diff --git a/Android.bp b/Android.bp index 84809a3..4f39eb1 100644 --- a/Android.bp +++ b/Android.bp @@ -123,7 +123,7 @@ cc_library_static { "KeyBuffer.cpp", "KeyStorage.cpp", "KeyUtil.cpp", - "Keymaster.cpp", + "Keystore.cpp", "Loop.cpp", "MetadataCrypt.cpp", "MoveStorage.cpp", @@ -241,7 +241,7 @@ cc_binary { srcs: [ "wait_for_keymaster.cpp", - "Keymaster.cpp", + "Keystore.cpp", ], shared_libs: [ "libbase", diff --git a/KeyStorage.cpp b/KeyStorage.cpp index 64b413a..6aab4bd 100644 --- a/KeyStorage.cpp +++ b/KeyStorage.cpp @@ -17,7 +17,7 @@ #include "KeyStorage.h" #include "Checkpoint.h" -#include "Keymaster.h" +#include "Keystore.h" #include "ScryptParameters.h" #include "Utils.h" @@ -123,51 +123,49 @@ static void hashWithPrefix(char const* prefix, const std::string& tohash, std::s SHA512_Final(reinterpret_cast(&(*res)[0]), &c); } -// Generates a keymaster key, using rollback resistance if supported. -static bool generateKeymasterKey(Keymaster& keymaster, - const km::AuthorizationSetBuilder& paramBuilder, - std::string* key) { +// Generates a keystore key, using rollback resistance if supported. +static bool generateKeystoreKey(Keystore& keystore, const km::AuthorizationSetBuilder& paramBuilder, + std::string* key) { auto paramsWithRollback = paramBuilder; paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE); - if (!keymaster.generateKey(paramsWithRollback, key)) { - LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keymaster " + if (!keystore.generateKey(paramsWithRollback, key)) { + LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keystore " "doesn't support rollback resistance. Falling back to " "non-rollback-resistant key."; - if (!keymaster.generateKey(paramBuilder, key)) return false; + if (!keystore.generateKey(paramBuilder, key)) return false; } return true; } -static bool generateKeyStorageKey(Keymaster& keymaster, const std::string& appId, - std::string* key) { +static bool generateKeyStorageKey(Keystore& keystore, const std::string& appId, std::string* key) { auto paramBuilder = km::AuthorizationSetBuilder() .AesEncryptionKey(AES_KEY_BYTES * 8) .GcmModeMinMacLen(GCM_MAC_BYTES * 8) .Authorization(km::TAG_APPLICATION_ID, appId) .Authorization(km::TAG_NO_AUTH_REQUIRED); LOG(DEBUG) << "Generating \"key storage\" key"; - return generateKeymasterKey(keymaster, paramBuilder, key); + return generateKeystoreKey(keystore, paramBuilder, key); } bool generateWrappedStorageKey(KeyBuffer* key) { - Keymaster keymaster; - if (!keymaster) return false; + Keystore keystore; + if (!keystore) return false; std::string key_temp; auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8); paramBuilder.Authorization(km::TAG_STORAGE_KEY); - if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false; + if (!generateKeystoreKey(keystore, paramBuilder, &key_temp)) return false; *key = KeyBuffer(key_temp.size()); memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size()); return true; } -bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key) { - Keymaster keymaster; - if (!keymaster) return false; +bool exportWrappedStorageKey(const KeyBuffer& ksKey, KeyBuffer* key) { + Keystore keystore; + if (!keystore) return false; std::string key_temp; - if (!keymaster.exportKey(kmKey, &key_temp)) return false; + if (!keystore.exportKey(ksKey, &key_temp)) return false; *key = KeyBuffer(key_temp.size()); memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size()); return true; @@ -213,15 +211,15 @@ bool readSecdiscardable(const std::string& filename, std::string* hash) { static std::mutex key_upgrade_lock; -// List of key directories that have had their Keymaster key upgraded during +// List of key directories that have had their Keystore key upgraded during // this boot and written to "keymaster_key_blob_upgraded", but replacing the old // key was delayed due to an active checkpoint. Protected by key_upgrade_lock. // A directory can be in this list at most once. static std::vector key_dirs_to_commit; // Replaces |dir|/keymaster_key_blob with |dir|/keymaster_key_blob_upgraded and -// deletes the old key from Keymaster. -static bool