Commit graph

67 commits

Author SHA1 Message Date
Eric Biggers
f9c6dfa8fd Allow IV_INO_LBLK_32 with virtio storage
This has to be allowed as a workaround until there is a way for
userspace to check the maximum DUN size directly.

Bug: 207390665
Change-Id: Id5e51720ca963fe80e65dbae1965f777b3cd2ee4
2021-11-22 11:33:39 -08:00
Satya Tangirala
0f890a93e1 Always use RenameKeyDir() when moving/renaming key directories
Make fixate_user_ce_key() use RenameKeyDir() to rename key directories
so that any deferred commits for these directories are also updated
appropriately.

This fixes a potential lost Keymaster key upgrade if a key were to be
re-wrapped while a user data checkpoint is pending.  This isn't a huge
issue as the key will just get upgraded again, but this should be fixed.

[ebiggers@ - cleaned up slightly from satyat@'s original change]

Bug: 190398249
Change-Id: Ic6c5b4468d07ab335368e3d373916145d096af01
2021-06-08 15:57:31 -07:00
Eric Biggers
d863b2cd4a Remove /data/misc/vold/user_keys/ce/${user_id} when no longer needed
When a user is removed, vold is deleting the subdirectories of
/data/misc/vold/user_keys/ce/${user_id} but not that directory itself.
This is unexpected, as none of the user's directories should be left
around.  Delete it too.

Bug: 188702840
Test: pm create-user foo
      pm remove-user 10
      stat /data/misc/vold/user_keys/ce/10 # no longer exists
Change-Id: Id4033a668fa6de1debb9ba6fdd1351c940bd35fc
2021-05-27 17:34:19 -07:00
Eric Biggers
18ba15223c vold: add getUnlockedUsers() method to Binder interface
This is needed so that system_server can remind itself about which users
have their storage unlocked, if system_server is restarted due to a
userspace reboot (soft restart).

Bug: 146206679
Test: see I482ed8017f7bbc8f7d4fd5a2c0f58629317ce4ed
Change-Id: I02f0494d827094bd41bcfe5f63c24e204b728595
(cherry picked from commit 1799debfd6)
2021-04-13 10:53:00 -07:00
Satya Tangirala
e13617100d Remove HardwareAuthToken support from vold::Keymaster
HardwareAuthTokens are no longer used by vold since Android P. So remove
the auth token parameter from vold. This patch doesn't remove the token
from IVold.aidl, and the methods in VoldNativeService.cpp return an
error if a non-empty auth token is passed to them.

Bug: 181910578
Test: cuttlefish and bramble boot with patch
Change-Id: I1a9f54e10f9efdda9973906afd0a5de5a699ada5
2021-04-07 02:05:35 -07:00
Treehugger Robot
f6546171af Merge "Set a default ACL on /data/media/userId." 2021-03-02 09:25:52 +00:00
Martijn Coenen
5adf92a988 Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: Ic5d63457ec917ea407b900dbb7773d89311780c6
2021-02-24 12:45:09 +01:00
Treehugger Robot
6c36c6f421 Merge changes from topic "fsync-fixes"
* changes:
  Add syncs when creating parent directories
  Sync parent directory in storeKeyAtomically()
  Move pathExists() to Utils.cpp
2021-02-19 19:23:47 +00:00
Dhiraj Jadhav
a98846d8d5 Merge "Revert "Revert "Revert "Set a default ACL on /data/media/userId."""" 2021-02-18 17:38:20 +00:00
Dhiraj Jadhav
72005fd1e6 Revert "Revert "Revert "Set a default ACL on /data/media/userId."""
This reverts commit ea9681e4cd.

Reason for revert: storage Permission causing b/179362637 adb push to fail

Change-Id: Ibc1d8b5b685c22545b7e2d15de58059960b87e14
2021-02-18 04:57:03 +00:00
Eric Biggers
fec0c0e472 Add syncs when creating parent directories
vold creates some directories for storing encryption keys if they don't
already exist, potentially including parent directories:

    /metadata/vold/metadata_encryption
    /data/misc/vold/volume_keys/$volume_uuid
    /data/misc_de/$user/vold/volume_keys/$volume_uuid
    /data/misc_ce/$user/vold/volume_keys/$volume_uuid

Currently fs_mkdirs() is used for this.  However, fs_mkdirs() doesn't
include the fsync()s of the parent directories that are needed to ensure
that the new directories are persisted to disk right away -- which is
important for encryption keys.

