blob: 47bd946d79c549f2aa6eb7fb711a54863ba48cc9 [file] [log] [blame]
Hasini Gunasingheda895552021-01-27 19:34:37 +00001// Copyright 2021, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
Janis Danisevskis34a0cf22021-03-08 09:19:03 -080015//! This module implements IKeystoreMaintenance AIDL interface.
Hasini Gunasingheda895552021-01-27 19:34:37 +000016
Satya Tangirala5b9e5b12021-03-09 12:54:21 -080017use crate::error::map_km_error;
Hasini Gunasingheda895552021-01-27 19:34:37 +000018use crate::error::Error as KeystoreError;
Satya Tangirala5b9e5b12021-03-09 12:54:21 -080019use crate::globals::get_keymint_device;
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +000020use crate::globals::{DB, LEGACY_MIGRATOR, SUPER_KEY};
Hasini Gunasingheda895552021-01-27 19:34:37 +000021use crate::permission::KeystorePerm;
22use crate::super_key::UserState;
23use crate::utils::check_keystore_permission;
Janis Danisevskis333b7c02021-03-23 18:57:41 -070024use crate::{database::MonotonicRawTime, error::map_or_log_err};
Satya Tangirala5b9e5b12021-03-09 12:54:21 -080025use android_hardware_security_keymint::aidl::android::hardware::security::keymint::IKeyMintDevice::IKeyMintDevice;
26use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
Hasini Gunasinghe9ee18412021-03-11 20:12:44 +000027use android_security_maintenance::aidl::android::security::maintenance::{
28 IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
29 UserState::UserState as AidlUserState,
Hasini Gunasingheda895552021-01-27 19:34:37 +000030};
Janis Danisevskis34a0cf22021-03-08 09:19:03 -080031use android_security_maintenance::binder::{Interface, Result as BinderResult};
Janis Danisevskisddd6e752021-02-22 18:46:55 -080032use android_system_keystore2::aidl::android::system::keystore2::Domain::Domain;
Hasini Gunasingheda895552021-01-27 19:34:37 +000033use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
34use anyhow::{Context, Result};
Andrew Walbran808e8602021-03-16 13:58:28 +000035use binder::{IBinderInternal, Strong};
Paul Crowleyf61fee72021-03-17 14:38:44 -070036use keystore2_crypto::Password;
Hasini Gunasingheda895552021-01-27 19:34:37 +000037
38/// This struct is defined to implement the aforementioned AIDL interface.
39/// As of now, it is an empty struct.
Janis Danisevskis34a0cf22021-03-08 09:19:03 -080040pub struct Maintenance;
Hasini Gunasingheda895552021-01-27 19:34:37 +000041
Janis Danisevskis34a0cf22021-03-08 09:19:03 -080042impl Maintenance {
Hasini Gunasingheda895552021-01-27 19:34:37 +000043 /// Create a new instance of Keystore User Manager service.
Janis Danisevskis34a0cf22021-03-08 09:19:03 -080044 pub fn new_native_binder() -> Result<Strong<dyn IKeystoreMaintenance>> {
45 let result = BnKeystoreMaintenance::new_binder(Self);
Hasini Gunasingheda895552021-01-27 19:34:37 +000046 result.as_binder().set_requesting_sid(true);
47 Ok(result)
48 }
49
Paul Crowleyf61fee72021-03-17 14:38:44 -070050 fn on_user_password_changed(user_id: i32, password: Option<Password>) -> Result<()> {
Hasini Gunasingheda895552021-01-27 19:34:37 +000051 //Check permission. Function should return if this failed. Therefore having '?' at the end
52 //is very important.
53 check_keystore_permission(KeystorePerm::change_password())
54 .context("In on_user_password_changed.")?;
55
56 match DB
57 .with(|db| {
58 UserState::get_with_password_changed(
59 &mut db.borrow_mut(),
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +000060 &LEGACY_MIGRATOR,
Hasini Gunasingheda895552021-01-27 19:34:37 +000061 &SUPER_KEY,
62 user_id as u32,
Paul Crowleyf61fee72021-03-17 14:38:44 -070063 password.as_ref(),
Hasini Gunasingheda895552021-01-27 19:34:37 +000064 )
65 })
66 .context("In on_user_password_changed.")?
67 {
68 UserState::LskfLocked => {
Janis Danisevskiseed69842021-02-18 20:04:10 -080069 // Error - password can not be changed when the device is locked
Hasini Gunasingheda895552021-01-27 19:34:37 +000070 Err(KeystoreError::Rc(ResponseCode::LOCKED))
71 .context("In on_user_password_changed. Device is locked.")
72 }
73 _ => {
Janis Danisevskiseed69842021-02-18 20:04:10 -080074 // LskfLocked is the only error case for password change
Hasini Gunasingheda895552021-01-27 19:34:37 +000075 Ok(())
76 }
77 }
78 }
79
80 fn add_or_remove_user(user_id: i32) -> Result<()> {
81 // Check permission. Function should return if this failed. Therefore having '?' at the end
82 // is very important.
83 check_keystore_permission(KeystorePerm::change_user()).context("In add_or_remove_user.")?;
Janis Danisevskiseed69842021-02-18 20:04:10 -080084 DB.with(|db| {
85 UserState::reset_user(
86 &mut db.borrow_mut(),
87 &SUPER_KEY,
88 &LEGACY_MIGRATOR,
89 user_id as u32,
90 false,
91 )
92 })
93 .context("In add_or_remove_user: Trying to delete keys from db.")
