Add "unlocked device required" keystore API
Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.
This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.
This commit adds the API only; full functionality will be added in a
later change.
Test: CTS tests in CtsKeystoreTestCases
Bug: 67752510
Merged-In: I210fbb635a2c98e3d6208859387a5eb3f10ab976
Change-Id: I210fbb635a2c98e3d6208859387a5eb3f10ab976
(cherry picked from commit 947877a55c9adeb7fbbe2d6215735515e4cec9e3)
diff --git a/keystore/Android.bp b/keystore/Android.bp
index 9e882e4..60ac0d5 100644
--- a/keystore/Android.bp
+++ b/keystore/Android.bp
@@ -83,7 +83,7 @@
srcs: ["keystore_cli.cpp"],
shared_libs: [
- "android.hardware.keymaster@3.0",
+ "android.hardware.keymaster@4.0",
"libbinder",
"libcrypto",
"libcutils",
@@ -109,7 +109,7 @@
srcs: ["keystore_cli_v2.cpp"],
shared_libs: [
"android.hardware.confirmationui@1.0",
- "android.hardware.keymaster@3.0",
+ "android.hardware.keymaster@4.0",
"libbinder",
"libchrome",
"libutils",
diff --git a/keystore/binder/android/security/IKeystoreService.aidl b/keystore/binder/android/security/IKeystoreService.aidl
index 538dd28..db55062 100644
--- a/keystore/binder/android/security/IKeystoreService.aidl
+++ b/keystore/binder/android/security/IKeystoreService.aidl
@@ -85,4 +85,5 @@
in String locale, in int uiOptionsAsFlags);
int cancelConfirmationPrompt(IBinder listener);
boolean isConfirmationPromptSupported();
+ int onKeyguardVisibilityChanged(in boolean isShowing, in int userId);
}
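Review bot: The new `onKeyguardVisibilityChanged` method on L45 carries no comment about who may call it, yet as a binder method on the keystore service it is reachable by any client that can obtain the service, and the state it reports is what will gate access to keys created with the new parameter. The permitted caller is therefore part of the contract and belongs in the AIDL, e.g. `/** Reports keyguard visibility for userId; intended for privileged system callers only, the service enforces this. */` above the declaration, adjusted to whatever check the implementation ends up applying. The interface declaration starts outside the hunk.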
diff --git a/keystore/include/keystore/keymaster_types.h b/keystore/include/keystore/keymaster_types.h
index 62b43be..bd61294 100644
--- a/keystore/include/keystore/keymaster_types.h
+++ b/keystore/include/keystore/keymaster_types.h
@@ -83,6 +83,7 @@
using keymaster::TAG_RSA_PUBLIC_EXPONENT;
using keymaster::TAG_USAGE_EXPIRE_DATETIME;
using keymaster::TAG_USER_AUTH_TYPE;
+using keymaster::TAG_USER_ID;
using keymaster::TAG_USER_SECURE_ID;
using keymaster::NullOr;
diff --git a/keystore/key_store_service.cpp b/keystore/key_store_service.cpp
index 3e8783b..8be07f8 100644
--- a/keystore/key_store_service.cpp
+++ b/keystore/key_store_service.cpp
@@ -2226,4 +2226,11 @@
return error;
}
+Status KeyStoreService::onKeyguardVisibilityChanged(bool /*isShowing*/, int32_t /*userId*/,
+ int32_t* /*aidl_return*/) {
+ // TODO(67752510)
+
+ return Status::ok();
+}
+
} // namespace keystore
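Review bot: The stub `onKeyguardVisibilityChanged` on L65–L70 never writes `*aidl_return` and performs no caller check before returning `Status::ok()`; the AIDL declares an int result, so the proxy will hand the caller whatever the out-parameter happened to hold. Because this call will drive the locked/unlocked state that gates `UNLOCKED_DEVICE_REQUIRED` keys, an unprivileged client should not be able to invoke it even while it is a no-op, otherwise the follow-up can land the logic without the guard. Set the result now, e.g. `*aidl_return = static_cast<int32_t>(ResponseCode::NO_ERROR);` if that is how this file's other methods report success, and place it behind the same uid/permission check the file's other privileged entry points use.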
diff --git a/keystore/key_store_service.h b/keystore/key_store_service.h
index 70a56ca..8d3f1f2 100644
--- a/keystore/key_store_service.h
+++ b/keystore/key_store_service.h
@@ -177,6 +177,9 @@
int32_t* _aidl_return) override;
::android::binder::Status isConfirmationPromptSupported(bool* _aidl_return) override;
+ ::android::binder::Status onKeyguardVisibilityChanged(bool isShowing, int32_t userId,
+ int32_t* _aidl_return);
+
private:
static const int32_t UID_SELF = -1;
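Review bot: The `onKeyguardVisibilityChanged` declaration on L80–L81 lacks the `override` its neighbours carry (`isConfirmationPromptSupported` on L79 has it). `override` makes the compiler verify the signature against the generated Bn interface, so a parameter or return-type mismatch is reported at this declaration instead of surfacing later as an unimplemented pure-virtual; write it as `int32_t* _aidl_return) override;`. The class declaration starts outside the hunk.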
diff --git a/keystore/keymaster_enforcement.cpp b/keystore/keymaster_enforcement.cpp
index d78a5a6..3e8c25c 100644
--- a/keystore/keymaster_enforcement.cpp
+++ b/keystore/keymaster_enforcement.cpp
@@ -282,10 +282,18 @@
}
break;
+ case Tag::USER_ID:
+ // TODO(67752510)
+ break;
+
case Tag::CALLER_NONCE:
caller_nonce_authorized_by_key = true;
break;
+ case Tag::UNLOCKED_DEVICE_REQUIRED:
+ // TODO(67752510)
+ break;
+
/* Tags should never be in key auths. */
case Tag::INVALID:
case Tag::ROOT_OF_TRUST:
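Review bot: `case Tag::UNLOCKED_DEVICE_REQUIRED:` on L99–L101 leaves the switch with a bare `break`, which, judging by the neighbouring `CALLER_NONCE` case, appears to mean a key carrying this tag is authorized exactly as if the tag were absent — the restriction is fail-open until the follow-up lands. If that is the intended interim behaviour, state it at the case rather than only `TODO(67752510)`, e.g. `// Not yet enforced: keys carrying this tag are currently usable while the device is locked.`; otherwise consider consulting `is_device_locked(...)` here so the interim default is fail-closed. The same applies to `case Tag::USER_ID:` on L92–L94. The enclosing switch and its function start and end outside the hunk.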
diff --git a/keystore/keymaster_enforcement.h b/keystore/keymaster_enforcement.h
index d7b27fc..6e6c54f 100644
--- a/keystore/keymaster_enforcement.h
+++ b/keystore/keymaster_enforcement.h
@@ -142,6 +142,11 @@
*/
virtual bool ValidateTokenSignature(const HardwareAuthToken& token) const = 0;
+ /*
+ * Returns true if the device screen is currently locked for the specified user.
+ */
+ virtual bool is_device_locked(int32_t userId) const = 0;
+
private:
ErrorCode AuthorizeUpdateOrFinish(const AuthorizationSet& auth_set,
const HardwareAuthToken& auth_token, uint64_t op_handle);
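Review bot: `is_device_locked` on L116 is snake_case while the other virtuals visible in this class (`ValidateTokenSignature` on L112, `AuthorizeUpdateOrFinish` on L119) are PascalCase, so the new hook reads as if it belongs to a different interface; `virtual bool IsDeviceLocked(int32_t userId) const = 0;` would match, with the override in keystore_keymaster_enforcement.h renamed alongside. The comment block could also say that the result is consulted on the operation-authorization path, since that is what makes a wrong answer security-relevant. The class declaration starts outside the hunk.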
diff --git a/keystore/keystore_keymaster_enforcement.h b/keystore/keystore_keymaster_enforcement.h
index 3cdf649..04f974f 100644
--- a/keystore/keystore_keymaster_enforcement.h
+++ b/keystore/keystore_keymaster_enforcement.h
@@ -84,6 +84,15 @@
// signing key. Assume the token is good.
return true;
}
+
+ bool is_device_locked(int32_t /*userId*/) const override {
+ // TODO(67752510)
+ return false;
+ }
+
+ void set_device_locked(bool /*isLocked*/, int32_t /*userId*/) {
+ // TODO(67752510)
+ }
};
} // namespace keystore
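Review bot: `is_device_locked` on L130–L133 returns `false` unconditionally, so for the interim the enforcement layer is told that no user's device is ever locked, and `set_device_locked` on L135–L137 discards what it is given; a default of locked until `set_device_locked` has reported otherwise would be the fail-closed choice once the follow-up wires these up. Note also that `is_device_locked` is `const` and will presumably be read on the authorization path while `set_device_locked` is driven from the keyguard callback on a different binder thread, so the per-user state will need `mutable`/atomic storage or a lock. A comment to that effect now, e.g. `// Per-user lock state: written from the keyguard callback, read during operation authorization; must be synchronized.`, keeps the follow-up from missing it.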