Patches for aosp_12 branch

HAL/keymaster/4.1/JavacardKeymaster4Device.cpp

@@ -93,7 +93,7 @@ static inline std::unique_ptr<se_transport::TransportFactory>& getTransportFacto
         if (!isEmulator) {
             std::string fingerprint = android::base::GetProperty(PROP_BUILD_FINGERPRINT, "");
             if (!fingerprint.empty()) {
-                if (fingerprint.find(CUTTLEFISH_FINGERPRINT_SS, 0)) {
+                if (fingerprint.find(CUTTLEFISH_FINGERPRINT_SS, 0) != std::string::npos) {
                     isEmulator = true;
                 }
             }

HAL/keymaster/Android.bp

@@ -87,11 +87,7 @@ cc_library {
 
 cc_library {
     name: "libjc_transport",
-    host_supported: true,
     vendor_available: true,
-    vndk: {
-        enabled: true,
-    },
 
     srcs: [
         "4.1/SocketTransport.cpp",

aosp_integration_patches/omapi_patches/JavacardKeymaster.patch

@@ -0,0 +1,330 @@
+diff --git a/HAL/keymaster/4.1/OmapiTransport.cpp b/HAL/keymaster/4.1/OmapiTransport.cpp
+index 5aaefc9..9466c84 100644
+--- a/HAL/keymaster/4.1/OmapiTransport.cpp
++++ b/HAL/keymaster/4.1/OmapiTransport.cpp
+@@ -14,36 +14,214 @@
+  ** See the License for the specific language governing permissions and
+  ** limitations under the License.
+  */
+-#include <stdio.h> 
+-#include <sys/socket.h> 
+-#include <arpa/inet.h> 
+-#include <unistd.h> 
+-#include <string.h> 
++#include <stdio.h>
++#include <sys/socket.h>
++#include <arpa/inet.h>
++#include <unistd.h>
++#include <string.h>
+ #include <vector>
++
++#include <android-base/logging.h>
++
+ #include "Transport.h"
+
+-#define PORT    8080
+-#define IPADDR  "10.9.40.24"
+ #define UNUSED_V(a) a=a
+
+ namespace se_transport {
+
+-bool OmapiTransport::openConnection() {
++class SEListener : public ::aidl::android::se::omapi::BnSecureElementListener {};
++
++bool OmapiTransport::initialize() {
++    std::vector<std::string> readers = {};
++
++    LOG(DEBUG) << "Initialize the secure element connection";
++
++    // Get OMAPI vendor stable service handler
++    ::ndk::SpAIBinder ks2Binder(AServiceManager_getService(omapiServiceName));
++    omapiSeService = aidl::android::se::omapi::ISecureElementService::fromBinder(ks2Binder);
++
++    if (omapiSeService == nullptr) {
++        LOG(ERROR) << "Failed to start omapiSeService null";
++        return false;
++    }
++
++    // reset readers, clear readers if already existing
++    if (mVSReaders.size() > 0) {
++        closeConnection();
++    }
++
++    // Get available readers
++    auto status = omapiSeService->getReaders(&readers);
++    if (!status.isOk()) {
++        LOG(ERROR) << "getReaders failed to get available readers: " << status.getMessage();
++        return false;
++    }
++
++    // Get SE readers handlers
++    for (auto readerName : readers) {
++        std::shared_ptr<::aidl::android::se::omapi::ISecureElementReader> reader;
++        status = omapiSeService->getReader(readerName, &reader);
++        if (!status.isOk()) {
++            LOG(ERROR) << "getReader for " << readerName.c_str() << " Failed: "
++                       << status.getMessage();
++            return false;
++        }
++
++        mVSReaders[readerName] = reader;
++    }
++
++    // Find eSE reader, as of now assumption is only eSE available on device
++    LOG(DEBUG) << "Finding eSE reader";
++    eSEReader = nullptr;
++    if (mVSReaders.size() > 0) {
++        for (const auto& [name, reader] : mVSReaders) {
++            if (name.find(ESE_READER_PREFIX, 0) != std::string::npos) {
++                LOG(DEBUG) << "eSE reader found: " << name;
++                eSEReader = reader;
++            }
++        }
++    }
++
++    if (eSEReader == nullptr) {
++        LOG(ERROR) << "secure element reader " << ESE_READER_PREFIX << " not found";
++        return false;
++    }
++
+     return true;
+ }
+
+-bool OmapiTransport::sendData(const uint8_t* inData, const size_t inLen, std::vector<uint8_t>& output) {
+-    std::vector<uint8_t> test(inData, inData+inLen);
+-    output = std::move(test);
++bool OmapiTransport::internalTransmitApdu(
++        std::shared_ptr<aidl::android::se::omapi::ISecureElementReader> reader,
++        std::vector<uint8_t> apdu, std::vector<uint8_t>& transmitResponse) {