CommitUpgradedKey(Keymaster& keymaster, const std::string& dir) { +// deletes the old key from Keystore. +static bool CommitUpgradedKey(Keystore& keystore, const std::string& dir) { auto blob_file = dir + "/" + kFn_keymaster_key_blob; auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded; @@ -232,13 +230,13 @@ static bool CommitUpgradedKey(Keymaster& keymaster, const std::string& dir) { PLOG(ERROR) << "Failed to rename " << upgraded_blob_file << " to " << blob_file; return false; } - // Ensure that the rename is persisted before deleting the Keymaster key. + // Ensure that the rename is persisted before deleting the Keystore key. if (!FsyncDirectory(dir)) return false; - if (!keymaster || !keymaster.deleteKey(blob)) { + if (!keystore || !keystore.deleteKey(blob)) { LOG(WARNING) << "Failed to delete old key " << blob_file - << " from Keymaster; continuing anyway"; - // Continue on, but the space in Keymaster used by the old key won't be freed. + << " from Keystore; continuing anyway"; + // Continue on, but the space in Keystore used by the old key won't be freed. } return true; } @@ -246,20 +244,20 @@ static bool CommitUpgradedKey(Keymaster& keymaster, const std::string& dir) { static void DeferredCommitKeys() { android::base::WaitForProperty("vold.checkpoint_committed", "1"); LOG(INFO) << "Committing upgraded keys"; - Keymaster keymaster; - if (!keymaster) { - LOG(ERROR) << "Failed to open Keymaster; old keys won't be deleted from Keymaster"; - // Continue on, but the space in Keymaster used by the old keys won't be freed. + Keystore keystore; + if (!keystore) { + LOG(ERROR) << "Failed to open Keystore; old keys won't be deleted from Keystore"; + // Continue on, but the space in Keystore used by the old keys won't be freed. } std::lock_guard lock(key_upgrade_lock); for (auto& dir : key_dirs_to_commit) { LOG(INFO) << "Committing upgraded key " << dir; - CommitUpgradedKey(keymaster, dir); + CommitUpgradedKey(keystore, dir); } key_dirs_to_commit.clear(); } -// Returns true if the Keymaster key in |dir| has already been upgraded and is +// Returns true if the Keystore key in |dir| has already been upgraded and is // pending being committed. Assumes that key_upgrade_lock is held. static bool IsKeyCommitPending(const std::string& dir) { for (const auto& dir_to_commit : key_dirs_to_commit) { @@ -268,7 +266,7 @@ static bool IsKeyCommitPending(const std::string& dir) { return false; } -// Schedules the upgraded Keymaster key in |dir| to be committed later. Assumes +// Schedules the upgraded Keystore key in |dir| to be committed later. Assumes // that key_upgrade_lock is held and that a commit isn't already pending for the // directory. static void ScheduleKeyCommit(const std::string& dir) { @@ -313,16 +311,16 @@ bool RenameKeyDir(const std::string& old_name, const std::string& new_name) { // Deletes a leftover upgraded key, if present. An upgraded key can be left // over if an update failed, or if we rebooted before committing the key in a // freak accident. Either way, we can re-upgrade the key if we need to. -static void DeleteUpgradedKey(Keymaster& keymaster, const std::string& path) { +static void DeleteUpgradedKey(Keystore& keystore, const std::string& path) { if (pathExists(path)) { LOG(DEBUG) << "Deleting leftover upgraded key " << path; std::string blob; if (!android::base::ReadFileToString(path, &blob)) { LOG(WARNING) << "Failed to read leftover upgraded key " << path << "; continuing anyway"; - } else if (!keymaster.deleteKey(blob)) { + } else if (!keystore.deleteKey(blob)) { LOG(WARNING) << "Failed to delete leftover upgraded key " << path - << " from Keymaster; continuing anyway"; + << " from Keystore; continuing anyway"; } if (unlink(path.c_str()) != 0) { LOG(WARNING) << "Failed to unlink leftover upgraded key " << path @@ -331,11 +329,11 @@ static void DeleteUpgradedKey(Keymaster& keymaster, const std::string& path) { } } -// Begins a Keymaster operation using the key stored in |dir|. -static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::string& dir, - const km::AuthorizationSet& keyParams, - const