Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 3c8ea06269dad4b15e7cc8ef6aa7c8d3aefead4f / . / keystore / keymaster_worker.cpp
blob: cbb184c24411eb95f896c617fb1d78266e620e71 [file] [log] [blame]
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1/*
2**
3** Copyright 2018, The Android Open Source Project
4**
5** Licensed under the Apache License, Version 2.0 (the "License");
6** you may not use this file except in compliance with the License.
7** You may obtain a copy of the License at
8**
9** http://www.apache.org/licenses/LICENSE-2.0
10**
11** Unless required by applicable law or agreed to in writing, software
12** distributed under the License is distributed on an "AS IS" BASIS,
13** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14** See the License for the specific language governing permissions and
15** limitations under the License.
16*/
17#define LOG_TAG "keymaster_worker"
18
19#include "keymaster_worker.h"
20
21#include "keystore_utils.h"
22
23#include <android-base/logging.h>
24
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]25#include <log/log_event_list.h>
26
27#include <private/android_logger.h>
28
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]29#include "KeyStore.h"
30#include "keymaster_enforcement.h"
31
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]32#include "key_creation_log_handler.h"
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]33#include "keystore_utils.h"
34
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]35#include <chrono>
36
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]37namespace keystore {
38
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]39using namespace std::chrono;
40
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]41constexpr size_t kMaxOperations = 15;
42
43using AndroidKeymasterArguments = android::security::keymaster::KeymasterArguments;
44using android::security::keymaster::ExportResult;
45using android::security::keymaster::operationFailed;
46using android::security::keymaster::OperationResult;
47
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]48Worker::Worker() {}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]49Worker::~Worker() {
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]50 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]51 terminate_ = true;
52 pending_requests_cond_var_.notify_all();
53 pending_requests_cond_var_.wait(lock, [this] { return !running_; });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]54}
55void Worker::addRequest(WorkerTask request) {
56 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]57 bool start_thread = !running_;
58 running_ = true;
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]59 pending_requests_.push(std::move(request));
60 lock.unlock();
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]61 pending_requests_cond_var_.notify_all();
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]62 if (start_thread) {
63 auto worker = std::thread([this] {
64 std::unique_lock<std::mutex> lock(pending_requests_mutex_);
Janis Danisevskisc2f1f722019-08-16 14:54:55 -0700[diff] [blame]65 while (running_) {
66 // Wait for 30s if the request queue is empty, then kill die.
67 // Die immediately if termiate_ was set which happens in the destructor.
68 auto status = pending_requests_cond_var_.wait_for(
69 lock, 30s, [this]() { return !pending_requests_.empty() || terminate_; });
70 if (status && !terminate_) {
71 auto request = std::move(pending_requests_.front());
72 lock.unlock();
73 request();
74 lock.lock();
75 pending_requests_.pop();
76 } else {
77 running_ = false;
78 }
Janis Danisevskis5ec4c2a2018-11-12 10:39:48 -0800[diff] [blame]79 pending_requests_cond_var_.notify_all();
80 }
81 });
82 worker.detach();
83 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]84}
85
Edman Anjosba9b7d32020-09-02 17:34:54 +0200[diff] [blame]86KeymasterWorker::KeymasterWorker(sp<Keymaster> keymasterDevice, KeyStore* keyStore,
87 SecurityLevel internalSecurityLevel)
88 : keymasterDevice_(std::move(keymasterDevice)), operationMap_(keyStore), keyStore_(keyStore),
89 internalSecurityLevel_(internalSecurityLevel) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]90 // make sure that hal version is cached.
91 if (keymasterDevice_) keymasterDevice_->halVersion();
92}
93
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]94void KeymasterWorker::logIfKeymasterVendorError(ErrorCode ec) const {
95 keymasterDevice_->logIfKeymasterVendorError(ec);
96}
97
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]98void KeymasterWorker::deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob) {
99 // if we got the blob successfully, we try and delete it from the keymaster device
100 auto& dev = keymasterDevice_;
101 uid_t uid = blobfile->uid();
102 const auto& alias = blobfile->alias();
103
104 if (keyBlob.getType() == ::TYPE_KEYMASTER_10) {
105 auto ret = KS_HANDLE_HIDL_ERROR(dev, dev->deleteKey(blob2hidlVec(keyBlob)));
106 // A device doesn't have to implement delete_key.
