author | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-10 02:04:45 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2020-03-10 02:04:45 +0000 |
commit | a397c081977806665b24e01302da50291746a87e (patch) | |
tree | 272c48eb5b6fe2fb5c84929ad6d63194957c5f9a | |
parent | cdb7b3da0e3b2d657110fc4ccaaef4f074f10b76 (diff) | |
parent | ff7e85efdac3fcf8c75ad23009470799bf75beea (diff) | |
Snap for 6279178 from ff7e85efdac3fcf8c75ad23009470799bf75beea to rvc-release
Change-Id: I117842a61d55791a5bfc8df794fd43a0831cdbe9
-rw-r--r-- | fsverity_init/Android.bp | 1 | ||||
-rw-r--r-- | fsverity_init/fsverity_init.cpp | 32 | ||||
-rw-r--r-- | identity/Credential.cpp | 45 | ||||
-rw-r--r-- | keystore/keystore.rc | 2 | ||||
-rw-r--r-- | keystore/permissions.cpp | 2 |
5 files changed, 24 insertions, 58 deletions
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
index 407849d5..3c9ade00 100644
--- a/fsverity_init/Android.bp
+++ b/fsverity_init/Android.bp
@@ -9,7 +9,6 @@ cc_binary {
 ],
 shared_libs: [
 "libbase",
- "libkeystore_binder",
 "libkeyutils",
 "liblog",
 "liblogwrap",
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
index 70523756..e2a8bf70 100644
--- a/fsverity_init/fsverity_init.cpp
+++ b/fsverity_init/fsverity_init.cpp
@@ -19,20 +19,14 @@
 #include <sys/types.h>
 #include <filesystem>
-#include <memory>
 #include <string>
-#include <vector>
 #include <android-base/file.h>
 #include <android-base/logging.h>
 #include <android-base/properties.h>
 #include <android-base/strings.h>
-#include <keystore/keystore_client.h>
-#include <keystore/keystore_client_impl.h>
-#include <keystore/keystore_get.h>
 #include <log/log.h>
 #include <mini_keyctl_utils.h>
-#include <private/android_filesystem_config.h>
 bool LoadKeyToKeyring(key_serial_t keyring_id, const char* desc, const char* data, size_t size) {
 key_serial_t key = add_key("asymmetric", desc, data, size, keyring_id);
@@ -61,31 +55,6 @@ void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
 }
 }
-std::unique_ptr<keystore::KeystoreClient> CreateKeystoreInstance() {
- return std::unique_ptr<keystore::KeystoreClient>(
- static_cast<keystore::KeystoreClient*>(new keystore::KeystoreClientImpl));
-}
-
-void LoadKeysFromKeystore(key_serial_t keyring_id) {
- auto client = CreateKeystoreInstance();
-
- std::vector<std::string> aliases;
- if (client == nullptr || !client->listKeysOfUid("FSV_", AID_FSVERITY_CERT, &aliases)) {
- LOG(ERROR) << "Failed to list key";
- return;
- }
-
- // Always try to load all keys even if some fails to load. The rest may still
- // be important to have.
- for (auto& alias : aliases) {
- auto blob = client->getKey(alias, AID_FSVERITY_CERT);
- if (!LoadKeyToKeyring(keyring_id, "fsv_user", reinterpret_cast<char*>(blob->data()),
- blob->size())) {
- LOG(ERROR) << "Failed to load key " << alias << " from keyring";
- }
- }
-}
-
 int main(int /*argc*/, const char** /*argv*/) {
 key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
 if (keyring_id < 0) {
@@ -100,7 +69,6 @@ int main(int /*argc*/, const char** /*argv*/) {
 }
 LoadKeyFromVerifiedPartitions(keyring_id);
- LoadKeysFromKeystore(keyring_id);
 if (!android::base::GetBoolProperty("ro.debuggable", false)) {
 if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
diff --git a/identity/Credential.cpp b/identity/Credential.cpp
index 604d2621..05c31d3d 100644
--- a/identity/Credential.cpp
+++ b/identity/Credential.cpp
@@ -242,8 +242,28 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
 }
 }
- Status status = halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage,
- sessionTranscript, readerSignature, requestCounts);
+ // Note that the selectAuthKey() method is only called if a CryptoObject is involved at
+ // the Java layer. So we could end up with no previously selected auth key and we may
+ // need one.
+ const AuthKeyData* authKey = selectedAuthKey_;
+ if (sessionTranscript.size() > 0) {
+ if (authKey == nullptr) {
+ authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
+ if (authKey == nullptr) {
+ return Status::fromServiceSpecificError(
+ ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
+ "No suitable authentication key available");
+ }
+ }
+ }
+ vector<uint8_t> signingKeyBlob;
+ if (authKey != nullptr) {
+ signingKeyBlob = authKey->keyBlob;
+ }
+
+ Status status =
+ halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage, signingKeyBlob,
+ sessionTranscript, readerSignature, requestCounts);
 if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
 int code = status.serviceSpecificErrorCode();
 if (code == IIdentityCredentialStore::STATUS_EPHEMERAL_PUBLIC_KEY_NOT_FOUND) {
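Review bot: When `sessionTranscript` is empty the new block still forwards a non-empty `signingKeyBlob` if `selectedAuthKey_` was set earlier, while a fresh key is only chosen when a transcript is present, and nothing in the added comment says which of these the HAL is expected to handle; please state the contract next to the declaration, e.g. `// Without a session transcript nothing is signed, so keyBlob may be empty; the HAL must accept that.` above `vector<uint8_t> signingKeyBlob;`. The emptiness test reads more idiomatically as `if (!sessionTranscript.empty()) {`. Whether a use-count-exhausted key may be handed out here depends on allowUsingExhaustedKeys, which is set outside this hunk, so I cannot tell from the diff whether this layer or the HAL enforces the limit. getEntries starts and ends outside the hunk.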
@@ -319,26 +339,7 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
 ret.resultNamespaces.push_back(resultNamespaceParcel);
 }
- // Note that the selectAuthKey() method is only called if a CryptoObject is involved at
- // the Java layer. So we could end up with no previously selected auth key and we may
- // need one.
- const AuthKeyData* authKey = selectedAuthKey_;
- if (sessionTranscript.size() > 0) {
- if (authKey == nullptr) {
- authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
- if (authKey == nullptr) {
- return Status::fromServiceSpecificError(
- ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
- "No suitable authentication key available");
- }
- }
- }
-
- vector<uint8_t> signingKeyBlob;
- if (authKey != nullptr) {
- signingKeyBlob = authKey->keyBlob;
- }
-
- status = halBinder_->finishRetrieval(signingKeyBlob, &ret.mac, &ret.deviceNameSpaces);
+ status = halBinder_->finishRetrieval(&ret.mac, &ret.deviceNameSpaces);
 if (!status.isOk()) {
 return halStatusToGenericError(status);
 }
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
index a688c5f4..132039a8 100644
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@@ -1,5 +1,5 @@
 service keystore /system/bin/keystore /data/misc/keystore
- class core
+ class main
 user keystore
 group keystore drmrpc readproc log
 writepid /dev/cpuset/foreground/tasks
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index 8b9e28da..2cd42cf2 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -57,8 +57,6 @@ struct user_euid {
 user_euid user_euids[] = {{AID_VPN, AID_SYSTEM}, {AID_WIFI, AID_SYSTEM}, {AID_ROOT, AID_SYSTEM},
- {AID_FSVERITY_CERT, AID_ROOT},
- {AID_FSVERITY_CERT, AID_SYSTEM},
 #ifdef GRANT_ROOT_ALL_PERMISSIONS
 // Allow VTS tests to act on behalf of the wifi user |
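Review bot: The move from `class core` to `class main` changes when init starts keystore and makes it subject to `class_reset`/`class_restart main`, yet the rc file carries no comment recording why an earlier, core-class start is no longer required; the removal of keystore use from fsverity_init elsewhere in this snapshot looks like the motivation, but that is an inference from the diffstat rather than anything stated here. I would add above the service line `# No core-class service depends on keystore any more (fsverity_init loads keys from verified partitions only), so it starts with the main class.` so a later reader does not move it back or forward without re-checking consumers. If any remaining core-class or early-boot client still calls keystore, that client would now race service startup, which is worth confirming before the snapshot ships.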