Key upgrading for FDE.
Correctly handle a key upgrade error from keymaster by upgrading the
FDE RSA key and writing the new key blob to disk.
Bug: 69792304
Test: Roll back PLATFORM_SECURITY_PATCH a month, wipe and reboot, roll
forwards again, check logs with and without this patch.
Change-Id: I220d2dd4e3d791f636e9bc5f063064cecbf1b88a
diff --git a/Keymaster.h b/Keymaster.h
index 4bc0df7..8a8d699 100644
--- a/Keymaster.h
+++ b/Keymaster.h
@@ -127,6 +127,14 @@
*/
__BEGIN_DECLS
+/* Return values for keymaster_sign_object_for_cryptfs_scrypt */
+
+enum class KeymasterSignResult {
+ ok = 0,
+ error = -1,
+ upgrade = -2,
+};
+
int keymaster_compatibility_cryptfs_scrypt();
int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size,
uint64_t rsa_exponent,
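Review bot: `enum class KeymasterSignResult` is declared between `__BEGIN_DECLS` and `__END_DECLS`, but a scoped enum is C++-only, so this header can no longer be included from a C translation unit even though the guards suggest C linkage is intended. If no C caller exists the guards are merely misleading; otherwise a plain `enum` with prefixed constants is needed. The enumerators also carry no explanation, and `upgrade` is the one callers must act on, so a per-value comment would help, e.g. `upgrade = -2, /* key blob must be upgraded and the new blob persisted before signing is retried */`. That wording is inferred from the commit message and should be confirmed against the implementation.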
@@ -135,13 +143,14 @@
uint32_t key_buffer_size,
uint32_t* key_out_size);
-int keymaster_sign_object_for_cryptfs_scrypt(const uint8_t* key_blob,
- size_t key_blob_size,
- uint32_t ratelimit,
- const uint8_t* object,
- const size_t object_size,
- uint8_t** signature_buffer,
- size_t* signature_buffer_size);
+int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
+ uint32_t ratelimit, const uint8_t* key_blob,
+ size_t key_blob_size, uint8_t* key_buffer,
+ uint32_t key_buffer_size, uint32_t* key_out_size);
+
+KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
+ const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
+ const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size);
__END_DECLS
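Review bot: The new `keymaster_upgrade_key_for_cryptfs_scrypt` declaration states no contract, and it returns a bare `int` while the sign function next to it now returns the typed `KeymasterSignResult`. Callers need to know which value means success, and that `*key_out_size` is meaningful only on success and never exceeds `key_buffer_size`. The implementation is outside this hunk, so the bound check on the upgraded blob before it is copied into `key_buffer` should be confirmed there. A header comment such as `/* Upgrades key_blob; writes at most key_buffer_size bytes to key_buffer and sets *key_out_size. Returns 0 on success, non-zero on failure. */` would pin this down. The return convention is assumed to match `keymaster_create_key_for_cryptfs_scrypt` and should be verified.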