Send earlyBootEnded notice to all Keymasters

Vold incorrectly sends the earlyBootEnded signal only to the Keymaster
instance used for device encryption, but all of them need it.

Bug: 152932559
Test: VtsHalKeymasterV4_1TargetTest
Merged-In: Id8f01a1dc7d2398395f369c3ea74656a82888829
Change-Id: Id8f01a1dc7d2398395f369c3ea74656a82888829
This commit is contained in:
Shawn Willden 2020-04-01 10:02:16 -06:00
parent 479588c68e
commit 28eddbd2ef
3 changed files with 19 additions and 17 deletions

View file

@ -229,13 +229,19 @@ bool Keymaster::isSecure() {
}
void Keymaster::earlyBootEnded() {
auto error = mDevice->earlyBootEnded();
auto devices = KmDevice::enumerateAvailableDevices();
for (auto& dev : devices) {
auto error = dev->earlyBootEnded();
if (!error.isOk()) {
LOG(ERROR) << "earlyBootEnded failed: " << error.description();
LOG(ERROR) << "earlyBootEnded call failed: " << error.description() << " for "
<< dev->halVersion().keymasterName;
}
km::V4_1_ErrorCode km_error = error;
if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) {
LOG(ERROR) << "Error reporting early boot ending to keymaster: " << int32_t(km_error);
LOG(ERROR) << "Error reporting early boot ending to keymaster: "
<< static_cast<int32_t>(km_error) << " for "
<< dev->halVersion().keymasterName;
}
}
}

View file

@ -128,9 +128,9 @@ class Keymaster {
km::AuthorizationSet* outParams);
bool isSecure();
// Tell Keymaster that early boot has ended and early boot-only keys can no longer be created or
// used.
void earlyBootEnded();
// Tell all Keymaster instances that early boot has ended and early boot-only keys can no longer
// be created or used.
static void earlyBootEnded();
private:
std::unique_ptr<KmDevice> mDevice;

View file

@ -87,13 +87,9 @@ const KeyGeneration makeGen(const CryptoOptions& options) {
}
static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) {
// We're about to mount data not verified by verified boot. Tell Keymaster that early boot has
// ended.
//
// TODO(paulcrowley): Make a Keymaster singleton or something, so we don't have to repeatedly
// open and initialize the service.
::android::vold::Keymaster keymaster;
keymaster.earlyBootEnded();
// We're about to mount data not verified by verified boot. Tell Keymaster instances that early
// boot has ended.
::android::vold::Keymaster::earlyBootEnded();
// fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
// partitions in the fsck domain.