Introduce KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION
This flag is used by system server to mark keys used during the
synthetic password auth flow. keys marked with this flag will not
be super encrypted because super encryption requires knowledge of
the synthetic password, causing a chicken-and-egg problem.
Bug: 35849499
Bug: 34600579
Test: cts-tradefed run cts-dev -m CtsDevicePolicyManagerTestCases -t com.android.cts.devicepolicy.MixedProfileOwnerTest#testResetPasswordWithToken
Change-Id: Ibd900e3ede1f51c476d462085caaf216d911d693
diff --git a/keystore/blob.cpp b/keystore/blob.cpp
index 8c8267b..237d896 100644
--- a/keystore/blob.cpp
+++ b/keystore/blob.cpp
@@ -75,6 +75,10 @@
return mBlob.flags & KEYSTORE_FLAG_SUPER_ENCRYPTED;
}
+bool Blob::isCriticalToDeviceEncryption() const {
+ return mBlob.flags & KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION;
+}
+
inline uint8_t setFlag(uint8_t flags, bool set, KeyStoreFlag flag) {
return set ? (flags | flag) : (flags & ~flag);
}
@@ -83,11 +87,12 @@
mBlob.flags = setFlag(mBlob.flags, encrypted, KEYSTORE_FLAG_ENCRYPTED);
}
-void Blob::setSuperEncrypted(__attribute__((unused)) bool superEncrypted) {
- // Do not enable super encryption yet, as it's clashing with synthetic password flow
- // TODO: re-enables this once keystore knows about synthetic password keys
+void Blob::setSuperEncrypted(bool superEncrypted) {
+ mBlob.flags = setFlag(mBlob.flags, superEncrypted, KEYSTORE_FLAG_SUPER_ENCRYPTED);
+}
- //mBlob.flags = setFlag(mBlob.flags, superEncrypted, KEYSTORE_FLAG_SUPER_ENCRYPTED);
+void Blob::setCriticalToDeviceEncryption(bool critical) {
+ mBlob.flags = setFlag(mBlob.flags, critical, KEYSTORE_FLAG_CRITICAL_TO_DEVICE_ENCRYPTION);
}
void Blob::setFallback(bool fallback) {