Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(199)

Side by Side Diff: chromeos/attestation/attestation_flow.cc

Issue 2529743002: Wait for the attestation to be ready (TPM being prepared for attestation) before trying to enroll. (Closed)
Patch Set: Hide RetryData as an implementation detail. Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chromeos/attestation/attestation_flow.h" 5 #include "chromeos/attestation/attestation_flow.h"
6 6
7 #include <algorithm>
7 #include <utility> 8 #include <utility>
8 9
9 #include "base/bind.h" 10 #include "base/bind.h"
11 #include "base/memory/ptr_util.h"
12 #include "base/time/tick_clock.h"
13 #include "base/timer/timer.h"
10 #include "chromeos/cryptohome/async_method_caller.h" 14 #include "chromeos/cryptohome/async_method_caller.h"
11 #include "chromeos/cryptohome/cryptohome_parameters.h" 15 #include "chromeos/cryptohome/cryptohome_parameters.h"
12 #include "chromeos/dbus/cryptohome_client.h" 16 #include "chromeos/dbus/cryptohome_client.h"
13 #include "components/signin/core/account_id/account_id.h" 17 #include "components/signin/core/account_id/account_id.h"
14 18
15 namespace chromeos { 19 namespace chromeos {
16 namespace attestation { 20 namespace attestation {
17 21
18 namespace { 22 namespace {
19 23
24 // A reasonable preparedness timeout that gives enough time for attestation
25 // to be prepared, yet does not make the caller wait too long.
26 base::TimeDelta kDefaultPreparednessTimeout = base::TimeDelta::FromMinutes(3);
Darren Krahn 2016/12/06 17:31:25 POD-type globals only please
27
28 // Delay before checking whether attestation has been prepared again.
29 constexpr base::TimeDelta kRetryDelay = base::TimeDelta::FromSeconds(9);
Darren Krahn 2016/12/06 17:31:25 same here, POD-type globals only
30
20 // Redirects to one of three callbacks based on a boolean value and dbus call 31 // Redirects to one of three callbacks based on a boolean value and dbus call
21 // status. 32 // status.
22 // 33 //
23 // Parameters 34 // Parameters
24 // on_true - Called when status=succes and value=true. 35 // on_true - Called when status=succes and value=true.
25 // on_false - Called when status=success and value=false. 36 // on_false - Called when status=success and value=false.
26 // on_fail - Called when status=failure. 37 // on_fail - Called when status=failure.
27 // status - The D-Bus operation status. 38 // status - The D-Bus operation status.
28 // value - The value returned by the D-Bus operation. 39 // value - The value returned by the D-Bus operation.
29 void DBusBoolRedirectCallback(const base::Closure& on_true, 40 void DBusBoolRedirectCallback(const base::Closure& on_true,
30 const base::Closure& on_false, 41 const base::Closure& on_false,
31 const base::Closure& on_fail, 42 const base::Closure& on_fail,
43 const std::string& on_fail_message,
32 DBusMethodCallStatus status, 44 DBusMethodCallStatus status,
33 bool value) { 45 bool value) {
34 if (status != DBUS_METHOD_CALL_SUCCESS) { 46 if (status != DBUS_METHOD_CALL_SUCCESS) {
35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; 47 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << ".";
36 if (!on_fail.is_null()) 48 if (!on_fail.is_null())
37 on_fail.Run(); 49 on_fail.Run();
38 return; 50 return;
39 } 51 }
40 const base::Closure& task = value ? on_true : on_false; 52 const base::Closure& task = value ? on_true : on_false;
41 if (!task.is_null()) 53 if (!task.is_null())
42 task.Run(); 54 task.Run();
43 } 55 }
44 56
45 void DBusDataMethodCallback( 57 void DBusDataMethodCallback(
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