km::AuthorizationSet& opParams, - km::AuthorizationSet* outParams) { +// Begins a Keystore operation using the key stored in |dir|. +static KeystoreOperation BeginKeystoreOp(Keystore& keystore, const std::string& dir, + const km::AuthorizationSet& keyParams, + const km::AuthorizationSet& opParams, + km::AuthorizationSet* outParams) { km::AuthorizationSet inParams(keyParams); inParams.append(opParams.begin(), opParams.end()); @@ -350,13 +348,13 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri LOG(DEBUG) << blob_file << " was already upgraded and is waiting to be committed; using the upgraded blob"; - if (!readFileToString(upgraded_blob_file, &blob)) return KeymasterOperation(); + if (!readFileToString(upgraded_blob_file, &blob)) return KeystoreOperation(); } else { - DeleteUpgradedKey(keymaster, upgraded_blob_file); - if (!readFileToString(blob_file, &blob)) return KeymasterOperation(); + DeleteUpgradedKey(keystore, upgraded_blob_file); + if (!readFileToString(blob_file, &blob)) return KeystoreOperation(); } - auto opHandle = keymaster.begin(blob, inParams, outParams); + auto opHandle = keystore.begin(blob, inParams, outParams); if (!opHandle) return opHandle; // If key blob wasn't upgraded, nothing left to do. @@ -365,29 +363,29 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri if (already_upgraded) { LOG(ERROR) << "Unexpected case; already-upgraded key " << upgraded_blob_file << " still requires upgrade"; - return KeymasterOperation(); + return KeystoreOperation(); } LOG(INFO) << "Upgrading key: " << blob_file; if (!writeStringToFile(*opHandle.getUpgradedBlob(), upgraded_blob_file)) - return KeymasterOperation(); + return KeystoreOperation(); if (cp_needsCheckpoint()) { LOG(INFO) << "Wrote upgraded key to " << upgraded_blob_file << "; delaying commit due to checkpoint"; ScheduleKeyCommit(dir); } else { - if (!CommitUpgradedKey(keymaster, dir)) return KeymasterOperation(); + if (!CommitUpgradedKey(keystore, dir)) return KeystoreOperation(); LOG(INFO) << "Key upgraded: " << blob_file; } return opHandle; } -static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir, - const km::AuthorizationSet& keyParams, - const KeyBuffer& message, std::string* ciphertext) { +static bool encryptWithKeystoreKey(Keystore& keystore, const std::string& dir, + const km::AuthorizationSet& keyParams, const KeyBuffer& message, + std::string* ciphertext) { km::AuthorizationSet opParams = km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); km::AuthorizationSet outParams; - auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); + auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, &outParams); if (!opHandle) return false; auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE); if (!nonceBlob) { @@ -407,15 +405,15 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir return true; } -static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir, - const km::AuthorizationSet& keyParams, - const std::string& ciphertext, KeyBuffer* message) { +static bool decryptWithKeystoreKey(Keystore& keystore, const std::string& dir, + const km::AuthorizationSet& keyParams, + const std::string& ciphertext, KeyBuffer* message) { const std::string nonce = ciphertext.substr(0, GCM_NONCE_BYTES); auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES); auto opParams = km::AuthorizationSetBuilder() .Authorization(km::TAG_NONCE, nonce) .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT); - auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr); + auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, nullptr); if (!opHandle) return false; if (!opHandle.updateCompletely(bodyAndMac, message)) return false; if (!opHandle.finish(nullptr)) return false; @@ -423,7 +421,7 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir } static std::string getStretching(const KeyAuthentication& auth) { - if (auth.usesKeymaster()) { + if (auth.usesKeystore()) { return kStretch_nopassword; } else { return kStretch_none; @@ -473,8 +471,8 @@ static void logOpensslError() { LOG(ERROR) << "Openssl error: " << ERR_get_error(); } -static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& plaintext, - std::string* ciphertext) { +static