Commit graph

108 commits

Author SHA1 Message Date
Rubin Xu
eb850f93ab Remove secdiscard IPC call
No longer used by the framework, hence removing.

Bug: 62140539
Test: builds
Change-Id: I17b9818ea6121d84223a502949186cf679a83a90
2018-03-05 13:55:23 +00:00
Andreas Huber
71cd43f434 Fingerprint data is now stored in one of two ways depending on the
shipping API version:

For devices shipped before Android P nothing changes, data
is stored under /data/system/users/<user-id>/fpdata/...

Devices shipped from now on will instead store
fingerprint data under /data/vendor_de/<user-id>/fpdata.

Support for /data/vendor_de and /data/vendor_ce has been added to vold.

Bug: 36997597
Change-Id: I615e90d1c9ab08e768a8713968fa043598a0a526
Test: manually
2018-01-23 14:34:55 -08:00
Paul Crowley
26a53888a4 When we forget a volume, forget per-volume key
Protect all per-volume-per-user keys with a per-volume key, which is
forgotten when the volume is forgotten. This means that the user's key
is securely lost even when their storage is encrypted at forgetting
time.

Bug: 25861755
Test: create a volume, forget it, check logs and filesystem.
Change-Id: I8df77bc91bbfa2258e082ddd54d6160dbf39b378
2017-10-26 12:19:09 -07:00
Paul Crowley
c6433a299d Forget keys when we forget the volume.
Bug: 25861755
Test: create a volume, forget it, check logs and filesystem.
Change-Id: I0ab662969c51703cb046d57b72330e0f14447ef3
2017-10-26 12:19:03 -07:00
Paul Crowley
3aa914d4a9 Give SD cards their own keys and modes.
When we set up encryption on real volumes - not just /data - we should
give them their own keys, so that these keys can be deleted when the
volume is forgotten. Also, we must choose the encryption modes
differently, since ICE encryption which works on /data may not work on
such volumes.

Bug: 25861755
Test: boot device, add SD card, check modes.
Change-Id: I354cd651757c3566dba046ae99d324833ad9b0e5
2017-10-24 15:27:04 -07:00
Paul Crowley
82b41ff837 Convert vold_prepare_subdirs to C++
Minimize overhead in boot by replacing shell script invoked multiple
times with a C++ program invoked once.

Bug: 67901036
Test: create user, run adb shell ls -laZ /data/misc_ce/10; delete user
    and check logs.
Change-Id: I886cfd6505cca1f5b5902f2071e13f48e612214d
2017-10-24 15:26:58 -07:00
Paul Crowley
8e55066845 Recursively delete subdirs when deleting
Use vold_prepare_subdirs since only it has the privilege needed.

Bug: 25861755
Test: Boot device, create user, create files, remove user, observe logs
Change-Id: I90fb2517ccd177c9b009001e7a2b00f537152f8c
2017-10-17 10:44:17 -07:00
Paul Crowley
1a9652613a Create subdirectories of misc_ce/misc_de when needed
Bug: 25861755
Test: Boot device, check directory exists as it should.
Change-Id: I413631452e8e0bdd869887091f8b077bd5f9297e
2017-10-16 11:36:32 -07:00
Paul Crowley
3b71fc5100 Be more C++. volume UUID should always be std::string.
Test: boots
Bug: 67041047
Change-Id: I36d3944ae8de192703b9ee359900841b833fe3a1
2017-10-09 13:36:35 -07:00
Paul Crowley
a7ca40bd70 Remove dead code; move code out of cryptfs that doesn't belong.
Test: Marlin boots
Change-Id: I5c3fc21fef336b301981d6eff6f6ea242f30f66c
2017-10-06 14:29:33 -07:00
Paul Crowley
6b756ce5e9 Don't re-prepare main storage when preparing SD card storage
Test: Boots correctly, logs show main storage no longer prepared when
SD card is.

Change-Id: I9a123436e7083d8331c7543fe77aa6587b28db9f
2017-10-05 14:07:09 -07:00
Jeff Sharkey
95440ebd97 Enable "cert-err34-c" tidy checks.
Now that we've moved to Binder, we only have a few lingering atoi()
usages that are cleaned up in this CL.

Rewrite match_multi_entry() entirely, with tests to verify both old
and new implementations.

Test: adb shell /data/nativetest/vold_tests/vold_tests
Bug: 36655947
Change-Id: Ib79dc1ddc2366db4d5b4e1a1e2ed9456a06a983e
2017-09-20 13:29:48 -06:00
Pavel Grafov
e2e2d308df Zero memory used for encryuption keys.
std::vector with custom zeroing allocator is used instead of
std::string for data that can contain encryption keys.

