1 // Copyright 2020, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! This is the implementation for the remote provisioning AIDL interface between
16 //! the network providers for remote provisioning and the system. This interface
17 //! allows the caller to prompt the Remote Provisioning HAL to generate keys and
18 //! CBOR blobs that can be ferried to a provisioning server that will return
19 //! certificate chains signed by some root authority and stored in a keystore SQLite
20 //! DB.
21
22 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
23 Algorithm::Algorithm, AttestationKey::AttestationKey, KeyParameter::KeyParameter,
24 KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel, Tag::Tag,
25 };
26 use android_security_rkp_aidl::aidl::android::security::rkp::RemotelyProvisionedKey::RemotelyProvisionedKey;
27 use android_system_keystore2::aidl::android::system::keystore2::{
28 Domain::Domain, KeyDescriptor::KeyDescriptor,
29 };
30 use anyhow::{Context, Result};
31 use keystore2_crypto::parse_subject_from_certificate;
32
33 use crate::error::wrapped_rkpd_error_to_ks_error;
34 use crate::globals::get_remotely_provisioned_component_name;
35 use crate::ks_err;
36 use crate::metrics_store::log_rkp_error_stats;
37 use crate::watchdog_helper::watchdog as wd;
38 use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
39
40 /// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
41 /// to assign and retrieve attestation keys and certificate chains.
42 #[derive(Default)]
43 pub struct RemProvState {
44 security_level: SecurityLevel,
45 }
46
47 impl RemProvState {
48 /// Creates a RemProvState struct.
new(security_level: SecurityLevel) -> Self49 pub fn new(security_level: SecurityLevel) -> Self {
50 Self { security_level }
51 }
52
is_rkp_only(&self) -> bool53 fn is_rkp_only(&self) -> bool {
54 let default_value = false;
55
56 let property_name = match self.security_level {
57 SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
58 SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
59 _ => return default_value,
60 };
61
62 rustutils::system_properties::read_bool(property_name, default_value)
63 .unwrap_or(default_value)
64 }
65
is_asymmetric_key(&self, params: &[KeyParameter]) -> bool66 fn is_asymmetric_key(&self, params: &[KeyParameter]) -> bool {
67 params.iter().any(|kp| {
68 matches!(
69 kp,
70 KeyParameter {
71 tag: Tag::ALGORITHM,
72 value: KeyParameterValue::Algorithm(Algorithm::RSA)
73 } | KeyParameter {
74 tag: Tag::ALGORITHM,
75 value: KeyParameterValue::Algorithm(Algorithm::EC)
76 }
77 )
78 })
79 }
80
81 /// Fetches attestation key and corresponding certificates from RKPD.
get_rkpd_attestation_key_and_certs( &self, key: &KeyDescriptor, caller_uid: u32, params: &[KeyParameter], ) -> Result<Option<(AttestationKey, Vec<u8>)>>82 pub fn get_rkpd_attestation_key_and_certs(
83 &self,
84 key: &KeyDescriptor,
85 caller_uid: u32,
86 params: &[KeyParameter],
87 ) -> Result<Option<(AttestationKey, Vec<u8>)>> {
88 if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
89 Ok(None)
90 } else {
91 match get_rkpd_attestation_key(&self.security_level, caller_uid) {
92 Err(e) => {
93 if self.is_rkp_only() {
94 log::error!("Error occurred: {:?}", e);
95 return Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"));
96 }
97 log::warn!("Error occurred: {:?}", e);
98 log_rkp_error_stats(
99 MetricsRkpError::FALL_BACK_DURING_HYBRID,
100 &self.security_level,
101 );
102 Ok(None)
103 }
104 Ok(rkpd_key) => Ok(Some((
105 AttestationKey {
106 keyBlob: rkpd_key.keyBlob,
107 attestKeyParams: vec![],
108 // Batch certificate is at the beginning of the concatenated certificate
109 // chain, and the helper function only looks at the first cert.
110 issuerSubjectName: parse_subject_from_certificate(
111 &rkpd_key.encodedCertChain,
112 )
113 .context(ks_err!("Failed to parse subject."))?,
114 },
115 rkpd_key.encodedCertChain,
116 ))),
117 }
118 }
119 }
120 }
121
get_rkpd_attestation_key( security_level: &SecurityLevel, caller_uid: u32, ) -> Result<RemotelyProvisionedKey>122 fn get_rkpd_attestation_key(
123 security_level: &SecurityLevel,
124 caller_uid: u32,
125 ) -> Result<RemotelyProvisionedKey> {
126 // Depending on the Android release, RKP may not have been mandatory for the
127 // TEE or StrongBox KM instances. In such cases, lookup failure for the IRPC
128 // HAL service is WAI and should not cause a failure. The error should be caught
129 // by the calling function and allow for natural fallback to the factory key.
130 let rpc_name = get_remotely_provisioned_component_name(security_level)
131 .context(ks_err!("Trying to get IRPC name."))?;
132 let _wd = wd::watch("Calling get_rkpd_attestation_key()");
133 rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
134 }
135