Have vold inform keymaster that early boot ended Just before mounting partition(s) not verified by verified boot, vold should notify keymaster that early boot has ended so it won't allow EARLY_BOOT_ONLY keys to be created or used. Test: VtsHalKeymasterV4_1TargetTest Change-Id: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3 Merged-In: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3

commit: 2b1ff5aaab693483dc1064137e46214baf3b00a7 [log] [tgz]
author: Shawn Willden <swillden@google.com> Thu Jan 16 14:08:36 2020 -0700
committer: Shawn Willden <swillden@google.com> Tue Feb 11 15:51:04 2020 -0700
tree: b7f9f823c2cc26112ea2a26bfe8d877b3fe676a8
parent: 35f0f22c9b8cb9d8672c9cc5226c9037d621da7f [diff] [blame]
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index 088960e..acd5b59 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp

@@ -56,6 +56,14 @@
 static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
 
 static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) {
+    // We're about to mount data not verified by verified boot.  Tell Keymaster that early boot has
+    // ended.
+    //
+    // TODO(paulcrowley): Make a Keymaster singleton or something, so we don't have to repeatedly
+    // open and initialize the service.
+    ::android::vold::Keymaster keymaster;
+    keymaster.earlyBootEnded();
+
     // fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
     // partitions in the fsck domain.
     if (setexeccon(android::vold::sFsckContext)) {
commit	2b1ff5aaab693483dc1064137e46214baf3b00a7	[log] [tgz]
author	Shawn Willden <swillden@google.com>	Thu Jan 16 14:08:36 2020 -0700
committer	Shawn Willden <swillden@google.com>	Tue Feb 11 15:51:04 2020 -0700
tree	b7f9f823c2cc26112ea2a26bfe8d877b3fe676a8
parent	35f0f22c9b8cb9d8672c9cc5226c9037d621da7f [diff] [blame]