1 /*
2 * Copyright (C) 2022-2024 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 #include "key_manager.h"
17
18 #include <fcntl.h>
19 #include <filesystem>
20 #include <string>
21
22 #include "base_key.h"
23 #include "directory_ex.h"
24 #include "file_ex.h"
25 #include "fscrypt_key_v1.h"
26 #include "fscrypt_key_v2.h"
27 #include "iam_client.h"
28 #include "libfscrypt/fscrypt_control.h"
29 #include "libfscrypt/key_control.h"
30 #include "parameter.h"
31 #include "storage_service_constant.h"
32 #include "storage_service_errno.h"
33 #include "storage_service_log.h"
34 #include "user/mount_manager.h"
35 #include "user/user_manager.h"
36 #include "utils/storage_radar.h"
37 #ifdef EL5_FILEKEY_MANAGER
38 #include "el5_filekey_manager_kit.h"
39 #endif
40 #ifdef EL5_FILEKEY_MANAGER
41 using namespace OHOS::Security::AccessToken;
42 #endif
43
44 using namespace OHOS::StorageService;
45 namespace OHOS {
46 namespace StorageDaemon {
47 const UserAuth NULL_KEY_AUTH = {};
48 const std::string DEFAULT_NEED_RESTORE_VERSION = "1";
49 constexpr const char *UECE_PATH = "/dev/fbex_uece";
50
GetBaseKey(const std::string & dir)51 std::shared_ptr<BaseKey> KeyManager::GetBaseKey(const std::string& dir)
52 {
53 uint8_t versionFromPolicy = GetFscryptVersionFromPolicy();
54 uint8_t kernelSupportVersion = KeyCtrlGetFscryptVersion(MNT_DATA.c_str());
55 if (kernelSupportVersion == FSCRYPT_INVALID) {
56 LOGE("kernel not support fscrypt");
57 return nullptr;
58 }
59 if ((versionFromPolicy == kernelSupportVersion) && (kernelSupportVersion == FSCRYPT_V2)) {
60 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV2>(dir));
61 }
62 if (versionFromPolicy != kernelSupportVersion) {
63 LOGE("version from policy %{public}u not same as version from kernel %{public}u", versionFromPolicy,
64 kernelSupportVersion);
65 }
66 return std::dynamic_pointer_cast<BaseKey>(std::make_shared<FscryptKeyV1>(dir));
67 }
68
GenerateAndInstallDeviceKey(const std::string & dir)69 int KeyManager::GenerateAndInstallDeviceKey(const std::string &dir)
70 {
71 LOGW("enter");
72 globalEl1Key_ = GetBaseKey(dir);
73 if (globalEl1Key_ == nullptr) {
74 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_NULLPTR, "EL1", "");
75 return E_GLOBAL_KEY_NULLPTR;
76 }
77
78 if (globalEl1Key_->InitKey(true) == false) {
79 globalEl1Key_ = nullptr;
80 LOGE("global security key init failed");
81 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_INIT_ERROR, "EL1", "");
82 return E_GLOBAL_KEY_INIT_ERROR;
83 }
84
85 if (globalEl1Key_->StoreKey(NULL_KEY_AUTH) == false) {
86 globalEl1Key_->ClearKey();
87 globalEl1Key_ = nullptr;
88 LOGE("global security key store failed");
89 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_STORE_ERROR, "EL1", "");
90 return E_GLOBAL_KEY_STORE_ERROR;
91 }
92
93 if (globalEl1Key_->ActiveKey(FIRST_CREATE_KEY) == false) {
94 globalEl1Key_->ClearKey();
95 globalEl1Key_ = nullptr;
96 LOGE("global security key active failed");
97 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_ACTIVE_ERROR, "EL1", "");
98 return E_GLOBAL_KEY_ACTIVE_ERROR;
99 }
100
101 if (!globalEl1Key_->UpdateKey()) {
102 StorageRadar::ReportUserKeyResult("GenerateAndInstallDeviceKey", 0, E_GLOBAL_KEY_UPDATE_ERROR, "EL1", "");
103 };
104 hasGlobalDeviceKey_ = true;
105 LOGW("key create success");
106 return 0;
107 }
108
RestoreDeviceKey(const std::string & dir)109 int KeyManager::RestoreDeviceKey(const std::string &dir)
110 {
111 LOGI("enter");
112 if (globalEl1Key_ != nullptr) {
113 LOGI("device key has existed");
114 return 0;
115 }
116
117 globalEl1Key_ = GetBaseKey(dir);
118 if (globalEl1Key_ == nullptr) {
119 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_NULLPTR, "EL1", "");
120 return E_GLOBAL_KEY_NULLPTR;
121 }
122
123 if (globalEl1Key_->InitKey(false) == false) {
124 globalEl1Key_ = nullptr;
125 LOGE("global security key init failed");
126 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_INIT_ERROR, "EL1", "");
127 return E_GLOBAL_KEY_INIT_ERROR;
128 }
129
130 if (globalEl1Key_->RestoreKey(NULL_KEY_AUTH) == false) {
131 globalEl1Key_ = nullptr;
132 LOGE("global security key restore failed");
133 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_STORE_ERROR, "EL1", "");
134 return E_GLOBAL_KEY_STORE_ERROR;
135 }
136
137 if (globalEl1Key_->ActiveKey(RETRIEVE_KEY) == false) {
138 globalEl1Key_ = nullptr;
139 LOGE("global security key active failed");
140 StorageRadar::ReportUserKeyResult("RestoreDeviceKey", 0, E_GLOBAL_KEY_ACTIVE_ERROR, "EL1", "");
141 return E_GLOBAL_KEY_ACTIVE_ERROR;
142 }
143 hasGlobalDeviceKey_ = true;
144 LOGI("key restore success");
145
146 return 0;
147 }
148
InitGlobalDeviceKey(void)149 int KeyManager::InitGlobalDeviceKey(void)
150 {
151 LOGW("enter");
152 int ret = InitFscryptPolicy();
153 if (ret < 0) {
154 LOGE("fscrypt init failed, fscrypt will not be enabled");
155 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey:InitFscryptPolicy", 0, ret, "EL1", "");
156 return ret;
157 }
158
159 std::lock_guard<std::mutex> lock(keyMutex_);
160 if (hasGlobalDeviceKey_ || globalEl1Key_ != nullptr) {
161 LOGI("glabal device el1 have existed");
162 return 0;
163 }
164
165 ret = MkDir(STORAGE_DAEMON_DIR, S_IRWXU); // para.0700: root only
166 if (ret && errno != EEXIST) {
167 LOGE("create storage daemon dir error");
168 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey:MkDir", 0, ret, "EL1",
169 "errno = " + std::to_string(errno) + ", path = " + STORAGE_DAEMON_DIR);
170 return ret;
171 }
172 std::error_code errCode;
173 if (std::filesystem::exists(DEVICE_EL1_DIR, errCode) && !std::filesystem::is_empty(DEVICE_EL1_DIR)) {
174 UpgradeKeys({{0, DEVICE_EL1_DIR}});
175 return RestoreDeviceKey(DEVICE_EL1_DIR);
176 }
177 ret = MkDir(DEVICE_EL1_DIR, S_IRWXU);
178 if (ret && errno != EEXIST) {
179 LOGE("create device el1 key dir = (/data/service/el0/storage_daemon/sd) error");
180 StorageRadar::ReportUserKeyResult("InitGlobalDeviceKey:MkDir", 0, ret, "EL1",
181 "errno = " + std::to_string(errno) + ", path = " + DEVICE_EL1_DIR);
182 return ret;
183 }
184
185 return GenerateAndInstallDeviceKey(DEVICE_EL1_DIR);
186 }
187
GenerateAndInstallUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)188 int KeyManager::GenerateAndInstallUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
189 {
190 LOGW("enter");
191 if (HasElkey(userId, type)) {
192 LOGI("The user %{public}u el %{public}u have existed", userId, type);
193 return 0;
194 }
195 auto elKey = GetBaseKey(dir);
196 if (elKey == nullptr) {
197 return E_GLOBAL_KEY_NULLPTR;
198 }
199 if (type == EL5_KEY) {
200 return GenerateAndInstallEl5Key(userId, dir, auth);
201 }
202 if (elKey->InitKey(true) == false) {
203 LOGE("user security key init failed");
204 return E_ELX_KEY_INIT_ERROR;
205 }
206 if (elKey->StoreKey(auth) == false) {
207 elKey->ClearKey();
208 LOGE("user security key store failed");
209 return E_ELX_KEY_STORE_ERROR;
210 }
211 if (elKey->ActiveKey(FIRST_CREATE_KEY) == false) {
212 elKey->ClearKey();
213 LOGE("user security key active failed");
214 return E_ELX_KEY_ACTIVE_ERROR;
215 }
216 (void)elKey->UpdateKey();
217 if (type == EL1_KEY) {
218 userEl1Key_[userId] = elKey;
219 } else if (type == EL2_KEY) {
220 userEl2Key_[userId] = elKey;
221 } else if (type == EL3_KEY) {
222 userEl3Key_[userId] = elKey;
223 } else if (type == EL4_KEY) {
224 userEl4Key_[userId] = elKey;
225 }
226 LOGI("key create success");
227 return 0;
228 }
229
GenerateAndInstallEl5Key(uint32_t userId,const std::string & dir,const UserAuth & auth)230 int KeyManager::GenerateAndInstallEl5Key(uint32_t userId, const std::string &dir, const UserAuth &auth)
231 {
232 LOGI("enter");
233 auto elKey = GetBaseKey(dir);
234 if (elKey == nullptr) {
235 return E_GLOBAL_KEY_NULLPTR;
236 }
237 bool isNeedEncryptClassE = true;
238 saveESecretStatus[userId] = true;
239 if (elKey->AddClassE(isNeedEncryptClassE, saveESecretStatus[userId], FIRST_CREATE_KEY) == false) {
240 elKey->ClearKey();
241 LOGE("user %{public}u el5 create error", userId);
242 return E_EL5_ADD_CLASS_ERROR;
243 }
244 std::string keyDir = GetKeyDirByUserAndType(userId, EL5_KEY);
245 if (keyDir == "") {
246 return E_KEY_TYPE_INVAL;
247 }
248 if (!saveESecretStatus[userId]) {
249 OHOS::ForceRemoveDirectory(keyDir);
250 }
251 saveESecretStatus[userId] = (!auth.secret.IsEmpty() && !auth.token.IsEmpty());
252 if (isNeedEncryptClassE) {
253 if ((!auth.secret.IsEmpty() && !auth.token.IsEmpty()) &&
254 !elKey->EncryptClassE(auth, saveESecretStatus[userId], userId, USER_ADD_AUTH)) {
