cryptfs.c revision 00786076cd6a3a32a42f95b4813ea807321b3fda
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include "cryptfs.h" 44#define LOG_TAG "Cryptfs" 45#include "cutils/log.h" 46#include "cutils/properties.h" 47#include "cutils/android_reboot.h" 48#include "hardware_legacy/power.h" 49#include <logwrap/logwrap.h> 50#include "VolumeManager.h" 51#include "VoldUtil.h" 52#include "crypto_scrypt.h" 53#include "ext4_utils.h" 54#include "f2fs_sparseblock.h" 55#include "CheckBattery.h" 56 57#include <hardware/keymaster.h> 58 59#define UNUSED __attribute__((unused)) 60 61#define UNUSED __attribute__((unused)) 62 63#define DM_CRYPT_BUF_SIZE 4096 64 65#define HASH_COUNT 2000 66#define KEY_LEN_BYTES 16 67#define IV_LEN_BYTES 16 68 69#define KEY_IN_FOOTER "footer" 70 71// "default_password" encoded into hex (d=0x64 etc) 72#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 73 74#define EXT4_FS 1 75#define F2FS_FS 2 76 77#define TABLE_LOAD_RETRIES 10 78 79#define RSA_DEFAULT_KEY_SIZE 2048 80#define RSA_DEFAULT_EXPONENT 0x10001 81 82char *me = "cryptfs"; 83 84static unsigned char saved_master_key[KEY_LEN_BYTES]; 85static char *saved_mount_point; 86static int master_key_saved = 0; 87static struct crypt_persist_data *persist_data = NULL; 88 89static int keymaster_init(keymaster_device_t **keymaster_dev) 90{ 91 int rc; 92 93 const hw_module_t* mod; 94 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 95 if (rc) { 96 ALOGE("could not find any keystore module"); 97 goto out; 98 } 99 100 rc = keymaster_open(mod, keymaster_dev); 101 if (rc) { 102 ALOGE("could not open keymaster device in %s (%s)", 103 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 104 goto out; 105 } 106 107 return 0; 108 109out: 110 *keymaster_dev = NULL; 111 return rc; 112} 113 114/* Should we use keymaster? */ 115static int keymaster_check_compatibility() 116{ 117 keymaster_device_t *keymaster_dev = 0; 118 int rc = 0; 119 120 if (keymaster_init(&keymaster_dev)) { 121 SLOGE("Failed to init keymaster"); 122 rc = -1; 123 goto out; 124 } 125 126 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 127 128 if (keymaster_dev->common.module->module_api_version 129 < KEYMASTER_MODULE_API_VERSION_0_3) { 130 rc = 0; 131 goto out; 132 } 133 134 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 135 rc = 1; 136 } 137 138out: 139 keymaster_close(keymaster_dev); 140 return rc; 141} 142 143/* Create a new keymaster key and store it in this footer */ 144static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 145{ 146 uint8_t* key = 0; 147 keymaster_device_t *keymaster_dev = 0; 148 149 if (keymaster_init(&keymaster_dev)) { 150 SLOGE("Failed to init keymaster"); 151 return -1; 152 } 153 154 int rc = 0; 155 156 keymaster_rsa_keygen_params_t params; 157 memset(¶ms, '\0', sizeof(params)); 158 params.public_exponent = RSA_DEFAULT_EXPONENT; 159 params.modulus_size = RSA_DEFAULT_KEY_SIZE; 160 161 size_t key_size; 162 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 163 &key, &key_size)) { 164 SLOGE("Failed to generate keypair"); 165 rc = -1; 166 goto out; 167 } 168 169 if (key_size > KEYMASTER_BLOB_SIZE) { 170 SLOGE("Keymaster key too large for crypto footer"); 171 rc = -1; 172 goto out; 173 } 174 175 memcpy(ftr->keymaster_blob, key, key_size); 176 ftr->keymaster_blob_size = key_size; 177 178out: 179 keymaster_close(keymaster_dev); 180 free(key); 181 return rc; 182} 183 184/* This signs the given object using the keymaster key */ 185static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 186 const unsigned char *object, 187 const size_t object_size, 188 unsigned char **signature, 189 size_t *signature_size) 190{ 191 int rc = 0; 192 keymaster_device_t *keymaster_dev = 0; 193 if (keymaster_init(&keymaster_dev)) { 194 SLOGE("Failed to init keymaster"); 195 return -1; 196 } 197 198 /* We currently set the digest type to DIGEST_NONE because it's the 199 * only supported value for keymaster. A similar issue exists with 200 * PADDING_NONE. Long term both of these should likely change. 201 */ 202 keymaster_rsa_sign_params_t params; 203 params.digest_type = DIGEST_NONE; 204 params.padding_type = PADDING_NONE; 205 206 rc = keymaster_dev->sign_data(keymaster_dev, 207 ¶ms, 208 ftr->keymaster_blob, 209 ftr->keymaster_blob_size, 210 object, 211 object_size, 212 signature, 213 signature_size); 214 215 keymaster_close(keymaster_dev); 216 return rc; 217} 218 219/* Store password when userdata is successfully decrypted and mounted. 220 * Cleared by cryptfs_clear_password 221 * 222 * To avoid a double prompt at boot, we need to store the CryptKeeper 223 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 224 * Since the entire framework is torn down and rebuilt after encryption, 225 * we have to use a daemon or similar to store the password. Since vold 226 * is secured against IPC except from system processes, it seems a reasonable 227 * place to store this. 228 * 229 * password should be cleared once it has been used. 230 * 231 * password is aged out after password_max_age_seconds seconds. 232 */ 233static char* password = 0; 234static int password_expiry_time = 0; 235static const int password_max_age_seconds = 60; 236 237extern struct fstab *fstab; 238 239enum RebootType {reboot, recovery, shutdown}; 240static void cryptfs_reboot(enum RebootType rt) 241{ 242 switch(rt) { 243 case reboot: 244 property_set(ANDROID_RB_PROPERTY, "reboot"); 245 break; 246 247 case recovery: 248 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 249 break; 250 251 case shutdown: 252 property_set(ANDROID_RB_PROPERTY, "shutdown"); 253 break; 254 } 255 256 sleep(20); 257 258 /* Shouldn't get here, reboot should happen before sleep times out */ 259 return; 260} 261 262static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 263{ 264 memset(io, 0, dataSize); 265 io->data_size = dataSize; 266 io->data_start = sizeof(struct dm_ioctl); 267 io->version[0] = 4; 268 io->version[1] = 0; 269 io->version[2] = 0; 270 io->flags = flags; 271 if (name) { 272 strncpy(io->name, name, sizeof(io->name)); 273 } 274} 275 276/** 277 * Gets the default device scrypt parameters for key derivation time tuning. 278 * The parameters should lead to about one second derivation time for the 279 * given device. 280 */ 281static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 282 const int default_params[] = SCRYPT_DEFAULTS; 283 int params[] = SCRYPT_DEFAULTS; 284 char paramstr[PROPERTY_VALUE_MAX]; 285 char *token; 286 char *saveptr; 287 int i; 288 289 property_get(SCRYPT_PROP, paramstr, ""); 290 if (paramstr[0] != '\0') { 291 /* 292 * The token we're looking for should be three integers separated by 293 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 294 */ 295 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 296 token != NULL && i < 3; 297 i++, token = strtok_r(NULL, ":", &saveptr)) { 298 char *endptr; 299 params[i] = strtol(token, &endptr, 10); 300 301 /* 302 * Check that there was a valid number and it's 8-bit. If not, 303 * break out and the end check will take the default values. 304 */ 305 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 306 break; 307 } 308 } 309 310 /* 311 * If there were not enough tokens or a token was malformed (not an 312 * integer), it will end up here and the default parameters can be 313 * taken. 314 */ 315 if ((i != 3) || (token != NULL)) { 316 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 317 memcpy(params, default_params, sizeof(params)); 318 } 319 } 320 321 ftr->N_factor = params[0]; 322 ftr->r_factor = params[1]; 323 ftr->p_factor = params[2]; 324} 325 326static unsigned int get_fs_size(char *dev) 327{ 328 int fd, block_size; 329 struct ext4_super_block sb; 330 off64_t len; 331 332 if ((fd = open(dev, O_RDONLY)) < 0) { 333 SLOGE("Cannot open device to get filesystem size "); 334 return 0; 335 } 336 337 if (lseek64(fd, 1024, SEEK_SET) < 0) { 338 SLOGE("Cannot seek to superblock"); 339 return 0; 340 } 341 342 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 343 SLOGE("Cannot read superblock"); 344 return 0; 345 } 346 347 close(fd); 348 349 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 350 SLOGE("Not a valid ext4 superblock"); 351 return 0; 352 } 353 block_size = 1024 << sb.s_log_block_size; 354 /* compute length in bytes */ 355 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 356 357 /* return length in sectors */ 358 return (unsigned int) (len / 512); 359} 360 361static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 362{ 363 static int cached_data = 0; 364 static off64_t cached_off = 0; 365 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 366 int fd; 367 char key_loc[PROPERTY_VALUE_MAX]; 368 char real_blkdev[PROPERTY_VALUE_MAX]; 369 unsigned int nr_sec; 370 int rc = -1; 371 372 if (!cached_data) { 373 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 374 375 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 376 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 377 SLOGE("Cannot open real block device %s\n", real_blkdev); 378 return -1; 379 } 380 381 if ((nr_sec = get_blkdev_size(fd))) { 382 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 383 * encryption info footer and key, and plenty of bytes to spare for future 384 * growth. 385 */ 386 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 387 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 388 cached_data = 1; 389 } else { 390 SLOGE("Cannot get size of block device %s\n", real_blkdev); 391 } 392 close(fd); 393 } else { 394 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 395 cached_off = 0; 396 cached_data = 1; 397 } 398 } 399 400 if (cached_data) { 401 if (metadata_fname) { 402 *metadata_fname = cached_metadata_fname; 403 } 404 if (off) { 405 *off = cached_off; 406 } 407 rc = 0; 408 } 409 410 return rc; 411} 412 413/* key or salt can be NULL, in which case just skip writing that value. Useful to 414 * update the failed mount count but not change the key. 415 */ 416static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 417{ 418 int fd; 419 unsigned int nr_sec, cnt; 420 /* starting_off is set to the SEEK_SET offset 421 * where the crypto structure starts 422 */ 423 off64_t starting_off; 424 int rc = -1; 425 char *fname = NULL; 426 struct stat statbuf; 427 428 if (get_crypt_ftr_info(&fname, &starting_off)) { 429 SLOGE("Unable to get crypt_ftr_info\n"); 430 return -1; 431 } 432 if (fname[0] != '/') { 433 SLOGE("Unexpected value for crypto key location\n"); 434 return -1; 435 } 436 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 437 SLOGE("Cannot open footer file %s for put\n", fname); 438 return -1; 439 } 440 441 /* Seek to the start of the crypt footer */ 442 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 443 SLOGE("Cannot seek to real block device footer\n"); 444 goto errout; 445 } 446 447 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 448 SLOGE("Cannot write real block device footer\n"); 449 goto errout; 450 } 451 452 fstat(fd, &statbuf); 453 /* If the keys are kept on a raw block device, do not try to truncate it. */ 454 if (S_ISREG(statbuf.st_mode)) { 455 if (ftruncate(fd, 0x4000)) { 456 SLOGE("Cannot set footer file size\n"); 457 goto errout; 458 } 459 } 460 461 /* Success! */ 462 rc = 0; 463 464errout: 465 close(fd); 466 return rc; 467 468} 469 470static inline int unix_read(int fd, void* buff, int len) 471{ 472 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 473} 474 475static inline int unix_write(int fd, const void* buff, int len) 476{ 477 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 478} 479 480static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 481{ 482 memset(pdata, 0, len); 483 pdata->persist_magic = PERSIST_DATA_MAGIC; 484 pdata->persist_valid_entries = 0; 485} 486 487/* A routine to update the passed in crypt_ftr to the lastest version. 