1 /* 2 * Copyright (c) 2021-2024 Huawei Device Co., Ltd. 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 #ifndef STORAGE_DAEMON_CRYPTO_KEYMANAGER_H 17 #define STORAGE_DAEMON_CRYPTO_KEYMANAGER_H 18 19 #include <iostream> 20 #include <map> 21 #include <memory> 22 #include <mutex> 23 24 #include "base_key.h" 25 #include "crypto_delay_handler.h" 26 #include "key_blob.h" 27 #include "ipc/storage_daemon.h" 28 #include "storage_service_constant.h" 29 #include "utils/file_utils.h" 30 31 namespace OHOS { 32 namespace StorageDaemon { 33 const std::string FSCRYPT_USER_EL1_PUBLIC = std::string() + "/data/service/el1/public"; 34 const std::string SERVICE_STORAGE_DAEMON_DIR = FSCRYPT_USER_EL1_PUBLIC + "/storage_daemon"; 35 const std::string FSCRYPT_EL_DIR = SERVICE_STORAGE_DAEMON_DIR + "/sd"; 36 const std::string USER_EL1_DIR = FSCRYPT_EL_DIR + "/el1"; 37 const std::string USER_EL2_DIR = FSCRYPT_EL_DIR + "/el2"; 38 const std::string USER_EL3_DIR = FSCRYPT_EL_DIR + "/el3"; 39 const std::string USER_EL4_DIR = FSCRYPT_EL_DIR + "/el4"; 40 const std::string USER_EL5_DIR = FSCRYPT_EL_DIR + "/el5"; 41 const std::string UECE_DIR = "data/app/el5"; 42 const std::string DATA_DIR = "data/app/"; 43 const std::string SERVICE_DIR = "data/service/"; 44 const std::string FSCRYPT_VERSION_DIR = "/fscrypt_version"; 45 const std::string ENCRYPT_VERSION_DIR = "/latest/encrypted"; 46 const std::string SEC_DISCARD_DIR = "/latest/sec_discard"; 47 const std::string SHIELD_DIR = "/latest/shield"; 48 const std::string RESTORE_DIR = "/latest/need_restore"; 49 50 class KeyManager { 51 public: GetInstance(void)52 static KeyManager *GetInstance(void) 53 { 54 static KeyManager instance; 55 return &instance; 56 } 57 int InitGlobalDeviceKey(void); 58 int InitGlobalUserKeys(void); 59 int GenerateUserKeys(unsigned int user, uint32_t flags); 60 int DeleteUserKeys(unsigned int user); 61 62 #ifdef USER_CRYPTO_MIGRATE_KEY 63 int UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret, 64 bool needGenerateShield = true); 65 int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret, 66 KeyType type, bool needGenerateShield); 67 #else 68 int UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret); 69 int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret, 70 KeyType type); 71 72 #endif 73 int ActiveUserKey(unsigned int user, const std::vector<uint8_t> &token, 74 const std::vector<uint8_t> &secret); 75 int ActiveCeSceSeceUserKey(unsigned int user, KeyType type, const std::vector<uint8_t> &token, 76 const std::vector<uint8_t> &secret); 77 int InActiveUserKey(unsigned int user); 78 int SetDirectoryElPolicy(unsigned int user, KeyType type, 79 const std::vector<FileList> &vec); 80 int UpdateKeyContext(uint32_t userId); 81 int UpdateCeEceSeceKeyContext(uint32_t userId, KeyType type); 82 int getEceSeceKeyPath(unsigned int user, KeyType type, std::string &eceSeceKeyPath); 83 int LockUserScreen(uint32_t user); 84 int UnlockUserScreen(uint32_t user, const std::vector<uint8_t> &token, 85 const std::vector<uint8_t> &secret); 86 int GetLockScreenStatus(uint32_t user, bool &lockScreenStatus); 87 int GenerateAppkey(uint32_t user, uint32_t hashId, std::string &keyId); 88 int DeleteAppkey(uint32_t user, const std::string keyId); 89 int UnlockUserAppKeys(uint32_t userId, bool needGetAllAppKey); 90 int GetFileEncryptStatus(uint32_t userId, bool &isEncrypted, bool needCheckDirMount = false); 91 #ifdef USER_CRYPTO_MIGRATE_KEY 92 int RestoreUserKey(uint32_t userId, KeyType type); 93 #endif 94 std::string GetKeyDirByUserAndType(unsigned int user, KeyType type); 95 std::string GetKeyDirByType(KeyType type); 96 int GenerateUserKeyByType(unsigned int user, KeyType type, 97 const std::vector<uint8_t> &token, 98 const std::vector<uint8_t> &secret); 99 int TryToFixUserCeEceSeceKey(unsigned