diff options
author | Eric Biggers <ebiggers@google.com> | 2024-02-07 21:01:39 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2024-02-07 21:01:39 +0000 |
commit | 56910d0a4d1bf8404789551aae7846dcaa00a5a5 (patch) | |
tree | f129b87b8f99f982c34ddccc8abae9a62fb1ea91 | |
parent | eb58a7f2a03e84ec5db4212e4953b8d4ece37cd5 (diff) | |
parent | 3d4f5457af9842fb2c66714a5f99743fa33479e9 (diff) | |
download | security-56910d0a4d1bf8404789551aae7846dcaa00a5a5.tar.gz |
Merge "keystore2: rename MonotonicRawTime to BootTime" into main am: 3d4f5457af
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2940163
Change-Id: I53489025aa43e2463fa61892e48dc2bb8c1858bc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
-rw-r--r-- | keystore2/src/database.rs | 40 | ||||
-rw-r--r-- | keystore2/src/database/perboot.rs | 8 | ||||
-rw-r--r-- | keystore2/src/enforcements.rs | 12 | ||||
-rw-r--r-- | keystore2/src/globals.rs | 4 | ||||
-rw-r--r-- | keystore2/src/maintenance.rs | 4 |
5 files changed, 33 insertions, 35 deletions
diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs index 0a1c5471..d320e20a 100644 --- a/keystore2/src/database.rs +++ b/keystore2/src/database.rs @@ -761,22 +761,22 @@ pub struct KeystoreDB { } /// Database representation of the monotonic time retrieved from the system call clock_gettime with -/// CLOCK_MONOTONIC_RAW. Stores monotonic time as i64 in milliseconds. +/// CLOCK_BOOTTIME. Stores monotonic time as i64 in milliseconds. #[derive(Debug, Copy, Clone, Default, Eq, PartialEq, Ord, PartialOrd)] -pub struct MonotonicRawTime(i64); +pub struct BootTime(i64); -impl MonotonicRawTime { - /// Constructs a new MonotonicRawTime +impl BootTime { + /// Constructs a new BootTime pub fn now() -> Self { Self(get_current_time_in_milliseconds()) } - /// Returns the value of MonotonicRawTime in milliseconds as i64 + /// Returns the value of BootTime in milliseconds as i64 pub fn milliseconds(&self) -> i64 { self.0 } - /// Returns the integer value of MonotonicRawTime as i64 + /// Returns the integer value of BootTime as i64 pub fn seconds(&self) -> i64 { self.0 / 1000 } @@ -787,13 +787,13 @@ impl MonotonicRawTime { } } -impl ToSql for MonotonicRawTime { +impl ToSql for BootTime { fn to_sql(&self) -> rusqlite::Result<ToSqlOutput> { Ok(ToSqlOutput::Owned(Value::Integer(self.0))) } } -impl FromSql for MonotonicRawTime { +impl FromSql for BootTime { fn column_result(value: ValueRef) -> FromSqlResult<Self> { Ok(Self(i64::column_result(value)?)) } @@ -805,11 +805,11 @@ impl FromSql for MonotonicRawTime { pub struct AuthTokenEntry { auth_token: HardwareAuthToken, // Time received in milliseconds - time_received: MonotonicRawTime, + time_received: BootTime, } impl AuthTokenEntry { - fn new(auth_token: HardwareAuthToken, time_received: MonotonicRawTime) -> Self { + fn new(auth_token: HardwareAuthToken, time_received: BootTime) -> Self { AuthTokenEntry { auth_token, time_received } } @@ -832,7 +832,7 @@ impl AuthTokenEntry { } /// Returns the time that this auth token was received. - pub fn time_received(&self) -> MonotonicRawTime { + pub fn time_received(&self) -> BootTime { self.time_received } @@ -2858,14 +2858,12 @@ impl KeystoreDB { /// Insert or replace the auth token based on (user_id, auth_id, auth_type) pub fn insert_auth_token(&mut self, auth_token: &HardwareAuthToken) { - self.perboot.insert_auth_token_entry(AuthTokenEntry::new( - auth_token.clone(), - MonotonicRawTime::now(), - )) + self.perboot + .insert_auth_token_entry(AuthTokenEntry::new(auth_token.clone(), BootTime::now())) } /// Find the newest auth token matching the given predicate. - pub fn find_auth_token_entry<F>(&self, p: F) -> Option<(AuthTokenEntry, MonotonicRawTime)> + pub fn find_auth_token_entry<F>(&self, p: F) -> Option<(AuthTokenEntry, BootTime)> where F: Fn(&AuthTokenEntry) -> bool, { @@ -2873,17 +2871,17 @@ impl KeystoreDB { } /// Insert last_off_body into the metadata table at the initialization of auth token table - pub fn insert_last_off_body(&self, last_off_body: MonotonicRawTime) { + pub fn insert_last_off_body(&self, last_off_body: BootTime) { self.perboot.set_last_off_body(last_off_body) } /// Update last_off_body when on_device_off_body is called - pub fn update_last_off_body(&self, last_off_body: MonotonicRawTime) { + pub fn update_last_off_body(&self, last_off_body: BootTime) { self.perboot.set_last_off_body(last_off_body) } /// Get last_off_body time when finding auth tokens - fn get_last_off_body(&self) -> MonotonicRawTime { + fn get_last_off_body(&self) -> BootTime { self.perboot.get_last_off_body() } @@ -5054,13 +5052,13 @@ pub mod tests { #[test] fn test_last_off_body() -> Result<()> { let mut db = new_test_db()?; - db.insert_last_off_body(MonotonicRawTime::now()); + db.insert_last_off_body(BootTime::now()); let tx = db.conn.transaction_with_behavior(TransactionBehavior::Immediate)?; tx.commit()?; let last_off_body_1 = db.get_last_off_body(); let one_second = Duration::from_secs(1); thread::sleep(one_second); - db.update_last_off_body(MonotonicRawTime::now()); + db.update_last_off_body(BootTime::now()); let tx2 = db.conn.transaction_with_behavior(TransactionBehavior::Immediate)?; tx2.commit()?; let last_off_body_2 = db.get_last_off_body(); diff --git a/keystore2/src/database/perboot.rs b/keystore2/src/database/perboot.rs index 7ff35fa4..1b7c80d6 100644 --- a/keystore2/src/database/perboot.rs +++ b/keystore2/src/database/perboot.rs @@ -15,7 +15,7 @@ //! This module implements a per-boot, shared, in-memory storage of auth tokens //! and last-time-on-body for the main Keystore 2.0 database module. -use super::{AuthTokenEntry, MonotonicRawTime}; +use super::{AuthTokenEntry, BootTime}; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ HardwareAuthToken::HardwareAuthToken, HardwareAuthenticatorType::HardwareAuthenticatorType, }; @@ -103,11 +103,11 @@ impl PerbootDB { matches.last().map(|x| x.0.clone()) } /// Get the last time the device was off the user's body - pub fn get_last_off_body(&self) -> MonotonicRawTime { - MonotonicRawTime(self.last_off_body.load(Ordering::Relaxed)) + pub fn get_last_off_body(&self) -> BootTime { + BootTime(self.last_off_body.load(Ordering::Relaxed)) } /// Set the last time the device was off the user's body - pub fn set_last_off_body(&self, last_off_body: MonotonicRawTime) { + pub fn set_last_off_body(&self, last_off_body: BootTime) { self.last_off_body.store(last_off_body.0, Ordering::Relaxed) } /// Return how many auth tokens are currently tracked. diff --git a/keystore2/src/enforcements.rs b/keystore2/src/enforcements.rs index 04f26e9f..55c9591f 100644 --- a/keystore2/src/enforcements.rs +++ b/keystore2/src/enforcements.rs @@ -20,7 +20,7 @@ use crate::globals::{get_timestamp_service, ASYNC_TASK, DB, ENFORCEMENTS}; use crate::key_parameter::{KeyParameter, KeyParameterValue}; use crate::{authorization::Error as AuthzError, super_key::SuperEncryptionType}; use crate::{ - database::{AuthTokenEntry, MonotonicRawTime}, + database::{AuthTokenEntry, BootTime}, globals::SUPER_KEY, }; use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{ @@ -614,7 +614,7 @@ impl Enforcements { }) .ok_or(Error::Km(Ec::KEY_USER_NOT_AUTHENTICATED)) .context(ks_err!