Snap for 4793185 from e763ed2aa3075a1fd699f09c06ba67dbfd946a6b to pi-release

Change-Id: If756e11bbaf9d526a472fbbdf309520c3ef9695f
diff --git a/Android.bp b/Android.bp
index a8934fc..556784f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -158,7 +158,10 @@
             ],
         },
     },
-    init_rc: ["vold.rc"],
+    init_rc: [
+        "vold.rc",
+        "wait_for_keymaster.rc",
+    ],
 
     required: [
         "mke2fs",
diff --git a/Keymaster.cpp b/Keymaster.cpp
index 4921448..aad4387 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
@@ -49,9 +49,6 @@
         size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
         auto inputBlob = km::support::blob2hidlVec(
             reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
-        // TODO(swillden): Need to handle getting a VerificationToken from the TEE if mDevice is
-        // StrongBox, so we can provide it here.  The VerificationToken will need to be
-        // requested/retrieved during Keymaster::begin().
         auto error = mDevice->update(mOpHandle, hidl_vec<km::KeyParameter>(), inputBlob,
                                      km::HardwareAuthToken(), km::VerificationToken(), hidlCB);
         if (!error.isOk()) {
@@ -105,8 +102,9 @@
         hmacKeyGenerated = true;
     }
     for (auto& dev : devices) {
-        // Explicitly avoid using STRONGBOX for now.
-        // TODO: Re-enable STRONGBOX, since it's what we really want. b/77338527
+        // Do not use StrongBox for device encryption / credential encryption.  If a security chip
+        // is present it will have Weaver, which already strengthens CE.  We get no additional
+        // benefit from using StrongBox here, so skip it.
         if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) {
             mDevice = std::move(dev);
             break;
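Review bot: The loop takes the first entry whose level is merely not STRONGBOX, so a SOFTWARE-level implementation listed ahead of the TEE one would be chosen for DE/CE keys, and if every entry is STRONGBOX `mDevice` stays unset. Whether either case can occur depends on how `devices` is filled and on code after the loop, both of which are outside this hunk. Since the new comment makes skipping StrongBox a permanent decision rather than a TODO, consider stating the wanted level positively, e.g. `if (dev->halVersion().securityLevel == SecurityLevel::TRUSTED_ENVIRONMENT) {`, keeping a fallback pass if software-only devices must still work. The comment also assumes that any device with a security chip exposes Weaver, which nothing here checks. A line such as `// Assumes Weaver is present whenever StrongBox is; otherwise CE is TEE-bound only.` would record that assumption.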
diff --git a/wait_for_keymaster.rc b/wait_for_keymaster.rc
new file mode 100644
index 0000000..9e83a93
--- /dev/null
+++ b/wait_for_keymaster.rc
@@ -0,0 +1,5 @@
+service wait_for_keymaster /system/bin/wait_for_keymaster
+    user root
+    group root system
+    priority -20
+    ioprio rt 0
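Review bot: The stanza declares no `oneshot`, `disabled` or `class`, so when and how the service runs depends on a start command that is not part of this change. If it were started as an ordinary service rather than through `exec_start`, init would presumably restart it each time it exits. A header comment would make the intent explicit, for example `# Started via exec_start; blocks boot until the Keymaster HAL is available.` (wording to be confirmed against the real caller). The service also runs as `user root` with `group root system` at `priority -20` and `ioprio rt 0`. If the binary only waits for a HAL to register, a short note on why root is needed, or a less privileged user, would narrow the privilege surface to be reviewed.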