Disk encryption in android

Hello again i’m right now trying to trying to get disk encyryption to work on android. When i try to enable it from the ui it’s stuck at the android logo. When i try to enable with adb. i get this and the encryption segfaults. Does the hikey960 support Full disk encryption? I’m currently using manifest 3.4.2 with android 9.0

Check the fstab line corresponding to the userdata partition. I believe that it should have an argument “encryptable” to enable optional encryption. It might be something like “encrypted” to force it. You will have to look up the details though.

Android fstab file.

# <mnt_point> <mnt_flags and options> <fs_mgr_flags>

The filesystem that contains the filesystem checker binary (typically /system) cannot

specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

#/dev/block/platform/soc/ff3b0000.ufs/by-name/system_a /system ext4 ro wait
#/dev/block/platform/soc/ff3b0000.ufs/by-name/cache /cache ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
/dev/block/sdd5 /cache ext4 discard,noatime,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
#/dev/block/platform/soc/ff3b0000.ufs/by-name/userdata /data ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
/dev/block/sdd13 /data f2fs discard,noatime,nosuid,nodev wait,check,fileencryption=software,quota
/dev/block/sdd13 /data ext4 discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait,formattable
/devices/platform/soc/ff37f000.dwmmc1/mmc_host/mmc* auto auto defaults voldmanaged=sdcard1:auto,encryptable=userdata
/devices/platform/soc/ff200000.hisi_usb/ff100000.dwc3/xhci-hcd..auto/usb auto auto defaults voldmanaged=usbdisk:auto,encryptable=userdata
/devices/platform/soc/f4000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/nvme/nvme* auto auto defaults voldmanaged=nvmedisk:auto,encryptable=userdata

i’m thinking that encryptable has already been set
this is /storage/optee_android_manifest/device/linaro/hikey/hikey960/fstab.hikey960

should i set userdata like this?
#/dev/block/platform/soc/ff3b0000.ufs/by-name/userdata /data ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 encryptable=userdata wait

I don’t know the details to tell you how to make it work. I’m just pointing you to what I remember having seen.

I don’t know what the optee repository has in it, but this is what is in aosp;
https://android.googlesource.com/device/linaro/hikey/+/refs/heads/master/hikey960/fstab.hikey960#10

I think that means that its trying to do file-based encryption. As in, its making a decision to encrypt or not on a file-by-file basis.

Read this: Full-Disk Encryption  |  Android Open Source Project

Note that where it says “new devices running android 10 must…” – I believe that is related to shipping version and authorization to ship with google binaries for production devices, not related to developer devices.

i don’t have that line in my fstab config. So i’m thinking that it’s the change i have to make. i’m on android 9.0.1 so i think that’s will do the trick. Also i have a question that should have been addressed. How come i have so many files to compile when i run build-p-hikey? What is the proper way to change the source tree and generate the image files?

I don’t know what “build_p_hikey” is.

In AOSP, to build, you run the following;

. build/envsetup.sh
lunch hikey960_userdebug
m

If you make changes, you run m again, and it recompiles the changes only (as well as anything depending on the changes) and generates new images.

Changing your fstab to match that line may not work. There are probably kernel dependencies that you don’t have. Focus on full disk encryption like the last link.

when i run m i get this and also the build-p-hikey is ./build-p-hikey960.sh

ninja: error: 'device/linaro/hikey-kernel/Image.gz-dtb-hikey960-4.9', needed by 'out/target/product/hikey960/kernel', missing and no known rule to make it

i changed the flag and still i’m getting the same thing from logcat

@Zacchaeus_Liang Disk encryption, specifically FBE in this case, requires support of the keymaster HAL. The OP-TEE and default software keymaster HALs are available, but the OP-TEE HAL isn’t supported atm due to circular dependency issues with vold. To add support for FBE with the default SW keymaster HAL, do the following:

  1. device/linaro/hikey/hikey960/fstab.hikey960

#/dev/block/platform/soc/ff3b0000.ufs/by-name/userdata /data ext4 discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait
/dev/block/sdd13 /data f2fs discard,noatime,nosuid,nodev wait,check,fileencryption=software,quota
/dev/block/sdd13 /data ext4

This line already supports FBE, i.e. fileencryption=software. You just need to uncomment it, i.e. remove the ‘#’. Not sure why you have the line commented out, because that means you’re booting up without mounting the userdata partition (/data), and it’s working for you?

