Revert^2 "Detect factory reset and deleteAllKeys"

Revert submission 15536724-revert-15521094-vold-deleteAllKeys-GDJSMLXRVZ Reason for revert: Underlying KM problem fixed Reverted Changes: I8e2621bef:Revert "Detect factory reset and deleteAllKeys" I546b980bb:Revert "Add deleteAllKeys to IKeystoreMaintenance"... I1ed68dd9e:Revert "Allow vold to deleteAllKeys in Keystore" Bug: 187105270 Test: booted Cuttlefish twice Merged-In: 1e6a5f5106 Change-Id: Id641444b4ebba951aa8c5474ed60844cfaae1e20
2021-08-12 19:20:40 +00:00 · 2021-08-12 19:20:40 +00:00 · d31f36d334
commit d31f36d334
parent 2bab97c368
3 changed files with 27 additions and 0 deletions
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@ -230,5 +230,18 @@ void Keymaster::earlyBootEnded() {
    logKeystore2ExceptionIfPresent(rc, "earlyBootEnded");
 }

+void Keymaster::deleteAllKeys() {
+    ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
+    auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
+
+    if (!maint_service) {
+        LOG(ERROR) << "Unable to connect to keystore2 maintenance service for deleteAllKeys";
+        return;
+    }
+
+    auto rc = maint_service->deleteAllKeys();
+    logKeystore2ExceptionIfPresent(rc, "deleteAllKeys");
+}
+
 }  // namespace vold
 }  // namespace android
--- a/Keymaster.h
+++ b/Keymaster.h
@ -127,6 +127,9 @@ class Keymaster {
    // be created or used.
    static void earlyBootEnded();

+    // Tell all Keymint devices to delete all rollback-protected keys.
+    static void deleteAllKeys();
+
  private:
    std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
    DISALLOW_COPY_AND_ASSIGN(Keymaster);
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@ -112,6 +112,17 @@ static bool read_key(const std::string& metadata_key_dir, const KeyGeneration& g
    auto dir = metadata_key_dir + "/key";
    LOG(DEBUG) << "metadata_key_dir/key: " << dir;
    if (!MkdirsSync(dir, 0700)) return false;
+    if (!pathExists(dir)) {
+        auto delete_all = android::base::GetBoolProperty(
+                "ro.crypto.metadata_init_delete_all_keys.enabled", false);
+        if (delete_all) {
+            LOG(INFO) << "Metadata key does not exist, calling deleteAllKeys";
+            Keymaster::deleteAllKeys();
+        } else {
+            LOG(DEBUG) << "Metadata key does not exist but "
+                          "ro.crypto.metadata_init_delete_all_keys.enabled is false";
+        }
+    }
    auto temp = metadata_key_dir + "/tmp";
    return retrieveOrGenerateKey(dir, temp, kEmptyAuthentication, gen, key);
 }