 Chromium Code Reviews
 Chromium Code Reviews Issue 2529743002:
  Wait for the attestation to be ready (TPM being prepared for attestation) before trying to enroll.  (Closed)
    
  
    Issue 2529743002:
  Wait for the attestation to be ready (TPM being prepared for attestation) before trying to enroll.  (Closed) 
  | OLD | NEW | 
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be | 
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. | 
| 4 | 4 | 
| 5 #include "chromeos/attestation/attestation_flow.h" | 5 #include "chromeos/attestation/attestation_flow.h" | 
| 6 | 6 | 
| 7 #include <algorithm> | |
| 7 #include <utility> | 8 #include <utility> | 
| 8 | 9 | 
| 9 #include "base/bind.h" | 10 #include "base/bind.h" | 
| 11 #include "base/memory/ptr_util.h" | |
| 12 #include "base/time/tick_clock.h" | |
| 13 #include "base/timer/timer.h" | |
| 10 #include "chromeos/cryptohome/async_method_caller.h" | 14 #include "chromeos/cryptohome/async_method_caller.h" | 
| 11 #include "chromeos/cryptohome/cryptohome_parameters.h" | 15 #include "chromeos/cryptohome/cryptohome_parameters.h" | 
| 12 #include "chromeos/dbus/cryptohome_client.h" | 16 #include "chromeos/dbus/cryptohome_client.h" | 
| 13 #include "components/signin/core/account_id/account_id.h" | 17 #include "components/signin/core/account_id/account_id.h" | 
| 14 | 18 | 
| 15 namespace chromeos { | 19 namespace chromeos { | 
| 16 namespace attestation { | 20 namespace attestation { | 
| 17 | 21 | 
| 18 namespace { | 22 namespace { | 
| 19 | 23 | 
| 24 // A reasonable preparedness timeout that gives enough time for attestation | |
| 25 // to be prepared, yet does not make the caller wait too long. | |
| 26 base::TimeDelta kDefaultPreparednessTimeout = base::TimeDelta::FromMinutes(3); | |
| 
Darren Krahn
2016/12/06 17:31:25
POD-type globals only please
 | |
| 27 | |
| 28 // Delay before checking whether attestation has been prepared again. | |
| 29 constexpr base::TimeDelta kRetryDelay = base::TimeDelta::FromSeconds(9); | |
| 
Darren Krahn
2016/12/06 17:31:25
same here, POD-type globals only
 | |
| 30 | |
| 20 // Redirects to one of three callbacks based on a boolean value and dbus call | 31 // Redirects to one of three callbacks based on a boolean value and dbus call | 
| 21 // status. | 32 // status. | 
| 22 // | 33 // | 
| 23 // Parameters | 34 // Parameters | 
| 24 // on_true - Called when status=succes and value=true. | 35 // on_true - Called when status=succes and value=true. | 
| 25 // on_false - Called when status=success and value=false. | 36 // on_false - Called when status=success and value=false. | 
| 26 // on_fail - Called when status=failure. | 37 // on_fail - Called when status=failure. | 
| 27 // status - The D-Bus operation status. | 38 // status - The D-Bus operation status. | 
| 28 // value - The value returned by the D-Bus operation. | 39 // value - The value returned by the D-Bus operation. | 
| 29 void DBusBoolRedirectCallback(const base::Closure& on_true, | 40 void DBusBoolRedirectCallback(const base::Closure& on_true, | 
| 30 const base::Closure& on_false, | 41 const base::Closure& on_false, | 
| 31 const base::Closure& on_fail, | 42 const base::Closure& on_fail, | 
| 43 const std::string& on_fail_message, | |
| 32 DBusMethodCallStatus status, | 44 DBusMethodCallStatus status, | 
| 33 bool value) { | 45 bool value) { | 
| 34 if (status != DBUS_METHOD_CALL_SUCCESS) { | 46 if (status != DBUS_METHOD_CALL_SUCCESS) { | 
| 35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; | 47 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << "."; | 
| 36 if (!on_fail.is_null()) | 48 if (!on_fail.is_null()) | 
| 37 on_fail.Run(); | 49 on_fail.Run(); | 
| 38 return; | 50 return; | 
| 39 } | 51 } | 
| 40 const base::Closure& task = value ? on_true : on_false; | 52 const base::Closure& task = value ? on_true : on_false; | 
| 41 if (!task.is_null()) | 53 if (!task.is_null()) | 
| 42 task.Run(); | 54 task.Run(); | 
| 43 } | 55 } | 
| 44 | 56 | 
| 45 void DBusDataMethodCallback( | 57 void DBusDataMethodCallback( | 
| (...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 88 NOTREACHED(); | 100 NOTREACHED(); | 
| 89 return ""; | 101 return ""; | 
