Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / a820ef5dc2c355d285099e1326d6d82e8ec1be24 / . / keystore2 / src / security_level.rs
blob: a53ccec8eabc5ba6909fa2b1aa36ee4c2a9f725e [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]15//! This crate implements the IKeystoreSecurityLevel interface.
16
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]17use crate::attestation_key_utils::{get_attest_key_info, AttestationKeyInfo};
Pavel Grafovf45034a2021-05-12 22:35:45 +0100[diff] [blame]18use crate::audit_log::{
19 log_key_deleted, log_key_generated, log_key_imported, log_key_integrity_violation,
20};
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]21use crate::database::{BlobInfo, CertificateInfo, KeyIdGuard};
Alice Wang849cfe42023-11-10 12:43:36 +0000[diff] [blame]22use crate::error::{
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]23 self, into_logged_binder, map_km_error, wrapped_rkpd_error_to_ks_error, Error, ErrorCode,
Alice Wang849cfe42023-11-10 12:43:36 +0000[diff] [blame]24};
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]25use crate::globals::{
26 get_remotely_provisioned_component_name, DB, ENFORCEMENTS, LEGACY_IMPORTER, SUPER_KEY,
27};
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]28use crate::key_parameter::KeyParameter as KsKeyParam;
29use crate::key_parameter::KeyParameterValue as KsKeyParamValue;
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]30use crate::ks_err;
Hasini Gunasinghe15891e62021-06-10 16:23:27 +0000[diff] [blame]31use crate::metrics_store::log_key_creation_event_stats;
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]32use crate::remote_provisioning::RemProvState;
33use crate::super_key::{KeyBlob, SuperKeyManager};
34use crate::utils::{
Seth Moore66d9e902022-03-16 17:20:31 -0700[diff] [blame]35 check_device_attestation_permissions, check_key_permission,
36 check_unique_id_attestation_permissions, is_device_id_attestation_tag,
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]37 key_characteristics_to_internal, log_security_safe_params, uid_to_android_user, watchdog as wd,
38 UNDEFINED_NOT_AFTER,
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]39};
40use crate::{
41 database::{
42 BlobMetaData, BlobMetaEntry, DateTime, KeyEntry, KeyEntryLoadBits, KeyMetaData,
43 KeyMetaEntry, KeyType, SubComponentType, Uuid,
44 },
45 operation::KeystoreOperation,
46 operation::LoggingInfo,
47 operation::OperationDb,
48 permission::KeyPerm,
49};
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]50use crate::{globals::get_keymint_device, id_rotation::IdRotationState};
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]51use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]52 Algorithm::Algorithm, AttestationKey::AttestationKey,
Shawn Willden8fde4c22021-02-14 13:58:22 -0700[diff] [blame]53 HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice,
54 KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]55 KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter,
56 KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]57};
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]58use android_hardware_security_keymint::binder::{BinderFeatures, Strong, ThreadState};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]59use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]60 AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse,
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]61 Domain::Domain, EphemeralStorageKeyResponse::EphemeralStorageKeyResponse,
62 IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::BnKeystoreSecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]63 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor,
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]64 KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]65};
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]66use anyhow::{anyhow, Context, Result};
Alice Wang01c16b62023-11-07 14:27:49 +0000[diff] [blame]67use rkpd_client::store_rkpd_attestation_key;
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]68use std::convert::TryInto;
69use std::time::SystemTime;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]70
71/// Implementation of the IKeystoreSecurityLevel Interface.
72pub struct KeystoreSecurityLevel {
73 security_level: SecurityLevel,
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]74 keymint: Strong<dyn IKeyMintDevice>,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]75 hw_info: KeyMintHardwareInfo,
76 km_uuid: Uuid,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]77 operation_db: OperationDb,
Max Bires97f96812021-02-23 23:44:57 -0800[diff] [blame]78 rem_prov_state: RemProvState,
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]79 id_rotation_state: IdRotationState,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]80}
81
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]82// Blob of 32 zeroes used as empty masking key.
83static ZERO_BLOB_32: &[u8] = &[0; 32];
84
85impl KeystoreSecurityLevel {
86 /// Creates a new security level instance wrapped in a
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]87 /// BnKeystoreSecurityLevel proxy object. It also enables
88 /// `BinderFeatures::set_requesting_sid` on the new interface, because
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]89 /// we need it for checking keystore permissions.
90 pub fn new_native_binder(
91 security_level: SecurityLevel,
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]92 id_rotation_state: IdRotationState,
Stephen Crane221bbb52020-12-16 15:52:10 -0800[diff] [blame]93 ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)> {
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]94 let (dev, hw_info, km_uuid) = get_keymint_device(&security_level)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]95 .context(ks_err!("KeystoreSecurityLevel::new_native_binder."))?;
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]96 let result = BnKeystoreSecurityLevel::new_binder(
97 Self {
98 security_level,
99 keymint: dev,
100 hw_info,
101 km_uuid,
102 operation_db: OperationDb::new(),
David Drysdale8c4c4f32023-10-31 12:14:11 +0000[diff] [blame]103 rem_prov_state: RemProvState::new(security_level),
Andrew Walbrande45c8b2021-04-13 14:42:38 +0000[diff] [blame]104 id_rotation_state,
105 },
106 BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
107 );
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]108 Ok((result, km_uuid))
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]109 }
110
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]111 fn watch_millis(&self, id: &'static str, millis: u64) -> Option<wd::WatchPoint> {
112 let sec_level = self.security_level;
David Drysdale387c85b2024-06-10 14:40:45 +0100[diff] [blame]113 wd::watch_millis_with(id, millis, sec_level)
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]114 }
115
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]116 fn watch(&self, id: &'static str) -> Option<wd::WatchPoint> {
117 let sec_level = self.security_level;
David Drysdale387c85b2024-06-10 14:40:45 +0100[diff] [blame]118 wd::watch_millis_with(id, wd::DEFAULT_TIMEOUT_MS, sec_level)
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]119 }
120
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]121 fn store_new_key(
122 &self,
123 key: KeyDescriptor,
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]124 creation_result: KeyCreationResult,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]125 user_id: u32,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]126 flags: Option<i32>,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]127 ) -> Result<KeyMetadata> {
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]128 let KeyCreationResult {
129 keyBlob: key_blob,
130 keyCharacteristics: key_characteristics,
131 certificateChain: mut certificate_chain,
132 } = creation_result;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]133
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]134 let mut cert_info: CertificateInfo = CertificateInfo::new(
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]135 match certificate_chain.len() {
136 0 => None,
137 _ => Some(certificate_chain.remove(0).encodedCertificate),
138 },
139 match certificate_chain.len() {
140 0 => None,
141 _ => Some(
142 certificate_chain
143 .iter()
Chariseea1e1c482022-02-26 01:26:35 +0000[diff] [blame]144 .flat_map(|c| c.encodedCertificate.iter())
Shawn Willdendbdac602021-01-12 22:35:16 -0700[diff] [blame]145 .copied()
146 .collect(),
147 ),
148 },
149 );
150
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]151 let mut key_parameters = key_characteristics_to_internal(key_characteristics);
152
153 key_parameters.push(KsKeyParam::new(
154 KsKeyParamValue::UserID(user_id as i32),
155 SecurityLevel::SOFTWARE,
156 ));
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]157
