Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / 673d34addba30be44edfe27bd737c77fc68a518a^! / . / keystore2 / src / database.rs
commit673d34addba30be44edfe27bd737c77fc68a518a[log] [tgz]
authorEric Biggers <ebiggers@google.com>Wed Oct 18 01:54:18 2023 +0000
committerEric Biggers <ebiggers@google.com>Wed Oct 18 01:54:18 2023 +0000
tree194b9f3b8f06f1722b10c02730e7970c97bf9465
parent1386937ecab8f2371cfc163583233565842b2525 [diff] [blame]
keystore2: rename the LskfBound superencryption key and type

Rename the LskfBound superencryption key and superencryption type (also
known as per-boot) to AfterFirstUnlock.

This makes it much clearer what the protection of this key is.  This
includes avoiding the misleading use of "LSKF"; the secret that's
actually relevant is the user's synthetic password, which is most
commonly unlocked with the LSKF but can potentially be unlocked in other
ways.  This is also helpful for the planned change to make the user's
super keys exist even while the user doesn't have an LSKF.

Bug: 296464083
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Flag: exempt, mechanical refactoring and comment changes
Change-Id: I9b16934f37222fef2bf01830f521928ef2c1853a

diff --git a/keystore2/src/database.rs b/keystore2/src/database.rs
index 3a2f50f..08361b1 100644
--- a/keystore2/src/database.rs
+++ b/keystore2/src/database.rs

@@ -2855,7 +2855,7 @@
     };
     use crate::key_perm_set;
     use crate::permission::{KeyPerm, KeyPermSet};
-    use crate::super_key::{SuperKeyManager, USER_SUPER_KEY, SuperEncryptionAlgorithm, SuperKeyType};
+    use crate::super_key::{SuperKeyManager, USER_AFTER_FIRST_UNLOCK_SUPER_KEY, SuperEncryptionAlgorithm, SuperKeyType};
     use keystore2_test_utils::TempDir;
     use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
         HardwareAuthToken::HardwareAuthToken,
@@ -4966,18 +4966,23 @@
             SuperKeyManager::encrypt_with_password(&super_key, &pw)?;
         db.store_super_key(
             1,
-            &USER_SUPER_KEY,
+            &USER_AFTER_FIRST_UNLOCK_SUPER_KEY,
             &encrypted_super_key,
             &metadata,
             &KeyMetaData::new(),
         )?;
 
         // Check if super key exists.
-        assert!(db.key_exists(Domain::APP, 1, USER_SUPER_KEY.alias, KeyType::Super)?);
+        assert!(db.key_exists(
+            Domain::APP,
+            1,
+            USER_AFTER_FIRST_UNLOCK_SUPER_KEY.alias,
+            KeyType::Super
+        )?);
 
-        let (_, key_entry) = db.load_super_key(&USER_SUPER_KEY, 1)?.unwrap();
+        let (_, key_entry) = db.load_super_key(&USER_AFTER_FIRST_UNLOCK_SUPER_KEY, 1)?.unwrap();
         let loaded_super_key = SuperKeyManager::extract_super_key_from_key_entry(
-            USER_SUPER_KEY.algorithm,
+            USER_AFTER_FIRST_UNLOCK_SUPER_KEY.algorithm,
             key_entry,
             &pw,
             None,