1*00c7fec1SAndroid Build Coastguard Worker /*
2*00c7fec1SAndroid Build Coastguard Worker * Copyright (C) 2015 The Android Open Source Project
3*00c7fec1SAndroid Build Coastguard Worker *
4*00c7fec1SAndroid Build Coastguard Worker * Licensed under the Apache License, Version 2.0 (the "License");
5*00c7fec1SAndroid Build Coastguard Worker * you may not use this file except in compliance with the License.
6*00c7fec1SAndroid Build Coastguard Worker * You may obtain a copy of the License at
7*00c7fec1SAndroid Build Coastguard Worker *
8*00c7fec1SAndroid Build Coastguard Worker * http://www.apache.org/licenses/LICENSE-2.0
9*00c7fec1SAndroid Build Coastguard Worker *
10*00c7fec1SAndroid Build Coastguard Worker * Unless required by applicable law or agreed to in writing, software
11*00c7fec1SAndroid Build Coastguard Worker * distributed under the License is distributed on an "AS IS" BASIS,
12*00c7fec1SAndroid Build Coastguard Worker * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*00c7fec1SAndroid Build Coastguard Worker * See the License for the specific language governing permissions and
14*00c7fec1SAndroid Build Coastguard Worker * limitations under the License.
15*00c7fec1SAndroid Build Coastguard Worker */
16*00c7fec1SAndroid Build Coastguard Worker #define LOG_TAG "gatekeeperd"
17*00c7fec1SAndroid Build Coastguard Worker
18*00c7fec1SAndroid Build Coastguard Worker #include "gatekeeperd.h"
19*00c7fec1SAndroid Build Coastguard Worker
20*00c7fec1SAndroid Build Coastguard Worker #include <endian.h>
21*00c7fec1SAndroid Build Coastguard Worker #include <errno.h>
22*00c7fec1SAndroid Build Coastguard Worker #include <fcntl.h>
23*00c7fec1SAndroid Build Coastguard Worker #include <unistd.h>
24*00c7fec1SAndroid Build Coastguard Worker #include <memory>
25*00c7fec1SAndroid Build Coastguard Worker
26*00c7fec1SAndroid Build Coastguard Worker #include <KeyMintUtils.h>
27*00c7fec1SAndroid Build Coastguard Worker #include <android-base/logging.h>
28*00c7fec1SAndroid Build Coastguard Worker #include <android-base/properties.h>
29*00c7fec1SAndroid Build Coastguard Worker #include <android/binder_ibinder.h>
30*00c7fec1SAndroid Build Coastguard Worker #include <android/binder_manager.h>
31*00c7fec1SAndroid Build Coastguard Worker #include <binder/IPCThreadState.h>
32*00c7fec1SAndroid Build Coastguard Worker #include <binder/IServiceManager.h>
33*00c7fec1SAndroid Build Coastguard Worker #include <binder/PermissionCache.h>
34*00c7fec1SAndroid Build Coastguard Worker #include <gatekeeper/password_handle.h> // for password_handle_t
35*00c7fec1SAndroid Build Coastguard Worker #include <hardware/hw_auth_token.h>
36*00c7fec1SAndroid Build Coastguard Worker #include <libgsi/libgsi.h>
37*00c7fec1SAndroid Build Coastguard Worker #include <log/log.h>
38*00c7fec1SAndroid Build Coastguard Worker #include <utils/String16.h>
39*00c7fec1SAndroid Build Coastguard Worker
40*00c7fec1SAndroid Build Coastguard Worker #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
41*00c7fec1SAndroid Build Coastguard Worker #include <aidl/android/security/authorization/IKeystoreAuthorization.h>
42*00c7fec1SAndroid Build Coastguard Worker #include <hidl/HidlSupport.h>
43*00c7fec1SAndroid Build Coastguard Worker
44*00c7fec1SAndroid Build Coastguard Worker using android::sp;
45*00c7fec1SAndroid Build Coastguard Worker using android::hardware::Return;
46*00c7fec1SAndroid Build Coastguard Worker using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
47*00c7fec1SAndroid Build Coastguard Worker using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
48*00c7fec1SAndroid Build Coastguard Worker
49*00c7fec1SAndroid Build Coastguard Worker using AidlGatekeeperEnrollResp = aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse;
50*00c7fec1SAndroid Build Coastguard Worker using AidlGatekeeperVerifyResp = aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse;
51*00c7fec1SAndroid Build Coastguard Worker
52*00c7fec1SAndroid Build Coastguard Worker using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
53*00c7fec1SAndroid Build Coastguard Worker using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType;
54*00c7fec1SAndroid Build Coastguard Worker using ::aidl::android::hardware::security::keymint::HardwareAuthToken;
55*00c7fec1SAndroid Build Coastguard Worker using ::aidl::android::hardware::security::keymint::km_utils::authToken2AidlVec;