Shaquille Johnsonaec2eca2022-11-30 17:08:05 +0000[diff] [blame]158 let creation_date = DateTime::now().context(ks_err!("Trying to make creation time."))?;
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]159
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]160 let key = match key.domain {
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]161 Domain::BLOB => KeyDescriptor {
162 domain: Domain::BLOB,
163 blob: Some(key_blob.to_vec()),
164 ..Default::default()
165 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]166 _ => DB
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]167 .with::<_, Result<KeyDescriptor>>(|db| {
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]168 let mut db = db.borrow_mut();
169
170 let (key_blob, mut blob_metadata) = SUPER_KEY
Janis Danisevskis0fd25a62022-01-04 19:53:37 -0800[diff] [blame]171 .read()
172 .unwrap()
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]173 .handle_super_encryption_on_key_init(
174 &mut db,
Janis Danisevskis0ffb8a82022-02-06 22:37:21 -0800[diff] [blame]175 &LEGACY_IMPORTER,
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]176 &(key.domain),
177 &key_parameters,
178 flags,
179 user_id,
180 &key_blob,
181 )
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]182 .context(ks_err!("Failed to handle super encryption."))?;
Satya Tangirala60671e32021-03-04 16:12:19 -0800[diff] [blame]183
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]184 let mut key_metadata = KeyMetaData::new();
185 key_metadata.add(KeyMetaEntry::CreationDate(creation_date));
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]186 blob_metadata.add(BlobMetaEntry::KmUuid(self.km_uuid));
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]187
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]188 let key_id = db
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]189 .store_new_key(
Janis Danisevskis66784c42021-01-27 08:40:25 -0800[diff] [blame]190 &key,
Janis Danisevskis0cabd712021-05-25 11:07:10 -0700[diff] [blame]191 KeyType::Client,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]192 &key_parameters,
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]193 &BlobInfo::new(&key_blob, &blob_metadata),
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]194 &cert_info,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]195 &key_metadata,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]196 &self.km_uuid,
Janis Danisevskis93927dd2020-12-23 12:23:08 -0800[diff] [blame]197 )
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]198 .context(ks_err!())?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]199 Ok(KeyDescriptor {
200 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]201 nspace: key_id.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]202 ..Default::default()
203 })
204 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]205 .context(ks_err!())?,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]206 };
207
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]208 Ok(KeyMetadata {
209 key,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]210 keySecurityLevel: self.security_level,
Max Bires8e93d2b2021-01-14 13:17:59 -0800[diff] [blame]211 certificate: cert_info.take_cert(),
212 certificateChain: cert_info.take_cert_chain(),
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]213 authorizations: crate::utils::key_parameters_to_authorizations(key_parameters),
Janis Danisevskisb42fc182020-12-15 08:41:27 -0800[diff] [blame]214 modificationTimeMs: creation_date.to_millis_epoch(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]215 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]216 }
217
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]218 fn create_operation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]219 &self,
220 key: &KeyDescriptor,
221 operation_parameters: &[KeyParameter],
222 forced: bool,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]223 ) -> Result<CreateOperationResponse> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]224 let caller_uid = ThreadState::get_calling_uid();
225 // We use `scoping_blob` to extend the life cycle of the blob loaded from the database,
226 // so that we can use it by reference like the blob provided by the key descriptor.
227 // Otherwise, we would have to clone the blob from the key descriptor.
228 let scoping_blob: Vec<u8>;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]229 let (km_blob, key_properties, key_id_guard, blob_metadata) = match key.domain {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]230 Domain::BLOB => {
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]231 check_key_permission(KeyPerm::Use, key, &None)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]232 .context(ks_err!("checking use permission for Domain::BLOB."))?;
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]233 if forced {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]234 check_key_permission(KeyPerm::ReqForcedOp, key, &None)
235 .context(ks_err!("checking forced permission for Domain::BLOB."))?;
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]236 }
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]237 (
238 match &key.blob {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]239 Some(blob) => blob,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]240 None => {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]241 return Err(Error::sys()).context(ks_err!(
242 "Key blob must be specified when \
243 using Domain::BLOB."
244 ));
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]245 }
246 },
247 None,
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]248 None,
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]249 BlobMetaData::new(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]250 )
251 }
252 _ => {
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]253 let super_key = SUPER_KEY
254 .read()
255 .unwrap()
Eric Biggers673d34a2023-10-18 01:54:18 +0000[diff] [blame]256 .get_after_first_unlock_key_by_user_id(uid_to_android_user(caller_uid));
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]257 let (key_id_guard, mut key_entry) = DB
258 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| {
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]259 LEGACY_IMPORTER.with_try_import(key, caller_uid, super_key, || {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]260 db.borrow_mut().load_key_entry(
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]261 key,
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]262 KeyType::Client,
263 KeyEntryLoadBits::KM,
264 caller_uid,
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]265 |k, av| {
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]266 check_key_permission(KeyPerm::Use, k, &av)?;
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]267 if forced {
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]268 check_key_permission(KeyPerm::ReqForcedOp, k, &av)?;
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]269 }
270 Ok(())
271 },
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]272 )
273 })
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]274 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]275 .context(ks_err!("Failed to load key blob."))?;
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]276
277 let (blob, blob_metadata) =
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]278 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(ks_err!(
279 "Successfully loaded key entry, \
280 but KM blob was missing."
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]281 ))?;
282 scoping_blob = blob;
283
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]284 (
285 &scoping_blob,
286 Some((key_id_guard.id(), key_entry.into_key_parameters())),
287 Some(key_id_guard),
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]288 blob_metadata,
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]289 )
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]290 }
291 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]292
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]293 let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]294 Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]295 .context(ks_err!("No operation purpose specified.")),
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]296 |kp| match kp.value {
297 KeyParameterValue::KeyPurpose(p) => Ok(p),
298 _ => Err(Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]299 .context(ks_err!("Malformed KeyParameter.")),
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]300 },
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]301 )?;
302
Satya Tangirala2642ff92021-04-15 01:57:00 -0700[diff] [blame]303 // Remove Tag::PURPOSE from the operation_parameters, since some keymaster devices return
304 // an error on begin() if Tag::PURPOSE is in the operation_parameters.