488 * fd is open read/write on the device that holds the crypto footer and persistent 489 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 490 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 491 */ 492static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 493{ 494 int orig_major = crypt_ftr->major_version; 495 int orig_minor = crypt_ftr->minor_version; 496 497 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 498 struct crypt_persist_data *pdata; 499 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 500 501 SLOGW("upgrading crypto footer to 1.1"); 502 503 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 504 if (pdata == NULL) { 505 SLOGE("Cannot allocate persisent data\n"); 506 return; 507 } 508 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 509 510 /* Need to initialize the persistent data area */ 511 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 512 SLOGE("Cannot seek to persisent data offset\n"); 513 return; 514 } 515 /* Write all zeros to the first copy, making it invalid */ 516 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 517 518 /* Write a valid but empty structure to the second copy */ 519 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 520 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 521 522 /* Update the footer */ 523 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 524 crypt_ftr->persist_data_offset[0] = pdata_offset; 525 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 526 crypt_ftr->minor_version = 1; 527 } 528 529 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 530 SLOGW("upgrading crypto footer to 1.2"); 531 /* But keep the old kdf_type. 532 * It will get updated later to KDF_SCRYPT after the password has been verified. 533 */ 534 crypt_ftr->kdf_type = KDF_PBKDF2; 535 get_device_scrypt_params(crypt_ftr); 536 crypt_ftr->minor_version = 2; 537 } 538 539 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 540 SLOGW("upgrading crypto footer to 1.3"); 541 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 542 crypt_ftr->minor_version = 3; 543 } 544 545 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 546 if (lseek64(fd, offset, SEEK_SET) == -1) { 547 SLOGE("Cannot seek to crypt footer\n"); 548 return; 549 } 550 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 551 } 552} 553 554 555static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 556{ 557 int fd; 558 unsigned int nr_sec, cnt; 559 off64_t starting_off; 560 int rc = -1; 561 char *fname = NULL; 562 struct stat statbuf; 563 564 if (get_crypt_ftr_info(&fname, &starting_off)) { 565 SLOGE("Unable to get crypt_ftr_info\n"); 566 return -1; 567 } 568 if (fname[0] != '/') { 569 SLOGE("Unexpected value for crypto key location\n"); 570 return -1; 571 } 572 if ( (fd = open(fname, O_RDWR)) < 0) { 573 SLOGE("Cannot open footer file %s for get\n", fname); 574 return -1; 575 } 576 577 /* Make sure it's 16 Kbytes in length */ 578 fstat(fd, &statbuf); 579 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 580 SLOGE("footer file %s is not the expected size!\n", fname); 581 goto errout; 582 } 583 584 /* Seek to the start of the crypt footer */ 585 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 586 SLOGE("Cannot seek to real block device footer\n"); 587 goto errout; 588 } 589 590 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 591 SLOGE("Cannot read real block device footer\n"); 592 goto errout; 593 } 594 595 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 596 SLOGE("Bad magic for real block device %s\n", fname); 597 goto errout; 598 } 599 600 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 601 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 602 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 603 goto errout; 604 } 605 606 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 607 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 608 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 609 } 610 611 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 612 * copy on disk before returning. 613 */ 614 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 615 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 616 } 617 618 /* Success! */ 619 rc = 0; 620 621errout: 622 close(fd); 623 return rc; 624} 625 626static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 627{ 628 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 629 crypt_ftr->persist_data_offset[1]) { 630 SLOGE("Crypt_ftr persist data regions overlap"); 631 return -1; 632 } 633 634 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 635 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 636 return -1; 637 } 638 639 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 640 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 641 CRYPT_FOOTER_OFFSET) { 642 SLOGE("Persistent data extends past crypto footer"); 643 return -1; 644 } 645 646 return 0; 647} 648 649static int load_persistent_data(void) 650{ 651 struct crypt_mnt_ftr crypt_ftr; 652 struct crypt_persist_data *pdata = NULL; 653 char encrypted_state[PROPERTY_VALUE_MAX]; 654 char *fname; 655 int found = 0; 656 int fd; 657 int ret; 658 int i; 659 660 if (persist_data) { 661 /* Nothing to do, we've already loaded or initialized it */ 662 return 0; 663 } 664 665 666 /* If not encrypted, just allocate an empty table and initialize it */ 667 property_get("ro.crypto.state", encrypted_state, ""); 668 if (strcmp(encrypted_state, "encrypted") ) { 669 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 670 if (pdata) { 671 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 672 persist_data = pdata; 673 return 0; 674 } 675 return -1; 676 } 677 678 if(get_crypt_ftr_and_key(&crypt_ftr)) { 679 return -1; 680 } 681 682 if ((crypt_ftr.major_version < 1) 683 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 684 SLOGE("Crypt_ftr version doesn't support persistent data"); 685 return -1; 686 } 687 688 if (get_crypt_ftr_info(&fname, NULL)) { 689 return -1; 690 } 691 692 ret = validate_persistent_data_storage(&crypt_ftr); 693 if (ret) { 694 return -1; 695 } 696 697 fd = open(fname, O_RDONLY); 698 if (fd < 0) { 699 SLOGE("Cannot open %s metadata file", fname); 700 return -1; 701 } 702 703 if (persist_data == NULL) { 704 pdata = malloc(crypt_ftr.persist_data_size); 705 if (pdata == NULL) { 706 SLOGE("Cannot allocate memory for persistent data"); 707 goto err; 708 } 709 } 710 711 for (i = 0; i < 2; i++) { 712 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 713 SLOGE("Cannot seek to read persistent data on %s", fname); 714 goto err2; 715 } 716 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 717 SLOGE("Error reading persistent data on iteration %d", i); 718 goto err2; 719 } 720 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 721 found = 1; 722 break; 723 } 724 } 725 726 if (!found) { 727 SLOGI("Could not find valid persistent data, creating"); 728 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 729 } 730 731 /* Success */ 732 persist_data = pdata; 733 close(fd); 734 return 0; 735 736err2: 737 free(pdata); 738 739err: 740 close(fd); 741 return -1; 742} 743 744static int save_persistent_data(void) 745{ 746 struct crypt_mnt_ftr crypt_ftr; 747 struct crypt_persist_data *pdata; 748 char *fname; 749 off64_t write_offset; 750 off64_t erase_offset; 751 int found = 0; 752 int fd; 753 int ret; 754 755 if (persist_data == NULL) { 756 SLOGE("No persistent data to save"); 757 return -1; 758 } 759 760 if(get_crypt_ftr_and_key(&crypt_ftr)) { 761 return -1; 762 } 763 764 if ((crypt_ftr.major_version < 1) 765 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 766 SLOGE("Crypt_ftr version doesn't support persistent data"); 767 return -1; 768 } 769 770 ret = validate_persistent_data_storage(&crypt_ftr); 771 if (ret) { 772 return -1; 773 } 774 775 if (get_crypt_ftr_info(&fname, NULL)) { 776 return -1; 777 } 778 779 fd = open(fname, O_RDWR); 780 if (fd < 0) { 781 SLOGE("Cannot open %s metadata file", fname); 782 return -1; 783 } 784 785 pdata = malloc(crypt_ftr.persist_data_size); 786 if (pdata == NULL) { 787 SLOGE("Cannot allocate persistant data"); 788 goto err; 789 } 790 791 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 792 SLOGE("Cannot seek to read persistent data on %s", fname); 793 goto err2; 794 } 795 796 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 797 SLOGE("Error reading persistent data before save"); 798 goto err2; 799 } 800 801 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 802 /* The first copy is the curent valid copy, so write to 803 * the second copy and erase this one */ 804 write_offset = crypt_ftr.persist_data_offset[1]; 805 erase_offset = crypt_ftr.persist_data_offset[0]; 806 } else { 807 /* The second copy must be the valid copy, so write to 808 * the first copy, and erase the second */ 809 write_offset = crypt_ftr.persist_data_offset[0]; 810 erase_offset = crypt_ftr.persist_data_offset[1]; 811 } 812 813 /* Write the new copy first, if successful, then erase the old copy */ 814 if (lseek(fd, write_offset, SEEK_SET) < 0) { 815 SLOGE("Cannot seek to write persistent data"); 816 goto err2; 817 } 818 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 819 (int) crypt_ftr.persist_data_size) { 820 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 821 SLOGE("Cannot seek to erase previous persistent data"); 822 goto err2; 823 } 824 fsync(fd); 825 memset(pdata, 0, crypt_ftr.persist_data_size); 826 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 827 (int) crypt_ftr.persist_data_size) { 828 SLOGE("Cannot write to erase previous persistent data"); 829 goto err2; 830 } 831 fsync(fd); 832 } else { 833 SLOGE("Cannot write to save persistent data"); 834 goto err2; 835 } 836 837 /* Success */ 838 free(pdata); 839 close(fd); 840 return 0; 841 842err2: 843 free(pdata); 844err: 845 close(fd); 846 return -1; 847} 848 849static int hexdigit (char c) 850{ 851 if (c >= '0' && c <= '9') return c - '0'; 852 c = tolower(c); 853 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 854 return -1; 855} 856 857static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 858 unsigned int* out_keysize) 859{ 860 unsigned int i; 861 *out_keysize = 0; 862 863 size_t size = strlen (master_key_ascii); 864 if (size % 2) { 865 SLOGE("Trying to convert ascii string of odd length"); 866 return NULL; 867 } 868 869 unsigned char* master_key = (unsigned char*) malloc(size / 2); 870 if (master_key == 0) { 871 SLOGE("Cannot allocate"); 872 return NULL; 873 } 874 875 for (i = 0; i < size; i += 2) { 876 int high_nibble = hexdigit (master_key_ascii[i]); 877 int low_nibble = hexdigit (master_key_ascii[i + 1]); 878 879 if(high_nibble < 0 || low_nibble < 0) { 880 SLOGE("Invalid hex string"); 881 free (master_key); 882 return NULL; 883 } 884 885 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 886 (*out_keysize)++; 887 } 888 889 return master_key; 890} 891 892/* Convert a binary key of specified length into an ascii hex string equivalent, 893 * without the leading 0x and with null