| Commit message | Author | Age | Files | Lines |
fs_mgr dependency"
* commit '959de99af47dec9ed7a3499ce57e4097be399d7d':
Add dependency on libsquashfs_utils due to fs_mgr dependency
Change-Id: I894d18c2086a6532194f478853a9837eb4b6fc09
Signed-off-by: Mohamad Ayyash <mkayyash@google.com>
Bug: 19993667
Change-Id: I1f6519655c5a366eca25e2329e1bf95d81b3bf8c
This adds support for private volumes which is just a filesystem
wrapped in a dm-crypt layer. For now we're using the exact same
configuration as internal encryption (aes-cbc-essiv:sha256), but we
don't store any key material on the removable media. Instead, we
store the key on internal storage, and use the GPT partition GUID
to identify which key should be used.

This means that private external storage is effectively as secure as
the internal storage of the device. That is, if the internal storage
is encrypted, then our external storage key is also encrypted.

When partitioning disks, we now support a "private" mode which has
a PrivateVolume partition, and a currently unused 16MB metadata
partition reserved for future use. It also supports a "mixed" mode
which creates both a PublicVolume and PrivateVolume on the same
disk. Mixed mode is currently experimental.

For now, just add ext4 support to PrivateVolume; we'll look at f2fs
in a future change. Add VolumeBase lifecycle for setting up crypto
mappings, and extract blkid logic into shared method. Sprinkle some
more "static" around the cryptfs code to improve invariants.

Bug: 19993667
Change-Id: Ibd1df6250735b706959a1eb9d9f7219ea85912a0
Change-Id: I23b1281a63031a7481ea7b33c9ddbdbe7d3d6174
This is the first in a series of changes that are designed to
introduce better support for dynamic block devices.

It starts by defining a new Volume object which represents a storage
endpoint that knows how to mount, unmount, and format itself. This
could be a filesystem directly on a partition, or it could be an
emulated FUSE filesystem, an ASEC, or an OBB.

These new volumes can be "stacked" so that unmounting a volume will
also unmount any volumes stacked above it. Volumes that provide
shared storage can also be asked to present themselves (through bind
mounts) into user-specific mount areas.

This change also adds a Disk class which is created based on block
kernel netlink events. Instead of waiting for partition events from
the kernel, it uses gptfdisk to read partition details and creates
the relevant Volume objects.

Change-Id: I0e8bc1f8f9dcb24405f5e795c0658998e22ae2f7
* commit '269702997153cdf92c65cfee277c76afed44e9e5':
Remove superfluous OpenSSL include paths.
The libcrypto and libssl modules (and their respective static and host
versions) use LOCAL_EXPORT_C_INCLUDE_DIRS, thus just including the module
is sufficient.

Additionally, cryptfs.h was including an OpenSSL header just to get the
length of a SHA-256 hash. Rather than force all users of this header to
also depend on libcrypto, it's easier just to define that value in the
header file.

Change-Id: I3e3e0db906a212e1093944b298e4a8ff2e2fb07d
Change-Id: Ie5ef819dd8168cb6a73f84a881a92c116705fffc
Since the dm_ioctl struct was being allocated on the stack as a large
character array, it was getting character alignment rather than the
proper alignment for the struct. GCC had been getting away with this
so far, but it's undefined behavior that clang managed to expose.

Bug: 18736778
Change-Id: Ied275dfad7fcc41d712b2d02c8a185f499221f57
Change-Id: If504710a618d8c3adf85297d5fd2909558ed57a3
-Wno-missing-field-initializers is used as well, but that is an
overzealous warning from initializing structs with {0} and not a
real warning.

Bug: 18736778 and 16868177
Change-Id: Iffde89cd7200d9a11193e1614f1819f9fcace30a
* commit 'a20bb17e4c6095a77425418d7eb0c1ceb50d05f7':
Move vold to GCC.
It looks like clang might have a miscompile that is causing SIGBUS in
`ioctl_init` when the device is encrypted. Move back to GCC until we
can sort this out.

