Fix UnlockedDeviceRequired with biometric unlock with unified challenge

Currently Keystore can't decrypt the UnlockedDeviceRequired
superencryption key for a profile with unified challenge when the parent
user is unlocked via biometric.  This is because the key is being
protected by the profile's list of biometric SIDs, not the parent's list
of biometric SIDs.  Fix this by using the parent's list of SIDs.

Test: Unit test: 'atest TrustManagerServiceTest', with and without the
      fix_unlocked_device_required_keys_v2 flag enabled.

      Manual test: considering that it's apparently not possible to test
      biometric unlock with automated tests, I also did a manual test
      using the following steps (with and without the fix):
      - Added screen lock and fingerprint.
      - Installed TestDPC and set up work profile.
      - Locked screen, then unlocked with fingerprint.
      - With screen still unlocked, ran an app in the work profile that
        tries to use an UnlockedDeviceRequired key.  To do this without
        a custom app, I (mis)used the Keystore CTS tests:
            m CtsKeystoreTestCases
            adb push $ANDROID_PRODUCT_OUT/testcases/CtsKeystoreTestCases/arm64/CtsKeystoreTestCases.apk /data/local/tmp/
            adb shell pm install --user 10 -t -g /data/local/tmp/CtsKeystoreTestCases.apk
            adb shell am instrument --user 10 -w -e class android.keystore.cts.CipherTest#testUnlockedDeviceRequiredKeysRequireSecureLockScreen,android.keystore.cts.CipherTest#testUnlockedDeviceRequiredKeysDoNotRequireSecureLockScreen android.keystore.cts/androidx.test.runner.AndroidJUnitRunner
      - Ignoring the CTS result, ran 'adb logcat -d | grep keystore |
        tail -50' and looked for "Required super decryption key is not
        in memory".  The fix makes this error go away.

Bug: 296464083
Change-Id: I7e30cfe1336a38480fb3afbaac6a72d9c740aba9
2 files changed