Commit graph

88 commits

Author SHA1 Message Date
Calin Juravle
4c4958d706 Merge "Vold: Clean up code related to foreign dex use" am: 61a7d1a815 am: aaa95fbdfe
am: 0a8d4511c8

Change-Id: I3a84eca8a285bed3ec42c8744db8974e0109fb65
2017-03-07 19:10:47 +00:00
Calin Juravle
3a68f14192 Vold: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManger in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: Id0360205b019be92049f36eab4339f4736e974f4
2017-03-03 18:24:21 -08:00
Eric Biggers
b45caafbcc vold: allow specifying HEH filenames encryption
Make the vold changes needed to support specifying aes-256-heh filenames
encryption.  The previous mode, aes-256-cts, remains supported as well.

The file /data/unencrypted/mode is updated to have the syntax
contents_encryption_mode[:filenames_encryption_mode] instead of just
contents_encryption_mode.  This is consistent with the new fstab syntax.

Bug: 34712722
Change-Id: Ibc236d0ec4fdeda4e4e301f45fb996317692cfa3
2017-02-07 20:53:45 +00:00
Andrew Scull
7ec25c715f Evict CE keys on request or when a user is removed.
A work around for a kernel bug is needed to avoid the phone locking up
and turning into a hand warmer.

Test: com.android.cts.devicepolicy.ManagedProfileTest#testLockNowWithKeyEviction*
Bug: 31000719
Change-Id: Ia2121b3e3c22b10351296fa998892a91e601bb2c
2016-12-14 11:13:20 +00:00
Paul Crowley
4f70554179 Merge "Remove misleading comment (b/26948053)"
am: dbeebf56aa

Change-Id: I6e63f700ecd9cad50956cc2a1cc34b4f81b1a497
2016-10-28 21:14:50 +00:00
Paul Crowley
99360d76e5 Remove misleading comment (b/26948053)
Vold is considered part of our trusted computing base, and
compromising vold is already identified as a complete device
compromise. While storing keys only in the kernel would be better, the
current setup does not introduce a security bug or worsen any security
control.

Bug: 26948053
Test: Comment-only change.
Change-Id: Ib5436f4386769ec44b74dc6b50fbcc0fed99b96b
2016-10-19 15:10:26 -07:00
Tao Bao
985d0805e7 Merge "Update the header path for ext4_utils." am: 6a18a6ddb5 am: 4759d1d637
am: e85d4467f5

Change-Id: I78ef6034fc2586383e70345bcd186875528c9ffc
2016-10-10 22:14:58 +00:00
Tao Bao
989fec2769 Update the header path for ext4_utils.
Test: mmma system/vold

Change-Id: I805b8874b05b8043390c2cd3c143cc469913c067
2016-10-05 23:12:49 -07:00
Paul Crowley
25a713873c Don't try to fixate CE keys for ephemeral users
Ephemeral users don't have keys stored on disk at all, so it's neither
necessary nor possible to manipulate the disk keys here.

Bug: 30038313
Change-Id: Idc7ec1bfe1e8a6ffa6cee2f284dbe378097b08da
2016-07-25 15:55:36 -07:00
Paul Crowley
ab0b56aef3 Don't fail if a key we want to delete is already deleted
This can happen when cleaning up stale users at boot time.

Bug: 30158800
Change-Id: I2733d8d525fc79b7f05eb2225b7e6e14c4da277f
2016-07-21 11:27:15 -07:00
Paul Crowley
abc253884f Don't evict keys when we delete users
Work around a kernel bug that was causing lockups.

Bug: 30225438
Change-Id: Ia6eb60774037e692351af8eaed98b79596ea3635
2016-07-19 16:00:35 -07:00
Jeff Sharkey
d24aeda425 Only restorecon CE storage after unlocked.
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed.  This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.

This CL uses an existing facility to request that init run a
recursive restorecon over a given path, and it requests that
operation for the CE directories that would have been omitted by
the SKIPCE flag earlier during boot.

