On the first boot after an upgrade, ensure that any Keystore key
deletions triggered by fscrypt_set_user_key_protection() are deferred
until the userdata filesystem checkpoint is committed, so that the
system doesn't end up in a bad state if the checkpoint is rolled back.
Test: see I77d30f9be57de7b7c4818680732331549ecb73c8
Bug: 232452368
Ignore-AOSP-First: depends on other changes in internal master
Change-Id: I59b758bc13b7a2ae270f1a6c409affe2eb61119c
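The hazard the commit above describes, as an added example (not vold's code): the Keystore sits outside the userdata checkpoint, so deleting a Keystore key while the checkpoint is still pending is an irreversible side effect of a transaction that may still be rolled back. The `FakeKeystore` and `DeferredKeyDeleter` classes below are hypothetical stand-ins that queue deletions until commit and discard the queue on rollback; the key names and the scenario functions are constructed for illustration.

```cpp
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Stand-in for the real Keystore (constructed for this example): deletions
// here are durable and are NOT covered by the userdata checkpoint.
class FakeKeystore {
 public:
  void Add(const std::string& id) { keys_.insert(id); }
  bool Delete(const std::string& id) { return keys_.erase(id) == 1; }
  bool Has(const std::string& id) const { return keys_.count(id) != 0; }

 private:
  std::set<std::string> keys_;
};

// Hypothetical helper: queues Keystore deletions while a userdata checkpoint
// is pending and applies them only once the checkpoint commits. If the
// checkpoint is rolled back, the old on-disk key blobs reappear, so the
// Keystore keys that wrap them must still exist; the queue is dropped.
class DeferredKeyDeleter {
 public:
  DeferredKeyDeleter(FakeKeystore& ks, bool checkpoint_pending)
      : ks_(ks), checkpoint_pending_(checkpoint_pending) {}

  // Called when a key is superseded, e.g. after the CE key has been
  // re-encrypted under a new protector and the old Keystore key is unused.
  void DeleteWhenSafe(const std::string& id) {
    if (checkpoint_pending_) {
      pending_.push_back(id);
    } else {
      ks_.Delete(id);
    }
  }

  // The new on-disk state is now durable; the queued keys are garbage.
  size_t OnCheckpointCommitted() {
    size_t deleted = 0;
    for (const auto& id : pending_) deleted += ks_.Delete(id) ? 1 : 0;
    pending_.clear();
    checkpoint_pending_ = false;
    return deleted;
  }

  // The old on-disk state is restored; keep every key it still references.
  size_t OnCheckpointRolledBack() {
    size_t dropped = pending_.size();
    pending_.clear();
    checkpoint_pending_ = false;
    return dropped;
  }

  size_t PendingCount() const { return pending_.size(); }

 private:
  FakeKeystore& ks_;
  bool checkpoint_pending_;
  std::vector<std::string> pending_;
};

// Constructed scenario: first boot after an upgrade with a pending checkpoint.
// "old_key" wraps the previously stored CE key blob, "new_key" the re-encrypted one.
bool RollbackKeepsOldKey() {
  FakeKeystore ks;
  ks.Add("old_key");
  ks.Add("new_key");
  DeferredKeyDeleter deleter(ks, /*checkpoint_pending=*/true);
  deleter.DeleteWhenSafe("old_key");
  // Rolled back: the blob encrypted under old_key is back on disk, so old_key must survive.
  deleter.OnCheckpointRolledBack();
  return ks.Has("old_key") && ks.Has("new_key");
}

bool CommitDeletesOldKey() {
  FakeKeystore ks;
  ks.Add("old_key");
  ks.Add("new_key");
  DeferredKeyDeleter deleter(ks, /*checkpoint_pending=*/true);
  deleter.DeleteWhenSafe("old_key");
  return deleter.PendingCount() == 1 && deleter.OnCheckpointCommitted() == 1 &&
         !ks.Has("old_key") && ks.Has("new_key");
}

// Normal boot with no checkpoint in flight: deletion happens immediately.
bool NoCheckpointDeletesImmediately() {
  FakeKeystore ks;
  ks.Add("old_key");
  DeferredKeyDeleter deleter(ks, /*checkpoint_pending=*/false);
  deleter.DeleteWhenSafe("old_key");
  return !ks.Has("old_key") && deleter.PendingCount() == 0;
}
```

The invariant worth checking in any real implementation is the first scenario: after a rollback, every Keystore key referenced by the restored on-disk blobs must still be present.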
Ignore-AOSP-First: Internal CR while awaiting security and legal review.
This CR, when paired with a functional NTFS implementation and the
corresponding SEPolicy updates, will allow NTFS USB drives to be mounted
on Android.
Bug: 254407246
Test: Extensive testing with an ADT-4 and NTFS USB drives.
Change-Id: If4197c4c588866c611cd6ba3483707d3cb0e0cf8
Cache the EncryptionOptions for /data in a static variable so that it
doesn't have to be repeatedly regenerated from the fstab.
Bug: 232452368
Bug: 251131631
Bug: 251147505
Ignore-AOSP-First: depends on other changes in internal master
Change-Id: I24b27190ed807f142b793d3cf250ec271d092f34
Directory syncs can be expensive, so only sync the directory in
fixate_user_ce_key() if something was actually done, i.e. if at least
one key directory was deleted or renamed. Previously, the unconditional
sync in this function was being executed whenever the CE key was
retrieved or stored. Note that all the syncs needed when storing the
key already happen in storeKeyAtomically(); this one was unrelated.
Bug: 232452368
Bug: 251131631
Bug: 251147505
Ignore-AOSP-First: depends on other changes in internal master
Change-Id: Ib0f2b9e27cdd11e359a1618cddc1f5480bd2fd37
Try to be more robust in the case where the device is rebooted during
the first boot, in between the generation and the storage of the CE key
for a user other than user 0. This is relevant when users are created
during early boot, which Automotive devices do.
Bug: 232452368
Bug: 251213447
Ignore-AOSP-First: depends on other changes in internal master
Change-Id: Ic8f19a36c1385a71a168a330e87675433925a60f
As a small optimization and code simplification, stop reading and
writing the "stretching" file alongside each stored key. vold never
does key stretching anymore.
There was one special case in the code where if the stretching file
existed and contained "nopassword", then the secret was ignored.
However, this didn't seem to be of any use, especially since it didn't
cause Keystore to be used, so it did *not* allow a key stored with no
secret to be read if a secret was unexpectedly provided.
Bug: 232452368
Bug: 251131631
Bug: 251147505
Change-Id: I5a7cbba7492526e51c451f222b9413d9fae6bce5
Try to be more robust in the case where the device is rebooted during
the first boot, in between the generation and the storage of user 0's CE
key. We can automatically recover from this scenario by generating a
new CE key and replacing /data/data.
This might resolve b/251213447.
Bug: 232452368
Bug: 251213447
Ignore-AOSP-First: depends on other changes in internal master
Change-Id: If0675de9167f7f855c0c0c6afe55fd1da39f5ce1
Storage keys that are encrypted by the user's synthetic password don't
need to be securely deletable by vold, since secure deletion is already
implemented at a higher level: the synthetic password protectors managed
by LockSettingsService. Therefore, remove the use of the secdiscardable
file by vold in this case to improve performance.
Bug: 232452368
Bug: 251131631
Bug: 251147505
Change-Id: I847d6cd3b289dbeb1ca2760d6e261a78c179cad0
The legacy method for metadata encryption on adoptable storage fails
when the size of the block device isn't a multiple of the crypto sector size.
Update the size of the dm-crypt device according to the sector size
before constructing the dm_target.
Bug: 248582018
Change-Id: I5c78889bdfedca7f7b0704500fc313d7a48d5a3b
Signed-off-by: Hongyu Jin <hongyu.jin@unisoc.com>
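The size rounding the commit above describes, as an added example (not vold's code). Device-mapper table lengths are expressed in 512-byte units, and a dm-crypt target that uses `sector_size:N` requires its length to be a multiple of N/512 of those units; a block device whose byte size is not a multiple of N therefore has to be truncated before the table line is built. The function names, the cipher string, the key and the device path below are hypothetical; the table layout follows the dm-crypt target format (`start length crypt cipher key iv_offset device offset #opts opts...`).

```cpp
#include <cstdint>
#include <sstream>
#include <stdexcept>
#include <string>

// Device-mapper counts sectors in 512-byte units regardless of the crypto sector size.
constexpr uint64_t kDmSectorBytes = 512;

// Hypothetical helper: largest dm length (in 512-byte units) that is a whole
// number of crypto sectors. Bytes beyond the last full crypto sector are dropped.
uint64_t AlignedCryptLength(uint64_t dev_size_bytes, uint32_t crypto_sector_size) {
  bool power_of_two = crypto_sector_size != 0 &&
                      (crypto_sector_size & (crypto_sector_size - 1)) == 0;
  if (crypto_sector_size < kDmSectorBytes || !power_of_two) {
    throw std::invalid_argument("crypto sector size must be a power of two >= 512");
  }
  uint64_t usable_bytes = dev_size_bytes - (dev_size_bytes % crypto_sector_size);
  return usable_bytes / kDmSectorBytes;
}

// The check the kernel applies: the target length must be a multiple of the
// crypto sector size expressed in 512-byte units.
bool CryptLengthIsValid(uint64_t length_sectors, uint32_t crypto_sector_size) {
  return length_sectors % (crypto_sector_size / kDmSectorBytes) == 0;
}

// Naive length as the legacy path would compute it: byte size / 512, no alignment.
uint64_t NaiveCryptLength(uint64_t dev_size_bytes) {
  return dev_size_bytes / kDmSectorBytes;
}

// Builds a dm-crypt table line with the aligned length and a sector_size option.
std::string BuildCryptTable(uint64_t dev_size_bytes, uint32_t crypto_sector_size,
                            const std::string& cipher, const std::string& key_hex,
                            const std::string& blk_dev) {
  uint64_t len = AlignedCryptLength(dev_size_bytes, crypto_sector_size);
  std::ostringstream table;
  table << "0 " << len << " crypt " << cipher << " " << key_hex << " 0 " << blk_dev
        << " 0 1 sector_size:" << crypto_sector_size;
  return table.str();
}
```

For a constructed 1,000,000-byte device and a 4096-byte crypto sector, the naive length is 1953 units, which is not a multiple of 8 and would be rejected; the aligned length is 1952 units (244 full crypto sectors), and the trailing 576 bytes are simply not mapped.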
When generating a CE key, don't persist it immediately with
kEmptyAuthentication. Instead, cache it in memory and persist it later
when the secret to protect it with is given. This is needed to make it
so that the CE key is always encrypted by the user's synthetic password
while it is stored on-disk. See the corresponding system_server changes
for more information about this design change and its motivation.
As part of this, simplify vold's Binder interface by replacing the three
methods addUserKeyAuth(), clearUserKeyAuth(), and
fixateNewestUserKeyAuth() with a single method setUserKeyProtection().
setUserKeyProtection() handles persisting the key for a new user or
re-encrypting the default-encrypted key for an existing unsecured user.
Bug: 232452368
Ignore-AOSP-First: This depends on frameworks/base changes that can only
be submitted to internal master, due to conflicts.
Test: see Ia753ea21bbaca8ef7a90c03fe73b66c896b1536e
Change-Id: Id36ba8ee343ccb6de7ec892c3f600abd636f6ce5
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I59c62e854707afe4020522a45f497454fe0017bc
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I0f16d59d0fd19f3e1c31f1e1b34f7745a1854ded
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: Ic61f28f1c336a049d02664b12a4d6c95c98323b0
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I66e62f75632b9997f411989952dea65f6cbb6c9f
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: Ia960d269e55ca3a616f92e35d78eb775b0f42089
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I8081ab864aaf5d222f02a0ac3cf8557b058a959c
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I22c2be9483000fbf4b7c44190828b7ee96bc7ef4
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: Iebbbc82040a8b9f9126b17e5be21f669bd79e86d
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I02b02043d7fd112d860c3c39e92e78abbac136fd
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I7876d4bf00b328961ea1f40dfdc1d7d745599485
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I706e111de9d7ee32e3c26602e0c7f458d9156eeb
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: I35727301158f7d64c0b39ad110add2f3e84ef86b
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
am skip reason: Merged-In I648a1af9e16787dfcfeefa2b2f2e4a72cac2c6a6 with SHA-1 2d30b890d2 is already in history
Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2186984
Change-Id: Icfebe368155bc2ccf36884a5df443e05b2b77880
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>