More consistency between MetadataCrypt and cryptfs, and steps towards
supporting Adiantum properly in MetadataCrypt.
Test: create private volume on Cuttlefish
Bug: 147814592
Change-Id: Ic3993c1fde11b4f5a9e6cc8ee588a7d92241c6ab
Abolish cryptfs_revert_ext_volume, handle in caller. This allows us to
use DeleteDeviceIfExists, avoiding a spurious error message.
Test: create private volume on Cuttlefish, eject, check logs
Bug: 147814592
Change-Id: I836d8bd11b29e32da0863aaa75144543bb9cab9c
Not for security, but for consistency with the way we handle other
keys, and to move the length check to where it belongs.
Test: create private volume on Cuttlefish
Bug: 147814592
Change-Id: I10fc4896183d050ce25ff174faf78f525cf62930
To prevent keys from being compromised if an attacker
acquires read access to kernel memory, some inline
encryption hardware supports protecting the keys in
hardware without software having access to or the
ability to set the plaintext keys. Instead, software
only sees "wrapped keys", which may differ on every boot.
'wrappedkey_v0' fileencryption flag is used to denote
that the device supports inline encryption hardware that
supports this feature. On such devices keymaster is used
to generate keys with STORAGE_KEY tag and export a
per-boot ephemerally wrapped storage key to install it in
the kernel.
The wrapped key framework in the linux kernel ensures the
wrapped key is provided to the inline encryption hardware
where it is unwrapped and the file contents key is derived
to encrypt contents without revealing the plaintext key in
the clear.
Test: FBE validation with Fscrypt v2 + inline crypt + wrapped
key changes kernel.
Bug: 147733587
Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
Just before mounting partition(s) not verified by verified boot, vold
should notify keymaster that early boot has ended so it won't allow
EARLY_BOOT_ONLY keys to be created or used.
Test: VtsHalKeymasterV4_1TargetTest
Change-Id: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3
Merged-In: I74ffec8d5b33f01e62f845a8fc824b3a3cad50f3
This CL updates vold to use the Keymaster 4.1 interface, but does not
yet call any of the new methods.
Test: Boot the device
Change-Id: I4574a2f6eead3b71d1e89488b496b734694620c7
Merged-In: I4574a2f6eead3b71d1e89488b496b734694620c7
Move most of it into cryptfs.cpp, and include cryptfs.h in fewer files.
Bug: 147814592
Test: Treehugger
Change-Id: Ia3592d73e7abc1f07a60538e0978a3033bdea7de
Version 2 of dm-default-key has an extra parameter and always sets the
DUN.
Bug: 147814592
Test: Cuttlefish boots with keydirectory flag
Test: Crosshatch formatted before this change boots after it
Change-Id: I59081e385324d2e34a5f252286a97938d6ffb79b
CE keys were cached in vold to support untrusted reset
by a device admin, this is now supported by Locksettingservice
using synthetic password. This change requires a secret to be
provided to retrieve the CE key and re-wrap without the secret
when user removes the credential.
Test: Set credential, remove credential, swipe to none
and vice-versa.
Bug: 26948053
Merged-In: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
Change-Id: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
AIDL import path should point to a root directory where relative path to
an AIDL file encodes the fully qualified name of the type in the file.
Since libvold_binder imports types like
android.os.incremental.IncrementalFileSystemControlParcel which are
under frameworks/base/core/java, the import path should set to the path,
not to the sub directory that directly has the AIDL files.
Bug: 147918827
Test: m
Change-Id: Ic4941578813eced5a7eb59a0656c10b76e902515
This gives x permission to all on the parent apex data directory
so that the data directories can be accessed by modules.
Bug: 147848983
Test: Build & flash, check permissions are correct
Change-Id: I1bbf480cbf9f9e758353237e333317516ad375ee
The apex data directories must be accessed by apexd in order for it to
perform snapshot and restore as part of the rollback process. As apexd
runs as root, this CL changes the apex data directories under misc_[ce|de]
to be owned by root.
Bug: 141148175
Test: Build and flash; check permissions are set correctly.
Change-Id: Icf2059cc9448364f834eef7892914a99883746a1
When the partition is f2fs and the OS is 32bit, the data.f_bavail and
data.f_frsize are 32 bits in size. The product of them is also 32 bits
in size. If the available size of storage is greater than 4G, the
product may be greater than the unsigned long max value. If the product
is overflow and less than 100M. The UDC feature will be disabled.