Bug: 18736778
Change-Id: I21ae3b9d7d9ebff8679ecc1a828b7c59f27d0903
Change-Id: Ie873baff626fe786515497f2e81aa9db2329168d
Currently Android provides disk encryption support using dm-crypt,
which is based on bios. dm-crypt uses a 512-byte packet size for
crypto operations. While a 512-byte packet is OK for SW-based
disk encryption, it is inefficient for HW-based crypto engines.
dm-req-crypt is similar to dm-crypt except it uses block requests
rather than bios for crypto operations. Block requests, when unpacked,
carry data up to 512KB. Hence, a HW-based crypto engine can be used
more efficiently.

Also move disk encryption key creation before framework start, as
HW-based disk encryption creates the key on the secure side. Key creation
can take some time to create the key securely. If the framework is
started before the key is created, it is possible that the framework
requests service from the secure side. The secure side can serve mostly one
request at a time. The secure side may reject the framework request if the key
creation request is still going on. This may cause problems in the
system.

b/17475056 Enable hardware crypto for userdata encryption

Change-Id: I5480ab72a37c02532218a18faaba598a824589fd
Signed-off-by: Iliyan Malchev <malchev@google.com>
* commit '36859212614fd112e08dcf92065ee6db910769bb':
Move vold to libc++.
Bug: 15193147
Change-Id: Ib868f1ed8145ca5cbfdb4cd60ed0c47a6182ac62
* commit '460a93a6d4d01bf0efa83acea0c84b4d43ab23c9':
Move vold to clang so ASAN_ALL works.
ASAN_ALL uses ASAN for anything built with clang. Since some of vold's
dependencies use clang, they will have unresolved ASAN symbols unless
vold is also built with clang. There's no harm in just moving this
project to clang.

Change-Id: Ia6f412beb7bf092121bff2a5a980531636adcdb9
Change-Id: I224499833777ef80d85c1199f475f5ed1568d053
Don't manually include stlport, and don't use private bionic headers.
Change-Id: I44dd212fdd5874e625890c548e9d7bf3a9c27912
This reverts commit a70abc60091aed3c3eaf8bc8e1766e233c1c3a2f.
Change-Id: Ic41d1924638586cf9b2297f91ed5417f3b0303c6
This reverts commit 74c01201dec12b5de43ba0f20a2f38e835cd00af.
Change-Id: Ib397a2b5812179ee2e2b68de5d718077563adc1c
Bug: 15749466
Change-Id: I25452a05e1cbe90ac6603a89db9b720c7ab17e55
Signed-off-by: Daniel Rosenberg <drosen@google.com>
Use keymaster to wrap the cryptfs keys.

Requires selinux change
https://googleplex-android-review.git.corp.google.com/#/c/449411

Bug: 9467042
Change-Id: If25a01cb85ed193a271d61382de0560d85553b7e
Stop encryption when battery is low, mark position, and continue on reboot.

Note - support for multiple encrypted volumes removed as no devices seem
to exist with an fstab that uses this feature. If you want support for such
a device, contact me and we will re-add it with appropriate testing.

Bug: 13284213
Change-Id: I1f7178e4f7dd8ea816cbc03ab5c4f6543e98acaa
containers."
* commit 'ca3593df3d48cb4b51acf89e6df4872b922fd51d':
Add SELinux restorecon calls on ASEC containers.
This will allow fine-grained labeling of the
contents of ASEC containers. Some of the contents
need to be world readable and thus should be
distinguishable in policy.

Change-Id: Iefee74214d664acd262edecbb4f981d633ff96ce
Signed-off-by: rpcraig <rpcraig@tycho.ncsc.mil>
* commit '8328e8150f4e7b785785754f2d44794e7bab3577':
vold: remove $(KERNEL_HEADERS) from include path
The kernel headers are already in the include path, and manually
adding them again will break on a multiarch build, where the
kernel headers may be different for each arch.

Change-Id: Ifb11fa7bdff6b317c44258968244313b7039a9e1
volumes." into klp-dev
* commit 'f4a8c0b9f646cd9fa51fe3746bc8a00bb987124b':
Extract UUID and label from inserted volumes.
Uses "blkid" tool to extract metadata from an inserted volume, and
reports it up to the framework. This needs to happen in vold, since
only the FUSE-wrapped volume is visible to userspace.

Remove autorun sanitization, since FUSE takes care of this now.

Bug: 11175082
Change-Id: Ie69b38011ad6011bfb50e40d4f35a29e02150c19
This code appears to be unused. Delete it.

