tequilaOS/platform_system_vold
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Rename "user key" methods in vold

Browse source 
Rename methods that refer to "user key" to be more precise about what
they mean.  For more details, see the corresponding frameworks/base
changes (I202ebbfd2b4f79fedb3ed120a8ad81500c126894 and
I5894beb97823dced5954e405d779fada49c79e8d).

No change in behavior except for some changed log messages.

Flag: exempt, mechanical refactoring only
Test: presubmit
Change-Id: I9edcb557172395f4f6cf8e837efcc06fcfefb37d
This commit is contained in:
Eric Biggers 2023-10-19 19:47:20 +00:00
parent f15785a54d
commit a53a66caed
5 changed files with 44 additions and 43 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
FsCrypt.cpp
View file

@ -421,7 +421,7 @@ static bool create_ce_key(userid_t user_id, bool ephemeral) {
return false; return false;
// We don't store the CE key on disk here, since here we don't have the // We don't store the CE key on disk here, since here we don't have the
// secret needed to do so securely. Instead, we cache it in memory for // secret needed to do so securely. Instead, we cache it in memory for
// now, and we store it later in fscrypt_set_user_key_protection(). // now, and we store it later in fscrypt_set_ce_key_protection().
s_new_ce_keys.insert({user_id, ce_key}); s_new_ce_keys.insert({user_id, ce_key});
} }
EncryptionPolicy ce_policy; EncryptionPolicy ce_policy;
@ -614,15 +614,15 @@ bool fscrypt_init_user0() {
return true; return true;
} }
bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral) { // Creates the CE and DE keys for a new user.
LOG(DEBUG) << "fscrypt_vold_create_user_key for " << user_id << " serial " << serial; bool fscrypt_create_user_keys(userid_t user_id, int serial, bool ephemeral) {
LOG(DEBUG) << "fscrypt_create_user_keys for " << user_id << " serial " << serial;
if (!IsFbeEnabled()) { if (!IsFbeEnabled()) {
return true; return true;
} }
// FIXME test for existence of key that is not loaded yet // FIXME test for existence of key that is not loaded yet
if (s_ce_policies.count(user_id) != 0) { if (s_ce_policies.count(user_id) != 0) {
LOG(ERROR) << "Already exists, can't fscrypt_vold_create_user_key for " << user_id LOG(ERROR) << "Already exists, can't create keys for " << user_id << " serial " << serial;
<< " serial " << serial;
// FIXME should we fail the command? // FIXME should we fail the command?
return true; return true;
} }
@ -671,8 +671,8 @@ static bool evict_user_keys(std::map<userid_t, UserPolicies>& policy_map, userid
} }
// Evicts and destroys all CE and DE keys for a user. This is called when the user is removed. // Evicts and destroys all CE and DE keys for a user. This is called when the user is removed.
bool fscrypt_destroy_user_key(userid_t user_id) { bool fscrypt_destroy_user_keys(userid_t user_id) {
LOG(DEBUG) << "fscrypt_destroy_user_key(" << user_id << ")"; LOG(DEBUG) << "fscrypt_destroy_user_keys(" << user_id << ")";
if (!IsFbeEnabled()) { if (!IsFbeEnabled()) {
return true; return true;
} }
@ -769,13 +769,13 @@ static bool destroy_volkey(const std::string& misc_path, const std::string& volu
// re-encrypting the CE key upon upgrade from an Android version where the CE // re-encrypting the CE key upon upgrade from an Android version where the CE
// key was stored with kEmptyAuthentication when the user didn't have an LSKF. // key was stored with kEmptyAuthentication when the user didn't have an LSKF.
