<html devsite><head>
    <title></title>
    <meta name="project_path" value="/_project.yaml"/>
    <meta name="book_path" value="/_book.yaml"/>
  </head>
  <body>
  <!--
      Copyright 2017 The Android Open Source Project

      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at

          http://www.apache.org/licenses/LICENSE-2.0

      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  -->

<p> Android </p>

<p> Android 4.4  Android 5.0 </p>
<ul>
  <li> EXT4  F2FS 
  </li><li> <a href="/devices/storage/config.html"><code>forceencrypt</code> fstab </a>
  </li><li>
  </li><li>TEE TrustZone<a href="#storing_the_encrypted_key"></a>
</li></ul>

<p class="caution"><strong></strong> Android 5.0  Android 5.0 </p>

<h2 id="how_android_encryption_works">Android </h2>

<p>Android  <code>dm-crypt</code><strong> </strong>(eMMC) YAFFS  NAND </p>

<p> 128  (AES)  (CBC)  ESSIV:SHA256 128  AES  OpenSSL  128  256 </p>

<p class="note"><strong></strong> (OEM)  128 </p>

<p>Android 5.0  4 </p>

<ul>
  <li></li><li>PIN </li><li></li><li></li></ul>

<p> 128 default_password TEE TrustZoneTEE </p>

<p> Android  <a href="https://android.googlesource.com/platform/system/vold/+/master/cryptfs.c">cryptfs.c</a> </p>

<p> PIN / 128  PIN //<a href="http://developer.android.com/guide/topics/admin/device-admin.html"></a> PIN </p>

<p> <code>init</code>  <code>vold</code> 
<code>init</code>  <code>vold</code> vold  init  <code>vold</code>  <code>vdc</code>  <code>cryptfs</code> <code>checkpw</code><code>restart</code><code>enablecrypto</code><code>changepw</code><code>cryptocomplete</code><code>verifypw</code><code>setfield</code><code>getfield</code><code>mountdefaultencrypted</code><code>getpwtype</code><code>getpw</code>  <code>clearpw</code></p>

<p> <code>/data</code><code>/data</code>  <code>/data</code> <code>/data</code> Android  <code>/data</code>  <code>/data</code> <code>core</code><code>main</code>  <code>late_start</code></p>

<ul>
  <li><code>core</code>
  </li><li><code>main</code>
  </li><li><code>late_start</code> <code>/data</code> 
</li></ul>

<p><code>vold.decrypt</code> <a href="https://android.googlesource.com/platform/system/vold/+/master/cryptfs.c"></a> <code>init</code> </p>

<ul>
  <li><code>class_reset</code> class_start 
  </li><li><code>class_start</code>
  </li><li><code>class_stop</code> <code>SVC_DISABLED</code>  <code>class_start</code> 
</li></ul>

<h2 id="flows"></h2>

<p> 4 </p>

<ul>
  <li><ul>
    <li> <code>forceencrypt</code>  Android L 
    </li><li>Android K 
  </li></ul>
  </li><li><ul>
    <li> Android 5.0 
    </li><li>
  </li></ul>
</li></ul>

<p> <code>/data</code></p>

<h3 id="encrypt_a_new_device_with_forceencrypt"> forceencrypt </h3>

<p> Android 5.0 </p>

<ol>
  <li><strong> <code>forceencrypt</code> </strong>

<p>
<code>/data</code>  <code>forceencrypt</code>  <code>/data</code></p>

  </li><li><strong> <code>/data</code></strong>

<p><code>vold.decrypt = "trigger_encryption"</code>  <code>init.rc</code> <code>vold</code>  <code>/data</code> </p>

  </li><li><strong> tmpfs</strong>

<p><code>vold</code>  tmpfs <code>/data</code> <code>ro.crypto.tmpfs_options</code>  tmpfs  <code>vold.encrypt_progress</code>  0
<code>vold</code>  tmpfs <code>/data</code>  <code>vold.decrypt</code>  <code>trigger_restart_min_framework</code>
</p>

  </li><li><strong></strong>

<p><a href="#encrypt_an_existing_device"></a></p>

  </li><li><strong><code>/data</code> </strong>

<p><code>vold</code>  <code>vold.decrypt</code>  <code>trigger_default_encryption</code> <code>defaultcrypto</code> <code>trigger_default_encryption</code>  <code>/data</code>  Android 5.0  <code>/data</code></p>

  </li><li><strong> <code>/data</code></strong>

<p><code>init</code>  <code>ro.crypto.tmpfs_options</code> <code>init.rc</code>  tmpfs RAMDisk  <code>/data</code></p>

  </li><li><strong></strong>

<p> <code>vold</code>  <code>trigger_restart_framework</code></p>
</li></ol>

<h3 id="encrypt_an_existing_device"></h3>

<p> Android K  L </p>

<p></p>

<p class="warning"><strong></strong></p>

<p><code>vold</code> <code>vold</code> </p>

<p><strong></strong> <code>ro.crypto.state = "unencrypted"</code> <code>on nonencrypted</code> <code>init</code> </p>

<ol>
  <li><strong></strong>

<p> <code>cryptfs enablecrypto inplace</code>  <code>vold</code> <code>passwd</code> </p>

  </li><li><strong></strong>

<p><code>vold</code>  -1 <code>vold.decrypt</code>  <code>trigger_shutdown_framework</code> <code>init.rc</code>  <code>late_start</code>  <code>main</code> </p>

  </li><li><strong></strong></li>
  <li><strong></strong></li>
  <li><strong></strong></li>
  <li><strong></strong></li>
  <li><strong> <code>/data</code></strong>

<p><code>vold</code> <code>vold</code> </p>

  </li><li><strong> tmpfs</strong>

<p><code>vold</code>  tmpfs <code>/data</code> <code>ro.crypto.tmpfs_options</code>  tmpfs  <code>vold.encrypt_progress</code>  0<code>vold</code>  tmpfs <code>/data</code>  <code>vold.decrypt</code>  <code>trigger_restart_min_framework</code> </p>

  </li><li><strong></strong>

<p><code>trigger_restart_min_framework </code>  <code>init.rc</code>  <code>main</code>  <code>vold.encrypt_progress</code>  0  5  <code>vold.encrypt_progress</code></p>

  </li><li><strong><code> /data</code> </strong>

<p><code>/data</code> <code>vold</code>  <code>ENCRYPTION_IN_PROGRESS</code> </p>

<p></p>

<p><code>vold</code>  <code>vold.encrypt_progress</code>  <code>error_reboot_failed</code></p>
</li></ol>

<h3 id="starting_an_encrypted_device_with_default_encryption"></h3>

<p> Android 5.0 <em></em></p>

<ol>
  <li><strong> <code>/data</code></strong>

<p> Android  <code>/data</code>  <code>encryptable</code>  <code>forceencrypt</code> </p>

<p><code>vold</code>  <code>vold.decrypt</code>  <code>trigger_default_encryption</code> <code>defaultcrypto</code> <code>trigger_default_encryption</code>  <code>/data</code> </p>

  </li><li><strong> /data</strong>

<p> <code>dm-crypt</code> </p>

  </li><li><strong> /data</strong>

<p><code>vold</code>  <code>/data</code>  <code>vold.post_fs_data_done</code>  0 <code>vold.decrypt</code>  <code>trigger_post_fs_data</code> <code>init.rc</code>  <code>post-fs-data</code>  <code>vold.post_fs_data_done</code>  1</p>

<p> <code>vold</code>  1  <code>vold.decrypt</code>  <code>trigger_restart_framework.</code>  <code>init.rc</code>  <code>main</code>  <code>late_start</code> </p>

  </li><li><strong></strong>

<p> <code>/data</code> </p>
</li></ol>

<h3 id="starting_an_encrypted_device_without_default_encryption"></h3>

<p> PIN </p>

<ol>
  <li><strong></strong>

<p> Android  <code>ro.crypto.state = "encrypted"</code> </p>

<p> <code>/data</code>  <code>vold</code>  <code>vold.decrypt</code>  <code>trigger_restart_min_framework</code></p>

  </li><li><strong> tmpfs</strong>

<p><code>init</code>  5  <code>/data</code> <code>init.rc</code> 
<code>vold</code> </p>

<ol>
  <li><code>ro.crypto.fs_type</code>
  </li><li><code>ro.crypto.fs_real_blkdev</code>
  </li><li><code>ro.crypto.fs_mnt_point</code>
  </li><li><code>ro.crypto.fs_options</code>
  </li><li><code>ro.crypto.fs_flags </code>ASCII  8  0x </li></ol>

  </li><li><strong></strong>

<p> <code>vold.decrypt</code>  <code>trigger_restart_min_framework</code> tmpfs <code>/data</code> </p>

<p> <code>vold</code>  <code>cryptfs cryptocomplete</code> 
<code>vold</code>  0 -1 -2<code>vold</code>  <code>CRYPTO_ENCRYPTION_IN_PROGRESS</code>  <code>vold</code> </p>

  </li><li><strong></strong>

<p><code>cryptfs cryptocomplete</code>  <code>vold</code>  <code>cryptfs checkpw</code>  <code>/data</code><code>vold</code>  <code>ro.crypto.fs_crypto_blkdev</code>  0 -1</p>

  </li><li><strong></strong>

<p> <code>cryptfs restart</code>  <code>vold</code><code>vold</code>  <code>vold.decrypt</code>  <code>trigger_reset_main</code> <code>init.rc</code>  <code>class_reset main</code>  main  tmpfs <code>/data</code></p>

  </li><li><strong> <code>/data</code></strong>

<p><code>vold</code>  <code>/data</code>  <code>vold.post_fs_data_done</code>  0 <code>vold.decrypt</code>  <code>trigger_post_fs_data</code> <code>init.rc</code>  <code>post-fs-data</code>  <code>vold.post_fs_data_done</code>  1 <code>vold</code>  1  <code>vold.decrypt</code>  <code>trigger_restart_framework</code> <code>init.rc</code>  <code>main</code>  <code>late_start</code> </p>

  </li><li><strong></strong>

<p> <code>/data</code> </p>
</li></ol>

<h3 id="failure"></h3>

<p></p>

<ol>
  <li></li><li> tmpfs</li><li></li></ol>

<p></p>

<ul>
  <li></li><li> 30 </li></ul>

<p><strong></strong></p>

<p> <code>vold</code> <code>vold</code>  <code>vold.encrypt_progress </code> <code>error_not_encrypted</code><code>vold</code>  <code>vold.encrypt_progress</code>  <code>error_shutting_down</code>  -1</p>

<p> <code>vold</code>  <code>vold.encrypt_progress</code>  <code>error_partially_encrypted</code>  -1</p>

<h2 id="storing_the_encrypted_key"></h2>

<p> (TEE)  scrypt  TEE  scrypt</p>

<ol>
  <li> 16  (DEK)  16 
  </li><li> scrypt 32  1 (IK1)
  </li><li> IK1  (HBK) 00 || IK1 || 00..001 32  IK1 223 
  </li><li> HBK  IK1  256  IK2
  </li><li> IK2  2  scrypt 32  IK3
  </li><li> IK3  16  KEK 16  IV</li><li> AES_CBC KEK  IV  DEK</li></ol>
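<p>Steps 1 to 6 of the key wrapping above, as an added Python example; it is not code from this page or from AOSP's <code>cryptfs.c</code>. The scrypt cost parameters (N=2**14, r=8, p=1) are assumed, and because signing with the hardware-bound key (HBK) happens inside the TEE, a keyed HMAC stands in for it so the block runs offline; step 7, the AES-CBC wrap of the DEK under KEK and IV, is only noted in a comment because AES is not in the Python standard library.</p>

```python
import hashlib
import hmac
import os

# scrypt cost parameters: ASSUMED for this example, not the values cryptfs.c uses
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
IK2_LEN = 256  # the signed IK2 is 256 bytes (step 4), so padded IK1 is 256 bytes too


def pad_ik1(ik1: bytes) -> bytes:
    """Step 3: 00 || IK1 || 00..00 = one zero byte, 32 IK1 bytes, 223 zero bytes."""
    if len(ik1) != 32:
        raise ValueError("IK1 must be 32 bytes")
    return b"\x00" + ik1 + b"\x00" * 223


def hbk_sign_stand_in(hbk_secret: bytes, padded_ik1: bytes) -> bytes:
    """Step 4 stand-in: on a device the TEE signs padded IK1 with the HBK, which
    never leaves TrustZone. Here a keyed HMAC-SHA256 expanded to 256 bytes stands
    in so the block runs offline; this is an ASSUMPTION for illustration only."""
    blocks = [hmac.new(hbk_secret, padded_ik1 + bytes([i]), hashlib.sha256).digest()
              for i in range(IK2_LEN // 32)]
    return b"".join(blocks)


def derive_kek_iv(password: bytes, salt: bytes, hbk_secret: bytes):
    """Steps 2-6: (password, salt, HBK) -> (KEK, IV), 16 bytes each."""
    # Step 2: scrypt over the password and salt gives the 32-byte IK1
    ik1 = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Steps 3-4: pad IK1 and sign it with the HBK to get the 256-byte IK2
    ik2 = hbk_sign_stand_in(hbk_secret, pad_ik1(ik1))
    # Step 5: scrypt over IK2 with the same salt as step 2 gives the 32-byte IK3
    ik3 = hashlib.scrypt(ik2, salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Step 6: first 16 bytes are the KEK, last 16 the IV for AES-CBC-wrapping the DEK
    return ik3[:16], ik3[16:]


def new_device_secrets():
    """Step 1: a random 16-byte disk encryption key (DEK) and 16-byte salt."""
    return os.urandom(16), os.urandom(16)


if __name__ == "__main__":
    dek, salt = new_device_secrets()
    hbk = os.urandom(32)  # constructed stand-in for the device's hardware-bound key
    kek, iv = derive_kek_iv(b"1234", salt, hbk)
    # Step 7 (not shown; AES-CBC is not in the standard library) encrypts dek under (kek, iv).
    # Without the HBK, the KEK cannot be recomputed from the password and salt alone.
    print(kek.hex(), iv.hex())
```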

<h2 id="changing_the_password"></h2>

<p> <code>vold</code>  <code>cryptfs changepw</code>  <code>vold</code> </p>

<h2 id="encryption_properties"></h2>

<p><code>vold</code>  <code>init</code> </p>

<h3 id="vold_properties">vold </h3>

<table>
  <tbody><tr>
    <th></th>
    <th></th>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_encryption</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_default_encryption</code></td>
    <td> <code>vold.decrypt</code>  trigger_restart_min_framework</td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_reset_main</code></td>
    <td> vold </td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_post_fs_data</code></td>
    <td> vold  /data</td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_restart_framework</code></td>
    <td> vold </td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_shutdown_framework</code></td>
    <td> vold </td>
  </tr>
  <tr>
    <td><code>vold.decrypt  trigger_restart_min_framework</code></td>
    <td> vold  <code>ro.crypto.state</code> </td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress  0 to 100</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress  error_partially_encrypted</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress  error_reboot_failed</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress  error_not_encrypted</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.encrypt_progress  error_shutting_down</code></td>
    <td></td>
  </tr>
  <tr>
    <td><code>vold.post_fs_data_done  0</code></td>
    <td> <code>vold</code>  <code>vold.decrypt</code>  <code>trigger_post_fs_data</code> </td>
  </tr>
  <tr>
    <td><code>vold.post_fs_data_done  1</code></td>
    <td> <code>init.rc</code>  <code>init.rc</code>  <code>post-fs-data</code> </td>
  </tr>
</tbody></table>
<h3 id="init_properties">init </h3>

<table>
  <tbody><tr>
    <th></th>
    <th></th>
  </tr>
  <tr>
    <td><code>ro.crypto.fs_crypto_blkdev</code></td>
    <td> <code>vold</code>  <code>checkpw</code>  <code>vold</code>  <code>restart</code> </td>
  </tr>
  <tr>
    <td><code>ro.crypto.state unencrypted</code></td>
    <td> <code>init</code>  <code>/data ro.crypto.state encrypted</code>  <code>init</code>  <code>/data</code> </td>
  </tr>
  <tr>
    <td><p><code>ro.crypto.fs_type<br />
      ro.crypto.fs_real_blkdev<br />
      ro.crypto.fs_mnt_point<br />
      ro.crypto.fs_options<br />
      ro.crypto.fs_flags<br />
    </code></p></td>
    <td> 5  <code>init</code>  <code>/data</code> <code>init.rc</code> <code>vold</code> </td>
  </tr>
  <tr>
    <td><code>ro.crypto.tmpfs_options</code></td>
    <td> <code>init.rc</code>  init  tmpfs /data </td>
  </tr>
</tbody></table>
<h2 id="init_actions">init </h2>

<pre>
on post-fs-data
on nonencrypted
on property:vold.decrypt=trigger_reset_main
on property:vold.decrypt=trigger_post_fs_data
on property:vold.decrypt=trigger_restart_min_framework
on property:vold.decrypt=trigger_restart_framework
on property:vold.decrypt=trigger_shutdown_framework
on property:vold.decrypt=trigger_encryption
on property:vold.decrypt=trigger_default_encryption
</pre>

</body></html>