patches/system/vold/0008-Revert-vold-Add-Hardware-FDE-feature.patch

From 3df1faeb7e70914cddefb4fb6ecd27bb989c4cc5 Mon Sep 17 00:00:00 2001
From: Jackeagle <jackeagle102@gmail.com>
Date: Mon, 6 May 2019 19:57:11 +0200
Subject: [PATCH 8/8] Revert "vold: Add Hardware FDE feature"

This reverts commit 3585008ea98f4a1caf69d10c32a02e1169eeb248.

Change-Id: I808cd01881cd9c968e9a631adccdbaf22501e650
Signed-off-by: Jackeagle <jackeagle102@gmail.com>
---
 Android.bp                   |   8 -
 VoldNativeService.cpp        |   4 +-
 VoldNativeService.h          |   2 +-
 binder/android/os/IVold.aidl |   2 +-
 cryptfs.cpp                  | 638 +++--------------------------------
 cryptfs.h                    |  10 +-
 6 files changed, 50 insertions(+), 614 deletions(-)

diff --git a/Android.bp b/Android.bp
index ffb139e..48dfaaf 100644
--- a/Android.bp
+++ b/Android.bp
@@ -140,11 +140,6 @@ cc_library_static {
                 "libarcobbvolume",
             ],
         },
-        device_support_hwfde: {
-            cflags: ["-DCONFIG_HW_DISK_ENCRYPTION"],
-            header_libs: ["libcryptfs_hw_headers"],
-            shared_libs: ["libcryptfs_hw"],
-        },
     },
 }
 
@@ -164,9 +159,6 @@ cc_binary {
                 "libarcobbvolume",
             ],
         },
-        device_support_hwfde: {
-            shared_libs: ["libcryptfs_hw"],
-        },
     },
     init_rc: [
         "vold.rc",
diff --git a/VoldNativeService.cpp b/VoldNativeService.cpp
index 6d6c6ec..81523c6 100644
--- a/VoldNativeService.cpp
+++ b/VoldNativeService.cpp
@@ -581,11 +581,11 @@ binder::Status VoldNativeService::fdeEnable(int32_t passwordType,
 }
 
 binder::Status VoldNativeService::fdeChangePassword(int32_t passwordType,
-        const std::string& currentPassword, const std::string& password) {
+        const std::string& password) {
     ENFORCE_UID(AID_SYSTEM);
     ACQUIRE_CRYPT_LOCK;
 
-    return translate(cryptfs_changepw(passwordType, currentPassword.c_str(), password.c_str()));
+    return translate(cryptfs_changepw(passwordType, password.c_str()));
 }
 
 binder::Status VoldNativeService::fdeVerifyPassword(const std::string& password) {
diff --git a/VoldNativeService.h b/VoldNativeService.h
index da8c660..2e90101 100644
--- a/VoldNativeService.h
+++ b/VoldNativeService.h
@@ -82,7 +82,7 @@ public:
     binder::Status fdeEnable(int32_t passwordType,
             const std::string& password, int32_t encryptionFlags);
     binder::Status fdeChangePassword(int32_t passwordType,
-            const std::string& currentPassword, const std::string& password);
+            const std::string& password);
     binder::Status fdeVerifyPassword(const std::string& password);
     binder::Status fdeGetField(const std::string& key, std::string* _aidl_return);
     binder::Status fdeSetField(const std::string& key, const std::string& value);
diff --git a/binder/android/os/IVold.aidl b/binder/android/os/IVold.aidl
index 9f5b21a..f386889 100644
--- a/binder/android/os/IVold.aidl
+++ b/binder/android/os/IVold.aidl
@@ -65,7 +65,7 @@ interface IVold {
     void fdeRestart();
     int fdeComplete();
     void fdeEnable(int passwordType, @utf8InCpp String password, int encryptionFlags);
-    void fdeChangePassword(int passwordType, @utf8InCpp String currentPassword, @utf8InCpp String password);
+    void fdeChangePassword(int passwordType, @utf8InCpp String password);
     void fdeVerifyPassword(@utf8InCpp String password);
     @utf8InCpp String fdeGetField(@utf8InCpp String key);
     void fdeSetField(@utf8InCpp String key, @utf8InCpp String value);
diff --git a/cryptfs.cpp b/cryptfs.cpp
index bea9b2f..7aee819 100644
--- a/cryptfs.cpp
+++ b/cryptfs.cpp
@@ -66,9 +66,6 @@
 #include "android-base/properties.h"
 #include "android-base/stringprintf.h"
 #include <bootloader_message/bootloader_message.h>
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-#include <cryptfs_hw.h>
-#endif
 extern "C" {
 #include <crypto_scrypt.h>
 }
@@ -94,7 +91,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
 
 #define KEY_IN_FOOTER  "footer"
 