// See the comments below for the different cases handled. // See the comments below for the different cases handled.
bool fscrypt_set_user_key_protection(userid_t user_id, const std::string& secret_hex) { bool fscrypt_set_ce_key_protection(userid_t user_id, const std::string& secret_hex) {
LOG(DEBUG) << "fscrypt_set_user_key_protection " << user_id; LOG(DEBUG) << "fscrypt_set_ce_key_protection " << user_id;
if (!IsFbeEnabled()) return true; if (!IsFbeEnabled()) return true;
auto auth = authentication_from_hex(secret_hex); auto auth = authentication_from_hex(secret_hex);
if (!auth) return false; if (!auth) return false;
if (auth->secret.empty()) { if (auth->secret.empty()) {
LOG(ERROR) << "fscrypt_set_user_key_protection: secret must be nonempty"; LOG(ERROR) << "fscrypt_set_ce_key_protection: secret must be nonempty";
return false; return false;
} }
// We shouldn't store any keys for ephemeral users. // We shouldn't store any keys for ephemeral users.
@ -871,11 +871,11 @@ std::vector<int> fscrypt_get_unlocked_users() {
// Unlocks internal CE storage for the given user. This only unlocks internal storage, since // Unlocks internal CE storage for the given user. This only unlocks internal storage, since
// fscrypt_prepare_user_storage() has to be called for each adoptable storage volume anyway (since // fscrypt_prepare_user_storage() has to be called for each adoptable storage volume anyway (since
// the volume might have been absent when the user was created), and that handles the unlocking. // the volume might have been absent when the user was created), and that handles the unlocking.
bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) { bool fscrypt_unlock_ce_storage(userid_t user_id, int serial, const std::string& secret_hex) {
LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial; LOG(DEBUG) << "fscrypt_unlock_ce_storage " << user_id << " serial=" << serial;
if (!IsFbeEnabled()) return true; if (!IsFbeEnabled()) return true;
if (s_ce_policies.count(user_id) != 0) { if (s_ce_policies.count(user_id) != 0) {
LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id; LOG(WARNING) << "CE storage for user " << user_id << " is already unlocked";
return true; return true;
} }
auto auth = authentication_from_hex(secret_hex); auto auth = authentication_from_hex(secret_hex);
@ -885,13 +885,13 @@ bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& se
EncryptionPolicy ce_policy; EncryptionPolicy ce_policy;
if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false; if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
s_ce_policies[user_id].internal = ce_policy; s_ce_policies[user_id].internal = ce_policy;
LOG(DEBUG) << "Installed ce key for user " << user_id; LOG(DEBUG) << "Installed CE key for user " << user_id;
return true; return true;
} }
// Locks CE storage for the given user. This locks both internal and adoptable storage. // Locks CE storage for the given user. This locks both internal and adoptable storage.
bool fscrypt_lock_user_key(userid_t user_id) { bool fscrypt_lock_ce_storage(userid_t user_id) {
LOG(DEBUG) << "fscrypt_lock_user_key " << user_id; LOG(DEBUG) << "fscrypt_lock_ce_storage " << user_id;
if (!IsFbeEnabled()) return true; if (!IsFbeEnabled()) return true;
return evict_user_keys(s_ce_policies, user_id); return evict_user_keys(s_ce_policies, user_id);
} }

