From bd79db4d6d2d38929ffd748c2929d6fb72666551 Mon Sep 17 00:00:00 2001 From: mauronofrio matarrese Date: Mon, 25 May 2020 20:18:52 +0200 Subject: [PATCH] fscrypt: change to upgrade key if export fails Importing this commit: https://github.com/mauronofrio/android_bootable_recovery/commit/f999d65b23f0cd36ee85995ac1601d1b2ab690e5 Change-Id: If73dc534ddf6c8b96ce2789789f25ce432428aa5 --- crypto/fscrypt/KeyStorage.cpp | 26 ++++++++++++++++++++++---- crypto/fscrypt/Keymaster.cpp | 8 ++++---- crypto/fscrypt/Keymaster.h | 2 +- 3 files changed, 27 insertions(+), 9 deletions(-) diff --git a/crypto/fscrypt/KeyStorage.cpp b/crypto/fscrypt/KeyStorage.cpp index 766cc610..94575910 100755 --- a/crypto/fscrypt/KeyStorage.cpp +++ b/crypto/fscrypt/KeyStorage.cpp @@ -165,10 +165,28 @@ bool getEphemeralWrappedKey(km::KeyFormat format, KeyBuffer& kmKey, KeyBuffer* k std::string key_temp; Keymaster keymaster; if (!keymaster) return false; - if (!keymaster.exportKey(format, kmKey, "!", "!", &key_temp)) return false; - *key = KeyBuffer(key_temp.size()); - memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size()); - return true; + + //Export once, if upgrade needed, upgrade and export again + bool export_again = true; + while (export_again) { + export_again = false; + auto ret = keymaster.exportKey(format, kmKey, "!", "!", &key_temp); + if (ret == km::ErrorCode::OK) { + *key = KeyBuffer(key_temp.size()); + memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size()); + return true; + } + if (ret != km::ErrorCode::KEY_REQUIRES_UPGRADE) return false; + LOG(DEBUG) << "Upgrading key"; + std::string kmKeyStr(reinterpret_cast(kmKey.data()), kmKey.size()); + std::string newKey; + if (!keymaster.upgradeKey(kmKeyStr, km::AuthorizationSet(), &newKey)) return false; + memcpy(reinterpret_cast(kmKey.data()), newKey.c_str(), kmKey.size()); + LOG(INFO) << "Key upgraded"; + export_again = true; + } + //Should never come here + return false; } static std::pair beginParams( diff --git a/crypto/fscrypt/Keymaster.cpp b/crypto/fscrypt/Keymaster.cpp index ab39ef8d..706181df 100755 --- a/crypto/fscrypt/Keymaster.cpp +++ b/crypto/fscrypt/Keymaster.cpp @@ -138,7 +138,7 @@ bool Keymaster::generateKey(const km::AuthorizationSet& inParams, std::string* k return true; } -bool Keymaster::exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::string& clientId, +km::ErrorCode Keymaster::exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::string& clientId, const std::string& appData, std::string* key) { auto kmKeyBlob = km::support::blob2hidlVec(std::string(kmKey.data(), kmKey.size())); auto emptyAssign = NULL; @@ -155,13 +155,13 @@ bool Keymaster::exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::str auto error = mDevice->exportKey(format, kmKeyBlob, kmClientId, kmAppData, hidlCb); if (!error.isOk()) { LOG(ERROR) << "export_key failed: " << error.description(); - return false; + return km::ErrorCode::UNKNOWN_ERROR; } if (km_error != km::ErrorCode::OK) { LOG(ERROR) << "export_key failed, code " << int32_t(km_error); - return false; + return km_error; } - return true; + return km::ErrorCode::OK; } bool Keymaster::deleteKey(const std::string& key) { diff --git a/crypto/fscrypt/Keymaster.h b/crypto/fscrypt/Keymaster.h index 4301a9cf..7d4d9c93 100644 --- a/crypto/fscrypt/Keymaster.h +++ b/crypto/fscrypt/Keymaster.h @@ -103,7 +103,7 @@ class Keymaster { // Generate a key in the keymaster from the given params. bool generateKey(const km::AuthorizationSet& inParams, std::string* key); // Export a key from keymaster. - bool exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::string& clientId, + km::ErrorCode exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::string& clientId, const std::string& appData, std::string* key); // If the keymaster supports it, permanently delete a key. bool deleteKey(const std::string& key);