Revert "Make SW keymaster security level configurable"
This reverts commit c07ff3460781d470021520f13ef19d46e02e757b.
Reason for revert: b/148671771
Change-Id: I5242c0e7165055b65b8ec08504c2b220470d0d1e
diff --git a/contexts/pure_soft_keymaster_context.cpp b/contexts/pure_soft_keymaster_context.cpp
index d52fe2e..54f93bc 100644
--- a/contexts/pure_soft_keymaster_context.cpp
+++ b/contexts/pure_soft_keymaster_context.cpp
@@ -50,12 +50,12 @@
namespace keymaster {
-PureSoftKeymasterContext::PureSoftKeymasterContext(keymaster_security_level_t security_level)
+PureSoftKeymasterContext::PureSoftKeymasterContext()
: rsa_factory_(new RsaKeyFactory(this)), ec_factory_(new EcKeyFactory(this)),
aes_factory_(new AesKeyFactory(this, this)),
tdes_factory_(new TripleDesKeyFactory(this, this)),
hmac_factory_(new HmacKeyFactory(this, this)), os_version_(0), os_patchlevel_(0),
- soft_keymaster_enforcement_(64, 64), security_level_(security_level) {}
+ soft_keymaster_enforcement_(64, 64) {}
PureSoftKeymasterContext::~PureSoftKeymasterContext() {}
@@ -106,56 +106,20 @@
}
keymaster_error_t PureSoftKeymasterContext::CreateKeyBlob(const AuthorizationSet& key_description,
- const keymaster_key_origin_t origin,
- const KeymasterKeyBlob& key_material,
- KeymasterKeyBlob* blob,
- AuthorizationSet* hw_enforced,
- AuthorizationSet* sw_enforced) const {
- if (key_description.GetTagValue(TAG_ROLLBACK_RESISTANCE)) {
- return KM_ERROR_ROLLBACK_RESISTANCE_UNAVAILABLE;
- }
-
- if (GetSecurityLevel() != KM_SECURITY_LEVEL_SOFTWARE) {
- // We're pretending to be some sort of secure hardware. Put relevant tags in hw_enforced.
- for (auto& entry : key_description) {
- switch (entry.tag) {
- case KM_TAG_PURPOSE:
- case KM_TAG_ALGORITHM:
- case KM_TAG_KEY_SIZE:
- case KM_TAG_RSA_PUBLIC_EXPONENT:
- case KM_TAG_BLOB_USAGE_REQUIREMENTS:
- case KM_TAG_DIGEST:
- case KM_TAG_PADDING:
- case KM_TAG_BLOCK_MODE:
- case KM_TAG_MIN_SECONDS_BETWEEN_OPS:
- case KM_TAG_MAX_USES_PER_BOOT:
- case KM_TAG_USER_SECURE_ID:
- case KM_TAG_NO_AUTH_REQUIRED:
- case KM_TAG_AUTH_TIMEOUT:
- case KM_TAG_CALLER_NONCE:
- case KM_TAG_MIN_MAC_LENGTH:
- case KM_TAG_KDF:
- case KM_TAG_EC_CURVE:
- case KM_TAG_ECIES_SINGLE_HASH_MODE:
- case KM_TAG_USER_AUTH_TYPE:
- case KM_TAG_ORIGIN:
- case KM_TAG_OS_VERSION:
- case KM_TAG_OS_PATCHLEVEL:
- hw_enforced->push_back(entry);
- break;
- default:
- break;
- }
- }
- }
-
+ const keymaster_key_origin_t origin,
+ const KeymasterKeyBlob& key_material,
+ KeymasterKeyBlob* blob,
+ AuthorizationSet* hw_enforced,
+ AuthorizationSet* sw_enforced) const {
keymaster_error_t error = SetKeyBlobAuthorizations(key_description, origin, os_version_,
os_patchlevel_, hw_enforced, sw_enforced);
- if (error != KM_ERROR_OK) return error;
+ if (error != KM_ERROR_OK)
+ return error;
AuthorizationSet hidden;
error = BuildHiddenAuthorizations(key_description, &hidden, softwareRootOfTrust);
- if (error != KM_ERROR_OK) return error;
+ if (error != KM_ERROR_OK)
+ return error;
return SerializeIntegrityAssuredBlob(key_material, hidden, *hw_enforced, *sw_enforced, blob);
}
diff --git a/include/keymaster/contexts/pure_soft_keymaster_context.h b/include/keymaster/contexts/pure_soft_keymaster_context.h
index a1951a0..d8532a8 100644
--- a/include/keymaster/contexts/pure_soft_keymaster_context.h
+++ b/include/keymaster/contexts/pure_soft_keymaster_context.h
@@ -43,9 +43,7 @@
AttestationRecordContext,
SoftwareRandomSource {
public:
- // Security level must only be used for testing.
