Support /home encryption using Lomiri & fscrypt
Because ports rely not only on Android-based kernels and drivers, but also on their bootloaders and partitioning schemes, full-disk encryption is not possible. Our runtime environment consists of:
- Rootfs installed in system partition
- Writable data (including /home) copied-over and bind-mounted to /userdata
There is an alternative to full-disk encryption though: filesystem-based encryption.
This still allows flexible use cases, since fscrypt can encrypt separate directories under different policies and protectors, one of the protector types being PAM (the user's login passphrase).
Now, unity8 has already supported the use case of providing a login greeter for lightdm, using --mode=greeter, so the split-personality approach of Lomiri works in our favor when set up correctly.
This allows spawning a lightweight lightdm session with just Lomiri as the greeter and an OSK. The greeter logs in the user based on their credentials (passphrase, PIN), unlocks their /home/$USER directory and spawns a full session.
For this goal to be reached, some components need to be added and modified.
- Install fscrypt & libpam-fscrypt into the rootfs
- Make sure both jumpercable & halium-boot create the necessary symlink for /dev/root (fscrypt needs it). Note: newer fscrypt in noble has fixes in place.
- Have fscrypt generate its configuration during boot in /etc/fscrypt.conf. Note: have the port maintainer provide an overlay for this.
- Make a symlink from /.fscrypt to /userdata/.fscrypt for PAM to find the right fscrypt protectors in writable storage
- Configure lightdm to launch the greeter instead of auto-logging in
- Make sure to display an OSK in the greeter session
- Let PAM unlock the key using pam_fscrypt.so when the user enters their PIN in the lightdm greeter (see "Changes required to PAM & libpam-fscrypt"). Note: already handled with default Debian packaging.
- Make the phablet session autostart lomiri with --mode=full-shell
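The steps above touch several independent pieces (boot symlink, fscrypt config, metadata location, PAM stacks, lightdm), and a single missing one leaves /home/$USER locked after login with no obvious error. The following preflight check is an added example, not code from Ubuntu Touch, Lomiri or fscrypt: it only reads files and reports each piece of the layout listed above. Paths come from the list; the Debian PAM file names (common-auth, common-session), the lightdm `autologin-user` key and the `pam_passphrase` protector source are assumed defaults. The function takes an optional root prefix so it can be run against a staged rootfs as well as the live device.

```sh
#!/bin/sh
# Added example (not part of any Ubuntu Touch / Lomiri / fscrypt project):
# preflight check for the fscrypt-based /home encryption layout.
# Usage: check_fscrypt_layout [ROOT]   e.g. check_fscrypt_layout /mnt/rootfs
# Prints one line per check and returns the number of failed checks.
check_fscrypt_layout() {
    root="${1:-}"
    fails=0

    # 1. /dev/root: fscrypt resolves the root filesystem through it, and an
    #    Android-style boot does not create it by itself.
    if [ -e "$root/dev/root" ]; then
        echo "ok    /dev/root present"
    else
        echo "FAIL  /dev/root missing (jumpercable/halium-boot must create it)"
        fails=$((fails + 1))
    fi

    # 2. /etc/fscrypt.conf: must exist and use the pam_passphrase protector
    #    source, the protector type pam_fscrypt.so unlocks with the login credential.
    if [ -s "$root/etc/fscrypt.conf" ] && grep -q 'pam_passphrase' "$root/etc/fscrypt.conf"; then
        echo "ok    /etc/fscrypt.conf present with pam_passphrase source"
    else
        echo "FAIL  /etc/fscrypt.conf missing or not using pam_passphrase"
        fails=$((fails + 1))
    fi

    # 3. /.fscrypt -> /userdata/.fscrypt: policies and protectors must live in
    #    writable storage, and the link must point exactly there.
    if [ -L "$root/.fscrypt" ] && [ "$(readlink "$root/.fscrypt")" = "/userdata/.fscrypt" ] \
       && [ -d "$root/userdata/.fscrypt" ]; then
        echo "ok    /.fscrypt -> /userdata/.fscrypt"
    else
        echo "FAIL  /.fscrypt must be a symlink to an existing /userdata/.fscrypt"
        fails=$((fails + 1))
    fi

    # 4. PAM: pam_fscrypt.so has to be in both the auth and session stacks
    #    (auth derives the key from the credential, session adds it to the keyring).
    for stack in common-auth common-session; do
        if grep -qs 'pam_fscrypt.so' "$root/etc/pam.d/$stack"; then
            echo "ok    pam_fscrypt.so in $stack"
        else
            echo "FAIL  pam_fscrypt.so not in /etc/pam.d/$stack"
            fails=$((fails + 1))
        fi
    done

    # 5. lightdm: an autologin-user line bypasses the greeter, so the
    #    passphrase never reaches PAM and /home/$USER stays locked.
    if grep -rqs '^autologin-user=' "$root/etc/lightdm"; then
        echo "FAIL  lightdm still configured for autologin"
        fails=$((fails + 1))
    else
        echo "ok    lightdm autologin disabled"
    fi

    return "$fails"
}
```

Run it as root on the device after provisioning (or against a rootfs prefix in CI); a non-zero return tells you how many of the five pieces are still missing, and the output names which ones.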
Changes required to PAM & libpam-fscrypt:
- See "Set up PAM" section here: http://tlbdk.github.io/ubuntu/2018/10/22/fscrypt.html
- Increasing priority for the fscrypt PAM config: https://github.com/google/fscrypt/pull/278
I suggest shipping those two changes as separate files belonging to the ubuntu-touch-session package instead of vendoring them into libpam-fscrypt.