1 /* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17 /* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23 #include <sys/types.h> 24 #include <sys/wait.h> 25 #include <sys/stat.h> 26 #include <ctype.h> 27 #include <fcntl.h> 28 #include <inttypes.h> 29 #include <unistd.h> 30 #include <stdio.h> 31 #include <sys/ioctl.h> 32 #include <linux/dm-ioctl.h> 33 #include <libgen.h> 34 #include <stdlib.h> 35 #include <sys/param.h> 36 #include <string.h> 37 #include <sys/mount.h> 38 #include <openssl/evp.h> 39 #include <openssl/sha.h> 40 #include <errno.h> 41 #include <ext4.h> 42 #include <linux/kdev_t.h> 43 #include <fs_mgr.h> 44 #include <time.h> 45 #include <math.h> 46 #include <selinux/selinux.h> 47 #include "cryptfs.h" 48 #include "secontext.h" 49 #define LOG_TAG "Cryptfs" 50 #include "cutils/log.h" 51 #include "cutils/properties.h" 52 #include "cutils/android_reboot.h" 53 #include "hardware_legacy/power.h" 54 #include <logwrap/logwrap.h> 55 #include "ScryptParameters.h" 56 #include "VolumeManager.h" 57 #include "VoldUtil.h" 58 #include "crypto_scrypt.h" 59 #include "Ext4Crypt.h" 60 #include "ext4_utils.h" 61 #include "f2fs_sparseblock.h" 62 #include "CheckBattery.h" 63 #include "Process.h" 64 65 #include <bootloader_message_writer.h> 66 #include <hardware/keymaster0.h> 67 #include <hardware/keymaster1.h> 68 69 #define UNUSED __attribute__((unused)) 70 71 #define UNUSED __attribute__((unused)) 72 73 #ifdef CONFIG_HW_DISK_ENCRYPTION 74 #include "cryptfs_hw.h" 75 #endif 76 77 #define DM_CRYPT_BUF_SIZE 4096 78 79 #define HASH_COUNT 2000 80 #define KEY_LEN_BYTES 16 81 #define IV_LEN_BYTES 16 82 83 #define KEY_IN_FOOTER "footer" 84 85 #define DEFAULT_PASSWORD "default_password" 86 87 #define CRYPTO_BLOCK_DEVICE "userdata" 88 89 #define BREADCRUMB_FILE "/data/misc/vold/convert_fde" 90 91 #define EXT4_FS 1 92 #define F2FS_FS 2 93 94 #define TABLE_LOAD_RETRIES 10 95 96 #define RSA_KEY_SIZE 2048 97 #define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 98 #define RSA_EXPONENT 0x10001 99 #define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 100 101 #define RETRY_MOUNT_ATTEMPTS 10 102 #define RETRY_MOUNT_DELAY_SECONDS 1 103 104 char *me = "cryptfs"; 105 106 static unsigned char saved_master_key[KEY_LEN_BYTES]; 107 static char *saved_mount_point; 108 static int master_key_saved = 0; 109 static struct crypt_persist_data *persist_data = NULL; 110 111 static int keymaster_init(keymaster0_device_t **keymaster0_dev, 112 keymaster1_device_t **keymaster1_dev) 113 { 114 int rc; 115 116 const hw_module_t* mod; 117 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 118 if (rc) { 119 ALOGE("could not find any keystore module"); 120 goto err; 121 } 122 123 SLOGI("keymaster module name is %s", mod->name); 124 SLOGI("keymaster version is %d", mod->module_api_version); 125 126 *keymaster0_dev = NULL; 127 *keymaster1_dev = NULL; 128 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { 129 SLOGI("Found keymaster1 module, using keymaster1 API."); 130 rc = keymaster1_open(mod, keymaster1_dev); 131 } else { 132 SLOGI("Found keymaster0 module, using keymaster0 API."); 133 rc = keymaster0_open(mod, keymaster0_dev); 134 } 135 136 if (rc) { 137 ALOGE("could not open keymaster device in %s (%s)", 138 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 139 goto err; 140 } 141 142 return 0; 143 144 err: 145 *keymaster0_dev = NULL; 146 *keymaster1_dev = NULL; 147 return rc; 148 } 149 150 /* Should we use keymaster? */ 151 static int keymaster_check_compatibility() 152 { 153 keymaster0_device_t *keymaster0_dev = 0; 154 keymaster1_device_t *keymaster1_dev = 0; 155 int rc = 0; 156 157 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 158 SLOGE("Failed to init keymaster"); 159 rc = -1; 160 goto out; 161 } 162 163 if (keymaster1_dev) { 164 rc = 1; 165 goto out; 166 } 167 168 if (!keymaster0_dev || !keymaster0_dev->common.module) { 169 rc = -1; 170 goto out; 171 } 172 173 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2 174 // should work. 175 if (keymaster0_dev->common.module->module_api_version 176 < KEYMASTER_MODULE_API_VERSION_0_3) { 177 rc = 0; 178 goto out; 179 } 180 181 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 182 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 183 rc = 1; 184 } 185 186 out: 187 if (keymaster1_dev) { 188 keymaster1_close(keymaster1_dev); 189 } 190 if (keymaster0_dev) { 191 keymaster0_close(keymaster0_dev); 192 } 193 return rc; 194 } 195 196 /* Create a new keymaster key and store it in this footer */ 197 static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 198 { 199 uint8_t* key = 0; 200 keymaster0_device_t *keymaster0_dev = 0; 201 keymaster1_device_t *keymaster1_dev = 0; 202 203 if (ftr->keymaster_blob_size) { 204 SLOGI("Already have key"); 205 return 0; 206 } 207 208 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 209 SLOGE("Failed to init keymaster"); 210 return -1; 211 } 212 213 int rc = 0; 214 size_t key_size = 0; 215 if (keymaster1_dev) { 216 keymaster_key_param_t params[] = { 217 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */ 218 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), 219 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE), 220 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT), 221 222 /* The only allowed purpose for this key is signing. */ 223 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), 224 225 /* Padding & digest specifications. */ 226 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 227 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 228 229 /* Require that the key be usable in standalone mode. File system isn't available. */ 230 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE), 231 232 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */ 233 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), 234 235 /* Rate-limit key usage attempts, to rate-limit brute force */ 236 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT), 237 }; 238 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 239 keymaster_key_blob_t key_blob; 240 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set, 241 &key_blob, 242 NULL /* characteristics */); 243 if (error != KM_ERROR_OK) { 244 SLOGE("Failed to generate keymaster1 key, error %d", error); 245 rc = -1; 246 goto out; 247 } 248 249 key = (uint8_t*)key_blob.key_material; 250 key_size = key_blob.key_material_size; 251 } 252 else if (keymaster0_dev) { 253 keymaster_rsa_keygen_params_t params; 254 memset(¶ms, '\0', sizeof(params)); 255 params.public_exponent = RSA_EXPONENT; 256 params.modulus_size = RSA_KEY_SIZE; 257 258 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, 259 &key, &key_size)) { 260 SLOGE("Failed to generate keypair"); 261 rc = -1; 262 goto out; 263 } 264 } else { 265 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device"); 266 rc = -1; 267 goto out; 268 } 269 270 if (key_size > KEYMASTER_BLOB_SIZE) { 271 SLOGE("Keymaster key too large for crypto footer"); 272 rc = -1; 273 goto out; 274 } 275 276 memcpy(ftr->keymaster_blob, key, key_size); 277 ftr->keymaster_blob_size = key_size; 278 279 out: 280 if (keymaster0_dev) 281 keymaster0_close(keymaster0_dev); 282 if (keymaster1_dev) 283 keymaster1_close(keymaster1_dev); 284 free(key); 285 return rc; 286 } 287 288 /* This signs the given object using the keymaster key. */ 289 static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 290 const unsigned char *object, 291 const size_t object_size, 292 unsigned char **signature, 293 size_t *signature_size) 294 { 295 int rc = 0; 296 keymaster0_device_t *keymaster0_dev = 0; 297 keymaster1_device_t *keymaster1_dev = 0; 298 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 299 SLOGE("Failed to init keymaster"); 300 rc = -1; 301 goto out; 302 } 303 304 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 305 size_t to_sign_size = sizeof(to_sign); 306 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 307 308 // To sign a message with RSA, the message must satisfy two 309 // constraints: 310 // 311 // 1. The message, when interpreted as a big-endian numeric value, must 312 // be strictly less than the public modulus of the RSA key. Note 313 // that because the most significant bit of the public modulus is 314 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 315 // key), an n-bit message with most significant bit 0 always 316 // satisfies this requirement. 317 // 318 // 2. The message must have the same length in bits as the public 319 // modulus of the RSA key. This requirement isn't mathematically 320 // necessary, but is necessary to ensure consistency in 321 // implementations. 322 switch (ftr->kdf_type) { 323 case KDF_SCRYPT_KEYMASTER: 324 // This ensures the most significant byte of the signed message 325 // is zero. We could have zero-padded to the left instead, but 326 // this approach is slightly more robust against changes in 327 // object size. However, it's still broken (but not unusably 328 // so) because we really should be using a proper deterministic 329 // RSA padding function, such as PKCS1. 330 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 331 SLOGI("Signing safely-padded object"); 332 break; 333 default: 334 SLOGE("Unknown KDF type %d", ftr->kdf_type); 335 rc = -1; 336 goto out; 337 } 338 339 if (keymaster0_dev) { 340 keymaster_rsa_sign_params_t params; 341 params.digest_type = DIGEST_NONE; 342 params.padding_type = PADDING_NONE; 343 344 rc = keymaster0_dev->sign_data(keymaster0_dev, 345 ¶ms, 346 ftr->keymaster_blob, 347 ftr->keymaster_blob_size, 348 to_sign, 349 to_sign_size, 350 signature, 351 signature_size); 352 goto out; 353 } else if (keymaster1_dev) { 354 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size }; 355 keymaster_key_param_t params[] = { 356 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 357 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 358 }; 359 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 360 keymaster_operation_handle_t op_handle; 361 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 362 ¶m_set, NULL /* out_params */, 363 &op_handle); 364 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) { 365 // Key usage has been rate-limited. Wait a bit and try again. 366 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT); 367 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 368 ¶m_set, NULL /* out_params */, 369 &op_handle); 370 } 371 if (error != KM_ERROR_OK) { 372 SLOGE("Error starting keymaster signature transaction: %d", error); 373 rc = -1; 374 goto out; 375 } 376 377 keymaster_blob_t input = { to_sign, to_sign_size }; 378 size_t input_consumed; 379 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, 380 &input, &input_consumed, NULL /* out_params */, 381 NULL /* output */); 382 if (error != KM_ERROR_OK) { 383 SLOGE("Error sending data to keymaster signature transaction: %d", error); 384 rc = -1; 385 goto out; 386 } 387 if (input_consumed != to_sign_size) { 388 // This should never happen. If it does, it's a bug in the keymaster implementation. 389 SLOGE("Keymaster update() did not consume all data."); 390 keymaster1_dev->abort(keymaster1_dev, op_handle); 391 rc = -1; 392 goto out; 393 } 394 395 keymaster_blob_t tmp_sig; 396 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */, 397 NULL /* verify signature */, NULL /* out_params */, 398 &tmp_sig); 399 if (error != KM_ERROR_OK) { 400 SLOGE("Error finishing keymaster signature transaction: %d", error); 401 rc = -1; 402 goto out; 403 } 404 405 *signature = (uint8_t*)tmp_sig.data; 406 *signature_size = tmp_sig.data_length; 407 } else { 408 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device."); 409 rc = -1; 410 goto out; 411 } 412 413 out: 414 if (keymaster1_dev) 415 keymaster1_close(keymaster1_dev); 416 if (keymaster0_dev) 417 keymaster0_close(keymaster0_dev); 418 419 return rc; 420 } 421 422 /* Store password when userdata is successfully decrypted and mounted. 423 * Cleared by cryptfs_clear_password 424 * 425 * To avoid a double prompt at boot, we need to store the CryptKeeper 426 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 427 * Since the entire framework is torn down and rebuilt after encryption, 428 * we have to use a daemon or similar to store the password. Since vold 429 * is secured against IPC except from system processes, it seems a reasonable 430 * place to store this. 431 * 432 * password should be cleared once it has been used. 433 * 434 * password is aged out after password_max_age_seconds seconds. 435 */ 436 static char* password = 0; 437 static int password_expiry_time = 0; 438 static const int password_max_age_seconds = 60; 439 440 extern struct fstab *fstab; 441 442 enum RebootType {reboot, recovery, shutdown}; 443 static void cryptfs_reboot(enum RebootType rt) 444 { 445 switch(rt) { 446 case reboot: 447 property_set(ANDROID_RB_PROPERTY, "reboot"); 448 break; 449 450 case recovery: 451 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 452 break; 453 454 case shutdown: 455 property_set(ANDROID_RB_PROPERTY, "shutdown"); 456 break; 457 } 458 459 sleep(20); 460 461 /* Shouldn't get here, reboot should happen before sleep times out */ 462 return; 463 } 464 465 static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 466 { 467 memset(io, 0, dataSize); 468 io->data_size = dataSize; 469 io->data_start = sizeof(struct dm_ioctl); 470 io->version[0] = 4; 471 io->version[1] = 0; 472 io->version[2] = 0; 473 io->flags = flags; 474 if (name) { 475 strlcpy(io->name, name, sizeof(io->name)); 476 } 477 } 478 479 /** 480 * Gets the default device scrypt parameters for key derivation time tuning. 481 * The parameters should lead to about one second derivation time for the 482 * given device. 