Merge changes If530edaf,I7f11a135,I28412f24,Ia27a61fa,If221e239 into main

* changes: Revert "fskeyring & userspace reboot: support CE keys" Evict adoptable storage CE and DE keys when possible Don't erase key from s_new_ce_keys on eviction Call fscrypt_destroy_volume_keys() under mCryptLock Fold read_and_install_user_ce_key() into fscrypt_unlock_user_key()
2023-10-06 19:52:39 +00:00 · 2023-10-06 19:52:39 +00:00 · f15785a54d
commit f15785a54d
parent ab9fe7e68a 01604fb13f
6 changed files with 129 additions and 229 deletions
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@ -106,15 +106,25 @@ std::set<userid_t> s_ephemeral_users;
 // New CE keys that haven't been committed to disk yet
 std::map<userid_t, KeyBuffer> s_new_ce_keys;
 // CE key fixation operations that have been deferred to checkpoint commit
 std::map<std::string, std::string> s_deferred_fixations;
 // The system DE encryption policy
 EncryptionPolicy s_device_policy;
-// Map user ids to encryption policies
+// Struct that holds the EncryptionPolicy for each CE or DE key that is currently installed
-std::map<userid_t, EncryptionPolicy> s_de_policies;
+// (added to the kernel) for a particular user
-std::map<userid_t, EncryptionPolicy> s_ce_policies;
+struct UserPolicies {
    // Internal storage policy.  Exists whenever a user's UserPolicies exists at all, and used
    // instead of a map entry keyed by an empty UUID to make this invariant explicit.
    EncryptionPolicy internal;
    // Adoptable storage policies, indexed by (nonempty) volume UUID
    std::map<std::string, EncryptionPolicy> adoptable;
 };
-// CE key fixation operations that have been deferred to checkpoint commit
+// The currently installed CE and DE keys for each user.  Protected by VolumeManager::mCryptLock.
-std::map<std::string, std::string> s_deferred_fixations;
+std::map<userid_t, UserPolicies> s_ce_policies;
 std::map<userid_t, UserPolicies> s_de_policies;
 }  // namespace
@ -316,18 +326,6 @@ static bool get_volume_file_encryption_options(EncryptionOptions* options) {
    return true;
 }
 static bool read_and_install_user_ce_key(userid_t user_id,
                                         const android::vold::KeyAuthentication& auth) {
    if (s_ce_policies.count(user_id) != 0) return true;
    KeyBuffer ce_key;
    if (!read_and_fixate_user_ce_key(user_id, auth, &ce_key)) return false;
    EncryptionPolicy ce_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
    s_ce_policies[user_id] = ce_policy;
    LOG(DEBUG) << "Installed ce key for user " << user_id;
    return true;
 }
 // Prepare a directory without assigning it an encryption policy.  The directory
 // will inherit the encryption policy of its parent directory, or will be
 // unencrypted if the parent directory is unencrypted.
@ -410,7 +408,7 @@ static bool create_de_key(userid_t user_id, bool ephemeral) {
        return false;
    EncryptionPolicy de_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
-    s_de_policies[user_id] = de_policy;
+    s_de_policies[user_id].internal = de_policy;
    LOG(INFO) << "Created DE key for user " << user_id;
    return true;
 }
@ -428,21 +426,11 @@ static bool create_ce_key(userid_t user_id, bool ephemeral) {
    }
    EncryptionPolicy ce_policy;
    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
-    s_ce_policies[user_id] = ce_policy;
+    s_ce_policies[user_id].internal = ce_policy;
    LOG(INFO) << "Created CE key for user " << user_id;
    return true;
 }
 static bool lookup_policy(const std::map<userid_t, EncryptionPolicy>& key_map, userid_t user_id,
                          EncryptionPolicy* policy) {
    auto refi = key_map.find(user_id);
    if (refi == key_map.end()) {
        return false;
    }
    *policy = refi->second;
    return true;
 }
 static bool is_numeric(const char* name) {
    for (const char* p = name; *p != '\0'; p++) {
        if (!isdigit(*p)) return false;
@ -482,8 +470,8 @@ static bool load_all_de_keys() {
        }
        EncryptionPolicy de_policy;
        if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
-        auto ret = s_de_policies.insert({user_id, de_policy});
+        const auto& [existing, is_new] = s_de_policies.insert({user_id, {de_policy, {}}});
-        if (!ret.second && ret.first->second != de_policy) {
+        if (!is_new && existing->second.internal != de_policy) {
            LOG(ERROR) << "DE policy for user" << user_id << " changed";
            return false;
        }
@ -494,17 +482,6 @@ static bool load_all_de_keys() {
    return true;
 }
 // Attempt to reinstall CE keys for users that we think are unlocked.
