1 /* 2 * Copyright (C) 2016 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 #ifndef ANDROID_VOLD_KEYSTORAGE_H 18 #define ANDROID_VOLD_KEYSTORAGE_H 19 20 #include "KeyBuffer.h" 21 22 #include <cstdint> 23 #include <string> 24 #include <vector> 25 26 namespace android { 27 namespace vold { 28 29 // Represents the information needed to decrypt a disk encryption key. 30 class KeyAuthentication { 31 public: KeyAuthentication(const std::string & s)32 KeyAuthentication(const std::string& s) : secret{s} {}; 33 usesKeymaster()34 bool usesKeymaster() const { return secret.empty(); }; 35 36 const std::string secret; 37 }; 38 39 extern const KeyAuthentication kEmptyAuthentication; 40 41 bool createSecdiscardable(const std::string& path, std::string* hash); 42 bool readSecdiscardable(const std::string& path, std::string* hash); 43 44 // Create a directory at the named path, and store "key" in it, 45 // in such a way that it can only be retrieved via Keymaster and 46 // can be securely deleted. 47 // It's safe to move/rename the directory after creation. 48 bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key); 49 50 // Create a directory at the named path, and store "key" in it as storeKey 51 // This version creates the key in "tmp_path" then atomically renames "tmp_path" 52 // to "key_path" thereby ensuring that the key is either stored entirely or 53 // not at all. All the needed files and directories are also fsync'ed to ensure 54 // that the key is actually persisted to disk. 55 bool storeKeyAtomically(const std::string& key_path, const std::string& tmp_path, 56 const KeyAuthentication& auth, const KeyBuffer& key); 57 58 // Retrieve the key from the named directory. 59 bool retrieveKey(const std::string& dir, const KeyAuthentication& auth, KeyBuffer* key); 60 61 // Securely destroy the key stored in the named directory and delete the directory. 62 bool destroyKey(const std::string& dir); 63 64 bool runSecdiscardSingle(const std::string& file); 65 66 // Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster. 67 bool generateWrappedStorageKey(KeyBuffer* key); 68 // Export the per-boot boot wrapped storage key using keymaster. 69 bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key); 70 71 // Set a seed to be mixed into all key storage encryption keys. 72 bool setKeyStorageBindingSeed(const std::vector<uint8_t>& seed); 73 } // namespace vold 74 } // namespace android 75 76 #endif 77