2016-01-21 21:26:12 +01:00
|
|
|
/*
|
|
|
|
* Copyright (C) 2016 The Android Open Source Project
|
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "KeyStorage.h"
|
|
|
|
|
2019-06-07 23:18:14 +02:00
|
|
|
#include "Checkpoint.h"
|
2016-01-21 21:26:12 +01:00
|
|
|
#include "Keymaster.h"
|
2016-02-10 15:02:47 +01:00
|
|
|
#include "ScryptParameters.h"
|
2016-01-21 21:26:12 +01:00
|
|
|
#include "Utils.h"
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
#include <algorithm>
|
2021-01-19 18:51:51 +01:00
|
|
|
#include <memory>
|
|
|
|
#include <mutex>
|
2019-06-07 05:38:38 +02:00
|
|
|
#include <thread>
|
2016-01-21 21:26:12 +01:00
|
|
|
#include <vector>
|
|
|
|
|
|
|
|
#include <errno.h>
|
2016-05-16 17:14:56 +02:00
|
|
|
#include <stdio.h>
|
2016-01-21 21:26:12 +01:00
|
|
|
#include <sys/stat.h>
|
|
|
|
#include <sys/types.h>
|
|
|
|
#include <sys/wait.h>
|
|
|
|
#include <unistd.h>
|
|
|
|
|
2017-01-05 07:32:40 +01:00
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/evp.h>
|
2016-01-21 21:26:12 +01:00
|
|
|
#include <openssl/sha.h>
|
|
|
|
|
|
|
|
#include <android-base/file.h>
|
|
|
|
#include <android-base/logging.h>
|
2019-06-07 05:38:38 +02:00
|
|
|
#include <android-base/properties.h>
|
2019-06-07 23:18:14 +02:00
|
|
|
#include <android-base/unique_fd.h>
|
2016-01-21 21:26:12 +01:00
|
|
|
|
2016-02-10 15:02:47 +01:00
|
|
|
#include <cutils/properties.h>
|
|
|
|
|
|
|
|
extern "C" {
|
|
|
|
|
|
|
|
#include "crypto_scrypt.h"
|
|
|
|
}
|
|
|
|
|
2016-01-21 21:26:12 +01:00
|
|
|
namespace android {
|
|
|
|
namespace vold {
|
|
|
|
|
2021-03-15 23:33:08 +01:00
|
|
|
const KeyAuthentication kEmptyAuthentication{""};
|
2016-02-08 16:55:41 +01:00
|
|
|
|
2016-01-21 21:26:12 +01:00
|
|
|
static constexpr size_t AES_KEY_BYTES = 32;
|
|
|
|
static constexpr size_t GCM_NONCE_BYTES = 12;
|
|
|
|
static constexpr size_t GCM_MAC_BYTES = 16;
|
2016-03-09 18:31:37 +01:00
|
|
|
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
|
2016-04-27 21:58:41 +02:00
|
|
|
|
2016-02-08 16:55:41 +01:00
|
|
|
static const char* kCurrentVersion = "1";
|
2016-01-21 21:26:12 +01:00
|
|
|
static const char* kRmPath = "/system/bin/rm";
|
|
|
|
static const char* kSecdiscardPath = "/system/bin/secdiscard";
|
2016-02-10 15:02:47 +01:00
|
|
|
static const char* kStretch_none = "none";
|
|
|
|
static const char* kStretch_nopassword = "nopassword";
|
2017-01-05 07:32:40 +01:00
|
|
|
static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
|
|
|
|
static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
|
2016-01-21 21:26:12 +01:00
|
|
|
static const char* kFn_encrypted_key = "encrypted_key";
|
2016-02-08 16:55:41 +01:00
|
|
|
static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
|
2016-05-16 17:14:56 +02:00
|
|
|
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
|
2016-01-21 21:26:12 +01:00
|
|
|
static const char* kFn_secdiscardable = "secdiscardable";
|
2016-02-08 16:55:41 +01:00
|
|
|
static const char* kFn_stretching = "stretching";
|
|
|
|
static const char* kFn_version = "version";
|
2016-01-21 21:26:12 +01:00
|
|
|
|
2021-01-19 18:51:51 +01:00
|
|
|
namespace {
|
|
|
|
|
|
|
|
// Storage binding info for ensuring key encryption keys include a
|
|
|
|
// platform-provided seed in their derivation.
|
|
|
|
struct StorageBindingInfo {
|
|
|
|
enum class State {
|
|
|
|
UNINITIALIZED,
|
|
|
|
IN_USE, // key storage keys are bound to seed
|
|
|
|
NOT_USED, // key storage keys are NOT bound to seed
|
|
|
|
};
|
|
|
|
|
|
|
|
// Binding seed mixed into all key storage keys.
|
|
|
|
std::vector<uint8_t> seed;
|
|
|
|
|
|
|
|
// State tracker for the key storage key binding.
|
|
|
|
State state = State::UNINITIALIZED;
|
|
|
|
|
|
|
|
std::mutex guard;
|
|
|
|
};
|
|
|
|
|
|
|
|
// Never freed as the dtor is non-trivial.
