回退 'Pull Request !692 : 针对A/B类加密能力实现'

This commit is contained in:
openharmony_ci 2023-12-04 07:05:26 +00:00 committed by Gitee
parent 005aa98640
commit bcfb7da2c8
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
30 changed files with 149 additions and 831 deletions

View File

@ -73,7 +73,6 @@ ohos_static_library("libsdcrypto") {
"hilog:libhilog",
"huks:libhukssdk",
"init:libbegetutil",
"ipc:ipc_core",
]
subsystem_name = "filemanagement"

View File

@ -34,26 +34,6 @@ namespace {
const std::string PATH_LATEST_BACKUP = "/latest_bak";
const std::string PATH_KEY_VERSION = "/version_";
const std::string PATH_KEY_TEMP = "/temp";
#ifndef F2FS_IOCTL_MAGIC
#define F2FS_IOCTL_MAGIC 0xf5
#endif
#ifndef F2FS_IOC_SEC_TRIM_FILE
struct F2fsSectrimRange {
uint64_t start;
uint64_t len;
uint64_t flags;
};
using F2fsSectrim = F2fsSectrimRange;
#define F2FS_IOC_SEC_TRIM_FILE _IOW(F2FS_IOCTL_MAGIC, 20, F2fsSectrim)
#define F2FS_TRIM_FILE_DISCARD 0x1
#define F2FS_TRIM_FILE_ZEROOUT 0x2
#endif
#ifndef F2FS_IOC_SET_PIN_FILE
#define F2FS_IOC_SET_PIN_FILE _IOW(F2FS_IOCTL_MAGIC, 13, set)
#define F2FS_IOC_GET_PIN_FILE _IOR(F2FS_IOCTL_MAGIC, 14, set)
#endif
}
namespace OHOS {
@ -449,49 +429,11 @@ bool BaseKey::ClearKey(const std::string &mnt)
LOGD("enter, dir_ = %{public}s", dir_.c_str());
InactiveKey(USER_DESTROY, mnt);
keyInfo_.key.Clear();
WipingActionDir(dir_);
return OHOS::ForceRemoveDirectory(dir_);
// use F2FS_IOC_SEC_TRIM_FILE
}
void BaseKey::WipingActionDir(std::string &path)
{
std::vector<std::string> fileList;
LOGI("WipingActionDir path.c_str() is %{public}s", path.c_str());
OpenSubFile(path.c_str(), fileList);
for (const auto &it: fileList) {
int fd = open(it.c_str(), O_WRONLY | O_CLOEXEC);
if (fd < 0) {
LOGE("open %{public}s failed, errno %{public}u", it.c_str(), errno);
return;
}
uint32_t set = 1;
int ret = ioctl(fd, F2FS_IOC_SET_PIN_FILE, &set);
if (ret != 0) {
LOGE("F2FS_IOC_SET_PIN_FILE ioctl is %{public}u, errno = %{public}u", ret, errno);
}
struct F2fsSectrimRange trimRange;
trimRange.start = 0;
trimRange.len = -1;
trimRange.flags = F2FS_TRIM_FILE_DISCARD | F2FS_TRIM_FILE_ZEROOUT;
ret = ioctl(fd, F2FS_IOC_SEC_TRIM_FILE, &trimRange);
if (ret != 0 && errno == EOPNOTSUPP) {
trimRange.flags = F2FS_TRIM_FILE_ZEROOUT;
ret = ioctl(fd, F2FS_IOC_SEC_TRIM_FILE, &trimRange);
if (ret != 0) {
LOGE("F2FS_IOC_SEC_TRIM_FILE ioctl is %{public}u, errno = %{public}u", ret, errno);
}
}
set = 0;
ret = ioctl(fd, F2FS_IOC_SET_PIN_FILE, &set);
if (ret != 0) {
LOGE("F2FS_IOC_SET_PIN_FILE ioctl is %{public}u", ret);
}
LOGI("WipingActionDir success");
close(fd);
}
}
void BaseKey::SyncKeyDir() const
{
int fd = open(dir_.c_str(), O_RDONLY | O_DIRECTORY | O_CLOEXEC);

View File

@ -157,9 +157,8 @@ int FBEX::LockScreenToKernel(uint32_t userId)
LOGE("open fbex_cmd failed, errno: %{public}d", errno);
return -errno;
}
FbeOpts ops;
(void)memset_s(&ops, sizeof(FbeOpts), 0, sizeof(FbeOpts));
ops.user = userId;
FbeOpts ops{.user = userId};
int ret = ioctl(fd, FBEX_IOC_LOCK_SCREEN, &ops);
if (ret != 0) {
LOGE("ioctl fbex_cmd failed, ret: 0x%{public}x, errno: %{public}d", ret, errno);

View File

@ -26,60 +26,21 @@ static const std::string CRYPTO_NAME_PREFIXES[] = {"ext4", "f2fs", "fscrypt"};
bool FscryptKeyV1::ActiveKey(uint32_t flag, const std::string &mnt)
{
uint32_t elType;
uint32_t sdpClass;
(void)mnt;
LOGD("enter");
if (!GenerateKeyDesc()) {
LOGE("GenerateKeyDesc failed");
return false;
}
KeyBlob keys(keyInfo_.key);
if (!fscryptV1Ext.ActiveKeyExt(flag, keyInfo_.key.data.get(), keyInfo_.key.size, elType)) {
if (!fscryptV1Ext.ActiveKeyExt(flag, keyInfo_.key.data.get(), keyInfo_.key.size)) {
LOGE("fscryptV1Ext ActiveKeyExtfailed");
return false;
}
if (elType == TYPE_EL3 || elType == TYPE_EL4) {
if (elType == TYPE_EL3) {
sdpClass = FSCRYPT_SDP_SECE_CLASS;
} else {
sdpClass = FSCRYPT_SDP_ECE_CLASS;
}
if (!InstallEceSeceKeyToKeyring(sdpClass)) {
LOGE("InstallEceSeceKeyToKeyring failed");
return false;
}
} else {
if (!InstallKeyToKeyring()) {
LOGE("InstallKeyToKeyring failed");
return false;
}
}
keyInfo_.key = std::move(keys);
LOGD("success");
return true;
}
bool FscryptKeyV1::UnlockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt)
{
(void)mnt;
LOGD("enter");
if (!GenerateKeyDesc()) {
LOGE("GenerateKeyDesc failed");
return false;
}
KeyBlob keys(keyInfo_.key);
if (!fscryptV1Ext.UnlockUserScreenExt(flag, keyInfo_.key.data.get(), keyInfo_.key.size)) {
LOGE("fscryptV1Ext UnlockUserScreenExtfailed");
return false;
}
if (sdpClass == FSCRYPT_SDP_ECE_CLASS) {
if (!InstallEceSeceKeyToKeyring(sdpClass)) {
LOGE("UnlockUserScreen InstallKeyToKeyring failed");
return false;
}
}
keyInfo_.key = std::move(keys);
LOGD("success");
return true;
}
@ -122,48 +83,6 @@ bool FscryptKeyV1::InstallKeyToKeyring()
return true;
}
bool FscryptKeyV1::InstallEceSeceKeyToKeyring(uint32_t sdpClass)
{
EncryptionKeySdp fskey;
if (keyInfo_.key.size != sizeof(fskey.raw)) {
LOGE("Wrong key size is %{public}d", keyInfo_.key.size);
return false;
}
fskey.mode = EXT4_ENCRYPTION_MODE_AES_256_XTS;
auto err = memcpy_s(fskey.raw, sizeof(fskey.raw), keyInfo_.key.data.get(), keyInfo_.key.size);
if (err != EOK) {
LOGE("memcpy failed ret %{public}d", err);
return false;
}
fskey.size = EXT4_AES_256_XTS_KEY_SIZE_TO_KEYRING;
fskey.sdpClass = sdpClass;
fskey.version = 0;
key_serial_t krid = KeyCtrlSearch(KEY_SPEC_SESSION_KEYRING, "keyring", "fscrypt", 0);
if (krid == -1) {
LOGI("no session keyring for fscrypt");
krid = KeyCtrlAddKey("keyring", "fscrypt", KEY_SPEC_SESSION_KEYRING);
if (krid == -1) {
LOGE("failed to add session keyring");
return false;
}
}
for (auto prefix : CRYPTO_NAME_PREFIXES) {
std::string keyref = prefix + ":" + keyInfo_.keyDesc.ToString();
key_serial_t ks =
KeyCtrlAddKeySdp("logon", keyref.c_str(), &fskey, krid);
if (ks == -1) {
// Addkey failed, need to process the error
LOGE("Failed to AddKey %{public}s into keyring %{public}d, errno %{public}d", keyref.c_str(), krid,
errno);
}
}
if (!SaveKeyBlob(keyInfo_.keyDesc, dir_ + PATH_KEYDESC)) {
return false;
}
LOGD("success");
return true;
}
bool FscryptKeyV1::InactiveKey(uint32_t flag, const std::string &mnt)
{
(void)mnt;
@ -182,26 +101,6 @@ bool FscryptKeyV1::InactiveKey(uint32_t flag, const std::string &mnt)
return ret;
}
bool FscryptKeyV1::LockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt)
{
uint32_t elType;
(void)mnt;
LOGD("enter");
bool ret = true;
if (!fscryptV1Ext.LockUserScreenExt(flag, elType)) {
LOGE("fscryptV1Ext InactiveKeyExt failed");
ret = false;
}
if (elType == TYPE_EL4) {
if (!UninstallKeyToKeyring()) {
LOGE("UninstallKeyToKeyring failed");
ret = false;
}
}
LOGD("finish");
return ret;
}
bool FscryptKeyV1::UninstallKeyToKeyring()
{
if (keyInfo_.keyDesc.IsEmpty()) {