termination 894 */ 895static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 896 char *master_key_ascii) 897{ 898 unsigned int i, a; 899 unsigned char nibble; 900 901 for (i=0, a=0; i<keysize; i++, a+=2) { 902 /* For each byte, write out two ascii hex digits */ 903 nibble = (master_key[i] >> 4) & 0xf; 904 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 905 906 nibble = master_key[i] & 0xf; 907 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 908 } 909 910 /* Add the null termination */ 911 master_key_ascii[a] = '\0'; 912 913} 914 915static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 916 char *real_blk_name, const char *name, int fd, 917 char *extra_params) 918{ 919 char buffer[DM_CRYPT_BUF_SIZE]; 920 struct dm_ioctl *io; 921 struct dm_target_spec *tgt; 922 char *crypt_params; 923 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 924 int i; 925 926 io = (struct dm_ioctl *) buffer; 927 928 /* Load the mapping table for this device */ 929 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 930 931 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 932 io->target_count = 1; 933 tgt->status = 0; 934 tgt->sector_start = 0; 935 tgt->length = crypt_ftr->fs_size; 936 strcpy(tgt->target_type, "crypt"); 937 938 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 939 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 940 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 941 master_key_ascii, real_blk_name, extra_params); 942 crypt_params += strlen(crypt_params) + 1; 943 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 944 tgt->next = crypt_params - buffer; 945 946 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 947 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 948 break; 949 } 950 usleep(500000); 951 } 952 953 if (i == TABLE_LOAD_RETRIES) { 954 /* We failed to load the table, return an error */ 955 return -1; 956 } else { 957 return i + 1; 958 } 959} 960 961 962static int get_dm_crypt_version(int fd, const char *name, int *version) 963{ 964 char buffer[DM_CRYPT_BUF_SIZE]; 965 struct dm_ioctl *io; 966 struct dm_target_versions *v; 967 int i; 968 969 io = (struct dm_ioctl *) buffer; 970 971 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 972 973 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 974 return -1; 975 } 976 977 /* Iterate over the returned versions, looking for name of "crypt". 978 * When found, get and return the version. 979 */ 980 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 981 while (v->next) { 982 if (! strcmp(v->name, "crypt")) { 983 /* We found the crypt driver, return the version, and get out */ 984 version[0] = v->version[0]; 985 version[1] = v->version[1]; 986 version[2] = v->version[2]; 987 return 0; 988 } 989 v = (struct dm_target_versions *)(((char *)v) + v->next); 990 } 991 992 return -1; 993} 994 995static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 996 char *real_blk_name, char *crypto_blk_name, const char *name) 997{ 998 char buffer[DM_CRYPT_BUF_SIZE]; 999 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1000 char *crypt_params; 1001 struct dm_ioctl *io; 1002 struct dm_target_spec *tgt; 1003 unsigned int minor; 1004 int fd; 1005 int i; 1006 int retval = -1; 1007 int version[3]; 1008 char *extra_params; 1009 int load_count; 1010 1011 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1012 SLOGE("Cannot open device-mapper\n"); 1013 goto errout; 1014 } 1015 1016 io = (struct dm_ioctl *) buffer; 1017 1018 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1019 if (ioctl(fd, DM_DEV_CREATE, io)) { 1020 SLOGE("Cannot create dm-crypt device\n"); 1021 goto errout; 1022 } 1023 1024 /* Get the device status, in particular, the name of it's device file */ 1025 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1026 if (ioctl(fd, DM_DEV_STATUS, io)) { 1027 SLOGE("Cannot retrieve dm-crypt device status\n"); 1028 goto errout; 1029 } 1030 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1031 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1032 1033 extra_params = ""; 1034 if (! get_dm_crypt_version(fd, name, version)) { 1035 /* Support for allow_discards was added in version 1.11.0 */ 1036 if ((version[0] >= 2) || 1037 ((version[0] == 1) && (version[1] >= 11))) { 1038 extra_params = "1 allow_discards"; 1039 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1040 } 1041 } 1042 1043 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1044 fd, extra_params); 1045 if (load_count < 0) { 1046 SLOGE("Cannot load dm-crypt mapping table.\n"); 1047 goto errout; 1048 } else if (load_count > 1) { 1049 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1050 } 1051 1052 /* Resume this device to activate it */ 1053 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1054 1055 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1056 SLOGE("Cannot resume the dm-crypt device\n"); 1057 goto errout; 1058 } 1059 1060 /* We made it here with no errors. Woot! */ 1061 retval = 0; 1062 1063errout: 1064 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1065 1066 return retval; 1067} 1068 1069static int delete_crypto_blk_dev(char *name) 1070{ 1071 int fd; 1072 char buffer[DM_CRYPT_BUF_SIZE]; 1073 struct dm_ioctl *io; 1074 int retval = -1; 1075 1076 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1077 SLOGE("Cannot open device-mapper\n"); 1078 goto errout; 1079 } 1080 1081 io = (struct dm_ioctl *) buffer; 1082 1083 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1084 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1085 SLOGE("Cannot remove dm-crypt device\n"); 1086 goto errout; 1087 } 1088 1089 /* We made it here with no errors. Woot! */ 1090 retval = 0; 1091 1092errout: 1093 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1094 1095 return retval; 1096 1097} 1098 1099static int pbkdf2(const char *passwd, const unsigned char *salt, 1100 unsigned char *ikey, void *params UNUSED) 1101{ 1102 SLOGI("Using pbkdf2 for cryptfs KDF"); 1103 1104 /* Turn the password into a key and IV that can decrypt the master key */ 1105 unsigned int keysize; 1106 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1107 if (!master_key) return -1; 1108 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1109 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1110 1111 memset(master_key, 0, keysize); 1112 free (master_key); 1113 return 0; 1114} 1115 1116static int scrypt(const char *passwd, const unsigned char *salt, 1117 unsigned char *ikey, void *params) 1118{ 1119 SLOGI("Using scrypt for cryptfs KDF"); 1120 1121 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1122 1123 int N = 1 << ftr->N_factor; 1124 int r = 1 << ftr->r_factor; 1125 int p = 1 << ftr->p_factor; 1126 1127 /* Turn the password into a key and IV that can decrypt the master key */ 1128 unsigned int keysize; 1129 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1130 if (!master_key) return -1; 1131 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1132 KEY_LEN_BYTES + IV_LEN_BYTES); 1133 1134 memset(master_key, 0, keysize); 1135 free (master_key); 1136 return 0; 1137} 1138 1139static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1140 unsigned char *ikey, void *params) 1141{ 1142 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1143 1144 int rc; 1145 unsigned int key_size; 1146 size_t signature_size; 1147 unsigned char* signature; 1148 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1149 1150 int N = 1 << ftr->N_factor; 1151 int r = 1 << ftr->r_factor; 1152 int p = 1 << ftr->p_factor; 1153 1154 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1155 if (!master_key) { 1156 SLOGE("Failed to convert passwd from hex"); 1157 return -1; 1158 } 1159 1160 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1161 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1162 memset(master_key, 0, key_size); 1163 free(master_key); 1164 1165 if (rc) { 1166 SLOGE("scrypt failed"); 1167 return -1; 1168 } 1169 1170 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1171 &signature, &signature_size)) { 1172 SLOGE("Signing failed"); 1173 return -1; 1174 } 1175 1176 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1177 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1178 free(signature); 1179 1180 if (rc) { 1181 SLOGE("scrypt failed"); 1182 return -1; 1183 } 1184 1185 return 0; 1186} 1187 1188static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1189 const unsigned char *decrypted_master_key, 1190 unsigned char *encrypted_master_key, 1191 struct crypt_mnt_ftr *crypt_ftr) 1192{ 1193 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1194 EVP_CIPHER_CTX e_ctx; 1195 int encrypted_len, final_len; 1196 int rc = 0; 1197 1198 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1199 get_device_scrypt_params(crypt_ftr); 1200 1201 switch (crypt_ftr->kdf_type) { 1202 case KDF_SCRYPT_KEYMASTER: 1203 if (keymaster_create_key(crypt_ftr)) { 1204 SLOGE("keymaster_create_key failed"); 1205 return -1; 1206 } 1207 1208 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1209 SLOGE("scrypt failed"); 1210 return -1; 1211 } 1212 break; 1213 1214 case KDF_SCRYPT: 1215 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1216 SLOGE("scrypt failed"); 1217 return -1; 1218 } 1219 break; 1220 1221 default: 1222 SLOGE("Invalid kdf_type"); 1223 return -1; 1224 } 1225 1226 /* Initialize the decryption engine */ 1227 if (! EVP_EncryptInit(&e_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1228 SLOGE("EVP_EncryptInit failed\n"); 1229 return -1; 1230 } 1231 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1232 1233 /* Encrypt the master key */ 1234 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1235 decrypted_master_key, KEY_LEN_BYTES)) { 1236 SLOGE("EVP_EncryptUpdate failed\n"); 1237 return -1; 1238 } 1239 if (! EVP_EncryptFinal(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1240 SLOGE("EVP_EncryptFinal failed\n"); 1241 return -1; 1242 } 1243 1244 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1245 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1246 return -1; 1247 } 1248 1249 /* Store the scrypt of the intermediate key, so we can validate if it's a 1250 password error or mount error when things go wrong. 