Google Git
Sign in
cos / mirrors / cros / chromiumos / platform2 / bfa2faaeeb23e910910394509dd09e73559457e1^! / .
commitbfa2faaeeb23e910910394509dd09e73559457e1[log] [tgz]
authorSarthak Kukreti <sarthakkukreti@chromium.org>Mon Nov 16 11:37:02 2020 -0800
committerCommit Bot <commit-bot@chromium.org>Thu Dec 24 05:31:25 2020 +0000
tree25a1868805aad0f7be7bd7e6e9dd8f20911e1428
parent54a2ed0d9528719ab80cac18452ae0d57166fd15 [diff]
cryptohome: Use fscrypt encrypted container for encrypted reboot vault

Use the fscrypt container for the encrypted reboot vault.

BUG=b:172344853
TEST=platform.EncryptedRebootVault

Change-Id: I65f66db4a3904165b451a2491dbe94cc39731e12
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform2/+/2579889
Tested-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Commit-Queue: Sarthak Kukreti <sarthakkukreti@chromium.org>
Reviewed-by: Daniil Lunev <dlunev@chromium.org>

diff --git a/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.cc b/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.cc
index 954a33f..f53c679 100644
--- a/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.cc
+++ b/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.cc

@@ -6,6 +6,9 @@
 
 #include <cryptohome/cryptolib.h>
 #include <cryptohome/dircrypto_util.h>
+#include <cryptohome/platform.h>
+#include <cryptohome/storage/encrypted_container/encrypted_container.h>
+#include <cryptohome/storage/encrypted_container/filesystem_key.h>
 
 #include <base/files/file_enumerator.h>
 #include <base/files/file_path.h>
@@ -40,12 +43,12 @@
   return true;
 }
 
-bool SaveKey(const brillo::SecureBlob& key) {
+bool SaveKey(const cryptohome::FileSystemKey& key) {
   // Do not use store.Save() since it uses WriteFileAtomically() which will
   // fail on /dev/pmsg0.
   brillo::KeyValueStore store;
   store.SetString(kEncryptionKeyTag,
-                  cryptohome::CryptoLib::SecureBlobToHex(key));
+                  cryptohome::CryptoLib::SecureBlobToHex(key.fek));
 
   std::string store_contents = store.SaveToString();
   if (store_contents.empty() ||
@@ -56,7 +59,8 @@
   return true;
 }
 
-brillo::SecureBlob RetrieveKey() {
+cryptohome::FileSystemKey RetrieveKey() {
+  cryptohome::FileSystemKey key;
   base::FileEnumerator pmsg_ramoops_enumerator(
       base::FilePath(kPstorePath), true /* recursive */,
       base::FileEnumerator::FILES, kPmsgKeystoreRamoopsPathDesc);
@@ -66,31 +70,30 @@
     brillo::KeyValueStore store;
     std::string val;
     if (store.Load(ramoops_file) && store.GetString(kEncryptionKeyTag, &val)) {
-      auto encryption_key =
-          brillo::SecureHexToSecureBlob(brillo::SecureBlob(val));
+      key.fek = brillo::SecureHexToSecureBlob(brillo::SecureBlob(val));
       base::DeleteFile(ramoops_file);
       // SaveKey stores the key again into pstore-pmsg on every boot since the
       // pstore object isn't persistent. Since the pstore object is always
       // stored in RAM on ChromiumOS, it is cleared the next time the device
       // shuts down or loses power.
-      if (!SaveKey(encryption_key))
+      if (!SaveKey(key))
         LOG(WARNING) << "Failed to store key for next reboot.";
-      return encryption_key;
+      return key;
     }
   }
-  return brillo::SecureBlob();
+  return key;
 }
 
 }  // namespace
 
 EncryptedRebootVault::EncryptedRebootVault()
     : vault_path_(base::FilePath(kEncryptedRebootVaultPath)) {
-  if (dircrypto::CheckFscryptKeyIoctlSupport()) {
-    key_reference_.policy_version = FSCRYPT_POLICY_V2;
-  } else {
-    key_reference_.reference = brillo::SecureBlob(kEncryptionKeyTag);
-    key_reference_.policy_version = FSCRYPT_POLICY_V1;
-  }
+  cryptohome::FileSystemKeyReference key_reference;
+  key_reference.fek_sig = brillo::SecureBlob(kEncryptionKeyTag);
+
+  encrypted_container_ = cryptohome::EncryptedContainer::Generate(
+      cryptohome::EncryptedContainerType::kFscrypt, vault_path_, key_reference,
+      &platform_);
 }
 
 bool EncryptedRebootVault::CreateVault() {
@@ -107,15 +110,10 @@
   PurgeVault();
 
