Use PortCfg's allowed_uuids for generic ACLs am: 43fd4ba145

Original change: https://android-review.googlesource.com/c/trusty/app/keymint/+/3214676

Change-Id: I9ce203f6e2a880303f2adae077c1c8dc87d47336
Signed-off-by: Automerger Merge Worker <[email protected]>
diff --git a/generic_access_policy/lib.rs b/generic_access_policy/lib.rs
index 1e0f9e7..a600433 100644
--- a/generic_access_policy/lib.rs
+++ b/generic_access_policy/lib.rs
@@ -18,7 +18,7 @@
 
 use tipc::Uuid;
 
-const ACCESSIBLE_UUIDS: [Uuid; 4] = [
+pub const KEYMINT_ACCESSIBLE_UUIDS: [Uuid; 4] = [
     /* gatekeeper uuid */
     Uuid::new(0x38ba0cdc, 0xdf0e, 0x11e4, [0x98, 0x69, 0x23, 0x3f, 0xb6, 0xae, 0x47, 0x95]),
     /* confirmation UI uuid */
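Review bot: `KEYMINT_ACCESSIBLE_UUIDS` is now public and has no doc comment, although after this change it is the allow-list itself rather than an implementation detail behind a checker function. A line such as `/// UUIDs of the trusted apps allowed to connect to the KeyMint secure port; passed to PortCfg::allowed_uuids.` would tell a reader that editing the array changes who can reach the service. The array body continues past this hunk.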
@@ -29,13 +29,6 @@
     Uuid::new(0xd322eec9, 0x6d03, 0x49fa, [0x82, 0x1c, 0x1c, 0xcd, 0x27, 0x05, 0x71, 0x9c]),
 ];
 
-pub fn keymint_check_target_access_policy(uuid: &Uuid) -> bool {
-    if ACCESSIBLE_UUIDS.contains(uuid) {
-        return true;
-    }
-    return false;
-}
-
 pub fn keymint_check_secure_target_access_policy_provisioning(_uuid: &Uuid) -> bool {
     /* Not Supported */
     return false;
diff --git a/ipc_manager.rs b/ipc_manager.rs
index da49cf9..70dbf93 100644
--- a/ipc_manager.rs
+++ b/ipc_manager.rs
@@ -18,7 +18,7 @@
 use alloc::{rc::Rc, vec::Vec};
 use core::{cell::RefCell, mem};
 use keymint_access_policy::{
-    keymint_check_secure_target_access_policy_provisioning, keymint_check_target_access_policy,
+    keymint_check_secure_target_access_policy_provisioning, KEYMINT_ACCESSIBLE_UUIDS,
 };
 use kmr_common::{
     crypto, km_err,
@@ -505,10 +505,6 @@
         _handle: &Handle,
         peer: &Uuid,
     ) -> tipc::Result<ConnectResult<Self::Connection>> {
-        if !keymint_check_target_access_policy(peer) {
-            error!("access policy rejected the uuid: {:?}", peer);
-            return Ok(ConnectResult::CloseConnection);
-        }
         debug!("Accepted connection from uuid {:?}.", peer);
         Ok(ConnectResult::Accept(Context { uuid: peer.clone() }))
     }
@@ -603,7 +599,8 @@
                 e
             )
         })?
-        .allow_ta_connect();
+        .allow_ta_connect()
+        .allowed_uuids(&KEYMINT_ACCESSIBLE_UUIDS);
     dispatcher.add_service(Rc::new(sec_service), cfg).map_err(|e| {
         km_err!(UnknownError, "could not add secure service to dispatcher: {:?}", e)
     })?;
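Review bot: Once the check is removed from `on_connect` (the hunk at -505), this `.allowed_uuids(&KEYMINT_ACCESSIBLE_UUIDS)` call is the only thing restricting which peers reach the secure service, and nothing in the visible code records that dependency. `on_connect` now accepts any `peer`, so registering the same service with a `PortCfg` that lacks the allow-list would silently open it up. A comment above `on_connect` such as `// Peer UUID filtering is enforced by PortCfg::allowed_uuids at registration; never add this service without it.` would make that explicit. The removed `error!("access policy rejected the uuid: {:?}", peer)` was also the only visible record of denied connections, so it is worth confirming that the tipc layer logs peers it rejects. The enclosing function starts and ends outside this hunk, so other `add_service` calls using this connection handler could not be checked here.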