1 /*
2 * Copyright (C) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "key_manager.h"
17
18 #include <fcntl.h>
19 #include <filesystem>
20 #include <string>
21
22 #include "base_key.h"
23 #include "directory_ex.h"
24 #include "file_ex.h"
25 #include "fscrypt_key_v1.h"
26 #include "fscrypt_key_v2.h"
27 #include "iam_client.h"
28 #include "libfscrypt/fscrypt_control.h"
29 #include "libfscrypt/key_control.h"
30 #include "parameter.h"
31 #include "storage_service_constant.h"
32 #include "storage_service_errno.h"
33 #include "storage_service_log.h"
34 #include "user/mount_manager.h"
35 #include "user/user_manager.h"
36 #ifdef EL5_FILEKEY_MANAGER
37 #include "el5_filekey_manager_kit.h"
38 #endif
39 #ifdef EL5_FILEKEY_MANAGER
40 using namespace OHOS::Security::AccessToken;
41 #endif
42
43 namespace OHOS {
44 namespace StorageDaemon {
45 const UserAuth NULL_KEY_AUTH = {};
46 const std::string DEFAULT_NEED_RESTORE_VERSION = "1";
47 constexpr const char *UECE_PATH = "/dev/fbex_uece";
48
GetBaseKey(const std::string & dir)49 std::shared_ptr<BaseKey> KeyManager::GetBaseKey(const std::string& dir)
50 {
51 uint8_t versionFromPolicy = GetFscryptVersionFromPolicy();
52 uint8_t kernelSupportVersion = KeyCtrlGetFscryptVersion(MNT_DATA.c_str());
53 if (kernelSupportVersion == FSCRYPT_INVALID) {
54 LOGE("kernel not support fscrypt");
55 return nullptr;
56 }
57 if ((versionFromPolicy == kernelSupportVersion) && (kernelSupportVersion == FSCRYPT_V2)) {
58 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV2>(dir));
59 }
60 if (versionFromPolicy != kernelSupportVersion) {
61 LOGE("version from policy %{public}u not same as version from kernel %{public}u", versionFromPolicy,
62 kernelSupportVersion);
63 }
64 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV1>(dir));
65 }
66
GenerateAndInstallDeviceKey(const std::string & dir)67 int KeyManager::GenerateAndInstallDeviceKey(const std::string &dir)
68 {
69 LOGI("enter");
70 globalEl1Key_ = GetBaseKey(dir);
71 if (globalEl1Key_ == nullptr) {
72 return -EOPNOTSUPP;
73 }
74
75 if (globalEl1Key_->InitKey(true) == false) {
76 globalEl1Key_ = nullptr;
77 LOGE("global security key init failed");
78 return -EFAULT;
79 }
80
81 if (globalEl1Key_->StoreKey(NULL_KEY_AUTH) == false) {
82 globalEl1Key_->ClearKey();
83 globalEl1Key_ = nullptr;
84 LOGE("global security key store failed");
85 return -EFAULT;
86 }
87
88 if (globalEl1Key_->ActiveKey(FIRST_CREATE_KEY) == false) {
89 globalEl1Key_->ClearKey();
90 globalEl1Key_ = nullptr;
91 LOGE("global security key active failed");
92 return -EFAULT;
93 }
94
95 (void)globalEl1Key_->UpdateKey();
96 hasGlobalDeviceKey_ = true;
97 LOGI("key create success");
98 return 0;
99 }
100
RestoreDeviceKey(const std::string & dir)101 int KeyManager::RestoreDeviceKey(const std::string &dir)
102 {
103 LOGI("enter");
104 if (globalEl1Key_ != nullptr) {
105 LOGI("device key has existed");
106 return 0;
107 }
108
109 globalEl1Key_ = GetBaseKey(dir);
110 if (globalEl1Key_ == nullptr) {
111 return -EOPNOTSUPP;
112 }
113
114 if (globalEl1Key_->InitKey(false) == false) {
115 globalEl1Key_ = nullptr;
116 LOGE("global security key init failed");
117 return -EFAULT;
118 }
119
120 if (globalEl1Key_->RestoreKey(NULL_KEY_AUTH) == false) {
121 globalEl1Key_ = nullptr;
122 LOGE("global security key restore failed");
123 return -EFAULT;
124 }
125
126 if (globalEl1Key_->ActiveKey(RETRIEVE_KEY) == false) {
127 globalEl1Key_ = nullptr;
128 LOGE("global security key active failed");
129 return -EFAULT;
130 }
131 hasGlobalDeviceKey_ = true;
132 LOGI("key restore success");
133
134 return 0;
135 }
136
InitGlobalDeviceKey(void)137 int KeyManager::InitGlobalDeviceKey(void)
138 {
139 LOGI("enter");
140 int ret = InitFscryptPolicy();
141 if (ret < 0) {
142 LOGE("fscrypt init failed, fscrypt will not be enabled");
143 return ret;
144 }
145
146 std::lock_guard<std::mutex> lock(keyMutex_);
147 if (hasGlobalDeviceKey_ || globalEl1Key_ != nullptr) {
148 LOGI("glabal device el1 have existed");
149 return 0;
150 }
151
152 ret = MkDir(STORAGE_DAEMON_DIR, S_IRWXU); // para.0700: root only
153 if (ret && errno != EEXIST) {
154 LOGE("create storage daemon dir error");
155 return ret;
156 }
157 std::error_code errCode;
158 if (std::filesystem::exists(DEVICE_EL1_DIR, errCode) && !std::filesystem::is_empty(DEVICE_EL1_DIR)) {
159 UpgradeKeys({{0, DEVICE_EL1_DIR}});
160 return RestoreDeviceKey(DEVICE_EL1_DIR);
161 }
162 ret = MkDir(DEVICE_EL1_DIR, S_IRWXU);
163 if (ret && errno != EEXIST) {
164 LOGE("create device el1 key dir = (/data/service/el0/storage_daemon/sd) error");
165 return ret;
166 }
167
168 return GenerateAndInstallDeviceKey(DEVICE_EL1_DIR);
169 }
170
GenerateAndInstallUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)171 int KeyManager::GenerateAndInstallUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
172 {
173 LOGI("enter");
174 if (HasElkey(userId, type)) {
175 LOGI("The user %{public}u el %{public}u have existed", userId, type);
176 return 0;
177 }
178 auto elKey = GetBaseKey(dir);
179 if (elKey == nullptr) {
180 return -EOPNOTSUPP;
181 }
182 if (type == EL5_KEY) {
183 return GenerateAndInstallEl5Key(userId, dir, auth);
184 }
185 if (elKey->InitKey(true) == false) {
186 LOGE("user security key init failed");
187 return -EFAULT;
188 }
189 if (elKey->StoreKey(auth) == false) {
190 elKey->ClearKey();
191 LOGE("user security key store failed");
192 return -EFAULT;
193 }
194 if (elKey->ActiveKey(FIRST_CREATE_KEY) == false) {
195 elKey->ClearKey();
196 LOGE("user security key active failed");
197 return -EFAULT;
198 }
199 (void)elKey->UpdateKey();
200 if (type == EL1_KEY) {
201 userEl1Key_[userId] = elKey;
202 } else if (type == EL2_KEY) {
203 userEl2Key_[userId] = elKey;
204 } else if (type == EL3_KEY) {
205 userEl3Key_[userId] = elKey;
206 } else if (type == EL4_KEY) {
207 userEl4Key_[userId] = elKey;
208 }
209 LOGI("key create success");
210 return 0;
211 }
212
GenerateAndInstallEl5Key(uint32_t userId,const std::string & dir,const UserAuth & auth)213 int KeyManager::GenerateAndInstallEl5Key(uint32_t userId, const std::string &dir, const UserAuth &auth)
214 {
215 LOGI("enter");
216 auto elKey = GetBaseKey(dir);
217 if (elKey == nullptr) {
218 return -EOPNOTSUPP;
219 }
220 bool isNeedEncryptClassE = true;
221 saveESecretStatus[userId] = true;
222 if (elKey->AddClassE(isNeedEncryptClassE, saveESecretStatus[userId], FIRST_CREATE_KEY) == false) {
223 elKey->ClearKey();
224 LOGE("user %{public}u el5 create error", userId);
225 return -EFAULT;
226 }
227 std::string keyDir = GetKeyDirByUserAndType(userId, EL5_KEY);
228 if (keyDir == "") {
229 return E_KEY_TYPE_INVAL;
230 }
231 if (!saveESecretStatus[userId]) {
232 OHOS::ForceRemoveDirectory(keyDir);
233 }
234 saveESecretStatus[userId] = (!auth.secret.IsEmpty() && !auth.token.IsEmpty());
235 if (isNeedEncryptClassE) {
236 if ((!auth.secret.IsEmpty() && !auth.token.IsEmpty()) &&
237 !elKey->EncryptClassE(auth, saveESecretStatus[userId], userId, USER_ADD_AUTH)) {
238 elKey->ClearKey();
239 LOGE("user %{public}u el5 create error", userId);
240 return -EFAULT;
241 }
242 } else {
243 bool eBufferStatue = false;
244 if (!elKey->DecryptClassE(auth, saveESecretStatus[userId], eBufferStatue, userId, USER_UNLOCK)) {
245 LOGE("user %{public}u decrypt error", userId);
246 }
247 }
248 userEl5Key_[userId] = elKey;
249 return 0;
250 }
251
RestoreUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)252 int KeyManager::RestoreUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
253 {
254 LOGI("enter");
255 if (HasElkey(userId, type)) {
