xref: /aosp_15_r20/system/vold/model/VolumeEncryption.cpp (revision f40fafd4c6c2594924d919feffc1a1fd6e3b30f3) 
1*f40fafd4SAndroid Build Coastguard Worker /*
2*f40fafd4SAndroid Build Coastguard Worker  * Copyright (C) 2020 The Android Open Source Project
3*f40fafd4SAndroid Build Coastguard Worker  *
4*f40fafd4SAndroid Build Coastguard Worker  * Licensed under the Apache License, Version 2.0 (the "License");
5*f40fafd4SAndroid Build Coastguard Worker  * you may not use this file except in compliance with the License.
6*f40fafd4SAndroid Build Coastguard Worker  * You may obtain a copy of the License at
7*f40fafd4SAndroid Build Coastguard Worker  *
8*f40fafd4SAndroid Build Coastguard Worker  *      http://www.apache.org/licenses/LICENSE-2.0
9*f40fafd4SAndroid Build Coastguard Worker  *
10*f40fafd4SAndroid Build Coastguard Worker  * Unless required by applicable law or agreed to in writing, software
11*f40fafd4SAndroid Build Coastguard Worker  * distributed under the License is distributed on an "AS IS" BASIS,
12*f40fafd4SAndroid Build Coastguard Worker  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13*f40fafd4SAndroid Build Coastguard Worker  * See the License for the specific language governing permissions and
14*f40fafd4SAndroid Build Coastguard Worker  * limitations under the License.
15*f40fafd4SAndroid Build Coastguard Worker  */
16*f40fafd4SAndroid Build Coastguard Worker 
17*f40fafd4SAndroid Build Coastguard Worker #include "VolumeEncryption.h"
18*f40fafd4SAndroid Build Coastguard Worker 
19*f40fafd4SAndroid Build Coastguard Worker #include <string>
20*f40fafd4SAndroid Build Coastguard Worker 
21*f40fafd4SAndroid Build Coastguard Worker #include <android-base/logging.h>
22*f40fafd4SAndroid Build Coastguard Worker #include <android-base/properties.h>
23*f40fafd4SAndroid Build Coastguard Worker 
24*f40fafd4SAndroid Build Coastguard Worker #include "KeyBuffer.h"
25*f40fafd4SAndroid Build Coastguard Worker #include "KeyUtil.h"
26*f40fafd4SAndroid Build Coastguard Worker #include "MetadataCrypt.h"
27*f40fafd4SAndroid Build Coastguard Worker #include "cryptfs.h"
28*f40fafd4SAndroid Build Coastguard Worker 
29*f40fafd4SAndroid Build Coastguard Worker namespace android {
30*f40fafd4SAndroid Build Coastguard Worker namespace vold {
31*f40fafd4SAndroid Build Coastguard Worker 
32*f40fafd4SAndroid Build Coastguard Worker enum class VolumeMethod { kFailed, kCrypt, kDefaultKey };
33*f40fafd4SAndroid Build Coastguard Worker 
lookup_volume_method()34*f40fafd4SAndroid Build Coastguard Worker static VolumeMethod lookup_volume_method() {
35*f40fafd4SAndroid Build Coastguard Worker     auto first_api_level =
36*f40fafd4SAndroid Build Coastguard Worker             android::base::GetUintProperty<uint64_t>("ro.product.first_api_level", 0);
37*f40fafd4SAndroid Build Coastguard Worker     auto method = android::base::GetProperty("ro.crypto.volume.metadata.method", "default");
38*f40fafd4SAndroid Build Coastguard Worker     if (method == "default") {
39*f40fafd4SAndroid Build Coastguard Worker         return first_api_level > __ANDROID_API_Q__ ? VolumeMethod::kDefaultKey
40*f40fafd4SAndroid Build Coastguard Worker                                                    : VolumeMethod::kCrypt;
41*f40fafd4SAndroid Build Coastguard Worker     } else if (method == "dm-default-key") {
42*f40fafd4SAndroid Build Coastguard Worker         return VolumeMethod::kDefaultKey;
43*f40fafd4SAndroid Build Coastguard Worker     } else if (method == "dm-crypt") {
44*f40fafd4SAndroid Build Coastguard Worker         if (first_api_level > __ANDROID_API_Q__) {
45*f40fafd4SAndroid Build Coastguard Worker             LOG(ERROR) << "volume encryption method dm-crypt cannot be used, "
46*f40fafd4SAndroid Build Coastguard Worker                           "ro.product.first_api_level = "