|
|
|
|
StorageBindingInfo& storage_binding_info = *new StorageBindingInfo;
|
|
|
|
|
|
|
|
} // namespace
|
|
|
|
|
2016-01-27 15:30:22 +01:00
|
|
|
static bool checkSize(const std::string& kind, size_t actual, size_t expected) {
|
2016-01-21 21:26:12 +01:00
|
|
|
if (actual != expected) {
|
2016-03-09 18:31:37 +01:00
|
|
|
LOG(ERROR) << "Wrong number of bytes in " << kind << ", expected " << expected << " got "
|
|
|
|
<< actual;
|
2016-01-21 21:26:12 +01:00
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-10-26 20:16:39 +02:00
|
|
|
static void hashWithPrefix(char const* prefix, const std::string& tohash, std::string* res) {
|
2016-01-21 21:26:12 +01:00
|
|
|
SHA512_CTX c;
|
|
|
|
|
|
|
|
SHA512_Init(&c);
|
|
|
|
// Personalise the hashing by introducing a fixed prefix.
|
|
|
|
// Hashing applications should use personalization except when there is a
|
|
|
|
// specific reason not to; see section 4.11 of https://www.schneier.com/skein1.3.pdf
|
2017-01-05 07:32:40 +01:00
|
|
|
std::string hashingPrefix = prefix;
|
|
|
|
hashingPrefix.resize(SHA512_CBLOCK);
|
|
|
|
SHA512_Update(&c, hashingPrefix.data(), hashingPrefix.size());
|
|
|
|
SHA512_Update(&c, tohash.data(), tohash.size());
|
2017-10-26 20:16:39 +02:00
|
|
|
res->assign(SHA512_DIGEST_LENGTH, '\0');
|
|
|
|
SHA512_Final(reinterpret_cast<uint8_t*>(&(*res)[0]), &c);
|
2016-01-21 21:26:12 +01:00
|
|
|
}
|
|
|
|
|
2021-03-15 20:44:36 +01:00
|
|
|
// Generates a keymaster key, using rollback resistance if supported.
|
|
|
|
static bool generateKeymasterKey(Keymaster& keymaster,
|
|
|
|
const km::AuthorizationSetBuilder& paramBuilder,
|
|
|
|
std::string* key) {
|
|
|
|
auto paramsWithRollback = paramBuilder;
|
|
|
|
paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
|
|
|
|
|
|
|
|
if (!keymaster.generateKey(paramsWithRollback, key)) {
|
|
|
|
LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keymaster "
|
|
|
|
"doesn't support rollback resistance. Falling back to "
|
|
|
|
"non-rollback-resistant key.";
|
|
|
|
if (!keymaster.generateKey(paramBuilder, key)) return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-03-15 23:33:08 +01:00
|
|
|
static bool generateKeyStorageKey(Keymaster& keymaster, const std::string& appId,
|
|
|
|
std::string* key) {
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
auto paramBuilder = km::AuthorizationSetBuilder()
|
|
|
|
.AesEncryptionKey(AES_KEY_BYTES * 8)
|
|
|
|
.GcmModeMinMacLen(GCM_MAC_BYTES * 8)
|
|
|
|
.Authorization(km::TAG_APPLICATION_ID, appId)
|
|
|
|
.Authorization(km::TAG_NO_AUTH_REQUIRED);
|
2021-05-12 04:48:47 +02:00
|
|
|
LOG(DEBUG) << "Generating \"key storage\" key";
|
2021-03-15 20:44:36 +01:00
|
|
|
return generateKeymasterKey(keymaster, paramBuilder, key);
|
2016-03-04 23:07:05 +01:00
|
|
|
}
|
|
|
|
|
2020-02-03 22:06:45 +01:00
|
|
|
bool generateWrappedStorageKey(KeyBuffer* key) {
|
|
|
|
Keymaster keymaster;
|
|
|
|
if (!keymaster) return false;
|
|
|
|
std::string key_temp;
|
|
|
|
auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
|
|
|
|
paramBuilder.Authorization(km::TAG_STORAGE_KEY);
|
2021-03-15 20:44:36 +01:00
|
|
|
if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false;
|
2020-02-03 22:06:45 +01:00
|
|
|
*key = KeyBuffer(key_temp.size());
|
|
|
|
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key) {
|
|
|
|
Keymaster keymaster;
|
|
|
|
if (!keymaster) return false;
|
|
|
|
std::string key_temp;
|
|
|
|
|
|
|
|
if (!keymaster.exportKey(kmKey, &key_temp)) return false;
|
|
|
|
*key = KeyBuffer(key_temp.size());
|
|
|
|
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2021-03-15 23:33:08 +01:00
|
|
|
static km::AuthorizationSet beginParams(const std::string& appId) {
|
|
|
|
return km::AuthorizationSetBuilder()
|
|
|
|
.GcmModeMacLen(GCM_MAC_BYTES * 8)
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
.Authorization(km::TAG_APPLICATION_ID, appId);
|
2016-01-21 21:26:12 +01:00
|
|
|
}
|
|
|
|
|
2016-05-16 17:14:56 +02:00
|
|
|
static bool readFileToString(const std::string& filename, std::string* result) {
|
|
|
|
if (!android::base::ReadFileToString(filename, result)) {
|
|
|
|
PLOG(ERROR) << "Failed to read from " << filename;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-10-26 20:16:39 +02:00
|
|
|
static bool readRandomBytesOrLog(size_t count, std::string* out) {
|
|
|
|
auto status = ReadRandomBytes(count, *out);
|
|
|
|
if (status != OK) {
|
|
|
|
LOG(ERROR) << "Random read failed with status: " << status;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool createSecdiscardable(const std::string& filename, std::string* hash) {
|
|
|
|
std::string secdiscardable;
|
|
|
|
if (!readRandomBytesOrLog(SECDISCARDABLE_BYTES, &secdiscardable)) return false;
|
|
|
|
if (!writeStringToFile(secdiscardable, filename)) return false;
|
|
|
|
hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
bool readSecdiscardable(const std::string& filename, std::string* hash) {
|
|
|
|
std::string secdiscardable;
|
|
|
|
if (!readFileToString(filename, &secdiscardable)) return false;
|
|
|
|
hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
static std::mutex key_upgrade_lock;
|
|
|
|
|
|
|
|
// List of key directories that have had their Keymaster key upgraded during
|
|
|
|
// this boot and written to "keymaster_key_blob_upgraded", but replacing the old
|
|
|
|
// key was delayed due to an active checkpoint. Protected by key_upgrade_lock.
