Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5d7c35ce authored by Eric Biggers's avatar Eric Biggers
Browse files

init: remove session keyring workaround for old kernels 

The android-4.14-stable and later kernels support the
FS_IOC_ADD_ENCRYPTION_KEY and FS_IOC_REMOVE_ENCRYPTION_KEY ioctls.  This
has superseded the old way of adding fscrypt keys to the kernel, which
was to use the add_key() syscall to add keys to the "session" keyring.
On kernels that support the ioctls, Android doesn't use the obsolete
way.  Since upgrading even just to Android 14 requires at minimum a
android-4.14-stable kernel (according to
https://source.android.com/docs/core/architecture/kernel/android-common#compatibility-matrix),
there is no need to support the obsolete way anymore.

Therefore, this commit removes the code from init that created a keyring
named "fscrypt" in the session keyring.  It also removes the code that
created the session keyring itself, since the only reason that Android
even created a session keyring was just to hold the "fscrypt" keyring.

Flag: N/A for the following reasons:
      - Removing obsolete code, which is fairly safe
      - Very early code, so runtime flag cannot be used
      - Even a build-time flag cannot be used, since init needs
        recovery_available, which aconfig libraries do not support

Bug: 311736104
Test: Build and boot Cuttlefish
Change-Id: Id9a184c68cf16d5c4b1d889444cf637c95a91413
parent bc907c00

init/Android.bp

+0 −1
Original line number Diff line number Diff line
@@ -188,7 +188,6 @@ libinit_cc_defaults { 
        "libfs_mgr",

        "libgsi",

        "libhidl-gen-utils",

        "libkeyutils",

        "liblog",

        "liblogwrap",

        "liblp",

init/builtins.cpp

+0 −3
Original line number Diff line number Diff line
@@ -592,9 +592,6 @@ static Result<void> queue_fs_event(int code) { 
    } else if (code == FS_MGR_MNTALL_DEV_FILE_ENCRYPTED ||

               code == FS_MGR_MNTALL_DEV_IS_METADATA_ENCRYPTED ||

               code == FS_MGR_MNTALL_DEV_NEEDS_METADATA_ENCRYPTION) {

        if (!FscryptInstallKeyring()) {

            return Error() << "FscryptInstallKeyring() failed";

        }

        SetProperty("ro.crypto.state", "encrypted");



        // Although encrypted, vold has already set the device up, so we do not need to

init/fscrypt_init_extensions.cpp

+0 −16
Original line number Diff line number Diff line
@@ -34,28 +34,12 @@ 
#include <cutils/properties.h>

#include <cutils/sockets.h>

#include <fscrypt/fscrypt.h>

#include <keyutils.h>

#include <logwrap/logwrap.h>



#define TAG "fscrypt"



using namespace android::fscrypt;



bool FscryptInstallKeyring() {

    if (keyctl_search(KEY_SPEC_SESSION_KEYRING, "keyring", "fscrypt", 0) != -1) {

        LOG(INFO) << "Keyring is already created";

        return true;

    }

    key_serial_t device_keyring = add_key("keyring", "fscrypt", 0, 0, KEY_SPEC_SESSION_KEYRING);



    if (device_keyring == -1) {

        PLOG(ERROR) << "Failed to create keyring";

        return false;

    }

    LOG(INFO) << "Keyring created with id " << device_keyring << " in process " << getpid();

    return true;

}



// TODO(b/139378601): use a single central implementation of this.

static void delete_dir_contents(const std::string& dir) {

    char* const paths[2] = {const_cast<char*>(dir.c_str()), nullptr};

init/fscrypt_init_extensions.h

+0 −1
Original line number Diff line number Diff line
@@ -25,6 +25,5 @@ enum class FscryptAction { 
    kDeleteIfNecessary,

};



bool FscryptInstallKeyring();

bool FscryptSetDirectoryPolicy(const std::string& ref_basename, FscryptAction action,

                               const std::string& dir);

init/fuzzer/Android.bp

+0 −1
Original line number Diff line number Diff line
@@ -32,7 +32,6 @@ cc_defaults { 
        "libbase",

        "libfs_mgr",

        "libhidl-gen-utils",

        "libkeyutils",

        "liblog",

        "libprocessgroup",

        "libselinux",