From 8452f41d4a115674e007b62cedc21ce1d87b8ca5 Mon Sep 17 00:00:00 2001
From: Sean Keys <skeys@google.com>
Date: Wed, 7 Jul 2021 22:38:04 +0000
Subject: [PATCH] Add command for setting the key binding seed

The seed value is passed to vold early in startup so that the
key-encryption keys are bound to the seed. This is useful for systems
like auto, in which the Android device may not require credentials to
use. In that case, the device should be bound to the rest of the system
(the car, in the case of auto) to guard against theft.

Test: manual
Change-Id: I2e16387b0752a30ef226b5ddf32ebf955aa9610a
---
 Android.bp |  7 ++++++-
 vdc.cpp    | 24 ++++++++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/Android.bp b/Android.bp
index 5d67916..466ba77 100644
--- a/Android.bp
+++ b/Android.bp
@@ -220,11 +220,16 @@ cc_binary {
     name: "vdc",
     defaults: ["vold_default_flags"],
 
-    srcs: ["vdc.cpp"],
+    srcs: [
+        "vdc.cpp",
+        "Utils.cpp",
+    ],
     shared_libs: [
         "libbase",
         "libbinder",
         "libcutils",
+        "liblogwrap",
+        "libselinux",
         "libutils",
     ],
     static_libs: [
diff --git a/vdc.cpp b/vdc.cpp
index 47d98de..313ef55 100644
--- a/vdc.cpp
+++ b/vdc.cpp
@@ -28,6 +28,7 @@
 #include <sys/types.h>
 #include <sys/un.h>
 
+#include "Utils.h"
 #include "android/os/IVold.h"
 
 #include <android-base/logging.h>
@@ -37,6 +38,7 @@
 #include <android-base/strings.h>
 #include <binder/IServiceManager.h>
 #include <binder/Status.h>
+#include <utils/Errors.h>
 
 #include <private/android_filesystem_config.h>
 
@@ -64,6 +66,26 @@ static void checkStatus(std::vector<std::string>& cmd, android::binder::Status s
     exit(ENOTTY);
 }
 
+static void bindkeys(std::vector<std::string>& args, const android::sp<android::os::IVold>& vold) {
+    std::string raw_bytes;
+    const char* seed_value;
+
+    seed_value = getenv("SEED_VALUE");
+    if (seed_value == NULL) {
+        LOG(ERROR) << "Empty seed";
+        exit(EINVAL);
+    }
+
+    android::status_t status = android::vold::HexToStr(seed_value, raw_bytes);
+    if (status != android::OK) {
+        LOG(ERROR) << "Extraction of seed failed: " << status;
+        exit(status);
+    }
+
+    std::vector<uint8_t> seed{raw_bytes.begin(), raw_bytes.end()};
+    checkStatus(args, vold->setStorageBindingSeed(seed));
+}
+
 int main(int argc, char** argv) {
     setenv("ANDROID_LOG_TAGS", "*:v", 1);
     if (getppid() == 1) {
@@ -106,6 +128,8 @@ int main(int argc, char** argv) {
         checkStatus(args, vold->shutdown());
     } else if (args[0] == "volume" && args[1] == "reset") {
         checkStatus(args, vold->reset());
+    } else if (args[0] == "cryptfs" && args[1] == "bindkeys") {
+        bindkeys(args, vold);
     } else if (args[0] == "cryptfs" && args[1] == "mountFstab" && args.size() == 4) {
         checkStatus(args, vold->mountFstab(args[2], args[3]));
     } else if (args[0] == "cryptfs" && args[1] == "encryptFstab" && args.size() == 6) {