Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(133)

Side by Side Diff: chromeos/attestation/attestation_flow.cc

Issue 2529743002: Wait for the attestation to be ready (TPM being prepared for attestation) before trying to enroll. (Closed)
Patch Set: Inverted condition for easier reading. Created 4 years ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
OLDNEW
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be 2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file. 3 // found in the LICENSE file.
4 4
5 #include "chromeos/attestation/attestation_flow.h" 5 #include "chromeos/attestation/attestation_flow.h"
6 6
7 #include <utility> 7 #include <utility>
8 8
9 #include "base/bind.h" 9 #include "base/bind.h"
10 #include "base/memory/ptr_util.h"
11 #include "base/timer/timer.h"
10 #include "chromeos/cryptohome/async_method_caller.h" 12 #include "chromeos/cryptohome/async_method_caller.h"
11 #include "chromeos/cryptohome/cryptohome_parameters.h" 13 #include "chromeos/cryptohome/cryptohome_parameters.h"
12 #include "chromeos/dbus/cryptohome_client.h" 14 #include "chromeos/dbus/cryptohome_client.h"
13 #include "components/signin/core/account_id/account_id.h" 15 #include "components/signin/core/account_id/account_id.h"
14 16
15 namespace chromeos { 17 namespace chromeos {
16 namespace attestation { 18 namespace attestation {
17 19
18 namespace { 20 namespace {
19 21
22 // Default backoff policy.
23 const net::BackoffEntry::Policy kDefaultBackoffPolicy = {
24 // Number of initial errors (in sequence) to ignore before applying
25 // exponential back-off rules.
26 0,
27
28 // Initial delay for exponential back-off in ms.
29 2000,
30
31 // Factor by which the waiting time will be multiplied.
32 2,
33
34 // Fuzzing percentage. ex: 10% will spread requests randomly
35 // between 90%-100% of the calculated time.
36 0,
37
38 // Maximum amount of time we are willing to delay our request in ms.
39 -1,
40
41 // Time to keep an entry from being discarded even when it
42 // has no significant state, -1 to never discard.
43 -1,
44
45 // Don't use initial delay unless the last request was an error.
46 false,
47 };
48
20 // Redirects to one of three callbacks based on a boolean value and dbus call 49 // Redirects to one of three callbacks based on a boolean value and dbus call
21 // status. 50 // status.
22 // 51 //
23 // Parameters 52 // Parameters
24 // on_true - Called when status=succes and value=true. 53 // on_true - Called when status=succes and value=true.
25 // on_false - Called when status=success and value=false. 54 // on_false - Called when status=success and value=false.
26 // on_fail - Called when status=failure. 55 // on_fail - Called when status=failure.
27 // status - The D-Bus operation status. 56 // status - The D-Bus operation status.
28 // value - The value returned by the D-Bus operation. 57 // value - The value returned by the D-Bus operation.
29 void DBusBoolRedirectCallback(const base::Closure& on_true, 58 void DBusBoolRedirectCallback(const base::Closure& on_true,
30 const base::Closure& on_false, 59 const base::Closure& on_false,
31 const base::Closure& on_fail, 60 const base::Closure& on_fail,
61 const std::string& on_fail_message,
32 DBusMethodCallStatus status, 62 DBusMethodCallStatus status,
33 bool value) { 63 bool value) {
34 if (status != DBUS_METHOD_CALL_SUCCESS) { 64 if (status != DBUS_METHOD_CALL_SUCCESS) {
35 LOG(ERROR) << "Attestation: Failed to query enrollment state."; 65 LOG(ERROR) << "Attestation: Failed to " << on_fail_message << ".";
36 if (!on_fail.is_null()) 66 if (!on_fail.is_null())
37 on_fail.Run(); 67 on_fail.Run();
38 return; 68 return;
39 } 69 }
40 const base::Closure& task = value ? on_true : on_false; 70 const base::Closure& task = value ? on_true : on_false;
41 if (!task.is_null()) 71 if (!task.is_null())
42 task.Run(); 72 task.Run();
43 } 73 }
44 74
45 void DBusDataMethodCallback( 75 void DBusDataMethodCallback(
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
88 NOTREACHED(); 118 NOTREACHED();
89 return ""; 119 return "";
90 } 120 }
91 121
92 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller, 122 AttestationFlow::AttestationFlow(cryptohome::AsyncMethodCaller* async_caller,
93 CryptohomeClient* cryptohome_client, 123 CryptohomeClient* cryptohome_client,
94 std::unique_ptr<ServerProxy> server_proxy) 124 std::unique_ptr<ServerProxy> server_proxy)
95 : async_caller_(async_caller), 125 : async_caller_(async_caller),
96 cryptohome_client_(cryptohome_client), 126 cryptohome_client_(cryptohome_client),
97 server_proxy_(std::move(server_proxy)), 127 server_proxy_(std::move(server_proxy)),
128 retry_timer_(new base::OneShotTimer()),
129 retry_backoff_(&kDefaultBackoffPolicy),
98 weak_factory_(this) {} 130 weak_factory_(this) {}
99 131
100 AttestationFlow::~AttestationFlow() { 132 AttestationFlow::~AttestationFlow() {
101 } 133 }
102 134
103 void AttestationFlow::GetCertificate( 135 void AttestationFlow::GetCertificate(
104 AttestationCertificateProfile certificate_profile, 136 AttestationCertificateProfile certificate_profile,
105 const AccountId& account_id, 137 const AccountId& account_id,
106 const std::string& request_origin, 138 const std::string& request_origin,
107 bool force_new_key, 139 bool force_new_key,
108 const CertificateCallback& callback) { 140 const CertificateCallback& callback) {
141 // Fail requests if we are backing off right now.
