#!/bin/sh
. /lib/functions/preinit.sh
. /lib/functions/iopsys-system-layout.sh
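# Report whether the overlay data directory already carries the board-specific
# fscrypt policy.
# Arguments: $1 - overlay mount point (defaults to /overlay)
# Returns:   0 when the descriptor printed by `fscryptctl get_policy` for
#            <overlay>/data equals get_board_specific_encryption_key_desc,
#            1 otherwise
is_migrated() {
	local overlay_mount="${1:-/overlay}"
	local data_dir="$overlay_mount/data"
	local key_desc data_dir_key_desc

	key_desc="$(get_board_specific_encryption_key_desc)"
	# The path is quoted so a mount point containing whitespace or glob
	# characters reaches fscryptctl as one argument.
	data_dir_key_desc="$(fscryptctl get_policy "$data_dir" | awk '/Descriptor/ { print $3 }')"

	# NOTE(review): when both lookups produce an empty string (no board key
	# descriptor and no policy on the directory) this comparison still
	# succeeds and the directory is reported as migrated - confirm that an
	# unencrypted data directory cannot slip through this way.
	[ "$data_dir_key_desc" = "$key_desc" ]
}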
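# Replace <overlay>/data with a directory that uses the board-specific fscrypt
# policy, carrying the existing entries over.
# Arguments: $1 - overlay mount point (defaults to /overlay)
# Returns:   0 once the new directory is in place; 1 when no key descriptor is
#            available, the policy cannot be applied, or the directory swap
#            fails. The old data directory is only deleted after the swap.
migrate_overlay() {
	local overlay_mount="${1:-/overlay}"
	local data_dir="$overlay_mount/data"
	local tmp_data_dir="$overlay_mount/data.tmp"
	local new_desc entry
	local failed=0

	new_desc="$(get_board_specific_encryption_key_desc)"
	echo "$0 migrating overlay" >> /dev/console

	# Without a descriptor the replacement directory would end up with no
	# encryption policy at all, so leave the existing data untouched.
	if [ -z "$new_desc" ]; then
		echo "$0 no encryption key descriptor, overlay not migrated" >> /dev/console
		return 1
	fi

	mkdir -p "$tmp_data_dir" || return 1
	if ! fscryptctl set_policy "$new_desc" "$tmp_data_dir"; then
		# Never move data into, or swap in, a directory whose policy was
		# not applied: that would silently drop the encryption.
		echo "$0 set_policy failed, overlay not migrated" >> /dev/console
		rmdir "$tmp_data_dir" 2>/dev/null
		return 1
	fi

	# Migrate files, if any. The glob must stay outside the quotes to expand;
	# the two extra patterns pick up dot-files, which "*" skips.
	for entry in "$data_dir"/* "$data_dir"/.[!.]* "$data_dir"/..?*; do
		# An unmatched pattern is left as literal text; skip it.
		[ -e "$entry" ] || [ -L "$entry" ] || continue
		mv "$entry" "$tmp_data_dir/" 2>/dev/null || failed=$((failed + 1))
	done
	# Best effort, as before: entries that could not be moved are dropped
	# together with the old directory, but the loss is now reported.
	[ "$failed" -eq 0 ] ||
		echo "$0 $failed overlay entries could not be migrated" >> /dev/console

	if [ -e "$data_dir" ] || [ -L "$data_dir" ]; then
		if ! mv "$data_dir" "$data_dir.old"; then
			echo "$0 could not move old data directory aside" >> /dev/console
			return 1
		fi
	fi
	if ! mv "$tmp_data_dir" "$data_dir"; then
		echo "$0 could not install migrated data directory" >> /dev/console
		return 1
	fi
	rm -rf "$data_dir.old"
}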
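# Feed the key stored in /proc/device-tree/key_dev_specific_512 to
# `fscryptctl insert_key` on stdin. An empty key is skipped; a missing file
# is reported on stderr and nothing is inserted.
encryption_init_kernel_keyring_old_key() {
	local key_file=/proc/device-tree/key_dev_specific_512
	local key

	if [ -f "$key_file" ]; then
		# NOTE(review): command substitution strips trailing newlines, and
		# NUL bytes do not survive in a shell variable - presumably the
		# property is plain text; confirm against the key format.
		key="$(cat "$key_file")"
		# printf '%s' emits the key verbatim. echo -n is shell-dependent:
		# some implementations expand backslash sequences or treat a
		# leading "-" as an option, which would corrupt the key material.
		[ -z "$key" ] || printf '%s' "$key" | fscryptctl insert_key > /dev/null
	else
		echo "Old key key_dev_specific_512 not found!" >&2
	fi
}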
# Top-level routine of this script: mount the current overlay partition and,
# unless its data directory already uses the board-specific key, load the old
# key and migrate the directory. The overlay is unmounted again either way.
# Returns: the status of use_overlay_encryption when that check fails,
#          otherwise the status of the final umount.
bcm_fscrypt_key_migration() {
	local overlay_mount="/overlay"

	# Nothing to do when the overlay is not encrypted.
	use_overlay_encryption || return

	get_system_layout_info_in_global_var
	encryption_init_kernel_keyring
	# NOTE(review): the result of mount_overlay_partition is not checked; if
	# the mount fails, the steps below act on whatever is at $overlay_mount.
	mount_overlay_partition current "$overlay_mount"

	if ! is_migrated "$overlay_mount"; then
		# The old key goes into the keyring before the data is moved.
		encryption_init_kernel_keyring_old_key
		migrate_overlay "$overlay_mount"
	fi

	umount "$overlay_mount"
}
# Run the key migration when this script is executed.
bcm_fscrypt_key_migration