1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23 #include <sys/types.h> 24 #include <sys/wait.h> 25 #include <sys/stat.h> 26 #include <ctype.h> 27 #include <fcntl.h> 28 #include <inttypes.h> 29 #include <unistd.h> 30 #include <stdio.h> 31 #include <sys/ioctl.h> 32 #include <linux/dm-ioctl.h> 33 #include <libgen.h> 34 #include <stdlib.h> 35 #include <sys/param.h> 36 #include <string.h> 37 #include <sys/mount.h> 38 #include <openssl/evp.h> 39 #include <errno.h> 40 #include <ext4.h> 41 #include <linux/kdev_t.h> 42 #include <fs_mgr.h> 43 #include <time.h> 44 #include "cryptfs.h" 45 #define LOG_TAG "Cryptfs" 46 #include "cutils/log.h" 47 #include "cutils/properties.h" 48 #include "cutils/android_reboot.h" 49 #include "hardware_legacy/power.h" 50 #include <logwrap/logwrap.h> 51 #include "VolumeManager.h" 52 #include "VoldUtil.h" 53 #include "crypto_scrypt.h" 54 #include "ext4_utils.h" 55 #include "f2fs_sparseblock.h" 56 #include "CheckBattery.h" 57 #include "Process.h" 58 59 #include <hardware/keymaster.h> 60 61 #define UNUSED __attribute__((unused)) 62 63 #define UNUSED __attribute__((unused)) 64 65 #define DM_CRYPT_BUF_SIZE 4096 66 67 #define HASH_COUNT 2000 68 #define KEY_LEN_BYTES 16 69 #define IV_LEN_BYTES 16 70 71 #define KEY_IN_FOOTER "footer" 72 73 // "default_password" encoded into hex (d=0x64 etc) 74 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 75 76 #define EXT4_FS 1 77 #define F2FS_FS 2 78 79 #define TABLE_LOAD_RETRIES 10 80 81 #define RSA_KEY_SIZE 2048 82 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 83 #define RSA_EXPONENT 0x10001 84 85 #define RETRY_MOUNT_ATTEMPTS 10 86 #define RETRY_MOUNT_DELAY_SECONDS 1 87 88 char *me = "cryptfs"; 89 90 static unsigned char saved_master_key[KEY_LEN_BYTES]; 91 static char *saved_mount_point; 92 static int master_key_saved = 0; 93 static struct crypt_persist_data *persist_data = NULL; 94 95 static int keymaster_init(keymaster_device_t **keymaster_dev) 96 { 97 int rc; 98 99 const hw_module_t* mod; 100 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 101 if (rc) { 102 ALOGE("could not find any keystore module"); 103 goto out; 104 } 105 106 rc = keymaster_open(mod, keymaster_dev); 107 if (rc) { 108 ALOGE("could not open keymaster device in %s (%s)", 109 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 110 goto out; 111 } 112 113 return 0; 114 115 out: 116 *keymaster_dev = NULL; 117 return rc; 118 } 119 120 /* Should we use keymaster? */ 121 static int keymaster_check_compatibility() 122 { 123 keymaster_device_t *keymaster_dev = 0; 124 int rc = 0; 125 126 if (keymaster_init(&keymaster_dev)) { 127 SLOGE("Failed to init keymaster"); 128 rc = -1; 129 goto out; 130 } 131 132 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 133 134 if (keymaster_dev->common.module->module_api_version 135 < KEYMASTER_MODULE_API_VERSION_0_3) { 136 rc = 0; 137 goto out; 138 } 139 140 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 141 rc = 1; 142 } 143 144 out: 145 keymaster_close(keymaster_dev); 146 return rc; 147 } 148 149 /* Create a new keymaster key and store it in this footer */ 150 static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 151 { 152 uint8_t* key = 0; 153 keymaster_device_t *keymaster_dev = 0; 154 155 if (keymaster_init(&keymaster_dev)) { 156 SLOGE("Failed to init keymaster"); 157 return -1; 158 } 159 160 int rc = 0; 161 162 keymaster_rsa_keygen_params_t params; 163 memset(¶ms, '\0', sizeof(params)); 164 params.public_exponent = RSA_EXPONENT; 165 params.modulus_size = RSA_KEY_SIZE; 166 167 size_t key_size; 168 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 169 &key, &key_size)) { 170 SLOGE("Failed to generate keypair"); 171 rc = -1; 172 goto out; 173 } 174 175 if (key_size > KEYMASTER_BLOB_SIZE) { 176 SLOGE("Keymaster key too large for crypto footer"); 177 rc = -1; 178 goto out; 179 } 180 181 memcpy(ftr->keymaster_blob, key, key_size); 182 ftr->keymaster_blob_size = key_size; 183 184 out: 185 keymaster_close(keymaster_dev); 186 free(key); 187 return rc; 188 } 189 190 /* This signs the given object using the keymaster key. */ 191 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 192 const unsigned char *object, 193 const size_t object_size, 194 unsigned char **signature, 195 size_t *signature_size) 196 { 197 int rc = 0; 198 keymaster_device_t *keymaster_dev = 0; 199 if (keymaster_init(&keymaster_dev)) { 200 SLOGE("Failed to init keymaster"); 201 return -1; 202 } 203 204 /* We currently set the digest type to DIGEST_NONE because it's the 205 * only supported value for keymaster. A similar issue exists with 206 * PADDING_NONE. Long term both of these should likely change. 207 */ 208 keymaster_rsa_sign_params_t params; 209 params.digest_type = DIGEST_NONE; 210 params.padding_type = PADDING_NONE; 211 212 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 213 size_t to_sign_size = sizeof(to_sign); 214 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 215 216 // To sign a message with RSA, the message must satisfy two 217 // constraints: 218 // 219 // 1. The message, when interpreted as a big-endian numeric value, must 220 // be strictly less than the public modulus of the RSA key. Note 221 // that because the most significant bit of the public modulus is 222 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 223 // key), an n-bit message with most significant bit 0 always 224 // satisfies this requirement. 225 // 226 // 2. The message must have the same length in bits as the public 227 // modulus of the RSA key. This requirement isn't mathematically 228 // necessary, but is necessary to ensure consistency in 229 // implementations. 230 switch (ftr->kdf_type) { 231 case KDF_SCRYPT_KEYMASTER_UNPADDED: 232 // This is broken: It produces a message which is shorter than 233 // the public modulus, failing criterion 2. 234 memcpy(to_sign, object, object_size); 235 to_sign_size = object_size; 236 SLOGI("Signing unpadded object"); 237 break; 238 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 239 // This is broken: Since the value of object is uniformly 240 // distributed, it produces a message that is larger than the 241 // public modulus with probability 0.25. 242 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 243 SLOGI("Signing end-padded object"); 244 break; 245 case KDF_SCRYPT_KEYMASTER: 246 // This ensures the most significant byte of the signed message 247 // is zero. We could have zero-padded to the left instead, but 248 // this approach is slightly more robust against changes in 249 // object size. However, it's still broken (but not unusably 250 // so) because we really should be using a proper RSA padding 251 // function, such as OAEP. 252 // 253 // TODO(paullawrence): When keymaster 0.4 is available, change 254 // this to use the padding options it provides. 255 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 256 SLOGI("Signing safely-padded object"); 257 break; 258 default: 259 SLOGE("Unknown KDF type %d", ftr->kdf_type); 260 return -1; 261 } 262 263 rc = keymaster_dev->sign_data(keymaster_dev, 264 ¶ms, 265 ftr->keymaster_blob, 266 ftr->keymaster_blob_size, 267 to_sign, 268 to_sign_size, 269 signature, 270 signature_size); 271 272 keymaster_close(keymaster_dev); 273 return rc; 274 } 275 276 /* Store password when userdata is successfully decrypted and mounted. 277 * Cleared by cryptfs_clear_password 278 * 279 * To avoid a double prompt at boot, we need to store the CryptKeeper 280 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 281 * Since the entire framework is torn down and rebuilt after encryption, 282 * we have to use a daemon or similar to store the password. Since vold 283 * is secured against IPC except from system processes, it seems a reasonable 284 * place to store this. 285 * 286 * password should be cleared once it has been used. 287 * 288 * password is aged out after password_max_age_seconds seconds. 289 */ 290 static char* password = 0; 291 static int password_expiry_time = 0; 292 static const int password_max_age_seconds = 60; 293 294 extern struct fstab *fstab; 295 296 enum RebootType {reboot, recovery, shutdown}; 297 static void cryptfs_reboot(enum RebootType rt) 298 { 299 switch(rt) { 300 case reboot: 301 property_set(ANDROID_RB_PROPERTY, "reboot"); 302 break; 303 304 case recovery: 305 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 306 break; 307 308 case shutdown: 309 property_set(ANDROID_RB_PROPERTY, "shutdown"); 310 break; 311 } 312 313 sleep(20); 314 315 /* Shouldn't get here, reboot should happen before sleep times out */ 316 return; 317 } 318 319 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 320 { 321 memset(io, 0, dataSize); 322 io->data_size = dataSize; 323 io->data_start = sizeof(struct dm_ioctl); 324 io->version[0] = 4; 325 io->version[1] = 0; 326 io->version[2] = 0; 327 io->flags = flags; 328 if (name) { 329 strncpy(io->name, name, sizeof(io->name)); 330 } 331 } 332 333 /** 334 * Gets the default device scrypt parameters for key derivation time tuning. 335 * The parameters should lead to about one second derivation time for the 336 * given device. 337 */ 338 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 339 const int default_params[] = SCRYPT_DEFAULTS; 340 int params[] = SCRYPT_DEFAULTS; 341 char paramstr[PROPERTY_VALUE_MAX]; 342 char *token; 343 char *saveptr; 344 int i; 345 346 property_get(SCRYPT_PROP, paramstr, ""); 347 if (paramstr[0] != '\0') { 348 /* 349 * The token we're looking for should be three integers separated by 350 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 351 */ 352 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 353 token != NULL && i < 3; 354 i++, token = strtok_r(NULL, ":", &saveptr)) { 355 char *endptr; 356 params[i] = strtol(token, &endptr, 10); 357 358 /* 359 * Check that there was a valid number and it's 8-bit. If not, 360 * break out and the end check will take the default values. 361 */ 362 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 363 break; 364 } 365 } 366 367 /* 368 * If there were not enough tokens or a token was malformed (not an 369 * integer), it will end up here and the default parameters can be 370 * taken. 371 */ 372 if ((i != 3) || (token != NULL)) { 373 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 374 memcpy(params, default_params, sizeof(params)); 375 } 376 } 377 378 ftr->N_factor = params[0]; 379 ftr->r_factor = params[1]; 380 ftr->p_factor = params[2]; 381 } 382 383 static unsigned int get_fs_size(char *dev) 384 { 385 int fd, block_size; 386 struct ext4_super_block sb; 387 off64_t len; 388 389 if ((fd = open(dev, O_RDONLY)) < 0) { 390 SLOGE("Cannot open device to get filesystem size "); 391 return 0; 392 } 393 394 if (lseek64(fd, 1024, SEEK_SET) < 0) { 395 SLOGE("Cannot seek to superblock"); 396 return 0; 397 } 398 399 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 400 SLOGE("Cannot read superblock"); 401 return 0; 402 } 403 404 close(fd); 405 406 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 407 SLOGE("Not a valid ext4 superblock"); 408 return 0; 409 } 410 block_size = 1024 << sb.s_log_block_size; 411 /* compute length in bytes */ 412 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 413 414 /* return length in sectors */ 415 return (unsigned int) (len / 512); 416 } 417 418 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 419 { 420 static int cached_data = 0; 421 static off64_t cached_off = 0; 422 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 423 int fd; 424 char key_loc[PROPERTY_VALUE_MAX]; 425 char real_blkdev[PROPERTY_VALUE_MAX]; 426 unsigned int nr_sec; 427 int rc = -1; 428 429 if (!cached_data) { 430 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 431 432 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 433 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 434 SLOGE("Cannot open real block device %s\n", real_blkdev); 435 return -1; 436 } 437 438 if ((nr_sec = get_blkdev_size(fd))) { 439 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 440 * encryption info footer and key, and plenty of bytes to spare for future 441 * growth. 