• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 // Copyright 2020, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 //! This is the implementation for the remote provisioning AIDL interface between
16 //! the network providers for remote provisioning and the system. This interface
17 //! allows the caller to prompt the Remote Provisioning HAL to generate keys and
18 //! CBOR blobs that can be ferried to a provisioning server that will return
19 //! certificate chains signed by some root authority and stored in a keystore SQLite
20 //! DB.
21 
22 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
23     Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
24     KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
25     Tag::Tag,
26 };
27 use android_system_keystore2::aidl::android::system::keystore2::{
28     Domain::Domain, KeyDescriptor::KeyDescriptor,
29 };
30 use anyhow::{Context, Result};
31 use keystore2_crypto::parse_subject_from_certificate;
32 
33 use crate::database::Uuid;
34 use crate::ks_err;
35 use crate::metrics_store::log_rkp_error_stats;
36 use crate::rkpd_client::get_rkpd_attestation_key;
37 use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
38 
39 /// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
40 /// to assign and retrieve attestation keys and certificate chains.
41 #[derive(Default)]
42 pub struct RemProvState {
43     security_level: SecurityLevel,
44     km_uuid: Uuid,
45 }
46 
47 impl RemProvState {
48     /// Creates a RemProvState struct.
new(security_level: SecurityLevel, km_uuid: Uuid) -> Self49     pub fn new(security_level: SecurityLevel, km_uuid: Uuid) -> Self {
50         Self { security_level, km_uuid }
51     }
52 
53     /// Returns the uuid for the KM instance attached to this RemProvState struct.
get_uuid(&self) -> Uuid54     pub fn get_uuid(&self) -> Uuid {
55         self.km_uuid
56     }
57 
is_rkp_only(&self) -> bool58     fn is_rkp_only(&self) -> bool {
59         let default_value = false;
60 
61         let property_name = match self.security_level {
62             SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
63             SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
64             _ => return default_value,
65         };
66 
67         rustutils::system_properties::read_bool(property_name, default_value)
68             .unwrap_or(default_value)
69     }
70 
is_asymmetric_key(&self, params: &[KeyParameter]) -> bool71     fn is_asymmetric_key(&self, params: &[KeyParameter]) -> bool {
72         params.iter().any(|kp| {
73             matches!(
74                 kp,
75                 KeyParameter {
76                     tag: Tag::ALGORITHM,
77                     value: KeyParameterValue::Algorithm(Algorithm::RSA)
78                 } | KeyParameter {
79                     tag: Tag::ALGORITHM,
80                     value: KeyParameterValue::Algorithm(Algorithm::EC)
81                 }
82             )
83         })
84     }
85 
86     /// Fetches attestation key and corresponding certificates from RKPD.
get_rkpd_attestation_key_and_certs( &self, key: &KeyDescriptor, caller_uid: u32, params: &[KeyParameter], ) -> Result<Option<(AttestationKey, Certificate)>>87     pub fn get_rkpd_attestation_key_and_certs(
88         &self,
89         key: &KeyDescriptor,
90         caller_uid: u32,
91         params: &[KeyParameter],
92     ) -> Result<Option<(AttestationKey, Certificate)>> {
93         if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
94             Ok(None)
95         } else {
96             match get_rkpd_attestation_key(&self.security_level, caller_uid) {
97                 Err(e) => {
98                     if self.is_rkp_only() {
99                         log::error!("Error occurred: {:?}", e);
100                         return Err(e);
101                     }
102                     log::warn!("Error occurred: {:?}", e);
103                     log_rkp_error_stats(
104                         MetricsRkpError::FALL_BACK_DURING_HYBRID,
105                         &self.security_level,
106                     );
107                     Ok(None)
108                 }
109                 Ok(rkpd_key) => Ok(Some((
110                     AttestationKey {
111                         keyBlob: rkpd_key.keyBlob,
112                         attestKeyParams: vec![],
113                         // Batch certificate is at the beginning of the certificate chain.
114                         issuerSubjectName: parse_subject_from_certificate(
115                             &rkpd_key.encodedCertChain,
116                         )
117                         .context(ks_err!("Failed to parse subject."))?,
118                     },
119                     Certificate { encodedCertificate: rkpd_key.encodedCertChain },
120                 ))),
121             }
122         }
123     }
124 }
125