diff options
Diffstat (limited to 'keystore/keymaster_worker.h')
-rw-r--r-- | keystore/keymaster_worker.h | 307 |
1 files changed, 0 insertions, 307 deletions
diff --git a/keystore/keymaster_worker.h b/keystore/keymaster_worker.h deleted file mode 100644 index fbd52b4d..00000000 --- a/keystore/keymaster_worker.h +++ /dev/null @@ -1,307 +0,0 @@ -/* -** -** Copyright 2018, The Android Open Source Project -** -** Licensed under the Apache License, Version 2.0 (the "License"); -** you may not use this file except in compliance with the License. -** You may obtain a copy of the License at -** -** http://www.apache.org/licenses/LICENSE-2.0 -** -** Unless required by applicable law or agreed to in writing, software -** distributed under the License is distributed on an "AS IS" BASIS, -** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -** See the License for the specific language governing permissions and -** limitations under the License. -*/ - -#ifndef KEYSTORE_KEYMASTER_WORKER_H_ -#define KEYSTORE_KEYMASTER_WORKER_H_ - -#include <condition_variable> -#include <functional> -#include <keymasterV4_1/Keymaster.h> -#include <memory> -#include <mutex> -#include <optional> -#include <queue> -#include <thread> -#include <tuple> - -#include <keystore/ExportResult.h> -#include <keystore/KeyCharacteristics.h> -#include <keystore/KeymasterBlob.h> -#include <keystore/OperationResult.h> -#include <keystore/keymaster_types.h> -#include <keystore/keystore_return_types.h> - -#include "blob.h" -#include "operation.h" - -namespace keystore { - -using android::sp; -using ::android::hardware::hidl_vec; -using ::android::hardware::Return; -using ::android::hardware::Void; -using android::hardware::keymaster::V4_1::support::Keymaster; -using ::android::security::keymaster::KeymasterBlob; - -class KeyStore; - -class Worker { - - /* - * NonCopyableFunction works similar to std::function in that it wraps callable objects and - * erases their type. The rationale for using a custom class instead of - * std::function is that std::function requires the wrapped object to be copy contructible. - * NonCopyableFunction is itself not copyable and never attempts to copy the wrapped object. - * TODO use similar optimization as std::function to remove the extra make_unique allocation. - */ - template <typename Fn> class NonCopyableFunction; - - template <typename Ret, typename... Args> class NonCopyableFunction<Ret(Args...)> { - - class NonCopyableFunctionBase { - public: - NonCopyableFunctionBase() = default; - virtual ~NonCopyableFunctionBase() {} - virtual Ret operator()(Args... args) = 0; - NonCopyableFunctionBase(const NonCopyableFunctionBase&) = delete; - NonCopyableFunctionBase& operator=(const NonCopyableFunctionBase&) = delete; - }; - - template <typename Fn> - class NonCopyableFunctionTypeEraser : public NonCopyableFunctionBase { - private: - Fn f_; - - public: - NonCopyableFunctionTypeEraser() = default; - explicit NonCopyableFunctionTypeEraser(Fn f) : f_(std::move(f)) {} - Ret operator()(Args... args) override { return f_(std::move(args)...); } - }; - - private: - std::unique_ptr<NonCopyableFunctionBase> f_; - - public: - NonCopyableFunction() = default; - // NOLINTNEXTLINE(google-explicit-constructor) - template <typename F> NonCopyableFunction(F f) { - f_ = std::make_unique<NonCopyableFunctionTypeEraser<F>>(std::move(f)); - } - NonCopyableFunction(NonCopyableFunction&& other) = default; - NonCopyableFunction& operator=(NonCopyableFunction&& other) = default; - NonCopyableFunction(const NonCopyableFunction& other) = delete; - NonCopyableFunction& operator=(const NonCopyableFunction& other) = delete; - - Ret operator()(Args... args) { - if (f_) return (*f_)(std::move(args)...); - } - }; - - using WorkerTask = NonCopyableFunction<void()>; - - std::queue<WorkerTask> pending_requests_; - std::mutex pending_requests_mutex_; - std::condition_variable pending_requests_cond_var_; - bool running_ = false; - bool terminate_ = false; - - public: - Worker(); - ~Worker(); - void addRequest(WorkerTask request); -}; - -template <typename... Args> struct MakeKeymasterWorkerCB; - -template <typename ErrorType, typename... Args> -struct MakeKeymasterWorkerCB<ErrorType, std::function<void(Args...)>> { - using type = std::function<void(ErrorType, std::tuple<std::decay_t<Args>...