authorShivaprasad Hongal <shongal@codeaurora.org>2018-07-05 16:00:04 -0700
committerBruno Martins <bgcngm@gmail.com>2020-01-02 16:13:32 +0100
commitae344126732e4833089dbcc718107b20a79a309c (patch)
treeb72ab56a8a15c3daa586d0f79de63f6a8b61a292
parentf7ffa4e1204711cba1fe56218fc97fe6d0cec22a (diff)
LockSettingsService: Support for separate clear key apiHEADlineage-17.0
With the new key management changes for FBE, the keys are not present in the clear in vold. So, while clearing a pin, we cannot use the present method to rebind the key to keymaster. We need to provide the old secret so as to retrieve the key and then bind it with keymaster. CRs-Fixed: 2288316 Change-Id: I1dd707513a3d45b62b925fa7bba15babdba9bd1c
-rw-r--r--core/java/android/os/storage/IStorageManager.aidl1
-rw-r--r--services/core/java/com/android/server/StorageManagerService.java18
-rw-r--r--services/core/java/com/android/server/locksettings/LockSettingsService.java14
3 files changed, 32 insertions, 1 deletions
diff --git a/core/java/android/os/storage/IStorageManager.aidl b/core/java/android/os/storage/IStorageManager.aidl
index 92fecaddff2..bbc936d76e1 100644
--- a/core/java/android/os/storage/IStorageManager.aidl
+++ b/core/java/android/os/storage/IStorageManager.aidl
@@ -193,4 +193,5 @@ interface IStorageManager {
void startCheckpoint(int numTries) = 85;
boolean needsCheckpoint() = 86;
void abortChanges(in String message, boolean retry) = 87;
+ void clearUserKeyAuth(int userId, int serialNumber, in byte[] token, in byte[] secret) = 88;
}
diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
index 40c97f4cbe6..5e65db7087c 100644
--- a/services/core/java/com/android/server/StorageManagerService.java
+++ b/services/core/java/com/android/server/StorageManagerService.java
@@ -2790,6 +2790,24 @@ class StorageManagerService extends IStorageManager.Stub
}
/*
+ * Clear disk encryption key bound to the associated token / secret pair. Removing the user
+ * binding of the Disk encryption key is done in two phases: first, this call will retrieve
+ * the disk encryption key using the provided token / secret pair and store it by
+ * encrypting it with a keymaster key not bound to the user, then fixateNewestUserKeyAuth
+ * is called to delete all other bindings of the disk encryption key.
+ */
+ @Override
+ public void clearUserKeyAuth(int userId, int serialNumber, byte[] token, byte[] secret) {
+ enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);
+
+ try {
+ mVold.clearUserKeyAuth(userId, serialNumber, encodeBytes(token), encodeBytes(secret));
+ } catch (Exception e) {
+ Slog.wtf(TAG, e);
+ }
+ }
+
+ /*
* Delete all disk encryption token/secret pairs except the most recently added one
*/
@Override
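Review bot: The new `clearUserKeyAuth` swallows every failure from `mVold.clearUserKeyAuth(...)` in `catch (Exception e) { Slog.wtf(TAG, e); }`, so the caller cannot tell whether the disk encryption key was actually re-wrapped. The LockSettingsService hunk in this same commit calls `fixateNewestUserKeyAuth(userId)` straight afterwards, which the comment here says deletes all other bindings. If the first phase failed, the second presumably still runs against an unchanged key state. Consider surfacing the failure, for example `throw new IllegalStateException("clearUserKeyAuth failed for user " + userId, e);` after the log call, or otherwise giving the caller a result to check before it fixates. The added block comment opens with `/*`; making it `/**` and stating that `STORAGE_INTERNAL` is required and that `secret` is the old credential-derived secret would document the contract.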
diff --git a/services/core/java/com/android/server/locksettings/LockSettingsService.java b/services/core/java/com/android/server/locksettings/LockSettingsService.java
index c9fd9a3b267..46e3fae42f9 100644
--- a/services/core/java/com/android/server/locksettings/LockSettingsService.java
+++ b/services/core/java/com/android/server/locksettings/LockSettingsService.java
@@ -1687,6 +1687,18 @@ public class LockSettingsService extends ILockSettings.Stub {
addUserKeyAuth(userId, null, null);
}
+ private void clearUserKeyAuth(int userId, byte[] token, byte[] secret) throws RemoteException {
+ if (DEBUG) Slog.d(TAG, "clearUserKeyProtection user=" + userId);
+ final UserInfo userInfo = mUserManager.getUserInfo(userId);
+ final IStorageManager storageManager = mInjector.getStorageManager();
+ final long callingId = Binder.clearCallingIdentity();
+ try {
+ storageManager.clearUserKeyAuth(userId, userInfo.serialNumber, token, secret);
+ } finally {
+ Binder.restoreCallingIdentity(callingId);
+ }
+ }
+
private static byte[] secretFromCredential(byte[] credential) throws RemoteException {
try {
MessageDigest digest = MessageDigest.getInstance("SHA-512");
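Review bot: The debug line in the new `clearUserKeyAuth` logs `"clearUserKeyProtection user="`, which is the name of a different method, so a log trace of a credential-clear will point at the wrong code path. It should read `"clearUserKeyAuth user=" + userId`. Separately, `userInfo.serialNumber` is dereferenced without a null check; if `mUserManager.getUserInfo(userId)` can return null for a user being removed (not visible from this hunk), the NPE would surface in the middle of the key-clearing sequence. A guard such as `if (userInfo == null) throw new IllegalStateException("No UserInfo for user " + userId);` before `clearCallingIdentity()` would make that failure explicit.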
@@ -2693,7 +2705,7 @@ public class LockSettingsService extends ILockSettings.Stub {
// during boot. Vold storage needs to be unlocked before manipulation of the keys can
// succeed.
unlockUserKey(userId, null, auth.deriveDiskEncryptionKey());
- clearUserKeyProtection(userId);
+ clearUserKeyAuth(userId, null, auth.deriveDiskEncryptionKey());
fixateNewestUserKeyAuth(userId);
unlockKeystore(auth.deriveKeyStorePassword(), userId);
setKeystorePassword(null, userId);
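Review bot: `auth.deriveDiskEncryptionKey()` is now evaluated twice, once for `unlockUserKey` and again for the new `clearUserKeyAuth` call, which leaves two separate byte arrays holding the derived secret on the heap with neither wiped. Deriving it once, `final byte[] secret = auth.deriveDiskEncryptionKey();`, passing `secret` to both calls, and clearing it in a `finally` with `java.util.Arrays.fill(secret, (byte) 0);` would shorten the lifetime of the key material. Whether the callee retains the array is not visible here, so confirm that before zeroing. The enclosing method starts and ends outside this hunk.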