255 elKey->ClearKey();
256 LOGE("user %{public}u el5 create error", userId);
257 return E_EL5_ENCRYPT_CLASS_ERROR;
258 }
259 } else {
260 bool eBufferStatue = false;
261 if (!elKey->DecryptClassE(auth, saveESecretStatus[userId], eBufferStatue, userId, false)) {
262 LOGE("user %{public}u decrypt error", userId);
263 }
264 }
265 userEl5Key_[userId] = elKey;
266 return 0;
267 }
268
RestoreUserKey(uint32_t userId,const std::string & dir,const UserAuth & auth,KeyType type)269 int KeyManager::RestoreUserKey(uint32_t userId, const std::string &dir, const UserAuth &auth, KeyType type)
270 {
271 LOGI("enter");
272 if (HasElkey(userId, type)) {
273 LOGI("The user %{public}u el %{public}u have existed", userId, type);
274 return 0;
275 }
276
277 auto elKey = GetBaseKey(dir);
278 if (elKey == nullptr) {
279 return E_GLOBAL_KEY_NULLPTR;
280 }
281
282 if (elKey->InitKey(false) == false) {
283 LOGE("user security key init failed");
284 return E_ELX_KEY_INIT_ERROR;
285 }
286
287 if (elKey->RestoreKey(auth) == false) {
288 LOGE("user security key restore failed");
289 return E_ELX_KEY_STORE_ERROR;
290 }
291
292 if (elKey->ActiveKey(RETRIEVE_KEY) == false) {
293 LOGE("user security key active failed");
294 return E_ELX_KEY_ACTIVE_ERROR;
295 }
296
297 if (type == EL1_KEY) {
298 userEl1Key_[userId] = elKey;
299 } else if (type == EL2_KEY) {
300 userEl2Key_[userId] = elKey;
301 } else if (type == EL3_KEY) {
302 userEl3Key_[userId] = elKey;
303 } else if (type == EL4_KEY) {
304 userEl4Key_[userId] = elKey;
305 } else if (type == EL5_KEY) {
306 userEl5Key_[userId] = elKey;
307 }
308 LOGI("key restore success");
309
310 return 0;
311 }
312
HasElkey(uint32_t userId,KeyType type)313 bool KeyManager::HasElkey(uint32_t userId, KeyType type)
314 {
315 LOGI("enter");
316 switch (type) {
317 case EL1_KEY:
318 if (userEl1Key_.find(userId) != userEl1Key_.end()) {
319 LOGI("user el1 key has existed");
320 return true;
321 }
322 break;
323 case EL2_KEY:
324 if (userEl2Key_.find(userId) != userEl2Key_.end()) {
325 LOGI("user el2 key has existed");
326 return true;
327 }
328 break;
329 case EL3_KEY:
330 if (userEl3Key_.find(userId) != userEl3Key_.end()) {
331 LOGI("user el3 key has existed");
332 return true;
333 }
334 break;
335 case EL4_KEY:
336 if (userEl4Key_.find(userId) != userEl4Key_.end()) {
337 LOGI("user el4 key has existed");
338 return true;
339 }
340 break;
341 case EL5_KEY:
342 if (userEl5Key_.find(userId) != userEl5Key_.end()) {
343 LOGI("user el5 key has existed");
344 return true;
345 }
346 break;
347 default:
348 LOGE("key type error");
349 break;
350 }
351
352 return false;
353 }
354
IsNeedClearKeyFile(std::string file)355 bool KeyManager::IsNeedClearKeyFile(std::string file)
356 {
357 LOGI("enter:");
358 std::error_code errCode;
359 if (!std::filesystem::exists(file, errCode)) {
360 LOGE("file not exist, file is %{private}s", file.c_str());
361 return false;
362 }
363
364 std::string version;
365 if (!OHOS::LoadStringFromFile(file, version)) {
366 LOGE("LoadStringFromFile return fail, file is %{private}s", file.c_str());
367 return false;
368 }
369
370 if (version != DEFAULT_NEED_RESTORE_VERSION) {
371 LOGE("need to clear, file is %{private}s, version is %{public}s.", file.c_str(), version.c_str());
372 return true;
373 }
374 LOGE("no need to clear, file is %{private}s, version is %{public}s", file.c_str(), version.c_str());
375 return false;
376 }
377
ProcUpgradeKey(const std::vector<FileList> & dirInfo)378 void KeyManager::ProcUpgradeKey(const std::vector<FileList> &dirInfo)
379 {
380 LOGI("enter:");
381 for (const auto &it : dirInfo) {
382 std::string needRestorePath = it.path + "/latest/need_restore";
383 if (IsNeedClearKeyFile(needRestorePath)) {
384 bool ret = RmDirRecurse(it.path);
385 if (!ret) {
386 LOGE("remove key dir fail, result is %{public}d, dir %{private}s", ret, it.path.c_str());
387 }
388 }
389 }
390 }
391
LoadAllUsersEl1Key(void)392 int KeyManager::LoadAllUsersEl1Key(void)
393 {
394 LOGI("enter");
395 std::vector<FileList> dirInfo;
396 ReadDigitDir(USER_EL2_DIR, dirInfo);
397 UpgradeKeys(dirInfo);
398 dirInfo.clear();
399 ReadDigitDir(USER_EL1_DIR, dirInfo);
400 UpgradeKeys(dirInfo);
401 for (auto &item : dirInfo) {
402 int ret = RestoreUserKey(item.userId, item.path, NULL_KEY_AUTH, EL1_KEY);
403 if (ret != 0) {
404 LOGE("user %{public}u el1 key restore error", item.userId);
405 StorageRadar::ReportUserKeyResult("LoadAllUserEl1Key::RestoreUserKey", item.userId,
406 ret, "EL1", "user el1 path = " + item.path);
407 }
408 }
409
410 /* only for el3/el4 upgrade scene */
411 dirInfo.clear();
412 ReadDigitDir(USER_EL3_DIR, dirInfo);
413 ProcUpgradeKey(dirInfo);
414 dirInfo.clear();
415 ReadDigitDir(USER_EL4_DIR, dirInfo);
416 ProcUpgradeKey(dirInfo);
417 dirInfo.clear();
418 ReadDigitDir(USER_EL5_DIR, dirInfo);
419 ProcUpgradeKey(dirInfo);
420 return 0;
421 }
422
InitUserElkeyStorageDir(void)423 int KeyManager::InitUserElkeyStorageDir(void)
424 {
425 int ret = MkDir(SERVICE_STORAGE_DAEMON_DIR, S_IRWXU);
426 if (ret && errno != EEXIST) {
427 LOGE("make service storage daemon dir error");
428 return ret;
429 }
430
431 ret = MkDir(FSCRYPT_EL_DIR, S_IRWXU);
432 if (ret && errno != EEXIST) {
433 LOGE("make service storage daemon dir error");
434 return ret;
435 }
436
437 ret = MkDir(USER_EL1_DIR, S_IRWXU);
438 if (ret && errno != EEXIST) {
439 LOGE("make el1 storage dir error");
440 return ret;
441 }
442 ret = MkDir(USER_EL2_DIR, S_IRWXU);
443 if (ret && errno != EEXIST) {
444 LOGE("make el2 storage dir error");
445 return ret;
446 }
447 // 0700 means create el3 permissions
448 ret = MkDir(USER_EL3_DIR, S_IRWXU);
449 if (ret && errno != EEXIST) {
450 LOGE("make el3 storage dir error");
451 return ret;
452 }
453 // 0700 means create el4 permissions
454 ret = MkDir(USER_EL4_DIR, S_IRWXU);
455 if (ret && errno != EEXIST) {
456 LOGE("make el4 storage dir error");
457 return ret;
458 }
459 // 0700 means create el5 permissions
460 ret = MkDir(USER_EL5_DIR, S_IRWXU);
461 if (ret && errno != EEXIST) {
462 LOGE("make el5 storage dir error");
463 return ret;
464 }
465 return 0;
466 }
467
InitGlobalUserKeys(void)468 int KeyManager::InitGlobalUserKeys(void)
469 {
470 LOGI("enter");
471 if (!KeyCtrlHasFscryptSyspara()) {
472 return 0;
473 }
474 std::lock_guard<std::mutex> lock(keyMutex_);
475 int ret = InitUserElkeyStorageDir();
476 if (ret) {
477 LOGE("Init user el storage dir failed");
478 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::InitUserElkeyStorageDir", GLOBAL_USER_ID,
479 ret, "EL1", "");
480 return ret;
481 }
482
483 std::string globalUserEl1Path = USER_EL1_DIR + "/" + std::to_string(GLOBAL_USER_ID);
484 if (IsDir(globalUserEl1Path)) {
485 ret = RestoreUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
486 if (ret != 0) {
487 LOGE("Restore el1 failed");
488 LOGE("Init user el storage dir failed");
489 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::RestoreUserKey", GLOBAL_USER_ID,
490 ret, "EL1", "global user el1 path = " + globalUserEl1Path);
491 return ret;
492 }
493 } else {
494 ret = GenerateAndInstallUserKey(GLOBAL_USER_ID, globalUserEl1Path, NULL_KEY_AUTH, EL1_KEY);
495 if (ret != 0) {
496 LOGE("Generate el1 failed");
497 StorageRadar::ReportUserKeyResult("InitGlobalUserKeys::GenerateAndInstallUserKey", GLOBAL_USER_ID,
498 ret, "EL1", "global user el1 path = " + globalUserEl1Path);
499 return ret;
500 }
501 }
502
503 ret = LoadAllUsersEl1Key();
504 if (ret) {
505 LOGE("Load all users el1 failed");
506 return ret;
507 }
508 LOGI("Init global user key success");
509
510 return 0;
511 }
512
GenerateUserKeys(unsigned int user,uint32_t flags)513 int KeyManager::GenerateUserKeys(unsigned int user, uint32_t flags)
514 {
515 LOGW("start, user:%{public}u", user);
516 if (!KeyCtrlHasFscryptSyspara()) {
517 return 0;
518 }
519 if ((!IsDir(USER_EL1_DIR)) || (!IsDir(USER_EL2_DIR)) || (!IsDir(USER_EL3_DIR)) ||
520 (!IsDir(USER_EL4_DIR)) || (!IsDir(USER_EL5_DIR))) {
521 LOGI("El storage dir is not existed");
522 return -ENOENT;
523 }
524 int ret = GenerateElxAndInstallUserKey(user);
525 if (ret != E_OK) {
526 LOGE("Generate ELX failed!");
527 return ret;
528 }
529 LOGW("Create user el success");
530 return ret;
531 }
532
GenerateElxAndInstallUserKey(unsigned int user)533 int KeyManager::GenerateElxAndInstallUserKey(unsigned int user)
534 {
535 std::string el1Path = USER_EL1_DIR + "/" + std::to_string(user);
536 std::string el2Path = USER_EL2_DIR + "/" + std::to_string(user);
