Merge "Revert^2 "Detect factory reset and deleteAllKeys"" into sc-dev am: 1566a5bf00

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/vold/+/15547746

Change-Id: I89bdf3d65c2461f882d39089e64961537888955b
diff --git a/Keymaster.cpp b/Keymaster.cpp
index 8038681..2314550 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -230,5 +230,18 @@
     logKeystore2ExceptionIfPresent(rc, "earlyBootEnded");
 }
 
+void Keymaster::deleteAllKeys() {
+    ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
+    auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
+
+    if (!maint_service) {
+        LOG(ERROR) << "Unable to connect to keystore2 maintenance service for deleteAllKeys";
+        return;
+    }
+
+    auto rc = maint_service->deleteAllKeys();
+    logKeystore2ExceptionIfPresent(rc, "deleteAllKeys");
+}
+
 }  // namespace vold
 }  // namespace android
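Review bot: `Keymaster::deleteAllKeys()` returns `void`, and both failure paths (the `!maint_service` branch and a non-ok `rc`) end in a log line only, so the caller in MetadataCrypt.cpp cannot tell whether the rollback-protected keys were actually removed. Because this is the security-relevant step of the factory-reset path, consider reporting the outcome: declare it as `bool Keymaster::deleteAllKeys()`, use `return false;` in the `!maint_service` branch and end with `return rc.isOk();` (assuming `rc` is an `ndk::ScopedAStatus`, as for other NDK AIDL calls). The declaration in Keymaster.h would change to match, and the caller could then log or act on a failed wipe instead of continuing silently.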
diff --git a/Keymaster.h b/Keymaster.h
index 1100840..47bf4a2 100644
--- a/Keymaster.h
+++ b/Keymaster.h
@@ -127,6 +127,9 @@
     // be created or used.
     static void earlyBootEnded();
 
+    // Tell all Keymint devices to delete all rollback-protected keys.
+    static void deleteAllKeys();
+
   private:
     std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
     DISALLOW_COPY_AND_ASSIGN(Keymaster);
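Review bot: The comment on `deleteAllKeys()` does not say that the operation is irreversible, when it may be called, or that failures are only logged. Something like `// Irreversibly deletes all rollback-protected keys on all KeyMint devices. Called by MetadataCrypt when no metadata key exists (treated as first boot after a factory reset). Failures are logged, not reported to the caller.` would stop a future caller from reaching for it in another context. The class body continues outside this hunk.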
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index dc50679..9038e8d 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -112,6 +112,17 @@
     auto dir = metadata_key_dir + "/key";
     LOG(DEBUG) << "metadata_key_dir/key: " << dir;
     if (!MkdirsSync(dir, 0700)) return false;
+    if (!pathExists(dir)) {
+        auto delete_all = android::base::GetBoolProperty(
+                "ro.crypto.metadata_init_delete_all_keys.enabled", false);
+        if (delete_all) {
+            LOG(INFO) << "Metadata key does not exist, calling deleteAllKeys";
+            Keymaster::deleteAllKeys();
+        } else {
+            LOG(DEBUG) << "Metadata key does not exist but "
+                          "ro.crypto.metadata_init_delete_all_keys.enabled is false";
+        }
+    }
     auto temp = metadata_key_dir + "/tmp";
     return retrieveOrGenerateKey(dir, temp, kEmptyAuthentication, gen, key);
 }
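Review bot: The only evidence of a factory reset here is `!pathExists(dir)`, and once the property is enabled it gates an irreversible wipe of every rollback-protected key. Any other reason for the key directory being absent would trigger the same wipe, for example a metadata partition that was recreated, or possibly booting an alternate system image with its own metadata key directory. The check also depends on the preceding `MkdirsSync(dir, 0700)` not creating `dir` itself, which is not visible in this hunk. If that is the contract, a comment such as `// MkdirsSync only creates the parents of dir; a missing dir means no metadata key was ever generated (first boot after factory reset)` would record the assumption. Logging the `deleteAllKeys` call at `WARNING` rather than `INFO` would also make this destructive event easier to find in boot logs. The enclosing function starts above the hunk.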