Explain the rationale for not using StrongBox in vold.
Bug: 77338527 Test: Comment-only change. Change-Id: I9f87e34854eabcc4c183553cf56a033970bb867e
This commit is contained in:
parent
f5b085c13a
commit
e763ed2aa3
1 changed files with 3 additions and 5 deletions
|
@ -49,9 +49,6 @@ bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
|
||||||
size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
|
size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
|
||||||
auto inputBlob = km::support::blob2hidlVec(
|
auto inputBlob = km::support::blob2hidlVec(
|
||||||
reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
|
reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
|
||||||
// TODO(swillden): Need to handle getting a VerificationToken from the TEE if mDevice is
|
|
||||||
// StrongBox, so we can provide it here. The VerificationToken will need to be
|
|
||||||
// requested/retrieved during Keymaster::begin().
|
|
||||||
auto error = mDevice->update(mOpHandle, hidl_vec<km::KeyParameter>(), inputBlob,
|
auto error = mDevice->update(mOpHandle, hidl_vec<km::KeyParameter>(), inputBlob,
|
||||||
km::HardwareAuthToken(), km::VerificationToken(), hidlCB);
|
km::HardwareAuthToken(), km::VerificationToken(), hidlCB);
|
||||||
if (!error.isOk()) {
|
if (!error.isOk()) {
|
||||||
|
@ -105,8 +102,9 @@ Keymaster::Keymaster() {
|
||||||
hmacKeyGenerated = true;
|
hmacKeyGenerated = true;
|
||||||
}
|
}
|
||||||
for (auto& dev : devices) {
|
for (auto& dev : devices) {
|
||||||
// Explicitly avoid using STRONGBOX for now.
|
// Do not use StrongBox for device encryption / credential encryption. If a security chip
|
||||||
// TODO: Re-enable STRONGBOX, since it's what we really want. b/77338527
|
// is present it will have Weaver, which already strengthens CE. We get no additional
|
||||||
|
// benefit from using StrongBox here, so skip it.
|
||||||
if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) {
|
if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) {
|
||||||
mDevice = std::move(dev);
|
mDevice = std::move(dev);
|
||||||
break;
|
break;
|
||||||
|
|
Loading…
Reference in a new issue