226 lines
7.9 KiB
Rust
226 lines
7.9 KiB
Rust
// Copyright 2022, The Android Open Source Project
|
|
//
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
//! Main entry point for the microdroid IDiceDevice HAL implementation.
|
|
|
|
use anyhow::{bail, Error, Result};
|
|
use byteorder::{NativeEndian, ReadBytesExt};
|
|
use diced::{
|
|
dice,
|
|
hal_node::{DiceArtifacts, DiceDevice, ResidentHal, UpdatableDiceArtifacts},
|
|
};
|
|
use libc::{c_void, mmap, munmap, MAP_FAILED, MAP_PRIVATE, PROT_READ};
|
|
use serde::{Deserialize, Serialize};
|
|
use std::fs;
|
|
use std::os::unix::io::AsRawFd;
|
|
use std::panic;
|
|
use std::path::{Path, PathBuf};
|
|
use std::ptr::null_mut;
|
|
use std::slice;
|
|
use std::sync::Arc;
|
|
|
|
const AVF_STRICT_BOOT: &str = "/sys/firmware/devicetree/base/chosen/avf,strict-boot";
|
|
const DICE_HAL_SERVICE_NAME: &str = "android.hardware.security.dice.IDiceDevice/default";
|
|
|
|
/// Artifacts that are mapped into the process address space from the driver.
|
|
struct MappedDriverArtifacts<'a> {
|
|
mmap_addr: *mut c_void,
|
|
mmap_size: usize,
|
|
cdi_attest: &'a [u8; dice::CDI_SIZE],
|
|
cdi_seal: &'a [u8; dice::CDI_SIZE],
|
|
bcc: &'a [u8],
|
|
}
|
|
|
|
impl MappedDriverArtifacts<'_> {
|
|
fn new(driver_path: &Path) -> Result<Self> {
|
|
let mut file = fs::File::open(driver_path)
|
|
.map_err(|error| Error::new(error).context("Opening driver"))?;
|
|
let mmap_size =
|
|
file.read_u64::<NativeEndian>()
|
|
.map_err(|error| Error::new(error).context("Reading driver"))? as usize;
|
|
// It's safe to map the driver as the service will only create a single
|
|
// mapping per process.
|
|
let mmap_addr = unsafe {
|
|
let fd = file.as_raw_fd();
|
|
mmap(null_mut(), mmap_size, PROT_READ, MAP_PRIVATE, fd, 0)
|
|
};
|
|
if mmap_addr == MAP_FAILED {
|
|
bail!("Failed to mmap {:?}", driver_path);
|
|
}
|
|
// The slice is created for the region of memory that was just
|
|
// successfully mapped into the process address space so it will be
|
|
// accessible and not referenced from anywhere else.
|
|
let mmap_buf =
|
|
unsafe { slice::from_raw_parts((mmap_addr as *const u8).as_ref().unwrap(), mmap_size) };
|
|
// Very inflexible parsing / validation of the BccHandover data. Assumes deterministically
|
|
// encoded CBOR.
|
|
//
|
|
// BccHandover = {
|
|
// 1 : bstr .size 32, ; CDI_Attest
|
|
// 2 : bstr .size 32, ; CDI_Seal
|
|
// 3 : Bcc, ; Certificate chain
|
|
// }
|
|
if mmap_buf[0..4] != [0xa3, 0x01, 0x58, 0x20]
|
|
|| mmap_buf[36..39] != [0x02, 0x58, 0x20]
|
|
|| mmap_buf[71] != 0x03
|
|
{
|
|
bail!("BccHandover format mismatch");
|
|
}
|
|
Ok(Self {
|
|
mmap_addr,
|
|
mmap_size,
|
|
cdi_attest: mmap_buf[4..36].try_into().unwrap(),
|
|
cdi_seal: mmap_buf[39..71].try_into().unwrap(),
|
|
bcc: &mmap_buf[72..],
|
|
})
|
|
}
|
|
}
|
|
|
|
impl Drop for MappedDriverArtifacts<'_> {
|
|
fn drop(&mut self) {
|
|
// All references to the mapped region have the same lifetime as self.
|
|
// Since self is being dropped, so are all the references to the mapped
|
|
// region meaning its safe to unmap.
|
|
let ret = unsafe { munmap(self.mmap_addr, self.mmap_size) };
|
|
if ret != 0 {
|
|
log::warn!("Failed to munmap ({})", ret);
|
|
}
|
|
}
|
|
}
|
|
|
|
impl DiceArtifacts for MappedDriverArtifacts<'_> {
|
|
fn cdi_attest(&self) -> &[u8; dice::CDI_SIZE] {
|
|
self.cdi_attest
|
|
}
|
|
fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
|
|
self.cdi_seal
|
|
}
|
|
fn bcc(&self) -> Vec<u8> {
|
|
// The BCC only contains public information so it's fine to copy.
|
|
self.bcc.to_vec()
|
|
}
|
|
}
|
|
|
|
/// Artifacts that are kept in the process address space after the artifacts
|
|
/// from the driver have been consumed.
