patches: Bliss GSI v11.4 Release
Signed-off-by: Jackeagle <jackeagle102@gmail.com>
Change-Id: I372e872292ed19dde130635da2882309751f59dd
diff --git a/patches/system/vold/0008-Revert-vold-Add-Hardware-FDE-feature.patch b/patches/system/vold/0008-Revert-vold-Add-Hardware-FDE-feature.patch
new file mode 100644
index 0000000..7c33769
--- /dev/null
+++ b/patches/system/vold/0008-Revert-vold-Add-Hardware-FDE-feature.patch
@@ -0,0 +1,1038 @@
+From fb99aa2057ddf1c6477777bc02aa4c0d54513a0c Mon Sep 17 00:00:00 2001
+From: Jackeagle <jackeagle102@gmail.com>
+Date: Wed, 19 Dec 2018 17:02:25 +0100
+Subject: [PATCH 8/8] Revert "vold: Add Hardware FDE feature"
+
+This reverts commit 3585008ea98f4a1caf69d10c32a02e1169eeb248.
+---
+ Android.bp | 8 -
+ VoldNativeService.cpp | 4 +-
+ VoldNativeService.h | 2 +-
+ binder/android/os/IVold.aidl | 2 +-
+ cryptfs.cpp | 637 +++--------------------------------
+ cryptfs.h | 10 +-
+ 6 files changed, 49 insertions(+), 614 deletions(-)
+
+diff --git a/Android.bp b/Android.bp
+index ffb139e..48dfaaf 100644
+--- a/Android.bp
++++ b/Android.bp
+@@ -140,11 +140,6 @@ cc_library_static {
+ "libarcobbvolume",
+ ],
+ },
+- device_support_hwfde: {
+- cflags: ["-DCONFIG_HW_DISK_ENCRYPTION"],
+- header_libs: ["libcryptfs_hw_headers"],
+- shared_libs: ["libcryptfs_hw"],
+- },
+ },
+ }
+
+@@ -164,9 +159,6 @@ cc_binary {
+ "libarcobbvolume",
+ ],
+ },
+- device_support_hwfde: {
+- shared_libs: ["libcryptfs_hw"],
+- },
+ },
+ init_rc: [
+ "vold.rc",
+diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
+index 6d6c6ec..81523c6 100644
+--- a/VoldNativeService.cpp
++++ b/VoldNativeService.cpp
+@@ -581,11 +581,11 @@ binder::Status VoldNativeService::fdeEnable(int32_t passwordType,
+ }
+
+ binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
+- const std::string& currentPassword, const std::string& password) {
++ const std::string& password) {
+ ENFORCE_UID(AID_SYSTEM);
+ ACQUIRE_CRYPT_LOCK;
+
+- return translate(cryptfs_changepw(passwordType, currentPassword.c_str(), password.c_str()));
++ return translate(cryptfs_changepw(passwordType, password.c_str()));
+ }
+
+ binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
+diff --git a/VoldNativeService.h b/VoldNativeService.h
+index da8c660..2e90101 100644
+--- a/VoldNativeService.h
++++ b/VoldNativeService.h
+@@ -82,7 +82,7 @@ public:
+ binder::Status fdeEnable(int32_t passwordType,
+ const std::string& password, int32_t encryptionFlags);
+ binder::Status fdeChangePassword(int32_t passwordType,
+- const std::string& currentPassword, const std::string& password);
++ const std::string& password);
+ binder::Status fdeVerifyPassword(const std::string& password);
+ binder::Status fdeGetField(const std::string& key, std::string* _aidl_return);
+ binder::Status fdeSetField(const std::string& key, const std::string& value);
+diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
+index 9f5b21a..f386889 100644
+--- a/binder/android/os/IVold.aidl
++++ b/binder/android/os/IVold.aidl
+@@ -65,7 +65,7 @@ interface IVold {
+ void fdeRestart();
+ int fdeComplete();
+ void fdeEnable(int passwordType, @utf8InCpp String password, int encryptionFlags);
+- void fdeChangePassword(int passwordType, @utf8InCpp String currentPassword, @utf8InCpp String password);
++ void fdeChangePassword(int passwordType, @utf8InCpp String password);
+ void fdeVerifyPassword(@utf8InCpp String password);
+ @utf8InCpp String fdeGetField(@utf8InCpp String key);
+ void fdeSetField(@utf8InCpp String key, @utf8InCpp String value);
+diff --git a/cryptfs.cpp b/cryptfs.cpp
+index 3452fe3..5a061bb 100644
+--- a/cryptfs.cpp
++++ b/cryptfs.cpp
+@@ -63,9 +63,6 @@
+ #include "Keymaster.h"