  1. device/linaro/hikey/device-common.mk

Comment out or delete all lines has the word ‘keymaster’ or ‘gatekeeper’ in it, except for the following:

PRODUCT_PACKAGES +=
android.hardware.keymaster@3.0-impl
android.hardware.keymaster@3.0-service

  1. out/target/product/hikey960/vendor/etc/init

Delete the following files if exist:
android.hardware.keymaster@3.0-service.optee.rc
android.hardware.gatekeeper@1.0-service.optee.rc
wait_for_keymaster_optee.rc

  1. Rebuild and reflash the vendor image, or all images to be safe.

@doitright Just a high level fyi, OP-TEE is a Trusted Execution Environment (TEE) designed based on the GlobalPlatform API specifications. To help OP-TEE developers on the hikey 620 and 960 AOSP platforms, Linaro provides a set of unofficial wrapper scripts over the AOSP build commands, hence names like build-p-hikey.sh, etc. The scripts basically apply a bunch of patches before the build so that the bootloader firmware, kernel and AOSP images are built with additional components required to run the host/client applications and corresponding Trusted Applications (TAs) the developers created.

To all OP-TEE developers here, for future reference, if you happen to see this, for all OP-TEE related questions, please raise an issue @ https://github.com/OP-TEE/optee_os/issues/new. For all OP-TEE on AOSP related questions, raise an issue @ https://github.com/linaro-swg/optee_android_manifest/issues/new. Any other AOSP related questions can be posted here.

# Android fstab file.
#<src>                                                  <mnt_point>         <type>    <mnt_flags and options>                               <fs_mgr_flags>
# The filesystem that contains the filesystem checker binary (typically /system) cannot
# specify MF_CHECK, and must come before any filesystems that do specify MF_CHECK

/dev/block/platform/soc/ff3b0000.ufs/by-name/system_a    /system    ext4    ro                                                                   wait
#/dev/block/platform/soc/ff3b0000.ufs/by-name/cache       /cache     ext4    discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1    wait
/dev/block/sdd5     /cache     ext4    discard,noatime,noauto_da_alloc,data=ordered,user_xattr,barrier=1    wait
/dev/block/platform/soc/ff3b0000.ufs/by-name/userdata    /data      ext4    discard,noauto_da_alloc,data=ordered,user_xattr,barrier=1,encryptable=userdata    wait
/dev/block/sdd13    /data      f2fs    discard,noatime,nosuid,nodev                                 wait,check,fileencryption=software,quota
/dev/block/sdd13    /data      ext4    discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1    wait,formattable
/devices/platform/soc/ff37f000.dwmmc1/mmc_host/mmc*      auto       auto    defaults    voldmanaged=sdcard1:auto,encryptable=userdata
/devices/platform/soc/ff200000.hisi_usb/ff100000.dwc3/xhci-hcd.*.auto/usb*               auto               auto      defaults  voldmanaged=usbdisk:auto,encryptable=userdata
/devices/platform/soc/f4000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0/nvme/nvme*      auto       auto    defaults    voldmanaged=nvmedisk:auto,encryptable=userdata

so i this is what my changes look like for the fstab file
and as for the device.mk file

PRODUCT_PACKAGES +=
android.hardware.keymaster@3.0-impl
android.hardware.keymaster@3.0-service

/# Gatekeeper HAL

PRODUCT_PACKAGES +=
android.hardware.gatekeeper@1.0-impl
android.hardware.gatekeeper@1.0-service

these are the only 2 lines and i’m curious why they were commented initally?

