diff --git a/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch b/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch deleted file mode 100644 index 15a12d1..0000000 --- a/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 0c610f5f6935977142a7dbb9dbca4b9b1bc83c55 Mon Sep 17 00:00:00 2001 -From: Janis Danisevskis -Date: Mon, 20 Dec 2021 13:16:23 -0800 -Subject: [PATCH] Keystore 2.0: Add CREATION_DATETIME only for Keymint V1 and - higher. - -Adding CREATION_DATETIME unconditionally should be accepted by all -keymaster implementations. Alas, VTS tests never covered this before -Keymint V1 and so there are implementations that fail when the caller -presents the tag. - -Test: CtsKeystoreTestCases for regression testing. -Bug: 210792876 -Bug: 204578637 -Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53 ---- - keystore2/src/security_level.rs | 33 ++++++++++++++++++--------------- - 1 file changed, 18 insertions(+), 15 deletions(-) - -diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs -index 1b2e3485..0f4c0f7d 100644 ---- a/keystore2/src/security_level.rs -+++ b/keystore2/src/security_level.rs -@@ -405,23 +405,26 @@ impl KeystoreSecurityLevel { - ); - } - -- result.push(KeyParameter { -- tag: Tag::CREATION_DATETIME, -- value: KeyParameterValue::DateTime( -- SystemTime::now() -- .duration_since(SystemTime::UNIX_EPOCH) -- .context( -- "In KeystoreSecurityLevel::add_required_parameters: \ -+ // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer. -+ if self.hw_info.versionNumber >= 100 { -+ result.push(KeyParameter { -+ tag: Tag::CREATION_DATETIME, -+ value: KeyParameterValue::DateTime( -+ SystemTime::now() -+ .duration_since(SystemTime::UNIX_EPOCH) -+ .context( -+ "In KeystoreSecurityLevel::add_required_parameters: \ - Failed to get epoch time.", -- )? -- .as_millis() -- .try_into() -- .context( -- "In KeystoreSecurityLevel::add_required_parameters: \ -+ )? -+ .as_millis() -+ .try_into() -+ .context( -+ "In KeystoreSecurityLevel::add_required_parameters: \ - Failed to convert epoch time.", -- )?, -- ), -- }); -+ )?, -+ ), -+ }); -+ } - - // If there is an attestation challenge we need to get an application id. 
- if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) { --- -2.35.3 - diff --git a/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch b/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch new file mode 100644 index 0000000..9f2b5c8 --- /dev/null +++ b/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch 
@@ -0,0 +1,54 @@ +From 6d24663905ec1735eefc4b13b60f09465b28111a Mon Sep 17 00:00:00 2001 +From: Pierre-Hugues Husson +Date: Tue, 5 Oct 2021 16:17:15 -0400 +Subject: [PATCH] Fallback to non-rollback resistant keys if not available + +Boot on Mediatek devices was broken with: +~ Add ROLLBACK_RESISTANCE tag to key usage + +Change-Id: I0ab7103c317c70779dee03dce25ba9c9da1629f4 +--- + KeyStorage.cpp | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +diff --git a/KeyStorage.cpp b/KeyStorage.cpp +index 93c5c29..ef089ad 100644 +--- a/KeyStorage.cpp ++++ b/KeyStorage.cpp +@@ -378,12 +378,15 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri + static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir, + const km::AuthorizationSet& keyParams, + const KeyBuffer& message, std::string* ciphertext) { +- km::AuthorizationSet opParams = ++ auto opParams = + km::AuthorizationSetBuilder() +- .Authorization(km::TAG_ROLLBACK_RESISTANCE) + .Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); ++ auto opParamsWithRollback = opParams; ++ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE); ++ + km::AuthorizationSet outParams; +- auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); ++ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, &outParams); ++ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); + if (!opHandle) return false; + auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE); + if (!nonceBlob) { +@@ -410,9 +413,12 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir + auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES); + auto opParams = km::AuthorizationSetBuilder() + .Authorization(km::TAG_NONCE, nonce) +- .Authorization(km::TAG_ROLLBACK_RESISTANCE) + .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT); +- auto opHandle = 
BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr); ++ auto opParamsWithRollback = opParams; ++ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE); ++ ++ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, nullptr); ++ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr); + if (!opHandle) return false; + if (!opHandle.updateCompletely(bodyAndMac, message)) return false; + if (!opHandle.finish(nullptr)) return false; +-- +2.33.0 +
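Review bot: The new fallback in encryptWithKeymasterKey and decryptWithKeymasterKey retries without TAG_ROLLBACK_RESISTANCE on any failed begin(), not only when the backend rejects the tag, and it does so silently, so a device that ends up on the non-rollback-resistant path (or whose first begin() failed for an unrelated reason such as an unreadable key blob) leaves no trace in the log and pays for two begin() calls on every genuine failure. If vold's KeymasterOperation exposes the begin() error code (BeginKeymasterOp returns the operation by value rather than a bool, which suggests it does), record it and the downgrade before retrying, e.g. on the encrypt side `if (!opHandle) { LOG(WARNING) << "begin() with TAG_ROLLBACK_RESISTANCE failed (" << static_cast<int32_t>(opHandle.errorCode()) << "), retrying without it"; opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); }` and the same on the decrypt side. Ideally the retry would be gated on the specific rejection code the Mediatek keymaster returns for the tag, but the commit message does not record it; logging it is the prerequisite for tightening the condition later. Both functions continue past the quoted context.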