Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_vold / 8c1659e27155a5c52f5739f1a0c82576a672ce28^! / . / VoldNativeService.cpp
commit8c1659e27155a5c52f5739f1a0c82576a672ce28[log] [tgz]
authorEric Biggers <ebiggers@google.com>Tue Sep 06 21:29:14 2022 +0000
committerEric Biggers <ebiggers@google.com>Tue Sep 06 21:30:36 2022 +0000
tree3085204964646073ce392f9aecde18d71d0eeedd
parentc954f8d8bfbe3431e64e9d1aa86fa1855abb3656 [diff] [blame]
Make the CE key always be encrypted by the synthetic password

When generating a CE key, don't persist it immediately with
kEmptyAuthentication.  Instead, cache it in memory and persist it later
when the secret to protect it with is given.  This is needed to make it
so that the CE key is always encrypted by the user's synthetic password
while it is stored on-disk.  See the corresponding system_server changes
for more information about this design change and its motivation.

As part of this, simplify vold's Binder interface by replacing the three
methods addUserKeyAuth(), clearUserKeyAuth(), and
fixateNewestUserKeyAuth() with a single method setUserKeyProtection().
setUserKeyProtection() handles persisting the key for a new user or
re-encrypting the default-encrypted key for an existing unsecured user.

Bug: 232452368
Ignore-AOSP-First: This depends on frameworks/base changes that can only
                   be submitted to internal master, due to conflicts.
Test: see Ia753ea21bbaca8ef7a90c03fe73b66c896b1536e
Change-Id: Id36ba8ee343ccb6de7ec892c3f600abd636f6ce5

diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index ea2c98c..be0fa28 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp

@@ -610,27 +610,11 @@
     return translateBool(fscrypt_destroy_user_key(userId));
 }
 
-binder::Status VoldNativeService::addUserKeyAuth(int32_t userId, int32_t userSerial,
-                                                 const std::string& secret) {
+binder::Status VoldNativeService::setUserKeyProtection(int32_t userId, const std::string& secret) {
     ENFORCE_SYSTEM_OR_ROOT;
     ACQUIRE_CRYPT_LOCK;
 
-    return translateBool(fscrypt_add_user_key_auth(userId, userSerial, secret));
-}
-
-binder::Status VoldNativeService::clearUserKeyAuth(int32_t userId, int32_t userSerial,
-                                                   const std::string& secret) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    return translateBool(fscrypt_clear_user_key_auth(userId, userSerial, secret));
-}
-
-binder::Status VoldNativeService::fixateNewestUserKeyAuth(int32_t userId) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    return translateBool(fscrypt_fixate_newest_user_key_auth(userId));
+    return translateBool(fscrypt_set_user_key_protection(userId, secret));
 }
 
 binder::Status VoldNativeService::getUnlockedUsers(std::vector<int>* _aidl_return) {