Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / system / vold / 83a73d7d5025c5c3148ccf655ea68aacb4885160^! / . / KeyUtil.h
commit83a73d7d5025c5c3148ccf655ea68aacb4885160[log] [tgz]
authorEric Biggers <ebiggers@google.com>Mon Sep 30 13:06:47 2019 -0700
committerEric Biggers <ebiggers@google.com>Fri Oct 04 16:04:36 2019 -0700
treef3cd1fcf2da043870f94e0ee997c68a6f0db87e6
parentf3dc4203ddb18b41a9ed137af02519f85180a1f7 [diff] [blame]
vold: support v2 encryption policies

Add support for setting v2 encryption policies when configured in the
fstab (for internal storage) or in system properties (for adoptable
storage), and for installing and evicting the keys for such policies.

v2 policies support the same encryption modes and flags as v1 policies,
but internally they use a more standard, secure, and flexible KDF.  Due
to this, some future features will be supported by v2 policies only.

Bug: 140500999
Test: Configured a device to use v2 encryption policies (applied the
      needed kernel patches and added
      "fileencryption=aes-256-xts:aes-256-cts:v2" to fstab, and set the
      corresponding system properties for adoptable storage).  Wiped
      userdata, booted device and checked logs to verify that v2
      policies were being used.

      Also enabled virtual SD card and formatted as adoptable storage;
      verified it works and that v2 policies were being used on it.

      Also created, started, and stopped a 2nd user and verified their
      keys were evicted.

      Also verified that the device comes up again after rebooting.

      Also verified that a device using v1 encryption policies continues
      to work, both with and without an updated kernel -- including
      stopping a user so that their keys get evicted.

Change-Id: If64028d8580584b2c33c614cabd5d6b93657f608

diff --git a/KeyUtil.h b/KeyUtil.h
index 146f4d3..f6799d9 100644
--- a/KeyUtil.h
+++ b/KeyUtil.h

@@ -30,11 +30,13 @@
 
 bool isFsKeyringSupported(void);
 
-bool installKey(const KeyBuffer& key, const std::string& mountpoint, std::string* raw_ref);
-bool evictKey(const std::string& mountpoint, const std::string& raw_ref);
+bool installKey(const KeyBuffer& key, const std::string& mountpoint, int policy_version,
+                std::string* raw_ref);
+bool evictKey(const std::string& mountpoint, const std::string& raw_ref, int policy_version);
 bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication,
                            const std::string& key_path, const std::string& tmp_path,
-                           const std::string& volume_uuid, std::string* key_ref);
+                           const std::string& volume_uuid, int policy_version,
+                           std::string* key_ref);
 bool retrieveKey(bool create_if_absent, const std::string& key_path, const std::string& tmp_path,
                  KeyBuffer* key, bool keepOld = true);