commit | 7cee8f29c2df1afcea04b02386726f0c1fae8b69 | [log] [tgz] |
---|---|---|
author | Eric Biggers <ebiggers@google.com> | Tue Jan 21 11:22:05 2020 -0800 |
committer | Gina Dimino <gdimino@google.com> | Tue Jul 21 19:58:55 2020 +0000 |
tree | 10b37b2fdc5dc0bad08d9043fd19aba5f99df0a8 | |
parent | ca55e5cc150f37d34ebf4fa37519d6a6e321dd09 [diff] |
CDD: mandate non-reversible FBE key derivation function

The kernel portion of FBE originally used an AES-128-ECB based Key Derivation Function (KDF) to derive per-file keys. While this met the original security requirements, it is not a standard KDF and it does not follow cryptographic best practices. For example, it is reversible, so if a single file's key was compromised then all other files protected by the same FBE policy were too. It is also inflexible, making it hard to add new features to FBE and encouraging poor practices like reusing the FBE master keys for both encryption and key derivation.

Android R supports a new FBE policy version which uses HKDF-SHA512 to derive all subkeys from the master key. It can be enabled using an fstab option like "fileencryption=aes-256-xts:aes-256-cts:v2". It is also the default setting when the shipping API level is >= R. Kernel support is in android-4.14 and later, and in the upstream Linux kernel.

So, start requiring that a strong KDF be used and that FBE keys are not used for different cryptographic purposes. As with the other storage encryption format requirements, this only applies to new devices; this is covered by the paragraph at the beginning of section 9.9.

This requirement does not require any special hardware support, and the new KDF performs as well or better than the old KDF.

Bug: 144509061
Change-Id: Ie8b8df0a19be21dcfb7aed18aa3ac7e9c7e2b893
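Added example (not part of this commit or of the Android/kernel code): a small Go model of the two derivations the commit message contrasts, to show why the old KDF exposes the master key and the HKDF-SHA512 one does not. The v1 construction (file nonce used as the AES-128-ECB key, master key as plaintext) is assumed from the upstream fscrypt v1 documentation; the v2 `info` layout and every key and nonce value are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha512"
)

// ecb runs AES-128-ECB block by block with the file's 16-byte nonce as the AES key.
func ecb(nonce, in []byte, decrypt bool) []byte {
	block, _ := aes.NewCipher(nonce)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += 16 {
		if decrypt {
			block.Decrypt(out[i:i+16], in[i:i+16])
		} else {
			block.Encrypt(out[i:i+16], in[i:i+16])
		}
	}
	return out
}
// deriveV1 models the old KDF (assumed, as in upstream fscrypt v1): AES-128-ECB(key=nonce, data=master).
func deriveV1(master, nonce []byte) []byte { return ecb(nonce, master, false) }
// recoverMasterV1 is the reversibility the commit describes: a leaked per-file key plus its on-disk nonce yields the master key.
func recoverMasterV1(fileKey, nonce []byte) []byte { return ecb(nonce, fileKey, true) }
// hkdfSHA512 is RFC 5869 extract-then-expand; nil salt means HashLen zero bytes.
func hkdfSHA512(ikm, salt, info []byte, length int) []byte {
	if salt == nil {
		salt = make([]byte, sha512.Size)
	}
	ext := hmac.New(sha512.New, salt)
	ext.Write(ikm)
	prk := ext.Sum(nil) // PRK = HMAC-SHA512(salt, IKM)
	var okm, t []byte
	for ctr := byte(1); len(okm) < length; ctr++ {
		h := hmac.New(sha512.New, prk) // T(i) = HMAC(PRK, T(i-1) | info | i)
		h.Write(t)
		h.Write(info)
		h.Write([]byte{ctr})
		t = h.Sum(nil)
		okm = append(okm, t...)
	}
	return okm[:length]
}
// deriveV2 models the v2 policy: master key is HKDF input only; subkey bound to a purpose string + nonce (constructed layout).
func deriveV2(master, nonce []byte) []byte {
	return hkdfSHA512(master, nil, append([]byte("example-per-file-key\x00"), nonce...), 64)
}
```

Because HKDF is one-way, holding a v2 per-file key and its nonce gives no path back to the master key, and a different purpose string in `info` yields an unrelated subkey, which is what lets one master key safely serve several cryptographic purposes.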
See instructions in cdd_gen.sh