Cryptographic security for MAX_BOOT_LEVEL Use a KDF to generate a key for each boot level, anchored in a key which can only be used once per boot. Bug: 176450483 Test: aosp/1577966: ensure key created at level 40 stops working at 41 Test: keystore2_test Change-Id: I12530cd13cb176251c8a0b5431d53c0a7c1bc02d

commit: 9f7f48b9894975104315552ee873256e4b827b81 [log] [tgz]
author: Paul Crowley <paulcrowley@google.com> Wed Mar 31 09:17:47 2021 -0700
committer: Paul Crowley <paulcrowley@google.com> Mon Apr 05 13:35:57 2021 -0700
tree: 8322a385db838fbebd53f760a26ed173ded1e6ac
parent: 5975c897763c2596bc7bc724000fd8bb526b4658 [diff] [blame]
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index ec6c4d7..0f9e630 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs

@@ -686,7 +686,7 @@
             SuperKeyManager::reencrypt_if_required(key_blob, &upgraded_blob)
                 .context("In store_upgraded_keyblob: Failed to handle super encryption.")?;
 
-        let mut new_blob_metadata = new_blob_metadata.unwrap_or_else(BlobMetaData::new);
+        let mut new_blob_metadata = new_blob_metadata.unwrap_or_default();
         if let Some(uuid) = km_uuid {
             new_blob_metadata.add(BlobMetaEntry::KmUuid(*uuid));
         }
commit	9f7f48b9894975104315552ee873256e4b827b81	[log] [tgz]
author	Paul Crowley <paulcrowley@google.com>	Wed Mar 31 09:17:47 2021 -0700
committer	Paul Crowley <paulcrowley@google.com>	Mon Apr 05 13:35:57 2021 -0700
tree	8322a385db838fbebd53f760a26ed173ded1e6ac
parent	5975c897763c2596bc7bc724000fd8bb526b4658 [diff] [blame]