Merge changes If530edaf,I7f11a135,I28412f24,Ia27a61fa,If221e239 into main

* changes:
  Revert "fskeyring & userspace reboot: support CE keys"
  Evict adoptable storage CE and DE keys when possible
  Don't erase key from s_new_ce_keys on eviction
  Call fscrypt_destroy_volume_keys() under mCryptLock
  Fold read_and_install_user_ce_key() into fscrypt_unlock_user_key()
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index 9d25740..45b062d 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -106,15 +106,25 @@
 // New CE keys that haven't been committed to disk yet
 std::map<userid_t, KeyBuffer> s_new_ce_keys;
 
+// CE key fixation operations that have been deferred to checkpoint commit
+std::map<std::string, std::string> s_deferred_fixations;
+
 // The system DE encryption policy
 EncryptionPolicy s_device_policy;
 
-// Map user ids to encryption policies
-std::map<userid_t, EncryptionPolicy> s_de_policies;
-std::map<userid_t, EncryptionPolicy> s_ce_policies;
+// Struct that holds the EncryptionPolicy for each CE or DE key that is currently installed
+// (added to the kernel) for a particular user
+struct UserPolicies {
+    // Internal storage policy.  Exists whenever a user's UserPolicies exists at all, and used
+    // instead of a map entry keyed by an empty UUID to make this invariant explicit.
+    EncryptionPolicy internal;
+    // Adoptable storage policies, indexed by (nonempty) volume UUID
+    std::map<std::string, EncryptionPolicy> adoptable;
+};
 
-// CE key fixation operations that have been deferred to checkpoint commit
-std::map<std::string, std::string> s_deferred_fixations;
+// The currently installed CE and DE keys for each user.  Protected by VolumeManager::mCryptLock.
+std::map<userid_t, UserPolicies> s_ce_policies;
+std::map<userid_t, UserPolicies> s_de_policies;
 
 }  // namespace
 
@@ -316,18 +326,6 @@
     return true;
 }
 
-static bool read_and_install_user_ce_key(userid_t user_id,
-                                         const android::vold::KeyAuthentication& auth) {
-    if (s_ce_policies.count(user_id) != 0) return true;
-    KeyBuffer ce_key;
-    if (!read_and_fixate_user_ce_key(user_id, auth, &ce_key)) return false;
-    EncryptionPolicy ce_policy;
-    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
-    s_ce_policies[user_id] = ce_policy;
-    LOG(DEBUG) << "Installed ce key for user " << user_id;
-    return true;
-}
-
 // Prepare a directory without assigning it an encryption policy.  The directory
 // will inherit the encryption policy of its parent directory, or will be
 // unencrypted if the parent directory is unencrypted.
@@ -410,7 +408,7 @@
         return false;
     EncryptionPolicy de_policy;
     if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
-    s_de_policies[user_id] = de_policy;
+    s_de_policies[user_id].internal = de_policy;
     LOG(INFO) << "Created DE key for user " << user_id;
     return true;
 }
@@ -428,21 +426,11 @@
     }
     EncryptionPolicy ce_policy;
     if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
-    s_ce_policies[user_id] = ce_policy;
+    s_ce_policies[user_id].internal = ce_policy;
     LOG(INFO) << "Created CE key for user " << user_id;
     return true;
 }
 
-static bool lookup_policy(const std::map<userid_t, EncryptionPolicy>& key_map, userid_t user_id,
-                          EncryptionPolicy* policy) {
-    auto refi = key_map.find(user_id);
-    if (refi == key_map.end()) {
-        return false;
-    }
-    *policy = refi->second;
-    return true;
-}
-
 static bool is_numeric(const char* name) {
     for (const char* p = name; *p != '\0'; p++) {
         if (!isdigit(*p)) return false;
@@ -482,8 +470,8 @@
         }
         EncryptionPolicy de_policy;
         if (!install_storage_key(DATA_MNT_POINT, s_data_options, de_key, &de_policy)) return false;
-        auto ret = s_de_policies.insert({user_id, de_policy});
-        if (!ret.second && ret.first->second != de_policy) {
+        const auto& [existing, is_new] = s_de_policies.insert({user_id, {de_policy, {}}});
+        if (!is_new && existing->second.internal != de_policy) {
             LOG(ERROR) << "DE policy for user" << user_id << " changed";
             return false;
         }
@@ -494,17 +482,6 @@
     return true;
 }
 