-#define DEFAULT_HEX_PASSWORD "64656661756c745f70617373776f7264"
 #define DEFAULT_PASSWORD "default_password"
 
 #define CRYPTO_BLOCK_DEVICE "userdata"
@@ -110,7 +106,6 @@ static_assert(INTERMEDIATE_BUF_SIZE == SCRYPT_LEN,
 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
 #define RSA_EXPONENT 0x10001
 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1  // Maximum one try per second
-#define KEY_LEN_BYTES 16
 
 #define RETRY_MOUNT_ATTEMPTS 10
 #define RETRY_MOUNT_DELAY_SECONDS 1
@@ -124,151 +119,6 @@ static char *saved_mount_point;
 static int  master_key_saved = 0;
 static struct crypt_persist_data *persist_data = NULL;
 
-static int previous_type;
-
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
-                            unsigned char *ikey, void *params);
-static void convert_key_to_hex_ascii(const unsigned char *master_key,
-                                     unsigned int keysize, char *master_key_ascii);
-static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr);
-static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
-                const char *passwd, const char *mount_point, const char *label);
-int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw,
-                                   const char *newpw);
-int cryptfs_check_passwd_hw(char *passwd);
-int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
-                                   unsigned char* master_key);
-
-static void convert_key_to_hex_ascii_for_upgrade(const unsigned char *master_key,
-                                     unsigned int keysize, char *master_key_ascii)
-{
-    unsigned int i, a;
-    unsigned char nibble;
-
-    for (i = 0, a = 0; i < keysize; i++, a += 2) {
-        /* For each byte, write out two ascii hex digits */
-        nibble = (master_key[i] >> 4) & 0xf;
-        master_key_ascii[a] = nibble + (nibble > 9 ? 0x57 : 0x30);
-
-        nibble = master_key[i] & 0xf;
-        master_key_ascii[a + 1] = nibble + (nibble > 9 ? 0x57 : 0x30);
-    }
-
-    /* Add the null termination */
-    master_key_ascii[a] = '\0';
-}
-
-static int get_keymaster_hw_fde_passwd(const char* passwd, unsigned char* newpw,
-                                  unsigned char* salt,
-                                  const struct crypt_mnt_ftr *ftr)
-{
-    /* if newpw updated, return 0
-     * if newpw not updated return -1
-     */
-    int rc = -1;
-
-    if (should_use_keymaster()) {
-        if (scrypt_keymaster(passwd, salt, newpw, (void*)ftr)) {
-            SLOGE("scrypt failed");
-        } else {
-            rc = 0;
-        }
-    }
-
-    return rc;
-}
-
-static int verify_hw_fde_passwd(const char *passwd, struct crypt_mnt_ftr* crypt_ftr)
-{
-    unsigned char newpw[32] = {0};
-    int key_index;
-    if (get_keymaster_hw_fde_passwd(passwd, newpw, crypt_ftr->salt, crypt_ftr))
-        key_index = set_hw_device_encryption_key(passwd,
-                                           (char*) crypt_ftr->crypto_type_name);
-    else
-        key_index = set_hw_device_encryption_key((const char*)newpw,
-                                           (char*) crypt_ftr->crypto_type_name);
-    return key_index;
-}
-
-static int verify_and_update_hw_fde_passwd(const char *passwd,
-                                           struct crypt_mnt_ftr* crypt_ftr)
-{
-    char* new_passwd = NULL;
-    unsigned char newpw[32] = {0};
-    int key_index = -1;
-    int passwd_updated = -1;
-    int ascii_passwd_updated = (crypt_ftr->flags & CRYPT_ASCII_PASSWORD_UPDATED);
-
-    key_index = verify_hw_fde_passwd(passwd, crypt_ftr);
-    if (key_index < 0) {
-        ++crypt_ftr->failed_decrypt_count;
-
-        if (ascii_passwd_updated) {
-            SLOGI("Ascii password was updated");
-        } else {
-            /* Code in else part would execute only once:
-             * When device is upgraded from L->M release.
-             * Once upgraded, code flow should never come here.
-             * L release passed actual password in hex, so try with hex
-             * Each nible of passwd was encoded as a byte, so allocate memory
-             * twice of password len plus one more byte for null termination
-             */
-            if (crypt_ftr->crypt_type == CRYPT_TYPE_DEFAULT) {
-                new_passwd = (char*)malloc(strlen(DEFAULT_HEX_PASSWORD) + 1);
-                if (new_passwd == NULL) {
-                    SLOGE("System out of memory. Password verification  incomplete");
-                    goto out;
-                }
-                strlcpy(new_passwd, DEFAULT_HEX_PASSWORD, strlen(DEFAULT_HEX_PASSWORD) + 1);
-            } else {
-                new_passwd = (char*)malloc(strlen(passwd) * 2 + 1);
-                if (new_passwd == NULL) {
-                    SLOGE("System out of memory. Password verification  incomplete");
-                    goto out;
-                }
-                convert_key_to_hex_ascii_for_upgrade((const unsigned char*)passwd,
-                                       strlen(passwd), new_passwd);
-            }
-            key_index = set_hw_device_encryption_key((const char*)new_passwd,
-                                       (char*) crypt_ftr->crypto_type_name);
-            if (key_index >=0) {
-                crypt_ftr->failed_decrypt_count = 0;
-                SLOGI("Hex password verified...will try to update with Ascii value");
-                /* Before updating password, tie that with keymaster to tie with ROT */
-
-                if (get_keymaster_hw_fde_passwd(passwd, newpw,
-                                                crypt_ftr->salt, crypt_ftr)) {
-                    passwd_updated = update_hw_device_encryption_key(new_passwd,
-                                     passwd, (char*)crypt_ftr->crypto_type_name);
-                } else {
-                    passwd_updated = update_hw_device_encryption_key(new_passwd,
-                                     (const char*)newpw, (char*)crypt_ftr->crypto_type_name);
-                }
-
-                if (passwd_updated >= 0) {
-                    crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
-                    SLOGI("Ascii password recorded and updated");
-                } else {
-                    SLOGI("Passwd verified, could not update...Will try next time");
-                }
-            } else {
-                ++crypt_ftr->failed_decrypt_count;
-            }
-            free(new_passwd);
-        }
-    } else {
-        if (!ascii_passwd_updated)
-            crypt_ftr->flags |= CRYPT_ASCII_PASSWORD_UPDATED;
-    }
-out:
-    // update footer before leaving
-    put_crypt_ftr_and_key(crypt_ftr);
-    return key_index;
-}
-#endif
-
 /* Should we use keymaster? */
 static int keymaster_check_compatibility()
 {
@@ -1161,40 +1011,21 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
   tgt->status = 0;
   tgt->sector_start = 0;
   tgt->length = crypt_ftr->fs_size;
+  strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
+
   crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec);
+  convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
+
   buff_offset = crypt_params - buffer;
+
   SLOGI(
       "Creating crypto dev \"%s\"; cipher=%s, keysize=%u, real_dev=%s, len=%llu, params=\"%s\"\n",
       name, crypt_ftr->crypto_type_name, crypt_ftr->keysize, real_blk_name, tgt->length * 512,
       extra_params);
-      
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-  if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
-    strlcpy(tgt->target_type, "req-crypt",DM_MAX_TYPE_NAME);
-    if (is_ice_enabled())
-      convert_key_to_hex_ascii(master_key, sizeof(int), master_key_ascii);
-    else
-      convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
-  }
-  else {
-    convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
-    strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
-  }
-  snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s 0",
-           crypt_ftr->crypto_type_name, master_key_ascii,
-           real_blk_name, extra_params);
-
-  SLOGI("target_type = %s", tgt->target_type);
-  SLOGI("real_blk_name = %s, extra_params = %s", real_blk_name, extra_params);
-#else
-  convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii);
-  strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME);
 
