Merge "Convert Gatekeeper from HIDL to AIDL"

}

cc_binary {

    name: "android.hardware.gatekeeper@1.0-service.trusty",

    defaults: ["hidl_defaults"],

    name: "android.hardware.gatekeeper-service.trusty",

    vendor: true,

    relative_install_path: "hw",

    init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],

    init_rc: ["android.hardware.gatekeeper-service.trusty.rc"],

    srcs: [

        "service.cpp",

        "-Werror",

    ],

    static_libs: [

        "libgflags",

    ],

    shared_libs: [

        "android.hardware.gatekeeper@1.0",

        "android.hardware.gatekeeper-V1-ndk",

        "libbase",

        "libhidlbase",

        "libbinder_ndk",

        "libgatekeeper",

        "libhardware",

        "libutils",

        "liblog",

        "libcutils",

        "libtrusty",

    ],

    vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],

    vintf_fragments: ["android.hardware.gatekeeper-service.trusty.xml"],

}

service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty

service vendor.gatekeeper_default /vendor/bin/hw/android.hardware.gatekeeper-service.trusty

    class hal

    user system

    group system

<manifest version="1.0" type="device">

    <hal format="hidl">

    <hal format="aidl">

        <name>android.hardware.gatekeeper</name>

        <transport>hwbinder</transport>

        <version>1.0</version>

        <version>1</version>

        <interface>

            <name>IGatekeeper</name>

            <instance>default</instance>

 * See the License for the specific language governing permissions and

 * limitations under the License.

 */

#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"

#define LOG_TAG "android.hardware.gatekeeper-service.trusty"

#include <android-base/logging.h>

#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>

#include <hidl/LegacySupport.h>

#include <android/binder_manager.h>

#include <android/binder_process.h>

#include "trusty_gatekeeper.h"

// Generated HIDL files

using android::hardware::gatekeeper::V1_0::IGatekeeper;

using gatekeeper::TrustyGateKeeperDevice;

using aidl::android::hardware::gatekeeper::TrustyGateKeeperDevice;

int main() {

    ::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);

    android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());

    auto status = gatekeeper->registerAsService();

    if (status != android::OK) {

        LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";

    }

    ABinderProcess_setThreadPoolMaxThreadCount(0);

    std::shared_ptr<TrustyGateKeeperDevice> gatekeeper =

            ndk::SharedRefBase::make<TrustyGateKeeperDevice>();

    const std::string instance = std::string() + TrustyGateKeeperDevice::descriptor + "/default";

    binder_status_t status =

            AServiceManager_addService(gatekeeper->asBinder().get(), instance.c_str());

    CHECK_EQ(status, STATUS_OK);

    ABinderProcess_joinThreadPool();

    android::hardware::joinRpcThreadpool();

    return -1;  // Should never get here.

}

#define LOG_TAG "TrustyGateKeeper"

#include <android-base/logging.h>

#include <endian.h>

#include <limits>

#include <android-base/logging.h>

#include <gatekeeper/password_handle.h>

#include <hardware/hw_auth_token.h>

#include "gatekeeper_ipc.h"

#include "trusty_gatekeeper.h"

#include "trusty_gatekeeper_ipc.h"

#include "gatekeeper_ipc.h"

using ::android::hardware::hidl_vec;

using ::android::hardware::Return;

using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;

using ::gatekeeper::EnrollRequest;

using ::gatekeeper::EnrollResponse;

namespace aidl::android::hardware::gatekeeper {

using ::gatekeeper::ERROR_INVALID;

using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;

using ::gatekeeper::ERROR_NONE;

using ::gatekeeper::ERROR_RETRY;

using ::gatekeeper::SizedBuffer;

using ::gatekeeper::VerifyRequest;

using ::gatekeeper::VerifyResponse;

namespace gatekeeper {

constexpr const uint32_t SEND_BUF_SIZE = 8192;

constexpr const uint32_t RECV_BUF_SIZE = 8192;

    trusty_gatekeeper_disconnect();

}

SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {

SizedBuffer vec2sized_buffer(const std::vector<uint8_t>& vec) {

    if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};

    auto buffer = new uint8_t[vec.size()];

    std::copy(vec.begin(), vec.end(), buffer);

    return {buffer, static_cast<uint32_t>(vec.size())};

}

Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,

                                            const hidl_vec<uint8_t>& currentPasswordHandle,

                                            const hidl_vec<uint8_t>& currentPassword,

                                            const hidl_vec<uint8_t>& desiredPassword,

                                            enroll_cb _hidl_cb) {

void sizedBuffer2AidlHWToken(SizedBuffer& buffer,

                             android::hardware::security::keymint::HardwareAuthToken* aidlToken) {

    const hw_auth_token_t* authToken =

            reinterpret_cast<const hw_auth_token_t*>(buffer.Data<uint8_t>());

    aidlToken->challenge = authToken->challenge;

    aidlToken->userId = authToken->user_id;

    aidlToken->authenticatorId = authToken->authenticator_id;

