diff options
| author | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-12 01:10:23 +0000 |
|---|---|---|
| committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2021-08-12 01:10:23 +0000 |
| commit | ce5962f4b29e7e5c48bc0439df44ada6e1c61d74 (patch) | |
| tree | e8f33c2dd866ade9fbfd2240893bd4251a227ce8 | |
| parent | 345a08bcac65e2a20f708a0b9ba148041079e973 (diff) | |
| parent | 8f19fd90e3c9c1fcb3056129f356f875c95b839c (diff) | |
| download | vold-android12-tests-release.tar.gz | |
Snap for 7633965 from 8f19fd90e3c9c1fcb3056129f356f875c95b839c to sc-releaseandroid-vts-12.0_r9android-vts-12.0_r8android-vts-12.0_r7android-vts-12.0_r6android-vts-12.0_r5android-vts-12.0_r4android-vts-12.0_r3android-vts-12.0_r2android-vts-12.0_r12android-vts-12.0_r11android-vts-12.0_r10android-vts-12.0_r1android-security-12.0.0_r61android-security-12.0.0_r60android-security-12.0.0_r59android-security-12.0.0_r58android-security-12.0.0_r57android-security-12.0.0_r56android-security-12.0.0_r55android-security-12.0.0_r54android-security-12.0.0_r53android-security-12.0.0_r52android-security-12.0.0_r51android-security-12.0.0_r50android-security-12.0.0_r49android-security-12.0.0_r48android-security-12.0.0_r47android-security-12.0.0_r46android-security-12.0.0_r45android-security-12.0.0_r44android-security-12.0.0_r43android-security-12.0.0_r42android-security-12.0.0_r41android-security-12.0.0_r40android-security-12.0.0_r39android-security-12.0.0_r38android-security-12.0.0_r37android-security-12.0.0_r36android-security-12.0.0_r35android-security-12.0.0_r34android-platform-12.0.0_r1android-cts-12.0_r9android-cts-12.0_r8android-cts-12.0_r7android-cts-12.0_r6android-cts-12.0_r5android-cts-12.0_r4android-cts-12.0_r3android-cts-12.0_r2android-cts-12.0_r12android-cts-12.0_r11android-cts-12.0_r10android-cts-12.0_r1android-12.0.0_r9android-12.0.0_r8android-12.0.0_r34android-12.0.0_r33android-12.0.0_r31android-12.0.0_r30android-12.0.0_r3android-12.0.0_r25android-12.0.0_r2android-12.0.0_r11android-12.0.0_r10android-12.0.0_r1android12-tests-releaseandroid12-security-releaseandroid12-s5-releaseandroid12-s4-releaseandroid12-s3-releaseandroid12-s2-releaseandroid12-s1-releaseandroid12-release
Change-Id: I3b5c49e2efc217ad764eca6f0a7d2f2c33f2bc09
| -rw-r--r-- | KeyStorage.cpp | 5 | ||||
| -rw-r--r-- | Keymaster.cpp | 13 | ||||
| -rw-r--r-- | Keymaster.h | 3 | ||||
| -rw-r--r-- | MetadataCrypt.cpp | 11 |
4 files changed, 31 insertions, 1 deletions
diff --git a/KeyStorage.cpp b/KeyStorage.cpp index 472e6b1e..93c5c29c 100644 --- a/KeyStorage.cpp +++ b/KeyStorage.cpp @@ -379,7 +379,9 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir const km::AuthorizationSet& keyParams, const KeyBuffer& message, std::string* ciphertext) { km::AuthorizationSet opParams = - km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); + km::AuthorizationSetBuilder() + .Authorization(km::TAG_ROLLBACK_RESISTANCE) + .Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); km::AuthorizationSet outParams; auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); if (!opHandle) return false; @@ -408,6 +410,7 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES); auto opParams = km::AuthorizationSetBuilder() .Authorization(km::TAG_NONCE, nonce) + .Authorization(km::TAG_ROLLBACK_RESISTANCE) .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT); auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr); if (!opHandle) return false; diff --git a/Keymaster.cpp b/Keymaster.cpp index 80386818..23145504 100644 --- a/Keymaster.cpp +++ b/Keymaster.cpp @@ -230,5 +230,18 @@ void Keymaster::earlyBootEnded() { logKeystore2ExceptionIfPresent(rc, "earlyBootEnded"); } +void Keymaster::deleteAllKeys() { + ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name)); + auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder); + + if (!maint_service) { + LOG(ERROR) << "Unable to connect to keystore2 maintenance service for deleteAllKeys"; + return; + } + + auto rc = maint_service->deleteAllKeys(); + logKeystore2ExceptionIfPresent(rc, "deleteAllKeys"); +} + } // namespace vold } // namespace android diff --git a/Keymaster.h b/Keymaster.h index 1100840b..47bf4a26 100644 --- a/Keymaster.h +++ b/Keymaster.h @@ -127,6 +127,9 @@ class Keymaster { // be created or used. static void earlyBootEnded(); + // Tell all Keymint devices to delete all rollback-protected keys. + static void deleteAllKeys(); + private: std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel; DISALLOW_COPY_AND_ASSIGN(Keymaster); diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp index dc50679e..9038e8d5 100644 --- a/MetadataCrypt.cpp +++ b/MetadataCrypt.cpp @@ -112,6 +112,17 @@ static bool read_key(const std::string& metadata_key_dir, const KeyGeneration& g auto dir = metadata_key_dir + "/key"; LOG(DEBUG) << "metadata_key_dir/key: " << dir; if (!MkdirsSync(dir, 0700)) return false; + if (!pathExists(dir)) { + auto delete_all = android::base::GetBoolProperty( + "ro.crypto.metadata_init_delete_all_keys.enabled", false); + if (delete_all) { + LOG(INFO) << "Metadata key does not exist, calling deleteAllKeys"; + Keymaster::deleteAllKeys(); + } else { + LOG(DEBUG) << "Metadata key does not exist but " + "ro.crypto.metadata_init_delete_all_keys.enabled is false"; + } + } auto temp = metadata_key_dir + "/tmp"; return retrieveOrGenerateKey(dir, temp, kEmptyAuthentication, gen, key); } |