Google Git
Sign in
android / platform / system / security / cbc2860 / . / keystore2 / src / maintenance.rs
blob: 637fb612f580593e6866b757717598cf5c4f03ea [file] [log] [blame]
// Copyright 2021, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! This module implements IKeystoreMaintenance AIDL interface.
use crate::database::{KeyEntryLoadBits, KeyType, MonotonicRawTime};
use crate::error::map_km_error;
use crate::error::map_or_log_err;
use crate::error::Error;
use crate::globals::get_keymint_device;
use crate::globals::{DB, LEGACY_MIGRATOR, SUPER_KEY};
use crate::permission::{KeyPerm, KeystorePerm};
use crate::super_key::UserState;
use crate::utils::{check_key_permission, check_keystore_permission, watchdog as wd};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::IKeyMintDevice::IKeyMintDevice;
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
use android_security_maintenance::aidl::android::security::maintenance::{
IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
UserState::UserState as AidlUserState,
};
use android_security_maintenance::binder::{
BinderFeatures, Interface, Result as BinderResult, Strong, ThreadState,
};
use android_system_keystore2::aidl::android::system::keystore2::KeyDescriptor::KeyDescriptor;
use android_system_keystore2::aidl::android::system::keystore2::ResponseCode::ResponseCode;
use anyhow::{Context, Result};
use keystore2_crypto::Password;
/// Reexport Domain for the benefit of DeleteListener
pub use android_system_keystore2::aidl::android::system::keystore2::Domain::Domain;
/// The Maintenance module takes a delete listener argument which observes user and namespace
/// deletion events.
pub trait DeleteListener {
/// Called by the maintenance module when an app/namespace is deleted.
fn delete_namespace(&self, domain: Domain, namespace: i64) -> Result<()>;
/// Called by the maintenance module when a user is deleted.
fn delete_user(&self, user_id: u32) -> Result<()>;
}
/// This struct is defined to implement the aforementioned AIDL interface.
pub struct Maintenance {
delete_listener: Box<dyn DeleteListener + Send + Sync + 'static>,
}
impl Maintenance {
/// Create a new instance of Keystore Maintenance service.
pub fn new_native_binder(
delete_listener: Box<dyn DeleteListener + Send + Sync + 'static>,
) -> Result<Strong<dyn IKeystoreMaintenance>> {
Ok(BnKeystoreMaintenance::new_binder(
Self { delete_listener },
BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() },
))
}
fn on_user_password_changed(user_id: i32, password: Option<Password>) -> Result<()> {
//Check permission. Function should return if this failed. Therefore having '?' at the end
//is very important.
check_keystore_permission(KeystorePerm::change_password())
.context("In on_user_password_changed.")?;
if let Some(pw) = password.as_ref() {
DB.with(|db| {
SUPER_KEY.unlock_screen_lock_bound_key(&mut db.borrow_mut(), user_id as u32, pw)
})
.context("In on_user_password_changed: unlock_screen_lock_bound_key failed")?;
}
match DB
.with(|db| {
UserState::get_with_password_changed(
&mut db.borrow_mut(),
&LEGACY_MIGRATOR,
&SUPER_KEY,
user_id as u32,
password.as_ref(),
)
})
.context("In on_user_password_changed.")?
{
UserState::LskfLocked => {
// Error - password can not be changed when the device is locked
Err(Error::Rc(ResponseCode::LOCKED))
.context("In on_user_password_changed. Device is locked.")
}
_ => {
// LskfLocked is the only error case for password change
Ok(())
}
}
}
fn add_or_remove_user(&self, user_id: i32) -> Result<()> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
check_keystore_permission(KeystorePerm::change_user()).context("In add_or_remove_user.")?;
DB.with(|db| {
UserState::reset_user(
&mut db.borrow_mut(),
&SUPER_KEY,
&LEGACY_MIGRATOR,
user_id as u32,
false,
)
})
.context("In add_or_remove_user: Trying to delete keys from db.")?;
self.delete_listener
.delete_user(user_id as u32)
.context("In add_or_remove_user: While invoking the delete listener.")
}
fn clear_namespace(&self, domain: Domain, nspace: i64) -> Result<()> {
// Permission check. Must return on error. Do not touch the '?'.
check_keystore_permission(KeystorePerm::clear_uid()).context("In clear_namespace.")?;
LEGACY_MIGRATOR
.bulk_delete_uid(domain, nspace)
.context("In clear_namespace: Trying to delete legacy keys.")?;
DB.with(|db| db.borrow_mut().unbind_keys_for_namespace(domain, nspace))
.context("In clear_namespace: Trying to delete keys from db.")?;
self.delete_listener
.delete_namespace(domain, nspace)
.context("In clear_namespace: While invoking the delete listener.")