   snprintf(crypt_params, sizeof(buffer) - buff_offset, "%s %s 0 %s 0 %s",
            crypt_ftr->crypto_type_name, master_key_ascii, real_blk_name,
            extra_params);
-#endif
-
   crypt_params += strlen(crypt_params) + 1;
   crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */
   tgt->next = crypt_params - buffer;
@@ -1214,6 +1045,7 @@ static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr,
   }
 }
 
+
 static int get_dm_crypt_version(int fd, const char *name,  int *version)
 {
     char buffer[DM_CRYPT_BUF_SIZE];
@@ -1233,11 +1065,7 @@ static int get_dm_crypt_version(int fd, const char *name,  int *version)
      */
     v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)];
     while (v->next) {
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-        if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) {
-#else
         if (! strcmp(v->name, "crypt")) {
-#endif
             /* We found the crypt driver, return the version, and get out */
             version[0] = v->version[0];
             version[1] = v->version[1];
@@ -1250,7 +1078,6 @@ static int get_dm_crypt_version(int fd, const char *name,  int *version)
     return -1;
 }
 
-#ifndef CONFIG_HW_DISK_ENCRYPTION
 static std::string extra_params_as_string(const std::vector<std::string>& extra_params_vec) {
     if (extra_params_vec.empty()) return "";
     std::string extra_params = std::to_string(extra_params_vec.size());
@@ -1260,7 +1087,6 @@ static std::string extra_params_as_string(const std::vector<std::string>& extra_
     }
     return extra_params;
 }
-#endif
 
