From 2601eb7f8c241f9cf24510115e0a572819fd0514 Mon Sep 17 00:00:00 2001 From: "[6;7~" Date: Wed, 11 Aug 2021 12:46:49 -0700 Subject: [PATCH] Add ROLLBACK_RESISTANCE tag to key usage If KM is upgraded from a version that does not support rollback resistance to one that does, we really want our upgraded keys to include rollback resistance. By passing this tag in when we use the keys, we ensure that the tag is passed into the upgradeKey request whenever it is made, which some KM implementations can use to add rollback resistance to our keys. Bug: 187105270 Ignore-AOSP-First: no merge path to this branch from AOSP. Test: Manual Change-Id: I6154fe26a10b60cd686cc60dbc2e0a85c152f43b --- KeyStorage.cpp | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/KeyStorage.cpp b/KeyStorage.cpp index 472e6b1e..93c5c29c 100644 --- a/KeyStorage.cpp +++ b/KeyStorage.cpp @@ -379,7 +379,9 @@ static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir const km::AuthorizationSet& keyParams, const KeyBuffer& message, std::string* ciphertext) { km::AuthorizationSet opParams = - km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); + km::AuthorizationSetBuilder() + .Authorization(km::TAG_ROLLBACK_RESISTANCE) + .Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT); km::AuthorizationSet outParams; auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, &outParams); if (!opHandle) return false; @@ -408,6 +410,7 @@ static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES); auto opParams = km::AuthorizationSetBuilder() .Authorization(km::TAG_NONCE, nonce) + .Authorization(km::TAG_ROLLBACK_RESISTANCE) .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT); auto opHandle = BeginKeymasterOp(keymaster, dir, keyParams, opParams, nullptr); if (!opHandle) return false;