Support Resume on Reboot
When an OTA is downloaded, the RecoverySystem can be triggered to store
the user's lock screen knowledge factor in a secure way using the
IRebootEscrow HAL. This will allow the credential encrypted (CE)
storage, keymaster credentials, and possibly others to be unlocked when
the device reboots after an OTA.
Bug: 63928581
Test: atest FrameworksServicesTests:RebootEscrowDataTest \
FrameworksServicesTests:LockSettingsServiceTests \
FrameworksServicesTests:RecoverySystemServiceTest \
FrameworksServicesTests:RebootEscrowManagerTests
Test: use fake OTA console app to apply update
Change-Id: I59df6942b27ea2bdd11b757922f5169085a325f0
diff --git a/api/system-current.txt b/api/system-current.txt
index 653df73..01f30cf 100755
--- a/api/system-current.txt
+++ b/api/system-current.txt
@@ -2117,6 +2117,7 @@
field public static final String EXTRA_REQUEST_PERMISSIONS_NAMES = "android.content.pm.extra.REQUEST_PERMISSIONS_NAMES";
field public static final String EXTRA_REQUEST_PERMISSIONS_RESULTS = "android.content.pm.extra.REQUEST_PERMISSIONS_RESULTS";
field public static final String FEATURE_BROADCAST_RADIO = "android.hardware.broadcastradio";
+ field public static final String FEATURE_REBOOT_ESCROW = "android.hardware.reboot_escrow";
field public static final String FEATURE_TELEPHONY_CARRIERLOCK = "android.hardware.telephony.carrierlock";
field public static final int FLAG_PERMISSION_APPLY_RESTRICTION = 16384; // 0x4000
field public static final int FLAG_PERMISSION_GRANTED_BY_DEFAULT = 32; // 0x20
@@ -6905,9 +6906,12 @@
public class RecoverySystem {
method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void cancelScheduledUpdate(android.content.Context) throws java.io.IOException;
+ method @RequiresPermission(android.Manifest.permission.RECOVERY) public static boolean clearPrepareForUnattendedUpdate(@NonNull android.content.Context) throws java.io.IOException;
method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void installPackage(android.content.Context, java.io.File, boolean) throws java.io.IOException;
+ method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void prepareForUnattendedUpdate(@NonNull android.content.Context, @NonNull String, @Nullable android.content.IntentSender) throws java.io.IOException;
method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void processPackage(android.content.Context, java.io.File, android.os.RecoverySystem.ProgressListener, android.os.Handler) throws java.io.IOException;
method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void processPackage(android.content.Context, java.io.File, android.os.RecoverySystem.ProgressListener) throws java.io.IOException;
+ method @RequiresPermission(android.Manifest.permission.RECOVERY) public static boolean rebootAndApply(@NonNull android.content.Context, @NonNull String, @NonNull String) throws java.io.IOException;
method @RequiresPermission(allOf={android.Manifest.permission.RECOVERY, android.Manifest.permission.REBOOT}) public static void rebootWipeAb(android.content.Context, java.io.File, String) throws java.io.IOException;
method @RequiresPermission(android.Manifest.permission.RECOVERY) public static void scheduleUpdateOnBoot(android.content.Context, java.io.File) throws java.io.IOException;
method public static boolean verifyPackageCompatibility(java.io.File) throws java.io.IOException;
diff --git a/core/java/android/content/pm/PackageManager.java b/core/java/android/content/pm/PackageManager.java
index f792127..b85c58a 100644
--- a/core/java/android/content/pm/PackageManager.java
+++ b/core/java/android/content/pm/PackageManager.java
@@ -2918,6 +2918,18 @@
public static final String FEATURE_IPSEC_TUNNELS = "android.software.ipsec_tunnels";
/**
+ * Feature for {@link #getSystemAvailableFeatures} and {@link #hasSystemFeature}: The device has
+ * the requisite hardware support to support reboot escrow of synthetic password for updates.
+ *
+ * <p>This feature implies that the device has the RebootEscrow HAL implementation.
+ *
+ * @hide
+ */
+ @SystemApi
+ @SdkConstant(SdkConstantType.FEATURE)
+ public static final String FEATURE_REBOOT_ESCROW = "android.hardware.reboot_escrow";
+
+ /**
* Extra field name for the URI to a verification file. Passed to a package
* verifier.
*
diff --git a/core/java/android/os/IRecoverySystem.aidl b/core/java/android/os/IRecoverySystem.aidl
index c5ceecd..2561e1e 100644
--- a/core/java/android/os/IRecoverySystem.aidl
+++ b/core/java/android/os/IRecoverySystem.aidl
@@ -17,6 +17,7 @@
package android.os;
+import android.content.IntentSender;
import android.os.IRecoverySystemProgressListener;
/** @hide */
@@ -26,4 +27,7 @@
boolean setupBcb(in String command);
boolean clearBcb();
void rebootRecoveryWithCommand(in String command);
+ boolean requestLskf(in String updateToken, in IntentSender sender);
+ boolean clearLskf();
+ boolean rebootWithLskf(in String updateToken, in String reason);
}
diff --git a/core/java/android/os/RecoverySystem.java b/core/java/android/os/RecoverySystem.java
index 1901820..cdcb3ff 100644
--- a/core/java/android/os/RecoverySystem.java
+++ b/core/java/android/os/RecoverySystem.java
@@ -18,6 +18,8 @@
import static java.nio.charset.StandardCharsets.UTF_8;
+import android.annotation.NonNull;
+import android.annotation.Nullable;
import android.annotation.RequiresPermission;
import android.annotation.SuppressLint;
import android.annotation.SystemApi;
@@ -29,6 +31,7 @@
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
+import android.content.IntentSender;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.telephony.SubscriptionInfo;
@@ -624,22 +627,91 @@
}
/**
- * Schedule to install the given package on next boot. The caller needs to
- * ensure that the package must have been processed (uncrypt'd) if needed.
- * It sets up the command in BCB (bootloader control block), which will
- * be read by the bootloader and the recovery image.
+ * Prepare to apply an unattended update by asking the user for their Lock Screen Knowledge
+ * Factor (LSKF). If supplied, the {@code intentSender} will be called when the system is setup
+ * and ready to apply the OTA.
+ * <p>
+ * When the system is already prepared for update and this API is called again with the same
+ * {@code updateToken}, it will not call the intent sender nor request the user enter their Lock
+ * Screen Knowledge Factor.
+ * <p>
+ * When this API is called again with a different {@code updateToken}, the prepared-for-update
+ * status is reset and process repeats as though it's the initial call to this method as
+ * described in the first paragraph.
*
- * @param Context the Context to use.
- * @param packageFile the package to be installed.
- *
- * @throws IOException if there were any errors setting up the BCB.
- *
+ * @param context the Context to use.
+ * @param updateToken token used to indicate which update was prepared
+ * @param intentSender the intent to call when the update is prepared; may be {@code null}
+ * @throws IOException if there were any errors setting up unattended update
* @hide
*/
@SystemApi
@RequiresPermission(android.Manifest.permission.RECOVERY)
- public static void scheduleUpdateOnBoot(Context context, File packageFile)
+ public static void prepareForUnattendedUpdate(@NonNull Context context,
+ @NonNull String updateToken, @Nullable IntentSender intentSender) throws IOException {
+ if (updateToken == null) {
+ throw new NullPointerException("updateToken == null");
+ }
+ RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+ if (!rs.requestLskf(updateToken, intentSender)) {
+ throw new IOException("preparation for update failed");
+ }
+ }
+
+ /**
+ * Request that any previously requested Lock Screen Knowledge Factor (LSKF) is cleared and
+ * the preparation for unattended update is reset.
+ *
+ * @param context the Context to use.
+ * @throws IOException if there were any errors setting up unattended update
+ * @hide
+ */
+ @SystemApi
+ @RequiresPermission(android.Manifest.permission.RECOVERY)
+ public static boolean clearPrepareForUnattendedUpdate(@NonNull Context context)
throws IOException {
+ RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+ return rs.clearLskf();
+ }
+
+ /**
+ * Request that the device reboot and apply the update that has been prepared. The
+ * {@code updateToken} must match what was given for {@link #prepareForUnattendedUpdate} or
+ * this will return {@code false}.
+ *
+ * @param context the Context to use.
