d4aea9089b
Fix prefix-correlation weakness in filenames encryption by switching to AES-256-HCTR2. Enabling HCTR2 fixes a longstanding known weakness in filenames encryption. Also enable HCTR2 for adoptable storage. Pixel phones don't have an SD card slot. So they can only have adoptable storage through the "Virtual SD Card", which is for testing only. Bug: 265046004 Test: Equivalent changes were tested on P21 since I don't have a P23. Will be tested with storage-qa. Change-Id: I0666eb07c4b93b1bab4da41e3b4f5019ac38c213
84 lines
3 KiB
Text
84 lines
3 KiB
Text
/*
|
|
* Copyright (C) 2021 The Android Open Source Project
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
// By default this device uses hardware-wrapped keys for storage encryption,
|
|
// which is intended to offer increased security over the traditional method
|
|
// (software keys). However, hardware-wrapped keys aren't compatible with
|
|
// FIPS-140 certification of the encryption hardware, and hence we have to
|
|
// disable the use of them in FIPS mode. This requires having two fstab files:
|
|
// one for the default mode, and one for FIPS mode selectable via
|
|
// androidboot.fstab_suffix on the kernel command line. These fstabs should be
|
|
// identical with the exception of the encryption settings, so to keep them in
|
|
// sync the rules below generate them from a template file.
|
|
|
|
package {
|
|
// See: http://go/android-license-faq
|
|
// A large-scale-change added 'default_applicable_licenses' to import
|
|
// all of the 'license_kinds' from "device_google_zuma_license"
|
|
// to get the below license kinds:
|
|
// SPDX-license-identifier-Apache-2.0
|
|
default_applicable_licenses: ["device_google_zuma_license"],
|
|
}
|
|
|
|
genrule {
|
|
name: "gen_fstab.zuma-hw-encrypt",
|
|
srcs: ["fstab.zuma.in"],
|
|
out: ["fstab.zuma"],
|
|
cmd: "sed -e s/@fileencryption@/fileencryption=:aes-256-hctr2:inlinecrypt_optimized+wrappedkey_v0/" +
|
|
" -e s/@inlinecrypt@/inlinecrypt/ " +
|
|
" -e s/@metadata_encryption@/metadata_encryption=:wrappedkey_v0/ $(in) > $(out)",
|
|
}
|
|
|
|
genrule {
|
|
name: "gen_fstab.zuma-sw-encrypt",
|
|
srcs: ["fstab.zuma.in"],
|
|
out: ["fstab.zuma"],
|
|
cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts:aes-256-hctr2/" +
|
|
" -e s/@inlinecrypt@// " +
|
|
" -e s/@metadata_encryption@/metadata_encryption=/ $(in) > $(out)",
|
|
}
|
|
|
|
genrule {
|
|
name: "gen_fstab.zuma-no-encrypt",
|
|
srcs: ["fstab.zuma.in"],
|
|
out: ["fstab.zuma"],
|
|
cmd: "sed -e s/@fileencryption@//" +
|
|
" -e s/@inlinecrypt@// " +
|
|
" -e s/@metadata_encryption@// $(in) > $(out)",
|
|
}
|
|
|
|
genrule {
|
|
name: "gen_fstab.zuma-fips",
|
|
srcs: ["fstab.zuma.in"],
|
|
out: ["fstab.zuma-fips"],
|
|
cmd: "sed -e s/@fileencryption@/fileencryption=aes-256-xts/" +
|
|
" -e s/@inlinecrypt@/inlinecrypt/ " +
|
|
" -e s/@metadata_encryption@/metadata_encryption=aes-256-xts/ $(in) > $(out)",
|
|
}
|
|
|
|
prebuilt_etc {
|
|
name: "fstab.zuma",
|
|
src: ":gen_fstab.zuma-hw-encrypt",
|
|
vendor: true,
|
|
vendor_ramdisk_available: true,
|
|
}
|
|
|
|
prebuilt_etc {
|
|
name: "fstab.zuma-fips",
|
|
src: ":gen_fstab.zuma-fips",
|
|
vendor: true,
|
|
vendor_ramdisk_available: true,
|
|
}
|