Specialize the KM context to use encrypted key blobs These key blobs are intended to be exported outside the VM, without need for further encryption. This will allows a limited form of persistence for VMs between boots of the same code. The authorization set is left in plain text which reveals some metadata about the key but does not compromise its security. Bug: 190578423 Test: atest MicrodroidHostTestCases Change-Id: I47a0f80e2137e189634b77c0b4aafb32d002be50

commit: 9fadf34678bddb1333733336bcd0d88d8114896e [log] [tgz]
author: Andrew Scull <ascull@google.com> Thu Jun 03 08:38:47 2021 +0000
committer: Andrew Scull <ascull@google.com> Tue Jul 13 13:37:45 2021 +0000
tree: 3600ae9a91be3f667ab4b54df171f0a14cf45992
parent: 6f3e5fe3885437c0a88e52a7c34c24c41df52971 [diff] [blame]
diff --git a/microdroid/keymint/service.cpp b/microdroid/keymint/service.cpp
index 8e20f44..5fc0bd2 100644
--- a/microdroid/keymint/service.cpp
+++ b/microdroid/keymint/service.cpp

@@ -102,7 +102,7 @@
 
     // Add Keymint Service
     std::shared_ptr<MicrodroidKeyMintDevice> keyMint =
-            ndk::SharedRefBase::make<MicrodroidKeyMintDevice>();
+            ndk::SharedRefBase::make<MicrodroidKeyMintDevice>(*rootKey);
     auto instanceName = std::string(MicrodroidKeyMintDevice::descriptor) + "/default";
     LOG(INFO) << "adding keymint service instance: " << instanceName;
     binder_status_t status =
commit	9fadf34678bddb1333733336bcd0d88d8114896e	[log] [tgz]
author	Andrew Scull <ascull@google.com>	Thu Jun 03 08:38:47 2021 +0000
committer	Andrew Scull <ascull@google.com>	Tue Jul 13 13:37:45 2021 +0000
tree	3600ae9a91be3f667ab4b54df171f0a14cf45992
parent	6f3e5fe3885437c0a88e52a7c34c24c41df52971 [diff] [blame]