426 }
427 }
428
429 // Create a keyid for this key.
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]430 auto keyid = KeymasterEnforcement::CreateKeyId(blob2hidlVec(keyBlob));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]431 if (!keyid) {
432 ALOGE("Failed to create a key ID for authorization checking.");
433 return worker_cb(operationFailed(ErrorCode::UNKNOWN_ERROR));
434 }
435
436 // Check that all key authorization policy requirements are met.
437 AuthorizationSet key_auths = characteristics.hardwareEnforced;
438 key_auths.append(characteristics.softwareEnforced.begin(),
439 characteristics.softwareEnforced.end());
440
441 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(
442 purpose, *keyid, key_auths, opParams, authToken, 0 /* op_handle */,
443 true /* is_begin_operation */);
444 if (!rc.isOk()) {
445 return worker_cb(operationFailed(rc));
446 }
447
448 // If there are more than kMaxOperations, abort the oldest operation that was started as
449 // pruneable.
450 while (operationMap_.getOperationCount() >= kMaxOperations) {
451 ALOGD("Reached or exceeded concurrent operations limit");
452 if (!pruneOperation()) {
453 break;
454 }
455 }
456
457 android::security::keymaster::OperationResult result;
458
459 auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
460 uint64_t operationHandle) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]461 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]462 result.resultCode = ret;
463 if (!result.resultCode.isOk()) {
464 if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
465 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
466 }
467 return;
468 }
469 result.handle = operationHandle;
470 result.outParams = outParams;
471 };
472
473 do {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]474 rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
475 opParams.hidl_data(), authToken, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]476 if (!rc.isOk()) {
477 LOG(ERROR) << "Got error " << rc << " from begin()";
478 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
479 }
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]480
481 if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) {
482 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, opParams);
483 if (!rc.isOk()) {
484 return worker_cb(operationFailed(rc));
485 }
486
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]487 rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
488 opParams.hidl_data(), authToken, hidlCb));
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]489 if (!rc.isOk()) {
490 LOG(ERROR) << "Got error " << rc << " from begin()";
491 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
492 }
493 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]494 // If there are too many operations abort the oldest operation that was
495 // started as pruneable and try again.
496 } while (result.resultCode == ErrorCode::TOO_MANY_OPERATIONS && pruneOperation());
497
498 rc = result.resultCode;
499 if (!rc.isOk()) {
500 return worker_cb(operationFailed(rc));
501 }
502
503 // Note: The operation map takes possession of the contents of "characteristics".
504 // It is safe to use characteristics after the following line but it will be empty.
505 sp<IBinder> operationToken =
506 operationMap_.addOperation(result.handle, *keyid, purpose, dev, appToken,
507 std::move(characteristics), opParams.hidl_data(), pruneable);
508 assert(characteristics.hardwareEnforced.size() == 0);
509 assert(characteristics.softwareEnforced.size() == 0);
510 result.token = operationToken;
511
512 auto operation = operationMap_.getOperation(operationToken);
513 if (!operation) {
514 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
515 }
516
517 if (authRc.isOk() && authToken.mac.size() &&
518 dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) {
519 operation->authTokenFuture = operation->authTokenPromise.get_future();
520 std::weak_ptr<Operation> weak_operation = operation;
521
522 auto verifyTokenCB = [weak_operation](KeyStoreServiceReturnCode rc,
523 HardwareAuthToken authToken,
524 VerificationToken verificationToken) {
525 auto operation = weak_operation.lock();
526 if (!operation) {
527 // operation aborted, nothing to do
528 return;
529 }
530 if (rc.isOk()) {
531 operation->authToken = std::move(authToken);
532 operation->verificationToken = std::move(verificationToken);
533 }
534 operation->authTokenPromise.set_value(rc);
535 };
536 auto teeKmDevice = keyStore_->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT);
537 teeKmDevice->verifyAuthorization(result.handle, {}, std::move(authToken),
538 std::move(verifyTokenCB));
539 }
540
541 // Return the authentication lookup result. If this is a per operation
542 // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the
543 // application should get an auth token using the handle before the
544 // first call to update, which will fail if keystore hasn't received the
545 // auth token.
