gugelfrei
/
android_system_vold
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'c803d524ea'
${ noResults }
android_system_vold/KeyUtil.h

91 lines
3.2 KiB
Raw Normal View History Unescape

Refactor to lay the groundwork for metadata encryption Bug: 26778031 Test: Angler, Marlin build and boot Change-Id: Ic136dfe6195a650f7db76d3489f36da6a1929dc5
8 years ago
/*
* Copyright (C) 2016 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#ifndef ANDROID_VOLD_KEYUTIL_H
#define ANDROID_VOLD_KEYUTIL_H
Zero memory used for encryuption keys. std::vector with custom zeroing allocator is used instead of std::string for data that can contain encryption keys. Bug: 64201177 Test: manually created a managed profile, changed it's credentials Test: manually upgraded a phone with profile from O to MR1. Change-Id: Ic31877049f69eba9f8ea64fd99acaaca5a01d3dd
7 years ago
#include "KeyBuffer.h"
When we forget a volume, forget per-volume key Protect all per-volume-per-user keys with a per-volume key, which is forgotten when the volume is forgotten. This means that the user's key is securely lost even when their storage is encrypted at forgetting time. Bug: 25861755 Test: create a volume, forget it, check logs and filesystem. Change-Id: I8df77bc91bbfa2258e082ddd54d6160dbf39b378
7 years ago
#include "KeyStorage.h"
Zero memory used for encryuption keys. std::vector with custom zeroing allocator is used instead of std::string for data that can contain encryption keys. Bug: 64201177 Test: manually created a managed profile, changed it's credentials Test: manually upgraded a phone with profile from O to MR1. Change-Id: Ic31877049f69eba9f8ea64fd99acaaca5a01d3dd
7 years ago
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
#include <fscrypt/fscrypt.h>
Zero memory used for encryuption keys. std::vector with custom zeroing allocator is used instead of std::string for data that can contain encryption keys. Bug: 64201177 Test: manually created a managed profile, changed it's credentials Test: manually upgraded a phone with profile from O to MR1. Change-Id: Ic31877049f69eba9f8ea64fd99acaaca5a01d3dd
7 years ago
#include <memory>
clang-format many files. Test: Format-only changes; treehugger suffices. Change-Id: I23cde3f0bbcac13bef555d13514e922c79d5ad48
6 years ago
#include <string>
Refactor to lay the groundwork for metadata encryption Bug: 26778031 Test: Angler, Marlin build and boot Change-Id: Ic136dfe6195a650f7db76d3489f36da6a1929dc5
8 years ago
namespace android {
namespace vold {
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
using namespace android::fscrypt;
Refactor key generation to handle both normal and metadata encryption. Bug: 147733587 Test: Treehugger Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d Merged-In: Iee176037dec2621c84da325c2627f988fcebbc8d
4 years ago
// Description of how to generate a key when needed.
struct KeyGeneration {
size_t keysize;
bool allow_gen;
bool use_hw_wrapped_key;
};
vold: use new ioctls to add/remove fscrypt keys when supported When the kernel supports the new fscrypt key management ioctls, use them instead of add_key() and keyctl_unlink(). This will be needed in order to support v2 encryption policies, since v2 encryption policies only support the new ioctls. The new ioctls have other advantages too. For example, FS_IOC_REMOVE_ENCRYPTION_KEY automatically evicts exactly the necessary kernel objects, so the drop_caches sysctl is no longer needed. This makes evicting keys faster and more reliable. FS_IOC_REMOVE_ENCRYPTION_KEY also detects if any files are still open and therefore couldn't be "locked", whereas this went undetected before. Therefore, to start out this patch adds support for using the new ioctls for v1 encryption policies, i.e. on existing devices. (Originally based on a patch by Satya Tangirala <satyat@google.com>) Bug: 140500828 Test: tested that a device using v1 policies continues to work, both with and without an updated kernel. See If64028d8580584b2c33c614cabd5d6b93657f608 for more details. Also checked via the log that the filesystem-level keyring is in fact used when supported. Change-Id: I296ef78138578a3fd773797ac0cd46af1296b959
5 years ago
Refactor key generation to handle both normal and metadata encryption. Bug: 147733587 Test: Treehugger Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d Merged-In: Iee176037dec2621c84da325c2627f988fcebbc8d
4 years ago
// Generate a key as specified in KeyGeneration
bool generateStorageKey(const KeyGeneration& gen, KeyBuffer* key);
// Returns a key with allow_gen false so generateStorageKey returns false;
// this is used to indicate to retrieveOrGenerateKey that a key should not
// be generated.
