The relationship between the Android lock-screen password and FBE, Android FBE
Android FBE
1. FBE overview

Name: FBE, File-Based Encryption.

Credential Encrypted (CE) storage: the default storage location, available only after the user has unlocked the device. Device Encrypted (DE) storage: available both during Direct Boot mode and after the user has unlocked the device.

To enable FBE, add the fileencryption flag to the userdata entry in the relevant fstab file (here fileencryption=aes-256-xts):

```
/dev/block/bootdevice/by-name/userdata /data ext4 noatime,nosuid,nodev,barrier=1,noauto_da_alloc,discard wait,check,resize,fileencryption=aes-256-xts,quota
```

Conceptual material is not repeated here; if needed, read Google's FBE documentation.
2. FBE flow analysis

2.1 Preparation before encryption during boot

The following lines in init.rc perform the mount operations according to the fstab file:

```
on fs
    wait /dev/block/bootdevice
    write /proc/sys/vm/swappiness 100
    mount_all fstab.qcom
```

After init.rc, the natural next step is to see how the init process parses init.rc. The code is in system/core/init/builtins.cpp:
```cpp
const BuiltinFunctionMap::Map& BuiltinFunctionMap::map() const {
    ...
    {"mount_all", {1, kMax, do_mount_all}},
    ...
}

static int do_mount_all(const std::vector<std::string>& args) {
    ...
    /* mount_fstab forks a child process that calls fs_mgr_read_fstab and then
     * fs_mgr_mount_all. The former reads the fstab file, the latter performs the
     * mounts; fs_mgr_mount_all is analysed in detail below. */
    int ret = mount_fstab(fstabfile, mount_mode);
    ...
    if (queue_event) {
        /* queue_fs_event will queue event based on mount_fstab return code
         * and return processed return code */
        ret = queue_fs_event(ret);
    }
}
```

Now look at fs_mgr_mount_all. The code is in system/core/fs_mgr/fs_mgr.cpp:
```cpp
int fs_mgr_mount_all(struct fstab *fstab, int mount_mode) {
    int encryptable = FS_MGR_MNTALL_DEV_NOT_ENCRYPTABLE;
    ...
    for (i = 0; i < fstab->num_entries; i++) {
        ......
        int last_idx_inspected;
        int top_idx = i;
        mret = mount_with_alternatives(fstab, i, &last_idx_inspected, &attempted_idx);
        i = last_idx_inspected;
        mount_errno = errno;
        /* Deal with encryptability. */
        if (!mret) {
            int status = handle_encryptable(&fstab->recs[attempted_idx]);
            if (status == FS_MGR_MNTALL_FAIL) {
                /* Fatal error - no point continuing */
                return status;
            }
            if (status != FS_MGR_MNTALL_DEV_NOT_ENCRYPTABLE) {
                if (encryptable != FS_MGR_MNTALL_DEV_NOT_ENCRYPTABLE) {
                    // Log and continue
                    LERROR << "Only one encryptable/encrypted partition supported";
                }
                // Record the result in encryptable
                encryptable = status;
            }
            /* Success! Go get the next one */
            continue;
        }
    }
    ......
    /* This value is returned to the parent process, where queue_fs_event
     * receives it and acts on it. */
    if (error_count) {
        return FS_MGR_MNTALL_FAIL;
    } else {
        return encryptable;
    }
}
```

Next, look at queue_fs_event. It acts differently depending on the return value of mount_fstab. With FBE configured, mount_fstab returns FS_MGR_MNTALL_DEV_FILE_ENCRYPTED to queue_fs_event, which then calls e4crypt_install_keyring to install the e4crypt keyring (the keyring that holds the file-encryption keys), sets the related ro.crypto properties, and finally fires the nonencrypted trigger.
```cpp
static int queue_fs_event(int code) {
    int ret = code;
    if (code == FS_MGR_MNTALL_DEV_NEEDS_ENCRYPTION) {
        ActionManager::GetInstance().QueueEventTrigger("encrypt");
    } else if (code == FS_MGR_MNTALL_DEV_MIGHT_BE_ENCRYPTED) {
        property_set("ro.crypto.state", "encrypted");
        property_set("ro.crypto.type", "block");
        ActionManager::GetInstance().QueueEventTrigger("defaultcrypto");
    } else if (code == FS_MGR_MNTALL_DEV_NOT_ENCRYPTED) {
        property_set("ro.crypto.state", "unencrypted");
        ActionManager::GetInstance().QueueEventTrigger("nonencrypted");
    } else if (code == FS_MGR_MNTALL_DEV_NOT_ENCRYPTABLE) {
        property_set("ro.crypto.state", "unsupported");
        ActionManager::GetInstance().QueueEventTrigger("nonencrypted");
    } else if (code == FS_MGR_MNTALL_DEV_NEEDS_RECOVERY) {
        /* Setup a wipe via recovery, and reboot into recovery */
        PLOG(ERROR) << "fs_mgr_mount_all suggested recovery, so wiping data via recovery.";
        const std::vector<std::string> options = {"--wipe_data", "--reason=fs_mgr_mount_all" };
        reboot_into_recovery(options);
        return 0;
        /* If reboot worked, there is no return. */
    } else if (code == FS_MGR_MNTALL_DEV_FILE_ENCRYPTED) {
        if (e4crypt_install_keyring()) {
            return -1;
        }
        property_set("ro.crypto.state", "encrypted");
        property_set("ro.crypto.type", "file");
        // Although encrypted, we have device key, so we do not need to
        // do anything different from the nonencrypted case.
        ActionManager::GetInstance().QueueEventTrigger("nonencrypted");
    } else if (code == FS_MGR_MNTALL_DEV_IS_METADATA_ENCRYPTED) {
        if (e4crypt_install_keyring()) {
            return -1;
        }
        property_set("ro.crypto.state", "encrypted");
        property_set("ro.crypto.type", "file");
        // defaultcrypto detects file/block encryption. init flow is same for each.
        ActionManager::GetInstance().QueueEventTrigger("defaultcrypto");
    } else if (code == FS_MGR_MNTALL_DEV_NEEDS_METADATA_ENCRYPTION) {
        if (e4crypt_in
```
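As an added example (not AOSP code and not from the original post), the following C++ checker parses fstab text the way the flow above reads it, reports whether the /data entry actually carries the fileencryption flag that leads to the FS_MGR_MNTALL_DEV_FILE_ENCRYPTED branch, and records the ro.crypto.state and ro.crypto.type values queue_fs_event sets on that path. The function and type names and the sample fstab text are constructed for this example; the fstab row is the one quoted earlier on the page.

```cpp
#include <map>
#include <sstream>
#include <string>
using FsMgrFlags = std::map<std::string, std::string>;  // "fileencryption" -> "aes-256-xts"
struct FbeCheck {
    bool enabled = false;                     // /data carries fileencryption=
    std::string contentsMode, filenamesMode;  // "<contents>[:<filenames>]" split apart
    std::string cryptoState, cryptoType;      // ro.crypto.* that queue_fs_event() would set
};

// Parse rows "<dev> <mnt> <type> <mnt_flags> <fs_mgr_flags>" into mount point -> fs_mgr
// flags ("a,b=c" -> {a:"", b:"c"}); blank and '#' lines are skipped, and a later row for
// the same mount point replaces an earlier one.
std::map<std::string, FsMgrFlags> parseFstab(const std::string& text) {
    std::map<std::string, FsMgrFlags> byMount;
    std::istringstream lines(text);
    std::string line, dev, mnt, type, mntFlags, mgrFlags, item;
    while (std::getline(lines, line)) {
        std::istringstream fields(line);
        if (line.empty() || line[0] == '#' ||
            !(fields >> dev >> mnt >> type >> mntFlags >> mgrFlags)) continue;
        std::istringstream flags(mgrFlags);
        FsMgrFlags parsed;
        while (std::getline(flags, item, ',')) {
            size_t eq = item.find('=');
            parsed[item.substr(0, eq)] = eq == std::string::npos ? "" : item.substr(eq + 1);
        }
        byMount[mnt] = parsed;
    }
    return byMount;
}
// Audit /data: without fileencryption= the FS_MGR_MNTALL_DEV_FILE_ENCRYPTED branch is never
// taken and user data is not FBE-protected; with it, init sets ro.crypto.state=encrypted
// and ro.crypto.type=file before triggering "nonencrypted".
FbeCheck checkDataFbe(const std::map<std::string, FsMgrFlags>& byMount) {
    FbeCheck r;
    auto data = byMount.find("/data");
    if (data == byMount.end()) return r;
    auto fe = data->second.find("fileencryption");
    if (fe == data->second.end()) return r;
    size_t colon = fe->second.find(':');
    r.enabled = true;
    r.contentsMode = fe->second.substr(0, colon);
    r.filenamesMode = colon == std::string::npos ? "" : fe->second.substr(colon + 1);
    r.cryptoState = "encrypted"; r.cryptoType = "file";
    return r;
}
const std::string kSampleFstab = "# constructed sample, /data row as quoted on the page\n"
    "/dev/block/bootdevice/by-name/userdata /data ext4 noatime,nosuid,nodev,barrier=1,"
    "noauto_da_alloc,discard wait,check,resize,fileencryption=aes-256-xts,quota\n";
```

Running checkDataFbe(parseFstab(kSampleFstab)) on a build's fstab is a quick way to confirm that userdata will take the file-encryption path rather than silently booting with ro.crypto.state set to unencrypted or unsupported.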