442 */ 443 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 444 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 445 cached_data = 1; 446 } else { 447 SLOGE("Cannot get size of block device %s\n", real_blkdev); 448 } 449 close(fd); 450 } else { 451 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 452 cached_off = 0; 453 cached_data = 1; 454 } 455 } 456 457 if (cached_data) { 458 if (metadata_fname) { 459 *metadata_fname = cached_metadata_fname; 460 } 461 if (off) { 462 *off = cached_off; 463 } 464 rc = 0; 465 } 466 467 return rc; 468 } 469 470 /* key or salt can be NULL, in which case just skip writing that value. Useful to 471 * update the failed mount count but not change the key. 472 */ 473 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 474 { 475 int fd; 476 unsigned int nr_sec, cnt; 477 /* starting_off is set to the SEEK_SET offset 478 * where the crypto structure starts 479 */ 480 off64_t starting_off; 481 int rc = -1; 482 char *fname = NULL; 483 struct stat statbuf; 484 485 if (get_crypt_ftr_info(&fname, &starting_off)) { 486 SLOGE("Unable to get crypt_ftr_info\n"); 487 return -1; 488 } 489 if (fname[0] != '/') { 490 SLOGE("Unexpected value for crypto key location\n"); 491 return -1; 492 } 493 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 494 SLOGE("Cannot open footer file %s for put\n", fname); 495 return -1; 496 } 497 498 /* Seek to the start of the crypt footer */ 499 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 500 SLOGE("Cannot seek to real block device footer\n"); 501 goto errout; 502 } 503 504 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 505 SLOGE("Cannot write real block device footer\n"); 506 goto errout; 507 } 508 509 fstat(fd, &statbuf); 510 /* If the keys are kept on a raw block device, do not try to truncate it. */ 511 if (S_ISREG(statbuf.st_mode)) { 512 if (ftruncate(fd, 0x4000)) { 513 SLOGE("Cannot set footer file size\n"); 514 goto errout; 515 } 516 } 517 518 /* Success! */ 519 rc = 0; 520 521 errout: 522 close(fd); 523 return rc; 524 525 } 526 527 static inline int unix_read(int fd, void* buff, int len) 528 { 529 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 530 } 531 532 static inline int unix_write(int fd, const void* buff, int len) 533 { 534 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 535 } 536 537 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 538 { 539 memset(pdata, 0, len); 540 pdata->persist_magic = PERSIST_DATA_MAGIC; 541 pdata->persist_valid_entries = 0; 542 } 543 544 /* A routine to update the passed in crypt_ftr to the lastest version. 545 * fd is open read/write on the device that holds the crypto footer and persistent 546 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 547 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 548 */ 549 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 550 { 551 int orig_major = crypt_ftr->major_version; 552 int orig_minor = crypt_ftr->minor_version; 553 554 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 555 struct crypt_persist_data *pdata; 556 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 557 558 SLOGW("upgrading crypto footer to 1.1"); 559 560 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 561 if (pdata == NULL) { 562 SLOGE("Cannot allocate persisent data\n"); 563 return; 564 } 565 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 566 567 /* Need to initialize the persistent data area */ 568 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 569 SLOGE("Cannot seek to persisent data offset\n"); 570 return; 571 } 572 /* Write all zeros to the first copy, making it invalid */ 573 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 574 575 /* Write a valid but empty structure to the second copy */ 576 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 577 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 578 579 /* Update the footer */ 580 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 581 crypt_ftr->persist_data_offset[0] = pdata_offset; 582 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 583 crypt_ftr->minor_version = 1; 584 } 585 586 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 587 SLOGW("upgrading crypto footer to 1.2"); 588 /* But keep the old kdf_type. 589 * It will get updated later to KDF_SCRYPT after the password has been verified. 590 */ 591 crypt_ftr->kdf_type = KDF_PBKDF2; 592 get_device_scrypt_params(crypt_ftr); 593 crypt_ftr->minor_version = 2; 594 } 595 596 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 597 SLOGW("upgrading crypto footer to 1.3"); 598 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 599 crypt_ftr->minor_version = 3; 600 } 601 602 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 603 if (lseek64(fd, offset, SEEK_SET) == -1) { 604 SLOGE("Cannot seek to crypt footer\n"); 605 return; 606 } 607 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 608 } 609 } 610 611 612 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 613 { 614 int fd; 615 unsigned int nr_sec, cnt; 616 off64_t starting_off; 617 int rc = -1; 618 char *fname = NULL; 619 struct stat statbuf; 620 621 if (get_crypt_ftr_info(&fname, &starting_off)) { 622 SLOGE("Unable to get crypt_ftr_info\n"); 623 return -1; 624 } 625 if (fname[0] != '/') { 626 SLOGE("Unexpected value for crypto key location\n"); 627 return -1; 628 } 629 if ( (fd = open(fname, O_RDWR)) < 0) { 630 SLOGE("Cannot open footer file %s for get\n", fname); 631 return -1; 632 } 633 634 /* Make sure it's 16 Kbytes in length */ 635 fstat(fd, &statbuf); 636 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 637 SLOGE("footer file %s is not the expected size!\n", fname); 638 goto errout; 639 } 640 641 /* Seek to the start of the crypt footer */ 642 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 643 SLOGE("Cannot seek to real block device footer\n"); 644 goto errout; 645 } 646 647 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 648 SLOGE("Cannot read real block device footer\n"); 649 goto errout; 650 } 651 652 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 653 SLOGE("Bad magic for real block device %s\n", fname); 654 goto errout; 655 } 656 657 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 658 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 659 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 660 goto errout; 661 } 662 663 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 664 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 665 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 666 } 667 668 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 669 * copy on disk before returning. 670 */ 671 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 672 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 673 } 674 675 /* Success! */ 676 rc = 0; 677 678 errout: 679 close(fd); 680 return rc; 681 } 682 683 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 684 { 685 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 686 crypt_ftr->persist_data_offset[1]) { 687 SLOGE("Crypt_ftr persist data regions overlap"); 688 return -1; 689 } 690 691 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 692 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 693 return -1; 694 } 695 696 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 697 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 698 CRYPT_FOOTER_OFFSET) { 699 SLOGE("Persistent data extends past crypto footer"); 700 return -1; 701 } 702 703 return 0; 704 } 705 706 static int load_persistent_data(void) 707 { 708 struct crypt_mnt_ftr crypt_ftr; 709 struct crypt_persist_data *pdata = NULL; 710 char encrypted_state[PROPERTY_VALUE_MAX]; 711 char *fname; 712 int found = 0; 713 int fd; 714 int ret; 715 int i; 716 717 if (persist_data) { 718 /* Nothing to do, we've already loaded or initialized it */ 719 return 0; 720 } 721 722 723 /* If not encrypted, just allocate an empty table and initialize it */ 724 property_get("ro.crypto.state", encrypted_state, ""); 725 if (strcmp(encrypted_state, "encrypted") ) { 726 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 727 if (pdata) { 728 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 729 persist_data = pdata; 730 return 0; 731 } 732 return -1; 733 } 734 735 if(get_crypt_ftr_and_key(&crypt_ftr)) { 736 return -1; 737 } 738 739 if ((crypt_ftr.major_version < 1) 740 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 741 SLOGE("Crypt_ftr version doesn't support persistent data"); 742 return -1; 743 } 744 745 if (get_crypt_ftr_info(&fname, NULL)) { 746 return -1; 747 } 748 749 ret = validate_persistent_data_storage(&crypt_ftr); 750 if (ret) { 751 return -1; 752 } 753 754 fd = open(fname, O_RDONLY); 755 if (fd < 0) { 756 SLOGE("Cannot open %s metadata file", fname); 757 return -1; 758 } 759 760 if (persist_data == NULL) { 761 pdata = malloc(crypt_ftr.persist_data_size); 762 if (pdata == NULL) { 763 SLOGE("Cannot allocate memory for persistent data"); 764 goto err; 765 } 766 } 767 768 for (i = 0; i < 2; i++) { 769 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 770 SLOGE("Cannot seek to read persistent data on %s", fname); 771 goto err2; 772 } 773 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 774 SLOGE("Error reading persistent data on iteration %d", i); 775 goto err2; 776 } 777 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 778 found = 1; 779 break; 780 } 781 } 782 783 if (!found) { 784 SLOGI("Could not find valid persistent data, creating"); 785 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 786 } 787 788 /* Success */ 789 persist_data = pdata; 790 close(fd); 791 return 0; 792 793 err2: 794 free(pdata); 795 796 err: 797 close(fd); 798 return -1; 799 } 800 801 static int save_persistent_data(void) 802 { 803 struct crypt_mnt_ftr crypt_ftr; 804 struct crypt_persist_data *pdata; 805 char *fname; 806 off64_t write_offset; 807 off64_t erase_offset; 808 int found = 0; 809 int fd; 810 int ret; 811 812 if (persist_data == NULL) { 813 SLOGE("No persistent data to save"); 814 return -1; 815 } 816 817 if(get_crypt_ftr_and_key(&crypt_ftr)) { 818 return -1; 819 } 820 821 if ((crypt_ftr.major_version < 1) 822 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 823 SLOGE("Crypt_ftr version doesn't support persistent data"); 824 return -1; 825 } 826 827 ret = validate_persistent_data_storage(&crypt_ftr); 828 if (ret) { 829 return -1; 830 } 831 832 if (get_crypt_ftr_info(&fname, NULL)) { 833 return -1; 834 } 835 836 fd = open(fname, O_RDWR); 837 if (fd < 0) { 838 SLOGE("Cannot open %s metadata file", fname); 839 return -1; 840 } 841 842 pdata = malloc(crypt_ftr.persist_data_size); 843 if (pdata == NULL) { 844 SLOGE("Cannot allocate persistant data"); 845 goto err; 846 } 847 848 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 849 SLOGE("Cannot seek to read persistent data on %s", fname); 850 goto err2; 851 } 852 853 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 854 SLOGE("Error reading persistent data before save"); 855 goto err2; 856 } 857 858 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 859 /* The first copy is the curent valid copy, so write to 860 * the second copy and erase this one */ 861 write_offset = crypt_ftr.persist_data_offset[1]; 862 erase_offset = crypt_ftr.persist_data_offset[0]; 863 } else { 864 /* The second copy must be the valid copy, so write to 865 * the first copy, and erase the second */ 866 write_offset = crypt_ftr.persist_data_offset[0]; 867 erase_offset = crypt_ftr.persist_data_offset[1]; 868 } 869 870 /* Write the new copy first, if successful, then erase the old copy */ 871 if (lseek(fd, write_offset, SEEK_SET) < 0) { 872 SLOGE("Cannot seek to write persistent data"); 873 goto err2; 874 } 875 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 876 (int) crypt_ftr.persist_data_size) { 877 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 878 SLOGE("Cannot seek to erase previous persistent data"); 879 goto err2; 880 } 881 fsync(fd); 882 memset(pdata, 0, crypt_ftr.persist_data_size); 883 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 884 (int) crypt_ftr.persist_data_size) { 885 SLOGE("Cannot write to erase previous persistent data"); 886 goto err2; 887 } 888 fsync(fd); 889 } else { 890 SLOGE("Cannot write to save persistent data"); 891 goto err2; 892 } 893 894 /* Success */ 895 free(pdata); 896 close(fd); 897 return 0; 898 899 err2: 900 free(pdata); 901 err: 902 close(fd); 903 return -1; 904 } 905 906 static int hexdigit (char c) 907 { 908 if (c >= '0' && c <= '9') return c - '0'; 909 c = tolower(c); 910 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 911 return -1; 912 } 913 914 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 915 unsigned int* out_keysize) 916 { 917 unsigned int i; 918 *out_keysize = 0; 919 920 size_t size = strlen (master_key_ascii); 921 if (size % 2) { 922 SLOGE("Trying to convert ascii string of odd length"); 923 return NULL; 924 } 925 926 unsigned char* master_key = (unsigned char*) malloc(size / 2); 927 if (master_key == 0) { 928 SLOGE("Cannot allocate"); 929 return NULL; 930 } 931 932 for (i = 0; i < size; i += 2) { 933 int high_nibble = hexdigit (master_key_ascii[i]); 934 int low_nibble = hexdigit (master_key_ascii[i + 1]); 935 936 if(high_nibble < 0 || low_nibble < 0) { 937 SLOGE("Invalid hex string"); 938 free (master_key); 939 return NULL; 940 } 941 942 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 943 (*out_keysize)++; 944 } 945 946 return master_key; 947 } 948 949 /* Convert a binary key of specified length into an ascii hex string equivalent, 950 * without the leading 0x and with null termination 951 */ 952 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 953 char *master_key_ascii) 954 { 955 unsigned int i, a; 956 unsigned char nibble; 957 958 for (i=0, a=0; i<keysize; i++, a+=2) { 959 /* For each byte, write out two ascii hex