cryptfs.c revision 2f61b41e5de6b5791f118a212938f94d5d4f1897
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include "cryptfs.h" 44#define LOG_TAG "Cryptfs" 45#include "cutils/log.h" 46#include "cutils/properties.h" 47#include "cutils/android_reboot.h" 48#include "hardware_legacy/power.h" 49#include <logwrap/logwrap.h> 50#include "VolumeManager.h" 51#include "VoldUtil.h" 52#include "crypto_scrypt.h" 53#include "ext4_utils.h" 54#include "f2fs_sparseblock.h" 55#include "CheckBattery.h" 56 57#include <hardware/keymaster.h> 58 59#define UNUSED __attribute__((unused)) 60 61#define UNUSED __attribute__((unused)) 62 63#define DM_CRYPT_BUF_SIZE 4096 64 65#define HASH_COUNT 2000 66#define KEY_LEN_BYTES 16 67#define IV_LEN_BYTES 16 68 69#define KEY_IN_FOOTER "footer" 70 71// "default_password" encoded into hex (d=0x64 etc) 72#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 73 74#define EXT4_FS 1 75#define F2FS_FS 2 76 77#define TABLE_LOAD_RETRIES 10 78 79#define RSA_KEY_SIZE 2048 80#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 81#define RSA_EXPONENT 0x10001 82 83#define RETRY_MOUNT_ATTEMPTS 10 84#define RETRY_MOUNT_DELAY_SECONDS 1 85 86char *me = "cryptfs"; 87 88static unsigned char saved_master_key[KEY_LEN_BYTES]; 89static char *saved_mount_point; 90static int master_key_saved = 0; 91static struct crypt_persist_data *persist_data = NULL; 92 93static int keymaster_init(keymaster_device_t **keymaster_dev) 94{ 95 int rc; 96 97 const hw_module_t* mod; 98 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 99 if (rc) { 100 ALOGE("could not find any keystore module"); 101 goto out; 102 } 103 104 rc = keymaster_open(mod, keymaster_dev); 105 if (rc) { 106 ALOGE("could not open keymaster device in %s (%s)", 107 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 108 goto out; 109 } 110 111 return 0; 112 113out: 114 *keymaster_dev = NULL; 115 return rc; 116} 117 118/* Should we use keymaster? */ 119static int keymaster_check_compatibility() 120{ 121 keymaster_device_t *keymaster_dev = 0; 122 int rc = 0; 123 124 if (keymaster_init(&keymaster_dev)) { 125 SLOGE("Failed to init keymaster"); 126 rc = -1; 127 goto out; 128 } 129 130 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 131 132 if (keymaster_dev->common.module->module_api_version 133 < KEYMASTER_MODULE_API_VERSION_0_3) { 134 rc = 0; 135 goto out; 136 } 137 138 if (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE) { 139 rc = 1; 140 } 141 142out: 143 keymaster_close(keymaster_dev); 144 return rc; 145} 146 147/* Create a new keymaster key and store it in this footer */ 148static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 149{ 150 uint8_t* key = 0; 151 keymaster_device_t *keymaster_dev = 0; 152 153 if (keymaster_init(&keymaster_dev)) { 154 SLOGE("Failed to init keymaster"); 155 return -1; 156 } 157 158 int rc = 0; 159 160 keymaster_rsa_keygen_params_t params; 161 memset(¶ms, '\0', sizeof(params)); 162 params.public_exponent = RSA_EXPONENT; 163 params.modulus_size = RSA_KEY_SIZE; 164 165 size_t key_size; 166 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 167 &key, &key_size)) { 168 SLOGE("Failed to generate keypair"); 169 rc = -1; 170 goto out; 171 } 172 173 if (key_size > KEYMASTER_BLOB_SIZE) { 174 SLOGE("Keymaster key too large for crypto footer"); 175 rc = -1; 176 goto out; 177 } 178 179 memcpy(ftr->keymaster_blob, key, key_size); 180 ftr->keymaster_blob_size = key_size; 181 182out: 183 keymaster_close(keymaster_dev); 184 free(key); 185 return rc; 186} 187 188/* This signs the given object using the keymaster key. */ 189static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 190 const unsigned char *object, 191 const size_t object_size, 192 unsigned char **signature, 193 size_t *signature_size) 194{ 195 int rc = 0; 196 keymaster_device_t *keymaster_dev = 0; 197 if (keymaster_init(&keymaster_dev)) { 198 SLOGE("Failed to init keymaster"); 199 return -1; 200 } 201 202 /* We currently set the digest type to DIGEST_NONE because it's the 203 * only supported value for keymaster. A similar issue exists with 204 * PADDING_NONE. Long term both of these should likely change. 205 */ 206 keymaster_rsa_sign_params_t params; 207 params.digest_type = DIGEST_NONE; 208 params.padding_type = PADDING_NONE; 209 210 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 211 size_t to_sign_size = sizeof(to_sign); 212 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 213 214 // To sign a message with RSA, the message must satisfy two 215 // constraints: 216 // 217 // 1. The message, when interpreted as a big-endian numeric value, must 218 // be strictly less than the public modulus of the RSA key. Note 219 // that because the most significant bit of the public modulus is 220 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 221 // key), an n-bit message with most significant bit 0 always 222 // satisfies this requirement. 223 // 224 // 2. The message must have the same length in bits as the public 225 // modulus of the RSA key. This requirement isn't mathematically 226 // necessary, but is necessary to ensure consistency in 227 // implementations. 228 switch (ftr->kdf_type) { 229 case KDF_SCRYPT_KEYMASTER_UNPADDED: 230 // This is broken: It produces a message which is shorter than 231 // the public modulus, failing criterion 2. 232 memcpy(to_sign, object, object_size); 233 to_sign_size = object_size; 234 SLOGI("Signing unpadded object"); 235 break; 236 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 237 // This is broken: Since the value of object is uniformly 238 // distributed, it produces a message that is larger than the 239 // public modulus with probability 0.25. 240 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 241 SLOGI("Signing end-padded object"); 242 break; 243 case KDF_SCRYPT_KEYMASTER: 244 // This ensures the most significant byte of the signed message 245 // is zero. We could have zero-padded to the left instead, but 246 // this approach is slightly more robust against changes in 247 // object size. However, it's still broken (but not unusably 248 // so) because we really should be using a proper RSA padding 249 // function, such as OAEP. 250 // 251 // TODO(paullawrence): When keymaster 0.4 is available, change 252 // this to use the padding options it provides. 