Runs rustfmt on keystore2 to standardize formatting changes.
Test: Formatting change so no test needed
Change-Id: I24208f8fe91e6b15108eef0ff5264a3f086497e4
The test tries to create a race condition: It creates an operation
and starts two threads, each trying to use the operation repeatedly
until it gets `OPERATION_BUSY` or finishes successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ib3549d6bcad4e24bf621960f0f399481bf2da7c7
- Generate HMAC keys with digest modes [SHA1, SHA_2_224, SHA_2_256,
SHA_2_384, SHA_2_512], should be able to create operations using
generated keys successfully.
- Try to generate HAMC keys with key size in the range 0..513. For
invalid key size, key generation should fail with an error code
`UNSUPPORTED_KEY_SIZE`.
- Generate HMAC keys with min-mac-lengths in the range 0..257. For
invalid min-mac-length, key generation should fail with an error
code `UNSUPPORTED_MIN_MAC_LENGTH`.
- Try to generate HMAC key with multiple digest modes, key generation
should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key without providing digest mode, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Try to generate HMAC key with digest mode `NONE`, key
generation should fail with an error code `UNSUPPORTED_DIGEST`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len greater than
digest lengths. Test should fail to create an operation with an error
code `UNSUPPORTED_MAC_LENGTH`.
- Generate HMAC key with min-mac-length of 128 bits and digests
[SHA1, SHA-2-224], try to create operations with mac-len less than
min-mac-length. Test should fail to create an operation with an error
code `INVALID_MAC_LENGTH`.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I594c9718b0f6a67f2655faca4bf100abf2ced3a3
Choose the strategy for generating the boot level key from a property,
if present, instead of looking at KM versions.
Bug: 241241178
Test: set property on Cuttlefish, check logs for strategy used.
Change-Id: I2c7a6fb2c6471ab4a7cb7f650791930f41068bfa
- Generate 3DES keys with block modes [ECB, CBC] and padding modes
[NONE, PKCS7]. Should be able to create operations successfully
with these generated keys.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes
- with unsupported key size
- with unsupported padding mode
- with padding mode NONE and input text whose length isn't a
multiple of the DES block size
- with unsupported blockmode
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ida98fd2e6f9b7ba84b8beba9ea979d5aeb2240ee
Updated to return `INVALID_ARGUMENT` instead of `PERMISSION_DENIED`
response code when domain is other than `APP` or `SELINUX`.
Added tests to validate `listEntries` API with valid domains `APP and
SELINUX` and invalid domains like `BLOB`.
Bug: 239719010
Test: atest CtsKeystoreTestCases; atest keystore2_client_tests;
Change-Id: I7d10c13342ca5719682e371e428fa42f992ba07d
Separated out the tests based on functionalities and created a separate
modules without modifying the existing test cases.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ifc93b3ce69817469d1d5f01844c623f5209e2b62
- Generate AES keys with block modes [ECB, CBC] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with these
generated keys.
- Generate AES keys with block modes [CTR, GCM] and padding modes [NONE,
PKCS7]. Should be able to create operations successfully with padding
mode NONE. With PKCS7 padding mode creation of an operation should
fail with incompatible padding mode.
- Try to generate a key and create an operation with invalid inputs, it
should fail with proper error codes.
- with unsupported key size
- with GCM block mode without providing min-mac-length
- with multiple block modes
- with multiple padding modes
- with incompatible padding modes
- with incompatible block modes
- with missing mac-length
- with invalid mac-length
- with unsupported mac-length
- With AES-CBC-PKCS7 key without `CALLER_NONCE` authorization, Try to
set nonce while creating an operation.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibf1b8460317b4c99d9060d5889c8b3778a80ca5b
- Generate RSA signing keys with combinations of digest modes [NONE,
MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and padding
modes [NONE, RSA_PKCS1_1_5_SIGN, RSA_PSS]. Should be able to
create operations using these keys except in below cases.
- when padding mode is RSA_PSS and digest mode is NONE
- when padding mode is NONE and digest is other than NONE.
- Generate RSA encrypt/decrypt keys with OAEP padding mode, combinations
of digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512] and
mgf-digests [MD5, SHA1, SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512].
Should be able to create operations with these generated keys
successfully.
- Generate RSA encrypt/decrypt keys with combinations of padding modes
[NONE, RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP], digests [NONE, MD5, SHA1,
SHA_2_224, SHA_2_256, SHA_2_384, SHA_2_512]. Should be able to create
operations with these generated keys successfully except in below case
- with padding mode RSA_OAEP and digest mode NONE an error is
expected.
- Generate RSA encrypt/decrypt keys with padding modes [NONE,
RSA_PKCS1_1_5_ENCRYPT, RSA_OAEP] and without digests. Should be able
to create operations with these generated keys successfully.
