Commit graph

46 commits

Author SHA1 Message Date
Paul Crowley
f7a0d007d2 Add new argument to unlock_user_key, fixing merge-caused error.
Change-Id: Ic51f375e500cd61bda926e3b039126a840ed89f0
2016-02-08 22:40:34 +00:00
Paul Crowley
5c025bd9a5 Merge "Password security for FBE disk encryption keys" into nyc-dev 2016-02-08 21:45:46 +00:00
Paul Crowley
0572080814 Password security for FBE disk encryption keys
Added a new call change_user_key which changes the way that disk
encryption keys are protected; a key can now be protected with a
combination of an auth token and a secret which is a hashed password.
Both of these are passed to unlock_user_key.

This change introduces a security bug, b/26948053, which must be fixed
before we ship.

Bug: 22950892
Change-Id: Iac1e45bb6f86f2af5c472c70a0fe3228b02115bf
2016-02-08 20:03:57 +00:00
Jeff Sharkey
0754a45539 Emulation fixes: misc dirs, recover after disable.
Add new misc directories to list of paths that we lock/unlock in
emulation mode.  When booting a device without native-FBE and without
emulation, make sure we "unlock" any emulated settings on user 0;
MountService handles this for secondary users later during boot.

Bug: 27069522
Change-Id: I15c7cf00a7231ce99b2e4e11a25106d7b87e70cc
2016-02-08 12:45:16 -07:00
Jeff Sharkey
47695b29af Allow callers to prepare CE/DE user storage.
Give callers the option of preparing CE and/or DE storage.  The
framework will only prepare CE storage after the CE keys have been
unlocked for that user.

When init is calling enablecrypto, kick off the work in a thread so
that we can make other calls back into vold without causing
deadlock.  Leaves blocking call intact for framework callers.

Clean up 'vdc' tool to send useful transaction numbers, and
actually watch for the matching result to come back.  This fixes
race conditions when there are multiple 'vdc' callers.

Also add other system and misc directories to match spec.

Bug: 25796509
Change-Id: Ie4f853db6e387916b845d2b5fb92925d743b063d
2016-02-05 13:03:52 -07:00
Paul Lawrence
f10544df96 Remove unencrypted_properties
Change-Id: I5728f03dbde6621e410efcda1d93054915793407
2016-02-04 12:48:41 -08:00
Paul Lawrence
5a06a6481b Fix minor issues with previous change
New style logging
Remove set/get field from e4crypt
Save keys to temp file then rename

See https://googleplex-android-review.git.corp.google.com/#/c/858922/

Change-Id: I454c3f78489b491ffc1230a70dce64935e4e0f8a
2016-02-03 13:39:13 -08:00
Paul Lawrence
aec34dfb1d Use consistent method for device key
Change-Id: I420f548115c1b55e62b193c60d569fdda518af1a
2016-02-03 10:52:41 -08:00
Paul Lawrence
7b6b565fa0 Remove support for non-default root passwords in FBE
Change-Id: Ie179cb09f9f24382afd0fe0f3aa2a1ad943a7f5d
2016-02-02 12:47:52 -08:00
Paul Crowley
b92f83c051 Add support for per-user DE keys.
FBE devices need a factory reset after this change.

Bug: 26704408
Change-Id: I150b82a13a4a007d9a8997ef6a676e96576356b2
2016-02-01 17:17:41 +00:00
Paul Crowley
b1f3d242dd Refactor of Ext4Crypt.cpp in preparation for DE keys
Mainly a refactor, but with a substantive change: Keys are created in
a temporary location, then moved to their final destination, for
atomicity.

Bug: 26704408
Change-Id: I0b2dc70d6bfa1f8a65536dd05b73c4b36a4699cf
2016-02-01 17:06:49 +00:00
Paul Crowley
8fb12fd835 Add init_user0 command.
Change-Id: Icf746ec1968a073fde707ecc788b648f5803fd38
2016-02-01 15:19:07 +00:00
Paul Crowley
ea62e26ad3 Create disk encryption keys only when FBE enabled
Our code for creating disk encryption keys doesn't work everywhere,
and it doesn't need to; only on platforms that support FBE. Don't
create them elsewhere.

Bug: 26842807
Change-Id: I686d0ffd7cb3adbddfce661c22ce18f66acb1aba
2016-01-28 12:23:53 +00:00
Paul Crowley
13ffd8ef7a Improvements to the key storage module
The key storage module didn't comply with Android coding standards
and had room for improvement in a few other ways, so have cleaned up.

Change-Id: I260ccff316423169cf887e538113b5ea400892f2
2016-01-27 15:54:35 +00:00
Paul Crowley
1ef255816c Use a keymaster-based key storage module
Instead of writing raw keys, encrypt the keys with keymaster. This
paves the way to protecting them with auth tokens and passwords later.
In addition, fold in the hash of a 16k file into their encryption, to
ensure secure deletion works properly.

Now even C++ier!

