1 /*
2 * Copyright (C) 2009 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 //#define LOG_NDEBUG 0
18 #define LOG_TAG "keystore"
19
20 #include <keymaster/keymaster_configuration.h>
21 #include <keymaster/soft_keymaster_device.h>
22 #include <keymaster/soft_keymaster_logger.h>
23
24 #include <binder/IPCThreadState.h>
25 #include <binder/IServiceManager.h>
26
27 #include <cutils/log.h>
28
29 #include "entropy.h"
30 #include "key_store_service.h"
31 #include "keystore.h"
32 #include "permissions.h"
33
34 /* KeyStore is a secured storage for key-value pairs. In this implementation,
35 * each file stores one key-value pair. Keys are encoded in file names, and
36 * values are encrypted with checksums. The encryption key is protected by a
37 * user-defined password. To keep things simple, buffers are always larger than
38 * the maximum space we needed, so boundary checks on buffers are omitted. */
39
40 using keymaster::AuthorizationSet;
41 using keymaster::AuthorizationSetBuilder;
42 using keymaster::SoftKeymasterDevice;
43
configure_keymaster_devices(keymaster2_device_t * main,keymaster2_device_t * fallback)44 static int configure_keymaster_devices(keymaster2_device_t* main, keymaster2_device_t* fallback) {
45 keymaster_error_t error = keymaster::ConfigureDevice(main);
46 if (error != KM_ERROR_OK) {
47 return -1;
48 }
49
50 error = keymaster::ConfigureDevice(fallback);
51 if (error != KM_ERROR_OK) {
52 return -1;
53 }
54
55 return 0;
56 }
57
keymaster0_device_initialize(const hw_module_t * mod,keymaster2_device_t ** dev)58 static int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
59 assert(mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0);
60 ALOGI("Found keymaster0 module %s, version %x", mod->name, mod->module_api_version);
61
62 UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
63 keymaster0_device_t* km0_device = NULL;
64 keymaster_error_t error = KM_ERROR_OK;
65
66 int rc = keymaster0_open(mod, &km0_device);
67 if (rc) {
68 ALOGE("Error opening keystore keymaster0 device.");
69 goto err;
70 }
71
72 if (km0_device->flags & KEYMASTER_SOFTWARE_ONLY) {
73 ALOGI("Keymaster0 module is software-only. Using SoftKeymasterDevice instead.");
74 km0_device->common.close(&km0_device->common);
75 km0_device = NULL;
76 // SoftKeymasterDevice will be deleted by keymaster_device_release()
77 *dev = soft_keymaster.release()->keymaster2_device();
78 return 0;
79 }
80
81 ALOGD("Wrapping keymaster0 module %s with SoftKeymasterDevice", mod->name);
82 error = soft_keymaster->SetHardwareDevice(km0_device);
83 km0_device = NULL; // SoftKeymasterDevice has taken ownership.
84 if (error != KM_ERROR_OK) {
85 ALOGE("Got error %d from SetHardwareDevice", error);
86 rc = error;
87 goto err;
88 }
89
90 // SoftKeymasterDevice will be deleted by keymaster_device_release()
91 *dev = soft_keymaster.release()->keymaster2_device();
92 return 0;
93
94 err:
95 if (km0_device)
96 km0_device->common.close(&km0_device->common);
97 *dev = NULL;
98 return rc;
99 }
100
keymaster1_device_initialize(const hw_module_t * mod,keymaster2_device_t ** dev)101 static int keymaster1_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
102 assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_1_0);
103 ALOGI("Found keymaster1 module %s, version %x", mod->name, mod->module_api_version);
104
105 UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
106 keymaster1_device_t* km1_device = nullptr;
107 keymaster_error_t error = KM_ERROR_OK;
108
109 int rc = keymaster1_open(mod, &km1_device);
110 if (rc) {
111 ALOGE("Error %d opening keystore keymaster1 device", rc);
112 goto err;
113 }
114
115 ALOGD("Wrapping keymaster1 module %s with SofKeymasterDevice", mod->name);
116 error = soft_keymaster->SetHardwareDevice(km1_device);
117 km1_device = nullptr; // SoftKeymasterDevice has taken ownership.
