Commit graph

4926 commits

Author SHA1 Message Date
Eric Biggers
0803ba0985 Remove most of FDE support
Since Android 10, new devices have been required to use FBE instead of
FDE.  Therefore, the FDE code is no longer needed.

Remove most of cryptfs.cpp.  A few parts of it need to be kept in order
to support the dm-crypt method of adoptable storage encryption.

Keep the FDE-specific binder methods stubbed out for now until their
callers can be removed.

Bug: 191796797
Change-Id: I90b1e4cacd2f3e5cce77a82a0af744fcc7da9400
2021-11-09 16:09:33 -08:00
David Anderson
3d1a532efc Merge changes Ia095340c,I464edc6e
* changes:
  Route error logs to the kernel during early boot.
  Improve vold logging.
2021-11-08 22:46:35 +00:00
David Anderson
52de78e97b Route error logs to the kernel during early boot.
This is needed to debug vold mounting errors before adb is up. It also
helps diagnose failures on devices that store dmesg persistently.

Tested by adding an error log with serial attached.

Bug: 205314634
Test: manual test
Change-Id: Ia095340c562e3f1f94bc44c5d13ad466a7a35345
2021-11-08 13:22:54 -08:00
David Anderson
e179157dc5 Improve vold logging.
This patch adds more error logging to mountFstab. In a few cases, the
were error paths with no existing error logs. In other cases, the log
messages are there to help understand error flow in logs (for example
when a function with lots of error paths returns false).

Bug: 205314634
Test: treehugger builds
Change-Id: I464edc6e74ea0d7419ee9d9b75fd238752c13f4f
2021-11-08 13:22:53 -08:00
Treehugger Robot
2a89e7c577 Merge "Enable dynamic read logs buffer sizing for incfs" 2021-10-28 23:01:58 +00:00
Yurii Zubrytskyi
1d7acfddf7 Enable dynamic read logs buffer sizing for incfs
Default buffer size of 4 pages causes many missed log records
because of ring buffer overflows. This change adds a dynamic
sizing, up to 32 pages, that has shown to decrease dropped
records pretty much to nil

Fallback code automatically decreases the buffer size in case
of kernel memory fragmentation - some logs are still much
better than no logs at all

Bug: 203551890
Test: manual, adb install <Apk>; checked for fallback by
  increasing max size to 1024 pages
Change-Id: I0ea46c1ad2534b1dbb5faaead52afab88b66747b
2021-10-28 14:41:48 -07:00
Tianjie Xu
2c48d37a29 Merge "Delete the checkin directory with the wrong context" 2021-10-25 20:57:29 +00:00
Tianjie
b2ee9e0771 Delete the checkin directory with the wrong context
http://aosp/1845900 creates the directory with the wrong permission
and context. And when we attempt to fix it in http://aosp/1860276, the
device would fail to boot if the device is already on the bad build.

As a temporarily fix, already delete that checkin directory in vold. And
we can revert the deletion when the droidfood daily polulation gets out
of the bad state.

Bug: 203742483
Test: Update from TP1A.211016.001 and make sure the boot doesn't fail
Change-Id: Iec74528c1fe0e5876acc601e5cd008f99852d269
2021-10-22 18:28:29 +00:00
Tianjie Xu
9696432564 Merge "Correct the permission of checkin dir" 2021-10-19 21:37:52 +00:00
Tianjie
62487c92ba Correct the permission of checkin dir
Gmscore runs in cache group, so set the own:group of the checkin
directory to system:cache to align with other use cases. Because we
want proper user separation when accessing the dir, also provide
user id to set the correct selinux mls_level.

Bug: 197636740
Test: check selinux label, make sure checkin can access the directory.
Change-Id: Id47a2a30a2f37c204ef72a81ac2aebe4ee3a37b0
2021-10-16 13:24:01 -07:00
Keith Mok
319f778edc Merge "vold: Reboot if vold failure" 2021-10-16 06:39:29 +00:00
Tianjie Xu
45d04fb4a2 Merge "Create the checkin subdirectory under misc_ce" 2021-10-15 21:19:26 +00:00
Keun-young Park
bba0592dce Merge "Fix vold dump" 2021-10-14 21:19:30 +00:00
Keun young Park
0bccae2070 Fix vold dump
- Original code of re-opening /proc/self/fd/fd does not work
  due to selinux violation.
- fd (=pipe) passed over binder should be used as it is.