- Generate RSA keys without padding modes and digest modes. Creation of
an operation should fail with unsupported padding mode error.
- Tests to validate failure of generating RSA keys with incompatible
purpose, unsupported purpose, unsupported padding mode, unsupported
digest and unsupported key sizes.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I16843932cc170d0e820208f558587aacf13b9272
Currently software-emulated keys do not have any update mechanism. Any
software key that is created in previous versions cannot be used once
the device is upgraded. With this change, keys now can be upgraded and
used by the latest keystore.
Change-Id: Ic791baeedd7775df7eafca405440e645b19ec2bc
Test: TreeHugger
Fixes: 223376764
- Test to verify that Domain::KEY_ID is not allowed for generating
a key. Try to generate a key with domain as KEY_ID and expect an
error.
- Test to find key entry with domain as KEY_ID.
Generate a key and load it with domain as KEY_ID. Test should be
able to create an operation using the key loaded with domain as
KEY_ID.
- Generate a key with an alias. Generate another key and bind it with
same alias. Verify that originally generated key no longer exists
and report an error if we try to use it.
- Generate a key with an alias. Load the generated key with domain
KEY_ID. Generate another key and bind it with same alias. Verify
that originally loaded key no longer exists and report an error
if we try to use it.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: Ibfe237181311decf5f6f00dc222d5cd124e4ac11
Microdroid payloads use diced to access their secrets and BCCs. The
open_dice_cbor then gives them safe rust bindings to open-dice to
process them. There's a dependency on ZVec which pulls in
libkeystore2_crypto.
Test: build, TH
Change-Id: I402a9a416d7b0e0eed2e268495b148e5669e5c52
This buffer time is how far into the future keystore looks to mark
a key as "old" and needing deletion.
The old buffer time was only 20 seconds, which may not even be enough
for very slow network (where round trips and retries could take
minutes).
Test: keystore2_test
Change-Id: I27869458ec66e546b42fe344bbdffd32881c84e7
Test 1: Should fail to generate a key with domain not listed
in keystore2::Domain.
Test 2: Should fail to generate a EC key without providing curve.
Test 3: Should fail to generate a EC key with 25519 curve having
sign and agree_key purposes.
Test 4: Generate a EC keys with `NONE, MD5, SHA1, SHA-2 224,
SHA-2 256, SHA-2 384 and SHA-2 512` digest modes and P_224,
P_256, P_384, P_521 ec curves combinations. Should be able
to create operations with these keys successfully for all
digest modes except NONE and MD5.
Test 5: Generate a EC key with curve CURVE_25519 and digest mode NONE.
Should be able to create an operation with digest mode NONE.
Test 6: Generate a EC keys with curve CURVE_25519 and digest modes
`MD5, SHA1, SHA-2 224, SHA-2 256, SHA-2 384 and SHA-2 512`
combinations. Creation of an operation should fail with
unsupported digest error.
Test 7: Should fail to create an operation with incompatible digest
mode in key authorizations.
Test 8: Test for key owner validation. Generate a key in one user and
try to use it in another user context where it should fail to
load the key as it doesn't own the key generated by prior user.
Test 9: Generate a key with Domain::BLOB. Verify that key descriptor
holds the key blob. Try to use this key to perform an operation
successfully.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I8b923cfdd9dbd50d1ebaab03560e9378ede7cdee
- Test to verify grant API with invalid access vector, it is expected to
fail with proper error code.
- Test to verify grant API with empty access vector, it is expected to
succeed granting a key with empty access vector. In grantee context
while trying to use this key permission denied error is expected.
- Test to verify grant API with valid access vector, it is expected to
successfully grant a key. Grantee should be able access the key and
use it according to granted key permissions.
Bug: 236253306
Test: atest keystore2_client_tests
Change-Id: I20dc31b0e4f888f2bf740f84e3bb7b0e97a1bb52
Keystore2 previously did not process the DEVICE_UNIQUE_ATTESTATION tag.
This was an unnecessary step when there was no ability to select the
attestation key provided to the backing Keymaster instance. Now,
however, Keystore2 does need to process generateKey requests for this
tag. This is because it will pass in an RKP key by default and append
those certificates to the result if RKP is present.
This change alters Keystore2 behavior during attestation key selection.
If the DEVICE_UNIQUE_ATTESTATION tag is present, it will no longer
attempt to select an RKP key and will instead pass nothing in the
attestKey argument for KM.
Bug: 234413909
Test: atest com.android.cts.devicepolicy.MixedDeviceOwnerTest#testKeyManagement
Change-Id: Ib81fb65570a4e9eb7e7b051f9791071ee78dc02f
Verify that the clients (for ex: clients with `vold` context) with
`req_forced_op` permission are allowed to create forced (unpruneable)
operations otherwise the creation of forced operation is denied.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I73d85ac127274e623095e233368b0211f6738d6e
The usage of unique device identifiers is enforced via Android system
permission, not SELinux policy.
