1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "Ext4Crypt.h" 57#include "ext4_crypt_init_extensions.h" 58#include "ext4_utils.h" 59#include "f2fs_sparseblock.h" 60#include "CheckBattery.h" 61#include "Process.h" 62 63#include <hardware/keymaster0.h> 64#include <hardware/keymaster1.h> 65 66#define UNUSED __attribute__((unused)) 67 68#define UNUSED __attribute__((unused)) 69 70#ifdef CONFIG_HW_DISK_ENCRYPTION 71#include "cryptfs_hw.h" 72#endif 73 74#define DM_CRYPT_BUF_SIZE 4096 75 76#define HASH_COUNT 2000 77#define KEY_LEN_BYTES 16 78#define IV_LEN_BYTES 16 79 80#define KEY_IN_FOOTER "footer" 81 82#define DEFAULT_PASSWORD "default_password" 83 84#define EXT4_FS 1 85#define F2FS_FS 2 86 87#define TABLE_LOAD_RETRIES 10 88 89#define RSA_KEY_SIZE 2048 90#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 91#define RSA_EXPONENT 0x10001 92#define KEYMASTER_CRYPTFS_RATE_LIMIT 1 // Maximum one try per second 93 94#define RETRY_MOUNT_ATTEMPTS 10 95#define RETRY_MOUNT_DELAY_SECONDS 1 96 97char *me = "cryptfs"; 98 99static unsigned char saved_master_key[KEY_LEN_BYTES]; 100static char *saved_mount_point; 101static int master_key_saved = 0; 102static struct crypt_persist_data *persist_data = NULL; 103 104static int keymaster_init(keymaster0_device_t **keymaster0_dev, 105 keymaster1_device_t **keymaster1_dev) 106{ 107 int rc; 108 109 const hw_module_t* mod; 110 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 111 if (rc) { 112 ALOGE("could not find any keystore module"); 113 goto err; 114 } 115 116 SLOGI("keymaster module name is %s", mod->name); 117 SLOGI("keymaster version is %d", mod->module_api_version); 118 119 *keymaster0_dev = NULL; 120 *keymaster1_dev = NULL; 121 if (mod->module_api_version == KEYMASTER_MODULE_API_VERSION_1_0) { 122 SLOGI("Found keymaster1 module, using keymaster1 API."); 123 rc = keymaster1_open(mod, keymaster1_dev); 124 } else { 125 SLOGI("Found keymaster0 module, using keymaster0 API."); 126 rc = keymaster0_open(mod, keymaster0_dev); 127 } 128 129 if (rc) { 130 ALOGE("could not open keymaster device in %s (%s)", 131 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 132 goto err; 133 } 134 135 return 0; 136 137err: 138 *keymaster0_dev = NULL; 139 *keymaster1_dev = NULL; 140 return rc; 141} 142 143/* Should we use keymaster? */ 144static int keymaster_check_compatibility() 145{ 146 keymaster0_device_t *keymaster0_dev = 0; 147 keymaster1_device_t *keymaster1_dev = 0; 148 int rc = 0; 149 150 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 151 SLOGE("Failed to init keymaster"); 152 rc = -1; 153 goto out; 154 } 155 156 if (keymaster1_dev) { 157 rc = 1; 158 goto out; 159 } 160 161 // TODO(swillden): Check to see if there's any reason to require v0.3. I think v0.1 and v0.2 162 // should work. 163 if (keymaster0_dev->common.module->module_api_version 164 < KEYMASTER_MODULE_API_VERSION_0_3) { 165 rc = 0; 166 goto out; 167 } 168 169 if (!(keymaster0_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 170 (keymaster0_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 171 rc = 1; 172 } 173 174out: 175 if (keymaster1_dev) { 176 keymaster1_close(keymaster1_dev); 177 } 178 if (keymaster0_dev) { 179 keymaster0_close(keymaster0_dev); 180 } 181 return rc; 182} 183 184/* Create a new keymaster key and store it in this footer */ 185static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 186{ 187 uint8_t* key = 0; 188 keymaster0_device_t *keymaster0_dev = 0; 189 keymaster1_device_t *keymaster1_dev = 0; 190 191 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 192 SLOGE("Failed to init keymaster"); 193 return -1; 194 } 195 196 int rc = 0; 197 size_t key_size = 0; 198 if (keymaster1_dev) { 199 keymaster_key_param_t params[] = { 200 /* Algorithm & size specifications. Stick with RSA for now. Switch to AES later. */ 201 keymaster_param_enum(KM_TAG_ALGORITHM, KM_ALGORITHM_RSA), 202 keymaster_param_int(KM_TAG_KEY_SIZE, RSA_KEY_SIZE), 203 keymaster_param_long(KM_TAG_RSA_PUBLIC_EXPONENT, RSA_EXPONENT), 204 205 /* The only allowed purpose for this key is signing. */ 206 keymaster_param_enum(KM_TAG_PURPOSE, KM_PURPOSE_SIGN), 207 208 /* Padding & digest specifications. */ 209 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 210 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 211 212 /* Require that the key be usable in standalone mode. File system isn't available. */ 213 keymaster_param_enum(KM_TAG_BLOB_USAGE_REQUIREMENTS, KM_BLOB_STANDALONE), 214 215 /* No auth requirements, because cryptfs is not yet integrated with gatekeeper. */ 216 keymaster_param_bool(KM_TAG_NO_AUTH_REQUIRED), 217 218 /* Rate-limit key usage attempts, to rate-limit brute force */ 219 keymaster_param_int(KM_TAG_MIN_SECONDS_BETWEEN_OPS, KEYMASTER_CRYPTFS_RATE_LIMIT), 220 }; 221 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 222 keymaster_key_blob_t key_blob; 223 keymaster_error_t error = keymaster1_dev->generate_key(keymaster1_dev, ¶m_set, 224 &key_blob, 225 NULL /* characteristics */); 226 if (error != KM_ERROR_OK) { 227 SLOGE("Failed to generate keymaster1 key, error %d", error); 228 rc = -1; 229 goto out; 230 } 231 232 key = (uint8_t*)key_blob.key_material; 233 key_size = key_blob.key_material_size; 234 } 235 else if (keymaster0_dev) { 236 keymaster_rsa_keygen_params_t params; 237 memset(¶ms, '\0', sizeof(params)); 238 params.public_exponent = RSA_EXPONENT; 239 params.modulus_size = RSA_KEY_SIZE; 240 241 if (keymaster0_dev->generate_keypair(keymaster0_dev, TYPE_RSA, ¶ms, 242 &key, &key_size)) { 243 SLOGE("Failed to generate keypair"); 244 rc = -1; 245 goto out; 246 } 247 } else { 248 SLOGE("Cryptfs bug: keymaster_init succeeded but didn't initialize a device"); 249 rc = -1; 250 goto out; 251 } 252 253 if (key_size > KEYMASTER_BLOB_SIZE) { 254 SLOGE("Keymaster key too large for crypto footer"); 255 rc = -1; 256 goto out; 257 } 258 259 memcpy(ftr->keymaster_blob, key, key_size); 260 ftr->keymaster_blob_size = key_size; 261 262out: 263 if (keymaster0_dev) 264 keymaster0_close(keymaster0_dev); 265 if (keymaster1_dev) 266 keymaster1_close(keymaster1_dev); 267 free(key); 268 return rc; 269} 270 271/* This signs the given object using the keymaster key. */ 272static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 273 const unsigned char *object, 274 const size_t object_size, 275 unsigned char **signature, 276 size_t *signature_size) 277{ 278 int rc = 0; 279 keymaster0_device_t *keymaster0_dev = 0; 280 keymaster1_device_t *keymaster1_dev = 0; 281 if (keymaster_init(&keymaster0_dev, &keymaster1_dev)) { 282 SLOGE("Failed to init keymaster"); 283 rc = -1; 284 goto out; 285 } 286 287 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 288 size_t to_sign_size = sizeof(to_sign); 289 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 290 291 // To sign a message with RSA, the message must satisfy two 292 // constraints: 293 // 294 // 1. The message, when interpreted as a big-endian numeric value, must 295 // be strictly less than the public modulus of the RSA key. Note 296 // that because the most significant bit of the public modulus is 297 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 298 // key), an n-bit message with most significant bit 0 always 299 // satisfies this requirement. 300 // 301 // 2. The message must have the same length in bits as the public 302 // modulus of the RSA key. This requirement isn't mathematically 303 // necessary, but is necessary to ensure consistency in 304 // implementations. 305 switch (ftr->kdf_type) { 306 case KDF_SCRYPT_KEYMASTER: 307 // This ensures the most significant byte of the signed message 308 // is zero. We could have zero-padded to the left instead, but 309 // this approach is slightly more robust against changes in 310 // object size. However, it's still broken (but not unusably 311 // so) because we really should be using a proper deterministic 312 // RSA padding function, such as PKCS1. 313 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 314 SLOGI("Signing safely-padded object"); 315 break; 316 default: 317 SLOGE("Unknown KDF type %d", ftr->kdf_type); 318 rc = -1; 319 goto out; 320 } 321 322 if (keymaster0_dev) { 323 keymaster_rsa_sign_params_t params; 324 params.digest_type = DIGEST_NONE; 325 params.padding_type = PADDING_NONE; 326 327 rc = keymaster0_dev->sign_data(keymaster0_dev, 328 ¶ms, 329 ftr->keymaster_blob, 330 ftr->keymaster_blob_size, 331 to_sign, 332 to_sign_size, 333 signature, 334 signature_size); 335 goto out; 336 } else if (keymaster1_dev) { 337 keymaster_key_blob_t key = { ftr->keymaster_blob, ftr->keymaster_blob_size }; 338 keymaster_key_param_t params[] = { 339 keymaster_param_enum(KM_TAG_PADDING, KM_PAD_NONE), 340 keymaster_param_enum(KM_TAG_DIGEST, KM_DIGEST_NONE), 341 }; 342 keymaster_key_param_set_t param_set = { params, sizeof(params)/sizeof(*params) }; 343 keymaster_operation_handle_t op_handle; 344 keymaster_error_t error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 345 ¶m_set, NULL /* out_params */, 346 &op_handle); 347 if (error == KM_ERROR_KEY_RATE_LIMIT_EXCEEDED) { 348 // Key usage has been rate-limited. Wait a bit and try again. 349 sleep(KEYMASTER_CRYPTFS_RATE_LIMIT); 350 error = keymaster1_dev->begin(keymaster1_dev, KM_PURPOSE_SIGN, &key, 351 ¶m_set, NULL /* out_params */, 352 &op_handle); 353 } 354 if (error != KM_ERROR_OK) { 355 SLOGE("Error starting keymaster signature transaction: %d", error); 356 rc = -1; 357 goto out; 358 } 359 360 keymaster_blob_t input = { to_sign, to_sign_size }; 361 size_t input_consumed; 362 error = keymaster1_dev->update(keymaster1_dev, op_handle, NULL /* in_params */, 363 &input, &input_consumed, NULL /* out_params */, 364 NULL /* output */); 365 if (error != KM_ERROR_OK) { 366 SLOGE("Error sending data to keymaster signature transaction: %d", error); 367 rc = -1; 368 goto out; 369 } 370 if (input_consumed != to_sign_size) { 371 // This should never happen. If it does, it's a bug in the keymaster implementation. 372 SLOGE("Keymaster update() did not consume all data."); 373 keymaster1_dev->abort(keymaster1_dev, op_handle); 374 rc = -1; 375 goto out; 376 } 377 378 keymaster_blob_t tmp_sig; 379 error = keymaster1_dev->finish(keymaster1_dev, op_handle, NULL /* in_params */, 380 NULL /* verify signature */, NULL /* out_params */, 381 &tmp_sig); 382 if (error != KM_ERROR_OK) { 383 SLOGE("Error finishing keymaster signature transaction: %d", error); 384 rc = -1; 385 goto out; 386 } 387 388 *signature = (uint8_t*)tmp_sig.data; 389 *signature_size = tmp_sig.data_length; 390 } else { 391 SLOGE("Cryptfs bug: keymaster_init succeded but didn't initialize a device."); 392 rc = -1; 393 goto out; 394 } 395 396 out: 397 if (keymaster1_dev) 398 keymaster1_close(keymaster1_dev); 399 if (keymaster0_dev) 400 keymaster0_close(keymaster0_dev); 401 402 return rc; 403} 404 405/* Store password when userdata is successfully decrypted and mounted. 406 * Cleared by cryptfs_clear_password 407 * 408 * To avoid a double prompt at boot, we need to store the CryptKeeper 409 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 410 * Since the entire framework is torn down and rebuilt after encryption, 411 * we have to use a daemon or similar to store the password. Since vold 412 * is secured against IPC except from system processes, it seems a reasonable 413 * place to store this. 414 * 415 * password should be cleared once it has been used. 416 * 417 * password is aged out after password_max_age_seconds seconds. 418 */ 419static char* password = 0; 420static int password_expiry_time = 0; 421static const int password_max_age_seconds = 60; 422 423extern struct fstab *fstab; 424 425enum RebootType {reboot, recovery, shutdown}; 426static void cryptfs_reboot(enum RebootType rt) 427{ 428 switch(rt) { 429 case reboot: 430 property_set(ANDROID_RB_PROPERTY, "reboot"); 431 break; 432 433 case recovery: 434 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 435 break; 436 437 case shutdown: 438 property_set(ANDROID_RB_PROPERTY, "shutdown"); 439 break; 440 } 441 442 sleep(20); 443 444 /* Shouldn't get here, reboot should happen before sleep times out */ 445 return; 446} 447 448static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 449{ 450 memset(io, 0, dataSize); 451 io->data_size = dataSize; 452 io->data_start = sizeof(struct dm_ioctl); 453 io->version[0] = 4; 454 io->version[1] = 0; 455 io->version[2] = 0; 456 io->flags = flags; 457 if (name) { 458 strlcpy(io->name, name, sizeof(io->name)); 459 } 460} 461 462/** 463 * Gets the default device scrypt parameters for key derivation time tuning. 464 * The parameters should lead to about one second derivation time for the 465 * given device. 466 */ 467static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 468 const int default_params[] = SCRYPT_DEFAULTS; 469 int params[] = SCRYPT_DEFAULTS; 470 char paramstr[PROPERTY_VALUE_MAX]; 471 char *token; 472 char *saveptr; 473 int i; 474 475 property_get(SCRYPT_PROP, paramstr, ""); 476 if (paramstr[0] != '\0') { 477 /* 478 * The token we're looking for should be three integers separated by 479 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 480 */ 481 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 482 token != NULL && i < 3; 483 i++, token = strtok_r(NULL, ":", &saveptr)) { 484 char *endptr; 485 params[i] = strtol(token, &endptr, 10); 486 487 /* 488 * Check that there was a valid number and it's 8-bit. If not, 489 * break out and the end check will take the default values. 490 */ 491 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 492 break; 493 } 494 } 495 496 /* 497 * If there were not enough tokens or a token was malformed (not an 498 * integer), it will end up here and the default parameters can be 499 * taken. 