1 /*
2 * Copyright (C) 2022-2025 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "key_manager.h"
17
18 #include <fcntl.h>
19 #include "directory_ex.h"
20 #include "file_ex.h"
21 #include "fscrypt_key_v1.h"
22 #include "fscrypt_key_v2.h"
23 #include "iam_client.h"
24 #include "libfscrypt/fscrypt_control.h"
25 #include "recover_manager.h"
26 #include "storage_service_errno.h"
27 #include "storage_service_log.h"
28 #include "user/user_manager.h"
29 #include "utils/storage_radar.h"
30 #ifdef EL5_FILEKEY_MANAGER
31 #include "el5_filekey_manager_kit.h"
32 #endif
33 #ifdef EL5_FILEKEY_MANAGER
34 using namespace OHOS::Security::AccessToken;
35 #endif
36
37 using namespace OHOS::StorageService;
38 namespace OHOS {
39 namespace StorageDaemon {
40 const UserAuth NULL_KEY_AUTH = {};
41 constexpr const char *DEFAULT_NEED_RESTORE_VERSION = "1";
42 constexpr const char *DEFAULT_NEED_RESTORE_UPDATE_VERSION = "3";
43 constexpr const char *UECE_PATH = "/dev/fbex_uece";
44 constexpr const char *DATA_DIR = "data/app/";
45 constexpr const char *SERVICE_DIR = "data/service/";
46 constexpr const char *ENCRYPT_VERSION_DIR = "/latest/encrypted";
47 constexpr const char *SEC_DISCARD_DIR = "/latest/sec_discard";
48 constexpr const char *SHIELD_DIR = "/latest/shield";
49 constexpr const char *DESC_DIR = "/key_desc";
50 constexpr const char *EL2_ENCRYPT_TMP_FILE = "/el2_tmp";
51 constexpr uint32_t KEY_RECOVERY_USER_ID = 300;
52 constexpr uint32_t RECOVERY_TOKEN_CHALLENGE_LENG = 32;
53
54 constexpr const char *SERVICE_STORAGE_DAEMON_DIR = "/data/service/el1/public/storage_daemon";
55 constexpr const char *FSCRYPT_EL_DIR = "/data/service/el1/public/storage_daemon/sd";
56
57 constexpr uint8_t RETRIEVE_KEY = 0x0;
58 constexpr uint8_t FIRST_CREATE_KEY = 0x6c;
59 constexpr uint8_t USER_LOGOUT = 0x0;
60 constexpr uint32_t USER_ADD_AUTH = 0x0;
61 constexpr uint32_t USER_CHANGE_AUTH = 0x1;
62
GetBaseKey(const std::string & dir)63 std::shared_ptr<BaseKey> KeyManager::GetBaseKey(const std::string& dir)
64 {
65 uint8_t versionFromPolicy = GetFscryptVersionFromPolicy();
66 uint8_t kernelSupportVersion = KeyCtrlGetFscryptVersion(MNT_DATA);
67 if (kernelSupportVersion != FSCRYPT_V1 && kernelSupportVersion != FSCRYPT_V2) {
68 LOGE("kernel not support fscrypt, ret is %{public}d, errno is %{public}d.", kernelSupportVersion, errno);
69 return nullptr;
70 }
71 if ((versionFromPolicy == kernelSupportVersion) && (kernelSupportVersion == FSCRYPT_V2)) {
72 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV2>(dir));
73 }
74 if (versionFromPolicy != kernelSupportVersion) {
75 LOGE("version from policy %{public}u not same as version from kernel %{public}u", versionFromPolicy,
76 kernelSupportVersion);
77 }
78 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV1>(dir));
79 }
80
GenerateAndInstallDeviceKey(const std::string & dir)81 int KeyManager::GenerateAndInstallDeviceKey(const std::string &dir)
82 {
83 LOGW("enter");
84 globalEl1Key_ = GetBaseKey(dir);
85 if (globalEl1Key_ == nullptr) {
86 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_NULLPTR, "EL1", "");
87 return E_GLOBAL_KEY_NULLPTR;
88 }
89
90 if (globalEl1Key_->InitKey(true) == false) {
91 globalEl1Key_ = nullptr;
92 LOGE("global security key init failed");
93 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_INIT_ERROR, "EL1", "");
94 return E_GLOBAL_KEY_INIT_ERROR;
95 }
96 auto ret = globalEl1Key_->StoreKey(NULL_KEY_AUTH);
97 if (ret != E_OK) {
98 globalEl1Key_->ClearKey();
99 globalEl1Key_ = nullptr;
100 LOGE("global security key store failed");
101 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_STORE_ERROR, "EL1", "");
102 return E_GLOBAL_KEY_STORE_ERROR;
103 }
104
105 if (globalEl1Key_->ActiveKey(FIRST_CREATE_KEY) != E_OK) {
106 globalEl1Key_->ClearKey();
107 globalEl1Key_ = nullptr;
108 LOGE("global security key active failed");
109 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_ACTIVE_ERROR, "EL1", "");
110 return E_GLOBAL_KEY_ACTIVE_ERROR;
111 }
112
113 if (globalEl1Key_->UpdateKey() != E_OK) {
114 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_UPDATE_ERROR, "EL1", "");
115 }
116 hasGlobalDeviceKey_ = true;
117 LOGW("key create success");
118 return 0;
119 }
120
RestoreDeviceKey(const std::string & dir)121 int KeyManager::RestoreDeviceKey(const std::string &dir)
122 {
123 LOGI("enter");
124 if (globalEl1Key_ != nullptr) {
125 LOGI("device key has existed");
126 return 0;
127 }
128
129 globalEl1Key_ = GetBaseKey(dir);
130 if (globalEl1Key_ == nullptr) {
131 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_NULLPTR, "EL1", "");
132 return E_GLOBAL_KEY_NULLPTR;
133 }
134
135 if (globalEl1Key_->InitKey(false) == false) {
136 globalEl1Key_ = nullptr;
137 LOGE("global security key init failed");
138 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_INIT_ERROR, "EL1", "");
139 return E_GLOBAL_KEY_INIT_ERROR;
140 }
141
142 auto ret = globalEl1Key_->RestoreKey(NULL_KEY_AUTH);
143 if (ret != E_OK) {
144 globalEl1Key_ = nullptr;
145 LOGE("global security key restore failed");
146 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_STORE_ERROR, "EL1", "");
147 return E_GLOBAL_KEY_STORE_ERROR;
148 }
149
150 if (globalEl1Key_->ActiveKey(RETRIEVE_KEY) != E_OK) {
151 globalEl1Key_ = nullptr;
152 LOGE("global security key active failed");
153 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_ACTIVE_ERROR, "EL1", "");
154 return E_GLOBAL_KEY_ACTIVE_ERROR;
155 }
156 hasGlobalDeviceKey_ = true;
157 LOGI("key restore success");
158
159 return 0;
160 }
161
InitGlobalDeviceKey(void)162 int KeyManager::InitGlobalDeviceKey(void)
163 {
164 LOGW("enter");
165 int ret = InitFscryptPolicy();
166 if (ret < 0) {
167 LOGE("fscrypt init failed, fscrypt will not be enabled");
168 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey::InitFscryptPolicy", 0, ret, "EL1", "");
169 return ret;
170 }
171
172 std::lock_guard<std::mutex> lock(keyMutex_);
173 if (hasGlobalDeviceKey_ || globalEl1Key_ != nullptr) {
174 LOGI("glabal device el1 have existed");
175 return 0;
176 }
177
178 ret = MkDir(STORAGE_DAEMON_DIR, S_IRWXU); // para.0700: root only
179 if (ret && errno != EEXIST) {
180 LOGE("create storage daemon dir error");
181 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey::MkDir", 0, ret, "EL1",
182 std::string("errno = ") + std::to_string(errno) + ", path = " + STORAGE_DAEMON_DIR);
183 return ret;
184 }
185 std::error_code errCode;
186 if (std::filesystem::exists(DEVICE_EL1_DIR, errCode) && !std::filesystem::is_empty(DEVICE_EL1_DIR)) {
187 UpgradeKeys({{0, DEVICE_EL1_DIR}});
188 return RestoreDeviceKey(DEVICE_EL1_DIR);
189 }
190 ret = MkDir(DEVICE_EL1_DIR, S_IRWXU);
191 if (ret && errno != EEXIST) {
192 LOGE("create device el1 key dir = (/data/service/el0/storage_daemon/sd) error");
193 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey::MkDir", 0, ret, "EL1",
194 std::string("errno = ") + std::to_string(errno) + ", path = " + DEVICE_EL1_DIR);
195 return ret;
196 }
197
198 return GenerateAndInstallDeviceKey(DEVICE_EL1_DIR);
199 }
200
GenerateAndInstallUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)201 int KeyManager::GenerateAndInstallUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
202 {
203 LOGW("enter");
204 if (HasElkey(userId, type)) {
205 LOGI("The user %{public}u el %{public}u have existed", userId, type);
206 return 0;
207 }
208 auto elKey = GetBaseKey(dir);
209 if (elKey == nullptr) {
210 return E_GLOBAL_KEY_NULLPTR;
211 }
212 if (type == EL5_KEY) {
213 return GenerateAndInstallEl5Key(userId, dir, auth);
214 }
215 if (elKey->InitKey(true) == false) {
216 LOGE("user security key init failed");
217 return E_ELX_KEY_INIT_ERROR;
218 }
219 auto ret = elKey->StoreKey(auth);
220 if (ret != E_OK) {
221 elKey->ClearKey();
222 LOGE("user security key store failed");
223 return E_ELX_KEY_STORE_ERROR;
224 }
225 if (elKey->ActiveKey(FIRST_CREATE_KEY) != E_OK) {
226 elKey->ClearKey();
227 LOGE("user security key active failed");
228 return E_ELX_KEY_ACTIVE_ERROR;
229 }
230 (void)elKey->UpdateKey();
231 if (type == EL1_KEY) {
232 userEl1Key_[userId] = elKey;
233 } else if (type == EL2_KEY) {
234 userEl2Key_[userId] = elKey;
235 } else if (type == EL3_KEY) {
236 userEl3Key_[userId] = elKey;
237 } else if (type == EL4_KEY) {
238 userEl4Key_[userId] = elKey;
239 }
240 LOGI("key create success");
241 return 0;
242 }
243
GenerateAndInstallEl5Key(uint32_t userId,const std::string & dir,const UserAuth & auth)244 int KeyManager::GenerateAndInstallEl5Key(uint32_t userId, const std::string &dir, const UserAuth &auth)
245 {
246 LOGI("enter");
247 auto elKey = GetBaseKey(dir);
248 if (elKey == nullptr) {
249 return E_GLOBAL_KEY_NULLPTR;
250 }
251 bool isNeedEncryptClassE = true;
252 saveESecretStatus[userId] = true;
253 auto ret = elKey->AddClassE(isNeedEncryptClassE, saveESecretStatus[userId], FIRST_CREATE_KEY);
254 if (ret != E_OK) {
255 elKey->ClearKey();
256 LOGE("user %{public}u el5 create error, error=%{public}d", userId, ret);
257 return E_EL5_ADD_CLASS_ERROR;
258 }
259 std::string keyDir = GetKeyDirByUserAndType(userId, EL5_KEY);
260 if (keyDir == "") {
261 return E_KEY_TYPE_INVALID;
262 }
263 if (!saveESecretStatus[userId]) {
264 OHOS::ForceRemoveDirectory(keyDir);
265 }
266 saveESecretStatus[userId] = (!auth.secret.IsEmpty() && !auth.token.IsEmpty());
267 if (isNeedEncryptClassE) {
268 if (!auth.secret.IsEmpty() && !auth.token.IsEmpty()) {
269 auto ret = elKey->EncryptClassE(auth, saveESecretStatus[userId], userId, USER_ADD_AUTH);
270 if (ret != E_OK) {
271 elKey->ClearKey();
272 LOGE("user %{public}u el5 create error", userId);
273 return E_EL5_ENCRYPT_CLASS_ERROR;
274 }
275 }
276 } else {
277 bool eBufferStatue = false;
278 if (elKey->DecryptClassE(auth, saveESecretStatus[userId], eBufferStatue, userId, false) != E_OK) {
279 LOGE("user %{public}u decrypt error", userId);
280 }
281 }
282 userEl5Key_[userId] = elKey;
283 return 0;
284 }
285
RestoreUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)286 int KeyManager::RestoreUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
287 {
288 LOGI("enter");
289 if (HasElkey(userId, type)) {
290 LOGI("The user %{public}u el %{public}u have existed", userId, type);
291 return E_OK;
292 }
293
294 auto elKey = GetBaseKey(dir);
295 if (elKey == nullptr) {
296 return E_GLOBAL_KEY_NULLPTR;
297 }
298
299 if (elKey->InitKey(false) == false) {
300 LOGE("user security key init failed");