| 90 } | 102 } | 
| 91 | 103 | 
| 92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 104 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, | 
| 93 CryptohomeClient* cryptohome_client, | 105 CryptohomeClient* cryptohome_client, | 
| 94 std::unique_ptr<ServerProxy> server_proxy) | 106 std::unique_ptr<ServerProxy> server_proxy) | 
| 95 : async_caller_(async_caller), | 107 : async_caller_(async_caller), | 
| 96 cryptohome_client_(cryptohome_client), | 108 cryptohome_client_(cryptohome_client), | 
| 97 server_proxy_(std::move(server_proxy)), | 109 server_proxy_(std::move(server_proxy)), | 
| 110 preparedness_timeout_(kDefaultPreparednessTimeout), | |
| 98 weak_factory_(this) {} | 111 weak_factory_(this) {} | 
| 99 | 112 | 
| 100 AttestationFlow::~AttestationFlow() { | 113 AttestationFlow::~AttestationFlow() { | 
| 101 } | 114 } | 
| 102 | 115 | 
| 103 void AttestationFlow::GetCertificate( | 116 void AttestationFlow::GetCertificate( | 
| 104 AttestationCertificateProfile certificate_profile, | 117 AttestationCertificateProfile certificate_profile, | 
| 105 const AccountId& account_id, | 118 const AccountId& account_id, | 
| 106 const std::string& request_origin, | 119 const std::string& request_origin, | 
| 107 bool force_new_key, | 120 bool force_new_key, | 
| 108 const CertificateCallback& callback) { | 121 const CertificateCallback& callback) { | 
| 109 // If this device has not enrolled with the Privacy CA, we need to do that | 122 // If this device has not enrolled with the Privacy CA, we need to do that | 
| 110 // first. Once enrolled we can proceed with the certificate request. | 123 // first. Once enrolled we can proceed with the certificate request. | 
| 111 base::Closure do_cert_request = base::Bind( | 124 const base::Closure do_cert_request = base::Bind( | 
| 112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 125 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 
| 113 certificate_profile, account_id, request_origin, force_new_key, callback); | 126 certificate_profile, account_id, request_origin, force_new_key, callback); | 
| 114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 127 const base::Closure on_enroll_failure = base::Bind(callback, false, ""); | 
| 115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, | 128 const base::Closure initiate_enroll = | 
| 116 weak_factory_.GetWeakPtr(), | 129 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(), | 
| 117 on_enroll_failure, | 130 on_enroll_failure, do_cert_request); | 
| 118 do_cert_request); | 131 cryptohome_client_->TpmAttestationIsEnrolled( | 
| 119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( | 132 base::Bind(&DBusBoolRedirectCallback, | 
| 120 &DBusBoolRedirectCallback, | 133 do_cert_request, // If enrolled, proceed with cert request. | 
| 121 do_cert_request, // If enrolled, proceed with cert request. | 134 initiate_enroll, // If not enrolled, initiate enrollment. | 
| 122 do_enroll, // If not enrolled, initiate enrollment. | 135 on_enroll_failure, "check enrollment state")); | 
| 123 on_enroll_failure)); | 136 } | 
| 137 | |
| 138 void AttestationFlow::SetTickClockForTest(base::TickClock* tick_clock) { | |
| 139 tick_clock_ = tick_clock; | |
| 140 } | |
| 141 | |
| 142 struct AttestationFlow::RetryData { | |
| 143 public: | |
| 144 RetryData(base::TimeDelta timeout, base::TickClock* tick_clock) | |
| 145 : timeout(timeout), retry_timer(tick_clock), tick_clock_(tick_clock) { | |
| 146 begin = Now(); | |
| 147 } | |
| 148 ~RetryData() { retry_timer.Stop(); } | |
| 149 | |
| 150 base::TimeTicks Now() { | |
| 151 return tick_clock_ ? tick_clock_->NowTicks() : base::TimeTicks::Now(); | |
| 152 } | |
| 153 | |
| 154 base::TimeDelta timeout; | |
| 155 base::OneShotTimer retry_timer; | |
| 156 base::TimeTicks begin; | |
| 157 | |
| 158 private: | |
| 159 base::TickClock* tick_clock_; | |
| 160 }; | |
| 161 | |
| 162 void AttestationFlow::InitiateEnroll(const base::Closure& on_failure, | |
| 163 const base::Closure& next_task) { | |
| 164 RetryId retry_id = CreateRetryData(); | |
| 165 if (retry_id == kInvalidRetryId) { | |
| 166 if (!on_failure.is_null()) | |
| 167 on_failure.Run(); | |
