From 166fa3de7060198252b43a4a9ddd841fb6d65cf7 Mon Sep 17 00:00:00 2001 From: Paul Lawrence Date: Mon, 3 Feb 2014 13:27:49 -0800 Subject: [PATCH] Auto-encrypt drive at startup Modify fs_mgr to unmount encryptable drives after test mounting them and then trigger an auto-encrypt via the init script Needs matching vold changes from https://googleplex-android-review.googlesource.com/#/c/414200/ Feature is limited to list of serial numbers with this change Bug: 11985952 Change-Id: I84f85a258b6a7e9809467c9149249302e203c41b --- fs_mgr/fs_mgr.c | 48 +++++++++++++++++++++++++++++++++++++++++++----- init/builtins.c | 8 ++++++-- rootdir/init.rc | 12 ++++++++++++ 3 files changed, 61 insertions(+), 7 deletions(-) diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c index c4f27a0a5..9ac68cdd6 100644 --- a/fs_mgr/fs_mgr.c +++ b/fs_mgr/fs_mgr.c @@ -54,6 +54,32 @@ #define ARRAY_SIZE(a) (sizeof(a) / sizeof(*(a))) +/** + * TODO - Remove to enable always on encryption for all devices + * This limits the machines on which this feature is enabled + * Remove call from fs_mgr_mount_all as well + */ +static const char* serial_numbers[] = { + "039b83b8437e9637", + 0 +}; + +static int serial_matches() +{ + char tmp[PROP_VALUE_MAX]; + *tmp = 0; + __system_property_get("ro.serialno", tmp); + + const char** i; + for (i = serial_numbers; *i; ++i) { + if (!strcmp(*i, tmp)) { + return 1; + } + } + + return 0; +} + /* * gettime() - returns the time in seconds of the system's monotonic clock or * zero on error. @@ -254,6 +280,22 @@ int fs_mgr_mount_all(struct fstab *fstab) fstab->recs[i].fs_options); if (!mret) { + /* If this is encryptable, need to trigger encryption */ + if ((fstab->recs[i].fs_mgr_flags & MF_CRYPT)) { + if (serial_matches() && umount(fstab->recs[i].mount_point) == 0) { + if (!encryptable) { + encryptable = 2; + } else { + ERROR("Only one encryptable/encrypted partition supported"); + encryptable = 1; + } + } else { + INFO("Could not umount %s - allow continue unencrypted", + fstab->recs[i].mount_point); + continue; + } + } + /* Success! Go get the next one */ continue; } @@ -287,12 +329,8 @@ int fs_mgr_mount_all(struct fstab *fstab) if (error_count) { return -1; - } - - if (encryptable) { - return 1; } else { - return 0; + return encryptable; } } diff --git a/init/builtins.c b/init/builtins.c index a16806278..a857c9805 100644 --- a/init/builtins.c +++ b/init/builtins.c @@ -501,8 +501,12 @@ int do_mount_all(int nargs, char **args) return -1; } - /* ret is 1 if the device appears encrypted, 0 if not, and -1 on error */ - if (ret == 1) { + /* ret is 2 if device needs encrypted, 1 if the device appears encrypted, + * 0 if not, and -1 on error */ + if (ret == 2) { + property_set("ro.crypto.state", "unencrypted"); + property_set("vold.decrypt", "trigger_encryption"); + } else if (ret == 1) { property_set("ro.crypto.state", "encrypted"); property_set("vold.decrypt", "trigger_default_encryption"); } else if (ret == 0) { diff --git a/rootdir/init.rc b/rootdir/init.rc index 5675cac2c..f63b3322e 100644 --- a/rootdir/init.rc +++ b/rootdir/init.rc @@ -399,6 +399,11 @@ on property:vold.decrypt=trigger_default_encryption start surfaceflinger start defaultcrypto +on property:vold.decrypt=trigger_encryption + start surfaceflinger + start encrypt + class_start main + on charger class_start charger @@ -554,6 +559,13 @@ service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted # vold will set vold.decrypt to trigger_restart_framework (default # encryption) or trigger_restart_min_framework (other encryption) +# One shot invocation to encrypt unencrypted volumes +service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace + disabled + oneshot + # vold will set vold.decrypt to trigger_restart_framework (default + # encryption) + service bootanim /system/bin/bootanimation class main user graphics