+ #include "android-base/properties.h"
+ #include <bootloader_message/bootloader_message.h>
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-#include <cryptfs_hw.h>
+-#endif
+ extern "C" {
+ #include <crypto_scrypt.h>
+ }
+@@ -87,7 +84,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
+
+ #define KEY_IN_FOOTER "footer"
+
+-#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264"
+ #define DEFAULT_PASSWORD "default_password"
+
+ #define CRYPTO_BLOCK_DEVICE "userdata"
+@@ -103,7 +99,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
+ #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
+ #define RSA_EXPONENT 0x10001
+ #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second
+-#define KEY_LEN_BYTES 16
+
+ #define RETRY_MOUNT_ATTEMPTS 10
+ #define RETRY_MOUNT_DELAY_SECONDS 1
+@@ -117,151 +112,6 @@ static char *saved_mount_point;
+ static int master_key_saved = 0;
+ static struct crypt_persist_data *persist_data = NULL;
+
+-static int previous_type;
+-
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
+- unsigned char *ikey, void *params);
+-static void convert_key_to_hex_ascii(const unsigned char *master_key,
+- unsigned int keysize, char *master_key_ascii);
+-static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr);
+-static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
+- const char *passwd, const char *mount_point, const char *label);
+-int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw,
+- const char *newpw);
+-int cryptfs_check_passwd_hw(char *passwd);
+-int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
+- unsigned char* master_key);
+-
+-static void convert_key_to_hex_ascii_for_upgrade(const unsigned char *master_key,
+- unsigned int keysize, char *master_key_ascii)
+-{
+- unsigned int i, a;
+- unsigned char nibble;
+-
+- for (i = 0, a = 0; i < keysize; i++, a += 2) {
+- /* For each byte, write out two ascii hex digits */
+- nibble = (master_key[i] >> 4) & 0xf;
+- master_key_ascii[a] = nibble + (nibble > 9 ? 0x57 : 0x30);
+-
+- nibble = master_key[i] & 0xf;
+- master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x57 : 0x30);
+- }
+-
+- /* Add the null termination */
+- master_key_ascii[a] = '\0';
+-}
+-
+-static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw,
+- unsigned char* salt,
+- const struct crypt_mnt_ftr *ftr)
+-{
+- /* if newpw updated, return 0
+- * if newpw not updated return -1
+- */
+- int rc = -1;
+-
+- if (should_use_keymaster()) {
+- if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) {
+- SLOGE("scrypt failed");
+- } else {
+- rc = 0;
+- }
+- }
+-
+- return rc;
+-}
+-
+-static int verify_hw_fde_passwd(const char *passwd, struct crypt_mnt_ftr* crypt_ftr)
+-{
+- unsigned char newpw[32] = {0};
+- int key_index;
+- if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr))
+- key_index = set_hw_device_encryption_key(passwd,
+- (char*) crypt_ftr->crypto_type_name);
+- else
+- key_index = set_hw_device_encryption_key((const char*)newpw,
+- (char*) crypt_ftr->crypto_type_name);
+- return key_index;
+-}
+-
+-static int verify_and_update_hw_fde_passwd(const char *passwd,
+- struct crypt_mnt_ftr* crypt_ftr)
+-{
+- char* new_passwd = NULL;
+- unsigned char newpw[32] = {0};
+- int key_index = -1;
+- int passwd_updated = -1;
+- int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED);
+-
+- key_index = verify_hw_fde_passwd(passwd, crypt_ftr);
+- if (key_index < 0) {
+- ++crypt_ftr->failed_decrypt_count;
+-
+- if (ascii_passwd_updated) {
+- SLOGI("Ascii password was updated");
+- } else {
+- /* Code in else part would execute only once:
+- * When device is upgraded from L->M release.
+- * Once upgraded, code flow should never come here.
