Merge "[vold] Add mount lazy if forcemount fail."
diff --git a/Android.bp b/Android.bp
index f2a1a37..1ccfc09 100644
--- a/Android.bp
+++ b/Android.bp
@@ -9,13 +9,9 @@
"-Wall",
"-Werror",
"-Wextra",
- "-Wno-missing-field-initializers",
"-Wno-unused-parameter",
- "-Wno-unused-variable",
],
- clang: true,
-
tidy: true,
tidy_checks: [
"-*",
@@ -23,8 +19,9 @@
"clang-analyzer-security*",
"android-*",
],
- tidy_flags: [
- "-warnings-as-errors=clang-analyzer-security*,cert-*",
+ tidy_checks_as_errors: [
+ "clang-analyzer-security*",
+ "cert-*",
],
}
@@ -41,15 +38,13 @@
"libfec_rs",
"libfs_avb",
"libfs_mgr",
- "libscrypt_static",
"libsquashfs_utils",
"libvold_binder",
],
shared_libs: [
- "android.hardware.keymaster@3.0",
- "android.hardware.keymaster@4.0",
- "android.hardware.keymaster@4.1",
"android.hardware.boot@1.0",
+ "android.hardware.boot-V1-ndk",
+ "libboot_control_client",
"libbase",
"libbinder",
"libcrypto",
@@ -63,8 +58,6 @@
"libhardware_legacy",
"libincfs",
"libhidlbase",
- "libkeymaster4support",
- "libkeymaster4_1support",
"libkeyutils",
"liblog",
"liblogwrap",
@@ -113,6 +106,7 @@
defaults: [
"vold_default_flags",
"vold_default_libs",
+ "keystore2_use_latest_aidl_ndk_shared",
],
srcs: [
@@ -120,7 +114,6 @@
"Benchmark.cpp",
"Checkpoint.cpp",
"CryptoType.cpp",
- "Devmapper.cpp",
"EncryptInplace.cpp",
"FileDeviceUtils.cpp",
"FsCrypt.cpp",
@@ -128,14 +121,13 @@
"KeyBuffer.cpp",
"KeyStorage.cpp",
"KeyUtil.cpp",
- "Keymaster.cpp",
+ "Keystore.cpp",
"Loop.cpp",
"MetadataCrypt.cpp",
"MoveStorage.cpp",
"NetlinkHandler.cpp",
"NetlinkManager.cpp",
"Process.cpp",
- "ScryptParameters.cpp",
"Utils.cpp",
"VoldNativeService.cpp",
"VoldNativeServiceValidation.cpp",
@@ -170,12 +162,14 @@
},
shared_libs: [
"android.hardware.health.storage@1.0",
- "android.hardware.health.storage-V1-ndk_platform",
+ "android.hardware.health.storage-V1-ndk",
+ "android.security.maintenance-ndk",
"libbinder_ndk",
+ "libkeymint_support",
],
whole_static_libs: [
- "com.android.sysprop.apex",
- "libc++fs"
+ "libcom.android.sysprop.apex",
+ "libc++fs",
],
}
@@ -184,25 +178,27 @@
defaults: [
"vold_default_flags",
"vold_default_libs",
+ "keystore2_use_latest_aidl_ndk_shared",
],
srcs: ["main.cpp"],
static_libs: ["libvold"],
init_rc: [
"vold.rc",
- "wait_for_keymaster.rc",
],
required: [
"mke2fs",
"vold_prepare_subdirs",
- "wait_for_keymaster",
+ "fuseMedia.o",
],
shared_libs: [
"android.hardware.health.storage@1.0",
- "android.hardware.health.storage-V1-ndk_platform",
+ "android.hardware.health.storage-V1-ndk",
+ "android.security.maintenance-ndk",
"libbinder_ndk",
+ "libkeymint_support",
],
product_variables: {
@@ -214,48 +210,28 @@
"libarcvolume",
],
},
- },
+ },
}
cc_binary {
name: "vdc",
defaults: ["vold_default_flags"],
- srcs: ["vdc.cpp"],
+ srcs: [
+ "vdc.cpp",
+ "Utils.cpp",
+ ],
shared_libs: [
"libbase",
"libbinder",
"libcutils",
+ "liblogwrap",
+ "libselinux",
"libutils",
],
static_libs: [
"libvold_binder",
],
- init_rc: ["vdc.rc"],
-}
-
-cc_binary {
- name: "wait_for_keymaster",
- defaults: ["vold_default_flags"],
-
- srcs: [
- "wait_for_keymaster.cpp",
- "Keymaster.cpp",
- ],
- shared_libs: [
- "libbase",
- "libbinder",
-
- "android.hardware.keymaster@3.0",
- "android.hardware.keymaster@4.0",
- "android.hardware.keymaster@4.1",
- "libhardware",
- "libhardware_legacy",
- "libhidlbase",
- "libkeymaster4support",
- "libkeymaster4_1support",
- "libutils",
- ],
}
cc_binary {
@@ -273,7 +249,10 @@
name: "vold_prepare_subdirs",
defaults: ["vold_default_flags"],
- srcs: ["vold_prepare_subdirs.cpp", "Utils.cpp"],
+ srcs: [
+ "vold_prepare_subdirs.cpp",
+ "Utils.cpp",
+ ],
shared_libs: [
"libbase",
"libcutils",
diff --git a/Checkpoint.cpp b/Checkpoint.cpp
index 755f0e3..4766d79 100644
--- a/Checkpoint.cpp
+++ b/Checkpoint.cpp
@@ -26,12 +26,12 @@
#include <thread>
#include <vector>
+#include <BootControlClient.h>
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/parseint.h>
#include <android-base/properties.h>
#include <android-base/unique_fd.h>
-#include <android/hardware/boot/1.0/IBootControl.h>
#include <cutils/android_reboot.h>
#include <fcntl.h>
#include <fs_mgr.h>
@@ -48,11 +48,7 @@
using android::binder::Status;
using android::fs_mgr::Fstab;
using android::fs_mgr::ReadFstabFromFile;
-using android::hardware::hidl_string;
-using android::hardware::boot::V1_0::BoolResult;
-using android::hardware::boot::V1_0::CommandResult;
-using android::hardware::boot::V1_0::IBootControl;
-using android::hardware::boot::V1_0::Slot;
+using android::hal::BootControlClient;
namespace android {
namespace vold {
@@ -128,11 +124,10 @@
if (retry < -1) return error(EINVAL, "Retry count must be more than -1");
std::string content = std::to_string(retry + 1);
if (retry == -1) {
- sp<IBootControl> module = IBootControl::getService();
+ auto module = BootControlClient::WaitForService();
if (module) {
- std::string suffix;
- auto cb = [&suffix](hidl_string s) { suffix = s; };
- if (module->getSuffix(module->getCurrentSlot(), cb).isOk()) content += " " + suffix;
+ std::string suffix = module->GetSuffix(module->GetCurrentSlot());
+ if (!suffix.empty()) content += " " + suffix;
}
}
if (!android::base::WriteStringToFile(content, kMetadataCPFile))
@@ -143,6 +138,7 @@
namespace {
volatile bool isCheckpointing = false;
+volatile bool isBow = true;
volatile bool needsCheckpointWasCalled = false;
@@ -162,10 +158,9 @@
<< "NOT COMMITTING CHECKPOINT BECAUSE persist.vold.dont_commit_checkpoint IS 1";
return Status::ok();
}
- sp<IBootControl> module = IBootControl::getService();
+ auto module = BootControlClient::WaitForService();
if (module) {
- CommandResult cr;
- module->markBootSuccessful([&cr](CommandResult result) { cr = result; });
+ auto cr = module->MarkBootSuccessful();
if (!cr.success)
return error(EINVAL, "Error marking booted successfully: " + std::string(cr.errMsg));
LOG(INFO) << "Marked slot as booted successfully.";
@@ -173,6 +168,8 @@
if (!SetProperty("ota.warm_reset", "0")) {
LOG(WARNING) << "Failed to reset the warm reset flag";
}
+ } else {
+ LOG(ERROR) << "Failed to get BootControl HAL, not marking slot as successful.";
}
// Must take action for list of mounted checkpointed things here
// To do this, we walk the list of mounted file systems.
@@ -198,7 +195,7 @@
return error(EINVAL, "Failed to remount");
}
}
- } else if (fstab_rec->fs_mgr_flags.checkpoint_blk) {
+ } else if (fstab_rec->fs_mgr_flags.checkpoint_blk && isBow) {
if (!setBowState(mount_rec.blk_device, "2"))
return error(EINVAL, "Failed to set bow state");
}
@@ -254,12 +251,11 @@
if (content == "0") return true;
if (content.substr(0, 3) == "-1 ") {
std::string oldSuffix = content.substr(3);
- sp<IBootControl> module = IBootControl::getService();
+ auto module = BootControlClient::WaitForService();
std::string newSuffix;
if (module) {
- auto cb = [&newSuffix](hidl_string s) { newSuffix = s; };
- module->getSuffix(module->getCurrentSlot(), cb);
+ newSuffix = module->GetSuffix(module->GetCurrentSlot());
if (oldSuffix == newSuffix) return true;
}
}
@@ -276,11 +272,11 @@
bool ret;
std::string content;
- sp<IBootControl> module = IBootControl::getService();
+ auto module = BootControlClient::WaitForService();
if (isCheckpointing) return isCheckpointing;
-
- if (module && module->isSlotMarkedSuccessful(module->getCurrentSlot()) == BoolResult::FALSE) {
+ // In case of INVALID slot or other failures, we do not perform checkpoint.
+ if (module && !module->IsSlotMarkedSuccessful(module->GetCurrentSlot()).value_or(true)) {
isCheckpointing = true;
return true;
}
@@ -386,7 +382,7 @@
LOG(INFO) << "Trimmed " << range.len << " bytes on " << mount_rec.mount_point << " in "
<< nanoseconds_to_milliseconds(time) << "ms for checkpoint";
- setBowState(mount_rec.blk_device, "1");
+ isBow &= setBowState(mount_rec.blk_device, "1");
}
if (fstab_rec->fs_mgr_flags.checkpoint_blk || fstab_rec->fs_mgr_flags.checkpoint_fs) {
std::thread(cp_healthDaemon, std::string(mount_rec.mount_point),
diff --git a/Devmapper.cpp b/Devmapper.cpp
deleted file mode 100644
index d55d92d..0000000
--- a/Devmapper.cpp
+++ /dev/null
@@ -1,102 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#define ATRACE_TAG ATRACE_TAG_PACKAGE_MANAGER
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <linux/kdev_t.h>
-
-#include <android-base/logging.h>
-#include <android-base/stringprintf.h>
-#include <android-base/strings.h>
-#include <libdm/dm.h>
-#include <utils/Trace.h>
-
-#include "Devmapper.h"
-
-using android::base::StringPrintf;
-using namespace android::dm;
-
-static const char* kVoldPrefix = "vold:";
-
-int Devmapper::create(const char* name_raw, const char* loopFile, const char* key,
- unsigned long numSectors, char* ubuffer, size_t len) {
- auto& dm = DeviceMapper::Instance();
- auto name_string = StringPrintf("%s%s", kVoldPrefix, name_raw);
-
- DmTable table;
- table.Emplace<DmTargetCrypt>(0, numSectors, "twofish", key, 0, loopFile, 0);
-
- if (!dm.CreateDevice(name_string, table)) {
- LOG(ERROR) << "Failed to create device-mapper device " << name_string;
- return -1;
- }
-
- std::string path;
- if (!dm.GetDmDevicePathByName(name_string, &path)) {
- LOG(ERROR) << "Failed to get device-mapper device path for " << name_string;
- return -1;
- }
- snprintf(ubuffer, len, "%s", path.c_str());
- return 0;
-}
-
-int Devmapper::destroy(const char* name_raw) {
- auto& dm = DeviceMapper::Instance();
-
- auto name_string = StringPrintf("%s%s", kVoldPrefix, name_raw);
- if (!dm.DeleteDevice(name_string)) {
- if (errno != ENXIO) {
- PLOG(ERROR) << "Failed DM_DEV_REMOVE";
- }
- return -1;
- }
- return 0;
-}
-
-int Devmapper::destroyAll() {
- ATRACE_NAME("Devmapper::destroyAll");
-
- auto& dm = DeviceMapper::Instance();
- std::vector<DeviceMapper::DmBlockDevice> devices;
- if (!dm.GetAvailableDevices(&devices)) {
- LOG(ERROR) << "Failed to get dm devices";
- return -1;
- }
-
- for (const auto& device : devices) {
- if (android::base::StartsWith(device.name(), kVoldPrefix)) {
- LOG(DEBUG) << "Tearing down stale dm device named " << device.name();
- if (!dm.DeleteDevice(device.name())) {
- if (errno != ENXIO) {
- PLOG(WARNING) << "Failed to destroy dm device named " << device.name();
- }
- }
- } else {
- LOG(DEBUG) << "Found unmanaged dm device named " << device.name();
- }
- }
- return 0;
-}
diff --git a/Devmapper.h b/Devmapper.h
deleted file mode 100644
index 9d4896e..0000000
--- a/Devmapper.h
+++ /dev/null
@@ -1,31 +0,0 @@
-/*
- * Copyright (C) 2008 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef _DEVMAPPER_H
-#define _DEVMAPPER_H
-
-#include <linux/dm-ioctl.h>
-#include <unistd.h>
-
-class Devmapper {
- public:
- static int create(const char* name, const char* loopFile, const char* key,
- unsigned long numSectors, char* buffer, size_t len);
- static int destroy(const char* name);
- static int destroyAll();
-};
-
-#endif
diff --git a/EncryptInplace.cpp b/EncryptInplace.cpp
index 057b3ef..190bb83 100644
--- a/EncryptInplace.cpp
+++ b/EncryptInplace.cpp
@@ -20,13 +20,11 @@
#include <ext4_utils/ext4_utils.h>
#include <f2fs_sparseblock.h>
#include <fcntl.h>
-#include <time.h>
#include <algorithm>
#include <vector>
#include <android-base/logging.h>
-#include <android-base/properties.h>
#include <android-base/unique_fd.h>
enum EncryptInPlaceError {
@@ -43,7 +41,7 @@
class InPlaceEncrypter {
public:
bool EncryptInPlace(const std::string& crypto_blkdev, const std::string& real_blkdev,
- uint64_t nr_sec, bool set_progress_properties);
+ uint64_t nr_sec);
bool ProcessUsedBlock(uint64_t block_num);
private:
@@ -75,19 +73,14 @@
std::string real_blkdev_;
std::string crypto_blkdev_;
uint64_t nr_sec_;
- bool set_progress_properties_;
android::base::unique_fd realfd_;
android::base::unique_fd cryptofd_;
- time_t time_started_;
- int remaining_time_;
-
std::string fs_type_;
uint64_t blocks_done_;
uint64_t blocks_to_encrypt_;
unsigned int block_size_;
- unsigned int cur_pct_;
std::vector<uint8_t> io_buffer_;
uint64_t first_pending_block_;
@@ -108,7 +101,6 @@
blocks_done_ = 0;
blocks_to_encrypt_ = blocks_to_encrypt;
block_size_ = block_size;
- cur_pct_ = 0;
// Allocate the I/O buffer. kIOBufferSize should always be a multiple of
// the filesystem block size, but round it up just in case.
@@ -136,46 +128,6 @@
if (blocks_done_ >= blocks_next_msg)
LOG(DEBUG) << "Encrypted " << blocks_next_msg << " of " << blocks_to_encrypt_ << " blocks";
-
- if (!set_progress_properties_) return;
-
- uint64_t new_pct;
- if (done) {
- new_pct = 100;
- } else {
- new_pct = (blocks_done_ * 100) / std::max<uint64_t>(blocks_to_encrypt_, 1);
- new_pct = std::min<uint64_t>(new_pct, 99);
- }
- if (new_pct > cur_pct_) {
- cur_pct_ = new_pct;
- android::base::SetProperty("vold.encrypt_progress", std::to_string(new_pct));
- }
-
- if (cur_pct_ >= 5) {
- struct timespec time_now;
- if (clock_gettime(CLOCK_MONOTONIC, &time_now)) {
- PLOG(WARNING) << "Error getting time while updating encryption progress";
- } else {
- double elapsed_time = difftime(time_now.tv_sec, time_started_);
-
- uint64_t remaining_blocks = 0;
- if (blocks_done_ < blocks_to_encrypt_)
- remaining_blocks = blocks_to_encrypt_ - blocks_done_;
-
- int remaining_time = 0;
- if (blocks_done_ != 0)
- remaining_time = (int)(elapsed_time * remaining_blocks / blocks_done_);
-
- // Change time only if not yet set, lower, or a lot higher for
- // best user experience
- if (remaining_time_ == -1 || remaining_time < remaining_time_ ||
- remaining_time > remaining_time_ + 60) {
- remaining_time_ = remaining_time;
- android::base::SetProperty("vold.encrypt_time_remaining",
- std::to_string(remaining_time));
- }
- }
- }
}
bool InPlaceEncrypter::EncryptPendingData() {
@@ -313,14 +265,10 @@
}
bool InPlaceEncrypter::EncryptInPlace(const std::string& crypto_blkdev,
- const std::string& real_blkdev, uint64_t nr_sec,
- bool set_progress_properties) {
- struct timespec time_started = {0};
-
+ const std::string& real_blkdev, uint64_t nr_sec) {
real_blkdev_ = real_blkdev;
crypto_blkdev_ = crypto_blkdev;
nr_sec_ = nr_sec;
- set_progress_properties_ = set_progress_properties;
realfd_.reset(open64(real_blkdev.c_str(), O_RDONLY | O_CLOEXEC));
if (realfd_ < 0) {
@@ -334,13 +282,6 @@
return false;
}
- if (clock_gettime(CLOCK_MONOTONIC, &time_started)) {
- PLOG(WARNING) << "Error getting time at start of in-place encryption";
- // Note - continue anyway - we'll run with 0
- }
- time_started_ = time_started.tv_sec;
- remaining_time_ = -1;
-
bool success = DoEncryptInPlace();
if (success) success &= EncryptPendingData();
@@ -359,8 +300,11 @@
<< ") was incorrect; we actually encrypted " << blocks_done_
<< " blocks. Encryption progress was inaccurate";
}
- // Make sure vold.encrypt_progress gets set to 100.
+ // Ensure that the final progress message is printed, so the series of log
+ // messages ends with e.g. "Encrypted 50327 of 50327 blocks" rather than
+ // "Encrypted 50000 of 50327 blocks".
UpdateProgress(0, true);
+
LOG(INFO) << "Successfully encrypted " << DescribeFilesystem();
return true;
}
@@ -371,10 +315,10 @@
// sectors; however, if a filesystem is detected, then its size will be used
// instead, and only the in-use blocks of the filesystem will be encrypted.
bool encrypt_inplace(const std::string& crypto_blkdev, const std::string& real_blkdev,
- uint64_t nr_sec, bool set_progress_properties) {
+ uint64_t nr_sec) {
LOG(DEBUG) << "encrypt_inplace(" << crypto_blkdev << ", " << real_blkdev << ", " << nr_sec
- << ", " << (set_progress_properties ? "true" : "false") << ")";
+ << ")";
InPlaceEncrypter encrypter;
- return encrypter.EncryptInPlace(crypto_blkdev, real_blkdev, nr_sec, set_progress_properties);
+ return encrypter.EncryptInPlace(crypto_blkdev, real_blkdev, nr_sec);
}
diff --git a/EncryptInplace.h b/EncryptInplace.h
index 480a47c..ef6f848 100644
--- a/EncryptInplace.h
+++ b/EncryptInplace.h
@@ -21,6 +21,6 @@
#include <string>
bool encrypt_inplace(const std::string& crypto_blkdev, const std::string& real_blkdev,
- uint64_t nr_sec, bool set_progress_properties);
+ uint64_t nr_sec);
#endif
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index a56d196..f871a32 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -33,7 +33,6 @@
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
-#include <selinux/android.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
@@ -44,7 +43,6 @@
#include "android/os/IVold.h"
-#define EMULATED_USES_SELINUX 0
#define MANAGE_MISC_DIRS 0
#include <cutils/fs.h>
@@ -94,9 +92,16 @@
const std::string systemwide_volume_key_dir =
std::string() + DATA_MNT_POINT + "/misc/vold/volume_keys";
+const std::string data_data_dir = std::string() + DATA_MNT_POINT + "/data";
+const std::string data_user_0_dir = std::string() + DATA_MNT_POINT + "/user/0";
+const std::string media_obb_dir = std::string() + DATA_MNT_POINT + "/media/obb";
+
// Some users are ephemeral, don't try to wipe their keys from disk
std::set<userid_t> s_ephemeral_users;
+// The system DE encryption policy
+EncryptionPolicy s_device_policy;
+
// Map user ids to encryption policies
std::map<userid_t, EncryptionPolicy> s_de_policies;
std::map<userid_t, EncryptionPolicy> s_ce_policies;
@@ -108,10 +113,6 @@
return KeyGeneration{FSCRYPT_MAX_KEY_SIZE, true, options.use_hw_wrapped_key};
}
-static bool fscrypt_is_emulated() {
- return property_get_bool("persist.sys.emulate_fbe", false);
-}
-
static const char* escape_empty(const std::string& value) {
return value.empty() ? "null" : value.c_str();
}
@@ -186,10 +187,7 @@
auto const current_path = get_ce_key_current_path(directory_path);
if (to_fix != current_path) {
LOG(DEBUG) << "Renaming " << to_fix << " to " << current_path;
- if (rename(to_fix.c_str(), current_path.c_str()) != 0) {
- PLOG(WARNING) << "Unable to rename " << to_fix << " to " << current_path;
- return;
- }
+ if (!android::vold::RenameKeyDir(to_fix, current_path)) return;
}
android::vold::FsyncDirectory(directory_path);
}
@@ -211,7 +209,7 @@
return false;
}
-static bool IsEmmcStorage(const std::string& blk_device) {
+static bool MightBeEmmcStorage(const std::string& blk_device) {
// Handle symlinks.
std::string real_path;
if (!Realpath(blk_device, &real_path)) {
@@ -227,8 +225,15 @@
}
// Now we should have the "real" block device.
- LOG(DEBUG) << "IsEmmcStorage(): blk_device = " << blk_device << ", real_path=" << real_path;
- return StartsWith(Basename(real_path), "mmcblk");
+ LOG(DEBUG) << "MightBeEmmcStorage(): blk_device = " << blk_device
+ << ", real_path=" << real_path;
+ std::string name = Basename(real_path);
+ return StartsWith(name, "mmcblk") ||
+ // virtio devices may provide inline encryption support that is
+ // backed by eMMC inline encryption on the host, thus inheriting the
+ // DUN size limitation. So virtio devices must be allowed here too.
+ // TODO(b/207390665): check the maximum DUN size directly instead.
+ StartsWith(name, "vd");
}
// Retrieve the options to use for encryption policies on the /data filesystem.
@@ -244,7 +249,7 @@
return false;
}
if ((options->flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_32) &&
- !IsEmmcStorage(entry->blk_device)) {
+ !MightBeEmmcStorage(entry->blk_device)) {
LOG(ERROR) << "The emmc_optimized encryption flag is only allowed on eMMC storage. Remove "
"this flag from the device's fstab";
return false;
@@ -303,15 +308,26 @@
return true;
}
+// Prepare a directory without assigning it an encryption policy. The directory
+// will inherit the encryption policy of its parent directory, or will be
+// unencrypted if the parent directory is unencrypted.
static bool prepare_dir(const std::string& dir, mode_t mode, uid_t uid, gid_t gid) {
LOG(DEBUG) << "Preparing: " << dir;
- if (fs_prepare_dir(dir.c_str(), mode, uid, gid) != 0) {
+ if (android::vold::PrepareDir(dir, mode, uid, gid, 0) != 0) {
PLOG(ERROR) << "Failed to prepare " << dir;
return false;
}
return true;
}
+// Prepare a directory and assign it the given encryption policy.
+static bool prepare_dir_with_policy(const std::string& dir, mode_t mode, uid_t uid, gid_t gid,
+ const EncryptionPolicy& policy) {
+ if (!prepare_dir(dir, mode, uid, gid)) return false;
+ if (IsFbeEnabled() && !EnsurePolicy(policy, dir)) return false;
+ return true;
+}
+
static bool destroy_dir(const std::string& dir) {
LOG(DEBUG) << "Destroying: " << dir;
if (rmdir(dir.c_str()) != 0 && errno != ENOENT) {
@@ -361,7 +377,6 @@
EncryptionPolicy* policy) {
auto refi = key_map.find(user_id);
if (refi == key_map.end()) {
- LOG(DEBUG) << "Cannot find key for " << user_id;
return false;
}
*policy = refi->second;
@@ -402,7 +417,11 @@
userid_t user_id = std::stoi(entry->d_name);
auto key_path = de_dir + "/" + entry->d_name;
KeyBuffer de_key;
- if (!retrieveKey(key_path, kEmptyAuthentication, &de_key)) return false;
+ if (!retrieveKey(key_path, kEmptyAuthentication, &de_key)) {
+ // This is probably a partially removed user, so ignore
+ if (user_id != 0) continue;
+ return false;
+ }
EncryptionPolicy de_policy;
if (!install_storage_key(DATA_MNT_POINT, options, de_key, &de_policy)) return false;
auto ret = s_de_policies.insert({user_id, de_policy});
@@ -439,11 +458,12 @@
makeGen(options), &device_key))
return false;
- EncryptionPolicy device_policy;
- if (!install_storage_key(DATA_MNT_POINT, options, device_key, &device_policy)) return false;
+ // This initializes s_device_policy, which is a global variable so that
+ // fscrypt_init_user0() can access it later.
+ if (!install_storage_key(DATA_MNT_POINT, options, device_key, &s_device_policy)) return false;
std::string options_string;
- if (!OptionsToString(device_policy.options, &options_string)) {
+ if (!OptionsToString(s_device_policy.options, &options_string)) {
LOG(ERROR) << "Unable to serialize options";
return false;
}
@@ -451,7 +471,7 @@
if (!android::vold::writeStringToFile(options_string, options_filename)) return false;
std::string ref_filename = std::string(DATA_MNT_POINT) + fscrypt_key_ref;
- if (!android::vold::writeStringToFile(device_policy.key_raw_ref, ref_filename)) return false;
+ if (!android::vold::writeStringToFile(s_device_policy.key_raw_ref, ref_filename)) return false;
LOG(INFO) << "Wrote system DE key reference to:" << ref_filename;
KeyBuffer per_boot_key;
@@ -466,9 +486,58 @@
return true;
}
+static bool prepare_special_dirs() {
+ // Ensure that /data/data and its "alias" /data/user/0 exist, and create the
+ // bind mount of /data/data onto /data/user/0. This *should* happen in
+ // fscrypt_prepare_user_storage(). However, it actually must be done early,
+ // before the rest of user 0's CE storage is prepared. This is because
+ // zygote may need to set up app data isolation before then, which requires
+ // mounting a tmpfs over /data/data to ensure it remains hidden. This issue
+ // arises due to /data/data being in the top-level directory.
+
+ // /data/user/0 used to be a symlink to /data/data, so we must first delete
+ // the old symlink if present.
+ if (android::vold::IsSymlink(data_user_0_dir) && android::vold::Unlink(data_user_0_dir) != 0)
+ return false;
+ // On first boot, we'll be creating /data/data for the first time, and user
+ // 0's CE key will be installed already since it was just created. Take the
+ // opportunity to also set the encryption policy of /data/data right away.
+ EncryptionPolicy ce_policy;
+ if (lookup_policy(s_ce_policies, 0, &ce_policy)) {
+ if (!prepare_dir_with_policy(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy))
+ return false;
+ } else {
+ if (!prepare_dir(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
+ // EnsurePolicy() will have to happen later, in fscrypt_prepare_user_storage().
+ }
+ if (!prepare_dir(data_user_0_dir, 0700, AID_SYSTEM, AID_SYSTEM)) return false;
+ if (android::vold::BindMount(data_data_dir, data_user_0_dir) != 0) return false;
+
+ // If /data/media/obb doesn't exist, create it and encrypt it with the
+ // device policy. Normally, device-policy-encrypted directories are created
+ // and encrypted by init; /data/media/obb is special because it is located
+ // in /data/media. Since /data/media also contains per-user encrypted
+ // directories, by design only vold can write to it. As a side effect of
+ // that, vold must create /data/media/obb.
+ //
+ // We must tolerate /data/media/obb being unencrypted if it already exists
+ // on-disk, since it used to be unencrypted (b/64566063).
+ if (android::vold::pathExists(media_obb_dir)) {
+ if (!prepare_dir(media_obb_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW)) return false;
+ } else {
+ if (!prepare_dir_with_policy(media_obb_dir, 0770, AID_MEDIA_RW, AID_MEDIA_RW,
+ s_device_policy))
+ return false;
+ }
+ return true;
+}
+
+bool fscrypt_init_user0_done;
+
bool fscrypt_init_user0() {
LOG(DEBUG) << "fscrypt_init_user0";
- if (fscrypt_is_native()) {
+
+ if (IsFbeEnabled()) {
if (!prepare_dir(user_key_dir, 0700, AID_ROOT, AID_ROOT)) return false;
if (!prepare_dir(user_key_dir + "/ce", 0700, AID_ROOT, AID_ROOT)) return false;
if (!prepare_dir(user_key_dir + "/de", 0700, AID_ROOT, AID_ROOT)) return false;
@@ -479,33 +548,33 @@
// explicit calls to install DE keys for secondary users
if (!load_all_de_keys()) return false;
}
- // We can only safely prepare DE storage here, since CE keys are probably
- // entangled with user credentials. The framework will always prepare CE
- // storage once CE keys are installed.
+
+ // Now that user 0's CE key has been created, we can prepare /data/data.
+ if (!prepare_special_dirs()) return false;
+
+ // With the exception of what is done by prepare_special_dirs() above, we
+ // only prepare DE storage here, since user 0's CE key won't be installed
+ // yet unless it was just created. The framework will prepare the user's CE
+ // storage later, once their CE key is installed.
if (!fscrypt_prepare_user_storage("", 0, 0, android::os::IVold::STORAGE_FLAG_DE)) {
LOG(ERROR) << "Failed to prepare user 0 storage";
return false;
}
- // If this is a non-FBE device that recently left an emulated mode,
- // restore user data directories to known-good state.
- if (!fscrypt_is_native() && !fscrypt_is_emulated()) {
- fscrypt_unlock_user_key(0, 0, "!", "!");
- }
-
// In some scenarios (e.g. userspace reboot) we might unmount userdata
// without doing a hard reboot. If CE keys were stored in fs keyring then
// they will be lost after unmount. Attempt to re-install them.
- if (fscrypt_is_native() && android::vold::isFsKeyringSupported()) {
+ if (IsFbeEnabled() && android::vold::isFsKeyringSupported()) {
if (!try_reload_ce_keys()) return false;
}
+ fscrypt_init_user0_done = true;
return true;
}
bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral) {
LOG(DEBUG) << "fscrypt_vold_create_user_key for " << user_id << " serial " << serial;
- if (!fscrypt_is_native()) {
+ if (!IsFbeEnabled()) {
return true;
}
// FIXME test for existence of key that is not loaded yet
@@ -556,7 +625,7 @@
bool fscrypt_destroy_user_key(userid_t user_id) {
LOG(DEBUG) << "fscrypt_destroy_user_key(" << user_id << ")";
- if (!fscrypt_is_native()) {
+ if (!IsFbeEnabled()) {
return true;
}
bool success = true;
@@ -569,9 +638,12 @@
if (it != s_ephemeral_users.end()) {
s_ephemeral_users.erase(it);
} else {
- for (auto const path : get_ce_key_paths(get_ce_key_directory_path(user_id))) {
+ auto ce_path = get_ce_key_directory_path(user_id);
+ for (auto const path : get_ce_key_paths(ce_path)) {
success &= android::vold::destroyKey(path);
}
+ success &= destroy_dir(ce_path);
+
auto de_key_path = get_de_key_path(user_id);
if (android::vold::pathExists(de_key_path)) {
success &= android::vold::destroyKey(de_key_path);
@@ -582,36 +654,6 @@
return success;
}
-static bool emulated_lock(const std::string& path) {
- if (chmod(path.c_str(), 0000) != 0) {
- PLOG(ERROR) << "Failed to chmod " << path;
- return false;
- }
-#if EMULATED_USES_SELINUX
- if (setfilecon(path.c_str(), "u:object_r:storage_stub_file:s0") != 0) {
- PLOG(WARNING) << "Failed to setfilecon " << path;
- return false;
- }
-#endif
- return true;
-}
-
-static bool emulated_unlock(const std::string& path, mode_t mode) {
- if (chmod(path.c_str(), mode) != 0) {
- PLOG(ERROR) << "Failed to chmod " << path;
- // FIXME temporary workaround for b/26713622
- if (fscrypt_is_emulated()) return false;
- }
-#if EMULATED_USES_SELINUX
- if (selinux_android_restorecon(path.c_str(), SELINUX_ANDROID_RESTORECON_FORCE) != 0) {
- PLOG(WARNING) << "Failed to restorecon " << path;
- // FIXME temporary workaround for b/26713622
- if (fscrypt_is_emulated()) return false;
- }
-#endif
- return true;
-}
-
static bool parse_hex(const std::string& hex, std::string* result) {
if (hex == "!") {
*result = "";
@@ -625,14 +667,13 @@
}
static std::optional<android::vold::KeyAuthentication> authentication_from_hex(
- const std::string& token_hex, const std::string& secret_hex) {
- std::string token, secret;
- if (!parse_hex(token_hex, &token)) return std::optional<android::vold::KeyAuthentication>();
+ const std::string& secret_hex) {
+ std::string secret;
if (!parse_hex(secret_hex, &secret)) return std::optional<android::vold::KeyAuthentication>();
if (secret.empty()) {
return kEmptyAuthentication;
} else {
- return android::vold::KeyAuthentication(token, secret);
+ return android::vold::KeyAuthentication(secret);
}
}
@@ -658,7 +699,7 @@
}
auto key_path = volkey_path(misc_path, volume_uuid);
if (!android::vold::MkdirsSync(key_path, 0700)) return false;
- android::vold::KeyAuthentication auth("", secdiscardable_hash);
+ android::vold::KeyAuthentication auth(secdiscardable_hash);
EncryptionOptions options;
if (!get_volume_file_encryption_options(&options)) return false;
@@ -701,29 +742,25 @@
return true;
}
-bool fscrypt_add_user_key_auth(userid_t user_id, int serial, const std::string& token_hex,
- const std::string& secret_hex) {
- LOG(DEBUG) << "fscrypt_add_user_key_auth " << user_id << " serial=" << serial
- << " token_present=" << (token_hex != "!");
- if (!fscrypt_is_native()) return true;
- auto auth = authentication_from_hex(token_hex, secret_hex);
+bool fscrypt_add_user_key_auth(userid_t user_id, int serial, const std::string& secret_hex) {
+ LOG(DEBUG) << "fscrypt_add_user_key_auth " << user_id << " serial=" << serial;
+ if (!IsFbeEnabled()) return true;
+ auto auth = authentication_from_hex(secret_hex);
if (!auth) return false;
return fscrypt_rewrap_user_key(user_id, serial, kEmptyAuthentication, *auth);
}
-bool fscrypt_clear_user_key_auth(userid_t user_id, int serial, const std::string& token_hex,
- const std::string& secret_hex) {
- LOG(DEBUG) << "fscrypt_clear_user_key_auth " << user_id << " serial=" << serial
- << " token_present=" << (token_hex != "!");
- if (!fscrypt_is_native()) return true;
- auto auth = authentication_from_hex(token_hex, secret_hex);
+bool fscrypt_clear_user_key_auth(userid_t user_id, int serial, const std::string& secret_hex) {
+ LOG(DEBUG) << "fscrypt_clear_user_key_auth " << user_id << " serial=" << serial;
+ if (!IsFbeEnabled()) return true;
+ auto auth = authentication_from_hex(secret_hex);
if (!auth) return false;
return fscrypt_rewrap_user_key(user_id, serial, *auth, kEmptyAuthentication);
}
bool fscrypt_fixate_newest_user_key_auth(userid_t user_id) {
LOG(DEBUG) << "fscrypt_fixate_newest_user_key_auth " << user_id;
- if (!fscrypt_is_native()) return true;
+ if (!IsFbeEnabled()) return true;
if (s_ephemeral_users.count(user_id) != 0) return true;
auto const directory_path = get_ce_key_directory_path(user_id);
auto const paths = get_ce_key_paths(directory_path);
@@ -735,33 +772,28 @@
return true;
}
+std::vector<int> fscrypt_get_unlocked_users() {
+ std::vector<int> user_ids;
+ for (const auto& it : s_ce_policies) {
+ user_ids.push_back(it.first);
+ }
+ return user_ids;
+}
+
// TODO: rename to 'install' for consistency, and take flags to know which keys to install
-bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& token_hex,
- const std::string& secret_hex) {
- LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial
- << " token_present=" << (token_hex != "!");
- if (fscrypt_is_native()) {
+bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) {
+ LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial;
+ if (IsFbeEnabled()) {
if (s_ce_policies.count(user_id) != 0) {
LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id;
return true;
}
- auto auth = authentication_from_hex(token_hex, secret_hex);
+ auto auth = authentication_from_hex(secret_hex);
if (!auth) return false;
if (!read_and_install_user_ce_key(user_id, *auth)) {
LOG(ERROR) << "Couldn't read key for " << user_id;
return false;
}
- } else {
- // When in emulation mode, we just use chmod. However, we also
- // unlock directories when not in emulation mode, to bring devices
- // back into a known-good state.
- if (!emulated_unlock(android::vold::BuildDataSystemCePath(user_id), 0771) ||
- !emulated_unlock(android::vold::BuildDataMiscCePath(user_id), 01771) ||
- !emulated_unlock(android::vold::BuildDataMediaCePath("", user_id), 0770) ||
- !emulated_unlock(android::vold::BuildDataUserCePath("", user_id), 0771)) {
- LOG(ERROR) << "Failed to unlock user " << user_id;
- return false;
- }
}
return true;
}
@@ -769,19 +801,9 @@
// TODO: rename to 'evict' for consistency
bool fscrypt_lock_user_key(userid_t user_id) {
LOG(DEBUG) << "fscrypt_lock_user_key " << user_id;
- if (fscrypt_is_native()) {
+ if (IsFbeEnabled()) {
return evict_ce_key(user_id);
- } else if (fscrypt_is_emulated()) {
- // When in emulation mode, we just use chmod
- if (!emulated_lock(android::vold::BuildDataSystemCePath(user_id)) ||
- !emulated_lock(android::vold::BuildDataMiscCePath(user_id)) ||
- !emulated_lock(android::vold::BuildDataMediaCePath("", user_id)) ||
- !emulated_lock(android::vold::BuildDataUserCePath("", user_id))) {
- LOG(ERROR) << "Failed to lock user " << user_id;
- return false;
- }
}
-
return true;
}
@@ -801,6 +823,23 @@
LOG(DEBUG) << "fscrypt_prepare_user_storage for volume " << escape_empty(volume_uuid)
<< ", user " << user_id << ", serial " << serial << ", flags " << flags;
+ // Internal storage must be prepared before adoptable storage, since the
+ // user's volume keys are stored in their internal storage.
+ if (!volume_uuid.empty()) {
+ if ((flags & android::os::IVold::STORAGE_FLAG_DE) &&
+ !android::vold::pathExists(android::vold::BuildDataMiscDePath("", user_id))) {
+ LOG(ERROR) << "Cannot prepare DE storage for user " << user_id << " on volume "
+ << volume_uuid << " before internal storage";
+ return false;
+ }
+ if ((flags & android::os::IVold::STORAGE_FLAG_CE) &&
+ !android::vold::pathExists(android::vold::BuildDataMiscCePath("", user_id))) {
+ LOG(ERROR) << "Cannot prepare CE storage for user " << user_id << " on volume "
+ << volume_uuid << " before internal storage";
+ return false;
+ }
+ }
+
if (flags & android::os::IVold::STORAGE_FLAG_DE) {
// DE_sys key
auto system_legacy_path = android::vold::BuildDataSystemLegacyPath(user_id);
@@ -808,11 +847,26 @@
auto profiles_de_path = android::vold::BuildDataProfilesDePath(user_id);
// DE_n key
+ EncryptionPolicy de_policy;
auto system_de_path = android::vold::BuildDataSystemDePath(user_id);
- auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
+ auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
+ if (IsFbeEnabled()) {
+ if (volume_uuid.empty()) {
+ if (!lookup_policy(s_de_policies, user_id, &de_policy)) {
+ LOG(ERROR) << "Cannot find DE policy for user " << user_id;
+ return false;
+ }
+ } else {
+ auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
+ if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, &de_policy)) {
+ return false;
+ }
+ }
+ }
+
if (volume_uuid.empty()) {
if (!prepare_dir(system_legacy_path, 0700, AID_SYSTEM, AID_SYSTEM)) return false;
#if MANAGE_MISC_DIRS
@@ -822,40 +876,49 @@
#endif
if (!prepare_dir(profiles_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
- if (!prepare_dir(system_de_path, 0770, AID_SYSTEM, AID_SYSTEM)) return false;
- if (!prepare_dir(misc_de_path, 01771, AID_SYSTEM, AID_MISC)) return false;
- if (!prepare_dir(vendor_de_path, 0771, AID_ROOT, AID_ROOT)) return false;
+ if (!prepare_dir_with_policy(system_de_path, 0770, AID_SYSTEM, AID_SYSTEM, de_policy))
+ return false;
+ if (!prepare_dir_with_policy(vendor_de_path, 0771, AID_ROOT, AID_ROOT, de_policy))
+ return false;
}
- if (!prepare_dir(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
- if (fscrypt_is_native()) {
- EncryptionPolicy de_policy;
- if (volume_uuid.empty()) {
- if (!lookup_policy(s_de_policies, user_id, &de_policy)) return false;
- if (!EnsurePolicy(de_policy, system_de_path)) return false;
- if (!EnsurePolicy(de_policy, misc_de_path)) return false;
- if (!EnsurePolicy(de_policy, vendor_de_path)) return false;
- } else {
- if (!read_or_create_volkey(misc_de_path, volume_uuid, &de_policy)) return false;
- }
- if (!EnsurePolicy(de_policy, user_de_path)) return false;
- }
+ if (!prepare_dir_with_policy(misc_de_path, 01771, AID_SYSTEM, AID_MISC, de_policy))
+ return false;
+ if (!prepare_dir_with_policy(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM, de_policy))
+ return false;
}
if (flags & android::os::IVold::STORAGE_FLAG_CE) {
// CE_n key
+ EncryptionPolicy ce_policy;
auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
- auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
+ auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
- if (volume_uuid.empty()) {
- if (!prepare_dir(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM)) return false;
- if (!prepare_dir(misc_ce_path, 01771, AID_SYSTEM, AID_MISC)) return false;
- if (!prepare_dir(vendor_ce_path, 0771, AID_ROOT, AID_ROOT)) return false;
+ if (IsFbeEnabled()) {
+ if (volume_uuid.empty()) {
+ if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) {
+ LOG(ERROR) << "Cannot find CE policy for user " << user_id;
+ return false;
+ }
+ } else {
+ auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
+ if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, &ce_policy)) {
+ return false;
+ }
+ }
}
- if (!prepare_dir(media_ce_path, 02770, AID_MEDIA_RW, AID_MEDIA_RW)) return false;
+
+ if (volume_uuid.empty()) {
+ if (!prepare_dir_with_policy(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM, ce_policy))
+ return false;
+ if (!prepare_dir_with_policy(vendor_ce_path, 0771, AID_ROOT, AID_ROOT, ce_policy))
+ return false;
+ }
+ if (!prepare_dir_with_policy(media_ce_path, 02770, AID_MEDIA_RW, AID_MEDIA_RW, ce_policy))
+ return false;
// On devices without sdcardfs (kernel 5.4+), the path permissions aren't fixed
// up automatically; therefore, use a default ACL, to ensure apps with MEDIA_RW
// can keep reading external storage; in particular, this allows app cloning
@@ -864,22 +927,10 @@
if (ret != android::OK) {
return false;
}
-
- if (!prepare_dir(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
-
- if (fscrypt_is_native()) {
- EncryptionPolicy ce_policy;
- if (volume_uuid.empty()) {
- if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) return false;
- if (!EnsurePolicy(ce_policy, system_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, misc_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, vendor_ce_path)) return false;
- } else {
- if (!read_or_create_volkey(misc_ce_path, volume_uuid, &ce_policy)) return false;
- }
- if (!EnsurePolicy(ce_policy, media_ce_path)) return false;
- if (!EnsurePolicy(ce_policy, user_ce_path)) return false;
- }
+ if (!prepare_dir_with_policy(misc_ce_path, 01771, AID_SYSTEM, AID_MISC, ce_policy))
+ return false;
+ if (!prepare_dir_with_policy(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy))
+ return false;
if (volume_uuid.empty()) {
// Now that credentials have been installed, we can run restorecon
@@ -905,20 +956,21 @@
if (flags & android::os::IVold::STORAGE_FLAG_CE) {
// CE_n key
auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
- auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
+ auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
res &= destroy_dir(media_ce_path);
+ res &= destroy_dir(misc_ce_path);
res &= destroy_dir(user_ce_path);
if (volume_uuid.empty()) {
res &= destroy_dir(system_ce_path);
- res &= destroy_dir(misc_ce_path);
res &= destroy_dir(vendor_ce_path);
} else {
- if (fscrypt_is_native()) {
- res &= destroy_volkey(misc_ce_path, volume_uuid);
+ if (IsFbeEnabled()) {
+ auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
+ res &= destroy_volkey(misc_ce_empty_volume_path, volume_uuid);
}
}
}
@@ -931,11 +983,12 @@
// DE_n key
auto system_de_path = android::vold::BuildDataSystemDePath(user_id);
- auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
+ auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
res &= destroy_dir(user_de_path);
+ res &= destroy_dir(misc_de_path);
if (volume_uuid.empty()) {
res &= destroy_dir(system_legacy_path);
#if MANAGE_MISC_DIRS
@@ -943,11 +996,11 @@
#endif
res &= destroy_dir(profiles_de_path);
res &= destroy_dir(system_de_path);
- res &= destroy_dir(misc_de_path);
res &= destroy_dir(vendor_de_path);
} else {
- if (fscrypt_is_native()) {
- res &= destroy_volkey(misc_de_path, volume_uuid);
+ if (IsFbeEnabled()) {
+ auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
+ res &= destroy_volkey(misc_de_empty_volume_path, volume_uuid);
}
}
}
diff --git a/FsCrypt.h b/FsCrypt.h
index 641991a..e5af487 100644
--- a/FsCrypt.h
+++ b/FsCrypt.h
@@ -15,22 +15,22 @@
*/
#include <string>
+#include <vector>
#include <cutils/multiuser.h>
bool fscrypt_initialize_systemwide_keys();
bool fscrypt_init_user0();
+extern bool fscrypt_init_user0_done;
bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral);
bool fscrypt_destroy_user_key(userid_t user_id);
-bool fscrypt_add_user_key_auth(userid_t user_id, int serial, const std::string& token,
- const std::string& secret);
-bool fscrypt_clear_user_key_auth(userid_t user_id, int serial, const std::string& token,
- const std::string& secret);
+bool fscrypt_add_user_key_auth(userid_t user_id, int serial, const std::string& secret);
+bool fscrypt_clear_user_key_auth(userid_t user_id, int serial, const std::string& secret);
bool fscrypt_fixate_newest_user_key_auth(userid_t user_id);
-bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& token,
- const std::string& secret);
+std::vector<int> fscrypt_get_unlocked_users();
+bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret);
bool fscrypt_lock_user_key(userid_t user_id);
bool fscrypt_prepare_user_storage(const std::string& volume_uuid, userid_t user_id, int serial,
diff --git a/IdleMaint.cpp b/IdleMaint.cpp
index 8005cf4..fedfc3d 100644
--- a/IdleMaint.cpp
+++ b/IdleMaint.cpp
@@ -85,6 +85,12 @@
*/
static const int GC_TIMEOUT_SEC = 420;
static const int DEVGC_TIMEOUT_SEC = 120;
+static const int KBYTES_IN_SEGMENT = 2048;
+static const int ONE_MINUTE_IN_MS = 60000;
+static const int GC_NORMAL_MODE = 0;
+static const int GC_URGENT_MID_MODE = 3;
+
+static int32_t previousSegmentWrite = 0;
static IdleMaintStats idle_maint_stat(IdleMaintStats::kStopped);
static std::condition_variable cv_abort, cv_stop;
@@ -111,7 +117,7 @@
}
}
-static void addFromFstab(std::list<std::string>* paths, PathTypes path_type) {
+static void addFromFstab(std::list<std::string>* paths, PathTypes path_type, bool only_data_part) {
std::string previous_mount_point;
for (const auto& entry : fstab_default) {
// Skip raw partitions and swap space.
