cryptohome: Do not migrate dircrypto policy yet.
To preserve our rollback policy of N-1, this can read the new dircrypto
policy but not yet change the storage for new users. Will be merged to
M-88. The migration was introduced in:
https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2471980
BUG=b:175610730
TEST=tast run ${DUT_IP} hwsec.*
Change-Id: I754dad0c57de54274789be8f27b935f197d137ff
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2590697
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-by: Daniil Lunev <dlunev@chromium.org>
Commit-Queue: Hardik Goyal <hardikgoyal@chromium.org>
Commit-Queue: Greg Kerr <kerrnel@chromium.org>
Tested-by: Hardik Goyal <hardikgoyal@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Auto-Submit: Greg Kerr <kerrnel@chromium.org>
diff --git a/cryptohome/keyset_management.cc b/cryptohome/keyset_management.cc
index cf9e0b6..fd5321c 100644
--- a/cryptohome/keyset_management.cc
+++ b/cryptohome/keyset_management.cc
@@ -223,7 +223,8 @@
return (labels->size() > 0);
}
-bool KeysetManagement::AddInitialKeyset(const Credentials& credentials) {
+bool KeysetManagement::AddInitialKeyset(const Credentials& credentials,
+ bool dircrypto_v2) {
const brillo::SecureBlob passkey = credentials.passkey();
std::string obfuscated_username =
credentials.GetObfuscatedUsername(system_salt_);
@@ -241,6 +242,11 @@
*vk->mutable_serialized()->mutable_signature_challenge_info() =
credentials.challenge_credentials_keyset_info();
}
+
+ if (dircrypto_v2) {
+ vk->mutable_serialized()->set_fscrypt_policy_version(FSCRYPT_POLICY_V2);
+ }
+
// Merge in the key data from credentials using the label() as
// the existence test. (All new-format calls must populate the
// label on creation.)
diff --git a/cryptohome/keyset_management.h b/cryptohome/keyset_management.h
index d21b1a2..80b4dec 100644
--- a/cryptohome/keyset_management.h
+++ b/cryptohome/keyset_management.h
@@ -76,7 +76,8 @@
const Credentials& credentials, MountError* error);
// Adds initial keyset for the credentials.
- virtual bool AddInitialKeyset(const Credentials& credentials);
+ virtual bool AddInitialKeyset(const Credentials& credentials,
+ bool dircrypto_v2);
// Adds a new vault keyset for the user using the |existing_credentials| to
// unwrap the homedir key and the |new_credentials| to rewrap and persist to
diff --git a/cryptohome/keyset_management_unittest.cc b/cryptohome/keyset_management_unittest.cc
index 4b1bf3e..d841461 100644
--- a/cryptohome/keyset_management_unittest.cc
+++ b/cryptohome/keyset_management_unittest.cc
@@ -273,7 +273,8 @@
// TEST
- EXPECT_TRUE(keyset_management_->AddInitialKeyset(users_[0].credentials));
+ EXPECT_TRUE(keyset_management_->AddInitialKeyset(users_[0].credentials,
+ /*dircrypto_v2=*/true));
// VERIFY
// Initial keyset is added, readable, has "new-er" fields correctly
diff --git a/cryptohome/make_tests.cc b/cryptohome/make_tests.cc
index 2ace583..a108dc8 100644
--- a/cryptohome/make_tests.cc
+++ b/cryptohome/make_tests.cc
@@ -256,7 +256,8 @@
.WillOnce(DoAll(SaveArg<1>(&credentials), Return(true)));
ASSERT_TRUE(homedirs.Create(local_credentials.username()));
ASSERT_TRUE(mount->PrepareCryptohome(obfuscated_username, force_ecryptfs));
- ASSERT_TRUE(keyset_management.AddInitialKeyset(local_credentials));
+ ASSERT_TRUE(keyset_management.AddInitialKeyset(local_credentials,
+ /*dircrypto_v2=*/false));
DCHECK(credentials.size());
// Unmount succeeds. This is called when |mount| is destroyed.
diff --git a/cryptohome/mock_keyset_management.h b/cryptohome/mock_keyset_management.h
index 28f4d0c..7dc76d4 100644
--- a/cryptohome/mock_keyset_management.h
+++ b/cryptohome/mock_keyset_management.h
@@ -47,7 +47,7 @@
GetVaultKeysetLabels,
(const std::string&, std::vector<std::string>*),
(const, override));
- MOCK_METHOD(bool, AddInitialKeyset, (const Credentials&), (override));
+ MOCK_METHOD(bool, AddInitialKeyset, (const Credentials&, bool), (override));
MOCK_METHOD(CryptohomeErrorCode,
AddKeyset,
(const Credentials&,
diff --git a/cryptohome/user_session.cc b/cryptohome/user_session.cc
index e03ec64..db76b08 100644
--- a/cryptohome/user_session.cc
+++ b/cryptohome/user_session.cc
@@ -37,10 +37,14 @@
return MOUNT_ERROR_USER_DOES_NOT_EXIST;
}
+ bool dircrypto_v2 = !mount_args.create_as_ecryptfs &&
+ dircrypto::CheckFscryptKeyIoctlSupport();
+
if (!homedirs_->Create(credentials.username()) ||
!mount_->PrepareCryptohome(obfuscated_username,
mount_args.create_as_ecryptfs) ||
- !homedirs_->keyset_management()->AddInitialKeyset(credentials)) {
+ !homedirs_->keyset_management()->AddInitialKeyset(credentials,
+ dircrypto_v2)) {
LOG(ERROR) << "Error creating cryptohome.";
return MOUNT_ERROR_CREATE_CRYPTOHOME_FAILED;
}