From 093811ef2221145defd1cd3621e813c6a7018f96 Mon Sep 17 00:00:00 2001 From: David Drysdale Date: Thu, 9 Nov 2023 08:32:02 +0000 Subject: [PATCH] Flag for import of previously-emulated keys Test: build Bug: 283077822 Change-Id: I28f673b6eb905c2953fbb91f2658ff224ca0e21c --- keystore2/aconfig/flags.aconfig | 8 ++++++++ keystore2/src/utils.rs | 11 +++++++---- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/keystore2/aconfig/flags.aconfig b/keystore2/aconfig/flags.aconfig index 5d2a422c..02716da5 100644 --- a/keystore2/aconfig/flags.aconfig +++ b/keystore2/aconfig/flags.aconfig @@ -15,3 +15,11 @@ flag { bug: "307460850" is_fixed_read_only: true } + +flag { + name: "import_previously_emulated_keys" + namespace: "hardware_backed_security" + description: "Include support for importing keys that were previously software-emulated into KeyMint" + bug: "283077822" + is_fixed_read_only: true +} \ No newline at end of file diff --git a/keystore2/src/utils.rs b/keystore2/src/utils.rs index 74a5ae6a..174a22ba 100644 --- a/keystore2/src/utils.rs +++ b/keystore2/src/utils.rs @@ -367,7 +367,9 @@ where km_op, new_blob_handler, ) - } else if key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX) { + } else if keystore2_flags::import_previously_emulated_keys() + && key_blob.starts_with(km_compat::KEYMASTER_BLOB_SW_PREFIX) + { // 2) The keyblob was created in software by the km_compat C++ code because a prior // Keymaster implementation did not support ECDH (which was only added in KeyMint). // @@ -386,9 +388,10 @@ where km_op, new_blob_handler, ) - } else if let km_compat::KeyBlob::Wrapped(inner_keyblob) = - km_compat::unwrap_keyblob(key_blob) - { + } else if let (true, km_compat::KeyBlob::Wrapped(inner_keyblob)) = ( + keystore2_flags::import_previously_emulated_keys(), + km_compat::unwrap_keyblob(key_blob), + ) { // 3) The keyblob was created in software by km_compat.rs because a prior KeyMint // implementation did not support a feature present in the current KeyMint spec. // (For example, a curve 25519 key created when the device only supported KeyMint