Commit 2ed2baa7 authored by Chad Brubaker

Add authorization binder methods

Add methods for sending an auth token to keystore and to query the
authorization state of a given operation. These methods are currently
stubs until authorization is implemented.

Change-Id: I0f97ffb3afe19c1f1d8a00bfc95e27616e7cb06c
parent 9576d286
......@@ -975,7 +975,6 @@ public:
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeInt32(bufLength);
data.writeByteArray(bufLength, buf);
status_t status = remote()->transact(BnKeystoreService::ADD_RNG_ENTROPY, data, &reply);
if (status != NO_ERROR) {
......@@ -1205,7 +1204,7 @@ public:
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeStrongBinder(token);
status_t status = remote()->transact(BnKeystoreService::FINISH, data, &reply);
status_t status = remote()->transact(BnKeystoreService::ABORT, data, &reply);
if (status != NO_ERROR) {
ALOGD("abort() could not contact remote: %d\n", status);
return KM_ERROR_UNKNOWN_ERROR;
......@@ -1218,6 +1217,45 @@ public:
}
return ret;
}
virtual bool isOperationAuthorized(const sp<IBinder>& token)
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeStrongBinder(token);
status_t status = remote()->transact(BnKeystoreService::IS_OPERATION_AUTHORIZED, data,
&reply);
if (status != NO_ERROR) {
ALOGD("isOperationAuthorized() could not contact remote: %d\n", status);
return false;
}
int32_t err = reply.readExceptionCode();
int32_t ret = reply.readInt32();
if (err < 0) {
ALOGD("isOperationAuthorized() caught exception %d\n", err);
return false;
}
return ret == 1;
}
virtual int32_t addAuthToken(const uint8_t* token, size_t length)
{
Parcel data, reply;
data.writeInterfaceToken(IKeystoreService::getInterfaceDescriptor());
data.writeByteArray(length, token);
status_t status = remote()->transact(BnKeystoreService::ADD_AUTH_TOKEN, data, &reply);
if (status != NO_ERROR) {
ALOGD("addAuthToken() could not contact remote: %d\n", status);
return -1;
}
int32_t err = reply.readExceptionCode();
int32_t ret = reply.readInt32();
if (err < 0) {
ALOGD("addAuthToken() caught exception %d\n", err);
return -1;
}
return ret;
};
};
IMPLEMENT_META_INTERFACE(KeystoreService, "android.security.IKeystoreService");
......@@ -1689,6 +1727,27 @@ status_t BnKeystoreService::onTransact(
return NO_ERROR;
}
case IS_OPERATION_AUTHORIZED: {
CHECK_INTERFACE(IKeystoreService, data, reply);
sp<IBinder> token = data.readStrongBinder();
bool result = isOperationAuthorized(token);
reply->writeNoException();
reply->writeInt32(result ? 1 : 0);
return NO_ERROR;
}
case ADD_AUTH_TOKEN: {
CHECK_INTERFACE(IKeystoreService, data, reply);
sp<IBinder> token = data.readStrongBinder();
const uint8_t* token_bytes = NULL;
size_t size = 0;
readByteArray(data, &token_bytes, &size);
int32_t result = addAuthToken(token_bytes, size);
reply->writeNoException();
reply->writeInt32(result);
return NO_ERROR;
}
default:
return BBinder::onTransact(code, data, reply, flags);
}
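Review bot: The `ADD_AUTH_TOKEN` case in `onTransact` reads `data.readStrongBinder()` before the byte array, but the proxy `addAuthToken()` added in this same commit writes only `data.writeByteArray(length, token)` after the interface token. The two sides of the transaction therefore disagree on the wire layout, and the stub will read the token bytes from the wrong position in the parcel. Drop the line `sp<IBinder> token = data.readStrongBinder();`, whose variable is unused anyway. The outcome of `readByteArray(data, &token_bytes, &size)` is also not checked, so if that helper can fail, `addAuthToken` is called with `NULL` and a size of 0 and the implementation has to tolerate that. `onTransact` begins outside the hunk.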
......
......@@ -132,6 +132,8 @@ public:
UPDATE = IBinder::FIRST_CALL_TRANSACTION + 32,
FINISH = IBinder::FIRST_CALL_TRANSACTION + 33,
ABORT = IBinder::FIRST_CALL_TRANSACTION + 34,
IS_OPERATION_AUTHORIZED = IBinder::FIRST_CALL_TRANSACTION + 35,
ADD_AUTH_TOKEN = IBinder::FIRST_CALL_TRANSACTION + 36,
};
DECLARE_META_INTERFACE(KeystoreService);
......@@ -225,6 +227,10 @@ public:
virtual int32_t abort(const sp<IBinder>& handle) = 0;
virtual bool isOperationAuthorized(const sp<IBinder>& handle) = 0;
virtual int32_t addAuthToken(const uint8_t* token, size_t length) = 0;
};
// ----------------------------------------------------------------------------
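Review bot: The two new pure virtuals are declared without any comment on their contract, and the implementations in this commit already disagree on it. The proxy's `addAuthToken` returns `-1` when the transaction fails, the service stub returns `KM_ERROR_UNIMPLEMENTED`, and the proxy's `abort` uses `KM_ERROR_UNKNOWN_ERROR` for the same transport failure. I would add a comment above `addAuthToken` such as `// Returns a keymaster error code; KM_ERROR_UNKNOWN_ERROR if the service could not be reached.` and make the proxy match it. For `isOperationAuthorized`, document that `false` is also returned for an unknown handle or a failed call, so callers treat every `false` as a denial.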
......
......@@ -2793,6 +2793,20 @@ public:
return ::NO_ERROR;
}
bool isOperationAuthorized(const sp<IBinder>& token) {
const keymaster1_device_t* dev;
keymaster_operation_handle_t handle;
if(!mOperationMap.getOperation(token, &handle, &dev)) {
return false;
}
// TODO: Check authorization.
return true;
}
int32_t addAuthToken(const uint8_t* /*token*/, size_t /*length*/) {
return KM_ERROR_UNIMPLEMENTED;
}
private:
inline bool isKeystoreUnlocked(State state) {
switch (state) {
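Review bot: The stub `isOperationAuthorized` returns `true` for every operation that `mOperationMap.getOperation` can find, so until the `// TODO: Check authorization.` is resolved it reports any live operation as authorized. A placeholder for an authorization query is safer failing closed: `return false;` with a comment that authorization is not implemented yet, unless an existing caller is known to depend on the affirmative answer. `addAuthToken` shows no check on who is calling; when it is implemented it will presumably need to restrict which callers may supply tokens, and a `// TODO: restrict to trusted authenticators` next to the stub would keep that visible. The enclosing class begins outside the hunk.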
......