Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 5cb52dc417e72b7ea3de3072b44bb7a159c76ab1^! / . / keystore2 / src / keystore2_main.rs
commit5cb52dc417e72b7ea3de3072b44bb7a159c76ab1[log] [tgz]
authorJanis Danisevskis <jdanis@google.com>Wed Apr 07 16:31:18 2021 -0700
committerJanis Danisevskis <jdanis@google.com>Thu Apr 08 14:08:47 2021 -0700
tree27c82192b49fabbf59b10a81e890ab93e03b320c
parent850217779e30b18b940fbc21ee874d9d9a70ef62 [diff] [blame]
Keystore 2.0: Implement unique id rotation on factory reset.

This patch implements unique id rotation on factory reset. It is assumed
that the timestamp file disappears on factory reset so the timestamp
file's creation time gives a lower bound on the time since the last
factory reset.

Bug: 184784809
Test: atest keystore2_test
Change-Id: Iaa1c74b0ccffe69d5d9c68e7c6dac98a13136437

diff --git a/keystore2/src/keystore2_main.rs b/keystore2/src/keystore2_main.rs
index e745697..df7ba26 100644
--- a/keystore2/src/keystore2_main.rs
+++ b/keystore2/src/keystore2_main.rs

@@ -14,13 +14,13 @@
 
 //! This crate implements the Keystore 2.0 service entry point.
 
-use keystore2::authorization::AuthorizationManager;
 use keystore2::entropy;
 use keystore2::globals::ENFORCEMENTS;
 use keystore2::maintenance::Maintenance;
 use keystore2::remote_provisioning::RemoteProvisioningService;
 use keystore2::service::KeystoreService;
 use keystore2::{apc::ApcManager, shared_secret_negotiation};
+use keystore2::{authorization::AuthorizationManager, id_rotation::IdRotationState};
 use log::{error, info};
 use std::{panic, path::Path, sync::mpsc::channel};
 use vpnprofilestore::VpnProfileStore;
@@ -57,12 +57,14 @@
     // startup as Keystore 1.0 did because Keystore 2.0 is intended to run much earlier than
     // Keystore 1.0. Instead we set a global variable to the database path.
     // For the ground truth check the service startup rule for init (typically in keystore2.rc).
-    if let Some(dir) = args.next() {
+    let id_rotation_state = if let Some(dir) = args.next() {
+        let db_path = Path::new(&dir);
         *keystore2::globals::DB_PATH.lock().expect("Could not lock DB_PATH.") =
-            Path::new(&dir).to_path_buf();
+            db_path.to_path_buf();
+        IdRotationState::new(&db_path)
     } else {
-        panic!("Must specify a working directory.");
-    }
+        panic!("Must specify a database directory.");
+    };
 
     let (confirmation_token_sender, confirmation_token_receiver) = channel();
 
@@ -81,7 +83,7 @@
     info!("Starting thread pool now.");
     binder::ProcessState::start_thread_pool();
 
-    let ks_service = KeystoreService::new_native_binder().unwrap_or_else(|e| {
+    let ks_service = KeystoreService::new_native_binder(id_rotation_state).unwrap_or_else(|e| {
         panic!("Failed to create service {} because of {:?}.", KS2_SERVICE_NAME, e);
     });
     binder::add_service(KS2_SERVICE_NAME, ks_service.as_binder()).unwrap_or_else(|e| {