1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "gatekeeperd"
18
19 #include <android/service/gatekeeper/BnGateKeeperService.h>
20 #include <gatekeeper/GateKeeperResponse.h>
21
22 #include <endian.h>
23 #include <errno.h>
24 #include <fcntl.h>
25 #include <unistd.h>
26 #include <memory>
27
28 #include <android-base/logging.h>
29 #include <android-base/properties.h>
30 #include <android/binder_ibinder.h>
31 #include <android/binder_manager.h>
32 #include <binder/IPCThreadState.h>
33 #include <binder/IServiceManager.h>
34 #include <binder/PermissionCache.h>
35 #include <gatekeeper/password_handle.h> // for password_handle_t
36 #include <hardware/hw_auth_token.h>
37 #include <libgsi/libgsi.h>
38 #include <log/log.h>
39 #include <utils/String16.h>
40
41 #include <aidl/android/hardware/security/keymint/HardwareAuthToken.h>
42 #include <aidl/android/security/authorization/IKeystoreAuthorization.h>
43 #include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
44 #include <hidl/HidlSupport.h>
45
46 using android::sp;
47 using android::hardware::Return;
48 using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
49 using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
50 using android::hardware::gatekeeper::V1_0::IGatekeeper;
51
52 using ::android::binder::Status;
53 using ::android::service::gatekeeper::BnGateKeeperService;
54 using GKResponse = ::android::service::gatekeeper::GateKeeperResponse;
55 using GKResponseCode = ::android::service::gatekeeper::ResponseCode;
56 using ::aidl::android::hardware::security::keymint::HardwareAuthenticatorType;
57 using ::aidl::android::hardware::security::keymint::HardwareAuthToken;
58 using ::aidl::android::security::authorization::IKeystoreAuthorization;
59
60 namespace android {
61
62 static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
63 static const String16 DUMP_PERMISSION("android.permission.DUMP");
64
65 class GateKeeperProxy : public BnGateKeeperService {
66 public:
GateKeeperProxy()67 GateKeeperProxy() {
68 clear_state_if_needed_done = false;
69 hw_device = IGatekeeper::getService();
70 is_running_gsi = android::base::GetBoolProperty(android::gsi::kGsiBootedProp, false);
71
72 if (!hw_device) {
73 LOG(ERROR) << "Could not find Gatekeeper device, which makes me very sad.";
74 }
75 }
76
~GateKeeperProxy()77 virtual ~GateKeeperProxy() {}
78
store_sid(uint32_t userId,uint64_t sid)79 void store_sid(uint32_t userId, uint64_t sid) {
80 char filename[21];
81 snprintf(filename, sizeof(filename), "%u", userId);
82 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
83 if (fd < 0) {
84 ALOGE("could not open file: %s: %s", filename, strerror(errno));
85 return;
86 }
87 write(fd, &sid, sizeof(sid));
88 close(fd);
89 }
90
clear_state_if_needed()91 void clear_state_if_needed() {
92 if (clear_state_if_needed_done) {
93 return;
94 }
95
96 if (mark_cold_boot() && !is_running_gsi) {
97 ALOGI("cold boot: clearing state");
98 if (hw_device) {
99 hw_device->deleteAllUsers([](const GatekeeperResponse&) {});
100 }
101 }
102
103 clear_state_if_needed_done = true;
104 }
105
mark_cold_boot()106 bool mark_cold_boot() {
107 const char* filename = ".coldboot";
108 if (access(filename, F_OK) == -1) {
109 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
110 if (fd < 0) {
111 ALOGE("could not open file: %s : %s", filename, strerror(errno));
112 return false;
113 }
114 close(fd);
115 return true;
116 }
117 return false;
118 }
119
maybe_store_sid(uint32_t userId,uint64_t sid)120 void maybe_store_sid(uint32_t userId, uint64_t sid) {
121 char filename[21];
122 snprintf(filename, sizeof(filename), "%u", userId);
123 if (access(filename, F_OK) == -1) {
124 store_sid(userId, sid);
125 }
126 }
127
read_sid(uint32_t userId)128 uint64_t read_sid(uint32_t userId) {
129 char filename[21];
130 uint64_t sid;
131 snprintf(filename, sizeof(filename), "%u", userId);
132 int fd = open(filename, O_RDONLY);
133 if (fd < 0) return 0;
134 read(fd, &sid, sizeof(sid));
135 close(fd);
136 return sid;
137 }
138
clear_sid(uint32_t userId)139 void clear_sid(uint32_t userId) {
140 char filename[21];
141 snprintf(filename, sizeof(filename), "%u", userId);
142 if (remove(filename) < 0) {
143 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
144 store_sid(userId, 0);
145 }
146 }
147
148 // This should only be called on userIds being passed to the GateKeeper HAL. It ensures that
149 // secure storage shared across a GSI image and a host image will not overlap.