+ * @param updateToken the token used to call {@link #prepareForUnattendedUpdate} before
+ * @param reason the reboot reason to give to the {@link PowerManager}
+ * @throws IOException if there were any errors setting up unattended update
+ * @return false if the reboot couldn't proceed because the device wasn't ready for an
+ * unattended reboot or if the {@code updateToken} did not match the previously
+ * given token
+ * @hide
+ */
+ @SystemApi
+ @RequiresPermission(android.Manifest.permission.RECOVERY)
+ public static boolean rebootAndApply(@NonNull Context context, @NonNull String updateToken,
+ @NonNull String reason) throws IOException {
+ if (updateToken == null) {
+ throw new NullPointerException("updateToken == null");
+ }
+ RecoverySystem rs = (RecoverySystem) context.getSystemService(Context.RECOVERY_SERVICE);
+ return rs.rebootWithLskf(updateToken, reason);
+ }
+
+ /**
+ * Schedule to install the given package on next boot. The caller needs to ensure that the
+ * package must have been processed (uncrypt'd) if needed. It sets up the command in BCB
+ * (bootloader control block), which will be read by the bootloader and the recovery image.
+ *
+ * @param context the Context to use.
+ * @param packageFile the package to be installed.
+ * @throws IOException if there were any errors setting up the BCB.
+ * @hide
+ */
+ @SystemApi
+ @RequiresPermission(android.Manifest.permission.RECOVERY)
+ public static void scheduleUpdateOnBoot(Context context, File packageFile) throws IOException {
String filename = packageFile.getCanonicalPath();
boolean securityUpdate = filename.endsWith("_s.zip");
@@ -1204,6 +1276,49 @@
}
/**
+ * Begins the process of asking the user for the Lock Screen Knowledge Factor.
+ *
+ * @param updateToken token that will be used in calls to {@link #rebootAndApply} to ensure
+ * that the preparation was for the correct update
+ * @return true if the request was correct
+ * @throws IOException if the recovery system service could not be contacted
+ */
+ private boolean requestLskf(String updateToken, IntentSender sender) throws IOException {
+ try {
+ return mService.requestLskf(updateToken, sender);
+ } catch (RemoteException e) {
+ throw new IOException("could request update");
+ }
+ }
+
+ /**
+ * Calls the recovery system service and clears the setup for the OTA.
+ *
+ * @return true if the setup for OTA was cleared
+ * @throws IOException if the recovery system service could not be contacted
+ */
+ private boolean clearLskf() throws IOException {
+ try {
+ return mService.clearLskf();
+ } catch (RemoteException e) {
+ throw new IOException("could not clear LSKF");
+ }
+ }
+
+ /**
+ * Calls the recovery system service to reboot and apply update.
+ *
+ * @param updateToken the update token for which the update was prepared
+ */
+ private boolean rebootWithLskf(String updateToken, String reason) throws IOException {
+ try {
+ return mService.rebootWithLskf(updateToken, reason);
+ } catch (RemoteException e) {
+ throw new IOException("could not reboot for update");
+ }
+ }
+
+ /**
* Internally, recovery treats each line of the command file as a separate
* argv, so we only need to protect against newlines and nulls.
*/
diff --git a/core/java/com/android/internal/widget/LockPatternUtils.java b/core/java/com/android/internal/widget/LockPatternUtils.java
index 4f4c8c3..540c438 100644
--- a/core/java/com/android/internal/widget/LockPatternUtils.java
+++ b/core/java/com/android/internal/widget/LockPatternUtils.java
@@ -1599,6 +1599,11 @@
public static final int STRONG_AUTH_REQUIRED_AFTER_USER_LOCKDOWN = 0x20;
/**
+ * Strong authentication is required to prepare for unattended upgrade.
+ */
+ public static final int STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE = 0x40;
+
+ /**
* Strong auth flags that do not prevent biometric methods from being accepted as auth.
* If any other flags are set, biometric authentication is disabled.
*/
diff --git a/core/java/com/android/internal/widget/LockSettingsInternal.java b/core/java/com/android/internal/widget/LockSettingsInternal.java
index dd05576..90a18ef 100644
--- a/core/java/com/android/internal/widget/LockSettingsInternal.java
+++ b/core/java/com/android/internal/widget/LockSettingsInternal.java
@@ -77,4 +77,34 @@
* @return the user password metrics.
*/
public abstract @Nullable PasswordMetrics getUserPasswordMetrics(int userHandle);
+
+ /**
+ * Prepare for reboot escrow. This triggers the strong auth to be required. After the escrow
+ * is complete as indicated by calling to the listener registered with {@link
+ * #setRebootEscrowListener}, then {@link #armRebootEscrow()} should be called before
+ * rebooting to apply the update.
+ */
+ public abstract void prepareRebootEscrow();
+
+ /**
+ * Registers a listener for when the RebootEscrow HAL has stored its data needed for rebooting
+ * for an OTA.
+ *
+ * @see RebootEscrowListener
+ * @param listener
+ */
+ public abstract void setRebootEscrowListener(RebootEscrowListener listener);
+
+ /**
+ * Requests that any data needed for rebooting is cleared from the RebootEscrow HAL.
+ */
+ public abstract void clearRebootEscrow();
+
+ /**
+ * Should be called immediately before rebooting for an update. This depends on {@link
+ * #prepareRebootEscrow()} having been called and the escrow completing.
+ *
+ * @return true if the arming worked
+ */
+ public abstract boolean armRebootEscrow();
}
diff --git a/core/java/com/android/internal/widget/RebootEscrowListener.java b/core/java/com/android/internal/widget/RebootEscrowListener.java
new file mode 100644
index 0000000..1654532
--- /dev/null
+++ b/core/java/com/android/internal/widget/RebootEscrowListener.java
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.internal.widget;
+
+/**
+ * Private API to be notified about reboot escrow events.
+ *
+ * {@hide}
+ */
+public interface RebootEscrowListener {
+ /**
+ * Called when the preparation status has changed. When {@code prepared} is {@code true} the
+ * user has entered their lock screen knowledge factor (LSKF) and the HAL has confirmed that
+ * it is ready to retrieve the secret after a reboot. When {@code prepared} is {@code false}
+ * then those conditions are not true.
+ */
+ void onPreparedForReboot(boolean prepared);
+}
diff --git a/packages/SystemUI/res-keyguard/values/strings.xml b/packages/SystemUI/res-keyguard/values/strings.xml
index f7e9fed..4d184d5 100644
--- a/packages/SystemUI/res-keyguard/values/strings.xml
+++ b/packages/SystemUI/res-keyguard/values/strings.xml
@@ -240,6 +240,15 @@
<!-- Description of airplane mode -->
<string name="airplane_mode">Airplane mode</string>
+ <!-- An explanation text that the PIN needs to be entered to prepare for an operating system update. [CHAR LIMIT=80] -->
+ <string name="kg_prompt_reason_prepare_for_update_pin">PIN required to prepare for update</string>
+
+ <!-- An explanation text that the pattern needs to be entered to prepare for an operating system update. [CHAR LIMIT=80] -->
+ <string name="kg_prompt_reason_prepare_for_update_pattern">Pattern required to prepare for update</string>
+
+ <!-- An explanation text that the password needs to be entered to prepare for an operating system update. [CHAR LIMIT=80] -->
+ <string name="kg_prompt_reason_prepare_for_update_password">Password required to prepare for update</string>
+
<!-- An explanation text that the pattern needs to be solved since the device has just been restarted. [CHAR LIMIT=80] -->
<string name="kg_prompt_reason_restart_pattern">Pattern required after device restarts</string>
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
index 2c8f238..ed1cd81 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardHostView.java
@@ -168,8 +168,9 @@
*
* @param reason a flag indicating which string should be shown, see
* {@link KeyguardSecurityView#PROMPT_REASON_NONE},
- * {@link KeyguardSecurityView#PROMPT_REASON_RESTART} and
- * {@link KeyguardSecurityView#PROMPT_REASON_TIMEOUT}.
+ * {@link KeyguardSecurityView#PROMPT_REASON_RESTART},
+ * {@link KeyguardSecurityView#PROMPT_REASON_TIMEOUT}, and
+ * {@link KeyguardSecurityView#PROMPT_REASON_PREPARE_FOR_UPDATE}.
*/
public void showPromptReason(int reason) {
mSecurityContainer.showPromptReason(reason);
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
index f8f3dc8..718bcf1 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPasswordView.java
@@ -137,6 +137,8 @@
return R.string.kg_prompt_reason_device_admin;
case PROMPT_REASON_USER_REQUEST:
return R.string.kg_prompt_reason_user_request;
+ case PROMPT_REASON_PREPARE_FOR_UPDATE:
+ return R.string.kg_prompt_reason_prepare_for_update_password;
case PROMPT_REASON_NONE:
return 0;
default:
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
index 9eb168a..48c6bd1 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPatternView.java
@@ -438,6 +438,10 @@
case PROMPT_REASON_USER_REQUEST:
mSecurityMessageDisplay.setMessage(R.string.kg_prompt_reason_user_request);
break;
+ case PROMPT_REASON_PREPARE_FOR_UPDATE:
+ mSecurityMessageDisplay.setMessage(
+ R.string.kg_prompt_reason_prepare_for_update_pattern);
+ break;
case PROMPT_REASON_NONE:
break;
default:
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardPinBasedInputView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardPinBasedInputView.java
index c67decc..6d865ab 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardPinBasedInputView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardPinBasedInputView.java
@@ -116,6 +116,8 @@
return R.string.kg_prompt_reason_device_admin;
case PROMPT_REASON_USER_REQUEST:
return R.string.kg_prompt_reason_user_request;
+ case PROMPT_REASON_PREPARE_FOR_UPDATE:
+ return R.string.kg_prompt_reason_prepare_for_update_pin;
case PROMPT_REASON_NONE:
return 0;
default:
diff --git a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityView.java b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityView.java
index e108194..09d4d5f 100644
--- a/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityView.java
+++ b/packages/SystemUI/src/com/android/keyguard/KeyguardSecurityView.java
@@ -51,6 +51,11 @@
*/
int PROMPT_REASON_AFTER_LOCKOUT = 5;
+ /***
+ * Strong auth is require to prepare for an unattended update.
