tequilaOS/platform_system_security
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_security/keystore
History
Rubin Xu bfb01d904d Handle auth token with same timestamp 
We observed on some Pixel C that they sometimes generate auth token with
a stuck timestamp value. Since the timestamp value does not increase,
newer auth token is not considered "superceding" old auth tokens and keystore
end up retrieving older auth tokens which are then treated as expired due to
its time_received value being too old.

We workaround this issue by comparing both the timestamp (which is part of
auth token) and the time_received (which is a monotonic clock value at the
time auth token is sent to keystore). So a new auth token with stuck timestamp
value but newer time_received still supercedes older auth tokens.

This is actually sufficient to workaround the issue on Pixel C, since the stuck
timestamp value is returned by the secure RTC, whose value is also used by
keymaster TA to check key authorization. In other words, the auth token is
still good to authorize auth-bound keys, even with a stuck timestamp value.
This does mean that on the affected Pixel C, auth-bound keys are not enforced
at TrustZone leve, but merely a logical check in keystore daemon.

Bug: 65283496
Test: boot device, unlock successfully
Change-Id: I0b9d5463e94241bfaf552dcb31fea04ee966596c
2017-10-23 17:06:04 +01:00
..
include/keystore Refurbish granting mechanism 2017-06-23 14:01:54 -07:00
tests Fix AuthTokenTable tests. 2016-03-25 12:34:28 -06:00
.clang-format Add attestation application id for key attestation 2016-08-19 15:04:48 +01:00
Android.mk Refurbish granting mechanism 2017-06-23 14:01:54 -07:00
auth_token_table.cpp Handle auth token with same timestamp 2017-10-23 17:06:04 +01:00
auth_token_table.h Handle auth token with same timestamp 2017-10-23 17:06:04 +01:00
authorization_set.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
blob.cpp Fix use of auth-bound keys after screen lock removal 2017-09-12 04:13:57 +00:00
blob.h Use AES-GCM to encrypt keystore blobs. 2017-05-23 20:16:04 -06:00
defaults.h Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
entropy.cpp Refactor keystore. 2016-01-26 22:48:06 -07:00
entropy.h Refactor keystore. 2016-01-26 22:48:06 -07:00
grant_store.cpp Fix multiple issues with the keystore grant mechanism 2017-10-02 09:58:04 -07:00
grant_store.h Fix multiple issues with the keystore grant mechanism 2017-10-02 09:58:04 -07:00
IKeystoreService.cpp Refurbish granting mechanism 2017-06-23 14:01:54 -07:00
key_store_service.cpp Fix int truncation in auth token handling 2017-10-12 10:50:11 +01:00
key_store_service.h Refurbish granting mechanism 2017-06-23 14:01:54 -07:00
KeyAttestationApplicationId.cpp Add attestation application id for key attestation 2016-08-19 15:04:48 +01:00
KeyAttestationPackageInfo.cpp Add attestation application id for key attestation 2016-08-19 15:04:48 +01:00
keyblob_utils.cpp Separate keymaster0 and keymaster1 HALs. 2015-02-25 23:13:12 -07:00
keymaster_enforcement.cpp Add manufacturer and model to device ID attestation 2017-03-20 14:02:36 +01:00
keymaster_enforcement.h Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore.cpp Fix multiple issues with the keystore grant mechanism 2017-10-02 09:58:04 -07:00
keystore.h Fix multiple issues with the keystore grant mechanism 2017-10-02 09:58:04 -07:00
keystore.rc Move keystore to foreground cpuset. 2016-04-15 19:18:05 +00:00
keystore_aidl_hidl_marshalling_utils.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_aidl_hidl_marshalling_utils.h Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_attestation_id.cpp Revise the attestation application id format 2016-09-01 15:01:33 +01:00
keystore_attestation_id.h Revise the attestation application id format 2016-09-01 15:01:33 +01:00
keystore_cli.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_cli_v2.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_client.proto Add encryption convenience methods to KeystoreClient. 2015-11-02 09:12:59 -08:00
keystore_client_impl.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_get.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_get_wifi_hidl.cpp Fix transitive include. 2017-04-06 12:41:59 -07:00
keystore_keymaster_enforcement.h Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_main.cpp keystore: Run Wifi keystore HAL in keystore daemon 2017-03-30 13:04:46 -07:00
keystore_tags_utils.cpp Port to binderized keymaster HAL 2017-01-23 08:30:49 -07:00
keystore_utils.cpp Split libkeymaster1 into libkeymaster and libkeymaster_portable 2017-05-03 15:53:26 +00:00
keystore_utils.h Remove use of UniquePtr from keystore 2017-05-01 12:34:46 -07:00
legacy_keymaster_device_wrapper.cpp Revert "Delegate auth token parsing to HAL." 2017-03-28 00:44:33 +00:00
legacy_keymaster_device_wrapper.h Revert "Delegate auth token parsing to HAL." 2017-03-28 00:44:33 +00:00
operation.cpp Revert "Delegate auth token parsing to HAL." 2017-03-28 00:44:33 +00:00
operation.h Revert "Delegate auth token parsing to HAL." 2017-03-28 00:44:33 +00:00
permissions.cpp Fix unique ID attestation. 2017-04-11 11:48:50 -06:00
permissions.h Fix multiple issues with the keystore grant mechanism 2017-10-02 09:58:04 -07:00
Signature.cpp Add attestation application id for key attestation 2016-08-19 15:04:48 +01:00
test-keystore Revive test script for keystore 2015-09-24 21:10:20 +03:00
user_state.cpp Use AES-GCM to encrypt keystore blobs. 2017-05-23 20:16:04 -06:00
user_state.h Use AES-GCM to encrypt keystore blobs. 2017-05-23 20:16:04 -06:00