Biometric support for UNLOCKED_DEVICE_REQUIRED

When the device is locked, keystore is passed a list of biometric
SIDs which should allow unlock of UNLOCKED_DEVICE_REQUIRED keys.
It creates a KM key protected by these SIDs, uses it to encrypt
the UNLOCKED_DEVICE_REQUIRED secrets, and uses the same key to recover
those secrets when the device is unlocked.

Test: aosp/1686345
Bug: 163866361
Change-Id: Ic73ed0089cd9567a83c38aed61e20215862aa0be
diff --git a/keystore2/src/boot_level_keys.rs b/keystore2/src/boot_level_keys.rs
index a658c02..3084195 100644
--- a/keystore2/src/boot_level_keys.rs
+++ b/keystore2/src/boot_level_keys.rs
@@ -17,28 +17,17 @@
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
     Algorithm::Algorithm, Digest::Digest, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
 };
-use android_system_keystore2::aidl::android::system::keystore2::{
-    Domain::Domain, KeyDescriptor::KeyDescriptor,
-};
 use anyhow::{Context, Result};
 use keystore2_crypto::{hkdf_expand, ZVec, AES_256_KEY_LENGTH};
 use std::{collections::VecDeque, convert::TryFrom};
 
-use crate::{
-    database::KeystoreDB, key_parameter::KeyParameterValue, raw_device::KeyMintDevice,
-    utils::AID_KEYSTORE,
-};
+use crate::{database::KeystoreDB, key_parameter::KeyParameterValue, raw_device::KeyMintDevice};
 
 /// This is not thread safe; caller must hold a lock before calling.
 /// In practice the caller is SuperKeyManager and the lock is the
 /// Mutex on its internal state.
 pub fn get_level_zero_key(db: &mut KeystoreDB) -> Result<ZVec> {
-    let key_desc = KeyDescriptor {
-        domain: Domain::APP,
-        nspace: AID_KEYSTORE as i64,
-        alias: Some("boot_level_key".to_string()),
-        blob: None,
-    };
+    let key_desc = KeyMintDevice::internal_descriptor("boot_level_key".to_string());
     let params = [
         KeyParameterValue::Algorithm(Algorithm::HMAC).into(),
         KeyParameterValue::Digest(Digest::SHA_2_256).into(),
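Review bot: The identity of the boot level key now comes entirely from `KeyMintDevice::internal_descriptor` on the new line 43, whose domain and namespace are not visible in this hunk; the replaced lines pinned the key to `Domain::APP` with `nspace: AID_KEYSTORE`, and if the helper resolves to anything else, a device that already holds a `boot_level_key` would silently get a fresh key, and every level key derived from it would change. That is an inference from the removed lines rather than something the hunk proves, so it is worth confirming against the helper. A one-line comment above the new call such as `// Must resolve to the same (domain, nspace, alias) the key was originally created under; otherwise existing level keys become unrecoverable.` would make the invariant explicit for the next person who touches the helper. get_level_zero_key's body continues past the end of this hunk.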
@@ -60,10 +49,11 @@
     let level_zero_key = km_dev
         .use_key_in_one_step(
             db,
-            key_id_guard,
+            &key_id_guard,
             &key_entry,
             KeyPurpose::SIGN,
             &params,
+            None,
             b"Create boot level key",
         )
         .context("In get_level_zero_key: use_key_in_one_step failed")?;
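Review bot: The new bare `None` argument on line 56 gives a reader no indication of what is being omitted, and with seven positional arguments to `use_key_in_one_step` the intent is easy to lose. Given the commit's subject it is plausibly the authentication-related parameter that biometric-SID-protected keys need, but that is an inference from the message, not the hunk; a trailing comment such as `None, // no <parameter name>: the boot level key is not bound to user authentication` with the real parameter name and rationale filled in would pin it down at the call site. `key_id_guard` is now passed by reference rather than moved, so the guard remains live until the end of its enclosing scope; that only needs a comment if something later in the function relies on the lock still being held. get_level_zero_key begins before this hunk and continues after it.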