digits */ 960 nibble = (master_key[i] >> 4) & 0xf; 961 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 962 963 nibble = master_key[i] & 0xf; 964 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 965 } 966 967 /* Add the null termination */ 968 master_key_ascii[a] = '\0'; 969 970 } 971 972 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 973 char *real_blk_name, const char *name, int fd, 974 char *extra_params) 975 { 976 char buffer[DM_CRYPT_BUF_SIZE]; 977 struct dm_ioctl *io; 978 struct dm_target_spec *tgt; 979 char *crypt_params; 980 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 981 int i; 982 983 io = (struct dm_ioctl *) buffer; 984 985 /* Load the mapping table for this device */ 986 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 987 988 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 989 io->target_count = 1; 990 tgt->status = 0; 991 tgt->sector_start = 0; 992 tgt->length = crypt_ftr->fs_size; 993 strcpy(tgt->target_type, "crypt"); 994 995 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 996 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 997 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 998 master_key_ascii, real_blk_name, extra_params); 999 crypt_params += strlen(crypt_params) + 1; 1000 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1001 tgt->next = crypt_params - buffer; 1002 1003 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1004 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1005 break; 1006 } 1007 usleep(500000); 1008 } 1009 1010 if (i == TABLE_LOAD_RETRIES) { 1011 /* We failed to load the table, return an error */ 1012 return -1; 1013 } else { 1014 return i + 1; 1015 } 1016 } 1017 1018 1019 static int get_dm_crypt_version(int fd, const char *name, int *version) 1020 { 1021 char buffer[DM_CRYPT_BUF_SIZE]; 1022 struct dm_ioctl *io; 1023 struct dm_target_versions *v; 1024 int i; 1025 1026 io = (struct dm_ioctl *) buffer; 1027 1028 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1029 1030 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1031 return -1; 1032 } 1033 1034 /* Iterate over the returned versions, looking for name of "crypt". 1035 * When found, get and return the version. 1036 */ 1037 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1038 while (v->next) { 1039 if (! strcmp(v->name, "crypt")) { 1040 /* We found the crypt driver, return the version, and get out */ 1041 version[0] = v->version[0]; 1042 version[1] = v->version[1]; 1043 version[2] = v->version[2]; 1044 return 0; 1045 } 1046 v = (struct dm_target_versions *)(((char *)v) + v->next); 1047 } 1048 1049 return -1; 1050 } 1051 1052 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1053 char *real_blk_name, char *crypto_blk_name, const char *name) 1054 { 1055 char buffer[DM_CRYPT_BUF_SIZE]; 1056 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1057 char *crypt_params; 1058 struct dm_ioctl *io; 1059 struct dm_target_spec *tgt; 1060 unsigned int minor; 1061 int fd; 1062 int i; 1063 int retval = -1; 1064 int version[3]; 1065 char *extra_params; 1066 int load_count; 1067 1068 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1069 SLOGE("Cannot open device-mapper\n"); 1070 goto errout; 1071 } 1072 1073 io = (struct dm_ioctl *) buffer; 1074 1075 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1076 if (ioctl(fd, DM_DEV_CREATE, io)) { 1077 SLOGE("Cannot create dm-crypt device\n"); 1078 goto errout; 1079 } 1080 1081 /* Get the device status, in particular, the name of it's device file */ 1082 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1083 if (ioctl(fd, DM_DEV_STATUS, io)) { 1084 SLOGE("Cannot retrieve dm-crypt device status\n"); 1085 goto errout; 1086 } 1087 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1088 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1089 1090 extra_params = ""; 1091 if (! get_dm_crypt_version(fd, name, version)) { 1092 /* Support for allow_discards was added in version 1.11.0 */ 1093 if ((version[0] >= 2) || 1094 ((version[0] == 1) && (version[1] >= 11))) { 1095 extra_params = "1 allow_discards"; 1096 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1097 } 1098 } 1099 1100 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1101 fd, extra_params); 1102 if (load_count < 0) { 1103 SLOGE("Cannot load dm-crypt mapping table.\n"); 1104 goto errout; 1105 } else if (load_count > 1) { 1106 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1107 } 1108 1109 /* Resume this device to activate it */ 1110 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1111 1112 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1113 SLOGE("Cannot resume the dm-crypt device\n"); 1114 goto errout; 1115 } 1116 1117 /* We made it here with no errors. Woot! */ 1118 retval = 0; 1119 1120 errout: 1121 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1122 1123 return retval; 1124 } 1125 1126 static int delete_crypto_blk_dev(char *name) 1127 { 1128 int fd; 1129 char buffer[DM_CRYPT_BUF_SIZE]; 1130 struct dm_ioctl *io; 1131 int retval = -1; 1132 1133 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1134 SLOGE("Cannot open device-mapper\n"); 1135 goto errout; 1136 } 1137 1138 io = (struct dm_ioctl *) buffer; 1139 1140 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1141 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1142 SLOGE("Cannot remove dm-crypt device\n"); 1143 goto errout; 1144 } 1145 1146 /* We made it here with no errors. Woot! */ 1147 retval = 0; 1148 1149 errout: 1150 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1151 1152 return retval; 1153 1154 } 1155 1156 static int pbkdf2(const char *passwd, const unsigned char *salt, 1157 unsigned char *ikey, void *params UNUSED) 1158 { 1159 SLOGI("Using pbkdf2 for cryptfs KDF"); 1160 1161 /* Turn the password into a key and IV that can decrypt the master key */ 1162 unsigned int keysize; 1163 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1164 if (!master_key) return -1; 1165 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1166 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1167 1168 memset(master_key, 0, keysize); 1169 free (master_key); 1170 return 0; 1171 } 1172 1173 static int scrypt(const char *passwd, const unsigned char *salt, 1174 unsigned char *ikey, void *params) 1175 { 1176 SLOGI("Using scrypt for cryptfs KDF"); 1177 1178 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1179 1180 int N = 1 << ftr->N_factor; 1181 int r = 1 << ftr->r_factor; 1182 int p = 1 << ftr->p_factor; 1183 1184 /* Turn the password into a key and IV that can decrypt the master key */ 1185 unsigned int keysize; 1186 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1187 if (!master_key) return -1; 1188 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1189 KEY_LEN_BYTES + IV_LEN_BYTES); 1190 1191 memset(master_key, 0, keysize); 1192 free (master_key); 1193 return 0; 1194 } 1195 1196 static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1197 unsigned char *ikey, void *params) 1198 { 1199 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1200 1201 int rc; 1202 unsigned int key_size; 1203 size_t signature_size; 1204 unsigned char* signature; 1205 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1206 1207 int N = 1 << ftr->N_factor; 1208 int r = 1 << ftr->r_factor; 1209 int p = 1 << ftr->p_factor; 1210 1211 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1212 if (!master_key) { 1213 SLOGE("Failed to convert passwd from hex"); 1214 return -1; 1215 } 1216 1217 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1218 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1219 memset(master_key, 0, key_size); 1220 free(master_key); 1221 1222 if (rc) { 1223 SLOGE("scrypt failed"); 1224 return -1; 1225 } 1226 1227 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1228 &signature, &signature_size)) { 1229 SLOGE("Signing failed"); 1230 return -1; 1231 } 1232 1233 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1234 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1235 free(signature); 1236 1237 if (rc) { 1238 SLOGE("scrypt failed"); 1239 return -1; 1240 } 1241 1242 return 0; 1243 } 1244 1245 static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1246 const unsigned char *decrypted_master_key, 1247 unsigned char *encrypted_master_key, 1248 struct crypt_mnt_ftr *crypt_ftr) 1249 { 1250 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1251 EVP_CIPHER_CTX e_ctx; 1252 int encrypted_len, final_len; 1253 int rc = 0; 1254 1255 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1256 get_device_scrypt_params(crypt_ftr); 1257 1258 switch (crypt_ftr->kdf_type) { 1259 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1260 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1261 case KDF_SCRYPT_KEYMASTER: 1262 if (keymaster_create_key(crypt_ftr)) { 1263 SLOGE("keymaster_create_key failed"); 1264 return -1; 1265 } 1266 1267 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1268 SLOGE("scrypt failed"); 1269 return -1; 1270 } 1271 break; 1272 1273 case KDF_SCRYPT: 1274 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1275 SLOGE("scrypt failed"); 1276 return -1; 1277 } 1278 break; 1279 1280 default: 1281 SLOGE("Invalid kdf_type"); 1282 return -1; 1283 } 1284 1285 /* Initialize the decryption engine */ 1286 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1287 SLOGE("EVP_EncryptInit failed\n"); 1288 return -1; 1289 } 1290 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1291 1292 /* Encrypt the master key */ 1293 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1294 decrypted_master_key, KEY_LEN_BYTES)) { 1295 SLOGE("EVP_EncryptUpdate failed\n"); 1296 return -1; 1297 } 1298 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1299 SLOGE("EVP_EncryptFinal failed\n"); 1300 return -1; 1301 } 1302 1303 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1304 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1305 return -1; 1306 } 1307 1308 /* Store the scrypt of the intermediate key, so we can validate if it's a 1309 password error or mount error when things go wrong. 1310 Note there's no need to check for errors, since if this is incorrect, we 1311 simply won't wipe userdata, which is the correct default behavior 1312 */ 1313 int N = 1 << crypt_ftr->N_factor; 1314 int r = 1 << crypt_ftr->r_factor; 1315 int p = 1 << crypt_ftr->p_factor; 1316 1317 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1318 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1319 crypt_ftr->scrypted_intermediate_key, 1320 sizeof(crypt_ftr->scrypted_intermediate_key)); 1321 1322 if (rc) { 1323 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1324 } 1325 1326 return 0; 1327 } 1328 1329 static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1330 unsigned char *encrypted_master_key, 1331 unsigned char *decrypted_master_key, 1332 kdf_func kdf, void *kdf_params, 1333 unsigned char** intermediate_key, 1334 size_t* intermediate_key_size) 1335 { 1336 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1337 EVP_CIPHER_CTX d_ctx; 1338 int decrypted_len, final_len; 1339 1340 /* Turn the password into an intermediate key and IV that can decrypt the 1341 master key */ 1342 if (kdf(passwd, salt, ikey, kdf_params)) { 1343 SLOGE("kdf failed"); 1344 return -1; 1345 } 1346 1347 /* Initialize the decryption engine */ 1348 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1349 return -1; 1350 } 1351 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1352 /* Decrypt the master key */ 1353 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1354 encrypted_master_key, KEY_LEN_BYTES)) { 1355 return -1; 1356 } 1357 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1358 return -1; 1359 } 1360 1361 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1362 return -1; 1363 } 1364 1365 /* Copy intermediate key if needed by params */ 1366 if (intermediate_key && intermediate_key_size) { 1367 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1368 if (intermediate_key) { 1369 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1370 *intermediate_key_size = KEY_LEN_BYTES; 1371 } 1372 } 1373 1374 return 0; 1375 } 1376 1377 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1378 { 1379 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1380 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1381 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1382 *kdf = scrypt_keymaster; 1383 *kdf_params = ftr; 1384 } else if (ftr->kdf_type == KDF_SCRYPT) { 1385 *kdf = scrypt; 1386 *kdf_params = ftr; 1387 } else { 1388 *kdf = pbkdf2; 1389 *kdf_params = NULL; 1390 } 1391 } 1392 1393 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1394 struct crypt_mnt_ftr *crypt_ftr, 1395 unsigned char** intermediate_key, 1396 size_t* intermediate_key_size) 1397 { 1398 kdf_func kdf; 1399 void *kdf_params; 1400 int ret; 1401 1402 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1403 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1404 decrypted_master_key, kdf, kdf_params, 