Home | History | Annotate | Download | only in keystore 
      1 /*
      2  * Copyright (C) 2009 The Android Open Source Project
      3  *
      4  * Licensed under the Apache License, Version 2.0 (the "License");
      5  * you may not use this file except in compliance with the License.
      6  * You may obtain a copy of the License at
      7  *
      8  *      http://www.apache.org/licenses/LICENSE-2.0
      9  *
     10  * Unless required by applicable law or agreed to in writing, software
     11  * distributed under the License is distributed on an "AS IS" BASIS,
     12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
     13  * See the License for the specific language governing permissions and
     14  * limitations under the License.
     15  */
     16 
     17 //#define LOG_NDEBUG 0
     18 #define LOG_TAG "keystore"
     19 
     20 #include <keymaster/keymaster_configuration.h>
     21 #include <keymaster/soft_keymaster_device.h>
     22 #include <keymaster/soft_keymaster_logger.h>
     23 
     24 #include <binder/IPCThreadState.h>
     25 #include <binder/IServiceManager.h>
     26 
     27 #include <cutils/log.h>
     28 
     29 #include "entropy.h"
     30 #include "key_store_service.h"
     31 #include "keystore.h"
     32 #include "permissions.h"
     33 
     34 /* KeyStore is a secured storage for key-value pairs. In this implementation,
     35  * each file stores one key-value pair. Keys are encoded in file names, and
     36  * values are encrypted with checksums. The encryption key is protected by a
     37  * user-defined password. To keep things simple, buffers are always larger than
     38  * the maximum space we needed, so boundary checks on buffers are omitted. */
     39 
     40 using keymaster::AuthorizationSet;
     41 using keymaster::AuthorizationSetBuilder;
     42 using keymaster::SoftKeymasterDevice;
     43 
     44 static int configure_keymaster_devices(keymaster2_device_t* main, keymaster2_device_t* fallback) {
     45     keymaster_error_t error = keymaster::ConfigureDevice(main);
     46     if (error != KM_ERROR_OK) {
     47         return -1;
     48     }
     49 
     50     error = keymaster::ConfigureDevice(fallback);
     51     if (error != KM_ERROR_OK) {
     52         return -1;
     53     }
     54 
     55     return 0;
     56 }
     57 
     58 static int keymaster0_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
     59     assert(mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0);
     60     ALOGI("Found keymaster0 module %s, version %x", mod->name, mod->module_api_version);
     61 
     62     UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
     63     keymaster0_device_t* km0_device = NULL;
     64     keymaster_error_t error = KM_ERROR_OK;
     65 
     66     int rc = keymaster0_open(mod, &km0_device);
     67     if (rc) {
     68         ALOGE("Error opening keystore keymaster0 device.");
     69         goto err;
     70     }
     71 
     72     if (km0_device->flags & KEYMASTER_SOFTWARE_ONLY) {
     73         ALOGI("Keymaster0 module is software-only.  Using SoftKeymasterDevice instead.");
     74         km0_device->common.close(&km0_device->common);
     75         km0_device = NULL;
     76         // SoftKeymasterDevice will be deleted by keymaster_device_release()
     77         *dev = soft_keymaster.release()->keymaster2_device();
     78         return 0;
     79     }
     80 
     81     ALOGD("Wrapping keymaster0 module %s with SoftKeymasterDevice", mod->name);
     82     error = soft_keymaster->SetHardwareDevice(km0_device);
     83     km0_device = NULL;  // SoftKeymasterDevice has taken ownership.
     84     if (error != KM_ERROR_OK) {
     85         ALOGE("Got error %d from SetHardwareDevice", error);
     86         rc = error;
     87         goto err;
     88     }
     89 
     90     // SoftKeymasterDevice will be deleted by  keymaster_device_release()
     91     *dev = soft_keymaster.release()->keymaster2_device();
     92     return 0;
     93 
     94 err:
     95     if (km0_device)
     96         km0_device->common.close(&km0_device->common);
     97     *dev = NULL;
     98     return rc;
     99 }
    100 
    101 static int keymaster1_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
    102     assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_1_0);
    103     ALOGI("Found keymaster1 module %s, version %x", mod->name, mod->module_api_version);
    104 
    105     UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
    106     keymaster1_device_t* km1_device = nullptr;
    107     keymaster_error_t error = KM_ERROR_OK;
    108 
    109     int rc = keymaster1_open(mod, &km1_device);
    110     if (rc) {
    111         ALOGE("Error %d opening keystore keymaster1 device", rc);
    112         goto err;
    113     }
    114 
    115     ALOGD("Wrapping keymaster1 module %s with SofKeymasterDevice", mod->name);
    116     error = soft_keymaster->SetHardwareDevice(km1_device);
    117     km1_device = nullptr;  // SoftKeymasterDevice has taken ownership.
