Commit graph

8640 commits

Author SHA1 Message Date
Eran Messeri
b7e5421688 Merge "Correcting permission check for App UIDs listing" into main 2024-02-06 16:40:03 +00:00
Eran Messeri
cfe79f1828 Correcting permission check for App UIDs listing
Correct the permission check for the Keystore maintenance method
that returns the list of app UIDs which have keys that are
bound to a specific SID.

The previous check relied on SELinux policies. But the Settings
app that calls this method has a permission - MANAGE_USERS -
that is more appropriate to check.

Bug: 302109605
Test: Manual.
Change-Id: Ia26256cf995d16d03d0bb92d8b237f7bbea30d07
2024-02-06 14:58:09 +00:00
Treehugger Robot
4a8dc192c3 Merge "Set the container field of aconfig flags" into main 2024-02-05 22:08:34 +00:00
Stefano Cianciulli
a57741efb9 Merge "Add libstatspull and libstatssocker to odsign" into main 2024-02-05 09:56:53 +00:00
Oriol Prieto Gasco
85d84ff9ed Set the container field of aconfig flags
Test: m
Bug: 312769710
Change-Id: I366717c7139886e30360914256ad7710da5095e9
2024-02-03 02:39:40 +00:00
Stefano Cianciulli
5cacaefd20 Add libstatspull and libstatssocker to odsign
Bug: 257028435
Test: atest ArtGtestsTargetChroot
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:d0737bfd5bd288c291ec454d09e1c80d0a2cc95e)
Merged-In: I619784b71c0a87574dc633d641aec91da1fc3475
Change-Id: I619784b71c0a87574dc633d641aec91da1fc3475
2024-02-02 11:18:15 +00:00
Treehugger Robot
2730678378 Merge "Replace use of deprecated logging functions" into main 2024-02-01 11:11:14 +00:00
Jeff Vander Stoep
940820cfa1 Replace use of deprecated logging functions
This is needed to upgrade the android_logger crate from 0.12.0
to 0.13.3.

with_max_level provides the same functionality as with_min_level.
The renaming is admittedly confusing, but the new name is accurate
and it makes sense that they deprecated and then removed the
previously poorly named with_min_level.

See crate documentation [1] and code [2].

[1]: https://docs.rs/android_logger/0.12.0/android_logger/struct.Config.html#method.with_min_level
[2]: https://docs.rs/android_logger/0.12.0/src/android_logger/lib.rs.html#227

Bug: 322718401
Test: build and run CF with the change.
Test: m aosp_cf_x86_64_phone
Change-Id: I8d9d7c42100ede48496f9846068ed312fb8a15cb
2024-01-31 10:55:55 +01:00
Shaquille Johnson
53d2763a23 Merge "Deprecating the aidl for Android Protected Confirmation" into main 2024-01-29 13:49:22 +00:00
Shaquille Johnson
07fec0ff0c Deprecating the aidl for Android Protected Confirmation
Android Protected Confirmation is deprecated due to the high
support/maintenance cost for Android device makers and low adoption rate
among app developers. APC requires Android device makers to have a
substantial amount of device-specific UI code running in the trusted
execution environment. That has proven to be expensive to maintain and
non-scalable, as there cannot be a single implementations device makers
can share or use as a reference. Additionally, app developers have not
adopted this feature, as the Android platform offers other mechanisms
for authentication a user's intent. These mechanisms, such as
authentication-bound Keystore keys, are less secure than Trusted UI, but
are more wide-spread. While we explore alternatives to APC that are
viable to the device makers ecosystem, we sunset the APC API.

Bug: 313856313
Test: atest keystore2_test && atest CtsKeystoreTestCases
Change-Id: If065697ed13e3de706b8dde5cc5e2b6018592018
2024-01-25 16:02:32 +00:00
Eran Messeri
1841a55ebf Merge "List apps affected by secure user ID" into main 2024-01-24 16:43:36 +00:00
Eran Messeri
4dc27b52eb List apps affected by secure user ID
Add a method to the Keystore maintenance interface to list the UIDs of
apps that are affected by a given secure user ID.

With this method, it would be possible to tell if removing a given
user's LSKF or enrolling new biometrics will invalidate Keystore keys,
thus affecting some apps.

