Label keys with all the possible FBE prefixes that might apply

We don't know which FS and kernel version is going to want these keys,
so put them in the kernel three times with all three possible prefixes.

Test: Marlin set up before this change successfully boots after it.
Change-Id: I6ccfe0894551ba068de9bf5e23fe4fd1e10e36b1
This commit is contained in:
Paul Crowley 2017-06-19 16:05:55 -07:00
parent ce02449264
commit cd8bfe3d7f
2 changed files with 34 additions and 23 deletions

View file

@ -73,9 +73,16 @@ static bool fillKey(const std::string& key, ext4_encryption_key* ext4_key) {
return true;
}
std::string keyname(const std::string& raw_ref) {
static char const* const NAME_PREFIXES[] = {
"ext4",
"f2fs",
"fscrypt",
nullptr
};
static std::string keyname(const std::string& prefix, const std::string& raw_ref) {
std::ostringstream o;
o << "ext4:";
o << prefix << ":";
for (auto i : raw_ref) {
o << std::hex << std::setw(2) << std::setfill('0') << (int)i;
}
@ -98,9 +105,10 @@ bool installKey(const std::string& key, std::string* raw_ref) {
ext4_encryption_key ext4_key;
if (!fillKey(key, &ext4_key)) return false;
*raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size);
auto ref = keyname(*raw_ref);
key_serial_t device_keyring;
if (!e4cryptKeyring(&device_keyring)) return false;
for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
auto ref = keyname(*name_prefix, *raw_ref);
key_serial_t key_id =
add_key("logon", ref.c_str(), (void*)&ext4_key, sizeof(ext4_key), device_keyring);
if (key_id == -1) {
@ -109,14 +117,16 @@ bool installKey(const std::string& key, std::string* raw_ref) {
}
LOG(DEBUG) << "Added key " << key_id << " (" << ref << ") to keyring " << device_keyring
<< " in process " << getpid();
}
return true;
}
bool evictKey(const std::string& raw_ref) {
auto ref = keyname(raw_ref);
key_serial_t device_keyring;
if (!e4cryptKeyring(&device_keyring)) return false;
bool success = true;
for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
auto ref = keyname(*name_prefix, raw_ref);
auto key_serial = keyctl_search(device_keyring, "logon", ref.c_str(), 0);
// Unlink the key from the keyring. Prefer unlinking to revoking or
@ -125,10 +135,12 @@ bool evictKey(const std::string& raw_ref) {
// referenced from places it shouldn't be.
if (keyctl_unlink(key_serial, device_keyring) != 0) {
PLOG(ERROR) << "Failed to unlink key with serial " << key_serial << " ref " << ref;
return false;
}
success = false;
} else {
LOG(DEBUG) << "Unlinked key with serial " << key_serial << " ref " << ref;
return true;
}
}
return success;
}
bool retrieveAndInstallKey(bool create_if_absent, const std::string& key_path,

View file

@ -36,7 +36,6 @@ struct ext4_encryption_key {
uint32_t size;
};
std::string keyname(const std::string& raw_ref);
bool randomKey(std::string* key);
bool installKey(const std::string& key, std::string* raw_ref);
bool evictKey(const std::string& raw_ref);