1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23 #include <sys/types.h> 24 #include <sys/wait.h> 25 #include <sys/stat.h> 26 #include <ctype.h> 27 #include <fcntl.h> 28 #include <inttypes.h> 29 #include <unistd.h> 30 #include <stdio.h> 31 #include <sys/ioctl.h> 32 #include <linux/dm-ioctl.h> 33 #include <libgen.h> 34 #include <stdlib.h> 35 #include <sys/param.h> 36 #include <string.h> 37 #include <sys/mount.h> 38 #include <openssl/evp.h> 39 #include <errno.h> 40 #include <ext4.h> 41 #include <linux/kdev_t.h> 42 #include <fs_mgr.h> 43 #include <time.h> 44 #include <math.h> 45 #include "cryptfs.h" 46 #define LOG_TAG "Cryptfs" 47 #include "cutils/log.h" 48 #include "cutils/properties.h" 49 #include "cutils/android_reboot.h" 50 #include "hardware_legacy/power.h" 51 #include <logwrap/logwrap.h> 52 #include "VolumeManager.h" 53 #include "VoldUtil.h" 54 #include "crypto_scrypt.h" 55 #include "ext4_utils.h" 56 #include "f2fs_sparseblock.h" 57 #include "CheckBattery.h" 58 #include "Process.h" 59 60 #include <hardware/keymaster.h> 61 62 #define UNUSED __attribute__((unused)) 63 64 #define UNUSED __attribute__((unused)) 65 66 #ifdef CONFIG_HW_DISK_ENCRYPTION 67 #include "cryptfs_hw.h" 68 #endif 69 70 #define DM_CRYPT_BUF_SIZE 4096 71 72 #define HASH_COUNT 2000 73 #define KEY_LEN_BYTES 16 74 #define IV_LEN_BYTES 16 75 76 #define KEY_IN_FOOTER "footer" 77 78 // "default_password" encoded into hex (d=0x64 etc) 79 #define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 80 81 #define EXT4_FS 1 82 #define F2FS_FS 2 83 84 #define TABLE_LOAD_RETRIES 10 85 86 #define RSA_KEY_SIZE 2048 87 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 88 #define RSA_EXPONENT 0x10001 89 90 #define RETRY_MOUNT_ATTEMPTS 10 91 #define RETRY_MOUNT_DELAY_SECONDS 1 92 93 char *me = "cryptfs"; 94 95 static unsigned char saved_master_key[KEY_LEN_BYTES]; 96 static char *saved_mount_point; 97 static int master_key_saved = 0; 98 static struct crypt_persist_data *persist_data = NULL; 99 100 static int keymaster_init(keymaster_device_t **keymaster_dev) 101 { 102 int rc; 103 104 const hw_module_t* mod; 105 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 106 if (rc) { 107 ALOGE("could not find any keystore module"); 108 goto out; 109 } 110 111 rc = keymaster_open(mod, keymaster_dev); 112 if (rc) { 113 ALOGE("could not open keymaster device in %s (%s)", 114 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 115 goto out; 116 } 117 118 return 0; 119 120 out: 121 *keymaster_dev = NULL; 122 return rc; 123 } 124 125 /* Should we use keymaster? */ 126 static int keymaster_check_compatibility() 127 { 128 keymaster_device_t *keymaster_dev = 0; 129 int rc = 0; 130 131 if (keymaster_init(&keymaster_dev)) { 132 SLOGE("Failed to init keymaster"); 133 rc = -1; 134 goto out; 135 } 136 137 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 138 139 if (keymaster_dev->common.module->module_api_version 140 < KEYMASTER_MODULE_API_VERSION_0_3) { 141 rc = 0; 142 goto out; 143 } 144 145 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 146 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 147 rc = 1; 148 } 149 150 out: 151 keymaster_close(keymaster_dev); 152 return rc; 153 } 154 155 /* Create a new keymaster key and store it in this footer */ 156 static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 157 { 158 uint8_t* key = 0; 159 keymaster_device_t *keymaster_dev = 0; 160 161 if (keymaster_init(&keymaster_dev)) { 162 SLOGE("Failed to init keymaster"); 163 return -1; 164 } 165 166 int rc = 0; 167 168 keymaster_rsa_keygen_params_t params; 169 memset(¶ms, '\0', sizeof(params)); 170 params.public_exponent = RSA_EXPONENT; 171 params.modulus_size = RSA_KEY_SIZE; 172 173 size_t key_size; 174 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 175 &key, &key_size)) { 176 SLOGE("Failed to generate keypair"); 177 rc = -1; 178 goto out; 179 } 180 181 if (key_size > KEYMASTER_BLOB_SIZE) { 182 SLOGE("Keymaster key too large for crypto footer"); 183 rc = -1; 184 goto out; 185 } 186 187 memcpy(ftr->keymaster_blob, key, key_size); 188 ftr->keymaster_blob_size = key_size; 189 190 out: 191 keymaster_close(keymaster_dev); 192 free(key); 193 return rc; 194 } 195 196 /* This signs the given object using the keymaster key. */ 197 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 198 const unsigned char *object, 199 const size_t object_size, 200 unsigned char **signature, 201 size_t *signature_size) 202 { 203 int rc = 0; 204 keymaster_device_t *keymaster_dev = 0; 205 if (keymaster_init(&keymaster_dev)) { 206 SLOGE("Failed to init keymaster"); 207 return -1; 208 } 209 210 /* We currently set the digest type to DIGEST_NONE because it's the 211 * only supported value for keymaster. A similar issue exists with 212 * PADDING_NONE. Long term both of these should likely change. 213 */ 214 keymaster_rsa_sign_params_t params; 215 params.digest_type = DIGEST_NONE; 216 params.padding_type = PADDING_NONE; 217 218 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 219 size_t to_sign_size = sizeof(to_sign); 220 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 221 222 // To sign a message with RSA, the message must satisfy two 223 // constraints: 224 // 225 // 1. The message, when interpreted as a big-endian numeric value, must 226 // be strictly less than the public modulus of the RSA key. Note 227 // that because the most significant bit of the public modulus is 228 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 229 // key), an n-bit message with most significant bit 0 always 230 // satisfies this requirement. 231 // 232 // 2. The message must have the same length in bits as the public 233 // modulus of the RSA key. This requirement isn't mathematically 234 // necessary, but is necessary to ensure consistency in 235 // implementations. 236 switch (ftr->kdf_type) { 237 case KDF_SCRYPT_KEYMASTER_UNPADDED: 238 // This is broken: It produces a message which is shorter than 239 // the public modulus, failing criterion 2. 240 memcpy(to_sign, object, object_size); 241 to_sign_size = object_size; 242 SLOGI("Signing unpadded object"); 243 break; 244 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 245 // This is broken: Since the value of object is uniformly 246 // distributed, it produces a message that is larger than the 247 // public modulus with probability 0.25. 248 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 249 SLOGI("Signing end-padded object"); 250 break; 251 case KDF_SCRYPT_KEYMASTER: 252 // This ensures the most significant byte of the signed message 253 // is zero. We could have zero-padded to the left instead, but 254 // this approach is slightly more robust against changes in 255 // object size. However, it's still broken (but not unusably 256 // so) because we really should be using a proper RSA padding 257 // function, such as OAEP. 258 // 259 // TODO(paullawrence): When keymaster 0.4 is available, change 260 // this to use the padding options it provides. 261 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 262 SLOGI("Signing safely-padded object"); 263 break; 264 default: 265 SLOGE("Unknown KDF type %d", ftr->kdf_type); 266 return -1; 267 } 268 269 rc = keymaster_dev->sign_data(keymaster_dev, 270 ¶ms, 271 ftr->keymaster_blob, 272 ftr->keymaster_blob_size, 273 to_sign, 274 to_sign_size, 275 signature, 276 signature_size); 277 278 keymaster_close(keymaster_dev); 279 return rc; 280 } 281 282 /* Store password when userdata is successfully decrypted and mounted. 283 * Cleared by cryptfs_clear_password 284 * 285 * To avoid a double prompt at boot, we need to store the CryptKeeper 286 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 287 * Since the entire framework is torn down and rebuilt after encryption, 288 * we have to use a daemon or similar to store the password. Since vold 289 * is secured against IPC except from system processes, it seems a reasonable 290 * place to store this. 291 * 292 * password should be cleared once it has been used. 293 * 294 * password is aged out after password_max_age_seconds seconds. 295 */ 296 static char* password = 0; 297 static int password_expiry_time = 0; 298 static const int password_max_age_seconds = 60; 299 300 extern struct fstab *fstab; 301 302 enum RebootType {reboot, recovery, shutdown}; 303 static void cryptfs_reboot(enum RebootType rt) 304 { 305 switch(rt) { 306 case reboot: 307 property_set(ANDROID_RB_PROPERTY, "reboot"); 308 break; 309 310 case recovery: 311 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 312 break; 313 314 case shutdown: 315 property_set(ANDROID_RB_PROPERTY, "shutdown"); 316 break; 317 } 318 319 sleep(20); 320 321 /* Shouldn't get here, reboot should happen before sleep times out */ 322 return; 323 } 324 325 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 326 { 327 memset(io, 0, dataSize); 328 io->data_size = dataSize; 329 io->data_start = sizeof(struct dm_ioctl); 330 io->version[0] = 4; 331 io->version[1] = 0; 332 io->version[2] = 0; 333 io->flags = flags; 334 if (name) { 335 strncpy(io->name, name, sizeof(io->name)); 336 } 337 } 338 339 /** 340 * Gets the default device scrypt parameters for key derivation time tuning. 341 * The parameters should lead to about one second derivation time for the 342 * given device. 343 */ 344 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 345 const int default_params[] = SCRYPT_DEFAULTS; 346 int params[] = SCRYPT_DEFAULTS; 347 char paramstr[PROPERTY_VALUE_MAX]; 348 char *token; 349 char *saveptr; 350 int i; 351 352 property_get(SCRYPT_PROP, paramstr, ""); 353 if (paramstr[0] != '\0') { 354 /* 355 * The token we're looking for should be three integers separated by 356 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 357 */ 358 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 359 token != NULL && i < 3; 360 i++, token = strtok_r(NULL, ":", &saveptr)) { 361 char *endptr; 362 params[i] = strtol(token, &endptr, 10); 363 364 /* 365 * Check that there was a valid number and it's 8-bit. If not, 366 * break out and the end check will take the default values. 367 */ 368 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 369 break; 370 } 371 } 372 373 /* 374 * If there were not enough tokens or a token was malformed (not an 375 * integer), it will end up here and the default parameters can be 376 * taken. 377 */ 378 if ((i != 3) || (token != NULL)) { 379 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 380 memcpy(params, default_params, sizeof(params)); 381 } 382 } 383 384 ftr->N_factor = params[0]; 385 ftr->r_factor = params[1]; 386 ftr->p_factor = params[2]; 387 } 388 389 static unsigned int get_fs_size(char *dev) 390 { 391 int fd, block_size; 392 struct ext4_super_block sb; 393 off64_t len; 394 395 if ((fd = open(dev, O_RDONLY)) < 0) { 396 SLOGE("Cannot open device to get filesystem size "); 397 return 0; 398 } 399 400 if (lseek64(fd, 1024, SEEK_SET) < 0) { 401 SLOGE("Cannot seek to superblock"); 402 return 0; 403 } 404 405 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 406 SLOGE("Cannot read superblock"); 407 return 0; 408 } 409 410 close(fd); 411 412 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 413 SLOGE("Not a valid ext4 superblock"); 414 return 0; 415 } 416 block_size = 1024 << sb.s_log_block_size; 417 /* compute length in bytes */ 418 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 419 420 /* return length in sectors */ 421 return (unsigned int) (len / 512); 422 } 423 424 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 425 { 426 static int cached_data = 0; 427 static off64_t cached_off = 0; 428 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 429 int fd; 430 char key_loc[PROPERTY_VALUE_MAX]; 431 char real_blkdev[PROPERTY_VALUE_MAX]; 432 unsigned int nr_sec; 433 int rc = -1; 434 435 if (!cached_data) { 436 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 437 438 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 439 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 440 SLOGE("Cannot open real block device %s\n", real_blkdev); 441 return -1; 442 } 443 444 if ((nr_sec = get_blkdev_size(fd))) { 445 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 446 * encryption info footer and key, and plenty of bytes to spare for future 447 * growth. 448 */ 449 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 450 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 451 cached_data = 1; 452 } else { 453 SLOGE("Cannot get size of block device %s\n", real_blkdev); 454 } 455 close(fd); 456 } else { 457 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 458 cached_off = 0; 459 cached_data = 1; 460 } 461 } 462 463 if (cached_data) { 464 if (metadata_fname) { 465 *metadata_fname = cached_metadata_fname; 466 } 467 if (off) { 468 *off = cached_off; 469 } 470 rc = 0; 471 } 472 473 return rc; 474 } 475 476 /* key or salt can be NULL, in which case just skip writing that value. Useful to 477 * update the failed mount count but not change the key. 478 */ 479 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 480 { 481 int fd; 482 unsigned int nr_sec, cnt; 483 /* starting_off is set to the SEEK_SET offset 484 * where the crypto structure starts 485 */ 486 off64_t starting_off; 487 int rc = -1; 488 char *fname = NULL; 489 struct stat statbuf; 490 491 if (get_crypt_ftr_info(&fname, &starting_off)) { 492 SLOGE("Unable to get crypt_ftr_info\n"); 493 return -1; 494 } 495 if (fname[0] != '/') { 496 SLOGE("Unexpected value for crypto key location\n"); 497 return -1; 498 } 499 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 500 SLOGE("Cannot open footer file %s for put\n", fname); 501 return -1; 502 } 503 504 /* Seek to the start of the crypt footer */ 505 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 506 SLOGE("Cannot seek to real block device footer\n"); 507 goto errout; 508 } 509 510 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 511 SLOGE("Cannot write real block device footer\n"); 512 goto errout; 513 } 514 515 fstat(fd, &statbuf); 516 /* If the keys are kept on a raw block device, do not try to truncate it. */ 517 if (S_ISREG(statbuf.st_mode)) { 518 if (ftruncate(fd, 0x4000)) { 519 SLOGE("Cannot set footer file size\n"); 520 goto errout; 521 } 522 } 523 524 /* Success! */ 525 rc = 0; 526 527 errout: 528 close(fd); 529 return rc; 530 531 } 532 533 static inline int unix_read(int fd, void* buff, int len) 534 { 535 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 536 } 537 538 static inline int unix_write(int fd, const void* buff, int len) 539 { 540 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 541 } 542 543 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 544 { 545 memset(pdata, 0, len); 546 pdata->persist_magic = PERSIST_DATA_MAGIC; 547 pdata->persist_valid_entries = 0; 548 } 549 550 /* A routine to update the passed in crypt_ftr to the lastest version. 