Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 4507f3bdddcae4a0eaf917fdfb2195a0f9f6ce27 / . / keystore2 / src / service.rs
blob: f8650e6cbaa8524a2c72a0e1a5f250fe40f5b73b [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// TODO remove when fully implemented.
16#![allow(unused_variables)]
17
18//! This crate implement the core Keystore 2.0 service API as defined by the Keystore 2.0
19//! AIDL spec.
20
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]21use crate::globals::DB;
22use crate::permission;
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]23use crate::permission::{KeyPerm, KeystorePerm};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]24use crate::security_level::KeystoreSecurityLevel;
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]25use crate::utils::{
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]26 check_grant_permission, check_key_permission, check_keystore_permission,
27 key_parameters_to_authorizations, Asp,
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]28};
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]29use crate::{
30 database::{KeyEntryLoadBits, KeyType, SubComponentType},
31 error::ResponseCode,
32};
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame^]33use crate::{
34 error::{self, map_or_log_err, ErrorCode},
35 gc::Gc,
36};
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]37use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]38use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]39 Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
40 IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
41 KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]42};
43use anyhow::{anyhow, Context, Result};
44use binder::{IBinder, Interface, ThreadState};
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]45use error::Error;
46use keystore2_selinux as selinux;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]47
48/// Implementation of the IKeystoreService.
49pub struct KeystoreService {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]50 sec_level_tee: Asp,
51 sec_level_strongbox: Option<Asp>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]52}
53
54impl KeystoreService {
55 /// Create a new instance of the Keystore 2.0 service.
56 pub fn new_native_binder() -> Result<impl IKeystoreService> {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]57 let tee = KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
58 .map(|tee| Asp::new(tee.as_binder()))
59 .context(concat!(
60 "In KeystoreService::new_native_binder: ",
61 "Trying to construct mendatory security level TEE."
62 ))?;
63 // Strongbox is optional, so we ignore errors and turn the result into an Option.
64 let strongbox =
65 KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
66 .map(|tee| Asp::new(tee.as_binder()))
67 .ok();
68
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]69 let result = BnKeystoreService::new_binder(Self {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]70 sec_level_tee: tee,
71 sec_level_strongbox: strongbox,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]72 });
73 result.as_binder().set_requesting_sid(true);
74 Ok(result)
75 }
76
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]77 fn get_security_level_internal(
78 &self,
79 security_level: SecurityLevel,
80 ) -> Result<Option<Box<dyn IKeystoreSecurityLevel>>> {
81 Ok(match (security_level, &self.sec_level_strongbox) {
82 (SecurityLevel::TRUSTED_ENVIRONMENT, _) => Some(self.sec_level_tee.get_interface().context(
83 "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (TEE).",
84 )?),
85 (SecurityLevel::STRONGBOX, Some(strongbox)) => Some(strongbox.get_interface().context(
86 "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (Strongbox).",
87 )?),
88 _ => None,
89 })
90 }
91
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]92 fn get_security_level(
93 &self,
94 security_level: SecurityLevel,
95 ) -> Result<Box<dyn IKeystoreSecurityLevel>> {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]96 self.get_security_level_internal(security_level)
97 .context("In get_security_level.")?
98 .ok_or_else(|| anyhow!(error::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE)))
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]99 }
100
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]101 fn get_key_entry(&self, key: &KeyDescriptor) -> Result<KeyEntryResponse> {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]102 let (key_id_guard, mut key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]103 .with(|db| {
104 db.borrow_mut().load_key_entry(
105 key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]106 KeyType::Client,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]107 KeyEntryLoadBits::PUBLIC,
108 ThreadState::get_calling_uid(),
109 |k, av| check_key_permission(KeyPerm::get_info(), k, &av),
110 )
111 })
112 .context("In get_key_entry, while trying to load key info.")?;
113
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]114 let i_sec_level = self
115 .get_security_level_internal(key_entry.sec_level())
116 .context("In get_key_entry.")?
117 .ok_or_else(|| {
118 anyhow!(error::Error::sys()).context(format!(
119 concat!(
120 "Found key with security level {:?} ",
121 "but no KeyMint instance of that security level."
122 ),
123 key_entry.sec_level()
124 ))
125 })?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]126
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]127 Ok(KeyEntryResponse {
128 iSecurityLevel: Some(i_sec_level),
129 metadata: KeyMetadata {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]130 key: KeyDescriptor {
131 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]132 nspace: key_id_guard.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]133 ..Default::default()
134 },
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]135 keySecurityLevel: key_entry.sec_level(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]136 certificate: key_entry.take_cert(),
137 certificateChain: key_entry.take_cert_chain(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]138 modificationTimeMs: key_entry
139 .metadata()
140 .creation_date()
141 .map(|d| d.to_millis_epoch())
142 .ok_or(Error::Rc(ResponseCode::VALUE_CORRUPTED))
143 .context("In get_key_entry: Trying to get creation date.")?,
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]144 authorizations: key_parameters_to_authorizations(key_entry.into_key_parameters()),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]145 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]146 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]147 }
148
149 fn update_subcomponent(
150 &self,
151 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]152 public_cert: Option<&[u8]>,
153 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]154 ) -> Result<()> {
155 DB.with::<_, Result<()>>(|db| {
156 let mut db = db.borrow_mut();
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]157 let (key_id_guard, key_entry) = db
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]158 .load_key_entry(
159 key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]160 KeyType::Client,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]161 KeyEntryLoadBits::NONE,
162 ThreadState::get_calling_uid(),
163 |k, av| {
164 check_key_permission(KeyPerm::update(), k, &av)
165 .context("In update_subcomponent.")
