diff options
author | Brian Young <bcyoung@google.com> | 2018-02-16 01:18:53 +0000 |
---|---|---|
committer | Android (Google) Code Review <android-gerrit@google.com> | 2018-02-16 01:18:53 +0000 |
commit | 0f160fbaee9ecf472feb3e332f01c4ddb95caa0e (patch) | |
tree | dd0a4e587e1bcc58b11321d50b33d79284bb75b9 | |
parent | cef39477f9d5f52f716165be8fadcf94cab19b1e (diff) | |
parent | 05900c1ad8bb08646bdcbb68a90904b86ebf1c45 (diff) | |
download | security-0f160fbaee9ecf472feb3e332f01c4ddb95caa0e.tar.gz |
Merge "Restore "Add "Unlocked device required" parameter to keys""
-rw-r--r-- | keystore/Android.bp | 3 | ||||
-rw-r--r-- | keystore/binder/android/security/IKeystoreService.aidl | 2 | ||||
-rw-r--r-- | keystore/include/keystore/keymaster_types.h | 1 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 6 | ||||
-rw-r--r-- | keystore/key_store_service.h | 2 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.cpp | 23 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.h | 5 | ||||
-rw-r--r-- | keystore/keystore_keymaster_enforcement.h | 13 |
8 files changed, 51 insertions, 4 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp index 9e882e46..8b2cb620 100644 --- a/keystore/Android.bp +++ b/keystore/Android.bp @@ -84,6 +84,7 @@ cc_binary { srcs: ["keystore_cli.cpp"], shared_libs: [ "android.hardware.keymaster@3.0", + "android.hardware.keymaster@4.0", "libbinder", "libcrypto", "libcutils", @@ -109,8 +110,8 @@ cc_binary { srcs: ["keystore_cli_v2.cpp"], shared_libs: [ "android.hardware.confirmationui@1.0", - "android.hardware.keymaster@3.0", "libbinder", + "android.hardware.keymaster@4.0", "libchrome", "libutils", "libhidlbase", diff --git a/keystore/binder/android/security/IKeystoreService.aidl b/keystore/binder/android/security/IKeystoreService.aidl index 738eb686..45bc070e 100644 --- a/keystore/binder/android/security/IKeystoreService.aidl +++ b/keystore/binder/android/security/IKeystoreService.aidl @@ -71,7 +71,7 @@ interface IKeystoreService { in byte[] entropy); int abort(IBinder handle); boolean isOperationAuthorized(IBinder token); - int addAuthToken(in byte[] authToken); + int addAuthToken(in byte[] authToken, in int userId); int onUserAdded(int userId, int parentId); int onUserRemoved(int userId); int attestKey(String alias, in KeymasterArguments params, out KeymasterCertificateChain chain); diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h index 62b43bee..bd612940 100644 --- a/keystore/include/keystore/keymaster_types.h +++ b/keystore/include/keystore/keymaster_types.h @@ -83,6 +83,7 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION; using keymaster::TAG_RSA_PUBLIC_EXPONENT; using keymaster::TAG_USAGE_EXPIRE_DATETIME; using keymaster::TAG_USER_AUTH_TYPE; +using keymaster::TAG_USER_ID; using keymaster::TAG_USER_SECURE_ID; using keymaster::NullOr; diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index d59966f4..da1b9d85 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -367,6 +367,7 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) { return Status::ok(); } + enforcement_policy.set_device_locked(true, userId); mKeyStore->lock(userId); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); @@ -395,6 +396,7 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl return Status::ok(); } + enforcement_policy.set_device_locked(false, userId); const String8 password8(pw); // read master key, decrypt with password, initialize mMasterKey*. *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId)); @@ -1470,7 +1472,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai } Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector, - int32_t* aidl_return) { + int32_t userId, int32_t* aidl_return) { // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to // receive a HardwareAuthToken, rather than an opaque byte array. @@ -1492,6 +1494,8 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe return Status::ok(); } + enforcement_policy.set_device_locked(false, userId); + mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector))); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h index ce809f87..b238dc4b 100644 --- a/keystore/key_store_service.h +++ b/keystore/key_store_service.h @@ -145,7 +145,7 @@ class KeyStoreService : public android::security::BnKeystoreService, int32_t* _aidl_return) override; ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token, bool* _aidl_return) override; - ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, + ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, int32_t userId, int32_t* _aidl_return) override; ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, int32_t* _aidl_return) override; diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp index d78a5a63..5a6e591e 100644 --- a/keystore/keymaster_enforcement.cpp +++ b/keystore/keymaster_enforcement.cpp @@ -223,6 +223,8 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k bool caller_nonce_authorized_by_key = false; bool authentication_required = false; bool auth_token_matched = false; + bool unlocked_device_required = false; + int32_t user_id = -1; for (auto& param : auth_set) { @@ -282,10 +284,18 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } break; + case Tag::USER_ID: + user_id = authorizationValue(TAG_USER_ID, param).value(); + break; + case Tag::CALLER_NONCE: caller_nonce_authorized_by_key = true; break; + case Tag::UNLOCKED_DEVICE_REQUIRED: + unlocked_device_required = true; + break; + /* Tags should never be in key auths. */ case Tag::INVALID: case Tag::ROOT_OF_TRUST: @@ -356,6 +366,19 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } } + if (unlocked_device_required && is_device_locked(user_id)) { + switch (purpose) { + case KeyPurpose::ENCRYPT: + case KeyPurpose::VERIFY: + /* These are okay */ + break; + case KeyPurpose::DECRYPT: + case KeyPurpose::SIGN: + case KeyPurpose::WRAP_KEY: + return ErrorCode::DEVICE_LOCKED; + }; + } + if (authentication_required && !auth_token_matched) { ALOGE("Auth required but no matching auth token found"); return ErrorCode::KEY_USER_NOT_AUTHENTICATED; diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h index d7b27fcd..6e6c54f2 100644 --- a/keystore/keymaster_enforcement.h +++ b/keystore/keymaster_enforcement.h @@ -142,6 +142,11 @@ class KeymasterEnforcement { */ virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0; + /* + * Returns true if the device screen is currently locked for the specified user. + */ + virtual bool is_device_locked(int32_t userId) const = 0; + private: ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, uint64_t op_handle); diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h index 3cdf6490..e114ea90 100644 --- a/keystore/keystore_keymaster_enforcement.h +++ b/keystore/keystore_keymaster_enforcement.h @@ -84,6 +84,19 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement { // signing key. Assume the token is good. return true; } + + bool is_device_locked(int32_t userId) const override { + // If we haven't had a set call for this user yet, assume the device is locked. + if (mIsDeviceLockedForUser.count(userId) == 0) return true; + return mIsDeviceLockedForUser.find(userId)->second; + } + + void set_device_locked(bool isLocked, int32_t userId) { + mIsDeviceLockedForUser[userId] = isLocked; + } + + private: + std::map<int32_t, bool> mIsDeviceLockedForUser; }; } // namespace keystore |