1 /* 2 * Copyright (C) 2021 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 package android.service.resumeonreboot; 18 19 import android.annotation.DurationMillisLong; 20 import android.annotation.NonNull; 21 import android.annotation.Nullable; 22 import android.annotation.SdkConstant; 23 import android.annotation.SystemApi; 24 import android.app.Service; 25 import android.content.Intent; 26 import android.os.Bundle; 27 import android.os.Handler; 28 import android.os.IBinder; 29 import android.os.ParcelableException; 30 import android.os.RemoteCallback; 31 import android.os.RemoteException; 32 33 import com.android.internal.os.BackgroundThread; 34 35 import java.io.IOException; 36 37 /** 38 * Base class for service that provides wrapping/unwrapping of the opaque blob needed for 39 * ResumeOnReboot operation. The package needs to provide a wrap/unwrap implementation for handling 40 * the opaque blob, that's secure even when on device keystore and clock is compromised. This can 41 * be achieved by using tamper-resistant hardware such as a secure element with a secure clock, or 42 * using a remote server to store and retrieve data and manage timing. 43 * 44 * <p>To extend this class, you must declare the service in your manifest file with the 45 * {@link android.Manifest.permission#BIND_RESUME_ON_REBOOT_SERVICE} permission, 46 * include an intent filter with the {@link #SERVICE_INTERFACE} action and mark the service as 47 * direct-boot aware. In addition, the package that contains the service must be granted 48 * {@link android.Manifest.permission#BIND_RESUME_ON_REBOOT_SERVICE}. 49 * For example:</p> 50 * <pre> 51 * <service android:name=".FooResumeOnRebootService" 52 * android:exported="true" 53 * android:priority="100" 54 * android:directBootAware="true" 55 * android:permission="android.permission.BIND_RESUME_ON_REBOOT_SERVICE"> 56 * <intent-filter> 57 * <action android:name="android.service.resumeonreboot.ResumeOnRebootService" /> 58 * </intent-filter> 59 * </service> 60 * </pre> 61 * 62 * @hide 63 * @see 64 * <a href="https://source.android.com/devices/tech/ota/resume-on-reboot">https://source.android.com/devices/tech/ota/resume-on-reboot</a> 65 */ 66 @SystemApi 67 public abstract class ResumeOnRebootService extends Service { 68 69 /** 70 * The intent that the service must respond to. Add it to the intent filter of the service. 71 */ 72 @SdkConstant(SdkConstant.SdkConstantType.SERVICE_ACTION) 73 public static final String SERVICE_INTERFACE = 74 "android.service.resumeonreboot.ResumeOnRebootService"; 75 /** @hide */ 76 public static final String UNWRAPPED_BLOB_KEY = "unrwapped_blob_key"; 77 /** @hide */ 78 public static final String WRAPPED_BLOB_KEY = "wrapped_blob_key"; 79 /** @hide */ 80 public static final String EXCEPTION_KEY = "exception_key"; 81 82 private final Handler mHandler = BackgroundThread.getHandler(); 83 84 /** 85 * Implementation for wrapping the opaque blob used for resume-on-reboot prior to 86 * reboot. The service should not assume any structure of the blob to be wrapped. The 87 * implementation should wrap the opaque blob in a reasonable time or throw {@link IOException} 88 * if it's unable to complete the action due to retry-able errors (e.g network errors) 89 * and {@link IllegalArgumentException} if {@code wrapBlob} fails due to fatal errors 90 * (e.g corrupted blob). 91 * 92 * @param blob The opaque blob with size on the order of 100 bytes. 93 * @param lifeTimeInMillis The life time of the blob. This must be strictly enforced by the 94 * implementation and any attempt to unWrap the wrapped blob returned by 95 * this function after expiration should 96 * fail. 97 * @return Wrapped blob to be persisted across reboot with size on the order of 100 bytes. 98 * @throws IOException if the implementation is unable to wrap the blob successfully due to 99 * retry-able errors. 100 */ 101 @NonNull onWrap(@onNull byte[] blob, @DurationMillisLong long lifeTimeInMillis)102 public abstract byte[] onWrap(@NonNull byte[] blob, @DurationMillisLong long lifeTimeInMillis) 103 throws IOException; 104 105 /** 106 * Implementation for unwrapping the wrapped blob used for resume-on-reboot after reboot. This 107 * operation would happen after reboot during direct boot mode (i.e before device is unlocked 108 * for the first time). The implementation should unwrap the wrapped blob in a reasonable time 109 * and returns the result or throw {@link IOException} if it's unable to complete the action 110 * due to retry-able errors (e.g network error) and {@link IllegalArgumentException} 111 * if {@code unwrapBlob} fails due to fatal errors (e.g stale or corrupted blob). 112 * 113 * @param wrappedBlob The wrapped blob with size on the order of 100 bytes. 114 * @return Unwrapped blob used for resume-on-reboot with the size on the order of 100 bytes. 115 * @throws IOException if the implementation is unable to unwrap the wrapped blob successfully 116 * due to retry-able errors. 117 */ 118 @NonNull onUnwrap(@onNull byte[] wrappedBlob)119 public abstract byte[] onUnwrap(@NonNull byte[] wrappedBlob) throws IOException; 120 121 private final android.service.resumeonreboot.IResumeOnRebootService mInterface = 122 new android.service.resumeonreboot.IResumeOnRebootService.Stub() { 123 124 @Override 125 public void wrapSecret(byte[] unwrappedBlob, 126 @DurationMillisLong long lifeTimeInMillis, 127 RemoteCallback resultCallback) throws RemoteException { 128 mHandler.post(() -> { 129 try { 130 byte[] wrappedBlob = onWrap(unwrappedBlob, 131 lifeTimeInMillis); 132 Bundle bundle = new Bundle(); 133 bundle.putByteArray(WRAPPED_BLOB_KEY, wrappedBlob); 134 resultCallback.sendResult(bundle); 135 } catch (Throwable e) { 136 Bundle bundle = new Bundle(); 137 bundle.putParcelable(EXCEPTION_KEY, new ParcelableException(e)); 138 resultCallback.sendResult(bundle); 139 } 140 }); 141 } 142 143 @Override 144 public void unwrap(byte[] wrappedBlob, RemoteCallback resultCallback) 145 throws RemoteException { 146 mHandler.post(() -> { 147 try { 148 byte[] unwrappedBlob = onUnwrap(wrappedBlob); 149 Bundle bundle = new Bundle(); 150 bundle.putByteArray(UNWRAPPED_BLOB_KEY, unwrappedBlob); 151 resultCallback.sendResult(bundle); 152 } catch (Throwable e) { 153 Bundle bundle = new Bundle(); 154 bundle.putParcelable(EXCEPTION_KEY, new ParcelableException(e)); 155 resultCallback.sendResult(bundle); 156 } 157 }); 158 } 159 }; 160 161 @Nullable 162 @Override onBind(@ullable Intent intent)163 public IBinder onBind(@Nullable Intent intent) { 164 return mInterface.asBinder(); 165 } 166 } 167