546 if (result.resultCode.isOk()) {
547 result.resultCode = authRc;
548 }
549 return worker_cb(result);
550 });
551}
552
553KeyStoreServiceReturnCode
554KeymasterWorker::getOperationAuthTokenIfNeeded(std::shared_ptr<Operation> op) {
555 if (!op) return ErrorCode::INVALID_OPERATION_HANDLE;
556
557 if (op->authTokenFuture.valid()) {
558 LOG(INFO) << "Waiting for verification token";
559 op->authTokenFuture.wait();
560 auto rc = op->authTokenFuture.get();
561 if (!rc.isOk()) {
562 return rc;
563 }
564 op->authTokenFuture = {};
565 } else if (!op->hasAuthToken()) {
566 KeyStoreServiceReturnCode rc;
567 HardwareAuthToken found;
568 std::tie(rc, found) = getAuthToken(op->characteristics, op->handle, op->purpose);
569 if (!rc.isOk()) return rc;
570 op->authToken = std::move(found);
571 }
572
573 return ResponseCode::NO_ERROR;
574}
575
576namespace {
577
578class Finalize {
579 private:
580 std::function<void()> f_;
581
582 public:
Chih-Hung Hsieh4fa39ef2019-01-04 13:34:17 -0800[diff] [blame]583 explicit Finalize(std::function<void()> f) : f_(f) {}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]584 ~Finalize() {
585 if (f_) f_();
586 }
587 void release() { f_ = {}; }
588};
589
590} // namespace
591
592void KeymasterWorker::update(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> data,
593 update_cb worker_cb) {
594 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(data),
595 CAPTURE_MOVE(worker_cb)]() {
596 KeyStoreServiceReturnCode rc;
597 auto op = operationMap_.getOperation(token);
598 if (!op) {
599 return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE));
600 }
601
602 Finalize abort_operation_in_case_of_error([&] {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]603 operationMap_.removeOperation(token, false, rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]604 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]605 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]606 });
607
608 rc = getOperationAuthTokenIfNeeded(op);
609 if (!rc.isOk()) return worker_cb(operationFailed(rc));
610
611 // Check that all key authorization policy requirements are met.
612 AuthorizationSet key_auths(op->characteristics.hardwareEnforced);
613 key_auths.append(op->characteristics.softwareEnforced.begin(),
614 op->characteristics.softwareEnforced.end());
615
616 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths,
617 params, op->authToken, op->handle,
618 false /* is_begin_operation */);
619 if (!rc.isOk()) return worker_cb(operationFailed(rc));
620
621 OperationResult result;
622 auto hidlCb = [&](ErrorCode ret, uint32_t inputConsumed,
623 const hidl_vec<KeyParameter>& outParams,
624 const ::std::vector<uint8_t>& output) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]625 op->device->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]626 result.resultCode = ret;
627 if (result.resultCode.isOk()) {
628 result.inputConsumed = inputConsumed;
629 result.outParams = outParams;
630 result.data = output;
631 }
632 };
633
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]634 rc = KS_HANDLE_HIDL_ERROR(op->device,
635 op->device->update(op->handle, params.hidl_data(), data,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]636 op->authToken, op->verificationToken, hidlCb));
637
638 // just a reminder: on success result->resultCode was set in the callback. So we only
639 // overwrite it if there was a communication error indicated by the ErrorCode.
640 if (!rc.isOk()) result.resultCode = rc;
641 if (result.resultCode.isOk()) {
642 // if everything went well we don't abort the operation.
643 abort_operation_in_case_of_error.release();
644 }
645 return worker_cb(std::move(result));
646 });
647}
648
649/**
650 * Check that all KeyParameters provided by the application are allowed. Any parameter that keystore
651 * adds itself should be disallowed here.
652 */
653template <typename ParamsIter>
654static bool checkAllowedOperationParams(ParamsIter begin, const ParamsIter end) {
655 while (begin != end) {
656 switch (begin->tag) {
657 case Tag::ATTESTATION_APPLICATION_ID:
658 case Tag::RESET_SINCE_ID_ROTATION:
659 return false;
660 default:
661 break;
662 }
663 ++begin;
664 }
665 return true;
666}
667
668void KeymasterWorker::finish(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> input,
669 hidl_vec<uint8_t> signature, hidl_vec<uint8_t> entropy,
670 finish_cb worker_cb) {
671 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(input),
672 CAPTURE_MOVE(signature), CAPTURE_MOVE(entropy),
673 CAPTURE_MOVE(worker_cb)]() mutable {
674 KeyStoreServiceReturnCode rc;
675 auto op = operationMap_.getOperation(token);
676 if (!op) {
677 return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE));
678 }
679
680 bool finished = false;
681 Finalize abort_operation_in_case_of_error([&] {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]682 operationMap_.removeOperation(token, finished && rc.isOk(), rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]683 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]684 if (!finished)
685 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]686 });
687
688 if (!checkAllowedOperationParams(params.begin(), params.end())) {
689 return worker_cb(operationFailed(ErrorCode::INVALID_ARGUMENT));
690 }
691
692 rc = getOperationAuthTokenIfNeeded(op);
693 if (!rc.isOk()) return worker_cb(operationFailed(rc));
694
695 // Check that all key authorization policy requirements are met.
