authorBarani Muthukumaran <quic_bmuthuku@quicinc.com>2020-01-23 17:40:01 -0800
committerPaul Crowley <paulcrowley@google.com>2020-02-03 18:48:02 +0000
commit35602670ea2ee023788d5ad2a8adfe6fcd5286d1 (patch)
treed8442ac49504bcee4798458918e6258f6647dd5a /libfscrypt
parent18f8a1a981a5aeac889b80f52e83e171d9db3781 (diff)
downloadextras-35602670ea2ee023788d5ad2a8adfe6fcd5286d1.tar.gz
libfscrypt: Support hardware wrapped keys
Some inline encryption hardware supports protecting file based encryption keys in hardware without software having access to or ability to set plaintext keys. New fileencryption fstab flag 'wrappedkey_v0' is added to support such hardware. libfscrypt parses the flag and adds it to EncryptionOptions, allowing vold to determine the status. Test: FBE validation with Fscrypt v2 + inline crypt + wrapped key changes kernel. Bug: 147733587 Change-Id: I9fb2b2d6e510a5316976d7698e26a1aae1548ce6
Diffstat (limited to 'libfscrypt')
-rw-r--r--libfscrypt/fscrypt.cpp13
-rw-r--r--libfscrypt/include/fscrypt/fscrypt.h1
2 files changed, 13 insertions, 1 deletions
diff --git a/libfscrypt/fscrypt.cpp b/libfscrypt/fscrypt.cpp
index a1f1fc4c..9ea8cd33 100644
--- a/libfscrypt/fscrypt.cpp
+++ b/libfscrypt/fscrypt.cpp
@@ -131,6 +131,12 @@ static bool fscrypt_is_encrypted(int fd) {
return ioctl(fd, FS_IOC_GET_ENCRYPTION_POLICY, &policy) == 0 || errno == EINVAL;
}
+bool operator!=(const EncryptionOptions& lhs, const EncryptionOptions& rhs) {
+ return !((lhs.version == rhs.version) && (lhs.contents_mode == rhs.contents_mode) &&
+ (lhs.filenames_mode == rhs.filenames_mode) && (lhs.flags == rhs.flags) &&
+ (lhs.use_hw_wrapped_key == rhs.use_hw_wrapped_key));
+}
+
bool OptionsToString(const EncryptionOptions& options, std::string* options_string) {
std::string contents_mode, filenames_mode;
if (!LookupModeById(contents_modes, options.contents_mode, &contents_mode)) {
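Review bot: The hand-written field list in `operator!=` will silently ignore any member added to EncryptionOptions later, and the round-trip check in OptionsToString relies on it to catch a field that is not serialized. I would add a comment above it such as `// Must compare every field of EncryptionOptions; OptionsToString's round-trip check relies on this.` and define `operator==` with `operator!=` as its negation so the two cannot drift apart. The operator is defined at namespace scope in the .cpp and the fscrypt.h hunk in this commit shows no declaration, so if it is meant for this file only it could be `static`. OptionsToString's body continues outside the hunk.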
@@ -143,12 +149,15 @@ bool OptionsToString(const EncryptionOptions& options, std::string* options_stri
if ((options.flags & FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64)) {
*options_string += "+inlinecrypt_optimized";
}
+ if (options.use_hw_wrapped_key) {
+ *options_string += "+wrappedkey_v0";
+ }
EncryptionOptions options_check;
if (!ParseOptions(*options_string, &options_check)) {
LOG(ERROR) << "Internal error serializing options as string: " << *options_string;
return false;
}
- if (memcmp(&options, &options_check, sizeof(options_check)) != 0) {
+ if (options != options_check) {
LOG(ERROR) << "Internal error serializing options as string, round trip failed: "
<< *options_string;
return false;
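Review bot: The switch from `memcmp` to `options != options_check` deserves a one-line comment, because the reason is not obvious at the call site and a later cleanup could revert it. Something like `// Compare field by field: the struct likely has padding after the bool, and memcmp would compare those bytes too.` would do. The padding is inferred from the field types in the fscrypt.h hunk, not shown directly. OptionsToString begins and ends outside this hunk.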
@@ -187,6 +196,8 @@ bool ParseOptions(const std::string& options_string, EncryptionOptions* options)
options->version = 2;
} else if (flag == "inlinecrypt_optimized") {
options->flags |= FSCRYPT_POLICY_FLAG_IV_INO_LBLK_64;
+ } else if (flag == "wrappedkey_v0") {
+ options->use_hw_wrapped_key = true;
} else {
LOG(ERROR) << "Unknown flag: " << flag;
return false;
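Review bot: `use_hw_wrapped_key` is only ever assigned `true` in this branch, and the constructor visible in the fscrypt.h hunk initializes `version` alone, so its value when `wrappedkey_v0` is absent depends on ParseOptions clearing the struct before this loop, which is outside the hunk. If it does not, `options_check.use_hw_wrapped_key` is read uninitialized by the comparison in OptionsToString, and a caller could see wrapped-key mode reported for a policy that never requested it. A default member initializer in fscrypt.h, `bool use_hw_wrapped_key = false;`, makes the flag's default independent of how the struct is populated. ParseOptions starts and ends outside the hunk.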
diff --git a/libfscrypt/include/fscrypt/fscrypt.h b/libfscrypt/include/fscrypt/fscrypt.h
index ca051f4a..18fb4fc3 100644
--- a/libfscrypt/include/fscrypt/fscrypt.h
+++ b/libfscrypt/include/fscrypt/fscrypt.h
@@ -34,6 +34,7 @@ struct EncryptionOptions {
int contents_mode;
int filenames_mode;
int flags;
+ bool use_hw_wrapped_key;
// Ensure that "version" is not valid on creation and so must be explicitly set
EncryptionOptions() : version(0) {}