1 // Copyright 2020, The Android Open Source Project 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 //! This crate implements the IKeystoreSecurityLevel interface. 16 17 use crate::attestation_key_utils::{get_attest_key_info, AttestationKeyInfo}; 18 use crate::audit_log::{ 19 log_key_deleted, log_key_generated, log_key_imported, log_key_integrity_violation, 20 }; 21 use crate::database::{BlobInfo, CertificateInfo, KeyIdGuard}; 22 use crate::error::{ 23 self, into_logged_binder, map_km_error, wrapped_rkpd_error_to_ks_error, Error, ErrorCode, 24 }; 25 use crate::globals::{ 26 get_remotely_provisioned_component_name, DB, ENFORCEMENTS, LEGACY_IMPORTER, SUPER_KEY, 27 }; 28 use crate::key_parameter::KeyParameter as KsKeyParam; 29 use crate::key_parameter::KeyParameterValue as KsKeyParamValue; 30 use crate::ks_err; 31 use crate::metrics_store::log_key_creation_event_stats; 32 use crate::remote_provisioning::RemProvState; 33 use crate::super_key::{KeyBlob, SuperKeyManager}; 34 use crate::utils::{ 35 check_device_attestation_permissions, check_key_permission, 36 check_unique_id_attestation_permissions, is_device_id_attestation_tag, 37 key_characteristics_to_internal, log_security_safe_params, uid_to_android_user, watchdog as wd, 38 UNDEFINED_NOT_AFTER, 39 }; 40 use crate::{ 41 database::{ 42 BlobMetaData, BlobMetaEntry, DateTime, KeyEntry, KeyEntryLoadBits, KeyMetaData, 43 KeyMetaEntry, KeyType, SubComponentType, Uuid, 44 }, 45 operation::KeystoreOperation, 46 operation::LoggingInfo, 47 operation::OperationDb, 48 permission::KeyPerm, 49 }; 50 use crate::{globals::get_keymint_device, id_rotation::IdRotationState}; 51 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ 52 Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate, 53 HardwareAuthenticatorType::HardwareAuthenticatorType, IKeyMintDevice::IKeyMintDevice, 54 KeyCreationResult::KeyCreationResult, KeyFormat::KeyFormat, 55 KeyMintHardwareInfo::KeyMintHardwareInfo, KeyParameter::KeyParameter, 56 KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag, 57 }; 58 use android_hardware_security_keymint::binder::{BinderFeatures, Strong, ThreadState}; 59 use android_system_keystore2::aidl::android::system::keystore2::{ 60 AuthenticatorSpec::AuthenticatorSpec, CreateOperationResponse::CreateOperationResponse, 61 Domain::Domain, EphemeralStorageKeyResponse::EphemeralStorageKeyResponse, 62 IKeystoreOperation::IKeystoreOperation, IKeystoreSecurityLevel::BnKeystoreSecurityLevel, 63 IKeystoreSecurityLevel::IKeystoreSecurityLevel, KeyDescriptor::KeyDescriptor, 64 KeyMetadata::KeyMetadata, KeyParameters::KeyParameters, ResponseCode::ResponseCode, 65 }; 66 use anyhow::{anyhow, Context, Result}; 67 use postprocessor_client::process_certificate_chain; 68 use rkpd_client::store_rkpd_attestation_key; 69 use rustutils::system_properties::read_bool; 70 use std::convert::TryInto; 71 use std::time::SystemTime; 72 73 /// Implementation of the IKeystoreSecurityLevel Interface. 74 pub struct KeystoreSecurityLevel { 75 security_level: SecurityLevel, 76 keymint: Strong<dyn IKeyMintDevice>, 77 hw_info: KeyMintHardwareInfo, 78 km_uuid: Uuid, 79 operation_db: OperationDb, 80 rem_prov_state: RemProvState, 81 id_rotation_state: IdRotationState, 82 } 83 84 // Blob of 32 zeroes used as empty masking key. 85 static ZERO_BLOB_32: &[u8] = &[0; 32]; 86 87 impl KeystoreSecurityLevel { 88 /// Creates a new security level instance wrapped in a 89 /// BnKeystoreSecurityLevel proxy object. It also enables 90 /// `BinderFeatures::set_requesting_sid` on the new interface, because 91 /// we need it for checking keystore permissions. new_native_binder( security_level: SecurityLevel, id_rotation_state: IdRotationState, ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)>92 pub fn new_native_binder( 93 security_level: SecurityLevel, 94 id_rotation_state: IdRotationState, 95 ) -> Result<(Strong<dyn IKeystoreSecurityLevel>, Uuid)> { 96 let (dev, hw_info, km_uuid) = get_keymint_device(&security_level) 97 .context(ks_err!("KeystoreSecurityLevel::new_native_binder."))?; 98 let result = BnKeystoreSecurityLevel::new_binder( 99 Self { 100 security_level, 101 keymint: dev, 102 hw_info, 103 km_uuid, 104 operation_db: OperationDb::new(), 105 rem_prov_state: RemProvState::new(security_level), 106 id_rotation_state, 107 }, 108 BinderFeatures { set_requesting_sid: true, ..BinderFeatures::default() }, 109 ); 110 Ok((result, km_uuid)) 111 } 112 watch_millis(&self, id: &'static str, millis: u64) -> Option<wd::WatchPoint>113 fn watch_millis(&self, id: &'static str, millis: u64) -> Option<wd::WatchPoint> { 114 let sec_level = self.security_level; 115 wd::watch_millis_with(id, millis, sec_level) 116 } 117 watch(&self, id: &'static str) -> Option<wd::WatchPoint>118 fn watch(&self, id: &'static str) -> Option<wd::WatchPoint> { 119 let sec_level = self.security_level; 120 wd::watch_millis_with(id, wd::DEFAULT_TIMEOUT_MS, sec_level) 121 } 122 store_new_key( &self, key: KeyDescriptor, creation_result: KeyCreationResult, user_id: u32, flags: Option<i32>, ) -> Result<KeyMetadata>123 fn store_new_key( 124 &self, 125 key: KeyDescriptor, 126 creation_result: KeyCreationResult, 127 user_id: u32, 128 flags: Option<i32>, 129 ) -> Result<KeyMetadata> { 130 let KeyCreationResult { 131 keyBlob: key_blob, 132 keyCharacteristics: key_characteristics, 133 certificateChain: mut certificate_chain, 134 } = creation_result; 135 136 // Unify the possible contents of the certificate chain. The first entry in the `Vec` is 137 // always the leaf certificate (if present), but the rest of the chain may be present as 138 // either: 139 // - `certificate_chain[1..n]`: each entry holds a single certificate, as returned by 140 // KeyMint, or 141 // - `certificate[1`]: a single `Certificate` from RKP that actually (and confusingly) 142 // holds the DER-encoded certs of the chain concatenated together. 