vold: add gc period in setGCUrgentPace am: 7c788fc3e9

Original change: https://android-review.googlesource.com/c/platform/system/vold/+/2032446

Change-Id: I691c355f6eb91f83af0b4bbdade10bd67ceb62a3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/FsCrypt.cpp b/FsCrypt.cpp
index be68222..42df78b 100644
--- a/FsCrypt.cpp
+++ b/FsCrypt.cpp
@@ -470,6 +470,8 @@
     return true;
 }
 
+bool fscrypt_init_user0_done;
+
 bool fscrypt_init_user0() {
     LOG(DEBUG) << "fscrypt_init_user0";
     if (fscrypt_is_native()) {
@@ -504,6 +506,7 @@
         if (!try_reload_ce_keys()) return false;
     }
 
+    fscrypt_init_user0_done = true;
     return true;
 }
 
@@ -764,7 +767,7 @@
         // unlock directories when not in emulation mode, to bring devices
         // back into a known-good state.
         if (!emulated_unlock(android::vold::BuildDataSystemCePath(user_id), 0771) ||
-            !emulated_unlock(android::vold::BuildDataMiscCePath(user_id), 01771) ||
+            !emulated_unlock(android::vold::BuildDataMiscCePath("", user_id), 01771) ||
             !emulated_unlock(android::vold::BuildDataMediaCePath("", user_id), 0770) ||
             !emulated_unlock(android::vold::BuildDataUserCePath("", user_id), 0771)) {
             LOG(ERROR) << "Failed to unlock user " << user_id;
@@ -782,7 +785,7 @@
     } else if (fscrypt_is_emulated()) {
         // When in emulation mode, we just use chmod
         if (!emulated_lock(android::vold::BuildDataSystemCePath(user_id)) ||
-            !emulated_lock(android::vold::BuildDataMiscCePath(user_id)) ||
+            !emulated_lock(android::vold::BuildDataMiscCePath("", user_id)) ||
             !emulated_lock(android::vold::BuildDataMediaCePath("", user_id)) ||
             !emulated_lock(android::vold::BuildDataUserCePath("", user_id))) {
             LOG(ERROR) << "Failed to lock user " << user_id;
@@ -817,7 +820,7 @@
 
         // DE_n key
         auto system_de_path = android::vold::BuildDataSystemDePath(user_id);
-        auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
+        auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
         auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
         auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
 
@@ -831,9 +834,10 @@
             if (!prepare_dir(profiles_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
 
             if (!prepare_dir(system_de_path, 0770, AID_SYSTEM, AID_SYSTEM)) return false;
-            if (!prepare_dir(misc_de_path, 01771, AID_SYSTEM, AID_MISC)) return false;
             if (!prepare_dir(vendor_de_path, 0771, AID_ROOT, AID_ROOT)) return false;
         }
+
+        if (!prepare_dir(misc_de_path, 01771, AID_SYSTEM, AID_MISC)) return false;
         if (!prepare_dir(user_de_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
 
         if (fscrypt_is_native()) {
@@ -841,11 +845,14 @@
             if (volume_uuid.empty()) {
                 if (!lookup_policy(s_de_policies, user_id, &de_policy)) return false;
                 if (!EnsurePolicy(de_policy, system_de_path)) return false;
-                if (!EnsurePolicy(de_policy, misc_de_path)) return false;
                 if (!EnsurePolicy(de_policy, vendor_de_path)) return false;
             } else {
-                if (!read_or_create_volkey(misc_de_path, volume_uuid, &de_policy)) return false;
+                auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
+                if (!read_or_create_volkey(misc_de_empty_volume_path, volume_uuid, &de_policy)) {
+                    return false;
+                }
             }
+            if (!EnsurePolicy(de_policy, misc_de_path)) return false;
             if (!EnsurePolicy(de_policy, user_de_path)) return false;
         }
     }
@@ -853,14 +860,13 @@
     if (flags & android::os::IVold::STORAGE_FLAG_CE) {
         // CE_n key
         auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
-        auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
+        auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
         auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
         auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
         auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
 
         if (volume_uuid.empty()) {
             if (!prepare_dir(system_ce_path, 0770, AID_SYSTEM, AID_SYSTEM)) return false;
-            if (!prepare_dir(misc_ce_path, 01771, AID_SYSTEM, AID_MISC)) return false;
             if (!prepare_dir(vendor_ce_path, 0771, AID_ROOT, AID_ROOT)) return false;
         }
         if (!prepare_dir(media_ce_path, 02770, AID_MEDIA_RW, AID_MEDIA_RW)) return false;
@@ -873,6 +879,7 @@
             return false;
         }
 
