author | Konstantin Vyshetsky <vkon@google.com> | 2021-10-07 14:27:38 -0700 |
---|---|---|
committer | TreeHugger Robot <treehugger-gerrit@google.com> | 2021-11-11 05:04:50 +0000 |
commit | 067512ec32b105fb41b8a8878b17082d53203fd6 (patch) | |
tree | 78086ed381c7f2fff5cdd517d805682d54f41153 /conf | |
parent | 11475b1588120ac8c36af302d7bb2ada8f4c6df6 (diff) | |
download | gs201-067512ec32b105fb41b8a8878b17082d53203fd6.tar.gz |
Generate a separate fstab file for FIPS mode
Add a file "fstab.gs201-fips" alongside the existing "fstab.gs201" in
order to specify different encryption settings in FIPS mode.
"androidboot.fstab_suffix=gs201-fips" on the kernel command line will be
used to select the FIPS fstab when needed.
As the two fstabs should be otherwise identical, generate them from a
template file so that they will stay in sync.
Note that generating the fstabs requires that they be installed as build
system modules rather than via PRODUCT_COPY_FILES, which results in the
vendor_ramdisk copy of the fstabs being installed to system/etc rather
than /. This shouldn't cause any problem, now that Android has been
updated to look for the fstab in this location too.
(cherry-pick from device/google/gs101)
Test: Boot to home screen with/without fips mode
Bug: 202417706
Signed-off-by: Konstantin Vyshetsky <vkon@google.com>
Change-Id: I8fdc1c9a91399816fa2d4c53f282d63e988ce7d5
Diffstat (limited to 'conf')
-rw-r--r-- | conf/Android.bp | 55 | ||||
-rw-r--r-- | conf/fstab.gs201.in (renamed from conf/fstab.gs201) | 2 | ||||
-rw-r--r-- | conf/init.gs201.rc | 4 |
3 files changed, 58 insertions, 3 deletions
diff --git a/conf/Android.bp b/conf/Android.bp
new file mode 100644
index 0000000..bac5f07
--- /dev/null
+++ b/conf/Android.bp
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) 2021 The Android Open Source Project
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+// By default this device uses hardware-wrapped keys for storage encryption,
+// which is intended to offer increased security over the traditional method
+// (software keys). However, hardware-wrapped keys aren't compatible with
+// FIPS-140 certification of the encryption hardware, and hence we have to
+// disable the use of them in FIPS mode. This requires having two fstab files:
+// one for the default mode, and one for FIPS mode selectable via
+// androidboot.fstab_suffix on the kernel command line. These fstabs should be
+// identical with the exception of the encryption settings, so to keep them in
+// sync the rules below generate them from a template file.
+
+genrule {
+ name: "gen_fstab.gs201",
+ srcs: ["fstab.gs201.in"],
+ out: ["fstab.gs201"],
+ cmd: "sed -e s/@fileencryption@/::inlinecrypt_optimized+wrappedkey_v0/" +
+ " -e s/@metadata_encryption@/:wrappedkey_v0/ $(in) > $(out)",
+}
+
+genrule {
+ name: "gen_fstab.gs201-fips",
+ srcs: ["fstab.gs201.in"],
+ out: ["fstab.gs201-fips"],
+ cmd: "sed -e s/@fileencryption@/aes-256-xts/" +
+ " -e s/@metadata_encryption@/aes-256-xts/ $(in) > $(out)",
+}
+
+prebuilt_etc {
+ name: "fstab.gs201",
+ src: ":gen_fstab.gs201",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
+
+prebuilt_etc {
+ name: "fstab.gs201-fips",
+ src: ":gen_fstab.gs201-fips",
+ vendor: true,
+ vendor_ramdisk_available: true,
+}
diff --git a/conf/fstab.gs201 b/conf/fstab.gs201.in
index b7f5751..9edf95b 100644
--- a/conf/fstab.gs201
+++ b/conf/fstab.gs201.in
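Review bot: Neither `sed` command in `gen_fstab.gs201` and `gen_fstab.gs201-fips` checks that a substitution actually happened, so if a placeholder in `fstab.gs201.in` is later renamed or mistyped the genrule still succeeds and installs an fstab containing a literal `@fileencryption@` or `@metadata_encryption@`. That matters most for the FIPS variant, whose only purpose is to guarantee `aes-256-xts` instead of wrapped keys. I would make the build fail on leftover placeholders by appending a check to each `cmd`, e.g. `" && ! grep -q '@[a-z_]*@' $(out)"` (assuming grep is available to genrules in this tree). A second check that the output contains the expected `fileencryption=` value would also catch the case where the option is dropped from the template altogether.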
@@ -17,7 +17,7 @@ vendor_dlkm /vendor_dlkm
 /dev/block/platform/14700000.ufs/by-name/misc /misc emmc defaults wait
 /dev/block/platform/14700000.ufs/by-name/metadata /metadata f2fs noatime,nosuid,nodev,sync wait,check,formattable,first_stage_mount
 #/dev/block/platform/14700000.ufs/by-name/pvmfw /pvmfw emmc defaults wait,slotselect,avb=pvmfw,first_stage_mount
-/dev/block/platform/14700000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,compress_extension=vdex,compress_extension=odex,atgc,checkpoint_merge latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=::inlinecrypt_optimized+wrappedkey_v0,metadata_encryption=:wrappedkey_v0,keydirectory=/metadata/vold/metadata_encryption,fscompress,readahead_size_kb=128
+/dev/block/platform/14700000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,compress_extension=vdex,compress_extension=odex,atgc,checkpoint_merge latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=@fileencryption@,metadata_encryption=@metadata_encryption@,keydirectory=/metadata/vold/metadata_encryption,fscompress,readahead_size_kb=128
 /dev/block/platform/14700000.ufs/by-name/vbmeta /vbmeta emmc defaults slotselect,first_stage_mount
 /dev/block/zram0 none swap defaults zramsize=2147483648,max_comp_streams=8,zram_backingdev_size=512M
 /devices/platform/11210000.usb* auto vfat defaults voldmanaged=usb:auto
diff --git a/conf/init.gs201.rc b/conf/init.gs201.rc
index 4054494..713633a 100644
--- a/conf/init.gs201.rc
+++ b/conf/init.gs201.rc
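Review bot: The userdata entry now carries `@fileencryption@` and `@metadata_encryption@`, but nothing in the visible part of the template says that the file is a template or where the values come from. The file header is outside this hunk, so this may already be covered there. A comment above the entry would help, e.g. `# @fileencryption@ / @metadata_encryption@ are substituted by conf/Android.bp; do not install this file directly.` Both generated variants also keep the same `keydirectory=/metadata/vold/metadata_encryption`, so presumably a provisioned device cannot switch between the default and FIPS fstab without wiping userdata. If that is the case, it deserves a line in the same comment.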
@@ -255,7 +255,7 @@ on late-fs class_start animation # Mount RW partitions which need run fsck - mount_all /vendor/etc/fstab.gs201 --late + mount_all --late on post-fs-data # Log data folder @@ -449,7 +449,7 @@ on property:persist.vendor.radio.no_modem_board=1 setprop ro.radio.noril yes on fs - mount_all /vendor/etc/fstab.gs201 --early + mount_all --early restorecon_recursive /mnt/vendor/efs chown radio system /mnt/vendor/efs restorecon_recursive /mnt/vendor/efs_backup |
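Review bot: The `mount_all --late` in `on late-fs` and the `mount_all --early` in `on fs` (second hunk) no longer name an fstab, and no comment tells the reader that init now chooses between `fstab.gs201` and `fstab.gs201-fips`. I would add above each call something like `# fstab path omitted: init selects the file via androidboot.fstab_suffix (gs201 or gs201-fips)`. What init does when the suffixed file is absent is not visible in this diff. If it falls back to the default fstab, a FIPS boot would mount userdata with wrapped keys and no error, so that path is worth confirming in testing. Both `on` blocks continue outside their hunks.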