107 bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
108 if (__android_log_security()) {
109 android_log_event_list(SEC_TAG_KEY_DESTROYED)
110 << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
111 }
112 if (!success) {
113 LOG(ERROR) << "Keymaster delete for key " << alias << " of uid " << uid << " failed";
114 }
115 }
116}
117
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]118std::tuple<KeyStoreServiceReturnCode, Blob>
119KeymasterWorker::upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry,
120 const AuthorizationSet& params) {
121 LOG(INFO) << "upgradeKeyBlob " << lockedEntry->alias() << " " << (uint32_t)lockedEntry->uid();
122
123 std::tuple<KeyStoreServiceReturnCode, Blob> result;
124
125 auto userState = keyStore_->getUserStateDB().getUserStateByUid(lockedEntry->uid());
126
127 Blob& blob = std::get<1>(result);
128 KeyStoreServiceReturnCode& error = std::get<0>(result);
129
130 Blob charBlob;
131 ResponseCode rc;
132
133 std::tie(rc, blob, charBlob) =
134 lockedEntry.readBlobs(userState->getEncryptionKey(), userState->getState());
135
Janis Danisevskis265435f2018-11-16 14:10:46 -0800[diff] [blame]136 userState = {};
137
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]138 if (rc != ResponseCode::NO_ERROR) {
139 return error = rc, result;
140 }
141
142 auto hidlKey = blob2hidlVec(blob);
143 auto& dev = keymasterDevice_;
144
145 auto hidlCb = [&](ErrorCode ret, const ::std::vector<uint8_t>& upgradedKeyBlob) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]146 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]147 error = ret;
148 if (!error.isOk()) {
149 if (error == ErrorCode::INVALID_KEY_BLOB) {
150 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
151 }
152 return;
153 }
154
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]155 Blob newBlob(&upgradedKeyBlob[0], upgradedKeyBlob.size(), nullptr /* info */,
156 0 /* infoLength */, ::TYPE_KEYMASTER_10);
157 newBlob.setSecurityLevel(blob.getSecurityLevel());
158 newBlob.setEncrypted(blob.isEncrypted());
159 newBlob.setSuperEncrypted(blob.isSuperEncrypted());
160 newBlob.setCriticalToDeviceEncryption(blob.isCriticalToDeviceEncryption());
161
162 error = keyStore_->put(lockedEntry, newBlob, charBlob);
163 if (!error.isOk()) {
Branden Archer70080742018-11-20 11:04:11 -0800[diff] [blame]164 ALOGI("upgradeKeyBlob keystore->put failed %d", error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]165 return;
166 }
Janis Danisevskis6a0d9982019-04-30 15:43:59 -0700[diff] [blame]167
168 deleteOldKeyOnUpgrade(lockedEntry, std::move(blob));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]169 blob = std::move(newBlob);
170 };
171
172 KeyStoreServiceReturnCode error2;
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]173 error2 = KS_HANDLE_HIDL_ERROR(dev, dev->upgradeKey(hidlKey, params.hidl_data(), hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]174 if (!error2.isOk()) {
175 return error = error2, result;
176 }
177
178 return result;
179}
180
181std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob>
182KeymasterWorker::createKeyCharacteristicsCache(const LockedKeyBlobEntry& lockedEntry,
183 const hidl_vec<uint8_t>& clientId,
184 const hidl_vec<uint8_t>& appData, Blob keyBlob,
185 Blob charBlob) {
186 std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob> result;
187
188#if __cplusplus == 201703L
189 auto& [rc, resultCharacteristics, outBlob, charOutBlob] = result;
190#else
191 KeyStoreServiceReturnCode& rc = std::get<0>(result);
192 KeyCharacteristics& resultCharacteristics = std::get<1>(result);
193 Blob& outBlob = std::get<2>(result);
194 Blob& charOutBlob = std::get<3>(result);
195#endif
196
197 rc = ResponseCode::SYSTEM_ERROR;
198 if (!keyBlob) return result;
199 auto hidlKeyBlob = blob2hidlVec(keyBlob);
200 auto& dev = keymasterDevice_;
201
202 KeyStoreServiceReturnCode error;
203
204 AuthorizationSet hwEnforced, swEnforced;
205 bool success = true;
206
207 if (charBlob) {
208 std::tie(success, hwEnforced, swEnforced) = charBlob.getKeyCharacteristics();
209 }
210 if (!success) {
211 LOG(ERROR) << "Failed to read cached key characteristics";
212 return rc = ResponseCode::SYSTEM_ERROR, result;
213 }
214
215 auto hidlCb = [&](ErrorCode ret, const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]216 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]217 error = ret;
218 if (!error.isOk()) {
219 if (error == ErrorCode::INVALID_KEY_BLOB) {
220 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
221 }
222 return;
223 }
224
225 // Replace the sw_enforced set with those persisted to disk, minus hw_enforced
226 AuthorizationSet softwareEnforced = keyCharacteristics.softwareEnforced;
227 hwEnforced = keyCharacteristics.hardwareEnforced;
228 swEnforced.Union(softwareEnforced);
229 softwareEnforced.Subtract(hwEnforced);
230
231 // We only get the characteristics from keymaster if there was no cache file or the
232 // the chach file was a legacy cache file. So lets write a new cache file for the next time.
233 Blob newCharBlob;
234 success = newCharBlob.putKeyCharacteristics(hwEnforced, swEnforced);
235 if (!success) {
236 error = ResponseCode::SYSTEM_ERROR;
237 LOG(ERROR) << "Failed to serialize cached key characteristics";
238 return;
239 }
240
241 error = keyStore_->put(lockedEntry, {}, newCharBlob);
242 if (!error.isOk()) {
243 ALOGE("Failed to write key characteristics cache");
244 return;
245 }
246 charBlob = std::move(newCharBlob);
247 };
248
249 if (!charBlob || charBlob.getType() == TYPE_KEY_CHARACTERISTICS) {
250 // this updates the key characteristics cache file to the new format or creates one in
251 // in the first place
252 rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]253 dev, dev->getKeyCharacteristics(hidlKeyBlob, clientId, appData, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]254 if (!rc.isOk()) {
255 return result;
256 }
257
258 if (error == ErrorCode::KEY_REQUIRES_UPGRADE) {
259 AuthorizationSet upgradeParams;
260 if (clientId.size()) {
261 upgradeParams.push_back(TAG_APPLICATION_ID, clientId);
262 }
263 if (appData.size()) {
264 upgradeParams.push_back(TAG_APPLICATION_DATA, appData);
265 }
266 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams);
267 if (!rc.isOk()) {
268 return result;
269 }
270
271 auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
272
273 rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]274 dev, dev->getKeyCharacteristics(upgradedHidlKeyBlob, clientId, appData, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]275 if (!rc.isOk()) {
276 return result;
277 }
278 }
279 }
280
281 resultCharacteristics.hardwareEnforced = hwEnforced.hidl_data();
282 resultCharacteristics.softwareEnforced = swEnforced.hidl_data();
283
284 outBlob = std::move(keyBlob);
285 charOutBlob = std::move(charBlob);
286 rc = error;
287 return result;
288}
289
290/**
291 * Get the auth token for this operation from the auth token table.
292 *
293 * Returns ResponseCode::NO_ERROR if the auth token was set or none was required.