256 LOGI("The user %{public}u el %{public}u have existed", userId, type);
257 return 0;
258 }
259
260 auto elKey = GetBaseKey(dir);
261 if (elKey == nullptr) {
262 return -EOPNOTSUPP;
263 }
264
265 if (elKey->InitKey(false) == false) {
266 LOGE("user security key init failed");
267 return -EFAULT;
268 }
269
270 if (elKey->RestoreKey(auth) == false) {
271 LOGE("user security key restore failed");
272 return -EFAULT;
273 }
274
275 if (elKey->ActiveKey(RETRIEVE_KEY) == false) {
276 LOGE("user security key active failed");
277 return -EFAULT;
278 }
279
280 if (type == EL1_KEY) {
281 userEl1Key_[userId] = elKey;
282 } else if (type == EL2_KEY) {
283 userEl2Key_[userId] = elKey;
284 } else if (type == EL3_KEY) {
285 userEl3Key_[userId] = elKey;
286 } else if (type == EL4_KEY) {
287 userEl4Key_[userId] = elKey;
288 } else if (type == EL5_KEY) {
289 userEl5Key_[userId] = elKey;
290 }
291 LOGI("key restore success");
292
293 return 0;
294 }
295
HasElkey(uint32_t userId,KeyType type)296 bool KeyManager::HasElkey(uint32_t userId, KeyType type)
297 {
298 LOGI("enter");
299 switch (type) {
300 case EL1_KEY:
301 if (userEl1Key_.find(userId) != userEl1Key_.end()) {
302 LOGI("user el1 key has existed");
303 return true;
304 }
305 break;
306 case EL2_KEY:
307 if (userEl2Key_.find(userId) != userEl2Key_.end()) {
308 LOGI("user el2 key has existed");
309 return true;
310 }
311 break;
312 case EL3_KEY:
313 if (userEl3Key_.find(userId) != userEl3Key_.end()) {
314 LOGI("user el3 key has existed");
315 return true;
316 }
317 break;
318 case EL4_KEY:
319 if (userEl4Key_.find(userId) != userEl4Key_.end()) {
320 LOGI("user el4 key has existed");
321 return true;
322 }
323 break;
324 case EL5_KEY:
325 if (userEl5Key_.find(userId) != userEl5Key_.end()) {
326 LOGI("user el5 key has existed");
327 return true;
328 }
329 break;
330 default:
331 LOGE("key type error");
332 break;
333 }
334
335 return false;
336 }
337
IsNeedClearKeyFile(std::string file)338 bool KeyManager::IsNeedClearKeyFile(std::string file)
339 {
340 LOGI("enter:");
341 if (!std::filesystem::exists(file)) {
342 LOGE("file not exist, file is %{private}s", file.c_str());
343 return false;
344 }
345
346 std::string version;
347 if (!OHOS::LoadStringFromFile(file, version)) {
348 LOGE("LoadStringFromFile return fail, file is %{private}s", file.c_str());
349 return false;
350 }
351
352 if (version != DEFAULT_NEED_RESTORE_VERSION) {
353 LOGE("need to clear, file is %{private}s, version is %{public}s.", file.c_str(), version.c_str());
354 return true;
355 }
356 LOGE("no need to clear, file is %{private}s, version is %{public}s", file.c_str(), version.c_str());
357 return false;
358 }
359
ProcUpgradeKey(const std::vector<FileList> & dirInfo)360 void KeyManager::ProcUpgradeKey(const std::vector<FileList> &dirInfo)
361 {
362 LOGI("enter:");
363 for (const auto &it : dirInfo) {
364 std::string needRestorePath = it.path + "/latest/need_restore";
365 if (IsNeedClearKeyFile(needRestorePath)) {
366 bool ret = RmDirRecurse(it.path);
367 if (!ret) {
368 LOGE("remove key dir fail, result is %{public}d, dir %{private}s", ret, it.path.c_str());
369 }
370 }
371 }
372 }
373
LoadAllUsersEl1Key(void)374 int KeyManager::LoadAllUsersEl1Key(void)
375 {
376 LOGI("enter");
377 std::vector<FileList> dirInfo;
378 ReadDigitDir(USER_EL2_DIR, dirInfo);
379 UpgradeKeys(dirInfo);
380 dirInfo.clear();
381 ReadDigitDir(USER_EL1_DIR, dirInfo);
382 UpgradeKeys(dirInfo);
383 for (auto &item : dirInfo) {
384 if (RestoreUserKey(item.userId, item.path, NULL_KEY_AUTH, EL1_KEY) != 0) {
385 LOGE("user %{public}u el1 key restore error", item.userId);
386 }
387 }
388
389 /* only for el3/el4 upgrade scene */
390 dirInfo.clear();
391 ReadDigitDir(USER_EL3_DIR, dirInfo);
392 ProcUpgradeKey(dirInfo);
393 dirInfo.clear();
394 ReadDigitDir(USER_EL4_DIR, dirInfo);
395 ProcUpgradeKey(dirInfo);
396 dirInfo.clear();
397 ReadDigitDir(USER_EL5_DIR, dirInfo);
398 ProcUpgradeKey(dirInfo);
399 return 0;
400 }
401
InitUserElkeyStorageDir(void)402 int KeyManager::InitUserElkeyStorageDir(void)
403 {
404 int ret = MkDir(SERVICE_STORAGE_DAEMON_DIR, S_IRWXU);
405 if (ret && errno != EEXIST) {
406 LOGE("make service storage daemon dir error");
407 return ret;
408 }
409
410 ret = MkDir(FSCRYPT_EL_DIR, S_IRWXU);
411 if (ret && errno != EEXIST) {
412 LOGE("make service storage daemon dir error");
413 return ret;
414 }
415
416 ret = MkDir(USER_EL1_DIR, S_IRWXU);
417 if (ret && errno != EEXIST) {
418 LOGE("make el1 storage dir error");
419 return ret;
420 }
421 ret = MkDir(USER_EL2_DIR, S_IRWXU);
422 if (ret && errno != EEXIST) {
423 LOGE("make el2 storage dir error");
424 return ret;
425 }
426 // 0700 means create el3 permissions
427 ret = MkDir(USER_EL3_DIR, S_IRWXU);
428 if (ret && errno != EEXIST) {
429 LOGE("make el3 storage dir error");
430 return ret;
431 }
432 // 0700 means create el4 permissions
433 ret = MkDir(USER_EL4_DIR, S_IRWXU);
434 if (ret && errno != EEXIST) {
435 LOGE("make el4 storage dir error");
436 return ret;
437 }
438 // 0700 means create el5 permissions
439 ret = MkDir(USER_EL5_DIR, S_IRWXU);
440 if (ret && errno != EEXIST) {
441 LOGE("make el5 storage dir error");
442 return ret;
443 }
444 return 0;
445 }
446
InitGlobalUserKeys(void)447 int KeyManager::InitGlobalUserKeys(void)
448 {
449 LOGI("enter");
450 if (!KeyCtrlHasFscryptSyspara()) {
451 return 0;
452 }
453 std::lock_guard<std::mutex> lock(keyMutex_);
454 int ret = InitUserElkeyStorageDir();
455 if (ret) {
456 LOGE("Init user el storage dir failed");
457 return ret;
458 }
459
460 std::string globalUserEl1Path = USER_EL1_DIR + "/" + std::to_string(GLOBAL_USER_ID);
461 if (IsDir(globalUserEl1Path)) {
462 ret = RestoreUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
463 if (ret != 0) {
464 LOGE("Restore el1 failed");
465 return ret;
466 }
467 } else {
468 ret = GenerateAndInstallUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
469 if (ret != 0) {
470 LOGE("Generate el1 failed");
471 return ret;
472 }
473 }
474
475 ret = LoadAllUsersEl1Key();
476 if (ret) {
477 LOGE("Load all users el1 failed");
478 return ret;
479 }
480 LOGI("Init global user key success");
481
482 return 0;
483 }
484
GenerateUserKeys(unsigned int user,uint32_t flags)485 int KeyManager::GenerateUserKeys(unsigned int user, uint32_t flags)
486 {
487 LOGI("start, user:%{public}u", user);
488 if (!KeyCtrlHasFscryptSyspara()) {
489 return 0;
490 }
491 if ((!IsDir(USER_EL1_DIR)) || (!IsDir(USER_EL2_DIR)) || (!IsDir(USER_EL3_DIR)) ||
492 (!IsDir(USER_EL4_DIR)) || (!IsDir(USER_EL5_DIR))) {
493 LOGI("El storage dir is not existed");
494 return -ENOENT;
495 }
496 int ret = GenerateElxAndInstallUserKey(user);
497 if (ret != E_OK) {
498 LOGE("Generate ELX failed!");
499 return ret;
500 }
501 LOGI("Create user el success");
502 return ret;
503 }
504
GenerateElxAndInstallUserKey(unsigned int user)505 int KeyManager::GenerateElxAndInstallUserKey(unsigned int user)
506 {
507 std::string el1Path = USER_EL1_DIR + "/" + std::to_string(user);
508 std::string el2Path = USER_EL2_DIR + "/" + std::to_string(user);
509 std::string el3Path = USER_EL3_DIR + "/" + std::to_string(user);
510 std::string el4Path = USER_EL4_DIR + "/" + std::to_string(user);
511 std::string el5Path = USER_EL5_DIR + "/" + std::to_string(user);
512 if (IsDir(el1Path) || IsDir(el2Path) || IsDir(el3Path) || IsDir(el4Path) || IsDir(el5Path)) {
513 return CheckAndFixUserKeyDirectory(user);
514 }
515 std::lock_guard<std::mutex> lock(keyMutex_);
516 int ret = GenerateAndInstallUserKey(user, el1Path, NULL_KEY_AUTH, EL1_KEY);
517 if (ret) {
518 LOGE("user el1 create error");
519 return ret;
520 }
