Commit graph

215 commits

Author SHA1 Message Date
Paul Lawrence
4ed4526e68 Make sure encryption type is set on first boot
Bug: 27599622
Change-Id: I2f38c03941ac8cdba40baf7421132f572866e296
2016-03-10 15:44:21 -08:00
Daniel Rosenberg
25a5213c1f Add information to error message
Bug: 27452459
Change-Id: I89e813755da0946de4effd827799681df7e12d82
2016-03-09 13:53:39 -08:00
Paul Crowley
63c18d3ba9 Add scrypt-based password stretching.
Bug: 27056334
Change-Id: Ifa7f776c21c439f89dad7836175fbd045e1c603e
2016-02-10 14:07:59 +00:00
Paul Crowley
38132a1f66 Refactor now that global DE has been reworked
Change-Id: I4d6156332cfc847e25e7c8863fd6a50fa325fb87
2016-02-09 10:11:42 +00:00
Jeff Sharkey
47695b29af Allow callers to prepare CE/DE user storage.
Give callers the option of preparing CE and/or DE storage.  The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.

When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock.  Leaves blocking call intact for framework callers.

Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back.  This fixes
race conditions when there are multiple 'vdc' callers.

Also add other system and misc directories to match spec.

Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
2016-02-05 13:03:52 -07:00
Paul Lawrence
5a06a6481b Fix minor issues with previous change
New style logging
Remove set/get field from e4crypt
Save keys to temp file then rename

See https://googleplex-android-review.git.corp.google.com/#/c/858922/

Change-Id: I454c3f78489b491ffc1230a70dce64935e4e0f8a
2016-02-03 13:39:13 -08:00
Paul Lawrence
7b6b565fa0 Remove support for non-default root passwords in FBE
Change-Id: Ie179cb09f9f24382afd0fe0f3aa2a1ad943a7f5d
2016-02-02 12:47:52 -08:00
Jeff Vander Stoep
75fc83bac8 resolve merge conflicts of 2b6f9ce823 to master.
Change-Id: I69f36f560334b11b099f2eb15999603dd2469d4f
2016-02-01 15:24:58 -08:00
Jeff Vander Stoep
df72575862 cryptfs: run e2fsck/fsck.f2fs in fsck domain
e2fsck and fsck.f2fs must run in the fsck domain. Add call to
setexeccon() to tell selinux to run in the fsck domain on exec.

Addresses:
avc: denied { execute_no_trans } for path="/system/bin/e2fsck" dev="mmcblk0p41" ino=241 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file

Bug: 26872236
Change-Id: Ib2a583aeefc667f8aa67532e0ac0ff9619b65461
2016-02-01 12:59:59 -08:00
Paul Lawrence
b0f4a229e5 Merge "cryptfs: Skip to encrtypt unused blocks into a block group which uninitialize block bitmap ." am: 1ae498e0d4
am: 9b5db9bcbe

* commit '9b5db9bcbe333b677ca18d2c1c398c8751cd0fd2':
  cryptfs: Skip to encrtypt unused blocks into a block group which uninitialize block bitmap .
2016-01-12 22:21:21 +00:00
liminghao
aa08e58e3a cryptfs: Skip to encrtypt unused blocks into a block group which uninitialize block bitmap .
Bug: 198288

Change-Id: Iaa1a14fd916ddec8dc1a4be18d49732ebcba6884
Signed-off-by: liminghao <liminghao@xiaomi.com>
2016-01-06 15:20:38 +08:00
Paul Lawrence
3d99ebad3d Encrypt on reboot
Change encryption to happen after a reboot, not before. This
removes the problem whereby if data cannot be unmounted, we cannot
encrypt.

Bug: 25426629

Change-Id: I25d610204234ed8254330d001eb965e6e87a2fe9
2015-11-23 12:40:17 -08:00
Kenny Root
873da23cb0 Merge "system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1." am: 0a7e668ebf am: cd6d8e3fb6
am: 03b10c268b

* commit '03b10c268b810c06e31f20fab00ee9bb93d09d01':
  system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1.
2015-11-06 17:27:03 +00:00
Kenny Root
cd6d8e3fb6 Merge "system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1."
am: 0a7e668ebf

* commit '0a7e668ebf7215fbb89837e251f3f73a124adada':
  system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1.
2015-11-06 17:22:59 +00:00
Kenny Root
0a7e668ebf Merge "system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1." 2015-11-06 17:20:30 +00:00
Adam Langley
bf0d972ab4 system/vold: check return value of PKCS5_PBKDF2_HMAC_SHA1.
The function PKCS5_PBKDF2_HMAC_SHA1 can fail for a number of reasons and
thus its return value should be checked and handled.

