diff options
| author | Paul Crowley <paulcrowley@google.com> | 2018-03-30 09:42:04 -0700 |
|---|---|---|
| committer | Paul Crowley <paulcrowley@google.com> | 2018-03-30 10:47:13 -0700 |
| commit | 6a0fa62dc71157f85b24ed15e39ada277f9b5201 (patch) | |
| tree | 1896fea442684429f7f6326097379de1c0a25eab | |
| parent | 2a7b571d3216c83d025e47d6553be25a9159dd27 (diff) | |
| download | extras-6a0fa62dc71157f85b24ed15e39ada277f9b5201.tar.gz | |
Support Speck encryption.
Test: Modified Pixel to support and use Speck encryption, booted.
Bug: 77227248
Change-Id: I1efc54b60e074265914fde764ab4b85798128d67
Merged-In: I1efc54b60e074265914fde764ab4b85798128d67
| -rw-r--r-- | ext4_utils/ext4_crypt.cpp | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/ext4_utils/ext4_crypt.cpp b/ext4_utils/ext4_crypt.cpp index 6540e514..f392046a 100644 --- a/ext4_utils/ext4_crypt.cpp +++ b/ext4_utils/ext4_crypt.cpp @@ -48,6 +48,8 @@ struct ext4_encryption_policy { #define EXT4_ENCRYPTION_MODE_AES_256_XTS 1 #define EXT4_ENCRYPTION_MODE_AES_256_CTS 4 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_XTS 7 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_CTS 8 #define EXT4_ENCRYPTION_MODE_AES_256_HEH 126 #define EXT4_ENCRYPTION_MODE_PRIVATE 127 @@ -109,18 +111,15 @@ static bool is_dir_empty(const char *dirname, bool *is_empty) } static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) { - - // With HEH, pad filenames with zeroes to the next 16-byte boundary. This - // is not required, but it's more secure (helps hide the length of - // filenames), makes the inputs evenly divisible into blocks which is more - // efficient for encryption and decryption, and we had the opportunity to - // make a breaking change when introducing a new mode anyway. - if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_HEH) { - return EXT4_POLICY_FLAGS_PAD_16; + if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_CTS) { + // Use legacy padding with our original filenames encryption mode. + return EXT4_POLICY_FLAGS_PAD_4; } - - // Default flags (4-byte padding) for CTS - return EXT4_POLICY_FLAGS_PAD_4; + // With a new mode we can use the better padding flag without breaking existing devices: pad + // filenames with zeroes to the next 16-byte boundary. This is more secure (helps hide the + // length of filenames) and makes the inputs evenly divisible into blocks which is more + // efficient for encryption and decryption. + return EXT4_POLICY_FLAGS_PAD_16; } static bool e4crypt_policy_set(const char *directory, const char *policy, @@ -234,6 +233,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(contents_encryption_mode, "software") || !strcmp(contents_encryption_mode, "aes-256-xts")) { contents_mode = EXT4_ENCRYPTION_MODE_AES_256_XTS; + } else if (!strcmp(contents_encryption_mode, "speck128/256-xts")) { + contents_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_XTS; } else if (!strcmp(contents_encryption_mode, "ice")) { contents_mode = EXT4_ENCRYPTION_MODE_PRIVATE; } else { @@ -244,6 +245,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(filenames_encryption_mode, "aes-256-cts")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_CTS; + } else if (!strcmp(filenames_encryption_mode, "speck128/256-cts")) { + filenames_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_CTS; } else if (!strcmp(filenames_encryption_mode, "aes-256-heh")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_HEH; } else { |