1 /* 2 * Copyright (C) 2015 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #define LOG_TAG "gatekeeperd" 18 19 #include "IGateKeeperService.h" 20 21 #include <errno.h> 22 #include <fcntl.h> 23 #include <inttypes.h> 24 #include <stdint.h> 25 #include <unistd.h> 26 #include <memory> 27 28 #include <binder/IPCThreadState.h> 29 #include <binder/IServiceManager.h> 30 #include <binder/PermissionCache.h> 31 #include <gatekeeper/password_handle.h> // for password_handle_t 32 #include <hardware/gatekeeper.h> 33 #include <hardware/hw_auth_token.h> 34 #include <keystore/IKeystoreService.h> 35 #include <keystore/keystore.h> // For error code 36 #include <log/log.h> 37 #include <utils/Log.h> 38 #include <utils/String16.h> 39 40 #include "SoftGateKeeperDevice.h" 41 42 #include <hidl/HidlSupport.h> 43 #include <android/hardware/gatekeeper/1.0/IGatekeeper.h> 44 45 using android::sp; 46 using android::hardware::gatekeeper::V1_0::IGatekeeper; 47 using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode; 48 using android::hardware::gatekeeper::V1_0::GatekeeperResponse; 49 using android::hardware::Return; 50 51 namespace android { 52 53 static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE"); 54 static const String16 DUMP_PERMISSION("android.permission.DUMP"); 55 56 class GateKeeperProxy : public BnGateKeeperService { 57 public: 58 GateKeeperProxy() { 59 clear_state_if_needed_done = false; 60 hw_device = IGatekeeper::getService(); 61 62 if (hw_device == nullptr) { 63 ALOGW("falling back to software GateKeeper"); 64 soft_device.reset(new SoftGateKeeperDevice()); 65 } 66 } 67 68 virtual ~GateKeeperProxy() { 69 } 70 71 void store_sid(uint32_t uid, uint64_t sid) { 72 char filename[21]; 73 snprintf(filename, sizeof(filename), "%u", uid); 74 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 75 if (fd < 0) { 76 ALOGE("could not open file: %s: %s", filename, strerror(errno)); 77 return; 78 } 79 write(fd, &sid, sizeof(sid)); 80 close(fd); 81 } 82 83 void clear_state_if_needed() { 84 if (clear_state_if_needed_done) { 85 return; 86 } 87 88 if (mark_cold_boot()) { 89 ALOGI("cold boot: clearing state"); 90 if (hw_device != nullptr) { 91 hw_device->deleteAllUsers([](const GatekeeperResponse &){}); 92 } 93 } 94 95 clear_state_if_needed_done = true; 96 } 97 98 bool mark_cold_boot() { 99 const char *filename = ".coldboot"; 100 if (access(filename, F_OK) == -1) { 101 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR); 102 if (fd < 0) { 103 ALOGE("could not open file: %s : %s", filename, strerror(errno)); 104 return false; 105 } 106 close(fd); 107 return true; 108 } 109 return false; 110 } 111 112 void maybe_store_sid(uint32_t uid, uint64_t sid) { 113 char filename[21]; 114 snprintf(filename, sizeof(filename), "%u", uid); 115 if (access(filename, F_OK) == -1) { 116 store_sid(uid, sid); 117 } 118 } 119 120 uint64_t read_sid(uint32_t uid) { 121 char filename[21]; 122 uint64_t sid; 123 snprintf(filename, sizeof(filename), "%u", uid); 124 int fd = open(filename, O_RDONLY); 125 if (fd < 0) return 0; 126 read(fd, &sid, sizeof(sid)); 127 close(fd); 128 return sid; 129 } 130 131 void clear_sid(uint32_t uid) { 132 char filename[21]; 133 snprintf(filename, sizeof(filename), "%u", uid); 134 if (remove(filename) < 0) { 135 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno)); 136 store_sid(uid, 0); 137 } 138 } 139 140 virtual int enroll(uint32_t uid, 141 const uint8_t *current_password_handle, uint32_t current_password_handle_length, 142 const uint8_t *current_password, uint32_t current_password_length, 143 const uint8_t *desired_password, uint32_t desired_password_length, 144 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) { 145 IPCThreadState* ipc = IPCThreadState::self(); 146 const int calling_pid = ipc->getCallingPid(); 147 const int calling_uid = ipc->getCallingUid(); 148 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 149 return PERMISSION_DENIED; 150 } 151 152 // Make sure to clear any state from before factory reset as soon as a credential is 153 // enrolled (which may happen during device setup). 