add keystore patch for sc-v2

system/security/0001-Keystore-2.0-Add-CREATION_DATETIME-only-for-Keymint-.patch

@@ -0,0 +1,68 @@
+From 0c610f5f6935977142a7dbb9dbca4b9b1bc83c55 Mon Sep 17 00:00:00 2001
+From: Janis Danisevskis <jdanis@google.com>
+Date: Mon, 20 Dec 2021 13:16:23 -0800
+Subject: [PATCH] Keystore 2.0: Add CREATION_DATETIME only for Keymint V1 and
+ higher.
+
+Adding CREATION_DATETIME unconditionally should be accepted by all
+keymaster implementations. Alas, VTS tests never covered this before
+Keymint V1 and so there are implementations that fail when the caller
+presents the tag.
+
+Test: CtsKeystoreTestCases for regression testing.
+Bug: 210792876
+Bug: 204578637
+Change-Id: I3cf7e8def7a369839844ef1b3628f477d8fe6b53
+---
+ keystore2/src/security_level.rs | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+diff --git a/keystore2/src/security_level.rs b/keystore2/src/security_level.rs
+index 1b2e3485..0f4c0f7d 100644
+--- a/keystore2/src/security_level.rs
++++ b/keystore2/src/security_level.rs
+@@ -405,23 +405,26 @@ impl KeystoreSecurityLevel {
+             );
+         }
+ 
+-        result.push(KeyParameter {
+-            tag: Tag::CREATION_DATETIME,
+-            value: KeyParameterValue::DateTime(
+-                SystemTime::now()
+-                    .duration_since(SystemTime::UNIX_EPOCH)
+-                    .context(
+-                        "In KeystoreSecurityLevel::add_required_parameters: \
++        // Add CREATION_DATETIME only if the backend version Keymint V1 (100) or newer.
++        if self.hw_info.versionNumber >= 100 {
++            result.push(KeyParameter {
++                tag: Tag::CREATION_DATETIME,
++                value: KeyParameterValue::DateTime(
++                    SystemTime::now()
++                        .duration_since(SystemTime::UNIX_EPOCH)
++                        .context(
++                            "In KeystoreSecurityLevel::add_required_parameters: \
+                         Failed to get epoch time.",
+-                    )?
+-                    .as_millis()
+-                    .try_into()
+-                    .context(
+-                        "In KeystoreSecurityLevel::add_required_parameters: \
++                        )?
++                        .as_millis()
++                        .try_into()
++                        .context(
++                            "In KeystoreSecurityLevel::add_required_parameters: \
+                         Failed to convert epoch time.",
+-                    )?,
+-            ),
+-        });
++                        )?,
++                ),
++            });
++        }
+ 
+         // If there is an attestation challenge we need to get an application id.
+         if params.iter().any(|kp| kp.tag == Tag::ATTESTATION_CHALLENGE) {
+-- 
+2.35.3
+

system/vold/0001-Fallback-to-non-rollback-resistant-keys-if-not-avail.patch

@@ -1,54 +0,0 @@
-From 6d24663905ec1735eefc4b13b60f09465b28111a Mon Sep 17 00:00:00 2001
-From: Pierre-Hugues Husson <phh@phh.me>
-Date: Tue, 5 Oct 2021 16:17:15 -0400
-Subject: [PATCH] Fallback to non-rollback resistant keys if not available
-
-Boot on Mediatek devices was broken with:
-~ Add ROLLBACK_RESISTANCE tag to key usage
-
-Change-Id: I0ab7103c317c70779dee03dce25ba9c9da1629f4
----
- KeyStorage.cpp | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/KeyStorage.cpp b/KeyStorage.cpp
-index 93c5c29..ef089ad 100644
---- a/KeyStorage.cpp
-+++ b/KeyStorage.cpp
-@@ -378,12 +378,15 @@ static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::stri
- static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
-                                     const km::AuthorizationSet& keyParams,
-                                     const KeyBuffer& message, std::string* ciphertext) {
--    km::AuthorizationSet opParams =
-+    auto opParams =
-             km::AuthorizationSetBuilder()
--                    .Authorization(km::TAG_ROLLBACK_RESISTANCE)
-                     .Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
-+    auto opParamsWithRollback = opParams;
-+    opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
-+
-     km::AuthorizationSet outParams;
--    auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
-+    auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, &outParams);
-+    if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams);
-     if (!opHandle) return false;
-     auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
-     if (!nonceBlob) {
-@@ -410,9 +413,12 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir
-     auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
-     auto opParams = km::AuthorizationSetBuilder()
-                             .Authorization(km::TAG_NONCE, nonce)
--                            .Authorization(km::TAG_ROLLBACK_RESISTANCE)
-                             .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
--    auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
-+    auto opParamsWithRollback = opParams;
-+    opParamsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
-+
-+    auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParamsWithRollback, nullptr);
-+    if (!opHandle) opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr);
-     if (!opHandle) return false;
-     if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
-     if (!opHandle.finish(nullptr)) return false;
--- 
-2.33.0
-