pa-fazil
/
android_system_core
mirror of https://github.com/fazilsheik96/android_system_core.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Separating GateKeeperProxy declaration in header 

Adding gatekeeperd.h and moving declarations for GateKeeperProxy into
header. Adding separate main.cpp for entry point.
Adding cc_default to be used by binary and fuzzer.
This is needed in order to fuzz gatekeeperd AIDL service

Test: m gatekeeperd
Bug: N/A
Change-Id: Ifb2082f68bb200e4ed83608a6def8e45032753de
This commit is contained in:
Pawan Wagh 2023-04-21 22:04:31 +00:00
parent 057cbf6379
commit c5c0c3024c
4 changed files with 461 additions and 371 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
gatekeeperd/Android.bp
View File

@ -18,8 +18,8 @@ package {
default_applicable_licenses: ["Android-Apache-2.0"], default_applicable_licenses: ["Android-Apache-2.0"],
} }
cc_binary { cc_defaults {
name: "gatekeeperd", name: "gatekeeperd_defaults",
cflags: [ cflags: [
"-Wall", "-Wall",
"-Wextra", "-Wextra",
@ -52,6 +52,16 @@ cc_binary {
static_libs: ["libscrypt_static"], static_libs: ["libscrypt_static"],
include_dirs: ["external/scrypt/lib/crypto"], include_dirs: ["external/scrypt/lib/crypto"],
}
cc_binary {
name: "gatekeeperd",
defaults: [
"gatekeeperd_defaults",
],
srcs: [
"main.cpp",
],
init_rc: ["gatekeeperd.rc"], init_rc: ["gatekeeperd.rc"],
} }

685
gatekeeperd/gatekeeperd.cpp
View File

@ -13,11 +13,9 @@
* See the License for the specific language governing permissions and * See the License for the specific language governing permissions and
* limitations under the License. * limitations under the License.
*/ */
#define LOG_TAG "gatekeeperd" #define LOG_TAG "gatekeeperd"
#include <android/service/gatekeeper/BnGateKeeperService.h> #include "gatekeeperd.h"
#include <gatekeeper/GateKeeperResponse.h>
#include <endian.h> #include <endian.h>
#include <errno.h> #include <errno.h>
@ -39,25 +37,18 @@
#include <log/log.h> #include <log/log.h>
#include <utils/String16.h> #include <utils/String16.h>
#include <aidl/android/hardware/gatekeeper/IGatekeeper.h>
#include <aidl/android/hardware/security/keymint/HardwareAuthToken.h> #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
#include <aidl/android/security/authorization/IKeystoreAuthorization.h> #include <aidl/android/security/authorization/IKeystoreAuthorization.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <hidl/HidlSupport.h> #include <hidl/HidlSupport.h>
using android::sp; using android::sp;
using android::hardware::Return; using android::hardware::Return;
using android::hardware::gatekeeper::V1_0::GatekeeperResponse; using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode; using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
using android::hardware::gatekeeper::V1_0::IGatekeeper;
using AidlGatekeeperEnrollResp = aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse; using AidlGatekeeperEnrollResp = aidl::android::hardware::gatekeeper::GatekeeperEnrollResponse;
using AidlGatekeeperVerifyResp = aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse; using AidlGatekeeperVerifyResp = aidl::android::hardware::gatekeeper::GatekeeperVerifyResponse;
using AidlIGatekeeper = aidl::android::hardware::gatekeeper::IGatekeeper;
using ::android::binder::Status;
using ::android::service::gatekeeper::BnGateKeeperService;
using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
using GKResponseCode = ::android::service::gatekeeper::ResponseCode; using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType; using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType;
using ::aidl::android::hardware::security::keymint::HardwareAuthToken; using ::aidl::android::hardware::security::keymint::HardwareAuthToken;