305 let op_params: Vec<KeyParameter> =
306 operation_parameters.iter().filter(|p| p.tag != Tag::PURPOSE).cloned().collect();
307 let operation_parameters = op_params.as_slice();
308
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]309 let (immediate_hat, mut auth_info) = ENFORCEMENTS
310 .authorize_create(
311 purpose,
Qi Wub9433b52020-12-01 14:52:46 +0800[diff] [blame]312 key_properties.as_ref(),
313 operation_parameters.as_ref(),
Janis Danisevskise3f7d202021-03-20 14:21:22 -0700[diff] [blame]314 self.hw_info.timestampTokenRequired,
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]315 )
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]316 .context(ks_err!())?;
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]317
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]318 let km_blob = SUPER_KEY
Janis Danisevskis0fd25a62022-01-04 19:53:37 -0800[diff] [blame]319 .read()
320 .unwrap()
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]321 .unwrap_key_if_required(&blob_metadata, km_blob)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]322 .context(ks_err!("Failed to handle super encryption."))?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]323
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]324 let (begin_result, upgraded_blob) = self
325 .upgrade_keyblob_if_required_with(
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]326 key_id_guard,
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]327 &km_blob,
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]328 blob_metadata.km_uuid().copied(),
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]329 operation_parameters,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]330 |blob| loop {
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]331 match map_km_error({
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]332 let _wp =
333 self.watch("In KeystoreSecurityLevel::create_operation: calling begin");
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]334 self.keymint.begin(
335 purpose,
336 blob,
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]337 operation_parameters,
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]338 immediate_hat.as_ref(),
339 )
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]340 }) {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]341 Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => {
Janis Danisevskis186d9f42021-03-03 14:40:52 -0800[diff] [blame]342 self.operation_db.prune(caller_uid, forced)?;
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]343 continue;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]344 }
Pavel Grafovf45034a2021-05-12 22:35:45 +0100[diff] [blame]345 v @ Err(Error::Km(ErrorCode::INVALID_KEY_BLOB)) => {
346 if let Some((key_id, _)) = key_properties {
347 if let Ok(Some(key)) =
348 DB.with(|db| db.borrow_mut().load_key_descriptor(key_id))
349 {
350 log_key_integrity_violation(&key);
351 } else {
352 log::error!("Failed to load key descriptor for audit log");
353 }
354 }
355 return v;
356 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]357 v => return v,
358 }
359 },
360 )
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]361 .context(ks_err!("Failed to begin operation."))?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]362
Janis Danisevskis5ed8c532021-01-11 14:19:42 -0800[diff] [blame]363 let operation_challenge = auth_info.finalize_create_authorization(begin_result.challenge);
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]364
Hasini Gunasinghe0aba68a2021-03-19 00:43:52 +0000[diff] [blame]365 let op_params: Vec<KeyParameter> = operation_parameters.to_vec();
366
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]367 let operation = match begin_result.operation {
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]368 Some(km_op) => self.operation_db.create_operation(
369 km_op,
370 caller_uid,
371 auth_info,
372 forced,
373 LoggingInfo::new(self.security_level, purpose, op_params, upgraded_blob.is_some()),
374 ),
375 None => {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]376 return Err(Error::sys()).context(ks_err!(
377 "Begin operation returned successfully, \
378 but did not return a valid operation."
379 ));
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]380 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]381 };
382
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]383 let op_binder: binder::Strong<dyn IKeystoreOperation> =
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]384 KeystoreOperation::new_native_binder(operation)
385 .as_binder()
386 .into_interface()
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]387 .context(ks_err!("Failed to create IKeystoreOperation."))?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]388
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]389 Ok(CreateOperationResponse {
390 iOperation: Some(op_binder),
Hasini Gunasinghe888dd352020-11-17 23:08:39 +0000[diff] [blame]391 operationChallenge: operation_challenge,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]392 parameters: match begin_result.params.len() {
393 0 => None,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]394 _ => Some(KeyParameters { keyParameter: begin_result.params }),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]395 },
Satya Tangiralae2016a82021-03-05 09:28:30 -0800[diff] [blame]396 // An upgraded blob should only be returned if the caller has permission
397 // to use Domain::BLOB keys. If we got to this point, we already checked
398 // that the caller had that permission.
399 upgradedBlob: if key.domain == Domain::BLOB { upgraded_blob } else { None },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]400 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]401 }
402
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]403 fn add_required_parameters(
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]404 &self,
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]405 uid: u32,
406 params: &[KeyParameter],
407 key: &KeyDescriptor,
408 ) -> Result<Vec<KeyParameter>> {
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]409 let mut result = params.to_vec();
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]410
Tri Vo74997ed2023-07-20 17:57:19 -0400[diff] [blame]411 // Prevent callers from specifying the CREATION_DATETIME tag.
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]412 if params.iter().any(|kp| kp.tag == Tag::CREATION_DATETIME) {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]413 return Err(Error::Rc(ResponseCode::INVALID_ARGUMENT)).context(ks_err!(
414 "KeystoreSecurityLevel::add_required_parameters: \
415 Specifying Tag::CREATION_DATETIME is not allowed."
416 ));
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]417 }
418
Tri Vo74997ed2023-07-20 17:57:19 -0400[diff] [blame]419 // Use this variable to refer to notion of "now". This eliminates discrepancies from
420 // quering the clock multiple times.
421 let creation_datetime = SystemTime::now();
422
Janis Danisevskis2b3c7232021-12-20 13:16:23 -0800[diff] [blame]423 // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
424 if self.hw_info.versionNumber >= 100 {
425 result.push(KeyParameter {
426 tag: Tag::CREATION_DATETIME,
427 value: KeyParameterValue::DateTime(
Tri Vo74997ed2023-07-20 17:57:19 -0400[diff] [blame]428 creation_datetime
Janis Danisevskis2b3c7232021-12-20 13:16:23 -0800[diff] [blame]429 .duration_since(SystemTime::UNIX_EPOCH)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]430 .context(ks_err!(
431 "KeystoreSecurityLevel::add_required_parameters: \
432 Failed to get epoch time."
433 ))?
