decrypt: AOSP 10 requires the use of fscrypt
fscrypt aosp doc: https://source.android.com/security/encryption/file-based
kernel fscrypt doc: https://www.kernel.org/doc/html/v4.18/filesystems/fscrypt.html
This commit adds the ability for TWRP to decrypt files that are
encrypted with fscrypt. It has been implemented mostly
in a new successor library to e4crypt called libtwrpfscrypt. Most of the
code was ported from AOSP vold.
Notable updates include:
- updated policy storage by libtar
- lookup of fbe policies by libtwrpfscrypt
- threaded keystore operations
Big thanks to Dees_Troy for the initial trailblazing
of encryption in TWRP.
Change-Id: I69cd2eba3693a9914e00213d4943229635d0cdae
diff --git a/Android.mk b/Android.mk
index 71b2b55..a750252 100755
--- a/Android.mk
+++ b/Android.mk
@@ -84,6 +84,11 @@
ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 29; echo $$?),0)
LOCAL_STATIC_LIBRARIES += libavb
LOCAL_SHARED_LIBRARIES += libfs_mgr libinit
+ ifeq ($(TW_INCLUDE_CRYPTO),true)
+ LOCAL_CFLAGS += -DUSE_FSCRYPT -Wno-macro-redefined
+ LOCAL_C_INCLUDES += bootable/recovery/crypto/fscrypt \
+ bootable/recovery/crypto
+ endif
LOCAL_C_INCLUDES += \
system/core/fs_mgr/libfs_avb/include/ \
system/core/fs_mgr/include_fstab/ \
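Review bot: The `-Wno-macro-redefined` in `LOCAL_CFLAGS += -DUSE_FSCRYPT -Wno-macro-redefined` applies to the whole recovery module, so a macro redefined between the fscrypt headers and the existing crypto headers is no longer reported. In key-handling code the definition that wins then depends on include order. The same concern applies to `-Wno-unused-function` added in the `@@ -103,7 +109,7 @@` hunk. I would either fix the colliding definitions or keep the flag with a comment such as `# -Wno-macro-redefined: <macro name> is defined by both <header A> and <header B>`, so it can be removed later. The SDK >= 29 conditional that encloses the added lines is closed outside this hunk.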
@@ -91,7 +96,8 @@
system/core/fs_mgr/libdm/include/ \
system/core/fs_mgr/liblp/include/ \
system/gsid/include/ \
- system/core/init/
+ system/core/init/ \
+ system/extras/ext4_utils/include
endif
ifneq ($(TARGET_RECOVERY_REBOOT_SRC),)
@@ -103,7 +109,7 @@
RECOVERY_API_VERSION := 3
RECOVERY_FSTAB_VERSION := 2
LOCAL_CFLAGS += -DRECOVERY_API_VERSION=$(RECOVERY_API_VERSION)
-LOCAL_CFLAGS += -Wno-unused-parameter
+LOCAL_CFLAGS += -Wno-unused-parameter -Wno-unused-function
LOCAL_CLANG := true
LOCAL_C_INCLUDES += \
@@ -348,7 +354,11 @@
ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 24; echo $$?),0)
TW_INCLUDE_CRYPTO_FBE := true
LOCAL_CFLAGS += -DTW_INCLUDE_FBE
- LOCAL_SHARED_LIBRARIES += libe4crypt
+ ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 29; echo $$?),0)
+ LOCAL_SHARED_LIBRARIES += libtwrpfscrypt
+ else
+ LOCAL_SHARED_LIBRARIES += libe4crypt
+ endif
ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 28; echo $$?),0)
LOCAL_CFLAGS += -DTW_INCLUDE_FBE_METADATA_DECRYPT
endif
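Review bot: The SDK-29 test that selects `libtwrpfscrypt` here is a third, separate condition, so the define, the linked library and the built library can drift apart. The other two are the check that defines `USE_FSCRYPT` (SDK >= 29 and `TW_INCLUDE_CRYPTO` equal to `true`) and the one that includes `crypto/fscrypt/Android.mk` in the `@@ -875,7 +898,11 @@` hunk. Computing the decision once, e.g. `TW_USE_FSCRYPT := true` inside a single SDK check (the name is only a suggestion), and testing that variable in all three places would keep them in step. It would also avoid re-running `$(shell test ...)` at parse time. The conditional that encloses these lines starts outside the hunk, so whether it already implies `TW_INCLUDE_CRYPTO` is `true` cannot be seen here.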
@@ -439,7 +449,7 @@
TWRP_REQUIRED_MODULES += \
relink \
- relink_init \
+ twrp_ramdisk \
dump_image \
erase_image \
flash_image \
@@ -456,7 +466,20 @@
init.recovery.hlthchrg.rc \
init.recovery.service.rc \
init.recovery.ldconfig.rc \
- awk
+ awk \
+
+ifneq ($(TW_INCLUDE_CRYPTO),)
+TWRP_REQUIRED_MODULES += \
+ plat_service_contexts \
+ plat_hwservice_contexts \
+ vendor_hwservice_contexts \
+ vndservice_contexts \
+ hwservicemanager \
+ servicemanager \
+ vndservicemanager \
+ vold_prepare_subdirs \
+ fscryptpolicyget
+endif
ifneq ($(TARGET_ARCH), arm64)
ifneq ($(TARGET_ARCH), x86_64)
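Review bot: The guard `ifneq ($(TW_INCLUDE_CRYPTO),)` is true for any non-empty value, including `TW_INCLUDE_CRYPTO := false`, whereas the first hunk enables fscrypt only with `ifeq ($(TW_INCLUDE_CRYPTO),true)`. A device tree that sets the flag to `false` would still get `servicemanager`, `hwservicemanager`, `vndservicemanager` and `vold_prepare_subdirs` in the recovery image, which is extra privileged code in a build that asked for no crypto. Using `ifeq ($(TW_INCLUDE_CRYPTO),true)` here would match the other check. `fscryptpolicyget` is also required at every SDK level while `crypto/fscrypt/Android.mk` is only included for SDK >= 29, so it presumably has no definition on older trees and may belong under the SDK check. Separately, the list now ends in `awk \` followed by an empty line, which only works while that blank line stays; dropping the trailing backslash is safer.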
@@ -695,7 +718,7 @@
LOCAL_STATIC_LIBRARIES := \
libminui \
libotautil \
- libvintf_recovery \
+ libvintf \
libcrypto_utils \
libcrypto \
libbase \
@@ -720,7 +743,7 @@
install/set_metadata.cpp verifier28/verifier.cpp install/zipwrap.cpp install/ZipUtil.cpp
endif
LOCAL_SHARED_LIBRARIES += libbase libbootloader_message libcrypto libext4_utils \
- libfs_mgr libfusesideload libhidl-gen-utils libhidlbase libhidltransport \
+ libfs_mgr libfusesideload libhidl-gen-utils libhidlbase \
liblog libselinux libtinyxml2 libutils libz libziparchive libcutils
LOCAL_CFLAGS += -DRECOVERY_API_VERSION=$(RECOVERY_API_VERSION)
ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 23; echo $$?),0)
@@ -875,7 +898,11 @@
include $(commands_TWRP_local_path)/crypto/fde/Android.mk
include $(commands_TWRP_local_path)/crypto/scrypt/Android.mk
ifeq ($(TW_INCLUDE_CRYPTO_FBE), true)
- include $(commands_TWRP_local_path)/crypto/ext4crypt/Android.mk
+ ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 29; echo $$?),0)
+ include $(commands_TWRP_local_path)/crypto/fscrypt/Android.mk
+ else
+ include $(commands_TWRP_local_path)/crypto/ext4crypt/Android.mk
+ endif
endif
ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)
ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),false)