Droidcedas : Hardware-Accelerated Disk Encryption in Android 5.1

In a previous post we looked at disk encryption enhancements introduced in Android 5.0. That article was written based on the Lollipop preview release, before the platform source code was available, and while the post got most of the details about hardware-backed key protection right (the official documentation has since been released), it appears that it was overly optimistic in expecting that high-end Lollipop devices will ship with hardware-accelerated disk encryption. Android 5.0 did come with disk encryption enabled by default (at least on Nexus devices), but FDE also brought some performance problems, and many Android enthusiasts rushed to disable it. While slower disk access generally doesn't affect perceived performance when using a particular app, longer load times can add up and result in slower switching between apps, as well as longer boot times. In order to improve performance without sacrificing device security Android 5.1 integrated support for hardware-accelerated disk encryption on devices that provide dedicated cryptographic hardware, such as the Nexus 6. Unfortunately, this feature ended up disabled in the current Android release, but hopefully will be turned back on in a future release.

This post will look into the implementation of hardware-backed disk encryption on the Nexus 6, show how it improves performance, and finally describe some of the problems of the current implementation.

Kernel crypto

As previously discussed, Android's FDE implementation is based on the dm-crypt device-mapper target. As such, it performs cryptographic operations via the interfaces provided by the Linux kernel crypto API. The kernel crypto API defines a standard, extensible interface to ciphers and other data transformations implemented in the kernel (or as loadable modules). The API supports symmetric ciphers, AEAD ciphers, message digests and random number generators, collectively referred to as 'transformations'. All transformations have a name and a priority, as well as additional properties that describe their block size, supported key sizes, and so on. For example, a desktop Linux system may support the following:

    $ cat /proc/crypto
    ...
    name         : aes
    driver       : aes-generic
    module       : kernel
    priority     : 100
    refcnt       : 1
    selftest     : passed
    type         : cipher
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32
    ...
    name         : aes
    driver       : aes-aesni
    module       : kernel
    priority     : 300
    refcnt       : 1
    selftest     : passed
    type         : cipher
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32

    name         : aes
    driver       : aes-asm
    module       : kernel
    priority     : 200
    refcnt       : 1
    selftest     : passed
    type         : cipher
    blocksize    : 16
    min keysize  : 16
    max keysize  : 32
    ...

Here we see three different implementations of the aes transformation, all built into the kernel, but with different priorities. When creating an instance of a particular transformation, clients of the crypto API only specify its name and the kernel automatically returns the one with the highest priority. In this particular example, the aes-aesni implementation (which takes advantage of the AES-NI instruction set available on recent x86 CPUs) will be returned. New implementations can be added using the crypto_register_alg() and crypto_register_algs() functions.

The API provides single-block ciphers and hashes, which can be combined in order to provide higher-level cryptographic constructs via 'templates'. For example, AES in CBC mode is specified with the cbc(aes) template. Templates can be nested in order to request composite transformations that include more than one cryptographic primitive.

The API defines synchronous and asynchronous versions of cryptographic operations. Asynchronous operations return immediately and deliver their result via a callback, while synchronous operations block until the result is available. The crypto API also provides a user space interface via a dedicated socket type, AF_ALG.

Accelerating dm-crypt

dm-crypt parses the cipher specification (aes-cbc-essiv:sha256 in stock Android) passed as part of its mapping table and instantiates the corresponding transforms via the kernel crypto API. Thus in order to have dm-crypt use hardware acceleration, one has to either register a hardware-backed AES implementation with a high priority (which may affect other kernel services), or use a unique AES transformation name and change the mapping table accordingly.
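The priority-based selection described in the 'Kernel crypto' section, and the two options in the paragraph above, can be modelled over /proc/crypto text. This is an added example, not code from the original post or from the kernel; the sample entries are constructed and `aes-hwexample` is a hypothetical hardware-backed driver.

```python
# Constructed sample in /proc/crypto format; "aes-hwexample" is a hypothetical
# hardware-backed driver, not a real one.
SAMPLE = """\
name         : aes
driver       : aes-generic
priority     : 100
selftest     : passed

name         : aes
driver       : aes-asm
priority     : 200
selftest     : passed

name         : aes
driver       : aes-hwexample
priority     : 400
selftest     : passed
"""


def parse_proc_crypto(text):
    """Split /proc/crypto text into one dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:  # skips filler lines such as "..."
            current[key.strip()] = value.strip()
    return entries


def resolve(entries, requested):
    """Return the driver a crypto API client gets when asking for `requested`.

    Simplified model: an exact driver-name match wins, otherwise the highest
    priority entry with that name; entries not marked 'passed' are skipped.
    """
    usable = [e for e in entries if e.get("selftest") == "passed"]
    for e in usable:
        if e.get("driver") == requested:
            return e["driver"]
    named = [e for e in usable if e.get("name") == requested]
    if not named:
        return None
    return max(named, key=lambda e: int(e.get("priority", "0")))["driver"]
```

Running `resolve(parse_proc_crypto(open("/proc/crypto").read()), "aes")` on a device shows which implementation a generic `aes` request would bind to, which is a quick way to confirm whether a hardware driver is actually being picked up.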

Pretty much all SoCs used in current Android devices come with some form of AES-capable hardware, usually in order to implement efficient DRM. OMAP devices provide ecb(aes), cbc(aes), and ctr(aes) implementations (in omap-aes.c) backed by the OMAP Crypto Engine; Tegra devices provide ecb(aes), cbc(aes), and ofb(aes) (in tegra-aes.c) backed by NVIDIA's bitstream engine. ARMv8 devices offer an AES implementation which takes advantage of the dedicated aese, aesd, and aesmc instructions of the CPU. If the hardware-backed AES transformations available on these devices have higher priority than the corresponding software implementations, dm-crypt will automatically use them and take advantage of any acceleration (offloading to dedicated hardware/co-processor) they provide.

Qualcomm crypto engine

Recent (and likely older, too) this post for details). When an encrypted device is booted, the PIN or password entered by the user is run through scrypt, then signed with a hardware-bound RSA key, the result is run through scrypt again to derive the key encryption key (KEK) and IV, which are in turn used to decrypt the master key stored in the crypto footer. The master key is then passed to the device mapper driver as part of the mapping table via an ioctl() call. However, the dm-req-crypt implementation completely ignores the passed cipher string, encryption key and IV offset, and only uses the device path and start sector hardware-backed keystore). That said, the glue code that integrates it with vold, as well as the kernel driver are open source, so we can get a fairly good idea of how the system works. The disk encryption key is set, updated and cleared using the cryptfs_hw glue library. This library simply loads several functions from the proprietary libQSEEComAPI.so library using dlopen() and provides wrappers around them. For example, the disk encryption key is set by calling set_hw_device_encryption_key(), which in turn calls QSEECom_update_key_user_info() from the proprietary library. This function sends commands to the secure OS via the qseecom kernel driver which is visible to user space as the /dev/qseecom device.

Generating a disk encryption key causes the qseecom driver to request loading a trusted app in the secure OS, and then sends the QSEOS_GENERATE_KEY command, which kicks off key generation. Generated keys appear to be stored on the ssd ('secure storage device'?) partition which points to /dev/block/mmcblk0p34 on the Nexus 6. After the key is generated, it is loaded into the hardware crypto engine using the QSEOS_SET_KEY command and can henceforth be used for encryption or decryption.

Using HW-accelerated FDE

As discussed in the 'Integrating dm-req-crypt' section, two things are needed to enable hardware-accelerated disk encryption: a vold binary with dm-req-crypt support and the libcryptfs_hw library. And, of course, all of the proprietary bits and pieces that make up the QSEE need to be in place. Thus it is easier to start with a stock 5.1 image, rather than build one from AOSP, because some of the required proprietary binaries seem to be missing from the officially released tarballs. Once everything is in place, encryption works exactly as before: if the fstab.shamu file includes the forceencrypt flag, the device will be encrypted on first boot, otherwise you need to kick off encryption from Settings->Security->Encrypt phone. One thing to note is that there is no way to transition a dm-crypt encrypted partition to dm-req-crypt, so if the device is already encrypted, you need to wipe the userdata partition first. After the encryption completes, the crypto footer (in the metadata partition on the N6) will look like this:

    Android FDE crypto footer
    -------------------------
    Magic              : 0xD0B5B1C4
    Major Version      : 1
    Minor Version      : 3
    Footer Size        : 2320 bytes
    Flags              : 0x00000020
    Key Size           : 128 bits
    Failed Decrypts    : 0
    Crypto Type        : aes-xts
    Encrypted Key      : CC43B0AE14BF27BAFE4709A102A96140
    Salt               : 1BB69D5DE1132F15D024E65370C29F33
    KDF                : scrypt+keymaster
    N_factor           : 15 (N=32768)
    r_factor           : 3  (r=8)
    p_factor           : 1  (p=2)
    crypt type         : PIN
    FS size            : 55615232
    encrypted upto     : 0
    hash first block   : 000000000000000000000000000000...
    scrypted IK        : 8B6DDC19F047331740B31B0F41E4EC5F...

The important bit here is the crypto type which is set to aes-xts. Because the actual disk encryption key is managed by the crypto engine, all other parameters (encrypted key, salt, etc.) are only used when verifying the user PIN or password. On boot, vold checks the value of the crypto type, and if set to aes-xts, loads the disk encryption key using the cryptfs_hw library, and then initializes the dm-req-crypt device mapper target. From there, the system simply mounts the created dm-0 device as /data, and all reads and writes are decrypted/encrypted transparently.
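The PIN verification chain (scrypt, device-bound signature, scrypt again) can be traced with the salt and scrypt factors from the footer above. This is an added example, not code from the original post or from vold: the hardware-bound RSA signature is replaced by an HMAC stand-in, and reusing the footer salt for both scrypt passes and splitting the 32-byte output into a 16-byte KEK and a 16-byte IV are assumptions.

```python
import hashlib
import hmac

# Salt and scrypt factors taken from the crypto footer shown above.
SALT = bytes.fromhex("1BB69D5DE1132F15D024E65370C29F33")
N, R, P = 1 << 15, 1 << 3, 1 << 1   # N_factor=15, r_factor=3, p_factor=1


def _scrypt(data: bytes) -> bytes:
    # scrypt needs about 128 * N * r = 32 MiB here, which is at OpenSSL's
    # default limit, so the limit is raised explicitly.
    return hashlib.scrypt(data, salt=SALT, n=N, r=R, p=P,
                          maxmem=64 * 1024 * 1024, dklen=32)


def device_sign(device_key: bytes, data: bytes) -> bytes:
    """Stand-in for the hardware-bound RSA signature (HMAC, NOT what Android uses).

    On a real device this step runs inside the TEE and the key never leaves it.
    """
    return hmac.new(device_key, data, hashlib.sha256).digest()


def derive_kek_iv(pin: str, device_key: bytes):
    """PIN -> scrypt -> device-bound signature -> scrypt -> (KEK, IV)."""
    intermediate = _scrypt(pin.encode())
    signature = device_sign(device_key, intermediate)
    out = _scrypt(signature)
    return out[:16], out[16:]        # assumed split: 128-bit KEK, 128-bit IV
```

The same PIN yields a different KEK under a different device key, which is why a copied footer cannot be tested against PIN guesses without the device's key.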

Performance

As can be expected, hardware-backed disk encryption performs better than the software-based dm-crypt implementation. The screenshots below show the actual numbers, as measured by the AndEBenchPro application ('low-tech' dd read/write results are similar).

[Screenshots: No FDE | Software FDE | Hardware FDE]

As you can see, while disk access when using hardware-backed disk encryption is still about 40% slower than on an unencrypted device, random and sequential reads are almost two times faster compared to the software implementation (when reading 256KB blocks of data: 46.3MB/s vs. 25.1MB/s). So why isn't hardware-backed FDE enabled on current Nexus 6 builds?

Stability problems

Unfortunately, while the current implementation performs pretty well, there are still some problems, especially when the device is in sleep mode. If the device is in sleep mode for a relatively long period of time, read errors can occur, and the userdata partition may be mounted as read-only (which wreaks havoc with the system's content providers); the device may even power off. While a reboot seems to fix the issue, if the userdata was mounted read-only, the SQLite databases storing system configuration and accounts may get corrupted, which in some cases can only be fixed by a factory reset. Thus, hardware-accelerated disk encryption is unfortunately currently not quite suitable for daily use on the Nexus 6.

The OnePlus One (which has a Snapdragon 801 SoC), running CyanogenOS 12 also includes a dm-req-crypt-based FDE implementation which is enabled out of the box (disk encryption has to be triggered manually though). The FDE implementation on the OnePlus One seems to be quite stable, with comparable performance (50MB/s random read), so hopefully the problem on the Nexus 6 is a software one and can be resolved with a kernel update.

Summary

Disk encryption on Android can be accelerated by adding a kernel crypto API driver which takes advantage of the SoC's cryptographic hardware. This allows block encryption to be offloaded from the main CPU(s), and improves disk access times. Devices based on recent Qualcomm Snapdragon SoCs such as the Nexus 6 and the OnePlus One can take advantage of the SoC's crypto core module using the qcedev and qcrypto kernel drivers. A dedicated disk encryption device mapper target, dm-req-crypt, which batches encryption requests in order to increase throughput is also supported. Additionally, disk encryption keys are managed through a TEE secure app, and thus are not accessible by the Android OS, including the kernel. When using hardware-accelerated FDE, disk access is almost two times faster compared to the software-based dm-crypt implementation, but unfortunately there are some major stability problems on the Nexus 6. Hopefully those will be fixed in the next Android release, and hardware-accelerated disk encryption will be enabled out of the box.