openharmony/security_code_signature
1
0
Fork 0
mirror of https://gitee.com/openharmony/security_code_signature synced 2024-11-23 06:10:10 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

!209 代码同步

Browse Source 
Merge pull request !209 from fundavid/OpenHarmony-5.0-Release
This commit is contained in:
openharmony_ci 2024-09-23 11:30:24 +00:00 committed by Gitee
commit 8407994fa8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
13 changed files with 110 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bundle.json
View File

@ -30,7 +30,6 @@
"hitrace",
"hisysevent",
"ability_base",
"bounds_checking_function",
"c_utils",
"ipc",
"samgr",

3
interfaces/innerkits/jit_code_sign/include/jit_buffer_integrity.h
View File

@ -20,7 +20,6 @@
#include <cstring>
#include "errcode.h"
#include "jit_fort_helper.h"
#include "jit_code_signer_base.h"
#include "jit_code_signer_factory.h"
#include "jit_fort_helper.h"
@ -214,7 +213,7 @@ __attribute__((no_sanitize("cfi"))) static inline int32_t CopyToJitCode(
return CS_ERR_JITFORT_IN;
}
#endif
if (IsSupportPACFeature()) {
if (IsSupportJitCodeSigner()) {
ret = signer->ValidateCodeCopy(reinterpret_cast<Instr *>(jitMemory),
reinterpret_cast<Byte *>(tmpBuffer), size);
} else {

4
interfaces/innerkits/jit_code_sign/include/jit_fort_helper.h
View File

@ -22,7 +22,6 @@
#ifdef __aarch64__
#include <asm/hwcap.h>
#include <cstdio>
#include <sys/auxv.h>
#endif
#include "errcode.h"
@ -67,7 +66,8 @@ __attribute__((always_inline)) static int inline PrctlWrapper(
__attribute__((always_inline)) static inline bool IsSupportPACFeature()
{
#ifdef __aarch64__
long hwcaps = PrctlWrapper(JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0);
unsigned long hwcaps = static_cast<unsigned long>(PrctlWrapper(
JITFORT_PRCTL_OPTION, JITFORT_CPU_FEATURES, 0));
if ((hwcaps & HWCAP_PACA) && (hwcaps & HWCAP_PACG)) {
return true;
}

8
services/key_enable/cfg/disable_xpm/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

8
services/key_enable/cfg/enable_xpm/level1/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

8
services/key_enable/cfg/enable_xpm/level2/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

8
services/key_enable/cfg/enable_xpm/level3/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

8
services/key_enable/cfg/enable_xpm/level4/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

8
services/key_enable/cfg/enable_xpm/level5/key_enable.cfg
View File

@ -3,12 +3,12 @@
"name" : "post-fs-data",
"cmds" : [
"write /proc/sys/fs/verity/require_signatures 1",
"mkdir /data/service/el1/profiles 0655 installs installs",
"mkdir /data/service/el1/profiles/release 0655 installs installs",
"mkdir /data/service/el1/profiles/debug 0655 installs installs"
"mkdir /data/service/el1/public/profiles 0655 installs installs",
"mkdir /data/service/el1/public/profiles/release 0655 installs installs",
"mkdir /data/service/el1/public/profiles/debug 0655 installs installs"
]
}, {
"name" : "late-fs",
"name" : "init",
"cmds" : [
"start key_enable"
]

2
services/key_enable/src/cert_chain_utils.rs
View File

@ -22,7 +22,7 @@ use ylong_json::JsonValue;
const LOG_LABEL: HiLogLabel = HiLogLabel {
log_type: LogType::LogCore,
domain: 0xd005a06, // security domain
domain: 0xd005a06,
tag: "CODE_SIGN",
};
/// collection to contain pem data

2
services/key_enable/src/cert_path_utils.rs
View File

@ -24,7 +24,7 @@ extern "C" {
const LOG_LABEL: HiLogLabel = HiLogLabel {
log_type: LogType::LogCore,
domain: 0xd005a06, // security domain
domain: 0xd005a06,
tag: "CODE_SIGN",
};
const TRUST_PROFILE_PATH_KEY: &str = "trust-profile-path";