There is also an overflow for std::strtoul when the variable content
is a very big number(more the unsigned long max value).
To avoid the overflow:
1. convert the variable data.f_bavvail to uint64_t and then compute the
multiplication.
2. use std::strtoull replace to std::strtoul.
Bug: 147118861
Change-Id: I60172ae4cb7c997e2ad4a36583be74736c25e565
time_started in encryptGroupsData is set from and compared to
clock_gettime(CLOCK_MONOTONIC, ...) nearly everywhere: "Clock that
cannot be set and represents monotonic time since some unspecified
starting point". However in cryptfs_enable_inplace_f2fs() it is set
from a different clock, time(NULL), with the result that the setprop
calls that indicate progress are wrong and can be called much too
often. The fix is to make this function consistent with
cryptfs_enable_inplace_ext4.
Bug: 146877356
Change-Id: I2707180e5c5bf723a5a880f6a3aac47f2bb34ccd
- Use FSCRYPT_MAX_KEY_SIZE from <linux/fscrypt.h> instead of manually
defining FS_AES_256_XTS_KEY_SIZE. These have the same numeric value
(64), but the former is supposed to be used, and AES-256-XTS isn't
necessarily the encryption algorithm that is being used anyway.
- Use the new name FSCRYPT_KEY_DESCRIPTOR_SIZE instead of the old name
FS_KEY_DESCRIPTOR_SIZE. These have the same numeric value (8).
- Don't try to handle sizeof(fscrypt_key::raw) > FSCRYPT_MAX_KEY_SIZE,
as this simply isn't the case.
- Set fscrypt_key::mode to 0 rather than FS_ENCRYPTION_MODE_AES_256_XTS.
This field has always been ignored by the kernel, and AES-256-XTS
isn't necessarily the encryption algorithm that is being used anyway.
- Initialize the fields of fscrypt_key in order.
This is a cleanup only.
Test: booted hikey with fileencryption=aes-256-xts and a kernel that
doesn't support the new fscrypt ioctls.
Bug: none
Change-Id: Ie2a7e9240aa479dfab2765c11db8a7124d20c643
aosp/1184798 has updated the kernel headers to 5.4, so we no longer need
the file fscrypt_uapi.h. In KeyUtil.cpp we also now don't need
<linux/fs.h>, but rather just the more specific <linux/fscrypt.h>.
Test: build
Bug: None
Change-Id: I56d17826eb7c3b95c74ce0435a4feae7f3cc325e
In case of userspace reboot, this function will be called again to
remount userdata into checkpoint mode.
Test: adb shell setprop sys.init.userdata_remount.force_umount_f2fs 1
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Test: adb shell dumpsys activity
Bug: 135984674
Bug: 143970043
Change-Id: I300b1960a6c4e95b13c43d806c4f3a9e4a612ac4
This creates apexrollback directories under /data/misc_[de|ce]/<user>
which will hold snapshots of DE_n and CE_n apex data directories
(i.e. it will hold backups of data from /data/misc_[de|ce]/<user>/apexdata
for particular apexes).
See go/apex-data-directories for details.
Bug: 141148175
Test: Built and flashed, checked directory was created.
Change-Id: I468060b20dee0c50033b5f014ce8716582d5e6bc
It will be used during the userspace reboot to unmount all emulated
storages, which is a prerequisite to unmount+remount ext4 userdata into
checkpoint mode.
Test: adb shell /system/bin/vdc checkpoint startCheckpoint 1
Test: adb reboot userspace
Bug: 143970043
Bug: 135984674
Change-Id: I07491bc4be2f30debe21b764766c9def68548e16
This creates an apexdata directory under /data/misc_de/<user> and
/data/misc_ce/<user>, and also creates a directory under that for
every APEX that is installed.
See go/apex-data-directories.
APEXes are discovered by scanning the /apex directory. It may be better
to delegate this process to a library, but it is proposed to defer that
change to a future CL.
Bug: 141148175
Test: Built and flashed, checked directories were created.
Change-Id: I95a060b4f42241c91da25a779e61a8f85ca1914c