537 std::string el3Path = USER_EL3_DIR + "/" + std::to_string(user);
538 std::string el4Path = USER_EL4_DIR + "/" + std::to_string(user);
539 std::string el5Path = USER_EL5_DIR + "/" + std::to_string(user);
540 if (IsDir(el1Path) || IsDir(el2Path) || IsDir(el3Path) || IsDir(el4Path) || IsDir(el5Path)) {
541 return CheckAndFixUserKeyDirectory(user);
542 }
543 std::lock_guard<std::mutex> lock(keyMutex_);
544 int ret = GenerateAndInstallUserKey(user, el1Path, NULL_KEY_AUTH, EL1_KEY);
545 if (ret) {
546 LOGE("user el1 create error");
547 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL1", "el1path = " + el1Path);
548 return ret;
549 }
550
551 ret = GenerateAndInstallUserKey(user, el2Path, NULL_KEY_AUTH, EL2_KEY);
552 if (ret) {
553 DoDeleteUserKeys(user);
554 LOGE("user el2 create error");
555 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL2", "el2path = " + el2Path);
556 return ret;
557 }
558 ret = GenerateAndInstallUserKey(user, el3Path, NULL_KEY_AUTH, EL3_KEY);
559 if (ret) {
560 DoDeleteUserKeys(user);
561 LOGE("user el3 create error");
562 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL3", "el3path = " + el3Path);
563 return ret;
564 }
565 ret = GenerateAndInstallUserKey(user, el4Path, NULL_KEY_AUTH, EL4_KEY);
566 if (ret) {
567 DoDeleteUserKeys(user);
568 LOGE("user el4 create error");
569 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL4", "el4path = " + el4Path);
570 return ret;
571 }
572 ret = GenerateAndInstallUserKey(user, el5Path, NULL_KEY_AUTH, EL5_KEY);
573 if (ret) {
574 DoDeleteUserKeys(user);
575 LOGE("user el5 create error");
576 StorageRadar::ReportUserKeyResult("GenerateElxAndInstallUserKey", user, ret, "EL5", "el5path = " + el5Path);
577 return ret;
578 }
579 saveLockScreenStatus[user] = true;
580 return ret;
581 }
582
CheckAndFixUserKeyDirectory(unsigned int user)583 int KeyManager::CheckAndFixUserKeyDirectory(unsigned int user)
584 {
585 std::string el1NeedRestorePath = USER_EL1_DIR + "/" + std::to_string(user) + RESTORE_DIR;
586 std::error_code errCode;
587 if (std::filesystem::exists(el1NeedRestorePath, errCode)) {
588 LOGE("el1 need_restore file is existed, upgrade scene not support.");
589 return -EEXIST;
590 }
591 int ret = GenerateIntegrityDirs(user, EL1_KEY);
592 if (ret != -EEXIST) {
593 LOGE("GenerateIntegrityDirs el1 failed.");
594 StorageRadar::ReportUserKeyResult("GenerateIntegrityDirs", user, ret, "EL1", "");
595 }
596 ret = GenerateIntegrityDirs(user, EL2_KEY);
597 if (ret != -EEXIST) {
598 LOGE("GenerateIntegrityDirs el2 failed.");
599 StorageRadar::ReportUserKeyResult("GenerateIntegrityDirs", user, ret, "EL2", "");
600 }
601 return ret;
602 }
603
GenerateIntegrityDirs(int32_t userId,KeyType type)604 int KeyManager::GenerateIntegrityDirs(int32_t userId, KeyType type)
605 {
606 std::string dirType = (type == EL1_KEY) ? EL1 : EL2;
607 std::string userDir = FSCRYPT_EL_DIR + "/" + dirType;
608 uint32_t flag_type = (type == EL1_KEY) ? IStorageDaemon::CRYPTO_FLAG_EL1 : IStorageDaemon::CRYPTO_FLAG_EL2;
609 std::string versionElx = userDir + "/" + std::to_string(userId) + FSCRYPT_VERSION_DIR;
610 std::string encryptElx = userDir + "/" + std::to_string(userId) + ENCRYPT_VERSION_DIR;
611 std::string discardElx = userDir + "/" + std::to_string(userId) + SEC_DISCARD_DIR;
612 std::string shieldElx = userDir + "/" + std::to_string(userId) + SHIELD_DIR;
613 std::error_code errCode;
614 if (!std::filesystem::exists(versionElx, errCode) || !std::filesystem::exists(encryptElx, errCode) ||
615 !std::filesystem::exists(shieldElx, errCode) || !std::filesystem::exists(discardElx, errCode) ||
616 !IsWorkDirExist(dirType, userId)) {
617 LOGE("user %{public}d el %{public}d is not integrity. create error", userId, type);
618 int ret = DoDeleteUserCeEceSeceKeys(userId, userDir, type == EL1_KEY ? userEl1Key_ : userEl2Key_);
619 if (ret != E_OK) {
620 LOGE("Delete userId=%{public}d el %{public}d key failed", userId, type);
621 }
622
623 ret = GenerateUserKeyByType(userId, type, {}, {});
624 if (ret != E_OK) {
625 LOGE("upgrade scene:generate user key fail, userId %{public}d, KeyType %{public}d", userId, type);
626 return ret;
627 }
628
629 LOGI("try to destory dir first, user %{public}d, Type %{public}d", userId, type);
630 (void)UserManager::GetInstance()->DestroyUserDirs(userId, flag_type);
631 ret = UserManager::GetInstance()->PrepareUserDirs(userId, flag_type);
632 if (ret != E_OK) {
633 LOGE("upgrade scene:prepare user dirs fail, userId %{public}d, type %{public}d", userId, type);
634 return ret;
635 }
636 }
637 LOGI("userId=%{public}d el %{public}d directory is existed, no need fix.", userId, type);
638 return -EEXIST;
639 }
640
IsWorkDirExist(std::string type,int32_t userId)641 bool KeyManager::IsWorkDirExist(std::string type, int32_t userId)
642 {
643 std::string dataDir = DATA_DIR + type + "/" + std::to_string(userId);
644 std::string serviceDir = SERVICE_DIR + type + "/" + std::to_string(userId);
645 std::error_code errCode;
646 bool isExist = std::filesystem::exists(dataDir, errCode) && std::filesystem::exists(serviceDir, errCode);
647 return isExist;
648 }
649
GenerateUserKeyByType(unsigned int user,KeyType type,const std::vector<uint8_t> & token,const std::vector<uint8_t> & secret)650 int KeyManager::GenerateUserKeyByType(unsigned int user, KeyType type,
651 const std::vector<uint8_t> &token,
652 const std::vector<uint8_t> &secret)
653 {
654 LOGI("start, user:%{public}u, type %{public}u", user, type);
655 if (!KeyCtrlHasFscryptSyspara()) {
656 return 0;
657 }
658
659 std::lock_guard<std::mutex> lock(keyMutex_);
660 std::string elPath = GetKeyDirByType(type);
661 if (!IsDir(elPath)) {
662 LOGI("El storage dir is not existed");
663 return -ENOENT;
664 }
665
666 std::string elUserKeyPath = elPath + + "/" + std::to_string(user);
667 if (IsDir(elUserKeyPath)) {
668 LOGE("user %{public}d el key have existed, create error", user);
669 return -EEXIST;
670 }
671 uint64_t secureUid = { 0 };
672 if (!secret.empty() && !token.empty()) {
673 IamClient::GetInstance().GetSecureUid(user, secureUid);
674 LOGE("token is exist, get secure uid");
675 }
676 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
677 int ret = GenerateAndInstallUserKey(user, elUserKeyPath, auth, type);
678 if (ret) {
679 LOGE("user el create error, user %{public}u, type %{public}u", user, type);
680 StorageRadar::ReportUserKeyResult("GenerateUserKeyByType::GenerateAndInstallUserKey",
681 user, ret, std::to_string(type), "user key path = " + elUserKeyPath);
682 return ret;
683 }
684 LOGI("Create user el success, user %{public}u, type %{public}u", user, type);
685
686 return 0;
687 }
688
DoDeleteUserCeEceSeceKeys(unsigned int user,const std::string userDir,std::map<unsigned int,std::shared_ptr<BaseKey>> & userElKey_)689 int KeyManager::DoDeleteUserCeEceSeceKeys(unsigned int user,
690 const std::string userDir,
691 std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
692 {
693 LOGI("enter, userDir is %{public}s", userDir.c_str());
694 int ret = 0;
695 auto it = userElKey_.find(user);
696 if (it != userElKey_.end()) {
697 auto elKey = it->second;
698 if (!elKey->ClearKey()) {
699 LOGE("clear key failed");
700 ret = -E_CLEAR_KEY_FAILED;
701 }
702 userElKey_.erase(user);
703 saveLockScreenStatus.erase(user);
704 } else {
705 std::string elPath = userDir + "/" + std::to_string(user);
706 std::shared_ptr<BaseKey> elKey = GetBaseKey(elPath);
707 if (elKey == nullptr) {
708 LOGE("Malloc el1 Basekey memory failed");
709 return -ENOMEM;
710 }
711 if (!elKey->ClearKey()) {
712 LOGE("clear key failed");
713 ret = -E_CLEAR_KEY_FAILED;
714 }
715 }
716 LOGI("end, ret is %{public}d", ret);
717 return ret;
718 }
719
DoDeleteUserKeys(unsigned int user)720 int KeyManager::DoDeleteUserKeys(unsigned int user)
721 {
722 int errCode = 0;
723 int deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL1_DIR, userEl1Key_);
724 if (deleteRet != 0) {
725 LOGE("Delete el1 key failed");
726 errCode = deleteRet;
727 }
728 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL2_DIR, userEl2Key_);
729 if (deleteRet != 0) {
730 LOGE("Delete el2 key failed");
731 errCode = deleteRet;
732 }
733 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL3_DIR, userEl3Key_);
734 if (deleteRet != 0) {
735 LOGE("Delete el3 key failed");
736 errCode = deleteRet;
737 }
738 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL4_DIR, userEl4Key_);
739 if (deleteRet != 0) {
740 LOGE("Delete el4 key failed");
