From fbc30893106df9b55f0c73a8727575824b86c71b Mon Sep 17 00:00:00 2001
From: "A. Cody Schuffelen" 
Date: Tue, 7 May 2024 16:23:54 -0700
Subject: [PATCH] insecure keymint: in-process initialization ordering

This creates an ordering of 1. In-memory HALs are initialized 2. Secure AIDL HALs are exposed There are some dependencies on the information, e.g. Boot info: https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/keys.rs;l=705;drc=72ed18b226a9944330ecd97d776d57ea1b2eb9e8 https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/lib.rs;l=356;drc=4f8cad1bf0b3392414e5735b95a7c5d80d64d6e6 https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/rkp.rs;l=75;drc=747e5931be387fb600f6865d2308390646243610 HAL info: https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/rkp.rs;l=79;drc=747e5931be387fb600f6865d2308390646243610
Bug: b/339121782
Test: launch_cvd --resume=false --secure_hals=oemlock:guest_insecure_keymint:guest_insecure_gatekeeper
Change-Id: Ifbe8655bf14c248e886725217d261dae5458e15f
---
 security/keymint/aidl/default/main.rs | 60 +++++++++++++--------------
 1 file changed, 29 insertions(+), 31 deletions(-)

diff --git a/security/keymint/aidl/default/main.rs b/security/keymint/aidl/default/main.rs
index 47143f49fa..007aded95d 100644
--- a/security/keymint/aidl/default/main.rs
+++ b/security/keymint/aidl/default/main.rs
@@ -74,6 +74,35 @@ fn inner_main() -> Result<(), HalServiceError> {
     // Create a TA in-process, which acts as a local channel for communication.
     let channel = Arc::new(Mutex::new(LocalTa::new()));
 
+    // Let the TA know information about the boot environment. In a real device this
+    // is communicated directly from the bootloader to the TA, but here we retrieve
+    // the information from system properties and send from the HAL service.
+    let boot_req = get_boot_info();
+    debug!("boot/HAL->TA: boot info is {:?}", boot_req);
+    kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
+        .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+
+    // Let the TA know information about the userspace environment.
+    if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
+        error!("Failed to send HAL info: {:?}", e);
+    }
+
+    // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
+    // the TA.)
+    let attest_ids = attestation_id_info();
+    if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
+        error!("Failed to send attestation ID info: {:?}", e);
+    }
+
+    let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
+    let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
+    binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
+        HalServiceError(format!(
+            "Failed to register service {} because of {:?}.",
+            service_name, e
+        ))
+    })?;
+
     let km_service = kmr_hal::keymint::Device::new_as_binder(channel.clone());
     let service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
     binder::add_service(&service_name, km_service.as_binder()).map_err(|e| {
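Review bot: In this hunk a failure of `kmr_hal::send_hal_info` or `kmr_hal::send_attest_ids` is only logged with `error!` and the shared-secret and KeyMint services are still registered afterwards, whereas a `send_boot_info` failure aborts startup via `?`. Since the commit's stated motivation is that the TA must have the HAL info before the AIDL services are exposed, consider making the HAL-info step fatal in the same way, `kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()).map_err(|e| HalServiceError(format!("Failed to send HAL info: {:?}", e)))?;`, or add a comment above the `if let Err(e)` stating why continuing without it is acceptable for this insecure/test HAL. The best-effort handling is carried over from the removed code, so this is not a regression, but the new ordering makes the choice consequential for what clients can observe. `inner_main` begins before this hunk and its body continues past it.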
@@ -101,37 +130,6 @@ fn inner_main() -> Result<(), HalServiceError> {
         ))
     })?;
 
-    let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
-    let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
-    binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
-        HalServiceError(format!(
-            "Failed to register service {} because of {:?}.",
-            service_name, e
-        ))
-    })?;
-
-    info!("Successfully registered KeyMint HAL services.");
-
-    // Let the TA know information about the boot environment. In a real device this
-    // is communicated directly from the bootloader to the TA, but here we retrieve
-    // the information from system properties and send from the HAL service.
-    let boot_req = get_boot_info();
-    debug!("boot/HAL->TA: boot info is {:?}", boot_req);
-    kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
-        .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
-
-    // Let the TA know information about the userspace environment.
-    if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
-        error!("Failed to send HAL info: {:?}", e);
-    }
-
-    // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
-    // the TA.)
-    let attest_ids = attestation_id_info();
-    if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
-        error!("Failed to send attestation ID info: {:?}", e);
-    }
-
     info!("Successfully registered KeyMint HAL services.");
     binder::ProcessState::join_thread_pool();
     info!("KeyMint HAL service is terminating."); // should not reach here