551 * fd is open read/write on the device that holds the crypto footer and persistent 552 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 553 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 554 */ 555 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 556 { 557 int orig_major = crypt_ftr->major_version; 558 int orig_minor = crypt_ftr->minor_version; 559 560 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 561 struct crypt_persist_data *pdata; 562 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 563 564 SLOGW("upgrading crypto footer to 1.1"); 565 566 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 567 if (pdata == NULL) { 568 SLOGE("Cannot allocate persisent data\n"); 569 return; 570 } 571 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 572 573 /* Need to initialize the persistent data area */ 574 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 575 SLOGE("Cannot seek to persisent data offset\n"); 576 return; 577 } 578 /* Write all zeros to the first copy, making it invalid */ 579 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 580 581 /* Write a valid but empty structure to the second copy */ 582 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 583 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 584 585 /* Update the footer */ 586 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 587 crypt_ftr->persist_data_offset[0] = pdata_offset; 588 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 589 crypt_ftr->minor_version = 1; 590 } 591 592 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 593 SLOGW("upgrading crypto footer to 1.2"); 594 /* But keep the old kdf_type. 595 * It will get updated later to KDF_SCRYPT after the password has been verified. 596 */ 597 crypt_ftr->kdf_type = KDF_PBKDF2; 598 get_device_scrypt_params(crypt_ftr); 599 crypt_ftr->minor_version = 2; 600 } 601 602 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 603 SLOGW("upgrading crypto footer to 1.3"); 604 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 605 crypt_ftr->minor_version = 3; 606 } 607 608 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 609 if (lseek64(fd, offset, SEEK_SET) == -1) { 610 SLOGE("Cannot seek to crypt footer\n"); 611 return; 612 } 613 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 614 } 615 } 616 617 618 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 619 { 620 int fd; 621 unsigned int nr_sec, cnt; 622 off64_t starting_off; 623 int rc = -1; 624 char *fname = NULL; 625 struct stat statbuf; 626 627 if (get_crypt_ftr_info(&fname, &starting_off)) { 628 SLOGE("Unable to get crypt_ftr_info\n"); 629 return -1; 630 } 631 if (fname[0] != '/') { 632 SLOGE("Unexpected value for crypto key location\n"); 633 return -1; 634 } 635 if ( (fd = open(fname, O_RDWR)) < 0) { 636 SLOGE("Cannot open footer file %s for get\n", fname); 637 return -1; 638 } 639 640 /* Make sure it's 16 Kbytes in length */ 641 fstat(fd, &statbuf); 642 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 643 SLOGE("footer file %s is not the expected size!\n", fname); 644 goto errout; 645 } 646 647 /* Seek to the start of the crypt footer */ 648 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 649 SLOGE("Cannot seek to real block device footer\n"); 650 goto errout; 651 } 652 653 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 654 SLOGE("Cannot read real block device footer\n"); 655 goto errout; 656 } 657 658 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 659 SLOGE("Bad magic for real block device %s\n", fname); 660 goto errout; 661 } 662 663 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 664 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 665 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 666 goto errout; 667 } 668 669 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 670 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 671 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 672 } 673 674 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 675 * copy on disk before returning. 676 */ 677 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 678 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 679 } 680 681 /* Success! */ 682 rc = 0; 683 684 errout: 685 close(fd); 686 return rc; 687 } 688 689 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 690 { 691 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 692 crypt_ftr->persist_data_offset[1]) { 693 SLOGE("Crypt_ftr persist data regions overlap"); 694 return -1; 695 } 696 697 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 698 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 699 return -1; 700 } 701 702 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 703 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 704 CRYPT_FOOTER_OFFSET) { 705 SLOGE("Persistent data extends past crypto footer"); 706 return -1; 707 } 708 709 return 0; 710 } 711 712 static int load_persistent_data(void) 713 { 714 struct crypt_mnt_ftr crypt_ftr; 715 struct crypt_persist_data *pdata = NULL; 716 char encrypted_state[PROPERTY_VALUE_MAX]; 717 char *fname; 718 int found = 0; 719 int fd; 720 int ret; 721 int i; 722 723 if (persist_data) { 724 /* Nothing to do, we've already loaded or initialized it */ 725 return 0; 726 } 727 728 729 /* If not encrypted, just allocate an empty table and initialize it */ 730 property_get("ro.crypto.state", encrypted_state, ""); 731 if (strcmp(encrypted_state, "encrypted") ) { 732 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 733 if (pdata) { 734 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 735 persist_data = pdata; 736 return 0; 737 } 738 return -1; 739 } 740 741 if(get_crypt_ftr_and_key(&crypt_ftr)) { 742 return -1; 743 } 744 745 if ((crypt_ftr.major_version < 1) 746 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 747 SLOGE("Crypt_ftr version doesn't support persistent data"); 748 return -1; 749 } 750 751 if (get_crypt_ftr_info(&fname, NULL)) { 752 return -1; 753 } 754 755 ret = validate_persistent_data_storage(&crypt_ftr); 756 if (ret) { 757 return -1; 758 } 759 760 fd = open(fname, O_RDONLY); 761 if (fd < 0) { 762 SLOGE("Cannot open %s metadata file", fname); 763 return -1; 764 } 765 766 if (persist_data == NULL) { 767 pdata = malloc(crypt_ftr.persist_data_size); 768 if (pdata == NULL) { 769 SLOGE("Cannot allocate memory for persistent data"); 770 goto err; 771 } 772 } 773 774 for (i = 0; i < 2; i++) { 775 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 776 SLOGE("Cannot seek to read persistent data on %s", fname); 777 goto err2; 778 } 779 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 780 SLOGE("Error reading persistent data on iteration %d", i); 781 goto err2; 782 } 783 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 784 found = 1; 785 break; 786 } 787 } 788 789 if (!found) { 790 SLOGI("Could not find valid persistent data, creating"); 791 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 792 } 793 794 /* Success */ 795 persist_data = pdata; 796 close(fd); 797 return 0; 798 799 err2: 800 free(pdata); 801 802 err: 803 close(fd); 804 return -1; 805 } 806 807 static int save_persistent_data(void) 808 { 809 struct crypt_mnt_ftr crypt_ftr; 810 struct crypt_persist_data *pdata; 811 char *fname; 812 off64_t write_offset; 813 off64_t erase_offset; 814 int found = 0; 815 int fd; 816 int ret; 817 818 if (persist_data == NULL) { 819 SLOGE("No persistent data to save"); 820 return -1; 821 } 822 823 if(get_crypt_ftr_and_key(&crypt_ftr)) { 824 return -1; 825 } 826 827 if ((crypt_ftr.major_version < 1) 828 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 829 SLOGE("Crypt_ftr version doesn't support persistent data"); 830 return -1; 831 } 832 833 ret = validate_persistent_data_storage(&crypt_ftr); 834 if (ret) { 835 return -1; 836 } 837 838 if (get_crypt_ftr_info(&fname, NULL)) { 839 return -1; 840 } 841 842 fd = open(fname, O_RDWR); 843 if (fd < 0) { 844 SLOGE("Cannot open %s metadata file", fname); 845 return -1; 846 } 847 848 pdata = malloc(crypt_ftr.persist_data_size); 849 if (pdata == NULL) { 850 SLOGE("Cannot allocate persistant data"); 851 goto err; 852 } 853 854 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 855 SLOGE("Cannot seek to read persistent data on %s", fname); 856 goto err2; 857 } 858 859 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 860 SLOGE("Error reading persistent data before save"); 861 goto err2; 862 } 863 864 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 865 /* The first copy is the curent valid copy, so write to 866 * the second copy and erase this one */ 867 write_offset = crypt_ftr.persist_data_offset[1]; 868 erase_offset = crypt_ftr.persist_data_offset[0]; 869 } else { 870 /* The second copy must be the valid copy, so write to 871 * the first copy, and erase the second */ 872 write_offset = crypt_ftr.persist_data_offset[0]; 873 erase_offset = crypt_ftr.persist_data_offset[1]; 874 } 875 876 /* Write the new copy first, if successful, then erase the old copy */ 877 if (lseek(fd, write_offset, SEEK_SET) < 0) { 878 SLOGE("Cannot seek to write persistent data"); 879 goto err2; 880 } 881 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 882 (int) crypt_ftr.persist_data_size) { 883 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 884 SLOGE("Cannot seek to erase previous persistent data"); 885 goto err2; 886 } 887 fsync(fd); 888 memset(pdata, 0, crypt_ftr.persist_data_size); 889 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 890 (int) crypt_ftr.persist_data_size) { 891 SLOGE("Cannot write to erase previous persistent data"); 892 goto err2; 893 } 894 fsync(fd); 895 } else { 896 SLOGE("Cannot write to save persistent data"); 897 goto err2; 898 } 899 900 /* Success */ 901 free(pdata); 902 close(fd); 903 return 0; 904 905 err2: 906 free(pdata); 907 err: 908 close(fd); 909 return -1; 910 } 911 912 static int hexdigit (char c) 913 { 914 if (c >= '0' && c <= '9') return c - '0'; 915 c = tolower(c); 916 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 917 return -1; 918 } 919 920 static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 921 unsigned int* out_keysize) 922 { 923 unsigned int i; 924 *out_keysize = 0; 925 926 size_t size = strlen (master_key_ascii); 927 if (size % 2) { 928 SLOGE("Trying to convert ascii string of odd length"); 929 return NULL; 930 } 931 932 unsigned char* master_key = (unsigned char*) malloc(size / 2); 933 if (master_key == 0) { 934 SLOGE("Cannot allocate"); 935 return NULL; 936 } 937 938 for (i = 0; i < size; i += 2) { 939 int high_nibble = hexdigit (master_key_ascii[i]); 940 int low_nibble = hexdigit (master_key_ascii[i + 1]); 941 942 if(high_nibble < 0 || low_nibble < 0) { 943 SLOGE("Invalid hex string"); 944 free (master_key); 945 return NULL; 946 } 947 948 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 949 (*out_keysize)++; 950 } 951 952 return master_key; 953 } 954 955 /* Convert a binary key of specified length into an ascii hex string equivalent, 956 * without the leading 0x and with null termination 957 */ 958 static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 959 char *master_key_ascii) 960 { 961 unsigned int i, a; 962 unsigned char nibble; 963 964 for (i=0, a=0; i<keysize; i++, a+=2) { 965 /* For each byte, write out two ascii hex digits */ 966 nibble = (master_key[i] >> 4) & 0xf; 967 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 968 969 nibble = master_key[i] & 0xf; 970 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 971 } 972 973 /* Add the null termination */ 974 master_key_ascii[a] = '\0'; 975 976 } 977 978 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 979 char *real_blk_name, const char *name, int fd, 980 char *extra_params) 981 { 982 char buffer[DM_CRYPT_BUF_SIZE]; 983 struct dm_ioctl *io; 984 struct dm_target_spec *tgt; 985 char *crypt_params; 986 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 987 int i; 988 989 io = (struct dm_ioctl *) buffer; 990 991 /* Load the mapping table for this device */ 992 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 993 994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 995 io->target_count = 1; 996 tgt->status = 0; 997 tgt->sector_start = 0; 998 tgt->length = crypt_ftr->fs_size; 999 #ifdef CONFIG_HW_DISK_ENCRYPTION 1000 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1001 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1002 } 1003 else { 1004 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1005 } 1006 #else 1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1008 #endif 1009 1010 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1011 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1012 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1013 master_key_ascii, real_blk_name, extra_params); 1014 crypt_params += strlen(crypt_params) + 1; 1015 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1016 tgt->next = crypt_params - buffer; 1017 1018 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1019 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1020 break; 1021 } 1022 usleep(500000); 1023 } 1024 1025 if (i == TABLE_LOAD_RETRIES) { 1026 /* We failed to load the table, return an error */ 1027 return -1; 1028 } else { 1029 return i + 1; 1030 } 1031 } 1032 1033 1034 static int get_dm_crypt_version(int fd, const char *name, int *version) 1035 { 1036 char buffer[DM_CRYPT_BUF_SIZE]; 1037 struct dm_ioctl *io; 1038 struct dm_target_versions *v; 1039 int i; 1040 1041 io = (struct dm_ioctl *) buffer; 1042 1043 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1044 1045 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1046 return -1; 1047 } 1048 1049 /* Iterate over the returned versions, looking for name of "crypt". 