56*00c7fec1SAndroid Build Coastguard Worker using ::aidl::android::security::authorization::IKeystoreAuthorization;
57*00c7fec1SAndroid Build Coastguard Worker
58*00c7fec1SAndroid Build Coastguard Worker namespace android {
59*00c7fec1SAndroid Build Coastguard Worker
60*00c7fec1SAndroid Build Coastguard Worker static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
61*00c7fec1SAndroid Build Coastguard Worker static const String16 DUMP_PERMISSION("android.permission.DUMP");
62*00c7fec1SAndroid Build Coastguard Worker constexpr const char gatekeeperServiceName[] = "android.hardware.gatekeeper.IGatekeeper/default";
63*00c7fec1SAndroid Build Coastguard Worker
GateKeeperProxy()64*00c7fec1SAndroid Build Coastguard Worker GateKeeperProxy::GateKeeperProxy() {
65*00c7fec1SAndroid Build Coastguard Worker clear_state_if_needed_done = false;
66*00c7fec1SAndroid Build Coastguard Worker if (AServiceManager_isDeclared(gatekeeperServiceName)) {
67*00c7fec1SAndroid Build Coastguard Worker ::ndk::SpAIBinder ks2Binder(AServiceManager_waitForService(gatekeeperServiceName));
68*00c7fec1SAndroid Build Coastguard Worker aidl_hw_device = AidlIGatekeeper::fromBinder(ks2Binder);
69*00c7fec1SAndroid Build Coastguard Worker }
70*00c7fec1SAndroid Build Coastguard Worker if (!aidl_hw_device) {
71*00c7fec1SAndroid Build Coastguard Worker hw_device = IGatekeeper::getService();
72*00c7fec1SAndroid Build Coastguard Worker }
73*00c7fec1SAndroid Build Coastguard Worker is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
74*00c7fec1SAndroid Build Coastguard Worker
75*00c7fec1SAndroid Build Coastguard Worker if (!aidl_hw_device && !hw_device) {
76*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
77*00c7fec1SAndroid Build Coastguard Worker }
78*00c7fec1SAndroid Build Coastguard Worker }
79*00c7fec1SAndroid Build Coastguard Worker
store_sid(uint32_t userId,uint64_t sid)80*00c7fec1SAndroid Build Coastguard Worker void GateKeeperProxy::store_sid(uint32_t userId, uint64_t sid) {
81*00c7fec1SAndroid Build Coastguard Worker char filename[21];
82*00c7fec1SAndroid Build Coastguard Worker snprintf(filename, sizeof(filename), "%u", userId);
83*00c7fec1SAndroid Build Coastguard Worker int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
84*00c7fec1SAndroid Build Coastguard Worker if (fd < 0) {
85*00c7fec1SAndroid Build Coastguard Worker ALOGE("could not open file: %s: %s", filename, strerror(errno));
86*00c7fec1SAndroid Build Coastguard Worker return;
87*00c7fec1SAndroid Build Coastguard Worker }
88*00c7fec1SAndroid Build Coastguard Worker write(fd, &sid, sizeof(sid));
89*00c7fec1SAndroid Build Coastguard Worker close(fd);
90*00c7fec1SAndroid Build Coastguard Worker }
91*00c7fec1SAndroid Build Coastguard Worker
clear_state_if_needed()92*00c7fec1SAndroid Build Coastguard Worker void GateKeeperProxy::clear_state_if_needed() {
93*00c7fec1SAndroid Build Coastguard Worker if (clear_state_if_needed_done) {
94*00c7fec1SAndroid Build Coastguard Worker return;
95*00c7fec1SAndroid Build Coastguard Worker }
96*00c7fec1SAndroid Build Coastguard Worker
97*00c7fec1SAndroid Build Coastguard Worker if (mark_cold_boot() && !is_running_gsi) {
98*00c7fec1SAndroid Build Coastguard Worker ALOGI("cold boot: clearing state");
99*00c7fec1SAndroid Build Coastguard Worker if (aidl_hw_device) {
100*00c7fec1SAndroid Build Coastguard Worker aidl_hw_device->deleteAllUsers();
101*00c7fec1SAndroid Build Coastguard Worker } else if (hw_device) {
102*00c7fec1SAndroid Build Coastguard Worker hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
103*00c7fec1SAndroid Build Coastguard Worker }
104*00c7fec1SAndroid Build Coastguard Worker }
105*00c7fec1SAndroid Build Coastguard Worker
106*00c7fec1SAndroid Build Coastguard Worker clear_state_if_needed_done = true;
107*00c7fec1SAndroid Build Coastguard Worker }
108*00c7fec1SAndroid Build Coastguard Worker
mark_cold_boot()109*00c7fec1SAndroid Build Coastguard Worker bool GateKeeperProxy::mark_cold_boot() {
110*00c7fec1SAndroid Build Coastguard Worker const char* filename = ".coldboot";
111*00c7fec1SAndroid Build Coastguard Worker if (access(filename, F_OK) == -1) {
112*00c7fec1SAndroid Build Coastguard Worker int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
113*00c7fec1SAndroid Build Coastguard Worker if (fd < 0) {
114*00c7fec1SAndroid Build Coastguard Worker ALOGE("could not open file: %s : %s", filename, strerror(errno));