741 errCode = deleteRet;
742 }
743 if (IsUeceSupportWithErrno() != ENOENT) {
744 deleteRet = DoDeleteUserCeEceSeceKeys(user, USER_EL5_DIR, userEl5Key_);
745 if (deleteRet != 0) {
746 LOGE("Delete el5 key failed");
747 errCode = deleteRet;
748 }
749 }
750 return errCode;
751 }
752
DeleteUserKeys(unsigned int user)753 int KeyManager::DeleteUserKeys(unsigned int user)
754 {
755 LOGI("start, user:%{public}d", user);
756 if (!KeyCtrlHasFscryptSyspara()) {
757 return 0;
758 }
759
760 std::lock_guard<std::mutex> lock(keyMutex_);
761 int ret = DoDeleteUserKeys(user);
762 LOGI("delete user key end, ret is %{public}d", ret);
763
764 auto userTask = userLockScreenTask_.find(user);
765 if (userTask != userLockScreenTask_.end()) {
766 userLockScreenTask_.erase(userTask);
767 LOGI("Delete user %{public}u, erase user task", user);
768 }
769 return ret;
770 }
771
772 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,bool needGenerateShield)773 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret,
774 bool needGenerateShield)
775 #else
776 int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret &userTokenSecret)
777 #endif
778 {
779 std::lock_guard<std::mutex> lock(keyMutex_);
780 std::string isOldEmy = userTokenSecret.oldSecret.empty() ? "true" : "false";
781 std::string isNewEmy = userTokenSecret.newSecret.empty() ? "true" : "false";
782 std::string secretInfo = "oldSecret isEmpty = " + isOldEmy + ", newSecret isEmpty = " + isNewEmy;
783 #ifdef USER_CRYPTO_MIGRATE_KEY
784 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY, needGenerateShield);
785 if (ret != 0) {
786 LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
787 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth_Migrate",
788 user, ret, "EL2", secretInfo);
789 return ret;
790 }
791 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY, needGenerateShield);
792 if (ret != 0) {
793 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
794 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth_Migrate",
795 user, ret, "EL3", secretInfo);
796 return ret;
797 }
798 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY, needGenerateShield);
799 if (ret != 0) {
800 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
801 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth_Migrate",
802 user, ret, "EL4", secretInfo);
803 return ret;
804 }
805 #else
806 int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL2_KEY);
807 if (ret != 0) {
808 LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
809 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth", user, ret, "EL2", secretInfo);
810 return ret;
811 }
812 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL3_KEY);
813 if (ret != 0) {
814 LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
815 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth", user, ret, "EL3", secretInfo);
816 return ret;
817 }
818 ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, EL4_KEY);
819 if (ret != 0) {
820 LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
821 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateCeEceSeceUserAuth", user, ret, "EL4", secretInfo);
822 return ret;
823 }
824 #endif
825 ret = UpdateESecret(user, userTokenSecret);
826 if (ret != 0) {
827 LOGE("user %{public}u UpdateESecret fail", user);
828 StorageRadar::ReportUpdateUserAuth("UpdateUserAuth::UpdateESecret", user, ret, "EL5", secretInfo);
829 return ret;
830 }
831 return ret;
832 }
833
UpdateESecret(unsigned int user,struct UserTokenSecret & tokenSecret)834 int KeyManager::UpdateESecret(unsigned int user, struct UserTokenSecret &tokenSecret)
835 {
836 LOGW("UpdateESecret enter");
837 std::shared_ptr<BaseKey> el5Key = GetUserElKey(user, EL5_KEY);
838 std::string el5Path = USER_EL5_DIR + "/" + std::to_string(user);
839 if (IsUeceSupport() && el5Key == nullptr) {
840 if (!MkDirRecurse(el5Path, S_IRWXU)) {
841 LOGE("MkDirRecurse %{public}u failed!", user);
842 return -EFAULT;
843 }
844 LOGI("MkDirRecurse %{public}u success!", user);
845 el5Key = GetUserElKey(user, EL5_KEY);
846 }
847 if (el5Key == nullptr) {
848 LOGE("Have not found user %{public}u el key", user);
849 return -ENOENT;
850 }
851 if (tokenSecret.newSecret.empty()) {
852 if (!el5Key->DeleteClassEPinCode(user)) {
853 LOGE("user %{public}u DeleteClassE fail", user);
854 return -EFAULT;
855 }
856 saveESecretStatus[user] = false;
857 return 0;
858 }
859 if (!tokenSecret.newSecret.empty() && !tokenSecret.oldSecret.empty()) {
860 saveESecretStatus[user] = true;
861 if (!el5Key->ChangePinCodeClassE(saveESecretStatus[user], user)) {
862 LOGE("user %{public}u ChangePinCodeClassE fail", user);
863 return -EFAULT;
864 }
865 return 0;
866 }
867 uint32_t status = tokenSecret.oldSecret.empty() ? USER_ADD_AUTH : USER_CHANGE_AUTH;
868 LOGI("UpdateESecret status is %{public}u", status);
869 UserAuth auth = { .token = tokenSecret.token, .secret = tokenSecret.newSecret, .secureUid = tokenSecret.secureUid };
870 saveESecretStatus[user] = true;
871 if (!el5Key->EncryptClassE(auth, saveESecretStatus[user], user, status)) {
872 LOGE("user %{public}u EncryptClassE fail", user);
873 return -EFAULT;
874 }
875 LOGW("saveESecretStatus is %{public}u", saveESecretStatus[user]);
876 return 0;
877 }
878
879 #ifdef USER_CRYPTO_MIGRATE_KEY
UpdateCeEceSeceUserAuth(unsigned int user,struct UserTokenSecret & userTokenSecret,KeyType type,bool needGenerateShield)880 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
881 struct UserTokenSecret &userTokenSecret,
882 KeyType type, bool needGenerateShield)
883 #else
884 int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
885 struct UserTokenSecret &userTokenSecret,
886 KeyType type)
887 #endif
888 {
889 LOGW("start, user:%{public}d", user);
890 if (!KeyCtrlHasFscryptSyspara()) {
891 return 0;
892 }
893 std::shared_ptr<BaseKey> item = GetUserElKey(user, type);
894 if (item == nullptr) {
895 LOGE("Have not found user %{public}u el key", user);
896 return -ENOENT;
897 }
898
899 UserAuth auth = { {}, userTokenSecret.oldSecret, userTokenSecret.secureUid };
900 if (!userTokenSecret.oldSecret.empty()) {
901 KeyBlob token(userTokenSecret.token);
902 auth.token = std::move(token);
903 }
904 if ((item->RestoreKey(auth) == false) && (item->RestoreKey(NULL_KEY_AUTH) == false)) {
905 LOGE("Restore key error");
906 return -EFAULT;
907 }
908 if (!userTokenSecret.newSecret.empty()) {
909 KeyBlob token(userTokenSecret.token);
910 KeyBlob newSecret(userTokenSecret.newSecret);
911 auth.token = std::move(token);
912 auth.secret = std::move(newSecret);
913 } else {
914 auth.token.Clear();
915 auth.secret.Clear();
916 }
917 #ifdef USER_CRYPTO_MIGRATE_KEY
918 if (item->StoreKey(auth, needGenerateShield) == false) {
919 #else
920 if (item->StoreKey(auth) == false) {
921 #endif
922 LOGE("Store key error");
923 return -EFAULT;
924 }
925
926 userPinProtect[user] = !userTokenSecret.newSecret.empty();
927 return 0;
928 }
929
930 int KeyManager::ActiveUserKey(unsigned int user, const std::vector<uint8_t> &token,
931 const std::vector<uint8_t> &secret)
932 {
933 LOGI("start");
934 if (!KeyCtrlHasFscryptSyspara()) {
935 return 0;
936 }
937
938 if (ActiveCeSceSeceUserKey(user, EL2_KEY, token, secret) != 0) {
939 LOGI("Active user %{public}u el2 fail", user);
940 return -EFAULT;
941 }
942 if (ActiveCeSceSeceUserKey(user, EL3_KEY, token, secret) != 0) {
943 LOGI("Active user %{public}u el3 fail", user);
944 return -EFAULT;
945 }
946 if (ActiveCeSceSeceUserKey(user, EL4_KEY, token, secret) != 0) {
947 LOGI("Active user %{public}u el4 fail", user);
948 return -EFAULT;
949 }
950 if (ActiveCeSceSeceUserKey(user, EL5_KEY, token, secret) != 0) {
951 LOGI("Active user %{public}u el5 fail", user);
952 return -EFAULT;
953 }
954 if (UnlockUserAppKeys(user, true) != E_OK) {
955 LOGE("failed to delete appkey2");
956 return -EFAULT;
957 }
958 saveESecretStatus[user] = !secret.empty();
959 return 0;
960 }
961
962 std::string KeyManager::GetKeyDirByUserAndType(unsigned int user, KeyType type)
963 {
964 std::string keyDir = "";
965 switch (type) {
966 case EL1_KEY:
967 keyDir = USER_EL1_DIR + "/" + std::to_string(user);
968 break;
969 case EL2_KEY:
970 keyDir = USER_EL2_DIR + "/" + std::to_string(user);
971 break;
972 case EL3_KEY:
973 keyDir = USER_EL3_DIR + "/" + std::to_string(user);
974 break;
975 case EL4_KEY:
976 keyDir = USER_EL4_DIR + "/" + std::to_string(user);
977 break;
978 case EL5_KEY:
979 keyDir = USER_EL5_DIR + "/" + std::to_string(user);
980 break;
