From 71c6c50d0da1f32dd18a749797e88de2358c5ba1 Mon Sep 17 00:00:00 2001 
From: nkk71 Date: Thu, 5 Jan 2017 23:55:05 +0200 Subject: crypto: Use system's vold for decryption If TWRP crypto fails to decrypt partition, mount the system partition and use system's own vold to attempt decryption. This provides a fallback for proprietary OEM encryption as well as encryption methods which TWRP hasn't been updated for. Requirements in device tree: * fstab.{ro.hardware} in device/recovery/root The fstab does not need to be complete, but it does need the data partition and the encryption entries. * 'TW_CRYPTO_USE_SYSTEM_VOLD := true' in BoardConfig or * 'TW_CRYPTO_USE_SYSTEM_VOLD := ' Notes: * Setting the flag to 'true' will just use system's vdc+vold or * Setting the flag with additional services, will also start them prior to attempting vdc+vold decryption, eg: for qualcomm based devices you usually need 'TW_CRYPTO_USE_SYSTEM_VOLD := qseecomd' * For each service listed an additional import will be automatically added to the vold_decrypt.rc file in the form of init.recovery.vold_decrypt.{service}.rc You will need to add any not already existing .rc files in your device/recovery/root folder. * The service names specified in the vold_decrypt.{service}.rc files have to be named 'sys_{service}' eg: 'service sys_qseecomd /system/bin/qseecomd' * Any service already existing in TWRP as {service} or sbin{service} will be stopped and restarted as needed. * You can override the default init.recovery.vold_decrypt.rc file(s) by placing same named ones in your device/recovery/root folder. If you do, you'll need to manually add the needed imports. * If /vendor and /firmware folders are temporarily moved and symlinked to the folders and files in the system partition, the properties 'vold_decrypt.symlinked_vendor' and 'vold_decrypt.symlinked_firmware' will be set to 1. 
This allows for additional control in the .rc files for any extra actions (symlinks, cp files, etc) that may be needed for decryption by using: on property:vold_decrypt.symlinked_vendor=1 and/or on property:vold_decrypt.symlinked_firmware=1 triggers. Debug mode: 'TW_CRYPTO_SYSTEM_VOLD_DEBUG := true' in BoardConfig * Specifying this flag, will enable strace on init and vdc, which will create separate log files in /tmp for every process created, allowing for detailed analysis of which services and files are being accessed. * Note that enabling strace will expose the password in the logs!! * You need to manually add strace to your build. Thanks to @Captain_Throwback for co-authoring and testing. Tested successfully on HTC devices: M8 (KK through MM), M9 (MM and N), A9 (N), 10 (N), Bolt (N), Desire 626s (MM), U Ultra (N) HTC One X9 (MTK device) And by Nikolay Jeliazkov on: Xiaomi Mi Max Change-Id: I4d22ab55baf6a2a50adde2e4c1c510c142714227
---
 Android.mk | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'Android.mk')
diff --git a/Android.mk b/Android.mk
index 626f6abcf..4b29e47f8 100644
--- a/Android.mk
+++ b/Android.mk
@@ -298,6 +298,12 @@ ifeq ($(TW_INCLUDE_CRYPTO), true)
 LOCAL_CFLAGS += -DTW_INCLUDE_FBE
 LOCAL_SHARED_LIBRARIES += libe4crypt
 endif
+ ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)
+ ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),false)
+ LOCAL_CFLAGS += -DTW_CRYPTO_USE_SYSTEM_VOLD
+ LOCAL_STATIC_LIBRARIES += libvolddecrypt
+ endif
+ endif
 endif
 WITH_CRYPTO_UTILS := \
 $(if $(wildcard system/core/libcrypto_utils/Android.mk),true)
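Review bot: The enable check `ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)` / `ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),false)` compares the raw value, so a BoardConfig line such as `TW_CRYPTO_USE_SYSTEM_VOLD := false ` with trailing whitespace can fail to match `false` and silently turn the feature on, pulling -DTW_CRYPTO_USE_SYSTEM_VOLD and libvolddecrypt into the recovery. The same nested pair is repeated in the second hunk (the include of crypto/vold_decrypt/Android.mk), so the two guards can drift apart and leave the define set without the library module being built. Normalising once and testing one derived condition keeps both sites in sync, e.g. `TW_CRYPTO_USE_SYSTEM_VOLD := $(strip $(TW_CRYPTO_USE_SYSTEM_VOLD))` near the top of the file and `ifneq ($(filter-out false,$(TW_CRYPTO_USE_SYSTEM_VOLD)),)` at both sites. Since this is the switch that makes recovery mount the system partition and run its vold/vdc, a one-line comment above the first ifneq stating that any non-empty value other than `false` enables it, and that the remaining words are the extra services to start, would help the next maintainer.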
@@ -691,6 +697,11 @@ ifeq ($(TW_INCLUDE_CRYPTO), true)
 ifeq ($(TW_INCLUDE_CRYPTO_FBE), true)
 include $(commands_recovery_local_path)/crypto/ext4crypt/Android.mk
 endif
+ ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),)
+ ifneq ($(TW_CRYPTO_USE_SYSTEM_VOLD),false)
+ include $(commands_recovery_local_path)/crypto/vold_decrypt/Android.mk
+ endif
+ endif
 include $(commands_recovery_local_path)/gpt/Android.mk
 endif
 ifeq ($(BUILD_ID), GINGERBREAD)
-- cgit v1.2.3