View File

@ -23,7 +23,7 @@
namespace OHOS {
namespace StorageDaemon {
bool FscryptKeyV1Ext::ActiveKeyExt(uint32_t flag, uint8_t *iv, uint32_t size, uint32_t &elType)
bool FscryptKeyV1Ext::ActiveKeyExt(uint32_t flag, uint8_t *iv, uint32_t size)
{
if (!FBEX::IsFBEXSupported()) {
return true;
@ -35,21 +35,7 @@ bool FscryptKeyV1Ext::ActiveKeyExt(uint32_t flag, uint8_t *iv, uint32_t size, ui
LOGE("InstallKeyToKernel failed, userId %{public}d, type %{public}d, flag %{public}u", userId_, type_, flag);
return false;
}
//Used to associate el3 and el4 kernels.
elType = type_;
return true;
}
bool FscryptKeyV1Ext::UnlockUserScreenExt(uint32_t flag, uint8_t *iv, uint32_t size)
{
if (!FBEX::IsFBEXSupported()) {
return true;
}
LOGD("enter");
if (FBEX::UnlockScreenToKernel(userId_, type_, iv, size)) {
LOGE("UnlockScreenToKernel failed, userId %{public}d", userId_);
return false;
}
return true;
}
@ -77,21 +63,6 @@ bool FscryptKeyV1Ext::InactiveKeyExt(uint32_t flag)
return true;
}
bool FscryptKeyV1Ext::LockUserScreenExt(uint32_t flag, uint32_t &elType)
{
if (!FBEX::IsFBEXSupported()) {
return true;
}
LOGD("enter");
if (FBEX::LockScreenToKernel(flag)) {
LOGE("LockScreenToKernel failed, userId %{public}d", flag);
return false;
}
//Used to associate el3 and el4 kernels.
elType = type_;
return true;
}
uint32_t FscryptKeyV1Ext::GetUserIdFromDir()
{
int userId = USERID_GLOBAL_EL1; // default to global el1

View File

@ -112,21 +112,5 @@ bool FscryptKeyV2::InactiveKey(uint32_t flag, const std::string &mnt)
return false;
}
#endif
bool FscryptKeyV2::LockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt)
{
(void)mnt;
(void)flag;
LOGI("Unsupported fscrypt v2");
return false;
}
bool FscryptKeyV2::UnlockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt)
{
(void)mnt;
(void)flag;
LOGI("Unsupported fscrypt v2");
return false;
}
} // namespace StorageDaemon
} // namespace OHOS