981 default:
982 LOGE("GetKeyDirByUserAndType type %{public}u is invalid", type);
983 break;
984 }
985 return keyDir;
986 }
987
988 std::string KeyManager::GetKeyDirByType(KeyType type)
989 {
990 std::string keyDir = "";
991 switch (type) {
992 case EL1_KEY:
993 keyDir = USER_EL1_DIR;
994 break;
995 case EL2_KEY:
996 keyDir = USER_EL2_DIR;
997 break;
998 case EL3_KEY:
999 keyDir = USER_EL3_DIR;
1000 break;
1001 case EL4_KEY:
1002 keyDir = USER_EL4_DIR;
1003 break;
1004 case EL5_KEY:
1005 keyDir = USER_EL5_DIR;
1006 break;
1007 default:
1008 LOGE("GetKeyDirByType type %{public}u is invalid", type);
1009 break;
1010 }
1011 return keyDir;
1012 }
1013
1014 void KeyManager::SaveUserElKey(unsigned int user, KeyType type, std::shared_ptr<BaseKey> elKey)
1015 {
1016 switch (type) {
1017 case EL1_KEY:
1018 userEl1Key_[user] = elKey;
1019 break;
1020 case EL2_KEY:
1021 userEl2Key_[user] = elKey;
1022 break;
1023 case EL3_KEY:
1024 userEl3Key_[user] = elKey;
1025 break;
1026 case EL4_KEY:
1027 userEl4Key_[user] = elKey;
1028 break;
1029 case EL5_KEY:
1030 userEl5Key_[user] = elKey;
1031 break;
1032 default:
1033 LOGE("SaveUserElKey type %{public}u is invalid", type);
1034 }
1035 }
1036
1037 std::shared_ptr<BaseKey> KeyManager::GetUserElKey(unsigned int user, KeyType type)
1038 {
1039 bool isNeedGenerateBaseKey = false;
1040 std::shared_ptr<BaseKey> elKey = nullptr;
1041 if (!HasElkey(user, type)) {
1042 LOGE("Have not found user %{public}u key, type %{public}u", user, type);
1043 std::string keyDir = GetKeyDirByUserAndType(user, type);
1044 if (!IsDir(keyDir)) {
1045 LOGE("Have not found user %{public}u el, %{public}u type", user, type);
1046 return nullptr;
1047 }
1048 elKey = GetBaseKey(keyDir);
1049 if (elKey == nullptr) {
1050 LOGE("BaseKey memory failed");
1051 return nullptr;
1052 }
1053 isNeedGenerateBaseKey = true;
1054 LOGI("Generate new baseKey type: %{public}u", type);
1055 }
1056
1057 switch (type) {
1058 case EL1_KEY:
1059 if (isNeedGenerateBaseKey) {
1060 userEl1Key_[user] = elKey;
1061 }
1062 return userEl1Key_[user];
1063 case EL2_KEY:
1064 if (isNeedGenerateBaseKey) {
1065 userEl2Key_[user] = elKey;
1066 }
1067 return userEl2Key_[user];
1068 case EL3_KEY:
1069 if (isNeedGenerateBaseKey) {
1070 userEl3Key_[user] = elKey;
1071 }
1072 return userEl3Key_[user];
1073 case EL4_KEY:
1074 if (isNeedGenerateBaseKey) {
1075 userEl4Key_[user] = elKey;
1076 }
1077 return userEl4Key_[user];
1078 case EL5_KEY:
1079 if (isNeedGenerateBaseKey) {
1080 userEl5Key_[user] = elKey;
1081 }
1082 return userEl5Key_[user];
1083 default:
1084 LOGE("GetUserElKey type %{public}u is invalid", type);
1085 return nullptr;
1086 }
1087 }
1088
1089 int KeyManager::ActiveCeSceSeceUserKey(unsigned int user,
1090 KeyType type,
1091 const std::vector<uint8_t> &token,
1092 const std::vector<uint8_t> &secret)
1093 {
1094 if (!KeyCtrlHasFscryptSyspara()) {
1095 return 0;
1096 }
1097 if (CheckUserPinProtect(user, token, secret) != E_OK) {
1098 LOGE("IAM & Storage mismatch, wait user input pin.");
1099 return -EFAULT;
1100 }
1101 std::lock_guard<std::mutex> lock(keyMutex_);
1102 if (HasElkey(user, type) && type != EL5_KEY && HashElxActived(user, type)) {
1103 LOGE("The user %{public}u el have been actived, key type is %{public}u", user, type);
1104 return 0;
1105 }
1106 std::string keyDir = GetKeyDirByUserAndType(user, type);
1107 if (keyDir == "") {
1108 return E_KEY_TYPE_INVAL;
1109 }
1110 if ((type != EL5_KEY) && !IsDir(keyDir)) {
1111 LOGE("Have not found user %{public}u el", user);
1112 return -ENOENT;
1113 }
1114 if ((type == EL5_KEY) && CheckAndDeleteEmptyEl5Directory(keyDir, user) != 0) {
1115 return -ENOENT;
1116 }
1117 std::shared_ptr<BaseKey> elKey = GetBaseKey(keyDir);
1118 if (elKey == nullptr) {
1119 LOGE("elKey failed");
1120 return -EOPNOTSUPP;
1121 }
1122 if (type == EL5_KEY) {
1123 if (ActiveUeceUserKey(user, token, secret, elKey) != 0) {
1124 LOGE("ActiveUeceUserKey failed");
1125 return -EFAULT;
1126 }
1127 return 0;
1128 }
1129 if (ActiveElXUserKey(user, token, type, secret, elKey) != 0) {
1130 LOGE("ActiveElXUserKey failed");
1131 return -EFAULT;
1132 }
1133
1134 SaveUserElKey(user, type, elKey);
1135 userPinProtect.erase(user);
1136 userPinProtect.insert(std::make_pair(user, !secret.empty()));
1137 saveLockScreenStatus[user] = true;
1138 LOGI("Active user %{public}u el success", user);
1139 LOGI("saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1140 return 0;
1141 }
1142
1143 bool KeyManager::HashElxActived(unsigned int user, KeyType type)
1144 {
1145 LOGI("enter");
1146 switch (type) {
1147 case EL1_KEY:
1148 return HasElxDesc(userEl1Key_, type, user);
1149 break;
1150 case EL2_KEY:
1151 return HasElxDesc(userEl2Key_, type, user);
1152 break;
1153 case EL3_KEY:
1154 return HasElxDesc(userEl3Key_, type, user);
1155 break;
1156 case EL4_KEY:
1157 return HasElxDesc(userEl4Key_, type, user);
1158 break;
1159 case EL5_KEY:
1160 return HasElxDesc(userEl5Key_, type, user);
1161 break;
1162 default:
1163 LOGE("key type error");
1164 break;
1165 }
1166 return false;
1167 }
1168
1169 bool KeyManager::HasElxDesc(std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
1170 KeyType type,
1171 unsigned int user)
1172 {
1173 auto it = userElKey_.find(user);
1174 auto elKey = it->second;
1175 if (it != userElKey_.end() && !elKey->KeyDescIsEmpty()) {
1176 LOGI("user el%{public}u key desc has existed", type);
1177 return true;
1178 }
1179 return false;
1180 }
1181
1182 int KeyManager::CheckAndDeleteEmptyEl5Directory(std::string keyDir, unsigned int user)
1183 {
1184 std::string keyUeceDir = UECE_DIR + "/" + std::to_string(user);
1185 if (!IsDir(keyDir) || !IsDir(keyUeceDir)) {
1186 LOGE("Have not found dir %{public}u el5", user);
1187 return -ENOENT;
1188 }
1189
1190 if (IsDir(keyDir) && std::filesystem::is_empty(keyDir)) {
1191 OHOS::ForceRemoveDirectory(keyDir);
1192 LOGE("Have removed key dir %{public}u el5", user);
1193 return -ENOENT;
1194 }
1195 return 0;
1196 }
1197
1198 bool KeyManager::GetUserDelayHandler(uint32_t userId, std::shared_ptr<DelayHandler> &delayHandler)
1199 {
1200 LOGI("enter");
1201 auto iterTask = userLockScreenTask_.find(userId);
1202 if (iterTask == userLockScreenTask_.end()) {
1203 std::shared_ptr<DelayHandler> lockScreenTask = std::make_shared<DelayHandler>(userId);
1204 userLockScreenTask_[userId] = std::make_shared<DelayHandler>(userId);
1205 }
1206 delayHandler = userLockScreenTask_[userId];
1207 if (delayHandler == nullptr) {
1208 LOGE("user %{public}d delayHandler is nullptr !", userId);
1209 return false;
1210 }
1211 return true;
1212 }
1213
1214 int KeyManager::ActiveUeceUserKey(unsigned int user,
1215 const std::vector<uint8_t> &token,
1216 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1217 {
1218 std::shared_ptr<DelayHandler> userDelayHandler;
1219 if (GetUserDelayHandler(user, userDelayHandler)) {
1220 userDelayHandler->CancelDelayTask();
1221 }
1222 saveESecretStatus[user] = !secret.empty();
1223 LOGW("userId %{public}u, token empty %{public}d sec empty %{public}d", user, token.empty(), secret.empty());
1224 userEl5Key_[user] = elKey;
1225 UserAuth auth = { .token = token, .secret = secret };
1226 bool eBufferStatue = false;
1227 if (!elKey->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, true)) {
1228 LOGE("Unlock user %{public}u E_Class failed", user);
1229 return -EFAULT;
1230 }
1231
1232 if (!token.empty() && !secret.empty() && eBufferStatue) {
1233 if (TryToFixUeceKey(user, token, secret) != E_OK) {
1234 LOGE("TryToFixUeceKey el5 failed !");
1235 return -EFAULT;
1236 }
1237 }
1238 LOGW("ActiveCeSceSeceUserKey user %{public}u, saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1239 return 0;
1240 }
1241
1242 int KeyManager::ActiveElXUserKey(unsigned int user,
1243 const std::vector<uint8_t> &token, KeyType keyType,
1244 const std::vector<uint8_t> &secret, std::shared_ptr<BaseKey> elKey)
1245 {
1246 if (elKey->InitKey(false) == false) {
1247 LOGE("Init el failed");
1248 return -EFAULT;
1249 }
1250 UserAuth auth = { token, secret };
1251 bool keyResult = elKey->RestoreKey(auth);
1252 bool noKeyResult = !keyResult && elKey->RestoreKey(NULL_KEY_AUTH);
1253 // key and no-key situation all failed, include upgrade situation, return err
1254 if (!keyResult && !noKeyResult) {
1255 LOGE("Restore el failed, type: %{public}u", keyType);
1256 return -EFAULT;
1257 }
1258 // if device has pwd and decrypt success, continue.otherwise try no pwd and fix situation.