@@ -133,6 +139,10 @@
continue;
}
+ if (only_data_part && entry.mount_point != "/data") {
+ continue;
+ }
+
// Skip the multi-type partitions, which are required to be following each other.
// See fs_mgr.c's mount_with_alternatives().
if (entry.mount_point == previous_mount_point) {
@@ -142,10 +152,10 @@
if (path_type == PathTypes::kMountPoint) {
paths->push_back(entry.mount_point);
} else if (path_type == PathTypes::kBlkDevice) {
- std::string gc_path;
+ std::string path;
if (entry.fs_type == "f2fs" &&
- Realpath(android::vold::BlockDeviceForPath(entry.mount_point + "/"), &gc_path)) {
- paths->push_back("/sys/fs/" + entry.fs_type + "/" + Basename(gc_path));
+ Realpath(android::vold::BlockDeviceForPath(entry.mount_point + "/"), &path)) {
+ paths->push_back("/sys/fs/" + entry.fs_type + "/" + Basename(path));
}
}
@@ -161,7 +171,7 @@
// Collect both fstab and vold volumes
std::list<std::string> paths;
- addFromFstab(&paths, PathTypes::kMountPoint);
+ addFromFstab(&paths, PathTypes::kMountPoint, false);
addFromVolumeManager(&paths, PathTypes::kMountPoint);
for (const auto& path : paths) {
@@ -264,15 +274,18 @@
return android::OK;
}
-static void runDevGcFstab(void) {
- std::string path;
+static std::string getDevSysfsPath() {
for (const auto& entry : fstab_default) {
if (!entry.sysfs_path.empty()) {
- path = entry.sysfs_path;
- break;
+ return entry.sysfs_path;
}
}
+ LOG(WARNING) << "Cannot find dev sysfs path";
+ return "";
+}
+static void runDevGcFstab(void) {
+ std::string path = getDevSysfsPath();
if (path.empty()) {
return;
}
@@ -377,33 +390,13 @@
}
static void runDevGc(void) {
- auto aidl_service_name = AStorage::descriptor + "/default"s;
- if (AServiceManager_isDeclared(aidl_service_name.c_str())) {
- ndk::SpAIBinder binder(AServiceManager_waitForService(aidl_service_name.c_str()));
- if (binder.get() != nullptr) {
- std::shared_ptr<AStorage> aidl_service = AStorage::fromBinder(binder);
- if (aidl_service != nullptr) {
- runDevGcOnHal<IDL::AIDL>(aidl_service, ndk::SharedRefBase::make<AGcCallbackImpl>(),
- &ndk::ScopedAStatus::getDescription);
- return;
- }
- }
- LOG(WARNING) << "Device declares " << aidl_service_name
- << " but it is not running, skip dev GC on AIDL HAL";
- return;
- }
- auto hidl_service = HStorage::getService();
- if (hidl_service != nullptr) {
- runDevGcOnHal<IDL::HIDL>(hidl_service, sp<HGcCallbackImpl>(new HGcCallbackImpl()),
- &Return<void>::description);
- return;
- }
- // fallback to legacy code path
runDevGcFstab();
}
-int RunIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener) {
+int RunIdleMaint(bool needGC, const android::sp<android::os::IVoldTaskListener>& listener) {
std::unique_lock<std::mutex> lk(cv_m);
+ bool gc_aborted = false;
+
if (idle_maint_stat != IdleMaintStats::kStopped) {
LOG(DEBUG) << "idle maintenance is already running";
if (listener) {
@@ -422,15 +415,22 @@
return android::UNEXPECTED_NULL;
}
- std::list<std::string> paths;
- addFromFstab(&paths, PathTypes::kBlkDevice);
- addFromVolumeManager(&paths, PathTypes::kBlkDevice);
+ if (needGC) {
+ std::list<std::string> paths;
+ addFromFstab(&paths, PathTypes::kBlkDevice, false);
+ addFromVolumeManager(&paths, PathTypes::kBlkDevice);
- startGc(paths);
+ startGc(paths);
- bool gc_aborted = waitForGc(paths);
+ gc_aborted = waitForGc(paths);
- stopGc(paths);
+ stopGc(paths);
+ }
+
+ if (!gc_aborted) {
+ Trim(nullptr);
+ runDevGc();
+ }
lk.lock();
idle_maint_stat = IdleMaintStats::kStopped;
@@ -438,11 +438,6 @@
cv_stop.notify_one();
- if (!gc_aborted) {
- Trim(nullptr);
- runDevGc();
- }
-
if (listener) {
android::os::PersistableBundle extras;
listener->onFinished(0, extras);
@@ -480,5 +475,187 @@
return android::OK;
}
+int getLifeTime(const std::string& path) {
+ std::string result;
+
+ if (!ReadFileToString(path, &result)) {
+ PLOG(WARNING) << "Reading lifetime estimation failed for " << path;
+ return -1;
+ }
+ return std::stoi(result, 0, 16);
+}
+
+int32_t GetStorageLifeTime() {
+ std::string path = getDevSysfsPath();
+ if (path.empty()) {
+ return -1;
+ }
+
+ std::string lifeTimeBasePath = path + "/health_descriptor/life_time_estimation_";
+
+ int32_t lifeTime = getLifeTime(lifeTimeBasePath + "c");
+ if (lifeTime != -1) {
+ return lifeTime;
+ }
+
+ int32_t lifeTimeA = getLifeTime(lifeTimeBasePath + "a");
+ int32_t lifeTimeB = getLifeTime(lifeTimeBasePath + "b");
+ lifeTime = std::max(lifeTimeA, lifeTimeB);
+ if (lifeTime != -1) {
+ return lifeTime == 0 ? -1 : lifeTime * 10;
+ }
+ return -1;
+}
+
+void SetGCUrgentPace(int32_t neededSegments, int32_t minSegmentThreshold, float dirtyReclaimRate,
+ float reclaimWeight, int32_t gcPeriod, int32_t minGCSleepTime,
+ int32_t targetDirtyRatio) {
+ std::list<std::string> paths;
+ bool needGC = false;
+ int32_t sleepTime;
+
+ addFromFstab(&paths, PathTypes::kBlkDevice, true);
+ if (paths.empty()) {
+ LOG(WARNING) << "There is no valid blk device path for data partition";
+ return;
+ }
+
+ std::string f2fsSysfsPath = paths.front();
+ std::string freeSegmentsPath = f2fsSysfsPath + "/free_segments";
+ std::string dirtySegmentsPath = f2fsSysfsPath + "/dirty_segments";
+ std::string gcSleepTimePath = f2fsSysfsPath + "/gc_urgent_sleep_time";
+ std::string gcUrgentModePath = f2fsSysfsPath + "/gc_urgent";
+ std::string ovpSegmentsPath = f2fsSysfsPath + "/ovp_segments";
+ std::string reservedBlocksPath = f2fsSysfsPath + "/reserved_blocks";
+ std::string freeSegmentsStr, dirtySegmentsStr, ovpSegmentsStr, reservedBlocksStr;
+
+ if (!ReadFileToString(freeSegmentsPath, &freeSegmentsStr)) {
+ PLOG(WARNING) << "Reading failed in " << freeSegmentsPath;
+ return;
+ }
+
+ if (!ReadFileToString(dirtySegmentsPath, &dirtySegmentsStr)) {
+ PLOG(WARNING) << "Reading failed in " << dirtySegmentsPath;
+ return;
+ }
+
+ if (!ReadFileToString(ovpSegmentsPath, &ovpSegmentsStr)) {
+ PLOG(WARNING) << "Reading failed in " << ovpSegmentsPath;
+ return;
+ }
+
+ if (!ReadFileToString(reservedBlocksPath, &reservedBlocksStr)) {
+ PLOG(WARNING) << "Reading failed in " << reservedBlocksPath;
+ return;
+ }
+
+ int32_t freeSegments = std::stoi(freeSegmentsStr);
+ int32_t dirtySegments = std::stoi(dirtySegmentsStr);
+ int32_t reservedBlocks = std::stoi(ovpSegmentsStr) + std::stoi(reservedBlocksStr);
+
+ freeSegments = freeSegments > reservedBlocks ? freeSegments - reservedBlocks : 0;
+ int32_t totalSegments = freeSegments + dirtySegments;
+ int32_t finalTargetSegments = 0;
+
+ if (totalSegments < minSegmentThreshold) {
+ LOG(INFO) << "The sum of free segments: " << freeSegments
+ << ", dirty segments: " << dirtySegments << " is under " << minSegmentThreshold;
+ } else {
+ int32_t dirtyRatio = dirtySegments * 100 / totalSegments;
+ int32_t neededForTargetRatio =
+ (dirtyRatio > targetDirtyRatio)
+ ? totalSegments * (dirtyRatio - targetDirtyRatio) / 100
+ : 0;
+ neededSegments *= reclaimWeight;
+ neededSegments = (neededSegments > freeSegments) ? neededSegments - freeSegments : 0;
+
+ finalTargetSegments = std::max(neededSegments, neededForTargetRatio);
+ if (finalTargetSegments == 0) {
+ LOG(INFO) << "Enough free segments: " << freeSegments;
+ } else {
+ finalTargetSegments =
+ std::min(finalTargetSegments, (int32_t)(dirtySegments * dirtyReclaimRate));
+ if (finalTargetSegments == 0) {
+ LOG(INFO) << "Low dirty segments: " << dirtySegments;
+ } else if (neededSegments >= neededForTargetRatio) {
+ LOG(INFO) << "Trigger GC, because of needed segments exceeding free segments";
+ needGC = true;
+ } else {
+ LOG(INFO) << "Trigger GC for target dirty ratio diff of: "
+ << dirtyRatio - targetDirtyRatio;
+ needGC = true;
+ }
+ }
+ }
+
+ if (!needGC) {
+ if (!WriteStringToFile(std::to_string(GC_NORMAL_MODE), gcUrgentModePath)) {
+ PLOG(WARNING) << "Writing failed in " << gcUrgentModePath;
+ }
+ return;
+ }
+
+ sleepTime = gcPeriod * ONE_MINUTE_IN_MS / finalTargetSegments;
+ if (sleepTime < minGCSleepTime) {
+ sleepTime = minGCSleepTime;
+ }
+
+ if (!WriteStringToFile(std::to_string(sleepTime), gcSleepTimePath)) {
+ PLOG(WARNING) << "Writing failed in " << gcSleepTimePath;
+ return;
+ }
+
+ if (!WriteStringToFile(std::to_string(GC_URGENT_MID_MODE), gcUrgentModePath)) {
+ PLOG(WARNING) << "Writing failed in " << gcUrgentModePath;
+ return;
+ }
+
+ LOG(INFO) << "Successfully set gc urgent mode: "
+ << "free segments: " << freeSegments << ", reclaim target: " << finalTargetSegments
+ << ", sleep time: " << sleepTime;
+}
+
+static int32_t getLifeTimeWrite() {
+ std::list<std::string> paths;
+ addFromFstab(&paths, PathTypes::kBlkDevice, true);
+ if (paths.empty()) {
+ LOG(WARNING) << "There is no valid blk device path for data partition";
+ return -1;
+ }
+
+ std::string writeKbytesPath = paths.front() + "/lifetime_write_kbytes";
+ std::string writeKbytesStr;
+ if (!ReadFileToString(writeKbytesPath, &writeKbytesStr)) {
+ PLOG(WARNING) << "Reading failed in " << writeKbytesPath;
+ return -1;
+ }
+
+ unsigned long long writeBytes = std::strtoull(writeKbytesStr.c_str(), NULL, 0);
+ /* Careful: values > LLONG_MAX can appear in the file due to a kernel bug. */
+ if (writeBytes / KBYTES_IN_SEGMENT > INT32_MAX) {
+ LOG(WARNING) << "Bad lifetime_write_kbytes: " << writeKbytesStr;
+ return -1;
+ }
+ return writeBytes / KBYTES_IN_SEGMENT;
+}
+
+void RefreshLatestWrite() {
+ int32_t segmentWrite = getLifeTimeWrite();
+ if (segmentWrite != -1) {
+ previousSegmentWrite = segmentWrite;
+ }
+}
+
+int32_t GetWriteAmount() {
+ int32_t currentSegmentWrite = getLifeTimeWrite();
+ if (currentSegmentWrite == -1) {
+ return -1;
+ }
+
+ int32_t writeAmount = currentSegmentWrite - previousSegmentWrite;
+ previousSegmentWrite = currentSegmentWrite;
+ return writeAmount;
+}
+
} // namespace vold
} // namespace android
diff --git a/IdleMaint.h b/IdleMaint.h
index e043db4..a28cde2 100644
--- a/IdleMaint.h
+++ b/IdleMaint.h
@@ -23,8 +23,14 @@
namespace vold {
void Trim(const android::sp<android::os::IVoldTaskListener>& listener);
-int RunIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener);
+int RunIdleMaint(bool needGC, const android::sp<android::os::IVoldTaskListener>& listener);
int AbortIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener);
+int32_t GetStorageLifeTime();
+void SetGCUrgentPace(int32_t neededSegments, int32_t minSegmentThreshold, float dirtyReclaimRate,
+ float reclaimWeight, int32_t gcPeriod, int32_t minGCSleepTime,
+ int32_t targetDirtyRatio);
+void RefreshLatestWrite();
+int32_t GetWriteAmount();
} // namespace vold
} // namespace android
diff --git a/KeyBuffer.h b/KeyBuffer.h
index a68311f..4468220 100644
--- a/KeyBuffer.h
+++ b/KeyBuffer.h
@@ -17,32 +17,18 @@
#ifndef ANDROID_VOLD_KEYBUFFER_H
#define ANDROID_VOLD_KEYBUFFER_H
-#include <cstring>
+#include <string.h>
#include <memory>
#include <vector>
namespace android {
namespace vold {
-/**
- * Variant of memset() that should never be optimized away. Borrowed from keymaster code.
- */
-#ifdef __clang__
-#define OPTNONE __attribute__((optnone))
-#else // not __clang__
-#define OPTNONE __attribute__((optimize("O0")))
-#endif // not __clang__
-inline OPTNONE void* memset_s(void* s, int c, size_t n) {
- if (!s) return s;
- return memset(s, c, n);
-}
-#undef OPTNONE
-
// Allocator that delegates useful work to standard one but zeroes data before deallocating.
class ZeroingAllocator : public std::allocator<char> {
public:
void deallocate(pointer p, size_type n) {
- memset_s(p, 0, n);
+ memset_explicit(p, 0, n);
std::allocator<char>::deallocate(p, n);
}
};
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index 356d556..837bb1a 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -17,8 +17,7 @@
#include "KeyStorage.h"
#include "Checkpoint.h"
-#include "Keymaster.h"
-#include "ScryptParameters.h"
+#include "Keystore.h"
#include "Utils.h"
#include <algorithm>
@@ -45,44 +44,27 @@
#include <cutils/properties.h>
-#include <hardware/hw_auth_token.h>
-#include <keymasterV4_1/authorization_set.h>
-#include <keymasterV4_1/keymaster_utils.h>
-
-extern "C" {
-
-#include "crypto_scrypt.h"
-}
-
namespace android {
namespace vold {
-const KeyAuthentication kEmptyAuthentication{"", ""};
+const KeyAuthentication kEmptyAuthentication{""};
static constexpr size_t AES_KEY_BYTES = 32;
static constexpr size_t GCM_NONCE_BYTES = 12;
static constexpr size_t GCM_MAC_BYTES = 16;
-static constexpr size_t SALT_BYTES = 1 << 4;
static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
-static constexpr size_t STRETCHED_BYTES = 1 << 6;
-
-static constexpr uint32_t AUTH_TIMEOUT = 30; // Seconds
static const char* kCurrentVersion = "1";
static const char* kRmPath = "/system/bin/rm";
static const char* kSecdiscardPath = "/system/bin/secdiscard";
-static const char* kStretch_none = "none";
-static const char* kStretch_nopassword = "nopassword";
-static const std::string kStretchPrefix_scrypt = "scrypt ";
static const char* kHashPrefix_secdiscardable = "Android secdiscardable SHA512";
static const char* kHashPrefix_keygen = "Android key wrapping key generation SHA512";
static const char* kFn_encrypted_key = "encrypted_key";
static const char* kFn_keymaster_key_blob = "keymaster_key_blob";
static const char* kFn_keymaster_key_blob_upgraded = "keymaster_key_blob_upgraded";
-static const char* kFn_salt = "salt";
static const char* kFn_secdiscardable = "secdiscardable";
-static const char* kFn_stretching = "stretching";
static const char* kFn_version = "version";
+// Note: old key directories may contain a file named "stretching".
namespace {
@@ -133,81 +115,52 @@
SHA512_Final(reinterpret_cast<uint8_t*>(&(*res)[0]), &c);
}
-// Generates a keymaster key, using rollback resistance if supported.
-static bool generateKeymasterKey(Keymaster& keymaster,
- const km::AuthorizationSetBuilder& paramBuilder,
- std::string* key) {
+static bool generateKeyStorageKey(Keystore& keystore, const std::string& appId, std::string* key) {
+ auto paramBuilder = km::AuthorizationSetBuilder()
+ .AesEncryptionKey(AES_KEY_BYTES * 8)
+ .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
+ .Authorization(km::TAG_APPLICATION_ID, appId)
+ .Authorization(km::TAG_NO_AUTH_REQUIRED);
+ LOG(DEBUG) << "Generating \"key storage\" key";
auto paramsWithRollback = paramBuilder;
paramsWithRollback.Authorization(km::TAG_ROLLBACK_RESISTANCE);
- if (!keymaster.generateKey(paramsWithRollback, key)) {
- LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keymaster "
+ if (!keystore.generateKey(paramsWithRollback, key)) {
+ LOG(WARNING) << "Failed to generate rollback-resistant key. This is expected if keystore "
"doesn't support rollback resistance. Falling back to "
"non-rollback-resistant key.";
- if (!keymaster.generateKey(paramBuilder, key)) return false;
+ if (!keystore.generateKey(paramBuilder, key)) return false;
}
return true;
}
-static bool generateKeyStorageKey(Keymaster& keymaster, const KeyAuthentication& auth,
- const std::string& appId, std::string* key) {
- auto paramBuilder = km::AuthorizationSetBuilder()
- .AesEncryptionKey(AES_KEY_BYTES * 8)
- .GcmModeMinMacLen(GCM_MAC_BYTES * 8)
- .Authorization(km::TAG_APPLICATION_ID, km::support::blob2hidlVec(appId));
- if (auth.token.empty()) {
- LOG(DEBUG) << "Generating \"key storage\" key that doesn't need auth token";
- paramBuilder.Authorization(km::TAG_NO_AUTH_REQUIRED);
- } else {
- LOG(DEBUG) << "Generating \"key storage\" key that needs auth token";
- if (auth.token.size() != sizeof(hw_auth_token_t)) {
- LOG(ERROR) << "Auth token should be " << sizeof(hw_auth_token_t) << " bytes, was "
- << auth.token.size() << " bytes";
- return false;
- }
- const hw_auth_token_t* at = reinterpret_cast<const hw_auth_token_t*>(auth.token.data());
- auto user_id = at->user_id; // Make a copy because at->user_id is unaligned.
- paramBuilder.Authorization(km::TAG_USER_SECURE_ID, user_id);
- paramBuilder.Authorization(km::TAG_USER_AUTH_TYPE, km::HardwareAuthenticatorType::PASSWORD);
- paramBuilder.Authorization(km::TAG_AUTH_TIMEOUT, AUTH_TIMEOUT);
- }
- return generateKeymasterKey(keymaster, paramBuilder, key);
-}
-
bool generateWrappedStorageKey(KeyBuffer* key) {
- Keymaster keymaster;
- if (!keymaster) return false;
+ Keystore keystore;
+ if (!keystore) return false;
std::string key_temp;
auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
paramBuilder.Authorization(km::TAG_STORAGE_KEY);
- if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false;
+ if (!keystore.generateKey(paramBuilder, &key_temp)) return false;
*key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true;
}
-bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key) {
- Keymaster keymaster;
- if (!keymaster) return false;
+bool exportWrappedStorageKey(const KeyBuffer& ksKey, KeyBuffer* key) {
+ Keystore keystore;
+ if (!keystore) return false;
std::string key_temp;
- if (!keymaster.exportKey(kmKey, &key_temp)) return false;
+ if (!keystore.exportKey(ksKey, &key_temp)) return false;
*key = KeyBuffer(key_temp.size());
memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());
return true;
}
-static std::pair<km::AuthorizationSet, km::HardwareAuthToken> beginParams(
- const KeyAuthentication& auth, const std::string& appId) {
- auto paramBuilder = km::AuthorizationSetBuilder()
- .GcmModeMacLen(GCM_MAC_BYTES * 8)
- .Authorization(km::TAG_APPLICATION_ID, km::support::blob2hidlVec(appId));
- km::HardwareAuthToken authToken;
- if (!auth.token.empty()) {
- LOG(DEBUG) << "Supplying auth token to Keymaster";
- authToken = km::support::hidlVec2AuthToken(km::support::blob2hidlVec(auth.token));
- }
- return {paramBuilder, authToken};
+static km::AuthorizationSet beginParams(const std::string& appId) {
+ return km::AuthorizationSetBuilder()
+ .GcmModeMacLen(GCM_MAC_BYTES * 8)
+ .Authorization(km::TAG_APPLICATION_ID, appId);
}
static bool readFileToString(const std::string& filename, std::string* result) {
@@ -236,22 +189,27 @@
}
bool readSecdiscardable(const std::string& filename, std::string* hash) {
- std::string secdiscardable;
- if (!readFileToString(filename, &secdiscardable)) return false;
- hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
+ if (pathExists(filename)) {
+ std::string secdiscardable;
+ if (!readFileToString(filename, &secdiscardable)) return false;
+ hashWithPrefix(kHashPrefix_secdiscardable, secdiscardable, hash);
+ } else {
+ *hash = "";
+ }
return true;
}
static std::mutex key_upgrade_lock;
-// List of key directories that have had their Keymaster key upgraded during
+// List of key directories that have had their Keystore key upgraded during
// this boot and written to "keymaster_key_blob_upgraded", but replacing the old
// key was delayed due to an active checkpoint. Protected by key_upgrade_lock.
+// A directory can be in this list at most once.
static std::vector<std::string> key_dirs_to_commit;
// Replaces |dir|/keymaster_key_blob with |dir|/keymaster_key_blob_upgraded and
-// deletes the old key from Keymaster.
-static bool CommitUpgradedKey(Keymaster& keymaster, const std::string& dir) {
+// deletes the old key from Keystore.
+static bool CommitUpgradedKey(Keystore& keystore, const std::string& dir) {
auto blob_file = dir + "/" + kFn_keymaster_key_blob;
auto upgraded_blob_file = dir + "/" + kFn_keymaster_key_blob_upgraded;
@@ -262,13 +220,13 @@
PLOG(ERROR) << "Failed to rename " << upgraded_blob_file << " to " << blob_file;
return false;
}
- // Ensure that the rename is persisted before deleting the Keymaster key.
+ // Ensure that the rename is persisted before deleting the Keystore key.
if (!FsyncDirectory(dir)) return false;
- if (!keymaster || !keymaster.deleteKey(blob)) {
+ if (!keystore || !keystore.deleteKey(blob)) {
LOG(WARNING) << "Failed to delete old key " << blob_file
- << " from Keymaster; continuing anyway";
- // Continue on, but the space in Keymaster used by the old key won't be freed.
+ << " from Keystore; continuing anyway";
+ // Continue on, but the space in Keystore used by the old key won't be freed.
}
return true;
}
@@ -276,20 +234,20 @@
static void DeferredCommitKeys() {
android::base::WaitForProperty("vold.checkpoint_committed", "1");
LOG(INFO) << "Committing upgraded keys";
- Keymaster keymaster;
- if (!keymaster) {
- LOG(ERROR) << "Failed to open Keymaster; old keys won't be deleted from Keymaster";
- // Continue on, but the space in Keymaster used by the old keys won't be freed.
+ Keystore keystore;
+ if (!keystore) {
+ LOG(ERROR) << "Failed to open Keystore; old keys won't be deleted from Keystore";
+ // Continue on, but the space in Keystore used by the old keys won't be freed.
}
std::lock_guard<std::mutex> lock(key_upgrade_lock);
for (auto& dir : key_dirs_to_commit) {
LOG(INFO) << "Committing upgraded key " << dir;
- CommitUpgradedKey(keymaster, dir);
+ CommitUpgradedKey(keystore, dir);
}
key_dirs_to_commit.clear();
}
-// Returns true if the Keymaster key in |dir| has already been upgraded and is
+// Returns true if the Keystore key in |dir| has already been upgraded and is
// pending being committed. Assumes that key_upgrade_lock is held.
static bool IsKeyCommitPending(const std::string& dir) {
for (const auto& dir_to_commit : key_dirs_to_commit) {
@@ -298,8 +256,9 @@
return false;
}
-// Schedules the upgraded Keymaster key in |dir| to be committed later.
-// Assumes that key_upgrade_lock is held.
+// Schedules the upgraded Keystore key in |dir| to be committed later. Assumes
+// that key_upgrade_lock is held and that a commit isn't already pending for the
+// directory.
static void ScheduleKeyCommit(const std::string& dir) {
if (key_dirs_to_commit.empty()) std::thread(DeferredCommitKeys).detach();
key_dirs_to_commit.push_back(dir);
@@ -317,19 +276,41 @@
}
}
+bool RenameKeyDir(const std::string& old_name, const std::string& new_name) {
+ std::lock_guard<std::mutex> lock(key_upgrade_lock);
+
+ // Find the entry in key_dirs_to_commit (if any) for this directory so that
+ // we can update it if the rename succeeds. We don't allow duplicates in
+ // this list, so there can be at most one such entry.
+ auto it = key_dirs_to_commit.begin();
+ for (; it != key_dirs_to_commit.end(); it++) {
+ if (IsSameFile(old_name, *it)) break;
+ }
+
+ if (rename(old_name.c_str(), new_name.c_str()) != 0) {
+ PLOG(ERROR) << "Failed to rename key directory \"" << old_name << "\" to \"" << new_name
+ << "\"";
+ return false;
+ }
+
+ if (it != key_dirs_to_commit.end()) *it = new_name;
+
+ return true;
+}
+
// Deletes a leftover upgraded key, if present. An upgraded key can be left
// over if an update failed, or if we rebooted before committing the key in a
// freak accident. Either way, we can re-upgrade the key if we need to.
-static void DeleteUpgradedKey(Keymaster& keymaster, const std::string& path) {
+static void DeleteUpgradedKey(Keystore& keystore, const std::string& path) {
if (pathExists(path)) {
LOG(DEBUG) << "Deleting leftover upgraded key " << path;
std::string blob;
if (!android::base::ReadFileToString(path, &blob)) {
LOG(WARNING) << "Failed to read leftover upgraded key " << path
<< "; continuing anyway";
- } else if (!keymaster.deleteKey(blob)) {
+ } else if (!keystore.deleteKey(blob)) {
LOG(WARNING) << "Failed to delete leftover upgraded key " << path
- << " from Keymaster; continuing anyway";
+ << " from Keystore; continuing anyway";
}
if (unlink(path.c_str()) != 0) {
LOG(WARNING) << "Failed to unlink leftover upgraded key " << path
@@ -338,13 +319,11 @@
}
}
-// Begins a Keymaster operation using the key stored in |dir|.
-static KeymasterOperation BeginKeymasterOp(Keymaster& keymaster, const std::string& dir,
- km::KeyPurpose purpose,
- const km::AuthorizationSet& keyParams,
- const km::AuthorizationSet& opParams,
- const km::HardwareAuthToken& authToken,
- km::AuthorizationSet* outParams) {
+// Begins a Keystore operation using the key stored in |dir|.
+static KeystoreOperation BeginKeystoreOp(Keystore& keystore, const std::string& dir,
+ const km::AuthorizationSet& keyParams,
+ const km::AuthorizationSet& opParams,
+ km::AuthorizationSet* outParams) {
km::AuthorizationSet inParams(keyParams);
inParams.append(opParams.begin(), opParams.end());
@@ -359,53 +338,52 @@
LOG(DEBUG)
<< blob_file
<< " was already upgraded and is waiting to be committed; using the upgraded blob";
- if (!readFileToString(upgraded_blob_file, &blob)) return KeymasterOperation();
+ if (!readFileToString(upgraded_blob_file, &blob)) return KeystoreOperation();
} else {
- DeleteUpgradedKey(keymaster, upgraded_blob_file);
- if (!readFileToString(blob_file, &blob)) return KeymasterOperation();
+ DeleteUpgradedKey(keystore, upgraded_blob_file);
+ if (!readFileToString(blob_file, &blob)) return KeystoreOperation();
}
- auto opHandle = keymaster.begin(purpose, blob, inParams, authToken, outParams);
- if (opHandle) return opHandle;
- if (opHandle.errorCode() != km::ErrorCode::KEY_REQUIRES_UPGRADE) return opHandle;
+ auto opHandle = keystore.begin(blob, inParams, outParams);
+ if (!opHandle) return opHandle;
+
+ // If key blob wasn't upgraded, nothing left to do.
+ if (!opHandle.getUpgradedBlob()) return opHandle;
if (already_upgraded) {
LOG(ERROR) << "Unexpected case; already-upgraded key " << upgraded_blob_file
<< " still requires upgrade";
- return KeymasterOperation();
+ return KeystoreOperation();
}
LOG(INFO) << "Upgrading key: " << blob_file;
- if (!keymaster.upgradeKey(blob, keyParams, &blob)) return KeymasterOperation();
- if (!writeStringToFile(blob, upgraded_blob_file)) return KeymasterOperation();
+ if (!writeStringToFile(*opHandle.getUpgradedBlob(), upgraded_blob_file))
+ return KeystoreOperation();
if (cp_needsCheckpoint()) {
LOG(INFO) << "Wrote upgraded key to " << upgraded_blob_file
<< "; delaying commit due to checkpoint";
ScheduleKeyCommit(dir);
} else {
- if (!CommitUpgradedKey(keymaster, dir)) return KeymasterOperation();
+ if (!CommitUpgradedKey(keystore, dir)) return KeystoreOperation();
LOG(INFO) << "Key upgraded: " << blob_file;
}
-
- return keymaster.begin(purpose, blob, inParams, authToken, outParams);
+ return opHandle;
}
-static bool encryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
- const km::AuthorizationSet& keyParams,
- const km::HardwareAuthToken& authToken,
- const KeyBuffer& message, std::string* ciphertext) {
- km::AuthorizationSet opParams;
+static bool encryptWithKeystoreKey(Keystore& keystore, const std::string& dir,
+ const km::AuthorizationSet& keyParams, const KeyBuffer& message,
+ std::string* ciphertext) {
+ km::AuthorizationSet opParams =
+ km::AuthorizationSetBuilder().Authorization(km::TAG_PURPOSE, km::KeyPurpose::ENCRYPT);
km::AuthorizationSet outParams;
- auto opHandle = BeginKeymasterOp(keymaster, dir, km::KeyPurpose::ENCRYPT, keyParams, opParams,
- authToken, &outParams);
+ auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, &outParams);
if (!opHandle) return false;
auto nonceBlob = outParams.GetTagValue(km::TAG_NONCE);
- if (!nonceBlob.isOk()) {
+ if (!nonceBlob) {
LOG(ERROR) << "GCM encryption but no nonce generated";
return false;
}
// nonceBlob here is just a pointer into existing data, must not be freed
- std::string nonce(reinterpret_cast<const char*>(&nonceBlob.value()[0]),
- nonceBlob.value().size());
+ std::string nonce(nonceBlob.value().get().begin(), nonceBlob.value().get().end());
if (!checkSize("nonce", nonce.size(), GCM_NONCE_BYTES)) return false;
std::string body;
if (!opHandle.updateCompletely(message, &body)) return false;
@@ -417,78 +395,24 @@
return true;
}
-static bool decryptWithKeymasterKey(Keymaster& keymaster, const std::string& dir,
- const km::AuthorizationSet& keyParams,
- const km::HardwareAuthToken& authToken,
- const std::string& ciphertext, KeyBuffer* message) {
- auto nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
+static bool decryptWithKeystoreKey(Keystore& keystore, const std::string& dir,
+ const km::AuthorizationSet& keyParams,
+ const std::string& ciphertext, KeyBuffer* message) {
+ const std::string nonce = ciphertext.substr(0, GCM_NONCE_BYTES);
auto bodyAndMac = ciphertext.substr(GCM_NONCE_BYTES);
- auto opParams = km::AuthorizationSetBuilder().Authorization(km::TAG_NONCE,
- km::support::blob2hidlVec(nonce));
- auto opHandle = BeginKeymasterOp(keymaster, dir, km::KeyPurpose::DECRYPT, keyParams, opParams,
- authToken, nullptr);
+ auto opParams = km::AuthorizationSetBuilder()
+ .Authorization(km::TAG_NONCE, nonce)
+ .Authorization(km::TAG_PURPOSE, km::KeyPurpose::DECRYPT);
+ auto opHandle = BeginKeystoreOp(keystore, dir, keyParams, opParams, nullptr);
if (!opHandle) return false;
if (!opHandle.updateCompletely(bodyAndMac, message)) return false;
if (!opHandle.finish(nullptr)) return false;
return true;
}
-static std::string getStretching(const KeyAuthentication& auth) {
- if (!auth.usesKeymaster()) {
- return kStretch_none;
- } else if (auth.secret.empty()) {
- return kStretch_nopassword;
- } else {
- char paramstr[PROPERTY_VALUE_MAX];
-
- property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
- return std::string() + kStretchPrefix_scrypt + paramstr;
- }
-}
-
-static bool stretchingNeedsSalt(const std::string& stretching) {
- return stretching != kStretch_nopassword && stretching != kStretch_none;
-}
-
-static bool stretchSecret(const std::string& stretching, const std::string& secret,
- const std::string& salt, std::string* stretched) {
- if (stretching == kStretch_nopassword) {
- if (!secret.empty()) {
- LOG(WARNING) << "Password present but stretching is nopassword";
- // Continue anyway
- }
- stretched->clear();
- } else if (stretching == kStretch_none) {
- *stretched = secret;
- } else if (std::equal(kStretchPrefix_scrypt.begin(), kStretchPrefix_scrypt.end(),
- stretching.begin())) {
- int Nf, rf, pf;
- if (!parse_scrypt_parameters(stretching.substr(kStretchPrefix_scrypt.size()).c_str(), &Nf,
- &rf, &pf)) {
- LOG(ERROR) << "Unable to parse scrypt params in stretching: " << stretching;
- return false;
- }
- stretched->assign(STRETCHED_BYTES, '\0');
- if (crypto_scrypt(reinterpret_cast<const uint8_t*>(secret.data()), secret.size(),
- reinterpret_cast<const uint8_t*>(salt.data()), salt.size(), 1 << Nf,
- 1 << rf, 1 << pf, reinterpret_cast<uint8_t*>(&(*stretched)[0]),
- stretched->size()) != 0) {
- LOG(ERROR) << "scrypt failed with params: " << stretching;
- return false;
- }
- } else {
- LOG(ERROR) << "Unknown stretching type: " << stretching;
- return false;
- }
- return true;
-}
-
-static bool generateAppId(const KeyAuthentication& auth, const std::string& stretching,
- const std::string& salt, const std::string& secdiscardable_hash,
- std::string* appId) {
- std::string stretched;
- if (!stretchSecret(stretching, auth.secret, salt, &stretched)) return false;
- *appId = secdiscardable_hash + stretched;
+static std::string generateAppId(const KeyAuthentication& auth,
+ const std::string& secdiscardable_hash) {
+ std::string appId = secdiscardable_hash + auth.secret;
const std::lock_guard<std::mutex> scope_lock(storage_binding_info.guard);
switch (storage_binding_info.state) {
@@ -496,22 +420,21 @@
storage_binding_info.state = StorageBindingInfo::State::NOT_USED;
break;
case StorageBindingInfo::State::IN_USE:
- appId->append(storage_binding_info.seed.begin(), storage_binding_info.seed.end());
+ appId.append(storage_binding_info.seed.begin(), storage_binding_info.seed.end());
break;
case StorageBindingInfo::State::NOT_USED:
// noop
break;
}
-
- return true;
+ return appId;
}
static void logOpensslError() {
LOG(ERROR) << "Openssl error: " << ERR_get_error();
}
-static bool encryptWithoutKeymaster(const std::string& preKey, const KeyBuffer& plaintext,
- std::string* ciphertext) {
+static bool encryptWithoutKeystore(const std::string& preKey, const KeyBuffer& plaintext,
+ std::string* ciphertext) {
std::string key;
hashWithPrefix(kHashPrefix_keygen, preKey, &key);
key.resize(AES_KEY_BYTES);
@@ -560,8 +483,8 @@
return true;
}
-static bool decryptWithoutKeymaster(const std::string& preKey, const std::string& ciphertext,
- KeyBuffer* plaintext) {
+static bool decryptWithoutKeystore(const std::string& preKey, const std::string& ciphertext,
+ KeyBuffer* plaintext) {
if (ciphertext.size() < GCM_NONCE_BYTES + GCM_MAC_BYTES) {
LOG(ERROR) << "GCM ciphertext too small: " << ciphertext.size();
return false;
@@ -612,40 +535,42 @@
return true;
}
-bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
+// Creates a directory at the given path |dir| and stores |key| in it, in such a
+// way that it can only be retrieved via Keystore (if no secret is given in
+// |auth|) or with the given secret (if a secret is given in |auth|). In the
+// former case, an attempt is made to make the key securely deletable. In the
+// latter case, secure deletion is expected to be handled at a higher level.
+//
+// If a storage binding seed has been set, then the storage binding seed will be
+// required to retrieve the key as well.
