vold: Bring in more wrapped key changes
Conflicts: KeyStorage.cpp KeyUtil.cpp [wight554: Apply changes from CAF 12] Change-Id: I44e81afaec78c567a0bf2eed30a79eb737e2a867 Signed-off-by: Volodymyr Zhdanov <wight554@gmail.com> Signed-off-by: zlewchan <zlewchan@icloud.com>
This commit is contained in:
parent
e955745ae2
commit
3a710043d3
3 changed files with 23 additions and 1 deletions
|
@ -278,6 +278,10 @@ static bool init_data_file_encryption_options() {
|
||||||
"this flag from the device's fstab";
|
"this flag from the device's fstab";
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
if (s_data_options.version == 1) {
|
||||||
|
s_data_options.use_hw_wrapped_key =
|
||||||
|
GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)->fs_mgr_flags.wrapped_key;
|
||||||
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -65,6 +65,8 @@ static const char* kFn_secdiscardable = "secdiscardable";
|
||||||
static const char* kFn_version = "version";
|
static const char* kFn_version = "version";
|
||||||
// Note: old key directories may contain a file named "stretching".
|
// Note: old key directories may contain a file named "stretching".
|
||||||
|
|
||||||
|
static const int32_t KM_TAG_FBE_ICE = static_cast<int32_t>(7 << 28) | 16201;
|
||||||
|
|
||||||
namespace {
|
namespace {
|
||||||
|
|
||||||
// Storage binding info for ensuring key encryption keys include a
|
// Storage binding info for ensuring key encryption keys include a
|
||||||
|
@ -139,6 +141,12 @@ bool generateWrappedStorageKey(KeyBuffer* key) {
|
||||||
std::string key_temp;
|
std::string key_temp;
|
||||||
auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
|
auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
|
||||||
paramBuilder.Authorization(km::TAG_STORAGE_KEY);
|
paramBuilder.Authorization(km::TAG_STORAGE_KEY);
|
||||||
|
|
||||||
|
km::KeyParameter param1;
|
||||||
|
param1.tag = (km::Tag) (KM_TAG_FBE_ICE);
|
||||||
|
param1.value = km::KeyParameterValue::make<km::KeyParameterValue::boolValue>(true);
|
||||||
|
paramBuilder.push_back(param1);
|
||||||
|
|
||||||
if (!keystore.generateKey(paramBuilder, &key_temp)) return false;
|
if (!keystore.generateKey(paramBuilder, &key_temp)) return false;
|
||||||
*key = KeyBuffer(key_temp.size());
|
*key = KeyBuffer(key_temp.size());
|
||||||
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
|
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
|
||||||
|
|
12
KeyUtil.cpp
12
KeyUtil.cpp
|
@ -143,7 +143,17 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
|
||||||
// A key for a v1 policy is specified by an arbitrary 8-byte
|
// A key for a v1 policy is specified by an arbitrary 8-byte
|
||||||
// "descriptor", which must be provided by userspace. We use the
|
// "descriptor", which must be provided by userspace. We use the
|
||||||
// first 8 bytes from the double SHA-512 of the key itself.
|
// first 8 bytes from the double SHA-512 of the key itself.
|
||||||
policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
|
if (options.use_hw_wrapped_key) {
|
||||||
|
/* When wrapped key is supported, only the first 32 bytes are
|
||||||
|
the same per boot. The second 32 bytes can change as the ephemeral
|
||||||
|
key is different. */
|
||||||
|
policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size()/2);
|
||||||
|
} else {
|
||||||
|
policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
|
||||||
|
}
|
||||||
|
if (!isFsKeyringSupported()) {
|
||||||
|
return installKeyLegacy(key, policy->key_raw_ref);
|
||||||
|
}
|
||||||
if (!buildKeySpecifier(&arg->key_spec, *policy)) {
|
if (!buildKeySpecifier(&arg->key_spec, *policy)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue