7d1222a5fe
* HTC U11 Oreo is using keymaster3 FDE encryption which requires
  the new services:
    1- /system/bin/hwservicemanager
    2- /vendor/bin/hw/android.hardware.keymaster@3.0-service
    3- /vendor/bin/qseecomd (instead of /system/bin/qseecomd)
  So in addition to /vendor/lib and /vendor/lib64 also
  symlink /system/vendor/bin to /vendor/bin.

* vold_decrypt services now have separate prefixes:
    1- 'sys_' referring to /system/bin
    2- 'ven_' referring to /vendor/bin

* The additional (hwservicemanager, keymaster-3-0) and modified
  (qseecomd) .rc files have been updated in the vold_decrypt
  directory.
  Comments were added directly in the .rc files, please check
  them.

* /etc/recovery.fstab needs to be temporarily moved since
  vold will use it if it finds the '/sbin/recovery' file
  (refer to fs_mgr for the fstab load code https://goo.gl/8KaZyf).
  Since fs_mgr cannot parse TWRP style fstab, we 'hide' it
  and attempt to create a symlink to /fstab.{ro.hardware}.

Also remove shell dependencies, code cleanup, new error codes:

* Critical sections of vold_decrypt should not rely on the external
  shell (and the available binaries) provided by TWFunc::Exec_Cmd.
  Doing so may lead to failures resulting from different shell
  provided binaries not working properly, especially since busybox
  can be inconsistent across different trees.
  In particular the following functions have been changed:
    * run_vdc() no longer uses daisy chained commands, instead
      it now forks and executes vdc directly including a 30 second
      built in timeout.
    * Symlink_Firmware_Files() no longer relies on the shell 'find'
      command to retrieve the list of firmware/vendor files and instead
      uses a built in function, Find_Firmware_Files(), which traverses
      the system partition to retrieve the list of files.

* The code has also been cleaned up a little for better consistency,
  and vold_decrypt will now return various error codes for the
  different failures, as defined in vold_decrypt.h, which allows the
  gui_msg to be moved back to partitionmanager.cpp.

Notes regarding pre Android 8.0 builds:

* Service names in .rc files cannot exceed 16 characters (including
  the prepended 'sys_' or 'ven_') in Android 7.1 and below, so a
  service name such as 'sys_hwservicemanager' is out of the question
  for 7.1 and below.

* hwservicemanager will check ACLs on 'hwservicemanager' and 'ITokenManager'
  if they are even allowed to run, otherwise the interfaces will fail.
  The policies have only been introduced in 8.0, and although it is possible
  to manually add them to the 7.1 policies it's not recommended.

* Therefore the best course of action is to build in 8.0.

* SIDE NOTE: On the HTC U11 we are actually using omni-7.1 with some changes
  in the device tree to support both Nougat and Oreo decryption, please
  refer to:
    1- https://gerrit.twrp.me/c/2756/ for the necessary sepolicy and
       BoardConfig changes.
    2- The Android.mk file for vold_decrypt was modified to truncate
       greater than 16 character service names (as mentioned therein)

Other changes:

* TW_CRYPTO_SYSTEM_VOLD_DISABLE_TIMEOUT is now deprecated due to built-in
  fork and timeout.

* Output_dmesg_to_recovery_log() is also deprecated so upon a failed
  decryption the recovery.log will no longer append it, instead you can
  just use 'adb shell dmesg' to check it. Nonetheless if a true debug
  build is needed use the original TW_CRYPTO_SYSTEM_VOLD_DEBUG flag as
  outlined in the original commit message (see below).

Usage info:

This is an update to the initial vold_decrypt, for more info refer to
https://github.com/omnirom/android_bootable_recovery/commit/71c6c50d0da1f32dd18a749797e88de2358c5ba1

Change-Id: Id7129d125ae7f5dcba0779489825add718022ba3
100 lines
3.9 KiB
Makefile
# Copyright (C) 2017 TeamWin Recovery Project
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

LOCAL_PATH := $(call my-dir)

ifeq ($(TW_INCLUDE_CRYPTO), true)
    ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)


        # Parse TW_CRYPTO_USE_SYSTEM_VOLD
        ifeq ($(TW_CRYPTO_USE_SYSTEM_VOLD),true)
            # Just enabled, so only vold + vdc
            services :=
        else
            # Additional services needed by vold
            services := $(TW_CRYPTO_USE_SYSTEM_VOLD)
        endif

        # List of .rc files for each additional service
        rc_files := $(foreach item,$(services),init.recovery.vold_decrypt.$(item).rc)


        include $(CLEAR_VARS)
        LOCAL_MODULE := init.recovery.vold_decrypt.rc
        LOCAL_MODULE_TAGS := eng
        LOCAL_MODULE_CLASS := RECOVERY_EXECUTABLES

        # Cannot send to TARGET_RECOVERY_ROOT_OUT since build system wipes init*.rc
        # during ramdisk creation and only allows init.recovery.*.rc files to be copied
        # from TARGET_ROOT_OUT thereafter
        LOCAL_MODULE_PATH := $(TARGET_ROOT_OUT)

        LOCAL_SRC_FILES := $(LOCAL_MODULE)

        # Add additional .rc files and imports into init.recovery.vold_decrypt.rc
        # Note: any init.recovery.vold_decrypt.{service}.rc that are not default
        # in crypto/vold_decrypt should be in the device tree
        LOCAL_POST_INSTALL_CMD := $(hide) \
            $(foreach item, $(rc_files), \
                sed -i '1iimport \/$(item)' "$(TARGET_ROOT_OUT)/$(LOCAL_MODULE)"; \
                if [ -f "$(LOCAL_PATH)/$(item)" ]; then \
                    cp -f "$(LOCAL_PATH)/$(item)" "$(TARGET_ROOT_OUT)"/; \
                fi; \
            )

        ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 26; echo $$?),0)
            # Truncate service_name to max 16 characters
            LOCAL_POST_INSTALL_CMD += \
                $(foreach item, $(rc_files), \
                    if [ -f "$(TARGET_ROOT_OUT)/$(item)" ]; then \
                        sed -i 's/\([ \t]*service[ \t]*\)\(.\{16\}\).*\([ \t].*\)/\1\2\3/' "$(TARGET_ROOT_OUT)/$(item)"; \
                    fi; \
                )
        endif

        include $(BUILD_PREBUILT)


        include $(CLEAR_VARS)
        LOCAL_MODULE := libvolddecrypt
        LOCAL_MODULE_TAGS := eng optional
        LOCAL_CFLAGS := -Wall
        ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 23; echo $$?),0)
            LOCAL_C_INCLUDES += external/stlport/stlport bionic bionic/libstdc++/include
        endif

        ifneq ($(services),)
            ifeq ($(shell test $(PLATFORM_SDK_VERSION) -lt 26; echo $$?),0)
                # Truncate service_name to max 12 characters due to the 4 character prefix
                truncated_services := $(foreach item,$(services),$(shell echo -n "$(item)" | sed 's/\(.\{12\}\).*/\1/'))
                LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_SERVICES='"$(truncated_services)"'
                LOCAL_CFLAGS += -D_USING_SHORT_SERVICE_NAMES
            else
                LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_SERVICES='"$(services)"'
            endif
        endif

        ifeq ($(TW_CRYPTO_SYSTEM_VOLD_DEBUG),true)
            # Enabling strace will expose the password in the strace logs!!
            LOCAL_CFLAGS += -DTW_CRYPTO_SYSTEM_VOLD_DEBUG
        endif

        LOCAL_SRC_FILES = vold_decrypt.cpp
        LOCAL_SHARED_LIBRARIES := libcutils
        include $(BUILD_STATIC_LIBRARY)

    endif
endif
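The two truncation steps the Makefile applies below SDK 26 (16 characters in the .rc service line, 12 characters in the compiled-in service list), as an added example that is not part of the TWRP source: it replays both `sed` expressions on sample declarations and checks that the two resulting names agree and that the rest of the line survives. The function names and the sample .rc lines are constructed for illustration, `[[:blank:]]` replaces the Makefile's GNU-sed `[ \t]`, and the run-time name is assumed to be the 4-character prefix plus the 12-character value.

```shell
#!/bin/sh
# Added example, not project code. [[:blank:]] stands in for the Makefile's
# GNU-sed "[ \t]" (same meaning, portable to any POSIX sed).

# Step 1: the post-install sed applied to one line of an .rc file.
truncate_rc_line() {
    printf '%s\n' "$1" |
        sed 's/\([[:blank:]]*service[[:blank:]]*\)\(.\{16\}\).*\([[:blank:]].*\)/\1\2\3/'
}

# Step 2: the 12-character cut applied to each entry of $(services).
truncate_service() {
    printf '%s' "$1" | sed 's/\(.\{12\}\).*/\1/'
}

# Assumption: the run-time name is a 4-character prefix plus the step-2 value.
runtime_name() {    # $1 = prefix (sys_ or ven_), $2 = entry from $(services)
    printf '%s%s' "$1" "$(truncate_service "$2")"
}

# Name field of a service declaration, and everything after the name field.
rc_name() { printf '%s\n' "$1" | awk '$1 == "service" { print $2 }'; }
rc_tail() { printf '%s\n' "$1" | awk '{ $1 = $2 = ""; print }'; }

# Lint one declaration: the truncated name must fit in 16 characters, match
# the run-time name, and the command after the name must be unchanged.
check_rc_line() {   # $1 = original .rc line, $2 = prefix, $3 = service
    out=$(truncate_rc_line "$1")
    name=$(rc_name "$out")
    if [ "${#name}" -gt 16 ]; then echo "name too long: $name"; return 1; fi
    if [ "$name" != "$(runtime_name "$2" "$3")" ]; then echo "name mismatch: $name"; return 1; fi
    if [ "$(rc_tail "$out")" != "$(rc_tail "$1")" ]; then echo "command changed: $out"; return 1; fi
    echo "ok: $out"
}

# Constructed sample lines (not taken from the project's .rc files).
check_rc_line 'service sys_hwservicemanager /system/bin/hwservicemanager' sys_ hwservicemanager
check_rc_line 'service sys_vold /system/bin/vold' sys_ vold
# Constructed line with a trailing argument: the greedy ".*" keeps only the
# text after the last blank, so the executable path is dropped and reported.
check_rc_line 'service sys_vold /system/bin/vold --opt' sys_ vold || true
```
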