>&&)>; -}; - -template <typename ErrorType> struct MakeKeymasterWorkerCB<ErrorType> { - using type = std::function<void(ErrorType)>; -}; - -template <typename... Args> -using MakeKeymasterWorkerCB_t = typename MakeKeymasterWorkerCB<Args...>::type; - -class KeymasterWorker : protected Worker { - private: - sp<Keymaster> keymasterDevice_; - OperationMap operationMap_; - KeyStore* keyStore_; - - /** - * Models the security level of this worker internal to KeyStore. - * - * When the device has only a software Keymaster, KeyStore will set it on the TEE slot and - * instantiate a new in-process software Keymaster. In that case there is a mismatch between the - * security level used by KeyStore and what is reported from the HAL. This represents the level - * used internally by KeyStore. - * - * This value is used to associate blobs to the corresponding Keymaster backend. It does not - * indicate an actual Keymaster HAL security level and should never be exposed to users. - */ - SecurityLevel internalSecurityLevel_; - - template <typename KMFn, typename ErrorType, typename... Args, size_t... I> - void unwrap_tuple(KMFn kmfn, std::function<void(ErrorType)> cb, - const std::tuple<Args...>& tuple, std::index_sequence<I...>) { - cb(((*keymasterDevice_).*kmfn)(std::get<I>(tuple)...)); - } - - template <typename KMFn, typename ErrorType, typename... ReturnTypes, typename... Args, - size_t... I> - void unwrap_tuple(KMFn kmfn, std::function<void(ErrorType, std::tuple<ReturnTypes...>&&)> cb, - const std::tuple<Args...>& tuple, std::index_sequence<I...>) { - std::tuple<ReturnTypes...> returnValue; - auto result = ((*keymasterDevice_).*kmfn)( - std::get<I>(tuple)..., - [&returnValue](const ReturnTypes&... args) { returnValue = std::make_tuple(args...); }); - cb(std::move(result), std::move(returnValue)); - } - - template <typename KMFn, typename ErrorType, typename... Args> - void addRequest(KMFn kmfn, std::function<void(ErrorType)> cb, Args&&... args) { - Worker::addRequest([this, kmfn, cb = std::move(cb), - tuple = std::make_tuple(std::forward<Args>(args)...)]() { - unwrap_tuple(kmfn, std::move(cb), tuple, std::index_sequence_for<Args...>{}); - }); - } - - template <typename KMFn, typename ErrorType, typename... ReturnTypes, typename... Args> - void addRequest(KMFn kmfn, std::function<void(ErrorType, std::tuple<ReturnTypes...>&&)> cb, - Args&&... args) { - Worker::addRequest([this, kmfn, cb = std::move(cb), - tuple = std::make_tuple(std::forward<Args>(args)...)]() { - unwrap_tuple(kmfn, std::move(cb), tuple, std::index_sequence_for<Args...>{}); - }); - } - - void deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob); - std::tuple<KeyStoreServiceReturnCode, Blob> - upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry, const AuthorizationSet& params); - std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob> - createKeyCharacteristicsCache(const LockedKeyBlobEntry& lockedEntry, - const hidl_vec<uint8_t>& clientId, - const hidl_vec<uint8_t>& appData, Blob keyBlob, Blob charBlob); - - /** - * Get the auth token for this operation from the auth token table. - * - * Returns NO_ERROR if the auth token was found or none was required. If not needed, the - * token will be empty (which keymaster interprets as no auth token). - * OP_AUTH_NEEDED if it is a per op authorization, no authorization token exists for - * that operation and failOnTokenMissing is false. - * KM_ERROR_KEY_USER_NOT_AUTHENTICATED if there is no valid auth token for the operation - */ - std::pair<KeyStoreServiceReturnCode, HardwareAuthToken> - getAuthToken(const KeyCharacteristics& characteristics, uint64_t handle, KeyPurpose purpose, - bool failOnTokenMissing = true); - - KeyStoreServiceReturnCode abort(const sp<IBinder>& token, ResponseCode reason_for_abort); - - bool pruneOperation(); - - KeyStoreServiceReturnCode getOperationAuthTokenIfNeeded(std::shared_ptr<Operation> op); - - void appendConfirmationTokenIfNeeded(const KeyCharacteristics& keyCharacteristics, - hidl_vec<KeyParameter>* params); - - public: - KeymasterWorker(sp<Keymaster> keymasterDevice, KeyStore* keyStore, - SecurityLevel internalSecurityLevel); - - void logIfKeymasterVendorError(ErrorCode ec) const; - - using worker_begin_cb = std::function<void(::android::security::keymaster::OperationResult)>; - void