在Android M版本,手机都要求默认开启FDE,在download完之后的第一次开机过程中会对手机/data分区进行加密。其流程大致如下:
1,*.rc文件中,mount_all /fstab
2,/system/core/init/builtins.cpp的do_mount_all接口
在这里会去读取fstabl中关于/data分区的加密的flag,并做mount动作。
3,Mount /data的返回值值FS_MGR_MNTALL_DEV_NEEDS_ENCRYPTION
445 if(ret ==FS_MGR_MNTALL_DEV_NEEDS_ENCRYPTION) {
446 property_set("vold.decrypt","trigger_encryption");
4,触发encryption
502on property:vold.decrypt=trigger_encryption
503 start surfaceflinger
504 start encrypt
670service encrypt/system/bin/vdc --wait cryptfs enablecrypto inplacedefault noui
671 disabled
672 oneshot
673 #vold will setvold.decrypt to trigger_restart_framework (default
674 #encryption)
5,接着CryptCommandListener接收enablecryptocommand
201 for (tries = 0; tries < 2; ++tries) {
203 cli->sendMsg(ResponseCode::CommandSyntaxError,syntax,
204 false);
205 return 0;
206 } else if (type == CRYPT_TYPE_DEFAULT) {
207 rc =cryptfs_enable_default(argv[2],no_ui);
208 } else {
209 rc = cryptfs_enable(argv[2],type,argv[4],no_ui);
210 }
213 break;
215 Process::killProcessesWithOpenFiles(DATA_MNT_POINT,SIGKILL);
216 }
217 }
6,执行cryptfs.c中的cryptfs_enable_default函数
3235intcryptfs_enable_default(char*howarg,intno_ui)
3236{
3237 returncryptfs_enable_internal(howarg,CRYPT_TYPE_DEFAULT,
3239}
7,cryptfs_enable_default是加密流程中比较重要的一个函数,在这里就详细说明下,
1),get_crypt_ftr_and_key函数,一些重要的接口都定义在cryptfs.h中
2),fs_mgr_get_crypt_info,这个在fstab中有设定
3),trigger_shutdown_framework
4),unmount all volumes
5),unmount /data
6),mount tempfs on /data
7),设定vold.encrypt_progress为0
8),pre data fs
1552static int prep_data_fs(void)1553{1554 int i;15551556 /* Do the prep of the /data filesystem */1557 property_set("vold.post_fs_data_done", "0");1558 property_set("vold.decrypt", "trigger_post_fs_data");1559 SLOGD("Just triggered post_fs_data\n");
9),config hwencryption
3051#ifndef CONFIG_HW_DISK_ENCRYPTION3052 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN);3053#else3054 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN);30553056 rc = clear_hw_device_encryption_key();3057 if (!rc) {3058 SLOGE("Error clearing device encryption hardware key. rc = %d", rc);3059 }30603061 rc = set_hw_device_encryption_key(passwd,3062 (char*) crypt_ftr.crypto_type_name);3063 if (!rc) {
3064 SLOGE("Error initializing device encryption hardware key. rc = %d", rc);3065 goto error_shutting_down;
10),make anencrypted master key
1552static int prep_data_fs(void)1553{1554 int i;15551556 /* Do the prep of the /data filesystem */1557 property_set("vold.post_fs_data_done", "0");1558 property_set("vold.decrypt", "trigger_post_fs_data");1559 SLOGD("Just triggered post_fs_data\n");
11),write thekey to the end partition
3075 /* Write the key to the end of the partition */3076 put_crypt_ftr_and_key(&crypt_ftr);
12),restart minframework
3093 if (how == CRYPTO_ENABLE_INPLACE && !no_ui) {3094 /* startup service classes main and late_start */3095 property_set("vold.decrypt", "trigger_restart_min_framework");3096 SLOGD("Just triggered restart_min_framework\n");30973098 /* OK, the framework is restarted and will soon be showing a3099 * progress bar. Time to setup an encrypted mapping, and3100 * either write a new filesystem, or encrypt in place updating3101 * the progress bar as we work.3102 */3103 }
13),用输入的password去拿decryptmaster key
3105 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0);
14),用decryptmaster key创建crypto block dev(dm device)
3106 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev,3107 "userdata");
15),encrypt
3122 if (!rc) {3123 rc = cryptfs_enable_all_volumes(&crypt_ftr, how,3124 crypto_blkdev, real_blkdev,3125 previously_encrypted_upto);3126 }
16),如果是default加密,就不会走重启流程,是调用cryptfs_restart_internal(1)
3161 property_set("ro.crypto.state", "encrypted");3162 release_wake_lock(lockid);3163 cryptfs_check_passwd(DEFAULT_PASSWORD);3164 cryptfs_restart_internal(1);3165 return 0;
17),如果不是default加密,那么就会重启
3166 } else {3167 sleep(2); /* Give the UI a chance to show 100% progress */3168 cryptfs_reboot(reboot);
【更多文章列表,尽在手机安全之家】
【1】Android Security框架
【2】FDE Introduction
【3】FDE之要求密码开机流程
【4】FDE之默认密码开机流程
【5】预置apk签名
【6】FDE之加密流程
【7】Adb Shell 安全
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
尽请关注手机安全之家,了解更多Android Security知识。
关注方法:打开手机微信->通讯录->右上角"添加"->"搜号码"->输入"手机安全之家"->搜索。
或者而通过扫描下方二维码也可以添加。