Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / android_system_vold / f74373b17758886ba2880fc1ed838689e2022467^! / . / KeyStorage.h
commitf74373b17758886ba2880fc1ed838689e2022467[log] [tgz]
authorEric Biggers <ebiggers@google.com>Thu Nov 05 19:58:26 2020 -0800
committerEric Biggers <ebiggers@google.com>Thu Nov 05 19:58:26 2020 -0800
tree97f6cf28e280832680ba2095d95c7ceab3a87f97
parente244a15f34ae2e85e3f5b40be0bf252e37eab56b [diff] [blame]
KeyStorage: rework key upgrade handling

Remove the error-prone 'keepOld' parameter, and instead make begin()
(renamed to BeginKeymasterOp()) do all the key upgrade handling.

Don't handle /data and /metadata differently anymore.  Previously, when
a checkpoint is active, key blob files were replaced on /data
immediately; only the actual Keymaster key deletion was delayed until
checkpoint commit.  But it's easier to just delay the key blob file
replacement too, as we have to implement that for /metadata anyway.

Also be more vigilant about deleting any leftover upgraded keys.

Test: Tested on bramble using an OTA rvc-d1-release => master.  In OTA
      success case, verified via logcat that the keys were upgraded and
      then were committed after the boot succeeded.  In OTA failure
      case, verified that the device still boots -- i.e., the old keys
      weren't lost.  Verified that in either case, no
      keymaster_key_blob_upgraded files were left over.  Finally, also
      tried 'pm create-user' and 'pm remove-user' and verified via
      logcat that the Keymaster keys still get deleted.
Change-Id: Ic9c3e63e0bcae0c608fc79050ca4a1676b3852ee

diff --git a/KeyStorage.h b/KeyStorage.h
index 5228f08..1eb26ae 100644
--- a/KeyStorage.h
+++ b/KeyStorage.h

@@ -61,20 +61,7 @@
                         const KeyAuthentication& auth, const KeyBuffer& key);
 
 // Retrieve the key from the named directory.
-//
-// If the key is wrapped by a Keymaster key that requires an upgrade, then that
-// Keymaster key is upgraded.  If |keepOld| is false, then the upgraded
-// Keymaster key replaces the original one.  As part of this, the original is
-// deleted from Keymaster; however, if a user data checkpoint is active, this
-// part is delayed until the checkpoint is committed.
-//
-// If instead |keepOld| is true, then the upgraded key doesn't actually replace
-// the original one.  This is needed *only* if |dir| isn't located in /data and
-// a user data checkpoint is active.  In this case the caller must handle
-// replacing the original key if the checkpoint is committed, and deleting the
-// upgraded key if the checkpoint is rolled back.
-bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key,
-                 bool keepOld);
+bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key);
 
 // Securely destroy the key stored in the named directory and delete the directory.
 bool destroyKey(const std::string& dir);