+ */
+ int PROMPT_REASON_PREPARE_FOR_UPDATE = 6;
+
/**
* Interface back to keyguard to tell it when security
* @param callback
diff --git a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
index c1934c6..e13c3e0 100644
--- a/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
+++ b/packages/SystemUI/src/com/android/systemui/keyguard/KeyguardViewMediator.java
@@ -22,6 +22,7 @@
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_DPM_LOCK_NOW;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_TIMEOUT;
+import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE;
import static com.android.systemui.DejankUtils.whitelistIpcs;
import android.app.ActivityManager;
@@ -670,6 +671,8 @@
return KeyguardSecurityView.PROMPT_REASON_USER_REQUEST;
} else if (any && (strongAuth & STRONG_AUTH_REQUIRED_AFTER_LOCKOUT) != 0) {
return KeyguardSecurityView.PROMPT_REASON_AFTER_LOCKOUT;
+ } else if (any && (strongAuth & STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE) != 0) {
+ return KeyguardSecurityView.PROMPT_REASON_PREPARE_FOR_UPDATE;
}
return KeyguardSecurityView.PROMPT_REASON_NONE;
}
diff --git a/services/core/Android.bp b/services/core/Android.bp
index 8d22300..a1f57cb 100644
--- a/services/core/Android.bp
+++ b/services/core/Android.bp
@@ -117,6 +117,7 @@
"android.hardware.oemlock-V1.0-java",
"android.hardware.configstore-V1.0-java",
"android.hardware.contexthub-V1.0-java",
+ "android.hardware.rebootescrow-java",
"android.hardware.soundtrigger-V2.3-java",
"android.hidl.manager-V1.2-java",
"dnsresolver_aidl_interface-V2-java",
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index 4546ea4..7233f34 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -20,6 +20,7 @@
import static android.Manifest.permission.READ_CONTACTS;
import static android.content.Context.KEYGUARD_SERVICE;
import static android.content.pm.PackageManager.PERMISSION_GRANTED;
+import static android.os.UserHandle.USER_ALL;
import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_NONE;
import static com.android.internal.widget.LockPatternUtils.CREDENTIAL_TYPE_PASSWORD;
@@ -29,6 +30,7 @@
import static com.android.internal.widget.LockPatternUtils.EscrowTokenStateChangeCallback;
import static com.android.internal.widget.LockPatternUtils.SYNTHETIC_PASSWORD_HANDLE_KEY;
import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_LOCKOUT;
+import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE;
import static com.android.internal.widget.LockPatternUtils.USER_FRP;
import static com.android.internal.widget.LockPatternUtils.frpCredentialEnabled;
import static com.android.internal.widget.LockPatternUtils.userOwnsFrpCredential;
@@ -118,6 +120,7 @@
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockSettingsInternal;
import com.android.internal.widget.LockscreenCredential;
+import com.android.internal.widget.RebootEscrowListener;
import com.android.internal.widget.VerifyCredentialResponse;
import com.android.server.LocalServices;
import com.android.server.ServiceThread;
@@ -222,7 +225,10 @@
private final RecoverableKeyStoreManager mRecoverableKeyStoreManager;
+ private final RebootEscrowManager mRebootEscrowManager;
+
private boolean mFirstCallToVold;
+
// Current password metric for all users on the device. Updated when user unlocks
// the device or changes password. Removed when user is stopped.
@GuardedBy("this")
@@ -483,6 +489,11 @@
new PasswordSlotManager());
}
+ public RebootEscrowManager getRebootEscrowManager(RebootEscrowManager.Callbacks callbacks,
+ LockSettingsStorage storage) {
+ return new RebootEscrowManager(mContext, callbacks, storage);
+ }
+
public boolean hasEnrolledBiometrics(int userId) {
BiometricManager bm = mContext.getSystemService(BiometricManager.class);
return bm.hasEnrolledBiometrics(userId);
@@ -550,6 +561,9 @@
mSpManager = injector.getSyntheticPasswordManager(mStorage);
+ mRebootEscrowManager = injector.getRebootEscrowManager(new RebootEscrowCallbacks(),
+ mStorage);
+
LocalServices.addService(LockSettingsInternal.class, new LocalService());
}
@@ -782,7 +796,14 @@
migrateOldData();
getGateKeeperService();
mSpManager.initWeaverService();
- // Find the AuthSecret HAL
+ getAuthSecretHal();
+ mDeviceProvisionedObserver.onSystemReady();
+ mRebootEscrowManager.loadRebootEscrowDataIfAvailable();
+ // TODO: maybe skip this for split system user mode.
+ mStorage.prefetchUser(UserHandle.USER_SYSTEM);
+ }
+
+ private void getAuthSecretHal() {
try {
mAuthSecretService = IAuthSecret.getService();
} catch (NoSuchElementException e) {
@@ -790,9 +811,6 @@
} catch (RemoteException e) {
Slog.w(TAG, "Failed to get AuthSecret HAL", e);
}
- mDeviceProvisionedObserver.onSystemReady();
- // TODO: maybe skip this for split system user mode.
- mStorage.prefetchUser(UserHandle.USER_SYSTEM);
}
private void migrateOldData() {
@@ -2466,10 +2484,18 @@
private void onAuthTokenKnownForUser(@UserIdInt int userId, AuthenticationToken auth) {
if (mInjector.isGsiRunning()) {
- Slog.w(TAG, "AuthSecret disabled in GSI");
+ Slog.w(TAG, "Running in GSI; skipping calls to AuthSecret and RebootEscrow");
return;
}
+ mRebootEscrowManager.callToRebootEscrowIfNeeded(userId, auth.getVersion(),
+ auth.getSyntheticPassword());
+
+ callToAuthSecretIfNeeded(userId, auth);
+ }
+
+ private void callToAuthSecretIfNeeded(@UserIdInt int userId,
+ AuthenticationToken auth) {
// Pass the primary user's auth secret to the HAL
if (mAuthSecretService != null && mUserManager.getUserInfo(userId).isPrimary()) {
try {
@@ -3288,5 +3314,46 @@
return LockSettingsService.this.getUserPasswordMetrics(userHandle);
}
+ @Override
+ public void prepareRebootEscrow() {
+ if (!mRebootEscrowManager.prepareRebootEscrow()) {
+ return;
+ }
+ mStrongAuth.requireStrongAuth(STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE, USER_ALL);
+ }
+
+ @Override
+ public void setRebootEscrowListener(RebootEscrowListener listener) {
+ mRebootEscrowManager.setRebootEscrowListener(listener);
+ }
+
+ @Override
+ public void clearRebootEscrow() {
+ if (!mRebootEscrowManager.clearRebootEscrow()) {
+ return;
+ }
+ mStrongAuth.noLongerRequireStrongAuth(STRONG_AUTH_REQUIRED_FOR_UNATTENDED_UPDATE,
+ USER_ALL);
+ }
+
+ @Override
+ public boolean armRebootEscrow() {
+ return mRebootEscrowManager.armRebootEscrowIfNeeded();
+ }
+ }
+
+ private class RebootEscrowCallbacks implements RebootEscrowManager.Callbacks {
+ @Override
+ public boolean isUserSecure(int userId) {
+ return LockSettingsService.this.isUserSecure(userId);
+ }
+
+ @Override
