Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / bf15d7344f87ed7169b1e54279c062aafd2fb2ef / . / keystore2 / src / service.rs
blob: eb0d01b73f814fbfa829cd0834c5cea13b52af34 [file] [log] [blame]
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]1// Copyright 2020, The Android Open Source Project
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7// http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14
15// TODO remove when fully implemented.
16#![allow(unused_variables)]
17
18//! This crate implement the core Keystore 2.0 service API as defined by the Keystore 2.0
19//! AIDL spec.
20
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]21use crate::database::{KeyEntryLoadBits, SubComponentType};
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]22use crate::error::{self, map_or_log_err, ErrorCode};
23use crate::globals::DB;
24use crate::permission;
25use crate::permission::KeyPerm;
26use crate::security_level::KeystoreSecurityLevel;
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]27use crate::utils::{
28 check_grant_permission, check_key_permission, key_parameters_to_authorizations, Asp,
29};
Shawn Willden708744a2020-12-11 13:05:27 +0000[diff] [blame]30use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]31use android_system_keystore2::aidl::android::system::keystore2::{
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]32 Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
33 IKeystoreService::BnKeystoreService, IKeystoreService::IKeystoreService,
34 KeyDescriptor::KeyDescriptor, KeyEntryResponse::KeyEntryResponse, KeyMetadata::KeyMetadata,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]35};
36use anyhow::{anyhow, Context, Result};
37use binder::{IBinder, Interface, ThreadState};
38
39/// Implementation of the IKeystoreService.
40pub struct KeystoreService {
41 sec_level: Asp,
42}
43
44impl KeystoreService {
45 /// Create a new instance of the Keystore 2.0 service.
46 pub fn new_native_binder() -> Result<impl IKeystoreService> {
47 let result = BnKeystoreService::new_binder(Self {
48 sec_level: Asp::new({
49 let sec_level =
50 KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
51 .context("While trying to create IKeystoreSecurityLevel")?;
52 sec_level.as_binder()
53 }),
54 });
55 result.as_binder().set_requesting_sid(true);
56 Ok(result)
57 }
58
59 fn get_security_level(
60 &self,
61 security_level: SecurityLevel,
62 ) -> Result<Box<dyn IKeystoreSecurityLevel>> {
63 match security_level {
64 SecurityLevel::TRUSTED_ENVIRONMENT => self
65 .sec_level
66 .get_interface()
67 .context("In get_security_level: Failed to get IKeystoreSecurityLevel."),
68 _ => Err(anyhow!(error::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE))),
69 }
70 }
71
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]72 fn get_key_entry(&self, key: &KeyDescriptor) -> Result<KeyEntryResponse> {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]73 let (key_id_guard, mut key_entry) = DB
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]74 .with(|db| {
75 db.borrow_mut().load_key_entry(
76 key.clone(),
77 KeyEntryLoadBits::PUBLIC,
78 ThreadState::get_calling_uid(),
79 |k, av| check_key_permission(KeyPerm::get_info(), k, &av),
80 )
81 })
82 .context("In get_key_entry, while trying to load key info.")?;
83
84 let i_sec_level = match key_entry.sec_level() {
85 SecurityLevel::TRUSTED_ENVIRONMENT => self
86 .sec_level
87 .get_interface()
88 .context("In get_key_entry: Failed to get IKeystoreSecurityLevel.")?,
89 _ => return Err(anyhow!(error::Error::Km(ErrorCode::HARDWARE_TYPE_UNAVAILABLE))),
90 };
91
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]92 Ok(KeyEntryResponse {
93 iSecurityLevel: Some(i_sec_level),
94 metadata: KeyMetadata {
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]95 key: KeyDescriptor {
96 domain: Domain::KEY_ID,
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]97 nspace: key_id_guard.id(),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]98 ..Default::default()
99 },
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]100 keySecurityLevel: key_entry.sec_level(),
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]101 certificate: key_entry.take_cert(),
102 certificateChain: key_entry.take_cert_chain(),
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]103 authorizations: key_parameters_to_authorizations(key_entry.into_key_parameters()),
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]104 ..Default::default()
105 },
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]106 })
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]107 }
108
109 fn update_subcomponent(
110 &self,
111 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]112 public_cert: Option<&[u8]>,
113 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]114 ) -> Result<()> {
115 DB.with::<_, Result<()>>(|db| {
116 let mut db = db.borrow_mut();
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]117 let (key_id_guard, key_entry) = db
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]118 .load_key_entry(
119 key.clone(),
120 KeyEntryLoadBits::NONE,
121 ThreadState::get_calling_uid(),
122 |k, av| {
123 check_key_permission(KeyPerm::update(), k, &av)
124 .context("In update_subcomponent.")