Bug: 30126557
Change-Id: I8c7abea27215075a091f615a7185a82a2f4a4a95
2016-07-18 09:52:46 -06:00
Paul Lawrence
6abe6831b5 Stop dropping caches now we have kernel fix
Only merge once

https://partner-android-review.googlesource.com/#/c/619829/1

has been merged into kernel.

Bug: 28779973
Change-Id: Icef78d1e4381e89e07797c36f6f650033d313557
2016-06-22 09:24:51 -07:00
Paul Lawrence
6e41059734 Set encryption mode in mode file
Bug: 28905864
Change-Id: Ie2a5c3e029075d53a86ef3afb7fe364c16d8d52b
2016-05-27 09:40:37 -07:00
Paul Lawrence
3ae29e7740 Revert "Add fileencrypted=software/ice to fstab options"
This reverts commit 01f1bc7254.

Bug: 28905864
Change-Id: I489f5d073530438829038630af7af6b2a5cbdbbe
2016-05-23 15:05:51 -07:00
Paul Crowley
8fd77a05cc Two phases to set the password for disk encryption
am: a363036b44

* commit 'a363036b44f7f140aa9a943578f56abff5880a60':
  Two phases to set the password for disk encryption

Change-Id: Ia28823079d8c0bda220238339f28095b234a0ae5
2016-05-18 22:59:57 +00:00
Paul Crowley
a363036b44 Two phases to set the password for disk encryption
Revert "Revert "Two phases to set the password for disk encryption""

This reverts commit d402389290.

In addition, fix the bug in the original commit.

Bug: 28154455
Bug: 28694324
Change-Id: I885f1d73e739416347c135d79979941c2bbdbe62
2016-05-17 15:23:06 -07:00
Paul Lawrence
01f1bc7254 Add fileencrypted=software/ice to fstab options
Bug: 28616054
Change-Id: If3fddd62f069c7e3e8369a1db68e69c390059d63
2016-05-11 08:56:31 -07:00
Paul Crowley
44ddebaac0 Merge "e4crypt_is_native has been moved into system/extras." into nyc-dev
am: cfa03d4a4c

* commit 'cfa03d4a4c53acf41dca2c41a2efd00de06043bb':
  e4crypt_is_native has been moved into system/extras.

Change-Id: I345475c44fb2d8812a25c9f2195c748cddc55bfe
2016-05-10 22:17:38 +00:00
Paul Crowley
cfa03d4a4c Merge "e4crypt_is_native has been moved into system/extras." into nyc-dev 2016-05-10 22:12:49 +00:00
Paul Crowley
26642bf7bf Revert "Two phases to set the password for disk encryption"
am: d402389290

* commit 'd402389290eeef86be7eb9241e20fdd125d44eb1':
  Revert "Two phases to set the password for disk encryption"

Change-Id: I53a3804fc7bff9c99840aeee36fc4b7ff8e46ac1
2016-05-10 21:19:47 +00:00
Paul Crowley
d402389290 Revert "Two phases to set the password for disk encryption"
This reverts commit 92c5eeb467.

Bug: 28694324
Change-Id: Ibbbaff287f4dd28f4a13e122a3617987a8875a44
2016-05-10 20:36:43 +00:00
Paul Crowley
4d2d5244d6 e4crypt_is_native has been moved into system/extras.
Bug: 28318405
Change-Id: Id962764cf7fb5f58b769bf99aeb6d3d69cb66991
2016-05-10 08:43:07 -07:00
Paul Crowley
4e44272c3d Two phases to set the password for disk encryption
am: 92c5eeb467

* commit '92c5eeb46779f0fa1c9e6db6b0d632d960cbb2e4':
  Two phases to set the password for disk encryption

Change-Id: I82c1cfa2874ac4709e42f5c2047c832cbcaccb91
2016-05-09 21:51:33 +00:00
Paul Crowley
92c5eeb467 Two phases to set the password for disk encryption
In one phase, we make the new password work, and in the second we make
it the only one which works ("fixation"). This means that we can set
the password in Gatekeeper between these two phases, and a crash
doesn't break things. Unlocking a user automatically fixates the
presented credential.