115*00c7fec1SAndroid Build Coastguard Worker return false;
116*00c7fec1SAndroid Build Coastguard Worker }
117*00c7fec1SAndroid Build Coastguard Worker close(fd);
118*00c7fec1SAndroid Build Coastguard Worker return true;
119*00c7fec1SAndroid Build Coastguard Worker }
120*00c7fec1SAndroid Build Coastguard Worker return false;
121*00c7fec1SAndroid Build Coastguard Worker }
122*00c7fec1SAndroid Build Coastguard Worker
maybe_store_sid(uint32_t userId,uint64_t sid)123*00c7fec1SAndroid Build Coastguard Worker void GateKeeperProxy::maybe_store_sid(uint32_t userId, uint64_t sid) {
124*00c7fec1SAndroid Build Coastguard Worker char filename[21];
125*00c7fec1SAndroid Build Coastguard Worker snprintf(filename, sizeof(filename), "%u", userId);
126*00c7fec1SAndroid Build Coastguard Worker if (access(filename, F_OK) == -1) {
127*00c7fec1SAndroid Build Coastguard Worker store_sid(userId, sid);
128*00c7fec1SAndroid Build Coastguard Worker }
129*00c7fec1SAndroid Build Coastguard Worker }
130*00c7fec1SAndroid Build Coastguard Worker
read_sid(uint32_t userId)131*00c7fec1SAndroid Build Coastguard Worker uint64_t GateKeeperProxy::read_sid(uint32_t userId) {
132*00c7fec1SAndroid Build Coastguard Worker char filename[21];
133*00c7fec1SAndroid Build Coastguard Worker uint64_t sid;
134*00c7fec1SAndroid Build Coastguard Worker snprintf(filename, sizeof(filename), "%u", userId);
135*00c7fec1SAndroid Build Coastguard Worker int fd = open(filename, O_RDONLY);
136*00c7fec1SAndroid Build Coastguard Worker if (fd < 0) return 0;
137*00c7fec1SAndroid Build Coastguard Worker read(fd, &sid, sizeof(sid));
138*00c7fec1SAndroid Build Coastguard Worker close(fd);
139*00c7fec1SAndroid Build Coastguard Worker return sid;
140*00c7fec1SAndroid Build Coastguard Worker }
141*00c7fec1SAndroid Build Coastguard Worker
clear_sid(uint32_t userId)142*00c7fec1SAndroid Build Coastguard Worker void GateKeeperProxy::clear_sid(uint32_t userId) {
143*00c7fec1SAndroid Build Coastguard Worker char filename[21];
144*00c7fec1SAndroid Build Coastguard Worker snprintf(filename, sizeof(filename), "%u", userId);
145*00c7fec1SAndroid Build Coastguard Worker if (remove(filename) < 0 && errno != ENOENT) {
146*00c7fec1SAndroid Build Coastguard Worker ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
147*00c7fec1SAndroid Build Coastguard Worker store_sid(userId, 0);
148*00c7fec1SAndroid Build Coastguard Worker }
149*00c7fec1SAndroid Build Coastguard Worker }
150*00c7fec1SAndroid Build Coastguard Worker
adjust_userId(uint32_t userId,uint32_t * hw_userId)151*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::adjust_userId(uint32_t userId, uint32_t* hw_userId) {
152*00c7fec1SAndroid Build Coastguard Worker static constexpr uint32_t kGsiOffset = 1000000;
153*00c7fec1SAndroid Build Coastguard Worker if (userId >= kGsiOffset) {
154*00c7fec1SAndroid Build Coastguard Worker return Status::fromExceptionCode(Status::EX_ILLEGAL_ARGUMENT);
155*00c7fec1SAndroid Build Coastguard Worker }
156*00c7fec1SAndroid Build Coastguard Worker
157*00c7fec1SAndroid Build Coastguard Worker if ((aidl_hw_device == nullptr) && (hw_device == nullptr)) {
158*00c7fec1SAndroid Build Coastguard Worker return Status::fromExceptionCode(Status::EX_ILLEGAL_STATE);
159*00c7fec1SAndroid Build Coastguard Worker }
160*00c7fec1SAndroid Build Coastguard Worker
161*00c7fec1SAndroid Build Coastguard Worker if (is_running_gsi) {
162*00c7fec1SAndroid Build Coastguard Worker *hw_userId = userId + kGsiOffset;
163*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
164*00c7fec1SAndroid Build Coastguard Worker }
165*00c7fec1SAndroid Build Coastguard Worker *hw_userId = userId;
166*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
167*00c7fec1SAndroid Build Coastguard Worker }
168*00c7fec1SAndroid Build Coastguard Worker
169*00c7fec1SAndroid Build Coastguard Worker #define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
170*00c7fec1SAndroid Build Coastguard Worker
enroll(int32_t userId,const std::optional<std::vector<uint8_t>> & currentPasswordHandle,const std::optional<std::vector<uint8_t>> & currentPassword,const std::vector<uint8_t> & desiredPassword,GKResponse * gkResponse)171*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::enroll(int32_t userId,
172*00c7fec1SAndroid Build Coastguard Worker const std::optional<std::vector<uint8_t>>& currentPasswordHandle,
