author | Paul Crowley <paulcrowley@google.com> | 2021-03-31 09:17:47 -0700 |
---|---|---|
committer | Paul Crowley <paulcrowley@google.com> | 2021-04-05 13:35:57 -0700 |
commit | 9f7f48b9894975104315552ee873256e4b827b81 (patch) | |
tree | 8322a385db838fbebd53f760a26ed173ded1e6ac /keystore2/src/maintenance.rs | |
parent | 5975c897763c2596bc7bc724000fd8bb526b4658 (diff) | |
Cryptographic security for MAX_BOOT_LEVEL
Use a KDF to generate a key for each boot level, anchored in a key
which can only be used once per boot.
Bug: 176450483
Test: aosp/1577966: ensure key created at level 40 stops working at 41
Test: keystore2_test
Change-Id: I12530cd13cb176251c8a0b5431d53c0a7c1bc02d
Diffstat (limited to 'keystore2/src/maintenance.rs')
-rw-r--r-- | keystore2/src/maintenance.rs | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index e059a0b5..5c1e82dc 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -141,6 +141,11 @@ impl Maintenance {
 fn early_boot_ended() -> Result<()> {
 check_keystore_permission(KeystorePerm::early_boot_ended())
 .context("In early_boot_ended. Checking permission")?;
+ log::info!("In early_boot_ended.");
+
+ if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
+ log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
+ }
 
 let sec_levels = [
 (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),  |
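Review bot: A failure of `SUPER_KEY.set_up_boot_level_cache` is only logged in the new `if let Err(e)` branch, and `early_boot_ended` then carries on to the `sec_levels` loop as if the cache existed. Since this cache is what enforces MAX_BOOT_LEVEL cryptographically, the branch should say whether continuing is deliberate and what state boot-level-bound keys are left in; the hunk does not show whether they then fail closed. I would add a comment such as `// Non-fatal by design: without the cache, boot-level keys must stay unusable (confirm).` above the `if let`. The message also embeds `\n` and a trailing `:(`, which splits one failure across several log records and makes it harder to alert on; `log::error!("In early_boot_ended. set_up_boot_level_cache failed: {:?}", e);` matches the context strings used just above. The function body continues past the end of the hunk.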