diff options
Diffstat (limited to 'keystore/keystore_main.cpp')
-rw-r--r-- | keystore/keystore_main.cpp | 162 |
1 files changed, 0 insertions, 162 deletions
diff --git a/keystore/keystore_main.cpp b/keystore/keystore_main.cpp deleted file mode 100644 index 02c2139a..00000000 --- a/keystore/keystore_main.cpp +++ /dev/null @@ -1,162 +0,0 @@ -/* - * Copyright (C) 2009 The Android Open Source Project - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#define LOG_TAG "keystore" - -#include <android-base/logging.h> -#include <android/hidl/manager/1.2/IServiceManager.h> -#include <android/security/keystore/IKeystoreService.h> -#include <binder/IPCThreadState.h> -#include <binder/IServiceManager.h> -#include <keymasterV4_1/Keymaster3.h> -#include <keymasterV4_1/Keymaster4.h> -#include <utils/StrongPointer.h> - -#include <keystore/keystore_hidl_support.h> -#include <keystore/keystore_return_types.h> - -#include "KeyStore.h" -#include "key_store_service.h" -#include "legacy_keymaster_device_wrapper.h" -#include "permissions.h" - -/* KeyStore is a secured storage for key-value pairs. In this implementation, - * each file stores one key-value pair. Keys are encoded in file names, and - * values are encrypted with checksums. The encryption key is protected by a - * user-defined password. To keep things simple, buffers are always larger than - * the maximum space we needed, so boundary checks on buffers are omitted. */ - -using ::android::sp; -using ::android::hardware::hidl_string; -using ::android::hardware::hidl_vec; -using ::android::hardware::keymaster::V4_0::ErrorCode; -using ::android::hardware::keymaster::V4_0::HmacSharingParameters; -using ::android::hardware::keymaster::V4_0::SecurityLevel; -using ::android::hidl::manager::V1_2::IServiceManager; - -using ::keystore::keymaster::support::Keymaster; -using ::keystore::keymaster::support::Keymaster3; -using ::keystore::keymaster::support::Keymaster4; - -using keystore::KeymasterDevices; - -template <typename Wrapper> -KeymasterDevices enumerateKeymasterDevices(IServiceManager* serviceManager) { - KeymasterDevices result; - serviceManager->listManifestByInterface( - Wrapper::WrappedIKeymasterDevice::descriptor, [&](const hidl_vec<hidl_string>& names) { - auto try_get_device = [&](const auto& name, bool fail_silent) { - auto device = Wrapper::WrappedIKeymasterDevice::getService(name); - if (fail_silent && !device) return; - CHECK(device) << "Failed to get service for \"" - << Wrapper::WrappedIKeymasterDevice::descriptor - << "\" with interface name \"" << name << "\""; - - sp<Keymaster> kmDevice(new Wrapper(device, name)); - auto halVersion = kmDevice->halVersion(); - SecurityLevel securityLevel = halVersion.securityLevel; - LOG(INFO) << "found " << Wrapper::WrappedIKeymasterDevice::descriptor - << " with interface name " << name << " and seclevel " - << toString(securityLevel); - CHECK(static_cast<uint32_t>(securityLevel) < result.size()) - << "Security level of \"" << Wrapper::WrappedIKeymasterDevice::descriptor - << "\" with interface name \"" << name << "\" out of range"; - auto& deviceSlot = result[securityLevel]; - if (deviceSlot) { - if (!fail_silent) { - LOG(WARNING) << "Implementation of \"" - << Wrapper::WrappedIKeymasterDevice::descriptor - << "\" with interface name \"" << name - << "\" and security level: " << toString(securityLevel) - << " Masked by other implementation of Keymaster"; - } - } else { - deviceSlot = kmDevice; - } - }; - bool has_default = false; - for (auto& n : names) { - try_get_device(n, false); - if (n == "default") has_default = true; - } - // Make sure that we always check the default device. If we enumerate only what is - // known to hwservicemanager, we miss a possible passthrough HAL. - if (!has_default) { - try_get_device("default", true /* fail_silent */); - } - }); - return result; -} - -KeymasterDevices initializeKeymasters() { - auto serviceManager = IServiceManager::getService(); - CHECK(serviceManager.get()) << "Failed to get ServiceManager"; - auto result = enumerateKeymasterDevices<Keymaster4>(serviceManager.get()); - auto softKeymaster = result[SecurityLevel::SOFTWARE]; - if (!result[SecurityLevel::TRUSTED_ENVIRONMENT]) { - result = enumerateKeymasterDevices<Keymaster3>(serviceManager.get()); - } - if (softKeymaster) result[SecurityLevel::SOFTWARE] = softKeymaster; - if (result[SecurityLevel::SOFTWARE] && !result[SecurityLevel::TRUSTED_ENVIRONMENT]) { - LOG(WARNING) << "No secure Keymaster implementation found, but device offers insecure" - " Keymaster HAL. Using as default."; - result[SecurityLevel::TRUSTED_ENVIRONMENT] = result[SecurityLevel::SOFTWARE]; - result[SecurityLevel::SOFTWARE] = nullptr; - } - if (!result[SecurityLevel::SOFTWARE]) { - auto fbdev = android::keystore::makeSoftwareKeymasterDevice(); - CHECK(fbdev.get()) << "Unable to create Software Keymaster Device"; - result[SecurityLevel::SOFTWARE] = new Keymaster3(fbdev, "Software"); - } - return result; -} - -int main(int argc, char* argv[]) { - using android::hardware::hidl_string; - CHECK(argc >= 2) << "A directory must be specified!"; - CHECK(chdir(argv[1]) != -1) << "chdir: " << argv[1] << ": " << strerror(errno); - - auto kmDevices = initializeKeymasters(); - - CHECK(kmDevices[SecurityLevel::SOFTWARE]) << "Missing software Keymaster device"; - CHECK(kmDevices[SecurityLevel::TRUSTED_ENVIRONMENT]) - << "Error no viable keymaster device found"; - - CHECK(configure_selinux() != -1) << "Failed to configure SELinux."; - - auto halVersion = kmDevices[SecurityLevel::TRUSTED_ENVIRONMENT]->halVersion(); - - // If the hardware is keymaster 2.0 or higher we will not allow the fallback device for import - // or generation of keys. The fallback device is only used for legacy keys present on the - // device. - SecurityLevel minimalAllowedSecurityLevelForNewKeys = - halVersion.majorVersion >= 2 ? SecurityLevel::TRUSTED_ENVIRONMENT : SecurityLevel::SOFTWARE; - - android::sp<keystore::KeyStore> keyStore( - new keystore::KeyStore(kmDevices, minimalAllowedSecurityLevelForNewKeys)); - keyStore->initialize(); - android::sp<android::IServiceManager> sm = android::defaultServiceManager(); - android::sp<keystore::KeyStoreService> service = new keystore::KeyStoreService(keyStore); - service->setRequestingSid(true); - android::status_t ret = sm->addService(android::String16("android.security.keystore"), service); - CHECK(ret == android::OK) << "Couldn't register binder service!"; - - /* - * This thread is just going to process Binder transactions. - */ - android::IPCThreadState::self()->joinThreadPool(); - return 1; -} |