143 let mut cert_info: CertificateInfo = CertificateInfo::new( 144 // Leaf is always a single cert in the first entry, if present. 145 match certificate_chain.len() { 146 0 => None, 147 _ => Some(certificate_chain.remove(0).encodedCertificate), 148 }, 149 // Remainder may be either `[1..n]` individual certs, or just `[1]` holding a 150 // concatenated chain. Convert the former to the latter. 151 match certificate_chain.len() { 152 0 => None, 153 _ => Some( 154 certificate_chain 155 .iter() 156 .flat_map(|c| c.encodedCertificate.iter()) 157 .copied() 158 .collect(), 159 ), 160 }, 161 ); 162 163 let mut key_parameters = key_characteristics_to_internal(key_characteristics); 164 165 key_parameters.push(KsKeyParam::new( 166 KsKeyParamValue::UserID(user_id as i32), 167 SecurityLevel::SOFTWARE, 168 )); 169 170 let creation_date = DateTime::now().context(ks_err!("Trying to make creation time."))?; 171 172 let key = match key.domain { 173 Domain::BLOB => KeyDescriptor { 174 domain: Domain::BLOB, 175 blob: Some(key_blob.to_vec()), 176 ..Default::default() 177 }, 178 _ => DB 179 .with::<_, Result<KeyDescriptor>>(|db| { 180 let mut db = db.borrow_mut(); 181 182 let (key_blob, mut blob_metadata) = SUPER_KEY 183 .read() 184 .unwrap() 185 .handle_super_encryption_on_key_init( 186 &mut db, 187 &LEGACY_IMPORTER, 188 &(key.domain), 189 &key_parameters, 190 flags, 191 user_id, 192 &key_blob, 193 ) 194 .context(ks_err!("Failed to handle super encryption."))?; 195 196 let mut key_metadata = KeyMetaData::new(); 197 key_metadata.add(KeyMetaEntry::CreationDate(creation_date)); 198 blob_metadata.add(BlobMetaEntry::KmUuid(self.km_uuid)); 199 200 let key_id = db 201 .store_new_key( 202 &key, 203 KeyType::Client, 204 &key_parameters, 205 &BlobInfo::new(&key_blob, &blob_metadata), 206 &cert_info, 207 &key_metadata, 208 &self.km_uuid, 209 ) 210 .context(ks_err!())?; 211 Ok(KeyDescriptor { 212 domain: Domain::KEY_ID, 213 nspace: key_id.id(), 214 ..Default::default() 215 }) 216 }) 217 .context(ks_err!())?, 218 }; 219 220 Ok(KeyMetadata { 221 key, 222 keySecurityLevel: self.security_level, 223 certificate: cert_info.take_cert(), 224 certificateChain: cert_info.take_cert_chain(), 225 authorizations: crate::utils::key_parameters_to_authorizations(key_parameters), 226 modificationTimeMs: creation_date.to_millis_epoch(), 227 }) 228 } 229 create_operation( &self, key: &KeyDescriptor, operation_parameters: &[KeyParameter], forced: bool, ) -> Result<CreateOperationResponse>230 fn create_operation( 231 &self, 232 key: &KeyDescriptor, 233 operation_parameters: &[KeyParameter], 234 forced: bool, 235 ) -> Result<CreateOperationResponse> { 236 let caller_uid = ThreadState::get_calling_uid(); 237 // We use `scoping_blob` to extend the life cycle of the blob loaded from the database, 238 // so that we can use it by reference like the blob provided by the key descriptor. 239 // Otherwise, we would have to clone the blob from the key descriptor. 240 let scoping_blob: Vec<u8>; 241 let (km_blob, key_properties, key_id_guard, blob_metadata) = match key.domain { 242 Domain::BLOB => { 243 check_key_permission(KeyPerm::Use, key, &None) 244 .context(ks_err!("checking use permission for Domain::BLOB."))?; 245 if forced { 246 check_key_permission(KeyPerm::ReqForcedOp, key, &None) 247 .context(ks_err!("checking forced permission for Domain::BLOB."))?; 248 } 249 ( 250 match &key.blob { 251 Some(blob) => blob, 252 None => { 253 return Err(Error::sys()).context(ks_err!( 254 "Key blob must be specified when \ 255 using Domain::BLOB." 256 )); 257 } 258 }, 259 None, 260 None, 261 BlobMetaData::new(), 262 ) 263 } 264 _ => { 265 let super_key = SUPER_KEY 266 .read() 267 .unwrap() 268 .get_after_first_unlock_key_by_user_id(uid_to_android_user(caller_uid)); 269 let (key_id_guard, mut key_entry) = DB 270 .with::<_, Result<(KeyIdGuard, KeyEntry)>>(|db| { 271 LEGACY_IMPORTER.with_try_import(key, caller_uid, super_key, || { 272 db.borrow_mut().load_key_entry( 273 key, 274 KeyType::Client, 275 KeyEntryLoadBits::KM, 276 caller_uid, 277 |k, av| { 278 check_key_permission(KeyPerm::Use, k, &av)?; 279 if forced { 280 check_key_permission(KeyPerm::ReqForcedOp, k, &av)?; 281 } 282 Ok(()) 283 }, 284 ) 285 }) 286 }) 287 .context(ks_err!("Failed to load key blob."))?; 288 289 let (blob, blob_metadata) = 290 key_entry.take_key_blob_info().ok_or_else(Error::sys).context(ks_err!( 291 "Successfully loaded key entry, \ 292 but KM blob was missing." 293 ))?; 294 scoping_blob = blob; 295 296 ( 297 &scoping_blob, 298 Some((key_id_guard.id(), key_entry.into_key_parameters())), 299 Some(key_id_guard), 300 blob_metadata, 301 ) 302 } 303 }; 304 305 let purpose = operation_parameters.iter().find(|p| p.tag == Tag::PURPOSE).map_or( 306 Err(Error::Km(ErrorCode::INVALID_ARGUMENT)) 307 .context(ks_err!