GitLab

Change-Id: I4069297a799260b8ecf355e91a1594b4f03126af
Signed-off-by: Mike Lockwood <lockwood@android.com>

Change-Id: I8bb658bb2ab66026f0a54f9c1f80fc5c6e8d918a
Signed-off-by: Mike Lockwood <lockwood@android.com>

Fix for bug 3415286.  Trigger an action in init.rc to load the persistent
properties after /data has been decrypted and mounted.

Change-Id: I5fe3b481bcc6963113e830728c204b22ffc3b722

The new android_reboot() function is a nicer way to reboot.
It can optionally sync(2) and remount as read-only writable
filesystems.  This fixes bug 3350709.

Change-Id: I4618bd5e8cccdce08494a7ca3f40ef72b2875e68

Need to detect if the encryption process didn't finish successfully, and if
so, provide a way for the UI to detect that and give the user an option to
wipe the system clean.  Otherwise, the user is stuck in a reboot loop, and
they will need to do magic button presses to enter recovery and wipe the
device to get out of it.

Change-Id: I58253e1e523ee42bdd1a59aa7d8a9d20071bd18b

* commit '18ed5640':
  Use LOOP_GET_STATUS64 for checking loop devices

* commit '7f7dbaa2':
  Improve detection of incomplete encryption

To determine whether a loop device was available, we use an ioctl call
to LOOP_GET_STATUS, but this fails on devices with large storage
partitions with errno = EOVERFLOW. Instead use LOOP_GET_STATUS64 which
succeeds.

Bug: 3412121
Change-Id: Ica3cb48885d3555f2d27073c00e31fc51a08c730

Bug 3384231 is punted to MR1, but the code to set the flag is already
in the tree, so this CL does 3 things:

1.  Comments out the lines that set the flag
2.  Removes the change to the checkpw that was added in the last change.
3.  Implements a new command to check the flag (which no one is calling
    yet and the flag won't be set anyhow).

When MR1 comes, it will be a simple matter to enable the flag setting
code and start testing it.

The fear is a false positive detection of incomplete encryption could
cause people to be prompted to wipe their data when MR1 comes out and
the flag is checked.  Not setting this for first release, and testing
this more before MR1, will give us confidence that the code will not
detect false positives of encryption failure.

Change-Id: I6dfba11646e291fe5867e8375b71a53c815f3968

* commit 'd33d417e':
  Detect when encryption failed to complete

For the case there encryption failes to complete because of a kernel
crash or the user power cycling the device, define a flag in the
crypto footer that says encryption is in progress.  Set it when starting
the actual encryption, and clear it when it successfully completes.

When the user is asked for the disk password, if the flag is set,
return a special error to the caller so the UI can know to tell the
user there is no valid data on the disk, and present a button to
wipe and reset the device.

Change-Id: I3723ec77f33437d94b3ac9ad5db0a5c950d11648

* commit '5d4c68e4':
  Have vold grab a partial wakelock when encrypting

The Progress bar UI grabs a full wakelock when encrypting, but we've seen
a case where it looks like the progress bar UI crashes, and the wakelock is
lost, and then all hell breaks loose.  The enablecrypto command has a lot of
work to do, and it will take some time, so it should grab a wakelock to
ensure it can finish without being interrupted and put to sleep.

It grabs a partial wake lock, as it doesn't need the screen to be on to do
its work.  If the UI wants to keep it on, it should also grab a full wakelock,
which it does.  If the UI crashes, the screen may turn off, but the encryption
will keep going, and vold will reboot the device when it's done.

Change-Id: I51d3a72b8c77383044a3facb1604c1ee510733ae

am 3f476690: Merge "Don\'t try to encrypt in place a filesystem that is too large and return proper errors" into honeycomb

* commit '3f476690':
  Don't try to encrypt in place a filesystem that is too large and return proper errors

Merge "Don't try to encrypt in place a filesystem that is too large and return proper errors" into honeycomb

* commit '70a4b3fd':
  Change cryptfs changepw to only require a new password.

