summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
author Eric Biggers <ebiggers@google.com> 2022-05-19 21:44:37 +0000
committer Eric Biggers <ebiggers@google.com> 2022-06-02 00:53:48 +0000
commita0da4eb7919eb76fdf61483fef700f7ea671d7fb (patch)
tree8944fbd7bd63fb03458c23f7701036f96fb20f3c
parentd2ac8db60a3483f41b1f23c25f7cda49762a2f9e (diff)
Remove obsolete support for emulated FBE
Emulated FBE was a developer-mode feature intended to allow developers to add Direct Boot support to apps before native FBE devices became widely available. Since all devices running the latest version of Android now use native FBE (except for a couple edge cases not relevant here, like in-development devices on which encryption hasn't been enabled yet), and emulated FBE doesn't work on native FBE devices anyway, there's no longer any need to carry the code for emulated FBE. Bug: 232458753 Change-Id: I2ab35472c872b19b2bf64aa99424b5ccd9f6170f
Diffstat
-rw-r--r--cmds/sm/src/com/android/commands/sm/Sm.java14
-rw-r--r--core/java/android/os/storage/StorageManager.java35
-rw-r--r--services/core/java/com/android/server/StorageManagerService.java75
-rw-r--r--services/core/java/com/android/server/pm/UserDataPreparer.java13
-rw-r--r--services/tests/servicestests/src/com/android/server/pm/UserDataPreparerTest.java5
5 files changed, 22 insertions, 120 deletions
diff --git a/cmds/sm/src/com/android/commands/sm/Sm.java b/cmds/sm/src/com/android/commands/sm/Sm.java
index 260c8a47ea3c..c7ef8bd287be 100644
--- a/cmds/sm/src/com/android/commands/sm/Sm.java
+++ b/cmds/sm/src/com/android/commands/sm/Sm.java
@@ -94,8 +94,6 @@ public final class Sm {
runBenchmark();
} else if ("forget".equals(op)) {
runForget();
- } else if ("set-emulate-fbe".equals(op)) {
- runSetEmulateFbe();
} else if ("get-fbe-mode".equals(op)) {
runGetFbeMode();
} else if ("idle-maint".equals(op)) {
@@ -191,17 +189,9 @@ public final class Sm {
}
}
- public void runSetEmulateFbe() throws RemoteException {
- final boolean emulateFbe = Boolean.parseBoolean(nextArg());
- mSm.setDebugFlags(emulateFbe ? StorageManager.DEBUG_EMULATE_FBE : 0,
- StorageManager.DEBUG_EMULATE_FBE);
- }
-
public void runGetFbeMode() {
- if (StorageManager.isFileEncryptedNativeOnly()) {
+ if (StorageManager.isFileEncrypted()) {
System.out.println("native");
- } else if (StorageManager.isFileEncryptedEmulatedOnly()) {
- System.out.println("emulated");
} else {
System.out.println("none");
}
@@ -357,8 +347,6 @@ public final class Sm {
System.err.println("");
System.err.println(" sm forget [UUID|all]");
System.err.println("");
- System.err.println(" sm set-emulate-fbe [true|false]");
- System.err.println("");
System.err.println(" sm start-checkpoint <num-retries>");
System.err.println("");
System.err.println(" sm supports-checkpoint");
diff --git a/core/java/android/os/storage/StorageManager.java b/core/java/android/os/storage/StorageManager.java
index e1542a8503fc..649a1f5d302c 100644
--- a/core/java/android/os/storage/StorageManager.java
+++ b/core/java/android/os/storage/StorageManager.java
@@ -152,8 +152,6 @@ public class StorageManager {
/** {@hide} */
public static final String PROP_ADOPTABLE = "persist.sys.adoptable";
/** {@hide} */
- public static final String PROP_EMULATE_FBE = "persist.sys.emulate_fbe";
- /** {@hide} */
public static final String PROP_SDCARDFS = "persist.sys.sdcardfs";
/** {@hide} */