1259 if (!keyResult && noKeyResult) {
1260 if (TryToFixUserCeEceSeceKey(user, keyType, token, secret) != E_OK) {
1261 LOGE("TryToFixUserCeEceSeceKey elx failed, type %{public}u", keyType);
1262 return -EFAULT;
1263 }
1264 }
1265 std::string NEED_UPDATE_PATH = GetKeyDirByUserAndType(user, keyType) + PATH_LATEST + SUFFIX_NEED_UPDATE;
1266 if (!FileExists(NEED_UPDATE_PATH) && (elKey->StoreKey(auth) == false)) {
1267 LOGE("Store el failed");
1268 return -EFAULT;
1269 }
1270 if (elKey->ActiveKey(RETRIEVE_KEY) == false) {
1271 LOGE("Active user %{public}u key failed", user);
1272 return -EFAULT;
1273 }
1274 return 0;
1275 }
1276
1277 int KeyManager::UnlockUserScreen(uint32_t user, const std::vector<uint8_t> &token, const std::vector<uint8_t> &secret)
1278 {
1279 LOGI("start");
1280 userPinProtect[user] = !secret.empty() || !token.empty();
1281 std::shared_ptr<DelayHandler> userDelayHandler;
1282 if (GetUserDelayHandler(user, userDelayHandler)) {
1283 userDelayHandler->CancelDelayTask();
1284 }
1285 auto iter = saveLockScreenStatus.find(user);
1286 if (iter == saveLockScreenStatus.end()) {
1287 saveLockScreenStatus.insert(std::make_pair(user, false));
1288 }
1289 if (!IsUserCeDecrypt(user)) {
1290 LOGE("user ce does not decrypt, skip");
1291 return 0;
1292 }
1293 if (!KeyCtrlHasFscryptSyspara()) {
1294 saveLockScreenStatus[user] = true;
1295 LOGI("saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1296 return 0;
1297 }
1298 std::lock_guard<std::mutex> lock(keyMutex_);
1299 std::string tokenEmy = token.empty() ? "true" : "false";
1300 std::string secretEmy = secret.empty() ? "true" : "false";
1301 std::string tokenInfo = "token isEmpty = " + tokenEmy + ", secret isEmpty = " + secretEmy;
1302 int ret = 0;
1303 if ((ret = UnlockEceSece(user, token, secret)) != E_OK) {
1304 StorageRadar::ReportUpdateUserAuth("UnlockUserScreen::UnlockEceSece", user, ret, "EL4", tokenInfo);
1305 return ret;
1306 }
1307 if ((ret = UnlockUece(user, token, secret)) != E_OK) {
1308 StorageRadar::ReportUpdateUserAuth("UnlockUserScreen::UnlockUece", user, ret, "EL5", tokenInfo);
1309 return ret;
1310 }
1311 saveLockScreenStatus[user] = true;
1312 LOGW("UnlockUserScreen user %{public}u el3 and el4 success and saveLockScreenStatus is %{public}d", user,
1313 saveLockScreenStatus[user]);
1314 return 0;
1315 }
1316
1317 int32_t KeyManager::UnlockEceSece(uint32_t user,
1318 const std::vector<uint8_t> &token,
1319 const std::vector<uint8_t> &secret)
1320 {
1321 auto el4Key = GetUserElKey(user, EL4_KEY);
1322 if (el4Key == nullptr) {
1323 saveLockScreenStatus[user] = true;
1324 LOGE("The user %{public}u not been actived and saveLockScreenStatus is %{public}d", user,
1325 saveLockScreenStatus[user]);
1326 return E_NON_EXIST;
1327 }
1328 if (!el4Key->RestoreKey({ token, secret }, false) && !el4Key->RestoreKey(NULL_KEY_AUTH, false)) {
1329 LOGE("Restore user %{public}u el4 key failed", user);
1330 return E_RESTORE_KEY_FAILED;
1331 }
1332 if (!el4Key->UnlockUserScreen(user, FSCRYPT_SDP_ECE_CLASS)) {
1333 LOGE("UnlockUserScreen user %{public}u el4 key failed", user);
1334 return E_UNLOCK_SCREEN_FAILED;
1335 }
1336 LOGI("DecryptClassE user %{public}u saveESecretStatus %{public}d", user, saveESecretStatus[user]);
1337 return E_OK;
1338 }
1339
1340 int32_t KeyManager::UnlockUece(uint32_t user,
1341 const std::vector<uint8_t> &token,
1342 const std::vector<uint8_t> &secret)
1343 {
1344 UserAuth auth = {.token = token, .secret = secret};
1345 saveESecretStatus[user] = !auth.token.IsEmpty();
1346 auto el5Key = GetUserElKey(user, EL5_KEY);
1347 bool eBufferStatue = false;
1348 if (el5Key != nullptr && !el5Key->DecryptClassE(auth, saveESecretStatus[user], eBufferStatue, user, false)) {
1349 LOGE("Unlock user %{public}u uece failed", user);
1350 return E_UNLOCK_APP_KEY2_FAILED;
1351 }
1352 if (UnlockUserAppKeys(user, false) != E_OK) {
1353 LOGE("failed to delete appkey2");
1354 return E_UNLOCK_APP_KEY2_FAILED;
1355 }
1356 return E_OK;
1357 }
1358
1359 int KeyManager::GetLockScreenStatus(uint32_t user, bool &lockScreenStatus)
1360 {
1361 LOGI("start");
1362 std::lock_guard<std::mutex> lock(keyMutex_);
1363 auto iter = saveLockScreenStatus.find(user);
1364 lockScreenStatus = (iter == saveLockScreenStatus.end()) ? false: iter->second;
1365 LOGW("lockScreenStatus is %{public}d", lockScreenStatus);
1366 return 0;
1367 }
1368
1369 int KeyManager::GenerateAppkey(uint32_t userId, uint32_t hashId, std::string &keyId)
1370 {
1371 if (!IsUeceSupport()) {
1372 LOGI("Not support uece !");
1373 return -ENOTSUP;
1374 }
1375 LOGI("enter");
1376 std::lock_guard<std::mutex> lock(keyMutex_);
1377 auto el5Key = GetBaseKey(GetKeyDirByUserAndType(userId, EL5_KEY));
1378 if (el5Key == nullptr) {
1379 LOGE("el5Key is nullptr");
1380 return -ENOENT;
1381 }
1382 if (el5Key->GenerateAppkey(userId, hashId, keyId) == false) {
1383 LOGE("Failed to generate Appkey2");
1384 return -EFAULT;
1385 }
1386 return 0;
1387 }
1388
1389 int KeyManager::DeleteAppkey(uint32_t userId, const std::string keyId)
1390 {
1391 std::lock_guard<std::mutex> lock(keyMutex_);
1392 auto el5Key = GetBaseKey(GetKeyDirByUserAndType(userId, EL5_KEY));
1393 if (el5Key == nullptr) {
1394 LOGE("el5Key is nullptr");
1395 return -ENOENT;
1396 }
1397 if (el5Key->DeleteAppkey(keyId) == false) {
1398 LOGE("Failed to delete Appkey2");
1399 return -EFAULT;
1400 }
1401 return 0;
1402 }
1403
1404 int KeyManager::UnlockUserAppKeys(uint32_t userId, bool needGetAllAppKey)
1405 {
1406 if (!IsUeceSupport()) {
1407 LOGI("E type is not support");
1408 return E_OK;
1409 }
1410 #ifdef EL5_FILEKEY_MANAGER
1411 std::vector<std::pair<int, std::string>> keyInfo;
1412 std::vector<std::pair<std::string, bool>> loadInfos;
1413 if (needGetAllAppKey) {
1414 if (El5FilekeyManagerKit::GetUserAllAppKey(userId, keyInfo) != 0) {
1415 LOGE("get user all app keys fail.");
1416 return -EFAULT;
1417 }
1418 LOGI("get user all app keys success.");
1419 } else {
1420 if (El5FilekeyManagerKit::GetUserAppKey(userId, keyInfo) != 0) {
1421 LOGE("get User Appkeys fail.");
1422 return -EFAULT;
1423 }
1424 LOGI("get User Appkeys success.");
1425 }
1426 if (keyInfo.size() == 0) {
1427 LOGE("The keyInfo is empty!");
1428 return 0;
1429 }
1430 if (userEl5Key_.find(userId) == userEl5Key_.end()) {
1431 LOGE("userEl5Key_ has not existed");
1432 return -ENOENT;
1433 }
1434 auto elKey = userEl5Key_[userId];
1435 std::string keyId;
1436 for (auto keyInfoAppUid :keyInfo) {
1437 if (elKey->GenerateAppkey(userId, keyInfoAppUid.first, keyId) == false) {
1438 LOGE("Failed to Generate Appkey2!");
1439 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1440 }
1441 if (keyInfoAppUid.second != keyId) {
1442 LOGE("The keyId check fails!");
1443 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, false));
1444 }
1445 loadInfos.push_back(std::make_pair(keyInfoAppUid.second, true));
1446 }
1447 if (El5FilekeyManagerKit::ChangeUserAppkeysLoadInfo(userId, loadInfos) != 0) {
1448 LOGE("Change User Appkeys LoadInfo fail.");
1449 return -EFAULT;
1450 }
1451 #endif
1452 LOGI("UnlockUserAppKeys success!");
1453 return E_OK;
1454 }
1455
