Add support for target specific ACL
Bug: 165843730
Test: pin unlock, biometric enroll, biometric auth
Change-Id: Ie7f8c2e524501390fe8a99db8ce3c10ce778106b
diff --git a/ipc/keymaster_generic_access_policy.cpp b/ipc/keymaster_generic_access_policy.cpp
new file mode 100644
index 0000000..9c138aa
--- /dev/null
+++ b/ipc/keymaster_generic_access_policy.cpp
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <uapi/trusty_uuid.h>
+
+#include <interface/keymaster/keymaster.h>
+
+#define TLOG_TAG "KMAccessPolicy"
+#include <trusty_log.h>
+
+static uuid_t accessible_uuids[] = {
+ /* gatekeeper uuid */
+ {0x38ba0cdc,
+ 0xdf0e,
+ 0x11e4,
+ {0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95}},
+ /* confirmation ui uuid */
+ {0x7dee2364,
+ 0xc036,
+ 0x425b,
+ {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b}},
+};
+
+bool keymaster_check_target_access_policy(uuid_t* uuid) {
+ for (auto accessible_uuid : accessible_uuids) {
+ if (memcmp(uuid, &accessible_uuid, sizeof(accessible_uuid)) == 0) {
+ return true;
+ }
+ }
+ return false;
+}
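Review bot: The allow-list `accessible_uuids` in the new file is a mutable `static uuid_t` array, so the table that gates the secure keymaster port sits in writable data. Declaring it `static const uuid_t accessible_uuids[] = {` lets the toolchain place it in read-only storage and rules out accidental modification. The loop `for (auto accessible_uuid : accessible_uuids)` copies each 16-byte entry; `for (const auto& accessible_uuid : accessible_uuids)` avoids the copy and works with the const table. `uuid` goes straight into `memcmp` with no null check, so the function should either reject `nullptr` with `return false` or document that the pointer must be valid. `TLOG_TAG` is defined and `trusty_log.h` is included but nothing is logged; if the caller does not already record rejected connections, a `TLOGE` on the deny path would leave a trace for detection.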
diff --git a/ipc/keymaster_ipc.cpp b/ipc/keymaster_ipc.cpp
index c39f5f2..d1c1e33 100644
--- a/ipc/keymaster_ipc.cpp
+++ b/ipc/keymaster_ipc.cpp
@@ -36,18 +36,6 @@
using namespace keymaster;
-static uuid_t accessible_uuids[] = {
- /* gatekeeper uuid */
- {0x38ba0cdc,
- 0xdf0e,
- 0x11e4,
- {0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95}},
- /* confirmation ui uuid */
- {0x7dee2364,
- 0xc036,
- 0x425b,
- {0xb0, 0x86, 0xdf, 0x0f, 0x6c, 0x23, 0x3c, 0x1b}},
- };
typedef void (*event_handler_proc_t)(const uevent_t* ev, void* ctx);
struct tipc_event_handler {
@@ -595,18 +583,8 @@
}
}
-static bool keymaster_check_uuid_accessible(uuid_t* uuid) {
- for (auto accessible_uuid: accessible_uuids) {
- if (memcmp(uuid, &accessible_uuid, sizeof(accessible_uuid)) == 0) {
- return true;
- }
- }
- return false;
-}
-
static bool keymaster_port_accessible(uuid_t* uuid, bool secure) {
- return !secure ||
- keymaster_check_uuid_accessible(uuid);
+ return !secure || keymaster_check_target_access_policy(uuid);
}
static keymaster_chan_ctx* keymaster_ctx_open(handle_t chan,
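Review bot: `keymaster_port_accessible` returns true for every caller when `secure` is false, so the now-pluggable target policy is consulted only on the secure path. That short-circuit is easy to overlook and deserves a comment above the return, e.g. `// Only the secure port is gated by the access policy; non-secure connections are accepted for any uuid.` If a target is meant to be able to restrict non-secure clients as well, the hook would need the `secure` flag passed through; this hunk does not show whether that is intended.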
diff --git a/ipc/keymaster_ipc.h b/ipc/keymaster_ipc.h
index 70deb1c..854c8d8 100644
--- a/ipc/keymaster_ipc.h
+++ b/ipc/keymaster_ipc.h
@@ -19,6 +19,8 @@
#define KEYMASTER_PORT "com.android.trusty.keymaster"
#define KEYMASTER_MAX_BUFFER_LENGTH 4096
+#include <uapi/trusty_uuid.h>
+
// Commands
enum keymaster_command {
KEYMASTER_RESP_BIT = 1,
@@ -66,6 +68,13 @@
KM_CLEAR_ATTESTATION_CERT_CHAIN = (0xa000 << KEYMASTER_REQ_SHIFT),
};
+/**
+ * check uuid against the target-specific acesss policy
+ *
+ * @uuid: the uuid of the requesting client
+ */
+bool keymaster_check_target_access_policy(uuid_t* uuid);
+
#ifdef __ANDROID__
/**
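Review bot: The doc comment on `keymaster_check_target_access_policy` omits the return contract, which a target-supplied implementation of this hook needs. Add a line such as `@return: true if the client may connect to the secure port, false to reject it`, and state that implementations must deny by default for unknown uuids. "acesss" in the first line is a typo for "access". Since the generic implementation only reads through the pointer, `const uuid_t* uuid` would describe the parameter more accurately, although the caller's signature outside this hunk would need to agree.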
diff --git a/ipc/rules.mk b/ipc/rules.mk
index a8226e6..158e732 100644
--- a/ipc/rules.mk
+++ b/ipc/rules.mk
@@ -19,4 +19,10 @@
MODULE_DEPS += trusty/user/base/interface/keymaster
+ifdef TRUSTY_KM_TARGET_ACCESS_POLICY
+ MODULE_DEPS+= $(TRUSTY_KM_TARGET_ACCESS_POLICY)
+else
+ MODULE_SRCS+= $(CUR_DIR)/keymaster_generic_access_policy.cpp
+endif
+
CUR_DIR =
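Review bot: Setting `TRUSTY_KM_TARGET_ACCESS_POLICY` drops `keymaster_generic_access_policy.cpp` from the build entirely, so a target module replaces the gatekeeper / confirmation-ui allow-list instead of extending it, and nothing here says so. A comment above the `ifdef` would make that explicit, e.g. `# Module named here must define keymaster_check_target_access_policy() and fully replaces the generic allow-list.` As a style point, `MODULE_DEPS+=` and `MODULE_SRCS+=` omit the space before `+=` that the `MODULE_DEPS += ...` line just above uses.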