Bug: 22502684
Bug: 22950892
Change-Id: If70f139e342373533c42d5a298444b8438428322
2016-01-26 18:24:03 +00:00
Paul Crowley
a042cb5761 Don't fail on unlock if we're not even emulating FBE
As a precaution, we do the work of emulating an unlock even on devices
that aren't emulating FBE. However, we don't care if it fails, so
don't fail the calling command in that instance.

Bug: 26713622
Change-Id: I8c5fb4b9a130335ecbb9b8ea6367f1c59835c0f1
2016-01-21 17:26:11 +00:00
Paul Crowley
285956fe11 Rework FBE crypto to match the N way of doing things
Major rework and refactor of FBE code to load the keys at the right
time and in a natural way. The old code was aimed at our goals for M,
with patches on top, and didn't quite work.

Bug: 22358539

Change-Id: I9bf7a0a86ee3f2abf0edbd5966f93efac2474c2c
2016-01-20 13:12:38 +00:00
Jeff Sharkey
7a9dd95cbc Offer to enforce "locked" state using SELinux.
Bug: 26466827
Change-Id: Id5f05298c2cb5f3cf288df37ddf0a196ca49949b
2016-01-15 14:07:12 -07:00
Jeff Sharkey
d2d7bffd0c Create /data/media directory for new users.
Otherwise later unlock commands will fail.

Bug: 26267450
Change-Id: I090ac3a3fd4ac6d49290906e21d88f1efcdec421
2015-12-18 19:16:49 -07:00
Lenka Trochtova
9ad4369ce8 Fix a bug in passing parameters to prepare_user_storage.
Add the serial parameter to prepare_user_storage to avoid
confusion when parsing parameters and passing them around.

Change-Id: Id5516c248401ad50585aa8f6e8b1545a6cded549
2015-12-11 13:27:32 +01:00
Paul Crowley
27cbce9214 Rename functions with a system/extras name collision.
Following around the call graph in code search is hard enough as it is!

Change-Id: I09d3513664423aafe0d99f9158acfbbb6c79b590
2015-12-10 15:30:45 +00:00
Paul Lawrence
ff9097f560 Fix create_user_key to take 3 params
Change-Id: Ied03e2ee404a1b4f386740213e6ab01f18ec09b9
2015-12-09 15:45:41 -08:00
Lenka Trochtova
395039f007 Introduce support for ephemeral users.
BUG: 24883058

Change-Id: I77d4757f87214166e7c41c7eb0d06b1cd5f06b20
2015-12-08 11:10:59 +01:00
Jeff Sharkey
fc505c3ff6 Emulate media encryption, always chmod to unlock.
When FBE emulation is enabled, lock/unlock the media directories that
store emulated SD card contents.

Change unlocking logic to always chmod directories back to known
state so that we can recover devices that have disabled FBE
emulation.

Bug: 26010607, 26027473
Change-Id: I6d4bff25d8ad7b948679290106f585f777f7a249
2015-12-07 17:35:58 -07:00
Elliott Hughes
6bf0547ccc resolve merge conflicts of b7d5a47cec to master.
Change-Id: I0c5211a00d92d0ee796bb9c77d2e13675a2a3e8d
2015-12-04 17:55:33 -08:00
Elliott Hughes
7e128fbe21 Track rename from base/ to android-base/.
Change-Id: I3096cfa50afa395d8e9a8043ab69c1e390f86ccb
2015-12-04 15:50:53 -08:00
Jeff Sharkey
a597d0a424 Use the right system property name.
Bug: 22358539
Change-Id: I0bf9719a2b54acbde80f3c911988724581447b0c
2015-11-30 16:57:07 -07:00
Jeff Sharkey
c79fb89a10 Switch to new FBE emulation property.
Also prepare CE/DE storage directories for owner user at boot.

Bug: 22358539
Change-Id: I76228952c990ebed83360c69ef36321b99114196
2015-11-19 11:16:22 -07:00
Paul Crowley
5512c50c09 Merge "Add --no-unlink option to secdiscard for testing." 2015-11-16 10:36:13 +00:00
Jeff Sharkey
d2c96e7883 New granular encryption commands for framework.
We now have separate methods for key creation/destruction and
unlocking/locking.  Key unlocking can pass through an opaque token,
but it's left empty for now.

Extend user storage setup to also create system_ce and user_de
paths.  Bring over some path generation logic from installd.

Use strong type checking on user arguments.

Bug: 22358539
Change-Id: I00ba15c7b10dd682640b3f082feade4fb7cbbb5d
2015-11-10 15:57:14 -08:00
Paul Crowley
5ab73e945d Add --no-unlink option to secdiscard for testing.
Also allow deletion of multiple files in one invocation.