@ -70,172 +61,167 @@ static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SE
static const String16 DUMP_PERMISSION("android.permission.DUMP"); static const String16 DUMP_PERMISSION("android.permission.DUMP");
constexpr const char gatekeeperServiceName[] = "android.hardware.gatekeeper.IGatekeeper/default"; constexpr const char gatekeeperServiceName[] = "android.hardware.gatekeeper.IGatekeeper/default";
class GateKeeperProxy : public BnGateKeeperService { GateKeeperProxy::GateKeeperProxy() {
public: clear_state_if_needed_done = false;
GateKeeperProxy() { hw_device = IGatekeeper::getService();
clear_state_if_needed_done = false; ::ndk::SpAIBinder ks2Binder(AServiceManager_getService(gatekeeperServiceName));
hw_device = IGatekeeper::getService(); aidl_hw_device = AidlIGatekeeper::fromBinder(ks2Binder);
::ndk::SpAIBinder ks2Binder(AServiceManager_getService(gatekeeperServiceName)); is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
aidl_hw_device = AidlIGatekeeper::fromBinder(ks2Binder);
is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
if (!aidl_hw_device && !hw_device) { if (!aidl_hw_device && !hw_device) {
LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad."; LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
}
}
void GateKeeperProxy::store_sid(uint32_t userId, uint64_t sid) {
char filename[21];
snprintf(filename, sizeof(filename), "%u", userId);
int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
if (fd < 0) {
ALOGE("could not open file: %s: %s", filename, strerror(errno));
return;
}
write(fd, &sid, sizeof(sid));
close(fd);
}
void GateKeeperProxy::clear_state_if_needed() {
if (clear_state_if_needed_done) {
return;
}
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
if (aidl_hw_device) {
aidl_hw_device->deleteAllUsers();
} else if (hw_device) {
hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
} }
} }
virtual ~GateKeeperProxy() {} clear_state_if_needed_done = true;
}
void store_sid(uint32_t userId, uint64_t sid) { bool GateKeeperProxy::mark_cold_boot() {
char filename[21]; const char* filename = ".coldboot";
snprintf(filename, sizeof(filename), "%u", userId); if (access(filename, F_OK) == -1) {
int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
if (fd < 0) { if (fd < 0) {
ALOGE("could not open file: %s: %s", filename, strerror(errno)); ALOGE("could not open file: %s : %s", filename, strerror(errno));
return; return false;
} }
write(fd, &sid, sizeof(sid));
close(fd); close(fd);
return true;
} }
return false;
}
void clear_state_if_needed() { void GateKeeperProxy::maybe_store_sid(uint32_t userId, uint64_t sid) {
if (clear_state_if_needed_done) { char filename[21];
return; snprintf(filename, sizeof(filename), "%u", userId);
} if (access(filename, F_OK) == -1) {
store_sid(userId, sid);
if (mark_cold_boot() && !is_running_gsi) {
ALOGI("cold boot: clearing state");
if (aidl_hw_device) {
aidl_hw_device->deleteAllUsers();
} else if (hw_device) {
hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
}
}
clear_state_if_needed_done = true;
} }
}
bool mark_cold_boot() { uint64_t GateKeeperProxy::read_sid(uint32_t userId) {
const char* filename = ".coldboot"; char filename[21];
if (access(filename, F_OK) == -1) { uint64_t sid;
int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); snprintf(filename, sizeof(filename), "%u", userId);
if (fd < 0) { int fd = open(filename, O_RDONLY);
ALOGE("could not open file: %s : %s", filename, strerror(errno)); if (fd < 0) return 0;
return false; read(fd, &sid, sizeof(sid));
} close(fd);
close(fd); return sid;
return true; }
}
return false;
}
void maybe_store_sid(uint32_t userId, uint64_t sid) { void GateKeeperProxy::clear_sid(uint32_t userId) {