301 return E_ELX_KEY_INIT_ERROR;
302 }
303
304 auto ret = elKey->RestoreKey(auth);
305 if (ret != E_OK) {
306 LOGE("user security key restore failed");
307 return E_ELX_KEY_STORE_ERROR;
308 }
309
310 if (elKey->ActiveKey(RETRIEVE_KEY) != E_OK) {
311 LOGE("user security key active failed");
312 return E_ELX_KEY_ACTIVE_ERROR;
313 }
314
315 if (type == EL1_KEY) {
316 userEl1Key_[userId] = elKey;
317 } else if (type == EL2_KEY) {
318 userEl2Key_[userId] = elKey;
319 } else if (type == EL3_KEY) {
320 userEl3Key_[userId] = elKey;
321 } else if (type == EL4_KEY) {
322 userEl4Key_[userId] = elKey;
323 } else if (type == EL5_KEY) {
324 userEl5Key_[userId] = elKey;
325 }
326 LOGI("key restore success");
327
328 return E_OK;
329 }
330
331 #ifdef USER_CRYPTO_MIGRATE_KEY
ClearAppCloneUserNeedRestore(unsigned int userId,std::string elNeedRestorePath)332 int32_t KeyManager::ClearAppCloneUserNeedRestore(unsigned int userId, std::string elNeedRestorePath)
333 {
334 LOGI("enter");
335 if (userId < StorageService::START_APP_CLONE_USER_ID || userId >= StorageService::MAX_APP_CLONE_USER_ID) {
336 LOGI("Clear userId %{public}d out of range", userId);
337 return E_USERID_RANGE;
338 }
339
340 LOGE("User %{public}d is app clone user, do delete elx need_restore.", userId);
341 std::error_code errCode;
342 if (!std::filesystem::exists(elNeedRestorePath, errCode)) {
343 LOGI("need_restore don't exist, not need to delete.");
344 }
345 (void)remove(elNeedRestorePath.c_str());
346 LOGI("Complete delete need_restore.");
347 return E_OK;
348 }
349 #endif
350
HasElkey(uint32_t userId,KeyType type)351 bool KeyManager::HasElkey(uint32_t userId, KeyType type)
352 {
353 LOGI("enter");
354 switch (type) {
355 case EL1_KEY:
356 if (userEl1Key_.find(userId) != userEl1Key_.end()) {
357 LOGI("user el1 key has existed");
358 return true;
359 }
360 break;
361 case EL2_KEY:
362 if (userEl2Key_.find(userId) != userEl2Key_.end()) {
363 LOGI("user el2 key has existed");
364 return true;
365 }
366 break;
367 case EL3_KEY:
368 if (userEl3Key_.find(userId) != userEl3Key_.end()) {
369 LOGI("user el3 key has existed");
370 return true;
371 }
372 break;
373 case EL4_KEY:
374 if (userEl4Key_.find(userId) != userEl4Key_.end()) {
375 LOGI("user el4 key has existed");
376 return true;
377 }
378 break;
379 case EL5_KEY:
380 if (userEl5Key_.find(userId) != userEl5Key_.end()) {
381 LOGI("user el5 key has existed");
382 return true;
383 }
384 break;
385 default:
386 LOGE("key type error");
387 break;
388 }
389
390 return false;
391 }
392
IsNeedClearKeyFile(std::string file)393 bool KeyManager::IsNeedClearKeyFile(std::string file)
394 {
395 LOGI("enter:");
396 std::error_code errCode;
397 if (!std::filesystem::exists(file, errCode)) {
398 LOGE("file not exist, file is %{private}s", file.c_str());
399 return false;
400 }
401
402 std::string version;
403 if (!OHOS::LoadStringFromFile(file, version)) {
404 LOGE("LoadStringFromFile return fail, file is %{private}s", file.c_str());
405 return false;
406 }
407
408 if (version != DEFAULT_NEED_RESTORE_VERSION && version != DEFAULT_NEED_RESTORE_UPDATE_VERSION) {
409 LOGE("need to clear, file is %{private}s, version is %{public}s.", file.c_str(), version.c_str());
410 return true;
411 }
412 LOGE("no need to clear, file is %{private}s, version is %{public}s", file.c_str(), version.c_str());
413 return false;
414 }
415
ProcUpgradeKey(const std::vector<FileList> & dirInfo)416 void KeyManager::ProcUpgradeKey(const std::vector<FileList> &dirInfo)
417 {
418 LOGI("enter:");
419 for (const auto &it : dirInfo) {
420 std::string needRestorePath = it.path + "/latest/need_restore";
421 if (IsNeedClearKeyFile(needRestorePath)) {
422 bool ret = RmDirRecurse(it.path);
423 if (!ret) {
424 LOGE("remove key dir fail, result is %{public}d, dir %{private}s", ret, it.path.c_str());
425 }
426 }
427 }
428 }
429
LoadAllUsersEl1Key(void)430 int KeyManager::LoadAllUsersEl1Key(void)
431 {
432 LOGI("enter");
433 int ret = E_OK;
434 std::vector<FileList> dirInfo;
435 ReadDigitDir(USER_EL2_DIR, dirInfo);
436 UpgradeKeys(dirInfo);
437 dirInfo.clear();
438 ReadDigitDir(USER_EL1_DIR, dirInfo);
439 UpgradeKeys(dirInfo);
440 for (auto &item : dirInfo) {
441 ret = RestoreUserKey(item.userId, item.path, NULL_KEY_AUTH, EL1_KEY);
442 if (ret != E_OK) {
443 LOGE("user %{public}u el1 key restore error", item.userId);
444 StorageRadar::ReportUserKeyResult("LoadAllUsersEl1Key::RestoreUserKey", item.userId,
445 ret, "EL1", "user el1 path = " + item.path);
446 }
447 }
448
449 /* only for el3/el4 upgrade scene */
450 dirInfo.clear();
451 ReadDigitDir(USER_EL3_DIR, dirInfo);
452 ProcUpgradeKey(dirInfo);
453 dirInfo.clear();
454 ReadDigitDir(USER_EL4_DIR, dirInfo);
455 ProcUpgradeKey(dirInfo);
456 dirInfo.clear();
457 ReadDigitDir(USER_EL5_DIR, dirInfo);
458 ProcUpgradeKey(dirInfo);
459 return ret;
460 }
461
InitUserElkeyStorageDir(void)462 int KeyManager::InitUserElkeyStorageDir(void)
463 {
464 int ret = MkDir(SERVICE_STORAGE_DAEMON_DIR, S_IRWXU);
465 if (ret && errno != EEXIST) {
466 LOGE("make service storage daemon dir error");
467 return ret;
468 }
469
470 ret = MkDir(FSCRYPT_EL_DIR, S_IRWXU);
471 if (ret && errno != EEXIST) {
472 LOGE("make service storage daemon dir error");
473 return ret;
474 }
475
476 ret = MkDir(USER_EL1_DIR, S_IRWXU);
477 if (ret && errno != EEXIST) {
478 LOGE("make el1 storage dir error");
479 return ret;
480 }
481 ret = MkDir(USER_EL2_DIR, S_IRWXU);
482 if (ret && errno != EEXIST) {
483 LOGE("make el2 storage dir error");
484 return ret;
485 }
486 // 0700 means create el3 permissions
487 ret = MkDir(USER_EL3_DIR, S_IRWXU);
488 if (ret && errno != EEXIST) {
489 LOGE("make el3 storage dir error");
490 return ret;
491 }
492 // 0700 means create el4 permissions
493 ret = MkDir(USER_EL4_DIR, S_IRWXU);
494 if (ret && errno != EEXIST) {
495 LOGE("make el4 storage dir error");
496 return ret;
497 }
498 // 0700 means create el5 permissions
499 ret = MkDir(USER_EL5_DIR, S_IRWXU);
500 if (ret && errno != EEXIST) {
501 LOGE("make el5 storage dir error");
502 return ret;
503 }
504 return 0;
505 }
506
InitGlobalUserKeys(void)507 int KeyManager::InitGlobalUserKeys(void)
508 {
509 LOGW("enter");
510 if (!KeyCtrlHasFscryptSyspara()) {
511 return 0;
512 }
513 std::lock_guard<std::mutex> lock(keyMutex_);
514 int ret = InitUserElkeyStorageDir();
515 if (ret) {
516 LOGE("Init user el storage dir failed");
517 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::InitUserElkeyStorageDir", GLOBAL_USER_ID,
518 ret, "EL1", "");
519 return ret;
520 }
521
522 std::string globalUserEl1Path = std::string(USER_EL1_DIR) + "/" + std::to_string(GLOBAL_USER_ID);
523 if (IsDir(globalUserEl1Path)) {
524 ret = RestoreUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
525 if (ret != 0) {
526 LOGE("Restore el1 failed");
527 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::RestoreUserKey", GLOBAL_USER_ID,
528 ret, "EL1", "global user el1 path = " + globalUserEl1Path);
529 return ret;
530 }
531 } else {
532 ret = GenerateAndInstallUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
533 if (ret != 0) {
534 LOGE("Generate el1 failed");
535 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::GenerateAndInstallUserKey", GLOBAL_USER_ID,
536 ret, "EL1", "global user el1 path = " + globalUserEl1Path);
537 return ret;
538 }
539 }
540
541 ret = LoadAllUsersEl1Key();
542 if (ret) {
543 LOGE("Load all users el1 failed");
544 return ret;
545 }
546 LOGW("Init global user key success");
547
548 return 0;
549 }
550
GenerateUserKeys(unsigned int user,uint32_t flags)551 int KeyManager::GenerateUserKeys(unsigned int user, uint32_t flags)
552 {
553 LOGW("start, user:%{public}u", user);
554 if (!KeyCtrlHasFscryptSyspara()) {
555 return 0;
556 }
557 if ((!IsDir(USER_EL1_DIR)) || (!IsDir(USER_EL2_DIR)) || (!IsDir(USER_EL3_DIR)) ||
558 (!IsDir(USER_EL4_DIR)) || (!IsDir(USER_EL5_DIR))) {
559 LOGI("El storage dir is not existed");
560 return -ENOENT;
561 }
562 int ret = GenerateElxAndInstallUserKey(user);
563 if (ret != E_OK) {
564 LOGE("Generate ELX failed!");
565 return ret;
566 }
567 LOGW("Create user el success");
568 return ret;
569 }
570
GenerateElxAndInstallUserKey(unsigned int user)571 int KeyManager::GenerateElxAndInstallUserKey(unsigned int user)
572 {
573 std::string el1Path = std::string(USER_EL1_DIR) + "/" + std::to_string(user);
574 std::string el2Path = std::string(USER_EL2_DIR) + "/" + std::to_string(user);
575 std::string el3Path = std::string(USER_EL3_DIR) + "/" + std::to_string(user);
576 std::string el4Path = std::string(USER_EL4_DIR) + "/" + std::to_string(user);
577 std::string el5Path = std::string(USER_EL5_DIR) + "/" + std::to_string(user);
578 if (IsDir(el1Path) || IsDir(el2Path) || IsDir(el3Path) || IsDir(el4Path) || IsDir(el5Path)) {
579 return CheckAndFixUserKeyDirectory(user);
580 }
581 std::lock_guard<std::mutex> lock(keyMutex_);
582 int ret = GenerateAndInstallUserKey(user, el1Path, NULL_KEY_AUTH, EL1_KEY);
583 if (ret) {
584 LOGE("user el1 create error");
585 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL1", "el1Path = " + el1Path);
586 return ret;
587 }
588
589 ret = GenerateAndInstallUserKey(user, el2Path, NULL_KEY_AUTH, EL2_KEY);
590 if (ret) {
591 DoDeleteUserKeys(user);
592 LOGE("user el2 create error");
593 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL2", "el2Path = " + el2Path);
594 return ret;
595 }
596 ret = GenerateAndInstallUserKey(user, el3Path, NULL_KEY_AUTH, EL3_KEY);
597 if (ret) {
598 DoDeleteUserKeys(user);
599 LOGE("user el3 create error");
600 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL3", "el3Path = " + el3Path);
601 return ret;
602 }
603 ret = GenerateAndInstallUserKey(user, el4Path, NULL_KEY_AUTH, EL4_KEY);
604 if (ret) {
605 DoDeleteUserKeys(user);
606 LOGE("user el4 create error");
607 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL4", "el4Path = " + el4Path);
608 return ret;
609 }
610 ret = GenerateAndInstallUserKey(user, el5Path, NULL_KEY_AUTH, EL5_KEY);
611 if (ret) {
612 DoDeleteUserKeys(user);
613 LOGE("user el5 create error");
614 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL5", "el5Path = " + el5Path);
615 return ret;
616 }
617 saveLockScreenStatus[user] = true;
618 return ret;
619 }
620
CheckAndFixUserKeyDirectory(unsigned int user)621 int KeyManager::CheckAndFixUserKeyDirectory(unsigned int user)
622 {