|
|
|
|
static std::vector<std::string> key_dirs_to_commit;
|
|
|
|
|
|
|
|
// Replaces |dir|/keymaster_key_blob with |dir|/keymaster_key_blob_upgraded and
|
|
|
|
// deletes the old key from Keymaster.
|
|
|
|
static bool CommitUpgradedKey(Keymaster& keymaster, const std::string& dir) {
|
|
|
|
auto blob_file = dir + "/" + kFn_keymaster_key_blob;
|
|
|
|
auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded;
|
|
|
|
|
|
|
|
std::string blob;
|
|
|
|
if (!readFileToString(blob_file, &blob)) return false;
|
|
|
|
|
|
|
|
if (rename(upgraded_blob_file.c_str(), blob_file.c_str()) != 0) {
|
|
|
|
PLOG(ERROR) << "Failed to rename " << upgraded_blob_file << " to " << blob_file;
|
|
|
|
return false;
|
2019-06-07 05:38:38 +02:00
|
|
|
}
|
2020-11-06 04:58:26 +01:00
|
|
|
// Ensure that the rename is persisted before deleting the Keymaster key.
|
|
|
|
if (!FsyncDirectory(dir)) return false;
|
|
|
|
|
|
|
|
if (!keymaster || !keymaster.deleteKey(blob)) {
|
|
|
|
LOG(WARNING) << "Failed to delete old key " << blob_file
|
|
|
|
<< " from Keymaster; continuing anyway";
|
|
|
|
// Continue on, but the space in Keymaster used by the old key won't be freed.
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void DeferredCommitKeys() {
|
|
|
|
android::base::WaitForProperty("vold.checkpoint_committed", "1");
|
|
|
|
LOG(INFO) << "Committing upgraded keys";
|
2019-06-07 05:38:38 +02:00
|
|
|
Keymaster keymaster;
|
2020-11-06 04:58:26 +01:00
|
|
|
if (!keymaster) {
|
|
|
|
LOG(ERROR) << "Failed to open Keymaster; old keys won't be deleted from Keymaster";
|
|
|
|
// Continue on, but the space in Keymaster used by the old keys won't be freed.
|
|
|
|
}
|
|
|
|
std::lock_guard<std::mutex> lock(key_upgrade_lock);
|
|
|
|
for (auto& dir : key_dirs_to_commit) {
|
|
|
|
LOG(INFO) << "Committing upgraded key " << dir;
|
|
|
|
CommitUpgradedKey(keymaster, dir);
|
2019-06-07 05:38:38 +02:00
|
|
|
}
|
2020-11-06 04:58:26 +01:00
|
|
|
key_dirs_to_commit.clear();
|
2019-06-07 05:38:38 +02:00
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
// Returns true if the Keymaster key in |dir| has already been upgraded and is
|
|
|
|
// pending being committed. Assumes that key_upgrade_lock is held.
|
|
|
|
static bool IsKeyCommitPending(const std::string& dir) {
|
|
|
|
for (const auto& dir_to_commit : key_dirs_to_commit) {
|
|
|
|
if (IsSameFile(dir, dir_to_commit)) return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
2019-06-07 05:38:38 +02:00
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
// Schedules the upgraded Keymaster key in |dir| to be committed later.
|
|
|
|
// Assumes that key_upgrade_lock is held.
|
|
|
|
static void ScheduleKeyCommit(const std::string& dir) {
|
|
|
|
if (key_dirs_to_commit.empty()) std::thread(DeferredCommitKeys).detach();
|
|
|
|
key_dirs_to_commit.push_back(dir);
|
|
|
|
}
|
|
|
|
|
|
|
|
static void CancelPendingKeyCommit(const std::string& dir) {
|
|
|
|
std::lock_guard<std::mutex> lock(key_upgrade_lock);
|
|
|
|
for (auto it = key_dirs_to_commit.begin(); it != key_dirs_to_commit.end(); it++) {
|
|
|
|
if (IsSameFile(*it, dir)) {
|
|
|
|
LOG(DEBUG) << "Cancelling pending commit of upgraded key " << dir
|
|
|
|
<< " because it is being destroyed";
|
|
|
|
key_dirs_to_commit.erase(it);
|
|
|
|
break;
|
|
|
|
}
|
2019-06-07 05:38:38 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2021-05-13 09:43:03 +02:00
|
|
|
// Renames a key directory. Also updates the deferred commit vector
|
|
|
|
// (key_dirs_to_commit) appropriately.
