From caf0aeea16c399d11f37b20db59cc3f38cc9f53c Mon Sep 17 00:00:00 2001 From: fundavid Date: Mon, 23 Sep 2024 15:12:52 +0800 Subject: [PATCH] code sync Signed-off-by: fundavid --- bundle.json | 1 - .../include/jit_buffer_integrity.h | 3 +- .../jit_code_sign/include/jit_fort_helper.h | 4 +- .../key_enable/cfg/disable_xpm/key_enable.cfg | 8 +-- .../cfg/enable_xpm/level1/key_enable.cfg | 8 +-- .../cfg/enable_xpm/level2/key_enable.cfg | 8 +-- .../cfg/enable_xpm/level3/key_enable.cfg | 8 +-- .../cfg/enable_xpm/level4/key_enable.cfg | 8 +-- .../cfg/enable_xpm/level5/key_enable.cfg | 8 +-- services/key_enable/src/cert_chain_utils.rs | 2 +- services/key_enable/src/cert_path_utils.rs | 2 +- services/key_enable/src/key_enable.rs | 48 +++++++++---- services/key_enable/src/profile_utils.rs | 69 ++++++++++++------- 13 files changed, 110 insertions(+), 67 deletions(-) diff --git a/bundle.json b/bundle.json index 55047c6..414b8e6 100644 --- a/bundle.json +++ b/bundle.json @@ -30,7 +30,6 @@ "hitrace", "hisysevent", "ability_base", - "bounds_checking_function", "c_utils", "ipc", "samgr", diff --git a/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h b/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h index 95a7dd1..5b61c48 100644 --- a/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h +++ b/interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h @@ -20,7 +20,6 @@ #include #include "errcode.h" -#include "jit_fort_helper.h" #include "jit_code_signer_base.h" #include "jit_code_signer_factory.h" #include "jit_fort_helper.h" @@ -214,7 +213,7 @@ __attribute__((no_sanitize("cfi"))) static inline int32_t CopyToJitCode( return CS_ERR_JITFORT_IN; } #endif - if (IsSupportPACFeature()) { + if (IsSupportJitCodeSigner()) { ret = signer->ValidateCodeCopy(reinterpret_cast(jitMemory), reinterpret_cast(tmpBuffer), size); } else { 
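Review bot: The new `if (IsSupportJitCodeSigner())` gate in CopyToJitCode decides whether `signer->ValidateCodeCopy` runs at all, and the `else` branch that follows presumably copies without validation, so the safety of the copy now rests on a helper that neither header touched by this patch defines. The old `IsSupportPACFeature()` test was a pure hardware-capability probe; if `IsSupportJitCodeSigner()` also consults a runtime or build switch, a PAC-capable device could reach the unvalidated path, which is worth pinning at the call site: `// Validation is skipped only when no JIT code signer exists for this build/device; this must never depend on a runtime opt-out.` Dropping the duplicate `#include "jit_fort_helper.h"` is fine since the other include of it remains. CopyToJitCode begins and ends outside this hunk.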
diff --git a/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h b/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h index 46b33a9..40e704d 100644 --- a/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h +++ b/interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h @@ -22,7 +22,6 @@ #ifdef __aarch64__ #include #include -#include #endif #include "errcode.h" @@ -67,7 +66,8 @@ __attribute__((always_inline)) static int inline PrctlWrapper( __attribute__((always_inline)) static inline bool IsSupportPACFeature() { #ifdef __aarch64__ - long hwcaps = PrctlWrapper(JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0); + unsigned long hwcaps = static_cast(PrctlWrapper( + JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0)); if ((hwcaps & HWCAP_PACA) && (hwcaps & HWCAP_PACG)) { return true; } diff --git a/services/key_enable/cfg/disable_xpm/key_enable.cfg b/services/key_enable/cfg/disable_xpm/key_enable.cfg index ff934d4..32a8fb3 100644 --- a/services/key_enable/cfg/disable_xpm/key_enable.cfg +++ b/services/key_enable/cfg/disable_xpm/key_enable.cfg @@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg index 3d0685a..c96ac7c 100644 --- a/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level1/key_enable.cfg 
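Review bot: Casting the `PrctlWrapper` result straight to `unsigned long` in IsSupportPACFeature turns a failed query (a negative return, if PrctlWrapper passes through prctl's -1) into an all-ones mask, so `(hwcaps & HWCAP_PACA) && (hwcaps & HWCAP_PACG)` reports PAC as present on exactly the path where the kernel refused to answer. The old `long hwcaps` had the same weakness, but the explicit cast now makes it look deliberate; test the sign first: `const int caps = PrctlWrapper(JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0); if (caps < 0) { return false; } const unsigned long hwcaps = static_cast<unsigned long>(caps);`. Whichever way the error case should resolve, it should be an explicit decision in this function rather than an artefact of the bit mask, since callers use the answer to pick a protection path. The function's remaining lines are outside the hunk.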
@@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg index 8cd2cf5..68da39f 100644 --- a/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level2/key_enable.cfg @@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg index 086faea..4d5fb6f 100644 --- a/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level3/key_enable.cfg 
@@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg index 2a8c20d..86babbf 100644 --- a/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level4/key_enable.cfg @@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg index d4615d7..6eb075e 100644 --- a/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg +++ b/services/key_enable/cfg/enable_xpm/level5/key_enable.cfg 
@@ -3,12 +3,12 @@ "name" : "post-fs-data", "cmds" : [ "write /proc/sys/fs/verity/require_signatures 1", - "mkdir /data/service/el1/profiles 0655 installs installs", - "mkdir /data/service/el1/profiles/release 0655 installs installs", - "mkdir /data/service/el1/profiles/debug 0655 installs installs" + "mkdir /data/service/el1/public/profiles 0655 installs installs", + "mkdir /data/service/el1/public/profiles/release 0655 installs installs", + "mkdir /data/service/el1/public/profiles/debug 0655 installs installs" ] }, { - "name" : "late-fs", + "name" : "init", "cmds" : [ "start key_enable" ] diff --git a/services/key_enable/src/cert_chain_utils.rs b/services/key_enable/src/cert_chain_utils.rs index 6cc5be9..23c50cf 100644 --- a/services/key_enable/src/cert_chain_utils.rs +++ b/services/key_enable/src/cert_chain_utils.rs @@ -22,7 +22,7 @@ use ylong_json::JsonValue; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; /// collection to contain pem data diff --git a/services/key_enable/src/cert_path_utils.rs b/services/key_enable/src/cert_path_utils.rs index 6841b15..9d03557 100644 --- a/services/key_enable/src/cert_path_utils.rs +++ b/services/key_enable/src/cert_path_utils.rs @@ -24,7 +24,7 @@ extern "C" { const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; const TRUST_PROFILE_PATH_KEY: &str = "trust-profile-path"; diff --git a/services/key_enable/src/key_enable.rs b/services/key_enable/src/key_enable.rs index 5eebc3a..b9867d6 100644 --- a/services/key_enable/src/key_enable.rs +++ b/services/key_enable/src/key_enable.rs 
@@ -26,10 +26,12 @@ use std::io::{BufRead, BufReader}; use std::option::Option; use std::ptr; use std::thread; +use std::time::{Duration, Instant}; +use std::path::Path; const LOG_LABEL: HiLogLabel = HiLogLabel { log_type: LogType::LogCore, - domain: 0xd005a06, // security domain + domain: 0xd005a06, tag: "CODE_SIGN", }; @@ -39,6 +41,9 @@ const KEYRING_TYPE: &str = "keyring"; const FSVERITY_KEYRING_NAME: &str = ".fs-verity"; const LOCAL_KEY_NAME: &str = "local_key"; const CODE_SIGN_KEY_NAME_PREFIX: &str = "fs_verity_key"; +const PROFILE_STORE_EL1: &str = "/data/service/el1/public/profiles"; +const PROFILE_SEARCH_SLEEP_TIME: u64 = 200; +const PROFILE_SEARCH_SLEEP_OUT_TIME: u64 = 600; const SUCCESS: i32 = 0; type KeySerial = i32; 
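Review bot: `PROFILE_SEARCH_SLEEP_TIME` and `PROFILE_SEARCH_SLEEP_OUT_TIME` are bare `u64`s whose units live only at the use sites (the following hunk feeds one to `Duration::from_millis` and the other to `Duration::from_secs`), and the name "SLEEP_OUT_TIME" does not say it is the overall timeout. Since this hunk already imports `Duration`, the constants can carry their unit in the type: `const PROFILE_SEARCH_SLEEP_TIME: Duration = Duration::from_millis(200);` and `const PROFILE_SEARCH_SLEEP_OUT_TIME: Duration = Duration::from_secs(600);`, after which the loop compares and sleeps on them directly. A one-line comment on `PROFILE_STORE_EL1` noting that it is the directory created by the `post-fs-data` job in key_enable.cfg would tie the two halves of this patch together. Under rustfmt's ordering the new `use std::path::Path;` belongs before `use std::ptr;`.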
@@ -164,24 +169,37 @@ fn enable_trusted_keys(key_id: KeySerial, root_cert: &PemCollection) { } } +fn check_and_add_cert_path(root_cert: &PemCollection, cert_paths: &TrustCertPath) -> bool { + if Path::new(PROFILE_STORE_EL1).exists() { + if add_profile_cert_path(root_cert, cert_paths).is_err() { + error!(LOG_LABEL, "Add cert path from local profile err."); + } + info!(LOG_LABEL, "Finished cert path adding."); + true + } else { + false + } +} + // start cert path ops thread add trusted cert & developer cert -fn add_cert_path_thread( +fn add_profile_cert_path_thread( root_cert: PemCollection, cert_paths: TrustCertPath, ) -> std::thread::JoinHandle<()> { thread::spawn(move || { - // enable trusted cert in prebuilt config - info!(LOG_LABEL, "Starting enable trusted cert."); - if cert_paths.add_cert_paths().is_err() { - error!(LOG_LABEL, "Add trusted cert path err."); - } - // enable developer certs info!(LOG_LABEL, "Starting enable developer cert."); - if add_profile_cert_path(&root_cert, &cert_paths).is_err() { - error!(LOG_LABEL, "Add cert path from local profile err."); + let start_time = Instant::now(); + loop { + if check_and_add_cert_path(&root_cert, &cert_paths) { + break; + } else if start_time.elapsed() >= Duration::from_secs(PROFILE_SEARCH_SLEEP_OUT_TIME) { + error!(LOG_LABEL, "Timeout while waiting for PROFILE_STORE_EL1."); + break; + } else { + thread::sleep(Duration::from_millis(PROFILE_SEARCH_SLEEP_TIME)); + } } - info!(LOG_LABEL, "Finished cert path adding."); }) } 
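Review bot: `check_and_add_cert_path` returns `true` as soon as `Path::new(PROFILE_STORE_EL1).exists()`, regardless of whether `add_profile_cert_path` succeeded, so a failure on the first attempt is logged once, `"Finished cert path adding."` is still emitted, and the retry loop in `add_profile_cert_path_thread` exits without retrying. That fails closed for code signing (the developer cert paths simply never become trusted until the next boot), but it makes the loop weaker than it reads, so the contract should be stated: `/// Returns true once PROFILE_STORE_EL1 exists, even if loading the profile cert paths failed (the error is logged, not retried); false while the store is not yet available.` The wait appears to exist because the cfg files in this patch move `start key_enable` from `late-fs` to `init`, ahead of the `post-fs-data` mkdirs; a line such as `// key_enable now starts in the init job, before /data and the profile directories exist` would explain the 600 s budget. Note also that `enable_all_keys` joins this thread, so a device where the directory never appears stalls that function for the full timeout.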
@@ -230,12 +248,16 @@ pub fn enable_all_keys() { enable_trusted_keys(key_id, &root_cert); let cert_paths = get_cert_path(); - let cert_thread = add_cert_path_thread(root_cert, cert_paths); + // enable trusted cert in prebuilt config + if cert_paths.add_cert_paths().is_err() { + error!(LOG_LABEL, "Add trusted cert path err."); + } + + let cert_thread = add_profile_cert_path_thread(root_cert, cert_paths); enable_keys_after_user_unlock(key_id); if let Err(e) = cert_thread.join() { error!(LOG_LABEL, "add cert path thread panicked: {:?}", e); } - info!(LOG_LABEL, "Fnished enable all keys."); } diff --git a/services/key_enable/src/profile_utils.rs b/services/key_enable/src/profile_utils.rs index b0d2d62..0a16661 100644 --- a/services/key_enable/src/profile_utils.rs +++ b/services/key_enable/src/profile_utils.rs @@ -42,8 +42,10 @@ const LOG_LABEL: HiLogLabel = HiLogLabel { }; const PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/developer"; const PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/release"; +const PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/release"; const DEBUG_PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/debug"; const DEBUG_PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/debug"; +const DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/debug"; const PROFILE_STORE_TAIL: &str = "profile.p7b"; const PROFILE_TYPE_KEY: &str = "type"; const PROFILE_DEVICE_ID_TYPE_KEY: &str = "device-id-type"; 
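Review bot: `PROFILE_STORE_EL1_PUBLIC_PREFIX` and `DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX` are added alongside, not instead of, the `/data/service/el1/profiles/...` prefixes, and nothing records why both remain: the later hunks write new bundles only under the public prefixes and the key_enable.cfg files no longer create the old directories, yet `get_profile_paths` still loads anything left under the old paths as a trusted cert-path source. If this is a migration aid for upgraded devices it deserves a comment, e.g. `// Legacy EL1 store: still read and cleaned up, no longer written; remove once devices have migrated to the public store.`, so a future cleanup does not overlook that a stale profile there is still trusted. If keeping the old read path is not intentional, the old prefixes should be dropped from the read list in this patch.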
@@ -220,8 +222,8 @@ fn format_x509_fabricate_name(name: &X509NameRef) -> String { fn get_profile_paths(is_debug: bool) -> Vec { let mut paths = Vec::new(); let profile_prefixes = match is_debug { - false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX], - true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX], + false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX, PROFILE_STORE_EL1_PUBLIC_PREFIX], + true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX, DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX], }; for profile_prefix in profile_prefixes { paths.extend(get_paths_from_prefix(profile_prefix)); @@ -375,10 +377,10 @@ fn process_data(profile_data: &[u8]) -> Result<(String, String, u32), ()> { fn create_bundle_path(bundle_name: &str, profile_type: u32) -> Result { let bundle_path = match profile_type { value if value == DebugCertPathType::Developer as u32 => { - fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } value if value == ReleaseCertPathType::Developer as u32 => { - fmt_store_path(PROFILE_STORE_EL1_PREFIX, bundle_name) + fmt_store_path(PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name) } _ => { error!(LOG_LABEL, "invalid profile type"); 
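Review bot: `get_profile_paths` now carries its own three-entry prefix lists while `remove_key_in_profile_internal` later in this patch carries a separate six-entry list of the same prefixes; the next store location added to one and not the other would leave a profile that is trusted at boot but can never be removed. Hoisting them to shared constants keeps the two in step, e.g. `const RELEASE_PROFILE_PREFIXES: &[&str] = &[PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX, PROFILE_STORE_EL1_PUBLIC_PREFIX];` with a matching `DEBUG_PROFILE_PREFIXES`, after which the `match is_debug` becomes `if is_debug { DEBUG_PROFILE_PREFIXES } else { RELEASE_PROFILE_PREFIXES }` and the removal loop can chain the two slices. The two `vec![...]` lines as written also exceed rustfmt's 100-column width.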
@@ -422,24 +424,16 @@ fn enable_key_in_profile_internal( Ok(()) } -fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { - let _bundle_name = c_char_to_string(bundle_name); - if _bundle_name.is_empty() { - error!(LOG_LABEL, "Invalid bundle name"); +fn process_remove_bundle( + prefix: &str, + bundle_name: &str, +) -> Result<(), ()> { + let bundle_path = fmt_store_path(prefix, bundle_name); + + if !file_exists(&bundle_path) { return Err(()); } - let debug_bundle_path = fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, &_bundle_name); - let release_bundle_path = fmt_store_path(PROFILE_STORE_EL1_PREFIX, &_bundle_name); - - let bundle_path = if file_exists(&debug_bundle_path) { - debug_bundle_path - } else if file_exists(&release_bundle_path) { - release_bundle_path - } else { - error!(LOG_LABEL, "bundle path does not exists!"); - return Err(()); - }; let filename = fmt_store_path(&bundle_path, PROFILE_STORE_TAIL); let mut profile_data = Vec::new(); if load_bytes_from_file(&filename, &mut profile_data).is_err() { 
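Review bot: `process_remove_bundle` returns the same `Err(())` for "this prefix holds no such bundle", which is the expected outcome for most of the six prefixes the caller iterates, as for a genuine failure further down the body, so the caller's `rm_succ` flag cannot distinguish a bundle that was half-removed at one prefix from one that was never there. Returning `Result<bool, ()>` and making the absent case `if !file_exists(&bundle_path) { return Ok(false); }` lets the caller surface real failures instead of folding them into one "Failed to remove" line. A `///` comment stating that `bundle_name` is joined onto `prefix` by `fmt_store_path` and is expected to be a plain bundle identifier would also help readers of this new entry point. The function body continues past the end of this hunk.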
@@ -452,19 +446,48 @@ fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "remove bundle_path path {}!", @public(bundle_path)); - if unsafe { !IsDeveloperModeOn() } && profile_type == DebugCertPathType::Developer as u32 { - info!(LOG_LABEL, "not remove profile_type:{} when development off", @public(profile_type)); - return Ok(()); - } + if remove_cert_path_info(subject, issuer, profile_type, DEFAULT_MAX_CERT_PATH_LEN).is_err() { error!(LOG_LABEL, "remove profile data error!"); return Err(()); } + info!(LOG_LABEL, "finish remove cert path in ioctl!"); Ok(()) } +fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> { + let _bundle_name = c_char_to_string(bundle_name); + if _bundle_name.is_empty() { + error!(LOG_LABEL, "Invalid bundle name"); + return Err(()); + } + + let profile_prefix = vec![ + DEBUG_PROFILE_STORE_EL0_PREFIX, + PROFILE_STORE_EL0_PREFIX, + DEBUG_PROFILE_STORE_EL1_PREFIX, + PROFILE_STORE_EL1_PREFIX, + DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, + PROFILE_STORE_EL1_PUBLIC_PREFIX, + ]; + + let mut rm_succ = false; + for prefix in profile_prefix { + if process_remove_bundle(prefix, &_bundle_name).is_ok() { + rm_succ = true; + } + } + if rm_succ { + Ok(()) + } else { + error!(LOG_LABEL, "Failed to remove bundle profile info, bundleName: {}.", @public(_bundle_name)); + Err(()) + } +} + fn c_char_to_string(c_str: *const c_char) -> String { unsafe { if c_str.is_null() { -- Gitee
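Review bot: The only validation `remove_key_in_profile_internal` applies to the FFI-supplied `bundle_name` is `is_empty()`, after which the name is formatted under six store prefixes and the resulting `profile.p7b` is read, deleted and its cert path removed from the kernel; if a caller can pass a name containing `/` or `..`, those operations land outside the profile stores. Rejecting path-like names at the existing check is one line: `if _bundle_name.is_empty() || _bundle_name.contains('/') || _bundle_name.contains("..") {`. Separately, the hunk drops the `IsDeveloperModeOn()` gate, so a debug profile's cert path is now removed from the kernel even when developer mode is off; if that is intentional, a short comment on why the gate is no longer needed would stop the next reader from re-adding it.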