1251 Note there's no need to check for errors, since if this is incorrect, we 1252 simply won't wipe userdata, which is the correct default behavior 1253 */ 1254 int N = 1 << crypt_ftr->N_factor; 1255 int r = 1 << crypt_ftr->r_factor; 1256 int p = 1 << crypt_ftr->p_factor; 1257 1258 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1259 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1260 crypt_ftr->scrypted_intermediate_key, 1261 sizeof(crypt_ftr->scrypted_intermediate_key)); 1262 1263 if (rc) { 1264 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1265 } 1266 1267 return 0; 1268} 1269 1270static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1271 unsigned char *encrypted_master_key, 1272 unsigned char *decrypted_master_key, 1273 kdf_func kdf, void *kdf_params, 1274 unsigned char** intermediate_key, 1275 size_t* intermediate_key_size) 1276{ 1277 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1278 EVP_CIPHER_CTX d_ctx; 1279 int decrypted_len, final_len; 1280 1281 /* Turn the password into an intermediate key and IV that can decrypt the 1282 master key */ 1283 if (kdf(passwd, salt, ikey, kdf_params)) { 1284 SLOGE("kdf failed"); 1285 return -1; 1286 } 1287 1288 /* Initialize the decryption engine */ 1289 if (! EVP_DecryptInit(&d_ctx, EVP_aes_128_cbc(), ikey, ikey+KEY_LEN_BYTES)) { 1290 return -1; 1291 } 1292 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1293 /* Decrypt the master key */ 1294 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1295 encrypted_master_key, KEY_LEN_BYTES)) { 1296 return -1; 1297 } 1298 if (! EVP_DecryptFinal(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1299 return -1; 1300 } 1301 1302 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1303 return -1; 1304 } 1305 1306 /* Copy intermediate key if needed by params */ 1307 if (intermediate_key && intermediate_key_size) { 1308 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1309 if (intermediate_key) { 1310 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1311 *intermediate_key_size = KEY_LEN_BYTES; 1312 } 1313 } 1314 1315 return 0; 1316} 1317 1318static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1319{ 1320 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1321 *kdf = scrypt_keymaster; 1322 *kdf_params = ftr; 1323 } else if (ftr->kdf_type == KDF_SCRYPT) { 1324 *kdf = scrypt; 1325 *kdf_params = ftr; 1326 } else { 1327 *kdf = pbkdf2; 1328 *kdf_params = NULL; 1329 } 1330} 1331 1332static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1333 struct crypt_mnt_ftr *crypt_ftr, 1334 unsigned char** intermediate_key, 1335 size_t* intermediate_key_size) 1336{ 1337 kdf_func kdf; 1338 void *kdf_params; 1339 int ret; 1340 1341 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1342 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1343 decrypted_master_key, kdf, kdf_params, 1344 intermediate_key, intermediate_key_size); 1345 if (ret != 0) { 1346 SLOGW("failure decrypting master key"); 1347 } 1348 1349 return ret; 1350} 1351 1352static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1353 struct crypt_mnt_ftr *crypt_ftr) { 1354 int fd; 1355 unsigned char key_buf[KEY_LEN_BYTES]; 1356 EVP_CIPHER_CTX e_ctx; 1357 int encrypted_len, final_len; 1358 1359 /* Get some random bits for a key */ 1360 fd = open("/dev/urandom", O_RDONLY); 1361 read(fd, key_buf, sizeof(key_buf)); 1362 read(fd, salt, SALT_LEN); 1363 close(fd); 1364 1365 /* Now encrypt it with the password */ 1366 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1367} 1368 1369static int wait_and_unmount(char *mountpoint) 1370{ 1371 int i, rc; 1372#define WAIT_UNMOUNT_COUNT 20 1373 1374 /* Now umount the tmpfs filesystem */ 1375 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1376 if (umount(mountpoint)) { 1377 if (errno == EINVAL) { 1378 /* EINVAL is returned if the directory is not a mountpoint, 1379 * i.e. there is no filesystem mounted there. So just get out. 1380 */ 1381 break; 1382 } 1383 sleep(1); 1384 i++; 1385 } else { 1386 break; 1387 } 1388 } 1389 1390 if (i < WAIT_UNMOUNT_COUNT) { 1391 SLOGD("unmounting %s succeeded\n", mountpoint); 1392 rc = 0; 1393 } else { 1394 SLOGE("unmounting %s failed\n", mountpoint); 1395 rc = -1; 1396 } 1397 1398 return rc; 1399} 1400 1401#define DATA_PREP_TIMEOUT 200 1402static int prep_data_fs(void) 1403{ 1404 int i; 1405 1406 /* Do the prep of the /data filesystem */ 1407 property_set("vold.post_fs_data_done", "0"); 1408 property_set("vold.decrypt", "trigger_post_fs_data"); 1409 SLOGD("Just triggered post_fs_data\n"); 1410 1411 /* Wait a max of 50 seconds, hopefully it takes much less */ 1412 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1413 char p[PROPERTY_VALUE_MAX]; 1414 1415 property_get("vold.post_fs_data_done", p, "0"); 1416 if (*p == '1') { 1417 break; 1418 } else { 1419 usleep(250000); 1420 } 1421 } 1422 if (i == DATA_PREP_TIMEOUT) { 1423 /* Ugh, we failed to prep /data in time. Bail. */ 1424 SLOGE("post_fs_data timed out!\n"); 1425 return -1; 1426 } else { 1427 SLOGD("post_fs_data done\n"); 1428 return 0; 1429 } 1430} 1431 1432static int cryptfs_restart_internal(int restart_main) 1433{ 1434 char fs_type[32]; 1435 char real_blkdev[MAXPATHLEN]; 1436 char crypto_blkdev[MAXPATHLEN]; 1437 char fs_options[256]; 1438 unsigned long mnt_flags; 1439 struct stat statbuf; 1440 int rc = -1, i; 1441 static int restart_successful = 0; 1442 1443 /* Validate that it's OK to call this routine */ 1444 if (! master_key_saved) { 1445 SLOGE("Encrypted filesystem not validated, aborting"); 1446 return -1; 1447 } 1448 1449 if (restart_successful) { 1450 SLOGE("System already restarted with encrypted disk, aborting"); 1451 return -1; 1452 } 1453 1454 if (restart_main) { 1455 /* Here is where we shut down the framework. The init scripts 1456 * start all services in one of three classes: core, main or late_start. 1457 * On boot, we start core and main. Now, we stop main, but not core, 1458 * as core includes vold and a few other really important things that 1459 * we need to keep running. Once main has stopped, we should be able 1460 * to umount the tmpfs /data, then mount the encrypted /data. 1461 * We then restart the class main, and also the class late_start. 1462 * At the moment, I've only put a few things in late_start that I know 1463 * are not needed to bring up the framework, and that also cause problems 1464 * with unmounting the tmpfs /data, but I hope to add add more services 1465 * to the late_start class as we optimize this to decrease the delay 1466 * till the user is asked for the password to the filesystem. 1467 */ 1468 1469 /* The init files are setup to stop the class main when vold.decrypt is 1470 * set to trigger_reset_main. 1471 */ 1472 property_set("vold.decrypt", "trigger_reset_main"); 1473 SLOGD("Just asked init to shut down class main\n"); 1474 1475 /* Ugh, shutting down the framework is not synchronous, so until it 1476 * can be fixed, this horrible hack will wait a moment for it all to 1477 * shut down before proceeding. Without it, some devices cannot 1478 * restart the graphics services. 1479 */ 1480 sleep(2); 1481 } 1482 1483 /* Now that the framework is shutdown, we should be able to umount() 1484 * the tmpfs filesystem, and mount the real one. 1485 */ 1486 1487 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1488 if (strlen(crypto_blkdev) == 0) { 1489 SLOGE("fs_crypto_blkdev not set\n"); 1490 return -1; 1491 } 1492 1493 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) { 1494 /* If ro.crypto.readonly is set to 1, mount the decrypted 1495 * filesystem readonly. This is used when /data is mounted by 1496 * recovery mode. 1497 */ 1498 char ro_prop[PROPERTY_VALUE_MAX]; 1499 property_get("ro.crypto.readonly", ro_prop, ""); 1500 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1501 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1502 rec->flags |= MS_RDONLY; 1503 } 1504 1505 /* If that succeeded, then mount the decrypted filesystem */ 1506 fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, 0); 1507 1508 property_set("vold.decrypt", "trigger_load_persist_props"); 1509 /* Create necessary paths on /data */ 1510 if (prep_data_fs()) { 1511 return -1; 1512 } 1513 1514 /* startup service classes main and late_start */ 1515 property_set("vold.decrypt", "trigger_restart_framework"); 1516 SLOGD("Just triggered restart_framework\n"); 1517 1518 /* Give it a few moments to get started */ 1519 sleep(1); 1520 } 1521 1522 if (rc == 0) { 1523 restart_successful = 1; 1524 } 1525 1526 return rc; 1527} 1528 1529int cryptfs_restart(void) 1530{ 1531 /* Call internal implementation forcing a restart of main service group */ 1532 return cryptfs_restart_internal(1); 1533} 1534 1535static int do_crypto_complete(char *mount_point UNUSED) 1536{ 1537 struct crypt_mnt_ftr crypt_ftr; 1538 char encrypted_state[PROPERTY_VALUE_MAX]; 1539 char key_loc[PROPERTY_VALUE_MAX]; 1540 1541 property_get("ro.crypto.state", encrypted_state, ""); 1542 if (strcmp(encrypted_state, "encrypted") ) { 1543 SLOGE("not running with encryption, aborting"); 1544 return 1; 1545 } 1546 1547 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1548 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1549 1550 /* 1551 * Only report this error if key_loc is a file and it exists. 1552 * If the device was never encrypted, and /data is not mountable for 1553 * some reason, returning 1 should prevent the UI from presenting the 1554 * a "enter password" screen, or worse, a "press button to wipe the 1555 * device" screen. 1556 */ 1557 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1558 SLOGE("master key file does not exist, aborting"); 1559 return 1; 1560 } else { 1561 SLOGE("Error getting crypt footer and key\n"); 1562 return -1; 1563 } 1564 } 1565 1566 if (crypt_ftr.flags 1567 & (CRYPT_ENCRYPTION_IN_PROGRESS | CRYPT_INCONSISTENT_STATE)) { 1568 SLOGE("Encryption process didn't finish successfully\n"); 1569 return -2; /* -2 is the clue to the UI that there is no usable data on the disk, 1570 * and give the user an option to wipe the disk */ 1571 } 1572 1573 /* We passed the test! We shall diminish, and return to the west */ 1574 return 0; 1575} 1576 1577static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1578 char *passwd, char *mount_point, char *label) 1579{ 1580 /* Allocate enough space for a 256 bit key, but we may use less */ 1581 unsigned char decrypted_master_key[32]; 1582 char crypto_blkdev[MAXPATHLEN]; 1583 char real_blkdev[MAXPATHLEN]; 1584 char tmp_mount_point[64]; 1585 unsigned int orig_failed_decrypt_count; 1586 int rc; 1587 kdf_func kdf; 1588 void *kdf_params; 1589 int use_keymaster = 0; 1590 int upgrade = 0; 1591 unsigned char* intermediate_key = 0; 1592 size_t intermediate_key_size = 0; 1593 1594 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1595 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1596 1597 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1598 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1599 &intermediate_key, &intermediate_key_size)) { 1600 SLOGE("Failed to decrypt master key\n"); 1601 rc = -1; 1602 goto errout; 1603 } 1604 } 1605 1606 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1607 1608 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1609 real_blkdev, crypto_blkdev, label)) { 1610 SLOGE("Error creating decrypted block device\n"); 1611 rc = -1; 1612 goto errout; 1613 } 1614 1615 /* If init detects an encrypted filesystem, it writes a file for each such 1616 * encrypted fs into the tmpfs /data filesystem, and then the framework finds those 1617 * files and passes that data to me */ 1618 /* Create a tmp mount point to try mounting the decryptd fs 1619 * Since we're here, the mount_point should be a tmpfs filesystem, so make 1620 * a directory in it to test mount the decrypted filesystem. 1621 */ 1622 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1623 mkdir(tmp_mount_point, 0755); 1624 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1625 SLOGE("Error temp mounting decrypted block device\n"); 1626 delete_crypto_blk_dev(label); 1627 1628 /* Work out if the problem is the password or the data */ 1629 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1630 scrypted_intermediate_key)]; 1631 int N = 1 << crypt_ftr->N_factor; 1632 int r = 1 << crypt_ftr->r_factor; 1633 int p = 1 << crypt_ftr->p_factor; 1634 1635 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1636 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1637 N, r, p, scrypted_intermediate_key, 1638 sizeof(scrypted_intermediate_key)); 1639 if (rc == 0 && memcmp(scrypted_intermediate_key, 1640 crypt_ftr->scrypted_intermediate_key, 1641 sizeof(scrypted_intermediate_key)) == 0) { 1642 SLOGE("Right password, so wipe"); 1643 rc = -1; 1644 } else { 1645 SLOGE(rc ? "scrypt failure, so allow retry" : 1646 "Wrong password, so allow retry"); 1647 rc = ++crypt_ftr->failed_decrypt_count; 1648 put_crypt_ftr_and_key(crypt_ftr); 1649 } 1650 } else { 1651 /* Success! 