!139 研发模式豁免UDID

Merge pull request !139 from yangyangyang/20240518

services/key_enable/src/profile_utils.rs

@@ -72,6 +72,7 @@ extern "C" {
     /// if developer state on return true
     pub fn IsDeveloperModeOn() -> bool;
     fn CodeSignGetUdid(udid: *mut u8) -> i32;
+    fn IsRdDevice() -> bool;
 }
 
 #[no_mangle]
@@ -272,8 +273,9 @@ fn process_profile(
             report_parse_profile_err(&path, HisyseventProfileError::VerifySigner as i32);
             continue;
         }
+        let check_udid = unsafe { !IsRdDevice() };
         let (subject, issuer, profile_type) =
-            match parse_pkcs7_data(&pkcs7, x509_store, Pkcs7Flags::empty(), true) {
+            match parse_pkcs7_data(&pkcs7, x509_store, Pkcs7Flags::empty(), check_udid) {
                 Ok(tuple) => tuple,
                 Err(_) => {
                     error!(LOG_LABEL, "Failed to parse profile file {}", @public(path));

services/key_enable/utils/BUILD.gn

@@ -17,6 +17,7 @@ import("../../../code_signature.gni")
 ohos_static_library("libkey_enable_utils") {
   sources = [
     "src/cert_path.cpp",
+    "src/devices_security.cpp",
     "src/key_enable_adapter.cpp",
     "src/key_utils.cpp",
     "src/unlock_event_helper.cpp",

services/key_enable/utils/include/devices_security.h

@@ -1,36 +1,41 @@
-/*
- * Copyright (c) 2023-2024 Huawei Device Co., Ltd.
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef CODE_SIGN_LOCAL_CODE_SIGN_UTILS_H
-#define CODE_SIGN_LOCAL_CODE_SIGN_UTILS_H
-
-#include <cstddef>
-#include <cstdint>
-
-#ifndef LOG_RUST
-#define LOG_RUST
-#endif
-
-#include "errcode.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-__attribute__((visibility("default"))) int32_t InitLocalCertificate(uint8_t *cert, uint32_t *certSize);
-#ifdef __cplusplus
-}
-#endif
-
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef CODE_SIGN_DEVICES_SECURITY_H
+#define CODE_SIGN_DEVICES_SECURITY_H
+
+#ifndef LOG_RUST
+#define LOG_RUST
+#endif
+
+#include <cstdint>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define DEVICE_MODE_RD       0
+#define DEVICE_MODE_USER     1
+#define DEVICE_MODE_ERROR    2
+
+int32_t GetEfuseStatus();
+int32_t GetDeviceMode();
+bool IsRdDevice();
+
+#ifdef __cplusplus
+}
+#endif
+
 #endif

services/key_enable/utils/src/devices_security.cpp

@@ -0,0 +1,93 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "devices_security.h"
+
+#include <cstdlib>
+#include <dlfcn.h>
+#include <fcntl.h>
+#include <string>
+#include <unistd.h>
+#include <securec.h>
+
+#include "log.h"
+#include "parameter.h"
+
+constexpr int32_t VALUE_MAX_LEN = 64;
+constexpr int32_t CMDLINE_MAX_BUF_LEN = 4096;
+const std::string OEM_MODE = "const.boot.oemmode";
+const std::string OEM_MODE_RD = "rd";
+const std::string EFUSE_STATE_FILE = "/proc/cmdline";
+
+using namespace OHOS::Security::CodeSign;
+
+int32_t GetEfuseStatus()
+{
+    int32_t fd = open(EFUSE_STATE_FILE.c_str(), O_RDONLY);
+    if (fd < 0) {
+        LOG_ERROR(LABEL, "open %{public}s failed, %{public}s", EFUSE_STATE_FILE.c_str(), strerror(errno));
+        return DEVICE_MODE_ERROR;
+    }
+
+    char *buf = static_cast<char *>(malloc(CMDLINE_MAX_BUF_LEN));
+    if (buf == nullptr) {
+        LOG_ERROR(LABEL, "alloc read buffer failed");
+        return DEVICE_MODE_ERROR;
+    }
+    (void)memset_s(buf, CMDLINE_MAX_BUF_LEN, 0, CMDLINE_MAX_BUF_LEN);
+
+    int32_t deviceMode = DEVICE_MODE_ERROR;
+    ssize_t ret = read(fd, buf, CMDLINE_MAX_BUF_LEN - 1);
+    (void) close(fd);
+    if (ret < 0) {
+        LOG_ERROR(LABEL, "read %{public}s failed, %{public}s", EFUSE_STATE_FILE.c_str(), strerror(errno));
+        return deviceMode;
+    }
+
+    if (strstr(buf, "efuse_status=0")) {
+        LOG_DEBUG(LABEL, "device is fused, need to check device id");
+        deviceMode = DEVICE_MODE_USER;
+    } else if (strstr(buf, "efuse_status=1")) {
+        LOG_DEBUG(LABEL, "device is not fused, skip device id check");
+        deviceMode = DEVICE_MODE_RD;
+    } else {
+        LOG_ERROR(LABEL, "failed to obtain the device efuse status");
+    }
+
+    free(buf);
+    buf = nullptr;
+    return deviceMode;
+}
+
+int32_t GetDeviceMode()
+{
+    LOG_DEBUG(LABEL, "start to check the OEM mode of the device");
+
+    char value[VALUE_MAX_LEN] = {0};
+    int32_t ret = GetParameter(OEM_MODE.c_str(), nullptr, value, sizeof(value));
+    if ((ret >= 0) && (strncmp(value, OEM_MODE_RD.c_str(), sizeof(value)) == 0)) {
+        LOG_DEBUG(LABEL, "oem mode is rd, skip device id check");
+        return DEVICE_MODE_RD;
+    }
+
+    return GetEfuseStatus();
+}
+bool IsRdDevice()
+{
+    if (GetDeviceMode() != DEVICE_MODE_RD) {
+        return false;
+    }
+    return true;
+}

