Do not clear critical keys in clear_uid()

If clear_uid() is called on system uid, skip clearing keys with
FLAG_CRITICAL_TO_DEVICE_ENCRYPTION flag since device authentication
would be broken without them.

Bug: 34600579
Test: Add device lock under synthetic password, go to Settings/security/encryption,
      tap clear credentials and verify device lock is still intact.

Change-Id: I6c009163831b0901b0973d13906f56139028052c
Rubin Xu 2017-04-26 20:07:30 +01:00
parent 211dcefb77
commit 85c85e9840


@ -632,6 +632,17 @@ KeyStoreServiceReturnCode KeyStoreService::clear_uid(int64_t targetUid64) {
for (uint32_t i = 0; i < aliases.size(); i++) {
String8 name8(aliases[i]);
String8 filename(mKeyStore->getKeyNameForUidWithDir(name8, targetUid, ::TYPE_ANY));
if (get_app_id(targetUid) == AID_SYSTEM) {
Blob keyBlob;
ResponseCode responseCode =
mKeyStore->get(filename.string(), &keyBlob, ::TYPE_ANY, get_user_id(targetUid));
if (responseCode == ResponseCode::NO_ERROR && keyBlob.isCriticalToDeviceEncryption()) {
// Do not clear keys critical to device encryption under system uid.
continue;
}
}
mKeyStore->del(filename.string(), ::TYPE_ANY, get_user_id(targetUid));
// del() will fail silently if no cached characteristics are present for this alias.
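Review bot: The critical-key check in the AID_SYSTEM branch fails open: when mKeyStore->get() returns anything other than ResponseCode::NO_ERROR, execution falls through to mKeyStore->del() and the blob is removed without its flag ever being inspected. If get() can fail for a blob that exists but cannot be loaded at that moment, a key marked critical to device encryption would still be deleted, which is the outcome the commit message says must not happen. Consider skipping the delete, and logging the response code, for system-uid entries whenever the blob could not be loaded, or reading the flag in a way that does not depend on a successful get(). A one-line comment on why the check is limited to AID_SYSTEM would also help the next reader.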