Compare commits
2 commits
e27662cba1
...
8c4bc15e8f
Author | SHA1 | Date | |
---|---|---|---|
Peter Cai | 8c4bc15e8f | ||
Peter Cai | c1d481b27d |
|
@ -0,0 +1,68 @@
|
|||
From 0c610f5f6935977142a7dbb9dbca4b9b1bc83c55 Mon Sep 17 00:00:00 2001
|
||||
From: Janis Danisevskis <jdanis@google.com>
|
||||
Date: Mon, 20 Dec 2021 13:16:23 -0800
|
||||
Subject: [PATCH] Keystore 2.0: Add CREATION_DATETIME only for Keymint V1 and
|
||||
higher.
|
||||
|
||||
Adding CREATION_DATETIME unconditionally should be accepted by all
|
||||
keymaster implementations. Alas, VTS tests never covered this before
|
||||
Keymint V1 and so there are implementations that fail when the caller
|
||||
presents the tag.
|
||||
|
||||
Test: CtsKeystoreTestCases for regression testing.
|
||||
Bug: 210792876
|
||||
Bug: 204578637
|
||||
Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53
|
||||
---
|
||||
keystore2/src/security_level.rs | 33 ++++++++++++++++++---------------
|
||||
1 file changed, 18 insertions(+), 15 deletions(-)
|
||||
|
||||
diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
|
||||
index 1b2e3485..0f4c0f7d 100644
|
||||
--- a/keystore2/src/security_level.rs
|
||||
+++ b/keystore2/src/security_level.rs
|
||||
@@ -405,23 +405,26 @@ impl KeystoreSecurityLevel {
|
||||
);
|
||||
}
|
||||
|
||||
- result.push(KeyParameter {
|
||||
- tag: Tag::CREATION_DATETIME,
|
||||
- value: KeyParameterValue::DateTime(
|
||||
- SystemTime::now()
|
||||
- .duration_since(SystemTime::UNIX_EPOCH)
|
||||
- .context(
|
||||
- "In KeystoreSecurityLevel::add_required_parameters: \
|
||||
+ // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
|
||||
+ if self.hw_info.versionNumber >= 100 {
|
||||
+ result.push(KeyParameter {
|
||||
+ tag: Tag::CREATION_DATETIME,
|
||||
+ value: KeyParameterValue::DateTime(
|
||||
+ SystemTime::now()
|
||||
+ .duration_since(SystemTime::UNIX_EPOCH)
|
||||
+ .context(
|
||||
+ "In KeystoreSecurityLevel::add_required_parameters: \
|
||||
Failed to get epoch time.",
|
||||
- )?
|
||||
- .as_millis()
|
||||
- .try_into()
|
||||
- .context(
|
||||
- "In KeystoreSecurityLevel::add_required_parameters: \
|
||||
+ )?
|
||||
+ .as_millis()
|
||||
+ .try_into()
|
||||
+ .context(
|
||||
+ "In KeystoreSecurityLevel::add_required_parameters: \
|
||||
Failed to convert epoch time.",
|
||||
- )?,
|
||||
- ),
|
||||
- });
|
||||
+ )?,
|
||||
+ ),
|
||||
+ });
|
||||
+ }
|
||||
|
||||
// If there is an attestation challenge we need to get an application id.
|
||||
if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
|
||||
--
|
||||
2.35.3
|
||||
|
|
@ -1,54 +0,0 @@
|
|||
From 6d24663905ec1735eefc4b13b60f09465b28111a Mon Sep 17 00:00:00 2001
|
||||
From: Pierre-Hugues Husson <phh@phh.me>
|
||||
Date: Tue, 5 Oct 2021 16:17:15 -0400
|
||||
Subject: [PATCH] Fallback to non-rollback resistant keys if not available
|
||||
|
||||
Boot on Mediatek devices was broken with:
|
||||
~ Add ROLLBACK_RESISTANCE tag to key usage
|
||||
|
||||
Change-Id: I0ab7103c317c70779dee03dce25ba9c9da1629f4
|
||||
---
|
||||
KeyStorage.cpp | 16 +++++++++++-----
|
||||
1 file changed, 11 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
|
||||
index 93c5c29..ef089ad 100644
|
||||
--- a/KeyStorage.cpp
|
||||
+++ b/KeyStorage.cpp
|
||||
@@ -378,12 +378,15 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri
|
||||
static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
|
||||
const km::AuthorizationSet& keyParams,
|
||||
const KeyBuffer& message, std::string* ciphertext) {
|
||||
- km::AuthorizationSet opParams =
|
||||
+ auto opParams =
|
||||
km::AuthorizationSetBuilder()
|
||||
- .Authorization(km::TAG_ROLLBACK_RESISTANCE)
|
||||
.Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
|
||||
+ auto opParamsWithRollback = opParams;
|
||||
+ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
|
||||
+
|
||||
km::AuthorizationSet outParams;
|
||||
- auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
|
||||
+ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, &outParams);
|
||||
+ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
|
||||
if (!opHandle) return false;
|
||||
auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
|
||||
if (!nonceBlob) {
|
||||
@@ -410,9 +413,12 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
|
||||
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
|
||||
auto opParams = km::AuthorizationSetBuilder()
|
||||
.Authorization(km::TAG_NONCE, nonce)
|
||||
- .Authorization(km::TAG_ROLLBACK_RESISTANCE)
|
||||
.Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
|
||||
- auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
|
||||
+ auto opParamsWithRollback = opParams;
|
||||
+ opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
|
||||
+
|
||||
+ auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, nullptr);
|
||||
+ if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
|
||||
if (!opHandle) return false;
|
||||
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
|
||||
if (!opHandle.finish(nullptr)) return false;
|
||||
--
|
||||
2.33.0
|
||||
|
Loading…
Reference in a new issue