696 AuthorizationSet key_auths(op->characteristics.hardwareEnforced);
697 key_auths.append(op->characteristics.softwareEnforced.begin(),
698 op->characteristics.softwareEnforced.end());
699
700 if (key_auths.Contains(Tag::TRUSTED_CONFIRMATION_REQUIRED)) {
701 hidl_vec<uint8_t> confirmationToken =
702 keyStore_->getConfirmationManager().getLatestConfirmationToken();
703 if (confirmationToken.size() == 0) {
704 LOG(ERROR) << "Confirmation token required but none found";
705 return worker_cb(operationFailed(ErrorCode::NO_USER_CONFIRMATION));
706 }
707 params.push_back(keymaster::TAG_CONFIRMATION_TOKEN, std::move(confirmationToken));
708 }
709
710 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths,
711 params, op->authToken, op->handle,
712 false /* is_begin_operation */);
713 if (!rc.isOk()) return worker_cb(operationFailed(rc));
714
715 if (entropy.size()) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]716 rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]717 if (!rc.isOk()) {
718 return worker_cb(operationFailed(rc));
719 }
720 }
721
722 OperationResult result;
723 auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
724 const ::std::vector<uint8_t>& output) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]725 op->device->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]726 result.resultCode = ret;
727 if (result.resultCode.isOk()) {
728 result.outParams = outParams;
729 result.data = output;
730 }
731 };
732
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]733 rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->finish(op->handle, params.hidl_data(),
734 input, signature, op->authToken,
735 op->verificationToken, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]736
737 if (rc.isOk()) {
738 // inform the finalizer that the finish call went through
739 finished = true;
740 // and what the result was
741 rc = result.resultCode;
742 } else {
743 return worker_cb(operationFailed(rc));
744 }
745 return worker_cb(std::move(result));
746 });
747}
748
749void KeymasterWorker::abort(sp<IBinder> token, abort_cb worker_cb) {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]750 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(worker_cb)]() {
751 return worker_cb(abort(token, ResponseCode::ABORT_CALLED));
752 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]753}
754
755void KeymasterWorker::verifyAuthorization(uint64_t challenge, hidl_vec<KeyParameter> params,
756 HardwareAuthToken token,
757 verifyAuthorization_cb worker_cb) {
758 Worker::addRequest([this, challenge, CAPTURE_MOVE(params), CAPTURE_MOVE(token),
759 CAPTURE_MOVE(worker_cb)]() {
760 KeyStoreServiceReturnCode error;
761 VerificationToken verificationToken;
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]762 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
763 keymasterDevice_,
764 keymasterDevice_->verifyAuthorization(
765 challenge, params, token, [&](ErrorCode ret, const VerificationToken& vToken) {
766 keymasterDevice_->logIfKeymasterVendorError(ret);
767 error = ret;
768 verificationToken = vToken;
769 }));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]770 worker_cb(rc.isOk() ? error : rc, std::move(token), std::move(verificationToken));
771 });
772}
773
774void KeymasterWorker::addRngEntropy(hidl_vec<uint8_t> data, addRngEntropy_cb _hidl_cb) {
775 addRequest(&Keymaster::addRngEntropy, std::move(_hidl_cb), std::move(data));
776}
777
778namespace {
779bool containsTag(const hidl_vec<KeyParameter>& params, Tag tag) {
780 return params.end() !=
781 std::find_if(params.begin(), params.end(),
782 [&](const KeyParameter& param) { return param.tag == tag; });
783}
784
785bool isAuthenticationBound(const hidl_vec<KeyParameter>& params) {
786 return !containsTag(params, Tag::NO_AUTH_REQUIRED);
787}
788} // namespace
789
790void KeymasterWorker::generateKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams,
791 hidl_vec<uint8_t> entropy, int flags, generateKey_cb worker_cb) {
792 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams),
793 CAPTURE_MOVE(entropy), CAPTURE_MOVE(worker_cb), flags]() mutable {
794 KeyStoreServiceReturnCode rc =
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]795 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]796 if (!rc.isOk()) {
797 return worker_cb(rc, {});
798 }
799
800 SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel;
801
802 // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced
803 // by KeyStore::getFallbackDevice()
804 bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT;
805
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]806 Finalize logOnFail([&] {