| 168 return; | |
| 169 } | |
| 170 TryInitiateEnroll(retry_id, on_failure, next_task); | |
| 171 } | |
| 172 | |
| 173 void AttestationFlow::TryInitiateEnroll(const RetryId retry_id, | |
| 174 const base::Closure& on_failure, | |
| 175 const base::Closure& next_task) { | |
| 176 const base::Closure do_enroll = base::Bind( | |
| 177 &AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), retry_id, | |
| 178 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(), | |
| 179 on_failure, next_task)); | |
| 180 const base::Closure retry_initiate_enroll = base::Bind( | |
| 181 &AttestationFlow::StillRetrying, weak_factory_.GetWeakPtr(), retry_id, | |
| 182 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), | |
| 183 retry_id, on_failure), | |
| 184 base::Bind(&AttestationFlow::TryInitiateEnroll, | |
| 185 weak_factory_.GetWeakPtr(), retry_id, on_failure, next_task)); | |
| 186 base::Closure do_fail = | |
| 187 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), | |
| 188 retry_id, on_failure); | |
| 189 cryptohome_client_->TpmAttestationIsPrepared( | |
| 190 base::Bind(&DBusBoolRedirectCallback, do_enroll, retry_initiate_enroll, | |
| 191 do_fail, "check for attestation readiness")); | |
| 124 } | 192 } | 
| 125 | 193 | 
| 126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 194 void AttestationFlow::StartEnroll(const base::Closure& on_failure, | 
| 127 const base::Closure& next_task) { | 195 const base::Closure& next_task) { | 
| 128 // Get the attestation service to create a Privacy CA enrollment request. | 196 // Get the attestation service to create a Privacy CA enrollment request. | 
| 129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 197 async_caller_->AsyncTpmAttestationCreateEnrollRequest( | 
| 130 server_proxy_->GetType(), | 198 server_proxy_->GetType(), | 
| 131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 199 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, | 
| 132 weak_factory_.GetWeakPtr(), | 200 weak_factory_.GetWeakPtr(), | 
| 133 on_failure, | 201 on_failure, | 
| (...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 204 if (generate_new_key) { | 272 if (generate_new_key) { | 
| 205 // Get the attestation service to create a Privacy CA certificate request. | 273 // Get the attestation service to create a Privacy CA certificate request. | 
| 206 async_caller_->AsyncTpmAttestationCreateCertRequest( | 274 async_caller_->AsyncTpmAttestationCreateCertRequest( | 
| 207 server_proxy_->GetType(), certificate_profile, | 275 server_proxy_->GetType(), certificate_profile, | 
| 208 cryptohome::Identification(account_id), request_origin, | 276 cryptohome::Identification(account_id), request_origin, | 
| 209 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, | 277 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, | 
| 210 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, | 278 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, | 
| 211 callback)); | 279 callback)); | 
| 212 } else { | 280 } else { | 
| 213 // If the key already exists, query the existing certificate. | 281 // If the key already exists, query the existing certificate. | 
| 214 base::Closure on_key_exists = base::Bind( | 282 const base::Closure on_key_exists = base::Bind( | 
| 215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 283 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), | 
| 216 key_type, account_id, key_name, callback); | 284 key_type, account_id, key_name, callback); | 
| 217 // If the key does not exist, call this method back with |generate_new_key| | 285 // If the key does not exist, call this method back with |generate_new_key| | 
| 218 // set to true. | 286 // set to true. | 
| 219 base::Closure on_key_not_exists = base::Bind( | 287 const base::Closure on_key_not_exists = base::Bind( | 
| 220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 288 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), | 
| 221 certificate_profile, account_id, request_origin, true, callback); | 289 certificate_profile, account_id, request_origin, true, callback); | 
| 222 cryptohome_client_->TpmAttestationDoesKeyExist( | 290 cryptohome_client_->TpmAttestationDoesKeyExist( | 