Mark the USE_DEV_ID SELinux policy as unused.
Bug: 235987410
Test: atest keystore2_test
Change-Id: I89e61eaf5d1f708e3ce10a90cf33d90946009201
For any Domain value other than APP, SELINUX, GRANT and KEY_ID it is
updated to return response code as ResponseCode::INVALID_ARGUMENT
instead of ResponseCode::SYSTEM_ERROR.
Bug: 232022823
Test: atest keystore2_client_test; atest CtsKeystoreTestCases
Change-Id: I48314558fb2e77636fa99f42f8326fa99f719a4f
Creating n number of operations from same owner. Expecting creation
of all operations should be successful without any error. Whenever all
operation slots are full older operations are expected to be pruned.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I9d231658e77cb10f67cfd248072bde0755c1660d
In https://android-review.googlesource.com/c/platform/system/security/+/1698833
we added a check only for client keys. However, this means that on application
deletion only the keystore keys related to the application are unbound and the
attestation keys get orphaned.
Through this change, I am planning to unbind the attestation keys related to
the application as well.
Change-Id: I1c9d1ac6d6943cc53f5d74653e3da72cd4f2adf7
Test: atest keystore2_test
BUG: 232534682
- Forced operation creation with all slots filled with normal operations
- Forced operation creation with all slots filled with forced operations
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I493ea1c25d09597c44add430a20b5ca9c983e8d3
Added SPDX-license-identifier-Apache-2.0 to:
keystore2/tests/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: I816f5ba7db5e359b97f1bd0222ca43eebacfc4d1
Creates multiple child procs and creates opearations in it and
parent proc waits for all child procs operations status, expects
one or more opearations to fail with backeend busy error.
Bug: 194359114
Test: atest keystore2_client_test
Change-Id: I52f95a7cfd031d80c88bfc2ca478a26572f40150
A rust_defaults "keystore2_use_latest_aidl_rust" that includes the latest
Keystore2 AIDL library. Modules that depend on Keystore2 directly can include
this rust_defaults to avoid managing dependency versions explicitly
Test: Compile
Change-Id: Iabe9af743c4ceb787db42ff7cc619bab97ec55c4
Bug: 230750270
Test: Local testing with statsd TestDrive script
Ignore-AOSP-First: This targets T and will be cherry-picked to AOSP later.
Change-Id: I8490e31df4a111ff6787ea67dd8a170b410566df
(cherry picked from commit d675e225a7)
To allow for testing, read the rkp_only properties every time instead
of caching the value. This allows the RemoteProvisioner tests to alter
the property, moving the device in and out of rkp-only mode.
Test: RemoteProvisionerUnitTests
Bug: 27306369
Change-Id: If9a616fd36095175f4aea07c897c67a11eb04bcf
A value for the salt is present in all code paths:
- All callers of `Password::derive_key` pass a `Some(..)` value for the
salt. Remove this `Some` everywhere and...
- Change the signature of `derive_key` to expect a `&[u8]` for `salt`
rather than an `Option<&[u8]>`.
- `Password::derive_key` is the only caller of `generateKeyFromPassword`
(via bindgen to C++-land), so...
- Make it clear that the C++ `generateKeyFromPassword()` function
expects 16 bytes of `salt`.
Bug: 172121323
Test: compile, TreeHugger
Change-Id: I41966cce96b5371785680c13bacfc5f95969372a
An empty key pool should not allow fallback to the batch key if the
vendor indicates the system is rkp only.
Additionally, if the system is misconfigured (e.g. marked as rkp only
and has no remotely provisioned component hal) then we should insist
on checking RKP keys anyway. This will result in the given system
always returning OUT_OF_KEYS, which will fail various tests.
Test: keystore2_test
Test: RemoteProvisionerUnitTests
Bug: 227306369
Change-Id: I027bc56ff167abf99b18be01dccf05f90dd07f2a
The wrong tag was included in the km_compat layer filter code for
key generation tags. This prevented the INCLUDE_UNIQUE_ID tag from
being passed to keymaster, breaking unique id attestation on platforms
with keymaster (keymint functionality was correct).
Test: KeyAttestationTest
Fixes: 228851969
Change-Id: I81ef55bb92c9869102a741e64375b883c3443224
Added SPDX-license-identifier-Apache-2.0 to:
keystore2/tests/legacy_blobs/Android.bp
Bug: 68860345
Bug: 151177513
Bug: 151953481
Test: m all
Change-Id: Ifc2e14a9b60e364323794eaa5a8c181c4f0a78ee
This change leverages the ro.remote_provisioning.rkp_only system
property in order to determine whether or not the system has fallback
keys. If there are no fallback keys, then ks2 will now return
OUT_OF_KEYS as a ResponseCode to the caller over the binder interface.