521
522 ret = GenerateAndInstallUserKey(user, el2Path, NULL_KEY_AUTH, EL2_KEY);
523 if (ret) {
524 DoDeleteUserKeys(user);
525 LOGE("user el2 create error");
526 return ret;
527 }
528 ret = GenerateAndInstallUserKey(user, el3Path, NULL_KEY_AUTH, EL3_KEY);
529 if (ret) {
530 DoDeleteUserKeys(user);
531 LOGE("user el3 create error");
532 return ret;
533 }
534 ret = GenerateAndInstallUserKey(user, el4Path, NULL_KEY_AUTH, EL4_KEY);
535 if (ret) {
536 DoDeleteUserKeys(user);
537 LOGE("user el4 create error");
538 return ret;
539 }
540 ret = GenerateAndInstallUserKey(user, el5Path, NULL_KEY_AUTH, EL5_KEY);
541 if (ret) {
542 DoDeleteUserKeys(user);
543 LOGE("user el5 create error");
544 return ret;
545 }
546 saveLockScreenStatus[user] = true;
547 return ret;
548 }
549
CheckAndFixUserKeyDirectory(unsigned int user)550 int KeyManager::CheckAndFixUserKeyDirectory(unsigned int user)
551 {
552 std::string el1NeedRestorePath = USER_EL1_DIR + "/" + std::to_string(user) + RESTORE_DIR;
553 std::error_code errCode;
554 if (std::filesystem::exists(el1NeedRestorePath, errCode)) {
555 LOGE("el1 need_restore file is existed, upgrade scene not support.");
556 return -EEXIST;
557 }
558 int ret = GenerateIntegrityDirs(user, EL1_KEY);
559 if (ret != -EEXIST) {
560 LOGE("GenerateIntegrityDirs el1 failed.");
561 }
562 ret = GenerateIntegrityDirs(user, EL2_KEY);
563 if (ret != -EEXIST) {
564 LOGE("GenerateIntegrityDirs el2 failed.");
565 }
566 return ret;
567 }
568
GenerateIntegrityDirs(int32_t userId,KeyType type)569 int KeyManager::GenerateIntegrityDirs(int32_t userId, KeyType type)
570 {
571 std::string dirType = (type == EL1_KEY) ? EL1 : EL2;
572 std::string userDir = FSCRYPT_EL_DIR + "/" + dirType;
573 uint32_t flag_type = (type == EL1_KEY) ? IStorageDaemon::CRYPTO_FLAG_EL1 : IStorageDaemon::CRYPTO_FLAG_EL2;
574 std::string versionElx = userDir + "/" + std::to_string(userId) + FSCRYPT_VERSION_DIR;
575 std::string encryptElx = userDir + "/" + std::to_string(userId) + ENCRYPT_VERSION_DIR;
576 std::string discardElx = userDir + "/" + std::to_string(userId) + SEC_DISCARD_DIR;
577 std::string shieldElx = userDir + "/" + std::to_string(userId) + SHIELD_DIR;
578 std::error_code errCode;
579 if (!std::filesystem::exists(versionElx, errCode) || !std::filesystem::exists(encryptElx, errCode) ||
580 !std::filesystem::exists(shieldElx, errCode) || !std::filesystem::exists(discardElx, errCode) ||
581 !IsWorkDirExist(dirType, userId)) {
582 LOGE("user %{public}d el %{public}d is not integrity. create error", userId, type);
583 int ret = DoDeleteUserCeEceSeceKeys(userId, userDir, type == EL1_KEY ? userEl1Key_ : userEl2Key_);
584 if (ret != E_OK) {
585 LOGE("Delete userId=%{public}d el %{public}d key failed", userId, type);
586 }
587
588 ret = GenerateUserKeyByType(userId, type, {}, {});
589 if (ret != E_OK) {
590 LOGE("upgrade scene:generate user key fail, userId %{public}d, KeyType %{public}d", userId, type);
591 return ret;
592 }
593
594 LOGI("try to destory dir first, user %{public}d, Type %{public}d", userId, type);
595 (void)UserManager::GetInstance()->DestroyUserDirs(userId, flag_type);
596 ret = UserManager::GetInstance()->PrepareUserDirs(userId, flag_type);
597 if (ret != E_OK) {
598 LOGE("upgrade scene:prepare user dirs fail, userId %{public}d, type %{public}d", userId, type);
599 return ret;
600 }
601 }
602 LOGI("userId=%{public}d el %{public}d directory is existed, no need fix.", userId, type);
603 return -EEXIST;
604 }
605
IsWorkDirExist(std::string type,int32_t userId)606 bool KeyManager::IsWorkDirExist(std::string type, int32_t userId)
607 {
608 std::string dataDir = DATA_DIR + type + "/" + std::to_string(userId);
609 std::string serviceDir = SERVICE_DIR + type + "/" + std::to_string(userId);
610 std::error_code errCode;
611 bool isExist = std::filesystem::exists(dataDir, errCode) && std::filesystem::exists(serviceDir, errCode);
612 return isExist;
613 }
614
GenerateUserKeyByType(unsigned int user,KeyType type,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)615 int KeyManager::GenerateUserKeyByType(unsigned int user, KeyType type,
616 const std::vector<uint8_t> &token,
617 const std::vector<uint8_t> &secret)
618 {
619 LOGI("start, user:%{public}u, type %{public}u", user, type);
620 if (!KeyCtrlHasFscryptSyspara()) {
621 return 0;
622 }
623
624 std::lock_guard<std::mutex> lock(keyMutex_);
625 std::string elPath = GetKeyDirByType(type);
626 if (!IsDir(elPath)) {
627 LOGI("El storage dir is not existed");
628 return -ENOENT;
629 }
630
631 std::string elUserKeyPath = elPath + + "/" + std::to_string(user);
632 if (IsDir(elUserKeyPath)) {
633 LOGE("user %{public}d el key have existed, create error", user);
634 return -EEXIST;
635 }
636 uint64_t secureUid = { 0 };
637 if (!secret.empty() && !token.empty()) {
638 IamClient::GetInstance().GetSecureUid(user, secureUid);
639 LOGE("token is exist, get secure uid");
640 }
641 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
642 int ret = GenerateAndInstallUserKey(user, elUserKeyPath, auth, type);
643 if (ret) {
644 LOGE("user el create error, user %{public}u, type %{public}u", user, type);
645 return ret;
646 }
647 LOGI("Create user el success, user %{public}u, type %{public}u", user, type);
648
649 return 0;
650 }
651
DoDeleteUserCeEceSeceKeys(unsigned int user,const std::string userDir,std::map<unsigned int,std::shared_ptr<BaseKey>> & userElKey_)652 int KeyManager::DoDeleteUserCeEceSeceKeys(unsigned int user,
653 const std::string userDir,
654 std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
655 {
656 LOGI("enter, userDir is %{public}s", userDir.c_str());
657 int ret = 0;
658 auto it = userElKey_.find(user);
659 if (it != userElKey_.end()) {
660 auto elKey = it->second;
661 if (!elKey->ClearKey()) {
662 LOGE("clear key failed");
663 ret = -E_CLEAR_KEY_FAILED;
664 }
665 userElKey_.erase(user);
666 saveLockScreenStatus.erase(user);
667 } else {
668 std::string elPath = userDir + "/" + std::to_string(user);
669 std::shared_ptr<BaseKey> elKey = GetBaseKey(elPath);
670 if (elKey == nullptr) {
671 LOGE("Malloc el1 Basekey memory failed");
672 return -ENOMEM;
673 }
674 if (!elKey->ClearKey()) {
675 LOGE("clear key failed");
676 ret = -E_CLEAR_KEY_FAILED;
677 }
678 }
679 LOGI("end, ret is %{public}d", ret);
680 return ret;
681 }
682
DoDeleteUserKeys(unsigned int user)683 int KeyManager::DoDeleteUserKeys(unsigned int user)
684 {
685 int errCode = 0;
686 int deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL1_DIR, userEl1Key_);
687 if (deleteRet != 0) {
688 LOGE("Delete el1 key failed");
689 errCode = deleteRet;
690 }
691 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL2_DIR, userEl2Key_);
692 if (deleteRet != 0) {
693 LOGE("Delete el2 key failed");
694 errCode = deleteRet;
695 }
696 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL3_DIR, userEl3Key_);
697 if (deleteRet != 0) {
698 LOGE("Delete el3 key failed");
699 errCode = deleteRet;
700 }
701 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL4_DIR, userEl4Key_);
702 if (deleteRet != 0) {
703 LOGE("Delete el4 key failed");
704 errCode = deleteRet;
705 }
706 if (IsUeceSupportWithErrno() != ENOENT) {
707 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL5_DIR, userEl5Key_);
708 if (deleteRet != 0) {
709 LOGE("Delete el5 key failed");
710 errCode = deleteRet;
711 }
712 }
713 return errCode;
714 }
715
DeleteUserKeys(unsigned int user)716 int KeyManager::DeleteUserKeys(unsigned int user)
717 {
718 LOGI("start, user:%{public}d", user);
719 if (!KeyCtrlHasFscryptSyspara()) {
720 return 0;
721 }
722
723 std::lock_guard<std::mutex> lock(keyMutex_);
