Merge "Revert "Add "Unlocked device required" parameter to keys""

author: Jorim Jaggi <jjaggi@google.com> 2018-01-30 15:36:28 +0000
committer: Android (Google) Code Review <android-gerrit@google.com> 2018-01-30 15:36:28 +0000
commit: 5eec4382f2f49f87e3329daabf1db6ebe651e8fc (patch)
tree: 4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1
parent: fb6a3d646f6c52229e4a1cb540a2149f7dba65cf (diff)
parent: 1b75929a58c32882d21d04ee1df2a60a199923bd (diff)
download: security-5eec4382f2f49f87e3329daabf1db6ebe651e8fc.tar.gz
7 files changed, 3 insertions, 41 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 68dde3d3..cb736b33 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -84,7 +84,6 @@ cc_binary {
     srcs: ["keystore_cli.cpp"],
     shared_libs: [
         "android.hardware.keymaster@3.0",
-        "android.hardware.keymaster@4.0",
         "libbinder",
         "libcrypto",
         "libcutils",
@@ -110,8 +109,8 @@ cc_binary {
     srcs: ["keystore_cli_v2.cpp"],
     shared_libs: [
         "android.hardware.confirmationui@1.0",
+        "android.hardware.keymaster@3.0",
         "libbinder",
-        "android.hardware.keymaster@4.0",
         "libchrome",
         "libutils",
         "libhidlbase",
diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h
index bd612940..62b43bee 100644
--- a/keystore/include/keystore/keymaster_types.h
+++ b/keystore/include/keystore/keymaster_types.h
@@ -83,7 +83,6 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION;
 using keymaster::TAG_RSA_PUBLIC_EXPONENT;
 using keymaster::TAG_USAGE_EXPIRE_DATETIME;
 using keymaster::TAG_USER_AUTH_TYPE;
-using keymaster::TAG_USER_ID;
 using keymaster::TAG_USER_SECURE_ID;
 
 using keymaster::NullOr;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index c3f661c1..89c31a54 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -372,7 +372,6 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) {
         return Status::ok();
     }
 
-    enforcement_policy.set_device_locked(true, userId);
     mKeyStore->lock(userId);
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
     return Status::ok();
@@ -401,7 +400,6 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl
         return Status::ok();
     }
 
-    enforcement_policy.set_device_locked(false, userId);
     const String8 password8(pw);
     // read master key, decrypt with password, initialize mMasterKey*.
     *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId));
@@ -1468,7 +1466,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai
 }
 
 Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector,
-                                     int32_t android_uid, int32_t* aidl_return) {
+                                     int32_t* aidl_return) {
 
     // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to
     // receive a HardwareAuthToken, rather than an opaque byte array.
@@ -1490,8 +1488,6 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe
         return Status::ok();
     }
 
-    enforcement_policy.set_device_locked(false, android_uid);
-
     mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector)));
     *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);
     return Status::ok();
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index ea4a089d..ce809f87 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -146,7 +146,7 @@ class KeyStoreService : public android::security::BnKeystoreService,
     ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token,
                                                     bool* _aidl_return) override;
     ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken,
-                                           int32_t android_uid, int32_t* _aidl_return) override;
+                                           int32_t* _aidl_return) override;
     ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId,
                                           int32_t* _aidl_return) override;
     ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override;
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index 690927c5..d78a5a63 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -223,8 +223,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
     bool caller_nonce_authorized_by_key = false;
     bool authentication_required = false;
     bool auth_token_matched = false;
-    bool unlocked_device_required = false;
-    int32_t user_id = -1;
 
     for (auto& param : auth_set) {
 
@@ -284,18 +282,10 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
             }
             break;
 
-        case Tag::USER_ID:
-            user_id = authorizationValue(TAG_USER_ID, param).value();
-            break;
-
         case Tag::CALLER_NONCE:
             caller_nonce_authorized_by_key = true;
             break;
 
-        case Tag::UNLOCKED_DEVICE_REQUIRED:
-            unlocked_device_required = true;
-            break;
-
         /* Tags should never be in key auths. */
         case Tag::INVALID:
         case Tag::ROOT_OF_TRUST:
@@ -366,10 +356,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k
         }
     }
 
-    if (unlocked_device_required && is_device_locked(user_id)) {
-        return ErrorCode::DEVICE_LOCKED;
-    }
-
     if (authentication_required && !auth_token_matched) {
         ALOGE("Auth required but no matching auth token found");
         return ErrorCode::KEY_USER_NOT_AUTHENTICATED;
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index 6e6c54f2..d7b27fcd 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -142,11 +142,6 @@ class KeymasterEnforcement {
      */
     virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
 
-    /*
-     * Returns true if the device screen is currently locked for the specified user.
-     */
-    virtual bool is_device_locked(int32_t userId) const = 0;
-
   private:
     ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
                                       const HardwareAuthToken& auth_token, uint64_t op_handle);
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index e114ea90..3cdf6490 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -84,19 +84,6 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement {
         // signing key. Assume the token is good.
         return true;
     }
-
-    bool is_device_locked(int32_t userId) const override {
-        // If we haven't had a set call for this user yet, assume the device is locked.
-        if (mIsDeviceLockedForUser.count(userId) == 0) return true;
-        return mIsDeviceLockedForUser.find(userId)->second;
-    }
-
-    void set_device_locked(bool isLocked, int32_t userId) {
-        mIsDeviceLockedForUser[userId] = isLocked;
-    }
-
-  private:
-    std::map<int32_t, bool> mIsDeviceLockedForUser;
 };
 
 } // namespace keystore
author	Jorim Jaggi <jjaggi@google.com>	2018-01-30 15:36:28 +0000
committer	Android (Google) Code Review <android-gerrit@google.com>	2018-01-30 15:36:28 +0000
commit	5eec4382f2f49f87e3329daabf1db6ebe651e8fc (patch)
tree	4fa63a4fbed4a4ceb62528770ed77e550e4ff8e1
parent	fb6a3d646f6c52229e4a1cb540a2149f7dba65cf (diff)
parent	1b75929a58c32882d21d04ee1df2a60a199923bd (diff)
download	security-5eec4382f2f49f87e3329daabf1db6ebe651e8fc.tar.gz