500 */ 501 if ((i != 3) || (token != NULL)) { 502 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 503 memcpy(params, default_params, sizeof(params)); 504 } 505 } 506 507 ftr->N_factor = params[0]; 508 ftr->r_factor = params[1]; 509 ftr->p_factor = params[2]; 510} 511 512static unsigned int get_fs_size(char *dev) 513{ 514 int fd, block_size; 515 struct ext4_super_block sb; 516 off64_t len; 517 518 if ((fd = open(dev, O_RDONLY|O_CLOEXEC)) < 0) { 519 SLOGE("Cannot open device to get filesystem size "); 520 return 0; 521 } 522 523 if (lseek64(fd, 1024, SEEK_SET) < 0) { 524 SLOGE("Cannot seek to superblock"); 525 return 0; 526 } 527 528 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 529 SLOGE("Cannot read superblock"); 530 return 0; 531 } 532 533 close(fd); 534 535 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 536 SLOGE("Not a valid ext4 superblock"); 537 return 0; 538 } 539 block_size = 1024 << sb.s_log_block_size; 540 /* compute length in bytes */ 541 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 542 543 /* return length in sectors */ 544 return (unsigned int) (len / 512); 545} 546 547static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 548{ 549 static int cached_data = 0; 550 static off64_t cached_off = 0; 551 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 552 int fd; 553 char key_loc[PROPERTY_VALUE_MAX]; 554 char real_blkdev[PROPERTY_VALUE_MAX]; 555 int rc = -1; 556 557 if (!cached_data) { 558 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 559 560 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 561 if ( (fd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 562 SLOGE("Cannot open real block device %s\n", real_blkdev); 563 return -1; 564 } 565 566 unsigned long nr_sec = 0; 567 get_blkdev_size(fd, &nr_sec); 568 if (nr_sec != 0) { 569 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 570 * encryption info footer and key, and plenty of bytes to spare for future 571 * growth. 572 */ 573 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 574 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 575 cached_data = 1; 576 } else { 577 SLOGE("Cannot get size of block device %s\n", real_blkdev); 578 } 579 close(fd); 580 } else { 581 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 582 cached_off = 0; 583 cached_data = 1; 584 } 585 } 586 587 if (cached_data) { 588 if (metadata_fname) { 589 *metadata_fname = cached_metadata_fname; 590 } 591 if (off) { 592 *off = cached_off; 593 } 594 rc = 0; 595 } 596 597 return rc; 598} 599 600/* key or salt can be NULL, in which case just skip writing that value. Useful to 601 * update the failed mount count but not change the key. 602 */ 603static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 604{ 605 int fd; 606 unsigned int cnt; 607 /* starting_off is set to the SEEK_SET offset 608 * where the crypto structure starts 609 */ 610 off64_t starting_off; 611 int rc = -1; 612 char *fname = NULL; 613 struct stat statbuf; 614 615 if (get_crypt_ftr_info(&fname, &starting_off)) { 616 SLOGE("Unable to get crypt_ftr_info\n"); 617 return -1; 618 } 619 if (fname[0] != '/') { 620 SLOGE("Unexpected value for crypto key location\n"); 621 return -1; 622 } 623 if ( (fd = open(fname, O_RDWR | O_CREAT|O_CLOEXEC, 0600)) < 0) { 624 SLOGE("Cannot open footer file %s for put\n", fname); 625 return -1; 626 } 627 628 /* Seek to the start of the crypt footer */ 629 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 630 SLOGE("Cannot seek to real block device footer\n"); 631 goto errout; 632 } 633 634 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 635 SLOGE("Cannot write real block device footer\n"); 636 goto errout; 637 } 638 639 fstat(fd, &statbuf); 640 /* If the keys are kept on a raw block device, do not try to truncate it. */ 641 if (S_ISREG(statbuf.st_mode)) { 642 if (ftruncate(fd, 0x4000)) { 643 SLOGE("Cannot set footer file size\n"); 644 goto errout; 645 } 646 } 647 648 /* Success! */ 649 rc = 0; 650 651errout: 652 close(fd); 653 return rc; 654 655} 656 657static inline int unix_read(int fd, void* buff, int len) 658{ 659 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 660} 661 662static inline int unix_write(int fd, const void* buff, int len) 663{ 664 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 665} 666 667static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 668{ 669 memset(pdata, 0, len); 670 pdata->persist_magic = PERSIST_DATA_MAGIC; 671 pdata->persist_valid_entries = 0; 672} 673 674/* A routine to update the passed in crypt_ftr to the lastest version. 675 * fd is open read/write on the device that holds the crypto footer and persistent 676 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 677 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 678 */ 679static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 680{ 681 int orig_major = crypt_ftr->major_version; 682 int orig_minor = crypt_ftr->minor_version; 683 684 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 685 struct crypt_persist_data *pdata; 686 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 687 688 SLOGW("upgrading crypto footer to 1.1"); 689 690 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 691 if (pdata == NULL) { 692 SLOGE("Cannot allocate persisent data\n"); 693 return; 694 } 695 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 696 697 /* Need to initialize the persistent data area */ 698 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 699 SLOGE("Cannot seek to persisent data offset\n"); 700 free(pdata); 701 return; 702 } 703 /* Write all zeros to the first copy, making it invalid */ 704 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 705 706 /* Write a valid but empty structure to the second copy */ 707 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 708 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 709 710 /* Update the footer */ 711 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 712 crypt_ftr->persist_data_offset[0] = pdata_offset; 713 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 714 crypt_ftr->minor_version = 1; 715 free(pdata); 716 } 717 718 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 719 SLOGW("upgrading crypto footer to 1.2"); 720 /* But keep the old kdf_type. 721 * It will get updated later to KDF_SCRYPT after the password has been verified. 722 */ 723 crypt_ftr->kdf_type = KDF_PBKDF2; 724 get_device_scrypt_params(crypt_ftr); 725 crypt_ftr->minor_version = 2; 726 } 727 728 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 729 SLOGW("upgrading crypto footer to 1.3"); 730 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 731 crypt_ftr->minor_version = 3; 732 } 733 734 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 735 if (lseek64(fd, offset, SEEK_SET) == -1) { 736 SLOGE("Cannot seek to crypt footer\n"); 737 return; 738 } 739 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 740 } 741} 742 743 744static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 745{ 746 int fd; 747 unsigned int cnt; 748 off64_t starting_off; 749 int rc = -1; 750 char *fname = NULL; 751 struct stat statbuf; 752 753 if (get_crypt_ftr_info(&fname, &starting_off)) { 754 SLOGE("Unable to get crypt_ftr_info\n"); 755 return -1; 756 } 757 if (fname[0] != '/') { 758 SLOGE("Unexpected value for crypto key location\n"); 759 return -1; 760 } 761 if ( (fd = open(fname, O_RDWR|O_CLOEXEC)) < 0) { 762 SLOGE("Cannot open footer file %s for get\n", fname); 763 return -1; 764 } 765 766 /* Make sure it's 16 Kbytes in length */ 767 fstat(fd, &statbuf); 768 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 769 SLOGE("footer file %s is not the expected size!\n", fname); 770 goto errout; 771 } 772 773 /* Seek to the start of the crypt footer */ 774 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 775 SLOGE("Cannot seek to real block device footer\n"); 776 goto errout; 777 } 778 779 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 780 SLOGE("Cannot read real block device footer\n"); 781 goto errout; 782 } 783 784 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 785 SLOGE("Bad magic for real block device %s\n", fname); 786 goto errout; 787 } 788 789 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 790 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 791 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 792 goto errout; 793 } 794 795 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 796 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 797 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 798 } 799 800 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 801 * copy on disk before returning. 802 */ 803 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 804 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 805 } 806 807 /* Success! */ 808 rc = 0; 809 810errout: 811 close(fd); 812 return rc; 813} 814 815static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 816{ 817 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 818 crypt_ftr->persist_data_offset[1]) { 819 SLOGE("Crypt_ftr persist data regions overlap"); 820 return -1; 821 } 822 823 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 824 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 825 return -1; 826 } 827 828 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 829 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 830 CRYPT_FOOTER_OFFSET) { 831 SLOGE("Persistent data extends past crypto footer"); 832 return -1; 833 } 834 835 return 0; 836} 837 838static int load_persistent_data(void) 839{ 840 struct crypt_mnt_ftr crypt_ftr; 841 struct crypt_persist_data *pdata = NULL; 842 char encrypted_state[PROPERTY_VALUE_MAX]; 843 char *fname; 844 int found = 0; 845 int fd; 846 int ret; 847 int i; 848 849 if (persist_data) { 850 /* Nothing to do, we've already loaded or initialized it */ 851 return 0; 852 } 853 854 855 /* If not encrypted, just allocate an empty table and initialize it */ 856 property_get("ro.crypto.state", encrypted_state, ""); 857 if (strcmp(encrypted_state, "encrypted") ) { 858 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 859 if (pdata) { 860 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 861 persist_data = pdata; 862 return 0; 863 } 864 return -1; 865 } 866 867 if(get_crypt_ftr_and_key(&crypt_ftr)) { 868 return -1; 869 } 870 871 if ((crypt_ftr.major_version < 1) 872 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 873 SLOGE("Crypt_ftr version doesn't support persistent data"); 874 return -1; 875 } 876 877 if (get_crypt_ftr_info(&fname, NULL)) { 878 return -1; 879 } 880 881 ret = validate_persistent_data_storage(&crypt_ftr); 882 if (ret) { 883 return -1; 884 } 885 886 fd = open(fname, O_RDONLY|O_CLOEXEC); 887 if (fd < 0) { 888 SLOGE("Cannot open %s metadata file", fname); 889 return -1; 890 } 891 892 if (persist_data == NULL) { 893 pdata = malloc(crypt_ftr.persist_data_size); 894 if (pdata == NULL) { 895 SLOGE("Cannot allocate memory for persistent data"); 896 goto err; 897 } 898 } 899 900 for (i = 0; i < 2; i++) { 901 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 902 SLOGE("Cannot seek to read persistent data on %s", fname); 903 goto err2; 904 } 905 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 906 SLOGE("Error reading persistent data on iteration %d", i); 907 goto err2; 908 } 909 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 910 found = 1; 911 break; 912 } 913 } 914 915 if (!found) { 916 SLOGI("Could not find valid persistent data, creating"); 917 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 918 } 919 920 /* Success */ 921 persist_data = pdata; 922 close(fd); 923 return 0; 924 925err2: 926 free(pdata); 927 928err: 929 close(fd); 930 return -1; 931} 932 933static int save_persistent_data(void) 934{ 935 struct crypt_mnt_ftr crypt_ftr; 936 struct crypt_persist_data *pdata; 937 char *fname; 938 off64_t write_offset; 939 off64_t erase_offset; 940 int fd; 941 int ret; 942 943 if (persist_data == NULL) { 944 SLOGE("No persistent data to save"); 945 return -1; 946 } 947 948 if(get_crypt_ftr_and_key(&crypt_ftr)) { 949 return -1; 950 } 951 952 if ((crypt_ftr.major_version < 1) 953 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 954 SLOGE("Crypt_ftr version doesn't support persistent data"); 955 return -1; 956 } 957 958 ret = validate_persistent_data_storage(&crypt_ftr); 959 if (ret) { 960 return -1; 961 } 962 963 if (get_crypt_ftr_info(&fname, NULL)) { 964 return -1; 965 } 966 967 fd = open(fname, O_RDWR|O_CLOEXEC); 968 if (fd < 0) { 969 SLOGE("Cannot open %s metadata file", fname); 970 return -1; 971 } 972 973 pdata = malloc(crypt_ftr.persist_data_size); 974 if (pdata == NULL) { 975 SLOGE("Cannot allocate persistant data"); 976 goto err; 977 } 978 979 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 980 SLOGE("Cannot seek to read persistent data on %s", fname); 981 goto err2; 982 } 983 984 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 985 SLOGE("Error reading persistent data before save"); 986 goto err2; 987 } 988 989 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 990 /* The first copy is the curent valid copy, so write to 991 * the second copy and erase this one */ 992 write_offset = crypt_ftr.persist_data_offset[1]; 993 erase_offset = crypt_ftr.persist_data_offset[0]; 994 } else { 995 /* The second copy must be the valid copy, so write to 996 * the first copy, and erase the second */ 997 write_offset = crypt_ftr.persist_data_offset[0]; 998 erase_offset = crypt_ftr.persist_data_offset[1]; 999 } 1000 1001 /* Write the new copy first, if successful, then erase the old copy */ 1002 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 1003 SLOGE("Cannot seek to write persistent data"); 1004 goto err2; 1005 } 1006 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 1007 (int) crypt_ftr.persist_data_size) { 1008 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 1009 SLOGE("Cannot seek to erase previous persistent data"); 1010 goto err2; 1011 } 1012 fsync(fd); 1013 memset(pdata, 0, crypt_ftr.persist_data_size); 1014 