+        if (!prepare_dir(misc_ce_path, 01771, AID_SYSTEM, AID_MISC)) return false;
         if (!prepare_dir(user_ce_path, 0771, AID_SYSTEM, AID_SYSTEM)) return false;
 
         if (fscrypt_is_native()) {
@@ -880,12 +887,15 @@
             if (volume_uuid.empty()) {
                 if (!lookup_policy(s_ce_policies, user_id, &ce_policy)) return false;
                 if (!EnsurePolicy(ce_policy, system_ce_path)) return false;
-                if (!EnsurePolicy(ce_policy, misc_ce_path)) return false;
                 if (!EnsurePolicy(ce_policy, vendor_ce_path)) return false;
             } else {
-                if (!read_or_create_volkey(misc_ce_path, volume_uuid, &ce_policy)) return false;
+                auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
+                if (!read_or_create_volkey(misc_ce_empty_volume_path, volume_uuid, &ce_policy)) {
+                    return false;
+                }
             }
             if (!EnsurePolicy(ce_policy, media_ce_path)) return false;
+            if (!EnsurePolicy(ce_policy, misc_ce_path)) return false;
             if (!EnsurePolicy(ce_policy, user_ce_path)) return false;
         }
 
@@ -913,20 +923,21 @@
     if (flags & android::os::IVold::STORAGE_FLAG_CE) {
         // CE_n key
         auto system_ce_path = android::vold::BuildDataSystemCePath(user_id);
-        auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
+        auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
         auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
         auto media_ce_path = android::vold::BuildDataMediaCePath(volume_uuid, user_id);
         auto user_ce_path = android::vold::BuildDataUserCePath(volume_uuid, user_id);
 
         res &= destroy_dir(media_ce_path);
+        res &= destroy_dir(misc_ce_path);
         res &= destroy_dir(user_ce_path);
         if (volume_uuid.empty()) {
             res &= destroy_dir(system_ce_path);
-            res &= destroy_dir(misc_ce_path);
             res &= destroy_dir(vendor_ce_path);
         } else {
             if (fscrypt_is_native()) {
-                res &= destroy_volkey(misc_ce_path, volume_uuid);
+                auto misc_ce_empty_volume_path = android::vold::BuildDataMiscCePath("", user_id);
+                res &= destroy_volkey(misc_ce_empty_volume_path, volume_uuid);
             }
         }
     }
@@ -939,11 +950,12 @@
 
         // DE_n key
         auto system_de_path = android::vold::BuildDataSystemDePath(user_id);
-        auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
+        auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
         auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
         auto user_de_path = android::vold::BuildDataUserDePath(volume_uuid, user_id);
 
         res &= destroy_dir(user_de_path);
+        res &= destroy_dir(misc_de_path);
         if (volume_uuid.empty()) {
             res &= destroy_dir(system_legacy_path);
 #if MANAGE_MISC_DIRS
@@ -951,11 +963,11 @@
 #endif
             res &= destroy_dir(profiles_de_path);
             res &= destroy_dir(system_de_path);
-            res &= destroy_dir(misc_de_path);
             res &= destroy_dir(vendor_de_path);
         } else {
             if (fscrypt_is_native()) {
-                res &= destroy_volkey(misc_de_path, volume_uuid);
+                auto misc_de_empty_volume_path = android::vold::BuildDataMiscDePath("", user_id);
+                res &= destroy_volkey(misc_de_empty_volume_path, volume_uuid);
             }
         }
     }
diff --git a/FsCrypt.h b/FsCrypt.h
index 2946be5..e5af487 100644
--- a/FsCrypt.h
+++ b/FsCrypt.h
@@ -22,6 +22,7 @@
 bool fscrypt_initialize_systemwide_keys();
 