    118     if (error != KM_ERROR_OK) {
    119         ALOGE("Got error %d from SetHardwareDevice", error);
    120         rc = error;
    121         goto err;
    122     }
    123 
    124     // SoftKeymasterDevice will be deleted by keymaster_device_release()
    125     *dev = soft_keymaster.release()->keymaster2_device();
    126     return 0;
    127 
    128 err:
    129     if (km1_device)
    130         km1_device->common.close(&km1_device->common);
    131     *dev = NULL;
    132     return rc;
    133 }
    134 
    135 static int keymaster2_device_initialize(const hw_module_t* mod, keymaster2_device_t** dev) {
    136     assert(mod->module_api_version >= KEYMASTER_MODULE_API_VERSION_2_0);
    137     ALOGI("Found keymaster2 module %s, version %x", mod->name, mod->module_api_version);
    138 
    139     UniquePtr<SoftKeymasterDevice> soft_keymaster(new SoftKeymasterDevice);
    140     keymaster2_device_t* km2_device = nullptr;
    141 
    142     int rc = keymaster2_open(mod, &km2_device);
    143     if (rc) {
    144         ALOGE("Error %d opening keystore keymaster2 device", rc);
    145         goto err;
    146     }
    147 
    148     *dev = km2_device;
    149     return 0;
    150 
    151 err:
    152     if (km2_device)
    153         km2_device->common.close(&km2_device->common);
    154     *dev = nullptr;
    155     return rc;
    156 }
    157 
    158 static int keymaster_device_initialize(keymaster2_device_t** dev) {
    159     const hw_module_t* mod;
    160 
    161     int rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
    162     if (rc) {
    163         ALOGI("Could not find any keystore module, using software-only implementation.");
    164         // SoftKeymasterDevice will be deleted by keymaster_device_release()
    165         *dev = (new SoftKeymasterDevice)->keymaster2_device();
    166         return 0;
    167     }
    168 
    169     if (mod->module_api_version < KEYMASTER_MODULE_API_VERSION_1_0) {
    170         return keymaster0_device_initialize(mod, dev);
    171     } else if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) {
    172         return keymaster1_device_initialize(mod, dev);
    173     } else {
    174         return keymaster2_device_initialize(mod, dev);
    175     }
    176 }
    177 
    178 // softkeymaster_logger appears not to be used in keystore, but it installs itself as the
    179 // logger used by SoftKeymasterDevice.
    180 static keymaster::SoftKeymasterLogger softkeymaster_logger;
    181 
    182 static int fallback_keymaster_device_initialize(keymaster2_device_t** dev) {
    183     *dev = (new SoftKeymasterDevice)->keymaster2_device();
    184     // SoftKeymasterDevice will be deleted by keymaster_device_release()
    185     return 0;
    186 }
    187 
    188 static void keymaster_device_release(keymaster2_device_t* dev) {
    189     dev->common.close(&dev->common);
    190 }
    191 
    192 int main(int argc, char* argv[]) {
    193     if (argc < 2) {
    194         ALOGE("A directory must be specified!");
    195         return 1;
    196     }
    197     if (chdir(argv[1]) == -1) {
    198         ALOGE("chdir: %s: %s", argv[1], strerror(errno));
    199         return 1;
    200     }
    201 
    202     Entropy entropy;
    203     if (!entropy.open()) {
    204         return 1;
    205     }
    206 
    207     keymaster2_device_t* dev;
    208     if (keymaster_device_initialize(&dev)) {
    209         ALOGE("keystore keymaster could not be initialized; exiting");
    210         return 1;
    211     }
    212 
    213     keymaster2_device_t* fallback;
    214     if (fallback_keymaster_device_initialize(&fallback)) {
    215         ALOGE("software keymaster could not be initialized; exiting");
    216         return 1;
    217     }
    218 
    219     if (configure_keymaster_devices(dev, fallback)) {
    220         ALOGE("Keymaster devices could not be configured; exiting");
    221         return 1;
    222     }
    223 
    224     if (configure_selinux() == -1) {
    225         return -1;
    226     }
    227 
    228     KeyStore keyStore(&entropy, dev, fallback);
    229     keyStore.initialize();
    230     android::sp<android::IServiceManager> sm = android::defaultServiceManager();
    231     android::sp<android::KeyStoreService> service = new android::KeyStoreService(&keyStore);
    232     android::status_t ret = sm->addService(android::String16("android.security.keystore"), service);
    233     if (ret != android::OK) {
    234         ALOGE("Couldn't register binder service!");
    235         return -1;
    236     }
    237 
    238     /*
    239      * We're the only thread in existence, so we're just going to process
    240      * Binder transaction as a single-threaded program.
    241      */
    242     android::IPCThreadState::self()->joinThreadPool();
    243 
    244     keymaster_device_release(dev);
    245     return 1;
    246 }
    247