 /*
  * If the ro.crypto.fde_sector_size system property is set, append the
@@ -1306,13 +1132,7 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
     int retval = -1;
     int version[3];
     int load_count;
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    char encrypted_state[PROPERTY_VALUE_MAX] = {0};
-    char progress[PROPERTY_VALUE_MAX] = {0};
-    const char *extra_params;
-#else
     std::vector<std::string> extra_params_vec;
-#endif
 
     if ((fd = open("/dev/device-mapper", O_RDWR | O_CLOEXEC)) < 0) {
         SLOGE("Cannot open device-mapper\n");
@@ -1337,45 +1157,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
     minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00);
     snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor);
 
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
-      /* Set fde_enabled if either FDE completed or in-progress */
-      property_get("ro.crypto.state", encrypted_state, ""); /* FDE completed */
-      property_get("vold.encrypt_progress", progress, ""); /* FDE in progress */
-      if (!strcmp(encrypted_state, "encrypted") || strcmp(progress, "")) {
-        if (is_ice_enabled()) {
-          if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
-            extra_params = "fde_enabled ice allow_encrypt_override";
-          else
-            extra_params = "fde_enabled ice";
-        } else {
-          if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
-            extra_params = "fde_enabled allow_encrypt_override";
-          else
-            extra_params = "fde_enabled";
-        }
-      } else {
-          if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
-            extra_params = "fde_enabled allow_encrypt_override";
-          else
-            extra_params = "fde_enabled";
-      }
-    } else {
-      extra_params = "";
-      if (! get_dm_crypt_version(fd, name, version)) {
-        /* Support for allow_discards was added in version 1.11.0 */
-        if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
-          if (flags & CREATE_CRYPTO_BLK_DEV_FLAGS_ALLOW_ENCRYPT_OVERRIDE)
-            extra_params = "2 allow_discards allow_encrypt_override";
-          else
-            extra_params = "1 allow_discards";
-          SLOGI("Enabling support for allow_discards in dmcrypt.\n");
-        }
-      }
-    }
-    load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
-                                           extra_params);
-#else
     if (!get_dm_crypt_version(fd, name, version)) {
         /* Support for allow_discards was added in version 1.11.0 */
         if ((version[0] >= 2) || ((version[0] == 1) && (version[1] >= 11))) {
@@ -1391,7 +1172,6 @@ static int create_crypto_blk_dev(struct crypt_mnt_ftr* crypt_ftr, const unsigned
     }
     load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, fd,
                                            extra_params_as_string(extra_params_vec).c_str());
-#endif
     if (load_count < 0) {
         SLOGE("Cannot load dm-crypt mapping table.\n");
         goto errout;
@@ -1526,8 +1306,7 @@ static int scrypt_keymaster(const char *passwd, const unsigned char *salt,
 static int encrypt_master_key(const char *passwd, const unsigned char *salt,
                               const unsigned char *decrypted_master_key,
                               unsigned char *encrypted_master_key,
-                              struct crypt_mnt_ftr *crypt_ftr,
-                              bool create_keymaster_key)
+                              struct crypt_mnt_ftr *crypt_ftr)
 {
     unsigned char ikey[INTERMEDIATE_BUF_SIZE] = { 0 };
     EVP_CIPHER_CTX e_ctx;
@@ -1539,7 +1318,7 @@ static int encrypt_master_key(const char *passwd, const unsigned char *salt,
 
     switch (crypt_ftr->kdf_type) {
     case KDF_SCRYPT_KEYMASTER:
-        if (create_keymaster_key && keymaster_create_key(crypt_ftr)) {
+        if (keymaster_create_key(crypt_ftr)) {
             SLOGE("keymaster_create_key failed");
             return -1;
         }
@@ -1709,13 +1488,13 @@ static int create_encrypted_random_key(const char *passwd, unsigned char *master
     close(fd);
 
     /* Now encrypt it with the password */
-    return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr, true);
+    return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr);
 }
 
 int wait_and_unmount(const char *mountpoint, bool kill)
 {
     int i, err, rc;
-#define WAIT_UNMOUNT_COUNT 200
+#define WAIT_UNMOUNT_COUNT 20
 
     /*  Now umount the tmpfs filesystem */
     for (i=0; i<WAIT_UNMOUNT_COUNT; i++) {
@@ -1732,18 +1511,18 @@ int wait_and_unmount(const char *mountpoint, bool kill)
 
         err = errno;
 
-        /* If allowed, be increasingly aggressive before the last 2 seconds */
+        /* If allowed, be increasingly aggressive before the last two retries */
         if (kill) {
-            if (i == (WAIT_UNMOUNT_COUNT - 30)) {
+            if (i == (WAIT_UNMOUNT_COUNT - 3)) {
                 SLOGW("sending SIGHUP to processes with open files\n");
                 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGTERM);
-            } else if (i == (WAIT_UNMOUNT_COUNT - 20)) {
+            } else if (i == (WAIT_UNMOUNT_COUNT - 2)) {
                 SLOGW("sending SIGKILL to processes with open files\n");
                 android::vold::KillProcessesWithOpenFiles(mountpoint, SIGKILL);
             }
         }
 
