Briefly Introduct Direct-Boot && FBE
2017-01-13 15:21
1226 查看
What is Direct Boot?
Starting with Android N, a device that has been powered on can boot into a new mode called Direct Boot before the user has a chance to unlock it for the first time.
Direct Boot For Users
1、Boot directly to lock screen 2、Calls, SMS, alarms work after device reboot before unlock 3、Per-user disk encryption
Direct Boot For Developers
Data
On an FBE-enabled device, each user of the device has two storage locations available to applications: 1、Credential Encrypted (CE) storage: By default, all app`s data in here 2、Device Encrypted (DE) storage: DirectBootAware run before first user unlock and can use it
Api for create data in Android: Context.createCredentialProtectedStorageContext() Context.isCredentialProtectedStorage()
Aware
android:directBootAware=”true”marking all components in the app as being encryption aware.
android:defaultToDeviceProtectedStorage=”true”
redirects the default app storage location to point at DE storage instead of pointing at CE storage.
Broadcast
In the normal boot state, when boot completed, system send "Intent.ACTION_BOOT_COMPLETED" broadcast. if enabled FBE(File-Based encryption),system send "Intent.ACTION_LOCKED_BOOT_COMPLETED" broadcast before unlock device.
State
Api: UserManager.isUserUnlocked() States: FLAG_OR_STOPPED FLAG_AND_LOCKED FLAG_AND_UNLOCKED FLAG_AND_UNLOCKING_OR_UNLOCKED
Direct Boot Best Practices
Most appropriate for apps that depen on time-sensitive alertsLimit data you store in Device Protected storage
a、Avoid storing long-lived credentals in DP storage
b、Create limited purpose tokens(e.g. receive mail, not send it)
c、Encrypt sensitive data you receive to be decrypter only after unlock
Examples
Dialer DeskClock SystemUI LatinIME Settings ...
How to use it?
For users: 1、Settings > Developer options > Convert to file encryption 2、$ adb reboot-bootloader $ fastboot --wipe-and-use-fbe Warning: Both methods will perform a ***factory reset*** and ***delete all user data*** on your device. For Developers, you can use an emulated Direct Boot mode: $ adb shell sm set-emulate-fbe true $ adb shell sm set-emulate-fbe false
File-Based Encryption
Android 7.0 and above supports file-based encryption (FBE). File-based encryption allows different files to be encrypted with different keys that can be unlocked independently. The Relationship with Direct Boot?
Conclusion: ***Direct Boot depends on FBE***
Dependencies
Kernel Support for ext4 encryptionKeymaster Support with a HAL version 1.0 or 2.0.
Keymaster/Keystore and Gatekeeper must be implemented in a Trusted Execution Environment (TEE) to provide protection for the DE keys
Encryption performance in the kernel of at least 50MB/s
Hardware Root of Trust and Verified Boot bound to the keymaster initialisation is required to ensure
Kernel Support
The recommended solution is to use a kernel based on 4.4 or later. Ext4 encryption has also been backported to a 3.10 kernel in the Android common repositories and for the supported Nexus kernels.
Enabling file-based encryption
File name: fstab_fbe.bullhead
https://android.googlesource.com/device/lge/bullhead/+/nougat-release/fstab_fbe.bullhead
Validation
cts— kvm-xfstests -c encrypt -g auto
For manufacturers :
ro.crypto.state = encrypted
ro.crypto.type = file
Make sure /data/data contains encrypted filenames;
PPT Link
http://download.csdn.net/detail/lijunxie/9682091
相关文章推荐
- Boot.ini中输入Ansi控制码"ESC"
- 安装Visual Studio 6的"Error Lauching acmboot.exe"问题解决方法
- 6410开发版烧录Android映像 && IMG说明 && MTK平台解包和打包 boot.img/system.img
- bootmem & buddy Allocator
- uboot & jffs2根文件系统
- u-boot编译过程中"uses hardware FP whereas u-boot uses software FP"
- S3C2410&&WINCE6.0&&NBOOT
- S3C2410&&WINCE6.0&&NBOOT
- uboot & makefile
- Task 1 Complete!--raw LCD show & nboot mixing ok!!
- S3C2410&&WINCE6.0&&NBOOT (转载)
- SUN SCJP Certification Practice Exams Boot camp & Braindump
- WINCE6.0&&NBOOT
- arm-linux-toolchain & u-boot 下载安装
- How to Dual-Boot Windows XP & Mac OS X
- Hiren's BootCD 9.4 Incl Keyboard Patch
- u-boot 編譯時錯誤No rule to make target `hello_world.srec', needed by `all'. Stop
- 系统启动时出现"Exiting Intel Boot Agent"问题解决一例
- 编译U-boot 出现 undefined reference to `dm9000_initialize' 的问题
- 深入理解 GNU GRUB - 03 diskboot.S 3.1 diskboot.S执行时的环境 & 3.2 diskboot.S代码结构