Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit c3e8542a authored by Eric Biggers's avatar Eric Biggers
Browse files

Zeroize CE storage key in setCeStorageProtection() 

Secrets derived from or unlocked by the LSKF need to be zeroized as soon
as they are no longer needed.

Bug: 320392352
Test: atest FrameworksServicesTests:com.android.server.locksettings
Flag: EXEMPT bugfix
Change-Id: Ic2b0b22051f91fd8a9eff96ca2156fd379ef5c96
parent 8f7bd978

services/core/java/com/android/server/locksettings/LockSettingsService.java

+1 −0
Original line number Diff line number Diff line
@@ -2198,6 +2198,7 @@ public class LockSettingsService extends ILockSettings.Stub { 
            throw new IllegalStateException("Failed to protect CE key for user " + userId, e);

        } finally {

            Binder.restoreCallingIdentity(callingId);

            ArrayUtils.zeroize(secret);

        }

    }

services/tests/servicestests/src/com/android/server/locksettings/FakeStorageManager.java

+3 −1
Original line number Diff line number Diff line
@@ -20,13 +20,15 @@ import static com.google.common.truth.Truth.assertThat; 


import android.util.ArrayMap;



import java.util.Arrays;



public class FakeStorageManager {



    private final ArrayMap<Integer, byte[]> mUserSecrets = new ArrayMap<>();



    public void setCeStorageProtection(int userId, byte[] secret) {

        assertThat(mUserSecrets).doesNotContainKey(userId);

        mUserSecrets.put(userId, secret);

        mUserSecrets.put(userId, Arrays.copyOf(secret, secret.length));

    }



    public byte[] getUserUnlockToken(int userId) {