 bool fscrypt_init_user0();
+extern bool fscrypt_init_user0_done;
 bool fscrypt_vold_create_user_key(userid_t user_id, int serial, bool ephemeral);
 bool fscrypt_destroy_user_key(userid_t user_id);
 bool fscrypt_add_user_key_auth(userid_t user_id, int serial, const std::string& secret);
diff --git a/Keystore.cpp b/Keystore.cpp
index a017d68..d993b0d 100644
--- a/Keystore.cpp
+++ b/Keystore.cpp
@@ -166,7 +166,13 @@
         *key = std::string(ephemeral_key_response.ephemeralKey.begin(),
                            ephemeral_key_response.ephemeralKey.end());
 
-    // TODO b/185811713 store the upgraded key blob if provided and delete the old key blob.
+    // vold intentionally ignores ephemeral_key_response.upgradedBlob, since the
+    // concept of "upgrading" doesn't make sense for TAG_STORAGE_KEY keys
+    // (hardware-wrapped inline encryption keys).  These keys are only meant as
+    // a substitute for raw keys; they still go through vold's usual layer of
+    // key wrapping, which already handles version binding.  So, vold just keeps
+    // using the original blobs for TAG_STORAGE_KEY keys.  If KeyMint "upgrades"
+    // them anyway, then they'll just get re-upgraded before each use.
 
     ret = true;
 out:
diff --git a/MetadataCrypt.cpp b/MetadataCrypt.cpp
index bd3c0ef..5c9e644 100644
--- a/MetadataCrypt.cpp
+++ b/MetadataCrypt.cpp
@@ -261,7 +261,7 @@
 
     CryptoOptions options;
     if (options_format_version == 1) {
-        if (!data_rec->metadata_encryption.empty()) {
+        if (!data_rec->metadata_encryption_options.empty()) {
             LOG(ERROR) << "metadata_encryption options cannot be set in legacy mode";
             return false;
         }
@@ -274,7 +274,7 @@
             return false;
         }
     } else if (options_format_version == 2) {
-        if (!parse_options(data_rec->metadata_encryption, &options)) return false;
+        if (!parse_options(data_rec->metadata_encryption_options, &options)) return false;
     } else {
         LOG(ERROR) << "Unknown options_format_version: " << options_format_version;
         return false;
diff --git a/TEST_MAPPING b/TEST_MAPPING
index 49b2d60..a535181 100644
--- a/TEST_MAPPING
+++ b/TEST_MAPPING
@@ -12,5 +12,19 @@
     {
       "name": "AdoptableHostTest"
     }
+  ],
+  "hwasan-postsubmit": [
+    {
+      "name": "CtsScopedStorageCoreHostTest"
+    },
+    {
+      "name": "CtsScopedStorageHostTest"
+    },
+    {
+      "name": "CtsScopedStorageDeviceOnlyTest"
+    },
+    {
+      "name": "AdoptableHostTest"
+    }
   ]
 }
diff --git a/Utils.cpp b/Utils.cpp
index 66e642f..ba6afd8 100644
--- a/Utils.cpp
+++ b/Utils.cpp
@@ -1120,14 +1120,6 @@
     return StringPrintf("%s/misc/user/%u", BuildDataPath("").c_str(), userId);
 }
 
-std::string BuildDataMiscCePath(userid_t userId) {
-    return StringPrintf("%s/misc_ce/%u", BuildDataPath("").c_str(), userId);
-}
-
-std::string BuildDataMiscDePath(userid_t userId) {
-    return StringPrintf("%s/misc_de/%u", BuildDataPath("").c_str(), userId);
-}
-
 // Keep in sync with installd (frameworks/native/cmds/installd/utils.h)
 std::string BuildDataProfilesDePath(userid_t userId) {
     return StringPrintf("%s/misc/profiles/cur/%u", BuildDataPath("").c_str(), userId);
@@ -1157,6 +1149,14 @@
     return StringPrintf("%s/media/%u", data.c_str(), userId);
 }
 
