Biometric support for UNLOCKED_DEVICE_REQUIRED
When the device is locked, keystore is passed a list of biometric
SIDs which should allow unlock of UNLOCKED_DEVICE_REQUIRED keys.
It creates a KM key protected by these SIDs and uses it to encrypt
the UNLOCKED_DEVICE_REQUIRED secrets, and uses this key to recover
those secrets when the device is unlocked.
Test: aosp/1686345
Bug: 163866361
Change-Id: Ic73ed0089cd9567a83c38aed61e20215862aa0be
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index ec1edff..cac75c0 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -130,7 +130,15 @@
lock_screen_event: LockScreenEvent,
user_id: i32,
password: Option<Password>,
+ unlocking_sids: Option<&[i64]>,
) -> Result<()> {
+ log::info!(
+ "on_lock_screen_event({:?}, user_id={:?}, password.is_some()={}, unlocking_sids={:?})",
+ lock_screen_event,
+ user_id,
+ password.is_some(),
+ unlocking_sids
+ );
match (lock_screen_event, password) {
(LockScreenEvent::UNLOCK, Some(password)) => {
// This corresponds to the unlock() method in legacy keystore API.
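Review bot: The new `log::info!` at the top of `on_lock_screen_event` prints the full `unlocking_sids` slice, which the commit message describes as the biometric SIDs that protect the key wrapping the UNLOCKED_DEVICE_REQUIRED secrets. Writing those identifiers to the system log on every lock-screen event exposes them to anything that can read logs, and the count is normally enough for diagnosis. Pass `unlocking_sids.map(|sids| sids.len())` as the last argument and rename the field in the format string to `unlocking_sids.len={:?}`. The function body continues outside this hunk.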
@@ -172,14 +180,23 @@
check_keystore_permission(KeystorePerm::unlock())
.context("In on_lock_screen_event: Unlock.")?;
ENFORCEMENTS.set_device_locked(user_id, false);
+ DB.with(|db| {
+ SUPER_KEY.try_unlock_user_with_biometric(&mut db.borrow_mut(), user_id as u32)
+ })
+ .context("In on_lock_screen_event: try_unlock_user_with_biometric failed")?;
Ok(())
}
(LockScreenEvent::LOCK, None) => {
check_keystore_permission(KeystorePerm::lock())
.context("In on_lock_screen_event: Lock")?;
ENFORCEMENTS.set_device_locked(user_id, true);
- SUPER_KEY.lock_screen_lock_bound_key(user_id as u32);
-
+ DB.with(|db| {
+ SUPER_KEY.lock_screen_lock_bound_key(
+ &mut db.borrow_mut(),
+ user_id as u32,
+ unlocking_sids.unwrap_or(&[]),
+ );
+ });
Ok(())
}
_ => {
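Review bot: In the unlock arm, the result of `try_unlock_user_with_biometric` is propagated with `?` after `ENFORCEMENTS.set_device_locked(user_id, false)` has already run, so a failure there returns an error to the caller while the enforcement state already records the device as unlocked. If biometric recovery is meant to be best-effort (the `try_` prefix suggests so, but the helper is not visible here), log the error and fall through to `Ok(())`; if it is meant to be fatal, perform it before `set_device_locked`. The lock arm has the opposite shape: whatever `lock_screen_lock_bound_key` returns is discarded by the `;` inside the closure, so a short comment such as `// failures are logged inside lock_screen_lock_bound_key; locking must not fail` (if that is the intent) would make the asymmetry deliberate. The enclosing match starts and ends outside this hunk.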
@@ -225,9 +242,15 @@
lock_screen_event: LockScreenEvent,
user_id: i32,
password: Option<&[u8]>,
+ unlocking_sids: Option<&[i64]>,
) -> BinderResult<()> {
map_or_log_err(
- self.on_lock_screen_event(lock_screen_event, user_id, password.map(|pw| pw.into())),
+ self.on_lock_screen_event(
+ lock_screen_event,
+ user_id,
+ password.map(|pw| pw.into()),
+ unlocking_sids,
+ ),
Ok,
)
}