Merge tag 'android-security-10.0.0_r53' into int/10/fp2

Android security 10.0.0 release 53

* tag 'android-security-10.0.0_r53':
  Make mIsDeviceLockedForUser synchronized.
  Add permission check on onKeyguardVisibilityChanged
  Encrypt AES-256 keystore master keys.

Change-Id: I913fedc4146b84a02a92737e4868320be579ab8a
diff --git a/keystore/KeyStore.h b/keystore/KeyStore.h
index 69a02ae..a7fbab4 100644
--- a/keystore/KeyStore.h
+++ b/keystore/KeyStore.h
@@ -143,6 +143,23 @@
     KeystoreKeymasterEnforcement& getEnforcementPolicy() { return mEnforcementPolicy; }
     ConfirmationManager& getConfirmationManager() { return *mConfirmationManager; }
 
+    void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) {
+        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+        operationDeviceMap_.emplace(std::move(token), std::move(dev));
+    }
+    std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) {
+        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+        auto it = operationDeviceMap_.find(token);
+        if (it != operationDeviceMap_.end()) {
+            return it->second;
+        }
+        return {};
+    }
+    void removeOperationDevice(const sp<IBinder>& token) {
+        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
+        operationDeviceMap_.erase(token);
+    }
+
   private:
     static const char* kOldMasterKey;
     static const char* kMetaDataFile;
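Review bot: `addOperationDevice` uses `emplace`, which leaves an existing mapping for the same token untouched and silently discards the new device, and its result is not checked. Tokens are presumably fresh binder objects so a collision should not occur, but a stale entry that survived a missed removal would make the new operation unreachable; `operationDeviceMap_.insert_or_assign(std::move(token), std::move(dev));` would let the newest registration win. Since these three methods are now public on KeyStore and called from KeymasterWorker as well, a header comment stating the invariant would help, e.g. `// Maps an operation token to the worker that owns the operation; entries are added on begin and removed on finish/abort/prune/binder death, guarded by operationDeviceMapMutex_.` The enclosing class starts before and continues after this hunk, and the backing members are declared in the next hunk of this file.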
@@ -173,6 +190,9 @@
     void writeMetaData();
 
     bool upgradeKeystore();
+
+    std::mutex operationDeviceMapMutex_;
+    std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_;
 };
 
 }  // namespace keystore
diff --git a/keystore/blob.h b/keystore/blob.h
index ce488ec..e0bd146 100644
--- a/keystore/blob.h
+++ b/keystore/blob.h
@@ -37,6 +37,7 @@
 constexpr size_t kGcmTagLength = 128 / 8;
 constexpr size_t kGcmIvLength = 96 / 8;
 constexpr size_t kAes128KeySizeBytes = 128 / 8;
+constexpr size_t kAes256KeySizeBytes = 256 / 8;
 
 /* Here is the file format. There are two parts in blob.value, the secret and
  * the description. The secret is stored in ciphertext, and its original size
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index e0ee937..b6b7295 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -888,7 +888,7 @@
                [this, cb, dev](OperationResult result_) {
                    if (result_.resultCode.isOk() ||
                        result_.resultCode == ResponseCode::OP_AUTH_NEEDED) {
-                       addOperationDevice(result_.token, dev);
+                       mKeyStore->addOperationDevice(result_.token, dev);
                    }
                    cb->onFinished(result_);
                });
@@ -905,14 +905,14 @@
         return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
     }
 
-    auto dev = getOperationDevice(token);
+    auto dev = mKeyStore->getOperationDevice(token);
     if (!dev) {
         return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
     }
 
     dev->update(token, params.getParameters(), input, [this, cb, token](OperationResult result_) {
         if (!result_.resultCode.isOk()) {
-            removeOperationDevice(token);
+            mKeyStore->removeOperationDevice(token);
         }
         cb->onFinished(result_);
     });
@@ -930,16 +930,14 @@
         return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT);
     }
 
-    auto dev = getOperationDevice(token);
+    auto dev = mKeyStore->getOperationDevice(token);
     if (!dev) {
         return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
     }
 
     dev->finish(token, params.getParameters(), {}, signature, entropy,
                 [this, cb, token](OperationResult result_) {
-                    if (!result_.resultCode.isOk()) {
-                        removeOperationDevice(token);
-                    }
+                    mKeyStore->removeOperationDevice(token);
                     cb->onFinished(result_);
                 });
 
@@ -950,12 +948,15 @@
                               const ::android::sp<::android::IBinder>& token,
                               int32_t* _aidl_return) {
     KEYSTORE_SERVICE_LOCK;
-    auto dev = getOperationDevice(token);
+    auto dev = mKeyStore->getOperationDevice(token);
     if (!dev) {
         return AIDL_RETURN(ErrorCode::INVALID_OPERATION_HANDLE);
     }
 
-    dev->abort(token, [cb](KeyStoreServiceReturnCode rc) { cb->onFinished(rc); });
+    dev->abort(token, [this, cb, token](KeyStoreServiceReturnCode rc) {
+        mKeyStore->removeOperationDevice(token);
+        cb->onFinished(rc);
+    });
 
     return AIDL_RETURN(ResponseCode::NO_ERROR);
 }
@@ -1039,6 +1040,10 @@
     std::tie(rc, keyBlob, charBlob, lockedEntry) =
         mKeyStore->getKeyForName(name8, callingUid, TYPE_KEYMASTER_10);
 
+    if (!rc.isOk()) {
+        return AIDL_RETURN(rc);
+    }
+
     auto dev = mKeyStore->getDevice(keyBlob);
     auto hidlKey = blob2hidlVec(keyBlob);
     dev->attestKey(
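Review bot: The new early return covers a failed `getKeyForName`, but `dev` from `mKeyStore->getDevice(keyBlob)` is still dereferenced on the last line of the hunk with no null check, whereas the update, finish and abort paths above all test `if (!dev)` after their device lookup. If `getDevice` can yield an empty pointer for a blob whose security level has no worker on this device (not visible here), a guard such as `if (!dev) { return AIDL_RETURN(ErrorCode::INVALID_ARGUMENT); }` after the lookup would keep a bad blob from crashing the service. The enclosing function starts and ends outside the hunk.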
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 2fdc3dd..96d0c07 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -243,25 +243,6 @@
      */
     std::mutex keystoreServiceMutex_;
 
-    std::mutex operationDeviceMapMutex_;
-    std::map<sp<IBinder>, std::shared_ptr<KeymasterWorker>> operationDeviceMap_;
-
-    void addOperationDevice(sp<IBinder> token, std::shared_ptr<KeymasterWorker> dev) {
-        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
-        operationDeviceMap_.emplace(std::move(token), std::move(dev));
-    }
-    std::shared_ptr<KeymasterWorker> getOperationDevice(const sp<IBinder>& token) {
-        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
-        auto it = operationDeviceMap_.find(token);
-        if (it != operationDeviceMap_.end()) {
-            return it->second;
-        }
-        return {};
-    }
-    void removeOperationDevice(const sp<IBinder>& token) {
-        std::lock_guard<std::mutex> lock(operationDeviceMapMutex_);
-        operationDeviceMap_.erase(token);
-    }
 };
 
 };  // namespace keystore
diff --git a/keystore/keymaster_worker.cpp b/keystore/keymaster_worker.cpp
index 922ef0a..728e607 100644
--- a/keystore/keymaster_worker.cpp
+++ b/keystore/keymaster_worker.cpp
@@ -321,6 +321,7 @@
     // We mostly ignore errors from abort() because all we care about is whether at least
     // one operation has been removed.
     auto rc = abort(oldest);
+    keyStore_->removeOperationDevice(oldest);
     if (operationMap_.getOperationCount() >= op_count_before_abort) {
         ALOGE("Failed to abort pruneable operation %p, error: %d", oldest.get(), rc.getErrorCode());
         return false;
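Review bot: `keyStore_->removeOperationDevice(oldest)` runs before the operation-count check, so on the `return false` branch the token is already unreachable from KeyStoreService even though the abort evidently did not remove it from `operationMap_`. Whether that is intended (the worker keeps a slot the service can no longer update, finish or abort) is not visible here; if the removal should track a successful abort, move it below the check, otherwise extend the comment above it with something like `// The service-side token mapping is dropped regardless of the abort() result; a failed abort leaves the slot for a later prune.` The enclosing function starts and ends outside the hunk.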
@@ -1091,6 +1092,7 @@
         auto operations = operationMap_.getOperationsForToken(who.unsafe_get());
         for (const auto& token : operations) {
             abort(token);
+            keyStore_->removeOperationDevice(token);
         }
     });
 }
diff --git a/keystore/user_state.cpp b/keystore/user_state.cpp
index bc3f6d9..8d993e2 100644
--- a/keystore/user_state.cpp
+++ b/keystore/user_state.cpp
@@ -140,10 +140,13 @@
 }
 
 ResponseCode UserState::writeMasterKey(const android::String8& pw) {
-    std::vector<uint8_t> passwordKey(MASTER_KEY_SIZE_BYTES);
+    std::vector<uint8_t> passwordKey(mMasterKey.size());
     generateKeyFromPassword(passwordKey, pw, mSalt);
-    Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt),
-                       TYPE_MASTER_KEY_AES256);
+    auto blobType = TYPE_MASTER_KEY_AES256;
+    if (mMasterKey.size() == kAes128KeySizeBytes) {
+        blobType = TYPE_MASTER_KEY;
+    }
+    Blob masterKeyBlob(mMasterKey.data(), mMasterKey.size(), mSalt, sizeof(mSalt), blobType);
     auto lockedEntry = LockedKeyBlobEntry::get(mMasterKeyEntry);
     return lockedEntry.writeBlobs(masterKeyBlob, {}, passwordKey, STATE_NO_ERROR);
 }
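Review bot: The blob type selection in `writeMasterKey` treats every size other than `kAes128KeySizeBytes` as an AES-256 key, so an empty or otherwise unexpected `mMasterKey` would be written with the `TYPE_MASTER_KEY_AES256` tag and a password key of the wrong length, and `readMasterKey` (next hunk) would then derive a 32-byte password key for it. A guard before the blob is built would make the invariant explicit: `if (mMasterKey.size() != kAes128KeySizeBytes && mMasterKey.size() != kAes256KeySizeBytes) return ResponseCode::SYSTEM_ERROR;` assuming that is the code this file uses for internal failures. The reason for keeping the legacy type also deserves a comment, e.g. `// Legacy 128-bit master keys keep TYPE_MASTER_KEY so readMasterKey sizes the password key (and generateKeyFromPassword picks SHA-1) to match.`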
@@ -174,7 +177,7 @@
 
     size_t masterKeySize = MASTER_KEY_SIZE_BYTES;
     if (rawBlob.type == TYPE_MASTER_KEY) {
-        masterKeySize = SHA1_DIGEST_SIZE_BYTES;
+        masterKeySize = kAes128KeySizeBytes;
     }
 
     std::vector<uint8_t> passwordKey(masterKeySize);
@@ -263,7 +266,7 @@
     const EVP_MD* digest = EVP_sha256();
 
     // SHA1 was used prior to increasing the key size
-    if (key.size() == SHA1_DIGEST_SIZE_BYTES) {
+    if (key.size() == kAes128KeySizeBytes) {
         digest = EVP_sha1();
     }
 
diff --git a/keystore/user_state.h b/keystore/user_state.h
index b0671e3..620aaa5 100644
--- a/keystore/user_state.h
+++ b/keystore/user_state.h
@@ -75,14 +75,14 @@
     bool operator<(uid_t userId) const;
 
   private:
-    static const int SHA1_DIGEST_SIZE_BYTES = 16;
-    static const int SHA256_DIGEST_SIZE_BYTES = 32;
+    static constexpr int SHA1_DIGEST_SIZE_BYTES = 16;
+    static constexpr int SHA256_DIGEST_SIZE_BYTES = 32;
 
-    static const int MASTER_KEY_SIZE_BYTES = SHA256_DIGEST_SIZE_BYTES;
-    static const int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
+    static constexpr int MASTER_KEY_SIZE_BYTES = kAes256KeySizeBytes;
+    static constexpr int MASTER_KEY_SIZE_BITS = MASTER_KEY_SIZE_BYTES * 8;
 
-    static const int MAX_RETRY = 4;
-    static const size_t SALT_SIZE = 16;
+    static constexpr int MAX_RETRY = 4;
+    static constexpr size_t SALT_SIZE = 16;
 
     void generateKeyFromPassword(std::vector<uint8_t>& key, const android::String8& pw,
                                  uint8_t* salt);
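Review bot: `SHA1_DIGEST_SIZE_BYTES = 16` is a misnomer (a SHA-1 digest is 20 bytes; 16 is the AES-128 key size the value is actually used as), and after this commit the user_state.cpp hunks no longer reference it, so it appears to be dead; `SHA256_DIGEST_SIZE_BYTES` likewise only survives as a name now that `MASTER_KEY_SIZE_BYTES` is taken from `kAes256KeySizeBytes`, unless there are uses outside the hunks shown. Consider dropping both, or at least renaming the survivor to say what it is. Declaring the size as `static constexpr size_t MASTER_KEY_SIZE_BYTES = kAes256KeySizeBytes;` would also match the `size_t` constant it is initialized from instead of narrowing to `int`. The enclosing class starts before and continues after this hunk.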