adjust_userId(uint32_t userId)150 uint32_t adjust_userId(uint32_t userId) {
151 static constexpr uint32_t kGsiOffset = 1000000;
152 CHECK(userId < kGsiOffset);
153 CHECK(hw_device != nullptr);
154 if (is_running_gsi) {
155 return userId + kGsiOffset;
156 }
157 return userId;
158 }
159
160 #define GK_ERROR *gkResponse = GKResponse::error(), Status::ok()
161
enroll(int32_t userId,const std::optional<std::vector<uint8_t>> & currentPasswordHandle,const std::optional<std::vector<uint8_t>> & currentPassword,const std::vector<uint8_t> & desiredPassword,GKResponse * gkResponse)162 Status enroll(int32_t userId, const std::optional<std::vector<uint8_t>>& currentPasswordHandle,
163 const std::optional<std::vector<uint8_t>>& currentPassword,
164 const std::vector<uint8_t>& desiredPassword, GKResponse* gkResponse) override {
165 IPCThreadState* ipc = IPCThreadState::self();
166 const int calling_pid = ipc->getCallingPid();
167 const int calling_uid = ipc->getCallingUid();
168 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
169 return GK_ERROR;
170 }
171
172 // Make sure to clear any state from before factory reset as soon as a credential is
173 // enrolled (which may happen during device setup).
174 clear_state_if_needed();
175
176 // need a desired password to enroll
177 if (desiredPassword.size() == 0) return GK_ERROR;
178
179 if (!hw_device) {
180 LOG(ERROR) << "has no HAL to talk to";
181 return GK_ERROR;
182 }
183
184 android::hardware::hidl_vec<uint8_t> curPwdHandle;
185 android::hardware::hidl_vec<uint8_t> curPwd;
186
187 if (currentPasswordHandle && currentPassword) {
188 if (currentPasswordHandle->size() != sizeof(gatekeeper::password_handle_t)) {
189 LOG(INFO) << "Password handle has wrong length";
190 return GK_ERROR;
191 }
192 curPwdHandle.setToExternal(const_cast<uint8_t*>(currentPasswordHandle->data()),
193 currentPasswordHandle->size());
194 curPwd.setToExternal(const_cast<uint8_t*>(currentPassword->data()),
195 currentPassword->size());
196 }
197
198 android::hardware::hidl_vec<uint8_t> newPwd;
199 newPwd.setToExternal(const_cast<uint8_t*>(desiredPassword.data()), desiredPassword.size());
200
201 uint32_t hw_userId = adjust_userId(userId);
202 Return<void> hwRes = hw_device->enroll(
203 hw_userId, curPwdHandle, curPwd, newPwd,
204 [&gkResponse](const GatekeeperResponse& rsp) {
205 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
206 *gkResponse = GKResponse::ok({rsp.data.begin(), rsp.data.end()});
207 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
208 rsp.timeout > 0) {
209 *gkResponse = GKResponse::retry(rsp.timeout);
210 } else {
211 *gkResponse = GKResponse::error();
212 }
213 });
214 if (!hwRes.isOk()) {
215 LOG(ERROR) << "enroll transaction failed";
216 return GK_ERROR;
217 }
218
219 if (gkResponse->response_code() == GKResponseCode::OK && !gkResponse->should_reenroll()) {
220 if (gkResponse->payload().size() != sizeof(gatekeeper::password_handle_t)) {
221 LOG(ERROR) << "HAL returned password handle of invalid length "
222 << gkResponse->payload().size();
223 return GK_ERROR;
224 }
225
226 const gatekeeper::password_handle_t* handle =
227 reinterpret_cast<const gatekeeper::password_handle_t*>(
228 gkResponse->payload().data());
229 store_sid(userId, handle->user_id);
230
231 GKResponse verifyResponse;
232 // immediately verify this password so we don't ask the user to enter it again
233 // if they just created it.
