summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDavid Ng <dave@codeaurora.org>2018-03-23 06:43:59 (GMT)
committerDavid Ng <dave@codeaurora.org>2018-05-24 07:27:04 (GMT)
commitf09fb2e8705804b48aab18ca4ec023b9c14bd8f1 (patch)
treef7c8aa49f0d0abd8a3a5faf8181c1bfaeee82c5e
parentdda2692d71cdb4b4bceb93406a6163506becc116 (diff)
downloadandroid_vendor_qcom_opensource_cryptfs_hw-f09fb2e8705804b48aab18ca4ec023b9c14bd8f1.zip
android_vendor_qcom_opensource_cryptfs_hw-f09fb2e8705804b48aab18ca4ec023b9c14bd8f1.tar.gz
android_vendor_qcom_opensource_cryptfs_hw-f09fb2e8705804b48aab18ca4ec023b9c14bd8f1.tar.bz2
Relocation of cryptfs_hw module from device/qcom/common
Project restructuring for single system image. Relocation of some files from device/qcom/common at b5ce80cb1f60759a142a9338104d3adf3303ec0c. Change-Id: Iae4304c09859918c130c6798cd3e59a3728e2ea5
-rw-r--r--Android.mk39
-rw-r--r--NOTICE31
-rw-r--r--cryptfs_hw.c381
-rw-r--r--cryptfs_hw.h46
4 files changed, 497 insertions, 0 deletions
diff --git a/Android.mk b/Android.mk
new file mode 100644
index 0000000..84e3c38
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,39 @@
+ifeq ($(TARGET_USES_QSSI),true)
+ifeq ($(TARGET_HW_DISK_ENCRYPTION),true)
+LOCAL_PATH:= $(call my-dir)
+include $(CLEAR_VARS)
+
+sourceFiles := \
+ cryptfs_hw.c
+
+commonSharedLibraries := \
+ libcutils \
+ libutils \
+ libdl \
+ libhardware \
+ liblog
+
+commonIncludes := \
+ hardware/libhardware/include/hardware/ \
+ $(TARGET_OUT_INTERMEDIATES)/KERNEL_OBJ/usr/include \
+
+LOCAL_ADDITIONAL_DEPENDENCIES := $(TARGET_OUT_INTERMEDIATES)/KERNEL_OBJ/usr
+
+LOCAL_C_INCLUDES := $(commonIncludes)
+LOCAL_SRC_FILES := $(sourceFiles)
+
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE:= libcryptfs_hw
+LOCAL_SHARED_LIBRARIES := $(commonSharedLibraries)
+
+LOCAL_MODULE_OWNER := qti
+
+# USE_ICE_FOR_STORAGE_ENCRYPTION would be true in future if
+# TARGET_USE_EMMC_USE_ICE is set
+ifeq ($(TARGET_USE_UFS_ICE),true)
+LOCAL_CFLAGS += -DUSE_ICE_FOR_STORAGE_ENCRYPTION
+endif
+
+include $(BUILD_SHARED_LIBRARY)
+endif
+endif
diff --git a/NOTICE b/NOTICE
new file mode 100644
index 0000000..7d243ca
--- /dev/null
+++ b/NOTICE
@@ -0,0 +1,31 @@
+Copyright (c) 2014, 2017, The Linux Foundation. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted (subject to the limitations in the
+disclaimer below) provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+ * Redistributions in binary form must reproduce the above
+ copyright notice, this list of conditions and the following
+ disclaimer in the documentation and/or other materials provided
+ with the distribution.
+
+ * Neither the name of The Linux Foundation nor the names of its
+ contributors may be used to endorse or promote products derived
+ from this software without specific prior written permission.
