Merge "Remove most of FDE support" am: a70c666688 am: 650828aabf am: d7a58896a2 am: d2769a436c
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1875760 Change-Id: I0d1fb1b5a01a7c2a5a15a7ebb3b98425756203fd
This commit is contained in:
Eric Biggers
Automerger Merge Worker
commit
655f36ee0f
5 changed files with 97 additions and 2897 deletions
|
|
@ -19,7 +19,6 @@
|
|||
#include "VoldNativeService.h"
|
||||
|
||||
#include <android-base/logging.h>
|
||||
#include <android-base/stringprintf.h>
|
||||
#include <android-base/strings.h>
|
||||
#include <fs_mgr.h>
|
||||
#include <fscrypt/fscrypt.h>
|
||||
|
|
@ -39,15 +38,12 @@
|
|||
#include "Keystore.h"
|
||||
#include "MetadataCrypt.h"
|
||||
#include "MoveStorage.h"
|
||||
#include "Process.h"
|
||||
#include "VoldNativeServiceValidation.h"
|
||||
#include "VoldUtil.h"
|
||||
#include "VolumeManager.h"
|
||||
#include "cryptfs.h"
|
||||
#include "incfs.h"
|
||||
|
||||
using android::base::StringPrintf;
|
||||
using std::endl;
|
||||
using namespace std::literals;
|
||||
|
||||
namespace android {
|
||||
|
|
@ -524,130 +520,107 @@ binder::Status VoldNativeService::openAppFuseFile(int32_t uid, int32_t mountId,
|
|||
return Ok();
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeCheckPassword(const std::string& password) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
return translate(cryptfs_check_passwd(password.c_str()));
|
||||
SLOGE("fdeCheckPassword is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeRestart() {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
// Spawn as thread so init can issue commands back to vold without
|
||||
// causing deadlock, usually as a result of prep_data_fs.
|
||||
std::thread(&cryptfs_restart).detach();
|
||||
SLOGE("fdeRestart is no longer supported");
|
||||
return Ok();
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
|
||||
binder::Status VoldNativeService::fdeComplete(int32_t* _aidl_return) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
*_aidl_return = cryptfs_crypto_complete();
|
||||
SLOGE("fdeComplete is no longer supported");
|
||||
*_aidl_return = CRYPTO_COMPLETE_NOT_ENCRYPTED;
|
||||
return Ok();
|
||||
}
|
||||
|
||||
static int fdeEnableInternal(int32_t passwordType, const std::string& password,
|
||||
int32_t encryptionFlags) {
|
||||
bool noUi = (encryptionFlags & VoldNativeService::ENCRYPTION_FLAG_NO_UI) != 0;
|
||||
|
||||
for (int tries = 0; tries < 2; ++tries) {
|
||||
int rc;
|
||||
if (passwordType == VoldNativeService::PASSWORD_TYPE_DEFAULT) {
|
||||
rc = cryptfs_enable_default(noUi);
|
||||
} else {
|
||||
rc = cryptfs_enable(passwordType, password.c_str(), noUi);
|
||||
}
|
||||
|
||||
if (rc == 0) {
|
||||
return 0;
|
||||
} else if (tries == 0) {
|
||||
KillProcessesWithOpenFiles(DATA_MNT_POINT, SIGKILL);
|
||||
}
|
||||
}
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeEnable(int32_t passwordType, const std::string& password,
|
||||
int32_t encryptionFlags) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
LOG(DEBUG) << "fdeEnable(" << passwordType << ", *, " << encryptionFlags << ")";
|
||||
if (fscrypt_is_native()) {
|
||||
LOG(ERROR) << "fscrypt_is_native, fdeEnable invalid";
|
||||
return error("fscrypt_is_native, fdeEnable invalid");
|
||||
}
|
||||
LOG(DEBUG) << "!fscrypt_is_native, spawning fdeEnableInternal";
|
||||
|
||||
// Spawn as thread so init can issue commands back to vold without
|
||||
// causing deadlock, usually as a result of prep_data_fs.
