Snap for 5970985 from 1b535e41fd6c1b666cf806aae782cf621b7782bc to qt-d4-releaseandroid-10.0.0_r45android-10.0.0_r44android-10.0.0_r43android-10.0.0_r42android10-d4-s1-releaseandroid10-d4-release

Change-Id: I93cc32d700fa5d6899dfc8dae941c19a19455b9f

4 files changed, 22 insertions, 8 deletions

diff --git a/Checkpoint.cpp b/Checkpoint.cpp
index c8af08c2..3f688f8f 100644
--- a/Checkpoint.cpp
+++ b/Checkpoint.cpp
@@ -244,6 +244,11 @@ bool cp_needsRollback() {
 }
 
 bool cp_needsCheckpoint() {
+    // Make sure we only return true during boot. See b/138952436 for discussion
+    static bool called_once = false;
+    if (called_once) return isCheckpointing;
+    called_once = true;
+
     bool ret;
     std::string content;
     sp<IBootControl> module = IBootControl::getService();
@@ -317,6 +322,8 @@ static void cp_healthDaemon(std::string mnt_pnt, std::string blk_device, bool is
 }  // namespace
 
 Status cp_prepareCheckpoint() {
+    // Log to notify CTS - see b/137924328 for context
+    LOG(INFO) << "cp_prepareCheckpoint called";
     if (!isCheckpointing) {
         return Status::ok();
     }
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index 2a8e110b..07560e0b 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -84,7 +84,7 @@ const std::string prepare_subdirs_path = "/system/bin/vold_prepare_subdirs";
 const std::string systemwide_volume_key_dir =
     std::string() + DATA_MNT_POINT + "/misc/vold/volume_keys";
 
-bool s_global_de_initialized = false;
+bool s_systemwide_keys_initialized = false;
 
 // Some users are ephemeral, don't try to wipe their keys from disk
 std::set<userid_t> s_ephemeral_users;
@@ -335,10 +335,10 @@ static bool load_all_de_keys() {
     return true;
 }
 
-bool fscrypt_initialize_global_de() {
-    LOG(INFO) << "fscrypt_initialize_global_de";
+bool fscrypt_initialize_systemwide_keys() {
+    LOG(INFO) << "fscrypt_initialize_systemwide_keys";
 
-    if (s_global_de_initialized) {
+    if (s_systemwide_keys_initialized) {
         LOG(INFO) << "Already initialized";
         return true;
     }
@@ -355,11 +355,18 @@ bool fscrypt_initialize_global_de() {
 
     std::string ref_filename = std::string("/data") + fscrypt_key_ref;
     if (!android::vold::writeStringToFile(device_ref.key_raw_ref, ref_filename)) return false;
-
     LOG(INFO) << "Wrote system DE key reference to:" << ref_filename;
 
+    KeyBuffer per_boot_key;
+    if (!android::vold::randomKey(&per_boot_key)) return false;
+    std::string per_boot_raw_ref;
+    if (!android::vold::installKey(per_boot_key, &per_boot_raw_ref)) return false;
+    std::string per_boot_ref_filename = std::string("/data") + fscrypt_key_per_boot_ref;
+    if (!android::vold::writeStringToFile(per_boot_raw_ref, per_boot_ref_filename)) return false;
+    LOG(INFO) << "Wrote per boot key reference to:" << per_boot_ref_filename;
+
     if (!android::vold::FsyncDirectory(device_key_dir)) return false;
-    s_global_de_initialized = true;
+    s_systemwide_keys_initialized = true;
     return true;
 }
 
diff --git a/FsCrypt.h b/FsCrypt.h
index 16e2f9ae..03ec2e16 100644
--- a/FsCrypt.h
+++ b/FsCrypt.h
@@ -18,7 +18,7 @@
 
 #include <cutils/multiuser.h>
 
-bool fscrypt_initialize_global_de();
+bool fscrypt_initialize_systemwide_keys();
 
 bool fscrypt_init_user0();
 bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral);
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index 1762b70f..7f7f2897 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -691,7 +691,7 @@ binder::Status VoldNativeService::fbeEnable() {
     ENFORCE_UID(AID_SYSTEM);
     ACQUIRE_CRYPT_LOCK;
 
-    return translateBool(fscrypt_initialize_global_de());
+    return translateBool(fscrypt_initialize_systemwide_keys());
 }
 
 binder::Status VoldNativeService::mountDefaultEncrypted() {