Bug: 202999256
Test: $ adb shell su root dumpsys vold
Change-Id: I1fceba89f1b07228e1677c266f87e431e93f7cb5
2021-10-13 16:50:10 -07:00
Xin Li
97e69c9529 Merge "Merge Android 12" 2021-10-07 23:50:41 +00:00
Xin Li
0f3734a07e Merge Android 12
Bug: 202323961
Merged-In: I9d1b60b1bddeade81238cc971d38a5de76f748d5
Change-Id: Ic882ab8446d7c9012d344acdbb3911f6be7cd285
2021-10-06 22:55:15 +00:00
Keith Mok
c73dbac02d vold: Reboot if vold failure
Vold stores some status in memory.
If vold crashed and restarted, those status are not
restored. Reboot device if vold on failure.

Bug: 202048432
Test: manually kill vold
Change-Id: Ic56acd9cc906b0166adf805023e34bbd6b3648a5
2021-10-06 18:47:37 +00:00
Tianjie
570f0585b9 Create the checkin subdirectory under misc_ce
We need some storage on the device to backup the token for checkin
services. So users won't lose the checkin tokens when they clear
the app's storage. If the device accidentally loses the
token without backup, it won't be able to checkin again until
factory reset.

Because we want the token to be user specific, put it under misc_ce
and let vold create the sub-directory.

Bug: 197636740
Test: boot device, check selinux label of the dir
Change-Id: I0e19dcb7f4feb98fd9d1013cfd84b56ff1325373
2021-10-05 22:17:22 -07:00
David Anderson
af91a5ec2d Merge "Pre-create userdata metadata encryption device." am: eb3182f040
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1833056

Change-Id: I9d1b60b1bddeade81238cc971d38a5de76f748d5
2021-09-27 20:16:47 +00:00
David Anderson
eb3182f040 Merge "Pre-create userdata metadata encryption device." 2021-09-27 20:01:24 +00:00
Howard Chen
9c2577b823 Merge "Make the deleteAllKey feature aware of the DSU mode" am: d718c8c577
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1826054

Change-Id: I55554e2a0545de6a747e44f5967534fe16d1341a
2021-09-22 04:22:35 +00:00
Howard Chen
d718c8c577 Merge "Make the deleteAllKey feature aware of the DSU mode" 2021-09-22 04:09:18 +00:00
David Anderson
156d9d2293 Pre-create userdata metadata encryption device.
CreateDevice() implicitly calls WaitForDevice(), which can impact boot
time if there are many uevents waiting to be processed. To alleviate
this, create an empty "userdata" device when vold starts (if metada
encryption is enabled). When it comes time to actually enable metadata
encryption, the device can be re-used and the subsequent Wait should be
much faster.

Bug: 198405417
Test: manual test; device boots
Change-Id: Iaacd10858272f17353475e25075ea1dda13f8fc4
2021-09-21 17:25:33 -07:00
Daniel Rosenberg
9788b022dd Merge "Fix the incorrect parameter quota when userdata is formatted with EXT4" am: 8bd25f8e74
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1825558

Change-Id: I258381abf0a516987abad5357165f8cc6daec4fd
2021-09-20 22:02:27 +00:00
Daniel Rosenberg
8bd25f8e74 Merge "Fix the incorrect parameter quota when userdata is formatted with EXT4" 2021-09-20 21:44:44 +00:00
Howard Chen
cbc1bdba59 Make the deleteAllKey feature aware of the DSU mode
Currently, the vold detects the factory reset by checking the
metadata encryption key. This logic is only valid when the
device is not in DSU mode.

Bug: 199222795
Test: run DSU installation on a Pixel device
Change-Id: Ib40bd44d2ef7c872eba177c9ccfefac8934a49e6
2021-09-15 01:59:59 +00:00
lin.gui
3101ac01ac Fix the incorrect parameter quota when userdata is formatted with EXT4
The userdata will be formatted by VOLD during bootup when the userdata
is not completed file system(EXT4 or F2FS).
For EXT4 on userdata and quota feature is enabled. the parameter quota
is incorrect in ext4::Format(). Change the parameter from
quotatype=prjquota to quotatype=usrquota:grpquota:prjquota.