Add a utility function MkdirsSync() which does what is needed, and make
the appropriate places call it.

Test: Booted and checked log for "Created directory" message.
      Also ran 'atest vold_tests' to run the new unit test.
Change-Id: Ie9917b616433080139b8db3fd6877203ee6faf77
2021-02-16 16:18:53 -08:00
Eric Biggers
3345a2a98c Sync parent directory in storeKeyAtomically()
When an FBE or metadata encryption key is created, it's important that
it be persisted to disk right away; otherwise the device may fail to
boot after an unclean shutdown.  storeKey() has the needed fsync()s.
However, storeKeyAtomically() doesn't, as it doesn't fsync() the parent
directory of key_path after it renames tmp_path to it.

Two callers do fsync() the parent directory themselves, but others
don't.  E.g., the metadata encryption key doesn't get properly synced.

Therefore, add the needed fsync() to storeKeyAtomically() so that it
gets done for everyone.

Also remove the now-unneeded fsync()s from the two callers that did it
themselves.

Change-Id: I342ebd94f0a3d2bf3a7a443c35b6bda0f12e1ab2
2021-02-16 16:05:38 -08:00
Martijn Coenen
2e8f0d438b Merge "Revert "Revert "Set a default ACL on /data/media/userId.""" 2021-02-01 13:30:04 +00:00
Martijn Coenen
ea9681e4cd Revert "Revert "Set a default ACL on /data/media/userId.""
This reverts commit b276e80aec.

Reason for revert: b/177926359 is now fixed

Change-Id: I8ec5d80a44fc9e491ab3430592e17d10a82f40ea
2021-02-01 07:57:02 +00:00
Martijn Coenen
d9cf8590cb Merge "Revert "Set a default ACL on /data/media/userId."" 2021-01-21 08:19:20 +00:00
Martijn Coenen
b276e80aec Revert "Set a default ACL on /data/media/userId."
This reverts commit a71323ec0e.

Reason for revert: b/177926359 - note that this is a Google testing infrastructure issue, and no issue with this patch. Partners can keep using this patch. It will be resubmitted in a few weeks.

Change-Id: Ia13279ac1aafa2e4425c4527aeadd5d0fadbc2e4
2021-01-20 15:51:44 +00:00
Martijn Coenen
14782046f3 Merge "Set a default ACL on /data/media/userId." 2021-01-19 09:38:55 +00:00
Alan Stokes
e0b7f306c1 Remove ro.vold.level_from_user.
This is on everywhere, we no longer have any need for it.

Fix: 171462631
Test: Presubmits
Change-Id: I240361619acafeee6cac383037887e15a46c0c38
2021-01-05 09:49:24 +00:00
Martijn Coenen
a71323ec0e Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: Ib718b8362df84754ee3cac33865bca3c12df2e3a
2020-12-23 21:05:02 +00:00
Martijn Coenen
94d6c1275d Revert "Set a default ACL on /data/media/userId."
This reverts commit 8688eb4f47.

Reason for revert: Probably causing b/176240229

Change-Id: Id92d1f1589e8927f372960ec2cc5d262d10ad161
2020-12-23 19:14:15 +00:00
Martijn Coenen
8688eb4f47 Set a default ACL on /data/media/userId.
This directory is used as a root for external storage on adopted storage
devices. It needs to be writable by processes holding the AID_MEDIA_RW
GID permission; in particular, it should be writable by the FUSE daemon.

On devices with sdcardfs, this was ensured automatically, because
sdcardfs presented a view of this directory that was writable, that we
could use for the FUSE daemon. But on devices without sdcardfs, the FUSE
daemon sees the raw filesystem and its permissions. This also means that
files created by the FUSE daemon will have their uid/gid set to the uid
of the FUSE daemon; to ensure these files stay writable to other system
applications that have AID_MEDIA_RW, use a default ACL to make sure the
gid stays AID_MEDIA_RW.

In particular, this fixes an issue with app cloning, where we want the
FUSE daemon of user 0 to be able to access the files of the app clone
user, and vice versa.

Bug: 154057120
Test: inspect uid/gid of /data/media/0 and contents
Change-Id: I6dfae41f9cb6a8283978b2667b02708a000f07c0
2020-12-16 17:54:22 +01:00
Alan Stokes
1dafff79e1 Enable improved user separation by default.
This is already on for all Pixel devices with no problems observed.