+ public void onRebootEscrowRestored(byte spVersion, byte[] syntheticPassword, int userId) {
+ SyntheticPasswordManager.AuthenticationToken
+ authToken = new SyntheticPasswordManager.AuthenticationToken(spVersion);
+ authToken.recreateDirectly(syntheticPassword);
+ onCredentialVerified(authToken, CHALLENGE_NONE, 0, null, userId);
+ }
}
}
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsStorage.java b/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
index 3dab3ce..fec0189 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsStorage.java
@@ -81,6 +81,8 @@
private static final String LOCK_PASSWORD_FILE = "gatekeeper.password.key";
private static final String CHILD_PROFILE_LOCK_FILE = "gatekeeper.profile.key";
+ private static final String REBOOT_ESCROW_FILE = "reboot.escrow.key";
+
private static final String SYNTHETIC_PASSWORD_DIRECTORY = "spblob/";
private static final Object DEFAULT = new Object();
@@ -261,6 +263,22 @@
return hasFile(getChildProfileLockFile(userId));
}
+ public void writeRebootEscrow(int userId, byte[] rebootEscrow) {
+ writeFile(getRebootEscrowFile(userId), rebootEscrow);
+ }
+
+ public byte[] readRebootEscrow(int userId) {
+ return readFile(getRebootEscrowFile(userId));
+ }
+
+ public boolean hasRebootEscrow(int userId) {
+ return hasFile(getRebootEscrowFile(userId));
+ }
+
+ public void removeRebootEscrow(int userId) {
+ deleteFile(getRebootEscrowFile(userId));
+ }
+
public boolean hasPassword(int userId) {
return hasFile(getLockPasswordFilename(userId));
}
@@ -384,6 +402,11 @@
return getLockCredentialFilePathForUser(userId, CHILD_PROFILE_LOCK_FILE);
}
+ @VisibleForTesting
+ String getRebootEscrowFile(int userId) {
+ return getLockCredentialFilePathForUser(userId, REBOOT_ESCROW_FILE);
+ }
+
private String getLockCredentialFilePathForUser(int userId, String basename) {
String dataSystemDirectory = Environment.getDataDirectory().getAbsolutePath() +
SYSTEM_DIRECTORY;
@@ -479,18 +502,10 @@
if (parentInfo == null) {
// This user owns its lock settings files - safe to delete them
synchronized (mFileWriteLock) {
- String name = getLockPasswordFilename(userId);
- File file = new File(name);
- if (file.exists()) {
- file.delete();
- mCache.putFile(name, null);
- }
- name = getLockPatternFilename(userId);
- file = new File(name);
- if (file.exists()) {
- file.delete();
- mCache.putFile(name, null);
- }
+ deleteFilesAndRemoveCache(
+ getLockPasswordFilename(userId),
+ getLockPatternFilename(userId),
+ getRebootEscrowFile(userId));
}
} else {
// Managed profile
@@ -512,6 +527,16 @@
}
}
+ private void deleteFilesAndRemoveCache(String... names) {
+ for (String name : names) {
+ File file = new File(name);
+ if (file.exists()) {
+ file.delete();
+ mCache.putFile(name, null);
+ }
+ }
+ }
+
@VisibleForTesting
void closeDatabase() {
mOpenHelper.close();
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java b/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java
index a84306c..91cf53e 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsStrongAuth.java
@@ -16,10 +16,8 @@
package com.android.server.locksettings;
-import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker
- .STRONG_AUTH_NOT_REQUIRED;
-import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker
- .STRONG_AUTH_REQUIRED_AFTER_TIMEOUT;
+import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_NOT_REQUIRED;
+import static com.android.internal.widget.LockPatternUtils.StrongAuthTracker.STRONG_AUTH_REQUIRED_AFTER_TIMEOUT;
import android.app.AlarmManager;
import android.app.AlarmManager.OnAlarmListener;
@@ -50,6 +48,7 @@
private static final int MSG_UNREGISTER_TRACKER = 3;
private static final int MSG_REMOVE_USER = 4;
private static final int MSG_SCHEDULE_STRONG_AUTH_TIMEOUT = 5;
+ private static final int MSG_NO_LONGER_REQUIRE_STRONG_AUTH = 6;
private static final String STRONG_AUTH_TIMEOUT_ALARM_TAG =
"LockSettingsStrongAuth.timeoutForUser";
@@ -109,6 +108,26 @@
}
}
+ private void handleNoLongerRequireStrongAuth(int strongAuthReason, int userId) {
+ if (userId == UserHandle.USER_ALL) {
+ for (int i = 0; i < mStrongAuthForUser.size(); i++) {
+ int key = mStrongAuthForUser.keyAt(i);
+ handleNoLongerRequireStrongAuthOneUser(strongAuthReason, key);
+ }
+ } else {
+ handleNoLongerRequireStrongAuthOneUser(strongAuthReason, userId);
+ }
+ }
+
+ private void handleNoLongerRequireStrongAuthOneUser(int strongAuthReason, int userId) {
+ int oldValue = mStrongAuthForUser.get(userId, mDefaultStrongAuthFlags);
+ int newValue = oldValue & ~strongAuthReason;
+ if (oldValue != newValue) {
+ mStrongAuthForUser.put(userId, newValue);
+ notifyStrongAuthTrackers(newValue, userId);
+ }
+ }
+
private void handleRemoveUser(int userId) {
int index = mStrongAuthForUser.indexOfKey(userId);
if (index >= 0) {
@@ -174,6 +193,16 @@
}
}
+ void noLongerRequireStrongAuth(int strongAuthReason, int userId) {
+ if (userId == UserHandle.USER_ALL || userId >= UserHandle.USER_SYSTEM) {
+ mHandler.obtainMessage(MSG_NO_LONGER_REQUIRE_STRONG_AUTH, strongAuthReason,
+ userId).sendToTarget();
+ } else {
+ throw new IllegalArgumentException(
+ "userId must be an explicit user id or USER_ALL");
+ }
+ }
+
public void reportUnlock(int userId) {
requireStrongAuth(STRONG_AUTH_NOT_REQUIRED, userId);
}
@@ -216,6 +245,9 @@
case MSG_SCHEDULE_STRONG_AUTH_TIMEOUT:
handleScheduleStrongAuthTimeout(msg.arg1);
break;
+ case MSG_NO_LONGER_REQUIRE_STRONG_AUTH:
+ handleNoLongerRequireStrongAuth(msg.arg1, msg.arg2);
+ break;
}
}
};
diff --git a/services/core/java/com/android/server/locksettings/RebootEscrowData.java b/services/core/java/com/android/server/locksettings/RebootEscrowData.java
new file mode 100644
index 0000000..aee608e
--- /dev/null
+++ b/services/core/java/com/android/server/locksettings/RebootEscrowData.java
@@ -0,0 +1,178 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings;
+
+import com.android.internal.util.Preconditions;
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.DataInputStream;
+import java.io.DataOutputStream;
+import java.io.IOException;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.Cipher;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.KeyGenerator;
+import javax.crypto.NoSuchPaddingException;
+import javax.crypto.SecretKey;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * Holds the data necessary to complete a reboot escrow of the Synthetic Password.
+ */
+class RebootEscrowData {
+ /**
+ * This is the current version of the escrow data format. This should be incremented if the
+ * format on disk is changed.
