openkylin
/
platform_system_core
mirror of https://gitee.com/openkylin/platform_system_core.git
9
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge changes from topic "gatekeeper_maintenance" 

* changes:
  Replace legacy trusty gatekeeper HAL with HIDLized version
  Gatekeeperd maintenance
This commit is contained in:
Janis Danisevskis 2019-06-28 00:43:10 +00:00 committed by Gerrit Code Review
parent c4117afdc9 7daa66aa07
commit e180ec52a2
21 changed files with 651 additions and 1368 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
gatekeeperd/Android.bp
View File

@ -23,8 +23,6 @@ cc_binary {
"-Wunused",
],
srcs: [
"SoftGateKeeperDevice.cpp",
"IGateKeeperService.cpp",
"gatekeeperd.cpp",
],
@ -43,9 +41,44 @@ cc_binary {
"libhidltransport",
"libhwbinder",
"android.hardware.gatekeeper@1.0",
"libgatekeeper_aidl",
],
static_libs: ["libscrypt_static"],
include_dirs: ["external/scrypt/lib/crypto"],
init_rc: ["gatekeeperd.rc"],
}
filegroup {
name: "gatekeeper_aidl",
srcs: [
"binder/android/service/gatekeeper/IGateKeeperService.aidl",
],
path: "binder",
}
cc_library_shared {
name: "libgatekeeper_aidl",
srcs: [
":gatekeeper_aidl",
"GateKeeperResponse.cpp",
],
aidl: {
export_aidl_headers: true,
include_dirs: [
"system/core/gatekeeperd/binder",
"frameworks/base/core/java/",
],
},
export_include_dirs: ["include"],
shared_libs: [
"libbase",
"libbinder",
"libcutils",
"liblog",
"libutils",
],
export_shared_lib_headers: [
"libbinder",
],
}

83
gatekeeperd/GateKeeperResponse.cpp Normal file
View File

@ -0,0 +1,83 @@
/*
**
** Copyright 2019, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#define LOG_TAG "gatekeeperd"
#include <gatekeeper/GateKeeperResponse.h>
#include <binder/Parcel.h>
#include <android-base/logging.h>
namespace android {
namespace service {
namespace gatekeeper {
status_t GateKeeperResponse::readFromParcel(const Parcel* in) {
if (in == nullptr) {
LOG(ERROR) << "readFromParcel got null in parameter";
return BAD_VALUE;
}
timeout_ = 0;
should_reenroll_ = false;
payload_ = {};
response_code_ = ResponseCode(in->readInt32());
if (response_code_ == ResponseCode::OK) {
should_reenroll_ = in->readInt32();
ssize_t length = in->readInt32();
if (length > 0) {
length = in->readInt32();
const uint8_t* buf = reinterpret_cast<const uint8_t*>(in->readInplace(length));
if (buf == nullptr) {
LOG(ERROR) << "readInplace returned null buffer for length " << length;
return BAD_VALUE;
}
payload_.resize(length);
std::copy(buf, buf + length, payload_.data());
}
} else if (response_code_ == ResponseCode::RETRY) {
timeout_ = in->readInt32();
}
return NO_ERROR;
}
status_t GateKeeperResponse::writeToParcel(Parcel* out) const {
if (out == nullptr) {
LOG(ERROR) << "writeToParcel got null out parameter";
return BAD_VALUE;
}
out->writeInt32(int32_t(response_code_));
if (response_code_ == ResponseCode::OK) {
out->writeInt32(should_reenroll_);
out->writeInt32(payload_.size());
if (payload_.size() != 0) {
out->writeInt32(payload_.size());
uint8_t* buf = reinterpret_cast<uint8_t*>(out->writeInplace(payload_.size()));
if (buf == nullptr) {
LOG(ERROR) << "writeInplace returned null buffer for length " << payload_.size();
return BAD_VALUE;
}
std::copy(payload_.begin(), payload_.end(), buf);
}
} else if (response_code_ == ResponseCode::RETRY) {
out->writeInt32(timeout_);
}
return NO_ERROR;
}
} // namespace gatekeeper
} // namespace service
} // namespace android

173
gatekeeperd/IGateKeeperService.cpp
View File

@ -1,173 +0,0 @@
/*
* Copyright 2015, The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "GateKeeperService"
#include <utils/Log.h>
#include "IGateKeeperService.h"
namespace android {
const android::String16 IGateKeeperService::descriptor("android.service.gatekeeper.IGateKeeperService");
const android::String16& IGateKeeperService::getInterfaceDescriptor() const {
return IGateKeeperService::descriptor;
}
status_t BnGateKeeperService::onTransact(
uint32_t code, const Parcel& data, Parcel* reply, uint32_t flags) {
switch(code) {
case ENROLL: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
ssize_t currentPasswordHandleSize = data.readInt32();
const uint8_t *currentPasswordHandle =
static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
if (!currentPasswordHandle) currentPasswordHandleSize = 0;
ssize_t currentPasswordSize = data.readInt32();
const uint8_t *currentPassword =
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
ssize_t desiredPasswordSize = data.readInt32();
const uint8_t *desiredPassword =
static_cast<const uint8_t *>(data.readInplace(desiredPasswordSize));
if (!desiredPassword) desiredPasswordSize = 0;
uint8_t *out = NULL;
uint32_t outSize = 0;
int ret = enroll(uid, currentPasswordHandle, currentPasswordHandleSize,
currentPassword, currentPasswordSize, desiredPassword,
desiredPasswordSize, &out, &outSize);
reply->writeNoException();
reply->writeInt32(1);
if (ret == 0 && outSize > 0 && out != NULL) {
reply->writeInt32(GATEKEEPER_RESPONSE_OK);
reply->writeInt32(0);
reply->writeInt32(outSize);
reply->writeInt32(outSize);
void *buf = reply->writeInplace(outSize);
memcpy(buf, out, outSize);
delete[] out;
} else if (ret > 0) {
reply->writeInt32(GATEKEEPER_RESPONSE_RETRY);
reply->writeInt32(ret);
} else {
reply->writeInt32(GATEKEEPER_RESPONSE_ERROR);
}
return OK;
}
case VERIFY: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
ssize_t currentPasswordHandleSize = data.readInt32();
const uint8_t *currentPasswordHandle =
static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
if (!currentPasswordHandle) currentPasswordHandleSize = 0;
ssize_t currentPasswordSize = data.readInt32();
const uint8_t *currentPassword =
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
bool request_reenroll = false;
int ret = verify(uid, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
&request_reenroll);
reply->writeNoException();
reply->writeInt32(1);
if (ret == 0) {
reply->writeInt32(GATEKEEPER_RESPONSE_OK);
reply->writeInt32(request_reenroll ? 1 : 0);
reply->writeInt32(0); // no payload returned from this call
} else if (ret > 0) {
reply->writeInt32(GATEKEEPER_RESPONSE_RETRY);
reply->writeInt32(ret);
} else {
reply->writeInt32(GATEKEEPER_RESPONSE_ERROR);
}
return OK;
}
case VERIFY_CHALLENGE: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
uint64_t challenge = data.readInt64();
ssize_t currentPasswordHandleSize = data.readInt32();
const uint8_t *currentPasswordHandle =
static_cast<const uint8_t *>(data.readInplace(currentPasswordHandleSize));
if (!currentPasswordHandle) currentPasswordHandleSize = 0;
ssize_t currentPasswordSize = data.readInt32();
const uint8_t *currentPassword =
static_cast<const uint8_t *>(data.readInplace(currentPasswordSize));
if (!currentPassword) currentPasswordSize = 0;
uint8_t *out = NULL;
uint32_t outSize = 0;
bool request_reenroll = false;
int ret = verifyChallenge(uid, challenge, (uint8_t *) currentPasswordHandle,
currentPasswordHandleSize, (uint8_t *) currentPassword, currentPasswordSize,
&out, &outSize, &request_reenroll);
reply->writeNoException();
reply->writeInt32(1);
if (ret == 0 && outSize > 0 && out != NULL) {
reply->writeInt32(GATEKEEPER_RESPONSE_OK);
reply->writeInt32(request_reenroll ? 1 : 0);
reply->writeInt32(outSize);
reply->writeInt32(outSize);
void *buf = reply->writeInplace(outSize);
memcpy(buf, out, outSize);
delete[] out;
} else if (ret > 0) {
reply->writeInt32(GATEKEEPER_RESPONSE_RETRY);
reply->writeInt32(ret);
} else {
reply->writeInt32(GATEKEEPER_RESPONSE_ERROR);
}
return OK;
}
case GET_SECURE_USER_ID: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
uint64_t sid = getSecureUserId(uid);
reply->writeNoException();
reply->writeInt64(sid);
return OK;
}
case CLEAR_SECURE_USER_ID: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
uint32_t uid = data.readInt32();
clearSecureUserId(uid);
reply->writeNoException();
return OK;
}
case REPORT_DEVICE_SETUP_COMPLETE: {
CHECK_INTERFACE(IGateKeeperService, data, reply);
reportDeviceSetupComplete();
reply->writeNoException();
return OK;
}
default:
return BBinder::onTransact(code, data, reply, flags);
}
};
}; // namespace android