+std::string BuildDataMiscCePath(const std::string& volumeUuid, userid_t userId) {
+    return StringPrintf("%s/misc_ce/%u", BuildDataPath(volumeUuid).c_str(), userId);
+}
+
+std::string BuildDataMiscDePath(const std::string& volumeUuid, userid_t userId) {
+    return StringPrintf("%s/misc_de/%u", BuildDataPath(volumeUuid).c_str(), userId);
+}
+
 std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userId) {
     // TODO: unify with installd path generation logic
     std::string data(BuildDataPath(volumeUuid));
diff --git a/Utils.h b/Utils.h
index 7733152..71eb5eb 100644
--- a/Utils.h
+++ b/Utils.h
@@ -150,14 +150,14 @@
 std::string BuildDataSystemCePath(userid_t userid);
 std::string BuildDataSystemDePath(userid_t userid);
 std::string BuildDataMiscLegacyPath(userid_t userid);
-std::string BuildDataMiscCePath(userid_t userid);
-std::string BuildDataMiscDePath(userid_t userid);
 std::string BuildDataProfilesDePath(userid_t userid);
 std::string BuildDataVendorCePath(userid_t userid);
 std::string BuildDataVendorDePath(userid_t userid);
 
 std::string BuildDataPath(const std::string& volumeUuid);
 std::string BuildDataMediaCePath(const std::string& volumeUuid, userid_t userid);
+std::string BuildDataMiscCePath(const std::string& volumeUuid, userid_t userid);
+std::string BuildDataMiscDePath(const std::string& volumeUuid, userid_t userid);
 std::string BuildDataUserCePath(const std::string& volumeUuid, userid_t userid);
 std::string BuildDataUserDePath(const std::string& volumeUuid, userid_t userid);
 
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index 71eaddc..8ba3aaf 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -551,110 +551,6 @@
     return Ok();
 }
 
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeCheckPassword(const std::string& password) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeCheckPassword is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeRestart() {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeRestart is no longer supported");
-    return Ok();
-}
-
-// TODO(b/191796797) remove this once caller is removed
-#define CRYPTO_COMPLETE_NOT_ENCRYPTED 1
-binder::Status VoldNativeService::fdeComplete(int32_t* _aidl_return) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeComplete is no longer supported");
-    *_aidl_return = CRYPTO_COMPLETE_NOT_ENCRYPTED;
-    return Ok();
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeEnable(int32_t passwordType, const std::string& password,
-                                            int32_t encryptionFlags) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeEnable is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
-                                                    const std::string& password) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeChangePassword is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeVerifyPassword is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeGetField(const std::string& key, std::string* _aidl_return) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeGetField is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeSetField(const std::string& key, const std::string& value) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeSetField is no longer supported");
-    return translate(-1);
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeGetPasswordType(int32_t* _aidl_return) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeGetPasswordType is no longer supported");
-    *_aidl_return = -1;
-    return Ok();
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeGetPassword(std::string* _aidl_return) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeGetPassword is no longer supported");
-    return Ok();
-}
-
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::fdeClearPassword() {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("fdeClearPassword is no longer supported");
-    return Ok();
-}
-
 binder::Status VoldNativeService::fbeEnable() {
     ENFORCE_SYSTEM_OR_ROOT;
     ACQUIRE_CRYPT_LOCK;
@@ -662,15 +558,6 @@
     return translateBool(fscrypt_initialize_systemwide_keys());
 }
 
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::mountDefaultEncrypted() {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("mountDefaultEncrypted is no longer supported");
-    return Ok();
-}
-
 binder::Status VoldNativeService::initUser0() {
     ENFORCE_SYSTEM_OR_ROOT;
     ACQUIRE_CRYPT_LOCK;
@@ -678,16 +565,6 @@
     return translateBool(fscrypt_init_user0());
 }
 