253 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 254 SLOGI("Signing safely-padded object"); 255 break; 256 default: 257 SLOGE("Unknown KDF type %d", ftr->kdf_type); 258 return -1; 259 } 260 261 rc = keymaster_dev->sign_data(keymaster_dev, 262 ¶ms, 263 ftr->keymaster_blob, 264 ftr->keymaster_blob_size, 265 to_sign, 266 to_sign_size, 267 signature, 268 signature_size); 269 270 keymaster_close(keymaster_dev); 271 return rc; 272} 273 274/* Store password when userdata is successfully decrypted and mounted. 275 * Cleared by cryptfs_clear_password 276 * 277 * To avoid a double prompt at boot, we need to store the CryptKeeper 278 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 279 * Since the entire framework is torn down and rebuilt after encryption, 280 * we have to use a daemon or similar to store the password. Since vold 281 * is secured against IPC except from system processes, it seems a reasonable 282 * place to store this. 283 * 284 * password should be cleared once it has been used. 285 * 286 * password is aged out after password_max_age_seconds seconds. 287 */ 288static char* password = 0; 289static int password_expiry_time = 0; 290static const int password_max_age_seconds = 60; 291 292extern struct fstab *fstab; 293 294enum RebootType {reboot, recovery, shutdown}; 295static void cryptfs_reboot(enum RebootType rt) 296{ 297 switch(rt) { 298 case reboot: 299 property_set(ANDROID_RB_PROPERTY, "reboot"); 300 break; 301 302 case recovery: 303 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 304 break; 305 306 case shutdown: 307 property_set(ANDROID_RB_PROPERTY, "shutdown"); 308 break; 309 } 310 311 sleep(20); 312 313 /* Shouldn't get here, reboot should happen before sleep times out */ 314 return; 315} 316 317static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 318{ 319 memset(io, 0, dataSize); 320 io->data_size = dataSize; 321 io->data_start = sizeof(struct dm_ioctl); 322 io->version[0] = 4; 323 io->version[1] = 0; 324 io->version[2] = 0; 325 io->flags = flags; 326 if (name) { 327 strncpy(io->name, name, sizeof(io->name)); 328 } 329} 330 331/** 332 * Gets the default device scrypt parameters for key derivation time tuning. 333 * The parameters should lead to about one second derivation time for the 334 * given device. 335 */ 336static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 337 const int default_params[] = SCRYPT_DEFAULTS; 338 int params[] = SCRYPT_DEFAULTS; 339 char paramstr[PROPERTY_VALUE_MAX]; 340 char *token; 341 char *saveptr; 342 int i; 343 344 property_get(SCRYPT_PROP, paramstr, ""); 345 if (paramstr[0] != '\0') { 346 /* 347 * The token we're looking for should be three integers separated by 348 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 349 */ 350 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 351 token != NULL && i < 3; 352 i++, token = strtok_r(NULL, ":", &saveptr)) { 353 char *endptr; 354 params[i] = strtol(token, &endptr, 10); 355 356 /* 357 * Check that there was a valid number and it's 8-bit. If not, 358 * break out and the end check will take the default values. 359 */ 360 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 361 break; 362 } 363 } 364 365 /* 366 * If there were not enough tokens or a token was malformed (not an 367 * integer), it will end up here and the default parameters can be 368 * taken. 369 */ 370 if ((i != 3) || (token != NULL)) { 371 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 372 memcpy(params, default_params, sizeof(params)); 373 } 374 } 375 376 ftr->N_factor = params[0]; 377 ftr->r_factor = params[1]; 378 ftr->p_factor = params[2]; 379} 380 381static unsigned int get_fs_size(char *dev) 382{ 383 int fd, block_size; 384 struct ext4_super_block sb; 385 off64_t len; 386 387 if ((fd = open(dev, O_RDONLY)) < 0) { 388 SLOGE("Cannot open device to get filesystem size "); 389 return 0; 390 } 391 392 if (lseek64(fd, 1024, SEEK_SET) < 0) { 393 SLOGE("Cannot seek to superblock"); 394 return 0; 395 } 396 397 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 398 SLOGE("Cannot read superblock"); 399 return 0; 400 } 401 402 close(fd); 403 404 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 405 SLOGE("Not a valid ext4 superblock"); 406 return 0; 407 } 408 block_size = 1024 << sb.s_log_block_size; 409 /* compute length in bytes */ 410 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 411 412 /* return length in sectors */ 413 return (unsigned int) (len / 512); 414} 415 416static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 417{ 418 static int cached_data = 0; 419 static off64_t cached_off = 0; 420 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 421 int fd; 422 char key_loc[PROPERTY_VALUE_MAX]; 423 char real_blkdev[PROPERTY_VALUE_MAX]; 424 unsigned int nr_sec; 425 int rc = -1; 426 427 if (!cached_data) { 428 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 429 430 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 431 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 432 SLOGE("Cannot open real block device %s\n", real_blkdev); 433 return -1; 434 } 435 436 if ((nr_sec = get_blkdev_size(fd))) { 437 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 438 * encryption info footer and key, and plenty of bytes to spare for future 439 * growth. 440 */ 441 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 442 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 443 cached_data = 1; 444 } else { 445 SLOGE("Cannot get size of block device %s\n", real_blkdev); 446 } 447 close(fd); 448 } else { 449 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 450 cached_off = 0; 451 cached_data = 1; 452 } 453 } 454 455 if (cached_data) { 456 if (metadata_fname) { 457 *metadata_fname = cached_metadata_fname; 458 } 459 if (off) { 460 *off = cached_off; 461 } 462 rc = 0; 463 } 464 465 return rc; 466} 467 468/* key or salt can be NULL, in which case just skip writing that value. Useful to 469 * update the failed mount count but not change the key. 470 */ 471static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 472{ 473 int fd; 474 unsigned int nr_sec, cnt; 475 /* starting_off is set to the SEEK_SET offset 476 * where the crypto structure starts 477 */ 478 off64_t starting_off; 479 int rc = -1; 480 char *fname = NULL; 481 struct stat statbuf; 482 483 