1 /*
2 * Copyright (C) 2020 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16 #ifndef CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
17 #define CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
18
19 #include "android/hardware/automotive/vehicle/2.0/types.h"
20
21 #include <android/hardware/automotive/vehicle/2.0/IVehicle.h>
22 #include <utils/StrongPointer.h>
23
24 #include <cstdint>
25 #include <vector>
26
27 namespace android {
28 namespace automotive {
29 namespace security {
30
31 constexpr size_t SEED_BYTE_SIZE = 16;
32
33 // Possible results of attempting to set the vehicle binding seed.
34 enum class BindingStatus {
35 OK,
36 NOT_SUPPORTED,
37 ERROR,
38 };
39
40 template <typename EnumT>
toInt(const EnumT value)41 constexpr auto toInt(const EnumT value) {
42 return static_cast<typename std::underlying_type<EnumT>::type>(value);
43 }
44
45 // Interface for getting cryptographically secure random byte strings
46 class Csrng {
47 public:
48 virtual ~Csrng() = default;
49
50 // Fill the given buffer with random bytes. Returns false if there is
51 // an unrecoverable error getting bits.
52 virtual bool fill(void* buffer, size_t size) const = 0;
53 };
54
55 // Csrng that relies on `/dev/urandom` to supply bits. We have to rely on
56 // urandom so that we don't block boot-up. Devices that wish to supply very
57 // high-quality random bits at boot should seed the linux PRNG at boot with
58 // entropy.
59 class DefaultCsrng : public Csrng {
60 public:
61 bool fill(void* buffer, size_t size) const override;
62 };
63
64 // Interface for forking and executing a child process.
65 class Executor {
66 public:
67 virtual ~Executor() = default;
68
69 // Run the given command line and its arguments. Returns 0 on success, -1
70 // if an internal error occurred, and -ECHILD if the child process did not
71 // exit properly.
72 //
73 // On exit, `exit_code` is set to the child's exit status.
74 virtual int run(const std::vector<std::string>& cmd_args, int* exit_code) const = 0;
75 };
76
77 // Default Executor which forks, execs, and logs output from the child process.
78 class DefaultExecutor : public Executor {
79 int run(const std::vector<std::string>& cmd_args, int* exit_code) const override;
80 };
81
82 // Set the seed in vold that is used to bind the encryption keys to the vehicle.
83 // This is used to guard against headunit removal and subsequent scraping of
84 // the filesystem for sensitive data (e.g. PII).
85 //
86 // The seed is read from the VHAL property STORAGE_ENCRYPTION_BINDING_SEED. If
87 // the property has not yet been set, a random byte value is generated and
88 // saved in the VHAL for reuse on future boots.
89 BindingStatus setVehicleBindingSeed(
90 sp<::android::hardware::automotive::vehicle::V2_0::IVehicle> vehicle,
91 const Executor& executor, const Csrng& csrng);
92
93 } // namespace security
94 } // namespace automotive
95 } // namespace android
96
97 #endif // CPP_SECURITY_VEHICLE_BINDING_UTIL_SRC_VEHICLEBINDINGUTIL_H_
98