authmgr/authmgr-fe/lib.rs

/*
 * Copyright (C) 2025 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

mod accessor;

use alloc::rc::Rc;
use rpcbinder::RpcServer;
use std::ffi::CStr;
use tipc::{service_dispatcher, Manager, PortCfg};

pub use accessor::{AuthMgrAccessor, SecurityConfig};

const SECURE_STORAGE_SERVICE_NAME: &str =
    "android.hardware.security.see.storage.ISecureStorage/default";
const SECURE_STORAGE_TARGET_PORT: &CStr = c"com.android.hardware.security.see.storage";
const HWKEY_SERVICE_NAME: &str = "android.hardware.security.see.hwcrypto.IHwCryptoKey/default";
const HWKEY_TARGET_PORT: &CStr = c"com.android.trusty.rust.hwcryptohal.V1";

const PORT_COUNT: usize = 2;
const CONNECTION_COUNT: usize = 6;

type AuthMgrAccessorService = rpcbinder::RpcServer;

service_dispatcher! {
    pub enum AuthMgrFeDispatcher {
        AuthMgrAccessorService,
    }
}

fn add_server_to_authmgr_dispatcher(
    dispatcher: &mut AuthMgrFeDispatcher<PORT_COUNT>,
    service_name: &'static str,
    target_port: &'static CStr,
) {
    let accessor_server = RpcServer::new_per_session(move |uuid| {
        Some(
            AuthMgrAccessor::new_binder(service_name, get_security_config(target_port), uuid)
                .as_binder(),
        )
    });
    let serving_port = service_manager::service_name_to_trusty_port(service_name)
        .expect("Port name to be derivable from service name");
    let service_cfg =
        PortCfg::new(serving_port).expect("Service port should be valid").allow_ta_connect();

    dispatcher
        .add_service(Rc::new(accessor_server), service_cfg)
        .expect("RPC service should add to dispatcher");
}

#[cfg(feature = "authmgrfe_mode_insecure")]
fn get_security_config(target_port: &'static CStr) -> SecurityConfig {
    log::warn!("Using authmgr-fe SecurityConfig::Insecure - no authentication or authorization for trusted services.");
    SecurityConfig::Insecure { target_port }
}

#[cfg(not(feature = "authmgrfe_mode_insecure"))]
fn get_security_config(_target_port: &'static CStr) -> SecurityConfig {
    log::info!("Using authmgr-fe SecurityConfig::Secure.");
    SecurityConfig::Secure
}

pub fn init_and_start_loop() -> tipc::Result<()> {
    let mut dispatcher =
        AuthMgrFeDispatcher::<PORT_COUNT>::new().expect("Dispatcher creation should not fail");

    add_server_to_authmgr_dispatcher(
        &mut dispatcher,
        SECURE_STORAGE_SERVICE_NAME,
        SECURE_STORAGE_TARGET_PORT,
    );
    add_server_to_authmgr_dispatcher(&mut dispatcher, HWKEY_SERVICE_NAME, HWKEY_TARGET_PORT);

    Manager::<_, _, PORT_COUNT, CONNECTION_COUNT>::new_with_dispatcher(dispatcher, [])
        .expect("Service manager should be created")
        .run_event_loop()
}

#[cfg(test)]
mod tests {
    use super::*;
    use binder::IBinder;
    use test::*;
    use service_manager::*;
    use android_hardware_security_see_storage::aidl::android::hardware::security::see::storage::ISecureStorage::ISecureStorage;

    test::init!();

    #[test]
    fn test_get_secure_storage_binder() {
        let ss: Result<binder::Strong<dyn ISecureStorage>, binder::StatusCode> =
            wait_for_interface(SECURE_STORAGE_SERVICE_NAME);

        assert_ok!(ss.expect("secure storage interface to be resolved").as_binder().ping_binder());
    }
}