+static bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key) {
if (TEMP_FAILURE_RETRY(mkdir(dir.c_str(), 0700)) == -1) {
PLOG(ERROR) << "key mkdir " << dir;
return false;
}
if (!writeStringToFile(kCurrentVersion, dir + "/" + kFn_version)) return false;
std::string secdiscardable_hash;
- if (!createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
- std::string stretching = getStretching(auth);
- if (!writeStringToFile(stretching, dir + "/" + kFn_stretching)) return false;
- std::string salt;
- if (stretchingNeedsSalt(stretching)) {
- if (ReadRandomBytes(SALT_BYTES, salt) != OK) {
- LOG(ERROR) << "Random read failed";
+ if (auth.usesKeystore() &&
+ !createSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash))
+ return false;
+ std::string appId = generateAppId(auth, secdiscardable_hash);
+ std::string encryptedKey;
+ if (auth.usesKeystore()) {
+ Keystore keystore;
+ if (!keystore) return false;
+ std::string ksKey;
+ if (!generateKeyStorageKey(keystore, appId, &ksKey)) return false;
+ if (!writeStringToFile(ksKey, dir + "/" + kFn_keymaster_key_blob)) return false;
+ km::AuthorizationSet keyParams = beginParams(appId);
+ if (!encryptWithKeystoreKey(keystore, dir, keyParams, key, &encryptedKey)) {
+ LOG(ERROR) << "encryptWithKeystoreKey failed";
return false;
}
- if (!writeStringToFile(salt, dir + "/" + kFn_salt)) return false;
- }
- std::string appId;
- if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
- std::string encryptedKey;
- if (auth.usesKeymaster()) {
- Keymaster keymaster;
- if (!keymaster) return false;
- std::string kmKey;
- if (!generateKeyStorageKey(keymaster, auth, appId, &kmKey)) return false;
- if (!writeStringToFile(kmKey, dir + "/" + kFn_keymaster_key_blob)) return false;
- km::AuthorizationSet keyParams;
- km::HardwareAuthToken authToken;
- std::tie(keyParams, authToken) = beginParams(auth, appId);
- if (!encryptWithKeymasterKey(keymaster, dir, keyParams, authToken, key, &encryptedKey))
- return false;
} else {
- if (!encryptWithoutKeymaster(appId, key, &encryptedKey)) return false;
+ if (!encryptWithoutKeystore(appId, key, &encryptedKey)) {
+ LOG(ERROR) << "encryptWithoutKeystore failed";
+ return false;
+ }
}
if (!writeStringToFile(encryptedKey, dir + "/" + kFn_encrypted_key)) return false;
if (!FsyncDirectory(dir)) return false;
@@ -663,10 +588,9 @@
destroyKey(tmp_path); // May be partially created so ignore errors
}
if (!storeKey(tmp_path, auth, key)) return false;
- if (rename(tmp_path.c_str(), key_path.c_str()) != 0) {
- PLOG(ERROR) << "Unable to move new key to location: " << key_path;
- return false;
- }
+
+ if (!RenameKeyDir(tmp_path, key_path)) return false;
+
if (!FsyncParentDirectory(key_path)) return false;
LOG(DEBUG) << "Created key: " << key_path;
return true;
@@ -681,37 +605,33 @@
}
std::string secdiscardable_hash;
if (!readSecdiscardable(dir + "/" + kFn_secdiscardable, &secdiscardable_hash)) return false;
- std::string stretching;
- if (!readFileToString(dir + "/" + kFn_stretching, &stretching)) return false;
- std::string salt;
- if (stretchingNeedsSalt(stretching)) {
- if (!readFileToString(dir + "/" + kFn_salt, &salt)) return false;
- }
- std::string appId;
- if (!generateAppId(auth, stretching, salt, secdiscardable_hash, &appId)) return false;
+ std::string appId = generateAppId(auth, secdiscardable_hash);
std::string encryptedMessage;
if (!readFileToString(dir + "/" + kFn_encrypted_key, &encryptedMessage)) return false;
- if (auth.usesKeymaster()) {
- Keymaster keymaster;
- if (!keymaster) return false;
- km::AuthorizationSet keyParams;
- km::HardwareAuthToken authToken;
- std::tie(keyParams, authToken) = beginParams(auth, appId);
- if (!decryptWithKeymasterKey(keymaster, dir, keyParams, authToken, encryptedMessage, key))
+ if (auth.usesKeystore()) {
+ Keystore keystore;
+ if (!keystore) return false;
+ km::AuthorizationSet keyParams = beginParams(appId);
+ if (!decryptWithKeystoreKey(keystore, dir, keyParams, encryptedMessage, key)) {
+ LOG(ERROR) << "decryptWithKeystoreKey failed";
return false;
+ }
} else {
- if (!decryptWithoutKeymaster(appId, encryptedMessage, key)) return false;
+ if (!decryptWithoutKeystore(appId, encryptedMessage, key)) {
+ LOG(ERROR) << "decryptWithoutKeystore failed";
+ return false;
+ }
}
return true;
}
-static bool DeleteKeymasterKey(const std::string& blob_file) {
+static bool DeleteKeystoreKey(const std::string& blob_file) {
std::string blob;
if (!readFileToString(blob_file, &blob)) return false;
- Keymaster keymaster;
- if (!keymaster) return false;
- LOG(DEBUG) << "Deleting key " << blob_file << " from Keymaster";
- if (!keymaster.deleteKey(blob)) return false;
+ Keystore keystore;
+ if (!keystore) return false;
+ LOG(DEBUG) << "Deleting key " << blob_file << " from Keystore";
+ if (!keystore.deleteKey(blob)) return false;
return true;
}
@@ -740,14 +660,17 @@
kSecdiscardPath,
"--",
dir + "/" + kFn_encrypted_key,
- dir + "/" + kFn_secdiscardable,
};
+ auto secdiscardable = dir + "/" + kFn_secdiscardable;
+ if (pathExists(secdiscardable)) {
+ secdiscard_cmd.push_back(secdiscardable);
+ }
// Try each thing, even if previous things failed.
for (auto& fn : {kFn_keymaster_key_blob, kFn_keymaster_key_blob_upgraded}) {
auto blob_file = dir + "/" + fn;
if (pathExists(blob_file)) {
- success &= DeleteKeymasterKey(blob_file);
+ success &= DeleteKeystoreKey(blob_file);
secdiscard_cmd.push_back(blob_file);
}
}
@@ -765,6 +688,7 @@
case StorageBindingInfo::State::UNINITIALIZED:
storage_binding_info.state = StorageBindingInfo::State::IN_USE;
storage_binding_info.seed = seed;
+ android::base::SetProperty("vold.storage_seed_bound", "1");
return true;
case StorageBindingInfo::State::IN_USE:
LOG(ERROR) << "key storage binding seed already set";
diff --git a/KeyStorage.h b/KeyStorage.h
index 5fded41..cc2f549 100644
--- a/KeyStorage.h
+++ b/KeyStorage.h
@@ -27,17 +27,12 @@
namespace vold {
// Represents the information needed to decrypt a disk encryption key.
-// If "token" is nonempty, it is passed in as a required Gatekeeper auth token.
-// If "token" and "secret" are nonempty, "secret" is appended to the application-specific
-// binary needed to unlock.
-// If only "secret" is nonempty, it is used to decrypt in a non-Keymaster process.
class KeyAuthentication {
public:
- KeyAuthentication(const std::string& t, const std::string& s) : token{t}, secret{s} {};
+ KeyAuthentication(const std::string& s) : secret{s} {};
- bool usesKeymaster() const { return !token.empty() || secret.empty(); };
+ bool usesKeystore() const { return secret.empty(); };
- const std::string token;
const std::string secret;
};
@@ -46,11 +41,9 @@
bool createSecdiscardable(const std::string& path, std::string* hash);
bool readSecdiscardable(const std::string& path, std::string* hash);
-// Create a directory at the named path, and store "key" in it,
-// in such a way that it can only be retrieved via Keymaster and
-// can be securely deleted.
-// It's safe to move/rename the directory after creation.
-bool storeKey(const std::string& dir, const KeyAuthentication& auth, const KeyBuffer& key);
+// Renames a key directory while also managing deferred commits appropriately.
+// This method should be used whenever a key directory needs to be moved/renamed.
+bool RenameKeyDir(const std::string& old_name, const std::string& new_name);
// Create a directory at the named path, and store "key" in it as storeKey
// This version creates the key in "tmp_path" then atomically renames "tmp_path"
@@ -68,10 +61,10 @@
bool runSecdiscardSingle(const std::string& file);
-// Generate wrapped storage key using keymaster. Uses STORAGE_KEY tag in keymaster.
+// Generate wrapped storage key using keystore. Uses STORAGE_KEY tag in keystore.
bool generateWrappedStorageKey(KeyBuffer* key);
-// Export the per-boot boot wrapped storage key using keymaster.
-bool exportWrappedStorageKey(const KeyBuffer& kmKey, KeyBuffer* key);
+// Export the per-boot boot wrapped storage key using keystore.
+bool exportWrappedStorageKey(const KeyBuffer& ksKey, KeyBuffer* key);
// Set a seed to be mixed into all key storage encryption keys.
bool setKeyStorageBindingSeed(const std::vector<uint8_t>& seed);
diff --git a/KeyUtil.cpp b/KeyUtil.cpp
index 886054e..395b6b3 100644
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@@ -19,6 +19,7 @@
#include <iomanip>
#include <sstream>
#include <string>
+#include <thread>
#include <fcntl.h>
#include <linux/fscrypt.h>
@@ -36,6 +37,13 @@
namespace android {
namespace vold {
+using android::fscrypt::EncryptionOptions;
+using android::fscrypt::EncryptionPolicy;
+
+// This must be acquired before calling fscrypt ioctls that operate on keys.
+// This prevents race conditions between evicting and reinstalling keys.
+static std::mutex fscrypt_keyring_mutex;
+
const KeyGeneration neverGen() {
return KeyGeneration{0, false, false};
}
@@ -51,7 +59,10 @@
}
bool generateStorageKey(const KeyGeneration& gen, KeyBuffer* key) {
- if (!gen.allow_gen) return false;
+ if (!gen.allow_gen) {
+ LOG(ERROR) << "Generating storage key not allowed";
+ return false;
+ }
if (gen.use_hw_wrapped_key) {
if (gen.keysize != FSCRYPT_MAX_KEY_SIZE) {
LOG(ERROR) << "Cannot generate a wrapped key " << gen.keysize << " bytes long";
@@ -261,6 +272,7 @@
bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
const KeyBuffer& key, EncryptionPolicy* policy) {
+ const std::lock_guard<std::mutex> lock(fscrypt_keyring_mutex);
policy->options = options;
// Put the fscrypt_add_key_arg in an automatically-zeroing buffer, since we
// have to copy the raw key into it.
@@ -354,7 +366,66 @@
return true;
}
+static void waitForBusyFiles(const struct fscrypt_key_specifier key_spec, const std::string ref,
+ const std::string mountpoint) {
+ android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
+ if (fd == -1) {
+ PLOG(ERROR) << "Failed to open " << mountpoint << " to evict key";
+ return;
+ }
+
+ std::chrono::milliseconds wait_time(3200);
+ std::chrono::milliseconds total_wait_time(0);
+ while (wait_time <= std::chrono::milliseconds(51200)) {
+ total_wait_time += wait_time;
+ std::this_thread::sleep_for(wait_time);
+
+ const std::lock_guard<std::mutex> lock(fscrypt_keyring_mutex);
+
+ struct fscrypt_get_key_status_arg get_arg;
+ memset(&get_arg, 0, sizeof(get_arg));
+ get_arg.key_spec = key_spec;
+
+ if (ioctl(fd, FS_IOC_GET_ENCRYPTION_KEY_STATUS, &get_arg) != 0) {
+ PLOG(ERROR) << "Failed to get status for fscrypt key with ref " << ref << " from "
+ << mountpoint;
+ return;
+ }
+ if (get_arg.status != FSCRYPT_KEY_STATUS_INCOMPLETELY_REMOVED) {
+ LOG(DEBUG) << "Key status changed, cancelling busy file cleanup for key with ref "
+ << ref << ".";
+ return;
+ }
+
+ struct fscrypt_remove_key_arg remove_arg;
+ memset(&remove_arg, 0, sizeof(remove_arg));
+ remove_arg.key_spec = key_spec;
+
+ if (ioctl(fd, FS_IOC_REMOVE_ENCRYPTION_KEY, &remove_arg) != 0) {
+ PLOG(ERROR) << "Failed to clean up busy files for fscrypt key with ref " << ref
+ << " from " << mountpoint;
+ return;
+ }
+ if (remove_arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_OTHER_USERS) {
+ // Should never happen because keys are only added/removed as root.
+ LOG(ERROR) << "Unexpected case: key with ref " << ref
+ << " is still added by other users!";
+ } else if (!(remove_arg.removal_status_flags &
+ FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY)) {
+ LOG(INFO) << "Successfully cleaned up busy files for key with ref " << ref
+ << ". After waiting " << total_wait_time.count() << "ms.";
+ return;
+ }
+ LOG(WARNING) << "Files still open after waiting " << total_wait_time.count()
+ << "ms. Key with ref " << ref << " still has unlocked files!";
+ wait_time *= 2;
+ }
+ LOG(ERROR) << "Waiting for files to close never completed. Files using key with ref " << ref
+ << " were not locked!";
+}
+
bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy) {
+ const std::lock_guard<std::mutex> lock(fscrypt_keyring_mutex);
if (policy.options.version == 1 && !isFsKeyringSupported()) {
return evictKeyLegacy(policy.key_raw_ref);
}
@@ -384,8 +455,14 @@
// Should never happen because keys are only added/removed as root.
LOG(ERROR) << "Unexpected case: key with ref " << ref << " is still added by other users!";
} else if (arg.removal_status_flags & FSCRYPT_KEY_REMOVAL_STATUS_FLAG_FILES_BUSY) {
- LOG(ERROR) << "Files still open after removing key with ref " << ref
- << ". These files were not locked!";
+ LOG(WARNING)
+ << "Files still open after removing key with ref " << ref
+ << ". These files were not locked! Punting busy file clean up to worker thread.";
+ // Processes are killed asynchronously in ActivityManagerService due to performance issues
+ // with synchronous kills. If there were busy files they will probably be killed soon. Wait
+ // for them asynchronously.
+ std::thread busyFilesThread(waitForBusyFiles, arg.key_spec, ref, mountpoint);
+ busyFilesThread.detach();
}
if (!evictProvisioningKey(ref)) return false;
diff --git a/KeyUtil.h b/KeyUtil.h
index 73255a3..5940b8a 100644
--- a/KeyUtil.h
+++ b/KeyUtil.h
@@ -28,8 +28,6 @@
namespace android {
namespace vold {
-using namespace android::fscrypt;
-
// Description of how to generate a key when needed.
struct KeyGeneration {
size_t keysize;
@@ -63,8 +61,8 @@
//
// Returns %true on success, %false on failure. On success also sets *policy
// to the EncryptionPolicy used to refer to this key.
-bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
- const KeyBuffer& key, EncryptionPolicy* policy);
+bool installKey(const std::string& mountpoint, const android::fscrypt::EncryptionOptions& options,
+ const KeyBuffer& key, android::fscrypt::EncryptionPolicy* policy);
// Evict a file-based encryption key from the kernel.
//
@@ -72,7 +70,7 @@
//
// If the kernel doesn't support the filesystem-level keyring, the caller is
// responsible for dropping caches.
-bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy);
+bool evictKey(const std::string& mountpoint, const android::fscrypt::EncryptionPolicy& policy);
// Retrieves the key from the named directory, or generates it if it doesn't
// exist.
@@ -82,7 +80,8 @@
// Re-installs a file-based encryption key of fscrypt-provisioning type from the
// global session keyring back into fs keyring of the mountpoint.
-bool reloadKeyFromSessionKeyring(const std::string& mountpoint, const EncryptionPolicy& policy);
+bool reloadKeyFromSessionKeyring(const std::string& mountpoint,
+ const android::fscrypt::EncryptionPolicy& policy);
} // namespace vold
} // namespace android
diff --git a/Keymaster.cpp b/Keymaster.cpp
deleted file mode 100644
index 786cdb5..0000000
--- a/Keymaster.cpp
+++ /dev/null
@@ -1,384 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "Keymaster.h"
-
-#include <android-base/logging.h>
-#include <keymasterV4_1/authorization_set.h>
-#include <keymasterV4_1/keymaster_utils.h>
-
-namespace android {
-namespace vold {
-
-using ::android::hardware::hidl_string;
-using ::android::hardware::hidl_vec;
-using ::android::hardware::keymaster::V4_0::SecurityLevel;
-
-KeymasterOperation::~KeymasterOperation() {
- if (mDevice) mDevice->abort(mOpHandle);
-}
-
-bool KeymasterOperation::updateCompletely(const char* input, size_t inputLen,
- const std::function<void(const char*, size_t)> consumer) {
- uint32_t inputConsumed = 0;
-
- km::ErrorCode km_error;
- auto hidlCB = [&](km::ErrorCode ret, uint32_t inputConsumedDelta,
- const hidl_vec<km::KeyParameter>& /*ignored*/,
- const hidl_vec<uint8_t>& _output) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- inputConsumed += inputConsumedDelta;
- consumer(reinterpret_cast<const char*>(&_output[0]), _output.size());
- };
-
- while (inputConsumed != inputLen) {
- size_t toRead = static_cast<size_t>(inputLen - inputConsumed);
- auto inputBlob = km::support::blob2hidlVec(
- reinterpret_cast<const uint8_t*>(&input[inputConsumed]), toRead);
- auto error = mDevice->update(mOpHandle, hidl_vec<km::KeyParameter>(), inputBlob,
- km::HardwareAuthToken(), km::VerificationToken(), hidlCB);
- if (!error.isOk()) {
- LOG(ERROR) << "update failed: " << error.description();
- mDevice = nullptr;
- return false;
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "update failed, code " << int32_t(km_error);
- mDevice = nullptr;
- return false;
- }
- if (inputConsumed > inputLen) {
- LOG(ERROR) << "update reported too much input consumed";
- mDevice = nullptr;
- return false;
- }
- }
- return true;
-}
-
-bool KeymasterOperation::finish(std::string* output) {
- km::ErrorCode km_error;
- auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<km::KeyParameter>& /*ignored*/,
- const hidl_vec<uint8_t>& _output) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- if (output) output->assign(reinterpret_cast<const char*>(&_output[0]), _output.size());
- };
- auto error = mDevice->finish(mOpHandle, hidl_vec<km::KeyParameter>(), hidl_vec<uint8_t>(),
- hidl_vec<uint8_t>(), km::HardwareAuthToken(),
- km::VerificationToken(), hidlCb);
- mDevice = nullptr;
- if (!error.isOk()) {
- LOG(ERROR) << "finish failed: " << error.description();
- return false;
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "finish failed, code " << int32_t(km_error);
- return false;
- }
- return true;
-}
-
-/* static */ bool Keymaster::hmacKeyGenerated = false;
-
-Keymaster::Keymaster() {
- auto devices = KmDevice::enumerateAvailableDevices();
- if (!hmacKeyGenerated) {
- KmDevice::performHmacKeyAgreement(devices);
- hmacKeyGenerated = true;
- }
- for (auto& dev : devices) {
- // Do not use StrongBox for device encryption / credential encryption. If a security chip
- // is present it will have Weaver, which already strengthens CE. We get no additional
- // benefit from using StrongBox here, so skip it.
- if (dev->halVersion().securityLevel != SecurityLevel::STRONGBOX) {
- mDevice = std::move(dev);
- break;
- }
- }
- if (!mDevice) return;
- auto& version = mDevice->halVersion();
- LOG(INFO) << "Using " << version.keymasterName << " from " << version.authorName
- << " for encryption. Security level: " << toString(version.securityLevel)
- << ", HAL: " << mDevice->descriptor() << "/" << mDevice->instanceName();
-}
-
-bool Keymaster::generateKey(const km::AuthorizationSet& inParams, std::string* key) {
- km::ErrorCode km_error;
- auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<uint8_t>& keyBlob,
- const km::KeyCharacteristics& /*ignored*/) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- if (key) key->assign(reinterpret_cast<const char*>(&keyBlob[0]), keyBlob.size());
- };
-
- auto error = mDevice->generateKey(inParams.hidl_data(), hidlCb);
- if (!error.isOk()) {
- LOG(ERROR) << "generate_key failed: " << error.description();
- return false;
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "generate_key failed, code " << int32_t(km_error);
- return false;
- }
- return true;
-}
-
-bool Keymaster::exportKey(const KeyBuffer& kmKey, std::string* key) {
- auto kmKeyBlob = km::support::blob2hidlVec(std::string(kmKey.data(), kmKey.size()));
- km::ErrorCode km_error;
- auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<uint8_t>& exportedKeyBlob) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- if (key)
- key->assign(reinterpret_cast<const char*>(&exportedKeyBlob[0]), exportedKeyBlob.size());
- };
- auto error = mDevice->exportKey(km::KeyFormat::RAW, kmKeyBlob, {}, {}, hidlCb);
- if (!error.isOk()) {
- LOG(ERROR) << "export_key failed: " << error.description();
- return false;
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "export_key failed, code " << int32_t(km_error);
- return false;
- }
- return true;
-}
-
-bool Keymaster::deleteKey(const std::string& key) {
- auto keyBlob = km::support::blob2hidlVec(key);
- auto error = mDevice->deleteKey(keyBlob);
- if (!error.isOk()) {
- LOG(ERROR) << "delete_key failed: " << error.description();
- return false;
- }
- if (error != km::ErrorCode::OK) {
- LOG(ERROR) << "delete_key failed, code " << int32_t(km::ErrorCode(error));
- return false;
- }
- return true;
-}
-
-bool Keymaster::upgradeKey(const std::string& oldKey, const km::AuthorizationSet& inParams,
- std::string* newKey) {
- auto oldKeyBlob = km::support::blob2hidlVec(oldKey);
- km::ErrorCode km_error;
- auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<uint8_t>& upgradedKeyBlob) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- if (newKey)
- newKey->assign(reinterpret_cast<const char*>(&upgradedKeyBlob[0]),
- upgradedKeyBlob.size());
- };
- auto error = mDevice->upgradeKey(oldKeyBlob, inParams.hidl_data(), hidlCb);
- if (!error.isOk()) {
- LOG(ERROR) << "upgrade_key failed: " << error.description();
- return false;
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "upgrade_key failed, code " << int32_t(km_error);
- return false;
- }
- return true;
-}
-
-KeymasterOperation Keymaster::begin(km::KeyPurpose purpose, const std::string& key,
- const km::AuthorizationSet& inParams,
- const km::HardwareAuthToken& authToken,
- km::AuthorizationSet* outParams) {
- auto keyBlob = km::support::blob2hidlVec(key);
- uint64_t mOpHandle;
- km::ErrorCode km_error;
-
- auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<km::KeyParameter>& _outParams,
- uint64_t operationHandle) {
- km_error = ret;
- if (km_error != km::ErrorCode::OK) return;
- if (outParams) *outParams = _outParams;
- mOpHandle = operationHandle;
- };
-
- auto error = mDevice->begin(purpose, keyBlob, inParams.hidl_data(), authToken, hidlCb);
- if (!error.isOk()) {
- LOG(ERROR) << "begin failed: " << error.description();
- return KeymasterOperation(km::ErrorCode::UNKNOWN_ERROR);
- }
- if (km_error != km::ErrorCode::OK) {
- LOG(ERROR) << "begin failed, code " << int32_t(km_error);
- return KeymasterOperation(km_error);
- }
- return KeymasterOperation(mDevice.get(), mOpHandle);
-}
-
-bool Keymaster::isSecure() {
- return mDevice->halVersion().securityLevel != km::SecurityLevel::SOFTWARE;
-}
-
-void Keymaster::earlyBootEnded() {
- auto devices = KmDevice::enumerateAvailableDevices();
- for (auto& dev : devices) {
- auto error = dev->earlyBootEnded();
- if (!error.isOk()) {
- LOG(ERROR) << "earlyBootEnded call failed: " << error.description() << " for "
- << dev->halVersion().keymasterName;
- }
- km::V4_1_ErrorCode km_error = error;
- if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) {
- LOG(ERROR) << "Error reporting early boot ending to keymaster: "
- << static_cast<int32_t>(km_error) << " for "
- << dev->halVersion().keymasterName;
- }
- }
-}
-
-} // namespace vold
-} // namespace android
-
-using namespace ::android::vold;
-
-int keymaster_compatibility_cryptfs_scrypt() {
- Keymaster dev;
- if (!dev) {
- LOG(ERROR) << "Failed to initiate keymaster session";
- return -1;
- }
- return dev.isSecure();
-}
-
-static bool write_string_to_buf(const std::string& towrite, uint8_t* buffer, uint32_t buffer_size,
- uint32_t* out_size) {
- if (!buffer || !out_size) {
- LOG(ERROR) << "Missing target pointers";
- return false;
- }
- *out_size = towrite.size();
- if (buffer_size < towrite.size()) {
- LOG(ERROR) << "Buffer too small " << buffer_size << " < " << towrite.size();
- return false;
- }
- memset(buffer, '\0', buffer_size);
- std::copy(towrite.begin(), towrite.end(), buffer);
- return true;
-}
-
-static km::AuthorizationSet keyParams(uint32_t rsa_key_size, uint64_t rsa_exponent,
- uint32_t ratelimit) {
- return km::AuthorizationSetBuilder()
- .RsaSigningKey(rsa_key_size, rsa_exponent)
- .NoDigestOrPadding()
- .Authorization(km::TAG_BLOB_USAGE_REQUIREMENTS, km::KeyBlobUsageRequirements::STANDALONE)
- .Authorization(km::TAG_NO_AUTH_REQUIRED)
- .Authorization(km::TAG_MIN_SECONDS_BETWEEN_OPS, ratelimit);
-}
-
-int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
- uint32_t ratelimit, uint8_t* key_buffer,
- uint32_t key_buffer_size, uint32_t* key_out_size) {
- if (key_out_size) {
- *key_out_size = 0;
- }
- Keymaster dev;
- if (!dev) {
- LOG(ERROR) << "Failed to initiate keymaster session";
- return -1;
- }
- std::string key;
- if (!dev.generateKey(keyParams(rsa_key_size, rsa_exponent, ratelimit), &key)) return -1;
- if (!write_string_to_buf(key, key_buffer, key_buffer_size, key_out_size)) return -1;
- return 0;
-}
-
-int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
- uint32_t ratelimit, const uint8_t* key_blob,
- size_t key_blob_size, uint8_t* key_buffer,
- uint32_t key_buffer_size, uint32_t* key_out_size) {
- if (key_out_size) {
- *key_out_size = 0;
- }
- Keymaster dev;
- if (!dev) {
- LOG(ERROR) << "Failed to initiate keymaster session";
- return -1;
- }
- std::string old_key(reinterpret_cast<const char*>(key_blob), key_blob_size);
- std::string new_key;
- if (!dev.upgradeKey(old_key, keyParams(rsa_key_size, rsa_exponent, ratelimit), &new_key))
- return -1;
- if (!write_string_to_buf(new_key, key_buffer, key_buffer_size, key_out_size)) return -1;
- return 0;
-}
-
-KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
- const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
- const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size) {
- Keymaster dev;
- if (!dev) {
- LOG(ERROR) << "Failed to initiate keymaster session";
- return KeymasterSignResult::error;
- }
- if (!key_blob || !object || !signature_buffer || !signature_buffer_size) {
- LOG(ERROR) << __FILE__ << ":" << __LINE__ << ":Invalid argument";
- return KeymasterSignResult::error;
- }
-
- km::AuthorizationSet outParams;
- std::string key(reinterpret_cast<const char*>(key_blob), key_blob_size);
- std::string input(reinterpret_cast<const char*>(object), object_size);
- std::string output;
- KeymasterOperation op;
-
- auto paramBuilder = km::AuthorizationSetBuilder().NoDigestOrPadding();
- while (true) {
- op = dev.begin(km::KeyPurpose::SIGN, key, paramBuilder, km::HardwareAuthToken(), &outParams);
- if (op.errorCode() == km::ErrorCode::KEY_RATE_LIMIT_EXCEEDED) {
- sleep(ratelimit);
- continue;
- } else
- break;
- }
-
- if (op.errorCode() == km::ErrorCode::KEY_REQUIRES_UPGRADE) {
- LOG(ERROR) << "Keymaster key requires upgrade";
- return KeymasterSignResult::upgrade;
- }
-
- if (op.errorCode() != km::ErrorCode::OK) {
- LOG(ERROR) << "Error starting keymaster signature transaction: " << int32_t(op.errorCode());
- return KeymasterSignResult::error;
- }
-
- if (!op.updateCompletely(input, &output)) {
- LOG(ERROR) << "Error sending data to keymaster signature transaction: "
- << uint32_t(op.errorCode());
- return KeymasterSignResult::error;
- }
-
- if (!op.finish(&output)) {
- LOG(ERROR) << "Error finalizing keymaster signature transaction: "
- << int32_t(op.errorCode());
- return KeymasterSignResult::error;
- }
-
- *signature_buffer = reinterpret_cast<uint8_t*>(malloc(output.size()));
- if (*signature_buffer == nullptr) {
- LOG(ERROR) << "Error allocation buffer for keymaster signature";
- return KeymasterSignResult::error;
- }
- *signature_buffer_size = output.size();
- std::copy(output.data(), output.data() + output.size(), *signature_buffer);
- return KeymasterSignResult::ok;
-}
diff --git a/Keymaster.h b/Keymaster.h
deleted file mode 100644
index d9ced91..0000000
--- a/Keymaster.h
+++ /dev/null
@@ -1,177 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VOLD_KEYMASTER_H
-#define ANDROID_VOLD_KEYMASTER_H
-
-#include "KeyBuffer.h"
-
-#include <memory>
-#include <string>
-#include <utility>
-
-#include <android-base/macros.h>
-#include <keymasterV4_1/Keymaster.h>
-#include <keymasterV4_1/authorization_set.h>
-
-namespace android {
-namespace vold {
-
-namespace km {
-
-using namespace ::android::hardware::keymaster::V4_1;
-
-// Surprisingly -- to me, at least -- this is totally fine. You can re-define symbols that were
-// brought in via a using directive (the "using namespace") above. In general this seems like a
-// dangerous thing to rely on, but in this case its implications are simple and straightforward:
-// km::ErrorCode refers to the 4.0 ErrorCode, though we pull everything else from 4.1.
-using ErrorCode = ::android::hardware::keymaster::V4_0::ErrorCode;
-using V4_1_ErrorCode = ::android::hardware::keymaster::V4_1::ErrorCode;
-
-} // namespace km
-
-using KmDevice = km::support::Keymaster;
-
-// C++ wrappers to the Keymaster hidl interface.
-// This is tailored to the needs of KeyStorage, but could be extended to be
-// a more general interface.
-
-// Wrapper for a Keymaster operation handle representing an
-// ongoing Keymaster operation. Aborts the operation
-// in the destructor if it is unfinished. Methods log failures
-// to LOG(ERROR).
-class KeymasterOperation {
- public:
- ~KeymasterOperation();
- // Is this instance valid? This is false if creation fails, and becomes
- // false on finish or if an update fails.
- explicit operator bool() const { return mError == km::ErrorCode::OK; }
- km::ErrorCode errorCode() const { return mError; }
- // Call "update" repeatedly until all of the input is consumed, and
- // concatenate the output. Return true on success.
- template <class TI, class TO>
- bool updateCompletely(TI& input, TO* output) {
- if (output) output->clear();
- return updateCompletely(input.data(), input.size(), [&](const char* b, size_t n) {
- if (output) std::copy(b, b + n, std::back_inserter(*output));
- });
- }
-
- // Finish and write the output to this string, unless pointer is null.
- bool finish(std::string* output);
- // Move constructor
- KeymasterOperation(KeymasterOperation&& rhs) { *this = std::move(rhs); }
- // Construct an object in an error state for error returns
- KeymasterOperation() : mDevice{nullptr}, mOpHandle{0}, mError{km::ErrorCode::UNKNOWN_ERROR} {}
- // Move Assignment
- KeymasterOperation& operator=(KeymasterOperation&& rhs) {
- mDevice = rhs.mDevice;
- rhs.mDevice = nullptr;
-
- mOpHandle = rhs.mOpHandle;
- rhs.mOpHandle = 0;
-
- mError = rhs.mError;
- rhs.mError = km::ErrorCode::UNKNOWN_ERROR;
-
- return *this;
- }
-
- private:
- KeymasterOperation(KmDevice* d, uint64_t h)
- : mDevice{d}, mOpHandle{h}, mError{km::ErrorCode::OK} {}
- KeymasterOperation(km::ErrorCode error) : mDevice{nullptr}, mOpHandle{0}, mError{error} {}
-
- bool updateCompletely(const char* input, size_t inputLen,
- const std::function<void(const char*, size_t)> consumer);
-
- KmDevice* mDevice;
- uint64_t mOpHandle;
- km::ErrorCode mError;
- DISALLOW_COPY_AND_ASSIGN(KeymasterOperation);
- friend class Keymaster;
-};
-
-// Wrapper for a Keymaster device for methods that start a KeymasterOperation or are not
-// part of one.
-class Keymaster {
- public:
- Keymaster();
- // false if we failed to open the keymaster device.
- explicit operator bool() { return mDevice.get() != nullptr; }
- // Generate a key in the keymaster from the given params.
- bool generateKey(const km::AuthorizationSet& inParams, std::string* key);
- // Exports a keymaster key with STORAGE_KEY tag wrapped with a per-boot ephemeral key
- bool exportKey(const KeyBuffer& kmKey, std::string* key);
- // If the keymaster supports it, permanently delete a key.
- bool deleteKey(const std::string& key);
- // Replace stored key blob in response to KM_ERROR_KEY_REQUIRES_UPGRADE.
- bool upgradeKey(const std::string& oldKey, const km::AuthorizationSet& inParams,
- std::string* newKey);
- // Begin a new cryptographic operation, collecting output parameters if pointer is non-null
- KeymasterOperation begin(km::KeyPurpose purpose, const std::string& key,
- const km::AuthorizationSet& inParams,
- const km::HardwareAuthToken& authToken,
- km::AuthorizationSet* outParams);
- bool isSecure();
-
- // Tell all Keymaster instances that early boot has ended and early boot-only keys can no longer
- // be created or used.
- static void earlyBootEnded();
-
- private:
- sp<KmDevice> mDevice;
- DISALLOW_COPY_AND_ASSIGN(Keymaster);
- static bool hmacKeyGenerated;
-};
-
-} // namespace vold
-} // namespace android
-
-// FIXME no longer needed now cryptfs is in C++.
-
-/*
- * The following functions provide C bindings to keymaster services
- * needed by cryptfs scrypt. The compatibility check checks whether
- * the keymaster implementation is considered secure, i.e., TEE backed.
- * The create_key function generates an RSA key for signing.
- * The sign_object function signes an object with the given keymaster
- * key.
- */
-
-/* Return values for keymaster_sign_object_for_cryptfs_scrypt */
-
-enum class KeymasterSignResult {
- ok = 0,
- error = -1,
- upgrade = -2,
-};
-
-int keymaster_compatibility_cryptfs_scrypt();
-int keymaster_create_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
- uint32_t ratelimit, uint8_t* key_buffer,
- uint32_t key_buffer_size, uint32_t* key_out_size);
-
-int keymaster_upgrade_key_for_cryptfs_scrypt(uint32_t rsa_key_size, uint64_t rsa_exponent,
- uint32_t ratelimit, const uint8_t* key_blob,
- size_t key_blob_size, uint8_t* key_buffer,
- uint32_t key_buffer_size, uint32_t* key_out_size);
-
-KeymasterSignResult keymaster_sign_object_for_cryptfs_scrypt(
- const uint8_t* key_blob, size_t key_blob_size, uint32_t ratelimit, const uint8_t* object,
- const size_t object_size, uint8_t** signature_buffer, size_t* signature_buffer_size);
-
-#endif
diff --git a/Keystore.cpp b/Keystore.cpp
new file mode 100644
index 0000000..6040f2d
--- /dev/null
+++ b/Keystore.cpp
@@ -0,0 +1,253 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "Keystore.h"
+
+#include <android-base/logging.h>
+
+#include <aidl/android/hardware/security/keymint/SecurityLevel.h>
+#include <aidl/android/security/maintenance/IKeystoreMaintenance.h>
+#include <aidl/android/system/keystore2/Domain.h>
+#include <aidl/android/system/keystore2/EphemeralStorageKeyResponse.h>
+#include <aidl/android/system/keystore2/KeyDescriptor.h>
+
+// Keep these in sync with system/security/keystore2/src/keystore2_main.rs
+static constexpr const char keystore2_service_name[] =
+ "android.system.keystore2.IKeystoreService/default";
+static constexpr const char maintenance_service_name[] = "android.security.maintenance";
+
+/*
+ * Keep this in sync with the description for update() in
+ * system/hardware/interfaces/keystore2/aidl/android/system/keystore2/IKeystoreOperation.aidl
+ */
+static constexpr const size_t UPDATE_INPUT_MAX_SIZE = 32 * 1024; // 32 KiB
+
+// Keep this in sync with system/sepolicy/private/keystore2_key_contexts
+static constexpr const int VOLD_NAMESPACE = 100;
+
+namespace android {
+namespace vold {
+
+namespace ks2_maint = ::aidl::android::security::maintenance;
+
+KeystoreOperation::~KeystoreOperation() {
+ if (ks2Operation) ks2Operation->abort();
+}
+
+static void zeroize_vector(std::vector<uint8_t>& vec) {
+ memset_explicit(vec.data(), 0, vec.size());
+}
+
+static bool logKeystore2ExceptionIfPresent(::ndk::ScopedAStatus& rc, const std::string& func_name) {
+ if (rc.isOk()) return false;
+
+ auto exception_code = rc.getExceptionCode();
+ if (exception_code == EX_SERVICE_SPECIFIC) {
+ LOG(ERROR) << "keystore2 Keystore " << func_name
+ << " returned service specific error: " << rc.getServiceSpecificError();
+ } else {
+ LOG(ERROR) << "keystore2 Communication with Keystore " << func_name
+ << " failed error: " << exception_code;
+ }
+ return true;
+}
+
+bool KeystoreOperation::updateCompletely(const char* input, size_t inputLen,
+ const std::function<void(const char*, size_t)> consumer) {
+ if (!ks2Operation) return false;
+
+ while (inputLen != 0) {
+ size_t currLen = std::min(inputLen, UPDATE_INPUT_MAX_SIZE);
+ std::vector<uint8_t> input_vec(input, input + currLen);
+ inputLen -= currLen;
+ input += currLen;
+
+ std::optional<std::vector<uint8_t>> output;
+ auto rc = ks2Operation->update(input_vec, &output);
+ zeroize_vector(input_vec);
+ if (logKeystore2ExceptionIfPresent(rc, "update")) {
+ ks2Operation = nullptr;
+ return false;
+ }
+ if (output) consumer((const char*)output->data(), output->size());
+ }
+ return true;
+}
+
+bool KeystoreOperation::finish(std::string* output) {
+ std::optional<std::vector<uint8_t>> out_vec;
+
+ if (!ks2Operation) return false;
+
+ auto rc = ks2Operation->finish(std::nullopt, std::nullopt, &out_vec);
+ if (logKeystore2ExceptionIfPresent(rc, "finish")) {
+ ks2Operation = nullptr;
+ return false;
+ }
+
+ if (output) *output = std::string(out_vec->begin(), out_vec->end());
+
+ return true;
+}
+
+Keystore::Keystore() {
+ ::ndk::SpAIBinder binder(AServiceManager_waitForService(keystore2_service_name));
+ auto keystore2Service = ks2::IKeystoreService::fromBinder(binder);
+
+ if (!keystore2Service) {
+ LOG(ERROR) << "Vold unable to connect to keystore2.";
+ return;
+ }
+
+ /*
+ * There are only two options available to vold for the SecurityLevel: TRUSTED_ENVIRONMENT (TEE)
+ * and STRONGBOX. We don't use STRONGBOX because if a TEE is present it will have Weaver, which
+ * already strengthens CE, so there's no additional benefit from using StrongBox.
+ *
+ * The picture is slightly more complicated because Keystore2 reports a SOFTWARE instance as
+ * a TEE instance when there isn't a TEE instance available, but in that case, a STRONGBOX
+ * instance won't be available either, so we'll still be doing the best we can.
+ */
+ auto rc = keystore2Service->getSecurityLevel(km::SecurityLevel::TRUSTED_ENVIRONMENT,
+ &securityLevel);
+ if (logKeystore2ExceptionIfPresent(rc, "getSecurityLevel"))
+ LOG(ERROR) << "Vold unable to get security level from keystore2.";
+}
+
+bool Keystore::generateKey(const km::AuthorizationSet& inParams, std::string* key) {
+ ks2::KeyDescriptor in_key = {
+ .domain = ks2::Domain::BLOB,
+ .alias = std::nullopt,
+ .nspace = VOLD_NAMESPACE,
+ .blob = std::nullopt,
+ };
+ ks2::KeyMetadata keyMetadata;
+ auto rc = securityLevel->generateKey(in_key, std::nullopt, inParams.vector_data(), 0, {},
+ &keyMetadata);
+
+ if (logKeystore2ExceptionIfPresent(rc, "generateKey")) return false;
+
+ if (keyMetadata.key.blob == std::nullopt) {
+ LOG(ERROR) << "keystore2 generated key blob was null";
+ return false;
+ }
+ if (key) *key = std::string(keyMetadata.key.blob->begin(), keyMetadata.key.blob->end());
+
+ zeroize_vector(keyMetadata.key.blob.value());
+ return true;
+}
+
+bool Keystore::exportKey(const KeyBuffer& ksKey, std::string* key) {
+ bool ret = false;
+ ks2::KeyDescriptor storageKey = {
+ .domain = ks2::Domain::BLOB,
+ .alias = std::nullopt,
+ .nspace = VOLD_NAMESPACE,
+ };
+ storageKey.blob = std::make_optional<std::vector<uint8_t>>(ksKey.begin(), ksKey.end());
+ ks2::EphemeralStorageKeyResponse ephemeral_key_response;
+ auto rc = securityLevel->convertStorageKeyToEphemeral(storageKey, &ephemeral_key_response);
+
+ if (logKeystore2ExceptionIfPresent(rc, "exportKey")) goto out;
+ if (key)
+ *key = std::string(ephemeral_key_response.ephemeralKey.begin(),
+ ephemeral_key_response.ephemeralKey.end());
+
+ // vold intentionally ignores ephemeral_key_response.upgradedBlob, since the
+ // concept of "upgrading" doesn't make sense for TAG_STORAGE_KEY keys
+ // (hardware-wrapped inline encryption keys). These keys are only meant as
+ // a substitute for raw keys; they still go through vold's usual layer of
+ // key wrapping, which already handles version binding. So, vold just keeps
+ // using the original blobs for TAG_STORAGE_KEY keys. If KeyMint "upgrades"
+ // them anyway, then they'll just get re-upgraded before each use.
+
+ ret = true;
+out:
+ zeroize_vector(ephemeral_key_response.ephemeralKey);
+ zeroize_vector(storageKey.blob.value());
+ return ret;
+}
+
+bool Keystore::deleteKey(const std::string& key) {
+ ks2::KeyDescriptor keyDesc = {
+ .domain = ks2::Domain::BLOB,
+ .alias = std::nullopt,
+ .nspace = VOLD_NAMESPACE,
+ };
+ keyDesc.blob =
+ std::optional<std::vector<uint8_t>>(std::vector<uint8_t>(key.begin(), key.end()));
+
+ auto rc = securityLevel->deleteKey(keyDesc);
+ return !logKeystore2ExceptionIfPresent(rc, "deleteKey");
+}
+
+KeystoreOperation Keystore::begin(const std::string& key, const km::AuthorizationSet& inParams,
+ km::AuthorizationSet* outParams) {
+ ks2::KeyDescriptor keyDesc = {
+ .domain = ks2::Domain::BLOB,
+ .alias = std::nullopt,
+ .nspace = VOLD_NAMESPACE,
+ };
+ keyDesc.blob =
+ std::optional<std::vector<uint8_t>>(std::vector<uint8_t>(key.begin(), key.end()));
+
+ ks2::CreateOperationResponse cor;
+ auto rc = securityLevel->createOperation(keyDesc, inParams.vector_data(), true, &cor);
+ if (logKeystore2ExceptionIfPresent(rc, "createOperation")) {
+ if (rc.getExceptionCode() == EX_SERVICE_SPECIFIC)
+ return KeystoreOperation((km::ErrorCode)rc.getServiceSpecificError());
+ else
+ return KeystoreOperation();
+ }
+
+ if (!cor.iOperation) {
+ LOG(ERROR) << "keystore2 createOperation didn't return an operation";
+ return KeystoreOperation();
+ }
+
+ if (outParams && cor.parameters) *outParams = cor.parameters->keyParameter;
+
+ return KeystoreOperation(cor.iOperation, cor.upgradedBlob);
+}
+
+void Keystore::earlyBootEnded() {
+ ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
+ auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
+
+ if (!maint_service) {
+ LOG(ERROR) << "Unable to connect to keystore2 maintenance service for earlyBootEnded";
+ return;
+ }
+
+ auto rc = maint_service->earlyBootEnded();
+ logKeystore2ExceptionIfPresent(rc, "earlyBootEnded");
+}
+
+void Keystore::deleteAllKeys() {
+ ::ndk::SpAIBinder binder(AServiceManager_getService(maintenance_service_name));
+ auto maint_service = ks2_maint::IKeystoreMaintenance::fromBinder(binder);
+
+ if (!maint_service) {
+ LOG(ERROR) << "Unable to connect to keystore2 maintenance service for deleteAllKeys";
+ return;
+ }
+
+ auto rc = maint_service->deleteAllKeys();
+ logKeystore2ExceptionIfPresent(rc, "deleteAllKeys");
+}
+
+} // namespace vold
+} // namespace android
diff --git a/Keystore.h b/Keystore.h
new file mode 100644
index 0000000..d8c488e
--- /dev/null
+++ b/Keystore.h
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2016 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+#ifndef ANDROID_VOLD_KEYSTORE_H
+#define ANDROID_VOLD_KEYSTORE_H
+
+#include "KeyBuffer.h"
+
+#include <memory>
+#include <string>
+#include <utility>
+
+#include <android-base/macros.h>
+#include <keymint_support/authorization_set.h>
+#include <keymint_support/keymint_tags.h>
+
+#include <aidl/android/hardware/security/keymint/ErrorCode.h>
+#include <aidl/android/system/keystore2/IKeystoreService.h>
+#include <android/binder_manager.h>
+
+namespace android {
+namespace vold {
+
+namespace ks2 = ::aidl::android::system::keystore2;
+namespace km = ::aidl::android::hardware::security::keymint;
+
+// C++ wrappers to the Keystore2 AIDL interface.