-// Attempt to reinstall CE keys for users that we think are unlocked.
-static bool try_reload_ce_keys() {
-    for (const auto& it : s_ce_policies) {
-        if (!android::vold::reloadKeyFromSessionKeyring(DATA_MNT_POINT, it.second)) {
-            LOG(ERROR) << "Failed to load CE key from session keyring for user " << it.first;
-            return false;
-        }
-    }
-    return true;
-}
-
 bool fscrypt_initialize_systemwide_keys() {
     LOG(INFO) << "fscrypt_initialize_systemwide_keys";
 
@@ -561,8 +538,8 @@
     // On first boot, we'll be creating /data/data for the first time, and user
     // 0's CE key will be installed already since it was just created.  Take the
     // opportunity to also set the encryption policy of /data/data right away.
-    EncryptionPolicy ce_policy;
-    if (lookup_policy(s_ce_policies, 0, &ce_policy)) {
+    if (s_ce_policies.count(0) != 0) {
+        const EncryptionPolicy& ce_policy = s_ce_policies[0].internal;
         if (!prepare_dir_with_policy(data_data_dir, 0771, AID_SYSTEM, AID_SYSTEM, ce_policy)) {
             // Preparing /data/data failed, yet we had just generated a new CE
             // key because one wasn't stored.  Before erroring out, try deleting
@@ -633,13 +610,6 @@
         return false;
     }
 
-    // In some scenarios (e.g. userspace reboot) we might unmount userdata
-    // without doing a hard reboot. If CE keys were stored in fs keyring then
-    // they will be lost after unmount. Attempt to re-install them.
-    if (IsFbeEnabled() && android::vold::isFsKeyringSupported()) {
-        if (!try_reload_ce_keys()) return false;
-    }
-
     fscrypt_init_user0_done = true;
     return true;
 }
@@ -683,30 +653,34 @@
     }
 }
 
-static bool evict_ce_key(userid_t user_id) {
+// Evicts all the user's keys of one type from all volumes (internal and adoptable).
+// This evicts either CE keys or DE keys, depending on which map is passed.
+static bool evict_user_keys(std::map<userid_t, UserPolicies>& policy_map, userid_t user_id) {
     bool success = true;
-    EncryptionPolicy policy;
-    // If we haven't loaded the CE key, no need to evict it.
-    if (lookup_policy(s_ce_policies, user_id, &policy)) {
-        success &= android::vold::evictKey(DATA_MNT_POINT, policy);
+    auto it = policy_map.find(user_id);
+    if (it != policy_map.end()) {
+        const UserPolicies& policies = it->second;
+        success &= android::vold::evictKey(BuildDataPath(""), policies.internal);
+        for (const auto& [volume_uuid, policy] : policies.adoptable) {
+            success &= android::vold::evictKey(BuildDataPath(volume_uuid), policy);
+        }
+        policy_map.erase(it);
         drop_caches_if_needed();
     }
-    s_ce_policies.erase(user_id);
-    s_new_ce_keys.erase(user_id);
     return success;
 }
 