View File

@ -189,10 +189,6 @@ int KeyManager::GenerateAndInstallUserKey(uint32_t userId, const std::string &di
userEl1Key_[userId] = elKey;
} else if (type == EL2_KEY) {
userEl2Key_[userId] = elKey;
} else if (type == EL3_KEY) {
userEl3Key_[userId] = elKey;
} else if (type == EL4_KEY) {
userEl4Key_[userId] = elKey;
}
LOGI("key create success");
@ -231,10 +227,6 @@ int KeyManager::RestoreUserKey(uint32_t userId, const std::string &dir, const Us
userEl1Key_[userId] = elKey;
} else if (type == EL2_KEY) {
userEl2Key_[userId] = elKey;
} else if (type == EL3_KEY) {
userEl3Key_[userId] = elKey;
} else if (type == EL4_KEY) {
userEl4Key_[userId] = elKey;
}
LOGI("key restore success");
@ -254,16 +246,6 @@ bool KeyManager::HasElkey(uint32_t userId, KeyType type)
LOGD("user el2 key has existed");
return true;
}
} else if (type == EL3_KEY) {
if (userEl3Key_.find(userId) != userEl3Key_.end()) {
LOGD("user el3 key has existed");
return true;
}
} else if (type == EL4_KEY) {
if (userEl4Key_.find(userId) != userEl4Key_.end()) {
LOGD("user el4 key has existed");
return true;
}
} else {
LOGE("key type error");
}
@ -313,18 +295,6 @@ int KeyManager::InitUserElkeyStorageDir(void)
LOGE("make el2 storage dir error");
return ret;
}
// 0700 means create el3 permissions
ret = MkDir(USER_EL3_DIR, 0700);
if (ret && errno != EEXIST) {
LOGE("make el3 storage dir error");
return ret;
}
// 0700 means create el4 permissions
ret = MkDir(USER_EL4_DIR, 0700);
if (ret && errno != EEXIST) {
LOGE("make el4 storage dir error");
return ret;
}
return 0;
}
@ -375,16 +345,14 @@ int KeyManager::GenerateUserKeys(unsigned int user, uint32_t flags)
}
std::lock_guard<std::mutex> lock(keyMutex_);
if ((!IsDir(USER_EL1_DIR)) || (!IsDir(USER_EL2_DIR)) || (!IsDir(USER_EL3_DIR)) || (!IsDir(USER_EL4_DIR))) {
if ((!IsDir(USER_EL1_DIR)) || (!IsDir(USER_EL2_DIR))) {
LOGD("El storage dir is not existed");
return -ENOENT;
}
std::string el1Path = USER_EL1_DIR + "/" + std::to_string(user);
std::string el2Path = USER_EL2_DIR + "/" + std::to_string(user);
std::string el3Path = USER_EL3_DIR + "/" + std::to_string(user);
std::string el4Path = USER_EL4_DIR + "/" + std::to_string(user);
if (IsDir(el1Path) || IsDir(el2Path) || IsDir(el3Path) || IsDir(el4Path)) {
if (IsDir(el1Path) || IsDir(el2Path)) {
LOGE("user %{public}d el key have existed, create error", user);
return -EEXIST;
}
@ -400,36 +368,22 @@ int KeyManager::GenerateUserKeys(unsigned int user, uint32_t flags)
LOGE("user el2 create error");
return ret;
}
ret = GenerateAndInstallUserKey(user, el3Path, NULL_KEY_AUTH, EL3_KEY);
if (ret) {
DoDeleteUserKeys(user);
LOGE("user el3 create error");
return ret;
}
ret = GenerateAndInstallUserKey(user, el4Path, NULL_KEY_AUTH, EL4_KEY);
if (ret) {
DoDeleteUserKeys(user);
LOGE("user el4 create error");
return ret;
}
LOGI("Create user el success");
return 0;
}
int KeyManager::DoDeleteUserCeEceSeceKeys(unsigned int user,
const std::string USER_DIR,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
int KeyManager::DoDeleteUserKeys(unsigned int user)
{
int ret = 0;
std::string elPath;
auto it = userElKey_.find(user);
if (it != userElKey_.end()) {
auto it = userEl1Key_.find(user);
if (it != userEl1Key_.end()) {
auto elKey = it->second;
elKey->ClearKey();
userElKey_.erase(user);
userEl1Key_.erase(user);
} else {
elPath = USER_DIR + "/" + std::to_string(user);
elPath = USER_EL1_DIR + "/" + std::to_string(user);
std::shared_ptr<BaseKey> elKey = GetBaseKey(elPath);
if (elKey == nullptr) {
LOGE("Malloc el1 Basekey memory failed");
@ -440,33 +394,25 @@ int KeyManager::DoDeleteUserCeEceSeceKeys(unsigned int user,
ret = -EFAULT;
}
}
return ret;
}
int KeyManager::DoDeleteUserKeys(unsigned int user)
{
int ret = 0;
std::string elPath;
ret = DoDeleteUserCeEceSeceKeys(user, USER_EL1_DIR, userEl1Key_);
if (ret != 0) {
LOGE("Delete el1 key failed");
ret = -EFAULT;
it = userEl2Key_.find(user);
if (it != userEl2Key_.end()) {
auto elKey = it->second;
elKey->ClearKey();
userEl2Key_.erase(user);
} else {
elPath = USER_EL2_DIR + "/" + std::to_string(user);
std::shared_ptr<BaseKey> elKey = GetBaseKey(elPath);
if (elKey == nullptr) {
LOGE("Malloc el2 Basekey memory failed");
return -ENOMEM;
}
ret = DoDeleteUserCeEceSeceKeys(user, USER_EL2_DIR, userEl2Key_);
if (ret != 0) {
if (!elKey->ClearKey()) {
LOGE("Delete el2 key failed");
ret = -EFAULT;
}
ret = DoDeleteUserCeEceSeceKeys(user, USER_EL3_DIR, userEl3Key_);
if (ret != 0) {
LOGE("Delete el3 key failed");
ret = -EFAULT;
}
ret = DoDeleteUserCeEceSeceKeys(user, USER_EL4_DIR, userEl4Key_);
if (ret != 0) {
LOGE("Delete el4 key failed");
ret = -EFAULT;
}
return ret;
}
@ -485,83 +431,36 @@ int KeyManager::DeleteUserKeys(unsigned int user)
}
#ifdef USER_CRYPTO_MIGRATE_KEY
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int KeyManager::UpdateUserAuth(unsigned int user, uint64_t secureUid,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret,
bool needGenerateShield)
#else
int KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret)
int KeyManager::UpdateUserAuth(unsigned int user, uint64_t secureUid,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret)
#endif
{
#ifdef USER_CRYPTO_MIGRATE_KEY
int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl2Key_, needGenerateShield);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl3Key_, needGenerateShield);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl4Key_, needGenerateShield);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
return -EFAULT;
;
}
#else
int ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl2Key_);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el2 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl3Key_);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el3 key fail", user);
return -EFAULT;
;
}
ret = UpdateCeEceSeceUserAuth(user, userTokenSecret, userEl4Key_);
if (ret != 0) {
LOGE("user %{public}u UpdateUserAuth el4 key fail", user);
return -EFAULT;
}
#endif
return ret;
}
#ifdef USER_CRYPTO_MIGRATE_KEY
int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
struct UserTokenSecret *userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
bool needGenerateShield)
{
#else
int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
struct UserTokenSecret *userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
{
#endif
LOGI("start, user:%{public}d", user);
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (userElKey_.find(user) == userElKey_.end()) {
LOGE("Have not found user %{public}u el key", user);
if (userEl2Key_.find(user) == userEl2Key_.end()) {
LOGE("Have not found user %{public}u el2 key", user);
return -ENOENT;
}
auto item = userElKey_[user];
UserAuth auth = {userTokenSecret->token, userTokenSecret->oldSecret, userTokenSecret->secureUid};
auto item = userEl2Key_[user];
UserAuth auth = {token, oldSecret, secureUid};
if ((item->RestoreKey(auth) == false) && (item->RestoreKey(NULL_KEY_AUTH) == false)) {
LOGE("Restore key error");
return -EFAULT;
}
auth.secret = userTokenSecret->newSecret;
auth.secret = newSecret;
#ifdef USER_CRYPTO_MIGRATE_KEY
if (item->StoreKey(auth, needGenerateShield) == false) {
#else
@ -570,6 +469,7 @@ int KeyManager::UpdateCeEceSeceUserAuth(unsigned int user,
LOGE("Store key error");
return -EFAULT;
}
item->keyInfo_.key.Clear();
return 0;
}
@ -581,37 +481,16 @@ int KeyManager::ActiveUserKey(unsigned int user, const std::vector<uint8_t> &tok
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::string keyEL2Dir = USER_EL2_DIR + "/" + std::to_string(user);
std::string keyEL3Dir = USER_EL3_DIR + "/" + std::to_string(user);
std::string keyEL4Dir = USER_EL4_DIR + "/" + std::to_string(user);
if (ActiveCeSceSeceUserKey(user, userEl2Key_, keyEL2Dir, token, secret) != 0) {
LOGI("Active user %{public}u el2 fail", user);
return -EFAULT;
}
if (ActiveCeSceSeceUserKey(user, userEl3Key_, keyEL3Dir, token, secret) != 0) {
LOGI("Active user %{public}u el3 fail", user);
return -EFAULT;
}
if (ActiveCeSceSeceUserKey(user, userEl4Key_, keyEL4Dir, token, secret) != 0) {
LOGI("Active user %{public}u el4 fail", user);
return -EFAULT;
}
return 0;
}
int KeyManager::ActiveCeSceSeceUserKey(unsigned int user,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
std::string keyDir,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &secret)
{
std::lock_guard<std::mutex> lock(keyMutex_);
if (userElKey_.find(user) != userElKey_.end()) {
LOGE("The user %{public}u el have been actived, keyDir is %{public}s", user, keyDir.c_str());
if (userEl2Key_.find(user) != userEl2Key_.end()) {
LOGE("The user %{public}u el2 have been actived", user);
return 0;
}
std::string keyDir = USER_EL2_DIR + "/" + std::to_string(user);
std::string NEED_UPDATE_PATH = keyDir + PATH_LATEST + SUFFIX_NEED_UPDATE;
if (!IsDir(keyDir)) {
LOGE("Have not found user %{public}u el", user);
LOGE("Have not found user %{public}u el2", user);
return -ENOENT;
}
@ -629,40 +508,25 @@ int KeyManager::ActiveCeSceSeceUserKey(unsigned int user,
LOGE("Restore el failed");
return -EFAULT;
}
std::string NEED_UPDATE_PATH = keyDir + PATH_LATEST + SUFFIX_NEED_UPDATE;
if (!FileExists(NEED_UPDATE_PATH) && (elKey->StoreKey(auth) == false)) {
LOGE("Store el failed");
return -EFAULT;
}
if (elKey->ActiveKey(RETRIEVE_KEY) == false) {
LOGE("Active user %{public}u key failed", user);
return -EFAULT;
}
userElKey_[user] = elKey;
LOGI("Active user %{public}u el success", user);
userEl2Key_[user] = elKey;
LOGI("Active user %{public}u el2 success", user);
return 0;
}
int KeyManager::UnlockUserScreen(uint32_t user)
{
LOGI("start");
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (userEl4Key_.find(user) == userEl4Key_.end()) {
LOGE("The user %{public}u not been actived", user);
return 0;
}
auto el4Key = userEl4Key_[user];
if (!el4Key->UnlockUserScreen(user, FSCRYPT_SDP_ECE_CLASS)) {
LOGE("UnlockUserScreen user %{public}u el4 key failed", user);
return -EFAULT;
}
LOGI("UnlockUserScreen user %{public}u el3 and el4 success", user);
LOGI("user %{public}u UnlockUserScreen success", user);
return 0;
}
@ -683,63 +547,27 @@ int KeyManager::InActiveUserKey(unsigned int user)
LOGE("Clear user %{public}u key failed", user);
return -EFAULT;
}
userEl2Key_.erase(user);
LOGI("Inactive user %{public}u el2 success", user);
if (userEl3Key_.find(user) == userEl3Key_.end()) {
LOGE("Have not found user %{public}u el3", user);
return -ENOENT;
}
elKey = userEl3Key_[user];
if (elKey->InactiveKey(USER_LOGOUT) == false) {
LOGE("Clear user %{public}u key failed", user);
return -EFAULT;
}
userEl3Key_.erase(user);
LOGI("Inactive user %{public}u el3 success", user);
if (userEl4Key_.find(user) == userEl4Key_.end()) {
LOGE("Have not found user %{public}u el4", user);
return -ENOENT;
}
elKey = userEl4Key_[user];
if (elKey->InactiveKey(USER_LOGOUT) == false) {
LOGE("Clear user %{public}u key failed", user);
return -EFAULT;
}
userEl4Key_.erase(user);
LOGI("Inactive user %{public}u el3 success", user);
return 0;
}
int KeyManager::LockUserScreen(uint32_t user)
{
LOGI("start");
if (!KeyCtrlHasFscryptSyspara()) {
LOGI("user %{public}u LockUserScreen success", user);
return 0;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (userEl4Key_.find(user) == userEl4Key_.end()) {
LOGE("Have not found user %{public}u el3 or el4", user);
return -ENOENT;
}
auto elKey = userEl4Key_[user];
if (!elKey->LockUserScreen(user, FSCRYPT_SDP_ECE_CLASS)) {
LOGE("Clear user %{public}u key failed", user);
return -EFAULT;
}
LOGI("LockUserScreen user %{public}u el3 and el4 success", user);
return 0;
}
int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std::vector<FileList> &vec)
int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type,
const std::vector<FileList> &vec)
{
LOGI("start");
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::string keyPath;
std::string eceSeceKeyPath;
std::lock_guard<std::mutex> lock(keyMutex_);
if (type == EL1_KEY) {
if (userEl1Key_.find(user) == userEl1Key_.end()) {
@ -747,7 +575,7 @@ int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std:
return -ENOENT;
}
keyPath = userEl1Key_[user]->GetDir();
} else if (type == EL2_KEY || type == EL3_KEY || type == EL4_KEY) {
} else if (type == EL2_KEY) {
if (userEl2Key_.find(user) == userEl2Key_.end()) {
LOGD("Have not found user %{public}u el2 key, not enable el2", user);
return -ENOENT;
@ -757,85 +585,37 @@ int KeyManager::SetDirectoryElPolicy(unsigned int user, KeyType type, const std:
LOGD("Not specify el flags, no need to crypt");
return 0;
}
if (getEceSeceKeyPath(user, type, eceSeceKeyPath) != 0) {
LOGD("method getEceSeceKeyPath fail");
return -ENOENT;
}
for (auto item : vec) {
if (LoadAndSetPolicy(keyPath.c_str(), item.path.c_str()) != 0) {
LOGE("Set directory el policy error!");
return -EFAULT;
}
}
if (type == EL3_KEY || type == EL4_KEY) {
for (auto item : vec) {
if (LoadAndSetEceAndSecePolicy(eceSeceKeyPath.c_str(), item.path.c_str(), static_cast<int>(type)) != 0) {
LOGE("Set directory el policy error!");
return -EFAULT;
}
}
}
LOGI("Set user %{public}u el policy success", user);
return 0;
}
int KeyManager::getEceSeceKeyPath(unsigned int user, KeyType type, std::string &eceSeceKeyPath)
{
if (type == EL3_KEY) {
if (userEl3Key_.find(user) == userEl3Key_.end()) {
LOGD("Have not found user %{public}u el3 key, not enable el3", user);
return -ENOENT;
}
eceSeceKeyPath = userEl3Key_[user]->GetDir();
}
if (type == EL4_KEY) {
if (userEl4Key_.find(user) == userEl4Key_.end()) {
LOGD("Have not found user %{public}u el4 key, not enable el4", user);
return -ENOENT;
}
eceSeceKeyPath = userEl4Key_[user]->GetDir();
}
return 0;
}
int KeyManager::UpdateCeEceSeceKeyContext(uint32_t userId, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_)
{
LOGI("start");
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
std::lock_guard<std::mutex> lock(keyMutex_);
if (userElKey_.find(userId) == userElKey_.end()) {
LOGE("Have not found user %{public}u el2", userId);
return -ENOENT;
}
auto elKey = userElKey_[userId];
if (!elKey->UpdateKey()) {
LOGE("Basekey update newest context failed");
return -EFAULT;
}
return 0;
}
int KeyManager::UpdateKeyContext(uint32_t userId)
{
LOGI("UpdateKeyContext enter");
int ret = UpdateCeEceSeceKeyContext(userId, userEl2Key_);
if (ret != 0) {
LOGE("Basekey update EL2 newest context failed");
return -EFAULT;
LOGI("start");
if (!KeyCtrlHasFscryptSyspara()) {
return 0;
}
ret = UpdateCeEceSeceKeyContext(userId, userEl3Key_);
if (ret != 0) {
LOGE("Basekey update EL3 newest context failed");
return -EFAULT;
std::lock_guard<std::mutex> lock(keyMutex_);
if (userEl2Key_.find(userId) == userEl2Key_.end()) {
LOGE("Have not found user %{public}u el2", userId);
return -ENOENT;
}
ret = UpdateCeEceSeceKeyContext(userId, userEl4Key_);
if (ret != 0) {
LOGE("Basekey update EL4 newest context failed");
auto elKey = userEl2Key_[userId];
if (!elKey->UpdateKey()) {
LOGE("Basekey update newest context failed");
return -EFAULT;
}
LOGI("Basekey update key context success");
return 0;
}