Hasini Gunasingheda895552021-01-27 19:34:37 +000094 }
Janis Danisevskisddd6e752021-02-22 18:46:55 -080095
96 fn clear_namespace(domain: Domain, nspace: i64) -> Result<()> {
97 // Permission check. Must return on error. Do not touch the '?'.
98 check_keystore_permission(KeystorePerm::clear_uid()).context("In clear_namespace.")?;
99
100 LEGACY_MIGRATOR
101 .bulk_delete_uid(domain, nspace)
102 .context("In clear_namespace: Trying to delete legacy keys.")?;
103 DB.with(|db| db.borrow_mut().unbind_keys_for_namespace(domain, nspace))
104 .context("In clear_namespace: Trying to delete keys from db.")
105 }
Hasini Gunasinghe9ee18412021-03-11 20:12:44 +0000106
107 fn get_state(user_id: i32) -> Result<AidlUserState> {
108 // Check permission. Function should return if this failed. Therefore having '?' at the end
109 // is very important.
110 check_keystore_permission(KeystorePerm::get_state()).context("In get_state.")?;
111 let state = DB
112 .with(|db| {
113 UserState::get(&mut db.borrow_mut(), &LEGACY_MIGRATOR, &SUPER_KEY, user_id as u32)
114 })
115 .context("In get_state. Trying to get UserState.")?;
116
117 match state {
118 UserState::Uninitialized => Ok(AidlUserState::UNINITIALIZED),
119 UserState::LskfUnlocked(_) => Ok(AidlUserState::LSKF_UNLOCKED),
120 UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
121 }
122 }
Janis Danisevskis333b7c02021-03-23 18:57:41 -0700123
Satya Tangirala5b9e5b12021-03-09 12:54:21 -0800124 fn early_boot_ended_help(sec_level: &SecurityLevel) -> Result<()> {
125 let (dev, _, _) =
126 get_keymint_device(sec_level).context("In early_boot_ended: getting keymint device")?;
127 let km_dev: Strong<dyn IKeyMintDevice> =
128 dev.get_interface().context("In early_boot_ended: getting keymint device interface")?;
129 map_km_error(km_dev.earlyBootEnded())
130 .context("In keymint device: calling earlyBootEnded")?;
131 Ok(())
132 }
133
134 fn early_boot_ended() -> Result<()> {
135 check_keystore_permission(KeystorePerm::early_boot_ended())
136 .context("In early_boot_ended. Checking permission")?;
137
138 let sec_levels = [
139 (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
140 (SecurityLevel::STRONGBOX, "STRONGBOX"),
141 ];
142 sec_levels.iter().fold(Ok(()), |result, (sec_level, sec_level_string)| {
143 let curr_result = Maintenance::early_boot_ended_help(sec_level);
144 if curr_result.is_err() {
145 log::error!(
146 "Call to earlyBootEnded failed for security level {}.",
147 &sec_level_string
148 );
149 }
150 result.and(curr_result)
151 })
152 }
153
Janis Danisevskis333b7c02021-03-23 18:57:41 -0700154 fn on_device_off_body() -> Result<()> {
155 // Security critical permission check. This statement must return on fail.
156 check_keystore_permission(KeystorePerm::report_off_body())
157 .context("In on_device_off_body.")?;
158
159 DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()))
160 .context("In on_device_off_body: Trying to update last off body time.")
161 }
Hasini Gunasingheda895552021-01-27 19:34:37 +0000162}
163
Janis Danisevskis34a0cf22021-03-08 09:19:03 -0800164impl Interface for Maintenance {}
Hasini Gunasingheda895552021-01-27 19:34:37 +0000165
Janis Danisevskis34a0cf22021-03-08 09:19:03 -0800166impl IKeystoreMaintenance for Maintenance {
Hasini Gunasingheda895552021-01-27 19:34:37 +0000167 fn onUserPasswordChanged(&self, user_id: i32, password: Option<&[u8]>) -> BinderResult<()> {
Paul Crowleyf61fee72021-03-17 14:38:44 -0700168 map_or_log_err(Self::on_user_password_changed(user_id, password.map(|pw| pw.into())), Ok)
Hasini Gunasingheda895552021-01-27 19:34:37 +0000169 }
170
171 fn onUserAdded(&self, user_id: i32) -> BinderResult<()> {
172 map_or_log_err(Self::add_or_remove_user(user_id), Ok)
173 }
174
175 fn onUserRemoved(&self, user_id: i32) -> BinderResult<()> {
176 map_or_log_err(Self::add_or_remove_user(user_id), Ok)
177 }
Janis Danisevskisddd6e752021-02-22 18:46:55 -0800178
179 fn clearNamespace(&self, domain: Domain, nspace: i64) -> BinderResult<()> {
180 map_or_log_err(Self::clear_namespace(domain, nspace), Ok)
181 }
Hasini Gunasinghe9ee18412021-03-11 20:12:44 +0000182
Janis Danisevskis333b7c02021-03-23 18:57:41 -0700183 fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
Hasini Gunasinghe9ee18412021-03-11 20:12:44 +0000184 map_or_log_err(Self::get_state(user_id), Ok)
185 }
Janis Danisevskis333b7c02021-03-23 18:57:41 -0700186
Satya Tangirala5b9e5b12021-03-09 12:54:21 -0800187 fn earlyBootEnded(&self) -> BinderResult<()> {
188 map_or_log_err(Self::early_boot_ended(), Ok)
189 }
190
Janis Danisevskis333b7c02021-03-23 18:57:41 -0700191 fn onDeviceOffBody(&self) -> BinderResult<()> {
192 map_or_log_err(Self::on_device_off_body(), Ok)
193 }
Hasini Gunasingheda895552021-01-27 19:34:37 +0000194}