724 int ret = DoDeleteUserKeys(user);
725 LOGI("delete user key end, ret is %{public}d", ret);
726
727 auto userTask = userLockScreenTask_.find(user);
728 if (userTask != userLockScreenTask_.end()) {
729 userLockScreenTask_.erase(userTask);
730 LOGI("Delete user %{public}u, erase user task", user);
731 }
732 return ret;
733 }
734
735 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,bool needGenerateShield)736 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
737 bool needGenerateShield)
738 #else
739 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret)
740 #endif
741 {
742 std::lock_guard<std::mutex> lock(keyMutex_);
743 #ifdef USER_CRYPTO_MIGRATE_KEY
744 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY, needGenerateShield);
745 if (ret != 0) {
746 LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
747 return ret;
748 }
749 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY, needGenerateShield);
750 if (ret != 0) {
751 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
752 return ret;
753 }
754 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY, needGenerateShield);
755 if (ret != 0) {
756 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
757 return ret;
758 }
759 #else
760 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY);
761 if (ret != 0) {
762 LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
763 return ret;
764 }
765 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY);
766 if (ret != 0) {
767 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
768 return ret;
769 }
770 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY);
771 if (ret != 0) {
772 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
773 return ret;
774 }
775 #endif
776 ret = UpdateESecret(user, userTokenSecret);
777 if (ret != 0) {
778 LOGE("user %{public}u UpdateESecret fail", user);
779 return ret;
780 }
781 return ret;
782 }
783
UpdateESecret(unsigned int user,struct UserTokenSecret & tokenSecret)784 int KeyManager::UpdateESecret(unsigned int user, struct UserTokenSecret &tokenSecret)
785 {
786 LOGI("UpdateESecret enter");
787 std::shared_ptr<BaseKey> el5Key = GetUserElKey(user, EL5_KEY);
788 std::string el5Path = USER_EL5_DIR + "/" + std::to_string(user);
789 if (IsUeceSupport() && el5Key == nullptr) {
790 if (!MkDirRecurse(el5Path, S_IRWXU)) {
791 LOGE("MkDirRecurse %{public}u failed!", user);
792 return -EFAULT;
793 }
794 LOGI("MkDirRecurse %{public}u success!", user);
795 el5Key = GetUserElKey(user, EL5_KEY);
796 }
797 if (el5Key == nullptr) {
798 LOGE("Have not found user %{public}u el key", user);
799 return -ENOENT;
800 }
801 if (tokenSecret.newSecret.empty()) {
802 if (!el5Key->DeleteClassEPinCode(user)) {
803 LOGE("user %{public}u DeleteClassE fail", user);
804 return -EFAULT;
805 }
806 saveESecretStatus[user] = false;
807 return 0;
808 }
809 if (!tokenSecret.newSecret.empty() && !tokenSecret.oldSecret.empty()) {
810 saveESecretStatus[user] = true;
811 if (!el5Key->ChangePinCodeClassE(saveESecretStatus[user], user)) {
812 LOGE("user %{public}u ChangePinCodeClassE fail", user);
813 return -EFAULT;
814 }
815 return 0;
816 }
817 uint32_t status = tokenSecret.oldSecret.empty() ? USER_ADD_AUTH : USER_CHANGE_AUTH;
818 LOGI("UpdateESecret status is %{public}u", status);
819 UserAuth auth = { .token = tokenSecret.token, .secret = tokenSecret.newSecret, .secureUid = tokenSecret.secureUid };
820 saveESecretStatus[user] = true;
821 if (!el5Key->EncryptClassE(auth, saveESecretStatus[user], user, status)) {
822 LOGE("user %{public}u EncryptClassE fail", user);
823 return -EFAULT;
824 }
825 LOGI("saveESecretStatus is %{public}u", saveESecretStatus[user]);
826 return 0;
827 }
828
829 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateCeEceSeceUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,KeyType type,bool needGenerateShield)830 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
831 struct UserTokenSecret &userTokenSecret,
832 KeyType type, bool needGenerateShield)
833 #else
834 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
835 struct UserTokenSecret &userTokenSecret,
836 KeyType type)
837 #endif
838 {
839 LOGI("start, user:%{public}d", user);
840 if (!KeyCtrlHasFscryptSyspara()) {
841 return 0;
842 }
843 std::shared_ptr<BaseKey> item = GetUserElKey(user, type);
844 if (item == nullptr) {
845 LOGE("Have not found user %{public}u el key", user);
846 return -ENOENT;
847 }
848
849 UserAuth auth = { {}, userTokenSecret.oldSecret, userTokenSecret.secureUid };
850 if (!userTokenSecret.oldSecret.empty()) {
851 KeyBlob token(userTokenSecret.token);
852 auth.token = std::move(token);
853 }
854 if ((item->RestoreKey(auth) == false) && (item->RestoreKey(NULL_KEY_AUTH) == false)) {
855 LOGE("Restore key error");
856 return -EFAULT;
857 }
858 if (!userTokenSecret.newSecret.empty()) {
859 KeyBlob token(userTokenSecret.token);
860 KeyBlob newSecret(userTokenSecret.newSecret);
861 auth.token = std::move(token);
862 auth.secret = std::move(newSecret);
863 } else {
864 auth.token.Clear();
865 auth.secret.Clear();
866 }
867 #ifdef USER_CRYPTO_MIGRATE_KEY
868 if (item->StoreKey(auth, needGenerateShield) == false) {
869 #else
870 if (item->StoreKey(auth) == false) {
871 #endif
872 LOGE("Store key error");
873 return -EFAULT;
874 }
875
876 userPinProtect[user] = !userTokenSecret.newSecret.empty();
877 return 0;
878 }
879
880 int KeyManager::ActiveUserKey(unsigned int user, const std::vector<uint8_t> &token,
881 const std::vector<uint8_t> &secret)
882 {
883 LOGI("start");
884 if (!KeyCtrlHasFscryptSyspara()) {
885 return 0;
886 }
887
888 if (ActiveCeSceSeceUserKey(user, EL2_KEY, token, secret) != 0) {
889 LOGI("Active user %{public}u el2 fail", user);
890 return -EFAULT;
891 }
892 if (ActiveCeSceSeceUserKey(user, EL3_KEY, token, secret) != 0) {
893 LOGI("Active user %{public}u el3 fail", user);
894 return -EFAULT;
895 }
896 if (ActiveCeSceSeceUserKey(user, EL4_KEY, token, secret) != 0) {
897 LOGI("Active user %{public}u el4 fail", user);
898 return -EFAULT;
899 }
900 if (ActiveCeSceSeceUserKey(user, EL5_KEY, token, secret) != 0) {
901 LOGI("Active user %{public}u el5 fail", user);
902 return -EFAULT;
903 }
904 if (UnlockUserAppKeys(user, true) != E_OK) {
905 LOGE("failed to delete appkey2");
906 return -EFAULT;
907 }
908 saveESecretStatus[user] = !secret.empty();
909 return 0;
910 }
911
912 std::string KeyManager::GetKeyDirByUserAndType(unsigned int user, KeyType type)
913 {
914 std::string keyDir = "";
915 switch (type) {
916 case EL1_KEY:
917 keyDir = USER_EL1_DIR + "/" + std::to_string(user);
918 break;
919 case EL2_KEY:
920 keyDir = USER_EL2_DIR + "/" + std::to_string(user);
921 break;
922 case EL3_KEY:
923 keyDir = USER_EL3_DIR + "/" + std::to_string(user);
924 break;
925 case EL4_KEY:
926 keyDir = USER_EL4_DIR + "/" + std::to_string(user);
927 break;
928 case EL5_KEY:
929 keyDir = USER_EL5_DIR + "/" + std::to_string(user);
930 break;
931 default:
932 LOGE("GetKeyDirByUserAndType type %{public}u is invalid", type);
933 break;
934 }
935 return keyDir;
936 }
937
938 std::string KeyManager::GetKeyDirByType(KeyType type)
939 {
940 std::string keyDir = "";
941 switch (type) {
942 case EL1_KEY:
943 keyDir = USER_EL1_DIR;
944 break;
945 case EL2_KEY:
946 keyDir = USER_EL2_DIR;
947 break;
948 case EL3_KEY:
949 keyDir = USER_EL3_DIR;
950 break;
951 case EL4_KEY:
952 keyDir = USER_EL4_DIR;
953 break;
954 case EL5_KEY:
955 keyDir = USER_EL5_DIR;
956 break;
957 default:
958 LOGE("GetKeyDirByType type %{public}u is invalid", type);
959 break;
960 }
961 return keyDir;
962 }
963
