Google Git
Sign in
android / platform / system / security / d5aaaef8 / . / keystore2 / src / utils.rs
blob: d71a4fc8fd4d0ebd3396b7131861e2774ba3e63f [file] [log] [blame]
// Copyright 2020, The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//! This module implements utility functions used by the Keystore 2.0 service
//! implementation.
use crate::error::{map_binder_status, Error, ErrorCode};
use crate::permission;
use crate::permission::{KeyPerm, KeyPermSet, KeystorePerm};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
KeyCharacteristics::KeyCharacteristics, Tag::Tag,
};
use android_os_permissions_aidl::aidl::android::os::IPermissionController;
use android_security_apc::aidl::android::security::apc::{
IProtectedConfirmation::{FLAG_UI_OPTION_INVERTED, FLAG_UI_OPTION_MAGNIFIED},
ResponseCode::ResponseCode as ApcResponseCode,
};
use android_system_keystore2::aidl::android::system::keystore2::{
Authorization::Authorization, KeyDescriptor::KeyDescriptor,
};
use anyhow::Context;
use binder::{Strong, ThreadState};
use keystore2_apc_compat::{
ApcCompatUiOptions, APC_COMPAT_ERROR_ABORTED, APC_COMPAT_ERROR_CANCELLED,
APC_COMPAT_ERROR_IGNORED, APC_COMPAT_ERROR_OK, APC_COMPAT_ERROR_OPERATION_PENDING,
APC_COMPAT_ERROR_SYSTEM_ERROR,
};
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given keystore permission.
pub fn check_keystore_permission(perm: KeystorePerm) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_keystore_permission(
calling_sid.ok_or_else(Error::sys).context(
"In check_keystore_permission: Cannot check permission without calling_sid.",
)?,
perm,
)
})
}
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given grant permission.
pub fn check_grant_permission(access_vec: KeyPermSet, key: &KeyDescriptor) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_grant_permission(
calling_sid.ok_or_else(Error::sys).context(
"In check_grant_permission: Cannot check permission without calling_sid.",
)?,
access_vec,
key,
)
})
}
/// This function uses its namesake in the permission module and in
/// combination with with_calling_sid from the binder crate to check
/// if the caller has the given key permission.
pub fn check_key_permission(
perm: KeyPerm,
key: &KeyDescriptor,
access_vector: &Option<KeyPermSet>,
) -> anyhow::Result<()> {
ThreadState::with_calling_sid(|calling_sid| {
permission::check_key_permission(
ThreadState::get_calling_uid(),
calling_sid
.ok_or_else(Error::sys)
.context("In check_key_permission: Cannot check permission without calling_sid.")?,
perm,
key,
access_vector,
)
})
}
/// This function checks whether a given tag corresponds to the access of device identifiers.
pub fn is_device_id_attestation_tag(tag: Tag) -> bool {
matches!(
tag,
Tag::ATTESTATION_ID_IMEI
| Tag::ATTESTATION_ID_MEID
| Tag::ATTESTATION_ID_SERIAL
| Tag::DEVICE_UNIQUE_ATTESTATION
)
}
/// This function checks whether the calling app has the Android permissions needed to attest device
/// identifiers. It throws an error if the permissions cannot be verified, or if the caller doesn't
/// have the right permissions, and returns silently otherwise.
pub fn check_device_attestation_permissions() -> anyhow::Result<()> {
let permission_controller: Strong<dyn IPermissionController::IPermissionController> =
binder::get_interface("permission")?;
let binder_result = {
let _wp = watchdog::watch_millis(
"In check_device_attestation_permissions: calling checkPermission.",
500,
);
permission_controller.checkPermission(
"android.permission.READ_PRIVILEGED_PHONE_STATE",
ThreadState::get_calling_pid(),
ThreadState::get_calling_uid() as i32,
)
};
let has_permissions = map_binder_status(binder_result)
.context("In check_device_attestation_permissions: checkPermission failed")?;
match has_permissions {
true => Ok(()),
false => Err(Error::Km(ErrorCode::CANNOT_ATTEST_IDS)).context(concat!(
"In check_device_attestation_permissions: ",
"caller does not have the permission to attest device IDs"
)),
}
}
/// Converts a set of key characteristics as returned from KeyMint into the internal
/// representation of the keystore service.
pub fn key_characteristics_to_internal(
key_characteristics: Vec<KeyCharacteristics>,
) -> Vec<crate::key_parameter::KeyParameter> {
key_characteristics
.into_iter()
.flat_map(|aidl_key_char| {
let sec_level = aidl_key_char.securityLevel;
aidl_key_char.authorizations.into_iter().map(move |aidl_kp| {
crate::key_parameter::KeyParameter::new(aidl_kp.into(), sec_level)
})
})
.collect()
}
/// Converts a set of key characteristics from the internal representation into a set of
/// Authorizations as they are used to convey key characteristics to the clients of keystore.
pub fn key_parameters_to_authorizations(
parameters: Vec<crate::key_parameter::KeyParameter>,
) -> Vec<Authorization> {
parameters.into_iter().map(|p| p.into_authorization()).collect()
}
/// This returns the current time (in milliseconds) as an instance of a monotonic clock,
/// by invoking the system call since Rust does not support getting monotonic time instance
/// as an integer.
pub fn get_current_time_in_milliseconds() -> i64 {
let mut current_time = libc::timespec { tv_sec: 0, tv_nsec: 0 };
// Following unsafe block includes one system call to get monotonic time.