118 if (error != KM_ERROR_OK) {
119 ALOGE("Got error %d from SetHardwareDevice", error);
120 rc = error;
121 goto err;
122 }
123
124 // SoftKeymasterDevice will be deleted by keymaster_device_release()
125 *dev = soft_keymaster.release()->keymaster2_device();
126 return 0;
127
128 err:
129 if (km1_device)
130 km1_device->common.close(&km1_device->common);
131 *dev = NULL;
132 return rc;
133 }
134
keymaster2_device_initialize(const hw_module_t * mod,keymaster2_device_t ** dev)135 static int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
136 assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0);
137 ALOGI("Found keymaster2 module %s, version %x", mod->name, mod->module_api_version);
138
139 UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
140 keymaster2_device_t* km2_device = nullptr;
141
142 int rc = keymaster2_open(mod, &km2_device);
143 if (rc) {
144 ALOGE("Error %d opening keystore keymaster2 device", rc);
145 goto err;
146 }
147
148 *dev = km2_device;
149 return 0;
150
151 err:
152 if (km2_device)
153 km2_device->common.close(&km2_device->common);
154 *dev = nullptr;
155 return rc;
156 }
157
keymaster_device_initialize(keymaster2_device_t ** dev)158 static int keymaster_device_initialize(keymaster2_device_t** dev) {
159 const hw_module_t* mod;
160
161 int rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
162 if (rc) {
163 ALOGI("Could not find any keystore module, using software-only implementation.");
164 // SoftKeymasterDevice will be deleted by keymaster_device_release()
165 *dev = (new SoftKeymasterDevice)->keymaster2_device();
166 return 0;
167 }
168
169 if (mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0) {
170 return keymaster0_device_initialize(mod, dev);
171 } else if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
172 return keymaster1_device_initialize(mod, dev);
173 } else {
174 return keymaster2_device_initialize(mod, dev);
175 }
176 }
177
178 // softkeymaster_logger appears not to be used in keystore, but it installs itself as the
179 // logger used by SoftKeymasterDevice.
180 static keymaster::SoftKeymasterLogger softkeymaster_logger;
181
fallback_keymaster_device_initialize(keymaster2_device_t ** dev)182 static int fallback_keymaster_device_initialize(keymaster2_device_t** dev) {
183 *dev = (new SoftKeymasterDevice)->keymaster2_device();
184 // SoftKeymasterDevice will be deleted by keymaster_device_release()
185 return 0;
186 }
187
keymaster_device_release(keymaster2_device_t * dev)188 static void keymaster_device_release(keymaster2_device_t* dev) {
189 dev->common.close(&dev->common);
190 }
191
main(int argc,char * argv[])192 int main(int argc, char* argv[]) {
193 if (argc < 2) {
194 ALOGE("A directory must be specified!");
195 return 1;
196 }
197 if (chdir(argv[1]) == -1) {
198 ALOGE("chdir: %s: %s", argv[1], strerror(errno));
199 return 1;
200 }
201
202 Entropy entropy;
203 if (!entropy.open()) {
204 return 1;
205 }
206
207 keymaster2_device_t* dev;
208 if (keymaster_device_initialize(&dev)) {
209 ALOGE("keystore keymaster could not be initialized; exiting");
210 return 1;
211 }
212
213 keymaster2_device_t* fallback;
214 if (fallback_keymaster_device_initialize(&fallback)) {
215 ALOGE("software keymaster could not be initialized; exiting");
216 return 1;
217 }
218
219 if (configure_keymaster_devices(dev, fallback)) {
220 ALOGE("Keymaster devices could not be configured; exiting");
221 return 1;
222 }
223
224 if (configure_selinux() == -1) {
225 return -1;
226 }
227
228 KeyStore keyStore(&entropy, dev, fallback);
229 keyStore.initialize();
230 android::sp<android::IServiceManager> sm = android::defaultServiceManager();
231 android::sp<android::KeyStoreService> service = new android::KeyStoreService(&keyStore);
232 android::status_t ret = sm->addService(android::String16("android.security.keystore"), service);
233 if (ret != android::OK) {
234 ALOGE("Couldn't register binder service!");
235 return -1;
236 }
237
238 /*
239 * We're the only thread in existence, so we're just going to process
240 * Binder transaction as a single-threaded program.
241 */
242 android::IPCThreadState::self()->joinThreadPool();
243
244 keymaster_device_release(dev);
245 return 1;
246 }
247