commit 74997ed800092cf51ffd8405d48b054122bbf694
author Tri Vo <trong@google.com> Thu Jul 20 17:57:19 2023 -0400
committer Tri Vo <trong@google.com> Tue Jul 25 16:40:31 2023 -0400
tree c0001e49d85da05384f0f8c4706a32e25f6eb6af
parent fa6e5a734c2f206dfa91bce174236416120066ba

keystore: Fix ID rotation window

KeyMint spec requires unique ID rotation to happen every 30 days (or
more precisely 2592000000 milliseconds) starting at UNIX epoch time.

Keystore is also supposed to set the RESET_SINCE_ID_ROTATION to indicate
"whether the device has been factory reset since the last unique ID
rotation".

However, instead Keystore sets RESET_SINCE_ID_ROTATION if there has been
a factory reset in the last 30 days counting back from now, which is
different and will give one extra UNIQUE_ID value in a subsequent
period:

For example, if there's a factory reset (marked as :) in the 3rd period
(periods delimited by |), the first half of the 4th period will have
RESET_SINCE_ID_ROTATION set and get a different UNIQUE_ID value than it
should:

Want = |   A    |   B    | C : C2 |   D    | ...
Get  = |   A    |   B    | C : C2 | D2 : D | ...

Bug: 289774200
Test: keystore2_test
Change-Id: I156de902931915cd1ae7ad2eba63fd0276f15ae0

keystore2/src/security_level.rs

diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 5eed37c..db44d4b 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -405,8 +405,7 @@
     ) -> Result<Vec<KeyParameter>> {
         let mut result = params.to_vec();
 
-        // Unconditionally add the CREATION_DATETIME tag and prevent callers from
-        // specifying it.
+        // Prevent callers from specifying the CREATION_DATETIME tag.
         if params.iter().any(|kp| kp.tag == Tag::CREATION_DATETIME) {
             return Err(Error::Rc(ResponseCode::INVALID_ARGUMENT)).context(ks_err!(
                 "KeystoreSecurityLevel::add_required_parameters: \
@@ -414,12 +413,16 @@
             ));
         }
 
+        // Use this variable to refer to notion of "now". This eliminates discrepancies from
+        // quering the clock multiple times.
+        let creation_datetime = SystemTime::now();
+
         // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
         if self.hw_info.versionNumber >= 100 {
             result.push(KeyParameter {
                 tag: Tag::CREATION_DATETIME,
                 value: KeyParameterValue::DateTime(
-                    SystemTime::now()
+                    creation_datetime
                         .duration_since(SystemTime::UNIX_EPOCH)
                         .context(ks_err!(
                             "KeystoreSecurityLevel::add_required_parameters: \
@@ -462,7 +465,7 @@
             }
             if self
                 .id_rotation_state
-                .had_factory_reset_since_id_rotation()
+                .had_factory_reset_since_id_rotation(&creation_datetime)
                 .context(ks_err!("Call to had_factory_reset_since_id_rotation failed."))?
             {
                 result.push(KeyParameter {