1405 intermediate_key, intermediate_key_size); 1406 if (ret != 0) { 1407 SLOGW("failure decrypting master key"); 1408 } 1409 1410 return ret; 1411 } 1412 1413 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1414 struct crypt_mnt_ftr *crypt_ftr) { 1415 int fd; 1416 unsigned char key_buf[KEY_LEN_BYTES]; 1417 EVP_CIPHER_CTX e_ctx; 1418 int encrypted_len, final_len; 1419 1420 /* Get some random bits for a key */ 1421 fd = open("/dev/urandom", O_RDONLY); 1422 read(fd, key_buf, sizeof(key_buf)); 1423 read(fd, salt, SALT_LEN); 1424 close(fd); 1425 1426 /* Now encrypt it with the password */ 1427 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1428 } 1429 1430 static int wait_and_unmount(char *mountpoint, bool kill) 1431 { 1432 int i, err, rc; 1433 #define WAIT_UNMOUNT_COUNT 20 1434 1435 /* Now umount the tmpfs filesystem */ 1436 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1437 if (umount(mountpoint) == 0) { 1438 break; 1439 } 1440 1441 if (errno == EINVAL) { 1442 /* EINVAL is returned if the directory is not a mountpoint, 1443 * i.e. there is no filesystem mounted there. So just get out. 1444 */ 1445 break; 1446 } 1447 1448 err = errno; 1449 1450 /* If allowed, be increasingly aggressive before the last two retries */ 1451 if (kill) { 1452 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1453 SLOGW("sending SIGHUP to processes with open files\n"); 1454 vold_killProcessesWithOpenFiles(mountpoint, 1); 1455 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1456 SLOGW("sending SIGKILL to processes with open files\n"); 1457 vold_killProcessesWithOpenFiles(mountpoint, 2); 1458 } 1459 } 1460 1461 sleep(1); 1462 } 1463 1464 if (i < WAIT_UNMOUNT_COUNT) { 1465 SLOGD("unmounting %s succeeded\n", mountpoint); 1466 rc = 0; 1467 } else { 1468 vold_killProcessesWithOpenFiles(mountpoint, 0); 1469 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1470 rc = -1; 1471 } 1472 1473 return rc; 1474 } 1475 1476 #define DATA_PREP_TIMEOUT 200 1477 static int prep_data_fs(void) 1478 { 1479 int i; 1480 1481 /* Do the prep of the /data filesystem */ 1482 property_set("vold.post_fs_data_done", "0"); 1483 property_set("vold.decrypt", "trigger_post_fs_data"); 1484 SLOGD("Just triggered post_fs_data\n"); 1485 1486 /* Wait a max of 50 seconds, hopefully it takes much less */ 1487 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1488 char p[PROPERTY_VALUE_MAX]; 1489 1490 property_get("vold.post_fs_data_done", p, "0"); 1491 if (*p == '1') { 1492 break; 1493 } else { 1494 usleep(250000); 1495 } 1496 } 1497 if (i == DATA_PREP_TIMEOUT) { 1498 /* Ugh, we failed to prep /data in time. Bail. */ 1499 SLOGE("post_fs_data timed out!\n"); 1500 return -1; 1501 } else { 1502 SLOGD("post_fs_data done\n"); 1503 return 0; 1504 } 1505 } 1506 1507 static void cryptfs_set_corrupt() 1508 { 1509 // Mark the footer as bad 1510 struct crypt_mnt_ftr crypt_ftr; 1511 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1512 SLOGE("Failed to get crypto footer - panic"); 1513 return; 1514 } 1515 1516 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1517 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1518 SLOGE("Failed to set crypto footer - panic"); 1519 return; 1520 } 1521 } 1522 1523 static void cryptfs_trigger_restart_min_framework() 1524 { 1525 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1526 SLOGE("Failed to mount tmpfs on data - panic"); 1527 return; 1528 } 1529 1530 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1531 SLOGE("Failed to trigger post fs data - panic"); 1532 return; 1533 } 1534 1535 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1536 SLOGE("Failed to trigger restart min framework - panic"); 1537 return; 1538 } 1539 } 1540 1541 /* returns < 0 on failure */ 1542 static int cryptfs_restart_internal(int restart_main) 1543 { 1544 char fs_type[32]; 1545 char real_blkdev[MAXPATHLEN]; 1546 char crypto_blkdev[MAXPATHLEN]; 1547 char fs_options[256]; 1548 unsigned long mnt_flags; 1549 struct stat statbuf; 1550 int rc = -1, i; 1551 static int restart_successful = 0; 1552 1553 /* Validate that it's OK to call this routine */ 1554 if (! master_key_saved) { 1555 SLOGE("Encrypted filesystem not validated, aborting"); 1556 return -1; 1557 } 1558 1559 if (restart_successful) { 1560 SLOGE("System already restarted with encrypted disk, aborting"); 1561 return -1; 1562 } 1563 1564 if (restart_main) { 1565 /* Here is where we shut down the framework. The init scripts 1566 * start all services in one of three classes: core, main or late_start. 1567 * On boot, we start core and main. Now, we stop main, but not core, 1568 * as core includes vold and a few other really important things that 1569 * we need to keep running. Once main has stopped, we should be able 1570 * to umount the tmpfs /data, then mount the encrypted /data. 1571 * We then restart the class main, and also the class late_start. 1572 * At the moment, I've only put a few things in late_start that I know 1573 * are not needed to bring up the framework, and that also cause problems 1574 * with unmounting the tmpfs /data, but I hope to add add more services 1575 * to the late_start class as we optimize this to decrease the delay 1576 * till the user is asked for the password to the filesystem. 1577 */ 1578 1579 /* The init files are setup to stop the class main when vold.decrypt is 1580 * set to trigger_reset_main. 1581 */ 1582 property_set("vold.decrypt", "trigger_reset_main"); 1583 SLOGD("Just asked init to shut down class main\n"); 1584 1585 /* Ugh, shutting down the framework is not synchronous, so until it 1586 * can be fixed, this horrible hack will wait a moment for it all to 1587 * shut down before proceeding. Without it, some devices cannot 1588 * restart the graphics services. 1589 */ 1590 sleep(2); 1591 } 1592 1593 /* Now that the framework is shutdown, we should be able to umount() 1594 * the tmpfs filesystem, and mount the real one. 1595 */ 1596 1597 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1598 if (strlen(crypto_blkdev) == 0) { 1599 SLOGE("fs_crypto_blkdev not set\n"); 1600 return -1; 1601 } 1602 1603 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1604 /* If ro.crypto.readonly is set to 1, mount the decrypted 1605 * filesystem readonly. This is used when /data is mounted by 1606 * recovery mode. 1607 */ 1608 char ro_prop[PROPERTY_VALUE_MAX]; 1609 property_get("ro.crypto.readonly", ro_prop, ""); 1610 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1611 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1612 rec->flags |= MS_RDONLY; 1613 } 1614 1615 /* If that succeeded, then mount the decrypted filesystem */ 1616 int retries = RETRY_MOUNT_ATTEMPTS; 1617 int mount_rc; 1618 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1619 crypto_blkdev, 0)) 1620 != 0) { 1621 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1622 /* TODO: invoke something similar to 1623 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1624 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1625 SLOGI("Failed to mount %s because it is busy - waiting", 1626 crypto_blkdev); 1627 if (--retries) { 1628 sleep(RETRY_MOUNT_DELAY_SECONDS); 1629 } else { 1630 /* Let's hope that a reboot clears away whatever is keeping 1631 the mount busy */ 1632 cryptfs_reboot(reboot); 1633 } 1634 } else { 1635 SLOGE("Failed to mount decrypted data"); 1636 cryptfs_set_corrupt(); 1637 cryptfs_trigger_restart_min_framework(); 1638 SLOGI("Started framework to offer wipe"); 1639 return -1; 1640 } 1641 } 1642 1643 property_set("vold.decrypt", "trigger_load_persist_props"); 1644 /* Create necessary paths on /data */ 1645 if (prep_data_fs()) { 1646 return -1; 1647 } 1648 1649 /* startup service classes main and late_start */ 1650 property_set("vold.decrypt", "trigger_restart_framework"); 1651 SLOGD("Just triggered restart_framework\n"); 1652 1653 /* Give it a few moments to get started */ 1654 sleep(1); 1655 } 1656 1657 if (rc == 0) { 1658 restart_successful = 1; 1659 } 1660 1661 return rc; 1662 } 1663 1664 int cryptfs_restart(void) 1665 { 1666 /* Call internal implementation forcing a restart of main service group */ 1667 return cryptfs_restart_internal(1); 1668 } 1669 1670 static int do_crypto_complete(char *mount_point UNUSED) 1671 { 1672 struct crypt_mnt_ftr crypt_ftr; 1673 char encrypted_state[PROPERTY_VALUE_MAX]; 1674 char key_loc[PROPERTY_VALUE_MAX]; 1675 1676 property_get("ro.crypto.state", encrypted_state, ""); 1677 if (strcmp(encrypted_state, "encrypted") ) { 1678 SLOGE("not running with encryption, aborting"); 1679 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1680 } 1681 1682 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1683 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1684 1685 /* 1686 * Only report this error if key_loc is a file and it exists. 1687 * If the device was never encrypted, and /data is not mountable for 1688 * some reason, returning 1 should prevent the UI from presenting the 1689 * a "enter password" screen, or worse, a "press button to wipe the 1690 * device" screen. 1691 */ 1692 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1693 SLOGE("master key file does not exist, aborting"); 1694 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1695 } else { 1696 SLOGE("Error getting crypt footer and key\n"); 1697 return CRYPTO_COMPLETE_BAD_METADATA; 1698 } 1699 } 1700 1701 // Test for possible error flags 1702 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1703 SLOGE("Encryption process is partway completed\n"); 1704 return CRYPTO_COMPLETE_PARTIAL; 1705 } 1706 1707 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1708 SLOGE("Encryption process was interrupted but cannot continue\n"); 1709 return CRYPTO_COMPLETE_INCONSISTENT; 1710 } 1711 1712 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1713 SLOGE("Encryption is successful but data is corrupt\n"); 1714 return CRYPTO_COMPLETE_CORRUPT; 1715 } 1716 1717 /* We passed the test! We shall diminish, and return to the west */ 1718 return CRYPTO_COMPLETE_ENCRYPTED; 1719 } 1720 1721 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1722 char *passwd, char *mount_point, char *label) 1723 { 1724 /* Allocate enough space for a 256 bit key, but we may use less */ 1725 unsigned char decrypted_master_key[32]; 1726 char crypto_blkdev[MAXPATHLEN]; 1727 char real_blkdev[MAXPATHLEN]; 1728 char tmp_mount_point[64]; 1729 unsigned int orig_failed_decrypt_count; 1730 int rc; 1731 kdf_func kdf; 1732 void *kdf_params; 1733 int use_keymaster = 0; 1734 int upgrade = 0; 1735 unsigned char* intermediate_key = 0; 1736 size_t intermediate_key_size = 0; 1737 1738 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1739 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1740 1741 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1742 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1743 &intermediate_key, &intermediate_key_size)) { 1744 SLOGE("Failed to decrypt master key\n"); 1745 rc = -1; 1746 goto errout; 1747 } 1748 } 1749 1750 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1751 1752 // Create crypto block device - all (non fatal) code paths 1753 // need it 1754 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1755 real_blkdev, crypto_blkdev, label)) { 1756 SLOGE("Error creating decrypted block device\n"); 1757 rc = -1; 1758 goto errout; 1759 } 1760 1761 /* Work out if the problem is the password or the data */ 1762 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1763 scrypted_intermediate_key)]; 1764 int N = 1 << crypt_ftr->N_factor; 1765 int r = 1 << crypt_ftr->r_factor; 1766 int p = 1 << crypt_ftr->p_factor; 1767 1768 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1769 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1770 N, r, p, scrypted_intermediate_key, 1771 sizeof(scrypted_intermediate_key)); 1772 1773 // Does the key match the crypto footer? 