author | Eric Biggers <ebiggers@google.com> | 2019-09-13 11:07:42 -0700 |
---|---|---|
committer | Eric Biggers <ebiggers@google.com> | 2019-09-30 10:26:12 -0700 |
commit | 17115c7725f56b68f5117d6f4cd6eb68a99ad406 (patch) | |
tree | f96fe8d7ff4ba6939b7e0f093763b33dce3b2a55 /libfscrypt/include/fscrypt | |
parent | 0888874bb4a645dc5c6cacd0be17d83ae1cad168 (diff) | |
download | extras-17115c7725f56b68f5117d6f4cd6eb68a99ad406.tar.gz |
libfscrypt: support setting v2 encryption policies

Update libfscrypt to support setting v2 encryption policies. For this,
the ioctl to use is still FS_IOC_SET_ENCRYPTION_POLICY; we just need to
pass it a slightly different structure.

v2 policies support the same encryption modes and flags as v1 policies,
but internally they use a more standard, secure, and flexible KDF. Due
to this, some future features will be supported by v2 policies only.

Other notes:

- Use 16 byte filenames padding for all v2 policies. There's no need to
  use the legacy 4 bytes padding.

- Unlike v1 policies, setting a v2 policy requires CAP_FOWNER if the key
  hasn't been installed. This isn't an issue for Android, however --
  Android always installs the keys first, and even if it didn't,
  policies are only set by init and vold, which have CAP_FOWNER.

Bug: 140500999
Test: tested as series; see If64028d8580584b2c33c614cabd5d6b93657f608
Change-Id: I325f75fd3e59d6f00a5c66938b99b127981183a5
Diffstat (limited to 'libfscrypt/include/fscrypt')
-rw-r--r-- | libfscrypt/include/fscrypt/fscrypt.h | 7 |
1 files changed, 3 insertions, 4 deletions
diff --git a/libfscrypt/include/fscrypt/fscrypt.h b/libfscrypt/include/fscrypt/fscrypt.h index ff82d47a..13358bb7 100644 --- a/libfscrypt/include/fscrypt/fscrypt.h +++ b/libfscrypt/include/fscrypt/fscrypt.h @@ -25,10 +25,9 @@ __BEGIN_DECLS bool fscrypt_is_native(); -int fscrypt_policy_ensure(const char *directory, const char *policy, - size_t policy_length, - const char *contents_encryption_mode, - const char *filenames_encryption_mode); +int fscrypt_policy_ensure(const char* directory, const char* key_raw_ref, size_t key_raw_ref_length, + const char* contents_encryption_mode, + const char* filenames_encryption_mode, int policy_version); static const char* fscrypt_unencrypted_folder = "/unencrypted"; static const char* fscrypt_key_ref = "/unencrypted/ref"; |
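Review bot: The new trailing `int policy_version` argument of fscrypt_policy_ensure() is a bare int with no comment in the header saying which values are accepted, and `key_raw_ref_length` is likewise undocumented, so a caller cannot tell from fscrypt.h what reference length goes with which policy version. Please add a short comment above the declaration stating the valid versions and the expected `key_raw_ref` length for each, or expose named constants (or an enum) for the version instead of a raw int. Since only the header is visible in this diffstat, it is also worth confirming in the implementation that an unrecognised `policy_version` or a length that does not match the version is rejected with an error rather than falling back to a v1 policy.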