From c27e9e5ff94f19541ba10d4b7eab601033412a23 Mon Sep 17 00:00:00 2001 From: Eric Biggers Date: Wed, 20 Jan 2021 16:57:13 -0800 Subject: [PATCH] gs101: use wrapped keys for storage encryption Make better use of the new hardware by using wrapped keys via the KDN (Key Distribution Network), rather than standard keys. Wrapped keys are slightly better protected against being compromised. When this change is submitted, a factory reset will be required. Bug: 149360056 Test: Booted Android and verified via the kernel log and 'dmctl table userdata' that both FBE and metadata encryption are using wrapped keys. Also ran vts_kernel_encryption_test. Also storage-qa and reboot stress testing (b/178650615). Change-Id: Iab6f4199306de02b5846062e7499783b7aedf901
---
 conf/fstab.gs101 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/conf/fstab.gs101 b/conf/fstab.gs101
index 8bfd58cd..66f9b768 100644
--- a/conf/fstab.gs101
+++ b/conf/fstab.gs101
@@ -15,6 +15,6 @@ vendor /vendor
 /dev/block/platform/14700000.ufs/by-name/misc /misc emmc defaults wait
 /dev/block/platform/14700000.ufs/by-name/metadata /metadata ext4 noatime,nosuid,nodev,data=journal,commit=1 wait,check,formattable,first_stage_mount,metadata_csum
 /dev/block/platform/14700000.ufs/by-name/pvmfw /pvmfw emmc defaults wait,slotselect,avb=pvmfw,first_stage_mount
-/dev/block/platform/14700000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,atgc latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=aes-256-xts:aes-256-cts:v2,keydirectory=/metadata/vold/metadata_encryption,fscompress
+/dev/block/platform/14700000.ufs/by-name/userdata /data f2fs noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,atgc latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=::inlinecrypt_optimized+wrappedkey_v0,metadata_encryption=:wrappedkey_v0,keydirectory=/metadata/vold/metadata_encryption,fscompress
 /dev/block/zram0 none swap defaults zramsize=2147483648,max_comp_streams=8,zram_backingdev_size=512M
 /devices/platform/11110000.usb* auto vfat defaults voldmanaged=usb:auto
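Review bot: The new `fileencryption=::inlinecrypt_optimized+wrappedkey_v0` on the userdata line drops the explicit `aes-256-xts:aes-256-cts:v2` and leaves the ciphers and policy version to whatever the parser defaults to, so the effective policy is no longer readable from the fstab itself. I would spell it out, `fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized+wrappedkey_v0` and `metadata_encryption=aes-256-xts:wrappedkey_v0`, assuming the `+`-separated flag list accepts `v2` alongside the other two. The line also turns on `inlinecrypt_optimized`, which the commit message does not mention; if that changes how per-file keys and IVs are derived, as I understand it does, it deserves a sentence there. A `#` comment above the entry noting that these options cannot change on a device with existing data without a factory reset would keep the next editor from treating them as tunable.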