+// This is tailored to the needs of KeyStorage, but could be extended to be
+// a more general interface.
+
+// Wrapper for a Keystore2 operation handle representing an
+// ongoing Keystore2 operation. Aborts the operation
+// in the destructor if it is unfinished. Methods log failures
+// to LOG(ERROR).
+class KeystoreOperation {
+ public:
+ ~KeystoreOperation();
+ // Is this instance valid? This is false if creation fails, and becomes
+ // false on finish or if an update fails.
+ explicit operator bool() const { return (bool)ks2Operation; }
+ km::ErrorCode getErrorCode() const { return errorCode; }
+ std::optional<std::string> getUpgradedBlob() const { return upgradedBlob; }
+ // Call "update" repeatedly until all of the input is consumed, and
+ // concatenate the output. Return true on success.
+ template <class TI, class TO>
+ bool updateCompletely(TI& input, TO* output) {
+ if (output) output->clear();
+ return updateCompletely(input.data(), input.size(), [&](const char* b, size_t n) {
+ if (output) std::copy(b, b + n, std::back_inserter(*output));
+ });
+ }
+
+ // Finish and write the output to this string, unless pointer is null.
+ bool finish(std::string* output);
+ // Move constructor
+ KeystoreOperation(KeystoreOperation&& rhs) { *this = std::move(rhs); }
+ // Construct an object in an error state for error returns
+ KeystoreOperation() { errorCode = km::ErrorCode::UNKNOWN_ERROR; }
+ // Move Assignment
+ KeystoreOperation& operator=(KeystoreOperation&& rhs) {
+ ks2Operation = rhs.ks2Operation;
+ rhs.ks2Operation = nullptr;
+
+ upgradedBlob = rhs.upgradedBlob;
+ rhs.upgradedBlob = std::nullopt;
+
+ errorCode = rhs.errorCode;
+ rhs.errorCode = km::ErrorCode::UNKNOWN_ERROR;
+
+ return *this;
+ }
+
+ private:
+ KeystoreOperation(std::shared_ptr<ks2::IKeystoreOperation> ks2Op,
+ std::optional<std::vector<uint8_t>> blob)
+ : ks2Operation{ks2Op}, errorCode{km::ErrorCode::OK} {
+ if (blob)
+ upgradedBlob = std::optional(std::string(blob->begin(), blob->end()));
+ else
+ upgradedBlob = std::nullopt;
+ }
+
+ KeystoreOperation(km::ErrorCode errCode) : errorCode{errCode} {}
+
+ bool updateCompletely(const char* input, size_t inputLen,
+ const std::function<void(const char*, size_t)> consumer);
+
+ std::shared_ptr<ks2::IKeystoreOperation> ks2Operation;
+ std::optional<std::string> upgradedBlob;
+ km::ErrorCode errorCode;
+ DISALLOW_COPY_AND_ASSIGN(KeystoreOperation);
+ friend class Keystore;
+};
+
+// Wrapper for keystore2 methods that vold uses.
+class Keystore {
+ public:
+ Keystore();
+ // false if we failed to get a keystore2 security level.
+ explicit operator bool() { return (bool)securityLevel; }
+ // Generate a key using keystore2 from the given params.
+ bool generateKey(const km::AuthorizationSet& inParams, std::string* key);
+ // Exports a keystore2 key with STORAGE_KEY tag wrapped with a per-boot ephemeral key
+ bool exportKey(const KeyBuffer& ksKey, std::string* key);
+ // If supported, permanently delete a key from the keymint device it belongs to.
+ bool deleteKey(const std::string& key);
+ // Begin a new cryptographic operation, collecting output parameters if pointer is non-null
+ // If the key was upgraded as a result of a call to this method, the returned KeystoreOperation
+ // also stores the upgraded key blob.
+ KeystoreOperation begin(const std::string& key, const km::AuthorizationSet& inParams,
+ km::AuthorizationSet* outParams);
+
+ // Tell all Keymint devices that early boot has ended and early boot-only keys can no longer
+ // be created or used.
+ static void earlyBootEnded();
+
+ // Tell all Keymint devices to delete all rollback-protected keys.
+ static void deleteAllKeys();
+
+ private:
+ std::shared_ptr<ks2::IKeystoreSecurityLevel> securityLevel;
+ DISALLOW_COPY_AND_ASSIGN(Keystore);
+};
+
+} // namespace vold
+} // namespace android
+
+#endif
diff --git a/Loop.cpp b/Loop.cpp
index 87f105d..4c86788 100644
--- a/Loop.cpp
+++ b/Loop.cpp
@@ -163,8 +163,6 @@
if (ioctl(fd.get(), LOOP_CLR_FD, 0) < 0) {
PLOG(WARNING) << "Failed to LOOP_CLR_FD " << path;
}
- } else {
- LOG(DEBUG) << "Found unmanaged loop device at " << path << " named " << id;
}
}
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index dc50679..0c32c3b 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -38,7 +38,7 @@
#include "EncryptInplace.h"
#include "KeyStorage.h"
#include "KeyUtil.h"
-#include "Keymaster.h"
+#include "Keystore.h"
#include "Utils.h"
#include "VoldUtil.h"
#include "fs/Ext4.h"
@@ -49,8 +49,10 @@
using android::fs_mgr::FstabEntry;
using android::fs_mgr::GetEntryForMountPoint;
+using android::fscrypt::GetFirstApiLevel;
using android::vold::KeyBuffer;
using namespace android::dm;
+using namespace std::chrono_literals;
// Parsed from metadata options
struct CryptoOptions {
@@ -61,6 +63,7 @@
};
static const std::string kDmNameUserdata = "userdata";
+static const std::string kDmNameUserdataZoned = "userdata_zoned";
// The first entry in this table is the default crypto type.
constexpr CryptoType supported_crypto_types[] = {aes_256_xts, adiantum};
@@ -80,7 +83,19 @@
return KeyGeneration{options.cipher.get_keysize(), true, options.use_hw_wrapped_key};
}
-static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device) {
+void defaultkey_precreate_dm_device() {
+ auto& dm = DeviceMapper::Instance();
+ if (dm.GetState(kDmNameUserdata) != DmDeviceState::INVALID) {
+ LOG(INFO) << "Not pre-creating userdata encryption device; device already exists";
+ return;
+ }
+
+ if (!dm.CreatePlaceholderDevice(kDmNameUserdata)) {
+ LOG(ERROR) << "Failed to pre-create userdata metadata encryption device";
+ }
+}
+
+static bool mount_via_fs_mgr(const char* mount_point, const char* blk_device, bool needs_encrypt) {
// fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
// partitions in the fsck domain.
if (setexeccon(android::vold::sFsckContext)) {
@@ -89,7 +104,8 @@
}
auto mount_rc = fs_mgr_do_mount(&fstab_default, const_cast<char*>(mount_point),
const_cast<char*>(blk_device), nullptr,
- android::vold::cp_needsCheckpoint(), true);
+ needs_encrypt? false: android::vold::cp_needsCheckpoint(),
+ true);
if (setexeccon(nullptr)) {
PLOG(ERROR) << "Failed to clear setexeccon";
return false;
@@ -102,7 +118,7 @@
return true;
}
-static bool read_key(const std::string& metadata_key_dir, const KeyGeneration& gen,
+static bool read_key(const std::string& metadata_key_dir, const KeyGeneration& gen, bool first_key,
KeyBuffer* key) {
if (metadata_key_dir.empty()) {
LOG(ERROR) << "Failed to get metadata_key_dir";
@@ -112,6 +128,19 @@
auto dir = metadata_key_dir + "/key";
LOG(DEBUG) << "metadata_key_dir/key: " << dir;
if (!MkdirsSync(dir, 0700)) return false;
+ auto in_dsu = android::base::GetBoolProperty("ro.gsid.image_running", false);
+ // !pathExists(dir) does not imply there's a factory reset when in DSU mode.
+ if (!pathExists(dir) && !in_dsu && first_key) {
+ auto delete_all = android::base::GetBoolProperty(
+ "ro.crypto.metadata_init_delete_all_keys.enabled", false);
+ if (delete_all) {
+ LOG(INFO) << "Metadata key does not exist, calling deleteAllKeys";
+ Keystore::deleteAllKeys();
+ } else {
+ LOG(DEBUG) << "Metadata key does not exist but "
+ "ro.crypto.metadata_init_delete_all_keys.enabled is false";
+ }
+ }
auto temp = metadata_key_dir + "/tmp";
return retrieveOrGenerateKey(dir, temp, kEmptyAuthentication, gen, key);
}
@@ -159,8 +188,18 @@
table.AddTarget(std::move(target));
auto& dm = DeviceMapper::Instance();
- if (!dm.CreateDevice(dm_name, table, crypto_blkdev, std::chrono::seconds(5))) {
- PLOG(ERROR) << "Could not create default-key device " << dm_name;
+ if (dm_name == kDmNameUserdata && dm.GetState(dm_name) == DmDeviceState::SUSPENDED) {
+ // The device was created in advance, populate it now.
+ if (!dm.LoadTableAndActivate(dm_name, table)) {
+ LOG(ERROR) << "Failed to populate default-key device " << dm_name;
+ return false;
+ }
+ if (!dm.WaitForDevice(dm_name, 20s, crypto_blkdev)) {
+ LOG(ERROR) << "Failed to wait for default-key device " << dm_name;
+ return false;
+ }
+ } else if (!dm.CreateDevice(dm_name, table, crypto_blkdev, 5s)) {
+ LOG(ERROR) << "Could not create default-key device " << dm_name;
return false;
}
return true;
@@ -202,13 +241,15 @@
bool fscrypt_mount_metadata_encrypted(const std::string& blk_device, const std::string& mount_point,
bool needs_encrypt, bool should_format,
- const std::string& fs_type) {
+ const std::string& fs_type, const std::string& zoned_device) {
LOG(DEBUG) << "fscrypt_mount_metadata_encrypted: " << mount_point
<< " encrypt: " << needs_encrypt << " format: " << should_format << " with "
- << fs_type;
+ << fs_type << " block device: " << blk_device
+ << " and zoned device: " << zoned_device;
auto encrypted_state = android::base::GetProperty("ro.crypto.state", "");
if (encrypted_state != "" && encrypted_state != "encrypted") {
- LOG(DEBUG) << "fscrypt_enable_crypto got unexpected starting state: " << encrypted_state;
+ LOG(ERROR) << "fscrypt_mount_metadata_encrypted got unexpected starting state: "
+ << encrypted_state;
return false;
}
@@ -224,7 +265,7 @@
CryptoOptions options;
if (options_format_version == 1) {
- if (!data_rec->metadata_encryption.empty()) {
+ if (!data_rec->metadata_encryption_options.empty()) {
LOG(ERROR) << "metadata_encryption options cannot be set in legacy mode";
return false;
}
@@ -237,20 +278,47 @@
return false;
}
} else if (options_format_version == 2) {
- if (!parse_options(data_rec->metadata_encryption, &options)) return false;
+ if (!parse_options(data_rec->metadata_encryption_options, &options)) return false;
} else {
LOG(ERROR) << "Unknown options_format_version: " << options_format_version;
return false;
}
+ auto default_metadata_key_dir = data_rec->metadata_key_dir;
+ if (!zoned_device.empty()) {
+ default_metadata_key_dir = default_metadata_key_dir + "/default";
+ }
auto gen = needs_encrypt ? makeGen(options) : neverGen();
KeyBuffer key;
- if (!read_key(data_rec->metadata_key_dir, gen, &key)) return false;
+ if (!read_key(default_metadata_key_dir, gen, true, &key)) {
+ LOG(ERROR) << "read_key failed in mountFstab";
+ return false;
+ }
std::string crypto_blkdev;
uint64_t nr_sec;
- if (!create_crypto_blk_dev(kDmNameUserdata, blk_device, key, options, &crypto_blkdev, &nr_sec))
+ if (!create_crypto_blk_dev(kDmNameUserdata, blk_device, key, options, &crypto_blkdev,
+ &nr_sec)) {
+ LOG(ERROR) << "create_crypto_blk_dev failed in mountFstab";
return false;
+ }
+
+ // create dm-default-key for zoned device
+ std::string crypto_zoned_blkdev;
+ if (!zoned_device.empty()) {
+ auto zoned_metadata_key_dir = data_rec->metadata_key_dir + "/zoned";
+
+ if (!read_key(zoned_metadata_key_dir, gen, false, &key)) {
+ LOG(ERROR) << "read_key failed with zoned device: " << zoned_device;
+ return false;
+ }
+ if (!create_crypto_blk_dev(kDmNameUserdataZoned, zoned_device, key, options,
+ &crypto_zoned_blkdev, &nr_sec)) {
+ LOG(ERROR) << "fscrypt_mount_metadata_encrypted: failed with zoned device: "
+ << zoned_device;
+ return false;
+ }
+ }
if (needs_encrypt) {
if (should_format) {
@@ -259,20 +327,31 @@
if (fs_type == "ext4") {
error = ext4::Format(crypto_blkdev, 0, mount_point);
} else if (fs_type == "f2fs") {
- error = f2fs::Format(crypto_blkdev);
+ error = f2fs::Format(crypto_blkdev, crypto_zoned_blkdev);
} else {
LOG(ERROR) << "Unknown filesystem type: " << fs_type;
return false;
}
- LOG(DEBUG) << "Format (err=" << error << ") " << crypto_blkdev << " on " << mount_point;
- if (error != 0) return false;
+ if (error != 0) {
+ LOG(ERROR) << "Format of " << crypto_blkdev << " for " << mount_point
+ << " failed (err=" << error << ").";
+ return false;
+ }
+ LOG(DEBUG) << "Format of " << crypto_blkdev << " for " << mount_point << " succeeded.";
} else {
- if (!encrypt_inplace(crypto_blkdev, blk_device, nr_sec, false)) return false;
+ if (!zoned_device.empty()) {
+ LOG(ERROR) << "encrypt_inplace cannot support zoned device; should format it.";
+ return false;
+ }
+ if (!encrypt_inplace(crypto_blkdev, blk_device, nr_sec)) {
+ LOG(ERROR) << "encrypt_inplace failed in mountFstab";
+ return false;
+ }
}
}
LOG(DEBUG) << "Mounting metadata-encrypted filesystem:" << mount_point;
- mount_via_fs_mgr(mount_point.c_str(), crypto_blkdev.c_str());
+ mount_via_fs_mgr(mount_point.c_str(), crypto_blkdev.c_str(), needs_encrypt);
// Record that there's at least one fstab entry with metadata encryption
if (!android::base::SetProperty("ro.crypto.metadata.enabled", "true")) {
diff --git a/MetadataCrypt.h b/MetadataCrypt.h
index e482765..f6d6b8e 100644
--- a/MetadataCrypt.h
+++ b/MetadataCrypt.h
@@ -25,9 +25,11 @@
namespace android {
namespace vold {
+void defaultkey_precreate_dm_device();
bool fscrypt_mount_metadata_encrypted(const std::string& block_device,
const std::string& mount_point, bool needs_encrypt,
- bool should_format, const std::string& fs_type);
+ bool should_format, const std::string& fs_type,
+ const std::string& zoned_device);
bool defaultkey_volume_keygen(KeyGeneration* gen);
diff --git a/Process.cpp b/Process.cpp
index 62d51a2..c1d55ee 100644
--- a/Process.cpp
+++ b/Process.cpp
@@ -84,7 +84,7 @@
}
// TODO: Refactor the code with KillProcessesWithOpenFiles().
-int KillProcessesWithMounts(const std::string& prefix, int signal) {
+int KillProcessesWithTmpfsMounts(const std::string& prefix, int signal) {
std::unordered_set<pid_t> pids;
auto proc_d = std::unique_ptr<DIR, int (*)(DIR*)>(opendir("/proc"), closedir);
@@ -112,7 +112,8 @@
// Check if obb directory is mounted, and get all packages of mounted app data directory.
mntent* mentry;
while ((mentry = getmntent(fp.get())) != nullptr) {
- if (android::base::StartsWith(mentry->mnt_dir, prefix)) {
+ if (mentry->mnt_fsname != nullptr && strncmp(mentry->mnt_fsname, "tmpfs", 5) == 0
+ && android::base::StartsWith(mentry->mnt_dir, prefix)) {
pids.insert(pid);
break;
}
@@ -174,7 +175,15 @@
}
if (signal != 0) {
for (const auto& pid : pids) {
- LOG(WARNING) << "Sending " << strsignal(signal) << " to " << pid;
+ std::string comm;
+ android::base::ReadFileToString(StringPrintf("/proc/%d/comm", pid), &comm);
+ comm = android::base::Trim(comm);
+
+ std::string exe;
+ android::base::Readlink(StringPrintf("/proc/%d/exe", pid), &exe);
+
+ LOG(WARNING) << "Sending " << strsignal(signal) << " to pid " << pid << " (" << comm
+ << ", " << exe << ")";
kill(pid, signal);
}
}
diff --git a/Process.h b/Process.h
index a56b9ce..f3728b5 100644
--- a/Process.h
+++ b/Process.h
@@ -21,7 +21,7 @@
namespace vold {
int KillProcessesWithOpenFiles(const std::string& path, int signal, bool killFuseDaemon = true);
-int KillProcessesWithMounts(const std::string& path, int signal);
+int KillProcessesWithTmpfsMounts(const std::string& path, int signal);
} // namespace vold
} // namespace android
diff --git a/ScryptParameters.cpp b/ScryptParameters.cpp
deleted file mode 100644
index f5a964f..0000000
--- a/ScryptParameters.cpp
+++ /dev/null
@@ -1,51 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include "ScryptParameters.h"
-
-#include <stdlib.h>
-#include <string.h>
-
-bool parse_scrypt_parameters(const char* paramstr, int* Nf, int* rf, int* pf) {
- int params[3] = {};
- char* token;
- char* saveptr;
- int i;
-
- /*
- * The token we're looking for should be three integers separated by
- * colons (e.g., "12:8:1"). Scan the property to make sure it matches.
- */
- for (i = 0, token = strtok_r(const_cast<char*>(paramstr), ":", &saveptr);
- token != nullptr && i < 3; i++, token = strtok_r(nullptr, ":", &saveptr)) {
- char* endptr;
- params[i] = strtol(token, &endptr, 10);
-
- /*
- * Check that there was a valid number and it's 8-bit.
- */
- if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) {
- return false;
- }
- }
- if (token != nullptr) {
- return false;
- }
- *Nf = params[0];
- *rf = params[1];
- *pf = params[2];
- return true;
-}
diff --git a/ScryptParameters.h b/ScryptParameters.h
deleted file mode 100644
index edb80cc..0000000
--- a/ScryptParameters.h
+++ /dev/null
@@ -1,28 +0,0 @@
-/*
- * Copyright (C) 2016 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#ifndef ANDROID_VOLD_SCRYPT_PARAMETERS_H
-#define ANDROID_VOLD_SCRYPT_PARAMETERS_H
-
-#include <stdbool.h>
-#include <sys/cdefs.h>
-
-#define SCRYPT_PROP "ro.crypto.scrypt_params"
-#define SCRYPT_DEFAULTS "15:3:1"
-
-bool parse_scrypt_parameters(const char* paramstr, int* Nf, int* rf, int* pf);
-
-#endif
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 4f62642..a535181 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -1,9 +1,29 @@
{
"presubmit": [
{
+ "name": "CtsScopedStorageCoreHostTest"
+ },
+ {
"name": "CtsScopedStorageHostTest"
},
{
+ "name": "CtsScopedStorageDeviceOnlyTest"
+ },
+ {
+ "name": "AdoptableHostTest"
+ }
+ ],
+ "hwasan-postsubmit": [
+ {
+ "name": "CtsScopedStorageCoreHostTest"
+ },
+ {
+ "name": "CtsScopedStorageHostTest"
+ },
+ {
+ "name": "CtsScopedStorageDeviceOnlyTest"
+ },
+ {
"name": "AdoptableHostTest"
}
]
diff --git a/Utils.cpp b/Utils.cpp
index 9ff7920..157b839 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -23,6 +23,7 @@
#include <android-base/file.h>
#include <android-base/logging.h>
#include <android-base/properties.h>
+#include <android-base/scopeguard.h>
#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <android-base/unique_fd.h>
@@ -68,10 +69,10 @@
namespace android {
namespace vold {
-security_context_t sBlkidContext = nullptr;
-security_context_t sBlkidUntrustedContext = nullptr;
-security_context_t sFsckContext = nullptr;
-security_context_t sFsckUntrustedContext = nullptr;
+char* sBlkidContext = nullptr;
+char* sBlkidUntrustedContext = nullptr;
+char* sFsckContext = nullptr;
+char* sFsckUntrustedContext = nullptr;
bool sSleepOnUnmount = true;
@@ -100,13 +101,21 @@
status_t CreateDeviceNode(const std::string& path, dev_t dev) {
std::lock_guard<std::mutex> lock(kSecurityLock);
const char* cpath = path.c_str();
- status_t res = 0;
+ auto clearfscreatecon = android::base::make_scope_guard([] { setfscreatecon(nullptr); });
+ auto secontext = std::unique_ptr<char, void (*)(char*)>(nullptr, freecon);
+ char* tmp_secontext;
- char* secontext = nullptr;
- if (sehandle) {
- if (!selabel_lookup(sehandle, &secontext, cpath, S_IFBLK)) {
- setfscreatecon(secontext);
+ if (selabel_lookup(sehandle, &tmp_secontext, cpath, S_IFBLK) == 0) {
+ secontext.reset(tmp_secontext);
+ if (setfscreatecon(secontext.get()) != 0) {
+ LOG(ERROR) << "Failed to setfscreatecon for device node " << path;
+ return -EINVAL;
}
+ } else if (errno == ENOENT) {
+ LOG(DEBUG) << "No selabel defined for device node " << path;
+ } else {
+ PLOG(ERROR) << "Failed to look up selabel for device node " << path;
+ return -errno;
}
mode_t mode = 0660 | S_IFBLK;
@@ -114,16 +123,10 @@
if (errno != EEXIST) {
PLOG(ERROR) << "Failed to create device node for " << major(dev) << ":" << minor(dev)
<< " at " << path;
- res = -errno;
+ return -errno;
}
}
-
- if (secontext) {
- setfscreatecon(nullptr);
- freecon(secontext);
- }
-
- return res;
+ return OK;
}
status_t DestroyDeviceNode(const std::string& path) {
@@ -240,7 +243,12 @@
}
fsx.fsx_projid = projectId;
- return ioctl(fd, FS_IOC_FSSETXATTR, &fsx);
+ ret = ioctl(fd, FS_IOC_FSSETXATTR, &fsx);
+ if (ret == -1) {
+ PLOG(ERROR) << "Failed to set project id on " << path;
+ return ret;
+ }
+ return 0;
}
int PrepareDirWithProjectId(const std::string& path, mode_t mode, uid_t uid, gid_t gid,
@@ -444,29 +452,26 @@
unsigned int attrs) {
std::lock_guard<std::mutex> lock(kSecurityLock);
const char* cpath = path.c_str();
+ auto clearfscreatecon = android::base::make_scope_guard([] { setfscreatecon(nullptr); });
+ auto secontext = std::unique_ptr<char, void (*)(char*)>(nullptr, freecon);
+ char* tmp_secontext;
- char* secontext = nullptr;
- if (sehandle) {
- if (!selabel_lookup(sehandle, &secontext, cpath, S_IFDIR)) {
- setfscreatecon(secontext);
+ if (selabel_lookup(sehandle, &tmp_secontext, cpath, S_IFDIR) == 0) {
+ secontext.reset(tmp_secontext);
+ if (setfscreatecon(secontext.get()) != 0) {
+ LOG(ERROR) << "Failed to setfscreatecon for directory " << path;
+ return -EINVAL;
}
- }
-
- int res = fs_prepare_dir(cpath, mode, uid, gid);
-
- if (secontext) {
- setfscreatecon(nullptr);
- freecon(secontext);
- }
-
- if (res) return -errno;
- if (attrs) res = SetAttrs(path, attrs);
-
- if (res == 0) {
- return OK;
+ } else if (errno == ENOENT) {
+ LOG(DEBUG) << "No selabel defined for directory " << path;
} else {
+ PLOG(ERROR) << "Failed to look up selabel for directory " << path;
return -errno;
}
+
+ if (fs_prepare_dir(cpath, mode, uid, gid) != 0) return -errno;
+ if (attrs && SetAttrs(path, attrs) != 0) return -errno;
+ return OK;
}
status_t ForceUnmount(const std::string& path) {
@@ -499,25 +504,25 @@
return -errno;
}
-status_t KillProcessesWithMountPrefix(const std::string& path) {
- if (KillProcessesWithMounts(path, SIGINT) == 0) {
+status_t KillProcessesWithTmpfsMountPrefix(const std::string& path) {
+ if (KillProcessesWithTmpfsMounts(path, SIGINT) == 0) {
return OK;
}
if (sSleepOnUnmount) sleep(5);
- if (KillProcessesWithMounts(path, SIGTERM) == 0) {
+ if (KillProcessesWithTmpfsMounts(path, SIGTERM) == 0) {
return OK;
}
if (sSleepOnUnmount) sleep(5);
- if (KillProcessesWithMounts(path, SIGKILL) == 0) {
+ if (KillProcessesWithTmpfsMounts(path, SIGKILL) == 0) {
return OK;
}
if (sSleepOnUnmount) sleep(5);
// Send SIGKILL a second time to determine if we've
// actually killed everyone mount
- if (KillProcessesWithMounts(path, SIGKILL) == 0) {
+ if (KillProcessesWithTmpfsMounts(path, SIGKILL) == 0) {
return OK;
}
PLOG(ERROR) << "Failed to kill processes using " << path;
@@ -697,7 +702,7 @@
}
status_t ForkExecvp(const std::vector<std::string>& args, std::vector<std::string>* output,
- security_context_t context) {
+ char* context) {
auto argv = ConvertToArgv(args);
android::base::unique_fd pipe_read, pipe_write;
@@ -749,7 +754,53 @@
return OK;
}
-pid_t ForkExecvpAsync(const std::vector<std::string>& args) {
+status_t ForkExecvpTimeout(const std::vector<std::string>& args, std::chrono::seconds timeout,
+ char* context) {
+ int status;
+
+ pid_t wait_timeout_pid = fork();
+ if (wait_timeout_pid == 0) {
+ pid_t pid = ForkExecvpAsync(args, context);
+ if (pid == -1) {
+ _exit(EXIT_FAILURE);
+ }
+ pid_t timer_pid = fork();
+ if (timer_pid == 0) {
+ std::this_thread::sleep_for(timeout);
+ _exit(ETIMEDOUT);
+ }
+ if (timer_pid == -1) {
+ PLOG(ERROR) << "fork in ForkExecvpAsync_timeout";
+ kill(pid, SIGTERM);
+ _exit(EXIT_FAILURE);
+ }
+ pid_t finished = wait(&status);
+ if (finished == pid) {
+ kill(timer_pid, SIGTERM);
+ } else {
+ kill(pid, SIGTERM);
+ }
+ if (!WIFEXITED(status)) {
+ _exit(ECHILD);
+ }
+ _exit(WEXITSTATUS(status));
+ }
+ if (waitpid(wait_timeout_pid, &status, 0) == -1) {
+ PLOG(ERROR) << "waitpid in ForkExecvpAsync_timeout";
+ return -errno;
+ }
+ if (!WIFEXITED(status)) {
+ LOG(ERROR) << "Process did not exit normally, status: " << status;
+ return -ECHILD;
+ }
+ if (WEXITSTATUS(status)) {
+ LOG(ERROR) << "Process exited with code: " << WEXITSTATUS(status);
+ return WEXITSTATUS(status);
+ }
+ return OK;
+}
+
+pid_t ForkExecvpAsync(const std::vector<std::string>& args, char* context) {
auto argv = ConvertToArgv(args);
pid_t pid = fork();
@@ -757,6 +808,12 @@
close(STDIN_FILENO);
close(STDOUT_FILENO);
close(STDERR_FILENO);
+ if (context) {
+ if (setexeccon(context)) {
+ LOG(ERROR) << "Failed to setexeccon in ForkExecvpAsync";
+ abort();
+ }
+ }
execvp(argv[0], const_cast<char**>(argv.data()));
PLOG(ERROR) << "exec in ForkExecvpAsync";
@@ -1063,14 +1120,6 @@
return StringPrintf("%s/misc/user/%u", BuildDataPath("").c_str(), userId);
}
-std::string BuildDataMiscCePath(userid_t userId) {
- return StringPrintf("%s/misc_ce/%u", BuildDataPath("").c_str(), userId);
-}
-
-std::string BuildDataMiscDePath(userid_t userId) {
- return StringPrintf("%s/misc_de/%u", BuildDataPath("").c_str(), userId);
-}
-
// Keep in sync with installd (frameworks/native/cmds/installd/utils.h)
std::string BuildDataProfilesDePath(userid_t userId) {
return StringPrintf("%s/misc/profiles/cur/%u", BuildDataPath("").c_str(), userId);
@@ -1100,17 +1149,17 @@
return StringPrintf("%s/media/%u", data.c_str(), userId);
}
+std::string BuildDataMiscCePath(const std::string& volumeUuid, userid_t userId) {
+ return StringPrintf("%s/misc_ce/%u", BuildDataPath(volumeUuid).c_str(), userId);
+}
+
+std::string BuildDataMiscDePath(const std::string& volumeUuid, userid_t userId) {
+ return StringPrintf("%s/misc_de/%u", BuildDataPath(volumeUuid).c_str(), userId);
+}
+
std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userId) {
// TODO: unify with installd path generation logic
std::string data(BuildDataPath(volumeUuid));
- if (volumeUuid.empty() && userId == 0) {
- std::string legacy = StringPrintf("%s/data", data.c_str());
- struct stat sb;
- if (lstat(legacy.c_str(), &sb) == 0 && S_ISDIR(sb.st_mode)) {
- /* /data/data is dir, return /data/data for legacy system */
- return legacy;
- }
- }
return StringPrintf("%s/user/%u", data.c_str(), userId);
}
@@ -1130,6 +1179,12 @@
}
}
+// Returns true if |path| exists and is a symlink.
+bool IsSymlink(const std::string& path) {
+ struct stat stbuf;
+ return lstat(path.c_str(), &stbuf) == 0 && S_ISLNK(stbuf.st_mode);
+}
+
// Returns true if |path1| names the same existing file or directory as |path2|.
bool IsSameFile(const std::string& path1, const std::string& path2) {
struct stat stbuf1, stbuf2;
@@ -1209,49 +1264,6 @@
return kMajorBlockVirtioBlk && major == kMajorBlockVirtioBlk;
}
-static status_t findMountPointsWithPrefix(const std::string& prefix,
- std::list<std::string>& mountPoints) {
- // Add a trailing slash if the client didn't provide one so that we don't match /foo/barbaz
- // when the prefix is /foo/bar
- std::string prefixWithSlash(prefix);
- if (prefix.back() != '/') {
- android::base::StringAppendF(&prefixWithSlash, "/");
- }
-
- std::unique_ptr<FILE, int (*)(FILE*)> mnts(setmntent("/proc/mounts", "re"), endmntent);
- if (!mnts) {
- PLOG(ERROR) << "Unable to open /proc/mounts";
- return -errno;
- }
-
- // Some volumes can be stacked on each other, so force unmount in
- // reverse order to give us the best chance of success.
- struct mntent* mnt; // getmntent returns a thread local, so it's safe.
- while ((mnt = getmntent(mnts.get())) != nullptr) {
- auto mountPoint = std::string(mnt->mnt_dir) + "/";
- if (android::base::StartsWith(mountPoint, prefixWithSlash)) {
- mountPoints.push_front(mountPoint);
- }
- }
- return OK;
-}
-
-// Unmount all mountpoints that start with prefix. prefix itself doesn't need to be a mountpoint.
-status_t UnmountTreeWithPrefix(const std::string& prefix) {
- std::list<std::string> toUnmount;
- status_t result = findMountPointsWithPrefix(prefix, toUnmount);
- if (result < 0) {
- return result;
- }
- for (const auto& path : toUnmount) {
- if (umount2(path.c_str(), MNT_DETACH)) {
- PLOG(ERROR) << "Failed to unmount " << path;
- result = -errno;
- }
- }
- return result;
-}
-
status_t UnmountTree(const std::string& mountPoint) {
if (TEMP_FAILURE_RETRY(umount2(mountPoint.c_str(), MNT_DETACH)) < 0 && errno != EINVAL &&
errno != ENOENT) {
@@ -1436,7 +1448,21 @@
status_t AbortFuseConnections() {
namespace fs = std::filesystem;
- for (const auto& itEntry : fs::directory_iterator("/sys/fs/fuse/connections")) {
+ static constexpr const char* kFuseConnections = "/sys/fs/fuse/connections";
+
+ std::error_code ec;
+ for (const auto& itEntry : fs::directory_iterator(kFuseConnections, ec)) {
+ std::string fsPath = itEntry.path().string() + "/filesystem";
+ std::string fs;
+
+ // Virtiofs is on top of fuse and there isn't any user space daemon.
+ // Android user space doesn't manage it.
+ if (android::base::ReadFileToString(fsPath, &fs, false) &&
+ android::base::Trim(fs) == "virtiofs") {
+ LOG(INFO) << "Ignore virtiofs connection entry " << itEntry.path().string();
+ continue;
+ }
+
std::string abortPath = itEntry.path().string() + "/abort";
LOG(DEBUG) << "Aborting fuse connection entry " << abortPath;
bool ret = writeStringToFile("1", abortPath);
@@ -1445,6 +1471,11 @@
}
}
+ if (ec) {
+ LOG(WARNING) << "Failed to iterate through " << kFuseConnections << ": " << ec.message();
+ return -ec.value();
+ }
+
return OK;
}
@@ -1690,5 +1721,75 @@
return OK;
}
+
+namespace ab = android::base;
+
+static ab::unique_fd openDirFd(int parentFd, const char* name) {
+ return ab::unique_fd{::openat(parentFd, name, O_CLOEXEC | O_DIRECTORY | O_PATH | O_NOFOLLOW)};
+}
+
+static ab::unique_fd openAbsolutePathFd(std::string_view path) {
+ if (path.empty() || path[0] != '/') {
+ errno = EINVAL;
+ return {};
+ }
+ if (path == "/") {
+ return openDirFd(-1, "/");
+ }
+
+ // first component is special - it includes the leading slash
+ auto next = path.find('/', 1);
+ auto component = std::string(path.substr(0, next));
+ if (component == "..") {
+ errno = EINVAL;
+ return {};
+ }
+ auto fd = openDirFd(-1, component.c_str());
+ if (!fd.ok()) {
+ return fd;
+ }
+ path.remove_prefix(std::min(next + 1, path.size()));
+ while (next != path.npos && !path.empty()) {
+ next = path.find('/');
+ component.assign(path.substr(0, next));
+ fd = openDirFd(fd, component.c_str());
+ if (!fd.ok()) {
+ return fd;
+ }
+ path.remove_prefix(std::min(next + 1, path.size()));
+ }
+ return fd;
+}
+
+std::pair<android::base::unique_fd, std::string> OpenDirInProcfs(std::string_view path) {
+ auto fd = openAbsolutePathFd(path);
+ if (!fd.ok()) {
+ return {};
+ }
+
+ auto linkPath = std::string("/proc/self/fd/") += std::to_string(fd.get());
+ return {std::move(fd), std::move(linkPath)};
+}
+
+bool IsFuseBpfEnabled() {
+ // TODO Once kernel supports flag, trigger off kernel flag unless
+ // ro.fuse.bpf.enabled is explicitly set to false
+ bool enabled;
+ if (base::GetProperty("ro.fuse.bpf.is_running", "") != "")
+ enabled = base::GetBoolProperty("ro.fuse.bpf.is_running", false);
+ else if (base::GetProperty("persist.sys.fuse.bpf.override", "") != "")
+ enabled = base::GetBoolProperty("persist.sys.fuse.bpf.override", false);
+ else
+ enabled = base::GetBoolProperty("ro.fuse.bpf.enabled", false);
+
+ if (enabled) {
+ base::SetProperty("ro.fuse.bpf.is_running", "true");
+ return true;
+ } else {
+ base::SetProperty("ro.fuse.bpf.is_running", "false");
+ return false;
+ }
+}
+
} // namespace vold
} // namespace android
diff --git a/Utils.h b/Utils.h
index 4771593..fbd0f30 100644
--- a/Utils.h
+++ b/Utils.h
@@ -27,6 +27,7 @@
#include <chrono>
#include <string>
+#include <string_view>
#include <vector>
struct DIR;
@@ -37,11 +38,13 @@
static const char* kVoldAppDataIsolationEnabled = "persist.sys.vold_app_data_isolation_enabled";
static const char* kExternalStorageSdcardfs = "external_storage.sdcardfs.enabled";
+static constexpr std::chrono::seconds kUntrustedFsckSleepTime(45);
+
/* SELinux contexts used depending on the block device type */
-extern security_context_t sBlkidContext;
-extern security_context_t sBlkidUntrustedContext;
-extern security_context_t sFsckContext;
-extern security_context_t sFsckUntrustedContext;
+extern char* sBlkidContext;
+extern char* sBlkidUntrustedContext;
+extern char* sFsckContext;
+extern char* sFsckUntrustedContext;
// TODO remove this with better solution, b/64143519
extern bool sSleepOnUnmount;
@@ -78,8 +81,8 @@
/* Kills any processes using given path */
status_t KillProcessesUsingPath(const std::string& path);
-/* Kills any processes using given mount prifix */
-status_t KillProcessesWithMountPrefix(const std::string& path);
+/* Kills any processes using given tmpfs mount prifix */
+status_t KillProcessesWithTmpfsMountPrefix(const std::string& path);
/* Creates bind mount from source to target */
status_t BindMount(const std::string& source, const std::string& target);
@@ -104,10 +107,12 @@
std::string* fsLabel);
/* Returns either WEXITSTATUS() status, or a negative errno */
-status_t ForkExecvp(const std::vector<std::string>& args, std::vector<std::string>* output = nullptr,
- security_context_t context = nullptr);
+status_t ForkExecvp(const std::vector<std::string>& args,
+ std::vector<std::string>* output = nullptr, char* context = nullptr);
+status_t ForkExecvpTimeout(const std::vector<std::string>& args, std::chrono::seconds timeout,
+ char* context = nullptr);
-pid_t ForkExecvpAsync(const std::vector<std::string>& args);
+pid_t ForkExecvpAsync(const std::vector<std::string>& args, char* context = nullptr);
/* Gets block device size in bytes */
status_t GetBlockDevSize(int fd, uint64_t* size);
@@ -144,19 +149,21 @@
std::string BuildDataSystemCePath(userid_t userid);
std::string BuildDataSystemDePath(userid_t userid);
std::string BuildDataMiscLegacyPath(userid_t userid);
-std::string BuildDataMiscCePath(userid_t userid);
-std::string BuildDataMiscDePath(userid_t userid);
std::string BuildDataProfilesDePath(userid_t userid);
std::string BuildDataVendorCePath(userid_t userid);
std::string BuildDataVendorDePath(userid_t userid);
std::string BuildDataPath(const std::string& volumeUuid);
std::string BuildDataMediaCePath(const std::string& volumeUuid, userid_t userid);
+std::string BuildDataMiscCePath(const std::string& volumeUuid, userid_t userid);
+std::string BuildDataMiscDePath(const std::string& volumeUuid, userid_t userid);
std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userid);
std::string BuildDataUserDePath(const std::string& volumeUuid, userid_t userid);
dev_t GetDevice(const std::string& path);
+bool IsSymlink(const std::string& path);
+
bool IsSameFile(const std::string& path1, const std::string& path2);
status_t EnsureDirExists(const std::string& path, mode_t mode, uid_t uid, gid_t gid);
@@ -169,7 +176,6 @@
// Handles dynamic major assignment for virtio-block
bool IsVirtioBlkDevice(unsigned int major);
-status_t UnmountTreeWithPrefix(const std::string& prefix);
status_t UnmountTree(const std::string& mountPoint);
bool IsDotOrDotDot(const struct dirent& ent);
@@ -200,6 +206,20 @@
const std::string& relative_upper_path);
status_t PrepareAndroidDirs(const std::string& volumeRoot);
+
+bool IsFuseBpfEnabled();
+
+// Open a given directory as an FD, and return that and the corresponding procfs virtual
+// symlink path that can be used in any API that accepts a path string. Path stays valid until
+// the directory FD is closed.
+//
+// This may be useful when an API wants to restrict a path passed from an untrusted process,
+// and do it without any TOCTOU attacks possible (e.g. where an attacker replaces one of
+// the components with a symlink after the check passed). In that case opening a path through
+// this function guarantees that the target directory stays the same, and that it can be
+// referenced inside the current process via the virtual procfs symlink returned here.
+std::pair<android::base::unique_fd, std::string> OpenDirInProcfs(std::string_view path);
+
} // namespace vold
} // namespace android
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index b7f1749..601323f 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -19,13 +19,13 @@
#include "VoldNativeService.h"
#include <android-base/logging.h>
-#include <android-base/stringprintf.h>
#include <android-base/strings.h>
#include <fs_mgr.h>
#include <fscrypt/fscrypt.h>
#include <private/android_filesystem_config.h>
#include <utils/Trace.h>
+#include <stdio.h>
#include <fstream>
#include <thread>
@@ -34,18 +34,15 @@
#include "FsCrypt.h"
#include "IdleMaint.h"
#include "KeyStorage.h"
-#include "Keymaster.h"
+#include "Keystore.h"
#include "MetadataCrypt.h"
#include "MoveStorage.h"
-#include "Process.h"
#include "VoldNativeServiceValidation.h"
#include "VoldUtil.h"
#include "VolumeManager.h"
#include "cryptfs.h"
#include "incfs.h"
-using android::base::StringPrintf;
-using std::endl;
using namespace std::literals;
namespace android {
@@ -54,6 +51,7 @@
namespace {
constexpr const char* kDump = "android.permission.DUMP";
+constexpr auto kIncFsReadNoTimeoutMs = 100;
static binder::Status error(const std::string& msg) {
PLOG(ERROR) << msg;
@@ -131,15 +129,14 @@
}
status_t VoldNativeService::dump(int fd, const Vector<String16>& /* args */) {
- auto out = std::fstream(StringPrintf("/proc/self/fd/%d", fd));
const binder::Status dump_permission = CheckPermission(kDump);
if (!dump_permission.isOk()) {
- out << dump_permission.toString8() << endl;
+ dprintf(fd, "%s\n", dump_permission.toString8().c_str());
return PERMISSION_DENIED;
}
ACQUIRE_LOCK;
- out << "vold is happy!" << endl;
+ dprintf(fd, "vold is happy!\n");
return NO_ERROR;
}
@@ -178,16 +175,20 @@
binder::Status VoldNativeService::abortFuse() {
ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_LOCK;
+ // if acquire lock, maybe lead to a deadlock if lock is held by a
+ // thread that is blocked on a FUSE operation.
