From: s414.kim Date: Mon, 13 May 2019 06:21:33 +0000 (+0900) Subject: Add start encryption/decryption API for internal storage X-Git-Tag: submit/tizen/20190607.051013~1 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=4581a875bb2c15efccd9842dbb46ad65d5d6ad58;p=platform%2Fcore%2Fsecurity%2Fode.git Add start encryption/decryption API for internal storage - Depending on UX changes, add those APIs to set start flags and to reboot Change-Id: Ib97f6101e890aa02b210b28536d40d21ddcdf751 Signed-off-by: s414.kim
---
diff --git a/lib/internal-encryption.cpp b/lib/internal-encryption.cpp
index fa918ae..6acd85f 100644
--- a/lib/internal-encryption.cpp
+++ b/lib/internal-encryption.cpp
@@ -63,6 +63,24 @@ int InternalEncryptionClient::umount()
 }
 }
+int InternalEncryptionClient::prepareEncryption(unsigned int options)
+{
+ try {
+ return context->methodCall("InternalEncryptionServer::prepareEncryption", options);
+ } catch (runtime::Exception& e) {
+ return error::Unknown;
+ }
+}
+
+int InternalEncryptionClient::prepareDecryption()
+{
+ try {
+ return context->methodCall("InternalEncryptionServer::prepareDecryption");
+ } catch (runtime::Exception& e) {
+ return error::Unknown;
+ }
+}
+
 int InternalEncryptionClient::encrypt(const std::string& password, unsigned int options)
 {
 try {
diff --git a/lib/internal-encryption.h b/lib/internal-encryption.h
index ccedd04..a24ec1b 100644
--- a/lib/internal-encryption.h
+++ b/lib/internal-encryption.h
@@ -36,6 +36,9 @@ public:
 int umount();
 int isMounted();
+ int prepareEncryption(unsigned int options);
+ int prepareDecryption();
+
 int encrypt(const std::string& password, unsigned int options);
 int decrypt(const std::string& password);
diff --git a/lib/ode/common.h b/lib/ode/common.h
index 5f23338..a1ab888 100644
--- a/lib/ode/common.h
+++ b/lib/ode/common.h
@@ -72,6 +72,8 @@ typedef enum {
 ODE_STATE_UNENCRYPTED = 0, /**< Device is not encrypted */
 ODE_STATE_ENCRYPTED = 1, /**< Device is encrypted */
 ODE_STATE_CORRUPTED = 2, /**< Device is corrupted because of encryption error */
+ ODE_STATE_PREPARED_ENCRYPTION = 3,
+ ODE_STATE_PREPARED_DECRYPTION = 4,
 } ode_state_e;
 /**
diff --git a/lib/ode/internal-encryption.cpp b/lib/ode/internal-encryption.cpp
index 90c5358..de808c0 100644
--- a/lib/ode/internal-encryption.cpp
+++ b/lib/ode/internal-encryption.cpp
@@ -80,6 +80,24 @@ int ode_internal_encryption_umount()
 return toApiError(internal.umount());
 }
+int ode_internal_encryption_prepare_encryption(unsigned int options)
+{
+ ClientContext client;
+ RET_ON_FAILURE(client.connect() == 0, ODE_ERROR_CONNECTION_REFUSED);
+ InternalEncryptionClient internal = client.createInterface();
+
+ return toApiError(internal.prepareEncryption(options));
+}
+
+int ode_internal_encryption_prepare_decryption()
+{
+ ClientContext client;
+ RET_ON_FAILURE(client.connect() == 0, ODE_ERROR_CONNECTION_REFUSED);
+ InternalEncryptionClient internal = client.createInterface();
+
+ return toApiError(internal.prepareDecryption());
+}
+
 int ode_internal_encryption_encrypt(const char* password, unsigned int options)
 {
 RET_ON_FAILURE(password, ODE_ERROR_INVALID_PARAMETER);
diff --git a/lib/ode/internal-encryption.h b/lib/ode/internal-encryption.h
index 3c1d074..5eb7499 100644
--- a/lib/ode/internal-encryption.h
+++ b/lib/ode/internal-encryption.h
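Review bot: In lib/ode/common.h the new enumerators `ODE_STATE_PREPARED_ENCRYPTION` and `ODE_STATE_PREPARED_DECRYPTION` carry no `/**< ... */` description, unlike the three values above them, so the public header does not tell a caller what these states mean or what to do on seeing them. I would add something like `/**< Encryption has been requested and is pending */` and `/**< Decryption has been requested and is pending */`, with the wording confirmed against the intended flow. Existing callers that treat every value other than `ODE_STATE_ENCRYPTED` as "not encrypted" (or the reverse) now receive two more values, which deserves a mention in the API change notes. The numbers also duplicate `PreparedEncryption = 3` and `PreparedDecryption = 4` in rmi/internal-encryption.h and have to be kept in step with them by hand.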
@@ -120,6 +120,29 @@ ODE_API int ode_internal_encryption_is_mounted(bool *result);
 */
 ODE_API int ode_internal_encryption_umount();
+/**
+ * @brief Prepare to encrypt internal storage
+ * @details Administrator can use this API to prepare encryption internal storage.
+ * @since_tizen 5.5
+ * @param[in] options Encryption options
+ * @return #ODE_ERROR_NONE on success, otherwise a negative value
+ * @retval #ODE_ERROR_NONE Successful
+ * @post ode_internal_encryption_encrypt() must be invoked after rebooting
+ * @see ode_internal_encryption_prepare_decryption()
+ */
+ODE_API int ode_internal_encryption_prepare_encryption(unsigned int options);
+
+/**
+ * @brief Prepare to decrypt internal storage
+ * @details Administrator can use this API to prepare decryption internal storage.
+ * @since_tizen 5.5
+ * @return #ODE_ERROR_NONE on success, otherwise a negative value
+ * @retval #ODE_ERROR_NONE Successful
+ * @post ode_internal_encryption_decrypt() must be invoked after rebooting
+ * @see ode_internal_encryption_prepare_encryption()
+ */
+ODE_API int ode_internal_encryption_prepare_decryption();
+
 /**
 * @brief Encrypt internal storage by given password.
 * @details Administrator can use this API to encrypt internal storage.
@@ -137,6 +160,8 @@ ODE_API int ode_internal_encryption_umount();
 * @retval #ODE_ERROR_UNKNOWN Unknown error
 * @pre The password must match with what is set by
 * ode_internal_encryption_init_password().
+ * @pre The device must be prepared to encrypt by
+ * ode_internal_encryption_prepare_encryption()
 * @see ode_internal_encryption_mount()
 * @see ode_internal_encryption_decrypt()
 * @see ode_internal_encryption_get_supported_options()
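Review bot: The doc blocks added for `ode_internal_encryption_prepare_encryption()` and `ode_internal_encryption_prepare_decryption()` list `#ODE_ERROR_NONE` as the only `@retval` and never state that the call reboots the device. The wrapper in lib/ode/internal-encryption.cpp can return `ODE_ERROR_CONNECTION_REFUSED`, and the server side returns a state error and an unknown error, so the matching `@retval` lines should be added; the exact `ODE_ERROR_*` names depend on `toApiError()`, which is not part of this diff. I would also add a line such as `@remarks On success the device is rebooted immediately.` and state the privilege the caller needs. For the encryption variant, the `@param[in] options` text should say that bits outside the supported set are silently dropped, since the server applies `options & getSupportedOptions()`.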
@@ -159,6 +184,8 @@ ODE_API int ode_internal_encryption_encrypt(const char* password, unsigned int o
 * @retval #ODE_ERROR_UNKNOWN Unknown error
 * @pre The password must match with what is set by
 * ode_internal_encryption_init_password().
+ * @pre The device must be prepared to decrypt by
+ * ode_internal_encryption_prepare_decryption()
 * @see ode_internal_encryption_encrypt()
 */
 ODE_API int ode_internal_encryption_decrypt(const char* password);
diff --git a/rmi/internal-encryption.h b/rmi/internal-encryption.h
index a38e25a..0186c45 100644
--- a/rmi/internal-encryption.h
+++ b/rmi/internal-encryption.h
@@ -36,6 +36,9 @@ public:
 virtual int umount() = 0;
 virtual int isMounted() = 0;
+ virtual int prepareEncryption(unsigned int options) = 0;
+ virtual int prepareDecryption() = 0;
+
 virtual int encrypt(const std::string& password, unsigned int options) = 0;
 virtual int decrypt(const std::string& password) = 0;
@@ -52,6 +55,8 @@ public:
 Unencrypted = 0,
 Encrypted = 1,
 Corrupted = 2,
+ PreparedEncryption = 3,
+ PreparedDecryption = 4,
 };
 virtual int getState() = 0;
diff --git a/server/internal-encryption.cpp b/server/internal-encryption.cpp
index 4861738..0f29d6a 100644
--- a/server/internal-encryption.cpp
+++ b/server/internal-encryption.cpp
@@ -435,6 +435,8 @@ InternalEncryptionServer::InternalEncryptionServer(ServerContext& srv,
 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::mount)(std::vector, unsigned int));
 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::umount)());
 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::isMounted)());
+ server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::prepareEncryption)(unsigned int));
+ server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::prepareDecryption)());
 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::encrypt)(std::string, unsigned int));
 server.expose(this, PRIVILEGE_PLATFORM, (int)(InternalEncryptionServer::decrypt)(std::string));
 server.expose(this, "", (int)(InternalEncryptionServer::isPasswordInitialized)());
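Review bot: `prepareEncryption` and `prepareDecryption` are exposed under `PRIVILEGE_PLATFORM` like `encrypt` and `decrypt`, but unlike those two they take no password, so the privilege check is the only gate on a call that rewrites the stored crypto state and reboots the device. If that is what the new UX flow intends, a comment on these two lines should say so, for example `// No password here: these only set the start flag and reboot; the password is checked in encrypt()/decrypt().` Otherwise consider passing the password and verifying it before any state is changed. The constructor body continues outside this hunk, so the handling of the other exposed methods cannot be compared beyond the lines shown.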
@@ -584,6 +586,52 @@ int InternalEncryptionServer::umount()
 return error::None;
 }
+int InternalEncryptionServer::prepareEncryption(unsigned int options)
+{
+ if (getState() != State::Unencrypted) {
+ ERROR(SINK, "Cannot encrypt, partition's state incorrect.");
+ return error::NoSuchDevice;
+ }
+
+ try {
+ runtime::File file("/opt/etc/.odeprogress");
+ file.create(MODE_0640);
+ } catch (runtime::Exception &e) {
+ ERROR(SINK, "Failed to create the flag file: " + std::string(e.what()));
+ return error::Unknown;
+ }
+
+ setOptions(options & getSupportedOptions());
+
+ ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "prepared_encryption");
+ ::sync();
+ ::reboot(RB_AUTOBOOT);
+
+ return error::None;
+}
+
+int InternalEncryptionServer::prepareDecryption()
+{
+ if (getState() != State::Encrypted) {
+ ERROR(SINK, "Cannot decrypt, partition's state incorrect.");
+ return error::NoSuchDevice;
+ }
+
+ try {
+ runtime::File file("/opt/etc/.odeprogress");
+ file.create(MODE_0640);
+ } catch (runtime::Exception &e) {
+ ERROR(SINK, "Failed to create the flag file: " + std::string(e.what()));
+ return error::Unknown;
+ }
+
+ ::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "prepared_decryption");
+ ::sync();
+ ::reboot(RB_AUTOBOOT);
+
+ return error::None;
+}
+
 int InternalEncryptionServer::encrypt(const std::string& password, unsigned int options)
 {
 if (getState() != State::Unencrypted) {
@@ -791,6 +839,10 @@ int InternalEncryptionServer::getState()
 return State::Encrypted;
 else if (valueStr == "unencrypted")
 return State::Unencrypted;
+ else if (valueStr == "prepared_encryption")
+ return State::PreparedEncryption;
+ else if (valueStr == "prepared_decryption")
+ return State::PreparedDecryption;
 else if (valueStr == "error_partially_encrypted" || valueStr == "error_partially_decrypted") return State::Corrupted;
diff --git a/server/internal-encryption.h b/server/internal-encryption.h
index 488fac9..2bf5990 100644
--- a/server/internal-encryption.h
+++ b/server/internal-encryption.h
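Review bot: In `prepareEncryption()` and `prepareDecryption()` the return values of `::vconf_set_str()` and `::reboot()` are ignored, so the function returns `error::None` even when the state was not stored or the reboot was refused. In both failure cases `/opt/etc/.odeprogress` stays on disk, and when only the reboot fails the stored state stays at `prepared_*` on a device that keeps running. I would check both calls, undo the flag file and the state on failure, and return `error::Unknown`. The sketch below shows this for `prepareEncryption()`; `prepareDecryption()` needs the same with its previous state value restored. The two functions differ only in the state check, `setOptions()` and the state string, so a shared private helper would keep them from drifting apart.

```cpp
	// … unchanged: state check, flag-file creation, setOptions() …

	if (::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "prepared_encryption") != 0) {
		ERROR(SINK, "Failed to store the prepared_encryption state.");
		::unlink("/opt/etc/.odeprogress");
		return error::Unknown;
	}

	::sync();
	if (::reboot(RB_AUTOBOOT) != 0) {
		// reboot() only returns on failure; roll back so the device is not
		// left in a prepared state without having restarted.
		ERROR(SINK, "Failed to reboot after preparing encryption.");
		::vconf_set_str(VCONFKEY_ODE_CRYPTO_STATE, "unencrypted");
		::unlink("/opt/etc/.odeprogress");
		return error::Unknown;
	}

	return error::None;
```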
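Review bot: With `prepared_encryption` and `prepared_decryption` now mapped to their own states in `getState()`, the entry checks of the existing operations no longer match the documented flow. The context at the end of the previous hunk shows `encrypt()` still starting with `if (getState() != State::Unencrypted)`, which would reject the very call that the new `@post`/`@pre` documentation says must follow `prepareEncryption()`. Unless the state is reset to `unencrypted` during boot (not visible in this diff), that check should accept the prepared state, e.g. `if (getState() != State::PreparedEncryption)`, and `decrypt()` likewise for `State::PreparedDecryption`. `getState()` starts and ends outside this hunk, so the value returned for unrecognised strings cannot be checked here.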
@@ -40,6 +40,9 @@ public:
 int umount();
 int isMounted();
+ int prepareEncryption(unsigned int options);
+ int prepareDecryption();
+
 int encrypt(const std::string& password, unsigned int options);
 int decrypt(const std::string& password);