+- * L release passed actual password in hex, so try with hex
+- * Each nible of passwd was encoded as a byte, so allocate memory
+- * twice of password len plus one more byte for null termination
+- */
+- if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) {
+- new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1);
+- if (new_passwd == NULL) {
+- SLOGE("System out of memory. Password verification incomplete");
+- goto out;
+- }
+- strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1);
+- } else {
+- new_passwd = (char*)malloc(strlen(passwd) * 2 + 1);
+- if (new_passwd == NULL) {
+- SLOGE("System out of memory. Password verification incomplete");
+- goto out;
+- }
+- convert_key_to_hex_ascii_for_upgrade((const unsigned char*)passwd,
+- strlen(passwd), new_passwd);
+- }
+- key_index = set_hw_device_encryption_key((const char*)new_passwd,
+- (char*) crypt_ftr->crypto_type_name);
+- if (key_index >=0) {
+- crypt_ftr->failed_decrypt_count = 0;
+- SLOGI("Hex password verified...will try to update with Ascii value");
+- /* Before updating password, tie that with keymaster to tie with ROT */
+-
+- if (get_keymaster_hw_fde_passwd(passwd, newpw,
+- crypt_ftr->salt, crypt_ftr)) {
+- passwd_updated = update_hw_device_encryption_key(new_passwd,
+- passwd, (char*)crypt_ftr->crypto_type_name);
+- } else {
+- passwd_updated = update_hw_device_encryption_key(new_passwd,
+- (const char*)newpw, (char*)crypt_ftr->crypto_type_name);
+- }
+-
+- if (passwd_updated >= 0) {
+- crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
+- SLOGI("Ascii password recorded and updated");
+- } else {
+- SLOGI("Passwd verified, could not update...Will try next time");
+- }
+- } else {
+- ++crypt_ftr->failed_decrypt_count;
+- }
+- free(new_passwd);
+- }
+- } else {
+- if (!ascii_passwd_updated)
+- crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
+- }
+-out:
+- // update footer before leaving
+- put_crypt_ftr_and_key(crypt_ftr);
+- return key_index;
+-}
+-#endif
+-
+ /* Should we use keymaster? */
+ static int keymaster_check_compatibility()
+ {
+@@ -1150,36 +1000,16 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
+ tgt->status = 0;
+ tgt->sector_start = 0;
+ tgt->length = crypt_ftr->fs_size;
++ strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
++
+ crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
++ convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
++
+ buff_offset = crypt_params - buffer;
+ SLOGI("Extra parameters for dm_crypt: %s\n", extra_params);
+-
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
+- strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME);
+- if (is_ice_enabled())
+- convert_key_to_hex_ascii(master_key, sizeof(int), master_key_ascii);
+- else
+- convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
+- }
+- else {
+- convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
+- strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
+- }
+- snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s 0",
+- crypt_ftr->crypto_type_name, master_key_ascii,
+- real_blk_name, extra_params);
+-
+- SLOGI("target_type = %s", tgt->target_type);
+- SLOGI("real_blk_name = %s, extra_params = %s", real_blk_name, extra_params);
+-#else
+- convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
+- strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
+ snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
+ crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
+ extra_params);
+-#endif
+-
+ crypt_params += strlen(crypt_params) + 1;
+ crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
+ tgt->next = crypt_params - buffer;
+@@ -1199,6 +1029,7 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
+ }
+ }
+
++
+ static int get_dm_crypt_version(int fd, const char *name, int *version)
+ {
+ char buffer[DM_CRYPT_BUF_SIZE];
+@@ -1218,11 +1049,7 @@ static int get_dm_crypt_version(int fd, const char *name, int *version)
+ */
+ v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
+ while (v->next) {
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
+-#else
+ if (! strcmp(v->name, "crypt")) {
+-#endif
+ /* We found the crypt driver, return the version, and get out */
+ version[0] = v->version[0];
+ version[1] = v->version[1];
+@@ -1235,7 +1062,6 @@ static int get_dm_crypt_version(int fd, const char *name, int *version)
+ return -1;
+ }
