diff options
author | Shawn Willden <swillden@google.com> | 2018-05-22 16:13:24 -0600 |
---|---|---|
committer | Shawn Willden <swillden@google.com> | 2018-05-22 17:00:26 -0600 |
commit | 2eef1356a8c0d2592f8d0e8af63ecbec81d59c5a (patch) | |
tree | 35d3a05dafc2a4656d0a808373d6296084b33196 | |
parent | 41705f271e14558e66125fed4b9b9510fd475fd8 (diff) | |
download | security-pie-dev.tar.gz |
Fix StrongBox verification token support.pie-dev
Change-Id: I7dd51b1443e607fcca330ffb679b27c68c36cf7d
Bug: 79698245
Test: Keystore CTS tests with dummy strongbox enabled
-rw-r--r-- | keystore/key_store_service.cpp | 23 | ||||
-rw-r--r-- | keystore/operation.cpp | 13 | ||||
-rw-r--r-- | keystore/operation.h | 3 | ||||
-rw-r--r-- | keystore/operation_struct.h | 1 |
4 files changed, 34 insertions, 6 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index 191811aa..9d035c83 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -1345,6 +1345,24 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, return Status::ok(); } + VerificationToken verificationToken; + if (authResult.isOk() && authToken.mac.size() && + dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) { + // This operation needs an auth token, but the device is a STRONGBOX, so it can't check the + // timestamp in the auth token. Get a VerificationToken from the TEE, which will be passed + // to update() and begin(). + rc = KS_HANDLE_HIDL_ERROR(mKeyStore->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT) + ->verifyAuthorization(result->handle, + {} /* parametersToVerify */, authToken, + [&](auto error, const auto& token) { + result->resultCode = error; + verificationToken = token; + })); + + if (rc != ErrorCode::OK) result->resultCode = rc; + if (result->resultCode != ErrorCode::OK) return Status::ok(); + } + // Note: The operation map takes possession of the contents of "characteristics". // It is safe to use characteristics after the following line but it will be empty. sp<IBinder> operationToken = @@ -1355,6 +1373,7 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name, result->token = operationToken; mOperationMap.setOperationAuthToken(operationToken, std::move(authToken)); + mOperationMap.setOperationVerificationToken(operationToken, std::move(verificationToken)); // Return the authentication lookup result. If this is a per operation // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the @@ -1428,7 +1447,7 @@ Status KeyStoreService::update(const sp<IBinder>& token, const KeymasterArgument }; KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( - op.device->update(op.handle, inParams, data, authToken, VerificationToken(), hidlCb)); + op.device->update(op.handle, inParams, data, authToken, op.verificationToken, hidlCb)); // just a reminder: on success result->resultCode was set in the callback. So we only overwrite // it if there was a communication error indicated by the ErrorCode. @@ -1487,7 +1506,7 @@ Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArgument KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR( op.device->finish(op.handle, inParams, ::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */, - signature, authToken, VerificationToken(), hidlCb)); + signature, authToken, op.verificationToken, hidlCb)); bool wasOpSuccessful = true; // just a reminder: on success result->resultCode was set in the callback. So we only overwrite diff --git a/keystore/operation.cpp b/keystore/operation.cpp index 93b1e923..40690608 100644 --- a/keystore/operation.cpp +++ b/keystore/operation.cpp @@ -95,12 +95,19 @@ sp<IBinder> OperationMap::getOldestPruneableOperation() { return mLru.front(); } -bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) { +void OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) { auto entry = mMap.find(token); - if (entry == mMap.end()) return false; + if (entry == mMap.end()) return; entry->second.authToken = std::move(authToken); - return true; +} + +void OperationMap::setOperationVerificationToken(const sp<IBinder>& token, + VerificationToken verificationToken) { + auto entry = mMap.find(token); + if (entry == mMap.end()) return; + + entry->second.verificationToken = std::move(verificationToken); } std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) { diff --git a/keystore/operation.h b/keystore/operation.h index 2d81f9ca..4888bfac 100644 --- a/keystore/operation.h +++ b/keystore/operation.h @@ -56,7 +56,8 @@ class OperationMap { bool hasPruneableOperation() const; size_t getOperationCount() const { return mMap.size(); } size_t getPruneableOperationCount() const; - bool setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken); + void setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken); + void setOperationVerificationToken(const sp<IBinder>& token, VerificationToken authToken); sp<IBinder> getOldestPruneableOperation(); std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken); diff --git a/keystore/operation_struct.h b/keystore/operation_struct.h index ea8a908d..00f1fe2b 100644 --- a/keystore/operation_struct.h +++ b/keystore/operation_struct.h @@ -50,6 +50,7 @@ struct Operation { KeyCharacteristics characteristics; sp<IBinder> appToken; HardwareAuthToken authToken; + VerificationToken verificationToken; const hidl_vec<KeyParameter> params; }; |