("No operation purpose specified.")), 308 |kp| match kp.value { 309 KeyParameterValue::KeyPurpose(p) => Ok(p), 310 _ => Err(Error::Km(ErrorCode::INVALID_ARGUMENT)) 311 .context(ks_err!("Malformed KeyParameter.")), 312 }, 313 )?; 314 315 // Remove Tag::PURPOSE from the operation_parameters, since some keymaster devices return 316 // an error on begin() if Tag::PURPOSE is in the operation_parameters. 317 let op_params: Vec<KeyParameter> = 318 operation_parameters.iter().filter(|p| p.tag != Tag::PURPOSE).cloned().collect(); 319 let operation_parameters = op_params.as_slice(); 320 321 let (immediate_hat, mut auth_info) = ENFORCEMENTS 322 .authorize_create( 323 purpose, 324 key_properties.as_ref(), 325 operation_parameters.as_ref(), 326 self.hw_info.timestampTokenRequired, 327 ) 328 .context(ks_err!())?; 329 330 let km_blob = SUPER_KEY 331 .read() 332 .unwrap() 333 .unwrap_key_if_required(&blob_metadata, km_blob) 334 .context(ks_err!("Failed to handle super encryption."))?; 335 336 let (begin_result, upgraded_blob) = self 337 .upgrade_keyblob_if_required_with( 338 key_id_guard, 339 &km_blob, 340 blob_metadata.km_uuid().copied(), 341 operation_parameters, 342 |blob| loop { 343 match map_km_error({ 344 let _wp = self.watch( 345 "KeystoreSecurityLevel::create_operation: calling IKeyMintDevice::begin", 346 ); 347 self.keymint.begin( 348 purpose, 349 blob, 350 operation_parameters, 351 immediate_hat.as_ref(), 352 ) 353 }) { 354 Err(Error::Km(ErrorCode::TOO_MANY_OPERATIONS)) => { 355 self.operation_db.prune(caller_uid, forced)?; 356 continue; 357 } 358 v @ Err(Error::Km(ErrorCode::INVALID_KEY_BLOB)) => { 359 if let Some((key_id, _)) = key_properties { 360 if let Ok(Some(key)) = 361 DB.with(|db| db.borrow_mut().load_key_descriptor(key_id)) 362 { 363 log_key_integrity_violation(&key); 364 } else { 365 log::error!("Failed to load key descriptor for audit log"); 366 } 367 } 368 return v; 369 } 370 v => return v, 371 } 372 }, 373 ) 374 .context(ks_err!("Failed to begin operation."))?; 375 376 let operation_challenge = auth_info.finalize_create_authorization(begin_result.challenge); 377 378 let op_params: Vec<KeyParameter> = operation_parameters.to_vec(); 379 380 let operation = match begin_result.operation { 381 Some(km_op) => self.operation_db.create_operation( 382 km_op, 383 caller_uid, 384 auth_info, 385 forced, 386 LoggingInfo::new(self.security_level, purpose, op_params, upgraded_blob.is_some()), 387 ), 388 None => { 389 return Err(Error::sys()).context(ks_err!( 390 "Begin operation returned successfully, \ 391 but did not return a valid operation." 392 )); 393 } 394 }; 395 396 let op_binder: binder::Strong<dyn IKeystoreOperation> = 397 KeystoreOperation::new_native_binder(operation) 398 .as_binder() 399 .into_interface() 400 .context(ks_err!("Failed to create IKeystoreOperation."))?; 401 402 Ok(CreateOperationResponse { 403 iOperation: Some(op_binder), 404 operationChallenge: operation_challenge, 405 parameters: match begin_result.params.len() { 406 0 => None, 407 _ => Some(KeyParameters { keyParameter: begin_result.params }), 408 }, 409 // An upgraded blob should only be returned if the caller has permission 410 // to use Domain::BLOB keys. If we got to this point, we already checked 411 // that the caller had that permission. 412 upgradedBlob: if key.domain == Domain::BLOB { upgraded_blob } else { None }, 413 }) 414 } 415 add_required_parameters( &self, uid: u32, params: &[KeyParameter], key: &KeyDescriptor, ) -> Result<Vec<KeyParameter>>416 fn add_required_parameters( 417 &self, 418 uid: u32, 419 params: &[KeyParameter], 420 key: &KeyDescriptor, 421 ) -> Result<Vec<KeyParameter>> { 422 let mut result = params.to_vec(); 423 424 // Prevent callers from specifying the CREATION_DATETIME tag. 425 if params.iter().any(|kp| kp.tag == Tag::CREATION_DATETIME) { 426 return Err(Error::Rc(ResponseCode::INVALID_ARGUMENT)).context(ks_err!( 427 "KeystoreSecurityLevel::add_required_parameters: \ 428 Specifying Tag::CREATION_DATETIME is not allowed." 429 )); 430 } 431 432 // Use this variable to refer to notion of "now". This eliminates discrepancies from 433 // quering the clock multiple times. 434 let creation_datetime = SystemTime::now(); 435 436 // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer. 437 if self.hw_info.versionNumber >= 100 { 438 result.push(KeyParameter { 439 tag: Tag::CREATION_DATETIME, 440 value: KeyParameterValue::DateTime( 441 creation_datetime 442 .duration_since(SystemTime::UNIX_EPOCH) 443 .context(ks_err!( 444 "KeystoreSecurityLevel::add_required_parameters: \ 445 Failed to get epoch time." 446 ))? 447 .as_millis() 448 .try_into() 449 .context(ks_err!( 450 "KeystoreSecurityLevel::add_required_parameters: \ 451 Failed to convert epoch time." 452 ))?, 453 ), 454 }); 455 } 456 457 // If there is an attestation challenge we need to get an application id. 458 if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) { 459 let _wp = 460 self.watch(" KeystoreSecurityLevel::add_required_parameters: calling get_aaid"); 461 match keystore2_aaid::get_aaid(uid) { 462 Ok(aaid_ok) => { 463 result.push(KeyParameter { 464 tag: Tag::ATTESTATION_APPLICATION_ID, 465 value: KeyParameterValue::Blob(aaid_ok), 466 }); 467 } 468 Err(e) if e == ResponseCode::GET_ATTESTATION_APPLICATION_ID_FAILED.0 as u32 => { 469 return Err(Error::Rc(ResponseCode::GET_ATTESTATION_APPLICATION_ID_FAILED)) 470 .context(ks_err!