If this causes issues with a specific device (e.g. vendor apps being
unable to access their data) it can be temporarily disabled by adding

PRODUCT_PROPERTY_OVERRIDES += ro.vold.level_from_user=0

to the device.mk file. Please file a bug if that happens.

Bug: 141677108
Test: presubmits
Change-Id: Ic9da534f1a5f4c9e3bd62ea5c09a3b11ebcb33e7
Merged-In: Ic9da534f1a5f4c9e3bd62ea5c09a3b11ebcb33e7
(cherry picked from commit 763393644a)
2020-12-10 09:54:06 +00:00
Eric Biggers
f74373b177 KeyStorage: rework key upgrade handling
Remove the error-prone 'keepOld' parameter, and instead make begin()
(renamed to BeginKeymasterOp()) do all the key upgrade handling.

Don't handle /data and /metadata differently anymore.  Previously, when
a checkpoint is active, key blob files were replaced on /data
immediately; only the actual Keymaster key deletion was delayed until
checkpoint commit.  But it's easier to just delay the key blob file
replacement too, as we have to implement that for /metadata anyway.

Also be more vigilant about deleting any leftover upgraded keys.

Test: Tested on bramble using an OTA rvc-d1-release => master.  In OTA
      success case, verified via logcat that the keys were upgraded and
      then were committed after the boot succeeded.  In OTA failure
      case, verified that the device still boots -- i.e., the old keys
      weren't lost.  Verified that in either case, no
      keymaster_key_blob_upgraded files were left over.  Finally, also
      tried 'pm create-user' and 'pm remove-user' and verified via
      logcat that the Keymaster keys still get deleted.
Change-Id: Ic9c3e63e0bcae0c608fc79050ca4a1676b3852ee
2020-11-05 19:58:26 -08:00
Eric Biggers
6b84039847 FsCrypt: silently skip "." and ".." when loading keys
Avoid logging useless messages like:

    D vold    : Skipping non-key .
    D vold    : Skipping non-key ..
    D vold    : Skipping non-de-key .
    D vold    : Skipping non-de-key ..

Change-Id: I8d2bd67d554605a5ab9faadd3730870dfe0881f6
2020-11-02 15:47:42 -08:00
Eric Biggers
c493903732 KeyUtil: don't use keepOld=true for system DE and volume keys
Commit 77df7f207d / http://aosp/1217657 ("Refactor to use
EncryptionPolicy everywhere we used to use raw_ref") unintentionally
made fscrypt_initialize_systemwide_keys() start specifying keepOld=true
(via default parameter value) when retrieving the system DE key, and
likewise for read_or_create_volkey() and volume keys.

As a result, if the associated Keymaster key needs to be upgraded, the
upgraded key blob gets written to "keymaster_key_blob_upgraded", but it
doesn't replace the original "keymaster_key_blob", nor is the original
key deleted from Keymaster.  This happens at every boot, eventually
resulting in the RPMB partition in Keymaster becoming full.

Only the metadata encryption key ever needs keepOld=true, since it's the
only key that isn't stored in /data, and the purpose of keepOld=true is
to allow a key that isn't stored in /data to be committed or rolled back
when a userdata checkpoint is committed or rolled back.

So, fix this bug by removing the default value of keepOld, and
specifying false everywhere except the metadata encryption key.

Note that when an affected device gets this fix, it will finally upgrade
its system DE key correctly.  However, this fix doesn't free up space in
Keymaster that was consumed by this bug.