public static final String PROP_VIRTUAL_DISK = "persist.sys.virtual_disk";
@@ -257,13 +255,11 @@ public class StorageManager {
/** {@hide} */
public static final int DEBUG_ADOPTABLE_FORCE_OFF = 1 << 1;
/** {@hide} */
- public static final int DEBUG_EMULATE_FBE = 1 << 2;
- /** {@hide} */
- public static final int DEBUG_SDCARDFS_FORCE_ON = 1 << 3;
+ public static final int DEBUG_SDCARDFS_FORCE_ON = 1 << 2;
/** {@hide} */
- public static final int DEBUG_SDCARDFS_FORCE_OFF = 1 << 4;
+ public static final int DEBUG_SDCARDFS_FORCE_OFF = 1 << 3;
/** {@hide} */
- public static final int DEBUG_VIRTUAL_DISK = 1 << 5;
+ public static final int DEBUG_VIRTUAL_DISK = 1 << 4;
/** {@hide} */
public static final int FLAG_STORAGE_DE = IInstalld.FLAG_STORAGE_DE;
@@ -1591,30 +1587,31 @@ public class StorageManager {
}
/** {@hide}
- * Is this device file encrypted?
- * @return true for file encrypted. (Implies isEncrypted() == true)
- * false not encrypted or using "managed" encryption
+ * Does this device have file-based encryption (FBE) enabled?
+ * @return true if the device has file-based encryption enabled.
*/
- @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
- public static boolean isFileEncryptedNativeOnly() {
+ public static boolean isFileEncrypted() {
if (!isEncrypted()) {
return false;
}
return RoSystemProperties.CRYPTO_FILE_ENCRYPTED;
}
- /** {@hide} */
- public static boolean isFileEncryptedEmulatedOnly() {
- return SystemProperties.getBoolean(StorageManager.PROP_EMULATE_FBE, false);
+ /** {@hide}
+ * @deprecated Use {@link #isFileEncrypted} instead, since emulated FBE is no longer supported.
+ */
+ @UnsupportedAppUsage(maxTargetSdk = Build.VERSION_CODES.R, trackingBug = 170729553)
+ @Deprecated
+ public static boolean isFileEncryptedNativeOnly() {
+ return isFileEncrypted();
}
/** {@hide}
- * Is this device running in a file encrypted mode, either native or emulated?
- * @return true for file encrypted, false otherwise
+ * @deprecated Use {@link #isFileEncrypted} instead, since emulated FBE is no longer supported.
*/
+ @Deprecated
public static boolean isFileEncryptedNativeOrEmulated() {
- return isFileEncryptedNativeOnly()
- || isFileEncryptedEmulatedOnly();
+ return isFileEncrypted();
}
/** {@hide} */
diff --git a/services/core/java/com/android/server/StorageManagerService.java b/services/core/java/com/android/server/StorageManagerService.java
index 9e60cf671865..7cbe218a9234 100644
--- a/services/core/java/com/android/server/StorageManagerService.java
+++ b/services/core/java/com/android/server/StorageManagerService.java
@@ -94,7 +94,6 @@ import android.os.Message;
import android.os.ParcelFileDescriptor;
import android.os.ParcelableException;
import android.os.PersistableBundle;
-import android.os.PowerManager;
import android.os.Process;
import android.os.RemoteCallbackList;
import android.os.RemoteException;
@@ -289,15 +288,6 @@ class StorageManagerService extends IStorageManager.Stub
*/
private static final boolean WATCHDOG_ENABLE = true;
- /**
- * Our goal is for all Android devices to be usable as development devices,
- * which includes the new Direct Boot mode added in N. For devices that
- * don't have native FBE support, we offer an emulation mode for developer
- * testing purposes, but if it's prohibitively difficult to support this
- * mode, it can be disabled for specific products using this flag.
