Allow system_server to call IKeystoreMaintenance.deleteAllKeys()
This allows RecoverySystem to destroy all synthetic blob protector keys
and make FBE-encrypted data unrecoverable even if data wipe in recovery
is interrupted or skipped.

Bug: 324321147
Test: Manual - System -> Reset options -> Erase all data.
Test: Hold VolDown key to interrupt reboot and stop at bootloader
screen.
Test: fastboot oem bcd wipe command && fastboot oem bcd wipe recovery
Test: fastboot reboot
Test: Device reboots into recovery and prompts to factory reset:
Test: 'Cannot load Android system. Your data may be corrupt. ...
(cherry picked from https://android-review.googlesource.com/q/commit:3941b6874350fb1c8558fcd539ec0ec5038c1d7e)
(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:72313f580e19af6fbbe95187881c4771a0f2416b)
Merged-In: I5be2f9e8314d36448994f4f14ff585ded7095c8c
Change-Id: I5be2f9e8314d36448994f4f14ff585ded7095c8c
nelenkov authored and aoleary committed Sep 17, 2024
1 parent 93985c1 commit da3bbdc
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions prebuilts/api/33.0/private/system_server.te
Expand Up @@ -970,6 +970,7 @@ allow system_server keystore:keystore2 {
clear_ns
clear_uid
get_state
delete_all_keys
lock
pull_metrics
reset
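
Review bot: delete_all_keys is inserted between get_state and lock, which breaks the alphabetical order the neighbouring permissions (clear_ns, clear_uid, get_state, lock, pull_metrics, reset) otherwise follow; placing it directly after clear_uid keeps the list sorted and easier to audit. This copy lives under prebuilts/api/33.0, and the commit message does not say why the versioned file is changed together with private/system_server.te, so a sentence in the message covering that would help anyone later comparing the two files.
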
1 change: 1 addition & 0 deletions private/system_server.te
Expand Up @@ -970,6 +970,7 @@ allow system_server keystore:keystore2 {
clear_ns
clear_uid
get_state
delete_all_keys
lock
pull_metrics
reset
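
Review bot: the new delete_all_keys entry in the allow system_server keystore:keystore2 block has no comment, even though the commit message describes it as a destructive permission needed by a single caller, RecoverySystem, on the factory-reset path. The rule grants it to the whole system_server domain, so add a comment above the entry naming the caller (RecoverySystem via IKeystoreMaintenance.deleteAllKeys()) and Bug 324321147. That lets a later least-privilege audit of this block tell why the permission is present and who is expected to use it.
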