Test: On bramble:
  - Flashed rvc-d1-dev build, with wiping userdata
  - Flashed a newer build, without wiping userdata
  - Log expectedly shows key upgrades:
        $ adb logcat | grep 'Upgrading key'
        D vold    : Upgrading key: /metadata/vold/metadata_encryption/key
        D vold    : Upgrading key: /data/unencrypted/key
        D vold    : Upgrading key: /data/misc/vold/user_keys/de/0
        D vold    : Upgrading key: /data/misc/vold/user_keys/ce/0/current
  - Rebooted
  - Log unexpectedly shows the system DE key being upgraded again:
        $ adb logcat | grep 'Upgrading key'
        D vold    : Upgrading key: /data/unencrypted/key
  - "keymaster_key_blob_upgraded" unexpectedly still exists:
        $ adb shell find /data /metadata -name keymaster_key_blob_upgraded
        /data/unencrypted/key/keymaster_key_blob_upgraded
  - Applied this fix and flashed, without wiping userdata
  - Log shows system DE key being upgraded (expected because due to the
    bug, the upgraded key didn't replace the original one before)
        $ adb logcat | grep 'Upgrading key'
        D vold    : Upgrading key: /data/unencrypted/key
  - "keymaster_key_blob_upgraded" expectedly no longer exists
        $ adb shell find /data /metadata -name keymaster_key_blob_upgraded
  - Rebooted
  - Log expectedly doesn't show any more key upgrades
        $ adb logcat | grep 'Upgrading key'
Bug: 171944521
Bug: 172019387
Change-Id: I42d3f5fbe32cb2ec229f4b614cfb271412a3ed29
2020-10-30 14:53:43 -07:00
Alan Stokes
be3db7b7ae Enable vold to set level from user.
We want various per-user directories to have their SELinux MLS level
set to restrict access from other users, as an improvement to user
isolation.

We extend vold_prepare_subdirs to implement this if a flag is
set. vold itself then sets the flag based on a new property,
ro.vold.level_from_user. This is to allow testing of further
incremental work to ensure system apps correctly handle the new
restriction on different devices rather than causing immediate
breakage. Eventually this will go away and the restriction will apply
everywhere.

Bug: 141677108
Test: Manual, with and without propery set.
Change-Id: I8e2207bd94b487bdcc09fd4d80b031027dfea1e3
2020-10-02 14:49:25 +01:00
Xin Li
24ae202734 Merge Android R (rvc-dev-plus-aosp-without-vendor@6692709)
Bug: 166295507
Merged-In: Id417587a550b0f4abf5a6a3e4b4535011b21f627
Change-Id: Ibb5e8cf5f36dad408cf047dd0498aba24249b695
2020-08-27 10:17:42 -07:00
Eric Biggers
72d07130ac vold: use __ANDROID_API_Q__ instead of pre_gki_level
The name "pre_gki_level" is causing some confusion because not all
devices launching with Android R are subject to the GKI requirement.
(See b/161563110#comment11.)  E.g., devices that use a 4.14-based kernel
are exempt from GKI.  However, the encryption requirements still apply.

Just use __ANDROID_API_Q__ directly instead.

No change in behavior.

Change-Id: Id02ae1140845ac1ae7cf78be4e57fe34da028abf
2020-08-10 11:45:08 -07:00
Eric Biggers
09f789e227 Merge "vold: only allow emmc_optimized on eMMC storage" am: 428ae6e90a am: 7a1c4ccb96
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1356175

Change-Id: Ie124c2cec8e4235ae999463d5c03615880e0c01e
2020-07-07 17:37:34 +00:00
Eric Biggers
eb566d0a7c vold: only allow emmc_optimized on eMMC storage
The emmc_optimized encryption flag is specifically designed for the
limitations of inline encryption hardware that follows the eMMC
standard.  It isn't appropriate to use on other types of storage.
So, make vold enforce that it's not used on other types of storage.

Bug: 160639344
Test:
  - Enabled emmc_optimized on Cuttlefish and verified it no longer boots
  - Using a modified version of this change, verified that
    IsEmmcStorage() works as expected on various devices including
    Cuttlefish, Cuttlefish booted in GSI image mode, a device with eMMC
    storage, and a device with UFS storage.
  - Verified that VtsKernelEncryptionTest still passes
Change-Id: Ie27b80658db53b1a4207b3cbb4e309d05130812e
2020-07-06 19:11:43 -07:00
TreeHugger Robot
cbd458bb35 Merge "Only set quota project ID inheritance on app-private dirs." into rvc-dev 2020-03-11 12:54:58 +00:00
Nikita Ioffe
1c6731c649 fskeyring & userspace reboot: support CE keys
During userspace reboot /data might be unmounted & remounted, meaning
that CE keys stored in fs-level keyring will be lost. In order to be
able to restore them, when installing new key to fs-level keyring, it's
also added to session-level keyring with type "fscrypt-provisioning".

Then when init_user0 is called during userspace reboot, vold will try to
load CE keys from the session-level keyring back into fs-level keyring
for all the users that were unlocked before the reboot.