|
|
|
|
//
|
|
|
|
// However, @old_name must be the path to the directory that was used to put that
|
|
|
|
// directory into the deferred commit list in the first place (since this function
|
|
|
|
// directly compares paths instead of using IsSameFile()).
|
|
|
|
static bool RenameKeyDir(const std::string& old_name, const std::string& new_name) {
|
|
|
|
std::lock_guard<std::mutex> lock(key_upgrade_lock);
|
|
|
|
|
|
|
|
if (rename(old_name.c_str(), new_name.c_str()) != 0) return false;
|
|
|
|
|
|
|
|
// IsSameFile() doesn't work here since we just renamed @old_name.
|
|
|
|
for (auto it = key_dirs_to_commit.begin(); it != key_dirs_to_commit.end(); it++) {
|
|
|
|
if (*it == old_name) *it = new_name;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
// Deletes a leftover upgraded key, if present. An upgraded key can be left
|
|
|
|
// over if an update failed, or if we rebooted before committing the key in a
|
|
|
|
// freak accident. Either way, we can re-upgrade the key if we need to.
|
|
|
|
static void DeleteUpgradedKey(Keymaster& keymaster, const std::string& path) {
|
|
|
|
if (pathExists(path)) {
|
|
|
|
LOG(DEBUG) << "Deleting leftover upgraded key " << path;
|
|
|
|
std::string blob;
|
|
|
|
if (!android::base::ReadFileToString(path, &blob)) {
|
|
|
|
LOG(WARNING) << "Failed to read leftover upgraded key " << path
|
|
|
|
<< "; continuing anyway";
|
|
|
|
} else if (!keymaster.deleteKey(blob)) {
|
|
|
|
LOG(WARNING) << "Failed to delete leftover upgraded key " << path
|
|
|
|
<< " from Keymaster; continuing anyway";
|
2016-05-16 17:14:56 +02:00
|
|
|
}
|
2020-11-06 04:58:26 +01:00
|
|
|
if (unlink(path.c_str()) != 0) {
|
|
|
|
LOG(WARNING) << "Failed to unlink leftover upgraded key " << path
|
|
|
|
<< "; continuing anyway";
|
2016-05-16 17:14:56 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
// Begins a Keymaster operation using the key stored in |dir|.
|
|
|
|
static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::string& dir,
|
|
|
|
const km::AuthorizationSet& keyParams,
|
|
|
|
const km::AuthorizationSet& opParams,
|
|
|
|
km::AuthorizationSet* outParams) {
|
|
|
|
km::AuthorizationSet inParams(keyParams);
|
|
|
|
inParams.append(opParams.begin(), opParams.end());
|
|
|
|
|
|
|
|
auto blob_file = dir + "/" + kFn_keymaster_key_blob;
|
|
|
|
auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded;
|
|
|
|
|
|
|
|
std::lock_guard<std::mutex> lock(key_upgrade_lock);
|
|
|
|
|
|
|
|
std::string blob;
|
|
|
|
bool already_upgraded = IsKeyCommitPending(dir);
|
|
|
|
if (already_upgraded) {
|
|
|
|
LOG(DEBUG)
|
|
|
|
<< blob_file
|
|
|
|
<< " was already upgraded and is waiting to be committed; using the upgraded blob";
|
|
|
|
if (!readFileToString(upgraded_blob_file, &blob)) return KeymasterOperation();
|
|
|
|
} else {
|
|
|
|
DeleteUpgradedKey(keymaster, upgraded_blob_file);
|
|
|
|
if (!readFileToString(blob_file, &blob)) return KeymasterOperation();
|
|
|
|
}
|
|
|
|
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
auto opHandle = keymaster.begin(blob, inParams, outParams);
|
|
|
|
if (!opHandle) return opHandle;
|
|
|
|
|
|
|
|
// If key blob wasn't upgraded, nothing left to do.
