// Copyright 2020, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

//! This module implements the IKeystoreAuthorization AIDL interface.

Hasini Gunasinghea020b532021-01-07 21:42:35 +000017use crate::error::Error as KeystoreError;
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000018use crate::error::map_or_log_err;
Hasini Gunasinghe731e3c82021-02-06 00:56:28 +000019use crate::globals::{ENFORCEMENTS, SUPER_KEY, DB};
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000020use crate::permission::KeystorePerm;
Hasini Gunasinghe731e3c82021-02-06 00:56:28 +000021use crate::super_key::UserState;
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000022use crate::utils::check_keystore_permission;
23use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Hasini Gunasingheda895552021-01-27 19:34:37 +000024 HardwareAuthToken::HardwareAuthToken,
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000025};
Stephen Crane221bbb52020-12-16 15:52:10 -080026use android_security_authorization::binder::{Interface, Result as BinderResult, Strong};
27use android_security_authorization::aidl::android::security::authorization::IKeystoreAuthorization::{
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000028 BnKeystoreAuthorization, IKeystoreAuthorization,
29};
Hasini Gunasinghea020b532021-01-07 21:42:35 +000030use android_security_authorization:: aidl::android::security::authorization::LockScreenEvent::LockScreenEvent;
31use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
Janis Danisevskis9f10a6a2021-01-18 16:45:21 +000032use anyhow::{Context, Result};
33use binder::IBinder;
34
/// Service object that backs the `IKeystoreAuthorization` AIDL interface.
///
/// The struct has no fields: it exists only so the interface traits can be
/// implemented on it.
pub struct AuthorizationManager;
38
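impl AuthorizationManager {
    /// Creates the Keystore Authorization service and wraps it in a binder object.
    ///
    /// `set_requesting_sid(true)` is applied to the binder before it is returned.
    // NOTE(review): presumably this is what makes the caller's SELinux context
    // available to `check_keystore_permission` on incoming calls - confirm in
    // `crate::utils` before changing or removing it.
    pub fn new_native_binder() -> Result<Strong<dyn IKeystoreAuthorization>> {
        let service = BnKeystoreAuthorization::new_binder(Self);
        service.as_binder().set_requesting_sid(true);
        Ok(service)
    }

    /// Forwards a hardware auth token to the global enforcement module.
    ///
    /// # Errors
    ///
    /// Fails if the caller does not hold the `add_auth` keystore permission, or if
    /// `ENFORCEMENTS.add_auth_token` returns an error.
    fn add_auth_token(&self, auth_token: &HardwareAuthToken) -> Result<()> {
        // Authorize before touching any state: a caller without `add_auth` must not
        // be able to inject tokens.
        check_keystore_permission(KeystorePerm::add_auth()).context("In add_auth_token.")?;

        // NOTE(review): the token is stored as received; no MAC or timestamp check is
        // visible in this function - confirm where the token is verified before it
        // is relied on for an authorization decision.
        ENFORCEMENTS.add_auth_token(auth_token.clone())?;
        Ok(())
    }

    /// Handles a lock screen state change reported for `user_id`.
    ///
    /// Supported combinations of `lock_screen_event` and `password`:
    ///
    /// * `UNLOCK` with a password: requires the `unlock` permission, marks the device
    ///   unlocked for the user and unlocks the user's super key with the password.
    /// * `UNLOCK` without a password: requires the `unlock` permission and marks the
    ///   device unlocked for the user.
    /// * `LOCK` without a password: requires the `lock` permission and marks the
    ///   device locked for the user.
    ///
    /// # Errors
    ///
    /// Returns `ResponseCode::INVALID_ARGUMENT` for any other combination, and for a
    /// negative `user_id` on the password unlock path. Permission failures and errors
    /// from the super key unlock are propagated with context.
    fn on_lock_screen_event(
        &self,
        lock_screen_event: LockScreenEvent,
        user_id: i32,
        password: Option<&[u8]>,
    ) -> Result<()> {
        match (lock_screen_event, password) {
            (LockScreenEvent::UNLOCK, Some(user_password)) => {
                // This corresponds to the unlock() method in the legacy keystore API.
                check_keystore_permission(KeystorePerm::unlock())
                    .context("In on_lock_screen_event: Unlock with password.")?;

                // The super key lookup below takes a u32. Reject negative ids up
                // front so the `as u32` cast can never wrap one into a different,
                // very large user id, and so no lock state changes for such input.
                if user_id < 0 {
                    return Err(KeystoreError::Rc(ResponseCode::INVALID_ARGUMENT))
                        .context("In on_lock_screen_event: Unlock with password: negative user id.");
                }

                // NOTE(review): the device is marked unlocked before the password
                // based super key unlock has succeeded. If that step returns an
                // error, the unlocked state stays in place - confirm this ordering
                // is intended.
                ENFORCEMENTS.set_device_locked(user_id, false);

                // Unlock super key. `user_password` is secret material: keep it out
                // of log messages and error contexts.
                let user_state = DB
                    .with(|db| {
                        UserState::get_with_password_unlock(
                            &mut db.borrow_mut(),
                            &SUPER_KEY,
                            user_id as u32, // non-negative, checked above
                            user_password,
                        )
                    })
                    .context("In on_lock_screen_event: Unlock with password.")?;

                if let UserState::Uninitialized = user_state {
                    log::info!(
                        "In on_lock_screen_event. Trying to unlock when LSKF is uninitialized."
                    );
                }

                Ok(())
            }
            (LockScreenEvent::UNLOCK, None) => {
                check_keystore_permission(KeystorePerm::unlock())
                    .context("In on_lock_screen_event: Unlock.")?;
                ENFORCEMENTS.set_device_locked(user_id, false);
                Ok(())
            }
            (LockScreenEvent::LOCK, None) => {
                check_keystore_permission(KeystorePerm::lock())
                    .context("In on_lock_screen_event: Lock")?;
                ENFORCEMENTS.set_device_locked(user_id, true);
                Ok(())
            }
            _ => {
                // Any other combination is not supported.
                Err(KeystoreError::Rc(ResponseCode::INVALID_ARGUMENT))
                    .context("In on_lock_screen_event: Unknown event.")
            }
        }
    }
}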
107
// Empty `Interface` impl for the service type; no methods are overridden here.
impl Interface for AuthorizationManager {}
109
impl IKeystoreAuthorization for AuthorizationManager {
    /// Binder entry point for `addAuthToken`.
    ///
    /// Delegates to `add_auth_token`, which performs the permission check, and
    /// passes its result through `map_or_log_err` to obtain a `BinderResult`.
    fn addAuthToken(&self, auth_token: &HardwareAuthToken) -> BinderResult<()> {
        let outcome = self.add_auth_token(auth_token);
        map_or_log_err(outcome, Ok)
    }

    /// Binder entry point for `onLockScreenEvent`.
    ///
    /// Delegates to `on_lock_screen_event`, which performs the permission checks,
    /// and passes its result through `map_or_log_err` to obtain a `BinderResult`.
    fn onLockScreenEvent(
        &self,
        lock_screen_event: LockScreenEvent,
        user_id: i32,
        password: Option<&[u8]>,
    ) -> BinderResult<()> {
        let outcome = self.on_lock_screen_event(lock_screen_event, user_id, password);
        map_or_log_err(outcome, Ok)
    }
}