Change-Id: I0f0d8f74b58940a34df16b88434a085760822075
2015-11-04 14:51:39 -08:00
Paul Lawrence
0c24746627 Add developer option to convert from FDE to FBE
This set of changes adds the screen that offers this conversion,
and the plumbing so the option is only available on suitable
devices.

It does not implement the conversion mechanism.

Change-Id: I801199c37b03436045d40bf8840a8746daf94d27
2015-11-04 05:09:32 -08:00
Paul Lawrence
2309f76d17 Merge "Don't show UI on default encryption" into mnc-dr-dev 2015-10-21 14:27:30 +00:00
David Ng
82fd804f8b vold: Retry opening block device on failure when starting encryption
The device mapper storage device node can take some time to be
created; so retry.

Bug: 23024596
Change-Id: Ieeb3b697f9cef72d4ea9d106750696901f0a224d
2015-10-01 11:45:22 +01:00
Paul Lawrence
569649ff1d Don't show UI on default encryption
Bug: 22989588
Change-Id: I21403233d84031869d929c46c3c7b2ebefb3caff
2015-09-09 12:13:00 -07:00
Paul Lawrence
f733ae6306 Don't break on setting default password
Bug: 22329642
Change-Id: I58dac4dba8e65c7015d50ca0c3575f77f550a215
2015-07-13 16:59:12 +00:00
Shawn Willden
86af3557e3 Add purpose to vold-generated keymaster1 keys.
Also remove the app ID and additional padding and digest options.

Bug: 22009890
Change-Id: Ibff9bbd0e0c11d651d11fac85d4ac907588f1cd2
2015-06-24 09:27:31 -07:00
Shawn Willden
0417060e8e Use correct error code for rate limiting.
Note that this CL depends on cl 712195, which must be submitted first.

Bug: 21607106
Change-Id: Iafc42d1c8a1145a31ea252b33b404044f92ec62b
2015-06-19 09:14:51 -06:00
Shawn Willden
da6e899f4e Add keymaster1 support to vold.
Bug: 21607106
Change-Id: I498141b90888d4f0652912413b04519f61886935
2015-06-17 10:27:07 -06:00
Paul Lawrence
b1ef4665e8 Improve boot time by 0.1s by reducing a polling sleep interval
Bug: 21516860
Change-Id: I9e28f4d9cc20ec2a7d9e325c02ef85f0ad9b3d60
2015-06-11 11:36:18 -07:00
Paul Lawrence
3bd36d5e5f Remove hex encoding and password adjusting now that patterns are '1' based
Bug: 21606650
Change-Id: I3486ad394d563135c5171a1d4785f7a27eeea3ae
2015-06-10 07:21:19 -07:00
Paul Lawrence
86c942a253 DO NOT MERGE Delete password as per block encryption
(cherry-picked from commit 00f4aade5c)

Bug: 18151196
Change-Id: Iee0f932c61ff4a309dc2861725b24bf976adb4c7
2015-05-29 14:22:18 -07:00
Paul Lawrence
2f32cda63b DO NOT MERGE Retry unmounts in ext4 encryption
(cherry-picked from commit 29b54aab8e)

Bug: 18151196
Change-Id: I52ca23b2ce3adcff44bd003d4a12243a0bd6ac34
2015-05-29 14:20:51 -07:00
Paul Lawrence
368d79459e DO NOT MERGE Enable properties in ext4enc
(cherry-picked from 4e7274551c)

Enables OwnerInfo and pattern suppression

Bug: 18151196

Change-Id: I46144e16cb00319deeb5492ab82c67f5dd43d6d3
2015-05-29 14:16:42 -07:00
Paul Lawrence
c78c71b171 DO NOT MERGE Check password is correct by checking hash
(cherry-picked from commit 3ca21e227a)

Handle failures gracefully

Change-Id: Ifb6da8c11a86c50fb11964c18cc1be1326461f78
2015-05-29 14:13:50 -07:00
Paul Lawrence
731a7a242d DO NOT MERGE Securely encrypt the master key
(cherry-picked from commit 707fd6c7cc)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3c68691717a61b5e1df76423ca0c02baff0dab98
2015-05-29 17:25:54 +00:00
Jeff Sharkey
ce6a913aea Exclusive exec() path, format after partition.
Sadly setexeccon() is process global, so we need to carefully ensure
that all exec() are mutually exclusive to avoid transitioning into
unwanted domains.  Also, because we have several threads floating
around, we need to guard all our FDs with O_CLOEXEC.

