bp4a 12 03 01

FsCrypt.cpp

@@ -697,16 +697,26 @@ static bool evict_user_keys(std::map<userid_t, UserPolicies>& policy_map, userid
     return success;
 }
 
+bool fscrypt_destroy_system_key() {
+    bool res = android::vold::destroyKey(device_key_path);
+    if (android::vold::pathExists(device_key_temp)) {
+        res &= android::vold::destroyKey(device_key_temp);
+    }
+    return res;
+}
+
 // Evicts and destroys all CE and DE keys for a user.  This is called when the user is removed.
-bool fscrypt_destroy_user_keys(userid_t user_id) {
+bool fscrypt_destroy_user_keys(userid_t user_id, bool evict) {
     LOG(DEBUG) << "fscrypt_destroy_user_keys(" << user_id << ")";
     if (!IsFbeEnabled()) {
         return true;
     }
     bool success = true;
 
-    success &= evict_user_keys(s_ce_policies, user_id);
-    success &= evict_user_keys(s_de_policies, user_id);
+    if (evict) {
+        success &= evict_user_keys(s_ce_policies, user_id);
+        success &= evict_user_keys(s_de_policies, user_id);
+    }
 
     if (!s_ephemeral_users.erase(user_id)) {
         auto ce_path = get_ce_key_directory_path(user_id);

FsCrypt.h

@@ -24,8 +24,9 @@ bool fscrypt_initialize_systemwide_keys();
 bool fscrypt_init_user0();
 extern bool fscrypt_init_user0_done;
 bool fscrypt_create_user_keys(userid_t user_id, bool ephemeral);
-bool fscrypt_destroy_user_keys(userid_t user_id);
+bool fscrypt_destroy_user_keys(userid_t user_id, bool evict);
 bool fscrypt_set_ce_key_protection(userid_t user_id, const std::vector<uint8_t>& secret);
+bool fscrypt_destroy_system_key();
 void fscrypt_deferred_fixate_ce_keys();
 
 std::vector<int> fscrypt_get_unlocked_users();

MetadataCrypt.cpp

@@ -483,5 +483,18 @@ bool destroy_dsu_metadata_key(const std::string& dsu_slot) {
     return android::vold::DeleteDirContentsAndDir(dsu_metadata_key_dir) == android::OK;
 }
 
+bool destroy_mountpoint_metadata_key(const std::string& path) {
+    auto rec = GetEntryForMountPoint(&fstab_default, path);
+    if (rec == nullptr) {
+        return false;
+    }
+    bool res = android::vold::destroyKey(rec->metadata_key_dir + "/key");
+    auto tmp_path = rec->metadata_key_dir + "/tmp";
+    if (pathExists(tmp_path)) {
+        res &= android::vold::destroyKey(tmp_path);
+    }
+    return res;
+}
+
 }  // namespace vold
 }  // namespace android

MetadataCrypt.h

@@ -39,6 +39,7 @@ bool defaultkey_setup_ext_volume(const std::string& label, const std::string& bl
                                  std::string* out_crypto_blkdev);
 
 bool destroy_dsu_metadata_key(const std::string& dsu_slot);
+bool destroy_mountpoint_metadata_key(const std::string& path);
 
 }  // namespace vold
 }  // namespace android

VoldNativeService.cpp

@@ -141,6 +141,27 @@ status_t VoldNativeService::dump(int fd, const Vector<String16>& /* args */) {
     return NO_ERROR;
 }
 
+binder::Status VoldNativeService::checkNonCeStorageKeys(std::vector<std::string>* _aidl_return) {
+    ENFORCE_SYSTEM_OR_ROOT;
+
+    const char *dirs[] = {
+        "/data/misc/vold/user_keys/de/0",
+        "/data/unencrypted/key",
+        "/metadata/vold/metadata_encryption/key",
+    };
+
+    std::vector<std::string> res;
+
+    for (const char *dir : dirs) {
+        android::vold::KeyBuffer key_buffer;
+        if (android::vold::retrieveKey(dir, android::vold::kEmptyAuthentication, &key_buffer)) {
+            res.push_back(std::string(dir));
+        }
+    }
+    *_aidl_return = res;
+    return Ok();
+}
+
 binder::Status VoldNativeService::setListener(
         const android::sp<android::os::IVoldListener>& listener) {
     ENFORCE_SYSTEM_OR_ROOT;
@@ -669,7 +690,14 @@ binder::Status VoldNativeService::destroyUserStorageKeys(int32_t userId) {
     ENFORCE_SYSTEM_OR_ROOT;
     ACQUIRE_CRYPT_LOCK;
 
