Merge "Remove obsolete support for emulated FBE" am: d96c8701 am: 5f2aa0bd...

            runBenchmark();

            runBenchmark();

        } else if ("forget".equals(op)) {

        } else if ("forget".equals(op)) {

            runForget();

            runForget();

        } else if ("set-emulate-fbe".equals(op)) {

            runSetEmulateFbe();

        } else if ("get-fbe-mode".equals(op)) {

        } else if ("get-fbe-mode".equals(op)) {

            runGetFbeMode();

            runGetFbeMode();

        } else if ("idle-maint".equals(op)) {

        } else if ("idle-maint".equals(op)) {

        }

        }

    }

    }

    public void runSetEmulateFbe() throws RemoteException {

        final boolean emulateFbe = Boolean.parseBoolean(nextArg());

        mSm.setDebugFlags(emulateFbe ? StorageManager.DEBUG_EMULATE_FBE : 0,

                StorageManager.DEBUG_EMULATE_FBE);

    }

    public void runGetFbeMode() {

    public void runGetFbeMode() {

        if (StorageManager.isFileEncryptedNativeOnly()) {

        if (StorageManager.isFileEncrypted()) {

            System.out.println("native");

            System.out.println("native");

        } else if (StorageManager.isFileEncryptedEmulatedOnly()) {

            System.out.println("emulated");

        } else {

        } else {

            System.out.println("none");

            System.out.println("none");

        }

        }

        System.err.println("");

        System.err.println("");

        System.err.println("       sm forget [UUID|all]");

        System.err.println("       sm forget [UUID|all]");

        System.err.println("");

        System.err.println("");

        System.err.println("       sm set-emulate-fbe [true|false]");

        System.err.println("");

        System.err.println("       sm start-checkpoint <num-retries>");

        System.err.println("       sm start-checkpoint <num-retries>");

        System.err.println("");

        System.err.println("");

        System.err.println("       sm supports-checkpoint");

        System.err.println("       sm supports-checkpoint");

    /** {@hide} */

    /** {@hide} */

    public static final String PROP_ADOPTABLE = "persist.sys.adoptable";

    public static final String PROP_ADOPTABLE = "persist.sys.adoptable";

    /** {@hide} */

    /** {@hide} */

    public static final String PROP_EMULATE_FBE = "persist.sys.emulate_fbe";

    /** {@hide} */

    public static final String PROP_SDCARDFS = "persist.sys.sdcardfs";

    public static final String PROP_SDCARDFS = "persist.sys.sdcardfs";

    /** {@hide} */

    /** {@hide} */

    public static final String PROP_VIRTUAL_DISK = "persist.sys.virtual_disk";

    public static final String PROP_VIRTUAL_DISK = "persist.sys.virtual_disk";

    /** {@hide} */

    /** {@hide} */

    public static final int DEBUG_ADOPTABLE_FORCE_OFF = 1 << 1;

    public static final int DEBUG_ADOPTABLE_FORCE_OFF = 1 << 1;

    /** {@hide} */

    /** {@hide} */

    public static final int DEBUG_EMULATE_FBE = 1 << 2;

    public static final int DEBUG_SDCARDFS_FORCE_ON = 1 << 2;

    /** {@hide} */

    public static final int DEBUG_SDCARDFS_FORCE_ON = 1 << 3;

    /** {@hide} */

    /** {@hide} */

    public static final int DEBUG_SDCARDFS_FORCE_OFF = 1 << 4;

    public static final int DEBUG_SDCARDFS_FORCE_OFF = 1 << 3;

    /** {@hide} */

    /** {@hide} */

    public static final int DEBUG_VIRTUAL_DISK = 1 << 5;

    public static final int DEBUG_VIRTUAL_DISK = 1 << 4;

    /** {@hide} */

    /** {@hide} */

    public static final int FLAG_STORAGE_DE = IInstalld.FLAG_STORAGE_DE;

    public static final int FLAG_STORAGE_DE = IInstalld.FLAG_STORAGE_DE;

    }

    }

    /** {@hide}

    /** {@hide}

     * Is this device file encrypted?

     * Does this device have file-based encryption (FBE) enabled?

     * @return true for file encrypted. (Implies isEncrypted() == true)

     * @return true if the device has file-based encryption enabled.

     *         false not encrypted or using "managed" encryption

     */

     */

    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)

    public static boolean isFileEncrypted() {

    public static boolean isFileEncryptedNativeOnly() {

        if (!isEncrypted()) {

        if (!isEncrypted()) {

            return false;

            return false;

        }

        }

        return RoSystemProperties.CRYPTO_FILE_ENCRYPTED;

        return RoSystemProperties.CRYPTO_FILE_ENCRYPTED;

    }

    }

    /** {@hide} */

    /** {@hide}

    public static boolean isFileEncryptedEmulatedOnly() {

     * @deprecated Use {@link #isFileEncrypted} instead, since emulated FBE is no longer supported.

        return SystemProperties.getBoolean(StorageManager.PROP_EMULATE_FBE, false);

     */

    @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)

    @Deprecated

    public static boolean isFileEncryptedNativeOnly() {

        return isFileEncrypted();

    }

    }

    /** {@hide}

    /** {@hide}

     * Is this device running in a file encrypted mode, either native or emulated?