+ */
+ private static final int CURRENT_VERSION = 1;
+
+ /** The secret key will be of this format. */
+ private static final String KEY_ALGO = "AES";
+
+ /** The key size used for encrypting the reboot escrow data. */
+ private static final int KEY_SIZE_BITS = 256;
+
+ /** The algorithm used for the encryption of the key blob. */
+ private static final String CIPHER_ALGO = "AES/GCM/NoPadding";
+
+ private RebootEscrowData(byte spVersion, byte[] iv, byte[] syntheticPassword, byte[] blob,
+ byte[] key) {
+ mSpVersion = spVersion;
+ mIv = iv;
+ mSyntheticPassword = syntheticPassword;
+ mBlob = blob;
+ mKey = key;
+ }
+
+ private final byte mSpVersion;
+ private final byte[] mIv;
+ private final byte[] mSyntheticPassword;
+ private final byte[] mBlob;
+ private final byte[] mKey;
+
+ public byte getSpVersion() {
+ return mSpVersion;
+ }
+
+ public byte[] getIv() {
+ return mIv;
+ }
+
+ public byte[] getSyntheticPassword() {
+ return mSyntheticPassword;
+ }
+
+ public byte[] getBlob() {
+ return mBlob;
+ }
+
+ public byte[] getKey() {
+ return mKey;
+ }
+
+ static SecretKeySpec fromKeyBytes(byte[] keyBytes) {
+ return new SecretKeySpec(keyBytes, KEY_ALGO);
+ }
+
+ static RebootEscrowData fromEncryptedData(SecretKeySpec keySpec, byte[] blob)
+ throws IOException {
+ Preconditions.checkNotNull(keySpec);
+ Preconditions.checkNotNull(blob);
+
+ DataInputStream dis = new DataInputStream(new ByteArrayInputStream(blob));
+ int version = dis.readInt();
+ if (version != CURRENT_VERSION) {
+ throw new IOException("Unsupported version " + version);
+ }
+
+ byte spVersion = dis.readByte();
+
+ int ivSize = dis.readInt();
+ if (ivSize < 0 || ivSize > 32) {
+ throw new IOException("IV out of range: " + ivSize);
+ }
+ byte[] iv = new byte[ivSize];
+ dis.readFully(iv);
+
+ int cipherTextSize = dis.readInt();
+ if (cipherTextSize < 0) {
+ throw new IOException("Invalid cipher text size: " + cipherTextSize);
+ }
+
+ byte[] cipherText = new byte[cipherTextSize];
+ dis.readFully(cipherText);
+
+ final byte[] syntheticPassword;
+ try {
+ Cipher c = Cipher.getInstance(CIPHER_ALGO);
+ c.init(Cipher.DECRYPT_MODE, keySpec, new IvParameterSpec(iv));
+ syntheticPassword = c.doFinal(cipherText);
+ } catch (NoSuchAlgorithmException | InvalidKeyException | BadPaddingException
+ | IllegalBlockSizeException | NoSuchPaddingException
+ | InvalidAlgorithmParameterException e) {
+ throw new IOException("Could not decrypt ciphertext", e);
+ }
+
+ return new RebootEscrowData(spVersion, iv, syntheticPassword, blob, keySpec.getEncoded());
+ }
+
+ static RebootEscrowData fromSyntheticPassword(byte spVersion, byte[] syntheticPassword)
+ throws IOException {
+ Preconditions.checkNotNull(syntheticPassword);
+
+ ByteArrayOutputStream bos = new ByteArrayOutputStream();
+ DataOutputStream dos = new DataOutputStream(bos);
+
+ final SecretKey secretKey;
+ try {
+ KeyGenerator keyGenerator = KeyGenerator.getInstance(KEY_ALGO);
+ keyGenerator.init(KEY_SIZE_BITS, new SecureRandom());
+ secretKey = keyGenerator.generateKey();
+ } catch (NoSuchAlgorithmException e) {
+ throw new IOException("Could not generate new secret key", e);
+ }
+
+ final byte[] cipherText;
+ final byte[] iv;
+ try {
+ Cipher cipher = Cipher.getInstance(CIPHER_ALGO);
+ cipher.init(Cipher.ENCRYPT_MODE, secretKey);
+ cipherText = cipher.doFinal(syntheticPassword);
+ iv = cipher.getIV();
+ } catch (NoSuchAlgorithmException | BadPaddingException | IllegalBlockSizeException
+ | NoSuchPaddingException | InvalidKeyException e) {
+ throw new IOException("Could not encrypt reboot escrow data", e);
+ }
+
+ dos.writeInt(CURRENT_VERSION);
+ dos.writeByte(spVersion);
+ dos.writeInt(iv.length);
+ dos.write(iv);
+ dos.writeInt(cipherText.length);
+ dos.write(cipherText);
+
+ return new RebootEscrowData(spVersion, iv, syntheticPassword, bos.toByteArray(),
+ secretKey.getEncoded());
+ }
+}
diff --git a/services/core/java/com/android/server/locksettings/RebootEscrowManager.java b/services/core/java/com/android/server/locksettings/RebootEscrowManager.java
new file mode 100644
index 0000000..d2e54f9
--- /dev/null
+++ b/services/core/java/com/android/server/locksettings/RebootEscrowManager.java
@@ -0,0 +1,275 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings;
+
+import android.annotation.Nullable;
+import android.annotation.UserIdInt;
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.hardware.rebootescrow.IRebootEscrow;
+import android.os.RemoteException;
+import android.os.ServiceManager;
+import android.os.UserManager;
+import android.util.Slog;
+
+import com.android.internal.annotations.VisibleForTesting;
+import com.android.internal.widget.RebootEscrowListener;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.NoSuchElementException;
+import java.util.concurrent.atomic.AtomicBoolean;
+
+import javax.crypto.spec.SecretKeySpec;
+
+class RebootEscrowManager {
+ private static final String TAG = "RebootEscrowManager";
+
+ /**
+ * Used to track when the reboot escrow is wanted. Set to false when mRebootEscrowReady is
+ * true.
+ */
+ private final AtomicBoolean mRebootEscrowWanted = new AtomicBoolean(false);
+
+ /** Used to track when reboot escrow is ready. */
+ private boolean mRebootEscrowReady;
+
+ /** Notified when mRebootEscrowReady changes. */
+ private RebootEscrowListener mRebootEscrowListener;
+
+ /**
+ * Stores the reboot escrow data between when it's supplied and when
+ * {@link #armRebootEscrowIfNeeded()} is called.
+ */
+ private RebootEscrowData mPendingRebootEscrowData;
+
+ private final UserManager mUserManager;
+
+ private final Injector mInjector;
+
+ private final LockSettingsStorage mStorage;
+
+ private final Callbacks mCallbacks;
+
+ interface Callbacks {
+ boolean isUserSecure(int userId);
+ void onRebootEscrowRestored(byte spVersion, byte[] syntheticPassword, int userId);
+ }
+
+ static class Injector {
+ protected Context mContext;
+
+ Injector(Context context) {
+ mContext = context;
+ }
+
+ public Context getContext() {
+ return mContext;
+ }
+ public UserManager getUserManager() {
+ return (UserManager) mContext.getSystemService(Context.USER_SERVICE);
+ }
+
+ public @Nullable IRebootEscrow getRebootEscrow() {
+ try {
+ return IRebootEscrow.Stub.asInterface(ServiceManager.getService(
+ "android.hardware.rebootescrow.IRebootEscrow/default"));
+ } catch (NoSuchElementException e) {
+ Slog.i(TAG, "Device doesn't implement RebootEscrow HAL");
+ }
+ return null;
+ }
+ }
+
+ RebootEscrowManager(Context context, Callbacks callbacks, LockSettingsStorage storage) {
+ this(new Injector(context), callbacks, storage);
+ }
+
+ @VisibleForTesting
+ RebootEscrowManager(Injector injector, Callbacks callbacks,
+ LockSettingsStorage storage) {
+ mInjector = injector;
+ mCallbacks = callbacks;
+ mStorage = storage;
+ mUserManager = injector.getUserManager();
+ }
+
+ void loadRebootEscrowDataIfAvailable() {
+ IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
+ if (rebootEscrow == null) {
+ return;
+ }
+
+ final SecretKeySpec escrowKey;
+ try {
+ byte[] escrowKeyBytes = rebootEscrow.retrieveKey();
+ if (escrowKeyBytes == null) {
+ return;
+ } else if (escrowKeyBytes.length != 32) {
+ Slog.e(TAG, "IRebootEscrow returned key of incorrect size "
+ + escrowKeyBytes.length);
+ return;
+ }
+
+ // Make sure we didn't get the null key.
