From c856e2fe8a12456db2d4981d18a17dc3b529751f Mon Sep 17 00:00:00 2001
From: Pig
Date: Fri, 25 Sep 2020 22:56:33 +0800
Subject: [PATCH] vold: Bring in more wrapped key changes

Change-Id: I44e81afaec78c567a0bf2eed30a79eb737e2a867
---
 FsCrypt.cpp | 4 ++++
 KeyStorage.cpp | 7 +++++--
 KeyUtil.cpp | 10 +++++++++-
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index 33cac04..4a3cb6e 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -246,6 +246,10 @@ static bool get_data_file_encryption_options(EncryptionOptions* options) {
 "this flag from the device's fstab";
 return false;
 }
+ if (options->version == 1) {
+ options->use_hw_wrapped_key =
+ GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)->fs_mgr_flags.wrapped_key;
+ }
 return true;
 }
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index 3fab96a..b64ddea 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -141,8 +141,11 @@ bool generateWrappedStorageKey(KeyBuffer* key) {
 if (!keymaster) return false;
 std::string key_temp;
 auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
- paramBuilder.Authorization(km::TAG_ROLLBACK_RESISTANCE);
- paramBuilder.Authorization(km::TAG_STORAGE_KEY);
+ km::KeyParameter param1;
+ param1.tag = static_cast<::android::hardware::keymaster::V4_0::Tag>(
+ android::hardware::keymaster::V4_0::KM_TAG_FBE_ICE);
+ param1.f.boolValue = true;
+ paramBuilder.push_back(param1);
 if (!keymaster.generateKey(paramBuilder, &key_temp)) return false;
 *key = KeyBuffer(key_temp.size());
 memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size());
diff --git a/KeyUtil.cpp b/KeyUtil.cpp
index acc42db..dafe4da 100644
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@@ -31,6 +31,7 @@
 #include
 #include
+#include "FsCrypt.h"
 #include "KeyStorage.h"
 #include "Utils.h"
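Review bot: The added block in get_data_file_encryption_options dereferences the result of `GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)` without a null check, so a missing fstab entry for the data mount point would crash vold here instead of returning false. The start of the function is outside the hunk; if it already holds a checked entry pointer, reuse that instead of repeating the lookup, otherwise guard it with `auto* entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT);` followed by `if (entry == nullptr) return false;`. The assignment also overwrites whatever `use_hw_wrapped_key` held before for v1 policies, which looks intentional but is not stated; a comment such as `// v1 policies take the wrapped-key setting from the fstab fs_mgr flag` would make that explicit.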
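Review bot: In generateWrappedStorageKey the request no longer carries `km::TAG_ROLLBACK_RESISTANCE`, so the wrapped storage key is generated without asking the keymaster for rollback resistance, and neither the commit message nor the code says why. If the target keymaster accepts it next to the vendor tag, keep `paramBuilder.Authorization(km::TAG_ROLLBACK_RESISTANCE);`; if it does not, record that in a comment so the weaker guarantee is a documented decision. Separately, `km::KeyParameter param1;` has only `tag` and `f.boolValue` assigned before it is pushed; value-initialising it as `km::KeyParameter param1{};` would avoid handing indeterminate bytes of the parameter union to the HAL, assuming the generated struct has no constructor that already clears it. The function starts before the hunk.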
@@ -275,7 +276,14 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
 // A key for a v1 policy is specified by an arbitrary 8-byte
 // "descriptor", which must be provided by userspace. We use the
 // first 8 bytes from the double SHA-512 of the key itself.
- policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+ if (options.use_hw_wrapped_key) {
+ // When wrapped key is supported, only the first 32 bytes are
+ // the same per boot. The second 32 bytes can change as the ephemeral
+ // key is different.
+ policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size()/2);
+ } else {
+ policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+ }
 if (!isFsKeyringSupported()) {
 return installKeyLegacy(key, policy->key_raw_ref);
 }
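Review bot: The wrapped-key branch hashes `key.size()/2` bytes while its comment speaks of a fixed first 32 bytes, and nothing in the hunk checks that the buffer is actually 64 bytes long. For a longer buffer the hashed prefix would include the per-boot part, so the v1 descriptor would change across boots, and for a shorter one it is derived from fewer stable bytes than the comment promises. Consider naming the stable length and checking it, with `constexpr size_t kWrappedKeyStableBytes = 32;` and `if (key.size() < kWrappedKeyStableBytes) return false;`, then passing that constant to `generateKeyRef`. The enclosing installKey body starts and ends outside the hunk.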