From 707930005e1430be9ec39244609363168a586428 Mon Sep 17 00:00:00 2001
From: Pig
Date: Fri, 25 Sep 2020 22:56:33 +0800
Subject: [PATCH] vold: Bring in more wrapped key changes
Conflicts: KeyStorage.cpp KeyUtil.cpp [wight554: Apply changes from CAF 12]
Change-Id: I44e81afaec78c567a0bf2eed30a79eb737e2a867
Signed-off-by: Volodymyr Zhdanov
---
 FsCrypt.cpp | 4 ++++
 KeyStorage.cpp | 13 +++++++++++--
 KeyUtil.cpp | 9 ++++++++-
 3 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index a48feddb..09dcf818 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -249,6 +249,10 @@ static bool get_data_file_encryption_options(EncryptionOptions* options) {
 "this flag from the device's fstab";
 return false;
 }
+ if (options->version == 1) {
+ options->use_hw_wrapped_key =
+ GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)->fs_mgr_flags.wrapped_key;
+ }
 return true;
 }
diff --git a/KeyStorage.cpp b/KeyStorage.cpp
index 472e6b1e..0aa9d4a8 100644
--- a/KeyStorage.cpp
+++ b/KeyStorage.cpp
@@ -59,6 +59,7 @@ static constexpr size_t AES_KEY_BYTES = 32;
 static constexpr size_t GCM_NONCE_BYTES = 12;
 static constexpr size_t GCM_MAC_BYTES = 16;
 static constexpr size_t SECDISCARDABLE_BYTES = 1 << 14;
+constexpr int EXT4_AES_256_XTS_KEY_SIZE = 64;
 static const char* kCurrentVersion = "1";
 static const char* kRmPath = "/system/bin/rm";
@@ -74,6 +75,8 @@ static const char* kFn_secdiscardable = "secdiscardable";
 static const char* kFn_stretching = "stretching";
 static const char* kFn_version = "version";
+static const int32_t KM_TAG_FBE_ICE = static_cast(7 << 28) | 16201;
+
 namespace {
 // Storage binding info for ensuring key encryption keys include a
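Review bot: In the FsCrypt.cpp hunk, the added `GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT)->fs_mgr_flags.wrapped_key` dereferences the lookup result without a null check, so a missing fstab entry for the data mount point would crash vold instead of returning false. get_data_file_encryption_options starts outside the hunk, so a checked lookup may already exist earlier in the function; if it does, reuse that entry rather than looking it up a second time, otherwise guard it with `auto* entry = GetEntryForMountPoint(&fstab_default, DATA_MNT_POINT); if (entry == nullptr) return false;`. Note also that use_hw_wrapped_key is assigned only when the policy version is 1, so for other versions it keeps whatever value it already had; a one-line comment stating that this is intended would help.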
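Review bot: KM_TAG_FBE_ICE in KeyStorage.cpp (hunk -74,6 +75,8) is introduced as an unexplained magic number. The `7 << 28` part matches the Keymaster boolean tag-type prefix, and 16201 looks like a vendor-defined tag id that presumably only the vendor's Keymaster implementation recognises. A comment such as `// Vendor-specific boolean Keymaster tag (not in the AOSP tag set); marks the storage key for the vendor's wrapped-key path` would record where the value comes from and what it depends on. The exact meaning should be confirmed against the vendor HAL before it is written down.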
@@ -154,8 +157,14 @@ bool generateWrappedStorageKey(KeyBuffer* key) {
 Keymaster keymaster;
 if (!keymaster) return false;
 std::string key_temp;
- auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8);
- paramBuilder.Authorization(km::TAG_STORAGE_KEY);
+ auto paramBuilder = km::AuthorizationSetBuilder().AesEncryptionKey(AES_KEY_BYTES * 8)
+ .Authorization(km::TAG_STORAGE_KEY);
+
+ km::KeyParameter param1;
+ param1.tag = (km::Tag) (KM_TAG_FBE_ICE);
+ param1.value = km::KeyParameterValue::make(true);
+ paramBuilder.push_back(param1);
+
 if (!generateKeymasterKey(keymaster, paramBuilder, &key_temp)) return false;
 *key = KeyBuffer(key_temp.size());
 memcpy(reinterpret_cast(key->data()), key_temp.c_str(), key->size());
diff --git a/KeyUtil.cpp b/KeyUtil.cpp
index 886054e6..2074b18c 100644
--- a/KeyUtil.cpp
+++ b/KeyUtil.cpp
@@ -273,7 +273,14 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
 // A key for a v1 policy is specified by an arbitrary 8-byte
 // "descriptor", which must be provided by userspace. We use the
 // first 8 bytes from the double SHA-512 of the key itself.
- policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+ if (options.use_hw_wrapped_key) {
+ /* When wrapped key is supported, only the first 32 bytes are
+ the same per boot. The second 32 bytes can change as the ephemeral
+ key is different. */
+ policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size()/2);
+ } else {
+ policy->key_raw_ref = generateKeyRef((const uint8_t*)key.data(), key.size());
+ }
 if (!isFsKeyringSupported()) {
 return installKeyLegacy(key, policy->key_raw_ref);
 }
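Review bot: In KeyStorage.cpp's generateWrappedStorageKey hunk, the vendor tag is pushed into the key-generation parameters unconditionally, so a Keymaster implementation that rejects unknown tags would presumably fail here, and the hunk shows no fallback. If this file is also built for devices without that vendor support, the parameter should be gated on the same wrapped-key capability that selects this path. As a style point, `(km::Tag) (KM_TAG_FBE_ICE)` is a C-style cast and `param1` says nothing about its purpose; `static_cast<km::Tag>(KM_TAG_FBE_ICE)` and a descriptive name would read better. The function body continues past the end of the hunk.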
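Review bot: In KeyUtil.cpp's installKey hunk, the wrapped-key branch hashes `key.size()/2` bytes while its comment speaks of "the first 32 bytes", so the code is only correct when the key is exactly 64 bytes, and nothing visible checks that. A blob of any other length would produce a descriptor over a different prefix, and an empty key would hash zero bytes and give every such key the same reference. Validate the length before halving, for example `if (key.size() != 64) return false;` with an error log, or hash a named 32-byte constant after checking `key.size() >= 32`. installKey starts and ends outside the hunk, so an earlier size check may already exist there.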