e653c93db15400048605b49d74a21ec2c139afec |
|
29-Mar-2017 |
Roshan Pius <rpius@google.com> |
keystore: Run Wifi keystore HAL in keystore daemon The wifi keystore hal will run in the context of the main keystore daemon. Also, use the new IKeystore::tryGetService() for retrieving the HAL service. Bug: 34603782 Test: Able to connect to wifi passpoint networks. Change-Id: I1436ea83166e5ad17372d98b0fd699c0dd732a11
/system/security/keystore/keystore_main.cpp
|
b8550a0929286bd8b91135c2beea1f61c01a441f |
|
23-Feb-2017 |
Shawn Willden <swillden@google.com> |
Add digest support and implementation name to getHardwareFeatures Test: Manual Change-Id: Iee20528e8d4f3931164aa988e11bfe71be4f56dc
/system/security/keystore/keystore_main.cpp
|
9b3791caa8a5b5e93b8af5b0385470a16552f2b6 |
|
26-Jan-2017 |
Chris Phoenix <cphoenix@google.com> |
keymaster HAL uses "default" service name The getService() and registerAsService() methods of interface objects now have default parameters of "default" for the service name. HALs will not have to use any service name unless they want to register more than one service. Test: marlin boots Bug: 33844934 Change-Id: I8ba24cd078dc5d36ecf02ddc0febc745b98d5a95
/system/security/keystore/keystore_main.cpp
|
e8ba1802a649ada4cea78af133ab4fb549eb57f5 |
|
30-Jan-2017 |
Janis Danisevskis <jdanis@google.com> |
Phase out keymaster fallback support Keystore uses two different keymaster devices. One device is provided by the OEM providing hardware/trust zone backed functionality. The other is a pure software implementation of keymaster. The latter was used when a "hardware" implementation failed generating or importing keys with certain parameters. This tolerance of misbehaving "hardware" implementations had the effect that this behavior has gone unnoticed for too long. Therefore, we are phasing out the fallback device. This patch ensures that on devices with hardware implementations supporting keymaster 2.0 and higher there will be no fallback device papering over failures in the underlying keymaster implementation. Test: given a faulty KM2.0 implementation, import and generation of keys with otherwise supported parameters returns an error Change-Id: I8c2118e72558c326031368df13e836c3ef6b1da1
/system/security/keystore/keystore_main.cpp
|
c7a9fa29c185a8c1889486d4acf00fd59c513870 |
|
13-Oct-2016 |
Janis Danisevskis <jdanis@google.com> |
Port to binderized keymaster HAL This patch ports keystore to the HIDL based binderized keymaster HAL. Keystore has no more dependencies on legacy keymaster headers, and therefore data structures, constant declarations, or enums. All keymaster related data structures and enums used by keystore are the ones defined by the HIDL based keymaster HAL definition. In the process of porting, keystore underwent some changes:
* Keystore got a new implementation of AuthorizationSet that is fully based on the new HIDL data structures. Key parameters are now either organised as AuthorizationSets or hidl_vec<KeyParameter>. (Formerly, this was a mixture of keymaster's AuthorizationSet, std::vec<keymaster_key_param_t>, and keymaster_key_param_set_t.) The former is used for memory management and provides algorithms for assembling, joining, and subtracting sets of parameters. The latter is used as wire format for the HAL IPC; it can wrap the memory owned by an AuthorizationSet for this purpose. The AuthorizationSet is accompanied by a new implementation of type safe functions for creating and accessing tagged key parameters, Authorizations (keystore/keymaster_tags.h).
* A new type (KSSReturnCode) was introduced that wraps keystore service response codes. Keystore has two sets of error codes. ErrorCode errors are less than 0 and use 0 as success value. ResponseCode errors are greater than zero and use 1 as success value. This patch changes ResponseCode to be an enum class so that it is no longer assignable to int without a cast. The new return type can only be initialized by ResponseCode or ErrorCode and when accessed as int32_t, which happens on serialization when the response is sent to a client, the success values are coalesced onto 1 as expected by the clients. KSSReturnCode is also comparable to ResponseCode and ErrorCode, and the predicate isOk() returns true if it was initialized with either ErrorCode::OK (0) or ResponseCode::NO_ERROR (1).
* A bug was fixed that caused the keystore verify function to return success, regardless of the input, internal errors, or lack of permissions.
* The marshalling code in IKeystoreService.cpp was rewritten. For data structures that are known to keymaster, the client facing side of keystore uses HIDL based data structures as (target) source for (un)marshaling to avoid further conversion. hidl_vecs are used to wrap parcel memory without copying and taking ownership where possible.
* Explicit use of malloc is reduced (malloc was required by the C nature of the old HAL). The new implementations avoid explicit use of malloc/new and waive the use of pointers for return values. Instead, functions return by value objects that take ownership of secondary memory allocations where required.
Test: runtest --path=cts/tests/tests/keystore/src/android/keystore/cts Bug: 32020919 Change-Id: I59d3a0f4a6bdf6bb3bbf791ad8827c463effa286
/system/security/keystore/keystore_main.cpp
|
814a6e725cd89ad6bf27a9951d25025dc9ace9a8 |
|
15-Mar-2016 |
Shawn Willden <swillden@google.com> |
Configure keymaster with OS version info. Change-Id: Ia09591dbea04ff5d45370b47341efa5bf34604ce
/system/security/keystore/keystore_main.cpp
|
715d023c9294cf4860f73c8d83e82c5aa699add6 |
|
21-Jan-2016 |
Shawn Willden <swillden@google.com> |
Update Keystore to use keymaster2 HAL. This CL doesn't wire in any of the new keymaster2 features, it just uses the keymaster2 HAL rather than the keymaster1 HAL. This means that if keymaster1 hardware is found, it is unconditionally wrapped in SoftKeymasterDevice, so keymaster2 functionality can (eventually) be provided. Change-Id: Ica2cb0751e4e0a82c56c36b03f94da54ef62d9a3
/system/security/keystore/keystore_main.cpp
|
6507c27ab7ea34dd150d7ef9fda41878ed32547c |
|
06-Jan-2016 |
Shawn Willden <swillden@google.com> |
Refactor keystore. This CL isn't nearly as big as it looks. It doesn't change keystore functionality, it just moves all of the classes out of the former keystore.cpp into their own .h and .cpp files. Change-Id: I29a1ce21bff574be56128b32fc417e5a3d3c55fb
/system/security/keystore/keystore_main.cpp
|