Refactor now that global DE has been reworked
Change-Id: I4d6156332cfc847e25e7c8863fd6a50fa325fb87
This commit is contained in:
Paul Crowley
parent
57eedbf8cb
commit
38132a1f66
4 changed files with 52 additions and 66 deletions
|
|
@ -61,33 +61,20 @@ using android::vold::kEmptyAuthentication;
|
|||
static constexpr int FLAG_STORAGE_DE = 1 << 0;
|
||||
static constexpr int FLAG_STORAGE_CE = 1 << 1;
|
||||
|
||||
static bool e4crypt_is_native() {
|
||||
char value[PROPERTY_VALUE_MAX];
|
||||
property_get("ro.crypto.type", value, "none");
|
||||
return !strcmp(value, "file");
|
||||
}
|
||||
|
||||
static bool e4crypt_is_emulated() {
|
||||
return property_get_bool("persist.sys.emulate_fbe", false);
|
||||
}
|
||||
|
||||
static const char* escape_null(const char* value) {
|
||||
return (value == nullptr) ? "null" : value;
|
||||
}
|
||||
|
||||
namespace {
|
||||
// Key length in bits
|
||||
const int key_length = 128;
|
||||
static_assert(key_length % 8 == 0,
|
||||
"Key length must be multiple of 8 bits");
|
||||
|
||||
const std::string device_key_leaf = "/unencrypted/key";
|
||||
const std::string device_key_temp = "/unencrypted/temp";
|
||||
const std::string device_key_dir = std::string() + DATA_MNT_POINT + "/unencrypted";
|
||||
const std::string device_key_path = device_key_dir + "/key";
|
||||
const std::string device_key_temp = device_key_dir + "/temp";
|
||||
|
||||
const std::string user_key_dir = std::string() + DATA_MNT_POINT + "/misc/vold/user_keys";
|
||||
const std::string user_key_temp = user_key_dir + "/temp";
|
||||
|
||||
bool s_enabled = false;
|
||||
bool s_global_de_initialized = false;
|
||||
|
||||
// Some users are ephemeral, don't try to wipe their keys from disk
|
||||
std::set<userid_t> s_ephemeral_users;
|
||||
|
|
@ -114,9 +101,18 @@ namespace {
|
|||
}
|
||||
|
||||
// TODO replace with proper function to test for file encryption
|
||||
int e4crypt_crypto_complete(const char* path)
|
||||
{
|
||||
return e4crypt_is_native() ? 0 : -1;
|
||||
bool e4crypt_is_native() {
|
||||
char value[PROPERTY_VALUE_MAX];
|
||||
property_get("ro.crypto.type", value, "none");
|
||||
return !strcmp(value, "file");
|
||||
}
|
||||
|
||||
static bool e4crypt_is_emulated() {
|
||||
return property_get_bool("persist.sys.emulate_fbe", false);
|
||||
}
|
||||
|
||||
static const char* escape_null(const char* value) {
|
||||
return (value == nullptr) ? "null" : value;
|
||||
}
|
||||
|
||||
// Get raw keyref - used to make keyname and to pass to ioctl
|
||||
|
|
@ -238,17 +234,17 @@ static bool path_exists(const std::string &path) {
|
|||
|
||||
// NB this assumes that there is only one thread listening for crypt commands, because
|
||||
// it creates keys in a fixed location.
|
||||
static bool store_key(const std::string &key_path,
|
||||
static bool store_key(const std::string &key_path, const std::string &tmp_path,
|
||||
const android::vold::KeyAuthentication &auth, const std::string &key) {
|
||||
if (path_exists(key_path)) {
|
||||
LOG(ERROR) << "Already exists, cannot create key at: " << key_path;
|
||||
return false;
|
||||
}
|
||||
if (path_exists(user_key_temp)) {
|
||||
android::vold::destroyKey(user_key_temp);
|
||||
if (path_exists(tmp_path)) {
|
||||
android::vold::destroyKey(tmp_path);
|
||||
}
|
||||
if (!android::vold::storeKey(user_key_temp, auth, key)) return false;
|
||||
if (rename(user_key_temp.c_str(), key_path.c_str()) != 0) {
|
||||
if (!android::vold::storeKey(tmp_path, auth, key)) return false;
|
||||
if (rename(tmp_path.c_str(), key_path.c_str()) != 0) {
|
||||
PLOG(ERROR) << "Unable to move new key to location: " << key_path;
|
||||
return false;
|
||||
}
|
||||
|
|
@ -264,10 +260,12 @@ static bool create_and_install_user_keys(userid_t user_id, bool create_ephemeral
|
|||
// If the key should be created as ephemeral, don't store it.