+ int zero = 0;
+ for (int i = 0; i < escrowKeyBytes.length; i++) {
+ zero |= escrowKeyBytes[i];
+ }
+ if (zero == 0) {
+ Slog.w(TAG, "IRebootEscrow returned an all-zeroes key");
+ return;
+ }
+
+ // Overwrite the existing key with the null key
+ rebootEscrow.storeKey(new byte[32]);
+
+ escrowKey = RebootEscrowData.fromKeyBytes(escrowKeyBytes);
+ } catch (RemoteException e) {
+ Slog.w(TAG, "Could not retrieve escrow data");
+ return;
+ }
+
+ List<UserInfo> users = mUserManager.getUsers();
+ for (UserInfo user : users) {
+ if (mCallbacks.isUserSecure(user.id)) {
+ restoreRebootEscrowForUser(user.id, escrowKey);
+ }
+ }
+ }
+
+ private void restoreRebootEscrowForUser(@UserIdInt int userId, SecretKeySpec escrowKey) {
+ if (!mStorage.hasRebootEscrow(userId)) {
+ return;
+ }
+
+ try {
+ byte[] blob = mStorage.readRebootEscrow(userId);
+ mStorage.removeRebootEscrow(userId);
+
+ RebootEscrowData escrowData = RebootEscrowData.fromEncryptedData(escrowKey, blob);
+
+ mCallbacks.onRebootEscrowRestored(escrowData.getSpVersion(),
+ escrowData.getSyntheticPassword(), userId);
+ } catch (IOException e) {
+ Slog.w(TAG, "Could not load reboot escrow data for user " + userId, e);
+ }
+ }
+
+ void callToRebootEscrowIfNeeded(@UserIdInt int userId, byte spVersion,
+ byte[] syntheticPassword) {
+ if (!mRebootEscrowWanted.compareAndSet(true, false)) {
+ return;
+ }
+
+ IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
+ if (rebootEscrow == null) {
+ setRebootEscrowReady(false);
+ return;
+ }
+
+ final RebootEscrowData escrowData;
+ try {
+ escrowData = RebootEscrowData.fromSyntheticPassword(spVersion, syntheticPassword);
+ } catch (IOException e) {
+ setRebootEscrowReady(false);
+ Slog.w(TAG, "Could not escrow reboot data", e);
+ return;
+ }
+
+ mPendingRebootEscrowData = escrowData;
+ mStorage.writeRebootEscrow(userId, escrowData.getBlob());
+
+ setRebootEscrowReady(true);
+ }
+
+ private void clearRebootEscrowIfNeeded() {
+ mRebootEscrowWanted.set(false);
+ setRebootEscrowReady(false);
+
+ IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
+ if (rebootEscrow == null) {
+ return;
+ }
+
+ try {
+ rebootEscrow.storeKey(new byte[32]);
+ } catch (RemoteException e) {
+ Slog.w(TAG, "Could not call RebootEscrow HAL to shred key");
+ }
+
+ List<UserInfo> users = mUserManager.getUsers();
+ for (UserInfo user : users) {
+ mStorage.removeRebootEscrow(user.id);
+ }
+ }
+
+ boolean armRebootEscrowIfNeeded() {
+ if (!mRebootEscrowReady) {
+ return false;
+ }
+
+ IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
+ if (rebootEscrow == null) {
+ return false;
+ }
+
+ RebootEscrowData escrowData = mPendingRebootEscrowData;
+ if (escrowData == null) {
+ return false;
+ }
+
+ boolean armedRebootEscrow = false;
+ try {
+ rebootEscrow.storeKey(escrowData.getKey());
+ armedRebootEscrow = true;
+ } catch (RemoteException e) {
+ Slog.w(TAG, "Failed escrow secret to RebootEscrow HAL", e);
+ }
+ return armedRebootEscrow;
+ }
+
+ private void setRebootEscrowReady(boolean ready) {
+ if (mRebootEscrowReady != ready) {
+ mRebootEscrowListener.onPreparedForReboot(ready);
+ }
+ mRebootEscrowReady = ready;
+ }
+
+ boolean prepareRebootEscrow() {
+ if (mInjector.getRebootEscrow() == null) {
+ return false;
+ }
+
+ clearRebootEscrowIfNeeded();
+ mRebootEscrowWanted.set(true);
+ return true;
+ }
+
+ boolean clearRebootEscrow() {
+ if (mInjector.getRebootEscrow() == null) {
+ return false;
+ }
+
+ clearRebootEscrowIfNeeded();
+ return true;
+ }
+
+ void setRebootEscrowListener(RebootEscrowListener listener) {
+ mRebootEscrowListener = listener;
+ }
+}
diff --git a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
index 0fe16be..b726e57 100644
--- a/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
+++ b/services/core/java/com/android/server/locksettings/SyntheticPasswordManager.java
@@ -38,7 +38,6 @@
import com.android.internal.annotations.VisibleForTesting;
import com.android.internal.util.ArrayUtils;
-import com.android.internal.util.Preconditions;
import com.android.internal.widget.ICheckCredentialProgressCallback;
import com.android.internal.widget.LockPatternUtils;
import com.android.internal.widget.LockscreenCredential;
@@ -285,6 +284,14 @@
public byte[] getSyntheticPassword() {
return mSyntheticPassword;
}
+
+ /**
+ * Returns the version of this AuthenticationToken for use with reconstructing
+ * this with a synthetic password version.
+ */
+ public byte getVersion() {
+ return mVersion;
+ }
}
static class PasswordData {
diff --git a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
index fdb14be..c36d5ef 100644
--- a/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
+++ b/services/core/java/com/android/server/recoverysystem/RecoverySystemService.java
@@ -17,8 +17,10 @@
package com.android.server.recoverysystem;
import android.content.Context;
+import android.content.IntentSender;
import android.net.LocalSocket;
import android.net.LocalSocketAddress;
+import android.os.Binder;
import android.os.IRecoverySystem;
import android.os.IRecoverySystemProgressListener;
import android.os.PowerManager;
@@ -28,6 +30,9 @@
import android.util.Slog;
import com.android.internal.annotations.VisibleForTesting;
+import com.android.internal.widget.LockSettingsInternal;
+import com.android.internal.widget.RebootEscrowListener;
+import com.android.server.LocalServices;
import com.android.server.SystemService;
import libcore.io.IoUtils;
@@ -45,7 +50,7 @@
* triggers /system/bin/uncrypt via init to de-encrypt an OTA package on the
* /data partition so that it can be accessed under the recovery image.
*/
-public class RecoverySystemService extends IRecoverySystem.Stub {
+public class RecoverySystemService extends IRecoverySystem.Stub implements RebootEscrowListener {
private static final String TAG = "RecoverySystemService";
private static final boolean DEBUG = false;
@@ -67,6 +72,10 @@
private final Injector mInjector;
private final Context mContext;
+ private boolean mPreparedForReboot;
+ private String mUnattendedRebootToken;
+ private IntentSender mPreparedForRebootIntentSender;
+
static class Injector {
protected final Context mContext;
@@ -78,6 +87,10 @@
return mContext;
}
+ public LockSettingsInternal getLockSettingsService() {
+ return LocalServices.getService(LockSettingsInternal.class);
+ }
+
public PowerManager getPowerManager() {
return (PowerManager) mContext.getSystemService(Context.POWER_SERVICE);
}
@@ -120,14 +133,23 @@
* Handles the lifecycle events for the RecoverySystemService.
*/
public static final class Lifecycle extends SystemService {
+ private RecoverySystemService mRecoverySystemService;
+
public Lifecycle(Context context) {
super(context);
}
@Override
+ public void onBootPhase(int phase) {
+ if (phase == SystemService.PHASE_SYSTEM_SERVICES_READY) {
+ mRecoverySystemService.onSystemServicesReady();
+ }
+ }
+
+ @Override
public void onStart() {
- RecoverySystemService recoverySystemService = new RecoverySystemService(getContext());
- publishBinderService(Context.RECOVERY_SERVICE, recoverySystemService);
+ mRecoverySystemService = new RecoverySystemService(getContext());
+ publishBinderService(Context.RECOVERY_SERVICE, mRecoverySystemService);
}
}
@@ -141,6 +163,11 @@
mContext = injector.getContext();
}
+ @VisibleForTesting
+ void onSystemServicesReady() {
+ mInjector.getLockSettingsService().setRebootEscrowListener(this);
+ }
+
@Override // Binder call
public boolean uncrypt(String filename, IRecoverySystemProgressListener listener) {
if (DEBUG) Slog.d(TAG, "uncrypt: " + filename);
@@ -255,6 +282,95 @@
}
}
+ @Override // Binder call
+ public boolean requestLskf(String updateToken, IntentSender intentSender) {
+ mContext.enforceCallingOrSelfPermission(android.Manifest.permission.RECOVERY, null);
+
+ if (updateToken == null) {
+ return false;
+ }
+
+ // No need to prepare again for the same token.