bool encryptWithoutKeystore(const std::string& preKey, const KeyBuffer& plaintext, + std::string* ciphertext) { std::string key; hashWithPrefix(kHashPrefix_keygen, preKey, &key); key.resize(AES_KEY_BYTES); @@ -523,8 +521,8 @@ static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& return true; } -static bool decryptWithoutKeymaster(const std::string& preKey, const std::string& ciphertext, - KeyBuffer* plaintext) { +static bool decryptWithoutKeystore(const std::string& preKey, const std::string& ciphertext, + KeyBuffer* plaintext) { if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) { LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size(); return false; @@ -576,7 +574,7 @@ static bool decryptWithoutKeymaster(const std::string& preKey, const std::string } // Creates a directory at the given path |dir| and stores |key| in it, in such a -// way that it can only be retrieved via Keymaster (if no secret is given in +// way that it can only be retrieved via Keystore (if no secret is given in // |auth|) or with the given secret (if a secret is given in |auth|), and can be // securely deleted. If a storage binding seed has been set, then the storage // binding seed will be required to retrieve the key as well. @@ -593,16 +591,16 @@ static bool storeKey(const std::string& dir, const KeyAuthentication& auth, cons std::string appId; if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false; std::string encryptedKey; - if (auth.usesKeymaster()) { - Keymaster keymaster; - if (!keymaster) return false; - std::string kmKey; - if (!generateKeyStorageKey(keymaster, appId, &kmKey)) return false; - if (!writeStringToFile(kmKey, dir + "/" + kFn_keymaster_key_blob)) return false; + if (auth.usesKeystore()) { + Keystore keystore; + if (!keystore) return false; + std::string ksKey; + if (!generateKeyStorageKey(keystore, appId, &ksKey)) return false; + if (!writeStringToFile(ksKey, dir + "/" + kFn_keymaster_key_blob)) return false; km::AuthorizationSet keyParams = beginParams(appId); - if (!encryptWithKeymasterKey(keymaster, dir, keyParams, key, &encryptedKey)) return false; + if (!encryptWithKeystoreKey(keystore, dir, keyParams, key, &encryptedKey)) return false; } else { - if (!encryptWithoutKeymaster(appId, key, &encryptedKey)) return false; + if (!encryptWithoutKeystore(appId, key, &encryptedKey)) return false; } if (!writeStringToFile(encryptedKey, dir + "/" + kFn_encrypted_key)) return false; if (!FsyncDirectory(dir)) return false; @@ -643,25 +641,24 @@ bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffe if (!generateAppId(auth, stretching, secdiscardable_hash, &appId)) return false; std::string encryptedMessage; if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false; - if (auth.usesKeymaster()) { - Keymaster keymaster; - if (!keymaster) return false; + if (auth.usesKeystore()) { + Keystore keystore; + if (!keystore) return false; km::AuthorizationSet keyParams = beginParams(appId); - if (!decryptWithKeymasterKey(keymaster, dir, keyParams, encryptedMessage, key)) - return false; + if (!decryptWithKeystoreKey(keystore, dir, keyParams, encryptedMessage, key)) return false; } else { - if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false; + if (!decryptWithoutKeystore(appId, encryptedMessage, key)) return false; } return true; } -static bool DeleteKeymasterKey(const std::string& blob_file) { +static bool DeleteKeystoreKey(const std::string& blob_file) { std::string blob; if (!readFileToString(blob_file, &blob)) return false; - Keymaster keymaster; - if (!keymaster) return false; - LOG(DEBUG) << "Deleting key " << blob_file << " from Keymaster"; - if (!keymaster.deleteKey(blob)) return false; + Keystore keystore; + if (!keystore) return false; + LOG(DEBUG) << "Deleting key " << blob_file << " from Keystore"; + if (!keystore.deleteKey(blob)) return false; return true; } @@ -697,7 +694,7 @@ bool destroyKey(const std::string& dir) { for (auto& fn : {kFn_keymaster_key_blob, kFn_keymaster_key_blob_upgraded}) { auto blob_file = dir + "/" + fn; if (pathExists(blob_file)) { - success &= DeleteKeymasterKey(blob_file); + success &= DeleteKeystoreKey(blob_file); secdiscard_cmd.push_back(blob_file); } } diff --git a/KeyStorage.h b/KeyStorage.h index a7e694e..cc2f549 100644 --- a/KeyStorage.h +++ b/KeyStorage.h @@ -31,7 +31,7 @@ class KeyAuthentication { public: KeyAuthentication(const std::string& s) : secret{s} {}; - bool usesKeymaster() const { return secret.empty(); }; + bool usesKeystore() const { return secret.empty(); }; const std::string secret; }; @@ -61,10 +61,10 @@ bool destroyKey(const std::string& dir); bool runSecdiscardSingle(const std::string& file); -// Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster. +// Generate wrapped storage key using keystore. Uses STORAGE_KEY tag in keystore. bool generateWrappedStorageKey(KeyBuffer* key); -// Export the per-boot boot wrapped storage key using keymaster. -bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key); +// Export the per-boot boot wrapped storage key using keystore. +bool exportWrappedStorageKey(const KeyBuffer& ksKey, KeyBuffer* key); // Set a seed to be mixed into all key storage encryption keys. bool setKeyStorageBindingSeed(const std::vector& seed); diff --git a/Keymaster.cpp b/Keystore.cpp similarity index 88% rename from Keymaster.cpp rename to Keystore.cpp index 8038681..0995d05 100644 --- a/Keymaster.cpp +++ b/Keystore.cpp @@ -14,7 +14,7 @@ * limitations under the License. */ -#include "Keymaster.h" +#include "Keystore.h" #include @@ -43,7 +43,7 @@ namespace vold { namespace ks2_maint = ::aidl::android::security::maintenance; -KeymasterOperation::~KeymasterOperation() { +KeystoreOperation::~KeystoreOperation() { if (ks2Operation) ks2Operation->abort(); } @@ -65,8 +65,8 @@ static bool logKeystore2ExceptionIfPresent(::ndk::ScopedAStatus& rc, const std:: return true; } -bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen, - const std::function consumer) { +bool KeystoreOperation::updateCompletely(const char* input, size_t inputLen, + const std::function consumer) { if (!ks2Operation) return false; while (inputLen != 0) { @@ -87,7 +87,7 @@ bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen, return true; } -bool KeymasterOperation::finish(std::string* output) { +bool KeystoreOperation::finish(std::string* output) { std::optional> out_vec; if (!ks2Operation) return false; @@ -103,7 +103,7 @@ bool KeymasterOperation::finish(std::string* output) { return true; } -Keymaster::Keymaster() { +Keystore::Keystore() { ::ndk::SpAIBinder binder(AServiceManager_waitForService(keystore2_service_name)); auto keystore2Service = ks2::IKeystoreService::fromBinder(binder); @@ -127,7 +127,7 @@ Keymaster::Keymaster() { LOG(ERROR) << "Vold unable to get security level from keystore2."; } -bool Keymaster::generateKey(const km::AuthorizationSet& inParams, std::string* key) { +bool Keystore::generateKey(const km::AuthorizationSet& inParams, std::string* key) { ks2::KeyDescriptor in_key = { .domain = ks2::Domain::BLOB, .alias = std::nullopt, @@ -150,14 +150,14 @@ bool Keymaster::generateKey(const km::AuthorizationSet& inParams, std::string* k return true; } -bool Keymaster::exportKey(const KeyBuffer& kmKey, std::string* key) { +bool Keystore::exportKey(const KeyBuffer& ksKey, std::string* key) { bool ret = false; ks2::KeyDescriptor storageKey = { .domain = ks2::Domain::BLOB, .alias = std::nullopt, .nspace = VOLD_NAMESPACE, }; - storageKey.blob = std::make_optional>(kmKey.begin(), kmKey.end()); + storageKey.blob = std::make_optional>(ksKey.begin(), ksKey.end()); ks2::EphemeralStorageKeyResponse ephemeral_key_response; auto rc = securityLevel->convertStorageKeyToEphemeral(storageKey, &ephemeral_key_response); @@ -175,7 +175,7 @@ out: return ret; } -bool Keymaster::deleteKey(const std::string& key) { +bool Keystore::deleteKey(const std::string& key) { ks2::KeyDescriptor keyDesc = { .domain = ks2::Domain::BLOB, .alias = std::nullopt, @@ -188,8 +188,8 @@ bool Keymaster::deleteKey(const std::string& key) { return !logKeystore2ExceptionIfPresent(rc, "deleteKey"); } -KeymasterOperation Keymaster::begin(const std::string& key, const km::AuthorizationSet& inParams, - km::AuthorizationSet* outParams) { +KeystoreOperation