+// Evicts and destroys all CE and DE keys for a user.  This is called when the user is removed.
 bool fscrypt_destroy_user_key(userid_t user_id) {
     LOG(DEBUG) << "fscrypt_destroy_user_key(" << user_id << ")";
     if (!IsFbeEnabled()) {
         return true;
     }
     bool success = true;
-    success &= evict_ce_key(user_id);
-    EncryptionPolicy de_policy;
-    success &= lookup_policy(s_de_policies, user_id, &de_policy) &&
-               android::vold::evictKey(DATA_MNT_POINT, de_policy);
-    s_de_policies.erase(user_id);
+
+    success &= evict_user_keys(s_ce_policies, user_id);
+    success &= evict_user_keys(s_de_policies, user_id);
+
     if (!s_ephemeral_users.erase(user_id)) {
         auto ce_path = get_ce_key_directory_path(user_id);
         if (!s_new_ce_keys.erase(user_id)) {
@@ -759,7 +733,7 @@
 }
 
 static bool read_or_create_volkey(const std::string& misc_path, const std::string& volume_uuid,
-                                  EncryptionPolicy* policy) {
+                                  UserPolicies& user_policies, EncryptionPolicy* policy) {
     auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
     std::string secdiscardable_hash;
     if (android::vold::pathExists(secdiscardable_path)) {
@@ -780,6 +754,7 @@
     if (!retrieveOrGenerateKey(key_path, key_path + "_tmp", auth, makeGen(options), &key))
         return false;
     if (!install_storage_key(BuildDataPath(volume_uuid), options, key, policy)) return false;
+    user_policies.adoptable[volume_uuid] = *policy;
     return true;
 }
 
@@ -887,37 +862,38 @@
 
 std::vector<int> fscrypt_get_unlocked_users() {
     std::vector<int> user_ids;
-    for (const auto& it : s_ce_policies) {
-        user_ids.push_back(it.first);
+    for (const auto& [user_id, user_policies] : s_ce_policies) {
+        user_ids.push_back(user_id);
     }
     return user_ids;
 }
 
-// TODO: rename to 'install' for consistency, and take flags to know which keys to install
+// Unlocks internal CE storage for the given user.  This only unlocks internal storage, since
+// fscrypt_prepare_user_storage() has to be called for each adoptable storage volume anyway (since
+// the volume might have been absent when the user was created), and that handles the unlocking.
 bool fscrypt_unlock_user_key(userid_t user_id, int serial, const std::string& secret_hex) {
     LOG(DEBUG) << "fscrypt_unlock_user_key " << user_id << " serial=" << serial;
-    if (IsFbeEnabled()) {
-        if (s_ce_policies.count(user_id) != 0) {
-            LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id;
-            return true;
-        }
-        auto auth = authentication_from_hex(secret_hex);
-        if (!auth) return false;
-        if (!read_and_install_user_ce_key(user_id, *auth)) {
-            LOG(ERROR) << "Couldn't read key for " << user_id;
-            return false;
-        }
+    if (!IsFbeEnabled()) return true;
+    if (s_ce_policies.count(user_id) != 0) {
+        LOG(WARNING) << "Tried to unlock already-unlocked key for user " << user_id;
+        return true;
     }
+    auto auth = authentication_from_hex(secret_hex);
+    if (!auth) return false;
+    KeyBuffer ce_key;
+    if (!read_and_fixate_user_ce_key(user_id, *auth, &ce_key)) return false;
+    EncryptionPolicy ce_policy;
+    if (!install_storage_key(DATA_MNT_POINT, s_data_options, ce_key, &ce_policy)) return false;
+    s_ce_policies[user_id].internal = ce_policy;
+    LOG(DEBUG) << "Installed ce key for user " << user_id;
     return true;
 }
 
