On newer devices, use dm-default-key to encrypt SD cards
The dm-crypt solution requires a kernel patch that won't be present in
the GKI kernel, while the new metadata encryption system in the GKI
kernel solves this problem in a much cleaner way.
Test: create private volume on Cuttlefish, setting property both ways.
Bug: 147814592
Change-Id: Ie02bd647c38d8101af2bbc47637f65845d312cea
diff --git a/model/Disk.cpp b/model/Disk.cpp
index f92435d..6a6585e 100644
--- a/model/Disk.cpp
+++ b/model/Disk.cpp
@@ -16,11 +16,11 @@
#include "Disk.h"
#include "FsCrypt.h"
-#include "KeyUtil.h"
#include "PrivateVolume.h"
#include "PublicVolume.h"
#include "Utils.h"
#include "VolumeBase.h"
+#include "VolumeEncryption.h"
#include "VolumeManager.h"
#include <android-base/file.h>
@@ -31,8 +31,6 @@
#include <android-base/strings.h>
#include <fscrypt/fscrypt.h>
-#include "cryptfs.h"
-
#include <fcntl.h>
#include <inttypes.h>
#include <stdio.h>
@@ -507,7 +505,7 @@
}
KeyBuffer key;
- if (!generateStorageKey(cryptfs_get_keygen(), &key)) {
+ if (!generate_volume_key(&key)) {
LOG(ERROR) << "Failed to generate key";
return -EIO;
}
diff --git a/model/PrivateVolume.cpp b/model/PrivateVolume.cpp
index 4a0b250..fd3daea 100644
--- a/model/PrivateVolume.cpp
+++ b/model/PrivateVolume.cpp
@@ -17,8 +17,8 @@
#include "PrivateVolume.h"
#include "EmulatedVolume.h"
#include "Utils.h"
+#include "VolumeEncryption.h"
#include "VolumeManager.h"
-#include "cryptfs.h"
#include "fs/Ext4.h"
#include "fs/F2fs.h"
@@ -75,9 +75,8 @@
// TODO: figure out better SELinux labels for private volumes
- int res = cryptfs_setup_ext_volume(getId().c_str(), mRawDevPath.c_str(), mKeyRaw, &mDmDevPath);
- if (res != 0) {
- PLOG(ERROR) << getId() << " failed to setup cryptfs";
+ if (!setup_ext_volume(getId(), mRawDevPath, mKeyRaw, &mDmDevPath)) {
+ LOG(ERROR) << getId() << " failed to setup metadata encryption";
return -EIO;
}
diff --git a/model/VolumeEncryption.cpp b/model/VolumeEncryption.cpp
new file mode 100644
index 0000000..5b0e73d
--- /dev/null
+++ b/model/VolumeEncryption.cpp
@@ -0,0 +1,94 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "VolumeEncryption.h"
+
+#include <string>
+
+#include <android-base/logging.h>
+#include <android-base/properties.h>
+
+#include "KeyBuffer.h"
+#include "KeyUtil.h"
+#include "MetadataCrypt.h"
+#include "cryptfs.h"
+
+namespace android {
+namespace vold {
+
+enum class VolumeMethod { kFailed, kCrypt, kDefaultKey };
+
+static VolumeMethod lookup_volume_method() {
+ constexpr uint64_t pre_gki_level = 29;
+ auto first_api_level =
+ android::base::GetUintProperty<uint64_t>("ro.product.first_api_level", 0);
+ auto method = android::base::GetProperty("ro.crypto.volume.metadata.method", "default");
+ if (method == "default") {
+ return first_api_level > pre_gki_level ? VolumeMethod::kDefaultKey : VolumeMethod::kCrypt;
+ } else if (method == "dm-default-key") {
+ return VolumeMethod::kDefaultKey;
+ } else if (method == "dm-crypt") {
+ if (first_api_level > pre_gki_level) {
+ LOG(ERROR) << "volume encryption method dm-crypt cannot be used, "
+ "ro.product.first_api_level = "
+ << first_api_level;
+ return VolumeMethod::kFailed;
+ }
+ return VolumeMethod::kCrypt;
+ } else {
+ LOG(ERROR) << "Unknown volume encryption method: " << method;
+ return VolumeMethod::kFailed;
+ }
+}
+
+static VolumeMethod volume_method() {
+ static VolumeMethod method = lookup_volume_method();
+ return method;
+}
+
+bool generate_volume_key(android::vold::KeyBuffer* key) {
+ KeyGeneration gen;
+ switch (volume_method()) {
+ case VolumeMethod::kFailed:
+ LOG(ERROR) << "Volume encryption setup failed";
+ return false;
+ case VolumeMethod::kCrypt:
+ gen = cryptfs_get_keygen();
+ break;
+ case VolumeMethod::kDefaultKey:
+ if (!defaultkey_volume_keygen(&gen)) return false;
+ break;
+ }
+ if (!generateStorageKey(gen, key)) return false;
+ return true;
+}
+
+bool setup_ext_volume(const std::string& label, const std::string& blk_device,
+ const android::vold::KeyBuffer& key, std::string* out_crypto_blkdev) {
+ switch (volume_method()) {
+ case VolumeMethod::kFailed:
+ LOG(ERROR) << "Volume encryption setup failed";
+ return false;
+ case VolumeMethod::kCrypt:
+ return cryptfs_setup_ext_volume(label.c_str(), blk_device.c_str(), key,
+ out_crypto_blkdev) == 0;
+ case VolumeMethod::kDefaultKey:
+ return defaultkey_setup_ext_volume(label, blk_device, key, out_crypto_blkdev);
+ }
+}
+
+} // namespace vold
+} // namespace android
diff --git a/model/VolumeEncryption.h b/model/VolumeEncryption.h
new file mode 100644
index 0000000..d06c12b
--- /dev/null
+++ b/model/VolumeEncryption.h
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) 2020 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#pragma once
+
+#include <string>
+
+#include "KeyBuffer.h"
+
+namespace android {
+namespace vold {
+
+bool generate_volume_key(android::vold::KeyBuffer* key);
+
+bool setup_ext_volume(const std::string& label, const std::string& blk_device,
+ const android::vold::KeyBuffer& key, std::string* out_crypto_blkdev);
+
+} // namespace vold
+} // namespace android