Keystore::begin(const std::string& key, const km::AuthorizationSet& inParams, + km::AuthorizationSet* outParams) { ks2::KeyDescriptor keyDesc = { .domain = ks2::Domain::BLOB, .alias = std::nullopt, @@ -202,22 +202,22 @@ KeymasterOperation Keymaster::begin(const std::string& key, const km::Authorizat auto rc = securityLevel->createOperation(keyDesc, inParams.vector_data(), true, &cor); if (logKeystore2ExceptionIfPresent(rc, "createOperation")) { if (rc.getExceptionCode() == EX_SERVICE_SPECIFIC) - return KeymasterOperation((km::ErrorCode)rc.getServiceSpecificError()); + return KeystoreOperation((km::ErrorCode)rc.getServiceSpecificError()); else - return KeymasterOperation(); + return KeystoreOperation(); } if (!cor.iOperation) { LOG(ERROR) << "keystore2 createOperation didn't return an operation"; - return KeymasterOperation(); + return KeystoreOperation(); } if (outParams && cor.parameters) *outParams = cor.parameters->keyParameter; - return KeymasterOperation(cor.iOperation, cor.upgradedBlob); + return KeystoreOperation(cor.iOperation, cor.upgradedBlob); } -void Keymaster::earlyBootEnded() { +void Keystore::earlyBootEnded() { ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name)); auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder); diff --git a/Keymaster.h b/Keystore.h similarity index 80% rename from Keymaster.h rename to Keystore.h index 1100840..05a8370 100644 --- a/Keymaster.h +++ b/Keystore.h @@ -13,9 +13,8 @@ * See the License for the specific language governing permissions and * limitations under the License. */ -// TODO: Maybe "Keymaster" should be replaced with Keystore2 everywhere? -#ifndef ANDROID_VOLD_KEYMASTER_H -#define ANDROID_VOLD_KEYMASTER_H +#ifndef ANDROID_VOLD_KEYSTORE_H +#define ANDROID_VOLD_KEYSTORE_H #include "KeyBuffer.h" @@ -45,9 +44,9 @@ namespace km = ::aidl::android::hardware::security::keymint; // ongoing Keystore2 operation. Aborts the operation // in the destructor if it is unfinished. Methods log failures // to LOG(ERROR). -class KeymasterOperation { +class KeystoreOperation { public: - ~KeymasterOperation(); + ~KeystoreOperation(); // Is this instance valid? This is false if creation fails, and becomes // false on finish or if an update fails. explicit operator bool() const { return (bool)ks2Operation; } @@ -66,11 +65,11 @@ class KeymasterOperation { // Finish and write the output to this string, unless pointer is null. bool finish(std::string* output); // Move constructor - KeymasterOperation(KeymasterOperation&& rhs) { *this = std::move(rhs); } + KeystoreOperation(KeystoreOperation&& rhs) { *this = std::move(rhs); } // Construct an object in an error state for error returns - KeymasterOperation() { errorCode = km::ErrorCode::UNKNOWN_ERROR; } + KeystoreOperation() { errorCode = km::ErrorCode::UNKNOWN_ERROR; } // Move Assignment - KeymasterOperation& operator=(KeymasterOperation&& rhs) { + KeystoreOperation& operator=(KeystoreOperation&& rhs) { ks2Operation = rhs.ks2Operation; rhs.ks2Operation = nullptr; @@ -84,8 +83,8 @@ class KeymasterOperation { } private: - KeymasterOperation(std::shared_ptr ks2Op, - std::optional> blob) + KeystoreOperation(std::shared_ptr ks2Op, + std::optional> blob) : ks2Operation{ks2Op}, errorCode{km::ErrorCode::OK} { if (blob) upgradedBlob = std::optional(std::string(blob->begin(), blob->end())); @@ -93,7 +92,7 @@ class KeymasterOperation { upgradedBlob = std::nullopt; } - KeymasterOperation(km::ErrorCode errCode) : errorCode{errCode} {} + KeystoreOperation(km::ErrorCode errCode) : errorCode{errCode} {} bool updateCompletely(const char* input, size_t inputLen, const std::function consumer); @@ -101,27 +100,27 @@ class KeymasterOperation { std::shared_ptr ks2Operation; std::optional upgradedBlob; km::ErrorCode errorCode; - DISALLOW_COPY_AND_ASSIGN(KeymasterOperation); - friend class Keymaster; + DISALLOW_COPY_AND_ASSIGN(KeystoreOperation); + friend class Keystore; }; // Wrapper for keystore2 methods that vold uses. -class Keymaster { +class Keystore { public: - Keymaster(); + Keystore(); // false if we failed to get a keystore2 security