1 // Copyright 2020, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 //! This is the implementation for the remote provisioning AIDL interface between
16 //! the network providers for remote provisioning and the system. This interface
17 //! allows the caller to prompt the Remote Provisioning HAL to generate keys and
18 //! CBOR blobs that can be ferried to a provisioning server that will return
19 //! certificate chains signed by some root authority and stored in a keystore SQLite
20 //! DB.
21 
22 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
23     Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
24     KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
25     Tag::Tag,
26 };
27 use android_security_rkp_aidl::aidl::android::security::rkp::RemotelyProvisionedKey::RemotelyProvisionedKey;
28 use android_system_keystore2::aidl::android::system::keystore2::{
29     Domain::Domain, KeyDescriptor::KeyDescriptor,
30 };
31 use anyhow::{Context, Result};
32 use keystore2_crypto::parse_subject_from_certificate;
33 
34 use crate::error::wrapped_rkpd_error_to_ks_error;
35 use crate::globals::get_remotely_provisioned_component_name;
36 use crate::ks_err;
37 use crate::metrics_store::log_rkp_error_stats;
38 use crate::watchdog_helper::watchdog as wd;
39 use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
40 
41 /// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
42 /// to assign and retrieve attestation keys and certificate chains.
43 #[derive(Default)]
44 pub struct RemProvState {
45     security_level: SecurityLevel,
46 }
47 
48 impl RemProvState {
49     /// Creates a RemProvState struct.
new(security_level: SecurityLevel) -> Self50     pub fn new(security_level: SecurityLevel) -> Self {
51         Self { security_level }
52     }
53 
is_rkp_only(&self) -> bool54     fn is_rkp_only(&self) -> bool {
55         let default_value = false;
56 
57         let property_name = match self.security_level {
58             SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
59             SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
60             _ => return default_value,
61         };
62 
63         rustutils::system_properties::read_bool(property_name, default_value)
64             .unwrap_or(default_value)
65     }
66 
is_asymmetric_key(&self, params: &[KeyParameter]) -> bool67     fn is_asymmetric_key(&self, params: &[KeyParameter]) -> bool {
68         params.iter().any(|kp| {
69             matches!(
70                 kp,
71                 KeyParameter {
72                     tag: Tag::ALGORITHM,
73                     value: KeyParameterValue::Algorithm(Algorithm::RSA)
74                 } | KeyParameter {
75                     tag: Tag::ALGORITHM,
76                     value: KeyParameterValue::Algorithm(Algorithm::EC)
77                 }
78             )
79         })
80     }
81 
82     /// Fetches attestation key and corresponding certificates from RKPD.
get_rkpd_attestation_key_and_certs( &self, key: &KeyDescriptor, caller_uid: u32, params: &[KeyParameter], ) -> Result<Option<(AttestationKey, Certificate)>>83     pub fn get_rkpd_attestation_key_and_certs(
84         &self,
85         key: &KeyDescriptor,
86         caller_uid: u32,
87         params: &[KeyParameter],
88     ) -> Result<Option<(AttestationKey, Certificate)>> {
89         if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
90             Ok(None)
91         } else {
92             match get_rkpd_attestation_key(&self.security_level, caller_uid) {
93                 Err(e) => {
94                     if self.is_rkp_only() {
95                         log::error!("Error occurred: {:?}", e);
96                         return Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"));
97                     }
98                     log::warn!("Error occurred: {:?}", e);
99                     log_rkp_error_stats(
100                         MetricsRkpError::FALL_BACK_DURING_HYBRID,
101                         &self.security_level,
102                     );
103                     Ok(None)
104                 }
105                 Ok(rkpd_key) => Ok(Some((
106                     AttestationKey {
107                         keyBlob: rkpd_key.keyBlob,
108                         attestKeyParams: vec![],
109                         // Batch certificate is at the beginning of the certificate chain.
110                         issuerSubjectName: parse_subject_from_certificate(
111                             &rkpd_key.encodedCertChain,
112                         )
113                         .context(ks_err!("Failed to parse subject."))?,
114                     },
115                     Certificate { encodedCertificate: rkpd_key.encodedCertChain },
116                 ))),
117             }
118         }
119     }
120 }
121 
get_rkpd_attestation_key( security_level: &SecurityLevel, caller_uid: u32, ) -> Result<RemotelyProvisionedKey>122 fn get_rkpd_attestation_key(
123     security_level: &SecurityLevel,
124     caller_uid: u32,
125 ) -> Result<RemotelyProvisionedKey> {
126     // Depending on the Android release, RKP may not have been mandatory for the
127     // TEE or StrongBox KM instances. In such cases, lookup failure for the IRPC
128     // HAL service is WAI and should not cause a failure. The error should be caught
129     // by the calling function and allow for natural fallback to the factory key.
130     let rpc_name = get_remotely_provisioned_component_name(security_level)
131         .context(ks_err!("Trying to get IRPC name."))?;
132     let _wd = wd::watch("Calling get_rkpd_attestation_key()");
133     rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
134 }
135