47*f40fafd4SAndroid Build Coastguard Worker                        << first_api_level;
48*f40fafd4SAndroid Build Coastguard Worker             return VolumeMethod::kFailed;
49*f40fafd4SAndroid Build Coastguard Worker         }
50*f40fafd4SAndroid Build Coastguard Worker         return VolumeMethod::kCrypt;
51*f40fafd4SAndroid Build Coastguard Worker     } else {
52*f40fafd4SAndroid Build Coastguard Worker         LOG(ERROR) << "Unknown volume encryption method: " << method;
53*f40fafd4SAndroid Build Coastguard Worker         return VolumeMethod::kFailed;
54*f40fafd4SAndroid Build Coastguard Worker     }
55*f40fafd4SAndroid Build Coastguard Worker }
56*f40fafd4SAndroid Build Coastguard Worker 
volume_method()57*f40fafd4SAndroid Build Coastguard Worker static VolumeMethod volume_method() {
58*f40fafd4SAndroid Build Coastguard Worker     static VolumeMethod method = lookup_volume_method();
59*f40fafd4SAndroid Build Coastguard Worker     return method;
60*f40fafd4SAndroid Build Coastguard Worker }
61*f40fafd4SAndroid Build Coastguard Worker 
generate_volume_key(android::vold::KeyBuffer * key)62*f40fafd4SAndroid Build Coastguard Worker bool generate_volume_key(android::vold::KeyBuffer* key) {
63*f40fafd4SAndroid Build Coastguard Worker     KeyGeneration gen;
64*f40fafd4SAndroid Build Coastguard Worker     switch (volume_method()) {
65*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kFailed:
66*f40fafd4SAndroid Build Coastguard Worker             LOG(ERROR) << "Volume encryption setup failed";
67*f40fafd4SAndroid Build Coastguard Worker             return false;
68*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kCrypt:
69*f40fafd4SAndroid Build Coastguard Worker             gen = cryptfs_get_keygen();
70*f40fafd4SAndroid Build Coastguard Worker             break;
71*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kDefaultKey:
72*f40fafd4SAndroid Build Coastguard Worker             if (!defaultkey_volume_keygen(&gen)) return false;
73*f40fafd4SAndroid Build Coastguard Worker             break;
74*f40fafd4SAndroid Build Coastguard Worker     }
75*f40fafd4SAndroid Build Coastguard Worker     if (!generateStorageKey(gen, key)) return false;
76*f40fafd4SAndroid Build Coastguard Worker     return true;
77*f40fafd4SAndroid Build Coastguard Worker }
78*f40fafd4SAndroid Build Coastguard Worker 
setup_ext_volume(const std::string & label,const std::string & blk_device,const android::vold::KeyBuffer & key,std::string * out_crypto_blkdev)79*f40fafd4SAndroid Build Coastguard Worker bool setup_ext_volume(const std::string& label, const std::string& blk_device,
80*f40fafd4SAndroid Build Coastguard Worker                       const android::vold::KeyBuffer& key, std::string* out_crypto_blkdev) {
81*f40fafd4SAndroid Build Coastguard Worker     switch (volume_method()) {
82*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kFailed:
83*f40fafd4SAndroid Build Coastguard Worker             LOG(ERROR) << "Volume encryption setup failed";
84*f40fafd4SAndroid Build Coastguard Worker             return false;
85*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kCrypt:
86*f40fafd4SAndroid Build Coastguard Worker             return cryptfs_setup_ext_volume(label.c_str(), blk_device.c_str(), key,
87*f40fafd4SAndroid Build Coastguard Worker                                             out_crypto_blkdev) == 0;
88*f40fafd4SAndroid Build Coastguard Worker         case VolumeMethod::kDefaultKey:
89*f40fafd4SAndroid Build Coastguard Worker             return defaultkey_setup_ext_volume(label, blk_device, key, out_crypto_blkdev);
90*f40fafd4SAndroid Build Coastguard Worker     }
91*f40fafd4SAndroid Build Coastguard Worker }
92*f40fafd4SAndroid Build Coastguard Worker 
93*f40fafd4SAndroid Build Coastguard Worker }  // namespace vold
94*f40fafd4SAndroid Build Coastguard Worker }  // namespace android
95