623 std::string el1NeedRestorePath = std::string(USER_EL1_DIR) + "/" + std::to_string(user) + RESTORE_DIR;
624 std::error_code errCode;
625 if (std::filesystem::exists(el1NeedRestorePath, errCode)) {
626 LOGE("el1 need_restore file is existed, upgrade scene not support.");
627 return -EEXIST;
628 }
629 int ret = GenerateIntegrityDirs(user, EL1_KEY);
630 if (ret != -EEXIST) {
631 LOGE("GenerateIntegrityDirs el1 failed.");
632 StorageRadar::ReportUserKeyResult("GenerateIntegrityDirs", user, ret, "EL1", "");
633 }
634 ret = GenerateIntegrityDirs(user, EL2_KEY);
635 if (ret != -EEXIST) {
636 LOGE("GenerateIntegrityDirs el2 failed.");
637 StorageRadar::ReportUserKeyResult("GenerateIntegrityDirs", user, ret, "EL2", "");
638 }
639 return ret;
640 }
641
GenerateIntegrityDirs(int32_t userId,KeyType type)642 int KeyManager::GenerateIntegrityDirs(int32_t userId, KeyType type)
643 {
644 std::string dirType = (type == EL1_KEY) ? EL1 : EL2;
645 std::string userDir = std::string(FSCRYPT_EL_DIR) + "/" + dirType;
646 uint32_t flag_type = (type == EL1_KEY) ? IStorageDaemon::CRYPTO_FLAG_EL1 : IStorageDaemon::CRYPTO_FLAG_EL2;
647 std::string versionElx = userDir + "/" + std::to_string(userId) + FSCRYPT_VERSION_DIR;
648 std::string encryptElx = userDir + "/" + std::to_string(userId) + ENCRYPT_VERSION_DIR;
649 std::string discardElx = userDir + "/" + std::to_string(userId) + SEC_DISCARD_DIR;
650 std::string shieldElx = userDir + "/" + std::to_string(userId) + SHIELD_DIR;
651 std::error_code errCode;
652 if (!std::filesystem::exists(versionElx, errCode) || !std::filesystem::exists(encryptElx, errCode) ||
653 !std::filesystem::exists(shieldElx, errCode) || !std::filesystem::exists(discardElx, errCode) ||
654 !IsWorkDirExist(dirType, userId)) {
655 LOGE("user %{public}d el %{public}d is not integrity. create error", userId, type);
656 std::string extraData =
657 "dir is not Integrity , userId =" + std::to_string(userId) + ", type = " + std::to_string(type);
658 StorageRadar::ReportUserKeyResult("GenerateIntegrityDirs", userId, E_DIR_INTEGRITY_ERR, dirType,
659 extraData);
660 int ret = DoDeleteUserCeEceSeceKeys(userId, userDir, type == EL1_KEY ? userEl1Key_ : userEl2Key_);
661 if (ret != E_OK) {
662 LOGE("Delete userId=%{public}d el %{public}d key failed", userId, type);
663 }
664
665 ret = GenerateUserKeyByType(userId, type, {}, {});
666 if (ret != E_OK) {
667 LOGE("upgrade scene:generate user key fail, userId %{public}d, KeyType %{public}d", userId, type);
668 return ret;
669 }
670
671 LOGI("try to destory dir first, user %{public}d, Type %{public}d", userId, type);
672 (void)UserManager::GetInstance()->DestroyUserDirs(userId, flag_type);
673 ret = UserManager::GetInstance()->PrepareUserDirs(userId, flag_type);
674 if (ret != E_OK) {
675 LOGE("upgrade scene:prepare user dirs fail, userId %{public}d, type %{public}d", userId, type);
676 return ret;
677 }
678 }
679 LOGI("userId=%{public}d el %{public}d directory is existed, no need fix.", userId, type);
680 return -EEXIST;
681 }
682
IsWorkDirExist(std::string type,int32_t userId)683 bool KeyManager::IsWorkDirExist(std::string type, int32_t userId)
684 {
685 std::string dataDir = std::string(DATA_DIR) + type + "/" + std::to_string(userId);
686 std::string serviceDir = std::string(SERVICE_DIR) + type + "/" + std::to_string(userId);
687 std::error_code errCode;
688 bool isExist = std::filesystem::exists(dataDir, errCode) && std::filesystem::exists(serviceDir, errCode);
689 return isExist;
690 }
691
GenerateUserKeyByType(unsigned int user,KeyType type,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)692 int KeyManager::GenerateUserKeyByType(unsigned int user, KeyType type,
693 const std::vector<uint8_t> &token,
694 const std::vector<uint8_t> &secret)
695 {
696 LOGI("start, user:%{public}u, type %{public}u", user, type);
697 if (!KeyCtrlHasFscryptSyspara()) {
698 return 0;
699 }
700
701 std::lock_guard<std::mutex> lock(keyMutex_);
702 std::string elPath = GetKeyDirByType(type);
703 if (!IsDir(elPath)) {
704 LOGI("El storage dir is not existed");
705 return -ENOENT;
706 }
707
708 std::string elUserKeyPath = elPath + + "/" + std::to_string(user);
709 if (IsDir(elUserKeyPath)) {
710 LOGE("user %{public}d el key have existed, create error", user);
711 return -EEXIST;
712 }
713 uint64_t secureUid = { 0 };
714 if (!secret.empty() && !token.empty()) {
715 IamClient::GetInstance().GetSecureUid(user, secureUid);
716 LOGE("token is exist, get secure uid");
717 }
718 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
719 int ret = GenerateAndInstallUserKey(user, elUserKeyPath, auth, type);
720 if (ret) {
721 LOGE("user el create error, user %{public}u, type %{public}u", user, type);
722 StorageRadar::ReportUserKeyResult("GenerateUserKeyByType::GenerateAndInstallUserKey",
723 user, ret, std::to_string(type), "user key path = " + elUserKeyPath);
724 return ret;
725 }
726 LOGI("Create user el success, user %{public}u, type %{public}u", user, type);
727
728 return 0;
729 }
730
DoDeleteUserCeEceSeceKeys(unsigned int user,const std::string userDir,std::map<unsigned int,std::shared_ptr<BaseKey>> & userElKey_)731 int KeyManager::DoDeleteUserCeEceSeceKeys(unsigned int user,
732 const std::string userDir,
733 std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
734 {
735 LOGI("enter, userDir is %{public}s", userDir.c_str());
736 int ret = 0;
737 auto it = userElKey_.find(user);
738 #ifdef USER_CRYPTO_MIGRATE_KEY
739 if (userDir == USER_EL1_DIR) {
740 std::string elNeedRestorePath = std::string(USER_EL1_DIR) + "/" + std::to_string(user) + RESTORE_DIR;
741 (void)ClearAppCloneUserNeedRestore(user, elNeedRestorePath);
742 }
743 #endif
744 if (it != userElKey_.end()) {
745 auto elKey = it->second;
746 if (!elKey->ClearKey()) {
747 LOGE("clear key failed");
748 ret = E_CLEAR_KEY_FAILED;
749 }
750 userElKey_.erase(user);
751 saveLockScreenStatus.erase(user);
752 } else {
753 std::string elPath = userDir + "/" + std::to_string(user);
754 std::shared_ptr<BaseKey> elKey = GetBaseKey(elPath);
755 if (elKey == nullptr) {
756 LOGE("Malloc el1 Basekey memory failed");
757 return E_PARAMS_NULLPTR_ERR;
758 }
759 if (!elKey->ClearKey()) {
760 LOGE("clear key failed");
761 ret = E_CLEAR_KEY_FAILED;
762 }
763 }
764 LOGI("end, ret is %{public}d", ret);
765 return ret;
766 }
767
DoDeleteUserKeys(unsigned int user)768 int KeyManager::DoDeleteUserKeys(unsigned int user)
769 {
770 int errCode = 0;
771 int deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL1_DIR, userEl1Key_);
772 const std::string elxPath("elx path=");
773 if (deleteRet != 0) {
774 LOGE("Delete el1 key failed");
775 errCode = deleteRet;
776 StorageRadar::ReportUserKeyResult("DoDeleteUserKeys", user, errCode, "El1", elxPath + USER_EL1_DIR);
777 }
778 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL2_DIR, userEl2Key_);
779 if (deleteRet != 0) {
780 LOGE("Delete el2 key failed");
781 errCode = deleteRet;
782 StorageRadar::ReportUserKeyResult("DoDeleteUserKeys", user, errCode, "El2", elxPath + USER_EL2_DIR);
783 }
784 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL3_DIR, userEl3Key_);
785 if (deleteRet != 0) {
786 LOGE("Delete el3 key failed");
787 errCode = deleteRet;
788 StorageRadar::ReportUserKeyResult("DoDeleteUserKeys", user, errCode, "El3", elxPath + USER_EL3_DIR);
789 }
790 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL4_DIR, userEl4Key_);
791 if (deleteRet != 0) {
792 LOGE("Delete el4 key failed");
793 errCode = deleteRet;
794 StorageRadar::ReportUserKeyResult("DoDeleteUserKeys", user, errCode, "El4", elxPath + USER_EL4_DIR);
795 }
796 if (IsUeceSupportWithErrno() != ENOENT) {
797 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL5_DIR, userEl5Key_);
798 if (deleteRet != 0) {
799 LOGE("Delete el5 key failed");
800 errCode = deleteRet;
801 StorageRadar::ReportUserKeyResult("DoDeleteUserKeys", user, errCode, "El5", elxPath + USER_EL5_DIR);
802 }
803 }
804 return errCode;
805 }
806
DeleteUserKeys(unsigned int user)807 int KeyManager::DeleteUserKeys(unsigned int user)
808 {
809 LOGI("start, user:%{public}d", user);
810 if (!KeyCtrlHasFscryptSyspara()) {
811 return 0;
812 }
813
814 std::lock_guard<std::mutex> lock(keyMutex_);
815 int ret = DoDeleteUserKeys(user);
816 LOGI("delete user key end, ret is %{public}d", ret);
817
818 auto userTask = userLockScreenTask_.find(user);
819 if (userTask != userLockScreenTask_.end()) {
820 userLockScreenTask_.erase(userTask);
821 LOGI("Delete user %{public}u, erase user task", user);
822 }
823 return ret;
824 }
825
BuildSecretStatus(struct UserTokenSecret & userTokenSecret)826 std::string BuildSecretStatus(struct UserTokenSecret &userTokenSecret)
827 {
828 std::string isOldEmy = userTokenSecret.oldSecret.empty() ? "true" : "false";
829 std::string isNewEmy = userTokenSecret.newSecret.empty() ? "true" : "false";
830 return "oldSecret isEmpty = " + isOldEmy + ", newSecret isEmpty = " + isNewEmy;
831 }
832
833 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,bool needGenerateShield)834 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
835 bool needGenerateShield)
836 #else
837 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret)
838 #endif
839 {
840 std::lock_guard<std::mutex> lock(keyMutex_);
841 std::string secretInfo = BuildSecretStatus(userTokenSecret);
842 #ifdef USER_CRYPTO_MIGRATE_KEY
843 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY, needGenerateShield);
844 if (ret != 0) {
845 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth_Migrate", user, ret, "EL2", secretInfo);
846 return ret;
847 }
848 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY, needGenerateShield);
849 if (ret != 0) {
850 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
851 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth_Migrate", user, ret, "EL3", secretInfo);
852 return ret;
853 }
854 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY, needGenerateShield);
855 if (ret != 0) {
856 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
857 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth_Migrate", user, ret, "EL4", secretInfo);
858 return ret;
859 }
860 #else
861 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY);
862 if (ret != 0) {
863 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth", user, ret, "EL2", secretInfo);
864 return ret;
865 }
866 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY);
867 if (ret != 0) {
868 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
