1 //
2 // Copyright (C) 2020 The Android Open Source Project
3 //
4 // Licensed under the Apache License, Version 2.0 (the "License");
5 // you may not use this file except in compliance with the License.
6 // You may obtain a copy of the License at
7 //
8 // http://www.apache.org/licenses/LICENSE-2.0
9 //
10 // Unless required by applicable law or agreed to in writing, software
11 // distributed under the License is distributed on an "AS IS" BASIS,
12 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 // See the License for the specific language governing permissions and
14 // limitations under the License.
15
16 #include <functional>
17 #include <mutex>
18 #include <optional>
19 #include <thread>
20
21 #include <android-base/logging.h>
22 #include <android-base/strings.h>
23 #include <fruit/fruit.h>
24 #include <gflags/gflags.h>
25 #include <keymaster/android_keymaster.h>
26 #include <keymaster/contexts/pure_soft_keymaster_context.h>
27 #include <keymaster/soft_keymaster_logger.h>
28 #include <tss2/tss2_esys.h>
29 #include <tss2/tss2_rc.h>
30
31 #include "common/libs/fs/shared_fd.h"
32 #include "common/libs/security/confui_sign.h"
33 #include "common/libs/security/gatekeeper_channel_sharedfd.h"
34 #include "common/libs/security/keymaster_channel_sharedfd.h"
35 #include "common/libs/transport/channel_sharedfd.h"
36 #include "host/commands/kernel_log_monitor/kernel_log_server.h"
37 #include "host/commands/kernel_log_monitor/utils.h"
38 #include "host/commands/secure_env/confui_sign_server.h"
39 #include "host/commands/secure_env/device_tpm.h"
40 #include "host/commands/secure_env/gatekeeper_responder.h"
41 #include "host/commands/secure_env/in_process_tpm.h"
42 #include "host/commands/secure_env/keymaster_responder.h"
43 #include "host/commands/secure_env/oemlock/oemlock.h"
44 #include "host/commands/secure_env/oemlock/oemlock_responder.h"
45 #include "host/commands/secure_env/proxy_keymaster_context.h"
46 #include "host/commands/secure_env/rust/kmr_ta.h"
47 #include "host/commands/secure_env/soft_gatekeeper.h"
48 #include "host/commands/secure_env/storage/insecure_json_storage.h"
49 #include "host/commands/secure_env/storage/storage.h"
50 #include "host/commands/secure_env/storage/tpm_storage.h"
51 #include "host/commands/secure_env/suspend_resume_handler.h"
52 #include "host/commands/secure_env/tpm_gatekeeper.h"
53 #include "host/commands/secure_env/tpm_keymaster_context.h"
54 #include "host/commands/secure_env/tpm_keymaster_enforcement.h"
55 #include "host/commands/secure_env/tpm_resource_manager.h"
56 #include "host/commands/secure_env/worker_thread_loop_body.h"
57 #include "host/libs/config/known_paths.h"
58 #include "host/libs/config/logging.h"
59
60 DEFINE_int32(confui_server_fd, -1, "A named socket to serve confirmation UI");
61 DEFINE_int32(snapshot_control_fd, -1,
62 "A socket connected to run_cvd for snapshot operations and"
63 "responses");
64 DEFINE_int32(keymaster_fd_in, -1, "A pipe for keymaster communication");
65 DEFINE_int32(keymaster_fd_out, -1, "A pipe for keymaster communication");
66 DEFINE_int32(keymint_fd_in, -1, "A pipe for keymint communication");
67 DEFINE_int32(keymint_fd_out, -1, "A pipe for keymint communication");
68 DEFINE_int32(gatekeeper_fd_in, -1, "A pipe for gatekeeper communication");
69 DEFINE_int32(gatekeeper_fd_out, -1, "A pipe for gatekeeper communication");
70 DEFINE_int32(oemlock_fd_in, -1, "A pipe for oemlock communication");
71 DEFINE_int32(oemlock_fd_out, -1, "A pipe for oemlock communication");
72 DEFINE_int32(kernel_events_fd, -1,
73 "A pipe for monitoring events based on "
74 "messages written to the kernel log. This "
75 "is used by secure_env to monitor for "
76 "device reboots.");
77
78 DEFINE_string(tpm_impl, "in_memory",
79 "The TPM implementation. \"in_memory\" or \"host_device\"");
80
81 DEFINE_string(keymint_impl, "tpm",
82 "The KeyMint implementation. \"tpm\" or \"software\"");
83
84 DEFINE_string(gatekeeper_impl, "tpm",
85 "The gatekeeper implementation. \"tpm\" or \"software\"");
86
87 DEFINE_string(oemlock_impl, "tpm",
88 "The oemlock implementation. \"tpm\" or \"software\"");
89
90 namespace cuttlefish {
91 namespace {
92
93 // Copied from AndroidKeymaster4Device
94 constexpr size_t kOperationTableSize = 16;
95 constexpr std::chrono::seconds kRestartLockTimeout(2);
96
97 // Dup a command line file descriptor into a SharedFD.