166 },
167 )
168 .context("Failed to load key_entry.")?;
169
170 if let Some(cert) = public_cert {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]171 db.insert_blob(&key_id_guard, SubComponentType::CERT, cert)
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]172 .context("Failed to update cert subcomponent.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]173 }
174
175 if let Some(cert_chain) = certificate_chain {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]176 db.insert_blob(&key_id_guard, SubComponentType::CERT_CHAIN, cert_chain)
177 .context("Failed to update cert chain subcomponent.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]178 }
179 Ok(())
180 })
181 .context("In update_subcomponent.")
182 }
183
184 fn list_entries(&self, domain: Domain, namespace: i64) -> Result<Vec<KeyDescriptor>> {
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]185 let mut k = match domain {
186 Domain::APP => KeyDescriptor {
187 domain,
188 nspace: ThreadState::get_calling_uid() as u64 as i64,
189 ..Default::default()
190 },
191 Domain::SELINUX => KeyDescriptor{domain, nspace: namespace, ..Default::default()},
192 _ => return Err(Error::perm()).context(
193 "In list_entries: List entries is only supported for Domain::APP and Domain::SELINUX."
194 ),
195 };
196
197 // First we check if the caller has the info permission for the selected domain/namespace.
198 // By default we use the calling uid as namespace if domain is Domain::APP.
199 // If the first check fails we check if the caller has the list permission allowing to list
200 // any namespace. In that case we also adjust the queried namespace if a specific uid was
201 // selected.
202 match check_key_permission(KeyPerm::get_info(), &k, &None) {
203 Err(e) => {
204 if let Some(selinux::Error::PermissionDenied) =
205 e.root_cause().downcast_ref::<selinux::Error>()
206 {
207 check_keystore_permission(KeystorePerm::list())
208 .context("In list_entries: While checking keystore permission.")?;
209 if namespace != -1 {
210 k.nspace = namespace;
211 }
212 } else {
213 return Err(e).context("In list_entries: While checking key permission.")?;
214 }
215 }
216 Ok(()) => {}
217 };
218
219 DB.with(|db| {
220 let mut db = db.borrow_mut();
221 db.list(k.domain, k.nspace)
222 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]223 }
224
225 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]226 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame^]227 let need_gc = DB
228 .with(|db| {
229 db.borrow_mut().unbind_key(key.clone(), KeyType::Client, caller_uid, |k, av| {
230 check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
231 })
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]232 })
Janis Danisevskis4507f3b2021-01-13 16:34:39 -0800[diff] [blame^]233 .context("In delete_key: Trying to unbind the key.")?;
234 if need_gc {
235 Gc::notify_gc();
236 }
Janis Danisevskisa51ccbc2020-11-25 21:04:24 -0800[diff] [blame]237 Ok(())
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]238 }
239
240 fn grant(
241 &self,
242 key: &KeyDescriptor,
243 grantee_uid: i32,
244 access_vector: permission::KeyPermSet,
245 ) -> Result<KeyDescriptor> {
246 DB.with(|db| {
247 db.borrow_mut().grant(
248 key.clone(),
249 ThreadState::get_calling_uid(),
250 grantee_uid as u32,
251 access_vector,
252 |k, av| check_grant_permission(*av, k).context("During grant."),
253 )
254 })
255 .context("In KeystoreService::grant.")
256 }
257
258 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> Result<()> {
259 DB.with(|db| {
260 db.borrow_mut().ungrant(
261 key.clone(),
262 ThreadState::get_calling_uid(),
263 grantee_uid as u32,
264 |k| check_key_permission(KeyPerm::grant(), k, &None),
265 )
266 })
267 .context("In KeystoreService::ungrant.")
268 }
269}
270
271impl binder::Interface for KeystoreService {}
272
273// Implementation of IKeystoreService. See AIDL spec at
274// system/security/keystore2/binder/android/security/keystore2/IKeystoreService.aidl
275impl IKeystoreService for KeystoreService {
276 fn getSecurityLevel(
277 &self,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]278 security_level: SecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]279 ) -> binder::public_api::Result<Box<dyn IKeystoreSecurityLevel>> {
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]280 map_or_log_err(self.get_security_level(SecurityLevel(security_level.0)), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]281 }
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]282 fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
283 map_or_log_err(self.get_key_entry(key), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]284 }
285 fn updateSubcomponent(
286 &self,
287 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]288 public_cert: Option<&[u8]>,
289 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]290 ) -> binder::public_api::Result<()> {
291 map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
292 }
293 fn listEntries(
294 &self,
295 domain: Domain,
296 namespace: i64,
297 ) -> binder::public_api::Result<Vec<KeyDescriptor>> {
298 map_or_log_err(self.list_entries(domain, namespace), Ok)
299 }
300 fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
301 map_or_log_err(self.delete_key(key), Ok)
302 }
303 fn grant(
304 &self,
305 key: &KeyDescriptor,
306 grantee_uid: i32,
307 access_vector: i32,
308 ) -> binder::public_api::Result<KeyDescriptor> {
309 map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
310 }
311 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
312 map_or_log_err(self.ungrant(key, grantee_uid), Ok)
313 }
314}