From e131bec179826431b7b89e4748ae05e8a4262145 Mon Sep 17 00:00:00 2001
From: Ethan Yonker
Date: Fri, 15 Dec 2017 23:48:02 -0600
Subject: Add spblob decrypt for secdis method (Pixel 1 non-weaver)
Support decrypting Pixel 1 devices using secdis method with the gatekeeper instead of weaver. Add a bit of a dirty workaround to a permissions issue that the keystore presents because the keystore checks the uid of the calling process and refuses to let the root user add authorization tokens. We write the auth token to a file and start a separate service that runs under the system user. The service reads the token from the file and adds it to the keystore. You must define this service in your init.recovery.{hardware}.rc file: service keystore_auth /sbin/keystore_auth disabled oneshot user system group root seclabel u:r:recovery:s0 TWRP will run this service when needed.
Change-Id: I0ff48d3355f03dc0be8e75cddb8b484bdef98772
---
crypto/ext4crypt/Android.mk | 12 ++++++++++++
1 file changed, 12 insertions(+)
(limited to 'crypto/ext4crypt/Android.mk')
diff --git a/crypto/ext4crypt/Android.mk b/crypto/ext4crypt/Android.mk
index af5ab3af0..693b67518 100644
--- a/crypto/ext4crypt/Android.mk
+++ b/crypto/ext4crypt/Android.mk
@@ -28,6 +28,7 @@ ifeq ($(shell test $(PLATFORM_SDK_VERSION) -ge 26; echo $$?),0)
 LOCAL_CFLAGS += -DHAVE_LIBKEYUTILS
 LOCAL_SHARED_LIBRARIES += libkeyutils
 endif
+ LOCAL_ADDITIONAL_DEPENDENCIES := keystore_auth
 else
 LOCAL_SRC_FILES += Keymaster.cpp KeyStorage.cpp
 endif
@@ -58,4 +59,15 @@ LOCAL_LDFLAGS += -Wl,-dynamic-linker,/sbin/linker64
 include $(BUILD_EXECUTABLE)
+include $(CLEAR_VARS)
+LOCAL_MODULE := keystore_auth
+LOCAL_MODULE_TAGS := optional
+LOCAL_MODULE_CLASS := RECOVERY_EXECUTABLES
+LOCAL_MODULE_PATH := $(TARGET_RECOVERY_ROOT_OUT)/sbin
+LOCAL_SRC_FILES := keystore_auth.cpp
+LOCAL_SHARED_LIBRARIES := libc libkeystore_binder libutils libbinder liblog
+LOCAL_LDFLAGS += -Wl,-dynamic-linker,/sbin/linker64
+
+include $(BUILD_EXECUTABLE)
+
 endif
--
cgit v1.2.3
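Review bot: `LOCAL_ADDITIONAL_DEPENDENCIES := keystore_auth` in the first hunk couples the main module to the new executable by a bare module name, which presumably works only through the per-module phony alias the Android build system creates rather than through a file prerequisite, and the `:=` discards any value the variable already held. The documented way to express "install keystore_auth whenever this module is installed" is `LOCAL_REQUIRED_MODULES += keystore_auth`; if a build-order dependency is really intended, switch to `+=` and say why in a comment. The `ifeq` enclosing this line starts outside the hunk, so it is not visible whether it is the same SDK-version branch that the second hunk's `endif` closes.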
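Review bot: The new `keystore_auth` module in the second hunk has no comment explaining why it is a separate binary, although the commit message makes that essential to operating it: keystore rejects authorization tokens from a root caller, so this helper must run under the system user from an init service that every device tree has to declare, and the token is handed over through a file written by root. A maintainer reading only Android.mk will also not know that `$(TARGET_RECOVERY_ROOT_OUT)/sbin` must line up with the `service keystore_auth /sbin/keystore_auth` entry in init.recovery.{hardware}.rc. Suggest a header comment above `include $(CLEAR_VARS)` such as `# keystore_auth: run as the system user by an init.recovery.{hardware}.rc service; keystore refuses auth tokens from uid 0, so TWRP writes the token to a file and starts this service to add it.` The hard-coded `-Wl,-dynamic-linker,/sbin/linker64` mirrors the existing module and is 64-bit only; the `endif` that closes the hunk belongs to a conditional opened outside it.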