If for any user vold fails to install the key, init_user0 will fail and
fallback to hard reboot will be triggered.

Test: set a pin pattern
Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
Merged-In: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
(cherry picked from commit 1ee35cf002)
2020-03-11 11:46:46 +00:00
Martijn Coenen
9171fcc984 Only set quota project ID inheritance on app-private dirs.
Previously every directory on external storage had project ID quota
inheritance enabled; this means that if any new file/directory is
created under such a directory, it will inherit the project ID from the
parent. We use a default project ID of 1000 for generic directories, and
application-specific project IDs for app-specific directories.

MediaProvider is responsible for updating the quota type in the generic
directories, as it scans all files there. However, there is a problem
with this approach: if you move a file to a directory with project ID
inheritance set, and the project ID of that file differs from the
project ID of the dir, that results in an EXDEV error, and requires a
copy instead. For example, if /sdcard/DCIM/test.jpg has a project ID of
1003 (for images), and you try to move it to /sdcard/Pictures/test.jpg,
that would require a copy, because the project ID of /sdcard/Pictures is
1000.

While this is not a very common scenario, it's still better to avoid it.
Luckily we can - since MediaProvider anyway scans all files, it will set
the project ID on individual files correctly - there's no need to
inherit them.

We then only need to inherit quota in application-specific directories,
since in those directories the app can create files itself, and those
need to be tagged correctly.

This change enables that, by removing quota inheritance setting from the
top-level directory, and instead doing it for app-specific directories
instead.

Bug: 151078664
Test: atest StorageHostTest
      atest com.android.tests.fused.host.FuseDaemonHostTest#testRenameAndReplaceFile
Change-Id: I38a057ec61cb627e39a3ff7ac58c7218dc251bdc
2020-03-11 11:51:45 +01:00
Nikita Ioffe
1ee35cf002 fskeyring & userspace reboot: support CE keys
During userspace reboot /data might be unmounted & remounted, meaning
that CE keys stored in fs-level keyring will be lost. In order to be
able to restore them, when installing new key to fs-level keyring, it's
also added to session-level keyring with type "fscrypt-provisioning".

Then when init_user0 is called during userspace reboot, vold will try to
load CE keys from the session-level keyring back into fs-level keyring
for all the users that were unlocked before the reboot.

If for any user vold fails to install the key, init_user0 will fail and
fallback to hard reboot will be triggered.

Test: set a pin pattern
Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
2020-03-07 01:19:42 +00:00
Nikita Ioffe
f0550af103 fskeyring & userspace reboot: support DE keys
During userspace reboot /data might be unmounted, which means that if
device supports filesystem keyring, DE keys will be lost and are needed
to be re-installed.

Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I153caa1d7c373b3c906a34f1184c681e52854a9d
Merged-In: I153caa1d7c373b3c906a34f1184c681e52854a9d
(cherry picked from commit 1eaea5a6a2)
2020-03-04 12:18:53 +00:00
Nikita Ioffe
1eaea5a6a2 fskeyring & userspace reboot: support DE keys
During userspace reboot /data might be unmounted, which means that if
device supports filesystem keyring, DE keys will be lost and are needed
to be re-installed.

Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I153caa1d7c373b3c906a34f1184c681e52854a9d
2020-02-27 21:42:08 +00:00
Martijn Coenen
6a4d95d08e Merge "Switch to new project ID constants." 2020-02-20 08:58:56 +00:00
Automerger Merge Worker
d80d53e31f Merge "Make CTS not HEH the default post Q" am: 39969f0288 am: 17d85205bd am: f0bea38daa
Change-Id: I3cf8f261ce7ecf41315ffddbf4964cf47bca1655
2020-02-20 00:22:25 +00:00
Martijn Coenen
aee40511ae Switch to new project ID constants.
Use new constants, instead of reusing previous sdcardfs values.

Bug: 146419093
Test: lsattr -pR
Change-Id: I7409d86cac5360e125e843cc79f3c5f41d74dd1e
2020-02-20 00:39:05 +01:00
Automerger Merge Worker
7489ab6961 Merge changes from topics "metadata_wrapped_key_aosp", "volume_metadata" am: 36fd1ebfae am: 6891eb7e2d am: c14f46d114
Change-Id: I89f51bfaeb61c235aeccbe8a5a5a447ab14c46cb
2020-02-19 22:19:26 +00:00
Paul Crowley
eb241a1d65 Make CTS not HEH the default post Q
Making HEH the default was always a mistake and a giant foot-gun.
Let's make life easier for people by making the default depend on
first_api_level, so it's automatically set up right for new devices
without breaking old ones. Also use v2 fscrypt keys instead of v1 post
Q.