|
||||
std::thread(&fdeEnableInternal, passwordType, password, encryptionFlags).detach();
|
||||
return Ok();
|
||||
SLOGE("fdeEnable is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
|
||||
const std::string& password) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
return translate(cryptfs_changepw(passwordType, password.c_str()));
|
||||
SLOGE("fdeChangePassword is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
return translate(cryptfs_verify_passwd(password.c_str()));
|
||||
SLOGE("fdeVerifyPassword is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeGetField(const std::string& key, std::string* _aidl_return) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
char buf[PROPERTY_VALUE_MAX];
|
||||
if (cryptfs_getfield(key.c_str(), buf, sizeof(buf)) != CRYPTO_GETFIELD_OK) {
|
||||
return error(StringPrintf("Failed to read field %s", key.c_str()));
|
||||
} else {
|
||||
*_aidl_return = buf;
|
||||
return Ok();
|
||||
}
|
||||
SLOGE("fdeGetField is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeSetField(const std::string& key, const std::string& value) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
return translate(cryptfs_setfield(key.c_str(), value.c_str()));
|
||||
SLOGE("fdeSetField is no longer supported");
|
||||
return translate(-1);
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeGetPasswordType(int32_t* _aidl_return) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
*_aidl_return = cryptfs_get_password_type();
|
||||
SLOGE("fdeGetPasswordType is no longer supported");
|
||||
*_aidl_return = -1;
|
||||
return Ok();
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeGetPassword(std::string* _aidl_return) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
const char* res = cryptfs_get_password();
|
||||
if (res != nullptr) {
|
||||
*_aidl_return = res;
|
||||
}
|
||||
SLOGE("fdeGetPassword is no longer supported");
|
||||
return Ok();
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::fdeClearPassword() {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
cryptfs_clear_password();
|
||||
SLOGE("fdeClearPassword is no longer supported");
|
||||
return Ok();
|
||||
}
|
||||
|
||||
|
|
@ -658,15 +631,12 @@ binder::Status VoldNativeService::fbeEnable() {
|
|||
return translateBool(fscrypt_initialize_systemwide_keys());
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::mountDefaultEncrypted() {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
if (!fscrypt_is_native()) {
|
||||
// Spawn as thread so init can issue commands back to vold without
|
||||
// causing deadlock, usually as a result of prep_data_fs.
|
||||
std::thread(&cryptfs_mount_default_encrypted).detach();
|
||||
}
|
||||
SLOGE("mountDefaultEncrypted is no longer supported");
|
||||
return Ok();
|
||||
}
|
||||
|
||||
|
|
@ -677,11 +647,13 @@ binder::Status VoldNativeService::initUser0() {
|
|||
return translateBool(fscrypt_init_user0());
|
||||
}
|
||||
|
||||
// TODO(b/191796797) remove this once caller is removed
|
||||
binder::Status VoldNativeService::isConvertibleToFbe(bool* _aidl_return) {
|
||||
ENFORCE_SYSTEM_OR_ROOT;
|
||||
ACQUIRE_CRYPT_LOCK;
|
||||
|
||||
*_aidl_return = cryptfs_isConvertibleToFBE() != 0;
|
||||
SLOGE("isConvertibleToFbe is no longer supported");
|
||||
*_aidl_return = false;
|
||||
return Ok();
|
||||
}
|
||||
|
||||
|
|
|
|||
2791
cryptfs.cpp
2791
cryptfs.cpp
File diff suppressed because it is too large
Load diff
50
cryptfs.h
50
cryptfs.h
|
|
@ -19,61 +19,15 @@
|
|||
|
||||
#include <string>
|
||||
|
||||
#include <linux/types.h>
|
||||
#include <stdbool.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#include <cutils/properties.h>
|
||||
|
||||
#include "KeyBuffer.h"
|
||||
#include "KeyUtil.h"
|
||||
|
||||
// TODO(b/191796797): remove this once it is no longer referenced by system/core
|
||||
// and bootable/recovery.