48
services/key_enable/src/key_enable.rs
View File

@ -26,10 +26,12 @@ use std::io::{BufRead, BufReader};
use std::option::Option;
use std::ptr;
use std::thread;
use std::time::{Duration, Instant};
use std::path::Path;
const LOG_LABEL: HiLogLabel = HiLogLabel {
log_type: LogType::LogCore,
domain: 0xd005a06, // security domain
domain: 0xd005a06,
tag: "CODE_SIGN",
};
@ -39,6 +41,9 @@ const KEYRING_TYPE: &str = "keyring";
const FSVERITY_KEYRING_NAME: &str = ".fs-verity";
const LOCAL_KEY_NAME: &str = "local_key";
const CODE_SIGN_KEY_NAME_PREFIX: &str = "fs_verity_key";
const PROFILE_STORE_EL1: &str = "/data/service/el1/public/profiles";
const PROFILE_SEARCH_SLEEP_TIME: u64 = 200;
const PROFILE_SEARCH_SLEEP_OUT_TIME: u64 = 600;
const SUCCESS: i32 = 0;
type KeySerial = i32;
@ -164,24 +169,37 @@ fn enable_trusted_keys(key_id: KeySerial, root_cert: &PemCollection) {
}
}
fn check_and_add_cert_path(root_cert: &PemCollection, cert_paths: &TrustCertPath) -> bool {
if Path::new(PROFILE_STORE_EL1).exists() {
if add_profile_cert_path(root_cert, cert_paths).is_err() {
error!(LOG_LABEL, "Add cert path from local profile err.");
}
info!(LOG_LABEL, "Finished cert path adding.");
true
} else {
false
}
}
// start cert path ops thread add trusted cert & developer cert
fn add_cert_path_thread(
fn add_profile_cert_path_thread(
root_cert: PemCollection,
cert_paths: TrustCertPath,
) -> std::thread::JoinHandle<()> {
thread::spawn(move || {
// enable trusted cert in prebuilt config
info!(LOG_LABEL, "Starting enable trusted cert.");
if cert_paths.add_cert_paths().is_err() {
error!(LOG_LABEL, "Add trusted cert path err.");
}
// enable developer certs
info!(LOG_LABEL, "Starting enable developer cert.");
if add_profile_cert_path(&root_cert, &cert_paths).is_err() {
error!(LOG_LABEL, "Add cert path from local profile err.");
let start_time = Instant::now();
loop {
if check_and_add_cert_path(&root_cert, &cert_paths) {
break;
} else if start_time.elapsed() >= Duration::from_secs(PROFILE_SEARCH_SLEEP_OUT_TIME) {
error!(LOG_LABEL, "Timeout while waiting for PROFILE_STORE_EL1.");
break;
} else {
thread::sleep(Duration::from_millis(PROFILE_SEARCH_SLEEP_TIME));
}
}
info!(LOG_LABEL, "Finished cert path adding.");
})
}
@ -230,12 +248,16 @@ pub fn enable_all_keys() {
enable_trusted_keys(key_id, &root_cert);
let cert_paths = get_cert_path();
let cert_thread = add_cert_path_thread(root_cert, cert_paths);
// enable trusted cert in prebuilt config
if cert_paths.add_cert_paths().is_err() {
error!(LOG_LABEL, "Add trusted cert path err.");
}
let cert_thread = add_profile_cert_path_thread(root_cert, cert_paths);
enable_keys_after_user_unlock(key_id);
if let Err(e) = cert_thread.join() {
error!(LOG_LABEL, "add cert path thread panicked: {:?}", e);
}
info!(LOG_LABEL, "Fnished enable all keys.");
}