1774 if (rc == 0 && memcmp(scrypted_intermediate_key, 1775 crypt_ftr->scrypted_intermediate_key, 1776 sizeof(scrypted_intermediate_key)) == 0) { 1777 SLOGI("Password matches"); 1778 rc = 0; 1779 } else { 1780 /* Try mounting the file system anyway, just in case the problem's with 1781 * the footer, not the key. */ 1782 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1783 mkdir(tmp_mount_point, 0755); 1784 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1785 SLOGE("Error temp mounting decrypted block device\n"); 1786 delete_crypto_blk_dev(label); 1787 1788 rc = ++crypt_ftr->failed_decrypt_count; 1789 put_crypt_ftr_and_key(crypt_ftr); 1790 } else { 1791 /* Success! */ 1792 SLOGI("Password did not match but decrypted drive mounted - continue"); 1793 umount(tmp_mount_point); 1794 rc = 0; 1795 } 1796 } 1797 1798 if (rc == 0) { 1799 crypt_ftr->failed_decrypt_count = 0; 1800 if (orig_failed_decrypt_count != 0) { 1801 put_crypt_ftr_and_key(crypt_ftr); 1802 } 1803 1804 /* Save the name of the crypto block device 1805 * so we can mount it when restarting the framework. */ 1806 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1807 1808 /* Also save a the master key so we can reencrypted the key 1809 * the key when we want to change the password on it. */ 1810 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1811 saved_mount_point = strdup(mount_point); 1812 master_key_saved = 1; 1813 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1814 rc = 0; 1815 1816 // Upgrade if we're not using the latest KDF. 1817 use_keymaster = keymaster_check_compatibility(); 1818 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1819 // Don't allow downgrade 1820 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1821 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1822 upgrade = 1; 1823 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1824 crypt_ftr->kdf_type = KDF_SCRYPT; 1825 upgrade = 1; 1826 } 1827 1828 if (upgrade) { 1829 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1830 crypt_ftr->master_key, crypt_ftr); 1831 if (!rc) { 1832 rc = put_crypt_ftr_and_key(crypt_ftr); 1833 } 1834 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1835 1836 // Do not fail even if upgrade failed - machine is bootable 1837 // Note that if this code is ever hit, there is a *serious* problem 1838 // since KDFs should never fail. You *must* fix the kdf before 1839 // proceeding! 1840 if (rc) { 1841 SLOGW("Upgrade failed with error %d," 1842 " but continuing with previous state", 1843 rc); 1844 rc = 0; 1845 } 1846 } 1847 } 1848 1849 errout: 1850 if (intermediate_key) { 1851 memset(intermediate_key, 0, intermediate_key_size); 1852 free(intermediate_key); 1853 } 1854 return rc; 1855 } 1856 1857 /* Called by vold when it wants to undo the crypto mapping of a volume it 1858 * manages. This is usually in response to a factory reset, when we want 1859 * to undo the crypto mapping so the volume is formatted in the clear. 1860 */ 1861 int cryptfs_revert_volume(const char *label) 1862 { 1863 return delete_crypto_blk_dev((char *)label); 1864 } 1865 1866 /* 1867 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1868 * Setup a dm-crypt mapping, use the saved master key from 1869 * setting up the /data mapping, and return the new device path. 1870 */ 1871 int cryptfs_setup_volume(const char *label, int major, int minor, 1872 char *crypto_sys_path, unsigned int max_path, 1873 int *new_major, int *new_minor) 1874 { 1875 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1876 struct crypt_mnt_ftr sd_crypt_ftr; 1877 struct stat statbuf; 1878 int nr_sec, fd; 1879 1880 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1881 1882 get_crypt_ftr_and_key(&sd_crypt_ftr); 1883 1884 /* Update the fs_size field to be the size of the volume */ 1885 fd = open(real_blkdev, O_RDONLY); 1886 nr_sec = get_blkdev_size(fd); 1887 close(fd); 1888 if (nr_sec == 0) { 1889 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1890 return -1; 1891 } 1892 1893 sd_crypt_ftr.fs_size = nr_sec; 1894 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1895 crypto_blkdev, label); 1896 1897 stat(crypto_blkdev, &statbuf); 1898 *new_major = MAJOR(statbuf.st_rdev); 1899 *new_minor = MINOR(statbuf.st_rdev); 1900 1901 /* Create path to sys entry for this block device */ 1902 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1903 1904 return 0; 1905 } 1906 1907 int cryptfs_crypto_complete(void) 1908 { 1909 return do_crypto_complete("/data"); 1910 } 1911 1912 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1913 { 1914 char encrypted_state[PROPERTY_VALUE_MAX]; 1915 property_get("ro.crypto.state", encrypted_state, ""); 1916 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1917 SLOGE("encrypted fs already validated or not running with encryption," 1918 " aborting"); 1919 return -1; 1920 } 1921 1922 if (get_crypt_ftr_and_key(crypt_ftr)) { 1923 SLOGE("Error getting crypt footer and key"); 1924 return -1; 1925 } 1926 1927 return 0; 1928 } 1929 1930 /* 1931 * TODO - transition patterns to new format in calling code 1932 * and remove this vile hack, and the use of hex in 1933 * the password passing code. 1934 * 1935 * Patterns are passed in zero based (i.e. the top left dot 1936 * is represented by zero, the top middle one etc), but we want 1937 * to store them '1' based. 1938 * This is to allow us to migrate the calling code to use this 1939 * convention. It also solves a nasty problem whereby scrypt ignores 1940 * trailing zeros, so patterns ending at the top left could be 1941 * truncated, and similarly, you could add the top left to any 1942 * pattern and still match. 1943 * adjust_passwd is a hack function that returns the alternate representation 1944 * if the password appears to be a pattern (hex numbers all less than 09) 1945 * If it succeeds we need to try both, and in particular try the alternate 1946 * first. If the original matches, then we need to update the footer 1947 * with the alternate. 1948 * All code that accepts passwords must adjust them first. Since 1949 * cryptfs_check_passwd is always the first function called after a migration 1950 * (and indeed on any boot) we only need to do the double try in this 1951 * function. 1952 */ 1953 char* adjust_passwd(const char* passwd) 1954 { 1955 size_t index, length; 1956 1957 if (!passwd) { 1958 return 0; 1959 } 1960 1961 // Check even length. Hex encoded passwords are always 1962 // an even length, since each character encodes to two characters. 1963 length = strlen(passwd); 1964 if (length % 2) { 1965 SLOGW("Password not correctly hex encoded."); 1966 return 0; 1967 } 1968 1969 // Check password is old-style pattern - a collection of hex 1970 // encoded bytes less than 9 (00 through 08) 1971 for (index = 0; index < length; index +=2) { 1972 if (passwd[index] != '0' 1973 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 1974 return 0; 1975 } 1976 } 1977 1978 // Allocate room for adjusted passwd and null terminate 1979 char* adjusted = malloc(length + 1); 1980 adjusted[length] = 0; 1981 1982 // Add 0x31 ('1') to each character 1983 for (index = 0; index < length; index += 2) { 1984 // output is 31 through 39 so set first byte to three, second to src + 1 1985 adjusted[index] = '3'; 1986 adjusted[index + 1] = passwd[index + 1] + 1; 1987 } 1988 1989 return adjusted; 1990 } 1991 1992 int cryptfs_check_passwd(char *passwd) 1993 { 1994 struct crypt_mnt_ftr crypt_ftr; 1995 int rc; 1996 1997 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1998 if (rc) 1999 return rc; 2000 2001 char* adjusted_passwd = adjust_passwd(passwd); 2002 if (adjusted_passwd) { 2003 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2004 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2005 DATA_MNT_POINT, "userdata"); 2006 2007 // Maybe the original one still works? 2008 if (rc) { 2009 // Don't double count this failure 2010 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2011 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2012 DATA_MNT_POINT, "userdata"); 2013 if (!rc) { 2014 // cryptfs_changepw also adjusts so pass original 2015 // Note that adjust_passwd only recognises patterns 2016 // so we can safely use CRYPT_TYPE_PATTERN 2017 SLOGI("Updating pattern to new format"); 2018 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2019 } 2020 } 2021 free(adjusted_passwd); 2022 } else { 2023 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2024 DATA_MNT_POINT, "userdata"); 2025 } 2026 2027 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2028 cryptfs_clear_password(); 2029 password = strdup(passwd); 2030 struct timespec now; 2031 clock_gettime(CLOCK_BOOTTIME, &now); 2032 password_expiry_time = now.tv_sec + password_max_age_seconds; 2033 } 2034 2035 return rc; 2036 } 2037 2038 int cryptfs_verify_passwd(char *passwd) 2039 { 2040 struct crypt_mnt_ftr crypt_ftr; 2041 /* Allocate enough space for a 256 bit key, but we may use less */ 2042 unsigned char decrypted_master_key[32]; 2043 char encrypted_state[PROPERTY_VALUE_MAX]; 2044 int rc; 2045 2046 property_get("ro.crypto.state", encrypted_state, ""); 2047 if (strcmp(encrypted_state, "encrypted") ) { 2048 SLOGE("device not encrypted, aborting"); 2049 return -2; 2050 } 2051 2052 if (!master_key_saved) { 2053 SLOGE("encrypted fs not yet mounted, aborting"); 2054 return -1; 2055 } 2056 2057 if (!saved_mount_point) { 2058 SLOGE("encrypted fs failed to save mount point, aborting"); 2059 return -1; 2060 } 2061 2062 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2063 SLOGE("Error getting crypt footer and key\n"); 2064 return -1; 2065 } 2066 2067 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2068 /* If the device has no password, then just say the password is valid */ 2069 rc = 0; 2070 } else { 2071 char* adjusted_passwd = adjust_passwd(passwd); 2072 if (adjusted_passwd) { 2073 passwd = adjusted_passwd; 2074 } 2075 2076 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2077 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2078 /* They match, the password is correct */ 2079 rc = 0; 2080 } else { 2081 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2082 sleep(1); 2083 rc = 1; 2084 } 2085 2086 free(adjusted_passwd); 2087 } 2088 2089 return rc; 2090 } 2091 2092 /* Initialize a crypt_mnt_ftr structure. The keysize is 2093 * defaulted to 16 bytes, and the filesystem size to 0. 2094 * Presumably, at a minimum, the caller will update the 2095 * filesystem size and crypto_type_name after calling this function. 2096 */ 2097 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2098 { 2099 off64_t off; 2100 2101 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2102 ftr->magic = CRYPT_MNT_MAGIC; 2103 ftr->major_version = CURRENT_MAJOR_VERSION; 2104 ftr->minor_version = CURRENT_MINOR_VERSION; 2105 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2106 ftr->keysize = KEY_LEN_BYTES; 2107 2108 switch (keymaster_check_compatibility()) { 2109 case 1: 2110 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2111 break; 2112 2113 case 0: 2114 ftr->kdf_type = KDF_SCRYPT; 2115 break; 2116 2117 default: 2118 SLOGE("keymaster_check_compatibility failed"); 2119 return -1; 2120 } 2121 2122 get_device_scrypt_params(ftr); 2123 2124 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2125 if (get_crypt_ftr_info(NULL, &off) == 0) { 2126 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2127 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2128 ftr->persist_data_size; 2129 } 2130 2131 return 0; 2132 } 2133 2134 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2135 { 2136 const char *args[10]; 2137 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2138 int num_args; 2139 int status; 2140 int tmp; 2141 int rc = -1; 2142 2143 if (type == EXT4_FS) { 2144 args[0] = "/system/bin/make_ext4fs"; 2145 args[1] = "-a"; 2146 args[2] = "/data"; 2147 args[3] = "-l"; 2148 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2149 args[4] = size_str; 2150 args[5] = crypto_blkdev; 2151 num_args = 6; 2152 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2153 args[0], args[1], args[2], args[3], args[4], args[5]); 2154 } else if (type == F2FS_FS) { 2155 args[0] = "/system/bin/mkfs.f2fs"; 2156 args[1] = "-t"; 2157 args[2] = "-d1"; 2158 args[3] = crypto_blkdev; 2159 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2160 args[4] = size_str; 2161 num_args = 5; 2162 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2163 args[0], args[1], args[2], args[3], args[4]); 2164 } else { 2165 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2166 return -1; 2167 } 2168 2169 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2170 2171 if (tmp != 0) { 2172 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2173 } else { 2174 if (WIFEXITED(status)) { 2175 if (WEXITSTATUS(status)) { 2176 SLOGE("Error creating filesystem on %s, exit status %d ", 2177 crypto_blkdev, WEXITSTATUS(status)); 2178 } else { 2179 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2180 rc = 0; 2181 } 2182 } else { 2183 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2184 } 2185 } 2186 2187 return rc; 2188 } 2189 2190 #define CRYPT_INPLACE_BUFSIZE 4096 2191 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2192 #define CRYPT_SECTOR_SIZE 512 2193 2194 /* aligned 32K writes tends to make flash happy. 