118
gatekeeperd/IGateKeeperService.h
View File

@ -1,118 +0,0 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef IGATEKEEPER_SERVICE_H_
#define IGATEKEEPER_SERVICE_H_
#include <binder/IInterface.h>
#include <binder/Parcel.h>
namespace android {
/*
* This must be kept manually in sync with frameworks/base's IGateKeeperService.aidl
*/
class IGateKeeperService : public IInterface {
public:
enum {
ENROLL = IBinder::FIRST_CALL_TRANSACTION + 0,
VERIFY = IBinder::FIRST_CALL_TRANSACTION + 1,
VERIFY_CHALLENGE = IBinder::FIRST_CALL_TRANSACTION + 2,
GET_SECURE_USER_ID = IBinder::FIRST_CALL_TRANSACTION + 3,
CLEAR_SECURE_USER_ID = IBinder::FIRST_CALL_TRANSACTION + 4,
REPORT_DEVICE_SETUP_COMPLETE = IBinder::FIRST_CALL_TRANSACTION + 5,
};
enum {
GATEKEEPER_RESPONSE_OK = 0,
GATEKEEPER_RESPONSE_RETRY = 1,
GATEKEEPER_RESPONSE_ERROR = -1,
};
// DECLARE_META_INTERFACE - C++ client interface not needed
static const android::String16 descriptor;
virtual const android::String16& getInterfaceDescriptor() const;
IGateKeeperService() {}
virtual ~IGateKeeperService() {}
/**
* Enrolls a password with the GateKeeper. Returns 0 on success, negative on failure.
* Returns:
* - 0 on success
* - A timestamp T > 0 if the call has failed due to throttling and should not
* be reattempted until T milliseconds have elapsed
* - -1 on failure
*/
virtual int enroll(uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) = 0;
/**
* Verifies a password previously enrolled with the GateKeeper.
* Returns:
* - 0 on success
* - A timestamp T > 0 if the call has failed due to throttling and should not
* be reattempted until T milliseconds have elapsed
* - -1 on failure
*/
virtual int verify(uint32_t uid, const uint8_t *enrolled_password_handle,
uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
bool *request_reenroll) = 0;
/**
* Verifies a password previously enrolled with the GateKeeper.
* Returns:
* - 0 on success
* - A timestamp T > 0 if the call has failed due to throttling and should not
* be reattempted until T milliseconds have elapsed
* - -1 on failure
*/
virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) = 0;
/**
* Returns the secure user ID for the provided android user
*/
virtual uint64_t getSecureUserId(uint32_t uid) = 0;
/**
* Clears the secure user ID associated with the user.
*/
virtual void clearSecureUserId(uint32_t uid) = 0;
/**
* Notifies gatekeeper that device setup has been completed and any potentially still existing
* state from before a factory reset can be cleaned up (if it has not been already).
*/
virtual void reportDeviceSetupComplete() = 0;
};
// ----------------------------------------------------------------------------
class BnGateKeeperService: public BnInterface<IGateKeeperService> {
public:
virtual status_t onTransact(uint32_t code, const Parcel& data, Parcel* reply,
uint32_t flags = 0);
};
} // namespace android
#endif

182
gatekeeperd/SoftGateKeeper.h
View File

@ -1,182 +0,0 @@
/*
* Copyright 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*
*/
#ifndef SOFT_GATEKEEPER_H_
#define SOFT_GATEKEEPER_H_
extern "C" {
#include <openssl/rand.h>
#include <openssl/sha.h>
#include <crypto_scrypt.h>
}
#include <android-base/memory.h>
#include <gatekeeper/gatekeeper.h>
#include <iostream>
#include <unordered_map>
#include <memory>
namespace gatekeeper {
struct fast_hash_t {
uint64_t salt;
uint8_t digest[SHA256_DIGEST_LENGTH];
};
class SoftGateKeeper : public GateKeeper {
public:
static const uint32_t SIGNATURE_LENGTH_BYTES = 32;
// scrypt params
static const uint64_t N = 16384;
static const uint32_t r = 8;
static const uint32_t p = 1;
static const int MAX_UINT_32_CHARS = 11;
SoftGateKeeper() {
key_.reset(new uint8_t[SIGNATURE_LENGTH_BYTES]);
memset(key_.get(), 0, SIGNATURE_LENGTH_BYTES);
}
virtual ~SoftGateKeeper() {
}
virtual bool GetAuthTokenKey(const uint8_t **auth_token_key,
uint32_t *length) const {
if (auth_token_key == NULL || length == NULL) return false;
uint8_t *auth_token_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
memcpy(auth_token_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
*auth_token_key = auth_token_key_copy;
*length = SIGNATURE_LENGTH_BYTES;
return true;
}
virtual void GetPasswordKey(const uint8_t **password_key, uint32_t *length) {
if (password_key == NULL || length == NULL) return;
uint8_t *password_key_copy = new uint8_t[SIGNATURE_LENGTH_BYTES];
memcpy(password_key_copy, key_.get(), SIGNATURE_LENGTH_BYTES);
*password_key = password_key_copy;
*length = SIGNATURE_LENGTH_BYTES;
}
virtual void ComputePasswordSignature(uint8_t *signature, uint32_t signature_length,
const uint8_t *, uint32_t, const uint8_t *password,
uint32_t password_length, salt_t salt) const {
if (signature == NULL) return;
crypto_scrypt(password, password_length, reinterpret_cast<uint8_t *>(&salt),
sizeof(salt), N, r, p, signature, signature_length);
}
virtual void GetRandom(void *random, uint32_t requested_length) const {
if (random == NULL) return;
RAND_pseudo_bytes((uint8_t *) random, requested_length);
}
virtual void ComputeSignature(uint8_t *signature, uint32_t signature_length,
const uint8_t *, uint32_t, const uint8_t *, const uint32_t) const {
if (signature == NULL) return;
memset(signature, 0, signature_length);
}
virtual uint64_t GetMillisecondsSinceBoot() const {
struct timespec time;
int res = clock_gettime(CLOCK_BOOTTIME, &time);
if (res < 0) return 0;
return (time.tv_sec * 1000) + (time.tv_nsec / 1000 / 1000);
}
virtual bool IsHardwareBacked() const {
return false;
}
virtual bool GetFailureRecord(uint32_t uid, secure_id_t user_id, failure_record_t *record,
bool /* secure */) {
failure_record_t *stored = &failure_map_[uid];
if (user_id != stored->secure_user_id) {
stored->secure_user_id = user_id;
stored->last_checked_timestamp = 0;
stored->failure_counter = 0;
}
memcpy(record, stored, sizeof(*record));
return true;
}
virtual bool ClearFailureRecord(uint32_t uid, secure_id_t user_id, bool /* secure */) {
failure_record_t *stored = &failure_map_[uid];
stored->secure_user_id = user_id;
stored->last_checked_timestamp = 0;
stored->failure_counter = 0;
return true;
}
virtual bool WriteFailureRecord(uint32_t uid, failure_record_t *record, bool /* secure */) {
failure_map_[uid] = *record;
return true;
}
fast_hash_t ComputeFastHash(const SizedBuffer &password, uint64_t salt) {
fast_hash_t fast_hash;
size_t digest_size = password.length + sizeof(salt);
std::unique_ptr<uint8_t[]> digest(new uint8_t[digest_size]);
memcpy(digest.get(), &salt, sizeof(salt));
memcpy(digest.get() + sizeof(salt), password.buffer.get(), password.length);
SHA256(digest.get(), digest_size, (uint8_t *) &fast_hash.digest);
fast_hash.salt = salt;
return fast_hash;
}
bool VerifyFast(const fast_hash_t &fast_hash, const SizedBuffer &password) {
fast_hash_t computed = ComputeFastHash(password, fast_hash.salt);
return memcmp(computed.digest, fast_hash.digest, SHA256_DIGEST_LENGTH) == 0;
}
bool DoVerify(const password_handle_t *expected_handle, const SizedBuffer &password) {
uint64_t user_id = android::base::get_unaligned<secure_id_t>(&expected_handle->user_id);
FastHashMap::const_iterator it = fast_hash_map_.find(user_id);
if (it != fast_hash_map_.end() && VerifyFast(it->second, password)) {
return true;
} else {
if (GateKeeper::DoVerify(expected_handle, password)) {
uint64_t salt;
GetRandom(&salt, sizeof(salt));
fast_hash_map_[user_id] = ComputeFastHash(password, salt);
return true;
}
}
return false;
}
private:
typedef std::unordered_map<uint32_t, failure_record_t> FailureRecordMap;
typedef std::unordered_map<uint64_t, fast_hash_t> FastHashMap;
std::unique_ptr<uint8_t[]> key_;
FailureRecordMap failure_map_;
FastHashMap fast_hash_map_;
};
}
#endif // SOFT_GATEKEEPER_H_