     * @deprecated Use {@link #isFileEncrypted} instead, since emulated FBE is no longer supported.

     * @return true for file encrypted, false otherwise

     */

     */

    @Deprecated

    public static boolean isFileEncryptedNativeOrEmulated() {

    public static boolean isFileEncryptedNativeOrEmulated() {

        return isFileEncryptedNativeOnly()

        return isFileEncrypted();

               || isFileEncryptedEmulatedOnly();

    }

    }

    /** {@hide} */

    /** {@hide} */

import android.os.ParcelFileDescriptor;

import android.os.ParcelFileDescriptor;

import android.os.ParcelableException;

import android.os.ParcelableException;

import android.os.PersistableBundle;

import android.os.PersistableBundle;

import android.os.PowerManager;

import android.os.Process;

import android.os.Process;

import android.os.RemoteCallbackList;

import android.os.RemoteCallbackList;

import android.os.RemoteException;

import android.os.RemoteException;

     */

     */

    private static final boolean WATCHDOG_ENABLE = true;

    private static final boolean WATCHDOG_ENABLE = true;

    /**

     * Our goal is for all Android devices to be usable as development devices,

     * which includes the new Direct Boot mode added in N. For devices that

     * don't have native FBE support, we offer an emulation mode for developer

     * testing purposes, but if it's prohibitively difficult to support this

     * mode, it can be disabled for specific products using this flag.

     */

    private static final boolean EMULATE_FBE_SUPPORTED = true;

    private static final String TAG = "StorageManagerService";

    private static final String TAG = "StorageManagerService";

    private static final boolean LOCAL_LOGV = Log.isLoggable(TAG, Log.VERBOSE);

    private static final boolean LOCAL_LOGV = Log.isLoggable(TAG, Log.VERBOSE);

        mVolumes.put(internal.id, internal);

        mVolumes.put(internal.id, internal);

    }

    }

    private void initIfBootedAndConnected() {

        Slog.d(TAG, "Thinking about init, mBootCompleted=" + mBootCompleted

                + ", mDaemonConnected=" + mDaemonConnected);

        if (mBootCompleted && mDaemonConnected

                && !StorageManager.isFileEncryptedNativeOnly()) {

            // When booting a device without native support, make sure that our

            // user directories are locked or unlocked based on the current

            // emulation status.

            final boolean initLocked = StorageManager.isFileEncryptedEmulatedOnly();

            Slog.d(TAG, "Setting up emulation state, initlocked=" + initLocked);

            final List<UserInfo> users = mContext.getSystemService(UserManager.class).getUsers();

            for (UserInfo user : users) {

                try {

                    if (initLocked) {

                        mVold.lockUserKey(user.id);

                    } else {

                        mVold.unlockUserKey(user.id, user.serialNumber, encodeBytes(null));

                    }

                } catch (Exception e) {

                    Slog.wtf(TAG, e);

                }

            }

        }

    }

    private void resetIfBootedAndConnected() {

    private void resetIfBootedAndConnected() {

        Slog.d(TAG, "Thinking about reset, mBootCompleted=" + mBootCompleted

        Slog.d(TAG, "Thinking about reset, mBootCompleted=" + mBootCompleted

                + ", mDaemonConnected=" + mDaemonConnected);

                + ", mDaemonConnected=" + mDaemonConnected);

    }

    }

    private void handleDaemonConnected() {

    private void handleDaemonConnected() {

        initIfBootedAndConnected();

        resetIfBootedAndConnected();

        resetIfBootedAndConnected();

    }

    }

    }

    }

    private void handleBootCompleted() {

    private void handleBootCompleted() {

        initIfBootedAndConnected();

        resetIfBootedAndConnected();

        resetIfBootedAndConnected();

    }

    }

    public void setDebugFlags(int flags, int mask) {

    public void setDebugFlags(int flags, int mask) {

        enforcePermission(android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS);

        enforcePermission(android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS);

        if ((mask & StorageManager.DEBUG_EMULATE_FBE) != 0) {

            if (!EMULATE_FBE_SUPPORTED) {

                throw new IllegalStateException(

                        "Emulation not supported on this device");

            }

            if (StorageManager.isFileEncryptedNativeOnly()) {

                throw new IllegalStateException(

                        "Emulation not supported on device with native FBE");

            }

            if (mLockPatternUtils.isCredentialRequiredToDecrypt(false)) {

                throw new IllegalStateException(

                        "Emulation requires disabling 'Secure start-up' in Settings > Security");

            }

            final long token = Binder.clearCallingIdentity();

            try {

                final boolean emulateFbe = (flags & StorageManager.DEBUG_EMULATE_FBE) != 0;

                SystemProperties.set(StorageManager.PROP_EMULATE_FBE, Boolean.toString(emulateFbe));

