FsCrypt update: support fscrypt policies v1 and v2
This patchset introduces support decryption for Android 11.
In this update we deprecate ext4crypt. To specify the
policy version to use, use TW_USE_FSCRYPT_POLICY := 1 or
TW_USE_FSCRYPT_POLICY := 2. By default policy version will
be set to 2 if this variable is omitted.
Change-Id: I62a29c1bef36c259ec4b11259f71be613d20a112
diff --git a/crypto/fscrypt/Keymaster.cpp b/crypto/fscrypt/Keymaster.cpp
index 706181d..27353f1 100755
--- a/crypto/fscrypt/Keymaster.cpp
+++ b/crypto/fscrypt/Keymaster.cpp
@@ -3,7 +3,7 @@
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
+ * You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
@@ -17,11 +17,9 @@
#include "Keymaster.h"
#include <android-base/logging.h>
-#include <keymasterV4_0/authorization_set.h>
-#include <keymasterV4_0/keymaster_utils.h>
+#include <keymasterV4_1/authorization_set.h>
+#include <keymasterV4_1/keymaster_utils.h>
-namespace android {
-namespace vold {
using ::android::hardware::hidl_string;
using ::android::hardware::hidl_vec;
@@ -138,30 +136,25 @@
return true;
}
-km::ErrorCode Keymaster::exportKey(km::KeyFormat format, KeyBuffer& kmKey, const std::string& clientId,
- const std::string& appData, std::string* key) {
+bool Keymaster::exportKey(const KeyBuffer& kmKey, std::string* key) {
auto kmKeyBlob = km::support::blob2hidlVec(std::string(kmKey.data(), kmKey.size()));
- auto emptyAssign = NULL;
- auto kmClientId = (clientId == "!") ? emptyAssign: km::support::blob2hidlVec(clientId);
- auto kmAppData = (appData == "!") ? emptyAssign: km::support::blob2hidlVec(appData);
km::ErrorCode km_error;
auto hidlCb = [&](km::ErrorCode ret, const hidl_vec<uint8_t>& exportedKeyBlob) {
km_error = ret;
if (km_error != km::ErrorCode::OK) return;
- if(key)
- key->assign(reinterpret_cast<const char*>(&exportedKeyBlob[0]),
- exportedKeyBlob.size());
+ if (key)
+ key->assign(reinterpret_cast<const char*>(&exportedKeyBlob[0]), exportedKeyBlob.size());
};
- auto error = mDevice->exportKey(format, kmKeyBlob, kmClientId, kmAppData, hidlCb);
+ auto error = mDevice->exportKey(km::KeyFormat::RAW, kmKeyBlob, {}, {}, hidlCb);
if (!error.isOk()) {
LOG(ERROR) << "export_key failed: " << error.description();
- return km::ErrorCode::UNKNOWN_ERROR;
+ return false;
}
if (km_error != km::ErrorCode::OK) {
LOG(ERROR) << "export_key failed, code " << int32_t(km_error);
- return km_error;
+ return false;
}
- return km::ErrorCode::OK;
+ return true;
}
bool Keymaster::deleteKey(const std::string& key) {
@@ -233,10 +226,22 @@
return mDevice->halVersion().securityLevel != km::SecurityLevel::SOFTWARE;
}
-} // namespace vold
-} // namespace android
-
-using namespace ::android::vold;
+void Keymaster::earlyBootEnded() {
+ auto devices = KmDevice::enumerateAvailableDevices();
+ for (auto& dev : devices) {
+ auto error = dev->earlyBootEnded();
+ if (!error.isOk()) {
+ LOG(ERROR) << "earlyBootEnded call failed: " << error.description() << " for "
+ << dev->halVersion().keymasterName;
+ }
+ km::V4_1_ErrorCode km_error = error;
+ if (km_error != km::V4_1_ErrorCode::OK && km_error != km::V4_1_ErrorCode::UNIMPLEMENTED) {
+ LOG(ERROR) << "Error reporting early boot ending to keymaster: "
+ << static_cast<int32_t>(km_error) << " for "
+ << dev->halVersion().keymasterName;
+ }
+ }
+}
int keymaster_compatibility_cryptfs_scrypt() {
Keymaster dev;