+ // abort fuse doesn't need to access any state, so do not acquire lock
return translate(VolumeManager::Instance()->abortFuse());
}
-binder::Status VoldNativeService::onUserAdded(int32_t userId, int32_t userSerial) {
+binder::Status VoldNativeService::onUserAdded(int32_t userId, int32_t userSerial,
+ int32_t sharesStorageWithUserId) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_LOCK;
- return translate(VolumeManager::Instance()->onUserAdded(userId, userSerial));
+ return translate(
+ VolumeManager::Instance()->onUserAdded(userId, userSerial, sharesStorageWithUserId));
}
binder::Status VoldNativeService::onUserRemoved(int32_t userId) {
@@ -415,16 +416,13 @@
return translate(VolumeManager::Instance()->fixupAppDir(path, appUid));
}
-binder::Status VoldNativeService::createObb(const std::string& sourcePath,
- const std::string& sourceKey, int32_t ownerGid,
+binder::Status VoldNativeService::createObb(const std::string& sourcePath, int32_t ownerGid,
std::string* _aidl_return) {
ENFORCE_SYSTEM_OR_ROOT;
CHECK_ARGUMENT_PATH(sourcePath);
- CHECK_ARGUMENT_HEX(sourceKey);
ACQUIRE_LOCK;
- return translate(
- VolumeManager::Instance()->createObb(sourcePath, sourceKey, ownerGid, _aidl_return));
+ return translate(VolumeManager::Instance()->createObb(sourcePath, ownerGid, _aidl_return));
}
binder::Status VoldNativeService::destroyObb(const std::string& volId) {
@@ -471,11 +469,11 @@
}
binder::Status VoldNativeService::runIdleMaint(
- const android::sp<android::os::IVoldTaskListener>& listener) {
+ bool needGC, const android::sp<android::os::IVoldTaskListener>& listener) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_LOCK;
- std::thread([=]() { android::vold::RunIdleMaint(listener); }).detach();
+ std::thread([=]() { android::vold::RunIdleMaint(needGC, listener); }).detach();
return Ok();
}
@@ -488,6 +486,43 @@
return Ok();
}
+binder::Status VoldNativeService::getStorageLifeTime(int32_t* _aidl_return) {
+ ENFORCE_SYSTEM_OR_ROOT;
+ ACQUIRE_LOCK;
+
+ *_aidl_return = GetStorageLifeTime();
+ return Ok();
+}
+
+binder::Status VoldNativeService::setGCUrgentPace(int32_t neededSegments,
+ int32_t minSegmentThreshold,
+ float dirtyReclaimRate, float reclaimWeight,
+ int32_t gcPeriod, int32_t minGCSleepTime,
+ int32_t targetDirtyRatio) {
+ ENFORCE_SYSTEM_OR_ROOT;
+ ACQUIRE_LOCK;
+
+ SetGCUrgentPace(neededSegments, minSegmentThreshold, dirtyReclaimRate, reclaimWeight, gcPeriod,
+ minGCSleepTime, targetDirtyRatio);
+ return Ok();
+}
+
+binder::Status VoldNativeService::refreshLatestWrite() {
+ ENFORCE_SYSTEM_OR_ROOT;
+ ACQUIRE_LOCK;
+
+ RefreshLatestWrite();
+ return Ok();
+}
+
+binder::Status VoldNativeService::getWriteAmount(int32_t* _aidl_return) {
+ ENFORCE_SYSTEM_OR_ROOT;
+ ACQUIRE_LOCK;
+
+ *_aidl_return = GetWriteAmount();
+ return Ok();
+}
+
binder::Status VoldNativeService::mountAppFuse(int32_t uid, int32_t mountId,
android::base::unique_fd* _aidl_return) {
ENFORCE_SYSTEM_OR_ROOT;
@@ -520,133 +555,6 @@
return Ok();
}
-binder::Status VoldNativeService::fdeCheckPassword(const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- return translate(cryptfs_check_passwd(password.c_str()));
-}
-
-binder::Status VoldNativeService::fdeRestart() {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- // Spawn as thread so init can issue commands back to vold without
- // causing deadlock, usually as a result of prep_data_fs.
- std::thread(&cryptfs_restart).detach();
- return Ok();
-}
-
-binder::Status VoldNativeService::fdeComplete(int32_t* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- *_aidl_return = cryptfs_crypto_complete();
- return Ok();
-}
-
-static int fdeEnableInternal(int32_t passwordType, const std::string& password,
- int32_t encryptionFlags) {
- bool noUi = (encryptionFlags & VoldNativeService::ENCRYPTION_FLAG_NO_UI) != 0;
-
- for (int tries = 0; tries < 2; ++tries) {
- int rc;
- if (passwordType == VoldNativeService::PASSWORD_TYPE_DEFAULT) {
- rc = cryptfs_enable_default(noUi);
- } else {
- rc = cryptfs_enable(passwordType, password.c_str(), noUi);
- }
-
- if (rc == 0) {
- return 0;
- } else if (tries == 0) {
- KillProcessesWithOpenFiles(DATA_MNT_POINT, SIGKILL);
- }
- }
-
- return -1;
-}
-
-binder::Status VoldNativeService::fdeEnable(int32_t passwordType, const std::string& password,
- int32_t encryptionFlags) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- LOG(DEBUG) << "fdeEnable(" << passwordType << ", *, " << encryptionFlags << ")";
- if (fscrypt_is_native()) {
- LOG(ERROR) << "fscrypt_is_native, fdeEnable invalid";
- return error("fscrypt_is_native, fdeEnable invalid");
- }
- LOG(DEBUG) << "!fscrypt_is_native, spawning fdeEnableInternal";
-
- // Spawn as thread so init can issue commands back to vold without
- // causing deadlock, usually as a result of prep_data_fs.
- std::thread(&fdeEnableInternal, passwordType, password, encryptionFlags).detach();
- return Ok();
-}
-
-binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
- const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- return translate(cryptfs_changepw(passwordType, password.c_str()));
-}
-
-binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- return translate(cryptfs_verify_passwd(password.c_str()));
-}
-
-binder::Status VoldNativeService::fdeGetField(const std::string& key, std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- char buf[PROPERTY_VALUE_MAX];
- if (cryptfs_getfield(key.c_str(), buf, sizeof(buf)) != CRYPTO_GETFIELD_OK) {
- return error(StringPrintf("Failed to read field %s", key.c_str()));
- } else {
- *_aidl_return = buf;
- return Ok();
- }
-}
-
-binder::Status VoldNativeService::fdeSetField(const std::string& key, const std::string& value) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- return translate(cryptfs_setfield(key.c_str(), value.c_str()));
-}
-
-binder::Status VoldNativeService::fdeGetPasswordType(int32_t* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- *_aidl_return = cryptfs_get_password_type();
- return Ok();
-}
-
-binder::Status VoldNativeService::fdeGetPassword(std::string* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- const char* res = cryptfs_get_password();
- if (res != nullptr) {
- *_aidl_return = res;
- }
- return Ok();
-}
-
-binder::Status VoldNativeService::fdeClearPassword() {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- cryptfs_clear_password();
- return Ok();
-}
-
binder::Status VoldNativeService::fbeEnable() {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK;
@@ -654,18 +562,6 @@
return translateBool(fscrypt_initialize_systemwide_keys());
}
-binder::Status VoldNativeService::mountDefaultEncrypted() {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- if (!fscrypt_is_native()) {
- // Spawn as thread so init can issue commands back to vold without
- // causing deadlock, usually as a result of prep_data_fs.
- std::thread(&cryptfs_mount_default_encrypted).detach();
- }
- return Ok();
-}
-
binder::Status VoldNativeService::initUser0() {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK;
@@ -673,31 +569,25 @@
return translateBool(fscrypt_init_user0());
}
-binder::Status VoldNativeService::isConvertibleToFbe(bool* _aidl_return) {
- ENFORCE_SYSTEM_OR_ROOT;
- ACQUIRE_CRYPT_LOCK;
-
- *_aidl_return = cryptfs_isConvertibleToFBE() != 0;
- return Ok();
-}
-
binder::Status VoldNativeService::mountFstab(const std::string& blkDevice,
- const std::string& mountPoint) {
+ const std::string& mountPoint,
+ const std::string& zonedDevice) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_LOCK;
- return translateBool(
- fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, false, false, "null"));
+ return translateBool(fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, false, false,
+ "null", zonedDevice));
}
binder::Status VoldNativeService::encryptFstab(const std::string& blkDevice,
const std::string& mountPoint, bool shouldFormat,
- const std::string& fsType) {
+ const std::string& fsType,
+ const std::string& zonedDevice) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_LOCK;
- return translateBool(
- fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, true, shouldFormat, fsType));
+ return translateBool(fscrypt_mount_metadata_encrypted(blkDevice, mountPoint, true, shouldFormat,
+ fsType, zonedDevice));
}
binder::Status VoldNativeService::setStorageBindingSeed(const std::vector<uint8_t>& seed) {
@@ -723,21 +613,19 @@
}
binder::Status VoldNativeService::addUserKeyAuth(int32_t userId, int32_t userSerial,
- const std::string& token,
const std::string& secret) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK;
- return translateBool(fscrypt_add_user_key_auth(userId, userSerial, token, secret));
+ return translateBool(fscrypt_add_user_key_auth(userId, userSerial, secret));
}
binder::Status VoldNativeService::clearUserKeyAuth(int32_t userId, int32_t userSerial,
- const std::string& token,
const std::string& secret) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK;
- return translateBool(fscrypt_clear_user_key_auth(userId, userSerial, token, secret));
+ return translateBool(fscrypt_clear_user_key_auth(userId, userSerial, secret));
}
binder::Status VoldNativeService::fixateNewestUserKeyAuth(int32_t userId) {
@@ -747,13 +635,20 @@
return translateBool(fscrypt_fixate_newest_user_key_auth(userId));
}
+binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_return) {
+ ENFORCE_SYSTEM_OR_ROOT;
+ ACQUIRE_CRYPT_LOCK;
+
+ *_aidl_return = fscrypt_get_unlocked_users();
+ return Ok();
+}
+
binder::Status VoldNativeService::unlockUserKey(int32_t userId, int32_t userSerial,
- const std::string& token,
const std::string& secret) {
ENFORCE_SYSTEM_OR_ROOT;
ACQUIRE_CRYPT_LOCK;
- return translateBool(fscrypt_unlock_user_key(userId, userSerial, token, secret));
+ return translateBool(fscrypt_unlock_user_key(userId, userSerial, secret));
}
binder::Status VoldNativeService::lockUserKey(int32_t userId) {
@@ -913,7 +808,7 @@
ACQUIRE_LOCK;
initializeIncFs();
- Keymaster::earlyBootEnded();
+ Keystore::earlyBootEnded();
return Ok();
}
@@ -926,16 +821,34 @@
binder::Status VoldNativeService::mountIncFs(
const std::string& backingPath, const std::string& targetDir, int32_t flags,
+ const std::string& sysfsName,
::android::os::incremental::IncrementalFileSystemControlParcel* _aidl_return) {
ENFORCE_SYSTEM_OR_ROOT;
- CHECK_ARGUMENT_PATH(backingPath);
- CHECK_ARGUMENT_PATH(targetDir);
+ if (auto status = CheckIncrementalPath(IncrementalPathKind::MountTarget, targetDir);
+ !status.isOk()) {
+ return status;
+ }
+ if (auto status = CheckIncrementalPath(IncrementalPathKind::MountSource, backingPath);
+ !status.isOk()) {
+ return status;
+ }
- auto control = incfs::mount(backingPath, targetDir,
+ auto [backingFd, backingSymlink] = OpenDirInProcfs(backingPath);
+ if (!backingFd.ok()) {
+ return translate(-errno);
+ }
+ auto [targetFd, targetSymlink] = OpenDirInProcfs(targetDir);
+ if (!targetFd.ok()) {
+ return translate(-errno);
+ }
+
+ auto control = incfs::mount(backingSymlink, targetSymlink,
{.flags = IncFsMountFlags(flags),
+ // Mount with read timeouts.
.defaultReadTimeoutMs = INCFS_DEFAULT_READ_TIMEOUT_MS,
// Mount with read logs disabled.
- .readLogBufferPages = 0});
+ .readLogBufferPages = 0,
+ .sysfsName = sysfsName.c_str()});
if (!control) {
return translate(-errno);
}
@@ -944,23 +857,33 @@
_aidl_return->cmd.reset(unique_fd(fds[CMD].release()));
_aidl_return->pendingReads.reset(unique_fd(fds[PENDING_READS].release()));
_aidl_return->log.reset(unique_fd(fds[LOGS].release()));
+ if (fds[BLOCKS_WRITTEN].ok()) {
+ _aidl_return->blocksWritten.emplace(unique_fd(fds[BLOCKS_WRITTEN].release()));
+ }
return Ok();
}
binder::Status VoldNativeService::unmountIncFs(const std::string& dir) {
ENFORCE_SYSTEM_OR_ROOT;
- CHECK_ARGUMENT_PATH(dir);
+ if (auto status = CheckIncrementalPath(IncrementalPathKind::Any, dir); !status.isOk()) {
+ return status;
+ }
- return translate(incfs::unmount(dir));
+ auto [fd, symLink] = OpenDirInProcfs(dir);
+ if (!fd.ok()) {
+ return translate(-errno);
+ }
+ return translate(incfs::unmount(symLink));
}
binder::Status VoldNativeService::setIncFsMountOptions(
const ::android::os::incremental::IncrementalFileSystemControlParcel& control,
- bool enableReadLogs) {
+ bool enableReadLogs, bool enableReadTimeouts, const std::string& sysfsName) {
ENFORCE_SYSTEM_OR_ROOT;
auto incfsControl =
- incfs::createControl(control.cmd.get(), control.pendingReads.get(), control.log.get());
+ incfs::createControl(control.cmd.get(), control.pendingReads.get(), control.log.get(),
+ control.blocksWritten ? control.blocksWritten->get() : -1);
auto cleanupFunc = [](auto incfsControl) {
for (auto& fd : incfsControl->releaseFds()) {
(void)fd.release();
@@ -968,24 +891,52 @@
};
auto cleanup =
std::unique_ptr<incfs::Control, decltype(cleanupFunc)>(&incfsControl, cleanupFunc);
- if (auto error = incfs::setOptions(
- incfsControl,
- {.defaultReadTimeoutMs = INCFS_DEFAULT_READ_TIMEOUT_MS,
- .readLogBufferPages = enableReadLogs ? INCFS_DEFAULT_PAGE_READ_BUFFER_PAGES : 0});
- error < 0) {
- return binder::Status::fromServiceSpecificError(error);
- }
+ constexpr auto minReadLogBufferPages = INCFS_DEFAULT_PAGE_READ_BUFFER_PAGES;
+ constexpr auto maxReadLogBufferPages = 8 * INCFS_DEFAULT_PAGE_READ_BUFFER_PAGES;
+ auto options = incfs::MountOptions{
+ .defaultReadTimeoutMs =
+ enableReadTimeouts ? INCFS_DEFAULT_READ_TIMEOUT_MS : kIncFsReadNoTimeoutMs,
+ .readLogBufferPages = enableReadLogs ? maxReadLogBufferPages : 0,
+ .sysfsName = sysfsName.c_str()};
+
+ for (;;) {
+ const auto error = incfs::setOptions(incfsControl, options);
+ if (!error) {
+ return Ok();
+ }
+ if (!enableReadLogs || error != -ENOMEM) {
+ return binder::Status::fromServiceSpecificError(error);
+ }
+ // In case of memory allocation error retry with a smaller buffer.
+ options.readLogBufferPages /= 2;
+ if (options.readLogBufferPages < minReadLogBufferPages) {
+ return binder::Status::fromServiceSpecificError(error);
+ }
+ }
+ // unreachable, but makes the compiler happy
return Ok();
}
binder::Status VoldNativeService::bindMount(const std::string& sourceDir,
const std::string& targetDir) {
ENFORCE_SYSTEM_OR_ROOT;
- CHECK_ARGUMENT_PATH(sourceDir);
- CHECK_ARGUMENT_PATH(targetDir);
+ if (auto status = CheckIncrementalPath(IncrementalPathKind::Any, sourceDir); !status.isOk()) {
+ return status;
+ }
+ if (auto status = CheckIncrementalPath(IncrementalPathKind::Bind, targetDir); !status.isOk()) {
+ return status;
+ }
- return translate(incfs::bindMount(sourceDir, targetDir));
+ auto [sourceFd, sourceSymlink] = OpenDirInProcfs(sourceDir);
+ if (!sourceFd.ok()) {
+ return translate(-errno);
+ }
+ auto [targetFd, targetSymlink] = OpenDirInProcfs(targetDir);
+ if (!targetFd.ok()) {
+ return translate(-errno);
+ }
+ return translate(incfs::bindMount(sourceSymlink, targetSymlink));
}
binder::Status VoldNativeService::destroyDsuMetadataKey(const std::string& dsuSlot) {
diff --git a/VoldNativeService.h b/VoldNativeService.h
index 123f127..12a93f5 100644
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@@ -38,7 +38,7 @@
binder::Status shutdown();
binder::Status abortFuse();
- binder::Status onUserAdded(int32_t userId, int32_t userSerial);
+ binder::Status onUserAdded(int32_t userId, int32_t userSerial, int32_t sharesStorageWithUserId);
binder::Status onUserRemoved(int32_t userId);
binder::Status onUserStarted(int32_t userId);
binder::Status onUserStopped(int32_t userId);
@@ -73,8 +73,8 @@
binder::Status setupAppDir(const std::string& path, int32_t appUid);
binder::Status fixupAppDir(const std::string& path, int32_t appUid);
- binder::Status createObb(const std::string& sourcePath, const std::string& sourceKey,
- int32_t ownerGid, std::string* _aidl_return);
+ binder::Status createObb(const std::string& sourcePath, int32_t ownerGid,
+ std::string* _aidl_return);
binder::Status destroyObb(const std::string& volId);
binder::Status createStubVolume(const std::string& sourcePath, const std::string& mountPath,
@@ -85,8 +85,15 @@
binder::Status fstrim(int32_t fstrimFlags,
const android::sp<android::os::IVoldTaskListener>& listener);
- binder::Status runIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener);
+ binder::Status runIdleMaint(bool needGC,
+ const android::sp<android::os::IVoldTaskListener>& listener);
binder::Status abortIdleMaint(const android::sp<android::os::IVoldTaskListener>& listener);
+ binder::Status getStorageLifeTime(int32_t* _aidl_return);
+ binder::Status setGCUrgentPace(int32_t neededSegments, int32_t minSegmentThreshold,
+ float dirtyReclaimRate, float reclaimWeight, int32_t gcPeriod,
+ int32_t minGCSleepTime, int32_t targetDirtyRatio);
+ binder::Status refreshLatestWrite();
+ binder::Status getWriteAmount(int32_t* _aidl_return);
binder::Status mountAppFuse(int32_t uid, int32_t mountId,
android::base::unique_fd* _aidl_return);
@@ -94,41 +101,26 @@
binder::Status openAppFuseFile(int32_t uid, int32_t mountId, int32_t fileId, int32_t flags,
android::base::unique_fd* _aidl_return);
- binder::Status fdeCheckPassword(const std::string& password);
- binder::Status fdeRestart();
- binder::Status fdeComplete(int32_t* _aidl_return);
- binder::Status fdeEnable(int32_t passwordType, const std::string& password,
- int32_t encryptionFlags);
- binder::Status fdeChangePassword(int32_t passwordType, const std::string& password);
- binder::Status fdeVerifyPassword(const std::string& password);
- binder::Status fdeGetField(const std::string& key, std::string* _aidl_return);
- binder::Status fdeSetField(const std::string& key, const std::string& value);
- binder::Status fdeGetPasswordType(int32_t* _aidl_return);
- binder::Status fdeGetPassword(std::string* _aidl_return);
- binder::Status fdeClearPassword();
-
binder::Status fbeEnable();
- binder::Status mountDefaultEncrypted();
binder::Status initUser0();
- binder::Status isConvertibleToFbe(bool* _aidl_return);
- binder::Status mountFstab(const std::string& blkDevice, const std::string& mountPoint);
+ binder::Status mountFstab(const std::string& blkDevice, const std::string& mountPoint,
+ const std::string& zonedDevice);
binder::Status encryptFstab(const std::string& blkDevice, const std::string& mountPoint,
- bool shouldFormat, const std::string& fsType);
+ bool shouldFormat, const std::string& fsType,
+ const std::string& zonedDevice);
binder::Status setStorageBindingSeed(const std::vector<uint8_t>& seed);
binder::Status createUserKey(int32_t userId, int32_t userSerial, bool ephemeral);
binder::Status destroyUserKey(int32_t userId);
- binder::Status addUserKeyAuth(int32_t userId, int32_t userSerial, const std::string& token,
- const std::string& secret);
- binder::Status clearUserKeyAuth(int32_t userId, int32_t userSerial, const std::string& token,
- const std::string& secret);
+ binder::Status addUserKeyAuth(int32_t userId, int32_t userSerial, const std::string& secret);
+ binder::Status clearUserKeyAuth(int32_t userId, int32_t userSerial, const std::string& secret);
binder::Status fixateNewestUserKeyAuth(int32_t userId);
- binder::Status unlockUserKey(int32_t userId, int32_t userSerial, const std::string& token,
- const std::string& secret);
+ binder::Status getUnlockedUsers(std::vector<int>* _aidl_return);
+ binder::Status unlockUserKey(int32_t userId, int32_t userSerial, const std::string& secret);
binder::Status lockUserKey(int32_t userId);
binder::Status prepareUserStorage(const std::optional<std::string>& uuid, int32_t userId,
@@ -161,11 +153,12 @@
binder::Status incFsEnabled(bool* _aidl_return) override;
binder::Status mountIncFs(
const std::string& backingPath, const std::string& targetDir, int32_t flags,
+ const std::string& sysfsName,
::android::os::incremental::IncrementalFileSystemControlParcel* _aidl_return) override;
binder::Status unmountIncFs(const std::string& dir) override;
binder::Status setIncFsMountOptions(
const ::android::os::incremental::IncrementalFileSystemControlParcel& control,
- bool enableReadLogs) override;
+ bool enableReadLogs, bool enableReadTimeouts, const std::string& sysfsName) override;
binder::Status bindMount(const std::string& sourceDir, const std::string& targetDir) override;
binder::Status destroyDsuMetadataKey(const std::string& dsuSlot) override;
diff --git a/VoldNativeServiceValidation.cpp b/VoldNativeServiceValidation.cpp
index ee1e65a..1d19141 100644
--- a/VoldNativeServiceValidation.cpp
+++ b/VoldNativeServiceValidation.cpp
@@ -105,4 +105,31 @@
return Ok();
}
+binder::Status CheckIncrementalPath(IncrementalPathKind kind, const std::string& path) {
+ if (auto status = CheckArgumentPath(path); !status.isOk()) {
+ return status;
+ }
+ if (kind == IncrementalPathKind::MountSource || kind == IncrementalPathKind::MountTarget ||
+ kind == IncrementalPathKind::Any) {
+ if (android::base::StartsWith(path, "/data/incremental/MT_")) {
+ if (kind != IncrementalPathKind::MountSource &&
+ (android::base::EndsWith(path, "/mount") || path.find("/mount/") != path.npos)) {
+ return Ok();
+ }
+ if (kind != IncrementalPathKind::MountTarget &&
+ (android::base::EndsWith(path, "/backing_store") ||
+ path.find("/backing_store/") != path.npos)) {
+ return Ok();
+ }
+ }
+ }
+ if (kind == IncrementalPathKind::Bind || kind == IncrementalPathKind::Any) {
+ if (android::base::StartsWith(path, "/data/app/")) {
+ return Ok();
+ }
+ }
+ return Exception(binder::Status::EX_ILLEGAL_ARGUMENT,
+ StringPrintf("Path '%s' is not allowed", path.c_str()));
+}
+
} // namespace android::vold
diff --git a/VoldNativeServiceValidation.h b/VoldNativeServiceValidation.h
index d2fc9e0..7fcb738 100644
--- a/VoldNativeServiceValidation.h
+++ b/VoldNativeServiceValidation.h
@@ -34,4 +34,9 @@
binder::Status CheckArgumentPath(const std::string& path);
binder::Status CheckArgumentHex(const std::string& hex);
+// Incremental service is only allowed to touch its own directory, and the installed apps dir.
+// This function ensures the caller isn't doing anything tricky.
+enum class IncrementalPathKind { MountSource, MountTarget, Bind, Any };
+binder::Status CheckIncrementalPath(IncrementalPathKind kind, const std::string& path);
+
} // namespace android::vold
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index 2697f67..e29b920 100644
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -55,7 +55,6 @@
#include <fscrypt/fscrypt.h>
#include "AppFuseUtil.h"
-#include "Devmapper.h"
#include "FsCrypt.h"
#include "Loop.h"
#include "NetlinkManager.h"
@@ -82,6 +81,7 @@
using android::vold::DeleteDirContents;
using android::vold::DeleteDirContentsAndDir;
using android::vold::EnsureDirExists;
+using android::vold::GetFuseMountPathForUser;
using android::vold::IsFilesystemSupported;
using android::vold::IsSdcardfsUsed;
using android::vold::IsVirtioBlkDevice;
@@ -94,7 +94,6 @@
using android::vold::VoldNativeService;
using android::vold::VolumeBase;
-static const char* kPathUserMount = "/mnt/user";
static const char* kPathVirtualDisk = "/data/misc/vold/virtual_disk";
static const char* kPropVirtualDisk = "persist.sys.virtual_disk";
@@ -179,7 +178,6 @@
// directories that we own, in case we crashed.
unmountAll();
- Devmapper::destroyAll();
Loop::destroyAll();
// Assume that we always have an emulated volume on internal
@@ -239,7 +237,7 @@
break;
}
case NetlinkEvent::Action::kChange: {
- LOG(DEBUG) << "Disk at " << major << ":" << minor << " changed";
+ LOG(VERBOSE) << "Disk at " << major << ":" << minor << " changed";
handleDiskChanged(device);
break;
}
@@ -361,7 +359,7 @@
LOG(ERROR) << "Failed to unlink " << keyPath;
success = false;
}
- if (fscrypt_is_native()) {
+ if (IsFbeEnabled()) {
if (!fscrypt_destroy_volume_keys(fsUuid)) {
success = false;
}
@@ -427,10 +425,21 @@
}
}
-int VolumeManager::onUserAdded(userid_t userId, int userSerialNumber) {
+userid_t VolumeManager::getSharedStorageUser(userid_t userId) {
+ if (mSharedStorageUser.find(userId) == mSharedStorageUser.end()) {
+ return USER_UNKNOWN;
+ }
+ return mSharedStorageUser.at(userId);
+}
+
+int VolumeManager::onUserAdded(userid_t userId, int userSerialNumber,
+ userid_t sharesStorageWithUserId) {
LOG(INFO) << "onUserAdded: " << userId;
mAddedUsers[userId] = userSerialNumber;
+ if (sharesStorageWithUserId != USER_UNKNOWN) {
+ mSharedStorageUser[userId] = sharesStorageWithUserId;
+ }
return 0;
}
@@ -439,6 +448,7 @@
onUserStopped(userId);
mAddedUsers.erase(userId);
+ mSharedStorageUser.erase(userId);
return 0;
}
@@ -899,13 +909,29 @@
}
mInternalEmulatedVolumes.clear();
+ // Destroy and recreate all disks except that StubVolume disks are just
+ // destroyed and removed from both mDisks and mPendingDisks.
+ // StubVolumes are managed from outside Android (e.g. from Chrome OS) and
+ // their disk recreation on reset events should be handled from outside by
+ // calling createStubVolume() again.
for (const auto& disk : mDisks) {
disk->destroy();
- disk->create();
+ if (!disk->isStub()) {
+ disk->create();
+ }
}
+ const auto isStub = [](const auto& disk) { return disk->isStub(); };
+ mDisks.remove_if(isStub);
+ mPendingDisks.remove_if(isStub);
+
updateVirtualDisk();
mAddedUsers.clear();
mStartedUsers.clear();
+ mSharedStorageUser.clear();
+
+ // Abort all FUSE connections to avoid deadlocks if the FUSE daemon was killed
+ // with FUSE fds open.
+ abortFuse();
return 0;
}
@@ -1002,8 +1028,8 @@
// The volume must be mounted
return false;
}
- if ((vol.getMountFlags() & VolumeBase::MountFlags::kVisible) == 0) {
- // and visible
+ if (!vol.isVisibleForWrite()) {
+ // App dirs should only be created for writable volumes.
return false;
}
if (vol.getInternalPath().empty()) {
@@ -1064,8 +1090,8 @@
return setupAppDir(path, appUid, true /* fixupExistingOnly */);
}
-int VolumeManager::createObb(const std::string& sourcePath, const std::string& sourceKey,
- int32_t ownerGid, std::string* outVolId) {
+int VolumeManager::createObb(const std::string& sourcePath, int32_t ownerGid,
+ std::string* outVolId) {
int id = mNextObbId++;
std::string lowerSourcePath;
@@ -1077,8 +1103,8 @@
// The volume must be mounted
return false;
}
- if ((vol.getMountFlags() & VolumeBase::MountFlags::kVisible) == 0) {
- // and visible
+ if (!vol.isVisibleForWrite()) {
+ // Obb volume should only be created for writable volumes.
return false;
}
if (vol.getInternalPath().empty()) {
@@ -1103,7 +1129,7 @@
}
auto vol = std::shared_ptr<android::vold::VolumeBase>(
- new android::vold::ObbVolume(id, lowerSourcePath, sourceKey, ownerGid));
+ new android::vold::ObbVolume(id, lowerSourcePath, ownerGid));
vol->create();
mObbVolumes.push_back(vol);
diff --git a/VolumeManager.h b/VolumeManager.h
index 3573b1a..943a144 100644
--- a/VolumeManager.h
+++ b/VolumeManager.h
@@ -104,9 +104,11 @@
const std::set<userid_t>& getStartedUsers() const { return mStartedUsers; }
+ userid_t getSharedStorageUser(userid_t userId);
+
int forgetPartition(const std::string& partGuid, const std::string& fsUuid);
- int onUserAdded(userid_t userId, int userSerialNumber);
+ int onUserAdded(userid_t userId, int userSerialNumber, userid_t cloneParentUserId);
int onUserRemoved(userid_t userId);
int onUserStarted(userid_t userId);
int onUserStopped(userid_t userId);
@@ -186,8 +188,7 @@
// Called before zygote starts to ensure dir exists so zygote can bind mount them.
int ensureAppDirsCreated(const std::vector<std::string>& paths, int32_t appUid);
- int createObb(const std::string& path, const std::string& key, int32_t ownerGid,
- std::string* outVolId);
+ int createObb(const std::string& path, int32_t ownerGid, std::string* outVolId);
int destroyObb(const std::string& volId);
int createStubVolume(const std::string& sourcePath, const std::string& mountPath,
@@ -226,6 +227,8 @@
std::list<std::shared_ptr<android::vold::VolumeBase>> mInternalEmulatedVolumes;
std::unordered_map<userid_t, int> mAddedUsers;
+ // Map of users to a user with which they can share storage (eg clone profiles)
+ std::unordered_map<userid_t, userid_t> mSharedStorageUser;
// This needs to be a regular set because we care about the ordering here;
// user 0 should always go first, because it is responsible for sdcardfs.
std::set<userid_t> mStartedUsers;
diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
index fd134c5..c798959 100644
--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@@ -30,7 +30,7 @@
void reset();
void shutdown();
- void onUserAdded(int userId, int userSerial);
+ void onUserAdded(int userId, int userSerial, int sharesStorageWithUserId);
void onUserRemoved(int userId);
void onUserStarted(int userId);
void onUserStopped(int userId);
@@ -60,50 +60,40 @@
void fixupAppDir(@utf8InCpp String path, int appUid);
void ensureAppDirsCreated(in @utf8InCpp String[] paths, int appUid);
- @utf8InCpp String createObb(@utf8InCpp String sourcePath, @utf8InCpp String sourceKey,
- int ownerGid);
+ @utf8InCpp String createObb(@utf8InCpp String sourcePath, int ownerGid);
void destroyObb(@utf8InCpp String volId);
void fstrim(int fstrimFlags, IVoldTaskListener listener);
- void runIdleMaint(IVoldTaskListener listener);
+ void runIdleMaint(boolean needGC, IVoldTaskListener listener);
void abortIdleMaint(IVoldTaskListener listener);
+ int getStorageLifeTime();
+ void setGCUrgentPace(int neededSegments, int minSegmentThreshold,
+ float dirtyReclaimRate, float reclaimWeight,
+ int gcPeriod, int minGCSleepTime,
+ int targetDirtyRatio);
+ void refreshLatestWrite();
+ int getWriteAmount();
FileDescriptor mountAppFuse(int uid, int mountId);
void unmountAppFuse(int uid, int mountId);
- void fdeCheckPassword(@utf8InCpp String password);
- void fdeRestart();
- int fdeComplete();
- void fdeEnable(int passwordType, @utf8InCpp String password, int encryptionFlags);
- void fdeChangePassword(int passwordType, @utf8InCpp String password);
- void fdeVerifyPassword(@utf8InCpp String password);
- @utf8InCpp String fdeGetField(@utf8InCpp String key);
- void fdeSetField(@utf8InCpp String key, @utf8InCpp String value);
- int fdeGetPasswordType();
- @utf8InCpp String fdeGetPassword();
- void fdeClearPassword();
-
void fbeEnable();
- void mountDefaultEncrypted();
void initUser0();
- boolean isConvertibleToFbe();
- void mountFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint);
- void encryptFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint, boolean shouldFormat, @utf8InCpp String fsType);
+ void mountFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint, @utf8InCpp String zonedDevice);
+ void encryptFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint, boolean shouldFormat, @utf8InCpp String fsType, @utf8InCpp String zonedDevice);
void setStorageBindingSeed(in byte[] seed);
void createUserKey(int userId, int userSerial, boolean ephemeral);
void destroyUserKey(int userId);
- void addUserKeyAuth(int userId, int userSerial, @utf8InCpp String token,
- @utf8InCpp String secret);
- void clearUserKeyAuth(int userId, int userSerial, @utf8InCpp String token,
- @utf8InCpp String secret);
+ void addUserKeyAuth(int userId, int userSerial, @utf8InCpp String secret);
+ void clearUserKeyAuth(int userId, int userSerial, @utf8InCpp String secret);
void fixateNewestUserKeyAuth(int userId);
- void unlockUserKey(int userId, int userSerial, @utf8InCpp String token,
- @utf8InCpp String secret);
+ int[] getUnlockedUsers();
+ void unlockUserKey(int userId, int userSerial, @utf8InCpp String secret);
void lockUserKey(int userId);
void prepareUserStorage(@nullable @utf8InCpp String uuid, int userId, int userSerial,
@@ -139,36 +129,23 @@
FileDescriptor openAppFuseFile(int uid, int mountId, int fileId, int flags);
boolean incFsEnabled();
- IncrementalFileSystemControlParcel mountIncFs(@utf8InCpp String backingPath, @utf8InCpp String targetDir, int flags);
+ IncrementalFileSystemControlParcel mountIncFs(@utf8InCpp String backingPath, @utf8InCpp String targetDir, int flags, @utf8InCpp String sysfsName);
void unmountIncFs(@utf8InCpp String dir);
- void setIncFsMountOptions(in IncrementalFileSystemControlParcel control, boolean enableReadLogs);
+ void setIncFsMountOptions(in IncrementalFileSystemControlParcel control, boolean enableReadLogs, boolean enableReadTimeouts, @utf8InCpp String sysfsName);
void bindMount(@utf8InCpp String sourceDir, @utf8InCpp String targetDir);
void destroyDsuMetadataKey(@utf8InCpp String dsuSlot);
- const int ENCRYPTION_FLAG_NO_UI = 4;
-
- const int ENCRYPTION_STATE_NONE = 1;
- const int ENCRYPTION_STATE_OK = 0;
- const int ENCRYPTION_STATE_ERROR_UNKNOWN = -1;
- const int ENCRYPTION_STATE_ERROR_INCOMPLETE = -2;
- const int ENCRYPTION_STATE_ERROR_INCONSISTENT = -3;
- const int ENCRYPTION_STATE_ERROR_CORRUPT = -4;
-
const int FSTRIM_FLAG_DEEP_TRIM = 1;
const int MOUNT_FLAG_PRIMARY = 1;
- const int MOUNT_FLAG_VISIBLE = 2;
+ const int MOUNT_FLAG_VISIBLE_FOR_READ = 2;
+ const int MOUNT_FLAG_VISIBLE_FOR_WRITE = 4;
const int PARTITION_TYPE_PUBLIC = 0;
const int PARTITION_TYPE_PRIVATE = 1;
const int PARTITION_TYPE_MIXED = 2;
- const int PASSWORD_TYPE_PASSWORD = 0;
- const int PASSWORD_TYPE_DEFAULT = 1;
- const int PASSWORD_TYPE_PATTERN = 2;
- const int PASSWORD_TYPE_PIN = 3;
-
const int STORAGE_FLAG_DE = 1;
const int STORAGE_FLAG_CE = 2;
diff --git a/cryptfs.cpp b/cryptfs.cpp
index 6203003..be8ba3c 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -14,292 +14,40 @@
* limitations under the License.
*/
+//
+// This file contains the implementation of the dm-crypt volume metadata
+// encryption method, which is deprecated. Devices that launched with Android
+// 11 or higher use a different method instead. For details, see
+// https://source.android.com/security/encryption/metadata#configuration-on-adoptable-storage
+//
+
#define LOG_TAG "Cryptfs"
#include "cryptfs.h"
-#include "Checkpoint.h"
#include "CryptoType.h"
-#include "EncryptInplace.h"
-#include "FsCrypt.h"
-#include "Keymaster.h"
-#include "Process.h"
-#include "ScryptParameters.h"
#include "Utils.h"
-#include "VoldUtil.h"
-#include "VolumeManager.h"
#include <android-base/parseint.h>
#include <android-base/properties.h>
-#include <android-base/stringprintf.h>
-#include <android-base/strings.h>
-#include <bootloader_message/bootloader_message.h>
-#include <cutils/android_reboot.h>
#include <cutils/properties.h>
-#include <ext4_utils/ext4_utils.h>
-#include <f2fs_sparseblock.h>
-#include <fs_mgr.h>
-#include <fscrypt/fscrypt.h>
#include <libdm/dm.h>
#include <log/log.h>
-#include <logwrap/logwrap.h>
-#include <openssl/evp.h>
-#include <openssl/sha.h>
-#include <selinux/selinux.h>
-#include <wakelock/wakelock.h>
-
-#include <ctype.h>
-#include <errno.h>
-#include <fcntl.h>
-#include <inttypes.h>
-#include <libgen.h>
-#include <linux/kdev_t.h>
-#include <math.h>
-#include <mntent.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/mount.h>
-#include <sys/param.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <time.h>
-#include <unistd.h>
#include <chrono>
-#include <thread>
-
-extern "C" {
-#include <crypto_scrypt.h>
-}
using android::base::ParseUint;
-using android::base::StringPrintf;
-using android::fs_mgr::GetEntryForMountPoint;
using android::vold::CryptoType;
using android::vold::KeyBuffer;
using android::vold::KeyGeneration;
using namespace android::dm;
+using namespace android::vold;
using namespace std::chrono_literals;
-/* The current cryptfs version */
-#define CURRENT_MAJOR_VERSION 1
-#define CURRENT_MINOR_VERSION 3
-
-#define CRYPT_FOOTER_TO_PERSIST_OFFSET 0x1000
-#define CRYPT_PERSIST_DATA_SIZE 0x1000
-
-#define CRYPT_SECTOR_SIZE 512
-
-#define MAX_CRYPTO_TYPE_NAME_LEN 64
-
#define MAX_KEY_LEN 48
-#define SALT_LEN 16
-#define SCRYPT_LEN 32
-
-/* definitions of flags in the structure below */
-#define CRYPT_MNT_KEY_UNENCRYPTED 0x1 /* The key for the partition is not encrypted. */
-#define CRYPT_ENCRYPTION_IN_PROGRESS 0x2 /* no longer used */
-#define CRYPT_INCONSISTENT_STATE \
- 0x4 /* Set when starting encryption, clear when \
- exit cleanly, either through success or \
- correctly marked partial encryption */
-#define CRYPT_DATA_CORRUPT \
- 0x8 /* Set when encryption is fine, but the \
- underlying volume is corrupt */
-#define CRYPT_FORCE_ENCRYPTION \
- 0x10 /* Set when it is time to encrypt this \
- volume on boot. Everything in this \
- structure is set up correctly as \
- though device is encrypted except \
- that the master key is encrypted with the \
- default password. */
-#define CRYPT_FORCE_COMPLETE \
- 0x20 /* Set when the above encryption cycle is \
- complete. On next cryptkeeper entry, match \
- the password. If it matches fix the master \
- key and remove this flag. */
-
-/* Allowed values for type in the structure below */
-#define CRYPT_TYPE_PASSWORD \
- 0 /* master_key is encrypted with a password \
- * Must be zero to be compatible with pre-L \
- * devices where type is always password.*/
-#define CRYPT_TYPE_DEFAULT \
- 1 /* master_key is encrypted with default \
- * password */
-#define CRYPT_TYPE_PATTERN 2 /* master_key is encrypted with a pattern */
-#define CRYPT_TYPE_PIN 3 /* master_key is encrypted with a pin */
-#define CRYPT_TYPE_MAX_TYPE 3 /* type cannot be larger than this value */
-
-#define CRYPT_MNT_MAGIC 0xD0B5B1C4
-#define PERSIST_DATA_MAGIC 0xE950CD44
-
-/* Key Derivation Function algorithms */
-#define KDF_PBKDF2 1
-#define KDF_SCRYPT 2
-/* Algorithms 3 & 4 deprecated before shipping outside of google, so removed */
-#define KDF_SCRYPT_KEYMASTER 5
-
-/* Maximum allowed keymaster blob size. */
-#define KEYMASTER_BLOB_SIZE 2048
-
-/* __le32 and __le16 defined in system/extras/ext4_utils/ext4_utils.h */
-#define __le8 unsigned char
-
-#if !defined(SHA256_DIGEST_LENGTH)
-#define SHA256_DIGEST_LENGTH 32
-#endif
-
-/* This structure starts 16,384 bytes before the end of a hardware
- * partition that is encrypted, or in a separate partition. It's location
- * is specified by a property set in init.<device>.rc.
- * The structure allocates 48 bytes for a key, but the real key size is
- * specified in the struct. Currently, the code is hardcoded to use 128
- * bit keys.
- * The fields after salt are only valid in rev 1.1 and later stuctures.
- * Obviously, the filesystem does not include the last 16 kbytes
- * of the partition if the crypt_mnt_ftr lives at the end of the
- * partition.
- */
-
-struct crypt_mnt_ftr {
- __le32 magic; /* See above */
- __le16 major_version;
- __le16 minor_version;
- __le32 ftr_size; /* in bytes, not including key following */
- __le32 flags; /* See above */
- __le32 keysize; /* in bytes */
- __le32 crypt_type; /* how master_key is encrypted. Must be a
- * CRYPT_TYPE_XXX value */
- __le64 fs_size; /* Size of the encrypted fs, in 512 byte sectors */
- __le32 failed_decrypt_count; /* count of # of failed attempts to decrypt and
- mount, set to 0 on successful mount */
- unsigned char crypto_type_name[MAX_CRYPTO_TYPE_NAME_LEN]; /* The type of encryption
- needed to decrypt this
- partition, null terminated */
- __le32 spare2; /* ignored */
- unsigned char master_key[MAX_KEY_LEN]; /* The encrypted key for decrypting the filesystem */
- unsigned char salt[SALT_LEN]; /* The salt used for this encryption */
- __le64 persist_data_offset[2]; /* Absolute offset to both copies of crypt_persist_data
- * on device with that info, either the footer of the
- * real_blkdevice or the metadata partition. */
-
- __le32 persist_data_size; /* The number of bytes allocated to each copy of the
- * persistent data table*/
-
- __le8 kdf_type; /* The key derivation function used. */
-
- /* scrypt parameters. See www.tarsnap.com/scrypt/scrypt.pdf */
- __le8 N_factor; /* (1 << N) */
- __le8 r_factor; /* (1 << r) */
- __le8 p_factor; /* (1 << p) */
- __le64 encrypted_upto; /* no longer used */
- __le8 hash_first_block[SHA256_DIGEST_LENGTH]; /* no longer used */
-
- /* key_master key, used to sign the derived key which is then used to generate
- * the intermediate key
- * This key should be used for no other purposes! We use this key to sign unpadded
- * data, which is acceptable but only if the key is not reused elsewhere. */
- __le8 keymaster_blob[KEYMASTER_BLOB_SIZE];
- __le32 keymaster_blob_size;
-
- /* Store scrypt of salted intermediate key. When decryption fails, we can
- check if this matches, and if it does, we know that the problem is with the
- drive, and there is no point in asking the user for more passwords.