807 logKeystoreKeyCreationEvent(keyParams, false /*wasCreationSuccessful*/,
808 rc.getErrorCode());
809 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]810
811 KeyCharacteristics outCharacteristics;
812 KeyStoreServiceReturnCode error;
813 auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
814 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]815 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]816 error = ret;
817 if (!error.isOk()) {
818 return;
819 }
820 consider_fallback = false;
821 outCharacteristics = keyCharacteristics;
822
823 Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
824 keyBlob.setSecurityLevel(securityLevel);
825 keyBlob.setCriticalToDeviceEncryption(flags &
826 KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
827 if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) {
828 keyBlob.setSuperEncrypted(true);
829 }
830 keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
831
832 AuthorizationSet sw_enforced = keyParams;
833 sw_enforced.Subtract(outCharacteristics.hardwareEnforced);
834 sw_enforced.Union(outCharacteristics.softwareEnforced);
835 sw_enforced.Filter([](const KeyParameter& param) -> bool {
836 return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID);
837 });
838 if (!sw_enforced.Contains(Tag::USER_ID)) {
839 // Most Java processes don't have access to this tag
840 sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid()));
841 }
842 Blob keyCharBlob;
843 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
844 error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob));
845 };
846
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]847 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
848 keymasterDevice_->generateKey(keyParams, hidl_cb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]849 if (!rc.isOk()) {
850 return worker_cb(rc, {});
851 }
852
853 if (consider_fallback && !error.isOk()) {
854 auto fallback = keyStore_->getFallbackDevice();
855 if (!fallback) {
856 return worker_cb(error, {});
857 }
858 // No fallback for 3DES
859 for (auto& param : keyParams) {
860 auto algorithm = authorizationValue(TAG_ALGORITHM, param);
861 if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
862 return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {});
863 }
864 }
865
866 // delegate to fallback worker
867 fallback->generateKey(std::move(lockedEntry), std::move(keyParams), std::move(entropy),
868 flags, std::move(worker_cb));
869 // let fallback do the logging
870 logOnFail.release();
871 return;
872 }
873
874 if (!error.isOk()) return worker_cb(error, {});
875
876 // log on success
877 logOnFail.release();
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]878 logKeystoreKeyCreationEvent(keyParams, true /*wasCreationSuccessful*/,
879 error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]880
881 return worker_cb(error, std::move(outCharacteristics));
882 });
883}
884
885void KeymasterWorker::generateKey(hidl_vec<KeyParameter> keyParams, generateKey2_cb worker_cb) {
886 addRequest(&Keymaster::generateKey, std::move(worker_cb), std::move(keyParams));
887}
888
889void KeymasterWorker::getKeyCharacteristics(LockedKeyBlobEntry lockedEntry,
890 hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData,
891 Blob keyBlob, Blob charBlob,
892 getKeyCharacteristics_cb worker_cb) {
893 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(clientId),
894 CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob),
895 CAPTURE_MOVE(worker_cb)]() {
896 auto result = createKeyCharacteristicsCache(lockedEntry, clientId, appData,
897 std::move(keyBlob), std::move(charBlob));
898 return worker_cb(std::get<0>(result), std::move(std::get<1>(result)));
899 });
900}
901
902void KeymasterWorker::importKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams,
903 KeyFormat keyFormat, hidl_vec<uint8_t> keyData, int flags,
904 importKey_cb worker_cb) {
905 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams), keyFormat,
906 CAPTURE_MOVE(keyData), flags, CAPTURE_MOVE(worker_cb)]() mutable {
907 SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel;
908
909 // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced
910 // by KeyStore::getFallbackDevice()
911 bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT;
912
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]913 KeyStoreServiceReturnCode error;
914 Finalize logOnFail([&] {
915 logKeystoreKeyCreationEvent(keyParams, false /*wasCreationSuccessful*/,
916 error.getErrorCode());
917 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]918