 static bool try_reload_ce_keys() {
    for (const auto& it : s_ce_policies) {
        if (!android::vold::reloadKeyFromSessionKeyring(DATA_MNT_POINT, it.second)) {
            LOG(ERROR) << "Failed to load CE key from session keyring for user " << it.first;
            return false;
        }
    }
    return true;
 }
 bool fscrypt_initialize_systemwide_keys() {
    LOG(INFO) << "fscrypt_initialize_systemwide_keys";
@ -561,8 +538,8 @@ static bool prepare_special_dirs() {
    // On first boot, we'll be creating /data/data for the first time, and user
    // 0's CE key will be installed already since it was just created.  Take the
    // opportunity to also set the encryption policy of /data/data right away.
-    EncryptionPolicy ce_policy;
+    if (s_ce_policies.count(0) != 0) {
-    if (lookup_policy(s_ce_policies, 0, &ce_policy)) {
+        const EncryptionPolicy& ce_policy = s_ce_policies[0].internal;
        if (!prepare_dir_with_policy(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy)) {
            // Preparing /data/data failed, yet we had just generated a new CE
            // key because one wasn't stored.  Before erroring out, try deleting
@ -633,13 +610,6 @@ bool fscrypt_init_user0() {
        return false;
    }
    // In some scenarios (e.g. userspace reboot) we might unmount userdata
    // without doing a hard reboot. If CE keys were stored in fs keyring then
    // they will be lost after unmount. Attempt to re-install them.
    if (IsFbeEnabled() && android::vold::isFsKeyringSupported()) {
        if (!try_reload_ce_keys()) return false;
    }
    fscrypt_init_user0_done = true;
    return true;
 }
@ -683,30 +653,34 @@ static void drop_caches_if_needed() {
    }
 }
-static bool evict_ce_key(userid_t user_id) {
+// Evicts all the user's keys of one type from all volumes (internal and adoptable).
 // This evicts either CE keys or DE keys, depending on which map is passed.
 static bool evict_user_keys(std::map<userid_t, UserPolicies>& policy_map, userid_t user_id) {
    bool success = true;
-    EncryptionPolicy policy;
+    auto it = policy_map.find(user_id);
-    // If we haven't loaded the CE key, no need to evict it.
+    if (it != policy_map.end()) {
-    if (lookup_policy(s_ce_policies, user_id, &policy)) {
+        const UserPolicies& policies = it->second;
-        success &= android::vold::evictKey(DATA_MNT_POINT, policy);
+        success &= android::vold::evictKey(BuildDataPath(""), policies.internal);
        for (const auto& [volume_uuid, policy] : policies.adoptable) {
            success &= android::vold::evictKey(BuildDataPath(volume_uuid), policy);
        }
        policy_map.erase(it);
        drop_caches_if_needed();
    }
    s_ce_policies.erase(user_id);
    s_new_ce_keys.erase(user_id);
    return success;
 }
 // Evicts and destroys all CE and DE keys for a user.  This is called when the user is removed.