173*00c7fec1SAndroid Build Coastguard Worker const std::optional<std::vector<uint8_t>>& currentPassword,
174*00c7fec1SAndroid Build Coastguard Worker const std::vector<uint8_t>& desiredPassword,
175*00c7fec1SAndroid Build Coastguard Worker GKResponse* gkResponse) {
176*00c7fec1SAndroid Build Coastguard Worker IPCThreadState* ipc = IPCThreadState::self();
177*00c7fec1SAndroid Build Coastguard Worker const int calling_pid = ipc->getCallingPid();
178*00c7fec1SAndroid Build Coastguard Worker const int calling_uid = ipc->getCallingUid();
179*00c7fec1SAndroid Build Coastguard Worker if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
180*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
181*00c7fec1SAndroid Build Coastguard Worker }
182*00c7fec1SAndroid Build Coastguard Worker
183*00c7fec1SAndroid Build Coastguard Worker // Make sure to clear any state from before factory reset as soon as a credential is
184*00c7fec1SAndroid Build Coastguard Worker // enrolled (which may happen during device setup).
185*00c7fec1SAndroid Build Coastguard Worker clear_state_if_needed();
186*00c7fec1SAndroid Build Coastguard Worker
187*00c7fec1SAndroid Build Coastguard Worker // need a desired password to enroll
188*00c7fec1SAndroid Build Coastguard Worker if (desiredPassword.size() == 0) return GK_ERROR;
189*00c7fec1SAndroid Build Coastguard Worker
190*00c7fec1SAndroid Build Coastguard Worker if (!aidl_hw_device && !hw_device) {
191*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "has no HAL to talk to";
192*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
193*00c7fec1SAndroid Build Coastguard Worker }
194*00c7fec1SAndroid Build Coastguard Worker
195*00c7fec1SAndroid Build Coastguard Worker android::hardware::hidl_vec<uint8_t> curPwdHandle;
196*00c7fec1SAndroid Build Coastguard Worker android::hardware::hidl_vec<uint8_t> curPwd;
197*00c7fec1SAndroid Build Coastguard Worker
198*00c7fec1SAndroid Build Coastguard Worker if (currentPasswordHandle && currentPassword) {
199*00c7fec1SAndroid Build Coastguard Worker if (hw_device) {
200*00c7fec1SAndroid Build Coastguard Worker // Hidl Implementations expects passwordHandle to be in
201*00c7fec1SAndroid Build Coastguard Worker // gatekeeper::password_handle_t format.
202*00c7fec1SAndroid Build Coastguard Worker if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
203*00c7fec1SAndroid Build Coastguard Worker LOG(INFO) << "Password handle has wrong length";
204*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
205*00c7fec1SAndroid Build Coastguard Worker }
206*00c7fec1SAndroid Build Coastguard Worker }
207*00c7fec1SAndroid Build Coastguard Worker curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
208*00c7fec1SAndroid Build Coastguard Worker currentPasswordHandle->size());
209*00c7fec1SAndroid Build Coastguard Worker curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
210*00c7fec1SAndroid Build Coastguard Worker currentPassword->size());
211*00c7fec1SAndroid Build Coastguard Worker }
212*00c7fec1SAndroid Build Coastguard Worker
213*00c7fec1SAndroid Build Coastguard Worker android::hardware::hidl_vec<uint8_t> newPwd;
214*00c7fec1SAndroid Build Coastguard Worker newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
215*00c7fec1SAndroid Build Coastguard Worker
216*00c7fec1SAndroid Build Coastguard Worker uint32_t hw_userId = 0;
217*00c7fec1SAndroid Build Coastguard Worker Status result = adjust_userId(userId, &hw_userId);
218*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
219*00c7fec1SAndroid Build Coastguard Worker return result;
220*00c7fec1SAndroid Build Coastguard Worker }
221*00c7fec1SAndroid Build Coastguard Worker
222*00c7fec1SAndroid Build Coastguard Worker uint64_t secureUserId = 0;
223*00c7fec1SAndroid Build Coastguard Worker if (aidl_hw_device) {
224*00c7fec1SAndroid Build Coastguard Worker // AIDL gatekeeper service
225*00c7fec1SAndroid Build Coastguard Worker AidlGatekeeperEnrollResp rsp;
226*00c7fec1SAndroid Build Coastguard Worker auto result = aidl_hw_device->enroll(hw_userId, curPwdHandle, curPwd, newPwd, &rsp);
227*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
228*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "enroll transaction failed";
229*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
230*00c7fec1SAndroid Build Coastguard Worker }