View File

@ -911,20 +911,17 @@ HWTEST_F(CryptoKeyTest, key_manager_generate_delete_user_keys, TestSize.Level1)
KeyManager::GetInstance()->InitGlobalDeviceKey();
KeyManager::GetInstance()->InitGlobalUserKeys();
UserTokenSecret userTokenSecret = {.token = {'t', 'o', 'k', 'e', 'n'}, .oldSecret = {},
.newSecret = {'s', 'e', 'c', 'r', 'e', 't'}, .secureUid = 0};
UserTokenSecret userTokenSecretNull = {.token = {}, .oldSecret = {}, .newSecret = {}, .secureUid = 0};
#ifndef CRYPTO_TEST
KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
KeyManager::GetInstance()->UpdateUserAuth(userId, 0, {'t', 'o', 'k', 'e', 'n'}, {}, {'s', 'e', 'c', 'r', 'e', 't'});
KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
#else
EXPECT_EQ(0, KeyManager::GetInstance()->GenerateUserKeys(userId, 0));
EXPECT_EQ(-EEXIST, KeyManager::GetInstance()->GenerateUserKeys(userId, 0)); // key existed
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL1_KEY, {{userId, USER_EL1_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecretNull));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateUserAuth(userId, 0, {}, {}, {}));
EXPECT_EQ(0, KeyManager::GetInstance()->UpdateKeyContext(userId));
KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
KeyManager::GetInstance()->UpdateUserAuth(userId, 0, {'t', 'o', 'k', 'e', 'n'}, {}, {'s', 'e', 'c', 'r', 'e', 't'});
EXPECT_EQ(-EFAULT, KeyManager::GetInstance()->UpdateKeyContext(userId)); // no need to update keycontext
KeyManager::GetInstance()->InActiveUserKey(userId); // may fail on some platforms
EXPECT_EQ(0, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));
@ -940,7 +937,7 @@ HWTEST_F(CryptoKeyTest, key_manager_generate_delete_user_keys, TestSize.Level1)
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, EL2_KEY, {{userId, USER_EL2_DIR}}));
EXPECT_EQ(0, KeyManager::GetInstance()->SetDirectoryElPolicy(userId, static_cast<KeyType>(0),
{{userId, USER_EL2_DIR}})); // bad keytype
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecretNull));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateUserAuth(userId, 0, {}, {}, {}));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->UpdateKeyContext(userId));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->InActiveUserKey(userId));
EXPECT_EQ(-ENOENT, KeyManager::GetInstance()->ActiveUserKey(userId, {}, {}));

View File

@ -38,7 +38,10 @@ int32_t KeyManager::DeleteUserKeys(unsigned int user)
{
return E_OK;
}
int32_t KeyManager::UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret)
int32_t KeyManager::UpdateUserAuth(unsigned int user, uint64_t secureUid,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret)
{
return E_OK;
}

