Xiaomi Redmi Note 8 Pro 64Gb+6Gb Dual LTE [121/132] Direct boot

technology available on the device (e.g. the ARM Cryptography Extensions), is above 50 MiB/sec,

device implementations:

[C-1-1] MUST support data storage encryption of the application private data ( /data

partition), as well as the application shared storage partition ( /sdcard partition) if it is a

permanent, non-removable part of the device, except for device implementations that are

typically shared (e.g. Television).

[C-1-2] MUST enable the data storage encryption by default at the time the user has

completed the out-of-box setup experience, except for device implementations that are

typically shared (e.g. Television).

If device implementations are already launched on an earlier Android version and cannot meet the

requirement through a system software update, they MAY be exempted from the above requirements.

Device implementations:

SHOULD meet the above data storage encryption requirement via implementing File

Based Encryption (FBE).

9.9.1. Direct Boot

Device implementations:

[C-0-1] MUST implement the Direct Boot mode APIs even if they do not support Storage

Encryption.

[C-0-2] The ACTION_LOCKED_BOOT_COMPLETED and ACTION_USER_UNLOCKED Intents

MUST still be broadcast to signal Direct Boot aware applications that Device Encrypted

(DE) and Credential Encrypted (CE) storage locations are available for user.

9.9.2. File Based Encryption

If device implementations support FBE, they:

[C-1-1] MUST boot up without challenging the user for credentials and allow Direct Boot

aware apps to access to the Device Encrypted (DE) storage after the

ACTION_LOCKED_BOOT_COMPLETED message is broadcasted.

[C-1-2] MUST only allow access to Credential Encrypted (CE) storage after the user has

unlocked the device by supplying their credentials (eg. passcode, pin, pattern or

fingerprint) and the ACTION_USER_UNLOCKED message is broadcasted.

[C-1-3] MUST NOT offer any method to unlock the CE protected storage without either the

user-supplied credentials or a registered escrow key.

[C-1-4] MUST support Verified Boot and ensure that DE keys are cryptographically bound

to the device's hardware root of trust.

[C-1-5] MUST support encrypting file contents using AES-256-XTS. AES-256-XTS refers

to the Advanced Encryption Standard with a 256-bit key length, operated in XTS mode.

The full length of the XTS key is 512 bits.

[C-1-6] MUST support encrypting file names using AES-256 in CBC-CTS mode.

The keys protecting CE and DE storage areas:

[C-1-7] MUST be cryptographically bound to a hardware-backed Keystore.

[C-1-8] CE keys MUST be bound to a user's lock screen credentials.

[C-1-9] CE keys MUST be bound to a default passcode when the user has not specified

lock screen credentials.

Page 121 of 132