110
gatekeeperd/SoftGateKeeperDevice.cpp
View File

@ -1,110 +0,0 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "SoftGateKeeper.h"
#include "SoftGateKeeperDevice.h"
namespace android {
int SoftGateKeeperDevice::enroll(uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
if (enrolled_password_handle == NULL || enrolled_password_handle_length == NULL ||
desired_password == NULL || desired_password_length == 0)
return -EINVAL;
// Current password and current password handle go together
if (current_password_handle == NULL || current_password_handle_length == 0 ||
current_password == NULL || current_password_length == 0) {
current_password_handle = NULL;
current_password_handle_length = 0;
current_password = NULL;
current_password_length = 0;
}
SizedBuffer desired_password_buffer(desired_password_length);
memcpy(desired_password_buffer.buffer.get(), desired_password, desired_password_length);
SizedBuffer current_password_handle_buffer(current_password_handle_length);
if (current_password_handle) {
memcpy(current_password_handle_buffer.buffer.get(), current_password_handle,
current_password_handle_length);
}
SizedBuffer current_password_buffer(current_password_length);
if (current_password) {
memcpy(current_password_buffer.buffer.get(), current_password, current_password_length);
}
EnrollRequest request(uid, &current_password_handle_buffer, &desired_password_buffer,
&current_password_buffer);
EnrollResponse response;
impl_->Enroll(request, &response);
if (response.error == ERROR_RETRY) {
return response.retry_timeout;
} else if (response.error != ERROR_NONE) {
return -EINVAL;
}
*enrolled_password_handle = response.enrolled_password_handle.buffer.release();
*enrolled_password_handle_length = response.enrolled_password_handle.length;
return 0;
}
int SoftGateKeeperDevice::verify(uint32_t uid,
uint64_t challenge, const uint8_t *enrolled_password_handle,
uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
bool *request_reenroll) {
if (enrolled_password_handle == NULL ||
provided_password == NULL) {
return -EINVAL;
}
SizedBuffer password_handle_buffer(enrolled_password_handle_length);
memcpy(password_handle_buffer.buffer.get(), enrolled_password_handle,
enrolled_password_handle_length);
SizedBuffer provided_password_buffer(provided_password_length);
memcpy(provided_password_buffer.buffer.get(), provided_password, provided_password_length);
VerifyRequest request(uid, challenge, &password_handle_buffer, &provided_password_buffer);
VerifyResponse response;
impl_->Verify(request, &response);
if (response.error == ERROR_RETRY) {
return response.retry_timeout;
} else if (response.error != ERROR_NONE) {
return -EINVAL;
}
if (auth_token != NULL && auth_token_length != NULL) {
*auth_token = response.auth_token.buffer.release();
*auth_token_length = response.auth_token.length;
}
if (request_reenroll != NULL) {
*request_reenroll = response.request_reenroll;
}
return 0;
}
} // namespace android

76
gatekeeperd/SoftGateKeeperDevice.h
View File

@ -1,76 +0,0 @@
/*
* Copyright 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef SOFT_GATEKEEPER_DEVICE_H_
#define SOFT_GATEKEEPER_DEVICE_H_
#include "SoftGateKeeper.h"
#include <memory>
using namespace gatekeeper;
namespace android {
/**
* Software based GateKeeper implementation
*/
class SoftGateKeeperDevice {
public:
SoftGateKeeperDevice() {
impl_.reset(new SoftGateKeeper());
}
// Wrappers to translate the gatekeeper HAL API to the Kegyuard Messages API.
/**
* Enrolls password_payload, which should be derived from a user selected pin or password,
* with the authentication factor private key used only for enrolling authentication
* factor data.
*
* Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password_handle will not be allocated.
*/
int enroll(uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
/**
* Verifies provided_password matches enrolled_password_handle.
*
* Implementations of this module may retain the result of this call
* to attest to the recency of authentication.
*
* On success, writes the address of a verification token to auth_token,
* usable to attest password verification to other trusted services. Clients
* may pass NULL for this value.
*
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
int verify(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
private:
std::unique_ptr<SoftGateKeeper> impl_;
};
} // namespace gatekeeper
#endif //SOFT_GATEKEEPER_DEVICE_H_

24
gatekeeperd/binder/android/service/gatekeeper/GateKeeperResponse.aidl Normal file
View File

@ -0,0 +1,24 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.service.gatekeeper;
/**
* Response object for a GateKeeper verification request.
* @hide
*/
parcelable GateKeeperResponse cpp_header "gatekeeper/GateKeeperResponse.h";

87
gatekeeperd/binder/android/service/gatekeeper/IGateKeeperService.aidl Normal file
View File

