3dfb094cb2
To prevent keys from being compromised if an attacker acquires read access to kernel memory, some inline encryption hardware supports protecting the keys in hardware without software having access to or the ability to set the plaintext keys. Instead, software only sees "wrapped keys", which may differ on every boot. 'wrappedkey_v0' fileencryption flag is used to denote that the device supports inline encryption hardware that supports this feature. On such devices keymaster is used to generate keys with STORAGE_KEY tag and export a per-boot ephemerally wrapped storage key to install it in the kernel. The wrapped key framework in the linux kernel ensures the wrapped key is provided to the inline encryption hardware where it is unwrapped and the file contents key is derived to encrypt contents without revealing the plaintext key in the clear. Test: FBE validation with Fscrypt v2 + inline crypt + wrapped key changes kernel. Bug: 147733587 Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
19 lines
415 B
C
19 lines
415 B
C
#ifndef _UAPI_LINUX_FSCRYPT_VOLD_H
|
|
#define _UAPI_LINUX_FSCRYPT_VOLD_H
|
|
|
|
#include <linux/fscrypt.h>
|
|
#include <linux/types.h>
|
|
|
|
#define FSCRYPT_ADD_KEY_FLAG_WRAPPED 0x01
|
|
|
|
struct sys_fscrypt_add_key_arg {
|
|
struct fscrypt_key_specifier key_spec;
|
|
__u32 raw_size;
|
|
__u32 __reserved[8];
|
|
__u32 flags;
|
|
__u8 raw[];
|
|
};
|
|
|
|
#define fscrypt_add_key_arg sys_fscrypt_add_key_arg
|
|
|
|
#endif //_UAPI_LINUX_FSCRYPT_VOLD_H
|