diff options
| author | Paul Crowley <paulcrowley@google.com> | 2018-03-30 09:42:04 -0700 |
|---|---|---|
| committer | Paul Crowley <paulcrowley@google.com> | 2018-03-30 10:47:53 -0700 |
| commit | 0aec08a8a7f1b6a1808e4e13173e7f7abfbda026 (patch) | |
| tree | c2cee8f6332ee53c9b4f1b425d058bfa9a12db8a /ext4_utils | |
| parent | 2b3f24a5961ba06e8ac8a08247839208c7f9a19c (diff) | |
| download | extras-0aec08a8a7f1b6a1808e4e13173e7f7abfbda026.tar.gz | |
Support Speck encryption.
Test: Modified Pixel to support and use Speck encryption, booted.
Bug: 77227248
Change-Id: I1efc54b60e074265914fde764ab4b85798128d67
Merged-In: I1efc54b60e074265914fde764ab4b85798128d67
Diffstat (limited to 'ext4_utils')
| -rw-r--r-- | ext4_utils/ext4_crypt.cpp | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/ext4_utils/ext4_crypt.cpp b/ext4_utils/ext4_crypt.cpp index de85f7e9..25d929e7 100644 --- a/ext4_utils/ext4_crypt.cpp +++ b/ext4_utils/ext4_crypt.cpp @@ -48,6 +48,8 @@ struct ext4_encryption_policy { #define EXT4_ENCRYPTION_MODE_AES_256_XTS 1 #define EXT4_ENCRYPTION_MODE_AES_256_CTS 4 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_XTS 7 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_CTS 8 #define EXT4_ENCRYPTION_MODE_AES_256_HEH 126 #define EXT4_ENCRYPTION_MODE_PRIVATE 127 @@ -109,18 +111,15 @@ static bool is_dir_empty(const char *dirname, bool *is_empty) } static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) { - - // With HEH, pad filenames with zeroes to the next 16-byte boundary. This - // is not required, but it's more secure (helps hide the length of - // filenames), makes the inputs evenly divisible into blocks which is more - // efficient for encryption and decryption, and we had the opportunity to - // make a breaking change when introducing a new mode anyway. - if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_HEH) { - return EXT4_POLICY_FLAGS_PAD_16; + if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_CTS) { + // Use legacy padding with our original filenames encryption mode. + return EXT4_POLICY_FLAGS_PAD_4; } - - // Default flags (4-byte padding) for CTS - return EXT4_POLICY_FLAGS_PAD_4; + // With a new mode we can use the better padding flag without breaking existing devices: pad + // filenames with zeroes to the next 16-byte boundary. This is more secure (helps hide the + // length of filenames) and makes the inputs evenly divisible into blocks which is more + // efficient for encryption and decryption. + return EXT4_POLICY_FLAGS_PAD_16; } static bool e4crypt_policy_set(const char *directory, const char *policy, @@ -231,6 +230,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(contents_encryption_mode, "software") || !strcmp(contents_encryption_mode, "aes-256-xts")) { contents_mode = EXT4_ENCRYPTION_MODE_AES_256_XTS; + } else if (!strcmp(contents_encryption_mode, "speck128/256-xts")) { + contents_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_XTS; } else if (!strcmp(contents_encryption_mode, "ice")) { contents_mode = EXT4_ENCRYPTION_MODE_PRIVATE; } else { @@ -241,6 +242,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(filenames_encryption_mode, "aes-256-cts")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_CTS; + } else if (!strcmp(filenames_encryption_mode, "speck128/256-cts")) { + filenames_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_CTS; } else if (!strcmp(filenames_encryption_mode, "aes-256-heh")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_HEH; } else { |