commit d31f36d334d19dc946971a0a59b1003937c1b3c2
author Paul Crowley <paulcrowley@google.com> Thu Aug 12 19:20:40 2021 +0000
committer Paul Crowley <paulcrowley@google.com> Fri Aug 13 01:44:46 2021 +0000
tree ab7ce0cea7df54eec1f789dae6c6d86fd2f57289
parent 2bab97c36830a568083ab60767817ef037c5367d

Revert^2 "Detect factory reset and deleteAllKeys"

Revert submission 15536724-revert-15521094-vold-deleteAllKeys-GDJSMLXRVZ

Reason for revert: Underlying KM problem fixed
Reverted Changes:
I8e2621bef:Revert "Detect factory reset and deleteAllKeys"
I546b980bb:Revert "Add deleteAllKeys to IKeystoreMaintenance"...
I1ed68dd9e:Revert "Allow vold to deleteAllKeys in Keystore"

Bug: 187105270
Test: booted Cuttlefish twice
Merged-In: 1e6a5f51065173224700d551693867bd33c7e5b9
Change-Id: Id641444b4ebba951aa8c5474ed60844cfaae1e20

Keymaster.cpp

diff --git a/Keymaster.cpp b/Keymaster.cpp
index 8038681..2314550 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -230,5 +230,18 @@
     logKeystore2ExceptionIfPresent(rc, "earlyBootEnded");
 }
 
+void Keymaster::deleteAllKeys() {
+    ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
+    auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
+
+    if (!maint_service) {
+        LOG(ERROR) << "Unable to connect to keystore2 maintenance service for deleteAllKeys";
+        return;
+    }
+
+    auto rc = maint_service->deleteAllKeys();
+    logKeystore2ExceptionIfPresent(rc, "deleteAllKeys");
+}
+
 }  // namespace vold
 }  // namespace android

Keymaster.h

diff --git a/Keymaster.h b/Keymaster.h
index 1100840..47bf4a2 100644
--- a/Keymaster.h
+++ b/Keymaster.h
@@ -127,6 +127,9 @@
     // be created or used.
     static void earlyBootEnded();
 
+    // Tell all Keymint devices to delete all rollback-protected keys.
+    static void deleteAllKeys();
+
   private:
     std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
     DISALLOW_COPY_AND_ASSIGN(Keymaster);

MetadataCrypt.cpp

diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index dc50679..9038e8d 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -112,6 +112,17 @@
     auto dir = metadata_key_dir + "/key";
     LOG(DEBUG) << "metadata_key_dir/key: " << dir;
     if (!MkdirsSync(dir, 0700)) return false;
+    if (!pathExists(dir)) {
+        auto delete_all = android::base::GetBoolProperty(
+                "ro.crypto.metadata_init_delete_all_keys.enabled", false);
+        if (delete_all) {
+            LOG(INFO) << "Metadata key does not exist, calling deleteAllKeys";
+            Keymaster::deleteAllKeys();
+        } else {
+            LOG(DEBUG) << "Metadata key does not exist but "
+                          "ro.crypto.metadata_init_delete_all_keys.enabled is false";
+        }
+    }
     auto temp = metadata_key_dir + "/tmp";
     return retrieveOrGenerateKey(dir, temp, kEmptyAuthentication, gen, key);
 }