Skip DE-critical system keys on clearNamespace
When clearing keys for a specific uid, the C++ Keystore code included a
hack that skipped deletion of keys that were owned by the system uid (1000)
and marked with a special flag (ag/2161344) as critical to device
encryption (DE-critical).
This hack was not transplanted when Keystore was re-written from C++ to
Rust for Android S, but there are now scenarios that implicitly rely on
this behaviour being present. So reproduce the hack in the Rust code
that handles legacy keys.
Test: 11->15 upgrade tests
Bug: 377650521
Change-Id: I9ca0f0b31670eb419870a96df93c78c1cf17b795
diff --git a/keystore2/src/legacy_importer.rs b/keystore2/src/legacy_importer.rs
index 24f3263..0d8dc4a 100644
--- a/keystore2/src/legacy_importer.rs
+++ b/keystore2/src/legacy_importer.rs
@@ -786,7 +786,7 @@
.context(ks_err!("Trying to load legacy blob."))?;
// Determine if the key needs special handling to be deleted.
- let (need_gc, is_super_encrypted) = km_blob_params
+ let (need_gc, is_super_encrypted, is_de_critical) = km_blob_params
.as_ref()
.map(|(blob, params)| {
let params = match params {
@@ -798,13 +798,18 @@
KeyParameterValue::RollbackResistance == *kp.key_parameter_value()
}),
blob.is_encrypted(),
+ blob.is_critical_to_device_encryption(),
)
})
- .unwrap_or((false, false));
+ .unwrap_or((false, false, false));
if keep_non_super_encrypted_keys && !is_super_encrypted {
continue;
}
+ if uid == rustutils::users::AID_SYSTEM && is_de_critical {
+ log::info!("skip deletion of system key '{alias}' which is DE-critical");
+ continue;
+ }
if need_gc {
let mark_deleted = match km_blob_params