Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 9272dab4 authored by Brian Young's avatar Brian Young Committed by Brian C. Young
Browse files

Restore "Add "Unlocked device required" parameter to keys" 

Add a keymaster parameter for keys that should be inaccessible when
the device screen is locked. "Locked" here is a state where the device
can be used or accessed without any further trust factor such as a
PIN, password, fingerprint, or trusted face or voice.

This parameter is added to the Java keystore interface for key
creation and import, as well as enums specified by and for the native
keystore process.

This reverts commit da82e2cb.

Test: CTS tests in I8a5affd1eaed176756175158e3057e44934fffed

Bug: 67752510

Merged-In: Ia162f1db81d050f64995d0360f714e79033ea8a5
Change-Id: Ia162f1db81d050f64995d0360f714e79033ea8a5
(cherry picked from d7c961ee914192e09ec10727da6d31a6b597bf51)
parent 36716eb4

keystore/java/android/security/KeyStore.java

+4 −1
Original line number Diff line number Diff line
@@ -16,6 +16,7 @@ 


package android.security;



import android.app.ActivityManager;

import android.app.ActivityThread;

import android.app.Application;

import android.app.KeyguardManager;
@@ -545,7 +546,9 @@ public class KeyStore { 
        try {

            args = args != null ? args : new KeymasterArguments();

            entropy = entropy != null ? entropy : new byte[0];

            // TODO(67752510): Apply USER_ID tag

            if (!args.containsTag(KeymasterDefs.KM_TAG_USER_ID)) {

                args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());

            }

            return mBinder.begin(getToken(), alias, purpose, pruneable, args, entropy, uid);

        } catch (RemoteException e) {

            Log.w(TAG, "Cannot connect to keystore", e);

keystore/java/android/security/keystore/KeymasterUtils.java

+6 −3
Original line number Diff line number Diff line
@@ -16,9 +16,8 @@ 


package android.security.keystore;



import android.util.Log;

import android.app.ActivityManager;

import android.hardware.fingerprint.FingerprintManager;

import android.os.UserHandle;

import android.security.GateKeeper;

import android.security.KeyStore;

import android.security.keymaster.KeymasterArguments;
@@ -102,7 +101,7 @@ public abstract class KeymasterUtils { 
     *         require user authentication.

     */

    public static void addUserAuthArgs(KeymasterArguments args, UserAuthArgs spec) {

        // TODO (67752510): Implement "unlocked device required"

        args.addUnsignedInt(KeymasterDefs.KM_TAG_USER_ID, ActivityManager.getCurrentUser());



        if (spec.isUserConfirmationRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_CONFIRMATION_REQUIRED);
@@ -112,6 +111,10 @@ public abstract class KeymasterUtils { 
            args.addBoolean(KeymasterDefs.KM_TAG_TRUSTED_USER_PRESENCE_REQUIRED);

        }



        if (spec.isUnlockedDeviceRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_UNLOCKED_DEVICE_REQUIRED);

        }



        if (!spec.isUserAuthenticationRequired()) {

            args.addBoolean(KeymasterDefs.KM_TAG_NO_AUTH_REQUIRED);

            return;

keystore/java/android/security/keystore/UserAuthArgs.java

+1 −0
Original line number Diff line number Diff line
@@ -33,5 +33,6 @@ public interface UserAuthArgs { 
    boolean isUserConfirmationRequired();

    long getBoundToSpecificSecureUserId();

    boolean isTrustedUserPresenceRequired();

    boolean isUnlockedDeviceRequired();



}

services/core/java/com/android/server/policy/keyguard/KeyguardStateMonitor.java

+13 −0
Original line number Diff line number Diff line
@@ -19,6 +19,8 @@ package com.android.server.policy.keyguard; 
import android.app.ActivityManager;

import android.content.Context;

import android.os.RemoteException;

import android.os.ServiceManager;

import android.security.IKeystoreService;

import android.util.Slog;



import com.android.internal.policy.IKeyguardService;
@@ -51,11 +53,16 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { 
    private final LockPatternUtils mLockPatternUtils;

    private final StateCallback mCallback;



    IKeystoreService mKeystoreService;



    public KeyguardStateMonitor(Context context, IKeyguardService service, StateCallback callback) {

        mLockPatternUtils = new LockPatternUtils(context);

        mCurrentUserId = ActivityManager.getCurrentUser();

        mCallback = callback;



        mKeystoreService = IKeystoreService.Stub.asInterface(ServiceManager

                .getService("android.security.keystore"));



        try {

            service.addStateMonitorCallback(this);

        } catch (RemoteException e) {
@@ -86,6 +93,12 @@ public class KeyguardStateMonitor extends IKeyguardStateCallback.Stub { 
    @Override // Binder interface

    public void onShowingStateChanged(boolean showing) {

        mIsShowing = showing;



        try {

            mKeystoreService.onKeyguardVisibilityChanged(showing, mCurrentUserId);

        } catch (RemoteException e) {

            Slog.e(TAG, "Error informing keystore of screen lock", e);

        }

    }



    @Override // Binder interface