964 void KeyManager::SaveUserElKey(unsigned int user, KeyType type, std::shared_ptr<BaseKey> elKey)
965 {
966 switch (type) {
967 case EL1_KEY:
968 userEl1Key_[user] = elKey;
969 break;
970 case EL2_KEY:
971 userEl2Key_[user] = elKey;
972 break;
973 case EL3_KEY:
974 userEl3Key_[user] = elKey;
975 break;
976 case EL4_KEY:
977 userEl4Key_[user] = elKey;
978 break;
979 case EL5_KEY:
980 userEl5Key_[user] = elKey;
981 break;
982 default:
983 LOGE("SaveUserElKey type %{public}u is invalid", type);
984 }
985 }
986
987 std::shared_ptr<BaseKey> KeyManager::GetUserElKey(unsigned int user, KeyType type)
988 {
989 bool isNeedGenerateBaseKey = false;
990 std::shared_ptr<BaseKey> elKey = nullptr;
991 if (!HasElkey(user, type)) {
992 LOGE("Have not found user %{public}u key, type %{public}u", user, type);
993 std::string keyDir = GetKeyDirByUserAndType(user, type);
994 if (!IsDir(keyDir)) {
995 LOGE("Have not found user %{public}u el, %{public}u type", user, type);
996 return nullptr;
997 }
998 elKey = GetBaseKey(keyDir);
999 if (elKey == nullptr) {
1000 LOGE("BaseKey memory failed");
1001 return nullptr;
1002 }
1003 isNeedGenerateBaseKey = true;
1004 LOGI("Generate new baseKey type: %{public}u", type);
1005 }
1006
1007 switch (type) {
1008 case EL1_KEY:
1009 if (isNeedGenerateBaseKey) {
1010 userEl1Key_[user] = elKey;
1011 }
1012 return userEl1Key_[user];
1013 case EL2_KEY:
1014 if (isNeedGenerateBaseKey) {
1015 userEl2Key_[user] = elKey;
1016 }
1017 return userEl2Key_[user];
1018 case EL3_KEY:
1019 if (isNeedGenerateBaseKey) {
1020 userEl3Key_[user] = elKey;
1021 }
1022 return userEl3Key_[user];
1023 case EL4_KEY:
1024 if (isNeedGenerateBaseKey) {
1025 userEl4Key_[user] = elKey;
1026 }
1027 return userEl4Key_[user];
1028 case EL5_KEY:
1029 if (isNeedGenerateBaseKey) {
1030 userEl5Key_[user] = elKey;
1031 }
1032 return userEl5Key_[user];
1033 default:
1034 LOGE("GetUserElKey type %{public}u is invalid", type);
1035 return nullptr;
1036 }
1037 }
1038
1039 int KeyManager::ActiveCeSceSeceUserKey(unsigned int user,
1040 KeyType type,
1041 const std::vector<uint8_t> &token,
1042 const std::vector<uint8_t> &secret)
1043 {
1044 if (!KeyCtrlHasFscryptSyspara()) {
1045 return 0;
1046 }
1047 if (CheckUserPinProtect(user, token, secret) != E_OK) {
1048 LOGE("IAM & Storage mismatch, wait user input pin.");
1049 return -EFAULT;
1050 }
1051 std::lock_guard<std::mutex> lock(keyMutex_);
1052 if (HasElkey(user, type) && type != EL5_KEY && HashElxActived(user, type)) {
1053 LOGE("The user %{public}u el have been actived, key type is %{public}u", user, type);
1054 return 0;
1055 }
1056 std::string keyDir = GetKeyDirByUserAndType(user, type);
1057 if (keyDir == "") {
1058 return E_KEY_TYPE_INVAL;
1059 }
1060 if ((type != EL5_KEY) && !IsDir(keyDir)) {
1061 LOGE("Have not found user %{public}u el", user);
1062 return -ENOENT;
1063 }
1064 if ((type == EL5_KEY) && CheckAndDeleteEmptyEl5Directory(keyDir, user) != 0) {
1065 return -ENOENT;
1066 }
1067 std::shared_ptr<BaseKey> elKey = GetBaseKey(keyDir);
1068 if (elKey == nullptr) {
1069 LOGE("elKey failed");
1070 return -EOPNOTSUPP;
1071 }
1072 if (type == EL5_KEY) {
1073 if (ActiveUeceUserKey(user, token, secret, elKey) != 0) {
1074 LOGE("ActiveUeceUserKey failed");
1075 return -EFAULT;
1076 }
1077 return 0;
1078 }
1079 if (ActiveElXUserKey(user, token, type, secret, elKey) != 0) {
1080 LOGE("ActiveElXUserKey failed");
1081 return -EFAULT;
1082 }
1083
1084 SaveUserElKey(user, type, elKey);
1085 userPinProtect.erase(user);
1086 userPinProtect.insert(std::make_pair(user, !secret.empty()));
1087 saveLockScreenStatus[user] = true;
1088 LOGI("Active user %{public}u el success", user);
1089 LOGI("saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1090 return 0;
1091 }
1092
1093 bool KeyManager::HashElxActived(unsigned int user, KeyType type)
1094 {
1095 LOGI("enter");
1096 switch (type) {
1097 case EL1_KEY:
1098 return HasElxDesc(userEl1Key_, type, user);
1099 break;
1100 case EL2_KEY:
1101 return HasElxDesc(userEl2Key_, type, user);
1102 break;
1103 case EL3_KEY:
1104 return HasElxDesc(userEl3Key_, type, user);
1105 break;
1106 case EL4_KEY:
1107 return HasElxDesc(userEl4Key_, type, user);
1108 break;
1109 case EL5_KEY:
1110 return HasElxDesc(userEl5Key_, type, user);
1111 break;
1112 default:
1113 LOGE("key type error");
1114 break;
1115 }
1116 return false;
1117 }
1118
1119 bool KeyManager::HasElxDesc(std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
1120 KeyType type,
1121 unsigned int user)
1122 {
1123 auto it = userElKey_.find(user);
1124 auto elKey = it->second;
1125 if (it != userElKey_.end() && !elKey->KeyDesclsEmpty()) {
1126 LOGI("user el%{public}u key desc has existed", type);
1127 return true;
1128 }
1129 return false;
1130 }
1131
1132 int KeyManager::CheckAndDeleteEmptyEl5Directory(std::string keyDir, unsigned int user)
1133 {
1134 std::string keyUeceDir = UECE_DIR + "/" + std::to_string(user);
1135 if (!IsDir(keyDir) || !IsDir(keyUeceDir)) {
1136 LOGE("Have not found dir %{public}u el5", user);
1137 return -ENOENT;
1138 }
1139
1140 if (IsDir(keyDir) && std::filesystem::is_empty(keyDir)) {
1141 OHOS::ForceRemoveDirectory(keyDir);
1142 LOGE("Have removed key dir %{public}u el5", user);
1143 return -ENOENT;
1144 }
1145 return 0;
1146 }
1147
1148 bool KeyManager::GetUserDelayHandler(uint32_t userId, std::shared_ptr<DelayHandler> &delayHandler)
1149 {
1150 LOGI("enter");
1151 auto iterTask = userLockScreenTask_.find(userId);
1152 if (iterTask == userLockScreenTask_.end()) {
1153 std::shared_ptr<DelayHandler> lockScreenTask = std::make_shared<DelayHandler>(userId);
1154 userLockScreenTask_[userId] = std::make_shared<DelayHandler>(userId);
1155 }
1156 delayHandler = userLockScreenTask_[userId];
1157 if (delayHandler == nullptr) {
1158 LOGE("user %{public}d delayHandler is nullptr !", userId);
1159 return false;
1160 }
1161 return true;
1162 }
1163
1164 int KeyManager::ActiveUeceUserKey(unsigned int user,
1165 const std::vector<uint8_t> &token,
1166 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1167 {
1168 saveESecretStatus[user] = !secret.empty();
1169 LOGI("userId %{public}u, token empty %{public}d sec empty %{public}d", user, token.empty(), secret.empty());
1170 userEl5Key_[user] = elKey;
1171 UserAuth auth = { .token = token, .secret = secret };
1172 bool eBufferStatue = false;
1173 if (!elKey->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, USER_UNLOCK)) {
1174 LOGE("Unlock user %{public}u E_Class failed", user);
1175 return -EFAULT;
1176 }
1177
1178 if (!token.empty() && !secret.empty() && eBufferStatue) {
1179 if (TryToFixUeceKey(user, token, secret) != E_OK) {
1180 LOGE("TryToFixUeceKey el5 failed !");
1181 return -EFAULT;
1182 }
1183 }
1184 LOGI("ActiveCeSceSeceUserKey user %{public}u, saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1185 return 0;
1186 }
1187
1188 int KeyManager::ActiveElXUserKey(unsigned int user,
1189 const std::vector<uint8_t> &token, KeyType keyType,
1190 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1191 {
1192 if (elKey->InitKey(false) == false) {
1193 LOGE("Init el failed");
1194 return -EFAULT;
1195 }
1196 UserAuth auth = { token, secret };
1197 bool keyResult = elKey->RestoreKey(auth);
1198 bool noKeyResult = !keyResult && elKey->RestoreKey(NULL_KEY_AUTH);
1199 // key and no-key situation all failed, include upgrade situation, return err
1200 if (!keyResult && !noKeyResult) {
1201 LOGE("Restore el failed, type: %{public}u", keyType);
1202 return -EFAULT;
1203 }
1204 // if device has pwd and decrypt success, continue.otherwise try no pwd and fix situation.