Janis Danisevskis2b3c7232021-12-20 13:16:23 -0800[diff] [blame]434 .as_millis()
435 .try_into()
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]436 .context(ks_err!(
437 "KeystoreSecurityLevel::add_required_parameters: \
438 Failed to convert epoch time."
439 ))?,
Janis Danisevskis2b3c7232021-12-20 13:16:23 -0800[diff] [blame]440 ),
441 });
442 }
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]443
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]444 // If there is an attestation challenge we need to get an application id.
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]445 if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]446 let aaid = {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]447 let _wp = self
448 .watch("In KeystoreSecurityLevel::add_required_parameters calling: get_aaid");
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]449 keystore2_aaid::get_aaid(uid)
450 .map_err(|e| anyhow!(ks_err!("get_aaid returned status {}.", e)))
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]451 }?;
452
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]453 result.push(KeyParameter {
454 tag: Tag::ATTESTATION_APPLICATION_ID,
455 value: KeyParameterValue::Blob(aaid),
456 });
457 }
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]458
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]459 if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) {
Seth Moore66d9e902022-03-16 17:20:31 -0700[diff] [blame]460 if check_key_permission(KeyPerm::GenUniqueId, key, &None).is_err()
461 && check_unique_id_attestation_permissions().is_err()
462 {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]463 return Err(Error::perm()).context(ks_err!(
464 "Caller does not have the permission to generate a unique ID"
465 ));
Seth Moore66d9e902022-03-16 17:20:31 -0700[diff] [blame]466 }
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]467 if self
468 .id_rotation_state
Tri Vo74997ed2023-07-20 17:57:19 -0400[diff] [blame]469 .had_factory_reset_since_id_rotation(&creation_datetime)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]470 .context(ks_err!("Call to had_factory_reset_since_id_rotation failed."))?
471 {
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]472 result.push(KeyParameter {
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]473 tag: Tag::RESET_SINCE_ID_ROTATION,
474 value: KeyParameterValue::BoolValue(true),
475 })
476 }
Janis Danisevskise766edc2021-02-06 12:16:26 -0800[diff] [blame]477 }
478
Bram Bonné5d6c5102021-02-24 15:09:18 +0100[diff] [blame]479 // If the caller requests any device identifier attestation tag, check that they hold the
480 // correct Android permission.
481 if params.iter().any(|kp| is_device_id_attestation_tag(kp.tag)) {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]482 check_device_attestation_permissions().context(ks_err!(
Bram Bonné5d6c5102021-02-24 15:09:18 +0100[diff] [blame]483 "Caller does not have the permission to attest device identifiers."
484 ))?;
485 }
486
Janis Danisevskis2c084012021-01-31 22:23:17 -0800[diff] [blame]487 // If we are generating/importing an asymmetric key, we need to make sure
488 // that NOT_BEFORE and NOT_AFTER are present.
489 match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) {
490 Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::RSA) })
491 | Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::EC) }) => {
492 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_BEFORE) {
493 result.push(KeyParameter {
494 tag: Tag::CERTIFICATE_NOT_BEFORE,
495 value: KeyParameterValue::DateTime(0),
496 })
497 }
498 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_AFTER) {
499 result.push(KeyParameter {
500 tag: Tag::CERTIFICATE_NOT_AFTER,
501 value: KeyParameterValue::DateTime(UNDEFINED_NOT_AFTER),
502 })
503 }
504 }
505 _ => {}
506 }
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]507 Ok(result)
508 }
509
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]510 fn generate_key(
511 &self,
512 key: &KeyDescriptor,
Shawn Willden8fde4c22021-02-14 13:58:22 -0700[diff] [blame]513 attest_key_descriptor: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]514 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]515 flags: i32,
Paul Crowleyd5653e52021-03-25 09:46:31 -0700[diff] [blame]516 _entropy: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]517 ) -> Result<KeyMetadata> {
Shaquille Johnsona820ef52024-06-20 13:48:23 +0000[diff] [blame^]518 log::info!("security_level: generate_key(key={:?})", key.alias);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]519 if key.domain != Domain::BLOB && key.alias.is_none() {
520 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]521 .context(ks_err!("Alias must be specified"));
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]522 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]523 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]524
525 let key = match key.domain {
526 Domain::APP => KeyDescriptor {
527 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]528 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]529 alias: key.alias.clone(),
530 blob: None,
531 },
532 _ => key.clone(),
533 };
534
535 // generate_key requires the rebind permission.
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]536 // Must return on error for security reasons.
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]537 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!())?;
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]538
539 let attestation_key_info = match (key.domain, attest_key_descriptor) {
540 (Domain::BLOB, _) => None,
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]541 _ => DB
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]542 .with(|db| {
543 get_attest_key_info(
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]544 &key,
545 caller_uid,
546 attest_key_descriptor,
547 params,
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]548 &self.rem_prov_state,
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]549 &mut db.borrow_mut(),
550 )
551 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]552 .context(ks_err!("Trying to get an attestation key"))?,
Satya Tangiralafdb9c762021-03-09 22:34:22 -0800[diff] [blame]553 };
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]554 let params = self
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]555 .add_required_parameters(caller_uid, params, &key)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]556 .context(ks_err!("Trying to get aaid."))?;
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]557
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]558 let creation_result = match attestation_key_info {
559 Some(AttestationKeyInfo::UserGenerated {
560 key_id_guard,
561 blob,
562 blob_metadata,
563 issuer_subject,
564 }) => self
565 .upgrade_keyblob_if_required_with(
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]566 Some(key_id_guard),
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]567 &KeyBlob::Ref(&blob),
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]568 blob_metadata.km_uuid().copied(),
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]569 &params,
570 |blob| {
571 let attest_key = Some(AttestationKey {
572 keyBlob: blob.to_vec(),
573 attestKeyParams: vec![],
574 issuerSubjectName: issuer_subject.clone(),
575 });
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]576 map_km_error({
577 let _wp = self.watch_millis(
578 concat!(
579 "In KeystoreSecurityLevel::generate_key (UserGenerated): ",
580 "calling generate_key."
581 ),
582 5000, // Generate can take a little longer.
583 );
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]584 self.keymint.generateKey(&params, attest_key.as_ref())
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]585 })
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]586 },
587 )
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]588 .context(ks_err!(
Shaquille Johnsona820ef52024-06-20 13:48:23 +0000[diff] [blame^]589 "While generating with a user-generated \
590 attestation key, params: {:?}.",
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]591 log_security_safe_params(&params)
592 ))
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]593 .map(|(result, _)| result),
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]594 Some(AttestationKeyInfo::RkpdProvisioned { attestation_key, attestation_certs }) => {
595 self.upgrade_rkpd_keyblob_if_required_with(&attestation_key.keyBlob, &[], |blob| {
596 map_km_error({
597 let _wp = self.watch_millis(
598 concat!(
599 "In KeystoreSecurityLevel::generate_key (RkpdProvisioned): ",
600 "calling generate_key.",
601 ),
602 5000, // Generate can take a little longer.
