author | Brian Young <bcyoung@google.com> | 2018-03-30 14:21:19 +0000 |
committer | Android (Google) Code Review <android-gerrit@google.com> | 2018-03-30 14:21:19 +0000 |
commit | de5eee4f9e46881a0a7b389df1e64af5d20b0ca8 (patch) | |
tree | 3222dcd2fb0253f75433aa2bb68f77cdf8d822b2 | |
parent | c4b0565e83a7841d23b18944ade6faffbe9f28b7 (diff) | |
parent | 9a947d573bb1843bc742d5be1e518a640335363b (diff) | |
Merge changes from topics "niap-asym-write-pi-dev", "niap-asym-write-api-pi-dev" into pi-dev
* changes:
Restore "Add "Unlocked device required" parameter to keys"
Add "unlocked device required" keystore API
-rw-r--r-- | keystore/Android.bp | 4 | ||||
-rw-r--r-- | keystore/binder/android/security/IKeystoreService.aidl | 1 | ||||
-rw-r--r-- | keystore/include/keystore/keymaster_types.h | 1 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 10 | ||||
-rw-r--r-- | keystore/key_store_service.h | 3 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.cpp | 23 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.h | 5 | ||||
-rw-r--r-- | keystore/keystore_keymaster_enforcement.h | 13 |
8 files changed, 58 insertions, 2 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 9e882e46..c98b78f1 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -83,7 +83,7 @@ cc_binary {
 srcs: ["keystore_cli.cpp"],
 shared_libs: [
- "android.hardware.keymaster@3.0",
+ "android.hardware.keymaster@4.0",
 "libbinder",
 "libcrypto",
 "libcutils",
@@ -109,8 +109,8 @@ cc_binary {
 srcs: ["keystore_cli_v2.cpp"],
 shared_libs: [
 "android.hardware.confirmationui@1.0",
- "android.hardware.keymaster@3.0",
 "libbinder",
+ "android.hardware.keymaster@4.0",
 "libchrome",
 "libutils",
 "libhidlbase",
diff --git a/keystore/binder/android/security/IKeystoreService.aidl b/keystore/binder/android/security/IKeystoreService.aidl
index 538dd280..db55062e 100644
--- a/keystore/binder/android/security/IKeystoreService.aidl
+++ b/keystore/binder/android/security/IKeystoreService.aidl
@@ -85,4 +85,5 @@ interface IKeystoreService {
 in String locale, in int uiOptionsAsFlags);
 int cancelConfirmationPrompt(IBinder listener);
 boolean isConfirmationPromptSupported();
+ int onKeyguardVisibilityChanged(in boolean isShowing, in int userId);
 }
diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h
index 62b43bee..bd612940 100644
--- a/keystore/include/keystore/keymaster_types.h
+++ b/keystore/include/keystore/keymaster_types.h
@@ -83,6 +83,7 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION;
 using keymaster::TAG_RSA_PUBLIC_EXPONENT;
 using keymaster::TAG_USAGE_EXPIRE_DATETIME;
 using keymaster::TAG_USER_AUTH_TYPE;
+using keymaster::TAG_USER_ID;
 using keymaster::TAG_USER_SECURE_ID;

 using keymaster::NullOr;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 620e9724..9bd76fd1 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
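Review bot: The new `onKeyguardVisibilityChanged` method in IKeystoreService carries no comment, although it is an interface method that changes enforcement state; from the hunk alone a reader cannot tell what `isShowing` maps to or what the returned int means. The service implementation elsewhere in this change forwards `isShowing` straight into the device-locked state and returns a ResponseCode, so a Javadoc line above the declaration along the lines of `/** Reports keyguard visibility for userId; isShowing == true is treated as the device being locked for UNLOCKED_DEVICE_REQUIRED keys. Returns a ResponseCode. */` would document that contract where callers see it.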
@@ -367,6 +367,7 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) {
 return Status::ok();
 }

+ enforcement_policy.set_device_locked(true, userId);
 mKeyStore->lock(userId);
 *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
 return Status::ok();
@@ -395,6 +396,7 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl
 return Status::ok();
 }

+ enforcement_policy.set_device_locked(false, userId);
 const String8 password8(pw);
 // read master key, decrypt with password, initialize mMasterKey*.
 *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
@@ -2229,4 +2231,12 @@ KeyStoreServiceReturnCode KeyStoreService::upgradeKeyBlob(const String16& name,
 return error;
 }

+Status KeyStoreService::onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
+ int32_t* aidl_return) {
+ enforcement_policy.set_device_locked(isShowing, userId);
+ *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
+
+ return Status::ok();
+}
+
 } // namespace keystore
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 70a56ca3..8d3f1f26 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -177,6 +177,9 @@ class KeyStoreService : public android::security::BnKeystoreService,
 int32_t* _aidl_return) override;
 ::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override;

+ ::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
+ int32_t* _aidl_return);
+
 private:
 static const int32_t UID_SELF = -1;

diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index d78a5a63..5a6e591e 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
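Review bot: The new `KeyStoreService::onKeyguardVisibilityChanged` body performs no caller check before `enforcement_policy.set_device_locked(isShowing, userId)`, so any client able to reach this Binder method can report the keyguard as hidden for an arbitrary userId and clear the UNLOCKED_DEVICE_REQUIRED gate that AuthorizeBegin enforces in this same change. The lock() and unlock() entry points it sits beside are the natural model, but their bodies begin outside these hunks, so I cannot see from here what they require; if I recall this file's helpers correctly, the guard would be `if (!checkBinderPermission(P_LOCK)) { *aidl_return = static_cast<int32_t>(ResponseCode::PERMISSION_DENIED); return Status::ok(); }` placed before the set_device_locked call. A one-line comment on the method saying that `isShowing` is taken verbatim as the user's locked state would also help the next reader.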
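Review bot: The new `onKeyguardVisibilityChanged` declaration in key_store_service.h lacks the `override` that the neighbouring `isConfirmationPromptSupported` declaration carries, even though it implements the IKeystoreService method added in this same change; it should read `::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId, int32_t* _aidl_return) override;`. With `override` the compiler rejects any drift between this signature and the generated BnKeystoreService one instead of silently introducing an unrelated overload. The class body continues outside the hunk.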
@@ -223,6 +223,8 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
 bool caller_nonce_authorized_by_key = false;
 bool authentication_required = false;
 bool auth_token_matched = false;
+ bool unlocked_device_required = false;
+ int32_t user_id = -1;

 for (auto& param : auth_set) {

@@ -282,10 +284,18 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
 }
 break;

+ case Tag::USER_ID:
+ user_id = authorizationValue(TAG_USER_ID, param).value();
+ break;
+
 case Tag::CALLER_NONCE:
 caller_nonce_authorized_by_key = true;
 break;

+ case Tag::UNLOCKED_DEVICE_REQUIRED:
+ unlocked_device_required = true;
+ break;
+
 /* Tags should never be in key auths. */
 case Tag::INVALID:
 case Tag::ROOT_OF_TRUST:
@@ -356,6 +366,19 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
 }
 }

+ if (unlocked_device_required && is_device_locked(user_id)) {
+ switch (purpose) {
+ case KeyPurpose::ENCRYPT:
+ case KeyPurpose::VERIFY:
+ /* These are okay */
+ break;
+ case KeyPurpose::DECRYPT:
+ case KeyPurpose::SIGN:
+ case KeyPurpose::WRAP_KEY:
+ return ErrorCode::DEVICE_LOCKED;
+ };
+ }
+
 if (authentication_required && !auth_token_matched) {
 ALOGE("Auth required but no matching auth token found");
 return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index d7b27fcd..6e6c54f2 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -142,6 +142,11 @@ class KeymasterEnforcement {
 */
 virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;

+ /*
+ * Returns true if the device screen is currently locked for the specified user.
+ */
+ virtual bool is_device_locked(int32_t userId) const = 0;
+
 private:
 ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
 const HardwareAuthToken& auth_token, uint64_t op_handle);
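Review bot: The `switch (purpose)` added in the `@@ -356` hunk of keymaster_enforcement.cpp has no `default`, so any KeyPurpose value not listed there falls out of the switch and the key stays usable while the device is locked; a deny-by-default gate should permit only ENCRYPT and VERIFY and reject everything else, which is one added line, `default: return ErrorCode::DEVICE_LOCKED;`, before the closing brace. The `};` that closes the switch also carries a stray semicolon (an empty statement) — `}` is enough. A short comment on `int32_t user_id = -1;` in the `@@ -223` hunk would clarify the fallback: a key carrying UNLOCKED_DEVICE_REQUIRED but no TAG_USER_ID is checked against user -1, which the keystore implementation in this change reports as locked until told otherwise, so such a key is denied rather than allowed. AuthorizeBegin starts and ends outside these hunks.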
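Review bot: The new pure virtual `is_device_locked` in keymaster_enforcement.h breaks the naming convention of the surrounding interface methods (`ValidateTokenSignature` directly above it is PascalCase), so the class now mixes two styles; `IsDeviceLocked`, with `set_device_locked` renamed to match in the implementing class, would keep it consistent. The doc comment should also state the fail-closed expectation the implementation in this change relies on, e.g. append `Implementations must return true when the lock state of userId is unknown.` to the comment block. The class continues outside the hunk.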
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 3cdf6490..e114ea90 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -84,6 +84,19 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement {
 // signing key. Assume the token is good.
 return true;
 }
+
+ bool is_device_locked(int32_t userId) const override {
+ // If we haven't had a set call for this user yet, assume the device is locked.
+ if (mIsDeviceLockedForUser.count(userId) == 0) return true;
+ return mIsDeviceLockedForUser.find(userId)->second;
+ }
+
+ void set_device_locked(bool isLocked, int32_t userId) {
+ mIsDeviceLockedForUser[userId] = isLocked;
+ }
+
+ private:
+ std::map<int32_t, bool> mIsDeviceLockedForUser;
 };

 } // namespace keystore |
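Review bot: `mIsDeviceLockedForUser` is written by `set_device_locked` and read by `is_device_locked` with no synchronization visible in the hunk, and the two are reached from different paths in this change (the setter from the new Binder entry point and from lock()/unlock(), the reader from AuthorizeBegin); if those run on separate Binder threads this is a data race on a `std::map`, which can corrupt the tree or return a wrong lock verdict. Unless the service serializes these calls elsewhere, guard the map with a mutex, which also lets `is_device_locked` do a single `find` instead of `count` followed by `find`. The `<map>` include (and `<mutex>` if the guard is adopted) is not visible in the hunk and should be confirmed at the top of the header. The class starts outside the hunk.
```cpp
    bool is_device_locked(int32_t userId) const override {
        std::lock_guard<std::mutex> guard(mDeviceLockedLock);
        // Fail closed: a user we have not been notified about is treated as locked.
        const auto it = mIsDeviceLockedForUser.find(userId);
        return it == mIsDeviceLockedForUser.end() || it->second;
    }

    void set_device_locked(bool isLocked, int32_t userId) {
        std::lock_guard<std::mutex> guard(mDeviceLockedLock);
        mIsDeviceLockedForUser[userId] = isLocked;
    }

  private:
    mutable std::mutex mDeviceLockedLock;  // guards mIsDeviceLockedForUser
    std::map<int32_t, bool> mIsDeviceLockedForUser;
```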