1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
/*
* Copyright (C) 2009 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
//#define LOG_NDEBUG 0
#define LOG_TAG "keystore"
#include <binder/IPCThreadState.h>
#include <binder/IServiceManager.h>
#include <android/hardware/keymaster/3.0/IHwKeymasterDevice.h>
#include <android/system/wifi/keystore/1.0/IKeystore.h>
#include <wifikeystorehal/keystore.h>
#include <cutils/log.h>
#include "KeyStore.h"
#include "entropy.h"
#include "include/keystore/keystore_hidl_support.h"
#include "include/keystore/keystore_return_types.h"
#include "key_store_service.h"
#include "legacy_keymaster_device_wrapper.h"
#include "permissions.h"
#include <android/security/IKeystoreService.h>
/* KeyStore is a secured storage for key-value pairs. In this implementation,
* each file stores one key-value pair. Keys are encoded in file names, and
* values are encrypted with checksums. The encryption key is protected by a
* user-defined password. To keep things simple, buffers are always larger than
* the maximum space we needed, so boundary checks on buffers are omitted. */
using ::android::hardware::configureRpcThreadpool;
using ::android::system::wifi::keystore::V1_0::IKeystore;
using ::android::system::wifi::keystore::V1_0::implementation::Keystore;
/**
* TODO implement keystore daemon using binderized keymaster HAL.
*/
int main(int argc, char* argv[]) {
using android::hardware::hidl_string;
if (argc < 2) {
ALOGE("A directory must be specified!");
return 1;
}
if (chdir(argv[1]) == -1) {
ALOGE("chdir: %s: %s", argv[1], strerror(errno));
return 1;
}
Entropy entropy;
if (!entropy.open()) {
return 1;
}
auto dev = android::hardware::keymaster::V3_0::IKeymasterDevice::getService();
if (dev.get() == nullptr) {
return -1;
}
auto fallback = android::keystore::makeSoftwareKeymasterDevice();
if (dev.get() == nullptr) {
return -1;
}
if (configure_selinux() == -1) {
return -1;
}
bool allowNewFallbackDevice = false;
keystore::KeyStoreServiceReturnCode rc;
rc = KS_HANDLE_HIDL_ERROR(
dev->getHardwareFeatures([&](bool, bool, bool, bool supportsAttestation, bool,
const hidl_string&, const hidl_string&) {
// Attestation support indicates the hardware is keymaster 2.0 or higher.
// For these devices we will not allow the fallback device for import or generation
// of keys. The fallback device is only used for legacy keys present on the device.
allowNewFallbackDevice = !supportsAttestation;
}));
if (!rc.isOk()) {
return -1;
}
KeyStore keyStore(&entropy, dev, fallback, allowNewFallbackDevice);
keyStore.initialize();
android::sp<android::IServiceManager> sm = android::defaultServiceManager();
android::sp<keystore::KeyStoreService> service = new keystore::KeyStoreService(&keyStore);
android::status_t ret = sm->addService(android::String16("android.security.keystore"), service);
if (ret != android::OK) {
ALOGE("Couldn't register binder service!");
return -1;
}
/**
* Register the wifi keystore HAL service to run in passthrough mode.
* This will spawn off a new thread which will service the HIDL
* transactions.
*/
configureRpcThreadpool(1, false /* callerWillJoin */);
android::sp<IKeystore> wifiKeystoreHalService = new Keystore();
android::status_t err = wifiKeystoreHalService->registerAsService();
if (ret != android::OK) {
ALOGE("Cannot register wifi keystore HAL service: %d", err);
}
/*
* This thread is just going to process Binder transactions.
*/
android::IPCThreadState::self()->joinThreadPool();
return 1;
}
|
