commit 5cb52dc417e72b7ea3de3072b44bb7a159c76ab1
author Janis Danisevskis <jdanis@google.com> Wed Apr 07 16:31:18 2021 -0700
committer Janis Danisevskis <jdanis@google.com> Thu Apr 08 14:08:47 2021 -0700
tree 27c82192b49fabbf59b10a81e890ab93e03b320c
parent 850217779e30b18b940fbc21ee874d9d9a70ef62

Keystore 2.0: Implement unique id rotation on factory reset.

This patch implements unique id rotation on factory reset. It is assumed
that the timestamp file disappears on factory reset so the timestamp
file's creation time gives a lower bound on the time since the last
factory reset.

Bug: 184784809
Test: atest keystore2_test
Change-Id: Iaa1c74b0ccffe69d5d9c68e7c6dac98a13136437

keystore2/src/service.rs

diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index 73bd526..1debe1b 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -17,7 +17,6 @@
 
 use std::collections::HashMap;
 
-use crate::error::{self, map_or_log_err, ErrorCode};
 use crate::permission::{KeyPerm, KeystorePerm};
 use crate::security_level::KeystoreSecurityLevel;
 use crate::utils::{
@@ -33,6 +32,10 @@
     database::{KeyEntryLoadBits, KeyType, SubComponentType},
     error::ResponseCode,
 };
+use crate::{
+    error::{self, map_or_log_err, ErrorCode},
+    id_rotation::IdRotationState,
+};
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
 use android_system_keystore2::aidl::android::system::keystore2::{
     Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
@@ -53,21 +56,26 @@
 
 impl KeystoreService {
     /// Create a new instance of the Keystore 2.0 service.
-    pub fn new_native_binder() -> Result<Strong<dyn IKeystoreService>> {
+    pub fn new_native_binder(
+        id_rotation_state: IdRotationState,
+    ) -> Result<Strong<dyn IKeystoreService>> {
         let mut result: Self = Default::default();
-        let (dev, uuid) =
-            KeystoreSecurityLevel::new_native_binder(SecurityLevel::TRUSTED_ENVIRONMENT)
-                .context(concat!(
-                    "In KeystoreService::new_native_binder: ",
-                    "Trying to construct mandatory security level TEE."
-                ))
-                .map(|(dev, uuid)| (Asp::new(dev.as_binder()), uuid))?;
+        let (dev, uuid) = KeystoreSecurityLevel::new_native_binder(
+            SecurityLevel::TRUSTED_ENVIRONMENT,
+            id_rotation_state.clone(),
+        )
+        .context(concat!(
+            "In KeystoreService::new_native_binder: ",
+            "Trying to construct mandatory security level TEE."
+        ))
+        .map(|(dev, uuid)| (Asp::new(dev.as_binder()), uuid))?;
         result.i_sec_level_by_uuid.insert(uuid, dev);
         result.uuid_by_sec_level.insert(SecurityLevel::TRUSTED_ENVIRONMENT, uuid);
 
         // Strongbox is optional, so we ignore errors and turn the result into an Option.
-        if let Ok((dev, uuid)) = KeystoreSecurityLevel::new_native_binder(SecurityLevel::STRONGBOX)
-            .map(|(dev, uuid)| (Asp::new(dev.as_binder()), uuid))
+        if let Ok((dev, uuid)) =
+            KeystoreSecurityLevel::new_native_binder(SecurityLevel::STRONGBOX, id_rotation_state)
+                .map(|(dev, uuid)| (Asp::new(dev.as_binder()), uuid))
         {
             result.i_sec_level_by_uuid.insert(uuid, dev);
             result.uuid_by_sec_level.insert(SecurityLevel::STRONGBOX, uuid);