From f5b085c13ae130b30fb11b35420c2dbdc1f9e4fa Mon Sep 17 00:00:00 2001
From: Wei Wang
Date: Tue, 15 May 2018 16:12:20 -0700
Subject: [PATCH 1/2] Add rc file for wait_for_keymaster

Similar to update_verifier, define higher prio and use exec_start for this binary.

Bug: 79492334
Test: Reboot test
Change-Id: I8d3133cabcc8d4cee8bdead310f2c18d8d07e9dd
---
 Android.bp | 5 ++++-
 wait_for_keymaster.rc | 5 +++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 create mode 100644 wait_for_keymaster.rc

diff --git a/Android.bp b/Android.bp
index a8934fc..556784f 100644
--- a/Android.bp
+++ b/Android.bp
@@ -158,7 +158,10 @@ cc_binary {
 ],
 },
 },
- init_rc: ["vold.rc"],
+ init_rc: [
+ "vold.rc",
+ "wait_for_keymaster.rc",
+ ],

 required: [
 "mke2fs",
diff --git a/wait_for_keymaster.rc b/wait_for_keymaster.rc
new file mode 100644
index 0000000..9e83a93
--- /dev/null
+++ b/wait_for_keymaster.rc
@@ -0,0 +1,5 @@
+service wait_for_keymaster /system/bin/wait_for_keymaster
+ user root
+ group root system
+ priority -20
+ ioprio rt 0

From e763ed2aa3075a1fd699f09c06ba67dbfd946a6b Mon Sep 17 00:00:00 2001
From: Shawn Willden
Date: Thu, 17 May 2018 15:24:56 -0600
Subject: [PATCH 2/2] Explain the rationale for not using StrongBox in vold.

Bug: 77338527
Test: Comment-only change.
Change-Id: I9f87e34854eabcc4c183553cf56a033970bb867e
---
 Keymaster.cpp | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/Keymaster.cpp b/Keymaster.cpp
index 4921448..aad4387 100644
--- a/Keymaster.cpp
+++ b/Keymaster.cpp
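Review bot: The new `wait_for_keymaster` service stanza declares neither `disabled` nor `oneshot`, so nothing in the .rc file itself limits it to the single `exec_start` run the commit message describes. With no `class` line it falls into init's default class, and a root process at `priority -20` / `ioprio rt 0` that is started or restarted outside that one call would compete with everything else at boot. I would add `disabled` and `oneshot` under `ioprio rt 0`, and, if the binary only needs to reach the keymaster HAL, check whether `user root` can be replaced with a less privileged user. The `exec_start` caller is not part of this patch, so the intended trigger cannot be confirmed here.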
@@ -49,9 +49,6 @@ bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen, size_t toRead = static_cast(inputLen - inputConsumed); auto inputBlob = km::support::blob2hidlVec( reinterpret_cast(&input[inputConsumed]), toRead); - // TODO(swillden): Need to handle getting a VerificationToken from the TEE if mDevice is - // StrongBox, so we can provide it here. The VerificationToken will need to be - // requested/retrieved during Keymaster::begin(). auto error = mDevice->update(mOpHandle, hidl_vec(), inputBlob, km::HardwareAuthToken(), km::VerificationToken(), hidlCB); if (!error.isOk()) { @@ -105,8 +102,9 @@ Keymaster::Keymaster() { hmacKeyGenerated = true; } for (auto& dev : devices) { - // Explicitly avoid using STRONGBOX for now. - // TODO: Re-enable STRONGBOX, since it's what we really want. b/77338527 + // Do not use StrongBox for device encryption / credential encryption. If a security chip + // is present it will have Weaver, which already strengthens CE. We get no additional + // benefit from using StrongBox here, so skip it. if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) { mDevice = std::move(dev); break;
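Review bot: Deleting the TODO in `KeymasterOperation::updateCompletely` leaves the default-constructed `km::VerificationToken()` passed to `mDevice->update()` with no explanation of why an empty token is acceptable. Going by the removed TODO, it is only correct while `mDevice` can never be a StrongBox device, which the selection loop in the second hunk enforces. A one-line comment above the call would keep that dependency visible, for example `// mDevice is never StrongBox (see Keymaster::Keymaster()), so an empty VerificationToken is sufficient.` The function starts and ends outside this hunk.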
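Review bot: The rewritten comment in `Keymaster::Keymaster()` explains why StrongBox is skipped but not what the loop accepts instead. The condition `securityLevel != SecurityLevel::STRONGBOX` takes the first entry of `devices` at any other level, which as written includes a `SecurityLevel::SOFTWARE` implementation if one is listed first. If that fallback is intended, the comment should say so, e.g. `// Any other security level is accepted, in the order devices were enumerated.`; if a TEE-backed device is expected, stating that here would make a later tightening of the check easier to review. How `devices` is ordered, and what happens when no entry matches, is outside the hunk.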