diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 759ef06a..e3df13ae 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -41,7 +41,7 @@ typedef UniquePtr<BIGNUM, BIGNUM_Delete> Unique_BIGNUM;
 
 void KeyStoreService::binderDied(const wp<IBinder>& who) {
     auto operations = mOperationMap.getOperationsForToken(who.unsafe_get());
-    for (auto token : operations) {
+    for (const auto& token : operations) {
         abort(token);
     }
 }
@@ -297,7 +297,7 @@ int32_t KeyStoreService::generate(const String16& name, int32_t targetUid, int32
             ALOGI("invalid number of arguments: %zu", args->size());
             return ::SYSTEM_ERROR;
         } else if (args->size() == 1) {
-            sp<KeystoreArg> expArg = args->itemAt(0);
+            const sp<KeystoreArg>& expArg = args->itemAt(0);
             if (expArg != NULL) {
                 Unique_BIGNUM pubExpBn(BN_bin2bn(
                     reinterpret_cast<const unsigned char*>(expArg->data()), expArg->size(), NULL));
@@ -1351,7 +1351,7 @@ inline void KeyStoreService::addAuthToParams(std::vector<keymaster_key_param_t>*
  *         KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
  *         operation token.
  */
-int32_t KeyStoreService::addOperationAuthTokenIfNeeded(sp<IBinder> token,
+int32_t KeyStoreService::addOperationAuthTokenIfNeeded(const sp<IBinder>& token,
                                                        std::vector<keymaster_key_param_t>* params) {
     const hw_auth_token_t* authToken = NULL;
     mOperationMap.getOperationAuthToken(token, &authToken);
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index e744d1ca..3efae476 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -205,7 +205,7 @@ class KeyStoreService : public BnKeystoreService, public IBinder::DeathRecipient
      *         KM_ERROR_INVALID_OPERATION_HANDLE if token is not a valid
      *         operation token.
      */
-    int32_t addOperationAuthTokenIfNeeded(sp<IBinder> token,
+    int32_t addOperationAuthTokenIfNeeded(const sp<IBinder>& token,
                                           std::vector<keymaster_key_param_t>* params);
 
     /**
diff --git a/keystore/keystore_cli.cpp b/keystore/keystore_cli.cpp
index 34f1d9c1..bf6f4a0b 100644
--- a/keystore/keystore_cli.cpp
+++ b/keystore/keystore_cli.cpp
@@ -176,7 +176,7 @@ static const char* responses[] = {
         } \
     } while (0)
 
-static int list(sp<IKeystoreService> service, const String16& name, int uid) {
+static int list(const sp<IKeystoreService>& service, const String16& name, int uid) {
     Vector<String16> matches;
     int32_t ret = service->list(name, uid, &matches);
     if (ret < 0) {
diff --git a/keystore/operation.cpp b/keystore/operation.cpp
index 72aa95f7..e8ae8b7f 100644
--- a/keystore/operation.cpp
+++ b/keystore/operation.cpp
@@ -25,7 +25,7 @@ OperationMap::OperationMap(IBinder::DeathRecipient* deathRecipient)
 
 sp<IBinder> OperationMap::addOperation(keymaster_operation_handle_t handle, uint64_t keyid,
                                        keymaster_purpose_t purpose, const keymaster2_device_t* dev,
-                                       sp<IBinder> appToken,
+                                       const sp<IBinder>& appToken,
                                        keymaster_key_characteristics_t* characteristics,
                                        bool pruneable) {
     sp<IBinder> token = new BBinder();
@@ -40,7 +40,7 @@ sp<IBinder> OperationMap::addOperation(keymaster_operation_handle_t handle, uint
     return token;
 }
 
-bool OperationMap::getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
+bool OperationMap::getOperation(const sp<IBinder>& token, keymaster_operation_handle_t* outHandle,
                                 uint64_t* outKeyid, keymaster_purpose_t* outPurpose,
                                 const keymaster2_device_t** outDevice,
                                 const keymaster_key_characteristics_t** outCharacteristics) {
@@ -63,7 +63,7 @@ bool OperationMap::getOperation(sp<IBinder> token, keymaster_operation_handle_t*
     return true;
 }
 
-void OperationMap::updateLru(sp<IBinder> token) {
+void OperationMap::updateLru(const sp<IBinder>& token) {
     auto lruEntry = std::find(mLru.begin(), mLru.end(), token);
     if (lruEntry != mLru.end()) {
         mLru.erase(lruEntry);
@@ -71,7 +71,7 @@ void OperationMap::updateLru(sp<IBinder> token) {
     }
 }
 
