This reverts commit 2dbabf3b72.
Reason for revert: DroidMonitor revert for b/310139666
Bug: 310139666
Change-Id: I1213940cc4e3112038c1cc66f5a218a9378d6b0f
This makes rkpd_client independent of keystore2 and facilitates
the extraction of rkpd_client as a standalone library later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: I3bcf0afdb587b2e95bd9a970631c29696f57ed4f
This cl moves watchdog calls to keystore2 to make rkpd_client
less dependent on keystore2, this allows us to make rkpd_client
an independent library more easily later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Ic3040ad65356aa7e25d38f36d453a258caf28403
This simplifies the task of creating an independent library of
rkpd_client later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Idddf37d14580e691fde5a494e54297465cb693b6
This will facilitate the extraction of rkpd_client as a standalone
library later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: Icff6f88f2c3cc3dc50dd126067ed5f10c8aa7b29
This simplifies the task of creating an independent library of
rkpd_client later.
Test: atest keystore2_test
Bug: 241428146
Change-Id: I2834c9be9f5100d52829e6392f0dd48e7c76beb1
This returns the time (from CLOCK_MONOTONIC_RAW) that the specified user
last authenticated using the given authenticator.
Bug: 303839446
Test: atest keystore2_client_tests
Change-Id: Idd4c477365ffa556b7985d1d926dfa554680ff28
Adding a 'static bound for a binder Interface Implementation.
This is now needed to allow new code used to cast a Binder
Native object back to the original object that implements the
Binder Interface.
Test: CI
Bug: 278780666
Change-Id: Ifa1ec4d4c6692d75ada6c58cb97e6c82b791be04
1. Generate a key with application-data and use the generated key to
create an operation using the same application-data. Test should
create an operation successfully.
2. Generate a key with application-data and use the generated key to
create an operation using different application-data. Test should
fail to create an operation with `INVALID_KEY_BLOB` error code.
3. Generate a key with application-id and use the generated key to
create an operation using the same application-id. Test should
create an operation successfully.
4. Generate a key with application-id and use the generated key to
create an operation using different application-id. Test should
fail to create an operation with `INVALID_KEY_BLOB` error code.
5. Generate an attestation key without app-id and app-data. Test should
generate a new key with specifying app-id, app-data and using
previously generated attestation key. Test should be able to generate
a new key successfully.
6. Generate an attestation key with app-id and app-data. Test should try
to generate an attested key using previously generated attestation
key without specifying same app-id, app-data. Test should fail to
generate a new key with an error code `INVALID_KEY_BLOB`. It is an
oversight of the Keystore API that `APPLICATION_ID` and
`APPLICATION_DATA` tags cannot be provided to generateKey for
an attestation key that was generated with them.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I56fad4806c6d96c5994f4affdd7aa6620b1f1be8
* changes:
keystore2: rename the ScreenLockBound superencryption keys and type
keystore2: rename the LskfBound superencryption key and type
keystore2: rename values of UserState enum
Rename the ScreenLockBound superencryption keys and superencryption type
to UnlockedDeviceRequired. This avoids confusion about what "screen
lock bound" means and makes the terminology consistent with the
UnlockedDeviceRequired key parameter in the API.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I98f7716d05c06f8c6db0f3eb616fb6e780407c2d
Rename the LskfBound superencryption key and superencryption type (also
known as per-boot) to AfterFirstUnlock.
This makes it much clearer what the protection of this key is. This
includes avoiding the misleading use of "LSKF"; the secret that's
actually relevant is the user's synthetic password, which is most
commonly unlocked with the LSKF but can potentially be unlocked in other
ways. This is also helpful for the planned change to make the user's
super keys exist even while the user doesn't have an LSKF.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I9b16934f37222fef2bf01830f521928ef2c1853a
Rename UserState::LskfLocked to UserState::BeforeFirstUnlock, and
rename UserState::LskfUnlocked to UserState::AfterFirstUnlock.
This makes it much clearer what these states are. This includes
avoiding the misleading use of "LSKF"; the secret that's actually
relevant is the user's synthetic password, which is most commonly
unlocked with the LSKF but can potentially be unlocked in other ways.
This is also helpful for the planned change to make the user's super
keys exist even while the user doesn't have an LSKF.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I78f15e2165876951c98e22e577fc4c92a3602b3b
As early as fsverity_init, the flag can only be static (thus
is_fixed_read_only). It is now a constant/false and will be flipped
during the ramp up at build time.
Bug: 290064770
Test: mma
Test: Inspect the generated code
Change-Id: I4bd1addb996705f6e6b9f75313bf22b9ecd3e11c
* changes:
Adding tests to check unique id attestation.
Changes are made in keystore-client-tests to verify CREATION_DATETIME, ATTESTATION_CHALLENGE and ATTESTATION_APPLICATION_ID.
This function will be uses in several places for pVM
remote attestation.
Bug: 303807447
Test: atest libdiced_sample_inputs.integration_test \
libdiced_sample_inputs_nostd.integration_test
Change-Id: I6f45ff35c6e48eb42a32d28c1eb3e851859db655
Add code (adapted from system/keymint/common/src/keyblob/legacy.rs)
which parses keyblobs in the format produced by the previous C++
reference implementation of KeyMint.
Bug: 283077822
Bug: 296403357
Test: tested with ARC upgrade, see b/296403357
Change-Id: I519eed0ac968d5c2595f95609ffadede5d2d2677
When handling keyblob upgrade required, also watch out for an invalid
keyblob error that might indicate that a key used to be a
km_compat-wrapped Keymaster key.
In this situation, try stripping off the km_compat prefix and
attempt upgrade of the inner keyblob data instead.
Bug: 251426862
Bug: 283077822
Bug: 296403357
Test: tested with ARC upgrade, see b/296403357
Change-Id: I8539455e33ab2e1c97f26174476ee9d616269e74
IKeystoreMaintenance#getState() is no longer called, so remove it along
with the enum value for the GetState permission.
Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Change-Id: I9ec6cca78cd1eb899ac7adfc99fc5eee41dc7e44
1. Generate a key with `BOOTLOADER_ONLY` tag. Test should successfully
generate a key and verify the key characteristics. Test should fail
with error code `INVALID_KEY_BLOB` during creation of an operation
using this key.
2. Generate a key with `EARLY_BOOT_ONLY` tag. Test should successfully
generate a key and verify the key characteristics. Test should fail
with error code `EARLY_BOOT_ENDED` during creation of an operation
using this key.
3. Generate a key with `MAX_USES_PER_BOOT` tag. Test should successfully
generate a key and verify the key characteristics. Test should be
able to use the key successfully `MAX_USES_COUNT` times. After
exceeding key usage `MAX_USES_COUNT` times subsequent attempts to use
the key in test should fail with error code `MAX_OPS_EXCEEDED`.
4. Generate a key with `USAGE_COUNT_LIMIT` tag. Test should successfully
generate a key and verify the key characteristics. Test should be
able to use the key successfully `MAX_USES_COUNT` times. After
exceeding key usage `MAX_USES_COUNT` times subsequent attempts to use
the key in test should fail with error code `KEY_NOT_FOUND`. Test
should also check attest record for attested keys that
`USAGE_COUNT_LIMIT` is included in attest record.
Bug: 279721870
Test: atest keystore2_client_tests
Change-Id: I205964b571d92dc0fcbd11b1f6d45bc3aea7c050
