Commit graph

4524 commits

Author SHA1 Message Date
Treehugger Robot
85705f6c86 Merge "Remove ndk_platform backend. Use the ndk backend." 2021-07-28 12:26:13 +00:00
Nikita Ioffe
cbf82ffa29 Merge "Remove vold logs related to block devices" 2021-07-28 11:01:01 +00:00
Nikita Ioffe
b881fc4feb Remove vold logs related to block devices
Since every APEX requires at least one loop device, now most of the
block devices on a device are not managed by vold. This change removes
some log statements around block devices that vold is not aware of.

Test: device boots
Test: adb logcat
Change-Id: I8efa22023c1f888e75f40178fac464af4457df3c
2021-07-28 02:58:57 +01:00
Jiyong Park
973e05938d Remove ndk_platform backend. Use the ndk backend.
The ndk_platform backend will soon be deprecated because the ndk backend
can serve the same purpose. This is to eliminate the confusion about
having two variants (ndk and ndk_platform) for the same 'ndk' backend.

Bug: 161456198
Test: m
Change-Id: I87554ce86da0f862568c5aa84a21e6613655eb25
2021-07-27 12:21:11 +09:00
Keith Mok
2d76731968 Merge "Add command for setting the key binding seed" 2021-07-15 20:47:42 +00:00
Sean Keys
8452f41d4a Add command for setting the key binding seed
The seed value is passed to vold early in startup so that the
key-encryption keys are bound to the seed. This is useful for systems
like auto, in which the Android device may not require credentials to
use. In that case, the device should be bound to the rest of the system
(the car, in the case of auto) to guard against theft.

Test: manual
Change-Id: I2e16387b0752a30ef226b5ddf32ebf955aa9610a
2021-07-13 23:41:50 +00:00
Eric Biggers
a3bd31c170 Merge "Ignore too-early earlyBootEnded on FDE devices" 2021-06-25 19:43:02 +00:00
Eric Biggers
4859e0ca0f Ignore too-early earlyBootEnded on FDE devices
Don't call IKeystoreMaintenance::earlyBootEnded() too early on FDE
devices, so that keystore2 doesn't have to be restarted.

Bug: 192090857
Test: Tested FDE on Cuttlefish, both first and non-first boots.
      Verified via log that earlyBootEnded is now called only when it
      should be, and that keystore2 no longer has to be restarted.
Change-Id: I03f816db194a8276ad19ca99b3c8894e8a5fed23
2021-06-25 12:40:21 -07:00
Treehugger Robot
73a54f653b Merge "Replace writepid with task_profiles command for cgroup migration" 2021-06-23 21:32:20 +00:00
Suren Baghdasaryan
d7d3010c45 Replace writepid with task_profiles command for cgroup migration
writepid command usage to join a cgroup has been deprecated in favor
of a more flexible approach using task_profiles. This way cgroup path
is not hardcoded and cgroup changes can be easily made. Replace
writepid with task_profiles command to migrate between cgroups.

Bug: 191283136
Test: build and boot
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: I9e89fc0f3dc1b4e970cf3a5982ed7f177d2c392c
2021-06-23 18:40:55 +00:00
Paul Crowley
f267642932 Merge "Remove wait_for_keymaster and all references" am: a236ff87b9
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1736579

Change-Id: I163f07ec1d3f62423d233da7bf225579f9d0894f
2021-06-17 18:40:40 +00:00
Paul Crowley
a236ff87b9 Merge "Remove wait_for_keymaster and all references" 2021-06-17 18:18:28 +00:00
Treehugger Robot
23aaf5a7a6 Merge "No using inside header files" am: 17e1a0919d
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1285212

Change-Id: Ifb5136466ac04777988d14e3db63578a66384d29
2021-06-16 10:14:44 +00:00
Treehugger Robot
17e1a0919d Merge "No using inside header files" 2021-06-16 09:56:52 +00:00
Paul Crowley
604abdd0cb Remove wait_for_keymaster and all references
No longer needed now init listens for property changes on a
separate thread.

Bug: 186580823
Test: Cuttlefish boots successfully
Change-Id: I7dd1f85a73df6c2160ef8778703709e90309b9b4
2021-06-15 15:54:51 -07:00
Paul Crowley
f4430387d2 No using inside header files
I thought it was OK to use "using" in a header file so long as it was
inside a "namespace" block, but it just imports symbols from one
namespace into another, so things that shouldn't work do.

