[automerger skipped] Gatekeeperd maintenance am: 3a1eb672c5
am: 2e13c844e5 -s ours
am skip reason: change_id I72b734db6f67b79b29c2629764490d75d179908a with SHA1 ea53977df9 is in history
Change-Id: I51ab5f572a5a344033c90cabe615c27a189ec544
diff --git a/adb/adb.cpp b/adb/adb.cpp
index 24d4292..d5e7be1 100644
--- a/adb/adb.cpp
+++ b/adb/adb.cpp
@@ -337,9 +337,12 @@
case ADB_AUTH_SIGNATURE: {
// TODO: Switch to string_view.
std::string signature(p->payload.begin(), p->payload.end());
- if (adbd_auth_verify(t->token, sizeof(t->token), signature)) {
+ std::string auth_key;
+ if (adbd_auth_verify(t->token, sizeof(t->token), signature, &auth_key)) {
adbd_auth_verified(t);
t->failed_auth_attempts = 0;
+ t->auth_key = auth_key;
+ adbd_notify_framework_connected_key(t);
} else {
if (t->failed_auth_attempts++ > 256) std::this_thread::sleep_for(1s);
send_auth_request(t);
@@ -348,7 +351,8 @@
}
case ADB_AUTH_RSAPUBLICKEY:
- adbd_auth_confirm_key(p->payload.data(), p->msg.data_length, t);
+ t->auth_key = std::string(p->payload.data());
+ adbd_auth_confirm_key(t);
break;
#endif
default:
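Review bot: `std::string(p->payload.data())` in the ADB_AUTH_RSAPUBLICKEY case copies up to the first NUL byte rather than to the end of the payload, so a host-supplied payload with no terminator is read past its buffer. The null-termination check that this commit removes from `adbd_auth_confirm_key` in adb/daemon/auth.cpp is not re-added here. Reject an empty or unterminated key before the assignment, for example `if (p->payload.begin() == p->payload.end() || *(p->payload.end() - 1) != '\0') { LOG(ERROR) << "Key must be a null-terminated string"; break; }`. The enclosing switch starts and ends outside the hunk.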
diff --git a/adb/adb.h b/adb/adb.h
index 3a6f059..9324cee 100644
--- a/adb/adb.h
+++ b/adb/adb.h
@@ -33,6 +33,7 @@
constexpr size_t MAX_PAYLOAD_V1 = 4 * 1024;
constexpr size_t MAX_PAYLOAD = 1024 * 1024;
+constexpr size_t MAX_FRAMEWORK_PAYLOAD = 64 * 1024;
constexpr size_t LINUX_MAX_SOCKET_SIZE = 4194304;
diff --git a/adb/adb_auth.h b/adb/adb_auth.h
index 2fc8478..2be9a76 100644
--- a/adb/adb_auth.h
+++ b/adb/adb_auth.h
@@ -50,8 +50,10 @@
void adbd_auth_verified(atransport *t);
void adbd_cloexec_auth_socket();
-bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig);
-void adbd_auth_confirm_key(const char* data, size_t len, atransport* t);
+bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
+ std::string* auth_key);
+void adbd_auth_confirm_key(atransport* t);
+void adbd_notify_framework_connected_key(atransport* t);
void send_auth_request(atransport *t);
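Review bot: The new `auth_key` out-parameter of `adbd_auth_verify` has no documented contract in the header. The implementation in adb/daemon/auth.cpp dereferences it unconditionally (`*auth_key = line;`, `auth_key->clear();`), so a null pointer is not allowed, and it is overwritten for every candidate line before verification. If the intended contract is "matching adb_keys line on success, empty on failure", say so above the declaration, e.g. `// auth_key must be non-null; it is only meaningful when the function returns true and is cleared otherwise.`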
diff --git a/adb/daemon/auth.cpp b/adb/daemon/auth.cpp
index 1800f84..a18afa4 100644
--- a/adb/daemon/auth.cpp
+++ b/adb/daemon/auth.cpp
@@ -18,6 +18,7 @@
#include "adb.h"
#include "adb_auth.h"
+#include "adb_io.h"
#include "fdevent.h"
#include "sysdeps.h"
#include "transport.h"
@@ -25,7 +26,9 @@
#include <resolv.h>
#include <stdio.h>
#include <string.h>
+#include <iomanip>
+#include <algorithm>
#include <memory>
#include <android-base/file.h>
@@ -37,22 +40,24 @@
static fdevent* listener_fde = nullptr;
static fdevent* framework_fde = nullptr;
-static int framework_fd = -1;
+static auto& framework_mutex = *new std::mutex();
+static int framework_fd GUARDED_BY(framework_mutex) = -1;
+static auto& connected_keys GUARDED_BY(framework_mutex) = *new std::vector<std::string>;
-static void usb_disconnected(void* unused, atransport* t);
-static struct adisconnect usb_disconnect = { usb_disconnected, nullptr};
-static atransport* usb_transport;
+static void adb_disconnected(void* unused, atransport* t);
+static struct adisconnect adb_disconnect = {adb_disconnected, nullptr};
+static atransport* adb_transport;
static bool needs_retry = false;
bool auth_required = true;
-bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig) {
+bool adbd_auth_verify(const char* token, size_t token_size, const std::string& sig,
+ std::string* auth_key) {
static constexpr const char* key_paths[] = { "/adb_keys", "/data/misc/adb/adb_keys", nullptr };
for (const auto& path : key_paths) {
if (access(path, R_OK) == 0) {
LOG(INFO) << "Loading keys from " << path;
-
std::string content;
if (!android::base::ReadFileToString(path, &content)) {
PLOG(ERROR) << "Couldn't read " << path;
@@ -60,6 +65,8 @@
}
for (const auto& line : android::base::Split(content, "\n")) {
+ if (line.empty()) continue;
+ *auth_key = line;
// TODO: do we really have to support both ' ' and '\t'?
char* sep = strpbrk(const_cast<char*>(line.c_str()), " \t");
if (sep) *sep = '\0';
@@ -87,9 +94,31 @@
}
}
}
+ auth_key->clear();
return false;
}
+static bool adbd_send_key_message_locked(std::string_view msg_type, std::string_view key)
+ REQUIRES(framework_mutex) {
+ if (framework_fd < 0) {
+ LOG(ERROR) << "Client not connected to send msg_type " << msg_type;
+ return false;
+ }
+ std::string msg = std::string(msg_type) + std::string(key);
+ int msg_len = msg.length();
+ if (msg_len >= static_cast<int>(MAX_FRAMEWORK_PAYLOAD)) {
+ LOG(ERROR) << "Key too long (" << msg_len << ")";
+ return false;
+ }
+
+ LOG(DEBUG) << "Sending '" << msg << "'";
+ if (!WriteFdExactly(framework_fd, msg.c_str(), msg_len)) {
+ PLOG(ERROR) << "Failed to write " << msg_type;
+ return false;
+ }
+ return true;
+}
+
static bool adbd_auth_generate_token(void* token, size_t token_size) {
FILE* fp = fopen("/dev/urandom", "re");
if (!fp) return false;
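Review bot: Every call site added in this commit discards the `bool` returned by `adbd_send_key_message_locked` (the `DC`, `PK` and `CK` sends), so an oversized key or a failed `WriteFdExactly` shows up only in the log. On the `PK` path in `adbd_auth_confirm_key` that presumably leaves the host waiting with `needs_retry` unset. Either act on the result at the call sites or add a comment stating that the send is best-effort. A one-line header comment on the message format (two-character type followed by the key, limited by `MAX_FRAMEWORK_PAYLOAD`) would also help.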
@@ -98,17 +127,28 @@
return okay;
}
-static void usb_disconnected(void* unused, atransport* t) {
- LOG(INFO) << "USB disconnect";
- usb_transport = nullptr;
+static void adb_disconnected(void* unused, atransport* t) {
+ LOG(INFO) << "ADB disconnect";
+ adb_transport = nullptr;
needs_retry = false;
+ {
+ std::lock_guard<std::mutex> lock(framework_mutex);
+ if (framework_fd >= 0) {
+ adbd_send_key_message_locked("DC", t->auth_key);
+ }
+ connected_keys.erase(std::remove(connected_keys.begin(), connected_keys.end(), t->auth_key),
+ connected_keys.end());
+ }
}
static void framework_disconnected() {
LOG(INFO) << "Framework disconnect";
if (framework_fde) {
fdevent_destroy(framework_fde);
- framework_fd = -1;
+ {
+ std::lock_guard<std::mutex> lock(framework_mutex);
+ framework_fd = -1;
+ }
}
}
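Review bot: `adb_disconnected` is the only place a key leaves `connected_keys`, but the callback is registered (`t->AddDisconnect(&adb_disconnect)`) only while `adb_transport` is null, in `adbd_auth_confirm_key` and `adbd_notify_framework_connected_key`. A transport that authenticates while another one holds `adb_transport` has its key pushed to `connected_keys` with no disconnect hook. If more than one transport can be live, the framework never receives `DC` for it and the stale key is replayed as `CK` on the next framework connection. Registering the hook per transport, and clearing `adb_transport` only when `t == adb_transport`, would keep the list accurate. Separately, `DC` is sent with `t->auth_key` even for a transport that asked for confirmation and left before it was approved.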
@@ -119,41 +159,28 @@
if (ret <= 0) {
framework_disconnected();
} else if (ret == 2 && response[0] == 'O' && response[1] == 'K') {
- if (usb_transport) {
- adbd_auth_verified(usb_transport);
+ if (adb_transport) {
+ adbd_auth_verified(adb_transport);
}
}
}
}
-void adbd_auth_confirm_key(const char* key, size_t len, atransport* t) {
- if (!usb_transport) {
- usb_transport = t;
- t->AddDisconnect(&usb_disconnect);
+void adbd_auth_confirm_key(atransport* t) {
+ if (!adb_transport) {
+ adb_transport = t;
+ t->AddDisconnect(&adb_disconnect);
}
- if (framework_fd < 0) {
- LOG(ERROR) << "Client not connected";
- needs_retry = true;
- return;
- }
+ {
+ std::lock_guard<std::mutex> lock(framework_mutex);
+ if (framework_fd < 0) {
+ LOG(ERROR) << "Client not connected";
+ needs_retry = true;
+ return;
+ }
- if (key[len - 1] != '\0') {
- LOG(ERROR) << "Key must be a null-terminated string";
- return;
- }
-
- char msg[MAX_PAYLOAD_V1];
- int msg_len = snprintf(msg, sizeof(msg), "PK%s", key);
- if (msg_len >= static_cast<int>(sizeof(msg))) {
- LOG(ERROR) << "Key too long (" << msg_len << ")";
- return;
- }
- LOG(DEBUG) << "Sending '" << msg << "'";
-
- if (unix_write(framework_fd, msg, msg_len) == -1) {
- PLOG(ERROR) << "Failed to write PK";
- return;
+ adbd_send_key_message_locked("PK", t->auth_key);
}
}
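Review bot: The `OK` branch of the framework response handler authorizes whatever `adb_transport` points at, while `adbd_auth_confirm_key` sends `PK` with `t->auth_key` for any `t` and stores `t` only when `adb_transport` is still null. If two transports can be pending at once, the user may approve the key shown for one and have a different transport marked verified. Binding the approval to the transport whose key was sent would close that gap, for example by recording the pending transport when the `PK` message is written, or by refusing a second confirmation while one is outstanding. `adb_transport` and `needs_retry` are also accessed here without `GUARDED_BY(framework_mutex)`, unlike `framework_fd`, so it is worth confirming that all accesses happen on one thread. The response handler begins outside the hunk.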
@@ -164,18 +191,46 @@
return;
}
- if (framework_fd >= 0) {
- LOG(WARNING) << "adb received framework auth socket connection again";
- framework_disconnected();
+ {
+ std::lock_guard<std::mutex> lock(framework_mutex);
+ if (framework_fd >= 0) {
+ LOG(WARNING) << "adb received framework auth socket connection again";
+ framework_disconnected();
+ }
+
+ framework_fd = s;
+ framework_fde = fdevent_create(framework_fd, adbd_auth_event, nullptr);
+ fdevent_add(framework_fde, FDE_READ);
+
+ if (needs_retry) {
+ needs_retry = false;
+ send_auth_request(adb_transport);
+ }
+
+ // if a client connected before the framework was available notify the framework of the
+ // connected key now.
+ if (!connected_keys.empty()) {
+ for (const auto& key : connected_keys) {
+ adbd_send_key_message_locked("CK", key);
+ }
+ }
}
+}
- framework_fd = s;
- framework_fde = fdevent_create(framework_fd, adbd_auth_event, nullptr);
- fdevent_add(framework_fde, FDE_READ);
-
- if (needs_retry) {
- needs_retry = false;
- send_auth_request(usb_transport);
+void adbd_notify_framework_connected_key(atransport* t) {
+ if (!adb_transport) {
+ adb_transport = t;
+ t->AddDisconnect(&adb_disconnect);
+ }
+ {
+ std::lock_guard<std::mutex> lock(framework_mutex);
+ if (std::find(connected_keys.begin(), connected_keys.end(), t->auth_key) ==
+ connected_keys.end()) {
+ connected_keys.push_back(t->auth_key);
+ }
+ if (framework_fd >= 0) {
+ adbd_send_key_message_locked("CK", t->auth_key);
+ }
}
}
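Review bot: `framework_disconnected()` is called here while `framework_mutex` is already held, and the version of that function in this same commit takes `std::lock_guard<std::mutex> lock(framework_mutex)` whenever `framework_fde` is set. A second framework connection therefore relocks a non-recursive mutex on the same thread. Tear down inline under the existing lock instead, e.g. `if (framework_fde) { fdevent_destroy(framework_fde); framework_fd = -1; }`, or split out a `_locked` variant annotated `REQUIRES(framework_mutex)`. `send_auth_request(adb_transport)` also runs under the lock, so confirm it cannot reach code that takes `framework_mutex`. The handler's opening lines are outside the hunk.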
diff --git a/adb/daemon/usb.cpp b/adb/daemon/usb.cpp
index f4aa9fb..1abae87 100644
--- a/adb/daemon/usb.cpp
+++ b/adb/daemon/usb.cpp
@@ -509,16 +509,14 @@
}
if (id.direction == TransferDirection::READ) {
- if (!HandleRead(id, event.res)) {
- return;
- }
+ HandleRead(id, event.res);
} else {
HandleWrite(id);
}
}
}
- bool HandleRead(TransferId id, int64_t size) {
+ void HandleRead(TransferId id, int64_t size) {
uint64_t read_idx = id.id % kUsbReadQueueDepth;
IoBlock* block = &read_requests_[read_idx];
block->pending = false;
@@ -528,7 +526,7 @@
if (block->id().id != needed_read_id_) {
LOG(VERBOSE) << "read " << block->id().id << " completed while waiting for "
<< needed_read_id_;
- return true;
+ return;
}
for (uint64_t id = needed_read_id_;; ++id) {
@@ -537,22 +535,15 @@
if (current_block->pending) {
break;
}
- if (!ProcessRead(current_block)) {
- return false;
- }
+ ProcessRead(current_block);
++needed_read_id_;
}
-
- return true;
}
- bool ProcessRead(IoBlock* block) {
+ void ProcessRead(IoBlock* block) {
if (!block->payload->empty()) {
if (!incoming_header_.has_value()) {
- if (block->payload->size() != sizeof(amessage)) {
- HandleError("received packet of unexpected length while reading header");
- return false;
- }
+ CHECK_EQ(sizeof(amessage), block->payload->size());
amessage msg;
memcpy(&msg, block->payload->data(), sizeof(amessage));
LOG(DEBUG) << "USB read:" << dump_header(&msg);
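Review bot: `CHECK_EQ(sizeof(amessage), block->payload->size())` turns a wrong-sized header read into a process abort, and that size is determined by whatever is on the other end of the USB connection. A malformed packet therefore takes adbd down instead of dropping the connection. The same applies to `CHECK_LE(payload.size(), bytes_left)` in the next hunk. Prefer the error path this commit removes, `HandleError("received packet of unexpected length while reading header"); return;`. With the new `void` signatures, `HandleRead` would then need another way to stop its loop, which is what the removed `bool` return provided.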
@@ -560,10 +551,7 @@
} else {
size_t bytes_left = incoming_header_->data_length - incoming_payload_.size();
Block payload = std::move(*block->payload);
- if (block->payload->size() > bytes_left) {
- HandleError("received too many bytes while waiting for payload");
- return false;
- }
+ CHECK_LE(payload.size(), bytes_left);
incoming_payload_.append(std::make_unique<Block>(std::move(payload)));
}
@@ -582,7 +570,6 @@
PrepareReadBlock(block, block->id().id + kUsbReadQueueDepth);
SubmitRead(block);
- return true;
}
bool SubmitRead(IoBlock* block) {
diff --git a/adb/daemon/usb_ffs.cpp b/adb/daemon/usb_ffs.cpp
index a64ce40..338d776 100644
--- a/adb/daemon/usb_ffs.cpp
+++ b/adb/daemon/usb_ffs.cpp
@@ -299,7 +299,6 @@
}
// Signal only when writing the descriptors to ffs
android::base::SetProperty("sys.usb.ffs.ready", "1");
- *out_control = std::move(control);
}
bulk_out.reset(adb_open(USB_FFS_ADB_OUT, O_RDONLY));
@@ -314,6 +313,7 @@
return false;
}
+ *out_control = std::move(control);
*out_bulk_in = std::move(bulk_in);
*out_bulk_out = std::move(bulk_out);
return true;
diff --git a/adb/transport.h b/adb/transport.h
index f4490ed..3473ca2 100644
--- a/adb/transport.h
+++ b/adb/transport.h
@@ -274,6 +274,9 @@
std::string device;
std::string devpath;
+ // Used to provide the key to the framework.
+ std::string auth_key;
+
bool IsTcpDevice() const { return type == kTransportLocal; }
#if ADB_HOST
diff --git a/bootstat/bootstat.cpp b/bootstat/bootstat.cpp
index 6936cc2..8e7d918 100644
--- a/bootstat/bootstat.cpp
+++ b/bootstat/bootstat.cpp
@@ -1093,8 +1093,8 @@
void LogBootInfoToStatsd(std::chrono::milliseconds end_time,
std::chrono::milliseconds total_duration, int32_t bootloader_duration_ms,
double time_since_last_boot_sec) {
- const auto reason = android::base::GetProperty(bootloader_reboot_reason_property, "<EMPTY>");
- const auto system_reason = android::base::GetProperty(system_reboot_reason_property, "<EMPTY>");
+ auto reason = android::base::GetProperty(bootloader_reboot_reason_property, "<EMPTY>");
+ auto system_reason = android::base::GetProperty(system_reboot_reason_property, "<EMPTY>");
android::util::stats_write(android::util::BOOT_SEQUENCE_REPORTED, reason.c_str(),
system_reason.c_str(), end_time.count(), total_duration.count(),
(int64_t)bootloader_duration_ms,
diff --git a/healthd/Android.mk b/healthd/Android.mk
index d18f15a..05123af 100644
--- a/healthd/Android.mk
+++ b/healthd/Android.mk
@@ -93,7 +93,6 @@
libbinderthreadstate \
libhidltransport \
libhidlbase \
- libhwbinder_noltopgo \
libhealthstoragedefault \
libvndksupport \
libhealthd_charger \
@@ -152,7 +151,6 @@
libbinderthreadstate \
libhidltransport \
libhidlbase \
- libhwbinder_noltopgo \
libhealthstoragedefault \
libvndksupport \
libhealthd_charger_nops \
diff --git a/libappfuse/FuseBridgeLoop.cc b/libappfuse/FuseBridgeLoop.cc
index f1ca446..f71d0c3 100644
--- a/libappfuse/FuseBridgeLoop.cc
+++ b/libappfuse/FuseBridgeLoop.cc
@@ -86,6 +86,7 @@
const bool proxy_read_ready = last_proxy_events_.events & EPOLLIN;
const bool proxy_write_ready = last_proxy_events_.events & EPOLLOUT;
+ last_state_ = state_;
last_device_events_.events = 0;
last_proxy_events_.events = 0;
diff --git a/libcutils/include/cutils/native_handle.h b/libcutils/include/cutils/native_handle.h
index f6cae36..4f07456 100644
--- a/libcutils/include/cutils/native_handle.h
+++ b/libcutils/include/cutils/native_handle.h
@@ -69,10 +69,11 @@
/*
* native_handle_create
- *
+ *
* creates a native_handle_t and initializes it. must be destroyed with
- * native_handle_delete().
- *
+ * native_handle_delete(). Note that numFds must be <= NATIVE_HANDLE_MAX_FDS,
+ * numInts must be <= NATIVE_HANDLE_MAX_INTS, and both must be >= 0.
+ *
*/
native_handle_t* native_handle_create(int numFds, int numInts);
diff --git a/libmemunreachable/Android.bp b/libmemunreachable/Android.bp
index 62a7266..f1abdd2 100644
--- a/libmemunreachable/Android.bp
+++ b/libmemunreachable/Android.bp
@@ -111,7 +111,7 @@
static_libs: ["libmemunreachable"],
shared_libs: [
"libbinder",
- "libhwbinder",
+ "libhidlbase",
"libutils",
],
test_suites: ["device-tests"],
diff --git a/libstats/statsd_writer.c b/libstats/statsd_writer.c
index b778f92..b1c05ea 100644
--- a/libstats/statsd_writer.c
+++ b/libstats/statsd_writer.c
@@ -109,6 +109,11 @@
if (sock < 0) {
ret = -errno;
} else {
+ int sndbuf = 1 * 1024 * 1024; // set max send buffer size 1MB
+ socklen_t bufLen = sizeof(sndbuf);
+ // SO_RCVBUF does not have an effect on unix domain socket, but SO_SNDBUF does.
+ // Proceed to connect even setsockopt fails.
+ setsockopt(sock, SOL_SOCKET, SO_SNDBUF, &sndbuf, bufLen);
struct sockaddr_un un;
memset(&un, 0, sizeof(struct sockaddr_un));
un.sun_family = AF_UNIX;
diff --git a/libsystem/include/system/graphics-base-v1.2.h b/libsystem/include/system/graphics-base-v1.2.h
new file mode 100644
index 0000000..2194f5e
--- /dev/null
+++ b/libsystem/include/system/graphics-base-v1.2.h
@@ -0,0 +1,31 @@
+// This file is autogenerated by hidl-gen. Do not edit manually.
+// Source: android.hardware.graphics.common@1.2
+// Location: hardware/interfaces/graphics/common/1.2/
+
+#ifndef HIDL_GENERATED_ANDROID_HARDWARE_GRAPHICS_COMMON_V1_2_EXPORTED_CONSTANTS_H_
+#define HIDL_GENERATED_ANDROID_HARDWARE_GRAPHICS_COMMON_V1_2_EXPORTED_CONSTANTS_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef enum {
+ HAL_HDR_HDR10_PLUS = 4,
+} android_hdr_v1_2_t;
+
+typedef enum {
+ HAL_DATASPACE_DISPLAY_BT2020 = 142999552 /* ((STANDARD_BT2020 | TRANSFER_SRGB) | RANGE_FULL) */,
+ HAL_DATASPACE_DYNAMIC_DEPTH = 4098 /* 0x1002 */,
+ HAL_DATASPACE_JPEG_APP_SEGMENTS = 4099 /* 0x1003 */,
+ HAL_DATASPACE_HEIF = 4100 /* 0x1004 */,
+} android_dataspace_v1_2_t;
+
+typedef enum {
+ HAL_PIXEL_FORMAT_HSV_888 = 55 /* 0x37 */,
+} android_pixel_format_v1_2_t;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif // HIDL_GENERATED_ANDROID_HARDWARE_GRAPHICS_COMMON_V1_2_EXPORTED_CONSTANTS_H_
diff --git a/libsystem/include/system/graphics-base.h b/libsystem/include/system/graphics-base.h
index ea92007..92ee077 100644
--- a/libsystem/include/system/graphics-base.h
+++ b/libsystem/include/system/graphics-base.h
@@ -3,5 +3,6 @@
#include "graphics-base-v1.0.h"
#include "graphics-base-v1.1.h"
+#include "graphics-base-v1.2.h"
#endif // SYSTEM_CORE_GRAPHICS_BASE_H_
diff --git a/lmkd/lmkd.c b/lmkd/lmkd.c
index 48140b8..521f92e 100644
--- a/lmkd/lmkd.c
+++ b/lmkd/lmkd.c
@@ -1373,8 +1373,8 @@
set_process_group_and_prio(pid, SP_FOREGROUND, ANDROID_PRIORITY_HIGHEST);
inc_killcnt(procp->oomadj);
- ALOGI("Kill '%s' (%d), uid %d, oom_adj %d to free %ldkB",
- taskname, pid, uid, procp->oomadj, tasksize * page_k);
+ ALOGE("Kill '%s' (%d), uid %d, oom_adj %d to free %ldkB", taskname, pid, uid, procp->oomadj,
+ tasksize * page_k);
TRACE_KILL_END();
diff --git a/rootdir/etc/ld.config.txt b/rootdir/etc/ld.config.txt
index b1616d3..f732b3c 100644
--- a/rootdir/etc/ld.config.txt
+++ b/rootdir/etc/ld.config.txt
@@ -183,6 +183,7 @@
namespace.media.asan.search.paths = /apex/com.android.media/${LIB}
namespace.media.permitted.paths = /apex/com.android.media/${LIB}/extractors
+namespace.media.asan.permitted.paths = /apex/com.android.media/${LIB}/extractors
namespace.media.links = default
namespace.media.link.default.shared_libs = %LLNDK_LIBRARIES%
@@ -651,6 +652,7 @@
namespace.media.asan.search.paths = /apex/com.android.media/${LIB}
namespace.media.permitted.paths = /apex/com.android.media/${LIB}/extractors
+namespace.media.asan.permitted.paths = /apex/com.android.media/${LIB}/extractors
namespace.media.links = default
namespace.media.link.default.shared_libs = %LLNDK_LIBRARIES%
diff --git a/rootdir/etc/public.libraries.android.txt b/rootdir/etc/public.libraries.android.txt
index d8f6095..27e855f 100644
--- a/rootdir/etc/public.libraries.android.txt
+++ b/rootdir/etc/public.libraries.android.txt
@@ -1,6 +1,7 @@
# See https://android.googlesource.com/platform/ndk/+/master/docs/PlatformApis.md
libandroid.so
libaaudio.so
+libamidi.so
libbinder_ndk.so
libc.so
libcamera2ndk.so
diff --git a/rootdir/etc/public.libraries.iot.txt b/rootdir/etc/public.libraries.iot.txt
index 20905bf..b565340 100644
--- a/rootdir/etc/public.libraries.iot.txt
+++ b/rootdir/etc/public.libraries.iot.txt
@@ -2,6 +2,7 @@
libandroid.so
libandroidthings.so
libaaudio.so
+libamidi.so
libbinder_ndk.so
libc.so
libcamera2ndk.so
diff --git a/rootdir/etc/public.libraries.wear.txt b/rootdir/etc/public.libraries.wear.txt
index 4ece5b5..7cbda08 100644
--- a/rootdir/etc/public.libraries.wear.txt
+++ b/rootdir/etc/public.libraries.wear.txt
@@ -1,6 +1,7 @@
# See https://android.googlesource.com/platform/ndk/+/master/docs/PlatformApis.md
libandroid.so
libaaudio.so
+libamidi.so
libbinder_ndk.so
libc.so
libcamera2ndk.so
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 3acf301..55a1623 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -590,7 +590,6 @@
symlink /data/data /data/user/0
mkdir /data/media 0770 media_rw media_rw
- mkdir /data/media/obb 0770 media_rw media_rw
mkdir /data/cache 0770 system cache
mkdir /data/cache/recovery 0770 system cache
@@ -667,6 +666,12 @@
chown root system /sys/module/lowmemorykiller/parameters/minfree
chmod 0664 /sys/module/lowmemorykiller/parameters/minfree
+ # System server manages zram writeback
+ chown root system /sys/block/zram0/idle
+ chmod 0664 /sys/block/zram0/idle
+ chown root system /sys/block/zram0/writeback
+ chmod 0664 /sys/block/zram0/writeback
+
# Tweak background writeout
write /proc/sys/vm/dirty_expire_centisecs 200
write /proc/sys/vm/dirty_background_ratio 5
diff --git a/rootdir/init.usb.rc b/rootdir/init.usb.rc
index f0681d2..b6cba90 100644
--- a/rootdir/init.usb.rc
+++ b/rootdir/init.usb.rc
@@ -14,7 +14,7 @@
# adbd is controlled via property triggers in init.<platform>.usb.rc
service adbd /system/bin/adbd --root_seclabel=u:r:su:s0
class core
- socket adbd stream 660 system system
+ socket adbd seqpacket 660 system system
disabled
seclabel u:r:adbd:s0
diff --git a/rootdir/init.zygote32.rc b/rootdir/init.zygote32.rc
index f8e680d..bf3fb42 100644
--- a/rootdir/init.zygote32.rc
+++ b/rootdir/init.zygote32.rc
@@ -4,7 +4,7 @@
user root
group root readproc reserved_disk
socket zygote stream 660 root system
- socket blastula_pool stream 660 root system
+ socket usap_pool_primary stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
diff --git a/rootdir/init.zygote32_64.rc b/rootdir/init.zygote32_64.rc
index 0235370..1bab588 100644
--- a/rootdir/init.zygote32_64.rc
+++ b/rootdir/init.zygote32_64.rc
@@ -4,7 +4,7 @@
user root
group root readproc reserved_disk
socket zygote stream 660 root system
- socket blastula_pool stream 660 root system
+ socket usap_pool_primary stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
@@ -20,6 +20,6 @@
user root
group root readproc reserved_disk
socket zygote_secondary stream 660 root system
- socket blastula_pool_secondary stream 660 root system
+ socket usap_pool_secondary stream 660 root system
onrestart restart zygote
writepid /dev/cpuset/foreground/tasks
diff --git a/rootdir/init.zygote64.rc b/rootdir/init.zygote64.rc
index 3f3cc15..6fa210a 100644
--- a/rootdir/init.zygote64.rc
+++ b/rootdir/init.zygote64.rc
@@ -4,7 +4,7 @@
user root
group root readproc reserved_disk
socket zygote stream 660 root system
- socket blastula_pool stream 660 root system
+ socket usap_pool_primary stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
diff --git a/rootdir/init.zygote64_32.rc b/rootdir/init.zygote64_32.rc
index fae38c9..48461ec 100644
--- a/rootdir/init.zygote64_32.rc
+++ b/rootdir/init.zygote64_32.rc
@@ -4,7 +4,7 @@
user root
group root readproc reserved_disk
socket zygote stream 660 root system
- socket blastula_pool stream 660 root system
+ socket usap_pool_primary stream 660 root system
onrestart write /sys/android_power/request_state wake
onrestart write /sys/power/state on
onrestart restart audioserver
@@ -20,6 +20,6 @@
user root
group root readproc reserved_disk
socket zygote_secondary stream 660 root system
- socket blastula_pool_secondary stream 660 root system
+ socket usap_pool_secondary stream 660 root system
onrestart restart zygote
writepid /dev/cpuset/foreground/tasks
diff --git a/sdcard/sdcard.cpp b/sdcard/sdcard.cpp
index 2b35819..0acea72 100644
--- a/sdcard/sdcard.cpp
+++ b/sdcard/sdcard.cpp
@@ -214,7 +214,14 @@
if (multi_user) {
std::string obb_path = source_path + "/obb";
- fs_prepare_dir(obb_path.c_str(), 0775, uid, gid);
+ // Only attempt to prepare the /obb dir if it already exists. We want
+ // the legacy obb path "/data/media/obb" to be fixed up so that we can
+ // migrate it to its new location, but we don't want the directory to be
+ // created if it doesn't already exist.
+ struct stat sb;
+ if (TEMP_FAILURE_RETRY(lstat(obb_path.c_str(), &sb)) == 0) {
+ fs_prepare_dir(obb_path.c_str(), 0775, uid, gid);
+ }
}
exit(0);
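Review bot: The `lstat` probe succeeds for anything at `obb_path`, including a symlink or a regular file, so `fs_prepare_dir` still runs when the path is not the legacy directory the comment describes. Checking the type makes the intent explicit: `if (TEMP_FAILURE_RETRY(lstat(obb_path.c_str(), &sb)) == 0 && S_ISDIR(sb.st_mode)) {`. The path can also change between the probe and `fs_prepare_dir`; what happens then depends on `fs_prepare_dir`, which is not in view, and its return value is ignored here. The enclosing function starts outside the hunk.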
diff --git a/trusty/gatekeeper/Android.bp b/trusty/gatekeeper/Android.bp
index 65b271a..1666cfb 100644
--- a/trusty/gatekeeper/Android.bp
+++ b/trusty/gatekeeper/Android.bp
@@ -1,4 +1,3 @@
-//
// Copyright (C) 2015 The Android Open-Source Project
//
// Licensed under the Apache License, Version 2.0 (the "License");
@@ -20,14 +19,15 @@
// to only building on ARM if they include assembly. Individual makefiles
// are responsible for having their own logic, for fine-grained control.
-cc_library_shared {
- name: "gatekeeper.trusty",
+cc_binary {
+ name: "android.hardware.gatekeeper@1.0-service.trusty",
+ defaults: ["hidl_defaults"],
vendor: true,
-
relative_install_path: "hw",
+ init_rc: ["android.hardware.gatekeeper@1.0-service.trusty.rc"],
srcs: [
- "module.cpp",
+ "service.cpp",
"trusty_gatekeeper_ipc.c",
"trusty_gatekeeper.cpp",
],
@@ -39,10 +39,16 @@
],
shared_libs: [
+ "android.hardware.gatekeeper@1.0",
+ "libbase",
+ "libhidlbase",
+ "libhidltransport",
"libgatekeeper",
+ "libutils",
"liblog",
"libcutils",
"libtrusty",
],
- header_libs: ["libhardware_headers"],
+
+ vintf_fragments: ["android.hardware.gatekeeper@1.0-service.trusty.xml"],
}
diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc
new file mode 100644
index 0000000..5413a6c
--- /dev/null
+++ b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.rc
@@ -0,0 +1,4 @@
+service vendor.gatekeeper-1-0 /vendor/bin/hw/android.hardware.gatekeeper@1.0-service.trusty
+ class hal
+ user system
+ group system
diff --git a/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml
new file mode 100644
index 0000000..19714a8
--- /dev/null
+++ b/trusty/gatekeeper/android.hardware.gatekeeper@1.0-service.trusty.xml
@@ -0,0 +1,11 @@
+<manifest version="1.0" type="device">
+ <hal format="hidl">
+ <name>android.hardware.gatekeeper</name>
+ <transport>hwbinder</transport>
+ <version>1.0</version>
+ <interface>
+ <name>IGatekeeper</name>
+ <instance>default</instance>
+ </interface>
+ </hal>
+</manifest>
diff --git a/trusty/gatekeeper/module.cpp b/trusty/gatekeeper/module.cpp
deleted file mode 100644
index 0ee3c2f..0000000
--- a/trusty/gatekeeper/module.cpp
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2015 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <hardware/hardware.h>
-
-#include <string.h>
-#include <errno.h>
-#include <stdlib.h>
-
-#include "trusty_gatekeeper.h"
-
-using gatekeeper::TrustyGateKeeperDevice;
-
-static int trusty_gatekeeper_open(const hw_module_t *module, const char *name,
- hw_device_t **device) {
-
- if (strcmp(name, HARDWARE_GATEKEEPER) != 0) {
- return -EINVAL;
- }
-
- TrustyGateKeeperDevice *gatekeeper = new TrustyGateKeeperDevice(module);
- if (gatekeeper == NULL) return -ENOMEM;
- *device = gatekeeper->hw_device();
-
- return 0;
-}
-
-static struct hw_module_methods_t gatekeeper_module_methods = {
- .open = trusty_gatekeeper_open,
-};
-
-struct gatekeeper_module HAL_MODULE_INFO_SYM __attribute__((visibility("default"))) = {
- .common = {
- .tag = HARDWARE_MODULE_TAG,
- .module_api_version = GATEKEEPER_MODULE_API_VERSION_0_1,
- .hal_api_version = HARDWARE_HAL_API_VERSION,
- .id = GATEKEEPER_HARDWARE_MODULE_ID,
- .name = "Trusty GateKeeper HAL",
- .author = "The Android Open Source Project",
- .methods = &gatekeeper_module_methods,
- .dso = 0,
- .reserved = {}
- },
-};
diff --git a/trusty/gatekeeper/service.cpp b/trusty/gatekeeper/service.cpp
new file mode 100644
index 0000000..c5ee488
--- /dev/null
+++ b/trusty/gatekeeper/service.cpp
@@ -0,0 +1,39 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#define LOG_TAG "android.hardware.gatekeeper@1.0-service.trusty"
+
+#include <android-base/logging.h>
+#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
+
+#include <hidl/LegacySupport.h>
+
+#include "trusty_gatekeeper.h"
+
+// Generated HIDL files
+using android::hardware::gatekeeper::V1_0::IGatekeeper;
+using gatekeeper::TrustyGateKeeperDevice;
+
+int main() {
+ ::android::hardware::configureRpcThreadpool(1, true /* willJoinThreadpool */);
+ android::sp<TrustyGateKeeperDevice> gatekeeper(new TrustyGateKeeperDevice());
+ auto status = gatekeeper->registerAsService();
+ if (status != android::OK) {
+ LOG(FATAL) << "Could not register service for Gatekeeper 1.0 (trusty) (" << status << ")";
+ }
+
+ android::hardware::joinRpcThreadpool();
+ return -1; // Should never get here.
+}
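Review bot: `main` registers the HAL even when the Trusty session could not be opened, because the `TrustyGateKeeperDevice()` constructor in trusty_gatekeeper.cpp only logs the failure and stores it in `error_`. Whether each later call reports that error is outside this file, so either document the behaviour here or fail fast before `registerAsService()`. A short comment on why the pool is `configureRpcThreadpool(1, true)`, presumably to serialize requests on the single Trusty channel, would help the next reader. `IGatekeeper` is brought in with `using` but is not referenced in the visible code.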
diff --git a/trusty/gatekeeper/trusty_gatekeeper.cpp b/trusty/gatekeeper/trusty_gatekeeper.cpp
index b3fbfa9..d149664 100644
--- a/trusty/gatekeeper/trusty_gatekeeper.cpp
+++ b/trusty/gatekeeper/trusty_gatekeeper.cpp
@@ -16,147 +16,131 @@
#define LOG_TAG "TrustyGateKeeper"
-#include <assert.h>
-#include <errno.h>
-#include <stdio.h>
-
-#include <type_traits>
-
-#include <log/log.h>
+#include <android-base/logging.h>
+#include <limits>
#include "trusty_gatekeeper.h"
#include "trusty_gatekeeper_ipc.h"
#include "gatekeeper_ipc.h"
+using ::android::hardware::hidl_vec;
+using ::android::hardware::Return;
+using ::android::hardware::gatekeeper::V1_0::GatekeeperStatusCode;
+using ::gatekeeper::EnrollRequest;
+using ::gatekeeper::EnrollResponse;
+using ::gatekeeper::ERROR_INVALID;
+using ::gatekeeper::ERROR_MEMORY_ALLOCATION_FAILED;
+using ::gatekeeper::ERROR_NONE;
+using ::gatekeeper::ERROR_RETRY;
+using ::gatekeeper::SizedBuffer;
+using ::gatekeeper::VerifyRequest;
+using ::gatekeeper::VerifyResponse;
+
namespace gatekeeper {
-const uint32_t SEND_BUF_SIZE = 8192;
-const uint32_t RECV_BUF_SIZE = 8192;
+constexpr const uint32_t SEND_BUF_SIZE = 8192;
+constexpr const uint32_t RECV_BUF_SIZE = 8192;
-TrustyGateKeeperDevice::TrustyGateKeeperDevice(const hw_module_t *module) {
-#if __cplusplus >= 201103L || defined(__GXX_EXPERIMENTAL_CXX0X__)
- static_assert(std::is_standard_layout<TrustyGateKeeperDevice>::value,
- "TrustyGateKeeperDevice must be standard layout");
- static_assert(offsetof(TrustyGateKeeperDevice, device_) == 0,
- "device_ must be the first member of TrustyGateKeeperDevice");
- static_assert(offsetof(TrustyGateKeeperDevice, device_.common) == 0,
- "common must be the first member of gatekeeper_device");
-#else
- assert(reinterpret_cast<gatekeeper_device_t *>(this) == &device_);
- assert(reinterpret_cast<hw_device_t *>(this) == &(device_.common));
-#endif
-
- memset(&device_, 0, sizeof(device_));
- device_.common.tag = HARDWARE_DEVICE_TAG;
- device_.common.version = 1;
- device_.common.module = const_cast<hw_module_t *>(module);
- device_.common.close = close_device;
-
- device_.enroll = enroll;
- device_.verify = verify;
- device_.delete_user = nullptr;
- device_.delete_all_users = nullptr;
-
+TrustyGateKeeperDevice::TrustyGateKeeperDevice() {
int rc = trusty_gatekeeper_connect();
if (rc < 0) {
- ALOGE("Error initializing trusty session: %d", rc);
+ LOG(ERROR) << "Error initializing trusty session: " << rc;
}
error_ = rc;
-
-}
-
-hw_device_t* TrustyGateKeeperDevice::hw_device() {
- return &device_.common;
-}
-
-int TrustyGateKeeperDevice::close_device(hw_device_t* dev) {
- delete reinterpret_cast<TrustyGateKeeperDevice *>(dev);
- return 0;
}
TrustyGateKeeperDevice::~TrustyGateKeeperDevice() {
trusty_gatekeeper_disconnect();
}
-int TrustyGateKeeperDevice::Enroll(uint32_t uid, const uint8_t *current_password_handle,
- uint32_t current_password_handle_length, const uint8_t *current_password,
- uint32_t current_password_length, const uint8_t *desired_password,
- uint32_t desired_password_length, uint8_t **enrolled_password_handle,
- uint32_t *enrolled_password_handle_length) {
-
- if (error_ != 0) {
- return error_;
- }
-
- SizedBuffer desired_password_buffer(desired_password_length);
- memcpy(desired_password_buffer.buffer.get(), desired_password, desired_password_length);
-
- SizedBuffer current_password_handle_buffer(current_password_handle_length);
- if (current_password_handle) {
- memcpy(current_password_handle_buffer.buffer.get(), current_password_handle,
- current_password_handle_length);
- }
-
- SizedBuffer current_password_buffer(current_password_length);
- if (current_password) {
- memcpy(current_password_buffer.buffer.get(), current_password, current_password_length);
- }
-
- EnrollRequest request(uid, ¤t_password_handle_buffer, &desired_password_buffer,
- ¤t_password_buffer);
- EnrollResponse response;
-
- gatekeeper_error_t error = Send(request, &response);
-
- if (error == ERROR_RETRY) {
- return response.retry_timeout;
- } else if (error != ERROR_NONE) {
- return -EINVAL;
- }
-
- *enrolled_password_handle = response.enrolled_password_handle.buffer.release();
- *enrolled_password_handle_length = response.enrolled_password_handle.length;
-
-
- return 0;
+SizedBuffer hidl_vec2sized_buffer(const hidl_vec<uint8_t>& vec) {
+ if (vec.size() == 0 || vec.size() > std::numeric_limits<uint32_t>::max()) return {};
+ auto dummy = new uint8_t[vec.size()];
+ std::copy(vec.begin(), vec.end(), dummy);
+ return {dummy, static_cast<uint32_t>(vec.size())};
}
-int TrustyGateKeeperDevice::Verify(uint32_t uid, uint64_t challenge,
- const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
- const uint8_t *provided_password, uint32_t provided_password_length,
- uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll) {
+Return<void> TrustyGateKeeperDevice::enroll(uint32_t uid,
+ const hidl_vec<uint8_t>& currentPasswordHandle,
+ const hidl_vec<uint8_t>& currentPassword,
+ const hidl_vec<uint8_t>& desiredPassword,
+ enroll_cb _hidl_cb) {
if (error_ != 0) {
- return error_;
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return {};
}
- SizedBuffer password_handle_buffer(enrolled_password_handle_length);
- memcpy(password_handle_buffer.buffer.get(), enrolled_password_handle,
- enrolled_password_handle_length);
- SizedBuffer provided_password_buffer(provided_password_length);
- memcpy(provided_password_buffer.buffer.get(), provided_password, provided_password_length);
+ if (desiredPassword.size() == 0) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return {};
+ }
- VerifyRequest request(uid, challenge, &password_handle_buffer, &provided_password_buffer);
+ EnrollRequest request(uid, hidl_vec2sized_buffer(currentPasswordHandle),
+ hidl_vec2sized_buffer(desiredPassword),
+ hidl_vec2sized_buffer(currentPassword));
+ EnrollResponse response;
+ auto error = Send(request, &response);
+ if (error != ERROR_NONE) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ } else if (response.error == ERROR_RETRY) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
+ } else if (response.error != ERROR_NONE) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ } else {
+ hidl_vec<uint8_t> new_handle(response.enrolled_password_handle.Data<uint8_t>(),
+ response.enrolled_password_handle.Data<uint8_t>() +
+ response.enrolled_password_handle.size());
+ _hidl_cb({GatekeeperStatusCode::STATUS_OK, response.retry_timeout, new_handle});
+ }
+ return {};
+}
+
+Return<void> TrustyGateKeeperDevice::verify(
+ uint32_t uid, uint64_t challenge,
+ const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
+ const ::android::hardware::hidl_vec<uint8_t>& providedPassword, verify_cb _hidl_cb) {
+ if (error_ != 0) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return {};
+ }
+
+ if (enrolledPasswordHandle.size() == 0) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ return {};
+ }
+
+ VerifyRequest request(uid, challenge, hidl_vec2sized_buffer(enrolledPasswordHandle),
+ hidl_vec2sized_buffer(providedPassword));
VerifyResponse response;
- gatekeeper_error_t error = Send(request, &response);
+ auto error = Send(request, &response);
+ if (error != ERROR_NONE) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ } else if (response.error == ERROR_RETRY) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_RETRY_TIMEOUT, response.retry_timeout, {}});
+ } else if (response.error != ERROR_NONE) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_GENERAL_FAILURE, 0, {}});
+ } else {
+ hidl_vec<uint8_t> auth_token(
+ response.auth_token.Data<uint8_t>(),
+ response.auth_token.Data<uint8_t>() + response.auth_token.size());
- if (error == ERROR_RETRY) {
- return response.retry_timeout;
- } else if (error != ERROR_NONE) {
- return -EINVAL;
+ _hidl_cb({response.request_reenroll ? GatekeeperStatusCode::STATUS_REENROLL
+ : GatekeeperStatusCode::STATUS_OK,
+ response.retry_timeout, auth_token});
}
+ return {};
+}
- if (auth_token != NULL && auth_token_length != NULL) {
- *auth_token = response.auth_token.buffer.release();
- *auth_token_length = response.auth_token.length;
- }
+Return<void> TrustyGateKeeperDevice::deleteUser(uint32_t /*uid*/, deleteUser_cb _hidl_cb) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
+ return {};
+}
- if (request_reenroll != NULL) {
- *request_reenroll = response.request_reenroll;
- }
-
- return 0;
+Return<void> TrustyGateKeeperDevice::deleteAllUsers(deleteAllUsers_cb _hidl_cb) {
+ _hidl_cb({GatekeeperStatusCode::ERROR_NOT_IMPLEMENTED, 0, {}});
+ return {};
}
gatekeeper_error_t TrustyGateKeeperDevice::Send(uint32_t command, const GateKeeperMessage& request,
@@ -172,7 +156,7 @@
uint32_t response_size = RECV_BUF_SIZE;
int rc = trusty_gatekeeper_call(command, send_buf, request_size, recv_buf, &response_size);
if (rc < 0) {
- ALOGE("error (%d) calling gatekeeper TA", rc);
+ LOG(ERROR) << "error (" << rc << ") calling gatekeeper TA";
return ERROR_INVALID;
}
@@ -182,51 +166,4 @@
return response->Deserialize(payload, payload + response_size);
}
-static inline TrustyGateKeeperDevice *convert_device(const gatekeeper_device *dev) {
- return reinterpret_cast<TrustyGateKeeperDevice *>(const_cast<gatekeeper_device *>(dev));
-}
-
-/* static */
-int TrustyGateKeeperDevice::enroll(const struct gatekeeper_device *dev, uint32_t uid,
- const uint8_t *current_password_handle, uint32_t current_password_handle_length,
- const uint8_t *current_password, uint32_t current_password_length,
- const uint8_t *desired_password, uint32_t desired_password_length,
- uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length) {
-
- if (dev == NULL ||
- enrolled_password_handle == NULL || enrolled_password_handle_length == NULL ||
- desired_password == NULL || desired_password_length == 0)
- return -EINVAL;
-
- // Current password and current password handle go together
- if (current_password_handle == NULL || current_password_handle_length == 0 ||
- current_password == NULL || current_password_length == 0) {
- current_password_handle = NULL;
- current_password_handle_length = 0;
- current_password = NULL;
- current_password_length = 0;
- }
-
- return convert_device(dev)->Enroll(uid, current_password_handle, current_password_handle_length,
- current_password, current_password_length, desired_password, desired_password_length,
- enrolled_password_handle, enrolled_password_handle_length);
-
-}
-
-/* static */
-int TrustyGateKeeperDevice::verify(const struct gatekeeper_device *dev, uint32_t uid,
- uint64_t challenge, const uint8_t *enrolled_password_handle,
- uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
- uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
- bool *request_reenroll) {
-
- if (dev == NULL || enrolled_password_handle == NULL ||
- provided_password == NULL) {
- return -EINVAL;
- }
-
- return convert_device(dev)->Verify(uid, challenge, enrolled_password_handle,
- enrolled_password_handle_length, provided_password, provided_password_length,
- auth_token, auth_token_length, request_reenroll);
-}
};
diff --git a/trusty/gatekeeper/trusty_gatekeeper.h b/trusty/gatekeeper/trusty_gatekeeper.h
index 2becc49..c0713f4 100644
--- a/trusty/gatekeeper/trusty_gatekeeper.h
+++ b/trusty/gatekeeper/trusty_gatekeeper.h
@@ -17,84 +17,34 @@
#ifndef TRUSTY_GATEKEEPER_H
#define TRUSTY_GATEKEEPER_H
-#include <hardware/gatekeeper.h>
+#include <android/hardware/gatekeeper/1.0/IGatekeeper.h>
+#include <hidl/Status.h>
+
+#include <memory>
+
#include <gatekeeper/gatekeeper_messages.h>
#include "gatekeeper_ipc.h"
namespace gatekeeper {
-class TrustyGateKeeperDevice {
- public:
-
- explicit TrustyGateKeeperDevice(const hw_module_t* module);
+class TrustyGateKeeperDevice : public ::android::hardware::gatekeeper::V1_0::IGatekeeper {
+ public:
+ explicit TrustyGateKeeperDevice();
~TrustyGateKeeperDevice();
-
- hw_device_t* hw_device();
-
/**
* Enrolls password_payload, which should be derived from a user selected pin or password,
* with the authentication factor private key used only for enrolling authentication
* factor data.
*
* Returns: 0 on success or an error code less than 0 on error.
- * On error, enrolled_password will not be allocated.
- */
- int Enroll(uint32_t uid, const uint8_t *current_password_handle,
- uint32_t current_password_handle_length, const uint8_t *current_password,
- uint32_t current_password_length, const uint8_t *desired_password,
- uint32_t desired_password_length, uint8_t **enrolled_password_handle,
- uint32_t *enrolled_password_handle_length);
-
- /**
- * Verifies provided_password matches expected_password after enrolling
- * with the authentication factor private key.
- *
- * Implementations of this module may retain the result of this call
- * to attest to the recency of authentication.
- *
- * On success, writes the address of a verification token to verification_token,
- *
- * Returns: 0 on success or an error code less than 0 on error
- * On error, verification token will not be allocated
- */
- int Verify(uint32_t uid, uint64_t challenge, const uint8_t *enrolled_password_handle,
- uint32_t enrolled_password_handle_length, const uint8_t *provided_password,
- uint32_t provided_password_length, uint8_t **auth_token, uint32_t *auth_token_length,
- bool *request_reenroll);
-
- private:
-
- gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
- GateKeeperMessage* response);
-
- gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
- return Send(GK_ENROLL, request, response);
- }
-
- gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
- return Send(GK_VERIFY, request, response);
- }
-
- // Static methods interfacing the HAL API with the TrustyGateKeeper device
-
- /**
- * Enrolls desired_password, which should be derived from a user selected pin or password,
- * with the authentication factor private key used only for enrolling authentication
- * factor data.
- *
- * If there was already a password enrolled, it should be provided in
- * current_password_handle, along with the current password in current_password
- * that should validate against current_password_handle.
- *
- * Returns: 0 on success or an error code less than 0 on error.
* On error, enrolled_password_handle will not be allocated.
*/
- static int enroll(const struct gatekeeper_device *dev, uint32_t uid,
- const uint8_t *current_password_handle, uint32_t current_password_handle_length,
- const uint8_t *current_password, uint32_t current_password_length,
- const uint8_t *desired_password, uint32_t desired_password_length,
- uint8_t **enrolled_password_handle, uint32_t *enrolled_password_handle_length);
+ ::android::hardware::Return<void> enroll(
+ uint32_t uid, const ::android::hardware::hidl_vec<uint8_t>& currentPasswordHandle,
+ const ::android::hardware::hidl_vec<uint8_t>& currentPassword,
+ const ::android::hardware::hidl_vec<uint8_t>& desiredPassword,
+ enroll_cb _hidl_cb) override;
/**
* Verifies provided_password matches enrolled_password_handle.
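Review bot: The doc comment kept above the new `enroll` override still describes the old C entry point: it says "Returns: 0 on success or an error code less than 0 on error", but the method now returns `Return<void>` and reports a `GatekeeperStatusCode` through `_hidl_cb`. The comment above `verify` in the next hunk carries the same stale "Returns" text. The commit also deletes the paragraph saying that a current handle and current password must be supplied together. The removed static wrapper in trusty_gatekeeper.cpp cleared both when either was missing, and the new `enroll` has no counterpart, so the header should say who enforces that pairing now (presumably the Trusty app; worth confirming). I would replace the return lines with `* Reports STATUS_OK with the new handle, ERROR_RETRY_TIMEOUT with a timeout, or ERROR_GENERAL_FAILURE through _hidl_cb.` and add one sentence on the pairing.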
@@ -109,18 +59,32 @@
* Returns: 0 on success or an error code less than 0 on error
* On error, verification token will not be allocated
*/
- static int verify(const struct gatekeeper_device *dev, uint32_t uid, uint64_t challenge,
- const uint8_t *enrolled_password_handle, uint32_t enrolled_password_handle_length,
- const uint8_t *provided_password, uint32_t provided_password_length,
- uint8_t **auth_token, uint32_t *auth_token_length, bool *request_reenroll);
+ ::android::hardware::Return<void> verify(
+ uint32_t uid, uint64_t challenge,
+ const ::android::hardware::hidl_vec<uint8_t>& enrolledPasswordHandle,
+ const ::android::hardware::hidl_vec<uint8_t>& providedPassword,
+ verify_cb _hidl_cb) override;
- static int close_device(hw_device_t* dev);
+ ::android::hardware::Return<void> deleteUser(uint32_t uid, deleteUser_cb _hidl_cb) override;
- gatekeeper_device device_;
+ ::android::hardware::Return<void> deleteAllUsers(deleteAllUsers_cb _hidl_cb) override;
+
+ private:
+ gatekeeper_error_t Send(uint32_t command, const GateKeeperMessage& request,
+ GateKeeperMessage* response);
+
+ gatekeeper_error_t Send(const EnrollRequest& request, EnrollResponse *response) {
+ return Send(GK_ENROLL, request, response);
+ }
+
+ gatekeeper_error_t Send(const VerifyRequest& request, VerifyResponse *response) {
+ return Send(GK_VERIFY, request, response);
+ }
+
int error_;
-
};
-}
+
+} // namespace gatekeeper
#endif
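Review bot: `deleteUser` and `deleteAllUsers` are declared without any comment, yet the implementation in trusty_gatekeeper.cpp answers both with `ERROR_NOT_IMPLEMENTED` and never calls `Send`. A caller reading the header cannot tell that these calls delete nothing on the Trusty side. A one-line comment on each would cover it, for example `// Not supported by this implementation: always reports ERROR_NOT_IMPLEMENTED.`. The `error_` member deserves the same treatment, e.g. `// Result of trusty_gatekeeper_connect(); non-zero makes enroll/verify report ERROR_GENERAL_FAILURE.`, since it is set once in the constructor and gates every later request.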
diff --git a/trusty/trusty-base.mk b/trusty/trusty-base.mk
index 445d3ce..fd8daa8 100644
--- a/trusty/trusty-base.mk
+++ b/trusty/trusty-base.mk
@@ -24,9 +24,7 @@
PRODUCT_PACKAGES += \
android.hardware.keymaster@4.0-service.trusty \
- android.hardware.gatekeeper@1.0-service \
- android.hardware.gatekeeper@1.0-impl \
- gatekeeper.trusty
+ android.hardware.gatekeeper@1.0-service.trusty
PRODUCT_PROPERTY_OVERRIDES += \
ro.hardware.keystore=trusty \