                // Perform hard reboot to kick policy into place

                mContext.getSystemService(PowerManager.class).reboot(null);

            } finally {

                Binder.restoreCallingIdentity(token);

            }

        }

        if ((mask & (StorageManager.DEBUG_ADOPTABLE_FORCE_ON

        if ((mask & (StorageManager.DEBUG_ADOPTABLE_FORCE_ON

                | StorageManager.DEBUG_ADOPTABLE_FORCE_OFF)) != 0) {

                | StorageManager.DEBUG_ADOPTABLE_FORCE_OFF)) != 0) {

            final String value;

            final String value;

            // We need all the users unlocked to move their primary storage

            // We need all the users unlocked to move their primary storage

            final List<UserInfo> users = mContext.getSystemService(UserManager.class).getUsers();

            final List<UserInfo> users = mContext.getSystemService(UserManager.class).getUsers();

            for (UserInfo user : users) {

            for (UserInfo user : users) {

                if (StorageManager.isFileEncryptedNativeOrEmulated()

                if (StorageManager.isFileEncrypted() && !isUserKeyUnlocked(user.id)) {

                        && !isUserKeyUnlocked(user.id)) {

                    Slog.w(TAG, "Failing move due to locked user " + user.id);

                    Slog.w(TAG, "Failing move due to locked user " + user.id);

                    onMoveStatusLocked(PackageManager.MOVE_FAILED_LOCKED_USER);

                    onMoveStatusLocked(PackageManager.MOVE_FAILED_LOCKED_USER);

                    return;

                    return;

    @Override

    @Override

    public void unlockUserKey(int userId, int serialNumber, byte[] secret) {

    public void unlockUserKey(int userId, int serialNumber, byte[] secret) {

        boolean isFsEncrypted = StorageManager.isFileEncryptedNativeOrEmulated();

        boolean isFileEncrypted = StorageManager.isFileEncrypted();

        Slog.d(TAG, "unlockUserKey: " + userId

        Slog.d(TAG, "unlockUserKey: " + userId

                + " isFileEncryptedNativeOrEmulated: " + isFsEncrypted

                + " isFileEncrypted: " + isFileEncrypted

                + " hasSecret: " + (secret != null));

                + " hasSecret: " + (secret != null));

        enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);

        enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);

            return;

            return;

        }

        }

        if (isFsEncrypted) {

        if (isFileEncrypted) {

            // When a user has a secure lock screen, a secret is required to

            // When a user has a secure lock screen, a secret is required to

            // unlock the key, so don't bother trying to unlock it without one.

            // unlock the key, so don't bother trying to unlock it without one.

            // This prevents misleading error messages from being logged.  This

            // This prevents misleading error messages from being logged.

            // is also needed for emulated FBE to behave like native FBE.

            if (mLockPatternUtils.isSecure(userId) && ArrayUtils.isEmpty(secret)) {

            if (mLockPatternUtils.isSecure(userId) && ArrayUtils.isEmpty(secret)) {

                Slog.d(TAG, "Not unlocking user " + userId

                Slog.d(TAG, "Not unlocking user " + userId

                        + "'s CE storage yet because a secret is needed");

                        + "'s CE storage yet because a secret is needed");

        return Environment.getDataUserDeDirectory(volumeUuid, userId);

        return Environment.getDataUserDeDirectory(volumeUuid, userId);

    }

    }

    @VisibleForTesting

    protected boolean isFileEncryptedEmulatedOnly() {

        return StorageManager.isFileEncryptedEmulatedOnly();

    }

    /**

    /**

     * Enforce that serial number stored in user directory inode matches the

     * Enforce that serial number stored in user directory inode matches the

     * given expected value. Gracefully sets the serial number if currently

     * given expected value. Gracefully sets the serial number if currently

     *             number is mismatched.

     *             number is mismatched.

     */

     */

    void enforceSerialNumber(File file, int serialNumber) throws IOException {

    void enforceSerialNumber(File file, int serialNumber) throws IOException {

        if (isFileEncryptedEmulatedOnly()) {

            // When we're emulating FBE, the directory may have been chmod

            // 000'ed, meaning we can't read the serial number to enforce it;

            // instead of destroying the user, just log a warning.

            Slog.w(TAG, "Device is emulating FBE; assuming current serial number is valid");

            return;

        }

        final int foundSerial = getSerialNumber(file);

        final int foundSerial = getSerialNumber(file);

        Slog.v(TAG, "Found " + file + " with serial number " + foundSerial);

        Slog.v(TAG, "Found " + file + " with serial number " + foundSerial);

        protected File getDataUserDeDirectory(String volumeUuid, int userId) {

        protected File getDataUserDeDirectory(String volumeUuid, int userId) {

            return new File(testDir, "user_de_" + userId);

            return new File(testDir, "user_de_" + userId);

        }

        }

        @Override

        protected boolean isFileEncryptedEmulatedOnly() {

            return false;

        }

    }

    }

}

}