mount-encrypted: finalize if keyfile missing

If a system key is available (could read TPM NVRAM), but the "finalization
needed" file exists, it means that we are in the situation where either
cryptohome was interrupted, or the TPM was temporarily unavailable at an
earlier boot. In this case, it is up to mount-encrypted to perform the
finalization. Before, we were making the very bad assumption that the
keyfile was valid if a system key was found, meaning we would delete the
"finalization needed" file, leaving us with no way to find the encryption
key, leading to an OOBE on the next boot.

TEST=daisy build, manual testing

Change-Id: Ifb6d74d8a38100e00d9a4597c25a71a6c33f806c
Signed-off-by: Kees Cook <>
Reviewed-by: Luigi Semenzato <>
Reviewed-by: Elly Jones <>
Reviewed-by: Will Drewry <>
Reviewed-by: Jorge Lucangeli Obes <>
1 file changed