Merge RP1A.200204.001
Change-Id: I80a6f45bfa61ee0a8b3517de0e5e1d27aa8aa7aa
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index 3c2e0d5..d41662b 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -37,6 +37,7 @@
#include "Checkpoint.h"
#include "EncryptInplace.h"
+#include "FsCrypt.h"
#include "KeyStorage.h"
#include "KeyUtil.h"
#include "Keymaster.h"
@@ -106,19 +107,19 @@
}
static bool read_key(const FstabEntry& data_rec, bool create_if_absent, KeyBuffer* key) {
- if (data_rec.key_dir.empty()) {
- LOG(ERROR) << "Failed to get key_dir";
+ if (data_rec.metadata_key_dir.empty()) {
+ LOG(ERROR) << "Failed to get metadata_key_dir";
return false;
}
- std::string key_dir = data_rec.key_dir;
+ std::string metadata_key_dir = data_rec.metadata_key_dir;
std::string sKey;
- auto dir = key_dir + "/key";
- LOG(DEBUG) << "key_dir/key: " << dir;
+ auto dir = metadata_key_dir + "/key";
+ LOG(DEBUG) << "metadata_key_dir/key: " << dir;
if (fs_mkdirs(dir.c_str(), 0700)) {
PLOG(ERROR) << "Creating directories: " << dir;
return false;
}
- auto temp = key_dir + "/tmp";
+ auto temp = metadata_key_dir + "/tmp";
auto newKeyPath = dir + "/" + kFn_keymaster_key_blob_upgraded;
/* If we have a leftover upgraded key, delete it.
* We either failed an update and must return to the old key,
@@ -135,7 +136,9 @@
unlink(newKeyPath.c_str());
}
bool needs_cp = cp_needsCheckpoint();
- if (!android::vold::retrieveKey(create_if_absent, dir, temp, key, needs_cp)) return false;
+ if (!android::vold::retrieveKey(create_if_absent, kEmptyAuthentication, dir, temp,
+ is_metadata_wrapped_key_supported(), key, needs_cp))
+ return false;
if (needs_cp && pathExists(newKeyPath)) std::thread(commit_key, dir).detach();
return true;
}
@@ -151,10 +154,32 @@
return true;
}
-static bool create_crypto_blk_dev(const std::string& dm_name, uint64_t nr_sec,
- const std::string& real_blkdev, const KeyBuffer& key,
- std::string* crypto_blkdev, bool set_dun) {
- auto& dm = DeviceMapper::Instance();
+static std::string lookup_cipher(const std::string& cipher_name, bool is_legacy) {
+ if (is_legacy) {
+ if (cipher_name.empty() || cipher_name == "aes-256-xts") {
+ return "AES-256-XTS";
+ }
+ } else {
+ if (cipher_name.empty() || cipher_name == "aes-256-xts") {
+ return "aes-xts-plain64";
+ } else if (cipher_name == "adiantum") {
+ return "xchacha12,aes-adiantum-plain64";
+ }
+ }
+ LOG(ERROR) << "No metadata cipher named " << cipher_name << " found, is_legacy=" << is_legacy;
+ return "";
+}
+
+static bool create_crypto_blk_dev(const std::string& dm_name, const FstabEntry* data_rec,
+ const KeyBuffer& key, std::string* crypto_blkdev) {
+ uint64_t nr_sec;
+ if (!get_number_of_sectors(data_rec->blk_device, &nr_sec)) return false;
+
+ bool is_legacy;
+ if (!DmTargetDefaultKey::IsLegacy(&is_legacy)) return false;
+
+ auto cipher = lookup_cipher(data_rec->metadata_cipher, is_legacy);
+ if (cipher.empty()) return false;
KeyBuffer hex_key_buffer;
if (android::vold::StrToHex(key, hex_key_buffer) != android::OK) {
@@ -163,15 +188,24 @@
}
std::string hex_key(hex_key_buffer.data(), hex_key_buffer.size());
- DmTable table;
- table.Emplace<DmTargetDefaultKey>(0, nr_sec, "AES-256-XTS", hex_key, real_blkdev, 0, set_dun);
+ // Non-legacy driver always sets DUN
+ bool set_dun = !is_legacy || android::base::GetBoolProperty("ro.crypto.set_dun", false);
+ if (!set_dun && data_rec->fs_mgr_flags.checkpoint_blk) {
+ LOG(ERROR) << "Block checkpoints and metadata encryption require ro.crypto.set_dun option";
+ return false;
+ }
+ DmTable table;
+ table.Emplace<DmTargetDefaultKey>(0, nr_sec, cipher, hex_key, data_rec->blk_device, 0,
+ is_legacy, set_dun);
+
+ auto& dm = DeviceMapper::Instance();
for (int i = 0;; i++) {
if (dm.CreateDevice(dm_name, table)) {
break;
}
if (i + 1 >= TABLE_LOAD_RETRIES) {
- LOG(ERROR) << "Could not create default-key device " << dm_name;
+ PLOG(ERROR) << "Could not create default-key device " << dm_name;
return false;
}
PLOG(INFO) << "Could not create default-key device, retrying";
@@ -196,25 +230,24 @@
auto data_rec = GetEntryForMountPoint(&fstab_default, mount_point);
if (!data_rec) {
- LOG(ERROR) << "Failed to get data_rec";
+ LOG(ERROR) << "Failed to get data_rec for " << mount_point;
+ return false;
+ }
+ if (blk_device != data_rec->blk_device) {
+ LOG(ERROR) << "blk_device " << blk_device << " does not match fstab entry "
+ << data_rec->blk_device << " for " << mount_point;
return false;
}
KeyBuffer key;
if (!read_key(*data_rec, needs_encrypt, &key)) return false;
- uint64_t nr_sec;
- if (!get_number_of_sectors(data_rec->blk_device, &nr_sec)) return false;
- bool set_dun = android::base::GetBoolProperty("ro.crypto.set_dun", false);
- if (!set_dun && data_rec->fs_mgr_flags.checkpoint_blk) {
- LOG(ERROR) << "Block checkpoints and metadata encryption require setdun option!";
- return false;
- }
std::string crypto_blkdev;
- if (!create_crypto_blk_dev(kDmNameUserdata, nr_sec, blk_device, key, &crypto_blkdev, set_dun))
- return false;
+ if (!create_crypto_blk_dev(kDmNameUserdata, data_rec, key, &crypto_blkdev)) return false;
// FIXME handle the corrupt case
if (needs_encrypt) {
+ uint64_t nr_sec;
+ if (!get_number_of_sectors(data_rec->blk_device, &nr_sec)) return false;
LOG(INFO) << "Beginning inplace encryption, nr_sec: " << nr_sec;
off64_t size_already_done = 0;
auto rc = cryptfs_enable_inplace(crypto_blkdev.data(), blk_device.data(), nr_sec,