authorPaul Crowley <paulcrowley@google.com>2021-04-08 17:33:31 -0700
committerPaul Crowley <paulcrowley@google.com>2021-04-27 10:34:33 -0700
commit336b5db80970f5539ced3cd2f0b73c8b7a6aa116 (patch)
treecbaadfe977f3a56cbec4ffd2933b72d8031592c8 /keystore
parent4459123d4932a2f4091115a5141d2ca63747ca09 (diff)
Tell keystore which SIDs can unlock this user
If biometric unlock is enabled, we tell keystore at lock time so that a key can be set up in KM which unlocks UNLOCKED_DEVICE_REQUIRED keys based on auth tokens carrying those SIDs. This also has the effect that if there is no biometric unlock, UNLOCKED_DEVICE_REQUIRED keys have full cryptographic protection, per NIAP requirements. Test: aosp/1686345 Bug: 163866361 Change-Id: Ia4d01faa998c76b2b33ad3520730466ac59e6d8d
Diffstat (limited to 'keystore')
-rw-r--r--keystore/java/android/security/Authorization.java9
1 files changed, 6 insertions, 3 deletions
diff --git a/keystore/java/android/security/Authorization.java b/keystore/java/android/security/Authorization.java
index bd72d45297c1..00219e7f28ac 100644
--- a/keystore/java/android/security/Authorization.java
+++ b/keystore/java/android/security/Authorization.java
@@ -74,16 +74,19 @@ public class Authorization {
* @param locked - whether it is a lock (true) or unlock (false) event
* @param syntheticPassword - if it is an unlock event with the password, pass the synthetic
* password provided by the LockSettingService
+ * @param unlockingSids - KeyMint secure user IDs that should be permitted to unlock
+ * UNLOCKED_DEVICE_REQUIRED keys.
*
* @return 0 if successful or a {@code ResponseCode}.
*/
public static int onLockScreenEvent(@NonNull boolean locked, @NonNull int userId,
- @Nullable byte[] syntheticPassword) {
+ @Nullable byte[] syntheticPassword, @Nullable long[] unlockingSids) {
try {
if (locked) {
- getService().onLockScreenEvent(LockScreenEvent.LOCK, userId, null);
+ getService().onLockScreenEvent(LockScreenEvent.LOCK, userId, null, unlockingSids);
} else {
- getService().onLockScreenEvent(LockScreenEvent.UNLOCK, userId, syntheticPassword);
+ getService().onLockScreenEvent(
+ LockScreenEvent.UNLOCK, userId, syntheticPassword, unlockingSids);
}
return 0;
} catch (RemoteException | NullPointerException e) {
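Review bot: The new `unlockingSids` javadoc does not say what a null or empty array means, nor whether the value is used on the unlock path, where the hunk forwards it unchanged next to `syntheticPassword`. The commit description implies that the list is supplied at lock time and that having no SIDs leaves UNLOCKED_DEVICE_REQUIRED keys under full cryptographic protection, so this contract is security-relevant and belongs on the parameter; if it matches the service's behaviour, something like `@param unlockingSids - KeyMint secure user IDs permitted to unlock UNLOCKED_DEVICE_REQUIRED keys; consulted on lock events, null or empty when no biometric unlock is enabled`. If the service ignores the array on UNLOCK (not visible here), passing `null` in that branch, as the LOCK branch already does for the password, would stop callers from assuming SIDs can be registered at unlock time. The body of onLockScreenEvent continues past the end of the hunk, so the error handling could not be reviewed.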