const KeyGeneration neverGen();
vold: Support Storage keys for FBE To prevent keys from being compromised if an attacker acquires read access to kernel memory, some inline encryption hardware supports protecting the keys in hardware without software having access to or the ability to set the plaintext keys. Instead, software only sees "wrapped keys", which may differ on every boot. 'wrappedkey_v0' fileencryption flag is used to denote that the device supports inline encryption hardware that supports this feature. On such devices keymaster is used to generate keys with STORAGE_KEY tag and export a per-boot ephemerally wrapped storage key to install it in the kernel. The wrapped key framework in the linux kernel ensures the wrapped key is provided to the inline encryption hardware where it is unwrapped and the file contents key is derived to encrypt contents without revealing the plaintext key in the clear. Test: FBE validation with Fscrypt v2 + inline crypt + wrapped key changes kernel. Bug: 147733587 Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
4 years ago
vold: use new ioctls to add/remove fscrypt keys when supported When the kernel supports the new fscrypt key management ioctls, use them instead of add_key() and keyctl_unlink(). This will be needed in order to support v2 encryption policies, since v2 encryption policies only support the new ioctls. The new ioctls have other advantages too. For example, FS_IOC_REMOVE_ENCRYPTION_KEY automatically evicts exactly the necessary kernel objects, so the drop_caches sysctl is no longer needed. This makes evicting keys faster and more reliable. FS_IOC_REMOVE_ENCRYPTION_KEY also detects if any files are still open and therefore couldn't be "locked", whereas this went undetected before. Therefore, to start out this patch adds support for using the new ioctls for v1 encryption policies, i.e. on existing devices. (Originally based on a patch by Satya Tangirala <satyat@google.com>) Bug: 140500828 Test: tested that a device using v1 policies continues to work, both with and without an updated kernel. See If64028d8580584b2c33c614cabd5d6b93657f608 for more details. Also checked via the log that the filesystem-level keyring is in fact used when supported. Change-Id: I296ef78138578a3fd773797ac0cd46af1296b959
5 years ago
bool isFsKeyringSupported(void);
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
// Install a file-based encryption key to the kernel, for use by encrypted files
// on the specified filesystem using the specified encryption policy version.
//
// For v1 policies, we use FS_IOC_ADD_ENCRYPTION_KEY if the kernel supports it.
fskeyring & userspace reboot: support CE keys During userspace reboot /data might be unmounted & remounted, meaning that CE keys stored in fs-level keyring will be lost. In order to be able to restore them, when installing new key to fs-level keyring, it's also added to session-level keyring with type "fscrypt-provisioning". Then when init_user0 is called during userspace reboot, vold will try to load CE keys from the session-level keyring back into fs-level keyring for all the users that were unlocked before the reboot. If for any user vold fails to install the key, init_user0 will fail and fallback to hard reboot will be triggered. Test: set a pin pattern Test: adb shell setprop sys.init.userdata_remount.force_umount 1 Test: adb shell svc power reboot userspace Test: atest CtsUserspaceRebootHostSideTestCases Bug: 143970043 Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
4 years ago
// Otherwise we add the key to the global session keyring as a "logon" key.
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
//
// For v2 policies, we always use FS_IOC_ADD_ENCRYPTION_KEY; it's the only way
// the kernel supports.
//
fskeyring & userspace reboot: support CE keys During userspace reboot /data might be unmounted & remounted, meaning that CE keys stored in fs-level keyring will be lost. In order to be able to restore them, when installing new key to fs-level keyring, it's also added to session-level keyring with type "fscrypt-provisioning". Then when init_user0 is called during userspace reboot, vold will try to load CE keys from the session-level keyring back into fs-level keyring for all the users that were unlocked before the reboot. If for any user vold fails to install the key, init_user0 will fail and fallback to hard reboot will be triggered. Test: set a pin pattern Test: adb shell setprop sys.init.userdata_remount.force_umount 1 Test: adb shell svc power reboot userspace Test: atest CtsUserspaceRebootHostSideTestCases Bug: 143970043 Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
4 years ago
// If kernel supports FS_IOC_ADD_ENCRYPTION_KEY, also installs key of
// fscrypt-provisioning type to the global session keyring. This makes it
// possible to unmount and then remount mountpoint without losing the file-based
// key.
//
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
// Returns %true on success, %false on failure. On success also sets *policy
// to the EncryptionPolicy used to refer to this key.
bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
const KeyBuffer& key, EncryptionPolicy* policy);
// Evict a file-based encryption key from the kernel.
