/*
* Copyright (C) 2015 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include "FsCrypt.h"
#include "Checkpoint.h"
#include "KeyStorage.h"
#include "KeyUtil.h"
#include "Utils.h"
#include "VoldUtil.h"
#include <algorithm>
#include <map>
#include <optional>
#include <set>
#include <sstream>
#include <string>
#include <vector>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#include <private/android_filesystem_config.h>
#include <private/android_projectid_config.h>
#include "android/os/IVold.h"
#define MANAGE_MISC_DIRS 0
#include <cutils/fs.h>
#include <cutils/properties.h>
#include <fscrypt/fscrypt.h>
#include <keyutils.h>
#include <libdm/dm.h>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
using android::base::Basename;
using android::base::Realpath;
using android::base::StartsWith;
using android::base::StringPrintf;
using android::fs_mgr::GetEntryForMountPoint;
using android::vold::BuildDataPath;
using android::vold::IsDotOrDotDot;
using android::vold::IsFilesystemSupported;
using android::vold::kEmptyAuthentication;
using android::vold::KeyBuffer;
using android::vold::KeyGeneration;
using android::vold::retrieveKey;
using android::vold::retrieveOrGenerateKey;
using android::vold::SetDefaultAcl;
using android::vold::SetQuotaInherit;
using android::vold::SetQuotaProjectId;
using android::vold::writeStringToFile;
using namespace android::fscrypt;
using namespace android::dm;
namespace {

// Directory holding the system DE ("device") key; it lives in the
// unencrypted part of DATA_MNT_POINT so it is readable before any key is set.
const std::string device_key_dir = std::string() + DATA_MNT_POINT + fscrypt_unencrypted_folder;
// Final location of the system DE key.
const std::string device_key_path = device_key_dir + "/key";
// Temporary path handed to retrieveOrGenerateKey() alongside device_key_path.
const std::string device_key_temp = device_key_dir + "/temp";

// Root of the per-user key directories: DE keys under "de/<user_id>", CE keys
// under "ce/<user_id>/<subdir>" (see get_de_key_path()/get_ce_key_directory_path()).
const std::string user_key_dir = std::string() + DATA_MNT_POINT + "/misc/vold/user_keys";
// Temporary path handed to storeKeyAtomically() alongside a user key path.
const std::string user_key_temp = user_key_dir + "/temp";
// Path of the vold_prepare_subdirs helper (not referenced in the visible part of this file).
const std::string prepare_subdirs_path = "/system/bin/vold_prepare_subdirs";

// Key directory for storage volumes (not referenced in the visible part of this file).
const std::string systemwide_volume_key_dir =
        std::string() + DATA_MNT_POINT + "/misc/vold/volume_keys";

// Well-known directories under DATA_MNT_POINT (not referenced in the visible part of this file).
const std::string data_data_dir = std::string() + DATA_MNT_POINT + "/data";
const std::string data_user_0_dir = std::string() + DATA_MNT_POINT + "/user/0";
const std::string media_obb_dir = std::string() + DATA_MNT_POINT + "/media/obb";

// The file encryption options to use on the /data filesystem.
// A zero `version` means "not yet initialized"; makeGen() and
// install_storage_key() refuse to operate on such options.
EncryptionOptions s_data_options;

// Some users are ephemeral; don't try to store or wipe their keys on disk.
std::set<userid_t> s_ephemeral_users;

// New CE keys that haven't been committed to disk yet (filled by create_ce_key()).
std::map<userid_t, KeyBuffer> s_new_ce_keys;

// The system DE encryption policy
EncryptionPolicy s_device_policy;

// Map user ids to encryption policies
std::map<userid_t, EncryptionPolicy> s_de_policies;
std::map<userid_t, EncryptionPolicy> s_ce_policies;

// CE key fixation operations that have been deferred to checkpoint commit
// (keyed by CE key directory; read_and_fixate_user_ce_key() drops an entry
// once it fixates the directory itself).
std::map<std::string, std::string> s_deferred_fixations;

} // namespace
// Builds the KeyGeneration describing the key that `options` calls for: a
// FSCRYPT_MAX_KEY_SIZE-byte key, hardware-wrapped iff options.use_hw_wrapped_key
// (the `true` middle field is presumably KeyGeneration's "may generate" flag;
// see KeyUtil.h). Uninitialized options (version == 0) are logged and map to
// neverGen(), so that no key is ever generated from them.
static KeyGeneration makeGen(const EncryptionOptions& options) {
    const bool initialized = options.version != 0;
    if (!initialized) {
        LOG(ERROR) << "EncryptionOptions not initialized";
        return android::vold::neverGen();
    }
    KeyGeneration gen{FSCRYPT_MAX_KEY_SIZE, true, options.use_hw_wrapped_key};
    return gen;
}
// Renders `value` for log output, substituting the literal "null" for an
// empty string. The returned pointer aliases `value`'s internal buffer (or a
// string literal), so it is only valid while `value` is alive and unmodified.
static const char* escape_empty(const std::string& value) {
    if (value.empty()) return "null";
    return value.c_str();
}
// Path of the DE key directory for `user_id`: "<user_key_dir>/de/<user_id>".
static std::string get_de_key_path(userid_t user_id) {
    const std::string de_root = user_key_dir + "/de";
    return StringPrintf("%s/%d", de_root.c_str(), user_id);
}
// Path of the directory holding the CE key subdirectories for `user_id`:
// "<user_key_dir>/ce/<user_id>".
static std::string get_ce_key_directory_path(userid_t user_id) {
    const std::string ce_root = user_key_dir + "/ce";
    return StringPrintf("%s/%d", ce_root.c_str(), user_id);
}
// Lists the CE key subdirectories of directory_path (directory entries whose
// name starts with 'c'), sorted descending so that the lexicographically
// greatest -- i.e. newest, given the "cx<counter>" naming used by
// get_ce_key_new_path() -- path comes first. Returns an empty vector, after
// logging, if the directory cannot be opened or read.
static std::vector<std::string> get_ce_key_paths(const std::string& directory_path) {
    std::unique_ptr<DIR, int (*)(DIR*)> dir_handle(opendir(directory_path.c_str()), closedir);
    if (dir_handle == nullptr) {
        PLOG(ERROR) << "Unable to open ce key directory: " + directory_path;
        return {};
    }
    std::vector<std::string> key_paths;
    while (true) {
        // readdir() returns nullptr both at end-of-directory and on error;
        // errno distinguishes the two, so it is cleared before each call.
        errno = 0;
        auto const entry = readdir(dir_handle.get());
        if (entry == nullptr) {
            if (errno != 0) {
                PLOG(ERROR) << "Unable to read ce key directory: " + directory_path;
                return {};
            }
            break;
        }
        if (IsDotOrDotDot(*entry)) continue;
        const bool is_key_dir = entry->d_type == DT_DIR && entry->d_name[0] == 'c';
        if (!is_key_dir) {
            LOG(DEBUG) << "Skipping non-key " << entry->d_name;
            continue;
        }
        key_paths.push_back(directory_path + "/" + entry->d_name);
    }
    // Entry names are unique, so a descending sort is the same as an ascending
    // sort followed by a reverse.
    std::sort(key_paths.begin(), key_paths.end(),
              [](const std::string& a, const std::string& b) { return a > b; });
    return key_paths;
}
// Canonical ("current") CE key subdirectory inside directory_path.
static std::string get_ce_key_current_path(const std::string& directory_path) {
    std::string current = directory_path;
    current += "/current";
    return current;
}
// Chooses the path for a new CE key subdirectory in directory_path and stores
// it in *ce_key_path. With no existing keys (`paths` empty) the canonical
// "current" path is used; otherwise the first "cx<10-digit counter>" name
// that sorts strictly after the newest existing path (paths[0]) is used, so
// that get_ce_key_paths() will list the new key first. Returns false only if
// no such counter exists below UINT_MAX -- note that if paths[0] sorts above
// every "cx" name, the search runs through all UINT_MAX candidates first.
static bool get_ce_key_new_path(const std::string& directory_path,
                                const std::vector<std::string>& paths, std::string* ce_key_path) {
    if (paths.empty()) {
        *ce_key_path = get_ce_key_current_path(directory_path);
        return true;
    }
    const std::string& newest = paths[0];
    unsigned int counter = 0;
    do {
        const std::string candidate = StringPrintf("%s/cx%010u", directory_path.c_str(), counter);
        if (newest < candidate) {
            *ce_key_path = candidate;
            return true;
        }
    } while (++counter < UINT_MAX);
    return false;
}
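// Discard all keys but the named one; rename it to canonical name.
//
// Every entry of `paths` other than `to_fix` is destroyed with destroyKey()
// (whose result is not checked), then `to_fix` is renamed to
// "<directory_path>/current" unless it already is that path. If anything was
// changed, directory_path is fsync'ed so the new layout is durable. Returns
// false if the rename or the fsync fails.
static bool fixate_user_ce_key(const std::string& directory_path, const std::string& to_fix,
                               const std::vector<std::string>& paths) {
    bool need_sync = false;
    // Iterate by const reference: each path only needs to be read, so there
    // is no reason to copy every std::string in the vector.
    for (const auto& other_path : paths) {
        if (other_path == to_fix) continue;
        android::vold::destroyKey(other_path);
        need_sync = true;
    }
    const auto current_path = get_ce_key_current_path(directory_path);
    if (to_fix != current_path) {
        LOG(DEBUG) << "Renaming " << to_fix << " to " << current_path;
        if (!android::vold::RenameKeyDir(to_fix, current_path)) return false;
        need_sync = true;
    }
    if (need_sync && !android::vold::FsyncDirectory(directory_path)) return false;
    return true;
}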
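// Tries each CE key subdirectory of `user_id`, newest first, until one can be
// retrieved with `auth`. On success the key is stored in *ce_key, any deferred
// fixation for the directory is dropped, the directory is fixated around that
// key (fixate_user_ce_key()'s result is not checked -- the key itself is
// already in hand) and true is returned. Returns false, after logging, if no
// key works.
static bool read_and_fixate_user_ce_key(userid_t user_id,
                                        const android::vold::KeyAuthentication& auth,
                                        KeyBuffer* ce_key) {
    const auto directory_path = get_ce_key_directory_path(user_id);
    const auto paths = get_ce_key_paths(directory_path);
    // Iterate by const reference: the paths are only read, so copying each
    // std::string per iteration is wasted work.
    for (const auto& ce_key_path : paths) {
        LOG(DEBUG) << "Trying user CE key " << ce_key_path;
        if (!retrieveKey(ce_key_path, auth, ce_key)) continue;
        LOG(DEBUG) << "Successfully retrieved key";
        s_deferred_fixations.erase(directory_path);
        fixate_user_ce_key(directory_path, ce_key_path, paths);
        return true;
    }
    LOG(ERROR) << "Failed to find working ce key for user " << user_id;
    return false;
}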
// Heuristically decides whether blk_device is eMMC storage (or a virtio
// device, which may front eMMC inline encryption on the host). The device is
// first canonicalised: symlinks are resolved with Realpath(), then
// device-mapper parents are followed until a device with no parent is
// reached; the decision is made on that device's basename.
static bool MightBeEmmcStorage(const std::string& blk_device) {
    // Symlinks: fall back to the path as given when it cannot be resolved.
    std::string real_path;
    if (!Realpath(blk_device, &real_path)) real_path = blk_device;

    // Logical volumes: walk up the device-mapper stack.
    auto& dm = DeviceMapper::Instance();
    while (true) {
        const auto parent = dm.GetParentBlockDeviceByPath(real_path);
        if (!parent.has_value()) break;
        real_path = *parent;
    }

    // Now we should have the "real" block device.
    LOG(DEBUG) << "MightBeEmmcStorage(): blk_device = " << blk_device
               << ", real_path=" << real_path;
    const std::string name = Basename(real_path);
    if (StartsWith(name, "mmcblk")) return true;
    // virtio devices may provide inline encryption support that is
    // backed by eMMC inline encryption on the host, thus inheriting the
    // DUN size limitation. So virtio devices must be allowed here too.
    // TODO(b/207390665): check the maximum DUN size directly instead.
    return StartsWith(name, "vd");
}
// Sets s_data_options to the file encryption options for the /data filesystem.
//
// Looks up the DATA_MNT_POINT entry in fstab_default, parses its
// encryption_options into s_data_options, and rejects the emmc_optimized flag
// (FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) unless the entry's block device looks
// like eMMC per MightBeEmmcStorage(). Returns false, after logging, on any of
// those failures.
static bool init_data_file_encryption_options() {
    const auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
    if (!entry) {
        LOG(ERROR) << "No mount point entry for " << DATA_MNT_POINT;
        return false;
    }
    if (!ParseOptions(entry->encryption_options, &s_data_options)) {
        LOG(ERROR) << "Unable to parse encryption options for " << DATA_MNT_POINT ": "
                   << entry->encryption_options;
        return false;
    }
    const bool wants_emmc_optimized =
            (s_data_options.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) != 0;
    if (wants_emmc_optimized && !MightBeEmmcStorage(entry->blk_device)) {
        LOG(ERROR) << "The emmc_optimized encryption flag is only allowed on eMMC storage. Remove "
                      "this flag from the device's fstab";
        return false;
    }
    return true;
}
// Installs `key` for `mountpoint` under `options` and fills in *policy via
// installKey(). When options.use_hw_wrapped_key is set, the raw key is first
// exported into an ephemeral wrapped form with exportWrappedStorageKey() and
// that form is what gets installed. Refuses to operate on uninitialized
// options (version == 0).
static bool install_storage_key(const std::string& mountpoint, const EncryptionOptions& options,
                                const KeyBuffer& key, EncryptionPolicy* policy) {
    if (options.version == 0) {
        LOG(ERROR) << "EncryptionOptions not initialized";
        return false;
    }
    if (!options.use_hw_wrapped_key) {
        return installKey(mountpoint, options, key, policy);
    }
    KeyBuffer ephemeral_wrapped_key;
    if (!exportWrappedStorageKey(key, &ephemeral_wrapped_key)) {
        LOG(ERROR) << "Failed to get ephemeral wrapped key";
        return false;
    }
    return installKey(mountpoint, options, ephemeral_wrapped_key, policy);
}
// Retrieve the options to use for encryption policies on adoptable storage.
//
// The options string is "ro.crypto.volume.options" when set; otherwise it is
// "<ro.crypto.volume.contents_mode>:<ro.crypto.volume.filenames_mode>", where
// an unset contents mode is left empty (libfscrypt then applies its default,
// currently XTS) and an unset filenames mode defaults to "aes-256-heh" only
// for devices whose first API level is Android 10 or below. The string is
// parsed with ParseOptionsForApiLevel(); the emmc_optimized flag is rejected
// for volumes. Returns false, after logging, on either failure.
static bool get_volume_file_encryption_options(EncryptionOptions* options) {
    // If we give the empty string, libfscrypt will use the default (currently XTS)
    const auto contents_mode = android::base::GetProperty("ro.crypto.volume.contents_mode", "");
    // HEH as default was always a mistake. Use the libfscrypt default (CTS)
    // for devices launching on versions above Android 10.
    const auto first_api_level = GetFirstApiLevel();
    const char* default_filenames_mode =
            first_api_level > __ANDROID_API_Q__ ? "" : "aes-256-heh";
    const auto filenames_mode =
            android::base::GetProperty("ro.crypto.volume.filenames_mode", default_filenames_mode);
    const auto default_options = contents_mode + ":" + filenames_mode;
    const auto options_string =
            android::base::GetProperty("ro.crypto.volume.options", default_options);
    if (!ParseOptionsForApiLevel(first_api_level, options_string, options)) {
        LOG(ERROR) << "Unable to parse volume encryption options: " << options_string;
        return false;
    }
    if (options->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) {
        LOG(ERROR) << "The emmc_optimized encryption flag is only allowed on eMMC storage. Remove "
                      "this flag from ro.crypto.volume.options";
        return false;
    }
    return true;
}
// Prepare a directory without assigning it an encryption policy. The directory
// will inherit the encryption policy of its parent directory, or will be
// unencrypted if the parent directory is unencrypted.
//
// Thin wrapper over android::vold::PrepareDir(dir, mode, uid, gid, 0) that
// logs the failure (with errno) and converts the result to a bool.
static bool prepare_dir(const std::string& dir, mode_t mode, uid_t uid, gid_t gid) {
    LOG(DEBUG) << "Preparing: " << dir;
    const int rc = android::vold::PrepareDir(dir, mode, uid, gid, 0);
    if (rc == 0) return true;
    PLOG(ERROR) << "Failed to prepare " << dir;
    return false;
}
// Prepare a directory and assign it the given encryption policy.
//
// If `dir` already exists it is prepared in place and, when FBE is enabled,
// EnsurePolicy() is applied to it. Otherwise the directory is built under
// "<dir>.new" and only renamed to `dir` after its permissions and policy are
// in place, so nothing can observe a half-prepared (possibly unencrypted)
// directory at the final path. Returns false on any failure.
static bool prepare_dir_with_policy(const std::string& dir, mode_t mode, uid_t uid, gid_t gid,
                                    const EncryptionPolicy& policy) {
    if (android::vold::pathExists(dir)) {
        if (!prepare_dir(dir, mode, uid, gid)) return false;
        if (IsFbeEnabled() && !EnsurePolicy(policy, dir)) return false;
    } else {
        // If the directory does not yet exist, then create it under a temporary name, and only move
        // it to the final name after it is fully prepared with an encryption policy and the desired
        // file permissions. This prevents the directory from being accessed before it is ready.
        //
        // Note: this relies on the SELinux file_contexts assigning the same type to the file path
        // with the ".new" suffix as to the file path without the ".new" suffix.

        const std::string tmp_dir = dir + ".new";
        if (android::vold::pathExists(tmp_dir)) {
            // A leftover ".new" directory from an interrupted earlier attempt.
            // NOTE(review): the result of the deletion is not checked; if it
            // fails, prepare_dir()/EnsurePolicy() below run against the stale
            // directory -- confirm they reject a leftover with a different policy.
            android::vold::DeleteDirContentsAndDir(tmp_dir);
        }
        if (!prepare_dir(tmp_dir, mode, uid, gid)) return false;
        if (IsFbeEnabled() && !EnsurePolicy(policy, tmp_dir)) return false;

        // On some buggy kernels, renaming a directory that is both encrypted and case-insensitive
        // fails in some specific circumstances. Unfortunately, these circumstances happen here
        // when processing the "media" directory. This was already fixed by kernel commit
        // https://git.kernel.org/linus/b5639bb4313b9d45 ('f2fs: don't use casefolded comparison for
        // "." and ".."'). But to support kernels that lack that fix, we use the below workaround.
        // It bypasses the bug by making the encryption key of tmp_dir be loaded before the rename.
        // The return value is intentionally unused: only the lookup's side effect matters.
        android::vold::pathExists(tmp_dir + "/subdir");

        if (rename(tmp_dir.c_str(), dir.c_str()) != 0) {
            PLOG(ERROR) << "Failed to rename " << tmp_dir << " to " << dir;
            return false;
        }
    }
    return true;
}
// Removes the directory `dir` with rmdir(2); a directory that does not exist
// (ENOENT) counts as success. Any other failure is logged with errno and
// reported as false.
static bool destroy_dir(const std::string& dir) {
    LOG(DEBUG) << "Destroying: " << dir;
    if (rmdir(dir.c_str()) == 0) return true;
    if (errno == ENOENT) return true;
    PLOG(ERROR) << "Failed to destroy " << dir;
    return false;
}
// Checks whether the DE key directory exists for the given user.
static bool de_key_exists(userid_t user_id) {
    const auto de_key_path = get_de_key_path(user_id);
    return android::vold::pathExists(de_key_path);
}
// Checks whether at least one CE key subdirectory exists for the given user.
static bool ce_key_exists(userid_t user_id) {
    const auto directory_path = get_ce_key_directory_path(user_id);
    // The common case is that "$dir/current" exists, so check for that first.
    const auto current_path = get_ce_key_current_path(directory_path);
    if (android::vold::pathExists(current_path)) return true;
    // Else, there could still be another subdirectory of $dir (if a crash
    // occurred during fixate_user_ce_key()), so check for one.
    if (!android::vold::pathExists(directory_path)) return false;
    return !get_ce_key_paths(directory_path).empty();
}
// Generates a fresh DE key for `user_id`, stores it (unless the user is
// ephemeral) under get_de_key_path() with the empty authentication, installs
// it for DATA_MNT_POINT and records the resulting policy in s_de_policies.
// Returns false as soon as any step fails.
static bool create_de_key(userid_t user_id, bool ephemeral) {
    KeyBuffer de_key;
    if (!generateStorageKey(makeGen(s_data_options), &de_key)) return false;
    if (!ephemeral) {
        const bool stored = android::vold::storeKeyAtomically(
                get_de_key_path(user_id), user_key_temp, kEmptyAuthentication, de_key);
        if (!stored) return false;
    }
    EncryptionPolicy de_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
    s_de_policies[user_id] = de_policy;
    LOG(INFO) << "Created DE key for user " << user_id;
    return true;
}
// Generates a fresh CE key for `user_id`, installs it for DATA_MNT_POINT and
// records the resulting policy in s_ce_policies. For non-ephemeral users the
// root-only (0700) CE key directory is created and the key is parked in
// s_new_ce_keys; it is written to disk later, by
// fscrypt_set_user_key_protection(), once the protecting secret is available.
// Returns false as soon as any step fails.
static bool create_ce_key(userid_t user_id, bool ephemeral) {
    KeyBuffer ce_key;
    if (!generateStorageKey(makeGen(s_data_options), &ce_key)) return false;
    if (!ephemeral) {
        const auto ce_dir = get_ce_key_directory_path(user_id);
        if (!prepare_dir(ce_dir, 0700, AID_ROOT, AID_ROOT)) return false;
        // We don't store the CE key on disk here, since here we don't have the
        // secret needed to do so securely. Instead, we cache it in memory for
        // now, and we store it later in fscrypt_set_user_key_protection().
        s_new_ce_keys.emplace(user_id, ce_key);
    }
    EncryptionPolicy ce_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
    s_ce_policies[user_id] = ce_policy;
    LOG(INFO) << "Created CE key for user " << user_id;
    return true;
}
// Copies the policy recorded for `user_id` in `key_map` into *policy and
// returns true; returns false (leaving *policy untouched) if there is none.
static bool lookup_policy(const std::map<userid_t, EncryptionPolicy>& key_map, userid_t user_id,
                          EncryptionPolicy* policy) {
    const auto it = key_map.find(user_id);
    const bool found = it != key_map.end();
    if (found) *policy = it->second;
    return found;
}
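// Returns true iff every character of the NUL-terminated `name` is a decimal
// digit. The empty string counts as numeric.
static bool is_numeric(const char* name) {
    for (const char* p = name; *p != '\0'; p++) {
        // isdigit() is only defined for values representable as unsigned char
        // (or EOF). A plain `char` with the high bit set -- e.g. a UTF-8 byte
        // in a directory name -- would be passed as a negative int, which is
        // undefined behavior; widen through unsigned char instead.
        if (!isdigit(static_cast<unsigned char>(*p))) return false;
    }
    return true;
}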
// Loads every DE key found under "<user_key_dir>/de/<user_id>", installs it
// for DATA_MNT_POINT and records the resulting policy in s_de_policies.
//
// Entries that are not directories or whose names are not numeric are skipped
// (with a debug log). A key that cannot be retrieved is skipped for users
// other than 0 but is fatal for user 0. Returns false if the directory cannot
// be opened or read, if installing a key fails, or if a user already present
// in s_de_policies now resolves to a different policy.
static bool load_all_de_keys() {
    auto de_dir = user_key_dir + "/de";
    auto dirp = std::unique_ptr<DIR, int (*)(DIR*)>(opendir(de_dir.c_str()), closedir);
    if (!dirp) {
        PLOG(ERROR) << "Unable to read de key directory";
        return false;
    }
    for (;;) {
        // readdir() returns nullptr both at end-of-directory and on error;
        // errno distinguishes the two, so it is cleared before each call.
        errno = 0;
        auto entry = readdir(dirp.get());
        if (!entry) {
            if (errno) {
                PLOG(ERROR) << "Unable to read de key directory";
                return false;
            }
            break;
        }
        if (IsDotOrDotDot(*entry)) continue;
        if (entry->d_type != DT_DIR || !is_numeric(entry->d_name)) {
            LOG(DEBUG) << "Skipping non-de-key " << entry->d_name;
            continue;
        }
        // NOTE(review): is_numeric() rules out std::invalid_argument, but an
        // all-digit name too long for an int still makes std::stoi() raise
        // std::out_of_range (or abort if exceptions are disabled) -- confirm
        // whether such a directory should be skipped instead.
        userid_t user_id = std::stoi(entry->d_name);
        auto key_path = de_dir + "/" + entry->d_name;
        KeyBuffer de_key;
        if (!retrieveKey(key_path, kEmptyAuthentication, &de_key)) {
            // This is probably a partially removed user, so ignore
            if (user_id != 0) continue;
            return false;
        }
        EncryptionPolicy de_policy;
        if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
        // insert() does not overwrite; if the user was already present, the
        // previously recorded policy must match the freshly installed one.
        auto ret = s_de_policies.insert({user_id, de_policy});
        if (!ret.second && ret.first->second != de_policy) {
            LOG(ERROR) << "DE policy for user" << user_id << " changed";
            return false;
        }
        LOG(DEBUG) << "Installed de key for user " << user_id;
    }
    // fscrypt:TODO: go through all DE directories, ensure that all user dirs have the
    // correct policy set on them, and that no rogue ones exist.
    return true;
}
// Re-installs the CE key of every user currently recorded in s_ce_policies,
// i.e. the users we believe to be unlocked. Stops at the first user whose key
// cannot be reloaded from the session keyring and reports failure.
static bool try_reload_ce_keys() {
    for (const auto& [user_id, policy] : s_ce_policies) {
        if (android::vold::reloadKeyFromSessionKeyring(DATA_MNT_POINT, policy)) continue;
        LOG(ERROR) << "Failed to load CE key from session keyring for user " << user_id;
        return false;
    }
    return true;
}
// Sets up the two system-wide (non-user) keys on every boot:
//  - the device key, retrieved from device_key_path or generated there if
//    absent, whose policy is published in the global s_device_policy; and
//  - a per-boot key, generated anew each boot and never written to disk.
// For each key the kernel key reference (key_raw_ref) is written to a file
// under the data mount point, and for the device key the serialized
// encryption options are written as well, for other components to read.
//
// Returns false on the first failing step. fscrypt_init_user0() reads
// s_device_policy, so this must run before it.
bool fscrypt_initialize_systemwide_keys() {
    LOG(INFO) << "fscrypt_initialize_systemwide_keys";

    // Presumably populates s_data_options, which every install_storage_key()
    // call below passes along — confirm in init_data_file_encryption_options().
    if (!init_data_file_encryption_options()) return false;

    KeyBuffer device_key;
    // kEmptyAuthentication: the device key is not bound to any user credential,
    // since it has to be usable before any user has unlocked.
    if (!retrieveOrGenerateKey(device_key_path, device_key_temp, kEmptyAuthentication,
                               makeGen(s_data_options), &device_key))
        return false;

    // This initializes s_device_policy, which is a global variable so that
    // fscrypt_init_user0() can access it later.
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, device_key, &s_device_policy))
        return false;

    std::string options_string;
    if (!OptionsToString(s_device_policy.options, &options_string)) {
        LOG(ERROR) << "Unable to serialize options";
        return false;
    }
    std::string options_filename = std::string(DATA_MNT_POINT) + fscrypt_key_mode;
    if (!android::vold::writeStringToFile(options_string, options_filename)) return false;

    // Only the key reference is written out, never the key bytes in device_key
    // (key_raw_ref is taken to be the kernel-facing identifier — confirm in
    // EncryptionPolicy).
    std::string ref_filename = std::string(DATA_MNT_POINT) + fscrypt_key_ref;
    if (!android::vold::writeStringToFile(s_device_policy.key_raw_ref, ref_filename)) return false;
    LOG(INFO) << "Wrote system DE key reference to:" << ref_filename;

    // generateStorageKey(), not retrieveOrGenerateKey(): the per-boot key has
    // no on-disk copy and is created fresh on every boot.
    KeyBuffer per_boot_key;
    if (!generateStorageKey(makeGen(s_data_options), &per_boot_key)) return false;
    EncryptionPolicy per_boot_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, per_boot_key, &per_boot_policy))
        return false;
    // NOTE(review): literal "/data" here versus DATA_MNT_POINT above; the two
    // only agree if DATA_MNT_POINT expands to "/data".
    std::string per_boot_ref_filename = std::string("/data") + fscrypt_key_per_boot_ref;
    if (!android::vold::writeStringToFile(per_boot_policy.key_raw_ref, per_boot_ref_filename))
        return false;
    LOG(INFO) << "Wrote per boot key reference to:" << per_boot_ref_filename;

    return true;
}
// Creates the few directories that cannot wait for the normal per-user
// preparation: /data/data, its bind-mount alias /data/user/0, and
// /data/media/obb. Called from fscrypt_init_user0() once user 0's keys exist.
// Reads s_ce_policies (user 0's entry, if loaded) and s_device_policy.
// Returns false on the first failing step.
static bool prepare_special_dirs() {
    // Ensure that /data/data and its "alias" /data/user/0 exist, and create the
    // bind mount of /data/data onto /data/user/0. This *should* happen in
    // fscrypt_prepare_user_storage(). However, it actually must be done early,
    // before the rest of user 0's CE storage is prepared. This is because
    // zygote may need to set up app data isolation before then, which requires
    // mounting a tmpfs over /data/data to ensure it remains hidden. This issue
    // arises due to /data/data being in the top-level directory.

    // /data/user/0 used to be a symlink to /data/data, so we must first delete
    // the old symlink if present.
    if (android::vold::IsSymlink(data_user_0_dir) && android::vold::Unlink(data_user_0_dir) != 0)
        return false;
    // On first boot, we'll be creating /data/data for the first time, and user
    // 0's CE key will be installed already since it was just created. Take the
    // opportunity to also set the encryption policy of /data/data right away.
    EncryptionPolicy ce_policy;
    if (lookup_policy(s_ce_policies, 0, &ce_policy)) {
        if (!prepare_dir_with_policy(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy)) {
            // Preparing /data/data failed, yet we had just generated a new CE
            // key because one wasn't stored. Before erroring out, try deleting
            // the directory and retrying, as it's possible that the directory
            // exists with different CE policy from an interrupted first boot.
            //
            // rmdir() only removes an empty directory; a populated /data/data
            // with the wrong policy stays in place, the failure is logged, and
            // the retry below then reports the original problem.
            if (rmdir(data_data_dir.c_str()) != 0) {
                PLOG(ERROR) << "rmdir " << data_data_dir << " failed";
            }
            if (!prepare_dir_with_policy(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy))
                return false;
        }
    } else {
        if (!prepare_dir(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
        // EnsurePolicy() will have to happen later, in fscrypt_prepare_user_storage().
    }
    if (!prepare_dir(data_user_0_dir, 0700, AID_SYSTEM, AID_SYSTEM)) return false;
    if (android::vold::BindMount(data_data_dir, data_user_0_dir) != 0) return false;

    // If /data/media/obb doesn't exist, create it and encrypt it with the
    // device policy. Normally, device-policy-encrypted directories are created
    // and encrypted by init; /data/media/obb is special because it is located
    // in /data/media. Since /data/media also contains per-user encrypted
    // directories, by design only vold can write to it. As a side effect of
    // that, vold must create /data/media/obb.
    //
    // We must tolerate /data/media/obb being unencrypted if it already exists
    // on-disk, since it used to be unencrypted (b/64566063).
    if (android::vold::pathExists(media_obb_dir)) {
        if (!prepare_dir(media_obb_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW)) return false;
    } else {
        if (!prepare_dir_with_policy(media_obb_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW,
                                     s_device_policy))
            return false;
    }
    return true;
}
// Set to true by fscrypt_init_user0() once it has completed successfully; as a
// namespace-scope global it is zero-initialised (false) until then.
bool fscrypt_init_user0_done;
// Boot-time initialisation for user 0. With FBE enabled this creates the
// root-only key directories, creates user 0's DE and CE keys if missing, and
// loads every user's DE key; in all cases it then prepares /data/data and user
// 0's DE storage, and finally re-installs CE keys that a userspace reboot may
// have dropped. Sets fscrypt_init_user0_done on success.
//
// Requires fscrypt_initialize_systemwide_keys() to have run first, since
// prepare_special_dirs() reads s_device_policy. Returns false on the first
// failing step, leaving fscrypt_init_user0_done unset.
bool fscrypt_init_user0() {
    LOG(DEBUG) << "fscrypt_init_user0";

    if (IsFbeEnabled()) {
        // Key directories are root-only (0700): nothing else should be able to
        // read or enumerate the stored keys.
        if (!prepare_dir(user_key_dir, 0700, AID_ROOT, AID_ROOT)) return false;
        if (!prepare_dir(user_key_dir + "/ce", 0700, AID_ROOT, AID_ROOT)) return false;
        if (!prepare_dir(user_key_dir + "/de", 0700, AID_ROOT, AID_ROOT)) return false;

        // Create user 0's DE and CE keys if they don't already exist. Check
        // each key independently, since if the first boot was interrupted it is
        // possible that the DE key exists but the CE key does not.
        // The second argument is `ephemeral`; user 0's keys are never ephemeral.
        if (!de_key_exists(0) && !create_de_key(0, false)) return false;
        if (!ce_key_exists(0) && !create_ce_key(0, false)) return false;

        // TODO: switch to loading only DE_0 here once framework makes
        // explicit calls to install DE keys for secondary users
        if (!load_all_de_keys()) return false;
    }

    // Now that user 0's CE key has been created, we can prepare /data/data.
    if (!prepare_special_dirs()) return false;

    // With the exception of what is done by prepare_special_dirs() above, we
    // only prepare DE storage here, since user 0's CE key won't be installed
    // yet unless it was just created. The framework will prepare the user's CE
    // storage later, once their CE key is installed.
    if (!fscrypt_prepare_user_storage("", 0, 0, android::os::IVold::STORAGE_FLAG_DE)) {
        LOG(ERROR) << "Failed to prepare user 0 storage";
        return false;
    }

    // In some scenarios (e.g. userspace reboot) we might unmount userdata
    // without doing a hard reboot. If CE keys were stored in fs keyring then
    // they will be lost after unmount. Attempt to re-install them.
    if (IsFbeEnabled() && android::vold::isFsKeyringSupported()) {
        if (!try_reload_ce_keys()) return false;
    }

    fscrypt_init_user0_done = true;
    return true;
}
// Creates the DE and CE keys for a newly added user. For an ephemeral user the
// id is also recorded in s_ephemeral_users so that later key-storage paths can
// recognise it. Returns true when there is nothing to do (FBE disabled, or a CE
// policy for this user is already loaded) and false only when creating a key
// fails.
bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral) {
    LOG(DEBUG) << "fscrypt_vold_create_user_key for " << user_id << " serial " << serial;
    if (!IsFbeEnabled()) return true;
    // FIXME test for existence of key that is not loaded yet
    const bool already_loaded = s_ce_policies.count(user_id) != 0;
    if (already_loaded) {
        LOG(ERROR) << "Already exists, can't fscrypt_vold_create_user_key for " << user_id
                   << " serial " << serial;
        // FIXME should we fail the command?
        return true;
    }
    // DE key first, then CE key; the CE key is not attempted if the DE key fails.
    if (!create_de_key(user_id, ephemeral) || !create_ce_key(user_id, ephemeral)) return false;
    if (ephemeral) s_ephemeral_users.insert(user_id);
    return true;
}
// Makes files whose key has just been removed "appear encrypted" again when
// keys live in the session keyring (rather than the newer filesystem-level
// keyrings). Removing a session-keyring key does not affect inodes in the
// kernel's inode cache whose per-file key was already set up, so those inodes
// have to be evicted for the per-file keys to go away.
//
// This is done by sync()ing to clean all dirty inodes and then dropping every
// reclaimable slab object systemwide (drop_caches mode "2"). That is more than
// strictly necessary, but it is the best method currently available. Mode "3"
// is deliberately not used: it would also evict the pagecache of in-use files,
// and everything relevant here is already closed and synced. When
// filesystem-level keyrings are supported this step is not needed and nothing
// is done.
static void drop_caches_if_needed() {
    if (android::vold::isFsKeyringSupported()) return;
    sync();
    const bool dropped = writeStringToFile("2", "/proc/sys/vm/drop_caches");
    if (!dropped) PLOG(ERROR) << "Failed to drop caches during key eviction";
}
// Evicts the user's CE key from the kernel if it is currently loaded, then
// forgets its policy. Returns false only if the kernel eviction itself failed;
// a user whose CE key was never loaded is not an error.
static bool evict_ce_key(userid_t user_id) {
    bool ok = true;
    EncryptionPolicy ce_policy;
    const bool loaded = lookup_policy(s_ce_policies, user_id, &ce_policy);
    if (loaded) {
        ok = android::vold::evictKey(DATA_MNT_POINT, ce_policy);
        // See drop_caches_if_needed(): without fs-level keyrings, cached inodes
        // would otherwise stay readable after the key is gone.
        drop_caches_if_needed();
    }
    // The bookkeeping entry goes away whether or not the eviction succeeded.
    s_ce_policies.erase(user_id);
    return ok;
}
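// Tears down all key state for a user: evicts the CE and DE keys from the
// kernel, drops their in-memory policies and, for non-ephemeral users, destroys
// the on-disk key material (the CE key directory and the DE key).
//
// Failures are accumulated rather than short-circuited so that as much as
// possible is cleaned up; the return value is true only if every step
// succeeded. Note that a user whose DE policy was never loaded also yields
// false, since the DE eviction counts as a failed step.
bool fscrypt_destroy_user_key(userid_t user_id) {
    LOG(DEBUG) << "fscrypt_destroy_user_key(" << user_id << ")";
    if (!IsFbeEnabled()) {
        return true;
    }
    bool success = true;
    success &= evict_ce_key(user_id);
    EncryptionPolicy de_policy;
    success &= lookup_policy(s_de_policies, user_id, &de_policy) &&
               android::vold::evictKey(DATA_MNT_POINT, de_policy);
    s_de_policies.erase(user_id);
    // Ephemeral users are not meant to have keys stored on disk, so only the
    // in-memory state above needs to go. erase() returns the number removed.
    if (!s_ephemeral_users.erase(user_id)) {
        auto ce_path = get_ce_key_directory_path(user_id);
        // A key still pending in s_new_ce_keys has not been committed to the CE
        // key directory yet, so there is nothing on disk to destroy for it.
        if (!s_new_ce_keys.erase(user_id)) {
            // Bind by reference: the paths are only read, so there is no reason
            // to copy each std::string out of the returned container.
            for (const auto& path : get_ce_key_paths(ce_path)) {
                success &= android::vold::destroyKey(path);
            }
        }
        // A fixation deferred until checkpoint commit is moot once the whole
        // directory is being removed.
        s_deferred_fixations.erase(ce_path);
        success &= destroy_dir(ce_path);

        auto de_key_path = get_de_key_path(user_id);
        if (android::vold::pathExists(de_key_path)) {
            success &= android::vold::destroyKey(de_key_path);
        } else {
            LOG(INFO) << "Not present so not erasing: " << de_key_path;
        }
    }
    return success;
}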
// Decodes a hex-encoded secret into raw bytes in |result|. The single
// character "!" is the caller's way of passing "no secret" and yields an empty
// result. Returns false on malformed hex; the input itself is deliberately
// never logged.
static bool parse_hex(const std::string& hex, std::string* result) {
    if (hex == "!") {
        result->clear();
        return true;
    }
    const auto rc = android::vold::HexToStr(hex, *result);
    if (rc == 0) return true;
    LOG(ERROR) << "Invalid FBE hex string";  // Don't log the string for security reasons
    return false;
}
// Builds a KeyAuthentication from a hex-encoded secret. "!" (or anything that
// decodes to an empty secret) maps to kEmptyAuthentication; input that cannot
// be decoded yields an empty optional.
static std::optional<android::vold::KeyAuthentication> authentication_from_hex(
        const std::string& secret_hex) {
    std::string secret;
    const bool decoded = parse_hex(secret_hex, &secret);
    if (!decoded) return std::nullopt;
    if (!secret.empty()) return android::vold::KeyAuthentication(secret);
    return kEmptyAuthentication;
}
// Location of an adoptable volume's stored key: <misc_path>/vold/volume_keys/
// <volume_uuid>/default. Pure string construction; nothing is touched on disk.
static std::string volkey_path(const std::string& misc_path, const std::string& volume_uuid) {
    std::string path = misc_path;
    path += "/vold/volume_keys/";
    path += volume_uuid;
    path += "/default";
    return path;
}
// Location of the secdiscardable file backing an adoptable volume's key, kept
// under the systemwide volume key directory: <dir>/<volume_uuid>/secdiscardable.
static std::string volume_secdiscardable_path(const std::string& volume_uuid) {
    std::string path = systemwide_volume_key_dir;
    path.append("/").append(volume_uuid).append("/secdiscardable");
    return path;
}
// Loads, or on first use creates, the key for an adoptable volume and installs
// it for that volume's data path, returning the resulting policy in |policy|.
//
// The key is stored under |misc_path| (see volkey_path()) and is protected by a
// secret derived from a "secdiscardable" file kept in the systemwide volume
// key directory: that file is read if it exists, otherwise created. Its hash
// is what is passed as the KeyAuthentication below, so securely discarding
// that file is presumably what renders the stored key unusable (inferred from
// the naming — confirm in KeyStorage).
//
// Returns false on the first failing step.
static bool read_or_create_volkey(const std::string& misc_path, const std::string& volume_uuid,
                                  EncryptionPolicy* policy) {
    auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
    std::string secdiscardable_hash;
    if (android::vold::pathExists(secdiscardable_path)) {
        if (!android::vold::readSecdiscardable(secdiscardable_path, &secdiscardable_hash))
            return false;
    } else {
        // Root-only (0700) directories for both the secdiscardable and the key.
        if (!android::vold::MkdirsSync(secdiscardable_path, 0700)) return false;
        if (!android::vold::createSecdiscardable(secdiscardable_path, &secdiscardable_hash))
            return false;
    }
    auto key_path = volkey_path(misc_path, volume_uuid);
    if (!android::vold::MkdirsSync(key_path, 0700)) return false;
    android::vold::KeyAuthentication auth(secdiscardable_hash);

    // Adoptable storage uses its own encryption options, separate from the
    // s_data_options used for internal storage.
    EncryptionOptions options;
    if (!get_volume_file_encryption_options(&options)) return false;
    KeyBuffer key;
    // key_path + "_tmp" is the scratch location handed to retrieveOrGenerateKey
    // (assumed to be used for atomic creation — confirm there).
    if (!retrieveOrGenerateKey(key_path, key_path + "_tmp", auth, makeGen(options), &key))
        return false;
    if (!install_storage_key(BuildDataPath(volume_uuid), options, key, policy)) return false;
    return true;
}
// Destroys the stored key of an adoptable volume. A key that is not present is
// treated as already destroyed, so the result is true in that case.
static bool destroy_volkey(const std::string& misc_path, const std::string& volume_uuid) {
    const auto path = volkey_path(misc_path, volume_uuid);
    return !android::vold::pathExists(path) || android::vold::destroyKey(path);
}
// (Re-)encrypts the user's CE key with the given secret. This function handles
// storing the CE key for a new user for the first time. It also handles
// re-encrypting the CE key upon upgrade from an Android version where the CE
// key was stored with kEmptyAuthentication when the user didn't have an LSKF.
// See the comments below for the different cases handled.
//
// |secret_hex| is the hex-encoded secret (see authentication_from_hex()); it
// must decode to a non-empty secret, since the purpose here is to bind the key
// to it. Ephemeral users are skipped without error. Returns false if the
// secret is unusable, the key cannot be obtained, or it cannot be stored or
// fixated.
bool fscrypt_set_user_key_protection(userid_t user_id, const std::string& secret_hex) {
    LOG(DEBUG) << "fscrypt_set_user_key_protection " << user_id;
    if (!IsFbeEnabled()) return true;
    auto auth = authentication_from_hex(secret_hex);
    if (!auth) return false;
    // "!" decodes to kEmptyAuthentication; accepting it here would leave the
    // key unprotected, which is the very state this function moves away from.
    if (auth->secret.empty()) {
        LOG(ERROR) << "fscrypt_set_user_key_protection: secret must be nonempty";
        return false;
    }
    // We shouldn't store any keys for ephemeral users.
    if (s_ephemeral_users.count(user_id) != 0) {
        LOG(DEBUG) << "Not storing key because user is ephemeral";
        return true;
    }
    KeyBuffer ce_key;
    auto it = s_new_ce_keys.find(user_id);
    if (it != s_new_ce_keys.end()) {
        // If the key exists in s_new_ce_keys, then the key is a
        // not-yet-committed key for a new user, and we are committing it here.
        // This happens when the user's synthetic password is created.
        ce_key = it->second;
    } else if (ce_key_exists(user_id)) {
        // If the key doesn't exist in s_new_ce_keys but does exist on-disk,
        // then we are setting the protection on an existing key. This happens
        // at upgrade time, when CE keys that were previously protected by
        // kEmptyAuthentication are encrypted by the user's synthetic password.
        LOG(DEBUG) << "CE key already exists on-disk; re-protecting it with the given secret";
        if (!read_and_fixate_user_ce_key(user_id, kEmptyAuthentication, &ce_key)) {
            LOG(ERROR) << "Failed to retrieve CE key for user " << user_id << " using empty auth";
            // Before failing, also check whether the key is already protected
            // with the given secret. This isn't expected, but in theory it
            // could happen if an upgrade is requested for a user more than once
            // due to a power-off or other interruption.
            if (read_and_fixate_user_ce_key(user_id, *auth, &ce_key)) {
                LOG(WARNING) << "CE key is already protected by given secret";
                return true;
            }
            // The key isn't protected by either kEmptyAuthentication or by
            // |auth|. This should never happen, and there's nothing we can do
            // besides return an error.
            return false;
        }
    } else {
        // If the key doesn't exist in memory or on-disk, then we need to
        // generate it here, then commit it to disk. This is needed after the
        // unusual case where a non-system user was created during early boot,
        // and then the device was force-rebooted before the boot completed. In
        // that case, the Android user record was committed but the CE key was
        // not. So the CE key was lost, and we need to regenerate it. This
        // should be fine, since the key should not have been used yet.
        LOG(WARNING) << "CE key not found! Regenerating it";
        if (!create_ce_key(user_id, false)) return false;
        // Relies on create_ce_key() having placed the new key in s_new_ce_keys:
        // the find() result is dereferenced unchecked (assumption about
        // create_ce_key — confirm).
        ce_key = s_new_ce_keys.find(user_id)->second;
    }

    auto const directory_path = get_ce_key_directory_path(user_id);
    auto const paths = get_ce_key_paths(directory_path);
    std::string ce_key_path;
    if (!get_ce_key_new_path(directory_path, paths, &ce_key_path)) return false;
    // The new binding is written before any old one is deleted (fixation
    // below), so an interruption at this point leaves the existing binding
    // usable.
    if (!android::vold::storeKeyAtomically(ce_key_path, user_key_temp, *auth, ce_key)) return false;

    // Fixate the key, i.e. delete all other bindings of it. (In practice this
    // just means the kEmptyAuthentication binding, if there is one.) However,
    // if a userdata filesystem checkpoint is pending, then we need to delay the
    // fixation until the checkpoint has been committed, since deleting keys
    // from Keystore cannot be rolled back.
    if (android::vold::cp_needsCheckpoint()) {
        LOG(INFO) << "Deferring fixation of " << directory_path << " until checkpoint is committed";
        s_deferred_fixations[directory_path] = ce_key_path;
    } else {
        s_deferred_fixations.erase(directory_path);
        if (!fixate_user_ce_key(directory_path, ce_key_path, paths)) return false;
    }

    if (s_new_ce_keys.erase(user_id)) {
        LOG(INFO) << "Stored CE key for new user " << user_id;
    }
    return true;
}
// Performs the CE key fixations that fscrypt_set_user_key_protection() deferred
// while a userdata checkpoint was pending. Every entry is attempted regardless
// of earlier failures, and the pending list is emptied afterwards either way.
void fscrypt_deferred_fixate_ce_keys() {
    for (const auto& [directory_path, to_fix] : s_deferred_fixations) {
        LOG(INFO) << "Doing deferred fixation of " << directory_path;
        // Result intentionally ignored: one failed fixation must not stop the
        // remaining ones from being attempted.
        (void)fixate_user_ce_key(directory_path, to_fix, get_ce_key_paths(directory_path));
    }
    s_deferred_fixations.clear();
}
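// Returns the ids of all users whose CE key is currently installed, i.e. the
// keys of s_ce_policies in its iteration order. Empty when no user is unlocked.
std::vector<int> fscrypt_get_unlocked_users() {
    std::vector<int> user_ids;
    // One allocation up front instead of growing the vector per user.
    user_ids.reserve(s_ce_policies.size());
    for (const auto& entry : s_ce_policies) {
        user_ids.push_back(entry.first);
    }
    return user_ids;
}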
// TODO: rename to 'install' for consistency, and take flags to know which keys to install
// Decrypts the user's stored CE key with the given secret and installs it for
// DATA_MNT_POINT, recording the resulting policy in s_ce_policies. Unlocking a
// user who is already unlocked is a no-op that still reports success; a secret
// that cannot be decoded or does not unlock the key reports failure.
bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) {
    LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial;
    if (!IsFbeEnabled()) return true;
    const bool already_unlocked = s_ce_policies.count(user_id) != 0;
    if (already_unlocked) {
        LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id;
        return true;
    }
    auto auth = authentication_from_hex(secret_hex);
    if (!auth) return false;
    KeyBuffer ce_key;
    if (!read_and_fixate_user_ce_key(user_id, *auth, &ce_key)) return false;
    EncryptionPolicy policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &policy)) return false;
    s_ce_policies[user_id] = policy;
    LOG(DEBUG) << "Installed ce key for user " << user_id;
    return true;
}
// TODO: rename to 'evict' for consistency
// Evicts the user's CE key (see evict_ce_key()). Without FBE there is nothing
// to evict and the call succeeds.
bool fscrypt_lock_user_key(userid_t user_id) {
    LOG(DEBUG) << "fscrypt_lock_user_key " << user_id;
    return !IsFbeEnabled() || evict_ce_key(user_id);
}
// Runs the vold_prepare_subdirs helper with the given action for one user on
// one volume. The arguments are handed over as an argv vector rather than a
// command line, so the volume uuid and the numeric values reach the helper
// verbatim without shell interpretation. Returns false if the helper fails.
static bool prepare_subdirs(const std::string& action, const std::string& volume_uuid,
                            userid_t user_id, int flags) {
    const std::vector<std::string> argv{prepare_subdirs_path, action, volume_uuid,
                                        std::to_string(user_id), std::to_string(flags)};
    const auto rc = android::vold::ForkExecvp(argv);
    if (rc == 0) return true;
    LOG(ERROR) << "vold_prepare_subdirs failed";
    return false;
}
// Creates (or re-validates) the storage directories of |user_id| on the volume
// |volume_uuid| ("" means internal storage) and applies the user's fscrypt
// policies to the encrypted ones.  |flags| is a mask of
// android::os::IVold::STORAGE_FLAG_DE / STORAGE_FLAG_CE selecting which storage
// class(es) to prepare; |serial| is only used for logging in this function.
// Returns false at the first failing step; directories already prepared by
// earlier steps are left in place (no rollback).
bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial,
                                  int flags) {
    LOG(DEBUG) << "fscrypt_prepare_user_storage for volume " << escape_empty(volume_uuid)
               << ", user " << user_id << ", serial " << serial << ", flags " << flags;

    // Internal storage must be prepared before adoptable storage, since the
    // user's volume keys are stored in their internal storage.
    if (!volume_uuid.empty()) {
        if ((flags & android::os::IVold::STORAGE_FLAG_DE) &&
            !android::vold::pathExists(android::vold::BuildDataMiscDePath("", user_id))) {
            LOG(ERROR) << "Cannot prepare DE storage for user " << user_id << " on volume "
                       << volume_uuid << " before internal storage";
            return false;
        }
        if ((flags & android::os::IVold::STORAGE_FLAG_CE) &&
            !android::vold::pathExists(android::vold::BuildDataMiscCePath("", user_id))) {
            LOG(ERROR) << "Cannot prepare CE storage for user " << user_id << " on volume "
                       << volume_uuid << " before internal storage";
            return false;
        }
    }

    if (flags & android::os::IVold::STORAGE_FLAG_DE) {
        // DE_sys key
        auto system_legacy_path = android::vold::BuildDataSystemLegacyPath(user_id);
        auto misc_legacy_path = android::vold::BuildDataMiscLegacyPath(user_id);
        auto profiles_de_path = android::vold::BuildDataProfilesDePath(user_id);

        // DE_n key
        EncryptionPolicy de_policy;
        auto system_de_path = android::vold::BuildDataSystemDePath(user_id);
        auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
        auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
        auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);

        // Resolve the user's DE policy.  Internal storage uses the policy already
        // registered in s_de_policies; an adoptable volume uses a per-volume key
        // read from (or created under) the user's *internal* misc_de directory,
        // which is why that directory had to exist in the check above.
        // With FBE disabled, de_policy is passed on exactly as declared here;
        // NOTE(review): confirm prepare_dir_with_policy tolerates an unset policy.
        if (IsFbeEnabled()) {
            if (volume_uuid.empty()) {
                if (!lookup_policy(s_de_policies, user_id, &de_policy)) {
                    LOG(ERROR) << "Cannot find DE policy for user " << user_id;
                    return false;
                }
            } else {
                auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, &de_policy)) {
                    return false;
                }
            }
        }

        // The legacy, profiles, system and vendor directories exist only on
        // internal storage; misc_de and user_de are created on every volume.
        if (volume_uuid.empty()) {
            if (!prepare_dir(system_legacy_path, 0700, AID_SYSTEM, AID_SYSTEM)) return false;
#if MANAGE_MISC_DIRS
            if (!prepare_dir(misc_legacy_path, 0750, multiuser_get_uid(user_id, AID_SYSTEM),
                             multiuser_get_uid(user_id, AID_EVERYBODY)))
                return false;
#endif
            if (!prepare_dir(profiles_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;

            if (!prepare_dir_with_policy(system_de_path, 0770, AID_SYSTEM, AID_SYSTEM, de_policy))
                return false;
            if (!prepare_dir_with_policy(vendor_de_path, 0771, AID_ROOT, AID_ROOT, de_policy))
                return false;
        }

        // 01771: world-writable with the sticky bit, so entries under misc_de can
        // only be removed or renamed by their owner.
        if (!prepare_dir_with_policy(misc_de_path, 01771, AID_SYSTEM, AID_MISC, de_policy))
            return false;
        if (!prepare_dir_with_policy(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM, de_policy))
            return false;
    }

    if (flags & android::os::IVold::STORAGE_FLAG_CE) {
        // CE_n key
        EncryptionPolicy ce_policy;
        auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
        auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
        auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
        auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
        auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);

        // Same policy resolution as for DE above, but against s_ce_policies and
        // the user's internal misc_ce directory.
        if (IsFbeEnabled()) {
            if (volume_uuid.empty()) {
                if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) {
                    LOG(ERROR) << "Cannot find CE policy for user " << user_id;
                    return false;
                }
            } else {
                auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, &ce_policy)) {
                    return false;
                }
            }
        }

        if (volume_uuid.empty()) {
            if (!prepare_dir_with_policy(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM, ce_policy))
                return false;
            if (!prepare_dir_with_policy(vendor_ce_path, 0771, AID_ROOT, AID_ROOT, ce_policy))
                return false;
        }
        // 02770: setgid, so files created under media_ce inherit the MEDIA_RW group.
        if (!prepare_dir_with_policy(media_ce_path, 02770, AID_MEDIA_RW, AID_MEDIA_RW, ce_policy))
            return false;
        // On devices without sdcardfs (kernel 5.4+), the path permissions aren't fixed
        // up automatically; therefore, use a default ACL, to ensure apps with MEDIA_RW
        // can keep reading external storage; in particular, this allows app cloning
        // scenarios to work correctly on such devices.
        int ret = SetDefaultAcl(media_ce_path, 02770, AID_MEDIA_RW, AID_MEDIA_RW, {AID_MEDIA_RW});
        if (ret != android::OK) {
            // NOTE(review): nothing is logged on this path; presumably SetDefaultAcl
            // reports the cause itself -- confirm.
            return false;
        }
        if (!prepare_dir_with_policy(misc_ce_path, 01771, AID_SYSTEM, AID_MISC, ce_policy))
            return false;
        if (!prepare_dir_with_policy(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy))
            return false;

        if (volume_uuid.empty()) {
            // Now that credentials have been installed, we can run restorecon
            // over these paths
            // NOTE: these paths need to be kept in sync with libselinux
            // The return values of these calls are not checked.
            android::vold::RestoreconRecursive(system_ce_path);
            android::vold::RestoreconRecursive(vendor_ce_path);
            android::vold::RestoreconRecursive(misc_ce_path);
        }
    }

    // Per-app / per-package subdirectories are created by the vold_prepare_subdirs
    // helper once the top-level directories and policies are in place.
    if (!prepare_subdirs("prepare", volume_uuid, user_id, flags)) return false;

    return true;
}
// Removes the per-user storage directories that fscrypt_prepare_user_storage
// created for |user_id| on volume |volume_uuid| ("" means internal storage), as
// selected by |flags| (STORAGE_FLAG_CE / STORAGE_FLAG_DE).  On an adoptable
// volume with FBE enabled the user's per-volume key is destroyed as well.
// Every step is attempted even after an earlier one fails; the result is true
// only if all of them succeeded.
bool fscrypt_destroy_user_storage(const std::string& volume_uuid, userid_t user_id, int flags) {
    LOG(DEBUG) << "fscrypt_destroy_user_storage for volume " << escape_empty(volume_uuid)
               << ", user " << user_id << ", flags " << flags;

    const bool internal_storage = volume_uuid.empty();
    bool all_ok = true;

    // Subdirectories go first, before their parents are removed.
    all_ok &= prepare_subdirs("destroy", volume_uuid, user_id, flags);

    if (flags & android::os::IVold::STORAGE_FLAG_CE) {
        // CE_n key
        auto ce_system = android::vold::BuildDataSystemCePath(user_id);
        auto ce_misc = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
        auto ce_vendor = android::vold::BuildDataVendorCePath(user_id);
        auto ce_media = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
        auto ce_user = android::vold::BuildDataUserCePath(volume_uuid, user_id);

        all_ok &= destroy_dir(ce_media);
        all_ok &= destroy_dir(ce_misc);
        all_ok &= destroy_dir(ce_user);
        if (internal_storage) {
            all_ok &= destroy_dir(ce_system);
            all_ok &= destroy_dir(ce_vendor);
        } else if (IsFbeEnabled()) {
            // The volume's CE key for this user lives under the user's internal misc_ce dir.
            auto ce_key_dir = android::vold::BuildDataMiscCePath("", user_id);
            all_ok &= destroy_volkey(ce_key_dir, volume_uuid);
        }
    }

    if (flags & android::os::IVold::STORAGE_FLAG_DE) {
        // DE_sys key
        auto de_system_legacy = android::vold::BuildDataSystemLegacyPath(user_id);
        auto de_misc_legacy = android::vold::BuildDataMiscLegacyPath(user_id);
        auto de_profiles = android::vold::BuildDataProfilesDePath(user_id);

        // DE_n key
        auto de_system = android::vold::BuildDataSystemDePath(user_id);
        auto de_misc = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
        auto de_vendor = android::vold::BuildDataVendorDePath(user_id);
        auto de_user = android::vold::BuildDataUserDePath(volume_uuid, user_id);

        all_ok &= destroy_dir(de_user);
        all_ok &= destroy_dir(de_misc);
        if (internal_storage) {
            all_ok &= destroy_dir(de_system_legacy);
#if MANAGE_MISC_DIRS
            all_ok &= destroy_dir(de_misc_legacy);
#endif
            all_ok &= destroy_dir(de_profiles);
            all_ok &= destroy_dir(de_system);
            all_ok &= destroy_dir(de_vendor);
        } else if (IsFbeEnabled()) {
            // The volume's DE key for this user lives under the user's internal misc_de dir.
            auto de_key_dir = android::vold::BuildDataMiscDePath("", user_id);
            all_ok &= destroy_volkey(de_key_dir, volume_uuid);
        }
    }

    return all_ok;
}
// Destroys the |volume_uuid| key held in each per-user subdirectory of
// |directory_path| (the callers pass /data/misc_ce and /data/misc_de).  Entries
// that are not directories, or whose name starts with '.', are skipped.
// Returns false if the directory cannot be opened or read, or if destroy_volkey
// failed for any user; a single failing user does not stop the walk.
static bool destroy_volume_keys(const std::string& directory_path, const std::string& volume_uuid) {
    std::unique_ptr<DIR, int (*)(DIR*)> dir(opendir(directory_path.c_str()), closedir);
    if (dir == nullptr) {
        PLOG(ERROR) << "Unable to open directory: " + directory_path;
        return false;
    }

    bool all_ok = true;
    while (true) {
        // readdir() reports both end-of-stream and failure as NULL; errno tells them apart.
        errno = 0;
        auto* const ent = readdir(dir.get());
        if (ent == nullptr) {
            if (errno == 0) break;
            PLOG(ERROR) << "Unable to read directory: " + directory_path;
            return false;
        }
        if (IsDotOrDotDot(*ent)) continue;
        // d_type is assumed to be populated; a DT_UNKNOWN entry would be skipped here.
        // NOTE(review): confirm that is acceptable for the filesystems backing /data.
        if (ent->d_type != DT_DIR || ent->d_name[0] == '.') {
            LOG(DEBUG) << "Skipping non-user " << ent->d_name;
            continue;
        }
        const std::string user_dir = directory_path + "/" + ent->d_name;
        all_ok &= destroy_volkey(user_dir, volume_uuid);
    }
    return all_ok;
}
// Destroys all CE and DE keys for an adoptable storage volume that is permanently going away.
// Requires VolumeManager::mCryptLock.
// A no-op (reporting success) when FBE is disabled.  The volume's secdiscardable
// file is discarded first, then every user's CE key and then every user's DE key
// for the volume; all three steps run regardless of earlier failures, and the
// result is true only if all of them succeeded.
bool fscrypt_destroy_volume_keys(const std::string& volume_uuid) {
    if (!IsFbeEnabled()) return true;
    LOG(DEBUG) << "fscrypt_destroy_volume_keys for volume " << escape_empty(volume_uuid);

    auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
    // Braced initialization evaluates its elements left to right, so the step order
    // above is preserved and no step is skipped after a failure.
    const bool steps[] = {
            android::vold::runSecdiscardSingle(secdiscardable_path),
            destroy_volume_keys("/data/misc_ce", volume_uuid),
            destroy_volume_keys("/data/misc_de", volume_uuid),
    };

    bool all_ok = true;
    for (const bool ok : steps) all_ok = ok && all_ok;
    return all_ok;
}