Evolution-x/hardware_interfaces
1
0
Fork 0
mirror of https://github.com/Evolution-X/hardware_interfaces synced 2026-02-02 23:48:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
121fedaa46cadbc06142c3bda6c5e52d45d3c8d2
hardware_interfaces/security/authgraph/default/src/main.rs
David Drysdale 8898d2ec57 Secretkeeper: add AuthGraph key exchange 
Add `ISecretkeeper::getAuthGraphKe()` method to the Secretkeeper HAL.

Align the AIDL targets between AuthGraph and Secretkeeper, and add
some defaults that automatically link to the current version of the
Secretkeeper AIDL targets.

Move the non-secure implementation of AuthGraph to run the TA in a
separate thread.

Alter the nonsecure implementation of Secretkeeper so that it no longer
directly implements Secretkeeper functionality, but instead re-uses
common code from the Secretkeeper reference implementation.  This
involves re-using the common implementation of the HAL service (from
`authgraph_hal`), but also involves using the reference implementation
of the the TA code that would normally run in a separate secure
environment.  The latter code expects to run in a single-threaded
environment, so run it in a single local thread.

Note that the negotiated session keys emitted by AuthGraph are not yet
used by Secretkeeper (coming in a subsequent CL).

Extend the Secretkeeper VTS tests to invoke the AuthGraph VTS inner
tests on the returned IAuthGraphKeyExchange instance, exercising the
instance as an AuthGraph sink.

Bug: 291228560
Test: VtsSecretkeeperTargetTest
Change-Id: Ia2c97976edc4530b2c902d95a74f3c340d342174
2023-12-06 06:50:19 +00:00

82 lines
2.9 KiB
Rust
Raw Blame History

/*
* Copyright (C) 2023 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
//! Default implementation of the AuthGraph key exchange HAL.
//!
//! This implementation of the HAL is only intended to allow testing and policy compliance. A real
//! implementation of the AuthGraph HAL would be implemented in a secure environment, and would not
//! be independently registered with service manager (a secure component that uses AuthGraph would
//! expose an entrypoint that allowed retrieval of the specific IAuthGraphKeyExchange instance that
//! is correlated with the component).
use authgraph_hal::service;
use authgraph_nonsecure::LocalTa;
use log::{error, info};
static SERVICE_NAME: &str = "android.hardware.security.authgraph.IAuthGraphKeyExchange";
static SERVICE_INSTANCE: &str = "nonsecure";
/// Local error type for failures in the HAL service.
#[derive(Debug, Clone)]
struct HalServiceError(String);
impl From<String> for HalServiceError {
fn from(s: String) -> Self {
Self(s)
}
}
fn main() {
if let Err(e) = inner_main() {
panic!("HAL service failed: {:?}", e);
}
}
fn inner_main() -> Result<(), HalServiceError> {
// Initialize Android logging.
android_logger::init_once(
android_logger::Config::default()
.with_tag("authgraph-hal-nonsecure")
.with_min_level(log::Level::Info)
.with_log_id(android_logger::LogId::System),
);
// Redirect panic messages to logcat.
std::panic::set_hook(Box::new(|panic_info| {
error!("{}", panic_info);
}));
info!("Insecure AuthGraph key exchange HAL service is starting.");
info!("Starting thread pool now.");
binder::ProcessState::start_thread_pool();
// Register the service
let local_ta = LocalTa::new().map_err(|e| format!("Failed to create the TA because: {e:?}"))?;
let service = service::AuthGraphService::new_as_binder(local_ta);
let service_name = format!("{}/{}", SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, service.as_binder()).map_err(|e| {
format!(
"Failed to register service {} because of {:?}.",
service_name, e
)
})?;
info!("Successfully registered AuthGraph HAL services.");
binder::ProcessState::join_thread_pool();
info!("AuthGraph HAL service is terminating."); // should not reach here
Ok(())
}
Reference in New Issue View Git Blame Copy Permalink