char filename[21]; char filename[21];
snprintf(filename, sizeof(filename), "%u", userId); snprintf(filename, sizeof(filename), "%u", userId);
if (access(filename, F_OK) == -1) { if (remove(filename) < 0 && errno != ENOENT) {
store_sid(userId, sid); ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
} store_sid(userId, 0);
} }
}
uint64_t read_sid(uint32_t userId) { uint32_t GateKeeperProxy::adjust_userId(uint32_t userId) {
char filename[21]; static constexpr uint32_t kGsiOffset = 1000000;
uint64_t sid; CHECK(userId < kGsiOffset);
snprintf(filename, sizeof(filename), "%u", userId); CHECK((aidl_hw_device != nullptr) || (hw_device != nullptr));
int fd = open(filename, O_RDONLY); if (is_running_gsi) {
if (fd < 0) return 0; return userId + kGsiOffset;
read(fd, &sid, sizeof(sid));
close(fd);
return sid;
}
void clear_sid(uint32_t userId) {
char filename[21];
snprintf(filename, sizeof(filename), "%u", userId);
if (remove(filename) < 0 && errno != ENOENT) {
ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
store_sid(userId, 0);
}
}
// This should only be called on userIds being passed to the GateKeeper HAL. It ensures that
// secure storage shared across a GSI image and a host image will not overlap.
uint32_t adjust_userId(uint32_t userId) {
static constexpr uint32_t kGsiOffset = 1000000;
CHECK(userId < kGsiOffset);
CHECK((aidl_hw_device != nullptr) || (hw_device != nullptr));
if (is_running_gsi) {
return userId + kGsiOffset;
}
return userId;
} }
return userId;
}
#define GK_ERROR *gkResponse = GKResponse::error(), Status::ok() #define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
Status enroll(int32_t userId, const std::optional<std::vector<uint8_t>>& currentPasswordHandle, Status GateKeeperProxy::enroll(int32_t userId,
const std::optional<std::vector<uint8_t>>& currentPassword, const std::optional<std::vector<uint8_t>>& currentPasswordHandle,
const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override { const std::optional<std::vector<uint8_t>>& currentPassword,
IPCThreadState* ipc = IPCThreadState::self(); const std::vector<uint8_t>& desiredPassword,
const int calling_pid = ipc->getCallingPid(); GKResponse* gkResponse) {
const int calling_uid = ipc->getCallingUid(); IPCThreadState* ipc = IPCThreadState::self();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { const int calling_pid = ipc->getCallingPid();
return GK_ERROR; const int calling_uid = ipc->getCallingUid();
} if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
return GK_ERROR;
}
// Make sure to clear any state from before factory reset as soon as a credential is // Make sure to clear any state from before factory reset as soon as a credential is
// enrolled (which may happen during device setup). // enrolled (which may happen during device setup).
clear_state_if_needed(); clear_state_if_needed();
// need a desired password to enroll // need a desired password to enroll
if (desiredPassword.size() == 0) return GK_ERROR; if (desiredPassword.size() == 0) return GK_ERROR;
if (!aidl_hw_device && !hw_device) { if (!aidl_hw_device && !hw_device) {
LOG(ERROR) << "has no HAL to talk to"; LOG(ERROR) << "has no HAL to talk to";
return GK_ERROR; return GK_ERROR;
} }
android::hardware::hidl_vec<uint8_t> curPwdHandle; android::hardware::hidl_vec<uint8_t> curPwdHandle;
android::hardware::hidl_vec<uint8_t> curPwd; android::hardware::hidl_vec<uint8_t> curPwd;
if (currentPasswordHandle && currentPassword) { if (currentPasswordHandle && currentPassword) {
if (hw_device) { if (hw_device) {
// Hidl Implementations expects passwordHandle to be in // Hidl Implementations expects passwordHandle to be in
// gatekeeper::password_handle_t format. // gatekeeper::password_handle_t format.
