| Age | Commit message (Collapse) | Author |
|---|
|
Change-Id: I995eb0799abc02de78ad82e2858b0e566045faa2
|
|
3366918, 3365573, 3365589, 3365590, 3366938, 3366902, 3365574, 3365575, 3365576, 3365577, 3366958, 3365824, 3365591, 3366959, 3366960, 3366961, 3366962, 3366963, 3366964, 3366965, 3366919, 3366966, 3366967, 3366968, 3366969, 3366970, 3367018, 3367019, 3365592, 3365593, 3366985, 3365825, 3366988, 3366989, 3366990, 3366991, 3366992, 3366993, 3366994, 3367004, 3367005, 3367006, 3367007, 3367008, 3367009, 3367010, 3367011, 3367012, 3367013, 3367014, 3367015, 3367016, 3367017, 3367038, 3367039, 3367040, 3367041, 3367042, 3367044, 3367045, 3367046, 3367049, 3367050, 3367052, 3367053, 3367054, 3367055, 3367056, 3366920, 3366921, 3366922, 3367079] into oc-mr1-release
Change-Id: I27c08520f91b809553531527b1eda9599beffd24
|
|
The incorrect logical operator being used was causing unconditional
permission to be granted, which is the exact opposite of intended
behavior.
Bug: 70280642
Test: testEcAttestation_KeyStoreExceptionWhenRequestingUniqueId passes
Change-Id: I2f1ed9768f136003126fb59a7a4517a159ff978c
Merged-In: I2f1ed9768f136003126fb59a7a4517a159ff978c
(cherry picked from commit 670467d9a4be539ac1cb2a7eb1a41ce2524a24b2)
(cherry picked from commit fd8d014e0d0d35be1f6dfea4d8e3ad07468fc683)
|
|
A proper fix for this feature requires reworking binder permission
checking to take the selinux context and not the pid. This is feature
work that should be done for P to properly fix these race conditions
that occur elsewhere in the code.
Bug: 68217699
Test: KeyStore keygen permissions cannot be bypassed through PID cycling
Change-Id: I1ba5210010d6c413c9b1dbde3df0cc566400bfac
Merged-In: I1ba5210010d6c413c9b1dbde3df0cc566400bfac
(cherry picked from commit ef4f067c03543d8c8f2f8218bc69af12692ba000)
(cherry picked from commit 05fbbe5f3d47454a85da374cad9b54e4978c2c70)
|
|
3117095, 3115988, 3116845, 3116471, 3116500, 3116573, 3115989, 3116501, 3116076, 3116472] into oc-mr1-release
Change-Id: Ie28eb9ae8fab72c17f0e55bcd15f6a404ce0ad6a
|
|
We observed on some Pixel C that they sometimes generate auth token with
a stuck timestamp value. Since the timestamp value does not increase,
newer auth token is not considered "superceding" old auth tokens and keystore
end up retrieving older auth tokens which are then treated as expired due to
its time_received value being too old.
We workaround this issue by comparing both the timestamp (which is part of
auth token) and the time_received (which is a monotonic clock value at the
time auth token is sent to keystore). So a new auth token with stuck timestamp
value but newer time_received still supercedes older auth tokens.
This is actually sufficient to workaround the issue on Pixel C, since the stuck
timestamp value is returned by the secure RTC, whose value is also used by
keymaster TA to check key authorization. In other words, the auth token is
still good to authorize auth-bound keys, even with a stuck timestamp value.
This does mean that on the affected Pixel C, auth-bound keys are not enforced
at TrustZone leve, but merely a logical check in keystore daemon.
Bug: 65283496
Test: boot device, unlock successfully
Change-Id: I0b9d5463e94241bfaf552dcb31fea04ee966596c
(cherry picked from commit bfb01d904d403087d096658d3830b34d0f931714)
|
|
Change-Id: I9f75a32527460a238c5e371d9f4a2812662be961
|
|
HardwareAuthToken.timestamp is uint64_t but got truncated to uint32_t by
timestamp_host_order(). Also add some logging to undertand the issue of
bad auth token on ryu.
Bug: 65283496
Test: builds and runs
Change-Id: Ia51d0880f47594e6ab02e46bec270ee68dc5823f
|
|
Change-Id: I55ea727f72fa368ac813f08dd6789ed01ebe527d
|
|
1. Ungrant did not check the callers uid which allowed any caller
to remove grants to any key.
2. Grants were not removed when a key was deleted.
3. clean_uid did not clear the grant cache of the target uid.
This would leave state grants that could have been used
by a new app that happend to get the same uid as the one
that was previously uninstalled.
4. Various paths did not respect grants: del, exist, getmtime
The del path was particularly awkward because it is required
by upgradeKeyBlob. This means it must work when a key that needs
upgrading is accessed through a grant alias.