+
+-#ifndef CONFIG_HW_DISK_ENCRYPTION
+ static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
+ if (extra_params_vec.empty()) return "";
+ std::string extra_params = std::to_string(extra_params_vec.size());
+@@ -1245,7 +1071,6 @@ static std::string extra_params_as_string(const std::vector<std::string>& extra_
+ }
+ return extra_params;
+ }
+-#endif
+
+ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned char* master_key,
+ const char* real_blk_name, char* crypto_blk_name, const char* name,
+@@ -1258,13 +1083,7 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
+ int retval = -1;
+ int version[3];
+ int load_count;
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- char encrypted_state[PROPERTY_VALUE_MAX] = {0};
+- char progress[PROPERTY_VALUE_MAX] = {0};
+- const char *extra_params;
+-#else
+ std::vector<std::string> extra_params_vec;
+-#endif
+
+ if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
+ SLOGE("Cannot open device-mapper\n");
+@@ -1289,45 +1108,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
+ minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
+ snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
+
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
+- /* Set fde_enabled if either FDE completed or in-progress */
+- property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */
+- property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */
+- if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) {
+- if (is_ice_enabled()) {
+- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
+- extra_params = "fde_enabled ice allow_encrypt_override";
+- else
+- extra_params = "fde_enabled ice";
+- } else {
+- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
+- extra_params = "fde_enabled allow_encrypt_override";
+- else
+- extra_params = "fde_enabled";
+- }
+- } else {
+- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
+- extra_params = "fde_enabled allow_encrypt_override";
+- else
+- extra_params = "fde_enabled";
+- }
+- } else {
+- extra_params = "";
+- if (! get_dm_crypt_version(fd, name, version)) {
+- /* Support for allow_discards was added in version 1.11.0 */
+- if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
+- if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
+- extra_params = "2 allow_discards allow_encrypt_override";
+- else
+- extra_params = "1 allow_discards";
+- SLOGI("Enabling support for allow_discards in dmcrypt.\n");
+- }
+- }
+- }
+- load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
+- extra_params);
+-#else
+ if (!get_dm_crypt_version(fd, name, version)) {
+ /* Support for allow_discards was added in version 1.11.0 */
+ if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
+@@ -1339,7 +1119,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
+ }
+ load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
+ extra_params_as_string(extra_params_vec).c_str());
+-#endif
+ if (load_count < 0) {
+ SLOGE("Cannot load dm-crypt mapping table.\n");
+ goto errout;
+@@ -1468,8 +1247,7 @@ static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
+ static int encrypt_master_key(const char *passwd, const unsigned char *salt,
+ const unsigned char *decrypted_master_key,
+ unsigned char *encrypted_master_key,
+- struct crypt_mnt_ftr *crypt_ftr,
+- bool create_keymaster_key)
++ struct crypt_mnt_ftr *crypt_ftr)
+ {
+ unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
+ EVP_CIPHER_CTX e_ctx;
+@@ -1481,7 +1259,7 @@ static int encrypt_master_key(const char *passwd, const unsigned char *salt,
+
+ switch (crypt_ftr->kdf_type) {
+ case KDF_SCRYPT_KEYMASTER:
+- if (create_keymaster_key && keymaster_create_key(crypt_ftr)) {
++ if (keymaster_create_key(crypt_ftr)) {
+ SLOGE("keymaster_create_key failed");
+ return -1;
+ }
+@@ -1651,13 +1429,13 @@ static int create_encrypted_random_key(const char *passwd, unsigned char *master
+ close(fd);
+
+ /* Now encrypt it with the password */
+- return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr, true);
++ return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
+ }
+
+ int wait_and_unmount(const char *mountpoint, bool kill)
+ {
+ int i, err, rc;
+-#define WAIT_UNMOUNT_COUNT 200
++#define WAIT_UNMOUNT_COUNT 20
+
+ /* Now umount the tmpfs filesystem */
+ for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