-// TODO: rename to 'evict' for consistency
+// Locks CE storage for the given user.  This locks both internal and adoptable storage.
 bool fscrypt_lock_user_key(userid_t user_id) {
     LOG(DEBUG) << "fscrypt_lock_user_key " << user_id;
-    if (IsFbeEnabled()) {
-        return evict_ce_key(user_id);
-    }
-    return true;
+    if (!IsFbeEnabled()) return true;
+    return evict_user_keys(s_ce_policies, user_id);
 }
 
 static bool prepare_subdirs(const std::string& action, const std::string& volume_uuid,
@@ -967,14 +943,18 @@
         auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
 
         if (IsFbeEnabled()) {
+            auto it = s_de_policies.find(user_id);
+            if (it == s_de_policies.end()) {
+                LOG(ERROR) << "Cannot find DE policy for user " << user_id;
+                return false;
+            }
+            UserPolicies& user_de_policies = it->second;
             if (volume_uuid.empty()) {
-                if (!lookup_policy(s_de_policies, user_id, &de_policy)) {
-                    LOG(ERROR) << "Cannot find DE policy for user " << user_id;
-                    return false;
-                }
+                de_policy = user_de_policies.internal;
             } else {
                 auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
-                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, &de_policy)) {
+                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, user_de_policies,
+                                           &de_policy)) {
                     return false;
                 }
             }
@@ -1011,14 +991,18 @@
         auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
 
         if (IsFbeEnabled()) {
+            auto it = s_ce_policies.find(user_id);
+            if (it == s_ce_policies.end()) {
+                LOG(ERROR) << "Cannot find CE policy for user " << user_id;
+                return false;
+            }
+            UserPolicies& user_ce_policies = it->second;
             if (volume_uuid.empty()) {
-                if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) {
-                    LOG(ERROR) << "Cannot find CE policy for user " << user_id;
-                    return false;
-                }
+                ce_policy = user_ce_policies.internal;
             } else {
                 auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
-                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, &ce_policy)) {
+                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, user_ce_policies,
+                                           &ce_policy)) {
                     return false;
                 }
             }
@@ -1148,12 +1132,27 @@
     return res;
 }
 
+static void erase_volume_policies(std::map<userid_t, UserPolicies>& policy_map,
+                                  const std::string& volume_uuid) {
+    for (auto& [user_id, user_policies] : policy_map) {
+        user_policies.adoptable.erase(volume_uuid);
+    }
+}
+
+// Destroys all CE and DE keys for an adoptable storage volume that is permanently going away.
+// Requires VolumeManager::mCryptLock.
 bool fscrypt_destroy_volume_keys(const std::string& volume_uuid) {
+    if (!IsFbeEnabled()) return true;
     bool res = true;
     LOG(DEBUG) << "fscrypt_destroy_volume_keys for volume " << escape_empty(volume_uuid);
     auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
     res &= android::vold::runSecdiscardSingle(secdiscardable_path);
     res &= destroy_volume_keys("/data/misc_ce", volume_uuid);
     res &= destroy_volume_keys("/data/misc_de", volume_uuid);
+    // Drop the CE and DE policies stored in memory, as they are not needed anymore.  Note that it's
+    // not necessary to also evict the corresponding keys from the kernel, as that happens
+    // automatically as a result of the volume being unmounted.
+    erase_volume_policies(s_ce_policies, volume_uuid);
+    erase_volume_policies(s_de_policies, volume_uuid);
     return res;
 }
diff --git a/KeyUtil.cpp b/KeyUtil.cpp
index 5a8b550..9e8920d 100644
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@@ -164,7 +164,7 @@
     return true;
 }
 
-// Add an encryption key of type "logon" to the global session keyring.
+// Add an encryption key to the legacy global session keyring.
 static bool installKeyLegacy(const KeyBuffer& key, const std::string& raw_ref) {
     // Place fscrypt_key into automatically zeroing buffer.
     KeyBuffer fsKeyBuffer(sizeof(fscrypt_key));
@@ -187,32 +187,6 @@
     return true;
 }
 