|
|
|
|
if (!opHandle.getUpgradedBlob()) return opHandle;
|
2020-11-06 04:58:26 +01:00
|
|
|
|
|
|
|
if (already_upgraded) {
|
|
|
|
LOG(ERROR) << "Unexpected case; already-upgraded key " << upgraded_blob_file
|
|
|
|
<< " still requires upgrade";
|
|
|
|
return KeymasterOperation();
|
|
|
|
}
|
|
|
|
LOG(INFO) << "Upgrading key: " << blob_file;
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
if (!writeStringToFile(*opHandle.getUpgradedBlob(), upgraded_blob_file))
|
|
|
|
return KeymasterOperation();
|
2020-11-06 04:58:26 +01:00
|
|
|
if (cp_needsCheckpoint()) {
|
|
|
|
LOG(INFO) << "Wrote upgraded key to " << upgraded_blob_file
|
|
|
|
<< "; delaying commit due to checkpoint";
|
|
|
|
ScheduleKeyCommit(dir);
|
|
|
|
} else {
|
|
|
|
if (!CommitUpgradedKey(keymaster, dir)) return KeymasterOperation();
|
|
|
|
LOG(INFO) << "Key upgraded: " << blob_file;
|
|
|
|
}
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
return opHandle;
|
2020-11-06 04:58:26 +01:00
|
|
|
}
|
|
|
|
|
2016-05-16 17:14:56 +02:00
|
|
|
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
2018-01-22 17:08:32 +01:00
|
|
|
const km::AuthorizationSet& keyParams,
|
2020-11-06 04:58:26 +01:00
|
|
|
const KeyBuffer& message, std::string* ciphertext) {
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
km::AuthorizationSet opParams =
|
|
|
|
km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
|
2018-01-22 17:08:32 +01:00
|
|
|
km::AuthorizationSet outParams;
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
|
2016-01-27 15:30:22 +01:00
|
|
|
if (!opHandle) return false;
|
2018-01-22 17:08:32 +01:00
|
|
|
auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
if (!nonceBlob) {
|
2016-01-21 21:26:12 +01:00
|
|
|
LOG(ERROR) << "GCM encryption but no nonce generated";
|
|
|
|
return false;
|
|
|
|
}
|
2016-01-27 15:30:22 +01:00
|
|
|
// nonceBlob here is just a pointer into existing data, must not be freed
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
std::string nonce(nonceBlob.value().get().begin(), nonceBlob.value().get().end());
|
2016-01-27 15:30:22 +01:00
|
|
|
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
|
2016-01-21 21:26:12 +01:00
|
|
|
std::string body;
|
2016-03-09 01:08:32 +01:00
|
|
|
if (!opHandle.updateCompletely(message, &body)) return false;
|
2016-01-21 21:26:12 +01:00
|
|
|
|
|
|
|
std::string mac;
|
2016-05-16 17:14:56 +02:00
|
|
|
if (!opHandle.finish(&mac)) return false;
|
2016-01-27 15:30:22 +01:00
|
|
|
if (!checkSize("mac", mac.size(), GCM_MAC_BYTES)) return false;
|
2016-03-09 01:08:32 +01:00
|
|
|
*ciphertext = nonce + body + mac;
|
2016-01-21 21:26:12 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-05-16 17:14:56 +02:00
|
|
|
static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
2018-01-22 17:08:32 +01:00
|
|
|
const km::AuthorizationSet& keyParams,
|
2020-11-06 04:58:26 +01:00
|
|
|
const std::string& ciphertext, KeyBuffer* message) {
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
const std::string nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
|
2016-01-27 15:30:22 +01:00
|
|
|
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
|
Make vold use keystore2 instead of keymaster
Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.
Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.
The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).
A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
- 1) that the keys generated by the keymaster were "standalone" keys -
i.e. that the keymaster could operate on those keys without
requiring /data or any other service to be available.
- 2) that the keymaster was a non-SOFTWARE implementation so that things
would still work in case a "real" TEE keymaster was ever somehow
added to the device after first boot.
Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.
We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.
There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.
Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
2021-03-01 07:32:07 +01:00
|
|
|
auto opParams = km::AuthorizationSetBuilder()
|
|
|
|
.Authorization(km::TAG_NONCE, nonce)
|
|
|
|
.Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
|
|
|
|
auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
|
2016-01-27 15:30:22 +01:00
|
|
|
if (!opHandle) return false;
|
|
|
|
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
|
2016-05-16 17:14:56 +02:00
|
|
|
if (!opHandle.finish(nullptr)) return false;
|
2016-01-27 15:30:22 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-01-05 07:32:40 +01:00
|
|
|
static std::string getStretching(const KeyAuthentication& auth) {
|
2021-03-15 23:33:08 +01:00
|
|
|
if (auth.usesKeymaster()) {
|
