1 // Copyright 2020, The Android Open Source Project
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 //! This is the implementation for the remote provisioning AIDL interface between
16 //! the network providers for remote provisioning and the system. This interface
17 //! allows the caller to prompt the Remote Provisioning HAL to generate keys and
18 //! CBOR blobs that can be ferried to a provisioning server that will return
19 //! certificate chains signed by some root authority and stored in a keystore SQLite
20 //! DB.
21
22 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
23 Algorithm::Algorithm, AttestationKey::AttestationKey, Certificate::Certificate,
24 KeyParameter::KeyParameter, KeyParameterValue::KeyParameterValue, SecurityLevel::SecurityLevel,
25 Tag::Tag,
26 };
27 use android_security_rkp_aidl::aidl::android::security::rkp::RemotelyProvisionedKey::RemotelyProvisionedKey;
28 use android_system_keystore2::aidl::android::system::keystore2::{
29 Domain::Domain, KeyDescriptor::KeyDescriptor,
30 };
31 use anyhow::{Context, Result};
32 use keystore2_crypto::parse_subject_from_certificate;
33
34 use crate::error::wrapped_rkpd_error_to_ks_error;
35 use crate::globals::get_remotely_provisioned_component_name;
36 use crate::ks_err;
37 use crate::metrics_store::log_rkp_error_stats;
38 use crate::watchdog_helper::watchdog as wd;
39 use android_security_metrics::aidl::android::security::metrics::RkpError::RkpError as MetricsRkpError;
40
41 /// Contains helper functions to check if remote provisioning is enabled on the system and, if so,
42 /// to assign and retrieve attestation keys and certificate chains.
43 #[derive(Default)]
44 pub struct RemProvState {
45 security_level: SecurityLevel,
46 }
47
48 impl RemProvState {
49 /// Creates a RemProvState struct.
new(security_level: SecurityLevel) -> Self50 pub fn new(security_level: SecurityLevel) -> Self {
51 Self { security_level }
52 }
53
is_rkp_only(&self) -> bool54 fn is_rkp_only(&self) -> bool {
55 let default_value = false;
56
57 let property_name = match self.security_level {
58 SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
59 SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
60 _ => return default_value,
61 };
62
63 rustutils::system_properties::read_bool(property_name, default_value)
64 .unwrap_or(default_value)
65 }
66
is_asymmetric_key(&self, params: &[KeyParameter]) -> bool67 fn is_asymmetric_key(&self, params: &[KeyParameter]) -> bool {
68 params.iter().any(|kp| {
69 matches!(
70 kp,
71 KeyParameter {
72 tag: Tag::ALGORITHM,
73 value: KeyParameterValue::Algorithm(Algorithm::RSA)
74 } | KeyParameter {
75 tag: Tag::ALGORITHM,
76 value: KeyParameterValue::Algorithm(Algorithm::EC)
77 }
78 )
79 })
80 }
81
82 /// Fetches attestation key and corresponding certificates from RKPD.
get_rkpd_attestation_key_and_certs( &self, key: &KeyDescriptor, caller_uid: u32, params: &[KeyParameter], ) -> Result<Option<(AttestationKey, Certificate)>>83 pub fn get_rkpd_attestation_key_and_certs(
84 &self,
85 key: &KeyDescriptor,
86 caller_uid: u32,
87 params: &[KeyParameter],
88 ) -> Result<Option<(AttestationKey, Certificate)>> {
89 if !self.is_asymmetric_key(params) || key.domain != Domain::APP {
90 Ok(None)
91 } else {
92 match get_rkpd_attestation_key(&self.security_level, caller_uid) {
93 Err(e) => {
94 if self.is_rkp_only() {
95 log::error!("Error occurred: {:?}", e);
96 return Err(wrapped_rkpd_error_to_ks_error(&e)).context(format!("{e:?}"));
97 }
98 log::warn!("Error occurred: {:?}", e);
99 log_rkp_error_stats(
100 MetricsRkpError::FALL_BACK_DURING_HYBRID,
101 &self.security_level,
102 );
103 Ok(None)
104 }
105 Ok(rkpd_key) => Ok(Some((
106 AttestationKey {
107 keyBlob: rkpd_key.keyBlob,
108 attestKeyParams: vec![],
109 // Batch certificate is at the beginning of the certificate chain.
110 issuerSubjectName: parse_subject_from_certificate(
111 &rkpd_key.encodedCertChain,
112 )
113 .context(ks_err!("Failed to parse subject."))?,
114 },
115 Certificate { encodedCertificate: rkpd_key.encodedCertChain },
116 ))),
117 }
118 }
119 }
120 }
121
get_rkpd_attestation_key( security_level: &SecurityLevel, caller_uid: u32, ) -> Result<RemotelyProvisionedKey>122 fn get_rkpd_attestation_key(
123 security_level: &SecurityLevel,
124 caller_uid: u32,
125 ) -> Result<RemotelyProvisionedKey> {
126 // Depending on the Android release, RKP may not have been mandatory for the
127 // TEE or StrongBox KM instances. In such cases, lookup failure for the IRPC
128 // HAL service is WAI and should not cause a failure. The error should be caught
129 // by the calling function and allow for natural fallback to the factory key.
130 let rpc_name = get_remotely_provisioned_component_name(security_level)
131 .context(ks_err!("Trying to get IRPC name."))?;
132 let _wd = wd::watch("Calling get_rkpd_attestation_key()");
133 rkpd_client::get_rkpd_attestation_key(&rpc_name, caller_uid)
134 }
135