This will allow the caller to call generateKey() on the
RemoteProvisioner AIDL interface, blocking until the call is returned.
At this point, keys will either have been provisioned, or an actionable
error can be routed back to the developer.
Bug: 227306369
Test: atest RemoteProvisionerUnitTests
Change-Id: I8f5bc5add4ab895ab95c9e4e70e6fc9fa4422da5
Allow an application to either have an selinux permission or a
privileged application permission to request a unique id attestation.
Eventually, we will remove the sepolicy permission. However, until
GMSCore is updated to pick up the new permission, keep the policy
around.
Test: KeyAttestationTest
Bug: 216778747
Change-Id: I2401ca630d1599f0399b47e1fd9dd88d78318b95
- authorizations: helper struct to create set of key authorizations
- key_generations: helper methods to generate various keys.
Test: N/A
Change-Id: I23250838b7b6d8ad59f5ef8682861a07e856299f
Creating a new library "libkeystore2_with_test_utils" where it includes blob utils
apis and sample test vectors based on feature flag keystore2_blob_test_utils.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Change-Id: I869d27d1d3e8c6d28d8f5e5d6aed4305b5265816
This CL adds run_as_child which starts a child asynchronously and
returns a handle that allows waiting for and communicating with the
child process.
Test: keystore2_test_utils_test
Change-Id: Ibde858f249c94295b5f1c0c0cb29b8a98fb98a3a
- Remove the listEntries API in IKeystoreMaintenance
- Remove the ability to migrate keys across UIDs in the APP domain
Test: m keystore2
Bug: 220015249
Change-Id: I513e5b485b026825b9e7f8c86a1e8fb89247ab3d
CreateKeyMintDevice now creates a shared_ptr with correct ref counts.
Bug: 219791936
Test: atest keystore2_km_compat_test_cpp does not crash any more.
Change-Id: I3b304c0a4d55883b8f917ce0ef4c70d4bd0e9e9b
If we cannot create an IRemotelyProvisionedKeyPool binder, keystore
starts up as normal. However, we were not logging _why_ the operation
failed. This change adds a bit of logging so that we can diagnose when
devices are missing the IRemotelyProvisionedKeyPool service.
Test: keystore2_test
Change-Id: I60a481dc9762d8b156c5bec9e622a7e2192d145d
On some devices it is infeasible to provision the KeyMint RoT bits in
the Android Bootloader. This provides an alternate path to provision
them from the TEE during early boot.
Bug: 219076736
Test: VtsAidlKeyMintTargetTest
Change-Id: I8e19a1096087780f8c979f5a6b37f4100e41a975
Merged-In: I8e19a1096087780f8c979f5a6b37f4100e41a975
Placing a call to delete all expired attestation keys directly in
the function responsible for retrieving them. This guarantees that any
key selected will be fresh. This also modifies
delete_expired_attestation_keys to create a time buffer so that a key
can't be milliseconds away from expiration when this call returns.
Test: atest keystore2_tests
Change-Id: I6f83eb65d02d8583d054c56ef6c572f3ee2e8e24
This change applies a key upgrade path to the RKP keys when they are
used in key generation. Without this, RKP keys will fail after a device
receives an update due to version mismatch in KeyMint.
Test: atest keystore2_test && atest RemoteProvisionerUnitTests
Change-Id: I5dddc8fa1fe7fe9d7dd559b337089d607fcc735a
Virtual operation slots are leaked when sofware emulation is used.
This can lead to TOO_MANY_OPERATIONS errors despite have plenty of spare
operation slots in the backend.
Also fixes not using the reserved operation slot for signing. All
signing operations during key generation are now serialized and use the
reserved operation slot.
The slot test in keystore2_km_compat_test_cpp now tests that sofware
emulated operations don't impact the virtual operation slot accounting.
It also verifies that key generation that requires an operation slot can
commence even if all virtual slots are depleted.
Bug: 219551178
Bug: 219552427
Test: atest keystore2_km_compat_test_cpp
Change-Id: I6665b06a038e4935b4c751228881d8b500a6dcd4
Slot_test
Change-Id: Ice45c9f67f0ac0aa067825c410bf3ba9257e5bee
This CL addresses various gaps in legacy support.
* Encrypted legacy blobs.
* Encrypted key characteristics files (pre Android Q).
* Encrypted certificate and certificate chain entries
(pre Android R).
To support key migration even when the corresponding user is locked,
keys can now be migrated in the legacy database by renaming files.
In order to construct a complete a key characteristics cache from old
characteristics files the information must be augmented with the
characteristics that can be extracted from the key blob by calling
KeyMintDevice::getKeyCharacteristics. For this to work, the blob
may need to be decrypted, upgraded, and reencrypted. The crypto steps
may fail with ResponseCode::LOCKED though if the user is locked.
