authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-06-07 19:14:55 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2022-06-07 19:14:55 +0000
commit2c5b413a91c502996bf372d8333318c27973c440 (patch)
treeda0ad6ce3bf6ab27c42c992c3953df035bc2c0e8
parent754103e1d8acc6b1f5ee9219322d0ba32917d80f (diff)
parentccce73d1e1d76f357d055b5e3500df64f30bc3c4 (diff)
Snap for 8692753 from ccce73d1e1d76f357d055b5e3500df64f30bc3c4 to tm-frc-odp-releaset_frc_odp_330442040t_frc_odp_330442000android13-frc-odp-release
Change-Id: I1f9bc6e871d6670d5d092d9b45d3815fcc8a79e4
-rw-r--r--keystore2/src/database.rs16
-rw-r--r--keystore2/src/shared_secret_negotiation.rs50
-rw-r--r--ondevice-signing/odsign_main.cpp6
3 files changed, 63 insertions, 9 deletions
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 6b74e3c8..a3979bd5 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs
@@ -2893,33 +2893,33 @@ impl KeystoreDB {
"DELETE FROM persistent.keymetadata
WHERE keyentryid IN (
SELECT id FROM persistent.keyentry
- WHERE domain = ? AND namespace = ? AND key_type = ?
+ WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
);",
- params![domain.0, namespace, KeyType::Client],
+ params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
)
.context("Trying to delete keymetadata.")?;
tx.execute(
"DELETE FROM persistent.keyparameter
WHERE keyentryid IN (
SELECT id FROM persistent.keyentry
- WHERE domain = ? AND namespace = ? AND key_type = ?
+ WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
);",
- params![domain.0, namespace, KeyType::Client],
+ params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
)
.context("Trying to delete keyparameters.")?;
tx.execute(
"DELETE FROM persistent.grant
WHERE keyentryid IN (
SELECT id FROM persistent.keyentry
- WHERE domain = ? AND namespace = ? AND key_type = ?
+ WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?)
);",
- params![domain.0, namespace, KeyType::Client],
+ params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
)
.context("Trying to delete grants.")?;
tx.execute(
"DELETE FROM persistent.keyentry
- WHERE domain = ? AND namespace = ? AND key_type = ?;",
- params![domain.0, namespace, KeyType::Client],
+ WHERE domain = ? AND namespace = ? AND (key_type = ? OR key_type = ?);",
+ params![domain.0, namespace, KeyType::Client, KeyType::Attestation],
)
.context("Trying to delete keyentry.")?;
Ok(()).need_gc()
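Review bot: The four DELETE statements in this hunk each repeat `(key_type = ? OR key_type = ?)` bound to the same `KeyType::Client, KeyType::Attestation` pair; `key_type IN (?, ?)` with the unchanged `params![...]` states the intent more directly and keeps the four filters from drifting apart if another key type is added later. The enclosing method's signature and doc comment begin before this hunk, so I cannot see them; if that documentation still describes the operation as removing client keys only, it should now say something like `/// Deletes all client and attestation keys in the given domain/namespace, together with their metadata, parameters and grants.` Any other statement in the same transaction that filters on `key_type = ?` alone (above the hunk, if one exists) would need the same widening, otherwise the transaction leaves attestation-key rows in one table but not the others.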
diff --git a/keystore2/src/shared_secret_negotiation.rs b/keystore2/src/shared_secret_negotiation.rs
index 1862f737..42d38d29 100644
--- a/keystore2/src/shared_secret_negotiation.rs
+++ b/keystore2/src/shared_secret_negotiation.rs
@@ -15,6 +15,7 @@
//! This module implements the shared secret negotiation.
use crate::error::{map_binder_status, map_binder_status_code, Error};
+use crate::globals::get_keymint_device;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
use android_hardware_security_keymint::binder::Strong;
use android_hardware_security_sharedsecret::aidl::android::hardware::security::sharedsecret::{
@@ -43,6 +44,10 @@ pub fn perform_shared_secret_negotiation() {
let connected = connect_participants(participants);
negotiate_shared_secret(connected);
log::info!("Shared secret negotiation concluded successfully.");
+
+ // Once shared secret negotiation is done, the StrongBox and TEE have a common key that
+ // can be used to authenticate a possible RootOfTrust transfer.
+ transfer_root_of_trust();
});
}
@@ -278,3 +283,48 @@ fn negotiate_shared_secret(
}
}
}
+
+/// Perform RootOfTrust transfer from TEE to StrongBox (if available).
+pub fn transfer_root_of_trust() {
+ let strongbox = match get_keymint_device(&SecurityLevel::STRONGBOX) {
+ Ok((s, _, _)) => s,
+ Err(_e) => {
+ log::info!("No StrongBox Keymint available, so no RoT transfer");
+ return;
+ }
+ };
+ // Ask the StrongBox KeyMint for a challenge.
+ let challenge = match strongbox.getRootOfTrustChallenge() {
+ Ok(data) => data,
+ Err(e) => {
+ // If StrongBox doesn't provide a challenge, it might be because:
+ // - it already has RootOfTrust information
+ // - it's a KeyMint v1 implementation that doesn't understand the method.
+ // In either case, we're done.
+ log::info!("StrongBox does not provide a challenge, so no RoT transfer: {:?}", e);
+ return;
+ }
+ };
+ // Get the RoT info from the TEE
+ let tee = match get_keymint_device(&SecurityLevel::TRUSTED_ENVIRONMENT) {
+ Ok((s, _, _)) => s,
+ Err(e) => {
+ log::error!("No TEE KeyMint implementation found! {:?}", e);
+ return;
+ }
+ };
+ let root_of_trust = match tee.getRootOfTrust(&challenge) {
+ Ok(rot) => rot,
+ Err(e) => {
+ log::error!("TEE KeyMint failed to return RootOfTrust info: {:?}", e);
+ return;
+ }
+ };
+ // The RootOfTrust information is CBOR-serialized data, but we don't need to parse it.
+ // Just pass it on to the StrongBox KeyMint instance.
+ let result = strongbox.sendRootOfTrust(&root_of_trust);
+ if let Err(e) = result {
+ log::error!("Failed to send RootOfTrust to StrongBox: {:?}", e);
+ }
+ log::info!("RootOfTrust transfer process complete");
+}
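Review bot: The final `log::info!("RootOfTrust transfer process complete")` runs even when `sendRootOfTrust` returned an error two lines earlier, so a failed attempt is reported as both failed and complete; replace the `if let Err(e) = result` block with `match strongbox.sendRootOfTrust(&root_of_trust) { Ok(_) => log::info!("RootOfTrust transfer process complete"), Err(e) => log::error!("Failed to send RootOfTrust to StrongBox: {:?}", e), }` so completion is only logged on the success path. The `getRootOfTrustChallenge` error arm logs every failure at info level, which is right for the two benign cases the comment lists but also hides a StrongBox that genuinely failed; if the binder error lets an unsupported/unimplemented status be told apart from other errors, logging the remaining cases at warn level would preserve that signal (I cannot tell from the hunk whether it does). The doc comment on `transfer_root_of_trust` should spell out its contract: it never returns an error, every failure is logged and swallowed, keystore relays the RootOfTrust bytes without parsing or validating them (per the comment before `sendRootOfTrust`), and it assumes shared-secret negotiation has already completed, as the caller notes.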
diff --git a/ondevice-signing/odsign_main.cpp b/ondevice-signing/odsign_main.cpp
index 04679a59..c45e3085 100644
--- a/ondevice-signing/odsign_main.cpp
+++ b/ondevice-signing/odsign_main.cpp
@@ -374,7 +374,11 @@ art::odrefresh::ExitCode CheckCompOsPendingArtifacts(const SigningKey& signing_k
if (!directoryHasContent(kCompOsPendingArtifactsDir)) {
// No pending CompOS artifacts, all that matters is the current ones.
- return checkArtifacts();
+ art::odrefresh::ExitCode odrefresh_status = checkArtifacts();
+ if (odrefresh_status == art::odrefresh::ExitCode::kOkay) {
+ compos_check_record->current_artifacts_ok = true;
+ }
+ return odrefresh_status;
}
compos_check_record->comp_os_pending_artifacts_exists = true;