919 KeyCharacteristics outCharacteristics;
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]920 auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
921 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]922 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]923 error = ret;
924 if (!error.isOk()) {
925 LOG(INFO) << "importKey failed";
926 return;
927 }
928 consider_fallback = false;
929 outCharacteristics = keyCharacteristics;
930
931 Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
932 keyBlob.setSecurityLevel(securityLevel);
933 keyBlob.setCriticalToDeviceEncryption(flags &
934 KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
935 if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) {
936 keyBlob.setSuperEncrypted(true);
937 }
938 keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
939
940 AuthorizationSet sw_enforced = keyParams;
941 sw_enforced.Subtract(outCharacteristics.hardwareEnforced);
942 sw_enforced.Union(outCharacteristics.softwareEnforced);
943 sw_enforced.Filter([](const KeyParameter& param) -> bool {
944 return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID);
945 });
946 if (!sw_enforced.Contains(Tag::USER_ID)) {
947 // Most Java processes don't have access to this tag
948 sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid()));
949 }
950 Blob keyCharBlob;
951 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
952 error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob));
953 };
954
955 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]956 keymasterDevice_, keymasterDevice_->importKey(keyParams, keyFormat, keyData, hidl_cb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]957 if (!rc.isOk()) {
958 return worker_cb(rc, {});
959 }
960
961 if (consider_fallback && !error.isOk()) {
962 auto fallback = keyStore_->getFallbackDevice();
963 if (!fallback) {
964 return worker_cb(error, {});
965 }
966 // No fallback for 3DES
967 for (auto& param : keyParams) {
968 auto algorithm = authorizationValue(TAG_ALGORITHM, param);
969 if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
970 return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {});
971 }
972 }
973
974 // delegate to fallback worker
975 fallback->importKey(std::move(lockedEntry), std::move(keyParams), keyFormat,
976 std::move(keyData), flags, std::move(worker_cb));
977 // let fallback to the logging
978 logOnFail.release();
979 return;
980 }
981
982 if (!error.isOk()) return worker_cb(error, {});
983
984 // log on success
985 logOnFail.release();
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]986 logKeystoreKeyCreationEvent(keyParams, true /*wasCreationSuccessful*/,
987 error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]988
989 return worker_cb(error, std::move(outCharacteristics));
990 });
991}
992
993void KeymasterWorker::importWrappedKey(LockedKeyBlobEntry wrappingLockedEntry,
994 LockedKeyBlobEntry wrapppedLockedEntry,
995 hidl_vec<uint8_t> wrappedKeyData,
996 hidl_vec<uint8_t> maskingKey,
997 hidl_vec<KeyParameter> unwrappingParams, Blob wrappingBlob,
998 Blob wrappingCharBlob, uint64_t passwordSid,
999 uint64_t biometricSid, importWrappedKey_cb worker_cb) {
1000 Worker::addRequest([this, CAPTURE_MOVE(wrappingLockedEntry), CAPTURE_MOVE(wrapppedLockedEntry),
1001 CAPTURE_MOVE(wrappedKeyData), CAPTURE_MOVE(maskingKey),
1002 CAPTURE_MOVE(unwrappingParams), CAPTURE_MOVE(wrappingBlob),
1003 CAPTURE_MOVE(wrappingCharBlob), passwordSid, biometricSid,
1004 CAPTURE_MOVE(worker_cb)]() mutable {
1005 auto hidlWrappingKey = blob2hidlVec(wrappingBlob);
1006
1007 SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel;
1008
1009 KeyCharacteristics outCharacteristics;
1010 KeyStoreServiceReturnCode error;
1011
1012 auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
1013 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1014 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1015 error = ret;
1016 if (!error.isOk()) {
1017 return;
1018 }
1019 outCharacteristics = keyCharacteristics;
1020
1021 Blob keyBlob(hidlKeyBlob.data(), hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
1022 keyBlob.setSecurityLevel(securityLevel);
1023 if (isAuthenticationBound(keyCharacteristics.hardwareEnforced)) {
1024 keyBlob.setSuperEncrypted(true);
1025 }
1026
1027 AuthorizationSet sw_enforced = outCharacteristics.softwareEnforced;
1028 if (!sw_enforced.Contains(Tag::USER_ID)) {
1029 // Most Java processes don't have access to this tag
1030 sw_enforced.push_back(keymaster::TAG_USER_ID,
1031 get_user_id(wrapppedLockedEntry->uid()));
1032 }
1033 Blob keyCharBlob;
1034 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