| 223 key_type, cryptohome::Identification(account_id), key_name, | 291 key_type, cryptohome::Identification(account_id), key_name, | 
| 224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 292 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, | 
| 225 base::Bind(callback, false, ""))); | 293 base::Bind(callback, false, ""), | 
| 294 "check for existence of attestation key")); | |
| 226 } | 295 } | 
| 227 } | 296 } | 
| 228 | 297 | 
| 229 void AttestationFlow::SendCertificateRequestToPCA( | 298 void AttestationFlow::SendCertificateRequestToPCA( | 
| 230 AttestationKeyType key_type, | 299 AttestationKeyType key_type, | 
| 231 const AccountId& account_id, | 300 const AccountId& account_id, | 
| 232 const std::string& key_name, | 301 const std::string& key_name, | 
| 233 const CertificateCallback& callback, | 302 const CertificateCallback& callback, | 
| 234 bool success, | 303 bool success, | 
| 235 const std::string& data) { | 304 const std::string& data) { | 
| (...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 270 void AttestationFlow::GetExistingCertificate( | 339 void AttestationFlow::GetExistingCertificate( | 
| 271 AttestationKeyType key_type, | 340 AttestationKeyType key_type, | 
| 272 const AccountId& account_id, | 341 const AccountId& account_id, | 
| 273 const std::string& key_name, | 342 const std::string& key_name, | 
| 274 const CertificateCallback& callback) { | 343 const CertificateCallback& callback) { | 
| 275 cryptohome_client_->TpmAttestationGetCertificate( | 344 cryptohome_client_->TpmAttestationGetCertificate( | 
| 276 key_type, cryptohome::Identification(account_id), key_name, | 345 key_type, cryptohome::Identification(account_id), key_name, | 
| 277 base::Bind(&DBusDataMethodCallback, callback)); | 346 base::Bind(&DBusDataMethodCallback, callback)); | 
| 278 } | 347 } | 
| 279 | 348 | 
| 349 AttestationFlow::RetryId AttestationFlow::CreateRetryData() { | |
| 350 if (next_retry_id_ < 0) | |
| 351 next_retry_id_ = 0; | |
| 352 RetryId starting_retry_id = next_retry_id_; | |
| 353 while (retries_.find(next_retry_id_) != retries_.end()) { | |
| 354 if (++next_retry_id_ < 0) | |
| 355 next_retry_id_ = 0; | |
| 356 if (next_retry_id_ == starting_retry_id) | |
| 357 return kInvalidRetryId; | |
| 358 } | |
| 359 std::unique_ptr<RetryData> data = | |
| 360 base::MakeUnique<RetryData>(preparedness_timeout_, tick_clock_); | |
| 361 retries_.insert(std::make_pair(next_retry_id_, std::move(data))); | |
| 362 return next_retry_id_++; | |
| 363 } | |
| 364 | |
| 365 AttestationFlow::RetryData& AttestationFlow::GetRetryData(RetryId retry_id) { | |
| 366 return *retries_.find(retry_id)->second; | |
| 367 } | |
| 368 | |
| 369 void AttestationFlow::StillRetrying(const RetryId retry_id, | |
| 370 const base::Closure& on_giving_up, | |
| 371 const base::Closure& on_retrying) { | |
| 372 RetryData& retry_data = GetRetryData(retry_id); | |
| 373 base::TimeTicks now = retry_data.Now(); | |
| 374 base::TimeDelta elapsed = now - retry_data.begin; | |
| 375 if (elapsed + kRetryDelay > retry_data.timeout) { | |
| 376 LOG(ERROR) << "Attestation: Not prepared." | |
| 377 << " Giving up on retrying after " << elapsed << "."; | |
| 378 if (!on_giving_up.is_null()) | |
| 379 on_giving_up.Run(); | |
| 380 } else { | |
| 381 LOG(WARNING) << "Attestation: Not prepared yet." | |
| 382 << " Retrying in " << kRetryDelay << "."; | |
| 383 retry_data.retry_timer.Start(FROM_HERE, kRetryDelay, on_retrying); | |
| 384 } | |
| 385 } | |
| 386 | |
| 387 void AttestationFlow::DoneRetrying(RetryId retry_id, | |
| 388 const base::Closure& continuation) { | |
| 389 retries_.erase(retry_id); | |
| 390 if (!continuation.is_null()) | |
| 391 continuation.Run(); | |
| 392 } | |
| 393 | |
| 280 ServerProxy::~ServerProxy() {} | 394 ServerProxy::~ServerProxy() {} | 
| 281 | 395 | 
| 282 PrivacyCAType ServerProxy::GetType() { | 396 PrivacyCAType ServerProxy::GetType() { | 
| 283 return DEFAULT_PCA; | 397 return DEFAULT_PCA; | 
| 284 } | 398 } | 
| 285 | 399 | 
| 286 } // namespace attestation | 400 } // namespace attestation | 
| 287 } // namespace chromeos | 401 } // namespace chromeos | 
| OLD | NEW |