231*00c7fec1SAndroid Build Coastguard Worker if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
232*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
233*00c7fec1SAndroid Build Coastguard Worker secureUserId = static_cast<uint64_t>(rsp.secureUserId);
234*00c7fec1SAndroid Build Coastguard Worker } else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT && rsp.timeoutMs > 0) {
235*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::retry(rsp.timeoutMs);
236*00c7fec1SAndroid Build Coastguard Worker } else {
237*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::error();
238*00c7fec1SAndroid Build Coastguard Worker }
239*00c7fec1SAndroid Build Coastguard Worker } else if (hw_device) {
240*00c7fec1SAndroid Build Coastguard Worker // HIDL gatekeeper service
241*00c7fec1SAndroid Build Coastguard Worker Return<void> hwRes = hw_device->enroll(
242*00c7fec1SAndroid Build Coastguard Worker hw_userId, curPwdHandle, curPwd, newPwd,
243*00c7fec1SAndroid Build Coastguard Worker [&gkResponse](const GatekeeperResponse& rsp) {
244*00c7fec1SAndroid Build Coastguard Worker if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
245*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
246*00c7fec1SAndroid Build Coastguard Worker } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
247*00c7fec1SAndroid Build Coastguard Worker rsp.timeout > 0) {
248*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::retry(rsp.timeout);
249*00c7fec1SAndroid Build Coastguard Worker } else {
250*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::error();
251*00c7fec1SAndroid Build Coastguard Worker }
252*00c7fec1SAndroid Build Coastguard Worker });
253*00c7fec1SAndroid Build Coastguard Worker if (!hwRes.isOk()) {
254*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "enroll transaction failed";
255*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
256*00c7fec1SAndroid Build Coastguard Worker }
257*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->response_code() == GKResponseCode::OK) {
258*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
259*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "HAL returned password handle of invalid length "
260*00c7fec1SAndroid Build Coastguard Worker << gkResponse->payload().size();
261*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
262*00c7fec1SAndroid Build Coastguard Worker }
263*00c7fec1SAndroid Build Coastguard Worker
264*00c7fec1SAndroid Build Coastguard Worker const gatekeeper::password_handle_t* handle =
265*00c7fec1SAndroid Build Coastguard Worker reinterpret_cast<const gatekeeper::password_handle_t*>(
266*00c7fec1SAndroid Build Coastguard Worker gkResponse->payload().data());
267*00c7fec1SAndroid Build Coastguard Worker secureUserId = handle->user_id;
268*00c7fec1SAndroid Build Coastguard Worker }
269*00c7fec1SAndroid Build Coastguard Worker }
270*00c7fec1SAndroid Build Coastguard Worker
271*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
272*00c7fec1SAndroid Build Coastguard Worker store_sid(userId, secureUserId);
273*00c7fec1SAndroid Build Coastguard Worker
274*00c7fec1SAndroid Build Coastguard Worker GKResponse verifyResponse;
275*00c7fec1SAndroid Build Coastguard Worker // immediately verify this password so we don't ask the user to enter it again
276*00c7fec1SAndroid Build Coastguard Worker // if they just created it.
277*00c7fec1SAndroid Build Coastguard Worker auto status = verify(userId, gkResponse->payload(), desiredPassword, &verifyResponse);
278*00c7fec1SAndroid Build Coastguard Worker if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
279*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "Failed to verify password after enrolling";
280*00c7fec1SAndroid Build Coastguard Worker }
281*00c7fec1SAndroid Build Coastguard Worker }
282*00c7fec1SAndroid Build Coastguard Worker
283*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
284*00c7fec1SAndroid Build Coastguard Worker }
285*00c7fec1SAndroid Build Coastguard Worker
verify(int32_t userId,const::std::vector<uint8_t> & enrolledPasswordHandle,const::std::vector<uint8_t> & providedPassword,GKResponse * gkResponse)286*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle,
287*00c7fec1SAndroid Build Coastguard Worker const ::std::vector<uint8_t>& providedPassword,
288*00c7fec1SAndroid Build Coastguard Worker GKResponse* gkResponse) {