("No suitable auth token found."))?; - let now = MonotonicRawTime::now(); + let now = BootTime::now(); let token_age = now .checked_sub(&hat.time_received()) .ok_or_else(Error::sys) @@ -680,7 +680,7 @@ impl Enforcements { // Now check the validity of the auth token if the key is timeout bound. let hat = match (hat_and_last_off_body, key_time_out) { (Some((hat, last_off_body)), Some(key_time_out)) => { - let now = MonotonicRawTime::now(); + let now = BootTime::now(); let token_age = now .checked_sub(&hat.time_received()) .ok_or_else(Error::sys) @@ -728,7 +728,7 @@ impl Enforcements { }) } - fn find_auth_token<F>(p: F) -> Option<(AuthTokenEntry, MonotonicRawTime)> + fn find_auth_token<F>(p: F) -> Option<(AuthTokenEntry, BootTime)> where F: Fn(&AuthTokenEntry) -> bool, { @@ -853,7 +853,7 @@ impl Enforcements { } else { // Filter the matching auth tokens by age. if auth_token_max_age_millis != 0 { - let now_in_millis = MonotonicRawTime::now(); + let now_in_millis = BootTime::now(); let result = Self::find_auth_token(|auth_token_entry: &AuthTokenEntry| { let token_valid = now_in_millis .checked_sub(&auth_token_entry.time_received()) @@ -889,7 +889,7 @@ impl Enforcements { &self, secure_user_id: i64, auth_type: HardwareAuthenticatorType, - ) -> Option<MonotonicRawTime> { + ) -> Option<BootTime> { let sids: Vec<i64> = vec![secure_user_id]; let result = diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs index 0f899edc..eb755a6b 100644 --- a/keystore2/src/globals.rs +++ b/keystore2/src/globals.rs @@ -23,7 +23,7 @@ use crate::legacy_blob::LegacyBlobLoader; use crate::legacy_importer::LegacyImporter; use crate::super_key::SuperKeyManager; use crate::utils::watchdog as wd; -use crate::{async_task::AsyncTask, database::MonotonicRawTime}; +use crate::{async_task::AsyncTask, database::BootTime}; use crate::{ database::KeystoreDB, database::Uuid, @@ -68,7 +68,7 @@ pub fn create_thread_local_db() -> KeystoreDB { DB_INIT.call_once(|| { log::info!("Touching Keystore 2.0 database for this first time since boot."); - db.insert_last_off_body(MonotonicRawTime::now()); + db.insert_last_off_body(BootTime::now()); log::info!("Calling cleanup leftovers."); let n = db.cleanup_leftovers().expect("Failed to cleanup database on startup."); if n != 0 { diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs index ae988883..3e34cff3 100644 --- a/keystore2/src/maintenance.rs +++ b/keystore2/src/maintenance.rs @@ -14,7 +14,7 @@ //! This module implements IKeystoreMaintenance AIDL interface. -use crate::database::{KeyEntryLoadBits, KeyType, MonotonicRawTime}; +use crate::database::{BootTime, KeyEntryLoadBits, KeyType}; use crate::error::map_km_error; use crate::error::map_or_log_err; use crate::error::Error; @@ -228,7 +228,7 @@ impl Maintenance { // Security critical permission check. This statement must return on fail. check_keystore_permission(KeystorePerm::ReportOffBody).context(ks_err!())?; - DB.with(|db| db.borrow_mut().update_last_off_body(MonotonicRawTime::now())); + DB.with(|db| db.borrow_mut().update_last_off_body(BootTime::now())); Ok(()) } |