blob: 811ad98a0b0c4834b1c6461ff7c41c414b376734 [file] [log] [blame]
Max Bires148c08e2020-10-13 13:41:41 -07001// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15//! This is the implementation for the remote provisioning AIDL interface between
16//! the network providers for remote provisioning and the system. This interface
17//! allows the caller to prompt the Remote Provisioning HAL to generate keys and
18//! CBOR blobs that can be ferried to a provisioning server that will return
19//! certificate chains signed by some root authority and stored in a keystore SQLite
20//! DB.
21
Max Biresb2e1d032021-02-08 21:35:05 -080022use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
Max Bires97f96812021-02-23 23:44:57 -080023 Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
Seth Moorecd6e9182022-11-04 17:39:05 +000024 KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
Max Bires834dd362021-03-23 13:01:57 -070025 Tag::Tag,
Max Biresb2e1d032021-02-08 21:35:05 -080026};
Max Bires97f96812021-02-23 23:44:57 -080027use android_system_keystore2::aidl::android::system::keystore2::{
Tri Voa1634bb2022-12-01 15:54:19 -080028 Domain::Domain, KeyDescriptor::KeyDescriptor,
Max Bires97f96812021-02-23 23:44:57 -080029};
Max Biresb2e1d032021-02-08 21:35:05 -080030use anyhow::{Context, Result};
Max Bires97f96812021-02-23 23:44:57 -080031use keystore2_crypto::parse_subject_from_certificate;
Max Bires148c08e2020-10-13 13:41:41 -070032
Tri Voa1634bb2022-12-01 15:54:19 -080033use crate::database::Uuid;
Shaquille Johnson9da2e1c2022-09-19 12:39:01 +000034use crate::ks_err;
Hasini Gunasinghe8a1a2242021-08-02 22:28:39 +000035use crate::metrics_store::log_rkp_error_stats;
Tri Vob5e43d12022-12-21 08:54:14 -080036use crate::rkpd_client::get_rkpd_attestation_key;
Hasini Gunasinghe8a1a2242021-08-02 22:28:39 +000037use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
Max Bires148c08e2020-10-13 13:41:41 -070038
Max Bires97f96812021-02-23 23:44:57 -080039/// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
40/// to assign and retrieve attestation keys and certificate chains.
41#[derive(Default)]
42pub struct RemProvState {
43 security_level: SecurityLevel,
44 km_uuid: Uuid,
Max Bires97f96812021-02-23 23:44:57 -080045}
46
47impl RemProvState {
48 /// Creates a RemProvState struct.
49 pub fn new(security_level: SecurityLevel, km_uuid: Uuid) -> Self {
Tri Voa1634bb2022-12-01 15:54:19 -080050 Self { security_level, km_uuid }
Max Bires97f96812021-02-23 23:44:57 -080051 }
52
Max Bires55620ff2022-02-11 13:34:15 -080053 /// Returns the uuid for the KM instance attached to this RemProvState struct.
54 pub fn get_uuid(&self) -> Uuid {
55 self.km_uuid
56 }
57
Seth Mooredfdcb872022-04-20 14:33:19 -070058 fn is_rkp_only(&self) -> bool {
Max Bires65207b52022-03-29 23:58:08 -070059 let default_value = false;
60
Seth Mooredfdcb872022-04-20 14:33:19 -070061 let property_name = match self.security_level {
62 SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
63 SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
Max Bires65207b52022-03-29 23:58:08 -070064 _ => return default_value,
65 };
66
67 rustutils::system_properties::read_bool(property_name, default_value)
68 .unwrap_or(default_value)
69 }
70
Max Bires97f96812021-02-23 23:44:57 -080071 fn is_asymmetric_key(&self, params: &[KeyParameter]) -> bool {
72 params.iter().any(|kp| {
73 matches!(
74 kp,
75 KeyParameter {
76 tag: Tag::ALGORITHM,
77 value: KeyParameterValue::Algorithm(Algorithm::RSA)
78 } | KeyParameter {
79 tag: Tag::ALGORITHM,
80 value: KeyParameterValue::Algorithm(Algorithm::EC)
81 }
82 )
83 })
84 }
85
Tri Vob5e43d12022-12-21 08:54:14 -080086 /// Fetches attestation key and corresponding certificates from RKPD.
87 pub fn get_rkpd_attestation_key_and_certs(
88 &self,
89 key: &KeyDescriptor,
90 caller_uid: u32,
91 params: &[KeyParameter],
92 ) -> Result<Option<(AttestationKey, Certificate)>> {
93 if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
94 Ok(None)
95 } else {
96 match get_rkpd_attestation_key(&self.security_level, caller_uid) {
97 Err(e) => {
98 if self.is_rkp_only() {
99 log::error!("Error occurred: {:?}", e);
100 return Err(e);
101 }
102 log::warn!("Error occurred: {:?}", e);
103 log_rkp_error_stats(
104 MetricsRkpError::FALL_BACK_DURING_HYBRID,
105 &self.security_level,
106 );
107 Ok(None)
108 }
109 Ok(rkpd_key) => Ok(Some((
110 AttestationKey {
111 keyBlob: rkpd_key.keyBlob,
112 attestKeyParams: vec![],
113 // Batch certificate is at the beginning of the certificate chain.
114 issuerSubjectName: parse_subject_from_certificate(
115 &rkpd_key.encodedCertChain,
116 )
117 .context(ks_err!("Failed to parse subject."))?,
118 },
119 Certificate { encodedCertificate: rkpd_key.encodedCertChain },
120 ))),
121 }
122 }
123 }
Max Bires97f96812021-02-23 23:44:57 -0800124}