From 2f7ee6b7dd36f3d5c55473b67dc2430c795402ce Mon Sep 17 00:00:00 2001
From: Paul Lawrence
Date: Wed, 7 Jan 2015 11:44:51 -0800
Subject: [PATCH 1/2] Provide a way to select force encryption from vendor partition
This allows a vendor to force encryption on devices via a vendor partition flag: ro.vold.forceencryption 1
Bug: 18764230
Change-Id: Id0049ce64e34e4f6f96e593aadd70c277ac131c8
---
 fs_mgr/fs_mgr.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index d6edd293c..8e3aa11c9 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -258,6 +258,15 @@ static int device_is_secure() {
 return strcmp(value, "0") ? 1 : 0;
 }
 
+static int device_is_force_encrypted() {
+ int ret = -1;
+ char value[PROP_VALUE_MAX];
+ ret = __system_property_get("ro.vold.forceencryption", value);
+ if (ret < 0)
+ return 0;
+ return strcmp(value, "1") ? 0 : 1;
+}
+
 /*
 * Tries to mount any of the consecutive fstab entries that match
 * the mountpoint of the one given by fstab->recs[start_idx].
@@ -468,7 +477,9 @@ int fs_mgr_mount_all(struct fstab *fstab)
 /* Deal with encryptability. */
 if (!mret) {
 /* If this is encryptable, need to trigger encryption */
- if ((fstab->recs[attempted_idx].fs_mgr_flags & MF_FORCECRYPT)) {
+ if ( (fstab->recs[attempted_idx].fs_mgr_flags & MF_FORCECRYPT)
+ || (device_is_force_encrypted()
+ && fs_mgr_is_encryptable(&fstab->recs[attempted_idx]))) {
 if (umount(fstab->recs[attempted_idx].mount_point) == 0) {
 if (encryptable == FS_MGR_MNTALL_DEV_NOT_ENCRYPTED) {
 ERROR("Will try to encrypt %s %s\n", fstab->recs[attempted_idx].mount_point,
From 36d0eaecd7bd7970b91ac35d6753bf715097e3b9 Mon Sep 17 00:00:00 2001
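Review bot: `device_is_force_encrypted()` resolves every unexpected state to "not forced": only the exact string "1" enables enforcement, so an unset property, a failed read or a value such as `true` leaves the volume unencrypted, whereas `device_is_secure()` just above treats every value other than "0" as secure. As far as I know bionic's `__system_property_get()` returns the value length (0 for an unset property) rather than a negative number, so the `ret < 0` branch probably never runs and the `-1` initialiser is dead. If opt-in is the intended policy, say so in a comment such as `/* Opt-in: anything other than "1", including an unset property, means encryption is not forced. */` and declare the helper as `static int device_is_force_encrypted(void)`.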
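Review bot: The `device_is_force_encrypted()` term added to the condition in `fs_mgr_mount_all()` is evaluated while partitions are still being mounted, and nothing in the hunk shows that `ro.vold.forceencryption` is already readable at that point. If the property is only loaded from the vendor partition after this loop has run (an inference from the commit message, not visible here), the check returns 0 and the volume stays mounted unencrypted without any log line. I would document the ordering assumption next to the condition, e.g. `/* ro.vold.forceencryption must already be loaded here; an unset property means "do not force". */`, and log when the property is what triggered enforcement. The enclosing function starts and ends outside the hunk.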
From: Paul Lawrence
Date: Wed, 21 Jan 2015 09:57:01 -0800
Subject: [PATCH 2/2] Make encryption configurable
Delay mounting encryptable but unencrypted volumes until we can check the ro.vold.forceencrypt flag, then optionally encrypt. Requires matching vold change from https://googleplex-android-review.git.corp.google.com/#/c/615309/
Bug: 18764230
Change-Id: If22008be8de6a4f3216b349f81ace49be1730314
---
 fs_mgr/fs_mgr.c | 4 +---
 fs_mgr/fs_mgr_fstab.c | 5 +++++
 fs_mgr/include/fs_mgr.h | 1 +
 rootdir/init.rc | 2 +-
 4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs_mgr/fs_mgr.c b/fs_mgr/fs_mgr.c
index 8e3aa11c9..fa52d1601 100644
--- a/fs_mgr/fs_mgr.c
+++ b/fs_mgr/fs_mgr.c
@@ -477,9 +477,7 @@ int fs_mgr_mount_all(struct fstab *fstab)
 /* Deal with encryptability. */
 if (!mret) {
 /* If this is encryptable, need to trigger encryption */
- if ( (fstab->recs[attempted_idx].fs_mgr_flags & MF_FORCECRYPT)
- || (device_is_force_encrypted()
- && fs_mgr_is_encryptable(&fstab->recs[attempted_idx]))) {
+ if (fs_mgr_is_encryptable(&fstab->recs[attempted_idx])) {
 if (umount(fstab->recs[attempted_idx].mount_point) == 0) {
 if (encryptable == FS_MGR_MNTALL_DEV_NOT_ENCRYPTED) {
 ERROR("Will try to encrypt %s %s\n", fstab->recs[attempted_idx].mount_point,
diff --git a/fs_mgr/fs_mgr_fstab.c b/fs_mgr/fs_mgr_fstab.c
index ab8f128ce..9d536bdac 100644
--- a/fs_mgr/fs_mgr_fstab.c
+++ b/fs_mgr/fs_mgr_fstab.c
@@ -428,6 +428,11 @@ int fs_mgr_is_encryptable(struct fstab_rec *fstab)
 return fstab->fs_mgr_flags & (MF_CRYPT | MF_FORCECRYPT);
 }
 
+int fs_mgr_is_force_encrypted(struct fstab_rec *fstab)
+{
+ return fstab->fs_mgr_flags & MF_FORCECRYPT;
+}
+
 int fs_mgr_is_noemulatedsd(struct fstab_rec *fstab)
 {
 return fstab->fs_mgr_flags & MF_NOEMULATEDSD;
diff --git a/fs_mgr/include/fs_mgr.h b/fs_mgr/include/fs_mgr.h
index 5e2ff416a..5ec3b991c 100644
--- a/fs_mgr/include/fs_mgr.h
+++ b/fs_mgr/include/fs_mgr.h
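Review bot: Nothing visible calls `device_is_force_encrypted()` once this condition is replaced, and the diffstat lists this as the only fs_mgr.c hunk, so the static helper from patch 1/2 appears to remain as dead code (and may trip an unused-function warning). I would delete it in this commit so that vold is the single place deciding on enforcement. The condition is now true for every record carrying MF_CRYPT or MF_FORCECRYPT, so the comment and the `ERROR("Will try to encrypt ...")` line overstate what happens; a comment such as `/* Encryptable but unencrypted: unmount and let vold decide whether to encrypt */` matches the new behaviour and keeps boot logs from claiming an encryption attempt that may never occur. The enclosing function starts and ends outside the hunk.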
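Review bot: `fs_mgr_is_force_encrypted()` reports that the fstab record carries MF_FORCECRYPT, not that the volume is actually encrypted, and its name is close to the property check `device_is_force_encrypted()` from patch 1/2. A short comment would stop callers from reading it as on-disk state: `/* Nonzero if the fstab entry requests forced encryption (MF_FORCECRYPT); says nothing about the current state of the volume. */`. Like its neighbours it returns the raw masked flag, so callers should test for nonzero rather than compare with 1.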
@@ -83,6 +83,7 @@ int fs_mgr_is_voldmanaged(struct fstab_rec *fstab);
 int fs_mgr_is_nonremovable(struct fstab_rec *fstab);
 int fs_mgr_is_verified(struct fstab_rec *fstab);
 int fs_mgr_is_encryptable(struct fstab_rec *fstab);
+int fs_mgr_is_force_encrypted(struct fstab_rec *fstab);
 int fs_mgr_is_noemulatedsd(struct fstab_rec *fstab);
 int fs_mgr_swapon_all(struct fstab *fstab);
 #ifdef __cplusplus
diff --git a/rootdir/init.rc b/rootdir/init.rc
index 642af09bc..dcdc6581b 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -581,7 +581,7 @@ service defaultcrypto /system/bin/vdc --wait cryptfs mountdefaultencrypted
 # encryption) or trigger_restart_min_framework (other encryption)

 # One shot invocation to encrypt unencrypted volumes
-service encrypt /system/bin/vdc --wait cryptfs enablecrypto inplace default
+service encrypt /system/bin/vdc --wait cryptfs maybeenabledefaultcrypto
 disabled
 oneshot
 # vold will set vold.decrypt to trigger_restart_framework (default
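Review bot: The `encrypt` one-shot now depends on vold understanding `cryptfs maybeenabledefaultcrypto`, and the commit message says the vold side lands in a separate change. If this init.rc is paired with a vold build that lacks the command, the call presumably fails, and the volumes fs_mgr unmounted for encryption would be neither encrypted nor remounted by this path. The comment above the service still says it encrypts unencrypted volumes, so I would update it to state the dependency and the new semantics, e.g. `# One shot invocation; vold decides whether to encrypt (needs maybeenabledefaultcrypto support in vold)`. The service block continues past the end of the hunk.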