// Therefore, it is not considered harmful.
unsafe { libc::clock_gettime(libc::CLOCK_MONOTONIC_RAW, &mut current_time) };
current_time.tv_sec as i64 * 1000 + (current_time.tv_nsec as i64 / 1_000_000)
}
/// Converts a response code as returned by the Android Protected Confirmation HIDL compatibility
/// module (keystore2_apc_compat) into a ResponseCode as defined by the APC AIDL
/// (android.security.apc) spec.
pub fn compat_2_response_code(rc: u32) -> ApcResponseCode {
match rc {
APC_COMPAT_ERROR_OK => ApcResponseCode::OK,
APC_COMPAT_ERROR_CANCELLED => ApcResponseCode::CANCELLED,
APC_COMPAT_ERROR_ABORTED => ApcResponseCode::ABORTED,
APC_COMPAT_ERROR_OPERATION_PENDING => ApcResponseCode::OPERATION_PENDING,
APC_COMPAT_ERROR_IGNORED => ApcResponseCode::IGNORED,
APC_COMPAT_ERROR_SYSTEM_ERROR => ApcResponseCode::SYSTEM_ERROR,
_ => ApcResponseCode::SYSTEM_ERROR,
}
}
/// Converts the UI Options flags as defined by the APC AIDL (android.security.apc) spec into
/// UI Options flags as defined by the Android Protected Confirmation HIDL compatibility
/// module (keystore2_apc_compat).
pub fn ui_opts_2_compat(opt: i32) -> ApcCompatUiOptions {
ApcCompatUiOptions {
inverted: (opt & FLAG_UI_OPTION_INVERTED) != 0,
magnified: (opt & FLAG_UI_OPTION_MAGNIFIED) != 0,
}
}
/// AID offset for uid space partitioning.
pub const AID_USER_OFFSET: u32 = cutils_bindgen::AID_USER_OFFSET;
/// AID of the keystore process itself, used for keys that
/// keystore generates for its own use.
pub const AID_KEYSTORE: u32 = cutils_bindgen::AID_KEYSTORE;
/// Extracts the android user from the given uid.
pub fn uid_to_android_user(uid: u32) -> u32 {
// Safety: No memory access
unsafe { cutils_bindgen::multiuser_get_user_id(uid) }
}
/// This module provides helpers for simplified use of the watchdog module.
#[cfg(feature = "watchdog")]
pub mod watchdog {
pub use crate::watchdog::WatchPoint;
use crate::watchdog::Watchdog;
use lazy_static::lazy_static;
use std::sync::Arc;
use std::time::Duration;
lazy_static! {
/// A Watchdog thread, that can be used to create watch points.
static ref WD: Arc<Watchdog> = Watchdog::new(Duration::from_secs(10));
}
/// Sets a watch point with `id` and a timeout of `millis` milliseconds.
pub fn watch_millis(id: &'static str, millis: u64) -> Option<WatchPoint> {
Watchdog::watch(&WD, id, Duration::from_millis(millis))
}
/// Like `watch_millis` but with a callback that is called every time a report
/// is printed about this watch point.
pub fn watch_millis_with(
id: &'static str,
millis: u64,
callback: impl Fn() -> String + Send + 'static,
) -> Option<WatchPoint> {
Watchdog::watch_with(&WD, id, Duration::from_millis(millis), callback)
}
}
/// This module provides empty/noop implementations of the watch dog utility functions.
#[cfg(not(feature = "watchdog"))]
pub mod watchdog {
/// Noop watch point.
pub struct WatchPoint();
/// Sets a Noop watch point.
fn watch_millis(_: &'static str, _: u64) -> Option<WatchPoint> {
None
}
pub fn watch_millis_with(
_: &'static str,
_: u64,
_: impl Fn() -> String + Send + 'static,
) -> Option<WatchPoint> {
None
}
}
#[cfg(test)]
mod tests {
use super::*;
use anyhow::Result;
#[test]
fn check_device_attestation_permissions_test() -> Result<()> {
check_device_attestation_permissions().or_else(|error| {
match error.root_cause().downcast_ref::<Error>() {
// Expected: the context for this test might not be allowed to attest device IDs.
Some(Error::Km(ErrorCode::CANNOT_ATTEST_IDS)) => Ok(()),
// Other errors are unexpected
_ => Err(error),
}
})
}
}