+
+NO EXPRESS OR IMPLIED LICENSES TO ANY PARTY'S PATENT RIGHTS ARE
+GRANTED BY THIS LICENSE. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT
+HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED
+WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE
+GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER
+IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/cryptfs_hw.c b/cryptfs_hw.c
new file mode 100644
index 0000000..139c0be
--- /dev/null
+++ b/cryptfs_hw.c
@@ -0,0 +1,381 @@
+/* Copyright (c) 2014, 2017, The Linux Foundation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of The Linux Foundation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdlib.h>
+#include <string.h>
+#include <sys/limits.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <dirent.h>
+#include <dlfcn.h>
+#include <linux/qseecom.h>
+#include "cutils/log.h"
+#include "cutils/properties.h"
+#include "cutils/android_reboot.h"
+#include "keymaster_common.h"
+#include "hardware.h"
+#include "cryptfs_hw.h"
+
+/*
+ * When device comes up or when user tries to change the password, user can
+ * try wrong password upto a certain number of times. If user enters wrong
+ * password further, HW would wipe all disk encryption related crypto data
+ * and would return an error ERR_MAX_PASSWORD_ATTEMPTS to VOLD. VOLD would
+ * wipe userdata partition once this error is received.
+ */
+#define ERR_MAX_PASSWORD_ATTEMPTS -10
+#define MAX_PASSWORD_LEN 32
+#define QTI_ICE_STORAGE_UFS 1
+#define QTI_ICE_STORAGE_SDCC 2
+#define SET_HW_DISK_ENC_KEY 1
+#define UPDATE_HW_DISK_ENC_KEY 2
+
+#define CRYPTFS_HW_KMS_CLEAR_KEY 0
+#define CRYPTFS_HW_KMS_WIPE_KEY 1
+#define CRYPTFS_HW_UP_CHECK_COUNT 10
+#define CRYPTFS_HW_CLEAR_KEY_FAILED -11
+#define CRYPTFS_HW_KMS_MAX_FAILURE -10
+#define CRYPTFS_HW_UPDATE_KEY_FAILED -9
+#define CRYPTFS_HW_WIPE_KEY_FAILED -8
+#define CRYPTFS_HW_CREATE_KEY_FAILED -7
+
+enum cryptfs_hw_key_management_usage_type {
+ CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION = 0x01,
+ CRYPTFS_HW_KM_USAGE_FILE_ENCRYPTION = 0x02,
+ CRYPTFS_HW_KM_USAGE_UFS_ICE_DISK_ENCRYPTION = 0x03,
+ CRYPTFS_HW_KM_USAGE_SDCC_ICE_DISK_ENCRYPTION = 0x04,
+ CRYPTFS_HW_KM_USAGE_MAX
+};
+
+static inline void* secure_memset(void* v, int c , size_t n)
+{
+ volatile unsigned char* p = (volatile unsigned char* )v;
+ while (n--) *p++ = c;
+ return v;
+}
+
+static size_t memscpy(void *dst, size_t dst_size, const void *src, size_t src_size)
+{
+ size_t min_size = (dst_size < src_size) ? dst_size : src_size;
+ memcpy(dst, src, min_size);
+ return min_size;
+}
+
+static int cryptfs_hw_create_key(enum cryptfs_hw_key_management_usage_type usage,
+ unsigned char *hash32)
+{
+ struct qseecom_create_key_req req;
+ int qseecom_fd;
+ int32_t ret;
+
+ if (usage < CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION ||
+ usage >= CRYPTFS_HW_KM_USAGE_MAX) {
+ SLOGE("Error:: unsupported usage %d\n", usage);
+ return CRYPTFS_HW_CREATE_KEY_FAILED;
+ }
+
+ qseecom_fd = open("/dev/qseecom", O_RDWR);
