1 /*
2 * Copyright (C) 2015 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17 #define LOG_TAG "gatekeeperd"
18
19 #include "IGateKeeperService.h"
20
21 #include <errno.h>
22 #include <fcntl.h>
23 #include <inttypes.h>
24 #include <stdint.h>
25 #include <unistd.h>
26
27 #include <binder/IPCThreadState.h>
28 #include <binder/IServiceManager.h>
29 #include <binder/PermissionCache.h>
30 #include <gatekeeper/password_handle.h> // for password_handle_t
31 #include <hardware/gatekeeper.h>
32 #include <hardware/hw_auth_token.h>
33 #include <keystore/IKeystoreService.h>
34 #include <keystore/keystore.h> // For error code
35 #include <log/log.h>
36 #include <utils/Log.h>
37 #include <utils/String16.h>
38
39 #include "SoftGateKeeperDevice.h"
40 #include "IUserManager.h"
41
42 #include <hidl/HidlSupport.h>
43 #include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
44
45 using android::sp;
46 using android::hardware::gatekeeper::V1_0::IGatekeeper;
47 using android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
48 using android::hardware::gatekeeper::V1_0::GatekeeperResponse;
49 using android::hardware::Return;
50
51 namespace android {
52
53 static const String16 KEYGUARD_PERMISSION("android.permission.ACCESS_KEYGUARD_SECURE_STORAGE");
54 static const String16 DUMP_PERMISSION("android.permission.DUMP");
55
56 class GateKeeperProxy : public BnGateKeeperService {
57 public:
GateKeeperProxy()58 GateKeeperProxy() {
59 hw_device = IGatekeeper::getService();
60
61 if (hw_device == nullptr) {
62 ALOGW("falling back to software GateKeeper");
63 soft_device.reset(new SoftGateKeeperDevice());
64 }
65
66 if (mark_cold_boot()) {
67 ALOGI("cold boot: clearing state");
68 if (hw_device != nullptr) {
69 hw_device->deleteAllUsers([](const GatekeeperResponse &){});
70 }
71 }
72 }
73
~GateKeeperProxy()74 virtual ~GateKeeperProxy() {
75 }
76
store_sid(uint32_t uid,uint64_t sid)77 void store_sid(uint32_t uid, uint64_t sid) {
78 char filename[21];
79 snprintf(filename, sizeof(filename), "%u", uid);
80 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
81 if (fd < 0) {
82 ALOGE("could not open file: %s: %s", filename, strerror(errno));
83 return;
84 }
85 write(fd, &sid, sizeof(sid));
86 close(fd);
87 }
88
mark_cold_boot()89 bool mark_cold_boot() {
90 const char *filename = ".coldboot";
91 if (access(filename, F_OK) == -1) {
92 int fd = open(filename, O_WRONLY | O_TRUNC | O_CREAT, S_IRUSR | S_IWUSR);
93 if (fd < 0) {
94 ALOGE("could not open file: %s : %s", filename, strerror(errno));
95 return false;
96 }
97 close(fd);
98 return true;
99 }
100 return false;
101 }
102
maybe_store_sid(uint32_t uid,uint64_t sid)103 void maybe_store_sid(uint32_t uid, uint64_t sid) {
104 char filename[21];
105 snprintf(filename, sizeof(filename), "%u", uid);
106 if (access(filename, F_OK) == -1) {
107 store_sid(uid, sid);
108 }
109 }
110
read_sid(uint32_t uid)111 uint64_t read_sid(uint32_t uid) {
112 char filename[21];
113 uint64_t sid;
114 snprintf(filename, sizeof(filename), "%u", uid);
115 int fd = open(filename, O_RDONLY);
116 if (fd < 0) return 0;
117 read(fd, &sid, sizeof(sid));
118 close(fd);
119 return sid;
120 }
121
clear_sid(uint32_t uid)122 void clear_sid(uint32_t uid) {
123 char filename[21];
124 snprintf(filename, sizeof(filename), "%u", uid);
125 if (remove(filename) < 0) {
126 ALOGE("%s: could not remove file [%s], attempting 0 write", __func__, strerror(errno));
127 store_sid(uid, 0);
128 }
129 }
130
enroll(uint32_t uid,const uint8_t * current_password_handle,uint32_t current_password_handle_length,const uint8_t * current_password,uint32_t current_password_length,const uint8_t * desired_password,uint32_t desired_password_length,uint8_t ** enrolled_password_handle,uint32_t * enrolled_password_handle_length)131 virtual int enroll(uint32_t uid,
