Keystore 2.0: Don't use DB unconditionally in generate_key()
The global DB can only be initialized after /data is mounted, so we can't
access it before /data is mounted. In particular, generate_key() was
accessing DB unconditionally to handle key attestation, which won't work
once keystore2 starts before /data is mounted.
This patch makes generate_key() directly handle the case when we have a
Domain::BLOB key with no attestation key to avoid initializing DB.
Bug: 181910578
Test: Make keystore2 boot early and call generate_key from vold
before /data is mounted
Change-Id: I6c61caab681ce462e52cfa497ea699abc6aa3984
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
index 0abc7e3..6560d4d 100644
--- a/keystore2/src/security_level.rs
+++ b/keystore2/src/security_level.rs
@@ -420,17 +420,20 @@
// generate_key requires the rebind permission.
check_key_permission(KeyPerm::rebind(), &key, &None).context("In generate_key.")?;
- let (attest_key, cert_chain) = DB
- .with::<_, Result<(Option<AttestationKey>, Option<Certificate>)>>(|db| {
- self.get_attest_key_and_cert_chain(
- &key,
- caller_uid,
- attest_key_descriptor,
- params,
- &mut db.borrow_mut(),
- )
- })
- .context("In generate_key: Trying to get an attestation key")?;
+ let (attest_key, cert_chain) = match (key.domain, attest_key_descriptor) {
+ (Domain::BLOB, None) => (None, None),
+ _ => DB
+ .with::<_, Result<(Option<AttestationKey>, Option<Certificate>)>>(|db| {
+ self.get_attest_key_and_cert_chain(
+ &key,
+ caller_uid,
+ attest_key_descriptor,
+ params,
+ &mut db.borrow_mut(),
+ )
+ })
+ .context("In generate_key: Trying to get an attestation key")?,
+ };
let params = Self::add_certificate_parameters(caller_uid, params, &key)
.context("In generate_key: Trying to get aaid.")?;
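Review bot: The new `(Domain::BLOB, None)` arm decides on `key.domain` and `attest_key_descriptor` alone and never inspects `params`, so a BLOB-domain request that carries an attestation challenge now gets `(None, None)` without passing through `get_attest_key_and_cert_chain`. That helper's body is outside the hunk, so it cannot be confirmed here whether it would have selected an attestation key for such a request; if it would, the fast path silently changes which key ends up signing the attestation. Consider narrowing the arm so that case still takes the DB path and fails closed before /data is mounted, e.g. `(Domain::BLOB, None) if !params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) => (None, None),` (assuming `params` is the KeyParameter slice). Either way, a comment above the match should record the invariant, such as `// Domain::BLOB with no attest key must not touch DB: vold may call this before /data is mounted.` The body of generate_key starts and ends outside the hunk.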