2017-01-05 07:32:40 +01:00
|
|
|
return kStretch_nopassword;
|
|
|
|
} else {
|
2021-03-15 23:33:08 +01:00
|
|
|
return kStretch_none;
|
2017-01-05 07:32:40 +01:00
|
|
|
}
|
2016-02-10 15:02:47 +01:00
|
|
|
}
|
|
|
|
|
2016-03-09 18:31:37 +01:00
|
|
|
static bool stretchSecret(const std::string& stretching, const std::string& secret,
|
2021-04-07 23:30:25 +02:00
|
|
|
std::string* stretched) {
|
2016-02-10 15:02:47 +01:00
|
|
|
if (stretching == kStretch_nopassword) {
|
|
|
|
if (!secret.empty()) {
|
2016-03-04 22:45:00 +01:00
|
|
|
LOG(WARNING) << "Password present but stretching is nopassword";
|
2016-02-10 15:02:47 +01:00
|
|
|
// Continue anyway
|
|
|
|
}
|
2016-03-09 01:08:32 +01:00
|
|
|
stretched->clear();
|
2016-02-10 15:02:47 +01:00
|
|
|
} else if (stretching == kStretch_none) {
|
2016-03-09 01:08:32 +01:00
|
|
|
*stretched = secret;
|
2016-02-10 15:02:47 +01:00
|
|
|
} else {
|
|
|
|
LOG(ERROR) << "Unknown stretching type: " << stretching;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-03-09 18:31:37 +01:00
|
|
|
static bool generateAppId(const KeyAuthentication& auth, const std::string& stretching,
|
2021-04-07 23:30:25 +02:00
|
|
|
const std::string& secdiscardable_hash, std::string* appId) {
|
2016-02-10 15:02:47 +01:00
|
|
|
std::string stretched;
|
2021-04-07 23:30:25 +02:00
|
|
|
if (!stretchSecret(stretching, auth.secret, &stretched)) return false;
|
2017-10-26 20:16:39 +02:00
|
|
|
*appId = secdiscardable_hash + stretched;
|
2021-01-19 18:51:51 +01:00
|
|
|
|
|
|
|
const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
|
|
|
|
switch (storage_binding_info.state) {
|
|
|
|
case StorageBindingInfo::State::UNINITIALIZED:
|
|
|
|
storage_binding_info.state = StorageBindingInfo::State::NOT_USED;
|
|
|
|
break;
|
|
|
|
case StorageBindingInfo::State::IN_USE:
|
|
|
|
appId->append(storage_binding_info.seed.begin(), storage_binding_info.seed.end());
|
|
|
|
break;
|
|
|
|
case StorageBindingInfo::State::NOT_USED:
|
|
|
|
// noop
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
2017-01-05 07:32:40 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void logOpensslError() {
|
|
|
|
LOG(ERROR) << "Openssl error: " << ERR_get_error();
|
|
|
|
}
|
|
|
|
|
2018-01-20 17:37:36 +01:00
|
|
|
static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& plaintext,
|
|
|
|
std::string* ciphertext) {
|
2017-10-26 20:16:39 +02:00
|
|
|
std::string key;
|
|
|
|
hashWithPrefix(kHashPrefix_keygen, preKey, &key);
|
2017-01-05 07:32:40 +01:00
|
|
|
key.resize(AES_KEY_BYTES);
|
|
|
|
if (!readRandomBytesOrLog(GCM_NONCE_BYTES, ciphertext)) return false;
|
|
|
|
auto ctx = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>(
|
|
|
|
EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
|
|
|
|
if (!ctx) {
|
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (1 != EVP_EncryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
2018-01-20 17:37:36 +01:00
|
|
|
reinterpret_cast<const uint8_t*>(key.data()),
|
|
|
|
reinterpret_cast<const uint8_t*>(ciphertext->data()))) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
ciphertext->resize(GCM_NONCE_BYTES + plaintext.size() + GCM_MAC_BYTES);
|
|
|
|
int outlen;
|
2018-01-20 17:37:36 +01:00
|
|
|
if (1 != EVP_EncryptUpdate(
|
|
|
|
ctx.get(), reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES),
|
|
|
|
&outlen, reinterpret_cast<const uint8_t*>(plaintext.data()), plaintext.size())) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (outlen != static_cast<int>(plaintext.size())) {
|
|
|
|
LOG(ERROR) << "GCM ciphertext length should be " << plaintext.size() << " was " << outlen;
|
|
|
|
return false;
|
|
|
|
}
|
2018-01-20 17:37:36 +01:00
|
|
|
if (1 != EVP_EncryptFinal_ex(
|
|
|
|
ctx.get(),
|
|
|
|
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES + plaintext.size()),
|
|
|
|
&outlen)) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (outlen != 0) {
|
|
|
|
LOG(ERROR) << "GCM EncryptFinal should be 0, was " << outlen;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_GET_TAG, GCM_MAC_BYTES,
|
2018-01-20 17:37:36 +01:00
|
|
|
reinterpret_cast<uint8_t*>(&(*ciphertext)[0] + GCM_NONCE_BYTES +
|
|
|
|
plaintext.size()))) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2018-01-20 17:37:36 +01:00
|
|
|
static bool decryptWithoutKeymaster(const std::string& preKey, const std::string& ciphertext,
|
|
|
|
KeyBuffer* plaintext) {
|
2017-01-05 07:32:40 +01:00
|
|
|
if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
|
|
|
|
LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
|
|
|
|
return false;
|
|
|
|
}
|
2017-10-26 20:16:39 +02:00
|
|
|
std::string key;
|
|
|
|
hashWithPrefix(kHashPrefix_keygen, preKey, &key);
|
2017-01-05 07:32:40 +01:00