@ -0,0 +1,87 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package android.service.gatekeeper;
import android.service.gatekeeper.GateKeeperResponse;
/**
* Interface for communication with GateKeeper, the
* secure password storage daemon.
*
* This must be kept manually in sync with system/core/gatekeeperd
* until AIDL can generate both C++ and Java bindings.
*
* @hide
*/
interface IGateKeeperService {
/**
* Enrolls a password, returning the handle to the enrollment to be stored locally.
* @param uid The Android user ID associated to this enrollment
* @param currentPasswordHandle The previously enrolled handle, or null if none
* @param currentPassword The previously enrolled plaintext password, or null if none.
* If provided, must verify against the currentPasswordHandle.
* @param desiredPassword The new desired password, for which a handle will be returned
* upon success.
* @return an EnrollResponse or null on failure
*/
GateKeeperResponse enroll(int uid, in @nullable byte[] currentPasswordHandle,
in @nullable byte[] currentPassword, in byte[] desiredPassword);
/**
* Verifies an enrolled handle against a provided, plaintext blob.
* @param uid The Android user ID associated to this enrollment
* @param enrolledPasswordHandle The handle against which the provided password will be
* verified.
* @param The plaintext blob to verify against enrolledPassword.
* @return a VerifyResponse, or null on failure.
*/
GateKeeperResponse verify(int uid, in byte[] enrolledPasswordHandle, in byte[] providedPassword);
/**
* Verifies an enrolled handle against a provided, plaintext blob.
* @param uid The Android user ID associated to this enrollment
* @param challenge a challenge to authenticate agaisnt the device credential. If successful
* authentication occurs, this value will be written to the returned
* authentication attestation.
* @param enrolledPasswordHandle The handle against which the provided password will be
* verified.
* @param The plaintext blob to verify against enrolledPassword.
* @return a VerifyResponse with an attestation, or null on failure.
*/
GateKeeperResponse verifyChallenge(int uid, long challenge, in byte[] enrolledPasswordHandle,
in byte[] providedPassword);
/**
* Retrieves the secure identifier for the user with the provided Android ID,
* or 0 if none is found.
* @param uid the Android user id
*/
long getSecureUserId(int uid);
/**
* Clears secure user id associated with the provided Android ID.
* Must be called when password is set to NONE.
* @param uid the Android user id.
*/
void clearSecureUserId(int uid);
/**
* Notifies gatekeeper that device setup has been completed and any potentially still existing
* state from before a factory reset can be cleaned up (if it has not been already).
*/
void reportDeviceSetupComplete();
}

314
gatekeeperd/gatekeeperd.cpp
View File

@ -16,7 +16,8 @@
#define LOG_TAG "gatekeeperd"
#include "IGateKeeperService.h"
#include <android/service/gatekeeper/BnGateKeeperService.h>
#include <gatekeeper/GateKeeperResponse.h>
#include <errno.h>
#include <fcntl.h>
@ -41,8 +42,6 @@
#include <utils/Log.h>
#include <utils/String16.h>
#include "SoftGateKeeperDevice.h"
#include <hidl/HidlSupport.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
@ -52,6 +51,11 @@ using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
using android::hardware::Return;
using ::android::binder::Status;
using ::android::service::gatekeeper::BnGateKeeperService;
using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
namespace android {
static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
@ -64,9 +68,8 @@ public:
hw_device = IGatekeeper::getService();
is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
if (hw_device == nullptr) {
ALOGW("falling back to software GateKeeper");
soft_device.reset(new SoftGateKeeperDevice());
if (!hw_device) {
LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
}
}
@ -92,7 +95,7 @@ public:
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
if (hw_device != nullptr) {
if (hw_device) {
hw_device->deleteAllUsers([](const GatekeeperResponse &){});
}
}
@ -154,16 +157,16 @@ public:
return uid;
}
virtual int enroll(uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
#define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
Status enroll(int32_t uid, const std::unique_ptr<std::vector<uint8_t>>& currentPasswordHandle,
const std::unique_ptr<std::vector<uint8_t>>& currentPassword,
const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
return PERMISSION_DENIED;
return GK_ERROR;
}
// Make sure to clear any state from before factory reset as soon as a credential is
@ -171,225 +174,189 @@ public:
clear_state_if_needed();
// need a desired password to enroll
if (desired_password_length == 0) return -EINVAL;
if (desiredPassword.size() == 0) return GK_ERROR;
int ret;
if (hw_device != nullptr) {
const gatekeeper::password_handle_t *handle =
reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
if (!hw_device) {
LOG(ERROR) << "has no HAL to talk to";
return GK_ERROR;
}
if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
// handle is being re-enrolled from a software version. HAL probably won't accept
// the handle as valid, so we nullify it and enroll from scratch
current_password_handle = NULL;
current_password_handle_length = 0;
current_password = NULL;
current_password_length = 0;
android::hardware::hidl_vec<uint8_t> curPwdHandle;
android::hardware::hidl_vec<uint8_t> curPwd;
if (currentPasswordHandle && currentPassword) {
if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
LOG(INFO) << "Password handle has wrong length";
return GK_ERROR;
}
curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
currentPasswordHandle->size());
curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
currentPassword->size());
}
android::hardware::hidl_vec<uint8_t> curPwdHandle;
curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),
current_password_handle_length);
android::hardware::hidl_vec<uint8_t> curPwd;
curPwd.setToExternal(const_cast<uint8_t*>(current_password),
current_password_length);
android::hardware::hidl_vec<uint8_t> newPwd;
newPwd.setToExternal(const_cast<uint8_t*>(desired_password),
desired_password_length);
android::hardware::hidl_vec<uint8_t> newPwd;
newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
uint32_t hw_uid = adjust_uid(uid);
Return<void> hwRes = hw_device->enroll(hw_uid, curPwdHandle, curPwd, newPwd,
[&ret, enrolled_password_handle, enrolled_password_handle_length]
(const GatekeeperResponse &rsp) {
ret = static_cast<int>(rsp.code); // propagate errors
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
if (enrolled_password_handle != nullptr &&
enrolled_password_handle_length != nullptr) {
*enrolled_password_handle = new uint8_t[rsp.data.size()];
*enrolled_password_handle_length = rsp.data.size();
memcpy(*enrolled_password_handle, rsp.data.data(),
*enrolled_password_handle_length);
uint32_t hw_uid = adjust_uid(uid);
Return<void> hwRes = hw_device->enroll(
hw_uid, curPwdHandle, curPwd, newPwd, [&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
*gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
rsp.timeout > 0) {
*gkResponse = GKResponse::retry(rsp.timeout);
} else {
*gkResponse = GKResponse::error();
}
ret = 0; // all success states are reported as 0
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {
ret = rsp.timeout;
}
});
if (!hwRes.isOk()) {
ALOGE("enroll transaction failed\n");
ret = -1;
});
if (!hwRes.isOk()) {
LOG(ERROR) << "enroll transaction failed";
return GK_ERROR;
}
if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
LOG(ERROR) << "HAL returned password handle of invalid length "
<< gkResponse->payload().size();
return GK_ERROR;
}
} else {
ret = soft_device->enroll(uid,
current_password_handle, current_password_handle_length,
current_password, current_password_length,
desired_password, desired_password_length,
enrolled_password_handle, enrolled_password_handle_length);
}
if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||
*enrolled_password_handle_length != sizeof(password_handle_t))) {
ret = GATEKEEPER_RESPONSE_ERROR;
ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",
*enrolled_password_handle, *enrolled_password_handle_length);
}
if (ret == GATEKEEPER_RESPONSE_OK) {
gatekeeper::password_handle_t *handle =
reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
const gatekeeper::password_handle_t* handle =
reinterpret_cast<const gatekeeper::password_handle_t*>(
gkResponse->payload().data());
store_sid(uid, handle->user_id);
bool rr;
GKResponse verifyResponse;
// immediately verify this password so we don't ask the user to enter it again
// if they just created it.
verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
desired_password_length, &rr);
auto status = verify(uid, gkResponse->payload(), desiredPassword, &verifyResponse);
if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
LOG(ERROR) << "Failed to verify password after enrolling";
}
}
return ret;
return Status::ok();
}
virtual int verify(uint32_t uid,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
uint8_t *auth_token = nullptr;
uint32_t auth_token_length;
int ret = verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
provided_password, provided_password_length,
&auth_token, &auth_token_length, request_reenroll);
delete [] auth_token;
return ret;
Status verify(int32_t uid, const ::std::vector<uint8_t>& enrolledPasswordHandle,
const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override {
return verifyChallenge(uid, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
gkResponse);
}
virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
Status verifyChallenge(int32_t uid, int64_t challenge,
const std::vector<uint8_t>& enrolledPasswordHandle,
const std::vector<uint8_t>& providedPassword,
GKResponse* gkResponse) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
return PERMISSION_DENIED;
return GK_ERROR;
}
// can't verify if we're missing either param
if ((enrolled_password_handle_length | provided_password_length) == 0)
return -EINVAL;
if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
int ret;
if (hw_device != nullptr) {
const gatekeeper::password_handle_t *handle =
reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
// handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
// a HAL if there was none before
if (handle->version == 0 || handle->hardware_backed) {
uint32_t hw_uid = adjust_uid(uid);
android::hardware::hidl_vec<uint8_t> curPwdHandle;
curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),
enrolled_password_handle_length);
android::hardware::hidl_vec<uint8_t> enteredPwd;
enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),
provided_password_length);
Return<void> hwRes = hw_device->verify(hw_uid, challenge, curPwdHandle, enteredPwd,
[&ret, request_reenroll, auth_token, auth_token_length]
(const GatekeeperResponse &rsp) {
ret = static_cast<int>(rsp.code); // propagate errors
if (auth_token != nullptr && auth_token_length != nullptr &&
rsp.code >= GatekeeperStatusCode::STATUS_OK) {
*auth_token = new uint8_t[rsp.data.size()];
*auth_token_length = rsp.data.size();
memcpy(*auth_token, rsp.data.data(), *auth_token_length);
if (request_reenroll != nullptr) {
*request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);
}
ret = 0; // all success states are reported as 0
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
rsp.timeout > 0) {
ret = rsp.timeout;
if (!hw_device) return GK_ERROR;
if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
LOG(INFO) << "Password handle has wrong length";
return GK_ERROR;
}
const gatekeeper::password_handle_t* handle =
reinterpret_cast<const gatekeeper::password_handle_t*>(
enrolledPasswordHandle.data());
uint32_t hw_uid = adjust_uid(uid);
android::hardware::hidl_vec<uint8_t> curPwdHandle;
curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
enrolledPasswordHandle.size());
android::hardware::hidl_vec<uint8_t> enteredPwd;
enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
providedPassword.size());
Return<void> hwRes = hw_device->verify(
hw_uid, challenge, curPwdHandle, enteredPwd,
[&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
*gkResponse = GKResponse::ok(
{rsp.data.begin(), rsp.data.end()},
rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
*gkResponse = GKResponse::retry(rsp.timeout);
} else {
*gkResponse = GKResponse::error();
}
});
if (!hwRes.isOk()) {
ALOGE("verify transaction failed\n");
ret = -1;
}
} else {
// upgrade scenario, a HAL has been added to this device where there was none before
SoftGateKeeperDevice soft_dev;
ret = soft_dev.verify(uid, challenge,
enrolled_password_handle, enrolled_password_handle_length,
provided_password, provided_password_length, auth_token, auth_token_length,
request_reenroll);
if (ret == 0) {
// success! re-enroll with HAL
*request_reenroll = true;
if (!hwRes.isOk()) {
LOG(ERROR) << "verify transaction failed";
return GK_ERROR;
}
if (gkResponse->response_code() == GKResponseCode::OK) {
if (gkResponse->payload().size() != 0) {
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<security::keystore::IKeystoreService> service =
interface_cast<security::keystore::IKeystoreService>(binder);
if (service) {
int result = 0;
auto binder_result = service->addAuthToken(gkResponse->payload(), &result);
if (!binder_result.isOk() ||
!keystore::KeyStoreServiceReturnCode(result).isOk()) {
LOG(ERROR) << "Failure sending auth token to KeyStore: " << result;
}
} else {
LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with Keystore.";
}
}
} else {
ret = soft_device->verify(uid, challenge,
enrolled_password_handle, enrolled_password_handle_length,
provided_password, provided_password_length, auth_token, auth_token_length,
request_reenroll);
maybe_store_sid(uid, handle->user_id);
}
if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
// TODO: cache service?
sp<IServiceManager> sm = defaultServiceManager();
sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
sp<security::keystore::IKeystoreService> service =
interface_cast<security::keystore::IKeystoreService>(binder);
if (service != NULL) {
std::vector<uint8_t> auth_token_vector(*auth_token,
(*auth_token) + *auth_token_length);
int result = 0;
auto binder_result = service->addAuthToken(auth_token_vector, &result);
if (!binder_result.isOk() || !keystore::KeyStoreServiceReturnCode(result).isOk()) {
ALOGE("Failure sending auth token to KeyStore: %" PRId32, result);
}
} else {
ALOGE("Unable to communicate with KeyStore");
}
}
if (ret == 0) {
maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
enrolled_password_handle)->user_id);
}
return ret;
return Status::ok();
}
virtual uint64_t getSecureUserId(uint32_t uid) { return read_sid(uid); }
Status getSecureUserId(int32_t uid, int64_t* sid) override {
*sid = read_sid(uid);
return Status::ok();
}
virtual void clearSecureUserId(uint32_t uid) {
Status clearSecureUserId(int32_t uid) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return;
return Status::ok();
}
clear_sid(uid);
if (hw_device != nullptr) {
if (hw_device) {
uint32_t hw_uid = adjust_uid(uid);
hw_device->deleteUser(hw_uid, [] (const GatekeeperResponse &){});
}
return Status::ok();
}
virtual void reportDeviceSetupComplete() {
Status reportDeviceSetupComplete() override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return;
return Status::ok();
}
clear_state_if_needed();
return Status::ok();
}
virtual status_t dump(int fd, const Vector<String16> &) {
status_t dump(int fd, const Vector<String16>&) override {
IPCThreadState* ipc = IPCThreadState::self();
const int pid = ipc->getCallingPid();
const int uid = ipc->getCallingUid();
@ -410,7 +377,6 @@ public:
private:
sp<IGatekeeper> hw_device;
std::unique_ptr<SoftGateKeeperDevice> soft_device;
bool clear_state_if_needed_done;
bool is_running_gsi;