++    std::shared_ptr<aidl::android::se::omapi::ISecureElementSession> session;
++    std::shared_ptr<aidl::android::se::omapi::ISecureElementChannel> channel;
++    auto mSEListener = std::make_shared<SEListener>();
++    std::vector<uint8_t> selectResponse = {};
++    std::vector<uint8_t> SELECTABLE_AID = {0xA0, 0x00, 0x00, 0x04, 0x76, 0x41, 0x6E, 0x64,
++        0x72, 0x6F, 0x69, 0x64, 0x43, 0x54, 0x53, 0x31};
++
++    LOG(DEBUG) << "internalTransmitApdu: trasmitting data to secure element";
++
++    if (reader == nullptr) {
++        LOG(ERROR) << "eSE reader is null";
++        return false;
++    }
++
++    bool status = false;
++    auto res = reader->isSecureElementPresent(&status);
++    if (!res.isOk()) {
++        LOG(ERROR) << "isSecureElementPresent error: " << res.getMessage();
++        return false;
++    }
++    if (!status) {
++        LOG(ERROR) << "secure element not found";
++        return false;
++    }
++
++    res = reader->openSession(&session);
++    if (!res.isOk()) {
++        LOG(ERROR) << "openSession error: " << res.getMessage();
++        return false;
++    }
++    if (session == nullptr) {
++        LOG(ERROR) << "Could not open session null";
++        return false;
++    }
++
++    res = session->openLogicalChannel(SELECTABLE_AID, 0x00, mSEListener, &channel);
++    if (!res.isOk()) {
++        LOG(ERROR) << "openLogicalChannel error: " << res.getMessage();
++        return false;
++    }
++    if (channel == nullptr) {
++        LOG(ERROR) << "Could not open channel null";
++        return false;
++    }
++
++    res = channel->getSelectResponse(&selectResponse);
++    if (!res.isOk()) {
++        LOG(ERROR) << "getSelectResponse error: " << res.getMessage();
++        return false;
++    }
++    if (selectResponse.size() < 2) {
++        LOG(ERROR) << "getSelectResponse size error";
++        return false;
++    }
++
++    res = channel->transmit(apdu, &transmitResponse);
++    if (channel != nullptr) channel->close();
++    if (session != nullptr) session->close();
++
++    LOG(INFO) << "STATUS OF TRNSMIT: " << res.getExceptionCode() << " Message: "
++              << res.getMessage();
++    if (!res.isOk()) {
++        LOG(ERROR) << "transmit error: " << res.getMessage();
++        return false;
++    }
++
+     return true;
+ }
+
++bool OmapiTransport::openConnection() {
++
++    // if already conection setup done, no need to initialise it again.
++    if (isConnected()) {
++        return true;
++    }
++
++    return initialize();
++}
++
++bool OmapiTransport::sendData(const uint8_t* inData, const size_t inLen,
++                              std::vector<uint8_t>& output) {
++    std::vector<uint8_t> apdu(inData, inData+inLen);
++
++    if (!isConnected()) {
++        // Try to initialize connection to eSE
++        LOG(INFO) << "Failed to send data, try to initialize connection SE connection";
++        if (!initialize()) {
++            LOG(ERROR) << "Failed to send data, initialization not completed";
++            closeConnection();
++            return false;
++        }
++    }
++
++    if (inData == NULL) {
++        LOG(ERROR) << "Failed to send data, APDU is null";
++        return false;
++    }
++
++    if (eSEReader != nullptr) {
++        LOG(DEBUG) << "Sending apdu data to secure element: " << ESE_READER_PREFIX;
++        return internalTransmitApdu(eSEReader, apdu, output);
++    } else {
++        LOG(ERROR) << "secure element reader " << ESE_READER_PREFIX << " not found";
++        return false;
++    }
++}
++
+ bool OmapiTransport::closeConnection() {
++    LOG(DEBUG) << "Closing all connections";
++    if (omapiSeService != nullptr) {
++        if (mVSReaders.size() > 0) {
++            for (const auto& [name, reader] : mVSReaders) {
++                reader->closeSessions();
++            }
++            mVSReaders.clear();
++        }
++    }
+     return true;
+ }
+
+ bool OmapiTransport::isConnected() {
+-    return true;
++    // Check already initialization completed or not
++    if (omapiSeService != nullptr && eSEReader != nullptr) {
++        LOG(DEBUG) << "Connection initialization already completed";
++        return true;
++    }
++
++    LOG(DEBUG) << "Connection initialization not completed";
++    return false;
+ }