DupFdFlag(gflags::int32 fd)98 SharedFD DupFdFlag(gflags::int32 fd) {
99 CHECK(fd != -1);
100 SharedFD duped = SharedFD::Dup(fd);
101 CHECK(duped->IsOpen()) << "Could not dup output fd: " << duped->StrError();
102 // The original FD is intentionally kept open so that we can re-exec this
103 // process without having to do a bunch of argv book-keeping.
104 return duped;
105 }
106
107 // Re-launch this process with all the same flags it was originallys started
108 // with.
ReExecSelf()109 [[noreturn]] void ReExecSelf() {
110 // Allocate +1 entry for terminating nullptr.
111 std::vector<char*> argv(gflags::GetArgvs().size() + 1, nullptr);
112 for (size_t i = 0; i < gflags::GetArgvs().size(); ++i) {
113 argv[i] = strdup(gflags::GetArgvs()[i].c_str());
114 CHECK(argv[i] != nullptr) << "OOM";
115 }
116 execv(SecureEnvBinary().c_str(), argv.data());
117 char buf[128];
118 LOG(FATAL) << "Exec failed, secure_env is out of sync with the guest: "
119 << errno << "(" << strerror_r(errno, buf, sizeof(buf)) << ")";
120 abort(); // LOG(FATAL) isn't marked as noreturn
121 }
122
123 // Spin up a thread that monitors for a kernel loaded event, then re-execs
124 // this process. This way, secure_env's boot tracking matches up with the guest.
StartKernelEventMonitor(SharedFD kernel_events_fd,std::timed_mutex & oemlock_lock)125 std::thread StartKernelEventMonitor(SharedFD kernel_events_fd,
126 std::timed_mutex& oemlock_lock) {
127 return std::thread([kernel_events_fd, &oemlock_lock]() {
128 while (kernel_events_fd->IsOpen()) {
129 auto read_result = monitor::ReadEvent(kernel_events_fd);
130 CHECK(read_result.has_value()) << kernel_events_fd->StrError();
131 if (read_result->event == monitor::Event::BootloaderLoaded) {
132 LOG(DEBUG) << "secure_env detected guest reboot, restarting.";
133
134 // secure_env app potentially may become stuck at IO during holding the
135 // lock, so limit the waiting time to make sure self-restart is executed
136 // as expected
137 const bool locked = oemlock_lock.try_lock_for(kRestartLockTimeout);
138 if (!locked) {
139 LOG(WARNING) << "Couldn't acquire oemlock lock within timeout. "
140 "Executing self-restart anyway";
141 }
142
143 ReExecSelf();
144
145 if (locked) {
146 oemlock_lock.unlock();
147 }
148 }
149 }
150 });
151 }
152
153 fruit::Component<fruit::Required<gatekeeper::SoftGateKeeper, TpmGatekeeper,
154 TpmResourceManager>,
155 gatekeeper::GateKeeper, keymaster::KeymasterEnforcement>
ChooseGatekeeperComponent()156 ChooseGatekeeperComponent() {
157 if (FLAGS_gatekeeper_impl == "software") {
158 return fruit::createComponent()
159 .bind<gatekeeper::GateKeeper, gatekeeper::SoftGateKeeper>()
160 .registerProvider([]() -> keymaster::KeymasterEnforcement* {
161 return new keymaster::SoftKeymasterEnforcement(64, 64);
162 });
163 } else if (FLAGS_gatekeeper_impl == "tpm") {
164 return fruit::createComponent()
165 .bind<gatekeeper::GateKeeper, TpmGatekeeper>()
166 .registerProvider(
167 [](TpmResourceManager& resource_manager,
168 TpmGatekeeper& gatekeeper) -> keymaster::KeymasterEnforcement* {
169 return new TpmKeymasterEnforcement(resource_manager, gatekeeper);
170 });
171 } else {
172 LOG(FATAL) << "Invalid gatekeeper implementation: "
173 << FLAGS_gatekeeper_impl;
174 abort();
175 }
176 }
177
178 fruit::Component<fruit::Required<TpmResourceManager>, oemlock::OemLock>
ChooseOemlockComponent()179 ChooseOemlockComponent() {