+@@ -1674,18 +1452,18 @@ int wait_and_unmount(const char *mountpoint, bool kill)
+
+ err = errno;
+
+- /* If allowed, be increasingly aggressive before the last 2 seconds */
++ /* If allowed, be increasingly aggressive before the last two retries */
+ if (kill) {
+- if (i == (WAIT_UNMOUNT_COUNT - 30)) {
++ if (i == (WAIT_UNMOUNT_COUNT - 3)) {
+ SLOGW("sending SIGHUP to processes with open files\n");
+ android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
+- } else if (i == (WAIT_UNMOUNT_COUNT - 20)) {
++ } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
+ SLOGW("sending SIGKILL to processes with open files\n");
+ android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
+ }
+ }
+
+- usleep(100000);
++ sleep(1);
+ }
+
+ if (i < WAIT_UNMOUNT_COUNT) {
+@@ -1852,17 +1630,6 @@ static int cryptfs_restart_internal(int restart_main)
+ cryptfs_reboot(RebootType::reboot);
+ }
+ } else {
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if (--retries) {
+- sleep(RETRY_MOUNT_DELAY_SECONDS);
+- } else {
+- SLOGE("Failed to mount decrypted data");
+- cryptfs_set_corrupt();
+- cryptfs_trigger_restart_min_framework();
+- SLOGI("Started framework to offer wipe");
+- return -1;
+- }
+-#else
+ SLOGE("Failed to mount decrypted data");
+ cryptfs_set_corrupt();
+ cryptfs_trigger_restart_min_framework();
+@@ -1871,7 +1638,6 @@ static int cryptfs_restart_internal(int restart_main)
+ SLOGE("Failed to setexeccon");
+ }
+ return -1;
+-#endif
+ }
+ }
+ if (setexeccon(NULL)) {
+@@ -1966,66 +1732,6 @@ static int do_crypto_complete(const char *mount_point)
+ return CRYPTO_COMPLETE_ENCRYPTED;
+ }
+
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
+- const char *passwd, const char *mount_point, const char *label)
+-{
+- /* Allocate enough space for a 256 bit key, but we may use less */
+- unsigned char decrypted_master_key[32];
+- char crypto_blkdev[MAXPATHLEN];
+- char real_blkdev[MAXPATHLEN];
+- unsigned int orig_failed_decrypt_count;
+- int rc = 0;
+-
+- SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
+- orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
+-
+- fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
+-
+- int key_index = 0;
+- if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
+- key_index = verify_and_update_hw_fde_passwd(passwd, crypt_ftr);
+- if (key_index < 0) {
+- rc = crypt_ftr->failed_decrypt_count;
+- goto errout;
+- }
+- else {
+- if (is_ice_enabled()) {
+- if (create_crypto_blk_dev(crypt_ftr, (unsigned char*)&key_index,
+- real_blkdev, crypto_blkdev, label, 0)) {
+- SLOGE("Error creating decrypted block device");
+- rc = -1;
+- goto errout;
+- }
+- } else {
+- if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
+- real_blkdev, crypto_blkdev, label, 0)) {
+- SLOGE("Error creating decrypted block device");
+- rc = -1;
+- goto errout;
+- }
+- }
+- }
+- }
+-
+- if (rc == 0) {
+- crypt_ftr->failed_decrypt_count = 0;
+- if (orig_failed_decrypt_count != 0) {
+- put_crypt_ftr_and_key(crypt_ftr);
+- }
+-
+- /* Save the name of the crypto block device
+- * so we can mount it when restarting the framework. */
+- property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
+- master_key_saved = 1;
+- }
+-
+- errout:
+- return rc;
+-}
+-#endif
+-
+-
+ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
+ const char *passwd, const char *mount_point, const char *label)
+ {
+@@ -2132,7 +1838,7 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
+
+ if (upgrade) {
+ rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
+- crypt_ftr->master_key, crypt_ftr, true);
++ crypt_ftr->master_key, crypt_ftr);
+ if (!rc) {
+ rc = put_crypt_ftr_and_key(crypt_ftr);
+ }
+@@ -2229,66 +1935,6 @@ int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
+ return 0;
+ }
+
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-int cryptfs_check_passwd_hw(const char* passwd)
+-{
+- struct crypt_mnt_ftr crypt_ftr;
+- int rc;
+- unsigned char master_key[KEY_LEN_BYTES];
+-
+- /* get key */
+- if (get_crypt_ftr_and_key(&crypt_ftr)) {
+- SLOGE("Error getting crypt footer and key");
+- return -1;
+- }
+-
+- /*
+- * in case of manual encryption (from GUI), the encryption is done with
+- * default password
+- */
+- if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
+- /* compare scrypted_intermediate_key with stored scrypted_intermediate_key
+- * which was created with actual password before reboot.
