tequilaOS/platform_system_vold
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Remove Keymaster::isSecure() and simplify callers

Browse source 
Now that isSecure() always returns true, we can remove it and simplify
all the callers (i.e. cryptfs). Refer to the commit description for
Iaebfef082eca0da8a305043fafb6d85e5de14cf8 for why this function always
return true.

Bug: 181910578
Test: Cuttlefish and bramble boot
Change-Id: I185dd8180bd7842b05295263f0b1aa7205329a88
This commit is contained in:
Satya Tangirala 2021-03-22 23:29:15 -07:00
parent e8de4ffd73
commit 23452c1e3a
3 changed files with 2 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
Keymaster.cpp
View file

@ -219,10 +219,6 @@ KeymasterOperation Keymaster::begin(const std::string& key, const km::Authorizat
return KeymasterOperation(cor.iOperation, cor.upgradedBlob);
}
bool Keymaster::isSecure() {
return true;
}
void Keymaster::earlyBootEnded() {
::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
@ -238,14 +234,3 @@ void Keymaster::earlyBootEnded() {
} // namespace vold
} // namespace android
// TODO: This always returns true right now since we hardcode the security level.
// If it's alright to hardcode it, we should remove this function and simplify the callers.
int keymaster_compatibility_cryptfs_scrypt() {
android::vold::Keymaster dev;
if (!dev) {
LOG(ERROR) << "Failed to initiate keymaster session";
return -1;
}
return dev.isSecure();
}

3
Keymaster.h
View file

@ -122,7 +122,6 @@ class Keymaster {
// also stores the upgraded key blob.
KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
km::AuthorizationSet* outParams);
bool isSecure();
// Tell all Keymint devices that early boot has ended and early boot-only keys can no longer
// be created or used.
@ -136,6 +135,4 @@ class Keymaster {
} // namespace vold
} // namespace android
int keymaster_compatibility_cryptfs_scrypt();
#endif

29
cryptfs.cpp
View file

@ -328,11 +328,6 @@ const KeyGeneration cryptfs_get_keygen() {
return KeyGeneration{get_crypto_type().get_keysize(), true, false};
}
/* Should we use keymaster? */
static int keymaster_check_compatibility() {
return keymaster_compatibility_cryptfs_scrypt();
}
static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
uint32_t* out_size) {
if (!buffer || !out_size) {
@ -1834,7 +1829,6 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char*
char tmp_mount_point[64];
unsigned int orig_failed_decrypt_count;
int rc;
int use_keymaster = 0;
int upgrade = 0;
unsigned char* intermediate_key = 0;
size_t intermediate_key_size = 0;
@ -1916,15 +1910,9 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char*
rc = 0;
// Upgrade if we're not using the latest KDF.
use_keymaster = keymaster_check_compatibility();
if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
// Don't allow downgrade
} else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
if (crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
upgrade = 1;
} else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
crypt_ftr->kdf_type = KDF_SCRYPT;
upgrade = 1;
}
if (upgrade) {
@ -2128,20 +2116,7 @@ static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
ftr->minor_version = CURRENT_MINOR_VERSION;
ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
ftr->keysize = get_crypto_type().get_keysize();
switch (keymaster_check_compatibility()) {
case 1:
ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
break;
case 0:
ftr->kdf_type = KDF_SCRYPT;
break;
default:
SLOGE("keymaster_check_compatibility failed");
return -1;
}
ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
get_device_scrypt_params(ftr);