69
services/key_enable/src/profile_utils.rs
View File

@ -42,8 +42,10 @@ const LOG_LABEL: HiLogLabel = HiLogLabel {
};
const PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/developer";
const PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/release";
const PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/release";
const DEBUG_PROFILE_STORE_EL0_PREFIX: &str = "/data/service/el0/profiles/debug";
const DEBUG_PROFILE_STORE_EL1_PREFIX: &str = "/data/service/el1/profiles/debug";
const DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX: &str = "/data/service/el1/public/profiles/debug";
const PROFILE_STORE_TAIL: &str = "profile.p7b";
const PROFILE_TYPE_KEY: &str = "type";
const PROFILE_DEVICE_ID_TYPE_KEY: &str = "device-id-type";
@ -220,8 +222,8 @@ fn format_x509_fabricate_name(name: &X509NameRef) -> String {
fn get_profile_paths(is_debug: bool) -> Vec<String> {
let mut paths = Vec::new();
let profile_prefixes = match is_debug {
false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX],
true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX],
false => vec![PROFILE_STORE_EL0_PREFIX, PROFILE_STORE_EL1_PREFIX, PROFILE_STORE_EL1_PUBLIC_PREFIX],
true => vec![DEBUG_PROFILE_STORE_EL0_PREFIX, DEBUG_PROFILE_STORE_EL1_PREFIX, DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX],
};
for profile_prefix in profile_prefixes {
paths.extend(get_paths_from_prefix(profile_prefix));
@ -375,10 +377,10 @@ fn process_data(profile_data: &[u8]) -> Result<(String, String, u32), ()> {
fn create_bundle_path(bundle_name: &str, profile_type: u32) -> Result<String, ()> {
let bundle_path = match profile_type {
value if value == DebugCertPathType::Developer as u32 => {
fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, bundle_name)
fmt_store_path(DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name)
}
value if value == ReleaseCertPathType::Developer as u32 => {
fmt_store_path(PROFILE_STORE_EL1_PREFIX, bundle_name)
fmt_store_path(PROFILE_STORE_EL1_PUBLIC_PREFIX, bundle_name)
}
_ => {
error!(LOG_LABEL, "invalid profile type");
@ -422,24 +424,16 @@ fn enable_key_in_profile_internal(
Ok(())
}
fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> {
let _bundle_name = c_char_to_string(bundle_name);
if _bundle_name.is_empty() {
error!(LOG_LABEL, "Invalid bundle name");
fn process_remove_bundle(
prefix: &str,
bundle_name: &str,
) -> Result<(), ()> {
let bundle_path = fmt_store_path(prefix, bundle_name);
if !file_exists(&bundle_path) {
return Err(());
}
let debug_bundle_path = fmt_store_path(DEBUG_PROFILE_STORE_EL1_PREFIX, &_bundle_name);
let release_bundle_path = fmt_store_path(PROFILE_STORE_EL1_PREFIX, &_bundle_name);
let bundle_path = if file_exists(&debug_bundle_path) {
debug_bundle_path
} else if file_exists(&release_bundle_path) {
release_bundle_path
} else {
error!(LOG_LABEL, "bundle path does not exists!");
return Err(());
};
let filename = fmt_store_path(&bundle_path, PROFILE_STORE_TAIL);
let mut profile_data = Vec::new();
if load_bytes_from_file(&filename, &mut profile_data).is_err() {
@ -452,19 +446,48 @@ fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()>
error!(LOG_LABEL, "remove profile data error!");
return Err(());
}
info!(LOG_LABEL, "remove bundle_path path {}!", @public(bundle_path));
if unsafe { !IsDeveloperModeOn() } && profile_type == DebugCertPathType::Developer as u32 {
info!(LOG_LABEL, "not remove profile_type:{} when development off", @public(profile_type));
return Ok(());
}
if remove_cert_path_info(subject, issuer, profile_type, DEFAULT_MAX_CERT_PATH_LEN).is_err() {
error!(LOG_LABEL, "remove profile data error!");
return Err(());
}
info!(LOG_LABEL, "finish remove cert path in ioctl!");
Ok(())
}
fn remove_key_in_profile_internal(bundle_name: *const c_char) -> Result<(), ()> {
let _bundle_name = c_char_to_string(bundle_name);
if _bundle_name.is_empty() {
error!(LOG_LABEL, "Invalid bundle name");
return Err(());
}
let profile_prefix = vec![
DEBUG_PROFILE_STORE_EL0_PREFIX,
PROFILE_STORE_EL0_PREFIX,
DEBUG_PROFILE_STORE_EL1_PREFIX,
PROFILE_STORE_EL1_PREFIX,
DEBUG_PROFILE_STORE_EL1_PUBLIC_PREFIX,
PROFILE_STORE_EL1_PUBLIC_PREFIX,
];
let mut rm_succ = false;
for prefix in profile_prefix {
if process_remove_bundle(prefix, &_bundle_name).is_ok() {
rm_succ = true;
}
}
if rm_succ {
Ok(())
} else {
error!(LOG_LABEL, "Failed to remove bundle profile info, bundleName: {}.", @public(_bundle_name));
Err(())
}
}
fn c_char_to_string(c_str: *const c_char) -> String {
unsafe {
if c_str.is_null() {