diff --git a/Patches/LineageOS-14.1/android_system_vold/0001-AES256.patch b/Patches/LineageOS-14.1/android_system_vold/0001-AES256.patch new file mode 100644 index 00000000..18fe5b03 --- /dev/null +++ b/Patches/LineageOS-14.1/android_system_vold/0001-AES256.patch @@ -0,0 +1,50 @@ +From af22f14223092a5403bc33608260f355b57284f3 Mon Sep 17 00:00:00 2001 +From: Tad +Date: Mon, 1 Jan 2018 09:50:29 -0500 +Subject: [PATCH] Build time variable for AES-256 encryption + +Change-Id: Id08b5a18c5b4d4ec1f3f67a8e5eab93f5b967060 +--- + cryptfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/cryptfs.c b/cryptfs.c +index b25510f..86ffac3 100644 +--- a/cryptfs.c ++++ b/cryptfs.c +@@ -76,9 +76,17 @@ + + #define DM_CRYPT_BUF_SIZE 4096 + ++#ifdef CONFIG_STRONG_ENCRYPTION ++#define HASH_COUNT 6000 ++#define KEY_LEN_BYTES 32 ++#define IV_LEN_BYTES 32 ++#define RSA_KEY_SIZE 4096 ++#else + #define HASH_COUNT 2000 + #define KEY_LEN_BYTES 16 + #define IV_LEN_BYTES 16 ++#define RSA_KEY_SIZE 2048 ++#endif + + #define KEY_IN_FOOTER "footer" + +@@ -94,13 +102,12 @@ + + #define TABLE_LOAD_RETRIES 10 + +-#define RSA_KEY_SIZE 2048 + #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) + #define RSA_EXPONENT 0x10001 + #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second + + #define RETRY_MOUNT_ATTEMPTS 20 +-#define RETRY_MOUNT_DELAY_SECONDS 1 ++#define RETRY_MOUNT_DELAY_SECONDS 3 + + char *me = "cryptfs"; + +-- +2.15.1 + diff --git a/Scripts/LineageOS-14.1/Functions.sh b/Scripts/LineageOS-14.1/Functions.sh index 1e0114f8..d059510c 100644 --- a/Scripts/LineageOS-14.1/Functions.sh +++ b/Scripts/LineageOS-14.1/Functions.sh @@ -65,7 +65,7 @@ enableZram() { } export -f enableZram; -enabledForcedEncryption() { +enableForcedEncryption() { cd $base$1; if [[ $1 != *"mako"* ]]; then #Forced encryption seems to prevent some devices from booting sed -i 's|encryptable=/|forceencrypt=/|' fstab.* root/fstab.* rootdir/fstab.* rootdir/etc/fstab.* &>/dev/null || true; 
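Review bot: Nothing visible in this commit defines `CONFIG_STRONG_ENCRYPTION` for the C preprocessor, so the `#ifdef` branch added to cryptfs.c may never be compiled in: the embedded patch changes only cryptfs.c (its diffstat says 1 file changed), and `enableStrongEncryption` in Functions.sh only appends a make variable to BoardConfig.mk. Unless vold's Android.mk is patched elsewhere, the build silently keeps `KEY_LEN_BYTES 16` and `HASH_COUNT 2000` while the script reports AES-256 as enabled. The patch should also add something like `ifeq ($(CONFIG_STRONG_ENCRYPTION),true)` / `LOCAL_CFLAGS += -DCONFIG_STRONG_ENCRYPTION` / `endif` to vold's Android.mk. Separately, `IV_LEN_BYTES 32` in the strong branch is worth checking against the cipher calls in the rest of cryptfs.c, which are outside this hunk: AES has a 16-byte block, so a CBC IV is 16 bytes whatever the key size, and if the key-wrapping cipher is still selected as a 128-bit variant, the larger `KEY_LEN_BYTES` will not strengthen it.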
@@ -73,7 +73,15 @@ enabledForcedEncryption() { fi; cd $base; } -export -f enabledForcedEncryption; +export -f enableForcedEncryption; + +enableStrongEncryption() { + cd $base$1; + echo "CONFIG_STRONG_ENCRYPTION := true" >> BoardConfig.mk; + echo "Enabled AES-256 encryption for $1"; + cd $base; +} +export -f enableStrongEncryption; hardenDefconfig() { cd $base$1; diff --git a/Scripts/LineageOS-14.1/Patch.sh b/Scripts/LineageOS-14.1/Patch.sh index 2f7a64cd..731eca51 100755 --- a/Scripts/LineageOS-14.1/Patch.sh +++ b/Scripts/LineageOS-14.1/Patch.sh @@ -141,7 +141,7 @@ enter "packages/apps/PackageInstaller" patch -p1 < $patches"android_packages_apps_PackageInstaller/64d8b44.diff" #Fix an issue with Permission Review enter "packages/apps/Settings" -sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 32;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length +sed -i 's/private int mPasswordMaxLength = 16;/private int mPasswordMaxLength = 48;/' src/com/android/settings/ChooseLockPassword.java; #Increase max password length sed -i 's/GSETTINGS_PROVIDER = "com.google.settings";/GSETTINGS_PROVIDER = "com.google.oQuae4av";/' src/com/android/settings/PrivacySettings.java; #MicroG doesn't support Backup, hide the options patch -p1 < $patches"android_packages_apps_Settings/0001-Privacy_Guard-More_Perms.patch" #Allow more control over various permissions via Privacy Guard 
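Review bot: `enableStrongEncryption` does not check the result of `cd $base$1`, so when the device path is wrong the `echo ... >> BoardConfig.mk` creates or appends to a BoardConfig.mk in whatever directory the shell is in and still prints "Enabled AES-256 encryption". Use `cd "$base$1" || return 1;` and make the append idempotent, for example `grep -q '^CONFIG_STRONG_ENCRYPTION' BoardConfig.mk || echo "CONFIG_STRONG_ENCRYPTION := true" >> BoardConfig.mk;`, so that re-running Patch.sh on an already patched tree does not add the line again. The success message is printed whether or not anything downstream consumes the variable, so it would be more accurate to word it as a requested setting than as a confirmed state.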
@@ -174,12 +174,7 @@ cat /tmp/ar/hosts >> rootdir/etc/hosts #Merge in our HOSTS file patch -p1 < $patches"android_system_core/0001-Harden_Mounts.patch" #Harden mounts with nodev/noexec/nosuid. Disclaimer: From CopperheadOS 13.0 enter "system/vold" -#XXX: THESE VALUES MUST *NOT* EVER BE CHANGED AFTER RELEASE! -#sed -i 's|define HASH_COUNT 2000|define HASH_COUNT 6000|' cryptfs.c; #Increase pbkdf iterations -#sed -i 's|define KEY_LEN_BYTES 16|define KEY_LEN_BYTES 32|' cryptfs.c; #128-bit -> 256-bit -#sed -i 's|define IV_LEN_BYTES 16|define IV_LEN_BYTES 32|' cryptfs.c; -#sed -i 's|define RSA_KEY_SIZE 2048|define RSA_KEY_SIZE 4096|' cryptfs.c; #Increase signning key size to 4096 -sed -i 's|define RETRY_MOUNT_DELAY_SECONDS 1|define RETRY_MOUNT_DELAY_SECONDS 3|' cryptfs.c; +patch -p1 < $patches"android_system_vold/0001-AES256.patch" #Add a variable for enabling AES-256 bit encryption enter "vendor/cm" rm -rf overlay/common/vendor/cmsdk/packages #Remove analytics @@ -219,7 +214,7 @@ patch -p1 < $patches"android_kernel_oneplus_msm8974/0001-OverUnderClock-EXTREME. enter "kernel/lge/g3" #sed -i 's/39 01 00 00 00 00 04 F2 01 00 40/39 01 00 00 00 00 04 F2 01 00 00/' arch/arm/boot/dts/msm8974pro-lge-common/msm8974pro-lge-panel.dtsi; #Oversharpening fix, Credit: @Skin1980 -patch -p1 < $patches"android_kernel_lge_g3/Overclock-1.patch" #2.45Ghz -> 2.76Ghz =+1.24Ghz XXX: Untested! +patch -p1 < $patches"android_kernel_lge_g3/Overclock-1.patch" #2.45Ghz -> 2.76Ghz =+1.24Ghz patch -p1 < $patches"android_kernel_lge_g3/Overclock-2.patch" patch -p1 < $patches"android_kernel_lge_g3/Overclock-3.patch" patch -p1 < $patches"android_kernel_lge_g3/Overclock-4.patch" 
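Review bot: The warning `#XXX: THESE VALUES MUST *NOT* EVER BE CHANGED AFTER RELEASE!` is removed in the system/vold hunk without an equivalent on the new `patch -p1` line or in the patch's commit message. The constraint presumably still holds for `CONFIG_STRONG_ENCRYPTION`: a device encrypted under one set of `HASH_COUNT`/`KEY_LEN_BYTES`/`IV_LEN_BYTES` values would be expected to fail to unlock on a build that uses the other. I would keep a comment above the patch line such as `#XXX: CONFIG_STRONG_ENCRYPTION must never be toggled for a device after release, it changes the cryptfs key parameters`. The same concern applies to the `enableStrongEncryption device/lge/mako` call in the later `@@ -240,10 +235,12 @@` hunk, which turns the experimental setting on in the shared script for every mako build. Also, `RETRY_MOUNT_DELAY_SECONDS 3` now depends on the patch applying; if the result of `patch` is not checked, a context mismatch silently drops both changes.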
@@ -240,10 +235,12 @@ patch -p1 < $patches"android_kernel_motorola_msm8916/0001-Overclock.patch" #1.36 #Make changes to all devices cd $base find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enhanceLocation "$0"' {} \; -find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enabledForcedEncryption "$0"' {} \; +find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableForcedEncryption "$0"' {} \; +#find "device" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'enableStrongEncryption "$0"' {} \; find "kernel" -maxdepth 2 -mindepth 2 -type d -exec bash -c 'hardenDefconfig "$0"' {} \; cd $base -sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_flo_defconfig; #Breaks compile +enableStrongEncryption device/lge/mako #Enable experimental strong encryption for mako for testing +sed -i "s/CONFIG_DEBUG_RODATA=y/# CONFIG_DEBUG_RODATA is not set/" kernel/google/msm/arch/arm/configs/lineageos_flo_defconfig; #Breaks on compile # #END OF DEVICE CHANGES #