If the key was upgraded in the process both the old and the new key
blob must be inserted into the database in order for the garbage
collector to reap and invalidate the superseded blob correctly.
At the time APPLICATION_ID and APPLICATION_DATA are usually not
available. This would cause such bound keys to fail with
ErrorCode::INVALID_KEY_BLOB. However, APPLICATION_ID/DATA were
never exposed to applications though, so this should be acceptable
for now.
Bug: 213173772
Bug: 213172664
Bug: 203101472
Test: keystore2_test
Change-Id: Id8561d3f98d53182709d9f4feeeecda3b1535077
- Implement a general back-level KeyMint wrapper, which forwards
requests to either a back-level real device, or an up-level
software device. Keyblobs from the latter are given a marker
prefix and an authentication suffix.
- Add an FFI wrapper function to allow calculation of HMAC-SHA256,
so this can be used to give an authenticated suffix to wrapped
keyblobs.
- Abstract out the decision process for whether emulation is required
to a EmulationDetector trait, and provide implementations for
KeyMint V1 and for a km_compat-wrapped Keymaster.
- Impose the KeyMint V1 wrapper whenever the real device is detected to
be a V1 implementation.
- Add support to the IKeystoreCompatService for returning a device for
SecurityLevel::SOFTWARE. This device will always be the most recent
KeyMint version.
- Clarify what level of IKeyMint implementation gets returned from
the IKeystoreCompatService for the other security levels.
- Add an inner function to the km_compat code to allow unit tests
to still work.
Co-authored-by: Janis Danisevskis <jdanis@google.com>
Bug: 194358913
Test: CtsKeystoreTestCases on oriole/bramble/cuttlefish
Change-Id: I297e8ad1cf00fd15cd5358b2760cd2ca88f53abb
This refactor serves the disambiguation between the import of legacy
blobs into the sqlite3 database and the migration of keys between
namespaces, which becomes more promient in the light of shared uid
migration.
Test: No new test required because no functionality was changed.
Change-Id: I0612d0731083548a196911712f6c0adbbc9a5e9a
Split the IRemotelyProvisionedKeyPool binder implementation to its own
struct, as we cannot have two rust objects backing the same native
binder.
Test: keystore2_test
Test: keystore2_test --ignored
Bug: 194696876
Change-Id: I188bc2e2daf277f4a3543c7ec8320002d57f60ba
This patch makes it a little easier to interpret watch dog records, by
sorting them by the age of the youngest watch point in each thread.
The most likely culprit will thus move to the top of the record.
Test: N/A
Change-Id: I17ef4801ed38313b85468bd14943269f881a8e2b
The noicu build rules were only used by microdroid which no longer has a
special variant of keystore2.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: Iefa4d22beb0074bc95e0ff20c7689ad8b62372f4
keystore2 has been removed from microdroid so the build variant is no
longer needed.
Bug: 215747811
Test: atest MicrodroidTests
Change-Id: I46395d04535a3084e995324445e6b52bef4d8154
The super key and user state management performs concurrent lookups and
cache updates that can put keystore2 in an inconsistent state which may
lead to loss of keys. It is unlikely that this data loss was trigered,
because system server does not call keystore2 in the way required to
cause problems.
Test: keystore2_tests and CTS tests for regression testing.
Bug: 213942761
Change-Id: Ieedb4806403d3aa7175c98f2dca26532ff609cea
This service allows clients to request remotely provisioned attestation
keys. These blobs are only usable by applications that have the ability
to pass them to a keymint implementation for use as keys.
This API is intended as a short-term solution in Android T to enable
remote key provisioning for identity credential keys. In Android U,
the underlying service will be updated to be more flexible allowing for
IRemotelyProvisionedComponent to be implemented by things other than
keymint.
Test: keystore2_test
Test: RemoteProvisionerUnitTests
Test: VtsHalRemotelyProvisionedComponentTargetTest
Bug: 194696876
Change-Id: I5ddb1bd087b606ccea88ccf170b99d5bc1b4501d
This patch adds detailed error messages to the service specific
exceptions. The error messages are formated anyhow::Errors, the same
that already get logged to logcat. Returning them to the client, allows
them to be included in java stack traces which will lead to easier
diagnosis of bugreports.
Test: N/A
Bug: 197890905
Change-Id: Ie6178292650327a1382b04f478ed5fa9e5fd7feb
Import from the binder crate root instead of binder::public_api for
compatibility with the new crate structure.
Original change: Ia9695e5493bda965ca9a42989ec5a284407595ce
Test: m
Bug: 196056781
Change-Id: Ie6303a36a956cf73f317520a0e0a00ec4adbb47e
Import from the binder crate root instead of binder::public_api for
compatibility with the new crate structure.