483 */ 484 static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 485 char paramstr[PROPERTY_VALUE_MAX]; 486 int Nf, rf, pf; 487 488 property_get(SCRYPT_PROP, paramstr, SCRYPT_DEFAULTS); 489 if (!parse_scrypt_parameters(paramstr, &Nf, &rf, &pf)) { 490 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 491 parse_scrypt_parameters(SCRYPT_DEFAULTS, &Nf, &rf, &pf); 492 } 493 ftr->N_factor = Nf; 494 ftr->r_factor = rf; 495 ftr->p_factor = pf; 496 } 497 498 static unsigned int get_fs_size(char *dev) 499 { 500 int fd, block_size; 501 struct ext4_super_block sb; 502 off64_t len; 503 504 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 505 SLOGE("Cannot open device to get filesystem size "); 506 return 0; 507 } 508 509 if (lseek64(fd, 1024, SEEK_SET) < 0) { 510 SLOGE("Cannot seek to superblock"); 511 return 0; 512 } 513 514 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 515 SLOGE("Cannot read superblock"); 516 return 0; 517 } 518 519 close(fd); 520 521 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 522 SLOGE("Not a valid ext4 superblock"); 523 return 0; 524 } 525 block_size = 1024 << sb.s_log_block_size; 526 /* compute length in bytes */ 527 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 528 529 /* return length in sectors */ 530 return (unsigned int) (len / 512); 531 } 532 533 static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 534 { 535 static int cached_data = 0; 536 static off64_t cached_off = 0; 537 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 538 int fd; 539 char key_loc[PROPERTY_VALUE_MAX]; 540 char real_blkdev[PROPERTY_VALUE_MAX]; 541 int rc = -1; 542 543 if (!cached_data) { 544 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 545 546 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 547 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 548 SLOGE("Cannot open real block device %s\n", real_blkdev); 549 return -1; 550 } 551 552 unsigned long nr_sec = 0; 553 get_blkdev_size(fd, &nr_sec); 554 if (nr_sec != 0) { 555 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 556 * encryption info footer and key, and plenty of bytes to spare for future 557 * growth. 558 */ 559 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 560 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 561 cached_data = 1; 562 } else { 563 SLOGE("Cannot get size of block device %s\n", real_blkdev); 564 } 565 close(fd); 566 } else { 567 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 568 cached_off = 0; 569 cached_data = 1; 570 } 571 } 572 573 if (cached_data) { 574 if (metadata_fname) { 575 *metadata_fname = cached_metadata_fname; 576 } 577 if (off) { 578 *off = cached_off; 579 } 580 rc = 0; 581 } 582 583 return rc; 584 } 585 586 /* Set sha256 checksum in structure */ 587 static void set_ftr_sha(struct crypt_mnt_ftr *crypt_ftr) 588 { 589 SHA256_CTX c; 590 SHA256_Init(&c); 591 memset(crypt_ftr->sha256, 0, sizeof(crypt_ftr->sha256)); 592 SHA256_Update(&c, crypt_ftr, sizeof(*crypt_ftr)); 593 SHA256_Final(crypt_ftr->sha256, &c); 594 } 595 596 /* key or salt can be NULL, in which case just skip writing that value. Useful to 597 * update the failed mount count but not change the key. 598 */ 599 static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 600 { 601 int fd; 602 unsigned int cnt; 603 /* starting_off is set to the SEEK_SET offset 604 * where the crypto structure starts 605 */ 606 off64_t starting_off; 607 int rc = -1; 608 char *fname = NULL; 609 struct stat statbuf; 610 611 set_ftr_sha(crypt_ftr); 612 613 if (get_crypt_ftr_info(&fname, &starting_off)) { 614 SLOGE("Unable to get crypt_ftr_info\n"); 615 return -1; 616 } 617 if (fname[0] != '/') { 618 SLOGE("Unexpected value for crypto key location\n"); 619 return -1; 620 } 621 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 622 SLOGE("Cannot open footer file %s for put\n", fname); 623 return -1; 624 } 625 626 /* Seek to the start of the crypt footer */ 627 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 628 SLOGE("Cannot seek to real block device footer\n"); 629 goto errout; 630 } 631 632 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 633 SLOGE("Cannot write real block device footer\n"); 634 goto errout; 635 } 636 637 fstat(fd, &statbuf); 638 /* If the keys are kept on a raw block device, do not try to truncate it. */ 639 if (S_ISREG(statbuf.st_mode)) { 640 if (ftruncate(fd, 0x4000)) { 641 SLOGE("Cannot set footer file size\n"); 642 goto errout; 643 } 644 } 645 646 /* Success! */ 647 rc = 0; 648 649 errout: 650 close(fd); 651 return rc; 652 653 } 654 655 static bool check_ftr_sha(const struct crypt_mnt_ftr *crypt_ftr) 656 { 657 struct crypt_mnt_ftr copy; 658 memcpy(©, crypt_ftr, sizeof(copy)); 659 set_ftr_sha(©); 660 return memcmp(copy.sha256, crypt_ftr->sha256, sizeof(copy.sha256)) == 0; 661 } 662 663 static inline int unix_read(int fd, void* buff, int len) 664 { 665 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 666 } 667 668 static inline int unix_write(int fd, const void* buff, int len) 669 { 670 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 671 } 672 673 static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 674 { 675 memset(pdata, 0, len); 676 pdata->persist_magic = PERSIST_DATA_MAGIC; 677 pdata->persist_valid_entries = 0; 678 } 679 680 /* A routine to update the passed in crypt_ftr to the lastest version. 681 * fd is open read/write on the device that holds the crypto footer and persistent 682 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 683 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 684 */ 685 static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 686 { 687 int orig_major = crypt_ftr->major_version; 688 int orig_minor = crypt_ftr->minor_version; 689 690 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 691 struct crypt_persist_data *pdata; 692 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 693 694 SLOGW("upgrading crypto footer to 1.1"); 695 696 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 697 if (pdata == NULL) { 698 SLOGE("Cannot allocate persisent data\n"); 699 return; 700 } 701 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 702 703 /* Need to initialize the persistent data area */ 704 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 705 SLOGE("Cannot seek to persisent data offset\n"); 706 free(pdata); 707 return; 708 } 709 /* Write all zeros to the first copy, making it invalid */ 710 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 711 712 /* Write a valid but empty structure to the second copy */ 713 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 714 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 715 716 /* Update the footer */ 717 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 718 crypt_ftr->persist_data_offset[0] = pdata_offset; 719 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 720 crypt_ftr->minor_version = 1; 721 free(pdata); 722 } 723 724 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 725 SLOGW("upgrading crypto footer to 1.2"); 726 /* But keep the old kdf_type. 727 * It will get updated later to KDF_SCRYPT after the password has been verified. 728 */ 729 crypt_ftr->kdf_type = KDF_PBKDF2; 730 get_device_scrypt_params(crypt_ftr); 731 crypt_ftr->minor_version = 2; 732 } 733 734 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 735 SLOGW("upgrading crypto footer to 1.3"); 736 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 737 crypt_ftr->minor_version = 3; 738 } 739 740 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 741 if (lseek64(fd, offset, SEEK_SET) == -1) { 742 SLOGE("Cannot seek to crypt footer\n"); 743 return; 744 } 745 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 746 } 747 } 748 749 750 static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 751 { 752 int fd; 753 unsigned int cnt; 754 off64_t starting_off; 755 int rc = -1; 756 char *fname = NULL; 757 struct stat statbuf; 758 759 if (get_crypt_ftr_info(&fname, &starting_off)) { 760 SLOGE("Unable to get crypt_ftr_info\n"); 761 return -1; 762 } 763 if (fname[0] != '/') { 764 SLOGE("Unexpected value for crypto key location\n"); 765 return -1; 766 } 767 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 768 SLOGE("Cannot open footer file %s for get\n", fname); 769 return -1; 770 } 771 772 /* Make sure it's 16 Kbytes in length */ 773 fstat(fd, &statbuf); 774 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 775 SLOGE("footer file %s is not the expected size!\n", fname); 776 goto errout; 777 } 778 779 /* Seek to the start of the crypt footer */ 780 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 781 SLOGE("Cannot seek to real block device footer\n"); 782 goto errout; 783 } 784 785 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 786 SLOGE("Cannot read real block device footer\n"); 787 goto errout; 788 } 789 790 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 791 SLOGE("Bad magic for real block device %s\n", fname); 792 goto errout; 793 } 794 795 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 796 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 797 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 798 goto errout; 799 } 800 801 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 802 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 803 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 804 } 805 806 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 807 * copy on disk before returning. 808 */ 809 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 810 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 811 } 812 813 /* Success! */ 814 rc = 0; 815 816 errout: 817 close(fd); 818 return rc; 819 } 820 821 static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 822 { 823 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 824 crypt_ftr->persist_data_offset[1]) { 825 SLOGE("Crypt_ftr persist data regions overlap"); 826 return -1; 827 } 828 829 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 830 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 831 return -1; 832 } 833 834 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 835 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 836 CRYPT_FOOTER_OFFSET) { 837 SLOGE("Persistent data extends past crypto footer"); 838 return -1; 839 } 840 841 return 0; 842 } 843 844 static int load_persistent_data(void) 845 { 846 struct crypt_mnt_ftr crypt_ftr; 847 struct crypt_persist_data *pdata = NULL; 848 char encrypted_state[PROPERTY_VALUE_MAX]; 849 char *fname; 850 int found = 0; 851 int fd; 852 int ret; 853 int i; 854 855 if (persist_data) { 856 /* Nothing to do, we've already loaded or initialized it */ 857 return 0; 858 } 859 860 861 /* If not encrypted, just allocate an empty table and initialize it */ 862 property_get("ro.crypto.state", encrypted_state, ""); 863 if (strcmp(encrypted_state, "encrypted") ) { 864 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 865 if (pdata) { 866 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 867 persist_data = pdata; 868 return 0; 869 } 870 return -1; 871 } 872 873 if(get_crypt_ftr_and_key(&crypt_ftr)) { 874 return -1; 875 } 876 877 if ((crypt_ftr.major_version < 1) 878 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 879 SLOGE("Crypt_ftr version doesn't support persistent data"); 880 return -1; 881 } 882 883 if (get_crypt_ftr_info(&fname, NULL)) { 884 return -1; 885 } 886 887 ret = validate_persistent_data_storage(&crypt_ftr); 888 if (ret) { 889 return -1; 890 } 891 892 fd = open(fname, O_RDONLY|O_CLOEXEC); 893 if (fd < 0) { 894 SLOGE("Cannot open %s metadata file", fname); 895 return -1; 896 } 897 898 pdata = malloc(crypt_ftr.persist_data_size); 899 if (pdata == NULL) { 900 SLOGE("Cannot allocate memory for persistent data"); 901 goto err; 902 } 903 904 for (i = 0; i < 2; i++) { 905 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 906 SLOGE("Cannot seek to read persistent data on %s", fname); 907 goto err2; 908 } 909 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 910 SLOGE("Error reading persistent data on iteration %d", i); 911 goto err2; 912 } 913 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 914 found = 1; 915 break; 916 } 917 } 918 919 if (!found) { 920 SLOGI("Could not find valid persistent data, creating"); 921 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 922 } 923 924 /* Success */ 925 persist_data = pdata; 926 close(fd); 927 return 0; 928 929 err2: 930 free(pdata); 931 932 err: 933 close(fd); 934 return -1; 935 } 936 937 static int save_persistent_data(void) 938 { 939 struct crypt_mnt_ftr crypt_ftr; 940 struct crypt_persist_data *pdata; 941 char *fname; 942 off64_t write_offset; 943 off64_t erase_offset; 944 int fd; 945 int ret; 946 947 if (persist_data == NULL) { 948 SLOGE("No persistent data to save"); 949 return -1; 950 } 951 952 if(get_crypt_ftr_and_key(&crypt_ftr)) { 953 return -1; 954 } 955 956 if ((crypt_ftr.major_version < 1) 957 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 958 SLOGE("Crypt_ftr version doesn't support persistent data"); 959 return -1; 960 } 961 962 ret = validate_persistent_data_storage(&crypt_ftr); 963 if (ret) { 964 return -1; 965 } 966 967 if (get_crypt_ftr_info(&fname, NULL)) { 968 return -1; 969 } 970 971 fd = open(fname, O_RDWR|O_CLOEXEC); 972 if (fd < 0) { 973 SLOGE("Cannot open %s metadata file", fname); 974 return -1; 975 } 976 977 pdata = malloc(crypt_ftr.persist_data_size); 978 if (pdata == NULL) { 979 SLOGE("Cannot allocate persistant data"); 980 goto err; 981 } 982 983 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 984 SLOGE("Cannot seek to read persistent data on %s", fname); 985 goto err2; 986 } 987 988 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 989 SLOGE("Error reading persistent data before save"); 990 goto err2; 991 } 992 993 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 994 /* The first copy is the curent valid copy, so write to 995 * the second copy and erase this one */ 996 write_offset = crypt_ftr.persist_data_offset[1]; 997 erase_offset = crypt_ftr.persist_data_offset[0]; 998 } else { 999 /* The second copy must be the valid copy, so write to 1000 * the first copy, and erase the second */ 1001 write_offset = crypt_ftr.persist_data_offset[0]; 1002 erase_offset = crypt_ftr.persist_data_offset[1]; 1003 } 1004 1005 /* Write the new copy first, if successful, then erase the old copy */ 1006 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 1007 SLOGE("Cannot seek to write persistent data"); 1008 goto err2; 1009 } 1010 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 1011 (int) crypt_ftr.persist_data_size) { 1012 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 1013 SLOGE("Cannot seek to erase previous persistent data"); 1014 goto err2; 1015 } 1016 fsync(fd); 1017 memset(pdata, 0, crypt_ftr.persist_data_size); 1018 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 1019 (int) crypt_ftr.persist_data_size) { 1020 SLOGE("Cannot write to erase previous persistent data"); 1021 goto