diff options
| author | TreeHugger Robot <treehugger-gerrit@google.com> | 2018-03-30 20:54:43 +0000 |
|---|---|---|
| committer | Android (Google) Code Review <android-gerrit@google.com> | 2018-03-30 20:54:43 +0000 |
| commit | 8c2705f568fffc69a6b22707d49771dac627f75c (patch) | |
| tree | e85d1375977b5ae8d1b12aa7dd44af7c1870f2b4 | |
| parent | b659e39bceee394ae5d51cf3725e7d37fad7b55e (diff) | |
| parent | 6a0fa62dc71157f85b24ed15e39ada277f9b5201 (diff) | |
| download | extras-8c2705f568fffc69a6b22707d49771dac627f75c.tar.gz | |
Merge "Support Speck encryption." into pi-dev
| -rw-r--r-- | ext4_utils/ext4_crypt.cpp | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/ext4_utils/ext4_crypt.cpp b/ext4_utils/ext4_crypt.cpp index 6540e514..f392046a 100644 --- a/ext4_utils/ext4_crypt.cpp +++ b/ext4_utils/ext4_crypt.cpp @@ -48,6 +48,8 @@ struct ext4_encryption_policy { #define EXT4_ENCRYPTION_MODE_AES_256_XTS 1 #define EXT4_ENCRYPTION_MODE_AES_256_CTS 4 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_XTS 7 +#define EXT4_ENCRYPTION_MODE_SPECK128_256_CTS 8 #define EXT4_ENCRYPTION_MODE_AES_256_HEH 126 #define EXT4_ENCRYPTION_MODE_PRIVATE 127 @@ -109,18 +111,15 @@ static bool is_dir_empty(const char *dirname, bool *is_empty) } static uint8_t e4crypt_get_policy_flags(int filenames_encryption_mode) { - - // With HEH, pad filenames with zeroes to the next 16-byte boundary. This - // is not required, but it's more secure (helps hide the length of - // filenames), makes the inputs evenly divisible into blocks which is more - // efficient for encryption and decryption, and we had the opportunity to - // make a breaking change when introducing a new mode anyway. - if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_HEH) { - return EXT4_POLICY_FLAGS_PAD_16; + if (filenames_encryption_mode == EXT4_ENCRYPTION_MODE_AES_256_CTS) { + // Use legacy padding with our original filenames encryption mode. + return EXT4_POLICY_FLAGS_PAD_4; } - - // Default flags (4-byte padding) for CTS - return EXT4_POLICY_FLAGS_PAD_4; + // With a new mode we can use the better padding flag without breaking existing devices: pad + // filenames with zeroes to the next 16-byte boundary. This is more secure (helps hide the + // length of filenames) and makes the inputs evenly divisible into blocks which is more + // efficient for encryption and decryption. + return EXT4_POLICY_FLAGS_PAD_16; } static bool e4crypt_policy_set(const char *directory, const char *policy, @@ -234,6 +233,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(contents_encryption_mode, "software") || !strcmp(contents_encryption_mode, "aes-256-xts")) { contents_mode = EXT4_ENCRYPTION_MODE_AES_256_XTS; + } else if (!strcmp(contents_encryption_mode, "speck128/256-xts")) { + contents_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_XTS; } else if (!strcmp(contents_encryption_mode, "ice")) { contents_mode = EXT4_ENCRYPTION_MODE_PRIVATE; } else { @@ -244,6 +245,8 @@ int e4crypt_policy_ensure(const char *directory, const char *policy, if (!strcmp(filenames_encryption_mode, "aes-256-cts")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_CTS; + } else if (!strcmp(filenames_encryption_mode, "speck128/256-cts")) { + filenames_mode = EXT4_ENCRYPTION_MODE_SPECK128_256_CTS; } else if (!strcmp(filenames_encryption_mode, "aes-256-heh")) { filenames_mode = EXT4_ENCRYPTION_MODE_AES_256_HEH; } else { |