path: root/keystore2/src/key_parameter.rs
author Eric Biggers <ebiggers@google.com> 2024-03-13 19:31:42 +0000
committer Eric Biggers <ebiggers@google.com> 2024-03-14 17:43:49 +0000
commit b5613dae228ac193a6acfce63db81c5c4c61db9d (patch)
tree 8e01c3878819544db60fa9026c607400d958eb01 /keystore2/src/key_parameter.rs
parent e2ce4fd6428cf719a1b28d649d0c739b98492684 (diff)
download security-b5613dae228ac193a6acfce63db81c5c4c61db9d.tar.gz
Remove broken and unused support for expiring keys when off-body
Remove IKeystoreMaintenance#onDeviceOffBody(), as it's no longer called. In addition, remove the code that tried to enforce the AllowWhileOnBody key parameter. This code was broken during the rewrite of Keystore in Android 12, and as a result, AllowWhileOnBody has no user-visible effect.

AllowWhileOnBody is *supposed* to cause the key's authentication timeout, if it has one, to automatically expire when the device is removed from the user's body. (A better name for it might have been something like UserAuthenticationExpiresWhenRemovedFromBody.) Android 11 Keystore implemented this behavior; see https://android.googlesource.com/platform/system/security/+/refs/heads/android11-release/keystore/auth_token_table.cpp#165

Android 12 Keystore changed AllowWhileOnBody to have no effect. Apparently due to a misunderstanding, the (incorrect) behavior that was attempted to be implemented was "The key may be used after authentication timeout if device is still on-body". But what was actually implemented was that the Keystore daemon stopped enforcing authentication timeouts for AllowWhileOnBody keys entirely, except after a wearable device was removed from the body in which case the timeout is enforced for any earlier authentications. Yet, this has no user-visible effect because KeyMint still enforces the authentication timeout as usual. So, AllowWhileOnBody has really been a no-op since Android 12.

We can always bring this code back, fixed and with tests, if this feature comes back. But for now there is no reason to keep it around.

Bug: 289849354
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Change-Id: I4a7b3a90b56dacbb5316e30a30bf3fabc0debe48
Diffstat (limited to 'keystore2/src/key_parameter.rs')
-rw-r--r-- keystore2/src/key_parameter.rs | 3
1 files changed, 2 insertions, 1 deletions
diff --git a/keystore2/src/key_parameter.rs b/keystore2/src/key_parameter.rs
index 02a1f16c..bd452073 100644
--- a/keystore2/src/key_parameter.rs
+++ b/keystore2/src/key_parameter.rs
@@ -912,7 +912,8 @@ pub enum KeyParameterValue {
/// The time in seconds for which the key is authorized for use, after user authentication
#[key_param(tag = AUTH_TIMEOUT, field = Integer)]
AuthTimeout(i32),
- /// The key may be used after authentication timeout if device is still on-body
+ /// The key's authentication timeout, if it has one, is automatically expired when the device is
+ /// removed from the user's body. No longer implemented; this tag is no longer enforced.
#[key_param(tag = ALLOW_WHILE_ON_BODY, field = BoolValue)]
AllowWhileOnBody,
/// The key must be unusable except when the user has provided proof of physical presence
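Review bot: the new doc comment on the `AllowWhileOnBody` variant ends with "this tag is no longer enforced", which a reader skimming the enum could take to mean the key's authentication timeout itself is no longer enforced for such keys; per the commit message, only the off-body expiry is gone and KeyMint still enforces `AuthTimeout` as usual. Suggest making that explicit, e.g. "... removed from the user's body. Keystore no longer implements the off-body expiry; the authentication timeout itself is still enforced by KeyMint as usual.", and citing the tracking bug from the commit message (Bug: 289849354) in the comment so the reason the tag is a no-op is discoverable from the code.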