if (get_crypt_ftr_info(&fname, &starting_off)) { 484 SLOGE("Unable to get crypt_ftr_info\n"); 485 return -1; 486 } 487 if (fname[0] != '/') { 488 SLOGE("Unexpected value for crypto key location\n"); 489 return -1; 490 } 491 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 492 SLOGE("Cannot open footer file %s for put\n", fname); 493 return -1; 494 } 495 496 /* Seek to the start of the crypt footer */ 497 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 498 SLOGE("Cannot seek to real block device footer\n"); 499 goto errout; 500 } 501 502 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 503 SLOGE("Cannot write real block device footer\n"); 504 goto errout; 505 } 506 507 fstat(fd, &statbuf); 508 /* If the keys are kept on a raw block device, do not try to truncate it. */ 509 if (S_ISREG(statbuf.st_mode)) { 510 if (ftruncate(fd, 0x4000)) { 511 SLOGE("Cannot set footer file size\n"); 512 goto errout; 513 } 514 } 515 516 /* Success! */ 517 rc = 0; 518 519errout: 520 close(fd); 521 return rc; 522 523} 524 525static inline int unix_read(int fd, void* buff, int len) 526{ 527 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 528} 529 530static inline int unix_write(int fd, const void* buff, int len) 531{ 532 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 533} 534 535static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 536{ 537 memset(pdata, 0, len); 538 pdata->persist_magic = PERSIST_DATA_MAGIC; 539 pdata->persist_valid_entries = 0; 540} 541 542/* A routine to update the passed in crypt_ftr to the lastest version. 543 * fd is open read/write on the device that holds the crypto footer and persistent 544 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 545 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 546 */ 547static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 548{ 549 int orig_major = crypt_ftr->major_version; 550 int orig_minor = crypt_ftr->minor_version; 551 552 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 553 struct crypt_persist_data *pdata; 554 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 555 556 SLOGW("upgrading crypto footer to 1.1"); 557 558 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 559 if (pdata == NULL) { 560 SLOGE("Cannot allocate persisent data\n"); 561 return; 562 } 563 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 564 565 /* Need to initialize the persistent data area */ 566 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 567 SLOGE("Cannot seek to persisent data offset\n"); 568 return; 569 } 570 /* Write all zeros to the first copy, making it invalid */ 571 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 572 573 /* Write a valid but empty structure to the second copy */ 574 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 575 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 576 577 /* Update the footer */ 578 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 579 crypt_ftr->persist_data_offset[0] = pdata_offset; 580 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 581 crypt_ftr->minor_version = 1; 582 } 583 584 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 585 SLOGW("upgrading crypto footer to 1.2"); 586 /* But keep the old kdf_type. 587 * It will get updated later to KDF_SCRYPT after the password has been verified. 588 */ 589 crypt_ftr->kdf_type = KDF_PBKDF2; 590 get_device_scrypt_params(crypt_ftr); 591 crypt_ftr->minor_version = 2; 592 } 593 594 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 595 SLOGW("upgrading crypto footer to 1.3"); 596 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 597 crypt_ftr->minor_version = 3; 598 } 599 600 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 601 if (lseek64(fd, offset, SEEK_SET) == -1) { 602 SLOGE("Cannot seek to crypt footer\n"); 603 return; 604 } 605 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 606 } 607} 608 609 610static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 611{ 612 int fd; 613 unsigned int nr_sec, cnt; 614 off64_t starting_off; 615 int rc = -1; 616 char *fname = NULL; 617 struct stat statbuf; 618 619 if (get_crypt_ftr_info(&fname, &starting_off)) { 620 SLOGE("Unable to get crypt_ftr_info\n"); 621 return -1; 622 } 623 if (fname[0] != '/') { 624 SLOGE("Unexpected value for crypto key location\n"); 625 return -1; 626 } 627 if ( (fd = open(fname, O_RDWR)) < 0) { 628 SLOGE("Cannot open footer file %s for get\n", fname); 629 return -1; 630 } 631 632 /* Make sure it's 16 Kbytes in length */ 633 fstat(fd, &statbuf); 634 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 635 SLOGE("footer file %s is not the expected size!\n", fname); 636 goto errout; 637 } 638 639 /* Seek to the start of the crypt footer */ 640 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 641 SLOGE("Cannot seek to real block device footer\n"); 642 goto errout; 643 } 644 645 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 646 SLOGE("Cannot read real block device footer\n"); 647 goto errout; 648 } 649 650 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 651 SLOGE("Bad magic for real block device %s\n", fname); 652 goto errout; 653 } 654 655 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 656 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 657 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 658 goto errout; 659 } 660 661 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 662 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 663 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 664 } 665 666 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 667 * copy on disk before returning. 