The new wipe option to the vold format command will invoke BLKDISCARD
on the partition before invoking newfs_msdos. This will be used whenever
a full wipe of the device is wanted, as this is more secure than just
doing newfs_msdos.
Bug: 9392982
Change-Id: Ie106f1b9cc70abc61206006d1821641c27c7ccae
The new selinux_reload_policy command can take a while to complete on
some systems. The reason is being investigated, and hopefully a fix can
be found to improve performance, but for now, increase the timeout that
vold waits for the post_fs_data section to complete when decrypting a
device on boot.
Also, emit a decent error message if the device times out.
Bug: 8967715
Change-Id: Ifb01c983dffe095a9de752c17c467a1751e9ce99
In order to display the correct language, timezone, airplane
mode and other settings on the decrypt screen, a copy of those
settings needs to be stored unencrypted so the framework can
query them. This adds support to vold to store up to 32
property like key/value pairs that are not encrypted.
Change-Id: Id5c936d2c57d46ed5cff9325d92ba1e8d2ec8972
Change vold to use the unified fstab. This includes both
support for sdcards, and changes to the crypto code to work
with some changes to the fs_mgr library api.
Change-Id: Id5a8aa5b699afe151db6e31aa0d76105f9c95a80
dm-crypt version 1.11.0 and later supports the allow_discards option
when setting up a crypto device. This passes discard requests from
the filesytem to the underlying block device. This helps make flash
based storage faster. So query the dm-crypt version, and pass the
option if the version is 1.11.0 or greater.
Change-Id: If30e9db5a2dbd6ea0281d91344e5b2c35e75131e
The previous problem of the framework not properly restarting after accepting
the password to decrypt the storage is also a problem when restarting the
framework to display the encryption progress screen. So like the previous
hacky fix, add a sleep to wait a few moments before proceeding. Also,
increase the sleep of the previous fix from 1 second to 2, as the problem
was seen once more in testing. A proper fix has been designed and hopefully
will work and be checked-in RSN.
Change-Id: Icc2c072ce7f7ebcdea22cd7ff8cb2b87a627c578
There is a race in the encryption code that after it accepts the
decryption password, it tells init to kill all the processes in
class "main", then it mounts the decrypted filesystem, preps it,
and restarts the framework. For an unknown reason on some devices,
the new framework sometimes starts up before init has killed and
reaped all the old processes. The proper fix is to make the killing
of the old framework synchronous, so vold waits till all the
processes have died. But with factory rom a few days away, the
much more pragmatic solution of adding a sleep of 1 second after
telling init to kill the old framework will suffice.
Bug: 7271212
Change-Id: Ie971cd04abbc6f3f6500b4acd79d3b3b26d9561c
The kernel seems to return from umount(2) sometimes before it has
released the underlying block device. So until the kernel is fixed,
try up to 10 times to load the crypto mapping table, waiting 500 ms
between tries.
bug: 7220345
Change-Id: Iad3bbef37cbe2e01613bb8a8c4886babdecb8328
When creating a new file using open(..., O_CREAT), it is an error
to fail to specify a creation mode. If a mode is not specified, a
random stack provided value is used as the "mode".
This will become a compile error in a future Android change.
Change-Id: I761708c001247d7a2faac2e286288b45bfecc6f7
Now that forward locked apps are stored on /data as asec image files
that are mounted, they need to be unmounted before /data can be unmounted
so it can be encrypted.
Change-Id: I7c87deb52aaed21c8ad8ce8aceb7c15c2338620a
The new filesystem manager is in charge of mounting the block devices now,
removing much of the knowledge from init.<device>.rc. This also let us
clean up some init code dealing with encryption, so this change updates
vold to work with that. More cleanup is possible, but the main goal of the
filesystem manager was to enable e2fsck, not a full cleanup of encryption.
Change-Id: I00ea80a923d14770ed8fdd190e8840be195f8514
The new filesystem manager is in charge of mounting the block devices now,
removing much of the knowledge from init.<device>.rc. This also let us
clean up some init code dealing with encryption, so this change updates
vold to work with that. More cleanup is possible, but the main goal of the
filesystem manager was to enable e2fsck, not a full cleanup of encryption.
