1 //
2 // Copyright (C) 2019 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 #include "host/commands/run_cvd/launch/launch.h"
17
18 #include <string>
19 #include <unordered_set>
20 #include <utility>
21 #include <vector>
22
23 #include <fruit/fruit.h>
24
25 #include "common/libs/utils/result.h"
26 #include "host/libs/config/command_source.h"
27 #include "host/libs/config/known_paths.h"
28
29 namespace cuttlefish {
30 namespace {
31
32 class SecureEnvironment : public CommandSource, public KernelLogPipeConsumer {
33 public:
INJECT(SecureEnvironment (const CuttlefishConfig & config,const CuttlefishConfig::InstanceSpecific & instance,KernelLogPipeProvider & kernel_log_pipe_provider))34 INJECT(SecureEnvironment(const CuttlefishConfig& config,
35 const CuttlefishConfig::InstanceSpecific& instance,
36 KernelLogPipeProvider& kernel_log_pipe_provider))
37 : config_(config),
38 instance_(instance),
39 kernel_log_pipe_provider_(kernel_log_pipe_provider) {}
40
41 // CommandSource
Commands()42 Result<std::vector<MonitorCommand>> Commands() override {
43 Command command(SecureEnvBinary());
44 command.AddParameter("-confui_server_fd=", confui_server_fd_);
45 command.AddParameter("-keymaster_fd_out=", fifos_[0]);
46 command.AddParameter("-keymaster_fd_in=", fifos_[1]);
47 command.AddParameter("-gatekeeper_fd_out=", fifos_[2]);
48 command.AddParameter("-gatekeeper_fd_in=", fifos_[3]);
49 command.AddParameter("-oemlock_fd_out=", fifos_[4]);
50 command.AddParameter("-oemlock_fd_in=", fifos_[5]);
51 command.AddParameter("-keymint_fd_out=", fifos_[6]);
52 command.AddParameter("-keymint_fd_in=", fifos_[7]);
53
54 const auto& secure_hals = config_.secure_hals();
55 bool secure_keymint = secure_hals.count(SecureHal::Keymint) > 0;
56 command.AddParameter("-keymint_impl=", secure_keymint ? "tpm" : "software");
57 bool secure_gatekeeper = secure_hals.count(SecureHal::Gatekeeper) > 0;
58 auto gatekeeper_impl = secure_gatekeeper ? "tpm" : "software";
59 command.AddParameter("-gatekeeper_impl=", gatekeeper_impl);
60
61 bool secure_oemlock = secure_hals.count(SecureHal::Oemlock) > 0;
62 auto oemlock_impl = secure_oemlock ? "tpm" : "software";
63 command.AddParameter("-oemlock_impl=", oemlock_impl);
64
65 command.AddParameter("-kernel_events_fd=", kernel_log_pipe_);
66
67 std::vector<MonitorCommand> commands;
68 commands.emplace_back(std::move(command));
69 return commands;
70 }
71
72 // SetupFeature
Name() const73 std::string Name() const override { return "SecureEnvironment"; }
Enabled() const74 bool Enabled() const override { return true; }
75
76 private:
Dependencies() const77 std::unordered_set<SetupFeature*> Dependencies() const override {
78 return {&kernel_log_pipe_provider_};
79 }
ResultSetup()80 Result<void> ResultSetup() override {
81 std::vector<std::string> fifo_paths = {
82 instance_.PerInstanceInternalPath("keymaster_fifo_vm.in"),
83 instance_.PerInstanceInternalPath("keymaster_fifo_vm.out"),
84 instance_.PerInstanceInternalPath("gatekeeper_fifo_vm.in"),
85 instance_.PerInstanceInternalPath("gatekeeper_fifo_vm.out"),
86 instance_.PerInstanceInternalPath("oemlock_fifo_vm.in"),
87 instance_.PerInstanceInternalPath("oemlock_fifo_vm.out"),
88 instance_.PerInstanceInternalPath("keymint_fifo_vm.in"),
89 instance_.PerInstanceInternalPath("keymint_fifo_vm.out"),
90 };
91 std::vector<SharedFD> fifos;
92 for (const auto& path : fifo_paths) {
93 unlink(path.c_str());
94 CF_EXPECT(mkfifo(path.c_str(), 0660) == 0, "Could not create " << path);
95 auto fd = SharedFD::Open(path, O_RDWR);
96 CF_EXPECT(fd->IsOpen(),
97 "Could not open " << path << ": " << fd->StrError());
98 fifos_.push_back(fd);
99 }
100
101 auto confui_socket_path =
102 instance_.PerInstanceInternalUdsPath("confui_sign.sock");
103 confui_server_fd_ = SharedFD::SocketLocalServer(confui_socket_path, false,
104 SOCK_STREAM, 0600);
105 CF_EXPECT(confui_server_fd_->IsOpen(),
106 "Could not open " << confui_socket_path << ": "
107 << confui_server_fd_->StrError());
108 kernel_log_pipe_ = kernel_log_pipe_provider_.KernelLogPipe();
109
110 return {};
111 }
112
113 const CuttlefishConfig& config_;
114 const CuttlefishConfig::InstanceSpecific& instance_;
115 SharedFD confui_server_fd_;
116 std::vector<SharedFD> fifos_;
117 KernelLogPipeProvider& kernel_log_pipe_provider_;
118 SharedFD kernel_log_pipe_;
119 };
120
121 } // namespace
122
123 fruit::Component<fruit::Required<const CuttlefishConfig,
124 const CuttlefishConfig::InstanceSpecific,
125 KernelLogPipeProvider>>
SecureEnvComponent()126 SecureEnvComponent() {
127 return fruit::createComponent()
128 .addMultibinding<CommandSource, SecureEnvironment>()
129 .addMultibinding<KernelLogPipeConsumer, SecureEnvironment>()
130 .addMultibinding<SetupFeature, SecureEnvironment>();
131 }
132
133 } // namespace cuttlefish
134