 bool fscrypt_destroy_user_key(userid_t user_id) {
    LOG(DEBUG) << "fscrypt_destroy_user_key(" << user_id << ")";
    if (!IsFbeEnabled()) {
        return true;
    }
    bool success = true;
-    success &= evict_ce_key(user_id);
+
-    EncryptionPolicy de_policy;
+    success &= evict_user_keys(s_ce_policies, user_id);
-    success &= lookup_policy(s_de_policies, user_id, &de_policy) &&
+    success &= evict_user_keys(s_de_policies, user_id);
-               android::vold::evictKey(DATA_MNT_POINT, de_policy);
+
    s_de_policies.erase(user_id);
    if (!s_ephemeral_users.erase(user_id)) {
        auto ce_path = get_ce_key_directory_path(user_id);
        if (!s_new_ce_keys.erase(user_id)) {
@ -759,7 +733,7 @@ static std::string volume_secdiscardable_path(const std::string& volume_uuid) {
 }
 static bool read_or_create_volkey(const std::string& misc_path, const std::string& volume_uuid,
-                                  EncryptionPolicy* policy) {
+                                  UserPolicies& user_policies, EncryptionPolicy* policy) {
    auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
    std::string secdiscardable_hash;
    if (android::vold::pathExists(secdiscardable_path)) {
@ -780,6 +754,7 @@ static bool read_or_create_volkey(const std::string& misc_path, const std::strin
    if (!retrieveOrGenerateKey(key_path, key_path + "_tmp", auth, makeGen(options), &key))
        return false;
    if (!install_storage_key(BuildDataPath(volume_uuid), options, key, policy)) return false;
    user_policies.adoptable[volume_uuid] = *policy;
    return true;
 }
@ -887,37 +862,38 @@ void fscrypt_deferred_fixate_ce_keys() {
 std::vector<int> fscrypt_get_unlocked_users() {
    std::vector<int> user_ids;
-    for (const auto& it : s_ce_policies) {
+    for (const auto& [user_id, user_policies] : s_ce_policies) {
-        user_ids.push_back(it.first);
+        user_ids.push_back(user_id);
    }
    return user_ids;
 }
-// TODO: rename to 'install' for consistency, and take flags to know which keys to install
+// Unlocks internal CE storage for the given user.  This only unlocks internal storage, since
 // fscrypt_prepare_user_storage() has to be called for each adoptable storage volume anyway (since
 // the volume might have been absent when the user was created), and that handles the unlocking.
 bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) {
    LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial;
-    if (IsFbeEnabled()) {
+    if (!IsFbeEnabled()) return true;
    if (s_ce_policies.count(user_id) != 0) {
        LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id;
        return true;
    }
    auto auth = authentication_from_hex(secret_hex);
    if (!auth) return false;
-        if (!read_and_install_user_ce_key(user_id, *auth)) {
+    KeyBuffer ce_key;
-            LOG(ERROR) << "Couldn't read key for " << user_id;
+    if (!read_and_fixate_user_ce_key(user_id, *auth, &ce_key)) return false;
-            return false;
+    EncryptionPolicy ce_policy;
-        }
+    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
-    }
+    s_ce_policies[user_id].internal = ce_policy;
    LOG(DEBUG) << "Installed ce key for user " << user_id;
    return true;
 }
-// TODO: rename to 'evict' for consistency
+// Locks CE storage for the given user.  This locks both internal and adoptable storage.
 bool fscrypt_lock_user_key(userid_t user_id) {
    LOG(DEBUG) << "fscrypt_lock_user_key " << user_id;
-    if (IsFbeEnabled()) {
+    if (!IsFbeEnabled()) return true;
-        return evict_ce_key(user_id);
+    return evict_user_keys(s_ce_policies, user_id);
    }
    return true;
 }
 static bool prepare_subdirs(const std::string& action, const std::string& volume_uuid,
@ -967,14 +943,18 @@ bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_
        auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
        if (IsFbeEnabled()) {
-            if (volume_uuid.empty()) {
+            auto it = s_de_policies.find(user_id);
-                if (!lookup_policy(s_de_policies, user_id, &de_policy)) {
+            if (it == s_de_policies.end()) {
                LOG(ERROR) << "Cannot find DE policy for user " << user_id;
                return false;
            }
            UserPolicies& user_de_policies = it->second;
            if (volume_uuid.empty()) {
                de_policy = user_de_policies.internal;
            } else {
                auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
-                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, &de_policy)) {
+                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, user_de_policies,
                                           &de_policy)) {
                    return false;
                }
            }
@ -1011,14 +991,18 @@ bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_
        auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
        if (IsFbeEnabled()) {
-            if (volume_uuid.empty()) {
+            auto it = s_ce_policies.find(user_id);
-                if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) {
+            if (it == s_ce_policies.end()) {
                LOG(ERROR) << "Cannot find CE policy for user " << user_id;
                return false;
            }
            UserPolicies& user_ce_policies = it->second;
            if (volume_uuid.empty()) {
                ce_policy = user_ce_policies.internal;
            } else {
                auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
-                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, &ce_policy)) {
+                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, user_ce_policies,
                                           &ce_policy)) {
                    return false;
                }
            }
@ -1148,12 +1132,27 @@ static bool destroy_volume_keys(const std::string& directory_path, const std::st
    return res;
 }
 static void erase_volume_policies(std::map<userid_t, UserPolicies>& policy_map,
                                  const std::string& volume_uuid) {
    for (auto& [user_id, user_policies] : policy_map) {
        user_policies.adoptable.erase(volume_uuid);
    }
 }
 // Destroys all CE and DE keys for an adoptable storage volume that is permanently going away.
