Google Git
Sign in
android / platform / system / vold / e8de4ffd73b7da76dfae8ee959226dca9df45ae5
commite8de4ffd73b7da76dfae8ee959226dca9df45ae5[log] [tgz]
authorSatya Tangirala <satyat@google.com>Sun Feb 28 22:32:07 2021 -0800
committerSatya Tangirala <satyat@google.com>Thu Apr 08 00:16:01 2021 +0000
tree35ccce8f0415ae932faa158fdace9e342789b15a
parente13617100d40079b79863ed504c79e7ef22b084e [diff]
Make vold use keystore2 instead of keymaster

Make vold use keystore2 for all its operations instead of directly using
keymaster. This way, we won't have any clients that bypass keystore2,
and we'll no longer need to reserve a keymaster operation for vold.

Note that we now hardcode "SecurityLevel::TRUSTED_ENVIRONMENT" (TEE)
when talking to Keystore2 since Keystore2 only allows TEE and STRONGBOX.
Keystore2 presents any SOFTWARE implementation as a TEE to callers when
no "real" TEE is present. As far as storage encryption is concerned,
there's no advantage to using a STRONGBOX when a "real" TEE is present,
and a STRONGBOX can't be present if a "real" TEE isn't, so asking
Keystore2 for a TEE is the best we can do in any situation.

The difference in behaviour only really affects the full disk encryption
code in cryptfs.cpp, which used to explicitly check that the keymaster
device is a "real" TEE (as opposed to a SOFTWARE implementation) before
using it (it can no longer do so since Keystore2 doesn't provide a way
to do this).

A little code history digging (7c49ab0a0b in particular) shows that
cryptfs.cpp cared about two things when using a keymaster.
 - 1) that the keys generated by the keymaster were "standalone" keys -
      i.e. that the keymaster could operate on those keys without
      requiring /data or any other service to be available.
 - 2) that the keymaster was a non-SOFTWARE implementation so that things
      would still work in case a "real" TEE keymaster was ever somehow
      added to the device after first boot.

Today, all "real" TEE keymasters always generate "standalone" keys, and
a TEE has been required in Android devices since at least Android N. The
only two exceptions are Goldfish and ARC++, which have SOFTWARE
keymasters, but both those keymasters also generate "standalone" keys.

We're also no longer worried about possibly adding a "real" TEE KM to
either of those devices after first boot. So there's no longer a reason
cryptfs.cpp can't use the SOFTWARE keymaster on those devices.

There's also already an upgrade path in place (see
test_mount_encrypted_fs() in cryptfs.cpp) to upgrade the kdf that's
being used once a TEE keymaster is added to the device. So it's safe for
cryptfs.cpp to ask for a TEE keymaster from Keystore2 and use it
blindly, without checking whether or not it's a "real" TEE, which is why
Keymaster::isSecure() just returns true now. A future patch will remove
that function and simplify its callers.

Bug: 181910578
Test: cuttlefish and bramble boot. Adding, switching between, stopping
      and removing users work.
Change-Id: Iaebfef082eca0da8a305043fafb6d85e5de14cf8
5 files changed
tree: 35ccce8f0415ae932faa158fdace9e342789b15a
  1. bench/
  2. binder/
  3. fs/
  4. model/
  5. tests/
  6. .clang-format ⇨ ../../build/soong/scripts/system-clang-format
  7. Android.bp
  8. AppFuseUtil.cpp
  9. AppFuseUtil.h
  10. Benchmark.cpp
  11. Benchmark.h
  12. BenchmarkGen.h
  13. Checkpoint.cpp
  14. Checkpoint.h
  15. CleanSpec.mk
  16. cryptfs.cpp
  17. cryptfs.h
  18. CryptoType.cpp
  19. CryptoType.h
  20. Devmapper.cpp
  21. Devmapper.h
  22. EncryptInplace.cpp
  23. EncryptInplace.h
  24. FileDeviceUtils.cpp
  25. FileDeviceUtils.h
  26. FsCrypt.cpp
  27. FsCrypt.h
  28. IdleMaint.cpp
  29. IdleMaint.h
  30. KeyBuffer.cpp
  31. KeyBuffer.h
  32. Keymaster.cpp
  33. Keymaster.h
  34. KeyStorage.cpp
  35. KeyStorage.h
  36. KeyUtil.cpp
  37. KeyUtil.h
  38. Loop.cpp
  39. Loop.h
  40. main.cpp
  41. MetadataCrypt.cpp
  42. MetadataCrypt.h
  43. MoveStorage.cpp
  44. MoveStorage.h
  45. NetlinkHandler.cpp
  46. NetlinkHandler.h
  47. NetlinkManager.cpp
  48. NetlinkManager.h
  49. OWNERS
  50. PREUPLOAD.cfg
  51. Process.cpp
  52. Process.h
  53. ScryptParameters.cpp
  54. ScryptParameters.h
  55. secdiscard.cpp
  56. sehandle.h
  57. TEST_MAPPING
  58. Utils.cpp
  59. Utils.h
  60. vdc.cpp
  61. vdc.rc
  62. vold.rc
  63. vold_prepare_subdirs.cpp
  64. VoldNativeService.cpp
  65. VoldNativeService.h
  66. VoldNativeServiceValidation.cpp
  67. VoldNativeServiceValidation.h
  68. VoldUtil.cpp
  69. VoldUtil.h
  70. VolumeManager.cpp
  71. VolumeManager.h
  72. wait_for_keymaster.cpp
  73. wait_for_keymaster.rc