Change-Id: I5011bf45f2d3b91964bc68fd8e61ec037e1de2ca
2015-11-02 10:13:52 +00:00
Paul Crowley
480fcd2750 Set uid/gid of newly created user dirs to system/system.
Bug: 23395513
Change-Id: I3d76b77339f995103c0aec09c6de77b3c8cdc0dd
2015-08-24 14:53:28 +01:00
Paul Crowley
9336348200 Evict the key before we delete it.
Change-Id: I9eef440a1f406c2c73c859f5ae7cee35f6a36ca4
2015-07-13 21:12:58 +01:00
Paul Crowley
cd307b7c63 Scrub the key from the disk with BLKSECDISCARD.
Bug: 19706593

(cherry-picked from commit 8d0cd7ffd903a753c6bb5c6f33987a7a66621cef)

Change-Id: Ieea73da233fe53767b5adcdb4d49f9bb00fedac1
2015-07-13 21:08:45 +01:00
Paul Crowley
b33e8873ea Add "cryptfs deleteuserkey" command to vold.
Bug: 19706593

(cherry-picked from commit eebf44563b)

Change-Id: I50dc4c39595c06bf0016d6a490130bbbc25de91b
2015-07-13 21:08:45 +01:00
Paul Crowley
95376d612c Add vold commands for setting up per-user encrypted user
directories

Bug: 19704432

(cherry-picked from commit 75a5202d9f)

Change-Id: I733e8745ec21f8e53c2cc6d8a98313275db7d897
2015-07-13 21:08:45 +01:00
Paul Crowley
f25a35a1c9 Break key installation into its own function so we can install
non-master keys.

Bug: 19704432
(cherry-picked from commit 1da96dc549)

Change-Id: I762e8f6c927db3a337fa8ce6bd428262d9e05c7a
2015-07-13 21:08:44 +01:00
Paul Lawrence
86c942a253 DO NOT MERGE Delete password as per block encryption
(cherry-picked from commit 00f4aade5c)

Bug: 18151196
Change-Id: Iee0f932c61ff4a309dc2861725b24bf976adb4c7
2015-05-29 14:22:18 -07:00
Paul Lawrence
0d9cd9e9cf DO NOT MERGE Fix problem that reading/writing crypto footers wasn't identity
(cherry-picked from commit 75c922f49b)

Bug: 18151196
Change-Id: Ideef6bcdbccf068a64ed3e042be50c4837a373f8
2015-05-29 14:21:33 -07:00
Paul Lawrence
2f32cda63b DO NOT MERGE Retry unmounts in ext4 encryption
(cherry-picked from commit 29b54aab8e)

Bug: 18151196
Change-Id: I52ca23b2ce3adcff44bd003d4a12243a0bd6ac34
2015-05-29 14:20:51 -07:00
Paul Lawrence
b7f0702ea6 DO NOT MERGE Use default key permissions for ext4enc
(cherry-picked from commit 1190a26f6d)

As per discussion default permissions are the correct ones.
Note that since we use logon keys, they cannot be read outside
the kernel.

Note also that we limit who can read/write keys in selinux policy.

Bug: 18151196
Change-Id: Icc916f430a70eff22e6b74c20ec361c8f3789c1c
2015-05-29 14:20:06 -07:00
Paul Lawrence
a56d3134b0 DO NOT MERGE Simplify password checking logic
(cherry-picked from commit aaccfac344)

Bug: 18151196
Change-Id: I07ffde534dee7d1032149cfcbaa1a61c5246d759
2015-05-29 14:17:48 -07:00
Paul Lawrence
368d79459e DO NOT MERGE Enable properties in ext4enc
(cherry-picked from 4e7274551c)

Enables OwnerInfo and pattern suppression

Bug: 18151196

Change-Id: I46144e16cb00319deeb5492ab82c67f5dd43d6d3
2015-05-29 14:16:42 -07:00
Paul Lawrence
c78c71b171 DO NOT MERGE Check password is correct by checking hash
(cherry-picked from commit 3ca21e227a)

Handle failures gracefully

Change-Id: Ifb6da8c11a86c50fb11964c18cc1be1326461f78
2015-05-29 14:13:50 -07:00
Paul Lawrence
fd7db73243 DO NOT MERGE New ext4enc kernel switching from xattrs to ioctl
(cherry-picked from commit 5e7f004231)

This is one of three changes to enable this functionality:
  https://android-review.googlesource.com/#/c/146259/
  https://android-review.googlesource.com/#/c/146264/
  https://android-review.googlesource.com/#/c/146265/

Bug: 18151196

Change-Id: Iba5146b8be1e15050ae901e08b3aaa26d96dcf7e
2015-05-29 17:50:43 +00:00
Paul Lawrence
731a7a242d DO NOT MERGE Securely encrypt the master key
(cherry-picked from commit 707fd6c7cc)

Move all key management into vold
Reuse vold's existing key management through the crypto footer
to manage the device wide keys.

Use ro.crypto.type flag to determine crypto type, which prevents
any issues when running in block encrypted mode, as well as speeding
up boot in block or no encryption.

This is one of four changes to enable this functionality:
  https://android-review.googlesource.com/#/c/148586/
  https://android-review.googlesource.com/#/c/148604/
  https://android-review.googlesource.com/#/c/148606/
  https://android-review.googlesource.com/#/c/148607/

Bug: 18151196

Change-Id: I3c68691717a61b5e1df76423ca0c02baff0dab98
2015-05-29 17:25:54 +00:00