Change-Id: I00ea80a923d14770ed8fdd190e8840be195f8514
Needed for headless devices that need to recover with no user intervention
Bug: 5556856
Change-Id: I0f85591df513a6893324fb057bde114ac1df044b
Signed-off-by: Mike Lockwood <lockwood@google.com>
If there is filesystem damage on a non-encrypted device, and /data is not
mountable, and if the device stores the keys in a file on a different
partition (like on Crespo) then, vold would return an error which caused
the crypto UI to present an option to the user to wipe the device because
it assumed encryption had failed. This fixes it to not do that.
Change-Id: Ibff6299787b45768416dbc4052de7db3b140b808
This vold command returns 0 if the given password matches the password
used to decrypt the device on boot. It returns 1 if they don't match,
and it returns -1 on an internal error, and -2 if the device is not encrypted.
Also check the uid of the sender of the command and only allow the root and
system users to issue cryptfs commands.
Change-Id: I5e5ae3b72a2d7814ae68c2d49aa9deb90fb1dac5
If a raw block is specified for key storage, do not try to force the size
of the file to 16 Kbytes when writing the keys, and do not complain if
the size is not 16 Kbytes when reading the keys. Only do them if the
keyfile is a regular file.
Change-Id: I4de1cb7c3614479d93289d4f2767ca6ce1bbbc73
Add the force_and_revert option to the unmount command which will force
the unmount, and revert a crypto mapping. This is used during factory
reset so that when the internal sdcard volume is formatted, it formats
the raw device, not the encrypted mapping.
Change-Id: I36b6ff9bb54863b121de635472a303bf4a2334a9
Mounting was already not allowed, but also unshare before starting
encryption, and don't allow sharing or formatting to be initiated
during encrytion.
Change-Id: Ida188d81f025739ba4dd90492b3e66088735991e
Forgot to include the size of the userdata partition when computing
the total size of vold managed volumes to encrypt.
Change-Id: I237548439d4380b4225ffbc603fa972c3b1c5bae
Add support for keeping the keys in a separate file on another partition,
for devices with no space reserved for a footer after the userdata filesystem.
Add support for encrypting the volumes managed by vold, if they meet certain
criteria, namely being marked as nonremovable and encryptable in vold.fstab.
A bit of trickiness is required to keep vold happy.
Change-Id: Idf0611f74b56c1026c45742ca82e0c26e58828fe
Fix for bug 3415286. Trigger an action in init.rc to load the persistent
properties after /data has been decrypted and mounted.
Change-Id: I5fe3b481bcc6963113e830728c204b22ffc3b722
The new android_reboot() function is a nicer way to reboot.
It can optionally sync(2) and remount as read-only writable
filesystems. This fixes bug 3350709.
Change-Id: I4618bd5e8cccdce08494a7ca3f40ef72b2875e68
Need to detect if the encryption process didn't finish successfully, and if
so, provide a way for the UI to detect that and give the user an option to
wipe the system clean. Otherwise, the user is stuck in a reboot loop, and
they will need to do magic button presses to enter recovery and wipe the
device to get out of it.
Change-Id: I58253e1e523ee42bdd1a59aa7d8a9d20071bd18b
Bug 3384231 is punted to MR1, but the code to set the flag is already
in the tree, so this CL does 3 things:
1. Comments out the lines that set the flag
2. Removes the change to the checkpw that was added in the last change.
3. Implements a new command to check the flag (which no one is calling
yet and the flag won't be set anyhow).
When MR1 comes, it will be a simple matter to enable the flag setting
code and start testing it.
The fear is a false positive detection of incomplete encryption could
cause people to be prompted to wipe their data when MR1 comes out and
the flag is checked. Not setting this for first release, and testing
this more before MR1, will give us confidence that the code will not
detect false positives of encryption failure.