-// Installs fscrypt-provisioning key into session level kernel keyring.
-// This allows for the given key to be installed back into filesystem keyring.
-// For more context see reloadKeyFromSessionKeyring.
-static bool installProvisioningKey(const KeyBuffer& key, const std::string& ref,
-                                   const fscrypt_key_specifier& key_spec) {
-    key_serial_t device_keyring;
-    if (!fscryptKeyring(&device_keyring)) return false;
-
-    // Place fscrypt_provisioning_key_payload into automatically zeroing buffer.
-    KeyBuffer buf(sizeof(fscrypt_provisioning_key_payload) + key.size(), 0);
-    fscrypt_provisioning_key_payload& provisioning_key =
-            *reinterpret_cast<fscrypt_provisioning_key_payload*>(buf.data());
-    memcpy(provisioning_key.raw, key.data(), key.size());
-    provisioning_key.type = key_spec.type;
-
-    key_serial_t key_id = add_key("fscrypt-provisioning", ref.c_str(), (void*)&provisioning_key,
-                                  buf.size(), device_keyring);
-    if (key_id == -1) {
-        PLOG(ERROR) << "Failed to insert fscrypt-provisioning key for " << ref
-                    << " into session keyring";
-        return false;
-    }
-    LOG(DEBUG) << "Added fscrypt-provisioning key for " << ref << " to session keyring";
-    return true;
-}
-
 // Build a struct fscrypt_key_specifier for use in the key management ioctls.
 static bool buildKeySpecifier(fscrypt_key_specifier* spec, const EncryptionPolicy& policy) {
     switch (policy.options.version) {
@@ -240,34 +214,6 @@
     }
 }
 
-// Installs key into keyring of a filesystem mounted on |mountpoint|.
-//
-// It's callers responsibility to fill key specifier, and either arg->raw or arg->key_id.
-//
-// In case arg->key_spec.type equals to FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER
-// arg->key_spec.u.identifier will be populated with raw key reference generated
-// by kernel.
-//
-// For documentation on difference between arg->raw and arg->key_id see
-// https://www.kernel.org/doc/html/latest/filesystems/fscrypt.html#fs-ioc-add-encryption-key
-static bool installFsKeyringKey(const std::string& mountpoint, const EncryptionOptions& options,
-                                fscrypt_add_key_arg* arg) {
-    if (options.use_hw_wrapped_key) arg->__flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
-
-    android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
-    if (fd == -1) {
-        PLOG(ERROR) << "Failed to open " << mountpoint << " to install key";
-        return false;
-    }
-
-    if (ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg) != 0) {
-        PLOG(ERROR) << "Failed to install fscrypt key to " << mountpoint;
-        return false;
-    }
-
-    return true;
-}
-
 bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
                 const KeyBuffer& key, EncryptionPolicy* policy) {
     const std::lock_guard<std::mutex> lock(fscrypt_keyring_mutex);
@@ -304,24 +250,33 @@
             return false;
     }
 
+    if (options.use_hw_wrapped_key) arg->__flags |= __FSCRYPT_ADD_KEY_FLAG_HW_WRAPPED;
+    // Provide the raw key.
     arg->raw_size = key.size();
     memcpy(arg->raw, key.data(), key.size());
 
-    if (!installFsKeyringKey(mountpoint, options, arg)) return false;
+    android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
+    if (fd == -1) {
+        PLOG(ERROR) << "Failed to open " << mountpoint << " to install key";
+        return false;
+    }
+
+    if (ioctl(fd, FS_IOC_ADD_ENCRYPTION_KEY, arg) != 0) {
+        PLOG(ERROR) << "Failed to install fscrypt key to " << mountpoint;
+        return false;
+    }
 
     if (arg->key_spec.type == FSCRYPT_KEY_SPEC_TYPE_IDENTIFIER) {
         // Retrieve the key identifier that the kernel computed.
         policy->key_raw_ref =
                 std::string((char*)arg->key_spec.u.identifier, FSCRYPT_KEY_IDENTIFIER_SIZE);
     }
-    std::string ref = keyrefstring(policy->key_raw_ref);
-    LOG(DEBUG) << "Installed fscrypt key with ref " << ref << " to " << mountpoint;
-
-    if (!installProvisioningKey(key, ref, arg->key_spec)) return false;
+    LOG(DEBUG) << "Installed fscrypt key with ref " << keyrefstring(policy->key_raw_ref) << " to "
+               << mountpoint;
     return true;
 }
 
