fs: crypto: Add support for legacy pfk based FBE
Enable legacy method to generate aes keys derived from nonce and master key. In private mode the keys will be used as file encryption keys and set into Inline Crypto Engine hardware. This will be used to support OTA upgrades where device were launched using legacy PFK generation method. Test: 1) Flashed P meta, create multiple files under /data. 2) Set PIN 3) Build R (include OTA changes) and flash APPS images of R except userdata and boot the device. 4) Device booted upto UI. 5) Unlock device by PIN set on P build. 6) Files created with Q build retained. 7) Created new files under /data and checked retention across multiple re-boots. Change-Id: I6b4e49ed4549bf4f27ea63ab33016b00dca9fcf0 Signed-off-by: Jiten Patel <jitepate@codeaurora.org>
This commit is contained in:
parent
05d7be5fc4
commit
f4ecbf76c7
@ -29,3 +29,12 @@ config FS_ENCRYPTION_INLINE_CRYPT
|
||||
depends on FS_ENCRYPTION && BLK_INLINE_ENCRYPTION
|
||||
help
|
||||
Enable fscrypt to use inline encryption hardware if available.
|
||||
|
||||
config ENABLE_LEGACY_PFK
|
||||
bool "Legacy method to generate per file key"
|
||||
default n
|
||||
help
|
||||
Enable legacy method to generate aes keys derived
|
||||
from nonce and master key. In private mode the keys
|
||||
will be used by inline crypto hardware to encrypt the
|
||||
file content.
|
||||
|
@ -302,7 +302,7 @@ static int setup_v1_file_key_direct(struct fscrypt_info *ci,
|
||||
static int setup_v1_file_key_derived(struct fscrypt_info *ci,
|
||||
const u8 *raw_master_key)
|
||||
{
|
||||
u8 *derived_key;
|
||||
u8 *derived_key = NULL;
|
||||
int err;
|
||||
int i;
|
||||
union {
|
||||
@ -334,7 +334,21 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
|
||||
ci->ci_hashed_ino = siphash_1u64(ci->ci_inode->i_ino,
|
||||
&ino_hash_key.k);
|
||||
}
|
||||
|
||||
#if IS_ENABLED(CONFIG_ENABLE_LEGACY_PFK)
|
||||
derived_key = kmalloc(ci->ci_mode->keysize, GFP_NOFS);
|
||||
if (!derived_key)
|
||||
return -ENOMEM;
|
||||
|
||||
err = derive_key_aes(raw_master_key, ci->ci_nonce,
|
||||
derived_key, ci->ci_mode->keysize);
|
||||
if (err)
|
||||
goto out;
|
||||
|
||||
memcpy(key_new.bytes, derived_key, ci->ci_mode->keysize);
|
||||
#else
|
||||
memcpy(key_new.bytes, raw_master_key, ci->ci_mode->keysize);
|
||||
#endif
|
||||
|
||||
for (i = 0; i < ARRAY_SIZE(key_new.words); i++)
|
||||
__cpu_to_be32s(&key_new.words[i]);
|
||||
@ -344,6 +358,9 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
|
||||
ci->ci_mode->keysize,
|
||||
false,
|
||||
ci);
|
||||
if (derived_key)
|
||||
kzfree(derived_key);
|
||||
|
||||
return err;
|
||||
}
|
||||
/*
|
||||
@ -361,7 +378,9 @@ static int setup_v1_file_key_derived(struct fscrypt_info *ci,
|
||||
|
||||
err = fscrypt_set_per_file_enc_key(ci, derived_key);
|
||||
out:
|
||||
kzfree(derived_key);
|
||||
if (derived_key)
|
||||
kzfree(derived_key);
|
||||
|
||||
return err;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user