85
gatekeeperd/include/gatekeeper/GateKeeperResponse.h Normal file
View File

@ -0,0 +1,85 @@
/*
**
** Copyright 2019, The Android Open Source Project
**
** Licensed under the Apache License, Version 2.0 (the "License");
** you may not use this file except in compliance with the License.
** You may obtain a copy of the License at
**
** http://www.apache.org/licenses/LICENSE-2.0
**
** Unless required by applicable law or agreed to in writing, software
** distributed under the License is distributed on an "AS IS" BASIS,
** WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
** See the License for the specific language governing permissions and
** limitations under the License.
*/
#ifndef GATEKEEPERD_INCLUDE_GATEKEEPER_GATEKEEPERRESPONSE_H_
#define GATEKEEPERD_INCLUDE_GATEKEEPER_GATEKEEPERRESPONSE_H_
#include <binder/Parcelable.h>
namespace android {
namespace service {
namespace gatekeeper {
enum class ResponseCode : int32_t {
ERROR = -1,
OK = 0,
RETRY = 1,
};
class GateKeeperResponse : public ::android::Parcelable {
GateKeeperResponse(ResponseCode response_code, int32_t timeout = 0,
std::vector<uint8_t> payload = {}, bool should_reenroll = false)
: response_code_(response_code),
timeout_(timeout),
payload_(std::move(payload)),
should_reenroll_(should_reenroll) {}
public:
GateKeeperResponse() = default;
GateKeeperResponse(GateKeeperResponse&&) = default;
GateKeeperResponse(const GateKeeperResponse&) = default;
GateKeeperResponse& operator=(GateKeeperResponse&&) = default;
static GateKeeperResponse error() { return GateKeeperResponse(ResponseCode::ERROR); }
static GateKeeperResponse retry(int32_t timeout) {
return GateKeeperResponse(ResponseCode::RETRY, timeout);
}
static GateKeeperResponse ok(std::vector<uint8_t> payload, bool reenroll = false) {
return GateKeeperResponse(ResponseCode::OK, 0, std::move(payload), reenroll);
}
status_t readFromParcel(const Parcel* in) override;
status_t writeToParcel(Parcel* out) const override;
const std::vector<uint8_t>& payload() const { return payload_; }
void payload(std::vector<uint8_t> payload) { payload_ = payload; }
ResponseCode response_code() const { return response_code_; }
void response_code(ResponseCode response_code) { response_code_ = response_code; }
bool should_reenroll() const { return should_reenroll_; }
void should_reenroll(bool should_reenroll) { should_reenroll_ = should_reenroll; }
int32_t timeout() const { return timeout_; }
void timeout(int32_t timeout) { timeout_ = timeout; }
private:
ResponseCode response_code_;
int32_t timeout_;
std::vector<uint8_t> payload_;
bool should_reenroll_;
};
} // namespace gatekeeper
} // namespace service
} // namespace android
#endif // GATEKEEPERD_INCLUDE_GATEKEEPER_GATEKEEPERRESPONSE_H_