|
|
|
key.resize(AES_KEY_BYTES);
|
|
|
|
auto ctx = std::unique_ptr<EVP_CIPHER_CTX, decltype(&::EVP_CIPHER_CTX_free)>(
|
|
|
|
EVP_CIPHER_CTX_new(), EVP_CIPHER_CTX_free);
|
|
|
|
if (!ctx) {
|
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (1 != EVP_DecryptInit_ex(ctx.get(), EVP_aes_256_gcm(), NULL,
|
2018-01-20 17:37:36 +01:00
|
|
|
reinterpret_cast<const uint8_t*>(key.data()),
|
|
|
|
reinterpret_cast<const uint8_t*>(ciphertext.data()))) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
2017-08-01 18:15:53 +02:00
|
|
|
*plaintext = KeyBuffer(ciphertext.size() - GCM_NONCE_BYTES - GCM_MAC_BYTES);
|
2017-01-05 07:32:40 +01:00
|
|
|
int outlen;
|
2018-01-20 17:37:36 +01:00
|
|
|
if (1 != EVP_DecryptUpdate(ctx.get(), reinterpret_cast<uint8_t*>(&(*plaintext)[0]), &outlen,
|
|
|
|
reinterpret_cast<const uint8_t*>(ciphertext.data() + GCM_NONCE_BYTES),
|
|
|
|
plaintext->size())) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (outlen != static_cast<int>(plaintext->size())) {
|
|
|
|
LOG(ERROR) << "GCM plaintext length should be " << plaintext->size() << " was " << outlen;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (1 != EVP_CIPHER_CTX_ctrl(ctx.get(), EVP_CTRL_GCM_SET_TAG, GCM_MAC_BYTES,
|
2018-01-20 17:37:36 +01:00
|
|
|
const_cast<void*>(reinterpret_cast<const void*>(
|
|
|
|
ciphertext.data() + GCM_NONCE_BYTES + plaintext->size())))) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (1 != EVP_DecryptFinal_ex(ctx.get(),
|
2018-01-20 17:37:36 +01:00
|
|
|
reinterpret_cast<uint8_t*>(&(*plaintext)[0] + plaintext->size()),
|
|
|
|
&outlen)) {
|
2017-01-05 07:32:40 +01:00
|
|
|
logOpensslError();
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (outlen != 0) {
|
|
|
|
LOG(ERROR) << "GCM EncryptFinal should be 0, was " << outlen;
|
|
|
|
return false;
|
|
|
|
}
|
2016-02-10 15:02:47 +01:00
|
|
|
return true;
|
2016-02-08 16:55:41 +01:00
|
|
|
}
|
|
|
|
|
2017-08-01 18:15:53 +02:00
|
|
|
bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
|
2016-01-21 21:26:12 +01:00
|
|
|
if (TEMP_FAILURE_RETRY(mkdir(dir.c_str(), 0700)) == -1) {
|
|
|
|
PLOG(ERROR) << "key mkdir " << dir;
|
|
|
|
return false;
|
|
|
|
}
|
2016-03-09 18:31:37 +01:00
|
|
|
if (!writeStringToFile(kCurrentVersion, dir + "/" + kFn_version)) return false;
|
2017-10-26 20:16:39 +02:00
|
|
|
std::string secdiscardable_hash;
|
|
|
|
if (!createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
|
2017-01-05 07:32:40 +01:00
|
|
|
std::string stretching = getStretching(auth);
|
2016-03-09 18:31:37 +01:00
|
|
|
if (!writeStringToFile(stretching, dir + "/" + kFn_stretching)) return false;
|
2016-03-04 23:07:05 +01:00
|
|
|
std::string appId;
|
2021-04-07 23:30:25 +02:00
|
|
|
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
|
2016-03-04 23:07:05 +01:00
|
|
|
std::string encryptedKey;
|
2017-01-05 07:32:40 +01:00
|
|
|
if (auth.usesKeymaster()) {
|
|
|
|
Keymaster keymaster;
|
|
|
|
if (!keymaster) return false;
|
|
|
|
std::string kmKey;
|
2021-03-15 23:33:08 +01:00
|
|
|
if (!generateKeyStorageKey(keymaster, appId, &kmKey)) return false;
|
2017-01-05 07:32:40 +01:00
|
|
|
if (!writeStringToFile(kmKey, dir + "/" + kFn_keymaster_key_blob)) return false;
|
2021-03-15 23:33:08 +01:00
|
|
|
km::AuthorizationSet keyParams = beginParams(appId);
|
|
|
|
if (!encryptWithKeymasterKey(keymaster, dir, keyParams, key, &encryptedKey)) return false;
|
2017-01-05 07:32:40 +01:00
|
|
|
} else {
|
|
|
|
if (!encryptWithoutKeymaster(appId, key, &encryptedKey)) return false;
|
|
|
|
}
|
2016-01-27 15:30:22 +01:00
|
|
|
if (!writeStringToFile(encryptedKey, dir + "/" + kFn_encrypted_key)) return false;
|
2018-12-08 00:36:09 +01:00
|
|
|
if (!FsyncDirectory(dir)) return false;
|
2016-01-21 21:26:12 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-06-02 20:01:19 +02:00
|
|
|
bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path,
|
2017-08-01 18:15:53 +02:00
|
|
|
const KeyAuthentication& auth, const KeyBuffer& key) {
|
2016-06-02 20:01:19 +02:00
|
|
|
if (pathExists(key_path)) {
|
|
|
|
LOG(ERROR) << "Already exists, cannot create key at: " << key_path;
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
if (pathExists(tmp_path)) {
|
|
|
|
LOG(DEBUG) << "Already exists, destroying: " << tmp_path;
|
|
|
|
destroyKey(tmp_path); // May be partially created so ignore errors
|
|
|
|
}
|
|
|
|
if (!storeKey(tmp_path, auth, key)) return false;
|
2021-05-13 09:43:03 +02:00
|
|
|
|
|
|
|
if (!RenameKeyDir(tmp_path, key_path)) {
|
2016-06-02 20:01:19 +02:00
|
|
|
PLOG(ERROR) << "Unable to move new key to location: " << key_path;
|
|
|
|
return false;
|
|
|
|
}
|
2021-02-17 00:59:17 +01:00
|
|
|
if (!FsyncParentDirectory(key_path)) return false;
