a52q: Decryption bringup

*Import correct blobs
*Copy gatekeeper impl to both lib64/ and lib64/hw/, otherwise it won't load

Change-Id: I59e3cef576558b589a1562395ffb3320c7946c7f

BoardConfig.mk

@@ -92,15 +92,16 @@ TARGET_BOARD_PLATFORM_GPU := qcom-adreno618
 QCOM_BOARD_PLATFORMS += $(TARGET_BOARD_PLATFORM)
 
 # Encryption: Rollback for Encryption
-PLATFORM_VERSION := 16.1.0
-PLATFORM_SECURITY_PATCH := 2099-12-31
-VENDOR_SECURITY_PATCH := 2099-12-31
+PLATFORM_VERSION := 127
+PLATFORM_VERSION_LAST_STABLE := $(PLATFORM_VERSION)
+PLATFORM_SECURITY_PATCH := 2127-12-31
+VENDOR_SECURITY_PATCH := $(PLATFORM_SECURITY_PATCH)
 
 # Encryption: Setup it
-TW_INCLUDE_CRYPTO := false
-TW_INCLUDE_CRYPTO_FBE := false
-BOARD_USES_METADATA_PARTITION := false
-TW_INCLUDE_FBE_METADATA_DECRYPT := false
+TW_INCLUDE_CRYPTO := true
+TW_INCLUDE_CRYPTO_FBE := true
+BOARD_USES_QCOM_FBE_DECRYPTION := true
+BOARD_USES_METADATA_PARTITION := true
 
 # File systems
 BOARD_USERDATAIMAGE_FILE_SYSTEM_TYPE := ext4
@@ -114,7 +115,7 @@ TARGET_USES_MKE2FS := true
 TARGET_COPY_OUT_VENDOR := vendor
 
 # Extras
-BOARD_ROOT_EXTRA_FOLDERS := persist efs
+BOARD_ROOT_EXTRA_FOLDERS := persist efs firmware
 TARGET_SYSTEM_PROP += $(DEVICE_PATH)/system.prop
 
 # Partition: Size
@@ -148,6 +149,8 @@ TW_NO_EXFAT_FUSE := true
 TW_Y_OFFSET := 142
 TW_H_OFFSET := -142
 TARGET_USE_CUSTOM_LUN_FILE_PATH := "/config/usb_gadget/g1/functions/mass_storage.0/lun.%d/file"
+TW_CRYPTO_SYSTEM_VOLD_DEBUG := true
+TW_INCLUDE_RESETPROP := true
 
 # TWRP Configuration: Brightness/CPU
 TW_CUSTOM_CPU_TEMP_PATH := /sys/class/thermal/thermal_zone17/temp

device.mk

@@ -14,14 +14,14 @@
 # limitations under the License.
 #
 
-# Encryption: Use common FBE decryption script
-#BOARD_USES_QCOM_FBE_DECRYPTION := true
+# Encryption
+PRODUCT_PACKAGES += \
+    qcom_decrypt \
+    qcom_decrypt_fbe
 
-# Encryption: Setup it
-#PRODUCT_PACKAGES += \
-#    qcom_decrypt \
-#    qcom_decrypt_fbe
-
-# Apex
-PRODUCT_HOST_PACKAGES += \
+TARGET_RECOVERY_DEVICE_MODULES += \
+    libion \
     libandroidicu
+
+RECOVERY_LIBRARY_SOURCE_FILES += \
+    $(TARGET_OUT_SHARED_LIBRARIES)/libion.so

recovery/root/init.recovery.qcom.rc

@@ -25,6 +25,11 @@
 # ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 #
 
+import /init.recovery.qcom_decrypt.rc
+
+on init
+    setprop prepdecrypt.loglevel 2
+
 on fs
     # Force ANDROID_ROOT to /system_root
     export ANDROID_ROOT /system_root
@@ -33,6 +38,16 @@ on fs
     wait /dev/block/platform/${ro.boot.boot_devices}
     symlink /dev/block/platform/${ro.boot.boot_devices} /dev/block/bootdevice
 
