The test was disabled and got stale. Fix the test so it uses the GC,
as it's useful for checking perf-related code changes. Will investigate
fully re-enabling the test on T.
Bug: 190142197
Test: keystore2_test
Change-Id: Ifc0a4a5b3c8c301c42d068ee46754d877eeb10bc
Merged-In: Ifc0a4a5b3c8c301c42d068ee46754d877eeb10bc
WAL mode attempts to open an additional file for use as a shared memory
mechanism. If storage is too full, then the database fails to open.
Remove the use of WAL mode so that keystore can perform read-only
transactions on the database and startup even on a full disk.
Disabling WAL mode shows about a 5% performance drop on a synthetic test
that creates and destroys 5000 AES keys.
Bug: 190142197
Test: keystore2_test
Change-Id: I9b1cb7e6398e07fa9f02f0ba4e9eb48313c06472
Merged-In: I9b1cb7e6398e07fa9f02f0ba4e9eb48313c06472
We should not panic when a checksum failure happens during shared key
negotiation. This is typical for pre production devices that have not
been fully provisioned yet. Not panicking gives the user the chance to
finalize the provisioning step.
Bug: 190702219
Test: N/A
Merged-In: I0c847b52f2c63c6c2eef0765cc1536daa0893d1c
Change-Id: I0c847b52f2c63c6c2eef0765cc1536daa0893d1c
The km_compat legacy wrapper would only cache the first shared secret
participant and then return this participant regardless of which
security level was requested. As a result only one Keymaster instance
would take part in the shared secret negotiation.
This patch adds a per security level cache for ISharedSecret instances
to km_compat. It filters Keymaster instances in Keystore 2.0 to only
include the highest version of each HIDL Keymaster security level.
Bug: 190539964
Test: See b/190539964
Merged-In: I0b73da88d3e1b6900cfb332c1befc704eca59cc5
Change-Id: I0b73da88d3e1b6900cfb332c1befc704eca59cc5
Set notBefore and notAfter times using strings rather than architecture
dependent time_t.
Bug: 185119443
Test: atest keystore2_crypto_test
Merged-In: I83e64829b20d965f800e648d9b5d1452c526cb35
Change-Id: I83e64829b20d965f800e648d9b5d1452c526cb35
When generating the boot level zero key the operation params were
missing the digest parameter which throws off some KM implementations.
Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: Reboot twice after applying the patch. Check logs from odsign for
successful recovery of boot level keys.
Change-Id: Ic719fcaae4fc3f5550fcf14b55143c1ca1f125cc
Merged-In: Ic719fcaae4fc3f5550fcf14b55143c1ca1f125cc
This patch uses the database versioning mechanism to delete boot level
bound keys that have been generated before cryptographic binding to the
boot level was implemented.
Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: keystore2_test
Change-Id: I34999d7633e4ef17205b055e11751f0498ae6932
Merged-In: I34999d7633e4ef17205b055e11751f0498ae6932
This patch adds database versioning.
When a KeystoreDB connection is opened, the database file is queried for
its version. If the version is lower than the current version expected by
keystore2, upgrade functions are executed until the target version is
reached and the database version is updated.
Ignore-AOSP-First: No automerge path from AOSP.
Test: keystore2_test (Note the test is added in this CL but not included
in keystore2_test yet. This will happen in the next CL.)
Bug: 187862706
Bug: 189470584
Change-Id: Ia75633942dbb8f168e781579e1c9a755c84671af
Merged-In: Ia75633942dbb8f168e781579e1c9a755c84671af
This refactor makes the key type explicit to relevant database functions
to make it harder to implicitly use the wrong type.
Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Bug: 189470584
Test: Regression tested with keystore2_test.
Change-Id: I9e1416743093f0a1ab86fd9351aed97f106ee819
Merged-In: I9e1416743093f0a1ab86fd9351aed97f106ee819
Check the key characteristics of the level zero key to verify its
integrity.
Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: N/A
Change-Id: Id83e581781507e499790e77729b0e2d96795f908
Merged-In: Id83e581781507e499790e77729b0e2d96795f908
Prefer KM4.1 and higher over KM4.0 and lower, but prefer TEE over
Strongbox if TEE meets the minimal requirements.
Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: Manually tested by observing logs during boot.
Merged-In: I1d27c80ef7c869b84b6d0c1a5d8eec287c242f6c
Change-Id: I1d27c80ef7c869b84b6d0c1a5d8eec287c242f6c
The upstream RSA APIs are annoyingly tedious, but ah well. Note
X509_set1_signature_algo sets both copies of the signature algorithm.
This also fixes an EVP_PKEY leak in some error paths.
Test: mm
Change-Id: Ifa6f130e9d7dce328c649aa241057dbe5c0e5e66
Running keystore_cli_v2 as root included user0 super keys in the list of
keys. This revealed that the database list keys query was not
restrictive enough.
Bug: 188451778
Test: keystore_cli_v2 list as root should not include any super keys.
Merged-In: I803b7c19f3cdb8a29fbc114e74da1b0dc2473c81
Change-Id: I803b7c19f3cdb8a29fbc114e74da1b0dc2473c81
* Fix keystore_cli_v2 and have it installed on the device by default
again.
* Fix confirmationui invocation test by statically linking dependencies.
Bug: 188450250
Test: atest confirmationui_invocation_test
run any keystore_cli_v2 command
Merged-In: I7097646b6714214782cf15c51dffb7368d62761b
Change-Id: I7097646b6714214782cf15c51dffb7368d62761b
With these changes, the test easily identifies threading issues by
calling selinux concurrently. With no locking in the selinux rust module,
this test causes hard locks very quickly (usually within 2 iterations).
Fixed test hangs (false positives) by adding an explicit "complete" to
all threads instead of using the turnpike for both test start and
test complete.
Added some debug output and increased the iteration count to run the
test longer, getting more confidence in passing tests.
Lastly, use synthetically generated categories (CatCount) for all test
threads instead of just one thread. This seems to both make the test
more "abusive" of selinux as well as reduces test code size.
Test: Remove selinux lock and run keystore2_selinux_concurrency_test
Test: keystore2_selinux_concurrency_test with selinux lock
Change-Id: I796147397da021ca5c78fe8b60aa3853d1a882a3
This test attempts to corrupt the access vector cache of libselinux by
calling selinux_check_access concurrently. The test will fail if the
cache gets corrupted in such a way that selinux_check_access ends up in
an infinite loop.
Test: atest keystore2_selinux_concurrency_test
Bug: 184006658
Change-Id: I357a4454281bdec9865ac1d8a8343378bac1698d
This is a rework of the previously reverted commit
6a50983169, which was attempting to set
WAL mode after startup. It turns out that doing this can race with other
code that is trying to use the DB, resulting in DB lock errors.
Bug: 184006658
Test: CtsKeystoreTestCases
Change-Id: I737fd2750c3157a732c2677eaabf8aa114f42832
This reverts commit 6a50983169.
Reason for revert: Bug 187889158. We forgot to account for database locks in the WAL mode set, and apparently some devices are running into locked dbs.
Change-Id: I43f8cb231397adc69ac6286b64a943cff55629c1
The return value of DB_PATH.lock() was being borrowed, which holds the
lock for the duration of the borrow.
This is not itself a major problem, but if anything else blocked DB
object initialization, other threads could be blocked for a long time
until initialization completes.
Bug: 184006658
Test: KeyStoreTest
Change-Id: I585b40b8770b90fe80d6591157525eed0b5124c3
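The borrow-holds-the-guard pitfall this message describes, as an added Rust illustration that is not keystore2's code: DB_PATH is a constructed stand-in for the global, and the "initialisation" step is simulated with a try_lock probe to show whether another caller would block.

```rust
use std::path::PathBuf;
use std::sync::Mutex;

// Constructed stand-in for keystore2's DB_PATH global (assumption: a
// mutex-protected path set once at startup); not the project's definition.
static DB_PATH: Mutex<Option<PathBuf>> = Mutex::new(None);

fn set_db_path(path: &str) {
    *DB_PATH.lock().unwrap() = Some(PathBuf::from(path));
}

/// The pattern the commit describes: `&*DB_PATH.lock().unwrap()` borrows
/// through the guard, so temporary lifetime extension keeps the MutexGuard
/// alive until the end of the enclosing block. Everything after the borrow
/// (here: the simulated DB initialisation) runs with the mutex held.
/// Returns true if another thread would be blocked during initialisation.
fn init_db_holding_lock() -> bool {
    let path: &Option<PathBuf> = &*DB_PATH.lock().unwrap();
    let db_file = path.as_ref().map(|p| p.join("persistent.sqlite"));
    // Simulated slow initialisation: DB_PATH is still locked at this point,
    // so a second caller's try_lock fails (returns true below).
    let contended = DB_PATH.try_lock().is_err();
    let _ = db_file;
    contended
}

/// The fix: copy the value out of the guard in its own statement, so the
/// guard is dropped at the end of that statement and initialisation runs
/// without holding the lock. Returns false: nobody else is blocked.
fn init_db_releasing_lock() -> bool {
    let path: Option<PathBuf> = DB_PATH.lock().unwrap().clone();
    let db_file = path.as_ref().map(|p| p.join("persistent.sqlite"));
    let contended = DB_PATH.try_lock().is_err();
    let _ = db_file;
    contended
}

fn main() {
    // Constructed placeholder path, not a real device path.
    set_db_path("/tmp/keystore-example");
    println!("lock held during init (borrow): {}", init_db_holding_lock());
    println!("lock held during init (clone):  {}", init_db_releasing_lock());
}
```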
The default busy handler leads to a semi deadlock when used in
conjunction with an in-memory database. That is, the busy handler would
time out because a mutex was held by a thread trying to acquire the file
lock.
The in-memory database was removed from keystore2, so the default busy
handler may be reinstated.
Test: keystore2_test
Bug: 184006658
Change-Id: Idf3a50250342b9eb677b460074dfc6ee7df73964
Write-ahead logging wasn't previously enabled for the keystore2 sqlite
databases out of concern that it might make it impossible to open the
database when the file system is full. Work to correct that problem,
to ensure that sqlite databases can always be opened in WAL mode even
when the WAL file cannot be created, is in progress, so this CL goes
ahead and puts the database in WAL mode. The approach is a little
wasteful, since it re-sends the pragma on every connection, but that
ensures that it gets done and shouldn't impose any significant
overhead.
In the event that setting WAL mode fails, we log an error and continue
on.
Test: CtsKeystoreTestCases
Change-Id: I7d5618760019dce68576f72575321c54c3c24415
When loading the access tuple from the grant table, we need to eliminate
the unreferenced keys.
Author: jdanis@google.com
Test: atest keystore2_test
Change-Id: I2b768fe48ee1fad829e97e596b4647c50f1d0c54
Being in SQLite incurs a variety of overheads. Originally, the per-boot
database was in SQLite with the intention of living in a temporary file
to allow keystore2 to restart without losing auth token state. Since
keystore2 is not allowed to crash, it was moved to an in-memory SQLite
database. Since it is no longer vfs backed, we do not need to pay the
memory, speed, and complexity costs of SQLite for it any longer.
Bug: 186436093
Test: atest keystore2_test
Test: atest CtsKeystoreTestCases
Change-Id: I5c219d294af1876a18a7fdef40307f3b92ae4b8b
The default sqlite cache size of 2M is excessive for keystore use cases.
Reduce it to avoid memory pressure on low memory devices.
Bug: 186436093
Test: atest CtsKeystoreTestCases, saw heap usage drop ~1M
Change-Id: I52e7d78ee15fe863857866848ede84e0f3e4f216