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 1015 (int) crypt_ftr.persist_data_size) { 1016 SLOGE("Cannot write to erase previous persistent data"); 1017 goto err2; 1018 } 1019 fsync(fd); 1020 } else { 1021 SLOGE("Cannot write to save persistent data"); 1022 goto err2; 1023 } 1024 1025 /* Success */ 1026 free(pdata); 1027 close(fd); 1028 return 0; 1029 1030err2: 1031 free(pdata); 1032err: 1033 close(fd); 1034 return -1; 1035} 1036 1037/* Convert a binary key of specified length into an ascii hex string equivalent, 1038 * without the leading 0x and with null termination 1039 */ 1040static void convert_key_to_hex_ascii(const unsigned char *master_key, 1041 unsigned int keysize, char *master_key_ascii) { 1042 unsigned int i, a; 1043 unsigned char nibble; 1044 1045 for (i=0, a=0; i<keysize; i++, a+=2) { 1046 /* For each byte, write out two ascii hex digits */ 1047 nibble = (master_key[i] >> 4) & 0xf; 1048 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 1049 1050 nibble = master_key[i] & 0xf; 1051 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 1052 } 1053 1054 /* Add the null termination */ 1055 master_key_ascii[a] = '\0'; 1056 1057} 1058 1059static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, 1060 const unsigned char *master_key, const char *real_blk_name, 1061 const char *name, int fd, const char *extra_params) { 1062 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 1063 struct dm_ioctl *io; 1064 struct dm_target_spec *tgt; 1065 char *crypt_params; 1066 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1067 int i; 1068 1069 io = (struct dm_ioctl *) buffer; 1070 1071 /* Load the mapping table for this device */ 1072 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 1073 1074 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1075 io->target_count = 1; 1076 tgt->status = 0; 1077 tgt->sector_start = 0; 1078 tgt->length = crypt_ftr->fs_size; 1079#ifdef CONFIG_HW_DISK_ENCRYPTION 1080 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1081 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1082 } 1083 else { 1084 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1085 } 1086#else 1087 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1088#endif 1089 1090 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1091 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1092 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1093 master_key_ascii, real_blk_name, extra_params); 1094 crypt_params += strlen(crypt_params) + 1; 1095 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1096 tgt->next = crypt_params - buffer; 1097 1098 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1099 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1100 break; 1101 } 1102 usleep(500000); 1103 } 1104 1105 if (i == TABLE_LOAD_RETRIES) { 1106 /* We failed to load the table, return an error */ 1107 return -1; 1108 } else { 1109 return i + 1; 1110 } 1111} 1112 1113 1114static int get_dm_crypt_version(int fd, const char *name, int *version) 1115{ 1116 char buffer[DM_CRYPT_BUF_SIZE]; 1117 struct dm_ioctl *io; 1118 struct dm_target_versions *v; 1119 1120 io = (struct dm_ioctl *) buffer; 1121 1122 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1123 1124 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1125 return -1; 1126 } 1127 1128 /* Iterate over the returned versions, looking for name of "crypt". 1129 * When found, get and return the version. 1130 */ 1131 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1132 while (v->next) { 1133#ifdef CONFIG_HW_DISK_ENCRYPTION 1134 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1135#else 1136 if (! strcmp(v->name, "crypt")) { 1137#endif 1138 /* We found the crypt driver, return the version, and get out */ 1139 version[0] = v->version[0]; 1140 version[1] = v->version[1]; 1141 version[2] = v->version[2]; 1142 return 0; 1143 } 1144 v = (struct dm_target_versions *)(((char *)v) + v->next); 1145 } 1146 1147 return -1; 1148} 1149 1150static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, 1151 const unsigned char *master_key, const char *real_blk_name, 1152 char *crypto_blk_name, const char *name) { 1153 char buffer[DM_CRYPT_BUF_SIZE]; 1154 struct dm_ioctl *io; 1155 unsigned int minor; 1156 int fd=0; 1157 int retval = -1; 1158 int version[3]; 1159 char *extra_params; 1160 int load_count; 1161 1162 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1163 SLOGE("Cannot open device-mapper\n"); 1164 goto errout; 1165 } 1166 1167 io = (struct dm_ioctl *) buffer; 1168 1169 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1170 if (ioctl(fd, DM_DEV_CREATE, io)) { 1171 SLOGE("Cannot create dm-crypt device\n"); 1172 goto errout; 1173 } 1174 1175 /* Get the device status, in particular, the name of it's device file */ 1176 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1177 if (ioctl(fd, DM_DEV_STATUS, io)) { 1178 SLOGE("Cannot retrieve dm-crypt device status\n"); 1179 goto errout; 1180 } 1181 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1182 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1183 1184 extra_params = ""; 1185 if (! get_dm_crypt_version(fd, name, version)) { 1186 /* Support for allow_discards was added in version 1.11.0 */ 1187 if ((version[0] >= 2) || 1188 ((version[0] == 1) && (version[1] >= 11))) { 1189 extra_params = "1 allow_discards"; 1190 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1191 } 1192 } 1193 1194 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1195 fd, extra_params); 1196 if (load_count < 0) { 1197 SLOGE("Cannot load dm-crypt mapping table.\n"); 1198 goto errout; 1199 } else if (load_count > 1) { 1200 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1201 } 1202 1203 /* Resume this device to activate it */ 1204 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1205 1206 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1207 SLOGE("Cannot resume the dm-crypt device\n"); 1208 goto errout; 1209 } 1210 1211 /* We made it here with no errors. Woot! */ 1212 retval = 0; 1213 1214errout: 1215 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1216 1217 return retval; 1218} 1219 1220static int delete_crypto_blk_dev(char *name) 1221{ 1222 int fd; 1223 char buffer[DM_CRYPT_BUF_SIZE]; 1224 struct dm_ioctl *io; 1225 int retval = -1; 1226 1227 if ((fd = open("/dev/device-mapper", O_RDWR|O_CLOEXEC)) < 0 ) { 1228 SLOGE("Cannot open device-mapper\n"); 1229 goto errout; 1230 } 1231 1232 io = (struct dm_ioctl *) buffer; 1233 1234 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1235 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1236 SLOGE("Cannot remove dm-crypt device\n"); 1237 goto errout; 1238 } 1239 1240 /* We made it here with no errors. Woot! */ 1241 retval = 0; 1242 1243errout: 1244 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1245 1246 return retval; 1247 1248} 1249 1250static int pbkdf2(const char *passwd, const unsigned char *salt, 1251 unsigned char *ikey, void *params UNUSED) 1252{ 1253 SLOGI("Using pbkdf2 for cryptfs KDF"); 1254 1255 /* Turn the password into a key and IV that can decrypt the master key */ 1256 PKCS5_PBKDF2_HMAC_SHA1(passwd, strlen(passwd), 1257 salt, SALT_LEN, 1258 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1259 1260 return 0; 1261} 1262 1263static int scrypt(const char *passwd, const unsigned char *salt, 1264 unsigned char *ikey, void *params) 1265{ 1266 SLOGI("Using scrypt for cryptfs KDF"); 1267 1268 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1269 1270 int N = 1 << ftr->N_factor; 1271 int r = 1 << ftr->r_factor; 1272 int p = 1 << ftr->p_factor; 1273 1274 /* Turn the password into a key and IV that can decrypt the master key */ 1275 unsigned int keysize; 1276 crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1277 salt, SALT_LEN, N, r, p, ikey, 1278 KEY_LEN_BYTES + IV_LEN_BYTES); 1279 1280 return 0; 1281} 1282 1283static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1284 unsigned char *ikey, void *params) 1285{ 1286 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1287 1288 int rc; 1289 size_t signature_size; 1290 unsigned char* signature; 1291 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1292 1293 int N = 1 << ftr->N_factor; 1294 int r = 1 << ftr->r_factor; 1295 int p = 1 << ftr->p_factor; 1296 1297 rc = crypto_scrypt((const uint8_t*)passwd, strlen(passwd), 1298 salt, SALT_LEN, N, r, p, ikey, 1299 KEY_LEN_BYTES + IV_LEN_BYTES); 1300 1301 if (rc) { 1302 SLOGE("scrypt failed"); 1303 return -1; 1304 } 1305 1306 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1307 &signature, &signature_size)) { 1308 SLOGE("Signing failed"); 1309 return -1; 1310 } 1311 1312 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1313 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1314 free(signature); 1315 1316 if (rc) { 1317 SLOGE("scrypt failed"); 1318 return -1; 1319 } 1320 1321 return 0; 1322} 1323 1324static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1325 const unsigned char *decrypted_master_key, 1326 unsigned char *encrypted_master_key, 1327 struct crypt_mnt_ftr *crypt_ftr) 1328{ 1329 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1330 EVP_CIPHER_CTX e_ctx; 1331 int encrypted_len, final_len; 1332 int rc = 0; 1333 1334 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1335 get_device_scrypt_params(crypt_ftr); 1336 1337 switch (crypt_ftr->kdf_type) { 1338 case KDF_SCRYPT_KEYMASTER: 1339 if (keymaster_create_key(crypt_ftr)) { 1340 SLOGE("keymaster_create_key failed"); 1341 return -1; 1342 } 1343 1344 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1345 SLOGE("scrypt failed"); 1346 return -1; 1347 } 1348 break; 1349 1350 case KDF_SCRYPT: 1351 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1352 SLOGE("scrypt failed"); 1353 return -1; 1354 } 1355 break; 1356 1357 default: 1358 SLOGE("Invalid kdf_type"); 1359 return -1; 1360 } 1361 1362 /* Initialize the decryption engine */ 1363 EVP_CIPHER_CTX_init(&e_ctx); 1364 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1365 SLOGE("EVP_EncryptInit failed\n"); 1366 return -1; 1367 } 1368 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1369 1370 /* Encrypt the master key */ 1371 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1372 decrypted_master_key, KEY_LEN_BYTES)) { 1373 SLOGE("EVP_EncryptUpdate failed\n"); 1374 return -1; 1375 } 1376 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1377 SLOGE("EVP_EncryptFinal failed\n"); 1378 return -1; 1379 } 1380 1381 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1382 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1383 return -1; 1384 } 1385 1386 /* Store the scrypt of the intermediate key, so we can validate if it's a 1387 password error or mount error when things go wrong. 1388 Note there's no need to check for errors, since if this is incorrect, we 1389 simply won't wipe userdata, which is the correct default behavior 1390 */ 1391 int N = 1 << crypt_ftr->N_factor; 1392 int r = 1 << crypt_ftr->r_factor; 1393 int p = 1 << crypt_ftr->p_factor; 1394 1395 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1396 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1397 crypt_ftr->scrypted_intermediate_key, 1398 sizeof(crypt_ftr->scrypted_intermediate_key)); 1399 1400 if (rc) { 1401 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1402 } 1403 1404 return 0; 1405} 1406 1407static int decrypt_master_key_aux(const char *passwd, unsigned char *salt, 1408 unsigned char *encrypted_master_key, 1409 unsigned char *decrypted_master_key, 1410 kdf_func kdf, void *kdf_params, 1411 unsigned char** intermediate_key, 1412 size_t* intermediate_key_size) 1413{ 1414 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1415 EVP_CIPHER_CTX d_ctx; 1416 int decrypted_len, final_len; 1417 1418 /* Turn the password into an intermediate key and IV that can decrypt the 1419 master key */ 1420 if (kdf(passwd, salt, ikey, kdf_params)) { 1421 SLOGE("kdf failed"); 1422 return -1; 1423 } 1424 1425 /* Initialize the decryption engine */ 1426 EVP_CIPHER_CTX_init(&d_ctx); 1427 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1428 return -1; 1429 } 1430 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1431 /* Decrypt the master key */ 1432 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1433 encrypted_master_key, KEY_LEN_BYTES)) { 1434 return -1; 1435 } 1436 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1437 return -1; 1438 } 1439 1440 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1441 return -1; 1442 } 1443 1444 /* Copy intermediate key if needed by params */ 1445 if (intermediate_key && intermediate_key_size) { 1446 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1447 if (intermediate_key) { 1448 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1449 *intermediate_key_size = KEY_LEN_BYTES; 1450 } 1451 } 1452 1453 return 0; 1454} 1455 1456static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1457{ 1458 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1459 *kdf = scrypt_keymaster; 1460 *kdf_params = ftr; 1461 } else if (ftr->kdf_type == KDF_SCRYPT) { 1462 *kdf = scrypt; 1463 *kdf_params = ftr; 1464 } else { 1465 *kdf = pbkdf2; 1466 *kdf_params = NULL; 1467 } 1468} 1469 1470static int decrypt_master_key(const char *passwd, unsigned char *decrypted_master_key, 1471 struct crypt_mnt_ftr *crypt_ftr, 1472 unsigned char** intermediate_key, 1473 size_t* intermediate_key_size) 1474{ 1475 kdf_func kdf; 1476 void *kdf_params; 1477 int ret; 1478 1479 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1480 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1481 decrypted_master_key, kdf, kdf_params, 1482 intermediate_key, intermediate_key_size); 1483 if (ret != 0) { 1484 SLOGW("failure decrypting master key"); 1485 } 1486 1487 return ret; 1488} 1489 1490static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1491 struct crypt_mnt_ftr *crypt_ftr) { 1492 int fd; 