Fix potential DoS on devices with old keymaster1 hardware.
The Keymaster1 specification allows implementations to provide less
than the full suite of digest algorithms. At minimum they need only
provide SHA256. If keystore detects that keymaster1 hardware provides
less than a full set, it creates a software keymaster wrapper around
the hardware. If an operation requests a digest algorithm that the
hardware does not support, the wrapper performs the digesting in
software and passes the pre-digested data to the hardware for the
final operation.
Each of these two keymaster instances (the software wrapper and the
wrapped hardware) manage their own operation table. The hardware
needs its table to figure out which in-progress operation to update or
finish. The software wrapper needs its table to figure out which
hardware operation handle to forward to the hardware for update or
finish. Note that the software wrapper's table is only used for
operations that require software digesting.
The bug causes the software wrapper to fail to remove entries from its
table when they're completed. After 16 such operations the table is
full, preventing any future operations from being started until the
device is rebooted.
Test: CTS
Bug: 71703554
Change-Id: Ifc1e2a9af9532e6a8f1cd3d0ad3ca079f126a0b7
2 files changed