668 */ 669 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 670 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 671 } 672 673 /* Success! */ 674 rc = 0; 675 676errout: 677 close(fd); 678 return rc; 679} 680 681static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 682{ 683 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 684 crypt_ftr->persist_data_offset[1]) { 685 SLOGE("Crypt_ftr persist data regions overlap"); 686 return -1; 687 } 688 689 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 690 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 691 return -1; 692 } 693 694 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 695 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 696 CRYPT_FOOTER_OFFSET) { 697 SLOGE("Persistent data extends past crypto footer"); 698 return -1; 699 } 700 701 return 0; 702} 703 704static int load_persistent_data(void) 705{ 706 struct crypt_mnt_ftr crypt_ftr; 707 struct crypt_persist_data *pdata = NULL; 708 char encrypted_state[PROPERTY_VALUE_MAX]; 709 char *fname; 710 int found = 0; 711 int fd; 712 int ret; 713 int i; 714 715 if (persist_data) { 716 /* Nothing to do, we've already loaded or initialized it */ 717 return 0; 718 } 719 720 721 /* If not encrypted, just allocate an empty table and initialize it */ 722 property_get("ro.crypto.state", encrypted_state, ""); 723 if (strcmp(encrypted_state, "encrypted") ) { 724 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 725 if (pdata) { 726 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 727 persist_data = pdata; 728 return 0; 729 } 730 return -1; 731 } 732 733 if(get_crypt_ftr_and_key(&crypt_ftr)) { 734 return -1; 735 } 736 737 if ((crypt_ftr.major_version < 1) 738 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 739 SLOGE("Crypt_ftr version doesn't support persistent data"); 740 return -1; 741 } 742 743 if (get_crypt_ftr_info(&fname, NULL)) { 744 return -1; 745 } 746 747 ret = validate_persistent_data_storage(&crypt_ftr); 748 if (ret) { 749 return -1; 750 } 751 752 fd = open(fname, O_RDONLY); 753 if (fd < 0) { 754 SLOGE("Cannot open %s metadata file", fname); 755 return -1; 756 } 757 758 if (persist_data == NULL) { 759 pdata = malloc(crypt_ftr.persist_data_size); 760 if (pdata == NULL) { 761 SLOGE("Cannot allocate memory for persistent data"); 762 goto err; 763 } 764 } 765 766 for (i = 0; i < 2; i++) { 767 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 768 SLOGE("Cannot seek to read persistent data on %s", fname); 769 goto err2; 770 } 771 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 772 SLOGE("Error reading persistent data on iteration %d", i); 773 goto err2; 774 } 775 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 776 found = 1; 777 break; 778 } 779 } 780 781 if (!found) { 782 SLOGI("Could not find valid persistent data, creating"); 783 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 784 } 785 786 /* Success */ 787 persist_data = pdata; 788 close(fd); 789 return 0; 790 791err2: 792 free(pdata); 793 794err: 795 close(fd); 796 return -1; 797} 798 799static int save_persistent_data(void) 800{ 801 struct crypt_mnt_ftr crypt_ftr; 802 struct crypt_persist_data *pdata; 803 char *fname; 804 off64_t write_offset; 805 off64_t erase_offset; 806 int found = 0; 807 int fd; 808 int ret; 809 810 if (persist_data == NULL) { 811 SLOGE("No persistent data to save"); 812 return -1; 813 } 814 815 if(get_crypt_ftr_and_key(&crypt_ftr)) { 816 return -1; 817 } 818 819 if ((crypt_ftr.major_version < 1) 820 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 821 SLOGE("Crypt_ftr version doesn't support persistent data"); 822 return -1; 823 } 824 825 ret = validate_persistent_data_storage(&crypt_ftr); 826 if (ret) { 827 return -1; 828 } 829 830 if (get_crypt_ftr_info(&fname, NULL)) { 831 return -1; 832 } 833 834 fd = open(fname, O_RDWR); 835 if (fd < 0) { 836 SLOGE("Cannot open %s metadata file", fname); 837 return -1; 838 } 839 840 pdata = malloc(crypt_ftr.persist_data_size); 841 if (pdata == NULL) { 842 SLOGE("Cannot allocate persistant data"); 843 goto err; 844 } 845 846 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 847 SLOGE("Cannot seek to read persistent data on %s", fname); 848 goto err2; 849 } 850 851 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 852 SLOGE("Error reading persistent data before save"); 853 goto err2; 854 } 855 856 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 857 /* The first copy is the curent valid copy, so write to 858 * the second copy and erase this one */ 859 write_offset = crypt_ftr.persist_data_offset[1]; 860 erase_offset = crypt_ftr.persist_data_offset[0]; 861 } else { 862 /* The second copy must be the valid copy, so write to 863 * the first copy, and erase the second */ 864 write_offset = crypt_ftr.persist_data_offset[0]; 865 erase_offset = crypt_ftr.persist_data_offset[1]; 866 } 867 868 /* Write the new copy first, if successful, then erase the old copy */ 869 if (lseek(fd, write_offset, SEEK_SET) < 0) { 870 SLOGE("Cannot seek to write persistent data"); 871 goto err2; 872 } 873 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 874 (int) crypt_ftr.persist_data_size) { 875 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 876 SLOGE("Cannot seek to erase previous persistent data"); 877 goto err2; 878 } 879 fsync(fd); 880 memset(pdata, 0, crypt_ftr.persist_data_size); 881 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 882 (int) crypt_ftr.persist_data_size) { 883 SLOGE("Cannot write to erase previous persistent data"); 884 goto err2; 885 } 886 fsync(fd); 887 } else { 888 SLOGE("Cannot write to save persistent data"); 889 goto err2; 890 } 891 892 /* Success */ 893 free(pdata); 894 close(fd); 895 return 0; 896 897err2: 898 free(pdata); 899err: 900 close(fd); 901 return -1; 902} 903 904static int hexdigit (char c) 905{ 906 if (c >= '0' && c <= '9') return c - '0'; 907 c = tolower(c); 908 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 909 return -1; 910} 911 912static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 913 unsigned int* out_keysize) 914{ 915 unsigned int i; 916 *out_keysize = 0; 917 918 size_t size = strlen (master_key_ascii); 919 if (size % 2) { 920 SLOGE("Trying to convert ascii string of odd length"); 921 return NULL; 922 } 923 924 unsigned char* master_key = (unsigned char*) malloc(size / 2); 925 if (master_key == 0) { 926 SLOGE("Cannot allocate"); 927 return NULL; 928 } 929 930 for (i = 0; i < size; i += 2) { 931 int high_nibble = hexdigit (master_key_ascii[i]); 932 int low_nibble = hexdigit (master_key_ascii[i + 1]); 933 934 if(high_nibble < 0 || low_nibble < 0) { 935 SLOGE("Invalid hex string"); 936 free (master_key); 937 return NULL; 938 } 939 940 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 941 (*out_keysize)++; 942 } 943 944 return master_key; 945} 946 947/* Convert a binary key of specified length into an ascii hex string equivalent, 948 * without the leading 0x and with null termination 