int userId, KeyType type, 100 const std::vector<uint8_t> &token, 101 const std::vector<uint8_t> &secret); 102 int TryToFixUeceKey(unsigned int userId, 103 const std::vector<uint8_t> &token, 104 const std::vector<uint8_t> &secret); 105 private: KeyManager()106 KeyManager() 107 { 108 hasGlobalDeviceKey_ = false; 109 } ~KeyManager()110 ~KeyManager() {} 111 int GenerateAndInstallDeviceKey(const std::string &dir); 112 int RestoreDeviceKey(const std::string &dir); 113 int GenerateAndInstallUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type); 114 int GenerateAndInstallEl5Key(uint32_t userId, const std::string &dir, const UserAuth &auth); 115 int RestoreUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type); 116 int LoadAllUsersEl1Key(void); 117 int InitUserElkeyStorageDir(void); 118 bool HasElkey(uint32_t userId, KeyType type); 119 int DoDeleteUserKeys(unsigned int user); 120 int DoDeleteUserCeEceSeceKeys(unsigned int user, const std::string userDir, 121 std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_); 122 int UpgradeKeys(const std::vector<FileList> &dirInfo); 123 int UpdateESecret(unsigned int user, struct UserTokenSecret &tokenSecret); 124 bool ResetESecret(unsigned int user, std::shared_ptr<BaseKey> &elKey); 125 std::shared_ptr<BaseKey> GetBaseKey(const std::string& dir); 126 std::shared_ptr<BaseKey> GetUserElKey(unsigned int user, KeyType type); 127 void SaveUserElKey(unsigned int user, KeyType type, std::shared_ptr<BaseKey> elKey); 128 bool IsNeedClearKeyFile(std::string file); 129 void ProcUpgradeKey(const std::vector<FileList> &dirInfo); 130 int GenerateElxAndInstallUserKey(unsigned int user); 131 int ActiveUeceUserKey(unsigned int user, 132 const std::vector<uint8_t> &token, 133 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey); 134 int ActiveElXUserKey(unsigned int user, 135 const std::vector<uint8_t> &token, KeyType keyType, 136 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey); 137 int InactiveUserElKey(unsigned int user, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElxKey_); 138 int CheckAndDeleteEmptyEl5Directory(std::string keyDir, unsigned int user); 139 bool GetUserDelayHandler(uint32_t userId, std::shared_ptr<DelayHandler> &delayHandler); 140 bool IsUeceSupport(); 141 int IsUeceSupportWithErrno(); 142 bool IsUserCeDecrypt(uint32_t userId); 143 int32_t UnlockEceSece(uint32_t user, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret); 144 int32_t UnlockUece(uint32_t user, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret); 145 int CheckUserPinProtect(unsigned int userId, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret); 146 bool HashElxActived(unsigned int user, KeyType type); 147 bool HasElxDesc(std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_, KeyType type, unsigned int user); 148 bool IsWorkDirExist(std::string type, int32_t userId); 149 int GenerateIntegrityDirs(int32_t userId, KeyType type); 150 int CheckAndFixUserKeyDirectory(unsigned int user); 151 152 std::map<unsigned int, std::shared_ptr<BaseKey>> userEl1Key_; 153 std::map<unsigned int, std::shared_ptr<BaseKey>> userEl2Key_; 154 std::map<unsigned int, std::shared_ptr<BaseKey>> userEl3Key_; 155 std::map<unsigned int, std::shared_ptr<BaseKey>> userEl4Key_; 156 std::map<unsigned int, std::shared_ptr<BaseKey>> userEl5Key_; 157 std::map<unsigned int, std::shared_ptr<DelayHandler>> userLockScreenTask_; 158 std::shared_ptr<BaseKey> globalEl1Key_ { nullptr }; 159 std::map<unsigned int, bool> userPinProtect; 160 std::map<unsigned int, bool> saveLockScreenStatus; 161 std::map<unsigned int, bool> saveESecretStatus; 162 std::mutex keyMutex_; 163 bool hasGlobalDeviceKey_; 164 }; 165 } // namespace StorageDaemon 166 } // namespace OHOS 167 168 #endif // STORAGE_DAEMON_CRYPTO_KEYMANAGER_H 169