1652 * umount and we'll mount it properly when we restart the framework. 1653 */ 1654 umount(tmp_mount_point); 1655 crypt_ftr->failed_decrypt_count = 0; 1656 1657 /* Save the name of the crypto block device 1658 * so we can mount it when restarting the framework. 1659 */ 1660 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1661 1662 /* Also save a the master key so we can reencrypted the key 1663 * the key when we want to change the password on it. 1664 */ 1665 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1666 saved_mount_point = strdup(mount_point); 1667 master_key_saved = 1; 1668 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1669 rc = 0; 1670 1671 /* 1672 * Upgrade if we're not using the latest KDF. 1673 */ 1674 use_keymaster = keymaster_check_compatibility(); 1675 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1676 // Don't allow downgrade to KDF_SCRYPT 1677 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1678 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1679 upgrade = 1; 1680 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1681 crypt_ftr->kdf_type = KDF_SCRYPT; 1682 upgrade = 1; 1683 } 1684 1685 if (upgrade) { 1686 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1687 crypt_ftr->master_key, crypt_ftr); 1688 if (!rc) { 1689 rc = put_crypt_ftr_and_key(crypt_ftr); 1690 } 1691 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1692 } 1693 } 1694 1695 errout: 1696 if (intermediate_key) { 1697 memset(intermediate_key, 0, intermediate_key_size); 1698 free(intermediate_key); 1699 } 1700 return rc; 1701} 1702 1703/* Called by vold when it wants to undo the crypto mapping of a volume it 1704 * manages. This is usually in response to a factory reset, when we want 1705 * to undo the crypto mapping so the volume is formatted in the clear. 1706 */ 1707int cryptfs_revert_volume(const char *label) 1708{ 1709 return delete_crypto_blk_dev((char *)label); 1710} 1711 1712/* 1713 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1714 * Setup a dm-crypt mapping, use the saved master key from 1715 * setting up the /data mapping, and return the new device path. 1716 */ 1717int cryptfs_setup_volume(const char *label, int major, int minor, 1718 char *crypto_sys_path, unsigned int max_path, 1719 int *new_major, int *new_minor) 1720{ 1721 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1722 struct crypt_mnt_ftr sd_crypt_ftr; 1723 struct stat statbuf; 1724 int nr_sec, fd; 1725 1726 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1727 1728 get_crypt_ftr_and_key(&sd_crypt_ftr); 1729 1730 /* Update the fs_size field to be the size of the volume */ 1731 fd = open(real_blkdev, O_RDONLY); 1732 nr_sec = get_blkdev_size(fd); 1733 close(fd); 1734 if (nr_sec == 0) { 1735 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1736 return -1; 1737 } 1738 1739 sd_crypt_ftr.fs_size = nr_sec; 1740 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1741 crypto_blkdev, label); 1742 1743 stat(crypto_blkdev, &statbuf); 1744 *new_major = MAJOR(statbuf.st_rdev); 1745 *new_minor = MINOR(statbuf.st_rdev); 1746 1747 /* Create path to sys entry for this block device */ 1748 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1749 1750 return 0; 1751} 1752 1753int cryptfs_crypto_complete(void) 1754{ 1755 return do_crypto_complete("/data"); 1756} 1757 1758int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1759{ 1760 char encrypted_state[PROPERTY_VALUE_MAX]; 1761 property_get("ro.crypto.state", encrypted_state, ""); 1762 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1763 SLOGE("encrypted fs already validated or not running with encryption," 1764 " aborting"); 1765 return -1; 1766 } 1767 1768 if (get_crypt_ftr_and_key(crypt_ftr)) { 1769 SLOGE("Error getting crypt footer and key"); 1770 return -1; 1771 } 1772 1773 return 0; 1774} 1775 1776int cryptfs_check_passwd(char *passwd) 1777{ 1778 struct crypt_mnt_ftr crypt_ftr; 1779 int rc; 1780 1781 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1782 if (rc) 1783 return rc; 1784 1785 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1786 DATA_MNT_POINT, "userdata"); 1787 1788 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1789 cryptfs_clear_password(); 1790 password = strdup(passwd); 1791 struct timespec now; 1792 clock_gettime(CLOCK_BOOTTIME, &now); 1793 password_expiry_time = now.tv_sec + password_max_age_seconds; 1794 } 1795 1796 return rc; 1797} 1798 1799int cryptfs_verify_passwd(char *passwd) 1800{ 1801 struct crypt_mnt_ftr crypt_ftr; 1802 /* Allocate enough space for a 256 bit key, but we may use less */ 1803 unsigned char decrypted_master_key[32]; 1804 char encrypted_state[PROPERTY_VALUE_MAX]; 1805 int rc; 1806 1807 property_get("ro.crypto.state", encrypted_state, ""); 1808 if (strcmp(encrypted_state, "encrypted") ) { 1809 SLOGE("device not encrypted, aborting"); 1810 return -2; 1811 } 1812 1813 if (!master_key_saved) { 1814 SLOGE("encrypted fs not yet mounted, aborting"); 1815 return -1; 1816 } 1817 1818 if (!saved_mount_point) { 1819 SLOGE("encrypted fs failed to save mount point, aborting"); 1820 return -1; 1821 } 1822 1823 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1824 SLOGE("Error getting crypt footer and key\n"); 1825 return -1; 1826 } 1827 1828 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 1829 /* If the device has no password, then just say the password is valid */ 1830 rc = 0; 1831 } else { 1832 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 1833 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 1834 /* They match, the password is correct */ 1835 rc = 0; 1836 } else { 1837 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 1838 sleep(1); 1839 rc = 1; 1840 } 1841 } 1842 1843 return rc; 1844} 1845 1846/* Initialize a crypt_mnt_ftr structure. The keysize is 1847 * defaulted to 16 bytes, and the filesystem size to 0. 1848 * Presumably, at a minimum, the caller will update the 1849 * filesystem size and crypto_type_name after calling this function. 1850 */ 1851static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 1852{ 1853 off64_t off; 1854 1855 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 1856 ftr->magic = CRYPT_MNT_MAGIC; 1857 ftr->major_version = CURRENT_MAJOR_VERSION; 1858 ftr->minor_version = CURRENT_MINOR_VERSION; 1859 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 1860 ftr->keysize = KEY_LEN_BYTES; 1861 1862 switch (keymaster_check_compatibility()) { 1863 case 1: 1864 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1865 break; 1866 1867 case 0: 1868 ftr->kdf_type = KDF_SCRYPT; 1869 break; 1870 1871 default: 1872 SLOGE("keymaster_check_compatibility failed"); 1873 return -1; 1874 } 1875 1876 get_device_scrypt_params(ftr); 1877 1878 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 1879 if (get_crypt_ftr_info(NULL, &off) == 0) { 1880 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 1881 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 1882 ftr->persist_data_size; 1883 } 1884 1885 return 0; 1886} 1887 1888static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 1889{ 1890 const char *args[10]; 1891 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 1892 int num_args; 1893 int status; 1894 int tmp; 1895 int rc = -1; 1896 1897 if (type == EXT4_FS) { 1898 args[0] = "/system/bin/make_ext4fs"; 1899 args[1] = "-a"; 1900 args[2] = "/data"; 1901 args[3] = "-l"; 1902 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 1903 args[4] = size_str; 1904 args[5] = crypto_blkdev; 1905 num_args = 6; 1906 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 1907 args[0], args[1], args[2], args[3], args[4], args[5]); 1908 } else if (type == F2FS_FS) { 1909 args[0] = "/system/bin/mkfs.f2fs"; 1910 args[1] = "-t"; 1911 args[2] = "-d1"; 1912 args[3] = crypto_blkdev; 1913 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 1914 args[4] = size_str; 1915 num_args = 5; 1916 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 1917 args[0], args[1], args[2], args[3], args[4]); 1918 } else { 1919 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 1920 return -1; 1921 } 1922 1923 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 1924 1925 if (tmp != 0) { 1926 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 1927 } else { 1928 if (WIFEXITED(status)) { 1929 if (WEXITSTATUS(status)) { 1930 SLOGE("Error creating filesystem on %s, exit status %d ", 1931 crypto_blkdev, WEXITSTATUS(status)); 1932 } else { 1933 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 1934 rc = 0; 1935 } 1936 } else { 1937 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 1938 } 1939 } 1940 1941 return rc; 1942} 1943 1944#define CRYPT_INPLACE_BUFSIZE 4096 1945#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 1946#define CRYPT_SECTOR_SIZE 512 1947 1948/* aligned 32K writes tends to make flash happy. 1949 * SD card association recommends it. 1950 */ 1951#define BLOCKS_AT_A_TIME 8 1952 1953struct encryptGroupsData 1954{ 1955 int realfd; 1956 int cryptofd; 1957 off64_t numblocks; 1958 off64_t one_pct, cur_pct, new_pct; 1959 off64_t blocks_already_done, tot_numblocks; 1960 off64_t used_blocks_already_done, tot_used_blocks; 1961 char* real_blkdev, * crypto_blkdev; 1962 int count; 1963 off64_t offset; 1964 char* buffer; 1965 off64_t last_written_sector; 1966 int completed; 1967 time_t time_started; 1968 int remaining_time; 1969}; 1970 1971static void update_progress(struct encryptGroupsData* data, int is_used) 1972{ 1973 data->blocks_already_done++; 1974 1975 if (is_used) { 1976 data->used_blocks_already_done++; 1977 } 1978 if (data->tot_used_blocks) { 1979 data->new_pct = data->used_blocks_already_done / data->one_pct; 1980 } else { 1981 data->new_pct = data->blocks_already_done / data->one_pct; 1982 } 1983 1984 if (data->new_pct > data->cur_pct) { 1985 char buf[8]; 1986 data->cur_pct = data->new_pct; 1987 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 1988 property_set("vold.encrypt_progress", buf); 1989 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct); 1990 } 1991 1992 if (data->cur_pct >= 5) { 1993 double elapsed_time = difftime(time(NULL), data->time_started); 1994 off64_t remaining_blocks = data->tot_used_blocks 1995 - data->used_blocks_already_done; 1996 int remaining_time = (int)(elapsed_time * remaining_blocks 1997 / data->used_blocks_already_done); 1998 1999 // Change time only if not yet set, lower, or a lot higher for 2000 // best user experience 2001 if (data->remaining_time == -1 2002 || remaining_time < data->remaining_time 2003 || remaining_time > data->remaining_time + 60) { 2004 char buf[8]; 2005 snprintf(buf, sizeof(buf), "%d", remaining_time); 2006 property_set("vold.encrypt_time_remaining", buf); 2007 2008 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go", 2009 data->cur_pct, remaining_time); 2010 data->remaining_time = remaining_time; 2011 } 2012 } 2013} 2014 2015static int flush_outstanding_data(struct encryptGroupsData* data) 2016{ 2017 if (data->count == 0) { 2018 return 0; 2019 } 2020 2021 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2022 2023 if (pread64(data->realfd, data->buffer, 2024 info.block_size * data->count, data->offset) 2025 <= 0) { 2026 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2027 data->real_blkdev); 2028 return -1; 2029 } 2030 2031 if (pwrite64(data->cryptofd, data->buffer, 2032 info.block_size * data->count, data->offset) 2033 <= 0) { 2034 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2035 data->crypto_blkdev); 2036 return -1; 2037 } else { 2038 SLOGI("Encrypted %d blocks at sector %" PRId64, 2039 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2040 } 2041 2042 data->count = 0; 2043 data->last_written_sector = (data->offset + data->count) 2044 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2045 return 0; 2046} 2047 2048static int encrypt_groups(struct encryptGroupsData* data) 2049{ 2050 unsigned int i; 2051 u8 *block_bitmap = 0; 2052 unsigned int block; 2053 off64_t ret; 2054 int rc = -1; 2055 2056 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2057 if (!data->buffer) { 2058 SLOGE("Failed to allocate crypto buffer"); 2059 goto errout; 2060 } 2061 2062 block_bitmap = malloc(info.block_size); 2063 if (!block_bitmap) { 2064 SLOGE("failed to allocate block bitmap"); 2065 goto errout; 2066 } 2067 2068 for (i = 0; i < aux_info.groups; ++i) { 2069 SLOGI("Encrypting group %d", i); 2070 2071 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2072 u32 block_count = min(info.blocks_per_group, 2073 aux_info.len_blocks - first_block); 2074 2075 off64_t offset = (u64)info.block_size 2076 * aux_info.bg_desc[i].bg_block_bitmap; 2077 2078 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2079 if (ret != (int)info.block_size) { 2080 SLOGE("failed to read all of block group bitmap %d", i); 2081 goto errout; 2082 } 2083 2084 offset = (u64)info.block_size * first_block; 2085 2086 data->count = 0; 2087 2088 for (block = 0; block < block_count; block++) { 2089 int used = bitmap_get_bit(block_bitmap, block); 2090 update_progress(data, used); 2091 if (used) { 2092 if (data->count == 0) { 2093 data->offset = offset; 2094 } 2095 data->count++; 2096 } else { 2097 if (flush_outstanding_data(data)) { 2098 goto errout; 2099 } 2100 } 2101 2102 offset += info.block_size; 2103 2104 /* Write data if we are aligned or buffer size reached */ 2105 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2106 || data->count == BLOCKS_AT_A_TIME) { 2107 if (flush_outstanding_data(data)) { 2108 goto errout; 2109 } 2110 } 2111 2112 if (!is_battery_ok_to_continue()) { 2113 SLOGE("Stopping encryption due to low battery"); 2114 rc = 0; 2115 goto errout; 2116 } 2117 2118 } 2119 if (flush_outstanding_data(data)) { 2120 goto errout; 2121 } 2122 } 2123 2124 data->completed = 1; 2125 rc = 0; 2126 2127errout: 2128 free(data->buffer); 2129 free(block_bitmap); 2130 return rc; 2131} 2132 2133static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2134 char *real_blkdev, 2135 off64_t size, 2136 off64_t *size_already_done, 2137 off64_t tot_size, 2138 off64_t previously_encrypted_upto) 2139{ 2140 u32 i; 2141 struct encryptGroupsData data; 2142 int rc = -1; 2143 2144 if (previously_encrypted_upto > *size_already_done) { 2145 SLOGD("Not fast encrypting since resuming part way through"); 2146 return -1; 2147 } 2148 2149 memset(&data, 0, sizeof(data)); 2150 data.real_blkdev = real_blkdev; 2151 data.crypto_blkdev = crypto_blkdev; 2152 2153 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2154 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2155 real_blkdev); 2156 goto errout; 2157 } 2158 2159 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2160 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2161 crypto_blkdev); 2162 goto errout; 2163 } 2164 2165 if (setjmp(setjmp_env)) { 2166 SLOGE("Reading extent caused an exception"); 2167 goto errout; 2168 } 2169 2170 if (read_ext(data.realfd, 0) != 0) { 2171 SLOGE("Failed to read extent"); 2172 goto errout; 2173 } 2174 2175 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2176 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2177 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2178 2179 SLOGI("Encrypting filesystem in place..."); 2180 2181 data.tot_used_blocks = data.numblocks; 2182 for (i = 0; i < aux_info.groups; ++i) { 2183 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2184 } 2185 2186 data.one_pct = data.tot_used_blocks / 100; 2187 data.cur_pct = 0; 2188 data.time_started = time(NULL); 2189 data.remaining_time = -1; 2190 2191 rc = encrypt_groups(&data); 2192 if (rc) { 2193 SLOGE("Error encrypting groups"); 2194 goto errout; 2195 } 2196 2197 *size_already_done += data.completed ? size : data.last_written_sector; 2198 rc = 0; 2199 2200errout: 2201 close(data.realfd); 2202 close(data.cryptofd); 2203 2204 return rc; 2205} 2206 2207static int encrypt_one_block_f2fs(u64 pos, void *data) 2208{ 2209 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2210 2211 priv_dat->blocks_already_done = pos - 1; 2212 update_progress(priv_dat, 1); 2213 2214 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2215 2216 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2217 SLOGE("Error reading real_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2218 return -1; 2219 } 2220 2221 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2222 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2223 return -1; 2224 } else { 2225 SLOGD("Encrypted block %"PRIu64, pos); 2226 } 2227 2228 return 0; 2229} 2230 2231static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2232 char *real_blkdev, 2233 off64_t size, 2234 off64_t *size_already_done, 2235 off64_t tot_size, 2236 off64_t previously_encrypted_upto) 2237{ 2238 u32 i; 2239 struct encryptGroupsData data; 2240 struct f2fs_info *f2fs_info = NULL; 2241 int rc = -1; 2242 if (previously_encrypted_upto > *size_already_done) { 2243 SLOGD("Not fast encrypting since resuming part way through"); 2244 return -1; 2245 } 2246 memset(&data, 0, sizeof(data)); 2247 data.real_blkdev = real_blkdev; 2248 data.crypto_blkdev = crypto_blkdev; 2249 data.realfd = -1; 2250 data.cryptofd = -1; 2251 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2252 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2253 real_blkdev); 2254 goto errout; 2255 } 2256 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2257 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2258 crypto_blkdev); 2259 goto errout; 2260 } 2261 2262 f2fs_info = generate_f2fs_info(data.realfd); 2263 if (!f2fs_info) 2264 goto errout; 2265 2266 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2267 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2268 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2269 2270 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2271 2272 data.one_pct = data.tot_used_blocks / 100; 2273 data.cur_pct = 0; 2274 data.time_started = time(NULL); 2275 data.remaining_time = -1; 2276 2277 data.buffer = malloc(f2fs_info->block_size); 2278 if (!data.buffer) { 2279 SLOGE("Failed to allocate crypto buffer"); 2280 goto errout; 2281 } 2282 2283 data.count = 0; 2284 2285 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2286 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2287 2288 if (rc) { 2289 SLOGE("Error in running over blocks"); 2290 goto errout; 2291 } 2292 2293 *size_already_done += size; 2294 rc = 0; 2295 2296errout: 2297 if (rc) 2298 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2299 2300 free(f2fs_info); 2301 free(data.buffer); 2302 close(data.realfd); 2303 close(data.cryptofd); 2304 2305 return rc; 2306} 2307 2308static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2309 off64_t size, off64_t *size_already_done, 2310 off64_t tot_size, 2311 off64_t previously_encrypted_upto) 2312{ 2313 int realfd, cryptofd; 2314 char *buf[CRYPT_INPLACE_BUFSIZE]; 2315 int rc = -1; 2316 off64_t numblocks, i, remainder; 2317 off64_t one_pct, cur_pct, new_pct; 2318 off64_t blocks_already_done, tot_numblocks; 2319 2320 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2321 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2322 return -1; 2323 } 2324 2325 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2326 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev); 2327 close(realfd); 2328 return -1; 2329 } 2330 2331 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2332 * The size passed in is the number of 512 byte sectors in the filesystem. 2333 * So compute the number of whole 4K blocks we should read/write, 2334 * and the remainder. 2335 */ 2336 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2337 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2338 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2339 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2340 2341 SLOGE("Encrypting filesystem in place..."); 2342 2343 i = previously_encrypted_upto + 1 - *size_already_done; 2344 2345 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2346 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2347 goto errout; 2348 } 2349 2350 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2351 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2352 goto errout; 2353 } 2354 2355 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2356 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2357 SLOGE("Error reading initial sectors from real_blkdev %s for " 2358 "inplace encrypt\n", crypto_blkdev); 2359 goto errout; 2360 } 2361 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2362 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2363 "inplace encrypt\n", crypto_blkdev); 2364 goto errout; 2365 } else { 2366 SLOGI("Encrypted 1 block at %" PRId64, i); 2367 } 2368 } 2369 2370 one_pct = tot_numblocks / 100; 2371 cur_pct = 0; 2372 /* process the majority of the filesystem in blocks */ 2373 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2374 new_pct = (i + blocks_already_done) / one_pct; 2375 if (new_pct > cur_pct) { 2376 char buf[8]; 2377 2378 cur_pct = new_pct; 2379 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2380 property_set("vold.encrypt_progress", buf); 2381 } 2382 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2383 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2384 goto errout; 2385 } 2386 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2387 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2388 goto errout; 2389 } else { 2390 SLOGD("Encrypted %d block at %" PRId64, 2391 CRYPT_SECTORS_PER_BUFSIZE, 2392 i * CRYPT_SECTORS_PER_BUFSIZE); 2393 } 2394 2395 if (!is_battery_ok_to_continue()) { 2396 SLOGE("Stopping encryption due to low battery"); 2397 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2398 rc = 0; 2399 goto errout; 2400 } 2401 } 2402 2403 /* Do any remaining sectors */ 2404 for (i=0; i<remainder; i++) { 2405 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2406 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2407 goto errout; 2408 } 2409 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2410 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2411 goto errout; 2412 } else { 2413 SLOGI("Encrypted 1 block at next location"); 2414 } 2415 } 2416 2417 *size_already_done += size; 2418 rc = 0; 2419 2420errout: 2421 close(realfd); 2422 close(cryptofd); 2423 2424 return rc; 2425} 2426 2427static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2428 off64_t size, off64_t *size_already_done, 2429 off64_t tot_size, 2430 off64_t previously_encrypted_upto) 2431{ 2432 if (previously_encrypted_upto) { 2433 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2434 } 2435 2436 if (*size_already_done + size < previously_encrypted_upto) { 2437 *size_already_done += size; 2438 return 0; 2439 } 2440 2441 /* TODO: identify filesystem type. 2442 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2443 * then we will drop down to cryptfs_enable_inplace_f2fs. 2444 * */ 2445 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2446 size, size_already_done, 2447 tot_size, previously_encrypted_upto) == 0) { 2448 return 0; 2449 } 2450 2451 if (cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2452 size, size_already_done, 2453 tot_size, previously_encrypted_upto) == 0) { 2454 return 0; 2455 } 2456 2457 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2458 size, size_already_done, tot_size, 2459 previously_encrypted_upto); 2460} 2461 2462#define CRYPTO_ENABLE_WIPE 1 2463#define CRYPTO_ENABLE_INPLACE 2 2464 2465#define FRAMEWORK_BOOT_WAIT 60 2466 2467static inline int should_encrypt(struct volume_info *volume) 2468{ 2469 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2470 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2471} 2472 2473static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2474{ 2475 int fd = open(filename, O_RDONLY); 2476 if (fd == -1) { 2477 SLOGE("Error opening file %s", filename); 2478 return -1; 2479 } 2480 2481 char block[CRYPT_INPLACE_BUFSIZE]; 2482 memset(block, 0, sizeof(block)); 2483 if (unix_read(fd, block, sizeof(block)) < 0) { 2484 SLOGE("Error reading file %s", filename); 2485 close(fd); 2486 return -1; 2487 } 2488 2489 close(fd); 2490 2491 SHA256_CTX c; 2492 SHA256_Init(&c); 2493 SHA256_Update(&c, block, sizeof(block)); 2494 SHA256_Final(buf, &c); 2495 2496 return 0; 2497} 2498 2499static int get_fs_type(struct fstab_rec *rec) 2500{ 2501 if (!strcmp(rec->fs_type, "ext4")) { 2502 return EXT4_FS; 2503 } else if (!strcmp(rec->fs_type, "f2fs")) { 2504 return F2FS_FS; 2505 } else { 2506 return -1; 2507 } 2508} 2509 2510static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2511 char *crypto_blkdev, char *real_blkdev, 2512 int previously_encrypted_upto) 2513{ 2514 off64_t cur_encryption_done=0, tot_encryption_size=0; 2515 int i, rc = -1; 2516 2517 if (!is_battery_ok_to_start()) { 2518 SLOGW("Not starting encryption due to low battery"); 2519 return 0; 2520 } 2521 2522 /* The size of the userdata partition, and add in the vold volumes below */ 2523 tot_encryption_size = crypt_ftr->fs_size; 2524 2525 if (how == CRYPTO_ENABLE_WIPE) { 2526 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2527 int fs_type = get_fs_type(rec); 2528 if (fs_type < 0) { 2529 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2530 return -1; 2531 } 2532 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2533 } else if (how == CRYPTO_ENABLE_INPLACE) { 2534 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2535 crypt_ftr->fs_size, &cur_encryption_done, 2536 tot_encryption_size, 2537 previously_encrypted_upto); 2538 2539 if (!rc) { 2540 crypt_ftr->encrypted_upto = cur_encryption_done; 2541 } 2542 2543 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2544 /* The inplace routine never actually sets the progress to 100% due 2545 * to the round down nature of integer division, so set it here */ 2546 property_set("vold.encrypt_progress", "100"); 2547 } 2548 } else { 2549 /* Shouldn't happen */ 2550 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2551 rc = -1; 2552 } 2553 2554 return rc; 2555} 2556 2557int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2558 int allow_reboot) 2559{ 2560 int how = 0; 2561 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2562 unsigned long nr_sec; 2563 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2564 int rc=-1, fd, i, ret; 2565 struct crypt_mnt_ftr crypt_ftr; 2566 struct crypt_persist_data *pdata; 2567 char encrypted_state[PROPERTY_VALUE_MAX]; 2568 char lockid[32] = { 0 }; 2569 char key_loc[PROPERTY_VALUE_MAX]; 2570 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2571 char *sd_mnt_point; 2572 int num_vols; 2573 struct volume_info *vol_list = 0; 2574 off64_t previously_encrypted_upto = 0; 2575 2576 if (!strcmp(howarg, "wipe")) { 2577 how = CRYPTO_ENABLE_WIPE; 2578 } else if (! strcmp(howarg, "inplace")) { 2579 how = CRYPTO_ENABLE_INPLACE; 2580 } else { 2581 /* Shouldn't happen, as CommandListener vets the args */ 2582 goto error_unencrypted; 2583 } 2584 2585 /* See if an encryption was underway and interrupted */ 2586 if (how == CRYPTO_ENABLE_INPLACE 2587 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2588 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2589 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2590 crypt_ftr.encrypted_upto = 0; 2591 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2592 2593 /* At this point, we are in an inconsistent state. Until we successfully 2594 complete encryption, a reboot will leave us broken. So mark the 2595 encryption failed in case that happens. 2596 On successfully completing encryption, remove this flag */ 2597 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2598 2599 put_crypt_ftr_and_key(&crypt_ftr); 2600 } 2601 2602 property_get("ro.crypto.state", encrypted_state, ""); 2603 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2604 SLOGE("Device is already running encrypted, aborting"); 2605 goto error_unencrypted; 2606 } 2607 2608 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2609 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2610 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2611 2612 /* Get the size of the real block device */ 2613 fd = open(real_blkdev, O_RDONLY); 2614 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2615 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2616 goto error_unencrypted; 2617 } 2618 close(fd); 2619 2620 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2621 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2622 unsigned int fs_size_sec, max_fs_size_sec; 2623 fs_size_sec = get_fs_size(real_blkdev); 2624 if (fs_size_sec == 0) 2625 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2626 2627 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2628 2629 if (fs_size_sec > max_fs_size_sec) { 2630 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2631 goto error_unencrypted; 2632 } 2633 } 2634 2635 /* Get a wakelock as this may take a while, and we don't want the 2636 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2637 * wants to keep the screen on, it can grab a full wakelock. 2638 */ 2639 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2640 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2641 2642 /* Get the sdcard mount point */ 2643 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2644 if (!sd_mnt_point) { 2645 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2646 } 2647 if (!sd_mnt_point) { 2648 sd_mnt_point = "/mnt/sdcard"; 2649 } 2650 2651 /* TODO 2652 * Currently do not have test devices with multiple encryptable volumes. 2653 * When we acquire some, re-add support. 2654 */ 2655 num_vols=vold_getNumDirectVolumes(); 2656 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2657 vold_getDirectVolumeList(vol_list); 2658 2659 for (i=0; i<num_vols; i++) { 2660 if (should_encrypt(&vol_list[i])) { 2661 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2662 "%s\n", vol_list[i].label); 2663 goto error_unencrypted; 2664 } 2665 } 2666 2667 /* The init files are setup to stop the class main and late start when 2668 * vold sets trigger_shutdown_framework. 2669 */ 2670 property_set("vold.decrypt", "trigger_shutdown_framework"); 2671 SLOGD("Just asked init to shut down class main\n"); 2672 2673 if (vold_unmountAllAsecs()) { 2674 /* Just report the error. If any are left mounted, 2675 * umounting /data below will fail and handle the error. 2676 */ 2677 SLOGE("Error unmounting internal asecs"); 2678 } 2679 2680 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 2681 if (!strcmp(fuse_sdcard, "true")) { 2682 /* This is a device using the fuse layer to emulate the sdcard semantics 2683 * on top of the userdata partition. vold does not manage it, it is managed 2684 * by the sdcard service. The sdcard service was killed by the property trigger 2685 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 2686 * unlike the case for vold managed devices above. 2687 */ 2688 if (wait_and_unmount(sd_mnt_point)) { 2689 goto error_shutting_down; 2690 } 2691 } 2692 2693 /* Now unmount the /data partition. */ 2694 if (wait_and_unmount(DATA_MNT_POINT)) { 2695 if (allow_reboot) { 2696 goto error_shutting_down; 2697 } else { 2698 goto error_unencrypted; 2699 } 2700 } 2701 2702 /* Do extra work for a better UX when doing the long inplace encryption */ 2703 if (how == CRYPTO_ENABLE_INPLACE) { 2704 /* Now that /data is unmounted, we need to mount a tmpfs 2705 * /data, set a property saying we're doing inplace encryption, 2706 * and restart the framework. 2707 */ 2708 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2709 goto error_shutting_down; 2710 } 2711 /* Tells the framework that inplace encryption is starting */ 2712 property_set("vold.encrypt_progress", "0"); 2713 2714 /* restart the framework. */ 2715 /* Create necessary paths on /data */ 2716 if (prep_data_fs()) { 2717 goto error_shutting_down; 2718 } 2719 2720 /* Ugh, shutting down the framework is not synchronous, so until it 2721 * can be fixed, this horrible hack will wait a moment for it all to 2722 * shut down before proceeding. Without it, some devices cannot 2723 * restart the graphics services. 2724 */ 2725 sleep(2); 2726 2727 /* startup service classes main and late_start */ 2728 property_set("vold.decrypt", "trigger_restart_min_framework"); 2729 SLOGD("Just triggered restart_min_framework\n"); 2730 2731 /* OK, the framework is restarted and will soon be showing a 2732 * progress bar. Time to setup an encrypted mapping, and 2733 * either write a new filesystem, or encrypt in place updating 2734 * the progress bar as we work. 2735 */ 2736 } 2737 2738 /* Start the actual work of making an encrypted filesystem */ 2739 /* Initialize a crypt_mnt_ftr for the partition */ 2740 if (previously_encrypted_upto == 0) { 2741 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2742 goto error_shutting_down; 2743 } 2744 2745 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2746 crypt_ftr.fs_size = nr_sec 2747 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2748 } else { 2749 crypt_ftr.fs_size = nr_sec; 2750 } 2751 /* At this point, we are in an inconsistent state. Until we successfully 2752 complete encryption, a reboot will leave us broken. So mark the 2753 encryption failed in case that happens. 