
Commit d20b2504 authored by Eric Biggers

Make the CE key always be encrypted by the synthetic password

Currently, whenever an LSKF isn't set, the CE key isn't encrypted by the
SP but rather by a non-auth-bound Keystore key.  This is inconsistent,
and it's preventing us from taking advantage of the secure deletion
support of Weaver (on devices that support Weaver), with the current
scheme relying entirely on rollback resistance support in Keystore.

Therefore, make the CE key always be encrypted by the SP-derived key.

To do this, encrypt the CE key by the SP-derived key when the SP is
initially created.  After the corresponding vold change, this will start
being the only time that the CE key is written to disk at all.

Also re-encrypt the CE key of existing users who don't have an LSKF, so
that we don't have to continue to support the legacy scheme.

Both operations are done via the new vold method setUserKeyProtection()
(accessed via StorageManagerService), which (re-)encrypts the CE key
using the given secret.  The CE key must be either not-yet-persisted or
default-encrypted.  This method replaces addUserKeyAuth(),
clearUserKeyAuth(), and fixateUserKeyAuth().

On the unlock side, make unlockUserKeyIfUnsecured() unwrap the SP and
unlock the CE key using it.  As this makes
tryDeriveVendorAuthSecretForUnsecuredPrimaryUser() no longer needed,
remove that too.

Test: atest com.android.server.locksettings && \
      atest com.android.server.am.UserControllerTest \
            com.android.server.pm.UserManagerServiceTest \
            com.android.server.pm.UserManagerTest
Test: Booted and rebooted Cuttlefish, both phone and auto builds
Test: Without the CLs in this topic, set up a Pixel 6 to have a user
      with an LSKF, a user with no LSKF or SP, and a user with an SP but
      no LSKF.  Upgraded to the CLs in this topic.  Checked log for
      the expected messages from LockSettingsService.  Verified that all
      the users can still be unlocked.  Verified that
      /data/system_de/$userId/spblob exists for all users, and that
      /data/misc/vold/user_keys/ce/$userId/encrypted_key exists but not
      a keymaster_key_blob file alongside it.  Verified that
      /data/system/locksettings.db contains
      migrated_all_users_to_sp_and_bound_ce=true.
Bug: 232452368
Change-Id: Ia753ea21bbaca8ef7a90c03fe73b66c896b1536e
parent 78e245a2