 // Requires VolumeManager::mCryptLock.
 bool fscrypt_destroy_volume_keys(const std::string& volume_uuid) {
    if (!IsFbeEnabled()) return true;
    bool res = true;
    LOG(DEBUG) << "fscrypt_destroy_volume_keys for volume " << escape_empty(volume_uuid);
    auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
    res &= android::vold::runSecdiscardSingle(secdiscardable_path);
    res &= destroy_volume_keys("/data/misc_ce", volume_uuid);
    res &= destroy_volume_keys("/data/misc_de", volume_uuid);
    // Drop the CE and DE policies stored in memory, as they are not needed anymore.  Note that it's
    // not necessary to also evict the corresponding keys from the kernel, as that happens
    // automatically as a result of the volume being unmounted.
    erase_volume_policies(s_ce_policies, volume_uuid);
    erase_volume_policies(s_de_policies, volume_uuid);
    return res;
 }
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@ -164,7 +164,7 @@ static bool fscryptKeyring(key_serial_t* device_keyring) {
    return true;
 }
-// Add an encryption key of type "logon" to the global session keyring.
+// Add an encryption key to the legacy global session keyring.
 static bool installKeyLegacy(const KeyBuffer& key, const std::string& raw_ref) {
    // Place fscrypt_key into automatically zeroing buffer.
    KeyBuffer fsKeyBuffer(sizeof(fscrypt_key));
@ -187,32 +187,6 @@ static bool installKeyLegacy(const KeyBuffer& key, const std::string& raw_ref) {
    return true;
 }
 // Installs fscrypt-provisioning key into session level kernel keyring.
 // This allows for the given key to be installed back into filesystem keyring.
 // For more context see reloadKeyFromSessionKeyring.
 static bool installProvisioningKey(const KeyBuffer& key, const std::string& ref,
                                   const fscrypt_key_specifier& key_spec) {
    key_serial_t device_keyring;
    if (!fscryptKeyring(&device_keyring)) return false;
    // Place fscrypt_provisioning_key_payload into automatically zeroing buffer.
    KeyBuffer buf(sizeof(fscrypt_provisioning_key_payload) + key.size(), 0);
    fscrypt_provisioning_key_payload& provisioning_key =
            *reinterpret_cast<fscrypt_provisioning_key_payload*>(buf.data());
    memcpy(provisioning_key.raw, key.data(), key.size());
    provisioning_key.type = key_spec.type;
    key_serial_t key_id = add_key("fscrypt-provisioning", ref.c_str(), (void*)&provisioning_key,
                                  buf.size(), device_keyring);
    if (key_id == -1) {
        PLOG(ERROR) << "Failed to insert fscrypt-provisioning key for " << ref
                    << " into session keyring";
        return false;
    }
    LOG(DEBUG) << "Added fscrypt-provisioning key for " << ref << " to session keyring";
    return true;
 }
 // Build a struct fscrypt_key_specifier for use in the key management ioctls.
 static bool buildKeySpecifier(fscrypt_key_specifier* spec, const EncryptionPolicy& policy) {
    switch (policy.options.version) {
@ -240,34 +214,6 @@ static bool buildKeySpecifier(fscrypt_key_specifier* spec, const EncryptionPolic
    }
 }
 // Installs key into keyring of a filesystem mounted on |mountpoint|.
 //
 // It's callers responsibility to fill key specifier, and either arg->raw or arg->key_id.
 //
 // In case arg->key_spec.type equals to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER
 // arg->key_spec.u.identifier will be populated with raw key reference generated
 // by kernel.
 //
 // For documentation on difference between arg->raw and arg->key_id see
 // https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html#fs-ioc-add-encryption-key
 static bool installFsKeyringKey(const std::string& mountpoint, const EncryptionOptions& options,
                                fscrypt_add_key_arg* arg) {
    if (options.use_hw_wrapped_key) arg->__flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
    android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
    if (fd == -1) {
        PLOG(ERROR) << "Failed to open " << mountpoint << " to install key";
        return false;
    }
    if (ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg) != 0) {
        PLOG(ERROR) << "Failed to install fscrypt key to " << mountpoint;
        return false;
    }
    return true;
 }
 bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
                const KeyBuffer& key, EncryptionPolicy* policy) {
    const std::lock_guard<std::mutex> lock(fscrypt_keyring_mutex);
@ -304,24 +250,33 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
            return false;
    }
    if (options.use_hw_wrapped_key) arg->__flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
    // Provide the raw key.