869 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth", user, ret, "EL3", secretInfo);
870 return ret;
871 }
872 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY);
873 if (ret != 0) {
874 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
875 StorageRadar::ReportUpdateUserAuth("UpdateCeEceSeceUserAuth", user, ret, "EL4", secretInfo);
876 return ret;
877 }
878 #endif
879 ret = UpdateESecret(user, userTokenSecret);
880 if (ret != 0) {
881 LOGE("user %{public}u UpdateESecret fail", user);
882 StorageRadar::ReportUpdateUserAuth("UpdateESecret", user, ret, "EL5", secretInfo);
883 return ret;
884 }
885 return ret;
886 }
887
UpdateUseAuthWithRecoveryKey(const std::vector<uint8_t> & authToken,const std::vector<uint8_t> & newSecret,uint64_t secureUid,uint32_t userId,std::vector<std::vector<uint8_t>> & plainText)888 int32_t KeyManager::UpdateUseAuthWithRecoveryKey(const std::vector<uint8_t> &authToken,
889 const std::vector<uint8_t> &newSecret, uint64_t secureUid, uint32_t userId,
890 std::vector<std::vector<uint8_t>> &plainText)
891 {
892 LOGI("enter UpdateUseAuthWithRecoveryKey start, user:%{public}d", userId);
893 std::string el2Path = std::string(USER_EL2_DIR) + "/" + std::to_string(userId);
894 std::string el3Path = std::string(USER_EL3_DIR) + "/" + std::to_string(userId);
895 std::string el4Path = std::string(USER_EL4_DIR) + "/" + std::to_string(userId);
896 std::vector<std::string> elKeyDirs = {el2Path, el3Path, el4Path};
897
898 uint32_t i = 0;
899 for (const auto &elxKeyDir : elKeyDirs) {
900 if (!IsDir(elxKeyDir)) {
901 LOGE("Have not found type %{public}s", elxKeyDir.c_str());
902 return E_KEY_TYPE_INVALID;
903 }
904 std::shared_ptr<BaseKey> elxKey = GetBaseKey(elxKeyDir);
905 if (elxKey == nullptr) {
906 LOGE("load elx key failed , key path is %{public}s", elxKeyDir.c_str());
907 return E_PARAMS_NULLPTR_ERR;
908 }
909
910 if (plainText.size() < elKeyDirs.size()) {
911 LOGE("plain text size error");
912 return E_PARAMS_INVALID;
913 }
914 KeyBlob originKey(plainText[i]);
915 elxKey->SetOriginKey(originKey);
916 i++;
917 auto ret = elxKey->StoreKey({authToken, newSecret, secureUid});
918 if (ret != E_OK) {
919 LOGE("Store key error");
920 return E_ELX_KEY_STORE_ERROR;
921 }
922 }
923 if (IsUeceSupport()) {
924 std::shared_ptr<BaseKey> el5Key = GetBaseKey(std::string(USER_EL5_DIR) + "/" + std::to_string(userId));
925 if (!el5Key) {
926 return E_PARAMS_NULLPTR_ERR;
927 }
928 bool tempUeceSupport = true;
929 UserAuth userAuth = {.token = authToken, .secret = newSecret, .secureUid = secureUid};
930 auto ret = el5Key->EncryptClassE(userAuth, tempUeceSupport, userId, USER_ADD_AUTH);
931 if (ret != E_OK) {
932 el5Key->ClearKey();
933 LOGE("user %{public}u Encrypt E fail", userId);
934 return E_EL5_ENCRYPT_CLASS_ERROR;
935 }
936 ret = el5Key->LockUece(tempUeceSupport);
937 if (ret != E_OK) {
938 LOGE("lock user %{public}u key failed !", userId);
939 }
940 }
941 return E_OK;
942 }
943
UpdateESecret(unsigned int user,struct UserTokenSecret & tokenSecret)944 int KeyManager::UpdateESecret(unsigned int user, struct UserTokenSecret &tokenSecret)
945 {
946 LOGW("UpdateESecret enter");
947 std::shared_ptr<BaseKey> el5Key = GetUserElKey(user, EL5_KEY);
948 std::string el5Path = std::string(USER_EL5_DIR) + "/" + std::to_string(user);
949 if (IsUeceSupport() && el5Key == nullptr) {
950 if (!MkDirRecurse(el5Path, S_IRWXU)) {
951 LOGE("MkDirRecurse %{public}u failed!", user);
952 return E_CREATE_DIR_RECURSIVE_FAILED;
953 }
954 LOGI("MkDirRecurse %{public}u success!", user);
955 el5Key = GetUserElKey(user, EL5_KEY);
956 }
957 if (el5Key == nullptr) {
958 LOGE("Have not found user %{public}u el key", user);
959 return E_PARAMS_NULLPTR_ERR;
960 }
961 if (tokenSecret.newSecret.empty()) {
962 auto ret = el5Key->DeleteClassEPinCode(user);
963 if (ret != E_OK) {
964 LOGE("user %{public}u DeleteClassE fail, error=%{public}d", user, ret);
965 return E_EL5_DELETE_CLASS_ERROR;
966 }
967 saveESecretStatus[user] = false;
968 return 0;
969 }
970 if (!tokenSecret.newSecret.empty() && !tokenSecret.oldSecret.empty()) {
971 saveESecretStatus[user] = true;
972 auto ret = el5Key->ChangePinCodeClassE(saveESecretStatus[user], user);
973 if (ret != E_OK) {
974 LOGE("user %{public}u ChangePinCodeClassE fail, error=%{public}d", user, ret);
975 return E_EL5_UPDATE_CLASS_ERROR;
976 }
977 return 0;
978 }
979 uint32_t status = tokenSecret.oldSecret.empty() ? USER_ADD_AUTH : USER_CHANGE_AUTH;
980 LOGI("UpdateESecret status is %{public}u", status);
981 UserAuth auth = { .token = tokenSecret.token, .secret = tokenSecret.newSecret, .secureUid = tokenSecret.secureUid };
982 saveESecretStatus[user] = true;
983 auto ret = el5Key->EncryptClassE(auth, saveESecretStatus[user], user, status);
984 if (ret != E_OK) {
985 LOGE("user %{public}u EncryptClassE fail", user);
986 return E_EL5_ENCRYPT_CLASS_ERROR;
987 }
988 LOGW("saveESecretStatus is %{public}u", saveESecretStatus[user]);
989 return 0;
990 }
991
992 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateCeEceSeceUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,KeyType type,bool needGenerateShield)993 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
994 struct UserTokenSecret &userTokenSecret,
995 KeyType type, bool needGenerateShield)
996 #else
997 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
998 struct UserTokenSecret &userTokenSecret,
999 KeyType type)
1000 #endif
1001 {
1002 LOGW("start, user:%{public}d", user);
1003 if (!KeyCtrlHasFscryptSyspara()) {
1004 return E_OK;
1005 }
1006 std::shared_ptr<BaseKey> item = GetUserElKey(user, type);
1007 if (item == nullptr) {
1008 LOGE("Have not found user %{public}u el key", user);
1009 return E_PARAMS_NULLPTR_ERR;
1010 }
1011
1012 UserAuth auth = { {}, userTokenSecret.oldSecret, userTokenSecret.secureUid };
1013 LOGW("param status token:%{public}d, oldSec:%{public}d, newSec:%{public}d", userTokenSecret.token.empty(),
1014 userTokenSecret.oldSecret.empty(), userTokenSecret.newSecret.empty());
1015 if (!userTokenSecret.oldSecret.empty()) {
1016 KeyBlob token(userTokenSecret.token);
1017 auth.token = std::move(token);
1018 }
1019 if ((item->RestoreKey(auth) != E_OK) && (item->RestoreKey(NULL_KEY_AUTH) != E_OK)) {
1020 LOGE("Restore key error");
1021 return E_RESTORE_KEY_FAILED;
1022 }
1023 if (!userTokenSecret.newSecret.empty()) {
1024 KeyBlob token(userTokenSecret.token);
1025 KeyBlob newSecret(userTokenSecret.newSecret);
1026 auth.token = std::move(token);
1027 auth.secret = std::move(newSecret);
1028 } else {
1029 auth.token.Clear();
1030 auth.secret.Clear();
1031 }
1032 #ifdef USER_CRYPTO_MIGRATE_KEY
1033 auto ret = item->StoreKey(auth, needGenerateShield);
1034 #else
1035 auto ret = item->StoreKey(auth);
1036 #endif
1037 if (ret != E_OK) {
1038 LOGE("Store key error");
1039 return E_ELX_KEY_STORE_ERROR;
1040 }
1041
1042 userPinProtect[user] = !userTokenSecret.newSecret.empty();
1043 return 0;
1044 }
1045
CheckNeedRestoreVersion(unsigned int user,KeyType type)1046 int KeyManager::CheckNeedRestoreVersion(unsigned int user, KeyType type)
1047 {
1048 std::error_code errCode;
1049 std::string restore_version;
1050 std::string need_restore_path = GetKeyDirByUserAndType(user, type) + RESTORE_DIR;
1051 (void)OHOS::LoadStringFromFile(need_restore_path, restore_version);
1052 if (std::filesystem::exists(need_restore_path, errCode) &&
1053 restore_version == DEFAULT_NEED_RESTORE_UPDATE_VERSION && !IsAppCloneUser(user)) {
1054 LOGI("NEED_RESTORE path exist: %{public}s, errcode: %{public}d", need_restore_path.c_str(), errCode.value());
1055 return type == EL5_KEY ? -ENONET : -EFAULT;
1056 }
1057 return E_OK;
1058 }
1059
GetKeyDirByUserAndType(unsigned int user,KeyType type)1060 std::string KeyManager::GetKeyDirByUserAndType(unsigned int user, KeyType type)
1061 {
1062 std::string keyDir = "";
1063 switch (type) {
1064 case EL1_KEY:
1065 keyDir = std::string(USER_EL1_DIR) + "/" + std::to_string(user);
1066 break;
1067 case EL2_KEY:
1068 keyDir = std::string(USER_EL2_DIR) + "/" + std::to_string(user);
1069 break;
1070 case EL3_KEY:
1071 keyDir = std::string(USER_EL3_DIR) + "/" + std::to_string(user);
1072 break;
1073 case EL4_KEY:
1074 keyDir = std::string(USER_EL4_DIR) + "/" + std::to_string(user);
1075 break;
1076 case EL5_KEY:
1077 keyDir = std::string(USER_EL5_DIR) + "/" + std::to_string(user);
1078 break;
1079 default:
1080 LOGE("GetKeyDirByUserAndType type %{public}u is invalid", type);
1081 break;
1082 }
1083 return keyDir;
1084 }
1085
GetNatoNeedRestorePath(uint32_t userId,KeyType type)1086 std::string KeyManager::GetNatoNeedRestorePath(uint32_t userId, KeyType type)
1087 {
1088 std::string keyDir = "";
1089 switch (type) {
1090 case EL2_KEY:
1091 keyDir = std::string(NATO_EL2_DIR) + "/" + std::to_string(userId);
1092 break;
1093 case EL3_KEY:
1094 keyDir = std::string(NATO_EL3_DIR) + "/" + std::to_string(userId);
1095 break;
1096 case EL4_KEY:
1097 keyDir = std::string(NATO_EL4_DIR) + "/" + std::to_string(userId);
1098 break;
1099 default:
1100 LOGE("GetNatoNeedRestorePath type %{public}u is invalid", type);
1101 break;
1102 }
1103 return keyDir;
1104 }
1105
GetKeyDirByType(KeyType type)1106 std::string KeyManager::GetKeyDirByType(KeyType type)
1107 {
1108 std::string keyDir = "";
1109 switch (type) {
1110 case EL1_KEY:
1111 keyDir = USER_EL1_DIR;
1112 break;
1113 case EL2_KEY:
1114 keyDir = USER_EL2_DIR;
1115 break;
1116 case EL3_KEY:
1117 keyDir = USER_EL3_DIR;
1118 break;
1119 case EL4_KEY:
1120 keyDir = USER_EL4_DIR;
1121 break;
1122 case EL5_KEY:
1123 keyDir = USER_EL5_DIR;
1124 break;
1125 default:
1126 LOGE("GetKeyDirByType type %{public}u is invalid", type);
1127 break;
1128 }
1129 return keyDir;
1130 }
1131
SaveUserElKey(unsigned int user,KeyType type,std::shared_ptr<BaseKey> elKey)1132 void KeyManager::SaveUserElKey(unsigned int user, KeyType type, std::shared_ptr<BaseKey> elKey)
1133 {
1134 switch (type) {
1135 case EL1_KEY:
1136 userEl1Key_[user] = elKey;
1137 break;
1138 case EL2_KEY:
1139 userEl2Key_[user] = elKey;
1140 break;
1141 case EL3_KEY:
1142 userEl3Key_[user] = elKey;
1143 break;
1144 case EL4_KEY:
1145 userEl4Key_[user] = elKey;
1146 break;
1147 case EL5_KEY:
1148 userEl5Key_[user] = elKey;
1149 break;
1150 default:
1151 LOGE("SaveUserElKey type %{public}u is invalid", type);
1152 }
1153 }
1154
GetUserElKey(unsigned int user,KeyType type)1155 std::shared_ptr<BaseKey> KeyManager::GetUserElKey(unsigned int user, KeyType type)