Bug: 199802158
Test: run cts-on-gsi -m CtsAppSecurityHostTestCases -t
      android.appsecurity.cts.StorageHostTest

Change-Id: Ibff10e8e67b4e6ffabea97f534ff6551aed91963
2021-09-14 02:05:27 +00:00
Thiébaud Weksteen
cdbde55e7b Merge "Replace security_context_t type" am: 530329222f
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1824052

Change-Id: Ie3c20ee9187f349c308798ec370f7aa754fdfa85
2021-09-10 11:31:07 +00:00
Thiébaud Weksteen
530329222f Merge "Replace security_context_t type" 2021-09-10 11:17:18 +00:00
Thiébaud Weksteen
ae8550fd20 Replace security_context_t type
security_context_t has been marked as deprecated in libselinux from
version 3.2. Update to the `char*` type.

Bug: 190808996
Test: m
Change-Id: I6f40e161251c79893d41e12c368715736578aacc
2021-09-10 10:54:19 +02:00
Keith Mok
d5f0a5751e Merge "Set a property if seed binding is enabled." am: cc63a93fd6
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1816736

Change-Id: I80fde534da01e49298c9e7b82617befa32959414
2021-09-02 00:18:47 +00:00
Keith Mok
cc63a93fd6 Merge "Set a property if seed binding is enabled." 2021-09-01 23:55:08 +00:00
Keith Mok
e8600253ac Set a property if seed binding is enabled.
For vehicle binding seed atest

Bug: 157501579
Test: atest vehicle-binding-seed-sh
Change-Id: Ie1dad1735193ce722ec036e38f826a6b90e94526
2021-09-01 22:06:10 +00:00
Xin Li
b9d97763d2 Merge sc-dev-plus-aosp-without-vendor@7634622
Merged-In: I78039d08a9bc7d9a2d285744e6d64f4af6ac851a
Change-Id: I958ef629f8ca43d6539ae90e037b846d9e0b44a3
2021-08-14 06:31:09 +00:00
Shawn Willden
e4190a395a [automerger skipped] Merge "Revert "Detect factory reset and deleteAllKeys"" into sc-dev am: 90c818d9ee -s ours
am skip reason: Merged-In I9c5c547140e8b1bbffb9c1d215f75251f0f1354e with SHA-1 1e6a5f5106 is already in history. Merged-In was found from reverted change.

Reverted change: https://googleplex-android-review.googlesource.com/c/platform/system/vold/+/15517876

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/vold/+/15536478

Change-Id: I78039d08a9bc7d9a2d285744e6d64f4af6ac851a
2021-08-12 01:31:31 +00:00
Shawn Willden
90c818d9ee Merge "Revert "Detect factory reset and deleteAllKeys"" into sc-dev 2021-08-12 01:17:13 +00:00
Shawn Willden
2bab97c368 Revert "Detect factory reset and deleteAllKeys"
Revert "Add deleteAllKeys to IKeystoreMaintenance"

Revert "Enable deleteAllKeys from vold"

Revert "Allow vold to deleteAllKeys in Keystore"

Revert submission 15521094-vold-deleteAllKeys

Reason for revert: Causes infinite loop in Trusty KeyMint
Reverted Changes:
I9c5c54714:Detect factory reset and deleteAllKeys
I2fb0e94db:Allow vold to deleteAllKeys in Keystore
Id23f25c69:Add deleteAllKeys to IKeystoreMaintenance
Ife779307d:Enable deleteAllKeys from vold
I4312b9a11:Enable deleteAllKeys from vold

Bug: 187105270
Change-Id: I8e2621bef234d0a59be422b8d1d8d52a91378a5e
2021-08-12 01:07:00 +00:00
TreeHugger Robot
d7b96bc64f Merge "Add ROLLBACK_RESISTANCE tag to key usage" into sc-dev am: 8f19fd90e3
Original change: https://googleplex-android-review.googlesource.com/c/platform/system/vold/+/15534270

Change-Id: Ieaa3ce08c20df998a8141c77a7f771e40e1c6d0a
2021-08-11 23:16:01 +00:00
TreeHugger Robot
8f19fd90e3 Merge "Add ROLLBACK_RESISTANCE tag to key usage" into sc-dev 2021-08-11 22:59:40 +00:00
Paul Crowley
2160b23d14 [automerger skipped] Detect factory reset and deleteAllKeys am: 0f74bd4811 -s ours
am skip reason: Merged-In I9c5c547140e8b1bbffb9c1d215f75251f0f1354e with SHA-1 1e6a5f5106 is already in history

Original change: https://googleplex-android-review.googlesource.com/c/platform/system/vold/+/15517876

Change-Id: Idcba5a41ce50b3c043a8b80b74d90de0aef50f18
2021-08-11 22:00:38 +00:00
[6;7~
2601eb7f8c Add ROLLBACK_RESISTANCE tag to key usage
If KM is upgraded from a version that does not support rollback
resistance to one that does, we really want our upgraded keys to
include rollback resistance. By passing this tag in when we use the
keys, we ensure that the tag is passed into the upgradeKey request
whenever it is made, which some KM implementations can use to add
rollback resistance to our keys.

