2016-01-21 21:26:12 +01:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2016 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef ANDROID_VOLD_KEYSTORAGE_H
|
|
|
|
#define ANDROID_VOLD_KEYSTORAGE_H
|
|
|
|
|
2017-08-01 18:15:53 +02:00
|
|
|
#include "KeyBuffer.h"
|
|
|
|
|
2021-01-19 18:51:51 +01:00
|
|
|
#include <cstdint>
|
2016-01-21 21:26:12 +01:00
|
|
|
#include <string>
|
2021-01-19 18:51:51 +01:00
|
|
|
#include <vector>
|
2016-01-21 21:26:12 +01:00
|
|
|
|
|
|
|
namespace android {
|
|
|
|
namespace vold {
|
|
|
|
|
2016-02-08 16:55:41 +01:00
|
|
|
// Represents the information needed to decrypt a disk encryption key.
|
|
|
|
// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
|
2017-01-05 07:32:40 +01:00
|
|
|
// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
|
2016-02-08 16:55:41 +01:00
|
|
|
// binary needed to unlock.
|
2017-01-05 07:32:40 +01:00
|
|
|
// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
|
2016-02-08 16:55:41 +01:00
|
|
|
class KeyAuthentication {
|
2016-03-09 18:31:37 +01:00
|
|
|
public:
|
2018-12-18 20:10:31 +01:00
|
|
|
KeyAuthentication(const std::string& t, const std::string& s) : token{t}, secret{s} {};
|
2017-01-05 07:32:40 +01:00
|
|
|
|
|
|
|
bool usesKeymaster() const { return !token.empty() || secret.empty(); };
|
|
|
|
|
2016-02-08 16:55:41 +01:00
|
|
|
const std::string token;
|
|
|
|
const std::string secret;
|
|
|
|
};
|
|
|
|
|
|
|
|
extern const KeyAuthentication kEmptyAuthentication;
|
|
|
|
|
2017-10-26 20:16:39 +02:00
|
|
|
bool createSecdiscardable(const std::string& path, std::string* hash);
|
|
|
|
bool readSecdiscardable(const std::string& path, std::string* hash);
|
|
|
|
|
2016-01-21 21:26:12 +01:00
|
|
|
// Create a directory at the named path, and store "key" in it,
|
|
|
|
// in such a way that it can only be retrieved via Keymaster and
|
|
|
|
// can be securely deleted.
|
|
|
|
// It's safe to move/rename the directory after creation.
|
2017-08-01 18:15:53 +02:00
|
|
|
bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key);
|
2016-01-21 21:26:12 +01:00
|
|
|
|
2016-06-02 20:01:19 +02:00
|
|
|
// Create a directory at the named path, and store "key" in it as storeKey
|
|
|
|
// This version creates the key in "tmp_path" then atomically renames "tmp_path"
|
|
|
|
// to "key_path" thereby ensuring that the key is either stored entirely or
|
2021-02-17 00:59:17 +01:00
|
|
|
// not at all. All the needed files and directories are also fsync'ed to ensure
|
|
|
|
// that the key is actually persisted to disk.
|
2016-06-02 20:01:19 +02:00
|
|
|
bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path,
|
2017-08-01 18:15:53 +02:00
|
|
|
const KeyAuthentication& auth, const KeyBuffer& key);
|
2016-06-02 20:01:19 +02:00
|
|
|
|
2016-01-21 21:26:12 +01:00
|
|
|
// Retrieve the key from the named directory.
|
2020-11-06 04:58:26 +01:00
|
|
|
bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key);
|
2016-01-21 21:26:12 +01:00
|
|
|
|
|
|
|
// Securely destroy the key stored in the named directory and delete the directory.
|
2016-03-09 18:31:37 +01:00
|
|
|
bool destroyKey(const std::string& dir);
|
2016-01-21 21:26:12 +01:00
|
|
|
|
2017-04-27 21:43:10 +02:00
|
|
|
bool runSecdiscardSingle(const std::string& file);
|
2020-02-03 22:06:45 +01:00
|
|
|
|
|
|
|
// Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster.
|
|
|
|
bool generateWrappedStorageKey(KeyBuffer* key);
|
|
|
|
// Export the per-boot boot wrapped storage key using keymaster.
|
|
|
|
bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key);
|
2021-01-19 18:51:51 +01:00
|
|
|
|
|
|
|
// Set a seed to be mixed into all key storage encryption keys.
|
|
|
|
bool setKeyStorageBindingSeed(const std::vector<uint8_t>& seed);
|
2016-01-21 21:26:12 +01:00
|
|
|
} // namespace vold
|
|
|
|
} // namespace android
|
|
|
|
|
|
|
|
#endif
|