-
- Note that if any part of this structure is corrupt, this will not match and
- we will continue to believe the user entered the wrong password. In that
- case the only solution is for the user to enter a password enough times to
- force a wipe.
-
- Note also that there is no need to worry about migration. If this data is
- wrong, we simply won't recognise a right password, and will continue to
- prompt. On the first password change, this value will be populated and
- then we will be OK.
- */
- unsigned char scrypted_intermediate_key[SCRYPT_LEN];
-
- /* sha of this structure with this element set to zero
- Used when encrypting on reboot to validate structure before doing something
- fatal
- */
- unsigned char sha256[SHA256_DIGEST_LENGTH];
-};
-
-/* Persistant data that should be available before decryption.
- * Things like airplane mode, locale and timezone are kept
- * here and can be retrieved by the CryptKeeper UI to properly
- * configure the phone before asking for the password
- * This is only valid if the major and minor version above
- * is set to 1.1 or higher.
- *
- * This is a 4K structure. There are 2 copies, and the code alternates
- * writing one and then clearing the previous one. The reading
- * code reads the first valid copy it finds, based on the magic number.
- * The absolute offset to the first of the two copies is kept in rev 1.1
- * and higher crypt_mnt_ftr structures.
- */
-struct crypt_persist_entry {
- char key[PROPERTY_KEY_MAX];
- char val[PROPERTY_VALUE_MAX];
-};
-
-/* Should be exactly 4K in size */
-struct crypt_persist_data {
- __le32 persist_magic;
- __le32 persist_valid_entries;
- __le32 persist_spare[30];
- struct crypt_persist_entry persist_entry[0];
-};
-
-static int wait_and_unmount(const char* mountpoint, bool kill);
-
-typedef int (*kdf_func)(const char* passwd, const unsigned char* salt, unsigned char* ikey,
- void* params);
-
-#define UNUSED __attribute__((unused))
-
-#define HASH_COUNT 2000
-
-constexpr size_t INTERMEDIATE_KEY_LEN_BYTES = 16;
-constexpr size_t INTERMEDIATE_IV_LEN_BYTES = 16;
-constexpr size_t INTERMEDIATE_BUF_SIZE = (INTERMEDIATE_KEY_LEN_BYTES + INTERMEDIATE_IV_LEN_BYTES);
-
-// SCRYPT_LEN is used by struct crypt_mnt_ftr for its intermediate key.
-static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN, "Mismatch of intermediate key sizes");
-
-#define KEY_IN_FOOTER "footer"
-
-#define DEFAULT_PASSWORD "default_password"
-
-#define CRYPTO_BLOCK_DEVICE "userdata"
-
-#define BREADCRUMB_FILE "/data/misc/vold/convert_fde"
-
-#define EXT4_FS 1
-#define F2FS_FS 2
#define TABLE_LOAD_RETRIES 10
-#define RSA_KEY_SIZE 2048
-#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
-#define RSA_EXPONENT 0x10001
-#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
-
-#define RETRY_MOUNT_ATTEMPTS 10
-#define RETRY_MOUNT_DELAY_SECONDS 1
-
-#define CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE (1)
-
-static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr);
-
-static unsigned char saved_master_key[MAX_KEY_LEN];
-static char* saved_mount_point;
-static int master_key_saved = 0;
-static struct crypt_persist_data* persist_data = NULL;
-
constexpr CryptoType aes_128_cbc = CryptoType()
.set_config_name("AES-128-CBC")
.set_kernel_name("aes-cbc-essiv:sha256")
@@ -326,1544 +74,24 @@
return KeyGeneration{get_crypto_type().get_keysize(), true, false};
}
-/* Should we use keymaster? */
-static int keymaster_check_compatibility() {
- return keymaster_compatibility_cryptfs_scrypt();
-}
-
-/* Create a new keymaster key and store it in this footer */
-static int keymaster_create_key(struct crypt_mnt_ftr* ftr) {
- if (ftr->keymaster_blob_size) {
- SLOGI("Already have key");
- return 0;
- }
-
- int rc = keymaster_create_key_for_cryptfs_scrypt(
- RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
- KEYMASTER_BLOB_SIZE, &ftr->keymaster_blob_size);
- if (rc) {
- if (ftr->keymaster_blob_size > KEYMASTER_BLOB_SIZE) {
- SLOGE("Keymaster key blob too large");
- ftr->keymaster_blob_size = 0;
- }
- SLOGE("Failed to generate keypair");
- return -1;
- }
- return 0;
-}
-
-/* This signs the given object using the keymaster key. */
-static int keymaster_sign_object(struct crypt_mnt_ftr* ftr, const unsigned char* object,
- const size_t object_size, unsigned char** signature,
- size_t* signature_size) {
- unsigned char to_sign[RSA_KEY_SIZE_BYTES];
- size_t to_sign_size = sizeof(to_sign);
- memset(to_sign, 0, RSA_KEY_SIZE_BYTES);
-
- // To sign a message with RSA, the message must satisfy two
- // constraints:
- //
- // 1. The message, when interpreted as a big-endian numeric value, must
- // be strictly less than the public modulus of the RSA key. Note
- // that because the most significant bit of the public modulus is
- // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit
- // key), an n-bit message with most significant bit 0 always
- // satisfies this requirement.
- //
- // 2. The message must have the same length in bits as the public
- // modulus of the RSA key. This requirement isn't mathematically
- // necessary, but is necessary to ensure consistency in
- // implementations.
- switch (ftr->kdf_type) {
- case KDF_SCRYPT_KEYMASTER:
- // This ensures the most significant byte of the signed message
- // is zero. We could have zero-padded to the left instead, but
- // this approach is slightly more robust against changes in
- // object size. However, it's still broken (but not unusably
- // so) because we really should be using a proper deterministic
- // RSA padding function, such as PKCS1.
- memcpy(to_sign + 1, object, std::min((size_t)RSA_KEY_SIZE_BYTES - 1, object_size));
- SLOGI("Signing safely-padded object");
- break;
- default:
- SLOGE("Unknown KDF type %d", ftr->kdf_type);
- return -1;
- }
- for (;;) {
- auto result = keymaster_sign_object_for_cryptfs_scrypt(
- ftr->keymaster_blob, ftr->keymaster_blob_size, KEYMASTER_CRYPTFS_RATE_LIMIT, to_sign,
- to_sign_size, signature, signature_size);
- switch (result) {
- case KeymasterSignResult::ok:
- return 0;
- case KeymasterSignResult::upgrade:
- break;
- default:
- return -1;
- }
- SLOGD("Upgrading key");
- if (keymaster_upgrade_key_for_cryptfs_scrypt(
- RSA_KEY_SIZE, RSA_EXPONENT, KEYMASTER_CRYPTFS_RATE_LIMIT, ftr->keymaster_blob,
- ftr->keymaster_blob_size, ftr->keymaster_blob, KEYMASTER_BLOB_SIZE,
- &ftr->keymaster_blob_size) != 0) {
- SLOGE("Failed to upgrade key");
- return -1;
- }
- if (put_crypt_ftr_and_key(ftr) != 0) {
- SLOGE("Failed to write upgraded key to disk");
- }
- SLOGD("Key upgraded successfully");
- }
-}
-
-/* Store password when userdata is successfully decrypted and mounted.
- * Cleared by cryptfs_clear_password
- *
- * To avoid a double prompt at boot, we need to store the CryptKeeper
- * password and pass it to KeyGuard, which uses it to unlock KeyStore.
- * Since the entire framework is torn down and rebuilt after encryption,
- * we have to use a daemon or similar to store the password. Since vold
- * is secured against IPC except from system processes, it seems a reasonable
- * place to store this.
- *
- * password should be cleared once it has been used.
- *
- * password is aged out after password_max_age_seconds seconds.
- */
-static char* password = 0;
-static int password_expiry_time = 0;
-static const int password_max_age_seconds = 60;
-
-enum class RebootType { reboot, recovery, shutdown };
-static void cryptfs_reboot(RebootType rt) {
- switch (rt) {
- case RebootType::reboot:
- property_set(ANDROID_RB_PROPERTY, "reboot");
- break;
-
- case RebootType::recovery:
- property_set(ANDROID_RB_PROPERTY, "reboot,recovery");
- break;
-
- case RebootType::shutdown:
- property_set(ANDROID_RB_PROPERTY, "shutdown");
- break;
- }
-
- sleep(20);
-
- /* Shouldn't get here, reboot should happen before sleep times out */
- return;
-}
-
-/**
- * Gets the default device scrypt parameters for key derivation time tuning.
- * The parameters should lead to about one second derivation time for the
- * given device.
- */
-static void get_device_scrypt_params(struct crypt_mnt_ftr* ftr) {
- char paramstr[PROPERTY_VALUE_MAX];
- int Nf, rf, pf;
-
- property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS);
- if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) {
- SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr);
- parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf);
- }
- ftr->N_factor = Nf;
- ftr->r_factor = rf;
- ftr->p_factor = pf;
-}
-
-static uint64_t get_fs_size(const char* dev) {
- int fd, block_size;
- struct ext4_super_block sb;
- uint64_t len;
-
- if ((fd = open(dev, O_RDONLY | O_CLOEXEC)) < 0) {
- SLOGE("Cannot open device to get filesystem size ");
- return 0;
- }
-
- if (lseek64(fd, 1024, SEEK_SET) < 0) {
- SLOGE("Cannot seek to superblock");
- return 0;
- }
-
- if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) {
- SLOGE("Cannot read superblock");
- return 0;
- }
-
- close(fd);
-
- if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) {
- SLOGE("Not a valid ext4 superblock");
- return 0;
- }
- block_size = 1024 << sb.s_log_block_size;
- /* compute length in bytes */
- len = (((uint64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size;
-
- /* return length in sectors */
- return len / 512;
-}
-
-static void get_crypt_info(std::string* key_loc, std::string* real_blk_device) {
- for (const auto& entry : fstab_default) {
- if (!entry.fs_mgr_flags.vold_managed &&
- (entry.fs_mgr_flags.crypt || entry.fs_mgr_flags.force_crypt ||
- entry.fs_mgr_flags.force_fde_or_fbe || entry.fs_mgr_flags.file_encryption)) {
- if (key_loc != nullptr) {
- *key_loc = entry.key_loc;
- }
- if (real_blk_device != nullptr) {
- *real_blk_device = entry.blk_device;
- }
- return;
- }
- }
-}
-
-static int get_crypt_ftr_info(char** metadata_fname, off64_t* off) {
- static int cached_data = 0;
- static uint64_t cached_off = 0;
- static char cached_metadata_fname[PROPERTY_VALUE_MAX] = "";
- char key_loc[PROPERTY_VALUE_MAX];
- char real_blkdev[PROPERTY_VALUE_MAX];
- int rc = -1;
-
- if (!cached_data) {
- std::string key_loc;
- std::string real_blkdev;
- get_crypt_info(&key_loc, &real_blkdev);
-
- if (key_loc == KEY_IN_FOOTER) {
- if (android::vold::GetBlockDevSize(real_blkdev, &cached_off) == android::OK) {
- /* If it's an encrypted Android partition, the last 16 Kbytes contain the
- * encryption info footer and key, and plenty of bytes to spare for future
- * growth.
- */
- strlcpy(cached_metadata_fname, real_blkdev.c_str(), sizeof(cached_metadata_fname));
- cached_off -= CRYPT_FOOTER_OFFSET;
- cached_data = 1;
- } else {
- SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
- }
- } else {
- strlcpy(cached_metadata_fname, key_loc.c_str(), sizeof(cached_metadata_fname));
- cached_off = 0;
- cached_data = 1;
- }
- }
-
- if (cached_data) {
- if (metadata_fname) {
- *metadata_fname = cached_metadata_fname;
- }
- if (off) {
- *off = cached_off;
- }
- rc = 0;
- }
-
- return rc;
-}
-
-/* Set sha256 checksum in structure */
-static void set_ftr_sha(struct crypt_mnt_ftr* crypt_ftr) {
- SHA256_CTX c;
- SHA256_Init(&c);
- memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256));
- SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr));
- SHA256_Final(crypt_ftr->sha256, &c);
-}
-
-/* key or salt can be NULL, in which case just skip writing that value. Useful to
- * update the failed mount count but not change the key.
- */
-static int put_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
- int fd;
- unsigned int cnt;
- /* starting_off is set to the SEEK_SET offset
- * where the crypto structure starts
- */
- off64_t starting_off;
- int rc = -1;
- char* fname = NULL;
- struct stat statbuf;
-
- set_ftr_sha(crypt_ftr);
-
- if (get_crypt_ftr_info(&fname, &starting_off)) {
- SLOGE("Unable to get crypt_ftr_info\n");
- return -1;
- }
- if (fname[0] != '/') {
- SLOGE("Unexpected value for crypto key location\n");
- return -1;
- }
- if ((fd = open(fname, O_RDWR | O_CREAT | O_CLOEXEC, 0600)) < 0) {
- SLOGE("Cannot open footer file %s for put\n", fname);
- return -1;
- }
-
- /* Seek to the start of the crypt footer */
- if (lseek64(fd, starting_off, SEEK_SET) == -1) {
- SLOGE("Cannot seek to real block device footer\n");
- goto errout;
- }
-
- if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
- SLOGE("Cannot write real block device footer\n");
- goto errout;
- }
-
- fstat(fd, &statbuf);
- /* If the keys are kept on a raw block device, do not try to truncate it. */
- if (S_ISREG(statbuf.st_mode)) {
- if (ftruncate(fd, 0x4000)) {
- SLOGE("Cannot set footer file size\n");
- goto errout;
- }
- }
-
- /* Success! */
- rc = 0;
-
-errout:
- close(fd);
- return rc;
-}
-
-static bool check_ftr_sha(const struct crypt_mnt_ftr* crypt_ftr) {
- struct crypt_mnt_ftr copy;
- memcpy(©, crypt_ftr, sizeof(copy));
- set_ftr_sha(©);
- return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0;
-}
-
-static inline int unix_read(int fd, void* buff, int len) {
- return TEMP_FAILURE_RETRY(read(fd, buff, len));
-}
-
-static inline int unix_write(int fd, const void* buff, int len) {
- return TEMP_FAILURE_RETRY(write(fd, buff, len));
-}
-
-static void init_empty_persist_data(struct crypt_persist_data* pdata, int len) {
- memset(pdata, 0, len);
- pdata->persist_magic = PERSIST_DATA_MAGIC;
- pdata->persist_valid_entries = 0;
-}
-
-/* A routine to update the passed in crypt_ftr to the lastest version.
- * fd is open read/write on the device that holds the crypto footer and persistent
- * data, crypt_ftr is a pointer to the struct to be updated, and offset is the
- * absolute offset to the start of the crypt_mnt_ftr on the passed in fd.
- */
-static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr* crypt_ftr, off64_t offset) {
- int orig_major = crypt_ftr->major_version;
- int orig_minor = crypt_ftr->minor_version;
-
- if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) {
- struct crypt_persist_data* pdata;
- off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET;
-
- SLOGW("upgrading crypto footer to 1.1");
-
- pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
- if (pdata == NULL) {
- SLOGE("Cannot allocate persisent data\n");
- return;
- }
- memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE);
-
- /* Need to initialize the persistent data area */
- if (lseek64(fd, pdata_offset, SEEK_SET) == -1) {
- SLOGE("Cannot seek to persisent data offset\n");
- free(pdata);
- return;
- }
- /* Write all zeros to the first copy, making it invalid */
- unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
-
- /* Write a valid but empty structure to the second copy */
- init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
- unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE);
-
- /* Update the footer */
- crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
- crypt_ftr->persist_data_offset[0] = pdata_offset;
- crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE;
- crypt_ftr->minor_version = 1;
- free(pdata);
- }
-
- if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) {
- SLOGW("upgrading crypto footer to 1.2");
- /* But keep the old kdf_type.
- * It will get updated later to KDF_SCRYPT after the password has been verified.
- */
- crypt_ftr->kdf_type = KDF_PBKDF2;
- get_device_scrypt_params(crypt_ftr);
- crypt_ftr->minor_version = 2;
- }
-
- if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) {
- SLOGW("upgrading crypto footer to 1.3");
- crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD;
- crypt_ftr->minor_version = 3;
- }
-
- if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) {
- if (lseek64(fd, offset, SEEK_SET) == -1) {
- SLOGE("Cannot seek to crypt footer\n");
- return;
- }
- unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr));
- }
-}
-
-static int get_crypt_ftr_and_key(struct crypt_mnt_ftr* crypt_ftr) {
- int fd;
- unsigned int cnt;
- off64_t starting_off;
- int rc = -1;
- char* fname = NULL;
- struct stat statbuf;
-
- if (get_crypt_ftr_info(&fname, &starting_off)) {
- SLOGE("Unable to get crypt_ftr_info\n");
- return -1;
- }
- if (fname[0] != '/') {
- SLOGE("Unexpected value for crypto key location\n");
- return -1;
- }
- if ((fd = open(fname, O_RDWR | O_CLOEXEC)) < 0) {
- SLOGE("Cannot open footer file %s for get\n", fname);
- return -1;
- }
-
- /* Make sure it's 16 Kbytes in length */
- fstat(fd, &statbuf);
- if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) {
- SLOGE("footer file %s is not the expected size!\n", fname);
- goto errout;
- }
-
- /* Seek to the start of the crypt footer */
- if (lseek64(fd, starting_off, SEEK_SET) == -1) {
- SLOGE("Cannot seek to real block device footer\n");
- goto errout;
- }
-
- if ((cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) {
- SLOGE("Cannot read real block device footer\n");
- goto errout;
- }
-
- if (crypt_ftr->magic != CRYPT_MNT_MAGIC) {
- SLOGE("Bad magic for real block device %s\n", fname);
- goto errout;
- }
-
- if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) {
- SLOGE("Cannot understand major version %d real block device footer; expected %d\n",
- crypt_ftr->major_version, CURRENT_MAJOR_VERSION);
- goto errout;
- }
-
- // We risk buffer overflows with oversized keys, so we just reject them.
- // 0-sized keys are problematic (essentially by-passing encryption), and
- // AES-CBC key wrapping only works for multiples of 16 bytes.
- if ((crypt_ftr->keysize == 0) || ((crypt_ftr->keysize % 16) != 0) ||
- (crypt_ftr->keysize > MAX_KEY_LEN)) {
- SLOGE(
- "Invalid keysize (%u) for block device %s; Must be non-zero, "
- "divisible by 16, and <= %d\n",
- crypt_ftr->keysize, fname, MAX_KEY_LEN);
- goto errout;
- }
-
- if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) {
- SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n",
- crypt_ftr->minor_version, CURRENT_MINOR_VERSION);
- }
-
- /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the
- * copy on disk before returning.
- */
- if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) {
- upgrade_crypt_ftr(fd, crypt_ftr, starting_off);
- }
-
- /* Success! */
- rc = 0;
-
-errout:
- close(fd);
- return rc;
-}
-
-static int validate_persistent_data_storage(struct crypt_mnt_ftr* crypt_ftr) {
- if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size >
- crypt_ftr->persist_data_offset[1]) {
- SLOGE("Crypt_ftr persist data regions overlap");
- return -1;
- }
-
- if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) {
- SLOGE("Crypt_ftr persist data region 0 starts after region 1");
- return -1;
- }
-
- if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) -
- (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) >
- CRYPT_FOOTER_OFFSET) {
- SLOGE("Persistent data extends past crypto footer");
- return -1;
- }
-
- return 0;
-}
-
-static int load_persistent_data(void) {
- struct crypt_mnt_ftr crypt_ftr;
- struct crypt_persist_data* pdata = NULL;
- char encrypted_state[PROPERTY_VALUE_MAX];
- char* fname;
- int found = 0;
- int fd;
- int ret;
- int i;
-
- if (persist_data) {
- /* Nothing to do, we've already loaded or initialized it */
- return 0;
- }
-
- /* If not encrypted, just allocate an empty table and initialize it */
- property_get("ro.crypto.state", encrypted_state, "");
- if (strcmp(encrypted_state, "encrypted")) {
- pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
- if (pdata) {
- init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
- persist_data = pdata;
- return 0;
- }
- return -1;
- }
-
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- return -1;
- }
-
- if ((crypt_ftr.major_version < 1) ||
- (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
- SLOGE("Crypt_ftr version doesn't support persistent data");
- return -1;
- }
-
- if (get_crypt_ftr_info(&fname, NULL)) {
- return -1;
- }
-
- ret = validate_persistent_data_storage(&crypt_ftr);
- if (ret) {
- return -1;
- }
-
- fd = open(fname, O_RDONLY | O_CLOEXEC);
- if (fd < 0) {
- SLOGE("Cannot open %s metadata file", fname);
- return -1;
- }
-
- pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
- if (pdata == NULL) {
- SLOGE("Cannot allocate memory for persistent data");
- goto err;
- }
-
- for (i = 0; i < 2; i++) {
- if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) {
- SLOGE("Cannot seek to read persistent data on %s", fname);
- goto err2;
- }
- if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
- SLOGE("Error reading persistent data on iteration %d", i);
- goto err2;
- }
- if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
- found = 1;
- break;
- }
- }
-
- if (!found) {
- SLOGI("Could not find valid persistent data, creating");
- init_empty_persist_data(pdata, crypt_ftr.persist_data_size);
- }
-
- /* Success */
- persist_data = pdata;
- close(fd);
- return 0;
-
-err2:
- free(pdata);
-
-err:
- close(fd);
- return -1;
-}
-
-static int save_persistent_data(void) {
- struct crypt_mnt_ftr crypt_ftr;
- struct crypt_persist_data* pdata;
- char* fname;
- off64_t write_offset;
- off64_t erase_offset;
- int fd;
- int ret;
-
- if (persist_data == NULL) {
- SLOGE("No persistent data to save");
- return -1;
- }
-
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- return -1;
- }
-
- if ((crypt_ftr.major_version < 1) ||
- (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) {
- SLOGE("Crypt_ftr version doesn't support persistent data");
- return -1;
- }
-
- ret = validate_persistent_data_storage(&crypt_ftr);
- if (ret) {
- return -1;
- }
-
- if (get_crypt_ftr_info(&fname, NULL)) {
- return -1;
- }
-
- fd = open(fname, O_RDWR | O_CLOEXEC);
- if (fd < 0) {
- SLOGE("Cannot open %s metadata file", fname);
- return -1;
- }
-
- pdata = (crypt_persist_data*)malloc(crypt_ftr.persist_data_size);
- if (pdata == NULL) {
- SLOGE("Cannot allocate persistant data");
- goto err;
- }
-
- if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) {
- SLOGE("Cannot seek to read persistent data on %s", fname);
- goto err2;
- }
-
- if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) {
- SLOGE("Error reading persistent data before save");
- goto err2;
- }
-
- if (pdata->persist_magic == PERSIST_DATA_MAGIC) {
- /* The first copy is the curent valid copy, so write to
- * the second copy and erase this one */
- write_offset = crypt_ftr.persist_data_offset[1];
- erase_offset = crypt_ftr.persist_data_offset[0];
- } else {
- /* The second copy must be the valid copy, so write to
- * the first copy, and erase the second */
- write_offset = crypt_ftr.persist_data_offset[0];
- erase_offset = crypt_ftr.persist_data_offset[1];
- }
-
- /* Write the new copy first, if successful, then erase the old copy */
- if (lseek64(fd, write_offset, SEEK_SET) < 0) {
- SLOGE("Cannot seek to write persistent data");
- goto err2;
- }
- if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) ==
- (int)crypt_ftr.persist_data_size) {
- if (lseek64(fd, erase_offset, SEEK_SET) < 0) {
- SLOGE("Cannot seek to erase previous persistent data");
- goto err2;
- }
- fsync(fd);
- memset(pdata, 0, crypt_ftr.persist_data_size);
- if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != (int)crypt_ftr.persist_data_size) {
- SLOGE("Cannot write to erase previous persistent data");
- goto err2;
- }
- fsync(fd);
- } else {
- SLOGE("Cannot write to save persistent data");
- goto err2;
- }
-
- /* Success */
- free(pdata);
- close(fd);
- return 0;
-
-err2:
- free(pdata);
-err:
- close(fd);
- return -1;
-}
-
/* Convert a binary key of specified length into an ascii hex string equivalent,
* without the leading 0x and with null termination
*/
-static void convert_key_to_hex_ascii(const unsigned char* master_key, unsigned int keysize,
- char* master_key_ascii) {
+static void convert_key_to_hex_ascii(const KeyBuffer& key, char* key_ascii) {
unsigned int i, a;
unsigned char nibble;
- for (i = 0, a = 0; i < keysize; i++, a += 2) {
+ for (i = 0, a = 0; i < key.size(); i++, a += 2) {
/* For each byte, write out two ascii hex digits */
- nibble = (master_key[i] >> 4) & 0xf;
- master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
+ nibble = (key[i] >> 4) & 0xf;
+ key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30);
- nibble = master_key[i] & 0xf;
- master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
+ nibble = key[i] & 0xf;
+ key_ascii[a + 1] = nibble + (nibble > 9 ? 0x37 : 0x30);
}
/* Add the null termination */
- master_key_ascii[a] = '\0';
-}
-
-/*
- * If the ro.crypto.fde_sector_size system property is set, append the
- * parameters to make dm-crypt use the specified crypto sector size and round
- * the crypto device size down to a crypto sector boundary.
- */
-static int add_sector_size_param(DmTargetCrypt* target, struct crypt_mnt_ftr* ftr) {
- constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
- char value[PROPERTY_VALUE_MAX];
-
- if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
- unsigned int sector_size;
-
- if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
- (sector_size & (sector_size - 1)) != 0) {
- SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
- DM_CRYPT_SECTOR_SIZE, value);
- return -1;
- }
-
- target->SetSectorSize(sector_size);
-
- // With this option, IVs will match the sector numbering, instead
- // of being hard-coded to being based on 512-byte sectors.
- target->SetIvLargeSectors();
-
- // Round the crypto device size down to a crypto sector boundary.
- ftr->fs_size &= ~((sector_size / 512) - 1);
- }
- return 0;
-}
-
-static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
- const char* real_blk_name, std::string* crypto_blk_name,
- const char* name, uint32_t flags) {
- auto& dm = DeviceMapper::Instance();
-
- // We need two ASCII characters to represent each byte, and need space for
- // the '\0' terminator.
- char master_key_ascii[MAX_KEY_LEN * 2 + 1];
- convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
-
- auto target = std::make_unique<DmTargetCrypt>(0, crypt_ftr->fs_size,
- (const char*)crypt_ftr->crypto_type_name,
- master_key_ascii, 0, real_blk_name, 0);
- target->AllowDiscards();
-
- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE) {
- target->AllowEncryptOverride();
- }
- if (add_sector_size_param(target.get(), crypt_ftr)) {
- SLOGE("Error processing dm-crypt sector size param\n");
- return -1;
- }
-
- DmTable table;
- table.AddTarget(std::move(target));
-
- int load_count = 1;
- while (load_count < TABLE_LOAD_RETRIES) {
- if (dm.CreateDevice(name, table)) {
- break;
- }
- load_count++;
- }
-
- if (load_count >= TABLE_LOAD_RETRIES) {
- SLOGE("Cannot load dm-crypt mapping table.\n");
- return -1;
- }
- if (load_count > 1) {
- SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
- }
-
- if (!dm.GetDmDevicePathByName(name, crypto_blk_name)) {
- SLOGE("Cannot determine dm-crypt path for %s.\n", name);
- return -1;
- }
-
- /* Ensure the dm device has been created before returning. */
- if (android::vold::WaitForFile(crypto_blk_name->c_str(), 1s) < 0) {
- // WaitForFile generates a suitable log message
- return -1;
- }
- return 0;
-}
-
-static int delete_crypto_blk_dev(const std::string& name) {
- bool ret;
- auto& dm = DeviceMapper::Instance();
- // TODO(b/149396179) there appears to be a race somewhere in the system where trying
- // to delete the device fails with EBUSY; for now, work around this by retrying.
- int tries = 5;
- while (tries-- > 0) {
- ret = dm.DeleteDevice(name);
- if (ret || errno != EBUSY) {
- break;
- }
- SLOGW("DM_DEV Cannot remove dm-crypt device %s: %s, retrying...\n", name.c_str(),
- strerror(errno));
- std::this_thread::sleep_for(std::chrono::milliseconds(100));
- }
- if (!ret) {
- SLOGE("DM_DEV Cannot remove dm-crypt device %s: %s\n", name.c_str(), strerror(errno));
- return -1;
- }
- return 0;
-}
-
-static int pbkdf2(const char* passwd, const unsigned char* salt, unsigned char* ikey,
- void* params UNUSED) {
- SLOGI("Using pbkdf2 for cryptfs KDF");
-
- /* Turn the password into a key and IV that can decrypt the master key */
- return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, HASH_COUNT,
- INTERMEDIATE_BUF_SIZE, ikey) != 1;
-}
-
-static int scrypt(const char* passwd, const unsigned char* salt, unsigned char* ikey, void* params) {
- SLOGI("Using scrypt for cryptfs KDF");
-
- struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
-
- int N = 1 << ftr->N_factor;
- int r = 1 << ftr->r_factor;
- int p = 1 << ftr->p_factor;
-
- /* Turn the password into a key and IV that can decrypt the master key */
- crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
- INTERMEDIATE_BUF_SIZE);
-
- return 0;
-}
-
-static int scrypt_keymaster(const char* passwd, const unsigned char* salt, unsigned char* ikey,
- void* params) {
- SLOGI("Using scrypt with keymaster for cryptfs KDF");
-
- int rc;
- size_t signature_size;
- unsigned char* signature;
- struct crypt_mnt_ftr* ftr = (struct crypt_mnt_ftr*)params;
-
- int N = 1 << ftr->N_factor;
- int r = 1 << ftr->r_factor;
- int p = 1 << ftr->p_factor;
-
- rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), salt, SALT_LEN, N, r, p, ikey,
- INTERMEDIATE_BUF_SIZE);
-
- if (rc) {
- SLOGE("scrypt failed");
- return -1;
- }
-
- if (keymaster_sign_object(ftr, ikey, INTERMEDIATE_BUF_SIZE, &signature, &signature_size)) {
- SLOGE("Signing failed");
- return -1;
- }
-
- rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, N, r, p, ikey,
- INTERMEDIATE_BUF_SIZE);
- free(signature);
-
- if (rc) {
- SLOGE("scrypt failed");
- return -1;
- }
-
- return 0;
-}
-
-static int encrypt_master_key(const char* passwd, const unsigned char* salt,
- const unsigned char* decrypted_master_key,
- unsigned char* encrypted_master_key, struct crypt_mnt_ftr* crypt_ftr) {
- unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
- EVP_CIPHER_CTX e_ctx;
- int encrypted_len, final_len;
- int rc = 0;
-
- /* Turn the password into an intermediate key and IV that can decrypt the master key */
- get_device_scrypt_params(crypt_ftr);
-
- switch (crypt_ftr->kdf_type) {
- case KDF_SCRYPT_KEYMASTER:
- if (keymaster_create_key(crypt_ftr)) {
- SLOGE("keymaster_create_key failed");
- return -1;
- }
-
- if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) {
- SLOGE("scrypt failed");
- return -1;
- }
- break;
-
- case KDF_SCRYPT:
- if (scrypt(passwd, salt, ikey, crypt_ftr)) {
- SLOGE("scrypt failed");
- return -1;
- }
- break;
-
- default:
- SLOGE("Invalid kdf_type");
- return -1;
- }
-
- /* Initialize the decryption engine */
- EVP_CIPHER_CTX_init(&e_ctx);
- if (!EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey,
- ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
- SLOGE("EVP_EncryptInit failed\n");
- return -1;
- }
- EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */
-
- /* Encrypt the master key */
- if (!EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, decrypted_master_key,
- crypt_ftr->keysize)) {
- SLOGE("EVP_EncryptUpdate failed\n");
- return -1;
- }
- if (!EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) {
- SLOGE("EVP_EncryptFinal failed\n");
- return -1;
- }
-
- if (encrypted_len + final_len != static_cast<int>(crypt_ftr->keysize)) {
- SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len);
- return -1;
- }
-
- /* Store the scrypt of the intermediate key, so we can validate if it's a
- password error or mount error when things go wrong.
- Note there's no need to check for errors, since if this is incorrect, we
- simply won't wipe userdata, which is the correct default behavior
- */
- int N = 1 << crypt_ftr->N_factor;
- int r = 1 << crypt_ftr->r_factor;
- int p = 1 << crypt_ftr->p_factor;
-
- rc = crypto_scrypt(ikey, INTERMEDIATE_KEY_LEN_BYTES, crypt_ftr->salt, sizeof(crypt_ftr->salt),
- N, r, p, crypt_ftr->scrypted_intermediate_key,
- sizeof(crypt_ftr->scrypted_intermediate_key));
-
- if (rc) {
- SLOGE("encrypt_master_key: crypto_scrypt failed");
- }
-
- EVP_CIPHER_CTX_cleanup(&e_ctx);
-
- return 0;
-}
-
-static int decrypt_master_key_aux(const char* passwd, unsigned char* salt,
- const unsigned char* encrypted_master_key, size_t keysize,
- unsigned char* decrypted_master_key, kdf_func kdf,
- void* kdf_params, unsigned char** intermediate_key,
- size_t* intermediate_key_size) {
- unsigned char ikey[INTERMEDIATE_BUF_SIZE] = {0};
- EVP_CIPHER_CTX d_ctx;
- int decrypted_len, final_len;
-
- /* Turn the password into an intermediate key and IV that can decrypt the
- master key */
- if (kdf(passwd, salt, ikey, kdf_params)) {
- SLOGE("kdf failed");
- return -1;
- }
-
- /* Initialize the decryption engine */
- EVP_CIPHER_CTX_init(&d_ctx);
- if (!EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey,
- ikey + INTERMEDIATE_KEY_LEN_BYTES)) {
- return -1;
- }
- EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */
- /* Decrypt the master key */
- if (!EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, encrypted_master_key,
- keysize)) {
- return -1;
- }
- if (!EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) {
- return -1;
- }
-
- if (decrypted_len + final_len != static_cast<int>(keysize)) {
- return -1;
- }
-
- /* Copy intermediate key if needed by params */
- if (intermediate_key && intermediate_key_size) {
- *intermediate_key = (unsigned char*)malloc(INTERMEDIATE_KEY_LEN_BYTES);
- if (*intermediate_key) {
- memcpy(*intermediate_key, ikey, INTERMEDIATE_KEY_LEN_BYTES);
- *intermediate_key_size = INTERMEDIATE_KEY_LEN_BYTES;
- }
- }
-
- EVP_CIPHER_CTX_cleanup(&d_ctx);
-
- return 0;
-}
-
-static void get_kdf_func(struct crypt_mnt_ftr* ftr, kdf_func* kdf, void** kdf_params) {
- if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
- *kdf = scrypt_keymaster;
- *kdf_params = ftr;
- } else if (ftr->kdf_type == KDF_SCRYPT) {
- *kdf = scrypt;
- *kdf_params = ftr;
- } else {
- *kdf = pbkdf2;
- *kdf_params = NULL;
- }
-}
-
-static int decrypt_master_key(const char* passwd, unsigned char* decrypted_master_key,
- struct crypt_mnt_ftr* crypt_ftr, unsigned char** intermediate_key,
- size_t* intermediate_key_size) {
- kdf_func kdf;
- void* kdf_params;
- int ret;
-
- get_kdf_func(crypt_ftr, &kdf, &kdf_params);
- ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, crypt_ftr->keysize,
- decrypted_master_key, kdf, kdf_params, intermediate_key,
- intermediate_key_size);
- if (ret != 0) {
- SLOGW("failure decrypting master key");
- }
-
- return ret;
-}
-
-static int create_encrypted_random_key(const char* passwd, unsigned char* master_key,
- unsigned char* salt, struct crypt_mnt_ftr* crypt_ftr) {
- unsigned char key_buf[MAX_KEY_LEN];
-
- /* Get some random bits for a key and salt */
- if (android::vold::ReadRandomBytes(sizeof(key_buf), reinterpret_cast<char*>(key_buf)) != 0) {
- return -1;
- }
- if (android::vold::ReadRandomBytes(SALT_LEN, reinterpret_cast<char*>(salt)) != 0) {
- return -1;
- }
-
- /* Now encrypt it with the password */
- return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
-}
-
-static void ensure_subdirectory_unmounted(const char *prefix) {
- std::vector<std::string> umount_points;
- std::unique_ptr<FILE, int (*)(FILE*)> mnts(setmntent("/proc/mounts", "r"), endmntent);
- if (!mnts) {
- SLOGW("could not read mount files");
- return;
- }
-
- //Find sudirectory mount point
- mntent* mentry;
- std::string top_directory(prefix);
- if (!android::base::EndsWith(prefix, "/")) {
- top_directory = top_directory + "/";
- }
- while ((mentry = getmntent(mnts.get())) != nullptr) {
- if (strcmp(mentry->mnt_dir, top_directory.c_str()) == 0) {
- continue;
- }
-
- if (android::base::StartsWith(mentry->mnt_dir, top_directory)) {
- SLOGW("found sub-directory mount %s - %s\n", prefix, mentry->mnt_dir);
- umount_points.push_back(mentry->mnt_dir);
- }
- }
-
- //Sort by path length to umount longest path first
- std::sort(std::begin(umount_points), std::end(umount_points),
- [](const std::string& s1, const std::string& s2) {return s1.length() > s2.length(); });
-
- for (std::string& mount_point : umount_points) {
- umount(mount_point.c_str());
- SLOGW("umount sub-directory mount %s\n", mount_point.c_str());
- }
-}
-
-static int wait_and_unmount(const char* mountpoint, bool kill) {
- int i, err, rc;
-
- // Subdirectory mount will cause a failure of umount.
- ensure_subdirectory_unmounted(mountpoint);
-#define WAIT_UNMOUNT_COUNT 20
-
- /* Now umount the tmpfs filesystem */
- for (i = 0; i < WAIT_UNMOUNT_COUNT; i++) {
- if (umount(mountpoint) == 0) {
- break;
- }
-
- if (errno == EINVAL) {
- /* EINVAL is returned if the directory is not a mountpoint,
- * i.e. there is no filesystem mounted there. So just get out.
- */
- break;
- }
-
- err = errno;
-
- /* If allowed, be increasingly aggressive before the last two retries */
- if (kill) {
- if (i == (WAIT_UNMOUNT_COUNT - 3)) {
- SLOGW("sending SIGHUP to processes with open files\n");
- android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
- } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
- SLOGW("sending SIGKILL to processes with open files\n");
- android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
- }
- }
-
- sleep(1);
- }
-
- if (i < WAIT_UNMOUNT_COUNT) {
- SLOGD("unmounting %s succeeded\n", mountpoint);
- rc = 0;
- } else {
- android::vold::KillProcessesWithOpenFiles(mountpoint, 0);
- SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err));
- rc = -1;
- }
-
- return rc;
-}
-
-static void prep_data_fs(void) {
- // NOTE: post_fs_data results in init calling back around to vold, so all
- // callers to this method must be async
-
- /* Do the prep of the /data filesystem */
- property_set("vold.post_fs_data_done", "0");
- property_set("vold.decrypt", "trigger_post_fs_data");
- SLOGD("Just triggered post_fs_data");
-
- /* Wait a max of 50 seconds, hopefully it takes much less */
- while (!android::base::WaitForProperty("vold.post_fs_data_done", "1", std::chrono::seconds(15))) {
- /* We timed out to prep /data in time. Continue wait. */
- SLOGE("waited 15s for vold.post_fs_data_done, still waiting...");
- }
- SLOGD("post_fs_data done");
-}
-
-static void cryptfs_set_corrupt() {
- // Mark the footer as bad
- struct crypt_mnt_ftr crypt_ftr;
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- SLOGE("Failed to get crypto footer - panic");
- return;
- }
-
- crypt_ftr.flags |= CRYPT_DATA_CORRUPT;
- if (put_crypt_ftr_and_key(&crypt_ftr)) {
- SLOGE("Failed to set crypto footer - panic");
- return;
- }
-}
-
-static void cryptfs_trigger_restart_min_framework() {
- if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
- SLOGE("Failed to mount tmpfs on data - panic");
- return;
- }
-
- if (property_set("vold.decrypt", "trigger_post_fs_data")) {
- SLOGE("Failed to trigger post fs data - panic");
- return;
- }
-
- if (property_set("vold.decrypt", "trigger_restart_min_framework")) {
- SLOGE("Failed to trigger restart min framework - panic");
- return;
- }
-}
-
-/* returns < 0 on failure */
-static int cryptfs_restart_internal(int restart_main) {
- char crypto_blkdev[MAXPATHLEN];
- int rc = -1;
- static int restart_successful = 0;
-
- /* Validate that it's OK to call this routine */
- if (!master_key_saved) {
- SLOGE("Encrypted filesystem not validated, aborting");
- return -1;
- }
-
- if (restart_successful) {
- SLOGE("System already restarted with encrypted disk, aborting");
- return -1;
- }
-
- if (restart_main) {
- /* Here is where we shut down the framework. The init scripts
- * start all services in one of these classes: core, early_hal, hal,
- * main and late_start. To get to the minimal UI for PIN entry, we
- * need to start core, early_hal, hal and main. When we want to
- * shutdown the framework again, we need to stop most of the services in
- * these classes, but only those services that were started after
- * /data was mounted. This excludes critical services like vold and
- * ueventd, which need to keep running. We could possible stop
- * even fewer services, but because we want services to pick up APEX
- * libraries from the real /data, restarting is better, as it makes
- * these devices consistent with FBE devices and lets them use the
- * most recent code.
- *
- * Once these services have stopped, we should be able
- * to umount the tmpfs /data, then mount the encrypted /data.
- * We then restart the class core, hal, main, and also the class
- * late_start.
- *
- * At the moment, I've only put a few things in late_start that I know
- * are not needed to bring up the framework, and that also cause problems
- * with unmounting the tmpfs /data, but I hope to add add more services
- * to the late_start class as we optimize this to decrease the delay
- * till the user is asked for the password to the filesystem.
- */
-
- /* The init files are setup to stop the right set of services when
- * vold.decrypt is set to trigger_shutdown_framework.
- */
- property_set("vold.decrypt", "trigger_shutdown_framework");
- SLOGD("Just asked init to shut down class main\n");
-
- /* Ugh, shutting down the framework is not synchronous, so until it
- * can be fixed, this horrible hack will wait a moment for it all to
- * shut down before proceeding. Without it, some devices cannot
- * restart the graphics services.
- */
- sleep(2);
- }
-
- /* Now that the framework is shutdown, we should be able to umount()
- * the tmpfs filesystem, and mount the real one.
- */
-
- property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, "");
- if (strlen(crypto_blkdev) == 0) {
- SLOGE("fs_crypto_blkdev not set\n");
- return -1;
- }
-
- if (!(rc = wait_and_unmount(DATA_MNT_POINT, true))) {
- /* If ro.crypto.readonly is set to 1, mount the decrypted
- * filesystem readonly. This is used when /data is mounted by
- * recovery mode.
- */
- char ro_prop[PROPERTY_VALUE_MAX];
- property_get("ro.crypto.readonly", ro_prop, "");
- if (strlen(ro_prop) > 0 && std::stoi(ro_prop)) {
- auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
- if (entry != nullptr) {
- entry->flags |= MS_RDONLY;
- }
- }
-
- /* If that succeeded, then mount the decrypted filesystem */
- int retries = RETRY_MOUNT_ATTEMPTS;
- int mount_rc;
-
- /*
- * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted
- * partitions in the fsck domain.
