tequilaOS/platform_system_vold
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge "KeyStorage: improve logging for key generation" am: 759022d0f1 am: 209084f877 am: 514cce99b8

Browse source 
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1638259

Change-Id: If6e766b8699fb2b05de7d33c1c6d3ce569a18b11
This commit is contained in:
Eric Biggers 2021-03-16 01:55:59 +00:00 committed by Automerger Merge Worker
commit edcbdd977e
2 changed files with 25 additions and 17 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

40
KeyStorage.cpp
View file

@ -133,17 +133,33 @@ static void hashWithPrefix(char const* prefix, const std::string& tohash, std::s
SHA512_Final(reinterpret_cast<uint8_t*>(&(*res)[0]), &c); SHA512_Final(reinterpret_cast<uint8_t*>(&(*res)[0]), &c);
} }
static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication& auth, // Generates a keymaster key, using rollback resistance if supported.
const std::string& appId, std::string* key) { static bool generateKeymasterKey(Keymaster& keymaster,
const km::AuthorizationSetBuilder& paramBuilder,
std::string* key) {
auto paramsWithRollback = paramBuilder;
paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
if (!keymaster.generateKey(paramsWithRollback, key)) {
LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keymaster "
"doesn't support rollback resistance. Falling back to "
"non-rollback-resistant key.";
if (!keymaster.generateKey(paramBuilder, key)) return false;
}
return true;
}
static bool generateKeyStorageKey(Keymaster& keymaster, const KeyAuthentication& auth,
const std::string& appId, std::string* key) {
auto paramBuilder = km::AuthorizationSetBuilder() auto paramBuilder = km::AuthorizationSetBuilder()
.AesEncryptionKey(AES_KEY_BYTES * 8) .AesEncryptionKey(AES_KEY_BYTES * 8)
.GcmModeMinMacLen(GCM_MAC_BYTES * 8) .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
.Authorization(km::TAG_APPLICATION_ID, km::support::blob2hidlVec(appId)); .Authorization(km::TAG_APPLICATION_ID, km::support::blob2hidlVec(appId));
if (auth.token.empty()) { if (auth.token.empty()) {
LOG(DEBUG) << "Creating key that doesn't need auth token"; LOG(DEBUG) << "Generating \"key storage\" key that doesn't need auth token";
paramBuilder.Authorization(km::TAG_NO_AUTH_REQUIRED); paramBuilder.Authorization(km::TAG_NO_AUTH_REQUIRED);
} else { } else {
LOG(DEBUG) << "Auth token required for key"; LOG(DEBUG) << "Generating \"key storage\" key that needs auth token";
if (auth.token.size() != sizeof(hw_auth_token_t)) { if (auth.token.size() != sizeof(hw_auth_token_t)) {
LOG(ERROR) << "Auth token should be " << sizeof(hw_auth_token_t) << " bytes, was " LOG(ERROR) << "Auth token should be " << sizeof(hw_auth_token_t) << " bytes, was "
<< auth.token.size() << " bytes"; << auth.token.size() << " bytes";
@ -155,13 +171,7 @@ static bool generateKeymasterKey(Keymaster& keymaster, const KeyAuthentication&
paramBuilder.Authorization(km::TAG_USER_AUTH_TYPE, km::HardwareAuthenticatorType::PASSWORD); paramBuilder.Authorization(km::TAG_USER_AUTH_TYPE, km::HardwareAuthenticatorType::PASSWORD);
paramBuilder.Authorization(km::TAG_AUTH_TIMEOUT, AUTH_TIMEOUT); paramBuilder.Authorization(km::TAG_AUTH_TIMEOUT, AUTH_TIMEOUT);
} }
return generateKeymasterKey(keymaster, paramBuilder, key);
auto paramsWithRollback = paramBuilder;
paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
// Generate rollback-resistant key if possible.
return keymaster.generateKey(paramsWithRollback, key) ||
keymaster.generateKey(paramBuilder, key);
} }
bool generateWrappedStorageKey(KeyBuffer* key) { bool generateWrappedStorageKey(KeyBuffer* key) {
@ -170,11 +180,7 @@ bool generateWrappedStorageKey(KeyBuffer* key) {
std::string key_temp; std::string key_temp;
auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8); auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
paramBuilder.Authorization(km::TAG_STORAGE_KEY); paramBuilder.Authorization(km::TAG_STORAGE_KEY);
auto paramsWithRollback = paramBuilder; if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false;
paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
if (!keymaster.generateKey(paramsWithRollback, &key_temp)) {
if (!keymaster.generateKey(paramBuilder, &key_temp)) return false;
}
*key = KeyBuffer(key_temp.size()); *key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size()); memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true; return true;
@ -631,7 +637,7 @@ bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBu
Keymaster keymaster; Keymaster keymaster;
if (!keymaster) return false; if (!keymaster) return false;
std::string kmKey; std::string kmKey;
if (!generateKeymasterKey(keymaster, auth, appId, &kmKey)) return false; if (!generateKeyStorageKey(keymaster, auth, appId, &kmKey)) return false;
if (!writeStringToFile(kmKey, dir + "/" + kFn_keymaster_key_blob)) return false; if (!writeStringToFile(kmKey, dir + "/" + kFn_keymaster_key_blob)) return false;
km::AuthorizationSet keyParams; km::AuthorizationSet keyParams;
km::HardwareAuthToken authToken; km::HardwareAuthToken authToken;

2
KeyUtil.cpp
View file

@ -57,8 +57,10 @@ bool generateStorageKey(const KeyGeneration& gen, KeyBuffer* key) {
LOG(ERROR) << "Cannot generate a wrapped key " << gen.keysize << " bytes long"; LOG(ERROR) << "Cannot generate a wrapped key " << gen.keysize << " bytes long";
return false; return false;
} }
LOG(DEBUG) << "Generating wrapped storage key";
return generateWrappedStorageKey(key); return generateWrappedStorageKey(key);
} else { } else {
LOG(DEBUG) << "Generating standard storage key";
return randomKey(gen.keysize, key); return randomKey(gen.keysize, key);
} }
} }