Evolution-X-Tensor/device_google_zuma
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
device_google_zuma/conf/Android.bp
Kenny Root 4e34e0ac28 fstab: add back inlinecrypt for hw encryption 
Without this flag, fscrypt will return error for any filesystem operation involving
the partitions mounted with the fileencryption=::inlinecrypt_optimized flag.

Bug: 241606997
Test: enable KDN, switch to :gen_fstab.foo-hw-encrypt
Signed-off-by: Kenny Root <kroot@google.com>
Change-Id: I9601fcdfa627df4e67f1586cd32ceef3c1f9ecac
2022-08-08 16:49:08 -07:00

76 lines
2.7 KiB
Text
Raw Blame History

/*
* Copyright (C) 2021 The Android Open Source Project
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
// By default this device uses hardware-wrapped keys for storage encryption,
// which is intended to offer increased security over the traditional method
// (software keys). However, hardware-wrapped keys aren't compatible with
// FIPS-140 certification of the encryption hardware, and hence we have to
// disable the use of them in FIPS mode. This requires having two fstab files:
// one for the default mode, and one for FIPS mode selectable via
// androidboot.fstab_suffix on the kernel command line. These fstabs should be
// identical with the exception of the encryption settings, so to keep them in
// sync the rules below generate them from a template file.
package {
// See: http://go/android-license-faq
// A large-scale-change added 'default_applicable_licenses' to import
// all of the 'license_kinds' from "device_google_zuma_license"
// to get the below license kinds:
// SPDX-license-identifier-Apache-2.0
default_applicable_licenses: ["device_google_zuma_license"],
}
genrule {
name: "gen_fstab.zuma-hw-encrypt",
srcs: ["fstab.zuma.in"],
out: ["fstab.zuma"],
cmd: "sed -e s/@fileencryption@/::inlinecrypt_optimized+wrappedkey_v0/" +
" -e s/@inlinecrypt@/inlinecrypt/ " +
" -e s/@metadata_encryption@/:wrappedkey_v0/ $(in) > $(out)",
}
genrule {
name: "gen_fstab.zuma-sw-encrypt",
srcs: ["fstab.zuma.in"],
out: ["fstab.zuma"],
cmd: "sed -e s/@fileencryption@/aes-256-xts/" +
" -e s/@inlinecrypt@// " +
" -e s/@metadata_encryption@// $(in) > $(out)",
}
genrule {
name: "gen_fstab.zuma-fips",
srcs: ["fstab.zuma.in"],
out: ["fstab.zuma-fips"],
cmd: "sed -e s/@fileencryption@/aes-256-xts/" +
" -e s/@inlinecrypt@/inlinecrypt/ " +
" -e s/@metadata_encryption@/aes-256-xts/ $(in) > $(out)",
}
// TODO: change below to gen_fstab.zuma-hw-encrypt once GSA is ready
prebuilt_etc {
name: "fstab.zuma",
src: ":gen_fstab.zuma-sw-encrypt",
vendor: true,
vendor_ramdisk_available: true,
}
prebuilt_etc {
name: "fstab.zuma-fips",
src: ":gen_fstab.zuma-fips",
vendor: true,
vendor_ramdisk_available: true,
}
Reference in a new issue View git blame Copy permalink