294 * ::OP_AUTH_NEEDED if it is a per op authorization, no
295 * authorization token exists for that operation and
296 * failOnTokenMissing is false.
297 * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth
298 * token for the operation
299 */
300std::pair<KeyStoreServiceReturnCode, HardwareAuthToken>
301KeymasterWorker::getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle,
302 KeyPurpose purpose, bool failOnTokenMissing) {
303
304 AuthorizationSet allCharacteristics(characteristics.softwareEnforced);
305 allCharacteristics.append(characteristics.hardwareEnforced.begin(),
306 characteristics.hardwareEnforced.end());
307
308 HardwareAuthToken authToken;
309 AuthTokenTable::Error err;
310 std::tie(err, authToken) = keyStore_->getAuthTokenTable().FindAuthorization(
311 allCharacteristics, static_cast<KeyPurpose>(purpose), handle);
312
313 KeyStoreServiceReturnCode rc;
314
315 switch (err) {
316 case AuthTokenTable::OK:
317 case AuthTokenTable::AUTH_NOT_REQUIRED:
318 rc = ResponseCode::NO_ERROR;
319 break;
320
321 case AuthTokenTable::AUTH_TOKEN_NOT_FOUND:
322 case AuthTokenTable::AUTH_TOKEN_EXPIRED:
323 case AuthTokenTable::AUTH_TOKEN_WRONG_SID:
324 ALOGE("getAuthToken failed: %d", err); // STOPSHIP: debug only, to be removed
325 rc = ErrorCode::KEY_USER_NOT_AUTHENTICATED;
326 break;
327
328 case AuthTokenTable::OP_HANDLE_REQUIRED:
329 rc = failOnTokenMissing ? KeyStoreServiceReturnCode(ErrorCode::KEY_USER_NOT_AUTHENTICATED)
330 : KeyStoreServiceReturnCode(ResponseCode::OP_AUTH_NEEDED);
331 break;
332
333 default:
334 ALOGE("Unexpected FindAuthorization return value %d", err);
335 rc = ErrorCode::INVALID_ARGUMENT;
336 }
337
338 return {rc, std::move(authToken)};
339}
340
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]341KeyStoreServiceReturnCode KeymasterWorker::abort(const sp<IBinder>& token,
342 ResponseCode reason_for_abort) {
343 auto op = operationMap_.removeOperation(token, false /* wasOpSuccessful */,
344 static_cast<int32_t>(reason_for_abort));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]345 if (op) {
346 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]347 return KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]348 } else {
349 return ErrorCode::INVALID_OPERATION_HANDLE;
350 }
351}
352
353/**
354 * Prune the oldest pruneable operation.
355 */
356bool KeymasterWorker::pruneOperation() {
357 sp<IBinder> oldest = operationMap_.getOldestPruneableOperation();
358 ALOGD("Trying to prune operation %p", oldest.get());
359 size_t op_count_before_abort = operationMap_.getOperationCount();
360 // We mostly ignore errors from abort() because all we care about is whether at least
361 // one operation has been removed.
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]362 auto rc = abort(oldest, ResponseCode::PRUNED);
Janis Danisevskisbec89992019-08-14 13:42:19 -0700[diff] [blame]363 keyStore_->removeOperationDevice(oldest);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]364 if (operationMap_.getOperationCount() >= op_count_before_abort) {
Branden Archer70080742018-11-20 11:04:11 -0800[diff] [blame]365 ALOGE("Failed to abort pruneable operation %p, error: %d", oldest.get(), rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]366 return false;
367 }
368 return true;
369}
370
371// My IDE defines "CAPTURE_MOVE(x) x" because it does not understand generalized lambda captures.
372// It should never be redefined by a build system though.
373#ifndef CAPTURE_MOVE
374#define CAPTURE_MOVE(x) x = std::move(x)
375#endif
376
377void KeymasterWorker::begin(LockedKeyBlobEntry lockedEntry, sp<IBinder> appToken, Blob keyBlob,
378 Blob charBlob, bool pruneable, KeyPurpose purpose,
379 AuthorizationSet opParams, hidl_vec<uint8_t> entropy,
380 worker_begin_cb worker_cb) {
381
382 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(appToken),
383 CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob), pruneable, purpose,
384 CAPTURE_MOVE(opParams), CAPTURE_MOVE(entropy),
385 CAPTURE_MOVE(worker_cb)]() mutable {
386 // Concurrently executed
387
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]388 auto& dev = keymasterDevice_;
389
390 KeyCharacteristics characteristics;
391
392 {
393 hidl_vec<uint8_t> clientId;
394 hidl_vec<uint8_t> appData;
Chih-Hung Hsiehb3bfdb02018-12-12 14:43:33 -0800[diff] [blame]395 for (const auto& param : opParams) {
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]396 if (param.tag == Tag::APPLICATION_ID) {
397 clientId = authorizationValue(TAG_APPLICATION_ID, param).value();
398 } else if (param.tag == Tag::APPLICATION_DATA) {
399 appData = authorizationValue(TAG_APPLICATION_DATA, param).value();
400 }
401 }
402 KeyStoreServiceReturnCode error;
403 std::tie(error, characteristics, keyBlob, charBlob) = createKeyCharacteristicsCache(
404 lockedEntry, clientId, appData, std::move(keyBlob), std::move(charBlob));
405 if (!error.isOk()) {
406 worker_cb(operationFailed(error));
407 return;
408 }
409 }
410
411 KeyStoreServiceReturnCode rc, authRc;
412 HardwareAuthToken authToken;
413 std::tie(authRc, authToken) = getAuthToken(characteristics, 0 /* no challenge */, purpose,
414 /*failOnTokenMissing*/ false);
415
416 // If per-operation auth is needed we need to begin the operation and
417 // the client will need to authorize that operation before calling
418 // update. Any other auth issues stop here.
