<html devsite><head>
<title></title>
<meta name="project_path" value="/_project.yaml"/>
<meta name="book_path" value="/_book.yaml"/>
</head>
<body>
<!--
Copyright 2017 The Android Open Source Project

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->

<p>Android 7.0 (FBE)
</p>
<p> Direct Boot API
</p>
<h2 id="direct-boot">Direct Boot</h2>
<p>Android 7.0 <a href="https://developer.android.com/training/articles/direct-boot.html"></a><a href="full-disk.html"></a> (FDE)
</p>
<p> (FBE) API
</p>
<p> FBE </p>
<ul>
<li> (CE) </li>
<li> (DE) </li>
</ul>
<p>
</p>
<p>Direct Boot API CE <a href="https://developer.android.com/about/versions/nougat/android-7.0.html#android_for_work"></a><em></em> FBE Android 7.0 API FBEDE CE
</p>
<p>Android (AOSP) EXT4 FBE (SoC)
</p>
<p>AOSP </p>

<ul>
<li></li><li></li></ul>

<h2 id="examples-and-source">Examples and source</h2>

<p>Android vold (system/vold) Android PDE vold CE DE <a href="#kernel-support">EXT4 </a> SystemUI FBE </p>

<ul>
<li>AOSP (packages/apps/Dialer)</li><li> (packages/apps/DeskClock)</li><li>LatinIME (packages/inputmethods/LatinIME)*</li><li> (packages/apps/Settings)*</li><li>SystemUI (frameworks/base/packages/SystemUI)*</li></ul>
<p>
<em>* <code><a href="#supporting-direct-boot-in-system-applications">defaultToDeviceProtectedStorage</a></code> </em>
</p>
<p> AOSP <code>mangrep directBootAware</code>
</p>
<h2 id="dependencies">Dependencies</h2>
<p> AOSP FBE </p>

<ul>
<li> EXT4 <strong></strong>EXT4_FS_ENCRYPTION</li><li> 1.0 2.0 HAL <strong><a href="/security/keystore/index.html">Keymaster </a></strong> Keymaster 0.3
</li><li><a href="/security/trusty/index.html"></a> (TEE) <strong>Keymaster/<a href="/security/keystore/index.html">Keystore</a> Gatekeeper</strong> DE DE
</li><li><strong></strong> AES XTS 50MB/s
</li><li><strong></strong><strong></strong> Keymaster </li>
</ul>

<p class="note">
<strong></strong> OTA
</p>

<h2 id="implementation">Implementation</h2>
<p><a href="https://developer.android.com/training/articles/direct-boot.html"></a> android:directBootAware
</p>
<h3 id="kernel-support">Kernel support</h3>
<p>AOSP Linux 4.4 EXT4 4.4 EXT4 Android 3.10 Nexus
</p>
<p>AOSP / Git android-3.10.y Linux <a href="https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/?id=refs/tags/v4.6">linux-4.6</a> EXT4 JBD2 Nexus
</p>
<table>
<tbody><tr>
<th></th>
<th></th>
</tr>
<tr>
<td>Android Common</td>
<td><strong>kernel/common</strong> android-3.10.y (<a href="https://android.googlesource.com/kernel/common/+/android-3.10.y">Git</a>)</td>
</tr>
<tr>
<td>Nexus 5X (bullhead)</td>
<td><strong>kernel/msm</strong> android-msm-bullhead-3.10-n-preview-2 (<a href="https://android.googlesource.com/kernel/msm/+/android-msm-bullhead-3.10-n-preview-2">Git</a>)</td>
</tr>
<tr>
<td>Nexus 6P (angler)</td>
<td><strong>kernel/msm</strong> android-msm-angler-3.10-n-preview-2 (<a href="https://android.googlesource.com/kernel/msm/+/android-msm-angler-3.10-n-preview-2">Git</a>)</td>
</tr>
</tbody></table>
<p> 3.10 Linux 3.18 EXT4 JBD2 3.10 Nexus </p>

<ul>
<li>EXT3 EXT4 EXT3 </li><li> (GFS) </li><li>EXT4 ACL </li>
</ul>

<p> EXT4
</p>
<h3 id="enabling-file-based-encryption">Enabling file-based encryption</h3>
<p> <code>fileencryption</code> <code>userdata</code> <code>fstab</code> FBE <a href="https://android.googlesource.com/device/lge/bullhead/+/nougat-release/fstab_fbe.bullhead">https://android.googlesource.com/device/lge/bullhead/+/nougat-release/fstab_fbe.bullhead</a>
</p>
<p> FBE <code>forcefdeorfbe="&lt;path/to/metadata/partition&gt;"</code>
</p>
<p> FDE FBE <code>forceencrypt</code> FDE FBE fastboot FBE</p>
<p>
<code>$ fastboot --wipe-and-use-fbe</code>
</p>
<p> FBE FBE
</p>
<h3 id="integrating-with-keymaster">Integrating with Keymaster</h3>
<p><code>vold</code> AOSP FBE 1.0 Keymaster HAL Keymaster HAL </p>
<p> 0 <code>init</code> <code>on-post-fs</code> Keymaster Nexus </p>

