1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #ifndef CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
17 #define CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
18
19 #include "android/hardware/automotive/vehicle/2.0/types.h"
20
21 #include <utils/StrongPointer.h>
22
23 #include <IVhalClient.h>
24
25 #include <cstdint>
26 #include <vector>
27
28 namespace android {
29 namespace automotive {
30 namespace security {
31
32 constexpr size_t SEED_BYTE_SIZE = 16;
33
34 // Possible results of attempting to set the vehicle binding seed.
35 enum class BindingStatus {
36 OK,
37 NOT_SUPPORTED,
38 ERROR,
39 WAIT_VHAL_TIMEOUT,
40 };
41
42 template <typename EnumT>
toInt(const EnumT value)43 constexpr auto toInt(const EnumT value) {
44 return static_cast<typename std::underlying_type<EnumT>::type>(value);
45 }
46
47 // Interface for getting cryptographically secure random byte strings
48 class Csrng {
49 public:
50 virtual ~Csrng() = default;
51
52 // Fill the given buffer with random bytes. Returns false if there is
53 // an unrecoverable error getting bits.
54 virtual bool fill(void* buffer, size_t size) const = 0;
55 };
56
57 // Csrng that relies on `/dev/urandom` to supply bits. We have to rely on
58 // urandom so that we don't block boot-up. Devices that wish to supply very
59 // high-quality random bits at boot should seed the linux PRNG at boot with
60 // entropy.
61 class DefaultCsrng : public Csrng {
62 public:
63 bool fill(void* buffer, size_t size) const override;
64 };
65
66 // Interface for forking and executing a child process.
67 class Executor {
68 public:
69 virtual ~Executor() = default;
70
71 // Run the given command line and its arguments. Returns 0 on success, -1
72 // if an internal error occurred, and -ECHILD if the child process did not
73 // exit properly.
74 //
75 // On exit, `exit_code` is set to the child's exit status.
76 virtual int run(const std::vector<std::string>& cmd_args, int* exit_code) const = 0;
77 };
78
79 // Default Executor which forks, execs, and logs output from the child process.
80 class DefaultExecutor : public Executor {
81 int run(const std::vector<std::string>& cmd_args, int* exit_code) const override;
82 };
83
84 // Set the seed in vold that is used to bind the encryption keys to the vehicle.
85 // This is used to guard against headunit removal and subsequent scraping of
86 // the filesystem for sensitive data (e.g. PII).
87 //
88 // The seed is read from the VHAL property STORAGE_ENCRYPTION_BINDING_SEED. If
89 // the property has not yet been set, a random byte value is generated and
90 // saved in the VHAL for reuse on future boots.
91 BindingStatus setVehicleBindingSeed(
92 std::shared_ptr<android::frameworks::automotive::vhal::IVhalClient> vehicle,
93 const Executor& executor, const Csrng& csrng);
94
95 } // namespace security
96 } // namespace automotive
97 } // namespace android
98
99 #endif // CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
100