|
||||
#define CRYPT_FOOTER_OFFSET 0x4000
|
||||
|
||||
/* Return values for cryptfs_crypto_complete */
|
||||
#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
|
||||
#define CRYPTO_COMPLETE_ENCRYPTED 0
|
||||
#define CRYPTO_COMPLETE_BAD_METADATA (-1)
|
||||
#define CRYPTO_COMPLETE_PARTIAL (-2)
|
||||
#define CRYPTO_COMPLETE_INCONSISTENT (-3)
|
||||
#define CRYPTO_COMPLETE_CORRUPT (-4)
|
||||
|
||||
/* Return values for cryptfs_getfield */
|
||||
#define CRYPTO_GETFIELD_OK 0
|
||||
#define CRYPTO_GETFIELD_ERROR_NO_FIELD (-1)
|
||||
#define CRYPTO_GETFIELD_ERROR_OTHER (-2)
|
||||
#define CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL (-3)
|
||||
|
||||
/* Return values for cryptfs_setfield */
|
||||
#define CRYPTO_SETFIELD_OK 0
|
||||
#define CRYPTO_SETFIELD_ERROR_OTHER (-1)
|
||||
#define CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG (-2)
|
||||
#define CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG (-3)
|
||||
|
||||
/* Return values for persist_del_key */
|
||||
#define PERSIST_DEL_KEY_OK 0
|
||||
#define PERSIST_DEL_KEY_ERROR_OTHER (-1)
|
||||
#define PERSIST_DEL_KEY_ERROR_NO_FIELD (-2)
|
||||
|
||||
// Exposed for testing only
|
||||
int match_multi_entry(const char* key, const char* field, unsigned index);
|
||||
|
||||
int cryptfs_crypto_complete(void);
|
||||
int cryptfs_check_passwd(const char* pw);
|
||||
int cryptfs_verify_passwd(const char* pw);
|
||||
int cryptfs_restart(void);
|
||||
int cryptfs_enable(int type, const char* passwd, int no_ui);
|
||||
int cryptfs_changepw(int type, const char* newpw);
|
||||
int cryptfs_enable_default(int no_ui);
|
||||
int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
|
||||
const android::vold::KeyBuffer& key, std::string* out_crypto_blkdev);
|
||||
int cryptfs_getfield(const char* fieldname, char* value, int len);
|
||||
int cryptfs_setfield(const char* fieldname, const char* value);
|
||||
int cryptfs_mount_default_encrypted(void);
|
||||
int cryptfs_get_password_type(void);
|
||||
const char* cryptfs_get_password(void);
|
||||
void cryptfs_clear_password(void);
|
||||
int cryptfs_isConvertibleToFBE(void);
|
||||
const android::vold::KeyGeneration cryptfs_get_keygen();
|
||||
|
||||
#endif /* ANDROID_VOLD_CRYPTFS_H */
|
||||
|
|
|
|||
|
|
@ -12,7 +12,6 @@ cc_test {
|
|||
srcs: [
|
||||
"Utils_test.cpp",
|
||||
"VoldNativeServiceValidation_test.cpp",
|
||||
"cryptfs_test.cpp",
|
||||
],
|
||||
static_libs: ["libvold"],
|
||||
shared_libs: ["libbinder"]
|
||||
|
|
|
|||
|
|
@ -1,52 +0,0 @@
|
|||
/*
|
||||
* Copyright (C) 2017 The Android Open Source Project
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
#include <gtest/gtest.h>
|
||||
|
||||
#include "../cryptfs.h"
|
||||
|
||||
namespace android {
|
||||
|
||||
class CryptfsTest : public testing::Test {
|
||||
protected:
|
||||
virtual void SetUp() {}
|
||||
|
||||
virtual void TearDown() {}
|
||||
};
|
||||
|
||||
TEST_F(CryptfsTest, MatchMultiEntryTest) {
|
||||
ASSERT_NE(0, match_multi_entry("foo", "foo", 0));
|
||||
ASSERT_NE(0, match_multi_entry("foo_0", "foo", 0));
|
||||
ASSERT_NE(0, match_multi_entry("foo_1", "foo", 0));
|
||||
ASSERT_NE(0, match_multi_entry("foo_2", "foo", 0));
|
||||
|
||||
ASSERT_EQ(0, match_multi_entry("foo", "foo", 1));
|
||||
ASSERT_EQ(0, match_multi_entry("foo_0", "foo", 1));
|
||||
ASSERT_NE(0, match_multi_entry("foo_1", "foo", 1));
|
||||
ASSERT_NE(0, match_multi_entry("foo_2", "foo", 1));
|
||||
|
||||
ASSERT_EQ(0, match_multi_entry("foo", "foo", 2));
|
||||
ASSERT_EQ(0, match_multi_entry("foo_0", "foo", 2));
|
||||
ASSERT_EQ(0, match_multi_entry("foo_1", "foo", 2));
|
||||
ASSERT_NE(0, match_multi_entry("foo_2", "foo", 2));
|
||||
|
||||
ASSERT_EQ(0, match_multi_entry("food", "foo", 0));
|
||||
ASSERT_EQ(0, match_multi_entry("foo", "food", 0));
|
||||
ASSERT_EQ(0, match_multi_entry("foo", "bar", 0));
|
||||
ASSERT_EQ(0, match_multi_entry("foo_2", "bar", 0));
|
||||
}
|
||||
|
||||
} // namespace android
|
||||
Loading…
Reference in a new issue