
A Brief Introduction to Direct Boot and FBE

2017-01-13 15:21

What is Direct Boot?

Starting with Android N (7.0), a device that has been powered on can boot into a new mode called Direct Boot, in which the system and selected apps run before the user has unlocked the device for the first time since boot. Only device-encrypted storage is usable in that mode; credential-encrypted data stays sealed until the user enters their PIN, pattern or password.


Direct Boot For Users

1、Boot directly to lock screen

2、Calls, SMS, alarms work after device reboot before unlock

3、Per-user disk encryption


Direct Boot For Developers

Data

On an FBE-enabled device, each user of the device has two storage locations available to applications:
1、Credential Encrypted (CE) storage:
The default location for all of an app's data. Its keys are derived from the user's credential, so it is only readable after the user has unlocked the device once since boot.
2、Device Encrypted (DE) storage:
Available both during Direct Boot and after unlock. Only components marked directBootAware run before the first unlock, and until that unlock DE storage is the only storage they can use.




API for addressing the two locations:
Context.createDeviceProtectedStorageContext() returns a Context whose file APIs (getFilesDir(), openFileOutput(), getSharedPreferences(), databases) are backed by DE storage, and Context.isDeviceProtectedStorage() reports which kind of storage a Context is backed by.
The credential-protected counterparts originally listed here, Context.createCredentialProtectedStorageContext() and Context.isCredentialProtectedStorage(), are hidden system APIs and not part of the public SDK.


Aware

android:directBootAware="true"

On <application> this marks every component in the app as encryption aware, i.e. allowed to run before the first unlock. It can also be set on an individual <activity>, <service>, <receiver> or <provider> for an app that is only partially aware. A component that is not marked aware is simply not started until the user unlocks.

android:defaultToDeviceProtectedStorage="true"

Redirects the app's default storage location to DE storage instead of CE storage, so that the plain Context reads and writes DE data. This attribute is intended for system apps (the examples below are all platform apps); a regular app reaches DE storage through createDeviceProtectedStorageContext() instead.



Broadcast

In the normal boot state, when boot is completed the system sends the Intent.ACTION_BOOT_COMPLETED broadcast.

If FBE (file-based encryption) is enabled, the system sends Intent.ACTION_LOCKED_BOOT_COMPLETED once boot completes but before the user unlocks; only directBootAware receivers get it, because nothing else is running yet. Intent.ACTION_BOOT_COMPLETED follows after the user unlocks, and Intent.ACTION_USER_UNLOCKED marks the moment at which CE storage becomes readable.


State

API: UserManager.isUserUnlocked() is the public check for whether the current user's CE storage is available.

Internally the system tracks each user through the running states locked, unlocking and unlocked, queried with these hidden ActivityManager flags (not public SDK):
FLAG_OR_STOPPED
FLAG_AND_LOCKED
FLAG_AND_UNLOCKED
FLAG_AND_UNLOCKING_OR_UNLOCKED


Direct Boot Best Practices

Most appropriate for apps that depend on time-sensitive alerts (alarms, calls, messages)

Limit the data you store in Device Protected storage:

a、Avoid storing long-lived credentials in DP storage; it is decryptable by anyone who can boot the device, without the user's credential

b、Create limited-purpose tokens (e.g. one that can receive mail, not send it)

c、Encrypt sensitive data you receive while locked so that it can be decrypted only after unlock
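As an added example (not code from the original slides or from any Android project), here is one way to implement practice (c) together with the storage, broadcast and state APIs described above: a directBootAware receiver that accepts time-sensitive messages while the user is still locked, seals each one to a public key kept in DE storage, and only unseals them into CE storage after ACTION_USER_UNLOCKED, because the private key lives exclusively in CE. The class name LockedInbox, the file names, the `payload` extra and the action com.example.INCOMING are assumptions for the illustration; the private key is a plain PKCS#8 file in CE storage for clarity, where a production app would keep it in AndroidKeyStore.

```java
import android.content.*;
import android.os.UserManager;
import java.io.*;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Assumed manifest entry (not from the original post): <receiver android:name=".LockedInbox"
// android:directBootAware="true"> filtering LOCKED_BOOT_COMPLETED, USER_UNLOCKED and com.example.INCOMING.
public class LockedInbox extends BroadcastReceiver {
    static final String ACTION_INCOMING = "com.example.INCOMING";               // assumed app-private action
    static final String PUB = "inbox.pub", PRIV = "inbox.key", QUEUE = "sealed-";
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding", GCM = "AES/GCM/NoPadding";
    static final int WRAPPED = 256, IV = 12;      // RSA-2048 ciphertext size, GCM nonce size

    @Override
    public void onReceive(Context ctx, Intent intent) {
        Context de = ctx.createDeviceProtectedStorageContext();    // ctx itself is CE-backed
        try {
            if (ACTION_INCOMING.equals(intent.getAction())) {
                byte[] payload = intent.getByteArrayExtra("payload");
                if (ctx.getSystemService(UserManager.class).isUserUnlocked()) {
                    ensureKeys(ctx, de); write(ctx, "msg-" + System.nanoTime(), payload);   // CE readable
                } else seal(de, payload);                                  // CE unreadable: park it in DE, sealed
            } else if (Intent.ACTION_USER_UNLOCKED.equals(intent.getAction())) {
                ensureKeys(ctx, de);                                   // very first unlock: create the keypair
                drain(ctx, de);                                        // CE has just become readable
            }                                                          // LOCKED_BOOT_COMPLETED needs no work here
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /** Public half goes to DE (usable while locked); the private half exists only in CE. */
    static void ensureKeys(Context ce, Context de) throws IOException, GeneralSecurityException {
        if (ce.getFileStreamPath(PRIV).exists()) return;
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        write(de, PUB, kp.getPublic().getEncoded());
        write(ce, PRIV, kp.getPrivate().getEncoded());
    }

    /** Hybrid seal while locked. Entry layout: RSA-OAEP(aesKey) || iv || AES-GCM(payload). */
    static void seal(Context de, byte[] payload) throws IOException, GeneralSecurityException {
        File pubFile = de.getFileStreamPath(PUB);
        if (!pubFile.exists()) return;                 // app never ran unlocked: no key to seal to
        PublicKey pub = KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(readAll(pubFile)));
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey aesKey = kg.generateKey();
        byte[] iv = new byte[IV];
        new SecureRandom().nextBytes(iv);
        Cipher rsa = Cipher.getInstance(OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        Cipher aes = Cipher.getInstance(GCM);
        aes.init(Cipher.ENCRYPT_MODE, aesKey, new GCMParameterSpec(128, iv));
        ByteArrayOutputStream blob = new ByteArrayOutputStream();
        blob.write(rsa.doFinal(aesKey.getEncoded()));
        blob.write(iv);
        blob.write(aes.doFinal(payload));
        write(de, QUEUE + System.nanoTime(), blob.toByteArray());
    }

    static void drain(Context ce, Context de) throws IOException, GeneralSecurityException {
        PrivateKey priv = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(readAll(ce.getFileStreamPath(PRIV))));
        Cipher rsa = Cipher.getInstance(OAEP);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        for (String name : de.fileList()) {                // after unlock: unseal each entry into CE, drop DE copy
            if (!name.startsWith(QUEUE)) continue;
            File f = de.getFileStreamPath(name);
            byte[] blob = readAll(f);
            if (blob.length < WRAPPED + IV + 16) continue; // truncated entry: cannot even hold a GCM tag
            try {
                SecretKey aesKey = new SecretKeySpec(rsa.doFinal(Arrays.copyOfRange(blob, 0, WRAPPED)), "AES");
                Cipher aes = Cipher.getInstance(GCM);
                aes.init(Cipher.DECRYPT_MODE, aesKey, new GCMParameterSpec(128, Arrays.copyOfRange(blob, WRAPPED, WRAPPED + IV)));
                // doFinal verifies the GCM tag, so an entry altered while it sat in DE is rejected here
                write(ce, "msg-" + name, aes.doFinal(Arrays.copyOfRange(blob, WRAPPED + IV, blob.length)));
                f.delete();
            } catch (GeneralSecurityException tampered) { /* not imported; a real app would log and report it */ }
        }
    }

    static void write(Context c, String name, byte[] data) throws IOException {
        try (FileOutputStream out = c.openFileOutput(name, Context.MODE_PRIVATE)) { out.write(data); }
    }

    static byte[] readAll(File f) throws IOException {
        try (FileInputStream in = new FileInputStream(f)) {
            byte[] data = new byte[(int) f.length()];
            if (in.read(data) != data.length) throw new IOException("short read: " + f);
            return data;
        }
    }
}
```

Nothing in DE can be turned back into plaintext without the CE-resident private key, so a device that boots but is never unlocked holds only sealed blobs, which is the property practices (a) and (c) ask for. The per-message AES-GCM key keeps the RSA operation to a single 32-byte wrap, and the GCM tag means a queue entry modified while the device was locked fails verification instead of being imported into CE.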

Examples (platform apps that are Direct Boot aware):

Dialer
DeskClock
SystemUI
LatinIME
Settings
...


How to use it?

For users, either of:

1、Settings > Developer options > Convert to file encryption
2、$ adb reboot-bootloader
$ fastboot --wipe-and-use-fbe

Warning: Both methods perform a ***factory reset*** and ***delete all user data*** on your device.

For developers, an emulated Direct Boot mode is available on devices that do not have native FBE:
$ adb shell sm set-emulate-fbe true
$ adb shell sm set-emulate-fbe false

Switching emulation on or off reboots the device and should be treated as destructive, so use a test device. In emulated mode the CE/DE split is enforced by the framework only; it exercises app behaviour but not the kernel encryption itself.


File-Based Encryption

Android 7.0 and above supports file-based encryption (FBE). File-based encryption allows different files to be encrypted with different keys that can be unlocked independently.

The Relationship with Direct Boot?

FBE is what makes the CE/DE split possible: DE keys can be unwrapped at boot from hardware-bound secrets, while CE keys are derived only when the user enters their credential, so an FBE device can bring up the system and DE-backed apps before any credential has been entered. That early state is Direct Boot.

Conclusion: ***Direct Boot depends on FBE***


Dependencies

Kernel support for ext4 encryption

Keymaster support with HAL version 1.0 or 2.0

Keymaster/Keystore and Gatekeeper implemented in a Trusted Execution Environment (TEE), to protect the DE keys

Encryption performance in the kernel of at least 50 MB/s

Hardware Root of Trust and Verified Boot bound to the keymaster initialisation is required to ensure

Kernel Support

The recommended solution is to use a kernel based on 4.4 or later.
Ext4 encryption has also been backported to a 3.10 kernel in the Android common repositories and for the supported Nexus kernels.


Enabling file-based encryption

On the userdata entry of the device fstab, the fs_mgr flag fileencryption takes the place of the forceencrypt= flag used for full-disk encryption. The bullhead (Nexus 5X) reference fstab for FBE:

File name:    fstab_fbe.bullhead

https://android.googlesource.com/device/lge/bullhead/+/nougat-release/fstab_fbe.bullhead

Validation

Run CTS, and run the kernel's ext4 encryption tests:

— kvm-xfstests -c encrypt -g auto

For manufacturers, check on the device (both properties are readable with getprop):

ro.crypto.state = encrypted

ro.crypto.type = file

Then, with a lock screen set and the device booted but not yet unlocked, make sure /data/data contains encrypted filenames; if the names are readable at that point, FBE is not actually in effect.

PPT Link

http://download.csdn.net/detail/lijunxie/9682091
Tags: DirectBoot