i’m getting unable to open gate keeper

06-22 18:26:59.457 10957 10957 F DEBUG   : *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
06-22 18:26:59.457 10957 10957 F DEBUG   : Build fingerprint: 'Android/hikey960/hikey960:9/PQ1A.190105.004/root06081621:userdebug/test-keys'
06-22 18:26:59.457 10957 10957 F DEBUG   : Revision: '0'
06-22 18:26:59.457 10957 10957 F DEBUG   : ABI: 'arm64'
06-22 18:26:59.457 10957 10957 F DEBUG   : pid: 10954, tid: 10954, name: android.hardwar  >>> /vendor/bin/hw/android.hardware.gatekeeper@1.0-service <<<
06-22 18:26:59.457 10957 10957 F DEBUG   : signal 6 (SIGABRT), code -6 (SI_TKILL), fault addr --------
06-22 18:26:59.457 10957 10957 F DEBUG   : Abort message: 'Unable to open GateKeeper HAL'
06-22 18:26:59.457 10957 10957 F DEBUG   :     x0  0000000000000000  x1  0000000000002aca  x2  0000000000000006  x3  0000000000000008
06-22 18:26:59.457 10957 10957 F DEBUG   :     x4  637160672d63686e  x5  637160672d63686e  x6  637160672d63686e  x7  7f7f7f7f7f7f7f7f
06-22 18:26:59.457 10957 10957 F DEBUG   :     x8  0000000000000083  x9  00000070b93b8a68  x10 fffffff87fffffdf  x11 0000000000000001
06-22 18:26:59.457 10957 10957 F DEBUG   :     x12 0000007ff9089c50  x13 ffffffffffffffff  x14 ffffffffff000000  x15 ffffffffffffffff
06-22 18:26:59.457 10957 10957 F DEBUG   :     x16 00000070b93f12c8  x17 00000070b932f2d8  x18 0000000000000000  x19 0000000000002aca
06-22 18:26:59.457 10957 10957 F DEBUG   :     x20 0000000000002aca  x21 0000000000000083  x22 0000007ff908a1e8  x23 00000070b8e2d360
06-22 18:26:59.457 10957 10957 F DEBUG   :     x24 00000070b9c065e0  x25 00000070b8e2d360  x26 00000070b8e2d360  x27 0000007ff908a1b9
06-22 18:26:59.457 10957 10957 F DEBUG   :     x28 0000000000000001  x29 0000007ff9089b70
06-22 18:26:59.457 10957 10957 F DEBUG   :     sp  0000007ff9089b30  lr  00000070b9323a90  pc  00000070b9323abc
06-22 18:26:59.461 10957 10957 F DEBUG   : 
06-22 18:26:59.461 10957 10957 F DEBUG   : backtrace:
06-22 18:26:59.462 10957 10957 F DEBUG   :     #00 pc 0000000000021abc  /system/lib64/libc.so (abort+124)
06-22 18:26:59.462 10957 10957 F DEBUG   :     #01 pc 00000000000080f8  /system/lib64/liblog.so (__android_log_assert+296)
06-22 18:26:59.462 10957 10957 F DEBUG   :     #02 pc 0000000000002f58  /vendor/lib64/hw/android.hardware.gatekeeper@1.0-impl.so (HIDL_FETCH_IGatekeeper+160)
06-22 18:26:59.462 10957 10957 F DEBUG   :     #03 pc 000000000002f958  /system/lib64/vndk-sp-28/libhidltransport.so (_ZZN7android8hardware25PassthroughServiceManager3getERKNS0_11hidl_stringES4_ENKUlPvRKNSt3__112basic_stringIcNS6_11char_traitsIcEENS6_9allocatorIcEEEESE_E_clES5_SE_SE_+96)
06-22 18:26:59.462 10957 10957 F DEBUG   :     #04 pc 000000000002bd7c  /system/lib64/
/dev/block/sdd13 /data f2fs discard,noatime,nosuid,nodev wait,check,fileencryption=software,quota /dev/block/sdd13 /data ext4 discard,noatime,nosuid,nodev,noauto_da_alloc,data=ordered,user_xattr,barrier=1 wait,formattable

You want fileencryption=software on the ext4 line, NOT the f2fs line.

PRODUCT_PACKAGES +=
android.hardware.gatekeeper@1.0-impl
android.hardware.gatekeeper@1.0-service

Comment out these lines as well. They were commented out initially because we couldn’t get the default software gatekeeper HAL to work for whatever reason in this build, so you only want the keymaster ones.

In out/target/product/hikey960/vendor/etc/init, delete android.hardware.gatekeeper@1.0-service.rc as well.

Rebuild and reflash.

just to check it’s the line above?

Edit: passwords don’t work not and encryption does not work either make the changes

@Zacchaeus_Liang The build as mentioned in AOSP+OP-TEE build and sync issue in Hikey960 - #34 by vchong supports FBE by default.