+    chmod 0660 /dev/qseecom
+    chown system drmrpc /dev/qseecom
+    chmod 0664 /dev/ion
+    chown system system /dev/ion
+
+    mount vfat /dev/block/bootdevice/by-name/apnhlos /firmware ro shortname=lower,uid=0,gid=1000,dmask=227,fmask=337
+
+on property:ro.build.version.security_patch=*
+    setprop ro.vendor.build.security_patch ${ro.build.version.security_patch}
+
 on property:sys.usb.ffs.ready=1
     start mountfix
 

recovery/root/system/etc/recovery.fstab

@@ -38,5 +38,5 @@ vendor                                     /vendor         ext4    ro,barrier=1,
 product                                    /product        ext4    ro,barrier=1,discard                                                                                wait,logical,first_stage_mount
 odm                                        /odm            ext4    ro,barrier=1,discard                                                                                wait,logical,first_stage_mount
 
-/dev/block/bootdevice/by-name/userdata     /data           f2fs    noatime,nosuid,nodev,discard,usrquota,grpquota,fsync_mode=nobarrier,reserve_root=32768,resgid=5678  wait,encryptable=footer,length=-16384
+/dev/block/bootdevice/by-name/userdata     /data           f2fs    noatime,nosuid,nodev,discard,usrquota,grpquota,fsync_mode=nobarrier,reserve_root=32768,resgid=5678,inlinecrypt  wait,check,quota,fileencryption=aes-256-xts:aes-256-cts:v2+inlinecrypt_optimized,keydirectory=/metadata/vold/metadata_encryption,metadata_encryption=aes-256-xts
 /dev/block/bootdevice/by-name/misc         /misc           emmc    defaults                                                                                            defaults

recovery/root/system/etc/twrp.flags

@@ -16,7 +16,7 @@ odm                 /odm         ext4        ro,barrier=1,discard
 
 # ETC Moint Point
 /cache              ext4         /dev/block/bootdevice/by-name/cache             flags=display="Cache";backup=1;wipeingui
-/metadata           ext4         /dev/block/bootdevice/by-name/metadata          flags=display="Metadata";wipeingui;wrappedkey
+/metadata           ext4         /dev/block/bootdevice/by-name/metadata          flags=display="Metadata";backup=1;wipeingui
 
 # Persist Point
 /persist            ext4         /dev/block/bootdevice/by-name/persist           flags=display="Persist";backup=1
@@ -30,3 +30,5 @@ odm                 /odm         ext4        ro,barrier=1,discard
 # SD Card & USB-OTG Points
 /external_sd        auto         /dev/block/mmcblk0p1  /dev/block/mmcblk0        flags=display="MicroSD Card";storage;wipeingui;removable
 /usb_otg            auto         /dev/block/sde1       /dev/block/sde            flags=display="USB-OTG";storage;wipeingui;removable
+
+/firmware           vfat         /dev/block/bootdevice/by-name/apnhlos           flags=display="Firmware";mounttodecrypt