1050 * When found, get and return the version. 1051 */ 1052 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1053 while (v->next) { 1054 #ifdef CONFIG_HW_DISK_ENCRYPTION 1055 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1056 #else 1057 if (! strcmp(v->name, "crypt")) { 1058 #endif 1059 /* We found the crypt driver, return the version, and get out */ 1060 version[0] = v->version[0]; 1061 version[1] = v->version[1]; 1062 version[2] = v->version[2]; 1063 return 0; 1064 } 1065 v = (struct dm_target_versions *)(((char *)v) + v->next); 1066 } 1067 1068 return -1; 1069 } 1070 1071 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1072 char *real_blk_name, char *crypto_blk_name, const char *name) 1073 { 1074 char buffer[DM_CRYPT_BUF_SIZE]; 1075 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1076 char *crypt_params; 1077 struct dm_ioctl *io; 1078 struct dm_target_spec *tgt; 1079 unsigned int minor; 1080 int fd=0; 1081 int i; 1082 int retval = -1; 1083 int version[3]; 1084 char *extra_params; 1085 int load_count; 1086 1087 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1088 SLOGE("Cannot open device-mapper\n"); 1089 goto errout; 1090 } 1091 1092 io = (struct dm_ioctl *) buffer; 1093 1094 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1095 if (ioctl(fd, DM_DEV_CREATE, io)) { 1096 SLOGE("Cannot create dm-crypt device\n"); 1097 goto errout; 1098 } 1099 1100 /* Get the device status, in particular, the name of it's device file */ 1101 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1102 if (ioctl(fd, DM_DEV_STATUS, io)) { 1103 SLOGE("Cannot retrieve dm-crypt device status\n"); 1104 goto errout; 1105 } 1106 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1107 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1108 1109 extra_params = ""; 1110 if (! get_dm_crypt_version(fd, name, version)) { 1111 /* Support for allow_discards was added in version 1.11.0 */ 1112 if ((version[0] >= 2) || 1113 ((version[0] == 1) && (version[1] >= 11))) { 1114 extra_params = "1 allow_discards"; 1115 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1116 } 1117 } 1118 1119 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1120 fd, extra_params); 1121 if (load_count < 0) { 1122 SLOGE("Cannot load dm-crypt mapping table.\n"); 1123 goto errout; 1124 } else if (load_count > 1) { 1125 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1126 } 1127 1128 /* Resume this device to activate it */ 1129 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1130 1131 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1132 SLOGE("Cannot resume the dm-crypt device\n"); 1133 goto errout; 1134 } 1135 1136 /* We made it here with no errors. Woot! */ 1137 retval = 0; 1138 1139 errout: 1140 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1141 1142 return retval; 1143 } 1144 1145 static int delete_crypto_blk_dev(char *name) 1146 { 1147 int fd; 1148 char buffer[DM_CRYPT_BUF_SIZE]; 1149 struct dm_ioctl *io; 1150 int retval = -1; 1151 1152 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1153 SLOGE("Cannot open device-mapper\n"); 1154 goto errout; 1155 } 1156 1157 io = (struct dm_ioctl *) buffer; 1158 1159 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1160 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1161 SLOGE("Cannot remove dm-crypt device\n"); 1162 goto errout; 1163 } 1164 1165 /* We made it here with no errors. Woot! */ 1166 retval = 0; 1167 1168 errout: 1169 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1170 1171 return retval; 1172 1173 } 1174 1175 static int pbkdf2(const char *passwd, const unsigned char *salt, 1176 unsigned char *ikey, void *params UNUSED) 1177 { 1178 SLOGI("Using pbkdf2 for cryptfs KDF"); 1179 1180 /* Turn the password into a key and IV that can decrypt the master key */ 1181 unsigned int keysize; 1182 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1183 if (!master_key) return -1; 1184 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1185 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1186 1187 memset(master_key, 0, keysize); 1188 free (master_key); 1189 return 0; 1190 } 1191 1192 static int scrypt(const char *passwd, const unsigned char *salt, 1193 unsigned char *ikey, void *params) 1194 { 1195 SLOGI("Using scrypt for cryptfs KDF"); 1196 1197 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1198 1199 int N = 1 << ftr->N_factor; 1200 int r = 1 << ftr->r_factor; 1201 int p = 1 << ftr->p_factor; 1202 1203 /* Turn the password into a key and IV that can decrypt the master key */ 1204 unsigned int keysize; 1205 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1206 if (!master_key) return -1; 1207 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1208 KEY_LEN_BYTES + IV_LEN_BYTES); 1209 1210 memset(master_key, 0, keysize); 1211 free (master_key); 1212 return 0; 1213 } 1214 1215 static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1216 unsigned char *ikey, void *params) 1217 { 1218 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1219 1220 int rc; 1221 unsigned int key_size; 1222 size_t signature_size; 1223 unsigned char* signature; 1224 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1225 1226 int N = 1 << ftr->N_factor; 1227 int r = 1 << ftr->r_factor; 1228 int p = 1 << ftr->p_factor; 1229 1230 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1231 if (!master_key) { 1232 SLOGE("Failed to convert passwd from hex"); 1233 return -1; 1234 } 1235 1236 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1237 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1238 memset(master_key, 0, key_size); 1239 free(master_key); 1240 1241 if (rc) { 1242 SLOGE("scrypt failed"); 1243 return -1; 1244 } 1245 1246 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1247 &signature, &signature_size)) { 1248 SLOGE("Signing failed"); 1249 return -1; 1250 } 1251 1252 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1253 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1254 free(signature); 1255 1256 if (rc) { 1257 SLOGE("scrypt failed"); 1258 return -1; 1259 } 1260 1261 return 0; 1262 } 1263 1264 static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1265 const unsigned char *decrypted_master_key, 1266 unsigned char *encrypted_master_key, 1267 struct crypt_mnt_ftr *crypt_ftr) 1268 { 1269 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1270 EVP_CIPHER_CTX e_ctx; 1271 int encrypted_len, final_len; 1272 int rc = 0; 1273 1274 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1275 get_device_scrypt_params(crypt_ftr); 1276 1277 switch (crypt_ftr->kdf_type) { 1278 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1279 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1280 case KDF_SCRYPT_KEYMASTER: 1281 if (keymaster_create_key(crypt_ftr)) { 1282 SLOGE("keymaster_create_key failed"); 1283 return -1; 1284 } 1285 1286 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1287 SLOGE("scrypt failed"); 1288 return -1; 1289 } 1290 break; 1291 1292 case KDF_SCRYPT: 1293 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1294 SLOGE("scrypt failed"); 1295 return -1; 1296 } 1297 break; 1298 1299 default: 1300 SLOGE("Invalid kdf_type"); 1301 return -1; 1302 } 1303 1304 /* Initialize the decryption engine */ 1305 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1306 SLOGE("EVP_EncryptInit failed\n"); 1307 return -1; 1308 } 1309 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1310 1311 /* Encrypt the master key */ 1312 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1313 decrypted_master_key, KEY_LEN_BYTES)) { 1314 SLOGE("EVP_EncryptUpdate failed\n"); 1315 return -1; 1316 } 1317 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1318 SLOGE("EVP_EncryptFinal failed\n"); 1319 return -1; 1320 } 1321 1322 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1323 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1324 return -1; 1325 } 1326 1327 /* Store the scrypt of the intermediate key, so we can validate if it's a 1328 password error or mount error when things go wrong. 1329 Note there's no need to check for errors, since if this is incorrect, we 1330 simply won't wipe userdata, which is the correct default behavior 1331 */ 1332 int N = 1 << crypt_ftr->N_factor; 1333 int r = 1 << crypt_ftr->r_factor; 1334 int p = 1 << crypt_ftr->p_factor; 1335 1336 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1337 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1338 crypt_ftr->scrypted_intermediate_key, 1339 sizeof(crypt_ftr->scrypted_intermediate_key)); 1340 1341 if (rc) { 1342 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1343 } 1344 1345 return 0; 1346 } 1347 1348 static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1349 unsigned char *encrypted_master_key, 1350 unsigned char *decrypted_master_key, 1351 kdf_func kdf, void *kdf_params, 1352 unsigned char** intermediate_key, 1353 size_t* intermediate_key_size) 1354 { 1355 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1356 EVP_CIPHER_CTX d_ctx; 1357 int decrypted_len, final_len; 1358 1359 /* Turn the password into an intermediate key and IV that can decrypt the 1360 master key */ 1361 if (kdf(passwd, salt, ikey, kdf_params)) { 1362 SLOGE("kdf failed"); 1363 return -1; 1364 } 1365 1366 /* Initialize the decryption engine */ 1367 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1368 return -1; 1369 } 1370 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1371 /* Decrypt the master key */ 1372 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1373 encrypted_master_key, KEY_LEN_BYTES)) { 1374 return -1; 1375 } 1376 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1377 return -1; 1378 } 1379 1380 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1381 return -1; 1382 } 1383 1384 /* Copy intermediate key if needed by params */ 1385 if (intermediate_key && intermediate_key_size) { 1386 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1387 if (intermediate_key) { 1388 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1389 *intermediate_key_size = KEY_LEN_BYTES; 1390 } 1391 } 1392 1393 return 0; 1394 } 1395 1396 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1397 { 1398 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1399 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1400 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1401 *kdf = scrypt_keymaster; 1402 *kdf_params = ftr; 1403 } else if (ftr->kdf_type == KDF_SCRYPT) { 1404 *kdf = scrypt; 1405 *kdf_params = ftr; 1406 } else { 1407 *kdf = pbkdf2; 1408 *kdf_params = NULL; 1409 } 1410 } 1411 1412 static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1413 struct crypt_mnt_ftr *crypt_ftr, 1414 unsigned char** intermediate_key, 1415 size_t* intermediate_key_size) 1416 { 1417 kdf_func kdf; 1418 void *kdf_params; 1419 int ret; 1420 1421 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1422 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1423 decrypted_master_key, kdf, kdf_params, 1424 intermediate_key, intermediate_key_size); 1425 if (ret != 0) { 1426 SLOGW("failure decrypting master key"); 1427 } 1428 1429 return ret; 1430 } 1431 1432 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1433 struct crypt_mnt_ftr *crypt_ftr) { 1434 int fd; 1435 unsigned char key_buf[KEY_LEN_BYTES]; 1436 EVP_CIPHER_CTX e_ctx; 1437 int encrypted_len, final_len; 1438 1439 /* Get some random bits for a key */ 1440 fd = open("/dev/urandom", O_RDONLY); 1441 read(fd, key_buf, sizeof(key_buf)); 1442 read(fd, salt, SALT_LEN); 1443 close(fd); 1444 1445 /* Now encrypt it with the password */ 1446 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1447 } 1448 1449 static int wait_and_unmount(char *mountpoint, bool kill) 1450 { 1451 int i, err, rc; 1452 #define WAIT_UNMOUNT_COUNT 20 1453 1454 /* Now umount the tmpfs filesystem */ 1455 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1456 if (umount(mountpoint) == 0) { 1457 break; 1458 } 1459 1460 if (errno == EINVAL) { 1461 /* EINVAL is returned if the directory is not a mountpoint, 1462 * i.e. there is no filesystem mounted there. So just get out. 1463 */ 1464 break; 1465 } 1466 1467 err = errno; 1468 1469 /* If allowed, be increasingly aggressive before the last two retries */ 1470 if (kill) { 1471 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1472 SLOGW("sending SIGHUP to processes with open files\n"); 1473 vold_killProcessesWithOpenFiles(mountpoint, 1); 1474 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1475 SLOGW("sending SIGKILL to processes with open files\n"); 1476 vold_killProcessesWithOpenFiles(mountpoint, 2); 1477 } 1478 } 1479 1480 sleep(1); 1481 } 1482 1483 if (i < WAIT_UNMOUNT_COUNT) { 1484 SLOGD("unmounting %s succeeded\n", mountpoint); 1485 rc = 0; 1486 } else { 1487 vold_killProcessesWithOpenFiles(mountpoint, 0); 1488 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1489 rc = -1; 1490 } 1491 1492 return rc; 1493 } 1494 1495 #define DATA_PREP_TIMEOUT 200 1496 static int prep_data_fs(void) 1497 { 1498 int i; 1499 1500 /* Do the prep of the /data filesystem */ 1501 property_set("vold.post_fs_data_done", "0"); 1502 property_set("vold.decrypt", "trigger_post_fs_data"); 1503 SLOGD("Just triggered post_fs_data\n"); 1504 1505 /* Wait a max of 50 seconds, hopefully it takes much less */ 1506 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1507 char p[PROPERTY_VALUE_MAX]; 1508 1509 property_get("vold.post_fs_data_done", p, "0"); 1510 if (*p == '1') { 1511 break; 1512 } else { 1513 usleep(250000); 1514 } 1515 } 1516 if (i == DATA_PREP_TIMEOUT) { 1517 /* Ugh, we failed to prep /data in time. Bail. */ 1518 SLOGE("post_fs_data timed out!