Correct the permission check for the Keystore maintenance method
that returns the list of app UIDs which have keys that are
bound to a specific SID.
The previous check relied on SELinux policies. But the Settings
app that calls this method has a permission - MANAGE_USERS -
that is more appropriate to check.
Bug: 302109605
Test: Manual.
Change-Id: Ia26256cf995d16d03d0bb92d8b237f7bbea30d07
This is needed to upgrade the android_logger crate from 0.12.0
to 0.13.3.
with_max_level provides the same functionality as with_min_level.
The renaming is admittedly confusing, but the new name is accurate
and it makes sense that they deprecated and then removed the
previously poorly named with_min_level.
See crate documentation [1] and code [2].
[1]: https://docs.rs/android_logger/0.12.0/android_logger/struct.Config.html#method.with_min_level
[2]: https://docs.rs/android_logger/0.12.0/src/android_logger/lib.rs.html#227
Bug: 322718401
Test: build and run CF with the change.
Test: m aosp_cf_x86_64_phone
Change-Id: I8d9d7c42100ede48496f9846068ed312fb8a15cb
Android Protected Confirmation is deprecated due to the high
support/maintenance cost for Android device makers and low adoption rate
among app developers. APC requires Android device makers to have a
substantial amount of device-specific UI code running in the trusted
execution environment. That has proven to be expensive to maintain and
non-scalable, as there cannot be a single implementations device makers
can share or use as a reference. Additionally, app developers have not
adopted this feature, as the Android platform offers other mechanisms
for authentication a user's intent. These mechanisms, such as
authentication-bound Keystore keys, are less secure than Trusted UI, but
are more wide-spread. While we explore alternatives to APC that are
viable to the device makers ecosystem, we sunset the APC API.
Bug: 313856313
Test: atest keystore2_test && atest CtsKeystoreTestCases
Change-Id: If065697ed13e3de706b8dde5cc5e2b6018592018
Add a method to the Keystore maintenance interface to list the UIDs of
apps that are affected by a given secure user ID.
With this method, it would be possible to tell if removing a given
user's LSKF or enrolling new biometrics will invalidate Keystore keys,
thus affecting some apps.
Bug: 302109605
Test: atest keystore2_test
Change-Id: If5888506e0c72a56eca3339778889c7d8038acc5
Starting in Android 12, unlocking the device with a class 1
("convenience") biometric, class 2 ("weak") biometric, or a trust agent
unexpectedly doesn't allow the use of UnlockedDeviceRequired keys. The
cause of this bug is that the cryptographic protection that Keystore now
applies to UnlockedDeviceRequired keys incorrectly assumes that the
device can only be unlocked using LSKF or via a biometric that
participates in Keystore (has a SID and uses HardwareAuthTokens).
Actually, Keyguard also allows the device to be unlocked using weaker
biometrics that do not particiate in Keystore, if they are enrolled.
Similarly, there are also cases where a trust agent can actively unlock
the device, e.g. unlocking a phone using a paired watch.
In combination with the system_server changes in
I34dc49f1338e94755e96c1cf84de0638dc70d311, this CL fixes the bug by
making Keystore retain the UnlockedDeviceRequired super keys in memory
if a weak unlock method is enabled at device lock time. This does mean
that UnlockedDeviceRequired is enforced only logically when a weak
unlock method is enabled, but this is the best we can do in this case.
This CL also adds methods by which Keystore can be notified of the
expiration of unlock methods, causing the security level of
UnlockedDeviceRequired keys to be upgraded. A future CL for
system_server is planned to use these.
Test: see I34dc49f1338e94755e96c1cf84de0638dc70d311
Bug: 296464083
Change-Id: I1b0d9ec4f9e31dc91642e865045766bd17e34cad
Remove files from the "keystore" directory that are unused, i.e. not
referenced by an Android.bp, or in the case of header files not included
from anywhere. This mostly includes files belonging to Keystore1 that
were missed when Keystore1 was deleted. This also includes a couple
outdated test scripts that were never actually wired up to anything.
