storage_isolated_driver_manager/
zxcrypt.rs

1// Copyright 2022 The Fuchsia Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5use anyhow::{Context as _, Result};
6use device_watcher::{recursive_wait_and_open, recursive_wait_and_open_directory};
7use fidl_fuchsia_device::{ControllerMarker, ControllerProxy};
8use fidl_fuchsia_hardware_block_encrypted::DeviceManagerMarker;
9use fidl_fuchsia_io as fio;
10use fuchsia_component::client::connect_to_named_protocol_at_dir_root;
11
12const ZXCRYPT_DRIVER_PATH: &str = "zxcrypt.cm";
13
14/// Binds the zxcrypt driver to the device at `controller`. Does not wait for the zxcrypt driver to
15/// be ready.
16pub async fn bind_zxcrypt_driver(controller: &ControllerProxy) -> Result<()> {
17    controller
18        .bind(ZXCRYPT_DRIVER_PATH)
19        .await
20        .context("zxcrypt driver bind fidl failure")?
21        .map_err(zx::Status::from_raw)
22        .context("zxcrypt driver bind returned error")?;
23    Ok(())
24}
25
26/// Sets up zxcrypt on top of `block_device` using an insecure key. Returns a path to the block
27/// device exposed by zxcrypt.
28pub async fn set_up_insecure_zxcrypt(
29    block_device: &fio::DirectoryProxy,
30) -> Result<fio::DirectoryProxy> {
31    const UNSEALED_BLOCK_PATH: &str = "unsealed/block";
32    let device_controller = connect_to_named_protocol_at_dir_root::<ControllerMarker>(
33        block_device,
34        "device_controller",
35    )?;
36    bind_zxcrypt_driver(&device_controller).await.context("zxcrypt driver bind")?;
37
38    const ZXCRYPT_DEVICE_NAME: &str = "zxcrypt";
39    let zxcrypt = recursive_wait_and_open::<DeviceManagerMarker>(block_device, ZXCRYPT_DEVICE_NAME)
40        .await
41        .context("zxcrypt device wait")?;
42
43    zx::ok(zxcrypt.format(&[0u8; 32], 0).await.context("zxcrypt format fidl failure")?)
44        .context("zxcrypt format returned error")?;
45    zx::ok(zxcrypt.unseal(&[0u8; 32], 0).await.context("zxcrypt unseal fidl failure")?)
46        .context("zxcrypt unseal returned error")?;
47
48    let zxcrypt_dir = fuchsia_fs::directory::open_directory_async(
49        block_device,
50        ZXCRYPT_DEVICE_NAME,
51        fio::Flags::empty(),
52    )?;
53
54    recursive_wait_and_open_directory(&zxcrypt_dir, UNSEALED_BLOCK_PATH)
55        .await
56        .context("zxcrypt unsealed dir wait")
57}
58
59#[cfg(test)]
60mod tests {
61    use super::*;
62    use fidl_fuchsia_hardware_block::BlockMarker;
63    use ramdevice_client::RamdiskClient;
64    use test_util::assert_lt;
65
66    const BLOCK_SIZE: u64 = 512;
67    const BLOCK_COUNT: u64 = 64 * 1024 * 1024 / BLOCK_SIZE;
68
69    #[fuchsia::test]
70    async fn set_up_insecure_zxcrypt_test() {
71        let ramdisk = RamdiskClient::create(BLOCK_SIZE, BLOCK_COUNT).await.unwrap();
72        let ramdisk_dir = ramdisk.as_dir().expect("invalid directory proxy");
73        let zxcrypt_block_dir =
74            set_up_insecure_zxcrypt(ramdisk_dir).await.expect("Failed to set up zxcrypt");
75
76        let zxcrypt_block_device =
77            connect_to_named_protocol_at_dir_root::<BlockMarker>(&zxcrypt_block_dir, ".").unwrap();
78        let info = zxcrypt_block_device.get_info().await.unwrap().unwrap();
79        assert_lt!(info.block_count, BLOCK_COUNT);
80    }
81}