Diffstat (limited to 'keystore2')
-rw-r--r-- | keystore2/aconfig/flags.aconfig | 8 | ||||
-rw-r--r-- | keystore2/src/utils.rs | 11 |
2 files changed, 15 insertions, 4 deletions
diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig
index 5d2a422c..02716da5 100644
--- a/keystore2/aconfig/flags.aconfig
+++ b/keystore2/aconfig/flags.aconfig
@@ -15,3 +15,11 @@ flag {
 bug: "307460850"
 is_fixed_read_only: true
 }
+
+flag {
+ name: "import_previously_emulated_keys"
+ namespace: "hardware_backed_security"
+ description: "Include support for importing keys that were previously software-emulated into KeyMint"
+ bug: "283077822"
+ is_fixed_read_only: true
+}
\ No newline at end of file
diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs
index 74a5ae6a..174a22ba 100644
--- a/keystore2/src/utils.rs
+++ b/keystore2/src/utils.rs
@@ -367,7 +367,9 @@ where
 km_op,
 new_blob_handler,
 )
- } else if key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX) {
+ } else if keystore2_flags::import_previously_emulated_keys()
+ && key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX)
+ {
 // 2) The keyblob was created in software by the km_compat C++ code because a prior
 // Keymaster implementation did not support ECDH (which was only added in KeyMint).
 //
@@ -386,9 +388,10 @@ where
 km_op,
 new_blob_handler,
 )
- } else if let km_compat::KeyBlob::Wrapped(inner_keyblob) =
- km_compat::unwrap_keyblob(key_blob)
- {
+ } else if let (true, km_compat::KeyBlob::Wrapped(inner_keyblob)) = (
+ keystore2_flags::import_previously_emulated_keys(),
+ km_compat::unwrap_keyblob(key_blob),
+ ) {
 // 3) The keyblob was created in software by km_compat.rs because a prior KeyMint
 // implementation did not support a feature present in the current KeyMint spec.
 // (For example, a curve 25519 key created when the device only supported KeyMint
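Review bot: The case comments `// 2) …` and `// 3) …` still describe the branches as unconditional classifications of the keyblob, but both conditions are now gated on `keystore2_flags::import_previously_emulated_keys()`, and nothing in either hunk records what a `KEYMASTER_BLOB_SW_PREFIX` or `KeyBlob::Wrapped` blob does when the flag is off (presumably it falls through to whatever branch follows, which is outside this hunk). A one-line comment above the first gated condition would keep the numbered cases honest, for example `// Cases 2) and 3) only apply when the import_previously_emulated_keys flag is set; with the flag off, software-emulated blobs are not upgraded here and take the remaining path below.` The same applies to the second hunk at line 388. The enclosing function starts and ends outside both hunks.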
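Review bot: The tuple pattern in the second hunk evaluates `km_compat::unwrap_keyblob(key_blob)` eagerly even when `import_previously_emulated_keys()` is false, because both tuple elements are built before the match; if the intent of the flag is to keep the software-blob parsing path off, the parser still runs on every blob that reaches this branch. Rust's `bool::then` makes the parse conditional on the flag without a nested `if`, and the `Wrapped` extraction moves into an `and_then`. This assumes `key_blob` is a `Copy` borrow such as `&[u8]` (it is passed to `starts_with` in the first hunk, which is consistent with that but not proof); if it is an owned value the closure would need to borrow it. The enclosing function starts and ends outside the hunk.
```rust
} else if let Some(inner_keyblob) = keystore2_flags::import_previously_emulated_keys()
    .then(|| km_compat::unwrap_keyblob(key_blob))
    .and_then(|kb| match kb {
        km_compat::KeyBlob::Wrapped(inner) => Some(inner),
        _ => None,
    })
{
    // … unchanged: case 3) comment and upgrade of inner_keyblob …
```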