+
+ }
+diff --git a/HAL/keymaster/Android.bp b/HAL/keymaster/Android.bp
+index 9bfe7fa..33f255f 100644
+--- a/HAL/keymaster/Android.bp
++++ b/HAL/keymaster/Android.bp
+@@ -47,6 +47,8 @@ cc_binary {
+         "libjc_transport",
+         "libjc_common",
+         "libcrypto",
++        "libbinder_ndk",
++        "android.se.omapi-V1-ndk",
+     ],
+     required: [
+         "android.hardware.strongbox_keystore.xml",
+@@ -82,6 +84,8 @@ cc_library {
+         "android.hardware.keymaster@4.0",
+         "libjc_transport",
+ 	"libcrypto",
++        "libbinder_ndk",
++        "android.se.omapi-V1-ndk",
+     ],
+ }
+
+@@ -100,6 +104,8 @@ cc_library {
+         "libbinder",
+         "libbase",
+         "liblog",
++        "libbinder_ndk",
++        "android.se.omapi-V1-ndk",
+     ],
+ }
+
+diff --git a/HAL/keymaster/include/Transport.h b/HAL/keymaster/include/Transport.h
+index c6674dc..b4f67c7 100644
+--- a/HAL/keymaster/include/Transport.h
++++ b/HAL/keymaster/include/Transport.h
+@@ -17,6 +17,16 @@
+ #ifndef __SE_TRANSPORT__
+ #define __SE_TRANSPORT__
+
++#include <aidl/android/se/omapi/BnSecureElementListener.h>
++#include <aidl/android/se/omapi/ISecureElementChannel.h>
++#include <aidl/android/se/omapi/ISecureElementListener.h>
++#include <aidl/android/se/omapi/ISecureElementReader.h>
++#include <aidl/android/se/omapi/ISecureElementService.h>
++#include <aidl/android/se/omapi/ISecureElementSession.h>
++#include <android/binder_manager.h>
++
++#include <map>
++
+ namespace se_transport {
+
+ /**
+@@ -30,7 +40,7 @@ class ITransport {
+     /**
+      * Opens connection.
+      */
+-	virtual bool openConnection() = 0;
++      virtual bool openConnection() = 0;
+     /**
+      * Send data over communication channel and receives data back from the remote end.
+      */
+@@ -59,7 +69,7 @@ public:
+      * Gets the binder instance of ISEService, gets the reader corresponding to secure element, establishes a session
+      * and opens a basic channel.
+      */
+-	bool openConnection() override;
++      bool openConnection() override;
+     /**
+      * Transmists the data over the opened basic channel and receives the data back.
+      */
+@@ -75,6 +85,19 @@ public:
+      */
+     bool isConnected() override;
+
++private:
++    std::shared_ptr<aidl::android::se::omapi::ISecureElementService> omapiSeService = nullptr;
++    std::shared_ptr<aidl::android::se::omapi::ISecureElementReader> eSEReader = nullptr;
++    std::map<std::string, std::shared_ptr<aidl::android::se::omapi::ISecureElementReader>>
++            mVSReaders = {};
++    std::string const ESE_READER_PREFIX = "eSE";
++    constexpr static const char omapiServiceName[] =
++            "android.system.omapi.ISecureElementService/default";
++
++    bool initialize();
++    bool internalTransmitApdu(
++            std::shared_ptr<aidl::android::se::omapi::ISecureElementReader> reader,
++            std::vector<uint8_t> apdu, std::vector<uint8_t>& transmitResponse);
+ };
+
+ class SocketTransport : public ITransport {
+@@ -85,7 +108,7 @@ public:
+     /**
+      * Creates a socket instance and connects to the provided server IP and port.
+      */
+-	bool openConnection() override;
++      bool openConnection() override;
+     /**
+      * Sends data over socket and receives data back.
+      */

aosp_integration_patches/omapi_patches/packages_apps_secureElement.patch

@@ -0,0 +1,25 @@
+diff --git a/Android.bp b/Android.bp
+index f86ad26..afea5c6 100644
+--- a/Android.bp
++++ b/Android.bp
+@@ -42,6 +42,9 @@ android_app {
+         "src/**/*.java",
+         ":statslog-secure-element-java-gen",
+     ],
++    vintf_fragments: [
++        "secure_element-service.xml",
++    ],
+     platform_apis: true,
+     certificate: "platform",
+     static_libs: ["android.hardware.secure_element-V1.0-java",
+diff --git a/res/values/config.xml b/res/values/config.xml
+index 5811b10..da6e50e 100644
+--- a/res/values/config.xml
++++ b/res/values/config.xml
+@@ -6,5 +6,5 @@
+
+     <!-- To enable vendor stable service, set this to true and
+          make sure its vntf manifest entry is also configured. -->
+-    <bool name="secure_element_vintf_enabled">false</bool>
++    <bool name="secure_element_vintf_enabled">true</bool>
+ </resources>