vold: Bring in more wrapped key changes

Conflicts: KeyStorage.cpp KeyUtil.cpp [wight554: Apply changes from CAF 12] Change-Id: I44e81afaec78c567a0bf2eed30a79eb737e2a867 Signed-off-by: Volodymyr Zhdanov <[email protected]>
ProjectRadiant · Jan 5, 2022 · 7079300 · 7079300
1 parent 7872bb6
commit 7079300
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
@@ -249,6 +249,10 @@ static bool get_data_file_encryption_options(EncryptionOptions* options) {
                       "this flag from the device's fstab";
         return false;
     }
+    if (options->version == 1) {
+        options->use_hw_wrapped_key =
+            GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)->fs_mgr_flags.wrapped_key;
+    }
     return true;
 }
 

diff --git a/KeyStorage.cpp b/KeyStorage.cpp
@@ -59,6 +59,7 @@ static constexpr size_t AES_KEY_BYTES = 32;
 static constexpr size_t GCM_NONCE_BYTES = 12;
 static constexpr size_t GCM_MAC_BYTES = 16;
 static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
+constexpr int EXT4_AES_256_XTS_KEY_SIZE = 64;
 
 static const char* kCurrentVersion = "1";
 static const char* kRmPath = "/system/bin/rm";
@@ -74,6 +75,8 @@ static const char* kFn_secdiscardable = "secdiscardable";
 static const char* kFn_stretching = "stretching";
 static const char* kFn_version = "version";
 
+static const int32_t KM_TAG_FBE_ICE = static_cast<int32_t>(7 << 28) | 16201;
+
 namespace {
 
 // Storage binding info for ensuring key encryption keys include a
@@ -154,8 +157,14 @@ bool generateWrappedStorageKey(KeyBuffer* key) {
     Keymaster keymaster;
     if (!keymaster) return false;
     std::string key_temp;
-    auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
-    paramBuilder.Authorization(km::TAG_STORAGE_KEY);
+    auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8)
+        .Authorization(km::TAG_STORAGE_KEY);
+
+    km::KeyParameter param1;
+    param1.tag = (km::Tag) (KM_TAG_FBE_ICE);
+    param1.value = km::KeyParameterValue::make<km::KeyParameterValue::boolValue>(true);
+    paramBuilder.push_back(param1);
+
     if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false;
     *key = KeyBuffer(key_temp.size());
     memcpy(reinterpret_cast<void*>(key->data()), key_temp.c_str(), key->size());

diff --git a/KeyUtil.cpp b/KeyUtil.cpp
@@ -273,7 +273,14 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
             // A key for a v1 policy is specified by an arbitrary 8-byte
             // "descriptor", which must be provided by userspace.  We use the
             // first 8 bytes from the double SHA-512 of the key itself.
-            policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+            if (options.use_hw_wrapped_key) {
+                /* When wrapped key is supported, only the first 32 bytes are
+                   the same per boot. The second 32 bytes can change as the ephemeral
+                   key is different. */
+                policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size()/2);
+            } else {
+                policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+            }
             if (!isFsKeyringSupported()) {
                 return installKeyLegacy(key, policy->key_raw_ref);
             }