34
gatekeeperd/tests/Android.bp
View File

@ -1,34 +0,0 @@
//
// Copyright (C) 2015 The Android Open Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
cc_test {
name: "gatekeeperd-unit-tests",
cflags: [
"-g",
"-Wall",
"-Werror",
"-Wno-missing-field-initializers",
],
shared_libs: [
"libgatekeeper",
"libcrypto",
"libbase",
],
static_libs: ["libscrypt_static"],
include_dirs: ["external/scrypt/lib/crypto"],
srcs: ["gatekeeper_test.cpp"],
}

204
gatekeeperd/tests/gatekeeper_test.cpp
View File

@ -1,204 +0,0 @@
/*
* Copyright 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <arpa/inet.h>
#include <iostream>
#include <gtest/gtest.h>
#include <hardware/hw_auth_token.h>
#include "../SoftGateKeeper.h"
using ::gatekeeper::SizedBuffer;
using ::testing::Test;
using ::gatekeeper::EnrollRequest;
using ::gatekeeper::EnrollResponse;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
using ::gatekeeper::SoftGateKeeper;
using ::gatekeeper::secure_id_t;
static void do_enroll(SoftGateKeeper &gatekeeper, EnrollResponse *response) {
SizedBuffer password;
password.buffer.reset(new uint8_t[16]);
password.length = 16;
memset(password.buffer.get(), 0, 16);
EnrollRequest request(0, NULL, &password, NULL);
gatekeeper.Enroll(request, response);
}
TEST(GateKeeperTest, EnrollSuccess) {
SoftGateKeeper gatekeeper;
EnrollResponse response;
do_enroll(gatekeeper, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
}
TEST(GateKeeperTest, EnrollBogusData) {
SoftGateKeeper gatekeeper;
SizedBuffer password;
EnrollResponse response;
EnrollRequest request(0, NULL, &password, NULL);
gatekeeper.Enroll(request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
}
TEST(GateKeeperTest, VerifySuccess) {
SoftGateKeeper gatekeeper;
SizedBuffer provided_password;
EnrollResponse enroll_response;
provided_password.buffer.reset(new uint8_t[16]);
provided_password.length = 16;
memset(provided_password.buffer.get(), 0, 16);
do_enroll(gatekeeper, &enroll_response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
VerifyRequest request(0, 1, &enroll_response.enrolled_password_handle,
&provided_password);
VerifyResponse response;
gatekeeper.Verify(request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
hw_auth_token_t *auth_token =
reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
ASSERT_EQ((uint32_t) HW_AUTH_PASSWORD, ntohl(auth_token->authenticator_type));
ASSERT_EQ((uint64_t) 1, auth_token->challenge);
ASSERT_NE(~((uint32_t) 0), auth_token->timestamp);
ASSERT_NE((uint64_t) 0, auth_token->user_id);
ASSERT_NE((uint64_t) 0, auth_token->authenticator_id);
}
TEST(GateKeeperTest, TrustedReEnroll) {
SoftGateKeeper gatekeeper;
SizedBuffer provided_password;
EnrollResponse enroll_response;
SizedBuffer password_handle;
// do_enroll enrolls an all 0 password
provided_password.buffer.reset(new uint8_t[16]);
provided_password.length = 16;
memset(provided_password.buffer.get(), 0, 16);
do_enroll(gatekeeper, &enroll_response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
// keep a copy of the handle
password_handle.buffer.reset(new uint8_t[enroll_response.enrolled_password_handle.length]);
password_handle.length = enroll_response.enrolled_password_handle.length;
memcpy(password_handle.buffer.get(), enroll_response.enrolled_password_handle.buffer.get(),
password_handle.length);
// verify first password
VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
&provided_password);
VerifyResponse response;
gatekeeper.Verify(request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
hw_auth_token_t *auth_token =
reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
secure_id_t secure_id = auth_token->user_id;
// enroll new password
provided_password.buffer.reset(new uint8_t[16]);
provided_password.length = 16;
memset(provided_password.buffer.get(), 0, 16);
SizedBuffer password;
password.buffer.reset(new uint8_t[16]);
memset(password.buffer.get(), 1, 16);
password.length = 16;
EnrollRequest enroll_request(0, &password_handle, &password, &provided_password);
gatekeeper.Enroll(enroll_request, &enroll_response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
// verify new password
password.buffer.reset(new uint8_t[16]);
memset(password.buffer.get(), 1, 16);
password.length = 16;
VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
&password);
gatekeeper.Verify(new_request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
ASSERT_EQ(secure_id,
reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
}
TEST(GateKeeperTest, UntrustedReEnroll) {
SoftGateKeeper gatekeeper;
SizedBuffer provided_password;
EnrollResponse enroll_response;
// do_enroll enrolls an all 0 password
provided_password.buffer.reset(new uint8_t[16]);
provided_password.length = 16;
memset(provided_password.buffer.get(), 0, 16);
do_enroll(gatekeeper, &enroll_response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
// verify first password
VerifyRequest request(0, 0, &enroll_response.enrolled_password_handle,
&provided_password);
VerifyResponse response;
gatekeeper.Verify(request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
hw_auth_token_t *auth_token =
reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get());
secure_id_t secure_id = auth_token->user_id;
// enroll new password
SizedBuffer password;
password.buffer.reset(new uint8_t[16]);
memset(password.buffer.get(), 1, 16);
password.length = 16;
EnrollRequest enroll_request(0, NULL, &password, NULL);
gatekeeper.Enroll(enroll_request, &enroll_response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, enroll_response.error);
// verify new password
password.buffer.reset(new uint8_t[16]);
memset(password.buffer.get(), 1, 16);
password.length = 16;
VerifyRequest new_request(0, 0, &enroll_response.enrolled_password_handle,
&password);
gatekeeper.Verify(new_request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_NONE, response.error);
ASSERT_NE(secure_id,
reinterpret_cast<hw_auth_token_t *>(response.auth_token.buffer.get())->user_id);
}
TEST(GateKeeperTest, VerifyBogusData) {
SoftGateKeeper gatekeeper;
SizedBuffer provided_password;
SizedBuffer password_handle;
VerifyResponse response;
VerifyRequest request(0, 0, &provided_password, &password_handle);
gatekeeper.Verify(request, &response);
ASSERT_EQ(::gatekeeper::gatekeeper_error_t::ERROR_INVALID, response.error);
}

18
trusty/gatekeeper/Android.bp
View File

@ -1,4 +1,3 @@
//
// Copyright (C) 2015 The Android Open-Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
@ -20,14 +19,15 @@
// to only building on ARM if they include assembly. Individual makefiles
// are responsible for having their own logic, for fine-grained control.
cc_library_shared {
name: "gatekeeper.trusty",
cc_binary {
name: "android.hardware.gatekeeper@1.0-service.trusty",
defaults: ["hidl_defaults"],
vendor: true,
relative_install_path: "hw",
init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],
srcs: [
"module.cpp",
"service.cpp",
"trusty_gatekeeper_ipc.c",
"trusty_gatekeeper.cpp",
],
@ -39,10 +39,16 @@ cc_library_shared {
],
shared_libs: [
"android.hardware.gatekeeper@1.0",
"libbase",
"libhidlbase",
"libhidltransport",
"libgatekeeper",
"libutils",
"liblog",
"libcutils",
"libtrusty",
],
header_libs: ["libhardware_headers"],
vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],
}

