porting to android

porting to android

[James Muir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

hello list,

I'm interested in porting some of the ecryptfs userland tools to android
- -- specifically, I want to get the mount and umount utilities working.

I've hacked around a bit and see that there is a dependency with Mozilla
NSS (e.g. in the functions ecryptfs_wrap_passphrase and
ecryptfs_unwrap_passphrase).  Apparently, NSS can be built for Android,
but before I go further down the hole, I wondered if someone more
familiar with the user tools might have some perspective to share.  My
impression is that getting the tools working on Android shouldn't
be too difficult, but I wonder if I am being too optimistic...  if I
sort out NSS, will it be smooth sailing?

Note the ./configure script suggests that it is possible to build
against gcrypt rather than NSS ("--disable-nss           Build against
gcrypt rather than NSS"), but I suspect that configuration hasn't
actually been implemented yet.  Has anyone built the user tools using
gcrypt?

More generally, has anyone worked on porting these utilities
previously?  I've googled and found mention that ecryptfs is used on
the Droid X but the source code was not published:

http://android.stackexchange.com/questions/20105/motorola-droidx-ecryptfs-related-sources

Also, the following blueprint suggests that an android port has been on
the Linaro backlog for some time:

https://blueprints.launchpad.net/linaro-android/+spec/linaro-android-integrate-ecryptfs

thanks for your help,

- -James

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlI1MgAACgkQ4Arkm0Hw/FLFYgCbBoS8p2yHQjpx0b/zW9xzPxRs
d98AoIGvDYK3EK35zISXxc9I3tXQnWAb
=8Nr5
-----END PGP SIGNATURE-----

Re: porting to android

[James Muir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/16/2013 10:27 AM, William Roberts wrote:
> I've used ecryptfs on Android before, but I wrote my own userland
> tools. I found it easier to just strace the program to figure out
> what the kernel was expecting.
> 

Were your tools generic? or did you create them just to access a
particular ecryptfs container?

I've tried using strace when mounting my encrypted folder like so:

  # strace mount -t ecryptfs /home/username/.Private
/home/username/Private

but I didn't get any output after answering the prompts on ecryptfs
mount options :-(

- -James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlI3TOQACgkQ4Arkm0Hw/FILNACfQsv+RYHlKhZp9Wje3JvBOLIF
xVMAoImjw+WmBCuKxqd28TR676aks7Ry
=2J+k
-----END PGP SIGNATURE-----

Re: porting to android

[James Muir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/16/2013 02:34 PM, William Roberts wrote:
> my tools were generic... I did it over a year ago. I am having a
> hard time remembering what, or how I did it.
> 

That's too bad.  I could use some help :-)

I've had limited success so far.  I've if-def'd out the Mozilla NSS
stuff and am just concentrating on getting mount.ecryptfs working when
 options are passed directly to it:

  mount.ecryptfs lower upper \
 -o ecryptfs_cipher=aes,ecryptfs_key_bytes=16,...

There are three libraries that mount.ecryptfs needs:  libkeyutils,
libecryptfs, and libecryptfs_key_mod_passphrase.  I've managed to
build each of those after some minor changes (for android-arm).  With
those libraries available, I can then build the mount utility.
However, when I try the above command on my device I get an error from
the function ecryptfs_eval_decision_graph()  :-(

Here is a more general question for the list:  is this forum more for
the ecryptfs kernel mod devs?  or do the ecryptfs user-tool devs hang
out here, too?

- -James M
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/

iEYEARECAAYFAlI6HLsACgkQ4Arkm0Hw/FIg+QCghuQJadNtJm5rRL9QID7ugJwf
P4sAnjbNzYw52jhPMdtkFZgPBBRiCasz
=NVGB
-----END PGP SIGNATURE-----

Re: porting to android

[James Muir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Success!  I've managed to get the user-land tools working (albeit with
limited functionality) and can now mount/umount ecryptfs volumes on
android.

In hindsight, I can see a much shorter path than the one I took (of
course :-) ).  I think you can do without the mount.ecryptfs utility
for basic applications.