Bug: 28154455
Change-Id: I54623c8652f0c9f72dd60388a7dc0ab2d48e81c7
2016-05-06 11:09:39 -07:00
Paul Lawrence
85e3d8cd50 Drop caches after installing key policy to avoid cache clashes
Note that this is an ugly workaround for a kernel bug.

Bug: 28373400
Change-Id: Iec1ae53f4e18f06e41e8cf1fcc3ab03fc9848632
2016-04-29 07:58:21 -07:00
Jeff Sharkey
be70c9ae22 Consistent creation/destruction of user data.
Preparing and destroying users currently needs to be split across
installd, system_server, and vold, since no single party has all the
required SELinux permissions.

Bug: 27896918, 25861755
Change-Id: Ieec14ccacfc7a3a5ab00df47ace7318feb900c38
2016-04-15 13:47:52 -06:00
Paul Crowley
71ee662ec3 Don't fail if the CE key isn't loaded in destroy_user_key
Users don't have to be unlocked to be deleted, so don't worry if we
don't have their key to evict.

Bug: 26847403
Bug: 27441228
Change-Id: Ifd93f620926630aa102a3bb4a5d2d45d34f9b75d
2016-03-29 13:07:34 -07:00
Paul Crowley
df528a7011 Run clang-format over ext4crypt related code
The formatting here is inconsistent with Android house style; use
clang-format to bring it back into line.

Change-Id: Id1fe6ff54e9b668ca88c3fc021ae0a5bdd1327eb
2016-03-09 09:34:13 -08:00
Paul Crowley
a051eb7a22 Use pointers not references for out arguments
Google/Android C++ style requires that arguments passed in for writing
should be pointers, not references, so that it's visible in the caller
that they'll be written to.

Bug: 27566014
Change-Id: I5cd55906cc4b2f61c8b97b223786be0b3ce28862
2016-03-09 09:32:02 -08:00
Paul Crowley
d9b9295b8c Fix memory leak in generate_key wrapper. Other fixes.
- catch errors in looking for the keyring
- static_assert to prevent a buffer overrun
- remove obsolete, misleading comment
- dial down priority of some log messages
- explain why we ignore some errors
- idiomatic C++11

Bug: 27552432
Change-Id: Ic3ee05b41eae45e7c6b571a459b326a483663526
2016-03-08 14:31:49 -08:00
Paul Crowley
ad8e26297b Merge "Use a proper key length for the mode." into nyc-dev 2016-03-02 18:59:58 +00:00
Paul Crowley
2199069aca Use a proper key length for the mode.
Bug: 27440526
Change-Id: I818450252dcd39f21948fc2e70856659eba5f50f
2016-03-02 10:39:53 -08:00
Calin Juravle
d1ee944f08 Prepare profile directories only for the internal storage
Bug: 27444691
Change-Id: I0d30e8883fe655c90cda47ab167a878764ea0802
2016-03-02 18:36:50 +00:00
Calin Juravle
493f5aa160 Create profile folder for foreign dex markers.
This is a special profile folder where apps will leave profile markers
for the dex files they load and don't own. System server will read the
markers and decide if the apks should be fully compiled instead of
profile guide compiled.

