From c1d481b27de0d767ee981f0cc47ac8d313d9e38d Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 16 Apr 2022 21:21:10 -0400
Subject: [PATCH 1/2] remove unused vold patch

---
 ...rollback-resistant-keys-if-not-avail.patch | 54 -------------------
 1 file changed, 54 deletions(-)
 delete mode 100644 system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch

diff --git a/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch b/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch
deleted file mode 100644
index 9f2b5c8..0000000
--- a/system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From 6d24663905ec1735eefc4b13b60f09465b28111a Mon Sep 17 00:00:00 2001
-From: Pierre-Hugues Husson
-Date: Tue, 5 Oct 2021 16:17:15 -0400
-Subject: [PATCH] Fallback to non-rollback resistant keys if not available
-
-Boot on Mediatek devices was broken with:
-~ Add ROLLBACK_RESISTANCE tag to key usage
-
-Change-Id: I0ab7103c317c70779dee03dce25ba9c9da1629f4
----
- KeyStorage.cpp | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/KeyStorage.cpp b/KeyStorage.cpp
-index 93c5c29..ef089ad 100644
---- a/KeyStorage.cpp
-+++ b/KeyStorage.cpp
-@@ -378,12 +378,15 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri
- static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
- const km::AuthorizationSet& keyParams,
- const KeyBuffer& message, std::string* ciphertext) {
-- km::AuthorizationSet opParams =
-+ auto opParams =
- km::AuthorizationSetBuilder()
-- .Authorization(km::TAG_ROLLBACK_RESISTANCE)
- .Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
-+ auto opParamsWithRollback = opParams;
-+ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
-+
- km::AuthorizationSet outParams;
-- auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
-+ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, &outParams);
-+ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
- if (!opHandle) return false;
- auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
- if (!nonceBlob) {
-@@ -410,9 +413,12 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
- auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
- auto opParams = km::AuthorizationSetBuilder()
- .Authorization(km::TAG_NONCE, nonce)
-- .Authorization(km::TAG_ROLLBACK_RESISTANCE)
- .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
-- auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
-+ auto opParamsWithRollback = opParams;
-+ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
-+
-+ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, nullptr);
-+ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
- if (!opHandle) return false;
- if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
- if (!opHandle.finish(nullptr)) return false;
---
-2.33.0
-

From 8c4bc15e8f86409fcc8e3ff34e5184b3e86dcbf7 Mon Sep 17 00:00:00 2001
From: Peter Cai
Date: Sat, 16 Apr 2022 21:22:42 -0400
Subject: [PATCH 2/2] add keystore patch for sc-v2

---
 ...-CREATION_DATETIME-only-for-Keymint-.patch | 68 +++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch

diff --git a/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch b/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch
new file mode 100644
index 0000000..15a12d1
--- /dev/null
+++ b/system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch
@@ -0,0 +1,68 @@
+From 0c610f5f6935977142a7dbb9dbca4b9b1bc83c55 Mon Sep 17 00:00:00 2001
+From: Janis Danisevskis
+Date: Mon, 20 Dec 2021 13:16:23 -0800
+Subject: [PATCH] Keystore 2.0: Add CREATION_DATETIME only for Keymint V1 and
+ higher.
+
+Adding CREATION_DATETIME unconditionally should be accepted by all
+keymaster implementations. Alas, VTS tests never covered this before
+Keymint V1 and so there are implementations that fail when the caller
+presents the tag.
+
+Test: CtsKeystoreTestCases for regression testing.
+Bug: 210792876
+Bug: 204578637
+Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53
+---
+ keystore2/src/security_level.rs | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
+index 1b2e3485..0f4c0f7d 100644
+--- a/keystore2/src/security_level.rs
++++ b/keystore2/src/security_level.rs
+@@ -405,23 +405,26 @@ impl KeystoreSecurityLevel {
+ );
+ }
+
+- result.push(KeyParameter {
+- tag: Tag::CREATION_DATETIME,
+- value: KeyParameterValue::DateTime(
+- SystemTime::now()
+- .duration_since(SystemTime::UNIX_EPOCH)
+- .context(
+- "In KeystoreSecurityLevel::add_required_parameters: \
++ // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
++ if self.hw_info.versionNumber >= 100 {
++ result.push(KeyParameter {
++ tag: Tag::CREATION_DATETIME,
++ value: KeyParameterValue::DateTime(
++ SystemTime::now()
++ .duration_since(SystemTime::UNIX_EPOCH)
++ .context(
++ "In KeystoreSecurityLevel::add_required_parameters: \
+ Failed to get epoch time.",
+- )?
+- .as_millis()
+- .try_into()
+- .context(
+- "In KeystoreSecurityLevel::add_required_parameters: \
++ )?
++ .as_millis()
++ .try_into()
++ .context(
++ "In KeystoreSecurityLevel::add_required_parameters: \
+ Failed to convert epoch time.",
+- )?,
+- ),
+- });
++ )?,
++ ),
++ });
++ }
+
+ // If there is an attestation challenge we need to get an application id.
+ if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
+--
+2.35.3
+
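Review bot: The comment introduced above the new guard, `// Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.`, is missing its verb and leaves the literal `100` unexplained; I would write `// Add CREATION_DATETIME only if the backend is KeyMint V1 (version number 100) or newer; pre-KeyMint Keymaster backends may reject the tag.` and, if the crate already has a named constant for the KeyMint V1 version number, use it instead of the bare `100` in `if self.hw_info.versionNumber >= 100 {`. The security-relevant consequence worth recording next to that guard is that keys created through older backends now carry no CREATION_DATETIME characteristic at all, so any consumer of that characteristic must tolerate its absence; presumably nothing on this path depends on it, but that is not visible in the hunk. The enclosing function (presumably add_required_parameters, judging by the error-context strings) starts and ends outside the hunk. Since this file is a vendored upstream commit carrying a Change-Id, the wording fix would best go upstream rather than diverge in the local patch.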