Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 93927dd3e90b6d91d0a33e48a92aa087f72b925e / . / keystore2 / src / service.rs
blob: 9c5a697fad59987930e157d81d1b92c5a1e10736 [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// TODO remove when fully implemented.
16#![allow(unused_variables)]
17
18//! This crate implement the core Keystore 2.0 service API as defined by the Keystore 2.0
19//! AIDL spec.
20
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]21use crate::error::{self, map_or_log_err, ErrorCode};
22use crate::globals::DB;
23use crate::permission;
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]24use crate::permission::{KeyPerm, KeystorePerm};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]25use crate::security_level::KeystoreSecurityLevel;
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]26use crate::utils::{
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]27 check_grant_permission, check_key_permission, check_keystore_permission,
28 key_parameters_to_authorizations, Asp,
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]29};
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]30use crate::{
31 database::{KeyEntryLoadBits, KeyType, SubComponentType},
32 error::ResponseCode,
33};
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]34use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]35use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]36 Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
37 IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
38 KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]39};
40use anyhow::{anyhow, Context, Result};
41use binder::{IBinder, Interface, ThreadState};
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]42use error::Error;
43use keystore2_selinux as selinux;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]44
45/// Implementation of the IKeystoreService.
46pub struct KeystoreService {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]47 sec_level_tee: Asp,
48 sec_level_strongbox: Option<Asp>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]49}
50
51impl KeystoreService {
52 /// Create a new instance of the Keystore 2.0 service.
53 pub fn new_native_binder() -> Result<impl IKeystoreService> {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]54 let tee = KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
55 .map(|tee| Asp::new(tee.as_binder()))
56 .context(concat!(
57 "In KeystoreService::new_native_binder: ",
58 "Trying to construct mendatory security level TEE."
59 ))?;
60 // Strongbox is optional, so we ignore errors and turn the result into an Option.
61 let strongbox =
62 KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
63 .map(|tee| Asp::new(tee.as_binder()))
64 .ok();
65
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]66 let result = BnKeystoreService::new_binder(Self {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]67 sec_level_tee: tee,
68 sec_level_strongbox: strongbox,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]69 });
70 result.as_binder().set_requesting_sid(true);
71 Ok(result)
72 }
73
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]74 fn get_security_level_internal(
75 &self,
76 security_level: SecurityLevel,
77 ) -> Result<Option<Box<dyn IKeystoreSecurityLevel>>> {
78 Ok(match (security_level, &self.sec_level_strongbox) {
79 (SecurityLevel::TRUSTED_ENVIRONMENT, _) => Some(self.sec_level_tee.get_interface().context(
80 "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (TEE).",
81 )?),
82 (SecurityLevel::STRONGBOX, Some(strongbox)) => Some(strongbox.get_interface().context(
83 "In get_security_level_internal: Failed to get IKeystoreSecurityLevel (Strongbox).",
84 )?),
85 _ => None,
86 })
87 }
88
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]89 fn get_security_level(
90 &self,
91 security_level: SecurityLevel,
92 ) -> Result<Box<dyn IKeystoreSecurityLevel>> {
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]93 self.get_security_level_internal(security_level)
94 .context("In get_security_level.")?
95 .ok_or_else(|| anyhow!(error::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE)))
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]96 }
97
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]98 fn get_key_entry(&self, key: &KeyDescriptor) -> Result<KeyEntryResponse> {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]99 let (key_id_guard, mut key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]100 .with(|db| {
101 db.borrow_mut().load_key_entry(
102 key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]103 KeyType::Client,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]104 KeyEntryLoadBits::PUBLIC,
105 ThreadState::get_calling_uid(),
106 |k, av| check_key_permission(KeyPerm::get_info(), k, &av),
107 )
108 })
109 .context("In get_key_entry, while trying to load key info.")?;
110
Janis Danisevskisba998992020-12-29 16:08:40 -0800[diff] [blame]111 let i_sec_level = self
112 .get_security_level_internal(key_entry.sec_level())
113 .context("In get_key_entry.")?
114 .ok_or_else(|| {
115 anyhow!(error::Error::sys()).context(format!(
116 concat!(
117 "Found key with security level {:?} ",
118 "but no KeyMint instance of that security level."
119 ),
120 key_entry.sec_level()
121 ))
122 })?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]123
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]124 Ok(KeyEntryResponse {
125 iSecurityLevel: Some(i_sec_level),
126 metadata: KeyMetadata {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]127 key: KeyDescriptor {
128 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]129 nspace: key_id_guard.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]130 ..Default::default()
131 },
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]132 keySecurityLevel: key_entry.sec_level(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]133 certificate: key_entry.take_cert(),
134 certificateChain: key_entry.take_cert_chain(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]135 modificationTimeMs: key_entry
136 .metadata()
137 .creation_date()
138 .map(|d| d.to_millis_epoch())
139 .ok_or(Error::Rc(ResponseCode::VALUE_CORRUPTED))
140 .context("In get_key_entry: Trying to get creation date.")?,
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]141 authorizations: key_parameters_to_authorizations(key_entry.into_key_parameters()),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]142 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]143 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]144 }
145
146 fn update_subcomponent(
147 &self,
148 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]149 public_cert: Option<&[u8]>,
150 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]151 ) -> Result<()> {
152 DB.with::<_, Result<()>>(|db| {
153 let mut db = db.borrow_mut();
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]154 let (key_id_guard, key_entry) = db
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]155 .load_key_entry(
156 key.clone(),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]157 KeyType::Client,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]158 KeyEntryLoadBits::NONE,
159 ThreadState::get_calling_uid(),
160 |k, av| {
161 check_key_permission(KeyPerm::update(), k, &av)
162 .context("In update_subcomponent.")