419 if (!authRc.isOk() && authRc != ResponseCode::OP_AUTH_NEEDED) {
420 return worker_cb(operationFailed(authRc));
421 }
422
423 // Add entropy to the device first.
424 if (entropy.size()) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]425 rc = KS_HANDLE_HIDL_ERROR(dev, dev->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]426 if (!rc.isOk()) {
427 return worker_cb(operationFailed(rc));
428 }
429 }
430
431 // Create a keyid for this key.
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]432 auto keyid = KeymasterEnforcement::CreateKeyId(blob2hidlVec(keyBlob));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]433 if (!keyid) {
434 ALOGE("Failed to create a key ID for authorization checking.");
435 return worker_cb(operationFailed(ErrorCode::UNKNOWN_ERROR));
436 }
437
438 // Check that all key authorization policy requirements are met.
439 AuthorizationSet key_auths = characteristics.hardwareEnforced;
440 key_auths.append(characteristics.softwareEnforced.begin(),
441 characteristics.softwareEnforced.end());
442
443 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(
444 purpose, *keyid, key_auths, opParams, authToken, 0 /* op_handle */,
445 true /* is_begin_operation */);
446 if (!rc.isOk()) {
447 return worker_cb(operationFailed(rc));
448 }
449
450 // If there are more than kMaxOperations, abort the oldest operation that was started as
451 // pruneable.
452 while (operationMap_.getOperationCount() >= kMaxOperations) {
453 ALOGD("Reached or exceeded concurrent operations limit");
454 if (!pruneOperation()) {
455 break;
456 }
457 }
458
459 android::security::keymaster::OperationResult result;
460
461 auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
462 uint64_t operationHandle) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]463 dev->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]464 result.resultCode = ret;
465 if (!result.resultCode.isOk()) {
466 if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
467 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
468 }
469 return;
470 }
471 result.handle = operationHandle;
472 result.outParams = outParams;
473 };
474
475 do {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]476 rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
477 opParams.hidl_data(), authToken, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]478 if (!rc.isOk()) {
479 LOG(ERROR) << "Got error " << rc << " from begin()";
480 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
481 }
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]482
483 if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) {
484 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, opParams);
485 if (!rc.isOk()) {
486 return worker_cb(operationFailed(rc));
487 }
488
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]489 rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
490 opParams.hidl_data(), authToken, hidlCb));
Janis Danisevskis64eb3eb2018-11-27 20:41:52 -0800[diff] [blame]491 if (!rc.isOk()) {
492 LOG(ERROR) << "Got error " << rc << " from begin()";
493 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
494 }
495 }
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]496 // If there are too many operations abort the oldest operation that was
497 // started as pruneable and try again.
498 } while (result.resultCode == ErrorCode::TOO_MANY_OPERATIONS && pruneOperation());
499
500 rc = result.resultCode;
501 if (!rc.isOk()) {
502 return worker_cb(operationFailed(rc));
503 }
504
505 // Note: The operation map takes possession of the contents of "characteristics".
506 // It is safe to use characteristics after the following line but it will be empty.
507 sp<IBinder> operationToken =
508 operationMap_.addOperation(result.handle, *keyid, purpose, dev, appToken,
509 std::move(characteristics), opParams.hidl_data(), pruneable);
510 assert(characteristics.hardwareEnforced.size() == 0);
511 assert(characteristics.softwareEnforced.size() == 0);
512 result.token = operationToken;
513
514 auto operation = operationMap_.getOperation(operationToken);
515 if (!operation) {
516 return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
517 }
518
519 if (authRc.isOk() && authToken.mac.size() &&
520 dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) {
521 operation->authTokenFuture = operation->authTokenPromise.get_future();
522 std::weak_ptr<Operation> weak_operation = operation;
523
524 auto verifyTokenCB = [weak_operation](KeyStoreServiceReturnCode rc,
525 HardwareAuthToken authToken,
526 VerificationToken verificationToken) {
527 auto operation = weak_operation.lock();
528 if (!operation) {
529 // operation aborted, nothing to do
530 return;
531 }
532 if (rc.isOk()) {
533 operation->authToken = std::move(authToken);
534 operation->verificationToken = std::move(verificationToken);
535 }
536 operation->authTokenPromise.set_value(rc);
537 };
538 auto teeKmDevice = keyStore_->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT);
539 teeKmDevice->verifyAuthorization(result.handle, {}, std::move(authToken),
540 std::move(verifyTokenCB));
541 }
542
543 // Return the authentication lookup result. If this is a per operation
544 // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the
545 // application should get an auth token using the handle before the
546 // first call to update, which will fail if keystore hasn't received the
547 // auth token.
548 if (result.resultCode.isOk()) {
549 result.resultCode = authRc;
550 }
551 return worker_cb(result);
552 });
553}
554
555KeyStoreServiceReturnCode
556KeymasterWorker::getOperationAuthTokenIfNeeded(std::shared_ptr<Operation> op) {
557 if (!op) return ErrorCode::INVALID_OPERATION_HANDLE;
558
559 if (op->authTokenFuture.valid()) {
560 LOG(INFO) << "Waiting for verification token";
561 op->authTokenFuture.wait();
562 auto rc = op->authTokenFuture.get();
563 if (!rc.isOk()) {
564 return rc;
565 }
566 op->authTokenFuture = {};
567 } else if (!op->hasAuthToken()) {
568 KeyStoreServiceReturnCode rc;
569 HardwareAuthToken found;
570 std::tie(rc, found) = getAuthToken(op->characteristics, op->handle, op->purpose);
571 if (!rc.isOk()) return rc;
572 op->authToken = std::move(found);
573 }
574
575 return ResponseCode::NO_ERROR;
576}
577
578namespace {
579
580class Finalize {
581 private:
582 std::function<void()> f_;
583
584 public:
Chih-Hung Hsieh4fa39ef2019-01-04 13:34:17 -0800[diff] [blame]585 explicit Finalize(std::function<void()> f) : f_(f) {}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]586 ~Finalize() {
587 if (f_) f_();
588 }
589 void release() { f_ = {}; }
590};
591
592} // namespace
593
594void KeymasterWorker::update(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> data,
595 update_cb worker_cb) {
596 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(data),
597 CAPTURE_MOVE(worker_cb)]() {
598 KeyStoreServiceReturnCode rc;
599 auto op = operationMap_.getOperation(token);
600 if (!op) {
601 return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE));
602 }
603
604 Finalize abort_operation_in_case_of_error([&] {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]605 operationMap_.removeOperation(token, false, rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]606 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]607 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]608 });
609
610 rc = getOperationAuthTokenIfNeeded(op);
611 if (!rc.isOk()) return worker_cb(operationFailed(rc));
612
613 // Check that all key authorization policy requirements are met.
