b0478cfa34
The security improvements to UnlockedDeviceRequired in Android 12 regressed its behavior by making it no longer work for unsecured users, e.g. users with a Swipe lock screen. Two different things broke it:

1. Keystore started enforcing that a HardwareAuthToken be present for all keys that use UnlockedDeviceRequired.

2. Keystore started superencrypting all keys that use UnlockedDeviceRequired. Previously, only keys that used UserAuthenticationRequired were superencrypted.

The above changes apparently resulted from a misconception that for the device to be unlocked, the user must have authenticated. However, unsecured users cannot authenticate and cannot have HardwareAuthTokens, yet the device is always considered unlocked for them.

This change first fixes cause (1) by making Keystore allow keys that use UnlockedDeviceRequired to be used without a HardwareAuthToken, provided that they don't also use UserAuthenticationRequired (which is the protection that actually requires a HardwareAuthToken).

Regarding cause (2), superencryption is an important security enhancement for UnlockedDeviceRequired, so it's not being removed. Instead, the real problem is in the way that Keystore unnecessarily ties superencryption to the existence of the LSKF. That is, Keystore creates a user's super keys only when an LSKF is set, and Keystore deletes all the user's super keys and superencrypted keys when the LSKF is removed. Therefore, this change, in coordination with the corresponding LockSettingsService change, makes each user's Keystore super keys have the same lifetime as the user's synthetic password. That basically means they are created when the user is created and are deleted only when the user is deleted. In addition, when a user's LSKF is removed, Keystore now deletes *only* the user's auth-bound keys.

The fix for cause (1) is entirely in Keystore and is guarded by the fix_unlocked_device_required_keys flag.

The fix for cause (2) consists of two new IKeystoreMaintenance methods, initUserSuperKeys() and onUserLskfRemoved(), that are called by LockSettingsService and are flagged at the LockSettingsService level. Note that once the flag is removed, it will be possible to remove superseded code, including the onUserPasswordChanged() method of IKeystoreMaintenance and the init_user() and reset_user() functions that it calls.

Bug: 296464083
Test: # Did the following with and without the flag enabled:
      atest com.android.server.locksettings \
        && atest -p --include-subdirs system/security/keystore2 \
        && atest CtsKeystoreTestCases
Change-Id: If12824369fbad4a90e5cd0427e792655fd233b96
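The two policy changes the commit message describes, as an added model written for this page (not keystore2's own code): the pre-fix and post-fix key-use decision for cause (1), and the pre-fix and post-fix set of keys that survive LSKF removal for cause (2). Every type, function and key alias below is an assumption made for illustration; the sample keys are constructed. It shows the Swipe-lock user case the commit is about: unlocked, but never able to present a HardwareAuthToken.

```rust
// Added model of the two Keystore policy changes described in the commit
// message above. Illustrative code written for this page, not keystore2's own
// implementation; every type, function and alias name here is an assumption.

/// Whether the user's device is currently considered unlocked.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum DeviceState {
    Unlocked,
    Locked,
}

/// The two key protections under discussion, modelled as flags.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct KeyProtections {
    unlocked_device_required: bool,
    user_authentication_required: bool,
}

/// Per-user state that feeds the key-use decision.
#[derive(Clone, Copy, Debug)]
struct UserState {
    device: DeviceState,
    /// An unsecured user (e.g. Swipe lock screen) can never present one.
    has_hardware_auth_token: bool,
}

/// Cause (1), Android 12 rule: every UnlockedDeviceRequired key demands a
/// HardwareAuthToken, so it fails for unsecured users even when unlocked.
fn key_usable_before_fix(user: UserState, key: KeyProtections) -> bool {
    if key.unlocked_device_required
        && (user.device != DeviceState::Unlocked || !user.has_hardware_auth_token)
    {
        return false;
    }
    if key.user_authentication_required && !user.has_hardware_auth_token {
        return false;
    }
    true
}

/// Fixed rule (fix_unlocked_device_required_keys): UnlockedDeviceRequired only
/// needs the device to be unlocked; only UserAuthenticationRequired demands a
/// HardwareAuthToken.
fn key_usable_after_fix(user: UserState, key: KeyProtections) -> bool {
    if key.unlocked_device_required && user.device != DeviceState::Unlocked {
        return false;
    }
    if key.user_authentication_required && !user.has_hardware_auth_token {
        return false;
    }
    true
}

/// A stored key. Auth-bound means UserAuthenticationRequired; since the
/// Android 12 change, keys with either protection are superencrypted.
#[derive(Clone, Debug, PartialEq, Eq)]
struct StoredKey {
    alias: &'static str,
    protections: KeyProtections,
}

fn is_superencrypted(k: &StoredKey) -> bool {
    k.protections.unlocked_device_required || k.protections.user_authentication_required
}

fn is_auth_bound(k: &StoredKey) -> bool {
    k.protections.user_authentication_required
}

/// Cause (2), Android 12 behaviour: super keys exist only while an LSKF is
/// set, so removing the LSKF deletes every superencrypted key.
fn aliases_surviving_lskf_removal_before_fix(keys: &[StoredKey]) -> Vec<&'static str> {
    keys.iter().filter(|k| !is_superencrypted(k)).map(|k| k.alias).collect()
}

/// Fixed behaviour (onUserLskfRemoved): super keys live as long as the
/// synthetic password, so only the user's auth-bound keys are deleted.
fn aliases_surviving_lskf_removal_after_fix(keys: &[StoredKey]) -> Vec<&'static str> {
    keys.iter().filter(|k| !is_auth_bound(k)).map(|k| k.alias).collect()
}

/// Constructed sample keys (aliases are made up for this example).
fn sample_keys() -> Vec<StoredKey> {
    let mk = |alias, udr, uar| StoredKey {
        alias,
        protections: KeyProtections { unlocked_device_required: udr, user_authentication_required: uar },
    };
    vec![mk("plain", false, false), mk("udr", true, false), mk("auth_bound", false, true)]
}

fn main() {
    // A Swipe-lock user: always unlocked, never holds a HardwareAuthToken.
    let swipe_user = UserState { device: DeviceState::Unlocked, has_hardware_auth_token: false };
    let locked_user = UserState { device: DeviceState::Locked, has_hardware_auth_token: false };
    for k in sample_keys() {
        println!(
            "{:<10} swipe user before/after fix: {}/{}   locked: {}",
            k.alias,
            key_usable_before_fix(swipe_user, k.protections),
            key_usable_after_fix(swipe_user, k.protections),
            key_usable_after_fix(locked_user, k.protections)
        );
    }
    println!("survive LSKF removal, before: {:?}", aliases_surviving_lskf_removal_before_fix(&sample_keys()));
    println!("survive LSKF removal, after:  {:?}", aliases_surviving_lskf_removal_after_fix(&sample_keys()));
}
```

Run as-is: the "udr" key is unusable for the Swipe-lock user before the fix and usable after, while the "auth_bound" key stays unusable in both cases and every key with UnlockedDeviceRequired is refused once the device is locked. On LSKF removal the old behaviour keeps only "plain", the new behaviour keeps "plain" and "udr" and drops only "auth_bound".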
Tree entries at this commit:
  android/security/
  Android.bp