gs101: use wrapped keys for storage encryption

Make better use of the new hardware by using wrapped keys via the KDN (Key Distribution Network), rather than standard keys. Wrapped keys are slightly better protected against being compromised. When this change is submitted, a factory reset will be required. Bug: 149360056 Test: Booted Android and verified via the kernel log and 'dmctl table userdata' that both FBE and metadata encryption are using wrapped keys. Also ran vts_kernel_encryption_test. Also storage-qa and reboot stress testing (b/178650615). Change-Id: Iab6f4199306de02b5846062e7499783b7aedf901
2021-01-20 16:57:13 -08:00 · 2021-01-20 16:57:13 -08:00 · c27e9e5ff9
commit c27e9e5ff9
parent fa50bf6c7c
1 changed files with 1 additions and 1 deletions
--- a/conf/fstab.gs101
+++ b/conf/fstab.gs101
@ -15,6 +15,6 @@ vendor                                                   /vendor
 /dev/block/platform/14700000.ufs/by-name/misc            /misc                       emmc    defaults                 wait
 /dev/block/platform/14700000.ufs/by-name/metadata        /metadata                   ext4    noatime,nosuid,nodev,data=journal,commit=1    wait,check,formattable,first_stage_mount,metadata_csum
 /dev/block/platform/14700000.ufs/by-name/pvmfw           /pvmfw                      emmc    defaults                 wait,slotselect,avb=pvmfw,first_stage_mount
-/dev/block/platform/14700000.ufs/by-name/userdata        /data                       f2fs    noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,atgc    latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=aes-256-xts:aes-256-cts:v2,keydirectory=/metadata/vold/metadata_encryption,fscompress
+/dev/block/platform/14700000.ufs/by-name/userdata        /data                       f2fs    noatime,nosuid,nodev,discard,reserve_root=32768,resgid=1065,fsync_mode=nobarrier,inlinecrypt,compress_extension=apk,compress_extension=apex,compress_extension=so,atgc    latemount,wait,check,quota,formattable,sysfs_path=/dev/sys/block/bootdevice,checkpoint=fs,reservedsize=128M,fileencryption=::inlinecrypt_optimized+wrappedkey_v0,metadata_encryption=:wrappedkey_v0,keydirectory=/metadata/vold/metadata_encryption,fscompress
 /dev/block/zram0                                         none                        swap    defaults                 zramsize=2147483648,max_comp_streams=8,zram_backingdev_size=512M
 /devices/platform/11110000.usb*                          auto                        vfat    defaults                 voldmanaged=usb:auto