289*00c7fec1SAndroid Build Coastguard Worker return verifyChallenge(userId, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
290*00c7fec1SAndroid Build Coastguard Worker gkResponse);
291*00c7fec1SAndroid Build Coastguard Worker }
292*00c7fec1SAndroid Build Coastguard Worker
verifyChallenge(int32_t userId,int64_t challenge,const std::vector<uint8_t> & enrolledPasswordHandle,const std::vector<uint8_t> & providedPassword,GKResponse * gkResponse)293*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::verifyChallenge(int32_t userId, int64_t challenge,
294*00c7fec1SAndroid Build Coastguard Worker const std::vector<uint8_t>& enrolledPasswordHandle,
295*00c7fec1SAndroid Build Coastguard Worker const std::vector<uint8_t>& providedPassword,
296*00c7fec1SAndroid Build Coastguard Worker GKResponse* gkResponse) {
297*00c7fec1SAndroid Build Coastguard Worker IPCThreadState* ipc = IPCThreadState::self();
298*00c7fec1SAndroid Build Coastguard Worker const int calling_pid = ipc->getCallingPid();
299*00c7fec1SAndroid Build Coastguard Worker const int calling_uid = ipc->getCallingUid();
300*00c7fec1SAndroid Build Coastguard Worker if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
301*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
302*00c7fec1SAndroid Build Coastguard Worker }
303*00c7fec1SAndroid Build Coastguard Worker
304*00c7fec1SAndroid Build Coastguard Worker // can't verify if we're missing either param
305*00c7fec1SAndroid Build Coastguard Worker if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
306*00c7fec1SAndroid Build Coastguard Worker
307*00c7fec1SAndroid Build Coastguard Worker if (!aidl_hw_device && !hw_device) {
308*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "has no HAL to talk to";
309*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
310*00c7fec1SAndroid Build Coastguard Worker }
311*00c7fec1SAndroid Build Coastguard Worker
312*00c7fec1SAndroid Build Coastguard Worker if (hw_device) {
313*00c7fec1SAndroid Build Coastguard Worker // Hidl Implementations expects passwordHandle to be in gatekeeper::password_handle_t
314*00c7fec1SAndroid Build Coastguard Worker if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
315*00c7fec1SAndroid Build Coastguard Worker LOG(INFO) << "Password handle has wrong length";
316*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
317*00c7fec1SAndroid Build Coastguard Worker }
318*00c7fec1SAndroid Build Coastguard Worker }
319*00c7fec1SAndroid Build Coastguard Worker
320*00c7fec1SAndroid Build Coastguard Worker uint32_t hw_userId = 0;
321*00c7fec1SAndroid Build Coastguard Worker Status result = adjust_userId(userId, &hw_userId);
322*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
323*00c7fec1SAndroid Build Coastguard Worker return result;
324*00c7fec1SAndroid Build Coastguard Worker }
325*00c7fec1SAndroid Build Coastguard Worker
326*00c7fec1SAndroid Build Coastguard Worker android::hardware::hidl_vec<uint8_t> curPwdHandle;
327*00c7fec1SAndroid Build Coastguard Worker curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
328*00c7fec1SAndroid Build Coastguard Worker enrolledPasswordHandle.size());
329*00c7fec1SAndroid Build Coastguard Worker android::hardware::hidl_vec<uint8_t> enteredPwd;
330*00c7fec1SAndroid Build Coastguard Worker enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
331*00c7fec1SAndroid Build Coastguard Worker providedPassword.size());
332*00c7fec1SAndroid Build Coastguard Worker
333*00c7fec1SAndroid Build Coastguard Worker uint64_t secureUserId = 0;
334*00c7fec1SAndroid Build Coastguard Worker if (aidl_hw_device) {
335*00c7fec1SAndroid Build Coastguard Worker // AIDL gatekeeper service
336*00c7fec1SAndroid Build Coastguard Worker AidlGatekeeperVerifyResp rsp;
337*00c7fec1SAndroid Build Coastguard Worker auto result = aidl_hw_device->verify(hw_userId, challenge, curPwdHandle, enteredPwd, &rsp);
338*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
339*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "verify transaction failed";
340*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
341*00c7fec1SAndroid Build Coastguard Worker }
342*00c7fec1SAndroid Build Coastguard Worker if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
343*00c7fec1SAndroid Build Coastguard Worker secureUserId = rsp.hardwareAuthToken.userId;
344*00c7fec1SAndroid Build Coastguard Worker // Serialize HardwareAuthToken to a vector as hw_auth_token_t.