+ if (mPreparedForReboot && updateToken.equals(mUnattendedRebootToken)) {
+ return true;
+ }
+
+ mPreparedForReboot = false;
+ mUnattendedRebootToken = updateToken;
+ mPreparedForRebootIntentSender = intentSender;
+
+ final long origId = Binder.clearCallingIdentity();
+ try {
+ mInjector.getLockSettingsService().prepareRebootEscrow();
+ } finally {
+ Binder.restoreCallingIdentity(origId);
+ }
+
+ return true;
+ }
+
+ @Override
+ public void onPreparedForReboot(boolean ready) {
+ if (mUnattendedRebootToken == null) {
+ Slog.w(TAG, "onPreparedForReboot called when mUnattendedRebootToken is null");
+ }
+
+ mPreparedForReboot = ready;
+ if (ready) {
+ sendPreparedForRebootIntentIfNeeded();
+ }
+ }
+
+ private void sendPreparedForRebootIntentIfNeeded() {
+ final IntentSender intentSender = mPreparedForRebootIntentSender;
+ if (intentSender != null) {
+ try {
+ intentSender.sendIntent(null, 0, null, null, null);
+ } catch (IntentSender.SendIntentException e) {
+ Slog.w(TAG, "Could not send intent for prepared reboot: " + e.getMessage());
+ }
+ }
+ }
+
+ @Override // Binder call
+ public boolean clearLskf() {
+ mContext.enforceCallingOrSelfPermission(android.Manifest.permission.RECOVERY, null);
+
+ mPreparedForReboot = false;
+ mUnattendedRebootToken = null;
+ mPreparedForRebootIntentSender = null;
+
+ final long origId = Binder.clearCallingIdentity();
+ try {
+ mInjector.getLockSettingsService().clearRebootEscrow();
+ } finally {
+ Binder.restoreCallingIdentity(origId);
+ }
+
+ return true;
+ }
+
+ @Override // Binder call
+ public boolean rebootWithLskf(String updateToken, String reason) {
+ mContext.enforceCallingOrSelfPermission(android.Manifest.permission.RECOVERY, null);
+
+ if (!mPreparedForReboot) {
+ return false;
+ }
+
+ if (updateToken != null && updateToken.equals(mUnattendedRebootToken)) {
+ if (!mInjector.getLockSettingsService().armRebootEscrow()) {
+ return false;
+ }
+
+ PowerManager pm = mInjector.getPowerManager();
+ pm.reboot(reason);
+ return true;
+ }
+
+ return false;
+ }
+
/**
* Check if any of the init services is still running. If so, we cannot
* start a new uncrypt/setup-bcb/clear-bcb service right away; otherwise
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowDataTest.java b/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowDataTest.java
new file mode 100644
index 0000000..54c552b
--- /dev/null
+++ b/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowDataTest.java
@@ -0,0 +1,76 @@
+/*
+ * Copyright (C) 2019 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+
+import androidx.test.runner.AndroidJUnit4;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import javax.crypto.spec.SecretKeySpec;
+
+/**
+ * atest FrameworksServicesTests:RebootEscrowDataTest
+ */
+@RunWith(AndroidJUnit4.class)
+public class RebootEscrowDataTest {
+ private static byte[] getTestSp() {
+ byte[] testSp = new byte[10];
+ for (int i = 0; i < testSp.length; i++) {
+ testSp[i] = (byte) i;
+ }
+ return testSp;
+ }
+
+ @Test(expected = NullPointerException.class)
+ public void fromEntries_failsOnNull() throws Exception {
+ RebootEscrowData.fromSyntheticPassword((byte) 2, null);
+ }
+
+ @Test(expected = NullPointerException.class)
+ public void fromEncryptedData_failsOnNullData() throws Exception {
+ byte[] testSp = getTestSp();
+ RebootEscrowData expected = RebootEscrowData.fromSyntheticPassword((byte) 2, testSp);
+ SecretKeySpec key = RebootEscrowData.fromKeyBytes(expected.getKey());
+ RebootEscrowData.fromEncryptedData(key, null);
+ }
+
+ @Test(expected = NullPointerException.class)
+ public void fromEncryptedData_failsOnNullKey() throws Exception {
+ byte[] testSp = getTestSp();
+ RebootEscrowData expected = RebootEscrowData.fromSyntheticPassword((byte) 2, testSp);
+ RebootEscrowData.fromEncryptedData(null, expected.getBlob());
+ }
+
+ @Test
+ public void fromEntries_loopback_success() throws Exception {
+ byte[] testSp = getTestSp();
+ RebootEscrowData expected = RebootEscrowData.fromSyntheticPassword((byte) 2, testSp);
+
+ SecretKeySpec key = RebootEscrowData.fromKeyBytes(expected.getKey());
+ RebootEscrowData actual = RebootEscrowData.fromEncryptedData(key, expected.getBlob());
+
+ assertThat(actual.getSpVersion(), is(expected.getSpVersion()));
+ assertThat(actual.getIv(), is(expected.getIv()));
+ assertThat(actual.getKey(), is(expected.getKey()));
+ assertThat(actual.getBlob(), is(expected.getBlob()));
+ assertThat(actual.getSyntheticPassword(), is(expected.getSyntheticPassword()));
+ }
+}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowManagerTests.java b/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowManagerTests.java
new file mode 100644
index 0000000..78a5a0b
--- /dev/null
+++ b/services/tests/servicestests/src/com/android/server/locksettings/RebootEscrowManagerTests.java
@@ -0,0 +1,171 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.android.server.locksettings;
+
+import static android.content.pm.UserInfo.FLAG_FULL;
+import static android.content.pm.UserInfo.FLAG_PRIMARY;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.clearInvocations;
+import static org.mockito.Mockito.doThrow;
+import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
+import static org.mockito.Mockito.when;
+
+import android.content.Context;
+import android.content.pm.UserInfo;
+import android.hardware.rebootescrow.IRebootEscrow;
+import android.os.RemoteException;
+import android.os.UserManager;
+import android.platform.test.annotations.Presubmit;
+
+import androidx.test.InstrumentationRegistry;
+import androidx.test.filters.SmallTest;
+import androidx.test.runner.AndroidJUnit4;
+
+import com.android.internal.widget.RebootEscrowListener;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import java.io.File;
+import java.util.ArrayList;
+
+@SmallTest
+@Presubmit
+@RunWith(AndroidJUnit4.class)
+public class RebootEscrowManagerTests {
+ protected static final int PRIMARY_USER_ID = 0;
+ protected static final int NONSECURE_USER_ID = 10;
+ private static final byte FAKE_SP_VERSION = 1;
+ private static final byte[] FAKE_AUTH_TOKEN = new byte[] {
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+ };
+
+ private Context mContext;
+ private UserManager mUserManager;
+ private RebootEscrowManager.Callbacks mCallbacks;
+ private IRebootEscrow mRebootEscrow;
+
+ LockSettingsStorageTestable mStorage;
+
+ private RebootEscrowManager mService;
+
+ static class MockInjector extends RebootEscrowManager.Injector {
+ private final IRebootEscrow mRebootEscrow;
+ private final UserManager mUserManager;
+
+ MockInjector(Context context, UserManager userManager, IRebootEscrow rebootEscrow) {
+ super(context);
+ mRebootEscrow = rebootEscrow;
+ mUserManager = userManager;
+ }
+
+ @Override
+ public UserManager getUserManager() {
+ return mUserManager;
+ }
+
+ @Override
+ public IRebootEscrow getRebootEscrow() {
+ return mRebootEscrow;
+ }
+ }
+
+ @Before
+ public void setUp_baseServices() throws Exception {
+ mContext = mock(Context.class);
+ mUserManager = mock(UserManager.class);
+ mCallbacks = mock(RebootEscrowManager.Callbacks.class);
+ mRebootEscrow = mock(IRebootEscrow.class);
+
+ mStorage = new LockSettingsStorageTestable(mContext,
+ new File(InstrumentationRegistry.getContext().getFilesDir(), "locksettings"));
+
+ ArrayList<UserInfo> users = new ArrayList<>();
+ users.add(new UserInfo(PRIMARY_USER_ID, "primary", FLAG_PRIMARY));
+ users.add(new UserInfo(NONSECURE_USER_ID, "non-secure", FLAG_FULL));
+ when(mUserManager.getUsers()).thenReturn(users);
+ when(mCallbacks.isUserSecure(PRIMARY_USER_ID)).thenReturn(true);
+ when(mCallbacks.isUserSecure(NONSECURE_USER_ID)).thenReturn(false);
+ mService = new RebootEscrowManager(new MockInjector(mContext, mUserManager, mRebootEscrow),
+ mCallbacks, mStorage);
+ }
+
+ @Test
+ public void prepareRebootEscrow_Success() throws Exception {
+ RebootEscrowListener mockListener = mock(RebootEscrowListener.class);
+ mService.setRebootEscrowListener(mockListener);
+ mService.prepareRebootEscrow();
+
+ clearInvocations(mRebootEscrow);
+ mService.callToRebootEscrowIfNeeded(PRIMARY_USER_ID, FAKE_SP_VERSION, FAKE_AUTH_TOKEN);
+ verify(mockListener).onPreparedForReboot(eq(true));
+ verify(mRebootEscrow, never()).storeKey(any());
+ }
+
+ @Test
+ public void prepareRebootEscrow_ClearCredentials_Success() throws Exception {
+ RebootEscrowListener mockListener = mock(RebootEscrowListener.class);
+ mService.setRebootEscrowListener(mockListener);
+ mService.prepareRebootEscrow();
+ mService.callToRebootEscrowIfNeeded(PRIMARY_USER_ID, FAKE_SP_VERSION, FAKE_AUTH_TOKEN);
+ verify(mockListener).onPreparedForReboot(eq(true));
+
+ clearInvocations(mRebootEscrow);
+ mService.clearRebootEscrow();
+ verify(mockListener).onPreparedForReboot(eq(false));
+ verify(mRebootEscrow).storeKey(eq(new byte[32]));
+ }
+
+ @Test
+ public void armService_Success() throws Exception {