Bug: 27334750
Bug: 26080105
Change-Id: Ib18f20cf78a8dbfc465610ec6ceec52699c5420a
2016-02-25 23:31:50 +00:00
Calin Juravle
79f55a461f Prepare user profile folder
Bug: 26719109
Bug: 26563023
Change-Id: I4737b7f73df74b2b787a62db2e231f136115b359
2016-02-19 13:43:02 +00:00
Paul Crowley
ad2eb64413 Log a warning if old creds passed to change_user_key don't work.
Bug: 26948053
Change-Id: I8c117bfe5e85e73af72b6ecafea39924f3561c7c
2016-02-10 17:56:05 +00:00
Paul Crowley
63c18d3ba9 Add scrypt-based password stretching.
Bug: 27056334
Change-Id: Ifa7f776c21c439f89dad7836175fbd045e1c603e
2016-02-10 14:07:59 +00:00
Paul Crowley
76107cb3f4 Prefer bool returns to int throughout
Change-Id: Ib3592b598ee07bc71a6f9507570bf4623c1cdd6a
2016-02-09 10:11:42 +00:00
Paul Crowley
38132a1f66 Refactor now that global DE has been reworked
Change-Id: I4d6156332cfc847e25e7c8863fd6a50fa325fb87
2016-02-09 10:11:42 +00:00
Paul Crowley
57eedbf8cb Fix some "false" returns to be "-1" where appropriate in e4crypt_enable
Also fix a PLOG that should be a LOG.

Change-Id: Ic5ae288c37b6e236172f9e38349c2d0d530bfd4d
2016-02-09 10:11:42 +00:00
Jeff Sharkey
695d928286 e4crypt_unlock_user_key no longer likes nullptr.
Bug: 27075797
Change-Id: I835d17d02ea50a88ef0a5322a30e04f3d0237019
2016-02-08 18:10:34 -07:00
Paul Crowley
f7a0d007d2 Add new argument to unlock_user_key, fixing merge-caused error.
Change-Id: Ic51f375e500cd61bda926e3b039126a840ed89f0
2016-02-08 22:40:34 +00:00
Paul Crowley
5c025bd9a5 Merge "Password security for FBE disk encryption keys" into nyc-dev 2016-02-08 21:45:46 +00:00
Paul Crowley
0572080814 Password security for FBE disk encryption keys
Added a new call change_user_key which changes the way that disk
encryption keys are protected; a key can now be protected with a
combination of an auth token and a secret which is a hashed password.
Both of these are passed to unlock_user_key.

This change introduces a security bug, b/26948053, which must be fixed
before we ship.

Bug: 22950892
Change-Id: Iac1e45bb6f86f2af5c472c70a0fe3228b02115bf
2016-02-08 20:03:57 +00:00
Jeff Sharkey
0754a45539 Emulation fixes: mics dirs, recover after disable.
Add new misc directories to list of paths that we lock/unlock in
emulation mode.  When booting a device without native-FBE and without
emulation, make sure we "unlock" any emulated settings on user 0;
MountService handles this for secondary users later during boot.

Bug: 27069522
Change-Id: I15c7cf00a7231ce99b2e4e11a25106d7b87e70cc
2016-02-08 12:45:16 -07:00
Jeff Sharkey
47695b29af Allow callers to prepare CE/DE user storage.
Give callers the option of preparing CE and/or DE storage.  The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.

When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock.  Leaves blocking call intact for framework callers.

Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back.  This fixes
race conditions when there are multiple 'vdc' callers.

Also add other system and misc directories to match spec.

Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
2016-02-05 13:03:52 -07:00
Paul Lawrence
f10544df96 Remove unencrypted_properties
Change-Id: I5728f03dbde6621e410efcda1d93054915793407
2016-02-04 12:48:41 -08:00
Paul Lawrence
5a06a6481b Fix minor issues with previous change
New style logging
Remove set/get field from e4crypt
Save keys to temp file then rename

See https://googleplex-android-review.git.corp.google.com/#/c/858922/

Change-Id: I454c3f78489b491ffc1230a70dce64935e4e0f8a
2016-02-03 13:39:13 -08:00
Paul Lawrence
aec34dfb1d Use consistent method for device key
Change-Id: I420f548115c1b55e62b193c60d569fdda518af1a
2016-02-03 10:52:41 -08:00