\n"); 1519 return -1; 1520 } else { 1521 SLOGD("post_fs_data done\n"); 1522 return 0; 1523 } 1524 } 1525 1526 static void cryptfs_set_corrupt() 1527 { 1528 // Mark the footer as bad 1529 struct crypt_mnt_ftr crypt_ftr; 1530 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1531 SLOGE("Failed to get crypto footer - panic"); 1532 return; 1533 } 1534 1535 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1536 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1537 SLOGE("Failed to set crypto footer - panic"); 1538 return; 1539 } 1540 } 1541 1542 static void cryptfs_trigger_restart_min_framework() 1543 { 1544 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1545 SLOGE("Failed to mount tmpfs on data - panic"); 1546 return; 1547 } 1548 1549 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1550 SLOGE("Failed to trigger post fs data - panic"); 1551 return; 1552 } 1553 1554 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1555 SLOGE("Failed to trigger restart min framework - panic"); 1556 return; 1557 } 1558 } 1559 1560 /* returns < 0 on failure */ 1561 static int cryptfs_restart_internal(int restart_main) 1562 { 1563 char fs_type[32]; 1564 char real_blkdev[MAXPATHLEN]; 1565 char crypto_blkdev[MAXPATHLEN]; 1566 char fs_options[256]; 1567 unsigned long mnt_flags; 1568 struct stat statbuf; 1569 int rc = -1, i; 1570 static int restart_successful = 0; 1571 1572 /* Validate that it's OK to call this routine */ 1573 if (! master_key_saved) { 1574 SLOGE("Encrypted filesystem not validated, aborting"); 1575 return -1; 1576 } 1577 1578 if (restart_successful) { 1579 SLOGE("System already restarted with encrypted disk, aborting"); 1580 return -1; 1581 } 1582 1583 if (restart_main) { 1584 /* Here is where we shut down the framework. The init scripts 1585 * start all services in one of three classes: core, main or late_start. 1586 * On boot, we start core and main. Now, we stop main, but not core, 1587 * as core includes vold and a few other really important things that 1588 * we need to keep running. Once main has stopped, we should be able 1589 * to umount the tmpfs /data, then mount the encrypted /data. 1590 * We then restart the class main, and also the class late_start. 1591 * At the moment, I've only put a few things in late_start that I know 1592 * are not needed to bring up the framework, and that also cause problems 1593 * with unmounting the tmpfs /data, but I hope to add add more services 1594 * to the late_start class as we optimize this to decrease the delay 1595 * till the user is asked for the password to the filesystem. 1596 */ 1597 1598 /* The init files are setup to stop the class main when vold.decrypt is 1599 * set to trigger_reset_main. 1600 */ 1601 property_set("vold.decrypt", "trigger_reset_main"); 1602 SLOGD("Just asked init to shut down class main\n"); 1603 1604 /* Ugh, shutting down the framework is not synchronous, so until it 1605 * can be fixed, this horrible hack will wait a moment for it all to 1606 * shut down before proceeding. Without it, some devices cannot 1607 * restart the graphics services. 1608 */ 1609 sleep(2); 1610 } 1611 1612 /* Now that the framework is shutdown, we should be able to umount() 1613 * the tmpfs filesystem, and mount the real one. 1614 */ 1615 1616 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1617 if (strlen(crypto_blkdev) == 0) { 1618 SLOGE("fs_crypto_blkdev not set\n"); 1619 return -1; 1620 } 1621 1622 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1623 /* If ro.crypto.readonly is set to 1, mount the decrypted 1624 * filesystem readonly. This is used when /data is mounted by 1625 * recovery mode. 1626 */ 1627 char ro_prop[PROPERTY_VALUE_MAX]; 1628 property_get("ro.crypto.readonly", ro_prop, ""); 1629 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1630 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1631 rec->flags |= MS_RDONLY; 1632 } 1633 1634 /* If that succeeded, then mount the decrypted filesystem */ 1635 int retries = RETRY_MOUNT_ATTEMPTS; 1636 int mount_rc; 1637 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1638 crypto_blkdev, 0)) 1639 != 0) { 1640 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1641 /* TODO: invoke something similar to 1642 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1643 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1644 SLOGI("Failed to mount %s because it is busy - waiting", 1645 crypto_blkdev); 1646 if (--retries) { 1647 sleep(RETRY_MOUNT_DELAY_SECONDS); 1648 } else { 1649 /* Let's hope that a reboot clears away whatever is keeping 1650 the mount busy */ 1651 cryptfs_reboot(reboot); 1652 } 1653 } else { 1654 SLOGE("Failed to mount decrypted data"); 1655 cryptfs_set_corrupt(); 1656 cryptfs_trigger_restart_min_framework(); 1657 SLOGI("Started framework to offer wipe"); 1658 return -1; 1659 } 1660 } 1661 1662 property_set("vold.decrypt", "trigger_load_persist_props"); 1663 /* Create necessary paths on /data */ 1664 if (prep_data_fs()) { 1665 return -1; 1666 } 1667 1668 /* startup service classes main and late_start */ 1669 property_set("vold.decrypt", "trigger_restart_framework"); 1670 SLOGD("Just triggered restart_framework\n"); 1671 1672 /* Give it a few moments to get started */ 1673 sleep(1); 1674 } 1675 1676 if (rc == 0) { 1677 restart_successful = 1; 1678 } 1679 1680 return rc; 1681 } 1682 1683 int cryptfs_restart(void) 1684 { 1685 /* Call internal implementation forcing a restart of main service group */ 1686 return cryptfs_restart_internal(1); 1687 } 1688 1689 static int do_crypto_complete(char *mount_point UNUSED) 1690 { 1691 struct crypt_mnt_ftr crypt_ftr; 1692 char encrypted_state[PROPERTY_VALUE_MAX]; 1693 char key_loc[PROPERTY_VALUE_MAX]; 1694 1695 property_get("ro.crypto.state", encrypted_state, ""); 1696 if (strcmp(encrypted_state, "encrypted") ) { 1697 SLOGE("not running with encryption, aborting"); 1698 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1699 } 1700 1701 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1702 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1703 1704 /* 1705 * Only report this error if key_loc is a file and it exists. 1706 * If the device was never encrypted, and /data is not mountable for 1707 * some reason, returning 1 should prevent the UI from presenting the 1708 * a "enter password" screen, or worse, a "press button to wipe the 1709 * device" screen. 1710 */ 1711 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1712 SLOGE("master key file does not exist, aborting"); 1713 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1714 } else { 1715 SLOGE("Error getting crypt footer and key\n"); 1716 return CRYPTO_COMPLETE_BAD_METADATA; 1717 } 1718 } 1719 1720 // Test for possible error flags 1721 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1722 SLOGE("Encryption process is partway completed\n"); 1723 return CRYPTO_COMPLETE_PARTIAL; 1724 } 1725 1726 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1727 SLOGE("Encryption process was interrupted but cannot continue\n"); 1728 return CRYPTO_COMPLETE_INCONSISTENT; 1729 } 1730 1731 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1732 SLOGE("Encryption is successful but data is corrupt\n"); 1733 return CRYPTO_COMPLETE_CORRUPT; 1734 } 1735 1736 /* We passed the test! We shall diminish, and return to the west */ 1737 return CRYPTO_COMPLETE_ENCRYPTED; 1738 } 1739 1740 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1741 char *passwd, char *mount_point, char *label) 1742 { 1743 /* Allocate enough space for a 256 bit key, but we may use less */ 1744 unsigned char decrypted_master_key[32]; 1745 char crypto_blkdev[MAXPATHLEN]; 1746 char real_blkdev[MAXPATHLEN]; 1747 char tmp_mount_point[64]; 1748 unsigned int orig_failed_decrypt_count; 1749 int rc; 1750 kdf_func kdf; 1751 void *kdf_params; 1752 int use_keymaster = 0; 1753 int upgrade = 0; 1754 unsigned char* intermediate_key = 0; 1755 size_t intermediate_key_size = 0; 1756 1757 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1758 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1759 1760 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1761 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1762 &intermediate_key, &intermediate_key_size)) { 1763 SLOGE("Failed to decrypt master key\n"); 1764 rc = -1; 1765 goto errout; 1766 } 1767 } 1768 1769 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1770 1771 #ifdef CONFIG_HW_DISK_ENCRYPTION 1772 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1773 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1774 SLOGE("Hardware encryption key does not match"); 1775 } 1776 } 1777 #endif 1778 1779 // Create crypto block device - all (non fatal) code paths 1780 // need it 1781 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1782 real_blkdev, crypto_blkdev, label)) { 1783 SLOGE("Error creating decrypted block device\n"); 1784 rc = -1; 1785 goto errout; 1786 } 1787 1788 /* Work out if the problem is the password or the data */ 1789 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1790 scrypted_intermediate_key)]; 1791 int N = 1 << crypt_ftr->N_factor; 1792 int r = 1 << crypt_ftr->r_factor; 1793 int p = 1 << crypt_ftr->p_factor; 1794 1795 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1796 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1797 N, r, p, scrypted_intermediate_key, 1798 sizeof(scrypted_intermediate_key)); 1799 1800 // Does the key match the crypto footer? 1801 if (rc == 0 && memcmp(scrypted_intermediate_key, 1802 crypt_ftr->scrypted_intermediate_key, 1803 sizeof(scrypted_intermediate_key)) == 0) { 1804 SLOGI("Password matches"); 1805 rc = 0; 1806 } else { 1807 /* Try mounting the file system anyway, just in case the problem's with 1808 * the footer, not the key. */ 1809 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1810 mkdir(tmp_mount_point, 0755); 1811 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1812 SLOGE("Error temp mounting decrypted block device\n"); 1813 delete_crypto_blk_dev(label); 1814 1815 rc = ++crypt_ftr->failed_decrypt_count; 1816 put_crypt_ftr_and_key(crypt_ftr); 1817 } else { 1818 /* Success! */ 1819 SLOGI("Password did not match but decrypted drive mounted - continue"); 1820 umount(tmp_mount_point); 1821 rc = 0; 1822 } 1823 } 1824 1825 if (rc == 0) { 1826 crypt_ftr->failed_decrypt_count = 0; 1827 if (orig_failed_decrypt_count != 0) { 1828 put_crypt_ftr_and_key(crypt_ftr); 1829 } 1830 1831 /* Save the name of the crypto block device 1832 * so we can mount it when restarting the framework. */ 1833 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1834 1835 /* Also save a the master key so we can reencrypted the key 1836 * the key when we want to change the password on it. */ 1837 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1838 saved_mount_point = strdup(mount_point); 1839 master_key_saved = 1; 1840 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1841 rc = 0; 1842 1843 // Upgrade if we're not using the latest KDF. 1844 use_keymaster = keymaster_check_compatibility(); 1845 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1846 // Don't allow downgrade 1847 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1848 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1849 upgrade = 1; 1850 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1851 crypt_ftr->kdf_type = KDF_SCRYPT; 1852 upgrade = 1; 1853 } 1854 1855 if (upgrade) { 1856 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1857 crypt_ftr->master_key, crypt_ftr); 1858 if (!rc) { 1859 rc = put_crypt_ftr_and_key(crypt_ftr); 1860 } 1861 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1862 1863 // Do not fail even if upgrade failed - machine is bootable 1864 // Note that if this code is ever hit, there is a *serious* problem 1865 // since KDFs should never fail. You *must* fix the kdf before 1866 // proceeding! 1867 if (rc) { 1868 SLOGW("Upgrade failed with error %d," 1869 " but continuing with previous state", 1870 rc); 1871 rc = 0; 1872 } 1873 } 1874 } 1875 1876 errout: 1877 if (intermediate_key) { 1878 memset(intermediate_key, 0, intermediate_key_size); 1879 free(intermediate_key); 1880 } 1881 return rc; 1882 } 1883 1884 /* Called by vold when it wants to undo the crypto mapping of a volume it 1885 * manages. This is usually in response to a factory reset, when we want 1886 * to undo the crypto mapping so the volume is formatted in the clear. 1887 */ 1888 int cryptfs_revert_volume(const char *label) 1889 { 1890 return delete_crypto_blk_dev((char *)label); 1891 } 1892 1893 /* 1894 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1895 * Setup a dm-crypt mapping, use the saved master key from 1896 * setting up the /data mapping, and return the new device path. 1897 */ 1898 int cryptfs_setup_volume(const char *label, int major, int minor, 1899 char *crypto_sys_path, unsigned int max_path, 1900 int *new_major, int *new_minor) 1901 { 1902 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1903 struct crypt_mnt_ftr sd_crypt_ftr; 1904 struct stat statbuf; 1905 int nr_sec, fd; 1906 1907 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1908 1909 get_crypt_ftr_and_key(&sd_crypt_ftr); 1910 1911 /* Update the fs_size field to be the size of the volume */ 1912 fd = open(real_blkdev, O_RDONLY); 1913 nr_sec = get_blkdev_size(fd); 1914 close(fd); 1915 if (nr_sec == 0) { 1916 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1917 return -1; 1918 } 1919 1920 sd_crypt_ftr.fs_size = nr_sec; 1921 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1922 crypto_blkdev, label); 1923 1924 if (stat(crypto_blkdev, &statbuf) < 0) { 1925 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1926 crypto_blkdev, errno, strerror(errno)); 1927 } 1928 *new_major = MAJOR(statbuf.st_rdev); 1929 *new_minor = MINOR(statbuf.st_rdev); 1930 1931 /* Create path to sys entry for this block device */ 1932 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1933 1934 return 0; 1935 } 1936 1937 int cryptfs_crypto_complete(void) 1938 { 1939 return do_crypto_complete("/data"); 1940 } 1941 1942 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1943 { 1944 char encrypted_state[PROPERTY_VALUE_MAX]; 1945 property_get("ro.crypto.state", encrypted_state, ""); 1946 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1947 SLOGE("encrypted fs already validated or not running with encryption," 1948 " aborting"); 1949 return -1; 1950 } 1951 1952 if (get_crypt_ftr_and_key(crypt_ftr)) { 1953 SLOGE("Error getting crypt footer and key"); 1954 return -1; 1955 } 1956 1957 return 0; 1958 } 1959 1960 /* 1961 * TODO - transition patterns to new format in calling code 1962 * and remove this vile hack, and the use of hex in 1963 * the password passing code. 1964 * 1965 * Patterns are passed in zero based (i.e. the top left dot 1966 * is represented by zero, the top middle one etc), but we want 1967 * to store them '1' based. 