614 AuthorizationSet key_auths(op->characteristics.hardwareEnforced);
615 key_auths.append(op->characteristics.softwareEnforced.begin(),
616 op->characteristics.softwareEnforced.end());
617
618 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths,
619 params, op->authToken, op->handle,
620 false /* is_begin_operation */);
621 if (!rc.isOk()) return worker_cb(operationFailed(rc));
622
623 OperationResult result;
624 auto hidlCb = [&](ErrorCode ret, uint32_t inputConsumed,
625 const hidl_vec<KeyParameter>& outParams,
626 const ::std::vector<uint8_t>& output) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]627 op->device->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]628 result.resultCode = ret;
629 if (result.resultCode.isOk()) {
630 result.inputConsumed = inputConsumed;
631 result.outParams = outParams;
632 result.data = output;
633 }
634 };
635
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]636 rc = KS_HANDLE_HIDL_ERROR(op->device,
637 op->device->update(op->handle, params.hidl_data(), data,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]638 op->authToken, op->verificationToken, hidlCb));
639
640 // just a reminder: on success result->resultCode was set in the callback. So we only
641 // overwrite it if there was a communication error indicated by the ErrorCode.
642 if (!rc.isOk()) result.resultCode = rc;
643 if (result.resultCode.isOk()) {
644 // if everything went well we don't abort the operation.
645 abort_operation_in_case_of_error.release();
646 }
647 return worker_cb(std::move(result));
648 });
649}
650
651/**
652 * Check that all KeyParameters provided by the application are allowed. Any parameter that keystore
653 * adds itself should be disallowed here.
654 */
655template <typename ParamsIter>
656static bool checkAllowedOperationParams(ParamsIter begin, const ParamsIter end) {
657 while (begin != end) {
658 switch (begin->tag) {
659 case Tag::ATTESTATION_APPLICATION_ID:
660 case Tag::RESET_SINCE_ID_ROTATION:
661 return false;
662 default:
663 break;
664 }
665 ++begin;
666 }
667 return true;
668}
669
670void KeymasterWorker::finish(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> input,
671 hidl_vec<uint8_t> signature, hidl_vec<uint8_t> entropy,
672 finish_cb worker_cb) {
673 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(params), CAPTURE_MOVE(input),
674 CAPTURE_MOVE(signature), CAPTURE_MOVE(entropy),
675 CAPTURE_MOVE(worker_cb)]() mutable {
676 KeyStoreServiceReturnCode rc;
677 auto op = operationMap_.getOperation(token);
678 if (!op) {
679 return worker_cb(operationFailed(ErrorCode::INVALID_OPERATION_HANDLE));
680 }
681
682 bool finished = false;
683 Finalize abort_operation_in_case_of_error([&] {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]684 operationMap_.removeOperation(token, finished && rc.isOk(), rc.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]685 keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]686 if (!finished)
687 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]688 });
689
690 if (!checkAllowedOperationParams(params.begin(), params.end())) {
691 return worker_cb(operationFailed(ErrorCode::INVALID_ARGUMENT));
692 }
693
694 rc = getOperationAuthTokenIfNeeded(op);
695 if (!rc.isOk()) return worker_cb(operationFailed(rc));
696
697 // Check that all key authorization policy requirements are met.