132 const uint8_t *current_password_handle, uint32_t current_password_handle_length,
133 const uint8_t *current_password, uint32_t current_password_length,
134 const uint8_t *desired_password, uint32_t desired_password_length,
135 uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
136 IPCThreadState* ipc = IPCThreadState::self();
137 const int calling_pid = ipc->getCallingPid();
138 const int calling_uid = ipc->getCallingUid();
139 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
140 return PERMISSION_DENIED;
141 }
142
143 // need a desired password to enroll
144 if (desired_password_length == 0) return -EINVAL;
145
146 int ret;
147 if (hw_device != nullptr) {
148 const gatekeeper::password_handle_t *handle =
149 reinterpret_cast<const gatekeeper::password_handle_t *>(current_password_handle);
150
151 if (handle != NULL && handle->version != 0 && !handle->hardware_backed) {
152 // handle is being re-enrolled from a software version. HAL probably won't accept
153 // the handle as valid, so we nullify it and enroll from scratch
154 current_password_handle = NULL;
155 current_password_handle_length = 0;
156 current_password = NULL;
157 current_password_length = 0;
158 }
159
160 android::hardware::hidl_vec<uint8_t> curPwdHandle;
161 curPwdHandle.setToExternal(const_cast<uint8_t*>(current_password_handle),
162 current_password_handle_length);
163 android::hardware::hidl_vec<uint8_t> curPwd;
164 curPwd.setToExternal(const_cast<uint8_t*>(current_password),
165 current_password_length);
166 android::hardware::hidl_vec<uint8_t> newPwd;
167 newPwd.setToExternal(const_cast<uint8_t*>(desired_password),
168 desired_password_length);
169
170 Return<void> hwRes = hw_device->enroll(uid, curPwdHandle, curPwd, newPwd,
171 [&ret, enrolled_password_handle, enrolled_password_handle_length]
172 (const GatekeeperResponse &rsp) {
173 ret = static_cast<int>(rsp.code); // propagate errors
174 if (rsp.code >= GatekeeperStatusCode::STATUS_OK) {
175 if (enrolled_password_handle != nullptr &&
176 enrolled_password_handle_length != nullptr) {
177 *enrolled_password_handle = new uint8_t[rsp.data.size()];
178 *enrolled_password_handle_length = rsp.data.size();
179 memcpy(*enrolled_password_handle, rsp.data.data(),
180 *enrolled_password_handle_length);
181 }
182 ret = 0; // all success states are reported as 0
183 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT && rsp.timeout > 0) {
184 ret = rsp.timeout;
185 }
186 });
187 if (!hwRes.isOk()) {
188 ALOGE("enroll transaction failed\n");
189 ret = -1;
190 }
191 } else {
192 ret = soft_device->enroll(uid,
193 current_password_handle, current_password_handle_length,
194 current_password, current_password_length,
195 desired_password, desired_password_length,
196 enrolled_password_handle, enrolled_password_handle_length);
197 }
198
199 if (ret == GATEKEEPER_RESPONSE_OK && (*enrolled_password_handle == nullptr ||
200 *enrolled_password_handle_length != sizeof(password_handle_t))) {
201 ret = GATEKEEPER_RESPONSE_ERROR;
202 ALOGE("HAL: password_handle=%p size_of_handle=%" PRIu32 "\n",
203 *enrolled_password_handle, *enrolled_password_handle_length);
204 }
205
206 if (ret == GATEKEEPER_RESPONSE_OK) {
207 gatekeeper::password_handle_t *handle =
208 reinterpret_cast<gatekeeper::password_handle_t *>(*enrolled_password_handle);
209 store_sid(uid, handle->user_id);
210 bool rr;
211
212 // immediately verify this password so we don't ask the user to enter it again
213 // if they just created it.
