
Commit 547fde6b authored by Romain Hunault's avatar Romain Hunault 💻

Merge remote-tracking branch 'origin/lineage-16.0' into v1-pie

parents 190e4b24 f528e90c
+1 −0
@@ -187,4 +187,5 @@ interface IStorageManager {
    void allocateBytes(String volumeUuid, long bytes, int flags, String callingPackage) = 78;
    void runIdleMaintenance() = 79;
    void abortIdleMaintenance() = 80;
    void clearUserKeyAuth(int userId, int serialNumber, in byte[] token, in byte[] secret) = 81;
}
+18 −0
@@ -2523,6 +2523,24 @@ class StorageManagerService extends IStorageManager.Stub
        }
    }

    /*
     * Clear disk encryption key bound to the associated token / secret pair. Removing the user
     * binding of the Disk encryption key is done in two phases: first, this call will retrieve
     * the disk encryption key using the provided token / secret pair and store it by
     * encrypting it with a keymaster key not bound to the user, then fixateNewestUserKeyAuth
     * is called to delete all other bindings of the disk encryption key.
     */
    @Override
    public void clearUserKeyAuth(int userId, int serialNumber, byte[] token, byte[] secret) {
        enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);

        try {
            mVold.clearUserKeyAuth(userId, serialNumber, encodeBytes(token), encodeBytes(secret));
        } catch (Exception e) {
            Slog.wtf(TAG, e);
        }
    }

    /*
     * Delete all disk encryption token/secret pairs except the most recently added one
     */
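Review bot: The `catch (Exception e) { Slog.wtf(TAG, e); }` in the new `clearUserKeyAuth` hides a failed vold call from the caller, yet the comment above describes this as phase one of a two-phase operation whose second phase, `fixateNewestUserKeyAuth`, deletes all other bindings of the disk encryption key. If phase one fails and phase two still runs, the key could end up in a state the caller did not intend; vold's behaviour is not visible here, so this needs confirming. Consider surfacing the failure, for example `throw new IllegalStateException("clearUserKeyAuth failed for user " + userId, e);`, so the caller can skip the fixate step. The header comment would also read better as Javadoc (`/**`) that states `STORAGE_INTERNAL` is required and whether `token` and `secret` may be null, since the only caller visible in this commit passes a null token.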
+13 −1
@@ -1570,6 +1570,18 @@ public class LockSettingsService extends ILockSettings.Stub {
        addUserKeyAuth(userId, null, null);
    }

    private void clearUserKeyAuth(int userId, byte[] token, byte[] secret) throws RemoteException {
        if (DEBUG) Slog.d(TAG, "clearUserKeyProtection user=" + userId);
        final UserInfo userInfo = mUserManager.getUserInfo(userId);
        final IStorageManager storageManager = mInjector.getStorageManager();
        final long callingId = Binder.clearCallingIdentity();
        try {
            storageManager.clearUserKeyAuth(userId, userInfo.serialNumber, token, secret);
        } finally {
            Binder.restoreCallingIdentity(callingId);
        }
    }

    private static byte[] secretFromCredential(String credential) throws RemoteException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-512");
@@ -2520,7 +2532,7 @@ public class LockSettingsService extends ILockSettings.Stub {
            getGateKeeperService().clearSecureUserId(userId);
            // Clear key from vold so ActivityManager can just unlock the user with empty secret
            // during boot.
            clearUserKeyProtection(userId);
            clearUserKeyAuth(userId, null, auth.deriveDiskEncryptionKey());
            fixateNewestUserKeyAuth(userId);
            setKeystorePassword(null, userId);
        }
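Review bot: The debug line in the new `clearUserKeyAuth` helper still logs `"clearUserKeyProtection user="`, so a log trace cannot distinguish this path from the older helper that the second hunk stops calling; it should read `Slog.d(TAG, "clearUserKeyAuth user=" + userId);`. In the same helper the result of `mUserManager.getUserInfo(userId)` is dereferenced without a null check, and if it can be null for a user that no longer exists (not visible here) the credential-clearing sequence would abort with a NullPointerException partway through. A guard such as `if (userInfo == null) throw new IllegalStateException("no user " + userId);` would make that failure deliberate. At the call site, a one-line comment explaining why the token is null and the derived disk encryption key is passed as the secret would help the next reader; the method enclosing that second hunk starts and ends outside it.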