698 AuthorizationSet key_auths(op->characteristics.hardwareEnforced);
699 key_auths.append(op->characteristics.softwareEnforced.begin(),
700 op->characteristics.softwareEnforced.end());
701
702 if (key_auths.Contains(Tag::TRUSTED_CONFIRMATION_REQUIRED)) {
703 hidl_vec<uint8_t> confirmationToken =
704 keyStore_->getConfirmationManager().getLatestConfirmationToken();
705 if (confirmationToken.size() == 0) {
706 LOG(ERROR) << "Confirmation token required but none found";
707 return worker_cb(operationFailed(ErrorCode::NO_USER_CONFIRMATION));
708 }
709 params.push_back(keymaster::TAG_CONFIRMATION_TOKEN, std::move(confirmationToken));
710 }
711
712 rc = keyStore_->getEnforcementPolicy().AuthorizeOperation(op->purpose, op->keyid, key_auths,
713 params, op->authToken, op->handle,
714 false /* is_begin_operation */);
715 if (!rc.isOk()) return worker_cb(operationFailed(rc));
716
717 if (entropy.size()) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]718 rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]719 if (!rc.isOk()) {
720 return worker_cb(operationFailed(rc));
721 }
722 }
723
724 OperationResult result;
725 auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
726 const ::std::vector<uint8_t>& output) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]727 op->device->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]728 result.resultCode = ret;
729 if (result.resultCode.isOk()) {
730 result.outParams = outParams;
731 result.data = output;
732 }
733 };
734
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]735 rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->finish(op->handle, params.hidl_data(),
736 input, signature, op->authToken,
737 op->verificationToken, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]738
739 if (rc.isOk()) {
740 // inform the finalizer that the finish call went through
741 finished = true;
742 // and what the result was
743 rc = result.resultCode;
744 } else {
745 return worker_cb(operationFailed(rc));
746 }
747 return worker_cb(std::move(result));
748 });
749}
750
751void KeymasterWorker::abort(sp<IBinder> token, abort_cb worker_cb) {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]752 Worker::addRequest([this, CAPTURE_MOVE(token), CAPTURE_MOVE(worker_cb)]() {
753 return worker_cb(abort(token, ResponseCode::ABORT_CALLED));
754 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]755}
756
757void KeymasterWorker::verifyAuthorization(uint64_t challenge, hidl_vec<KeyParameter> params,
758 HardwareAuthToken token,
759 verifyAuthorization_cb worker_cb) {
760 Worker::addRequest([this, challenge, CAPTURE_MOVE(params), CAPTURE_MOVE(token),
761 CAPTURE_MOVE(worker_cb)]() {
762 KeyStoreServiceReturnCode error;
763 VerificationToken verificationToken;
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]764 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
765 keymasterDevice_,
766 keymasterDevice_->verifyAuthorization(
767 challenge, params, token, [&](ErrorCode ret, const VerificationToken& vToken) {
768 keymasterDevice_->logIfKeymasterVendorError(ret);
769 error = ret;
770 verificationToken = vToken;
771 }));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]772 worker_cb(rc.isOk() ? error : rc, std::move(token), std::move(verificationToken));
773 });
774}
775
776void KeymasterWorker::addRngEntropy(hidl_vec<uint8_t> data, addRngEntropy_cb _hidl_cb) {
777 addRequest(&Keymaster::addRngEntropy, std::move(_hidl_cb), std::move(data));
778}
779
780namespace {
781bool containsTag(const hidl_vec<KeyParameter>& params, Tag tag) {
782 return params.end() !=
783 std::find_if(params.begin(), params.end(),
784 [&](const KeyParameter& param) { return param.tag == tag; });
785}
786
787bool isAuthenticationBound(const hidl_vec<KeyParameter>& params) {
788 return !containsTag(params, Tag::NO_AUTH_REQUIRED);
789}
790} // namespace
791
792void KeymasterWorker::generateKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams,
793 hidl_vec<uint8_t> entropy, int flags, generateKey_cb worker_cb) {
794 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams),
795 CAPTURE_MOVE(entropy), CAPTURE_MOVE(worker_cb), flags]() mutable {
796 KeyStoreServiceReturnCode rc =
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]797 KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->addRngEntropy(entropy));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]798 if (!rc.isOk()) {
799 return worker_cb(rc, {});
800 }
801
802 SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel;
803
804 // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced
805 // by KeyStore::getFallbackDevice()
806 bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT;
807
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]808 Finalize logOnFail([&] {
809 logKeystoreKeyCreationEvent(keyParams, false /*wasCreationSuccessful*/,
810 rc.getErrorCode());
811 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]812
813 KeyCharacteristics outCharacteristics;
814 KeyStoreServiceReturnCode error;
815 auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
816 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]817 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]818 error = ret;
819 if (!error.isOk()) {
820 return;
821 }
822 consider_fallback = false;
823 outCharacteristics = keyCharacteristics;
824
825 Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
Edman Anjosba9b7d32020-09-02 17:34:54 +0200[diff] [blame]826 keyBlob.setSecurityLevel(internalSecurityLevel_);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]827 keyBlob.setCriticalToDeviceEncryption(flags &
828 KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
829 if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) {
830 keyBlob.setSuperEncrypted(true);
831 }
832 keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
833
834 AuthorizationSet sw_enforced = keyParams;
835 sw_enforced.Subtract(outCharacteristics.hardwareEnforced);
836 sw_enforced.Union(outCharacteristics.softwareEnforced);
837 sw_enforced.Filter([](const KeyParameter& param) -> bool {
838 return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID);
839 });
840 if (!sw_enforced.Contains(Tag::USER_ID)) {
841 // Most Java processes don't have access to this tag
842 sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid()));
843 }
844 Blob keyCharBlob;
845 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
846 error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob));