|
||||
s_ephemeral_users.insert(user_id);
|
||||
} else {
|
||||
if (!store_key(get_de_key_path(user_id), kEmptyAuthentication, de_key)) return false;
|
||||
if (!store_key(get_de_key_path(user_id), user_key_temp,
|
||||
kEmptyAuthentication, de_key)) return false;
|
||||
if (!prepare_dir(user_key_dir + "/ce/" + std::to_string(user_id),
|
||||
0700, AID_ROOT, AID_ROOT)) return false;
|
||||
if (!store_key(get_ce_key_path(user_id), kEmptyAuthentication, ce_key)) return false;
|
||||
if (!store_key(get_ce_key_path(user_id), user_key_temp,
|
||||
kEmptyAuthentication, ce_key)) return false;
|
||||
}
|
||||
std::string de_raw_ref;
|
||||
if (!install_key(de_key, de_raw_ref)) return false;
|
||||
|
|
@ -344,34 +342,24 @@ static bool load_all_de_keys() {
|
|||
return true;
|
||||
}
|
||||
|
||||
int e4crypt_enable(const char* path)
|
||||
int e4crypt_initialize_global_de()
|
||||
{
|
||||
LOG(INFO) << "e4crypt_enable";
|
||||
LOG(INFO) << "e4crypt_initialize_global_de";
|
||||
|
||||
if (s_enabled) {
|
||||
LOG(INFO) << "Already enabled";
|
||||
if (s_global_de_initialized) {
|
||||
LOG(INFO) << "Already initialized";
|
||||
return 0;
|
||||
}
|
||||
|
||||
std::string device_key;
|
||||
std::string device_key_path = std::string(path) + device_key_leaf;
|
||||
if (!android::vold::retrieveKey(device_key_path, kEmptyAuthentication, device_key)) {
|
||||
if (path_exists(device_key_path)) {
|
||||
if (!android::vold::retrieveKey(device_key_path,
|
||||
kEmptyAuthentication, device_key)) return -1;
|
||||
} else {
|
||||
LOG(INFO) << "Creating new key";
|
||||
if (!random_key(device_key)) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
std::string key_temp = std::string(path) + device_key_temp;
|
||||
if (path_exists(key_temp)) {
|
||||
android::vold::destroyKey(key_temp);
|
||||
}
|
||||
|
||||
if (!android::vold::storeKey(key_temp, kEmptyAuthentication, device_key)) return -1;
|
||||
if (rename(key_temp.c_str(), device_key_path.c_str()) != 0) {
|
||||
PLOG(ERROR) << "Unable to move new key to location: "
|
||||
<< device_key_path;
|
||||
return -1;
|
||||
}
|
||||
if (!random_key(device_key)) return -1;
|
||||
if (!store_key(device_key_path, device_key_temp,
|
||||
kEmptyAuthentication, device_key)) return -1;
|
||||
}
|
||||
|
||||
std::string device_key_ref;
|
||||
|
|
@ -386,7 +374,7 @@ int e4crypt_enable(const char* path)
|
|||
return -1;
|
||||
}
|
||||
|
||||
s_enabled = true;
|
||||
s_global_de_initialized = true;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -543,7 +531,7 @@ int e4crypt_change_user_key(userid_t user_id, int serial,
|
|||
auto ce_key = it->second;
|
||||
auto ce_key_path = get_ce_key_path(user_id);
|
||||
android::vold::destroyKey(ce_key_path);
|
||||
if (!store_key(ce_key_path, auth, ce_key)) return -1;
|
||||
if (!store_key(ce_key_path, user_key_temp, auth, ce_key)) return -1;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
@ -612,7 +600,7 @@ int e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id,
|
|||
if (!prepare_dir(misc_de_path, 01771, AID_SYSTEM, AID_MISC)) return -1;
|
||||
if (!prepare_dir(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return -1;
|
||||
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
std::string de_raw_ref;
|
||||
if (!lookup_key_ref(s_de_key_raw_refs, user_id, de_raw_ref)) return -1;
|
||||
if (!ensure_policy(de_raw_ref, system_de_path)) return -1;
|
||||
|
|
@ -632,7 +620,7 @@ int e4crypt_prepare_user_storage(const char* volume_uuid, userid_t user_id,
|
|||
if (!prepare_dir(media_ce_path, 0770, AID_MEDIA_RW, AID_MEDIA_RW)) return -1;
|
||||
if (!prepare_dir(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM)) return -1;
|
||||
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
std::string ce_raw_ref;
|
||||
if (!lookup_key_ref(s_ce_key_raw_refs, user_id, ce_raw_ref)) return -1;
|
||||
if (!ensure_policy(ce_raw_ref, system_ce_path)) return -1;