+- */
+- rc = cryptfs_get_master_key(&crypt_ftr, passwd, master_key);
+- if (rc) {
+- SLOGE("password doesn't match");
+- rc = ++crypt_ftr.failed_decrypt_count;
+- put_crypt_ftr_and_key(&crypt_ftr);
+- return rc;
+- }
+-
+- rc = test_mount_hw_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
+- DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
+-
+- if (rc) {
+- SLOGE("Default password did not match on reboot encryption");
+- return rc;
+- }
+-
+- crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
+- put_crypt_ftr_and_key(&crypt_ftr);
+- rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd);
+- if (rc) {
+- SLOGE("Could not change password on reboot encryption");
+- return rc;
+- }
+- } else
+- rc = test_mount_hw_encrypted_fs(&crypt_ftr, passwd,
+- DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
+-
+- if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
+- cryptfs_clear_password();
+- password = strdup(passwd);
+- struct timespec now;
+- clock_gettime(CLOCK_BOOTTIME, &now);
+- password_expiry_time = now.tv_sec + password_max_age_seconds;
+- }
+-
+- return rc;
+-}
+-#endif
+-
+ int cryptfs_check_passwd(const char *passwd)
+ {
+ SLOGI("cryptfs_check_passwd");
+@@ -2306,14 +1952,8 @@ int cryptfs_check_passwd(const char *passwd)
+ return rc;
+ }
+
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name))
+- return cryptfs_check_passwd_hw(passwd);
+-#endif
+-
+ rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
+ DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
+-
+ if (rc) {
+ SLOGE("Password did not match");
+ return rc;
+@@ -2334,7 +1974,7 @@ int cryptfs_check_passwd(const char *passwd)
+
+ crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
+ put_crypt_ftr_and_key(&crypt_ftr);
+- rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd);
++ rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
+ if (rc) {
+ SLOGE("Could not change password on reboot encryption");
+ return rc;
+@@ -2384,24 +2024,6 @@ int cryptfs_verify_passwd(const char *passwd)
+ /* If the device has no password, then just say the password is valid */
+ rc = 0;
+ } else {
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) {
+- if (verify_hw_fde_passwd(passwd, &crypt_ftr) >= 0)
+- rc = 0;
+- else
+- rc = -1;
+- } else {
+- decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
+- if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
+- /* They match, the password is correct */
+- rc = 0;
+- } else {
+- /* If incorrect, sleep for a bit to prevent dictionary attacks */
+- sleep(1);
+- rc = 1;
+- }
+- }
+-#else
+ decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
+ if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
+ /* They match, the password is correct */
+@@ -2411,7 +2033,6 @@ int cryptfs_verify_passwd(const char *passwd)
+ sleep(1);
+ rc = 1;
+ }
+-#endif
+ }
+
+ return rc;
+@@ -2535,12 +2156,6 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ off64_t previously_encrypted_upto = 0;
+ bool rebootEncryption = false;
+ bool onlyCreateHeader = false;
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- unsigned char newpw[32];
+- int key_index = 0;
+-#endif
+- int index = 0;
+-
+ int fd = -1;
+
+ if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
+@@ -2645,6 +2260,30 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ fclose(breadcrumb);
+ }
+
++ /* Do extra work for a better UX when doing the long inplace encryption */
++ if (!onlyCreateHeader) {
++ /* Now that /data is unmounted, we need to mount a tmpfs
++ * /data, set a property saying we're doing inplace encryption,
++ * and restart the framework.
++ */
++ if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
++ goto error_shutting_down;
++ }
++ /* Tells the framework that inplace encryption is starting */
++ property_set("vold.encrypt_progress", "0");
++
++ /* restart the framework. */
++ /* Create necessary paths on /data */
++ prep_data_fs();
++
++ /* Ugh, shutting down the framework is not synchronous, so until it
++ * can be fixed, this horrible hack will wait a moment for it all to
++ * shut down before proceeding. Without it, some devices cannot
++ * restart the graphics services.
++ */
++ sleep(2);
++ }
++
+ /* Start the actual work of making an encrypted filesystem */
+ /* Initialize a crypt_mnt_ftr for the partition */
+ if (previously_encrypted_upto == 0 && !rebootEncryption) {
+@@ -2668,11 +2307,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
+ }
+ crypt_ftr.crypt_type = crypt_type;
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
+-#else
+ strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN);
+-#endif
+
+ /* Make an encrypted master key */
+ if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
+@@ -2687,7 +2322,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
+ memset(fake_master_key, 0, sizeof(fake_master_key));
+ encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
+- encrypted_fake_master_key, &crypt_ftr, true);
++ encrypted_fake_master_key, &crypt_ftr);
+ }
+
+ /* Write the key to the end of the partition */
+@@ -2708,57 +2343,12 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ }
+ }
+
+- /* When encryption triggered from settings, encryption starts after reboot.
+- So set the encryption key when the actual encryption starts.