4
trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc Normal file
View File

@ -0,0 +1,4 @@
service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty
class hal
user system
group system

11
trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml Normal file
View File

@ -0,0 +1,11 @@
<manifest version="1.0" type="device">
<hal format="hidl">
<name>android.hardware.gatekeeper</name>
<transport>hwbinder</transport>
<version>1.0</version>
<interface>
<name>IGatekeeper</name>
<instance>default</instance>
</interface>
</hal>
</manifest>

57
trusty/gatekeeper/module.cpp
View File

@ -1,57 +0,0 @@
/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <hardware/hardware.h>
#include <string.h>
#include <errno.h>
#include <stdlib.h>
#include "trusty_gatekeeper.h"
using gatekeeper::TrustyGateKeeperDevice;
static int trusty_gatekeeper_open(const hw_module_t *module, const char *name,
hw_device_t **device) {
if (strcmp(name, HARDWARE_GATEKEEPER) != 0) {
return -EINVAL;
}
TrustyGateKeeperDevice *gatekeeper = new TrustyGateKeeperDevice(module);
if (gatekeeper == NULL) return -ENOMEM;
*device = gatekeeper->hw_device();
return 0;
}
static struct hw_module_methods_t gatekeeper_module_methods = {
.open = trusty_gatekeeper_open,
};
struct gatekeeper_module HAL_MODULE_INFO_SYM __attribute__((visibility("default"))) = {
.common = {
.tag = HARDWARE_MODULE_TAG,
.module_api_version = GATEKEEPER_MODULE_API_VERSION_0_1,
.hal_api_version = HARDWARE_HAL_API_VERSION,
.id = GATEKEEPER_HARDWARE_MODULE_ID,
.name = "Trusty GateKeeper HAL",
.author = "The Android Open Source Project",
.methods = &gatekeeper_module_methods,
.dso = 0,
.reserved = {}
},
};

39
trusty/gatekeeper/service.cpp Normal file
View File

@ -0,0 +1,39 @@
/*
* Copyright (C) 2019 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
#include <android-base/logging.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <hidl/LegacySupport.h>
#include "trusty_gatekeeper.h"
// Generated HIDL files
using android::hardware::gatekeeper::V1_0::IGatekeeper;
using gatekeeper::TrustyGateKeeperDevice;
int main() {
::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());
auto status = gatekeeper->registerAsService();
if (status != android::OK) {
LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
}
android::hardware::joinRpcThreadpool();
return -1; // Should never get here.
}

253
trusty/gatekeeper/trusty_gatekeeper.cpp
View File

@ -16,147 +16,131 @@
#define LOG_TAG "TrustyGateKeeper"
#include <assert.h>
#include <errno.h>
#include <stdio.h>
#include <type_traits>
#include <log/log.h>
#include <android-base/logging.h>
#include <limits>
#include "trusty_gatekeeper.h"
#include "trusty_gatekeeper_ipc.h"
#include "gatekeeper_ipc.h"
using ::android::hardware::hidl_vec;
using ::android::hardware::Return;
using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
using ::gatekeeper::EnrollRequest;
using ::gatekeeper::EnrollResponse;
using ::gatekeeper::ERROR_INVALID;
using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
using ::gatekeeper::ERROR_NONE;
using ::gatekeeper::ERROR_RETRY;
using ::gatekeeper::SizedBuffer;
using ::gatekeeper::VerifyRequest;
using ::gatekeeper::VerifyResponse;
namespace gatekeeper {
const uint32_t SEND_BUF_SIZE = 8192;
const uint32_t RECV_BUF_SIZE = 8192;
TrustyGateKeeperDevice::TrustyGateKeeperDevice(const hw_module_t *module) {
#if __cplusplus >= 201103L || defined(__GXX_EXPERIMENTAL_CXX0X__)
static_assert(std::is_standard_layout<TrustyGateKeeperDevice>::value,
"TrustyGateKeeperDevice must be standard layout");
static_assert(offsetof(TrustyGateKeeperDevice, device_) == 0,
"device_ must be the first member of TrustyGateKeeperDevice");
static_assert(offsetof(TrustyGateKeeperDevice, device_.common) == 0,
"common must be the first member of gatekeeper_device");
#else
assert(reinterpret_cast<gatekeeper_device_t *>(this) == &device_);
assert(reinterpret_cast<hw_device_t *>(this) == &(device_.common));
#endif
memset(&device_, 0, sizeof(device_));
device_.common.tag = HARDWARE_DEVICE_TAG;
device_.common.version = 1;
device_.common.module = const_cast<hw_module_t *>(module);
device_.common.close = close_device;
device_.enroll = enroll;
device_.verify = verify;
device_.delete_user = nullptr;
device_.delete_all_users = nullptr;
constexpr const uint32_t SEND_BUF_SIZE = 8192;
constexpr const uint32_t RECV_BUF_SIZE = 8192;
TrustyGateKeeperDevice::TrustyGateKeeperDevice() {
int rc = trusty_gatekeeper_connect();
if (rc < 0) {
ALOGE("Error initializing trusty session: %d", rc);
LOG(ERROR) << "Error initializing trusty session: " << rc;
}
error_ = rc;
}
hw_device_t* TrustyGateKeeperDevice::hw_device() {
return &device_.common;
}
int TrustyGateKeeperDevice::close_device(hw_device_t* dev) {
delete reinterpret_cast<TrustyGateKeeperDevice *>(dev);
return 0;
}
TrustyGateKeeperDevice::~TrustyGateKeeperDevice() {
trusty_gatekeeper_disconnect();
}
int TrustyGateKeeperDevice::Enroll(uint32_t uid, const uint8_t *current_password_handle,
uint32_t current_password_handle_length, const uint8_t *current_password,
uint32_t current_password_length, const uint8_t *desired_password,
uint32_t desired_password_length, uint8_t **enrolled_password_handle,
uint32_t *enrolled_password_handle_length) {
if (error_ != 0) {
return error_;
}
SizedBuffer desired_password_buffer(desired_password_length);
memcpy(desired_password_buffer.buffer.get(), desired_password, desired_password_length);
SizedBuffer current_password_handle_buffer(current_password_handle_length);
if (current_password_handle) {
memcpy(current_password_handle_buffer.buffer.get(), current_password_handle,
current_password_handle_length);
}
SizedBuffer current_password_buffer(current_password_length);
if (current_password) {
memcpy(current_password_buffer.buffer.get(), current_password, current_password_length);
}
EnrollRequest request(uid, &current_password_handle_buffer, &desired_password_buffer,
&current_password_buffer);
EnrollResponse response;
gatekeeper_error_t error = Send(request, &response);
if (error == ERROR_RETRY) {
return response.retry_timeout;
} else if (error != ERROR_NONE) {
return -EINVAL;
}
*enrolled_password_handle = response.enrolled_password_handle.buffer.release();
*enrolled_password_handle_length = response.enrolled_password_handle.length;
return 0;
SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
auto dummy = new uint8_t[vec.size()];
std::copy(vec.begin(), vec.end(), dummy);
return {dummy, static_cast<uint32_t>(vec.size())};
}
int TrustyGateKeeperDevice::Verify(uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,
const hidl_vec<uint8_t>& currentPasswordHandle,
const hidl_vec<uint8_t>& currentPassword,
const hidl_vec<uint8_t>& desiredPassword,
enroll_cb _hidl_cb) {
if (error_ != 0) {
return error_;
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
}
SizedBuffer password_handle_buffer(enrolled_password_handle_length);
memcpy(password_handle_buffer.buffer.get(), enrolled_password_handle,
enrolled_password_handle_length);
SizedBuffer provided_password_buffer(provided_password_length);
memcpy(provided_password_buffer.buffer.get(), provided_password, provided_password_length);
if (desiredPassword.size() == 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
}
VerifyRequest request(uid, challenge, &password_handle_buffer, &provided_password_buffer);
EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
hidl_vec2sized_buffer(desiredPassword),
hidl_vec2sized_buffer(currentPassword));
EnrollResponse response;
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
} else if (response.error == ERROR_RETRY) {
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
} else {
hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
response.enrolled_password_handle.Data<uint8_t>() +
response.enrolled_password_handle.size());
_hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
}
return {};
}
Return<void> TrustyGateKeeperDevice::verify(
uint32_t uid, uint64_t challenge,
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
if (error_ != 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
}
if (enrolledPasswordHandle.size() == 0) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
return {};
}
VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
hidl_vec2sized_buffer(providedPassword));
VerifyResponse response;
gatekeeper_error_t error = Send(request, &response);
auto error = Send(request, &response);
if (error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
} else if (response.error == ERROR_RETRY) {
_hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
} else if (response.error != ERROR_NONE) {
_hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
} else {
hidl_vec<uint8_t> auth_token(
response.auth_token.Data<uint8_t>(),
response.auth_token.Data<uint8_t>() + response.auth_token.size());
if (error == ERROR_RETRY) {
return response.retry_timeout;
} else if (error != ERROR_NONE) {
return -EINVAL;
_hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
: GatekeeperStatusCode::STATUS_OK,
response.retry_timeout, auth_token});
}
return {};
}
if (auth_token != NULL && auth_token_length != NULL) {
*auth_token = response.auth_token.buffer.release();
*auth_token_length = response.auth_token.length;
}
Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t /*uid*/, deleteUser_cb _hidl_cb) {
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
return {};
}
if (request_reenroll != NULL) {
*request_reenroll = response.request_reenroll;
}
return 0;
Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
_hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
return {};
}
gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
@ -172,7 +156,7 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep
uint32_t response_size = RECV_BUF_SIZE;
int rc = trusty_gatekeeper_call(command, send_buf, request_size, recv_buf, &response_size);
if (rc < 0) {
ALOGE("error (%d) calling gatekeeper TA", rc);
LOG(ERROR) << "error (" << rc << ") calling gatekeeper TA";
return ERROR_INVALID;
}
@ -182,51 +166,4 @@ gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeep
return response->Deserialize(payload, payload + response_size);
}
static inline TrustyGateKeeperDevice *convert_device(const gatekeeper_device *dev) {
return reinterpret_cast<TrustyGateKeeperDevice *>(const_cast<gatekeeper_device *>(dev));
}
/* static */
int TrustyGateKeeperDevice::enroll(const struct gatekeeper_device *dev, uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
if (dev == NULL ||
enrolled_password_handle == NULL || enrolled_password_handle_length == NULL ||
desired_password == NULL || desired_password_length == 0)
return -EINVAL;
// Current password and current password handle go together
if (current_password_handle == NULL || current_password_handle_length == 0 ||
current_password == NULL || current_password_length == 0) {
current_password_handle = NULL;
current_password_handle_length = 0;
current_password = NULL;
current_password_length = 0;
}
return convert_device(dev)->Enroll(uid, current_password_handle, current_password_handle_length,
current_password, current_password_length, desired_password, desired_password_length,
enrolled_password_handle, enrolled_password_handle_length);
}
/* static */
int TrustyGateKeeperDevice::verify(const struct gatekeeper_device *dev, uint32_t uid,
uint64_t challenge, const uint8_t *enrolled_password_handle,
uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
bool *request_reenroll) {
if (dev == NULL || enrolled_password_handle == NULL ||
provided_password == NULL) {
return -EINVAL;
}
return convert_device(dev)->Verify(uid, challenge, enrolled_password_handle,
enrolled_password_handle_length, provided_password, provided_password_length,
auth_token, auth_token_length, request_reenroll);
}
};