|
|
#[derive(Clone, Serialize, Deserialize)]
|
|
struct RawArtifacts {
|
|
cdi_attest: [u8; dice::CDI_SIZE],
|
|
cdi_seal: [u8; dice::CDI_SIZE],
|
|
bcc: Vec<u8>,
|
|
}
|
|
|
|
impl DiceArtifacts for RawArtifacts {
|
|
fn cdi_attest(&self) -> &[u8; dice::CDI_SIZE] {
|
|
&self.cdi_attest
|
|
}
|
|
fn cdi_seal(&self) -> &[u8; dice::CDI_SIZE] {
|
|
&self.cdi_seal
|
|
}
|
|
fn bcc(&self) -> Vec<u8> {
|
|
// The BCC only contains public information so it's fine to copy.
|
|
self.bcc.clone()
|
|
}
|
|
}
|
|
|
|
#[derive(Clone, Serialize, Deserialize)]
|
|
enum DriverArtifactManager {
|
|
Invalid,
|
|
Driver(PathBuf),
|
|
Updated(RawArtifacts),
|
|
}
|
|
|
|
impl DriverArtifactManager {
|
|
fn new(driver_path: &Path) -> Self {
|
|
if driver_path.exists() {
|
|
log::info!("Using DICE values from driver");
|
|
Self::Driver(driver_path.to_path_buf())
|
|
} else if Path::new(AVF_STRICT_BOOT).exists() {
|
|
log::error!("Strict boot requires DICE value from driver but none were found");
|
|
Self::Invalid
|
|
} else {
|
|
log::warn!("Using sample DICE values");
|
|
let (cdi_attest, cdi_seal, bcc) = diced_sample_inputs::make_sample_bcc_and_cdis()
|
|
.expect("Failed to create sample dice artifacts.");
|
|
Self::Updated(RawArtifacts {
|
|
cdi_attest: cdi_attest[..].try_into().unwrap(),
|
|
cdi_seal: cdi_seal[..].try_into().unwrap(),
|
|
bcc,
|
|
})
|
|
}
|
|
}
|
|
}
|
|
|
|
impl UpdatableDiceArtifacts for DriverArtifactManager {
|
|
fn with_artifacts<F, T>(&self, f: F) -> Result<T>
|
|
where
|
|
F: FnOnce(&dyn DiceArtifacts) -> Result<T>,
|
|
{
|
|
match self {
|
|
Self::Invalid => bail!("No DICE artifacts available."),
|
|
Self::Driver(driver_path) => f(&MappedDriverArtifacts::new(driver_path.as_path())?),
|
|
Self::Updated(raw_artifacts) => f(raw_artifacts),
|
|
}
|
|
}
|
|
fn update(self, new_artifacts: &impl DiceArtifacts) -> Result<Self> {
|
|
if let Self::Invalid = self {
|
|
bail!("Cannot update invalid DICE artifacts.");
|
|
}
|
|
if let Self::Driver(driver_path) = self {
|
|
// Writing to the device wipes the artifcates. The string is ignored
|
|
// by the driver but included for documentation.
|
|
fs::write(driver_path, "wipe")
|
|
.map_err(|error| Error::new(error).context("Wiping driver"))?;
|
|
}
|
|
Ok(Self::Updated(RawArtifacts {
|
|
cdi_attest: *new_artifacts.cdi_attest(),
|
|
cdi_seal: *new_artifacts.cdi_seal(),
|
|
bcc: new_artifacts.bcc(),
|
|
}))
|
|
}
|
|
}
|
|
|
|
fn main() {
|
|
android_logger::init_once(
|
|
android_logger::Config::default()
|
|
.with_tag("android.hardware.security.dice")
|
|
.with_min_level(log::Level::Debug),
|
|
);
|
|
// Redirect panic messages to logcat.
|
|
panic::set_hook(Box::new(|panic_info| {
|
|
log::error!("{}", panic_info);
|
|
}));
|
|
|
|
// Saying hi.
|
|
log::info!("android.hardware.security.dice is starting.");
|
|
|
|
let hal_impl = Arc::new(
|
|
unsafe {
|
|
// Safety: ResidentHal cannot be used in multi threaded processes.
|
|
// This service does not start a thread pool. The main thread is the only thread
|
|
// joining the thread pool, thereby keeping the process single threaded.
|
|
ResidentHal::new(DriverArtifactManager::new(Path::new("/dev/open-dice0")))
|
|
}
|
|
.expect("Failed to create ResidentHal implementation."),
|
|
);
|
|
|
|
let hal = DiceDevice::new_as_binder(hal_impl).expect("Failed to construct hal service.");
|
|
|
|
binder::add_service(DICE_HAL_SERVICE_NAME, hal.as_binder())
|
|
.expect("Failed to register IDiceDevice Service");
|
|
|
|
log::info!("Joining thread pool now.");
|
|
binder::ProcessState::join_thread_pool();
|
|
}
|