| d3ed3a207990fa2a1cd2902a07afc9bd3d1f5777 |
|
28-Mar-2017 |
Shawn Willden <swillden@google.com> |
Revert "Delegate auth token parsing to HAL."
This reverts commit 76f21b2676092911ab030c3dde1489902c00ab71.
Reason for revert: b/36637075
Bug: 36637075
Change-Id: Ica737cf96d14086aae7918f8bf2f86a36555d03b
/system/security/keystore/operation.cpp
|
| 76f21b2676092911ab030c3dde1489902c00ab71 |
|
17-Feb-2017 |
Shawn Willden <swillden@google.com> |
Delegate auth token parsing to HAL.
Auth tokens have an unfortunate dual character. To most of the system
they are opaque blobs that are intended only to be obtained from one
HAL (e.g. gatekeeper or fingerprint) and passed to another
HAL (keymaster), but keystore actually needs to extract some bits of
information from them in order to determine which of the available blobs
should be provided for a given keymaster key operation.
This CL adds a method that resolves this dual nature by moving the
responsibility of parsing blobs to the HAL so that no component of the
framework has to make any assumptions about their content and all can
treat them as fully opaque. This still means that the various HAL
implementers have to agree on content, but they also have to agree on an
HMAC key which much be securely distributed to all at every boot, so
asking them to agree on an auth token format is perfectly
acceptable. But now the Android system doesn't have to care about the
format.
Bug: 32962548
Test: CTS tests pass, plus manual testing.
Change-Id: I2ab4b4fbea1425fc08aa754fc10f8e386899af25
/system/security/keystore/operation.cpp
|
| c7a9fa29c185a8c1889486d4acf00fd59c513870 |
|
13-Oct-2016 |
Janis Danisevskis <jdanis@google.com> |
Port to binderized keymaster HAL
This patch ports keystore to the HIDL based binderized keymaster HAL.
Keystore has no more dependencies on legacy keymaster headers, and
therefore data structures, constant declarations, or enums. All
keymaster related data structures and enums used by keystore are the
once defined by the HIDL based keymaster HAL definition. In the process
of porting, keystore underwent some changes:
* Keystore got a new implementation of AuthorizationSet that is fully
based on the new HIDL data structures. Key parameters are now either
organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly,
this was a mixture of keymaster's AuthorizationSet,
std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The
former is used for memory management and provides algorithms for
assembling, joining, and subtracting sets of parameters. The latter
is used as wire format for the HAL IPC; it can wrap the memory owned
by an AuthorizationSet for this purpose. The AuthorizationSet is
accompanied by a new implementation of type safe functions for
creating and accessing tagged key parameters,
Authorizations (keystore/keymaster_tags.h).
* A new type (KSSReturnCode) was introduced that wraps keystore service
response codes. Keystore has two sets of error codes. ErrorCode
errors are less than 0 and use 0 as success value. ResponseCode
errors are greater than zero and use 1 as success value. This patch
changes ResponseCode to be an enum class so that is no longer
assignable to int without a cast. The new return type can only be
initialized by ResponseCode or ErrorCode and when accessed as int32_t,
which happens on serialization when the response is send to a client,
the success values are coalesced onto 1 as expected by the
clients. KSSreturnCode is also comparable to ResponseCode and
ErrorCode, and the predicate isOk() returns true if it was initialized
with either ErrorCode::OK (0) or ReponseCode::NO_ERROR (1).
* A bug was fixed, that caused the keystore verify function to return
success, regardless of the input, internal errors, or lack of
permissions.
* The marshalling code in IKeystoreService.cpp was rewritten. For data
structures that are known to keymaster, the client facing side of
keystore uses HIDL based data structures as (target) source
for (un)marshaling to avoid further conversion. hidl_vecs are used to
wrap parcel memory without copying and taking ownership where
possible.
* Explicit use of malloc is reduced (malloc was required by the C nature
of the old HAL). The new implementations avoid explicit use of
malloc/new and waive the use of pointers for return values. Instead,
functions return by value objects that take ownership of secondary
memory allocations where required.
Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts
Bug: 32020919
Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
/system/security/keystore/operation.cpp
|
| 24b2a39dedc44d0fe2e4ea85f487a235f058685a |
|
28-Jul-2016 |
Chih-Hung Hsieh <chh@google.com> |
Fix clang-tidy performance warnings in system/security.
* Use const reference type for parameters, local variables,
and for-loop index variables to avoid unnecessary copy.
Bug: 30407689
Bug: 30413223
Bug: 30413862
Change-Id: I3b9383f34e466ca6b5290bad802d535443fd0187
Test: build with WITH_TIDY=1
/system/security/keystore/operation.cpp
|
| 715d023c9294cf4860f73c8d83e82c5aa699add6 |
|
21-Jan-2016 |
Shawn Willden <swillden@google.com> |
Update Keystore to use keymaster2 HAL.
This CL doesn't wire in any of the new keymaster2 features, it just uses
the keymaster2 HAL rather than the keymaster1 HAL. This means that if
keymaster1 hardware is found, it is unconditionally wrapped in
SoftKeymasterDevice, so keymaster2 functionality can (eventually) be
provided.