- */
- if (setexeccon(android::vold::sFsckContext)) {
- SLOGE("Failed to setexeccon");
- return -1;
- }
- bool needs_cp = android::vold::cp_needsCheckpoint();
- while ((mount_rc = fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT, crypto_blkdev, 0,
- needs_cp, false)) != 0) {
- if (mount_rc == FS_MGR_DOMNT_BUSY) {
- /* TODO: invoke something similar to
- Process::killProcessWithOpenFiles(DATA_MNT_POINT,
- retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */
- SLOGI("Failed to mount %s because it is busy - waiting", crypto_blkdev);
- if (--retries) {
- sleep(RETRY_MOUNT_DELAY_SECONDS);
- } else {
- /* Let's hope that a reboot clears away whatever is keeping
- the mount busy */
- cryptfs_reboot(RebootType::reboot);
- }
- } else {
- SLOGE("Failed to mount decrypted data");
- cryptfs_set_corrupt();
- cryptfs_trigger_restart_min_framework();
- SLOGI("Started framework to offer wipe");
- if (setexeccon(NULL)) {
- SLOGE("Failed to setexeccon");
- }
- return -1;
- }
- }
- if (setexeccon(NULL)) {
- SLOGE("Failed to setexeccon");
- return -1;
- }
-
- /* Create necessary paths on /data */
- prep_data_fs();
- property_set("vold.decrypt", "trigger_load_persist_props");
-
- /* startup service classes main and late_start */
- property_set("vold.decrypt", "trigger_restart_framework");
- SLOGD("Just triggered restart_framework\n");
-
- /* Give it a few moments to get started */
- sleep(1);
- }
-
- if (rc == 0) {
- restart_successful = 1;
- }
-
- return rc;
-}
-
-int cryptfs_restart(void) {
- SLOGI("cryptfs_restart");
- if (fscrypt_is_native()) {
- SLOGE("cryptfs_restart not valid for file encryption:");
- return -1;
- }
-
- /* Call internal implementation forcing a restart of main service group */
- return cryptfs_restart_internal(1);
-}
-
-static int do_crypto_complete(const char* mount_point) {
- struct crypt_mnt_ftr crypt_ftr;
- char encrypted_state[PROPERTY_VALUE_MAX];
-
- property_get("ro.crypto.state", encrypted_state, "");
- if (strcmp(encrypted_state, "encrypted")) {
- SLOGE("not running with encryption, aborting");
- return CRYPTO_COMPLETE_NOT_ENCRYPTED;
- }
-
- // crypto_complete is full disk encrypted status
- if (fscrypt_is_native()) {
- return CRYPTO_COMPLETE_NOT_ENCRYPTED;
- }
-
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- std::string key_loc;
- get_crypt_info(&key_loc, nullptr);
-
- /*
- * Only report this error if key_loc is a file and it exists.
- * If the device was never encrypted, and /data is not mountable for
- * some reason, returning 1 should prevent the UI from presenting the
- * a "enter password" screen, or worse, a "press button to wipe the
- * device" screen.
- */
- if (!key_loc.empty() && key_loc[0] == '/' && (access("key_loc", F_OK) == -1)) {
- SLOGE("master key file does not exist, aborting");
- return CRYPTO_COMPLETE_NOT_ENCRYPTED;
- } else {
- SLOGE("Error getting crypt footer and key\n");
- return CRYPTO_COMPLETE_BAD_METADATA;
- }
- }
-
- // Test for possible error flags
- if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) {
- SLOGE("Encryption process is partway completed\n");
- return CRYPTO_COMPLETE_PARTIAL;
- }
-
- if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
- SLOGE("Encryption process was interrupted but cannot continue\n");
- return CRYPTO_COMPLETE_INCONSISTENT;
- }
-
- if (crypt_ftr.flags & CRYPT_DATA_CORRUPT) {
- SLOGE("Encryption is successful but data is corrupt\n");
- return CRYPTO_COMPLETE_CORRUPT;
- }
-
- /* We passed the test! We shall diminish, and return to the west */
- return CRYPTO_COMPLETE_ENCRYPTED;
-}
-
-static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, const char* passwd,
- const char* mount_point, const char* label) {
- unsigned char decrypted_master_key[MAX_KEY_LEN];
- std::string crypto_blkdev;
- std::string real_blkdev;
- char tmp_mount_point[64];
- unsigned int orig_failed_decrypt_count;
- int rc;
- int use_keymaster = 0;
- int upgrade = 0;
- unsigned char* intermediate_key = 0;
- size_t intermediate_key_size = 0;
- int N = 1 << crypt_ftr->N_factor;
- int r = 1 << crypt_ftr->r_factor;
- int p = 1 << crypt_ftr->p_factor;
-
- SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
- orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
-
- if (!(crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED)) {
- if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, &intermediate_key,
- &intermediate_key_size)) {
- SLOGE("Failed to decrypt master key\n");
- rc = -1;
- goto errout;
- }
- }
-
- get_crypt_info(nullptr, &real_blkdev);
-
- // Create crypto block device - all (non fatal) code paths
- // need it
- if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, real_blkdev.c_str(), &crypto_blkdev,
- label, 0)) {
- SLOGE("Error creating decrypted block device\n");
- rc = -1;
- goto errout;
- }
-
- /* Work out if the problem is the password or the data */
- unsigned char scrypted_intermediate_key[sizeof(crypt_ftr->scrypted_intermediate_key)];
-
- rc = crypto_scrypt(intermediate_key, intermediate_key_size, crypt_ftr->salt,
- sizeof(crypt_ftr->salt), N, r, p, scrypted_intermediate_key,
- sizeof(scrypted_intermediate_key));
-
- // Does the key match the crypto footer?
- if (rc == 0 && memcmp(scrypted_intermediate_key, crypt_ftr->scrypted_intermediate_key,
- sizeof(scrypted_intermediate_key)) == 0) {
- SLOGI("Password matches");
- rc = 0;
- } else {
- /* Try mounting the file system anyway, just in case the problem's with
- * the footer, not the key. */
- snprintf(tmp_mount_point, sizeof(tmp_mount_point), "%s/tmp_mnt", mount_point);
- mkdir(tmp_mount_point, 0755);
- if (fs_mgr_do_mount(&fstab_default, DATA_MNT_POINT,
- const_cast<char*>(crypto_blkdev.c_str()), tmp_mount_point)) {
- SLOGE("Error temp mounting decrypted block device\n");
- delete_crypto_blk_dev(label);
-
- rc = ++crypt_ftr->failed_decrypt_count;
- put_crypt_ftr_and_key(crypt_ftr);
- } else {
- /* Success! */
- SLOGI("Password did not match but decrypted drive mounted - continue");
- umount(tmp_mount_point);
- rc = 0;
- }
- }
-
- if (rc == 0) {
- crypt_ftr->failed_decrypt_count = 0;
- if (orig_failed_decrypt_count != 0) {
- put_crypt_ftr_and_key(crypt_ftr);
- }
-
- /* Save the name of the crypto block device
- * so we can mount it when restarting the framework. */
- property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev.c_str());
-
- /* Also save a the master key so we can reencrypted the key
- * the key when we want to change the password on it. */
- memcpy(saved_master_key, decrypted_master_key, crypt_ftr->keysize);
- saved_mount_point = strdup(mount_point);
- master_key_saved = 1;
- SLOGD("%s(): Master key saved\n", __FUNCTION__);
- rc = 0;
-
- // Upgrade if we're not using the latest KDF.
- use_keymaster = keymaster_check_compatibility();
- if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) {
- // Don't allow downgrade
- } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) {
- crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
- upgrade = 1;
- } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) {
- crypt_ftr->kdf_type = KDF_SCRYPT;
- upgrade = 1;
- }
-
- if (upgrade) {
- rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
- crypt_ftr->master_key, crypt_ftr);
- if (!rc) {
- rc = put_crypt_ftr_and_key(crypt_ftr);
- }
- SLOGD("Key Derivation Function upgrade: rc=%d\n", rc);
-
- // Do not fail even if upgrade failed - machine is bootable
- // Note that if this code is ever hit, there is a *serious* problem
- // since KDFs should never fail. You *must* fix the kdf before
- // proceeding!
- if (rc) {
- SLOGW(
- "Upgrade failed with error %d,"
- " but continuing with previous state",
- rc);
- rc = 0;
- }
- }
- }
-
-errout:
- if (intermediate_key) {
- memset(intermediate_key, 0, intermediate_key_size);
- free(intermediate_key);
- }
- return rc;
+ key_ascii[a] = '\0';
}
/*
@@ -1886,912 +114,75 @@
return -1;
}
- struct crypt_mnt_ftr ext_crypt_ftr;
- memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr));
- ext_crypt_ftr.fs_size = nr_sec;
- ext_crypt_ftr.keysize = crypto_type.get_keysize();
- strlcpy((char*)ext_crypt_ftr.crypto_type_name, crypto_type.get_kernel_name(),
- MAX_CRYPTO_TYPE_NAME_LEN);
- uint32_t flags = 0;
- if (fscrypt_is_native() &&
- android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false))
- flags |= CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE;
+ constexpr char DM_CRYPT_SECTOR_SIZE[] = "ro.crypto.fde_sector_size";
+ char value[PROPERTY_VALUE_MAX];
+ unsigned int sector_size = 0;
- return create_crypto_blk_dev(&ext_crypt_ftr, reinterpret_cast<const unsigned char*>(key.data()),
- real_blkdev, out_crypto_blkdev, label, flags);
-}
-
-int cryptfs_crypto_complete(void) {
- return do_crypto_complete("/data");
-}
-
-int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) {
- char encrypted_state[PROPERTY_VALUE_MAX];
- property_get("ro.crypto.state", encrypted_state, "");
- if (master_key_saved || strcmp(encrypted_state, "encrypted")) {
- SLOGE(
- "encrypted fs already validated or not running with encryption,"
- " aborting");
- return -1;
- }
-
- if (get_crypt_ftr_and_key(crypt_ftr)) {
- SLOGE("Error getting crypt footer and key");
- return -1;
- }
-
- return 0;
-}
-
-int cryptfs_check_passwd(const char* passwd) {
- SLOGI("cryptfs_check_passwd");
- if (fscrypt_is_native()) {
- SLOGE("cryptfs_check_passwd not valid for file encryption");
- return -1;
- }
-
- struct crypt_mnt_ftr crypt_ftr;
- int rc;
-
- rc = check_unmounted_and_get_ftr(&crypt_ftr);
- if (rc) {
- SLOGE("Could not get footer");
- return rc;
- }
-
- rc = test_mount_encrypted_fs(&crypt_ftr, passwd, DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
- if (rc) {
- SLOGE("Password did not match");
- return rc;
- }
-
- if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
- // Here we have a default actual password but a real password
- // we must test against the scrypted value
- // First, we must delete the crypto block device that
- // test_mount_encrypted_fs leaves behind as a side effect
- delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
- rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, DATA_MNT_POINT,
- CRYPTO_BLOCK_DEVICE);
- if (rc) {
- SLOGE("Default password did not match on reboot encryption");
- return rc;
- }
-
- crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
- put_crypt_ftr_and_key(&crypt_ftr);
- rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
- if (rc) {
- SLOGE("Could not change password on reboot encryption");
- return rc;
- }
- }
-
- if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
- cryptfs_clear_password();
- password = strdup(passwd);
- struct timespec now;
- clock_gettime(CLOCK_BOOTTIME, &now);
- password_expiry_time = now.tv_sec + password_max_age_seconds;
- }
-
- return rc;
-}
-
-int cryptfs_verify_passwd(const char* passwd) {
- struct crypt_mnt_ftr crypt_ftr;
- unsigned char decrypted_master_key[MAX_KEY_LEN];
- char encrypted_state[PROPERTY_VALUE_MAX];
- int rc;
-
- property_get("ro.crypto.state", encrypted_state, "");
- if (strcmp(encrypted_state, "encrypted")) {
- SLOGE("device not encrypted, aborting");
- return -2;
- }
-
- if (!master_key_saved) {
- SLOGE("encrypted fs not yet mounted, aborting");
- return -1;
- }
-
- if (!saved_mount_point) {
- SLOGE("encrypted fs failed to save mount point, aborting");
- return -1;
- }
-
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- SLOGE("Error getting crypt footer and key\n");
- return -1;
- }
-
- if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) {
- /* If the device has no password, then just say the password is valid */
- rc = 0;
- } else {
- decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
- if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
- /* They match, the password is correct */
- rc = 0;
- } else {
- /* If incorrect, sleep for a bit to prevent dictionary attacks */
- sleep(1);
- rc = 1;
- }
- }
-
- return rc;
-}
-
-/* Initialize a crypt_mnt_ftr structure. The keysize is
- * defaulted to get_crypto_type().get_keysize() bytes, and the filesystem size to 0.
- * Presumably, at a minimum, the caller will update the
- * filesystem size and crypto_type_name after calling this function.
- */
-static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr* ftr) {
- off64_t off;
-
- memset(ftr, 0, sizeof(struct crypt_mnt_ftr));
- ftr->magic = CRYPT_MNT_MAGIC;
- ftr->major_version = CURRENT_MAJOR_VERSION;
- ftr->minor_version = CURRENT_MINOR_VERSION;
- ftr->ftr_size = sizeof(struct crypt_mnt_ftr);
- ftr->keysize = get_crypto_type().get_keysize();
-
- switch (keymaster_check_compatibility()) {
- case 1:
- ftr->kdf_type = KDF_SCRYPT_KEYMASTER;
- break;
-
- case 0:
- ftr->kdf_type = KDF_SCRYPT;
- break;
-
- default:
- SLOGE("keymaster_check_compatibility failed");
+ if (property_get(DM_CRYPT_SECTOR_SIZE, value, "") > 0) {
+ if (!ParseUint(value, §or_size) || sector_size < 512 || sector_size > 4096 ||
+ (sector_size & (sector_size - 1)) != 0) {
+ SLOGE("Invalid value for %s: %s. Must be >= 512, <= 4096, and a power of 2\n",
+ DM_CRYPT_SECTOR_SIZE, value);
return -1;
+ }
}
- get_device_scrypt_params(ftr);
-
- ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE;
- if (get_crypt_ftr_info(NULL, &off) == 0) {
- ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET;
- ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + ftr->persist_data_size;
+ // Round the crypto device size down to a crypto sector boundary.
+ if (sector_size > 0) {
+ nr_sec &= ~((sector_size / 512) - 1);
}
+ auto& dm = DeviceMapper::Instance();
+ // We need two ASCII characters to represent each byte, and need space for
+ // the '\0' terminator.
+ char key_ascii[MAX_KEY_LEN * 2 + 1];
+ convert_key_to_hex_ascii(key, key_ascii);
+
+ auto target = std::make_unique<DmTargetCrypt>(0, nr_sec, crypto_type.get_kernel_name(),
+ key_ascii, 0, real_blkdev, 0);
+ target->AllowDiscards();
+
+ if (IsFbeEnabled() &&
+ android::base::GetBoolProperty("ro.crypto.allow_encrypt_override", false)) {
+ target->AllowEncryptOverride();
+ }
+
+ // Append the parameters to make dm-crypt use the specified crypto sector size.
+ if (sector_size > 0) {
+ target->SetSectorSize(sector_size);
+ // With this option, IVs will match the sector numbering, instead
+ // of being hard-coded to being based on 512-byte sectors.
+ target->SetIvLargeSectors();
+ }
+
+ DmTable table;
+ table.AddTarget(std::move(target));
+
+ int load_count = 1;
+ while (load_count < TABLE_LOAD_RETRIES) {
+ if (dm.CreateDevice(label, table)) {
+ break;
+ }
+ load_count++;
+ }
+
+ if (load_count >= TABLE_LOAD_RETRIES) {
+ SLOGE("Cannot load dm-crypt mapping table.\n");
+ return -1;
+ }
+ if (load_count > 1) {
+ SLOGI("Took %d tries to load dmcrypt table.\n", load_count);
+ }
+
+ if (!dm.GetDmDevicePathByName(label, out_crypto_blkdev)) {
+ SLOGE("Cannot determine dm-crypt path for %s.\n", label);
+ return -1;
+ }
+
+ /* Ensure the dm device has been created before returning. */
+ if (android::vold::WaitForFile(out_crypto_blkdev->c_str(), 1s) < 0) {
+ // WaitForFile generates a suitable log message
+ return -1;
+ }
return 0;
}
-
-#define FRAMEWORK_BOOT_WAIT 60
-
-static int vold_unmountAll(void) {
- VolumeManager* vm = VolumeManager::Instance();
- return vm->unmountAll();
-}
-
-int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
- std::string crypto_blkdev;
- std::string real_blkdev;
- unsigned char decrypted_master_key[MAX_KEY_LEN];
- int rc = -1, i;
- struct crypt_mnt_ftr crypt_ftr;
- struct crypt_persist_data* pdata;
- char encrypted_state[PROPERTY_VALUE_MAX];
- char lockid[32] = {0};
- std::string key_loc;
- int num_vols;
- bool rebootEncryption = false;
- bool onlyCreateHeader = false;
-
- /* Get a wakelock as this may take a while, and we don't want the
- * device to sleep on us. We'll grab a partial wakelock, and if the UI
- * wants to keep the screen on, it can grab a full wakelock.
- */
- snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int)getpid());
- auto wl = android::wakelock::WakeLock::tryGet(lockid);
- if (!wl.has_value()) {
- return android::UNEXPECTED_NULL;
- }
-
- if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
- if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) {
- if (!check_ftr_sha(&crypt_ftr)) {
- memset(&crypt_ftr, 0, sizeof(crypt_ftr));
- put_crypt_ftr_and_key(&crypt_ftr);
- goto error_unencrypted;
- }
-
- /* Doing a reboot-encryption*/
- crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION;
- crypt_ftr.flags |= CRYPT_FORCE_COMPLETE;
- rebootEncryption = true;
- }
- } else {
- // We don't want to accidentally reference invalid data.
- memset(&crypt_ftr, 0, sizeof(crypt_ftr));
- }
-
- property_get("ro.crypto.state", encrypted_state, "");
- if (!strcmp(encrypted_state, "encrypted")) {
- SLOGE("Device is already running encrypted, aborting");
- goto error_unencrypted;
- }
-
- get_crypt_info(&key_loc, &real_blkdev);
-
- /* Get the size of the real block device */
- uint64_t nr_sec;
- if (android::vold::GetBlockDev512Sectors(real_blkdev, &nr_sec) != android::OK) {
- SLOGE("Cannot get size of block device %s\n", real_blkdev.c_str());
- goto error_unencrypted;
- }
-
- /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */
- if (key_loc == KEY_IN_FOOTER) {
- uint64_t fs_size_sec, max_fs_size_sec;
- fs_size_sec = get_fs_size(real_blkdev.c_str());
- if (fs_size_sec == 0) fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev.data());
-
- max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
-
- if (fs_size_sec > max_fs_size_sec) {
- SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place.");
- goto error_unencrypted;
- }
- }
-
- /* The init files are setup to stop the class main and late start when
- * vold sets trigger_shutdown_framework.
- */
- property_set("vold.decrypt", "trigger_shutdown_framework");
- SLOGD("Just asked init to shut down class main\n");
-
- /* Ask vold to unmount all devices that it manages */
- if (vold_unmountAll()) {
- SLOGE("Failed to unmount all vold managed devices");
- }
-
- /* no_ui means we are being called from init, not settings.
- Now we always reboot from settings, so !no_ui means reboot
- */
- if (!no_ui) {
- /* Try fallback, which is to reboot and try there */
- onlyCreateHeader = true;
- FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we");
- if (breadcrumb == 0) {
- SLOGE("Failed to create breadcrumb file");
- goto error_shutting_down;
- }
- fclose(breadcrumb);
- }
-
- /* Do extra work for a better UX when doing the long inplace encryption */
- if (!onlyCreateHeader) {
- /* Now that /data is unmounted, we need to mount a tmpfs
- * /data, set a property saying we're doing inplace encryption,
- * and restart the framework.
- */
- wait_and_unmount(DATA_MNT_POINT, true);
- if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
- goto error_shutting_down;
- }
- /* Tells the framework that inplace encryption is starting */
- property_set("vold.encrypt_progress", "0");
-
- /* restart the framework. */
- /* Create necessary paths on /data */
- prep_data_fs();
-
- /* Ugh, shutting down the framework is not synchronous, so until it
- * can be fixed, this horrible hack will wait a moment for it all to
- * shut down before proceeding. Without it, some devices cannot
- * restart the graphics services.
- */
- sleep(2);
- }
-
- /* Start the actual work of making an encrypted filesystem */
- /* Initialize a crypt_mnt_ftr for the partition */
- if (!rebootEncryption) {
- if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) {
- goto error_shutting_down;
- }
-
- if (key_loc == KEY_IN_FOOTER) {
- crypt_ftr.fs_size = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE);
- } else {
- crypt_ftr.fs_size = nr_sec;
- }
- /* At this point, we are in an inconsistent state. Until we successfully
- complete encryption, a reboot will leave us broken. So mark the
- encryption failed in case that happens.
- On successfully completing encryption, remove this flag */
- if (onlyCreateHeader) {
- crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION;
- } else {
- crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
- }
- crypt_ftr.crypt_type = crypt_type;
- strlcpy((char*)crypt_ftr.crypto_type_name, get_crypto_type().get_kernel_name(),
- MAX_CRYPTO_TYPE_NAME_LEN);
-
- /* Make an encrypted master key */
- if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
- crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) {
- SLOGE("Cannot create encrypted master key\n");
- goto error_shutting_down;
- }
-
- /* Replace scrypted intermediate key if we are preparing for a reboot */
- if (onlyCreateHeader) {
- unsigned char fake_master_key[MAX_KEY_LEN];
- unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
- memset(fake_master_key, 0, sizeof(fake_master_key));
- encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, encrypted_fake_master_key,
- &crypt_ftr);
- }
-
- /* Write the key to the end of the partition */
- put_crypt_ftr_and_key(&crypt_ftr);
-
- /* If any persistent data has been remembered, save it.
- * If none, create a valid empty table and save that.
- */
- if (!persist_data) {
- pdata = (crypt_persist_data*)malloc(CRYPT_PERSIST_DATA_SIZE);
- if (pdata) {
- init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE);
- persist_data = pdata;
- }
- }
- if (persist_data) {
- save_persistent_data();
- }
- }
-
- if (onlyCreateHeader) {
- sleep(2);
- cryptfs_reboot(RebootType::reboot);
- }
-
- if (!no_ui || rebootEncryption) {
- /* startup service classes main and late_start */
- property_set("vold.decrypt", "trigger_restart_min_framework");
- SLOGD("Just triggered restart_min_framework\n");
-
- /* OK, the framework is restarted and will soon be showing a
- * progress bar. Time to setup an encrypted mapping, and
- * either write a new filesystem, or encrypt in place updating
- * the progress bar as we work.
- */
- }
-
- decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
- rc = create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev.c_str(),
- &crypto_blkdev, CRYPTO_BLOCK_DEVICE, 0);
- if (!rc) {
- if (encrypt_inplace(crypto_blkdev, real_blkdev, crypt_ftr.fs_size, true)) {
- crypt_ftr.encrypted_upto = crypt_ftr.fs_size;
- rc = 0;
- } else {
- rc = -1;
- }
- /* Undo the dm-crypt mapping whether we succeed or not */
- delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE);
- }
-
- if (!rc) {
- /* Success */
- crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE;
-
- put_crypt_ftr_and_key(&crypt_ftr);
-
- char value[PROPERTY_VALUE_MAX];
- property_get("ro.crypto.state", value, "");
- if (!strcmp(value, "")) {
- /* default encryption - continue first boot sequence */
- property_set("ro.crypto.state", "encrypted");
- property_set("ro.crypto.type", "block");
- wl.reset();
- if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
- // Bring up cryptkeeper that will check the password and set it
- property_set("vold.decrypt", "trigger_shutdown_framework");
- sleep(2);
- property_set("vold.encrypt_progress", "");
- cryptfs_trigger_restart_min_framework();
- } else {
- cryptfs_check_passwd(DEFAULT_PASSWORD);
- cryptfs_restart_internal(1);
- }
- return 0;
- } else {
- sleep(2); /* Give the UI a chance to show 100% progress */
- cryptfs_reboot(RebootType::reboot);
- }
- } else {
- char value[PROPERTY_VALUE_MAX];
-
- property_get("ro.vold.wipe_on_crypt_fail", value, "0");
- if (!strcmp(value, "1")) {
- /* wipe data if encryption failed */
- SLOGE("encryption failed - rebooting into recovery to wipe data\n");
- std::string err;
- const std::vector<std::string> options = {
- "--wipe_data\n--reason=cryptfs_enable_internal\n"};
- if (!write_bootloader_message(options, &err)) {
- SLOGE("could not write bootloader message: %s", err.c_str());
- }
- cryptfs_reboot(RebootType::recovery);
- } else {
- /* set property to trigger dialog */
- property_set("vold.encrypt_progress", "error_partially_encrypted");
- }
- return -1;
- }
-
- /* hrm, the encrypt step claims success, but the reboot failed.
- * This should not happen.
- * Set the property and return. Hope the framework can deal with it.
- */
- property_set("vold.encrypt_progress", "error_reboot_failed");
- return rc;
-
-error_unencrypted:
- property_set("vold.encrypt_progress", "error_not_encrypted");
- return -1;
-
-error_shutting_down:
- /* we failed, and have not encrypted anthing, so the users's data is still intact,
- * but the framework is stopped and not restarted to show the error, so it's up to
- * vold to restart the system.
- */
- SLOGE(
- "Error enabling encryption after framework is shutdown, no data changed, restarting "
- "system");
- cryptfs_reboot(RebootType::reboot);
-
- /* shouldn't get here */
- property_set("vold.encrypt_progress", "error_shutting_down");
- return -1;
-}
-
-int cryptfs_enable(int type, const char* passwd, int no_ui) {
- return cryptfs_enable_internal(type, passwd, no_ui);
-}
-
-int cryptfs_enable_default(int no_ui) {
- return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
-}
-
-int cryptfs_changepw(int crypt_type, const char* newpw) {
- if (fscrypt_is_native()) {
- SLOGE("cryptfs_changepw not valid for file encryption");
- return -1;
- }
-
- struct crypt_mnt_ftr crypt_ftr;
- int rc;
-
- /* This is only allowed after we've successfully decrypted the master key */
- if (!master_key_saved) {
- SLOGE("Key not saved, aborting");
- return -1;
- }
-
- if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
- SLOGE("Invalid crypt_type %d", crypt_type);
- return -1;
- }
-
- /* get key */
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- SLOGE("Error getting crypt footer and key");
- return -1;
- }
-
- crypt_ftr.crypt_type = crypt_type;
-
- rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw,
- crypt_ftr.salt, saved_master_key, crypt_ftr.master_key, &crypt_ftr);
- if (rc) {
- SLOGE("Encrypt master key failed: %d", rc);
- return -1;
- }
- /* save the key */
- put_crypt_ftr_and_key(&crypt_ftr);
-
- return 0;
-}
-
-static unsigned int persist_get_max_entries(int encrypted) {
- struct crypt_mnt_ftr crypt_ftr;
- unsigned int dsize;
-
- /* If encrypted, use the values from the crypt_ftr, otherwise
- * use the values for the current spec.
- */
- if (encrypted) {
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- /* Something is wrong, assume no space for entries */
- return 0;
- }
- dsize = crypt_ftr.persist_data_size;
- } else {
- dsize = CRYPT_PERSIST_DATA_SIZE;
- }
-
- if (dsize > sizeof(struct crypt_persist_data)) {
- return (dsize - sizeof(struct crypt_persist_data)) / sizeof(struct crypt_persist_entry);
- } else {
- return 0;
- }
-}
-
-static int persist_get_key(const char* fieldname, char* value) {
- unsigned int i;
-
- if (persist_data == NULL) {
- return -1;
- }
- for (i = 0; i < persist_data->persist_valid_entries; i++) {
- if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
- /* We found it! */
- strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX);
- return 0;
- }
- }
-
- return -1;
-}
-
-static int persist_set_key(const char* fieldname, const char* value, int encrypted) {
- unsigned int i;
- unsigned int num;
- unsigned int max_persistent_entries;
-
- if (persist_data == NULL) {
- return -1;
- }
-
- max_persistent_entries = persist_get_max_entries(encrypted);
-
- num = persist_data->persist_valid_entries;
-
- for (i = 0; i < num; i++) {
- if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) {
- /* We found an existing entry, update it! */
- memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX);
- strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX);
- return 0;
- }
- }
-
- /* We didn't find it, add it to the end, if there is room */
- if (persist_data->persist_valid_entries < max_persistent_entries) {
- memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry));
- strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX);
- strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX);
- persist_data->persist_valid_entries++;
- return 0;
- }
-
- return -1;
-}
-
-/**
- * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the
- * sequence and its index is greater than or equal to index. Return 0 otherwise.
- */
-int match_multi_entry(const char* key, const char* field, unsigned index) {
- std::string key_ = key;
- std::string field_ = field;
-
- std::string parsed_field;
- unsigned parsed_index;
-
- std::string::size_type split = key_.find_last_of('_');
- if (split == std::string::npos) {
- parsed_field = key_;
- parsed_index = 0;
- } else {
- parsed_field = key_.substr(0, split);
- parsed_index = std::stoi(key_.substr(split + 1));
- }
-
- return parsed_field == field_ && parsed_index >= index;
-}
-
-/*
- * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all
- * remaining entries starting from index will be deleted.
- * returns PERSIST_DEL_KEY_OK if deletion succeeds,
- * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist,
- * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs.
- *
- */
-static int persist_del_keys(const char* fieldname, unsigned index) {
- unsigned int i;
- unsigned int j;
- unsigned int num;
-
- if (persist_data == NULL) {
- return PERSIST_DEL_KEY_ERROR_OTHER;
- }
-
- num = persist_data->persist_valid_entries;
-
- j = 0; // points to the end of non-deleted entries.
- // Filter out to-be-deleted entries in place.
- for (i = 0; i < num; i++) {
- if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) {
- persist_data->persist_entry[j] = persist_data->persist_entry[i];
- j++;
- }
- }
-
- if (j < num) {
- persist_data->persist_valid_entries = j;
- // Zeroise the remaining entries
- memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry));
- return PERSIST_DEL_KEY_OK;
- } else {
- // Did not find an entry matching the given fieldname
- return PERSIST_DEL_KEY_ERROR_NO_FIELD;
- }
-}
-
-static int persist_count_keys(const char* fieldname) {
- unsigned int i;
- unsigned int count;
-
- if (persist_data == NULL) {
- return -1;
- }
-
- count = 0;
- for (i = 0; i < persist_data->persist_valid_entries; i++) {
- if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) {
- count++;
- }
- }
-
- return count;
-}
-
-/* Return the value of the specified field. */
-int cryptfs_getfield(const char* fieldname, char* value, int len) {
- if (fscrypt_is_native()) {
- SLOGE("Cannot get field when file encrypted");
- return -1;
- }
-
- char temp_value[PROPERTY_VALUE_MAX];
- /* CRYPTO_GETFIELD_OK is success,
- * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set,
- * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small,
- * CRYPTO_GETFIELD_ERROR_OTHER is any other error
- */
- int rc = CRYPTO_GETFIELD_ERROR_OTHER;
- int i;
- char temp_field[PROPERTY_KEY_MAX];
-
- if (persist_data == NULL) {
- load_persistent_data();
- if (persist_data == NULL) {
- SLOGE("Getfield error, cannot load persistent data");
- goto out;
- }
- }
-
- // Read value from persistent entries. If the original value is split into multiple entries,
- // stitch them back together.
- if (!persist_get_key(fieldname, temp_value)) {
- // We found it, copy it to the caller's buffer and keep going until all entries are read.
- if (strlcpy(value, temp_value, len) >= (unsigned)len) {
- // value too small
- rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
- goto out;
- }
- rc = CRYPTO_GETFIELD_OK;
-
- for (i = 1; /* break explicitly */; i++) {
- if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >=
- (int)sizeof(temp_field)) {
- // If the fieldname is very long, we stop as soon as it begins to overflow the
- // maximum field length. At this point we have in fact fully read out the original
- // value because cryptfs_setfield would not allow fields with longer names to be
- // written in the first place.
- break;
- }
- if (!persist_get_key(temp_field, temp_value)) {
- if (strlcat(value, temp_value, len) >= (unsigned)len) {
- // value too small.
- rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL;
- goto out;
- }
- } else {
- // Exhaust all entries.
- break;
- }
- }
- } else {
- /* Sadness, it's not there. Return the error */
- rc = CRYPTO_GETFIELD_ERROR_NO_FIELD;
- }
-
-out:
- return rc;
-}
-
-/* Set the value of the specified field. */
-int cryptfs_setfield(const char* fieldname, const char* value) {
- if (fscrypt_is_native()) {
- SLOGE("Cannot set field when file encrypted");
- return -1;
- }
-
- char encrypted_state[PROPERTY_VALUE_MAX];
- /* 0 is success, negative values are error */
- int rc = CRYPTO_SETFIELD_ERROR_OTHER;
- int encrypted = 0;
- unsigned int field_id;
- char temp_field[PROPERTY_KEY_MAX];
- unsigned int num_entries;
- unsigned int max_keylen;
-
- if (persist_data == NULL) {
- load_persistent_data();
- if (persist_data == NULL) {
- SLOGE("Setfield error, cannot load persistent data");
- goto out;
- }
- }
-
- property_get("ro.crypto.state", encrypted_state, "");
- if (!strcmp(encrypted_state, "encrypted")) {
- encrypted = 1;
- }
-
- // Compute the number of entries required to store value, each entry can store up to
- // (PROPERTY_VALUE_MAX - 1) chars
- if (strlen(value) == 0) {
- // Empty value also needs one entry to store.
- num_entries = 1;
- } else {
- num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1);
- }
-
- max_keylen = strlen(fieldname);
- if (num_entries > 1) {
- // Need an extra "_%d" suffix.
- max_keylen += 1 + log10(num_entries);
- }
- if (max_keylen > PROPERTY_KEY_MAX - 1) {
- rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG;
- goto out;
- }
-
- // Make sure we have enough space to write the new value
- if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) >
- persist_get_max_entries(encrypted)) {
- rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG;
- goto out;
- }
-
- // Now that we know persist_data has enough space for value, let's delete the old field first
- // to make up space.
- persist_del_keys(fieldname, 0);
-
- if (persist_set_key(fieldname, value, encrypted)) {
- // fail to set key, should not happen as we have already checked the available space
- SLOGE("persist_set_key() error during setfield()");
- goto out;
- }
-
- for (field_id = 1; field_id < num_entries; field_id++) {
- snprintf(temp_field, sizeof(temp_field), "%s_%u", fieldname, field_id);
-
- if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) {
- // fail to set key, should not happen as we have already checked the available space.
- SLOGE("persist_set_key() error during setfield()");
- goto out;
- }
- }
-
- /* If we are running encrypted, save the persistent data now */
- if (encrypted) {
- if (save_persistent_data()) {
- SLOGE("Setfield error, cannot save persistent data");
- goto out;
- }
- }
-
- rc = CRYPTO_SETFIELD_OK;
-
-out:
- return rc;
-}
-
-/* Checks userdata. Attempt to mount the volume if default-
- * encrypted.
- * On success trigger next init phase and return 0.
- * Currently do not handle failure - see TODO below.
- */
-int cryptfs_mount_default_encrypted(void) {
- int crypt_type = cryptfs_get_password_type();
- if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) {
- SLOGE("Bad crypt type - error");
- } else if (crypt_type != CRYPT_TYPE_DEFAULT) {
- SLOGD(
- "Password is not default - "
- "starting min framework to prompt");
- property_set("vold.decrypt", "trigger_restart_min_framework");
- return 0;
- } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) {
- SLOGD("Password is default - restarting filesystem");
- cryptfs_restart_internal(0);
- return 0;
- } else {
- SLOGE("Encrypted, default crypt type but can't decrypt");
- }
-
- /** Corrupt. Allow us to boot into framework, which will detect bad
- crypto when it calls do_crypto_complete, then do a factory reset
- */
- property_set("vold.decrypt", "trigger_restart_min_framework");
- return 0;
-}
-
-/* Returns type of the password, default, pattern, pin or password.
- */
-int cryptfs_get_password_type(void) {
- if (fscrypt_is_native()) {
- SLOGE("cryptfs_get_password_type not valid for file encryption");
- return -1;
- }
-
- struct crypt_mnt_ftr crypt_ftr;
-
- if (get_crypt_ftr_and_key(&crypt_ftr)) {
- SLOGE("Error getting crypt footer and key\n");
- return -1;
- }
-
- if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) {
- return -1;
- }
-
- return crypt_ftr.crypt_type;
-}
-
-const char* cryptfs_get_password() {
- if (fscrypt_is_native()) {
- SLOGE("cryptfs_get_password not valid for file encryption");
- return 0;
- }
-
- struct timespec now;
- clock_gettime(CLOCK_BOOTTIME, &now);
- if (now.tv_sec < password_expiry_time) {
- return password;
- } else {
- cryptfs_clear_password();
- return 0;
- }
-}
-
-void cryptfs_clear_password() {
- if (password) {
- size_t len = strlen(password);
- memset(password, 0, len);
- free(password);
- password = 0;
- password_expiry_time = 0;
- }
-}
-
-int cryptfs_isConvertibleToFBE() {
- auto entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);
- return entry && entry->fs_mgr_flags.force_fde_or_fbe;
-}
diff --git a/cryptfs.h b/cryptfs.h
index 872806e..e166f49 100644
--- a/cryptfs.h
+++ b/cryptfs.h
@@ -19,61 +19,11 @@
#include <string>
-#include <linux/types.h>
-#include <stdbool.h>
-#include <stdint.h>
-
-#include <cutils/properties.h>
-
#include "KeyBuffer.h"
#include "KeyUtil.h"
-#define CRYPT_FOOTER_OFFSET 0x4000
-
-/* Return values for cryptfs_crypto_complete */
-#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
-#define CRYPTO_COMPLETE_ENCRYPTED 0
-#define CRYPTO_COMPLETE_BAD_METADATA (-1)
-#define CRYPTO_COMPLETE_PARTIAL (-2)
-#define CRYPTO_COMPLETE_INCONSISTENT (-3)
-#define CRYPTO_COMPLETE_CORRUPT (-4)
-
-/* Return values for cryptfs_getfield */
-#define CRYPTO_GETFIELD_OK 0
-#define CRYPTO_GETFIELD_ERROR_NO_FIELD (-1)
-#define CRYPTO_GETFIELD_ERROR_OTHER (-2)
-#define CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL (-3)
-
-/* Return values for cryptfs_setfield */
-#define CRYPTO_SETFIELD_OK 0
-#define CRYPTO_SETFIELD_ERROR_OTHER (-1)
-#define CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG (-2)
-#define CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG (-3)
-
-/* Return values for persist_del_key */
-#define PERSIST_DEL_KEY_OK 0
-#define PERSIST_DEL_KEY_ERROR_OTHER (-1)
-#define PERSIST_DEL_KEY_ERROR_NO_FIELD (-2)
-
-// Exposed for testing only
-int match_multi_entry(const char* key, const char* field, unsigned index);
-
-int cryptfs_crypto_complete(void);
-int cryptfs_check_passwd(const char* pw);
-int cryptfs_verify_passwd(const char* pw);
-int cryptfs_restart(void);
-int cryptfs_enable(int type, const char* passwd, int no_ui);
-int cryptfs_changepw(int type, const char* newpw);
-int cryptfs_enable_default(int no_ui);
int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev,
const android::vold::KeyBuffer& key, std::string* out_crypto_blkdev);
-int cryptfs_getfield(const char* fieldname, char* value, int len);
-int cryptfs_setfield(const char* fieldname, const char* value);
-int cryptfs_mount_default_encrypted(void);
-int cryptfs_get_password_type(void);
-const char* cryptfs_get_password(void);
-void cryptfs_clear_password(void);
-int cryptfs_isConvertibleToFBE(void);
const android::vold::KeyGeneration cryptfs_get_keygen();
#endif /* ANDROID_VOLD_CRYPTFS_H */
diff --git a/fs/Exfat.cpp b/fs/Exfat.cpp
index 7782dd3..c8b19e0 100644
--- a/fs/Exfat.cpp
+++ b/fs/Exfat.cpp
@@ -44,7 +44,7 @@
cmd.push_back("-y");
cmd.push_back(source);
- int rc = ForkExecvp(cmd, nullptr, sFsckUntrustedContext);
+ int rc = ForkExecvpTimeout(cmd, kUntrustedFsckSleepTime, sFsckUntrustedContext);
if (rc == 0) {
LOG(INFO) << "Check OK";
return 0;
diff --git a/fs/Ext4.cpp b/fs/Ext4.cpp
index 6bc7ad2..293efc4 100644
--- a/fs/Ext4.cpp
+++ b/fs/Ext4.cpp
@@ -66,8 +66,6 @@
const char* c_source = source.c_str();
const char* c_target = target.c_str();
-
- int status;
int ret;
long tmpmnt_flags = MS_NOATIME | MS_NOEXEC | MS_NOSUID;
char* tmpmnt_opts = (char*)"nomblk_io_submit,errors=remount-ro";
@@ -173,7 +171,7 @@
bool needs_casefold =
android::base::GetBoolProperty("external_storage.casefold.enabled", false);
- bool needs_projid = android::base::GetBoolProperty("external_storage.projid.enabled", false);
+ bool needs_projid = true;
if (needs_projid) {
cmd.push_back("-I");
@@ -184,7 +182,7 @@
if (android::base::GetBoolProperty("vold.has_quota", false)) {
options += ",quota";
}
- if (fscrypt_is_native()) {
+ if (IsFbeEnabled()) {
options += ",encrypt";
}
if (needs_casefold) {
@@ -198,7 +196,7 @@
cmd.push_back("-E");
std::string extopts = "";
if (needs_casefold) extopts += "encoding=utf8,";
- if (needs_projid) extopts += "quotatype=prjquota,";
+ if (needs_projid) extopts += "quotatype=usrquota:grpquota:prjquota,";
cmd.push_back(extopts);
}
diff --git a/fs/F2fs.cpp b/fs/F2fs.cpp
index d6f3dab..23363e3 100644
--- a/fs/F2fs.cpp
+++ b/fs/F2fs.cpp
@@ -20,6 +20,7 @@
#include <android-base/logging.h>
#include <android-base/properties.h>
#include <android-base/stringprintf.h>
+#include <logwrap/logwrap.h>
#include <fscrypt/fscrypt.h>
#include <string>
@@ -70,46 +71,39 @@
return res;
}
-status_t Format(const std::string& source) {
- std::vector<std::string> cmd;
- cmd.push_back(kMkfsPath);
+status_t Format(const std::string& source, const std::string& zoned_device) {
+ std::vector<char const*> cmd;
+ cmd.emplace_back(kMkfsPath);
- cmd.push_back("-f");
- cmd.push_back("-d1");
+ cmd.emplace_back("-f");
+ cmd.emplace_back("-d1");
- if (android::base::GetBoolProperty("vold.has_quota", false)) {
- cmd.push_back("-O");
- cmd.push_back("quota");
- }
- if (fscrypt_is_native()) {
- cmd.push_back("-O");
- cmd.push_back("encrypt");
- }
+ cmd.emplace_back("-g");
+ cmd.emplace_back("android");
+
if (android::base::GetBoolProperty("vold.has_compress", false)) {
- cmd.push_back("-O");
- cmd.push_back("compression");
- cmd.push_back("-O");
- cmd.push_back("extra_attr");
+ cmd.emplace_back("-O");
+ cmd.emplace_back("compression");
+ cmd.emplace_back("-O");
+ cmd.emplace_back("extra_attr");
}
- cmd.push_back("-O");
- cmd.push_back("verity");
const bool needs_casefold =
android::base::GetBoolProperty("external_storage.casefold.enabled", false);
- const bool needs_projid =
- android::base::GetBoolProperty("external_storage.projid.enabled", false);
- if (needs_projid) {
- cmd.push_back("-O");
- cmd.push_back("project_quota,extra_attr");
- }
if (needs_casefold) {
- cmd.push_back("-O");
- cmd.push_back("casefold");
- cmd.push_back("-C");
- cmd.push_back("utf8");
+ cmd.emplace_back("-O");
+ cmd.emplace_back("casefold");
+ cmd.emplace_back("-C");
+ cmd.emplace_back("utf8");
}
- cmd.push_back(source);
- return ForkExecvp(cmd);
+ if (!zoned_device.empty()) {
+ cmd.emplace_back("-c");
+ cmd.emplace_back(zoned_device.c_str());
+ cmd.emplace_back("-m");
+ }
+ cmd.emplace_back(source.c_str());
+ return logwrap_fork_execvp(cmd.size(), cmd.data(), nullptr, false, LOG_KLOG,
+ false, nullptr);
}
} // namespace f2fs
diff --git a/fs/F2fs.h b/fs/F2fs.h
index f710212..cdad581 100644
--- a/fs/F2fs.h
+++ b/fs/F2fs.h
@@ -29,7 +29,7 @@
status_t Check(const std::string& source);
status_t Mount(const std::string& source, const std::string& target);
-status_t Format(const std::string& source);
+status_t Format(const std::string& source, const std::string& zoned_device = "");
} // namespace f2fs
} // namespace vold
diff --git a/fs/Vfat.cpp b/fs/Vfat.cpp
index 4f1e982..f3f04d8 100644
--- a/fs/Vfat.cpp
+++ b/fs/Vfat.cpp
@@ -68,10 +68,9 @@
cmd.push_back(source);
// Fat devices are currently always untrusted
- rc = ForkExecvp(cmd, nullptr, sFsckUntrustedContext);
-
+ rc = ForkExecvpTimeout(cmd, kUntrustedFsckSleepTime, sFsckUntrustedContext);
if (rc < 0) {
- LOG(ERROR) << "Filesystem check failed due to logwrap error";
+ LOG(ERROR) << "Filesystem check failed due to fork error";
errno = EIO;
return -1;
}
@@ -81,6 +80,10 @@
LOG(INFO) << "Filesystem check completed OK";
return 0;
+ case 1:
+ LOG(INFO) << "Failed to check filesystem";
+ return -1;
+
case 2:
LOG(ERROR) << "Filesystem check failed (not a FAT filesystem)";
errno = ENODATA;
@@ -100,6 +103,11 @@
errno = ENODATA;
return -1;
+ case ETIMEDOUT:
+ LOG(ERROR) << "Filesystem check timed out";
+ errno = ETIMEDOUT;
+ return -1;
+
default:
LOG(ERROR) << "Filesystem check failed (unknown exit code " << rc << ")";
errno = EIO;
diff --git a/main.cpp b/main.cpp
index 1f85fb5..078ee14 100644
--- a/main.cpp
+++ b/main.cpp
@@ -16,6 +16,8 @@
#define ATRACE_TAG ATRACE_TAG_PACKAGE_MANAGER
+#include "FsCrypt.h"
+#include "MetadataCrypt.h"
#include "NetlinkManager.h"
#include "VoldNativeService.h"
#include "VoldUtil.h"
@@ -51,8 +53,11 @@
static int process_config(VolumeManager* vm, VoldConfigs* configs);
static void coldboot(const char* path);
static void parse_args(int argc, char** argv);
+static void VoldLogger(android::base::LogId log_buffer_id, android::base::LogSeverity severity,
+ const char* tag, const char* file, unsigned int line, const char* message);
struct selabel_handle* sehandle;
+android::base::LogdLogger logd_logger(android::base::SYSTEM);
using android::base::StringPrintf;
using android::fs_mgr::ReadDefaultFstab;
@@ -60,7 +65,7 @@
int main(int argc, char** argv) {
atrace_set_tracing_enabled(false);
setenv("ANDROID_LOG_TAGS", "*:d", 1); // Do not submit with verbose logs enabled
- android::base::InitLogging(argv, android::base::LogdLogger(android::base::SYSTEM));
+ android::base::InitLogging(argv, &VoldLogger);
LOG(INFO) << "Vold 3.0 (the awakening) firing up";
@@ -77,9 +82,11 @@
parse_args(argc, argv);
sehandle = selinux_android_file_context_handle();
- if (sehandle) {
- selinux_android_set_sehandle(sehandle);
+ if (!sehandle) {
+ LOG(ERROR) << "Failed to get SELinux file contexts handle";
+ exit(1);
}
+ selinux_android_set_sehandle(sehandle);
mkdir("/dev/block/vold", 0755);
@@ -247,6 +254,11 @@
PLOG(FATAL) << "could not find logical partition " << entry.blk_device;
}
+ if (entry.mount_point == "/data" && !entry.metadata_key_dir.empty()) {
+ // Pre-populate userdata dm-devices since the uevents are asynchronous (b/198405417).
