| Age | Commit message (Collapse) | Author |
|---|
|
This flag was defined as a regular flag and then was later changed to a
fixed_read_only flag. This scenario is currently "unsupported" by the
flags infrastructure; an error occurs when trying to advance the flag to
staging. Work around this by renaming the flag so that the flags
infrastructure sees it as an entirely new flag. This cl adds this flag
to the legacykeystore code as well.
Bug: 296464083
Bug: 311648623
Test: m keystore2
Change-Id: If62a5fac2404113ca0bbc0807f154401c4241bf1
|
|
Rename the LskfBound superencryption key and superencryption type (also
known as per-boot) to AfterFirstUnlock.
This makes it much clearer what the protection of this key is. This
includes avoiding the misleading use of "LSKF"; the secret that's
actually relevant is the user's synthetic password, which is most
commonly unlocked with the LSKF but can potentially be unlocked in other
ways. This is also helpful for the planned change to make the user's
super keys exist even while the user doesn't have an LSKF.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I9b16934f37222fef2bf01830f521928ef2c1853a
|
|
Test: atest keystore2_test_utils_test keystore2_test
Change-Id: Ib613f9e11523f16060e4fb473b849203ff26ee2d
|
|
error: casting to the same type is unnecessary
Test: ./build.py --lto=thin
Bug: 263153841
Change-Id: Ibf820a90c36c46155d07176b3194b460904140c9
|
|
note from clippy: https://rust-lang.github.io/rust-clippy/master/index.html#manual_retain
Please check change for correctness.
bug: 243420629
Test: test_compiler.py
Change-Id: If64daae01c3bf6d83b80f624c1f5603fae171a2d
|
|
Test: m rust
Bug: 241303140
Change-Id: I3b4d8c1c3101941258e366279bfd2a4a3ab1b948
|
|
This CL addresses various gaps in legacy support.
* Encrypted legacy blobs.
* Encrypted key characteristics files (pre Android Q).
* Encrypted certificate and certificate chain entries
(pre Android R).
To support key migration even when the corresponding user is locked,
keys can now be migrated in the legacy database by renaming files.
In order to construct a complete a key characteristics cache from old
characteristics files the information must be augmented with the
characteristics that can be extracted from the key blob by calling
KeyMintDevice::getKeyCharacteristics. For this to work, the blob
may need to be decrypted, upgraded, and reencrypted. The crypto steps
may fail with ResponseCode::LOCKED though if the user is locked.
If the key was upgraded in the process both the old and the new key
blob must be inserted into the database in order for the garbage
collector to reap and invalidate the superseded blob correctly.
At the time APPLICATION_ID and APPLICATION_DATA are usually not
available. This would cause such bound keys to fail with
ErrorCode::INVALID_KEY_BLOB. However, APPLICATION_ID/DATA were
never exposed to applications though, so this should be acceptable
for now.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Change-Id: Id8561d3f98d53182709d9f4feeeecda3b1535077
|
|
The noicu build rules were only used by microdroid which no longer has a
special variant of keystore2.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: Iefa4d22beb0074bc95e0ff20c7689ad8b62372f4
|
|
This patch adds detailed error messages to the service specific
exceptions. The error messages are formated anyhow::Errors, the same
that already get logged to logcat. Returning them to the client, allows
them to be included in java stack traces which will lead to easier
diagnosis of bugreports.
Test: N/A
Bug: 197890905
Change-Id: Ie6178292650327a1382b04f478ed5fa9e5fd7feb
|
|
Instead of changing keystore2 to use libsqlite_noicu, create another
variant of keystore2 (keystore2-microdroid) which uses libsqlite_noicu,
and use it only for microdroid.
Although keystore2 doesn't actually depend on the ICU extension, doing
it for Android caused a small regression (6ms) to the boot time because
keystore2 should spend time for loading the new library
libsqlite_noicu instead of sharing text pages from libsqlite.so which
were already preloaded by zygote.
With this change, keystore2 for Android goes back to use libsqlite.so.
The use of the noicu variant is limited to Microdroid.
Bug: 201344281
Test: measure SystemServerTiming_StartLockSettingsService-total
Change-Id: I6ff123415cdc3e7494a7857864e04525322bc079
|
|
keystore has used libsqlite which was built with the ICU extension [1].
The extension brings huge (> 60MB) dependency to the i18n APEX which is
too big for microdroid. Since the use of sqlite in keystore doesn't
seem to require operations like upper/lower, sorting, and regex for all
unicode strings, drop the dependency to the i18n APEX.
[1] https://www.sqlite.org/src/file?name=ext/icu/README.txt
Bug: 199674764
Test: m
Change-Id: I1e7a83283c3e79e69793a2076c97bc1bf6b9e0bf
|
|
Bug: 182498247
Test: Build
Change-Id: I0ab7fb092574c74b09c1b5b60e82ff776a214d53
|
|
This CL fixes several new warnings generated by rustc 1.54.0.
Bug: 194812675
Test: m rust
Change-Id: I3076313ea51c6f4e74029ad9fb45d6f0b6dea460
|
|
Without this patch apps may leave the legacy keystore in an undefined
state when uninstalled and when the UID is reused the new app would find
stale entries in the legacy keystore.
There is no public API to use legacy keystore, but malicious apps could
use this to leave identifying information across installs.
Bug: 192575371
Test: legacykeystore_test
Merged-In: I06e8a4927af66092140ec84e7f5d83621cbb0b62
Change-Id: I06e8a4927af66092140ec84e7f5d83621cbb0b62
|
|
It turns out there are more clients that use Keystore in a creative
way. This patch renames the VpnProfileStore to LegacyKeystore and
extends the functionality such that it allows access to all blobs with
alias prefixes that were not known to Keystore. It also brings back the
option to specify a uid argument. Specifically, for AID_SYSTEM to
manipulate the WIFI namespace.
Test: TBD
Bug: 191373871
Merged-In: Iaf81e7ccaee3c09a465dcec0fd5899b781c31db5
Change-Id: Iaf81e7ccaee3c09a465dcec0fd5899b781c31db5
|