106
trusty/gatekeeper/trusty_gatekeeper.h
View File

@ -17,84 +17,34 @@
#ifndef TRUSTY_GATEKEEPER_H
#define TRUSTY_GATEKEEPER_H
#include <hardware/gatekeeper.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <hidl/Status.h>
#include <memory>
#include <gatekeeper/gatekeeper_messages.h>
#include "gatekeeper_ipc.h"
namespace gatekeeper {
class TrustyGateKeeperDevice {
public:
explicit TrustyGateKeeperDevice(const hw_module_t* module);
class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper {
public:
explicit TrustyGateKeeperDevice();
~TrustyGateKeeperDevice();
hw_device_t* hw_device();
/**
* Enrolls password_payload, which should be derived from a user selected pin or password,
* with the authentication factor private key used only for enrolling authentication
* factor data.
*
* Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password will not be allocated.
*/
int Enroll(uint32_t uid, const uint8_t *current_password_handle,
uint32_t current_password_handle_length, const uint8_t *current_password,
uint32_t current_password_length, const uint8_t *desired_password,
uint32_t desired_password_length, uint8_t **enrolled_password_handle,
uint32_t *enrolled_password_handle_length);
/**
* Verifies provided_password matches expected_password after enrolling
* with the authentication factor private key.
*
* Implementations of this module may retain the result of this call
* to attest to the recency of authentication.
*
* On success, writes the address of a verification token to verification_token,
*
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
int Verify(uint32_t uid, uint64_t challenge, const uint8_t *enrolled_password_handle,
uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
bool *request_reenroll);
private:
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
GateKeeperMessage* response);
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
return Send(GK_ENROLL, request, response);
}
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
return Send(GK_VERIFY, request, response);
}
// Static methods interfacing the HAL API with the TrustyGateKeeper device
/**
* Enrolls desired_password, which should be derived from a user selected pin or password,
* with the authentication factor private key used only for enrolling authentication
* factor data.
*
* If there was already a password enrolled, it should be provided in
* current_password_handle, along with the current password in current_password
* that should validate against current_password_handle.
*
* Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password_handle will not be allocated.
*/
static int enroll(const struct gatekeeper_device *dev, uint32_t uid,
const uint8_t *current_password_handle, uint32_t current_password_handle_length,
const uint8_t *current_password, uint32_t current_password_length,
const uint8_t *desired_password, uint32_t desired_password_length,
uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
::android::hardware::Return<void> enroll(
uint32_t uid, const ::android::hardware::hidl_vec<uint8_t>& currentPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& currentPassword,
const ::android::hardware::hidl_vec<uint8_t>& desiredPassword,
enroll_cb _hidl_cb) override;
/**
* Verifies provided_password matches enrolled_password_handle.
@ -109,18 +59,32 @@ class TrustyGateKeeperDevice {
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
static int verify(const struct gatekeeper_device *dev, uint32_t uid, uint64_t challenge,
const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
const uint8_t *provided_password, uint32_t provided_password_length,
uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
::android::hardware::Return<void> verify(
uint32_t uid, uint64_t challenge,
const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
const ::android::hardware::hidl_vec<uint8_t>& providedPassword,
verify_cb _hidl_cb) override;
static int close_device(hw_device_t* dev);
::android::hardware::Return<void> deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override;
::android::hardware::Return<void> deleteAllUsers(deleteAllUsers_cb _hidl_cb) override;
private:
gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
GateKeeperMessage* response);
gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
return Send(GK_ENROLL, request, response);
}
gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
return Send(GK_VERIFY, request, response);
}
gatekeeper_device device_;
int error_;
};
}
} // namespace gatekeeper
#endif

4
trusty/trusty-base.mk
View File

@ -24,9 +24,7 @@
PRODUCT_PACKAGES += \
android.hardware.keymaster@4.0-service.trusty \
android.hardware.gatekeeper@1.0-service \
android.hardware.gatekeeper@1.0-impl \
gatekeeper.trusty
android.hardware.gatekeeper@1.0-service.trusty
PRODUCT_PROPERTY_OVERRIDES += \
ro.hardware.keystore=trusty \