err2; 1022 } 1023 fsync(fd); 1024 } else { 1025 SLOGE("Cannot write to save persistent data"); 1026 goto err2; 1027 } 1028 1029 /* Success */ 1030 free(pdata); 1031 close(fd); 1032 return 0; 1033 1034 err2: 1035 free(pdata); 1036 err: 1037 close(fd); 1038 return -1; 1039 } 1040 1041 /* Convert a binary key of specified length into an ascii hex string equivalent, 1042 * without the leading 0x and with null termination 1043 */ 1044 static void convert_key_to_hex_ascii(const unsigned char *master_key, 1045 unsigned int keysize, char *master_key_ascii) { 1046 unsigned int i, a; 1047 unsigned char nibble; 1048 1049 for (i=0, a=0; i<keysize; i++, a+=2) { 1050 /* For each byte, write out two ascii hex digits */ 1051 nibble = (master_key[i] >> 4) & 0xf; 1052 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 1053 1054 nibble = master_key[i] & 0xf; 1055 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 1056 } 1057 1058 /* Add the null termination */ 1059 master_key_ascii[a] = '\0'; 1060 1061 } 1062 1063 static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 1064 const unsigned char *master_key, const char *real_blk_name, 1065 const char *name, int fd, const char *extra_params) { 1066 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 1067 struct dm_ioctl *io; 1068 struct dm_target_spec *tgt; 1069 char *crypt_params; 1070 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1071 int i; 1072 1073 io = (struct dm_ioctl *) buffer; 1074 1075 /* Load the mapping table for this device */ 1076 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 1077 1078 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1079 io->target_count = 1; 1080 tgt->status = 0; 1081 tgt->sector_start = 0; 1082 tgt->length = crypt_ftr->fs_size; 1083 #ifdef CONFIG_HW_DISK_ENCRYPTION 1084 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1085 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1086 } 1087 else { 1088 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1089 } 1090 #else 1091 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1092 #endif 1093 1094 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1095 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1096 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1097 master_key_ascii, real_blk_name, extra_params); 1098 crypt_params += strlen(crypt_params) + 1; 1099 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1100 tgt->next = crypt_params - buffer; 1101 1102 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1103 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1104 break; 1105 } 1106 usleep(500000); 1107 } 1108 1109 if (i == TABLE_LOAD_RETRIES) { 1110 /* We failed to load the table, return an error */ 1111 return -1; 1112 } else { 1113 return i + 1; 1114 } 1115 } 1116 1117 1118 static int get_dm_crypt_version(int fd, const char *name, int *version) 1119 { 1120 char buffer[DM_CRYPT_BUF_SIZE]; 1121 struct dm_ioctl *io; 1122 struct dm_target_versions *v; 1123 1124 io = (struct dm_ioctl *) buffer; 1125 1126 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1127 1128 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1129 return -1; 1130 } 1131 1132 /* Iterate over the returned versions, looking for name of "crypt". 1133 * When found, get and return the version. 1134 */ 1135 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1136 while (v->next) { 1137 #ifdef CONFIG_HW_DISK_ENCRYPTION 1138 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1139 #else 1140 if (! strcmp(v->name, "crypt")) { 1141 #endif 1142 /* We found the crypt driver, return the version, and get out */ 1143 version[0] = v->version[0]; 1144 version[1] = v->version[1]; 1145 version[2] = v->version[2]; 1146 return 0; 1147 } 1148 v = (struct dm_target_versions *)(((char *)v) + v->next); 1149 } 1150 1151 return -1; 1152 } 1153 1154 static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, 1155 const unsigned char *master_key, const char *real_blk_name, 1156 char *crypto_blk_name, const char *name) { 1157 char buffer[DM_CRYPT_BUF_SIZE]; 1158 struct dm_ioctl *io; 1159 unsigned int minor; 1160 int fd=0; 1161 int err; 1162 int retval = -1; 1163 int version[3]; 1164 char *extra_params; 1165 int load_count; 1166 1167 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1168 SLOGE("Cannot open device-mapper\n"); 1169 goto errout; 1170 } 1171 1172 io = (struct dm_ioctl *) buffer; 1173 1174 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1175 err = ioctl(fd, DM_DEV_CREATE, io); 1176 if (err) { 1177 SLOGE("Cannot create dm-crypt device %s: %s\n", name, strerror(errno)); 1178 goto errout; 1179 } 1180 1181 /* Get the device status, in particular, the name of it's device file */ 1182 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1183 if (ioctl(fd, DM_DEV_STATUS, io)) { 1184 SLOGE("Cannot retrieve dm-crypt device status\n"); 1185 goto errout; 1186 } 1187 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1188 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1189 1190 extra_params = ""; 1191 if (! get_dm_crypt_version(fd, name, version)) { 1192 /* Support for allow_discards was added in version 1.11.0 */ 1193 if ((version[0] >= 2) || 1194 ((version[0] == 1) && (version[1] >= 11))) { 1195 extra_params = "1 allow_discards"; 1196 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1197 } 1198 } 1199 1200 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1201 fd, extra_params); 1202 if (load_count < 0) { 1203 SLOGE("Cannot load dm-crypt mapping table.\n"); 1204 goto errout; 1205 } else if (load_count > 1) { 1206 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1207 } 1208 1209 /* Resume this device to activate it */ 1210 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1211 1212 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1213 SLOGE("Cannot resume the dm-crypt device\n"); 1214 goto errout; 1215 } 1216 1217 /* We made it here with no errors. Woot! */ 1218 retval = 0; 1219 1220 errout: 1221 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1222 1223 return retval; 1224 } 1225 1226 static int delete_crypto_blk_dev(char *name) 1227 { 1228 int fd; 1229 char buffer[DM_CRYPT_BUF_SIZE]; 1230 struct dm_ioctl *io; 1231 int retval = -1; 1232 1233 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1234 SLOGE("Cannot open device-mapper\n"); 1235 goto errout; 1236 } 1237 1238 io = (struct dm_ioctl *) buffer; 1239 1240 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1241 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1242 SLOGE("Cannot remove dm-crypt device\n"); 1243 goto errout; 1244 } 1245 1246 /* We made it here with no errors. Woot! */ 1247 retval = 0; 1248 1249 errout: 1250 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1251 1252 return retval; 1253 1254 } 1255 1256 static int pbkdf2(const char *passwd, const unsigned char *salt, 1257 unsigned char *ikey, void *params UNUSED) 1258 { 1259 SLOGI("Using pbkdf2 for cryptfs KDF"); 1260 1261 /* Turn the password into a key and IV that can decrypt the master key */ 1262 return PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), salt, SALT_LEN, 1263 HASH_COUNT, KEY_LEN_BYTES + IV_LEN_BYTES, 1264 ikey) != 1; 1265 } 1266 1267 static int scrypt(const char *passwd, const unsigned char *salt, 1268 unsigned char *ikey, void *params) 1269 { 1270 SLOGI("Using scrypt for cryptfs KDF"); 1271 1272 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1273 1274 int N = 1 << ftr->N_factor; 1275 int r = 1 << ftr->r_factor; 1276 int p = 1 << ftr->p_factor; 1277 1278 /* Turn the password into a key and IV that can decrypt the master key */ 1279 unsigned int keysize; 1280 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1281 salt, SALT_LEN, N, r, p, ikey, 1282 KEY_LEN_BYTES + IV_LEN_BYTES); 1283 1284 return 0; 1285 } 1286 1287 static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1288 unsigned char *ikey, void *params) 1289 { 1290 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1291 1292 int rc; 1293 size_t signature_size; 1294 unsigned char* signature; 1295 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1296 1297 int N = 1 << ftr->N_factor; 1298 int r = 1 << ftr->r_factor; 1299 int p = 1 << ftr->p_factor; 1300 1301 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1302 salt, SALT_LEN, N, r, p, ikey, 1303 KEY_LEN_BYTES + IV_LEN_BYTES); 1304 1305 if (rc) { 1306 SLOGE("scrypt failed"); 1307 return -1; 1308 } 1309 1310 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1311 &signature, &signature_size)) { 1312 SLOGE("Signing failed"); 1313 return -1; 1314 } 1315 1316 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1317 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1318 free(signature); 1319 1320 if (rc) { 1321 SLOGE("scrypt failed"); 1322 return -1; 1323 } 1324 1325 return 0; 1326 } 1327 1328 static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1329 const unsigned char *decrypted_master_key, 1330 unsigned char *encrypted_master_key, 1331 struct crypt_mnt_ftr *crypt_ftr) 1332 { 1333 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1334 EVP_CIPHER_CTX e_ctx; 1335 int encrypted_len, final_len; 1336 int rc = 0; 1337 1338 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1339 get_device_scrypt_params(crypt_ftr); 1340 1341 switch (crypt_ftr->kdf_type) { 1342 case KDF_SCRYPT_KEYMASTER: 1343 if (keymaster_create_key(crypt_ftr)) { 1344 SLOGE("keymaster_create_key failed"); 1345 return -1; 1346 } 1347 1348 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1349 SLOGE("scrypt failed"); 1350 return -1; 1351 } 1352 break; 1353 1354 case KDF_SCRYPT: 1355 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1356 SLOGE("scrypt failed"); 1357 return -1; 1358 } 1359 break; 1360 1361 default: 1362 SLOGE("Invalid kdf_type"); 1363 return -1; 1364 } 1365 1366 /* Initialize the decryption engine */ 1367 EVP_CIPHER_CTX_init(&e_ctx); 1368 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1369 SLOGE("EVP_EncryptInit failed\n"); 1370 return -1; 1371 } 1372 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1373 1374 /* Encrypt the master key */ 1375 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1376 decrypted_master_key, KEY_LEN_BYTES)) { 1377 SLOGE("EVP_EncryptUpdate failed\n"); 1378 return -1; 1379 } 1380 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1381 SLOGE("EVP_EncryptFinal failed\n"); 1382 return -1; 1383 } 1384 1385 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1386 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1387 return -1; 1388 } 1389 1390 /* Store the scrypt of the intermediate key, so we can validate if it's a 1391 password error or mount error when things go wrong. 1392 Note there's no need to check for errors, since if this is incorrect, we 1393 simply won't wipe userdata, which is the correct default behavior 1394 */ 1395 int N = 1 << crypt_ftr->N_factor; 1396 int r = 1 << crypt_ftr->r_factor; 1397 int p = 1 << crypt_ftr->p_factor; 1398 1399 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1400 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1401 crypt_ftr->scrypted_intermediate_key, 1402 sizeof(crypt_ftr->scrypted_intermediate_key)); 1403 1404 if (rc) { 1405 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1406 } 1407 1408 return 0; 1409 } 1410 1411 static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1412 unsigned char *encrypted_master_key, 1413 unsigned char *decrypted_master_key, 1414 kdf_func kdf, void *kdf_params, 1415 unsigned char** intermediate_key, 1416 size_t* intermediate_key_size) 1417 { 1418 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1419 EVP_CIPHER_CTX d_ctx; 1420 int decrypted_len, final_len; 1421 1422 /* Turn the password into an intermediate key and IV that can decrypt the 1423 master key */ 1424 if (kdf(passwd, salt, ikey, kdf_params)) { 1425 SLOGE("kdf failed"); 1426 return -1; 1427 } 1428 1429 /* Initialize the decryption engine */ 1430 EVP_CIPHER_CTX_init(&d_ctx); 1431 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1432 return -1; 1433 } 1434 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1435 /* Decrypt the master key */ 1436 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1437 encrypted_master_key, KEY_LEN_BYTES)) { 1438 return -1; 1439 } 1440 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1441 return -1; 1442 } 1443 1444 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1445 return -1; 1446 } 1447 1448 /* Copy intermediate key if needed by params */ 1449 if (intermediate_key && intermediate_key_size) { 1450 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1451 if (intermediate_key) { 1452 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1453 *intermediate_key_size = KEY_LEN_BYTES; 1454 } 1455 } 1456 1457 return 0; 1458 } 1459 1460 static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1461 { 1462 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1463 *kdf = scrypt_keymaster; 1464 *kdf_params = ftr; 1465 } else if (ftr->kdf_type == KDF_SCRYPT) { 1466 *kdf = scrypt; 1467 *kdf_params = ftr; 1468 } else { 1469 *kdf = pbkdf2; 1470 *kdf_params = NULL; 1471 } 1472 } 1473 1474 static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1475 struct crypt_mnt_ftr *crypt_ftr, 1476 unsigned char** intermediate_key, 1477 size_t* intermediate_key_size) 1478 { 1479 kdf_func kdf; 1480 void *kdf_params; 1481 int ret; 1482 1483 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1484 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1485 decrypted_master_key, kdf, kdf_params, 1486 intermediate_key, intermediate_key_size); 1487 if (ret != 0) { 1488 SLOGW("failure decrypting master key"); 1489 } 1490 1491 return ret; 1492 } 1493 1494 static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1495 struct crypt_mnt_ftr *crypt_ftr) { 1496 int fd; 1497 unsigned char key_buf[KEY_LEN_BYTES]; 1498 1499 /* Get some random bits for a key */ 1500 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1501 read(fd, key_buf, sizeof(key_buf)); 1502 read(fd, salt, SALT_LEN); 1503 close(fd); 1504 1505 /* Now encrypt it with the password */ 1506 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1507 } 1508 1509 int wait_and_unmount(const char *mountpoint, bool kill) 1510 { 1511 int i, err, rc; 1512 #define WAIT_UNMOUNT_COUNT 20 1513 1514 /* Now umount the tmpfs filesystem */ 1515 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1516 if (umount(mountpoint) == 0) { 1517 break; 1518 } 1519 1520 if (errno == EINVAL) { 1521 /* EINVAL is returned if the directory is not a mountpoint, 1522 * i.e. there is no filesystem mounted there. So just get out. 1523 */ 1524 break; 1525 } 1526 1527 err = errno; 1528 1529 /* If allowed, be increasingly aggressive before the last two retries */ 1530 if (kill) { 1531 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1532 SLOGW("sending SIGHUP to processes with open files\n"); 1533 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1534 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1535 SLOGW("sending SIGKILL to processes with open files\n"); 1536 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1537 } 1538 } 1539 1540 sleep(1); 1541 } 1542 1543 if (i < WAIT_UNMOUNT_COUNT) { 1544 SLOGD("unmounting %s succeeded\n", mountpoint); 1545 rc = 0; 1546 } else { 1547 vold_killProcessesWithOpenFiles(mountpoint, 0); 1548 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1549 rc = -1; 1550 } 1551 1552 return rc; 1553 } 1554 1555 #define DATA_PREP_TIMEOUT 1000 1556 static int prep_data_fs(void) 1557 { 1558 int i; 1559 1560 // NOTE: post_fs_data results in init calling back around to vold, so all 1561 // callers to this method must be async 1562 1563 /* Do the prep of the /data filesystem */ 1564 property_set("vold.post_fs_data_done", "0"); 1565 property_set("vold.decrypt", "trigger_post_fs_data"); 1566 SLOGD("Just triggered post_fs_data\n"); 1567 1568 /* Wait a max of 50 seconds, hopefully it takes much less */ 1569 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1570 char p[PROPERTY_VALUE_MAX]; 1571 1572 property_get("vold.post_fs_data_done", p, "0"); 1573 if (*p == '1') { 1574 break; 1575 } else { 1576 usleep(50000); 1577 } 1578 } 1579 if (i == DATA_PREP_TIMEOUT) { 1580 /* Ugh, we failed to prep /data in time. Bail. */ 1581 SLOGE("post_fs_data timed out!