1 /*
2  * Copyright (C) 2015 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #define LOG_TAG "TrustyGateKeeper"
18 
19 #include <endian.h>
20 #include <limits>
21 
22 #include <android-base/logging.h>
23 #include <gatekeeper/password_handle.h>
24 #include <hardware/hw_auth_token.h>
25 
26 #include "gatekeeper_ipc.h"
27 #include "trusty_gatekeeper.h"
28 #include "trusty_gatekeeper_ipc.h"
29 
30 namespace aidl::android::hardware::gatekeeper {
31 
32 using ::gatekeeper::ERROR_INVALID;
33 using ::gatekeeper::ERROR_NONE;
34 using ::gatekeeper::ERROR_RETRY;
35 using ::gatekeeper::SizedBuffer;
36 using ::gatekeeper::VerifyRequest;
37 using ::gatekeeper::VerifyResponse;
38 
39 constexpr const uint32_t SEND_BUF_SIZE = 8192;
40 constexpr const uint32_t RECV_BUF_SIZE = 8192;
41 
TrustyGateKeeperDevice()42 TrustyGateKeeperDevice::TrustyGateKeeperDevice() {
43     int rc = trusty_gatekeeper_connect();
44     if (rc < 0) {
45         LOG(ERROR) << "Error initializing trusty session: " << rc;
46     }
47 
48     error_ = rc;
49 }
50 
~TrustyGateKeeperDevice()51 TrustyGateKeeperDevice::~TrustyGateKeeperDevice() {
52     trusty_gatekeeper_disconnect();
53 }
54 
vec2sized_buffer(const std::vector<uint8_t> & vec)55 SizedBuffer vec2sized_buffer(const std::vector<uint8_t>& vec) {
56     if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
57     auto buffer = new uint8_t[vec.size()];
58     std::copy(vec.begin(), vec.end(), buffer);
59     return {buffer, static_cast<uint32_t>(vec.size())};
60 }
61 
sizedBuffer2AidlHWToken(SizedBuffer & buffer,android::hardware::security::keymint::HardwareAuthToken * aidlToken)62 void sizedBuffer2AidlHWToken(SizedBuffer& buffer,
63                              android::hardware::security::keymint::HardwareAuthToken* aidlToken) {
64     const hw_auth_token_t* authToken =
65             reinterpret_cast<const hw_auth_token_t*>(buffer.Data<uint8_t>());
66     aidlToken->challenge = authToken->challenge;
67     aidlToken->userId = authToken->user_id;
68     aidlToken->authenticatorId = authToken->authenticator_id;
69     // these are in network order: translate to host
70     aidlToken->authenticatorType =
71             static_cast<android::hardware::security::keymint::HardwareAuthenticatorType>(
72                     be32toh(authToken->authenticator_type));
73     aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp);
74     aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac),
75                           std::end(authToken->hmac));
76 }
77 
enroll(int32_t uid,const std::vector<uint8_t> & currentPasswordHandle,const std::vector<uint8_t> & currentPassword,const std::vector<uint8_t> & desiredPassword,GatekeeperEnrollResponse * rsp)78 ::ndk::ScopedAStatus TrustyGateKeeperDevice::enroll(
79         int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,
80         const std::vector<uint8_t>& currentPassword, const std::vector<uint8_t>& desiredPassword,
81         GatekeeperEnrollResponse* rsp) {
82     if (error_ != 0) {
83         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
84     }
85 
86     if (desiredPassword.size() == 0) {
87         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
88     }
89 
90     EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle),
91                           vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword));
92     EnrollResponse response;
93     auto error = Send(request, &response);
94     if (error != ERROR_NONE) {
95         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
96     } else if (response.error == ERROR_RETRY) {
97         *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), 0, {}};
98         return ndk::ScopedAStatus::ok();
99     } else if (response.error != ERROR_NONE) {
100         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
101     } else {
102         const ::gatekeeper::password_handle_t* password_handle =
103                 response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();
104         *rsp = {STATUS_OK,
105                 0,
106                 static_cast<int64_t>(password_handle->user_id),
107                 {response.enrolled_password_handle.Data<uint8_t>(),
108                  (response.enrolled_password_handle.Data<uint8_t>() +
109                   response.enrolled_password_handle.size())}};
110     }
