Merge "Drop ancient default salt value"
diff --git a/keystore2/src/remote_provisioning.rs b/keystore2/src/remote_provisioning.rs
index afbf475..b47b373 100644
--- a/keystore2/src/remote_provisioning.rs
+++ b/keystore2/src/remote_provisioning.rs
@@ -60,7 +60,6 @@
security_level: SecurityLevel,
km_uuid: Uuid,
is_hal_present: AtomicBool,
- is_rkp_only: bool,
}
static COSE_KEY_XCOORD: Value = Value::Integer(-2);
@@ -71,12 +70,7 @@
impl RemProvState {
/// Creates a RemProvState struct.
pub fn new(security_level: SecurityLevel, km_uuid: Uuid) -> Self {
- Self {
- security_level,
- km_uuid,
- is_hal_present: AtomicBool::new(true),
- is_rkp_only: Self::read_is_rkp_only_property(security_level),
- }
+ Self { security_level, km_uuid, is_hal_present: AtomicBool::new(true) }
}
/// Returns the uuid for the KM instance attached to this RemProvState struct.
@@ -84,12 +78,12 @@
self.km_uuid
}
- fn read_is_rkp_only_property(security_level: SecurityLevel) -> bool {
+ fn is_rkp_only(&self) -> bool {
let default_value = false;
- let property_name = match security_level {
- SecurityLevel::STRONGBOX => "ro.remote_provisioning.strongbox.rkp_only",
- SecurityLevel::TRUSTED_ENVIRONMENT => "ro.remote_provisioning.tee.rkp_only",
+ let property_name = match self.security_level {
+ SecurityLevel::STRONGBOX => "remote_provisioning.strongbox.rkp_only",
+ SecurityLevel::TRUSTED_ENVIRONMENT => "remote_provisioning.tee.rkp_only",
_ => return default_value,
};
@@ -102,6 +96,9 @@
/// server, so unfortunately caching the presence or absence of the HAL is not enough to fully
/// make decisions about the state of remote provisioning during runtime.
fn check_rem_prov_enabled(&self, db: &mut KeystoreDB) -> Result<bool> {
+ if self.is_rkp_only() {
+ return Ok(true);
+ }
if !self.is_hal_present.load(Ordering::Relaxed)
|| get_remotely_provisioned_component(&self.security_level).is_err()
{
@@ -159,7 +156,7 @@
"In get_remote_provisioning_key_and_certs: Error occurred: {:?}",
e
);
- if self.is_rkp_only {
+ if self.is_rkp_only() {
return Err(e);
}
log_rkp_error_stats(MetricsRkpError::FALL_BACK_DURING_HYBRID);
diff --git a/keystore2/src/service.rs b/keystore2/src/service.rs
index 79e7692..d634e0c 100644
--- a/keystore2/src/service.rs
+++ b/keystore2/src/service.rs
@@ -276,22 +276,19 @@
// If the first check fails we check if the caller has the list permission allowing to list
// any namespace. In that case we also adjust the queried namespace if a specific uid was
// selected.
- match check_key_permission(KeyPerm::GetInfo, &k, &None) {
- Err(e) => {
- if let Some(selinux::Error::PermissionDenied) =
- e.root_cause().downcast_ref::<selinux::Error>()
- {
- check_keystore_permission(KeystorePerm::List)
- .context("In list_entries: While checking keystore permission.")?;
- if namespace != -1 {
- k.nspace = namespace;
- }
- } else {
- return Err(e).context("In list_entries: While checking key permission.")?;
+ if let Err(e) = check_key_permission(KeyPerm::GetInfo, &k, &None) {
+ if let Some(selinux::Error::PermissionDenied) =
+ e.root_cause().downcast_ref::<selinux::Error>() {
+
+ check_keystore_permission(KeystorePerm::List)
+ .context("In list_entries: While checking keystore permission.")?;
+ if namespace != -1 {
+ k.nspace = namespace;
}
+ } else {
+ return Err(e).context("In list_entries: While checking key permission.")?;
}
- Ok(()) => {}
- };
+ }
DB.with(|db| list_key_entries(&mut db.borrow_mut(), k.domain, k.nspace))
}