Merge "Have vold inform keymaster that early boot ended"

Treehugger Robot 2020-02-12 04:07:43 +00:00 committed by Gerrit Code Review
commit 68b9fb10ae
3 changed files with 24 additions and 0 deletions


@ -207,6 +207,17 @@ bool Keymaster::isSecure() {
return mDevice->halVersion().securityLevel != km::SecurityLevel::SOFTWARE; return mDevice->halVersion().securityLevel != km::SecurityLevel::SOFTWARE;
} }
void Keymaster::earlyBootEnded() {
auto error = mDevice->earlyBootEnded();
if (!error.isOk()) {
LOG(ERROR) << "earlyBootEnded failed: " << error.description();
}
km::V4_1_ErrorCode km_error = error;
if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) {
LOG(ERROR) << "Error reporting early boot ending to keymaster: " << int32_t(km_error);
}
}
} // namespace vold } // namespace vold
} // namespace android } // namespace android
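Review bot: In `Keymaster::earlyBootEnded()` the `!error.isOk()` branch only logs and then falls through to `km::V4_1_ErrorCode km_error = error;`. If `error` is a HIDL `Return<>`, as the `isOk()`/`description()` calls suggest, converting a failed return to its value asserts, so a transport failure would abort vold right after the log line; ending that branch with `return;` avoids this. The function also dereferences `mDevice` with no null check, and whether the constructor can leave it empty is not visible in this hunk.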


@ -39,6 +39,7 @@ using namespace ::android::hardware::keymaster::V4_1;
// dangerous thing to rely on, but in this case its implications are simple and straightforward: // dangerous thing to rely on, but in this case its implications are simple and straightforward:
// km::ErrorCode refers to the 4.0 ErrorCode, though we pull everything else from 4.1. // km::ErrorCode refers to the 4.0 ErrorCode, though we pull everything else from 4.1.
using ErrorCode = ::android::hardware::keymaster::V4_0::ErrorCode; using ErrorCode = ::android::hardware::keymaster::V4_0::ErrorCode;
using V4_1_ErrorCode = ::android::hardware::keymaster::V4_1::ErrorCode;
} // namespace km } // namespace km
@ -125,6 +126,10 @@ class Keymaster {
km::AuthorizationSet* outParams); km::AuthorizationSet* outParams);
bool isSecure(); bool isSecure();
// Tell Keymaster that early boot has ended and early boot-only keys can no longer be created or
// used.
void earlyBootEnded();
private: private:
std::unique_ptr<KmDevice> mDevice; std::unique_ptr<KmDevice> mDevice;
DISALLOW_COPY_AND_ASSIGN(Keymaster); DISALLOW_COPY_AND_ASSIGN(Keymaster);
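Review bot: The comment on `earlyBootEnded()` does not say what happens on failure, and the `void` return gives callers no way to find out. Because this call is what closes the window for early-boot-only keys, the contract is worth spelling out, for example `// Best effort: failures are only logged; an UNIMPLEMENTED reply is not treated as an error.` Returning `bool` instead would let the caller decide how to react. The class body starts and ends outside this hunk.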


@ -56,6 +56,14 @@ static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded"; static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) { static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) {
// We're about to mount data not verified by verified boot. Tell Keymaster that early boot has
// ended.
//
// TODO(paulcrowley): Make a Keymaster singleton or something, so we don't have to repeatedly
// open and initialize the service.
::android::vold::Keymaster keymaster;
keymaster.earlyBootEnded();
// fs_mgr_do_mount runs fsck. Use setexeccon to run trusted // fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
// partitions in the fsck domain. // partitions in the fsck domain.
if (setexeccon(android::vold::sFsckContext)) { if (setexeccon(android::vold::sFsckContext)) {
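Review bot: `keymaster.earlyBootEnded()` reports nothing back, so `mount_via_fs_mgr` goes on to mount data that, per its own comment, is not covered by verified boot even if keymaster never received the notification. That is fail-open for early-boot-only keys; consider having the call report success and deciding here whether to continue, or at least state in the comment that the mount proceeds regardless. The `keymaster` object is also used straight after construction with no check that it reached a device, and whether that can happen is not visible on this page. The function body continues past the end of the hunk.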