If the already existing filesystem encompasses the entire /data partition
and does not leave the last 16 Kbytes for the crypto footer, refuse to
do encrypt in place and return an error.  This is only an issue for folks
with early development systems trying to encrypt an old /data.  This should
not be seen in released devices.

Also, if there is an error, try to report back to the UI what the error was
so it can deal with it.

Change-Id: If66781a4fe03034c96c3dd12075240deb8663db0

The master key is now stored unhashed in memory. This
is needed because certain operation like remote reseting
of passwords the old password is not avaliable.
The changepw interface has been changed to only take
the new password as the only argument. When this is
called we reencrypt the master key with the new password
and old salt.

Bug: 3382129
Change-Id: I9a596b89013194605d6d7790067691aa0dc75e72

* commit '0167cb15':
  Always return success if the command was run.

The caller will check the result code for success. This prevents a exception from being thrown when the result code needs to be propagated to the caller.

Change-Id: I471e8d6eb6f339c6f4e40f47adf60d20f6a70974

* commit 'e8744070':
  Create and use a salt when calling pbkdf2 to encrypt/decrypt the master key.

* commit '0cc16638':
  Verify that it's OK to run the various cryptfs commands

In order to prevent rainbow table attacks on decrypting the master key,
create a 16 byte "salt" by reading /dev/urandom.  This is done right after
reading urandom to get the master key for the filesystem.  The salt is
stored 32 bytes after the end of the key (a padding added to help prevent
accidental overwriting of the salt) and the salt is fixed at 16 bytes long.

This change will make existing encrypted filesystems unusable.

Change-Id: I420549d064c61d38aea78eef4d86c88acb265ca3

* commit '7df84120':
  Don't wait for the framework to come up before starting to encrypt in place.

Maintain and query some internal state to know if it's OK to run
the various cryptfs commands.  Do not allow enablecrypto to run if
the device is already encrypted.  Do no allow restart to run if
we have already run it before or if the password has not been
validated.  Do not allow checkpw to run if not encrypted, or it
has already validated the password.

This is an extra layer of safety on top of the checks up in the
UI code agains possible DoS attacks on the device.

Change-Id: I9afc8d42773020e82a512e6b637feede101d1362

Also, change the value that triggers the progress bar framework from
"startup" to "0" in the property vold.encrypt_progress.

Change-Id: I3890e66a95283ce2ceeca82f516859b083919b9e

* commit '57b63e61':
  Minor tweaks to logging for the cryptfs changepw command.

Change-Id: I87ff9788a56de6d461002407bf6c3cd4c6f900ee

* commit '8ddbe40a':
  Updates to cryptfs framework.

Update the enable inplace API to allow the UI to show a progress bar.
Add new command changepw (whichis currently not working)
Internal restructuring of code to support these two features.
Some minor cleanup of the code as well.

Change-Id: I11461fc9ce66965bea6cd0b6bb2ff48bcf607b97

* commit '6864b7ec':
  Change the cryptfs command to separate out checking the password and restarting

In order to make the animations and the UI look right, we need to change
the cryptfs checkpw command to return a status if the password was
correct or not, and not have it automatically restart if it's correct.

There is a new command restart that will restart the framework with the
encrypted filesystem.

Change-Id: Ia8ae00d7ed8667699aa58d05ad8ba953cca9316e

* commit '2eaf7138':
  Cleanup a few issues with the cryptfs code.

Now that the framework shuts down quickly, remove the 30
second sleep when enabling crypto.  Also, stop spewing
the secret master key to the disk in the system log!

Change-Id: Icb3f9456ababe3dff8de52cbbae92da0e9e5dd2f

This reverts commit 499806cd.

Change-Id: I3526b1920817c2a28ac3e84c1ea278932a9ec895

There are still a few hacks and performance issues related
to shutting down the framework in this code, but it is
functional and tested.  Without the UI changes, it requires
cryptic adb shell commands to enable, which I shall not
utter here.

Change-Id: I0b8f90afd707e17fbdb0373d156236946633cf8b

Change-Id: I9770ab880f379e2f7f6a93d3c84990edec60a116
Signed-off-by: Mike Lockwood <lockwood@android.com>

* commit 'c1d80272':
  vold: replace strsep by strtok_r