603 );
604 let dynamic_attest_key = Some(AttestationKey {
605 keyBlob: blob.to_vec(),
606 attestKeyParams: vec![],
607 issuerSubjectName: attestation_key.issuerSubjectName.clone(),
608 });
609 self.keymint.generateKey(&params, dynamic_attest_key.as_ref())
610 })
611 })
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]612 .context(ks_err!(
613 "While generating Key {:?} with remote \
614 provisioned attestation key and params: {:?}.",
615 key.alias,
616 log_security_safe_params(&params)
617 ))
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]618 .map(|(mut result, _)| {
619 result.certificateChain.push(attestation_certs);
620 result
621 })
622 }
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]623 None => map_km_error({
624 let _wp = self.watch_millis(
625 concat!(
626 "In KeystoreSecurityLevel::generate_key (No attestation): ",
627 "calling generate_key.",
628 ),
629 5000, // Generate can take a little longer.
630 );
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]631 self.keymint.generateKey(&params, None)
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]632 })
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]633 .context(ks_err!(
Shaquille Johnsona820ef52024-06-20 13:48:23 +0000[diff] [blame^]634 "While generating without a provided \
635 attestation key and params: {:?}.",
Shaquille Johnson9a587a22024-02-28 19:54:24 +0000[diff] [blame]636 log_security_safe_params(&params)
637 )),
Max Bires97f96812021-02-23 23:44:57 -0800[diff] [blame]638 }
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]639 .context(ks_err!())?;
Janis Danisevskis3541f3e2021-03-20 14:18:52 -0700[diff] [blame]640
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]641 let user_id = uid_to_android_user(caller_uid);
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]642 self.store_new_key(key, creation_result, user_id, Some(flags)).context(ks_err!())
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]643 }
644
645 fn import_key(
646 &self,
647 key: &KeyDescriptor,
Paul Crowleyd5653e52021-03-25 09:46:31 -0700[diff] [blame]648 _attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]649 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]650 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]651 key_data: &[u8],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]652 ) -> Result<KeyMetadata> {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]653 if key.domain != Domain::BLOB && key.alias.is_none() {
654 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]655 .context(ks_err!("Alias must be specified"));
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]656 }
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]657 let caller_uid = ThreadState::get_calling_uid();
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]658
659 let key = match key.domain {
660 Domain::APP => KeyDescriptor {
661 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]662 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]663 alias: key.alias.clone(),
664 blob: None,
665 },
666 _ => key.clone(),
667 };
668
669 // import_key requires the rebind permission.
Shaquille Johnsone8b152a2023-02-09 15:15:50 +0000[diff] [blame]670 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!("In import_key."))?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]671
Janis Danisevskis5cb52dc2021-04-07 16:31:18 -0700[diff] [blame]672 let params = self
Janis Danisevskisd43c1b92021-11-09 14:56:17 +0000[diff] [blame]673 .add_required_parameters(caller_uid, params, &key)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]674 .context(ks_err!("Trying to get aaid."))?;
Janis Danisevskis212c68b2021-01-14 22:29:28 -0800[diff] [blame]675
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]676 let format = params
677 .iter()
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]678 .find(|p| p.tag == Tag::ALGORITHM)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]679 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnsone8b152a2023-02-09 15:15:50 +0000[diff] [blame]680 .context(ks_err!("No KeyParameter 'Algorithm'."))
Janis Danisevskis398e6be2020-12-17 09:29:25 -0800[diff] [blame]681 .and_then(|p| match &p.value {
682 KeyParameterValue::Algorithm(Algorithm::AES)
683 | KeyParameterValue::Algorithm(Algorithm::HMAC)
684 | KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES) => Ok(KeyFormat::RAW),
685 KeyParameterValue::Algorithm(Algorithm::RSA)
686 | KeyParameterValue::Algorithm(Algorithm::EC) => Ok(KeyFormat::PKCS8),
687 v => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnsonaec2eca2022-11-30 17:08:05 +0000[diff] [blame]688 .context(ks_err!("Unknown Algorithm {:?}.", v)),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]689 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]690 .context(ks_err!())?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]691
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]692 let km_dev = &self.keymint;
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]693 let creation_result = map_km_error({
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]694 let _wp = self.watch("In KeystoreSecurityLevel::import_key: calling importKey.");
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]695 km_dev.importKey(&params, format, key_data, None /* attestKey */)
696 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]697 .context(ks_err!("Trying to call importKey"))?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]698
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]699 let user_id = uid_to_android_user(caller_uid);
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]700 self.store_new_key(key, creation_result, user_id, Some(flags)).context(ks_err!())
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]701 }
702
703 fn import_wrapped_key(
704 &self,
705 key: &KeyDescriptor,
706 wrapping_key: &KeyDescriptor,
707 masking_key: Option<&[u8]>,
708 params: &[KeyParameter],
709 authenticators: &[AuthenticatorSpec],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]710 ) -> Result<KeyMetadata> {
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]711 let wrapped_data: &[u8] = match key {
712 KeyDescriptor { domain: Domain::APP, blob: Some(ref blob), alias: Some(_), .. }
713 | KeyDescriptor {
714 domain: Domain::SELINUX, blob: Some(ref blob), alias: Some(_), ..
715 } => blob,
716 _ => {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]717 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(ks_err!(
718 "Alias and blob must be specified and domain must be APP or SELINUX. {:?}",
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]719 key
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]720 ));
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]721 }
722 };
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]723
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]724 if wrapping_key.domain == Domain::BLOB {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]725 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
726 .context(ks_err!("Import wrapped key not supported for self managed blobs."));
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]727 }
728
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]729 let caller_uid = ThreadState::get_calling_uid();
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]730 let user_id = uid_to_android_user(caller_uid);
731
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]732 let key = match key.domain {
733 Domain::APP => KeyDescriptor {
734 domain: key.domain,
Hasini Gunasinghea020b532021-01-07 21:42:35 +0000[diff] [blame]735 nspace: caller_uid as i64,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]736 alias: key.alias.clone(),
737 blob: None,
738 },
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]739 Domain::SELINUX => KeyDescriptor {
740 domain: Domain::SELINUX,
741 nspace: key.nspace,
742 alias: key.alias.clone(),
743 blob: None,
744 },
745 _ => panic!("Unreachable."),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]746 };
747
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]748 // Import_wrapped_key requires the rebind permission for the new key.
