Add deleteAllKeys to IKeystoreMaintenance
Add a method to IKeystoreMaintenance which calls deleteAllKeys on every
KM instance. This method will be called by vold when it detects a
factory reset.
Bug: 187105270
Test: booted Cuttlefish twice
Change-Id: Id23f25c69a74a99bfebbf28429651d6fd647dbcd
diff --git a/keystore2/src/maintenance.rs b/keystore2/src/maintenance.rs
index 08fa8d2..7ce9042 100644
--- a/keystore2/src/maintenance.rs
+++ b/keystore2/src/maintenance.rs
@@ -23,7 +23,9 @@
use crate::permission::{KeyPerm, KeystorePerm};
use crate::super_key::UserState;
use crate::utils::{check_key_permission, check_keystore_permission, watchdog as wd};
-use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
+use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
+ IKeyMintDevice::IKeyMintDevice, SecurityLevel::SecurityLevel,
+};
use android_security_maintenance::aidl::android::security::maintenance::{
IKeystoreMaintenance::{BnKeystoreMaintenance, IKeystoreMaintenance},
UserState::UserState as AidlUserState,
@@ -151,20 +153,47 @@
}
}
- fn early_boot_ended_help(sec_level: SecurityLevel) -> Result<()> {
+ fn call_with_watchdog<F>(sec_level: SecurityLevel, name: &'static str, op: &F) -> Result<()>
+ where
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ {
let (km_dev, _, _) = get_keymint_device(&sec_level)
- .context("In early_boot_ended: getting keymint device")?;
+ .context("In call_with_watchdog: getting keymint device")?;
- let _wp = wd::watch_millis_with(
- "In early_boot_ended_help: calling earlyBootEnded()",
- 500,
- move || format!("Seclevel: {:?}", sec_level),
- );
- map_km_error(km_dev.earlyBootEnded())
- .context("In keymint device: calling earlyBootEnded")?;
+ let _wp = wd::watch_millis_with("In call_with_watchdog", 500, move || {
+ format!("Seclevel: {:?} Op: {}", sec_level, name)
+ });
+ map_km_error(op(km_dev)).with_context(|| format!("In keymint device: calling {}", name))?;
Ok(())
}
+ fn call_on_all_security_levels<F>(name: &'static str, op: F) -> Result<()>
+ where
+ F: Fn(Strong<dyn IKeyMintDevice>) -> binder::public_api::Result<()>,
+ {
+ let sec_levels = [
+ (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
+ (SecurityLevel::STRONGBOX, "STRONGBOX"),
+ ];
+ sec_levels.iter().fold(Ok(()), move |result, (sec_level, sec_level_string)| {
+ let curr_result = Maintenance::call_with_watchdog(*sec_level, name, &op);
+ match curr_result {
+ Ok(()) => log::info!(
+ "Call to {} succeeded for security level {}.",
+ name,
+ &sec_level_string
+ ),
+ Err(ref e) => log::error!(
+ "Call to {} failed for security level {}: {}.",
+ name,
+ &sec_level_string,
+ e
+ ),
+ }
+ result.and(curr_result)
+ })
+ }
+
fn early_boot_ended() -> Result<()> {
check_keystore_permission(KeystorePerm::early_boot_ended())
.context("In early_boot_ended. Checking permission")?;
@@ -173,21 +202,7 @@
if let Err(e) = DB.with(|db| SUPER_KEY.set_up_boot_level_cache(&mut db.borrow_mut())) {
log::error!("SUPER_KEY.set_up_boot_level_cache failed:\n{:?}\n:(", e);
}
-
- let sec_levels = [
- (SecurityLevel::TRUSTED_ENVIRONMENT, "TRUSTED_ENVIRONMENT"),
- (SecurityLevel::STRONGBOX, "STRONGBOX"),
- ];
- sec_levels.iter().fold(Ok(()), |result, (sec_level, sec_level_string)| {
- let curr_result = Maintenance::early_boot_ended_help(*sec_level);
- if curr_result.is_err() {
- log::error!(
- "Call to earlyBootEnded failed for security level {}.",
- &sec_level_string
- );
- }
- result.and(curr_result)
- })
+ Maintenance::call_on_all_security_levels("earlyBootEnded", |dev| dev.earlyBootEnded())
}
fn on_device_off_body() -> Result<()> {
@@ -235,6 +250,15 @@
})
})
}
+
+ fn delete_all_keys() -> Result<()> {
+ // Security critical permission check. This statement must return on fail.
+ check_keystore_permission(KeystorePerm::delete_all_keys())
+ .context("In delete_all_keys. Checking permission")?;
+ log::info!("In delete_all_keys.");
+
+ Maintenance::call_on_all_security_levels("deleteAllKeys", |dev| dev.deleteAllKeys())
+ }
}
impl Interface for Maintenance {}
@@ -283,4 +307,9 @@
let _wp = wd::watch_millis("IKeystoreMaintenance::migrateKeyNamespace", 500);
map_or_log_err(Self::migrate_key_namespace(source, destination), Ok)
}
+
+ fn deleteAllKeys(&self) -> BinderResult<()> {
+ let _wp = wd::watch_millis("IKeystoreMaintenance::deleteAllKeys", 500);
+ map_or_log_err(Self::delete_all_keys(), Ok)
+ }
}