level. explicit operator bool() { return (bool)securityLevel; } // Generate a key using keystore2 from the given params. bool generateKey(const km::AuthorizationSet& inParams, std::string* key); // Exports a keystore2 key with STORAGE_KEY tag wrapped with a per-boot ephemeral key - bool exportKey(const KeyBuffer& kmKey, std::string* key); + bool exportKey(const KeyBuffer& ksKey, std::string* key); // If supported, permanently delete a key from the keymint device it belongs to. bool deleteKey(const std::string& key); // Begin a new cryptographic operation, collecting output parameters if pointer is non-null - // If the key was upgraded as a result of a call to this method, the returned KeymasterOperation + // If the key was upgraded as a result of a call to this method, the returned KeystoreOperation // also stores the upgraded key blob. - KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams, - km::AuthorizationSet* outParams); + KeystoreOperation begin(const std::string& key, const km::AuthorizationSet& inParams, + km::AuthorizationSet* outParams); // Tell all Keymint devices that early boot has ended and early boot-only keys can no longer // be created or used. @@ -129,7 +128,7 @@ class Keymaster { private: std::shared_ptr securityLevel; - DISALLOW_COPY_AND_ASSIGN(Keymaster); + DISALLOW_COPY_AND_ASSIGN(Keystore); }; } // namespace vold diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp index dc50679..ee3b45a 100644 --- a/MetadataCrypt.cpp +++ b/MetadataCrypt.cpp @@ -38,7 +38,7 @@ #include "EncryptInplace.h" #include "KeyStorage.h" #include "KeyUtil.h" -#include "Keymaster.h" +#include "Keystore.h" #include "Utils.h" #include "VoldUtil.h" #include "fs/Ext4.h" diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp index 5ea72bb..2aae8bf 100644 --- a/VoldNativeService.cpp +++ b/VoldNativeService.cpp @@ -34,7 +34,7 @@ #include "FsCrypt.h" #include "IdleMaint.h" #include "KeyStorage.h" -#include "Keymaster.h" +#include "Keystore.h" #include "MetadataCrypt.h" #include "MoveStorage.h" #include "Process.h" @@ -943,7 +943,7 @@ binder::Status VoldNativeService::earlyBootEnded() { ACQUIRE_LOCK; initializeIncFs(); - Keymaster::earlyBootEnded(); + Keystore::earlyBootEnded(); return Ok(); } diff --git a/cryptfs.cpp b/cryptfs.cpp index 1dbd6f6..f9d4ed4 100644 --- a/cryptfs.cpp +++ b/cryptfs.cpp @@ -22,7 +22,7 @@ #include "CryptoType.h" #include "EncryptInplace.h" #include "FsCrypt.h" -#include "Keymaster.h" +#include "Keystore.h" #include "Process.h" #include "ScryptParameters.h" #include "Utils.h" @@ -349,7 +349,7 @@ static int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64 if (key_out_size) { *key_out_size = 0; } - Keymaster dev; + Keystore dev; if (!dev) { LOG(ERROR) << "Failed to initiate keymaster session"; return -1; @@ -395,7 +395,7 @@ static int keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr* ftr, u return -1; } - Keymaster dev; + Keystore dev; if (!dev) { LOG(ERROR) << "Failed to initiate keymaster session"; return -1; @@ -405,7 +405,7 @@ static int keymaster_sign_object_for_cryptfs_scrypt(struct crypt_mnt_ftr* ftr, u std::string key(reinterpret_cast(ftr->keymaster_blob), ftr->keymaster_blob_size); std::string input(reinterpret_cast(object), object_size); std::string output; - KeymasterOperation op; + KeystoreOperation op; auto paramBuilder = km::AuthorizationSetBuilder().NoDigestOrPadding().Authorization( km::TAG_PURPOSE, km::KeyPurpose::SIGN); diff --git a/wait_for_keymaster.cpp b/wait_for_keymaster.cpp index bf26518..c6bee5f 100644 --- a/wait_for_keymaster.cpp +++ b/wait_for_keymaster.cpp @@ -16,7 +16,7 @@ #include -#include "Keymaster.h" +#include "Keystore.h" int main(int argc, char** argv) { setenv("ANDROID_LOG_TAGS", "*:v", 1); @@ -26,8 +26,8 @@ int main(int argc, char** argv) { } else { android::base::InitLogging(argv, &android::base::StderrLogger); } - LOG(INFO) << "Waiting for Keymaster device"; - android::vold::Keymaster keymaster; - LOG(INFO) << "Keymaster device ready"; + LOG(INFO) << "Waiting for Keystore to be ready"; + android::vold::Keystore keystore; + LOG(INFO) << "Keystore ready"; return 0; }