DO NOT MERGE Securely encrypt the master key

(chery-picked from commit 806d10be2336f32cdca16c2540cbf3d548f2fec7) Move all key management into vold Reuse vold's existing key management through the crypto footer to manage the device wide keys. Use ro.crypto.type flag to determine crypto type, which prevents any issues when running in block encrypted mode, as well as speeding up boot in block or no encryption. This is one of four changes to enable this functionality: https://android-review.googlesource.com/#/c/148586/ https://android-review.googlesource.com/#/c/148604/ https://android-review.googlesource.com/#/c/148606/ https://android-review.googlesource.com/#/c/148607/ Bug: 18151196 Change-Id: I6a8a18f43ae837e330e2785bd26c2c306ae1816b
author: Paul Lawrence <paullawrence@google.com> 2015-04-28 22:07:10 +0000
committer: Paul Lawrence <paullawrence@google.com> 2015-05-29 17:39:16 +0000
commit: 0a423d994a0dbd05924ae6cff702b5d4d7dd43f0 (patch)
tree: de7a20a355c1e1bb0c71fa8dc8d67a204d2c6bce /init
parent: 0aab798312364971ad3d2052306f3c9a8aed6c57 (diff)
download: system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.zip
system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.tar.gz
system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.tar.bz2
1 files changed, 26 insertions, 32 deletions
diff --git a/init/builtins.cpp b/init/builtins.cpp
index 735033e..9e5f9ff 100644
--- a/init/builtins.cpp
+++ b/init/builtins.cpp
@@ -29,7 +29,7 @@
 #include <sys/wait.h>
 #include <unistd.h>
 #include <linux/loop.h>
-#include <ext4_crypt.h>
+#include <ext4_crypt_init_extensions.h>
 
 #include <selinux/selinux.h>
 #include <selinux/label.h>
@@ -392,18 +392,6 @@ static int wipe_data_via_recovery()
 }
 
 /*
- * Callback to make a directory from the ext4 code
- */
-static int do_mount_alls_make_dir(const char* dir)
-{
-    if (make_dir(dir, 0700) && errno != EEXIST) {
-        return -1;
-    }
-
-    return 0;
-}
-
-/*
  * This function might request a reboot, in which case it will
  * not return.
  */
@@ -458,6 +446,7 @@ int do_mount_all(int nargs, char **args)
         property_set("vold.decrypt", "trigger_encryption");
     } else if (ret == FS_MGR_MNTALL_DEV_MIGHT_BE_ENCRYPTED) {
         property_set("ro.crypto.state", "encrypted");
+        property_set("ro.crypto.type", "block");
         property_set("vold.decrypt", "trigger_default_encryption");
     } else if (ret == FS_MGR_MNTALL_DEV_NOT_ENCRYPTED) {
         property_set("ro.crypto.state", "unencrypted");
@@ -471,26 +460,11 @@ int do_mount_all(int nargs, char **args)
         ret = wipe_data_via_recovery();
         /* If reboot worked, there is no return. */
     } else if (ret == FS_MGR_MNTALL_DEV_DEFAULT_FILE_ENCRYPTED) {
-        // We have to create the key files here. Only init can call make_dir,
-        // and we can't do it from fs_mgr as then fs_mgr would depend on
-        // make_dir creating a circular dependency.
-        fstab = fs_mgr_read_fstab(args[1]);
-        for (int i = 0; i < fstab->num_entries; ++i) {
-            if (fs_mgr_is_file_encrypted(&fstab->recs[i])) {
-              if (e4crypt_create_device_key(fstab->recs[i].mount_point,
-                                            do_mount_alls_make_dir)) {
-                    ERROR("Could not create device key on %s"
-                          " - continue unencrypted\n",
-                          fstab->recs[i].mount_point);
-                }
-            }
-        }
-        fs_mgr_free_fstab(fstab);
-
         if (e4crypt_install_keyring()) {
             return -1;
         }
         property_set("ro.crypto.state", "encrypted");
+        property_set("ro.crypto.type", "file");
 
         // Although encrypted, we have device key, so we do not need to
         // do anything different from the nonencrypted case.
@@ -500,6 +474,7 @@ int do_mount_all(int nargs, char **args)
             return -1;
         }
         property_set("ro.crypto.state", "encrypted");
+        property_set("ro.crypto.type", "file");
         property_set("vold.decrypt", "trigger_restart_min_framework");
     } else if (ret > 0) {
         ERROR("fs_mgr_mount_all returned unexpected error %d\n", ret);
@@ -846,11 +821,30 @@ int do_wait(int nargs, char **args)
         return -1;
 }
 
+/*
+ * Callback to make a directory from the ext4 code
+ */
+static int do_installkeys_ensure_dir_exists(const char* dir)
+{
+    if (make_dir(dir, 0700) && errno != EEXIST) {
+        return -1;
+    }
+
+    return 0;
+}
+
 int do_installkey(int nargs, char **args)
 {
-    if (nargs == 2) {
-        return e4crypt_install_key(args[1]);
+    if (nargs != 2) {
+        return -1;
     }
 
-    return -1;
+    char prop_value[PROP_VALUE_MAX] = {0};
+    property_get("ro.crypto.type", prop_value);
+    if (strcmp(prop_value, "file")) {
+        return 0;
+    }
+
+    return e4crypt_create_device_key(args[1],
+                                     do_installkeys_ensure_dir_exists);
 }
author	Paul Lawrence <paullawrence@google.com>	2015-04-28 22:07:10 +0000
committer	Paul Lawrence <paullawrence@google.com>	2015-05-29 17:39:16 +0000
commit	0a423d994a0dbd05924ae6cff702b5d4d7dd43f0 (patch)
tree	de7a20a355c1e1bb0c71fa8dc8d67a204d2c6bce /init
parent	0aab798312364971ad3d2052306f3c9a8aed6c57 (diff)
download	system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.zip system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.tar.gz system_core-0a423d994a0dbd05924ae6cff702b5d4d7dd43f0.tar.bz2