1456 int KeyManager::InActiveUserKey(unsigned int user)
1457 {
1458 LOGI("start");
1459 if (!KeyCtrlHasFscryptSyspara()) {
1460 return 0;
1461 }
1462 std::lock_guard<std::mutex> lock(keyMutex_);
1463 int ret = InactiveUserElKey(user, userEl2Key_);
1464 if (ret != E_OK) {
1465 LOGE("Inactive userEl2Key_ failed");
1466 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL2", "");
1467 return ret;
1468 }
1469 ret = InactiveUserElKey(user, userEl3Key_);
1470 if (ret != E_OK) {
1471 LOGE("Inactive userEl3Key_ failed");
1472 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL3", "");
1473 return ret;
1474 }
1475 ret = InactiveUserElKey(user, userEl4Key_);
1476 if (ret != E_OK) {
1477 LOGE("Inactive userEl4Key_ failed");
1478 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL4", "");
1479 return ret;
1480 }
1481 ret = InactiveUserElKey(user, userEl5Key_);
1482 if (ret != E_OK) {
1483 LOGE("Inactive userEl5Key_ failed");
1484 StorageRadar::ReportUserKeyResult("InactiveUserElKey", user, ret, "EL5", "");
1485 return ret;
1486 }
1487 auto userTask = userLockScreenTask_.find(user);
1488 if (userTask != userLockScreenTask_.end()) {
1489 userLockScreenTask_.erase(userTask);
1490 LOGI("InActive user %{public}u, erase user task", user);
1491 }
1492 return 0;
1493 }
1494
1495 int KeyManager::InactiveUserElKey(unsigned int user, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElxKey_)
1496 {
1497 if (userElxKey_.find(user) == userElxKey_.end()) {
1498 LOGE("Have not found user %{public}u el2", user);
1499 return E_PARAMS_INVAL;
1500 }
1501 auto elKey = userElxKey_[user];
1502 if (elKey->InactiveKey(USER_LOGOUT) == false) {
1503 LOGE("Clear user %{public}u key failed", user);
1504 return E_ELX_KEY_INACTIVE_ERROR;
1505 }
1506 userElxKey_.erase(user);
1507 LOGI("Inactive user %{public}u elX success", user);
1508 return 0;
1509 }
1510
1511 int KeyManager::LockUserScreen(uint32_t user)
1512 {
1513 LOGI("start");
1514 std::lock_guard<std::mutex> lock(keyMutex_);
1515 if (!IsUserCeDecrypt(user)) {
1516 LOGE("user ce does not decrypt, skip");
1517 return 0;
1518 }
1519 auto iter = userPinProtect.find(user);
1520 if (iter == userPinProtect.end() || iter->second == false) {
1521 if (!IamClient::GetInstance().HasPinProtect(user)) {
1522 LOGI("Has no pin protect, saveLockScreenStatus is %{public}d", saveLockScreenStatus[user]);
1523 return 0;
1524 }
1525 userPinProtect.erase(user);
1526 userPinProtect.insert(std::make_pair(user, true));
1527 }
1528 iter = saveLockScreenStatus.find(user);
1529 if (iter == saveLockScreenStatus.end()) {
1530 saveLockScreenStatus.insert(std::make_pair(user, false));
1531 }
1532 if (!KeyCtrlHasFscryptSyspara()) {
1533 saveLockScreenStatus[user] = false;
1534 LOGI("KeyCtrlHasFscryptSyspara is false, saveLockScreenStatus is %{public}d",
1535 saveLockScreenStatus[user]);
1536 return 0;
1537 }
1538 auto el5Key = GetUserElKey(user, EL5_KEY);
1539 saveESecretStatus[user] = true;
1540 if (el5Key != nullptr && !el5Key->LockUece(saveESecretStatus[user])) {
1541 LOGE("lock user %{public}u el5 key failed !", user);
1542 }
1543 auto el4Key = GetUserElKey(user, EL4_KEY);
1544 if (el4Key == nullptr) {
1545 LOGE("Have not found user %{public}u el3 or el4", user);
1546 StorageRadar::ReportUpdateUserAuth("LockUserScreen::GetUserElKey", user, -ENOENT, "EL4", "not found key");
1547 return -ENOENT;
1548 }
1549 std::shared_ptr<DelayHandler> userDelayHandler;
1550 if (GetUserDelayHandler(user, userDelayHandler)) {
1551 userDelayHandler->StartDelayTask(el4Key);
1552 }
1553
1554 saveLockScreenStatus[user] = false;
1555 LOGI("LockUserScreen user %{public}u el3 and el4 success, saveLockScreenStatus is %{public}d",
1556 user, saveLockScreenStatus[user]);
1557 return 0;
1558 }
1559
1560 int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std::vector<FileList> &vec)
1561 {
1562 LOGI("start");
1563 if (!KeyCtrlHasFscryptSyspara()) {
1564 return 0;
1565 }
1566 std::string keyPath;
1567 std::string eceSeceKeyPath;
1568 std::lock_guard<std::mutex> lock(keyMutex_);
1569 if (type == EL1_KEY) {
1570 if (userEl1Key_.find(user) == userEl1Key_.end()) {
1571 LOGE("Have not found user %{public}u el1 key, not enable el1", user);
1572 return -ENOENT;
1573 }
1574 keyPath = userEl1Key_[user]->GetDir();
1575 } else if (type == EL2_KEY || type == EL3_KEY || type == EL4_KEY || type == EL5_KEY) {
1576 if (userEl2Key_.find(user) == userEl2Key_.end()) {
1577 LOGE("Have not found user %{public}u el2 key, not enable el2", user);
1578 return -ENOENT;
1579 }
1580 keyPath = userEl2Key_[user]->GetDir();
1581 } else {
1582 LOGE("Not specify el flags, no need to crypt");
1583 return 0;
1584 }
1585 if (getEceSeceKeyPath(user, type, eceSeceKeyPath) != 0) {
1586 LOGE("method getEceSeceKeyPath fail");
1587 return -ENOENT;
1588 }
1589 for (auto item : vec) {
1590 int ret = LoadAndSetPolicy(keyPath.c_str(), item.path.c_str());
1591 if (ret != 0) {
1592 LOGE("Set directory el policy error, ret: %{public}d", ret);
1593 return -EFAULT;
1594 }
1595 }
1596 if (type == EL3_KEY || type == EL4_KEY) {
1597 for (auto item : vec) {
1598 if (LoadAndSetEceAndSecePolicy(eceSeceKeyPath.c_str(), item.path.c_str(), static_cast<int>(type)) != 0) {
1599 LOGE("Set directory el policy error!");
1600 return -EFAULT;
1601 }
1602 }
1603 }
1604 LOGW("Set user %{public}u el policy success", user);
1605 return 0;
1606 }
1607
1608 int KeyManager::getEceSeceKeyPath(unsigned int user, KeyType type, std::string &eceSeceKeyPath)
1609 {
1610 if (type == EL3_KEY) {
1611 if (userEl3Key_.find(user) == userEl3Key_.end()) {
1612 LOGI("Have not found user %{public}u el3 key, not enable el3", user);
1613 return -ENOENT;
1614 }
1615 eceSeceKeyPath = userEl3Key_[user]->GetDir();
1616 }
1617 if (type == EL4_KEY) {
1618 if (userEl4Key_.find(user) == userEl4Key_.end()) {
1619 LOGI("Have not found user %{public}u el4 key, not enable el4", user);
1620 return -ENOENT;
1621 }
1622 eceSeceKeyPath = userEl4Key_[user]->GetDir();
1623 }
1624 return 0;
1625 }
1626
1627 int KeyManager::UpdateCeEceSeceKeyContext(uint32_t userId, KeyType type)
1628 {
1629 LOGI("start");
1630 if (!KeyCtrlHasFscryptSyspara()) {
1631 return 0;
1632 }
1633 std::lock_guard<std::mutex> lock(keyMutex_);
1634 if (HasElkey(userId, type) == false) {
1635 LOGE("Have not found user %{public}u el%{public}u", userId, type);
1636 return E_PARAMS_INVAL;
1637 }
1638 std::shared_ptr<BaseKey> elKey = GetUserElKey(userId, type);
1639 if (elKey == nullptr) {
1640 LOGE("Have not found user %{public}u, type el%{public}u", userId, type);
1641 return -ENOENT;
1642 }
1643 if (!elKey->UpdateKey()) {
1644 LOGE("Basekey update newest context failed");
1645 return -EFAULT;
1646 }
1647 return 0;
1648 }
1649
1650 int KeyManager::UpdateKeyContext(uint32_t userId)
1651 {
1652 LOGI("UpdateKeyContext enter");
1653 int ret = UpdateCeEceSeceKeyContext(userId, EL2_KEY);
1654 if (ret != 0) {
1655 LOGE("Basekey update EL2 newest context failed");
1656 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL2", "");
1657 return ret;
1658 }
1659 ret = UpdateCeEceSeceKeyContext(userId, EL3_KEY);
1660 if (ret != 0) {
