author | Shawn Willden <swillden@google.com> | 2021-08-12 01:33:01 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2021-08-12 01:33:01 +0000 |
commit | 1c7821bd750dd3b0fa5e3561e46f4d2d71488190 (patch) | |
tree | 1999a302cc1601f63d04f6aac81d703c805ecab2 | |
parent | 4e61e0332be686f605be045f59cfc5b9b025a787 (diff) | |
parent | 5ba41aa8365083afcde31ed0872e03a87f78206f (diff) | |
download | security-1c7821bd750dd3b0fa5e3561e46f4d2d71488190.tar.gz |
Revert "Add deleteAllKeys to IKeystoreMaintenance" am: 5ba41aa836
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15536477
Change-Id: I6e1aa29d284167f7539bf91118a27107a688ee46
-rw-r--r-- | keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl | 8 | ||||
-rw-r--r-- | keystore2/src/maintenance.rs | 82 | ||||
-rw-r--r-- | keystore2/src/permission.rs | 2 |
3 files changed, 27 insertions, 65 deletions
diff --git a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
index 6a37c786..5f91e799 100644
--- a/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
+++ b/keystore2/aidl/android/security/maintenance/IKeystoreMaintenance.aidl
@@ -123,12 +123,4 @@ interface IKeystoreMaintenance {
      * `ResponseCode::SYSTEM_ERROR` - An unexpected system error occurred.
      */
     void migrateKeyNamespace(in KeyDescriptor source, in KeyDescriptor destination);
-
-    /**
-     * Deletes all keys in all hardware keystores. Used when keystore is reset completely. After
-     * this function is called all keys with Tag::ROLLBACK_RESISTANCE in their hardware-enforced
-     * authorization lists must be rendered permanently unusable. Keys without
-     * Tag::ROLLBACK_RESISTANCE may or may not be rendered unusable.
-     */
-    void deleteAllKeys();
 }
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 3180e5df..637fb612 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -152,50 +152,22 @@ impl Maintenance {
         }
     }
 
-    fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
-    where
-        F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
-    {
+    fn early_boot_ended_help(sec_level: SecurityLevel) -> Result<()> {
         let (dev, _, _) = get_keymint_device(&sec_level)
-            .context("In call_with_watchdog: getting keymint device")?;
-        let km_dev: Strong<dyn IKeyMintDevice> = dev
-            .get_interface()
-            .context("In call_with_watchdog: getting keymint device interface")?;
-
-        let _wp = wd::watch_millis_with("In call_with_watchdog", 500, move || {
-            format!("Seclevel: {:?} Op: {}", sec_level, name)
-        });
-        map_km_error(op(km_dev)).with_context(|| format!("In keymint device: calling {}", name))?;
+            .context("In early_boot_ended: getting keymint device")?;
+        let km_dev: Strong<dyn IKeyMintDevice> =
+            dev.get_interface().context("In early_boot_ended: getting keymint device interface")?;
+
+        let _wp = wd::watch_millis_with(
+            "In early_boot_ended_help: calling earlyBootEnded()",
+            500,
+            move || format!("Seclevel: {:?}", sec_level),
+        );
+        map_km_error(km_dev.earlyBootEnded())
+            .context("In keymint device: calling earlyBootEnded")?;
         Ok(())
     }
 
-    fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
-    where
-        F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
-    {
-        let sec_levels = [
-            (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
-            (SecurityLevel::STRONGBOX, "STRONGBOX"),
-        ];
-        sec_levels.iter().fold(Ok(()), move |result, (sec_level, sec_level_string)| {
-            let curr_result = Maintenance::call_with_watchdog(*sec_level, name, &op);
-            match curr_result {
-                Ok(()) => log::info!(
-                    "Call to {} succeeded for security level {}.",
-                    name,
-                    &sec_level_string
-                ),
-                Err(ref e) => log::error!(
-                    "Call to {} failed for security level {}: {}.",
-                    name,
-                    &sec_level_string,
-                    e
-                ),
-            }
-            result.and(curr_result)
-        })
-    }
-
     fn early_boot_ended() -> Result<()> {
         check_keystore_permission(KeystorePerm::early_boot_ended())
             .context("In early_boot_ended. Checking permission")?;
@@ -204,7 +176,21 @@ impl Maintenance {
         if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
             log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
         }
-        Maintenance::call_on_all_security_levels("earlyBootEnded", |dev| dev.earlyBootEnded())
+
+        let sec_levels = [
+            (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
+            (SecurityLevel::STRONGBOX, "STRONGBOX"),
+        ];
+        sec_levels.iter().fold(Ok(()), |result, (sec_level, sec_level_string)| {
+            let curr_result = Maintenance::early_boot_ended_help(*sec_level);
+            if curr_result.is_err() {
+                log::error!(
+                    "Call to earlyBootEnded failed for security level {}.",
+                    &sec_level_string
+                );
+            }
+            result.and(curr_result)
+        })
     }
 
     fn on_device_off_body() -> Result<()> {
@@ -252,15 +238,6 @@ impl Maintenance {
             })
         })
     }
-
-    fn delete_all_keys() -> Result<()> {
-        // Security critical permission check. This statement must return on fail.
-        check_keystore_permission(KeystorePerm::delete_all_keys())
-            .context("In delete_all_keys. Checking permission")?;
-        log::info!("In delete_all_keys.");
-
-        Maintenance::call_on_all_security_levels("deleteAllKeys", |dev| dev.deleteAllKeys())
-    }
 }
 
 impl Interface for Maintenance {}
@@ -309,9 +286,4 @@ impl IKeystoreMaintenance for Maintenance {
         let _wp = wd::watch_millis("IKeystoreMaintenance::migrateKeyNamespace", 500);
         map_or_log_err(Self::migrate_key_namespace(source, destination), Ok)
     }
-
-    fn deleteAllKeys(&self) -> BinderResult<()> {
-        let _wp = wd::watch_millis("IKeystoreMaintenance::deleteAllKeys", 500);
-        map_or_log_err(Self::delete_all_keys(), Ok)
-    }
 }
diff --git a/keystore2/src/permission.rs b/keystore2/src/permission.rs
index 4add8992..8343a299 100644
--- a/keystore2/src/permission.rs
+++ b/keystore2/src/permission.rs
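Review bot: The two `.context(...)` strings in the restored `early_boot_ended_help` attribute failures to `early_boot_ended` (`"In early_boot_ended: getting keymint device"` and `"In early_boot_ended: getting keymint device interface"`) while the watchdog message a few lines below names `early_boot_ended_help`, so an error chain from this function points at the wrong frame. I would make the context strings name the helper: `.context("In early_boot_ended_help: getting keymint device")?` and `.context("In early_boot_ended_help: getting keymint device interface")?`. The `early_boot_ended` body opened by this hunk's trailing context lines continues outside the hunk.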
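Review bot: The error branch of the new fold in `early_boot_ended` logs only the security level and drops the error value, and since `result.and(curr_result)` keeps the first `Err`, a STRONGBOX failure that follows a TRUSTED_ENVIRONMENT failure leaves no record of its cause anywhere — the helper being reverted logged `e` alongside the level. I would bind the error and include it: `if let Err(ref e) = curr_result {` followed by `log::error!("Call to earlyBootEnded failed for security level {}: {:?}.", &sec_level_string, e);`. This log line is presumably the only per-level diagnostic, since the binder entry point (outside this hunk) sees a single combined result. `early_boot_ended`'s signature and its permission check sit above this hunk.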
@@ -317,8 +317,6 @@ implement_permission!(
     ReportOffBody = 0x1000, selinux name: report_off_body;
     /// Checked when IkeystoreMetrics::pullMetris is called.
     PullMetrics = 0x2000, selinux name: pull_metrics;
-    /// Checked when IKeystoreMaintenance::deleteAllKeys is called.
-    DeleteAllKeys = 0x4000, selinux name: delete_all_keys;
 }
 );
 