    vold_decrypt: FDE Keymaster 3.0 support · 7d1222a5
    nkk71 authored
    * HTC U11 Oreo is using keymaster3 FDE encryption which requires
      the new services:
        1- /system/bin/hwservicemanager
        2- /vendor/bin/hw/android.hardware.keymaster@3.0-service
        3- /vendor/bin/qseecomd (instead of /system/bin/qseecomd)
      So in addition to /vendor/lib and /vendor/lib64 also
      symlink /system/vendor/bin to /vendor/bin.
    
    * vold_decrypt services now have separate prefixes:
        1- 'sys_' referring to /system/bin
        2- 'ven_' referring to /vendor/bin
    
    * The additional (hwservicemanager, keymaster-3-0) and modified
      (qseecomd) .rc files have been updated in the vold_decrypt
      directory.
      Comments were added directly in the .rc files, please check
      them.
    
    * /etc/recovery.fstab needs to be temporarily moved since
      vold will use it if it finds the '/sbin/recovery' file
      (refer to fs_mgr for the fstab load code https://goo.gl/8KaZyf).
      Since fs_mgr cannot parse TWRP style fstab, we 'hide' it
      and attempt to create a symlink to /fstab.{ro.hardware}.
    
    Also remove shell dependencies, code cleanup, new error codes:
    * Critical sections of vold_decrypt should not rely on the external
      shell (and the available binaries) provided by TWFunc::Exec_Cmd.
      Doing so may lead to failures resulting from different shell
      provided binaries not working properly, especially since busybox
      can be inconsistent across different trees.
    
      In particular the following functions have been changed:
      * run_vdc() no longer uses daisy chained commands, instead
        it now forks and executes vdc directly including a 30 second
        built in timeout.
      * Symlink_Firmware_Files() no longer relies on the shell 'find'
        command to retrieve the list of firmware/vendor files and instead
        uses a built in function, Find_Firmware_Files(), which traverses
        the system partition to retrieve the list of files.
    
    * The code has also been cleaned up a little for better consistency,
      and vold_decrypt will now return various error codes for the
      different failures, as defined in vold_decrypt.h, which allows the
      gui_msg to be moved back to partitionmanager.cpp.
    
    Notes regarding pre Android 8.0 builds:
    * Service names in .rc files cannot exceed 16 characters (including
      the prepended 'sys_' or 'ven_') in Android 7.1 and below, so a
      service name such as 'sys_hwservicemanager' is out of the question
      for 7.1 and below.
    * hwservicemanager will check ACLs on 'hwservicemanager' and 'ITokenManager'
      if they are even allowed to run, otherwise the interfaces will fail.
      The policies have only been introduced in 8.0, and although it is possible
      to manually add them to the 7.1 policies it's not recommended.
    * Therefore the best course of action is to build in 8.0.
    
    * SIDE NOTE: On the HTC U11 we are actually using omni-7.1 with some changes
      in the device tree to support both Nougat and Oreo decryption, please
      refer to:
        1- https://gerrit.twrp.me/c/2756/ for the necessary sepolicy and
           BoardConfig changes.
        2- The Android.mk file for vold_decrypt was modified to truncate
           greater than 16 character service names (as mentioned therein)
    
    Other changes:
    * TW_CRYPTO_SYSTEM_VOLD_DISABLE_TIMEOUT is now deprecated due to built-
      in fork and timeout.
    * Output_dmesg_to_recovery_log() is also deprecated so upon a failed
      decryption the recovery.log will no longer append it, instead you can
      just use 'adb shell dmesg' to check it. Nonetheless if a true debug
      build is needed use the original TW_CRYPTO_SYSTEM_VOLD_DEBUG flag as
      outlined in the original commit message (see below).
    
    Usage info:
    This is an update to the initial vold_decrypt, for more info refer to
    https://github.com/omnirom/android_bootable_recovery/commit/71c6c50d0da1f32dd18a749797e88de2358c5ba1
    
    Change-Id: Id7129d125ae7f5dcba0779489825add718022ba3
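The commit message above says run_vdc() now forks and executes vdc directly with a built-in 30 second timeout instead of relying on the shell. The pattern is sketched below as an added example; it is not the code from this commit, and `run_with_timeout()`, the `ExecResult` codes and the 50 ms poll interval are assumptions made for illustration.

```cpp
#include <cerrno>
#include <cstdio>
#include <signal.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

// Hypothetical result codes for this example (not those in vold_decrypt.h).
enum ExecResult { EXEC_OK = 0, EXEC_SYS_ERROR = -1, EXEC_TIMEOUT = -2, EXEC_KILLED = -3 };

static long elapsed_ms(const struct timespec &a, const struct timespec &b) {
    return (b.tv_sec - a.tv_sec) * 1000L + (b.tv_nsec - a.tv_nsec) / 1000000L;
}

// Executes argv[0] from an argument vector, never through "sh -c": no shell or
// busybox applet is needed, and metacharacters inside arguments stay inert.
ExecResult run_with_timeout(char *const argv[], int timeout_sec, int *exit_code) {
    pid_t pid = fork();
    if (pid < 0) return EXEC_SYS_ERROR;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);  // exec failed; 127 mirrors the shell's "not found" code
    }
    struct timespec start, now;
    clock_gettime(CLOCK_MONOTONIC, &start);  // monotonic: immune to clock changes
    for (;;) {
        int status = 0;
        pid_t r = waitpid(pid, &status, WNOHANG);
        if (r == pid) {
            if (!WIFEXITED(status)) return EXEC_KILLED;  // child died on a signal
            *exit_code = WEXITSTATUS(status);
            return EXEC_OK;
        }
        if (r < 0 && errno != EINTR) return EXEC_SYS_ERROR;
        clock_gettime(CLOCK_MONOTONIC, &now);
        if (elapsed_ms(start, now) >= timeout_sec * 1000L) {
            kill(pid, SIGKILL);        // deadline passed: stop the child
            waitpid(pid, &status, 0);  // reap it so no zombie is left behind
            return EXEC_TIMEOUT;
        }
        usleep(50 * 1000);  // poll every 50 ms
    }
}

int main() {
    // Constructed sample command: sleeps longer than the 1 second deadline.
    char *const cmd[] = {(char *)"sleep", (char *)"5", nullptr};
    int code = -1;
    ExecResult r = run_with_timeout(cmd, 1, &code);
    std::printf("result=%d exit=%d\n", r, code);
    return 0;
}
```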
Name
adbbu
applypatch
attr
bmlutils
bootloader_message
bootloader_message_twrp
crypto
dosfstools
edify
etc
exfat
fb2png
flashutils
fonts
fuse
gpt
gui
htcdumlock
injecttwrp
libblkid
libcrecovery
libmincrypt
libpixelflinger
libtar
minadbd
minadbd21
minui
minui21
minuitwrp
minzip
mmcutils
mtdutils
mtp
openaes
orscmd
otafault
otautil
pigz
prebuilt
private
res
res-hdpi/images
res-mdpi/images
res-xhdpi/images
res-xxhdpi/images
res-xxxhdpi/images
scripts
sepolicy
simg2img
tests
toolbox
tools
toybox
twrpDigest
twrpTarMain
uncrypt
update_verifier
updater
verifier24
.clang-format
.gitignore
Android.mk
CleanSpec.mk
NOTICE
README.md
adb_install.cpp
adb_install.h
asn1_decoder.cpp
asn1_decoder.h
bootloader.h
common.h
data.cpp
data.hpp
default_device.cpp
device.cpp
device.h
error_code.h
exclude.cpp
exclude.hpp
find_file.cpp
find_file.hpp
fixContexts.cpp
fixContexts.hpp
fuse.h
fuse_sdcard_provider.cpp
fuse_sdcard_provider.h
fuse_sideload.cpp
fuse_sideload.h
infomanager.cpp
infomanager.hpp
install.cpp
install.h
installcommand.cpp
installcommand.h
interlace-frames.py
legacy_properties.h
legacy_property_service.cpp
legacy_property_service.h
mounts.c
mounts.cpp
mounts.h
mounts.h~HEAD
openrecoveryscript.cpp
openrecoveryscript.hpp
partition.cpp
partitionmanager.cpp
partitions.hpp
print_sha1.h
progresstracking.cpp
progresstracking.hpp
recovery-persist.cpp
recovery-persist.rc
recovery-refresh.cpp
recovery-refresh.rc
recovery.cpp
recovery_ui.h
res-560dpi
roots.cpp
roots.h
rotate_logs.cpp
rotate_logs.h
screen_ui.cpp
screen_ui.h
set_metadata.cpp
set_metadata.h
stub_ui.h
tarWrite.c
tarWrite.h
tw_atomic.cpp
tw_atomic.hpp
twcommon.h
twinstall.cpp
twinstall.h
twinstallorig.cpp
twinstallorig.h
twrp-functions.cpp
twrp-functions.hpp
twrp.cpp
twrpAdbBuFifo.cpp
twrpAdbBuFifo.hpp
twrpDigestDriver.cpp
twrpDigestDriver.hpp
twrpTar.cpp
twrpTar.h
twrpTar.hpp
ui.cpp
ui.h
variables.h
verifier.cpp
verifier.h
wear_touch.cpp
wear_touch.h
wear_ui.cpp
wear_ui.h
zipwrap.cpp
zipwrap.hpp