1493 unsigned char key_buf[KEY_LEN_BYTES]; 1494 1495 /* Get some random bits for a key */ 1496 fd = open("/dev/urandom", O_RDONLY|O_CLOEXEC); 1497 read(fd, key_buf, sizeof(key_buf)); 1498 read(fd, salt, SALT_LEN); 1499 close(fd); 1500 1501 /* Now encrypt it with the password */ 1502 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1503} 1504 1505int wait_and_unmount(const char *mountpoint, bool kill) 1506{ 1507 int i, err, rc; 1508#define WAIT_UNMOUNT_COUNT 20 1509 1510 /* Now umount the tmpfs filesystem */ 1511 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1512 if (umount(mountpoint) == 0) { 1513 break; 1514 } 1515 1516 if (errno == EINVAL) { 1517 /* EINVAL is returned if the directory is not a mountpoint, 1518 * i.e. there is no filesystem mounted there. So just get out. 1519 */ 1520 break; 1521 } 1522 1523 err = errno; 1524 1525 /* If allowed, be increasingly aggressive before the last two retries */ 1526 if (kill) { 1527 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1528 SLOGW("sending SIGHUP to processes with open files\n"); 1529 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1530 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1531 SLOGW("sending SIGKILL to processes with open files\n"); 1532 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1533 } 1534 } 1535 1536 sleep(1); 1537 } 1538 1539 if (i < WAIT_UNMOUNT_COUNT) { 1540 SLOGD("unmounting %s succeeded\n", mountpoint); 1541 rc = 0; 1542 } else { 1543 vold_killProcessesWithOpenFiles(mountpoint, 0); 1544 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1545 rc = -1; 1546 } 1547 1548 return rc; 1549} 1550 1551#define DATA_PREP_TIMEOUT 1000 1552static int prep_data_fs(void) 1553{ 1554 int i; 1555 1556 /* Do the prep of the /data filesystem */ 1557 property_set("vold.post_fs_data_done", "0"); 1558 property_set("vold.decrypt", "trigger_post_fs_data"); 1559 SLOGD("Just triggered post_fs_data\n"); 1560 1561 /* Wait a max of 50 seconds, hopefully it takes much less */ 1562 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1563 char p[PROPERTY_VALUE_MAX]; 1564 1565 property_get("vold.post_fs_data_done", p, "0"); 1566 if (*p == '1') { 1567 break; 1568 } else { 1569 usleep(50000); 1570 } 1571 } 1572 if (i == DATA_PREP_TIMEOUT) { 1573 /* Ugh, we failed to prep /data in time. Bail. */ 1574 SLOGE("post_fs_data timed out!\n"); 1575 return -1; 1576 } else { 1577 SLOGD("post_fs_data done\n"); 1578 return 0; 1579 } 1580} 1581 1582static void cryptfs_set_corrupt() 1583{ 1584 // Mark the footer as bad 1585 struct crypt_mnt_ftr crypt_ftr; 1586 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1587 SLOGE("Failed to get crypto footer - panic"); 1588 return; 1589 } 1590 1591 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1592 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1593 SLOGE("Failed to set crypto footer - panic"); 1594 return; 1595 } 1596} 1597 1598static void cryptfs_trigger_restart_min_framework() 1599{ 1600 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1601 SLOGE("Failed to mount tmpfs on data - panic"); 1602 return; 1603 } 1604 1605 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1606 SLOGE("Failed to trigger post fs data - panic"); 1607 return; 1608 } 1609 1610 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1611 SLOGE("Failed to trigger restart min framework - panic"); 1612 return; 1613 } 1614} 1615 1616/* returns < 0 on failure */ 1617static int cryptfs_restart_internal(int restart_main) 1618{ 1619 char crypto_blkdev[MAXPATHLEN]; 1620 int rc = -1; 1621 static int restart_successful = 0; 1622 1623 /* Validate that it's OK to call this routine */ 1624 if (! master_key_saved) { 1625 SLOGE("Encrypted filesystem not validated, aborting"); 1626 return -1; 1627 } 1628 1629 if (restart_successful) { 1630 SLOGE("System already restarted with encrypted disk, aborting"); 1631 return -1; 1632 } 1633 1634 if (restart_main) { 1635 /* Here is where we shut down the framework. The init scripts 1636 * start all services in one of three classes: core, main or late_start. 1637 * On boot, we start core and main. Now, we stop main, but not core, 1638 * as core includes vold and a few other really important things that 1639 * we need to keep running. Once main has stopped, we should be able 1640 * to umount the tmpfs /data, then mount the encrypted /data. 1641 * We then restart the class main, and also the class late_start. 1642 * At the moment, I've only put a few things in late_start that I know 1643 * are not needed to bring up the framework, and that also cause problems 1644 * with unmounting the tmpfs /data, but I hope to add add more services 1645 * to the late_start class as we optimize this to decrease the delay 1646 * till the user is asked for the password to the filesystem. 1647 */ 1648 1649 /* The init files are setup to stop the class main when vold.decrypt is 1650 * set to trigger_reset_main. 1651 */ 1652 property_set("vold.decrypt", "trigger_reset_main"); 1653 SLOGD("Just asked init to shut down class main\n"); 1654 1655 /* Ugh, shutting down the framework is not synchronous, so until it 1656 * can be fixed, this horrible hack will wait a moment for it all to 1657 * shut down before proceeding. Without it, some devices cannot 1658 * restart the graphics services. 1659 */ 1660 sleep(2); 1661 } 1662 1663 /* Now that the framework is shutdown, we should be able to umount() 1664 * the tmpfs filesystem, and mount the real one. 1665 */ 1666 1667 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1668 if (strlen(crypto_blkdev) == 0) { 1669 SLOGE("fs_crypto_blkdev not set\n"); 1670 return -1; 1671 } 1672 1673 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1674 /* If ro.crypto.readonly is set to 1, mount the decrypted 1675 * filesystem readonly. This is used when /data is mounted by 1676 * recovery mode. 1677 */ 1678 char ro_prop[PROPERTY_VALUE_MAX]; 1679 property_get("ro.crypto.readonly", ro_prop, ""); 1680 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1681 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1682 rec->flags |= MS_RDONLY; 1683 } 1684 1685 /* If that succeeded, then mount the decrypted filesystem */ 1686 int retries = RETRY_MOUNT_ATTEMPTS; 1687 int mount_rc; 1688 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1689 crypto_blkdev, 0)) 1690 != 0) { 1691 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1692 /* TODO: invoke something similar to 1693 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1694 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1695 SLOGI("Failed to mount %s because it is busy - waiting", 1696 crypto_blkdev); 1697 if (--retries) { 1698 sleep(RETRY_MOUNT_DELAY_SECONDS); 1699 } else { 1700 /* Let's hope that a reboot clears away whatever is keeping 1701 the mount busy */ 1702 cryptfs_reboot(reboot); 1703 } 1704 } else { 1705 SLOGE("Failed to mount decrypted data"); 1706 cryptfs_set_corrupt(); 1707 cryptfs_trigger_restart_min_framework(); 1708 SLOGI("Started framework to offer wipe"); 1709 return -1; 1710 } 1711 } 1712 1713 property_set("vold.decrypt", "trigger_load_persist_props"); 1714 /* Create necessary paths on /data */ 1715 if (prep_data_fs()) { 1716 return -1; 1717 } 1718 1719 /* startup service classes main and late_start */ 1720 property_set("vold.decrypt", "trigger_restart_framework"); 1721 SLOGD("Just triggered restart_framework\n"); 1722 1723 /* Give it a few moments to get started */ 1724 sleep(1); 1725 } 1726 1727 if (rc == 0) { 1728 restart_successful = 1; 1729 } 1730 1731 return rc; 1732} 1733 1734int cryptfs_restart(void) 1735{ 1736 SLOGI("cryptfs_restart"); 1737 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 1738 struct fstab_rec* rec; 1739 int rc; 1740 1741 if (e4crypt_restart(DATA_MNT_POINT)) { 1742 SLOGE("Can't unmount e4crypt temp volume\n"); 1743 return -1; 1744 } 1745 1746 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1747 if (!rec) { 1748 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT); 1749 return -1; 1750 } 1751 1752 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0); 1753 if (rc) { 1754 SLOGE("Can't mount %s\n", DATA_MNT_POINT); 1755 return rc; 1756 } 1757 1758 property_set("vold.decrypt", "trigger_restart_framework"); 1759 return 0; 1760 } 1761 1762 /* Call internal implementation forcing a restart of main service group */ 1763 return cryptfs_restart_internal(1); 1764} 1765 1766static int do_crypto_complete(char *mount_point) 1767{ 1768 struct crypt_mnt_ftr crypt_ftr; 1769 char encrypted_state[PROPERTY_VALUE_MAX]; 1770 char key_loc[PROPERTY_VALUE_MAX]; 1771 1772 property_get("ro.crypto.state", encrypted_state, ""); 1773 if (strcmp(encrypted_state, "encrypted") ) { 1774 SLOGE("not running with encryption, aborting"); 1775 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1776 } 1777 1778 if (e4crypt_crypto_complete(mount_point) == 0) { 1779 return CRYPTO_COMPLETE_ENCRYPTED; 1780 } 1781 1782 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1783 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1784 1785 /* 1786 * Only report this error if key_loc is a file and it exists. 1787 * If the device was never encrypted, and /data is not mountable for 1788 * some reason, returning 1 should prevent the UI from presenting the 1789 * a "enter password" screen, or worse, a "press button to wipe the 1790 * device" screen. 1791 */ 1792 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1793 SLOGE("master key file does not exist, aborting"); 1794 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1795 } else { 1796 SLOGE("Error getting crypt footer and key\n"); 1797 return CRYPTO_COMPLETE_BAD_METADATA; 1798 } 1799 } 1800 1801 // Test for possible error flags 1802 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1803 SLOGE("Encryption process is partway completed\n"); 1804 return CRYPTO_COMPLETE_PARTIAL; 1805 } 1806 1807 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1808 SLOGE("Encryption process was interrupted but cannot continue\n"); 1809 return CRYPTO_COMPLETE_INCONSISTENT; 1810 } 1811 1812 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1813 SLOGE("Encryption is successful but data is corrupt\n"); 1814 return CRYPTO_COMPLETE_CORRUPT; 1815 } 1816 1817 /* We passed the test! We shall diminish, and return to the west */ 1818 return CRYPTO_COMPLETE_ENCRYPTED; 1819} 1820 1821static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1822 char *passwd, char *mount_point, char *label) 1823{ 1824 /* Allocate enough space for a 256 bit key, but we may use less */ 1825 unsigned char decrypted_master_key[32]; 1826 char crypto_blkdev[MAXPATHLEN]; 1827 char real_blkdev[MAXPATHLEN]; 1828 char tmp_mount_point[64]; 1829 unsigned int orig_failed_decrypt_count; 1830 int rc; 1831 int use_keymaster = 0; 1832 int upgrade = 0; 1833 unsigned char* intermediate_key = 0; 1834 size_t intermediate_key_size = 0; 1835 1836 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1837 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1838 1839 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1840 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1841 &intermediate_key, &intermediate_key_size)) { 1842 SLOGE("Failed to decrypt master key\n"); 1843 rc = -1; 1844 goto errout; 1845 } 1846 } 1847 1848 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1849 1850#ifdef CONFIG_HW_DISK_ENCRYPTION 1851 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1852 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1853 SLOGE("Hardware encryption key does not match"); 1854 } 1855 } 1856#endif 1857 1858 // Create crypto block device - all (non fatal) code paths 1859 // need it 1860 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1861 real_blkdev, crypto_blkdev, label)) { 1862 SLOGE("Error creating decrypted block device\n"); 1863 rc = -1; 1864 goto errout; 1865 } 1866 1867 /* Work out if the problem is the password or the data */ 1868 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1869 scrypted_intermediate_key)]; 1870 int N = 1 << crypt_ftr->N_factor; 1871 int r = 1 << crypt_ftr->r_factor; 1872 int p = 1 << crypt_ftr->p_factor; 1873 1874 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1875 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1876 N, r, p, scrypted_intermediate_key, 1877 sizeof(scrypted_intermediate_key)); 1878 1879 // Does the key match the crypto footer? 1880 if (rc == 0 && memcmp(scrypted_intermediate_key, 1881 crypt_ftr->scrypted_intermediate_key, 1882 sizeof(scrypted_intermediate_key)) == 0) { 1883 SLOGI("Password matches"); 1884 rc = 0; 1885 } else { 1886 /* Try mounting the file system anyway, just in case the problem's with 1887 * the footer, not the key. */ 1888 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1889 mkdir(tmp_mount_point, 0755); 1890 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1891 SLOGE("Error temp mounting decrypted block device\n"); 1892 delete_crypto_blk_dev(label); 1893 1894 rc = ++crypt_ftr->failed_decrypt_count; 1895 put_crypt_ftr_and_key(crypt_ftr); 1896 } else { 1897 /* Success! */ 1898 SLOGI("Password did not match but decrypted drive mounted - continue"); 1899 umount(tmp_mount_point); 1900 rc = 0; 1901 } 1902 } 1903 1904 if (rc == 0) { 1905 crypt_ftr->failed_decrypt_count = 0; 1906 if (orig_failed_decrypt_count != 0) { 1907 put_crypt_ftr_and_key(crypt_ftr); 1908 } 1909 1910 /* Save the name of the crypto block device 1911 * so we can mount it when restarting the framework. */ 1912 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1913 1914 /* Also save a the master key so we can reencrypted the key 1915 * the key when we want to change the password on it. */ 1916 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1917 saved_mount_point = strdup(mount_point); 1918 master_key_saved = 1; 1919 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1920 rc = 0; 1921 1922 // Upgrade if we're not using the latest KDF. 1923 use_keymaster = keymaster_check_compatibility(); 1924 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1925 // Don't allow downgrade 1926 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1927 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1928 upgrade = 1; 1929 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1930 crypt_ftr->kdf_type = KDF_SCRYPT; 1931 upgrade = 1; 1932 } 1933 1934 if (upgrade) { 1935 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1936 crypt_ftr->master_key, crypt_ftr); 1937 if (!rc) { 1938 rc = put_crypt_ftr_and_key(crypt_ftr); 1939 } 1940 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1941 1942 // Do not fail even if upgrade failed - machine is bootable 1943 // Note that if this code is ever hit, there is a *serious* problem 1944 // since KDFs should never fail. You *must* fix the kdf before 1945 // proceeding! 