125 },
126 )
127 .context("Failed to load key_entry.")?;
128
129 if let Some(cert) = public_cert {
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]130 db.insert_blob(&key_id_guard, SubComponentType::CERT, cert, key_entry.sec_level())
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]131 .context("Failed to update cert subcomponent.")?;
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]132 }
133
134 if let Some(cert_chain) = certificate_chain {
135 db.insert_blob(
Janis Danisevskisaec14592020-11-12 09:41:49 -0800[diff] [blame]136 &key_id_guard,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]137 SubComponentType::CERT_CHAIN,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]138 cert_chain,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]139 key_entry.sec_level(),
140 )
141 .context("Failed to update cert chain subcomponent.")?;
142 }
143 Ok(())
144 })
145 .context("In update_subcomponent.")
146 }
147
148 fn list_entries(&self, domain: Domain, namespace: i64) -> Result<Vec<KeyDescriptor>> {
149 // TODO implement.
150 Err(anyhow!(error::Error::sys()))
151 }
152
153 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
154 // TODO implement.
155 Err(anyhow!(error::Error::sys()))
156 }
157
158 fn grant(
159 &self,
160 key: &KeyDescriptor,
161 grantee_uid: i32,
162 access_vector: permission::KeyPermSet,
163 ) -> Result<KeyDescriptor> {
164 DB.with(|db| {
165 db.borrow_mut().grant(
166 key.clone(),
167 ThreadState::get_calling_uid(),
168 grantee_uid as u32,
169 access_vector,
170 |k, av| check_grant_permission(*av, k).context("During grant."),
171 )
172 })
173 .context("In KeystoreService::grant.")
174 }
175
176 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> Result<()> {
177 DB.with(|db| {
178 db.borrow_mut().ungrant(
179 key.clone(),
180 ThreadState::get_calling_uid(),
181 grantee_uid as u32,
182 |k| check_key_permission(KeyPerm::grant(), k, &None),
183 )
184 })
185 .context("In KeystoreService::ungrant.")
186 }
187}
188
189impl binder::Interface for KeystoreService {}
190
191// Implementation of IKeystoreService. See AIDL spec at
192// system/security/keystore2/binder/android/security/keystore2/IKeystoreService.aidl
193impl IKeystoreService for KeystoreService {
194 fn getSecurityLevel(
195 &self,
Janis Danisevskisa53c9cf2020-10-26 11:52:33 -0700[diff] [blame]196 security_level: SecurityLevel,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]197 ) -> binder::public_api::Result<Box<dyn IKeystoreSecurityLevel>> {
Janis Danisevskis04b02832020-10-26 09:21:40 -0700[diff] [blame]198 map_or_log_err(self.get_security_level(SecurityLevel(security_level.0)), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]199 }
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]200 fn getKeyEntry(&self, key: &KeyDescriptor) -> binder::public_api::Result<KeyEntryResponse> {
201 map_or_log_err(self.get_key_entry(key), Ok)
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]202 }
203 fn updateSubcomponent(
204 &self,
205 key: &KeyDescriptor,
Janis Danisevskis2c7f9622020-09-30 16:30:31 -0700[diff] [blame]206 public_cert: Option<&[u8]>,
207 certificate_chain: Option<&[u8]>,
Janis Danisevskis1af91262020-08-10 14:58:08 -0700[diff] [blame]208 ) -> binder::public_api::Result<()> {
209 map_or_log_err(self.update_subcomponent(key, public_cert, certificate_chain), Ok)
210 }
211 fn listEntries(
212 &self,
213 domain: Domain,
214 namespace: i64,
215 ) -> binder::public_api::Result<Vec<KeyDescriptor>> {
216 map_or_log_err(self.list_entries(domain, namespace), Ok)
217 }
218 fn deleteKey(&self, key: &KeyDescriptor) -> binder::public_api::Result<()> {
219 map_or_log_err(self.delete_key(key), Ok)
220 }
221 fn grant(
222 &self,
223 key: &KeyDescriptor,
224 grantee_uid: i32,
225 access_vector: i32,
226 ) -> binder::public_api::Result<KeyDescriptor> {
227 map_or_log_err(self.grant(key, grantee_uid, access_vector.into()), Ok)
228 }
229 fn ungrant(&self, key: &KeyDescriptor, grantee_uid: i32) -> binder::public_api::Result<()> {
230 map_or_log_err(self.ungrant(key, grantee_uid), Ok)
231 }
232}