Disk encryption and verified boot on android-x86

Jingbin Liu

Nov 3, 2017, 3:57:09 AM
to Android-x86
Hello everyone!

Recently I want to implement disk encryption and verified boot on android-x86. Android implements these functions using a setup on mounting partition /system and partition /data during mount_all in init.${vendor}.rc. In this procedure, Android reads the fstab.${vendor} file and decides whether a partition needs to be encrypted or verified. But on android-x86, I find mounting /system and /data is processed in the bootable/newinstaller/initrd/init. I have a few questions here.

1) Why is mounting /system and /data implemented in the bootable/newinstaller/initrd/init, not included in the init.rc in Android using the fstab file? Can I mount them later? Besides, what's the purpose of this file? I think it is executed after the Linux kernel boots and before Android init, but I don't know why it is needed.

2) Can I remount the /system and /data later in android init? I want to use the existing code and it seems it doesn't use these two partitions at this step.

3) Can I remount the /system and /data after android init? It seems risky but flexible. It is only an option but I don't prefer this solution, because if more programs run before it, it will bring less security.

Any help would be appreciated! Thank you!

Chih-Wei Huang

Nov 3, 2017, 6:07:12 AM
to Android-x86
2017-11-03 15:57 GMT+08:00 Jingbin Liu <liujingb...@gmail.com>:
> Hello everyone!
>
> Recently I want to implement disk encryption and verified boot on
> android-x86. Android implements these functions using a setup on mounting
> partition /system and partition /data during mount_all in init.${vendor}.rc.
> In this procedure, Android reads the fstab.${vendor} file and decides
> whether a partition needs to be encrypted or verified. But on android-x86, I find
> mounting /system and /data is processed in the
> bootable/newinstaller/initrd/init. I have a few questions here.
>
> 1) Why is mounting /system and /data implemented in the
> bootable/newinstaller/initrd/init, not included in the init.rc in
> Android using the fstab file? Can I mount them later? Besides, what's the
> purpose of this file? I think it is executed after the Linux kernel boots and
> before Android init, but I don't know why it is needed.

Because we want to support a variety of use cases
including live mode and one partition layout in
several different filesystems (ext4, ntfs, vfat, etc).
You can see the init script tries to cover these cases as far as possible.
Though it's also possible to do these via android init
with some hacks, I chose the easier way in
the beginning of this project.

> 2) Can I remount the /system and /data later in android init? I want to use
> the existing code and it seems it doesn't use these two partitions at this
> step.

Surely you can do that providing you
have a standard android partition layout.
Actually it's not too difficult to eliminate initrd.img
and use android's ramdisk.img directly.

> 3) Can I remount the /system and /data after android init? It seems risky
> but flexible. It is only an option but I don't prefer this solution, because
> if more programs run before it, it will bring less security.

Not sure what you want to do exactly.
Basically it's possible to do anything
if you know how to do that correctly.


--
Chih-Wei
Android-x86 project
http://www.android-x86.org
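
The fstab-driven decision discussed in this thread, as an added example that is not code from either poster or from the android-x86 project: a small auditor that parses an Android-style fstab and reports whether /system and /data carry the fs_mgr flags that make mount_all set up verity or encryption. The flag names (`verify`, `avb`, `forceencrypt`, and so on) are AOSP fs_mgr flags that the thread itself does not list; the function names and the sample fstab are constructed for illustration.

```python
# Added example: audit an Android fstab for verified-boot and encryption flags.
# Flag names are AOSP fs_mgr flags; function names and the sample are constructed.
VERITY_FLAGS = {"verify", "avb"}
ENCRYPT_FLAGS = {"encryptable", "forceencrypt", "forcefdeorfbe", "fileencryption"}

SAMPLE_FSTAB = """\
# constructed sample, not taken from android-x86
/dev/block/by-name/system /system ext4 ro                   wait,verify
/dev/block/by-name/data   /data   ext4 noatime,nosuid,nodev wait,check,forceencrypt=footer
/dev/block/by-name/cache  /cache  ext4 noatime,nosuid,nodev wait,check
"""

def parse_fstab(text):
    """Return one dict per entry: <src> <mnt_point> <type> <mnt_flags> <fs_mgr_flags>."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        # fs_mgr flags are comma separated; some carry a value (forceencrypt=footer)
        mgr = dict(item.partition("=")[::2] for item in fields[4].split(","))
        entries.append({"source": fields[0], "mount_point": fields[1],
                        "fs_type": fields[2], "mount_flags": fields[3].split(","),
                        "fs_mgr_flags": mgr})
    return entries

def audit(entries):
    """List the protections that /system and /data are missing."""
    findings = []
    by_mount = {e["mount_point"]: e for e in entries}
    system, data = by_mount.get("/system"), by_mount.get("/data")
    if system is None:
        findings.append("/system: not in fstab, mount_all cannot set up verity")
    else:
        if not VERITY_FLAGS & system["fs_mgr_flags"].keys():
            findings.append("/system: no verify/avb flag")
        if "ro" not in system["mount_flags"]:
            findings.append("/system: not mounted read-only")
    if data is None:
        findings.append("/data: not in fstab, mount_all cannot set up encryption")
    elif not ENCRYPT_FLAGS & data["fs_mgr_flags"].keys():
        findings.append("/data: no encryption flag")
    return findings
```

An fstab with no /system or /data entry at all, which is the situation when an earlier stage such as an initrd script has already mounted them, is reported as a finding rather than passing silently.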