180 return fruit::createComponent()
181 .registerProvider(
182 [](TpmResourceManager& resource_manager) -> secure_env::Storage* {
183 if (FLAGS_oemlock_impl == "software") {
184 return new secure_env::InsecureJsonStorage("oemlock_insecure");
185 } else if (FLAGS_oemlock_impl == "tpm") {
186 return new secure_env::TpmStorage(resource_manager,
187 "oemlock_secure");
188 } else {
189 LOG(FATAL) << "Invalid oemlock implementation: "
190 << FLAGS_oemlock_impl;
191 abort();
192 }
193 })
194 .registerProvider([](secure_env::Storage& storage) -> oemlock::OemLock* {
195 return new oemlock::OemLock(storage);
196 });
197 ;
198 }
199
200 fruit::Component<TpmResourceManager, gatekeeper::GateKeeper, oemlock::OemLock,
201 keymaster::KeymasterEnforcement>
SecureEnvComponent()202 SecureEnvComponent() {
203 return fruit::createComponent()
204 .registerProvider([]() -> Tpm* { // fruit will take ownership
205 if (FLAGS_tpm_impl == "in_memory") {
206 return new InProcessTpm();
207 } else if (FLAGS_tpm_impl == "host_device") {
208 return new DeviceTpm("/dev/tpm0");
209 } else {
210 LOG(FATAL) << "Unknown TPM implementation: " << FLAGS_tpm_impl;
211 abort();
212 }
213 })
214 .registerProvider([](Tpm* tpm) {
215 if (tpm->TctiContext() == nullptr) {
216 LOG(FATAL) << "Unable to connect to TPM implementation.";
217 }
218 ESYS_CONTEXT* esys_ptr = nullptr;
219 std::unique_ptr<ESYS_CONTEXT, void (*)(ESYS_CONTEXT*)> esys(
220 nullptr, [](ESYS_CONTEXT* esys) { Esys_Finalize(&esys); });
221 auto rc = Esys_Initialize(&esys_ptr, tpm->TctiContext(), nullptr);
222 if (rc != TPM2_RC_SUCCESS) {
223 LOG(FATAL) << "Could not initialize esys: " << Tss2_RC_Decode(rc)
224 << " (" << rc << ")";
225 }
226 esys.reset(esys_ptr);
227 return esys;
228 })
229 .registerProvider(
230 [](std::unique_ptr<ESYS_CONTEXT, void (*)(ESYS_CONTEXT*)>& esys) {
231 return new TpmResourceManager(
232 esys.get()); // fruit will take ownership
233 })
234 .registerProvider([](TpmResourceManager& resource_manager) {
235 return new secure_env::TpmStorage(resource_manager,
236 "gatekeeper_secure");
237 })
238 .registerProvider([]() {
239 return new secure_env::InsecureJsonStorage("gatekeeper_insecure");
240 })
241 .registerProvider([](TpmResourceManager& resource_manager,
242 secure_env::TpmStorage& secure_storage,
243 secure_env::InsecureJsonStorage& insecure_storage) {
244 return new TpmGatekeeper(resource_manager, secure_storage,
245 insecure_storage);
246 })
247 .registerProvider([]() { return new gatekeeper::SoftGateKeeper(); })
248 .install(ChooseGatekeeperComponent)
249 .install(ChooseOemlockComponent);
250 }
251
252 } // namespace
253
SecureEnvMain(int argc,char ** argv)254 Result<void> SecureEnvMain(int argc, char** argv) {
255 DefaultSubprocessLogging(argv);
256 gflags::ParseCommandLineFlags(&argc, &argv, true);
257 keymaster::SoftKeymasterLogger km_logger;
258
259 fruit::Injector<TpmResourceManager, gatekeeper::GateKeeper, oemlock::OemLock,
260 keymaster::KeymasterEnforcement>
261 injector(SecureEnvComponent);
262 TpmResourceManager* resource_manager = injector.get<TpmResourceManager*>();
263 gatekeeper::GateKeeper* gatekeeper = injector.get<gatekeeper::GateKeeper*>();
264 oemlock::OemLock* oemlock = injector.get<oemlock::OemLock*>();
265 keymaster::KeymasterEnforcement* keymaster_enforcement =
266 injector.get<keymaster::KeymasterEnforcement*>();
267 std::unique_ptr<keymaster::KeymasterContext> keymaster_context;
