
A Brief Introduction to Direct Boot and FBE

What is Direct Boot?

Starting with Android N, a device that has been powered on boots into a new mode called Direct Boot, which lasts until the user unlocks the device for the first time.

Direct Boot For Users

1、Boot directly to lock screen

2、Calls, SMS, alarms work after device reboot before unlock

3、Per-user disk encryption

Direct Boot For Developers

Data

On an FBE-enabled device, each user of the device has two storage locations available to applications:
1、Credential Encrypted (CE) storage: 
    By default, all app data lives here.
2、Device Encrypted (DE) storage: 
    Direct-Boot-aware components, which run before the first user unlock, can use this storage.
APIs for working with these storage locations in Android:
    Context.createCredentialProtectedStorageContext()
    Context.isCredentialProtectedStorage()
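As an added example (not from the original page or slides), the following class shows how an app picks the storage location for each kind of data. The two calls listed above exist in the platform source but are system APIs; the added code uses the public SDK counterparts Context.createDeviceProtectedStorageContext() and Context.isDeviceProtectedStorage() (API 24), plus Context.moveSharedPreferencesFrom() for migrating an existing preference file. The package, class, preference file and key names are assumptions.

```java
package com.example.directboot; // hypothetical package

import android.content.Context;
import android.content.SharedPreferences;

import java.io.File;

/**
 * Added example (hypothetical class): picks the right storage area for each kind of data.
 * DE (device encrypted) storage is readable before the first unlock; CE (credential
 * encrypted) storage, the default, only after it.
 */
public final class StorageAreas {
    // Hypothetical preference file and key names.
    private static final String DE_PREFS = "direct_boot_prefs";
    private static final String KEY_NEXT_ALARM = "next_alarm_millis";

    private StorageAreas() {}

    /** Context whose files and preferences live in DE storage (public API since API 24). */
    public static Context deviceProtected(Context ctx) {
        return ctx.createDeviceProtectedStorageContext();
    }

    /** True when ctx's getFilesDir()/getSharedPreferences() point at DE rather than CE storage. */
    public static boolean isDeviceProtected(Context ctx) {
        return ctx.isDeviceProtectedStorage();
    }

    /** Only the minimal state needed before unlock (here: an alarm trigger time) goes to DE. */
    public static void saveNextAlarm(Context ctx, long triggerAtMillis) {
        SharedPreferences de = deviceProtected(ctx)
                .getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
        de.edit().putLong(KEY_NEXT_ALARM, triggerAtMillis).apply();
    }

    /** Readable during Direct Boot; returns -1 when nothing has been stored yet. */
    public static long loadNextAlarm(Context ctx) {
        return deviceProtected(ctx)
                .getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE)
                .getLong(KEY_NEXT_ALARM, -1L);
    }

    /**
     * One-time migration for an app that previously kept this preference file in CE storage:
     * moves it to DE so it becomes available before unlock. Must run while the user is
     * unlocked, because the CE source file has to be readable. Returns false on failure.
     */
    public static boolean migrateAlarmPrefsToDe(Context ctx) {
        return deviceProtected(ctx).moveSharedPreferencesFrom(ctx, DE_PREFS);
    }

    /** Everything else stays in the default CE location. */
    public static File credentialProtectedFilesDir(Context ctx) {
        // With the default manifest settings ctx.getFilesDir() is in CE storage
        // (unless android:defaultToDeviceProtectedStorage="true" is set).
        return ctx.getFilesDir();
    }
}
```

The design point is the asymmetry: the DE context is requested explicitly and used for one small value, while the unmodified context keeps everything else in CE, so nothing sensitive ends up readable before unlock by accident.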
           

Aware

  1. android:directBootAware="true"

    Marks all components in the app as encryption aware.

  2. android:defaultToDeviceProtectedStorage="true"

    Redirects the default app storage location to DE storage instead of CE storage.

Broadcast

In the normal boot state, the system sends the "Intent.ACTION_BOOT_COMPLETED" broadcast when boot completes.

If FBE (file-based encryption) is enabled, the system sends the "Intent.ACTION_LOCKED_BOOT_COMPLETED" broadcast before the device is unlocked.

State

API: UserManager.isUserUnlocked()

States: FLAG_OR_STOPPED
        FLAG_AND_LOCKED
        FLAG_AND_UNLOCKED
        FLAG_AND_UNLOCKING_OR_UNLOCKED
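The Broadcast and State sections above fit together in one receiver. The following is an added example, not code from the original page: it handles both boot broadcasts, reads only device-protected storage while locked, and gates credential-protected work on UserManager.isUserUnlocked() rather than on which broadcast arrived. The package, class, preference, key and action names are assumptions; the receiver is assumed to be declared in the manifest with android:directBootAware="true", the RECEIVE_BOOT_COMPLETED permission and an intent-filter for both actions.

```java
package com.example.directboot; // hypothetical package

import android.app.AlarmManager;
import android.app.PendingIntent;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.os.UserManager;
import android.util.Log;

/**
 * Added example (hypothetical class): one receiver for both boot broadcasts. Declared in the
 * manifest with android:directBootAware="true", the RECEIVE_BOOT_COMPLETED permission and
 * an intent-filter for ACTION_LOCKED_BOOT_COMPLETED and ACTION_BOOT_COMPLETED.
 */
public class BootReceiver extends BroadcastReceiver {
    private static final String TAG = "BootReceiver";
    private static final String DE_PREFS = "direct_boot_prefs";       // hypothetical names
    private static final String KEY_NEXT_ALARM = "next_alarm_millis";
    private static final String ACTION_ALARM_FIRED = "com.example.directboot.ALARM_FIRED";

    @Override
    public void onReceive(Context context, Intent intent) {
        String action = intent.getAction();
        if (action == null) return;

        // UserManager.isUserUnlocked() is the authoritative state check; the broadcast that
        // arrived is only a hint, because the user may unlock while it is in flight.
        UserManager um = context.getSystemService(UserManager.class);
        boolean unlocked = um != null && um.isUserUnlocked();

        switch (action) {
            case Intent.ACTION_LOCKED_BOOT_COMPLETED:
                // On an FBE device this arrives before the first unlock: CE storage is not
                // available yet, so touch only the device-protected context.
                Context de = context.createDeviceProtectedStorageContext();
                SharedPreferences prefs = de.getSharedPreferences(DE_PREFS, Context.MODE_PRIVATE);
                long next = prefs.getLong(KEY_NEXT_ALARM, -1L);
                Log.i(TAG, "locked boot completed, unlocked=" + unlocked + ", nextAlarm=" + next);
                if (next > 0) rescheduleAlarm(de, next);
                break;

            case Intent.ACTION_BOOT_COMPLETED:
                // Normal boot-completed broadcast; CE work is still gated on the real state.
                if (!unlocked) {
                    Log.w(TAG, "boot completed but user still locked; deferring CE work");
                    return;
                }
                onCredentialStorageAvailable(context);
                break;

            case ACTION_ALARM_FIRED:
                Log.i(TAG, "alarm fired, unlocked=" + unlocked);
                break;

            default:
                break;
        }
    }

    /** Re-arms the alarm from DE data only; alarms work during Direct Boot. */
    private void rescheduleAlarm(Context de, long triggerAtMillis) {
        AlarmManager am = de.getSystemService(AlarmManager.class);
        Intent fire = new Intent(de, BootReceiver.class).setAction(ACTION_ALARM_FIRED);
        PendingIntent pi = PendingIntent.getBroadcast(de, 0, fire, PendingIntent.FLAG_UPDATE_CURRENT);
        am.setExactAndAllowWhileIdle(AlarmManager.RTC_WAKEUP, triggerAtMillis, pi);
    }

    /** Anything that opens CE files (accounts, databases) belongs here, after unlock. */
    private void onCredentialStorageAvailable(Context ctx) {
        // Hypothetical hook: with the default manifest settings getFilesDir() is in CE storage.
        Log.i(TAG, "CE storage available at " + ctx.getFilesDir());
    }
}
```

Note the early return in the ACTION_BOOT_COMPLETED branch: opening a CE file while the user is still locked fails, so the check on isUserUnlocked() is what decides whether credential-protected work may start, not the name of the broadcast.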
           

Direct Boot Best Practices

  1. Most appropriate for apps that depend on time-sensitive alerts
  2. Limit the data you store in Device Protected storage

    a、Avoid storing long-lived credentials in DP storage

    b、Create limited-purpose tokens (e.g. one that can receive mail, not send it)

    c、Encrypt sensitive data you receive so that it can be decrypted only after unlock
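Practice (c) can be implemented by splitting a key pair across the two storage areas. The following added example (not code from the original page) keeps the public key in DE storage, where it is readable while locked, and the private key in CE storage, so a message that arrives during Direct Boot can be encrypted immediately but decrypted only after unlock. It uses plain JDK crypto (RSA-OAEP wrapping a per-message AES-GCM key); the deDir and ceDir paths stand in for the app's device-protected and credential-protected files directories, and the package, class and file names are assumptions.

```java
package com.example.directboot; // hypothetical package

import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (hypothetical class): data that arrives while the device is locked is
 * encrypted to a public key kept in DE storage; the matching private key lives in CE
 * storage, so decryption is only possible after the user unlocks. deDir and ceDir stand
 * in for the app's device-protected and credential-protected files directories.
 */
public final class LockedInbox {
    private static final String RSA_OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    private static final String AES_GCM = "AES/GCM/NoPadding";
    private static final int GCM_IV_BYTES = 12;
    private static final int GCM_TAG_BITS = 128;
    private static final String PUB_FILE = "inbox.pub";  // hypothetical file names
    private static final String PRIV_FILE = "inbox.key";

    /** Run once while unlocked: public key to DE storage, private key to CE storage. */
    public static void provision(Path deDir, Path ceDir) throws GeneralSecurityException, IOException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        Files.write(deDir.resolve(PUB_FILE), kp.getPublic().getEncoded());   // readable while locked
        Files.write(ceDir.resolve(PRIV_FILE), kp.getPrivate().getEncoded()); // readable only after unlock
    }

    /** Usable before unlock: needs only the DE public key. Fresh AES-GCM key per message, wrapped with RSA-OAEP. */
    public static byte[] sealWhileLocked(Path deDir, byte[] plaintext) throws GeneralSecurityException, IOException {
        PublicKey pub = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Files.readAllBytes(deDir.resolve(PUB_FILE))));
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey dek = kg.generateKey();

        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.ENCRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] body = aes.doFinal(plaintext);

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.ENCRYPT_MODE, pub);
        byte[] wrapped = rsa.doFinal(dek.getEncoded());

        // Blob layout: [u16 wrapped-key length][wrapped key][12-byte IV][ciphertext || GCM tag]
        return ByteBuffer.allocate(2 + wrapped.length + iv.length + body.length)
                .putShort((short) wrapped.length).put(wrapped).put(iv).put(body).array();
    }

    /** Fails cleanly while still locked (CE key unreadable); decrypts once the user has unlocked. */
    public static byte[] openAfterUnlock(Path ceDir, byte[] sealed) throws GeneralSecurityException, IOException {
        Path keyFile = ceDir.resolve(PRIV_FILE);
        if (!Files.isReadable(keyFile)) {
            throw new IllegalStateException("private key in CE storage is not readable: user not unlocked yet?");
        }
        PrivateKey priv = KeyFactory.getInstance("RSA")
                .generatePrivate(new PKCS8EncodedKeySpec(Files.readAllBytes(keyFile)));

        ByteBuffer in = ByteBuffer.wrap(sealed);
        byte[] wrapped = new byte[in.getShort() & 0xFFFF];
        in.get(wrapped);
        byte[] iv = new byte[GCM_IV_BYTES];
        in.get(iv);
        byte[] body = new byte[in.remaining()];
        in.get(body);

        Cipher rsa = Cipher.getInstance(RSA_OAEP);
        rsa.init(Cipher.DECRYPT_MODE, priv);
        SecretKey dek = new SecretKeySpec(rsa.doFinal(wrapped), "AES");
        Cipher aes = Cipher.getInstance(AES_GCM);
        aes.init(Cipher.DECRYPT_MODE, dek, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return aes.doFinal(body); // AEADBadTagException if the blob was modified
    }

    /** Stand-alone demo: temporary directories play the DE and CE roles. */
    public static void main(String[] args) throws Exception {
        Path de = Files.createTempDirectory("de");
        Path ce = Files.createTempDirectory("ce");
        provision(de, ce);
        byte[] sealed = sealWhileLocked(de, "mail received while locked".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(openAfterUnlock(ce, sealed), StandardCharsets.UTF_8));
    }
}
```

On a device, provision() runs once after unlock and openAfterUnlock() is called from the post-unlock path (for instance after ACTION_BOOT_COMPLETED with isUserUnlocked() true); sealWhileLocked() is the only function the Direct Boot path needs, and it never touches CE storage. Because the private key is only ever written to CE storage, the data a receiver stores during Direct Boot is worth no more to someone holding the locked device than the CE-encrypted data already is.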

Examples

Dialer
DeskClock
SystemUI  
LatinIME
Settings
...

How to use it?

For users:

1、Settings > Developer options > Convert to file encryption
2、$ adb reboot-bootloader  
   $ fastboot --wipe-and-use-fbe  

Warning: Both methods perform a ***factory reset*** and ***delete all user data*** on your device.

For developers, an emulated Direct Boot mode is available:
   $ adb shell sm set-emulate-fbe true  
   $ adb shell sm set-emulate-fbe false  

File-Based Encryption

Android 7.0 and above supports file-based encryption (FBE). File-based encryption allows different files to be encrypted with different keys that can be unlocked independently.

The relationship with Direct Boot?

Conclusion: ***Direct Boot depends on FBE***

Dependencies

  1. Kernel support for ext4 encryption
  2. Keymaster support with HAL version 1.0 or 2.0
  3. Keymaster/Keystore and Gatekeeper must be implemented in a Trusted Execution Environment (TEE) to protect the DE keys
  4. Encryption performance in the kernel of at least 50MB/s
  5. Hardware Root of Trust and Verified Boot bound to the keymaster initialisation is required to ensure

Kernel Support

The recommended solution is to use a kernel based on 4.4 or later. 
Ext4 encryption has also been backported to a 3.10 kernel in the Android common repositories and for the supported Nexus kernels.

Enabling file-based encryption

File name:    fstab_fbe.bullhead

https://android.googlesource.com/device/lge/bullhead/+/nougat-release/fstab_fbe.bullhead

Validation

  1. CTS

    kvm-xfstests -c encrypt -g auto

  2. For manufacturers, check the system properties:

    ro.crypto.state = encrypted

    ro.crypto.type = file

  3. Make sure /data/data contains encrypted filenames.

PPT Link

http://download.csdn.net/detail/lijunxie/9682091