Commit graph

75 commits

Author SHA1 Message Date
Paul Lawrence
45f10533f8 Revert "Revert "Encrypt phone even if pattern or no keyguard""
Don't block based on keyguard type, and pass type to encryption function.

Requires:
  https://googleplex-android-review.git.corp.google.com/#/c/444201/
or encryption will no longer work.

This reverts commit efec3f2927.

Change-Id: I431589a56eb11118027e0a5a84f55e973b1084aa
2014-04-10 14:30:31 +00:00
Paul Lawrence
efec3f2927 Revert "Encrypt phone even if pattern or no keyguard"
This reverts commit 5cc86c5741.

Without two more commits, this will break encryption. I'll re-commit when the other two pass code review.

Change-Id: I71720d065c16cf0f7f534e74ffe883f1e113c477
2014-04-03 20:55:47 +00:00
Paul Lawrence
5cc86c5741 Encrypt phone even if pattern or no keyguard
Add option to enablecrypto to take type, allowing us to set type
when encrypting.

Bug: 13749169
Change-Id: If22fcfa93f1ebd1a5bd3b0077bb3bd8ae71fe819
2014-04-03 19:20:28 +00:00
Paul Lawrence
cc215381dd Merge "Store password in vold" 2014-03-21 20:40:36 +00:00
Paul Lawrence
87999173dd Don't corrupt ssd when encrypting and power fails
Stop encryption when battery is low, mark position, and continue on reboot.

Note - support for multiple encrypted volumes removed as no devices seem
to exist with an fstab that uses this feature. If you want support for such
a device, contact me and we will re-add it with appropriate testing.

Bug: 13284213
Change-Id: I1f7178e4f7dd8ea816cbc03ab5c4f6543e98acaa
2014-03-21 18:30:26 +00:00
Paul Lawrence
399317ede4 Store password in vold
If we are not to double prompt, we need to pass the password from
CryptKeeper to KeyStore. Since the entire framework is taken down
and restarted, we must store the password in a secure system daemon.
There seems no better way than holding it in vold.

Change-Id: Ia60f2f051fc3f87c4b6468465f17b655f43f97de
2014-03-21 11:15:39 -07:00
Paul Lawrence
684dbdf316 Infrastructure to securely allow only one prompt at boot when encrypted
Add a call to vold that says if we decrypted the data partition. Reset the
flag so that it only returns true the first time.

Bug: 12990752
Change-Id: Ib00be87137c00fb8ad29205c85a3ea187764b702
2014-02-14 17:41:18 +00:00
Paul Lawrence
1348603357 Enable auto-encrypt drive at startup
Modify enablecrypto command to make the password optional. When it is
not there, default encrypt the device.

Remove a warning by making at least some parts of this file const-correct.

Bug: 11985952
Change-Id: Ie27da4c4072386d9d6519d97ff46c6dc4ed188dc
2014-02-14 09:34:44 -08:00
Paul Lawrence
f4faa575c9 Support default, pattern, pin and password encryption types
Store encryption type in crypto footer, and provide functions to
manipulate it. Add mount_default_encrypted command to vdc to allow
mounting of default encrypted volumes at boot time.

Bug: 8769627
Change-Id: Ie41848f258e128b48b579e09789abfa24c95e2b2
2014-02-12 14:54:40 -08:00
Mark Salyzyn
3e971277db vold: suppress unused argument warning messages
Change-Id: Ic1ab533f756fbd44b1f2e5ae12e2f5736ace7740
2014-02-12 20:18:28 +00:00
JP Abgrall
502dc74153 vold: cryptfs: Retry encryption after killing processes using /data
Currently, if a non-framework process or service is using /data,
unmounting will fail as nothing will kill it.
Instead of rebooting on unmount failure, we now kill all processes
using /data, then try one more time.

Bug: 11291208
Change-Id: I6c5276c78aa55965914ace96e1db74dc80fca3c1
2013-11-01 13:08:46 -07:00
Jeff Sharkey
ba6ae8db13 Add support for more expressive SD card permissions
We now run an sdcard fuse daemon on top of a physical SD card.
Add support for that.

Bug: 10330128

Change-Id: I6a291f861ccb0f2911c07cc8f659e2cec4e6d76c
2013-10-08 10:13:04 -07:00
Kenny Root
c4c70f15bb Change key derivation to scrypt
scrypt is a sequential memory-hard key derivation algorithm that makes
it more difficult for adversaries to brute force passwords using
specialized equipment. See http://www.tarsnap.com/scrypt/scrypt.pdf for
more details of the algorithm.

This adds support for initializing disk encryption using scrypt and
upgrading from the previous PBKDF2 algorithm.

Change-Id: I1d26db4eb9d27fea7310be3e49c8e6219e6d2c3b
2013-06-24 09:40:54 -07:00
Kenny Root
c96a5f8edf Extract some version constants to header
In order to make it easier to upgrade the crypto footer, extract some
constants to a header file instead. Then the header can control what the
current version is and the upgrade_crypto_ftr code should be the only
thing that needs to be updated.

Change-Id: I3ed5a7d3b640419cd8af91388d94a00de8cc09db
2013-06-14 12:50:02 -07:00
Ken Sumrall
160b4d68ec vold: Add support for unencrypted persistent info
In order to display the correct language, timezone, airplane
mode and other settings on the decrypt screen, a copy of those
settings needs to be stored unencrypted so the framework can
query them.  This adds support to vold to store up to 32
property like key/value pairs that are not encrypted.

