Merge changes from topic "verbose-vendor-logging"
* changes:
Fix grants get lost on key upgrade
Clearly indicate vendor errors from keymaster in logcat
diff --git a/keystore/KeyStore.cpp b/keystore/KeyStore.cpp
index 6e8a4b2..d4219bd 100644
--- a/keystore/KeyStore.cpp
+++ b/keystore/KeyStore.cpp
@@ -309,8 +309,8 @@
auto dev = getDevice(keyBlob);
if (keyBlob.getType() == ::TYPE_KEYMASTER_10) {
- dev->deleteKey(blob2hidlVec(keyBlob), [alias, uid](Return<ErrorCode> rc) {
- auto ret = KS_HANDLE_HIDL_ERROR(rc);
+ dev->deleteKey(blob2hidlVec(keyBlob), [dev, alias, uid](Return<ErrorCode> rc) {
+ auto ret = KS_HANDLE_HIDL_ERROR(dev, rc);
// A device doesn't have to implement delete_key.
bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
if (__android_log_security()) {
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index d1629cb..0987139 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -36,6 +36,7 @@
#include <string>
#include <android-base/logging.h>
+#include <android-base/unique_fd.h>
namespace {
@@ -341,22 +342,35 @@
size_t fileLength = offsetof(blobv3, value) + dataLength + rawBlob->info;
- int out =
- TEMP_FAILURE_RETRY(open(filename.c_str(), O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR));
- if (out < 0) {
- ALOGW("could not open file: %s: %s", filename.c_str(), strerror(errno));
+ char tmpFileName[] = ".tmpXXXXXX";
+ {
+ android::base::unique_fd out(TEMP_FAILURE_RETRY(mkstemp(tmpFileName)));
+ if (out < 0) {
+ LOG(ERROR) << "could not open temp file: " << tmpFileName
+ << " for writing blob file: " << filename.c_str()
+ << " because: " << strerror(errno);
+ return ResponseCode::SYSTEM_ERROR;
+ }
+
+ const size_t writtenBytes =
+ writeFully(out, reinterpret_cast<uint8_t*>(rawBlob), fileLength);
+
+ if (writtenBytes != fileLength) {
+ LOG(ERROR) << "blob not fully written " << writtenBytes << " != " << fileLength;
+ unlink(tmpFileName);
+ return ResponseCode::SYSTEM_ERROR;
+ }
+ }
+
+ if (rename(tmpFileName, filename.c_str()) == -1) {
+ LOG(ERROR) << "could not rename blob file to " << filename
+ << " because: " << strerror(errno);
+ unlink(tmpFileName);
return ResponseCode::SYSTEM_ERROR;
}
- const size_t writtenBytes = writeFully(out, reinterpret_cast<uint8_t*>(rawBlob), fileLength);
- if (close(out) != 0) {
- return ResponseCode::SYSTEM_ERROR;
- }
- if (writtenBytes != fileLength) {
- ALOGW("blob not fully written %zu != %zu", writtenBytes, fileLength);
- unlink(filename.c_str());
- return ResponseCode::SYSTEM_ERROR;
- }
+ fsyncDirectory(getContainingDirectory(filename));
+
return ResponseCode::NO_ERROR;
}
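Review bot: The temp file is renamed over `filename` without an fsync of its contents first, so after a power loss the directory entry can name a blob whose data never reached disk; the `fsyncDirectory` call at the end only makes the rename itself durable. The `unique_fd` scope also silently drops the close() result that the removed `if (close(out) != 0)` check used to report, so an fsync before the scope ends is where write errors would now surface. Separately, `tmpFileName` is relative to the working directory rather than to `getContainingDirectory(filename)`, so the rename fails with EXDEV if the two are ever on different filesystems (presumably both live in the keystore directory today — a one-line comment stating that assumption would help). The enclosing function starts outside the hunk.
```cpp
        // … unchanged: writeFully and the writtenBytes != fileLength check …

        // Make the blob contents durable before the rename publishes the new name.
        if (TEMP_FAILURE_RETRY(fsync(out)) == -1) {
            LOG(ERROR) << "could not fsync temp file: " << tmpFileName
                       << " because: " << strerror(errno);
            unlink(tmpFileName);
            return ResponseCode::SYSTEM_ERROR;
        }
    }  // unique_fd closes the temp file here

    if (rename(tmpFileName, filename.c_str()) == -1) {
```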
diff --git a/keystore/include/keystore/keystore_hidl_support.h b/keystore/include/keystore/keystore_hidl_support.h
index 781b153..d1d7f16 100644
--- a/keystore/include/keystore/keystore_hidl_support.h
+++ b/keystore/include/keystore/keystore_hidl_support.h
@@ -52,17 +52,20 @@
return s.str();
}
-template <typename... Msgs>
-inline static ErrorCode ksHandleHidlError(const Return<ErrorCode>& error, Msgs&&... msgs) {
+template <typename KMDevice, typename... Msgs>
+inline static ErrorCode ksHandleHidlError(KMDevice dev, const Return<ErrorCode>& error,
+ Msgs&&... msgs) {
if (!error.isOk()) {
- ALOGE("HIDL call failed with %s @ %s", error.description().c_str(),
- argsToString(msgs...).c_str());
+ LOG(ERROR) << "HIDL call failed with " << error.description().c_str() << " @ "
+ << argsToString(msgs...);
return ErrorCode::UNKNOWN_ERROR;
}
- return ErrorCode(error);
+ auto ec = ErrorCode(error);
+ dev->logIfKeymasterVendorError(ec);
+ return ec;
}
-template <typename... Msgs>
-inline static ErrorCode ksHandleHidlError(const Return<void>& error, Msgs&&... msgs) {
+template <typename KMDevice, typename... Msgs>
+inline static ErrorCode ksHandleHidlError(KMDevice, const Return<void>& error, Msgs&&... msgs) {
if (!error.isOk()) {
ALOGE("HIDL call failed with %s @ %s", error.description().c_str(),
argsToString(msgs...).c_str());
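Review bot: `KMDevice dev` is taken by value in both new overloads, so every `KS_HANDLE_HIDL_ERROR` expansion copies the device handle (for an `sp<>`-style handle that is a refcount increment and decrement per HIDL call); `inline static ErrorCode ksHandleHidlError(const KMDevice& dev, const Return<ErrorCode>& error, Msgs&&... msgs)` avoids that and still accepts every caller in this change. The `Return<ErrorCode>` overload now dereferences `dev` on the success path, so a null device would crash here rather than in the HIDL call; a comment on the parameter, `// dev must be non-null; it is only consulted to log vendor-specific error codes.`, documents that contract. The `Return<void>` overload still uses `ALOGE` while the first moved to `LOG(ERROR)`; both should use the same logger, and the `.c_str()` on `error.description()` is unnecessary when streaming. The second overload's body continues outside the hunk.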
@@ -71,8 +74,8 @@
return ErrorCode::OK;
}
-#define KS_HANDLE_HIDL_ERROR(rc) \
- ::keystore::ksHandleHidlError(rc, __FILE__, ":", __LINE__, ":", __PRETTY_FUNCTION__)
+#define KS_HANDLE_HIDL_ERROR(dev, rc) \
+ ::keystore::ksHandleHidlError(dev, rc, __FILE__, ":", __LINE__, ":", __PRETTY_FUNCTION__)
template <typename T, typename OutIter>
inline static OutIter copy_bytes_to_iterator(const T& value, OutIter dest) {
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 8efc7c7..1319b23 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -644,8 +644,8 @@
return AIDL_RETURN(ErrorCode::HARDWARE_TYPE_UNAVAILABLE);
}
- device->addRngEntropy(entropy, [cb](Return<ErrorCode> rc) {
- cb->onFinished(KeyStoreServiceReturnCode(KS_HANDLE_HIDL_ERROR(rc)));
+ device->addRngEntropy(entropy, [device, cb](Return<ErrorCode> rc) {
+ cb->onFinished(KeyStoreServiceReturnCode(KS_HANDLE_HIDL_ERROR(device, rc)));
});
return AIDL_RETURN(ResponseCode::NO_ERROR);
@@ -1061,11 +1061,13 @@
auto hidlKey = blob2hidlVec(keyBlob);
dev->attestKey(
std::move(hidlKey), mutableParams.hidl_data(),
- [cb](Return<void> rc, std::tuple<ErrorCode, hidl_vec<hidl_vec<uint8_t>>>&& hidlResult) {
+ [dev, cb](Return<void> rc,
+ std::tuple<ErrorCode, hidl_vec<hidl_vec<uint8_t>>>&& hidlResult) {
auto& [ret, certChain] = hidlResult;
if (!rc.isOk()) {
cb->onFinished(KeyStoreServiceReturnCode(ResponseCode::SYSTEM_ERROR), {});
} else if (ret != ErrorCode::OK) {
+ dev->logIfKeymasterVendorError(ret);
cb->onFinished(KeyStoreServiceReturnCode(ret), {});
} else {
cb->onFinished(KeyStoreServiceReturnCode(ret),
@@ -1144,6 +1146,7 @@
return;
}
if (ret != ErrorCode::OK) {
+ dev->logIfKeymasterVendorError(ret);
cb->onFinished(KeyStoreServiceReturnCode(ret), {});
return;
}
@@ -1154,9 +1157,9 @@
std::tuple<ErrorCode, hidl_vec<hidl_vec<uint8_t>>>&& hidlResult) {
auto& [ret, certChain] = hidlResult;
// schedule temp key for deletion
- dev->deleteKey(std::move(hidlKeyBlob), [](Return<ErrorCode> rc) {
+ dev->deleteKey(std::move(hidlKeyBlob), [dev](Return<ErrorCode> rc) {
// log error but don't return an error
- KS_HANDLE_HIDL_ERROR(rc);
+ KS_HANDLE_HIDL_ERROR(dev, rc);
});
if (!rc.isOk()) {
cb->onFinished(KeyStoreServiceReturnCode(ResponseCode::SYSTEM_ERROR), {});
@@ -1167,6 +1170,7 @@
KeyStoreServiceReturnCode(ret),
::android::security::keymaster::KeymasterCertificateChain(certChain));
} else {
+ dev->logIfKeymasterVendorError(ret);
cb->onFinished(KeyStoreServiceReturnCode(ret), {});
}
});
diff --git a/keystore/keymaster_worker.cpp b/keystore/keymaster_worker.cpp
index d2175b8..23a0023 100644
--- a/keystore/keymaster_worker.cpp
+++ b/keystore/keymaster_worker.cpp
@@ -22,6 +22,10 @@
#include <android-base/logging.h>
+#include <log/log_event_list.h>
+
+#include <private/android_logger.h>
+
#include "KeyStore.h"
#include "keymaster_enforcement.h"
@@ -70,6 +74,30 @@
if (keymasterDevice_) keymasterDevice_->halVersion();
}
+void KeymasterWorker::logIfKeymasterVendorError(ErrorCode ec) const {
+ keymasterDevice_->logIfKeymasterVendorError(ec);
+}
+
+void KeymasterWorker::deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob) {
+ // if we got the blob successfully, we try and delete it from the keymaster device
+ auto& dev = keymasterDevice_;
+ uid_t uid = blobfile->uid();
+ const auto& alias = blobfile->alias();
+
+ if (keyBlob.getType() == ::TYPE_KEYMASTER_10) {
+ auto ret = KS_HANDLE_HIDL_ERROR(dev, dev->deleteKey(blob2hidlVec(keyBlob)));
+ // A device doesn't have to implement delete_key.
+ bool success = ret == ErrorCode::OK || ret == ErrorCode::UNIMPLEMENTED;
+ if (__android_log_security()) {
+ android_log_event_list(SEC_TAG_KEY_DESTROYED)
+ << int32_t(success) << alias << int32_t(uid) << LOG_ID_SECURITY;
+ }
+ if (!success) {
+ LOG(ERROR) << "Keymaster delete for key " << alias << " of uid " << uid << " failed";
+ }
+ }
+}
+
std::tuple<KeyStoreServiceReturnCode, Blob>
KeymasterWorker::upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry,
const AuthorizationSet& params) {
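Review bot: `KeymasterWorker::logIfKeymasterVendorError` dereferences `keymasterDevice_` unconditionally, while the line just above it (`if (keymasterDevice_) keymasterDevice_->halVersion();`) treats the device as possibly null; if that guard is real, the new method needs the same one, `if (keymasterDevice_) keymasterDevice_->logIfKeymasterVendorError(ec);`. `deleteOldKeyOnUpgrade` tolerates `UNIMPLEMENTED` and only logs other failures, which is reasonable once the upgraded blob has already been stored, but a header comment should say so: `// Best-effort: the upgraded blob is already persisted, so a failed delete leaves a stale key in keymaster but never loses the entry; the security event records success=0 in that case.` `upgradeKeyBlob`'s signature at the end of the hunk continues outside it.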
@@ -98,6 +126,7 @@
auto& dev = keymasterDevice_;
auto hidlCb = [&](ErrorCode ret, const ::std::vector<uint8_t>& upgradedKeyBlob) {
+ dev->logIfKeymasterVendorError(ret);
error = ret;
if (!error.isOk()) {
if (error == ErrorCode::INVALID_KEY_BLOB) {
@@ -106,12 +135,6 @@
return;
}
- error = keyStore_->del(lockedEntry);
- if (!error.isOk()) {
- ALOGI("upgradeKeyBlob keystore->del failed %d", error.getErrorCode());
- return;
- }
-
Blob newBlob(&upgradedKeyBlob[0], upgradedKeyBlob.size(), nullptr /* info */,
0 /* infoLength */, ::TYPE_KEYMASTER_10);
newBlob.setSecurityLevel(blob.getSecurityLevel());
@@ -124,11 +147,13 @@
ALOGI("upgradeKeyBlob keystore->put failed %d", error.getErrorCode());
return;
}
+
+ deleteOldKeyOnUpgrade(lockedEntry, std::move(blob));
blob = std::move(newBlob);
};
KeyStoreServiceReturnCode error2;
- error2 = KS_HANDLE_HIDL_ERROR(dev->upgradeKey(hidlKey, params.hidl_data(), hidlCb));
+ error2 = KS_HANDLE_HIDL_ERROR(dev, dev->upgradeKey(hidlKey, params.hidl_data(), hidlCb));
if (!error2.isOk()) {
return error = error2, result;
}
@@ -171,6 +196,7 @@
}
auto hidlCb = [&](ErrorCode ret, const KeyCharacteristics& keyCharacteristics) {
+ dev->logIfKeymasterVendorError(ret);
error = ret;
if (!error.isOk()) {
if (error == ErrorCode::INVALID_KEY_BLOB) {
@@ -207,7 +233,7 @@
// this updates the key characteristics cache file to the new format or creates one in
// in the first place
rc = KS_HANDLE_HIDL_ERROR(
- dev->getKeyCharacteristics(hidlKeyBlob, clientId, appData, hidlCb));
+ dev, dev->getKeyCharacteristics(hidlKeyBlob, clientId, appData, hidlCb));
if (!rc.isOk()) {
return result;
}
@@ -228,7 +254,7 @@
auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
rc = KS_HANDLE_HIDL_ERROR(
- dev->getKeyCharacteristics(upgradedHidlKeyBlob, clientId, appData, hidlCb));
+ dev, dev->getKeyCharacteristics(upgradedHidlKeyBlob, clientId, appData, hidlCb));
if (!rc.isOk()) {
return result;
}
@@ -299,7 +325,7 @@
auto op = operationMap_.removeOperation(token, false /* wasOpSuccessful */);
if (op) {
keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
- return KS_HANDLE_HIDL_ERROR(keymasterDevice_->abort(op->handle));
+ return KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
} else {
return ErrorCode::INVALID_OPERATION_HANDLE;
}
@@ -376,7 +402,7 @@
// Add entropy to the device first.
if (entropy.size()) {
- rc = KS_HANDLE_HIDL_ERROR(dev->addRngEntropy(entropy));
+ rc = KS_HANDLE_HIDL_ERROR(dev, dev->addRngEntropy(entropy));
if (!rc.isOk()) {
return worker_cb(operationFailed(rc));
}
@@ -414,6 +440,7 @@
auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
uint64_t operationHandle) {
+ dev->logIfKeymasterVendorError(ret);
result.resultCode = ret;
if (!result.resultCode.isOk()) {
if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
@@ -426,8 +453,8 @@
};
do {
- rc = KS_HANDLE_HIDL_ERROR(dev->begin(purpose, blob2hidlVec(keyBlob),
- opParams.hidl_data(), authToken, hidlCb));
+ rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
+ opParams.hidl_data(), authToken, hidlCb));
if (!rc.isOk()) {
LOG(ERROR) << "Got error " << rc << " from begin()";
return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
@@ -439,8 +466,8 @@
return worker_cb(operationFailed(rc));
}
- rc = KS_HANDLE_HIDL_ERROR(dev->begin(purpose, blob2hidlVec(keyBlob),
- opParams.hidl_data(), authToken, hidlCb));
+ rc = KS_HANDLE_HIDL_ERROR(dev, dev->begin(purpose, blob2hidlVec(keyBlob),
+ opParams.hidl_data(), authToken, hidlCb));
if (!rc.isOk()) {
LOG(ERROR) << "Got error " << rc << " from begin()";
return worker_cb(operationFailed(ResponseCode::SYSTEM_ERROR));
@@ -557,7 +584,7 @@
Finalize abort_operation_in_case_of_error([&] {
operationMap_.removeOperation(token, false);
keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
- KS_HANDLE_HIDL_ERROR(keymasterDevice_->abort(op->handle));
+ KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
});
rc = getOperationAuthTokenIfNeeded(op);
@@ -577,6 +604,7 @@
auto hidlCb = [&](ErrorCode ret, uint32_t inputConsumed,
const hidl_vec<KeyParameter>& outParams,
const ::std::vector<uint8_t>& output) {
+ op->device->logIfKeymasterVendorError(ret);
result.resultCode = ret;
if (result.resultCode.isOk()) {
result.inputConsumed = inputConsumed;
@@ -585,7 +613,8 @@
}
};
- rc = KS_HANDLE_HIDL_ERROR(op->device->update(op->handle, params.hidl_data(), data,
+ rc = KS_HANDLE_HIDL_ERROR(op->device,
+ op->device->update(op->handle, params.hidl_data(), data,
op->authToken, op->verificationToken, hidlCb));
// just a reminder: on success result->resultCode was set in the callback. So we only
@@ -634,7 +663,8 @@
Finalize abort_operation_in_case_of_error([&] {
operationMap_.removeOperation(token, finished && rc.isOk());
keyStore_->getAuthTokenTable().MarkCompleted(op->handle);
- if (!finished) KS_HANDLE_HIDL_ERROR(keymasterDevice_->abort(op->handle));
+ if (!finished)
+ KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->abort(op->handle));
});
if (!checkAllowedOperationParams(params.begin(), params.end())) {
@@ -665,7 +695,7 @@
if (!rc.isOk()) return worker_cb(operationFailed(rc));
if (entropy.size()) {
- rc = KS_HANDLE_HIDL_ERROR(op->device->addRngEntropy(entropy));
+ rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->addRngEntropy(entropy));
if (!rc.isOk()) {
return worker_cb(operationFailed(rc));
}
@@ -674,6 +704,7 @@
OperationResult result;
auto hidlCb = [&](ErrorCode ret, const hidl_vec<KeyParameter>& outParams,
const ::std::vector<uint8_t>& output) {
+ op->device->logIfKeymasterVendorError(ret);
result.resultCode = ret;
if (result.resultCode.isOk()) {
result.outParams = outParams;
@@ -681,9 +712,9 @@
}
};
- rc = KS_HANDLE_HIDL_ERROR(op->device->finish(op->handle, params.hidl_data(), input,
- signature, op->authToken,
- op->verificationToken, hidlCb));
+ rc = KS_HANDLE_HIDL_ERROR(op->device, op->device->finish(op->handle, params.hidl_data(),
+ input, signature, op->authToken,
+ op->verificationToken, hidlCb));
if (rc.isOk()) {
// inform the finalizer that the finish call went through
@@ -709,11 +740,14 @@
CAPTURE_MOVE(worker_cb)]() {
KeyStoreServiceReturnCode error;
VerificationToken verificationToken;
- KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_->verifyAuthorization(
- challenge, params, token, [&](ErrorCode error_, const VerificationToken& vToken) {
- error = error_;
- verificationToken = vToken;
- }));
+ KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
+ keymasterDevice_,
+ keymasterDevice_->verifyAuthorization(
+ challenge, params, token, [&](ErrorCode ret, const VerificationToken& vToken) {
+ keymasterDevice_->logIfKeymasterVendorError(ret);
+ error = ret;
+ verificationToken = vToken;
+ }));
worker_cb(rc.isOk() ? error : rc, std::move(token), std::move(verificationToken));
});
}
@@ -739,7 +773,7 @@
Worker::addRequest([this, CAPTURE_MOVE(lockedEntry), CAPTURE_MOVE(keyParams),
CAPTURE_MOVE(entropy), CAPTURE_MOVE(worker_cb), flags]() mutable {
KeyStoreServiceReturnCode rc =
- KS_HANDLE_HIDL_ERROR(keymasterDevice_->addRngEntropy(entropy));
+ KS_HANDLE_HIDL_ERROR(keymasterDevice_, keymasterDevice_->addRngEntropy(entropy));
if (!rc.isOk()) {
return worker_cb(rc, {});
}
@@ -757,6 +791,7 @@
KeyStoreServiceReturnCode error;
auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
const KeyCharacteristics& keyCharacteristics) {
+ keymasterDevice_->logIfKeymasterVendorError(ret);
error = ret;
if (!error.isOk()) {
return;
@@ -788,7 +823,8 @@
error = keyStore_->put(lockedEntry, std::move(keyBlob), std::move(keyCharBlob));
};
- rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_->generateKey(keyParams, hidl_cb));
+ rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
+ keymasterDevice_->generateKey(keyParams, hidl_cb));
if (!rc.isOk()) {
return worker_cb(rc, {});
}
@@ -859,6 +895,7 @@
KeyStoreServiceReturnCode error;
auto hidl_cb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
const KeyCharacteristics& keyCharacteristics) {
+ keymasterDevice_->logIfKeymasterVendorError(ret);
error = ret;
if (!error.isOk()) {
LOG(INFO) << "importKey failed";
@@ -892,7 +929,7 @@
};
KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
- keymasterDevice_->importKey(keyParams, keyFormat, keyData, hidl_cb));
+ keymasterDevice_, keymasterDevice_->importKey(keyParams, keyFormat, keyData, hidl_cb));
if (!rc.isOk()) {
return worker_cb(rc, {});
}
@@ -949,6 +986,7 @@
auto hidlCb = [&](ErrorCode ret, const hidl_vec<uint8_t>& hidlKeyBlob,
const KeyCharacteristics& keyCharacteristics) {
+ keymasterDevice_->logIfKeymasterVendorError(ret);
error = ret;
if (!error.isOk()) {
return;
@@ -972,9 +1010,10 @@
error = keyStore_->put(wrapppedLockedEntry, std::move(keyBlob), std::move(keyCharBlob));
};
- KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_->importWrappedKey(
- wrappedKeyData, hidlWrappingKey, maskingKey, unwrappingParams, passwordSid,
- biometricSid, hidlCb));
+ KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
+ keymasterDevice_, keymasterDevice_->importWrappedKey(
+ wrappedKeyData, hidlWrappingKey, maskingKey, unwrappingParams,
+ passwordSid, biometricSid, hidlCb));
// possible hidl error
if (!rc.isOk()) {
@@ -989,9 +1028,10 @@
auto upgradedHidlKeyBlob = blob2hidlVec(wrappingBlob);
- rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_->importWrappedKey(
- wrappedKeyData, upgradedHidlKeyBlob, maskingKey, unwrappingParams, passwordSid,
- biometricSid, hidlCb));
+ rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
+ keymasterDevice_->importWrappedKey(
+ wrappedKeyData, upgradedHidlKeyBlob, maskingKey,
+ unwrappingParams, passwordSid, biometricSid, hidlCb));
if (!rc.isOk()) {
error = rc;
}
@@ -1011,6 +1051,7 @@
ExportResult result;
auto hidlCb = [&](ErrorCode ret,
const ::android::hardware::hidl_vec<uint8_t>& keyMaterial) {
+ keymasterDevice_->logIfKeymasterVendorError(ret);
result.resultCode = ret;
if (!result.resultCode.isOk()) {
if (result.resultCode == ErrorCode::INVALID_KEY_BLOB) {
@@ -1021,6 +1062,7 @@
result.exportData = keyMaterial;
};
KeyStoreServiceReturnCode rc = KS_HANDLE_HIDL_ERROR(
+ keymasterDevice_,
keymasterDevice_->exportKey(exportFormat, key, clientId, appData, hidlCb));
// Overwrite result->resultCode only on HIDL error. Otherwise we want the result set in the
@@ -1044,7 +1086,8 @@
auto upgradedHidlKeyBlob = blob2hidlVec(keyBlob);
- rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_->exportKey(exportFormat, upgradedHidlKeyBlob,
+ rc = KS_HANDLE_HIDL_ERROR(keymasterDevice_,
+ keymasterDevice_->exportKey(exportFormat, upgradedHidlKeyBlob,
clientId, appData, hidlCb));
if (!rc.isOk()) {
result.resultCode = rc;
@@ -1058,21 +1101,10 @@
addRequest(&Keymaster::attestKey, std::move(worker_cb), std::move(keyToAttest),
std::move(attestParams));
}
-void KeymasterWorker::upgradeKey(hidl_vec<uint8_t> keyBlobToUpgrade,
- hidl_vec<KeyParameter> upgradeParams, upgradeKey_cb _hidl_cb) {
- addRequest(&Keymaster::upgradeKey, std::move(_hidl_cb), std::move(keyBlobToUpgrade),
- std::move(upgradeParams));
-}
void KeymasterWorker::deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb) {
addRequest(&Keymaster::deleteKey, std::move(_hidl_cb), std::move(keyBlob));
}
-void KeymasterWorker::deleteAllKeys(deleteAllKeys_cb _hidl_cb) {
- addRequest(&Keymaster::deleteAllKeys, std::move(_hidl_cb));
-}
-void KeymasterWorker::destroyAttestationIds(destroyAttestationIds_cb _hidl_cb) {
- addRequest(&Keymaster::destroyAttestationIds, move(_hidl_cb));
-}
void KeymasterWorker::binderDied(android::wp<IBinder> who) {
Worker::addRequest([this, who]() {
diff --git a/keystore/keymaster_worker.h b/keystore/keymaster_worker.h
index c02d389..2c72c80 100644
--- a/keystore/keymaster_worker.h
+++ b/keystore/keymaster_worker.h
@@ -175,6 +175,8 @@
unwrap_tuple(kmfn, std::move(cb), tuple, std::index_sequence_for<Args...>{});
});
}
+
+ void deleteOldKeyOnUpgrade(const LockedKeyBlobEntry& blobfile, Blob keyBlob);
std::tuple<KeyStoreServiceReturnCode, Blob>
upgradeKeyBlob(const LockedKeyBlobEntry& lockedEntry, const AuthorizationSet& params);
std::tuple<KeyStoreServiceReturnCode, KeyCharacteristics, Blob, Blob>
@@ -207,6 +209,8 @@
public:
KeymasterWorker(sp<Keymaster> keymasterDevice, KeyStore* keyStore);
+ void logIfKeymasterVendorError(ErrorCode ec) const;
+
using worker_begin_cb = std::function<void(::android::security::keymaster::OperationResult)>;
void begin(LockedKeyBlobEntry, sp<IBinder> appToken, Blob keyBlob, Blob charBlob,
bool pruneable, KeyPurpose purpose, AuthorizationSet opParams,
@@ -279,19 +283,9 @@
void attestKey(hidl_vec<uint8_t> keyToAttest, hidl_vec<KeyParameter> attestParams,
attestKey_cb _hidl_cb);
- using upgradeKey_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::upgradeKey_cb>;
- void upgradeKey(hidl_vec<uint8_t> keyBlobToUpgrade, hidl_vec<KeyParameter> upgradeParams,
- upgradeKey_cb _hidl_cb);
-
using deleteKey_cb = MakeKeymasterWorkerCB_t<Return<ErrorCode>>;
void deleteKey(hidl_vec<uint8_t> keyBlob, deleteKey_cb _hidl_cb);
- using deleteAllKeys_cb = MakeKeymasterWorkerCB_t<Return<ErrorCode>>;
- void deleteAllKeys(deleteAllKeys_cb _hidl_cb);
-
- using destroyAttestationIds_cb = MakeKeymasterWorkerCB_t<Return<ErrorCode>>;
- void destroyAttestationIds(destroyAttestationIds_cb _hidl_cb);
-
using begin_cb = MakeKeymasterWorkerCB_t<Return<void>, Keymaster::begin_cb>;
void begin(KeyPurpose purpose, hidl_vec<uint8_t> key, hidl_vec<KeyParameter> inParams,
HardwareAuthToken authToken, begin_cb _hidl_cb);
diff --git a/keystore/keystore_utils.cpp b/keystore/keystore_utils.cpp
index 78056d6..f0f6098 100644
--- a/keystore/keystore_utils.cpp
+++ b/keystore/keystore_utils.cpp
@@ -31,6 +31,9 @@
#include <keystore/keymaster_types.h>
#include <keystore/keystore_client.h>
+#include <android-base/logging.h>
+#include <android-base/unique_fd.h>
+
#include "blob.h"
size_t readFully(int fd, uint8_t* data, size_t size) {
@@ -64,6 +67,44 @@
return size;
}
+std::string getContainingDirectory(const std::string& filename) {
+ std::string containing_dir;
+ size_t last_pos;
+ size_t pos = std::string::npos;
+
+ __builtin_add_overflow(filename.size(), -1, &last_pos);
+
+ // strip all trailing '/'
+ while ((pos = filename.find_last_of('/', last_pos)) == last_pos && pos != 0) {
+ --last_pos;
+ }
+
+ if (pos == 0) {
+ containing_dir = "/";
+ } else if (pos == std::string::npos) {
+ containing_dir = ".";
+ } else {
+ containing_dir = filename.substr(0, pos);
+ }
+
+ return containing_dir;
+}
+
+void fsyncDirectory(const std::string& path) {
+ android::base::unique_fd dir_fd(TEMP_FAILURE_RETRY(open(path.c_str(), O_DIRECTORY | O_RDONLY)));
+
+ if (dir_fd < 0) {
+ LOG(WARNING) << "Could not open dir: " << path << " error: " << strerror(errno);
+ return;
+ }
+
+ if (TEMP_FAILURE_RETRY(fsync(dir_fd)) == -1) {
+ LOG(WARNING) << "Failed to fsync the directory " << path << " error: " << strerror(errno);
+ }
+
+ return;
+}
+
void add_legacy_key_authorizations(int keyType, keystore::AuthorizationSet* params) {
using namespace keystore;
params->push_back(TAG_PURPOSE, KeyPurpose::SIGN);
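Review bot: `__builtin_add_overflow(filename.size(), -1, &last_pos)` in `getContainingDirectory` discards the overflow flag, so for an empty `filename` `last_pos` silently wraps to `SIZE_MAX` and the "." result is reached only because `find_last_of` happens to return `npos` there; `if (filename.empty()) return ".";` followed by `size_t last_pos = filename.size() - 1;` expresses the same intent without relying on wraparound. `fsyncDirectory` opens the directory without `O_CLOEXEC`, so the descriptor would be inherited by any child process spawned while it is open; `O_DIRECTORY | O_RDONLY | O_CLOEXEC` closes that gap. The trailing `return;` in `fsyncDirectory` is redundant and can be dropped. Both functions are complete within the hunk.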
diff --git a/keystore/keystore_utils.h b/keystore/keystore_utils.h
index 3bc9c01..380eb4e 100644
--- a/keystore/keystore_utils.h
+++ b/keystore/keystore_utils.h
@@ -18,6 +18,7 @@
#define KEYSTORE_KEYSTORE_UTILS_H_
#include <cstdint>
+#include <string>
#include <vector>
#include <openssl/evp.h>
@@ -29,6 +30,8 @@
size_t readFully(int fd, uint8_t* data, size_t size);
size_t writeFully(int fd, uint8_t* data, size_t size);
+std::string getContainingDirectory(const std::string& filename);
+void fsyncDirectory(const std::string& path);
void add_legacy_key_authorizations(int keyType, keystore::AuthorizationSet* params);