Test: Treehugger
Change-Id: I4d43d35339636af7e95761cada7120b4db638c01
2021-06-15 15:20:44 -07:00
Eric Biggers
087a2952db Merge "Replace most references to Keymaster with Keystore" am: ec78a94586
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1737853

Change-Id: Ic27ef7ebf2817da0a1a302ae77186ce3973368a1
2021-06-15 21:50:06 +00:00
Eric Biggers
ec78a94586 Merge "Replace most references to Keymaster with Keystore" 2021-06-15 21:35:16 +00:00
Eric Biggers
d86a8abec7 Replace most references to Keymaster with Keystore
Now that vold uses Keystore2 rather than the Keymaster HAL directly, and
also the new version of Keymaster is called "KeyMint" instead, replace
most of the references to Keymaster in vold with Keystore.

(I decided not to include the "2" in most places, as it seemed
unnecessarily precise in most places, and it would be something that
might need to keep being updated.  Only Keystore.{cpp,h} really need to
care about the version number.)

I didn't rename many things in cryptfs.cpp, as that file will be going
away soon anyway.  I also left "wait_for_keymaster" and "vdc keymaster
earlyBootEnded" as-is for now, as those are referenced outside vold.

Bug: 183669495
Change-Id: I92cd648fae09f8c9769f7cf34dbf6c6e956be4e8
2021-06-15 12:07:15 -07:00
Eric Biggers
d535dc6846 Merge "cryptfs: log beginning/end of each unmount attempt" am: e33bd41f49
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1735012

Change-Id: Id6caea9e59a5b65a594c3545ca8d3e90a0558a7c
2021-06-14 22:15:18 +00:00
Eric Biggers
e33bd41f49 Merge "cryptfs: log beginning/end of each unmount attempt" 2021-06-14 22:00:00 +00:00
Xin Li
35c828e5ae Merge "DO NOT MERGE - Merge ab/7272582" am: 12e48a85fb
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1735803

Change-Id: Iad13ce7ee56cf7d85a896f48d4b5af0c5df29220
2021-06-14 03:14:01 +00:00
Xin Li
0bd6aa1328 DO NOT MERGE - Merge ab/7272582 am: 1c79e144d5
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1735803

Change-Id: I6b77a17874d042c6ec322b7a770149e75340a915
2021-06-14 03:13:51 +00:00
Xin Li
12e48a85fb Merge "DO NOT MERGE - Merge ab/7272582" 2021-06-14 03:02:53 +00:00
Eric Biggers
47525e6f78 cryptfs: log beginning/end of each unmount attempt
Add more log messages to make it easier to understand failures in
wait_and_unmount().

Bug: 189250652
Change-Id: I621f54f30bb01cd52c4f9a74dba2d46b4d1a8a9d
2021-06-11 17:56:27 -07:00
Xin Li
1c79e144d5 DO NOT MERGE - Merge ab/7272582
Bug: 190855093
Change-Id: I6739d9fa0fc483ed6128811f0e03c8178fed821a
2021-06-11 17:34:10 -07:00
Treehugger Robot
b84d773488 Merge changes from topic "rename-key-dir" am: 9891ae7479
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1730556

Change-Id: I43149e3979d9b7f1548cd91f50024c9d471096f0
2021-06-09 00:37:10 +00:00
Treehugger Robot
9891ae7479 Merge changes from topic "rename-key-dir"
* changes:
  Don't export storeKey(), and update comments
  Always use RenameKeyDir() when moving/renaming key directories
  Make RenameKeyDir() use IsSameFile()
2021-06-09 00:21:43 +00:00
Satya Tangirala
351a4af716 Don't export storeKey(), and update comments
storeKey() is no longer used outside KeyStorage.cpp, so make it a static
function.  Also fix the documentation for storeKey() (e.g. it's no
longer safe to directly move/rename directories created by storeKey() --
one must use RenameKeyDir() instead).

No functional changes.

[ebiggers@ - cleaned up slightly from satyat@'s original change]

Bug: 190398249
Change-Id: I85918359e77bef414dfddfe5ded30fcde6514013
2021-06-08 15:57:31 -07:00
Satya Tangirala
0f890a93e1 Always use RenameKeyDir() when moving/renaming key directories
Make fixate_user_ce_key() use RenameKeyDir() to rename key directories
so that any deferred commits for these directories are also updated
appropriately.

This fixes a potential lost Keymaster key upgrade if a key were to be
re-wrapped while a user data checkpoint is pending.  This isn't a huge
issue as the key will just get upgraded again, but this should be fixed.

[ebiggers@ - cleaned up slightly from satyat@'s original change]

Bug: 190398249
Change-Id: Ic6c5b4468d07ab335368e3d373916145d096af01
2021-06-08 15:57:31 -07:00
Eric Biggers
107d21d484 Make RenameKeyDir() use IsSameFile()
Comparing paths is error-prone (e.g. "/foo/bar" vs "/foo//bar"), so
entries in key_dirs_to_commit are compared using inode and device
number.  However RenameKeyDir() breaks this rule and compares raw paths.