if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) { if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
LOG(INFO) << "Password handle has wrong length"; LOG(INFO) << "Password handle has wrong length";
return GK_ERROR;
}
}
curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
currentPasswordHandle->size());
curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
currentPassword->size());
}
android::hardware::hidl_vec<uint8_t> newPwd;
newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
uint32_t hw_userId = adjust_userId(userId);
uint64_t secureUserId = 0;
if (aidl_hw_device) {
// AIDL gatekeeper service
AidlGatekeeperEnrollResp rsp;
auto result = aidl_hw_device->enroll(hw_userId, curPwdHandle, curPwd, newPwd, &rsp);
if (!result.isOk()) {
LOG(ERROR) << "enroll transaction failed";
return GK_ERROR; return GK_ERROR;
} }
if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) { }
*gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()}); curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
secureUserId = static_cast<uint64_t>(rsp.secureUserId); currentPasswordHandle->size());
} else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT && curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
rsp.timeoutMs > 0) { currentPassword->size());
*gkResponse = GKResponse::retry(rsp.timeoutMs); }
} else {
*gkResponse = GKResponse::error(); android::hardware::hidl_vec<uint8_t> newPwd;
} newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
} else if (hw_device) {
// HIDL gatekeeper service uint32_t hw_userId = adjust_userId(userId);
Return<void> hwRes = hw_device->enroll( uint64_t secureUserId = 0;
if (aidl_hw_device) {
// AIDL gatekeeper service
AidlGatekeeperEnrollResp rsp;
auto result = aidl_hw_device->enroll(hw_userId, curPwdHandle, curPwd, newPwd, &rsp);
if (!result.isOk()) {
LOG(ERROR) << "enroll transaction failed";
return GK_ERROR;
}
if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
*gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
secureUserId = static_cast<uint64_t>(rsp.secureUserId);
} else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT && rsp.timeoutMs > 0) {
*gkResponse = GKResponse::retry(rsp.timeoutMs);
} else {
*gkResponse = GKResponse::error();
}
} else if (hw_device) {
// HIDL gatekeeper service
Return<void> hwRes = hw_device->enroll(
hw_userId, curPwdHandle, curPwd, newPwd, hw_userId, curPwdHandle, curPwd, newPwd,
[&gkResponse](const GatekeeperResponse& rsp) { [&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) { if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
@ -247,110 +233,110 @@ class GateKeeperProxy : public BnGateKeeperService {
*gkResponse = GKResponse::error(); *gkResponse = GKResponse::error();
} }
}); });
if (!hwRes.isOk()) { if (!hwRes.isOk()) {
LOG(ERROR) << "enroll transaction failed"; LOG(ERROR) << "enroll transaction failed";
return GK_ERROR;
}
if (gkResponse->response_code() == GKResponseCode::OK) {
if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
LOG(ERROR) << "HAL returned password handle of invalid length "
<< gkResponse->payload().size();
return GK_ERROR; return GK_ERROR;
} }
if (gkResponse->response_code() == GKResponseCode::OK) {
if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
LOG(ERROR) << "HAL returned password handle of invalid length "
<< gkResponse->payload().size();
return GK_ERROR;
}
const gatekeeper::password_handle_t* handle = const gatekeeper::password_handle_t* handle =
reinterpret_cast<const gatekeeper::password_handle_t*>( reinterpret_cast<const gatekeeper::password_handle_t*>(
gkResponse->payload().data()); gkResponse->payload().data());
secureUserId = handle->user_id; secureUserId = handle->user_id;
}
} }
if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
store_sid(userId, secureUserId);
GKResponse verifyResponse;
// immediately verify this password so we don't ask the user to enter it again
// if they just created it.
auto status = verify(userId, gkResponse->payload(), desiredPassword, &verifyResponse);
if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
LOG(ERROR) << "Failed to verify password after enrolling";
}
}
return Status::ok();
} }
Status verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle, if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override { store_sid(userId, secureUserId);
return verifyChallenge(userId, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
gkResponse); GKResponse verifyResponse;
// immediately verify this password so we don't ask the user to enter it again
// if they just created it.