847 };
848
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]849 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
850 keymasterDevice_->generateKey(keyParams, hidl_cb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]851 if (!rc.isOk()) {
852 return worker_cb(rc, {});
853 }
854
855 if (consider_fallback && !error.isOk()) {
856 auto fallback = keyStore_->getFallbackDevice();
857 if (!fallback) {
858 return worker_cb(error, {});
859 }
860 // No fallback for 3DES
861 for (auto& param : keyParams) {
862 auto algorithm = authorizationValue(TAG_ALGORITHM, param);
863 if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
864 return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {});
865 }
866 }
867
868 // delegate to fallback worker
869 fallback->generateKey(std::move(lockedEntry), std::move(keyParams), std::move(entropy),
870 flags, std::move(worker_cb));
871 // let fallback do the logging
872 logOnFail.release();
873 return;
874 }
875
876 if (!error.isOk()) return worker_cb(error, {});
877
878 // log on success
879 logOnFail.release();
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]880 logKeystoreKeyCreationEvent(keyParams, true /*wasCreationSuccessful*/,
881 error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]882
883 return worker_cb(error, std::move(outCharacteristics));
884 });
885}
886
887void KeymasterWorker::generateKey(hidl_vec<KeyParameter> keyParams, generateKey2_cb worker_cb) {
888 addRequest(&Keymaster::generateKey, std::move(worker_cb), std::move(keyParams));
889}
890
891void KeymasterWorker::getKeyCharacteristics(LockedKeyBlobEntry lockedEntry,
892 hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData,
893 Blob keyBlob, Blob charBlob,
894 getKeyCharacteristics_cb worker_cb) {
895 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(clientId),
896 CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob),
897 CAPTURE_MOVE(worker_cb)]() {
898 auto result = createKeyCharacteristicsCache(lockedEntry, clientId, appData,
899 std::move(keyBlob), std::move(charBlob));
900 return worker_cb(std::get<0>(result), std::move(std::get<1>(result)));
901 });
902}
903
904void KeymasterWorker::importKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> keyParams,
905 KeyFormat keyFormat, hidl_vec<uint8_t> keyData, int flags,
906 importKey_cb worker_cb) {
907 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams), keyFormat,
908 CAPTURE_MOVE(keyData), flags, CAPTURE_MOVE(worker_cb)]() mutable {
909 SecurityLevel securityLevel = keymasterDevice_->halVersion().securityLevel;
910
911 // Fallback cannot be considered for Strongbox. Further versions restrictions are enforced
912 // by KeyStore::getFallbackDevice()
913 bool consider_fallback = securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT;
914
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]915 KeyStoreServiceReturnCode error;
916 Finalize logOnFail([&] {
917 logKeystoreKeyCreationEvent(keyParams, false /*wasCreationSuccessful*/,
918 error.getErrorCode());
919 });
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]920
921 KeyCharacteristics outCharacteristics;
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]922 auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
923 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]924 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]925 error = ret;
926 if (!error.isOk()) {
927 LOG(INFO) << "importKey failed";
928 return;
929 }
930 consider_fallback = false;
931 outCharacteristics = keyCharacteristics;
932
933 Blob keyBlob(&hidlKeyBlob[0], hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
Edman Anjosba9b7d32020-09-02 17:34:54 +0200[diff] [blame]934 keyBlob.setSecurityLevel(internalSecurityLevel_);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]935 keyBlob.setCriticalToDeviceEncryption(flags &
936 KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
937 if (isAuthenticationBound(keyParams) && !keyBlob.isCriticalToDeviceEncryption()) {
938 keyBlob.setSuperEncrypted(true);
939 }
940 keyBlob.setEncrypted(flags & KEYSTORE_FLAG_ENCRYPTED);
941
942 AuthorizationSet sw_enforced = keyParams;
943 sw_enforced.Subtract(outCharacteristics.hardwareEnforced);
944 sw_enforced.Union(outCharacteristics.softwareEnforced);
945 sw_enforced.Filter([](const KeyParameter& param) -> bool {
946 return !(param.tag == Tag::APPLICATION_DATA || param.tag == Tag::APPLICATION_ID);
947 });
948 if (!sw_enforced.Contains(Tag::USER_ID)) {
949 // Most Java processes don't have access to this tag
950 sw_enforced.push_back(keymaster::TAG_USER_ID, get_user_id(lockedEntry->uid()));
951 }
952 Blob keyCharBlob;
953 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
954 error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob));
955 };
956
957 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]958 keymasterDevice_, keymasterDevice_->importKey(keyParams, keyFormat, keyData, hidl_cb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]959 if (!rc.isOk()) {
960 return worker_cb(rc, {});
961 }
962
963 if (consider_fallback && !error.isOk()) {
964 auto fallback = keyStore_->getFallbackDevice();
965 if (!fallback) {
966 return worker_cb(error, {});
967 }
968 // No fallback for 3DES
969 for (auto& param : keyParams) {
970 auto algorithm = authorizationValue(TAG_ALGORITHM, param);
971 if (algorithm.isOk() && algorithm.value() == Algorithm::TRIPLE_DES) {
972 return worker_cb(ErrorCode::UNSUPPORTED_ALGORITHM, {});
973 }
974 }
975
976 // delegate to fallback worker
977 fallback->importKey(std::move(lockedEntry), std::move(keyParams), keyFormat,
978 std::move(keyData), flags, std::move(worker_cb));
979 // let fallback to the logging
980 logOnFail.release();
981 return;
982 }
983
984 if (!error.isOk()) return worker_cb(error, {});
985
986 // log on success
987 logOnFail.release();
Hasini Gunasinghe4e55c2f2020-05-26 01:28:17 +0000[diff] [blame]988 logKeystoreKeyCreationEvent(keyParams, true /*wasCreationSuccessful*/,
989 error.getErrorCode());
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]990
991 return worker_cb(error, std::move(outCharacteristics));
992 });
993}
994
995void KeymasterWorker::importWrappedKey(LockedKeyBlobEntry wrappingLockedEntry,
996 LockedKeyBlobEntry wrapppedLockedEntry,
997 hidl_vec<uint8_t> wrappedKeyData,
998 hidl_vec<uint8_t> maskingKey,
999 hidl_vec<KeyParameter> unwrappingParams, Blob wrappingBlob,
1000 Blob wrappingCharBlob, uint64_t passwordSid,
