Interaction between direncrypt and ARC++


nat...@lenovo-chrome.com

Aug 11, 2017, 8:57:10 PM
to Chromium OS dev
Hello all,

I'm trying to understand how ext4 encryption (direncrypt USE flag, specifically) interacts with ARC++. The source code references a bug I unfortunately can't access (no idea if it would be helpful or not), so a brief primer would be greatly appreciated.

Bernie Thompson

Aug 11, 2017, 9:18:04 PM
to nat...@lenovo-chrome.com, Chromium OS dev
Essentially, ext4 encryption is required for use with Android N; however, it breaks Android M. As more builds move to N, more get the direncryption USE flag.

We should expect to see more ext4 encryption in the future, and the eventual deprecation of ecryptfs. We expect to be only on N in the R62 time frame, for instance. It is not clear yet, though, when we will cut over to all systems using ext4 encryption only.

-Bernie

On Fri, Aug 11, 2017 at 5:57 PM, <nat...@lenovo-chrome.com> wrote:
Hello all,

I'm trying to understand how ext4 encryption (direncrypt USE flag, specifically) interacts with ARC++. The source code references a bug I unfortunately can't access (no idea if it would be helpful or not), so a brief primer would be greatly appreciated.


Ryo Hashimoto

Aug 14, 2017, 12:08:10 AM
to Bernie Thompson, nat...@lenovo-chrome.com, Chromium OS dev
You can find a general Linux description of ext4 encryption on LWN.net. (https://lwn.net/Articles/639427/)
On Chrome OS, a service called cryptohome is responsible for setting up the necessary key for ext4 encryption. (https://chromium.git.corp.google.com/chromiumos/platform2/+/be52b087f7c778d1aa1aa2653199a1b7c1ea4081/cryptohome/mount.cc#546)
As we are patching upstart to set up a session keyring to force all processes to use the same session keyring, ARC processes can also access the ext4 encryption key and can access the encrypted contents.

Please let me know if you have any technical questions about how it works.
HTH
- Ryo
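
The shared-session-keyring behaviour described in the message above, as an added example that is not part of the thread or of Chrome OS code: a key placed on a session keyring is found by a child that inherits that keyring and not by a child that joins its own. It uses a constructed `user`-type key as a stand-in for the ext4 key; the function names and key description are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/keyctl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#define DESC "demo:constructed-key" /* constructed; not a real ext4 key */
#define SESSION ((long)KEY_SPEC_SESSION_KEYRING)

/* Fork a child that optionally joins a fresh session keyring, then searches
 * its session keyring for DESC. Returns 1 found, 0 not found, -1 on error. */
static int child_sees_key(int join_new_session) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (join_new_session &&
            syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0)
            _exit(2);
        _exit(syscall(SYS_keyctl, KEYCTL_SEARCH, SESSION, "user", DESC, 0L) > 0);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1)
        return -1;
    return WEXITSTATUS(st);
}

/* Returns 1 if the inheriting child sees the key and the child with its own
 * session keyring does not, 0 otherwise, -1 if keyrings are unavailable
 * (e.g. blocked by a sandbox). Forks so the caller's keyring is untouched. */
int shared_session_keyring_demo(void) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (syscall(SYS_keyctl, KEYCTL_JOIN_SESSION_KEYRING, NULL) < 0 ||
            syscall(SYS_add_key, "user", DESC, "secret", 6L, SESSION) < 0)
            _exit(2);
        int same = child_sees_key(0), other = child_sees_key(1);
        if (same < 0 || other < 0) _exit(2);
        _exit(same == 1 && other == 0);
    }
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) > 1)
        return -1;
    return WEXITSTATUS(st);
}

int main(void) {
    printf("demo result: %d\n", shared_session_keyring_demo());
    return 0;
}
```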

nat...@lenovo-chrome.com

Aug 14, 2017, 1:24:20 PM
to Chromium OS dev, bhtho...@chromium.org, nat...@lenovo-chrome.com
Thanks Bernie and Ryo!

The bit that I was missing was that Android N requires direncryption but Android M requires it to be off. Once I understood that (and understood which ebuilds were for which Android version), I was able to fix my problem.

Much appreciated!

Nathan