keystore2: make UnlockedDeviceRequired fix unconditional
Make the fix unconditional and remove all superseded code.
Bug: 299298338
Test: atest -p --include-subdirs system/security/keystore2
Test: atest CtsKeystoreTestCases
Test: atest com.android.server.locksettings
Test: atest TrustManagerServiceTest
Test: atest TrustTests
Change-Id: I99ae3b3ab9fd2dff54793ba455110612d2bd0345
diff --git a/keystore2/src/authorization.rs b/keystore2/src/authorization.rs
index 5a3fdbc..c76f86b 100644
--- a/keystore2/src/authorization.rs
+++ b/keystore2/src/authorization.rs
@@ -150,7 +150,7 @@
&self,
user_id: i32,
unlocking_sids: &[i64],
- mut weak_unlock_enabled: bool,
+ weak_unlock_enabled: bool,
) -> Result<()> {
log::info!(
"on_device_locked(user_id={}, unlocking_sids={:?}, weak_unlock_enabled={})",
@@ -158,9 +158,6 @@
unlocking_sids,
weak_unlock_enabled
);
- if !android_security_flags::fix_unlocked_device_required_keys_v2() {
- weak_unlock_enabled = false;
- }
check_keystore_permission(KeystorePerm::Lock)
.context(ks_err!("caller missing Lock permission"))?;
ENFORCEMENTS.set_device_locked(user_id, true);
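Review bot: The `log::info!` call that closes at the top of this hunk formats `unlocking_sids` with `{:?}` before `check_keystore_permission(KeystorePerm::Lock)` runs, so a caller that is about to be rejected still gets a caller-chosen list written to the log at info level. Consider moving the permission check above the log statement, or logging only `unlocking_sids.len()` until the caller is authorized. The macro invocation starts in the previous hunk and the rest of on_device_locked lies outside this one. How `weak_unlock_enabled` is used, now that it is no longer forced to `false`, therefore cannot be confirmed from here.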
@@ -178,9 +175,6 @@
fn on_weak_unlock_methods_expired(&self, user_id: i32) -> Result<()> {
log::info!("on_weak_unlock_methods_expired(user_id={})", user_id);
- if !android_security_flags::fix_unlocked_device_required_keys_v2() {
- return Ok(());
- }
check_keystore_permission(KeystorePerm::Lock)
.context(ks_err!("caller missing Lock permission"))?;
SUPER_KEY.write().unwrap().wipe_plaintext_unlocked_device_required_keys(user_id as u32);
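Review bot: `user_id as u32` on the `wipe_plaintext_unlocked_device_required_keys` line wraps a negative `user_id` into a large unsigned id instead of rejecting it, and with the flag check removed this path is now always taken. A wipe aimed at a wrapped id would presumably still report success to the caller, so a checked conversion is safer: `let user_id = u32::try_from(user_id).context(ks_err!("invalid user_id"))?;`. The same cast feeds `wipe_all_unlocked_device_required_keys` in on_non_lskf_unlock_methods_expired in the next hunk. Both function bodies continue past their hunks, so any validation done elsewhere is not visible here.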
@@ -189,9 +183,6 @@
fn on_non_lskf_unlock_methods_expired(&self, user_id: i32) -> Result<()> {
log::info!("on_non_lskf_unlock_methods_expired(user_id={})", user_id);
- if !android_security_flags::fix_unlocked_device_required_keys_v2() {
- return Ok(());
- }
check_keystore_permission(KeystorePerm::Lock)
.context(ks_err!("caller missing Lock permission"))?;
SUPER_KEY.write().unwrap().wipe_all_unlocked_device_required_keys(user_id as u32);