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]749 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!())?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]750
Eric Biggers673d34a2023-10-18 01:54:18 +0000[diff] [blame]751 let super_key = SUPER_KEY.read().unwrap().get_after_first_unlock_key_by_user_id(user_id);
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]752
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]753 let (wrapping_key_id_guard, mut wrapping_key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]754 .with(|db| {
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]755 LEGACY_IMPORTER.with_try_import(&key, caller_uid, super_key, || {
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]756 db.borrow_mut().load_key_entry(
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]757 wrapping_key,
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]758 KeyType::Client,
759 KeyEntryLoadBits::KM,
760 caller_uid,
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]761 |k, av| check_key_permission(KeyPerm::Use, k, &av),
Hasini Gunasinghe3ed5da72021-02-04 15:18:54 +0000[diff] [blame]762 )
763 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]764 })
Shaquille Johnsone8b152a2023-02-09 15:15:50 +0000[diff] [blame]765 .context(ks_err!("Failed to load wrapping key."))?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]766
Shaquille Johnsonaec2eca2022-11-30 17:08:05 +0000[diff] [blame]767 let (wrapping_key_blob, wrapping_blob_metadata) =
768 wrapping_key_entry.take_key_blob_info().ok_or_else(error::Error::sys).context(
769 ks_err!("No km_blob after successfully loading key. This should never happen."),
770 )?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]771
Janis Danisevskis0fd25a62022-01-04 19:53:37 -0800[diff] [blame]772 let wrapping_key_blob = SUPER_KEY
773 .read()
774 .unwrap()
775 .unwrap_key_if_required(&wrapping_blob_metadata, &wrapping_key_blob)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]776 .context(ks_err!("Failed to handle super encryption for wrapping key."))?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]777
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]778 // km_dev.importWrappedKey does not return a certificate chain.
779 // TODO Do we assume that all wrapped keys are symmetric?
780 // let certificate_chain: Vec<KmCertificate> = Default::default();
781
782 let pw_sid = authenticators
783 .iter()
784 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]785 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]786 _ => None,
787 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]788 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]789
790 let fp_sid = authenticators
791 .iter()
792 .find_map(|a| match a.authenticatorType {
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]793 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]794 _ => None,
795 })
Janis Danisevskis32adc7d2021-02-07 14:04:01 -0800[diff] [blame]796 .unwrap_or(-1);
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]797
798 let masking_key = masking_key.unwrap_or(ZERO_BLOB_32);
799
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]800 let (creation_result, _) = self
801 .upgrade_keyblob_if_required_with(
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]802 Some(wrapping_key_id_guard),
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]803 &wrapping_key_blob,
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]804 wrapping_blob_metadata.km_uuid().copied(),
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]805 &[],
806 |wrapping_blob| {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]807 let _wp = self.watch(
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]808 "In KeystoreSecurityLevel::import_wrapped_key: calling importWrappedKey.",
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]809 );
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]810 let creation_result = map_km_error(self.keymint.importWrappedKey(
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]811 wrapped_data,
Janis Danisevskis7e8b4622021-02-13 10:01:59 -0800[diff] [blame]812 wrapping_blob,
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]813 masking_key,
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]814 params,
Janis Danisevskis104d8e42021-01-14 22:49:27 -0800[diff] [blame]815 pw_sid,
816 fp_sid,
817 ))?;
818 Ok(creation_result)
819 },
820 )
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]821 .context(ks_err!())?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]822
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]823 self.store_new_key(key, creation_result, user_id, None)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]824 .context(ks_err!("Trying to store the new key."))
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]825 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]826
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]827 fn store_upgraded_keyblob(
828 key_id_guard: KeyIdGuard,
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]829 km_uuid: Option<Uuid>,
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]830 key_blob: &KeyBlob,
831 upgraded_blob: &[u8],
832 ) -> Result<()> {
833 let (upgraded_blob_to_be_stored, new_blob_metadata) =
Chris Wailesd5aaaef2021-07-27 16:04:33 -0700[diff] [blame]834 SuperKeyManager::reencrypt_if_required(key_blob, upgraded_blob)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]835 .context(ks_err!("Failed to handle super encryption."))?;
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]836
Paul Crowley44c02da2021-04-08 17:04:43 +0000[diff] [blame]837 let mut new_blob_metadata = new_blob_metadata.unwrap_or_default();
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]838 if let Some(uuid) = km_uuid {
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]839 new_blob_metadata.add(BlobMetaEntry::KmUuid(uuid));
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]840 }
841
842 DB.with(|db| {
843 let mut db = db.borrow_mut();
844 db.set_blob(
845 &key_id_guard,
846 SubComponentType::KEY_BLOB,
847 Some(&upgraded_blob_to_be_stored),
848 Some(&new_blob_metadata),
849 )
850 })
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]851 .context(ks_err!("Failed to insert upgraded blob into the database."))
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]852 }
853
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]854 fn upgrade_keyblob_if_required_with<T, F>(
855 &self,
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]856 mut key_id_guard: Option<KeyIdGuard>,
Paul Crowley7a658392021-03-18 17:08:20 -0700[diff] [blame]857 key_blob: &KeyBlob,
Max Bires55620ff2022-02-11 13:34:15 -0800[diff] [blame]858 km_uuid: Option<Uuid>,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]859 params: &[KeyParameter],
860 f: F,
861 ) -> Result<(T, Option<Vec<u8>>)>
862 where
863 F: Fn(&[u8]) -> Result<T, Error>,
864 {
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]865 let (v, upgraded_blob) = crate::utils::upgrade_keyblob_if_required_with(
David Drysdale5accbaa2023-04-12 18:47:10 +0100[diff] [blame]866 &*self.keymint,
867 self.hw_info.versionNumber,
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]868 key_blob,
869 params,
870 f,
871 |upgraded_blob| {
872 if key_id_guard.is_some() {
873 // Unwrap cannot panic, because the is_some was true.
874 let kid = key_id_guard.take().unwrap();
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]875 Self::store_upgraded_keyblob(kid, km_uuid, key_blob, upgraded_blob)
876 .context(ks_err!("store_upgraded_keyblob failed"))
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]877 } else {
878 Ok(())
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]879 }
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]880 },
881 )
Shaquille Johnsona820ef52024-06-20 13:48:23 +0000[diff] [blame^]882 .context(ks_err!("upgrade_keyblob_if_required_with(key_id={:?})", key_id_guard))?;
Hasini Gunasinghedeab85d2021-02-01 21:10:02 +0000[diff] [blame]883
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]884 // If no upgrade was needed, use the opportunity to reencrypt the blob if required
885 // and if the a key_id_guard is held. Note: key_id_guard can only be Some if no
886 // upgrade was performed above and if one was given in the first place.