2195 * SD card association recommends it. 2196 */ 2197 #define BLOCKS_AT_A_TIME 8 2198 2199 struct encryptGroupsData 2200 { 2201 int realfd; 2202 int cryptofd; 2203 off64_t numblocks; 2204 off64_t one_pct, cur_pct, new_pct; 2205 off64_t blocks_already_done, tot_numblocks; 2206 off64_t used_blocks_already_done, tot_used_blocks; 2207 char* real_blkdev, * crypto_blkdev; 2208 int count; 2209 off64_t offset; 2210 char* buffer; 2211 off64_t last_written_sector; 2212 int completed; 2213 time_t time_started; 2214 int remaining_time; 2215 }; 2216 2217 static void update_progress(struct encryptGroupsData* data, int is_used) 2218 { 2219 data->blocks_already_done++; 2220 2221 if (is_used) { 2222 data->used_blocks_already_done++; 2223 } 2224 if (data->tot_used_blocks) { 2225 data->new_pct = data->used_blocks_already_done / data->one_pct; 2226 } else { 2227 data->new_pct = data->blocks_already_done / data->one_pct; 2228 } 2229 2230 if (data->new_pct > data->cur_pct) { 2231 char buf[8]; 2232 data->cur_pct = data->new_pct; 2233 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2234 property_set("vold.encrypt_progress", buf); 2235 } 2236 2237 if (data->cur_pct >= 5) { 2238 struct timespec time_now; 2239 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2240 SLOGW("Error getting time"); 2241 } else { 2242 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2243 off64_t remaining_blocks = data->tot_used_blocks 2244 - data->used_blocks_already_done; 2245 int remaining_time = (int)(elapsed_time * remaining_blocks 2246 / data->used_blocks_already_done); 2247 2248 // Change time only if not yet set, lower, or a lot higher for 2249 // best user experience 2250 if (data->remaining_time == -1 2251 || remaining_time < data->remaining_time 2252 || remaining_time > data->remaining_time + 60) { 2253 char buf[8]; 2254 snprintf(buf, sizeof(buf), "%d", remaining_time); 2255 property_set("vold.encrypt_time_remaining", buf); 2256 data->remaining_time = remaining_time; 2257 } 2258 } 2259 } 2260 } 2261 2262 static void log_progress(struct encryptGroupsData const* data, bool completed) 2263 { 2264 // Precondition - if completed data = 0 else data != 0 2265 2266 // Track progress so we can skip logging blocks 2267 static off64_t offset = -1; 2268 2269 // Need to close existing 'Encrypting from' log? 2270 if (completed || (offset != -1 && data->offset != offset)) { 2271 SLOGI("Encrypted to sector %" PRId64, 2272 offset / info.block_size * CRYPT_SECTOR_SIZE); 2273 offset = -1; 2274 } 2275 2276 // Need to start new 'Encrypting from' log? 2277 if (!completed && offset != data->offset) { 2278 SLOGI("Encrypting from sector %" PRId64, 2279 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2280 } 2281 2282 // Update offset 2283 if (!completed) { 2284 offset = data->offset + (off64_t)data->count * info.block_size; 2285 } 2286 } 2287 2288 static int flush_outstanding_data(struct encryptGroupsData* data) 2289 { 2290 if (data->count == 0) { 2291 return 0; 2292 } 2293 2294 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2295 2296 if (pread64(data->realfd, data->buffer, 2297 info.block_size * data->count, data->offset) 2298 <= 0) { 2299 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2300 data->real_blkdev); 2301 return -1; 2302 } 2303 2304 if (pwrite64(data->cryptofd, data->buffer, 2305 info.block_size * data->count, data->offset) 2306 <= 0) { 2307 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2308 data->crypto_blkdev); 2309 return -1; 2310 } else { 2311 log_progress(data, false); 2312 } 2313 2314 data->count = 0; 2315 data->last_written_sector = (data->offset + data->count) 2316 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2317 return 0; 2318 } 2319 2320 static int encrypt_groups(struct encryptGroupsData* data) 2321 { 2322 unsigned int i; 2323 u8 *block_bitmap = 0; 2324 unsigned int block; 2325 off64_t ret; 2326 int rc = -1; 2327 2328 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2329 if (!data->buffer) { 2330 SLOGE("Failed to allocate crypto buffer"); 2331 goto errout; 2332 } 2333 2334 block_bitmap = malloc(info.block_size); 2335 if (!block_bitmap) { 2336 SLOGE("failed to allocate block bitmap"); 2337 goto errout; 2338 } 2339 2340 for (i = 0; i < aux_info.groups; ++i) { 2341 SLOGI("Encrypting group %d", i); 2342 2343 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2344 u32 block_count = min(info.blocks_per_group, 2345 aux_info.len_blocks - first_block); 2346 2347 off64_t offset = (u64)info.block_size 2348 * aux_info.bg_desc[i].bg_block_bitmap; 2349 2350 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2351 if (ret != (int)info.block_size) { 2352 SLOGE("failed to read all of block group bitmap %d", i); 2353 goto errout; 2354 } 2355 2356 offset = (u64)info.block_size * first_block; 2357 2358 data->count = 0; 2359 2360 for (block = 0; block < block_count; block++) { 2361 int used = bitmap_get_bit(block_bitmap, block); 2362 update_progress(data, used); 2363 if (used) { 2364 if (data->count == 0) { 2365 data->offset = offset; 2366 } 2367 data->count++; 2368 } else { 2369 if (flush_outstanding_data(data)) { 2370 goto errout; 2371 } 2372 } 2373 2374 offset += info.block_size; 2375 2376 /* Write data if we are aligned or buffer size reached */ 2377 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2378 || data->count == BLOCKS_AT_A_TIME) { 2379 if (flush_outstanding_data(data)) { 2380 goto errout; 2381 } 2382 } 2383 2384 if (!is_battery_ok_to_continue()) { 2385 SLOGE("Stopping encryption due to low battery"); 2386 rc = 0; 2387 goto errout; 2388 } 2389 2390 } 2391 if (flush_outstanding_data(data)) { 2392 goto errout; 2393 } 2394 } 2395 2396 data->completed = 1; 2397 rc = 0; 2398 2399 errout: 2400 log_progress(0, true); 2401 free(data->buffer); 2402 free(block_bitmap); 2403 return rc; 2404 } 2405 2406 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2407 char *real_blkdev, 2408 off64_t size, 2409 off64_t *size_already_done, 2410 off64_t tot_size, 2411 off64_t previously_encrypted_upto) 2412 { 2413 u32 i; 2414 struct encryptGroupsData data; 2415 int rc; // Can't initialize without causing warning -Wclobbered 2416 2417 if (previously_encrypted_upto > *size_already_done) { 2418 SLOGD("Not fast encrypting since resuming part way through"); 2419 return -1; 2420 } 2421 2422 memset(&data, 0, sizeof(data)); 2423 data.real_blkdev = real_blkdev; 2424 data.crypto_blkdev = crypto_blkdev; 2425 2426 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2427 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2428 real_blkdev, errno, strerror(errno)); 2429 rc = -1; 2430 goto errout; 2431 } 2432 2433 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2434 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2435 crypto_blkdev, errno, strerror(errno)); 2436 rc = ENABLE_INPLACE_ERR_DEV; 2437 goto errout; 2438 } 2439 2440 if (setjmp(setjmp_env)) { 2441 SLOGE("Reading ext4 extent caused an exception\n"); 2442 rc = -1; 2443 goto errout; 2444 } 2445 2446 if (read_ext(data.realfd, 0) != 0) { 2447 SLOGE("Failed to read ext4 extent\n"); 2448 rc = -1; 2449 goto errout; 2450 } 2451 2452 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2453 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2454 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2455 2456 SLOGI("Encrypting ext4 filesystem in place..."); 2457 2458 data.tot_used_blocks = data.numblocks; 2459 for (i = 0; i < aux_info.groups; ++i) { 2460 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2461 } 2462 2463 data.one_pct = data.tot_used_blocks / 100; 2464 data.cur_pct = 0; 2465 2466 struct timespec time_started = {0}; 2467 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2468 SLOGW("Error getting time at start"); 2469 // Note - continue anyway - we'll run with 0 2470 } 2471 data.time_started = time_started.tv_sec; 2472 data.remaining_time = -1; 2473 2474 rc = encrypt_groups(&data); 2475 if (rc) { 2476 SLOGE("Error encrypting groups"); 2477 goto errout; 2478 } 2479 2480 *size_already_done += data.completed ? size : data.last_written_sector; 2481 rc = 0; 2482 2483 errout: 2484 close(data.realfd); 2485 close(data.cryptofd); 2486 2487 return rc; 2488 } 2489 2490 static void log_progress_f2fs(u64 block, bool completed) 2491 { 2492 // Precondition - if completed data = 0 else data != 0 2493 2494 // Track progress so we can skip logging blocks 2495 static u64 last_block = (u64)-1; 2496 2497 // Need to close existing 'Encrypting from' log? 2498 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2499 SLOGI("Encrypted to block %" PRId64, last_block); 2500 last_block = -1; 2501 } 2502 2503 // Need to start new 'Encrypting from' log? 2504 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2505 SLOGI("Encrypting from block %" PRId64, block); 2506 } 2507 2508 // Update offset 2509 if (!completed) { 2510 last_block = block; 2511 } 2512 } 2513 2514 static int encrypt_one_block_f2fs(u64 pos, void *data) 2515 { 2516 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2517 2518 priv_dat->blocks_already_done = pos - 1; 2519 update_progress(priv_dat, 1); 2520 2521 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2522 2523 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2524 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2525 return -1; 2526 } 2527 2528 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2529 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2530 return -1; 2531 } else { 2532 log_progress_f2fs(pos, false); 2533 } 2534 2535 return 0; 2536 } 2537 2538 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2539 char *real_blkdev, 2540 off64_t size, 2541 off64_t *size_already_done, 2542 off64_t tot_size, 2543 off64_t previously_encrypted_upto) 2544 { 2545 u32 i; 2546 struct encryptGroupsData data; 2547 struct f2fs_info *f2fs_info = NULL; 2548 int rc = ENABLE_INPLACE_ERR_OTHER; 2549 if (previously_encrypted_upto > *size_already_done) { 2550 SLOGD("Not fast encrypting since resuming part way through"); 2551 return ENABLE_INPLACE_ERR_OTHER; 2552 } 2553 memset(&data, 0, sizeof(data)); 2554 data.real_blkdev = real_blkdev; 2555 data.crypto_blkdev = crypto_blkdev; 2556 data.realfd = -1; 2557 data.cryptofd = -1; 2558 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2559 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2560 real_blkdev); 2561 goto errout; 2562 } 2563 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2564 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2565 crypto_blkdev, errno, strerror(errno)); 2566 rc = ENABLE_INPLACE_ERR_DEV; 2567 goto errout; 2568 } 2569 2570 f2fs_info = generate_f2fs_info(data.realfd); 2571 if (!f2fs_info) 2572 goto errout; 2573 2574 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2575 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2576 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2577 2578 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2579 2580 data.one_pct = data.tot_used_blocks / 100; 2581 data.cur_pct = 0; 2582 data.time_started = time(NULL); 2583 data.remaining_time = -1; 2584 2585 data.buffer = malloc(f2fs_info->block_size); 2586 if (!data.buffer) { 2587 SLOGE("Failed to allocate crypto buffer"); 2588 goto errout; 2589 } 2590 2591 data.count = 0; 2592 2593 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2594 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2595 2596 if (rc) { 2597 SLOGE("Error in running over f2fs blocks"); 2598 rc = ENABLE_INPLACE_ERR_OTHER; 2599 goto errout; 2600 } 2601 2602 *size_already_done += size; 2603 rc = 0; 2604 2605 errout: 2606 if (rc) 2607 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2608 2609 log_progress_f2fs(0, true); 2610 free(f2fs_info); 2611 free(data.buffer); 2612 close(data.realfd); 2613 close(data.cryptofd); 2614 2615 return rc; 2616 } 2617 2618 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2619 off64_t size, off64_t *size_already_done, 2620 off64_t tot_size, 2621 off64_t previously_encrypted_upto) 2622 { 2623 int realfd, cryptofd; 2624 char *buf[CRYPT_INPLACE_BUFSIZE]; 2625 int rc = ENABLE_INPLACE_ERR_OTHER; 2626 off64_t numblocks, i, remainder; 2627 off64_t one_pct, cur_pct, new_pct; 2628 off64_t blocks_already_done, tot_numblocks; 2629 2630 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2631 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2632 return ENABLE_INPLACE_ERR_OTHER; 2633 } 2634 2635 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2636 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2637 crypto_blkdev, errno, strerror(errno)); 2638 close(realfd); 2639 return ENABLE_INPLACE_ERR_DEV; 2640 } 2641 2642 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2643 * The size passed in is the number of 512 byte sectors in the filesystem. 2644 * So compute the number of whole 4K blocks we should read/write, 2645 * and the remainder. 