949 */ 950static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 951 char *master_key_ascii) 952{ 953 unsigned int i, a; 954 unsigned char nibble; 955 956 for (i=0, a=0; i<keysize; i++, a+=2) { 957 /* For each byte, write out two ascii hex digits */ 958 nibble = (master_key[i] >> 4) & 0xf; 959 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 960 961 nibble = master_key[i] & 0xf; 962 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 963 } 964 965 /* Add the null termination */ 966 master_key_ascii[a] = '\0'; 967 968} 969 970static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 971 char *real_blk_name, const char *name, int fd, 972 char *extra_params) 973{ 974 char buffer[DM_CRYPT_BUF_SIZE]; 975 struct dm_ioctl *io; 976 struct dm_target_spec *tgt; 977 char *crypt_params; 978 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 979 int i; 980 981 io = (struct dm_ioctl *) buffer; 982 983 /* Load the mapping table for this device */ 984 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 985 986 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 987 io->target_count = 1; 988 tgt->status = 0; 989 tgt->sector_start = 0; 990 tgt->length = crypt_ftr->fs_size; 991 strcpy(tgt->target_type, "crypt"); 992 993 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 994 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 995 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 996 master_key_ascii, real_blk_name, extra_params); 997 crypt_params += strlen(crypt_params) + 1; 998 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 999 tgt->next = crypt_params - buffer; 1000 1001 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1002 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1003 break; 1004 } 1005 usleep(500000); 1006 } 1007 1008 if (i == TABLE_LOAD_RETRIES) { 1009 /* We failed to load the table, return an error */ 1010 return -1; 1011 } else { 1012 return i + 1; 1013 } 1014} 1015 1016 1017static int get_dm_crypt_version(int fd, const char *name, int *version) 1018{ 1019 char buffer[DM_CRYPT_BUF_SIZE]; 1020 struct dm_ioctl *io; 1021 struct dm_target_versions *v; 1022 int i; 1023 1024 io = (struct dm_ioctl *) buffer; 1025 1026 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1027 1028 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1029 return -1; 1030 } 1031 1032 /* Iterate over the returned versions, looking for name of "crypt". 1033 * When found, get and return the version. 1034 */ 1035 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1036 while (v->next) { 1037 if (! strcmp(v->name, "crypt")) { 1038 /* We found the crypt driver, return the version, and get out */ 1039 version[0] = v->version[0]; 1040 version[1] = v->version[1]; 1041 version[2] = v->version[2]; 1042 return 0; 1043 } 1044 v = (struct dm_target_versions *)(((char *)v) + v->next); 1045 } 1046 1047 return -1; 1048} 1049 1050static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1051 char *real_blk_name, char *crypto_blk_name, const char *name) 1052{ 1053 char buffer[DM_CRYPT_BUF_SIZE]; 1054 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1055 char *crypt_params; 1056 struct dm_ioctl *io; 1057 struct dm_target_spec *tgt; 1058 unsigned int minor; 1059 int fd; 1060 int i; 1061 int retval = -1; 1062 int version[3]; 1063 char *extra_params; 1064 int load_count; 1065 1066 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1067 SLOGE("Cannot open device-mapper\n"); 1068 goto errout; 1069 } 1070 1071 io = (struct dm_ioctl *) buffer; 1072 1073 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1074 if (ioctl(fd, DM_DEV_CREATE, io)) { 1075 SLOGE("Cannot create dm-crypt device\n"); 1076 goto errout; 1077 } 1078 1079 /* Get the device status, in particular, the name of it's device file */ 1080 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1081 if (ioctl(fd, DM_DEV_STATUS, io)) { 1082 SLOGE("Cannot retrieve dm-crypt device status\n"); 1083 goto errout; 1084 } 1085 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1086 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1087 1088 extra_params = ""; 1089 if (! get_dm_crypt_version(fd, name, version)) { 1090 /* Support for allow_discards was added in version 1.11.0 */ 1091 if ((version[0] >= 2) || 1092 ((version[0] == 1) && (version[1] >= 11))) { 1093 extra_params = "1 allow_discards"; 1094 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1095 } 1096 } 1097 1098 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1099 fd, extra_params); 1100 if (load_count < 0) { 1101 SLOGE("Cannot load dm-crypt mapping table.\n"); 1102 goto errout; 1103 } else if (load_count > 1) { 1104 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1105 } 1106 1107 /* Resume this device to activate it */ 1108 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1109 1110 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1111 SLOGE("Cannot resume the dm-crypt device\n"); 1112 goto errout; 1113 } 1114 1115 /* We made it here with no errors. Woot! */ 1116 retval = 0; 1117 1118errout: 1119 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1120 1121 return retval; 1122} 1123 1124static int delete_crypto_blk_dev(char *name) 1125{ 1126 int fd; 1127 char buffer[DM_CRYPT_BUF_SIZE]; 1128 struct dm_ioctl *io; 1129 int retval = -1; 1130 1131 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1132 SLOGE("Cannot open device-mapper\n"); 1133 goto errout; 1134 } 1135 1136 io = (struct dm_ioctl *) buffer; 1137 1138 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1139 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1140 SLOGE("Cannot remove dm-crypt device\n"); 1141 goto errout; 1142 } 1143 1144 /* We made it here with no errors. Woot! */ 1145 retval = 0; 1146 1147errout: 1148 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1149 1150 return retval; 1151 1152} 1153 1154static int pbkdf2(const char *passwd, const unsigned char *salt, 1155 unsigned char *ikey, void *params UNUSED) 1156{ 1157 SLOGI("Using pbkdf2 for cryptfs KDF"); 1158 1159 /* Turn the password into a key and IV that can decrypt the master key */ 1160 unsigned int keysize; 1161 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1162 if (!master_key) return -1; 1163 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1164 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1165 