HiKey960: Enable metadata encryption
This fully enables metadata encryption on hikey960 by following
the instructions here:
https://source.android.com/security/encryption/metadata?hl=en
The change mostly consists of adding the --early/--late mount_all
arguments in the init.rc and the "latemount" and
"keydirectory=/metadata/vold/metadata_encryption" options to the
userdata fstab line.
Note: You will likely need to flash new userdata (and possibly
reflash metadata as well) after applying this. Use the flashall
script if you are having any trouble.
Test: atest vts_kernel_encryption_test
Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: Idd57774ac21ca1535259e679fc92f127e1e710e0
diff --git a/hikey/init.hikey.rc b/hikey/init.hikey.rc
index 8046f91..6ea3b3b 100644
--- a/hikey/init.hikey.rc
+++ b/hikey/init.hikey.rc
@@ -1,5 +1,8 @@
import init.common.rc
+on fs
+ mount_all /vendor/etc/fstab.${ro.hardware}
+
on post-fs
# Set supported opengles version
setprop ro.hardware.hwcomposer drm_hikey
diff --git a/hikey960/fstab.hikey960 b/hikey960/fstab.hikey960
index 5891323..09356a7 100644
--- a/hikey960/fstab.hikey960
+++ b/hikey960/fstab.hikey960
@@ -6,7 +6,7 @@
#/dev/block/platform/soc/ff3b0000.ufs/by-name/system_a /system ext4 ro wait
#/dev/block/platform/soc/ff3b0000.ufs/by-name/cache /cache ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
#/dev/block/platform/soc/ff3b0000.ufs/by-name/userdata /data ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
-/dev/block/by-name/userdata /data ext4 discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1,inlinecrypt wait,formattable,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,quota
+/dev/block/by-name/userdata /data ext4 discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1,inlinecrypt latemount,wait,formattable,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,keydirectory=/metadata/vold/metadata_encryption,quota
/dev/block/by-name/cache /metadata ext4 noatime,nosuid,nodev,discard wait,formattable,first_stage_mount,check
/devices/platform/soc/ff37f000.dwmmc1/mmc_host/mmc* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
/devices/platform/soc/ff200000.hisi_usb/ff100000.dwc3/xhci-hcd.*.auto/usb* auto auto defaults voldmanaged=usbdisk:auto,encryptable=userdata
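Review bot: The new `keydirectory=/metadata/vold/metadata_encryption` option on the userdata line makes /data depend on the /metadata entry directly below it, which is backed by the `cache` partition and marked `formattable`, and nothing in the file documents that coupling. If that partition is reformatted or reflashed on its own, the stored key is lost and the existing userdata can no longer be unlocked, which is consistent with the commit message's advice to reflash both. I would add a comment above the userdata line such as `# /data metadata-encryption key is stored on /metadata (cache partition); wiping it makes userdata unreadable`. The /metadata line itself carries no encryption options, so how well the key is protected at rest presumably depends on the board's keymaster implementation, which is not visible in this diff and is worth confirming.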
diff --git a/hikey960/init.hikey960.rc b/hikey960/init.hikey960.rc
index b767134..92c1385 100644
--- a/hikey960/init.hikey960.rc
+++ b/hikey960/init.hikey960.rc
@@ -1,6 +1,12 @@
import init.common.rc
+on fs
+ mount_all /vendor/etc/fstab.${ro.hardware} --early
+
on post-fs
# Set supported opengles version
setprop ro.hardware.hwcomposer drm_hikey960
+on late-fs
+ mount_all /vendor/etc/fstab.${ro.hardware} --late
+
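Review bot: The added `on late-fs` block mounts /data with `--late` but has no comment saying what must already be running, and with metadata encryption that mount can only succeed once vold and the keymaster HAL are up. vold is started from `early-fs` in init.common.rc in this same commit; the keymaster side is not visible here, so it presumably relies on the platform init.rc starting the early HALs before this action runs, which should be confirmed on this board. I would add `# /data is metadata-encrypted: needs vold (early-fs) and the keymaster HAL before this mount` above the `mount_all ... --late` line. As a style point, `on late-fs` is placed after `on post-fs`; init orders actions by trigger rather than file position, but listing the blocks in trigger order would be easier to read.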
diff --git a/init.common.rc b/init.common.rc
index 1ae164b..7018eef 100644
--- a/init.common.rc
+++ b/init.common.rc
@@ -16,8 +16,10 @@
start watchdogd
+on early-fs
+ start vold
+
on fs
- mount_all /vendor/etc/fstab.${ro.hardware}
setprop ro.crypto.fuse_sdcard false
on post-fs
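Review bot: Removing `mount_all` from the shared `on fs` block means every board rc that imports init.common.rc must now issue its own mount. This commit adds it for hikey and hikey960, but any other importer not shown in this diff would boot without its fstab mounted, so it is worth checking for other `import init.common.rc` users before merging. The new `start vold` under `early-fs` also lacks the reason it is there; a comment such as `# vold must be running before mount_all so it can set up metadata encryption for /data` would help. The `on fs` and `on post-fs` blocks continue outside the hunk.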