fskeyring & userspace reboot: support DE keys
During userspace reboot /data might be unmounted, which means that if
device supports filesystem keyring, DE keys will be lost and are needed
to be re-installed.
Test: adb shell setprop sys.init.userdata_remount.force_umount 1
Test: adb shell svc power reboot userspace
Test: atest CtsUserspaceRebootHostSideTestCases
Bug: 143970043
Change-Id: I153caa1d7c373b3c906a34f1184c681e52854a9d
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index 276444c..d43bc08 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -87,8 +87,6 @@
const std::string systemwide_volume_key_dir =
std::string() + DATA_MNT_POINT + "/misc/vold/volume_keys";
-bool s_systemwide_keys_initialized = false;
-
// Some users are ephemeral, don't try to wipe their keys from disk
std::set<userid_t> s_ephemeral_users;
@@ -363,15 +361,17 @@
continue;
}
userid_t user_id = std::stoi(entry->d_name);
- if (s_de_policies.count(user_id) == 0) {
- auto key_path = de_dir + "/" + entry->d_name;
- KeyBuffer de_key;
- if (!retrieveKey(key_path, kEmptyAuthentication, &de_key)) return false;
- EncryptionPolicy de_policy;
- if (!install_storage_key(DATA_MNT_POINT, options, de_key, &de_policy)) return false;
- s_de_policies[user_id] = de_policy;
- LOG(DEBUG) << "Installed de key for user " << user_id;
+ auto key_path = de_dir + "/" + entry->d_name;
+ KeyBuffer de_key;
+ if (!retrieveKey(key_path, kEmptyAuthentication, &de_key)) return false;
+ EncryptionPolicy de_policy;
+ if (!install_storage_key(DATA_MNT_POINT, options, de_key, &de_policy)) return false;
+ auto ret = s_de_policies.insert({user_id, de_policy});
+ if (!ret.second && ret.first->second != de_policy) {
+ LOG(ERROR) << "DE policy for user" << user_id << " changed";
+ return false;
}
+ LOG(DEBUG) << "Installed de key for user " << user_id;
}
// fscrypt:TODO: go through all DE directories, ensure that all user dirs have the
// correct policy set on them, and that no rogue ones exist.
@@ -381,10 +381,6 @@
bool fscrypt_initialize_systemwide_keys() {
LOG(INFO) << "fscrypt_initialize_systemwide_keys";
- if (s_systemwide_keys_initialized) {
- LOG(INFO) << "Already initialized";
- return true;
- }
EncryptionOptions options;
if (!get_data_file_encryption_options(&options)) return false;
@@ -418,7 +414,6 @@
LOG(INFO) << "Wrote per boot key reference to:" << per_boot_ref_filename;
if (!android::vold::FsyncDirectory(device_key_dir)) return false;
- s_systemwide_keys_initialized = true;
return true;
}