88 NOTREACHED(); 100 NOTREACHED();
89 return ""; 101 return "";
90 } 102 }
91 103
92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, 104 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
93 CryptohomeClient* cryptohome_client, 105 CryptohomeClient* cryptohome_client,
94 std::unique_ptr<ServerProxy> server_proxy) 106 std::unique_ptr<ServerProxy> server_proxy)
95 : async_caller_(async_caller), 107 : async_caller_(async_caller),
96 cryptohome_client_(cryptohome_client), 108 cryptohome_client_(cryptohome_client),
97 server_proxy_(std::move(server_proxy)), 109 server_proxy_(std::move(server_proxy)),
110 preparedness_timeout_(kDefaultPreparednessTimeout),
98 weak_factory_(this) {} 111 weak_factory_(this) {}
99 112
100 AttestationFlow::~AttestationFlow() { 113 AttestationFlow::~AttestationFlow() {
101 } 114 }
102 115
103 void AttestationFlow::GetCertificate( 116 void AttestationFlow::GetCertificate(
104 AttestationCertificateProfile certificate_profile, 117 AttestationCertificateProfile certificate_profile,
105 const AccountId& account_id, 118 const AccountId& account_id,
106 const std::string& request_origin, 119 const std::string& request_origin,
107 bool force_new_key, 120 bool force_new_key,
108 const CertificateCallback& callback) { 121 const CertificateCallback& callback) {
109 // If this device has not enrolled with the Privacy CA, we need to do that 122 // If this device has not enrolled with the Privacy CA, we need to do that
110 // first. Once enrolled we can proceed with the certificate request. 123 // first. Once enrolled we can proceed with the certificate request.
111 base::Closure do_cert_request = base::Bind( 124 const base::Closure do_cert_request = base::Bind(
112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), 125 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(),
113 certificate_profile, account_id, request_origin, force_new_key, callback); 126 certificate_profile, account_id, request_origin, force_new_key, callback);
114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); 127 const base::Closure on_enroll_failure = base::Bind(callback, false, "");
115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, 128 const base::Closure initiate_enroll =
116 weak_factory_.GetWeakPtr(), 129 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(),
117 on_enroll_failure, 130 on_enroll_failure, do_cert_request);
118 do_cert_request); 131 cryptohome_client_->TpmAttestationIsEnrolled(
119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( 132 base::Bind(&DBusBoolRedirectCallback,
120 &DBusBoolRedirectCallback, 133 do_cert_request, // If enrolled, proceed with cert request.
121 do_cert_request, // If enrolled, proceed with cert request. 134 initiate_enroll, // If not enrolled, initiate enrollment.
122 do_enroll, // If not enrolled, initiate enrollment. 135 on_enroll_failure, "check enrollment state"));
123 on_enroll_failure)); 136 }
137
138 void AttestationFlow::SetTickClockForTest(base::TickClock* tick_clock) {
139 tick_clock_ = tick_clock;
140 }
141
142 struct AttestationFlow::RetryData {
143 public:
144 RetryData(base::TimeDelta timeout, base::TickClock* tick_clock)
145 : timeout(timeout), retry_timer(tick_clock), tick_clock_(tick_clock) {
146 begin = Now();
147 }
148 ~RetryData() { retry_timer.Stop(); }
149
150 base::TimeTicks Now() {
151 return tick_clock_ ? tick_clock_->NowTicks() : base::TimeTicks::Now();
152 }
153
154 base::TimeDelta timeout;
155 base::OneShotTimer retry_timer;
156 base::TimeTicks begin;
157
158 private:
159 base::TickClock* tick_clock_;
160 };
161
162 void AttestationFlow::InitiateEnroll(const base::Closure& on_failure,