1156 {
1157 bool isNeedGenerateBaseKey = false;
1158 std::shared_ptr<BaseKey> elKey = nullptr;
1159 if (!HasElkey(user, type)) {
1160 LOGE("Have not found user %{public}u key, type %{public}u", user, type);
1161 std::string keyDir = GetKeyDirByUserAndType(user, type);
1162 if (!IsDir(keyDir)) {
1163 LOGE("Have not found user %{public}u el, %{public}u type", user, type);
1164 return nullptr;
1165 }
1166 elKey = GetBaseKey(keyDir);
1167 if (elKey == nullptr) {
1168 LOGE("BaseKey memory failed");
1169 return nullptr;
1170 }
1171 isNeedGenerateBaseKey = true;
1172 LOGI("Generate new baseKey type: %{public}u", type);
1173 }
1174
1175 switch (type) {
1176 case EL1_KEY:
1177 if (isNeedGenerateBaseKey) {
1178 userEl1Key_[user] = elKey;
1179 }
1180 return userEl1Key_[user];
1181 case EL2_KEY:
1182 if (isNeedGenerateBaseKey) {
1183 userEl2Key_[user] = elKey;
1184 }
1185 return userEl2Key_[user];
1186 case EL3_KEY:
1187 if (isNeedGenerateBaseKey) {
1188 userEl3Key_[user] = elKey;
1189 }
1190 return userEl3Key_[user];
1191 case EL4_KEY:
1192 if (isNeedGenerateBaseKey) {
1193 userEl4Key_[user] = elKey;
1194 }
1195 return userEl4Key_[user];
1196 case EL5_KEY:
1197 if (isNeedGenerateBaseKey) {
1198 userEl5Key_[user] = elKey;
1199 }
1200 return userEl5Key_[user];
1201 default:
1202 LOGE("GetUserElKey type %{public}u is invalid", type);
1203 return nullptr;
1204 }
1205 }
1206
ActiveCeSceSeceUserKey(unsigned int user,KeyType type,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1207 int KeyManager::ActiveCeSceSeceUserKey(unsigned int user,
1208 KeyType type,
1209 const std::vector<uint8_t> &token,
1210 const std::vector<uint8_t> &secret)
1211 {
1212 if (!KeyCtrlHasFscryptSyspara()) {
1213 return 0;
1214 }
1215 int ret = CheckNeedRestoreVersion(user, type);
1216 if (ret == -EFAULT || ret == -ENOENT) {
1217 return ret;
1218 }
1219 if (CheckUserPinProtect(user, token, secret) != E_OK) {
1220 LOGE("IAM & Storage mismatch, wait user input pin.");
1221 return E_CHECK_USER_PIN_PROTECT_ERR;
1222 }
1223 std::lock_guard<std::mutex> lock(keyMutex_);
1224 if (HasElkey(user, type) && HashElxActived(user, type)) {
1225 LOGE("The user %{public}u el have been actived, key type is %{public}u", user, type);
1226 return 0;
1227 }
1228 std::shared_ptr<DelayHandler> userDelayHandler;
1229 if (GetUserDelayHandler(user, userDelayHandler)) {
1230 userDelayHandler->CancelDelayTask();
1231 }
1232 std::string keyDir = GetKeyDirByUserAndType(user, type);
1233 if (keyDir == "") {
1234 return E_KEY_TYPE_INVALID;
1235 }
1236 if (!CheckDir(type, keyDir, user)) {
1237 return -ENOENT;
1238 }
1239 std::shared_ptr<BaseKey> elKey = GetBaseKey(keyDir);
1240 if (elKey == nullptr) {
1241 LOGE("elKey failed");
1242 return -EOPNOTSUPP;
1243 }
1244 if (type == EL5_KEY) {
1245 return ActiveUece(user, elKey, token, secret);
1246 }
1247 if (ActiveElXUserKey(user, token, type, secret, elKey) != 0) {
1248 LOGE("ActiveElXUserKey failed");
1249 return E_ELX_KEY_ACTIVE_ERROR;
1250 }
1251 SaveUserElKey(user, type, elKey);
1252 userPinProtect[user] = !secret.empty();
1253 saveLockScreenStatus[user] = true;
1254 LOGI("Active user %{public}u el success, saveLockScreenStatus is %{public}d", user, saveLockScreenStatus[user]);
1255 return 0;
1256 }
1257
ActiveElxUserKey4Nato(unsigned int user,KeyType type)1258 int KeyManager::ActiveElxUserKey4Nato(unsigned int user, KeyType type)
1259 {
1260 LOGW("Active Elx user key for nato for userId=%{public}d, keyType=%{public}u", user, type);
1261 if (!KeyCtrlHasFscryptSyspara()) {
1262 return E_OK;
1263 }
1264 std::lock_guard<std::mutex> lock(keyMutex_);
1265 std::string keyDir = GetNatoNeedRestorePath(user, type);
1266 if (keyDir == "") {
1267 return E_KEY_TYPE_INVALID;
1268 }
1269 if (!CheckDir(type, keyDir, user)) {
1270 return E_NATO_CHECK_KEY_DIR_ERROR;
1271 }
1272 std::shared_ptr<BaseKey> elKey = GetBaseKey(keyDir);
1273 if (elKey == nullptr) {
1274 LOGE("GetBaseKey nato for userId=%{public}d el%{public}u failed.", user, type);
1275 return E_PARAMS_NULLPTR_ERR;
1276 }
1277 if (!elKey->InitKey(false)) {
1278 LOGE("InitKey nato for userId=%{public}d el%{public}u failed.", user, type);
1279 return E_NATO_INIT_USER_KEY_ERROR;
1280 }
1281 if (elKey->RestoreKey4Nato(keyDir, type) != E_OK) {
1282 LOGE("RestoreKey nato for userId=%{public}d el%{public}u failed.", user, type);
1283 return E_NATO_RESTORE_USER_KEY_ERROR;
1284 }
1285 if (elKey->ActiveKey(RETRIEVE_KEY) != E_OK) {
1286 LOGE("ActiveKey nato for userId=%{public}d el%{public}u failed.", user, type);
1287 return E_NATO_ACTIVE_EL4_KEY_ERROR;
1288 }
1289 LOGW("Active Elx user key for nato for userId=%{public}d, keyType=%{public}u success.", user, type);
1290 return E_OK;
1291 }
1292
ActiveUece(unsigned int user,std::shared_ptr<BaseKey> elKey,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1293 int KeyManager::ActiveUece(unsigned int user,
1294 std::shared_ptr<BaseKey> elKey,
1295 const std::vector<uint8_t> &token,
1296 const std::vector<uint8_t> &secret)
1297 {
1298 if (ActiveUeceUserKey(user, token, secret, elKey) != 0) {
1299 LOGE("ActiveUeceUserKey failed");
1300 return E_ELX_KEY_ACTIVE_ERROR;
1301 }
1302 return 0;
1303 }
1304
CheckDir(KeyType type,std::string keyDir,unsigned int user)1305 bool KeyManager::CheckDir(KeyType type, std::string keyDir, unsigned int user)
1306 {
1307 if ((type != EL5_KEY) && !IsDir(keyDir)) {
1308 LOGE("Have not found user %{public}u el", user);
1309 return false;
1310 }
1311 if ((type == EL5_KEY) && CheckAndDeleteEmptyEl5Directory(keyDir, user) != 0) {
1312 return false;
1313 }
1314 return true;
1315 }
1316
HashElxActived(unsigned int user,KeyType type)1317 bool KeyManager::HashElxActived(unsigned int user, KeyType type)
1318 {
1319 LOGI("enter");
1320 switch (type) {
1321 case EL1_KEY:
1322 return HasElxDesc(userEl1Key_, type, user);
1323 case EL2_KEY:
1324 return HasElxDesc(userEl2Key_, type, user);
1325 case EL3_KEY:
1326 return HasElxDesc(userEl3Key_, type, user);
1327 case EL4_KEY:
1328 return HasElxDesc(userEl4Key_, type, user);
1329 case EL5_KEY:
1330 return HasElxDesc(userEl5Key_, type, user);
1331 default:
1332 LOGE("key type error");
1333 break;
1334 }
1335 return false;
1336 }
1337
HasElxDesc(std::map<unsigned int,std::shared_ptr<BaseKey>> & userElKey_,KeyType type,unsigned int user)1338 bool KeyManager::HasElxDesc(std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
1339 KeyType type,
1340 unsigned int user)
1341 {
1342 LOGI("Enter.");
1343 auto it = userElKey_.find(user);
1344 if (it != userElKey_.end()) {
1345 auto elKey = it->second;
1346 if (elKey == nullptr) {
1347 LOGI("The ElKey is nullptr: %{public}d", elKey == nullptr);
1348 return false;
1349 }
1350
1351 if (it != userElKey_.end() && !elKey->KeyDescIsEmpty()) {
1352 LOGI("user el%{public}u key desc has existed", type);
1353 return true;
1354 }
1355 }
1356 return false;
1357 }
1358
IsAppCloneUser(unsigned int user)1359 bool KeyManager::IsAppCloneUser(unsigned int user)
1360 {
1361 return user >= START_APP_CLONE_USER_ID && user <= MAX_APP_CLONE_USER_ID;
1362 }
1363
CheckAndDeleteEmptyEl5Directory(std::string keyDir,unsigned int user)1364 int KeyManager::CheckAndDeleteEmptyEl5Directory(std::string keyDir, unsigned int user)
1365 {
1366 std::string keyUeceDir = std::string(UECE_DIR) + "/" + std::to_string(user);
1367 if (!IsDir(keyDir) || !IsDir(keyUeceDir)) {
1368 LOGE("Have not found dir %{public}u el5", user);
1369 return -ENOENT;
1370 }
1371
1372 if (IsDir(keyDir) && std::filesystem::is_empty(keyDir)) {
1373 OHOS::ForceRemoveDirectory(keyDir);
1374 LOGE("Have removed key dir %{public}u el5", user);
1375 return -ENOENT;
1376 }
1377 return 0;
1378 }
1379
GetUserDelayHandler(uint32_t userId,std::shared_ptr<DelayHandler> & delayHandler)1380 bool KeyManager::GetUserDelayHandler(uint32_t userId, std::shared_ptr<DelayHandler> &delayHandler)
1381 {
1382 LOGI("enter");
1383 auto iterTask = userLockScreenTask_.find(userId);
1384 if (iterTask == userLockScreenTask_.end()) {
1385 userLockScreenTask_[userId] = std::make_shared<DelayHandler>(userId);
1386 }
1387 delayHandler = userLockScreenTask_[userId];
1388 if (delayHandler == nullptr) {
1389 LOGE("user %{public}d delayHandler is nullptr !", userId);
1390 return false;
1391 }
1392 return true;
1393 }
1394
ActiveUeceUserKey(unsigned int user,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret,std::shared_ptr<BaseKey> elKey)1395 int KeyManager::ActiveUeceUserKey(unsigned int user,
1396 const std::vector<uint8_t> &token,
1397 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1398 {
1399 saveESecretStatus[user] = !secret.empty();
1400 LOGW("userId %{public}u, token empty %{public}d sec empty %{public}d", user, token.empty(), secret.empty());
1401 userEl5Key_[user] = elKey;
1402 UserAuth auth = { .token = token, .secret = secret };
1403 bool eBufferStatue = false;
1404 auto ret = elKey->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, true);
1405 if (ret != E_OK) {
1406 LOGE("Unlock user %{public}u E_Class failed", user);
1407 return E_EL5_DELETE_CLASS_ERROR;
1408 }
1409
1410 if (!token.empty() && !secret.empty() && eBufferStatue) {
1411 if (TryToFixUeceKey(user, token, secret) != E_OK) {
1412 LOGE("TryToFixUeceKey el5 failed !");
1413 return E_TRY_TO_FIX_USER_KEY_ERR;
1414 }
1415 }
1416 LOGW("ActiveCeSceSeceUserKey user %{public}u, saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1417 return 0;
1418 }
1419
ActiveElXUserKey(unsigned int user,const std::vector<uint8_t> & token,KeyType keyType,const std::vector<uint8_t> & secret,std::shared_ptr<BaseKey> elKey)1420 int KeyManager::ActiveElXUserKey(unsigned int user,
1421 const std::vector<uint8_t> &token, KeyType keyType,
1422 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1423 {
1424 if (elKey->InitKey(false) == false) {
1425 LOGE("Init el failed");
1426 return E_ELX_KEY_INIT_ERROR;
1427 }
1428 UserAuth auth = { token, secret };
1429 auto keyResult = elKey->RestoreKey(auth);
1430 bool noKeyResult = (keyResult != E_OK) && (elKey->RestoreKey(NULL_KEY_AUTH) == E_OK);
1431 // key and no-key situation all failed, include upgrade situation, return err
1432 if (keyResult != E_OK && !noKeyResult) {
1433 LOGE("Restore el failed, type: %{public}u", keyType);
1434 return E_RESTORE_KEY_FAILED;
1435 }
1436 // if device has pwd and decrypt success, continue.otherwise try no pwd and fix situation.