("Attestation ID retrieval failed.")); 471 } 472 Err(e) => { 473 return Err(anyhow!(e)).context(ks_err!("Attestation ID retrieval error.")) 474 } 475 } 476 } 477 478 if params.iter().any(|kp| kp.tag == Tag::INCLUDE_UNIQUE_ID) { 479 if check_key_permission(KeyPerm::GenUniqueId, key, &None).is_err() 480 && check_unique_id_attestation_permissions().is_err() 481 { 482 return Err(Error::perm()).context(ks_err!( 483 "Caller does not have the permission to generate a unique ID" 484 )); 485 } 486 if self 487 .id_rotation_state 488 .had_factory_reset_since_id_rotation(&creation_datetime) 489 .context(ks_err!("Call to had_factory_reset_since_id_rotation failed."))? 490 { 491 result.push(KeyParameter { 492 tag: Tag::RESET_SINCE_ID_ROTATION, 493 value: KeyParameterValue::BoolValue(true), 494 }) 495 } 496 } 497 498 // If the caller requests any device identifier attestation tag, check that they hold the 499 // correct Android permission. 500 if params.iter().any(|kp| is_device_id_attestation_tag(kp.tag)) { 501 check_device_attestation_permissions().context(ks_err!( 502 "Caller does not have the permission to attest device identifiers." 503 ))?; 504 } 505 506 // If we are generating/importing an asymmetric key, we need to make sure 507 // that NOT_BEFORE and NOT_AFTER are present. 508 match params.iter().find(|kp| kp.tag == Tag::ALGORITHM) { 509 Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::RSA) }) 510 | Some(KeyParameter { tag: _, value: KeyParameterValue::Algorithm(Algorithm::EC) }) => { 511 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_BEFORE) { 512 result.push(KeyParameter { 513 tag: Tag::CERTIFICATE_NOT_BEFORE, 514 value: KeyParameterValue::DateTime(0), 515 }) 516 } 517 if !params.iter().any(|kp| kp.tag == Tag::CERTIFICATE_NOT_AFTER) { 518 result.push(KeyParameter { 519 tag: Tag::CERTIFICATE_NOT_AFTER, 520 value: KeyParameterValue::DateTime(UNDEFINED_NOT_AFTER), 521 }) 522 } 523 } 524 _ => {} 525 } 526 Ok(result) 527 } 528 generate_key( &self, key: &KeyDescriptor, attest_key_descriptor: Option<&KeyDescriptor>, params: &[KeyParameter], flags: i32, _entropy: &[u8], ) -> Result<KeyMetadata>529 fn generate_key( 530 &self, 531 key: &KeyDescriptor, 532 attest_key_descriptor: Option<&KeyDescriptor>, 533 params: &[KeyParameter], 534 flags: i32, 535 _entropy: &[u8], 536 ) -> Result<KeyMetadata> { 537 if key.domain != Domain::BLOB && key.alias.is_none() { 538 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 539 .context(ks_err!("Alias must be specified")); 540 } 541 let caller_uid = ThreadState::get_calling_uid(); 542 543 let key = match key.domain { 544 Domain::APP => KeyDescriptor { 545 domain: key.domain, 546 nspace: caller_uid as i64, 547 alias: key.alias.clone(), 548 blob: None, 549 }, 550 _ => key.clone(), 551 }; 552 553 // generate_key requires the rebind permission. 554 // Must return on error for security reasons. 555 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!())?; 556 557 let attestation_key_info = match (key.domain, attest_key_descriptor) { 558 (Domain::BLOB, _) => None, 559 _ => DB 560 .with(|db| { 561 get_attest_key_info( 562 &key, 563 caller_uid, 564 attest_key_descriptor, 565 params, 566 &self.rem_prov_state, 567 &mut db.borrow_mut(), 568 ) 569 }) 570 .context(ks_err!("Trying to get an attestation key"))?, 571 }; 572 let params = self 573 .add_required_parameters(caller_uid, params, &key) 574 .context(ks_err!("Trying to get aaid."))?; 575 576 let creation_result = match attestation_key_info { 577 Some(AttestationKeyInfo::UserGenerated { 578 key_id_guard, 579 blob, 580 blob_metadata, 581 issuer_subject, 582 }) => self 583 .upgrade_keyblob_if_required_with( 584 Some(key_id_guard), 585 &KeyBlob::Ref(&blob), 586 blob_metadata.km_uuid().copied(), 587 ¶ms, 588 |blob| { 589 let attest_key = Some(AttestationKey { 590 keyBlob: blob.to_vec(), 591 attestKeyParams: vec![], 592 issuerSubjectName: issuer_subject.clone(), 593 }); 594 map_km_error({ 595 let _wp = self.watch_millis( 596 concat!( 597 "KeystoreSecurityLevel::generate_key (UserGenerated): ", 598 "calling IKeyMintDevice::generate_key" 599 ), 600 5000, // Generate can take a little longer. 601 ); 602 self.keymint.generateKey(¶ms, attest_key.as_ref()) 603 }) 604 }, 605 ) 606 .context(ks_err!( 607 "While generating with a user-generated \ 608 attestation key, params: {:?}.", 609 log_security_safe_params(¶ms) 610 )) 611 .map(|(result, _)| result), 612 Some(AttestationKeyInfo::RkpdProvisioned { attestation_key, attestation_certs }) => { 613 self.upgrade_rkpd_keyblob_if_required_with(&attestation_key.keyBlob, &[], |blob| { 614 map_km_error({ 615 let _wp = self.watch_millis( 616 concat!( 617 "KeystoreSecurityLevel::generate_key (RkpdProvisioned): ", 618 "calling IKeyMintDevice::generate_key", 619 ), 620 5000, // Generate can take a little longer. 621 ); 622 let dynamic_attest_key = Some(AttestationKey { 623 keyBlob: blob.to_vec(), 624 attestKeyParams: vec![], 625 issuerSubjectName: attestation_key.issuerSubjectName.clone(), 626 }); 627 self.keymint.generateKey(¶ms, dynamic_attest_key.as_ref()) 628 }) 629 }) 630 .context(ks_err!( 631 "While generating Key {:?} with remote \ 632 provisioned attestation key and params: {:?