Keystore 2.0: Boot level keys: Check key characteristics.

Check the key characteristics of the level zero key to verify its
integrity.

Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: N/A
Change-Id: Id83e581781507e499790e77729b0e2d96795f908
diff --git a/keystore2/src/super_key.rs b/keystore2/src/super_key.rs
index 7a8b9be..7449f20 100644
--- a/keystore2/src/super_key.rs
+++ b/keystore2/src/super_key.rs
@@ -19,7 +19,7 @@
     database::EncryptedBy,
     database::KeyEntry,
     database::KeyType,
-    database::{KeyIdGuard, KeyMetaData, KeyMetaEntry, KeystoreDB},
+    database::{KeyEntryLoadBits, KeyIdGuard, KeyMetaData, KeyMetaEntry, KeystoreDB},
     ec_crypto::ECDHPrivateKey,
     enforcements::Enforcements,
     error::Error,
@@ -30,6 +30,7 @@
     raw_device::KeyMintDevice,
     try_insert::TryInsert,
     utils::watchdog as wd,
+    utils::AID_KEYSTORE,
 };
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, BlockMode::BlockMode, HardwareAuthToken::HardwareAuthToken,
@@ -194,6 +195,12 @@
         auth_token: &HardwareAuthToken,
         reencrypt_with: Option<Arc<SuperKey>>,
     ) -> Result<Arc<SuperKey>> {
+        let key_blob = key_entry
+            .key_blob_info()
+            .as_ref()
+            .map(|(key_blob, _)| KeyBlob::Ref(key_blob))
+            .ok_or(Error::Rc(ResponseCode::KEY_NOT_FOUND))
+            .context("In LockedKey::decrypt: Missing key blob info.")?;
         let key_params = vec![
             KeyParameterValue::Algorithm(Algorithm::AES),
             KeyParameterValue::KeySize(256),
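Review bot: The closure `|(key_blob, _)| KeyBlob::Ref(key_blob)` drops the second element of the tuple from `key_blob_info()` without saying why, and its parameter shadows the outer `key_blob` binding being defined. Because this path decrypts a super key, state explicitly that only the raw blob is passed to KeyMint, and rename the inner binding, e.g. `.map(|(blob, _metadata)| KeyBlob::Ref(blob))` with a comment `// Only the blob bytes are needed for the KeyMint operation; the accompanying info is unused here.`. Failing with `KEY_NOT_FOUND` before any KeyMint call is a sensible fail-closed choice, though the entry itself was found, so the context string is what distinguishes this case in logs. The enclosing function starts and ends outside this hunk.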
@@ -206,7 +213,7 @@
         let key = ZVec::try_from(km_dev.use_key_in_one_step(
             db,
             key_id_guard,
-            key_entry,
+            &key_blob,
             KeyPurpose::DECRYPT,
             &key_params,
             Some(auth_token),
@@ -985,8 +992,15 @@
         let mut data = self.data.lock().unwrap();
         let mut entry = data.user_keys.entry(user_id).or_default();
         if let Some(biometric) = entry.biometric_unlock.as_ref() {
-            let (key_id_guard, key_entry) =
-                KeyMintDevice::lookup_from_desc(db, &biometric.key_desc)?;
+            let (key_id_guard, key_entry) = db
+                .load_key_entry(
+                    &biometric.key_desc,
+                    KeyType::Client, // This should not be a Client key.
+                    KeyEntryLoadBits::KM,
+                    AID_KEYSTORE,
+                    |_, _| Ok(()),
+                )
+                .context("In try_unlock_user_with_biometric: load_key_entry failed")?;
             let km_dev: KeyMintDevice = KeyMintDevice::get(SecurityLevel::TRUSTED_ENVIRONMENT)
                 .context("In try_unlock_user_with_biometric: KeyMintDevice::get failed")?;
             for sid in &biometric.sids {
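Review bot: The access-check callback passed to `load_key_entry` is `|_, _| Ok(())`, so this lookup performs no permission check at all, and the call uses `KeyType::Client` even though its own comment says the key should not be a Client key. This looks acceptable only because `biometric.key_desc` comes from keystore's own `user_keys` state and the caller id is `AID_KEYSTORE`, but nothing at the call site records that reasoning. I would add a comment above the closure such as `// No access check: key_desc comes from keystore-internal state, never from a caller.` and turn the inline remark into a tracked `// TODO(b/<bug-id>): use a dedicated key type instead of KeyType::Client.`. The enclosing function starts and ends outside this hunk, so whether `user_id` is validated before this point cannot be confirmed from here.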