Avoid this quirk by finding the entry in the list to replace before
doing the rename.

This doesn't fix any known problem, as vold is fairly consistent with
its paths in practice; this is just a robustness improvement.

Bug: 190398249
Change-Id: I3ce2c0119cb2012ac9d12849570e56600bc23867
2021-06-08 15:57:31 -07:00
Treehugger Robot
bf28ef63eb Merge "cryptfs: try harder to unmount subdirectory mounts" am: 827dfe6e75
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1729173

Change-Id: Ia4e3e045742d5aa15fb25d20c027911a84872195
2021-06-08 19:59:37 +00:00
Eric Biggers
7ece899507 Merge "Remove /data/misc/vold/user_keys/ce/${user_id} when no longer needed" am: 67db7b9786
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1721850

Change-Id: Ia0ce45874af2fc1b01bf26c56887863d92ade912
2021-06-08 19:59:28 +00:00
Treehugger Robot
827dfe6e75 Merge "cryptfs: try harder to unmount subdirectory mounts" 2021-06-08 19:39:12 +00:00
Eric Biggers
8953430064 cryptfs: try harder to unmount subdirectory mounts
ensure_subdirectory_unmounted() was ignoring the return value from
umount(), so it wasn't possible to tell whether it succeeded or failed.
Make it log an error message on failure.

Also, there might be cases where ensure_subdirectory_unmounted() fails
initially but would succeed later, e.g. due to files in a subdirectory
mount being open and requiring processes to be killed.  To make this
more robust, keep calling ensure_subdirectory_unmounted() before each
attempt of umount("/data").

I'm not sure whether this will actually fix bug 189250652, as it hasn't
been root-caused yet, but this might help.

Bug: 189250652
Change-Id: I979b12d3c6a88fe3335ff548b1f8a5db43683c4f
2021-06-07 12:45:54 -07:00
Eric Biggers
67db7b9786 Merge "Remove /data/misc/vold/user_keys/ce/${user_id} when no longer needed" 2021-06-01 17:07:31 +00:00
Eric Biggers
d863b2cd4a Remove /data/misc/vold/user_keys/ce/${user_id} when no longer needed
When a user is removed, vold is deleting the subdirectories of
/data/misc/vold/user_keys/ce/${user_id} but not that directory itself.
This is unexpected, as none of the user's directories should be left
around.  Delete it too.

Bug: 188702840
Test: pm create-user foo
      pm remove-user 10
      stat /data/misc/vold/user_keys/ce/10 # no longer exists
Change-Id: Id4033a668fa6de1debb9ba6fdd1351c940bd35fc
2021-05-27 17:34:19 -07:00
Satya Tangirala
38c07b96a1 Merge "Fix bug with deferred commits for key upgrades in temporary directories" am: 54ebfb5806
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1706645

Change-Id: I441e7684b9e35d168ef034456311e95c01e8b18b
2021-05-13 22:26:53 +00:00
Satya Tangirala
54ebfb5806 Merge "Fix bug with deferred commits for key upgrades in temporary directories" 2021-05-13 21:59:41 +00:00
Satya Tangirala
9475b11a1e Fix bug with deferred commits for key upgrades in temporary directories
storeKeyAtomically() stores keys in a temp directory before renaming
that directory to the real target directory. However when the key is
stored in the temporary directory, the Keymaster storage key might get
upgraded, and it's possible that the temp directory is scheduled for a
deferred commit. storeKeyAtomically() renames that temp directory, but
doesn't update the list of directories marked for deferred commit.

This patch fixes this by removing the temp directory from the list and
adding the real target directory to that list instead.

This bug was found when trying to switch from using the guest keymint to
using the host remote keymint implementation on cuttlefish
(aosp/1701925).  The device triggers this bug (and boots to recovery)
when aosp/1701925 is cherry-picked.

Co-Developed-By: Eric Biggers <ebiggers@google.com>
Test: Cuttlefish boots with and without aosp/1701925
Change-Id: I3b6fd6ad32ed415da94423cca6f5a121c16472f2
2021-05-13 11:21:23 -07:00
Satya Tangirala
545a13a568 Merge changes from topic "vold-keystore2-fixes" am: 98692ab9bb
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1705226

Change-Id: I310d09e283e3d8804ba7154295d9b004e95cda98
2021-05-12 22:52:36 +00:00
Satya Tangirala
98692ab9bb Merge changes from topic "vold-keystore2-fixes"
* changes:
  Remove unused constants and cleanup KeyStorage.cpp
  Remove unused parameter "salt" from stretchSecret()
  Use AServiceManager_waitForService() to connect to keystore2
2021-05-12 22:32:32 +00:00
Satya Tangirala
6b98fb6122 Remove unused constants and cleanup KeyStorage.cpp
Now that the salt and hardware auth token related code has been removed,
we can remove the associated (and now unused) constants.

