diff options
author | Barani Muthukumaran <quic_bmuthuku@quicinc.com> | 2020-02-03 13:06:45 -0800 |
---|---|---|
committer | Paul Crowley <paulcrowley@google.com> | 2020-02-12 14:26:26 -0800 |
commit | 3dfb094cb26cf37e14b3bbf81e31248b913b3e41 (patch) | |
tree | 60c22742e4653106e93c886e2aa003c3ae0cb0c2 /KeyUtil.cpp | |
parent | 68b9fb10ae1bf1491c8dc6d854be900e62ebc090 (diff) | |
download | vold-3dfb094cb26cf37e14b3bbf81e31248b913b3e41.tar.gz |
vold: Support Storage keys for FBE
To prevent keys from being compromised if an attacker
acquires read access to kernel memory, some inline
encryption hardware supports protecting the keys in
hardware without software having access to or the
ability to set the plaintext keys. Instead, software
only sees "wrapped keys", which may differ on every boot.
'wrappedkey_v0' fileencryption flag is used to denote
that the device supports inline encryption hardware that
supports this feature. On such devices keymaster is used
to generate keys with STORAGE_KEY tag and export a
per-boot ephemerally wrapped storage key to install it in
the kernel.
The wrapped key framework in the linux kernel ensures the
wrapped key is provided to the inline encryption hardware
where it is unwrapped and the file contents key is derived
to encrypt contents without revealing the plaintext key in
the clear.
Test: FBE validation with Fscrypt v2 + inline crypt + wrapped
key changes kernel.
Bug: 147733587
Change-Id: I1f0de61b56534ec1df9baef075acb74bacd00758
Diffstat (limited to 'KeyUtil.cpp')
-rw-r--r-- | KeyUtil.cpp | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/KeyUtil.cpp b/KeyUtil.cpp index d4a653b5..ae4d70bf 100644 --- a/KeyUtil.cpp +++ b/KeyUtil.cpp @@ -29,6 +29,7 @@ #include <android-base/logging.h> #include <keyutils.h> +#include <fscrypt_uapi.h> #include "KeyStorage.h" #include "Utils.h" @@ -45,6 +46,13 @@ bool randomKey(KeyBuffer* key) { return true; } +bool generateStorageKey(const EncryptionOptions& options, KeyBuffer* key) { + if (options.use_hw_wrapped_key) { + return generateWrappedStorageKey(key); + } + return randomKey(key); +} + // Return true if the kernel supports the ioctls to add/remove fscrypt keys // directly to/from the filesystem. bool isFsKeyringSupported(void) { @@ -222,6 +230,7 @@ bool installKey(const std::string& mountpoint, const EncryptionOptions& options, return false; } + if (options.use_hw_wrapped_key) arg->flags |= FSCRYPT_ADD_KEY_FLAG_WRAPPED; // Provide the raw key. arg->raw_size = key.size(); memcpy(arg->raw, key.data(), key.size()); @@ -307,8 +316,8 @@ bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy) { } bool retrieveKey(bool create_if_absent, const KeyAuthentication& key_authentication, - const std::string& key_path, const std::string& tmp_path, KeyBuffer* key, - bool keepOld) { + const std::string& key_path, const std::string& tmp_path, + const EncryptionOptions& options, KeyBuffer* key, bool keepOld) { if (pathExists(key_path)) { LOG(DEBUG) << "Key exists, using: " << key_path; if (!retrieveKey(key_path, key_authentication, key, keepOld)) return false; @@ -318,7 +327,7 @@ bool retrieveKey(bool create_if_absent, const KeyAuthentication& key_authenticat return false; } LOG(INFO) << "Creating new key in " << key_path; - if (!randomKey(key)) return false; + if (!generateStorageKey(options, key)) return false; if (!storeKeyAtomically(key_path, tmp_path, key_authentication, *key)) return false; } return true; |