Have vold inform keymaster that early boot ended
Just before mounting partition(s) not verified by verified boot, vold should notify keymaster that early boot has ended so it won't allow EARLY_BOOT_ONLY keys to be created or used. Test: VtsHalKeymasterV4_1TargetTest Change-Id: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3 Merged-In: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3
parent
35f0f22c9b
commit
2b1ff5aaab
3 changed files with 24 additions and 0 deletions
|
@ -207,6 +207,17 @@ bool Keymaster::isSecure() {
|
|||
return mDevice->halVersion().securityLevel != km::SecurityLevel::SOFTWARE;
|
||||
}
|
||||
|
||||
void Keymaster::earlyBootEnded() {
|
||||
auto error = mDevice->earlyBootEnded();
|
||||
if (!error.isOk()) {
|
||||
LOG(ERROR) << "earlyBootEnded failed: " << error.description();
|
||||
}
|
||||
km::V4_1_ErrorCode km_error = error;
|
||||
if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) {
|
||||
LOG(ERROR) << "Error reporting early boot ending to keymaster: " << int32_t(km_error);
|
||||
}
|
||||
}
|
||||
|
||||
} // namespace vold
|
||||
} // namespace android
|
||||
|
||||
|
|
|
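Review bot: In `Keymaster::earlyBootEnded()` the transport-failure branch only logs and then falls through to `km::V4_1_ErrorCode km_error = error;`. If `error` is a HIDL `Return<>`, as `isOk()` and `description()` suggest, reading the value of a failed return asserts, so an unreachable keymaster service would likely abort vold here; add `return;` after the first `LOG(ERROR)`. The function also returns `void`, so the caller cannot tell that the notification failed, and EARLY_BOOT_ONLY keys may stay usable after unverified data is mounted. Returning `bool` would let the caller decide whether to proceed.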
@ -39,6 +39,7 @@ using namespace ::android::hardware::keymaster::V4_1;
|
|||
// dangerous thing to rely on, but in this case its implications are simple and straightforward:
|
||||
// km::ErrorCode refers to the 4.0 ErrorCode, though we pull everything else from 4.1.
|
||||
using ErrorCode = ::android::hardware::keymaster::V4_0::ErrorCode;
|
||||
using V4_1_ErrorCode = ::android::hardware::keymaster::V4_1::ErrorCode;
|
||||
|
||||
} // namespace km
|
||||
|
||||
|
@ -125,6 +126,10 @@ class Keymaster {
|
|||
km::AuthorizationSet* outParams);
|
||||
bool isSecure();
|
||||
|
||||
// Tell Keymaster that early boot has ended and early boot-only keys can no longer be created or
|
||||
// used.
|
||||
void earlyBootEnded();
|
||||
|
||||
private:
|
||||
std::unique_ptr<KmDevice> mDevice;
|
||||
DISALLOW_COPY_AND_ASSIGN(Keymaster);
|
||||
|
|
|
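Review bot: The comment on `earlyBootEnded()` does not say which device is notified or what happens on failure. The class holds a single `mDevice`, so on hardware with more than one keymaster instance presumably only that one is told that early boot has ended, and any other instance would keep accepting EARLY_BOOT_ONLY keys. I would extend the comment with `// Notifies only the device held in mDevice. Failures are logged and not reported to the caller.` and track coverage of every instance as a follow-up. The class body starts and ends outside these hunks.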
@ -56,6 +56,14 @@ static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
|
|||
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
|
||||
|
||||
static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) {
|
||||
// We're about to mount data not verified by verified boot. Tell Keymaster that early boot has
|
||||
// ended.
|
||||
//
|
||||
// TODO(paulcrowley): Make a Keymaster singleton or something, so we don't have to repeatedly
|
||||
// open and initialize the service.
|
||||
::android::vold::Keymaster keymaster;
|
||||
keymaster.earlyBootEnded();
|
||||
|
||||
// fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
|
||||
// partitions in the fsck domain.
|
||||
if (setexeccon(android::vold::sFsckContext)) {
|
||||
|
|
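Review bot: `keymaster.earlyBootEnded()` is called on a freshly constructed `Keymaster` without checking that a device was actually opened. `earlyBootEnded()` dereferences `mDevice` unconditionally, so if the constructor can leave `mDevice` empty (the constructor is not shown on this page) this becomes a null dereference on the mount path. A guard at the top of `earlyBootEnded()`, such as `if (!mDevice) { LOG(ERROR) << "No keymaster device"; return; }`, would cover every caller. It is also worth stating in the comment here whether the mount is meant to continue when the notification cannot be delivered. The body of `mount_via_fs_mgr` continues outside the hunk.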