1946 if (rc) { 1947 SLOGW("Upgrade failed with error %d," 1948 " but continuing with previous state", 1949 rc); 1950 rc = 0; 1951 } 1952 } 1953 } 1954 1955 errout: 1956 if (intermediate_key) { 1957 memset(intermediate_key, 0, intermediate_key_size); 1958 free(intermediate_key); 1959 } 1960 return rc; 1961} 1962 1963/* 1964 * Called by vold when it's asked to mount an encrypted external 1965 * storage volume. The incoming partition has no crypto header/footer, 1966 * as any metadata is been stored in a separate, small partition. 1967 * 1968 * out_crypto_blkdev must be MAXPATHLEN. 1969 */ 1970int cryptfs_setup_ext_volume(const char* label, const char* real_blkdev, 1971 const unsigned char* key, int keysize, char* out_crypto_blkdev) { 1972 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 1973 if (fd == -1) { 1974 SLOGE("Failed to open %s: %s", real_blkdev, strerror(errno)); 1975 return -1; 1976 } 1977 1978 unsigned long nr_sec = 0; 1979 get_blkdev_size(fd, &nr_sec); 1980 close(fd); 1981 1982 if (nr_sec == 0) { 1983 SLOGE("Failed to get size of %s: %s", real_blkdev, strerror(errno)); 1984 return -1; 1985 } 1986 1987 struct crypt_mnt_ftr ext_crypt_ftr; 1988 memset(&ext_crypt_ftr, 0, sizeof(ext_crypt_ftr)); 1989 ext_crypt_ftr.fs_size = nr_sec; 1990 ext_crypt_ftr.keysize = keysize; 1991 strcpy((char*) ext_crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 1992 1993 return create_crypto_blk_dev(&ext_crypt_ftr, key, real_blkdev, 1994 out_crypto_blkdev, label); 1995} 1996 1997/* 1998 * Called by vold when it's asked to unmount an encrypted external 1999 * storage volume. 2000 */ 2001int cryptfs_revert_ext_volume(const char* label) { 2002 return delete_crypto_blk_dev((char*) label); 2003} 2004 2005int cryptfs_crypto_complete(void) 2006{ 2007 return do_crypto_complete("/data"); 2008} 2009 2010int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 2011{ 2012 char encrypted_state[PROPERTY_VALUE_MAX]; 2013 property_get("ro.crypto.state", encrypted_state, ""); 2014 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 2015 SLOGE("encrypted fs already validated or not running with encryption," 2016 " aborting"); 2017 return -1; 2018 } 2019 2020 if (get_crypt_ftr_and_key(crypt_ftr)) { 2021 SLOGE("Error getting crypt footer and key"); 2022 return -1; 2023 } 2024 2025 return 0; 2026} 2027 2028int cryptfs_check_passwd(char *passwd) 2029{ 2030 SLOGI("cryptfs_check_passwd"); 2031 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 2032 return e4crypt_check_passwd(DATA_MNT_POINT, passwd); 2033 } 2034 2035 struct crypt_mnt_ftr crypt_ftr; 2036 int rc; 2037 2038 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2039 if (rc) 2040 return rc; 2041 2042 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2043 DATA_MNT_POINT, "userdata"); 2044 2045 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2046 cryptfs_clear_password(); 2047 password = strdup(passwd); 2048 struct timespec now; 2049 clock_gettime(CLOCK_BOOTTIME, &now); 2050 password_expiry_time = now.tv_sec + password_max_age_seconds; 2051 } 2052 2053 return rc; 2054} 2055 2056int cryptfs_verify_passwd(char *passwd) 2057{ 2058 struct crypt_mnt_ftr crypt_ftr; 2059 /* Allocate enough space for a 256 bit key, but we may use less */ 2060 unsigned char decrypted_master_key[32]; 2061 char encrypted_state[PROPERTY_VALUE_MAX]; 2062 int rc; 2063 2064 property_get("ro.crypto.state", encrypted_state, ""); 2065 if (strcmp(encrypted_state, "encrypted") ) { 2066 SLOGE("device not encrypted, aborting"); 2067 return -2; 2068 } 2069 2070 if (!master_key_saved) { 2071 SLOGE("encrypted fs not yet mounted, aborting"); 2072 return -1; 2073 } 2074 2075 if (!saved_mount_point) { 2076 SLOGE("encrypted fs failed to save mount point, aborting"); 2077 return -1; 2078 } 2079 2080 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2081 SLOGE("Error getting crypt footer and key\n"); 2082 return -1; 2083 } 2084 2085 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2086 /* If the device has no password, then just say the password is valid */ 2087 rc = 0; 2088 } else { 2089 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2090 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2091 /* They match, the password is correct */ 2092 rc = 0; 2093 } else { 2094 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2095 sleep(1); 2096 rc = 1; 2097 } 2098 } 2099 2100 return rc; 2101} 2102 2103/* Initialize a crypt_mnt_ftr structure. The keysize is 2104 * defaulted to 16 bytes, and the filesystem size to 0. 2105 * Presumably, at a minimum, the caller will update the 2106 * filesystem size and crypto_type_name after calling this function. 2107 */ 2108static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2109{ 2110 off64_t off; 2111 2112 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2113 ftr->magic = CRYPT_MNT_MAGIC; 2114 ftr->major_version = CURRENT_MAJOR_VERSION; 2115 ftr->minor_version = CURRENT_MINOR_VERSION; 2116 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2117 ftr->keysize = KEY_LEN_BYTES; 2118 2119 switch (keymaster_check_compatibility()) { 2120 case 1: 2121 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2122 break; 2123 2124 case 0: 2125 ftr->kdf_type = KDF_SCRYPT; 2126 break; 2127 2128 default: 2129 SLOGE("keymaster_check_compatibility failed"); 2130 return -1; 2131 } 2132 2133 get_device_scrypt_params(ftr); 2134 2135 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2136 if (get_crypt_ftr_info(NULL, &off) == 0) { 2137 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2138 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2139 ftr->persist_data_size; 2140 } 2141 2142 return 0; 2143} 2144 2145static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2146{ 2147 const char *args[10]; 2148 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2149 int num_args; 2150 int status; 2151 int tmp; 2152 int rc = -1; 2153 2154 if (type == EXT4_FS) { 2155 args[0] = "/system/bin/make_ext4fs"; 2156 args[1] = "-a"; 2157 args[2] = "/data"; 2158 args[3] = "-l"; 2159 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2160 args[4] = size_str; 2161 args[5] = crypto_blkdev; 2162 num_args = 6; 2163 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2164 args[0], args[1], args[2], args[3], args[4], args[5]); 2165 } else if (type == F2FS_FS) { 2166 args[0] = "/system/bin/mkfs.f2fs"; 2167 args[1] = "-t"; 2168 args[2] = "-d1"; 2169 args[3] = crypto_blkdev; 2170 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2171 args[4] = size_str; 2172 num_args = 5; 2173 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2174 args[0], args[1], args[2], args[3], args[4]); 2175 } else { 2176 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2177 return -1; 2178 } 2179 2180 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2181 2182 if (tmp != 0) { 2183 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2184 } else { 2185 if (WIFEXITED(status)) { 2186 if (WEXITSTATUS(status)) { 2187 SLOGE("Error creating filesystem on %s, exit status %d ", 2188 crypto_blkdev, WEXITSTATUS(status)); 2189 } else { 2190 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2191 rc = 0; 2192 } 2193 } else { 2194 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2195 } 2196 } 2197 2198 return rc; 2199} 2200 2201#define CRYPT_INPLACE_BUFSIZE 4096 2202#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2203#define CRYPT_SECTOR_SIZE 512 2204 2205/* aligned 32K writes tends to make flash happy. 2206 * SD card association recommends it. 2207 */ 2208#ifndef CONFIG_HW_DISK_ENCRYPTION 2209#define BLOCKS_AT_A_TIME 8 2210#else 2211#define BLOCKS_AT_A_TIME 1024 2212#endif 2213 2214struct encryptGroupsData 2215{ 2216 int realfd; 2217 int cryptofd; 2218 off64_t numblocks; 2219 off64_t one_pct, cur_pct, new_pct; 2220 off64_t blocks_already_done, tot_numblocks; 2221 off64_t used_blocks_already_done, tot_used_blocks; 2222 char* real_blkdev, * crypto_blkdev; 2223 int count; 2224 off64_t offset; 2225 char* buffer; 2226 off64_t last_written_sector; 2227 int completed; 2228 time_t time_started; 2229 int remaining_time; 2230}; 2231 2232static void update_progress(struct encryptGroupsData* data, int is_used) 2233{ 2234 data->blocks_already_done++; 2235 2236 if (is_used) { 2237 data->used_blocks_already_done++; 2238 } 2239 if (data->tot_used_blocks) { 2240 data->new_pct = data->used_blocks_already_done / data->one_pct; 2241 } else { 2242 data->new_pct = data->blocks_already_done / data->one_pct; 2243 } 2244 2245 if (data->new_pct > data->cur_pct) { 2246 char buf[8]; 2247 data->cur_pct = data->new_pct; 2248 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2249 property_set("vold.encrypt_progress", buf); 2250 } 2251 2252 if (data->cur_pct >= 5) { 2253 struct timespec time_now; 2254 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2255 SLOGW("Error getting time"); 2256 } else { 2257 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2258 off64_t remaining_blocks = data->tot_used_blocks 2259 - data->used_blocks_already_done; 2260 int remaining_time = (int)(elapsed_time * remaining_blocks 2261 / data->used_blocks_already_done); 2262 2263 // Change time only if not yet set, lower, or a lot higher for 2264 // best user experience 2265 if (data->remaining_time == -1 2266 || remaining_time < data->remaining_time 2267 || remaining_time > data->remaining_time + 60) { 2268 char buf[8]; 2269 snprintf(buf, sizeof(buf), "%d", remaining_time); 2270 property_set("vold.encrypt_time_remaining", buf); 2271 data->remaining_time = remaining_time; 2272 } 2273 } 2274 } 2275} 2276 2277static void log_progress(struct encryptGroupsData const* data, bool completed) 2278{ 2279 // Precondition - if completed data = 0 else data != 0 2280 2281 // Track progress so we can skip logging blocks 2282 static off64_t offset = -1; 2283 2284 // Need to close existing 'Encrypting from' log? 2285 if (completed || (offset != -1 && data->offset != offset)) { 2286 SLOGI("Encrypted to sector %" PRId64, 2287 offset / info.block_size * CRYPT_SECTOR_SIZE); 2288 offset = -1; 2289 } 2290 2291 // Need to start new 'Encrypting from' log? 2292 if (!completed && offset != data->offset) { 2293 SLOGI("Encrypting from sector %" PRId64, 2294 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2295 } 2296 2297 // Update offset 2298 if (!completed) { 2299 offset = data->offset + (off64_t)data->count * info.block_size; 2300 } 2301} 2302 2303static int flush_outstanding_data(struct encryptGroupsData* data) 2304{ 2305 if (data->count == 0) { 2306 return 0; 2307 } 2308 2309 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2310 2311 if (pread64(data->realfd, data->buffer, 2312 info.block_size * data->count, data->offset) 2313 <= 0) { 2314 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2315 data->real_blkdev); 2316 return -1; 2317 } 2318 2319 if (pwrite64(data->cryptofd, data->buffer, 2320 info.block_size * data->count, data->offset) 2321 <= 0) { 2322 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2323 data->crypto_blkdev); 2324 return -1; 2325 } else { 2326 log_progress(data, false); 2327 } 2328 2329 data->count = 0; 2330 data->last_written_sector = (data->offset + data->count) 2331 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2332 return 0; 2333} 2334 2335static int encrypt_groups(struct encryptGroupsData* data) 2336{ 2337 unsigned int i; 2338 u8 *block_bitmap = 0; 2339 unsigned int block; 2340 off64_t ret; 2341 int rc = -1; 2342 2343 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2344 if (!data->buffer) { 2345 SLOGE("Failed to allocate crypto buffer"); 2346 goto errout; 2347 } 2348 2349 block_bitmap = malloc(info.block_size); 2350 if (!block_bitmap) { 2351 SLOGE("failed to allocate block bitmap"); 2352 goto errout; 2353 } 2354 2355 for (i = 0; i < aux_info.groups; ++i) { 2356 SLOGI("Encrypting group %d", i); 2357 2358 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2359 u32 block_count = min(info.blocks_per_group, 2360 aux_info.len_blocks - first_block); 2361 2362 off64_t offset = (u64)info.block_size 2363 * aux_info.bg_desc[i].bg_block_bitmap; 2364 2365 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2366 if (ret != (int)info.block_size) { 2367 SLOGE("failed to read all of block group bitmap %d", i); 2368 goto errout; 2369 } 2370 2371 offset = (u64)info.block_size * first_block; 2372 2373 data->count = 0; 2374 2375 for (block = 0; block < block_count; block++) { 2376 int used = bitmap_get_bit(block_bitmap, block); 2377 update_progress(data, used); 2378 if (used) { 2379 if (data->count == 0) { 2380 data->offset = offset; 2381 } 2382 data->count++; 2383 } else { 2384 if (flush_outstanding_data(data)) { 2385 goto errout; 2386 } 2387 } 2388 2389 offset += info.block_size; 2390 2391 /* Write data if we are aligned or buffer size reached */ 2392 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2393 || data->count == BLOCKS_AT_A_TIME) { 2394 if (flush_outstanding_data(data)) { 2395 goto errout; 2396 } 2397 } 2398 2399 if (!is_battery_ok_to_continue()) { 2400 SLOGE("Stopping