Bug: 187105270
Ignore-AOSP-First: no merge path to this branch from AOSP.
Test: Manual
Change-Id: I6154fe26a10b60cd686cc60dbc2e0a85c152f43b
2021-08-11 14:22:41 -07:00
Paul Crowley
c248576dad Merge "Detect factory reset and deleteAllKeys" am: 407b2c2386 am: 85961f7a9c
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1789528

Change-Id: I7608e0cccc2c145f722e0fa85b922af9b1d2d8d6
2021-08-11 18:13:25 +00:00
Paul Crowley
85961f7a9c Merge "Detect factory reset and deleteAllKeys" am: 407b2c2386
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1789528

Change-Id: Ibc05df1c5ceede35fdca6d1e6a5abd67e70519f5
2021-08-11 17:52:00 +00:00
Paul Crowley
0f74bd4811 Detect factory reset and deleteAllKeys
Where metadata encryption is enabled, if there is no metadata encryption
key present and we are generating one anew, then there has been a
factory reset, and this is the first key to be generated. We then call
deleteAllKeys to ensure data from before the factory reset is securely
deleted.

This shouldn't really be necessary; the factory reset call itself
should be doing this. However there are currently three factory reset
paths (settings, recovery, fastboot -w) and it is not clear that all
three are doing this correctly on all devices. Obviously an attacker
can prevent this code from being run by running a version of the OS
that does not include this change; however, if the bootloader is
locked, then keys will be version bound such that they will only work
on locked devices with a sufficiently recent version of the OS. If
every sufficiently recent signed version of the OS includes this change
the attack is defeated.

Bug: 187105270
Test: booted Cuttlefish twice, checked logs
Ignore-AOSP-First: no merge path to this branch from AOSP.
Merged-In: I9c5c547140e8b1bbffb9c1d215f75251f0f1354e
Change-Id: I9c5c547140e8b1bbffb9c1d215f75251f0f1354e
2021-08-11 10:43:58 -07:00
Paul Crowley
407b2c2386 Merge "Detect factory reset and deleteAllKeys" 2021-08-11 17:39:55 +00:00
Paul Crowley
1e6a5f5106 Detect factory reset and deleteAllKeys
Where metadata encryption is enabled, if there is no metadata encryption
key present and we are generating one anew, then there has been a
factory reset, and this is the first key to be generated. We then call
deleteAllKeys to ensure data from before the factory reset is securely
deleted.

This shouldn't really be necessary; the factory reset call itself
should be doing this. However there are currently three factory reset
paths (settings, recovery, fastboot -w) and it is not clear that all
three are doing this correctly on all devices. Obviously an attacker
can prevent this code from being run by running a version of the OS
that does not include this change; however, if the bootloader is
locked, then keys will be version bound such that they will only work
on locked devices with a sufficiently recent version of the OS. If
every sufficiently recent signed version of the OS includes this change
the attack is defeated.

Bug: 187105270
Test: booted Cuttlefish twice, checked logs
Change-Id: I9c5c547140e8b1bbffb9c1d215f75251f0f1354e
2021-08-11 10:29:59 -07:00
Treehugger Robot
ff366fab5f Merge "Remove ndk_platform backend. Use the ndk backend." am: 85705f6c86 am: e66b2b4015
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1778413

Change-Id: I3bf1a2b23581bb543ec1496bb60f5d8052076fce
2021-07-28 12:49:02 +00:00
Treehugger Robot
e66b2b4015 Merge "Remove ndk_platform backend. Use the ndk backend." am: 85705f6c86
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1778413

Change-Id: Ic80a30be678fd7427ee7239f8cdb758dfd483940
2021-07-28 12:35:52 +00:00
Treehugger Robot
85705f6c86 Merge "Remove ndk_platform backend. Use the ndk backend." 2021-07-28 12:26:13 +00:00
Nikita Ioffe
78c9cba6a5 Merge "Remove vold logs related to block devices" am: cbf82ffa29 am: 9bf8553f8d
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1779986

Change-Id: I0f5f606384ccebf21e618617a2dd7e12cc4db7b6
2021-07-28 11:26:30 +00:00