Bug: 147107322
Test: Various Cuttlefish configurations
Change-Id: I5432bdfd6fec6ed34e7f9ab7cdd32cdeb2a03472
2020-02-19 10:27:48 -08:00
Paul Crowley
249c2fb4aa Refactor: make makeGen local
No need for KeyUtil to know how to make a KeyGeneration, it's cleaner
if each module handles it separately. Also, create a CryptoOptions
structure to track metadata encryption options, and simplify legacy
cipher/option handling.

Test: Treehugger
Bug: 147814592
Change-Id: I740063882914097329ff72348d0c0855c26c7aab
2020-02-18 12:49:36 -08:00
Paul Crowley
4eac264727 Refactor key generation to handle both normal and metadata encryption.
Bug: 147733587
Test: Treehugger
Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d
Merged-In: Iee176037dec2621c84da325c2627f988fcebbc8d
2020-02-14 13:59:06 -08:00
Paul Crowley
b3d018a62c Refactor key generation to handle both normal and metadata encryption.
Bug: 147733587
Test: Treehugger
Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d
2020-02-14 13:39:19 -08:00
Automerger Merge Worker
30b1a73b3a Merge "vold: Support Storage keys for FBE" am: 8cfb530357 am: aafbd4066a am: 54d5e5ca1e
Change-Id: I7232b8c40cd5606ce6ec801d88df9768405ffa3b
2020-02-13 00:06:10 +00:00
Barani Muthukumaran
3dfb094cb2 vold: Support Storage keys for FBE
To prevent keys from being compromised if an attacker
acquires read access to kernel memory, some inline
encryption hardware supports protecting the keys in
hardware without software having access to or the
ability to set the plaintext keys.  Instead, software
only sees "wrapped keys", which may differ on every boot.

'wrappedkey_v0' fileencryption flag is used to denote
that the device supports inline encryption hardware that
supports this feature. On such devices keymaster is used
to generate keys with STORAGE_KEY tag and export a
per-boot ephemerally wrapped storage key to install it in
the kernel.

The wrapped key framework in the linux kernel ensures the
wrapped key is provided to the inline encryption hardware
where it is unwrapped and the file contents key is derived
to encrypt contents without revealing the plaintext key in
the clear.

Test: FBE validation with Fscrypt v2 + inline crypt + wrapped
key changes kernel.

Bug: 147733587

Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
2020-02-12 14:26:26 -08:00
Martijn Coenen
fd9cdbf124 Set quota project ID and inheritance on top-level storage directory.
When creating external storage directories like /data/media/0, make sure
we set the quota project ID correctly, and enable project ID
inheritance. This ensures that all directories/files under this will be
created with the correct project ID and inheritance as well.

Bug: 146419093
Test: lsattr -p on /data/media
Change-Id: I32bfced0d67eb8c1865897b085324f00c55926a0
2020-02-12 13:18:46 +01:00
Paul Crowley
73be12dcd5 Refactor: make cryptfs.h smaller
Move most of it into cryptfs.cpp, and include cryptfs.h in fewer files.

Bug: 147814592
Test: Treehugger
Change-Id: Ia3592d73e7abc1f07a60538e0978a3033bdea7de
2020-02-07 11:16:12 -08:00
Paul Crowley
77df7f207d Refactor to use EncryptionPolicy everywhere we used to use raw_ref
Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen
Bug: 147733587
Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
2020-01-28 11:17:58 -08:00
Barani Muthukumaran
b1927c2a0a vold: Do not cache CE keys in vold
CE keys were cached in vold to support untrusted reset
by a device admin, this is now supported by Locksettingservice
using synthetic password. This change requires a secret to be
provided to retrieve the CE key and re-wrap without the secret
when user removes the credential.

Test: Set credential, remove credential, swipe to none
and vice-versa.
Bug: 26948053
Merged-In: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
Change-Id: I4cb1c035a472477e70c1ff5bf0b2c3fcfad495e5
2020-01-24 00:20:22 +00:00