-// TODO(b/191796797) remove this once caller is removed
-binder::Status VoldNativeService::isConvertibleToFbe(bool* _aidl_return) {
-    ENFORCE_SYSTEM_OR_ROOT;
-    ACQUIRE_CRYPT_LOCK;
-
-    SLOGE("isConvertibleToFbe is no longer supported");
-    *_aidl_return = false;
-    return Ok();
-}
-
 binder::Status VoldNativeService::mountFstab(const std::string& blkDevice,
                                              const std::string& mountPoint) {
     ENFORCE_SYSTEM_OR_ROOT;
diff --git a/VoldNativeService.h b/VoldNativeService.h
index 1a85296..423e8f9 100644
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@@ -100,24 +100,9 @@
     binder::Status openAppFuseFile(int32_t uid, int32_t mountId, int32_t fileId, int32_t flags,
                                    android::base::unique_fd* _aidl_return);
 
-    binder::Status fdeCheckPassword(const std::string& password);
-    binder::Status fdeRestart();
-    binder::Status fdeComplete(int32_t* _aidl_return);
-    binder::Status fdeEnable(int32_t passwordType, const std::string& password,
-                             int32_t encryptionFlags);
-    binder::Status fdeChangePassword(int32_t passwordType, const std::string& password);
-    binder::Status fdeVerifyPassword(const std::string& password);
-    binder::Status fdeGetField(const std::string& key, std::string* _aidl_return);
-    binder::Status fdeSetField(const std::string& key, const std::string& value);
-    binder::Status fdeGetPasswordType(int32_t* _aidl_return);
-    binder::Status fdeGetPassword(std::string* _aidl_return);
-    binder::Status fdeClearPassword();
-
     binder::Status fbeEnable();
 
-    binder::Status mountDefaultEncrypted();
     binder::Status initUser0();
-    binder::Status isConvertibleToFbe(bool* _aidl_return);
     binder::Status mountFstab(const std::string& blkDevice, const std::string& mountPoint);
     binder::Status encryptFstab(const std::string& blkDevice, const std::string& mountPoint,
                                 bool shouldFormat, const std::string& fsType);
diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
index 9508d91..d77c7da 100644
--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@@ -76,23 +76,9 @@
     FileDescriptor mountAppFuse(int uid, int mountId);
     void unmountAppFuse(int uid, int mountId);
 
-    void fdeCheckPassword(@utf8InCpp String password);
-    void fdeRestart();
-    int fdeComplete();
-    void fdeEnable(int passwordType, @utf8InCpp String password, int encryptionFlags);
-    void fdeChangePassword(int passwordType, @utf8InCpp String password);
-    void fdeVerifyPassword(@utf8InCpp String password);
-    @utf8InCpp String fdeGetField(@utf8InCpp String key);
-    void fdeSetField(@utf8InCpp String key, @utf8InCpp String value);
-    int fdeGetPasswordType();
-    @utf8InCpp String fdeGetPassword();
-    void fdeClearPassword();
-
     void fbeEnable();
 
-    void mountDefaultEncrypted();
     void initUser0();
-    boolean isConvertibleToFbe();
     void mountFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint);
     void encryptFstab(@utf8InCpp String blkDevice, @utf8InCpp String mountPoint, boolean shouldFormat, @utf8InCpp String fsType);
 
@@ -149,15 +135,6 @@
 
     void destroyDsuMetadataKey(@utf8InCpp String dsuSlot);
 
-    const int ENCRYPTION_FLAG_NO_UI = 4;
-
-    const int ENCRYPTION_STATE_NONE = 1;
-    const int ENCRYPTION_STATE_OK = 0;
-    const int ENCRYPTION_STATE_ERROR_UNKNOWN = -1;
-    const int ENCRYPTION_STATE_ERROR_INCOMPLETE = -2;
-    const int ENCRYPTION_STATE_ERROR_INCONSISTENT = -3;
-    const int ENCRYPTION_STATE_ERROR_CORRUPT = -4;
-
     const int FSTRIM_FLAG_DEEP_TRIM = 1;
 
     const int MOUNT_FLAG_PRIMARY = 1;
@@ -168,11 +145,6 @@
     const int PARTITION_TYPE_PRIVATE = 1;
     const int PARTITION_TYPE_MIXED = 2;
 
