diff options
author | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-30 21:10:58 +0000 |
---|---|---|
committer | android-build-team Robot <android-build-team-robot@google.com> | 2018-01-30 21:10:58 +0000 |
commit | e5ffa7781d8d111e3db4763a995d763b7d110005 (patch) | |
tree | 2e0795351b1aed97bc61056c1f515284adc68aa5 | |
parent | ef1d54f5072f9a698e67faa6cbd2b1818eed6a10 (diff) | |
parent | 91d2efb1bacc6918146de4e76f77e68c1e99f16d (diff) | |
download | security-e5ffa7781d8d111e3db4763a995d763b7d110005.tar.gz |
Merge cherrypicks of [3535875, 3534641, 3534642, 3536651, 3536652, 3536653, 3535904, 3535498, 3536654, 3535876, 3534643, 3535905] into pi-release
Change-Id: Ie533a45f6fbde549a5c99e8be5400381a51b82ac
-rw-r--r-- | keystore/Android.bp | 3 | ||||
-rw-r--r-- | keystore/include/keystore/keymaster_types.h | 1 | ||||
-rw-r--r-- | keystore/key_store_service.cpp | 6 | ||||
-rw-r--r-- | keystore/key_store_service.h | 2 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.cpp | 14 | ||||
-rw-r--r-- | keystore/keymaster_enforcement.h | 5 | ||||
-rw-r--r-- | keystore/keystore_keymaster_enforcement.h | 13 |
7 files changed, 3 insertions, 41 deletions
diff --git a/keystore/Android.bp b/keystore/Android.bp index 68dde3d3..cb736b33 100644 --- a/keystore/Android.bp +++ b/keystore/Android.bp @@ -84,7 +84,6 @@ cc_binary { srcs: ["keystore_cli.cpp"], shared_libs: [ "android.hardware.keymaster@3.0", - "android.hardware.keymaster@4.0", "libbinder", "libcrypto", "libcutils", @@ -110,8 +109,8 @@ cc_binary { srcs: ["keystore_cli_v2.cpp"], shared_libs: [ "android.hardware.confirmationui@1.0", + "android.hardware.keymaster@3.0", "libbinder", - "android.hardware.keymaster@4.0", "libchrome", "libutils", "libhidlbase", diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h index bd612940..62b43bee 100644 --- a/keystore/include/keystore/keymaster_types.h +++ b/keystore/include/keystore/keymaster_types.h @@ -83,7 +83,6 @@ using keymaster::TAG_RESET_SINCE_ID_ROTATION; using keymaster::TAG_RSA_PUBLIC_EXPONENT; using keymaster::TAG_USAGE_EXPIRE_DATETIME; using keymaster::TAG_USER_AUTH_TYPE; -using keymaster::TAG_USER_ID; using keymaster::TAG_USER_SECURE_ID; using keymaster::NullOr; diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp index 582f8aa5..96d8f4d3 100644 --- a/keystore/key_store_service.cpp +++ b/keystore/key_store_service.cpp @@ -364,7 +364,6 @@ Status KeyStoreService::lock(int32_t userId, int32_t* aidl_return) { return Status::ok(); } - enforcement_policy.set_device_locked(true, userId); mKeyStore->lock(userId); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); @@ -393,7 +392,6 @@ Status KeyStoreService::unlock(int32_t userId, const String16& pw, int32_t* aidl return Status::ok(); } - enforcement_policy.set_device_locked(false, userId); const String8 password8(pw); // read master key, decrypt with password, initialize mMasterKey*. *aidl_return = static_cast<int32_t>(mKeyStore->readMasterKey(password8, userId)); @@ -1446,7 +1444,7 @@ Status KeyStoreService::isOperationAuthorized(const sp<IBinder>& token, bool* ai } Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVector, - int32_t android_uid, int32_t* aidl_return) { + int32_t* aidl_return) { // TODO(swillden): When gatekeeper and fingerprint are ready, this should be updated to // receive a HardwareAuthToken, rather than an opaque byte array. @@ -1468,8 +1466,6 @@ Status KeyStoreService::addAuthToken(const ::std::vector<uint8_t>& authTokenAsVe return Status::ok(); } - enforcement_policy.set_device_locked(false, android_uid); - mAuthTokenTable.AddAuthenticationToken(hidlVec2AuthToken(hidl_vec<uint8_t>(authTokenAsVector))); *aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR); return Status::ok(); diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h index ea4a089d..ce809f87 100644 --- a/keystore/key_store_service.h +++ b/keystore/key_store_service.h @@ -146,7 +146,7 @@ class KeyStoreService : public android::security::BnKeystoreService, ::android::binder::Status isOperationAuthorized(const ::android::sp<::android::IBinder>& token, bool* _aidl_return) override; ::android::binder::Status addAuthToken(const ::std::vector<uint8_t>& authToken, - int32_t android_uid, int32_t* _aidl_return) override; + int32_t* _aidl_return) override; ::android::binder::Status onUserAdded(int32_t userId, int32_t parentId, int32_t* _aidl_return) override; ::android::binder::Status onUserRemoved(int32_t userId, int32_t* _aidl_return) override; diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp index 690927c5..d78a5a63 100644 --- a/keystore/keymaster_enforcement.cpp +++ b/keystore/keymaster_enforcement.cpp @@ -223,8 +223,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k bool caller_nonce_authorized_by_key = false; bool authentication_required = false; bool auth_token_matched = false; - bool unlocked_device_required = false; - int32_t user_id = -1; for (auto& param : auth_set) { @@ -284,18 +282,10 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } break; - case Tag::USER_ID: - user_id = authorizationValue(TAG_USER_ID, param).value(); - break; - case Tag::CALLER_NONCE: caller_nonce_authorized_by_key = true; break; - case Tag::UNLOCKED_DEVICE_REQUIRED: - unlocked_device_required = true; - break; - /* Tags should never be in key auths. */ case Tag::INVALID: case Tag::ROOT_OF_TRUST: @@ -366,10 +356,6 @@ ErrorCode KeymasterEnforcement::AuthorizeBegin(const KeyPurpose purpose, const k } } - if (unlocked_device_required && is_device_locked(user_id)) { - return ErrorCode::DEVICE_LOCKED; - } - if (authentication_required && !auth_token_matched) { ALOGE("Auth required but no matching auth token found"); return ErrorCode::KEY_USER_NOT_AUTHENTICATED; diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h index 6e6c54f2..d7b27fcd 100644 --- a/keystore/keymaster_enforcement.h +++ b/keystore/keymaster_enforcement.h @@ -142,11 +142,6 @@ class KeymasterEnforcement { */ virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0; - /* - * Returns true if the device screen is currently locked for the specified user. - */ - virtual bool is_device_locked(int32_t userId) const = 0; - private: ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set, const HardwareAuthToken& auth_token, uint64_t op_handle); diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h index e114ea90..3cdf6490 100644 --- a/keystore/keystore_keymaster_enforcement.h +++ b/keystore/keystore_keymaster_enforcement.h @@ -84,19 +84,6 @@ class KeystoreKeymasterEnforcement : public KeymasterEnforcement { // signing key. Assume the token is good. return true; } - - bool is_device_locked(int32_t userId) const override { - // If we haven't had a set call for this user yet, assume the device is locked. - if (mIsDeviceLockedForUser.count(userId) == 0) return true; - return mIsDeviceLockedForUser.find(userId)->second; - } - - void set_device_locked(bool isLocked, int32_t userId) { - mIsDeviceLockedForUser[userId] = isLocked; - } - - private: - std::map<int32_t, bool> mIsDeviceLockedForUser; }; } // namespace keystore |