1205 if (!keyResult && noKeyResult) {
1206 if (TryToFixUserCeEceSeceKey(user, keyType, token, secret) != E_OK) {
1207 LOGE("TryToFixUserCeEceSeceKey elx failed, type %{public}u", keyType);
1208 return -EFAULT;
1209 }
1210 }
1211 std::string NEED_UPDATE_PATH = GetKeyDirByUserAndType(user, keyType) + PATH_LATEST + SUFFIX_NEED_UPDATE;
1212 if (!FileExists(NEED_UPDATE_PATH) && (elKey->StoreKey(auth) == false)) {
1213 LOGE("Store el failed");
1214 return -EFAULT;
1215 }
1216 if (elKey->ActiveKey(RETRIEVE_KEY) == false) {
1217 LOGE("Active user %{public}u key failed", user);
1218 return -EFAULT;
1219 }
1220 return 0;
1221 }
1222
1223 int KeyManager::UnlockUserScreen(uint32_t user, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret)
1224 {
1225 LOGI("start");
1226 userPinProtect[user] = !secret.empty() || !token.empty();
1227 std::shared_ptr<DelayHandler> userDelayHandler;
1228 if (GetUserDelayHandler(user, userDelayHandler)) {
1229 userDelayHandler->CancelDelayTask();
1230 }
1231 auto iter = saveLockScreenStatus.find(user);
1232 if (iter == saveLockScreenStatus.end()) {
1233 saveLockScreenStatus.insert(std::make_pair(user, false));
1234 }
1235 if (!IsUserCeDecrypt(user)) {
1236 LOGE("user ce does not decrypt, skip");
1237 return 0;
1238 }
1239 if (!KeyCtrlHasFscryptSyspara()) {
1240 saveLockScreenStatus[user] = true;
1241 LOGI("saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1242 return 0;
1243 }
1244 std::lock_guard<std::mutex> lock(keyMutex_);
1245 int ret = 0;
1246 if (!UnlockEceSece(user, token, secret, ret)) {
1247 return ret;
1248 }
1249 if (!UnlockUece(user, token, secret, ret)) {
1250 return ret;
1251 }
1252 saveLockScreenStatus[user] = true;
1253 LOGI("UnlockUserScreen user %{public}u el3 and el4 success and saveLockScreenStatus is %{public}d", user,
1254 saveLockScreenStatus[user]);
1255 return 0;
1256 }
1257
1258 bool KeyManager::UnlockEceSece(uint32_t user,
1259 const std::vector<uint8_t> &token,
1260 const std::vector<uint8_t> &secret,
1261 int &ret)
1262 {
1263 auto el4Key = GetUserElKey(user, EL4_KEY);
1264 if (el4Key == nullptr) {
1265 saveLockScreenStatus[user] = true;
1266 LOGE("The user %{public}u not been actived and saveLockScreenStatus is %{public}d", user,
1267 saveLockScreenStatus[user]);
1268 ret = 0;
1269 return false;
1270 }
1271 if (!el4Key->RestoreKey({token, secret}) && !el4Key->RestoreKey(NULL_KEY_AUTH)) {
1272 LOGE("Restore user %{public}u el4 key failed", user);
1273 ret = -EFAULT;
1274 return false;
1275 }
1276 if (!el4Key->UnlockUserScreen(user, FSCRYPT_SDP_ECE_CLASS)) {
1277 LOGE("UnlockUserScreen user %{public}u el4 key failed", user);
1278 ret = -EFAULT;
1279 return false;
1280 }
1281 LOGI("DecryptClassE user %{public}u saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1282 return true;
1283 }
1284
1285 bool KeyManager::UnlockUece(uint32_t user,
1286 const std::vector<uint8_t> &token,
1287 const std::vector<uint8_t> &secret,
1288 int &ret)
1289 {
1290 UserAuth auth = {.token = token, .secret = secret};
1291 saveESecretStatus[user] = !auth.token.IsEmpty();
1292 auto el5Key = GetUserElKey(user, EL5_KEY);
1293 bool eBufferStatue = false;
1294 if (el5Key != nullptr && !el5Key->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, USER_UNLOCK)) {
1295 LOGE("Unlock user %{public}u uece failed", user);
1296 ret = -EFAULT;
1297 return false;
1298 }
1299 if (UnlockUserAppKeys(user, false) != E_OK) {
1300 LOGE("failed to delete appkey2");
1301 ret = -EFAULT;
1302 return false;
1303 }
1304 return true;
1305 }
1306
1307 int KeyManager::GetLockScreenStatus(uint32_t user, bool &lockScreenStatus)
1308 {
1309 LOGI("start");
1310 std::lock_guard<std::mutex> lock(keyMutex_);
1311 auto iter = saveLockScreenStatus.find(user);
1312 lockScreenStatus = (iter == saveLockScreenStatus.end()) ? false: iter->second;
1313 LOGI("lockScreenStatus is %{public}d", lockScreenStatus);
1314 return 0;
1315 }
1316
1317 int KeyManager::GenerateAppkey(uint32_t userId, uint32_t hashId, std::string &keyId)
1318 {
1319 if (!IsUeceSupport()) {
1320 LOGI("Not support uece !");
1321 return -ENOTSUP;
1322 }
1323 if (userEl4Key_.find(userId) == userEl4Key_.end()) {
1324 LOGE("userEl4Key_ has not existed");
1325 if (!IsUserCeDecrypt(userId)) {
1326 LOGE("user ce does not decrypt, skip");
1327 return -ENOENT;
1328 }
1329 GetUserElKey(userId, EL4_KEY);
1330 }
1331 auto el4Key = userEl4Key_[userId];
1332 if (el4Key == nullptr) {
1333 LOGE("el4Key_ is nullptr");
1334 return -ENOENT;
1335 }
1336 if (el4Key->GenerateAppkey(userId, hashId, keyId) == false) {
1337 LOGE("Failed to generate Appkey2");
1338 return -EFAULT;
1339 }
1340 return 0;
1341 }
1342
1343 int KeyManager::DeleteAppkey(uint32_t userId, const std::string keyId)
1344 {
1345 std::lock_guard<std::mutex> lock(keyMutex_);
1346 if (userEl4Key_.find(userId) == userEl4Key_.end()) {
1347 LOGE("userEl4Key_ has not existed");
1348 if (!IsUserCeDecrypt(userId)) {
1349 LOGE("user ce does not decrypt, skip");
1350 return -ENOENT;
1351 }
1352 GetUserElKey(userId, EL4_KEY);
1353 }
1354 auto el4Key = userEl4Key_[userId];
1355 if (el4Key == nullptr) {
1356 LOGE("el4Key_ is nullptr");
1357 return -ENOENT;
1358 }
1359 if (el4Key->DeleteAppkey(keyId) == false) {
1360 LOGE("Failed to delete Appkey2");
1361 return -EFAULT;
1362 }
1363 return 0;
1364 }
1365
1366 int KeyManager::UnlockUserAppKeys(uint32_t userId, bool needGetAllAppKey)
1367 {
1368 if (!IsUeceSupport()) {
1369 LOGI("E type is not support");
1370 return E_OK;
1371 }
1372 #ifdef EL5_FILEKEY_MANAGER
1373 std::vector<std::pair<int, std::string>> keyInfo;
1374 std::vector<std::pair<std::string, bool>> loadInfos;
1375 if (needGetAllAppKey) {
1376 if (El5FilekeyManagerKit::GetUserAllAppKey(userId, keyInfo) != 0) {
1377 LOGE("get user all app keys fail.");
1378 return -EFAULT;
1379 }
1380 LOGI("get user all app keys success.");
1381 } else {
1382 if (El5FilekeyManagerKit::GetUserAppKey(userId, keyInfo) != 0) {
1383 LOGE("get User Appkeys fail.");
1384 return -EFAULT;
1385 }
1386 LOGI("get User Appkeys success.");
1387 }
1388 if (keyInfo.size() == 0) {
1389 LOGE("The keyInfo is empty!");
1390 return 0;
1391 }
1392 if (userEl5Key_.find(userId) == userEl5Key_.end()) {
1393 LOGE("userEl5Key_ has not existed");
1394 return -ENOENT;
1395 }
1396 auto elKey = userEl5Key_[userId];
1397 std::string keyId;
1398 for (auto keyInfoAppUid :keyInfo) {
1399 if (elKey->GenerateAppkey(userId, keyInfoAppUid.first, keyId) == false) {
1400 LOGE("Failed to Generate Appkey2!");
1401 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1402 }
1403 if (keyInfoAppUid.second != keyId) {
1404 LOGE("The keyId check fails!");
1405 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1406 }
1407 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, true));
1408 }
1409 if (El5FilekeyManagerKit::ChangeUserAppkeysLoadInfo(userId, loadInfos) != 0) {