154 clear_state_if_needed(); 155 156 // need a desired password to enroll 157 if (desired_password_length == 0) return -EINVAL; 158 159 int ret; 160 if (hw_device != nullptr) { 161 const gatekeeper::password_handle_t *handle = 162 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle); 163 164 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) { 165 // handle is being re-enrolled from a software version. HAL probably won't accept 166 // the handle as valid, so we nullify it and enroll from scratch 167 current_password_handle = NULL; 168 current_password_handle_length = 0; 169 current_password = NULL; 170 current_password_length = 0; 171 } 172 173 android::hardware::hidl_vec<uint8_t> curPwdHandle; 174 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle), 175 current_password_handle_length); 176 android::hardware::hidl_vec<uint8_t> curPwd; 177 curPwd.setToExternal(const_cast<uint8_t*>(current_password), 178 current_password_length); 179 android::hardware::hidl_vec<uint8_t> newPwd; 180 newPwd.setToExternal(const_cast<uint8_t*>(desired_password), 181 desired_password_length); 182 183 Return<void> hwRes = hw_device->enroll(uid, curPwdHandle, curPwd, newPwd, 184 [&ret, enrolled_password_handle, enrolled_password_handle_length] 185 (const GatekeeperResponse &rsp) { 186 ret = static_cast<int>(rsp.code); // propagate errors 187 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) { 188 if (enrolled_password_handle != nullptr && 189 enrolled_password_handle_length != nullptr) { 190 *enrolled_password_handle = new uint8_t[rsp.data.size()]; 191 *enrolled_password_handle_length = rsp.data.size(); 192 memcpy(*enrolled_password_handle, rsp.data.data(), 193 *enrolled_password_handle_length); 194 } 195 ret = 0; // all success states are reported as 0 196 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) { 197 ret = rsp.timeout; 198 } 199 }); 200 if (!hwRes.isOk()) { 201 ALOGE("enroll transaction failed\n"); 202 ret = -1; 203 } 204 } else { 205 ret = soft_device->enroll(uid, 206 current_password_handle, current_password_handle_length, 207 current_password, current_password_length, 208 desired_password, desired_password_length, 209 enrolled_password_handle, enrolled_password_handle_length); 210 } 211 212 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr || 213 *enrolled_password_handle_length != sizeof(password_handle_t))) { 214 ret = GATEKEEPER_RESPONSE_ERROR; 215 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n", 216 *enrolled_password_handle, *enrolled_password_handle_length); 217 } 218 219 if (ret == GATEKEEPER_RESPONSE_OK) { 220 gatekeeper::password_handle_t *handle = 221 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle); 222 store_sid(uid, handle->user_id); 223 bool rr; 224 225 // immediately verify this password so we don't ask the user to enter it again 226 // if they just created it. 227 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password, 228 desired_password_length, &rr); 229 } 230 231 return ret; 232 } 233 234 virtual int verify(uint32_t uid, 235 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 236 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) { 237 uint8_t *auth_token; 238 uint32_t auth_token_length; 239 return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length, 240 provided_password, provided_password_length, 241 &auth_token, &auth_token_length, request_reenroll); 242 } 243 244 virtual int verifyChallenge(uint32_t uid, uint64_t challenge, 245 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length, 246 const uint8_t *provided_password, uint32_t provided_password_length, 247 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) { 248 IPCThreadState* ipc = IPCThreadState::self(); 249 const int calling_pid = ipc->getCallingPid(); 250 const int calling_uid = ipc->getCallingUid(); 251 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 252 return PERMISSION_DENIED; 253 } 254 255 // can't verify if we're missing either param 256 if ((enrolled_password_handle_length | provided_password_length) == 0) 257 return -EINVAL; 258 259 int ret; 260 if (hw_device != nullptr) { 261 const gatekeeper::password_handle_t *handle = 262 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle); 263 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to 264 // a HAL if there was none before 265 if (handle->version == 0 || handle->hardware_backed) { 266 android::hardware::hidl_vec<uint8_t> curPwdHandle; 267 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle), 268 enrolled_password_handle_length); 269 android::hardware::hidl_vec<uint8_t> enteredPwd; 270 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password), 271 provided_password_length); 272 Return<void> hwRes = hw_device->verify(uid, challenge, curPwdHandle, enteredPwd, 273 [&ret, request_reenroll, auth_token, auth_token_length] 274 (const GatekeeperResponse &rsp) { 275 ret = static_cast<int>(rsp.code); // propagate errors 276 if (auth_token != nullptr && auth_token_length != nullptr && 277 rsp.code >= GatekeeperStatusCode::STATUS_OK) { 278 *auth_token = new uint8_t[rsp.data.size()]; 279 *auth_token_length = rsp.data.size(); 280 memcpy(*auth_token, rsp.data.data(), *auth_token_length); 281 if (request_reenroll != nullptr) { 282 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL); 283 } 284 ret = 0; // all success states are reported as 0 285 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && 286 rsp.timeout > 0) { 287 ret = rsp.timeout; 288 } 289 }); 290 if (!hwRes.isOk()) { 291 ALOGE("verify transaction failed\n"); 292 ret = -1; 293 } 294 } else { 295 // upgrade scenario, a HAL has been added to this device where there was none before 296 SoftGateKeeperDevice soft_dev; 297 ret = soft_dev.verify(uid, challenge, 298 enrolled_password_handle, enrolled_password_handle_length, 299 provided_password, provided_password_length, auth_token, auth_token_length, 300 request_reenroll); 301 302 if (ret == 0) { 303 // success! re-enroll with HAL 304 *request_reenroll = true; 305 } 306 } 307 } else { 308 ret = soft_device->verify(uid, challenge, 309 enrolled_password_handle, enrolled_password_handle_length, 310 provided_password, provided_password_length, auth_token, auth_token_length, 311 request_reenroll); 312 } 313 314 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) { 315 // TODO: cache service? 316 sp<IServiceManager> sm = defaultServiceManager(); 317 sp<IBinder> binder = sm->getService(String16("android.security.keystore")); 318 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder); 319 if (service != NULL) { 320 auto ret = service->addAuthToken(*auth_token, *auth_token_length); 321 if (!ret.isOk()) { 322 ALOGE("Failure sending auth token to KeyStore: %" PRId32, int32_t(ret)); 323 } 324 } else { 325 ALOGE("Unable to communicate with KeyStore"); 326 } 327 } 328 329 if (ret == 0) { 330 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>( 331 enrolled_password_handle)->user_id); 332 } 333 334 return ret; 335 } 336 337 virtual uint64_t getSecureUserId(uint32_t uid) { return read_sid(uid); } 338 339 virtual void clearSecureUserId(uint32_t uid) { 340 IPCThreadState* ipc = IPCThreadState::self(); 341 const int calling_pid = ipc->getCallingPid(); 342 const int calling_uid = ipc->getCallingUid(); 343 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 344 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); 345 return; 346 } 347 clear_sid(uid); 348 349 if (hw_device != nullptr) { 350 hw_device->deleteUser(uid, [] (const GatekeeperResponse &){}); 351 } 352 } 353 354 virtual void reportDeviceSetupComplete() { 355 IPCThreadState* ipc = IPCThreadState::self(); 356 const int calling_pid = ipc->getCallingPid(); 357 const int calling_uid = ipc->getCallingUid(); 358 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) { 359 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid); 360 return; 361 } 362 363 clear_state_if_needed(); 364 } 365 366 virtual status_t dump(int fd, const Vector<String16> &) { 367 IPCThreadState* ipc = IPCThreadState::self(); 368 const int pid = ipc->getCallingPid(); 369 const int uid = ipc->getCallingUid(); 370 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) { 371 return PERMISSION_DENIED; 372 } 373 374 if (hw_device == NULL) { 375 const char *result = "Device not available"; 376 write(fd, result, strlen(result) + 1); 377 } else { 378 const char *result = "OK"; 379 write(fd, result, strlen(result) + 1); 380 } 381 382 return NO_ERROR; 383 } 384 385 private: 386 sp<IGatekeeper> hw_device; 387 std::unique_ptr<SoftGateKeeperDevice> soft_device; 388 389 bool clear_state_if_needed_done; 390 }; 391 }// namespace android 392 393 int main(int argc, char* argv[]) { 394 ALOGI("Starting gatekeeperd..."); 395 if (argc < 2) { 396 ALOGE("A directory must be specified!"); 397 return 1; 398 } 399 if (chdir(argv[1]) == -1) { 400 ALOGE("chdir: %s: %s", argv[1], strerror(errno)); 401 return 1; 402 } 403 404 android::sp<android::IServiceManager> sm = android::defaultServiceManager(); 405 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy(); 406 android::status_t ret = sm->addService( 407 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy); 408 if (ret != android::OK) { 409 ALOGE("Couldn't register binder service!"); 410 return -1; 411 } 412 413 /* 414 * We're the only thread in existence, so we're just going to process 415 * Binder transaction as a single-threaded program. 416 */ 417 android::IPCThreadState::self()->joinThreadPool(); 418 return 0; 419 } 420