Change-Id: I6dfba11646e291fe5867e8375b71a53c815f3968
For the case there encryption failes to complete because of a kernel
crash or the user power cycling the device, define a flag in the
crypto footer that says encryption is in progress. Set it when starting
the actual encryption, and clear it when it successfully completes.
When the user is asked for the disk password, if the flag is set,
return a special error to the caller so the UI can know to tell the
user there is no valid data on the disk, and present a button to
wipe and reset the device.
Change-Id: I3723ec77f33437d94b3ac9ad5db0a5c950d11648
The Progress bar UI grabs a full wakelock when encrypting, but we've seen
a case where it looks like the progress bar UI crashes, and the wakelock is
lost, and then all hell breaks loose. The enablecrypto command has a lot of
work to do, and it will take some time, so it should grab a wakelock to
ensure it can finish without being interrupted and put to sleep.
It grabs a partial wake lock, as it doesn't need the screen to be on to do
its work. If the UI wants to keep it on, it should also grab a full wakelock,
which it does. If the UI crashes, the screen may turn off, but the encryption
will keep going, and vold will reboot the device when it's done.
Change-Id: I51d3a72b8c77383044a3facb1604c1ee510733ae
If the already existing filesystem encompasses the entire /data partition
and does not leave the last 16 Kbytes for the crypto footer, refuse to
do encrypt in place and return an error. This is only an issue for folks
with early development systems trying to encrypt an old /data. This should
not be seen in released devices.
Also, if there is an error, try to report back to the UI what the error was
so it can deal with it.
Change-Id: If66781a4fe03034c96c3dd12075240deb8663db0
The master key is now stored unhashed in memory. This
is needed because certain operation like remote reseting
of passwords the old password is not avaliable.
The changepw interface has been changed to only take
the new password as the only argument. When this is
called we reencrypt the master key with the new password
and old salt.
Bug: 3382129
Change-Id: I9a596b89013194605d6d7790067691aa0dc75e72
In order to prevent rainbow table attacks on decrypting the master key,
create a 16 byte "salt" by reading /dev/urandom. This is done right after
reading urandom to get the master key for the filesystem. The salt is
stored 32 bytes after the end of the key (a padding added to help prevent
accidental overwriting of the salt) and the salt is fixed at 16 bytes long.
This change will make existing encrypted filesystems unusable.
Change-Id: I420549d064c61d38aea78eef4d86c88acb265ca3
Maintain and query some internal state to know if it's OK to run
the various cryptfs commands. Do not allow enablecrypto to run if
the device is already encrypted. Do no allow restart to run if
we have already run it before or if the password has not been
validated. Do not allow checkpw to run if not encrypted, or it
has already validated the password.
This is an extra layer of safety on top of the checks up in the
UI code agains possible DoS attacks on the device.
Change-Id: I9afc8d42773020e82a512e6b637feede101d1362
Also, change the value that triggers the progress bar framework from
"startup" to "0" in the property vold.encrypt_progress.
Change-Id: I3890e66a95283ce2ceeca82f516859b083919b9e
Update the enable inplace API to allow the UI to show a progress bar.
Add new command changepw (whichis currently not working)
Internal restructuring of code to support these two features.
Some minor cleanup of the code as well.
Change-Id: I11461fc9ce66965bea6cd0b6bb2ff48bcf607b97
In order to make the animations and the UI look right, we need to change
the cryptfs checkpw command to return a status if the password was
correct or not, and not have it automatically restart if it's correct.
There is a new command restart that will restart the framework with the
encrypted filesystem.
Change-Id: Ia8ae00d7ed8667699aa58d05ad8ba953cca9316e
Now that the framework shuts down quickly, remove the 30
second sleep when enabling crypto. Also, stop spewing
the secret master key to the disk in the system log!
Change-Id: Icb3f9456ababe3dff8de52cbbae92da0e9e5dd2f
There are still a few hacks and performance issues related
to shutting down the framework in this code, but it is
functional and tested. Without the UI changes, it requires
cryptic adb shell commands to enable, which I shall not
utter here.
Change-Id: I0b8f90afd707e17fbdb0373d156236946633cf8b
