system: vold: Upgrade the FBE key
During OTA upgrades, if the security state or ROT changes, Keymaster
keys require an upgrade. For such use cases, if the FBE ephemeral
key export fails, check whether the KM key requires an upgrade and try
exporting the ephemeral key again.
Conflicts:
Keymaster.cpp
Keymaster.h
[wight554: Apply changes from CAF 12]
CRs-Fixed: 2632902
Change-Id: I3ee2fcd97a56b628dc4304867c8f2b8da875f883
Signed-off-by: Neeraj Soni <neersoni@codeaurora.org>
Signed-off-by: Volodymyr Zhdanov <wight554@gmail.com>
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index 650222c..125ee2b 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -158,7 +158,24 @@
if (!keystore) return false;
std::string key_temp;
- if (!keystore.exportKey(ksKey, &key_temp)) return false;
+ auto ret = keystore.exportKey(ksKey, &key_temp);
+ if (ret != km::ErrorCode::OK) {
+ if (ret == km::ErrorCode::KEY_REQUIRES_UPGRADE) {
+ // TODO(b/187304488): Re-land the below logic. (keystore.upgradeKey() was removed)
+ return false;
+ /*
+ std::string kmKeyStr(reinterpret_cast<const char*>(ksKey.data()), ksKey.size());
+ std::string Keystr;
+ if (!keystore.upgradeKey(kmKeyStr, km::AuthorizationSet(), &Keystr)) return false;
+ KeyBuffer upgradedKey = KeyBuffer(Keystr.size());
+ memcpy(reinterpret_cast<void*>(upgradedKey.data()), Keystr.c_str(), upgradedKey.size());
+ ret = keystore.exportKey(upgradedKey, &key_temp);
+ if (ret != km::ErrorCode::OK) return false;
+ */
+ } else {
+ return false;
+ }
+ }
*key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true;
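Review bot: Both arms of the new `if (ret != km::ErrorCode::OK)` block return false, so the `KEY_REQUIRES_UPGRADE` branch changes nothing yet; the upgrade-and-retry sequence exists only as commented-out code behind the TODO. A key blob that needs upgrading after an OTA therefore still fails the export, with no log line to tell it apart from any other error. Assuming this file uses the usual `LOG` macros, a line such as `LOG(ERROR) << "exportKey: key requires upgrade, upgrade path not implemented";` before that `return false;` would make the case diagnosable. When the commented logic is re-landed, note that `kmKeyStr` and `Keystr` (like `key_temp` in the context lines) hold key blobs in plain `std::string` objects that are not wiped in the visible lines, whereas Keystore.cpp zeroizes its buffers at `out:`. The enclosing function starts and ends outside this hunk.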
diff --git a/Keystore.cpp b/Keystore.cpp
index 6040f2d..3c3f082 100644
--- a/Keystore.cpp
+++ b/Keystore.cpp
@@ -150,8 +150,8 @@
return true;
}
-bool Keystore::exportKey(const KeyBuffer& ksKey, std::string* key) {
- bool ret = false;
+km::ErrorCode Keystore::exportKey(const KeyBuffer& ksKey, std::string* key) {
+ km::ErrorCode ret = km::ErrorCode::UNKNOWN_ERROR;
ks2::KeyDescriptor storageKey = {
.domain = ks2::Domain::BLOB,
.alias = std::nullopt,
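Review bot: `ret` is initialised to `km::ErrorCode::UNKNOWN_ERROR`, and the only assignment visible in the two Keystore.cpp hunks is `ret = km::ErrorCode::OK;` on the success path. Unless the failure paths outside these hunks store the error reported by the keystore2 call into `ret` before jumping to `out:`, `exportKey()` can never return `KEY_REQUIRES_UPGRADE`. In that case the new `ret == km::ErrorCode::KEY_REQUIRES_UPGRADE` check in KeyStorage.cpp would be unreachable. Each failure path should record the service-specific error code it received before the `goto`. The function body continues outside both hunks, so this needs confirming against the full file.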
@@ -174,7 +174,7 @@
// using the original blobs for TAG_STORAGE_KEY keys. If KeyMint "upgrades"
// them anyway, then they'll just get re-upgraded before each use.
- ret = true;
+ ret = km::ErrorCode::OK;
out:
zeroize_vector(ephemeral_key_response.ephemeralKey);
zeroize_vector(storageKey.blob.value());
diff --git a/Keystore.h b/Keystore.h
index d8c488e..a9dd7aa 100644
--- a/Keystore.h
+++ b/Keystore.h
@@ -113,7 +113,7 @@
// Generate a key using keystore2 from the given params.
bool generateKey(const km::AuthorizationSet& inParams, std::string* key);
// Exports a keystore2 key with STORAGE_KEY tag wrapped with a per-boot ephemeral key
- bool exportKey(const KeyBuffer& ksKey, std::string* key);
+ km::ErrorCode exportKey(const KeyBuffer& ksKey, std::string* key);
// If supported, permanently delete a key from the keymint device it belongs to.
bool deleteKey(const std::string& key);
// Begin a new cryptographic operation, collecting output parameters if pointer is non-null
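Review bot: The comment above `exportKey` still describes only what is exported, although the return type is now `km::ErrorCode` instead of `bool` and the success value is no longer "true". I would extend it with the contract, e.g. `// Returns km::ErrorCode::OK on success; any other code means the export failed.` If the build's language level allows it, `[[nodiscard]]` on the declaration would also stop a caller from silently dropping a failed key export.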