\n"); 1582 return -1; 1583 } else { 1584 SLOGD("post_fs_data done\n"); 1585 return 0; 1586 } 1587 } 1588 1589 static void cryptfs_set_corrupt() 1590 { 1591 // Mark the footer as bad 1592 struct crypt_mnt_ftr crypt_ftr; 1593 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1594 SLOGE("Failed to get crypto footer - panic"); 1595 return; 1596 } 1597 1598 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1599 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1600 SLOGE("Failed to set crypto footer - panic"); 1601 return; 1602 } 1603 } 1604 1605 static void cryptfs_trigger_restart_min_framework() 1606 { 1607 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1608 SLOGE("Failed to mount tmpfs on data - panic"); 1609 return; 1610 } 1611 1612 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1613 SLOGE("Failed to trigger post fs data - panic"); 1614 return; 1615 } 1616 1617 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1618 SLOGE("Failed to trigger restart min framework - panic"); 1619 return; 1620 } 1621 } 1622 1623 /* returns < 0 on failure */ 1624 static int cryptfs_restart_internal(int restart_main) 1625 { 1626 char crypto_blkdev[MAXPATHLEN]; 1627 int rc = -1; 1628 static int restart_successful = 0; 1629 1630 /* Validate that it's OK to call this routine */ 1631 if (! master_key_saved) { 1632 SLOGE("Encrypted filesystem not validated, aborting"); 1633 return -1; 1634 } 1635 1636 if (restart_successful) { 1637 SLOGE("System already restarted with encrypted disk, aborting"); 1638 return -1; 1639 } 1640 1641 if (restart_main) { 1642 /* Here is where we shut down the framework. The init scripts 1643 * start all services in one of three classes: core, main or late_start. 1644 * On boot, we start core and main. Now, we stop main, but not core, 1645 * as core includes vold and a few other really important things that 1646 * we need to keep running. Once main has stopped, we should be able 1647 * to umount the tmpfs /data, then mount the encrypted /data. 1648 * We then restart the class main, and also the class late_start. 1649 * At the moment, I've only put a few things in late_start that I know 1650 * are not needed to bring up the framework, and that also cause problems 1651 * with unmounting the tmpfs /data, but I hope to add add more services 1652 * to the late_start class as we optimize this to decrease the delay 1653 * till the user is asked for the password to the filesystem. 1654 */ 1655 1656 /* The init files are setup to stop the class main when vold.decrypt is 1657 * set to trigger_reset_main. 1658 */ 1659 property_set("vold.decrypt", "trigger_reset_main"); 1660 SLOGD("Just asked init to shut down class main\n"); 1661 1662 /* Ugh, shutting down the framework is not synchronous, so until it 1663 * can be fixed, this horrible hack will wait a moment for it all to 1664 * shut down before proceeding. Without it, some devices cannot 1665 * restart the graphics services. 1666 */ 1667 sleep(2); 1668 } 1669 1670 /* Now that the framework is shutdown, we should be able to umount() 1671 * the tmpfs filesystem, and mount the real one. 1672 */ 1673 1674 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1675 if (strlen(crypto_blkdev) == 0) { 1676 SLOGE("fs_crypto_blkdev not set\n"); 1677 return -1; 1678 } 1679 1680 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1681 /* If ro.crypto.readonly is set to 1, mount the decrypted 1682 * filesystem readonly. This is used when /data is mounted by 1683 * recovery mode. 1684 */ 1685 char ro_prop[PROPERTY_VALUE_MAX]; 1686 property_get("ro.crypto.readonly", ro_prop, ""); 1687 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1688 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1689 rec->flags |= MS_RDONLY; 1690 } 1691 1692 /* If that succeeded, then mount the decrypted filesystem */ 1693 int retries = RETRY_MOUNT_ATTEMPTS; 1694 int mount_rc; 1695 1696 /* 1697 * fs_mgr_do_mount runs fsck. Use setexeccon to run trusted 1698 * partitions in the fsck domain. 1699 */ 1700 if (setexeccon(secontextFsck())){ 1701 SLOGE("Failed to setexeccon"); 1702 return -1; 1703 } 1704 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1705 crypto_blkdev, 0)) 1706 != 0) { 1707 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1708 /* TODO: invoke something similar to 1709 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1710 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1711 SLOGI("Failed to mount %s because it is busy - waiting", 1712 crypto_blkdev); 1713 if (--retries) { 1714 sleep(RETRY_MOUNT_DELAY_SECONDS); 1715 } else { 1716 /* Let's hope that a reboot clears away whatever is keeping 1717 the mount busy */ 1718 cryptfs_reboot(reboot); 1719 } 1720 } else { 1721 SLOGE("Failed to mount decrypted data"); 1722 cryptfs_set_corrupt(); 1723 cryptfs_trigger_restart_min_framework(); 1724 SLOGI("Started framework to offer wipe"); 1725 if (setexeccon(NULL)) { 1726 SLOGE("Failed to setexeccon"); 1727 } 1728 return -1; 1729 } 1730 } 1731 if (setexeccon(NULL)) { 1732 SLOGE("Failed to setexeccon"); 1733 return -1; 1734 } 1735 1736 property_set("vold.decrypt", "trigger_load_persist_props"); 1737 /* Create necessary paths on /data */ 1738 if (prep_data_fs()) { 1739 return -1; 1740 } 1741 1742 /* startup service classes main and late_start */ 1743 property_set("vold.decrypt", "trigger_restart_framework"); 1744 SLOGD("Just triggered restart_framework\n"); 1745 1746 /* Give it a few moments to get started */ 1747 sleep(1); 1748 } 1749 1750 if (rc == 0) { 1751 restart_successful = 1; 1752 } 1753 1754 return rc; 1755 } 1756 1757 int cryptfs_restart(void) 1758 { 1759 SLOGI("cryptfs_restart"); 1760 if (e4crypt_is_native()) { 1761 SLOGE("cryptfs_restart not valid for file encryption:"); 1762 return -1; 1763 } 1764 1765 /* Call internal implementation forcing a restart of main service group */ 1766 return cryptfs_restart_internal(1); 1767 } 1768 1769 static int do_crypto_complete(char *mount_point) 1770 { 1771 struct crypt_mnt_ftr crypt_ftr; 1772 char encrypted_state[PROPERTY_VALUE_MAX]; 1773 char key_loc[PROPERTY_VALUE_MAX]; 1774 1775 property_get("ro.crypto.state", encrypted_state, ""); 1776 if (strcmp(encrypted_state, "encrypted") ) { 1777 SLOGE("not running with encryption, aborting"); 1778 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1779 } 1780 1781 // crypto_complete is full disk encrypted status 1782 if (e4crypt_is_native()) { 1783 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1784 } 1785 1786 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1787 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1788 1789 /* 1790 * Only report this error if key_loc is a file and it exists. 1791 * If the device was never encrypted, and /data is not mountable for 1792 * some reason, returning 1 should prevent the UI from presenting the 1793 * a "enter password" screen, or worse, a "press button to wipe the 1794 * device" screen. 1795 */ 1796 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1797 SLOGE("master key file does not exist, aborting"); 1798 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1799 } else { 1800 SLOGE("Error getting crypt footer and key\n"); 1801 return CRYPTO_COMPLETE_BAD_METADATA; 1802 } 1803 } 1804 1805 // Test for possible error flags 1806 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1807 SLOGE("Encryption process is partway completed\n"); 1808 return CRYPTO_COMPLETE_PARTIAL; 1809 } 1810 1811 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1812 SLOGE("Encryption process was interrupted but cannot continue\n"); 1813 return CRYPTO_COMPLETE_INCONSISTENT; 1814 } 1815 1816 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1817 SLOGE("Encryption is successful but data is corrupt\n"); 1818 return CRYPTO_COMPLETE_CORRUPT; 1819 } 1820 1821 /* We passed the test! We shall diminish, and return to the west */ 1822 return CRYPTO_COMPLETE_ENCRYPTED; 1823 } 1824 1825 static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1826 char *passwd, char *mount_point, char *label) 1827 { 1828 /* Allocate enough space for a 256 bit key, but we may use less */ 1829 unsigned char decrypted_master_key[32]; 1830 char crypto_blkdev[MAXPATHLEN]; 1831 char real_blkdev[MAXPATHLEN]; 1832 char tmp_mount_point[64]; 1833 unsigned int orig_failed_decrypt_count; 1834 int rc; 1835 int use_keymaster = 0; 1836 int upgrade = 0; 1837 unsigned char* intermediate_key = 0; 1838 size_t intermediate_key_size = 0; 1839 1840 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1841 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1842 1843 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1844 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1845 &intermediate_key, &intermediate_key_size)) { 1846 SLOGE("Failed to decrypt master key\n"); 1847 rc = -1; 1848 goto errout; 1849 } 1850 } 1851 1852 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1853 1854 #ifdef CONFIG_HW_DISK_ENCRYPTION 1855 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1856 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1857 SLOGE("Hardware encryption key does not match"); 1858 } 1859 } 1860 #endif 1861 1862 // Create crypto block device - all (non fatal) code paths 1863 // need it 1864 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1865 real_blkdev, crypto_blkdev, label)) { 1866 SLOGE("Error creating decrypted block device\n"); 1867 rc = -1; 1868 goto errout; 1869 } 1870 1871 /* Work out if the problem is the password or the data */ 1872 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1873 scrypted_intermediate_key)]; 1874 int N = 1 << crypt_ftr->N_factor; 1875 int r = 1 << crypt_ftr->r_factor; 1876 int p = 1 << crypt_ftr->p_factor; 1877 1878 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1879 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1880 N, r, p, scrypted_intermediate_key, 1881 sizeof(scrypted_intermediate_key)); 1882 1883 // Does the key match the crypto footer? 1884 if (rc == 0 && memcmp(scrypted_intermediate_key, 1885 crypt_ftr->scrypted_intermediate_key, 1886 sizeof(scrypted_intermediate_key)) == 0) { 1887 SLOGI("Password matches"); 1888 rc = 0; 1889 } else { 1890 /* Try mounting the file system anyway, just in case the problem's with 1891 * the footer, not the key. */ 1892 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1893 mkdir(tmp_mount_point, 0755); 1894 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1895 SLOGE("Error temp mounting decrypted block device\n"); 1896 delete_crypto_blk_dev(label); 1897 1898 rc = ++crypt_ftr->failed_decrypt_count; 1899 put_crypt_ftr_and_key(crypt_ftr); 1900 } else { 1901 /* Success! */ 1902 SLOGI("Password did not match but decrypted drive mounted - continue"); 1903 umount(tmp_mount_point); 1904 rc = 0; 1905 } 1906 } 1907 1908 if (rc == 0) { 1909 crypt_ftr->failed_decrypt_count = 0; 1910 if (orig_failed_decrypt_count != 0) { 1911 put_crypt_ftr_and_key(crypt_ftr); 1912 } 1913 1914 /* Save the name of the crypto block device 1915 * so we can mount it when restarting the framework. */ 1916 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1917 1918 /* Also save a the master key so we can reencrypted the key 1919 * the key when we want to change the password on it. */ 1920 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1921 saved_mount_point = strdup(mount_point); 1922 master_key_saved = 1; 1923 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1924 rc = 0; 1925 1926 // Upgrade if we're not using the latest KDF. 1927 use_keymaster = keymaster_check_compatibility(); 1928 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1929 // Don't allow downgrade 1930 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1931 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1932 upgrade = 1; 1933 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1934 crypt_ftr->kdf_type = KDF_SCRYPT; 1935 upgrade = 1; 1936 } 1937 1938 if (upgrade) { 1939 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1940 crypt_ftr->master_key, crypt_ftr); 1941 if (!rc) { 1942 rc = put_crypt_ftr_and_key(crypt_ftr); 1943 } 1944 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1945 1946 // Do not fail even if upgrade failed - machine is bootable 1947 // Note that if this code is ever hit, there is a *serious* problem 1948 // since KDFs should never fail. You *must* fix the kdf before 1949 // proceeding! 