Change-Id: Id5c936d2c57d46ed5cff9325d92ba1e8d2ec8972
2013-04-26 15:44:59 -07:00
Ken Sumrall
3ad9072a5d Add the new verifypw command to vold/cryptfs
This vold command returns 0 if the given password matches the password
used to decrypt the device on boot.  It returns 1 if they don't match,
and it returns -1 on an internal error, and -2 if the device is not encrypted.

Also check the uid of the sender of the command and only allow the root and
system users to issue cryptfs commands.

Change-Id: I5e5ae3b72a2d7814ae68c2d49aa9deb90fb1dac5
2011-10-12 19:10:38 -07:00
Ken Sumrall
0b8b597193 Add the ability to revert a crypto mapping when unmounting a volume
Add the force_and_revert option to the unmount command which will force
the unmount, and revert a crypto mapping.  This is used during factory
reset so that when the internal sdcard volume is formatted, it formats
the raw device, not the encrypted mapping.

Change-Id: I36b6ff9bb54863b121de635472a303bf4a2334a9
2011-08-31 18:09:35 -07:00
Ken Sumrall
29d8da8cef vold: allow to store key in a file on another partition
Add support for keeping the keys in a separate file on another partition,
for devices with no space reserved for a footer after the userdata filesystem.

Add support for encrypting the volumes managed by vold, if they meet certain
criteria, namely being marked as nonremovable and encryptable in vold.fstab.
A bit of trickiness is required to keep vold happy.

Change-Id: Idf0611f74b56c1026c45742ca82e0c26e58828fe
2011-06-02 16:30:14 -07:00
Ken Sumrall
7f7dbaa278 Improve detection of incomplete encryption
Bug 3384231 is punted to MR1, but the code to set the flag is already
in the tree, so this CL does 3 things:

1.  Comments out the lines that set the flag
2.  Removes the change to the checkpw that was added in the last change.
3.  Implements a new command to check the flag (which no one is calling
    yet and the flag won't be set anyhow).

When MR1 comes, it will be a simple matter to enable the flag setting
code and start testing it.

The fear is a false positive detection of incomplete encryption could
cause people to be prompted to wipe their data when MR1 comes out and
the flag is checked.  Not setting this for first release, and testing
this more before MR1, will give us confidence that the code will not
detect false positives of encryption failure.

Change-Id: I6dfba11646e291fe5867e8375b71a53c815f3968
2011-02-01 15:46:41 -08:00
Ken Sumrall
d33d417e3a Detect when encryption failed to complete
For the case there encryption failes to complete because of a kernel
crash or the user power cycling the device, define a flag in the
crypto footer that says encryption is in progress.  Set it when starting
the actual encryption, and clear it when it successfully completes.

When the user is asked for the disk password, if the flag is set,
return a special error to the caller so the UI can know to tell the
user there is no valid data on the disk, and present a button to
wipe and reset the device.

Change-Id: I3723ec77f33437d94b3ac9ad5db0a5c950d11648
2011-02-01 00:49:13 -08:00
Jason parks
70a4b3fd7a Change cryptfs changepw to only require a new password.
The master key is now stored unhashed in memory. This
is needed because certain operation like remote reseting
of passwords the old password is not avaliable.
The changepw interface has been changed to only take
the new password as the only argument. When this is
called we reencrypt the master key with the new password
and old salt.

Bug: 3382129
Change-Id: I9a596b89013194605d6d7790067691aa0dc75e72
2011-01-28 10:17:44 -06:00
Ken Sumrall
e874407036 Create and use a salt when calling pbkdf2 to encrypt/decrypt the master key.
In order to prevent rainbow table attacks on decrypting the master key,
create a 16 byte "salt" by reading /dev/urandom.  This is done right after
reading urandom to get the master key for the filesystem.  The salt is
stored 32 bytes after the end of the key (a padding added to help prevent
accidental overwriting of the salt) and the salt is fixed at 16 bytes long.

This change will make existing encrypted filesystems unusable.

Change-Id: I420549d064c61d38aea78eef4d86c88acb265ca3
2011-01-18 22:01:55 -08:00
Ken Sumrall
8ddbe40a8a Updates to cryptfs framework.
Update the enable inplace API to allow the UI to show a progress bar.
Add new command changepw (whichis currently not working)
Internal restructuring of code to support these two features.
Some minor cleanup of the code as well.

Change-Id: I11461fc9ce66965bea6cd0b6bb2ff48bcf607b97
2011-01-17 15:26:29 -08:00
Ken Sumrall
6864b7ec94 Change the cryptfs command to separate out checking the password and restarting
In order to make the animations and the UI look right, we need to change
the cryptfs checkpw command to return a status if the password was
correct or not, and not have it automatically restart if it's correct.

There is a new command restart that will restart the framework with the
encrypted filesystem.

Change-Id: Ia8ae00d7ed8667699aa58d05ad8ba953cca9316e
2011-01-14 15:20:02 -08:00
Ken Sumrall
8f869aa1bc Support for encrypting /data on Stingray.
There are still a few hacks and performance issues related
to shutting down the framework in this code, but it is
functional and tested.  Without the UI changes, it requires
cryptic adb shell commands to enable, which I shall not
utter here.

Change-Id: I0b8f90afd707e17fbdb0373d156236946633cf8b
2010-12-18 18:35:56 -08:00