//
fskeyring & userspace reboot: support CE keys During userspace reboot /data might be unmounted & remounted, meaning that CE keys stored in fs-level keyring will be lost. In order to be able to restore them, when installing new key to fs-level keyring, it's also added to session-level keyring with type "fscrypt-provisioning". Then when init_user0 is called during userspace reboot, vold will try to load CE keys from the session-level keyring back into fs-level keyring for all the users that were unlocked before the reboot. If for any user vold fails to install the key, init_user0 will fail and fallback to hard reboot will be triggered. Test: set a pin pattern Test: adb shell setprop sys.init.userdata_remount.force_umount 1 Test: adb shell svc power reboot userspace Test: atest CtsUserspaceRebootHostSideTestCases Bug: 143970043 Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
4 years ago
// This undoes the effect of installKey().
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
//
fskeyring & userspace reboot: support CE keys During userspace reboot /data might be unmounted & remounted, meaning that CE keys stored in fs-level keyring will be lost. In order to be able to restore them, when installing new key to fs-level keyring, it's also added to session-level keyring with type "fscrypt-provisioning". Then when init_user0 is called during userspace reboot, vold will try to load CE keys from the session-level keyring back into fs-level keyring for all the users that were unlocked before the reboot. If for any user vold fails to install the key, init_user0 will fail and fallback to hard reboot will be triggered. Test: set a pin pattern Test: adb shell setprop sys.init.userdata_remount.force_umount 1 Test: adb shell svc power reboot userspace Test: atest CtsUserspaceRebootHostSideTestCases Bug: 143970043 Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
4 years ago
// If the kernel doesn't support the filesystem-level keyring, the caller is
// responsible for dropping caches.
Refactor to use EncryptionPolicy everywhere we used to use raw_ref Test: Boots, no bad log messages: Cuttlefish with v2 policies, Taimen Bug: 147733587 Change-Id: Ice4acac3236b6b7d90e60a2f57b46814aa1949f5
4 years ago
bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy);
KeyUtil: don't use keepOld=true for system DE and volume keys Commit 77df7f207dce / http://aosp/1217657 ("Refactor to use EncryptionPolicy everywhere we used to use raw_ref") unintentionally made fscrypt_initialize_systemwide_keys() start specifying keepOld=true (via default parameter value) when retrieving the system DE key, and likewise for read_or_create_volkey() and volume keys. As a result, if the associated Keymaster key needs to be upgraded, the upgraded key blob gets written to "keymaster_key_blob_upgraded", but it doesn't replace the original "keymaster_key_blob", nor is the original key deleted from Keymaster. This happens at every boot, eventually resulting in the RPMB partition in Keymaster becoming full. Only the metadata encryption key ever needs keepOld=true, since it's the only key that isn't stored in /data, and the purpose of keepOld=true is to allow a key that isn't stored in /data to be committed or rolled back when a userdata checkpoint is committed or rolled back. So, fix this bug by removing the default value of keepOld, and specifying false everywhere except the metadata encryption key. Note that when an affected device gets this fix, it will finally upgrade its system DE key correctly. However, this fix doesn't free up space in Keymaster that was consumed by this bug. Test: On bramble: - Flashed rvc-d1-dev build, with wiping userdata - Flashed a newer build, without wiping userdata - Log expectedly shows key upgrades: $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /metadata/vold/metadata_encryption/key D vold : Upgrading key: /data/unencrypted/key D vold : Upgrading key: /data/misc/vold/user_keys/de/0 D vold : Upgrading key: /data/misc/vold/user_keys/ce/0/current - Rebooted - Log unexpectedly shows the system DE key being upgraded again: $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /data/unencrypted/key - "keymaster_key_blob_upgraded" unexpectedly still exists: $ adb shell find /data /metadata -name keymaster_key_blob_upgraded /data/unencrypted/key/keymaster_key_blob_upgraded - Applied this fix and flashed, without wiping userdata - Log shows system DE key being upgraded (expected because due to the bug, the upgraded key didn't replace the original one before) $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /data/unencrypted/key - "keymaster_key_blob_upgraded" expectedly no longer exists $ adb shell find /data /metadata -name keymaster_key_blob_upgraded - Rebooted - Log expectedly doesn't show any more key upgrades $ adb logcat | grep 'Upgrading key' Bug: 171944521 Bug: 172019387 (cherry picked from commit c493903732d0c17b33091cf722cbcc3262292801) Merged-In: I42d3f5fbe32cb2ec229f4b614cfb271412a3ed29 Change-Id: I42d3f5fbe32cb2ec229f4b614cfb271412a3ed29
4 years ago
// Retrieves the key from the named directory, or generates it if it doesn't
// exist. In most cases |keepOld| must be false; see retrieveKey() for details.