-        usleep(100000);
+        sleep(1);
     }
 
     if (i < WAIT_UNMOUNT_COUNT) {
@@ -1910,17 +1689,6 @@ static int cryptfs_restart_internal(int restart_main)
                     cryptfs_reboot(RebootType::reboot);
                 }
             } else {
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-                if (--retries) {
-                    sleep(RETRY_MOUNT_DELAY_SECONDS);
-                } else {
-                    SLOGE("Failed to mount decrypted data");
-                    cryptfs_set_corrupt();
-                    cryptfs_trigger_restart_min_framework();
-                    SLOGI("Started framework to offer wipe");
-                    return -1;
-                }
-#else
                 SLOGE("Failed to mount decrypted data");
                 cryptfs_set_corrupt();
                 cryptfs_trigger_restart_min_framework();
@@ -1929,7 +1697,6 @@ static int cryptfs_restart_internal(int restart_main)
                     SLOGE("Failed to setexeccon");
                 }
                 return -1;
-#endif
             }
         }
         if (setexeccon(NULL)) {
@@ -2024,66 +1791,6 @@ static int do_crypto_complete(const char *mount_point)
   return CRYPTO_COMPLETE_ENCRYPTED;
 }
 
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-static int test_mount_hw_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
-             const char *passwd, const char *mount_point, const char *label)
-{
-  /* Allocate enough space for a 256 bit key, but we may use less */
-  unsigned char decrypted_master_key[32];
-  char crypto_blkdev[MAXPATHLEN];
-  char real_blkdev[MAXPATHLEN];
-  unsigned int orig_failed_decrypt_count;
-  int rc = 0;
-
-  SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size);
-  orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count;
-
-  fs_mgr_get_crypt_info(fstab_default, 0, real_blkdev, sizeof(real_blkdev));
-
-  int key_index = 0;
-  if(is_hw_disk_encryption((char*)crypt_ftr->crypto_type_name)) {
-    key_index = verify_and_update_hw_fde_passwd(passwd, crypt_ftr);
-    if (key_index < 0) {
-      rc = crypt_ftr->failed_decrypt_count;
-      goto errout;
-    }
-    else {
-      if (is_ice_enabled()) {
-        if (create_crypto_blk_dev(crypt_ftr, (unsigned char*)&key_index,
-                            real_blkdev, crypto_blkdev, label, 0)) {
-          SLOGE("Error creating decrypted block device");
-          rc = -1;
-          goto errout;
-        }
-      } else {
-        if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key,
-                            real_blkdev, crypto_blkdev, label, 0)) {
-          SLOGE("Error creating decrypted block device");
-          rc = -1;
-          goto errout;
-        }
-      }
-    }
-  }
-
-  if (rc == 0) {
-    crypt_ftr->failed_decrypt_count = 0;
-    if (orig_failed_decrypt_count != 0) {
-      put_crypt_ftr_and_key(crypt_ftr);
-    }
-
-    /* Save the name of the crypto block device
-     * so we can mount it when restarting the framework. */
-    property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev);
-    master_key_saved = 1;
-  }
-
- errout:
-  return rc;
-}
-#endif
-
-
 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
                                    const char *passwd, const char *mount_point, const char *label)
 {
@@ -2190,7 +1897,7 @@ static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr,
 
     if (upgrade) {
         rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key,
-                                crypt_ftr->master_key, crypt_ftr, true);
+                                crypt_ftr->master_key, crypt_ftr);
         if (!rc) {
             rc = put_crypt_ftr_and_key(crypt_ftr);
         }
@@ -2287,66 +1994,6 @@ int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr)
     return 0;
 }
 
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-int cryptfs_check_passwd_hw(const char* passwd)
-{
-    struct crypt_mnt_ftr crypt_ftr;
-    int rc;
-    unsigned char master_key[KEY_LEN_BYTES];
-
-    /* get key */
-    if (get_crypt_ftr_and_key(&crypt_ftr)) {
-        SLOGE("Error getting crypt footer and key");
-        return -1;
-    }
-
-    /*
-     * in case of manual encryption (from GUI), the encryption is done with
-     * default password
-     */
-    if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) {
-        /* compare scrypted_intermediate_key with stored scrypted_intermediate_key
-         * which was created with actual password before reboot.
-         */
-        rc = cryptfs_get_master_key(&crypt_ftr, passwd, master_key);
-        if (rc) {
-            SLOGE("password doesn't match");
-            rc = ++crypt_ftr.failed_decrypt_count;
-            put_crypt_ftr_and_key(&crypt_ftr);
-            return rc;
-        }
-
-        rc = test_mount_hw_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD,
-            DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
-
-        if (rc) {
-            SLOGE("Default password did not match on reboot encryption");
-            return rc;
-        }
-
-        crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
-        put_crypt_ftr_and_key(&crypt_ftr);
-        rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd);
-        if (rc) {
-            SLOGE("Could not change password on reboot encryption");
-            return rc;
-        }
-    } else
-        rc = test_mount_hw_encrypted_fs(&crypt_ftr, passwd,
-            DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
-
-    if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) {
-        cryptfs_clear_password();
-        password = strdup(passwd);
-        struct timespec now;
-        clock_gettime(CLOCK_BOOTTIME, &now);
-        password_expiry_time = now.tv_sec + password_max_age_seconds;
-    }
-
-    return rc;
-}
-#endif
-
 int cryptfs_check_passwd(const char *passwd)
 {
     SLOGI("cryptfs_check_passwd");
@@ -2364,14 +2011,8 @@ int cryptfs_check_passwd(const char *passwd)
         return rc;
     }
 