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdbool.h>
|
||||
#include <sys/cdefs.h>
|
||||
|
||||
#include <cutils/multiuser.h>
|
||||
|
|
@ -22,8 +22,8 @@
|
|||
__BEGIN_DECLS
|
||||
|
||||
// General functions
|
||||
int e4crypt_enable(const char* path);
|
||||
int e4crypt_crypto_complete(const char* path);
|
||||
bool e4crypt_is_native();
|
||||
int e4crypt_initialize_global_de();
|
||||
|
||||
int e4crypt_init_user0();
|
||||
int e4crypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral);
|
||||
|
|
|
|||
19
cryptfs.c
19
cryptfs.c
|
|
@ -56,7 +56,6 @@
|
|||
#include "VoldUtil.h"
|
||||
#include "crypto_scrypt.h"
|
||||
#include "Ext4Crypt.h"
|
||||
#include "ext4_crypt_init_extensions.h"
|
||||
#include "ext4_utils.h"
|
||||
#include "f2fs_sparseblock.h"
|
||||
#include "CheckBattery.h"
|
||||
|
|
@ -1782,7 +1781,7 @@ static int cryptfs_restart_internal(int restart_main)
|
|||
int cryptfs_restart(void)
|
||||
{
|
||||
SLOGI("cryptfs_restart");
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("cryptfs_restart not valid for file encryption:");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -1804,7 +1803,7 @@ static int do_crypto_complete(char *mount_point)
|
|||
}
|
||||
|
||||
// crypto_complete is full disk encrypted status
|
||||
if (e4crypt_crypto_complete(mount_point) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
return CRYPTO_COMPLETE_NOT_ENCRYPTED;
|
||||
}
|
||||
|
||||
|
|
@ -2057,7 +2056,7 @@ int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
|
|||
int cryptfs_check_passwd(char *passwd)
|
||||
{
|
||||
SLOGI("cryptfs_check_passwd");
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("cryptfs_check_passwd not valid for file encryption");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -3349,7 +3348,7 @@ int cryptfs_enable_default(char *howarg, int no_ui)
|
|||
|
||||
int cryptfs_changepw(int crypt_type, const char *newpw)
|
||||
{
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("cryptfs_changepw not valid for file encryption");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -3575,7 +3574,7 @@ static int persist_count_keys(const char *fieldname)
|
|||
/* Return the value of the specified field. */
|
||||
int cryptfs_getfield(const char *fieldname, char *value, int len)
|
||||
{
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("Cannot get field when file encrypted");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -3641,7 +3640,7 @@ out:
|
|||
/* Set the value of the specified field. */
|
||||
int cryptfs_setfield(const char *fieldname, const char *value)
|
||||
{
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("Cannot set field when file encrypted");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -3768,7 +3767,7 @@ int cryptfs_mount_default_encrypted(void)
|
|||
*/
|
||||
int cryptfs_get_password_type(void)
|
||||
{
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("cryptfs_get_password_type not valid for file encryption");
|
||||
return -1;
|
||||
}
|
||||
|
|
@ -3789,7 +3788,7 @@ int cryptfs_get_password_type(void)
|
|||
|
||||
const char* cryptfs_get_password()
|
||||
{
|
||||
if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) {
|
||||
if (e4crypt_is_native()) {
|
||||
SLOGE("cryptfs_get_password not valid for file encryption");
|
||||
return 0;
|
||||
}
|
||||
|
|
@ -3817,7 +3816,7 @@ void cryptfs_clear_password()
|
|||
|
||||
int cryptfs_enable_file()
|
||||
{
|
||||
return e4crypt_enable(DATA_MNT_POINT);
|
||||
return e4crypt_initialize_global_de();
|
||||
}
|
||||
|
||||
int cryptfs_isConvertibleToFBE()
|
||||
|
|
|
|||
1
main.cpp
1
main.cpp
|
|
@ -18,7 +18,6 @@
|
|||
#include "VolumeManager.h"
|
||||
#include "CommandListener.h"
|
||||
#include "CryptCommandListener.h"
|
||||
#include "Ext4Crypt.h"
|
||||
#include "NetlinkManager.h"
|
||||
#include "cryptfs.h"
|
||||
#include "sehandle.h"
|
||||
|
|
|
|||
Loading…
Reference in a new issue