author | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-24 07:22:54 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-05-24 07:22:54 +0000 |
commit | 762b2b64c9e84f5972d41850e47f1454c8134d1f (patch) | |
tree | 35d3a05dafc2a4656d0a808373d6296084b33196 | |
parent | 8fbf69d3732826747ccbecab31718ae8a63c9f77 (diff) | |
parent | 2eef1356a8c0d2592f8d0e8af63ecbec81d59c5a (diff) | |
Snap for 4801384 from 2eef1356a8c0d2592f8d0e8af63ecbec81d59c5a to pi-releaseandroid-wear-9.0.0_r9android-wear-9.0.0_r8android-wear-9.0.0_r7android-wear-9.0.0_r6android-wear-9.0.0_r5android-wear-9.0.0_r4android-wear-9.0.0_r34android-wear-9.0.0_r33android-wear-9.0.0_r32android-wear-9.0.0_r31android-wear-9.0.0_r30android-wear-9.0.0_r3android-wear-9.0.0_r29android-wear-9.0.0_r28android-wear-9.0.0_r27android-wear-9.0.0_r26android-wear-9.0.0_r25android-wear-9.0.0_r24android-wear-9.0.0_r23android-wear-9.0.0_r22android-wear-9.0.0_r21android-wear-9.0.0_r20android-wear-9.0.0_r2android-wear-9.0.0_r19android-wear-9.0.0_r18android-wear-9.0.0_r17android-wear-9.0.0_r16android-wear-9.0.0_r15android-wear-9.0.0_r14android-wear-9.0.0_r13android-wear-9.0.0_r12android-wear-9.0.0_r11android-wear-9.0.0_r10android-wear-9.0.0_r1android-vts-9.0_r9android-vts-9.0_r8android-vts-9.0_r7android-vts-9.0_r6android-vts-9.0_r5android-vts-9.0_r4android-vts-9.0_r19android-vts-9.0_r18android-vts-9.0_r17android-vts-9.0_r16android-vts-9.0_r15android-vts-9.0_r14android-vts-9.0_r13android-vts-9.0_r12android-vts-9.0_r11android-vts-9.0_r10android-cts-9.0_r9android-cts-9.0_r8android-cts-9.0_r7android-cts-9.0_r6android-cts-9.0_r5android-cts-9.0_r4android-cts-9.0_r3android-cts-9.0_r20android-cts-9.0_r2android-cts-9.0_r19android-cts-9.0_r18android-cts-9.0_r17android-cts-9.0_r16android-cts-9.0_r15android-cts-9.0_r14android-cts-9.0_r13android-cts-9.0_r12android-cts-9.0_r11android-cts-9.0_r10android-cts-9.0_r1android-9.0.0_r9android-9.0.0_r8android-9.0.0_r7android-9.0.0_r6android-9.0.0_r5android-9.0.0_r3android-9.0.0_r2android-9.0.0_r18android-9.0.0_r17android-9.0.0_r10android-9.0.0_r1pie-vts-releasepie-s2-releasepie-release-2pie-releasepie-r2-s2-releasepie-r2-s1-releasepie-r2-releasepie-cts-release
Change-Id: I93ed99a7f3ffb36a1b26b55f69369925b4d3008c
-rw-r--r-- | keystore/key_store_service.cpp | 23 | ||||
-rw-r--r-- | keystore/operation.cpp | 13 | ||||
-rw-r--r-- | keystore/operation.h | 3 | ||||
-rw-r--r-- | keystore/operation_struct.h | 1 |
4 files changed, 34 insertions, 6 deletions
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 191811aa..9d035c83 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -1345,6 +1345,24 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name,
 return Status::ok();
 }
+ VerificationToken verificationToken;
+ if (authResult.isOk() && authToken.mac.size() &&
+ dev->halVersion().securityLevel == SecurityLevel::STRONGBOX) {
+ // This operation needs an auth token, but the device is a STRONGBOX, so it can't check the
+ // timestamp in the auth token. Get a VerificationToken from the TEE, which will be passed
+ // to update() and begin().
+ rc = KS_HANDLE_HIDL_ERROR(mKeyStore->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT)
+ ->verifyAuthorization(result->handle,
+ {} /* parametersToVerify */, authToken,
+ [&](auto error, const auto& token) {
+ result->resultCode = error;
+ verificationToken = token;
+ }));
+
+ if (rc != ErrorCode::OK) result->resultCode = rc;
+ if (result->resultCode != ErrorCode::OK) return Status::ok();
+ }
+
 // Note: The operation map takes possession of the contents of "characteristics".
 // It is safe to use characteristics after the following line but it will be empty.
 sp<IBinder> operationToken =
@@ -1355,6 +1373,7 @@ Status KeyStoreService::begin(const sp<IBinder>& appToken, const String16& name,
 result->token = operationToken;
 mOperationMap.setOperationAuthToken(operationToken, std::move(authToken));
+ mOperationMap.setOperationVerificationToken(operationToken, std::move(verificationToken));
 // Return the authentication lookup result. If this is a per operation
 // auth'd key then the resultCode will be ::OP_AUTH_NEEDED and the
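Review bot: The new comment says the VerificationToken "will be passed to update() and begin()", but begin() has already been issued to the device at this point (result->handle is in hand) and the other hunks in this commit pass op.verificationToken to update() and finish(), so the comment should read `// to update() and finish().` The call `mKeyStore->getDevice(SecurityLevel::TRUSTED_ENVIRONMENT)->verifyAuthorization(...)` dereferences the returned device without a null check; if getDevice can hand back an empty handle when no TEE keymaster is registered, this is a crash path and deserves a guard unless that contract is guaranteed elsewhere. On the early `return Status::ok()` after a failed verifyAuthorization, the operation that begin() already opened on the StrongBox is neither aborted nor recorded in mOperationMap, so unless an abort happens on a path not visible here the device-side operation slot is leaked; aborting the device operation for result->handle before returning would release it. KeyStoreService::begin starts before this hunk and continues past it.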
@@ -1428,7 +1447,7 @@ Status KeyStoreService::update(const sp<IBinder>& token, const KeymasterArgument
 };
 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
- op.device->update(op.handle, inParams, data, authToken, VerificationToken(), hidlCb));
+ op.device->update(op.handle, inParams, data, authToken, op.verificationToken, hidlCb));
 // just a reminder: on success result->resultCode was set in the callback. So we only overwrite
 // it if there was a communication error indicated by the ErrorCode.
@@ -1487,7 +1506,7 @@ Status KeyStoreService::finish(const sp<IBinder>& token, const KeymasterArgument
 KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
 op.device->finish(op.handle, inParams, ::std::vector<uint8_t>() /* TODO(swillden): wire up input to finish() */,
- signature, authToken, VerificationToken(), hidlCb));
+ signature, authToken, op.verificationToken, hidlCb));
 bool wasOpSuccessful = true;
 // just a reminder: on success result->resultCode was set in the callback. So we only overwrite
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 93b1e923..40690608 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -95,12 +95,19 @@ sp<IBinder> OperationMap::getOldestPruneableOperation() {
 return mLru.front();
 }
-bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) {
+void OperationMap::setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken) {
 auto entry = mMap.find(token);
- if (entry == mMap.end()) return false;
+ if (entry == mMap.end()) return;
 entry->second.authToken = std::move(authToken);
- return true;
+}
+
+void OperationMap::setOperationVerificationToken(const sp<IBinder>& token,
+ VerificationToken verificationToken) {
+ auto entry = mMap.find(token);
+ if (entry == mMap.end()) return;
+
+ entry->second.verificationToken = std::move(verificationToken);
 }
 std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) {
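Review bot: Both setters in the OperationMap hunk now silently return when `token` is not in mMap, and changing setOperationAuthToken from bool to void removes the only signal a caller had that a token failed to attach. begin() calls both setters right after inserting the operation, so a miss there is a logic error rather than an expected case, but it would presumably surface only later as an unexplained auth failure on update()/finish(); a log line on the `if (entry == mMap.end()) return;` branch of each setter, or keeping a bool return for setOperationVerificationToken, would make that visible at the point of failure. The two setters also each do a separate `mMap.find(token)` for the same token back to back; a single setter taking both tokens would avoid the second lookup, though that is minor.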
diff --git a/keystore/operation.h b/keystore/operation.h
index 2d81f9ca..4888bfac 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -56,7 +56,8 @@ class OperationMap {
 bool hasPruneableOperation() const;
 size_t getOperationCount() const { return mMap.size(); }
 size_t getPruneableOperationCount() const;
- bool setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken);
+ void setOperationAuthToken(const sp<IBinder>& token, HardwareAuthToken authToken);
+ void setOperationVerificationToken(const sp<IBinder>& token, VerificationToken authToken);
 sp<IBinder> getOldestPruneableOperation();
 std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken);
diff --git a/keystore/operation_struct.h b/keystore/operation_struct.h
index ea8a908d..00f1fe2b 100644
--- a/keystore/operation_struct.h
+++ b/keystore/operation_struct.h
@@ -50,6 +50,7 @@ struct Operation {
 KeyCharacteristics characteristics;
 sp<IBinder> appToken;
 HardwareAuthToken authToken;
+ VerificationToken verificationToken;
 const hidl_vec<KeyParameter> params;
 }; |
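Review bot: The new declaration names its second parameter `authToken` while the definition in operation.cpp names it `verificationToken`; the header name is misleading because this is the TEE-issued VerificationToken rather than a HardwareAuthToken, and the two should agree: `void setOperationVerificationToken(const sp<IBinder>& token, VerificationToken verificationToken);`. Neither setter is documented, and both ignore a lookup miss, so a one-line comment on each such as `// No-op if token does not name a live operation.` would record the contract the implementation now relies on. The class OperationMap starts before this hunk and continues past it.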