1410 LOGE("Change User Appkeys LoadInfo fail.");
1411 return -EFAULT;
1412 }
1413 #endif
1414 LOGI("UnlockUserAppKeys success!");
1415 return E_OK;
1416 }
1417
1418 int KeyManager::InActiveUserKey(unsigned int user)
1419 {
1420 LOGI("start");
1421 if (!KeyCtrlHasFscryptSyspara()) {
1422 return 0;
1423 }
1424 std::lock_guard<std::mutex> lock(keyMutex_);
1425 int ret = InactiveUserElKey(user, userEl2Key_);
1426 if (ret != E_OK) {
1427 LOGE("Inactive userEl2Key_ failed");
1428 return ret;
1429 }
1430 ret = InactiveUserElKey(user, userEl3Key_);
1431 if (ret != E_OK) {
1432 LOGE("Inactive userEl3Key_ failed");
1433 return ret;
1434 }
1435 ret = InactiveUserElKey(user, userEl4Key_);
1436 if (ret != E_OK) {
1437 LOGE("Inactive userEl4Key_ failed");
1438 return ret;
1439 }
1440 ret = InactiveUserElKey(user, userEl5Key_);
1441 if (ret != E_OK) {
1442 LOGE("Inactive userEl5Key_ failed");
1443 return ret;
1444 }
1445 auto userTask = userLockScreenTask_.find(user);
1446 if (userTask != userLockScreenTask_.end()) {
1447 userLockScreenTask_.erase(userTask);
1448 LOGI("InActive user %{public}u, erase user task", user);
1449 }
1450 return 0;
1451 }
1452
1453 int KeyManager::InactiveUserElKey(unsigned int user, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElxKey_)
1454 {
1455 if (userElxKey_.find(user) == userElxKey_.end()) {
1456 LOGE("Have not found user %{public}u el2", user);
1457 return -ENOENT;
1458 }
1459 auto elKey = userElxKey_[user];
1460 if (elKey->InactiveKey(USER_LOGOUT) == false) {
1461 LOGE("Clear user %{public}u key failed", user);
1462 return -EFAULT;
1463 }
1464 userElxKey_.erase(user);
1465 LOGI("Inactive user %{public}u elX success", user);
1466 return 0;
1467 }
1468
1469 int KeyManager::LockUserScreen(uint32_t user)
1470 {
1471 LOGI("start");
1472 std::lock_guard<std::mutex> lock(keyMutex_);
1473 if (!IsUserCeDecrypt(user)) {
1474 LOGE("user ce does not decrypt, skip");
1475 return 0;
1476 }
1477 CheckAndClearTokenInfo(user);
1478 auto iter = userPinProtect.find(user);
1479 if (iter == userPinProtect.end() || iter->second == false) {
1480 if (!IamClient::GetInstance().HasPinProtect(user)) {
1481 LOGI("Has no pin protect, saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1482 return 0;
1483 }
1484 userPinProtect.erase(user);
1485 userPinProtect.insert(std::make_pair(user, true));
1486 }
1487 iter = saveLockScreenStatus.find(user);
1488 if (iter == saveLockScreenStatus.end()) {
1489 saveLockScreenStatus.insert(std::make_pair(user, false));
1490 }
1491 if (!KeyCtrlHasFscryptSyspara()) {
1492 saveLockScreenStatus[user] = false;
1493 LOGI("KeyCtrlHasFscryptSyspara is false, saveLockScreenStatus is %{public}d",
1494 saveLockScreenStatus[user]);
1495 return 0;
1496 }
1497 auto el5Key = GetUserElKey(user, EL5_KEY);
1498 saveESecretStatus[user] = true;
1499 if (el5Key != nullptr && !el5Key->LockUece(saveESecretStatus[user])) {
1500 LOGE("lock user %{public}u el5 key failed !", user);
1501 }
1502 auto el4Key = GetUserElKey(user, EL4_KEY);
1503 if (el4Key == nullptr) {
1504 LOGE("Have not found user %{public}u el3 or el4", user);
1505 return -ENOENT;
1506 }
1507 std::shared_ptr<DelayHandler> userDelayHandler;
1508 if (GetUserDelayHandler(user, userDelayHandler)) {
1509 userDelayHandler->StartDelayTask(el4Key);
1510 }
1511
1512 saveLockScreenStatus[user] = false;
1513 LOGI("LockUserScreen user %{public}u el3 and el4 success, saveLockScreenStatus is %{public}d",
1514 user, saveLockScreenStatus[user]);
1515 return 0;
1516 }
1517
1518 int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std::vector<FileList> &vec)
1519 {
1520 LOGI("start");
1521 if (!KeyCtrlHasFscryptSyspara()) {
1522 return 0;
1523 }
1524 std::string keyPath;
1525 std::string eceSeceKeyPath;
1526 std::lock_guard<std::mutex> lock(keyMutex_);
1527 if (type == EL1_KEY) {
1528 if (userEl1Key_.find(user) == userEl1Key_.end()) {
1529 LOGE("Have not found user %{public}u el1 key, not enable el1", user);
1530 return -ENOENT;
1531 }
1532 keyPath = userEl1Key_[user]->GetDir();
1533 } else if (type == EL2_KEY || type == EL3_KEY || type == EL4_KEY || type == EL5_KEY) {
1534 if (userEl2Key_.find(user) == userEl2Key_.end()) {
1535 LOGE("Have not found user %{public}u el2 key, not enable el2", user);
1536 return -ENOENT;
1537 }
1538 keyPath = userEl2Key_[user]->GetDir();
1539 } else {
1540 LOGE("Not specify el flags, no need to crypt");
1541 return 0;
1542 }
1543 if (getEceSeceKeyPath(user, type, eceSeceKeyPath) != 0) {
1544 LOGE("method getEceSeceKeyPath fail");
1545 return -ENOENT;
1546 }
1547 for (auto item : vec) {
1548 int ret = LoadAndSetPolicy(keyPath.c_str(), item.path.c_str());
1549 if (ret != 0) {
1550 LOGE("Set directory el policy error, ret: %{public}d", ret);
1551 return -EFAULT;
1552 }
1553 }
1554 if (type == EL3_KEY || type == EL4_KEY) {
1555 for (auto item : vec) {
1556 if (LoadAndSetEceAndSecePolicy(eceSeceKeyPath.c_str(), item.path.c_str(), static_cast<int>(type)) != 0) {
1557 LOGE("Set directory el policy error!");
1558 return -EFAULT;
1559 }
1560 }
1561 }
1562 LOGI("Set user %{public}u el policy success", user);
1563 return 0;
1564 }
1565
1566 int KeyManager::getEceSeceKeyPath(unsigned int user, KeyType type, std::string &eceSeceKeyPath)
1567 {
1568 if (type == EL3_KEY) {
1569 if (userEl3Key_.find(user) == userEl3Key_.end()) {
1570 LOGI("Have not found user %{public}u el3 key, not enable el3", user);
1571 return -ENOENT;
1572 }
1573 eceSeceKeyPath = userEl3Key_[user]->GetDir();
1574 }
1575 if (type == EL4_KEY) {
1576 if (userEl4Key_.find(user) == userEl4Key_.end()) {
1577 LOGI("Have not found user %{public}u el4 key, not enable el4", user);
1578 return -ENOENT;
1579 }
1580 eceSeceKeyPath = userEl4Key_[user]->GetDir();
1581 }
1582 return 0;
1583 }
1584
1585 int KeyManager::UpdateCeEceSeceKeyContext(uint32_t userId, KeyType type)
1586 {
1587 LOGI("start");
1588 if (!KeyCtrlHasFscryptSyspara()) {
1589 return 0;
1590 }
1591 std::lock_guard<std::mutex> lock(keyMutex_);
1592 if (HasElkey(userId, type) == false) {
1593 LOGE("Have not found user %{public}u el%{public}u", userId, type);
1594 return -ENOENT;
1595 }
1596 std::shared_ptr<BaseKey> elKey = GetUserElKey(userId, type);
1597 if (elKey == nullptr) {
1598 LOGE("Have not found user %{public}u, type el%{public}u", userId, type);
1599 return -ENOENT;
1600 }
1601 if (!elKey->UpdateKey()) {
1602 LOGE("Basekey update newest context failed");
1603 return -EFAULT;
1604 }
1605 return 0;
1606 }
1607
1608 int KeyManager::UpdateKeyContext(uint32_t userId)
1609 {
1610 LOGI("UpdateKeyContext enter");
1611 int ret = UpdateCeEceSeceKeyContext(userId, EL2_KEY);
1612 if (ret != 0) {
1613 LOGE("Basekey update EL2 newest context failed");
1614 return ret;
1615 }
1616 ret = UpdateCeEceSeceKeyContext(userId, EL3_KEY);
1617 if (ret != 0) {
1618 LOGE("Basekey update EL3 newest context failed");
1619 return ret;
1620 }
1621 ret = UpdateCeEceSeceKeyContext(userId, EL4_KEY);