}.", 633 key.alias, 634 log_security_safe_params(¶ms) 635 )) 636 .map(|(mut result, _)| { 637 if read_bool("remote_provisioning.use_cert_processor", false).unwrap_or(false) { 638 let _wp = self.watch_millis( 639 concat!( 640 "KeystoreSecurityLevel::generate_key (RkpdProvisioned): ", 641 "calling KeystorePostProcessor::process_certificate_chain", 642 ), 643 1000, // Post processing may take a little while due to network call. 644 ); 645 // process_certificate_chain would either replace the certificate chain if 646 // post-processing is successful or it would fallback to the original chain 647 // on failure. In either case, we should get back the certificate chain 648 // that is fit for storing with the newly generated key. 649 result.certificateChain = 650 process_certificate_chain(result.certificateChain, attestation_certs); 651 } else { 652 // The `certificateChain` in a `KeyCreationResult` should normally have one 653 // `Certificate` for each certificate in the chain. To avoid having to 654 // unnecessarily parse the RKP chain (which is concatenated DER-encoded 655 // certs), stuff the whole concatenated chain into a single `Certificate`. 656 // This is untangled by `store_new_key()`. 657 result 658 .certificateChain 659 .push(Certificate { encodedCertificate: attestation_certs }); 660 } 661 result 662 }) 663 } 664 None => map_km_error({ 665 let _wp = self.watch_millis( 666 concat!( 667 "KeystoreSecurityLevel::generate_key (No attestation key): ", 668 "calling IKeyMintDevice::generate_key", 669 ), 670 5000, // Generate can take a little longer. 671 ); 672 self.keymint.generateKey(¶ms, None) 673 }) 674 .context(ks_err!( 675 "While generating without a provided \ 676 attestation key and params: {:?}.", 677 log_security_safe_params(¶ms) 678 )), 679 } 680 .context(ks_err!())?; 681 682 let user_id = uid_to_android_user(caller_uid); 683 self.store_new_key(key, creation_result, user_id, Some(flags)).context(ks_err!()) 684 } 685 import_key( &self, key: &KeyDescriptor, _attestation_key: Option<&KeyDescriptor>, params: &[KeyParameter], flags: i32, key_data: &[u8], ) -> Result<KeyMetadata>686 fn import_key( 687 &self, 688 key: &KeyDescriptor, 689 _attestation_key: Option<&KeyDescriptor>, 690 params: &[KeyParameter], 691 flags: i32, 692 key_data: &[u8], 693 ) -> Result<KeyMetadata> { 694 if key.domain != Domain::BLOB && key.alias.is_none() { 695 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 696 .context(ks_err!("Alias must be specified")); 697 } 698 let caller_uid = ThreadState::get_calling_uid(); 699 700 let key = match key.domain { 701 Domain::APP => KeyDescriptor { 702 domain: key.domain, 703 nspace: caller_uid as i64, 704 alias: key.alias.clone(), 705 blob: None, 706 }, 707 _ => key.clone(), 708 }; 709 710 // import_key requires the rebind permission. 711 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!("In import_key."))?; 712 713 let params = self 714 .add_required_parameters(caller_uid, params, &key) 715 .context(ks_err!("Trying to get aaid."))?; 716 717 let format = params 718 .iter() 719 .find(|p| p.tag == Tag::ALGORITHM) 720 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 721 .context(ks_err!("No KeyParameter 'Algorithm'.")) 722 .and_then(|p| match &p.value { 723 KeyParameterValue::Algorithm(Algorithm::AES) 724 | KeyParameterValue::Algorithm(Algorithm::HMAC) 725 | KeyParameterValue::Algorithm(Algorithm::TRIPLE_DES) => Ok(KeyFormat::RAW), 726 KeyParameterValue::Algorithm(Algorithm::RSA) 727 | KeyParameterValue::Algorithm(Algorithm::EC) => Ok(KeyFormat::PKCS8), 728 v => Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 729 .context(ks_err!("Unknown Algorithm {:?}.", v)), 730 }) 731 .context(ks_err!())?; 732 733 let km_dev = &self.keymint; 734 let creation_result = map_km_error({ 735 let _wp = 736 self.watch("KeystoreSecurityLevel::import_key: calling IKeyMintDevice::importKey."); 737 km_dev.importKey(¶ms, format, key_data, None /* attestKey */) 738 }) 739 .context(ks_err!("Trying to call importKey"))?; 740 741 let user_id = uid_to_android_user(caller_uid); 742 self.store_new_key(key, creation_result, user_id, Some(flags)).context(ks_err!()) 743 } 744 import_wrapped_key( &self, key: &KeyDescriptor, wrapping_key: &KeyDescriptor, masking_key: Option<&[u8]>, params: &[KeyParameter], authenticators: &[AuthenticatorSpec], ) -> Result<KeyMetadata>745 fn import_wrapped_key( 746 &self, 747 key: &KeyDescriptor, 748 wrapping_key: &KeyDescriptor, 749 masking_key: Option<&[u8]>, 750 params: &[KeyParameter], 751 authenticators: &[AuthenticatorSpec], 752 ) -> Result<KeyMetadata> { 753 let wrapped_data: &[u8] = match key { 754 KeyDescriptor { domain: Domain::APP, blob: Some(ref blob), alias: Some(_), .. } 755 | KeyDescriptor { 756 domain: Domain::SELINUX, blob: Some(ref blob), alias: Some(_), .. 757 } => blob, 758 _ => { 759 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)).context(ks_err!( 760 "Alias and blob must be specified and domain must be APP or SELINUX. {:?}", 761 key 762 )); 763 } 764 }; 765 766 if wrapping_key.domain == Domain::BLOB { 767 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 768 .context(ks_err!("Import wrapped key not supported for self managed blobs.")); 769 } 770 771 let caller_uid = ThreadState::get_calling_uid(); 772 let user_id = uid_to_android_user(caller_uid); 773 774 let key = match key.domain { 775 Domain::APP => KeyDescriptor { 776 domain: key.domain, 777 nspace: caller_uid as i64, 778 alias: key.alias.clone(), 779 blob: None, 780 }, 781 Domain::SELINUX => KeyDescriptor { 782 domain: Domain::SELINUX, 783 nspace: key.nspace, 784 alias: key.alias.clone(), 785 blob: None, 786 }, 787 _ => panic!