commit 90edd2e867b238e71ee198e3460e289cd7dee54c
author Peter Cai <peter@typeblog.net> Thu May 23 16:32:22 2019 +0800
committer big biff <bigbiff@teamw.in> Sun Sep 01 19:33:30 2019 +0200
tree 3febcf7620a3ee3bb2043d91c981f9e7a1b635ff
parent 69ab4a60005783e04c1f416708cac1ba4dee07cd

ext4crypt: support wrappedkey for FBE

Qualcomm devices use a special `wrappedkey` mode for FBE. This is ported
from CAF
https://source.codeaurora.org/quic/la/platform/system/vold/commit/?h=LA.UM.7.8.r4-01000-SDM710.0&id=9229262d893a8592f7bc1b4e8a8dab7aad8df68c,
originally by folks at Mokee for vold
https://mokeedev.review/c/MoKee/android_system_vold/+/34102.

This patch ports the above changes to `ext4crypt`, which we can use in
recovery. Note that since we do not have `fs_mgr` in the recovery, we
cannot read the `wrappedkey` flag from fstab. Instead, similar to
`fbe.contents`, we use a special property `fbe.data.wrappedkey` to
indicate support for wrappedkey mode. Devices that need to use this
should set this property to `true` to activate corresponding code.

Change-Id: I79c2855d577156670b45c10c7c7b1fcd9fece8d9

crypto/ext4crypt/Ext4CryptPie.cpp

diff --git a/crypto/ext4crypt/Ext4CryptPie.cpp b/crypto/ext4crypt/Ext4CryptPie.cpp
index d6ea531..d76ca24 100644
--- a/crypto/ext4crypt/Ext4CryptPie.cpp
+++ b/crypto/ext4crypt/Ext4CryptPie.cpp
@@ -16,6 +16,7 @@
 
 #include "Ext4CryptPie.h"
 
+#include "Keymaster4.h"
 #include "KeyStorage4.h"
 #include "KeyUtil.h"
 #include "Utils.h"
@@ -68,6 +69,8 @@
 using android::base::WriteStringToFile;
 using android::vold::kEmptyAuthentication;
 using android::vold::KeyBuffer;
+using android::vold::Keymaster;
+using android::hardware::keymaster::V4_0::KeyFormat;
 
 // Store main DE raw ref / policy
 std::string de_raw_ref;
@@ -204,12 +207,42 @@
     return false;
 }
 
+static bool is_wrapped_key_supported_common(const std::string& mount_point) {
+    LOG(DEBUG) << "Determining wrapped-key support for " << mount_point;
+    std::string wrapped_key_supported = android::base::GetProperty("fbe.data.wrappedkey", "false");
+    LOG(DEBUG) << "fbe.data.wrappedkey = " << wrapped_key_supported;
+    if (mount_point == DATA_MNT_POINT && wrapped_key_supported == "true") {
+        LOG(DEBUG) << "Wrapped key supported on " << mount_point;
+        return true;
+    } else {
+        return false;
+    }
+}
+
+bool is_wrapped_key_supported() {
+    return is_wrapped_key_supported_common(DATA_MNT_POINT);
+}
+
+bool is_wrapped_key_supported_external() {
+    return false;
+}
+
 static bool read_and_install_user_ce_key(userid_t user_id,
                                          const android::vold::KeyAuthentication& auth) {
     if (s_ce_key_raw_refs.count(user_id) != 0) return true;
     KeyBuffer ce_key;
     if (!read_and_fixate_user_ce_key(user_id, auth, &ce_key)) return false;
     std::string ce_raw_ref;
+
+    if (is_wrapped_key_supported()) {
+        KeyBuffer ephemeral_wrapped_key;
+        if (!getEphemeralWrappedKey(KeyFormat::RAW, ce_key, &ephemeral_wrapped_key)) {
+           LOG(ERROR) << "Failed to export ce key";
+           return false;
+        }
+
+        ce_key = std::move(ephemeral_wrapped_key);
+    }
     if (!android::vold::installKey(ce_key, &ce_raw_ref)) return false;
     s_ce_keys[user_id] = std::move(ce_key);
     s_ce_key_raw_refs[user_id] = ce_raw_ref;
@@ -335,6 +368,14 @@
             KeyBuffer key;
             if (!android::vold::retrieveKey(key_path, kEmptyAuthentication, &key)) return false;
             std::string raw_ref;
+            if (is_wrapped_key_supported()) {
+                KeyBuffer ephemeral_wrapped_key;
+                if (!getEphemeralWrappedKey(KeyFormat::RAW, key, &ephemeral_wrapped_key)) {
+                   LOG(ERROR) << "Failed to export de_key in create_and_install_user_keys";
+                   return false;
+                }
+                key = std::move(ephemeral_wrapped_key);
+            }
             if (!android::vold::installKey(key, &raw_ref)) return false;
             s_de_key_raw_refs[user_id] = raw_ref;
             LOG(DEBUG) << "Installed de key for user " << user_id << std::endl;
@@ -347,6 +388,7 @@
 
 bool e4crypt_initialize_global_de() {
     LOG(INFO) << "e4crypt_initialize_global_de" << std::endl;
+    bool wrapped_key_supported = false;
 
     if (s_global_de_initialized) {
         LOG(INFO) << "Already initialized" << std::endl;
@@ -354,9 +396,10 @@
     }
 
     PolicyKeyRef device_ref;
+    wrapped_key_supported = is_wrapped_key_supported();
     LOG(INFO) << "calling retrieveAndInstallKey\n";
     if (!android::vold::retrieveAndInstallKey(true, kEmptyAuthentication, device_key_path,
-                                              device_key_temp, &device_ref.key_raw_ref))
+                                              device_key_temp, &device_ref.key_raw_ref, wrapped_key_supported))
         return false;
     get_data_file_encryption_modes(&device_ref);
 
@@ -535,6 +578,7 @@
                                   PolicyKeyRef* key_ref) {
     auto secdiscardable_path = volume_secdiscardable_path(volume_uuid);
     std::string secdiscardable_hash;
+    bool wrapped_key_supported = false;
     if (android::vold::pathExists(secdiscardable_path)) {
         if (!android::vold::readSecdiscardable(secdiscardable_path, &secdiscardable_hash))
             return false;
@@ -552,8 +596,9 @@
         return false;
     }
     android::vold::KeyAuthentication auth("", secdiscardable_hash);
+    wrapped_key_supported = is_wrapped_key_supported_external();
     if (!android::vold::retrieveAndInstallKey(true, auth, key_path, key_path + "_tmp",
-                                              &key_ref->key_raw_ref))
+                                              &key_ref->key_raw_ref, wrapped_key_supported))
         return false;
     key_ref->contents_mode =
         android::base::GetProperty("ro.crypto.volume.contents_mode", "aes-256-xts");