recovery/root/system/etc/vintf/manifest.xml

@@ -0,0 +1,145 @@
+<!--
+    Input:
+        manifest.xml
+        framework_manifest.xml
+        manifest.xml
+-->
+<manifest version="4.0" type="framework">
+    <hal format="hidl">
+        <name>android.frameworks.displayservice</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>IDisplayService</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::IDisplayService/default</fqname>
+    </hal>
+    <hal format="hidl" max-level="5">
+        <name>android.frameworks.schedulerservice</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ISchedulingPolicyService</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ISchedulingPolicyService/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.frameworks.sensorservice</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ISensorManager</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ISensorManager/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.hidl.manager</name>
+        <transport>hwbinder</transport>
+        <version>1.2</version>
+        <interface>
+            <name>IServiceManager</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.2::IServiceManager/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.hidl.memory</name>
+        <transport arch="32+64">passthrough</transport>
+        <version>1.0</version>
+        <interface>
+            <name>IMapper</name>
+            <instance>ashmem</instance>
+        </interface>
+        <fqname>@1.0::IMapper/ashmem</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.hidl.token</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ITokenManager</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ITokenManager/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.system.net.netd</name>
+        <transport>hwbinder</transport>
+        <version>1.1</version>
+        <interface>
+            <name>INetd</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.1::INetd/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>android.system.wifi.keystore</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>IKeystore</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::IKeystore/default</fqname>
+    </hal>
+    <hal format="native">
+        <name>netutils-wrapper</name>
+        <version>1.0</version>
+    </hal>
+    <hal format="hidl">
+        <name>vendor.qti.hardware.radio.atcmdfwd</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>IAtCmdFwd</name>
+            <instance>AtCmdFwdService</instance>
+        </interface>
+        <fqname>@1.0::IAtCmdFwd/AtCmdFwdService</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>vendor.qti.hardware.sigma_miracast</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>Isigma_miracast</name>
+            <instance>sigmahal</instance>
+            <instance>sigmahal64</instance>
+        </interface>
+        <fqname>@1.0::Isigma_miracast/sigmahal</fqname>
+        <fqname>@1.0::Isigma_miracast/sigmahal64</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>vendor.qti.hardware.systemhelper</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ISystemEvent</name>
+            <instance>default</instance>
+        </interface>
+        <interface>
+            <name>ISystemResource</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ISystemEvent/default</fqname>
+        <fqname>@1.0::ISystemResource/default</fqname>
+    </hal>
+    <hal format="hidl">
+        <name>vendor.samsung.frameworks.security.ucm.crypto</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>ISehUcmKeystore</name>
+            <instance>default</instance>
+        </interface>
+        <fqname>@1.0::ISehUcmKeystore/default</fqname>
+    </hal>
+    <system-sdk>
+        <version>28</version>
+        <version>29</version>
+        <version>30</version>
+        <version>31</version>
+    </system-sdk>
+</manifest>

recovery/root/vendor/firmware_mnt

@@ -0,0 +1 @@
+/firmware

recovery/root/vendor/manifest.xml

@@ -0,0 +1,20 @@
+<manifest version="1.0" type="device">
+    <hal format="hidl">
+        <name>android.hardware.gatekeeper</name>
+        <transport>hwbinder</transport>
+        <version>1.0</version>
+        <interface>
+            <name>IGatekeeper</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+    <hal format="hidl">
+        <name>android.hardware.keymaster</name>
+        <transport>hwbinder</transport>
+        <version>4.0</version>
+        <interface>
+            <name>IKeymasterDevice</name>
+            <instance>default</instance>
+        </interface>
+    </hal>
+</manifest>

system.prop

@@ -13,8 +13,13 @@ sys.usb.controller=a600000.dwc3
 ro.boot.dynamic_partitions=true
 
 # Encryption
+ro.hardware.gatekeeper=mdfpp
 vendor.gatekeeper.disable_spu=true
-fbe.metadata.wrappedkey=true
+ro.crypto.metadata_init_delete_all_keys.enabled=false
+ro.crypto.volume.filenames_mode=aes-256-cts
+ro.crypto.allow_encrypt_override=true
+ro.crypto.dm_default_key.options_format.version=2
+ro.crypto.volume.metadata.method=dm-default-key
 
 # Disable Rescue Party
 persist.sys.disable_rescue=true

omni.dependencies → twrp.dependencies

@@ -3,6 +3,6 @@
     "remote":      "TeamWin",
     "repository":  "android_device_qcom_twrp-common",
     "target_path": "device/qcom/twrp-common",
-    "revision":    "android-10"
+    "revision":    "android-12.1"
   }
 ]