1035 error = keyStore_->put(wrapppedLockedEntry, std::move(keyBlob), std::move(keyCharBlob));
1036 };
1037
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1038 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
1039 keymasterDevice_, keymasterDevice_->importWrappedKey(
1040 wrappedKeyData, hidlWrappingKey, maskingKey, unwrappingParams,
1041 passwordSid, biometricSid, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1042
1043 // possible hidl error
1044 if (!rc.isOk()) {
1045 return worker_cb(rc, {});
1046 }
1047
1048 if (error == ErrorCode::KEY_REQUIRES_UPGRADE) {
1049 std::tie(rc, wrappingBlob) = upgradeKeyBlob(wrappingLockedEntry, {});
1050 if (!rc.isOk()) {
1051 return worker_cb(rc, {});
1052 }
1053
1054 auto upgradedHidlKeyBlob = blob2hidlVec(wrappingBlob);
1055
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1056 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
1057 keymasterDevice_->importWrappedKey(
1058 wrappedKeyData, upgradedHidlKeyBlob, maskingKey,
1059 unwrappingParams, passwordSid, biometricSid, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1060 if (!rc.isOk()) {
1061 error = rc;
1062 }
1063 }
1064 return worker_cb(error, std::move(outCharacteristics));
1065 });
1066}
1067
1068void KeymasterWorker::exportKey(LockedKeyBlobEntry lockedEntry, KeyFormat exportFormat,
1069 hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData, Blob keyBlob,
1070 Blob charBlob, exportKey_cb worker_cb) {
1071 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), exportFormat, CAPTURE_MOVE(clientId),
1072 CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob),
1073 CAPTURE_MOVE(worker_cb)]() mutable {
1074 auto key = blob2hidlVec(keyBlob);
1075
1076 ExportResult result;
1077 auto hidlCb = [&](ErrorCode ret,
1078 const ::android::hardware::hidl_vec<uint8_t>& keyMaterial) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1079 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1080 result.resultCode = ret;
1081 if (!result.resultCode.isOk()) {
1082 if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
1083 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
1084 }
1085 return;
1086 }
1087 result.exportData = keyMaterial;
1088 };
1089 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1090 keymasterDevice_,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1091 keymasterDevice_->exportKey(exportFormat, key, clientId, appData, hidlCb));
1092
1093 // Overwrite result->resultCode only on HIDL error. Otherwise we want the result set in the
1094 // callback hidlCb.
1095 if (!rc.isOk()) {
1096 result.resultCode = rc;
1097 }
1098
1099 if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) {
1100 AuthorizationSet upgradeParams;
1101 if (clientId.size()) {
1102 upgradeParams.push_back(TAG_APPLICATION_ID, clientId);
1103 }
1104 if (appData.size()) {
1105 upgradeParams.push_back(TAG_APPLICATION_DATA, appData);
1106 }
1107 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams);
1108 if (!rc.isOk()) {
1109 return worker_cb(std::move(result));
1110 }
1111
1112 auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
1113
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1114 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
1115 keymasterDevice_->exportKey(exportFormat, upgradedHidlKeyBlob,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1116 clientId, appData, hidlCb));
1117 if (!rc.isOk()) {
1118 result.resultCode = rc;
1119 }
1120 }
1121 return worker_cb(std::move(result));
1122 });
1123}
1124void KeymasterWorker::attestKey(hidl_vec<uint8_t> keyToAttest, hidl_vec<KeyParameter> attestParams,
1125 attestKey_cb worker_cb) {
1126 addRequest(&Keymaster::attestKey, std::move(worker_cb), std::move(keyToAttest),
1127 std::move(attestParams));
1128}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1129
1130void KeymasterWorker::deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb) {
1131 addRequest(&Keymaster::deleteKey, std::move(_hidl_cb), std::move(keyBlob));
1132}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1133
1134void KeymasterWorker::binderDied(android::wp<IBinder> who) {
1135 Worker::addRequest([this, who]() {
1136 auto operations = operationMap_.getOperationsForToken(who.unsafe_get());
1137 for (const auto& token : operations) {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame^]1138 abort(token, ResponseCode::BINDER_DIED);
Janis Danisevskisbec89992019-08-14 13:42:19 -0700[diff] [blame]1139 keyStore_->removeOperationDevice(token);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1140 }
1141 });
1142}
1143
1144} // namespace keystore