+ RebootEscrowListener mockListener = mock(RebootEscrowListener.class);
+ mService.setRebootEscrowListener(mockListener);
+ mService.prepareRebootEscrow();
+
+ clearInvocations(mRebootEscrow);
+ mService.callToRebootEscrowIfNeeded(PRIMARY_USER_ID, FAKE_SP_VERSION, FAKE_AUTH_TOKEN);
+ verify(mockListener).onPreparedForReboot(eq(true));
+ verify(mRebootEscrow, never()).storeKey(any());
+
+ assertTrue(mService.armRebootEscrowIfNeeded());
+ verify(mRebootEscrow).storeKey(any());
+ }
+
+ @Test
+ public void armService_NoInitialization_Failure() throws Exception {
+ assertFalse(mService.armRebootEscrowIfNeeded());
+ verifyNoMoreInteractions(mRebootEscrow);
+ }
+
+ @Test
+ public void armService_RebootEscrowServiceException_Failure() throws Exception {
+ doThrow(RemoteException.class).when(mRebootEscrow).storeKey(any());
+ assertFalse(mService.armRebootEscrowIfNeeded());
+ verifyNoMoreInteractions(mRebootEscrow);
+ }
+}
diff --git a/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTest.java b/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTest.java
index 1f312bf..d5cdbeb 100644
--- a/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTest.java
+++ b/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTest.java
@@ -20,16 +20,19 @@
import static org.junit.Assert.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyBoolean;
+import static org.mockito.ArgumentMatchers.anyInt;
import static org.mockito.ArgumentMatchers.eq;
import static org.mockito.Mockito.doNothing;
import static org.mockito.Mockito.doThrow;
import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.when;
import android.content.Context;
+import android.content.IntentSender;
import android.os.Handler;
import android.os.IPowerManager;
import android.os.IRecoverySystemProgressListener;
@@ -40,6 +43,8 @@
import androidx.test.filters.SmallTest;
import androidx.test.runner.AndroidJUnit4;
+import com.android.internal.widget.LockSettingsInternal;
+
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
@@ -58,6 +63,7 @@
private Context mContext;
private IPowerManager mIPowerManager;
private FileWriter mUncryptUpdateFileWriter;
+ private LockSettingsInternal mLockSettingsInternal;
@Before
public void setup() {
@@ -65,6 +71,9 @@
mSystemProperties = new RecoverySystemServiceTestable.FakeSystemProperties();
mUncryptSocket = mock(RecoverySystemService.UncryptSocket.class);
mUncryptUpdateFileWriter = mock(FileWriter.class);
+ mLockSettingsInternal = mock(LockSettingsInternal.class);
+
+ when(mLockSettingsInternal.armRebootEscrow()).thenReturn(true);
Looper looper = InstrumentationRegistry.getContext().getMainLooper();
mIPowerManager = mock(IPowerManager.class);
@@ -72,7 +81,7 @@
new Handler(looper));
mRecoverySystemService = new RecoverySystemServiceTestable(mContext, mSystemProperties,
- powerManager, mUncryptUpdateFileWriter, mUncryptSocket);
+ powerManager, mUncryptUpdateFileWriter, mUncryptSocket, mLockSettingsInternal);
}
@Test
@@ -194,4 +203,100 @@
verify(mUncryptSocket).sendAck();
verify(mUncryptSocket).close();
}
+
+ @Test(expected = SecurityException.class)
+ public void requestLskf_protected() {
+ doThrow(SecurityException.class).when(mContext).enforceCallingOrSelfPermission(
+ eq(android.Manifest.permission.RECOVERY), any());
+ mRecoverySystemService.requestLskf("test", null);
+ }
+
+
+ @Test
+ public void requestLskf_nullToken_failure() {
+ assertThat(mRecoverySystemService.requestLskf(null, null), is(false));
+ }
+
+ @Test
+ public void requestLskf_success() throws Exception {
+ IntentSender intentSender = mock(IntentSender.class);
+ assertThat(mRecoverySystemService.requestLskf("test", intentSender), is(true));
+ mRecoverySystemService.onPreparedForReboot(true);
+ verify(intentSender).sendIntent(any(), anyInt(), any(), any(), any());
+ }
+
+ @Test
+ public void requestLskf_subsequentRequestClearsPrepared() throws Exception {
+ IntentSender intentSender = mock(IntentSender.class);
+ assertThat(mRecoverySystemService.requestLskf("test", intentSender), is(true));
+ mRecoverySystemService.onPreparedForReboot(true);
+ verify(intentSender).sendIntent(any(), anyInt(), any(), any(), any());
+
+ assertThat(mRecoverySystemService.requestLskf("test2", null), is(true));
+ assertThat(mRecoverySystemService.rebootWithLskf("test", null), is(false));
+ assertThat(mRecoverySystemService.rebootWithLskf("test2", "foobar"), is(false));
+
+ mRecoverySystemService.onPreparedForReboot(true);
+ assertThat(mRecoverySystemService.rebootWithLskf("test2", "foobar"), is(true));
+ verify(intentSender).sendIntent(any(), anyInt(), any(), any(), any());
+ verify(mIPowerManager).reboot(anyBoolean(), eq("foobar"), anyBoolean());
+ }
+
+
+ @Test
+ public void requestLskf_requestedButNotPrepared() throws Exception {
+ IntentSender intentSender = mock(IntentSender.class);
+ assertThat(mRecoverySystemService.requestLskf("test", intentSender), is(true));
+ verify(intentSender, never()).sendIntent(any(), anyInt(), any(), any(), any());
+ }
+
+ @Test(expected = SecurityException.class)
+ public void clearLskf_protected() {
+ doThrow(SecurityException.class).when(mContext).enforceCallingOrSelfPermission(
+ eq(android.Manifest.permission.RECOVERY), any());
+ mRecoverySystemService.clearLskf();
+ }
+
+ @Test
+ public void clearLskf_requestedThenCleared() throws Exception {
+ IntentSender intentSender = mock(IntentSender.class);
+ assertThat(mRecoverySystemService.requestLskf("test", intentSender), is(true));
+ mRecoverySystemService.onPreparedForReboot(true);
+ verify(intentSender).sendIntent(any(), anyInt(), any(), any(), any());
+
+ assertThat(mRecoverySystemService.clearLskf(), is(true));
+ verify(mLockSettingsInternal).clearRebootEscrow();
+ }
+
+ @Test
+ public void startup_setRebootEscrowListener() throws Exception {
+ mRecoverySystemService.onSystemServicesReady();
+ verify(mLockSettingsInternal).setRebootEscrowListener(any());
+ }
+
+ @Test(expected = SecurityException.class)
+ public void rebootWithLskf_protected() {
+ doThrow(SecurityException.class).when(mContext).enforceCallingOrSelfPermission(
+ eq(android.Manifest.permission.RECOVERY), any());
+ mRecoverySystemService.rebootWithLskf("test1", null);
+ }
+
+ @Test
+ public void rebootWithLskf_Success() throws Exception {
+ assertThat(mRecoverySystemService.requestLskf("test", null), is(true));
+ mRecoverySystemService.onPreparedForReboot(true);
+ assertThat(mRecoverySystemService.rebootWithLskf("test", "ab-update"), is(true));
+ verify(mIPowerManager).reboot(anyBoolean(), eq("ab-update"), anyBoolean());
+ }
+
+ @Test
+ public void rebootWithLskf_withoutPrepare_Failure() throws Exception {
+ assertThat(mRecoverySystemService.rebootWithLskf("test1", null), is(false));
+ }
+
+ @Test
+ public void rebootWithLskf_withNullUpdateToken_Failure() throws Exception {
+ assertThat(mRecoverySystemService.rebootWithLskf(null, null), is(false));
+ verifyNoMoreInteractions(mIPowerManager);
+ }
}
diff --git a/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTestable.java b/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTestable.java
index a986b71..131e4f3 100644
--- a/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTestable.java
+++ b/services/tests/servicestests/src/com/android/server/recoverysystem/RecoverySystemServiceTestable.java
@@ -19,6 +19,8 @@
import android.content.Context;
import android.os.PowerManager;
+import com.android.internal.widget.LockSettingsInternal;
+
import java.io.FileWriter;
public class RecoverySystemServiceTestable extends RecoverySystemService {
@@ -27,15 +29,17 @@
private final PowerManager mPowerManager;
private final FileWriter mUncryptPackageFileWriter;
private final UncryptSocket mUncryptSocket;
+ private final LockSettingsInternal mLockSettingsInternal;
MockInjector(Context context, FakeSystemProperties systemProperties,
PowerManager powerManager, FileWriter uncryptPackageFileWriter,
- UncryptSocket uncryptSocket) {
+ UncryptSocket uncryptSocket, LockSettingsInternal lockSettingsInternal) {
super(context);
mSystemProperties = systemProperties;
mPowerManager = powerManager;
mUncryptPackageFileWriter = uncryptPackageFileWriter;
mUncryptSocket = uncryptSocket;
+ mLockSettingsInternal = lockSettingsInternal;
}
@Override
@@ -76,13 +80,18 @@
@Override
public void threadSleep(long millis) {
}
+
+ @Override
+ public LockSettingsInternal getLockSettingsService() {
+ return mLockSettingsInternal;
+ }
}
RecoverySystemServiceTestable(Context context, FakeSystemProperties systemProperties,
PowerManager powerManager, FileWriter uncryptPackageFileWriter,
- UncryptSocket uncryptSocket) {
+ UncryptSocket uncryptSocket, LockSettingsInternal lockSettingsInternal) {
super(new MockInjector(context, systemProperties, powerManager, uncryptPackageFileWriter,
- uncryptSocket));
+ uncryptSocket, lockSettingsInternal));
}
public static class FakeSystemProperties {