commit acebfa2471594c8971513064deacfec2efaad7bf
author Janis Danisevskis <jdanis@google.com> Tue May 25 10:56:10 2021 -0700
committer Janis Danisevskis <jdanis@google.com> Tue Jun 01 14:30:27 2021 -0700
tree 46ac088e7df0374ea33dfabb9a11425234c76ad4
parent 5c7482104f61d43b15f8421c3a5c546d16d0cd45

Keystore 2.0: Boot level keys: Check key characteristics.

Check the key characteristics of the level zero key to verify its
integrity.

Ignore-AOSP-First: No automerge path from AOSP.
Bug: 187862706
Test: N/A
Change-Id: Id83e581781507e499790e77729b0e2d96795f908
Merged-In: Id83e581781507e499790e77729b0e2d96795f908

keystore2/src/boot_level_keys.rs

diff --git a/keystore2/src/boot_level_keys.rs b/keystore2/src/boot_level_keys.rs
index 5b7c3c3..ddac1f8 100644
--- a/keystore2/src/boot_level_keys.rs
+++ b/keystore2/src/boot_level_keys.rs
@@ -16,7 +16,9 @@
 
 use crate::{database::KeystoreDB, key_parameter::KeyParameterValue, raw_device::KeyMintDevice};
 use android_hardware_security_keymint::aidl::android::hardware::security::keymint::{
-    Algorithm::Algorithm, Digest::Digest, KeyPurpose::KeyPurpose, SecurityLevel::SecurityLevel,
+    Algorithm::Algorithm, Digest::Digest, KeyParameter::KeyParameter as KmKeyParameter,
+    KeyParameterValue::KeyParameterValue as KmKeyParameterValue, KeyPurpose::KeyPurpose,
+    SecurityLevel::SecurityLevel, Tag::Tag,
 };
 use anyhow::{Context, Result};
 use keystore2_crypto::{hkdf_expand, ZVec, AES_256_KEY_LENGTH};
@@ -56,14 +58,41 @@
         KeyParameterValue::NoAuthRequired.into(),
     ];
 
-    if km_dev.version() >= KeyMintDevice::KEY_MASTER_V4_1 {
+    let has_early_boot_only = km_dev.version() >= KeyMintDevice::KEY_MASTER_V4_1;
+
+    if has_early_boot_only {
         params.push(KeyParameterValue::EarlyBootOnly.into());
     } else {
         params.push(KeyParameterValue::MaxUsesPerBoot(1).into())
     }
 
     let (key_id_guard, key_entry) = km_dev
-        .lookup_or_generate_key(db, &key_desc, &params)
+        .lookup_or_generate_key(db, &key_desc, &params, |key_characteristics| {
+            key_characteristics.iter().any(|kc| {
+                if kc.securityLevel == km_dev.security_level() {
+                    kc.authorizations.iter().any(|a| {
+                        matches!(
+                            (has_early_boot_only, a),
+                            (
+                                true,
+                                KmKeyParameter {
+                                    tag: Tag::EARLY_BOOT_ONLY,
+                                    value: KmKeyParameterValue::BoolValue(true)
+                                }
+                            ) | (
+                                false,
+                                KmKeyParameter {
+                                    tag: Tag::MAX_USES_PER_BOOT,
+                                    value: KmKeyParameterValue::Integer(1)
+                                }
+                            )
+                        )
+                    })
+                } else {
+                    false
+                }
+            })
+        })
         .context("In get_level_zero_key: lookup_or_generate_key failed")?;
 
     let params = [KeyParameterValue::MacLength(256).into()];