    // these are in network order: translate to host

    aidlToken->authenticatorType =

            static_cast<android::hardware::security::keymint::HardwareAuthenticatorType>(

                    be32toh(authToken->authenticator_type));

    aidlToken->timestamp.milliSeconds = be64toh(authToken->timestamp);

    aidlToken->mac.insert(aidlToken->mac.begin(), std::begin(authToken->hmac),

                          std::end(authToken->hmac));

}

::ndk::ScopedAStatus TrustyGateKeeperDevice::enroll(

        int32_t uid, const std::vector<uint8_t>& currentPasswordHandle,

        const std::vector<uint8_t>& currentPassword, const std::vector<uint8_t>& desiredPassword,

        GatekeeperEnrollResponse* rsp) {

    if (error_ != 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    if (desiredPassword.size() == 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),

                          hidl_vec2sized_buffer(desiredPassword),

                          hidl_vec2sized_buffer(currentPassword));

    EnrollRequest request(uid, vec2sized_buffer(currentPasswordHandle),

                          vec2sized_buffer(desiredPassword), vec2sized_buffer(currentPassword));

    EnrollResponse response;

    auto error = Send(request, &response);

    if (error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else if (response.error == ERROR_RETRY) {

        _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});

        *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), 0, {}};

        return ndk::ScopedAStatus::ok();

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else {

        hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),

                                     response.enrolled_password_handle.Data<uint8_t>() +

                                             response.enrolled_password_handle.size());

        _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});

        const ::gatekeeper::password_handle_t* password_handle =

                response.enrolled_password_handle.Data<::gatekeeper::password_handle_t>();

        *rsp = {STATUS_OK,

                0,

                static_cast<int64_t>(password_handle->user_id),

                {response.enrolled_password_handle.Data<uint8_t>(),

                 (response.enrolled_password_handle.Data<uint8_t>() +

                  response.enrolled_password_handle.size())}};

    }

    return {};

    return ndk::ScopedAStatus::ok();

}

Return<void> TrustyGateKeeperDevice::verify(

        uint32_t uid, uint64_t challenge,

        const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,

        const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {

::ndk::ScopedAStatus TrustyGateKeeperDevice::verify(

        int32_t uid, int64_t challenge, const std::vector<uint8_t>& enrolledPasswordHandle,

        const std::vector<uint8_t>& providedPassword, GatekeeperVerifyResponse* rsp) {

    if (error_ != 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    if (enrolledPasswordHandle.size() == 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),

                          hidl_vec2sized_buffer(providedPassword));

    VerifyRequest request(uid, challenge, vec2sized_buffer(enrolledPasswordHandle),

                          vec2sized_buffer(providedPassword));

    VerifyResponse response;

    auto error = Send(request, &response);

    if (error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else if (response.error == ERROR_RETRY) {

        _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});

        *rsp = {ERROR_RETRY_TIMEOUT, static_cast<int32_t>(response.retry_timeout), {}};

        return ndk::ScopedAStatus::ok();

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else {

        hidl_vec<uint8_t> auth_token(

                response.auth_token.Data<uint8_t>(),

                response.auth_token.Data<uint8_t>() + response.auth_token.size());

        _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL

                                            : GatekeeperStatusCode::STATUS_OK,

                  response.retry_timeout, auth_token});

        // On Success, return GatekeeperVerifyResponse with Success Status, timeout{0} and

        // valid HardwareAuthToken.

        *rsp = {response.request_reenroll ? STATUS_REENROLL : STATUS_OK, 0, {}};

        // Convert the hw_auth_token_t to HardwareAuthToken in the response.

        sizedBuffer2AidlHWToken(response.auth_token, &rsp->hardwareAuthToken);

    }

    return {};

    return ndk::ScopedAStatus::ok();

}

Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) {

::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteUser(int32_t uid) {

    if (error_ != 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    DeleteUserRequest request(uid);

    auto error = Send(request, &response);

    if (error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else if (response.error == ERROR_NOT_IMPLEMENTED) {

        _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else {

        _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});

        return ndk::ScopedAStatus::ok();

    }

    return {};

}

Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {

::ndk::ScopedAStatus TrustyGateKeeperDevice::deleteAllUsers() {

    if (error_ != 0) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return {};

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    }

    DeleteAllUsersRequest request;

    auto error = Send(request, &response);

    if (error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else if (response.error == ERROR_NOT_IMPLEMENTED) {

        _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_NOT_IMPLEMENTED));

    } else if (response.error != ERROR_NONE) {

        _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});

        return ndk::ScopedAStatus(AStatus_fromServiceSpecificError(ERROR_GENERAL_FAILURE));

    } else {

        _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, {}});

        return ndk::ScopedAStatus::ok();

    }

    return {};

}

gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,

    return response->Deserialize(payload, payload + response_size);

}

};

}  // namespace aidl::android::hardware::gatekeeper