Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 80f5f1bf authored by Dmitry Dementyev's avatar Dmitry Dementyev
Browse files

Tell KeyStore to ignore caller uid for PlatformKeyManager's keys. 

Without the change, keys created for secondary profiles are still bound
to the primary profile lock screen secret.
Test: manual
Bug: 129845209
Change-Id: I7e180656f8dc81f5c05036a7e8c810c9582f8f82
parent 31c862e1

services/core/java/com/android/server/locksettings/recoverablekeystore/PlatformKeyManager.java

+20 −13
Original line number Diff line number Diff line
@@ -19,6 +19,7 @@ package com.android.server.locksettings.recoverablekeystore; 
import android.app.KeyguardManager;

import android.content.Context;

import android.os.RemoteException;

import android.os.UserHandle;

import android.security.GateKeeper;

import android.security.keystore.AndroidKeyStoreSecretKey;

import android.security.keystore.KeyPermanentlyInvalidatedException;
@@ -437,25 +438,31 @@ public class PlatformKeyManager { 
        // so it may live in memory for some time.

        SecretKey secretKey = generateAesKey();



        KeyProtection.Builder decryptionKeyProtection =

                new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)

                    .setUserAuthenticationRequired(true)

                    .setUserAuthenticationValidityDurationSeconds(

                            USER_AUTHENTICATION_VALIDITY_DURATION_SECONDS)

                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)

                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE);

        if (userId != UserHandle.USER_SYSTEM) {

            // Bind decryption key to secondary profile lock screen secret.

            long secureUserId = getGateKeeperService().getSecureUserId(userId);

            // TODO(b/124095438): Propagate this failure instead of silently failing.

            if (secureUserId == GateKeeper.INVALID_SECURE_USER_ID) {

                Log.e(TAG, "No SID available for user " + userId);

                return;

            }



            decryptionKeyProtection

                    .setBoundToSpecificSecureUserId(secureUserId)

                    // Ignore caller uid which always belongs to the primary profile.

                    .setCriticalToDeviceEncryption(true);

        }

        // Store decryption key first since it is more likely to fail.

        mKeyStore.setEntry(

                decryptAlias,

                new KeyStore.SecretKeyEntry(secretKey),

                new KeyProtection.Builder(KeyProperties.PURPOSE_DECRYPT)

                    .setUserAuthenticationRequired(true)

                    .setUserAuthenticationValidityDurationSeconds(

                            USER_AUTHENTICATION_VALIDITY_DURATION_SECONDS)

                    .setBlockModes(KeyProperties.BLOCK_MODE_GCM)

                    .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)

                    .setBoundToSpecificSecureUserId(secureUserId)

                    .build());

                decryptionKeyProtection.build());

        mKeyStore.setEntry(

                encryptAlias,

                new KeyStore.SecretKeyEntry(secretKey),