234 auto status = verify(userId, gkResponse->payload(), desiredPassword, &verifyResponse);
235 if (!status.isOk() || verifyResponse.response_code() != GKResponseCode::OK) {
236 LOG(ERROR) << "Failed to verify password after enrolling";
237 }
238 }
239
240 return Status::ok();
241 }
242
verify(int32_t userId,const::std::vector<uint8_t> & enrolledPasswordHandle,const::std::vector<uint8_t> & providedPassword,GKResponse * gkResponse)243 Status verify(int32_t userId, const ::std::vector<uint8_t>& enrolledPasswordHandle,
244 const ::std::vector<uint8_t>& providedPassword, GKResponse* gkResponse) override {
245 return verifyChallenge(userId, 0 /* challenge */, enrolledPasswordHandle, providedPassword,
246 gkResponse);
247 }
248
verifyChallenge(int32_t userId,int64_t challenge,const std::vector<uint8_t> & enrolledPasswordHandle,const std::vector<uint8_t> & providedPassword,GKResponse * gkResponse)249 Status verifyChallenge(int32_t userId, int64_t challenge,
250 const std::vector<uint8_t>& enrolledPasswordHandle,
251 const std::vector<uint8_t>& providedPassword,
252 GKResponse* gkResponse) override {
253 IPCThreadState* ipc = IPCThreadState::self();
254 const int calling_pid = ipc->getCallingPid();
255 const int calling_uid = ipc->getCallingUid();
256 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
257 return GK_ERROR;
258 }
259
260 // can't verify if we're missing either param
261 if (enrolledPasswordHandle.size() == 0 || providedPassword.size() == 0) return GK_ERROR;
262
263 if (!hw_device) return GK_ERROR;
264
265 if (enrolledPasswordHandle.size() != sizeof(gatekeeper::password_handle_t)) {
266 LOG(INFO) << "Password handle has wrong length";
267 return GK_ERROR;
268 }
269 const gatekeeper::password_handle_t* handle =
270 reinterpret_cast<const gatekeeper::password_handle_t*>(
271 enrolledPasswordHandle.data());
272
273 uint32_t hw_userId = adjust_userId(userId);
274 android::hardware::hidl_vec<uint8_t> curPwdHandle;
275 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolledPasswordHandle.data()),
276 enrolledPasswordHandle.size());
277 android::hardware::hidl_vec<uint8_t> enteredPwd;
278 enteredPwd.setToExternal(const_cast<uint8_t*>(providedPassword.data()),
279 providedPassword.size());
280
281 Return<void> hwRes = hw_device->verify(
282 hw_userId, challenge, curPwdHandle, enteredPwd,
283 [&gkResponse](const GatekeeperResponse& rsp) {
284 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
285 *gkResponse = GKResponse::ok(
286 {rsp.data.begin(), rsp.data.end()},
287 rsp.code == GatekeeperStatusCode::STATUS_REENROLL /* reenroll */);
288 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT) {
289 *gkResponse = GKResponse::retry(rsp.timeout);
290 } else {
291 *gkResponse = GKResponse::error();
292 }
293 });
294
295 if (!hwRes.isOk()) {
296 LOG(ERROR) << "verify transaction failed";
297 return GK_ERROR;
298 }
299
300 if (gkResponse->response_code() == GKResponseCode::OK) {
301 if (gkResponse->payload().size() != 0) {
302 // try to connect to IKeystoreAuthorization AIDL service first.