test/fuzztest/BUILD.gn

@@ -9,7 +9,7 @@
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
-# limitations under the License.
+# limitations under the License.
 
 import("//build/ohos.gni")
 
@@ -17,7 +17,7 @@ group("fuzztest_group") {
   testonly = true
   if (!defined(ohos_lite)) {
     deps = [
-      "local_code_sign_stub/initlocalcertificate_fuzzer:InitLocalCertificateStubFuzzTest",
+      "local_code_sign_stub/initlocalcertificatestub_fuzzer:InitLocalCertificateStubFuzzTest",
       "local_code_sign_stub/signlocalcodestub_fuzzer:SignLocalCodeStubFuzzTest",
     ]
   }

test/unittest/BUILD.gn

@@ -254,6 +254,16 @@ ohos_unittest("jit_code_sign_unittest") {
   part_name = "code_signature"
 }
 
+ohos_unittest("key_enable_utils_unittest") {
+  module_out_path = "security/code_signature"
+  sources = [ "key_enable_utils_test.cpp" ]
+  include_dirs =
+      [ "${code_signature_root_dir}/services/key_enable/utils/include" ]
+  deps = [
+    "${code_signature_root_dir}/services/key_enable/utils:libkey_enable_utils",
+  ]
+}
+
 group("unittest_group") {
   testonly = true
   if (!defined(ohos_lite)) {
@@ -267,6 +277,9 @@ group("unittest_group") {
       ":rust_key_enable_unittest",
       ":sign_and_enforce_unittest",
     ]
+    if (code_signature_support_oh_code_sign) {
+      deps += [ ":key_enable_utils_unittest" ]
+    }
     if (jit_code_sign_enable) {
       deps += [ ":jit_code_sign_unittest" ]
     }

test/unittest/key_enable_utils_test.cpp

@@ -0,0 +1,65 @@
+/*
+ * Copyright (c) 2024 Huawei Device Co., Ltd.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <cstdlib>
+#include <gtest/gtest.h>
+#include <string>
+
+#include "devices_security.h"
+
+using namespace testing::ext;
+using namespace std;
+
+namespace OHOS {
+namespace Security {
+namespace CodeSign {
+
+class KeyEnableUtilsTest : public testing::Test {
+public:
+    KeyEnableUtilsTest() {};
+    virtual ~KeyEnableUtilsTest() {};
+    static void SetUpTestCase() {};
+    static void TearDownTestCase() {};
+    void SetUp() {};
+    void TearDown() {};
+};
+
+/**
+ * @tc.name: KeyEnableUtilsTest_0001
+ * @tc.desc: Obtaining cmdline node data from aarch64 device
+ * @tc.type: Func
+ * @tc.require: issueI8FCGF
+ */
+HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0001, TestSize.Level0)
+{
+    int32_t efuseStatus = GetEfuseStatus();
+    EXPECT_NE(efuseStatus, DEVICE_MODE_ERROR);
+}
+
+/**
+ * @tc.name: KeyEnableUtilsTest_0001
+ * @tc.desc: Obtaining device mode from aarch64 device
+ * @tc.type: Func
+ * @tc.require: issueI8FCGF
+ */
+HWTEST_F(KeyEnableUtilsTest, KeyEnableUtilsTest_0002, TestSize.Level0)
+{
+    int32_t deviceMode = GetDeviceMode();
+    EXPECT_NE(deviceMode, DEVICE_MODE_ERROR);
+}
+
+} // namespace CodeSign
+} // namespace Security
+} // namespace OHOS