- */
- private static final boolean EMULATE_FBE_SUPPORTED = true;
-
private static final String TAG = "StorageManagerService";
private static final boolean LOCAL_LOGV = Log.isLoggable(TAG, Log.VERBOSE);
@@ -1091,31 +1081,6 @@ class StorageManagerService extends IStorageManager.Stub
mVolumes.put(internal.id, internal);
}
- private void initIfBootedAndConnected() {
- Slog.d(TAG, "Thinking about init, mBootCompleted=" + mBootCompleted
- + ", mDaemonConnected=" + mDaemonConnected);
- if (mBootCompleted && mDaemonConnected
- && !StorageManager.isFileEncryptedNativeOnly()) {
- // When booting a device without native support, make sure that our
- // user directories are locked or unlocked based on the current
- // emulation status.
- final boolean initLocked = StorageManager.isFileEncryptedEmulatedOnly();
- Slog.d(TAG, "Setting up emulation state, initlocked=" + initLocked);
- final List<UserInfo> users = mContext.getSystemService(UserManager.class).getUsers();
- for (UserInfo user : users) {
- try {
- if (initLocked) {
- mVold.lockUserKey(user.id);
- } else {
- mVold.unlockUserKey(user.id, user.serialNumber, encodeBytes(null));
- }
- } catch (Exception e) {
- Slog.wtf(TAG, e);
- }
- }
- }
- }
-
private void resetIfBootedAndConnected() {
Slog.d(TAG, "Thinking about reset, mBootCompleted=" + mBootCompleted
+ ", mDaemonConnected=" + mDaemonConnected);
@@ -1362,7 +1327,6 @@ class StorageManagerService extends IStorageManager.Stub
}
private void handleDaemonConnected() {
- initIfBootedAndConnected();
resetIfBootedAndConnected();
}
@@ -2110,7 +2074,6 @@ class StorageManagerService extends IStorageManager.Stub
}
private void handleBootCompleted() {
- initIfBootedAndConnected();
resetIfBootedAndConnected();
}
@@ -2805,32 +2768,6 @@ class StorageManagerService extends IStorageManager.Stub
public void setDebugFlags(int flags, int mask) {
enforcePermission(android.Manifest.permission.MOUNT_UNMOUNT_FILESYSTEMS);
- if ((mask & StorageManager.DEBUG_EMULATE_FBE) != 0) {
- if (!EMULATE_FBE_SUPPORTED) {
- throw new IllegalStateException(
- "Emulation not supported on this device");
- }
- if (StorageManager.isFileEncryptedNativeOnly()) {
- throw new IllegalStateException(
- "Emulation not supported on device with native FBE");
- }
- if (mLockPatternUtils.isCredentialRequiredToDecrypt(false)) {
- throw new IllegalStateException(
- "Emulation requires disabling 'Secure start-up' in Settings > Security");
- }
-
- final long token = Binder.clearCallingIdentity();
- try {
- final boolean emulateFbe = (flags & StorageManager.DEBUG_EMULATE_FBE) != 0;
- SystemProperties.set(StorageManager.PROP_EMULATE_FBE, Boolean.toString(emulateFbe));
-
- // Perform hard reboot to kick policy into place
- mContext.getSystemService(PowerManager.class).reboot(null);
- } finally {
- Binder.restoreCallingIdentity(token);
- }
- }
-
if ((mask & (StorageManager.DEBUG_ADOPTABLE_FORCE_ON
| StorageManager.DEBUG_ADOPTABLE_FORCE_OFF)) != 0) {
final String value;
@@ -2918,8 +2855,7 @@ class StorageManagerService extends IStorageManager.Stub
// We need all the users unlocked to move their primary storage
final List<UserInfo> users = mContext.getSystemService(UserManager.class).getUsers();
for (UserInfo user : users) {
- if (StorageManager.isFileEncryptedNativeOrEmulated()
- && !isUserKeyUnlocked(user.id)) {
+ if (StorageManager.isFileEncrypted() && !isUserKeyUnlocked(user.id)) {