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name))
-        return cryptfs_check_passwd_hw(passwd);
-#endif
-
     rc = test_mount_encrypted_fs(&crypt_ftr, passwd,
                                  DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE);
-
     if (rc) {
         SLOGE("Password did not match");
         return rc;
@@ -2392,7 +2033,7 @@ int cryptfs_check_passwd(const char *passwd)
 
         crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE;
         put_crypt_ftr_and_key(&crypt_ftr);
-        rc = cryptfs_changepw(crypt_ftr.crypt_type, DEFAULT_PASSWORD, passwd);
+        rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd);
         if (rc) {
             SLOGE("Could not change password on reboot encryption");
             return rc;
@@ -2442,24 +2083,6 @@ int cryptfs_verify_passwd(const char *passwd)
         /* If the device has no password, then just say the password is valid */
         rc = 0;
     } else {
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-        if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) {
-            if (verify_hw_fde_passwd(passwd, &crypt_ftr) >= 0)
-              rc = 0;
-            else
-              rc = -1;
-        } else {
-            decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
-            if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
-                /* They match, the password is correct */
-                rc = 0;
-            } else {
-              /* If incorrect, sleep for a bit to prevent dictionary attacks */
-                sleep(1);
-                rc = 1;
-            }
-        }
-#else
         decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
         if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) {
             /* They match, the password is correct */
@@ -2469,7 +2092,6 @@ int cryptfs_verify_passwd(const char *passwd)
             sleep(1);
             rc = 1;
         }
-#endif
     }
 
     return rc;
@@ -2593,12 +2215,6 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
     off64_t previously_encrypted_upto = 0;
     bool rebootEncryption = false;
     bool onlyCreateHeader = false;
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    unsigned char newpw[32];
-    int key_index = 0;
-#endif
-    int index = 0;
-
     int fd = -1;
 
     if (get_crypt_ftr_and_key(&crypt_ftr) == 0) {
@@ -2703,6 +2319,30 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
         fclose(breadcrumb);
     }
 
+    /* Do extra work for a better UX when doing the long inplace encryption */
+    if (!onlyCreateHeader) {
+        /* Now that /data is unmounted, we need to mount a tmpfs
+         * /data, set a property saying we're doing inplace encryption,
+         * and restart the framework.
+         */
+        if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
+            goto error_shutting_down;
+        }
+        /* Tells the framework that inplace encryption is starting */
+        property_set("vold.encrypt_progress", "0");
+
+        /* restart the framework. */
+        /* Create necessary paths on /data */
+        prep_data_fs();
+
+        /* Ugh, shutting down the framework is not synchronous, so until it
+         * can be fixed, this horrible hack will wait a moment for it all to
+         * shut down before proceeding.  Without it, some devices cannot
+         * restart the graphics services.
+         */
+        sleep(2);
+    }
+
     /* Start the actual work of making an encrypted filesystem */
     /* Initialize a crypt_mnt_ftr for the partition */
     if (previously_encrypted_upto == 0 && !rebootEncryption) {
@@ -2726,11 +2366,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
             crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE;
         }
         crypt_ftr.crypt_type = crypt_type;
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-        strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);
-#else
         strlcpy((char *)crypt_ftr.crypto_type_name, cryptfs_get_crypto_name(), MAX_CRYPTO_TYPE_NAME_LEN);
-#endif
 
         /* Make an encrypted master key */
         if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
@@ -2745,7 +2381,7 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
             unsigned char encrypted_fake_master_key[MAX_KEY_LEN];
             memset(fake_master_key, 0, sizeof(fake_master_key));
             encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key,
-                               encrypted_fake_master_key, &crypt_ftr, true);
+                               encrypted_fake_master_key, &crypt_ftr);
         }
 
         /* Write the key to the end of the partition */
@@ -2766,57 +2402,12 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
         }
     }
 