1166 memset(master_key, 0, keysize); 1167 free (master_key); 1168 return 0; 1169} 1170 1171static int scrypt(const char *passwd, const unsigned char *salt, 1172 unsigned char *ikey, void *params) 1173{ 1174 SLOGI("Using scrypt for cryptfs KDF"); 1175 1176 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1177 1178 int N = 1 << ftr->N_factor; 1179 int r = 1 << ftr->r_factor; 1180 int p = 1 << ftr->p_factor; 1181 1182 /* Turn the password into a key and IV that can decrypt the master key */ 1183 unsigned int keysize; 1184 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1185 if (!master_key) return -1; 1186 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1187 KEY_LEN_BYTES + IV_LEN_BYTES); 1188 1189 memset(master_key, 0, keysize); 1190 free (master_key); 1191 return 0; 1192} 1193 1194static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1195 unsigned char *ikey, void *params) 1196{ 1197 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1198 1199 int rc; 1200 unsigned int key_size; 1201 size_t signature_size; 1202 unsigned char* signature; 1203 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1204 1205 int N = 1 << ftr->N_factor; 1206 int r = 1 << ftr->r_factor; 1207 int p = 1 << ftr->p_factor; 1208 1209 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1210 if (!master_key) { 1211 SLOGE("Failed to convert passwd from hex"); 1212 return -1; 1213 } 1214 1215 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1216 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1217 memset(master_key, 0, key_size); 1218 free(master_key); 1219 1220 if (rc) { 1221 SLOGE("scrypt failed"); 1222 return -1; 1223 } 1224 1225 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1226 &signature, &signature_size)) { 1227 SLOGE("Signing failed"); 1228 return -1; 1229 } 1230 1231 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1232 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1233 free(signature); 1234 1235 if (rc) { 1236 SLOGE("scrypt failed"); 1237 return -1; 1238 } 1239 1240 return 0; 1241} 1242 1243static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1244 const unsigned char *decrypted_master_key, 1245 unsigned char *encrypted_master_key, 1246 struct crypt_mnt_ftr *crypt_ftr) 1247{ 1248 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1249 EVP_CIPHER_CTX e_ctx; 1250 int encrypted_len, final_len; 1251 int rc = 0; 1252 1253 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1254 get_device_scrypt_params(crypt_ftr); 1255 1256 switch (crypt_ftr->kdf_type) { 1257 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1258 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1259 case KDF_SCRYPT_KEYMASTER: 1260 if (keymaster_create_key(crypt_ftr)) { 1261 SLOGE("keymaster_create_key failed"); 1262 return -1; 1263 } 1264 1265 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1266 SLOGE("scrypt failed"); 1267 return -1; 1268 } 1269 break; 1270 1271 case KDF_SCRYPT: 1272 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1273 SLOGE("scrypt failed"); 1274 return -1; 1275 } 1276 break; 1277 1278 default: 1279 SLOGE("Invalid kdf_type"); 1280 return -1; 1281 } 1282 1283 /* Initialize the decryption engine */ 1284 EVP_CIPHER_CTX_init(&e_ctx); 1285 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1286 SLOGE("EVP_EncryptInit failed\n"); 1287 return -1; 1288 } 1289 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1290 1291 /* Encrypt the master key */ 1292 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1293 decrypted_master_key, KEY_LEN_BYTES)) { 1294 SLOGE("EVP_EncryptUpdate failed\n"); 1295 return -1; 1296 } 1297 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1298 SLOGE("EVP_EncryptFinal failed\n"); 1299 return -1; 1300 } 1301 1302 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1303 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1304 return -1; 1305 } 1306 1307 /* Store the scrypt of the intermediate key, so we can validate if it's a 1308 password error or mount error when things go wrong. 1309 Note there's no need to check for errors, since if this is incorrect, we 1310 simply won't wipe userdata, which is the correct default behavior 1311 */ 1312 int N = 1 << crypt_ftr->N_factor; 1313 int r = 1 << crypt_ftr->r_factor; 1314 int p = 1 << crypt_ftr->p_factor; 1315 1316 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1317 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1318 crypt_ftr->scrypted_intermediate_key, 1319 sizeof(crypt_ftr->scrypted_intermediate_key)); 1320 1321 if (rc) { 1322 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1323 } 1324 1325 return 0; 1326} 1327 1328static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1329 unsigned char *encrypted_master_key, 1330 unsigned char *decrypted_master_key, 1331 kdf_func kdf, void *kdf_params, 1332 unsigned char** intermediate_key, 1333 size_t* intermediate_key_size) 1334{ 1335 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1336 EVP_CIPHER_CTX d_ctx; 1337 int decrypted_len, final_len; 1338 1339 /* Turn the password into an intermediate key and IV that can decrypt the 1340 master key */ 1341 if (kdf(passwd, salt, ikey, kdf_params)) { 1342 SLOGE("kdf failed"); 1343 return -1; 1344 } 1345 1346 /* Initialize the decryption engine */ 1347 EVP_CIPHER_CTX_init(&d_ctx); 1348 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1349 return -1; 1350 } 1351 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1352 /* Decrypt the master key */ 1353 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1354 encrypted_master_key, KEY_LEN_BYTES)) { 1355 return -1; 1356 } 1357 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1358 return -1; 1359 } 1360 1361 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1362 return -1; 1363 } 1364 1365 /* Copy intermediate key if needed by params */ 1366 if (intermediate_key && intermediate_key_size) { 1367 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1368 if (intermediate_key) { 1369 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1370 *intermediate_key_size = KEY_LEN_BYTES; 1371 } 1372 } 1373 1374 return 0; 1375} 1376 1377static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1378{ 1379 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1380 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1381 