View File

@ -44,10 +44,7 @@ public:
bool RestoreKey(const UserAuth &auth);
virtual bool ActiveKey(uint32_t flag, const std::string &mnt = MNT_DATA) = 0;
virtual bool InactiveKey(uint32_t flag, const std::string &mnt = MNT_DATA) = 0;
virtual bool LockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt = MNT_DATA) = 0;
virtual bool UnlockUserScreen(uint32_t flag, uint32_t sdpClass, const std::string &mnt = MNT_DATA) = 0;
bool ClearKey(const std::string &mnt = MNT_DATA);
void WipingActionDir(std::string &path);
bool UpgradeKeys();
KeyInfo keyInfo_;
std::string GetDir() const

View File

@ -23,8 +23,8 @@ namespace StorageDaemon {
constexpr uint32_t USERID_GLOBAL_EL1 = 0;
constexpr uint32_t TYPE_EL1 = 0;
constexpr uint32_t TYPE_EL2 = 1;
constexpr uint32_t TYPE_EL3 = 3;
constexpr uint32_t TYPE_EL4 = 2;
constexpr uint32_t TYPE_EL3 = 2;
constexpr uint32_t TYPE_EL4 = 3;
constexpr uint32_t TYPE_GLOBAL_EL1 = 4;
constexpr uint32_t FBEX_IV_SIZE = 64;

View File

@ -18,7 +18,6 @@
#include "base_key.h"
#include "fscrypt_key_v1_ext.h"
#include "libfscrypt/key_control.h"
#include "fbex.h"
namespace OHOS {
namespace StorageDaemon {
@ -34,13 +33,10 @@ public:
bool ActiveKey(uint32_t flag = 0, const std::string &mnt = MNT_DATA);
bool InactiveKey(uint32_t flag = 0, const std::string &mnt = MNT_DATA);
bool LockUserScreen(uint32_t flag = 0, uint32_t sdpClass = 0, const std::string &mnt = MNT_DATA);
bool UnlockUserScreen(uint32_t flag = 0, uint32_t sdpClass = 0, const std::string &mnt = MNT_DATA);
private:
bool GenerateKeyDesc();
bool InstallKeyToKeyring();
bool InstallEceSeceKeyToKeyring(uint32_t sdpClass);
bool UninstallKeyToKeyring();
FscryptKeyV1Ext fscryptV1Ext;
};

View File

@ -30,10 +30,8 @@ public:
userId_ = GetUserIdFromDir();
type_ = GetTypeFromDir();
}
bool ActiveKeyExt(uint32_t flag, uint8_t *iv, uint32_t size, uint32_t &elType);
bool ActiveKeyExt(uint32_t flag, uint8_t *iv, uint32_t size);
bool InactiveKeyExt(uint32_t flag);
bool LockUserScreenExt(uint32_t flag, uint32_t &elType);
bool UnlockUserScreenExt(uint32_t flag, uint8_t *iv, uint32_t size);
private:
uint32_t GetUserIdFromDir();

View File

@ -32,8 +32,6 @@ public:
bool ActiveKey(uint32_t flag = 0, const std::string &mnt = MNT_DATA);
bool InactiveKey(uint32_t flag = 0, const std::string &mnt = MNT_DATA);
bool LockUserScreen(uint32_t flag = 0, uint32_t sdpClass = 0, const std::string &mnt = MNT_DATA);
bool UnlockUserScreen(uint32_t flag = 0, uint32_t sdpClass = 0, const std::string &mnt = MNT_DATA);
};
} // namespace StorageDaemon
} // namespace OHOS

View File

@ -59,14 +59,6 @@ const std::string DEVICE_EL1_DIR = STORAGE_DAEMON_DIR + "/sd";
class KeyBlob {
public:
KeyBlob() = default;
KeyBlob(KeyBlob const &blob)
{
Alloc(blob.size);
auto ret = memcpy_s(data.get(), size, blob.data.get(), blob.size);
if (ret != EOK) {
Clear();
}
}
~KeyBlob()
{
Clear();

View File

@ -23,7 +23,6 @@
#include "base_key.h"
#include "key_blob.h"
#include "ipc/storage_daemon.h"
#include "storage_service_constant.h"
#include "utils/file_utils.h"
@ -34,8 +33,6 @@ const std::string SERVICE_STORAGE_DAEMON_DIR = FSCRYPT_USER_EL1_PUBLIC + "/stora
const std::string FSCRYPT_EL_DIR = SERVICE_STORAGE_DAEMON_DIR + "/sd";
const std::string USER_EL1_DIR = FSCRYPT_EL_DIR + "/el1";
const std::string USER_EL2_DIR = FSCRYPT_EL_DIR + "/el2";
const std::string USER_EL3_DIR = FSCRYPT_EL_DIR + "/el3";
const std::string USER_EL4_DIR = FSCRYPT_EL_DIR + "/el4";
class KeyManager {
public:
static KeyManager *GetInstance(void)
@ -47,29 +44,24 @@ public:
int InitGlobalUserKeys(void);
int GenerateUserKeys(unsigned int user, uint32_t flags);
int DeleteUserKeys(unsigned int user);
#ifdef USER_CRYPTO_MIGRATE_KEY
int UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
int UpdateUserAuth(unsigned int user, uint64_t secureUid,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret,
bool needGenerateShield = true);
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_, bool needGenerateShield);
#else
int UpdateUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret);
int UpdateCeEceSeceUserAuth(unsigned int user, struct UserTokenSecret *userTokenSecret,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_);
int UpdateUserAuth(unsigned int user, uint64_t secureUid,
const std::vector<uint8_t> &token,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret);
#endif
int ActiveUserKey(unsigned int user, const std::vector<uint8_t> &token,
const std::vector<uint8_t> &secret);
int ActiveCeSceSeceUserKey(unsigned int user, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_,
std::string keyDir, const std::vector<uint8_t> &token,
const std::vector<uint8_t> &secret);
int InActiveUserKey(unsigned int user);
int SetDirectoryElPolicy(unsigned int user, KeyType type,
const std::vector<FileList> &vec);
int UpdateKeyContext(uint32_t userId);
int UpdateCeEceSeceKeyContext(uint32_t userId, std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_);
int getEceSeceKeyPath(unsigned int user, KeyType type, std::string &eceSeceKeyPath);
int LockUserScreen(uint32_t user);
int UnlockUserScreen(uint32_t user);
#ifdef USER_CRYPTO_MIGRATE_KEY
@ -89,15 +81,11 @@ private:
int InitUserElkeyStorageDir(void);
bool HasElkey(uint32_t userId, KeyType type);
int DoDeleteUserKeys(unsigned int user);
int DoDeleteUserCeEceSeceKeys(unsigned int user, const std::string USER_DIR,
std::map<unsigned int, std::shared_ptr<BaseKey>> &userElKey_);
int UpgradeKeys(const std::vector<FileList> &dirInfo);
std::shared_ptr<BaseKey> GetBaseKey(const std::string& dir);
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl1Key_;
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl2Key_;
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl3Key_;
std::map<unsigned int, std::shared_ptr<BaseKey>> userEl4Key_;
std::shared_ptr<BaseKey> globalEl1Key_ { nullptr };
std::mutex keyMutex_;

View File

@ -25,9 +25,7 @@ class IStorageDaemon : public IRemoteBroker {
public:
enum {
CRYPTO_FLAG_EL1 = 1,
CRYPTO_FLAG_EL2 = 2,
CRYPTO_FLAG_EL3 = 4,
CRYPTO_FLAG_EL4 = 8,
CRYPTO_FLAG_EL2,
};
virtual int32_t Shutdown() = 0;

View File

@ -17,19 +17,11 @@
#define OHOS_STORAGE_DAEMON_STORAGE_DAEMON_H
#include <mutex>
#include "system_ability_status_change_stub.h"
#include "ipc/storage_daemon_stub.h"
#include <vector>
#include "system_ability_status_change_stub.h"
namespace OHOS {
namespace StorageDaemon {
struct UserTokenSecret {
const std::vector<uint8_t> token;
const std::vector<uint8_t> oldSecret;
const std::vector<uint8_t> newSecret;
uint64_t secureUid;
};
class StorageDaemon : public StorageDaemonStub {
public:
StorageDaemon() = default;