    arg->raw_size = key.size();
    memcpy(arg->raw, key.data(), key.size());
-    if (!installFsKeyringKey(mountpoint, options, arg)) return false;
+    android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
    if (fd == -1) {
        PLOG(ERROR) << "Failed to open " << mountpoint << " to install key";
        return false;
    }
    if (ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg) != 0) {
        PLOG(ERROR) << "Failed to install fscrypt key to " << mountpoint;
        return false;
    }
    if (arg->key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
        // Retrieve the key identifier that the kernel computed.
        policy->key_raw_ref =
                std::string((char*)arg->key_spec.u.identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
    }
-    std::string ref = keyrefstring(policy->key_raw_ref);
+    LOG(DEBUG) << "Installed fscrypt key with ref " << keyrefstring(policy->key_raw_ref) << " to "
-    LOG(DEBUG) << "Installed fscrypt key with ref " << ref << " to " << mountpoint;
+               << mountpoint;
    if (!installProvisioningKey(key, ref, arg->key_spec)) return false;
    return true;
 }
-// Remove an encryption key of type "logon" from the global session keyring.
+// Remove an encryption key from the legacy global session keyring.
 static bool evictKeyLegacy(const std::string& raw_ref) {
    key_serial_t device_keyring;
    if (!fscryptKeyring(&device_keyring)) return false;
@ -344,26 +299,6 @@ static bool evictKeyLegacy(const std::string& raw_ref) {
    return success;
 }
 static bool evictProvisioningKey(const std::string& ref) {
    key_serial_t device_keyring;
    if (!fscryptKeyring(&device_keyring)) {
        return false;
    }
    auto key_serial = keyctl_search(device_keyring, "fscrypt-provisioning", ref.c_str(), 0);
    if (key_serial == -1 && errno != ENOKEY) {
        PLOG(ERROR) << "Error searching session keyring for fscrypt-provisioning key for " << ref;
        return false;
    }
    if (key_serial != -1 && keyctl_unlink(key_serial, device_keyring) != 0) {
        PLOG(ERROR) << "Failed to unlink fscrypt-provisioning key for " << ref
                    << " from session keyring";
        return false;
    }
    return true;
 }
 static void waitForBusyFiles(const struct fscrypt_key_specifier key_spec, const std::string ref,
                             const std::string mountpoint) {
    android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
@ -462,8 +397,6 @@ bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy) {
        std::thread busyFilesThread(waitForBusyFiles, arg.key_spec, ref, mountpoint);
        busyFilesThread.detach();
    }
    if (!evictProvisioningKey(ref)) return false;
    return true;
 }
@ -485,31 +418,5 @@ bool retrieveOrGenerateKey(const std::string& key_path, const std::string& tmp_p
    return true;
 }
 bool reloadKeyFromSessionKeyring(const std::string& mountpoint, const EncryptionPolicy& policy) {
    key_serial_t device_keyring;
    if (!fscryptKeyring(&device_keyring)) {
        return false;
    }
    std::string ref = keyrefstring(policy.key_raw_ref);
    auto key_serial = keyctl_search(device_keyring, "fscrypt-provisioning", ref.c_str(), 0);
    if (key_serial == -1) {
        PLOG(ERROR) << "Failed to find fscrypt-provisioning key for " << ref
                    << " in session keyring";
        return false;
    }
    LOG(DEBUG) << "Installing fscrypt-provisioning key for " << ref << " back into " << mountpoint
               << " fs-keyring";
    struct fscrypt_add_key_arg arg;
    memset(&arg, 0, sizeof(arg));
    if (!buildKeySpecifier(&arg.key_spec, policy)) return false;
    arg.key_id = key_serial;
    if (!installFsKeyringKey(mountpoint, policy.options, &arg)) return false;
    return true;
 }
 }  // namespace vold
 }  // namespace android
--- a/KeyUtil.h
+++ b/KeyUtil.h
@ -49,16 +49,11 @@ bool isFsKeyringSupported(void);
 // on the specified filesystem using the specified encryption policy version.
 //
 // For v1 policies, we use FS_IOC_ADD_ENCRYPTION_KEY if the kernel supports it.
