Keystore 2.0: Don't use DB for keys with Domain::BLOB
The global DB can only be initialized after /data is mounted, so it cannot
be used before then. In particular, store_new_key() accessed the DB
unconditionally in order to call
SUPER_KEY.handle_super_encryption_on_key_init(), and that access will not
work once keystore2 starts before /data is mounted.
This patch makes store_new_key() directly handle Domain::BLOB keys to
avoid initializing DB.
Bug: 181910578
Test: Make keystore2 boot early and call generate_key from vold
before /data is mounted
Change-Id: I12877c1732cee8ced3ae53e8dce070280afd3bbb
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 50cb9bf..b187d3b 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -131,33 +131,34 @@
SecurityLevel::SOFTWARE,
));
- let (key_blob, mut blob_metadata) = DB
- .with(|db| {
- SUPER_KEY.handle_super_encryption_on_key_init(
- &mut db.borrow_mut(),
- &LEGACY_MIGRATOR,
- &(key.domain),
- &key_parameters,
- flags,
- user_id,
- &key_blob,
- )
- })
- .context("In store_new_key. Failed to handle super encryption.")?;
-
let creation_date = DateTime::now().context("Trying to make creation time.")?;
let key = match key.domain {
- Domain::BLOB => {
- KeyDescriptor { domain: Domain::BLOB, blob: Some(key_blob), ..Default::default() }
- }
+ Domain::BLOB => KeyDescriptor {
+ domain: Domain::BLOB,
+ blob: Some(key_blob.to_vec()),
+ ..Default::default()
+ },
_ => DB
.with::<_, Result<KeyDescriptor>>(|db| {
+ let mut db = db.borrow_mut();
+
+ let (key_blob, mut blob_metadata) = SUPER_KEY
+ .handle_super_encryption_on_key_init(
+ &mut db,
+ &LEGACY_MIGRATOR,
+ &(key.domain),
+ &key_parameters,
+ flags,
+ user_id,
+ &key_blob,
+ )
+ .context("In store_new_key. Failed to handle super encryption.")?;
+
let mut key_metadata = KeyMetaData::new();
key_metadata.add(KeyMetaEntry::CreationDate(creation_date));
blob_metadata.add(BlobMetaEntry::KmUuid(self.km_uuid));
- let mut db = db.borrow_mut();
let key_id = db
.store_new_key(
&key,