1661 LOGE("Basekey update EL3 newest context failed");
1662 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL3", "");
1663 return ret;
1664 }
1665 ret = UpdateCeEceSeceKeyContext(userId, EL4_KEY);
1666 if (ret != 0) {
1667 LOGE("Basekey update EL4 newest context failed");
1668 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL4", "");
1669 return ret;
1670 }
1671 if (IsUeceSupport() && saveESecretStatus[userId]) {
1672 ret = UpdateCeEceSeceKeyContext(userId, EL5_KEY);
1673 }
1674 if (ret != 0 && ((userId < StorageService::START_APP_CLONE_USER_ID ||
1675 userId > StorageService::MAX_APP_CLONE_USER_ID))) {
1676 LOGE("Basekey update EL5 newest context failed");
1677 StorageRadar::ReportUpdateUserAuth("UpdateKeyContext::UpdateCeEceSeceKeyContext", userId, ret, "EL5", "");
1678 return ret;
1679 }
1680 LOGI("Basekey update key context success");
1681 return 0;
1682 }
1683
1684 bool KeyManager::IsUeceSupport()
1685 {
1686 int fd = open(UECE_PATH, O_RDWR);
1687 if (fd < 0) {
1688 if (errno == ENOENT) {
1689 LOGE("uece does not support !");
1690 }
1691 LOGE("open uece failed, errno : %{public}d", errno);
1692 return false;
1693 }
1694 close(fd);
1695 LOGI("uece is support.");
1696 return true;
1697 }
1698
1699 int KeyManager::IsUeceSupportWithErrno()
1700 {
1701 int fd = open(UECE_PATH, O_RDWR);
1702 if (fd < 0) {
1703 if (errno == ENOENT) {
1704 LOGE("uece does not support !");
1705 return ENOENT;
1706 }
1707 LOGE("open uece failed, errno : %{public}d", errno);
1708 return errno;
1709 }
1710 close(fd);
1711 LOGI("uece is support.");
1712 return E_OK;
1713 }
1714
1715 int KeyManager::UpgradeKeys(const std::vector<FileList> &dirInfo)
1716 {
1717 for (const auto &it : dirInfo) {
1718 std::shared_ptr<BaseKey> elKey = GetBaseKey(it.path);
1719 if (elKey == nullptr) {
1720 LOGE("Basekey memory failed");
1721 continue;
1722 }
1723 elKey->UpgradeKeys();
1724 }
1725 return 0;
1726 }
1727
1728 int KeyManager::GetFileEncryptStatus(uint32_t userId, bool &isEncrypted, bool needCheckDirMount)
1729 {
1730 LOGI("Begin check encrypted status, userId is %{public}d, needCheckDirMount is %{public}d",
1731 userId, needCheckDirMount);
1732 isEncrypted = true;
1733 const char rootPath[] = "/data/app/el2/";
1734 const char basePath[] = "/base";
1735 size_t allPathSize = strlen(rootPath) + strlen(basePath) + 1 + USER_ID_SIZE_VALUE;
1736 char *path = reinterpret_cast<char *>(malloc(sizeof(char) * (allPathSize)));
1737 if (path == nullptr) {
1738 LOGE("Failed to malloce path.");
1739 return E_SYS_ERR;
1740 }
1741 int len = sprintf_s(path, allPathSize, "%s%u%s", rootPath, userId, basePath);
1742 if (len <= 0 || (size_t)len >= allPathSize) {
1743 free(path);
1744 LOGE("Failed to get base path");
1745 return -ENOENT;
1746 }
1747 if (access(path, F_OK) != 0) {
1748 free(path);
1749 LOGI("This is encrypted status");
1750 return E_OK;
1751 }
1752 free(path);
1753 if (needCheckDirMount && !MountManager::GetInstance()->CheckMountFileByUser(userId)) {
1754 LOGI("The virturalDir is not exists.");
1755 return E_OK;
1756 }
1757 isEncrypted = false;
1758 LOGI("This is unencrypted status");
1759 return E_OK;
1760 }
1761
1762 bool KeyManager::IsUserCeDecrypt(uint32_t userId)
1763 {
1764 bool isCeEncrypt = false;
1765 int ret = GetFileEncryptStatus(userId, isCeEncrypt);
1766 if (ret != E_OK || isCeEncrypt) {
1767 LOGE("User %{public}d de has not decrypt.", userId);
1768 return false;
1769 }
1770 LOGI("User %{public}d de decrypted.", userId);
1771 return true;
1772 }
1773
1774 int KeyManager::CheckUserPinProtect(unsigned int userId,
1775 const std::vector<uint8_t> &token,
1776 const std::vector<uint8_t> &secret)
1777 {
1778 LOGI("enter CheckUserPinProtect");
1779 // judge if device has PIN protect
1780 if ((token.empty() && secret.empty()) && IamClient::GetInstance().HasPinProtect(userId)) {
1781 LOGE("User %{public}d has pin code protect.", userId);
1782 return E_ERR;
1783 }
1784 return E_OK;
1785 }
1786
1787 int KeyManager::TryToFixUserCeEceSeceKey(unsigned int userId,
1788 KeyType keyType,
1789 const std::vector<uint8_t> &token,
1790 const std::vector<uint8_t> &secret)
1791 {
1792 LOGI("enter TryToFixUserCeEceSeceKey");
1793 keyMutex_.unlock();
1794 if (!IamClient::GetInstance().HasPinProtect(userId)) {
1795 LOGE("User %{public}d has no pin code protect.", userId);
1796 return E_OK;
1797 }
1798
1799 uint64_t secureUid = { 0 };
1800 if (!secret.empty() && !token.empty()) {
1801 IamClient::GetInstance().GetSecureUid(userId, secureUid);
1802 LOGE("Pin code is exist, get secure uid.");
1803 }
1804 UserAuth auth = { .token = token, .secret = secret, .secureUid = secureUid };
1805 UserTokenSecret userTokenSecret = { .token = token, .oldSecret = {}, .newSecret = secret, .secureUid = secureUid };
1806
1807 #ifdef USER_CRYPTO_MIGRATE_KEY
1808 if (UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType, false) != E_OK) {
1809 #else
1810 if (UpdateCeEceSeceUserAuth(userId, userTokenSecret, keyType) != E_OK) {
1811 #endif
1812 LOGE("try to fix elx key failed !");
1813 return -EFAULT;
1814 }
1815 if (UpdateCeEceSeceKeyContext(userId, keyType) != E_OK) {
1816 LOGE("try to fix elx key context failed !");
1817 StorageRadar::ReportUpdateUserAuth("TryToFixUserCeEceSeceKey::UpdateCeEceSeceKeyContext",
1818 userId, -EFAULT, std::to_string(keyType), "");
1819 return -EFAULT;
1820 }
1821 return E_OK;
1822 }
1823
1824 int KeyManager::TryToFixUeceKey(unsigned int userId,
1825 const std::vector<uint8_t> &token,
1826 const std::vector<uint8_t> &secret)
1827 {
1828 LOGI("enter TryToFixUeceKey");
1829 keyMutex_.unlock();
1830 if (!IamClient::GetInstance().HasPinProtect(userId)) {
1831 LOGE("User %{public}d has no pin code protect.", userId);
1832 return E_OK;
1833 }
1834
1835 uint64_t secureUid = { 0 };
1836 if (!secret.empty() && !token.empty()) {
1837 IamClient::GetInstance().GetSecureUid(userId, secureUid);
1838 LOGE("Pin code is exist, get secure uid.");
1839 }
1840 UserAuth auth = { .token=token, .secret=secret, .secureUid = secureUid };
1841 UserTokenSecret tokenSecret = { .token = token, .oldSecret = { }, .newSecret = secret, .secureUid = secureUid};
1842
1843 if (UpdateESecret(userId, tokenSecret) != E_OK) {
1844 LOGE("try to fix elx key failed !");
1845 return -EFAULT;
1846 }
1847 if (UpdateCeEceSeceKeyContext(userId, EL5_KEY) != E_OK) {
1848 LOGE("try to fix elx key context failed !");
1849 StorageRadar::ReportUpdateUserAuth("TryToFixUeceKey::UpdateCeEceSeceKeyContext", userId, -EFAULT, "EL5", "");
1850 return -EFAULT;
1851 }
1852 return E_OK;
1853 }
1854
1855 #ifdef USER_CRYPTO_MIGRATE_KEY
1856 int KeyManager::RestoreUserKey(uint32_t userId, KeyType type)
1857 {
1858 LOGI("start, user is %{public}u , type is %{public}d", userId, type);
1859 std::string dir = GetKeyDirByUserAndType(userId, type);
1860 if (dir == "") {
1861 LOGE("type is invalid, %{public}u", type);
1862 return E_PARAMS_INVAL;
1863 }
1864
1865 if (!IsDir(dir)) {
1866 LOGE("dir not exist");
1867 return -ENOENT;
1868 }
1869 return RestoreUserKey(userId, dir, NULL_KEY_AUTH, type);
1870 }
1871 #endif
1872 } // namespace StorageDaemon
1873 } // namespace OHOS
1874