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1382 *kdf = scrypt_keymaster; 1383 *kdf_params = ftr; 1384 } else if (ftr->kdf_type == KDF_SCRYPT) { 1385 *kdf = scrypt; 1386 *kdf_params = ftr; 1387 } else { 1388 *kdf = pbkdf2; 1389 *kdf_params = NULL; 1390 } 1391} 1392 1393static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1394 struct crypt_mnt_ftr *crypt_ftr, 1395 unsigned char** intermediate_key, 1396 size_t* intermediate_key_size) 1397{ 1398 kdf_func kdf; 1399 void *kdf_params; 1400 int ret; 1401 1402 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1403 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1404 decrypted_master_key, kdf, kdf_params, 1405 intermediate_key, intermediate_key_size); 1406 if (ret != 0) { 1407 SLOGW("failure decrypting master key"); 1408 } 1409 1410 return ret; 1411} 1412 1413static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1414 struct crypt_mnt_ftr *crypt_ftr) { 1415 int fd; 1416 unsigned char key_buf[KEY_LEN_BYTES]; 1417 EVP_CIPHER_CTX e_ctx; 1418 int encrypted_len, final_len; 1419 1420 /* Get some random bits for a key */ 1421 fd = open("/dev/urandom", O_RDONLY); 1422 read(fd, key_buf, sizeof(key_buf)); 1423 read(fd, salt, SALT_LEN); 1424 close(fd); 1425 1426 /* Now encrypt it with the password */ 1427 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1428} 1429 1430static int wait_and_unmount(char *mountpoint) 1431{ 1432 int i, rc; 1433#define WAIT_UNMOUNT_COUNT 20 1434 1435 /* Now umount the tmpfs filesystem */ 1436 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1437 if (umount(mountpoint)) { 1438 if (errno == EINVAL) { 1439 /* EINVAL is returned if the directory is not a mountpoint, 1440 * i.e. there is no filesystem mounted there. So just get out. 1441 */ 1442 break; 1443 } 1444 sleep(1); 1445 i++; 1446 } else { 1447 break; 1448 } 1449 } 1450 1451 if (i < WAIT_UNMOUNT_COUNT) { 1452 SLOGD("unmounting %s succeeded\n", mountpoint); 1453 rc = 0; 1454 } else { 1455 SLOGE("unmounting %s failed\n", mountpoint); 1456 rc = -1; 1457 } 1458 1459 return rc; 1460} 1461 1462#define DATA_PREP_TIMEOUT 200 1463static int prep_data_fs(void) 1464{ 1465 int i; 1466 1467 /* Do the prep of the /data filesystem */ 1468 property_set("vold.post_fs_data_done", "0"); 1469 property_set("vold.decrypt", "trigger_post_fs_data"); 1470 SLOGD("Just triggered post_fs_data\n"); 1471 1472 /* Wait a max of 50 seconds, hopefully it takes much less */ 1473 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1474 char p[PROPERTY_VALUE_MAX]; 1475 1476 property_get("vold.post_fs_data_done", p, "0"); 1477 if (*p == '1') { 1478 break; 1479 } else { 1480 usleep(250000); 1481 } 1482 } 1483 if (i == DATA_PREP_TIMEOUT) { 1484 /* Ugh, we failed to prep /data in time. Bail. */ 1485 SLOGE("post_fs_data timed out!\n"); 1486 return -1; 1487 } else { 1488 SLOGD("post_fs_data done\n"); 1489 return 0; 1490 } 1491} 1492 1493static void cryptfs_set_corrupt() 1494{ 1495 // Mark the footer as bad 1496 struct crypt_mnt_ftr crypt_ftr; 1497 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1498 SLOGE("Failed to get crypto footer - panic"); 1499 return; 1500 } 1501 1502 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1503 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1504 SLOGE("Failed to set crypto footer - panic"); 1505 return; 1506 } 1507} 1508 1509static void cryptfs_trigger_restart_min_framework() 1510{ 1511 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1512 SLOGE("Failed to mount tmpfs on data - panic"); 1513 return; 1514 } 1515 1516 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1517 SLOGE("Failed to trigger post fs data - panic"); 1518 return; 1519 } 1520 1521 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1522 SLOGE("Failed to trigger restart min framework - panic"); 1523 return; 1524 } 1525} 1526 1527/* returns < 0 on failure */ 1528static int cryptfs_restart_internal(int restart_main) 1529{ 1530 char fs_type[32]; 1531 char real_blkdev[MAXPATHLEN]; 1532 char crypto_blkdev[MAXPATHLEN]; 1533 char fs_options[256]; 1534 unsigned long mnt_flags; 1535 struct stat statbuf; 1536 int rc = -1, i; 1537 static int restart_successful = 0; 1538 1539 /* Validate that it's OK to call this routine */ 1540 if (! master_key_saved) { 1541 SLOGE("Encrypted filesystem not validated, aborting"); 1542 return -1; 1543 } 1544 1545 if (restart_successful) { 1546 SLOGE("System already restarted with encrypted disk, aborting"); 1547 return -1; 1548 } 1549 1550 if (restart_main) { 1551 /* Here is where we shut down the framework. The init scripts 1552 * start all services in one of three classes: core, main or late_start. 1553 * On boot, we start core and main. Now, we stop main, but not core, 1554 * as core includes vold and a few other really important things that 1555 * we need to keep running. Once main has stopped, we should be able 1556 * to umount the tmpfs /data, then mount the encrypted /data. 1557 * We then restart the class main, and also the class late_start. 1558 * At the moment, I've only put a few things in late_start that I know 1559 * are not needed to bring up the framework, and that also cause problems 1560 * with unmounting the tmpfs /data, but I hope to add add more services 1561 * to the late_start class as we optimize this to decrease the delay 1562 * till the user is asked for the password to the filesystem. 1563 */ 1564 1565 /* The init files are setup to stop the class main when vold.decrypt is 1566 * set to trigger_reset_main. 1567 */ 1568 property_set("vold.decrypt", "trigger_reset_main"); 1569 SLOGD("Just asked init to shut down class main\n"); 1570 1571 /* Ugh, shutting down the framework is not synchronous, so until it 1572 * can be fixed, this horrible hack will wait a moment for it all to 1573 * shut down before proceeding. Without it, some devices cannot 1574 * restart the graphics services. 