Bug: 302109605
Test: atest keystore2_test
Change-Id: If5888506e0c72a56eca3339778889c7d8038acc5
2024-01-24 14:48:54 +00:00
Eric Biggers
3b862a87dd Merge "Fix UnlockedDeviceRequired with weak unlock methods" into main 2024-01-18 22:22:12 +00:00
Eric Biggers
ed4f8be6be Merge "keystore: remove unused Keystore1 files" into main 2024-01-18 20:25:36 +00:00
Andrew Walbran
4a04e9195e Merge "Format Android.bp files with bpfmt" into main 2024-01-18 19:01:27 +00:00
Luca Stefani
481b5d663b Format Android.bp files with bpfmt
Change-Id: I083e96e3dd94a48ebad473bcfbbb7fcbb89ce466
2024-01-18 08:34:35 +01:00
Eric Biggers
6946daa1ab Fix UnlockedDeviceRequired with weak unlock methods
Starting in Android 12, unlocking the device with a class 1
("convenience") biometric, class 2 ("weak") biometric, or a trust agent
unexpectedly doesn't allow the use of UnlockedDeviceRequired keys.  The
cause of this bug is that the cryptographic protection that Keystore now
applies to UnlockedDeviceRequired keys incorrectly assumes that the
device can only be unlocked using LSKF or via a biometric that
participates in Keystore (has a SID and uses HardwareAuthTokens).
Actually, Keyguard also allows the device to be unlocked using weaker
biometrics that do not particiate in Keystore, if they are enrolled.
Similarly, there are also cases where a trust agent can actively unlock
the device, e.g. unlocking a phone using a paired watch.

In combination with the system_server changes in
I34dc49f1338e94755e96c1cf84de0638dc70d311, this CL fixes the bug by
making Keystore retain the UnlockedDeviceRequired super keys in memory
if a weak unlock method is enabled at device lock time.  This does mean
that UnlockedDeviceRequired is enforced only logically when a weak
unlock method is enabled, but this is the best we can do in this case.

This CL also adds methods by which Keystore can be notified of the
expiration of unlock methods, causing the security level of
UnlockedDeviceRequired keys to be upgraded.  A future CL for
system_server is planned to use these.

Test: see I34dc49f1338e94755e96c1cf84de0638dc70d311
Bug: 296464083
Change-Id: I1b0d9ec4f9e31dc91642e865045766bd17e34cad
2024-01-17 22:51:37 +00:00
Eric Biggers
74b6c752da keystore: remove unused Keystore1 files
Remove files from the "keystore" directory that are unused, i.e. not
referenced by an Android.bp, or in the case of header files not included
from anywhere.  This mostly includes files belonging to Keystore1 that
were missed when Keystore1 was deleted.  This also includes a couple
outdated test scripts that were never actually wired up to anything.

Bug: 171305684
Test: m; mmm system/security
Change-Id: Ie31f773b5f15b0a0f95dffa9cad109fbf3a84970
2024-01-17 22:38:36 +00:00
Eric Biggers
0e77b347e7 Merge changes I1a855726,Ib7976671,I76e5ee5a into main
* changes:
  keystore: remove misleading error message from AES_gcm_decrypt()
  keystore: eliminate redundant key stretching
  keystore: rename the PBKDF2 functions
2024-01-17 21:49:02 +00:00
Eric Biggers
b9c88c9c9e keystore: remove misleading error message from AES_gcm_decrypt()
Since there's now a case where AES_gcm_decrypt() is expected to fail
(trying to use HKDF-derived key to decrypt an old super key that's
encrypted by an PBKDF2-derived key, before falling back to PBKDF2),
remove the corresponding error message from the C++ function.  The error
message is misleading in this case.  In other cases, the error message
does not provide useful information since it seems to be the only way
that AES_gcm_decrypt() can actually fail (seeing as the length mismatch
should never happen), and the caller uses the boolean return value to
create the real Rust error which is then logged/handled appropriately.

Bug: 296464083
Bug: 314391626
Test: Verified that on device that has old super keys, the
      "Failed to decrypt blob" message is no longer logged.
Change-Id: I1a85572626d90b74aa3ccd31bd112d7b06fbe028
2024-01-17 18:36:57 +00:00
Eric Biggers
6e5ccd7f4a keystore: eliminate redundant key stretching
Since the Keystore password is a high-entropy synthetic password, key
stretching is not required.  Therefore, improve the performance of
encrypting and decrypting Keystore user super keys by using HKDF instead
of 8192-iteration PBKDF2.  PBKDF2 continues to be used for decrypting
old keys, when AES-GCM decryption using the HKDF-derived key fails.

Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Test: Upgraded a device and verified the old super keys can still be
      decrypted.
Test: Verified via logcat that super key creation got faster.
Change-Id: Ib7976671ecf886e6308b66e6b1fdfb4b21346afb
2024-01-17 18:36:57 +00:00
Eric Biggers
d68e691d0a keystore: rename the PBKDF2 functions
Rename Password::derive_key() to Password::derive_key_pbkdf2(), and
rename generateKeyFromPassword() to PBKDF2().  This helps distinguish
these functions from the HKDF functions, including the existing ones as
well as the Password::derive_key_hkdf() added by the next CL.

Bug: 296464083
Bug: 314391626
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I76e5ee5a5c6452951727be6fce1a43a2322a3950
2024-01-17 18:36:57 +00:00
Treehugger Robot
98af22dbef Merge "Update source for Rust 1.74.1" into main 2024-01-16 22:26:11 +00:00
Chris Wailes
282343391e Update source for Rust 1.74.1
Test: m rust
Bug: 310977762
Change-Id: Id99be2655b75f703280f2bdf974fe3fed6f24452
2024-01-16 13:37:36 -08:00
Shaquille Johnson
8e98af6e9f Merge "Add new error for system errors that are retryable" into main 2024-01-12 15:51:42 +00:00
Shaquille Johnson
ac3c2cdea4 Add new error for system errors that are retryable
Some issues require a system error to be raised that
indicates we should retry the process. This adds a new
error and bumps the version of the api for future use.

Test: atest keystore2_test
Bug: 238619180
Change-Id: Iff8fa83f7b223e08de9fa31434e16aa3aa2153f6
2024-01-12 15:50:54 +00:00
Eran Messeri
46531afc61 Merge "Created libkeystore-engine as cc-library instead of cc-test-library to avoid issues while linking shared libraries with Rust test binaries." into main 2024-01-08 16:26:52 +00:00
Roland Levillain
89e7cddf9c Merge "Update OWNERS files under system/security." into main 2024-01-03 14:21:12 +00:00
Roland Levillain
d5efc86c25 Update OWNERS files under system/security.
Test: n/a
Change-Id: Ic0e0d868eb715e20f41e14ee5146d54dded2e43b
2024-01-03 13:05:38 +00:00
Rajesh Nyamagoud
4347357814 Created libkeystore-engine as cc-library instead of cc-test-library to
avoid issues while linking shared libraries with Rust test binaries.

This change is made to avoid vts-tradefed failure to link the shared
library while running the Rust VTS `keystore2_client_tests` test
suite. As suggested in b/314110490#24 using the libkeystore-engine
static-library to run keystore2_client_tests.

Bug: 314110490, 298668920
Test: atest keystore2_client_tests; run vts -m keystore2_client_tests
Change-Id: If956865eeb4af908f33b1ad81a2b2e26300aae0e
2024-01-03 01:44:24 +00:00
Shaquille Johnson
df2668bd96 Merge "When wal flag not enabled set db back to default" into main 2023-12-28 15:25:08 +00:00
Treehugger Robot
d315965968 Merge "Rename bssl-ffi to bssl-sys" into main 2023-12-21 21:48:19 +00:00
Shaquille Johnson
52b8c9321b When wal flag not enabled set db back to default
When a database is set once it will still maintain that
setting even if on the next connection it is not specified.
Any databases that set the wal flag will need to turn the
database back to its default when the flag is disabled or
there will be an error in the access of the database.

Bug: 314419678
Test: atest keystore2_test && atest legacykeystore_test
Change-Id: I008f2d2f6ac055704b721cdd451fc8bdfe448832
2023-12-21 18:30:50 +00:00
Ludovic Barman
c41feb0932 Merge "Remove unused use_protobuf3 flag" into main 2023-12-20 15:27:57 +00:00
Treehugger Robot
0ac69e8ba3 Merge "Changes made to compile keystore2_client_tests module with compile_multilib set to first." into main 2023-12-19 15:44:36 +00:00
Robert Shih
156716d72e Merge "rkp_factory_extraction_tool: log description when binder fails" into main 2023-12-19 05:00:44 +00:00
Robert Shih
6c3e15b8ac rkp_factory_extraction_tool: log description when binder fails
Service specific error will be part of the description if applicable.