1968 * This is to allow us to migrate the calling code to use this 1969 * convention. It also solves a nasty problem whereby scrypt ignores 1970 * trailing zeros, so patterns ending at the top left could be 1971 * truncated, and similarly, you could add the top left to any 1972 * pattern and still match. 1973 * adjust_passwd is a hack function that returns the alternate representation 1974 * if the password appears to be a pattern (hex numbers all less than 09) 1975 * If it succeeds we need to try both, and in particular try the alternate 1976 * first. If the original matches, then we need to update the footer 1977 * with the alternate. 1978 * All code that accepts passwords must adjust them first. Since 1979 * cryptfs_check_passwd is always the first function called after a migration 1980 * (and indeed on any boot) we only need to do the double try in this 1981 * function. 1982 */ 1983 char* adjust_passwd(const char* passwd) 1984 { 1985 size_t index, length; 1986 1987 if (!passwd) { 1988 return 0; 1989 } 1990 1991 // Check even length. Hex encoded passwords are always 1992 // an even length, since each character encodes to two characters. 1993 length = strlen(passwd); 1994 if (length % 2) { 1995 SLOGW("Password not correctly hex encoded."); 1996 return 0; 1997 } 1998 1999 // Check password is old-style pattern - a collection of hex 2000 // encoded bytes less than 9 (00 through 08) 2001 for (index = 0; index < length; index +=2) { 2002 if (passwd[index] != '0' 2003 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 2004 return 0; 2005 } 2006 } 2007 2008 // Allocate room for adjusted passwd and null terminate 2009 char* adjusted = malloc(length + 1); 2010 adjusted[length] = 0; 2011 2012 // Add 0x31 ('1') to each character 2013 for (index = 0; index < length; index += 2) { 2014 // output is 31 through 39 so set first byte to three, second to src + 1 2015 adjusted[index] = '3'; 2016 adjusted[index + 1] = passwd[index + 1] + 1; 2017 } 2018 2019 return adjusted; 2020 } 2021 2022 int cryptfs_check_passwd(char *passwd) 2023 { 2024 struct crypt_mnt_ftr crypt_ftr; 2025 int rc; 2026 2027 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2028 if (rc) 2029 return rc; 2030 2031 char* adjusted_passwd = adjust_passwd(passwd); 2032 if (adjusted_passwd) { 2033 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2034 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2035 DATA_MNT_POINT, "userdata"); 2036 2037 // Maybe the original one still works? 2038 if (rc) { 2039 // Don't double count this failure 2040 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2041 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2042 DATA_MNT_POINT, "userdata"); 2043 if (!rc) { 2044 // cryptfs_changepw also adjusts so pass original 2045 // Note that adjust_passwd only recognises patterns 2046 // so we can safely use CRYPT_TYPE_PATTERN 2047 SLOGI("Updating pattern to new format"); 2048 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2049 } 2050 } 2051 free(adjusted_passwd); 2052 } else { 2053 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2054 DATA_MNT_POINT, "userdata"); 2055 } 2056 2057 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2058 cryptfs_clear_password(); 2059 password = strdup(passwd); 2060 struct timespec now; 2061 clock_gettime(CLOCK_BOOTTIME, &now); 2062 password_expiry_time = now.tv_sec + password_max_age_seconds; 2063 } 2064 2065 return rc; 2066 } 2067 2068 int cryptfs_verify_passwd(char *passwd) 2069 { 2070 struct crypt_mnt_ftr crypt_ftr; 2071 /* Allocate enough space for a 256 bit key, but we may use less */ 2072 unsigned char decrypted_master_key[32]; 2073 char encrypted_state[PROPERTY_VALUE_MAX]; 2074 int rc; 2075 2076 property_get("ro.crypto.state", encrypted_state, ""); 2077 if (strcmp(encrypted_state, "encrypted") ) { 2078 SLOGE("device not encrypted, aborting"); 2079 return -2; 2080 } 2081 2082 if (!master_key_saved) { 2083 SLOGE("encrypted fs not yet mounted, aborting"); 2084 return -1; 2085 } 2086 2087 if (!saved_mount_point) { 2088 SLOGE("encrypted fs failed to save mount point, aborting"); 2089 return -1; 2090 } 2091 2092 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2093 SLOGE("Error getting crypt footer and key\n"); 2094 return -1; 2095 } 2096 2097 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2098 /* If the device has no password, then just say the password is valid */ 2099 rc = 0; 2100 } else { 2101 char* adjusted_passwd = adjust_passwd(passwd); 2102 if (adjusted_passwd) { 2103 passwd = adjusted_passwd; 2104 } 2105 2106 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2107 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2108 /* They match, the password is correct */ 2109 rc = 0; 2110 } else { 2111 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2112 sleep(1); 2113 rc = 1; 2114 } 2115 2116 free(adjusted_passwd); 2117 } 2118 2119 return rc; 2120 } 2121 2122 /* Initialize a crypt_mnt_ftr structure. The keysize is 2123 * defaulted to 16 bytes, and the filesystem size to 0. 2124 * Presumably, at a minimum, the caller will update the 2125 * filesystem size and crypto_type_name after calling this function. 2126 */ 2127 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2128 { 2129 off64_t off; 2130 2131 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2132 ftr->magic = CRYPT_MNT_MAGIC; 2133 ftr->major_version = CURRENT_MAJOR_VERSION; 2134 ftr->minor_version = CURRENT_MINOR_VERSION; 2135 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2136 ftr->keysize = KEY_LEN_BYTES; 2137 2138 switch (keymaster_check_compatibility()) { 2139 case 1: 2140 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2141 break; 2142 2143 case 0: 2144 ftr->kdf_type = KDF_SCRYPT; 2145 break; 2146 2147 default: 2148 SLOGE("keymaster_check_compatibility failed"); 2149 return -1; 2150 } 2151 2152 get_device_scrypt_params(ftr); 2153 2154 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2155 if (get_crypt_ftr_info(NULL, &off) == 0) { 2156 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2157 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2158 ftr->persist_data_size; 2159 } 2160 2161 return 0; 2162 } 2163 2164 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2165 { 2166 const char *args[10]; 2167 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2168 int num_args; 2169 int status; 2170 int tmp; 2171 int rc = -1; 2172 2173 if (type == EXT4_FS) { 2174 args[0] = "/system/bin/make_ext4fs"; 2175 args[1] = "-a"; 2176 args[2] = "/data"; 2177 args[3] = "-l"; 2178 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2179 args[4] = size_str; 2180 args[5] = crypto_blkdev; 2181 num_args = 6; 2182 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2183 args[0], args[1], args[2], args[3], args[4], args[5]); 2184 } else if (type == F2FS_FS) { 2185 args[0] = "/system/bin/mkfs.f2fs"; 2186 args[1] = "-t"; 2187 args[2] = "-d1"; 2188 args[3] = crypto_blkdev; 2189 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2190 args[4] = size_str; 2191 num_args = 5; 2192 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2193 args[0], args[1], args[2], args[3], args[4]); 2194 } else { 2195 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2196 return -1; 2197 } 2198 2199 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2200 2201 if (tmp != 0) { 2202 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2203 } else { 2204 if (WIFEXITED(status)) { 2205 if (WEXITSTATUS(status)) { 2206 SLOGE("Error creating filesystem on %s, exit status %d ", 2207 crypto_blkdev, WEXITSTATUS(status)); 2208 } else { 2209 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2210 rc = 0; 2211 } 2212 } else { 2213 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2214 } 2215 } 2216 2217 return rc; 2218 } 2219 2220 #define CRYPT_INPLACE_BUFSIZE 4096 2221 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2222 #define CRYPT_SECTOR_SIZE 512 2223 2224 /* aligned 32K writes tends to make flash happy. 2225 * SD card association recommends it. 2226 */ 2227 #ifndef CONFIG_HW_DISK_ENCRYPTION 2228 #define BLOCKS_AT_A_TIME 8 2229 #else 2230 #define BLOCKS_AT_A_TIME 1024 2231 #endif 2232 2233 struct encryptGroupsData 2234 { 2235 int realfd; 2236 int cryptofd; 2237 off64_t numblocks; 2238 off64_t one_pct, cur_pct, new_pct; 2239 off64_t blocks_already_done, tot_numblocks; 2240 off64_t used_blocks_already_done, tot_used_blocks; 2241 char* real_blkdev, * crypto_blkdev; 2242 int count; 2243 off64_t offset; 2244 char* buffer; 2245 off64_t last_written_sector; 2246 int completed; 2247 time_t time_started; 2248 int remaining_time; 2249 }; 2250 2251 static void update_progress(struct encryptGroupsData* data, int is_used) 2252 { 2253 data->blocks_already_done++; 2254 2255 if (is_used) { 2256 data->used_blocks_already_done++; 2257 } 2258 if (data->tot_used_blocks) { 2259 data->new_pct = data->used_blocks_already_done / data->one_pct; 2260 } else { 2261 data->new_pct = data->blocks_already_done / data->one_pct; 2262 } 2263 2264 if (data->new_pct > data->cur_pct) { 2265 char buf[8]; 2266 data->cur_pct = data->new_pct; 2267 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2268 property_set("vold.encrypt_progress", buf); 2269 } 2270 2271 if (data->cur_pct >= 5) { 2272 struct timespec time_now; 2273 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2274 SLOGW("Error getting time"); 2275 } else { 2276 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2277 off64_t remaining_blocks = data->tot_used_blocks 2278 - data->used_blocks_already_done; 2279 int remaining_time = (int)(elapsed_time * remaining_blocks 2280 / data->used_blocks_already_done); 2281 2282 // Change time only if not yet set, lower, or a lot higher for 2283 // best user experience 2284 if (data->remaining_time == -1 2285 || remaining_time < data->remaining_time 2286 || remaining_time > data->remaining_time + 60) { 2287 char buf[8]; 2288 snprintf(buf, sizeof(buf), "%d", remaining_time); 2289 property_set("vold.encrypt_time_remaining", buf); 2290 data->remaining_time = remaining_time; 2291 } 2292 } 2293 } 2294 } 2295 2296 static void log_progress(struct encryptGroupsData const* data, bool completed) 2297 { 2298 // Precondition - if completed data = 0 else data != 0 2299 2300 // Track progress so we can skip logging blocks 2301 static off64_t offset = -1; 2302 2303 // Need to close existing 'Encrypting from' log? 2304 if (completed || (offset != -1 && data->offset != offset)) { 2305 SLOGI("Encrypted to sector %" PRId64, 2306 offset / info.block_size * CRYPT_SECTOR_SIZE); 2307 offset = -1; 2308 } 2309 2310 // Need to start new 'Encrypting from' log? 2311 if (!completed && offset != data->offset) { 2312 SLOGI("Encrypting from sector %" PRId64, 2313 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2314 } 2315 2316 // Update offset 2317 if (!completed) { 2318 offset = data->offset + (off64_t)data->count * info.block_size; 2319 } 2320 } 2321 2322 static int flush_outstanding_data(struct encryptGroupsData* data) 2323 { 2324 if (data->count == 0) { 2325 return 0; 2326 } 2327 2328 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2329 2330 if (pread64(data->realfd, data->buffer, 2331 info.block_size * data->count, data->offset) 2332 <= 0) { 2333 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2334 data->real_blkdev); 2335 return -1; 2336 } 2337 2338 if (pwrite64(data->cryptofd, data->buffer, 2339 info.block_size * data->count, data->offset) 2340 <= 0) { 2341 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2342 data->crypto_blkdev); 2343 return -1; 2344 } else { 2345 log_progress(data, false); 2346 } 2347 2348 data->count = 0; 2349 data->last_written_sector = (data->offset + data->count) 2350 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2351 return 0; 2352 } 2353 2354 static int encrypt_groups(struct encryptGroupsData* data) 2355 { 2356 unsigned int i; 2357 u8 *block_bitmap = 0; 2358 unsigned int block; 2359 off64_t ret; 2360 int rc = -1; 2361 2362 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2363 if (!data->buffer) { 2364 SLOGE("Failed to allocate crypto buffer"); 2365 goto errout; 2366 } 2367 2368 block_bitmap = malloc(info.block_size); 2369 if (!block_bitmap) { 2370 SLOGE("failed to allocate block bitmap"); 2371 goto errout; 2372 } 2373 2374 for (i = 0; i < aux_info.groups; ++i) { 2375 SLOGI("Encrypting group %d", i); 2376 2377 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2378 u32 block_count = min(info.blocks_per_group, 2379 aux_info.len_blocks - first_block); 2380 2381 off64_t offset = (u64)info.block_size 2382 * aux_info.bg_desc[i].bg_block_bitmap; 2383 2384 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2385 if (ret != (int)info.block_size) { 2386 SLOGE("failed to read all of block group bitmap %d", i); 2387 goto errout; 2388 } 2389 2390 