Keystore 2.0: No longer transition to database directory.
Keystore no longer transitions to the database directory as its working
directory. This allows keystore to start before data is mounted.
Test: keystore starts and early.
Change-Id: I98272fb0e97e8fe93eb87a657286681c78d28a60
diff --git a/keystore2/src/globals.rs b/keystore2/src/globals.rs
index c488a18..cfaa28c 100644
--- a/keystore2/src/globals.rs
+++ b/keystore2/src/globals.rs
@@ -34,9 +34,9 @@
use android_security_compat::aidl::android::security::compat::IKeystoreCompatService::IKeystoreCompatService;
use anyhow::{Context, Result};
use lazy_static::lazy_static;
-use std::collections::HashMap;
use std::sync::Mutex;
use std::{cell::RefCell, sync::Once};
+use std::{collections::HashMap, path::Path, path::PathBuf};
static DB_INIT: Once = Once::new();
@@ -45,12 +45,8 @@
/// we also call KeystoreDB::cleanup_leftovers to restore the key lifecycle invariant. See the
/// documentation of cleanup_leftovers for more details.
fn create_thread_local_db() -> KeystoreDB {
- let mut db = KeystoreDB::new(
- // Keystore changes to the database directory on startup
- // (see keystore2_main.rs).
- &std::env::current_dir().expect("Could not get the current working directory."),
- )
- .expect("Failed to open database.");
+ let mut db = KeystoreDB::new(&DB_PATH.lock().expect("Could not get the database directory."))
+ .expect("Failed to open database.");
DB_INIT.call_once(|| {
log::info!("Touching Keystore 2.0 database for this first time since boot.");
db.insert_last_off_body(MonotonicRawTime::now())
@@ -113,6 +109,9 @@
}
lazy_static! {
+ /// The path where keystore stores all its keys.
+ pub static ref DB_PATH: Mutex<PathBuf> = Mutex::new(
+ Path::new("/data/misc/keystore").to_path_buf());
/// Runtime database of unwrapped super keys.
pub static ref SUPER_KEY: SuperKeyManager = Default::default();
/// Map of KeyMint devices.
@@ -127,7 +126,7 @@
/// LegacyBlobLoader is initialized and exists globally.
/// The same directory used by the database is used by the LegacyBlobLoader as well.
pub static ref LEGACY_BLOB_LOADER: LegacyBlobLoader = LegacyBlobLoader::new(
- &std::env::current_dir().expect("Could not get the current working directory."));
+ &DB_PATH.lock().expect("Could not get the database path for legacy blob loader."));
}
static KEYMINT_SERVICE_NAME: &str = "android.hardware.security.keymint.IKeyMintDevice";
diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index fbf500a..f8dba07 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs
@@ -19,7 +19,7 @@
use keystore2::authorization::AuthorizationManager;
use keystore2::service::KeystoreService;
use log::{error, info};
-use std::panic;
+use std::{panic, path::Path};
static KS2_SERVICE_NAME: &str = "android.system.keystore2";
static APC_SERVICE_NAME: &str = "android.security.apc";
@@ -46,12 +46,13 @@
let mut args = std::env::args();
args.next().expect("That's odd. How is there not even a first argument?");
- // Keystore changes to the database directory on startup (typically /data/misc/keystore).
+ // Keystore 2.0 cannot change to the database directory (typically /data/misc/keystore) on
+ // startup as Keystore 1.0 did because Keystore 2.0 is intended to run much earlier than
+ // Keystore 1.0. Instead we set a global variable to the database path.
// For the ground truth check the service startup rule for init (typically in keystore2.rc).
if let Some(dir) = args.next() {
- if std::env::set_current_dir(dir.clone()).is_err() {
- panic!("Failed to set working directory {}.", dir)
- }
+ *keystore2::globals::DB_PATH.lock().expect("Could not lock DB_PATH.") =
+ Path::new(&dir).to_path_buf();
} else {
panic!("Must specify a working directory.");
}