Patch for AES256 encryption

2024-10-01 01:35:54 -04:00 · 2018-01-01 14:49:15 -05:00 · 2018-01-01 14:49:15 -05:00 · a350cd92f1
commit a350cd92f1
parent d6148bb4df
3 changed files with 67 additions and 12 deletions
--- a/Patches/LineageOS-14.1/android_system_vold/0001-AES256.patch
+++ b/Patches/LineageOS-14.1/android_system_vold/0001-AES256.patch
@ -0,0 +1,50 @@
+From af22f14223092a5403bc33608260f355b57284f3 Mon Sep 17 00:00:00 2001
+From: Tad <tad@spotco.us>
+Date: Mon, 1 Jan 2018 09:50:29 -0500
+Subject: [PATCH] Build time variable for AES-256 encryption
+
+Change-Id: Id08b5a18c5b4d4ec1f3f67a8e5eab93f5b967060
+---
+ cryptfs.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/cryptfs.c b/cryptfs.c
+index b25510f..86ffac3 100644
+--- a/cryptfs.c
+++ b/cryptfs.c
+@@ -76,9 +76,17 @@
+ 
+ #define DM_CRYPT_BUF_SIZE 4096
+ 
+#ifdef CONFIG_STRONG_ENCRYPTION
+#define HASH_COUNT 6000
+#define KEY_LEN_BYTES 32
+#define IV_LEN_BYTES 32
+#define RSA_KEY_SIZE 4096
+#else
+ #define HASH_COUNT 2000
+ #define KEY_LEN_BYTES 16
+ #define IV_LEN_BYTES 16
+#define RSA_KEY_SIZE 2048
+#endif
+ 
+ #define KEY_IN_FOOTER  "footer"
+ 
+@@ -94,13 +102,12 @@
+ 
+ #define TABLE_LOAD_RETRIES 10
+ 
+-#define RSA_KEY_SIZE 2048
+ #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8)
+ #define RSA_EXPONENT 0x10001
+ #define KEYMASTER_CRYPTFS_RATE_LIMIT 1  // Maximum one try per second
+ 
+ #define RETRY_MOUNT_ATTEMPTS 20
+-#define RETRY_MOUNT_DELAY_SECONDS 1
+#define RETRY_MOUNT_DELAY_SECONDS 3
+ 
+ char *me = "cryptfs";
+ 
+-- 
+2.15.1
+
--- a/Scripts/LineageOS-14.1/Functions.sh
+++ b/Scripts/LineageOS-14.1/Functions.sh
@ -65,7 +65,7 @@ enableZram() {
 }
 export -f enableZram;

-enabledForcedEncryption() {
+enableForcedEncryption() {
 	cd $base$1;
 	if [[ $1 != *"mako"* ]]; then #Forced encryption seems to prevent some devices from booting
 		sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true;
@ -73,7 +73,15 @@ enabledForcedEncryption() {
 	fi;
 	cd $base;
 }
-export -f enabledForcedEncryption;
+export -f enableForcedEncryption;
+
+enableStrongEncryption() {
+	cd $base$1;
+		echo "CONFIG_STRONG_ENCRYPTION := true" >> BoardConfig.mk;
+		echo "Enabled AES-256 encryption for $1";
+	cd $base;
+}
+export -f enableStrongEncryption;

 hardenDefconfig() {
 	cd $base$1;
--- a/Scripts/LineageOS-14.1/Patch.sh
+++ b/Scripts/LineageOS-14.1/Patch.sh
@ -141,7 +141,7 @@ enter "packages/apps/PackageInstaller"
 patch -p1 < $patches"android_packages_apps_PackageInstaller/64d8b44.diff" #Fix an issue with Permission Review

 enter "packages/apps/Settings"
-sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 32;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length
+sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length
 sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options
 patch -p1 < $patches"android_packages_apps_Settings/0001-Privacy_Guard-More_Perms.patch" #Allow more control over various permissions via Privacy Guard

@ -174,12 +174,7 @@ cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file
 patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0

 enter "system/vold"
-#XXX: THESE VALUES MUST *NOT* EVER BE CHANGED AFTER RELEASE!
-#sed -i 's|define HASH_COUNT 2000|define HASH_COUNT 6000|' cryptfs.c; #Increase pbkdf iterations
-#sed -i 's|define KEY_LEN_BYTES 16|define KEY_LEN_BYTES 32|' cryptfs.c; #128-bit -> 256-bit
-#sed -i 's|define IV_LEN_BYTES 16|define IV_LEN_BYTES 32|' cryptfs.c;
-#sed -i 's|define RSA_KEY_SIZE 2048|define RSA_KEY_SIZE 4096|' cryptfs.c; #Increase signning key size to 4096
-sed -i 's|define RETRY_MOUNT_DELAY_SECONDS 1|define RETRY_MOUNT_DELAY_SECONDS 3|' cryptfs.c;
+patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption

 enter "vendor/cm"
 rm -rf overlay/common/vendor/cmsdk/packages #Remove analytics
@ -219,7 +214,7 @@ patch -p1 < $patches"android_kernel_oneplus_msm8974/0001-OverUnderClock-EXTREME.

 enter "kernel/lge/g3"
 #sed -i 's/39 01 00 00 00 00 04 F2 01 00 40/39 01 00 00 00 00 04 F2 01 00 00/' arch/arm/boot/dts/msm8974pro-lge-common/msm8974pro-lge-panel.dtsi; #Oversharpening fix, Credit: @Skin1980
-patch -p1 < $patches"android_kernel_lge_g3/Overclock-1.patch" #2.45Ghz -> 2.76Ghz =+1.24Ghz XXX: Untested!
+patch -p1 < $patches"android_kernel_lge_g3/Overclock-1.patch" #2.45Ghz -> 2.76Ghz =+1.24Ghz
 patch -p1 < $patches"android_kernel_lge_g3/Overclock-2.patch"
 patch -p1 < $patches"android_kernel_lge_g3/Overclock-3.patch"
 patch -p1 < $patches"android_kernel_lge_g3/Overclock-4.patch"
@ -240,10 +235,12 @@ patch -p1 < $patches"android_kernel_motorola_msm8916/0001-Overclock.patch" #1.36
 #Make changes to all devices
 cd $base
 find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \;
-find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enabledForcedEncryption "$0"' {} \;
+find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \;
+#find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \;
 find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \;
 cd $base
-sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_flo_defconfig; #Breaks compile
+enableStrongEncryption device/lge/mako #Enable experimental strong encryption for mako for testing
+sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_flo_defconfig; #Breaks on compile
 #
 #END OF DEVICE CHANGES
 #