diff --git a/init/Android.bp b/init/Android.bp
index 585c9f05d..52651e298 100644
--- a/init/Android.bp
+++ b/init/Android.bp
@@ -199,6 +199,7 @@ libinit_cc_defaults {
 "libfs_mgr",
 "libgsi",
 "libhidl-gen-utils",
+ "libkeyutils",
 "liblog",
 "liblogwrap",
 "liblp",
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 606ea8c0a..a95a4a315 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -592,6 +592,9 @@ static Result queue_fs_event(int code) {
 } else if (code == FS_MGR_MNTALL_DEV_FILE_ENCRYPTED ||
 code == FS_MGR_MNTALL_DEV_IS_METADATA_ENCRYPTED ||
 code == FS_MGR_MNTALL_DEV_NEEDS_METADATA_ENCRYPTION) {
+ if (!FscryptInstallKeyring()) {
+ return Error() << "FscryptInstallKeyring() failed";
+ }
 SetProperty("ro.crypto.state", "encrypted");
 // Although encrypted, vold has already set the device up, so we do not need to
diff --git a/init/fscrypt_init_extensions.cpp b/init/fscrypt_init_extensions.cpp
index 6a561e54c..fbd818957 100644
--- a/init/fscrypt_init_extensions.cpp
+++ b/init/fscrypt_init_extensions.cpp
@@ -34,12 +34,28 @@
 #include
 #include
 #include
+#include
 #include
 #define TAG "fscrypt"
 using namespace android::fscrypt;
+bool FscryptInstallKeyring() {
+ if (keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "fscrypt", 0) != -1) {
+ LOG(INFO) << "Keyring is already created";
+ return true;
+ }
+ key_serial_t device_keyring = add_key("keyring", "fscrypt", 0, 0, KEY_SPEC_SESSION_KEYRING);
+
+ if (device_keyring == -1) {
+ PLOG(ERROR) << "Failed to create keyring";
+ return false;
+ }
+ LOG(INFO) << "Keyring created with id " << device_keyring << " in process " << getpid();
+ return true;
+}
+
 // TODO(b/139378601): use a single central implementation of this.
 static void delete_dir_contents(const std::string& dir) {
 char* const paths[2] = {const_cast(dir.c_str()), nullptr};
diff --git a/init/fscrypt_init_extensions.h b/init/fscrypt_init_extensions.h
index 5e0269a3b..d357bb2fd 100644
--- a/init/fscrypt_init_extensions.h
+++ b/init/fscrypt_init_extensions.h
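Review bot: The new early return in `queue_fs_event()` (init/builtins.cpp) fires before `SetProperty("ro.crypto.state", "encrypted")`, so a keyring failure leaves the crypto state property unset and the caller sees only the fixed string "FscryptInstallKeyring() failed". What the caller does with that Error is not visible in this hunk. If the intent is to fail closed on an encrypted device, state it next to the check, e.g. `// Fail closed: do not report the device as encrypted if the fscrypt keyring could not be set up.` The function starts and continues outside the hunk.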
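Review bot: In `FscryptInstallKeyring()` (init/fscrypt_init_extensions.cpp) every `keyctl_search()` failure is treated as "keyring absent", so an error other than `ENOKEY` falls through to `add_key()`. Per add_key(2), a key type that cannot be updated in place gets a new key that displaces the link to the existing one, so a spurious search failure could replace an already populated "fscrypt" keyring, assuming the "keyring" type behaves this way. Consider guarding the fall-through with `if (errno != ENOKEY) { PLOG(ERROR) << "Failed to search for fscrypt keyring"; return false; }` before the `add_key()` call. The keyring is also created with default permissions inside a session keyring that, according to the init.cpp comment in this commit, all processes have access to; a short comment naming what restricts access to the keys linked under it would make that assumption reviewable.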
@@ -25,5 +25,6 @@ enum class FscryptAction {
 kDeleteIfNecessary,
 };
+bool FscryptInstallKeyring();
 bool FscryptSetDirectoryPolicy(const std::string& ref_basename, FscryptAction action, const std::string& dir);
diff --git a/init/fuzzer/Android.bp b/init/fuzzer/Android.bp
index 5823932d2..65d280335 100644
--- a/init/fuzzer/Android.bp
+++ b/init/fuzzer/Android.bp
@@ -31,6 +31,7 @@ cc_defaults {
 "libbase",
 "libfs_mgr",
 "libhidl-gen-utils",
+ "libkeyutils",
 "liblog",
 "libprocessgroup",
 "libselinux",
diff --git a/init/init.cpp b/init/init.cpp
index 19e909fcb..aeccd6696 100644
--- a/init/init.cpp
+++ b/init/init.cpp
@@ -54,6 +54,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -970,6 +971,11 @@ int SecondStageMain(int argc, char** argv) {
 << " to /proc/1/oom_score_adj: " << result.error();
 }
+ // Set up a session keyring that all processes will have access to. It
+ // will hold things like FBE encryption keys. No process should override
+ // its session keyring.
+ keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1);
+
 // Indicate that booting is in progress to background fw loaders, etc.
 close(open("/dev/.booting", O_WRONLY | O_CREAT | O_CLOEXEC, 0000));
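Review bot: The result of `keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1)` in `SecondStageMain()` (init/init.cpp, second hunk) is discarded, so if the session keyring cannot be created init continues silently and the later `add_key(..., KEY_SPEC_SESSION_KEYRING)` in `FscryptInstallKeyring()` may attach the "fscrypt" keyring somewhere other than intended. Check and log the failure, e.g. `if (keyctl_get_keyring_ID(KEY_SPEC_SESSION_KEYRING, 1) == -1) PLOG(ERROR) << "Failed to create session keyring";`. The comment's "No process should override its session keyring" is a policy this code does not enforce; naming the mechanism that enforces it, if there is one, would make the guarantee checkable. SecondStageMain's body starts and continues outside the hunk.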