Bug: 65851049
Merged-In: I6709b7562d47ad6156bee88a9e2d961f8a4a797d
Change-Id: I6709b7562d47ad6156bee88a9e2d961f8a4a797d
|
|
Bug: 65851049
Merged-In: Ibea71d42934d283c95729eca6772a9aadb949a6a
Change-Id: Ibea71d42934d283c95729eca6772a9aadb949a6a
|
|
On the upgrade path from keystore blobs version 0, the userId was
interpreted as uid which resulted in it being converted to a userId a
second time. This would result in keys belonging to other users
being assigned to the main user.
This patch fixes the bug and the misnomer that lead to the confusion.
Bug: 65851049
Merged-In: I91975310b6140929dcb6820aa8bd4c28b8e5de5e
Change-Id: I91975310b6140929dcb6820aa8bd4c28b8e5de5e
|
|
4332123 snap-temp-L59300000101925107
Change-Id: Ifda348ad2a3b5bcdf7dc6d742bad6e12151d3123
|
|
Change-Id: I503f8da7565c47ceb3f85feb6f2aeb3f433a6405
|
|
ag/2835967 corrected a lost authorization check result introduced during
a refactor, but in the process failed to return the auth check result in
one codepath, causing the Java layer above to fail to throw the
exception. That in turn broke work profile password removal. This CL
sets the return code for cases where the authorization check failed.
Bug: 65348783
Test: Manually tested with TestDPC, add and remove passcode
Change-Id: I846b154c8cbcd9a73cd12b9a4376616dacf62fbb
(cherry picked from commit 827243a97217ed8c64542efd3a72e430e9b84b22)
|
|
|
|
|
|
ag/2835967 corrected a lost authorization check result introduced during
a refactor, but in the process failed to return the auth check result in
one codepath, causing the Java layer above to fail to throw the
exception. That in turn broke work profile password removal. This CL
sets the return code for cases where the authorization check failed.
Bug: 65348783
Test: Manually tested with TestDPC, add and remove passcode
Change-Id: I846b154c8cbcd9a73cd12b9a4376616dacf62fbb
|
|
getKeyForName was broken in case the name was a grant name and the
type was TYPE_KEY_CHARACTERISTICS. In this case the key blob instead of
the key characteristics blob was retreived.
Bug: 65200397
Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
because it grants a key
Change-Id: I0746d60555b51d47ea19ab05b9da29164c8b71db
(cherry picked from commit 6905c336b29561abf7841cfa1bde5eeab62915e7)
|
|
When auth-bound keys are used after the screen lock has been removed it
is expected that getKeyCharacteristics still succeeds. However, when the
super encrypt feature was introduced the key blob is no longer
accessible, and thus, the retrieving the key characteristics fails.
This patch retrieves the key characteristics from the characteristics
cache file, which is not super encrypted. Using such a key still fails
but in ways expected by the framework.
Bug: 65200397
Test: CtsVerifier ScreenLockBoundKeysTest:
1. Run test
2. with CtsVerifier in the background remove the screen lock
through the settings dialog
3. Select VtsVerifier in 'recents'
4. Run test again
Change-Id: Ifa88c58a41c376e4f800a76114d4cf9149506ac0
(cherry picked from commit 36316d673ef836a0a34a62ab4ccce67d22c8a0d2)
|
|
4326576 snap-temp-L80300000101054689
Change-Id: Ia4336fcdd942e3e461f513004e978922c21c9ab2
|
|
Previous bug fix introduced this bug, which hides the begin return code
in some cases.
Bug: 65370298
Test: runtest --path cts/tests/tests/keystore/src/android/keystore/cts
Change-Id: I3f22688eec2a327f7f033d620e342953e7ab3879
(cherry picked from commit 855e348d71518a11bffa42e1a56d39aea1135ad9)
|
|
4314464 snap-temp-L54400000099147910
Change-Id: Ie713eec2b15b74866ccb1683032ca70794a68cd9
|
|
During the keystore refactor that was part of the Treble work, this
return code was lost. As a result, some usage flows of
fingerprint-bound keys are broken in O. This CL fixes them.
Bug: 63085740
Test: Manually verified with https://github.com/googlesamples/android-FingerprintDialog
Change-Id: I3d3a3122474d2c4084cd7d0257a1df00b0316159
(cherry picked from commit ad8c55f3591c835ff20b954f47ebcfeccde8cb83)
|
|
am: aca4c4cf48 -s ours
Change-Id: I7608b863d5bfcbee7ae7e960c56601be4a5bfd6f
|
|
Keystore stores key blobs in with filenames that include the symbolic
name and the uid of the owner. This behaviour should have been
completely opaque to the user keystore. However, the granting mechanism,
by which an app can allow another app to use one of its keys, leaked the
internal structure in that the grantee had to specify the key name with
the granter's uid prefix in order to use the granted key. This in turn
collided with prefix handling in other parts of the framework.
This patch refurbishes the granting mechanism such that keystore can
choose a name for the grant. It uses the original symbolic key name as
prefix and appends _KEYSTOREGRANT_<grant_no> where the grant_no is
chosen as first free slot starting from 0. Each uid has its own grant_no
space.
This changes the grant call such that it now returns a string, which is
the alias name of the newly created grant. The string is empty if the
grant operation failed.
As before apps can still mask granted keys by importing a key with the
exact same name including the added suffix. But everybody deserves the
right to shoot themselves in the foot if they really want to.
Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
because it grants a key
Merged-In: I723c44c7ae6782c8de42063744717d088cd49ba1
Change-Id: I723c44c7ae6782c8de42063744717d088cd49ba1
|
|
4185249 snap-temp-L63000000082739046
Change-Id: I3a7bbedd5183ace4f9a1defd07c04ccd9d3f5bf6
|
|
|
|
4140700 snap-temp-L81200000078275553
Change-Id: I9005bde7ba60c9b7418ad80c4aff2b24979b8fad
|
|
78505bae4c am: 7d6eedfc47
am: ae9fa426cb
Change-Id: I9a9d83f80afe33990769d6eb07b9b5374f9291e4
|
|
78505bae4c
am: 7d6eedfc47
Change-Id: Ib22db541b587fdde996d51660eb6f21e19875c13
|
|
am: 78505bae4c
Change-Id: I52d0f14d8a842504b01a681eaa1dfa8e9253b675
|
|
am: 975e1aae69
Change-Id: I4cd2a30d7281476eb30083dc04187784f8dad445
|
|
|
|
Test: None yet.
Change-Id: I61fef8270a7fce9e891cbb64cfdf082adf630921
|
|
Keystore stores key blobs in with filenames that include the symbolic
name and the uid of the owner. This behaviour should have been
completely opaque to the user keystore. However, the granting mechanism,
by which an app can allow another app to use one of its keys, leaked the
internal structure in that the grantee had to specify the key name with
the granter's uid prefix in order to use the granted key. This in turn
collided with prefix handling in other parts of the framework.
This patch refurbishes the granting mechanism such that keystore can
choose a name for the grant. It uses the original symbolic key name as
prefix and appends _KEYSTOREGRANT_<grant_no> where the grant_no is
chosen as first free slot starting from 0. Each uid has its own grant_no
space.
This changes the grant call such that it now returns a string, which is
the alias name of the newly created grant. The string is empty if the
grant operation failed.
As before apps can still mask granted keys by importing a key with the
exact same name including the added suffix. But everybody deserves the
right to shoot themselves in the foot if they really want to.
Bug: 37264540
Bug: 62237038
Test: run cts-dev --module CtsDevicePolicyManagerTestCases --test
com.android.cts.devicepolicy.DeviceOwnerTest#testKeyManagement
because it grants a key
Change-Id: I723c44c7ae6782c8de42063744717d088cd49ba1
|
|
4120176 snap-temp-L55000000076156472
Change-Id: I8d160e3579a624ffaebe42286f8eccd188efdb67
|
|
Test: manual
Change-Id: I66dea9bfdfe4fcbb507926319bfe89cd3a1fe989
|
|
4070602 snap-temp-L56000000070867102
Change-Id: I10f98a1dcdb00cff7b152df85ac739dbbd7b317b
|
|
d32de98e00
am: 067111a625
Change-Id: I82a2729806c72c6652b800d6230de86db3cd440a
|
|
am: d32de98e00
Change-Id: I8ac019f32385e4f76066ebd774c103b2f1eb251a
|
|
am: 32e07b318c
Change-Id: Id00b366aa4c19bb7a334c54cfc764a34e0508c3b
|
|
am: aad9ba51cd
Change-Id: I8c2c8e34321a7dea28dd95ba168ccdcb6dd14421
|
|
|
|
Owners are selected from top CL approvals or owners.
They will be suggested to review/approve future CLs.
Test: build/make/tools/checkowners.py -c -v OWNERS
Change-Id: Iee274934e2c8c3d6cc97406cf7717512120c4944
|
|
4050000 snap-temp-L22200000068540971
Change-Id: I7d655fb5fa7ada616da1656ea2e2852b5fa583ea
|
|
Bug:35849499
Test: None required.
Change-Id: Iadee02a253b491f192c4a8b1cf3e57125ad866a6
|
|
Keystore currently uses AES-CBC to encrypt keystore blobs, plus an MD5
digest for authentication. This scheme is mildly broken (b/26804580),
but has not been replaced because keystore encryption was slated for
removal. In order to support cryptographic binding of keys to user
authentication on devices with trusted secure computing modules,
keystore encryption has temporarily become relevant again, until a
better solution can be constructed. Thus there's a motivation to
replace the broken scheme with a proper authenticated encryption mode.
Along the way, this CL also fixes a low-priority security vulnerability,
b/31824325.
Bug: 26804580
Bug: 31824325
Bug: 35849499
Test: Manually tested the new scheme and upgrading from the old scheme
Change-Id: I139f2a7b7a3c01eade4e2d2a674d49d027179d43
|
|
4017779 snap-temp-L47900000064949209
Change-Id: I2e322de8a2be213198fc2634019cddc6a4266a11
|
|
Fix a build breakage by renaming libkeymaster to
libkeymaster_staging. fugu's vendor tree already had
a libkeymaster.so which masked system/keymaster/libkeymaster.
Bug: 37997750
Change-Id: I589e9c87c2120034d5709a0d7a141d724065d683
|