Refactor key generation to handle both normal and metadata encryption. Bug: 147733587 Test: Treehugger Change-Id: Iee176037dec2621c84da325c2627f988fcebbc8d Merged-In: Iee176037dec2621c84da325c2627f988fcebbc8d
4 years ago
bool retrieveOrGenerateKey(const std::string& key_path, const std::string& tmp_path,
const KeyAuthentication& key_authentication, const KeyGeneration& gen,
KeyUtil: don't use keepOld=true for system DE and volume keys Commit 77df7f207dce / http://aosp/1217657 ("Refactor to use EncryptionPolicy everywhere we used to use raw_ref") unintentionally made fscrypt_initialize_systemwide_keys() start specifying keepOld=true (via default parameter value) when retrieving the system DE key, and likewise for read_or_create_volkey() and volume keys. As a result, if the associated Keymaster key needs to be upgraded, the upgraded key blob gets written to "keymaster_key_blob_upgraded", but it doesn't replace the original "keymaster_key_blob", nor is the original key deleted from Keymaster. This happens at every boot, eventually resulting in the RPMB partition in Keymaster becoming full. Only the metadata encryption key ever needs keepOld=true, since it's the only key that isn't stored in /data, and the purpose of keepOld=true is to allow a key that isn't stored in /data to be committed or rolled back when a userdata checkpoint is committed or rolled back. So, fix this bug by removing the default value of keepOld, and specifying false everywhere except the metadata encryption key. Note that when an affected device gets this fix, it will finally upgrade its system DE key correctly. However, this fix doesn't free up space in Keymaster that was consumed by this bug. Test: On bramble: - Flashed rvc-d1-dev build, with wiping userdata - Flashed a newer build, without wiping userdata - Log expectedly shows key upgrades: $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /metadata/vold/metadata_encryption/key D vold : Upgrading key: /data/unencrypted/key D vold : Upgrading key: /data/misc/vold/user_keys/de/0 D vold : Upgrading key: /data/misc/vold/user_keys/ce/0/current - Rebooted - Log unexpectedly shows the system DE key being upgraded again: $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /data/unencrypted/key - "keymaster_key_blob_upgraded" unexpectedly still exists: $ adb shell find /data /metadata -name keymaster_key_blob_upgraded /data/unencrypted/key/keymaster_key_blob_upgraded - Applied this fix and flashed, without wiping userdata - Log shows system DE key being upgraded (expected because due to the bug, the upgraded key didn't replace the original one before) $ adb logcat | grep 'Upgrading key' D vold : Upgrading key: /data/unencrypted/key - "keymaster_key_blob_upgraded" expectedly no longer exists $ adb shell find /data /metadata -name keymaster_key_blob_upgraded - Rebooted - Log expectedly doesn't show any more key upgrades $ adb logcat | grep 'Upgrading key' Bug: 171944521 Bug: 172019387 (cherry picked from commit c493903732d0c17b33091cf722cbcc3262292801) Merged-In: I42d3f5fbe32cb2ec229f4b614cfb271412a3ed29 Change-Id: I42d3f5fbe32cb2ec229f4b614cfb271412a3ed29
4 years ago
KeyBuffer* key, bool keepOld);
Refactor to lay the groundwork for metadata encryption Bug: 26778031 Test: Angler, Marlin build and boot Change-Id: Ic136dfe6195a650f7db76d3489f36da6a1929dc5
8 years ago
fskeyring & userspace reboot: support CE keys During userspace reboot /data might be unmounted & remounted, meaning that CE keys stored in fs-level keyring will be lost. In order to be able to restore them, when installing new key to fs-level keyring, it's also added to session-level keyring with type "fscrypt-provisioning". Then when init_user0 is called during userspace reboot, vold will try to load CE keys from the session-level keyring back into fs-level keyring for all the users that were unlocked before the reboot. If for any user vold fails to install the key, init_user0 will fail and fallback to hard reboot will be triggered. Test: set a pin pattern Test: adb shell setprop sys.init.userdata_remount.force_umount 1 Test: adb shell svc power reboot userspace Test: atest CtsUserspaceRebootHostSideTestCases Bug: 143970043 Change-Id: I37603dc136c7ededc7b0381e4d730cb0ffd912b4
4 years ago
// Re-installs a file-based encryption key of fscrypt-provisioning type from the
// global session keyring back into fs keyring of the mountpoint.
bool reloadKeyFromSessionKeyring(const std::string& mountpoint, const EncryptionPolicy& policy);
Refactor to lay the groundwork for metadata encryption Bug: 26778031 Test: Angler, Marlin build and boot Change-Id: Ic136dfe6195a650f7db76d3489f36da6a1929dc5
8 years ago
} // namespace vold
} // namespace android
#endif