Bug: 64201177
Test: manually created a managed profile, changed it's credentials
Test: manually upgraded a phone with profile from O to MR1.
Change-Id: Ic31877049f69eba9f8ea64fd99acaaca5a01d3dd
2017-08-10 17:31:03 +01:00
Pavel Grafov
b350ed02d5 Drop inode and page caches after evicting CE key.
Bug: 63257991
Test: Turning work profile off and attempting to read profile files.
Change-Id: I36f8ae9a8894f88950f50aed4a06645fab7e998b
2017-07-27 17:45:42 +01:00
Jeff Sharkey
d794526962 Fully switch to mke2fs; set policies everywhere.
Older make_ext4fs doesn't support enabling quotas, so switch everyone
over to using mke2fs for adoptable storage.

Remove UUID check so that we start setting ext4-crypto policies on
adoptable storage devices; a future change will handle the actual
key management.

Bug: 30230655, 36757864
Test: cts-tradefed run commandAndExit cts-dev --abi armeabi-v7a -m CtsAppSecurityHostTestCases -t android.appsecurity.cts.AdoptableHostTest
Change-Id: I021f85b1be8431044c239521c37be96534682746
2017-06-26 16:09:14 -06:00
Rubin Xu
2436e27717 Add secdiscard command for secure deletion of files
This is used by LockSettingsService to delete sensitive credential files.

Bug: 34600579
Test: manual - change device lock under synthetic password, verify
      old data on disk is erased.

Change-Id: I5e11b559ad8818bd2ad2b321d67d21477aab7555
2017-05-16 12:44:02 +01:00
Elliott Hughes
c3bda18bda Switch to libkeyutils.
Bug: http://b/37991155
Test: builds+boots
Change-Id: I33a3ba0d59ffd504093dc94517815c1196e95e2b
2017-05-10 16:59:33 -07:00
Paul Crowley
f71ace310e Refactor to lay the groundwork for metadata encryption
Bug: 26778031
Test: Angler, Marlin build and boot
Change-Id: Ic136dfe6195a650f7db76d3489f36da6a1929dc5
2017-04-21 10:47:17 -07:00
Daniel Rosenberg
8ad0bef7b5 Revert "Stop dropping caches now we have kernel fix"
This reverts commit 6abe6831b5.

Bringing this back temporarily for the same issue on sdcardfs.
Will remove once the kernel issue is resolved.

Change-Id: Ia29ea4fddb7777012a2eea9259f9ac856773fe01
Bug: 37231161
Test: Boot device with FBE enabled. ls /storage/emulated/0/Android
Unlock device. ls /storage/emulated/0/Android
1st will not be found. Second should be found.
2017-04-20 12:38:26 -07:00
Eric Biggers
fa4039b162 vold: unlink ext4 encryption keys rather than revoking them
Unlinking keys rather than revoking them avoids bugs in certain kernel
versions without having to hack around the problem with an arbitrary 20
second delay, which is not guaranteed to be sufficient and has caused
full device hangs like in b/35988361.

Furthermore, in the context of filesystem encryption, unlinking is not
currently supposed to be any less secure than revoking.  There was a
case where revoking (but not unlinking) keys will cause the filesystem
to deny access to files that were previously opened with that key.
However, this was a means of _access control_, which encryption is not
intended to be used for.  Instead, file permissions and/or SELinux
should be used to enforce access control, while filesystem encryption
should be used to protect data at rest independently from access
control.  This misfeature has also been removed upstream (and backported
to 4.4-stable and 4.9-stable) because it caused CVE-2017-7374.

Eventually we'd really like to make the kernel support proper revocation
of filesystem encryption keys, i.e. fully clearing all key material and
plaintext and safely waiting for any affected filesystem operations or
writeback to complete.  But for now this functionality does not exist.
('sync && echo 3 > /proc/sys/vm/drop_caches' can be useful, but it's not
good enough.)

Bug: 35988361
Change-Id: Ib44effe5368cdce380ae129dc4e6c6fde6cb2719
(cherry picked from commit fd7ba5e4c6)
2017-04-04 22:25:24 +00:00
Calin Juravle
4c4958d706 Merge "Vold: Clean up code related to foreign dex use" am: 61a7d1a815 am: aaa95fbdfe
am: 0a8d4511c8

Change-Id: I3a84eca8a285bed3ec42c8744db8974e0109fb65
2017-03-07 19:10:47 +00:00
Calin Juravle
3a68f14192 Vold: Clean up code related to foreign dex use
We simplified the way we track whether or not a dex file is used by
other apps. DexManger in the framework keeps track of the data and we
no longer need file markers on disk.

Test: device boots, foreign dex markers are not created anymore

Bug: 32871170
Change-Id: Id0360205b019be92049f36eab4339f4736e974f4
2017-03-03 18:24:21 -08:00
Eric Biggers
b45caafbcc vold: allow specifying HEH filenames encryption
Make the vold changes needed to support specifying aes-256-heh filenames
encryption.  The previous mode, aes-256-cts, remains supported as well.

