Age | Commit message | Author
sc-qpr3-release
Change-Id: I4d726fb2a82dc1c5db9ab999790d408d88ce094c
Placing a call to delete all expired attestation keys directly in
the function responsible for retrieving them. This guarantees that any
key selected will be fresh. This also modifies
delete_expired_attestation_keys to create a time buffer so that a key
can't be milliseconds away from expiration when this call returns.
Bug: 220065678
Test: atest keystore2_tests
Change-Id: I6f83eb65d02d8583d054c56ef6c572f3ee2e8e24
Merged-In: I6f83eb65d02d8583d054c56ef6c572f3ee2e8e24
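The purge-then-select flow in the message above, as an added example written for this page (not keystore2's own code): a toy in-memory key pool whose getter first deletes every key that is expired or will expire within a safety buffer, then hands out the freshest unassigned key. The buffer value, the pool layout and the uid-assignment rule are assumptions for illustration.

```rust
// Added example (not keystore2's own code): pick an attestation key only
// after purging keys that are expired, or will expire within a safety
// buffer, so the caller never receives a key that is milliseconds from
// expiring. Times are plain milliseconds since an arbitrary epoch.
use std::collections::BTreeMap;

/// Safety margin: keys expiring within this window count as expired.
/// The value is an assumption for the example, not the platform's constant.
pub const EXPIRATION_BUFFER_MS: u64 = 20 * 60 * 1000;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AttestationKey {
    pub id: u64,
    pub expiration_ms: u64,
    pub assigned_to: Option<u32>, // uid the key is bound to, if any
}

/// Simulated key pool keyed by id (stands in for the database table).
#[derive(Default)]
pub struct KeyPool {
    keys: BTreeMap<u64, AttestationKey>,
}

impl KeyPool {
    pub fn insert(&mut self, key: AttestationKey) {
        self.keys.insert(key.id, key);
    }

    /// Remove every key whose expiration is not strictly after `now + buffer`.
    /// Returns the number of keys removed.
    pub fn delete_expired_attestation_keys(&mut self, now_ms: u64, buffer_ms: u64) -> usize {
        let cutoff = now_ms.saturating_add(buffer_ms);
        let before = self.keys.len();
        self.keys.retain(|_, k| k.expiration_ms > cutoff);
        before - self.keys.len()
    }

    /// Get a key for `uid`: purge stale keys first, reuse an existing
    /// assignment, otherwise claim the unassigned key with the longest
    /// remaining lifetime. Returns None when the pool has nothing usable.
    pub fn get_attestation_key(&mut self, uid: u32, now_ms: u64) -> Option<AttestationKey> {
        self.delete_expired_attestation_keys(now_ms, EXPIRATION_BUFFER_MS);
        if let Some(k) = self.keys.values().find(|k| k.assigned_to == Some(uid)) {
            return Some(k.clone());
        }
        let id = self
            .keys
            .values()
            .filter(|k| k.assigned_to.is_none())
            .max_by_key(|k| k.expiration_ms)
            .map(|k| k.id)?;
        let k = self.keys.get_mut(&id).unwrap();
        k.assigned_to = Some(uid);
        Some(k.clone())
    }

    pub fn len(&self) -> usize {
        self.keys.len()
    }
}

fn main() {
    let now = 1_000_000_000u64;
    let mut pool = KeyPool::default();
    pool.insert(AttestationKey { id: 1, expiration_ms: now + 1_000, assigned_to: None });
    pool.insert(AttestationKey { id: 2, expiration_ms: now + 3 * EXPIRATION_BUFFER_MS, assigned_to: None });
    println!("selected: {:?}, pool size now {}", pool.get_attestation_key(42, now), pool.len());
}
```

A key that is valid for one more second is discarded along with fully expired ones, which is the point of the buffer: the selection and the expiry check happen in one call, so no caller can observe a key that the next sweep would have removed.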
This change applies a key upgrade path to the RKP keys when they are
used in key generation. Without this, RKP keys will fail after a device
receives an update due to version mismatch in KeyMint.
Bug: 220063191
Test: atest keystore2_test && atest RemoteProvisionerUnitTests
Change-Id: I5dddc8fa1fe7fe9d7dd559b337089d607fcc735a
Merged-In: I5dddc8fa1fe7fe9d7dd559b337089d607fcc735a
sc-qpr3-release
Change-Id: I61b7f804d964f15c416b01f5fc0af27e8531a2e8
This CL addresses various gaps in legacy support.
* Encrypted legacy blobs.
* Encrypted key characteristics files (pre Android Q).
* Encrypted certificate and certificate chain entries
(pre Android R).
To support key migration even when the corresponding user is locked,
keys can now be migrated in the legacy database by renaming files.
In order to construct a complete key characteristics cache from old
characteristics files the information must be augmented with the
characteristics that can be extracted from the key blob by calling
KeyMintDevice::getKeyCharacteristics. For this to work, the blob
may need to be decrypted, upgraded, and reencrypted. The crypto steps
may fail with ResponseCode::LOCKED, though, if the user is locked.
If the key was upgraded in the process both the old and the new key
blob must be inserted into the database in order for the garbage
collector to reap and invalidate the superseded blob correctly.
At the time APPLICATION_ID and APPLICATION_DATA are usually not
available. This would cause such bound keys to fail with
ErrorCode::INVALID_KEY_BLOB. However, APPLICATION_ID/DATA were
never exposed to applications, so this should be acceptable
for now.
Ignore-AOSP-First: Cherry-picked.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Merged-In: Id8561d3f98d53182709d9f4feeeecda3b1535077
Change-Id: Id8561d3f98d53182709d9f4feeeecda3b1535077
This refactor serves the disambiguation between the import of legacy
blobs into the sqlite3 database and the migration of keys between
namespaces, which becomes more prominent in the light of shared uid
migration.
Ignore-AOSP-First: Cherry-picked.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: No new test required because no functionality was changed.
Merged-In: I0612d0731083548a196911712f6c0adbbc9a5e9a
Change-Id: I0612d0731083548a196911712f6c0adbbc9a5e9a
When a user was deleted, only the per boot key was deleted, but not the
lock screen bound wrapping keys. This patch makes sure that all user
specific super keys are deleted.
Added test for the behavior of unbind_keys_for_user with respect to
super keys.
Ignore-AOSP-First: No mergepath from AOSP
Bug: 195924790
Test: keystore2_test
Merged-In: I3741450ddf971a6b4ee184fbc946cf127e1c39f8
Change-Id: I3741450ddf971a6b4ee184fbc946cf127e1c39f8
am: 9a374680df -s ours am: e757cdcb87 -s ours
am skip reason: Merged-In I347794f456b9809f25489156a2370d1be93d40cd with SHA-1 3469908edc is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/16511961
Change-Id: Iad2876bbbfa35e6ff0cab1670329fcf05833cf3a
am: 9a374680df -s ours
am skip reason: Merged-In I347794f456b9809f25489156a2370d1be93d40cd with SHA-1 3469908edc is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/16511961
Change-Id: Ic619a3936437a9d60cf36671df63731028d1b640
am: 3469908edc -s ours
am skip reason: Merged-In I347794f456b9809f25489156a2370d1be93d40cd with SHA-1 7bf6e0a053 is already in history
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/16511960
Change-Id: I4649f465652fe5603f50a9e091a7719383d72412
Ignore-AOSP-First: Cherry-picked from AOSP.
Test: Run Keystore CTS tests
Bug: b/191171542
Merged-In: I0f2c6d4e1d7a3fda973bcf65fd967119cbd52337
Change-Id: I0f2c6d4e1d7a3fda973bcf65fd967119cbd52337
Odrefresh supports partial compilation, by only re-generating the files
that are needed. This means that we need to verify already existing
artifacts before calling odrefresh, because otherwise we won't know
whether files that aren't in fs-verity have been generated by odrefresh,
or by an attacker that managed to compromise the filesystem on a
previous boot cycle.
To make this change without adding additional boot time, we need to
switch back to calling odrefresh in two phases again: first, we call
`odrefresh --check` to determine whether odrefresh needs to generate new
artifacts. In either case we will need to verify existing artifacts, but
if `odrefresh --check` said that it won't need to generate any new ones,
we can say we're done with the key after retrieving the digests, which
allows boot to continue in parallel with verification.
Bug: 206090748
Test: atest odsign_e2e_tests
Ignore-AOSP-First: Security fix
Change-Id: I347794f456b9809f25489156a2370d1be93d40cd
Merged-In: I347794f456b9809f25489156a2370d1be93d40cd
(cherry picked from commit 7bf6e0a053307a0918965da9be6560e77d6cfe59)
When collecting metrics about RKP pool status, we currently query
the remote_provisioning module by setting expired_by = now.
But inside remote_provisioning module, all expired keys by now are
deleted before returning the pool status.
Therefore, in the metrics, we do not see the number of expiring keys
since it is always zero.
Test: statsd TestDrive script
Bug: 210162269
Ignore-AOSP-First: This will be merged to AOSP manually.
Change-Id: I7f7026b1297f297ce208b828b647f1056485128e
Add CREATE_DATETIME unconditionally on generation and import.
Ignore-AOSP-First: Cherry-picked from AOSP.
Test: CtsKeystoreTestCases
Bug: 204578637
Bug: 204502660
Merged-In: I5b6eb8647d2595e575c72476010ccabf0a1a4527
Change-Id: I5b6eb8647d2595e575c72476010ccabf0a1a4527
Odrefresh supports partial compilation, by only re-generating the files
that are needed. This means that we need to verify already existing
artifacts before calling odrefresh, because otherwise we won't know
whether files that aren't in fs-verity have been generated by odrefresh,
or by an attacker that managed to compromise the filesystem on a
previous boot cycle.
To make this change without adding additional boot time, we need to
switch back to calling odrefresh in two phases again: first, we call
`odrefresh --check` to determine whether odrefresh needs to generate new
artifacts. In either case we will need to verify existing artifacts, but
if `odrefresh --check` said that it won't need to generate any new ones,
we can say we're done with the key after retrieving the digests, which
allows boot to continue in parallel with verification.
Bug: 206090748
Test: atest odsign_e2e_tests
Ignore-AOSP-First: Security fix
Change-Id: I347794f456b9809f25489156a2370d1be93d40cd
Merged-In: I347794f456b9809f25489156a2370d1be93d40cd
AddFilesToVerityRecursive() would fail if any of the files considered
was already in fs-verity. This is not desirable in case of partial
compilation, where some files might already have been generated and
signed on a previous boot. Allow such files, because earlier code will
already have verified that their signature matched the signature that we
remember anyway.
Bug: 205276874
Test: atest odsign_e2e_tests
Change-Id: Iaf35607d0054bdcd00501c6102ad629ce9fe7ac3
Merged-In: Iaf35607d0054bdcd00501c6102ad629ce9fe7ac3
We only need to check that a token with a given auth type exists if
a key has a timeout bound policy. In that case, we should match that
a given token may be found with the configured authorization type.
However, if a key's parameters indicate unlocked device is required,
then any token will do. We don't care about the auth type. If the key
parameters require per-operation authentication, then the type of
authentication will be checked later, after a fresh authentication.
Test: CtsVerifier - Unlocked Device Required
Test: CtsKeystoreTestCases
Bug: 206762528
Ignore-AOSP-First: No merge path to sc-v2-dev
Change-Id: Icdffc42084854b298e8798d99312e9f829aee753
Merged-In: Icdffc42084854b298e8798d99312e9f829aee753
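The token-selection rule stated in the message above, as an added example written for this page (not keystore2's enforcement code): only a timeout-bound key constrains which authenticator type the cached token must carry; an unlocked-device-required key accepts any token for the user; a per-operation-auth key defers the type check to the fresh authentication. The policy enum, the bit-flag constants and the token fields are simplifications chosen for illustration.

```rust
// Added example (not keystore2 code): decide which cached hardware auth
// token, if any, satisfies a key's authorization policy.

/// Authenticator types as bit flags (same shape as HardwareAuthenticatorType;
/// the values here are the example's own).
pub const AUTH_PASSWORD: u32 = 1 << 0;
pub const AUTH_FINGERPRINT: u32 = 1 << 1;

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuthToken {
    pub user_id: i64,
    pub authenticator_type: u32,
    pub timestamp_ms: u64,
}

#[derive(Debug, Clone, Copy)]
pub enum KeyAuthPolicy {
    /// USER_AUTH_TYPE + AUTH_TIMEOUT: the token must carry one of
    /// `auth_types` and be no older than `timeout_secs`.
    TimeoutBound { auth_types: u32, timeout_secs: u64 },
    /// UNLOCKED_DEVICE_REQUIRED: any token for the user shows it is unlocked.
    UnlockedDeviceRequired,
    /// Per-operation auth: the type is checked against the fresh token later.
    PerOperation,
}

#[derive(Debug, PartialEq, Eq)]
pub enum TokenCheck {
    Found(AuthToken),
    /// The operation may start; a fresh authentication will be demanded.
    Deferred,
    Denied,
}

pub fn find_auth_token(
    policy: KeyAuthPolicy,
    user_id: i64,
    now_ms: u64,
    tokens: &[AuthToken],
) -> TokenCheck {
    let for_user = tokens.iter().filter(|t| t.user_id == user_id);
    match policy {
        KeyAuthPolicy::TimeoutBound { auth_types, timeout_secs } => for_user
            .filter(|t| t.authenticator_type & auth_types != 0)
            .filter(|t| now_ms.saturating_sub(t.timestamp_ms) <= timeout_secs * 1000)
            .max_by_key(|t| t.timestamp_ms)
            .map(|t| TokenCheck::Found(t.clone()))
            .unwrap_or(TokenCheck::Denied),
        // Auth type is irrelevant here: the newest token for the user wins.
        KeyAuthPolicy::UnlockedDeviceRequired => for_user
            .max_by_key(|t| t.timestamp_ms)
            .map(|t| TokenCheck::Found(t.clone()))
            .unwrap_or(TokenCheck::Denied),
        KeyAuthPolicy::PerOperation => TokenCheck::Deferred,
    }
}

fn main() {
    let now = 10_000_000u64;
    let tokens = vec![AuthToken { user_id: 0, authenticator_type: AUTH_PASSWORD, timestamp_ms: now - 5_000 }];
    let policy = KeyAuthPolicy::TimeoutBound { auth_types: AUTH_FINGERPRINT, timeout_secs: 30 };
    println!("{:?}", find_auth_token(policy, 0, now, &tokens));
    println!("{:?}", find_auth_token(KeyAuthPolicy::UnlockedDeviceRequired, 0, now, &tokens));
}
```

The first lookup in `main` is denied because the only cached token is a password token and the key is fingerprint-bound; the second accepts that same token, since an unlocked-device-required key only needs proof that the user is unlocked.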
Keystore 2.0 in Android S requires all new certificates to be stored in
DER format, however, when upgrading from R or older, there may be
certificates stored in PEM format. This patch allows keystore2-engine to
extract the public keys from certificates in either format.
Ignore-AOSP-First: Cherry-Pick - Already on AOSP.
Bug: 199155260
Test: N/A
Change-Id: I4bd5befcef15af5fbc2cbec3fdf4d581b1558b56
Merged-In: I4bd5befcef15af5fbc2cbec3fdf4d581b1558b56
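Accepting a stored certificate in either encoding, as an added example written for this page (not keystore2-engine's code): raw DER is recognised by its leading SEQUENCE tag, PEM by its armour, and PEM is base64-decoded back to DER with a small decoder included here so the block has no external dependencies. The example stops at the outer framing; it does no X.509 parsing, and the sample DER bytes in the test are constructed, not a real certificate.

```rust
// Added example (not keystore2-engine's code): normalise a certificate
// stored as DER (what Keystore 2.0 writes) or as PEM (left over from an
// R-or-older install) to DER. Only the outer framing is checked.

const PEM_BEGIN: &str = "-----BEGIN CERTIFICATE-----";
const PEM_END: &str = "-----END CERTIFICATE-----";

#[derive(Debug, PartialEq, Eq)]
pub enum CertFormat {
    Der,
    Pem,
}

/// DER certificates start with a SEQUENCE tag (0x30); PEM starts with '-'.
pub fn detect_format(blob: &[u8]) -> Option<CertFormat> {
    if blob.first() == Some(&0x30) {
        return Some(CertFormat::Der);
    }
    let text = std::str::from_utf8(blob).ok()?;
    if text.trim_start().starts_with(PEM_BEGIN) {
        Some(CertFormat::Pem)
    } else {
        None
    }
}

fn base64_val(c: u8) -> Option<u32> {
    match c {
        b'A'..=b'Z' => Some((c - b'A') as u32),
        b'a'..=b'z' => Some((c - b'a' + 26) as u32),
        b'0'..=b'9' => Some((c - b'0' + 52) as u32),
        b'+' => Some(62),
        b'/' => Some(63),
        _ => None,
    }
}

/// Minimal standard-alphabet base64 decoder: whitespace is skipped and
/// '=' padding ignored; any other non-alphabet byte rejects the input.
pub fn base64_decode(text: &str) -> Option<Vec<u8>> {
    let mut out = Vec::new();
    let (mut acc, mut bits) = (0u32, 0u32);
    for &c in text.as_bytes() {
        if matches!(c, b'=' | b'\n' | b'\r' | b' ' | b'\t') {
            continue;
        }
        acc = (acc << 6) | base64_val(c)?;
        bits += 6;
        if bits >= 8 {
            bits -= 8;
            out.push(((acc >> bits) & 0xff) as u8);
            acc &= (1u32 << bits) - 1; // keep only the leftover bits
        }
    }
    Some(out)
}

/// Strip the PEM armour and decode the body; the result must look like DER.
pub fn pem_to_der(text: &str) -> Option<Vec<u8>> {
    let start = text.find(PEM_BEGIN)? + PEM_BEGIN.len();
    let end = text[start..].find(PEM_END)? + start;
    let der = base64_decode(&text[start..end])?;
    if der.first() == Some(&0x30) {
        Some(der)
    } else {
        None
    }
}

/// Return the certificate as DER regardless of the stored encoding.
pub fn to_der(blob: &[u8]) -> Option<Vec<u8>> {
    match detect_format(blob)? {
        CertFormat::Der => Some(blob.to_vec()),
        CertFormat::Pem => pem_to_der(std::str::from_utf8(blob).ok()?),
    }
}

fn main() {
    // Constructed stand-in body: SEQUENCE { INTEGER 5 }, not a real certificate.
    let pem = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
    println!("{:?} -> {:02x?}", detect_format(pem.as_bytes()), to_der(pem.as_bytes()));
}
```

The DER tag check is what keeps a PEM body that decodes to garbage from being passed on as a certificate; a real implementation would then hand the DER to its X.509 parser to pull out the public key.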
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15942712
Change-Id: I0d6f6590b84f947a78ea502853bea719d453ecd1
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15942712
Change-Id: I551bff3569dfa4e62f9b9c718bfe6f8f8e9161c6
Older KM implementations do not consume data if in certain block modes
when too little data is presented. However, km_compat update assumes
that the backend always consumes some data. If this assumption does not
hold it can get stuck in an infinite loop.
This patch adds some buffering, allowing the km_compat to buffer
unconsumed data and make it appear to the caller that the data was
indeed consumed.
Ignore-AOSP-First: b/200041882 ASA review.
Bug: 200041882
Test: CtsKeystoreTestCases for regression testing
keystore2_km_compat_test
Merged-In: Icae44c6bc97507f192ec44c944c3bc0a9dd60ba7
Change-Id: Icae44c6bc97507f192ec44c944c3bc0a9dd60ba7
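The failure mode and the buffering fix described above, as an added example written for this page (not km_compat's own code): a stand-in legacy backend that consumes only whole 16-byte blocks, a driver loop that assumes progress (here it returns an error where the real code would spin forever), and a wrapper that keeps unconsumed bytes and reports the caller's input as fully consumed. The trait, the block size and the types are assumptions for illustration.

```rust
// Added example (not km_compat code): an old KM backend may consume nothing
// when handed less than a block in some block modes. A wrapper that assumes
// progress never terminates; the buffering wrapper holds the remainder.

pub trait LegacyUpdate {
    /// Process `input`; returns how many bytes were consumed (may be 0).
    fn update(&mut self, input: &[u8]) -> usize;
}

/// Stand-in for an old KM in a no-padding block mode: it accepts whole
/// 16-byte blocks and consumes nothing otherwise.
#[derive(Default)]
pub struct BlockOnlyBackend {
    pub processed: Vec<u8>,
}

impl LegacyUpdate for BlockOnlyBackend {
    fn update(&mut self, input: &[u8]) -> usize {
        let whole = input.len() / 16 * 16;
        self.processed.extend_from_slice(&input[..whole]);
        whole
    }
}

/// The pre-fix shape: loop until the backend has taken everything.
/// Returns Err instead of looping forever when no progress is made.
pub fn update_assuming_progress<B: LegacyUpdate>(backend: &mut B, mut data: &[u8]) -> Result<(), &'static str> {
    while !data.is_empty() {
        let consumed = backend.update(data);
        if consumed == 0 {
            return Err("backend consumed nothing: would spin forever");
        }
        data = &data[consumed..];
    }
    Ok(())
}

/// Buffering wrapper: whatever the backend leaves behind is kept for the
/// next call, so the caller always sees its input consumed.
pub struct BufferedUpdate<B> {
    pub backend: B,
    pending: Vec<u8>,
}

impl<B: LegacyUpdate> BufferedUpdate<B> {
    pub fn new(backend: B) -> Self {
        Self { backend, pending: Vec::new() }
    }

    /// Returns the number of bytes consumed from the caller's view: all of them.
    pub fn update(&mut self, input: &[u8]) -> usize {
        self.pending.extend_from_slice(input);
        loop {
            let consumed = self.backend.update(&self.pending);
            self.pending.drain(..consumed);
            if consumed == 0 {
                break;
            }
        }
        input.len()
    }

    pub fn pending_len(&self) -> usize {
        self.pending.len()
    }
}

fn main() {
    let mut raw = BlockOnlyBackend::default();
    println!("{:?}", update_assuming_progress(&mut raw, &[1u8; 5]));
    let mut buffered = BufferedUpdate::new(BlockOnlyBackend::default());
    buffered.update(&[1u8; 5]);
    buffered.update(&[2u8; 20]);
    println!("processed {} bytes, {} pending", buffered.backend.processed.len(), buffered.pending_len());
}
```

Feeding 5 bytes and then 20 bytes through the buffered wrapper pushes exactly one block (16 bytes) into the backend and leaves 9 pending; the same 5 bytes given to the progress-assuming loop make it stall on the very first call.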
c5d4b5da6f
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15547744
Change-Id: If561d557d69899c1a5c8f2546562c1c9074e1962
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15547744
Change-Id: Ib166962a5faa8e5b7b8c4caa1c90e3e339a232c4
Revert submission 15536724-revert-15521094-vold-deleteAllKeys-GDJSMLXRVZ
Reason for revert: Underlying KM problem fixed
Reverted Changes:
I8e2621bef:Revert "Detect factory reset and deleteAllKeys"
I546b980bb:Revert "Add deleteAllKeys to IKeystoreMaintenance"...
I1ed68dd9e:Revert "Allow vold to deleteAllKeys in Keystore"
Bug: 187105270
Test: booted Cuttlefish twice
Merged-In: 46c703e6a639ff16ba6466a69eb58530ce424bbb
Change-Id: Ib9fcf54fdc611de42a7d40b9319577e2708e226f
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15536477
Change-Id: Iabcb1a484f082abedeac8aa718599044dc8f7192
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15536477
Change-Id: I6e1aa29d284167f7539bf91118a27107a688ee46
Revert "Enable deleteAllKeys from vold"
Revert "Allow vold to deleteAllKeys in Keystore"
Revert submission 15521094-vold-deleteAllKeys
Reason for revert: Causes infinite loop in Trusty KeyMint
Reverted Changes:
I9c5c54714:Detect factory reset and deleteAllKeys
I2fb0e94db:Allow vold to deleteAllKeys in Keystore
Id23f25c69:Add deleteAllKeys to IKeystoreMaintenance
Ife779307d:Enable deleteAllKeys from vold
I4312b9a11:Enable deleteAllKeys from vold
Bug: 187105270
Change-Id: I546b980bb49b064a8cbf127659f2a58748082c65
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15520792
Change-Id: I4a343d0503c2fca8d594b1323ed3d1751150df7c
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15520792
Change-Id: Id005c6ea760fb5f35fb58968219be0636af0ca6e
Add a method to IKeystoreMaintenance which calls deleteAllKeys on every
KM instance. This method will be called by vold when it detects a
factory reset.
Bug: 187105270
Test: booted Cuttlefish twice
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
Change-Id: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15433979
Change-Id: Ica677e4a00aa28ec2a574175d44e9a7e4f8f07ee
This CL adds metrics logging for fallback during RKP hybrid mode.
Ignore-AOSP-First: No merge path from AOSP.
Test: atest com.android.remoteprovisioner.unittest.ServerToSystemTest#testFallback
on cuttlefish, followed by ./statsd_testdrive 10124
Bug: 194510784
Merged-In: I3d6184df02828fef1d0110688afe1ba2db10eae9
Change-Id: I3d6184df02828fef1d0110688afe1ba2db10eae9
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15393113
Change-Id: Ic65e1d89fa60d2e4fa9d753f422be8c4c9d82862
If odsign is marked as oneshot, and it crashes (eg due to a coding
error), the device will not boot completely, because init keeps waiting
for the odsign.key.done / odsign.verification.done properties. So
instead, we don't mark it as oneshot, but stop the service manually in
the exit paths of the code. This ensures that if a bad OTA / module
update causes odsign to crash, we will automatically start it again; if
it crashes repeatedly, apexd will detect this, and roll back any module
update.
In the good path, there's no difference - odsign will run just once and
be stopped.
Bug: 194334176
Test: manually make odsign crash; inspect output
Change-Id: I7015f291888d6b8066e4c526a7e8cf3c9c7ea618
Merged-In: I7015f291888d6b8066e4c526a7e8cf3c9c7ea618
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15373963
Change-Id: I17b3b985274f2c426baa71ac0c45172a2fb17b21
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15325373
Change-Id: I302ccb6bc9a450923daf8f06681ee9c7e46ba80d
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15325372
Change-Id: I5cda32a875785e13b8f674bf36a5c0a4b3e953fb
* changes:
Adding plumbing for supported EC curve on impl
Always fall back to factory key on any RKP error
7e9dfba159
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15365713
Change-Id: I7b6732eea3d7601eccce176aad56f717e22f78dc
1. The MAC tag value was not being included in the uploaded data, so
it was previously impossible to verify the keys to sign mac.
2. The device info is supposed to be an array with [Verified,
Unverified] info. It was previously just the verified info.
Ignore-AOSP-First: No merge path from AOSP. This is picked from AOSP.
Test: Manual. Uploaded sample data to device info service.
Change-Id: I096bc5ded0b38fc56864e75c5e06dfbef62e9a74
Merged-In: I096bc5ded0b38fc56864e75c5e06dfbef62e9a74
Fixes: 194492359
Version binding of storage keys was broken in that the old keyblob was
passed to the KM backend instead of the upgraded key blob when an upgrade
was required.
Ignore-AOSP-First: No mergepath from AOSP
Bug: 187304488
Bug: 194444841
Test: N/A
Merged-In: Iad3e9d4c0de2f8c7121147c81590e56663fe596f
Change-Id: Iad3e9d4c0de2f8c7121147c81590e56663fe596f
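The upgrade-and-retry pattern behind this fix, and behind the RKP key upgrade path in the earlier message, as an added example written for this page (not keystore2's `upgrade_keyblob_if_required_with` or the vold storage-key code): a toy KeyMint that rejects blobs carrying an old version, a helper that upgrades on KEY_REQUIRES_UPGRADE, persists the new blob and reruns the operation on the upgraded blob, and, beside it, the buggy shape that reruns the operation on the original blob. The blob layout, the error enum and the storage callback are assumptions for illustration.

```rust
// Added example (not keystore2 code): retry a KeyMint operation with an
// upgraded key blob, and keep using the *upgraded* blob afterwards.

#[derive(Debug, PartialEq, Eq, Clone, Copy)]
pub enum KmError {
    KeyRequiresUpgrade,
    InvalidKeyBlob,
}

/// Toy KeyMint: a blob is `[version, payload...]`; anything older than
/// `current_version` must be upgraded before it can be used.
pub struct ToyKeyMint {
    pub current_version: u8,
}

impl ToyKeyMint {
    /// "Use" the key: returns a checksum of the payload as the stand-in result.
    pub fn use_key(&self, blob: &[u8]) -> Result<u8, KmError> {
        match blob.first() {
            Some(&v) if v == self.current_version => Ok(blob[1..].iter().fold(0u8, |a, b| a ^ b)),
            Some(&v) if v < self.current_version => Err(KmError::KeyRequiresUpgrade),
            _ => Err(KmError::InvalidKeyBlob),
        }
    }

    pub fn upgrade_key(&self, blob: &[u8]) -> Result<Vec<u8>, KmError> {
        if blob.is_empty() || blob[0] >= self.current_version {
            return Err(KmError::InvalidKeyBlob);
        }
        let mut out = blob.to_vec();
        out[0] = self.current_version;
        Ok(out)
    }
}

/// Run `op` on `blob`; on KEY_REQUIRES_UPGRADE upgrade the blob, hand the
/// new blob to `store_new_blob`, and rerun `op` on the upgraded blob.
/// Returns the result together with the new blob when an upgrade happened,
/// so the caller can replace whatever it was holding.
pub fn upgrade_keyblob_if_required_with<T>(
    km: &ToyKeyMint,
    blob: &[u8],
    store_new_blob: &mut dyn FnMut(&[u8]),
    mut op: impl FnMut(&[u8]) -> Result<T, KmError>,
) -> Result<(T, Option<Vec<u8>>), KmError> {
    match op(blob) {
        Err(KmError::KeyRequiresUpgrade) => {
            let upgraded = km.upgrade_key(blob)?;
            store_new_blob(&upgraded);
            let result = op(&upgraded)?; // the upgraded blob, not the original
            Ok((result, Some(upgraded)))
        }
        other => Ok((other?, None)),
    }
}

/// The shape the commit message describes as broken: after upgrading, the
/// original blob is passed to the backend again, so it is rejected again.
pub fn buggy_upgrade_then_reuse_old_blob(km: &ToyKeyMint, blob: &[u8]) -> Result<u8, KmError> {
    match km.use_key(blob) {
        Err(KmError::KeyRequiresUpgrade) => {
            let _upgraded = km.upgrade_key(blob)?;
            km.use_key(blob) // bug: should be &_upgraded
        }
        other => other,
    }
}

fn main() {
    let km = ToyKeyMint { current_version: 3 };
    let old_blob = [1u8, 0xAA, 0x55];
    println!("buggy: {:?}", buggy_upgrade_then_reuse_old_blob(&km, &old_blob));
    let mut stored: Vec<Vec<u8>> = Vec::new();
    let fixed = upgrade_keyblob_if_required_with(&km, &old_blob, &mut |b| stored.push(b.to_vec()), |b| km.use_key(b));
    println!("fixed: {:?}, persisted {} blob(s)", fixed, stored.len());
}
```

Returning the upgraded blob alongside the result is what lets the caller (here, whoever holds the storage key) replace its copy; a caller that ignores it keeps hitting KEY_REQUIRES_UPGRADE on every use, which is the version-binding failure the message reports.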
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/security/+/15337456
Change-Id: Ieffd7af3962243039696730ef7a5065ad8b14f33