345*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::ok(
346*00c7fec1SAndroid Build Coastguard Worker authToken2AidlVec(rsp.hardwareAuthToken),
347*00c7fec1SAndroid Build Coastguard Worker rsp.statusCode == AidlIGatekeeper::STATUS_REENROLL /* reenroll */);
348*00c7fec1SAndroid Build Coastguard Worker } else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT) {
349*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::retry(rsp.timeoutMs);
350*00c7fec1SAndroid Build Coastguard Worker } else {
351*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::error();
352*00c7fec1SAndroid Build Coastguard Worker }
353*00c7fec1SAndroid Build Coastguard Worker } else if (hw_device) {
354*00c7fec1SAndroid Build Coastguard Worker // HIDL gatekeeper service
355*00c7fec1SAndroid Build Coastguard Worker Return<void> hwRes = hw_device->verify(
356*00c7fec1SAndroid Build Coastguard Worker hw_userId, challenge, curPwdHandle, enteredPwd,
357*00c7fec1SAndroid Build Coastguard Worker [&gkResponse](const GatekeeperResponse& rsp) {
358*00c7fec1SAndroid Build Coastguard Worker if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
359*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::ok(
360*00c7fec1SAndroid Build Coastguard Worker {rsp.data.begin(), rsp.data.end()},
361*00c7fec1SAndroid Build Coastguard Worker rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
362*00c7fec1SAndroid Build Coastguard Worker } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
363*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::retry(rsp.timeout);
364*00c7fec1SAndroid Build Coastguard Worker } else {
365*00c7fec1SAndroid Build Coastguard Worker *gkResponse = GKResponse::error();
366*00c7fec1SAndroid Build Coastguard Worker }
367*00c7fec1SAndroid Build Coastguard Worker });
368*00c7fec1SAndroid Build Coastguard Worker
369*00c7fec1SAndroid Build Coastguard Worker if (!hwRes.isOk()) {
370*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "verify transaction failed";
371*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
372*00c7fec1SAndroid Build Coastguard Worker }
373*00c7fec1SAndroid Build Coastguard Worker const gatekeeper::password_handle_t* handle =
374*00c7fec1SAndroid Build Coastguard Worker reinterpret_cast<const gatekeeper::password_handle_t*>(
375*00c7fec1SAndroid Build Coastguard Worker enrolledPasswordHandle.data());
376*00c7fec1SAndroid Build Coastguard Worker secureUserId = handle->user_id;
377*00c7fec1SAndroid Build Coastguard Worker }
378*00c7fec1SAndroid Build Coastguard Worker
379*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->response_code() == GKResponseCode::OK) {
380*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->payload().size() != 0) {
381*00c7fec1SAndroid Build Coastguard Worker // try to connect to IKeystoreAuthorization AIDL service first.
382*00c7fec1SAndroid Build Coastguard Worker AIBinder* authzAIBinder = AServiceManager_getService("android.security.authorization");
383*00c7fec1SAndroid Build Coastguard Worker ::ndk::SpAIBinder authzBinder(authzAIBinder);
384*00c7fec1SAndroid Build Coastguard Worker auto authzService = IKeystoreAuthorization::fromBinder(authzBinder);
385*00c7fec1SAndroid Build Coastguard Worker if (authzService) {
386*00c7fec1SAndroid Build Coastguard Worker if (gkResponse->payload().size() != sizeof(hw_auth_token_t)) {
387*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "Incorrect size of AuthToken payload.";
388*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
389*00c7fec1SAndroid Build Coastguard Worker }
390*00c7fec1SAndroid Build Coastguard Worker
391*00c7fec1SAndroid Build Coastguard Worker const hw_auth_token_t* hwAuthToken =
392*00c7fec1SAndroid Build Coastguard Worker reinterpret_cast<const hw_auth_token_t*>(gkResponse->payload().data());
393*00c7fec1SAndroid Build Coastguard Worker HardwareAuthToken authToken;
394*00c7fec1SAndroid Build Coastguard Worker
395*00c7fec1SAndroid Build Coastguard Worker authToken.timestamp.milliSeconds = betoh64(hwAuthToken->timestamp);
396*00c7fec1SAndroid Build Coastguard Worker authToken.challenge = hwAuthToken->challenge;
397*00c7fec1SAndroid Build Coastguard Worker authToken.userId = hwAuthToken->user_id;
398*00c7fec1SAndroid Build Coastguard Worker authToken.authenticatorId = hwAuthToken->authenticator_id;
399*00c7fec1SAndroid Build Coastguard Worker authToken.authenticatorType = static_cast<HardwareAuthenticatorType>(
400*00c7fec1SAndroid Build Coastguard Worker betoh32(hwAuthToken->authenticator_type));
401*00c7fec1SAndroid Build Coastguard Worker authToken.mac.assign(&hwAuthToken->hmac[0], &hwAuthToken->hmac[32]);
402*00c7fec1SAndroid Build Coastguard Worker auto result = authzService->addAuthToken(authToken);
403*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
404*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "Failure in sending AuthToken to AuthorizationService.";
405*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
406*00c7fec1SAndroid Build Coastguard Worker }
407*00c7fec1SAndroid Build Coastguard Worker } else {
408*00c7fec1SAndroid Build Coastguard Worker LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with "