}
fn get_state(user_id: i32) -> Result<AidlUserState> {
// Check permission. Function should return if this failed. Therefore having '?' at the end
// is very important.
check_keystore_permission(KeystorePerm::get_state()).context("In get_state.")?;
let state = DB
.with(|db| {
UserState::get(&mut db.borrow_mut(), &LEGACY_MIGRATOR, &SUPER_KEY, user_id as u32)
})
.context("In get_state. Trying to get UserState.")?;
match state {
UserState::Uninitialized => Ok(AidlUserState::UNINITIALIZED),
UserState::LskfUnlocked(_) => Ok(AidlUserState::LSKF_UNLOCKED),
UserState::LskfLocked => Ok(AidlUserState::LSKF_LOCKED),
}
}
fn early_boot_ended_help(sec_level: SecurityLevel) -> Result<()> {
let (dev, _, _) = get_keymint_device(&sec_level)
.context("In early_boot_ended: getting keymint device")?;
let km_dev: Strong<dyn IKeyMintDevice> =
dev.get_interface().context("In early_boot_ended: getting keymint device interface")?;
let _wp = wd::watch_millis_with(
"In early_boot_ended_help: calling earlyBootEnded()",
500,
move || format!("Seclevel: {:?}", sec_level),
);
map_km_error(km_dev.earlyBootEnded())
.context("In keymint device: calling earlyBootEnded")?;
Ok(())
}
fn early_boot_ended() -> Result<()> {
check_keystore_permission(KeystorePerm::early_boot_ended())
.context("In early_boot_ended. Checking permission")?;
log::info!("In early_boot_ended.");
if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
}
let sec_levels = [
(SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
(SecurityLevel::STRONGBOX, "STRONGBOX"),
];
sec_levels.iter().fold(Ok(()), |result, (sec_level, sec_level_string)| {
let curr_result = Maintenance::early_boot_ended_help(*sec_level);
if curr_result.is_err() {
log::error!(
"Call to earlyBootEnded failed for security level {}.",
&sec_level_string
);
}
result.and(curr_result)
})
}
fn on_device_off_body() -> Result<()> {
// Security critical permission check. This statement must return on fail.
check_keystore_permission(KeystorePerm::report_off_body())
.context("In on_device_off_body.")?;
DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now()));
Ok(())
}
fn migrate_key_namespace(source: &KeyDescriptor, destination: &KeyDescriptor) -> Result<()> {
let caller_uid = ThreadState::get_calling_uid();
DB.with(|db| {
let key_id_guard = match source.domain {
Domain::APP | Domain::SELINUX | Domain::KEY_ID => {
let (key_id_guard, _) = LEGACY_MIGRATOR
.with_try_migrate(&source, caller_uid, || {
db.borrow_mut().load_key_entry(
&source,
KeyType::Client,
KeyEntryLoadBits::NONE,
caller_uid,
|k, av| {
check_key_permission(KeyPerm::use_(), k, &av)?;
check_key_permission(KeyPerm::delete(), k, &av)?;
check_key_permission(KeyPerm::grant(), k, &av)
},
)
})
.context("In migrate_key_namespace: Failed to load key blob.")?;
key_id_guard
}
_ => {
return Err(Error::Rc(ResponseCode::INVALID_ARGUMENT)).context(concat!(
"In migrate_key_namespace: ",
"Source domain must be one of APP, SELINUX, or KEY_ID."
))
}
};
db.borrow_mut().migrate_key_namespace(key_id_guard, destination, caller_uid, |k| {
check_key_permission(KeyPerm::rebind(), k, &None)
})
})
}
}
impl Interface for Maintenance {}
impl IKeystoreMaintenance for Maintenance {
fn onUserPasswordChanged(&self, user_id: i32, password: Option<&[u8]>) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::onUserPasswordChanged", 500);
map_or_log_err(Self::on_user_password_changed(user_id, password.map(|pw| pw.into())), Ok)
}
fn onUserAdded(&self, user_id: i32) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::onUserAdded", 500);
map_or_log_err(self.add_or_remove_user(user_id), Ok)
}
fn onUserRemoved(&self, user_id: i32) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::onUserRemoved", 500);
map_or_log_err(self.add_or_remove_user(user_id), Ok)
}
fn clearNamespace(&self, domain: Domain, nspace: i64) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::clearNamespace", 500);
map_or_log_err(self.clear_namespace(domain, nspace), Ok)
}
fn getState(&self, user_id: i32) -> BinderResult<AidlUserState> {
let _wp = wd::watch_millis("IKeystoreMaintenance::getState", 500);
map_or_log_err(Self::get_state(user_id), Ok)
}
fn earlyBootEnded(&self) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::earlyBootEnded", 500);
map_or_log_err(Self::early_boot_ended(), Ok)
}
fn onDeviceOffBody(&self) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::onDeviceOffBody", 500);
map_or_log_err(Self::on_device_off_body(), Ok)
}
fn migrateKeyNamespace(
&self,
source: &KeyDescriptor,
destination: &KeyDescriptor,
) -> BinderResult<()> {
let _wp = wd::watch_millis("IKeystoreMaintenance::migrateKeyNamespace", 500);
map_or_log_err(Self::migrate_key_namespace(source, destination), Ok)
}
}