1 /*
2  * Copyright (C) 2023 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #include <aidl/android/hardware/gatekeeper/IGatekeeper.h>
18 #include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
19 #include <android/service/gatekeeper/BnGateKeeperService.h>
20 #include <gatekeeper/GateKeeperResponse.h>
21 
22 using ::android::hardware::gatekeeper::V1_0::IGatekeeper;
23 using AidlIGatekeeper = ::aidl::android::hardware::gatekeeper::IGatekeeper;
24 using ::android::binder::Status;
25 using ::android::service::gatekeeper::BnGateKeeperService;
26 using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
27 
28 namespace android {
29 
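// Binder-facing gatekeeper service object. It implements the BnGateKeeperService
// interface and holds handles to both an AIDL and a HIDL gatekeeper HAL.
//
// Only declarations are visible in this header; notes about behaviour that the
// declarations do not establish are marked NOTE(review) and should be confirmed
// against the implementation file.
class GateKeeperProxy : public BnGateKeeperService {
  public:
    GateKeeperProxy();

    virtual ~GateKeeperProxy() {}

    // Helpers for the per-user secure user id (SID) state.
    // NOTE(review): these take the user id as uint32_t while the binder entry
    // points below receive int32_t, so a negative id from a caller wraps to a
    // large unsigned value on conversion. Confirm the implementation validates
    // userId before it reaches these helpers.
    void store_sid(uint32_t userId, uint64_t sid);

    void clear_state_if_needed();

    bool mark_cold_boot();

    void maybe_store_sid(uint32_t userId, uint64_t sid);

    uint64_t read_sid(uint32_t userId);

    void clear_sid(uint32_t userId);

    // This should only be called on userIds being passed to the GateKeeper HAL. It ensures that
    // secure storage shared across a GSI image and a host image will not overlap.
    // The adjusted id is returned through hw_userId; the Status return reports failure.
    Status adjust_userId(uint32_t userId, uint32_t* hw_userId);

// Failure shorthand for the binder methods below: `return GK_ERROR;` stores
// GKResponse::error() in *gkResponse and, through the comma operator, returns
// Status::ok(). The failure is therefore carried only by the response object:
// a Status of ok does NOT mean the credential was accepted, and callers must
// inspect the GKResponse. The expansion dereferences a local named gkResponse
// without a null check, so it may only be used where that pointer is valid.
// NOTE(review): the macro is defined in a header and is not #undef'd below, so
// it is visible to every translation unit that includes this file.
#define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()

    // Binder entry points. The password and handle arguments carry credential
    // material; gkResponse is the out-parameter that receives the result.
    // NOTE(review): confirm the implementation never logs these buffers.
    Status enroll(int32_t userId, const std::optional<std::vector<uint8_t>>& currentPasswordHandle,
                  const std::optional<std::vector<uint8_t>>& currentPassword,
                  const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override;

    Status verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle,
                  const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override;

    Status verifyChallenge(int32_t userId, int64_t challenge,
                           const std::vector<uint8_t>& enrolledPasswordHandle,
                           const std::vector<uint8_t>& providedPassword,
                           GKResponse* gkResponse) override;

    // The SID is returned through the sid out-parameter.
    Status getSecureUserId(int32_t userId, int64_t* sid) override;

    Status clearSecureUserId(int32_t userId) override;

    Status reportDeviceSetupComplete() override;

    // NOTE(review): presumably writes diagnostics to fd; confirm the output
    // contains no password handles or SIDs.
    status_t dump(int fd, const Vector<String16>&) override;

  private:
    // AIDL gatekeeper service.
    std::shared_ptr<AidlIGatekeeper> aidl_hw_device;
    // HIDL gatekeeper service.
    sp<IGatekeeper> hw_device;

    // Default member initializers give both flags a defined value even if a
    // constructor path does not assign them; reading an indeterminate bool is
    // undefined behaviour. Any assignment in the constructor still takes effect.
    bool clear_state_if_needed_done = false;
    bool is_running_gsi = false;
};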
83 }  // namespace android
84