Keystore 2.0: Revise GC.
* Store GC relevant information with blobs.
* Marking a key unreferenced now deletes the main key entry and all
associated artifacts from the database except the blobs and their
associated metadata, which are left to the GC.
* The GC is now automatically called by the DB module and it is now
modular enough to use a local test GC.
Test: keystore2_test
Change-Id: Iaf9e851d2895c8c457d160052fcab7f8d20e6555
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index 6aa7ed5..efd62e3 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -20,6 +20,7 @@
use std::collections::HashMap;
+use crate::error::{self, map_or_log_err, ErrorCode};
use crate::permission::{KeyPerm, KeystorePerm};
use crate::security_level::KeystoreSecurityLevel;
use crate::utils::{
@@ -32,10 +33,6 @@
database::{KeyEntryLoadBits, KeyType, SubComponentType},
error::ResponseCode,
};
-use crate::{
- error::{self, map_or_log_err, ErrorCode},
- gc::Gc,
-};
use android_hardware_security_keymint::aidl::android::hardware::security::keymint::SecurityLevel::SecurityLevel;
use android_system_keystore2::aidl::android::system::keystore2::{
Domain::Domain, IKeystoreSecurityLevel::IKeystoreSecurityLevel,
@@ -185,10 +182,10 @@
.context("Failed to load key entry.")?;
if let Some((key_id_guard, key_entry)) = entry {
- db.set_blob(&key_id_guard, SubComponentType::CERT, public_cert)
+ db.set_blob(&key_id_guard, SubComponentType::CERT, public_cert, None)
.context("Failed to update cert subcomponent.")?;
- db.set_blob(&key_id_guard, SubComponentType::CERT_CHAIN, certificate_chain)
+ db.set_blob(&key_id_guard, SubComponentType::CERT_CHAIN, certificate_chain, None)
.context("Failed to update cert chain subcomponent.")?;
return Ok(());
}
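Review bot: The new fourth argument is a bare `None` at both `set_blob` calls, so a reader cannot tell what is being omitted or why omitting it is correct for certificate blobs. Going by the commit message it is presumably the GC-relevant information stored with a blob; if so, a comment above the first call would make that explicit, e.g. `// Certificate blobs carry no GC-relevant metadata, hence None.` The two writes also fail independently through `?`, so it is worth confirming (not visible here) that a failed CERT_CHAIN update cannot leave a new CERT paired with the old chain. The enclosing function starts and ends outside this hunk.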
@@ -269,16 +266,12 @@
fn delete_key(&self, key: &KeyDescriptor) -> Result<()> {
let caller_uid = ThreadState::get_calling_uid();
- let need_gc = DB
- .with(|db| {
- db.borrow_mut().unbind_key(&key, KeyType::Client, caller_uid, |k, av| {
- check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
- })
+ DB.with(|db| {
+ db.borrow_mut().unbind_key(&key, KeyType::Client, caller_uid, |k, av| {
+ check_key_permission(KeyPerm::delete(), k, &av).context("During delete_key.")
})
- .context("In delete_key: Trying to unbind the key.")?;
- if need_gc {
- Gc::notify_gc();
- }
+ })
+ .context("In delete_key: Trying to unbind the key.")?;
Ok(())
}
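Review bot: `delete_key` now returns `Ok(())` as soon as `unbind_key` succeeds, and nothing at this call site says the key's blobs still exist at that point. Per the commit message, blobs and their metadata are left to the GC that the DB module triggers, so the method deserves a doc comment stating that contract, e.g. `/// Unbinds the key; its blobs and blob metadata are reclaimed later by the GC run from the database module.` With the explicit `Gc::notify_gc()` gone from this path, a test asserting that a deleted key's blob is eventually collected would keep the guarantee visible. Minor style point: `key` is already a `&KeyDescriptor`, so `unbind_key(key, ...)` avoids the extra borrow in `&key`.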