Pixel Security: Better, Faster, Stronger

Posted by Paul Crowley, Senior Software Engineer and Paul Lawrence, Senior Software Engineer




Encryption protects your data if your phone falls into someone else's hands. The
new Google Pixel and Pixel XL are encrypted by default to offer strong data
protection, while maintaining a great user experience with high I/O performance
and long battery life. In addition to encryption, the Pixel phones debuted
running the Android Nougat release, which has even more href="http://android-developers.blogspot.com/2016/09/security-enhancements-in-nougat.html">security
improvements.



This blog post covers the encryption implementation on Google Pixel devices and
how it improves the user experience, performance, and security of the device.






File-Based Encryption Direct Boot experience



One of the security features introduced in Android Nougat was href="https://source.android.com/security/encryption/file-based.html">file-based
encryption. File-based encryption (FBE) means different files are encrypted
with different keys that can be unlocked independently. FBE also separates data
into device encrypted (DE) data and credential encrypted (CE) data.



href="https://developer.android.com/training/articles/direct-boot.html">Direct
boot uses file-based encryption to allow a seamless user experience when a
device reboots by combining the unlock and decrypt screen. For users, this means
that applications like alarm clocks, accessibility settings, and phone calls are
available immediately after boot.


Enhanced with TrustZone® security



Modern processors provide a means to execute code in a mode that remains secure
even if the kernel is compromised. On ARM®-based processors this mode is known
as TrustZone. Starting in Android Nougat, all disk encryption keys are stored
encrypted with keys held by TrustZone software. This secures encrypted data in
two ways:


  • TrustZone enforces the href="https://source.android.com/security/verifiedboot/">Verified Boot
    process. If TrustZone detects that the operating system has been modified, it
    won't decrypt disk encryption keys; this helps to secure device encrypted (DE)
    data.
  • TrustZone enforces a waiting period between guesses at the user credential,
    which gets longer after a sequence of wrong guesses. With 1624 valid four-point
    patterns and TrustZone's ever-growing waiting period, trying all patterns would
    take more than four years. This improves security for all users, especially
    those who have a shorter and more easily guessed pattern, PIN, or
    password.


Encryption on Pixel phones



Protecting different folders with different keys required a distinct approach
from href="http://source.android.com/security/encryption/full-disk.html">full-disk
encryption (FDE). The natural choice for Linux-based systems is the
industry-standard eCryptFS. However, eCryptFS didn't meet our performance
requirements. Fortunately one of the eCryptFS creators, Michael Halcrow, worked
with the ext4 maintainer, Ted Ts'o, to add encryption natively to ext4, and
Android became the first consumer of this technology. ext4 encryption
performance is similar to full-disk encryption, which is as performant as a
software-only solution can be.



Additionally, Pixel phones have an inline hardware encryption engine, which
gives them the ability to write encrypted data at line speed to the flash
memory. To take advantage of this, we modified ext4 encryption to use this
hardware by adding a key reference to the bio structure, within the ext4 driver
before passing it to the block layer. (The bio structure is the basic container
for block I/O in the Linux kernel.) We then modified the inline encryption block
driver to pass this to the hardware. As with ext4 encryption, keys are managed
by the Linux keyring. To see our implementation, take a look at the href="https://android.googlesource.com/kernel/msm/+/android-msm-marlin-3.18-nougat-dr1/fs/ext4/crypto_key.c">source
code for the Pixel kernel.



While this specific implementation of file-based encryption using ext4 with
inline encryption benefits Pixel users, FBE is available in AOSP and ready to
use, along with the other features mentioned in this post.