The file /data/unencrypted/mode is updated to have the syntax
contents_encryption_mode[:filenames_encryption_mode] instead of just
contents_encryption_mode.  This is consistent with the new fstab syntax.

Bug: 34712722
Change-Id: Ibc236d0ec4fdeda4e4e301f45fb996317692cfa3
2017-02-07 20:53:45 +00:00
Andrew Scull
7ec25c715f Evict CE keys on request or when a user is removed.
A work around for a kernel bug is needed to avoid the phone locking up
and turning into a hand warmer.

Test: com.android.cts.devicepolicy.ManagedProfileTest#testLockNowWithKeyEviction*
Bug: 31000719
Change-Id: Ia2121b3e3c22b10351296fa998892a91e601bb2c
2016-12-14 11:13:20 +00:00
Paul Crowley
4f70554179 Merge "Remove misleading comment (b/26948053)"
am: dbeebf56aa

Change-Id: I6e63f700ecd9cad50956cc2a1cc34b4f81b1a497
2016-10-28 21:14:50 +00:00
Paul Crowley
99360d76e5 Remove misleading comment (b/26948053)
Vold is considered part of our trusted computing base, and
compromising vold is already identified as a complete device
compromise. While storing keys only in the kernel would be better, the
current setup does not introduce a security bug or worsen any security
control.

Bug: 26948053
Test: Comment-only change.
Change-Id: Ib5436f4386769ec44b74dc6b50fbcc0fed99b96b
2016-10-19 15:10:26 -07:00
Tao Bao
985d0805e7 Merge "Update the header path for ext4_utils." am: 6a18a6ddb5 am: 4759d1d637
am: e85d4467f5

Change-Id: I78ef6034fc2586383e70345bcd186875528c9ffc
2016-10-10 22:14:58 +00:00
Tao Bao
989fec2769 Update the header path for ext4_utils.
Test: mmma system/vold

Change-Id: I805b8874b05b8043390c2cd3c143cc469913c067
2016-10-05 23:12:49 -07:00
Paul Crowley
25a713873c Don't try to fixate CE keys for ephemeral users
Ephemeral users don't have keys stored on disk at all, so it's neither
necessary nor possible to manipulate the disk keys here.

Bug: 30038313
Change-Id: Idc7ec1bfe1e8a6ffa6cee2f284dbe378097b08da
2016-07-25 15:55:36 -07:00
Paul Crowley
ab0b56aef3 Don't fail if a key we want to delete is already deleted
This can happen when cleaning up stale users at boot time.

Bug: 30158800
Change-Id: I2733d8d525fc79b7f05eb2225b7e6e14c4da277f
2016-07-21 11:27:15 -07:00
Paul Crowley
abc253884f Don't evict keys when we delete users
Work around a kernel bug that was causing lockups.

Bug: 30225438
Change-Id: Ia6eb60774037e692351af8eaed98b79596ea3635
2016-07-19 16:00:35 -07:00
Jeff Sharkey
d24aeda425 Only restorecon CE storage after unlocked.
On FBE devices, the filenames inside credential-encrypted directories
are mangled until the key is installed.  This means the initial
restorecon at boot needs to skip these directories until the keys
are installed.

This CL uses an existing facility to request that init run a
recursive restorecon over a given path, and it requests that
operation for the CE directories that would have been omitted by
the SKIPCE flag earlier during boot.

Bug: 30126557
Change-Id: I8c7abea27215075a091f615a7185a82a2f4a4a95
2016-07-18 09:52:46 -06:00
Paul Lawrence
6abe6831b5 Stop dropping caches now we have kernel fix
Only merge once

https://partner-android-review.googlesource.com/#/c/619829/1

has been merged into kernel.

Bug: 28779973
Change-Id: Icef78d1e4381e89e07797c36f6f650033d313557
2016-06-22 09:24:51 -07:00
Paul Lawrence
6e41059734 Set encryption mode in mode file
Bug: 28905864
Change-Id: Ie2a5c3e029075d53a86ef3afb7fe364c16d8d52b
2016-05-27 09:40:37 -07:00
Paul Lawrence
3ae29e7740 Revert "Add fileencrypted=software/ice to fstab options"
This reverts commit 01f1bc7254.

Bug: 28905864
Change-Id: I489f5d073530438829038630af7af6b2a5cbdbbe
2016-05-23 15:05:51 -07:00
Paul Crowley
8fd77a05cc Two phases to set the password for disk encryption
am: a363036b44

* commit 'a363036b44f7f140aa9a943578f56abff5880a60':
  Two phases to set the password for disk encryption

Change-Id: Ia28823079d8c0bda220238339f28095b234a0ae5
2016-05-18 22:59:57 +00:00
Paul Crowley
a363036b44 Two phases to set the password for disk encryption
Revert "Revert "Two phases to set the password for disk encryption""

This reverts commit d402389290.