142 if (retry_backoff_.ShouldRejectRequest()) {
The one and only Dr. Crash 2016/12/02 05:57:49 I actually think that the behavior I want is to st
143 if (!callback.is_null())
144 callback.Run(false, "");
145 return;
146 }
109 // If this device has not enrolled with the Privacy CA, we need to do that 147 // If this device has not enrolled with the Privacy CA, we need to do that
110 // first. Once enrolled we can proceed with the certificate request. 148 // first. Once enrolled we can proceed with the certificate request.
111 base::Closure do_cert_request = base::Bind( 149 base::Closure do_cert_request = base::Bind(
112 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), 150 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(),
113 certificate_profile, account_id, request_origin, force_new_key, callback); 151 certificate_profile, account_id, request_origin, force_new_key, callback);
114 base::Closure on_enroll_failure = base::Bind(callback, false, ""); 152 base::Closure on_enroll_failure = base::Bind(callback, false, "");
115 base::Closure do_enroll = base::Bind(&AttestationFlow::StartEnroll, 153 base::Closure initiate_enroll =
116 weak_factory_.GetWeakPtr(), 154 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(),
117 on_enroll_failure, 155 on_enroll_failure, do_cert_request);
118 do_cert_request); 156 cryptohome_client_->TpmAttestationIsEnrolled(
119 cryptohome_client_->TpmAttestationIsEnrolled(base::Bind( 157 base::Bind(&DBusBoolRedirectCallback,
120 &DBusBoolRedirectCallback, 158 do_cert_request, // If enrolled, proceed with cert request.
121 do_cert_request, // If enrolled, proceed with cert request. 159 initiate_enroll, // If not enrolled, initiate enrollment.
122 do_enroll, // If not enrolled, initiate enrollment. 160 on_enroll_failure, "check enrollment state"));
123 on_enroll_failure)); 161 }
162
163 void AttestationFlow::SetRetryTimerForTest(
164 std::unique_ptr<base::OneShotTimer> retry_timer) {
165 retry_timer_ = std::move(retry_timer);
166 }
167
168 void AttestationFlow::InitiateEnroll(const base::Closure& on_failure,
169 const base::Closure& next_task) {
170 base::Closure do_enroll =
171 base::Bind(&AttestationFlow::StartEnroll, weak_factory_.GetWeakPtr(),
172 on_failure, next_task);
173 base::Closure retry_initiate_enroll =
174 base::Bind(&AttestationFlow::RetryInitiateEnroll,
175 weak_factory_.GetWeakPtr(), on_failure, next_task);
176 cryptohome_client_->TpmAttestationIsPrepared(
177 base::Bind(&DBusBoolRedirectCallback, do_enroll, retry_initiate_enroll,
178 on_failure, "check for attestation readiness"));