1437 if (keyResult != E_OK && noKeyResult) {
1438 if (TryToFixUserCeEceSeceKey(user, keyType, token, secret) != E_OK) {
1439 LOGE("TryToFixUserCeEceSeceKey elx failed, type %{public}u", keyType);
1440 return E_TRY_TO_FIX_USER_KEY_ERR;
1441 }
1442 }
1443 std::string NEED_UPDATE_PATH = GetKeyDirByUserAndType(user, keyType) + PATH_LATEST + SUFFIX_NEED_UPDATE;
1444 std::string NEED_RESTORE_PATH = GetKeyDirByUserAndType(user, keyType) + PATH_LATEST + SUFFIX_NEED_RESTORE;
1445 if (!FileExists(NEED_RESTORE_PATH) && !FileExists(NEED_UPDATE_PATH)) {
1446 auto ret = elKey->StoreKey(auth);
1447 if (ret != E_OK) {
1448 LOGE("Store el failed");
1449 return E_ELX_KEY_STORE_ERROR;
1450 }
1451 }
1452 if (elKey->ActiveKey(RETRIEVE_KEY) != E_OK) {
1453 LOGE("Active user %{public}u key failed", user);
1454 return E_ELX_KEY_ACTIVE_ERROR;
1455 }
1456 return 0;
1457 }
1458
UnlockUserScreen(uint32_t user,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1459 int KeyManager::UnlockUserScreen(uint32_t user, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret)
1460 {
1461 LOGI("start");
1462 userPinProtect[user] = !secret.empty() || !token.empty();
1463 std::shared_ptr<DelayHandler> userDelayHandler;
1464 if (GetUserDelayHandler(user, userDelayHandler)) {
1465 userDelayHandler->CancelDelayTask();
1466 }
1467 auto iter = saveLockScreenStatus.find(user);
1468 if (iter == saveLockScreenStatus.end()) {
1469 saveLockScreenStatus.insert(std::make_pair(user, false));
1470 }
1471 if (!IsUserCeDecrypt(user)) {
1472 LOGE("user ce does not decrypt, skip");
1473 return 0;
1474 }
1475 if (!KeyCtrlHasFscryptSyspara()) {
1476 saveLockScreenStatus[user] = true;
1477 LOGI("saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1478 return 0;
1479 }
1480 std::lock_guard<std::mutex> lock(keyMutex_);
1481 std::string tokenEmy = token.empty() ? "true" : "false";
1482 std::string secretEmy = secret.empty() ? "true" : "false";
1483 std::string tokenInfo = "token isEmpty = " + tokenEmy + ", secret isEmpty = " + secretEmy;
1484 int ret = 0;
1485 if ((ret = UnlockEceSece(user, token, secret)) != E_OK) {
1486 StorageRadar::ReportUpdateUserAuth("UnlockUserScreen::UnlockEceSece", user, ret, "EL4", tokenInfo);
1487 return ret;
1488 }
1489 if ((ret = UnlockUece(user, token, secret)) != E_OK) {
1490 StorageRadar::ReportUpdateUserAuth("UnlockUserScreen::UnlockUece", user, ret, "EL5", tokenInfo);
1491 return ret;
1492 }
1493 saveLockScreenStatus[user] = true;
1494 LOGW("UnlockUserScreen user %{public}u el3 and el4 success and saveLockScreenStatus is %{public}d", user,
1495 saveLockScreenStatus[user]);
1496 return 0;
1497 }
1498
UnlockEceSece(uint32_t user,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1499 int32_t KeyManager::UnlockEceSece(uint32_t user,
1500 const std::vector<uint8_t> &token,
1501 const std::vector<uint8_t> &secret)
1502 {
1503 auto el4Key = GetUserElKey(user, EL4_KEY);
1504 if (el4Key == nullptr) {
1505 saveLockScreenStatus[user] = true;
1506 LOGE("The user %{public}u not been actived and saveLockScreenStatus is %{public}d", user,
1507 saveLockScreenStatus[user]);
1508 return E_NON_EXIST;
1509 }
1510 if (el4Key->RestoreKey({ token, secret }, false) != E_OK && el4Key->RestoreKey(NULL_KEY_AUTH, false) != E_OK) {
1511 LOGE("Restore user %{public}u el4 key failed", user);
1512 return E_RESTORE_KEY_FAILED;
1513 }
1514 int32_t ret = el4Key->UnlockUserScreen(user, FSCRYPT_SDP_ECE_CLASS);
1515 if (ret != E_OK) {
1516 LOGE("UnlockUserScreen user %{public}u el4 key failed", user);
1517 return E_UNLOCK_SCREEN_FAILED;
1518 }
1519 LOGI("DecryptClassE user %{public}u saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1520 return E_OK;
1521 }
1522
UnlockUece(uint32_t user,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1523 int32_t KeyManager::UnlockUece(uint32_t user,
1524 const std::vector<uint8_t> &token,
1525 const std::vector<uint8_t> &secret)
1526 {
1527 UserAuth auth = {.token = token, .secret = secret};
1528 saveESecretStatus[user] = !auth.token.IsEmpty();
1529 auto el5Key = GetUserElKey(user, EL5_KEY);
1530 bool eBufferStatue = false;
1531 if (el5Key != nullptr) {
1532 auto ret = el5Key->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, false);
1533 if (ret != E_OK) {
1534 LOGE("Unlock user %{public}u uece failed", user);
1535 return E_UNLOCK_APP_KEY2_FAILED;
1536 }
1537 }
1538 if (UnlockUserAppKeys(user, false) != E_OK) {
1539 LOGE("failed to delete appkey2");
1540 return E_UNLOCK_APP_KEY2_FAILED;
1541 }
1542 return E_OK;
1543 }
1544
GetLockScreenStatus(uint32_t user,bool & lockScreenStatus)1545 int KeyManager::GetLockScreenStatus(uint32_t user, bool &lockScreenStatus)
1546 {
1547 LOGI("start");
1548 std::lock_guard<std::mutex> lock(keyMutex_);
1549 auto iter = saveLockScreenStatus.find(user);
1550 lockScreenStatus = (iter == saveLockScreenStatus.end()) ? false: iter->second;
1551 LOGW("lockScreenStatus is %{public}d", lockScreenStatus);
1552 return 0;
1553 }
1554
GenerateAppkey(uint32_t userId,uint32_t hashId,std::string & keyId)1555 int KeyManager::GenerateAppkey(uint32_t userId, uint32_t hashId, std::string &keyId)
1556 {
1557 if (!IsUeceSupport()) {
1558 LOGI("Not support uece !");
1559 return -ENOTSUP;
1560 }
1561 LOGI("enter");
1562 std::lock_guard<std::mutex> lock(keyMutex_);
1563 if (userId == KEY_RECOVERY_USER_ID) {
1564 LOGI("GenerateAppKey when RecoverKey");
1565 auto el5Key = GetBaseKey(GetKeyDirByUserAndType(userId, EL5_KEY));
1566 if (el5Key == nullptr) {
1567 LOGE("el5Key is nullptr");
1568 return E_PARAMS_NULLPTR_ERR;
1569 }
1570 auto ret = el5Key->GenerateAppkey(userId, hashId, keyId);
1571 if (ret != E_OK) {
1572 LOGE("Failed to generate Appkey2, error=%{public}d", ret);
1573 return E_EL5_GENERATE_APP_KEY_ERR;
1574 }
1575 return 0;
1576 }
1577 auto el5Key = GetBaseKey(GetKeyDirByUserAndType(userId, EL5_KEY));
1578 if (el5Key == nullptr) {
1579 LOGE("el5Key is nullptr");
1580 return E_PARAMS_NULLPTR_ERR;
1581 }
1582 auto ret = el5Key->GenerateAppkey(userId, hashId, keyId);
1583 if (ret != E_OK) {
1584 LOGE("Failed to generate Appkey2 error=%{public}d", ret);
1585 return E_EL5_GENERATE_APP_KEY_ERR;
1586 }
1587 return 0;
1588 }
1589
DeleteAppkey(uint32_t userId,const std::string keyId)1590 int KeyManager::DeleteAppkey(uint32_t userId, const std::string keyId)
1591 {
1592 std::lock_guard<std::mutex> lock(keyMutex_);
1593 auto el5Key = GetBaseKey(GetKeyDirByUserAndType(userId, EL5_KEY));
1594 if (el5Key == nullptr) {
1595 LOGE("el5Key is nullptr");
1596 return E_PARAMS_NULLPTR_ERR;
1597 }
1598 if (el5Key->DeleteAppkey(keyId) != E_OK) {
1599 LOGE("Failed to delete Appkey2");
1600 return E_EL5_DELETE_APP_KEY_ERR;
1601 }
1602 return 0;
1603 }
1604
CreateRecoverKey(uint32_t userId,uint32_t userType,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)1605 int KeyManager::CreateRecoverKey(uint32_t userId, uint32_t userType, const std::vector<uint8_t> &token,
1606 const std::vector<uint8_t> &secret)
1607 {
1608 LOGI("enter");
1609 std::string globalUserEl1Path = std::string(USER_EL1_DIR) + "/" + std::to_string(GLOBAL_USER_ID);
1610 std::string el1Path = std::string(USER_EL1_DIR) + "/" + std::to_string(userId);
1611 std::string el2Path = std::string(USER_EL2_DIR) + "/" + std::to_string(userId);
1612 std::string el3Path = std::string(USER_EL3_DIR) + "/" + std::to_string(userId);
1613 std::string el4Path = std::string(USER_EL4_DIR) + "/" + std::to_string(userId);
1614 std::vector<std::string> elKeyDirs = { DEVICE_EL1_DIR, globalUserEl1Path, el1Path, el2Path, el3Path, el4Path };
1615 std::vector<KeyBlob> originKeys;
1616 for (const auto &elxKeyDir : elKeyDirs) {
1617 if (!IsDir(elxKeyDir)) {
1618 LOGE("Have not found type %{public}s el", elxKeyDir.c_str());
1619 return E_KEY_TYPE_INVALID;
1620 }
1621 std::shared_ptr<BaseKey> elxKey = GetBaseKey(elxKeyDir);
1622 if (elxKey == nullptr) {
1623 LOGE("load elx key failed , key path is %{public}s", elxKeyDir.c_str());
1624 return E_PARAMS_NULLPTR_ERR;
1625 }
1626 UserAuth auth = { token, secret };
1627 if (secret.empty() && token.size() == RECOVERY_TOKEN_CHALLENGE_LENG) {
1628 LOGW("secret is empty, use none token.");
1629 auth = { {}, {}};
1630 }
1631 if ((elxKey->RestoreKey(auth, false) != E_OK) && (elxKey->RestoreKey(NULL_KEY_AUTH, false) != E_OK)) {
1632 LOGE("Restore el failed");
1633 return E_RESTORE_KEY_FAILED;
1634 }
1635 KeyBlob originKey;
1636 if (!elxKey->GetOriginKey(originKey)) {
1637 LOGE("get origin key failed !");
1638 return -ENOENT;
1639 }
1640 originKeys.push_back(std::move(originKey));
1641 }
1642 int ret = RecoveryManager::GetInstance().CreateRecoverKey(userId, userType, token, secret, originKeys);
1643 if (ret != E_OK) {
1644 LOGE("Create recovery key failed !");
1645 return ret;
1646 }
1647 originKeys.clear();
1648 return E_OK;
1649 }
1650
SetRecoverKey(const std::vector<uint8_t> & key)1651 int KeyManager::SetRecoverKey(const std::vector<uint8_t> &key)
1652 {
1653 LOGI("enter");
1654 std::vector<KeyBlob> originIvs;
1655 if (RecoveryManager::GetInstance().SetRecoverKey(key) != E_OK) {
1656 LOGE("Set recovery key filed !");
1657 return E_SET_RECOVERY_KEY_ERR;
1658 }
1659 return E_OK;
1660 }
1661
UnlockUserAppKeys(uint32_t userId,bool needGetAllAppKey)1662 int KeyManager::UnlockUserAppKeys(uint32_t userId, bool needGetAllAppKey)
1663 {
1664 if (!IsUeceSupport()) {
1665 LOGI("E type is not support");
1666 return E_OK;
1667 }
1668 #ifdef EL5_FILEKEY_MANAGER
1669 int ret = E_OK;
1670 std::vector<std::pair<int, std::string>> keyInfo;
1671 std::vector<std::pair<std::string, bool>> loadInfos;
1672 if (needGetAllAppKey) {
1673 ret = El5FilekeyManagerKit::GetUserAllAppKey(userId, keyInfo);
1674 if (ret != 0) {
1675 LOGE("get user all app keys fail.");