+ android::vold::defaultkey_precreate_dm_device();
+ }
+
if (entry.fs_mgr_flags.vold_managed) {
if (entry.fs_mgr_flags.nonremovable) {
LOG(WARNING) << "nonremovable no longer supported; ignoring volume";
@@ -272,3 +284,29 @@
}
return 0;
}
+
+static void VoldLogger(android::base::LogId log_buffer_id, android::base::LogSeverity severity,
+ const char* tag, const char* file, unsigned int line, const char* message) {
+ logd_logger(log_buffer_id, severity, tag, file, line, message);
+
+ if (severity >= android::base::WARNING) {
+ static bool early_boot_done = false;
+
+ // If metadata encryption setup (fscrypt_mount_metadata_encrypted) or
+ // basic FBE setup (fscrypt_init_user0) fails, then the boot will fail
+ // before adb can be started, so logcat won't be available. To allow
+ // debugging these early boot failures, log early errors and warnings to
+ // the kernel log. This allows diagnosing failures via the serial log,
+ // or via last dmesg/"fastboot oem dmesg" on devices that support it.
+ //
+ // As a very quick-and-dirty test for whether /data has been mounted,
+ // check whether /data/misc/vold exists.
+ if (!early_boot_done) {
+ if (access("/data/misc/vold", F_OK) == 0 && fscrypt_init_user0_done) {
+ early_boot_done = true;
+ return;
+ }
+ android::base::KernelLogger(log_buffer_id, severity, tag, file, line, message);
+ }
+ }
+}
diff --git a/model/Disk.h b/model/Disk.h
index 16476dc..8c75f59 100644
--- a/model/Disk.h
+++ b/model/Disk.h
@@ -70,6 +70,8 @@
const std::string& getLabel() const { return mLabel; }
int getFlags() const { return mFlags; }
+ bool isStub() const { return (mFlags & kStubInvisible) || (mFlags & kStubVisible); }
+
std::shared_ptr<VolumeBase> findVolume(const std::string& id);
void listVolumes(VolumeBase::Type type, std::list<std::string>& list) const;
@@ -123,8 +125,6 @@
int getMaxMinors();
- bool isStub() { return (mFlags & kStubInvisible) || (mFlags & kStubVisible); }
-
DISALLOW_COPY_AND_ASSIGN(Disk);
};
diff --git a/model/EmulatedVolume.cpp b/model/EmulatedVolume.cpp
index 4a77846..270dcd4 100644
--- a/model/EmulatedVolume.cpp
+++ b/model/EmulatedVolume.cpp
@@ -18,6 +18,7 @@
#include "AppFuseUtil.h"
#include "Utils.h"
+#include "VolumeBase.h"
#include "VolumeManager.h"
#include <android-base/logging.h>
@@ -66,7 +67,7 @@
EmulatedVolume::~EmulatedVolume() {}
-std::string EmulatedVolume::getLabel() {
+std::string EmulatedVolume::getLabel() const {
// We could have migrated storage to an adopted private volume, so always
// call primary storage "emulated" to avoid media rescans.
if (getMountFlags() & MountFlags::kPrimary) {
@@ -89,6 +90,29 @@
return OK;
}
+// Bind mounts the volume 'volume' onto this volume.
+status_t EmulatedVolume::bindMountVolume(const EmulatedVolume& volume,
+ std::list<std::string>& pathsToUnmount) {
+ int myUserId = getMountUserId();
+ int volumeUserId = volume.getMountUserId();
+ std::string label = volume.getLabel();
+
+ // eg /mnt/user/10/emulated/10
+ std::string srcUserPath = GetFuseMountPathForUser(volumeUserId, label);
+ std::string srcPath = StringPrintf("%s/%d", srcUserPath.c_str(), volumeUserId);
+ // eg /mnt/user/0/emulated/10
+ std::string dstUserPath = GetFuseMountPathForUser(myUserId, label);
+ std::string dstPath = StringPrintf("%s/%d", dstUserPath.c_str(), volumeUserId);
+
+ auto status = doFuseBindMount(srcPath, dstPath, pathsToUnmount);
+ if (status == OK) {
+ // Store the mount path, so we can unmount it when this volume goes away
+ mSharedStorageMountPath = dstPath;
+ }
+
+ return status;
+}
+
status_t EmulatedVolume::mountFuseBindMounts() {
std::string androidSource;
std::string label = getLabel();
@@ -116,24 +140,22 @@
}
status_t status = OK;
- // When app data isolation is enabled, obb/ will be mounted per app, otherwise we should
- // bind mount the whole Android/ to speed up reading.
- if (!mAppDataIsolationEnabled) {
- std::string androidDataSource = StringPrintf("%s/data", androidSource.c_str());
- std::string androidDataTarget(
- StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
- status = doFuseBindMount(androidDataSource, androidDataTarget, pathsToUnmount);
- if (status != OK) {
- return status;
- }
+ // Zygote will unmount these dirs if app data isolation is enabled, so apps
+ // cannot access these dirs directly.
+ std::string androidDataSource = StringPrintf("%s/data", androidSource.c_str());
+ std::string androidDataTarget(
+ StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
+ status = doFuseBindMount(androidDataSource, androidDataTarget, pathsToUnmount);
+ if (status != OK) {
+ return status;
+ }
- std::string androidObbSource = StringPrintf("%s/obb", androidSource.c_str());
- std::string androidObbTarget(
- StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
- status = doFuseBindMount(androidObbSource, androidObbTarget, pathsToUnmount);
- if (status != OK) {
- return status;
- }
+ std::string androidObbSource = StringPrintf("%s/obb", androidSource.c_str());
+ std::string androidObbTarget(
+ StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
+ status = doFuseBindMount(androidObbSource, androidObbTarget, pathsToUnmount);
+ if (status != OK) {
+ return status;
}
// Installers get the same view as all other apps, with the sole exception that the
@@ -150,42 +172,59 @@
if (status != OK) {
return status;
}
- } else if (mAppDataIsolationEnabled) {
- std::string obbSource(StringPrintf("%s/obb", androidSource.c_str()));
- std::string obbInstallerTarget(StringPrintf("/mnt/installer/%d/%s/%d/Android/obb",
- userId, label.c_str(), userId));
-
- status = doFuseBindMount(obbSource, obbInstallerTarget, pathsToUnmount);
- if (status != OK) {
- return status;
- }
}
- // /mnt/androidwriteable is similar to /mnt/installer, but it's for
- // MOUNT_EXTERNAL_ANDROID_WRITABLE apps and it can also access DATA (Android/data) dirs.
- if (mAppDataIsolationEnabled) {
- std::string obbSource = mUseSdcardFs ?
- StringPrintf("/mnt/runtime/write/%s/%d/Android/obb", label.c_str(), userId)
- : StringPrintf("%s/obb", androidSource.c_str());
-
- std::string obbAndroidWritableTarget(
- StringPrintf("/mnt/androidwritable/%d/%s/%d/Android/obb",
- userId, label.c_str(), userId));
-
- status = doFuseBindMount(obbSource, obbAndroidWritableTarget, pathsToUnmount);
- if (status != OK) {
- return status;
- }
-
- std::string dataSource = mUseSdcardFs ?
- StringPrintf("/mnt/runtime/write/%s/%d/Android/data", label.c_str(), userId)
- : StringPrintf("%s/data", androidSource.c_str());
- std::string dataTarget(StringPrintf("/mnt/androidwritable/%d/%s/%d/Android/data",
- userId, label.c_str(), userId));
-
- status = doFuseBindMount(dataSource, dataTarget, pathsToUnmount);
- if (status != OK) {
- return status;
+ // For users that share their volume with another user (eg a clone
+ // profile), the current mount setup can cause page cache inconsistency
+ // issues. Let's say this is user 10, and the user it shares storage with
+ // is user 0.
+ // Then:
+ // * The FUSE daemon for user 0 serves /mnt/user/0
+ // * The FUSE daemon for user 10 serves /mnt/user/10
+ // The emulated volume for user 10 would be located at two paths:
+ // /mnt/user/0/emulated/10
+ // /mnt/user/10/emulated/10
+ // Since these paths refer to the same files but are served by different FUSE
+ // daemons, this can result in page cache inconsistency issues. To prevent this,
+ // bind mount the relevant paths for the involved users:
+ // 1. /mnt/user/10/emulated/10 =B=> /mnt/user/0/emulated/10
+ // 2. /mnt/user/0/emulated/0 =B=> /mnt/user/10/emulated/0
+ //
+ // This will ensure that any access to the volume for a specific user always
+ // goes through a single FUSE daemon.
+ userid_t sharedStorageUserId = VolumeManager::Instance()->getSharedStorageUser(userId);
+ if (sharedStorageUserId != USER_UNKNOWN) {
+ auto filter_fn = [&](const VolumeBase& vol) {
+ if (vol.getState() != VolumeBase::State::kMounted) {
+ // The volume must be mounted
+ return false;
+ }
+ if (vol.getType() != VolumeBase::Type::kEmulated) {
+ return false;
+ }
+ if (vol.getMountUserId() != sharedStorageUserId) {
+ return false;
+ }
+ if ((vol.getMountFlags() & MountFlags::kPrimary) == 0) {
+ // We only care about the primary emulated volume, so not a private
+ // volume with an emulated volume stacked on top.
+ return false;
+ }
+ return true;
+ };
+ auto vol = VolumeManager::Instance()->findVolumeWithFilter(filter_fn);
+ if (vol != nullptr) {
+ auto sharedVol = static_cast<EmulatedVolume*>(vol.get());
+ // Bind mount this volume in the other user's primary volume
+ status = sharedVol->bindMountVolume(*this, pathsToUnmount);
+ if (status != OK) {
+ return status;
+ }
+ // And vice-versa
+ status = bindMountVolume(*sharedVol, pathsToUnmount);
+ if (status != OK) {
+ return status;
+ }
}
}
unmount_guard.Disable();
@@ -196,6 +235,14 @@
std::string label = getLabel();
int userId = getMountUserId();
+ if (!mSharedStorageMountPath.empty()) {
+ LOG(INFO) << "Unmounting " << mSharedStorageMountPath;
+ auto status = UnmountTree(mSharedStorageMountPath);
+ if (status != OK) {
+ LOG(ERROR) << "Failed to unmount " << mSharedStorageMountPath;
+ }
+ mSharedStorageMountPath = "";
+ }
if (mUseSdcardFs || mAppDataIsolationEnabled) {
std::string installerTarget(
StringPrintf("/mnt/installer/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
@@ -229,28 +276,31 @@
// umount the whole Android/ dir.
if (mAppDataIsolationEnabled) {
std::string appObbDir(StringPrintf("%s/%d/Android/obb", getPath().c_str(), userId));
- KillProcessesWithMountPrefix(appObbDir);
- } else {
- std::string androidDataTarget(
- StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
-
- LOG(INFO) << "Unmounting " << androidDataTarget;
- auto status = UnmountTree(androidDataTarget);
- if (status != OK) {
- return status;
- }
- LOG(INFO) << "Unmounted " << androidDataTarget;
-
- std::string androidObbTarget(
- StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
-
- LOG(INFO) << "Unmounting " << androidObbTarget;
- status = UnmountTree(androidObbTarget);
- if (status != OK) {
- return status;
- }
- LOG(INFO) << "Unmounted " << androidObbTarget;
+ // Here we assume obb/data dirs is mounted as tmpfs, then it must be caused by
+ // app data isolation.
+ KillProcessesWithTmpfsMountPrefix(appObbDir);
}
+
+ // Always unmount data and obb dirs as they are mounted to lowerfs for speeding up access.
+ std::string androidDataTarget(
+ StringPrintf("/mnt/user/%d/%s/%d/Android/data", userId, label.c_str(), userId));
+
+ LOG(INFO) << "Unmounting " << androidDataTarget;
+ auto status = UnmountTree(androidDataTarget);
+ if (status != OK) {
+ return status;
+ }
+ LOG(INFO) << "Unmounted " << androidDataTarget;
+
+ std::string androidObbTarget(
+ StringPrintf("/mnt/user/%d/%s/%d/Android/obb", userId, label.c_str(), userId));
+
+ LOG(INFO) << "Unmounting " << androidObbTarget;
+ status = UnmountTree(androidObbTarget);
+ if (status != OK) {
+ return status;
+ }
+ LOG(INFO) << "Unmounted " << androidObbTarget;
return OK;
}
@@ -281,7 +331,7 @@
status_t EmulatedVolume::doMount() {
std::string label = getLabel();
- bool isVisible = getMountFlags() & MountFlags::kVisible;
+ bool isVisible = isVisibleForWrite();
mSdcardFsDefault = StringPrintf("/mnt/runtime/default/%s", label.c_str());
mSdcardFsRead = StringPrintf("/mnt/runtime/read/%s", label.c_str());
@@ -394,10 +444,12 @@
}
}
- // Only do the bind-mounts when we know for sure the FUSE daemon can resolve the path.
- res = mountFuseBindMounts();
- if (res != OK) {
- return res;
+ if (!IsFuseBpfEnabled()) {
+ // Only do the bind-mounts when we know for sure the FUSE daemon can resolve the path.
+ res = mountFuseBindMounts();
+ if (res != OK) {
+ return res;
+ }
}
ConfigureReadAheadForFuse(GetFuseMountPathForUser(user_id, label), 256u);
@@ -451,9 +503,11 @@
if (mFuseMounted) {
std::string label = getLabel();
- // Ignoring unmount return status because we do want to try to unmount
- // the rest cleanly.
- unmountFuseBindMounts();
+ if (!IsFuseBpfEnabled()) {
+ // Ignoring unmount return status because we do want to try to
+ // unmount the rest cleanly.
+ unmountFuseBindMounts();
+ }
if (UnmountUserFuse(userId, getInternalPath(), label) != OK) {
PLOG(INFO) << "UnmountUserFuse failed on emulated fuse volume";
diff --git a/model/EmulatedVolume.h b/model/EmulatedVolume.h
index 1d2385d..0389ea7 100644
--- a/model/EmulatedVolume.h
+++ b/model/EmulatedVolume.h
@@ -52,7 +52,9 @@
status_t mountFuseBindMounts();
status_t unmountFuseBindMounts();
- std::string getLabel();
+ status_t bindMountVolume(const EmulatedVolume& vol, std::list<std::string>& pathsToUnmount);
+
+ std::string getLabel() const;
std::string mRawPath;
std::string mLabel;
@@ -70,6 +72,9 @@
/* Whether to use app data isolation is enabled tor this volume */
bool mAppDataIsolationEnabled;
+ /* Location of bind mount for another profile that shares storage with us */
+ std::string mSharedStorageMountPath = "";
+
DISALLOW_COPY_AND_ASSIGN(EmulatedVolume);
};
diff --git a/model/ObbVolume.cpp b/model/ObbVolume.cpp
index 21479c4..b64c1ba 100644
--- a/model/ObbVolume.cpp
+++ b/model/ObbVolume.cpp
@@ -15,7 +15,6 @@
*/
#include "ObbVolume.h"
-#include "Devmapper.h"
#include "Loop.h"
#include "Utils.h"
#include "VoldUtil.h"
@@ -39,12 +38,10 @@
namespace android {
namespace vold {
-ObbVolume::ObbVolume(int id, const std::string& sourcePath, const std::string& sourceKey,
- gid_t ownerGid)
+ObbVolume::ObbVolume(int id, const std::string& sourcePath, gid_t ownerGid)
: VolumeBase(Type::kObb) {
setId(StringPrintf("obb:%d", id));
mSourcePath = sourcePath;
- mSourceKey = sourceKey;
mOwnerGid = ownerGid;
}
@@ -55,36 +52,13 @@
PLOG(ERROR) << getId() << " failed to create loop";
return -1;
}
-
- if (!mSourceKey.empty()) {
- uint64_t nr_sec = 0;
- if (GetBlockDev512Sectors(mLoopPath, &nr_sec) != OK) {
- PLOG(ERROR) << getId() << " failed to get loop size";
- return -1;
- }
-
- char tmp[PATH_MAX];
- if (Devmapper::create(getId().c_str(), mLoopPath.c_str(), mSourceKey.c_str(), nr_sec, tmp,
- PATH_MAX)) {
- PLOG(ERROR) << getId() << " failed to create dm";
- return -1;
- }
- mDmPath = tmp;
- mMountPath = mDmPath;
- } else {
- mMountPath = mLoopPath;
- }
return OK;
}
status_t ObbVolume::doDestroy() {
- if (!mDmPath.empty() && Devmapper::destroy(getId().c_str())) {
- PLOG(WARNING) << getId() << " failed to destroy dm";
- }
if (!mLoopPath.empty() && Loop::destroyByDevice(mLoopPath.c_str())) {
PLOG(WARNING) << getId() << " failed to destroy loop";
}
- mDmPath.clear();
mLoopPath.clear();
return OK;
}
@@ -98,7 +72,7 @@
return -1;
}
// clang-format off
- if (android::vold::vfat::Mount(mMountPath, path, true, false, true,
+ if (android::vold::vfat::Mount(mLoopPath, path, true, false, true,
0, mOwnerGid, 0227, false)) {
// clang-format on
PLOG(ERROR) << getId() << " failed to mount";
diff --git a/model/ObbVolume.h b/model/ObbVolume.h
index 8f7ee94..bfcd3d2 100644
--- a/model/ObbVolume.h
+++ b/model/ObbVolume.h
@@ -29,7 +29,7 @@
*/
class ObbVolume : public VolumeBase {
public:
- ObbVolume(int id, const std::string& sourcePath, const std::string& sourceKey, gid_t ownerGid);
+ ObbVolume(int id, const std::string& sourcePath, gid_t ownerGid);
virtual ~ObbVolume();
protected:
@@ -40,12 +40,9 @@
private:
std::string mSourcePath;
- std::string mSourceKey;
gid_t mOwnerGid;
std::string mLoopPath;
- std::string mDmPath;
- std::string mMountPath;
DISALLOW_COPY_AND_ASSIGN(ObbVolume);
};
diff --git a/model/PrivateVolume.cpp b/model/PrivateVolume.cpp
index 1875b7b..a692ea9 100644
--- a/model/PrivateVolume.cpp
+++ b/model/PrivateVolume.cpp
@@ -173,6 +173,8 @@
if (PrepareDir(mPath + "/app", 0771, AID_SYSTEM, AID_SYSTEM) ||
PrepareDir(mPath + "/user", 0711, AID_SYSTEM, AID_SYSTEM) ||
PrepareDir(mPath + "/user_de", 0711, AID_SYSTEM, AID_SYSTEM) ||
+ PrepareDir(mPath + "/misc_ce", 0711, AID_SYSTEM, AID_SYSTEM) ||
+ PrepareDir(mPath + "/misc_de", 0711, AID_SYSTEM, AID_SYSTEM) ||
PrepareDir(mPath + "/media", 0770, AID_MEDIA_RW, AID_MEDIA_RW, attrs) ||
PrepareDir(mPath + "/media/0", 0770, AID_MEDIA_RW, AID_MEDIA_RW) ||
PrepareDir(mPath + "/local", 0751, AID_ROOT, AID_ROOT) ||
diff --git a/model/PublicVolume.cpp b/model/PublicVolume.cpp
index 8dae923..034fb23 100644
--- a/model/PublicVolume.cpp
+++ b/model/PublicVolume.cpp
@@ -97,7 +97,7 @@
}
status_t PublicVolume::doMount() {
- bool isVisible = getMountFlags() & MountFlags::kVisible;
+ bool isVisible = isVisibleForWrite();
readMetadata();
if (mFsType == "vfat" && vfat::IsSupported()) {
@@ -315,12 +315,14 @@
}
status_t PublicVolume::doFormat(const std::string& fsType) {
- bool useVfat = vfat::IsSupported();
- bool useExfat = exfat::IsSupported();
+ bool isVfatSup = vfat::IsSupported();
+ bool isExfatSup = exfat::IsSupported();
status_t res = OK;
- // Resolve the target filesystem type
- if (fsType == "auto" && useVfat && useExfat) {
+ enum { NONE, VFAT, EXFAT } fsPick = NONE;
+
+ // Resolve auto requests
+ if (fsType == "auto" && isVfatSup && isExfatSup) {
uint64_t size = 0;
res = GetBlockDevSize(mDevPath, &size);
@@ -331,29 +333,34 @@
// If both vfat & exfat are supported use exfat for SDXC (>~32GiB) cards
if (size > 32896LL * 1024 * 1024) {
- useVfat = false;
+ fsPick = EXFAT;
} else {
- useExfat = false;
+ fsPick = VFAT;
}
- } else if (fsType == "vfat") {
- useExfat = false;
- } else if (fsType == "exfat") {
- useVfat = false;
+ } else if (fsType == "auto" && isExfatSup) {
+ fsPick = EXFAT;
+ } else if (fsType == "auto" && isVfatSup) {
+ fsPick = VFAT;
}
- if (!useVfat && !useExfat) {
- LOG(ERROR) << "Unsupported filesystem " << fsType;
- return -EINVAL;
+ // Resolve explicit requests
+ if (fsType == "vfat" && isVfatSup) {
+ fsPick = VFAT;
+ } else if (fsType == "exfat" && isExfatSup) {
+ fsPick = EXFAT;
}
if (WipeBlockDevice(mDevPath) != OK) {
LOG(WARNING) << getId() << " failed to wipe";
}
- if (useVfat) {
+ if (fsPick == VFAT) {
res = vfat::Format(mDevPath, 0);
- } else if (useExfat) {
+ } else if (fsPick == EXFAT) {
res = exfat::Format(mDevPath);
+ } else {
+ LOG(ERROR) << "Unsupported filesystem " << fsType;
+ return -EINVAL;
}
if (res != OK) {
diff --git a/model/VolumeBase.h b/model/VolumeBase.h
index 689750d..f29df65 100644
--- a/model/VolumeBase.h
+++ b/model/VolumeBase.h
@@ -63,8 +63,14 @@
enum MountFlags {
/* Flag that volume is primary external storage */
kPrimary = 1 << 0,
- /* Flag that volume is visible to normal apps */
- kVisible = 1 << 1,
+ /*
+ * Flags indicating that volume is visible to normal apps.
+ * kVisibleForRead and kVisibleForWrite correspond to
+ * VolumeInfo.MOUNT_FLAG_VISIBLE_FOR_READ and
+ * VolumeInfo.MOUNT_FLAG_VISIBLE_FOR_WRITE, respectively.
+ */
+ kVisibleForRead = 1 << 1,
+ kVisibleForWrite = 1 << 2,
};
enum class State {
@@ -103,6 +109,9 @@
std::shared_ptr<VolumeBase> findVolume(const std::string& id);
bool isEmulated() { return mType == Type::kEmulated; }
+ bool isVisibleForRead() const { return (mMountFlags & MountFlags::kVisibleForRead) != 0; }
+ bool isVisibleForWrite() const { return (mMountFlags & MountFlags::kVisibleForWrite) != 0; }
+ bool isVisible() const { return isVisibleForRead() || isVisibleForWrite(); }
status_t create();
status_t destroy();
diff --git a/secdiscard.cpp b/secdiscard.cpp
index b91f321..490e5a1 100644
--- a/secdiscard.cpp
+++ b/secdiscard.cpp
@@ -97,7 +97,7 @@
TEMP_FAILURE_RETRY(open(target.c_str(), O_WRONLY | O_CLOEXEC, 0)));
if (fd == -1) {
LOG(ERROR) << "Secure discard open failed for: " << target;
- return 0;
+ continue;
}
__u32 set = 1;
ioctl(fd, F2FS_IOC_SET_PIN_FILE, &set);
diff --git a/tests/Android.bp b/tests/Android.bp
index cad96fd..da63d95 100644
--- a/tests/Android.bp
+++ b/tests/Android.bp
@@ -12,8 +12,31 @@
srcs: [
"Utils_test.cpp",
"VoldNativeServiceValidation_test.cpp",
- "cryptfs_test.cpp",
],
static_libs: ["libvold"],
shared_libs: ["libbinder"]
}
+
+cc_fuzz {
+ name: "vold_native_service_fuzzer",
+ defaults: [
+ "vold_default_flags",
+ "vold_default_libs",
+ "keystore2_use_latest_aidl_ndk_shared",
+ "service_fuzzer_defaults",
+ ],
+ static_libs: [
+ "libvold",
+ "android.security.maintenance-ndk",
+ "libkeymint_support",
+ ],
+ header_libs: ["libvold_headers"],
+ srcs: [
+ "VoldFuzzer.cpp",
+ ],
+ fuzz_config: {
+ cc: [
+ "maco@google.com",
+ ],
+ }
+}
diff --git a/tests/VoldFuzzer.cpp b/tests/VoldFuzzer.cpp
new file mode 100644
index 0000000..630a785
--- /dev/null
+++ b/tests/VoldFuzzer.cpp
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) 2023 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include <android-base/logging.h>
+#include <fuzzbinder/libbinder_driver.h>
+
+#include "VoldNativeService.h"
+#include "sehandle.h"
+
+using ::android::fuzzService;
+using ::android::sp;
+
+struct selabel_handle* sehandle;
+
+extern "C" int LLVMFuzzerInitialize(int argc, char argv) {
+ sehandle = selinux_android_file_context_handle();
+ if (!sehandle) {
+ LOG(ERROR) << "Failed to get SELinux file contexts handle in voldFuzzer!";
+ exit(1);
+ }
+ selinux_android_set_sehandle(sehandle);
+ return 0;
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+ auto voldService = sp<android::vold::VoldNativeService>::make();
+ fuzzService(voldService, FuzzedDataProvider(data, size));
+ return 0;
+}
\ No newline at end of file
diff --git a/tests/cryptfs_test.cpp b/tests/cryptfs_test.cpp
deleted file mode 100644
index 2093768..0000000
--- a/tests/cryptfs_test.cpp
+++ /dev/null
@@ -1,52 +0,0 @@
-/*
- * Copyright (C) 2017 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <gtest/gtest.h>
-
-#include "../cryptfs.h"
-
-namespace android {
-
-class CryptfsTest : public testing::Test {
- protected:
- virtual void SetUp() {}
-
- virtual void TearDown() {}
-};
-
-TEST_F(CryptfsTest, MatchMultiEntryTest) {
- ASSERT_NE(0, match_multi_entry("foo", "foo", 0));
- ASSERT_NE(0, match_multi_entry("foo_0", "foo", 0));
- ASSERT_NE(0, match_multi_entry("foo_1", "foo", 0));
- ASSERT_NE(0, match_multi_entry("foo_2", "foo", 0));
-
- ASSERT_EQ(0, match_multi_entry("foo", "foo", 1));
- ASSERT_EQ(0, match_multi_entry("foo_0", "foo", 1));
- ASSERT_NE(0, match_multi_entry("foo_1", "foo", 1));
- ASSERT_NE(0, match_multi_entry("foo_2", "foo", 1));
-
- ASSERT_EQ(0, match_multi_entry("foo", "foo", 2));
- ASSERT_EQ(0, match_multi_entry("foo_0", "foo", 2));
- ASSERT_EQ(0, match_multi_entry("foo_1", "foo", 2));
- ASSERT_NE(0, match_multi_entry("foo_2", "foo", 2));
-
- ASSERT_EQ(0, match_multi_entry("food", "foo", 0));
- ASSERT_EQ(0, match_multi_entry("foo", "food", 0));
- ASSERT_EQ(0, match_multi_entry("foo", "bar", 0));
- ASSERT_EQ(0, match_multi_entry("foo_2", "bar", 0));
-}
-
-} // namespace android
diff --git a/vdc.cpp b/vdc.cpp
index 47d98de..b63abbb 100644
--- a/vdc.cpp
+++ b/vdc.cpp
@@ -28,6 +28,7 @@
#include <sys/types.h>
#include <sys/un.h>
+#include "Utils.h"
#include "android/os/IVold.h"
#include <android-base/logging.h>
@@ -37,6 +38,7 @@
#include <android-base/strings.h>
#include <binder/IServiceManager.h>
#include <binder/Status.h>
+#include <utils/Errors.h>
#include <private/android_filesystem_config.h>
@@ -64,6 +66,26 @@
exit(ENOTTY);
}
+static void bindkeys(std::vector<std::string>& args, const android::sp<android::os::IVold>& vold) {
+ std::string raw_bytes;
+ const char* seed_value;
+
+ seed_value = getenv("SEED_VALUE");
+ if (seed_value == NULL) {
+ LOG(ERROR) << "Empty seed";
+ exit(EINVAL);
+ }
+
+ android::status_t status = android::vold::HexToStr(seed_value, raw_bytes);
+ if (status != android::OK) {
+ LOG(ERROR) << "Extraction of seed failed: " << status;
+ exit(status);
+ }
+
+ std::vector<uint8_t> seed{raw_bytes.begin(), raw_bytes.end()};
+ checkStatus(args, vold->setStorageBindingSeed(seed));
+}
+
int main(int argc, char** argv) {
setenv("ANDROID_LOG_TAGS", "*:v", 1);
if (getppid() == 1) {
@@ -94,26 +116,22 @@
checkStatus(args, vold->fbeEnable());
} else if (args[0] == "cryptfs" && args[1] == "init_user0") {
checkStatus(args, vold->initUser0());
- } else if (args[0] == "cryptfs" && args[1] == "enablecrypto") {
- int passwordType = android::os::IVold::PASSWORD_TYPE_DEFAULT;
- int encryptionFlags = android::os::IVold::ENCRYPTION_FLAG_NO_UI;
- checkStatus(args, vold->fdeEnable(passwordType, "", encryptionFlags));
- } else if (args[0] == "cryptfs" && args[1] == "mountdefaultencrypted") {
- checkStatus(args, vold->mountDefaultEncrypted());
} else if (args[0] == "volume" && args[1] == "abort_fuse") {
checkStatus(args, vold->abortFuse());
} else if (args[0] == "volume" && args[1] == "shutdown") {
checkStatus(args, vold->shutdown());
} else if (args[0] == "volume" && args[1] == "reset") {
checkStatus(args, vold->reset());
- } else if (args[0] == "cryptfs" && args[1] == "mountFstab" && args.size() == 4) {
- checkStatus(args, vold->mountFstab(args[2], args[3]));
- } else if (args[0] == "cryptfs" && args[1] == "encryptFstab" && args.size() == 6) {
+ } else if (args[0] == "cryptfs" && args[1] == "bindkeys") {
+ bindkeys(args, vold);
+ } else if (args[0] == "cryptfs" && args[1] == "mountFstab" && args.size() == 5) {
+ checkStatus(args, vold->mountFstab(args[2], args[3], args[4]));
+ } else if (args[0] == "cryptfs" && args[1] == "encryptFstab" && args.size() == 7) {
auto shouldFormat = android::base::ParseBool(args[4]);
if (shouldFormat == android::base::ParseBoolResult::kError) exit(EINVAL);
checkStatus(args, vold->encryptFstab(args[2], args[3],
shouldFormat == android::base::ParseBoolResult::kTrue,
- args[5]));
+ args[5], args[6]));
} else if (args[0] == "checkpoint" && args[1] == "supportsCheckpoint" && args.size() == 2) {
bool supported = false;
checkStatus(args, vold->supportsCheckpoint(&supported));
diff --git a/vdc.rc b/vdc.rc
deleted file mode 100644
index f2a8076..0000000
--- a/vdc.rc
+++ /dev/null
@@ -1,12 +0,0 @@
-# One shot invocation to deal with encrypted volume.
-on defaultcrypto
- exec - root -- /system/bin/vdc --wait cryptfs mountdefaultencrypted
- # vold will set vold.decrypt to trigger_restart_framework (default
- # encryption) or trigger_restart_min_framework (other encryption)
-
-# One shot invocation to encrypt unencrypted volumes
-on encrypt
- start surfaceflinger
- exec - root -- /system/bin/vdc --wait cryptfs enablecrypto
- # vold will set vold.decrypt to trigger_restart_framework (default
- # encryption)
diff --git a/vold.rc b/vold.rc
index 93d8786..bf72b0c 100644
--- a/vold.rc
+++ b/vold.rc
@@ -3,6 +3,8 @@
--fsck_context=u:r:fsck:s0 --fsck_untrusted_context=u:r:fsck_untrusted:s0
class core
ioprio be 2
- writepid /dev/cpuset/foreground/tasks
+ task_profiles ProcessCapacityHigh
shutdown critical
group root reserved_disk
+ user root
+ reboot_on_failure reboot,vold-failed
diff --git a/vold_prepare_subdirs.cpp b/vold_prepare_subdirs.cpp
index e2afb81..60e82f5 100644
--- a/vold_prepare_subdirs.cpp
+++ b/vold_prepare_subdirs.cpp
@@ -58,32 +58,32 @@
const std::string& path, uid_t user_id) {
auto clearfscreatecon = android::base::make_scope_guard([] { setfscreatecon(nullptr); });
auto secontext = std::unique_ptr<char, void (*)(char*)>(nullptr, freecon);
- if (sehandle) {
- char* tmp_secontext;
+ char* tmp_secontext;
- if (selabel_lookup(sehandle, &tmp_secontext, path.c_str(), S_IFDIR) == 0) {
- secontext.reset(tmp_secontext);
-
- if (user_id != (uid_t)-1) {
- if (selinux_android_context_with_level(secontext.get(), &tmp_secontext, user_id,
- (uid_t)-1) != 0) {
- PLOG(ERROR) << "Unable to create context with level for: " << path;
- return false;
- }
- secontext.reset(tmp_secontext); // Free the context
+ if (selabel_lookup(sehandle, &tmp_secontext, path.c_str(), S_IFDIR) == 0) {
+ secontext.reset(tmp_secontext);
+ if (user_id != (uid_t)-1) {
+ if (selinux_android_context_with_level(secontext.get(), &tmp_secontext, user_id,
+ (uid_t)-1) != 0) {
+ PLOG(ERROR) << "Unable to create context with level for: " << path;
+ return false;
}
+ secontext.reset(tmp_secontext);
}
+ if (setfscreatecon(secontext.get()) != 0) {
+ LOG(ERROR) << "Failed to setfscreatecon for directory " << path;
+ return false;
+ }
+ } else if (errno == ENOENT) {
+ LOG(DEBUG) << "No selabel defined for directory " << path;
+ } else {
+ PLOG(ERROR) << "Failed to look up selabel for directory " << path;
+ return false;
}
LOG(DEBUG) << "Setting up mode " << std::oct << mode << std::dec << " uid " << uid << " gid "
<< gid << " context " << (secontext ? secontext.get() : "null")
<< " on path: " << path;
- if (secontext) {
- if (setfscreatecon(secontext.get()) != 0) {
- PLOG(ERROR) << "Unable to setfscreatecon for: " << path;
- return false;
- }
- }
if (fs_prepare_dir(path.c_str(), mode, uid, gid) != 0) {
return false;
}
@@ -114,6 +114,9 @@
static bool rmrf_contents(const std::string& path) {
auto dirp = std::unique_ptr<DIR, int (*)(DIR*)>(opendir(path.c_str()), closedir);
if (!dirp) {
+ if (errno == ENOENT) {
+ return true;
+ }
PLOG(ERROR) << "Unable to open directory: " << path;
return false;
}
@@ -165,6 +168,10 @@
static bool prepare_subdirs(const std::string& volume_uuid, int user_id, int flags) {
struct selabel_handle* sehandle = selinux_android_file_context_handle();
+ if (!sehandle) {
+ LOG(ERROR) << "Failed to get SELinux file contexts handle";
+ return false;
+ }
if (flags & android::os::IVold::STORAGE_FLAG_DE) {
auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
@@ -172,8 +179,13 @@
return false;
}
+ auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
+ if (!prepare_dir_for_user(sehandle, 0771, AID_SYSTEM, AID_SYSTEM,
+ misc_de_path + "/sdksandbox", user_id)) {
+ return false;
+ }
+
if (volume_uuid.empty()) {
- auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
if (!prepare_dir(sehandle, 0700, 0, 0, misc_de_path + "/vold")) return false;
if (!prepare_dir(sehandle, 0700, 0, 0, misc_de_path + "/storaged")) return false;
if (!prepare_dir(sehandle, 0700, 0, 0, misc_de_path + "/rollback")) return false;
@@ -203,15 +215,33 @@
return false;
}
+ auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
+ if (!prepare_dir_for_user(sehandle, 0771, AID_SYSTEM, AID_SYSTEM,
+ misc_ce_path + "/sdksandbox", user_id)) {
+ return false;
+ }
+
if (volume_uuid.empty()) {
- auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/vold")) return false;
if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/storaged")) return false;
if (!prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/rollback")) return false;
-
// TODO: Return false if this returns false once sure this should succeed.
prepare_dir(sehandle, 0700, 0, 0, misc_ce_path + "/apexrollback");
prepare_apex_subdirs(sehandle, misc_ce_path);
+ // Give gmscore (who runs in cache group) access to the checkin directory. Also provide
+ // the user id to set the correct selinux mls_level.
+ if (!prepare_dir_for_user(sehandle, 0770, AID_SYSTEM, AID_CACHE,
+ misc_ce_path + "/checkin", user_id)) {
+ // TODO(b/203742483) the checkin directory was created with the wrong permission &
+ // context. Delete the directory to get these devices out of the bad state. Revert
+ // the change once the droidfood population is on newer build.
+ LOG(INFO) << "Failed to prepare the checkin directory, deleting for recreation";
+ android::vold::DeleteDirContentsAndDir(misc_ce_path + "/checkin");
+ if (!prepare_dir_for_user(sehandle, 0770, AID_SYSTEM, AID_CACHE,
+ misc_ce_path + "/checkin", user_id)) {
+ return false;
+ }
+ }
auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
if (!prepare_dir(sehandle, 0700, AID_SYSTEM, AID_SYSTEM, system_ce_path + "/backup")) {
@@ -233,18 +263,20 @@
static bool destroy_subdirs(const std::string& volume_uuid, int user_id, int flags) {
bool res = true;
- if (volume_uuid.empty()) {
- if (flags & android::os::IVold::STORAGE_FLAG_CE) {
- auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
- res &= rmrf_contents(misc_ce_path);
+ if (flags & android::os::IVold::STORAGE_FLAG_CE) {
+ auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
+ res &= rmrf_contents(misc_ce_path);
+ if (volume_uuid.empty()) {
auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
res &= rmrf_contents(vendor_ce_path);
}
- if (flags & android::os::IVold::STORAGE_FLAG_DE) {
- auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
- res &= rmrf_contents(misc_de_path);
+ }
+ if (flags & android::os::IVold::STORAGE_FLAG_DE) {
+ auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
+ res &= rmrf_contents(misc_de_path);
+ if (volume_uuid.empty()) {
auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
res &= rmrf_contents(vendor_de_path);
}
diff --git a/wait_for_keymaster.cpp b/wait_for_keymaster.cpp
deleted file mode 100644
index bf26518..0000000
--- a/wait_for_keymaster.cpp
+++ /dev/null
@@ -1,33 +0,0 @@
-/*
- * Copyright (C) 2018 The Android Open Source Project
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-#include <android-base/logging.h>
-
-#include "Keymaster.h"
-
-int main(int argc, char** argv) {
- setenv("ANDROID_LOG_TAGS", "*:v", 1);
- if (getppid() == 1) {
- // If init is calling us then it's during boot and we should log to kmsg
- android::base::InitLogging(argv, &android::base::KernelLogger);
- } else {
- android::base::InitLogging(argv, &android::base::StderrLogger);
- }
- LOG(INFO) << "Waiting for Keymaster device";
- android::vold::Keymaster keymaster;
- LOG(INFO) << "Keymaster device ready";
- return 0;
-}
diff --git a/wait_for_keymaster.rc b/wait_for_keymaster.rc
deleted file mode 100644
index 9e83a93..0000000
--- a/wait_for_keymaster.rc
+++ /dev/null
@@ -1,5 +0,0 @@
-service wait_for_keymaster /system/bin/wait_for_keymaster
- user root
- group root system
- priority -20
- ioprio rt 0