mount-encrypted: don't fail when the key can't persist
http://crrev/c/2592070 would show recovery screen to lockouted TPM2.0
devices, although the data on those device was already disappeared,
there still had a behavior change.
And there are some TPM2.0 devices were always unfinalized, previous CL
may show recovery screen for those devices(See b/176463188).
This is a partial revert of http://crrev/c/2592070
We shouldn't introduce such behavior change in a cherry-picking CL.
BUG=b:175152256, b:174978923, b:140530417, b:176463188
TEST=The lockouted TPM2.0 device didn't show recovery screen
Change-Id: I597fde7a3a5b6425fb6e8185b1e03af5e99b9384
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2605032
Tested-by: Yi Chou <yich@google.com>
Commit-Queue: Yi Chou <yich@google.com>
Reviewed-by: Andrey Pronin <apronin@chromium.org>
diff --git a/cryptohome/mount_encrypted/encryption_key.cc b/cryptohome/mount_encrypted/encryption_key.cc
index f442a33..3754a4d 100644
--- a/cryptohome/mount_encrypted/encryption_key.cc
+++ b/cryptohome/mount_encrypted/encryption_key.cc
@@ -269,14 +269,6 @@
}
if (!system_key_.empty() && loader_->Persist() != RESULT_SUCCESS) {
- if (USE_TPM2) {
- // The system_key shouldn't fail to persist in TPM2 case, it would only
- // happen when we had some TPM errors.
- LOG(ERROR) << "Failed to persist the system key.";
- // We shouldn't continue to regenerate the existing encryption key.
- system_key_status_ = SystemKeyStatus::kUnknown;
- return RESULT_FAIL_FATAL;
- }
system_key_.clear();
}
}
diff --git a/cryptohome/mount_encrypted/encryption_key_unittest.cc b/cryptohome/mount_encrypted/encryption_key_unittest.cc
index 90dce57..bed2912 100644
--- a/cryptohome/mount_encrypted/encryption_key_unittest.cc
+++ b/cryptohome/mount_encrypted/encryption_key_unittest.cc
@@ -347,8 +347,10 @@
TEST_F(EncryptionKeyTest, TpmOwnedNoSpaces) {
SetOwned();
- ExpectSystemKeyFailed();
- EXPECT_EQ(SystemKeyStatus::kUnknown, key_->system_key_status());
+ ExpectFreshKey();
+ EXPECT_EQ(EncryptionKeyStatus::kFresh, key_->encryption_key_status());
+ ExpectNeedsFinalization();
+ EXPECT_EQ(SystemKeyStatus::kFinalizationPending, key_->system_key_status());
}
TEST_F(EncryptionKeyTest, TpmExistingSpaceNoKeyFile) {
@@ -381,8 +383,10 @@
sizeof(kEncStatefulTpm2Contents));
WriteWrappedKey(key_->key_path(), kWrappedKeyEncStatefulTpm2);
- ExpectSystemKeyFailed();
- EXPECT_EQ(SystemKeyStatus::kUnknown, key_->system_key_status());
+ ExpectFreshKey();
+ EXPECT_EQ(EncryptionKeyStatus::kFresh, key_->encryption_key_status());
+ ExpectNeedsFinalization();
+ EXPECT_EQ(SystemKeyStatus::kFinalizationPending, key_->system_key_status());
}
TEST_F(EncryptionKeyTest, TpmExistingSpaceNotYetWritten) {
