diff options
3 files changed, 32 insertions, 1 deletions
diff --git a/core/java/android/os/storage/IStorageManager.aidl b/core/java/android/os/storage/IStorageManager.aidl index 92fecaddff2..bbc936d76e1 100644 --- a/core/java/android/os/storage/IStorageManager.aidl +++ b/core/java/android/os/storage/IStorageManager.aidl @@ -193,4 +193,5 @@ interface IStorageManager { void startCheckpoint(int numTries) = 85; boolean needsCheckpoint() = 86; void abortChanges(in String message, boolean retry) = 87; + void clearUserKeyAuth(int userId, int serialNumber, in byte[] token, in byte[] secret) = 88; } diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java index 40c97f4cbe6..5e65db7087c 100644 --- a/services/core/java/com/android/server/StorageManagerService.java +++ b/services/core/java/com/android/server/StorageManagerService.java @@ -2790,6 +2790,24 @@ class StorageManagerService extends IStorageManager.Stub } /* + * Clear disk encryption key bound to the associated token / secret pair. Removing the user + * binding of the Disk encryption key is done in two phases: first, this call will retrieve + * the disk encryption key using the provided token / secret pair and store it by + * encrypting it with a keymaster key not bound to the user, then fixateNewestUserKeyAuth + * is called to delete all other bindings of the disk encryption key. + */ + @Override + public void clearUserKeyAuth(int userId, int serialNumber, byte[] token, byte[] secret) { + enforcePermission(android.Manifest.permission.STORAGE_INTERNAL); + + try { + mVold.clearUserKeyAuth(userId, serialNumber, encodeBytes(token), encodeBytes(secret)); + } catch (Exception e) { + Slog.wtf(TAG, e); + } + } + + /* * Delete all disk encryption token/secret pairs except the most recently added one */ @Override diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java index c9fd9a3b267..46e3fae42f9 100644 --- a/services/core/java/com/android/server/locksettings/LockSettingsService.java +++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java @@ -1687,6 +1687,18 @@ public class LockSettingsService extends ILockSettings.Stub { addUserKeyAuth(userId, null, null); } + private void clearUserKeyAuth(int userId, byte[] token, byte[] secret) throws RemoteException { + if (DEBUG) Slog.d(TAG, "clearUserKeyProtection user=" + userId); + final UserInfo userInfo = mUserManager.getUserInfo(userId); + final IStorageManager storageManager = mInjector.getStorageManager(); + final long callingId = Binder.clearCallingIdentity(); + try { + storageManager.clearUserKeyAuth(userId, userInfo.serialNumber, token, secret); + } finally { + Binder.restoreCallingIdentity(callingId); + } + } + private static byte[] secretFromCredential(byte[] credential) throws RemoteException { try { MessageDigest digest = MessageDigest.getInstance("SHA-512"); @@ -2693,7 +2705,7 @@ public class LockSettingsService extends ILockSettings.Stub { // during boot. Vold storage needs to be unlocked before manipulation of the keys can // succeed. unlockUserKey(userId, null, auth.deriveDiskEncryptionKey()); - clearUserKeyProtection(userId); + clearUserKeyAuth(userId, null, auth.deriveDiskEncryptionKey()); fixateNewestUserKeyAuth(userId); unlockKeystore(auth.deriveKeyStorePassword(), userId); setKeystorePassword(null, userId); |