LockSettingsService: fix UnlockedDeviceRequired to work without LSKF

The security improvements to Keystore's UnlockedDeviceRequired key
protection in Android 12 regressed its behavior by making it no longer
work for unsecured users, e.g. users with a Swipe lock screen. One of
the things that broke it is that Keystore started superencrypting
UnlockedDeviceRequired keys, yet Keystore unnecessarily ties
superencryption to the existence of the user's LSKF. That is, Keystore
creates a user's super keys only when an LSKF is set, and Keystore
deletes all super keys and superencrypted keys when the LSKF is removed.

To fix this, we're first making each user's Keystore super keys have the
same lifetime as the user's synthetic password (and always be encrypted
by it), which is very similar to how the CE storage key works starting
in Android 14. Second, when a user's LSKF is removed, we're making
Keystore delete *only* the user's auth-bound keys.

This change implements the LockSettingsService side of the fix. This
includes the following parts:

- When initializing a user's synthetic password, LockSettingsService now
  initializes the user's Keystore super keys.

- When upgrading to a build including this fix, LockSettingsService now
  does a one-time migration where it initializes the super keys for
  unsecured users. This is necessary to handle existing users.

- When removing a user's LSKF, LockSettingsService now calls the new
  onUserLskfRemoved method of Keystore to delete auth-bound keys only.

- Finally, when an unsecured user's CE storage is unlocked,
  LockSettingsService now unlocks the user's Keystore super keys too.

Due to trunk-stable, these changes are actually behind a flag for now.

Bug: 296464083
Test: see If12824369fbad4a90e5cd0427e792655fd233b96
Change-Id: Ib92a439c2c27cef54c28189dfb5beef68756528e

5 files changed