authorPaul Crowley <paulcrowley@google.com>2021-03-31 09:17:47 -0700
committerPaul Crowley <paulcrowley@google.com>2021-04-05 13:35:57 -0700
commit9f7f48b9894975104315552ee873256e4b827b81 (patch)
tree8322a385db838fbebd53f760a26ed173ded1e6ac /keystore2/src/maintenance.rs
parent5975c897763c2596bc7bc724000fd8bb526b4658 (diff)
Cryptographic security for MAX_BOOT_LEVEL
Use a KDF to generate a key for each boot level, anchored in a key which can only be used once per boot. Bug: 176450483 Test: aosp/1577966: ensure key created at level 40 stops working at 41 Test: keystore2_test Change-Id: I12530cd13cb176251c8a0b5431d53c0a7c1bc02d
Diffstat (limited to 'keystore2/src/maintenance.rs')
-rw-r--r--keystore2/src/maintenance.rs5
1 files changed, 5 insertions, 0 deletions
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index e059a0b5..5c1e82dc 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -141,6 +141,11 @@ impl Maintenance {
fn early_boot_ended() -> Result<()> {
check_keystore_permission(KeystorePerm::early_boot_ended())
.context("In early_boot_ended. Checking permission")?;
+ log::info!("In early_boot_ended.");
+
+ if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
+ log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
+ }
let sec_levels = [
(SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),