+- */
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if (previously_encrypted_upto == 0) {
+- if (!rebootEncryption)
+- clear_hw_device_encryption_key();
+-
+- if (get_keymaster_hw_fde_passwd(
+- onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
+- newpw, crypt_ftr.salt, &crypt_ftr))
+- key_index = set_hw_device_encryption_key(
+- onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
+- (char*)crypt_ftr.crypto_type_name);
+- else
+- key_index = set_hw_device_encryption_key((const char*)newpw,
+- (char*) crypt_ftr.crypto_type_name);
+- if (key_index < 0)
+- goto error_shutting_down;
+-
+- crypt_ftr.flags |= CRYPT_ASCII_PASSWORD_UPDATED;
+- put_crypt_ftr_and_key(&crypt_ftr);
+- }
+-#endif
+-
+ if (onlyCreateHeader) {
+ sleep(2);
+ cryptfs_reboot(RebootType::reboot);
+- } else {
+- /* Do extra work for a better UX when doing the long inplace encryption */
+- /* Now that /data is unmounted, we need to mount a tmpfs
+- * /data, set a property saying we're doing inplace encryption,
+- * and restart the framework.
+- */
+- if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
+- goto error_shutting_down;
+- }
+- /* Tells the framework that inplace encryption is starting */
+- property_set("vold.encrypt_progress", "0");
+-
+- /* restart the framework. */
+- /* Create necessary paths on /data */
+- prep_data_fs();
+-
+- /* Ugh, shutting down the framework is not synchronous, so until it
+- * can be fixed, this horrible hack will wait a moment for it all to
+- * shut down before proceeding. Without it, some devices cannot
+- * restart the graphics services.
+- */
+- sleep(2);
++ }
+
++ if (!no_ui || rebootEncryption) {
+ /* startup service classes main and late_start */
+ property_set("vold.decrypt", "trigger_restart_min_framework");
+ SLOGD("Just triggered restart_min_framework\n");
+@@ -2771,17 +2361,8 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
+ }
+
+ decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name) && is_ice_enabled())
+- create_crypto_blk_dev(&crypt_ftr, (unsigned char*)&key_index, real_blkdev, crypto_blkdev,
+- CRYPTO_BLOCK_DEVICE, 0);
+- else
+- create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
+- CRYPTO_BLOCK_DEVICE, 0);
+-#else
+ create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
+ CRYPTO_BLOCK_DEVICE, 0);
+-#endif
+
+ /* If we are continuing, check checksums match */
+ rc = 0;
+@@ -2915,7 +2496,7 @@ int cryptfs_enable_default(int no_ui) {
+ return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
+ }
+
+-int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
++int cryptfs_changepw(int crypt_type, const char *newpw)
+ {
+ if (e4crypt_is_native()) {
+ SLOGE("cryptfs_changepw not valid for file encryption");
+@@ -2942,28 +2523,6 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
+ return -1;
+ }
+
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+- if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name))
+- return cryptfs_changepw_hw_fde(crypt_type, currentpw, newpw);
+- else {
+- crypt_ftr.crypt_type = crypt_type;
+-
+- rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ?
+- DEFAULT_PASSWORD : newpw,
+- crypt_ftr.salt,
+- saved_master_key,
+- crypt_ftr.master_key,
+- &crypt_ftr, false);
+- if (rc) {
+- SLOGE("Encrypt master key failed: %d", rc);
+- return -1;
+- }
+- /* save the key */
+- put_crypt_ftr_and_key(&crypt_ftr);
+-
+- return 0;
+- }
+-#else
+ crypt_ftr.crypt_type = crypt_type;
+
+ rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
+@@ -2971,7 +2530,7 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
+ crypt_ftr.salt,
+ saved_master_key,
+ crypt_ftr.master_key,
+- &crypt_ftr, false);
++ &crypt_ftr);
+ if (rc) {
+ SLOGE("Encrypt master key failed: %d", rc);
+ return -1;
+@@ -2979,57 +2538,8 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
+ /* save the key */
+ put_crypt_ftr_and_key(&crypt_ftr);
+
+- return 0;
+-#endif
+-}
+-
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw, const char *newpw)
+-{
+- struct crypt_mnt_ftr crypt_ftr;
+- int rc;
+- int previous_type;
+-
+- /* get key */
+- if (get_crypt_ftr_and_key(&crypt_ftr)) {
+- SLOGE("Error getting crypt footer and key");
+- return -1;
+- }
+-
+- previous_type = crypt_ftr.crypt_type;
+- int rc1;
+- unsigned char tmp_curpw[32] = {0};
+- rc1 = get_keymaster_hw_fde_passwd(crypt_ftr.crypt_type == CRYPT_TYPE_DEFAULT ?