1676 StorageRadar::ReportEl5KeyMgrResult("UnlockUserAppKeys::GetUserAllAppKey", ret, userId);
1677 return ret;
1678 }
1679 LOGI("get user all app keys success.");
1680 } else {
1681 ret = El5FilekeyManagerKit::GetUserAppKey(userId, keyInfo);
1682 if (ret != 0) {
1683 LOGE("get User Appkeys fail.");
1684 StorageRadar::ReportEl5KeyMgrResult("UnlockUserAppKeys::GetUserAppKey", ret, userId);
1685 return ret;
1686 }
1687 LOGI("get User Appkeys success.");
1688 }
1689 ret = GenerateAndLoadAppKeyInfo(userId, keyInfo);
1690 if (ret != E_OK) {
1691 LOGE("UnlockUserAppKeys fail.");
1692 return ret;
1693 }
1694 #endif
1695 LOGI("UnlockUserAppKeys success!");
1696 return E_OK;
1697 }
1698
1699 #ifdef EL5_FILEKEY_MANAGER
GenerateAndLoadAppKeyInfo(uint32_t userId,const std::vector<std::pair<int,std::string>> & keyInfo)1700 int KeyManager::GenerateAndLoadAppKeyInfo(uint32_t userId, const std::vector<std::pair<int, std::string>> &keyInfo)
1701 {
1702 std::vector<std::pair<std::string, bool>> loadInfos;
1703 if (keyInfo.size() == 0) {
1704 LOGE("The keyInfo is empty!");
1705 return E_OK;
1706 }
1707 if (userEl5Key_.find(userId) == userEl5Key_.end()) {
1708 LOGE("userEl5Key_ has not existed");
1709 return -ENOENT;
1710 }
1711 auto elKey = userEl5Key_[userId];
1712 std::string keyId;
1713 for (auto keyInfoAppUid :keyInfo) {
1714 if (elKey->GenerateAppkey(userId, keyInfoAppUid.first, keyId) != E_OK) {
1715 LOGE("Failed to Generate Appkey2!");
1716 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1717 continue;
1718 }
1719 if (keyInfoAppUid.second != keyId) {
1720 LOGE("The keyId check fails!");
1721 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1722 continue;
1723 }
1724 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, true));
1725 }
1726 int ret = El5FilekeyManagerKit::ChangeUserAppkeysLoadInfo(userId, loadInfos);
1727 if (ret != 0) {
1728 LOGE("Change User Appkeys LoadInfo fail.");
1729 StorageRadar::ReportEl5KeyMgrResult("GenerateAndLoadAppKeyInfo::ChangeUserAppkeysLoadInfo", ret, userId);
1730 return ret;
1731 }
1732 return E_OK;
1733 }
1734 #endif
1735
InActiveUserKey(unsigned int user)1736 int KeyManager::InActiveUserKey(unsigned int user)
1737 {
1738 LOGI("start");
1739 if (!KeyCtrlHasFscryptSyspara()) {
1740 return 0;
1741 }
1742 std::lock_guard<std::mutex> lock(keyMutex_);
1743 int ret = InactiveUserElKey(user, userEl2Key_);
1744 if (ret != E_OK) {
1745 LOGE("Inactive userEl2Key_ failed");
1746 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL2", "");
1747 return ret;
1748 }
1749 ret = InactiveUserElKey(user, userEl3Key_);
1750 if (ret != E_OK) {
1751 LOGE("Inactive userEl3Key_ failed");
1752 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL3", "");
1753 return ret;
1754 }
1755 ret = InactiveUserElKey(user, userEl4Key_);
1756 if (ret != E_OK) {
1757 LOGE("Inactive userEl4Key_ failed");
1758 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL4", "");
1759 return ret;
1760 }
1761 if (!IsAppCloneUser(user)) {
1762 ret = InactiveUserElKey(user, userEl5Key_);
1763 if (ret != E_OK) {
1764 LOGE("Inactive userEl5Key_ failed");
1765 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL5", "");
1766 return ret;
1767 }
1768 }
1769 auto userTask = userLockScreenTask_.find(user);
1770 if (userTask != userLockScreenTask_.end()) {
1771 userLockScreenTask_.erase(userTask);
1772 LOGI("InActive user %{public}u, erase user task", user);
1773 }
1774 return 0;
1775 }
1776
InactiveUserElKey(unsigned int user,std::map<unsigned int,std::shared_ptr<BaseKey>> & userElxKey_)1777 int KeyManager::InactiveUserElKey(unsigned int user, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElxKey_)
1778 {
1779 if (userElxKey_.find(user) == userElxKey_.end()) {
1780 LOGE("Have not found user %{public}u el2", user);
1781 return E_PARAMS_INVALID;
1782 }
1783 auto elKey = userElxKey_[user];
1784 if (elKey->InactiveKey(USER_LOGOUT) != E_OK) {
1785 LOGE("Clear user %{public}u key failed", user);
1786 return E_ELX_KEY_INACTIVE_ERROR;
1787 }
1788 LOGI("remove elx desc");
1789 auto elx = elKey->GetKeyDir();
1790 if (!elx.empty() && elx != "el1") {
1791 std::string descElx = std::string(FSCRYPT_EL_DIR) + "/" + elx + "/" + std::to_string(user) + DESC_DIR;
1792 (void)remove(descElx.c_str());
1793 LOGI("remove desc success.");
1794 }
1795 userElxKey_.erase(user);
1796 LOGI("Inactive user %{public}u elX success", user);
1797 return 0;
1798 }
1799
LockUserScreen(uint32_t user)1800 int KeyManager::LockUserScreen(uint32_t user)
1801 {
1802 LOGI("start");
1803 std::lock_guard<std::mutex> lock(keyMutex_);
1804 std::error_code errCode;
1805 if (!IsUserCeDecrypt(user) || std::filesystem::exists(GetNatoNeedRestorePath(user, EL4_KEY), errCode)) {
1806 LOGE("user ce does not decrypt, skip");
1807 return 0;
1808 }
1809
1810 auto iter = userPinProtect.find(user);
1811 if (iter == userPinProtect.end() || iter->second == false) {
1812 if (!IamClient::GetInstance().HasPinProtect(user)) {
1813 LOGI("Has no pin protect, saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1814 return 0;
1815 }
1816 userPinProtect.erase(user);
1817 userPinProtect.insert(std::make_pair(user, true));
1818 LOGI("User is %{public}u ,Lock screen, SaveLockScreenStatus is %{public}d", user, saveLockScreenStatus[user]);
1819 }
1820 iter = saveLockScreenStatus.find(user);
1821 if (iter == saveLockScreenStatus.end()) {
1822 saveLockScreenStatus.insert(std::make_pair(user, false));
1823 LOGI("User is %{public}u ,Insert LockScreenStatus, SaveLockScreenStatus is %{public}d", user,
1824 saveLockScreenStatus[user]);
1825 }
1826 if (!KeyCtrlHasFscryptSyspara()) {
1827 saveLockScreenStatus[user] = false;
1828 LOGI("KeyCtrlHasFscryptSyspara is false, saveLockScreenStatus is %{public}d",
1829 saveLockScreenStatus[user]);
1830 return 0;
1831 }
1832 auto el5Key = GetUserElKey(user, EL5_KEY);
1833 saveESecretStatus[user] = true;
1834 if (el5Key != nullptr && el5Key->LockUece(saveESecretStatus[user]) != E_OK) {
1835 LOGE("lock user %{public}u el5 key failed !", user);
1836 }
1837 auto el4Key = GetUserElKey(user, EL4_KEY);
1838 if (el4Key == nullptr) {
1839 LOGE("Have not found user %{public}u el3 or el4", user);
1840 StorageRadar::ReportUpdateUserAuth("LockUserScreen::GetUserElKey", user, E_NON_EXIST, "EL4", "not found key");
1841 return E_NON_EXIST;
1842 }
1843 std::shared_ptr<DelayHandler> userDelayHandler;
1844 if (GetUserDelayHandler(user, userDelayHandler)) {
1845 userDelayHandler->StartDelayTask(el4Key);
1846 }
1847
1848 saveLockScreenStatus[user] = false;
1849 LOGI("LockUserScreen user %{public}u el3 and el4 success, saveLockScreenStatus is %{public}d",
1850 user, saveLockScreenStatus[user]);
1851 return 0;
1852 }
1853
SetDirectoryElPolicy(unsigned int user,KeyType type,const std::vector<FileList> & vec)1854 int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std::vector<FileList> &vec)
1855 {
1856 LOGI("start");
1857 if (!KeyCtrlHasFscryptSyspara()) {
1858 return 0;
1859 }
1860 std::string keyPath;
1861 std::string eceSeceKeyPath;
1862 std::lock_guard<std::mutex> lock(keyMutex_);
1863 if (type == EL1_KEY) {
1864 int ret = getElxKeyPath(user, EL1_KEY, keyPath);
1865 if (ret != E_OK) {
1866 return ret;
1867 }
1868 } else if (type == EL2_KEY || type == EL3_KEY || type == EL4_KEY || type == EL5_KEY) {
1869 int ret = getElxKeyPath(user, EL2_KEY, keyPath);
1870 if (ret != E_OK) {
1871 return ret;
1872 }
1873 } else {
1874 LOGE("Not specify el flags, no need to crypt");
1875 return 0;
1876 }
1877 if (getElxKeyPath(user, type, eceSeceKeyPath) != 0) {
1878 LOGE("method getEceSeceKeyPath fail");
1879 return -ENOENT;
1880 }
1881 for (auto item : vec) {
1882 int ret = LoadAndSetPolicy(keyPath.c_str(), item.path.c_str());
1883 if (ret != 0) {
1884 LOGE("Set directory el policy error, ret: %{public}d", ret);
1885 return E_LOAD_AND_SET_POLICY_ERR;
1886 }
1887 }
1888 if (type == EL3_KEY || type == EL4_KEY) {
1889 for (auto item : vec) {
1890 if (LoadAndSetEceAndSecePolicy(eceSeceKeyPath.c_str(), item.path.c_str(), static_cast<int>(type)) != 0) {
1891 LOGE("Set directory el policy error!");
1892 return E_LOAD_AND_SET_ECE_POLICY_ERR;
1893 }
1894 }
1895 }
1896 LOGW("Set user %{public}u el policy success", user);
1897 return 0;
1898 }
1899
getElxKeyPath(unsigned int user,KeyType type,std::string & elxKeyPath)1900 int KeyManager::getElxKeyPath(unsigned int user, KeyType type, std::string &elxKeyPath)
1901 {
1902 std::string natoPath = GetNatoNeedRestorePath(user, type);
1903 std::error_code errCode;
1904 if (std::filesystem::exists(natoPath, errCode)) {
1905 LOGW("type=%{public}d NATO path is exist.", type);
1906 elxKeyPath = natoPath;
1907 return E_OK;
1908 }
1909 if (!HasElkey(user, type) && type != EL5_KEY) {
1910 LOGE("Have not found user %{public}u el%{public}d key", user, type);
1911 return -ENOENT;
1912 }
1913
1914 switch (type) {
1915 case EL1_KEY:
1916 elxKeyPath = userEl1Key_[user]->GetDir();
1917 break;
1918 case EL2_KEY:
1919 elxKeyPath = userEl2Key_[user]->GetDir();
1920 break;
1921 case EL3_KEY:
1922 elxKeyPath = userEl3Key_[user]->GetDir();
1923 break;
1924 case EL4_KEY:
1925 elxKeyPath = userEl4Key_[user]->GetDir();
1926 break;
1927 case EL5_KEY:
1928 LOGW("el5 not to deal");
1929 break;
1930 default:
1931 LOGE("Type = %{public}u is illegal !", type);
1932 return -ENOENT;
1933 }
1934 return E_OK;
1935 }
1936
UpdateCeEceSeceKeyContext(uint32_t userId,KeyType type)1937 int KeyManager::UpdateCeEceSeceKeyContext(uint32_t userId, KeyType type)
1938 {
1939 LOGI("start");
1940 if (!KeyCtrlHasFscryptSyspara()) {
1941 return 0;
1942 }
1943 std::lock_guard<std::mutex> lock(keyMutex_);
1944 if (HasElkey(userId, type) == false) {
1945 LOGE("Have not found user %{public}u el%{public}u", userId, type);