+ if (qseecom_fd < 0) {
+ SLOGE("Error::Failed to open /dev/qseecom device\n");
+ return CRYPTFS_HW_CREATE_KEY_FAILED;;
+ }
+
+ if (!hash32) {
+ secure_memset((void *)req.hash32, 0, QSEECOM_HASH_SIZE);
+ } else {
+ memscpy((void *)req.hash32, QSEECOM_HASH_SIZE, (void *)hash32,
+ QSEECOM_HASH_SIZE);
+ }
+
+ req.usage = (enum qseecom_key_management_usage_type)usage;
+ ret = ioctl(qseecom_fd, QSEECOM_IOCTL_CREATE_KEY_REQ, &req);
+ if (ret) {
+ SLOGE("Error::ioctl call to create encryption key for usage %d failed with ret = %d, errno = %d\n",
+ usage, ret, errno);
+ if (errno == ERANGE)
+ ret = CRYPTFS_HW_KMS_MAX_FAILURE;
+ else
+ ret = CRYPTFS_HW_CREATE_KEY_FAILED;
+ } else {
+ SLOGE("SUCESS::ioctl call to create encryption key for usage %d success with ret = %d\n",
+ usage, ret);
+ }
+ close(qseecom_fd);
+ return ret;
+}
+
+static int __cryptfs_hw_wipe_clear_key(enum cryptfs_hw_key_management_usage_type usage, int wipe_key_flag)
+{
+ struct qseecom_wipe_key_req req;
+ int32_t ret;
+ int qseecom_fd;
+
+ if (usage < CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION ||
+ usage >= CRYPTFS_HW_KM_USAGE_MAX) {
+ SLOGE("Error:: unsupported usage %d\n", usage);
+ return -1;
+ }
+ qseecom_fd = open("/dev/qseecom", O_RDWR);
+ if (qseecom_fd < 0) {
+ SLOGE("Error::Failed to open /dev/qseecom device\n");
+ return -1;
+ }
+
+ req.usage = (enum qseecom_key_management_usage_type)usage;
+ req.wipe_key_flag = wipe_key_flag;
+ ret = ioctl(qseecom_fd, QSEECOM_IOCTL_WIPE_KEY_REQ, &req);
+ close(qseecom_fd);
+ return ret;
+}
+
+static int cryptfs_hw_wipe_key(enum cryptfs_hw_key_management_usage_type usage)
+{
+ int32_t ret;
+
+ ret = __cryptfs_hw_wipe_clear_key(usage, CRYPTFS_HW_KMS_WIPE_KEY);
+ if (ret) {
+ SLOGE("Error::ioctl call to wipe the encryption key for usage %d failed with ret = %d, errno = %d\n",
+ usage, ret, errno);
+ ret = CRYPTFS_HW_WIPE_KEY_FAILED;
+ } else {
+ SLOGE("SUCCESS::ioctl call to wipe the encryption key for usage %d success with ret = %d\n",
+ usage, ret);
+ }
+ return ret;
+}
+
+static int cryptfs_hw_clear_key(enum cryptfs_hw_key_management_usage_type usage)
+{
+ int32_t ret;
+
+ ret = __cryptfs_hw_wipe_clear_key(usage, CRYPTFS_HW_KMS_CLEAR_KEY);
+ if (ret) {
+ SLOGE("Error::ioctl call to wipe the encryption key for usage %d failed with ret = %d, errno = %d\n",
+ usage, ret, errno);
+ ret = CRYPTFS_HW_CLEAR_KEY_FAILED;
+ } else {
+ SLOGE("SUCCESS::ioctl call to wipe the encryption key for usage %d success with ret = %d\n",
+ usage, ret);
+ }
+ return ret;
+}
+
+static int cryptfs_hw_update_key(enum cryptfs_hw_key_management_usage_type usage,
+ unsigned char *current_hash32, unsigned char *new_hash32)
+{
+ struct qseecom_update_key_userinfo_req req;
+ int qseecom_fd;
+ int32_t ret;
+
+ if (usage < CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION ||
+ usage >= CRYPTFS_HW_KM_USAGE_MAX) {
+ SLOGE("Error:: unsupported usage %d\n", usage);
+ return CRYPTFS_HW_UPDATE_KEY_FAILED;
+ }