1001 uint64_t biometricSid, importWrappedKey_cb worker_cb) {
1002 Worker::addRequest([this, CAPTURE_MOVE(wrappingLockedEntry), CAPTURE_MOVE(wrapppedLockedEntry),
1003 CAPTURE_MOVE(wrappedKeyData), CAPTURE_MOVE(maskingKey),
1004 CAPTURE_MOVE(unwrappingParams), CAPTURE_MOVE(wrappingBlob),
1005 CAPTURE_MOVE(wrappingCharBlob), passwordSid, biometricSid,
1006 CAPTURE_MOVE(worker_cb)]() mutable {
1007 auto hidlWrappingKey = blob2hidlVec(wrappingBlob);
1008
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1009 KeyCharacteristics outCharacteristics;
1010 KeyStoreServiceReturnCode error;
1011
1012 auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
1013 const KeyCharacteristics& keyCharacteristics) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1014 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1015 error = ret;
1016 if (!error.isOk()) {
1017 return;
1018 }
1019 outCharacteristics = keyCharacteristics;
1020
1021 Blob keyBlob(hidlKeyBlob.data(), hidlKeyBlob.size(), nullptr, 0, ::TYPE_KEYMASTER_10);
Edman Anjosba9b7d32020-09-02 17:34:54 +0200[diff] [blame]1022 keyBlob.setSecurityLevel(internalSecurityLevel_);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1023 if (isAuthenticationBound(keyCharacteristics.hardwareEnforced)) {
1024 keyBlob.setSuperEncrypted(true);
1025 }
1026
1027 AuthorizationSet sw_enforced = outCharacteristics.softwareEnforced;
1028 if (!sw_enforced.Contains(Tag::USER_ID)) {
1029 // Most Java processes don't have access to this tag
1030 sw_enforced.push_back(keymaster::TAG_USER_ID,
1031 get_user_id(wrapppedLockedEntry->uid()));
1032 }
1033 Blob keyCharBlob;
1034 keyCharBlob.putKeyCharacteristics(outCharacteristics.hardwareEnforced, sw_enforced);
1035 error = keyStore_->put(wrapppedLockedEntry, std::move(keyBlob), std::move(keyCharBlob));
1036 };
1037
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1038 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
1039 keymasterDevice_, keymasterDevice_->importWrappedKey(
1040 wrappedKeyData, hidlWrappingKey, maskingKey, unwrappingParams,
1041 passwordSid, biometricSid, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1042
1043 // possible hidl error
1044 if (!rc.isOk()) {
1045 return worker_cb(rc, {});
1046 }
1047
1048 if (error == ErrorCode::KEY_REQUIRES_UPGRADE) {
1049 std::tie(rc, wrappingBlob) = upgradeKeyBlob(wrappingLockedEntry, {});
1050 if (!rc.isOk()) {
1051 return worker_cb(rc, {});
1052 }
1053
1054 auto upgradedHidlKeyBlob = blob2hidlVec(wrappingBlob);
1055
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1056 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
1057 keymasterDevice_->importWrappedKey(
1058 wrappedKeyData, upgradedHidlKeyBlob, maskingKey,
1059 unwrappingParams, passwordSid, biometricSid, hidlCb));
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1060 if (!rc.isOk()) {
1061 error = rc;
1062 }
1063 }
1064 return worker_cb(error, std::move(outCharacteristics));
1065 });
1066}
1067
1068void KeymasterWorker::exportKey(LockedKeyBlobEntry lockedEntry, KeyFormat exportFormat,
1069 hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData, Blob keyBlob,
1070 Blob charBlob, exportKey_cb worker_cb) {
1071 Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), exportFormat, CAPTURE_MOVE(clientId),
1072 CAPTURE_MOVE(appData), CAPTURE_MOVE(keyBlob), CAPTURE_MOVE(charBlob),
1073 CAPTURE_MOVE(worker_cb)]() mutable {
1074 auto key = blob2hidlVec(keyBlob);
1075
1076 ExportResult result;
1077 auto hidlCb = [&](ErrorCode ret,
1078 const ::android::hardware::hidl_vec<uint8_t>& keyMaterial) {
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1079 keymasterDevice_->logIfKeymasterVendorError(ret);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1080 result.resultCode = ret;
1081 if (!result.resultCode.isOk()) {
1082 if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
1083 log_key_integrity_violation(lockedEntry->alias().c_str(), lockedEntry->uid());
1084 }
1085 return;
1086 }
1087 result.exportData = keyMaterial;
1088 };
1089 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1090 keymasterDevice_,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1091 keymasterDevice_->exportKey(exportFormat, key, clientId, appData, hidlCb));
1092
1093 // Overwrite result->resultCode only on HIDL error. Otherwise we want the result set in the
1094 // callback hidlCb.
1095 if (!rc.isOk()) {
1096 result.resultCode = rc;
1097 }
1098
1099 if (result.resultCode == ErrorCode::KEY_REQUIRES_UPGRADE) {
1100 AuthorizationSet upgradeParams;
1101 if (clientId.size()) {
1102 upgradeParams.push_back(TAG_APPLICATION_ID, clientId);
1103 }
1104 if (appData.size()) {
1105 upgradeParams.push_back(TAG_APPLICATION_DATA, appData);
1106 }
1107 std::tie(rc, keyBlob) = upgradeKeyBlob(lockedEntry, upgradeParams);
1108 if (!rc.isOk()) {
1109 return worker_cb(std::move(result));
1110 }
1111
1112 auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
1113
Janis Danisevskis37896102019-03-14 17:15:06 -0700[diff] [blame]1114 rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
1115 keymasterDevice_->exportKey(exportFormat, upgradedHidlKeyBlob,
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1116 clientId, appData, hidlCb));
1117 if (!rc.isOk()) {
1118 result.resultCode = rc;
1119 }
1120 }
1121 return worker_cb(std::move(result));
1122 });
1123}
1124void KeymasterWorker::attestKey(hidl_vec<uint8_t> keyToAttest, hidl_vec<KeyParameter> attestParams,
1125 attestKey_cb worker_cb) {
1126 addRequest(&Keymaster::attestKey, std::move(worker_cb), std::move(keyToAttest),
1127 std::move(attestParams));
1128}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1129
1130void KeymasterWorker::deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb) {
1131 addRequest(&Keymaster::deleteKey, std::move(_hidl_cb), std::move(keyBlob));
1132}
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1133
1134void KeymasterWorker::binderDied(android::wp<IBinder> who) {
1135 Worker::addRequest([this, who]() {
1136 auto operations = operationMap_.getOperationsForToken(who.unsafe_get());
1137 for (const auto& token : operations) {
Hasini Gunasinghe242460e2020-06-05 14:06:02 +0000[diff] [blame]1138 abort(token, ResponseCode::BINDER_DIED);
Janis Danisevskisbec89992019-08-14 13:42:19 -0700[diff] [blame]1139 keyStore_->removeOperationDevice(token);
Janis Danisevskisff3d7f42018-10-08 07:15:09 -0700[diff] [blame]1140 }
1141 });
1142}
1143
1144} // namespace keystore