Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_security / d6ff8bfbcc9adefcaf838e5f2fa7b2184d574c55^1..d6ff8bfbcc9adefcaf838e5f2fa7b2184d574c55 / .
commitd6ff8bfbcc9adefcaf838e5f2fa7b2184d574c55[log] [tgz]
authorMartijn Coenen <maco@google.com>Mon Apr 19 07:21:08 2021 +0000
committerGerrit Code Review <noreply-gerritcodereview@google.com>Mon Apr 19 07:21:08 2021 +0000
treee9bc1bd821b5d0f05708c023b7d5979a25ac0e20
parent2295dae96257d1db8b3f8e5d04a6591b55ac33dd [diff]
parent79985bdce17da3528ec60e4ccdf0f51f1f46ad34 [diff]
Merge "On-device signing: Make sure Keystore key has the correct boot level."
diff --git a/ondevice-signing/KeystoreKey.cpp b/ondevice-signing/KeystoreKey.cpp
index 9b5e505..96e369a 100644
--- a/ondevice-signing/KeystoreKey.cpp
+++ b/ondevice-signing/KeystoreKey.cpp

@@ -151,8 +151,25 @@
     KeyEntryResponse keyEntryResponse;
     LOG(INFO) << "Trying to retrieve existing keystore key...";
     status = mService->getKeyEntry(descriptor, &keyEntryResponse);
-    if (!status.isOk()) {
-        LOG(INFO) << "Existing keystore key not found, creating new key";
+    bool keyValid = false;
+
+    if (status.isOk()) {
+        // Make sure this is an early boot key
+        for (const auto& auth : keyEntryResponse.metadata.authorizations) {
+            if (auth.keyParameter.tag == Tag::MAX_BOOT_LEVEL) {
+                if (auth.keyParameter.value.get<KeyParameterValue::integer>() == kOdsignBootLevel) {
+                    keyValid = true;
+                    break;
+                }
+            }
+        }
+        if (!keyValid) {
+            LOG(WARNING) << "Found invalid keystore key without MAX_BOOT_LEVEL tag";
+        }
+    }
+
+    if (!keyValid) {
+        LOG(INFO) << "Existing keystore key not found or invalid, creating new key";
         auto newKeyStatus = createNewKey(descriptor);
         if (!newKeyStatus.ok()) {
             LOG(ERROR) << "Failed to create new key";