1950 if (rc) { 1951 SLOGW("Upgrade failed with error %d," 1952 " but continuing with previous state", 1953 rc); 1954 rc = 0; 1955 } 1956 } 1957 } 1958 1959 errout: 1960 if (intermediate_key) { 1961 memset(intermediate_key, 0, intermediate_key_size); 1962 free(intermediate_key); 1963 } 1964 return rc; 1965 } 1966 1967 /* 1968 * Called by vold when it's asked to mount an encrypted external 1969 * storage volume. The incoming partition has no crypto header/footer, 1970 * as any metadata is been stored in a separate, small partition. 1971 * 1972 * out_crypto_blkdev must be MAXPATHLEN. 1973 */ 1974 int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1975 const unsigned char* key, int keysize, char* out_crypto_blkdev) { 1976 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1977 if (fd == -1) { 1978 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1979 return -1; 1980 } 1981 1982 unsigned long nr_sec = 0; 1983 get_blkdev_size(fd, &nr_sec); 1984 close(fd); 1985 1986 if (nr_sec == 0) { 1987 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1988 return -1; 1989 } 1990 1991 struct crypt_mnt_ftr ext_crypt_ftr; 1992 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1993 ext_crypt_ftr.fs_size = nr_sec; 1994 ext_crypt_ftr.keysize = keysize; 1995 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 1996 1997 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, 1998 out_crypto_blkdev, label); 1999 } 2000 2001 /* 2002 * Called by vold when it's asked to unmount an encrypted external 2003 * storage volume. 2004 */ 2005 int cryptfs_revert_ext_volume(const char* label) { 2006 return delete_crypto_blk_dev((char*) label); 2007 } 2008 2009 int cryptfs_crypto_complete(void) 2010 { 2011 return do_crypto_complete("/data"); 2012 } 2013 2014 int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 2015 { 2016 char encrypted_state[PROPERTY_VALUE_MAX]; 2017 property_get("ro.crypto.state", encrypted_state, ""); 2018 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 2019 SLOGE("encrypted fs already validated or not running with encryption," 2020 " aborting"); 2021 return -1; 2022 } 2023 2024 if (get_crypt_ftr_and_key(crypt_ftr)) { 2025 SLOGE("Error getting crypt footer and key"); 2026 return -1; 2027 } 2028 2029 return 0; 2030 } 2031 2032 int cryptfs_check_passwd(char *passwd) 2033 { 2034 SLOGI("cryptfs_check_passwd"); 2035 if (e4crypt_is_native()) { 2036 SLOGE("cryptfs_check_passwd not valid for file encryption"); 2037 return -1; 2038 } 2039 2040 struct crypt_mnt_ftr crypt_ftr; 2041 int rc; 2042 2043 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2044 if (rc) { 2045 SLOGE("Could not get footer"); 2046 return rc; 2047 } 2048 2049 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2050 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 2051 if (rc) { 2052 SLOGE("Password did not match"); 2053 return rc; 2054 } 2055 2056 if (crypt_ftr.flags & CRYPT_FORCE_COMPLETE) { 2057 // Here we have a default actual password but a real password 2058 // we must test against the scrypted value 2059 // First, we must delete the crypto block device that 2060 // test_mount_encrypted_fs leaves behind as a side effect 2061 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 2062 rc = test_mount_encrypted_fs(&crypt_ftr, DEFAULT_PASSWORD, 2063 DATA_MNT_POINT, CRYPTO_BLOCK_DEVICE); 2064 if (rc) { 2065 SLOGE("Default password did not match on reboot encryption"); 2066 return rc; 2067 } 2068 2069 crypt_ftr.flags &= ~CRYPT_FORCE_COMPLETE; 2070 put_crypt_ftr_and_key(&crypt_ftr); 2071 rc = cryptfs_changepw(crypt_ftr.crypt_type, passwd); 2072 if (rc) { 2073 SLOGE("Could not change password on reboot encryption"); 2074 return rc; 2075 } 2076 } 2077 2078 if (crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2079 cryptfs_clear_password(); 2080 password = strdup(passwd); 2081 struct timespec now; 2082 clock_gettime(CLOCK_BOOTTIME, &now); 2083 password_expiry_time = now.tv_sec + password_max_age_seconds; 2084 } 2085 2086 return rc; 2087 } 2088 2089 int cryptfs_verify_passwd(char *passwd) 2090 { 2091 struct crypt_mnt_ftr crypt_ftr; 2092 /* Allocate enough space for a 256 bit key, but we may use less */ 2093 unsigned char decrypted_master_key[32]; 2094 char encrypted_state[PROPERTY_VALUE_MAX]; 2095 int rc; 2096 2097 property_get("ro.crypto.state", encrypted_state, ""); 2098 if (strcmp(encrypted_state, "encrypted") ) { 2099 SLOGE("device not encrypted, aborting"); 2100 return -2; 2101 } 2102 2103 if (!master_key_saved) { 2104 SLOGE("encrypted fs not yet mounted, aborting"); 2105 return -1; 2106 } 2107 2108 if (!saved_mount_point) { 2109 SLOGE("encrypted fs failed to save mount point, aborting"); 2110 return -1; 2111 } 2112 2113 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2114 SLOGE("Error getting crypt footer and key\n"); 2115 return -1; 2116 } 2117 2118 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2119 /* If the device has no password, then just say the password is valid */ 2120 rc = 0; 2121 } else { 2122 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2123 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2124 /* They match, the password is correct */ 2125 rc = 0; 2126 } else { 2127 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2128 sleep(1); 2129 rc = 1; 2130 } 2131 } 2132 2133 return rc; 2134 } 2135 2136 /* Initialize a crypt_mnt_ftr structure. The keysize is 2137 * defaulted to 16 bytes, and the filesystem size to 0. 2138 * Presumably, at a minimum, the caller will update the 2139 * filesystem size and crypto_type_name after calling this function. 2140 */ 2141 static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2142 { 2143 off64_t off; 2144 2145 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2146 ftr->magic = CRYPT_MNT_MAGIC; 2147 ftr->major_version = CURRENT_MAJOR_VERSION; 2148 ftr->minor_version = CURRENT_MINOR_VERSION; 2149 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2150 ftr->keysize = KEY_LEN_BYTES; 2151 2152 switch (keymaster_check_compatibility()) { 2153 case 1: 2154 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2155 break; 2156 2157 case 0: 2158 ftr->kdf_type = KDF_SCRYPT; 2159 break; 2160 2161 default: 2162 SLOGE("keymaster_check_compatibility failed"); 2163 return -1; 2164 } 2165 2166 get_device_scrypt_params(ftr); 2167 2168 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2169 if (get_crypt_ftr_info(NULL, &off) == 0) { 2170 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2171 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2172 ftr->persist_data_size; 2173 } 2174 2175 return 0; 2176 } 2177 2178 static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2179 { 2180 const char *args[10]; 2181 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2182 int num_args; 2183 int status; 2184 int tmp; 2185 int rc = -1; 2186 2187 if (type == EXT4_FS) { 2188 args[0] = "/system/bin/make_ext4fs"; 2189 args[1] = "-a"; 2190 args[2] = "/data"; 2191 args[3] = "-l"; 2192 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2193 args[4] = size_str; 2194 args[5] = crypto_blkdev; 2195 num_args = 6; 2196 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2197 args[0], args[1], args[2], args[3], args[4], args[5]); 2198 } else if (type == F2FS_FS) { 2199 args[0] = "/system/bin/mkfs.f2fs"; 2200 args[1] = "-t"; 2201 args[2] = "-d1"; 2202 args[3] = crypto_blkdev; 2203 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2204 args[4] = size_str; 2205 num_args = 5; 2206 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2207 args[0], args[1], args[2], args[3], args[4]); 2208 } else { 2209 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2210 return -1; 2211 } 2212 2213 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2214 2215 if (tmp != 0) { 2216 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2217 } else { 2218 if (WIFEXITED(status)) { 2219 if (WEXITSTATUS(status)) { 2220 SLOGE("Error creating filesystem on %s, exit status %d ", 2221 crypto_blkdev, WEXITSTATUS(status)); 2222 } else { 2223 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2224 rc = 0; 2225 } 2226 } else { 2227 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2228 } 2229 } 2230 2231 return rc; 2232 } 2233 2234 #define CRYPT_INPLACE_BUFSIZE 4096 2235 #define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2236 #define CRYPT_SECTOR_SIZE 512 2237 2238 /* aligned 32K writes tends to make flash happy. 2239 * SD card association recommends it. 2240 */ 2241 #ifndef CONFIG_HW_DISK_ENCRYPTION 2242 #define BLOCKS_AT_A_TIME 8 2243 #else 2244 #define BLOCKS_AT_A_TIME 1024 2245 #endif 2246 2247 struct encryptGroupsData 2248 { 2249 int realfd; 2250 int cryptofd; 2251 off64_t numblocks; 2252 off64_t one_pct, cur_pct, new_pct; 2253 off64_t blocks_already_done, tot_numblocks; 2254 off64_t used_blocks_already_done, tot_used_blocks; 2255 char* real_blkdev, * crypto_blkdev; 2256 int count; 2257 off64_t offset; 2258 char* buffer; 2259 off64_t last_written_sector; 2260 int completed; 2261 time_t time_started; 2262 int remaining_time; 2263 }; 2264 2265 static void update_progress(struct encryptGroupsData* data, int is_used) 2266 { 2267 data->blocks_already_done++; 2268 2269 if (is_used) { 2270 data->used_blocks_already_done++; 2271 } 2272 if (data->tot_used_blocks) { 2273 data->new_pct = data->used_blocks_already_done / data->one_pct; 2274 } else { 2275 data->new_pct = data->blocks_already_done / data->one_pct; 2276 } 2277 2278 if (data->new_pct > data->cur_pct) { 2279 char buf[8]; 2280 data->cur_pct = data->new_pct; 2281 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2282 property_set("vold.encrypt_progress", buf); 2283 } 2284 2285 if (data->cur_pct >= 5) { 2286 struct timespec time_now; 2287 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2288 SLOGW("Error getting time"); 2289 } else { 2290 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2291 off64_t remaining_blocks = data->tot_used_blocks 2292 - data->used_blocks_already_done; 2293 int remaining_time = (int)(elapsed_time * remaining_blocks 2294 / data->used_blocks_already_done); 2295 2296 // Change time only if not yet set, lower, or a lot higher for 2297 // best user experience 2298 if (data->remaining_time == -1 2299 || remaining_time < data->remaining_time 2300 || remaining_time > data->remaining_time + 60) { 2301 char buf[8]; 2302 snprintf(buf, sizeof(buf), "%d", remaining_time); 2303 property_set("vold.encrypt_time_remaining", buf); 2304 data->remaining_time = remaining_time; 2305 } 2306 } 2307 } 2308 } 2309 2310 static void log_progress(struct encryptGroupsData const* data, bool completed) 2311 { 2312 // Precondition - if completed data = 0 else data != 0 2313 2314 // Track progress so we can skip logging blocks 2315 static off64_t offset = -1; 2316 2317 // Need to close existing 'Encrypting from' log? 2318 if (completed || (offset != -1 && data->offset != offset)) { 2319 SLOGI("Encrypted to sector %" PRId64, 2320 offset / info.block_size * CRYPT_SECTOR_SIZE); 2321 offset = -1; 2322 } 2323 2324 // Need to start new 'Encrypting from' log? 2325 if (!completed && offset != data->offset) { 2326 SLOGI("Encrypting from sector %" PRId64, 2327 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2328 } 2329 2330 // Update offset 2331 if (!completed) { 2332 offset = data->offset + (off64_t)data->count * info.block_size; 2333 } 2334 } 2335 2336 static int flush_outstanding_data(struct encryptGroupsData* data) 2337 { 2338 if (data->count == 0) { 2339 return 0; 2340 } 2341 2342 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2343 2344 if (pread64(data->realfd, data->buffer, 2345 info.block_size * data->count, data->offset) 2346 <= 0) { 2347 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2348 data->real_blkdev); 2349 return -1; 2350 } 2351 2352 if (pwrite64(data->cryptofd, data->buffer, 2353 info.block_size * data->count, data->offset) 2354 <= 0) { 2355 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2356 data->crypto_blkdev); 2357 return -1; 2358 } else { 2359 log_progress(data, false); 2360 } 2361 2362 data->count = 0; 2363 data->last_written_sector = (data->offset + data->count) 2364 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2365 return 0; 2366 } 2367 2368 static int encrypt_groups(struct encryptGroupsData* data) 2369 { 2370 unsigned int i; 2371 u8 *block_bitmap = 0; 2372 unsigned int block; 2373 off64_t ret; 2374 int rc = -1; 2375 2376 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2377 if (!data->buffer) { 2378 SLOGE("Failed to allocate crypto buffer"); 2379 goto errout; 2380 } 2381 2382 block_bitmap = malloc(info.block_size); 2383 if (!block_bitmap) { 2384 SLOGE("failed to allocate block bitmap"); 2385 goto errout; 2386 } 2387 2388 for (i = 0; i < aux_info.groups; ++i) { 2389 SLOGI("Encrypting group %d", i); 2390 2391 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2392 u32 block_count = min(info.blocks_per_group, 2393 aux_info.len_blocks - first_block); 2394 2395 off64_t offset = (u64)info.block_size 2396 * aux_info.bg_desc[i].bg_block_bitmap; 2397 2398 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2399 if (ret != (int)info.block_size) { 2400 SLOGE("failed to read all of block group bitmap %d", i); 2401 goto errout; 2402 } 2403 2404 offset = (u64)info.block_size * first_block; 2405 2406 data->count = 0; 2407 2408 for (block = 0; block < block_count; block++) { 2409 int used = (aux_info.bg_desc[i].bg_flags & EXT4_BG_BLOCK_UNINIT) ? 2410 0 : bitmap_get_bit(block_bitmap, block); 2411 update_progress(data, used); 2412 if (used) { 2413 if (data->count == 0) { 2414 data->offset = offset; 2415 } 2416 data->count++; 2417 } else { 2418 if (flush_outstanding_data(data)) { 2419 goto errout; 2420 } 2421 } 2422 2423 offset += info.block_size; 2424 2425 /* Write data if we are aligned or buffer size reached */ 2426 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2427 || data->count == BLOCKS_AT_A_TIME) { 2428 if (flush_outstanding_data(data)) { 2429 goto errout; 2430 } 2431 } 2432 2433 if (!is_battery_ok_to_continue()) { 2434 SLOGE("Stopping encryption due to low battery"); 2435 rc = 0; 2436 goto errout; 2437 } 2438 2439 } 2440 if (flush_outstanding_data(data)) { 2441 goto errout; 2442 } 2443 } 2444 2445 data->completed = 1; 2446 rc = 0; 2447 2448 errout: 2449 log_progress(0, true); 2450 free(data->buffer); 2451 free(block_bitmap); 2452 return rc; 2453 } 2454 2455 static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2456 char *real_blkdev, 2457 off64_t size, 2458 off64_t *size_already_done, 2459 off64_t tot_size, 2460 off64_t previously_encrypted_upto) 2461 { 2462 u32 i; 2463 struct encryptGroupsData data; 2464 int rc; // Can't initialize without causing warning -Wclobbered 2465 2466 if (previously_encrypted_upto > *size_already_done) { 2467 SLOGD("Not fast encrypting since resuming part way through"); 2468 return -1; 2469 } 2470 2471 memset(&data, 0, sizeof(data)); 2472 data.real_blkdev = real_blkdev; 2473 data.crypto_blkdev = crypto_blkdev; 2474 2475 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2476 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2477 real_blkdev, errno, strerror(errno)); 2478 rc = -1; 2479 goto errout; 2480 } 2481 2482 // Wait until the block device appears. Re-use the mount retry values since it is reasonable. 