Add wrapped key support for metadata encryption

Change the metadata_cipher fstab option to metadata_encryption,
which includes encryption flags in addition to the cipher.
The wrappedkey_v0 encryption flag is used to denote that the
inline encryption hardware supports wrapped keys. The dm-default-key
device is created and a wrapped key is provided along with the
optional wrappedkey_v0 argument.

Bug: 147733587

Test: FBE validation with Fscrypt v2 + inline crypt + wrapped
key changes kernel and metadata encryption with wrapped key.

Change-Id: Id1a18db175680dd6b0adb4594d06566eb1285785
Barani Muthukumaran 2020-02-06 23:46:37 -08:00 committed by Paul Crowley
parent 71fcaf5726
commit 2ca1d83ddb
6 changed files with 44 additions and 16 deletions


@ -277,9 +277,9 @@ void ParseFsMgrFlags(const std::string& flags, FstabEntry* entry) {
} else if (StartsWith(flag, "keydirectory=")) {
// The metadata flag is followed by an = and the directory for the keys.
entry->metadata_key_dir = arg;
} else if (StartsWith(flag, "metadata_cipher=")) {
// Specify the cipher to use for metadata encryption
entry->metadata_cipher = arg;
} else if (StartsWith(flag, "metadata_encryption=")) {
// Specify the cipher and flags to use for metadata encryption
entry->metadata_encryption = arg;
} else if (StartsWith(flag, "sysfs_path=")) {
// The path to trigger device gc by idle-maint of vold.
entry->sysfs_path = arg;
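Review bot: Dropping the `metadata_cipher=` branch means an fstab that still carries the old option no longer populates any field, so the configured cipher is lost; what the fall-through does with an unrecognised flag is outside this hunk. If existing device fstabs must keep working, keep an alias such as `} else if (StartsWith(flag, "metadata_cipher=")) { entry->metadata_encryption = arg; }`. The comment on the new branch should also state the value format the tests use, for example `// Format: <cipher>[:<flag>], e.g. aes-256-xts:wrappedkey_v0; stored unparsed, the consumer splits it`. ParseFsMgrFlags starts and ends outside the hunk.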


@ -38,7 +38,7 @@ struct FstabEntry {
std::string fs_options;
std::string key_loc;
std::string metadata_key_dir;
std::string metadata_cipher;
std::string metadata_encryption;
off64_t length = 0;
std::string label;
int partnum = -1;


@ -280,6 +280,7 @@ std::string DmTargetDefaultKey::GetParameterString() const {
extra_argv.emplace_back("allow_discards");
extra_argv.emplace_back("sector_size:4096");
extra_argv.emplace_back("iv_large_sectors");
if (is_hw_wrapped_) extra_argv.emplace_back("wrappedkey_v0");
}
if (!extra_argv.empty()) {
argv.emplace_back(std::to_string(extra_argv.size()));
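Review bot: The `wrappedkey_v0` argument is appended only inside the block that closes right after it, and that block's condition is outside the hunk. If it is the non-legacy branch (the DefaultKeyArgs test suggests legacy output carries no optional arguments), a target with both SetIsLegacy() and SetWrappedKeyV0() silently drops the flag, and the table is built as if the key were not wrapped. Rejecting the combination in Valid(), e.g. `if (is_legacy_ && is_hw_wrapped_) return false;`, makes that misconfiguration fail closed; Valid() is not shown here, so confirm it does not already cover this. The DefaultKeyArgs test leaves the wrapped case as a TODO, so neither outcome is pinned by a test.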


@ -526,13 +526,18 @@ TEST(libdm, DefaultKeyArgs) {
bool is_legacy;
ASSERT_TRUE(DmTargetDefaultKey::IsLegacy(&is_legacy));
// set_dun only in the non-is_legacy case
DmTargetDefaultKey target(0, 4096, "AES-256-XTS", "abcdef0123456789", "/dev/loop0", 0,
is_legacy, !is_legacy);
DmTargetDefaultKey target(0, 4096, "AES-256-XTS", "abcdef0123456789", "/dev/loop0", 0);
if (is_legacy) {
target.SetIsLegacy();
} else {
target.SetSetDun();
}
ASSERT_EQ(target.name(), "default-key");
ASSERT_TRUE(target.Valid());
if (is_legacy) {
ASSERT_EQ(target.GetParameterString(), "AES-256-XTS abcdef0123456789 /dev/loop0 0");
} else {
// TODO: Add case for wrapped key enabled
ASSERT_EQ(target.GetParameterString(),
"AES-256-XTS abcdef0123456789 0 /dev/loop0 0 3 allow_discards sector_size:4096 "
"iv_large_sectors");


@ -280,20 +280,20 @@ class DmTargetCrypt final : public DmTarget {
class DmTargetDefaultKey final : public DmTarget {
public:
DmTargetDefaultKey(uint64_t start, uint64_t length, const std::string& cipher,
const std::string& key, const std::string& blockdev, uint64_t start_sector,
bool is_legacy, bool set_dun)
const std::string& key, const std::string& blockdev, uint64_t start_sector)
: DmTarget(start, length),
cipher_(cipher),
key_(key),
blockdev_(blockdev),
start_sector_(start_sector),
is_legacy_(is_legacy),
set_dun_(set_dun) {}
start_sector_(start_sector) {}
std::string name() const override { return name_; }
bool Valid() const override;
std::string GetParameterString() const override;
static bool IsLegacy(bool* result);
void SetIsLegacy() { is_legacy_ = true; }
void SetSetDun() { set_dun_ = true; }
void SetWrappedKeyV0() { is_hw_wrapped_ = true; }
private:
static const std::string name_;
@ -301,8 +301,9 @@ class DmTargetDefaultKey final : public DmTarget {
std::string key_;
std::string blockdev_;
uint64_t start_sector_;
bool is_legacy_;
bool set_dun_;
bool is_legacy_ = false;
bool set_dun_ = false;
bool is_hw_wrapped_ = false;
};
} // namespace dm
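Review bot: The three new setters are undocumented and one-way, and nothing in the class says how they interact. `SetWrappedKeyV0()` in particular changes how `key_` is meant to be interpreted (a hardware-wrapped key rather than a raw one, going by the commit message). Add a comment above it such as `// Marks key_ as a hardware-wrapped key; adds the wrappedkey_v0 optional argument.`, and one on `SetIsLegacy()`/`SetSetDun()` stating which combinations Valid() accepts. Because the constructor no longer takes `is_legacy`/`set_dun` and both members now default to false, a caller that forgets to call either setter gets a target with neither set, so the comment should say which of the two every caller must pick.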


@ -895,11 +895,11 @@ source none0 swap defaults keydirectory=/dir/key
EXPECT_EQ("/dir/key", entry->metadata_key_dir);
}
TEST(fs_mgr, ReadFstabFromFile_FsMgrOptions_MetadataCipher) {
TEST(fs_mgr, ReadFstabFromFile_FsMgrOptions_MetadataEncryption) {
TemporaryFile tf;
ASSERT_TRUE(tf.fd != -1);
std::string fstab_contents = R"fs(
source none0 swap defaults keydirectory=/dir/key,metadata_cipher=adiantum
source none0 swap defaults keydirectory=/dir/key,metadata_encryption=adiantum
)fs";
ASSERT_TRUE(android::base::WriteStringToFile(fstab_contents, tf.path));
@ -909,7 +909,28 @@ source none0 swap defaults keydirectory=/dir/key,metadata_cipher=ad
ASSERT_EQ(1U, fstab.size());
auto entry = fstab.begin();
EXPECT_EQ("adiantum", entry->metadata_cipher);
EXPECT_EQ("adiantum", entry->metadata_encryption);
}
TEST(fs_mgr, ReadFstabFromFile_FsMgrOptions_MetadataEncryption_WrappedKey) {
TemporaryFile tf;
ASSERT_TRUE(tf.fd != -1);
std::string fstab_contents = R"fs(
source none0 swap defaults keydirectory=/dir/key,metadata_encryption=aes-256-xts:wrappedkey_v0
)fs";
ASSERT_TRUE(android::base::WriteStringToFile(fstab_contents, tf.path));
Fstab fstab;
EXPECT_TRUE(ReadFstabFromFile(tf.path, &fstab));
ASSERT_EQ(1U, fstab.size());
auto entry = fstab.begin();
EXPECT_EQ("aes-256-xts:wrappedkey_v0", entry->metadata_encryption);
auto parts = android::base::Split(entry->metadata_encryption, ":");
EXPECT_EQ(2U, parts.size());
EXPECT_EQ("aes-256-xts", parts[0]);
EXPECT_EQ("wrappedkey_v0", parts[1]);
}
TEST(fs_mgr, ReadFstabFromFile_FsMgrOptions_SysfsPath) {