+- DEFAULT_PASSWORD : currentpw, tmp_curpw,
+- crypt_ftr.salt, &crypt_ftr);
+-
+- crypt_ftr.crypt_type = crypt_type;
+-
+- int ret, rc2;
+- unsigned char tmp_newpw[32] = {0};
+-
+- rc2 = get_keymaster_hw_fde_passwd(crypt_type == CRYPT_TYPE_DEFAULT ?
+- DEFAULT_PASSWORD : newpw , tmp_newpw,
+- crypt_ftr.salt, &crypt_ftr);
+-
+- if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) {
+- ret = update_hw_device_encryption_key(
+- rc1 ? (previous_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : currentpw) : (const char*)tmp_curpw,
+- rc2 ? (crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw): (const char*)tmp_newpw,
+- (char*)crypt_ftr.crypto_type_name);
+- if (ret) {
+- SLOGE("Error updating device encryption hardware key ret %d", ret);
+- return -1;
+- } else {
+- SLOGI("Encryption hardware key updated");
+- }
+- }
+-
+- /* save the key */
+- put_crypt_ftr_and_key(&crypt_ftr);
+ return 0;
+ }
+-#endif
+
+ static unsigned int persist_get_max_entries(int encrypted) {
+ struct crypt_mnt_ftr crypt_ftr;
+@@ -3432,62 +2942,3 @@ int cryptfs_isConvertibleToFBE()
+ struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
+ return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
+ }
+-
+-int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
+-{
+- if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
+- SLOGE("Failed to initialize crypt_ftr");
+- return -1;
+- }
+-
+- if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
+- crypt_ftr->salt, crypt_ftr)) {
+- SLOGE("Cannot create encrypted master key\n");
+- return -1;
+- }
+-
+- //crypt_ftr->keysize = key_length / 8;
+- return 0;
+-}
+-
+-int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
+- unsigned char* master_key)
+-{
+- int rc;
+-
+- unsigned char* intermediate_key = 0;
+- size_t intermediate_key_size = 0;
+-
+- if (password == 0 || *password == 0) {
+- password = DEFAULT_PASSWORD;
+- }
+-
+- rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
+- &intermediate_key_size);
+-
+- if (rc) {
+- SLOGE("Can't calculate intermediate key");
+- return rc;
+- }
+-
+- int N = 1 << ftr->N_factor;
+- int r = 1 << ftr->r_factor;
+- int p = 1 << ftr->p_factor;
+-
+- unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
+-
+- rc = crypto_scrypt(intermediate_key, intermediate_key_size,
+- ftr->salt, sizeof(ftr->salt), N, r, p,
+- scrypted_intermediate_key,
+- sizeof(scrypted_intermediate_key));
+-
+- free(intermediate_key);
+-
+- if (rc) {
+- SLOGE("Can't scrypt intermediate key");
+- return rc;
+- }
+-
+- return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
+- intermediate_key_size);
+-}
+diff --git a/cryptfs.h b/cryptfs.h
+index d8923db..d6c7dc5 100644
+--- a/cryptfs.h
++++ b/cryptfs.h
+@@ -66,14 +66,6 @@
+ complete. On next cryptkeeper entry, match
+ the password. If it matches fix the master
+ key and remove this flag. */
+-#ifdef CONFIG_HW_DISK_ENCRYPTION
+-/* This flag is used to transition from L->M upgrade. L release passed
+- * a byte for every nible of user password while M release is passing
+- * ascii value of user password.
+- * Random flag value is chosen so that it does not conflict with other use cases
+- */
+-#define CRYPT_ASCII_PASSWORD_UPDATED 0x1000
+-#endif
+
+ /* Allowed values for type in the structure below */
+ #define CRYPT_TYPE_PASSWORD 0 /* master_key is encrypted with a password
+@@ -241,7 +233,7 @@ int cryptfs_check_passwd(const char* pw);
+ int cryptfs_verify_passwd(const char* pw);
+ int cryptfs_restart(void);
+ int cryptfs_enable(int type, const char* passwd, int no_ui);
+-int cryptfs_changepw(int type, const char *currentpw, const char* newpw);
++int cryptfs_changepw(int type, const char* newpw);
+ int cryptfs_enable_default(int no_ui);
+ int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
+ char* out_crypto_blkdev);
+--
+2.17.1
+