
Commit c2715796 authored by Shivaprasad Hongal's avatar Shivaprasad Hongal Committed by Weikai Kong

LockSettingsService: Support for separate clear key api

With the new key management changes for FBE, the keys
are not present in the clear in vold. So, while clearing a PIN,
we cannot use the present method to rebind the key to keymaster.

We need to provide the old secret so as to retrieve the key
and then bind it with keymaster.

CRs-Fixed: 2288316

Change-Id: I1dd707513a3d45b62b925fa7bba15babdba9bd1c
(cherry picked from commit ae344126)
parent 80906861
+1 −0
@@ -193,4 +193,5 @@ interface IStorageManager {
    void startCheckpoint(int numTries) = 85;
    boolean needsCheckpoint() = 86;
    void abortChanges(in String message, boolean retry) = 87;
    void clearUserKeyAuth(int userId, int serialNumber, in byte[] token, in byte[] secret) = 88;
}
+18 −0
@@ -2789,6 +2789,24 @@ class StorageManagerService extends IStorageManager.Stub
        }
    }

    /*
     * Clear disk encryption key bound to the associated token / secret pair. Removing the user
     * binding of the Disk encryption key is done in two phases: first, this call will retrieve
     * the disk encryption key using the provided token / secret pair and store it by
     * encrypting it with a keymaster key not bound to the user, then fixateNewestUserKeyAuth
     * is called to delete all other bindings of the disk encryption key.
     */
    @Override
    public void clearUserKeyAuth(int userId, int serialNumber, byte[] token, byte[] secret) {
        enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);

        try {
            mVold.clearUserKeyAuth(userId, serialNumber, encodeBytes(token), encodeBytes(secret));
        } catch (Exception e) {
            Slog.wtf(TAG, e);
        }
    }

    /*
     * Delete all disk encryption token/secret pairs except the most recently added one
     */
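Review bot: The `catch (Exception e)` in the new clearUserKeyAuth only reports through `Slog.wtf(TAG, e)` and then returns normally, so the caller cannot tell whether vold actually re-wrapped the disk encryption key. The block comment above the method describes a second phase in which fixateNewestUserKeyAuth deletes all other bindings, so a silent failure of the first phase looks worth surfacing before that step runs; one option is to rethrow after logging, `throw new IllegalStateException("clearUserKeyAuth failed for user " + userId, e);`. If log-and-continue is the convention for the neighbouring vold wrappers (they are outside this hunk), a comment stating that the failure is deliberately best-effort would do instead. Whatever is logged or thrown should keep naming only the user id, never `token` or `secret`.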
+13 −1
@@ -1740,6 +1740,18 @@ public class LockSettingsService extends ILockSettings.Stub {
        addUserKeyAuth(userId, null, null);
    }

    private void clearUserKeyAuth(int userId, byte[] token, byte[] secret) throws RemoteException {
        if (DEBUG) Slog.d(TAG, "clearUserKeyProtection user=" + userId);
        final UserInfo userInfo = mUserManager.getUserInfo(userId);
        final IStorageManager storageManager = mInjector.getStorageManager();
        final long callingId = Binder.clearCallingIdentity();
        try {
            storageManager.clearUserKeyAuth(userId, userInfo.serialNumber, token, secret);
        } finally {
            Binder.restoreCallingIdentity(callingId);
        }
    }

    private static byte[] secretFromCredential(byte[] credential) throws RemoteException {
        try {
            MessageDigest digest = MessageDigest.getInstance("SHA-512");
@@ -2759,7 +2771,7 @@ public class LockSettingsService extends ILockSettings.Stub {
            // during boot. Vold storage needs to be unlocked before manipulation of the keys can
            // succeed.
            unlockUserKey(userId, null, auth.deriveDiskEncryptionKey());
            clearUserKeyProtection(userId);
            clearUserKeyAuth(userId, null, auth.deriveDiskEncryptionKey());
            fixateNewestUserKeyAuth(userId);
            unlockKeystore(auth.deriveKeyStorePassword(), userId);
            setKeystorePassword(null, userId);
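Review bot: In the second hunk the derived secret is now produced twice, once for `unlockUserKey(userId, null, auth.deriveDiskEncryptionKey())` and again for the added `clearUserKeyAuth(userId, null, auth.deriveDiskEncryptionKey())`; assuming each call returns a fresh array, that leaves two copies of key material on the heap with no visible wipe. Deriving once, `final byte[] diskKey = auth.deriveDiskEncryptionKey();`, passing `diskKey` to both calls and clearing it after the last use with `Arrays.fill(diskKey, (byte) 0)` would shorten its lifetime. The enclosing method begins and ends outside the hunk, so where the wipe belongs depends on code not shown here. In the first hunk, the debug line in the new clearUserKeyAuth still prints `"clearUserKeyProtection user="` where `"clearUserKeyAuth user="` is meant, and `userInfo.serialNumber` is read without a null check, which would throw if `mUserManager.getUserInfo(userId)` returns null for a user that no longer exists.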