From b9b2830c8127008a742ba9529a6a64d8d87deb18 Mon Sep 17 00:00:00 2001
From: Alice Wang
Date: Wed, 31 Jul 2024 18:41:00 +0000
Subject: [PATCH] [km] Add a new rust binary for non-secure KeyMint host

The new binary sets non-secure RoT for keymint. The non-secure version will be used on cuttlefish.

Bug: 355194622
Test: CF is gets booted with KeyMint TA in VM
Change-Id: Iff202c6d4bb70dabeb866b4f3fbc18c006bb219e
---
 trusty/keymint/Android.bp | 22 ++++++++++++++----
 trusty/keymint/src/keymint_hal_main.rs | 31 ++++++++++++++++++++++++--
 2 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/trusty/keymint/Android.bp b/trusty/keymint/Android.bp
index 92d9c6fbb..1b87d806f 100644
--- a/trusty/keymint/Android.bp
+++ b/trusty/keymint/Android.bp
@@ -17,12 +17,10 @@ package {
 default_applicable_licenses: ["Android-Apache-2.0"],
 }
 
-rust_binary {
- name: "android.hardware.security.keymint-service.rust.trusty",
+rust_defaults {
+ name: "android.hardware.security.keymint-service.rust.trusty.default",
 relative_install_path: "hw",
 vendor: true,
- init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
- vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
 srcs: [
 "src/keymint_hal_main.rs",
 ],
@@ -37,7 +35,23 @@ rust_binary {
 "liblog_rust",
 ],
 prefer_rlib: true,
+}
+
+rust_binary {
+ name: "android.hardware.security.keymint-service.rust.trusty",
+ defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+ init_rc: ["android.hardware.security.keymint-service.rust.trusty.rc"],
+ vintf_fragments: ["android.hardware.security.keymint-service.rust.trusty.xml"],
 required: [
 "android.hardware.hardware_keystore.xml",
 ],
 }
+
+rust_binary {
+ name: "android.hardware.security.keymint-service.rust.trusty.nonsecure",
+ defaults: ["android.hardware.security.keymint-service.rust.trusty.default"],
+ features: ["nonsecure"],
+ rustlibs: [
+ "libkmr_hal_nonsecure",
+ ],
+}
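Review bot: The new `android.hardware.security.keymint-service.rust.trusty.nonsecure` module inherits `vendor: true` and `relative_install_path: "hw"` from the shared defaults, so nothing in this file distinguishes it from the production binary at install time; only product configuration keeps it off real devices. A comment above the module would make that contract explicit, e.g. `// Non-secure variant: root-of-trust and attestation-ID data come from Android properties (see the nonsecure block in keymint_hal_main.rs). Intended for cuttlefish only; must not be included in production device builds.` The secure variant keeps `required: ["android.hardware.hardware_keystore.xml"]` and the `init_rc`/`vintf_fragments` entries while the non-secure one declares none of them, which looks deliberate but is worth a one-line note on how the non-secure service is started and registered on cuttlefish.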
diff --git a/trusty/keymint/src/keymint_hal_main.rs b/trusty/keymint/src/keymint_hal_main.rs
index 3c5627bd1..a0b1d792c 100644
--- a/trusty/keymint/src/keymint_hal_main.rs
+++ b/trusty/keymint/src/keymint_hal_main.rs
@@ -18,7 +18,7 @@ use clap::Parser;
 use kmr_hal::{
 extract_rsp, keymint, rpc, secureclock, send_hal_info, sharedsecret, SerializedChannel,
 };
-use log::{error, info};
+use log::{error, info, warn};
 use std::{
 ffi::CString,
 ops::DerefMut,
@@ -109,7 +109,11 @@ fn inner_main() -> Result<(), HalServiceError> {
 error!("{}", panic_info);
 }));
 
- info!("Trusty KM HAL service is starting.");
+ if cfg!(feature = "nonsecure") {
+ warn!("Non-secure Trusty KM HAL service is starting.");
+ } else {
+ info!("Trusty KM HAL service is starting.");
+ }
 
 info!("Starting thread pool now.");
 binder::ProcessState::start_thread_pool();
@@ -126,6 +130,29 @@ fn inner_main() -> Result<(), HalServiceError> {
 )?;
 let tipc_channel = Arc::new(Mutex::new(TipcChannel(connection)));
 
+ #[cfg(feature = "nonsecure")]
+ {
+ // When the non-secure feature is enabled, retrieve root-of-trust information
+ // (with the exception of the verified boot key hash) from Android properties, and
+ // populate the TA with this information. On a real device, the bootloader should
+ // provide this data to the TA directly.
+ let boot_req = kmr_hal_nonsecure::get_boot_info();
+ info!("boot/HAL->TA: boot info is {:?}", boot_req);
+ kmr_hal::send_boot_info(tipc_channel.lock().unwrap().deref_mut(), boot_req)
+ .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+ // When the non-secure feature is enabled, also retrieve device ID information
+ // (except for IMEI/MEID values) from Android properties and populate the TA with
+ // this information. On a real device, a factory provisioning process would populate
+ // this information.
+ let attest_ids = kmr_hal_nonsecure::attestation_id_info();
+ if let Err(e) =
+ kmr_hal::send_attest_ids(tipc_channel.lock().unwrap().deref_mut(), attest_ids)
+ {
+ error!("Failed to send attestation ID info: {:?}", e);
+ }
+ info!("Successfully sent non-secure boot info and attestation IDs to the TA.");
+ }
+
 // Register the Keymint service
 let km_service = keymint::Device::new_as_binder(tipc_channel.clone());
 let km_service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
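Review bot: The closing `info!("Successfully sent non-secure boot info and attestation IDs to the TA.")` is emitted even when `send_attest_ids` fails, because the `if let Err(e)` arm only logs and falls through; make the success message the `else` arm of that `if let`: `} else { info!("Successfully sent non-secure boot info and attestation IDs to the TA."); }`. The asymmetry in the new block — a `send_boot_info` failure aborts startup with `?` while a `send_attest_ids` failure is tolerated — looks deliberate, but a one-line comment stating why a TA without attestation IDs is acceptable for the non-secure build would save the next reader from treating it as an oversight. Both `tipc_channel.lock().unwrap()` calls panic on a poisoned mutex instead of returning `HalServiceError`; if that matches how the rest of this file handles the lock it is fine, otherwise consider mapping the error. `inner_main` continues past the end of this hunk.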