   // Generate encryption key.
-  brillo::SecureBlob transient_encryption_key =
+  cryptohome::FileSystemKey transient_encryption_key;
+  transient_encryption_key.fek =
       cryptohome::CryptoLib::CreateSecureRandomBlob(kEncryptionKeySize);
 
-  // The key descriptor needs to be exactly 8 bytes for v1 encryption policies.
-  if (!dircrypto::AddDirectoryKey(transient_encryption_key, &key_reference_)) {
-    LOG(ERROR) << "Failed to add pmsg-key";
-    return false;
-  }
-
   // Store key into pmsg. If it fails, we bail out.
   if (!SaveKey(transient_encryption_key)) {
     LOG(ERROR) << "Failed to store transient encryption key to pmsg.";
@@ -123,14 +121,8 @@
   }
 
   // Set up the encrypted reboot vault.
-  if (!base::CreateDirectory(vault_path_)) {
-    LOG(ERROR) << "Failed to create directory";
-    return false;
-  }
-
-  // Set the fscrypt context for the directory.
-  if (!dircrypto::SetDirectoryKey(vault_path_, key_reference_)) {
-    LOG(ERROR) << "Failed to set directory key";
+  if (!encrypted_container_->Setup(transient_encryption_key, /*create=*/true)) {
+    LOG(ERROR) << "Failed to setup encrypted container";
     return false;
   }
 
@@ -145,10 +137,10 @@
 }
 
 bool EncryptedRebootVault::PurgeVault() {
-  if (!dircrypto::RemoveDirectoryKey(key_reference_, vault_path_)) {
+  if (!encrypted_container_->Teardown()) {
     LOG(WARNING) << "Failed to unlink encryption key from keyring.";
   }
-  return base::DeletePathRecursively(vault_path_);
+  return encrypted_container_->Purge();
 }
 
 bool EncryptedRebootVault::UnlockVault() {
@@ -168,30 +160,17 @@
     return false;
   }
 
-  // If the vault exists, get the policy version from the directory.
-  switch (dircrypto::GetDirectoryPolicyVersion(vault_path_)) {
-    case FSCRYPT_POLICY_V1:
-      key_reference_.policy_version = FSCRYPT_POLICY_V1;
-      key_reference_.reference = brillo::SecureBlob(kEncryptionKeyTag);
-      break;
-    case FSCRYPT_POLICY_V2:
-      key_reference_.policy_version = FSCRYPT_POLICY_V2;
-      break;
-    default:
-      LOG(ERROR) << "Failed to get policy version for directory";
-      return false;
-  }
-
   // Retrieve key.
-  brillo::SecureBlob transient_encryption_key = RetrieveKey();
-  if (transient_encryption_key.empty()) {
+  cryptohome::FileSystemKey transient_encryption_key = RetrieveKey();
+  if (transient_encryption_key.fek.empty()) {
     LOG(INFO) << "No valid key found: the device might have booted up from a "
                  "shutdown.";
     return false;
   }
 
   // Unlock vault.
-  if (!dircrypto::AddDirectoryKey(transient_encryption_key, &key_reference_)) {
+  if (!encrypted_container_->Setup(transient_encryption_key,
+                                   /*create=*/false)) {
     LOG(ERROR) << "Failed to add key to keyring.";
     return false;
   }

diff --git a/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.h b/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.h
index 77816ab..1591ffc 100644
--- a/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.h
+++ b/cryptohome/encrypted_reboot_vault/encrypted_reboot_vault.h

@@ -5,12 +5,15 @@
 #ifndef CRYPTOHOME_ENCRYPTED_REBOOT_VAULT_ENCRYPTED_REBOOT_VAULT_H_
 #define CRYPTOHOME_ENCRYPTED_REBOOT_VAULT_ENCRYPTED_REBOOT_VAULT_H_
 
+#include <memory>
 #include <string>
 
 #include <base/files/file_path.h>
 #include <brillo/brillo_export.h>
 
 #include <cryptohome/dircrypto_util.h>
+#include <cryptohome/platform.h>
+#include <cryptohome/storage/encrypted_container/encrypted_container.h>
 
 class EncryptedRebootVault {
  public:
@@ -27,7 +30,8 @@
 
  private:
   base::FilePath vault_path_;
-  dircrypto::KeyReference key_reference_;
+  cryptohome::Platform platform_;
+  std::unique_ptr<cryptohome::EncryptedContainer> encrypted_container_;
 };
 
 #endif  // CRYPTOHOME_ENCRYPTED_REBOOT_VAULT_ENCRYPTED_REBOOT_VAULT_H_