encryption due to low battery"); 2401 rc = 0; 2402 goto errout; 2403 } 2404 2405 } 2406 if (flush_outstanding_data(data)) { 2407 goto errout; 2408 } 2409 } 2410 2411 data->completed = 1; 2412 rc = 0; 2413 2414errout: 2415 log_progress(0, true); 2416 free(data->buffer); 2417 free(block_bitmap); 2418 return rc; 2419} 2420 2421static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2422 char *real_blkdev, 2423 off64_t size, 2424 off64_t *size_already_done, 2425 off64_t tot_size, 2426 off64_t previously_encrypted_upto) 2427{ 2428 u32 i; 2429 struct encryptGroupsData data; 2430 int rc; // Can't initialize without causing warning -Wclobbered 2431 2432 if (previously_encrypted_upto > *size_already_done) { 2433 SLOGD("Not fast encrypting since resuming part way through"); 2434 return -1; 2435 } 2436 2437 memset(&data, 0, sizeof(data)); 2438 data.real_blkdev = real_blkdev; 2439 data.crypto_blkdev = crypto_blkdev; 2440 2441 if ( (data.realfd = open(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2442 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2443 real_blkdev, errno, strerror(errno)); 2444 rc = -1; 2445 goto errout; 2446 } 2447 2448 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2449 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2450 crypto_blkdev, errno, strerror(errno)); 2451 rc = ENABLE_INPLACE_ERR_DEV; 2452 goto errout; 2453 } 2454 2455 if (setjmp(setjmp_env)) { 2456 SLOGE("Reading ext4 extent caused an exception\n"); 2457 rc = -1; 2458 goto errout; 2459 } 2460 2461 if (read_ext(data.realfd, 0) != 0) { 2462 SLOGE("Failed to read ext4 extent\n"); 2463 rc = -1; 2464 goto errout; 2465 } 2466 2467 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2468 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2469 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2470 2471 SLOGI("Encrypting ext4 filesystem in place..."); 2472 2473 data.tot_used_blocks = data.numblocks; 2474 for (i = 0; i < aux_info.groups; ++i) { 2475 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2476 } 2477 2478 data.one_pct = data.tot_used_blocks / 100; 2479 data.cur_pct = 0; 2480 2481 struct timespec time_started = {0}; 2482 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2483 SLOGW("Error getting time at start"); 2484 // Note - continue anyway - we'll run with 0 2485 } 2486 data.time_started = time_started.tv_sec; 2487 data.remaining_time = -1; 2488 2489 rc = encrypt_groups(&data); 2490 if (rc) { 2491 SLOGE("Error encrypting groups"); 2492 goto errout; 2493 } 2494 2495 *size_already_done += data.completed ? size : data.last_written_sector; 2496 rc = 0; 2497 2498errout: 2499 close(data.realfd); 2500 close(data.cryptofd); 2501 2502 return rc; 2503} 2504 2505static void log_progress_f2fs(u64 block, bool completed) 2506{ 2507 // Precondition - if completed data = 0 else data != 0 2508 2509 // Track progress so we can skip logging blocks 2510 static u64 last_block = (u64)-1; 2511 2512 // Need to close existing 'Encrypting from' log? 2513 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2514 SLOGI("Encrypted to block %" PRId64, last_block); 2515 last_block = -1; 2516 } 2517 2518 // Need to start new 'Encrypting from' log? 2519 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2520 SLOGI("Encrypting from block %" PRId64, block); 2521 } 2522 2523 // Update offset 2524 if (!completed) { 2525 last_block = block; 2526 } 2527} 2528 2529static int encrypt_one_block_f2fs(u64 pos, void *data) 2530{ 2531 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2532 2533 priv_dat->blocks_already_done = pos - 1; 2534 update_progress(priv_dat, 1); 2535 2536 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2537 2538 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2539 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2540 return -1; 2541 } 2542 2543 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2544 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2545 return -1; 2546 } else { 2547 log_progress_f2fs(pos, false); 2548 } 2549 2550 return 0; 2551} 2552 2553static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2554 char *real_blkdev, 2555 off64_t size, 2556 off64_t *size_already_done, 2557 off64_t tot_size, 2558 off64_t previously_encrypted_upto) 2559{ 2560 struct encryptGroupsData data; 2561 struct f2fs_info *f2fs_info = NULL; 2562 int rc = ENABLE_INPLACE_ERR_OTHER; 2563 if (previously_encrypted_upto > *size_already_done) { 2564 SLOGD("Not fast encrypting since resuming part way through"); 2565 return ENABLE_INPLACE_ERR_OTHER; 2566 } 2567 memset(&data, 0, sizeof(data)); 2568 data.real_blkdev = real_blkdev; 2569 data.crypto_blkdev = crypto_blkdev; 2570 data.realfd = -1; 2571 data.cryptofd = -1; 2572 if ( (data.realfd = open64(real_blkdev, O_RDWR|O_CLOEXEC)) < 0) { 2573 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2574 real_blkdev); 2575 goto errout; 2576 } 2577 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2578 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2579 crypto_blkdev, errno, strerror(errno)); 2580 rc = ENABLE_INPLACE_ERR_DEV; 2581 goto errout; 2582 } 2583 2584 f2fs_info = generate_f2fs_info(data.realfd); 2585 if (!f2fs_info) 2586 goto errout; 2587 2588 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2589 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2590 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2591 2592 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2593 2594 data.one_pct = data.tot_used_blocks / 100; 2595 data.cur_pct = 0; 2596 data.time_started = time(NULL); 2597 data.remaining_time = -1; 2598 2599 data.buffer = malloc(f2fs_info->block_size); 2600 if (!data.buffer) { 2601 SLOGE("Failed to allocate crypto buffer"); 2602 goto errout; 2603 } 2604 2605 data.count = 0; 2606 2607 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2608 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2609 2610 if (rc) { 2611 SLOGE("Error in running over f2fs blocks"); 2612 rc = ENABLE_INPLACE_ERR_OTHER; 2613 goto errout; 2614 } 2615 2616 *size_already_done += size; 2617 rc = 0; 2618 2619errout: 2620 if (rc) 2621 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2622 2623 log_progress_f2fs(0, true); 2624 free(f2fs_info); 2625 free(data.buffer); 2626 close(data.realfd); 2627 close(data.cryptofd); 2628 2629 return rc; 2630} 2631 2632static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2633 off64_t size, off64_t *size_already_done, 2634 off64_t tot_size, 2635 off64_t previously_encrypted_upto) 2636{ 2637 int realfd, cryptofd; 2638 char *buf[CRYPT_INPLACE_BUFSIZE]; 2639 int rc = ENABLE_INPLACE_ERR_OTHER; 2640 off64_t numblocks, i, remainder; 2641 off64_t one_pct, cur_pct, new_pct; 2642 off64_t blocks_already_done, tot_numblocks; 2643 2644 if ( (realfd = open(real_blkdev, O_RDONLY|O_CLOEXEC)) < 0) { 2645 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2646 return ENABLE_INPLACE_ERR_OTHER; 2647 } 2648 2649 if ( (cryptofd = open(crypto_blkdev, O_WRONLY|O_CLOEXEC)) < 0) { 2650 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2651 crypto_blkdev, errno, strerror(errno)); 2652 close(realfd); 2653 return ENABLE_INPLACE_ERR_DEV; 2654 } 2655 2656 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2657 * The size passed in is the number of 512 byte sectors in the filesystem. 2658 * So compute the number of whole 4K blocks we should read/write, 2659 * and the remainder. 2660 */ 2661 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2662 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2663 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2664 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2665 2666 SLOGE("Encrypting filesystem in place..."); 2667 2668 i = previously_encrypted_upto + 1 - *size_already_done; 2669 2670 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2671 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2672 goto errout; 2673 } 2674 2675 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2676 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2677 goto errout; 2678 } 2679 2680 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2681 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2682 SLOGE("Error reading initial sectors from real_blkdev %s for " 2683 "inplace encrypt\n", crypto_blkdev); 2684 goto errout; 2685 } 2686 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2687 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2688 "inplace encrypt\n", crypto_blkdev); 2689 goto errout; 2690 } else { 2691 SLOGI("Encrypted 1 block at %" PRId64, i); 2692 } 2693 } 2694 2695 one_pct = tot_numblocks / 100; 2696 cur_pct = 0; 2697 /* process the majority of the filesystem in blocks */ 2698 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2699 new_pct = (i + blocks_already_done) / one_pct; 2700 if (new_pct > cur_pct) { 2701 char buf[8]; 2702 2703 cur_pct = new_pct; 2704 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2705 property_set("vold.encrypt_progress", buf); 2706 } 2707 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2708 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2709 goto errout; 2710 } 2711 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2712 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2713 goto errout; 2714 } else { 2715 SLOGD("Encrypted %d block at %" PRId64, 2716 CRYPT_SECTORS_PER_BUFSIZE, 2717 i * CRYPT_SECTORS_PER_BUFSIZE); 2718 } 2719 2720 if (!is_battery_ok_to_continue()) { 2721 SLOGE("Stopping encryption due to low battery"); 2722 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2723 rc = 0; 2724 goto errout; 2725 } 2726 } 2727 2728 /* Do any remaining sectors */ 2729 for (i=0; i<remainder; i++) { 2730 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2731 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2732 goto errout; 2733 } 2734 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2735 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2736 goto errout; 2737 } else { 2738 SLOGI("Encrypted 1 block at next location"); 2739 } 2740 } 2741 2742 *size_already_done += size; 2743 rc = 0; 2744 2745errout: 2746 close(realfd); 2747 close(cryptofd); 2748 2749 return rc; 2750} 2751 2752/* returns on of the ENABLE_INPLACE_* return codes */ 2753static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2754 off64_t size, off64_t *size_already_done, 2755 off64_t tot_size, 2756 off64_t previously_encrypted_upto) 2757{ 2758 int rc_ext4, rc_f2fs, rc_full; 2759 if (previously_encrypted_upto) { 2760 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2761 } 2762 2763 if (*size_already_done + size < previously_encrypted_upto) { 2764 *size_already_done += size; 2765 return 0; 2766 } 2767 2768 /* TODO: identify filesystem type. 2769 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2770 * then we will drop down to cryptfs_enable_inplace_f2fs. 2771 * */ 2772 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2773 size, size_already_done, 2774 tot_size, previously_encrypted_upto)) == 0) { 2775 return 0; 2776 } 2777 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2778 2779 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2780 size, size_already_done, 2781 tot_size, previously_encrypted_upto)) == 0) { 2782 return 0; 2783 } 2784 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2785 2786 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2787 size, size_already_done, tot_size, 2788 previously_encrypted_upto); 2789 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2790 2791 /* Hack for b/17898962, the following is the symptom... */ 2792 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2793 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2794 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2795 return ENABLE_INPLACE_ERR_DEV; 2796 } 2797 return rc_full; 2798} 2799 2800#define CRYPTO_ENABLE_WIPE 1 2801#define CRYPTO_ENABLE_INPLACE 2 2802 2803#define FRAMEWORK_BOOT_WAIT 60 2804 2805static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2806{ 2807 int fd = open(filename, O_RDONLY|O_CLOEXEC); 2808 if (fd == -1) { 2809 SLOGE("Error opening file %s", filename); 2810 return -1; 2811 } 2812 2813 char block[CRYPT_INPLACE_BUFSIZE]; 2814 memset(block, 0, sizeof(block)); 2815 if (unix_read(fd, block, sizeof(block)) < 0) { 2816 SLOGE("Error reading file %s", filename); 2817 close(fd); 2818 return -1; 2819 } 2820 2821 close(fd); 2822 2823 SHA256_CTX c; 2824 SHA256_Init(&c); 2825 SHA256_Update(&c, block, sizeof(block)); 2826 SHA256_Final(buf, &c); 2827 2828 return 0; 2829} 2830 2831static int get_fs_type(struct fstab_rec *rec) 2832{ 2833 if (!strcmp(rec->fs_type, "ext4")) { 2834 return EXT4_FS; 2835 } else if (!strcmp(rec->fs_type, "f2fs")) { 2836 return F2FS_FS; 2837 } else { 2838 return -1; 2839 } 2840} 2841 2842static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2843 char *crypto_blkdev, char *real_blkdev, 2844 int previously_encrypted_upto) 2845{ 2846 off64_t cur_encryption_done=0, tot_encryption_size=0; 2847 int rc = -1; 2848 2849 if (!is_battery_ok_to_start()) { 2850 SLOGW("Not starting encryption due to low battery"); 2851 return 0; 2852 } 2853 2854 /* The size of the userdata partition, and add in the vold volumes below */ 2855 tot_encryption_size = crypt_ftr->fs_size; 2856 2857 if (how == CRYPTO_ENABLE_WIPE) { 2858 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2859 int fs_type = get_fs_type(rec); 2860 if (fs_type < 0) { 2861 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2862 return -1; 2863 } 2864 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2865 } else if (how == CRYPTO_ENABLE_INPLACE) { 2866 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2867 crypt_ftr->fs_size, &cur_encryption_done, 2868 tot_encryption_size, 2869 previously_encrypted_upto); 2870 2871 if (rc == ENABLE_INPLACE_ERR_DEV) { 2872 /* Hack for b/17898962 */ 2873 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2874 cryptfs_reboot(reboot); 2875 } 2876 2877 if (!rc) { 2878 crypt_ftr->encrypted_upto = cur_encryption_done; 2879 } 2880 2881 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2882 /* The inplace routine never actually sets the progress to 100% due 2883 * to the round down nature of integer division, so set it here */ 2884 property_set("vold.encrypt_progress", "100"); 2885 } 2886 } else { 2887 /* Shouldn't happen */ 2888 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2889 rc = -1; 2890 } 2891 2892 return rc; 2893} 2894 2895int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2896 int allow_reboot) 2897{ 2898 int how = 0; 2899 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2900 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2901 int rc=-1, i; 2902 struct crypt_mnt_ftr crypt_ftr; 2903 struct crypt_persist_data *pdata; 2904 char encrypted_state[PROPERTY_VALUE_MAX]; 2905 char lockid[32] = { 0 }; 2906 char key_loc[PROPERTY_VALUE_MAX]; 2907 int num_vols; 2908 off64_t previously_encrypted_upto = 0; 2909 2910 if (!strcmp(howarg, "wipe")) { 2911 how = CRYPTO_ENABLE_WIPE; 2912 } else if (! strcmp(howarg, "inplace")) { 2913 how = CRYPTO_ENABLE_INPLACE; 2914 } else { 2915 /* Shouldn't happen, as CommandListener vets the args */ 2916 goto error_unencrypted; 2917 } 2918 2919 /* See if an encryption was underway and interrupted */ 2920 if (how == CRYPTO_ENABLE_INPLACE 2921 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2922 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2923 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2924 crypt_ftr.encrypted_upto = 0; 2925 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2926 2927 /* At this point, we are in an inconsistent state. Until we successfully 2928 complete encryption, a reboot will leave us broken. So mark the 2929 encryption failed in case that happens. 