diff --git a/HAL/keymaster/4.1/JavacardKeymaster4Device.cpp b/HAL/keymaster/4.1/JavacardKeymaster4Device.cpp
index 7e80740a..9df7b6d4 100644
--- a/HAL/keymaster/4.1/JavacardKeymaster4Device.cpp
+++ b/HAL/keymaster/4.1/JavacardKeymaster4Device.cpp
@@ -93,7 +93,7 @@ static inline std::unique_ptr& getTransportFacto
 if (!isEmulator) {
 std::string fingerprint = android::base::GetProperty(PROP_BUILD_FINGERPRINT, "");
 if (!fingerprint.empty()) {
- if (fingerprint.find(CUTTLEFISH_FINGERPRINT_SS, 0)) {
+ if (fingerprint.find(CUTTLEFISH_FINGERPRINT_SS, 0) != std::string::npos) {
 isEmulator = true;
 }
 }
diff --git a/HAL/keymaster/Android.bp b/HAL/keymaster/Android.bp
index cb88780c..9bfe7faa 100644
--- a/HAL/keymaster/Android.bp
+++ b/HAL/keymaster/Android.bp
@@ -87,11 +87,7 @@ cc_library {
 cc_library {
 name: "libjc_transport",
- host_supported: true,
 vendor_available: true,
- vndk: {
- enabled: true,
- },
 srcs: [
 "4.1/SocketTransport.cpp",
diff --git a/aosp_integration_patches/build_make.patch b/aosp_integration_patches/build_make.patch
deleted file mode 100644
index 6cdb7423..00000000
--- a/aosp_integration_patches/build_make.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-commit ef71f76d787eab8e5332a467a2e08e186acfdaa5
-Author: Manish Dwivedi
-Date: Tue Jun 29 01:42:20 2021 +0000
-
- aosp_master
-
- Change-Id: I82cb82e483f55608b9441f08c0a550bc6401822a
-
-diff --git a/target/product/gsi/current.txt b/target/product/gsi/current.txt
-index c753e6c3be..765ca558c9 100644
---- a/target/product/gsi/current.txt
-+++ b/target/product/gsi/current.txt
-@@ -113,6 +113,7 @@ VNDK-core: libgatekeeper.so
- VNDK-core: libgui.so
- VNDK-core: libhardware_legacy.so
- VNDK-core: libhidlallocatorutils.so
-+VNDK-core: libjc_transport.so
- VNDK-core: libjpeg.so
- VNDK-core: libldacBT_abr.so
- VNDK-core: libldacBT_enc.so
diff --git a/aosp_integration_patches/omapi_patches/JavacardKeymaster.patch b/aosp_integration_patches/omapi_patches/JavacardKeymaster.patch
new file mode 100644
index 00000000..cc06ca69
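Review bot: The `!fingerprint.empty()` guard around the corrected test in JavacardKeymaster4Device.cpp now looks redundant, because `find` on an empty string already returns `npos`; the nested lines could collapse to `isEmulator = fingerprint.find(CUTTLEFISH_FINGERPRINT_SS) != std::string::npos;`. Since `isEmulator` is computed inside `getTransportFactory`, it presumably decides which transport carries keymaster commands, so a comment such as `// Only Cuttlefish builds may use the emulator transport; every other build must reach the secure element.` would record why a wrong answer here matters. The function starts and ends outside the hunk, so the effect on transport selection is inferred rather than visible.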
--- /dev/null
+++ b/aosp_integration_patches/omapi_patches/JavacardKeymaster.patch
@@ -0,0 +1,330 @@
+diff --git a/HAL/keymaster/4.1/OmapiTransport.cpp b/HAL/keymaster/4.1/OmapiTransport.cpp
+index 5aaefc9..9466c84 100644
+--- a/HAL/keymaster/4.1/OmapiTransport.cpp
++++ b/HAL/keymaster/4.1/OmapiTransport.cpp
+@@ -14,36 +14,214 @@
+ ** See the License for the specific language governing permissions and
+ ** limitations under the License.
+ */
+-#include
+-#include
+-#include
+-#include
+-#include
++#include
++#include
++#include
++#include
++#include
+ #include
++
++#include
++
+ #include "Transport.h"
+
+-#define PORT 8080
+-#define IPADDR "10.9.40.24"
+ #define UNUSED_V(a) a=a
+
+ namespace se_transport {
+
+-bool OmapiTransport::openConnection() {
++class SEListener : public ::aidl::android::se::omapi::BnSecureElementListener {};
++
++bool OmapiTransport::initialize() {
++ std::vector readers = {};
++
++ LOG(DEBUG) << "Initialize the secure element connection";
++
++ // Get OMAPI vendor stable service handler
++ ::ndk::SpAIBinder ks2Binder(AServiceManager_getService(omapiServiceName));
++ omapiSeService = aidl::android::se::omapi::ISecureElementService::fromBinder(ks2Binder);
++
++ if (omapiSeService == nullptr) {
++ LOG(ERROR) << "Failed to start omapiSeService null";
++ return false;
++ }
++
++ // reset readers, clear readers if already existing
++ if (mVSReaders.size() > 0) {
++ closeConnection();
++ }
++
++ // Get available readers
++ auto status = omapiSeService->getReaders(&readers);
++ if (!status.isOk()) {
++ LOG(ERROR) << "getReaders failed to get available readers: " << status.getMessage();
++ return false;
++ }
++
++ // Get SE readers handlers
++ for (auto readerName : readers) {
++ std::shared_ptr<::aidl::android::se::omapi::ISecureElementReader> reader;
++ status = omapiSeService->getReader(readerName, &reader);
++ if (!status.isOk()) {
++ LOG(ERROR) << "getReader for " << readerName.c_str() << " Failed: "
++ << status.getMessage();
++ return false;
++ }
++
++ mVSReaders[readerName] = reader;
++ }
++
++ // Find eSE reader, as of now assumption is only eSE available on device
++ LOG(DEBUG) << "Finding eSE reader";
++ eSEReader = nullptr;
++ if (mVSReaders.size() > 0) {
++ for (const auto& [name, reader] : mVSReaders) {
++ if (name.find(ESE_READER_PREFIX, 0) != std::string::npos) {
++ LOG(DEBUG) << "eSE reader found: " << name;
++ eSEReader = reader;
++ }
++ }
++ }
++
++ if (eSEReader == nullptr) {
++ LOG(ERROR) << "secure element reader " << ESE_READER_PREFIX << " not found";
++ return false;
++ }
++
+ return true;
+ }
+
+-bool OmapiTransport::sendData(const uint8_t* inData, const size_t inLen, std::vector& output) {
+- std::vector test(inData, inData+inLen);
+- output = std::move(test);
++bool OmapiTransport::internalTransmitApdu(
++ std::shared_ptr reader,
++ std::vector apdu, std::vector& transmitResponse) {
++ std::shared_ptr session;
++ std::shared_ptr channel;
++ auto mSEListener = std::make_shared();
++ std::vector selectResponse = {};
++ std::vector SELECTABLE_AID = {0xA0, 0x00, 0x00, 0x04, 0x76, 0x41, 0x6E, 0x64,
++ 0x72, 0x6F, 0x69, 0x64, 0x43, 0x54, 0x53, 0x31};
++
++ LOG(DEBUG) << "internalTransmitApdu: trasmitting data to secure element";
++
++ if (reader == nullptr) {
++ LOG(ERROR) << "eSE reader is null";
++ return false;
++ }
++
++ bool status = false;
++ auto res = reader->isSecureElementPresent(&status);
++ if (!res.isOk()) {
++ LOG(ERROR) << "isSecureElementPresent error: " << res.getMessage();
++ return false;
++ }
++ if (!status) {
++ LOG(ERROR) << "secure element not found";
++ return false;
++ }
++
++ res = reader->openSession(&session);
++ if (!res.isOk()) {
++ LOG(ERROR) << "openSession error: " << res.getMessage();
++ return false;
++ }
++ if (session == nullptr) {
++ LOG(ERROR) << "Could not open session null";
++ return false;
++ }
++
++ res = session->openLogicalChannel(SELECTABLE_AID, 0x00, mSEListener, &channel);
++ if (!res.isOk()) {
++ LOG(ERROR) << "openLogicalChannel error: " << res.getMessage();
++ return false;
++ }
++ if (channel == nullptr) {
++ LOG(ERROR) << "Could not open channel null";
++ return false;
++ }
++
++ res = channel->getSelectResponse(&selectResponse);
++ if (!res.isOk()) {
++ LOG(ERROR) << "getSelectResponse error: " << res.getMessage();
++ return false;
++ }
++ if (selectResponse.size() < 2) {
++ LOG(ERROR) << "getSelectResponse size error";
++ return false;
++ }
++
++ res = channel->transmit(apdu, &transmitResponse);
++ if (channel != nullptr) channel->close();
++ if (session != nullptr) session->close();
++
++ LOG(INFO) << "STATUS OF TRNSMIT: " << res.getExceptionCode() << " Message: "
++ << res.getMessage();
++ if (!res.isOk()) {
++ LOG(ERROR) << "transmit error: " << res.getMessage();
++ return false;
++ }
++
+ return true;
+ }
+
++bool OmapiTransport::openConnection() {
++
++ // if already conection setup done, no need to initialise it again.
++ if (isConnected()) {
++ return true;
++ }
++
++ return initialize();
++}
++
++bool OmapiTransport::sendData(const uint8_t* inData, const size_t inLen,
++ std::vector& output) {
++ std::vector apdu(inData, inData+inLen);
++
++ if (!isConnected()) {
++ // Try to initialize connection to eSE
++ LOG(INFO) << "Failed to send data, try to initialize connection SE connection";
++ if (!initialize()) {
++ LOG(ERROR) << "Failed to send data, initialization not completed";
++ closeConnection();
++ return false;
++ }
++ }
++
++ if (inData == NULL) {
++ LOG(ERROR) << "Failed to send data, APDU is null";
++ return false;
++ }
++
++ if (eSEReader != nullptr) {
++ LOG(DEBUG) << "Sending apdu data to secure element: " << ESE_READER_PREFIX;
++ return internalTransmitApdu(eSEReader, apdu, output);
++ } else {
++ LOG(ERROR) << "secure element reader " << ESE_READER_PREFIX << " not found";
++ return false;
++ }
++}
++
+ bool OmapiTransport::closeConnection() {
++ LOG(DEBUG) << "Closing all connections";
++ if (omapiSeService != nullptr) {
++ if (mVSReaders.size() > 0) {
++ for (const auto& [name, reader] : mVSReaders) {
++ reader->closeSessions();
++ }
++ mVSReaders.clear();
++ }
++ }
+ return true;
+ }
+
+ bool OmapiTransport::isConnected() {
+- return true;
++ // Check already initialization completed or not
++ if (omapiSeService != nullptr && eSEReader != nullptr) {
++ LOG(DEBUG) << "Connection initialization already completed";
++ return true;
++ }
++
++ LOG(DEBUG) << "Connection initialization not completed";
++ return false;
+ }
+
+ }
+diff --git a/HAL/keymaster/Android.bp b/HAL/keymaster/Android.bp
+index 9bfe7fa..33f255f 100644
+--- a/HAL/keymaster/Android.bp
++++ b/HAL/keymaster/Android.bp
+@@ -47,6 +47,8 @@ cc_binary {
+ "libjc_transport",
+ "libjc_common",
+ "libcrypto",
++ "libbinder_ndk",
++ "android.se.omapi-V1-ndk",
+ ],
+ required: [
+ "android.hardware.strongbox_keystore.xml",
+@@ -82,6 +84,8 @@ cc_library {
+ "android.hardware.keymaster@4.0",
+ "libjc_transport",
+ "libcrypto",
++ "libbinder_ndk",
++ "android.se.omapi-V1-ndk",
+ ],
+ }
+
+@@ -100,6 +104,8 @@ cc_library {
+ "libbinder",
+ "libbase",
+ "liblog",
++ "libbinder_ndk",
++ "android.se.omapi-V1-ndk",
+ ],
+ }
+
+diff --git a/HAL/keymaster/include/Transport.h b/HAL/keymaster/include/Transport.h
+index c6674dc..b4f67c7 100644
+--- a/HAL/keymaster/include/Transport.h
++++ b/HAL/keymaster/include/Transport.h
+@@ -17,6 +17,16 @@
+ #ifndef __SE_TRANSPORT__
+ #define __SE_TRANSPORT__
+
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++#include
++
+ namespace se_transport {
+
+ /**
+@@ -30,7 +40,7 @@ class ITransport {
+ /**
+ * Opens connection.
+ */
+- virtual bool openConnection() = 0;
++ virtual bool openConnection() = 0;
+ /**
+ * Send data over communication channel and receives data back from the remote end.
+ */
+@@ -59,7 +69,7 @@ public:
+ * Gets the binder instance of ISEService, gets the reader corresponding to secure element, establishes a session
+ * and opens a basic channel.
+ */
+- bool openConnection() override;
++ bool openConnection() override;
+ /**
+ * Transmists the data over the opened basic channel and receives the data back.
+ */
+@@ -75,6 +85,19 @@ public:
+ */
+ bool isConnected() override;
+
++private:
++ std::shared_ptr omapiSeService = nullptr;
++ std::shared_ptr eSEReader = nullptr;
++ std::map>
++ mVSReaders = {};
++ std::string const ESE_READER_PREFIX = "eSE";
++ constexpr static const char omapiServiceName[] =
++ "android.system.omapi.ISecureElementService/default";
++
++ bool initialize();
++ bool internalTransmitApdu(
++ std::shared_ptr reader,
++ std::vector apdu, std::vector& transmitResponse);
+ };
+
+ class SocketTransport : public ITransport {
+@@ -85,7 +108,7 @@ public:
+ /**
+ * Creates a socket instance and connects to the provided server IP and port.
+ */
+- bool openConnection() override;
++ bool openConnection() override;
+ /**
+ * Sends data over socket and receives data back.
+ */
diff --git a/aosp_integration_patches/omapi_patches/packages_apps_secureElement.patch b/aosp_integration_patches/omapi_patches/packages_apps_secureElement.patch
new file mode 100644
index 00000000..68879424
--- /dev/null
+++ b/aosp_integration_patches/omapi_patches/packages_apps_secureElement.patch
@@ -0,0 +1,25 @@
+diff --git a/Android.bp b/Android.bp
+index f86ad26..afea5c6 100644
+--- a/Android.bp
++++ b/Android.bp
+@@ -42,6 +42,9 @@ android_app {
+ "src/**/*.java",
+ ":statslog-secure-element-java-gen",
+ ],
++ vintf_fragments: [
++ "secure_element-service.xml",
++ ],
+ platform_apis: true,
+ certificate: "platform",
+ static_libs: ["android.hardware.secure_element-V1.0-java",
+diff --git a/res/values/config.xml b/res/values/config.xml
+index 5811b10..da6e50e 100644
+--- a/res/values/config.xml
++++ b/res/values/config.xml
+@@ -6,5 +6,5 @@
+
+
+- false
++ true
+
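Review bot: In the new `OmapiTransport::sendData` (JavacardKeymaster.patch), `apdu(inData, inData+inLen)` is constructed before the `inData == NULL` test, so a null buffer with a non-zero length is read before it can be rejected; the null check should be the first statement of the function and the vector built after it. In `internalTransmitApdu`, every `return false` taken after `openSession` has succeeded (failed or null `openLogicalChannel`, `getSelectResponse` error, short select response) leaves the session and any opened channel unclosed, and they are only released on the path that reaches `transmit`. Secure elements usually expose only a handful of logical channels, so repeated failures here could starve later keymaster requests until `closeSessions()` runs. Closing both on every exit, as sketched below, keeps the failure paths symmetric with the success path.

```cpp
// … unchanged: reader/presence checks and openSession handling …
    // Release the channel and session on every exit once the session exists.
    auto closeAll = [&channel, &session]() {
        if (channel != nullptr) channel->close();
        if (session != nullptr) session->close();
    };

    res = session->openLogicalChannel(SELECTABLE_AID, 0x00, mSEListener, &channel);
    if (!res.isOk() || channel == nullptr) {
        LOG(ERROR) << "openLogicalChannel error: " << res.getMessage();
        closeAll();
        return false;
    }

    res = channel->getSelectResponse(&selectResponse);
    if (!res.isOk() || selectResponse.size() < 2) {
        LOG(ERROR) << "getSelectResponse error: " << res.getMessage();
        closeAll();
        return false;
    }

    res = channel->transmit(apdu, &transmitResponse);
    closeAll();
// … unchanged: status logging and result check …
```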
diff --git a/aosp_integration_patches_aosp_12_r15/device_google_cuttlefish.patch b/aosp_integration_patches_aosp_12_r15/device_google_cuttlefish.patch
new file mode 100644
index 00000000..c398e917
--- /dev/null
+++ b/aosp_integration_patches_aosp_12_r15/device_google_cuttlefish.patch
@@ -0,0 +1,60 @@
+diff --git a/shared/device.mk b/shared/device.mk
+index 8647d0175..6fc99ff94 100644
+--- a/shared/device.mk
++++ b/shared/device.mk
+@@ -538,6 +538,10 @@ endif
+ PRODUCT_PACKAGES += \
+ $(LOCAL_KEYMINT_PRODUCT_PACKAGE)
+
++PRODUCT_PACKAGES += \
++ android.hardware.keymaster@4.1-strongbox.service \
++
++
+ # Keymint configuration
+ PRODUCT_COPY_FILES += \
+ frameworks/native/data/etc/android.software.device_id_attestation.xml:$(TARGET_COPY_OUT_VENDOR)/etc/permissions/android.software.device_id_attestation.xml
+diff --git a/shared/sepolicy/vendor/file_contexts b/shared/sepolicy/vendor/file_contexts
+index 20538a50f..553232889 100644
+--- a/shared/sepolicy/vendor/file_contexts
++++ b/shared/sepolicy/vendor/file_contexts
+@@ -88,6 +88,7 @@
+ /vendor/bin/hw/android\.hardware\.thermal@2\.0-service\.mock u:object_r:hal_thermal_default_exec:s0
+ /vendor/bin/hw/android\.hardware\.security\.keymint-service\.remote u:object_r:hal_keymint_remote_exec:s0
+ /vendor/bin/hw/android\.hardware\.keymaster@4\.1-service.remote u:object_r:hal_keymaster_remote_exec:s0
++/vendor/bin/hw/android\.hardware\.keymaster@4\.1-strongbox\.service u:object_r:hal_keymaster_strongbox_exec:s0
+ /vendor/bin/hw/android\.hardware\.gatekeeper@1\.0-service.remote u:object_r:hal_gatekeeper_remote_exec:s0
+ /vendor/bin/hw/android\.hardware\.oemlock-service.example u:object_r:hal_oemlock_default_exec:s0
+ /vendor/bin/hw/android\.hardware\.weaver-service.example u:object_r:hal_weaver_default_exec:s0
+diff --git a/shared/sepolicy/vendor/hal_keymaster_strongbox.te b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
+new file mode 100644
+index 000000000..1412e07fd
+--- /dev/null
++++ b/shared/sepolicy/vendor/hal_keymaster_strongbox.te
+@@ -0,0 +1,15 @@
++type hal_keymaster_strongbox, domain;
++hal_server_domain(hal_keymaster_strongbox, hal_keymaster)
++
++type hal_keymaster_strongbox_exec, exec_type, vendor_file_type, file_type;
++init_daemon_domain(hal_keymaster_strongbox)
++
++vndbinder_use(hal_keymaster_strongbox)
++get_prop(hal_keymaster_strongbox, vendor_security_patch_level_prop);
++
++# Allow access to sockets
++allow hal_keymaster_strongbox self:tcp_socket { connect create write read getattr getopt setopt };
++allow hal_keymaster_strongbox port_type:tcp_socket name_connect;
++allow hal_keymaster_strongbox port:tcp_socket { name_connect };
++allow hal_keymaster_strongbox vendor_data_file:file { open read getattr };
++
+diff --git a/shared/sepolicy/vendor/service_contexts b/shared/sepolicy/vendor/service_contexts
+index d20d026cf..214576e3e 100644
+--- a/shared/sepolicy/vendor/service_contexts
++++ b/shared/sepolicy/vendor/service_contexts
+@@ -4,6 +4,7 @@ android.hardware.neuralnetworks.IDevice/nnapi-sample_float_slow u:object_r:hal_n
+ android.hardware.neuralnetworks.IDevice/nnapi-sample_minimal u:object_r:hal_neuralnetworks_service:s0
+ android.hardware.neuralnetworks.IDevice/nnapi-sample_quant u:object_r:hal_neuralnetworks_service:s0
+ android.hardware.neuralnetworks.IDevice/nnapi-sample_sl_shim u:object_r:hal_neuralnetworks_service:s0
++android.hardware.keymaster@4.1::IKeymasterDevice/strongbox u:object_r:hal_keymaster_service:s0
+
+ # Binder service mappings
+ gce u:object_r:gce_service:s0
diff --git a/aosp_integration_patches_aosp_12_r15/hardware_interfaces_keymaster.patch b/aosp_integration_patches_aosp_12_r15/hardware_interfaces_keymaster.patch
new file mode 100644
index 00000000..dd6d8326
--- /dev/null
+++ b/aosp_integration_patches_aosp_12_r15/hardware_interfaces_keymaster.patch
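Review bot: The new `hal_keymaster_strongbox.te` grants `allow hal_keymaster_strongbox port_type:tcp_socket name_connect;`, which lets the StrongBox keymaster HAL domain open TCP connections to every labelled port rather than only the endpoint its socket transport needs. The `port:tcp_socket { name_connect }` rule on the next line appears to be subsumed by it. Consider dropping the `port_type` rule and connecting only to a dedicated port label, e.g. `allow hal_keymaster_strongbox <applet_server_port_type>:tcp_socket name_connect;` (placeholder type name), so a compromised HAL process cannot reach arbitrary services. The `vendor_data_file:file { open read getattr }` rule would also benefit from a comment naming the file it exists for, since `vendor_data_file` is a broad label.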
@@ -0,0 +1,36 @@
+diff --git a/keymaster/4.0/vts/functional/Android.bp b/keymaster/4.0/vts/functional/Android.bp
+index a7be660c4..dd91e9089 100644
+--- a/keymaster/4.0/vts/functional/Android.bp
++++ b/keymaster/4.0/vts/functional/Android.bp
+@@ -31,9 +31,11 @@ cc_test {
+ "VerificationTokenTest.cpp",
+ "keymaster_hidl_hal_test.cpp",
+ ],
++ shared_libs: [
++ "libcrypto",
++ ],
+ static_libs: [
+ "android.hardware.keymaster@4.0",
+- "libcrypto_static",
+ "libkeymaster4support",
+ "libkeymaster4vtstest",
+ ],
+diff --git a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+index 476eed8b1..823683d75 100644
+--- a/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
++++ b/keymaster/4.0/vts/functional/keymaster_hidl_hal_test.cpp
+@@ -1079,9 +1079,12 @@ TEST_P(SigningOperationsTest, RsaPaddingNoneDoesNotAllowOther) {
+ * presented.
+ */
+ TEST_P(SigningOperationsTest, NoUserConfirmation) {
+- if (SecLevel() == SecurityLevel::STRONGBOX) return;
++ size_t key_size = 1024;
++ if (SecLevel() == SecurityLevel::STRONGBOX){
++ key_size = 2048;
++ }
+ ASSERT_EQ(ErrorCode::OK, GenerateKey(AuthorizationSetBuilder()
+- .RsaSigningKey(1024, 65537)
++ .RsaSigningKey(key_size, 65537)
+ .Digest(Digest::NONE)
+ .Padding(PaddingMode::NONE)
+ .Authorization(TAG_NO_AUTH_REQUIRED)
diff --git a/aosp_integration_patches_aosp_12_r15/system_security_keystore2.patch b/aosp_integration_patches_aosp_12_r15/system_security_keystore2.patch
new file mode 100644
index 00000000..22956d5e
--- /dev/null
+++ b/aosp_integration_patches_aosp_12_r15/system_security_keystore2.patch
@@ -0,0 +1,13 @@
+diff --git a/keystore2/src/km_compat/km_compat.cpp b/keystore2/src/km_compat/km_compat.cpp
+index 64849c1..40ca554 100644
+--- a/keystore2/src/km_compat/km_compat.cpp
++++ b/keystore2/src/km_compat/km_compat.cpp
+@@ -1314,7 +1314,7 @@ KeymasterDevices initializeKeymasters() {
+ CHECK(serviceManager.get()) << "Failed to get ServiceManager";
+ auto result = enumerateKeymasterDevices(serviceManager.get());
+ auto softKeymaster = result[SecurityLevel::SOFTWARE];
+- if (!result[SecurityLevel::TRUSTED_ENVIRONMENT]) {
++ if ((!result[SecurityLevel::TRUSTED_ENVIRONMENT]) && (!result[SecurityLevel::STRONGBOX])) {
+ result = enumerateKeymasterDevices(serviceManager.get());
+ }
+ if (softKeymaster) result[SecurityLevel::SOFTWARE] = softKeymaster;
diff --git a/aosp_integration_patches_aosp_12_r15/system_sepolicy.patch b/aosp_integration_patches_aosp_12_r15/system_sepolicy.patch
new file mode 100644
index 00000000..8f40193c
--- /dev/null
+++ b/aosp_integration_patches_aosp_12_r15/system_sepolicy.patch
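Review bot: With the new condition in `initializeKeymasters()`, a device whose first enumeration finds a STRONGBOX instance but no TRUSTED_ENVIRONMENT instance now skips the fallback enumeration entirely, so its TEE slot stays empty. If the aim is only to stop the fallback from discarding the StrongBox entry (the fallback assigns over `result`), the pattern already used for `softKeymaster` does that without changing when the fallback runs: add `auto strongbox = result[SecurityLevel::STRONGBOX];` before the `if`, keep the original `if (!result[SecurityLevel::TRUSTED_ENVIRONMENT])`, and add `if (strongbox) result[SecurityLevel::STRONGBOX] = strongbox;` after it. The function continues outside the hunk, so how an empty TEE slot is treated later is not visible here.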
@@ -0,0 +1,40 @@
+diff --git a/prebuilts/api/31.0/public/hal_neverallows.te b/prebuilts/api/31.0/public/hal_neverallows.te
+index 105689b8a..d7dc6baaf 100644
+--- a/prebuilts/api/31.0/public/hal_neverallows.te
++++ b/prebuilts/api/31.0/public/hal_neverallows.te
+@@ -2,6 +2,7 @@
+ # network capabilities
+ neverallow {
+ halserverdomain
++ -hal_keymaster_server
+ -hal_bluetooth_server
+ -hal_can_controller_server
+ -hal_wifi_server
+@@ -19,6 +20,7 @@ neverallow {
+ # will result in CTS failure.
+ neverallow {
+ halserverdomain
++ -hal_keymaster_server
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
+diff --git a/public/hal_neverallows.te b/public/hal_neverallows.te
+index 105689b8a..d7dc6baaf 100644
+--- a/public/hal_neverallows.te
++++ b/public/hal_neverallows.te
+@@ -2,6 +2,7 @@
+ # network capabilities
+ neverallow {
+ halserverdomain
++ -hal_keymaster_server
+ -hal_bluetooth_server
+ -hal_can_controller_server
+ -hal_wifi_server
+@@ -19,6 +20,7 @@ neverallow {
+ # will result in CTS failure.
+ neverallow {
+ halserverdomain
++ -hal_keymaster_server
+ -hal_automotive_socket_exemption
+ -hal_can_controller_server
+ -hal_tetheroffload_server
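Review bot: Adding `-hal_keymaster_server` to both `neverallow` blocks of `hal_neverallows.te` exempts every domain that carries that attribute from the no-network rules for HAL servers, not just the new StrongBox HAL, so any other keymaster HAL on the same image loses this guard too. The second block's own context line warns that changes here `will result in CTS failure`, and the same edit is applied under `prebuilts/api/31.0`, which appears to be a frozen API snapshot. A narrower approach would follow the `hal_automotive_socket_exemption` entry already visible in the second block: define a dedicated exemption attribute, e.g. `-<strongbox_socket_exemption>` (placeholder name), attach it only to the StrongBox domain, and limit it to emulator or test builds. A comment next to the exemption stating that it exists for the socket transport to the applet server would make the exception auditable.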