10
FsCrypt.h
View file

@ -23,14 +23,14 @@ bool fscrypt_initialize_systemwide_keys();
bool fscrypt_init_user0(); bool fscrypt_init_user0();
extern bool fscrypt_init_user0_done; extern bool fscrypt_init_user0_done;
bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral); bool fscrypt_create_user_keys(userid_t user_id, int serial, bool ephemeral);
bool fscrypt_destroy_user_key(userid_t user_id); bool fscrypt_destroy_user_keys(userid_t user_id);
bool fscrypt_set_user_key_protection(userid_t user_id, const std::string& secret); bool fscrypt_set_ce_key_protection(userid_t user_id, const std::string& secret);
void fscrypt_deferred_fixate_ce_keys(); void fscrypt_deferred_fixate_ce_keys();
std::vector<int> fscrypt_get_unlocked_users(); std::vector<int> fscrypt_get_unlocked_users();
bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret); bool fscrypt_unlock_ce_storage(userid_t user_id, int serial, const std::string& secret);
bool fscrypt_lock_user_key(userid_t user_id); bool fscrypt_lock_ce_storage(userid_t user_id);
bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial, bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial,
int flags); int flags);

25
VoldNativeService.cpp
View file

@ -607,26 +607,27 @@ binder::Status VoldNativeService::setStorageBindingSeed(const std::vector<uint8_
return translateBool(setKeyStorageBindingSeed(seed)); return translateBool(setKeyStorageBindingSeed(seed));
} }
binder::Status VoldNativeService::createUserKey(int32_t userId, int32_t userSerial, binder::Status VoldNativeService::createUserStorageKeys(int32_t userId, int32_t userSerial,
bool ephemeral) { bool ephemeral) {
ENFORCE_SYSTEM_OR_ROOT; ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK; ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_vold_create_user_key(userId, userSerial, ephemeral)); return translateBool(fscrypt_create_user_keys(userId, userSerial, ephemeral));
} }
binder::Status VoldNativeService::destroyUserKey(int32_t userId) { binder::Status VoldNativeService::destroyUserStorageKeys(int32_t userId) {
ENFORCE_SYSTEM_OR_ROOT; ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK; ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_destroy_user_key(userId)); return translateBool(fscrypt_destroy_user_keys(userId));
} }
binder::Status VoldNativeService::setUserKeyProtection(int32_t userId, const std::string& secret) { binder::Status VoldNativeService::setCeStorageProtection(int32_t userId,
const std::string& secret) {
ENFORCE_SYSTEM_OR_ROOT; ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK; ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_set_user_key_protection(userId, secret)); return translateBool(fscrypt_set_ce_key_protection(userId, secret));
} }
binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_return) { binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_return) {
@ -637,19 +638,19 @@ binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_retur
return Ok(); return Ok();
} }
binder::Status VoldNativeService::unlockUserKey(int32_t userId, int32_t userSerial, binder::Status VoldNativeService::unlockCeStorage(int32_t userId, int32_t userSerial,
const std::string& secret) { const std::string& secret) {
ENFORCE_SYSTEM_OR_ROOT; ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK; ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_unlock_user_key(userId, userSerial, secret)); return translateBool(fscrypt_unlock_ce_storage(userId, userSerial, secret));
} }
binder::Status VoldNativeService::lockUserKey(int32_t userId) { binder::Status VoldNativeService::lockCeStorage(int32_t userId) {
ENFORCE_SYSTEM_OR_ROOT; ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK; ACQUIRE_CRYPT_LOCK;
return translateBool(fscrypt_lock_user_key(userId)); return translateBool(fscrypt_lock_ce_storage(userId));
} }
binder::Status VoldNativeService::prepareUserStorage(const std::optional<std::string>& uuid, binder::Status VoldNativeService::prepareUserStorage(const std::optional<std::string>& uuid,

10
VoldNativeService.h
View file

@ -112,14 +112,14 @@ class VoldNativeService : public BinderService<VoldNativeService>, public os::Bn
binder::Status setStorageBindingSeed(const std::vector<uint8_t>& seed); binder::Status setStorageBindingSeed(const std::vector<uint8_t>& seed);
binder::Status createUserKey(int32_t userId, int32_t userSerial, bool ephemeral); binder::Status createUserStorageKeys(int32_t userId, int32_t userSerial, bool ephemeral);
binder::Status destroyUserKey(int32_t userId); binder::Status destroyUserStorageKeys(int32_t userId);
binder::Status setUserKeyProtection(int32_t userId, const std::string& secret); binder::Status setCeStorageProtection(int32_t userId, const std::string& secret);
binder::Status getUnlockedUsers(std::vector<int>* _aidl_return); binder::Status getUnlockedUsers(std::vector<int>* _aidl_return);
binder::Status unlockUserKey(int32_t userId, int32_t userSerial, const std::string& secret); binder::Status unlockCeStorage(int32_t userId, int32_t userSerial, const std::string& secret);
binder::Status lockUserKey(int32_t userId); binder::Status lockCeStorage(int32_t userId);
binder::Status prepareUserStorage(const std::optional<std::string>& uuid, int32_t userId, binder::Status prepareUserStorage(const std::optional<std::string>& uuid, int32_t userId,
int32_t userSerial, int32_t flags); int32_t userSerial, int32_t flags);

10
binder/android/os/IVold.aidl
View file

@ -85,14 +85,14 @@ interface IVold {
void setStorageBindingSeed(in byte[] seed); void setStorageBindingSeed(in byte[] seed);
void createUserKey(int userId, int userSerial, boolean ephemeral); void createUserStorageKeys(int userId, int userSerial, boolean ephemeral);
void destroyUserKey(int userId); void destroyUserStorageKeys(int userId);
void setUserKeyProtection(int userId, @utf8InCpp String secret); void setCeStorageProtection(int userId, @utf8InCpp String secret);
int[] getUnlockedUsers(); int[] getUnlockedUsers();
void unlockUserKey(int userId, int userSerial, @utf8InCpp String secret); void unlockCeStorage(int userId, int userSerial, @utf8InCpp String secret);
void lockUserKey(int userId); void lockCeStorage(int userId);
void prepareUserStorage(@nullable @utf8InCpp String uuid, int userId, int userSerial, void prepareUserStorage(@nullable @utf8InCpp String uuid, int userId, int userSerial,
int storageFlags); int storageFlags);