2930 On successfully completing encryption, remove this flag */ 2931 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2932 2933 put_crypt_ftr_and_key(&crypt_ftr); 2934 } 2935 2936 property_get("ro.crypto.state", encrypted_state, ""); 2937 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2938 SLOGE("Device is already running encrypted, aborting"); 2939 goto error_unencrypted; 2940 } 2941 2942 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2943 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2944 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2945 2946 /* Get the size of the real block device */ 2947 int fd = open(real_blkdev, O_RDONLY|O_CLOEXEC); 2948 if (fd == -1) { 2949 SLOGE("Cannot open block device %s\n", real_blkdev); 2950 goto error_unencrypted; 2951 } 2952 unsigned long nr_sec; 2953 get_blkdev_size(fd, &nr_sec); 2954 if (nr_sec == 0) { 2955 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2956 goto error_unencrypted; 2957 } 2958 close(fd); 2959 2960 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2961 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2962 unsigned int fs_size_sec, max_fs_size_sec; 2963 fs_size_sec = get_fs_size(real_blkdev); 2964 if (fs_size_sec == 0) 2965 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2966 2967 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2968 2969 if (fs_size_sec > max_fs_size_sec) { 2970 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2971 goto error_unencrypted; 2972 } 2973 } 2974 2975 /* Get a wakelock as this may take a while, and we don't want the 2976 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2977 * wants to keep the screen on, it can grab a full wakelock. 2978 */ 2979 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2980 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2981 2982 /* The init files are setup to stop the class main and late start when 2983 * vold sets trigger_shutdown_framework. 2984 */ 2985 property_set("vold.decrypt", "trigger_shutdown_framework"); 2986 SLOGD("Just asked init to shut down class main\n"); 2987 2988 /* Ask vold to unmount all devices that it manages */ 2989 if (vold_unmountAll()) { 2990 SLOGE("Failed to unmount all vold managed devices"); 2991 } 2992 2993 /* Now unmount the /data partition. */ 2994 if (wait_and_unmount(DATA_MNT_POINT, false)) { 2995 if (allow_reboot) { 2996 goto error_shutting_down; 2997 } else { 2998 goto error_unencrypted; 2999 } 3000 } 3001 3002 /* Do extra work for a better UX when doing the long inplace encryption */ 3003 if (how == CRYPTO_ENABLE_INPLACE) { 3004 /* Now that /data is unmounted, we need to mount a tmpfs 3005 * /data, set a property saying we're doing inplace encryption, 3006 * and restart the framework. 3007 */ 3008 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3009 goto error_shutting_down; 3010 } 3011 /* Tells the framework that inplace encryption is starting */ 3012 property_set("vold.encrypt_progress", "0"); 3013 3014 /* restart the framework. */ 3015 /* Create necessary paths on /data */ 3016 if (prep_data_fs()) { 3017 goto error_shutting_down; 3018 } 3019 3020 /* Ugh, shutting down the framework is not synchronous, so until it 3021 * can be fixed, this horrible hack will wait a moment for it all to 3022 * shut down before proceeding. Without it, some devices cannot 3023 * restart the graphics services. 3024 */ 3025 sleep(2); 3026 } 3027 3028 /* Start the actual work of making an encrypted filesystem */ 3029 /* Initialize a crypt_mnt_ftr for the partition */ 3030 if (previously_encrypted_upto == 0) { 3031 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3032 goto error_shutting_down; 3033 } 3034 3035 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3036 crypt_ftr.fs_size = nr_sec 3037 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3038 } else { 3039 crypt_ftr.fs_size = nr_sec; 3040 } 3041 /* At this point, we are in an inconsistent state. Until we successfully 3042 complete encryption, a reboot will leave us broken. So mark the 3043 encryption failed in case that happens. 3044 On successfully completing encryption, remove this flag */ 3045 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3046 crypt_ftr.crypt_type = crypt_type; 3047#ifndef CONFIG_HW_DISK_ENCRYPTION 3048 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3049#else 3050 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3051 3052 rc = clear_hw_device_encryption_key(); 3053 if (!rc) { 3054 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3055 } 3056 3057 rc = set_hw_device_encryption_key(passwd, 3058 (char*) crypt_ftr.crypto_type_name); 3059 if (!rc) { 3060 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3061 goto error_shutting_down; 3062 } 3063#endif 3064 3065 /* Make an encrypted master key */ 3066 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3067 SLOGE("Cannot create encrypted master key\n"); 3068 goto error_shutting_down; 3069 } 3070 3071 /* Write the key to the end of the partition */ 3072 put_crypt_ftr_and_key(&crypt_ftr); 3073 3074 /* If any persistent data has been remembered, save it. 3075 * If none, create a valid empty table and save that. 3076 */ 3077 if (!persist_data) { 3078 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3079 if (pdata) { 3080 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3081 persist_data = pdata; 3082 } 3083 } 3084 if (persist_data) { 3085 save_persistent_data(); 3086 } 3087 } 3088 3089 if (how == CRYPTO_ENABLE_INPLACE) { 3090 /* startup service classes main and late_start */ 3091 property_set("vold.decrypt", "trigger_restart_min_framework"); 3092 SLOGD("Just triggered restart_min_framework\n"); 3093 3094 /* OK, the framework is restarted and will soon be showing a 3095 * progress bar. Time to setup an encrypted mapping, and 3096 * either write a new filesystem, or encrypt in place updating 3097 * the progress bar as we work. 3098 */ 3099 } 3100 3101 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3102 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3103 "userdata"); 3104 3105 /* If we are continuing, check checksums match */ 3106 rc = 0; 3107 if (previously_encrypted_upto) { 3108 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3109 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3110 3111 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3112 sizeof(hash_first_block)) != 0) { 3113 SLOGE("Checksums do not match - trigger wipe"); 3114 rc = -1; 3115 } 3116 } 3117 3118 if (!rc) { 3119 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3120 crypto_blkdev, real_blkdev, 3121 previously_encrypted_upto); 3122 } 3123 3124 /* Calculate checksum if we are not finished */ 3125 if (!rc && how == CRYPTO_ENABLE_INPLACE 3126 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3127 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3128 crypt_ftr.hash_first_block); 3129 if (rc) { 3130 SLOGE("Error calculating checksum for continuing encryption"); 3131 rc = -1; 3132 } 3133 } 3134 3135 /* Undo the dm-crypt mapping whether we succeed or not */ 3136 delete_crypto_blk_dev("userdata"); 3137 3138 if (! rc) { 3139 /* Success */ 3140 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3141 3142 if (how == CRYPTO_ENABLE_INPLACE 3143 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3144 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3145 crypt_ftr.encrypted_upto); 3146 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3147 } 3148 3149 put_crypt_ftr_and_key(&crypt_ftr); 3150 3151 if (how == CRYPTO_ENABLE_WIPE 3152 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3153 char value[PROPERTY_VALUE_MAX]; 3154 property_get("ro.crypto.state", value, ""); 3155 if (!strcmp(value, "")) { 3156 /* default encryption - continue first boot sequence */ 3157 property_set("ro.crypto.state", "encrypted"); 3158 release_wake_lock(lockid); 3159 cryptfs_check_passwd(DEFAULT_PASSWORD); 3160 cryptfs_restart_internal(1); 3161 return 0; 3162 } else { 3163 sleep(2); /* Give the UI a chance to show 100% progress */ 3164 cryptfs_reboot(reboot); 3165 } 3166 } else { 3167 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3168 cryptfs_reboot(shutdown); 3169 } 3170 } else { 3171 char value[PROPERTY_VALUE_MAX]; 3172 3173 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3174 if (!strcmp(value, "1")) { 3175 /* wipe data if encryption failed */ 3176 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3177 mkdir("/cache/recovery", 0700); 3178 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC|O_CLOEXEC, 0600); 3179 if (fd >= 0) { 3180 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3181 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3182 close(fd); 3183 } else { 3184 SLOGE("could not open /cache/recovery/command\n"); 3185 } 3186 cryptfs_reboot(recovery); 3187 } else { 3188 /* set property to trigger dialog */ 3189 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3190 release_wake_lock(lockid); 3191 } 3192 return -1; 3193 } 3194 3195 /* hrm, the encrypt step claims success, but the reboot failed. 3196 * This should not happen. 3197 * Set the property and return. Hope the framework can deal with it. 3198 */ 3199 property_set("vold.encrypt_progress", "error_reboot_failed"); 3200 release_wake_lock(lockid); 3201 return rc; 3202 3203error_unencrypted: 3204 property_set("vold.encrypt_progress", "error_not_encrypted"); 3205 if (lockid[0]) { 3206 release_wake_lock(lockid); 3207 } 3208 return -1; 3209 3210error_shutting_down: 3211 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3212 * but the framework is stopped and not restarted to show the error, so it's up to 3213 * vold to restart the system. 3214 */ 3215 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3216 cryptfs_reboot(reboot); 3217 3218 /* shouldn't get here */ 3219 property_set("vold.encrypt_progress", "error_shutting_down"); 3220 if (lockid[0]) { 3221 release_wake_lock(lockid); 3222 } 3223 return -1; 3224} 3225 3226int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3227{ 3228 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3229} 3230 3231int cryptfs_enable_default(char *howarg, int allow_reboot) 3232{ 3233 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3234 DEFAULT_PASSWORD, allow_reboot); 3235} 3236 3237int cryptfs_changepw(int crypt_type, const char *newpw) 3238{ 3239 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3240 return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw); 3241 } 3242 3243 struct crypt_mnt_ftr crypt_ftr; 3244 int rc; 3245 3246 /* This is only allowed after we've successfully decrypted the master key */ 3247 if (!master_key_saved) { 3248 SLOGE("Key not saved, aborting"); 3249 return -1; 3250 } 3251 3252 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3253 SLOGE("Invalid crypt_type %d", crypt_type); 3254 return -1; 3255 } 3256 3257 /* get key */ 3258 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3259 SLOGE("Error getting crypt footer and key"); 3260 return -1; 3261 } 3262 3263 crypt_ftr.crypt_type = crypt_type; 3264 3265 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3266 : newpw, 3267 crypt_ftr.salt, 3268 saved_master_key, 3269 crypt_ftr.master_key, 3270 &crypt_ftr); 3271 if (rc) { 3272 SLOGE("Encrypt master key failed: %d", rc); 3273 return -1; 3274 } 3275 /* save the key */ 3276 put_crypt_ftr_and_key(&crypt_ftr); 3277 3278#ifdef CONFIG_HW_DISK_ENCRYPTION 3279 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3280 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3281 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3282 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3283 if (!rc) 3284 return -1; 3285 } else { 3286 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3287 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3288 if (!rc) 3289 return -1; 3290 } 3291 } 3292#endif 3293 return 0; 3294} 3295 3296static unsigned int persist_get_max_entries(int encrypted) { 3297 struct crypt_mnt_ftr crypt_ftr; 3298 unsigned int dsize; 3299 unsigned int max_persistent_entries; 3300 3301 /* If encrypted, use