View File

@ -15,35 +15,15 @@
#ifndef FSCRYPT_CONTROL_H
#define FSCRYPT_CONTROL_H
#include "key_control.h"
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
#endif
#define SDP_VERSIOIN 0
#define SDP_FLAGS 0
#define SDP_CONTENTS_ENCRYPTION_MODE 1
#define SDP_FILENAMES_ENCRYPTION_MODE 4
#define FS_KEY_DESC_SIZE 8
#define F2FS_IOCTL_MAGIC 0xf5
#define F2FS_IOC_SET_SDP_ENCRYPTION_POLICY _IOW(F2FS_IOCTL_MAGIC, 80, struct FscryptSdpPolicy)
#pragma pack(push, 1)
struct FscryptSdpPolicy {
uint8_t version;
uint8_t sdpclass;
uint8_t contentsEncryptionMode;
uint8_t filenamesEncryptionMode;
uint8_t flags;
uint8_t masterKeyDescriptor[FS_KEY_DESC_SIZE];
};
#pragma pack(pop)
int FscryptSetSysparam(const char *policy);
int SetGlobalEl1DirPolicy(const char *dir);
int LoadAndSetPolicy(const char *keyDir, const char *dir);
int LoadAndSetEceAndSecePolicy(const char *keyDir, const char *dir, int type);
int InitFscryptPolicy(void);
uint8_t GetFscryptVersionFromPolicy(void);

View File

@ -25,7 +25,6 @@
#endif
#include <stdbool.h>
#include <stdint.h>
#ifdef __cplusplus
extern "C" {
@ -33,37 +32,12 @@ extern "C" {
#define POLICY_BUF_SIZE (100)
static const uint32_t FSCRYPT_CE_CLASS = 1;
static const uint32_t FSCRYPT_SDP_ECE_CLASS = 2;
static const uint32_t FSCRYPT_SDP_SECE_CLASS = 3;
static const uint32_t FSCRYPT_DPS_CLASS = 4;
#define EXT4_AES_256_XTS_KEY_SIZE 64
#define EXT4_ENCRYPTION_MODE_ECDH 3
#define EXT4_ENCRYPTION_MODE_AES_256_XTS 1
#define SECE_PUB_KEY_LEN 64
#define SECE_PRI_KEY_LEN 32
#define EXT4_AES_256_XTS_KEY_SIZE_TO_KEYRING 32
enum {
FSCRYPT_INVALID = 0,
FSCRYPT_V1 = 1,
FSCRYPT_V2 = 2,
};
#define EXT4_MAX_KEY_SIZE 64
#pragma pack(push, 1)
struct EncryptionKeySdp {
uint32_t version;
uint32_t sdpClass; //ECE || SECE
uint32_t mode; //xts or ecdh
char raw[EXT4_MAX_KEY_SIZE];
uint32_t size;
char pubkey[EXT4_MAX_KEY_SIZE];
uint32_t pubkeySize;
};
#pragma pack(pop)
union FscryptPolicy {
struct fscrypt_policy_v1 v1;
#ifdef SUPPORT_FSCRYPT_V2
@ -82,8 +56,6 @@ key_serial_t KeyCtrlAddKey(const char *type, const char *description,
const key_serial_t ringId);
key_serial_t KeyCtrlAddKeyEx(const char *type, const char *description,
struct fscrypt_key *fsKey, const key_serial_t ringId);
key_serial_t KeyCtrlAddKeySdp(const char *type, const char *description,
struct EncryptionKeySdp *fsKey, const key_serial_t ringId);
long KeyCtrlSearch(key_serial_t ringId, const char *type, const char *description,
key_serial_t destRingId);
long KeyCtrlUnlink(key_serial_t key, key_serial_t keyring);

View File

@ -52,7 +52,6 @@ private:
static std::shared_ptr<UserManager> instance_;
const std::vector<DirInfo> rootDirVec_;
const std::vector<DirInfo> eceSeceDirVec_;
const std::vector<DirInfo> subDirVec_;
const std::vector<DirInfo> el2DirVec_;
const std::vector<DirInfo> el1DirVec_;

View File

@ -51,7 +51,6 @@ void TraverseDirUevent(const std::string &path, bool flag);
void ChownRecursion(const std::string dir, uid_t uid, gid_t gid);
int IsSameGidUid(const std::string dir, uid_t uid, gid_t gid);
void MoveFileManagerData(const std::string &filesPath);
void OpenSubFile(const std::string &path, std::vector<std::string> &dirInfo);
}
}

View File

@ -170,8 +170,6 @@ int32_t StorageDaemon::RestoreUserKey(int32_t userId, uint32_t flags)
int32_t StorageDaemon::PrepareUserDirs(int32_t userId, uint32_t flags)
{
//CRYPTO_FLAG_EL3 create el3, CRYPTO_FLAG_EL4 create el4
flags = flags | IStorageDaemon::CRYPTO_FLAG_EL3 | IStorageDaemon::CRYPTO_FLAG_EL4;
#ifdef USER_CRYPTO_MANAGER
int32_t ret = KeyManager::GetInstance()->GenerateUserKeys(userId, flags);
#ifdef USER_CRYPTO_MIGRATE_KEY
@ -190,8 +188,6 @@ int32_t StorageDaemon::PrepareUserDirs(int32_t userId, uint32_t flags)
int32_t StorageDaemon::DestroyUserDirs(int32_t userId, uint32_t flags)
{
//CRYPTO_FLAG_EL3 destroy el3, CRYPTO_FLAG_EL4 destroy el4
flags = flags | IStorageDaemon::CRYPTO_FLAG_EL3 | IStorageDaemon::CRYPTO_FLAG_EL4;
int32_t ret = UserManager::GetInstance()->DestroyUserDirs(userId, flags);
if (ret != E_OK) {
LOGW("Destroy user %{public}d dirs failed, please check", userId);
@ -267,10 +263,8 @@ int32_t StorageDaemon::UpdateUserAuth(uint32_t userId, uint64_t secureUid,
const std::vector<uint8_t> &oldSecret,
const std::vector<uint8_t> &newSecret)
{
UserTokenSecret userTokenSecret = {
.token = token, .oldSecret = oldSecret, .newSecret = newSecret, .secureUid = secureUid};
#ifdef USER_CRYPTO_MANAGER
return KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
return KeyManager::GetInstance()->UpdateUserAuth(userId, secureUid, token, oldSecret, newSecret);
#else
return E_OK;
#endif
@ -286,8 +280,7 @@ int32_t StorageDaemon::PrepareUserDirsAndUpdateUserAuth(uint32_t userId, const s
if (ret != E_OK) {
return ret;
}
UserTokenSecret userTokenSecret = {.token = token, .oldSecret = {'!'}, .newSecret = secret, .secureUid = 0};
ret = KeyManager::GetInstance()->UpdateUserAuth(userId, &userTokenSecret);
ret = KeyManager::GetInstance()->UpdateUserAuth(userId, 0, token, {'!'}, secret, false);
if (ret != E_OK) {
return ret;
}

View File

@ -23,7 +23,6 @@ config("fscrypt_utils_config") {
"${start_init_services_path}/log",
"${start_init_interfaces_path}/innerkits/include",
"${start_init_interfaces_path}/innerkits/include/param",
"${storage_service_common_path}/include",
]
cflags = [
@ -92,11 +91,6 @@ ohos_static_library("libfscryptutils_static") {
configs = [ ":fscrypt_utils_config" ]
external_deps = [
"c_utils:utils",
"init:libbegetutil",
]
subsystem_name = "filemanagement"
part_name = "storage_service"
deps = [ "//third_party/bounds_checking_function:libsec_static" ]

