authorandroid-build-team Robot <android-build-team-robot@google.com>2020-03-10 02:04:45 +0000
committerandroid-build-team Robot <android-build-team-robot@google.com>2020-03-10 02:04:45 +0000
commita397c081977806665b24e01302da50291746a87e (patch)
tree272c48eb5b6fe2fb5c84929ad6d63194957c5f9a
parentcdb7b3da0e3b2d657110fc4ccaaef4f074f10b76 (diff)
parentff7e85efdac3fcf8c75ad23009470799bf75beea (diff)
downloadsecurity-a397c081977806665b24e01302da50291746a87e.tar.gz
Snap for 6279178 from ff7e85efdac3fcf8c75ad23009470799bf75beea to rvc-release
Change-Id: I117842a61d55791a5bfc8df794fd43a0831cdbe9
-rw-r--r--fsverity_init/Android.bp1
-rw-r--r--fsverity_init/fsverity_init.cpp32
-rw-r--r--identity/Credential.cpp45
-rw-r--r--keystore/keystore.rc2
-rw-r--r--keystore/permissions.cpp2
5 files changed, 24 insertions, 58 deletions
diff --git a/fsverity_init/Android.bp b/fsverity_init/Android.bp
index 407849d5..3c9ade00 100644
--- a/fsverity_init/Android.bp
+++ b/fsverity_init/Android.bp
@@ -9,7 +9,6 @@ cc_binary {
],
shared_libs: [
"libbase",
- "libkeystore_binder",
"libkeyutils",
"liblog",
"liblogwrap",
diff --git a/fsverity_init/fsverity_init.cpp b/fsverity_init/fsverity_init.cpp
index 70523756..e2a8bf70 100644
--- a/fsverity_init/fsverity_init.cpp
+++ b/fsverity_init/fsverity_init.cpp
@@ -19,20 +19,14 @@
#include <sys/types.h>
#include <filesystem>
-#include <memory>
#include <string>
-#include <vector>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/strings.h>
-#include <keystore/keystore_client.h>
-#include <keystore/keystore_client_impl.h>
-#include <keystore/keystore_get.h>
#include <log/log.h>
#include <mini_keyctl_utils.h>
-#include <private/android_filesystem_config.h>
bool LoadKeyToKeyring(key_serial_t keyring_id, const char* desc, const char* data, size_t size) {
key_serial_t key = add_key("asymmetric", desc, data, size, keyring_id);
@@ -61,31 +55,6 @@ void LoadKeyFromVerifiedPartitions(key_serial_t keyring_id) {
}
}
-std::unique_ptr<keystore::KeystoreClient> CreateKeystoreInstance() {
- return std::unique_ptr<keystore::KeystoreClient>(
- static_cast<keystore::KeystoreClient*>(new keystore::KeystoreClientImpl));
-}
-
-void LoadKeysFromKeystore(key_serial_t keyring_id) {
- auto client = CreateKeystoreInstance();
-
- std::vector<std::string> aliases;
- if (client == nullptr || !client->listKeysOfUid("FSV_", AID_FSVERITY_CERT, &aliases)) {
- LOG(ERROR) << "Failed to list key";
- return;
- }
-
- // Always try to load all keys even if some fails to load. The rest may still
- // be important to have.
- for (auto& alias : aliases) {
- auto blob = client->getKey(alias, AID_FSVERITY_CERT);
- if (!LoadKeyToKeyring(keyring_id, "fsv_user", reinterpret_cast<char*>(blob->data()),
- blob->size())) {
- LOG(ERROR) << "Failed to load key " << alias << " from keyring";
- }
- }
-}
-
int main(int /*argc*/, const char** /*argv*/) {
key_serial_t keyring_id = android::GetKeyringId(".fs-verity");
if (keyring_id < 0) {
@@ -100,7 +69,6 @@ int main(int /*argc*/, const char** /*argv*/) {
}
LoadKeyFromVerifiedPartitions(keyring_id);
- LoadKeysFromKeystore(keyring_id);
if (!android::base::GetBoolProperty("ro.debuggable", false)) {
if (keyctl_restrict_keyring(keyring_id, nullptr, nullptr) < 0) {
diff --git a/identity/Credential.cpp b/identity/Credential.cpp
index 604d2621..05c31d3d 100644
--- a/identity/Credential.cpp
+++ b/identity/Credential.cpp
@@ -242,8 +242,28 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
}
}
- Status status = halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage,
- sessionTranscript, readerSignature, requestCounts);
+ // Note that the selectAuthKey() method is only called if a CryptoObject is involved at
+ // the Java layer. So we could end up with no previously selected auth key and we may
+ // need one.
+ const AuthKeyData* authKey = selectedAuthKey_;
+ if (sessionTranscript.size() > 0) {
+ if (authKey == nullptr) {
+ authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
+ if (authKey == nullptr) {
+ return Status::fromServiceSpecificError(
+ ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
+ "No suitable authentication key available");
+ }
+ }
+ }
+ vector<uint8_t> signingKeyBlob;
+ if (authKey != nullptr) {
+ signingKeyBlob = authKey->keyBlob;
+ }
+
+ Status status =
+ halBinder_->startRetrieval(selectedProfiles, aidlAuthToken, requestMessage, signingKeyBlob,
+ sessionTranscript, readerSignature, requestCounts);
if (!status.isOk() && status.exceptionCode() == binder::Status::EX_SERVICE_SPECIFIC) {
int code = status.serviceSpecificErrorCode();
if (code == IIdentityCredentialStore::STATUS_EPHEMERAL_PUBLIC_KEY_NOT_FOUND) {
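Review bot: The moved block keeps its original comment about why an auth key may still be unselected, but nothing records why the selection now has to happen before `startRetrieval` instead of at `finishRetrieval` — the new `startRetrieval` call takes `signingKeyBlob` up front, and a reader of this hunk only sees the key being chosen earlier. A one-line comment above `const AuthKeyData* authKey = selectedAuthKey_;` such as `// The HAL consumes the signing key blob in startRetrieval(), so the auth key must be chosen here, not at finishRetrieval().` would keep that decision next to the code. As a point of style, `if (sessionTranscript.size() > 0)` reads more directly as `if (!sessionTranscript.empty())`. When `sessionTranscript` is empty and no key was previously selected, an empty `signingKeyBlob` is handed to the HAL; that looks intentional, but stating it in the same comment would remove the doubt. The enclosing `getEntries` body starts and ends outside this hunk, and the file's second hunk only drops the old copy of this block.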
@@ -319,26 +339,7 @@ Status Credential::getEntries(const vector<uint8_t>& requestMessage,
ret.resultNamespaces.push_back(resultNamespaceParcel);
}
- // Note that the selectAuthKey() method is only called if a CryptoObject is involved at
- // the Java layer. So we could end up with no previously selected auth key and we may
- // need one.
- const AuthKeyData* authKey = selectedAuthKey_;
- if (sessionTranscript.size() > 0) {
- if (authKey == nullptr) {
- authKey = data_->selectAuthKey(allowUsingExhaustedKeys);
- if (authKey == nullptr) {
- return Status::fromServiceSpecificError(
- ICredentialStore::ERROR_NO_AUTHENTICATION_KEY_AVAILABLE,
- "No suitable authentication key available");
- }
- }
- }
-
- vector<uint8_t> signingKeyBlob;
- if (authKey != nullptr) {
- signingKeyBlob = authKey->keyBlob;
- }
- status = halBinder_->finishRetrieval(signingKeyBlob, &ret.mac, &ret.deviceNameSpaces);
+ status = halBinder_->finishRetrieval(&ret.mac, &ret.deviceNameSpaces);
if (!status.isOk()) {
return halStatusToGenericError(status);
}
diff --git a/keystore/keystore.rc b/keystore/keystore.rc
index a688c5f4..132039a8 100644
--- a/keystore/keystore.rc
+++ b/keystore/keystore.rc
@@ -1,5 +1,5 @@
service keystore /system/bin/keystore /data/misc/keystore
- class core
+ class main
user keystore
group keystore drmrpc readproc log
writepid /dev/cpuset/foreground/tasks
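Review bot: The class change is not documented in the rc file, yet it alters when keystore becomes available during boot: services in `class core` are started before `class main`, so anything launched in core that reaches keystore over binder will now race it or fail. A comment above the line, `# Started with class main: core-class services must not depend on keystore being up.`, would record that constraint for the next reader. This appears consistent with the fsverity_init hunks in the same commit, which drop the keystore client, but that link is inferred rather than stated anywhere on the page.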
diff --git a/keystore/permissions.cpp b/keystore/permissions.cpp
index 8b9e28da..2cd42cf2 100644
--- a/keystore/permissions.cpp
+++ b/keystore/permissions.cpp
@@ -57,8 +57,6 @@ struct user_euid {
user_euid user_euids[] = {{AID_VPN, AID_SYSTEM},
{AID_WIFI, AID_SYSTEM},
{AID_ROOT, AID_SYSTEM},
- {AID_FSVERITY_CERT, AID_ROOT},
- {AID_FSVERITY_CERT, AID_SYSTEM},
#ifdef GRANT_ROOT_ALL_PERMISSIONS
// Allow VTS tests to act on behalf of the wifi user