214 verify(uid, *enrolled_password_handle, sizeof(password_handle_t), desired_password,
215 desired_password_length, &rr);
216 }
217
218 return ret;
219 }
220
verify(uint32_t uid,const uint8_t * enrolled_password_handle,uint32_t enrolled_password_handle_length,const uint8_t * provided_password,uint32_t provided_password_length,bool * request_reenroll)221 virtual int verify(uint32_t uid,
222 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
223 const uint8_t *provided_password, uint32_t provided_password_length, bool *request_reenroll) {
224 uint8_t *auth_token;
225 uint32_t auth_token_length;
226 return verifyChallenge(uid, 0, enrolled_password_handle, enrolled_password_handle_length,
227 provided_password, provided_password_length,
228 &auth_token, &auth_token_length, request_reenroll);
229 }
230
verifyChallenge(uint32_t uid,uint64_t challenge,const uint8_t * enrolled_password_handle,uint32_t enrolled_password_handle_length,const uint8_t * provided_password,uint32_t provided_password_length,uint8_t ** auth_token,uint32_t * auth_token_length,bool * request_reenroll)231 virtual int verifyChallenge(uint32_t uid, uint64_t challenge,
232 const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
233 const uint8_t *provided_password, uint32_t provided_password_length,
234 uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
235 IPCThreadState* ipc = IPCThreadState::self();
236 const int calling_pid = ipc->getCallingPid();
237 const int calling_uid = ipc->getCallingUid();
238 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
239 return PERMISSION_DENIED;
240 }
241
242 // can't verify if we're missing either param
243 if ((enrolled_password_handle_length | provided_password_length) == 0)
244 return -EINVAL;
245
246 int ret;
247 if (hw_device != nullptr) {
248 const gatekeeper::password_handle_t *handle =
249 reinterpret_cast<const gatekeeper::password_handle_t *>(enrolled_password_handle);
250 // handle version 0 does not have hardware backed flag, and thus cannot be upgraded to
251 // a HAL if there was none before
252 if (handle->version == 0 || handle->hardware_backed) {
253 android::hardware::hidl_vec<uint8_t> curPwdHandle;
254 curPwdHandle.setToExternal(const_cast<uint8_t*>(enrolled_password_handle),
255 enrolled_password_handle_length);
256 android::hardware::hidl_vec<uint8_t> enteredPwd;
257 enteredPwd.setToExternal(const_cast<uint8_t*>(provided_password),
258 provided_password_length);
259 Return<void> hwRes = hw_device->verify(uid, challenge, curPwdHandle, enteredPwd,
260 [&ret, request_reenroll, auth_token, auth_token_length]
261 (const GatekeeperResponse &rsp) {
262 ret = static_cast<int>(rsp.code); // propagate errors
263 if (auth_token != nullptr && auth_token_length != nullptr &&
264 rsp.code >= GatekeeperStatusCode::STATUS_OK) {
265 *auth_token = new uint8_t[rsp.data.size()];
266 *auth_token_length = rsp.data.size();
267 memcpy(*auth_token, rsp.data.data(), *auth_token_length);
268 if (request_reenroll != nullptr) {
269 *request_reenroll = (rsp.code == GatekeeperStatusCode::STATUS_REENROLL);
270 }
271 ret = 0; // all success states are reported as 0
272 } else if (rsp.code == GatekeeperStatusCode::ERROR_RETRY_TIMEOUT &&
273 rsp.timeout > 0) {
274 ret = rsp.timeout;
275 }
276 });
277 if (!hwRes.isOk()) {
278 ALOGE("verify transaction failed\n");
279 ret = -1;
280 }
281 } else {
282 // upgrade scenario, a HAL has been added to this device where there was none before
283 SoftGateKeeperDevice soft_dev;
284 ret = soft_dev.verify(uid, challenge,
285 enrolled_password_handle, enrolled_password_handle_length,
286 provided_password, provided_password_length, auth_token, auth_token_length,
287 request_reenroll);
288
289 if (ret == 0) {
290 // success! re-enroll with HAL
291 *request_reenroll = true;
292 }
293 }
294 } else {
295 ret = soft_device->verify(uid, challenge,
296 enrolled_password_handle, enrolled_password_handle_length,
297 provided_password, provided_password_length, auth_token, auth_token_length,
298 request_reenroll);
299 }
300
301 if (ret == 0 && *auth_token != NULL && *auth_token_length > 0) {
302 // TODO: cache service?