<ul>
<li> Keymaster <code>/data</code> </li><li>AOSP XTS AES-256 <p class="note">
<strong></strong> XTS AES-256 XTS 256 CE DE 512
</p>
</li>
</ul>

<h3 id="encryption-policy">Encryption policy</h3>
<p>EXT4 <code>userdata</code> <code>init</code> 0 CE DE
</p>
<p> AOSP </p>
<p>
<code>/system/extras/ext4_utils/ext4_crypt_init_extensions.cpp</code>
</p>
<p> <code>directories_to_exclude</code> <a href="/security/selinux/device-policy.html">SELinux </a>
</p>
<p> OTA
</p>
<h3 id="supporting-direct-boot-in-system-applications">Supporting Direct Boot in system applications</h3>

<h4 id="making-applications-direct-boot-aware">Making applications Direct Boot aware</h4>
<p><code>defaultToDeviceProtectedStorage</code> <code>directBootAware</code>
</p>

<pre>
&lt;application
    android:directBootAware="true"
    android:defaultToDeviceProtectedStorage="true"&gt;
</pre>

<p> <code>directBootAware</code>
</p>
<p><code>defaultToDeviceProtectedStorage</code> DE CE CE
</p>
<p> API CE Context API API
</p>

<ul>
<li><code>Context.createCredentialProtectedStorageContext()</code>
</li><li><code>Context.isCredentialProtectedStorage()</code></li>
</ul>
<h4 id="supporting-multiple-users">Supporting multiple users</h4>
<p> DE CE 0 <a href="/devices/tech/admin/index.html"></a>
</p>
<p><code>INTERACT_ACROSS_USERS</code> <code>INTERACT_ACROSS_USERS_FULL</code> CE
</p>
<p> DE
</p>
<p> ID DE CE Keymaster TEE TEE
</p>
<h3 id="handling-updates">Handling updates</h3>
<p> DE FBE OTA A/B OTA
</p>
<p> OTA OTA </p>

<ul>
<li>misc_ne
</li><li><a href="#encryption-policy"></a>
</li><li> OTA
</li><li> SELinux OTA
</li><li></li>
</ul>

<p> OTA
</p>
<h2 id="validation">Validation</h2>
<p> FBE <a href="https://android.googlesource.com/platform/cts/+/nougat-cts-release/hostsidetests/appsecurity/src/android/appsecurity/cts/DirectBootHostTest.java">CTS </a>
</p>
<p> x86 QEMU <a href="https://git.kernel.org/cgit/fs/ext2/xfstests-bld.git/plain/quick-start?h=META">xfstest</a> </p>
<pre>
$ kvm-xfstests -c encrypt -g auto
</pre>
<p> FBE </p>

<ul>
<li> <code>ro.crypto.state</code> <ul>
<li> <code>ro.crypto.state</code> </li>
</ul>
</li>
<li> <code>ro.crypto.type</code> <ul>
<li> <code>ro.crypto.type</code> <code>file</code></li>
</ul>
</li>
</ul>

<p> <code>userdebug</code> <code>adb</code> shell <code>su</code> root <code>/data/data</code>
</p>
<h2 id="aosp-implementation-details">AOSP implementation details</h2>
<p> AOSP FBE
</p>
<h3 id="ext4-encryption">EXT4 encryption</h3>
<p>AOSP EXT4 </p><ul>
<li> XTS AES-256 </li><li> CBC-CTS AES-256 </li></ul>
<h3 id="key-derivation">Key derivation</h3>
<p>512 AES-XTS TEE 256 AES-GCM TEE </p><ul>
<li></li><li></li><li>secdiscardable hash</li></ul>
<p> <a href="/security/authentication/gatekeeper.html">Gatekeeper</a> <em></em> TEE
</p>
<p> <code>scrypt</code> <em></em> <code>vold</code> <code>scrypt</code> TEE <code>KM_TAG_APPLICATION_ID</code>
</p>
<p><code>secdiscardable hash</code> 16 KB 512 secdiscardable hash TEE <code>KM_TAG_APPLICATION_ID</code> <a href="/security/keystore/implementer-ref.html"> Keystore </a>

</p></body></html>