Bug: 171305684
Test: m; mmm system/security
Change-Id: Ie31f773b5f15b0a0f95dffa9cad109fbf3a84970
Since there's now a case where AES_gcm_decrypt() is expected to fail
(trying to use HKDF-derived key to decrypt an old super key that's
encrypted by an PBKDF2-derived key, before falling back to PBKDF2),
remove the corresponding error message from the C++ function. The error
message is misleading in this case. In other cases, the error message
does not provide useful information since it seems to be the only way
that AES_gcm_decrypt() can actually fail (seeing as the length mismatch
should never happen), and the caller uses the boolean return value to
create the real Rust error which is then logged/handled appropriately.
Bug: 296464083
Bug: 314391626
Test: Verified that on device that has old super keys, the
"Failed to decrypt blob" message is no longer logged.
Change-Id: I1a85572626d90b74aa3ccd31bd112d7b06fbe028
Since the Keystore password is a high-entropy synthetic password, key
stretching is not required. Therefore, improve the performance of
encrypting and decrypting Keystore user super keys by using HKDF instead
of 8192-iteration PBKDF2. PBKDF2 continues to be used for decrypting
old keys, when AES-GCM decryption using the HKDF-derived key fails.
Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Test: Upgraded a device and verified the old super keys can still be
decrypted.
Test: Verified via logcat that super key creation got faster.
Change-Id: Ib7976671ecf886e6308b66e6b1fdfb4b21346afb
Rename Password::derive_key() to Password::derive_key_pbkdf2(), and
rename generateKeyFromPassword() to PBKDF2(). This helps distinguish
these functions from the HKDF functions, including the existing ones as
well as the Password::derive_key_hkdf() added by the next CL.
Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I76e5ee5a5c6452951727be6fce1a43a2322a3950
Some issues require a system error to be raised that
indicates we should retry the process. This adds a new
error and bumps the version of the api for future use.
Test: atest keystore2_test
Bug: 238619180
Change-Id: Iff8fa83f7b223e08de9fa31434e16aa3aa2153f6
avoid issues while linking shared libraries with Rust test binaries.
This change is made to avoid vts-tradefed failure to link the shared
library while running the Rust VTS `keystore2_client_tests` test
suite. As suggested in b/314110490#24 using the libkeystore-engine
static-library to run keystore2_client_tests.
Bug: 314110490, 298668920
Test: atest keystore2_client_tests; run vts -m keystore2_client_tests
Change-Id: If956865eeb4af908f33b1ad81a2b2e26300aae0e
When a database is set once it will still maintain that
setting even if on the next connection it is not specified.
Any databases that set the wal flag will need to turn the
database back to its default when the flag is disabled or
there will be an error in the access of the database.
Bug: 314419678
Test: atest keystore2_test && atest legacykeystore_test
Change-Id: I008f2d2f6ac055704b721cdd451fc8bdfe448832
Service specific error will be part of the description if applicable.
Bug: 312671886
Test: adb shell rkp_factory_extraction_tool
Change-Id: I071cf8bd892c3731de052dafb69a7d2029bf8b03
compile_multilib set to first.
To avoid missing dependent library (libkeymaster_portable.so) error,
enforcing to compile for 64-bit on a 64-bit platform, and 32-bit on
a 32-bit platform.
Bug: 314110490
Test: run vts -m keystore2_client_tests
Change-Id: I5e8bf94ed37209f69ace2d7dd2c0ca1b680fc86d
cc_library_shared.
Since libkeystore-engine used only in keystore2_client_tests test
module, creating it as cc_test_library.
Bug: 298668920
Test: atest keystore2_client_tests
Change-Id: I656e989186610266c8a59ac11db8ac8a47d3514f
[Description]
1.Add patch to modify rkp_factory_extraction_tool, so
that it can meet TV customer's factory product line.
2.Introduce a new input parameter, serialno_prop,
to the function jsonEncodeCsrWithBuild.
3.Use the new property of serialno_prop if it is set,
otherwise defaults to "ro.serialno".
Test:
1.build pass
2.AC on/off pass
3.run "rkp_factory_extraction_tool
--output_format build+csr
--serialno_prop $(customer_prop) > csr.json" pass
4.run "rkp_factory_extraction_tool
--output_format build+csr > csr.json" pass
5.VtsHalRemotelyProvisionedComponentTargetTest pass
6.libkeymint_remote_prov_support_test pass
7.VtsAidlKeyMintTargetTest pass
Bug: 313811996
Change-Id: I261f7ae1b3b4c3e2776ec4013c77b7be355477cf