-// Remove an encryption key of type "logon" from the global session keyring.
+// Remove an encryption key from the legacy global session keyring.
 static bool evictKeyLegacy(const std::string& raw_ref) {
     key_serial_t device_keyring;
     if (!fscryptKeyring(&device_keyring)) return false;
@@ -344,26 +299,6 @@
     return success;
 }
 
-static bool evictProvisioningKey(const std::string& ref) {
-    key_serial_t device_keyring;
-    if (!fscryptKeyring(&device_keyring)) {
-        return false;
-    }
-
-    auto key_serial = keyctl_search(device_keyring, "fscrypt-provisioning", ref.c_str(), 0);
-    if (key_serial == -1 && errno != ENOKEY) {
-        PLOG(ERROR) << "Error searching session keyring for fscrypt-provisioning key for " << ref;
-        return false;
-    }
-
-    if (key_serial != -1 && keyctl_unlink(key_serial, device_keyring) != 0) {
-        PLOG(ERROR) << "Failed to unlink fscrypt-provisioning key for " << ref
-                    << " from session keyring";
-        return false;
-    }
-    return true;
-}
-
 static void waitForBusyFiles(const struct fscrypt_key_specifier key_spec, const std::string ref,
                              const std::string mountpoint) {
     android::base::unique_fd fd(open(mountpoint.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC));
@@ -462,8 +397,6 @@
         std::thread busyFilesThread(waitForBusyFiles, arg.key_spec, ref, mountpoint);
         busyFilesThread.detach();
     }
-
-    if (!evictProvisioningKey(ref)) return false;
     return true;
 }
 
@@ -485,31 +418,5 @@
     return true;
 }
 
-bool reloadKeyFromSessionKeyring(const std::string& mountpoint, const EncryptionPolicy& policy) {
-    key_serial_t device_keyring;
-    if (!fscryptKeyring(&device_keyring)) {
-        return false;
-    }
-
-    std::string ref = keyrefstring(policy.key_raw_ref);
-    auto key_serial = keyctl_search(device_keyring, "fscrypt-provisioning", ref.c_str(), 0);
-    if (key_serial == -1) {
-        PLOG(ERROR) << "Failed to find fscrypt-provisioning key for " << ref
-                    << " in session keyring";
-        return false;
-    }
-
-    LOG(DEBUG) << "Installing fscrypt-provisioning key for " << ref << " back into " << mountpoint
-               << " fs-keyring";
-
-    struct fscrypt_add_key_arg arg;
-    memset(&arg, 0, sizeof(arg));
-    if (!buildKeySpecifier(&arg.key_spec, policy)) return false;
-    arg.key_id = key_serial;
-    if (!installFsKeyringKey(mountpoint, policy.options, &arg)) return false;
-
-    return true;
-}
-
 }  // namespace vold
 }  // namespace android
diff --git a/KeyUtil.h b/KeyUtil.h
index 5940b8a..17a234e 100644
--- a/KeyUtil.h
+++ b/KeyUtil.h
@@ -49,16 +49,11 @@
 // on the specified filesystem using the specified encryption policy version.
 //
 // For v1 policies, we use FS_IOC_ADD_ENCRYPTION_KEY if the kernel supports it.
-// Otherwise we add the key to the global session keyring as a "logon" key.
+// Otherwise we add the key to the legacy global session keyring.
 //
 // For v2 policies, we always use FS_IOC_ADD_ENCRYPTION_KEY; it's the only way
 // the kernel supports.
 //
-// If kernel supports FS_IOC_ADD_ENCRYPTION_KEY, also installs key of
-// fscrypt-provisioning type to the global session keyring. This makes it
-// possible to unmount and then remount mountpoint without losing the file-based
-// key.
-//
 // Returns %true on success, %false on failure.  On success also sets *policy
 // to the EncryptionPolicy used to refer to this key.
 bool installKey(const std::string& mountpoint, const android::fscrypt::EncryptionOptions& options,
@@ -66,10 +61,10 @@
 