offset = (u64)info.block_size * first_block; 2391 2392 data->count = 0; 2393 2394 for (block = 0; block < block_count; block++) { 2395 int used = bitmap_get_bit(block_bitmap, block); 2396 update_progress(data, used); 2397 if (used) { 2398 if (data->count == 0) { 2399 data->offset = offset; 2400 } 2401 data->count++; 2402 } else { 2403 if (flush_outstanding_data(data)) { 2404 goto errout; 2405 } 2406 } 2407 2408 offset += info.block_size; 2409 2410 /* Write data if we are aligned or buffer size reached */ 2411 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2412 || data->count == BLOCKS_AT_A_TIME) { 2413 if (flush_outstanding_data(data)) { 2414 goto errout; 2415 } 2416 } 2417 2418 if (!is_battery_ok_to_continue()) { 2419 SLOGE("Stopping encryption due to low battery"); 2420 rc = 0; 2421 goto errout; 2422 } 2423 2424 } 2425 if (flush_outstanding_data(data)) { 2426 goto errout; 2427 } 2428 } 2429 2430 data->completed = 1; 2431 rc = 0; 2432 2433 errout: 2434 log_progress(0, true); 2435 free(data->buffer); 2436 free(block_bitmap); 2437 return rc; 2438 } 2439 2440 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2441 char *real_blkdev, 2442 off64_t size, 2443 off64_t *size_already_done, 2444 off64_t tot_size, 2445 off64_t previously_encrypted_upto) 2446 { 2447 u32 i; 2448 struct encryptGroupsData data; 2449 int rc; // Can't initialize without causing warning -Wclobbered 2450 2451 if (previously_encrypted_upto > *size_already_done) { 2452 SLOGD("Not fast encrypting since resuming part way through"); 2453 return -1; 2454 } 2455 2456 memset(&data, 0, sizeof(data)); 2457 data.real_blkdev = real_blkdev; 2458 data.crypto_blkdev = crypto_blkdev; 2459 2460 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2461 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2462 real_blkdev, errno, strerror(errno)); 2463 rc = -1; 2464 goto errout; 2465 } 2466 2467 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2468 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2469 crypto_blkdev, errno, strerror(errno)); 2470 rc = ENABLE_INPLACE_ERR_DEV; 2471 goto errout; 2472 } 2473 2474 if (setjmp(setjmp_env)) { 2475 SLOGE("Reading ext4 extent caused an exception\n"); 2476 rc = -1; 2477 goto errout; 2478 } 2479 2480 if (read_ext(data.realfd, 0) != 0) { 2481 SLOGE("Failed to read ext4 extent\n"); 2482 rc = -1; 2483 goto errout; 2484 } 2485 2486 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2487 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2488 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2489 2490 SLOGI("Encrypting ext4 filesystem in place..."); 2491 2492 data.tot_used_blocks = data.numblocks; 2493 for (i = 0; i < aux_info.groups; ++i) { 2494 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2495 } 2496 2497 data.one_pct = data.tot_used_blocks / 100; 2498 data.cur_pct = 0; 2499 2500 struct timespec time_started = {0}; 2501 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2502 SLOGW("Error getting time at start"); 2503 // Note - continue anyway - we'll run with 0 2504 } 2505 data.time_started = time_started.tv_sec; 2506 data.remaining_time = -1; 2507 2508 rc = encrypt_groups(&data); 2509 if (rc) { 2510 SLOGE("Error encrypting groups"); 2511 goto errout; 2512 } 2513 2514 *size_already_done += data.completed ? size : data.last_written_sector; 2515 rc = 0; 2516 2517 errout: 2518 close(data.realfd); 2519 close(data.cryptofd); 2520 2521 return rc; 2522 } 2523 2524 static void log_progress_f2fs(u64 block, bool completed) 2525 { 2526 // Precondition - if completed data = 0 else data != 0 2527 2528 // Track progress so we can skip logging blocks 2529 static u64 last_block = (u64)-1; 2530 2531 // Need to close existing 'Encrypting from' log? 2532 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2533 SLOGI("Encrypted to block %" PRId64, last_block); 2534 last_block = -1; 2535 } 2536 2537 // Need to start new 'Encrypting from' log? 2538 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2539 SLOGI("Encrypting from block %" PRId64, block); 2540 } 2541 2542 // Update offset 2543 if (!completed) { 2544 last_block = block; 2545 } 2546 } 2547 2548 static int encrypt_one_block_f2fs(u64 pos, void *data) 2549 { 2550 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2551 2552 priv_dat->blocks_already_done = pos - 1; 2553 update_progress(priv_dat, 1); 2554 2555 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2556 2557 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2558 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2559 return -1; 2560 } 2561 2562 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2563 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2564 return -1; 2565 } else { 2566 log_progress_f2fs(pos, false); 2567 } 2568 2569 return 0; 2570 } 2571 2572 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2573 char *real_blkdev, 2574 off64_t size, 2575 off64_t *size_already_done, 2576 off64_t tot_size, 2577 off64_t previously_encrypted_upto) 2578 { 2579 u32 i; 2580 struct encryptGroupsData data; 2581 struct f2fs_info *f2fs_info = NULL; 2582 int rc = ENABLE_INPLACE_ERR_OTHER; 2583 if (previously_encrypted_upto > *size_already_done) { 2584 SLOGD("Not fast encrypting since resuming part way through"); 2585 return ENABLE_INPLACE_ERR_OTHER; 2586 } 2587 memset(&data, 0, sizeof(data)); 2588 data.real_blkdev = real_blkdev; 2589 data.crypto_blkdev = crypto_blkdev; 2590 data.realfd = -1; 2591 data.cryptofd = -1; 2592 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2593 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2594 real_blkdev); 2595 goto errout; 2596 } 2597 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2598 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2599 crypto_blkdev, errno, strerror(errno)); 2600 rc = ENABLE_INPLACE_ERR_DEV; 2601 goto errout; 2602 } 2603 2604 f2fs_info = generate_f2fs_info(data.realfd); 2605 if (!f2fs_info) 2606 goto errout; 2607 2608 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2609 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2610 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2611 2612 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2613 2614 data.one_pct = data.tot_used_blocks / 100; 2615 data.cur_pct = 0; 2616 data.time_started = time(NULL); 2617 data.remaining_time = -1; 2618 2619 data.buffer = malloc(f2fs_info->block_size); 2620 if (!data.buffer) { 2621 SLOGE("Failed to allocate crypto buffer"); 2622 goto errout; 2623 } 2624 2625 data.count = 0; 2626 2627 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2628 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2629 2630 if (rc) { 2631 SLOGE("Error in running over f2fs blocks"); 2632 rc = ENABLE_INPLACE_ERR_OTHER; 2633 goto errout; 2634 } 2635 2636 *size_already_done += size; 2637 rc = 0; 2638 2639 errout: 2640 if (rc) 2641 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2642 2643 log_progress_f2fs(0, true); 2644 free(f2fs_info); 2645 free(data.buffer); 2646 close(data.realfd); 2647 close(data.cryptofd); 2648 2649 return rc; 2650 } 2651 2652 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2653 off64_t size, off64_t *size_already_done, 2654 off64_t tot_size, 2655 off64_t previously_encrypted_upto) 2656 { 2657 int realfd, cryptofd; 2658 char *buf[CRYPT_INPLACE_BUFSIZE]; 2659 int rc = ENABLE_INPLACE_ERR_OTHER; 2660 off64_t numblocks, i, remainder; 2661 off64_t one_pct, cur_pct, new_pct; 2662 off64_t blocks_already_done, tot_numblocks; 2663 2664 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2665 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2666 return ENABLE_INPLACE_ERR_OTHER; 2667 } 2668 2669 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2670 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2671 crypto_blkdev, errno, strerror(errno)); 2672 close(realfd); 2673 return ENABLE_INPLACE_ERR_DEV; 2674 } 2675 2676 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2677 * The size passed in is the number of 512 byte sectors in the filesystem. 2678 * So compute the number of whole 4K blocks we should read/write, 2679 * and the remainder. 2680 */ 2681 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2682 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2683 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2684 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2685 2686 SLOGE("Encrypting filesystem in place..."); 2687 2688 i = previously_encrypted_upto + 1 - *size_already_done; 2689 2690 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2691 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2692 goto errout; 2693 } 2694 2695 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2696 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2697 goto errout; 2698 } 2699 2700 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2701 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2702 SLOGE("Error reading initial sectors from real_blkdev %s for " 2703 "inplace encrypt\n", crypto_blkdev); 2704 goto errout; 2705 } 2706 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2707 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2708 "inplace encrypt\n", crypto_blkdev); 2709 goto errout; 2710 } else { 2711 SLOGI("Encrypted 1 block at %" PRId64, i); 2712 } 2713 } 2714 2715 one_pct = tot_numblocks / 100; 2716 cur_pct = 0; 2717 /* process the majority of the filesystem in blocks */ 2718 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2719 new_pct = (i + blocks_already_done) / one_pct; 2720 if (new_pct > cur_pct) { 2721 char buf[8]; 2722 2723 cur_pct = new_pct; 2724 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2725 property_set("vold.encrypt_progress", buf); 2726 } 2727 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2728 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2729 goto errout; 2730 } 2731 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2732 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2733 goto errout; 2734 } else { 2735 SLOGD("Encrypted %d block at %" PRId64, 2736 CRYPT_SECTORS_PER_BUFSIZE, 2737 i * CRYPT_SECTORS_PER_BUFSIZE); 2738 } 2739 2740 if (!is_battery_ok_to_continue()) { 2741 SLOGE("Stopping encryption due to low battery"); 2742 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2743 rc = 0; 2744 goto errout; 2745 } 2746 } 2747 2748 /* Do any remaining sectors */ 2749 for (i=0; i<remainder; i++) { 2750 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2751 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2752 goto errout; 2753 } 2754 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2755 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2756 goto errout; 2757 } else { 2758 SLOGI("Encrypted 1 block at next location"); 2759 } 2760 } 2761 2762 *size_already_done += size; 2763 rc = 0; 2764 2765 errout: 2766 close(realfd); 2767 close(cryptofd); 2768 2769 return rc; 2770 } 2771 2772 /* returns on of the ENABLE_INPLACE_* return codes */ 2773 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2774 off64_t size, off64_t *size_already_done, 2775 off64_t tot_size, 2776 off64_t previously_encrypted_upto) 2777 { 2778 int rc_ext4, rc_f2fs, rc_full; 2779 if (previously_encrypted_upto) { 2780 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2781 } 2782 2783 if (*size_already_done + size < previously_encrypted_upto) { 2784 *size_already_done += size; 2785 return 0; 2786 } 2787 2788 /* TODO: identify filesystem type. 2789 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2790 * then we will drop down to cryptfs_enable_inplace_f2fs. 2791 * */ 2792 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2793 size, size_already_done, 2794 tot_size, previously_encrypted_upto)) == 0) { 2795 return 0; 2796 } 2797 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2798 2799 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2800 size, size_already_done, 2801 tot_size, previously_encrypted_upto)) == 0) { 2802 return 0; 2803 } 2804 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2805 2806 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2807 size, size_already_done, tot_size, 2808 previously_encrypted_upto); 2809 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2810 2811 /* Hack for b/17898962, the following is the symptom... */ 2812 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2813 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2814 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2815 return ENABLE_INPLACE_ERR_DEV; 2816 } 2817 return rc_full; 2818 } 2819 2820 #define CRYPTO_ENABLE_WIPE 1 2821 #define CRYPTO_ENABLE_INPLACE 2 2822 2823 #define FRAMEWORK_BOOT_WAIT 60 2824 2825 static inline int should_encrypt(struct volume_info *volume) 2826 { 2827 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2828 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2829 } 2830 2831 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2832 { 2833 int fd = open(filename, O_RDONLY); 2834 if (fd == -1) { 2835 SLOGE("Error opening file %s", filename); 2836 return -1; 2837 } 2838 2839 char block[CRYPT_INPLACE_BUFSIZE]; 2840 memset(block, 0, sizeof(block)); 2841 if (unix_read(fd, block, sizeof(block)) < 0) { 2842 SLOGE("Error reading file %s", filename); 2843 close(fd); 2844 return -1; 2845 } 2846 2847 close(fd); 2848 2849 SHA256_CTX c; 2850 SHA256_Init(&c); 2851 SHA256_Update(&c, block, sizeof(block)); 2852 SHA256_Final(buf, &c); 2853 2854 return 0; 2855 } 2856 2857 static int get_fs_type(struct fstab_rec *rec) 2858 { 2859 if (!strcmp(rec->fs_type, "ext4")) { 2860 return EXT4_FS; 2861 } else if (!strcmp(rec->fs_type, "f2fs")) { 2862 return F2FS_FS; 2863 } else { 2864 return -1; 2865 } 2866 } 2867 2868 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2869 char *crypto_blkdev, char *real_blkdev, 2870 int previously_encrypted_upto) 2871 { 2872 off64_t cur_encryption_done=0, tot_encryption_size=0; 2873 int i, rc = -1; 2874 2875 if (!is_battery_ok_to_start()) { 2876 SLOGW("Not starting encryption due to low battery"); 2877 return 