1946 return E_PARAMS_INVALID;
1947 }
1948 std::shared_ptr<BaseKey> elKey = GetUserElKey(userId, type);
1949 if (elKey == nullptr) {
1950 LOGE("Have not found user %{public}u, type el%{public}u", userId, type);
1951 return -ENOENT;
1952 }
1953 auto ret = elKey->UpdateKey();
1954 if (ret != E_OK) {
1955 LOGE("Basekey update newest context failed");
1956 return E_ELX_KEY_UPDATE_ERROR;
1957 }
1958 return 0;
1959 }
1960
UpdateKeyContext(uint32_t userId,bool needRemoveTmpKey)1961 int KeyManager::UpdateKeyContext(uint32_t userId, bool needRemoveTmpKey)
1962 {
1963 LOGI("UpdateKeyContext enter");
1964 // todo needRemoveTmpKey
1965 int ret = UpdateCeEceSeceKeyContext(userId, EL2_KEY);
1966 if (ret != 0) {
1967 LOGE("Basekey update EL2 newest context failed");
1968 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL2", "");
1969 return ret;
1970 }
1971 ret = UpdateCeEceSeceKeyContext(userId, EL3_KEY);
1972 if (ret != 0) {
1973 LOGE("Basekey update EL3 newest context failed");
1974 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL3", "");
1975 return ret;
1976 }
1977 ret = UpdateCeEceSeceKeyContext(userId, EL4_KEY);
1978 if (ret != 0) {
1979 LOGE("Basekey update EL4 newest context failed");
1980 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL4", "");
1981 return ret;
1982 }
1983 if (IsUeceSupport() && saveESecretStatus[userId]) {
1984 ret = UpdateCeEceSeceKeyContext(userId, EL5_KEY);
1985 }
1986 if (ret != 0 && ((userId < START_APP_CLONE_USER_ID || userId > MAX_APP_CLONE_USER_ID))) {
1987 LOGE("Basekey update EL5 newest context failed");
1988 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL5", "");
1989 return ret;
1990 }
1991 LOGI("Basekey update key context success");
1992 return 0;
1993 }
1994
IsUeceSupport()1995 bool KeyManager::IsUeceSupport()
1996 {
1997 FILE *f = fopen(UECE_PATH, "r+");
1998 if (f == nullptr) {
1999 if (errno == ENOENT) {
2000 LOGE("uece does not support !");
2001 }
2002 LOGE("open uece failed, errno : %{public}d", errno);
2003 return false;
2004 }
2005 int fd = fileno(f);
2006 if (fd < 0) {
2007 if (errno == ENOENT) {
2008 LOGE("uece does not support !");
2009 }
2010 LOGE("open uece failed, errno : %{public}d", errno);
2011 (void)fclose(f);
2012 return false;
2013 }
2014 (void)fclose(f);
2015 LOGI("uece is support.");
2016 return true;
2017 }
2018
IsUeceSupportWithErrno()2019 int KeyManager::IsUeceSupportWithErrno()
2020 {
2021 int fd = open(UECE_PATH, O_RDWR);
2022 if (fd < 0) {
2023 if (errno == ENOENT) {
2024 LOGE("uece does not support !");
2025 return ENOENT;
2026 }
2027 LOGE("open uece failed, errno : %{public}d", errno);
2028 return errno;
2029 }
2030 close(fd);
2031 LOGI("uece is support.");
2032 return E_OK;
2033 }
2034
UpgradeKeys(const std::vector<FileList> & dirInfo)2035 int KeyManager::UpgradeKeys(const std::vector<FileList> &dirInfo)
2036 {
2037 for (const auto &it : dirInfo) {
2038 std::shared_ptr<BaseKey> elKey = GetBaseKey(it.path);
2039 if (elKey == nullptr) {
2040 LOGE("Basekey memory failed");
2041 continue;
2042 }
2043 elKey->UpgradeKeys();
2044 }
2045 return 0;
2046 }
2047
GetFileEncryptStatus(uint32_t userId,bool & isEncrypted,bool needCheckDirMount)2048 int KeyManager::GetFileEncryptStatus(uint32_t userId, bool &isEncrypted, bool needCheckDirMount)
2049 {
2050 LOGI("Begin check encrypted status, userId is %{public}d, needCheckDirMount is %{public}d",
2051 userId, needCheckDirMount);
2052 isEncrypted = true;
2053 const char rootPath[] = "/data/app/el2/";
2054 const char basePath[] = "/base";
2055 size_t allPathSize = strlen(rootPath) + strlen(basePath) + 1 + USER_ID_SIZE_VALUE;
2056 char *path = reinterpret_cast<char *>(malloc(sizeof(char) * (allPathSize)));
2057 if (path == nullptr) {
2058 LOGE("Failed to malloce path.");
2059 return E_MEMORY_OPERATION_ERR;
2060 }
2061 int len = sprintf_s(path, allPathSize, "%s%u%s", rootPath, userId, basePath);
2062 if (len <= 0 || (size_t)len >= allPathSize) {
2063 free(path);
2064 LOGE("Failed to get base path");
2065 return E_PARAMS_INVALID;
2066 }
2067 if (access(path, F_OK) != 0) {
2068 free(path);
2069 LOGE("Can not access el2 dir, user %{public}d el2 is encrypted.", userId);
2070 return E_OK;
2071 }
2072 std::string el2Path(path);
2073 if (!SaveStringToFile(el2Path + EL2_ENCRYPT_TMP_FILE, " ")) {
2074 free(path);
2075 LOGE("Can not save el2 file, user %{public}d el2 is encrypted.", userId);
2076 return E_OK;
2077 }
2078 free(path);
2079 int ret = remove((el2Path + EL2_ENCRYPT_TMP_FILE).c_str());
2080 LOGE("remove ret = %{public}d", ret);
2081 if (needCheckDirMount && !MountManager::GetInstance()->CheckMountFileByUser(userId)) {
2082 LOGI("The virturalDir is not exists.");
2083 return E_OK;
2084 }
2085 isEncrypted = false;
2086 LOGI("This is decrypted status");
2087 return E_OK;
2088 }
2089
IsUserCeDecrypt(uint32_t userId)2090 bool KeyManager::IsUserCeDecrypt(uint32_t userId)
2091 {
2092 bool isCeEncrypt = false;
2093 int ret = GetFileEncryptStatus(userId, isCeEncrypt);
2094 if (ret != E_OK || isCeEncrypt) {
2095 LOGE("User %{public}d el2 has not decrypt.", userId);
2096 return false;
2097 }
2098 LOGI("User %{public}d el2 decrypted.", userId);
2099 return true;
2100 }
2101
CheckUserPinProtect(unsigned int userId,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)2102 int KeyManager::CheckUserPinProtect(unsigned int userId,
2103 const std::vector<uint8_t> &token,
2104 const std::vector<uint8_t> &secret)
2105 {
2106 LOGI("enter CheckUserPinProtect.");
2107 std::error_code errCode;
2108 std::string restorePath = std::string(USER_EL2_DIR) + "/" + std::to_string(userId) + RESTORE_DIR;
2109 if (!std::filesystem::exists(restorePath, errCode)) {
2110 LOGI("Do not check pin code.");
2111 return E_OK;
2112 }
2113 // judge if device has PIN protect
2114 if ((token.empty() && secret.empty()) && IamClient::GetInstance().HasPinProtect(userId)) {
2115 LOGE("User %{public}d has pin code protect.", userId);
2116 return E_ERR;
2117 }
2118 return E_OK;
2119 }
2120
TryToFixUserCeEceSeceKey(unsigned int userId,KeyType keyType,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)2121 int KeyManager::TryToFixUserCeEceSeceKey(unsigned int userId,
2122 KeyType keyType,
2123 const std::vector<uint8_t> &token,
2124 const std::vector<uint8_t> &secret)
2125 {
2126 LOGI("enter TryToFixUserCeEceSeceKey");
2127 keyMutex_.unlock();
2128 if (!IamClient::GetInstance().HasPinProtect(userId)) {
2129 LOGE("User %{public}d has no pin code protect.", userId);
2130 return E_OK;
2131 }
2132
2133 uint64_t secureUid = { 0 };
2134 if (!secret.empty() && !token.empty()) {
2135 IamClient::GetInstance().GetSecureUid(userId, secureUid);
2136 LOGE("Pin code is exist, get secure uid.");
2137 }
2138 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
2139 UserTokenSecret userTokenSecret = { .token = token, .oldSecret = {}, .newSecret = secret, .secureUid = secureUid };
2140
2141 int ret = E_OK;
2142 #ifdef USER_CRYPTO_MIGRATE_KEY
2143 ret = UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType, false);
2144 #else
2145 ret = UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType);
2146 #endif
2147 if (ret != E_OK) {
2148 LOGE("try to fix elx key failed !");
2149 return ret;
2150 }
2151 ret = UpdateCeEceSeceKeyContext(userId, keyType);
2152 if (ret != E_OK) {
2153 LOGE("try to fix elx key context failed !");
2154 StorageRadar::ReportUpdateUserAuth("TryToFixUserCeEceSeceKey::UpdateCeEceSeceKeyContext",
2155 userId, ret, std::to_string(keyType), "");
2156 return ret;
2157 }
2158 return E_OK;
2159 }
2160
TryToFixUeceKey(unsigned int userId,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)2161 int KeyManager::TryToFixUeceKey(unsigned int userId,
2162 const std::vector<uint8_t> &token,
2163 const std::vector<uint8_t> &secret)
2164 {
2165 LOGI("enter TryToFixUeceKey");
2166 keyMutex_.unlock();
2167 if (!IamClient::GetInstance().HasPinProtect(userId)) {
2168 LOGE("User %{public}d has no pin code protect.", userId);
2169 return E_OK;
2170 }
2171
2172 uint64_t secureUid = { 0 };
2173 if (!secret.empty() && !token.empty()) {
2174 IamClient::GetInstance().GetSecureUid(userId, secureUid);
2175 LOGE("Pin code is exist, get secure uid.");
2176 }
2177 UserAuth auth = { .token=token, .secret=secret, .secureUid = secureUid };
2178 UserTokenSecret tokenSecret = { .token = token, .oldSecret = { }, .newSecret = secret, .secureUid = secureUid};
2179
2180 int ret = UpdateESecret(userId, tokenSecret);
2181 if (ret != E_OK) {
2182 LOGE("try to fix elx key failed !");
2183 return ret;
2184 }
2185 ret = UpdateCeEceSeceKeyContext(userId, EL5_KEY);
2186 if (ret != E_OK) {
2187 LOGE("try to fix elx key context failed !");
2188 StorageRadar::ReportUpdateUserAuth("TryToFixUeceKey::UpdateCeEceSeceKeyContext", userId, ret, "EL5", "");
2189 return ret;
2190 }
2191 return E_OK;
2192 }
2193
2194 #ifdef USER_CRYPTO_MIGRATE_KEY
RestoreUserKey(uint32_t userId,KeyType type)2195 int KeyManager::RestoreUserKey(uint32_t userId, KeyType type)
2196 {
2197 LOGI("start, user is %{public}u , type is %{public}d", userId, type);
2198 std::string dir = GetKeyDirByUserAndType(userId, type);
2199 if (dir == "") {
2200 LOGE("type is invalid, %{public}u", type);
2201 return E_PARAMS_INVALID;
2202 }
2203
2204 if (!IsDir(dir)) {
2205 LOGE("dir not exist");
2206 return -ENOENT;
2207 }
2208 int32_t ret = RestoreUserKey(userId, dir, NULL_KEY_AUTH, type);
2209 if (ret == 0 && type != EL1_KEY) {
2210 saveLockScreenStatus[userId] = true;
2211 LOGI("User is %{public}u , saveLockScreenStatus is %{public}d", userId, saveLockScreenStatus[userId]);
2212 }
2213 return ret;
2214 }
2215 #endif
2216 } // namespace StorageDaemon
2217 } // namespace OHOS
2218