Format all newly created volumes immediately after partitioning,
but silence all events emitted from those volumes to prevent the
framework from getting all excited.  Unify all notify events under a
single codepath to make them easy to silence.

Sent SIGINT before escalating to SIGTERM when unmounting.

Bug: 19993667
Change-Id: Idc6c806afc7919a004a93e2240b42884f6b52d6b
2015-04-11 08:48:13 -07:00
Jeff Sharkey
9c48498f45 Support for private (adopted) volumes.
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer.  For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media.  Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.

This means that private external storage is effectively as secure as
the internal storage of the device.  That is, if the internal storage
is encrypted, then our external storage key is also encrypted.

When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use.  It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk.  Mixed mode is currently experimental.

For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change.  Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method.  Sprinkle some
more "static" around the cryptfs code to improve invariants.

Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
2015-04-01 10:45:05 -07:00
Jeff Sharkey
36801cccf2 Progress towards dynamic storage support.
Wire up new Disk and VolumeBase objects and events to start replacing
older DirectVolume code.  Use filesystem UUID as visible PublicVolume
name to be more deterministic.

When starting, create DiskSource instances based on fstab, and watch
for kernel devices to appear.  Turn matching devices into Disk
objects, scan for partitions, and create any relevant VolumeBase
objects.  Broadcast all of these events towards userspace so the
framework can decide what to mount.

Keep track of the primary VolumeBase, and update the new per-user
/storage/self/primary symlink for all started users.

Provide a reset command that framework uses to start from a known
state when runtime is restarted.  When vold is unexpectedly killed,
try recovering by unmounting everything under /mnt and /storage
before moving forward.

Remove UMS sharing support for now, since no current devices support
it; MTP is the recommended solution going forward because it offers
better multi-user support.

Switch killProcessesWithOpenFiles() to directly take signal.  Fix
one SOCK_CLOEXEC bug, but SELinux says there are more lurking.

Bug: 19993667
Change-Id: I2dad1303aa4667ec14c52f774e2a28b3c1c1ff6d
2015-03-30 19:46:31 -07:00
Elliott Hughes
2a8c10965a am 8a0fde27: am e9623fed: Merge "Fixed type mismatch for ioctl(BLKGETSIZE)"
* commit '8a0fde272be430f66b2e5db6236aa732d2ba6efc':
  Fixed type mismatch for ioctl(BLKGETSIZE)
2015-03-30 21:28:10 +00:00
Hiroaki Miyazawa
14eab550e8 Fixed type mismatch for ioctl(BLKGETSIZE)
ioctl(BLKGETSIZE) expects unsigned long
(8 bytes on 64 bit environment).

This is fixing fails in android.os.storage.StorageManagerIntegrationTest
(in FrameworkCoreTests).

To verify, install FrameworksCoreTests.apk and do:

adb shell am instrument -r -w -e class android.os.storage.\
StorageManagerIntegrationTest#testMountSingleEncryptedObb \
com.android.frameworks.coretests/android.test.InstrumentationTestRunner

Change-Id: Ib6d5c7490c02521c93f107c35ad0aac49f6a3f1a
2015-03-30 11:28:11 -07:00
Paul Lawrence
8175a0b65d Adding e4crypt support
Redirect all crypto calls to e4crypt equivalents if file level encryption
detected. Note this change implements only the ones needed for minimal
functionality.

Requires matching change:
  https://googleplex-android-review.git.corp.google.com/#/c/642778/

Change-Id: I622d1a91704de4b3ab655486e6d38cd6718e6016
2015-03-27 13:38:41 -07:00
Paul Lawrence
05335c344d Adding e4crypt support
Redirect all crypto calls to e4crypt equivalents if file level encryption
detected. Note this change implements only the ones needed for minimal
functionality.