+ qseecom_fd = open("/dev/qseecom", O_RDWR);
+ if (qseecom_fd < 0) {
+ SLOGE("Error::Failed to open /dev/qseecom device\n");
+ return CRYPTFS_HW_UPDATE_KEY_FAILED;
+ }
+
+ req.usage = (enum qseecom_key_management_usage_type)usage;
+ if (!current_hash32) {
+ secure_memset((void *)req.current_hash32, 0, QSEECOM_HASH_SIZE);
+ } else {
+ memscpy((void *)req.current_hash32, QSEECOM_HASH_SIZE, (void *)current_hash32,
+ QSEECOM_HASH_SIZE);
+ }
+ if (!new_hash32) {
+ secure_memset((void *)req.new_hash32, 0, QSEECOM_HASH_SIZE);
+ } else {
+ memscpy((void *)req.new_hash32, QSEECOM_HASH_SIZE, (void *)new_hash32,
+ QSEECOM_HASH_SIZE);
+ }
+
+ ret = ioctl(qseecom_fd, QSEECOM_IOCTL_UPDATE_KEY_USER_INFO_REQ, &req);
+ if (ret) {
+ SLOGE("Error::ioctl call to update the encryption key for usage %d failed with ret = %d, errno = %d\n",
+ usage, ret, errno);
+ if (errno == ERANGE)
+ ret = CRYPTFS_HW_KMS_MAX_FAILURE;
+ else
+ ret = CRYPTFS_HW_UPDATE_KEY_FAILED;
+ } else {
+ SLOGE("SUCCESS::ioctl call to update the encryption key for usage %d success with ret = %d\n",
+ usage, ret);
+ }
+ close(qseecom_fd);
+ return ret;
+}
+
+static int map_usage(int usage)
+{
+ int storage_type = is_ice_enabled();
+ if (usage == CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION) {
+ if (storage_type == QTI_ICE_STORAGE_UFS) {
+ return CRYPTFS_HW_KM_USAGE_UFS_ICE_DISK_ENCRYPTION;
+ }
+ else if (storage_type == QTI_ICE_STORAGE_SDCC) {
+ return CRYPTFS_HW_KM_USAGE_SDCC_ICE_DISK_ENCRYPTION;
+ }
+ }
+ return usage;
+}
+
+static unsigned char* get_tmp_passwd(const char* passwd)
+{
+ int passwd_len = 0;
+ unsigned char * tmp_passwd = NULL;
+ if(passwd) {
+ tmp_passwd = (unsigned char*)malloc(MAX_PASSWORD_LEN);
+ if(tmp_passwd) {
+ secure_memset(tmp_passwd, 0, MAX_PASSWORD_LEN);
+ passwd_len = strnlen(passwd, MAX_PASSWORD_LEN);
+ memcpy(tmp_passwd, passwd, passwd_len);
+ } else {
+ SLOGE("%s: Failed to allocate memory for tmp passwd \n", __func__);
+ }
+ } else {
+ SLOGE("%s: Passed argument is NULL \n", __func__);
+ }
+ return tmp_passwd;
+}
+
+static int is_qseecom_up()
+{
+ int i = 0;
+ char value[PROPERTY_VALUE_MAX] = {0};
+
+ for (; i<CRYPTFS_HW_UP_CHECK_COUNT; i++) {
+ property_get("sys.keymaster.loaded", value, "");
+ if (!strncmp(value, "true", PROPERTY_VALUE_MAX))
+ return 1;
+ usleep(100000);
+ }
+ return 0;
+}
+
+/*
+ * For NON-ICE targets, it would return 0 on success. On ICE based targets,
+ * it would return key index in the ICE Key LUT
+ */
+static int set_key(const char* currentpasswd, const char* passwd, const char* enc_mode, int operation)
+{
+ int err = -1;
+ if (is_hw_disk_encryption(enc_mode)) {
+ unsigned char* tmp_passwd = get_tmp_passwd(passwd);
+ unsigned char* tmp_currentpasswd = get_tmp_passwd(currentpasswd);
+ if (tmp_passwd) {
+ if (operation == UPDATE_HW_DISK_ENC_KEY) {
+ if (tmp_currentpasswd) {
+ err = cryptfs_hw_update_key(map_usage(CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION), tmp_currentpasswd, tmp_passwd);