("Unreachable."), 788 }; 789 790 // Import_wrapped_key requires the rebind permission for the new key. 791 check_key_permission(KeyPerm::Rebind, &key, &None).context(ks_err!())?; 792 793 let super_key = SUPER_KEY.read().unwrap().get_after_first_unlock_key_by_user_id(user_id); 794 795 let (wrapping_key_id_guard, mut wrapping_key_entry) = DB 796 .with(|db| { 797 LEGACY_IMPORTER.with_try_import(&key, caller_uid, super_key, || { 798 db.borrow_mut().load_key_entry( 799 wrapping_key, 800 KeyType::Client, 801 KeyEntryLoadBits::KM, 802 caller_uid, 803 |k, av| check_key_permission(KeyPerm::Use, k, &av), 804 ) 805 }) 806 }) 807 .context(ks_err!("Failed to load wrapping key."))?; 808 809 let (wrapping_key_blob, wrapping_blob_metadata) = 810 wrapping_key_entry.take_key_blob_info().ok_or_else(error::Error::sys).context( 811 ks_err!("No km_blob after successfully loading key. This should never happen."), 812 )?; 813 814 let wrapping_key_blob = SUPER_KEY 815 .read() 816 .unwrap() 817 .unwrap_key_if_required(&wrapping_blob_metadata, &wrapping_key_blob) 818 .context(ks_err!("Failed to handle super encryption for wrapping key."))?; 819 820 // km_dev.importWrappedKey does not return a certificate chain. 821 // TODO Do we assume that all wrapped keys are symmetric? 822 // let certificate_chain: Vec<KmCertificate> = Default::default(); 823 824 let pw_sid = authenticators 825 .iter() 826 .find_map(|a| match a.authenticatorType { 827 HardwareAuthenticatorType::PASSWORD => Some(a.authenticatorId), 828 _ => None, 829 }) 830 .unwrap_or(-1); 831 832 let fp_sid = authenticators 833 .iter() 834 .find_map(|a| match a.authenticatorType { 835 HardwareAuthenticatorType::FINGERPRINT => Some(a.authenticatorId), 836 _ => None, 837 }) 838 .unwrap_or(-1); 839 840 let masking_key = masking_key.unwrap_or(ZERO_BLOB_32); 841 842 let (creation_result, _) = self 843 .upgrade_keyblob_if_required_with( 844 Some(wrapping_key_id_guard), 845 &wrapping_key_blob, 846 wrapping_blob_metadata.km_uuid().copied(), 847 &[], 848 |wrapping_blob| { 849 let _wp = self.watch( 850 "KeystoreSecurityLevel::import_wrapped_key: calling IKeyMintDevice::importWrappedKey.", 851 ); 852 let creation_result = map_km_error(self.keymint.importWrappedKey( 853 wrapped_data, 854 wrapping_blob, 855 masking_key, 856 params, 857 pw_sid, 858 fp_sid, 859 ))?; 860 Ok(creation_result) 861 }, 862 ) 863 .context(ks_err!())?; 864 865 self.store_new_key(key, creation_result, user_id, None) 866 .context(ks_err!("Trying to store the new key.")) 867 } 868 store_upgraded_keyblob( key_id_guard: KeyIdGuard, km_uuid: Option<Uuid>, key_blob: &KeyBlob, upgraded_blob: &[u8], ) -> Result<()>869 fn store_upgraded_keyblob( 870 key_id_guard: KeyIdGuard, 871 km_uuid: Option<Uuid>, 872 key_blob: &KeyBlob, 873 upgraded_blob: &[u8], 874 ) -> Result<()> { 875 let (upgraded_blob_to_be_stored, new_blob_metadata) = 876 SuperKeyManager::reencrypt_if_required(key_blob, upgraded_blob) 877 .context(ks_err!("Failed to handle super encryption."))?; 878 879 let mut new_blob_metadata = new_blob_metadata.unwrap_or_default(); 880 if let Some(uuid) = km_uuid { 881 new_blob_metadata.add(BlobMetaEntry::KmUuid(uuid)); 882 } 883 884 DB.with(|db| { 885 let mut db = db.borrow_mut(); 886 db.set_blob( 887 &key_id_guard, 888 SubComponentType::KEY_BLOB, 889 Some(&upgraded_blob_to_be_stored), 890 Some(&new_blob_metadata), 891 ) 892 }) 893 .context(ks_err!("Failed to insert upgraded blob into the database.")) 894 } 895 upgrade_keyblob_if_required_with<T, F>( &self, mut key_id_guard: Option<KeyIdGuard>, key_blob: &KeyBlob, km_uuid: Option<Uuid>, params: &[KeyParameter], f: F, ) -> Result<(T, Option<Vec<u8>>)> where F: Fn(&[u8]) -> Result<T, Error>,896 fn upgrade_keyblob_if_required_with<T, F>( 897 &self, 898 mut key_id_guard: Option<KeyIdGuard>, 899 key_blob: &KeyBlob, 900 km_uuid: Option<Uuid>, 901 params: &[KeyParameter], 902 f: F, 903 ) -> Result<(T, Option<Vec<u8>>)> 904 where 905 F: Fn(&[u8]) -> Result<T, Error>, 906 { 907 let (v, upgraded_blob) = crate::utils::upgrade_keyblob_if_required_with( 908 &*self.keymint, 909 self.hw_info.versionNumber, 910 key_blob, 911 params, 912 f, 913 |upgraded_blob| { 914 if key_id_guard.is_some() { 915 // Unwrap cannot panic, because the is_some was true. 916 let kid = key_id_guard.take().unwrap(); 917 Self::store_upgraded_keyblob(kid, km_uuid, key_blob, upgraded_blob) 918 .context(ks_err!("store_upgraded_keyblob failed")) 919 } else { 920 Ok(()) 921 } 922 }, 923 ) 924 .context(ks_err!("upgrade_keyblob_if_required_with(key_id={:?})", key_id_guard))?; 925 926 // If no upgrade was needed, use the opportunity to reencrypt the blob if required 927 // and if the a key_id_guard is held. Note: key_id_guard can only be Some if no 928 // upgrade was performed above and if one was given in the first place. 929 if key_blob.force_reencrypt() { 930 if let Some(kid) = key_id_guard { 931 Self::store_upgraded_keyblob(kid, km_uuid, key_blob, key_blob) 932 .context(ks_err!