268 std::unique_ptr<keymaster::AndroidKeymaster> keymaster;
269 std::timed_mutex oemlock_lock;
270 std::vector<std::thread> threads;
271
272 int security_level;
273 if (FLAGS_keymint_impl == "software") {
274 security_level = KM_SECURITY_LEVEL_SOFTWARE;
275 } else if (FLAGS_keymint_impl == "tpm") {
276 security_level = KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT;
277 } else {
278 return CF_ERR("Unknown Keymint Implementation: " + FLAGS_keymint_impl);
279 }
280
281 // go/cf-secure-env-snapshot
282 auto [rust_snapshot_socket1, rust_snapshot_socket2] =
283 CF_EXPECT(SharedFD::SocketPair(AF_UNIX, SOCK_STREAM, 0));
284 auto [keymaster_snapshot_socket1, keymaster_snapshot_socket2] =
285 CF_EXPECT(SharedFD::SocketPair(AF_UNIX, SOCK_STREAM, 0));
286 auto [gatekeeper_snapshot_socket1, gatekeeper_snapshot_socket2] =
287 CF_EXPECT(SharedFD::SocketPair(AF_UNIX, SOCK_STREAM, 0));
288 auto [oemlock_snapshot_socket1, oemlock_snapshot_socket2] =
289 CF_EXPECT(SharedFD::SocketPair(AF_UNIX, SOCK_STREAM, 0));
290 SharedFD channel_to_run_cvd = DupFdFlag(FLAGS_snapshot_control_fd);
291
292 SnapshotCommandHandler suspend_resume_handler(
293 channel_to_run_cvd,
294 SnapshotCommandHandler::SnapshotSockets{
295 .rust = std::move(rust_snapshot_socket1),
296 .keymaster = std::move(keymaster_snapshot_socket1),
297 .gatekeeper = std::move(gatekeeper_snapshot_socket1),
298 .oemlock = std::move(oemlock_snapshot_socket1),
299 });
300
301 // The guest image may have either the C++ implementation of
302 // KeyMint/Keymaster, xor the Rust implementation of KeyMint. Those different
303 // implementations each need to have a matching TA implementation in
304 // secure_env, but they use distincts ports (/dev/hvc3 for C++, /dev/hvc11 for
305 // Rust) so start threads for *both* TA implementations -- only one of them
306 // will receive any traffic from the guest.
307
308 // Start the Rust reference implementation of KeyMint.
309 #ifdef __linux__
310 LOG(INFO) << "starting Rust KeyMint TA implementation in a thread";
311
312 int keymint_in = FLAGS_keymint_fd_in;
313 int keymint_out = FLAGS_keymint_fd_out;
314 TpmResourceManager* rm = resource_manager;
315 threads.emplace_back([rm, keymint_in, keymint_out, security_level,
316 rust_snapshot_socket2 =
317 std::move(rust_snapshot_socket2)]() {
318 int snapshot_socket_fd = std::move(rust_snapshot_socket2)->UNMANAGED_Dup();
319 kmr_ta_main(keymint_in, keymint_out, security_level, rm,
320 snapshot_socket_fd);
321 });
322 #endif
323
324 // Start the C++ reference implementation of KeyMint.
325 LOG(INFO) << "starting C++ KeyMint implementation in a thread with FDs in="
326 << FLAGS_keymaster_fd_in << ", out=" << FLAGS_keymaster_fd_out;
327 CF_EXPECTF(security_level == KM_SECURITY_LEVEL_SOFTWARE ||
328 security_level == KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT,
329 "Unknown keymaster security_level \"{}\" for \"{}\"",
330 security_level, FLAGS_keymint_impl);
331 if (security_level == KM_SECURITY_LEVEL_SOFTWARE) {
332 keymaster_context.reset(new keymaster::PureSoftKeymasterContext(
333 keymaster::KmVersion::KEYMINT_3, KM_SECURITY_LEVEL_SOFTWARE));
334 } else /* KM_SECURITY_LEVEL_TRUSTED_ENVIRONMENT */ {
335 keymaster_context.reset(
336 new TpmKeymasterContext(*resource_manager, *keymaster_enforcement));
337 }
338
339 // keymaster::AndroidKeymaster puts the context pointer into a UniquePtr,
340 // taking ownership.