|
2016-06-02 20:01:19 +02:00
|
|
|
LOG(DEBUG) << "Created key: " << key_path;
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key) {
|
2016-02-08 16:55:41 +01:00
|
|
|
std::string version;
|
2016-03-09 01:08:32 +01:00
|
|
|
if (!readFileToString(dir + "/" + kFn_version, &version)) return false;
|
2016-02-08 16:55:41 +01:00
|
|
|
if (version != kCurrentVersion) {
|
|
|
|
LOG(ERROR) << "Version mismatch, expected " << kCurrentVersion << " got " << version;
|
|
|
|
return false;
|
|
|
|
}
|
2017-10-26 20:16:39 +02:00
|
|
|
std::string secdiscardable_hash;
|
|
|
|
if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
|
2016-02-10 15:02:47 +01:00
|
|
|
std::string stretching;
|
2016-03-09 01:08:32 +01:00
|
|
|
if (!readFileToString(dir + "/" + kFn_stretching, &stretching)) return false;
|
2016-03-04 23:07:05 +01:00
|
|
|
std::string appId;
|
2021-04-07 23:30:25 +02:00
|
|
|
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
|
2016-01-27 15:30:22 +01:00
|
|
|
std::string encryptedMessage;
|
2016-03-09 01:08:32 +01:00
|
|
|
if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
|
2017-01-05 07:32:40 +01:00
|
|
|
if (auth.usesKeymaster()) {
|
|
|
|
Keymaster keymaster;
|
|
|
|
if (!keymaster) return false;
|
2021-03-15 23:33:08 +01:00
|
|
|
km::AuthorizationSet keyParams = beginParams(appId);
|
|
|
|
if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key))
|
2018-01-20 17:37:36 +01:00
|
|
|
return false;
|
2017-01-05 07:32:40 +01:00
|
|
|
} else {
|
|
|
|
if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false;
|
|
|
|
}
|
|
|
|
return true;
|
2016-01-21 21:26:12 +01:00
|
|
|
}
|
|
|
|
|
2020-11-06 04:58:26 +01:00
|
|
|
static bool DeleteKeymasterKey(const std::string& blob_file) {
|
|
|
|
std::string blob;
|
|
|
|
if (!readFileToString(blob_file, &blob)) return false;
|
2016-01-21 21:26:12 +01:00
|
|
|
Keymaster keymaster;
|
|
|
|
if (!keymaster) return false;
|
2020-11-06 04:58:26 +01:00
|
|
|
LOG(DEBUG) << "Deleting key " << blob_file << " from Keymaster";
|
|
|
|
if (!keymaster.deleteKey(blob)) return false;
|
2016-01-21 21:26:12 +01:00
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2017-04-27 21:43:10 +02:00
|
|
|
bool runSecdiscardSingle(const std::string& file) {
|
2018-01-20 17:37:36 +01:00
|
|
|
if (ForkExecvp(std::vector<std::string>{kSecdiscardPath, "--", file}) != 0) {
|
2017-04-27 21:43:10 +02:00
|
|
|
LOG(ERROR) << "secdiscard failed";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-03-09 18:31:37 +01:00
|
|
|
static bool recursiveDeleteKey(const std::string& dir) {
|
|
|
|
if (ForkExecvp(std::vector<std::string>{kRmPath, "-rf", dir}) != 0) {
|
2016-01-21 21:26:12 +01:00
|
|
|
LOG(ERROR) << "recursive delete failed";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2016-03-09 18:31:37 +01:00
|
|
|
bool destroyKey(const std::string& dir) {
|
2016-01-21 21:26:12 +01:00
|
|
|
bool success = true;
|
2020-11-06 04:58:26 +01:00
|
|
|
|
|
|
|
CancelPendingKeyCommit(dir);
|
|
|
|
|
2017-10-26 20:28:55 +02:00
|
|
|
auto secdiscard_cmd = std::vector<std::string>{
|
2018-09-18 22:30:21 +02:00
|
|
|
kSecdiscardPath,
|
|
|
|
"--",
|
|
|
|
dir + "/" + kFn_encrypted_key,
|
|
|
|
dir + "/" + kFn_secdiscardable,
|
2017-10-26 20:28:55 +02:00
|
|
|
};
|
2020-11-06 04:58:26 +01:00
|
|
|
// Try each thing, even if previous things failed.
|
|
|
|
|
|
|
|
for (auto& fn : {kFn_keymaster_key_blob, kFn_keymaster_key_blob_upgraded}) {
|
|
|
|
auto blob_file = dir + "/" + fn;
|
|
|
|
if (pathExists(blob_file)) {
|
|
|
|
success &= DeleteKeymasterKey(blob_file);
|
|
|
|
secdiscard_cmd.push_back(blob_file);
|
|
|
|
}
|
2017-10-26 20:28:55 +02:00
|
|
|
}
|
|
|
|
if (ForkExecvp(secdiscard_cmd) != 0) {
|
|
|
|
LOG(ERROR) << "secdiscard failed";
|
|
|
|
success = false;
|
|
|
|
}
|
2016-01-27 15:30:22 +01:00
|
|
|
success &= recursiveDeleteKey(dir);
|
2016-01-21 21:26:12 +01:00
|
|
|
return success;
|
|
|
|
}
|
|
|
|
|
2021-01-19 18:51:51 +01:00
|
|
|
bool setKeyStorageBindingSeed(const std::vector<uint8_t>& seed) {
|
|
|
|
const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
|
|
|
|
switch (storage_binding_info.state) {
|
|
|
|
case StorageBindingInfo::State::UNINITIALIZED:
|
|
|
|
storage_binding_info.state = StorageBindingInfo::State::IN_USE;
|
|
|
|
storage_binding_info.seed = seed;
|
|
|
|
return true;
|
|
|
|
case StorageBindingInfo::State::IN_USE:
|
|
|
|
LOG(ERROR) << "key storage binding seed already set";
|
|
|
|
return false;
|
|
|
|
case StorageBindingInfo::State::NOT_USED:
|
|
|
|
LOG(ERROR) << "key storage already in use without binding";
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-01-21 21:26:12 +01:00
|
|
|
} // namespace vold
|
|
|
|
} // namespace android
|