303 AIBinder* authzAIBinder =
304 AServiceManager_getService("android.security.authorization");
305 ::ndk::SpAIBinder authzBinder(authzAIBinder);
306 auto authzService = IKeystoreAuthorization::fromBinder(authzBinder);
307 if (authzService) {
308 if (gkResponse->payload().size() != sizeof(hw_auth_token_t)) {
309 LOG(ERROR) << "Incorrect size of AuthToken payload.";
310 return GK_ERROR;
311 }
312
313 const hw_auth_token_t* hwAuthToken =
314 reinterpret_cast<const hw_auth_token_t*>(gkResponse->payload().data());
315 HardwareAuthToken authToken;
316
317 authToken.timestamp.milliSeconds = betoh64(hwAuthToken->timestamp);
318 authToken.challenge = hwAuthToken->challenge;
319 authToken.userId = hwAuthToken->user_id;
320 authToken.authenticatorId = hwAuthToken->authenticator_id;
321 authToken.authenticatorType = static_cast<HardwareAuthenticatorType>(
322 betoh32(hwAuthToken->authenticator_type));
323 authToken.mac.assign(&hwAuthToken->hmac[0], &hwAuthToken->hmac[32]);
324 auto result = authzService->addAuthToken(authToken);
325 if (!result.isOk()) {
326 LOG(ERROR) << "Failure in sending AuthToken to AuthorizationService.";
327 return GK_ERROR;
328 }
329 } else {
330 LOG(ERROR) << "Cannot deliver auth token. Unable to communicate with "
331 "Keystore.";
332 return GK_ERROR;
333 }
334 }
335
336 maybe_store_sid(userId, handle->user_id);
337 }
338
339 return Status::ok();
340 }
341
getSecureUserId(int32_t userId,int64_t * sid)342 Status getSecureUserId(int32_t userId, int64_t* sid) override {
343 *sid = read_sid(userId);
344 return Status::ok();
345 }
346
clearSecureUserId(int32_t userId)347 Status clearSecureUserId(int32_t userId) override {
348 IPCThreadState* ipc = IPCThreadState::self();
349 const int calling_pid = ipc->getCallingPid();
350 const int calling_uid = ipc->getCallingUid();
351 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
352 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
353 return Status::ok();
354 }
355 clear_sid(userId);
356
357 if (hw_device) {
358 uint32_t hw_userId = adjust_userId(userId);
359 hw_device->deleteUser(hw_userId, [](const GatekeeperResponse&) {});
360 }
361 return Status::ok();
362 }
363
reportDeviceSetupComplete()364 Status reportDeviceSetupComplete() override {
365 IPCThreadState* ipc = IPCThreadState::self();
366 const int calling_pid = ipc->getCallingPid();
367 const int calling_uid = ipc->getCallingUid();
368 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
369 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
370 return Status::ok();
371 }
372
373 clear_state_if_needed();
374 return Status::ok();
375 }
376
dump(int fd,const Vector<String16> &)377 status_t dump(int fd, const Vector<String16>&) override {
378 IPCThreadState* ipc = IPCThreadState::self();
379 const int pid = ipc->getCallingPid();
380 const int uid = ipc->getCallingUid();
381 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
382 return PERMISSION_DENIED;
383 }
384
385 if (hw_device == NULL) {
386 const char* result = "Device not available";
387 write(fd, result, strlen(result) + 1);
388 } else {
389 const char* result = "OK";
390 write(fd, result, strlen(result) + 1);
391 }
392
393 return OK;
394 }
395
396 private:
397 sp<IGatekeeper> hw_device;
398
399 bool clear_state_if_needed_done;
400 bool is_running_gsi;
401 };
402 } // namespace android
403
main(int argc,char * argv[])404 int main(int argc, char* argv[]) {
405 ALOGI("Starting gatekeeperd...");
406 if (argc < 2) {
407 ALOGE("A directory must be specified!");
408 return 1;
409 }
410 if (chdir(argv[1]) == -1) {
411 ALOGE("chdir: %s: %s", argv[1], strerror(errno));
412 return 1;
413 }
414
415 android::sp<android::IServiceManager> sm = android::defaultServiceManager();
416 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
417 android::status_t ret = sm->addService(
418 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
419 if (ret != android::OK) {
420 ALOGE("Couldn't register binder service!");
421 return -1;
422 }
423
424 /*
425 * We're the only thread in existence, so we're just going to process
426 * Binder transaction as a single-threaded program.
427 */
428 android::IPCThreadState::self()->joinThreadPool();
429 return 0;
430 }
431