/*
 * Copyright (C) 2016 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

#ifndef ANDROID_VOLD_KEYUTIL_H
#define ANDROID_VOLD_KEYUTIL_H

#include "KeyBuffer.h"
#include "KeyStorage.h"

#include <fscrypt/fscrypt.h>

#include <memory>
#include <string>

namespace android {
namespace vold {

// NOTE(review): a using-directive in a header makes every android::fscrypt
// name visible inside android::vold for each file that includes this header.
using namespace android::fscrypt;

// Description of how to generate a key when needed.
struct KeyGeneration {
    // Size of the key to generate.
    // NOTE(review): presumably in bytes — confirm against generateStorageKey().
    size_t keysize;
    // When false, generateStorageKey() returns false instead of producing a
    // key (see neverGen()).
    bool allow_gen;
    // NOTE(review): by its name, selects a hardware-wrapped key instead of a
    // raw one; the exact effect is not visible from this header — confirm.
    bool use_hw_wrapped_key;
};

// Generate a key as specified in KeyGeneration. The key is handed back through
// *key, the only output parameter.
//
// Returns false when gen.allow_gen is false (see neverGen()); other failure
// conditions are not visible from this header.
bool generateStorageKey(const KeyGeneration& gen, KeyBuffer* key);

// Returns a key with allow_gen false so generateStorageKey returns false;
// this is used to indicate to retrieveOrGenerateKey that a key should not
// be generated.
const KeyGeneration neverGen();

// NOTE(review): presumably reports whether the kernel supports the
// filesystem-level keyring (FS_IOC_ADD_ENCRYPTION_KEY) that installKey() and
// evictKey() refer to — confirm against the implementation.
bool isFsKeyringSupported(void);

// Install a file-based encryption key to the kernel, for use by encrypted files
// on the specified filesystem using the specified encryption policy version.
//
// For v1 policies, we use FS_IOC_ADD_ENCRYPTION_KEY if the kernel supports it.
// Otherwise we add the key to the global session keyring as a "logon" key.
//
// For v2 policies, we always use FS_IOC_ADD_ENCRYPTION_KEY; it's the only way
// the kernel supports.
//
// If the kernel supports FS_IOC_ADD_ENCRYPTION_KEY, this also installs a key of
// fscrypt-provisioning type to the global session keyring. This makes it
// possible to unmount and then remount the mountpoint without losing the
// file-based key.
//
// Consequence of the above: with the provisioning copy in place, unmounting by
// itself does not discard the key.
// NOTE(review): whether evictKey() also removes the provisioning copy is not
// visible from this header — confirm in the implementation.
//
// Returns true on success, false on failure. On success also sets *policy
// to the EncryptionPolicy used to refer to this key.
bool installKey(const std::string& mountpoint, const EncryptionOptions& options,
                const KeyBuffer& key, EncryptionPolicy* policy);

// Evict a file-based encryption key from the kernel.
//
// This undoes the effect of installKey().
//
// If the kernel doesn't support the filesystem-level keyring, the caller is
// responsible for dropping caches.
// NOTE(review): presumably because data cached under the evicted key would
// otherwise stay accessible — confirm.
bool evictKey(const std::string& mountpoint, const EncryptionPolicy& policy);

// NOTE(review): undocumented in the original. Judging by the name and by the
// neverGen() comment, this loads the key stored at key_path and, when none can
// be retrieved, generates one as described by gen; passing neverGen() as gen
// suppresses generation. The key is handed back through *key. The roles of
// tmp_path, key_authentication and keepOld (default true) are not visible from
// this header — confirm in the implementation before relying on them.
bool retrieveOrGenerateKey(const std::string& key_path, const std::string& tmp_path,
                           const KeyAuthentication& key_authentication, const KeyGeneration& gen,
                           KeyBuffer* key, bool keepOld = true);

// Re-installs a file-based encryption key of fscrypt-provisioning type from the
// global session keyring back into the fs keyring of the mountpoint. The
// provisioning key is the one installKey() places in the session keyring when
// the kernel supports FS_IOC_ADD_ENCRYPTION_KEY.
bool reloadKeyFromSessionKeyring(const std::string& mountpoint, const EncryptionPolicy& policy);

}  // namespace vold
}  // namespace android

#endif