2646 */ 2647 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2648 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2649 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2650 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2651 2652 SLOGE("Encrypting filesystem in place..."); 2653 2654 i = previously_encrypted_upto + 1 - *size_already_done; 2655 2656 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2657 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2658 goto errout; 2659 } 2660 2661 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2662 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2663 goto errout; 2664 } 2665 2666 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2667 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2668 SLOGE("Error reading initial sectors from real_blkdev %s for " 2669 "inplace encrypt\n", crypto_blkdev); 2670 goto errout; 2671 } 2672 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2673 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2674 "inplace encrypt\n", crypto_blkdev); 2675 goto errout; 2676 } else { 2677 SLOGI("Encrypted 1 block at %" PRId64, i); 2678 } 2679 } 2680 2681 one_pct = tot_numblocks / 100; 2682 cur_pct = 0; 2683 /* process the majority of the filesystem in blocks */ 2684 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2685 new_pct = (i + blocks_already_done) / one_pct; 2686 if (new_pct > cur_pct) { 2687 char buf[8]; 2688 2689 cur_pct = new_pct; 2690 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2691 property_set("vold.encrypt_progress", buf); 2692 } 2693 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2694 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2695 goto errout; 2696 } 2697 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2698 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2699 goto errout; 2700 } else { 2701 SLOGD("Encrypted %d block at %" PRId64, 2702 CRYPT_SECTORS_PER_BUFSIZE, 2703 i * CRYPT_SECTORS_PER_BUFSIZE); 2704 } 2705 2706 if (!is_battery_ok_to_continue()) { 2707 SLOGE("Stopping encryption due to low battery"); 2708 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2709 rc = 0; 2710 goto errout; 2711 } 2712 } 2713 2714 /* Do any remaining sectors */ 2715 for (i=0; i<remainder; i++) { 2716 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2717 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2718 goto errout; 2719 } 2720 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2721 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2722 goto errout; 2723 } else { 2724 SLOGI("Encrypted 1 block at next location"); 2725 } 2726 } 2727 2728 *size_already_done += size; 2729 rc = 0; 2730 2731 errout: 2732 close(realfd); 2733 close(cryptofd); 2734 2735 return rc; 2736 } 2737 2738 /* returns on of the ENABLE_INPLACE_* return codes */ 2739 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2740 off64_t size, off64_t *size_already_done, 2741 off64_t tot_size, 2742 off64_t previously_encrypted_upto) 2743 { 2744 int rc_ext4, rc_f2fs, rc_full; 2745 if (previously_encrypted_upto) { 2746 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2747 } 2748 2749 if (*size_already_done + size < previously_encrypted_upto) { 2750 *size_already_done += size; 2751 return 0; 2752 } 2753 2754 /* TODO: identify filesystem type. 2755 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2756 * then we will drop down to cryptfs_enable_inplace_f2fs. 2757 * */ 2758 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2759 size, size_already_done, 2760 tot_size, previously_encrypted_upto)) == 0) { 2761 return 0; 2762 } 2763 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2764 2765 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2766 size, size_already_done, 2767 tot_size, previously_encrypted_upto)) == 0) { 2768 return 0; 2769 } 2770 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2771 2772 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2773 size, size_already_done, tot_size, 2774 previously_encrypted_upto); 2775 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2776 2777 /* Hack for b/17898962, the following is the symptom... */ 2778 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2779 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2780 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2781 return ENABLE_INPLACE_ERR_DEV; 2782 } 2783 return rc_full; 2784 } 2785 2786 #define CRYPTO_ENABLE_WIPE 1 2787 #define CRYPTO_ENABLE_INPLACE 2 2788 2789 #define FRAMEWORK_BOOT_WAIT 60 2790 2791 static inline int should_encrypt(struct volume_info *volume) 2792 { 2793 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2794 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2795 } 2796 2797 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2798 { 2799 int fd = open(filename, O_RDONLY); 2800 if (fd == -1) { 2801 SLOGE("Error opening file %s", filename); 2802 return -1; 2803 } 2804 2805 char block[CRYPT_INPLACE_BUFSIZE]; 2806 memset(block, 0, sizeof(block)); 2807 if (unix_read(fd, block, sizeof(block)) < 0) { 2808 SLOGE("Error reading file %s", filename); 2809 close(fd); 2810 return -1; 2811 } 2812 2813 close(fd); 2814 2815 SHA256_CTX c; 2816 SHA256_Init(&c); 2817 SHA256_Update(&c, block, sizeof(block)); 2818 SHA256_Final(buf, &c); 2819 2820 return 0; 2821 } 2822 2823 static int get_fs_type(struct fstab_rec *rec) 2824 { 2825 if (!strcmp(rec->fs_type, "ext4")) { 2826 return EXT4_FS; 2827 } else if (!strcmp(rec->fs_type, "f2fs")) { 2828 return F2FS_FS; 2829 } else { 2830 return -1; 2831 } 2832 } 2833 2834 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2835 char *crypto_blkdev, char *real_blkdev, 2836 int previously_encrypted_upto) 2837 { 2838 off64_t cur_encryption_done=0, tot_encryption_size=0; 2839 int i, rc = -1; 2840 2841 if (!is_battery_ok_to_start()) { 2842 SLOGW("Not starting encryption due to low battery"); 2843 return 0; 2844 } 2845 2846 /* The size of the userdata partition, and add in the vold volumes below */ 2847 tot_encryption_size = crypt_ftr->fs_size; 2848 2849 if (how == CRYPTO_ENABLE_WIPE) { 2850 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2851 int fs_type = get_fs_type(rec); 2852 if (fs_type < 0) { 2853 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2854 return -1; 2855 } 2856 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2857 } else if (how == CRYPTO_ENABLE_INPLACE) { 2858 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2859 crypt_ftr->fs_size, &cur_encryption_done, 2860 tot_encryption_size, 2861 previously_encrypted_upto); 2862 2863 if (rc == ENABLE_INPLACE_ERR_DEV) { 2864 /* Hack for b/17898962 */ 2865 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2866 cryptfs_reboot(reboot); 2867 } 2868 2869 if (!rc) { 2870 crypt_ftr->encrypted_upto = cur_encryption_done; 2871 } 2872 2873 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2874 /* The inplace routine never actually sets the progress to 100% due 2875 * to the round down nature of integer division, so set it here */ 2876 property_set("vold.encrypt_progress", "100"); 2877 } 2878 } else { 2879 /* Shouldn't happen */ 2880 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2881 rc = -1; 2882 } 2883 2884 return rc; 2885 } 2886 2887 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2888 int allow_reboot) 2889 { 2890 int how = 0; 2891 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2892 unsigned long nr_sec; 2893 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2894 int rc=-1, fd, i, ret; 2895 struct crypt_mnt_ftr crypt_ftr; 2896 struct crypt_persist_data *pdata; 2897 char encrypted_state[PROPERTY_VALUE_MAX]; 2898 char lockid[32] = { 0 }; 2899 char key_loc[PROPERTY_VALUE_MAX]; 2900 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2901 char *sd_mnt_point; 2902 int num_vols; 2903 struct volume_info *vol_list = 0; 2904 off64_t previously_encrypted_upto = 0; 2905 2906 if (!strcmp(howarg, "wipe")) { 2907 how = CRYPTO_ENABLE_WIPE; 2908 } else if (! strcmp(howarg, "inplace")) { 2909 how = CRYPTO_ENABLE_INPLACE; 2910 } else { 2911 /* Shouldn't happen, as CommandListener vets the args */ 2912 goto error_unencrypted; 2913 } 2914 2915 /* See if an encryption was underway and interrupted */ 2916 if (how == CRYPTO_ENABLE_INPLACE 2917 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2918 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2919 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2920 crypt_ftr.encrypted_upto = 0; 2921 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2922 2923 /* At this point, we are in an inconsistent state. Until we successfully 2924 complete encryption, a reboot will leave us broken. So mark the 2925 encryption failed in case that happens. 2926 On successfully completing encryption, remove this flag */ 2927 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2928 2929 put_crypt_ftr_and_key(&crypt_ftr); 2930 } 2931 2932 property_get("ro.crypto.state", encrypted_state, ""); 2933 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2934 SLOGE("Device is already running encrypted, aborting"); 2935 goto error_unencrypted; 2936 } 2937 2938 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2939 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2940 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2941 2942 /* Get the size of the real block device */ 2943 fd = open(real_blkdev, O_RDONLY); 2944 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2945 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2946 goto error_unencrypted; 2947 } 2948 close(fd); 2949 2950 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2951 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2952 unsigned int fs_size_sec, max_fs_size_sec; 2953 fs_size_sec = get_fs_size(real_blkdev); 2954 if (fs_size_sec == 0) 2955 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2956 2957 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2958 2959 if (fs_size_sec > max_fs_size_sec) { 2960 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2961 goto error_unencrypted; 2962 } 2963 } 2964 2965 /* Get a wakelock as this may take a while, and we don't want the 2966 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2967 * wants to keep the screen on, it can grab a full wakelock. 2968 */ 2969 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2970 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2971 2972 /* Get the sdcard mount point */ 2973 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2974 if (!sd_mnt_point) { 2975 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2976 } 2977 if (!sd_mnt_point) { 2978 sd_mnt_point = "/mnt/sdcard"; 2979 } 2980 2981 /* TODO 2982 * Currently do not have test devices with multiple encryptable volumes. 2983 * When we acquire some, re-add support. 2984 */ 2985 num_vols=vold_getNumDirectVolumes(); 2986 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2987 vold_getDirectVolumeList(vol_list); 2988 2989 for (i=0; i<num_vols; i++) { 2990 if (should_encrypt(&vol_list[i])) { 2991 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2992 "%s\n", vol_list[i].label); 2993 goto error_unencrypted; 2994 } 2995 } 2996 2997 /* The init files are setup to stop the class main and late start when 2998 * vold sets trigger_shutdown_framework. 2999 */ 3000 property_set("vold.decrypt", "trigger_shutdown_framework"); 3001 SLOGD("Just asked init to shut down class main\n"); 3002 3003 if (vold_unmountAllAsecs()) { 3004 /* Just report the error. If any are left mounted, 3005 * umounting /data below will fail and handle the error. 3006 */ 3007 SLOGE("Error unmounting internal asecs"); 3008 } 3009 3010 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3011 if (!strcmp(fuse_sdcard, "true")) { 3012 /* This is a device using the fuse layer to emulate the sdcard semantics 3013 * on top of the userdata partition. vold does not manage it, it is managed 3014 * by the sdcard service. The sdcard service was killed by the property trigger 3015 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3016 * unlike the case for vold managed devices above. 3017 */ 3018 if (wait_and_unmount(sd_mnt_point, false)) { 3019 goto error_shutting_down; 3020 } 3021 } 3022 3023 /* Now unmount the /data partition. */ 3024 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3025 if (allow_reboot) { 3026 goto error_shutting_down; 3027 } else { 3028 goto error_unencrypted; 3029 } 3030 } 3031 3032 /* Do extra work for a better UX when doing the long inplace encryption */ 3033 if (how == CRYPTO_ENABLE_INPLACE) { 3034 /* Now that /data is unmounted, we need to mount a tmpfs 3035 * /data, set a property saying we're doing inplace encryption, 3036 * and restart the framework. 3037 */ 3038 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3039 goto error_shutting_down; 3040 } 3041 /* Tells the framework that inplace encryption is starting */ 3042 property_set("vold.encrypt_progress", "0"); 3043 3044 /* restart the framework. */ 3045 /* Create necessary paths on /data */ 3046 if (prep_data_fs()) { 3047 goto error_shutting_down; 3048 } 3049 3050 /* Ugh, shutting down the framework is not synchronous, so until it 3051 * can be fixed, this horrible hack will wait a moment for it all to 3052 * shut down before proceeding. Without it, some devices cannot 3053 * restart the graphics services. 3054 */ 3055 sleep(2); 3056 3057 /* startup service classes main and late_start */ 3058 property_set("vold.decrypt", "trigger_restart_min_framework"); 3059 SLOGD("Just triggered restart_min_framework\n"); 3060 3061 /* OK, the framework is restarted and will soon be showing a 3062 * progress bar. Time to setup an encrypted mapping, and 3063 * either write a new filesystem, or encrypt in place updating 3064 * the progress bar as we work. 3065 */ 3066 } 3067 3068 /* Start the actual work of making an encrypted filesystem */ 3069 /* Initialize a crypt_mnt_ftr for the partition */ 3070 if (previously_encrypted_upto == 0) { 3071 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3072 goto error_shutting_down; 3073 } 3074 3075 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3076 crypt_ftr.fs_size = nr_sec 3077 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3078 } else { 3079 crypt_ftr.fs_size = nr_sec; 3080 } 3081 /* At this point, we are in an inconsistent state. Until we successfully 3082 complete encryption, a reboot will leave us broken. So mark the 3083 encryption failed in case that happens. 