+ secure_memset(tmp_currentpasswd, 0, MAX_PASSWORD_LEN);
+ }
+ } else if (operation == SET_HW_DISK_ENC_KEY) {
+ err = cryptfs_hw_create_key(map_usage(CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION), tmp_passwd);
+ }
+ if(err < 0) {
+ if(ERR_MAX_PASSWORD_ATTEMPTS == err)
+ SLOGI("Maximum wrong password attempts reached, will erase userdata\n");
+ }
+ secure_memset(tmp_passwd, 0, MAX_PASSWORD_LEN);
+ free(tmp_passwd);
+ free(tmp_currentpasswd);
+ }
+ }
+ return err;
+}
+
+int set_hw_device_encryption_key(const char* passwd, const char* enc_mode)
+{
+ return set_key(NULL, passwd, enc_mode, SET_HW_DISK_ENC_KEY);
+}
+
+int update_hw_device_encryption_key(const char* oldpw, const char* newpw, const char* enc_mode)
+{
+ return set_key(oldpw, newpw, enc_mode, UPDATE_HW_DISK_ENC_KEY);
+}
+
+unsigned int is_hw_disk_encryption(const char* encryption_mode)
+{
+ int ret = 0;
+ if(encryption_mode) {
+ if (!strcmp(encryption_mode, "aes-xts")) {
+ SLOGD("HW based disk encryption is enabled \n");
+ ret = 1;
+ }
+ }
+ return ret;
+}
+
+int is_ice_enabled(void)
+{
+ char prop_storage[PATH_MAX];
+ int storage_type = 0;
+ int fd;
+
+ if (property_get("ro.boot.bootdevice", prop_storage, "")) {
+ if (strstr(prop_storage, "ufs")) {
+ /* All UFS based devices has ICE in it. So we dont need
+ * to check if corresponding device exists or not
+ */
+ storage_type = QTI_ICE_STORAGE_UFS;
+ } else if (strstr(prop_storage, "sdhc")) {
+ if (access("/dev/icesdcc", F_OK) != -1)
+ storage_type = QTI_ICE_STORAGE_SDCC;
+ }
+ }
+ return storage_type;
+}
+
+int clear_hw_device_encryption_key()
+{
+ return cryptfs_hw_wipe_key(map_usage(CRYPTFS_HW_KM_USAGE_DISK_ENCRYPTION));
+}
+
+static int get_keymaster_version()
+{
+ int rc = -1;
+ const hw_module_t* mod;
+ rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod);
+ if (rc) {
+ SLOGE("could not find any keystore module");
+ return rc;
+ }
+
+ return mod->module_api_version;
+}
+
+int should_use_keymaster()
+{
+ /*
+ * HW FDE key should be tied to keymaster
+ */
+ return 1;
+}
diff --git a/cryptfs_hw.h b/cryptfs_hw.h
new file mode 100644
index 0000000..e857c47
--- /dev/null
+++ b/cryptfs_hw.h
@@ -0,0 +1,46 @@
+/* Copyright (c) 2014, The Linux Foundation. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following
+ * disclaimer in the documentation and/or other materials provided
+ * with the distribution.
+ * * Neither the name of The Linux Foundation nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
+ * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN
+ * IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __CRYPTFS_HW_H_
+#define __CRYPTFS_HW_H_
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+int set_hw_device_encryption_key(const char*, const char*);
+int update_hw_device_encryption_key(const char*, const char*, const char*);
+int clear_hw_device_encryption_key();
+unsigned int is_hw_disk_encryption(const char*);
+int is_ice_enabled(void);
+int should_use_keymaster();
+
+#ifdef __cplusplus
+}
+#endif
+#endif