NIAP: Log key integrity failure to audit log. Logs key integrity violation in two cases: 1. software-detected corruption of key blob. 2. keymaster operation returning INVALID_KEY_BLOB Changed AES_gcm_decrypt to return VALUE_CORRUPTED on decryption errors to be consistent with digest check for older version blob. Bug: 70886042 Test: manual, by patching some bytes in the blob. Test: cts-tradefed run cts -m CtsKeystoreTestCases Change-Id: Ic8f6b7a2a49aee01253b429644af409e568d7deb

commit: cef39477f9d5f52f716165be8fadcf94cab19b1e [log] [tgz]
author: Pavel Grafov <pgrafov@google.com> Mon Feb 12 18:45:02 2018 +0000
committer: Pavel Grafov <pgrafov@google.com> Thu Feb 15 18:20:28 2018 +0000
tree: b157374fb2b68cb0028d05bb176063c692bf0e64
parent: 3bd6a51a6d49e465bcb03a43998f5bd9367fb59c [diff] [blame]
diff --git a/keystore/keystore_utils.h b/keystore/keystore_utils.h
index f1211de..3bc9c01 100644
--- a/keystore/keystore_utils.h
+++ b/keystore/keystore_utils.h

@@ -56,6 +56,15 @@
 
 class Blob;
 
+// Tags for audit logging. Be careful and don't log sensitive data.
+// Should be in sync with frameworks/base/core/java/android/app/admin/SecurityLogTags.logtags
+constexpr int SEC_TAG_KEY_DESTROYED = 210026;
+constexpr int SEC_TAG_KEY_INTEGRITY_VIOLATION = 210032;
+constexpr int SEC_TAG_AUTH_KEY_GENERATED = 210024;
+constexpr int SEC_TAG_KEY_IMPORTED = 210025;
+
+void log_key_integrity_violation(const char* name, uid_t uid);
+
 namespace keystore {
 
 hidl_vec<uint8_t> blob2hidlVec(const Blob& blob);
commit	cef39477f9d5f52f716165be8fadcf94cab19b1e	[log] [tgz]
author	Pavel Grafov <pgrafov@google.com>	Mon Feb 12 18:45:02 2018 +0000
committer	Pavel Grafov <pgrafov@google.com>	Thu Feb 15 18:20:28 2018 +0000
tree	b157374fb2b68cb0028d05bb176063c692bf0e64
parent	3bd6a51a6d49e465bcb03a43998f5bd9367fb59c [diff] [blame]