Requires matching change:
  https://googleplex-android-review.git.corp.google.com/#/c/642778/

Change-Id: I622d1a91704de4b3ab655486e6d38cd6718e6016
2015-03-19 09:46:47 -07:00
Shawn Willden
47bc0ffadd am 5054f7ee: Merge "Rename keymaster_device_t to keymaster0_device_t."
* commit '5054f7ee4fa6e747eb8d08f60ec91ba6a9363878':
  Rename keymaster_device_t to keymaster0_device_t.
2015-02-26 23:31:10 +00:00
Shawn Willden
8af33350cd Rename keymaster_device_t to keymaster0_device_t.
This is to accomodate the new keymaster1_device_t, which has an entirely
different interface.

Soon I'll provide a libkeymaster which provides a unified (and nicer)
interface for dealing with both v0 and v1 keymaster implementations
using a v1 keymaster API.  For now this change is just so that vold will
build and run.

Change-Id: I5c54282c12d1c4b8b22ed4929b6e6c724a94ede4
2015-02-25 23:08:46 -07:00
Shawn Willden
d1fd8468d0 Rename keymaster_device_t to keymaster0_device_t.
This is to accomodate the new keymaster1_device_t, which has an entirely
different interface.

Soon I'll provide a libkeymaster which provides a unified (and nicer)
interface for dealing with both v0 and v1 keymaster implementations
using a v1 keymaster API.  For now this change is just so that vold will
build and run.

Change-Id: I5c54282c12d1c4b8b22ed4929b6e6c724a94ede4
2015-02-24 09:55:04 -07:00
JP Abgrall
933216c886 crytpfs: fix clobbering of crypto info on keymaster failure
Changing the device lock (even from swipe to none) will cause the
master key to be re-encrypted.
If at that point keymaster fails (e.g. due to an incompatible keymaster update)
cryptfs will write back the now-incomplete crypto metadata.
Upon next reboot, userdata can't be decrypted.

Now we don't bother writing on keymaster failure.

Bug: 19301883
Change-Id: I2b9a1278f8b4d333ac8d567e17e2263005e99409
2015-02-11 13:44:32 -08:00
Elliott Hughes
d32b75e6dc am 33b6de4b: am d55d8dac: Merge "prevent ioctl_init() to write outside buffer"
* commit '33b6de4b94e018b3cb621db5eabcb3a4f18bdd3d':
  prevent ioctl_init() to write outside buffer
2015-02-09 04:15:13 +00:00
Paul Lawrence
a655b9a39f am 38394c7d: am 223fd1ca: Revert "Make encryption configurable"
* commit '38394c7d2d6d5bd8c7467155587a78b912e2b7ab':
  Revert "Make encryption configurable"
2015-02-09 04:14:28 +00:00
Elliott Hughes
33b6de4b94 am d55d8dac: Merge "prevent ioctl_init() to write outside buffer"
* commit 'd55d8dac45dc60cb2cc9e599d3e89532db0cfc39':
  prevent ioctl_init() to write outside buffer
2015-02-07 07:38:37 +00:00
Elliott Hughes
d55d8dac45 Merge "prevent ioctl_init() to write outside buffer" 2015-02-07 07:29:43 +00:00
Paul Lawrence
38394c7d2d am 223fd1ca: Revert "Make encryption configurable"
* commit '223fd1cad8d627dc36e11da8cdd342c1a810d226':
  Revert "Make encryption configurable"
2015-02-07 00:11:29 +00:00
Paul Lawrence
223fd1cad8 Revert "Make encryption configurable"
This reverts commit 6a69cfc411.

The original fix seems to have led to boot failures in QA. Rather than
risk shipping, revert the change. Bug 18764230 reopened.

Requires change
    https://googleplex-android-review.git.corp.google.com/#/c/629950/

Bug: 19278390
Bug: 19199624

Change-Id: Ia858c4db0abb917f9364ec8048f59ca4fb48e233
2015-02-06 17:32:56 +00:00
Marek Pola
5e6b9141c1 prevent ioctl_init() to write outside buffer
The strncpy operation does not write a 0 termination
if the name is larger than the target buffer.

Ensure that zero termination is always written using
safe strlcpy function.

Change-Id: Idb68cdff7cd1a860c1dfac7494fa99f3d382cb91
2015-02-06 08:01:43 +01:00
Elliott Hughes
efb4c6d79a am 71f8d86f: am f805a8b3: Merge "Change lseek to lseek64"
* commit '71f8d86fdfc2c11f2d4176eabb98812bf41792e7':
  Change lseek to lseek64
2015-02-05 20:35:09 +00:00