insecure keymint: in-process initialization ordering
This creates an ordering of
1. In-memory HALs are initialized
2. Secure AIDL HALs are exposed
There are some dependencies on this information, e.g.
Boot info:
https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/keys.rs;l=705;drc=72ed18b226a9944330ecd97d776d57ea1b2eb9e8
https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/lib.rs;l=356;drc=4f8cad1bf0b3392414e5735b95a7c5d80d64d6e6
https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/rkp.rs;l=75;drc=747e5931be387fb600f6865d2308390646243610
HAL info:
https://cs.android.com/android/platform/superproject/main/+/main:system/keymint/ta/src/rkp.rs;l=79;drc=747e5931be387fb600f6865d2308390646243610
Bug: b/339121782
Test: launch_cvd --resume=false --secure_hals=oemlock:guest_insecure_keymint:guest_insecure_gatekeeper
Change-Id: Ifbe8655bf14c248e886725217d261dae5458e15f
diff --git a/security/keymint/aidl/default/main.rs b/security/keymint/aidl/default/main.rs
index 47143f4..007aded 100644
--- a/security/keymint/aidl/default/main.rs
+++ b/security/keymint/aidl/default/main.rs
@@ -74,6 +74,35 @@
// Create a TA in-process, which acts as a local channel for communication.
let channel = Arc::new(Mutex::new(LocalTa::new()));
+ // Let the TA know information about the boot environment. In a real device this
+ // is communicated directly from the bootloader to the TA, but here we retrieve
+ // the information from system properties and send from the HAL service.
+ let boot_req = get_boot_info();
+ debug!("boot/HAL->TA: boot info is {:?}", boot_req);
+ kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
+ .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
+
+ // Let the TA know information about the userspace environment.
+ if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
+ error!("Failed to send HAL info: {:?}", e);
+ }
+
+ // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
+ // the TA.)
+ let attest_ids = attestation_id_info();
+ if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
+ error!("Failed to send attestation ID info: {:?}", e);
+ }
+
+ let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
+ let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
+ binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
+ HalServiceError(format!(
+ "Failed to register service {} because of {:?}.",
+ service_name, e
+ ))
+ })?;
+
let km_service = kmr_hal::keymint::Device::new_as_binder(channel.clone());
let service_name = format!("{}/{}", KM_SERVICE_NAME, SERVICE_INSTANCE);
binder::add_service(&service_name, km_service.as_binder()).map_err(|e| {
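Review bot: The ordering this commit sets up is only enforced for boot info; in the `if let Err(e) = kmr_hal::send_hal_info(...)` and `send_attest_ids` branches a failure is logged and execution falls through to `binder::add_service`, so the shared-secret and KeyMint services can still be exposed to a TA that never received HAL info, which is the dependency the description cites. If HAL info is a prerequisite for exposing the AIDL HALs, propagate the error the same way the boot-info path does: `kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()).map_err(|e| HalServiceError(format!("Failed to send HAL info: {:?}", e)))?;`. If best-effort delivery is deliberate for this in-process build, a comment such as `// Best-effort: the TA tolerates missing HAL/attestation-ID info in this configuration.` above those branches would make the intent explicit. The enclosing function starts before and continues past this hunk.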
@@ -101,37 +130,6 @@
))
})?;
- let secret_service = kmr_hal::sharedsecret::Device::new_as_binder(channel.clone());
- let service_name = format!("{}/{}", SECRET_SERVICE_NAME, SERVICE_INSTANCE);
- binder::add_service(&service_name, secret_service.as_binder()).map_err(|e| {
- HalServiceError(format!(
- "Failed to register service {} because of {:?}.",
- service_name, e
- ))
- })?;
-
- info!("Successfully registered KeyMint HAL services.");
-
- // Let the TA know information about the boot environment. In a real device this
- // is communicated directly from the bootloader to the TA, but here we retrieve
- // the information from system properties and send from the HAL service.
- let boot_req = get_boot_info();
- debug!("boot/HAL->TA: boot info is {:?}", boot_req);
- kmr_hal::send_boot_info(channel.lock().unwrap().deref_mut(), boot_req)
- .map_err(|e| HalServiceError(format!("Failed to send boot info: {:?}", e)))?;
-
- // Let the TA know information about the userspace environment.
- if let Err(e) = kmr_hal::send_hal_info(channel.lock().unwrap().deref_mut()) {
- error!("Failed to send HAL info: {:?}", e);
- }
-
- // Let the TA know about attestation IDs. (In a real device these would be pre-provisioned into
- // the TA.)
- let attest_ids = attestation_id_info();
- if let Err(e) = kmr_hal::send_attest_ids(channel.lock().unwrap().deref_mut(), attest_ids) {
- error!("Failed to send attestation ID info: {:?}", e);
- }
-
info!("Successfully registered KeyMint HAL services.");
binder::ProcessState::join_thread_pool();
info!("KeyMint HAL service is terminating."); // should not reach here