- explicit PureSoftKeymasterContext(
- keymaster_security_level_t security_level = KM_SECURITY_LEVEL_SOFTWARE);
+ explicit PureSoftKeymasterContext();
~PureSoftKeymasterContext() override;
/*********************************************************************************************
@@ -101,8 +99,6 @@
keymaster_verified_boot_t* verified_boot_state,
bool* device_locked) const override;
- keymaster_security_level_t GetSecurityLevel() const override { return security_level_; }
-
protected:
std::unique_ptr<KeyFactory> rsa_factory_;
std::unique_ptr<KeyFactory> ec_factory_;
@@ -112,7 +108,6 @@
uint32_t os_version_;
uint32_t os_patchlevel_;
SoftKeymasterEnforcement soft_keymaster_enforcement_;
- keymaster_security_level_t security_level_;
};
} // namespace keymaster
diff --git a/key_blob_utils/software_keyblobs.cpp b/key_blob_utils/software_keyblobs.cpp
index 60719bb..c490631 100644
--- a/key_blob_utils/software_keyblobs.cpp
+++ b/key_blob_utils/software_keyblobs.cpp
@@ -292,16 +292,10 @@
}
}
- // If hw_enforced is non-empty, we're pretending to be some sort of secure hardware.
- AuthorizationSet* pseudo_hw_enforced = (hw_enforced->empty()) ? sw_enforced : hw_enforced;
- pseudo_hw_enforced->push_back(TAG_ORIGIN, origin);
- pseudo_hw_enforced->push_back(TAG_OS_VERSION, os_version);
- pseudo_hw_enforced->push_back(TAG_OS_PATCHLEVEL, os_patchlevel);
-
- // Honor caller creation, if provided.
- if (!sw_enforced->Contains(TAG_CREATION_DATETIME)) {
- sw_enforced->push_back(TAG_CREATION_DATETIME, java_time(time(nullptr)));
- }
+ sw_enforced->push_back(TAG_CREATION_DATETIME, java_time(time(nullptr)));
+ sw_enforced->push_back(TAG_ORIGIN, origin);
+ sw_enforced->push_back(TAG_OS_VERSION, os_version);
+ sw_enforced->push_back(TAG_OS_PATCHLEVEL, os_patchlevel);
return TranslateAuthorizationSetError(sw_enforced->is_valid());
}
diff --git a/ng/AndroidKeymaster4Device.cpp b/ng/AndroidKeymaster4Device.cpp
index b42a19b..70060d6 100644
--- a/ng/AndroidKeymaster4Device.cpp
+++ b/ng/AndroidKeymaster4Device.cpp
@@ -211,14 +211,12 @@
AndroidKeymaster4Device::AndroidKeymaster4Device(SecurityLevel securityLevel)
: impl_(new ::keymaster::AndroidKeymaster(
- [&]() -> auto {
- auto context = new PureSoftKeymasterContext(
- static_cast<keymaster_security_level_t>(securityLevel));
+ []() -> auto {
+ auto context = new PureSoftKeymasterContext();
context->SetSystemVersion(GetOsVersion(), GetOsPatchlevel());
return context;
}(),
- kOperationTableSize)),
- securityLevel_(securityLevel) {}
+ kOperationTableSize)), securityLevel_(securityLevel) {}
AndroidKeymaster4Device::~AndroidKeymaster4Device() {}
