Remove HardwareAuthToken parameter from addUserKeyAuth
Due to the migration to synthetic passwords, the 'token' parameter to
addUserKeyAuth() is no longer needed. Remove it.
Test: atest com.android.server.locksettings
Bug: 184723544
Change-Id: I06e7c36787cc7f384acb7742737c3b1cfa50f0ae
(cherry picked from commit 6b220a95e9bcb25e103bc0cb3dc4f4bc18c3e137)
Merged-In: I06e7c36787cc7f384acb7742737c3b1cfa50f0ae
diff --git a/core/java/android/os/storage/IStorageManager.aidl b/core/java/android/os/storage/IStorageManager.aidl
index 6c0a1f9..c86221c 100644
--- a/core/java/android/os/storage/IStorageManager.aidl
+++ b/core/java/android/os/storage/IStorageManager.aidl
@@ -179,7 +179,7 @@
void prepareUserStorage(in String volumeUuid, int userId, int serialNumber, int flags) = 66;
void destroyUserStorage(in String volumeUuid, int userId, int flags) = 67;
boolean isConvertibleToFBE() = 68;
- void addUserKeyAuth(int userId, int serialNumber, in byte[] token, in byte[] secret) = 70;
+ void addUserKeyAuth(int userId, int serialNumber, in byte[] secret) = 70;
void fixateNewestUserKeyAuth(int userId) = 71;
void fstrim(int flags, IVoldTaskListener listener) = 72;
AppFuseMount mountProxyFileDescriptorBridge() = 73;
diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
index 8a83130..bfa310f 100644
--- a/services/core/java/com/android/server/StorageManagerService.java
+++ b/services/core/java/com/android/server/StorageManagerService.java
@@ -3408,18 +3408,19 @@
}
/*
- * Add this token/secret pair to the set of ways we can recover a disk encryption key.
- * Changing the token/secret for a disk encryption key is done in two phases: first, adding
- * a new token/secret pair with this call, then delting all other pairs with
- * fixateNewestUserKeyAuth. This allows other places where a credential is used, such as
- * Gatekeeper, to be updated between the two calls.
+ * Add this secret to the set of ways we can recover a user's disk
+ * encryption key. Changing the secret for a disk encryption key is done in
+ * two phases. First, this method is called to add the new secret binding.
+ * Second, fixateNewestUserKeyAuth is called to delete all other bindings.
+ * This allows other places where a credential is used, such as Gatekeeper,
+ * to be updated between the two calls.
*/
@Override
- public void addUserKeyAuth(int userId, int serialNumber, byte[] token, byte[] secret) {
+ public void addUserKeyAuth(int userId, int serialNumber, byte[] secret) {
enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);
try {
- mVold.addUserKeyAuth(userId, serialNumber, encodeBytes(token), encodeBytes(secret));
+ mVold.addUserKeyAuth(userId, serialNumber, encodeBytes(secret));
} catch (Exception e) {
Slog.wtf(TAG, e);
}
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index a162669..31083601 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1891,9 +1891,9 @@
mStorage.writeChildProfileLock(userId, outputStream.toByteArray());
}
- private void setAuthlessUserKeyProtection(int userId, byte[] key) {
- if (DEBUG) Slog.d(TAG, "setAuthlessUserKeyProtectiond: user=" + userId);
- addUserKeyAuth(userId, null, key);
+ private void setUserKeyProtection(int userId, byte[] key) {
+ if (DEBUG) Slog.d(TAG, "setUserKeyProtection: user=" + userId);
+ addUserKeyAuth(userId, key);
}
private void clearUserKeyProtection(int userId, byte[] secret) {
@@ -1944,11 +1944,11 @@
}
}
- private void addUserKeyAuth(int userId, byte[] token, byte[] secret) {
+ private void addUserKeyAuth(int userId, byte[] secret) {
final UserInfo userInfo = mUserManager.getUserInfo(userId);
final long callingId = Binder.clearCallingIdentity();
try {
- mStorageManager.addUserKeyAuth(userId, userInfo.serialNumber, token, secret);
+ mStorageManager.addUserKeyAuth(userId, userInfo.serialNumber, secret);
} catch (RemoteException e) {
throw new IllegalStateException("Failed to add new key to vold " + userId, e);
} finally {
@@ -2725,7 +2725,7 @@
mSpManager.newSidForUser(getGateKeeperService(), auth, userId);
}
mSpManager.verifyChallenge(getGateKeeperService(), auth, 0L, userId);
- setAuthlessUserKeyProtection(userId, auth.deriveDiskEncryptionKey());
+ setUserKeyProtection(userId, auth.deriveDiskEncryptionKey());
setKeystorePassword(auth.deriveKeyStorePassword(), userId);
} else {
clearUserKeyProtection(userId, null);
@@ -2927,7 +2927,7 @@
// a new SID, and re-add keys to vold and keystore.
mSpManager.newSidForUser(getGateKeeperService(), auth, userId);
mSpManager.verifyChallenge(getGateKeeperService(), auth, 0L, userId);
- setAuthlessUserKeyProtection(userId, auth.deriveDiskEncryptionKey());
+ setUserKeyProtection(userId, auth.deriveDiskEncryptionKey());
fixateNewestUserKeyAuth(userId);
setKeystorePassword(auth.deriveKeyStorePassword(), userId);
}
diff --git a/services/tests/servicestests/src/com/android/server/locksettings/BaseLockSettingsServiceTests.java b/services/tests/servicestests/src/com/android/server/locksettings/BaseLockSettingsServiceTests.java
index dad50bd8..2bd42fa 100644
--- a/services/tests/servicestests/src/com/android/server/locksettings/BaseLockSettingsServiceTests.java
+++ b/services/tests/servicestests/src/com/android/server/locksettings/BaseLockSettingsServiceTests.java
@@ -221,10 +221,10 @@
Object[] args = invocation.getArguments();
mStorageManager.addUserKeyAuth((int) args[0] /* userId */,
(int) args[1] /* serialNumber */,
- (byte[]) args[3] /* secret */);
+ (byte[]) args[2] /* secret */);
return null;
}
- }).when(sm).addUserKeyAuth(anyInt(), anyInt(), any(), any());
+ }).when(sm).addUserKeyAuth(anyInt(), anyInt(), any());
doAnswer(new Answer<Void>() {
@Override