auto status = verify(userId, gkResponse->payload(), desiredPassword, &verifyResponse);
if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
LOG(ERROR) << "Failed to verify password after enrolling";
}
} }
Status verifyChallenge(int32_t userId, int64_t challenge, return Status::ok();
const std::vector<uint8_t>& enrolledPasswordHandle, }
const std::vector<uint8_t>& providedPassword,
GKResponse* gkResponse) override { Status GateKeeperProxy::verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle,
IPCThreadState* ipc = IPCThreadState::self(); const ::std::vector<uint8_t>& providedPassword,
const int calling_pid = ipc->getCallingPid(); GKResponse* gkResponse) {
const int calling_uid = ipc->getCallingUid(); return verifyChallenge(userId, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { gkResponse);
}
Status GateKeeperProxy::verifyChallenge(int32_t userId, int64_t challenge,
const std::vector<uint8_t>& enrolledPasswordHandle,
const std::vector<uint8_t>& providedPassword,
GKResponse* gkResponse) {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
return GK_ERROR;
}
// can't verify if we're missing either param
if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
if (!aidl_hw_device && !hw_device) {
LOG(ERROR) << "has no HAL to talk to";
return GK_ERROR;
}
if (hw_device) {
// Hidl Implementations expects passwordHandle to be in gatekeeper::password_handle_t
if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
LOG(INFO) << "Password handle has wrong length";
return GK_ERROR; return GK_ERROR;
} }
}
// can't verify if we're missing either param uint32_t hw_userId = adjust_userId(userId);
if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR; android::hardware::hidl_vec<uint8_t> curPwdHandle;
curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
enrolledPasswordHandle.size());
android::hardware::hidl_vec<uint8_t> enteredPwd;
enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
providedPassword.size());
if (!aidl_hw_device && !hw_device) { uint64_t secureUserId = 0;
LOG(ERROR) << "has no HAL to talk to"; if (aidl_hw_device) {
// AIDL gatekeeper service
AidlGatekeeperVerifyResp rsp;
auto result = aidl_hw_device->verify(hw_userId, challenge, curPwdHandle, enteredPwd, &rsp);
if (!result.isOk()) {
LOG(ERROR) << "verify transaction failed";
return GK_ERROR; return GK_ERROR;
} }
if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
if (hw_device) { secureUserId = rsp.hardwareAuthToken.userId;
// Hidl Implementations expects passwordHandle to be in gatekeeper::password_handle_t // Serialize HardwareAuthToken to a vector as hw_auth_token_t.
if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) { *gkResponse = GKResponse::ok(
LOG(INFO) << "Password handle has wrong length"; authToken2AidlVec(rsp.hardwareAuthToken),
return GK_ERROR; rsp.statusCode == AidlIGatekeeper::STATUS_REENROLL /* reenroll */);
} } else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT) {
*gkResponse = GKResponse::retry(rsp.timeoutMs);
} else {
*gkResponse = GKResponse::error();
} }
} else if (hw_device) {
uint32_t hw_userId = adjust_userId(userId); // HIDL gatekeeper service
android::hardware::hidl_vec<uint8_t> curPwdHandle; Return<void> hwRes = hw_device->verify(
curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
enrolledPasswordHandle.size());
android::hardware::hidl_vec<uint8_t> enteredPwd;
enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
providedPassword.size());
uint64_t secureUserId = 0;
if (aidl_hw_device) {
// AIDL gatekeeper service
AidlGatekeeperVerifyResp rsp;
auto result =
aidl_hw_device->verify(hw_userId, challenge, curPwdHandle, enteredPwd, &rsp);
if (!result.isOk()) {
LOG(ERROR) << "verify transaction failed";
return GK_ERROR;
}
if (rsp.statusCode >= AidlIGatekeeper::STATUS_OK) {
secureUserId = rsp.hardwareAuthToken.userId;
// Serialize HardwareAuthToken to a vector as hw_auth_token_t.