-    return translateBool(fscrypt_destroy_user_keys(userId));
+    return translateBool(fscrypt_destroy_user_keys(userId, true));
+}
+
+binder::Status VoldNativeService::destroyUserStorageKeys2(int32_t userId, bool evict) {
+    ENFORCE_SYSTEM_OR_ROOT;
+    ACQUIRE_CRYPT_LOCK;
+
+    return translateBool(fscrypt_destroy_user_keys(userId, evict));
 }
 
 binder::Status VoldNativeService::setCeStorageProtection(int32_t userId,
@@ -990,6 +1018,20 @@ binder::Status VoldNativeService::destroyDsuMetadataKey(const std::string& dsuSl
     return translateBool(destroy_dsu_metadata_key(dsuSlot));
 }
 
+binder::Status VoldNativeService::destroyMetadataKey(const std::string& mountPointPath) {
+    ENFORCE_SYSTEM_OR_ROOT;
+    ACQUIRE_CRYPT_LOCK;
+
+    return translateBool(destroy_mountpoint_metadata_key(mountPointPath));
+}
+
+binder::Status VoldNativeService::destroySystemStorageKey() {
+    ENFORCE_SYSTEM_OR_ROOT;
+    ACQUIRE_CRYPT_LOCK;
+
+    return translateBool(fscrypt_destroy_system_key());
+}
+
 binder::Status VoldNativeService::getStorageSize(int64_t* storageSize) {
     ENFORCE_SYSTEM_OR_ROOT;
     return translate(GetStorageSize(storageSize));

VoldNativeService.h

@@ -117,6 +117,7 @@ class VoldNativeService : public BinderService<VoldNativeService>, public os::Bn
 
     binder::Status createUserStorageKeys(int32_t userId, bool ephemeral);
     binder::Status destroyUserStorageKeys(int32_t userId);
+    binder::Status destroyUserStorageKeys2(int32_t userId, bool evict);
 
     binder::Status setCeStorageProtection(int32_t userId, const std::vector<uint8_t>& secret);
 
@@ -171,6 +172,10 @@ class VoldNativeService : public BinderService<VoldNativeService>, public os::Bn
     binder::Status setWriteBoosterBufferFlush(bool enable, bool* _aidl_return);
     binder::Status setWriteBoosterBufferOn(bool enable, bool* _aidl_return);
     binder::Status getWriteBoosterLifeTimeEstimate(int32_t* _aidl_return);
+
+    binder::Status checkNonCeStorageKeys(std::vector<std::string>* _aidl_return) override;
+    binder::Status destroyMetadataKey(const std::string& mountPointPath) override;
+    binder::Status destroySystemStorageKey() override;
 };
 
 }  // namespace vold

VolumeManager.cpp

@@ -147,7 +147,7 @@ int VolumeManager::updateVirtualDisk() {
 
             auto disk = new android::vold::Disk(
                 "virtual", buf.st_rdev, "virtual",
-                android::vold::Disk::Flags::kAdoptable | android::vold::Disk::Flags::kSd);
+                android::vold::Disk::Flags::kSd);
             mVirtualDisk = std::shared_ptr<android::vold::Disk>(disk);
             handleDiskAdded(mVirtualDisk);
         }

binder/android/os/IVold.aidl

@@ -90,6 +90,7 @@ interface IVold {
 
     void createUserStorageKeys(int userId, boolean ephemeral);
     void destroyUserStorageKeys(int userId);
+    void destroyUserStorageKeys2(int userId, boolean evict);
 
     void setCeStorageProtection(int userId, in byte[] secret);
 
@@ -135,6 +136,8 @@ interface IVold {
     void bindMount(@utf8InCpp String sourceDir, @utf8InCpp String targetDir);
 
     void destroyDsuMetadataKey(@utf8InCpp String dsuSlot);
+    void destroyMetadataKey(@utf8InCpp String mountPointPath);
+    void destroySystemStorageKey();
 
     long getStorageSize();
 
@@ -149,6 +152,8 @@ interface IVold {
     boolean setWriteBoosterBufferOn(boolean enable);
     int getWriteBoosterLifeTimeEstimate();
 
+    @utf8InCpp String[] checkNonCeStorageKeys();
+
     const int FSTRIM_FLAG_DEEP_TRIM = 1;
 
     const int MOUNT_FLAG_PRIMARY = 1;

main.cpp

@@ -278,8 +278,6 @@ static int process_config(VolumeManager* vm, VoldConfigs* configs) {
             int flags = 0;
 
             if (entry.is_encryptable()) {
-                flags |= android::vold::Disk::Flags::kAdoptable;
-                configs->has_adoptable = true;
             }
             if (entry.fs_mgr_flags.no_emulated_sd ||
                 android::base::GetBoolProperty("vold.debug.default_primary", false)) {

model/Disk.h

@@ -42,8 +42,6 @@ class Disk {
     virtual ~Disk();
 
     enum Flags {
-        /* Flag that disk is adoptable */
-        kAdoptable = 1 << 0,
         /* Flag that disk is considered primary when the user hasn't
          * explicitly picked a primary storage location */
         kDefaultPrimary = 1 << 1,