-    /* When encryption triggered from settings, encryption starts after reboot.
-       So set the encryption key when the actual encryption starts.
-     */
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    if (previously_encrypted_upto == 0) {
-        if (!rebootEncryption)
-            clear_hw_device_encryption_key();
-
-        if (get_keymaster_hw_fde_passwd(
-                         onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
-                         newpw, crypt_ftr.salt, &crypt_ftr))
-            key_index = set_hw_device_encryption_key(
-                         onlyCreateHeader ? DEFAULT_PASSWORD : passwd,
-                         (char*)crypt_ftr.crypto_type_name);
-        else
-            key_index = set_hw_device_encryption_key((const char*)newpw,
-                                (char*) crypt_ftr.crypto_type_name);
-        if (key_index < 0)
-            goto error_shutting_down;
-
-        crypt_ftr.flags |= CRYPT_ASCII_PASSWORD_UPDATED;
-        put_crypt_ftr_and_key(&crypt_ftr);
-    }
-#endif
-
     if (onlyCreateHeader) {
         sleep(2);
         cryptfs_reboot(RebootType::reboot);
-    } else {
-        /* Do extra work for a better UX when doing the long inplace encryption */
-        /* Now that /data is unmounted, we need to mount a tmpfs
-         * /data, set a property saying we're doing inplace encryption,
-         * and restart the framework.
-         */
-        if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) {
-            goto error_shutting_down;
-        }
-        /* Tells the framework that inplace encryption is starting */
-        property_set("vold.encrypt_progress", "0");
-
-        /* restart the framework. */
-        /* Create necessary paths on /data */
-        prep_data_fs();
-
-        /* Ugh, shutting down the framework is not synchronous, so until it
-         * can be fixed, this horrible hack will wait a moment for it all to
-         * shut down before proceeding.  Without it, some devices cannot
-         * restart the graphics services.
-         */
-        sleep(2);
+    }
 
+    if (!no_ui || rebootEncryption) {
         /* startup service classes main and late_start */
         property_set("vold.decrypt", "trigger_restart_min_framework");
         SLOGD("Just triggered restart_min_framework\n");
@@ -2829,17 +2420,8 @@ int cryptfs_enable_internal(int crypt_type, const char* passwd, int no_ui) {
     }
 
     decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name) && is_ice_enabled())
-      create_crypto_blk_dev(&crypt_ftr, (unsigned char*)&key_index, real_blkdev, crypto_blkdev,
-                          CRYPTO_BLOCK_DEVICE, 0);
-    else
-      create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
-                          CRYPTO_BLOCK_DEVICE, 0);
-#else
     create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,
                           CRYPTO_BLOCK_DEVICE, 0);
-#endif
 
     /* If we are continuing, check checksums match */
     rc = 0;
@@ -2973,7 +2555,7 @@ int cryptfs_enable_default(int no_ui) {
     return cryptfs_enable_internal(CRYPT_TYPE_DEFAULT, DEFAULT_PASSWORD, no_ui);
 }
 
-int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
+int cryptfs_changepw(int crypt_type, const char *newpw)
 {
     if (e4crypt_is_native()) {
         SLOGE("cryptfs_changepw not valid for file encryption");
@@ -3000,28 +2582,6 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
         return -1;
     }
 
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-    if(is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name))
-        return  cryptfs_changepw_hw_fde(crypt_type, currentpw, newpw);
-    else {
-        crypt_ftr.crypt_type = crypt_type;
-
-        rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ?
-                                     DEFAULT_PASSWORD : newpw,
-                                     crypt_ftr.salt,
-                                     saved_master_key,
-                                     crypt_ftr.master_key,
-                                     &crypt_ftr, false);
-        if (rc) {
-            SLOGE("Encrypt master key failed: %d", rc);
-            return -1;
-        }
-        /* save the key */
-        put_crypt_ftr_and_key(&crypt_ftr);
-
-        return 0;
-    }
-#else
     crypt_ftr.crypt_type = crypt_type;
 
     rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD
@@ -3029,7 +2589,7 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
                        crypt_ftr.salt,
                        saved_master_key,
                        crypt_ftr.master_key,
-                       &crypt_ftr, false);
+                       &crypt_ftr);
     if (rc) {
         SLOGE("Encrypt master key failed: %d", rc);
         return -1;
@@ -3037,57 +2597,8 @@ int cryptfs_changepw(int crypt_type, const char *currentpw, const char *newpw)
     /* save the key */
     put_crypt_ftr_and_key(&crypt_ftr);
 