the values from the crypt_ftr, otherwise 3302 * use the values for the current spec. 3303 */ 3304 if (encrypted) { 3305 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3306 return -1; 3307 } 3308 dsize = crypt_ftr.persist_data_size; 3309 } else { 3310 dsize = CRYPT_PERSIST_DATA_SIZE; 3311 } 3312 3313 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3314 sizeof(struct crypt_persist_entry); 3315 3316 return max_persistent_entries; 3317} 3318 3319static int persist_get_key(const char *fieldname, char *value) 3320{ 3321 unsigned int i; 3322 3323 if (persist_data == NULL) { 3324 return -1; 3325 } 3326 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3327 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3328 /* We found it! */ 3329 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3330 return 0; 3331 } 3332 } 3333 3334 return -1; 3335} 3336 3337static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3338{ 3339 unsigned int i; 3340 unsigned int num; 3341 unsigned int max_persistent_entries; 3342 3343 if (persist_data == NULL) { 3344 return -1; 3345 } 3346 3347 max_persistent_entries = persist_get_max_entries(encrypted); 3348 3349 num = persist_data->persist_valid_entries; 3350 3351 for (i = 0; i < num; i++) { 3352 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3353 /* We found an existing entry, update it! */ 3354 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3355 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3356 return 0; 3357 } 3358 } 3359 3360 /* We didn't find it, add it to the end, if there is room */ 3361 if (persist_data->persist_valid_entries < max_persistent_entries) { 3362 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3363 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3364 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3365 persist_data->persist_valid_entries++; 3366 return 0; 3367 } 3368 3369 return -1; 3370} 3371 3372/** 3373 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3374 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3375 */ 3376static int match_multi_entry(const char *key, const char *field, unsigned index) { 3377 unsigned int field_len; 3378 unsigned int key_index; 3379 field_len = strlen(field); 3380 3381 if (index == 0) { 3382 // The first key in a multi-entry field is just the filedname itself. 3383 if (!strcmp(key, field)) { 3384 return 1; 3385 } 3386 } 3387 // Match key against "%s_%d" % (field, index) 3388 if (strlen(key) < field_len + 1 + 1) { 3389 // Need at least a '_' and a digit. 3390 return 0; 3391 } 3392 if (strncmp(key, field, field_len)) { 3393 // If the key does not begin with field, it's not a match. 3394 return 0; 3395 } 3396 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3397 return 0; 3398 } 3399 return key_index >= index; 3400} 3401 3402/* 3403 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3404 * remaining entries starting from index will be deleted. 3405 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3406 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3407 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3408 * 3409 */ 3410static int persist_del_keys(const char *fieldname, unsigned index) 3411{ 3412 unsigned int i; 3413 unsigned int j; 3414 unsigned int num; 3415 3416 if (persist_data == NULL) { 3417 return PERSIST_DEL_KEY_ERROR_OTHER; 3418 } 3419 3420 num = persist_data->persist_valid_entries; 3421 3422 j = 0; // points to the end of non-deleted entries. 3423 // Filter out to-be-deleted entries in place. 3424 for (i = 0; i < num; i++) { 3425 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3426 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3427 j++; 3428 } 3429 } 3430 3431 if (j < num) { 3432 persist_data->persist_valid_entries = j; 3433 // Zeroise the remaining entries 3434 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3435 return PERSIST_DEL_KEY_OK; 3436 } else { 3437 // Did not find an entry matching the given fieldname 3438 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3439 } 3440} 3441 3442static int persist_count_keys(const char *fieldname) 3443{ 3444 unsigned int i; 3445 unsigned int count; 3446 3447 if (persist_data == NULL) { 3448 return -1; 3449 } 3450 3451 count = 0; 3452 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3453 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3454 count++; 3455 } 3456 } 3457 3458 return count; 3459} 3460 3461/* Return the value of the specified field. */ 3462int cryptfs_getfield(const char *fieldname, char *value, int len) 3463{ 3464 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3465 return e4crypt_get_field(DATA_MNT_POINT, fieldname, value, len); 3466 } 3467 3468 char temp_value[PROPERTY_VALUE_MAX]; 3469 /* CRYPTO_GETFIELD_OK is success, 3470 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3471 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3472 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3473 */ 3474 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3475 int i; 3476 char temp_field[PROPERTY_KEY_MAX]; 3477 3478 if (persist_data == NULL) { 3479 load_persistent_data(); 3480 if (persist_data == NULL) { 3481 SLOGE("Getfield error, cannot load persistent data"); 3482 goto out; 3483 } 3484 } 3485 3486 // Read value from persistent entries. If the original value is split into multiple entries, 3487 // stitch them back together. 3488 if (!persist_get_key(fieldname, temp_value)) { 3489 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3490 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3491 // value too small 3492 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3493 goto out; 3494 } 3495 rc = CRYPTO_GETFIELD_OK; 3496 3497 for (i = 1; /* break explicitly */; i++) { 3498 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3499 (int) sizeof(temp_field)) { 3500 // If the fieldname is very long, we stop as soon as it begins to overflow the 3501 // maximum field length. At this point we have in fact fully read out the original 3502 // value because cryptfs_setfield would not allow fields with longer names to be 3503 // written in the first place. 3504 break; 3505 } 3506 if (!persist_get_key(temp_field, temp_value)) { 3507 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3508 // value too small. 3509 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3510 goto out; 3511 } 3512 } else { 3513 // Exhaust all entries. 3514 break; 3515 } 3516 } 3517 } else { 3518 /* Sadness, it's not there. Return the error */ 3519 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3520 } 3521 3522out: 3523 return rc; 3524} 3525 3526/* Set the value of the specified field. */ 3527int cryptfs_setfield(const char *fieldname, const char *value) 3528{ 3529 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3530 return e4crypt_set_field(DATA_MNT_POINT, fieldname, value); 3531 } 3532 3533 char encrypted_state[PROPERTY_VALUE_MAX]; 3534 /* 0 is success, negative values are error */ 3535 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3536 int encrypted = 0; 3537 unsigned int field_id; 3538 char temp_field[PROPERTY_KEY_MAX]; 3539 unsigned int num_entries; 3540 unsigned int max_keylen; 3541 3542 if (persist_data == NULL) { 3543 load_persistent_data(); 3544 if (persist_data == NULL) { 3545 SLOGE("Setfield error, cannot load persistent data"); 3546 goto out; 3547 } 3548 } 3549 3550 property_get("ro.crypto.state", encrypted_state, ""); 3551 if (!strcmp(encrypted_state, "encrypted") ) { 3552 encrypted = 1; 3553 } 3554 3555 // Compute the number of entries required to store value, each entry can store up to 3556 // (PROPERTY_VALUE_MAX - 1) chars 3557 if (strlen(value) == 0) { 3558 // Empty value also needs one entry to store. 3559 num_entries = 1; 3560 } else { 3561 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3562 } 3563 3564 max_keylen = strlen(fieldname); 3565 if (num_entries > 1) { 3566 // Need an extra "_%d" suffix. 3567 max_keylen += 1 + log10(num_entries); 3568 } 3569 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3570 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3571 goto out; 3572 } 3573 3574 // Make sure we have enough space to write the new value 3575 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3576 persist_get_max_entries(encrypted)) { 3577 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3578 goto out; 3579 } 3580 3581 // Now that we know persist_data has enough space for value, let's delete the old field first 3582 // to make up space. 3583 persist_del_keys(fieldname, 0); 3584 3585 if (persist_set_key(fieldname, value, encrypted)) { 3586 // fail to set key, should not happen as we have already checked the available space 3587 SLOGE("persist_set_key() error during setfield()"); 3588 goto out; 3589 } 3590 3591 for (field_id = 1; field_id < num_entries; field_id++) { 3592 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3593 3594 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3595 // fail to set key, should not happen as we have already checked the available space. 3596 SLOGE("persist_set_key() error during setfield()"); 3597 goto out; 3598 } 3599 } 3600 3601 /* If we are running encrypted, save the persistent data now */ 3602 if (encrypted) { 3603 if (save_persistent_data()) { 3604 SLOGE("Setfield error, cannot save persistent data"); 3605 goto out; 3606 } 3607 } 3608 3609 rc = CRYPTO_SETFIELD_OK; 3610 3611out: 3612 return rc; 3613} 3614 3615/* Checks userdata. Attempt to mount the volume if default- 3616 * encrypted. 3617 * On success trigger next init phase and return 0. 3618 * Currently do not handle failure - see TODO below. 3619 */ 3620int cryptfs_mount_default_encrypted(void) 3621{ 3622 char decrypt_state[PROPERTY_VALUE_MAX]; 3623 property_get("vold.decrypt", decrypt_state, "0"); 3624 if (!strcmp(decrypt_state, "0")) { 3625 SLOGE("Not encrypted - should not call here"); 3626 } else { 3627 int crypt_type = cryptfs_get_password_type(); 3628 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3629 SLOGE("Bad crypt type - error"); 3630 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3631 SLOGD("Password is not default - " 3632 "starting min framework to prompt"); 3633 property_set("vold.decrypt", "trigger_restart_min_framework"); 3634 return 0; 3635 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3636 SLOGD("Password is default - restarting filesystem"); 3637 cryptfs_restart_internal(0); 3638 return 0; 3639 } else { 3640 SLOGE("Encrypted, default crypt type but can't decrypt"); 3641 } 3642 } 3643 3644 /** Corrupt. Allow us to boot into framework, which will detect bad 3645 crypto when it calls do_crypto_complete, then do a factory reset 3646 */ 3647 property_set("vold.decrypt", "trigger_restart_min_framework"); 3648 return 0; 3649} 3650 3651/* Returns type of the password, default, pattern, pin or password. 3652 */ 3653int cryptfs_get_password_type(void) 3654{ 3655 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3656 return e4crypt_get_password_type(DATA_MNT_POINT); 3657 } 3658 3659 struct crypt_mnt_ftr crypt_ftr; 3660 3661 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3662 SLOGE("Error getting crypt footer and key\n"); 3663 return -1; 3664 } 3665 3666 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3667 return -1; 3668 } 3669 3670 return crypt_ftr.crypt_type; 3671} 3672 3673const char* cryptfs_get_password() 3674{ 3675 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3676 return e4crypt_get_password(DATA_MNT_POINT); 3677 } 3678 3679 struct timespec now; 3680 clock_gettime(CLOCK_BOOTTIME, &now); 3681 if (now.tv_sec < password_expiry_time) { 3682 return password; 3683 } else { 3684 cryptfs_clear_password(); 3685 return 0; 3686 } 3687} 3688 3689void cryptfs_clear_password() 3690{ 3691 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3692 e4crypt_clear_password(DATA_MNT_POINT); 3693 } 3694 3695 if (password) { 3696 size_t len = strlen(password); 3697 memset(password, 0, len); 3698 free(password); 3699 password = 0; 3700 password_expiry_time = 0; 3701 } 3702} 3703 3704int cryptfs_enable_file() 3705{ 3706 return e4crypt_enable(DATA_MNT_POINT); 3707} 3708 3709int cryptfs_create_default_ftr(struct crypt_mnt_ftr* crypt_ftr, __attribute__((unused))int key_length) 3710{ 3711 if (cryptfs_init_crypt_mnt_ftr(crypt_ftr)) { 3712 SLOGE("Failed to initialize crypt_ftr"); 3713 return -1; 3714 } 3715 3716 if (create_encrypted_random_key(DEFAULT_PASSWORD, crypt_ftr->master_key, 3717 crypt_ftr->salt, crypt_ftr)) { 3718 SLOGE("Cannot create encrypted master key\n"); 3719 return -1; 3720 } 3721 3722 //crypt_ftr->keysize = key_length / 8; 3723 return 0; 3724} 3725 3726int cryptfs_get_master_key(struct crypt_mnt_ftr* ftr, const char* password, 3727 unsigned char* master_key) 3728{ 3729 int rc; 3730 3731 unsigned char* intermediate_key = 0; 3732 size_t intermediate_key_size = 0; 3733 3734 if (password == 0 || *password == 0) { 3735 password = DEFAULT_PASSWORD; 3736 } 3737 3738 rc = decrypt_master_key(password, master_key, ftr, &intermediate_key, 3739 &intermediate_key_size); 3740 3741 int N = 1 << ftr->N_factor; 3742 int r = 1 << ftr->r_factor; 3743 int p = 1 << ftr->p_factor; 3744 3745 unsigned char scrypted_intermediate_key[sizeof(ftr->scrypted_intermediate_key)]; 3746 3747 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 3748 ftr->salt, sizeof(ftr->salt), N, r, p, 3749 scrypted_intermediate_key, 3750 sizeof(scrypted_intermediate_key)); 3751 3752 free(intermediate_key); 3753 3754 if (rc) { 3755 SLOGE("Can't calculate intermediate key"); 3756 return rc; 3757 } 3758 3759 return memcmp(scrypted_intermediate_key, ftr->scrypted_intermediate_key, 3760 intermediate_key_size); 3761} 3762 3763int cryptfs_set_password(struct crypt_mnt_ftr* ftr, const char* password, 3764 const unsigned char* master_key) 3765{ 3766 return encrypt_master_key(password, ftr->salt, master_key, ftr->master_key, 3767 ftr); 3768} 3769