Change-Id: Ica2cb0751e4e0a82c56c36b03f94da54ef62d9a3
/system/security/keystore/operation.cpp
|
| e5c18d038ae1f696f278940f0eb2ec0a5436a75b |
|
14-Aug-2015 |
Dan Albert <danalbert@google.com> |
Fix pessimizing move.
Using std::move here prevents the compiler from performing copy
elision.
Change-Id: I21ad9dfec4fe36dd935403c9fd0af5e20e131036
(cherry picked from commit 17ee05c5842d8730f4a0b81b14638ce6ac2287ac)
/system/security/keystore/operation.cpp
|
| 700c1a35c52798831b8a8d76a042c4650c6d793f |
|
24-Jun-2015 |
Alex Klyubin <klyubin@google.com> |
Abort operation pruning only if it fails to make space.
keystore service's begin operation may sometimes encounter a situation
where the underlying device's begin operation fails because of too
many operations in progress. In that case, keystore attempts to prune
the oldest pruneable operation by invoking the underlying device's
abort operation. Regardless of whether the abort operation fails,
keystore then removes the operation from the list of in-progress
prunable operations.
The issue is that when the underlying device's abort operation fails,
keystore fails the begin operation that caused all this prunining.
This is despite the fact that keystore has managed to make space for
one more operation.
The fix is to fail the begin operation only if the pruning attempt
did not make space for a a new operation.
Bug: 22040842
Change-Id: Id98b2c6690de3cfb2a7b1d3bdd10742cc59ecbfa
/system/security/keystore/operation.cpp
|
| 9221bff2f13451ef330135bb32ea96de2a8b09cc |
|
19-Jun-2015 |
Shawn Willden <swillden@google.com> |
Add keymaster authorization policy enforcement to keystore.
Bug: 19511945
Change-Id: I76c04e8d3253ba490cedac53bbc75943ec68df1d
/system/security/keystore/operation.cpp
|
| b2ffa420da26414379b31807eec76ec8c9f3b0a9 |
|
17-Jun-2015 |
Shawn Willden <swillden@google.com> |
Don't check authorizations for pubkey operations.
Bug: 21877150
Change-Id: I43dafb66fc3246f4d8e3bf4743fbdcbe072468d1
/system/security/keystore/operation.cpp
|
| 999f1b05261837d6571fa4effa357a9af1d8d01a |
|
02-Jun-2015 |
Chad Brubaker <cbrubaker@google.com> |
Fix potential use-after-free in hw auth token handling.
The operation map caches the hw_auth_token used to start the operation
but it was storing the pointer returned by the auth token table and not
the token itself leading to a potential use-after-free if the token was
removed from the table between the operation starting and completeting.
The operation table now stores the auth token itself instead of the
pointer provided by the auth table.
Change-Id: I80fd49655ed98e7879d2caa7f1ae077ff50e0e54
/system/security/keystore/operation.cpp
|
| 0cf34a249c008743cf2e2371743a89f86aa4b03c |
|
23-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Move auth token checking to begin
Auth tokens will now be checked on begin and then used for all
subsequent calls for that operation, this means that things like
auth timeouts will only be checked on begin, and operation that starts
at timeout - .00001 will now be able to be used to completion.
One exception to this is keys that use per operation authorization.
Begin for these operations must succeed so that the application gets a
handle to authorize. For those keys if the application calls update
before authorizing the operation the call will fail. For these keys
begin will return OP_AUTH_NEEDED so let the caller know more work is
needed before using the operation.
(cherry picked from commit aebbfc2ba548064e4f537154bab6ec60dfe4115e)
Change-Id: I3da4f93a076c0ed2d8630ca8cd1608e9bad2c2ff
/system/security/keystore/operation.cpp
|
| ad6514ab7a57504aa3b04bcc383f60940b923710 |
|
09-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Store the key characteristics for operations
Instead of storing the key blob and parsing the characteristics out,
which some implementations might not support, instead call get
characteristics on begin and store that result for subsequent auth
calls.
Change-Id: I75e39ee28cc440e4ed411b2daaa2744085e1aa12
/system/security/keystore/operation.cpp
|
| 06801e0a7ccabbe8f22cff29b7edb7c7d02d7692 |
|
01-Apr-2015 |
Chad Brubaker <cbrubaker@google.com> |
Add auth token fetching
Auth tokens are now fetched from the table in begin update and finish if
needed. Begin will not fail on a missing/expired auth token since some
authorization requires a valid operation handle.
This doesn't yet do any enforcement of the token beyond what the auth
token table does, that should happen in the keymaster auth code when it
is done.
This also includes the key in the operation map since authorization
works based off that and not the handle.
Change-Id: I62a395b74a925b819f4cde75ae3bfab8b8928cd1
/system/security/keystore/operation.cpp
|
| 40a1a9b306d4e3c85b24f80ff39841507cf42357 |
|
20-Feb-2015 |
Chad Brubaker <cbrubaker@google.com> |
Implement keymaster 1.0 crypto operations
Change-Id: I365ea9082e14bccb83018e8ea67a10408362c550
/system/security/keystore/operation.cpp
|