887 if key_blob.force_reencrypt() {
888 if let Some(kid) = key_id_guard {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]889 Self::store_upgraded_keyblob(kid, km_uuid, key_blob, key_blob)
890 .context(ks_err!("store_upgraded_keyblob failed in forced reencrypt"))?;
Paul Crowley8d5b2532021-03-19 10:53:07 -0700[diff] [blame]891 }
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]892 }
Janis Danisevskisf84d0b02022-01-26 14:11:14 -0800[diff] [blame]893 Ok((v, upgraded_blob))
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]894 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]895
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]896 fn upgrade_rkpd_keyblob_if_required_with<T, F>(
897 &self,
898 key_blob: &[u8],
899 params: &[KeyParameter],
900 f: F,
901 ) -> Result<(T, Option<Vec<u8>>)>
902 where
903 F: Fn(&[u8]) -> Result<T, Error>,
904 {
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]905 let rpc_name = get_remotely_provisioned_component_name(&self.security_level)
906 .context(ks_err!("Trying to get IRPC name."))?;
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]907 crate::utils::upgrade_keyblob_if_required_with(
908 &*self.keymint,
David Drysdale5accbaa2023-04-12 18:47:10 +0100[diff] [blame]909 self.hw_info.versionNumber,
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]910 key_blob,
911 params,
912 f,
913 |upgraded_blob| {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]914 let _wp = wd::watch("Calling store_rkpd_attestation_key()");
Alice Wang849cfe42023-11-10 12:43:36 +0000[diff] [blame]915 if let Err(e) = store_rkpd_attestation_key(&rpc_name, key_blob, upgraded_blob) {
916 Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"))
917 } else {
918 Ok(())
919 }
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]920 },
921 )
Shaquille Johnsona820ef52024-06-20 13:48:23 +0000[diff] [blame^]922 .context(ks_err!(
923 "upgrade_rkpd_keyblob_if_required_with(params={:?})",
924 log_security_safe_params(params)
925 ))
Tri Vob5e43d12022-12-21 08:54:14 -0800[diff] [blame]926 }
927
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]928 fn convert_storage_key_to_ephemeral(
929 &self,
930 storage_key: &KeyDescriptor,
931 ) -> Result<EphemeralStorageKeyResponse> {
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]932 if storage_key.domain != Domain::BLOB {
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]933 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
934 .context(ks_err!("Key must be of Domain::BLOB"));
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]935 }
936 let key_blob = storage_key
937 .blob
938 .as_ref()
939 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]940 .context(ks_err!("No key blob specified"))?;
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]941
942 // convert_storage_key_to_ephemeral requires the associated permission
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]943 check_key_permission(KeyPerm::ConvertStorageKeyToEphemeral, storage_key, &None)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]944 .context(ks_err!("Check permission"))?;
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]945
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]946 let km_dev = &self.keymint;
James Farrellefe1a2f2024-02-28 21:36:47 +0000[diff] [blame]947 let res = {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]948 let _wp = self.watch(concat!(
949 "In IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ",
950 "calling convertStorageKeyToEphemeral (1)"
951 ));
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]952 map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob))
James Farrellefe1a2f2024-02-28 21:36:47 +0000[diff] [blame]953 };
954 match res {
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]955 Ok(result) => {
956 Ok(EphemeralStorageKeyResponse { ephemeralKey: result, upgradedBlob: None })
957 }
958 Err(error::Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => {
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]959 let upgraded_blob = {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]960 let _wp = self.watch("In convert_storage_key_to_ephemeral: calling upgradeKey");
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]961 map_km_error(km_dev.upgradeKey(key_blob, &[]))
962 }
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]963 .context(ks_err!("Failed to upgrade key blob."))?;
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]964 let ephemeral_key = {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]965 let _wp = self.watch(
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]966 "In convert_storage_key_to_ephemeral: calling convertStorageKeyToEphemeral (2)",
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]967 );
Janis Danisevskis84af4d12021-07-22 17:39:15 -0700[diff] [blame]968 map_km_error(km_dev.convertStorageKeyToEphemeral(&upgraded_blob))
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]969 }
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]970 .context(ks_err!(
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]971 "Failed to retrieve ephemeral key (after upgrade)."
972 ))?;
973 Ok(EphemeralStorageKeyResponse {
974 ephemeralKey: ephemeral_key,
975 upgradedBlob: Some(upgraded_blob),
976 })
977 }
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]978 Err(e) => Err(e).context(ks_err!("Failed to retrieve ephemeral key.")),
Janis Danisevskisb2434d02021-04-20 12:49:27 -0700[diff] [blame]979 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]980 }
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]981
982 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
983 if key.domain != Domain::BLOB {
984 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]985 .context(ks_err!("delete_key: Key must be of Domain::BLOB"));
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]986 }
987
988 let key_blob = key
989 .blob
990 .as_ref()
991 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT))
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]992 .context(ks_err!("delete_key: No key blob specified"))?;
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]993
Janis Danisevskis39d57e72021-10-19 16:56:20 -0700[diff] [blame]994 check_key_permission(KeyPerm::Delete, key, &None)
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]995 .context(ks_err!("delete_key: Checking delete permissions"))?;
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]996
Janis Danisevskis5f3a0572021-06-18 11:26:42 -0700[diff] [blame]997 let km_dev = &self.keymint;
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]998 {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]999 let _wp = self.watch("In KeystoreSecuritylevel::delete_key: calling deleteKey");
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +0000[diff] [blame]1000 map_km_error(km_dev.deleteKey(key_blob)).context(ks_err!("keymint device deleteKey"))
Janis Danisevskis2ee014b2021-05-05 14:29:08 -0700[diff] [blame]1001 }
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]1002 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1003}
1004
1005impl binder::Interface for KeystoreSecurityLevel {}
1006
1007impl IKeystoreSecurityLevel for KeystoreSecurityLevel {
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]1008 fn createOperation(
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1009 &self,
1010 key: &KeyDescriptor,
1011 operation_parameters: &[KeyParameter],
1012 forced: bool,
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1013 ) -> binder::Result<CreateOperationResponse> {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1014 let _wp = self.watch("IKeystoreSecurityLevel::createOperation");