Bug: 312671886
Test: adb shell rkp_factory_extraction_tool
Change-Id: I071cf8bd892c3731de052dafb69a7d2029bf8b03
2023-12-18 20:09:14 -08:00
Maurice Lam
47b4facecf Rename bssl-ffi to bssl-sys
Test: TreeHugger
Change-Id: Ie8108ef5d5f8e6c8252409d1e9aceb76613dff9f
2023-12-18 23:28:21 +00:00
Ludovic Barman
6f86b6031c Remove unused use_protobuf3 flag
This is a No-op.
Protobuf3 is used regardless of this flag since https://android-review.git.corp.google.com/c/platform/build/soong/+/2817733
Test: m rust

Bug: 308790516
Change-Id: Icd38fa3976d93af730c315a112d50591fe9d00c5
2023-12-16 10:56:12 +00:00
Rajesh Nyamagoud
b061f9cf67 Changes made to compile keystore2_client_tests module with
compile_multilib set to first.

To avoid missing dependent library (libkeymaster_portable.so) error,
enforcing to compile for 64-bit on a 64-bit platform, and 32-bit on
a 32-bit platform.

Bug: 314110490
Test: run vts -m keystore2_client_tests
Change-Id: I5e8bf94ed37209f69ace2d7dd2c0ca1b680fc86d
2023-12-15 02:48:01 +00:00
Henri Chataing
76cd505946 Merge "Update fmtlib to 10.1.1" into main 2023-12-14 18:47:39 +00:00
Eran Messeri
5704b7ebae Merge "Updated libkeystore-engine library to be cc_test_library instead of cc_library_shared." into main 2023-12-13 19:16:18 +00:00
Rajesh Nyamagoud
21e7cadafd Updated libkeystore-engine library to be cc_test_library instead of
cc_library_shared.

Since libkeystore-engine used only in keystore2_client_tests test
module, creating it as cc_test_library.

Bug: 298668920
Test: atest keystore2_client_tests
Change-Id: I656e989186610266c8a59ac11db8ac8a47d3514f
2023-12-12 18:34:14 +00:00
Eric Biggers
93a028a391 Merge "Increase RLIMIT_MEMLOCK for keystore2" into main 2023-12-12 17:43:43 +00:00
Seth Moore
2dba2d9092 Merge "Add parameter for serial number property to rkp tool" into main am: 670aca611d
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2861555

Change-Id: Ide067532b43de0eae3cc59bf9f2a15fe16e8aeb8
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-07 19:53:00 +00:00
Seth Moore
670aca611d Merge "Add parameter for serial number property to rkp tool" into main 2023-12-07 19:14:37 +00:00
Eric Biggers
d736af9e43 Merge "Split Keystore's onLockScreenEvent into onDevice{Unlocked,Locked}" into main am: a2609f539d
Original change: https://android-review.googlesource.com/c/platform/system/security/+/2855064

Change-Id: Ib7977850d20b247dda3c809e0040d1863327b717
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
2023-12-07 18:31:25 +00:00
Eric Biggers
a2609f539d Merge "Split Keystore's onLockScreenEvent into onDevice{Unlocked,Locked}" into main 2023-12-07 17:57:55 +00:00
Henri Chataing
ecaf5c8420 Update fmtlib to 10.1.1
Test: m
Change-Id: I75e5e3e2dc3f7608872f36c8fe3894f988a7b9d5
2023-12-07 17:41:48 +00:00
chuanchuan.gao
8ef6d1a6be Add parameter for serial number property to rkp tool
[Description]
1.Add patch to modify rkp_factory_extraction_tool, so
 that it can meet TV customer's factory product line.
2.Introduce a new input parameter, serialno_prop,
to the function jsonEncodeCsrWithBuild.
3.Use the new property of serialno_prop if it is set,
otherwise defaults to "ro.serialno".

Test:
1.build pass
2.AC on/off pass
3.run "rkp_factory_extraction_tool
--output_format build+csr
--serialno_prop $(customer_prop) > csr.json" pass
4.run "rkp_factory_extraction_tool
--output_format build+csr > csr.json" pass
5.VtsHalRemotelyProvisionedComponentTargetTest pass
6.libkeymint_remote_prov_support_test pass
7.VtsAidlKeyMintTargetTest pass

Bug: 313811996
Change-Id: I261f7ae1b3b4c3e2776ec4013c77b7be355477cf
2023-12-07 18:21:15 +08:00