Google Git
Sign in
android / platform / system / keymaster / 4663fb4035b3f046089e0a9bcea43b0b56cc649f / . / include / keymaster / secure_deletion_secret_storage.h
blob: aecfd909763229ebf767e51e139f5c68c245b8e1 [file] [log] [blame]
/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#pragma once
#include <optional>
#include <keymaster/key_blob_utils/auth_encrypted_key_blob.h>
namespace keymaster {
class RandomSource;
/**
* SecureDeletionSecretStorage stores secure deletion secrets for KeyMint keys. These secrets are
* mixed into the key encryption key derivation process, so once the secure deletion secrets
* associated with a key blob are destroyed, the key blob can never be decrypted again.
*/
class SecureDeletionSecretStorage {
public:
explicit SecureDeletionSecretStorage(const RandomSource& random) : random_(random) {}
virtual ~SecureDeletionSecretStorage() {}
/**
* Create secure deletion data for a new key, and return it.
*
* If `secure_deletion` is true, a random key is generated and stored in an unused key slot, and
* the key slot is returned. If no unused key slot exists or if `secure_deletion` is false, the
* returned `key_slot` is zero, indicating that secure deletion is not available for the new
* key.
*
* If `secure_deletion` and `is_upgrade` are both true, the random key will be stored in an
* "upgrade-only" slot, if no normal slots are available. The upgrade-only slots reduce the
* probability that upgrading blobs can lose secure deletion.
*
* Whether or not secure deletion is requested, this method must read secure storage to obtain
* the factory reset secret. This read may fail for one of three reasons:
*
* 1. Secure storage is not yet available. In this case the return value is std::nullopt.
*
* 2. Secure storage is available, but the secure deletion data file doesn't exist. In this
* case the method creates the file, generates and stores the factory reset secret (and
* possibly secure deletion secret, if requested), and returns a populated result.
*
* 3. Secure storage is not available but was available previously. In this case the method
* blocks until secure storage is available, possibly forever, then processes the request
* and returns a populated result.
*
* @retval is empty if no secure deletion data (factory reset or per-key) is available.
*
* If the return value is not empty, the secureDeletionData field contains data that can
* be used for key derivation. If the keySlot field is 0, the key does not have secure
* deletion support.
*/
virtual std::optional<SecureDeletionData> CreateDataForNewKey(bool secure_deletion,
bool is_upgrade) const = 0;
/**
* Get the secure deletion data for a key.
*
* If the `key_slot` argument is non-zero, this method will retrieve data from the specified
* slot and return it in the secure_deletion_secret field, otherwise the `key_slot` field will
* be an empty buffer. Whether `key_slot` is zero or not, this method will populate the
* factory_reset_secret field.
*
* This method blocks until secure storage can be read. Possibly forever.
*/
virtual SecureDeletionData GetDataForKey(uint32_t key_slot) const = 0;
/**
* Delete the secure deletion data in a key slot.
*/
virtual void DeleteKey(uint32_t key_slot) const = 0;
/**
* Deletes the secure deletion data file, deleting all secure deletion secrets and the factory
* reset secret.
*/
virtual void DeleteAllKeys() const = 0;
protected:
const RandomSource& random_;
};
} // namespace keymaster