0; 2878 } 2879 2880 /* The size of the userdata partition, and add in the vold volumes below */ 2881 tot_encryption_size = crypt_ftr->fs_size; 2882 2883 if (how == CRYPTO_ENABLE_WIPE) { 2884 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2885 int fs_type = get_fs_type(rec); 2886 if (fs_type < 0) { 2887 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2888 return -1; 2889 } 2890 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2891 } else if (how == CRYPTO_ENABLE_INPLACE) { 2892 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2893 crypt_ftr->fs_size, &cur_encryption_done, 2894 tot_encryption_size, 2895 previously_encrypted_upto); 2896 2897 if (rc == ENABLE_INPLACE_ERR_DEV) { 2898 /* Hack for b/17898962 */ 2899 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2900 cryptfs_reboot(reboot); 2901 } 2902 2903 if (!rc) { 2904 crypt_ftr->encrypted_upto = cur_encryption_done; 2905 } 2906 2907 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2908 /* The inplace routine never actually sets the progress to 100% due 2909 * to the round down nature of integer division, so set it here */ 2910 property_set("vold.encrypt_progress", "100"); 2911 } 2912 } else { 2913 /* Shouldn't happen */ 2914 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2915 rc = -1; 2916 } 2917 2918 return rc; 2919 } 2920 2921 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2922 int allow_reboot) 2923 { 2924 int how = 0; 2925 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2926 unsigned long nr_sec; 2927 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2928 int rc=-1, fd, i, ret; 2929 struct crypt_mnt_ftr crypt_ftr; 2930 struct crypt_persist_data *pdata; 2931 char encrypted_state[PROPERTY_VALUE_MAX]; 2932 char lockid[32] = { 0 }; 2933 char key_loc[PROPERTY_VALUE_MAX]; 2934 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2935 char *sd_mnt_point; 2936 int num_vols; 2937 struct volume_info *vol_list = 0; 2938 off64_t previously_encrypted_upto = 0; 2939 2940 if (!strcmp(howarg, "wipe")) { 2941 how = CRYPTO_ENABLE_WIPE; 2942 } else if (! strcmp(howarg, "inplace")) { 2943 how = CRYPTO_ENABLE_INPLACE; 2944 } else { 2945 /* Shouldn't happen, as CommandListener vets the args */ 2946 goto error_unencrypted; 2947 } 2948 2949 /* See if an encryption was underway and interrupted */ 2950 if (how == CRYPTO_ENABLE_INPLACE 2951 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2952 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2953 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2954 crypt_ftr.encrypted_upto = 0; 2955 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2956 2957 /* At this point, we are in an inconsistent state. Until we successfully 2958 complete encryption, a reboot will leave us broken. So mark the 2959 encryption failed in case that happens. 2960 On successfully completing encryption, remove this flag */ 2961 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2962 2963 put_crypt_ftr_and_key(&crypt_ftr); 2964 } 2965 2966 property_get("ro.crypto.state", encrypted_state, ""); 2967 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2968 SLOGE("Device is already running encrypted, aborting"); 2969 goto error_unencrypted; 2970 } 2971 2972 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2973 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2974 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2975 2976 /* Get the size of the real block device */ 2977 fd = open(real_blkdev, O_RDONLY); 2978 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2979 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2980 goto error_unencrypted; 2981 } 2982 close(fd); 2983 2984 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2985 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2986 unsigned int fs_size_sec, max_fs_size_sec; 2987 fs_size_sec = get_fs_size(real_blkdev); 2988 if (fs_size_sec == 0) 2989 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2990 2991 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2992 2993 if (fs_size_sec > max_fs_size_sec) { 2994 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2995 goto error_unencrypted; 2996 } 2997 } 2998 2999 /* Get a wakelock as this may take a while, and we don't want the 3000 * device to sleep on us. We'll grab a partial wakelock, and if the UI 3001 * wants to keep the screen on, it can grab a full wakelock. 3002 */ 3003 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 3004 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 3005 3006 /* Get the sdcard mount point */ 3007 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 3008 if (!sd_mnt_point) { 3009 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 3010 } 3011 if (!sd_mnt_point) { 3012 sd_mnt_point = "/mnt/sdcard"; 3013 } 3014 3015 /* TODO 3016 * Currently do not have test devices with multiple encryptable volumes. 3017 * When we acquire some, re-add support. 3018 */ 3019 num_vols=vold_getNumDirectVolumes(); 3020 vol_list = malloc(sizeof(struct volume_info) * num_vols); 3021 vold_getDirectVolumeList(vol_list); 3022 3023 for (i=0; i<num_vols; i++) { 3024 if (should_encrypt(&vol_list[i])) { 3025 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 3026 "%s\n", vol_list[i].label); 3027 goto error_unencrypted; 3028 } 3029 } 3030 3031 /* The init files are setup to stop the class main and late start when 3032 * vold sets trigger_shutdown_framework. 3033 */ 3034 property_set("vold.decrypt", "trigger_shutdown_framework"); 3035 SLOGD("Just asked init to shut down class main\n"); 3036 3037 if (vold_unmountAllAsecs()) { 3038 /* Just report the error. If any are left mounted, 3039 * umounting /data below will fail and handle the error. 3040 */ 3041 SLOGE("Error unmounting internal asecs"); 3042 } 3043 3044 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3045 if (!strcmp(fuse_sdcard, "true")) { 3046 /* This is a device using the fuse layer to emulate the sdcard semantics 3047 * on top of the userdata partition. vold does not manage it, it is managed 3048 * by the sdcard service. The sdcard service was killed by the property trigger 3049 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3050 * unlike the case for vold managed devices above. 3051 */ 3052 if (wait_and_unmount(sd_mnt_point, false)) { 3053 goto error_shutting_down; 3054 } 3055 } 3056 3057 /* Now unmount the /data partition. */ 3058 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3059 if (allow_reboot) { 3060 goto error_shutting_down; 3061 } else { 3062 goto error_unencrypted; 3063 } 3064 } 3065 3066 /* Do extra work for a better UX when doing the long inplace encryption */ 3067 if (how == CRYPTO_ENABLE_INPLACE) { 3068 /* Now that /data is unmounted, we need to mount a tmpfs 3069 * /data, set a property saying we're doing inplace encryption, 3070 * and restart the framework. 3071 */ 3072 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3073 goto error_shutting_down; 3074 } 3075 /* Tells the framework that inplace encryption is starting */ 3076 property_set("vold.encrypt_progress", "0"); 3077 3078 /* restart the framework. */ 3079 /* Create necessary paths on /data */ 3080 if (prep_data_fs()) { 3081 goto error_shutting_down; 3082 } 3083 3084 /* Ugh, shutting down the framework is not synchronous, so until it 3085 * can be fixed, this horrible hack will wait a moment for it all to 3086 * shut down before proceeding. Without it, some devices cannot 3087 * restart the graphics services. 3088 */ 3089 sleep(2); 3090 } 3091 3092 /* Start the actual work of making an encrypted filesystem */ 3093 /* Initialize a crypt_mnt_ftr for the partition */ 3094 if (previously_encrypted_upto == 0) { 3095 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3096 goto error_shutting_down; 3097 } 3098 3099 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3100 crypt_ftr.fs_size = nr_sec 3101 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3102 } else { 3103 crypt_ftr.fs_size = nr_sec; 3104 } 3105 /* At this point, we are in an inconsistent state. Until we successfully 3106 complete encryption, a reboot will leave us broken. So mark the 3107 encryption failed in case that happens. 3108 On successfully completing encryption, remove this flag */ 3109 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3110 crypt_ftr.crypt_type = crypt_type; 3111 #ifndef CONFIG_HW_DISK_ENCRYPTION 3112 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3113 #else 3114 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3115 3116 rc = clear_hw_device_encryption_key(); 3117 if (!rc) { 3118 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3119 } 3120 3121 rc = set_hw_device_encryption_key(passwd, 3122 (char*) crypt_ftr.crypto_type_name); 3123 if (!rc) { 3124 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3125 goto error_shutting_down; 3126 } 3127 #endif 3128 3129 /* Make an encrypted master key */ 3130 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3131 SLOGE("Cannot create encrypted master key\n"); 3132 goto error_shutting_down; 3133 } 3134 3135 /* Write the key to the end of the partition */ 3136 put_crypt_ftr_and_key(&crypt_ftr); 3137 3138 /* If any persistent data has been remembered, save it. 3139 * If none, create a valid empty table and save that. 3140 */ 3141 if (!persist_data) { 3142 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3143 if (pdata) { 3144 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3145 persist_data = pdata; 3146 } 3147 } 3148 if (persist_data) { 3149 save_persistent_data(); 3150 } 3151 } 3152 3153 if (how == CRYPTO_ENABLE_INPLACE) { 3154 /* startup service classes main and late_start */ 3155 property_set("vold.decrypt", "trigger_restart_min_framework"); 3156 SLOGD("Just triggered restart_min_framework\n"); 3157 3158 /* OK, the framework is restarted and will soon be showing a 3159 * progress bar. Time to setup an encrypted mapping, and 3160 * either write a new filesystem, or encrypt in place updating 3161 * the progress bar as we work. 3162 */ 3163 } 3164 3165 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3166 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3167 "userdata"); 3168 3169 /* If we are continuing, check checksums match */ 3170 rc = 0; 3171 if (previously_encrypted_upto) { 3172 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3173 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3174 3175 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3176 sizeof(hash_first_block)) != 0) { 3177 SLOGE("Checksums do not match - trigger wipe"); 3178 rc = -1; 3179 } 3180 } 3181 3182 if (!rc) { 3183 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3184 crypto_blkdev, real_blkdev, 3185 previously_encrypted_upto); 3186 } 3187 3188 /* Calculate checksum if we are not finished */ 3189 if (!rc && how == CRYPTO_ENABLE_INPLACE 3190 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3191 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3192 crypt_ftr.hash_first_block); 3193 if (rc) { 3194 SLOGE("Error calculating checksum for continuing encryption"); 3195 rc = -1; 3196 } 3197 } 3198 3199 /* Undo the dm-crypt mapping whether we succeed or not */ 3200 delete_crypto_blk_dev("userdata"); 3201 3202 free(vol_list); 3203 3204 if (! rc) { 3205 /* Success */ 3206 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3207 3208 if (how == CRYPTO_ENABLE_INPLACE 3209 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3210 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3211 crypt_ftr.encrypted_upto); 3212 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3213 } 3214 3215 put_crypt_ftr_and_key(&crypt_ftr); 3216 3217 if (how == CRYPTO_ENABLE_WIPE 3218 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3219 char value[PROPERTY_VALUE_MAX]; 3220 property_get("ro.crypto.state", value, ""); 3221 if (!strcmp(value, "")) { 3222 /* default encryption - continue first boot sequence */ 3223 property_set("ro.crypto.state", "encrypted"); 3224 release_wake_lock(lockid); 3225 cryptfs_check_passwd(DEFAULT_PASSWORD); 3226 cryptfs_restart_internal(1); 3227 return 0; 3228 } else { 3229 sleep(2); /* Give the UI a chance to show 100% progress */ 3230 cryptfs_reboot(reboot); 3231 } 3232 } else { 3233 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3234 cryptfs_reboot(shutdown); 3235 } 3236 } else { 3237 char value[PROPERTY_VALUE_MAX]; 3238 3239 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3240 if (!strcmp(value, "1")) { 3241 /* wipe data if encryption failed */ 3242 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3243 mkdir("/cache/recovery", 0700); 3244 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3245 if (fd >= 0) { 3246 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3247 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3248 close(fd); 3249 } else { 3250 SLOGE("could not open /cache/recovery/command\n"); 3251 } 3252 cryptfs_reboot(recovery); 3253 } else { 3254 /* set property to trigger dialog */ 3255 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3256 release_wake_lock(lockid); 3257 } 3258 return -1; 3259 } 3260 3261 /* hrm, the encrypt step claims success, but the reboot failed. 3262 * This should not happen. 3263 * Set the property and return. Hope the framework can deal with it. 3264 */ 3265 property_set("vold.encrypt_progress", "error_reboot_failed"); 3266 release_wake_lock(lockid); 3267 return rc; 3268 3269 error_unencrypted: 3270 free(vol_list); 3271 property_set("vold.encrypt_progress", "error_not_encrypted"); 3272 if (lockid[0]) { 3273 release_wake_lock(lockid); 3274 } 3275 return -1; 3276 3277 error_shutting_down: 3278 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3279 * but the framework is stopped and not restarted to show the error, so it's up to 3280 * vold to restart the system. 