
Commit c0676da2 authored by Eric Biggers's avatar Eric Biggers

LockSettingsService: remove ensureProfileKeystoreUnlocked()

It used to be the case that on unencrypted devices and on Full Disk
Encryption (FDE) devices, when a user was started it would immediately
be unlocked too, even if it had a lockscreen credential.

http://ag/19599753 (commit 3d5653e1) changed the flow to be the same
as on File Based Encryption (FBE) devices.  Now, users are not unlocked
until their lockscreen credential is verified.

This means that the workaround implemented by
LockSettingsService.ensureProfileKeystoreUnlocked(), which decrypted and
verified the profile password when a profile with a unified challenge
was being unlocked, is no longer necessary.  Remove it.

(Note: FDE is no longer supported anyway.  However, "no encryption" is
still supported, sort of, for device bring-up only.  This workaround
applied to both "no encryption" and FDE, so that's why the actual reason
it's no longer necessary is a bit more subtle than "this was FDE code".)

Bug: 123215607
Change-Id: I7a0b694ac9120e2e98e0a155fd53b5d590ed87af
parent 32040c16
+2 −24
@@ -103,7 +103,6 @@ import android.security.Authorization;
import android.security.KeyStore;
import android.security.keystore.KeyProperties;
import android.security.keystore.KeyProtection;
import android.security.keystore.UserNotAuthenticatedException;
import android.security.keystore.recovery.KeyChainProtectionParams;
import android.security.keystore.recovery.KeyChainSnapshot;
import android.security.keystore.recovery.RecoveryCertPath;
@@ -788,31 +787,12 @@ public class LockSettingsService extends ILockSettings.Stub {
        }
    }

    /**
     * Check if profile got unlocked but the keystore is still locked. This happens on full disk
     * encryption devices since the profile may not yet be running when we consider unlocking it
     * during the normal flow. In this case unlock the keystore for the profile.
     */
    private void ensureProfileKeystoreUnlocked(int userId) {
        final KeyStore ks = KeyStore.getInstance();
        if (ks.state(userId) == KeyStore.State.LOCKED
                && isCredentialSharableWithParent(userId)
                && hasUnifiedChallenge(userId)) {
            Slog.i(TAG, "Profile got unlocked, will unlock its keystore");
            // If boot took too long and the password in vold got expired, parent keystore will
            // be still locked, we ignore this case since the user will be prompted to unlock
            // the device after boot.
            unlockChildProfile(userId, true /* ignoreUserNotAuthenticated */);
        }
    }

    private void onUnlockUser(final int userId) {
        // Perform tasks which require locks in LSS on a handler, as we are callbacks from
        // ActivityManager.unlockUser()
        mHandler.post(new Runnable() {
            @Override
            public void run() {
                ensureProfileKeystoreUnlocked(userId);
                // Hide notification first, as tie managed profile lock takes time
                hideEncryptionNotification(new UserHandle(userId));

@@ -1335,7 +1315,7 @@ public class LockSettingsService extends ILockSettings.Stub {
        return credential;
    }

    private void unlockChildProfile(int profileHandle, boolean ignoreUserNotAuthenticated) {
    private void unlockChildProfile(int profileHandle) {
        try {
            doVerifyCredential(getDecryptedPasswordForTiedProfile(profileHandle),
                    profileHandle, null /* progressCallback */, 0 /* flags */);
@@ -1345,8 +1325,6 @@ public class LockSettingsService extends ILockSettings.Stub {
                | BadPaddingException | CertificateException | IOException e) {
            if (e instanceof FileNotFoundException) {
                Slog.i(TAG, "Child profile key not found");
            } else if (ignoreUserNotAuthenticated && e instanceof UserNotAuthenticatedException) {
                Slog.i(TAG, "Parent keystore seems locked, ignoring");
            } else {
                Slog.e(TAG, "Failed to decrypt child profile key", e);
            }
@@ -1410,7 +1388,7 @@ public class LockSettingsService extends ILockSettings.Stub {
            if (hasUnifiedChallenge(profile.id)) {
                if (mUserManager.isUserRunning(profile.id)) {
                    // Unlock profile with unified lock
                    unlockChildProfile(profile.id, false /* ignoreUserNotAuthenticated */);
                    unlockChildProfile(profile.id);
                } else {
                    try {
                        // Profile not ready for unlock yet, but decrypt the unified challenge now
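Review bot: The invariant that makes this removal safe is not recorded anywhere in the new code: in the second hunk, `onUnlockUser` now relies on a user never being unlocked before its lockscreen credential has been verified, and that reasoning exists only in the commit message. A short comment at the top of `run()` would keep it next to the code, for example `// No keystore fix-up needed here: a user is only unlocked after its credential has been verified.` In `unlockChildProfile` (third and fourth hunks), a `UserNotAuthenticatedException` now appears to fall through to the generic `Slog.e` branch, presumably via a caught supertype in the part of the catch list above the hunk. A one-line Javadoc on that method stating that decryption and verification failures are logged and not propagated would make the contract explicit for callers that need to know whether the profile ended up unlocked. Both method bodies start or end outside the visible hunks, so this is based only on the lines shown.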