*gkResponse = GKResponse::ok(authToken2AidlVec(rsp.hardwareAuthToken),
rsp.statusCode ==
AidlIGatekeeper::STATUS_REENROLL /* reenroll */);
} else if (rsp.statusCode == AidlIGatekeeper::ERROR_RETRY_TIMEOUT) {
*gkResponse = GKResponse::retry(rsp.timeoutMs);
} else {
*gkResponse = GKResponse::error();
}
} else if (hw_device) {
// HIDL gatekeeper service
Return<void> hwRes = hw_device->verify(
hw_userId, challenge, curPwdHandle, enteredPwd, hw_userId, challenge, curPwdHandle, enteredPwd,
[&gkResponse](const GatekeeperResponse& rsp) { [&gkResponse](const GatekeeperResponse& rsp) {
if (rsp.code >= GatekeeperStatusCode::STATUS_OK) { if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
*gkResponse = GKResponse::ok( *gkResponse = GKResponse::ok(
{rsp.data.begin(), rsp.data.end()}, {rsp.data.begin(), rsp.data.end()},
rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */); rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
} else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) { } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
*gkResponse = GKResponse::retry(rsp.timeout); *gkResponse = GKResponse::retry(rsp.timeout);
} else { } else {
@ -358,149 +344,110 @@ class GateKeeperProxy : public BnGateKeeperService {
} }
}); });
if (!hwRes.isOk()) { if (!hwRes.isOk()) {
LOG(ERROR) << "verify transaction failed"; LOG(ERROR) << "verify transaction failed";
return GK_ERROR; return GK_ERROR;
}
const gatekeeper::password_handle_t* handle =
reinterpret_cast<const gatekeeper::password_handle_t*>(
enrolledPasswordHandle.data());
secureUserId = handle->user_id;
} }
const gatekeeper::password_handle_t* handle =
reinterpret_cast<const gatekeeper::password_handle_t*>(
enrolledPasswordHandle.data());
secureUserId = handle->user_id;
}
if (gkResponse->response_code() == GKResponseCode::OK) { if (gkResponse->response_code() == GKResponseCode::OK) {
if (gkResponse->payload().size() != 0) { if (gkResponse->payload().size() != 0) {
// try to connect to IKeystoreAuthorization AIDL service first. // try to connect to IKeystoreAuthorization AIDL service first.
AIBinder* authzAIBinder = AIBinder* authzAIBinder = AServiceManager_getService("android.security.authorization");
AServiceManager_getService("android.security.authorization"); ::ndk::SpAIBinder authzBinder(authzAIBinder);
::ndk::SpAIBinder authzBinder(authzAIBinder); auto authzService = IKeystoreAuthorization::fromBinder(authzBinder);
auto authzService = IKeystoreAuthorization::fromBinder(authzBinder); if (authzService) {
if (authzService) { if (gkResponse->payload().size() != sizeof(hw_auth_token_t)) {
if (gkResponse->payload().size() != sizeof(hw_auth_token_t)) { LOG(ERROR) << "Incorrect size of AuthToken payload.";
LOG(ERROR) << "Incorrect size of AuthToken payload.";
return GK_ERROR;
}
const hw_auth_token_t* hwAuthToken =
reinterpret_cast<const hw_auth_token_t*>(gkResponse->payload().data());
HardwareAuthToken authToken;
authToken.timestamp.milliSeconds = betoh64(hwAuthToken->timestamp);
authToken.challenge = hwAuthToken->challenge;
authToken.userId = hwAuthToken->user_id;
authToken.authenticatorId = hwAuthToken->authenticator_id;
authToken.authenticatorType = static_cast<HardwareAuthenticatorType>(
betoh32(hwAuthToken->authenticator_type));