111     return ndk::ScopedAStatus::ok();
112 }
113 
verify(int32_t uid,int64_t challenge,const std::vector<uint8_t> & enrolledPasswordHandle,const std::vector<uint8_t> & providedPassword,GatekeeperVerifyResponse * rsp)114 ::ndk::ScopedAStatus TrustyGateKeeperDevice::verify(
115         int32_t uid, int64_t challenge, const std::vector<uint8_t>& enrolledPasswordHandle,
116         const std::vector<uint8_t>& providedPassword, GatekeeperVerifyResponse* rsp) {
117     if (error_ != 0) {
118         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
119     }
120 
121     if (enrolledPasswordHandle.size() == 0) {
122         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
123     }
124 
125     VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle),
126                           vec2sized_buffer(providedPassword));
127     VerifyResponse response;
128 
129     auto error = Send(request, &response);
130     if (error != ERROR_NONE) {
131         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
132     } else if (response.error == ERROR_RETRY) {
133         *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), {}};
134         return ndk::ScopedAStatus::ok();
135     } else if (response.error != ERROR_NONE) {
136         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
137     } else {
138         // On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and
139         // valid HardwareAuthToken.
140         *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};
141         // Convert the hw_auth_token_t to HardwareAuthToken in the response.
142         sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);
143     }
144     return ndk::ScopedAStatus::ok();
145 }
146 
deleteUser(int32_t uid)147 ::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteUser(int32_t uid) {
148     if (error_ != 0) {
149         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
150     }
151 
152     DeleteUserRequest request(uid);
153     DeleteUserResponse response;
154     auto error = Send(request, &response);
155 
156     if (error != ERROR_NONE) {
157         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
158     } else if (response.error == ERROR_NOT_IMPLEMENTED) {
159         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
160     } else if (response.error != ERROR_NONE) {
161         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
162     } else {
163         return ndk::ScopedAStatus::ok();
164     }
165 }
166 
deleteAllUsers()167 ::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteAllUsers() {
168     if (error_ != 0) {
169         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
170     }
171 
172     DeleteAllUsersRequest request;
173     DeleteAllUsersResponse response;
174     auto error = Send(request, &response);
175 
176     if (error != ERROR_NONE) {
177         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
178     } else if (response.error == ERROR_NOT_IMPLEMENTED) {
179         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));
180     } else if (response.error != ERROR_NONE) {
181         return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));
182     } else {
183         return ndk::ScopedAStatus::ok();
184     }
185 }
186 
Send(uint32_t command,const GateKeeperMessage & request,GateKeeperMessage * response)187 gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
188         GateKeeperMessage *response) {
189     uint32_t request_size = request.GetSerializedSize();
190     if (request_size > SEND_BUF_SIZE)
191         return ERROR_INVALID;
192     uint8_t send_buf[SEND_BUF_SIZE];
193     request.Serialize(send_buf, send_buf + request_size);
194 
195     // Send it
196     uint8_t recv_buf[RECV_BUF_SIZE];
197     uint32_t response_size = RECV_BUF_SIZE;
198     int rc = trusty_gatekeeper_call(command, send_buf, request_size, recv_buf, &response_size);
199     if (rc < 0) {
200         LOG(ERROR) << "error (" << rc << ") calling gatekeeper TA";
201         return ERROR_INVALID;
202     }
203 
204     const gatekeeper_message *msg = reinterpret_cast<gatekeeper_message *>(recv_buf);
205     const uint8_t *payload = msg->payload;
206 
207     return response->Deserialize(payload, payload + response_size);
208 }
209 
210 }  // namespace aidl::android::hardware::gatekeeper
211