-    const int PASSWORD_TYPE_PASSWORD = 0;
-    const int PASSWORD_TYPE_DEFAULT = 1;
-    const int PASSWORD_TYPE_PATTERN = 2;
-    const int PASSWORD_TYPE_PIN = 3;
-
     const int STORAGE_FLAG_DE = 1;
     const int STORAGE_FLAG_CE = 2;
 
diff --git a/fs/Ext4.cpp b/fs/Ext4.cpp
index 77cec80..52f6772 100644
--- a/fs/Ext4.cpp
+++ b/fs/Ext4.cpp
@@ -171,7 +171,7 @@
 
     bool needs_casefold =
             android::base::GetBoolProperty("external_storage.casefold.enabled", false);
-    bool needs_projid = android::base::GetBoolProperty("external_storage.projid.enabled", false);
+    bool needs_projid = true;
 
     if (needs_projid) {
         cmd.push_back("-I");
diff --git a/fs/F2fs.cpp b/fs/F2fs.cpp
index f4a81ee..55b0823 100644
--- a/fs/F2fs.cpp
+++ b/fs/F2fs.cpp
@@ -78,31 +78,18 @@
     cmd.emplace_back("-f");
     cmd.emplace_back("-d1");
 
-    if (android::base::GetBoolProperty("vold.has_quota", false)) {
-        cmd.emplace_back("-O");
-        cmd.emplace_back("quota");
-    }
-    if (fscrypt_is_native()) {
-        cmd.emplace_back("-O");
-        cmd.emplace_back("encrypt");
-    }
+    cmd.emplace_back("-g");
+    cmd.emplace_back("android");
+
     if (android::base::GetBoolProperty("vold.has_compress", false)) {
         cmd.emplace_back("-O");
         cmd.emplace_back("compression");
         cmd.emplace_back("-O");
         cmd.emplace_back("extra_attr");
     }
-    cmd.emplace_back("-O");
-    cmd.emplace_back("verity");
 
     const bool needs_casefold =
             android::base::GetBoolProperty("external_storage.casefold.enabled", false);
-    const bool needs_projid =
-            android::base::GetBoolProperty("external_storage.projid.enabled", false);
-    if (needs_projid) {
-        cmd.emplace_back("-O");
-        cmd.emplace_back("project_quota,extra_attr");
-    }
     if (needs_casefold) {
         cmd.emplace_back("-O");
         cmd.emplace_back("casefold");
diff --git a/main.cpp b/main.cpp
index 978db66..b07ee68 100644
--- a/main.cpp
+++ b/main.cpp
@@ -16,6 +16,7 @@
 
 #define ATRACE_TAG ATRACE_TAG_PACKAGE_MANAGER
 
+#include "FsCrypt.h"
 #include "MetadataCrypt.h"
 #include "NetlinkManager.h"
 #include "VoldNativeService.h"
@@ -251,7 +252,7 @@
             PLOG(FATAL) << "could not find logical partition " << entry.blk_device;
         }
 
-        if (entry.mount_point == "/data" && !entry.metadata_encryption.empty()) {
+        if (entry.mount_point == "/data" && !entry.metadata_key_dir.empty()) {
             // Pre-populate userdata dm-devices since the uevents are asynchronous (b/198405417).
             android::vold::defaultkey_precreate_dm_device();
         }
@@ -286,18 +287,24 @@
                        const char* tag, const char* file, unsigned int line, const char* message) {
     logd_logger(log_buffer_id, severity, tag, file, line, message);
 
-    if (severity >= android::base::ERROR) {
-        static bool is_data_mounted = false;
+    if (severity >= android::base::WARNING) {
+        static bool early_boot_done = false;
 