authToken.mac.assign(&hwAuthToken->hmac[0], &hwAuthToken->hmac[32]);
auto result = authzService->addAuthToken(authToken);
if (!result.isOk()) {
LOG(ERROR) << "Failure in sending AuthToken to AuthorizationService.";
return GK_ERROR;
}
} else {
LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with "
"Keystore.";
return GK_ERROR; return GK_ERROR;
} }
const hw_auth_token_t* hwAuthToken =
reinterpret_cast<const hw_auth_token_t*>(gkResponse->payload().data());
HardwareAuthToken authToken;
authToken.timestamp.milliSeconds = betoh64(hwAuthToken->timestamp);
authToken.challenge = hwAuthToken->challenge;
authToken.userId = hwAuthToken->user_id;
authToken.authenticatorId = hwAuthToken->authenticator_id;
authToken.authenticatorType = static_cast<HardwareAuthenticatorType>(
betoh32(hwAuthToken->authenticator_type));
authToken.mac.assign(&hwAuthToken->hmac[0], &hwAuthToken->hmac[32]);
auto result = authzService->addAuthToken(authToken);
if (!result.isOk()) {
LOG(ERROR) << "Failure in sending AuthToken to AuthorizationService.";
return GK_ERROR;
}
} else {
LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with "
"Keystore.";
return GK_ERROR;
} }
maybe_store_sid(userId, secureUserId);
} }
return Status::ok(); maybe_store_sid(userId, secureUserId);
} }
Status getSecureUserId(int32_t userId, int64_t* sid) override { return Status::ok();
*sid = read_sid(userId);
return Status::ok();
}
Status clearSecureUserId(int32_t userId) override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return Status::ok();
}
clear_sid(userId);
uint32_t hw_userId = adjust_userId(userId);
if (aidl_hw_device) {
aidl_hw_device->deleteUser(hw_userId);
} else if (hw_device) {
hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {});
}
return Status::ok();
}
Status reportDeviceSetupComplete() override {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return Status::ok();
}
clear_state_if_needed();
return Status::ok();
}
status_t dump(int fd, const Vector<String16>&) override {
IPCThreadState* ipc = IPCThreadState::self();
const int pid = ipc->getCallingPid();
const int uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
return PERMISSION_DENIED;
}
if (aidl_hw_device == nullptr && hw_device == nullptr) {
const char* result = "Device not available";
write(fd, result, strlen(result) + 1);
} else {
const char* result = "OK";
write(fd, result, strlen(result) + 1);
}
return OK;
}
private:
// AIDL gatekeeper service.
std::shared_ptr<AidlIGatekeeper> aidl_hw_device;
// HIDL gatekeeper service.
sp<IGatekeeper> hw_device;
bool clear_state_if_needed_done;
bool is_running_gsi;
};
} // namespace android
int main(int argc, char* argv[]) {
ALOGI("Starting gatekeeperd...");
if (argc < 2) {
ALOGE("A directory must be specified!");
return 1;
}
if (chdir(argv[1]) == -1) {
ALOGE("chdir: %s: %s", argv[1], strerror(errno));
return 1;
}
android::sp<android::IServiceManager> sm = android::defaultServiceManager();
android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
android::status_t ret =
sm->addService(android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
if (ret != android::OK) {
ALOGE("Couldn't register binder service!");
return -1;
}
/*
* We're the only thread in existence, so we're just going to process
* Binder transaction as a single-threaded program.