409*00c7fec1SAndroid Build Coastguard Worker "Keystore.";
410*00c7fec1SAndroid Build Coastguard Worker return GK_ERROR;
411*00c7fec1SAndroid Build Coastguard Worker }
412*00c7fec1SAndroid Build Coastguard Worker }
413*00c7fec1SAndroid Build Coastguard Worker
414*00c7fec1SAndroid Build Coastguard Worker maybe_store_sid(userId, secureUserId);
415*00c7fec1SAndroid Build Coastguard Worker }
416*00c7fec1SAndroid Build Coastguard Worker
417*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
418*00c7fec1SAndroid Build Coastguard Worker }
419*00c7fec1SAndroid Build Coastguard Worker
getSecureUserId(int32_t userId,int64_t * sid)420*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::getSecureUserId(int32_t userId, int64_t* sid) {
421*00c7fec1SAndroid Build Coastguard Worker *sid = read_sid(userId);
422*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
423*00c7fec1SAndroid Build Coastguard Worker }
424*00c7fec1SAndroid Build Coastguard Worker
clearSecureUserId(int32_t userId)425*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::clearSecureUserId(int32_t userId) {
426*00c7fec1SAndroid Build Coastguard Worker IPCThreadState* ipc = IPCThreadState::self();
427*00c7fec1SAndroid Build Coastguard Worker const int calling_pid = ipc->getCallingPid();
428*00c7fec1SAndroid Build Coastguard Worker const int calling_uid = ipc->getCallingUid();
429*00c7fec1SAndroid Build Coastguard Worker if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
430*00c7fec1SAndroid Build Coastguard Worker ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
431*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
432*00c7fec1SAndroid Build Coastguard Worker }
433*00c7fec1SAndroid Build Coastguard Worker clear_sid(userId);
434*00c7fec1SAndroid Build Coastguard Worker
435*00c7fec1SAndroid Build Coastguard Worker uint32_t hw_userId = 0;
436*00c7fec1SAndroid Build Coastguard Worker Status result = adjust_userId(userId, &hw_userId);
437*00c7fec1SAndroid Build Coastguard Worker if (!result.isOk()) {
438*00c7fec1SAndroid Build Coastguard Worker return result;
439*00c7fec1SAndroid Build Coastguard Worker }
440*00c7fec1SAndroid Build Coastguard Worker
441*00c7fec1SAndroid Build Coastguard Worker if (aidl_hw_device) {
442*00c7fec1SAndroid Build Coastguard Worker aidl_hw_device->deleteUser(hw_userId);
443*00c7fec1SAndroid Build Coastguard Worker } else if (hw_device) {
444*00c7fec1SAndroid Build Coastguard Worker hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {});
445*00c7fec1SAndroid Build Coastguard Worker }
446*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
447*00c7fec1SAndroid Build Coastguard Worker }
448*00c7fec1SAndroid Build Coastguard Worker
reportDeviceSetupComplete()449*00c7fec1SAndroid Build Coastguard Worker Status GateKeeperProxy::reportDeviceSetupComplete() {
450*00c7fec1SAndroid Build Coastguard Worker IPCThreadState* ipc = IPCThreadState::self();
451*00c7fec1SAndroid Build Coastguard Worker const int calling_pid = ipc->getCallingPid();
452*00c7fec1SAndroid Build Coastguard Worker const int calling_uid = ipc->getCallingUid();
453*00c7fec1SAndroid Build Coastguard Worker if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
454*00c7fec1SAndroid Build Coastguard Worker ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
455*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
456*00c7fec1SAndroid Build Coastguard Worker }
457*00c7fec1SAndroid Build Coastguard Worker
458*00c7fec1SAndroid Build Coastguard Worker clear_state_if_needed();
459*00c7fec1SAndroid Build Coastguard Worker return Status::ok();
460*00c7fec1SAndroid Build Coastguard Worker }
461*00c7fec1SAndroid Build Coastguard Worker
dump(int fd,const Vector<String16> &)462*00c7fec1SAndroid Build Coastguard Worker status_t GateKeeperProxy::dump(int fd, const Vector<String16>&) {
463*00c7fec1SAndroid Build Coastguard Worker IPCThreadState* ipc = IPCThreadState::self();
464*00c7fec1SAndroid Build Coastguard Worker const int pid = ipc->getCallingPid();
465*00c7fec1SAndroid Build Coastguard Worker const int uid = ipc->getCallingUid();
466*00c7fec1SAndroid Build Coastguard Worker if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
467*00c7fec1SAndroid Build Coastguard Worker return PERMISSION_DENIED;
468*00c7fec1SAndroid Build Coastguard Worker }
469*00c7fec1SAndroid Build Coastguard Worker
470*00c7fec1SAndroid Build Coastguard Worker if (aidl_hw_device == nullptr && hw_device == nullptr) {
471*00c7fec1SAndroid Build Coastguard Worker const char* result = "Device not available";
472*00c7fec1SAndroid Build Coastguard Worker write(fd, result, strlen(result) + 1);
473*00c7fec1SAndroid Build Coastguard Worker } else {
474*00c7fec1SAndroid Build Coastguard Worker const char* result = "OK";
475*00c7fec1SAndroid Build Coastguard Worker write(fd, result, strlen(result) + 1);
476*00c7fec1SAndroid Build Coastguard Worker }
477*00c7fec1SAndroid Build Coastguard Worker
478*00c7fec1SAndroid Build Coastguard Worker return OK;
479*00c7fec1SAndroid Build Coastguard Worker }
480*00c7fec1SAndroid Build Coastguard Worker } // namespace android
481