cryptohome: Do not migrate dircrypto policy yet.

To preserve our N-1 rollback policy, this change can read the new dircrypto
policy but does not yet change the storage for new users. It will be merged to
M-88. The migration was introduced in:
https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2471980

BUG=b:175610730
TEST=tast run ${DUT_IP} hwsec.*

Change-Id: I754dad0c57de54274789be8f27b935f197d137ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2590697
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-by: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Hardik Goyal <hardikgoyal@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Tested-by: Hardik Goyal <hardikgoyal@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Auto-Submit: Greg Kerr <kerrnel@chromium.org>
diff --git a/cryptohome/keyset_management.cc b/cryptohome/keyset_management.cc
index cf9e0b6..fd5321c 100644
--- a/cryptohome/keyset_management.cc
+++ b/cryptohome/keyset_management.cc
@@ -223,7 +223,8 @@
   return (labels->size() > 0);
 }
 
-bool KeysetManagement::AddInitialKeyset(const Credentials& credentials) {
+bool KeysetManagement::AddInitialKeyset(const Credentials& credentials,
+                                        bool dircrypto_v2) {
   const brillo::SecureBlob passkey = credentials.passkey();
   std::string obfuscated_username =
       credentials.GetObfuscatedUsername(system_salt_);
@@ -241,6 +242,11 @@
     *vk->mutable_serialized()->mutable_signature_challenge_info() =
         credentials.challenge_credentials_keyset_info();
   }
+
+  if (dircrypto_v2) {
+    vk->mutable_serialized()->set_fscrypt_policy_version(FSCRYPT_POLICY_V2);
+  }
+
   // Merge in the key data from credentials using the label() as
   // the existence test. (All new-format calls must populate the
   // label on creation.)
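Review bot: The `if (dircrypto_v2)` block writes the policy version into the serialized keyset only for the v2 case and leaves the field unset otherwise, and nothing here says how the unset case is meant to be read. Because the value is persisted with the keyset, a short comment above the block would help, for example `// Persist the fscrypt policy version only for v2 vaults; the field is left unset for every other vault.` The code that reads `fscrypt_policy_version` is outside this hunk, so whether it treats a missing value as the older policy should be confirmed there. AddInitialKeyset starts and ends outside this hunk.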
diff --git a/cryptohome/keyset_management.h b/cryptohome/keyset_management.h
index d21b1a2..80b4dec 100644
--- a/cryptohome/keyset_management.h
+++ b/cryptohome/keyset_management.h
@@ -76,7 +76,8 @@
       const Credentials& credentials, MountError* error);
 
   // Adds initial keyset for the credentials.
-  virtual bool AddInitialKeyset(const Credentials& credentials);
+  virtual bool AddInitialKeyset(const Credentials& credentials,
+                                bool dircrypto_v2);
 
   // Adds a new vault keyset for the user using the |existing_credentials| to
   // unwrap the homedir key and the |new_credentials| to rewrap and persist to
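Review bot: The comment above `AddInitialKeyset` still reads "Adds initial keyset for the credentials." and does not describe the new `dircrypto_v2` parameter, a bare bool whose meaning callers have to guess. I would extend it with `// If |dircrypto_v2| is true, the keyset records FSCRYPT_POLICY_V2 as its fscrypt policy version.` The two test call sites in this commit already annotate the argument with `/*dircrypto_v2=*/`, which supports documenting it at the declaration as well.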
diff --git a/cryptohome/keyset_management_unittest.cc b/cryptohome/keyset_management_unittest.cc
index 4b1bf3e..d841461 100644
--- a/cryptohome/keyset_management_unittest.cc
+++ b/cryptohome/keyset_management_unittest.cc
@@ -273,7 +273,8 @@
 
   // TEST
 
-  EXPECT_TRUE(keyset_management_->AddInitialKeyset(users_[0].credentials));
+  EXPECT_TRUE(keyset_management_->AddInitialKeyset(users_[0].credentials,
+                                                   /*dircrypto_v2=*/true));
 
   // VERIFY
   // Initial keyset is added, readable, has "new-er" fields correctly
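Review bot: The call now passes `/*dircrypto_v2=*/true`, but no assertion visible in this hunk checks that the stored keyset carries the v2 policy version, so a regression that drops the field would still pass as far as these lines show. The VERIFY section continues outside the hunk; if it does not already cover this, add a check such as `EXPECT_EQ(FSCRYPT_POLICY_V2, <loaded keyset>.serialized().fscrypt_policy_version());`, where `<loaded keyset>` stands for whatever keyset object the test reads back. A second case with `/*dircrypto_v2=*/false` asserting that the field stays unset would pin the other branch.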
diff --git a/cryptohome/make_tests.cc b/cryptohome/make_tests.cc
index 2ace583..a108dc8 100644
--- a/cryptohome/make_tests.cc
+++ b/cryptohome/make_tests.cc
@@ -256,7 +256,8 @@
       .WillOnce(DoAll(SaveArg<1>(&credentials), Return(true)));
   ASSERT_TRUE(homedirs.Create(local_credentials.username()));
   ASSERT_TRUE(mount->PrepareCryptohome(obfuscated_username, force_ecryptfs));
-  ASSERT_TRUE(keyset_management.AddInitialKeyset(local_credentials));
+  ASSERT_TRUE(keyset_management.AddInitialKeyset(local_credentials,
+                                                 /*dircrypto_v2=*/false));
   DCHECK(credentials.size());
 
   // Unmount succeeds. This is called when |mount| is destroyed.
diff --git a/cryptohome/mock_keyset_management.h b/cryptohome/mock_keyset_management.h
index 28f4d0c..7dc76d4 100644
--- a/cryptohome/mock_keyset_management.h
+++ b/cryptohome/mock_keyset_management.h
@@ -47,7 +47,7 @@
               GetVaultKeysetLabels,
               (const std::string&, std::vector<std::string>*),
               (const, override));
-  MOCK_METHOD(bool, AddInitialKeyset, (const Credentials&), (override));
+  MOCK_METHOD(bool, AddInitialKeyset, (const Credentials&, bool), (override));
   MOCK_METHOD(CryptohomeErrorCode,
               AddKeyset,
               (const Credentials&,
diff --git a/cryptohome/user_session.cc b/cryptohome/user_session.cc
index e03ec64..db76b08 100644
--- a/cryptohome/user_session.cc
+++ b/cryptohome/user_session.cc
@@ -37,10 +37,14 @@
       return MOUNT_ERROR_USER_DOES_NOT_EXIST;
     }
 
+    bool dircrypto_v2 = !mount_args.create_as_ecryptfs &&
+                        dircrypto::CheckFscryptKeyIoctlSupport();
+
     if (!homedirs_->Create(credentials.username()) ||
         !mount_->PrepareCryptohome(obfuscated_username,
                                    mount_args.create_as_ecryptfs) ||
-        !homedirs_->keyset_management()->AddInitialKeyset(credentials)) {
+        !homedirs_->keyset_management()->AddInitialKeyset(credentials,
+                                                          dircrypto_v2)) {
       LOG(ERROR) << "Error creating cryptohome.";
       return MOUNT_ERROR_CREATE_CRYPTOHOME_FAILED;
     }
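Review bot: The commit description says storage for new users is not changed yet, but `dircrypto_v2` here becomes true for every new non-ecryptfs user whenever `dircrypto::CheckFscryptKeyIoctlSupport()` returns true, and that value is handed to `AddInitialKeyset` to be persisted; the description and this hunk should be reconciled (this page may be showing the change in the opposite direction to what the description intends). The flag is also derived from `mount_args` and a support probe rather than from what `PrepareCryptohome` actually created, so a comment stating that assumption would help, e.g. `// Assumes PrepareCryptohome creates a dircrypto vault whenever create_as_ecryptfs is false.` The local is never reassigned and can be declared `const bool dircrypto_v2 = ...`. The enclosing function starts and ends outside this hunk.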