("store_upgraded_keyblob failed in forced reencrypt"))?; 933 } 934 } 935 Ok((v, upgraded_blob)) 936 } 937 upgrade_rkpd_keyblob_if_required_with<T, F>( &self, key_blob: &[u8], params: &[KeyParameter], f: F, ) -> Result<(T, Option<Vec<u8>>)> where F: Fn(&[u8]) -> Result<T, Error>,938 fn upgrade_rkpd_keyblob_if_required_with<T, F>( 939 &self, 940 key_blob: &[u8], 941 params: &[KeyParameter], 942 f: F, 943 ) -> Result<(T, Option<Vec<u8>>)> 944 where 945 F: Fn(&[u8]) -> Result<T, Error>, 946 { 947 let rpc_name = get_remotely_provisioned_component_name(&self.security_level) 948 .context(ks_err!("Trying to get IRPC name."))?; 949 crate::utils::upgrade_keyblob_if_required_with( 950 &*self.keymint, 951 self.hw_info.versionNumber, 952 key_blob, 953 params, 954 f, 955 |upgraded_blob| { 956 let _wp = wd::watch("Calling store_rkpd_attestation_key()"); 957 if let Err(e) = store_rkpd_attestation_key(&rpc_name, key_blob, upgraded_blob) { 958 Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}")) 959 } else { 960 Ok(()) 961 } 962 }, 963 ) 964 .context(ks_err!( 965 "upgrade_rkpd_keyblob_if_required_with(params={:?})", 966 log_security_safe_params(params) 967 )) 968 } 969 convert_storage_key_to_ephemeral( &self, storage_key: &KeyDescriptor, ) -> Result<EphemeralStorageKeyResponse>970 fn convert_storage_key_to_ephemeral( 971 &self, 972 storage_key: &KeyDescriptor, 973 ) -> Result<EphemeralStorageKeyResponse> { 974 if storage_key.domain != Domain::BLOB { 975 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 976 .context(ks_err!("Key must be of Domain::BLOB")); 977 } 978 let key_blob = storage_key 979 .blob 980 .as_ref() 981 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 982 .context(ks_err!("No key blob specified"))?; 983 984 // convert_storage_key_to_ephemeral requires the associated permission 985 check_key_permission(KeyPerm::ConvertStorageKeyToEphemeral, storage_key, &None) 986 .context(ks_err!("Check permission"))?; 987 988 let km_dev = &self.keymint; 989 let res = { 990 let _wp = self.watch(concat!( 991 "IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ", 992 "calling IKeyMintDevice::convertStorageKeyToEphemeral (1)" 993 )); 994 map_km_error(km_dev.convertStorageKeyToEphemeral(key_blob)) 995 }; 996 match res { 997 Ok(result) => { 998 Ok(EphemeralStorageKeyResponse { ephemeralKey: result, upgradedBlob: None }) 999 } 1000 Err(error::Error::Km(ErrorCode::KEY_REQUIRES_UPGRADE)) => { 1001 let upgraded_blob = { 1002 let _wp = self.watch("IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: calling IKeyMintDevice::upgradeKey"); 1003 map_km_error(km_dev.upgradeKey(key_blob, &[])) 1004 } 1005 .context(ks_err!("Failed to upgrade key blob."))?; 1006 let ephemeral_key = { 1007 let _wp = self.watch(concat!( 1008 "IKeystoreSecurityLevel::convert_storage_key_to_ephemeral: ", 1009 "calling IKeyMintDevice::convertStorageKeyToEphemeral (2)" 1010 )); 1011 map_km_error(km_dev.convertStorageKeyToEphemeral(&upgraded_blob)) 1012 } 1013 .context(ks_err!("Failed to retrieve ephemeral key (after upgrade)."))?; 1014 Ok(EphemeralStorageKeyResponse { 1015 ephemeralKey: ephemeral_key, 1016 upgradedBlob: Some(upgraded_blob), 1017 }) 1018 } 1019 Err(e) => Err(e).context(ks_err!("Failed to retrieve ephemeral key.")), 1020 } 1021 } 1022 delete_key(&self, key: &KeyDescriptor) -> Result<()>1023 fn delete_key(&self, key: &KeyDescriptor) -> Result<()> { 1024 if key.domain != Domain::BLOB { 1025 return Err(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 1026 .context(ks_err!("delete_key: Key must be of Domain::BLOB")); 1027 } 1028 1029 let key_blob = key 1030 .blob 1031 .as_ref() 1032 .ok_or(error::Error::Km(ErrorCode::INVALID_ARGUMENT)) 1033 .context(ks_err!("delete_key: No key blob specified"))?; 1034 1035 check_key_permission(KeyPerm::Delete, key, &None) 1036 .context(ks_err!("delete_key: Checking delete permissions"))?; 1037 1038 let km_dev = &self.keymint; 1039 { 1040 let _wp = 1041 self.watch("KeystoreSecuritylevel::delete_key: calling IKeyMintDevice::deleteKey"); 1042 map_km_error(km_dev.deleteKey(key_blob)).context(ks_err!("keymint device deleteKey")) 1043 } 1044 } 1045 } 1046 1047 impl binder::Interface for KeystoreSecurityLevel {} 1048 1049 impl IKeystoreSecurityLevel for KeystoreSecurityLevel { createOperation( &self, key: &KeyDescriptor, operation_parameters: &[KeyParameter], forced: bool, ) -> binder::Result<CreateOperationResponse>1050 fn createOperation( 1051 &self, 1052 key: &KeyDescriptor, 1053 operation_parameters: &[KeyParameter], 1054 forced: bool, 1055 ) -> binder::Result<CreateOperationResponse> { 1056 let _wp = self.watch("IKeystoreSecurityLevel::createOperation"); 1057 self.create_operation(key, operation_parameters, forced).map_err(into_logged_binder) 1058 } generateKey( &self, key: &KeyDescriptor, attestation_key: Option<&KeyDescriptor>, params: &[KeyParameter], flags: i32, entropy: &[u8], ) -> binder::Result<KeyMetadata>1059 fn generateKey( 1060 &self, 1061 key: &KeyDescriptor, 1062 attestation_key: Option<&KeyDescriptor>, 1063 params: &[KeyParameter], 1064 flags: i32, 1065 entropy: &[u8], 1066 ) -> binder::Result<KeyMetadata> { 1067 // Duration is set to 5 seconds, because generateKey - especially for RSA keys, takes more 1068 // time than other operations 1069 let _wp = self.watch_millis("IKeystoreSecurityLevel::generateKey", 5000); 1070 let result = self.generate_key(key, attestation_key, params, flags, entropy); 1071 log_key_creation_event_stats(self.security_level, params, &result); 1072 