View File

@ -27,7 +27,6 @@
#include "init_utils.h"
#include "key_control.h"
#include "securec.h"
#include <sys/ioctl.h>
#define ARRAY_LEN(array) (sizeof((array)) / sizeof((array)[0]))
@ -395,82 +394,6 @@ int LoadAndSetPolicy(const char *keyDir, const char *dir)
return ret;
}
static int ActSetFileXattrActSetFileXattr(const char *path, char *keyDesc, int storageType)
{
struct FscryptSdpPolicy PolicySDP = {0, 0, 0, 0, 0, {0, 0, 0, 0, 0, 0, 0, 0}};
PolicySDP.version = SDP_VERSIOIN;
PolicySDP.sdpclass = storageType;
PolicySDP.contentsEncryptionMode = SDP_CONTENTS_ENCRYPTION_MODE;
PolicySDP.filenamesEncryptionMode = SDP_FILENAMES_ENCRYPTION_MODE;
PolicySDP.flags = SDP_FLAGS;
int ret = memcpy_s((char *)PolicySDP.masterKeyDescriptor, FS_KEY_DESC_SIZE, (char *)keyDesc,
FSCRYPT_KEY_DESCRIPTOR_SIZE);
if (ret != 0) {
FSCRYPT_LOGE("memcpy_s copy failed");
return -errno;
}
int fd = open((char *)path, O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
if (fd < 0) {
FSCRYPT_LOGE("install File or Directory open failed: %{public}d", errno);
return -errno;
}
ret = ioctl(fd, F2FS_IOC_SET_SDP_ENCRYPTION_POLICY, &PolicySDP);
if (ret != 0) {
FSCRYPT_LOGE("ioctl fbex_cmd failed, ret: 0x%{public}X, errno: %{public}d", ret, errno);
close(fd);
return ret;
}
close(fd);
return ret;
}
int LoadAndSetEceAndSecePolicy(const char *keyDir, const char *dir, int type)
{
int el3Key = 3; // el3
int el4Key = 4; // el4
if (!keyDir || !dir) {
FSCRYPT_LOGE("set policy parameters is null");
return -EINVAL;
}
char *pathBuf = NULL;
int ret = -ENOTSUP;
ret = SpliceKeyPath(keyDir, strlen(keyDir), PATH_KEYDESC, strlen(PATH_KEYDESC), &pathBuf);
if (ret != 0) {
FSCRYPT_LOGE("path splice error");
return ret;
}
uint8_t fscryptVer = KeyCtrlLoadVersion(keyDir);
if (fscryptVer == FSCRYPT_V1) {
if (type == el3Key || type == el4Key) {
if (type == el3Key) {
type = FSCRYPT_SDP_SECE_CLASS;
} else {
type = FSCRYPT_SDP_ECE_CLASS;
}
char keyDesc[FSCRYPT_KEY_DESCRIPTOR_SIZE] = {0};
ret = ReadKeyFile(pathBuf, keyDesc, FSCRYPT_KEY_DESCRIPTOR_SIZE);
if (ret != 0) {
return ret;
}
ret = ActSetFileXattrActSetFileXattr(dir, keyDesc, type);
if (ret != 0) {
FSCRYPT_LOGE("ActSetFileXattr failed");
return ret;
}
}
#ifdef SUPPORT_FSCRYPT_V2
} else if (fscryptVer == FSCRYPT_V2) {
return 0;
#endif
}
if (pathBuf != NULL) {
free(pathBuf);
}
return ret;
}
int SetGlobalEl1DirPolicy(const char *dir)
{
if (!g_fscryptEnabled) {
@ -479,7 +402,8 @@ int SetGlobalEl1DirPolicy(const char *dir)
}
for (size_t i = 0; i < ARRAY_LEN(GLOBAL_FSCRYPT_DIR); i++) {
size_t tmpLen = strlen(GLOBAL_FSCRYPT_DIR[i]);
if ((strncmp(dir, GLOBAL_FSCRYPT_DIR[i], tmpLen) == 0) && (strlen(dir) == tmpLen)) {
if ((strncmp(dir, GLOBAL_FSCRYPT_DIR[i], tmpLen) == 0) &&
(strlen(dir) == tmpLen)) {
return LoadAndSetPolicy(DEVICE_EL1_DIR, dir);
}
}

View File

@ -50,14 +50,6 @@ key_serial_t KeyCtrlAddKeyEx(const char *type, const char *description,
ringId);
}
key_serial_t KeyCtrlAddKeySdp(const char *type, const char *description,
struct EncryptionKeySdp *fsKey, const key_serial_t ringId)
{
return syscall(__NR_add_key, type, description,
(void *)(fsKey), sizeof(struct EncryptionKeySdp),
ringId);
}
long KeyCtrlSearch(key_serial_t ringId, const char *type, const char *description,
key_serial_t destRingId)
{

View File

@ -23,7 +23,9 @@
#include "storage_daemon_client.h"
#include "storage_service_log.h"
#include "utils/file_utils.h"
constexpr const uint32_t ARGS_NUMS_SIX = 6;
constexpr const uint32_t ARGS_NUMS_FIVE = 5;
constexpr const uint32_t ARGS_NUMS_FOUR = 4;
static int32_t InitGlobalKey(const std::vector<std::string> &args)
{
(void)args;
@ -39,7 +41,7 @@ static int32_t InitMainUser(const std::vector<std::string> &args)
#ifdef SDC_TEST_ENABLE
static int32_t GenerateUserKeys(const std::vector<std::string> &args)
{
if (args.size() < 5) {
if (args.size() < ARGS_NUMS_FIVE) {
LOGE("Parameter nums is less than 5, please retry");
return -EINVAL;
}
@ -56,7 +58,7 @@ static int32_t GenerateUserKeys(const std::vector<std::string> &args)
static int32_t PrepareUserSpace(const std::vector<std::string> &args)
{
if (args.size() < 5) {
if (args.size() < ARGS_NUMS_FIVE) {
LOGE("Parameter nums is less than 5, please retry");
return -EINVAL;
}
@ -73,7 +75,7 @@ static int32_t PrepareUserSpace(const std::vector<std::string> &args)
static int32_t DeleteUserKeys(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -88,7 +90,7 @@ static int32_t DeleteUserKeys(const std::vector<std::string> &args)
static int32_t DestroyUserSpace(const std::vector<std::string> &args)
{
if (args.size() < 5) {
if (args.size() < ARGS_NUMS_FIVE) {
LOGE("Parameter nums is less than 5, please retry");
return -EINVAL;
}
@ -105,7 +107,7 @@ static int32_t DestroyUserSpace(const std::vector<std::string> &args)
static int32_t UpdateUserAuth(const std::vector<std::string> &args)
{
if (args.size() < 5) {
if (args.size() < ARGS_NUMS_FIVE) {
LOGE("Parameter nums is less than 5, please retry");
return -EINVAL;
}
@ -117,7 +119,7 @@ static int32_t UpdateUserAuth(const std::vector<std::string> &args)
}
// 4 means take the fifth argument of args, 5 means take the sixth argument of args
if (args.size() == 6) {
if (args.size() == ARGS_NUMS_SIX) {
std::vector<uint8_t> oldSecret(args[4].begin(), args[4].end());
std::vector<uint8_t> newSecret(args[5].begin(), args[5].end());
return OHOS::StorageDaemon::StorageDaemonClient::UpdateUserAuth(userId, 0, {}, oldSecret, newSecret);
@ -128,7 +130,7 @@ static int32_t UpdateUserAuth(const std::vector<std::string> &args)
static int32_t ActiveUserKey(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -139,7 +141,7 @@ static int32_t ActiveUserKey(const std::vector<std::string> &args)
return -EINVAL;
}
// 4 means take the fifth argument of args
if (args.size() == 5) {
if (args.size() == ARGS_NUMS_FIVE) {
std::vector<uint8_t> secret(args[4].begin(), args[4].end());
return OHOS::StorageDaemon::StorageDaemonClient::ActiveUserKey(userId, {}, secret);
}
@ -148,7 +150,7 @@ static int32_t ActiveUserKey(const std::vector<std::string> &args)
static int32_t InactiveUserKey(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -163,7 +165,7 @@ static int32_t InactiveUserKey(const std::vector<std::string> &args)
static int32_t LockUserScreen(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -178,7 +180,7 @@ static int32_t LockUserScreen(const std::vector<std::string> &args)
static int32_t UnlockUserScreen(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -193,7 +195,7 @@ static int32_t UnlockUserScreen(const std::vector<std::string> &args)
static int32_t EnableFscrypt(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}
@ -203,7 +205,7 @@ static int32_t EnableFscrypt(const std::vector<std::string> &args)
static int32_t UpdateKeyContext(const std::vector<std::string> &args)
{
if (args.size() < 4) {
if (args.size() < ARGS_NUMS_FOUR) {
LOGE("Parameter nums is less than 4, please retry");
return -EINVAL;
}

