Add ramoops decryption

Bug: 37554629 Bug: 37553996 Test: Walleye/Taimen able to decrypt ramoops Change-Id: I834460a0d8dc878aef511ebac47335eb30e53980 Merged-In: I834460a0d8dc878aef511ebac47335eb30e53980
2026-02-01 07:50:47 +00:00 · 2017-07-21 13:30:50 -07:00
parent 261e1f7eb3
commit fe4a14cc0d
10 changed files with 82 additions and 7 deletions
--- a/device.mk
+++ b/device.mk
@@ -66,7 +66,8 @@ PRODUCT_COPY_FILES += \
    $(LOCAL_PATH)/uinput-fpc.idc:system/usr/idc/uinput-fpc.idc \
    $(LOCAL_PATH)/init.qcom.devstart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.devstart.sh \
    $(LOCAL_PATH)/init.qcom.ipastart.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.qcom.ipastart.sh \
-    $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh
+    $(LOCAL_PATH)/init.insmod.sh:$(TARGET_COPY_OUT_VENDOR)/bin/init.insmod.sh \
+    $(LOCAL_PATH)/init.ramoops.sh:$(TARGET_COPY_OUT_SYSTEM)/bin/init.ramoops.sh

 ifneq (,$(filter userdebug eng, $(TARGET_BUILD_VARIANT)))
  PRODUCT_COPY_FILES += \
--- a/init.hardware.rc
+++ b/init.hardware.rc
@@ -226,6 +226,12 @@ on post-fs
    # Wait qseecomd started
    wait_for_prop sys.listeners.registered true

+on property:sys.user.0.ce_available=true
+    mkdir /data/misc_ce/0/ramoops
+    start ramoops_sh
+
+on property:sys.ramoops.decrypted=true
+    mount pstore pstore /sys/fs/pstore

 on property:sys.listeners.registered=true
    # load IPA FWs
@@ -455,6 +461,13 @@ on boot
    # default country code
    setprop ro.boot.wificountrycode 00

+    # Encrypted ramoops
+    umount /sys/fs/pstore
+    chmod 770 /dev/access-ramoops
+    chown system system /dev/access-ramoops
+    chmod 770 /dev/access-metadata
+    chown system system /dev/access-metadata
+
    # Make the ftm4 command node writeable from dumpstate
    chown system system /sys/devices/virtual/input/ftm4_touch/cmd

@@ -768,3 +781,11 @@ service insmod_sh /vendor/bin/init.insmod.sh
    group root system
    disabled
    oneshot
+
+service ramoops_sh /system/bin/init.ramoops.sh
+    class main
+    user root
+    group root system
+    disabled
+    oneshot
+
--- a/init.ramoops.sh
+++ b/init.ramoops.sh
@@ -0,0 +1,20 @@
+#!/system/bin/sh
+
+# Decrypt the keys and write them to the kernel
+ramoops -D
+
+if [ $? -eq 0 ]; then
+    # Pivot (and decrypt) and remount pstore
+    echo 1 > /sys/devices/virtual/ramoops/pstore/use_alt
+    setprop sys.ramoops.decrypted true
+else
+    setprop sys.ramoops.decrypted Error-$?
+fi
+
+# Generate keys (if none exist), and load the keys to carveout
+if [[ $(getprop ro.hardware) == "walleye" ]]; then
+    ramoops -g -l -c
+else
+    ramoops -g -l
+fi
+
--- a/sepolicy/private/device.te
+++ b/sepolicy/private/device.te
@@ -0,0 +1 @@
+type ramoops_device, dev_type;
--- a/sepolicy/private/file_contexts
+++ b/sepolicy/private/file_contexts
@@ -1,6 +1,11 @@
-/system/bin/e2fsdroid		u:object_r:e2fs_exec:s0
-/system/bin/mke2fs		u:object_r:e2fs_exec:s0
-/sys/fs/ext4/features(/.*)?    u:object_r:sysfs_fs_ext4_features:s0
-/system/bin/folio_daemon        u:object_r:folio_daemon_exec:s0
-/data/misc/elabel(/.*)?         u:object_r:elabel_data_file:s0
-/system/bin/init\.elabel\.sh    u:object_r:init_elabel_exec:s0
+/system/bin/e2fsdroid              u:object_r:e2fs_exec:s0
+/system/bin/mke2fs                 u:object_r:e2fs_exec:s0
+/sys/fs/ext4/features(/.*)?        u:object_r:sysfs_fs_ext4_features:s0
+/system/bin/folio_daemon           u:object_r:folio_daemon_exec:s0
+/data/misc/elabel(/.*)?            u:object_r:elabel_data_file:s0
+/system/bin/init\.elabel\.sh       u:object_r:init_elabel_exec:s0
+/system/bin/ramoops                u:object_r:ramoops_exec:s0
+/system/bin/init\.ramoops\.sh      u:object_r:ramoops_exec:s0
+/dev/access-metadata               u:object_r:ramoops_device:s0
+/dev/access-ramoops                u:object_r:ramoops_device:s0
+/data/misc_ce/[0-9]+/ramoops(/.*)? u:object_r:ramoops_data_file:s0
--- a/sepolicy/private/genfs_contexts
+++ b/sepolicy/private/genfs_contexts
@@ -0,0 +1,4 @@
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key                  u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_iv               u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/aes_key_tag              u:object_r:sysfs_pstore:s0
+genfscon sysfs /devices/virtual/ramoops/pstore/use_alt                  u:object_r:sysfs_pstore:s0
--- a/sepolicy/private/property.te
+++ b/sepolicy/private/property.te
@@ -1,2 +1,3 @@
 # TODO: delete this once it's in common sepolicy.
 type netd_stable_secret_prop, property_type;
+type ramoops_prop, property_type;
--- a/sepolicy/private/property_contexts
+++ b/sepolicy/private/property_contexts
@@ -1,2 +1,3 @@
 # TODO: delete this once it's in common sepolicy.
 persist.netd.stable_secret    u:object_r:netd_stable_secret_prop:s0
+sys.ramoops.decrypted         u:object_r:ramoops_prop:s0
--- a/sepolicy/private/ramoops.te
+++ b/sepolicy/private/ramoops.te
@@ -0,0 +1,20 @@
+type ramoops, domain, coredomain;
+type ramoops_data_file, file_type, data_file_type;
+type ramoops_exec, exec_type, file_type;
+
+init_daemon_domain(ramoops);
+
+# kmod=crypto-gcm(aes)
+dontaudit ramoops kernel:system module_request;
+
+allow ramoops ramoops_exec:file rx_file_perms;
+allow ramoops shell_exec:file rx_file_perms;
+allow ramoops toolbox_exec:file rx_file_perms;
+
+# Set the sys.ramoops.decrypted property
+set_prop(ramoops, ramoops_prop);
+
+allow ramoops sysfs_pstore:file rw_file_perms;
+allow ramoops ramoops_device:chr_file rw_file_perms;
+allow ramoops ramoops_data_file:file create_file_perms;
+allow ramoops ramoops_data_file:dir rw_dir_perms;
--- a/sepolicy/public/file.te
+++ b/sepolicy/public/file.te
@@ -1 +1,2 @@
 type elabel_data_file, file_type, data_file_type;
+type sysfs_pstore, sysfs_type, fs_type;