1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef ANDROID_VOLD_KEYSTORAGE_H 18 #define ANDROID_VOLD_KEYSTORAGE_H 19 20 #include "KeyBuffer.h" 21 22 #include <string> 23 24 namespace android { 25 namespace vold { 26 27 // Represents the information needed to decrypt a disk encryption key. 28 // If "token" is nonempty, it is passed in as a required Gatekeeper auth token. 29 // If "token" and "secret" are nonempty, "secret" is appended to the application-specific 30 // binary needed to unlock. 31 // If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process. 32 class KeyAuthentication { 33 public: KeyAuthentication(const std::string & t,const std::string & s)34 KeyAuthentication(const std::string& t, const std::string& s) : token{t}, secret{s} {}; 35 usesKeymaster()36 bool usesKeymaster() const { return !token.empty() || secret.empty(); }; 37 38 const std::string token; 39 const std::string secret; 40 }; 41 42 extern const KeyAuthentication kEmptyAuthentication; 43 44 // Checks if path "path" exists. 45 bool pathExists(const std::string& path); 46 47 bool createSecdiscardable(const std::string& path, std::string* hash); 48 bool readSecdiscardable(const std::string& path, std::string* hash); 49 50 // Create a directory at the named path, and store "key" in it, 51 // in such a way that it can only be retrieved via Keymaster and 52 // can be securely deleted. 53 // It's safe to move/rename the directory after creation. 54 bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key); 55 56 // Create a directory at the named path, and store "key" in it as storeKey 57 // This version creates the key in "tmp_path" then atomically renames "tmp_path" 58 // to "key_path" thereby ensuring that the key is either stored entirely or 59 // not at all. 60 bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path, 61 const KeyAuthentication& auth, const KeyBuffer& key); 62 63 // Retrieve the key from the named directory. 64 bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key, 65 bool keepOld = false); 66 67 // Securely destroy the key stored in the named directory and delete the directory. 68 bool destroyKey(const std::string& dir); 69 70 bool runSecdiscardSingle(const std::string& file); 71 72 // Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster. 73 bool generateWrappedStorageKey(KeyBuffer* key); 74 // Export the per-boot boot wrapped storage key using keymaster. 75 bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key); 76 } // namespace vold 77 } // namespace android 78 79 #endif 80