diff options
author | Tri Vo <trong@google.com> | 2023-01-17 15:37:50 -0800 |
---|---|---|
committer | Tri Vo <trong@google.com> | 2023-01-25 20:42:07 +0000 |
commit | 71e8cc1107cea648484369930213e1fc2bc3f80c (patch) | |
tree | da16230940d11bf8430d44b6dd21ca0e9726b910 /identity | |
parent | 229fe25f6740150bac5f72ca51d7dd8464807dfb (diff) | |
download | security-71e8cc1107cea648484369930213e1fc2bc3f80c.tar.gz |
identity: Fix RKPD usage
Fixes:
- Revert to pre-RKPD behavior of getting an attestation key each time
a credential is created.
- Revert to pre-RKPD behavior of falling back to factory key.
- Check RKPD feature flag each time before calling into RKPD.
- Correct service name used to call into RKPD.
- Add another thread to handle async responses from RKPD.
- Switch to new RKPD build flag "remote_provisioning.enable_rkpd".
Bug: 261214100
Test: CtsIdentityTestCases
Change-Id: Idc11abb3c0e46de1a77609969e8539e9e96549d5
Diffstat (limited to 'identity')
-rw-r--r-- | identity/Android.bp | 3 | ||||
-rw-r--r-- | identity/CredentialStore.cpp | 66 | ||||
-rw-r--r-- | identity/CredentialStore.h | 6 | ||||
-rw-r--r-- | identity/RemotelyProvisionedKey.cpp | 4 | ||||
-rw-r--r-- | identity/main.cpp | 8 |
5 files changed, 43 insertions, 44 deletions
diff --git a/identity/Android.bp b/identity/Android.bp index 7b816855..4f203e6a 100644 --- a/identity/Android.bp +++ b/identity/Android.bp @@ -47,7 +47,7 @@ cc_binary { "android.hardware.identity-support-lib", "android.hardware.keymaster@4.0", "android.security.authorization-ndk", - "android.security.remoteprovisioning-cpp", + "android.security.remoteprovisioning-cpp", "libbase", "libbinder", "libbinder_ndk", @@ -59,7 +59,6 @@ cc_binary { "libutils", "libutilscallstack", "libvintf", - "server_configurable_flags", ], static_libs: [ "android.hardware.security.rkp-V3-cpp", diff --git a/identity/CredentialStore.cpp b/identity/CredentialStore.cpp index eb9bdb64..fea4df99 100644 --- a/identity/CredentialStore.cpp +++ b/identity/CredentialStore.cpp @@ -20,18 +20,19 @@ #include <optional> #include <android-base/logging.h> +#include <android-base/properties.h> #include <android/hardware/security/keymint/IRemotelyProvisionedComponent.h> #include <android/hardware/security/keymint/RpcHardwareInfo.h> #include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h> #include <android/security/remoteprovisioning/RemotelyProvisionedKey.h> #include <binder/IPCThreadState.h> #include <binder/IServiceManager.h> -#include <server_configurable_flags/get_flags.h> #include <vintf/VintfObject.h> #include "Credential.h" #include "CredentialData.h" #include "CredentialStore.h" +#include "RemotelyProvisionedKey.h" #include "Session.h" #include "Util.h" #include "WritableCredential.h" @@ -45,10 +46,8 @@ using ::android::security::remoteprovisioning::IRemotelyProvisionedKeyPool; using ::android::security::rkp::IRemoteProvisioning; bool useRkpd() { - std::string useRkpdFlagValue = server_configurable_flags::GetServerConfigurableFlag( - "remote_key_provisioning_native", "enable_rkpd", - /*default_value=*/"false"); - return useRkpdFlagValue == "true"; + return android::base::GetBoolProperty("remote_provisioning.enable_rkpd", + /*default_value=*/false); } } // namespace @@ -70,31 +69,14 @@ bool CredentialStore::init() { LOG(ERROR) << "Error getting remotely provisioned component: " << status; return false; } - useRkpd_ = useRkpd(); - - if (useRkpd_) { - uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); - auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid); - if (!rpcKeyFuture) { - LOG(ERROR) << "Error in getRpcKeyFuture()"; - return false; - } - rpcKeyFuture_ = std::move(*rpcKeyFuture); - } else { - keyPool_ = android::waitForService<IRemotelyProvisionedKeyPool>( - IRemotelyProvisionedKeyPool::descriptor); - if (!keyPool_) { - LOG(ERROR) << "Error getting IRemotelyProvisionedKeyPool HAL with service name '" - << IRemotelyProvisionedKeyPool::descriptor << "'"; - return false; - } - } } LOG(INFO) << "Connected to Identity Credential HAL with API version " << halApiVersion_ << " and name '" << hwInfo_.credentialStoreName << "' authored by '" << hwInfo_.credentialStoreAuthorName << "' with chunk size " << hwInfo_.dataChunkSize - << " and directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false"); + << " directoAccess set to " << (hwInfo_.isDirectAccess ? "true" : "false") + << " and remote key provisioning support " + << (hwInfo_.isRemoteKeyProvisioningSupported ? "enabled" : "disabled"); return true; } @@ -140,7 +122,9 @@ Status CredentialStore::createCredential(const std::string& credentialName, if (hwInfo_.isRemoteKeyProvisioningSupported) { status = setRemotelyProvisionedAttestationKey(halWritableCredential.get()); if (!status.isOk()) { - return halStatusToGenericError(status); + LOG(WARNING) << status.toString8() + << "\nUnable to fetch remotely provisioned attestation key, falling back " + << "to the factory-provisioned attestation key."; } } @@ -205,13 +189,21 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey( std::vector<uint8_t> encodedCertChain; Status status; - if (useRkpd_) { - if (rpcKeyFuture_.wait_for(std::chrono::seconds(10)) != std::future_status::ready) { + if (useRkpd()) { + LOG(INFO) << "Fetching attestation key from RKPD"; + + uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); + auto rpcKeyFuture = getRpcKeyFuture(rpc_, callingUid); + if (!rpcKeyFuture) { + return Status::fromServiceSpecificError(ERROR_GENERIC, "Error in getRpcKeyFuture()"); + } + + if (rpcKeyFuture->wait_for(std::chrono::seconds(10)) != std::future_status::ready) { return Status::fromServiceSpecificError( ERROR_GENERIC, "Waiting for remotely provisioned attestation key timed out"); } - std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture_.get(); + std::optional<::android::security::rkp::RemotelyProvisionedKey> key = rpcKeyFuture->get(); if (!key) { return Status::fromServiceSpecificError( ERROR_GENERIC, "Failed to get remotely provisioned attestation key"); @@ -225,6 +217,16 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey( keyBlob = std::move(key->keyBlob); encodedCertChain = std::move(key->encodedCertChain); } else { + LOG(INFO) << "Fetching attestation key from remotely provisioned key pool."; + + sp<IRemotelyProvisionedKeyPool> keyPool = + android::waitForService<IRemotelyProvisionedKeyPool>( + IRemotelyProvisionedKeyPool::descriptor); + if (!keyPool) { + return Status::fromServiceSpecificError( + ERROR_GENERIC, "Error getting IRemotelyProvisionedKeyPool HAL"); + } + std::optional<std::string> rpcId = getRpcId(rpc_); if (!rpcId) { return Status::fromServiceSpecificError( @@ -233,11 +235,9 @@ Status CredentialStore::setRemotelyProvisionedAttestationKey( uid_t callingUid = android::IPCThreadState::self()->getCallingUid(); ::android::security::remoteprovisioning::RemotelyProvisionedKey key; - Status