1622 if (ret != 0) {
1623 LOGE("Basekey update EL4 newest context failed");
1624 return ret;
1625 }
1626 if (IsUeceSupport() && saveESecretStatus[userId]) {
1627 ret = UpdateCeEceSeceKeyContext(userId, EL5_KEY);
1628 }
1629 if (ret != 0) {
1630 LOGE("Basekey update EL5 newest context failed");
1631 return ret;
1632 }
1633 LOGI("Basekey update key context success");
1634 return 0;
1635 }
1636
1637 bool KeyManager::IsUeceSupport()
1638 {
1639 int fd = open(UECE_PATH, O_RDWR);
1640 if (fd < 0) {
1641 if (errno == ENOENT) {
1642 LOGE("uece does not support !");
1643 }
1644 LOGE("open uece failed, errno : %{public}d", errno);
1645 return false;
1646 }
1647 close(fd);
1648 LOGI("uece is support.");
1649 return true;
1650 }
1651
1652 int KeyManager::IsUeceSupportWithErrno()
1653 {
1654 int fd = open(UECE_PATH, O_RDWR);
1655 if (fd < 0) {
1656 if (errno == ENOENT) {
1657 LOGE("uece does not support !");
1658 return ENOENT;
1659 }
1660 LOGE("open uece failed, errno : %{public}d", errno);
1661 return errno;
1662 }
1663 close(fd);
1664 LOGI("uece is support.");
1665 return E_OK;
1666 }
1667
1668 int KeyManager::UpgradeKeys(const std::vector<FileList> &dirInfo)
1669 {
1670 for (const auto &it : dirInfo) {
1671 std::shared_ptr<BaseKey> elKey = GetBaseKey(it.path);
1672 if (elKey == nullptr) {
1673 LOGE("Basekey memory failed");
1674 continue;
1675 }
1676 elKey->UpgradeKeys();
1677 }
1678 return 0;
1679 }
1680
1681 int KeyManager::GetFileEncryptStatus(uint32_t userId, bool &isEncrypted, bool needCheckDirMount)
1682 {
1683 LOGI("Begin check encrypted status, userId is %{public}d, needCheckDirMount is %{public}d",
1684 userId, needCheckDirMount);
1685 isEncrypted = true;
1686 const char rootPath[] = "/data/app/el2/";
1687 const char basePath[] = "/base";
1688 size_t allPathSize = strlen(rootPath) + strlen(basePath) + 1 + USER_ID_SIZE_VALUE;
1689 char *path = reinterpret_cast<char *>(malloc(sizeof(char) * (allPathSize)));
1690 if (path == nullptr) {
1691 LOGE("Failed to malloce path.");
1692 return -ENOENT;
1693 }
1694 int len = sprintf_s(path, allPathSize, "%s%u%s", rootPath, userId, basePath);
1695 if (len <= 0 || (size_t)len >= allPathSize) {
1696 free(path);
1697 LOGE("Failed to get base path");
1698 return -ENOENT;
1699 }
1700 if (access(path, F_OK) != 0) {
1701 free(path);
1702 LOGI("This is encrypted status");
1703 return E_OK;
1704 }
1705 free(path);
1706 if (needCheckDirMount && !MountManager::GetInstance()->CheckMountFileByUser(userId)) {
1707 LOGI("The virturalDir is not exists.");
1708 return E_OK;
1709 }
1710 isEncrypted = false;
1711 LOGI("This is unencrypted status");
1712 return E_OK;
1713 }
1714
1715 bool KeyManager::IsUserCeDecrypt(uint32_t userId)
1716 {
1717 bool isCeEncrypt = false;
1718 int ret = GetFileEncryptStatus(userId, isCeEncrypt);
1719 if (ret != E_OK || isCeEncrypt) {
1720 LOGE("User %{public}d de has not decrypt.", userId);
1721 return false;
1722 }
1723 LOGI("User %{public}d de decrypted.", userId);
1724 return true;
1725 }
1726
1727 void KeyManager::CheckAndClearTokenInfo(uint32_t user)
1728 {
1729 bool isExist = false;
1730 if (IamClient::GetInstance().HasFaceFinger(user, isExist) == 0 && !isExist) {
1731 LOGI("Toke info is not exist.");
1732 if ((userEl3Key_.find(user) != userEl3Key_.end()) && (userEl3Key_[user] != nullptr)) {
1733 userEl3Key_[user]->ClearMemoryKeyCtx();
1734 }
1735 if ((userEl4Key_.find(user) != userEl4Key_.end()) && (userEl4Key_[user] != nullptr)) {
1736 userEl4Key_[user]->ClearMemoryKeyCtx();
1737 }
1738 }
1739 }
1740
1741 int KeyManager::CheckUserPinProtect(unsigned int userId,
1742 const std::vector<uint8_t> &token,
1743 const std::vector<uint8_t> &secret)
1744 {
1745 LOGI("enter CheckUserPinProtect");
1746 // judge if device has PIN protect
1747 if ((token.empty() && secret.empty()) && IamClient::GetInstance().HasPinProtect(userId)) {
1748 LOGE("User %{public}d has pin code protect.", userId);
1749 return E_ERR;
1750 }
1751 return E_OK;
1752 }
1753
1754 int KeyManager::TryToFixUserCeEceSeceKey(unsigned int userId,
1755 KeyType keyType,
1756 const std::vector<uint8_t> &token,
1757 const std::vector<uint8_t> &secret)
1758 {
1759 LOGI("enter TryToFixUserCeEceSeceKey");
1760 keyMutex_.unlock();
1761 if (!IamClient::GetInstance().HasPinProtect(userId)) {
1762 LOGE("User %{public}d has no pin code protect.", userId);
1763 return E_OK;
1764 }
1765
1766 uint64_t secureUid = { 0 };
1767 if (!secret.empty() && !token.empty()) {
1768 IamClient::GetInstance().GetSecureUid(userId, secureUid);
1769 LOGE("Pin code is exist, get secure uid.");
1770 }
1771 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
1772 UserTokenSecret userTokenSecret = { .token = token, .oldSecret = {}, .newSecret = secret, .secureUid = secureUid };
1773
1774 #ifdef USER_CRYPTO_MIGRATE_KEY
1775 if (UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType, false) != E_OK) {
1776 #else
1777 if (UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType) != E_OK) {
1778 #endif
1779 LOGE("try to fix elx key failed !");
1780 return -EFAULT;
1781 }
1782 if (UpdateCeEceSeceKeyContext(userId, keyType) != E_OK) {
1783 LOGE("try to fix elx key context failed !");
1784 return -EFAULT;
1785 }
1786 return E_OK;
1787 }
1788
1789 int KeyManager::TryToFixUeceKey(unsigned int userId,
1790 const std::vector<uint8_t> &token,
1791 const std::vector<uint8_t> &secret)
1792 {
1793 LOGI("enter TryToFixUeceKey");
1794 keyMutex_.unlock();
1795 if (!IamClient::GetInstance().HasPinProtect(userId)) {
1796 LOGE("User %{public}d has no pin code protect.", userId);
1797 return E_OK;
1798 }
1799
1800 uint64_t secureUid = { 0 };
1801 if (!secret.empty() && !token.empty()) {
1802 IamClient::GetInstance().GetSecureUid(userId, secureUid);
1803 LOGE("Pin code is exist, get secure uid.");
1804 }
1805 UserAuth auth = { .token=token, .secret=secret, .secureUid = secureUid };
1806 UserTokenSecret tokenSecret = { .token = token, .oldSecret = { }, .newSecret = secret, .secureUid = secureUid};
1807
1808 if (UpdateESecret(userId, tokenSecret) != E_OK) {
1809 LOGE("try to fix elx key failed !");
1810 return -EFAULT;
1811 }
1812 if (UpdateCeEceSeceKeyContext(userId, EL5_KEY) != E_OK) {
1813 LOGE("try to fix elx key context failed !");
1814 return -EFAULT;
1815 }
1816 return E_OK;
1817 }
1818
1819 #ifdef USER_CRYPTO_MIGRATE_KEY
1820 int KeyManager::RestoreUserKey(uint32_t userId, KeyType type)
1821 {
1822 LOGI("start, user is %{public}u , type is %{public}d", userId, type);
1823 std::string dir = GetKeyDirByUserAndType(userId, type);
1824 if (dir == "") {
1825 LOGE("type is invalid, %{public}u", type);
1826 return -EFAULT;
1827 }
1828
1829 if (!IsDir(dir)) {
1830 LOGE("dir not exist");
1831 return -ENOENT;
1832 }
1833 return RestoreUserKey(userId, dir, NULL_KEY_AUTH, type);
1834 }
1835 #endif
1836 } // namespace StorageDaemon
1837 } // namespace OHOS
1838