Slog.w(TAG, "Failing move due to locked user " + user.id);
onMoveStatusLocked(PackageManager.MOVE_FAILED_LOCKED_USER);
return;
@@ -3222,9 +3158,9 @@ class StorageManagerService extends IStorageManager.Stub
@Override
public void unlockUserKey(int userId, int serialNumber, byte[] secret) {
- boolean isFsEncrypted = StorageManager.isFileEncryptedNativeOrEmulated();
+ boolean isFileEncrypted = StorageManager.isFileEncrypted();
Slog.d(TAG, "unlockUserKey: " + userId
- + " isFileEncryptedNativeOrEmulated: " + isFsEncrypted
+ + " isFileEncrypted: " + isFileEncrypted
+ " hasSecret: " + (secret != null));
enforcePermission(android.Manifest.permission.STORAGE_INTERNAL);
@@ -3233,11 +3169,10 @@ class StorageManagerService extends IStorageManager.Stub
return;
}
- if (isFsEncrypted) {
+ if (isFileEncrypted) {
// When a user has a secure lock screen, a secret is required to
// unlock the key, so don't bother trying to unlock it without one.
- // This prevents misleading error messages from being logged. This
- // is also needed for emulated FBE to behave like native FBE.
+ // This prevents misleading error messages from being logged.
if (mLockPatternUtils.isSecure(userId) && ArrayUtils.isEmpty(secret)) {
Slog.d(TAG, "Not unlocking user " + userId
+ "'s CE storage yet because a secret is needed");
diff --git a/services/core/java/com/android/server/pm/UserDataPreparer.java b/services/core/java/com/android/server/pm/UserDataPreparer.java
index 7650d2ef5b2e..1ca7bcd32741 100644
--- a/services/core/java/com/android/server/pm/UserDataPreparer.java
+++ b/services/core/java/com/android/server/pm/UserDataPreparer.java
@@ -286,11 +286,6 @@ class UserDataPreparer {
return Environment.getDataUserDeDirectory(volumeUuid, userId);
}
- @VisibleForTesting
- protected boolean isFileEncryptedEmulatedOnly() {
- return StorageManager.isFileEncryptedEmulatedOnly();
- }
-
/**
* Enforce that serial number stored in user directory inode matches the
* given expected value. Gracefully sets the serial number if currently
@@ -300,14 +295,6 @@ class UserDataPreparer {
* number is mismatched.
*/
void enforceSerialNumber(File file, int serialNumber) throws IOException {
- if (isFileEncryptedEmulatedOnly()) {
- // When we're emulating FBE, the directory may have been chmod
- // 000'ed, meaning we can't read the serial number to enforce it;
- // instead of destroying the user, just log a warning.
- Slog.w(TAG, "Device is emulating FBE; assuming current serial number is valid");
- return;
- }
-
final int foundSerial = getSerialNumber(file);
Slog.v(TAG, "Found " + file + " with serial number " + foundSerial);
diff --git a/services/tests/servicestests/src/com/android/server/pm/UserDataPreparerTest.java b/services/tests/servicestests/src/com/android/server/pm/UserDataPreparerTest.java
index de83e518067e..2c6bb2791124 100644
--- a/services/tests/servicestests/src/com/android/server/pm/UserDataPreparerTest.java
+++ b/services/tests/servicestests/src/com/android/server/pm/UserDataPreparerTest.java
@@ -261,11 +261,6 @@ public class UserDataPreparerTest {
protected File getDataUserDeDirectory(String volumeUuid, int userId) {
return new File(testDir, "user_de_" + userId);
}
-
- @Override
- protected boolean isFileEncryptedEmulatedOnly() {
- return false;
- }
}
}
generated by cgit v1.2.3-59-g8ed1b (git 2.39.0) at 2025-11-01 17:28:13 +0000