Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 3bf722a8 authored by Rubin Xu's avatar Rubin Xu
Browse files

Add synthetic password to authentication flow 

The user password is used to unlock a per-user synthetic password which
serves the purpose of what the user password previsouly achieves (protect
keystore, vold disk encryption, auth token generation).

Test: runtest frameworks-services -c com.android.server.SyntheticPasswordTests
Test: manual
    1. Start with fresh device, enable synthetic password with "adb shell cmd lock_settings sp 1"
        1.1 add device lock, reboot and verify (positive & negative); change device lock, reboot and verify.
        1.2 Inflate a work profile, reboot and verify device lock. check SID with "adb shell dumpsys lock_settings"
        1.3 Un-unify and add work challenge, reboot and verify work challenge and SID.
        1.4 Re-unify work challenge, reboot and verify.
        1.5 Clear device lock, reboot and verify lock and SID.

    2. Start with a fresh device, add a device lock and inflate a work profile.
        2.1 Enable synthetic password, note current SID
        2.2 Reboot and unlock device. Verify synthetic password is generated and SID remains.
        2.3 Clear device lock, reboot and verify (SID should be cleared)

    3. Start with a fresh device, inflate a work profile, add separate work challenge
        3.1 Enable synthetic password, not current SID
        3.2 Reboot and unlock device and profile. Verify synthetic password is generated.
        3.3 Clear device lock only, reboot and verify (work profile SID should remain)

    All steps tested on marlin (FBE) and bullhead (FDE)

Bug: 33126414
Change-Id: Idb9ebfc7bba2fe40670c5fee2189e873d9704540
parent 1ea19d34

core/java/com/android/internal/widget/LockPatternUtils.java

+13 −1
Original line number Diff line number Diff line
@@ -147,6 +147,10 @@ public class LockPatternUtils { 


    public static final String PROFILE_KEY_NAME_ENCRYPT = "profile_key_name_encrypt_";

    public static final String PROFILE_KEY_NAME_DECRYPT = "profile_key_name_decrypt_";

    public static final String SYNTHETIC_PASSWORD_KEY_PREFIX = "synthetic_password_";



    public static final String SYNTHETIC_PASSWORD_HANDLE_KEY = "sp-handle";

    public static final String SYNTHETIC_PASSWORD_ENABLED_KEY = "enable-sp";



    private final Context mContext;

    private final ContentResolver mContentResolver;
@@ -1559,6 +1563,14 @@ public class LockPatternUtils { 
                        break;

                }

            }

        };

        }

    }



    public void enableSyntheticPassword() {

        setLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 1L, UserHandle.USER_SYSTEM);

    }



    public boolean isSyntheticPasswordEnabled() {

        return getLong(SYNTHETIC_PASSWORD_ENABLED_KEY, 0, UserHandle.USER_SYSTEM) != 0;

    }

}

services/core/java/com/android/server/LockSettingsService.java

+351 −6

File changed.

Preview size limit exceeded, changes collapsed.

services/core/java/com/android/server/LockSettingsShellCommand.java

+15 −3

File changed.

Preview size limit exceeded, changes collapsed.

services/core/java/com/android/server/LockSettingsStorage.java

+53 −3

File changed.

Preview size limit exceeded, changes collapsed.

services/core/java/com/android/server/StorageManagerService.java

+4 −4
Original line number Diff line number Diff line
@@ -2922,10 +2922,10 @@ class StorageManagerService extends IStorageManager.Stub 
        waitForReady();



        if (StorageManager.isFileEncryptedNativeOrEmulated()) {

            // When a user has secure lock screen, require a challenge token to

            // actually unlock. This check is mostly in place for emulation mode.

            if (mLockPatternUtils.isSecure(userId) && ArrayUtils.isEmpty(token)) {

                throw new IllegalStateException("Token required to unlock secure user " + userId);

            // When a user has secure lock screen, require secret to actually unlock.

            // This check is mostly in place for emulation mode.

            if (mLockPatternUtils.isSecure(userId) && ArrayUtils.isEmpty(secret)) {

                throw new IllegalStateException("Secret required to unlock secure user " + userId);

            }



            try {