2483 int retries = RETRY_MOUNT_ATTEMPTS; 2484 while ((data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2485 if (--retries) { 2486 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s), retrying\n", 2487 crypto_blkdev, errno, strerror(errno)); 2488 sleep(RETRY_MOUNT_DELAY_SECONDS); 2489 } else { 2490 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2491 crypto_blkdev, errno, strerror(errno)); 2492 rc = ENABLE_INPLACE_ERR_DEV; 2493 goto errout; 2494 } 2495 } 2496 2497 if (setjmp(setjmp_env)) { 2498 SLOGE("Reading ext4 extent caused an exception\n"); 2499 rc = -1; 2500 goto errout; 2501 } 2502 2503 if (read_ext(data.realfd, 0) != 0) { 2504 SLOGE("Failed to read ext4 extent\n"); 2505 rc = -1; 2506 goto errout; 2507 } 2508 2509 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2510 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2511 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2512 2513 SLOGI("Encrypting ext4 filesystem in place..."); 2514 2515 data.tot_used_blocks = data.numblocks; 2516 for (i = 0; i < aux_info.groups; ++i) { 2517 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2518 } 2519 2520 data.one_pct = data.tot_used_blocks / 100; 2521 data.cur_pct = 0; 2522 2523 struct timespec time_started = {0}; 2524 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2525 SLOGW("Error getting time at start"); 2526 // Note - continue anyway - we'll run with 0 2527 } 2528 data.time_started = time_started.tv_sec; 2529 data.remaining_time = -1; 2530 2531 rc = encrypt_groups(&data); 2532 if (rc) { 2533 SLOGE("Error encrypting groups"); 2534 goto errout; 2535 } 2536 2537 *size_already_done += data.completed ? size : data.last_written_sector; 2538 rc = 0; 2539 2540 errout: 2541 close(data.realfd); 2542 close(data.cryptofd); 2543 2544 return rc; 2545 } 2546 2547 static void log_progress_f2fs(u64 block, bool completed) 2548 { 2549 // Precondition - if completed data = 0 else data != 0 2550 2551 // Track progress so we can skip logging blocks 2552 static u64 last_block = (u64)-1; 2553 2554 // Need to close existing 'Encrypting from' log? 2555 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2556 SLOGI("Encrypted to block %" PRId64, last_block); 2557 last_block = -1; 2558 } 2559 2560 // Need to start new 'Encrypting from' log? 2561 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2562 SLOGI("Encrypting from block %" PRId64, block); 2563 } 2564 2565 // Update offset 2566 if (!completed) { 2567 last_block = block; 2568 } 2569 } 2570 2571 static int encrypt_one_block_f2fs(u64 pos, void *data) 2572 { 2573 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2574 2575 priv_dat->blocks_already_done = pos - 1; 2576 update_progress(priv_dat, 1); 2577 2578 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2579 2580 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2581 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2582 return -1; 2583 } 2584 2585 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2586 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2587 return -1; 2588 } else { 2589 log_progress_f2fs(pos, false); 2590 } 2591 2592 return 0; 2593 } 2594 2595 static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2596 char *real_blkdev, 2597 off64_t size, 2598 off64_t *size_already_done, 2599 off64_t tot_size, 2600 off64_t previously_encrypted_upto) 2601 { 2602 struct encryptGroupsData data; 2603 struct f2fs_info *f2fs_info = NULL; 2604 int rc = ENABLE_INPLACE_ERR_OTHER; 2605 if (previously_encrypted_upto > *size_already_done) { 2606 SLOGD("Not fast encrypting since resuming part way through"); 2607 return ENABLE_INPLACE_ERR_OTHER; 2608 } 2609 memset(&data, 0, sizeof(data)); 2610 data.real_blkdev = real_blkdev; 2611 data.crypto_blkdev = crypto_blkdev; 2612 data.realfd = -1; 2613 data.cryptofd = -1; 2614 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2615 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2616 real_blkdev); 2617 goto errout; 2618 } 2619 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2620 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2621 crypto_blkdev, errno, strerror(errno)); 2622 rc = ENABLE_INPLACE_ERR_DEV; 2623 goto errout; 2624 } 2625 2626 f2fs_info = generate_f2fs_info(data.realfd); 2627 if (!f2fs_info) 2628 goto errout; 2629 2630 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2631 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2632 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2633 2634 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2635 2636 data.one_pct = data.tot_used_blocks / 100; 2637 data.cur_pct = 0; 2638 data.time_started = time(NULL); 2639 data.remaining_time = -1; 2640 2641 data.buffer = malloc(f2fs_info->block_size); 2642 if (!data.buffer) { 2643 SLOGE("Failed to allocate crypto buffer"); 2644 goto errout; 2645 } 2646 2647 data.count = 0; 2648 2649 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2650 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2651 2652 if (rc) { 2653 SLOGE("Error in running over f2fs blocks"); 2654 rc = ENABLE_INPLACE_ERR_OTHER; 2655 goto errout; 2656 } 2657 2658 *size_already_done += size; 2659 rc = 0; 2660 2661 errout: 2662 if (rc) 2663 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2664 2665 log_progress_f2fs(0, true); 2666 free(f2fs_info); 2667 free(data.buffer); 2668 close(data.realfd); 2669 close(data.cryptofd); 2670 2671 return rc; 2672 } 2673 2674 static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2675 off64_t size, off64_t *size_already_done, 2676 off64_t tot_size, 2677 off64_t previously_encrypted_upto) 2678 { 2679 int realfd, cryptofd; 2680 char *buf[CRYPT_INPLACE_BUFSIZE]; 2681 int rc = ENABLE_INPLACE_ERR_OTHER; 2682 off64_t numblocks, i, remainder; 2683 off64_t one_pct, cur_pct, new_pct; 2684 off64_t blocks_already_done, tot_numblocks; 2685 2686 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) { 2687 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2688 return ENABLE_INPLACE_ERR_OTHER; 2689 } 2690 2691 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2692 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2693 crypto_blkdev, errno, strerror(errno)); 2694 close(realfd); 2695 return ENABLE_INPLACE_ERR_DEV; 2696 } 2697 2698 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2699 * The size passed in is the number of 512 byte sectors in the filesystem. 2700 * So compute the number of whole 4K blocks we should read/write, 2701 * and the remainder. 2702 */ 2703 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2704 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2705 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2706 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2707 2708 SLOGE("Encrypting filesystem in place..."); 2709 2710 i = previously_encrypted_upto + 1 - *size_already_done; 2711 2712 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2713 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2714 goto errout; 2715 } 2716 2717 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2718 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2719 goto errout; 2720 } 2721 2722 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2723 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2724 SLOGE("Error reading initial sectors from real_blkdev %s for " 2725 "inplace encrypt\n", crypto_blkdev); 2726 goto errout; 2727 } 2728 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2729 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2730 "inplace encrypt\n", crypto_blkdev); 2731 goto errout; 2732 } else { 2733 SLOGI("Encrypted 1 block at %" PRId64, i); 2734 } 2735 } 2736 2737 one_pct = tot_numblocks / 100; 2738 cur_pct = 0; 2739 /* process the majority of the filesystem in blocks */ 2740 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2741 new_pct = (i + blocks_already_done) / one_pct; 2742 if (new_pct > cur_pct) { 2743 char buf[8]; 2744 2745 cur_pct = new_pct; 2746 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2747 property_set("vold.encrypt_progress", buf); 2748 } 2749 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2750 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2751 goto errout; 2752 } 2753 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2754 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2755 goto errout; 2756 } else { 2757 SLOGD("Encrypted %d block at %" PRId64, 2758 CRYPT_SECTORS_PER_BUFSIZE, 2759 i * CRYPT_SECTORS_PER_BUFSIZE); 2760 } 2761 2762 if (!is_battery_ok_to_continue()) { 2763 SLOGE("Stopping encryption due to low battery"); 2764 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2765 rc = 0; 2766 goto errout; 2767 } 2768 } 2769 2770 /* Do any remaining sectors */ 2771 for (i=0; i<remainder; i++) { 2772 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2773 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2774 goto errout; 2775 } 2776 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2777 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2778 goto errout; 2779 } else { 2780 SLOGI("Encrypted 1 block at next location"); 2781 } 2782 } 2783 2784 *size_already_done += size; 2785 rc = 0; 2786 2787 errout: 2788 close(realfd); 2789 close(cryptofd); 2790 2791 return rc; 2792 } 2793 2794 /* returns on of the ENABLE_INPLACE_* return codes */ 2795 static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2796 off64_t size, off64_t *size_already_done, 2797 off64_t tot_size, 2798 off64_t previously_encrypted_upto) 2799 { 2800 int rc_ext4, rc_f2fs, rc_full; 2801 if (previously_encrypted_upto) { 2802 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2803 } 2804 2805 if (*size_already_done + size < previously_encrypted_upto) { 2806 *size_already_done += size; 2807 return 0; 2808 } 2809 2810 /* TODO: identify filesystem type. 2811 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2812 * then we will drop down to cryptfs_enable_inplace_f2fs. 2813 * */ 2814 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2815 size, size_already_done, 2816 tot_size, previously_encrypted_upto)) == 0) { 2817 return 0; 2818 } 2819 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2820 2821 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2822 size, size_already_done, 2823 tot_size, previously_encrypted_upto)) == 0) { 2824 return 0; 2825 } 2826 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2827 2828 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2829 size, size_already_done, tot_size, 2830 previously_encrypted_upto); 2831 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2832 2833 /* Hack for b/17898962, the following is the symptom... */ 2834 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2835 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2836 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2837 return ENABLE_INPLACE_ERR_DEV; 2838 } 2839 return rc_full; 2840 } 2841 2842 #define CRYPTO_ENABLE_WIPE 1 2843 #define CRYPTO_ENABLE_INPLACE 2 2844 2845 #define FRAMEWORK_BOOT_WAIT 60 2846 2847 static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2848 { 2849 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2850 if (fd == -1) { 2851 SLOGE("Error opening file %s", filename); 2852 return -1; 2853 } 2854 2855 char block[CRYPT_INPLACE_BUFSIZE]; 2856 memset(block, 0, sizeof(block)); 2857 if (unix_read(fd, block, sizeof(block)) < 0) { 2858 SLOGE("Error reading file %s", filename); 2859 close(fd); 2860 return -1; 2861 } 2862 2863 close(fd); 2864 2865 SHA256_CTX c; 2866 SHA256_Init(&c); 2867 SHA256_Update(&c, block, sizeof(block)); 2868 SHA256_Final(buf, &c); 2869 2870 return 0; 2871 } 2872 2873 static int get_fs_type(struct fstab_rec *rec) 2874 { 2875 if (!strcmp(rec->fs_type, "ext4")) { 2876 return EXT4_FS; 2877 } else if (!strcmp(rec->fs_type, "f2fs")) { 2878 return F2FS_FS; 2879 } else { 2880 return -1; 2881 } 2882 } 2883 2884 static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2885 char *crypto_blkdev, char *real_blkdev, 2886 int previously_encrypted_upto) 2887 { 2888 off64_t cur_encryption_done=0, tot_encryption_size=0; 2889 int rc = -1; 2890 2891 if (!is_battery_ok_to_start()) { 2892 SLOGW("Not starting encryption due to low battery"); 2893 return 0; 2894 } 2895 2896 /* The size of the userdata partition, and add in the vold volumes below */ 2897 tot_encryption_size = crypt_ftr->fs_size; 2898 2899 if (how == CRYPTO_ENABLE_WIPE) { 2900 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2901 int fs_type = get_fs_type(rec); 2902 if (fs_type < 0) { 2903 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2904 return -1; 2905 } 2906 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2907 } else if (how == CRYPTO_ENABLE_INPLACE) { 2908 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2909 crypt_ftr->fs_size, &cur_encryption_done, 2910 tot_encryption_size, 2911 previously_encrypted_upto); 2912 2913 if (rc == ENABLE_INPLACE_ERR_DEV) { 2914 /* Hack for b/17898962 */ 2915 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2916 cryptfs_reboot(reboot); 2917 } 2918 2919 if (!rc) { 2920 crypt_ftr->encrypted_upto = cur_encryption_done; 2921 } 2922 2923 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2924 /* The inplace routine never actually sets the progress to 100% due 2925 * to the round down nature of integer division, so set it here */ 2926 property_set("vold.encrypt_progress", "100"); 2927 } 2928 } else { 2929 /* Shouldn't happen */ 2930 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2931 rc = -1; 2932 } 2933 2934 return rc; 2935 } 2936 2937 int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2938 int no_ui) 2939 { 2940 int how = 0; 2941 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2942 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2943 int rc=-1, i; 2944 struct crypt_mnt_ftr crypt_ftr; 2945 struct crypt_persist_data *pdata; 2946 char encrypted_state[PROPERTY_VALUE_MAX]; 2947 char lockid[32] = { 0 }; 2948 char key_loc[PROPERTY_VALUE_MAX]; 2949 int num_vols; 2950 off64_t previously_encrypted_upto = 0; 2951 bool rebootEncryption = false; 2952 2953 if (!strcmp(howarg, "wipe")) { 2954 how = CRYPTO_ENABLE_WIPE; 2955 } else if (! strcmp(howarg, "inplace")) { 2956 how = CRYPTO_ENABLE_INPLACE; 2957 } else { 2958 /* Shouldn't happen, as CommandListener vets the args */ 2959 goto error_unencrypted; 2960 } 2961 2962 if (how == CRYPTO_ENABLE_INPLACE 2963 && get_crypt_ftr_and_key(&crypt_ftr) == 0) { 2964 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS) { 2965 /* An encryption was underway and was interrupted */ 2966 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2967 crypt_ftr.encrypted_upto = 0; 2968 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2969 2970 /* At this point, we are in an inconsistent state. Until we successfully 2971 complete encryption, a reboot will leave us broken. So mark the 2972 encryption failed in case that happens. 