 // Evict a file-based encryption key from the kernel.
 //
-// This undoes the effect of installKey().
+// We use FS_IOC_REMOVE_ENCRYPTION_KEY if the kernel supports it.  Otherwise we
+// remove the key from the legacy global session keyring.
 //
-// If the kernel doesn't support the filesystem-level keyring, the caller is
-// responsible for dropping caches.
+// In the latter case, the caller is responsible for dropping caches.
 bool evictKey(const std::string& mountpoint, const android::fscrypt::EncryptionPolicy& policy);
 
 // Retrieves the key from the named directory, or generates it if it doesn't
@@ -78,11 +73,6 @@
                            const KeyAuthentication& key_authentication, const KeyGeneration& gen,
                            KeyBuffer* key);
 
-// Re-installs a file-based encryption key of fscrypt-provisioning type from the
-// global session keyring back into fs keyring of the mountpoint.
-bool reloadKeyFromSessionKeyring(const std::string& mountpoint,
-                                 const android::fscrypt::EncryptionPolicy& policy);
-
 }  // namespace vold
 }  // namespace android
 
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index bcca50a..d51652b 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -256,9 +256,19 @@
     ENFORCE_SYSTEM_OR_ROOT;
     CHECK_ARGUMENT_HEX(partGuid);
     CHECK_ARGUMENT_HEX(fsUuid);
-    ACQUIRE_LOCK;
+    bool success = true;
 
-    return translate(VolumeManager::Instance()->forgetPartition(partGuid, fsUuid));
+    {
+        ACQUIRE_LOCK;
+        success &= VolumeManager::Instance()->forgetPartition(partGuid, fsUuid);
+    }
+
+    {
+        ACQUIRE_CRYPT_LOCK;
+        success &= fscrypt_destroy_volume_keys(fsUuid);
+    }
+
+    return translateBool(success);
 }
 
 binder::Status VoldNativeService::mount(
diff --git a/VolumeManager.cpp b/VolumeManager.cpp
index db356db..c981f2d 100644
--- a/VolumeManager.cpp
+++ b/VolumeManager.cpp
@@ -349,25 +349,19 @@
     }
 }
 
-int VolumeManager::forgetPartition(const std::string& partGuid, const std::string& fsUuid) {
+bool VolumeManager::forgetPartition(const std::string& partGuid, const std::string& fsUuid) {
     std::string normalizedGuid;
     if (android::vold::NormalizeHex(partGuid, normalizedGuid)) {
         LOG(WARNING) << "Invalid GUID " << partGuid;
-        return -1;
+        return false;
     }
 
-    bool success = true;
     std::string keyPath = android::vold::BuildKeyPath(normalizedGuid);
     if (unlink(keyPath.c_str()) != 0) {
         LOG(ERROR) << "Failed to unlink " << keyPath;
-        success = false;
+        return false;
     }
-    if (IsFbeEnabled()) {
-        if (!fscrypt_destroy_volume_keys(fsUuid)) {
-            success = false;
-        }
-    }
-    return success ? 0 : -1;
+    return true;
 }
 
 void VolumeManager::destroyEmulatedVolumesForUser(userid_t userId) {
diff --git a/VolumeManager.h b/VolumeManager.h
index 2d6b968..fb6081f 100644
--- a/VolumeManager.h
+++ b/VolumeManager.h
@@ -106,7 +106,7 @@
 
     userid_t getSharedStorageUser(userid_t userId);
 
-    int forgetPartition(const std::string& partGuid, const std::string& fsUuid);
+    bool forgetPartition(const std::string& partGuid, const std::string& fsUuid);
 
     int onUserAdded(userid_t userId, int userSerialNumber, userid_t cloneParentUserId);
     int onUserRemoved(userid_t userId);