In addition, fix the bug in the original commit.

Bug: 28154455
Bug: 28694324
Change-Id: I885f1d73e739416347c135d79979941c2bbdbe62
2016-05-17 15:23:06 -07:00
Paul Lawrence
01f1bc7254 Add fileencrypted=software/ice to fstab options
Bug: 28616054
Change-Id: If3fddd62f069c7e3e8369a1db68e69c390059d63
2016-05-11 08:56:31 -07:00
Paul Crowley
44ddebaac0 Merge "e4crypt_is_native has been moved into system/extras." into nyc-dev
am: cfa03d4a4c

* commit 'cfa03d4a4c53acf41dca2c41a2efd00de06043bb':
  e4crypt_is_native has been moved into system/extras.

Change-Id: I345475c44fb2d8812a25c9f2195c748cddc55bfe
2016-05-10 22:17:38 +00:00
Paul Crowley
cfa03d4a4c Merge "e4crypt_is_native has been moved into system/extras." into nyc-dev 2016-05-10 22:12:49 +00:00
Paul Crowley
26642bf7bf Revert "Two phases to set the password for disk encryption"
am: d402389290

* commit 'd402389290eeef86be7eb9241e20fdd125d44eb1':
  Revert "Two phases to set the password for disk encryption"

Change-Id: I53a3804fc7bff9c99840aeee36fc4b7ff8e46ac1
2016-05-10 21:19:47 +00:00
Paul Crowley
d402389290 Revert "Two phases to set the password for disk encryption"
This reverts commit 92c5eeb467.

Bug: 28694324
Change-Id: Ibbbaff287f4dd28f4a13e122a3617987a8875a44
2016-05-10 20:36:43 +00:00
Paul Crowley
4d2d5244d6 e4crypt_is_native has been moved into system/extras.
Bug: 28318405
Change-Id: Id962764cf7fb5f58b769bf99aeb6d3d69cb66991
2016-05-10 08:43:07 -07:00
Paul Crowley
4e44272c3d Two phases to set the password for disk encryption
am: 92c5eeb467

* commit '92c5eeb46779f0fa1c9e6db6b0d632d960cbb2e4':
  Two phases to set the password for disk encryption

Change-Id: I82c1cfa2874ac4709e42f5c2047c832cbcaccb91
2016-05-09 21:51:33 +00:00
Paul Crowley
92c5eeb467 Two phases to set the password for disk encryption
In one phase, we make the new password work, and in the second we make
it the only one which works ("fixation"). This means that we can set
the password in Gatekeeper between these two phases, and a crash
doesn't break things. Unlocking a user automatically fixates the
presented credential.

Bug: 28154455
Change-Id: I54623c8652f0c9f72dd60388a7dc0ab2d48e81c7
2016-05-06 11:09:39 -07:00
Paul Lawrence
85e3d8cd50 Drop caches after installing key policy to avoid cache clashes
Note that this is an ugly workaround for a kernel bug.

Bug: 28373400
Change-Id: Iec1ae53f4e18f06e41e8cf1fcc3ab03fc9848632
2016-04-29 07:58:21 -07:00
Jeff Sharkey
be70c9ae22 Consistent creation/destruction of user data.
Preparing and destroying users currently needs to be split across
installd, system_server, and vold, since no single party has all the
required SELinux permissions.

Bug: 27896918, 25861755
Change-Id: Ieec14ccacfc7a3a5ab00df47ace7318feb900c38
2016-04-15 13:47:52 -06:00
Paul Crowley
71ee662ec3 Don't fail if the CE key isn't loaded in destroy_user_key
Users don't have to be unlocked to be deleted, so don't worry if we
don't have their key to evict.

Bug: 26847403
Bug: 27441228
Change-Id: Ifd93f620926630aa102a3bb4a5d2d45d34f9b75d
2016-03-29 13:07:34 -07:00
Paul Crowley
df528a7011 Run clang-format over ext4crypt related code
The formatting here is inconsistent with Android house style; use
clang-format to bring it back into line.

Change-Id: Id1fe6ff54e9b668ca88c3fc021ae0a5bdd1327eb
2016-03-09 09:34:13 -08:00
Paul Crowley
a051eb7a22 Use pointers not references for out arguments
Google/Android C++ style requires that arguments passed in for writing
should be pointers, not references, so that it's visible in the caller
that they'll be written to.

Bug: 27566014
Change-Id: I5cd55906cc4b2f61c8b97b223786be0b3ce28862
2016-03-09 09:32:02 -08:00