Gitiles
Code Review Sign In
gerrit.twrp.me / android_bootable_recovery / 88e9c6ef052cd0ec71658ca42e8d70f0aabe07ac / . / crypto / fscrypt / KeyStorage.h
blob: 9959ce65f1b8de223b9e661fb2d8b041d55e75a3 [file] [log] [blame]
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]1/*
2 * Copyright (C) 2016 The Android Open Source Project
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 *
8 * http://www.apache.org/licenses/LICENSE-2.0
9 *
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
15 */
16
17#ifndef ANDROID_VOLD_KEYSTORAGE_H
18#define ANDROID_VOLD_KEYSTORAGE_H
19
mauronofrio matarrese79820322020-05-25 19:48:56 +0200[diff] [blame]20#include "Keymaster.h"
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]21#include "KeyBuffer.h"
mauronofrio matarrese79820322020-05-25 19:48:56 +0200[diff] [blame]22#include <cutils/multiuser.h>
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]23#include <string>
24
25namespace android {
26namespace vold {
27
28// Represents the information needed to decrypt a disk encryption key.
29// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
30// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
31// binary needed to unlock.
32// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
33class KeyAuthentication {
34 public:
35 KeyAuthentication(const std::string& t, const std::string& s) : token{t}, secret{s} {};
36
37 bool usesKeymaster() const { return !token.empty() || secret.empty(); };
38
39 const std::string token;
40 const std::string secret;
41};
42
mauronofrio matarrese79820322020-05-25 19:48:56 +0200[diff] [blame]43enum class KeyType {
44 DE_SYS,
45 DE_USER,
mauronofrio matarresef1079ed2020-05-25 20:52:57 +0200[diff] [blame]46 CE_USER,
47 ME,
mauronofrio matarrese79820322020-05-25 19:48:56 +0200[diff] [blame]48};
49
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]50extern const KeyAuthentication kEmptyAuthentication;
51
52// Checks if path "path" exists.
53bool pathExists(const std::string& path);
54
55bool createSecdiscardable(const std::string& path, std::string* hash);
56bool readSecdiscardable(const std::string& path, std::string* hash);
57
58// Create a directory at the named path, and store "key" in it,
59// in such a way that it can only be retrieved via Keymaster and
60// can be securely deleted.
61// It's safe to move/rename the directory after creation.
62bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key);
63
64// Create a directory at the named path, and store "key" in it as storeKey
65// This version creates the key in "tmp_path" then atomically renames "tmp_path"
66// to "key_path" thereby ensuring that the key is either stored entirely or
67// not at all.
68bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path,
69 const KeyAuthentication& auth, const KeyBuffer& key);
70
71// Retrieve the key from the named directory.
72bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key,
73 bool keepOld = false);
74
75// Securely destroy the key stored in the named directory and delete the directory.
76bool destroyKey(const std::string& dir);
77
78bool runSecdiscardSingle(const std::string& file);
mauronofrio matarrese79820322020-05-25 19:48:56 +0200[diff] [blame]79bool generateWrappedKey(userid_t user_id, KeyType key_type, KeyBuffer* key);
80bool getEphemeralWrappedKey(km::KeyFormat format, KeyBuffer& kmKey, KeyBuffer* key);
bigbiff7ba75002020-04-11 20:47:09 -0400[diff] [blame]81} // namespace vold
82} // namespace android
83
84#endif