diff --git a/FsCrypt.cpp b/FsCrypt.cpp index 9666b6e4..08bda3fe 100644 --- a/FsCrypt.cpp +++ b/FsCrypt.cpp @@ -697,16 +697,26 @@ static bool evict_user_keys(std::map& policy_map, userid return success; } +bool fscrypt_destroy_system_key() { + bool res = android::vold::destroyKey(device_key_path); + if (android::vold::pathExists(device_key_temp)) { + res &= android::vold::destroyKey(device_key_temp); + } + return res; +} + // Evicts and destroys all CE and DE keys for a user. This is called when the user is removed. -bool fscrypt_destroy_user_keys(userid_t user_id) { +bool fscrypt_destroy_user_keys(userid_t user_id, bool evict) { LOG(DEBUG) << "fscrypt_destroy_user_keys(" << user_id << ")"; if (!IsFbeEnabled()) { return true; } bool success = true; - success &= evict_user_keys(s_ce_policies, user_id); - success &= evict_user_keys(s_de_policies, user_id); + if (evict) { + success &= evict_user_keys(s_ce_policies, user_id); + success &= evict_user_keys(s_de_policies, user_id); + } if (!s_ephemeral_users.erase(user_id)) { auto ce_path = get_ce_key_directory_path(user_id); diff --git a/FsCrypt.h b/FsCrypt.h index be21fba2..3d19efb4 100644 --- a/FsCrypt.h +++ b/FsCrypt.h @@ -24,8 +24,9 @@ bool fscrypt_initialize_systemwide_keys(); bool fscrypt_init_user0(); extern bool fscrypt_init_user0_done; bool fscrypt_create_user_keys(userid_t user_id, bool ephemeral); -bool fscrypt_destroy_user_keys(userid_t user_id); +bool fscrypt_destroy_user_keys(userid_t user_id, bool evict); bool fscrypt_set_ce_key_protection(userid_t user_id, const std::vector& secret); +bool fscrypt_destroy_system_key(); void fscrypt_deferred_fixate_ce_keys(); std::vector fscrypt_get_unlocked_users(); diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp index 2fa0cff0..99d173dd 100644 --- a/MetadataCrypt.cpp +++ b/MetadataCrypt.cpp 
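Review bot: In FsCrypt.cpp, the comment above `fscrypt_destroy_user_keys` still says the function evicts and destroys the keys, but with `evict == false` both `evict_user_keys` calls are skipped, so the user's CE and DE keys presumably stay installed and the data stays readable until something else evicts them or the device reboots. The comment should say so, e.g. `// Destroys all CE and DE keys for a user; evicts them first only when |evict| is true.`, and the debug line should record the flag: `LOG(DEBUG) << "fscrypt_destroy_user_keys(" << user_id << ", evict=" << evict << ")";`. The new `fscrypt_destroy_system_key` deletes the device key with no comment and no log line, which makes an irreversible operation hard to reconstruct afterwards; a one-line `LOG(WARNING)` before the first `destroyKey` call would help. The body of `fscrypt_destroy_user_keys` continues past the end of the hunk.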
@@ -483,5 +483,18 @@ bool destroy_dsu_metadata_key(const std::string& dsu_slot) { return android::vold::DeleteDirContentsAndDir(dsu_metadata_key_dir) == android::OK; } +bool destroy_mountpoint_metadata_key(const std::string& path) { + auto rec = GetEntryForMountPoint(&fstab_default, path); + if (rec == nullptr) { + return false; + } + bool res = android::vold::destroyKey(rec->metadata_key_dir + "/key"); + auto tmp_path = rec->metadata_key_dir + "/tmp"; + if (pathExists(tmp_path)) { + res &= android::vold::destroyKey(tmp_path); + } + return res; +} + } // namespace vold } // namespace android diff --git a/MetadataCrypt.h b/MetadataCrypt.h index 6c462371..16ccf46d 100644 --- a/MetadataCrypt.h +++ b/MetadataCrypt.h @@ -39,6 +39,7 @@ bool defaultkey_setup_ext_volume(const std::string& label, const std::string& bl std::string* out_crypto_blkdev); bool destroy_dsu_metadata_key(const std::string& dsu_slot); +bool destroy_mountpoint_metadata_key(const std::string& path); } // namespace vold } // namespace android diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp index aa9d842d..8caa8170 100644 --- a/VoldNativeService.cpp +++ b/VoldNativeService.cpp @@ -141,6 +141,27 @@ status_t VoldNativeService::dump(int fd, const Vector& /* args */) { return NO_ERROR; } +binder::Status VoldNativeService::checkNonCeStorageKeys(std::vector* _aidl_return) { + ENFORCE_SYSTEM_OR_ROOT; + + const char *dirs[] = { + "/data/misc/vold/user_keys/de/0", + "/data/unencrypted/key", + "/metadata/vold/metadata_encryption/key", + }; + + std::vector res; + + for (const char *dir : dirs) { + android::vold::KeyBuffer key_buffer; + if (android::vold::retrieveKey(dir, android::vold::kEmptyAuthentication, &key_buffer)) { + res.push_back(std::string(dir)); + } + } + *_aidl_return = res; + return Ok(); +} + binder::Status VoldNativeService::setListener( const android::sp& listener) { ENFORCE_SYSTEM_OR_ROOT; 
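Review bot: In MetadataCrypt.cpp, `destroy_mountpoint_metadata_key` checks that an fstab entry exists but not that the entry has a metadata key directory. If `rec->metadata_key_dir` is empty (an entry without metadata encryption, assuming the field is a string that defaults to empty), the function goes on to call `destroyKey("/key")` and, when `/tmp` exists, `destroyKey("/tmp")`. Rejecting that case up front keeps the destructive call confined to real key directories: `if (rec == nullptr || rec->metadata_key_dir.empty()) return false;`. A short comment stating that the key cannot be recovered afterwards would also help the next reader.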
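Review bot: In VoldNativeService.cpp, `checkNonCeStorageKeys` calls `retrieveKey` on three key directories without `ACQUIRE_CRYPT_LOCK`, while the key-destroying binder methods added in this same commit do take that lock, so the probe can run concurrently with a key being destroyed. Adding `ACQUIRE_CRYPT_LOCK;` right after `ENFORCE_SYSTEM_OR_ROOT;` would serialise it with them. The check also loads each key into a `KeyBuffer` only to learn whether retrieval succeeds; if presence is all the caller needs, an existence test would avoid holding key material in memory. The three paths are hard-coded here although FsCrypt.cpp already refers to `device_key_path`, so a comment naming the constants they must match would keep them from drifting apart.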
@@ -669,7 +690,14 @@ binder::Status VoldNativeService::destroyUserStorageKeys(int32_t userId) { ENFORCE_SYSTEM_OR_ROOT; ACQUIRE_CRYPT_LOCK; - return translateBool(fscrypt_destroy_user_keys(userId)); + return translateBool(fscrypt_destroy_user_keys(userId, true)); +} + +binder::Status VoldNativeService::destroyUserStorageKeys2(int32_t userId, bool evict) { + ENFORCE_SYSTEM_OR_ROOT; + ACQUIRE_CRYPT_LOCK; + + return translateBool(fscrypt_destroy_user_keys(userId, evict)); } binder::Status VoldNativeService::setCeStorageProtection(int32_t userId, @@ -990,6 +1018,20 @@ binder::Status VoldNativeService::destroyDsuMetadataKey(const std::string& dsuSl return translateBool(destroy_dsu_metadata_key(dsuSlot)); } +binder::Status VoldNativeService::destroyMetadataKey(const std::string& mountPointPath) { + ENFORCE_SYSTEM_OR_ROOT; + ACQUIRE_CRYPT_LOCK; + + return translateBool(destroy_mountpoint_metadata_key(mountPointPath)); +} + +binder::Status VoldNativeService::destroySystemStorageKey() { + ENFORCE_SYSTEM_OR_ROOT; + ACQUIRE_CRYPT_LOCK; + + return translateBool(fscrypt_destroy_system_key()); +} + binder::Status VoldNativeService::getStorageSize(int64_t* storageSize) { ENFORCE_SYSTEM_OR_ROOT; return translate(GetStorageSize(storageSize)); diff --git a/VoldNativeService.h b/VoldNativeService.h index 2d0613c0..d1b9eaee 100644 --- a/VoldNativeService.h +++ b/VoldNativeService.h @@ -117,6 +117,7 @@ class VoldNativeService : public BinderService, public os::Bn binder::Status createUserStorageKeys(int32_t userId, bool ephemeral); binder::Status destroyUserStorageKeys(int32_t userId); + binder::Status destroyUserStorageKeys2(int32_t userId, bool evict); binder::Status setCeStorageProtection(int32_t userId, const std::vector& secret); 
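Review bot: In the third VoldNativeService.cpp hunk, `destroyMetadataKey` forwards the caller-supplied `mountPointPath` to `destroy_mountpoint_metadata_key` with no validation, and neither it nor `destroySystemStorageKey` logs that an irreversible key destruction was requested. Upstream vold validates path arguments in this file with `CHECK_ARGUMENT_PATH`; if that macro is present in this tree, `CHECK_ARGUMENT_PATH(mountPointPath);` belongs after `ENFORCE_SYSTEM_OR_ROOT;`. A line such as `LOG(WARNING) << "destroyMetadataKey(" << mountPointPath << ")";` in each method, placed before the destroy call, would leave an audit trail for incident review.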
@@ -171,6 +172,10 @@ class VoldNativeService : public BinderService, public os::Bn binder::Status setWriteBoosterBufferFlush(bool enable, bool* _aidl_return); binder::Status setWriteBoosterBufferOn(bool enable, bool* _aidl_return); binder::Status getWriteBoosterLifeTimeEstimate(int32_t* _aidl_return); + + binder::Status checkNonCeStorageKeys(std::vector* _aidl_return) override; + binder::Status destroyMetadataKey(const std::string& mountPointPath) override; + binder::Status destroySystemStorageKey() override; }; } // namespace vold diff --git a/VolumeManager.cpp b/VolumeManager.cpp index 9846e12a..2642c96e 100644 --- a/VolumeManager.cpp +++ b/VolumeManager.cpp @@ -147,7 +147,7 @@ int VolumeManager::updateVirtualDisk() { auto disk = new android::vold::Disk( "virtual", buf.st_rdev, "virtual", - android::vold::Disk::Flags::kAdoptable | android::vold::Disk::Flags::kSd); + android::vold::Disk::Flags::kSd); mVirtualDisk = std::shared_ptr(disk); handleDiskAdded(mVirtualDisk); } diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl index 15213ea9..699c292b 100644 --- a/binder/android/os/IVold.aidl +++ b/binder/android/os/IVold.aidl @@ -90,6 +90,7 @@ interface IVold { void createUserStorageKeys(int userId, boolean ephemeral); void destroyUserStorageKeys(int userId); + void destroyUserStorageKeys2(int userId, boolean evict); void setCeStorageProtection(int userId, in byte[] secret); @@ -135,6 +136,8 @@ interface IVold { void bindMount(@utf8InCpp String sourceDir, @utf8InCpp String targetDir); void destroyDsuMetadataKey(@utf8InCpp String dsuSlot); + void destroyMetadataKey(@utf8InCpp String mountPointPath); + void destroySystemStorageKey(); long getStorageSize(); @@ -149,6 +152,8 @@ interface IVold { boolean setWriteBoosterBufferOn(boolean enable); int getWriteBoosterLifeTimeEstimate(); + @utf8InCpp String[] checkNonCeStorageKeys(); + const int FSTRIM_FLAG_DEEP_TRIM = 1; const int MOUNT_FLAG_PRIMARY = 1; 
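Review bot: In IVold.aidl, `destroyUserStorageKeys2`, `destroyMetadataKey` and `destroySystemStorageKey` are inserted in the middle of the interface. If the interface relies on implicit transaction codes, which are assigned by declaration order, every method declared after them is renumbered, and a client built against the old file would invoke a different method than it intended; that matters more now that some methods destroy keys. Appending the new methods after the last existing one, as was done for `checkNonCeStorageKeys`, keeps the existing codes stable; otherwise confirm that vold and every IVold client are always built and shipped together. The new methods also carry no comments; each destructive one deserves a line such as `/** Irreversibly deletes the metadata encryption key of the given mount point. */`.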
diff --git a/main.cpp b/main.cpp index bdce76ed..8bcc3f9a 100644 --- a/main.cpp +++ b/main.cpp @@ -278,8 +278,6 @@ static int process_config(VolumeManager* vm, VoldConfigs* configs) { int flags = 0; if (entry.is_encryptable()) { - flags |= android::vold::Disk::Flags::kAdoptable; - configs->has_adoptable = true; } if (entry.fs_mgr_flags.no_emulated_sd || android::base::GetBoolProperty("vold.debug.default_primary", false)) { diff --git a/model/Disk.h b/model/Disk.h index 8c75f59b..39409afb 100644 --- a/model/Disk.h +++ b/model/Disk.h @@ -42,8 +42,6 @@ class Disk { virtual ~Disk(); enum Flags { - /* Flag that disk is adoptable */ - kAdoptable = 1 << 0, /* Flag that disk is considered primary when the user hasn't * explicitly picked a primary storage location */ kDefaultPrimary = 1 << 1,