-// Otherwise we add the key to the global session keyring as a "logon" key.
+// Otherwise we add the key to the legacy global session keyring.
 //
 // For v2 policies, we always use FS_IOC_ADD_ENCRYPTION_KEY; it's the only way
 // the kernel supports.
 //
 // If kernel supports FS_IOC_ADD_ENCRYPTION_KEY, also installs key of
 // fscrypt-provisioning type to the global session keyring. This makes it
 // possible to unmount and then remount mountpoint without losing the file-based
 // key.
 //
 // Returns %true on success, %false on failure.  On success also sets *policy
 // to the EncryptionPolicy used to refer to this key.
 bool installKey(const std::string& mountpoint, const android::fscrypt::EncryptionOptions& options,
@ -66,10 +61,10 @@ bool installKey(const std::string& mountpoint, const android::fscrypt::Encryptio
 // Evict a file-based encryption key from the kernel.
 //
-// This undoes the effect of installKey().
+// We use FS_IOC_REMOVE_ENCRYPTION_KEY if the kernel supports it.  Otherwise we
 // remove the key from the legacy global session keyring.
 //
-// If the kernel doesn't support the filesystem-level keyring, the caller is
+// In the latter case, the caller is responsible for dropping caches.
 // responsible for dropping caches.
 bool evictKey(const std::string& mountpoint, const android::fscrypt::EncryptionPolicy& policy);
 // Retrieves the key from the named directory, or generates it if it doesn't
@ -78,11 +73,6 @@ bool retrieveOrGenerateKey(const std::string& key_path, const std::string& tmp_p
                           const KeyAuthentication& key_authentication, const KeyGeneration& gen,
                           KeyBuffer* key);
 // Re-installs a file-based encryption key of fscrypt-provisioning type from the
 // global session keyring back into fs keyring of the mountpoint.
 bool reloadKeyFromSessionKeyring(const std::string& mountpoint,
                                 const android::fscrypt::EncryptionPolicy& policy);
 }  // namespace vold
 }  // namespace android
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@ -256,9 +256,19 @@ binder::Status VoldNativeService::forgetPartition(const std::string& partGuid,
    ENFORCE_SYSTEM_OR_ROOT;
    CHECK_ARGUMENT_HEX(partGuid);
    CHECK_ARGUMENT_HEX(fsUuid);
-    ACQUIRE_LOCK;
+    bool success = true;
-    return translate(VolumeManager::Instance()->forgetPartition(partGuid, fsUuid));
+    {
        ACQUIRE_LOCK;
        success &= VolumeManager::Instance()->forgetPartition(partGuid, fsUuid);
    }
    {
        ACQUIRE_CRYPT_LOCK;
        success &= fscrypt_destroy_volume_keys(fsUuid);
    }
    return translateBool(success);
 }
 binder::Status VoldNativeService::mount(
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@ -349,25 +349,19 @@ void VolumeManager::listVolumes(android::vold::VolumeBase::Type type,
    }
 }
-int VolumeManager::forgetPartition(const std::string& partGuid, const std::string& fsUuid) {
+bool VolumeManager::forgetPartition(const std::string& partGuid, const std::string& fsUuid) {
    std::string normalizedGuid;
    if (android::vold::NormalizeHex(partGuid, normalizedGuid)) {
        LOG(WARNING) << "Invalid GUID " << partGuid;
-        return -1;
+        return false;
    }
    bool success = true;
    std::string keyPath = android::vold::BuildKeyPath(normalizedGuid);
    if (unlink(keyPath.c_str()) != 0) {
        LOG(ERROR) << "Failed to unlink " << keyPath;
-        success = false;
+        return false;
    }
-    if (IsFbeEnabled()) {
+    return true;
        if (!fscrypt_destroy_volume_keys(fsUuid)) {
            success = false;
        }
    }
    return success ? 0 : -1;
 }
 void VolumeManager::destroyEmulatedVolumesForUser(userid_t userId) {
--- a/VolumeManager.h
+++ b/VolumeManager.h
@ -106,7 +106,7 @@ class VolumeManager {
    userid_t getSharedStorageUser(userid_t userId);
-    int forgetPartition(const std::string& partGuid, const std::string& fsUuid);
+    bool forgetPartition(const std::string& partGuid, const std::string& fsUuid);
    int onUserAdded(userid_t userId, int userSerialNumber, userid_t cloneParentUserId);
    int onUserRemoved(userid_t userId);