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1015 self.create_operation(key, operation_parameters, forced).map_err(into_logged_binder)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1016 }
1017 fn generateKey(
1018 &self,
1019 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]1020 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1021 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]1022 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1023 entropy: &[u8],
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1024 ) -> binder::Result<KeyMetadata> {
Hasini Gunasinghe5a893e82021-05-05 14:32:32 +0000[diff] [blame]1025 // Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more
1026 // time than other operations
1027 let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000);
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]1028 let result = self.generate_key(key, attestation_key, params, flags, entropy);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]1029 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame]1030 log_key_generated(key, ThreadState::get_calling_uid(), result.is_ok());
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1031 result.map_err(into_logged_binder)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1032 }
1033 fn importKey(
1034 &self,
1035 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]1036 attestation_key: Option<&KeyDescriptor>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1037 params: &[KeyParameter],
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]1038 flags: i32,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1039 key_data: &[u8],
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1040 ) -> binder::Result<KeyMetadata> {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1041 let _wp = self.watch("IKeystoreSecurityLevel::importKey");
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]1042 let result = self.import_key(key, attestation_key, params, flags, key_data);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]1043 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame]1044 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok());
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1045 result.map_err(into_logged_binder)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1046 }
1047 fn importWrappedKey(
1048 &self,
1049 key: &KeyDescriptor,
1050 wrapping_key: &KeyDescriptor,
1051 masking_key: Option<&[u8]>,
1052 params: &[KeyParameter],
1053 authenticators: &[AuthenticatorSpec],
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1054 ) -> binder::Result<KeyMetadata> {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1055 let _wp = self.watch("IKeystoreSecurityLevel::importWrappedKey");
Hasini Gunasingheb7142972021-02-20 03:11:27 +0000[diff] [blame]1056 let result =
1057 self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators);
Hasini Gunasinghe9617fd92021-04-01 22:27:07 +0000[diff] [blame]1058 log_key_creation_event_stats(self.security_level, params, &result);
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame]1059 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok());
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1060 result.map_err(into_logged_binder)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1061 }
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]1062 fn convertStorageKeyToEphemeral(
1063 &self,
1064 storage_key: &KeyDescriptor,
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1065 ) -> binder::Result<EphemeralStorageKeyResponse> {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1066 let _wp = self.watch("IKeystoreSecurityLevel::convertStorageKeyToEphemeral");
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1067 self.convert_storage_key_to_ephemeral(storage_key).map_err(into_logged_binder)
Satya Tangirala3361b612021-03-08 14:36:11 -0800[diff] [blame]1068 }
Stephen Crane23cf7242022-01-19 17:49:46 +0000[diff] [blame]1069 fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> {
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1070 let _wp = self.watch("IKeystoreSecurityLevel::deleteKey");
Pavel Grafov94243c22021-04-21 18:03:11 +0100[diff] [blame]1071 let result = self.delete_key(key);
1072 log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok());
David Drysdaledb7ddde2024-06-07 16:22:49 +0100[diff] [blame]1073 result.map_err(into_logged_binder)
Satya Tangirala04bca0d2021-03-08 22:27:54 -0800[diff] [blame]1074 }
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1075}
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]1076
1077#[cfg(test)]
1078mod tests {
1079 use super::*;
1080 use crate::error::map_km_error;
1081 use crate::globals::get_keymint_device;
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]1082 use crate::utils::upgrade_keyblob_if_required_with;
1083 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
1084 Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
1085 KeyParameterValue::KeyParameterValue, Tag::Tag,
1086 };
1087 use keystore2_crypto::parse_subject_from_certificate;
Alice Wang01c16b62023-11-07 14:27:49 +0000[diff] [blame]1088 use rkpd_client::get_rkpd_attestation_key;
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]1089
1090 #[test]
1091 // This is a helper for a manual test. We want to check that after a system upgrade RKPD
1092 // attestation keys can also be upgraded and stored again with RKPD. The steps are:
1093 // 1. Run this test and check in stdout that no key upgrade happened.
1094 // 2. Perform a system upgrade.
1095 // 3. Run this test and check in stdout that key upgrade did happen.
1096 //
1097 // Note that this test must be run with that same UID every time. Running as root, i.e. UID 0,
1098 // should do the trick. Also, use "--nocapture" flag to get stdout.
1099 fn test_rkpd_attestation_key_upgrade() {
1100 binder::ProcessState::start_thread_pool();
1101 let security_level = SecurityLevel::TRUSTED_ENVIRONMENT;
1102 let (keymint, info, _) = get_keymint_device(&security_level).unwrap();
1103 let key_id = 0;
1104 let mut key_upgraded = false;
1105
1106 let rpc_name = get_remotely_provisioned_component_name(&security_level).unwrap();
1107 let key = get_rkpd_attestation_key(&rpc_name, key_id).unwrap();
1108 assert!(!key.keyBlob.is_empty());
1109 assert!(!key.encodedCertChain.is_empty());
1110
1111 upgrade_keyblob_if_required_with(
1112 &*keymint,
1113 info.versionNumber,
1114 &key.keyBlob,
1115 /*upgrade_params=*/ &[],
1116 /*km_op=*/
1117 |blob| {
1118 let params = vec![
1119 KeyParameter {
1120 tag: Tag::ALGORITHM,
1121 value: KeyParameterValue::Algorithm(Algorithm::AES),
1122 },
1123 KeyParameter {
1124 tag: Tag::ATTESTATION_CHALLENGE,
1125 value: KeyParameterValue::Blob(vec![0; 16]),
1126 },
1127 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) },
1128 ];
1129 let attestation_key = AttestationKey {
1130 keyBlob: blob.to_vec(),
1131 attestKeyParams: vec![],
1132 issuerSubjectName: parse_subject_from_certificate(&key.encodedCertChain)
1133 .unwrap(),
1134 };
1135
1136 map_km_error(keymint.generateKey(&params, Some(&attestation_key)))
1137 },
1138 /*new_blob_handler=*/
1139 |new_blob| {
1140 // This handler is only executed if a key upgrade was performed.
1141 key_upgraded = true;
David Drysdale541846b2024-05-23 13:16:07 +0100[diff] [blame]1142 let _wp = wd::watch("Calling store_rkpd_attestation_key()");
Alice Wangbf6a6932023-11-07 11:47:12 +0000[diff] [blame]1143 store_rkpd_attestation_key(&rpc_name, &key.keyBlob, new_blob).unwrap();
1144 Ok(())
1145 },
1146 )
1147 .unwrap();
1148
1149 if key_upgraded {
1150 println!("RKPD key was upgraded and stored with RKPD.");
1151 } else {
1152 println!("RKPD key was NOT upgraded.");
1153 }
1154 }
1155}