begin(LockedKeyBlobEntry, sp<IBinder> appToken, Blob keyBlob, Blob charBlob, - bool pruneable, KeyPurpose purpose, AuthorizationSet opParams, - hidl_vec<uint8_t> entropy, worker_begin_cb worker_cb); - - using update_cb = std::function<void(::android::security::keymaster::OperationResult)>; - void update(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> data, - update_cb _hidl_cb); - - using finish_cb = std::function<void(::android::security::keymaster::OperationResult)>; - void finish(sp<IBinder> token, AuthorizationSet params, hidl_vec<uint8_t> input, - hidl_vec<uint8_t> signature, hidl_vec<uint8_t> entorpy, finish_cb worker_cb); - - using abort_cb = std::function<void(KeyStoreServiceReturnCode)>; - void abort(sp<IBinder> token, abort_cb _hidl_cb); - - using getHardwareInfo_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::getHardwareInfo_cb>; - void getHardwareInfo(getHardwareInfo_cb _hidl_cb); - - using getHmacSharingParameters_cb = - MakeKeymasterWorkerCB_t<Return<void>, Keymaster::getHmacSharingParameters_cb>; - void getHmacSharingParameters(getHmacSharingParameters_cb _hidl_cb); - - using computeSharedHmac_cb = - MakeKeymasterWorkerCB_t<Return<void>, Keymaster::computeSharedHmac_cb>; - void computeSharedHmac(hidl_vec<HmacSharingParameters> params, computeSharedHmac_cb _hidl_cb); - - using verifyAuthorization_cb = - std::function<void(KeyStoreServiceReturnCode ec, HardwareAuthToken, VerificationToken)>; - void verifyAuthorization(uint64_t challenge, hidl_vec<KeyParameter> params, - HardwareAuthToken token, verifyAuthorization_cb _hidl_cb); - - using addRngEntropy_cb = MakeKeymasterWorkerCB_t<Return<ErrorCode>>; - void addRngEntropy(hidl_vec<uint8_t> data, addRngEntropy_cb _hidl_cb); - - using generateKey_cb = std::function<void( - KeyStoreServiceReturnCode, ::android::hardware::keymaster::V4_0::KeyCharacteristics)>; - void generateKey(LockedKeyBlobEntry, hidl_vec<KeyParameter> keyParams, - hidl_vec<uint8_t> entropy, int flags, generateKey_cb _hidl_cb); - - using generateKey2_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::generateKey_cb>; - void generateKey(hidl_vec<KeyParameter> keyParams, generateKey2_cb _hidl_cb); - - using getKeyCharacteristics_cb = std::function<void( - KeyStoreServiceReturnCode, ::android::hardware::keymaster::V4_0::KeyCharacteristics)>; - void getKeyCharacteristics(LockedKeyBlobEntry lockedEntry, hidl_vec<uint8_t> clientId, - hidl_vec<uint8_t> appData, Blob keyBlob, Blob charBlob, - getKeyCharacteristics_cb _hidl_cb); - - using importKey_cb = std::function<void( - KeyStoreServiceReturnCode, ::android::hardware::keymaster::V4_0::KeyCharacteristics)>; - void importKey(LockedKeyBlobEntry lockedEntry, hidl_vec<KeyParameter> params, - KeyFormat keyFormat, hidl_vec<uint8_t> keyData, int flags, - importKey_cb _hidl_cb); - - using importWrappedKey_cb = std::function<void( - KeyStoreServiceReturnCode, ::android::hardware::keymaster::V4_0::KeyCharacteristics)>; - void importWrappedKey(LockedKeyBlobEntry wrappingLockedEntry, - LockedKeyBlobEntry wrapppedLockedEntry, hidl_vec<uint8_t> wrappedKeyData, - hidl_vec<uint8_t> maskingKey, hidl_vec<KeyParameter> unwrappingParams, - Blob wrappingBlob, Blob wrappingCharBlob, uint64_t passwordSid, - uint64_t biometricSid, importWrappedKey_cb worker_cb); - - using exportKey_cb = std::function<void(::android::security::keymaster::ExportResult)>; - void exportKey(LockedKeyBlobEntry lockedEntry, KeyFormat exportFormat, - hidl_vec<uint8_t> clientId, hidl_vec<uint8_t> appData, Blob keyBlob, - Blob charBlob, exportKey_cb _hidl_cb); - - using attestKey_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::attestKey_cb>; - void attestKey(hidl_vec<uint8_t> keyToAttest, hidl_vec<KeyParameter> attestParams, - attestKey_cb _hidl_cb); - - using deleteKey_cb = MakeKeymasterWorkerCB_t<Return<ErrorCode>>; - void deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb); - - using begin_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::begin_cb>; - void begin(KeyPurpose purpose, hidl_vec<uint8_t> key, hidl_vec<KeyParameter> inParams, - HardwareAuthToken authToken, begin_cb _hidl_cb); - - void binderDied(android::wp<IBinder> who); - - const Keymaster::VersionResult& halVersion() { return keymasterDevice_->halVersion(); } -}; - -} // namespace keystore - -#endif // KEYSTORE_KEYMASTER_WORKER_H_ |