status = keyPool_->getAttestationKey(callingUid, *rpcId, &key); + Status status = keyPool->getAttestationKey(callingUid, *rpcId, &key); if (!status.isOk()) { - LOG(WARNING) << "Unable to fetch remotely provisioned attestation key, falling back " - << "to the factory-provisioned attestation key."; - return Status::ok(); + return status; } keyBlob = std::move(key.keyBlob); diff --git a/identity/CredentialStore.h b/identity/CredentialStore.h index 495841be..57c94e04 100644 --- a/identity/CredentialStore.h +++ b/identity/CredentialStore.h @@ -17,7 +17,6 @@ #ifndef SYSTEM_SECURITY_CREDENTIAL_STORE_H_ #define SYSTEM_SECURITY_CREDENTIAL_STORE_H_ -#include <future> #include <string> #include <vector> @@ -26,8 +25,6 @@ #include <android/security/remoteprovisioning/IRemotelyProvisionedKeyPool.h> #include <android/security/rkp/IRemoteProvisioning.h> -#include "RemotelyProvisionedKey.h" - namespace android { namespace security { namespace identity { @@ -80,10 +77,7 @@ class CredentialStore : public BnCredentialStore { HardwareInformation hwInfo_; - bool useRkpd_; sp<IRemotelyProvisionedComponent> rpc_; - sp<IRemotelyProvisionedKeyPool> keyPool_; - std::future<std::optional<RemotelyProvisionedKey>> rpcKeyFuture_; }; } // namespace identity diff --git a/identity/RemotelyProvisionedKey.cpp b/identity/RemotelyProvisionedKey.cpp index 46a42f40..7e90d634 100644 --- a/identity/RemotelyProvisionedKey.cpp +++ b/identity/RemotelyProvisionedKey.cpp @@ -42,6 +42,8 @@ using ::android::security::rkp::IRegistration; using ::android::security::rkp::IRemoteProvisioning; using ::android::security::rkp::RemotelyProvisionedKey; +constexpr const char* kRemoteProvisioningServiceName = "remote_provisioning"; + std::optional<String16> findRpcNameById(std::string_view targetRpcId) { auto deviceManifest = vintf::VintfObject::GetDeviceHalManifest(); auto instances = deviceManifest->getAidlInstances("android.hardware.security.keymint", @@ -182,7 +184,7 @@ getRpcKeyFuture(const sp<IRemotelyProvisionedComponent>& rpc, int32_t keyId) { } sp<IRemoteProvisioning> remoteProvisioning = - android::waitForService<IRemoteProvisioning>(IRemoteProvisioning::descriptor); + android::waitForService<IRemoteProvisioning>(String16(kRemoteProvisioningServiceName)); if (!remoteProvisioning) { LOG(ERROR) << "Failed to get IRemoteProvisioning HAL"; return std::nullopt; diff --git a/identity/main.cpp b/identity/main.cpp index 25597898..b3a41eca 100644 --- a/identity/main.cpp +++ b/identity/main.cpp @@ -23,6 +23,7 @@ #include <android-base/logging.h> #include <binder/IPCThreadState.h> #include <binder/IServiceManager.h> +#include <binder/ProcessState.h> #include "CredentialStoreFactory.h" @@ -32,6 +33,7 @@ using ::std::string; using ::android::IPCThreadState; using ::android::IServiceManager; +using ::android::ProcessState; using ::android::sp; using ::android::String16; using ::android::base::InitLogging; @@ -53,8 +55,10 @@ int main(int argc, char* argv[]) { CHECK(ret == ::android::OK) << "Couldn't register binder service"; LOG(INFO) << "Registered binder service"; - // Credstore is a single-threaded process. So devote the main thread - // to handling binder messages. + // Credstore needs one thread to handle binder messages and one to handle + // asynchronous responses from RKPD. + ProcessState::self()->setThreadPoolMaxThreadCount(2); + ProcessState::self()->startThreadPool(); IPCThreadState::self()->joinThreadPool(); return 0; |