-bool OperationMap::removeOperation(sp<IBinder> token) {
+bool OperationMap::removeOperation(const sp<IBinder>& token) {
     auto entry = mMap.find(token);
     if (entry == mMap.end()) {
         return false;
@@ -86,7 +86,7 @@ bool OperationMap::removeOperation(sp<IBinder> token) {
     return true;
 }
 
-void OperationMap::removeOperationTracking(sp<IBinder> token, sp<IBinder> appToken) {
+void OperationMap::removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken) {
     auto appEntry = mAppTokenMap.find(appToken);
     if (appEntry == mAppTokenMap.end()) {
         ALOGE("Entry for %p contains unmapped application token %p", token.get(), appToken.get());
@@ -116,7 +116,7 @@ sp<IBinder> OperationMap::getOldestPruneableOperation() {
     return mLru[0];
 }
 
-bool OperationMap::getOperationAuthToken(sp<IBinder> token, const hw_auth_token_t** outToken) {
+bool OperationMap::getOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t** outToken) {
     auto entry = mMap.find(token);
     if (entry == mMap.end()) {
         return false;
@@ -125,7 +125,7 @@ bool OperationMap::getOperationAuthToken(sp<IBinder> token, const hw_auth_token_
     return true;
 }
 
-bool OperationMap::setOperationAuthToken(sp<IBinder> token, const hw_auth_token_t* authToken) {
+bool OperationMap::setOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t* authToken) {
     auto entry = mMap.find(token);
     if (entry == mMap.end()) {
         return false;
@@ -135,7 +135,7 @@ bool OperationMap::setOperationAuthToken(sp<IBinder> token, const hw_auth_token_
     return true;
 }
 
-std::vector<sp<IBinder>> OperationMap::getOperationsForToken(sp<IBinder> appToken) {
+std::vector<sp<IBinder>> OperationMap::getOperationsForToken(const sp<IBinder>& appToken) {
     auto appEntry = mAppTokenMap.find(appToken);
     if (appEntry != mAppTokenMap.end()) {
         return appEntry->second;
diff --git a/keystore/operation.h b/keystore/operation.h
index 083ec29a..263b5c98 100644
--- a/keystore/operation.h
+++ b/keystore/operation.h
@@ -49,24 +49,24 @@ public:
     explicit OperationMap(IBinder::DeathRecipient* deathRecipient);
     sp<IBinder> addOperation(keymaster_operation_handle_t handle, uint64_t keyid,
                              keymaster_purpose_t purpose, const keymaster2_device_t* dev,
-                             sp<IBinder> appToken, keymaster_key_characteristics_t* characteristics,
+                             const sp<IBinder>& appToken, keymaster_key_characteristics_t* characteristics,
                              bool pruneable);
-    bool getOperation(sp<IBinder> token, keymaster_operation_handle_t* outHandle,
+    bool getOperation(const sp<IBinder>& token, keymaster_operation_handle_t* outHandle,
                       uint64_t* outKeyid, keymaster_purpose_t* outPurpose,
                       const keymaster2_device_t** outDev,
                       const keymaster_key_characteristics_t** outCharacteristics);
-    bool removeOperation(sp<IBinder> token);
+    bool removeOperation(const sp<IBinder>& token);
     bool hasPruneableOperation() const;
     size_t getOperationCount() const { return mMap.size(); }
     size_t getPruneableOperationCount() const;
-    bool getOperationAuthToken(sp<IBinder> token, const hw_auth_token_t** outToken);
-    bool setOperationAuthToken(sp<IBinder> token, const hw_auth_token_t* authToken);
+    bool getOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t** outToken);
+    bool setOperationAuthToken(const sp<IBinder>& token, const hw_auth_token_t* authToken);
     sp<IBinder> getOldestPruneableOperation();
-    std::vector<sp<IBinder>> getOperationsForToken(sp<IBinder> appToken);
+    std::vector<sp<IBinder>> getOperationsForToken(const sp<IBinder>& appToken);
 
 private:
-    void updateLru(sp<IBinder> token);
-    void removeOperationTracking(sp<IBinder> token, sp<IBinder> appToken);
+    void updateLru(const sp<IBinder>& token);
+    void removeOperationTracking(const sp<IBinder>& token, const sp<IBinder>& appToken);
     struct Operation {
         Operation();
         Operation(keymaster_operation_handle_t handle, uint64_t keyid, keymaster_purpose_t purpose,