163 const base::Closure& next_task) {
164 RetryId retry_id = CreateRetryData();
165 if (retry_id == kInvalidRetryId) {
166 if (!on_failure.is_null())
167 on_failure.Run();
168 return;
169 }
170 TryInitiateEnroll(retry_id, on_failure, next_task);
171 }
172
173 void AttestationFlow::TryInitiateEnroll(const RetryId retry_id,
174 const base::Closure& on_failure,
175 const base::Closure& next_task) {
176 const base::Closure do_enroll = base::Bind(
177 &AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(), retry_id,
178 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(),
179 on_failure, next_task));
180 const base::Closure retry_initiate_enroll = base::Bind(
181 &AttestationFlow::StillRetrying, weak_factory_.GetWeakPtr(), retry_id,
182 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(),
183 retry_id, on_failure),
184 base::Bind(&AttestationFlow::TryInitiateEnroll,
185 weak_factory_.GetWeakPtr(), retry_id, on_failure, next_task));
186 base::Closure do_fail =
187 base::Bind(&AttestationFlow::DoneRetrying, weak_factory_.GetWeakPtr(),
188 retry_id, on_failure);
189 cryptohome_client_->TpmAttestationIsPrepared(
190 base::Bind(&DBusBoolRedirectCallback, do_enroll, retry_initiate_enroll,
191 do_fail, "check for attestation readiness"));
124 } 192 }
125 193
126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, 194 void AttestationFlow::StartEnroll(const base::Closure& on_failure,
127 const base::Closure& next_task) { 195 const base::Closure& next_task) {
128 // Get the attestation service to create a Privacy CA enrollment request. 196 // Get the attestation service to create a Privacy CA enrollment request.
129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( 197 async_caller_->AsyncTpmAttestationCreateEnrollRequest(
130 server_proxy_->GetType(), 198 server_proxy_->GetType(),
131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, 199 base::Bind(&AttestationFlow::SendEnrollRequestToPCA,
132 weak_factory_.GetWeakPtr(), 200 weak_factory_.GetWeakPtr(),
133 on_failure, 201 on_failure,
(...skipping 70 matching lines...) Expand 10 before | Expand all | Expand 10 after
204 if (generate_new_key) { 272 if (generate_new_key) {
205 // Get the attestation service to create a Privacy CA certificate request. 273 // Get the attestation service to create a Privacy CA certificate request.
206 async_caller_->AsyncTpmAttestationCreateCertRequest( 274 async_caller_->AsyncTpmAttestationCreateCertRequest(
207 server_proxy_->GetType(), certificate_profile, 275 server_proxy_->GetType(), certificate_profile,
208 cryptohome::Identification(account_id), request_origin, 276 cryptohome::Identification(account_id), request_origin,
209 base::Bind(&AttestationFlow::SendCertificateRequestToPCA, 277 base::Bind(&AttestationFlow::SendCertificateRequestToPCA,
210 weak_factory_.GetWeakPtr(), key_type, account_id, key_name, 278 weak_factory_.GetWeakPtr(), key_type, account_id, key_name,
211 callback)); 279 callback));
212 } else { 280 } else {
213 // If the key already exists, query the existing certificate. 281 // If the key already exists, query the existing certificate.
214 base::Closure on_key_exists = base::Bind( 282 const base::Closure on_key_exists = base::Bind(
215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), 283 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(),
216 key_type, account_id, key_name, callback); 284 key_type, account_id, key_name, callback);
217 // If the key does not exist, call this method back with |generate_new_key| 285 // If the key does not exist, call this method back with |generate_new_key|
218 // set to true. 286 // set to true.
