• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 //      http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15 
16 #include <windows.h>
17 
18 #include "host/commands/secure_env/secure_env_windows_lib.h"
19 
20 #include <thread>
21 
22 #include <android-base/logging.h>
23 #include <keymaster/android_keymaster.h>
24 #include <keymaster/contexts/pure_soft_keymaster_context.h>
25 #include "common/libs/security/gatekeeper_channel_windows.h"
26 #include "common/libs/security/keymaster_channel_windows.h"
27 #include "host/commands/secure_env/gatekeeper_responder.h"
28 #include "host/commands/secure_env/keymaster_responder.h"
29 #include "host/commands/secure_env/soft_gatekeeper.h"
30 #include "host/commands/secure_env/tpm_gatekeeper.h"
31 #include "host/commands/secure_env/tpm_keymaster_context.h"
32 #include "host/commands/secure_env/tpm_keymaster_enforcement.h"
33 #include "host/commands/secure_env/tpm_resource_manager.h"
34 
35 namespace secure_env {
36 namespace {
37 // Copied from AndroidKeymaster4Device
38 constexpr size_t kOperationTableSize = 16;
39 
40 }  // namespace
41 
StartSecureEnvWithHandles(HANDLE keymaster_pipe_handle,HANDLE gatekeeper_pipe_handle,bool)42 bool StartSecureEnvWithHandles(HANDLE keymaster_pipe_handle,
43                                HANDLE gatekeeper_pipe_handle,
44                                bool /*use_tpm*/) {
45   // Start threads for gatekeeper and keymaster
46   std::thread keymaster_thread([=]() {
47     // keymaster::AndroidKeymaster puts keymaster_context into a UniquePtr,
48     // taking ownership.
49     keymaster::KeymasterContext* keymaster_context =
50         new keymaster::PureSoftKeymasterContext(
51             keymaster::KmVersion::KEYMASTER_4_1, KM_SECURITY_LEVEL_SOFTWARE);
52 
53     // Setup software keymaster
54     std::unique_ptr<keymaster::AndroidKeymaster> keymaster_ptr(
55         new keymaster::AndroidKeymaster(keymaster_context,
56                                         kOperationTableSize));
57 
58     std::unique_ptr<cuttlefish::KeymasterWindowsChannel> keymaster_channel =
59         cuttlefish::KeymasterWindowsChannel::Create(keymaster_pipe_handle);
60     if (!keymaster_channel) {
61       return;
62     }
63 
64     cuttlefish::KeymasterResponder keymaster_responder(*keymaster_channel,
65                                                        *keymaster_ptr);
66 
67     while (keymaster_responder.ProcessMessage()) {
68     }
69   });
70 
71   std::thread gatekeeper_thread([=]() {
72     // Setup software gatekeeper
73     std::unique_ptr<gatekeeper::GateKeeper> gatekeeper_ptr(
74         new gatekeeper::SoftGateKeeper);
75 
76     std::unique_ptr<cuttlefish::GatekeeperWindowsChannel> gatekeeper_channel =
77         cuttlefish::GatekeeperWindowsChannel::Create(gatekeeper_pipe_handle);
78     if (!gatekeeper_channel) {
79       return;
80     }
81 
82     cuttlefish::GatekeeperResponder gatekeeper_responder(*gatekeeper_channel,
83                                                          *gatekeeper_ptr);
84 
85     while (gatekeeper_responder.ProcessMessage()) {
86     }
87   });
88 
89   keymaster_thread.join();
90   gatekeeper_thread.join();
91 
92   return true;
93 }
94 
StartSecureEnv(const char * keymaster_pipe,const char * gatekeeper_pipe,bool use_tpm)95 bool StartSecureEnv(const char* keymaster_pipe, const char* gatekeeper_pipe,
96                     bool use_tpm) {
97   // Create the keymaster pipe
98   HANDLE keymaster_handle = CreateNamedPipeA(
99       keymaster_pipe,
100       /* dwOpenMode= */ PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE |
101           FILE_FLAG_OVERLAPPED,
102       /* dwPipeMode= */ PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT |
103           PIPE_REJECT_REMOTE_CLIENTS,
104       /* nMaxInstances= */ 1,
105       /* nOutBufferSize= */ 1024,  // The buffer sizes are only advisory.
106       /* nInBufferSize= */ 1024,
107       /* nDefaultTimeOut= */ 0,
108       /* lpSecurityAttributes= */ NULL);
109   if (keymaster_handle == INVALID_HANDLE_VALUE) {
110     LOG(ERROR) << "Error: Could not create keymaster pipe " << keymaster_pipe
111                << ". Got error code " << GetLastError();
112     return false;
113   }
114   LOG(INFO) << "Created keymaster pipe " << keymaster_pipe;
115 
116   HANDLE gatekeeper_handle = CreateNamedPipeA(
117       gatekeeper_pipe,
118       /* dwOpenMode= */ PIPE_ACCESS_DUPLEX | FILE_FLAG_FIRST_PIPE_INSTANCE |
119           FILE_FLAG_OVERLAPPED,
120       /* dwPipeMode= */ PIPE_TYPE_BYTE | PIPE_READMODE_BYTE | PIPE_WAIT |
121           PIPE_REJECT_REMOTE_CLIENTS,
122       /* nMaxInstances= */ 1,
123       /* nOutBufferSize= */ 1024,  // The buffer sizes are only advisory.
124       /* nInBufferSize= */ 1024,
125       /* nDefaultTimeOut= */ 0,
126       /* lpSecurityAttributes= */ NULL);
127   if (gatekeeper_handle == INVALID_HANDLE_VALUE) {
128     LOG(ERROR) << "Error: Could not create gatekeeper pipe " << gatekeeper_pipe
129                << ". Got error code " << GetLastError();
130     return false;
131   }
132   LOG(INFO) << "Created gatekeeper pipe " << gatekeeper_pipe;
133 
134   return StartSecureEnvWithHandles(keymaster_handle, gatekeeper_handle,
135                                    use_tpm);
136 }
137 
138 }  // namespace secure_env
139