Merge changes from topic "vold-keystore2-fixes" am: 98692ab9bb
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1705226 Change-Id: I310d09e283e3d8804ba7154295d9b004e95cda98
commit
545a13a568
3 changed files with 7 additions and 22 deletions
|
@ -45,8 +45,6 @@
|
|||
|
||||
#include <cutils/properties.h>
|
||||
|
||||
#include <hardware/hw_auth_token.h>
|
||||
|
||||
extern "C" {
|
||||
|
||||
#include "crypto_scrypt.h"
|
||||
|
@ -60,24 +58,18 @@ const KeyAuthentication kEmptyAuthentication{""};
|
|||
static constexpr size_t AES_KEY_BYTES = 32;
|
||||
static constexpr size_t GCM_NONCE_BYTES = 12;
|
||||
static constexpr size_t GCM_MAC_BYTES = 16;
|
||||
static constexpr size_t SALT_BYTES = 1 << 4;
|
||||
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
|
||||
static constexpr size_t STRETCHED_BYTES = 1 << 6;
|
||||
|
||||
static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
|
||||
|
||||
static const char* kCurrentVersion = "1";
|
||||
static const char* kRmPath = "/system/bin/rm";
|
||||
static const char* kSecdiscardPath = "/system/bin/secdiscard";
|
||||
static const char* kStretch_none = "none";
|
||||
static const char* kStretch_nopassword = "nopassword";
|
||||
static const std::string kStretchPrefix_scrypt = "scrypt ";
|
||||
static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
|
||||
static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
|
||||
static const char* kFn_encrypted_key = "encrypted_key";
|
||||
static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
|
||||
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
|
||||
static const char* kFn_salt = "salt";
|
||||
static const char* kFn_secdiscardable = "secdiscardable";
|
||||
static const char* kFn_stretching = "stretching";
|
||||
static const char* kFn_version = "version";
|
||||
|
@ -154,7 +146,7 @@ static bool generateKeyStorageKey(Keymaster& keymaster, const std::string& appId
|
|||
.GcmModeMinMacLen(GCM_MAC_BYTES * 8)
|
||||
.Authorization(km::TAG_APPLICATION_ID, appId)
|
||||
.Authorization(km::TAG_NO_AUTH_REQUIRED);
|
||||
LOG(DEBUG) << "Generating \"key storage\" key that doesn't need auth token";
|
||||
LOG(DEBUG) << "Generating \"key storage\" key";
|
||||
return generateKeymasterKey(keymaster, paramBuilder, key);
|
||||
}
|
||||
|
||||
|
@ -415,7 +407,7 @@ static std::string getStretching(const KeyAuthentication& auth) {
|
|||
}
|
||||
|
||||
static bool stretchSecret(const std::string& stretching, const std::string& secret,
|
||||
const std::string& salt, std::string* stretched) {
|
||||
std::string* stretched) {
|
||||
if (stretching == kStretch_nopassword) {
|
||||
if (!secret.empty()) {
|
||||
LOG(WARNING) << "Password present but stretching is nopassword";
|
||||
|
@ -432,10 +424,9 @@ static bool stretchSecret(const std::string& stretching, const std::string& secr
|
|||
}
|
||||
|
||||
static bool generateAppId(const KeyAuthentication& auth, const std::string& stretching,
|
||||
const std::string& salt, const std::string& secdiscardable_hash,
|
||||
std::string* appId) {
|
||||
const std::string& secdiscardable_hash, std::string* appId) {
|
||||
std::string stretched;
|
||||
if (!stretchSecret(stretching, auth.secret, salt, &stretched)) return false;
|
||||
if (!stretchSecret(stretching, auth.secret, &stretched)) return false;
|
||||
*appId = secdiscardable_hash + stretched;
|
||||
|
||||
const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
|
||||
|
@ -570,9 +561,8 @@ bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBu
|
|||
if (!createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
|
||||
std::string stretching = getStretching(auth);
|
||||
if (!writeStringToFile(stretching, dir + "/" + kFn_stretching)) return false;
|
||||
std::string salt;
|
||||
std::string appId;
|
||||
if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
|
||||
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
|
||||
std::string encryptedKey;
|
||||
if (auth.usesKeymaster()) {
|
||||
Keymaster keymaster;
|
||||
|
@ -621,9 +611,8 @@ bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffe
|
|||
if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
|
||||
std::string stretching;
|
||||
if (!readFileToString(dir + "/" + kFn_stretching, &stretching)) return false;
|
||||
std::string salt;
|
||||
std::string appId;
|
||||
if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
|
||||
if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false;
|
||||
std::string encryptedMessage;
|
||||
if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
|
||||
if (auth.usesKeymaster()) {
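Review bot: generateAppId has no comment saying what appId is built from, and with the salt parameter gone the line `*appId = secdiscardable_hash + stretched;` is the only statement of the derivation. A one-line comment above it, such as `// appId = secdiscardable hash followed by the stretched secret; passed to Keymaster as TAG_APPLICATION_ID`, would document the binding that generateKeyStorageKey relies on. The visible callers in storeKey and retrieveKey only ever passed a default-constructed `salt`, so the derived appId for existing keys should be unchanged. That holds only if the salt was consumed solely by the removed stretching path, which lies outside these hunks and is worth confirming. generateAppId continues past the end of its hunk.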
|
||||
|
|
|
@ -27,10 +27,6 @@ namespace android {
|
|||
namespace vold {
|
||||
|
||||
// Represents the information needed to decrypt a disk encryption key.
|
||||
// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
|
||||
// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
|
||||
// binary needed to unlock.
|
||||
// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
|
||||
class KeyAuthentication {
|
||||
public:
|
||||
KeyAuthentication(const std::string& s) : secret{s} {};
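Review bot: The class comment on KeyAuthentication no longer says what `secret` means if, as the hunk counts suggest, all four token/secret lines are dropped and only the first sentence remains. A replacement line such as `// If "secret" is nonempty, it is used to decrypt in a non-Keymaster process.` would keep the contract readable; the wording should be confirmed against usesKeymaster(), which is not shown here. Separately, the single-argument constructor on the context line is not `explicit`, so a std::string converts silently into a KeyAuthentication. `explicit KeyAuthentication(const std::string& s) : secret{s} {}` would prevent that, provided no caller depends on the conversion. The class body continues outside the hunk.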
|
||||
|
|
|
@ -104,7 +104,7 @@ bool KeymasterOperation::finish(std::string* output) {
|
|||
}
|
||||
|
||||
Keymaster::Keymaster() {
|
||||
::ndk::SpAIBinder binder(AServiceManager_getService(keystore2_service_name));
|
||||
::ndk::SpAIBinder binder(AServiceManager_waitForService(keystore2_service_name));
|
||||
auto keystore2Service = ks2::IKeystoreService::fromBinder(binder);
|
||||
|
||||
if (!keystore2Service) {
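Review bot: `AServiceManager_waitForService` takes no timeout and blocks until keystore2 is registered, so the `if (!keystore2Service)` check below it no longer covers the case where keystore2 never starts. That case now appears as a stalled Keymaster constructor rather than a logged failure. A comment above the call, such as `// Blocks until keystore2 is registered; a missing service stalls here instead of failing.`, would warn callers like storeKey, which constructs a Keymaster inline. A `LOG(DEBUG) << "Waiting for keystore2 service";` before the call would make such a stall visible in logs, assuming this file uses the same logging macro. The constructor body continues outside the hunk.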
|
||||
|
|