diff options
Diffstat (limited to 'crypto/ext4crypt/KeyUtil.cpp')
-rw-r--r-- | crypto/ext4crypt/KeyUtil.cpp | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/crypto/ext4crypt/KeyUtil.cpp b/crypto/ext4crypt/KeyUtil.cpp index 946c6cf9c..3dc05004c 100644 --- a/crypto/ext4crypt/KeyUtil.cpp +++ b/crypto/ext4crypt/KeyUtil.cpp @@ -27,6 +27,7 @@ #include <keyutils.h> #include "KeyStorage4.h" +#include "Ext4CryptPie.h" #include "Utils.h" #include <iostream> @@ -35,6 +36,11 @@ #include <sys/types.h> #include <unistd.h> +#define MAX_USER_ID 0xFFFFFFFF + +using android::hardware::keymaster::V4_0::KeyFormat; +using android::vold::KeyType; + namespace android { namespace vold { @@ -128,7 +134,14 @@ bool installKey(const KeyBuffer& key, std::string* raw_ref) { ext4_encryption_key &ext4_key = *reinterpret_cast<ext4_encryption_key*>(ext4KeyBuffer.data()); if (!fillKey(key, &ext4_key)) return false; - *raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size); + if (is_wrapped_key_supported()) { + /* When wrapped key is supported, only the first 32 bytes are + the same per boot. The second 32 bytes can change as the ephemeral + key is different. */ + *raw_ref = generateKeyRef(ext4_key.raw, (ext4_key.size)/2); + } else { + *raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size); + } key_serial_t device_keyring; if (!e4cryptKeyring(&device_keyring)) return false; for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) { @@ -171,7 +184,7 @@ bool evictKey(const std::string& raw_ref) { bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication, const std::string& key_path, const std::string& tmp_path, - std::string* key_ref) { + std::string* key_ref, bool wrapped_key_supported) { KeyBuffer key; if (pathExists(key_path)) { LOG(DEBUG) << "Key exists, using: " << key_path << std::endl; @@ -182,10 +195,23 @@ bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_a return false; } LOG(INFO) << "Creating new key in " << key_path << std::endl; - if (!randomKey(&key)) return false; + if (wrapped_key_supported) { + if(!generateWrappedKey(MAX_USER_ID, KeyType::DE_SYS, &key)) return false; + } else { + if (!randomKey(&key)) return false; + } if (!storeKeyAtomically(key_path, tmp_path, key_authentication, key)) return false; } + if (wrapped_key_supported) { + KeyBuffer ephemeral_wrapped_key; + if (!getEphemeralWrappedKey(KeyFormat::RAW, key, &ephemeral_wrapped_key)) { + LOG(ERROR) << "Failed to export key in retrieveAndInstallKey"; + return false; + } + key = std::move(ephemeral_wrapped_key); + } + if (!installKey(key, key_ref)) { LOG(ERROR) << "Failed to install key in " << key_path << std::endl; return false; |