From 50397a72f13629932423dbd48c554ebec0fa1008 Mon Sep 17 00:00:00 2001 From: Shawn Willden Date: Wed, 1 Apr 2020 10:02:16 -0600 Subject: [PATCH] Send earlyBootEnded notice to all Keymasters Vold incorrectly sends the earlyBootEnded signal only to the Keymaster instance used for device encryption, but all of them need it. Bug: 152932559 Test: VtsHalKeymasterV4_1TargetTest Change-Id: Id8f01a1dc7d2398395f369c3ea74656a82888829 --- Keymaster.cpp | 20 +++++++++++++------- Keymaster.h | 6 +++--- MetadataCrypt.cpp | 10 +++------- 3 files changed, 19 insertions(+), 17 deletions(-) diff --git a/Keymaster.cpp b/Keymaster.cpp index c3f2912..786cdb5 100644 --- a/Keymaster.cpp +++ b/Keymaster.cpp @@ -229,13 +229,19 @@ bool Keymaster::isSecure() { } void Keymaster::earlyBootEnded() { - auto error = mDevice->earlyBootEnded(); - if (!error.isOk()) { - LOG(ERROR) << "earlyBootEnded failed: " << error.description(); - } - km::V4_1_ErrorCode km_error = error; - if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) { - LOG(ERROR) << "Error reporting early boot ending to keymaster: " << int32_t(km_error); + auto devices = KmDevice::enumerateAvailableDevices(); + for (auto& dev : devices) { + auto error = dev->earlyBootEnded(); + if (!error.isOk()) { + LOG(ERROR) << "earlyBootEnded call failed: " << error.description() << " for " + << dev->halVersion().keymasterName; + } + km::V4_1_ErrorCode km_error = error; + if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) { + LOG(ERROR) << "Error reporting early boot ending to keymaster: " + << static_cast(km_error) << " for " + << dev->halVersion().keymasterName; + } } } diff --git a/Keymaster.h b/Keymaster.h index 4a9ed02..d9ced91 100644 --- a/Keymaster.h +++ b/Keymaster.h @@ -128,9 +128,9 @@ class Keymaster { km::AuthorizationSet* outParams); bool isSecure(); - // Tell Keymaster that early boot has ended and early boot-only keys can no longer be created or - // used. - void earlyBootEnded(); + // Tell all Keymaster instances that early boot has ended and early boot-only keys can no longer + // be created or used. + static void earlyBootEnded(); private: sp mDevice; diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp index 8227e74..8659502 100644 --- a/MetadataCrypt.cpp +++ b/MetadataCrypt.cpp @@ -87,13 +87,9 @@ const KeyGeneration makeGen(const CryptoOptions& options) { } static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) { - // We're about to mount data not verified by verified boot. Tell Keymaster that early boot has - // ended. - // - // TODO(paulcrowley): Make a Keymaster singleton or something, so we don't have to repeatedly - // open and initialize the service. - ::android::vold::Keymaster keymaster; - keymaster.earlyBootEnded(); + // We're about to mount data not verified by verified boot. Tell Keymaster instances that early + // boot has ended. + ::android::vold::Keymaster::earlyBootEnded(); // fs_mgr_do_mount runs fsck. Use setexeccon to run trusted // partitions in the fsck domain.