author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-12 01:10:17 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-12 01:10:17 +0000 |
commit | 4af1e92a9001053adb6b287101c535ab66dcff08 (patch) | |
tree | 3b01ce281a399c5eba2720d418f9248577a0d41a | |
parent | d0054b3799d065a079a5f88551891a4f10dac0ba (diff) | |
parent | be7cc653e60252cf38ea77bf11caac5952b19a67 (diff) | |
download | security-4af1e92a9001053adb6b287101c535ab66dcff08.tar.gz |
Snap for 7633965 from be7cc653e60252cf38ea77bf11caac5952b19a67 to sc-releaseandroid-vts-12.0_r9android-vts-12.0_r8android-vts-12.0_r7android-vts-12.0_r6android-vts-12.0_r5android-vts-12.0_r4android-vts-12.0_r3android-vts-12.0_r2android-vts-12.0_r12android-vts-12.0_r11android-vts-12.0_r10android-vts-12.0_r1android-platform-12.0.0_r1android-cts-12.0_r9android-cts-12.0_r8android-cts-12.0_r7android-cts-12.0_r6android-cts-12.0_r5android-cts-12.0_r4android-cts-12.0_r3android-cts-12.0_r2android-cts-12.0_r12android-cts-12.0_r11android-cts-12.0_r10android-cts-12.0_r1android-12.0.0_r9android-12.0.0_r8android-12.0.0_r34android-12.0.0_r33android-12.0.0_r31android-12.0.0_r30android-12.0.0_r3android-12.0.0_r25android-12.0.0_r2android-12.0.0_r11android-12.0.0_r10android-12.0.0_r1android12-tests-releaseandroid12-s5-releaseandroid12-s4-releaseandroid12-s3-releaseandroid12-s2-releaseandroid12-s1-releaseandroid12-release
Change-Id: I68e89f8818ac37cbe217c9f765ea1bcea1e67957
-rw-r--r-- | keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl | 8 | ||||
-rw-r--r-- | keystore2/src/maintenance.rs | 82 | ||||
-rw-r--r-- | keystore2/src/permission.rs | 2 |
3 files changed, 65 insertions, 27 deletions
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 5f91e799..6a37c786 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -123,4 +123,12 @@ interface IKeystoreMaintenance {
 * `ResponseCode::SYSTEM_ERROR` - An unexpected system error occurred.
 */
 void migrateKeyNamespace(in KeyDescriptor source, in KeyDescriptor destination);
+
+ /**
+ * Deletes all keys in all hardware keystores. Used when keystore is reset completely. After
+ * this function is called all keys with Tag::ROLLBACK_RESISTANCE in their hardware-enforced
+ * authorization lists must be rendered permanently unusable. Keys without
+ * Tag::ROLLBACK_RESISTANCE may or may not be rendered unusable.
+ */
+ void deleteAllKeys();
 }
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 637fb612..3180e5df 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
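Review bot: The new `deleteAllKeys()` doc comment omits the error-conditions list that the neighbouring methods carry (the context line just above still documents `ResponseCode::SYSTEM_ERROR` for `migrateKeyNamespace`), and in particular does not say that the call is gated on the `delete_all_keys` permission this same commit adds in permission.rs. It also does not say that a failure reported for one hardware keystore does not undo deletions already performed on another, which the maintenance.rs implementation implies by calling each security level in turn. Suggested lines for the comment: `` `ResponseCode::PERMISSION_DENIED` - if the caller does not have the `delete_all_keys` permission. `` and `` `ResponseCode::SYSTEM_ERROR` - if deletion failed on at least one hardware keystore; keys on other keystores may already have been deleted. ``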
@@ -152,47 +152,61 @@ impl Maintenance {
 }
 }
- fn early_boot_ended_help(sec_level: SecurityLevel) -> Result<()> {
+ fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
+ where
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ {
 let (dev, _, _) = get_keymint_device(&sec_level)
- .context("In early_boot_ended: getting keymint device")?;
- let km_dev: Strong<dyn IKeyMintDevice> =
- dev.get_interface().context("In early_boot_ended: getting keymint device interface")?;
-
- let _wp = wd::watch_millis_with(
- "In early_boot_ended_help: calling earlyBootEnded()",
- 500,
- move || format!("Seclevel: {:?}", sec_level),
- );
- map_km_error(km_dev.earlyBootEnded())
- .context("In keymint device: calling earlyBootEnded")?;
+ .context("In call_with_watchdog: getting keymint device")?;
+ let km_dev: Strong<dyn IKeyMintDevice> = dev
+ .get_interface()
+ .context("In call_with_watchdog: getting keymint device interface")?;
+
+ let _wp = wd::watch_millis_with("In call_with_watchdog", 500, move || {
+ format!("Seclevel: {:?} Op: {}", sec_level, name)
+ });
+ map_km_error(op(km_dev)).with_context(|| format!("In keymint device: calling {}", name))?;
 Ok(())
 }
- fn early_boot_ended() -> Result<()> {
- check_keystore_permission(KeystorePerm::early_boot_ended())
- .context("In early_boot_ended. Checking permission")?;
- log::info!("In early_boot_ended.");
-
- if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
- log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
- }
-
+ fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
+ where
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ {
 let sec_levels = [
 (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
 (SecurityLevel::STRONGBOX, "STRONGBOX"),
 ];
- sec_levels.iter().fold(Ok(()), |result, (sec_level, sec_level_string)| {
- let curr_result = Maintenance::early_boot_ended_help(*sec_level);
- if curr_result.is_err() {
- log::error!(
- "Call to earlyBootEnded failed for security level {}.",
+ sec_levels.iter().fold(Ok(()), move |result, (sec_level, sec_level_string)| {
+ let curr_result = Maintenance::call_with_watchdog(*sec_level, name, &op);
+ match curr_result {
+ Ok(()) => log::info!(
+ "Call to {} succeeded for security level {}.",
+ name,
 &sec_level_string
- );
+ ),
+ Err(ref e) => log::error!(
+ "Call to {} failed for security level {}: {}.",
+ name,
+ &sec_level_string,
+ e
+ ),
 }
 result.and(curr_result)
 })
 }
+ fn early_boot_ended() -> Result<()> {
+ check_keystore_permission(KeystorePerm::early_boot_ended())
+ .context("In early_boot_ended. Checking permission")?;
+ log::info!("In early_boot_ended.");
+
+ if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
+ log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
+ }
+ Maintenance::call_on_all_security_levels("earlyBootEnded", |dev| dev.earlyBootEnded())
+ }
+
 fn on_device_off_body() -> Result<()> {
 // Security critical permission check. This statement must return on fail.
 check_keystore_permission(KeystorePerm::report_off_body())
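Review bot: `call_on_all_security_levels` cannot tell "this security level is absent" from "the operation failed": `call_with_watchdog` returns Err from `get_keymint_device(&sec_level)` before `op` ever runs, the fold logs that as `Call to {} failed for security level {}` at error level, and `result.and(curr_result)` hands the first Err to the caller. If `get_keymint_device` errors for a level the device does not have (its contract is not visible here), every device without a StrongBox reports `earlyBootEnded` and now `deleteAllKeys` as failed even though the TEE call succeeded, and the log fills with spurious errors. Consider skipping levels that are not present, or at least stating the aggregation rule on the helper: `/// Runs op on every security level in turn; a failure on one level does not stop the others, and the first error is returned only after all levels have been tried.` Separately, `_wp` is armed only around `op(km_dev)`, so the `get_keymint_device` and `get_interface` binder calls are outside the watchdog window. The enclosing `impl Maintenance` starts before this hunk.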
@@ -238,6 +252,15 @@ impl Maintenance {
 })
 })
 }
+
+ fn delete_all_keys() -> Result<()> {
+ // Security critical permission check. This statement must return on fail.
+ check_keystore_permission(KeystorePerm::delete_all_keys())
+ .context("In delete_all_keys. Checking permission")?;
+ log::info!("In delete_all_keys.");
+
+ Maintenance::call_on_all_security_levels("deleteAllKeys", |dev| dev.deleteAllKeys())
+ }
 }
 impl Interface for Maintenance {}
@@ -286,4 +309,9 @@ impl IKeystoreMaintenance for Maintenance {
 let _wp = wd::watch_millis("IKeystoreMaintenance::migrateKeyNamespace", 500);
 map_or_log_err(Self::migrate_key_namespace(source, destination), Ok)
 }
+
+ fn deleteAllKeys(&self) -> BinderResult<()> {
+ let _wp = wd::watch_millis("IKeystoreMaintenance::deleteAllKeys", 500);
+ map_or_log_err(Self::delete_all_keys(), Ok)
+ }
 }
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 8343a299..4add8992 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
@@ -317,6 +317,8 @@ implement_permission!(
 ReportOffBody = 0x1000, selinux name: report_off_body;
 /// Checked when IkeystoreMetrics::pullMetris is called.
 PullMetrics = 0x2000, selinux name: pull_metrics;
+ /// Checked when IKeystoreMaintenance::deleteAllKeys is called.
+ DeleteAllKeys = 0x4000, selinux name: delete_all_keys;
 }
 );
|
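Review bot: `delete_all_keys` is irreversible and not atomic across security levels, and nothing in the function says so: `call_on_all_security_levels` keeps going after a level fails and returns the first error only at the end, so an Err reaching the caller can mean TEE keys are already gone while StrongBox keys are not, or the reverse. A caller that retries on error, or that reads Err as "nothing was deleted", is misled, and the `log::info!("In delete_all_keys.")` line records neither the caller nor the per-level outcome beyond what the helper logs. Suggest a doc comment on the function: `/// Deletes every key in every hardware keystore. Not transactional: each security level is attempted in turn, the first error is returned after all levels have been tried, and deletions already performed are not rolled back.` The permission check and the early return on its failure are correct and match the pattern used by `on_device_off_body` above; the enclosing `impl Maintenance` block starts before this hunk.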
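Review bot: `DeleteAllKeys = 0x4000, selinux name: delete_all_keys;` introduces a new SELinux permission name, but the diffstat lists only three files and none of them is sepolicy, so `check_keystore_permission(KeystorePerm::delete_all_keys())` can only ever succeed once the `delete_all_keys` permission exists in the keystore2 access-vector class, presumably in a separate sepolicy change that is not visible here. Because the operation wipes every hardware-backed key on the device, the set of domains granted this permission should be kept to the single component that performs a keystore reset, and the variant comment could say so: `/// Checked when IKeystoreMaintenance::deleteAllKeys is called. Wipes every hardware-backed key; grant to the keystore-reset caller only.` The `implement_permission!` invocation starts before this hunk.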