View File

@ -33,8 +33,6 @@ UserManager::UserManager()
: rootDirVec_{{"/data/app/%s/%d", 0711, OID_ROOT, OID_ROOT},
{"/data/service/%s/%d", 0711, OID_ROOT, OID_ROOT},
{"/data/chipset/%s/%d", 0711, OID_ROOT, OID_ROOT}},
eceSeceDirVec_{{"/data/app/%s/%d", 0711, OID_ROOT, OID_ROOT},
{"/data/service/%s/%d", 0711, OID_ROOT, OID_ROOT}},
subDirVec_{{"/data/app/%s/%d/base", 0711, OID_ROOT, OID_ROOT},
{"/data/app/%s/%d/database", 0711, OID_ROOT, OID_ROOT}},
el2DirVec_{{"/data/service/el2/%d/backup", 02771, OID_BACKUP, OID_BACKUP},
@ -77,44 +75,40 @@ int32_t UserManager::PrepareUserDirs(int32_t userId, uint32_t flags)
if (err != E_OK) {
return err;
}
err = PrepareEl1BundleDir(userId);
if (err != E_OK) {
return err;
}
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL2) {
err = PrepareDirsFromIdAndLevel(userId, EL2);
if (err != E_OK) {
return err;
}
err = PrepareEl2BackupDir(userId);
if (err != E_OK) {
return err;
}
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL3) {
err = PrepareDirsFromIdAndLevel(userId, EL3);
if (err != E_OK) {
return err;
}
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL4) {
err = PrepareDirsFromIdAndLevel(userId, EL4);
if (err != E_OK) {
return err;
}
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL2) {
err = MountManager::GetInstance()->PrepareHmdfsDirs(userId);
if (err != E_OK) {
LOGE("Prepare hmdfs dir error");
return err;
}
err = MountManager::GetInstance()->PrepareFileManagerDirs(userId);
if (err != E_OK) {
LOGE("Prepare fileManager dir error");
return err;
}
err = PrepareEl2BackupDir(userId);
if (err != E_OK) {
return err;
}
int32_t errorCode = PrepareEl1Dir(userId);
if (errorCode != E_OK) {
LOGW("Prepare el1 dir fail, %{public}d.", errorCode);
}
}
return E_OK;
@ -155,16 +149,6 @@ int32_t UserManager::DestroyUserDirs(int32_t userId, uint32_t flags)
ret = (err != E_OK) ? err : ret;
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL3) {
err = DestroyDirsFromIdAndLevel(userId, EL3);
ret = (err != E_OK) ? err : ret;
}
if (flags & IStorageDaemon::CRYPTO_FLAG_EL4) {
err = DestroyDirsFromIdAndLevel(userId, EL4);
ret = (err != E_OK) ? err : ret;
}
return ret;
}
@ -194,32 +178,19 @@ inline bool DestroyDirsFromVec(int32_t userId, const std::string &level, const s
int32_t UserManager::PrepareDirsFromIdAndLevel(int32_t userId, const std::string &level)
{
std::vector<FileList> list;
if (level != EL3 && level != EL4) {
if (!PrepareDirsFromVec(userId, level, rootDirVec_)) {
LOGE("failed to prepare %{public}s root dirs for userid %{public}d", level.c_str(), userId);
return E_PREPARE_DIR;
}
// set policy here
std::vector<FileList> list;
for (auto item : rootDirVec_) {
FileList temp;
temp.userId = static_cast<uint32_t>(userId);
temp.path = StringPrintf(item.path.c_str(), level.c_str(), userId);
list.push_back(temp);
}
} else {
if (!PrepareDirsFromVec(userId, level, eceSeceDirVec_)) {
LOGE("failed to prepare %{public}s root dirs for userid %{public}d", level.c_str(), userId);
return E_PREPARE_DIR;
}
// set policy here
for (auto item : eceSeceDirVec_) {
FileList temp;
temp.userId = static_cast<uint32_t>(userId);
temp.path = StringPrintf(item.path.c_str(), level.c_str(), userId);
list.push_back(temp);
}
}
int ret = SetElDirFscryptPolicy(userId, level, list);
if (ret != E_OK) {
LOGE("Set el poilcy failed");
@ -236,17 +207,11 @@ int32_t UserManager::PrepareDirsFromIdAndLevel(int32_t userId, const std::string
int32_t UserManager::DestroyDirsFromIdAndLevel(int32_t userId, const std::string &level)
{
if (level != EL3 && level != EL4) {
if (!DestroyDirsFromVec(userId, level, rootDirVec_)) {
LOGE("failed to destroy %{public}s dirs for userid %{public}d", level.c_str(), userId);
return E_DESTROY_DIR;
}
} else {
if (!DestroyDirsFromVec(userId, level, eceSeceDirVec_)) {
LOGE("failed to destroy %{public}s dirs for userid %{public}d", level.c_str(), userId);
return E_DESTROY_DIR;
}
}
return E_OK;
}

View File

@ -123,8 +123,7 @@ HWTEST_F(UserManagerTest, Storage_Manager_UserManagerTest_PrepareUserDirs_001, T
auto bRet = StorageTest::StorageTestUtils::CreateFile(filePath);
EXPECT_TRUE(bRet) << "check the file create";
int32_t flags = IStorageDaemon::CRYPTO_FLAG_EL1 | IStorageDaemon::CRYPTO_FLAG_EL2 |
IStorageDaemon::CRYPTO_FLAG_EL3 | IStorageDaemon::CRYPTO_FLAG_EL4;
int32_t flags = IStorageDaemon::CRYPTO_FLAG_EL1 | IStorageDaemon::CRYPTO_FLAG_EL2;
int32_t ret = userManager->PrepareUserDirs(StorageTest::StorageTestUtils::USER_ID1, flags);
EXPECT_TRUE(ret == E_PREPARE_DIR) << "the path is not dir";
@ -170,8 +169,7 @@ HWTEST_F(UserManagerTest, Storage_Manager_UserManagerTest_PrepareUserDirs_003, T
std::shared_ptr<UserManager> userManager = UserManager::GetInstance();
ASSERT_TRUE(userManager != nullptr);
int32_t flags = IStorageDaemon::CRYPTO_FLAG_EL1 | IStorageDaemon::CRYPTO_FLAG_EL2 |
IStorageDaemon::CRYPTO_FLAG_EL3 | IStorageDaemon::CRYPTO_FLAG_EL4;
int32_t flags = IStorageDaemon::CRYPTO_FLAG_EL1 | IStorageDaemon::CRYPTO_FLAG_EL2;
auto ret = KeyManager::GetInstance()->GenerateUserKeys(StorageTest::StorageTestUtils::USER_ID5, flags);
EXPECT_EQ(ret, E_OK);

View File

@ -325,39 +325,6 @@ void ReadDigitDir(const std::string &path, std::vector<FileList> &dirInfo)
(void)closedir(dir);
}
void OpenSubFile(const std::string &path, std::vector<std::string> &file)
{
struct stat st;
int ret = TEMP_FAILURE_RETRY(lstat(path.c_str(), &st));
if (ret != 0 || ((st.st_mode & S_IFDIR) != S_IFDIR)) {
LOGI("path is not dir");
return;
}
DIR *dir = opendir(path.c_str());
if (!dir) {
LOGI("failed to open dir %{public}s, errno %{public}d", path.c_str(), errno);
return;
}
for (struct dirent *ent = readdir(dir); ent != nullptr; ent = readdir(dir)) {
if ((ent->d_type != DT_DIR)) {
std::string name(ent->d_name);
std::string filePath = path + "/" + name;
LOGI("filePath is %{public}s", filePath.c_str());
file.push_back(filePath);
continue;
} else {
if ((strcmp(ent->d_name, ".") == 0) || (strcmp(ent->d_name, "..") == 0)) {
continue;
}
std::string name(ent->d_name);
std::string filePath = path + "/" + name;
OpenSubFile(filePath, file);
}
}
(void)closedir(dir);
}
bool ReadFile(std::string path, std::string *str)
{
std::ifstream infile;