From 23452c1e3a2178283a56e8f1577e0367d1daaf7b Mon Sep 17 00:00:00 2001
From: Satya Tangirala <satyat@google.com>
Date: Mon, 22 Mar 2021 23:29:15 -0700
Subject: Remove Keymaster::isSecure() and simplify callers

Now that isSecure() always returns true, we can remove it and simplify
all the callers (i.e. cryptfs). Refer to the commit description for
Iaebfef082eca0da8a305043fafb6d85e5de14cf8 for why this function always
return true.

Bug: 181910578
Test: Cuttlefish and bramble boot
Change-Id: I185dd8180bd7842b05295263f0b1aa7205329a88
---
 Keymaster.cpp | 15 ---------------
 Keymaster.h   |  3 ---
 cryptfs.cpp   | 29 ++---------------------------
 3 files changed, 2 insertions(+), 45 deletions(-)

diff --git a/Keymaster.cpp b/Keymaster.cpp
index 5a686305..bb26b644 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -219,10 +219,6 @@ KeymasterOperation Keymaster::begin(const std::string& key, const km::Authorizat
     return KeymasterOperation(cor.iOperation, cor.upgradedBlob);
 }
 
-bool Keymaster::isSecure() {
-    return true;
-}
-
 void Keymaster::earlyBootEnded() {
     ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
     auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
@@ -238,14 +234,3 @@ void Keymaster::earlyBootEnded() {
 
 }  // namespace vold
 }  // namespace android
-
-// TODO: This always returns true right now since we hardcode the security level.
-// If it's alright to hardcode it, we should remove this function and simplify the callers.
-int keymaster_compatibility_cryptfs_scrypt() {
-    android::vold::Keymaster dev;
-    if (!dev) {
-        LOG(ERROR) << "Failed to initiate keymaster session";
-        return -1;
-    }
-    return dev.isSecure();
-}
diff --git a/Keymaster.h b/Keymaster.h
index 84b473e0..1100840b 100644
--- a/Keymaster.h
+++ b/Keymaster.h
@@ -122,7 +122,6 @@ class Keymaster {
     // also stores the upgraded key blob.
     KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
                              km::AuthorizationSet* outParams);
-    bool isSecure();
 
     // Tell all Keymint devices that early boot has ended and early boot-only keys can no longer
     // be created or used.
@@ -136,6 +135,4 @@ class Keymaster {
 }  // namespace vold
 }  // namespace android
 
-int keymaster_compatibility_cryptfs_scrypt();
-
 #endif
diff --git a/cryptfs.cpp b/cryptfs.cpp
index deba6daf..5764b5d6 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -328,11 +328,6 @@ const KeyGeneration cryptfs_get_keygen() {
     return KeyGeneration{get_crypto_type().get_keysize(), true, false};
 }
 
-/* Should we use keymaster? */
-static int keymaster_check_compatibility() {
-    return keymaster_compatibility_cryptfs_scrypt();
-}
-
 static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
                                 uint32_t* out_size) {
     if (!buffer || !out_size) {
@@ -1834,7 +1829,6 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char*
     char tmp_mount_point[64];
     unsigned int orig_failed_decrypt_count;
     int rc;
-    int use_keymaster = 0;
     int upgrade = 0;
     unsigned char* intermediate_key = 0;
     size_t intermediate_key_size = 0;
@@ -1916,15 +1910,9 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char*
         rc = 0;
 
         // Upgrade if we're not using the latest KDF.
-        use_keymaster = keymaster_check_compatibility();
-        if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
-            // Don't allow downgrade
-        } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
+        if (crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
             crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
             upgrade = 1;
-        } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
-            crypt_ftr->kdf_type = KDF_SCRYPT;
-            upgrade = 1;
         }
 
         if (upgrade) {
@@ -2128,20 +2116,7 @@ static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
     ftr->minor_version = CURRENT_MINOR_VERSION;
     ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
     ftr->keysize = get_crypto_type().get_keysize();
-
-    switch (keymaster_check_compatibility()) {
-        case 1:
-            ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
-            break;
-
-        case 0:
-            ftr->kdf_type = KDF_SCRYPT;
-            break;
-
-        default:
-            SLOGE("keymaster_check_compatibility failed");
-            return -1;
-    }
+    ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
 
     get_device_scrypt_params(ftr);
 
-- 
cgit v1.2.3