Test: m
Bug: 196056781
Change-Id: Ia9695e5493bda965ca9a42989ec5a284407595ce
- Update migrate_key_namespace to accept specific UIDs for APP domain
source and destination key descriptors
- Add new API to maintenance service to query a list of aliases for
specified app UIDs
Test: atest SharedUserMigrationTest#testDataMigration (in internal)
Bug: 211665859
Change-Id: Ica06a8cd7c3f7b85f58d5953a22231cf7e9a1d7f
* changes:
Diced: Add tests for open dice rust bindings.
Diced: Implement HAL proxy node and initialize it in diced_main.
Diced: Add vendor library for DICE HAL implementations.
When a user was deleted, only the per boot key was deleted, but not the
lock screen bound wrapping keys. This patch makes sure that all user
specific super keys are deleted.
Added test for the behavior of unbind_keys_for_user with respect to
super keys.
Bug: 195924790
Test: keystore2_test
Merged-In: I3741450ddf971a6b4ee184fbc946cf127e1c39f8
Change-Id: I3741450ddf971a6b4ee184fbc946cf127e1c39f8
Adding CREATION_DATETIME unconditionally should be accepted by all
keymaster implementations. Alas, VTS tests never covered this before
Keymint V1 and so there are implementations that fail when the caller
presents the tag.
Test: CtsKeystoreTestCases for regression testing.
Bug: 210792876
Bug: 204578637
Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53
This reverts commit 5b8f198fb7.
Reason for revert: Relevant vendor implementations have been fixed.
Test: CtsKeystoreTestCases ran successfully against relevant devices.
Bug: 204578637
Change-Id: I2cadd017b66f8930fd0eb26ff8f58d52cac15fd4
When collecting metrics about RKP pool status, we currently query
the remote_provisioning module by setting expired_by = now.
But inside remote_provisioning module, all expired keys by now are
deleted before returning the pool status.
Therefore, in the metrics, we do not see the number of expiring keys
since it is always zero.
Test: statsd TestDrive script
Bug: 210162269
Ignore-AOSP-First: This will be merged to AOSP manually.
Change-Id: I7f7026b1297f297ce208b828b647f1056485128e
Revert "Advertise support of KeyMint V2"
Revert submission 1900930-version-bump
Reason for revert: Broken build on sc-qpr1-dev-plus-aosp, b/210450339
Reverted Changes:
I42a9b854f:keystore2: cope with new curve25519 enum
I167d568d6:Bump keystore2 AIDL API version 1->2
I3a16d072e:Advertise support of KeyMint V2
Ibf2325329:KeyMint HAL: add curve 25519, bump version
Change-Id: Ifc713bfb2753677e933f572d385f26cea11a3ef2
Revert "Advertise support of KeyMint V2"
Revert submission 1900930-version-bump
Reason for revert: Broken build on sc-qpr1-dev-plus-aosp, b/210450339
Reverted Changes:
I42a9b854f:keystore2: cope with new curve25519 enum
I167d568d6:Bump keystore2 AIDL API version 1->2
I3a16d072e:Advertise support of KeyMint V2
Ibf2325329:KeyMint HAL: add curve 25519, bump version
Change-Id: I7db3a5941e86d4e85b1e74a595137c798079f646
This does not yet add proper support for curve 25519, but just fills
out the places where the new enum value needs to go.
Bug: 194358913
Test: TreeHugger
Change-Id: I42a9b854ff6d3e599dbbdacf89bd140429f9f8ad
The keystore2 AIDL definitions include types from KeyMint, so a bump in
the keymint version necessitates a bump in the keystore2 version.
Test: TreeHugger
Change-Id: I167d568d64fae5a615d1c38e32416e32348c203d
The KeyMint HAL will soon be updated for a new version, which will in
turn induce a version bump for the keystore2 AIDL interface. To make
this process easier, add cc_defaults that references the "current"
version, and use this elsewhere. This should hopefully mean that a
future version bump only needs to happen in the defaults.
Test: TreeHugger
Change-Id: I8999de92443fd121a9515dccde8d76094dc93023
This allows for easier bumping of the KeyMint version level.
At the moment this change should have no effect: the same dependency
is used, just reached via a default rather than explicitly.
However, when the KeyMint version increases in the near future, using
this default should mean that no change is needed here: the default
definition will change to -V2 and this will be referenced here.
Test: TreeHugger
Change-Id: I8cce78e7f56179db23b2de792764ea2cae2d3cb7
We only need to check that a token with a given auth type exists if
a key has a timeout bound policy. In that case, we should match that
a given token may be found with the configured authorization type.
However, if a key's parameters indicate unlocked device is required,
then any token will do. We don't care about the auth type. If the key
parameters require per-operation authentication, then the type of
authentication will be checked later, after a fresh authentication.