This is essentially a revert of 2350c44ff39b4cb2940893964a05f778fc80a436.

Change-Id: I20a525bb49f6ee8fec8c1ec22e01ad47d0c72960
A quick fix to a broken build resulted in using a static library
to build vold when a shared library was available. This fixes
that.

Bug: 10332978
Change-Id: I31c2b4a87c7b37647e71f7f3c93b0d64dd52da44
This accommodates verity changes, which now utilize these libraries.

Change-Id: I1ff8c012e972e245cf3e4bc3a02bef0989165d75
scrypt is a sequential memory-hard key derivation algorithm that makes
it more difficult for adversaries to brute force passwords using
specialized equipment. See http://www.tarsnap.com/scrypt/scrypt.pdf for
more details of the algorithm.

This adds support for initializing disk encryption using scrypt and
upgrading from the previous PBKDF2 algorithm.

Change-Id: I1d26db4eb9d27fea7310be3e49c8e6219e6d2c3b
The new wipe option to the vold format command will invoke BLKDISCARD
on the partition before invoking newfs_msdos. This will be used whenever
a full wipe of the device is wanted, as this is more secure than just
doing newfs_msdos.

Bug: 9392982
Change-Id: Ie106f1b9cc70abc61206006d1821641c27c7ccae
Bug: 8580410
Change-Id: I1a59b45c87cd901b3de52540ad7b670c42ffcbd5
The fstrim subsystem implements the dotrim command, which goes
through all the writable filesystems on the device, and invokes
the FITRIM ioctl() on them. This marks all the unused blocks on
the underlying flash device as unused, so the device performs better.

Change-Id: I5fc8c2f60e0bc823f162d0f89580fb288ecb2160
Use liblogwrap to provide logwrapper functionality instead of
using vold's own implementation.

Change-Id: I76aac5aa72a1fdca043a63b86c6a9b54e7abec16
The new filesystem manager is in charge of mounting the block devices now,
removing much of the knowledge from init.<device>.rc. This also lets us
clean up some init code dealing with encryption, so this change updates
vold to work with that. More cleanup is possible, but the main goal of the
filesystem manager was to enable e2fsck, not a full cleanup of encryption.

Change-Id: I00ea80a923d14770ed8fdd190e8840be195f8514
Now forward locked applications will be in ASEC containers both internal
to the system and externally.

This change adds support for putting applications in ext4-based ASECs.

Change-Id: I8d6765b72dd2606e429c067b47a2dbcaa8bef37d
Stop format string bugs from creeping into root level processes.

Change-Id: Ifa19ac0cacba76392040ab16cebe557b5b016706
Bug: 5010576
Change-Id: I7e531101ae057fb059d7d56c99433c4d66e866dc
The Progress bar UI grabs a full wakelock when encrypting, but we've seen
a case where it looks like the progress bar UI crashes, and the wakelock is
lost, and then all hell breaks loose. The enablecrypto command has a lot of
work to do, and it will take some time, so it should grab a wakelock to
ensure it can finish without being interrupted and put to sleep.

It grabs a partial wake lock, as it doesn't need the screen to be on to do
its work. If the UI wants to keep it on, it should also grab a full wakelock,
which it does. If the UI crashes, the screen may turn off, but the encryption
will keep going, and vold will reboot the device when it's done.

Change-Id: I51d3a72b8c77383044a3facb1604c1ee510733ae
proper errors

If the already existing filesystem encompasses the entire /data partition
and does not leave the last 16 Kbytes for the crypto footer, refuse to
encrypt in place and return an error. This is only an issue for folks
with early development systems trying to encrypt an old /data. This should
not be seen in released devices.

Also, if there is an error, try to report back to the UI what the error was
so it can deal with it.

Change-Id: If66781a4fe03034c96c3dd12075240deb8663db0
There are still a few hacks and performance issues related
to shutting down the framework in this code, but it is
functional and tested. Without the UI changes, it requires
cryptic adb shell commands to enable, which I shall not
utter here.

Change-Id: I0b8f90afd707e17fbdb0373d156236946633cf8b
Hash was printed using snprintf(), but we can just write yet another hex
conversion utility!

Change-Id: I04f1992deaf5bf1b3e2751c8f07072f8ed6660e9
Change-Id: I9b84370fa9a98464c211ebe8983be8dbe9dd7ccd