1 /*
2  * Copyright (C) 2016 The Android Open Source Project
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License");
5  * you may not use this file except in compliance with the License.
6  * You may obtain a copy of the License at
7  *
8  *      http://www.apache.org/licenses/LICENSE-2.0
9  *
10  * Unless required by applicable law or agreed to in writing, software
11  * distributed under the License is distributed on an "AS IS" BASIS,
12  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13  * See the License for the specific language governing permissions and
14  * limitations under the License.
15  */
16 
17 #ifndef ANDROID_VOLD_KEYSTORAGE_H
18 #define ANDROID_VOLD_KEYSTORAGE_H
19 
20 #include "KeyBuffer.h"
21 
22 #include <string>
23 
24 namespace android {
25 namespace vold {
26 
27 // Represents the information needed to decrypt a disk encryption key.
28 // If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
29 // If "token" and "secret" are nonempty, "secret" is appended to the application-specific
30 // binary needed to unlock.
31 // If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
32 class KeyAuthentication {
33   public:
KeyAuthentication(const std::string & t,const std::string & s)34     KeyAuthentication(const std::string& t, const std::string& s) : token{t}, secret{s} {};
35 
usesKeymaster()36     bool usesKeymaster() const { return !token.empty() || secret.empty(); };
37 
38     const std::string token;
39     const std::string secret;
40 };
41 
42 extern const KeyAuthentication kEmptyAuthentication;
43 
44 // Checks if path "path" exists.
45 bool pathExists(const std::string& path);
46 
47 bool createSecdiscardable(const std::string& path, std::string* hash);
48 bool readSecdiscardable(const std::string& path, std::string* hash);
49 
50 // Create a directory at the named path, and store "key" in it,
51 // in such a way that it can only be retrieved via Keymaster and
52 // can be securely deleted.
53 // It's safe to move/rename the directory after creation.
54 bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key);
55 
56 // Create a directory at the named path, and store "key" in it as storeKey
57 // This version creates the key in "tmp_path" then atomically renames "tmp_path"
58 // to "key_path" thereby ensuring that the key is either stored entirely or
59 // not at all.
60 bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path,
61                         const KeyAuthentication& auth, const KeyBuffer& key);
62 
63 // Retrieve the key from the named directory.
64 bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key,
65                  bool keepOld = false);
66 
67 // Securely destroy the key stored in the named directory and delete the directory.
68 bool destroyKey(const std::string& dir);
69 
70 bool runSecdiscardSingle(const std::string& file);
71 
72 // Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster.
73 bool generateWrappedStorageKey(KeyBuffer* key);
74 // Export the per-boot boot wrapped storage key using keymaster.
75 bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key);
76 }  // namespace vold
77 }  // namespace android
78 
79 #endif
80