219 base::Closure on_key_not_exists = base::Bind( 287 const base::Closure on_key_not_exists = base::Bind(
220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), 288 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(),
221 certificate_profile, account_id, request_origin, true, callback); 289 certificate_profile, account_id, request_origin, true, callback);
222 cryptohome_client_->TpmAttestationDoesKeyExist( 290 cryptohome_client_->TpmAttestationDoesKeyExist(
223 key_type, cryptohome::Identification(account_id), key_name, 291 key_type, cryptohome::Identification(account_id), key_name,
224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, 292 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists,
225 base::Bind(callback, false, ""))); 293 base::Bind(callback, false, ""),
294 "check for existence of attestation key"));
226 } 295 }
227 } 296 }
228 297
229 void AttestationFlow::SendCertificateRequestToPCA( 298 void AttestationFlow::SendCertificateRequestToPCA(
230 AttestationKeyType key_type, 299 AttestationKeyType key_type,
231 const AccountId& account_id, 300 const AccountId& account_id,
232 const std::string& key_name, 301 const std::string& key_name,
233 const CertificateCallback& callback, 302 const CertificateCallback& callback,
234 bool success, 303 bool success,
235 const std::string& data) { 304 const std::string& data) {
(...skipping 34 matching lines...) Expand 10 before | Expand all | Expand 10 after
270 void AttestationFlow::GetExistingCertificate( 339 void AttestationFlow::GetExistingCertificate(
271 AttestationKeyType key_type, 340 AttestationKeyType key_type,
272 const AccountId& account_id, 341 const AccountId& account_id,
273 const std::string& key_name, 342 const std::string& key_name,
274 const CertificateCallback& callback) { 343 const CertificateCallback& callback) {
275 cryptohome_client_->TpmAttestationGetCertificate( 344 cryptohome_client_->TpmAttestationGetCertificate(
276 key_type, cryptohome::Identification(account_id), key_name, 345 key_type, cryptohome::Identification(account_id), key_name,
277 base::Bind(&DBusDataMethodCallback, callback)); 346 base::Bind(&DBusDataMethodCallback, callback));
278 } 347 }
279 348
349 AttestationFlow::RetryId AttestationFlow::CreateRetryData() {
350 if (next_retry_id_ < 0)
351 next_retry_id_ = 0;
352 RetryId starting_retry_id = next_retry_id_;
353 while (retries_.find(next_retry_id_) != retries_.end()) {
354 if (++next_retry_id_ < 0)
355 next_retry_id_ = 0;
356 if (next_retry_id_ == starting_retry_id)
357 return kInvalidRetryId;
358 }
359 std::unique_ptr<RetryData> data =
360 base::MakeUnique<RetryData>(preparedness_timeout_, tick_clock_);
361 retries_.insert(std::make_pair(next_retry_id_, std::move(data)));
362 return next_retry_id_++;
363 }
364
365 AttestationFlow::RetryData& AttestationFlow::GetRetryData(RetryId retry_id) {
366 return *retries_.find(retry_id)->second;
367 }
368
369 void AttestationFlow::StillRetrying(const RetryId retry_id,
370 const base::Closure& on_giving_up,
371 const base::Closure& on_retrying) {
372 RetryData& retry_data = GetRetryData(retry_id);
373 base::TimeTicks now = retry_data.Now();
374 base::TimeDelta elapsed = now - retry_data.begin;
375 if (elapsed + kRetryDelay > retry_data.timeout) {
376 LOG(ERROR) << "Attestation: Not prepared."
377 << " Giving up on retrying after " << elapsed << ".";
378 if (!on_giving_up.is_null())
379 on_giving_up.Run();
380 } else {
381 LOG(WARNING) << "Attestation: Not prepared yet."
382 << " Retrying in " << kRetryDelay << ".";
383 retry_data.retry_timer.Start(FROM_HERE, kRetryDelay, on_retrying);
384 }
385 }
386
387 void AttestationFlow::DoneRetrying(RetryId retry_id,
388 const base::Closure& continuation) {
389 retries_.erase(retry_id);
390 if (!continuation.is_null())
391 continuation.Run();
392 }
393
280 ServerProxy::~ServerProxy() {} 394 ServerProxy::~ServerProxy() {}
281 395
282 PrivacyCAType ServerProxy::GetType() { 396 PrivacyCAType ServerProxy::GetType() {
283 return DEFAULT_PCA; 397 return DEFAULT_PCA;
284 } 398 }
285 399
286 } // namespace attestation 400 } // namespace attestation
287 } // namespace chromeos 401 } // namespace chromeos
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698