1 files changed, 29 insertions, 3 deletions

diff --git a/crypto/ext4crypt/KeyUtil.cpp b/crypto/ext4crypt/KeyUtil.cpp
index 946c6cf9c..3dc05004c 100644
--- a/crypto/ext4crypt/KeyUtil.cpp
+++ b/crypto/ext4crypt/KeyUtil.cpp
@@ -27,6 +27,7 @@
 #include <keyutils.h>
 
 #include "KeyStorage4.h"
+#include "Ext4CryptPie.h"
 #include "Utils.h"
 
 #include <iostream>
@@ -35,6 +36,11 @@
 #include <sys/types.h>
 #include <unistd.h>
 
+#define MAX_USER_ID 0xFFFFFFFF
+
+using android::hardware::keymaster::V4_0::KeyFormat;
+using android::vold::KeyType;
+
 namespace android {
 namespace vold {
 
@@ -128,7 +134,14 @@ bool installKey(const KeyBuffer& key, std::string* raw_ref) {
     ext4_encryption_key &ext4_key = *reinterpret_cast<ext4_encryption_key*>(ext4KeyBuffer.data());
 
     if (!fillKey(key, &ext4_key)) return false;
-    *raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size);
+    if (is_wrapped_key_supported()) {
+        /* When wrapped key is supported, only the first 32 bytes are
+           the same per boot. The second 32 bytes can change as the ephemeral
+           key is different. */
+        *raw_ref = generateKeyRef(ext4_key.raw, (ext4_key.size)/2);
+    } else {
+        *raw_ref = generateKeyRef(ext4_key.raw, ext4_key.size);
+    }
     key_serial_t device_keyring;
     if (!e4cryptKeyring(&device_keyring)) return false;
     for (char const* const* name_prefix = NAME_PREFIXES; *name_prefix != nullptr; name_prefix++) {
@@ -171,7 +184,7 @@ bool evictKey(const std::string& raw_ref) {
 
 bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_authentication,
                            const std::string& key_path, const std::string& tmp_path,
-                           std::string* key_ref) {
+                           std::string* key_ref, bool wrapped_key_supported) {
     KeyBuffer key;
     if (pathExists(key_path)) {
         LOG(DEBUG) << "Key exists, using: " << key_path << std::endl;
@@ -182,10 +195,23 @@ bool retrieveAndInstallKey(bool create_if_absent, const KeyAuthentication& key_a
            return false;
         }
         LOG(INFO) << "Creating new key in " << key_path << std::endl;
-        if (!randomKey(&key)) return false;
+        if (wrapped_key_supported) {
+            if(!generateWrappedKey(MAX_USER_ID, KeyType::DE_SYS, &key)) return false;
+        } else {
+            if (!randomKey(&key)) return false;
+        }
         if (!storeKeyAtomically(key_path, tmp_path, key_authentication, key)) return false;
     }
 
+    if (wrapped_key_supported) {
+        KeyBuffer ephemeral_wrapped_key;
+        if (!getEphemeralWrappedKey(KeyFormat::RAW, key, &ephemeral_wrapped_key)) {
+            LOG(ERROR) << "Failed to export key in retrieveAndInstallKey";
+            return false;
+        }
+        key = std::move(ephemeral_wrapped_key);
+    }
+
     if (!installKey(key, key_ref)) {
         LOG(ERROR) << "Failed to install key in " << key_path << std::endl;
         return false;