Also cleanup some comments and remove includes related to hardware auth
token support.

Bug: 181910578
Test: Cuttlefish boots.
Change-Id: I3733d5c6bbf6989adc165c554ee53faa2484f4b6
2021-05-12 13:05:35 -07:00
Satya Tangirala
478cea9783 Remove unused parameter "salt" from stretchSecret()
stretchSecret() no longer uses the "salt" parameter, so remove it and
simplify callers

Bug: 181910578
Test: Cuttlefish boots.
Change-Id: Ic2d0742b22b98a66da37f435e274c9d385b8e188
2021-05-12 13:05:35 -07:00
Satya Tangirala
6ef4e37351 Use AServiceManager_waitForService() to connect to keystore2
Vold currently uses AServiceManager_getService() to connect to
keystore2, which has an internal timeout of 5s. Since a lot of vold
keystore2 connection failures are fatal, we instead use
AServiceManager_waitForService(), which will wait efficiently for
keystore2 to start, instead of timing out after 5s.

Bug: 185934601
Test: Cuttlefish boots.
Change-Id: Ib4e977a997e020082382e0686f448d1aa72834ec
2021-05-11 19:30:30 -07:00
Treehugger Robot
274804863c Merge "Show names of processes killed by KillProcessesWithOpenFiles()" am: 93dd933d85
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1697789

Change-Id: Ifc538a3c7cee0df30b727b08333f2e037011656d
2021-05-11 20:39:27 +00:00
Treehugger Robot
93dd933d85 Merge "Show names of processes killed by KillProcessesWithOpenFiles()" 2021-05-11 20:24:49 +00:00
Eric Biggers
03e021ba56 Merge "cryptfs: kill processes more quickly in wait_and_unmount()" am: 297b23837e
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/1702389

Change-Id: I48bdc416c72646af7a6f87bad78e0b759e9f1080
2021-05-11 20:17:12 +00:00
Eric Biggers
297b23837e Merge "cryptfs: kill processes more quickly in wait_and_unmount()" 2021-05-11 20:00:14 +00:00
Eric Biggers
b4faeb8d44 cryptfs: kill processes more quickly in wait_and_unmount()
In wait_and_unmount(), kill the processes with open files after umount()
has been failing for 2 seconds rather than 17 seconds.  This avoids a
long boot delay on devices that use FDE.

Detailed explanation:

On FDE devices, vold needs to unmount the tmpfs /data in order to mount
the real, decrypted /data.  On first boot, it also needs to unmount the
unencrypted /data in order to encrypt it in-place.

/data can't be unmounted if files are open inside it.  In theory, init
is responsible for killing all processes with open files in /data, via
the property trigger "vold.decrypt=trigger_shutdown_framework".

However, years ago, commit 6e8440fd50 ("cryptfs: kill processes with
open files on tmpfs /data") added a fallback where vold kills the
processes itself.  Since then, in practice people have increasingly been
relying on this fallback, as services keep being added that use /data
but don't get stopped by trigger_shutdown_framework.

This is slowing down boot, as vold sleeps for 17 seconds before it
actually kills the processes.

The problematic services include services that are now started
explicitly in the post-fs-data trigger rather than implicitly as part of
a class (e.g., tombstoned), as well as services that now need to be
started as part of one of the early-boot classes like core or early_hal
but can still open files in /data later (e.g. keystore2 and credstore).

Another complication is that on default-encrypted devices (devices with
no PIN/pattern/password), trigger_shutdown_framework isn't run at all,
but rather it's expected that the relevant services simply weren't
started yet.  This means that we can't fix the problem just by fixing
trigger_shutdown_framework to kill all the needed processes.

Therefore, given that the vold fallback is being relied on in practice,
and FDE won't be supported much longer anyway (so simple fixes are very
much preferable here), let's just change wait_and_unmount() in vold to
use more appropriate timeouts.  Instead of waiting for 17 seconds before
killing processes, just wait for 2 seconds.  Keep the total timeout of
20 seconds, but spend most of it retrying killing the processes, and
only if the unmount is still failing.

This avoids the long boot delays in practice.

Bug: 187231646
Bug: 186165644
Test: Tested FDE on Cuttlefish, and checked logcat to verify that the
      boot delay is gone.
Change-Id: Id06a9615a87988c8336396c49ee914b35f8d585b
2021-05-10 20:44:07 -07:00