Test: CtsVerifier - Unloced Device Required
Test: CstKeystoreTestCases
Bug: 206762528
Change-Id: Icdffc42084854b298e8798d99312e9f829aee753
This was previously added as a hack to work around a build system bug in
which rlib dependencies would not result in their corresponding C DSOs
being installed on the device. Now that it is fixed, we can remove this.
Bug: 187412695
Test: m installclean && m; boot AVD
Change-Id: I61f14d7a60e80034d24f0e6e4c3a8e2ea8831c96
This change strips out all of the manually written CBOR parsing and
serialization code in favor of using the serde-cbor library in order to
make the code more robust and the error messages more actionable.
Fixes: 180392379
Test: atest RemoteProvisionerUnitTests
Change-Id: I1b08b26b6192763e393b061cd9b919cfd71c13c9
corresponding to the selinux perm `migrate_any_key`. Checked when
migrating keys for an app leaving a sharedUserId.
Bug: 179284822
Test: TH
Change-Id: I831af2f99049401855dcf4b7d23555a3473e37c6
Run a subset of the Keystore CTS test cases on presubmit when keystore2
gets changed. Also Run the full CTS test suite as post submit.
Bug: 204906931
Test: Improves test coverage during presubmit.
Change-Id: I9b14734e4d838881e7dabf698b3df826a0ed433b
Add the function try_clone to ZVec. Cloning may fail because mlock may
fail during the allocation of a new memory region.
Test: N/A
Change-Id: I1dc3f098d8c02d3bf9116ab86527eca6793d0bfe
ZVec now has its own error rather then using the crypto library error.
This makes it easier to move ZVec out of the crypto library in the
future.
Test: N/A
Change-Id: I4788cbbc48281e30729142fb08f5cb94b2d243c2
writepid command usage to join a cgroup has been deprecated in favor
of a more flexible approach using task_profiles. This way cgroup path
is not hardcoded and cgroup changes can be easily made. Replace
writepid with task_profiles command to migrate between cgroups.
Bug: 191283136
Test: build and boot
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Ia136fd51d7fd39a0e1988ae3ae1aeb80ab5f3cc5
Now that the implement_class! macro is generic enough, it can replace
implement_permissions_aidl! with minor tweak to the rest of the code.
Test: keystore2_test
Bug: 203555519
Change-Id: Ib339bd0ac0acc27169b9303f50999d552a1aa632
* Add trait ClassPermission and fn check_permission. This binds
together permission names and their class name.
* Rename implement_permission! to implement_class!.
* Add #[selinux(class_name = <name>)] stanza to the syntax of
implement_class!.
Test: keystore2_test for regressions.
Bug: 203555519
This reverts commit b8fd77fba016c4c908d371d546a5d86aff4a78d7.
Change-Id: I6863269ea4af5a6d0b36cf17e0238c81bc713d48
Change the input syntax of implement_permission! to something more
rust-like.
Test: keystore2_test
Bug: 203555519
Change-Id: Ic7ce23e2fecb8351b5c8c2835c7baab1d73f2616
Older KM implementations do not consume data if in certain block modes
when too little data is presented. However, km_compat update assumes
that the backend always consumes some data. If this assumption does not
hold it can get stuck in an infinite loop.
This patch adds some buffering, allowing the km_compat to buffer
unconsumed data and make it appear to the caller that the data was
indeed consumed.
Ignore-AOSP-First: b/200041882 ASA review.
Bug: 200041882
Test: CtsKeystoreTestCases for regression testing
keystore2_km_compat_test
Merged-In: Icae44c6bc97507f192ec44c944c3bc0a9dd60ba7
Change-Id: Icae44c6bc97507f192ec44c944c3bc0a9dd60ba7
Instead of changing keystore2 to use libsqlite_noicu, create another
variant of keystore2 (keystore2-microdroid) which uses libsqlite_noicu,
and use it only for microdroid.
Although keystore2 doesn't actually depend on the ICU extension, doing
it for Android caused a small regression (6ms) to the boot time because
keystore2 should spend time for loading the new library
libsqlite_noicu instead of sharing text pages from libsqlite.so which
were already preloaded by zygote.
With this change, keystore2 for Android goes back to use libsqlite.so.
The use of the noicu variant is limited to Microdroid.
Bug: 201344281
Test: measure SystemServerTiming_StartLockSettingsService-total
Change-Id: I6ff123415cdc3e7494a7857864e04525322bc079
Stop testing for a vendor patch level in km_compat get key
characteristics test.
Bug: 189973657
Test: atest keystore2_km_compat_test
Change-Id: Id811d8fdc26fdf09e5f0ae454be7c146a7c57563
The run_as function allows a test with sufficient privileges to run a
closure as different identity given by a tuple of UID, GID, and SELinux
context. This is infrastructure in preparation for the keystore2 vts
test.