2973 On successfully completing encryption, remove this flag */ 2974 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2975 2976 put_crypt_ftr_and_key(&crypt_ftr); 2977 } else if (crypt_ftr.flags & CRYPT_FORCE_ENCRYPTION) { 2978 if (!check_ftr_sha(&crypt_ftr)) { 2979 memset(&crypt_ftr, 0, sizeof(crypt_ftr)); 2980 put_crypt_ftr_and_key(&crypt_ftr); 2981 goto error_unencrypted; 2982 } 2983 2984 /* Doing a reboot-encryption*/ 2985 crypt_ftr.flags &= ~CRYPT_FORCE_ENCRYPTION; 2986 crypt_ftr.flags |= CRYPT_FORCE_COMPLETE; 2987 rebootEncryption = true; 2988 } 2989 } 2990 2991 property_get("ro.crypto.state", encrypted_state, ""); 2992 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2993 SLOGE("Device is already running encrypted, aborting"); 2994 goto error_unencrypted; 2995 } 2996 2997 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2998 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2999 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 3000 3001 /* Get the size of the real block device */ 3002 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 3003 if (fd == -1) { 3004 SLOGE("Cannot open block device %s\n", real_blkdev); 3005 goto error_unencrypted; 3006 } 3007 unsigned long nr_sec; 3008 get_blkdev_size(fd, &nr_sec); 3009 if (nr_sec == 0) { 3010 SLOGE("Cannot get size of block device %s\n", real_blkdev); 3011 goto error_unencrypted; 3012 } 3013 close(fd); 3014 3015 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 3016 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 3017 unsigned int fs_size_sec, max_fs_size_sec; 3018 fs_size_sec = get_fs_size(real_blkdev); 3019 if (fs_size_sec == 0) 3020 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 3021 3022 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3023 3024 if (fs_size_sec > max_fs_size_sec) { 3025 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 3026 goto error_unencrypted; 3027 } 3028 } 3029 3030 /* Get a wakelock as this may take a while, and we don't want the 3031 * device to sleep on us. We'll grab a partial wakelock, and if the UI 3032 * wants to keep the screen on, it can grab a full wakelock. 3033 */ 3034 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 3035 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 3036 3037 /* The init files are setup to stop the class main and late start when 3038 * vold sets trigger_shutdown_framework. 3039 */ 3040 property_set("vold.decrypt", "trigger_shutdown_framework"); 3041 SLOGD("Just asked init to shut down class main\n"); 3042 3043 /* Ask vold to unmount all devices that it manages */ 3044 if (vold_unmountAll()) { 3045 SLOGE("Failed to unmount all vold managed devices"); 3046 } 3047 3048 /* no_ui means we are being called from init, not settings. 3049 Now we always reboot from settings, so !no_ui means reboot 3050 */ 3051 bool onlyCreateHeader = false; 3052 if (!no_ui) { 3053 /* Try fallback, which is to reboot and try there */ 3054 onlyCreateHeader = true; 3055 FILE* breadcrumb = fopen(BREADCRUMB_FILE, "we"); 3056 if (breadcrumb == 0) { 3057 SLOGE("Failed to create breadcrumb file"); 3058 goto error_shutting_down; 3059 } 3060 fclose(breadcrumb); 3061 } 3062 3063 /* Do extra work for a better UX when doing the long inplace encryption */ 3064 if (how == CRYPTO_ENABLE_INPLACE && !onlyCreateHeader) { 3065 /* Now that /data is unmounted, we need to mount a tmpfs 3066 * /data, set a property saying we're doing inplace encryption, 3067 * and restart the framework. 3068 */ 3069 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3070 goto error_shutting_down; 3071 } 3072 /* Tells the framework that inplace encryption is starting */ 3073 property_set("vold.encrypt_progress", "0"); 3074 3075 /* restart the framework. */ 3076 /* Create necessary paths on /data */ 3077 if (prep_data_fs()) { 3078 goto error_shutting_down; 3079 } 3080 3081 /* Ugh, shutting down the framework is not synchronous, so until it 3082 * can be fixed, this horrible hack will wait a moment for it all to 3083 * shut down before proceeding. Without it, some devices cannot 3084 * restart the graphics services. 3085 */ 3086 sleep(2); 3087 } 3088 3089 /* Start the actual work of making an encrypted filesystem */ 3090 /* Initialize a crypt_mnt_ftr for the partition */ 3091 if (previously_encrypted_upto == 0 && !rebootEncryption) { 3092 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3093 goto error_shutting_down; 3094 } 3095 3096 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3097 crypt_ftr.fs_size = nr_sec 3098 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3099 } else { 3100 crypt_ftr.fs_size = nr_sec; 3101 } 3102 /* At this point, we are in an inconsistent state. Until we successfully 3103 complete encryption, a reboot will leave us broken. So mark the 3104 encryption failed in case that happens. 3105 On successfully completing encryption, remove this flag */ 3106 if (onlyCreateHeader) { 3107 crypt_ftr.flags |= CRYPT_FORCE_ENCRYPTION; 3108 } else { 3109 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3110 } 3111 crypt_ftr.crypt_type = crypt_type; 3112 #ifndef CONFIG_HW_DISK_ENCRYPTION 3113 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3114 #else 3115 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3116 3117 rc = clear_hw_device_encryption_key(); 3118 if (!rc) { 3119 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3120 } 3121 3122 rc = set_hw_device_encryption_key(passwd, 3123 (char*) crypt_ftr.crypto_type_name); 3124 if (!rc) { 3125 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3126 goto error_shutting_down; 3127 } 3128 #endif 3129 3130 /* Make an encrypted master key */ 3131 if (create_encrypted_random_key(onlyCreateHeader ? DEFAULT_PASSWORD : passwd, 3132 crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3133 SLOGE("Cannot create encrypted master key\n"); 3134 goto error_shutting_down; 3135 } 3136 3137 /* Replace scrypted intermediate key if we are preparing for a reboot */ 3138 if (onlyCreateHeader) { 3139 unsigned char fake_master_key[KEY_LEN_BYTES]; 3140 unsigned char encrypted_fake_master_key[KEY_LEN_BYTES]; 3141 memset(fake_master_key, 0, sizeof(fake_master_key)); 3142 encrypt_master_key(passwd, crypt_ftr.salt, fake_master_key, 3143 encrypted_fake_master_key, &crypt_ftr); 3144 } 3145 3146 /* Write the key to the end of the partition */ 3147 put_crypt_ftr_and_key(&crypt_ftr); 3148 3149 /* If any persistent data has been remembered, save it. 3150 * If none, create a valid empty table and save that. 3151 */ 3152 if (!persist_data) { 3153 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3154 if (pdata) { 3155 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3156 persist_data = pdata; 3157 } 3158 } 3159 if (persist_data) { 3160 save_persistent_data(); 3161 } 3162 } 3163 3164 if (onlyCreateHeader) { 3165 sleep(2); 3166 cryptfs_reboot(reboot); 3167 } 3168 3169 if (how == CRYPTO_ENABLE_INPLACE && (!no_ui || rebootEncryption)) { 3170 /* startup service classes main and late_start */ 3171 property_set("vold.decrypt", "trigger_restart_min_framework"); 3172 SLOGD("Just triggered restart_min_framework\n"); 3173 3174 /* OK, the framework is restarted and will soon be showing a 3175 * progress bar. Time to setup an encrypted mapping, and 3176 * either write a new filesystem, or encrypt in place updating 3177 * the progress bar as we work. 3178 */ 3179 } 3180 3181 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3182 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3183 CRYPTO_BLOCK_DEVICE); 3184 3185 /* If we are continuing, check checksums match */ 3186 rc = 0; 3187 if (previously_encrypted_upto) { 3188 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3189 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3190 3191 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3192 sizeof(hash_first_block)) != 0) { 3193 SLOGE("Checksums do not match - trigger wipe"); 3194 rc = -1; 3195 } 3196 } 3197 3198 if (!rc) { 3199 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3200 crypto_blkdev, real_blkdev, 3201 previously_encrypted_upto); 3202 } 3203 3204 /* Calculate checksum if we are not finished */ 3205 if (!rc && how == CRYPTO_ENABLE_INPLACE 3206 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3207 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3208 crypt_ftr.hash_first_block); 3209 if (rc) { 3210 SLOGE("Error calculating checksum for continuing encryption"); 3211 rc = -1; 3212 } 3213 } 3214 3215 /* Undo the dm-crypt mapping whether we succeed or not */ 3216 delete_crypto_blk_dev(CRYPTO_BLOCK_DEVICE); 3217 3218 if (! rc) { 3219 /* Success */ 3220 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3221 3222 if (how == CRYPTO_ENABLE_INPLACE 3223 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3224 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3225 crypt_ftr.encrypted_upto); 3226 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3227 } 3228 3229 put_crypt_ftr_and_key(&crypt_ftr); 3230 3231 if (how == CRYPTO_ENABLE_WIPE 3232 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3233 char value[PROPERTY_VALUE_MAX]; 3234 property_get("ro.crypto.state", value, ""); 3235 if (!strcmp(value, "")) { 3236 /* default encryption - continue first boot sequence */ 3237 property_set("ro.crypto.state", "encrypted"); 3238 property_set("ro.crypto.type", "block"); 3239 release_wake_lock(lockid); 3240 if (rebootEncryption && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 3241 // Bring up cryptkeeper that will check the password and set it 3242 property_set("vold.decrypt", "trigger_shutdown_framework"); 3243 sleep(2); 3244 property_set("vold.encrypt_progress", ""); 3245 cryptfs_trigger_restart_min_framework(); 3246 } else { 3247 cryptfs_check_passwd(DEFAULT_PASSWORD); 3248 cryptfs_restart_internal(1); 3249 } 3250 return 0; 3251 } else { 3252 sleep(2); /* Give the UI a chance to show 100% progress */ 3253 cryptfs_reboot(reboot); 3254 } 3255 } else { 3256 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3257 cryptfs_reboot(shutdown); 3258 } 3259 } else { 3260 char value[PROPERTY_VALUE_MAX]; 3261 3262 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3263 if (!strcmp(value, "1")) { 3264 /* wipe data if encryption failed */ 3265 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3266 if (!write_bootloader_message("--wipe_data\n--reason=cryptfs_enable_internal\n")) { 3267 SLOGE("could not write bootloader message\n"); 3268 } 3269 cryptfs_reboot(recovery); 3270 } else { 3271 /* set property to trigger dialog */ 3272 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3273 release_wake_lock(lockid); 3274 } 3275 return -1; 3276 } 3277 3278 /* hrm, the encrypt step claims success, but the reboot failed. 3279 * This should not happen. 3280 * Set the property and return. Hope the framework can deal with it. 3281 */ 3282 property_set("vold.encrypt_progress", "error_reboot_failed"); 3283 release_wake_lock(lockid); 3284 return rc; 3285 3286 error_unencrypted: 3287 property_set("vold.encrypt_progress", "error_not_encrypted"); 3288 if (lockid[0]) { 3289 release_wake_lock(lockid); 3290 } 3291 return -1; 3292 3293 error_shutting_down: 3294 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3295 * but the framework is stopped and not restarted to show the error, so it's up to 3296 * vold to restart the system. 