Remove Keymaster::isSecure() and simplify callers
Now that isSecure() always returns true, we can remove it and simplify
all the callers (i.e. cryptfs). Refer to the commit description for
Iaebfef082eca0da8a305043fafb6d85e5de14cf8 for why this function always
return true.
Bug: 181910578
Test: Cuttlefish and bramble boot
Change-Id: I185dd8180bd7842b05295263f0b1aa7205329a88
diff --git a/Keymaster.cpp b/Keymaster.cpp
index 5a68630..bb26b64 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -219,10 +219,6 @@
return KeymasterOperation(cor.iOperation, cor.upgradedBlob);
}
-bool Keymaster::isSecure() {
- return true;
-}
-
void Keymaster::earlyBootEnded() {
::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
@@ -238,14 +234,3 @@
} // namespace vold
} // namespace android
-
-// TODO: This always returns true right now since we hardcode the security level.
-// If it's alright to hardcode it, we should remove this function and simplify the callers.
-int keymaster_compatibility_cryptfs_scrypt() {
- android::vold::Keymaster dev;
- if (!dev) {
- LOG(ERROR) << "Failed to initiate keymaster session";
- return -1;
- }
- return dev.isSecure();
-}
diff --git a/Keymaster.h b/Keymaster.h
index 84b473e..1100840 100644
--- a/Keymaster.h
+++ b/Keymaster.h
@@ -122,7 +122,6 @@
// also stores the upgraded key blob.
KeymasterOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
km::AuthorizationSet* outParams);
- bool isSecure();
// Tell all Keymint devices that early boot has ended and early boot-only keys can no longer
// be created or used.
@@ -136,6 +135,4 @@
} // namespace vold
} // namespace android
-int keymaster_compatibility_cryptfs_scrypt();
-
#endif
diff --git a/cryptfs.cpp b/cryptfs.cpp
index deba6da..5764b5d 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -328,11 +328,6 @@
return KeyGeneration{get_crypto_type().get_keysize(), true, false};
}
-/* Should we use keymaster? */
-static int keymaster_check_compatibility() {
- return keymaster_compatibility_cryptfs_scrypt();
-}
-
static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
uint32_t* out_size) {
if (!buffer || !out_size) {
@@ -1834,7 +1829,6 @@
char tmp_mount_point[64];
unsigned int orig_failed_decrypt_count;
int rc;
- int use_keymaster = 0;
int upgrade = 0;
unsigned char* intermediate_key = 0;
size_t intermediate_key_size = 0;
@@ -1916,15 +1910,9 @@
rc = 0;
// Upgrade if we're not using the latest KDF.
- use_keymaster = keymaster_check_compatibility();
- if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
- // Don't allow downgrade
- } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
+ if (crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
upgrade = 1;
- } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
- crypt_ftr->kdf_type = KDF_SCRYPT;
- upgrade = 1;
}
if (upgrade) {
@@ -2128,20 +2116,7 @@
ftr->minor_version = CURRENT_MINOR_VERSION;
ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
ftr->keysize = get_crypto_type().get_keysize();
-
- switch (keymaster_check_compatibility()) {
- case 1:
- ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
- break;
-
- case 0:
- ftr->kdf_type = KDF_SCRYPT;
- break;
-
- default:
- SLOGE("keymaster_check_compatibility failed");
- return -1;
- }
+ ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
get_device_scrypt_params(ftr);