-    return 0;
-#endif
-}
-
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-int cryptfs_changepw_hw_fde(int crypt_type, const char *currentpw, const char *newpw)
-{
-    struct crypt_mnt_ftr crypt_ftr;
-    int rc;
-    int previous_type;
-
-    /* get key */
-    if (get_crypt_ftr_and_key(&crypt_ftr)) {
-        SLOGE("Error getting crypt footer and key");
-        return -1;
-    }
-
-    previous_type = crypt_ftr.crypt_type;
-    int rc1;
-    unsigned char tmp_curpw[32] = {0};
-    rc1 = get_keymaster_hw_fde_passwd(crypt_ftr.crypt_type == CRYPT_TYPE_DEFAULT ?
-                                      DEFAULT_PASSWORD : currentpw, tmp_curpw,
-                                      crypt_ftr.salt, &crypt_ftr);
-
-    crypt_ftr.crypt_type = crypt_type;
-
-    int ret, rc2;
-    unsigned char tmp_newpw[32] = {0};
-
-    rc2 = get_keymaster_hw_fde_passwd(crypt_type == CRYPT_TYPE_DEFAULT ?
-                                DEFAULT_PASSWORD : newpw , tmp_newpw,
-                                crypt_ftr.salt, &crypt_ftr);
-
-    if (is_hw_disk_encryption((char*)crypt_ftr.crypto_type_name)) {
-        ret = update_hw_device_encryption_key(
-                rc1 ? (previous_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : currentpw) : (const char*)tmp_curpw,
-                rc2 ? (crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD : newpw): (const char*)tmp_newpw,
-                                    (char*)crypt_ftr.crypto_type_name);
-        if (ret) {
-            SLOGE("Error updating device encryption hardware key ret %d", ret);
-            return -1;
-        } else {
-            SLOGI("Encryption hardware key updated");
-        }
-    }
-
-    /* save the key */
-    put_crypt_ftr_and_key(&crypt_ftr);
     return 0;
 }
-#endif
 
 static unsigned int persist_get_max_entries(int encrypted) {
     struct crypt_mnt_ftr crypt_ftr;
@@ -3489,62 +3000,3 @@ int cryptfs_isConvertibleToFBE()
     struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab_default, DATA_MNT_POINT);
     return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0;
 }
-
-int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length)
-{
-    if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) {
-        SLOGE("Failed to initialize crypt_ftr");
-        return -1;
-    }
-
-    if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key,
-                                    crypt_ftr->salt, crypt_ftr)) {
-        SLOGE("Cannot create encrypted master key\n");
-        return -1;
-    }
-
-    //crypt_ftr->keysize = key_length / 8;
-    return 0;
-}
-
-int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password,
-                           unsigned char* master_key)
-{
-    int rc;
-
-    unsigned char* intermediate_key = 0;
-    size_t intermediate_key_size = 0;
-
-    if (password == 0 || *password == 0) {
-        password = DEFAULT_PASSWORD;
-    }
-
-    rc = decrypt_master_key(password, master_key, ftr, &intermediate_key,
-                            &intermediate_key_size);
-
-    if (rc) {
-        SLOGE("Can't calculate intermediate key");
-        return rc;
-    }
-
-    int N = 1 << ftr->N_factor;
-    int r = 1 << ftr->r_factor;
-    int p = 1 << ftr->p_factor;
-
-    unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)];
-
-    rc = crypto_scrypt(intermediate_key, intermediate_key_size,
-                       ftr->salt, sizeof(ftr->salt), N, r, p,
-                       scrypted_intermediate_key,
-                       sizeof(scrypted_intermediate_key));
-
-    free(intermediate_key);
-
-    if (rc) {
-        SLOGE("Can't scrypt intermediate key");
-        return rc;
-    }
-
-    return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key,
-                  intermediate_key_size);
-}
diff --git a/cryptfs.h b/cryptfs.h
index d8923db..d6c7dc5 100644
--- a/cryptfs.h
+++ b/cryptfs.h
@@ -66,14 +66,6 @@
                                      complete. On next cryptkeeper entry, match
                                      the password. If it matches fix the master
                                      key and remove this flag. */
-#ifdef CONFIG_HW_DISK_ENCRYPTION
-/* This flag is used to transition from L->M upgrade. L release passed
- * a byte for every nible of user password while M release is passing
- * ascii value of user password.
- * Random flag value is chosen so that it does not conflict with other use cases
- */
-#define CRYPT_ASCII_PASSWORD_UPDATED 0x1000
-#endif
 
 /* Allowed values for type in the structure below */
 #define CRYPT_TYPE_PASSWORD 0 /* master_key is encrypted with a password
@@ -241,7 +233,7 @@ int cryptfs_check_passwd(const char* pw);
 int cryptfs_verify_passwd(const char* pw);
 int cryptfs_restart(void);
 int cryptfs_enable(int type, const char* passwd, int no_ui);
-int cryptfs_changepw(int type, const char *currentpw, const char* newpw);
+int cryptfs_changepw(int type, const char* newpw);
 int cryptfs_enable_default(int no_ui);
 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, const unsigned char* key,
                              char* out_crypto_blkdev);
-- 
2.21.0