3297 */ 3298 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3299 cryptfs_reboot(reboot); 3300 3301 /* shouldn't get here */ 3302 property_set("vold.encrypt_progress", "error_shutting_down"); 3303 if (lockid[0]) { 3304 release_wake_lock(lockid); 3305 } 3306 return -1; 3307 } 3308 3309 int cryptfs_enable(char *howarg, int type, char *passwd, int no_ui) 3310 { 3311 return cryptfs_enable_internal(howarg, type, passwd, no_ui); 3312 } 3313 3314 int cryptfs_enable_default(char *howarg, int no_ui) 3315 { 3316 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3317 DEFAULT_PASSWORD, no_ui); 3318 } 3319 3320 int cryptfs_changepw(int crypt_type, const char *newpw) 3321 { 3322 if (e4crypt_is_native()) { 3323 SLOGE("cryptfs_changepw not valid for file encryption"); 3324 return -1; 3325 } 3326 3327 struct crypt_mnt_ftr crypt_ftr; 3328 int rc; 3329 3330 /* This is only allowed after we've successfully decrypted the master key */ 3331 if (!master_key_saved) { 3332 SLOGE("Key not saved, aborting"); 3333 return -1; 3334 } 3335 3336 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3337 SLOGE("Invalid crypt_type %d", crypt_type); 3338 return -1; 3339 } 3340 3341 /* get key */ 3342 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3343 SLOGE("Error getting crypt footer and key"); 3344 return -1; 3345 } 3346 3347 crypt_ftr.crypt_type = crypt_type; 3348 3349 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3350 : newpw, 3351 crypt_ftr.salt, 3352 saved_master_key, 3353 crypt_ftr.master_key, 3354 &crypt_ftr); 3355 if (rc) { 3356 SLOGE("Encrypt master key failed: %d", rc); 3357 return -1; 3358 } 3359 /* save the key */ 3360 put_crypt_ftr_and_key(&crypt_ftr); 3361 3362 #ifdef CONFIG_HW_DISK_ENCRYPTION 3363 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3364 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3365 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3366 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3367 if (!rc) 3368 return -1; 3369 } else { 3370 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3371 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3372 if (!rc) 3373 return -1; 3374 } 3375 } 3376 #endif 3377 return 0; 3378 } 3379 3380 static unsigned int persist_get_max_entries(int encrypted) { 3381 struct crypt_mnt_ftr crypt_ftr; 3382 unsigned int dsize; 3383 unsigned int max_persistent_entries; 3384 3385 /* If encrypted, use the values from the crypt_ftr, otherwise 3386 * use the values for the current spec. 3387 */ 3388 if (encrypted) { 3389 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3390 return -1; 3391 } 3392 dsize = crypt_ftr.persist_data_size; 3393 } else { 3394 dsize = CRYPT_PERSIST_DATA_SIZE; 3395 } 3396 3397 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3398 sizeof(struct crypt_persist_entry); 3399 3400 return max_persistent_entries; 3401 } 3402 3403 static int persist_get_key(const char *fieldname, char *value) 3404 { 3405 unsigned int i; 3406 3407 if (persist_data == NULL) { 3408 return -1; 3409 } 3410 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3411 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3412 /* We found it! */ 3413 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3414 return 0; 3415 } 3416 } 3417 3418 return -1; 3419 } 3420 3421 static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3422 { 3423 unsigned int i; 3424 unsigned int num; 3425 unsigned int max_persistent_entries; 3426 3427 if (persist_data == NULL) { 3428 return -1; 3429 } 3430 3431 max_persistent_entries = persist_get_max_entries(encrypted); 3432 3433 num = persist_data->persist_valid_entries; 3434 3435 for (i = 0; i < num; i++) { 3436 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3437 /* We found an existing entry, update it! */ 3438 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3439 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3440 return 0; 3441 } 3442 } 3443 3444 /* We didn't find it, add it to the end, if there is room */ 3445 if (persist_data->persist_valid_entries < max_persistent_entries) { 3446 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3447 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3448 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3449 persist_data->persist_valid_entries++; 3450 return 0; 3451 } 3452 3453 return -1; 3454 } 3455 3456 /** 3457 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3458 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3459 */ 3460 static int match_multi_entry(const char *key, const char *field, unsigned index) { 3461 unsigned int field_len; 3462 unsigned int key_index; 3463 field_len = strlen(field); 3464 3465 if (index == 0) { 3466 // The first key in a multi-entry field is just the filedname itself. 3467 if (!strcmp(key, field)) { 3468 return 1; 3469 } 3470 } 3471 // Match key against "%s_%d" % (field, index) 3472 if (strlen(key) < field_len + 1 + 1) { 3473 // Need at least a '_' and a digit. 3474 return 0; 3475 } 3476 if (strncmp(key, field, field_len)) { 3477 // If the key does not begin with field, it's not a match. 3478 return 0; 3479 } 3480 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3481 return 0; 3482 } 3483 return key_index >= index; 3484 } 3485 3486 /* 3487 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3488 * remaining entries starting from index will be deleted. 3489 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3490 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3491 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3492 * 3493 */ 3494 static int persist_del_keys(const char *fieldname, unsigned index) 3495 { 3496 unsigned int i; 3497 unsigned int j; 3498 unsigned int num; 3499 3500 if (persist_data == NULL) { 3501 return PERSIST_DEL_KEY_ERROR_OTHER; 3502 } 3503 3504 num = persist_data->persist_valid_entries; 3505 3506 j = 0; // points to the end of non-deleted entries. 3507 // Filter out to-be-deleted entries in place. 3508 for (i = 0; i < num; i++) { 3509 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3510 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3511 j++; 3512 } 3513 } 3514 3515 if (j < num) { 3516 persist_data->persist_valid_entries = j; 3517 // Zeroise the remaining entries 3518 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3519 return PERSIST_DEL_KEY_OK; 3520 } else { 3521 // Did not find an entry matching the given fieldname 3522 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3523 } 3524 } 3525 3526 static int persist_count_keys(const char *fieldname) 3527 { 3528 unsigned int i; 3529 unsigned int count; 3530 3531 if (persist_data == NULL) { 3532 return -1; 3533 } 3534 3535 count = 0; 3536 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3537 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3538 count++; 3539 } 3540 } 3541 3542 return count; 3543 } 3544 3545 /* Return the value of the specified field. */ 3546 int cryptfs_getfield(const char *fieldname, char *value, int len) 3547 { 3548 if (e4crypt_is_native()) { 3549 SLOGE("Cannot get field when file encrypted"); 3550 return -1; 3551 } 3552 3553 char temp_value[PROPERTY_VALUE_MAX]; 3554 /* CRYPTO_GETFIELD_OK is success, 3555 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3556 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3557 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3558 */ 3559 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3560 int i; 3561 char temp_field[PROPERTY_KEY_MAX]; 3562 3563 if (persist_data == NULL) { 3564 load_persistent_data(); 3565 if (persist_data == NULL) { 3566 SLOGE("Getfield error, cannot load persistent data"); 3567 goto out; 3568 } 3569 } 3570 3571 // Read value from persistent entries. If the original value is split into multiple entries, 3572 // stitch them back together. 3573 if (!persist_get_key(fieldname, temp_value)) { 3574 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3575 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3576 // value too small 3577 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3578 goto out; 3579 } 3580 rc = CRYPTO_GETFIELD_OK; 3581 3582 for (i = 1; /* break explicitly */; i++) { 3583 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3584 (int) sizeof(temp_field)) { 3585 // If the fieldname is very long, we stop as soon as it begins to overflow the 3586 // maximum field length. At this point we have in fact fully read out the original 3587 // value because cryptfs_setfield would not allow fields with longer names to be 3588 // written in the first place. 3589 break; 3590 } 3591 if (!persist_get_key(temp_field, temp_value)) { 3592 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3593 // value too small. 3594 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3595 goto out; 3596 } 3597 } else { 3598 // Exhaust all entries. 3599 break; 3600 } 3601 } 3602 } else { 3603 /* Sadness, it's not there. Return the error */ 3604 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3605 } 3606 3607 out: 3608 return rc; 3609 } 3610 3611 /* Set the value of the specified field. */ 3612 int cryptfs_setfield(const char *fieldname, const char *value) 3613 { 3614 if (e4crypt_is_native()) { 3615 SLOGE("Cannot set field when file encrypted"); 3616 return -1; 3617 } 3618 3619 char encrypted_state[PROPERTY_VALUE_MAX]; 3620 /* 0 is success, negative values are error */ 3621 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3622 int encrypted = 0; 3623 unsigned int field_id; 3624 char temp_field[PROPERTY_KEY_MAX]; 3625 unsigned int num_entries; 3626 unsigned int max_keylen; 3627 3628 if (persist_data == NULL) { 3629 load_persistent_data(); 3630 if (persist_data == NULL) { 3631 SLOGE("Setfield error, cannot load persistent data"); 3632 goto out; 3633 } 3634 } 3635 3636 property_get("ro.crypto.state", encrypted_state, ""); 3637 if (!strcmp(encrypted_state, "encrypted") ) { 3638 encrypted = 1; 3639 } 3640 3641 // Compute the number of entries required to store value, each entry can store up to 3642 // (PROPERTY_VALUE_MAX - 1) chars 3643 if (strlen(value) == 0) { 3644 // Empty value also needs one entry to store. 3645 num_entries = 1; 3646 } else { 3647 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3648 } 3649 3650 max_keylen = strlen(fieldname); 3651 if (num_entries > 1) { 3652 // Need an extra "_%d" suffix. 3653 max_keylen += 1 + log10(num_entries); 3654 } 3655 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3656 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3657 goto out; 3658 } 3659 3660 // Make sure we have enough space to write the new value 3661 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3662 persist_get_max_entries(encrypted)) { 3663 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3664 goto out; 3665 } 3666 3667 // Now that we know persist_data has enough space for value, let's delete the old field first 3668 // to make up space. 3669 persist_del_keys(fieldname, 0); 3670 3671 if (persist_set_key(fieldname, value, encrypted)) { 3672 // fail to set key, should not happen as we have already checked the available space 3673 SLOGE("persist_set_key() error during setfield()"); 3674 goto out; 3675 } 3676 3677 for (field_id = 1; field_id < num_entries; field_id++) { 3678 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3679 3680 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3681 // fail to set key, should not happen as we have already checked the available space. 3682 SLOGE("persist_set_key() error during setfield()"); 3683 goto out; 3684 } 3685 } 3686 3687 /* If we are running encrypted, save the persistent data now */ 3688 if (encrypted) { 3689 if (save_persistent_data()) { 3690 SLOGE("Setfield error, cannot save persistent data"); 3691 goto out; 3692 } 3693 } 3694 3695 rc = CRYPTO_SETFIELD_OK; 3696 3697 out: 3698 return rc; 3699 } 3700 3701 /* Checks userdata. Attempt to mount the volume if default- 3702 * encrypted. 3703 * On success trigger next init phase and return 0. 3704 * Currently do not handle failure - see TODO below. 3705 */ 3706 int cryptfs_mount_default_encrypted(void) 3707 { 3708 int crypt_type = cryptfs_get_password_type(); 3709 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3710 SLOGE("Bad crypt type - error"); 3711 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3712 SLOGD("Password is not default - " 3713 "starting min framework to prompt"); 3714 property_set("vold.decrypt", "trigger_restart_min_framework"); 3715 return 0; 3716 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3717 SLOGD("Password is default - restarting filesystem"); 3718 cryptfs_restart_internal(0); 3719 return 0; 3720 } else { 3721 SLOGE("Encrypted, default crypt type but can't decrypt"); 3722 } 3723 3724 /** Corrupt. Allow us to boot into framework, which will detect bad 3725 crypto when it calls do_crypto_complete, then do a factory reset 3726 */ 3727 property_set("vold.decrypt", "trigger_restart_min_framework"); 3728 return 0; 3729 } 3730 3731 /* Returns type of the password, default, pattern, pin or password. 3732 */ 3733 int cryptfs_get_password_type(void) 3734 { 3735 if (e4crypt_is_native()) { 3736 SLOGE("cryptfs_get_password_type not valid for file encryption"); 3737 return -1; 3738 } 3739 3740 struct crypt_mnt_ftr crypt_ftr; 3741 3742 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3743 SLOGE("Error getting crypt footer and key\n"); 3744 return -1; 3745 } 3746 3747 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3748 return -1; 3749 } 3750 3751 return crypt_ftr.crypt_type; 3752 } 3753 3754 const char* cryptfs_get_password() 3755 { 3756 if (e4crypt_is_native()) { 3757 SLOGE("cryptfs_get_password not valid for file encryption"); 3758 return 0; 3759 } 3760 3761 struct timespec now; 3762 clock_gettime(CLOCK_BOOTTIME, &now); 3763 if (now.tv_sec < password_expiry_time) { 3764 return password; 3765 } else { 3766 cryptfs_clear_password(); 3767 return 0; 3768 } 3769 } 3770 3771 void cryptfs_clear_password() 3772 { 3773 if (password) { 3774 size_t len = strlen(password); 3775 memset(password, 0, len); 3776 free(password); 3777 password = 0; 3778 password_expiry_time = 0; 3779 } 3780 } 3781 3782 int cryptfs_enable_file() 3783 { 3784 return e4crypt_initialize_global_de(); 3785 } 3786 3787 int cryptfs_isConvertibleToFBE() 3788 { 3789 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 3790 return fs_mgr_is_convertible_to_fbe(rec) ? 1 : 0; 3791 } 3792 3793 int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) 3794 { 3795 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { 3796 SLOGE("Failed to initialize crypt_ftr"); 3797 return -1; 3798 } 3799 3800 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, 3801 crypt_ftr->salt, crypt_ftr)) { 3802 SLOGE("Cannot create encrypted master key\n"); 3803 return -1; 3804 } 3805 3806 //crypt_ftr->keysize = key_length / 8; 3807 return 0; 3808 } 3809 3810 int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, 3811 unsigned char* master_key) 3812 { 3813 int rc; 3814 3815 unsigned char* intermediate_key = 0; 3816 size_t intermediate_key_size = 0; 3817 3818 if (password == 0 || *password == 0) { 3819 password = DEFAULT_PASSWORD; 3820 } 3821 3822 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, 3823 &intermediate_key_size); 3824 3825 if (rc) { 3826 SLOGE("Can't calculate intermediate key"); 3827 return rc; 3828 } 3829 3830 int N = 1 << ftr->N_factor; 3831 int r = 1 << ftr->r_factor; 3832 int p = 1 << ftr->p_factor; 3833 3834 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)]; 3835 3836 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 3837 ftr->salt, sizeof(ftr->salt), N, r, p, 3838 scrypted_intermediate_key, 3839 sizeof(scrypted_intermediate_key)); 3840 3841 free(intermediate_key); 3842 3843 if (rc) { 3844 SLOGE("Can't scrypt intermediate key"); 3845 return rc; 3846 } 3847 3848 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key, 3849 intermediate_key_size); 3850 } 3851 3852 int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password, 3853 const unsigned char* master_key) 3854 { 3855 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key, 3856 ftr); 3857 } 3858