-        // When /data fails to mount, we don't have adb to get logcat. So until /data is
-        // mounted we log errors to the kernel. This allows us to get failures via serial logs
-        // and via last dmesg/"fastboot oem dmesg" on devices that support it.
+        // If metadata encryption setup (fscrypt_mount_metadata_encrypted) or
+        // basic FBE setup (fscrypt_init_user0) fails, then the boot will fail
+        // before adb can be started, so logcat won't be available.  To allow
+        // debugging these early boot failures, log early errors and warnings to
+        // the kernel log.  This allows diagnosing failures via the serial log,
+        // or via last dmesg/"fastboot oem dmesg" on devices that support it.
         //
-        // As a very quick-and-dirty test for /data, we check whether /data/misc/vold exists.
-        if (is_data_mounted || access("/data/misc/vold", F_OK) == 0) {
-            is_data_mounted = true;
-            return;
+        // As a very quick-and-dirty test for whether /data has been mounted,
+        // check whether /data/misc/vold exists.
+        if (!early_boot_done) {
+            if (access("/data/misc/vold", F_OK) == 0 && fscrypt_init_user0_done) {
+                early_boot_done = true;
+                return;
+            }
+            android::base::KernelLogger(log_buffer_id, severity, tag, file, line, message);
         }
-        android::base::KernelLogger(log_buffer_id, severity, tag, file, line, message);
     }
 }
diff --git a/model/PrivateVolume.cpp b/model/PrivateVolume.cpp
index 1875b7b..a692ea9 100644
--- a/model/PrivateVolume.cpp
+++ b/model/PrivateVolume.cpp
@@ -173,6 +173,8 @@
     if (PrepareDir(mPath + "/app", 0771, AID_SYSTEM, AID_SYSTEM) ||
         PrepareDir(mPath + "/user", 0711, AID_SYSTEM, AID_SYSTEM) ||
         PrepareDir(mPath + "/user_de", 0711, AID_SYSTEM, AID_SYSTEM) ||
+        PrepareDir(mPath + "/misc_ce", 0711, AID_SYSTEM, AID_SYSTEM) ||
+        PrepareDir(mPath + "/misc_de", 0711, AID_SYSTEM, AID_SYSTEM) ||
         PrepareDir(mPath + "/media", 0770, AID_MEDIA_RW, AID_MEDIA_RW, attrs) ||
         PrepareDir(mPath + "/media/0", 0770, AID_MEDIA_RW, AID_MEDIA_RW) ||
         PrepareDir(mPath + "/local", 0751, AID_ROOT, AID_ROOT) ||
diff --git a/vold_prepare_subdirs.cpp b/vold_prepare_subdirs.cpp
index 692c500..94d7f15 100644
--- a/vold_prepare_subdirs.cpp
+++ b/vold_prepare_subdirs.cpp
@@ -172,7 +172,7 @@
             return false;
         }
 
-        auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
+        auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
         if (!prepare_dir_for_user(sehandle, 0771, AID_SYSTEM, AID_SYSTEM,
                                   misc_de_path + "/sdksandbox", user_id)) {
             return false;
@@ -208,7 +208,7 @@
             return false;
         }
 
-        auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
+        auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
         if (!prepare_dir_for_user(sehandle, 0771, AID_SYSTEM, AID_SYSTEM,
                                   misc_ce_path + "/sdksandbox", user_id)) {
             return false;
@@ -256,18 +256,20 @@
 
 static bool destroy_subdirs(const std::string& volume_uuid, int user_id, int flags) {
     bool res = true;
-    if (volume_uuid.empty()) {
-        if (flags & android::os::IVold::STORAGE_FLAG_CE) {
-            auto misc_ce_path = android::vold::BuildDataMiscCePath(user_id);
-            res &= rmrf_contents(misc_ce_path);
+    if (flags & android::os::IVold::STORAGE_FLAG_CE) {
+        auto misc_ce_path = android::vold::BuildDataMiscCePath(volume_uuid, user_id);
+        res &= rmrf_contents(misc_ce_path);
 
+        if (volume_uuid.empty()) {
             auto vendor_ce_path = android::vold::BuildDataVendorCePath(user_id);
             res &= rmrf_contents(vendor_ce_path);
         }
-        if (flags & android::os::IVold::STORAGE_FLAG_DE) {
-            auto misc_de_path = android::vold::BuildDataMiscDePath(user_id);
-            res &= rmrf_contents(misc_de_path);
+    }
+    if (flags & android::os::IVold::STORAGE_FLAG_DE) {
+        auto misc_de_path = android::vold::BuildDataMiscDePath(volume_uuid, user_id);
+        res &= rmrf_contents(misc_de_path);
 
+        if (volume_uuid.empty()) {
             auto vendor_de_path = android::vold::BuildDataVendorDePath(user_id);
             res &= rmrf_contents(vendor_de_path);
         }