341 keymaster.reset(new keymaster::AndroidKeymaster(
342 new ProxyKeymasterContext(*keymaster_context), kOperationTableSize,
343 keymaster::MessageVersion(keymaster::KmVersion::KEYMINT_3,
344 0 /* km_date */)));
345
346 auto keymaster_in = DupFdFlag(FLAGS_keymaster_fd_in);
347 auto keymaster_out = DupFdFlag(FLAGS_keymaster_fd_out);
348 keymaster::AndroidKeymaster* borrowed_km = keymaster.get();
349 threads.emplace_back([keymaster_in, keymaster_out, borrowed_km,
350 keymaster_snapshot_socket2 =
351 std::move(keymaster_snapshot_socket2)]() {
352 while (true) {
353 SharedFdKeymasterChannel keymaster_channel(keymaster_in, keymaster_out);
354
355 KeymasterResponder keymaster_responder(keymaster_channel, *borrowed_km);
356
357 std::function<bool()> keymaster_process_cb = [&keymaster_responder]() {
358 return keymaster_responder.ProcessMessage();
359 };
360
361 // infinite loop that returns if resetting responder is needed
362 auto result = secure_env_impl::WorkerInnerLoop(
363 keymaster_process_cb, keymaster_in, keymaster_snapshot_socket2);
364 if (!result.ok()) {
365 LOG(FATAL) << "keymaster worker failed: " << result.error().Trace();
366 }
367 }
368 });
369
370 auto gatekeeper_in = DupFdFlag(FLAGS_gatekeeper_fd_in);
371 auto gatekeeper_out = DupFdFlag(FLAGS_gatekeeper_fd_out);
372 threads.emplace_back([gatekeeper_in, gatekeeper_out, &gatekeeper,
373 gatekeeper_snapshot_socket2 =
374 std::move(gatekeeper_snapshot_socket2)]() {
375 while (true) {
376 SharedFdGatekeeperChannel gatekeeper_channel(gatekeeper_in,
377 gatekeeper_out);
378
379 GatekeeperResponder gatekeeper_responder(gatekeeper_channel, *gatekeeper);
380
381 std::function<bool()> gatekeeper_process_cb = [&gatekeeper_responder]() {
382 return gatekeeper_responder.ProcessMessage();
383 };
384
385 // infinite loop that returns if resetting responder is needed
386 auto result = secure_env_impl::WorkerInnerLoop(
387 gatekeeper_process_cb, gatekeeper_in, gatekeeper_snapshot_socket2);
388 if (!result.ok()) {
389 LOG(FATAL) << "gatekeeper worker failed: " << result.error().Trace();
390 }
391 }
392 });
393
394 auto oemlock_in = DupFdFlag(FLAGS_oemlock_fd_in);
395 auto oemlock_out = DupFdFlag(FLAGS_oemlock_fd_out);
396 threads.emplace_back(
397 [oemlock_in, oemlock_out, &oemlock, &oemlock_lock,
398 oemlock_snapshot_socket2 = std::move(oemlock_snapshot_socket2)]() {
399 while (true) {
400 transport::SharedFdChannel channel(oemlock_in, oemlock_out);
401 oemlock::OemLockResponder responder(channel, *oemlock, oemlock_lock);
402
403 std::function<bool()> oemlock_process_cb = [&responder]() -> bool {
404 return (responder.ProcessMessage().ok());
405 };
406
407 // infinite loop that returns if resetting responder is needed
408 auto result = secure_env_impl::WorkerInnerLoop(
409 oemlock_process_cb, oemlock_in, oemlock_snapshot_socket2);
410 if (!result.ok()) {
411 LOG(FATAL) << "oemlock worker failed: " << result.error().Trace();
412 }
413 }
414 });
415
416 auto confui_server_fd = DupFdFlag(FLAGS_confui_server_fd);
417 threads.emplace_back([confui_server_fd, resource_manager]() {
418 ConfUiSignServer confui_sign_server(*resource_manager, confui_server_fd);
419 // no return, infinite loop
420 confui_sign_server.MainLoop();
421 });
422
423 auto kernel_events_fd = DupFdFlag(FLAGS_kernel_events_fd);
424 threads.emplace_back(StartKernelEventMonitor(kernel_events_fd, oemlock_lock));
425
426 for (auto& t : threads) {
427 t.join();
428 }
429 return {};
430 }
431
432 } // namespace cuttlefish
433
main(int argc,char ** argv)434 int main(int argc, char** argv) {
435 auto result = cuttlefish::SecureEnvMain(argc, argv);
436 if (result.ok()) {
437 return 0;
438 }
439 LOG(FATAL) << result.error().Trace();
440 return -1;
441 }
442