179 }
180
181 void AttestationFlow::RetryInitiateEnroll(const base::Closure& on_failure,
182 const base::Closure& next_task) {
183 if (initiate_enroll_retries_ == 0) {
184 LOG(ERROR) << "Attestation: not ready for attestation."
185 << " Giving up on retrying.";
186 if (!on_failure.is_null())
187 on_failure.Run();
188 } else {
189 if (initiate_enroll_retries_ > 0)
190 --initiate_enroll_retries_;
191 retry_backoff_.InformOfRequest(false);
192 auto retry_delay = retry_backoff_.GetTimeUntilRelease().InMilliseconds();
193 LOG(WARNING) << "Attestation: not ready for attestation yet."
194 << " Retrying in " << retry_delay << " ms.";
195 retry_timer_->Start(
196 FROM_HERE, retry_backoff_.GetTimeUntilRelease(),
197 base::Bind(&AttestationFlow::InitiateEnroll, weak_factory_.GetWeakPtr(),
198 on_failure, next_task));
199 }
124 } 200 }
125 201
126 void AttestationFlow::StartEnroll(const base::Closure& on_failure, 202 void AttestationFlow::StartEnroll(const base::Closure& on_failure,
127 const base::Closure& next_task) { 203 const base::Closure& next_task) {
204 // We are done retrying the enrollment initiation (i.e. TPM is ready).
205 retry_backoff_.Reset();
128 // Get the attestation service to create a Privacy CA enrollment request. 206 // Get the attestation service to create a Privacy CA enrollment request.
129 async_caller_->AsyncTpmAttestationCreateEnrollRequest( 207 async_caller_->AsyncTpmAttestationCreateEnrollRequest(
130 server_proxy_->GetType(), 208 server_proxy_->GetType(),
131 base::Bind(&AttestationFlow::SendEnrollRequestToPCA, 209 base::Bind(&AttestationFlow::SendEnrollRequestToPCA,
132 weak_factory_.GetWeakPtr(), 210 weak_factory_.GetWeakPtr(),
133 on_failure, 211 on_failure,
134 next_task)); 212 next_task));
135 } 213 }
136 214
137 void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure, 215 void AttestationFlow::SendEnrollRequestToPCA(const base::Closure& on_failure,
(...skipping 77 matching lines...) Expand 10 before | Expand all | Expand 10 after
215 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(), 293 &AttestationFlow::GetExistingCertificate, weak_factory_.GetWeakPtr(),
216 key_type, account_id, key_name, callback); 294 key_type, account_id, key_name, callback);
217 // If the key does not exist, call this method back with |generate_new_key| 295 // If the key does not exist, call this method back with |generate_new_key|
218 // set to true. 296 // set to true.
219 base::Closure on_key_not_exists = base::Bind( 297 base::Closure on_key_not_exists = base::Bind(
220 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(), 298 &AttestationFlow::StartCertificateRequest, weak_factory_.GetWeakPtr(),
221 certificate_profile, account_id, request_origin, true, callback); 299 certificate_profile, account_id, request_origin, true, callback);
222 cryptohome_client_->TpmAttestationDoesKeyExist( 300 cryptohome_client_->TpmAttestationDoesKeyExist(
223 key_type, cryptohome::Identification(account_id), key_name, 301 key_type, cryptohome::Identification(account_id), key_name,
224 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists, 302 base::Bind(&DBusBoolRedirectCallback, on_key_exists, on_key_not_exists,
225 base::Bind(callback, false, ""))); 303 base::Bind(callback, false, ""),
304 "check for existence of attestation key"));
226 } 305 }
227 } 306 }
228 307
229 void AttestationFlow::SendCertificateRequestToPCA( 308 void AttestationFlow::SendCertificateRequestToPCA(
230 AttestationKeyType key_type, 309 AttestationKeyType key_type,
231 const AccountId& account_id, 310 const AccountId& account_id,
232 const std::string& key_name, 311 const std::string& key_name,
233 const CertificateCallback& callback, 312 const CertificateCallback& callback,
234 bool success, 313 bool success,
235 const std::string& data) { 314 const std::string& data) {
(...skipping 42 matching lines...) Expand 10 before | Expand all | Expand 10 after
278 } 357 }
279 358
280 ServerProxy::~ServerProxy() {} 359 ServerProxy::~ServerProxy() {}
281 360
282 PrivacyCAType ServerProxy::GetType() { 361 PrivacyCAType ServerProxy::GetType() {
283 return DEFAULT_PCA; 362 return DEFAULT_PCA;
284 } 363 }
285 364
286 } // namespace attestation 365 } // namespace attestation
287 } // namespace chromeos 366 } // namespace chromeos
OLDNEW

Powered by Google App Engine
This is Rietveld 408576698