303 sp<IServiceManager> sm = defaultServiceManager();
304 sp<IBinder> binder = sm->getService(String16("android.security.keystore"));
305 sp<IKeystoreService> service = interface_cast<IKeystoreService>(binder);
306 if (service != NULL) {
307 auto ret = service->addAuthToken(*auth_token, *auth_token_length);
308 if (!ret.isOk()) {
309 ALOGE("Failure sending auth token to KeyStore: %" PRId32, int32_t(ret));
310 }
311 } else {
312 ALOGE("Unable to communicate with KeyStore");
313 }
314 }
315
316 if (ret == 0) {
317 maybe_store_sid(uid, reinterpret_cast<const gatekeeper::password_handle_t *>(
318 enrolled_password_handle)->user_id);
319 }
320
321 return ret;
322 }
323
getSecureUserId(uint32_t uid)324 virtual uint64_t getSecureUserId(uint32_t uid) {
325 uint64_t sid = read_sid(uid);
326 if (sid == 0) {
327 // might be a work profile, look up the parent
328 sp<IServiceManager> sm = defaultServiceManager();
329 sp<IBinder> binder = sm->getService(String16("user"));
330 sp<IUserManager> um = interface_cast<IUserManager>(binder);
331 int32_t parent = um->getCredentialOwnerProfile(uid);
332 if (parent < 0) {
333 return 0;
334 } else if (parent != (int32_t) uid) {
335 return read_sid(parent);
336 }
337 }
338 return sid;
339
340 }
341
clearSecureUserId(uint32_t uid)342 virtual void clearSecureUserId(uint32_t uid) {
343 IPCThreadState* ipc = IPCThreadState::self();
344 const int calling_pid = ipc->getCallingPid();
345 const int calling_uid = ipc->getCallingUid();
346 if (!PermissionCache::checkPermission(KEYGUARD_PERMISSION, calling_pid, calling_uid)) {
347 ALOGE("%s: permission denied for [%d:%d]", __func__, calling_pid, calling_uid);
348 return;
349 }
350 clear_sid(uid);
351
352 if (hw_device != nullptr) {
353 hw_device->deleteUser(uid, [] (const GatekeeperResponse &){});
354 }
355 }
356
dump(int fd,const Vector<String16> &)357 virtual status_t dump(int fd, const Vector<String16> &) {
358 IPCThreadState* ipc = IPCThreadState::self();
359 const int pid = ipc->getCallingPid();
360 const int uid = ipc->getCallingUid();
361 if (!PermissionCache::checkPermission(DUMP_PERMISSION, pid, uid)) {
362 return PERMISSION_DENIED;
363 }
364
365 if (hw_device == NULL) {
366 const char *result = "Device not available";
367 write(fd, result, strlen(result) + 1);
368 } else {
369 const char *result = "OK";
370 write(fd, result, strlen(result) + 1);
371 }
372
373 return NO_ERROR;
374 }
375
376 private:
377 sp<IGatekeeper> hw_device;
378 UniquePtr<SoftGateKeeperDevice> soft_device;
379 };
380 }// namespace android
381
main(int argc,char * argv[])382 int main(int argc, char* argv[]) {
383 ALOGI("Starting gatekeeperd...");
384 if (argc < 2) {
385 ALOGE("A directory must be specified!");
386 return 1;
387 }
388 if (chdir(argv[1]) == -1) {
389 ALOGE("chdir: %s: %s", argv[1], strerror(errno));
390 return 1;
391 }
392
393 android::sp<android::IServiceManager> sm = android::defaultServiceManager();
394 android::sp<android::GateKeeperProxy> proxy = new android::GateKeeperProxy();
395 android::status_t ret = sm->addService(
396 android::String16("android.service.gatekeeper.IGateKeeperService"), proxy);
397 if (ret != android::OK) {
398 ALOGE("Couldn't register binder service!");
399 return -1;
400 }
401
402 /*
403 * We're the only thread in existence, so we're just going to process
404 * Binder transaction as a single-threaded program.
405 */
406 android::IPCThreadState::self()->joinThreadPool();
407 return 0;
408 }
409