log_key_generated(key, ThreadState::get_calling_uid(), result.is_ok()); 1073 result.map_err(into_logged_binder) 1074 } importKey( &self, key: &KeyDescriptor, attestation_key: Option<&KeyDescriptor>, params: &[KeyParameter], flags: i32, key_data: &[u8], ) -> binder::Result<KeyMetadata>1075 fn importKey( 1076 &self, 1077 key: &KeyDescriptor, 1078 attestation_key: Option<&KeyDescriptor>, 1079 params: &[KeyParameter], 1080 flags: i32, 1081 key_data: &[u8], 1082 ) -> binder::Result<KeyMetadata> { 1083 let _wp = self.watch("IKeystoreSecurityLevel::importKey"); 1084 let result = self.import_key(key, attestation_key, params, flags, key_data); 1085 log_key_creation_event_stats(self.security_level, params, &result); 1086 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok()); 1087 result.map_err(into_logged_binder) 1088 } importWrappedKey( &self, key: &KeyDescriptor, wrapping_key: &KeyDescriptor, masking_key: Option<&[u8]>, params: &[KeyParameter], authenticators: &[AuthenticatorSpec], ) -> binder::Result<KeyMetadata>1089 fn importWrappedKey( 1090 &self, 1091 key: &KeyDescriptor, 1092 wrapping_key: &KeyDescriptor, 1093 masking_key: Option<&[u8]>, 1094 params: &[KeyParameter], 1095 authenticators: &[AuthenticatorSpec], 1096 ) -> binder::Result<KeyMetadata> { 1097 let _wp = self.watch("IKeystoreSecurityLevel::importWrappedKey"); 1098 let result = 1099 self.import_wrapped_key(key, wrapping_key, masking_key, params, authenticators); 1100 log_key_creation_event_stats(self.security_level, params, &result); 1101 log_key_imported(key, ThreadState::get_calling_uid(), result.is_ok()); 1102 result.map_err(into_logged_binder) 1103 } convertStorageKeyToEphemeral( &self, storage_key: &KeyDescriptor, ) -> binder::Result<EphemeralStorageKeyResponse>1104 fn convertStorageKeyToEphemeral( 1105 &self, 1106 storage_key: &KeyDescriptor, 1107 ) -> binder::Result<EphemeralStorageKeyResponse> { 1108 let _wp = self.watch("IKeystoreSecurityLevel::convertStorageKeyToEphemeral"); 1109 self.convert_storage_key_to_ephemeral(storage_key).map_err(into_logged_binder) 1110 } deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()>1111 fn deleteKey(&self, key: &KeyDescriptor) -> binder::Result<()> { 1112 let _wp = self.watch("IKeystoreSecurityLevel::deleteKey"); 1113 let result = self.delete_key(key); 1114 log_key_deleted(key, ThreadState::get_calling_uid(), result.is_ok()); 1115 result.map_err(into_logged_binder) 1116 } 1117 } 1118 1119 #[cfg(test)] 1120 mod tests { 1121 use super::*; 1122 use crate::error::map_km_error; 1123 use crate::globals::get_keymint_device; 1124 use crate::utils::upgrade_keyblob_if_required_with; 1125 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ 1126 Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter, 1127 KeyParameterValue::KeyParameterValue, Tag::Tag, 1128 }; 1129 use keystore2_crypto::parse_subject_from_certificate; 1130 use rkpd_client::get_rkpd_attestation_key; 1131 1132 #[test] 1133 // This is a helper for a manual test. We want to check that after a system upgrade RKPD 1134 // attestation keys can also be upgraded and stored again with RKPD. The steps are: 1135 // 1. Run this test and check in stdout that no key upgrade happened. 1136 // 2. Perform a system upgrade. 1137 // 3. Run this test and check in stdout that key upgrade did happen. 1138 // 1139 // Note that this test must be run with that same UID every time. Running as root, i.e. UID 0, 1140 // should do the trick. Also, use "--nocapture" flag to get stdout. test_rkpd_attestation_key_upgrade()1141 fn test_rkpd_attestation_key_upgrade() { 1142 binder::ProcessState::start_thread_pool(); 1143 let security_level = SecurityLevel::TRUSTED_ENVIRONMENT; 1144 let (keymint, info, _) = get_keymint_device(&security_level).unwrap(); 1145 let key_id = 0; 1146 let mut key_upgraded = false; 1147 1148 let rpc_name = get_remotely_provisioned_component_name(&security_level).unwrap(); 1149 let key = get_rkpd_attestation_key(&rpc_name, key_id).unwrap(); 1150 assert!(!key.keyBlob.is_empty()); 1151 assert!(!key.encodedCertChain.is_empty()); 1152 1153 upgrade_keyblob_if_required_with( 1154 &*keymint, 1155 info.versionNumber, 1156 &key.keyBlob, 1157 /*upgrade_params=*/ &[], 1158 /*km_op=*/ 1159 |blob| { 1160 let params = vec![ 1161 KeyParameter { 1162 tag: Tag::ALGORITHM, 1163 value: KeyParameterValue::Algorithm(Algorithm::AES), 1164 }, 1165 KeyParameter { 1166 tag: Tag::ATTESTATION_CHALLENGE, 1167 value: KeyParameterValue::Blob(vec![0; 16]), 1168 }, 1169 KeyParameter { tag: Tag::KEY_SIZE, value: KeyParameterValue::Integer(128) }, 1170 ]; 1171 let attestation_key = AttestationKey { 1172 keyBlob: blob.to_vec(), 1173 attestKeyParams: vec![], 1174 issuerSubjectName: parse_subject_from_certificate(&key.encodedCertChain) 1175 .unwrap(), 1176 }; 1177 1178 map_km_error(keymint.generateKey(¶ms, Some(&attestation_key))) 1179 }, 1180 /*new_blob_handler=*/ 1181 |new_blob| { 1182 // This handler is only executed if a key upgrade was performed. 1183 key_upgraded = true; 1184 let _wp = wd::watch("Calling store_rkpd_attestation_key()"); 1185 store_rkpd_attestation_key(&rpc_name, &key.keyBlob, new_blob).unwrap(); 1186 Ok(()) 1187 }, 1188 ) 1189 .unwrap(); 1190 1191 if key_upgraded { 1192 println!("RKPD key was upgraded and stored with RKPD."); 1193 } else { 1194 println!("RKPD key was NOT upgraded."); 1195 } 1196 } 1197 } 1198