*/
android::IPCThreadState::self()->joinThreadPool();
return 0;
} }
Status GateKeeperProxy::getSecureUserId(int32_t userId, int64_t* sid) {
*sid = read_sid(userId);
return Status::ok();
}
Status GateKeeperProxy::clearSecureUserId(int32_t userId) {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return Status::ok();
}
clear_sid(userId);
uint32_t hw_userId = adjust_userId(userId);
if (aidl_hw_device) {
aidl_hw_device->deleteUser(hw_userId);
} else if (hw_device) {
hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {});
}
return Status::ok();
}
Status GateKeeperProxy::reportDeviceSetupComplete() {
IPCThreadState* ipc = IPCThreadState::self();
const int calling_pid = ipc->getCallingPid();
const int calling_uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
return Status::ok();
}
clear_state_if_needed();
return Status::ok();
}
status_t GateKeeperProxy::dump(int fd, const Vector<String16>&) {
IPCThreadState* ipc = IPCThreadState::self();
const int pid = ipc->getCallingPid();
const int uid = ipc->getCallingUid();
if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
return PERMISSION_DENIED;
}
if (aidl_hw_device == nullptr && hw_device == nullptr) {
const char* result = "Device not available";
write(fd, result, strlen(result) + 1);
} else {
const char* result = "OK";
write(fd, result, strlen(result) + 1);
}
return OK;
}
} // namespace android

83
gatekeeperd/gatekeeperd.h Normal file
View File

@ -0,0 +1,83 @@
/*
* Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <aidl/android/hardware/gatekeeper/IGatekeeper.h>
#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
#include <android/service/gatekeeper/BnGateKeeperService.h>
#include <gatekeeper/GateKeeperResponse.h>
using ::android::hardware::gatekeeper::V1_0::IGatekeeper;
using AidlIGatekeeper = ::aidl::android::hardware::gatekeeper::IGatekeeper;
using ::android::binder::Status;
using ::android::service::gatekeeper::BnGateKeeperService;
using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
namespace android {
class GateKeeperProxy : public BnGateKeeperService {
public:
GateKeeperProxy();
virtual ~GateKeeperProxy() {}
void store_sid(uint32_t userId, uint64_t sid);
void clear_state_if_needed();
bool mark_cold_boot();
void maybe_store_sid(uint32_t userId, uint64_t sid);
uint64_t read_sid(uint32_t userId);
void clear_sid(uint32_t userId);
// This should only be called on userIds being passed to the GateKeeper HAL. It ensures that
// secure storage shared across a GSI image and a host image will not overlap.
uint32_t adjust_userId(uint32_t userId);
#define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
Status enroll(int32_t userId, const std::optional<std::vector<uint8_t>>& currentPasswordHandle,
const std::optional<std::vector<uint8_t>>& currentPassword,
const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override;
Status verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle,
const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override;
Status verifyChallenge(int32_t userId, int64_t challenge,
const std::vector<uint8_t>& enrolledPasswordHandle,
const std::vector<uint8_t>& providedPassword,
GKResponse* gkResponse) override;
Status getSecureUserId(int32_t userId, int64_t* sid) override;
Status clearSecureUserId(int32_t userId) override;
Status reportDeviceSetupComplete() override;
status_t dump(int fd, const Vector<String16>&) override;
private:
// AIDL gatekeeper service.
std::shared_ptr<AidlIGatekeeper> aidl_hw_device;
// HIDL gatekeeper service.
sp<IGatekeeper> hw_device;
bool clear_state_if_needed_done;
bool is_running_gsi;
};
} // namespace android

50
gatekeeperd/main.cpp Normal file
View File

@ -0,0 +1,50 @@
/*
* Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
#include <log/log.h>
#include "gatekeeperd.h"
int main(int argc, char* argv[]) {
ALOGI("Starting gatekeeperd...");
if (argc < 2) {
ALOGE("A directory must be specified!");
return 1;
}
if (chdir(argv[1]) == -1) {
ALOGE("chdir: %s: %s", argv[1], strerror(errno));
return 1;
}
android::sp<android::IServiceManager> sm = android::defaultServiceManager();
android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
android::status_t ret = sm->addService(
android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
if (ret != android::OK) {
ALOGE("Couldn't register binder service!");
return -1;
}
/*
* We're the only thread in existence, so we're just going to process
* Binder transaction as a single-threaded program.
*/
android::IPCThreadState::self()->joinThreadPool();
return 0;
}