Test: keystore2_test_utils_test
Bug: 182508302
Change-Id: Ic1923028e5bc4ca4b1112e34669d52687450fd14
This CL fixes the error message returned when an auth token is not
found for IC.
Bug: 198731997
Test: N/A
Change-Id: I4512c89f7793f2c50a61d221abe20bdfa5e87102
keystore has used libsqlite which was built with the ICU extension [1].
The extension brings huge (> 60MB) dependency to the i18n APEX which is
too big for microdroid. Since the use of sqlite in keystore doesn't
seem to require operations like upper/lower, sorting, and regex for all
unicode strings, drop the dependency to the i18n APEX.
[1] https://www.sqlite.org/src/file?name=ext/icu/README.txt
Bug: 199674764
Test: m
Change-Id: I1e7a83283c3e79e69793a2076c97bc1bf6b9e0bf
Add a trace callback and forward all log messages to the keystore2 logs
so that we catch any sqlite errors.
Test: keystore2_test, legacykeystore_test
Change-Id: I655a78153bc855678b9012b75dc522611e1ff671
This makes sure that when developers add a new version of an interface,
or when interfaces are being frozen, the runtime/buildtime situation of
clients depending on those interfaces remains the same. This is required
for AIDL to continue working at scale.
Bug: 188871598
Test: build
Change-Id: I8c6c0e279ef56b7ae06d5621a772e7abc8163a59
This makes sure that when developers add a new version of an interface,
or when interfaces are being frozen, the runtime/buildtime situation of
clients depending on those interfaces remains the same. This is required
for AIDL to continue working at scale.
Bug: 188871598
Test: build
Change-Id: I98cf349e8501570b5bf3aed298082d0e9b9dad7e
Waiting just 1ms for a callback on a different thread to be executed
is a bit swift; try 50ms instead.
Bug: 197762120
Test: keystore2_test
Change-Id: I27399b9687e21bae86a59f288c99449ca9858d6c
Note that some of these are currently no-op tests that do nothing.
But this makes them future proof in case we add more later.
Test: atest
Change-Id: I22914e36568d5808ab60541354e5585a1aeebd44
This CL adds metrics logging for fallback during RKP hybrid mode.
Test: atest com.android.remoteprovisioner.unittest.ServerToSystemTest#testFallback
on cuttlefish, followed by ./statsd_testdrive 10124
Bug: 194510784
Change-Id: I3d6184df02828fef1d0110688afe1ba2db10eae9
(cherry picked from commit 400b225c94)
Revert "Enable deleteAllKeys from vold"
Revert "Allow vold to deleteAllKeys in Keystore"
Revert submission 15521094-vold-deleteAllKeys
Reason for revert: Causes infinite loop in Trusty KeyMint
Reverted Changes:
I9c5c54714:Detect factory reset and deleteAllKeys
I2fb0e94db:Allow vold to deleteAllKeys in Keystore
Id23f25c69:Add deleteAllKeys to IKeystoreMaintenance
Ife779307d:Enable deleteAllKeys from vold
I4312b9a11:Enable deleteAllKeys from vold
Bug: 187105270
Change-Id: I546b980bb49b064a8cbf127659f2a58748082c65
Add a method to IKeystoreMaintenance which calls deleteAllKeys on every
KM instance. This method will be called by vold when it detects a
factory reset.
Bug: 187105270
Test: booted Cuttlefish twice
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
Change-Id: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
Add a method to IKeystoreMaintenance which calls deleteAllKeys on every
KM instance. This method will be called by vold when it detects a
factory reset.
Bug: 187105270
Test: booted Cuttlefish twice
Change-Id: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
This CL adds metrics logging for fallback during RKP hybrid mode.
Ignore-AOSP-First: No merge path from AOSP.
Test: atest com.android.remoteprovisioner.unittest.ServerToSystemTest#testFallback
on cuttlefish, followed by ./statsd_testdrive 10124
Bug: 194510784
Change-Id: I3d6184df02828fef1d0110688afe1ba2db10eae9
(cherry picked from commit 400b225c94)
This CL adds metrics logging for fallback during RKP hybrid mode.
Ignore-AOSP-First: No merge path from AOSP.
Test: atest com.android.remoteprovisioner.unittest.ServerToSystemTest#testFallback
on cuttlefish, followed by ./statsd_testdrive 10124
Bug: 194510784
Merged-In: I3d6184df02828fef1d0110688afe1ba2db10eae9
Change-Id: I3d6184df02828fef1d0110688afe1ba2db10eae9
The ndk_platform backend will soon be deprecated because the ndk backend
can serve the same purpose. This is to eliminate the confusion about
having two variants (ndk and ndk_platform) for the same 'ndk' backend.
Bug: 161456198
Test: m
Change-Id: Ibeb4178f99857be75bb5f83a073a2d679058d921