3281 */ 3282 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3283 cryptfs_reboot(reboot); 3284 3285 /* shouldn't get here */ 3286 property_set("vold.encrypt_progress", "error_shutting_down"); 3287 free(vol_list); 3288 if (lockid[0]) { 3289 release_wake_lock(lockid); 3290 } 3291 return -1; 3292 } 3293 3294 int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3295 { 3296 char* adjusted_passwd = adjust_passwd(passwd); 3297 if (adjusted_passwd) { 3298 passwd = adjusted_passwd; 3299 } 3300 3301 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3302 3303 free(adjusted_passwd); 3304 return rc; 3305 } 3306 3307 int cryptfs_enable_default(char *howarg, int allow_reboot) 3308 { 3309 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3310 DEFAULT_PASSWORD, allow_reboot); 3311 } 3312 3313 int cryptfs_changepw(int crypt_type, const char *newpw) 3314 { 3315 struct crypt_mnt_ftr crypt_ftr; 3316 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3317 3318 /* This is only allowed after we've successfully decrypted the master key */ 3319 if (!master_key_saved) { 3320 SLOGE("Key not saved, aborting"); 3321 return -1; 3322 } 3323 3324 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3325 SLOGE("Invalid crypt_type %d", crypt_type); 3326 return -1; 3327 } 3328 3329 /* get key */ 3330 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3331 SLOGE("Error getting crypt footer and key"); 3332 return -1; 3333 } 3334 3335 crypt_ftr.crypt_type = crypt_type; 3336 3337 char* adjusted_passwd = adjust_passwd(newpw); 3338 if (adjusted_passwd) { 3339 newpw = adjusted_passwd; 3340 } 3341 3342 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3343 : newpw, 3344 crypt_ftr.salt, 3345 saved_master_key, 3346 crypt_ftr.master_key, 3347 &crypt_ftr); 3348 3349 /* save the key */ 3350 put_crypt_ftr_and_key(&crypt_ftr); 3351 3352 free(adjusted_passwd); 3353 3354 #ifdef CONFIG_HW_DISK_ENCRYPTION 3355 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3356 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3357 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3358 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3359 if (!rc) 3360 return -1; 3361 } else { 3362 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3363 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3364 if (!rc) 3365 return -1; 3366 } 3367 } 3368 #endif 3369 return 0; 3370 } 3371 3372 static unsigned int persist_get_max_entries(int encrypted) { 3373 struct crypt_mnt_ftr crypt_ftr; 3374 unsigned int dsize; 3375 unsigned int max_persistent_entries; 3376 3377 /* If encrypted, use the values from the crypt_ftr, otherwise 3378 * use the values for the current spec. 3379 */ 3380 if (encrypted) { 3381 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3382 return -1; 3383 } 3384 dsize = crypt_ftr.persist_data_size; 3385 } else { 3386 dsize = CRYPT_PERSIST_DATA_SIZE; 3387 } 3388 3389 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3390 sizeof(struct crypt_persist_entry); 3391 3392 return max_persistent_entries; 3393 } 3394 3395 static int persist_get_key(const char *fieldname, char *value) 3396 { 3397 unsigned int i; 3398 3399 if (persist_data == NULL) { 3400 return -1; 3401 } 3402 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3403 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3404 /* We found it! */ 3405 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3406 return 0; 3407 } 3408 } 3409 3410 return -1; 3411 } 3412 3413 static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3414 { 3415 unsigned int i; 3416 unsigned int num; 3417 unsigned int max_persistent_entries; 3418 3419 if (persist_data == NULL) { 3420 return -1; 3421 } 3422 3423 max_persistent_entries = persist_get_max_entries(encrypted); 3424 3425 num = persist_data->persist_valid_entries; 3426 3427 for (i = 0; i < num; i++) { 3428 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3429 /* We found an existing entry, update it! */ 3430 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3431 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3432 return 0; 3433 } 3434 } 3435 3436 /* We didn't find it, add it to the end, if there is room */ 3437 if (persist_data->persist_valid_entries < max_persistent_entries) { 3438 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3439 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3440 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3441 persist_data->persist_valid_entries++; 3442 return 0; 3443 } 3444 3445 return -1; 3446 } 3447 3448 /** 3449 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3450 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3451 */ 3452 static int match_multi_entry(const char *key, const char *field, unsigned index) { 3453 unsigned int i; 3454 unsigned int field_len; 3455 unsigned int key_index; 3456 field_len = strlen(field); 3457 3458 if (index == 0) { 3459 // The first key in a multi-entry field is just the filedname itself. 3460 if (!strcmp(key, field)) { 3461 return 1; 3462 } 3463 } 3464 // Match key against "%s_%d" % (field, index) 3465 if (strlen(key) < field_len + 1 + 1) { 3466 // Need at least a '_' and a digit. 3467 return 0; 3468 } 3469 if (strncmp(key, field, field_len)) { 3470 // If the key does not begin with field, it's not a match. 3471 return 0; 3472 } 3473 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3474 return 0; 3475 } 3476 return key_index >= index; 3477 } 3478 3479 /* 3480 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3481 * remaining entries starting from index will be deleted. 3482 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3483 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3484 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3485 * 3486 */ 3487 static int persist_del_keys(const char *fieldname, unsigned index) 3488 { 3489 unsigned int i; 3490 unsigned int j; 3491 unsigned int num; 3492 3493 if (persist_data == NULL) { 3494 return PERSIST_DEL_KEY_ERROR_OTHER; 3495 } 3496 3497 num = persist_data->persist_valid_entries; 3498 3499 j = 0; // points to the end of non-deleted entries. 3500 // Filter out to-be-deleted entries in place. 3501 for (i = 0; i < num; i++) { 3502 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3503 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3504 j++; 3505 } 3506 } 3507 3508 if (j < num) { 3509 persist_data->persist_valid_entries = j; 3510 // Zeroise the remaining entries 3511 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3512 return PERSIST_DEL_KEY_OK; 3513 } else { 3514 // Did not find an entry matching the given fieldname 3515 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3516 } 3517 } 3518 3519 static int persist_count_keys(const char *fieldname) 3520 { 3521 unsigned int i; 3522 unsigned int count; 3523 3524 if (persist_data == NULL) { 3525 return -1; 3526 } 3527 3528 count = 0; 3529 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3530 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3531 count++; 3532 } 3533 } 3534 3535 return count; 3536 } 3537 3538 /* Return the value of the specified field. */ 3539 int cryptfs_getfield(const char *fieldname, char *value, int len) 3540 { 3541 char temp_value[PROPERTY_VALUE_MAX]; 3542 char real_blkdev[MAXPATHLEN]; 3543 /* CRYPTO_GETFIELD_OK is success, 3544 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3545 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3546 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3547 */ 3548 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3549 int i; 3550 char temp_field[PROPERTY_KEY_MAX]; 3551 3552 if (persist_data == NULL) { 3553 load_persistent_data(); 3554 if (persist_data == NULL) { 3555 SLOGE("Getfield error, cannot load persistent data"); 3556 goto out; 3557 } 3558 } 3559 3560 // Read value from persistent entries. If the original value is split into multiple entries, 3561 // stitch them back together. 3562 if (!persist_get_key(fieldname, temp_value)) { 3563 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3564 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3565 // value too small 3566 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3567 goto out; 3568 } 3569 rc = CRYPTO_GETFIELD_OK; 3570 3571 for (i = 1; /* break explicitly */; i++) { 3572 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3573 (int) sizeof(temp_field)) { 3574 // If the fieldname is very long, we stop as soon as it begins to overflow the 3575 // maximum field length. At this point we have in fact fully read out the original 3576 // value because cryptfs_setfield would not allow fields with longer names to be 3577 // written in the first place. 3578 break; 3579 } 3580 if (!persist_get_key(temp_field, temp_value)) { 3581 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3582 // value too small. 3583 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3584 goto out; 3585 } 3586 } else { 3587 // Exhaust all entries. 3588 break; 3589 } 3590 } 3591 } else { 3592 /* Sadness, it's not there. Return the error */ 3593 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3594 } 3595 3596 out: 3597 return rc; 3598 } 3599 3600 /* Set the value of the specified field. */ 3601 int cryptfs_setfield(const char *fieldname, const char *value) 3602 { 3603 struct crypt_persist_data stored_pdata; 3604 struct crypt_persist_data *pdata_p; 3605 struct crypt_mnt_ftr crypt_ftr; 3606 char encrypted_state[PROPERTY_VALUE_MAX]; 3607 /* 0 is success, negative values are error */ 3608 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3609 int encrypted = 0; 3610 unsigned int field_id; 3611 char temp_field[PROPERTY_KEY_MAX]; 3612 unsigned int num_entries; 3613 unsigned int max_keylen; 3614 3615 if (persist_data == NULL) { 3616 load_persistent_data(); 3617 if (persist_data == NULL) { 3618 SLOGE("Setfield error, cannot load persistent data"); 3619 goto out; 3620 } 3621 } 3622 3623 property_get("ro.crypto.state", encrypted_state, ""); 3624 if (!strcmp(encrypted_state, "encrypted") ) { 3625 encrypted = 1; 3626 } 3627 3628 // Compute the number of entries required to store value, each entry can store up to 3629 // (PROPERTY_VALUE_MAX - 1) chars 3630 if (strlen(value) == 0) { 3631 // Empty value also needs one entry to store. 3632 num_entries = 1; 3633 } else { 3634 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3635 } 3636 3637 max_keylen = strlen(fieldname); 3638 if (num_entries > 1) { 3639 // Need an extra "_%d" suffix. 3640 max_keylen += 1 + log10(num_entries); 3641 } 3642 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3643 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3644 goto out; 3645 } 3646 3647 // Make sure we have enough space to write the new value 3648 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3649 persist_get_max_entries(encrypted)) { 3650 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3651 goto out; 3652 } 3653 3654 // Now that we know persist_data has enough space for value, let's delete the old field first 3655 // to make up space. 3656 persist_del_keys(fieldname, 0); 3657 3658 if (persist_set_key(fieldname, value, encrypted)) { 3659 // fail to set key, should not happen as we have already checked the available space 3660 SLOGE("persist_set_key() error during setfield()"); 3661 goto out; 3662 } 3663 3664 for (field_id = 1; field_id < num_entries; field_id++) { 3665 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3666 3667 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3668 // fail to set key, should not happen as we have already checked the available space. 3669 SLOGE("persist_set_key() error during setfield()"); 3670 goto out; 3671 } 3672 } 3673 3674 /* If we are running encrypted, save the persistent data now */ 3675 if (encrypted) { 3676 if (save_persistent_data()) { 3677 SLOGE("Setfield error, cannot save persistent data"); 3678 goto out; 3679 } 3680 } 3681 3682 rc = CRYPTO_SETFIELD_OK; 3683 3684 out: 3685 return rc; 3686 } 3687 3688 /* Checks userdata. Attempt to mount the volume if default- 3689 * encrypted. 3690 * On success trigger next init phase and return 0. 3691 * Currently do not handle failure - see TODO below. 3692 */ 3693 int cryptfs_mount_default_encrypted(void) 3694 { 3695 char decrypt_state[PROPERTY_VALUE_MAX]; 3696 property_get("vold.decrypt", decrypt_state, "0"); 3697 if (!strcmp(decrypt_state, "0")) { 3698 SLOGE("Not encrypted - should not call here"); 3699 } else { 3700 int crypt_type = cryptfs_get_password_type(); 3701 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3702 SLOGE("Bad crypt type - error"); 3703 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3704 SLOGD("Password is not default - " 3705 "starting min framework to prompt"); 3706 property_set("vold.decrypt", "trigger_restart_min_framework"); 3707 return 0; 3708 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3709 SLOGD("Password is default - restarting filesystem"); 3710 cryptfs_restart_internal(0); 3711 return 0; 3712 } else { 3713 SLOGE("Encrypted, default crypt type but can't decrypt"); 3714 } 3715 } 3716 3717 /** Corrupt. Allow us to boot into framework, which will detect bad 3718 crypto when it calls do_crypto_complete, then do a factory reset 3719 */ 3720 property_set("vold.decrypt", "trigger_restart_min_framework"); 3721 return 0; 3722 } 3723 3724 /* Returns type of the password, default, pattern, pin or password. 3725 */ 3726 int cryptfs_get_password_type(void) 3727 { 3728 struct crypt_mnt_ftr crypt_ftr; 3729 3730 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3731 SLOGE("Error getting crypt footer and key\n"); 3732 return -1; 3733 } 3734 3735 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3736 return -1; 3737 } 3738 3739 return crypt_ftr.crypt_type; 3740 } 3741 3742 char* cryptfs_get_password() 3743 { 3744 struct timespec now; 3745 clock_gettime(CLOCK_BOOTTIME, &now); 3746 if (now.tv_sec < password_expiry_time) { 3747 return password; 3748 } else { 3749 cryptfs_clear_password(); 3750 return 0; 3751 } 3752 } 3753 3754 void cryptfs_clear_password() 3755 { 3756 if (password) { 3757 size_t len = strlen(password); 3758 memset(password, 0, len); 3759 free(password); 3760 password = 0; 3761 password_expiry_time = 0; 3762 } 3763 } 3764