2754 On successfully completing encryption, remove this flag */ 2755 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2756 crypt_ftr.crypt_type = crypt_type; 2757 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 2758 2759 /* Make an encrypted master key */ 2760 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2761 SLOGE("Cannot create encrypted master key\n"); 2762 goto error_shutting_down; 2763 } 2764 2765 /* Write the key to the end of the partition */ 2766 put_crypt_ftr_and_key(&crypt_ftr); 2767 2768 /* If any persistent data has been remembered, save it. 2769 * If none, create a valid empty table and save that. 2770 */ 2771 if (!persist_data) { 2772 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 2773 if (pdata) { 2774 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2775 persist_data = pdata; 2776 } 2777 } 2778 if (persist_data) { 2779 save_persistent_data(); 2780 } 2781 } 2782 2783 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2784 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2785 "userdata"); 2786 2787 /* If we are continuing, check checksums match */ 2788 rc = 0; 2789 if (previously_encrypted_upto) { 2790 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2791 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2792 2793 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2794 sizeof(hash_first_block)) != 0) { 2795 SLOGE("Checksums do not match - trigger wipe"); 2796 rc = -1; 2797 } 2798 } 2799 2800 if (!rc) { 2801 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 2802 crypto_blkdev, real_blkdev, 2803 previously_encrypted_upto); 2804 } 2805 2806 /* Calculate checksum if we are not finished */ 2807 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2808 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2809 crypt_ftr.hash_first_block); 2810 if (rc) { 2811 SLOGE("Error calculating checksum for continuing encryption"); 2812 rc = -1; 2813 } 2814 } 2815 2816 /* Undo the dm-crypt mapping whether we succeed or not */ 2817 delete_crypto_blk_dev("userdata"); 2818 2819 free(vol_list); 2820 2821 if (! rc) { 2822 /* Success */ 2823 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2824 2825 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2826 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2827 crypt_ftr.encrypted_upto); 2828 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2829 } 2830 2831 put_crypt_ftr_and_key(&crypt_ftr); 2832 2833 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2834 char value[PROPERTY_VALUE_MAX]; 2835 property_get("ro.crypto.state", value, ""); 2836 if (!strcmp(value, "")) { 2837 /* default encryption - continue first boot sequence */ 2838 property_set("ro.crypto.state", "encrypted"); 2839 release_wake_lock(lockid); 2840 cryptfs_check_passwd(DEFAULT_PASSWORD); 2841 cryptfs_restart_internal(1); 2842 return 0; 2843 } else { 2844 sleep(2); /* Give the UI a chance to show 100% progress */ 2845 cryptfs_reboot(reboot); 2846 } 2847 } else { 2848 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2849 cryptfs_reboot(shutdown); 2850 } 2851 } else { 2852 char value[PROPERTY_VALUE_MAX]; 2853 2854 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2855 if (!strcmp(value, "1")) { 2856 /* wipe data if encryption failed */ 2857 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2858 mkdir("/cache/recovery", 0700); 2859 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 2860 if (fd >= 0) { 2861 write(fd, "--wipe_data", strlen("--wipe_data") + 1); 2862 close(fd); 2863 } else { 2864 SLOGE("could not open /cache/recovery/command\n"); 2865 } 2866 cryptfs_reboot(recovery); 2867 } else { 2868 /* set property to trigger dialog */ 2869 property_set("vold.encrypt_progress", "error_partially_encrypted"); 2870 release_wake_lock(lockid); 2871 } 2872 return -1; 2873 } 2874 2875 /* hrm, the encrypt step claims success, but the reboot failed. 2876 * This should not happen. 2877 * Set the property and return. Hope the framework can deal with it. 2878 */ 2879 property_set("vold.encrypt_progress", "error_reboot_failed"); 2880 release_wake_lock(lockid); 2881 return rc; 2882 2883error_unencrypted: 2884 free(vol_list); 2885 property_set("vold.encrypt_progress", "error_not_encrypted"); 2886 if (lockid[0]) { 2887 release_wake_lock(lockid); 2888 } 2889 return -1; 2890 2891error_shutting_down: 2892 /* we failed, and have not encrypted anthing, so the users's data is still intact, 2893 * but the framework is stopped and not restarted to show the error, so it's up to 2894 * vold to restart the system. 2895 */ 2896 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 2897 cryptfs_reboot(reboot); 2898 2899 /* shouldn't get here */ 2900 property_set("vold.encrypt_progress", "error_shutting_down"); 2901 free(vol_list); 2902 if (lockid[0]) { 2903 release_wake_lock(lockid); 2904 } 2905 return -1; 2906} 2907 2908int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 2909{ 2910 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 2911} 2912 2913int cryptfs_enable_default(char *howarg, int allow_reboot) 2914{ 2915 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 2916 DEFAULT_PASSWORD, allow_reboot); 2917} 2918 2919int cryptfs_changepw(int crypt_type, const char *newpw) 2920{ 2921 struct crypt_mnt_ftr crypt_ftr; 2922 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2923 2924 /* This is only allowed after we've successfully decrypted the master key */ 2925 if (!master_key_saved) { 2926 SLOGE("Key not saved, aborting"); 2927 return -1; 2928 } 2929 2930 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 2931 SLOGE("Invalid crypt_type %d", crypt_type); 2932 return -1; 2933 } 2934 2935 /* get key */ 2936 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2937 SLOGE("Error getting crypt footer and key"); 2938 return -1; 2939 } 2940 2941 crypt_ftr.crypt_type = crypt_type; 2942 2943 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 2944 : newpw, 2945 crypt_ftr.salt, 2946 saved_master_key, 2947 crypt_ftr.master_key, 2948 &crypt_ftr); 2949 2950 /* save the key */ 2951 put_crypt_ftr_and_key(&crypt_ftr); 2952 2953 return 0; 2954} 2955 2956static int persist_get_key(char *fieldname, char *value) 2957{ 2958 unsigned int i; 2959 2960 if (persist_data == NULL) { 2961 return -1; 2962 } 2963 for (i = 0; i < persist_data->persist_valid_entries; i++) { 2964 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 2965 /* We found it! */ 2966 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 2967 return 0; 2968 } 2969 } 2970 2971 return -1; 2972} 2973 2974static int persist_set_key(char *fieldname, char *value, int encrypted) 2975{ 2976 unsigned int i; 2977 unsigned int num; 2978 struct crypt_mnt_ftr crypt_ftr; 2979 unsigned int max_persistent_entries; 2980 unsigned int dsize; 2981 2982 if (persist_data == NULL) { 2983 return -1; 2984 } 2985 2986 /* If encrypted, use the values from the crypt_ftr, otherwise 2987 * use the values for the current spec. 2988 */ 2989 if (encrypted) { 2990 if(get_crypt_ftr_and_key(&crypt_ftr)) { 2991 return -1; 2992 } 2993 dsize = crypt_ftr.persist_data_size; 2994 } else { 2995 dsize = CRYPT_PERSIST_DATA_SIZE; 2996 } 2997 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 2998 sizeof(struct crypt_persist_entry); 2999 3000 num = persist_data->persist_valid_entries; 3001 3002 for (i = 0; i < num; i++) { 3003 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3004 /* We found an existing entry, update it! */ 3005 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3006 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3007 return 0; 3008 } 3009 } 3010 3011 /* We didn't find it, add it to the end, if there is room */ 3012 if (persist_data->persist_valid_entries < max_persistent_entries) { 3013 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3014 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3015 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3016 persist_data->persist_valid_entries++; 3017 return 0; 3018 } 3019 3020 return -1; 3021} 3022 3023/* Return the value of the specified field. */ 3024int cryptfs_getfield(char *fieldname, char *value, int len) 3025{ 3026 char temp_value[PROPERTY_VALUE_MAX]; 3027 char real_blkdev[MAXPATHLEN]; 3028 /* 0 is success, 1 is not encrypted, 3029 * -1 is value not set, -2 is any other error 3030 */ 3031 int rc = -2; 3032 3033 if (persist_data == NULL) { 3034 load_persistent_data(); 3035 if (persist_data == NULL) { 3036 SLOGE("Getfield error, cannot load persistent data"); 3037 goto out; 3038 } 3039 } 3040 3041 if (!persist_get_key(fieldname, temp_value)) { 3042 /* We found it, copy it to the caller's buffer and return */ 3043 strlcpy(value, temp_value, len); 3044 rc = 0; 3045 } else { 3046 /* Sadness, it's not there. Return the error */ 3047 rc = -1; 3048 } 3049 3050out: 3051 return rc; 3052} 3053 3054/* Set the value of the specified field. */ 3055int cryptfs_setfield(char *fieldname, char *value) 3056{ 3057 struct crypt_persist_data stored_pdata; 3058 struct crypt_persist_data *pdata_p; 3059 struct crypt_mnt_ftr crypt_ftr; 3060 char encrypted_state[PROPERTY_VALUE_MAX]; 3061 /* 0 is success, -1 is an error */ 3062 int rc = -1; 3063 int encrypted = 0; 3064 3065 if (persist_data == NULL) { 3066 load_persistent_data(); 3067 if (persist_data == NULL) { 3068 SLOGE("Setfield error, cannot load persistent data"); 3069 goto out; 3070 } 3071 } 3072 3073 property_get("ro.crypto.state", encrypted_state, ""); 3074 if (!strcmp(encrypted_state, "encrypted") ) { 3075 encrypted = 1; 3076 } 3077 3078 if (persist_set_key(fieldname, value, encrypted)) { 3079 goto out; 3080 } 3081 3082 /* If we are running encrypted, save the persistent data now */ 3083 if (encrypted) { 3084 if (save_persistent_data()) { 3085 SLOGE("Setfield error, cannot save persistent data"); 3086 goto out; 3087 } 3088 } 3089 3090 rc = 0; 3091 3092out: 3093 return rc; 3094} 3095 3096/* Checks userdata. Attempt to mount the volume if default- 3097 * encrypted. 3098 * On success trigger next init phase and return 0. 3099 * Currently do not handle failure - see TODO below. 3100 */ 3101int cryptfs_mount_default_encrypted(void) 3102{ 3103 char decrypt_state[PROPERTY_VALUE_MAX]; 3104 property_get("vold.decrypt", decrypt_state, "0"); 3105 if (!strcmp(decrypt_state, "0")) { 3106 SLOGE("Not encrypted - should not call here"); 3107 } else { 3108 int crypt_type = cryptfs_get_password_type(); 3109 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3110 SLOGE("Bad crypt type - error"); 3111 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3112 SLOGD("Password is not default - " 3113 "starting min framework to prompt"); 3114 property_set("vold.decrypt", "trigger_restart_min_framework"); 3115 return 0; 3116 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3117 SLOGD("Password is default - restarting filesystem"); 3118 cryptfs_restart_internal(0); 3119 return 0; 3120 } else { 3121 SLOGE("Encrypted, default crypt type but can't decrypt"); 3122 } 3123 } 3124 3125 /** Corrupt. Allow us to boot into framework, which will detect bad 3126 crypto when it calls do_crypto_complete, then do a factory reset 3127 */ 3128 property_set("vold.decrypt", "trigger_restart_min_framework"); 3129 return 0; 3130} 3131 3132/* Returns type of the password, default, pattern, pin or password. 3133 */ 3134int cryptfs_get_password_type(void) 3135{ 3136 struct crypt_mnt_ftr crypt_ftr; 3137 3138 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3139 SLOGE("Error getting crypt footer and key\n"); 3140 return -1; 3141 } 3142 3143 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3144 return -1; 3145 } 3146 3147 return crypt_ftr.crypt_type; 3148} 3149 3150char* cryptfs_get_password() 3151{ 3152 struct timespec now; 3153 clock_gettime(CLOCK_MONOTONIC, &now); 3154 if (now.tv_sec < password_expiry_time) { 3155 return password; 3156 } else { 3157 cryptfs_clear_password(); 3158 return 0; 3159 } 3160} 3161 3162void cryptfs_clear_password() 3163{ 3164 if (password) { 3165 size_t len = strlen(password); 3166 memset(password, 0, len); 3167 free(password); 3168 password = 0; 3169 password_expiry_time = 0; 3170 } 3171} 3172