- -James
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlI8iScACgkQ4Arkm0Hw/FJC9gCeISH/F1GviL6vBdqL8kn1frS+
nHsAn0SQm2hU2ItN7LcVGmCHt4B4Xf81
=lJqk
-----END PGP SIGNATURE-----

Re: porting to android

[Dustin Kirkland]

On Fri, Sep 20, 2013 at 12:43 PM, James Muir <muir.james.a@gmail.com> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Success!  I've managed to get the user-land tools working (albeit with
> limited functionality) and can now mount/umount ecryptfs volumes on
> android.
>
> In hindsight, I can see a much shorter path than the one I took (of
> course :-) ).  I think you can do without the mount.ecryptfs utility
> for basic applications.

Hi James,

Sorry for the delayed response.  I'm one of the two maintainers of
eCryptfs.  Tyler Hicks tends to the kernel side of eCryptfs, and I
maintain the userspace ecryptfs-utils.

I'm delighted to hear that you have ecryptfs-utils working on Android!
 There was some work a little while back, and it seemed to work on
Linaro builds, but this is the first work I'm aware of, getting
eCryptfs mounting/unmounting on Android.

Do you have a comprehensive set of instructions, or perhaps a blog
post, on this?  Are there changes required upstream in ecryptfs-utils
to accommodate the build or functionality?  I would be quite keen to
getting those merged upstream, if we can test and verify the
functionality...

Cheers,
:-Dustin

Dustin Kirkland
eCryptfs Maintainer

> - -James
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.12 (GNU/Linux)
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEARECAAYFAlI8iScACgkQ4Arkm0Hw/FJC9gCeISH/F1GviL6vBdqL8kn1frS+
> nHsAn0SQm2hU2ItN7LcVGmCHt4B4Xf81
> =lJqk
> -----END PGP SIGNATURE-----
> --
> To unsubscribe from this list: send the line "unsubscribe ecryptfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>

Re: porting to android

[James Muir]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/03/2013 11:44 AM, Dustin Kirkland wrote:
> On Fri, Sep 20, 2013 at 12:43 PM, James Muir
> <muir.james.a@gmail.com> wrote: Success!  I've managed to get the
> user-land tools working (albeit with limited functionality) and can
> now mount/umount ecryptfs volumes on android.
> 
> In hindsight, I can see a much shorter path than the one I took
> (of course :-) ).  I think you can do without the mount.ecryptfs
> utility for basic applications.
> 
>> Hi James,
> 
>> Sorry for the delayed response.  I'm one of the two maintainers
>> of eCryptfs.  Tyler Hicks tends to the kernel side of eCryptfs,
>> and I maintain the userspace ecryptfs-utils.
> 
>> I'm delighted to hear that you have ecryptfs-utils working on
>> Android! There was some work a little while back, and it seemed
>> to work on Linaro builds, but this is the first work I'm aware
>> of, getting eCryptfs mounting/unmounting on Android.
> 
>> Do you have a comprehensive set of instructions, or perhaps a
>> blog post, on this?  Are there changes required upstream in
>> ecryptfs-utils to accommodate the build or functionality?  I
>> would be quite keen to getting those merged upstream, if we can
>> test and verify the functionality...

Hi Tyler,

thanks for your note.  It is nice to know that user-space devs read
this list, too :-)

I haven't written any instructions on getting ecryptfs-utils working
in Android yet, but this is something I would like to do.  Importing
keyutils into aosp is a snap, but not so much for ecryptfs-utils.

Unfortunately, the changes I made aren't very merge-friendly, but I
can reformat them inside appropriate if-def blocks (i.e. #ifdef
ANDROID... #endif).  I could then send you a patch (or point you to a
git repo) based on the 103 release.

sound ok?

- -James M
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlJUINwACgkQ4Arkm0Hw/FJ8QgCfXiWIefB4zHEfM4esS+nwbIUf
/ewAn2NhwEQdhyshdoEyQzbDEWd95nvq
=ZT+y
-----END PGP SIGNATURE-----