163 },
164 )
165 .context("Failed to load key_entry.")?;
166
167 if let Some(cert) = public_cert {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame^]168 db.insert_blob(&key_id_guard, SubComponentType::CERT, cert)
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]169 .context("Failed to update cert subcomponent.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]170 }
171
172 if let Some(cert_chain) = certificate_chain {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame^]173 db.insert_blob(&key_id_guard, SubComponentType::CERT_CHAIN, cert_chain)
174 .context("Failed to update cert chain subcomponent.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]175 }
176 Ok(())
177 })
178 .context("In update_subcomponent.")
179 }
180
181 fn list_entries(&self, domain: Domain, namespace: i64) -> Result<Vec<KeyDescriptor>> {
Janis Danisevskise92a5e62020-12-02 12:57:41 -0800[diff] [blame]182 let mut k = match domain {
183 Domain::APP => KeyDescriptor {
184 domain,
185 nspace: ThreadState::get_calling_uid() as u64 as i64,
186 ..Default::default()
187 },
188 Domain::SELINUX => KeyDescriptor{domain, nspace: namespace, ..Default::default()},
189 _ => return Err(Error::perm()).context(
190 "In list_entries: List entries is only supported for Domain::APP and Domain::SELINUX."
191 ),
192 };
193
194 // First we check if the caller has the info permission for the selected domain/namespace.
195 // By default we use the calling uid as namespace if domain is Domain::APP.
196 // If the first check fails we check if the caller has the list permission allowing to list
197 // any namespace. In that case we also adjust the queried namespace if a specific uid was
198 // selected.
199 match check_key_permission(KeyPerm::get_info(), &k, &None) {
200 Err(e) => {
201 if let Some(selinux::Error::PermissionDenied) =
202 e.root_cause().downcast_ref::<selinux::Error>()
203 {
204 check_keystore_permission(KeystorePerm::list())
205 .context("In list_entries: While checking keystore permission.")?;
206 if namespace != -1 {
207 k.nspace = namespace;
208 }
209 } else {
210 return Err(e).context("In list_entries: While checking key permission.")?;
211 }
212 }
213 Ok(()) => {}
214 };
215
216 DB.with(|db| {
217 let mut db = db.borrow_mut();
218 db.list(k.domain, k.nspace)
219 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]220 }
221
222 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame^]223 let caller_uid = ThreadState::get_calling_uid();
224 DB.with(|db| {
225 db.borrow_mut().unbind_key(key.clone(), KeyType::Client, caller_uid, |k, av| {
226 check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
227 })
228 })
229 .context("In delete_key: Trying to unbind the key.")?;
Janis Danisevskisa51ccbc2020-11-25 21:04:24 -0800[diff] [blame]230 Ok(())
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]231 }
232
233 fn grant(
234 &self,
235 key: &KeyDescriptor,
236 grantee_uid: i32,
237 access_vector: permission::KeyPermSet,
238 ) -> Result<KeyDescriptor> {
239 DB.with(|db| {
240 db.borrow_mut().grant(
241 key.clone(),
242 ThreadState::get_calling_uid(),
243 grantee_uid as u32,
244 access_vector,
245 |k, av| check_grant_permission(*av, k).context("During grant."),
246 )
247 })
248 .context("In KeystoreService::grant.")
249 }
250
251 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> Result<()> {
252 DB.with(|db| {
253 db.borrow_mut().ungrant(
254 key.clone(),
255 ThreadState::get_calling_uid(),
256 grantee_uid as u32,
257 |k| check_key_permission(KeyPerm::grant(), k, &None),
258 )
259 })
260 .context("In KeystoreService::ungrant.")
261 }
262}
263
264impl binder::Interface for KeystoreService {}
265
266// Implementation of IKeystoreService. See AIDL spec at
267// system/security/keystore2/binder/android/security/keystore2/IKeystoreService.aidl
268impl IKeystoreService for KeystoreService {
269 fn getSecurityLevel(
270 &self,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]271 security_level: SecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]272 ) -> binder::public_api::Result<Box<dyn IKeystoreSecurityLevel>> {
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]273 map_or_log_err(self.get_security_level(SecurityLevel(security_level.0)), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]274 }
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]275 fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
276 map_or_log_err(self.get_key_entry(key), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]277 }
278 fn updateSubcomponent(
279 &self,
280 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]281 public_cert: Option<&[u8]>,
282 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]283 ) -> binder::public_api::Result<()> {
284 map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
285 }
286 fn listEntries(
287 &self,
288 domain: Domain,
289 namespace: i64,
290 ) -> binder::public_api::Result<Vec<KeyDescriptor>> {
291 map_or_log_err(self.list_entries(domain, namespace), Ok)
292 }
293 fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
294 map_or_log_err(self.delete_key(key), Ok)
295 }
296 fn grant(
297 &self,
298 key: &KeyDescriptor,
299 grantee_uid: i32,
300 access_vector: i32,
301 ) -> binder::public_api::Result<KeyDescriptor> {
302 map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
303 }
304 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
305 map_or_log_err(self.ungrant(key, grantee_uid), Ok)
306 }
307}