3084 On successfully completing encryption, remove this flag */ 3085 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3086 crypt_ftr.crypt_type = crypt_type; 3087 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 3088 3089 /* Make an encrypted master key */ 3090 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3091 SLOGE("Cannot create encrypted master key\n"); 3092 goto error_shutting_down; 3093 } 3094 3095 /* Write the key to the end of the partition */ 3096 put_crypt_ftr_and_key(&crypt_ftr); 3097 3098 /* If any persistent data has been remembered, save it. 3099 * If none, create a valid empty table and save that. 3100 */ 3101 if (!persist_data) { 3102 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3103 if (pdata) { 3104 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3105 persist_data = pdata; 3106 } 3107 } 3108 if (persist_data) { 3109 save_persistent_data(); 3110 } 3111 } 3112 3113 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3114 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3115 "userdata"); 3116 3117 /* If we are continuing, check checksums match */ 3118 rc = 0; 3119 if (previously_encrypted_upto) { 3120 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3121 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3122 3123 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3124 sizeof(hash_first_block)) != 0) { 3125 SLOGE("Checksums do not match - trigger wipe"); 3126 rc = -1; 3127 } 3128 } 3129 3130 if (!rc) { 3131 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3132 crypto_blkdev, real_blkdev, 3133 previously_encrypted_upto); 3134 } 3135 3136 /* Calculate checksum if we are not finished */ 3137 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3138 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3139 crypt_ftr.hash_first_block); 3140 if (rc) { 3141 SLOGE("Error calculating checksum for continuing encryption"); 3142 rc = -1; 3143 } 3144 } 3145 3146 /* Undo the dm-crypt mapping whether we succeed or not */ 3147 delete_crypto_blk_dev("userdata"); 3148 3149 free(vol_list); 3150 3151 if (! rc) { 3152 /* Success */ 3153 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3154 3155 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3156 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3157 crypt_ftr.encrypted_upto); 3158 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3159 } 3160 3161 put_crypt_ftr_and_key(&crypt_ftr); 3162 3163 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3164 char value[PROPERTY_VALUE_MAX]; 3165 property_get("ro.crypto.state", value, ""); 3166 if (!strcmp(value, "")) { 3167 /* default encryption - continue first boot sequence */ 3168 property_set("ro.crypto.state", "encrypted"); 3169 release_wake_lock(lockid); 3170 cryptfs_check_passwd(DEFAULT_PASSWORD); 3171 cryptfs_restart_internal(1); 3172 return 0; 3173 } else { 3174 sleep(2); /* Give the UI a chance to show 100% progress */ 3175 cryptfs_reboot(reboot); 3176 } 3177 } else { 3178 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3179 cryptfs_reboot(shutdown); 3180 } 3181 } else { 3182 char value[PROPERTY_VALUE_MAX]; 3183 3184 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3185 if (!strcmp(value, "1")) { 3186 /* wipe data if encryption failed */ 3187 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3188 mkdir("/cache/recovery", 0700); 3189 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3190 if (fd >= 0) { 3191 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3192 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3193 close(fd); 3194 } else { 3195 SLOGE("could not open /cache/recovery/command\n"); 3196 } 3197 cryptfs_reboot(recovery); 3198 } else { 3199 /* set property to trigger dialog */ 3200 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3201 release_wake_lock(lockid); 3202 } 3203 return -1; 3204 } 3205 3206 /* hrm, the encrypt step claims success, but the reboot failed. 3207 * This should not happen. 3208 * Set the property and return. Hope the framework can deal with it. 3209 */ 3210 property_set("vold.encrypt_progress", "error_reboot_failed"); 3211 release_wake_lock(lockid); 3212 return rc; 3213 3214 error_unencrypted: 3215 free(vol_list); 3216 property_set("vold.encrypt_progress", "error_not_encrypted"); 3217 if (lockid[0]) { 3218 release_wake_lock(lockid); 3219 } 3220 return -1; 3221 3222 error_shutting_down: 3223 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3224 * but the framework is stopped and not restarted to show the error, so it's up to 3225 * vold to restart the system. 3226 */ 3227 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3228 cryptfs_reboot(reboot); 3229 3230 /* shouldn't get here */ 3231 property_set("vold.encrypt_progress", "error_shutting_down"); 3232 free(vol_list); 3233 if (lockid[0]) { 3234 release_wake_lock(lockid); 3235 } 3236 return -1; 3237 } 3238 3239 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3240 { 3241 char* adjusted_passwd = adjust_passwd(passwd); 3242 if (adjusted_passwd) { 3243 passwd = adjusted_passwd; 3244 } 3245 3246 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3247 3248 free(adjusted_passwd); 3249 return rc; 3250 } 3251 3252 int cryptfs_enable_default(char *howarg, int allow_reboot) 3253 { 3254 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3255 DEFAULT_PASSWORD, allow_reboot); 3256 } 3257 3258 int cryptfs_changepw(int crypt_type, const char *newpw) 3259 { 3260 struct crypt_mnt_ftr crypt_ftr; 3261 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3262 3263 /* This is only allowed after we've successfully decrypted the master key */ 3264 if (!master_key_saved) { 3265 SLOGE("Key not saved, aborting"); 3266 return -1; 3267 } 3268 3269 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3270 SLOGE("Invalid crypt_type %d", crypt_type); 3271 return -1; 3272 } 3273 3274 /* get key */ 3275 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3276 SLOGE("Error getting crypt footer and key"); 3277 return -1; 3278 } 3279 3280 crypt_ftr.crypt_type = crypt_type; 3281 3282 char* adjusted_passwd = adjust_passwd(newpw); 3283 if (adjusted_passwd) { 3284 newpw = adjusted_passwd; 3285 } 3286 3287 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3288 : newpw, 3289 crypt_ftr.salt, 3290 saved_master_key, 3291 crypt_ftr.master_key, 3292 &crypt_ftr); 3293 3294 /* save the key */ 3295 put_crypt_ftr_and_key(&crypt_ftr); 3296 3297 free(adjusted_passwd); 3298 return 0; 3299 } 3300 3301 static int persist_get_key(char *fieldname, char *value) 3302 { 3303 unsigned int i; 3304 3305 if (persist_data == NULL) { 3306 return -1; 3307 } 3308 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3309 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3310 /* We found it! */ 3311 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3312 return 0; 3313 } 3314 } 3315 3316 return -1; 3317 } 3318 3319 static int persist_set_key(char *fieldname, char *value, int encrypted) 3320 { 3321 unsigned int i; 3322 unsigned int num; 3323 struct crypt_mnt_ftr crypt_ftr; 3324 unsigned int max_persistent_entries; 3325 unsigned int dsize; 3326 3327 if (persist_data == NULL) { 3328 return -1; 3329 } 3330 3331 /* If encrypted, use the values from the crypt_ftr, otherwise 3332 * use the values for the current spec. 3333 */ 3334 if (encrypted) { 3335 if(get_crypt_ftr_and_key(&crypt_ftr)) { 3336 return -1; 3337 } 3338 dsize = crypt_ftr.persist_data_size; 3339 } else { 3340 dsize = CRYPT_PERSIST_DATA_SIZE; 3341 } 3342 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3343 sizeof(struct crypt_persist_entry); 3344 3345 num = persist_data->persist_valid_entries; 3346 3347 for (i = 0; i < num; i++) { 3348 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3349 /* We found an existing entry, update it! */ 3350 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3351 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3352 return 0; 3353 } 3354 } 3355 3356 /* We didn't find it, add it to the end, if there is room */ 3357 if (persist_data->persist_valid_entries < max_persistent_entries) { 3358 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3359 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3360 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3361 persist_data->persist_valid_entries++; 3362 return 0; 3363 } 3364 3365 return -1; 3366 } 3367 3368 /* Return the value of the specified field. */ 3369 int cryptfs_getfield(char *fieldname, char *value, int len) 3370 { 3371 char temp_value[PROPERTY_VALUE_MAX]; 3372 char real_blkdev[MAXPATHLEN]; 3373 /* 0 is success, 1 is not encrypted, 3374 * -1 is value not set, -2 is any other error 3375 */ 3376 int rc = -2; 3377 3378 if (persist_data == NULL) { 3379 load_persistent_data(); 3380 if (persist_data == NULL) { 3381 SLOGE("Getfield error, cannot load persistent data"); 3382 goto out; 3383 } 3384 } 3385 3386 if (!persist_get_key(fieldname, temp_value)) { 3387 /* We found it, copy it to the caller's buffer and return */ 3388 strlcpy(value, temp_value, len); 3389 rc = 0; 3390 } else { 3391 /* Sadness, it's not there. Return the error */ 3392 rc = -1; 3393 } 3394 3395 out: 3396 return rc; 3397 } 3398 3399 /* Set the value of the specified field. */ 3400 int cryptfs_setfield(char *fieldname, char *value) 3401 { 3402 struct crypt_persist_data stored_pdata; 3403 struct crypt_persist_data *pdata_p; 3404 struct crypt_mnt_ftr crypt_ftr; 3405 char encrypted_state[PROPERTY_VALUE_MAX]; 3406 /* 0 is success, -1 is an error */ 3407 int rc = -1; 3408 int encrypted = 0; 3409 3410 if (persist_data == NULL) { 3411 load_persistent_data(); 3412 if (persist_data == NULL) { 3413 SLOGE("Setfield error, cannot load persistent data"); 3414 goto out; 3415 } 3416 } 3417 3418 property_get("ro.crypto.state", encrypted_state, ""); 3419 if (!strcmp(encrypted_state, "encrypted") ) { 3420 encrypted = 1; 3421 } 3422 3423 if (persist_set_key(fieldname, value, encrypted)) { 3424 goto out; 3425 } 3426 3427 /* If we are running encrypted, save the persistent data now */ 3428 if (encrypted) { 3429 if (save_persistent_data()) { 3430 SLOGE("Setfield error, cannot save persistent data"); 3431 goto out; 3432 } 3433 } 3434 3435 rc = 0; 3436 3437 out: 3438 return rc; 3439 } 3440 3441 /* Checks userdata. Attempt to mount the volume if default- 3442 * encrypted. 3443 * On success trigger next init phase and return 0. 3444 * Currently do not handle failure - see TODO below. 3445 */ 3446 int cryptfs_mount_default_encrypted(void) 3447 { 3448 char decrypt_state[PROPERTY_VALUE_MAX]; 3449 property_get("vold.decrypt", decrypt_state, "0"); 3450 if (!strcmp(decrypt_state, "0")) { 3451 SLOGE("Not encrypted - should not call here"); 3452 } else { 3453 int crypt_type = cryptfs_get_password_type(); 3454 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3455 SLOGE("Bad crypt type - error"); 3456 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3457 SLOGD("Password is not default - " 3458 "starting min framework to prompt"); 3459 property_set("vold.decrypt", "trigger_restart_min_framework"); 3460 return 0; 3461 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3462 SLOGD("Password is default - restarting filesystem"); 3463 cryptfs_restart_internal(0); 3464 return 0; 3465 } else { 3466 SLOGE("Encrypted, default crypt type but can't decrypt"); 3467 } 3468 } 3469 3470 /** Corrupt. Allow us to boot into framework, which will detect bad 3471 crypto when it calls do_crypto_complete, then do a factory reset 3472 */ 3473 property_set("vold.decrypt", "trigger_restart_min_framework"); 3474 return 0; 3475 } 3476 3477 /* Returns type of the password, default, pattern, pin or password. 3478 */ 3479 int cryptfs_get_password_type(void) 3480 { 3481 struct crypt_mnt_ftr crypt_ftr; 3482 3483 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3484 SLOGE("Error getting crypt footer and key\n"); 3485 return -1; 3486 } 3487 3488 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3489 return -1; 3490 } 3491 3492 return crypt_ftr.crypt_type; 3493 } 3494 3495 char* cryptfs_get_password() 3496 { 3497 struct timespec now; 3498 clock_gettime(CLOCK_MONOTONIC, &now); 3499 if (now.tv_sec < password_expiry_time) { 3500 return password; 3501 } else { 3502 cryptfs_clear_password(); 3503 return 0; 3504 } 3505 } 3506 3507 void cryptfs_clear_password() 3508 { 3509 if (password) { 3510 size_t len = strlen(password); 3511 memset(password, 0, len); 3512 free(password); 3513 password = 0; 3514 password_expiry_time = 0; 3515 } 3516 } 3517