1575 */ 1576 sleep(2); 1577 } 1578 1579 /* Now that the framework is shutdown, we should be able to umount() 1580 * the tmpfs filesystem, and mount the real one. 1581 */ 1582 1583 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1584 if (strlen(crypto_blkdev) == 0) { 1585 SLOGE("fs_crypto_blkdev not set\n"); 1586 return -1; 1587 } 1588 1589 if (! (rc = wait_and_unmount(DATA_MNT_POINT)) ) { 1590 /* If ro.crypto.readonly is set to 1, mount the decrypted 1591 * filesystem readonly. This is used when /data is mounted by 1592 * recovery mode. 1593 */ 1594 char ro_prop[PROPERTY_VALUE_MAX]; 1595 property_get("ro.crypto.readonly", ro_prop, ""); 1596 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1597 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1598 rec->flags |= MS_RDONLY; 1599 } 1600 1601 /* If that succeeded, then mount the decrypted filesystem */ 1602 int retries = RETRY_MOUNT_ATTEMPTS; 1603 int mount_rc; 1604 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1605 crypto_blkdev, 0)) 1606 != 0) { 1607 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1608 /* TODO: invoke something similar to 1609 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1610 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1611 SLOGI("Failed to mount %s because it is busy - waiting", 1612 crypto_blkdev); 1613 if (--retries) { 1614 sleep(RETRY_MOUNT_DELAY_SECONDS); 1615 } else { 1616 /* Let's hope that a reboot clears away whatever is keeping 1617 the mount busy */ 1618 cryptfs_reboot(reboot); 1619 } 1620 } else { 1621 SLOGE("Failed to mount decrypted data"); 1622 cryptfs_set_corrupt(); 1623 cryptfs_trigger_restart_min_framework(); 1624 SLOGI("Started framework to offer wipe"); 1625 return -1; 1626 } 1627 } 1628 1629 property_set("vold.decrypt", "trigger_load_persist_props"); 1630 /* Create necessary paths on /data */ 1631 if (prep_data_fs()) { 1632 return -1; 1633 } 1634 1635 /* startup service classes main and late_start */ 1636 property_set("vold.decrypt", "trigger_restart_framework"); 1637 SLOGD("Just triggered restart_framework\n"); 1638 1639 /* Give it a few moments to get started */ 1640 sleep(1); 1641 } 1642 1643 if (rc == 0) { 1644 restart_successful = 1; 1645 } 1646 1647 return rc; 1648} 1649 1650int cryptfs_restart(void) 1651{ 1652 /* Call internal implementation forcing a restart of main service group */ 1653 return cryptfs_restart_internal(1); 1654} 1655 1656static int do_crypto_complete(char *mount_point UNUSED) 1657{ 1658 struct crypt_mnt_ftr crypt_ftr; 1659 char encrypted_state[PROPERTY_VALUE_MAX]; 1660 char key_loc[PROPERTY_VALUE_MAX]; 1661 1662 property_get("ro.crypto.state", encrypted_state, ""); 1663 if (strcmp(encrypted_state, "encrypted") ) { 1664 SLOGE("not running with encryption, aborting"); 1665 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1666 } 1667 1668 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1669 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1670 1671 /* 1672 * Only report this error if key_loc is a file and it exists. 1673 * If the device was never encrypted, and /data is not mountable for 1674 * some reason, returning 1 should prevent the UI from presenting the 1675 * a "enter password" screen, or worse, a "press button to wipe the 1676 * device" screen. 1677 */ 1678 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1679 SLOGE("master key file does not exist, aborting"); 1680 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1681 } else { 1682 SLOGE("Error getting crypt footer and key\n"); 1683 return CRYPTO_COMPLETE_BAD_METADATA; 1684 } 1685 } 1686 1687 // Test for possible error flags 1688 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1689 SLOGE("Encryption process is partway completed\n"); 1690 return CRYPTO_COMPLETE_PARTIAL; 1691 } 1692 1693 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1694 SLOGE("Encryption process was interrupted but cannot continue\n"); 1695 return CRYPTO_COMPLETE_INCONSISTENT; 1696 } 1697 1698 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1699 SLOGE("Encryption is successful but data is corrupt\n"); 1700 return CRYPTO_COMPLETE_CORRUPT; 1701 } 1702 1703 /* We passed the test! We shall diminish, and return to the west */ 1704 return CRYPTO_COMPLETE_ENCRYPTED; 1705} 1706 1707static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1708 char *passwd, char *mount_point, char *label) 1709{ 1710 /* Allocate enough space for a 256 bit key, but we may use less */ 1711 unsigned char decrypted_master_key[32]; 1712 char crypto_blkdev[MAXPATHLEN]; 1713 char real_blkdev[MAXPATHLEN]; 1714 char tmp_mount_point[64]; 1715 unsigned int orig_failed_decrypt_count; 1716 int rc; 1717 kdf_func kdf; 1718 void *kdf_params; 1719 int use_keymaster = 0; 1720 int upgrade = 0; 1721 unsigned char* intermediate_key = 0; 1722 size_t intermediate_key_size = 0; 1723 1724 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1725 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1726 1727 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1728 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1729 &intermediate_key, &intermediate_key_size)) { 1730 SLOGE("Failed to decrypt master key\n"); 1731 rc = -1; 1732 goto errout; 1733 } 1734 } 1735 1736 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1737 1738 // Create crypto block device - all (non fatal) code paths 1739 // need it 1740 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1741 real_blkdev, crypto_blkdev, label)) { 1742 SLOGE("Error creating decrypted block device\n"); 1743 rc = -1; 1744 goto errout; 1745 } 1746 1747 /* Work out if the problem is the password or the data */ 1748 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1749 scrypted_intermediate_key)]; 1750 int N = 1 << crypt_ftr->N_factor; 1751 int r = 1 << crypt_ftr->r_factor; 1752 int p = 1 << crypt_ftr->p_factor; 1753 1754 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1755 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1756 N, r, p, scrypted_intermediate_key, 1757 sizeof(scrypted_intermediate_key)); 1758 1759 // Does the key match the crypto footer? 1760 if (rc == 0 && memcmp(scrypted_intermediate_key, 1761 crypt_ftr->scrypted_intermediate_key, 1762 sizeof(scrypted_intermediate_key)) == 0) { 1763 SLOGI("Password matches"); 1764 rc = 0; 1765 } else { 1766 /* Try mounting the file system anyway, just in case the problem's with 1767 * the footer, not the key. */ 1768 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1769 mkdir(tmp_mount_point, 0755); 1770 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1771 SLOGE("Error temp mounting decrypted block device\n"); 1772 delete_crypto_blk_dev(label); 1773 1774 rc = ++crypt_ftr->failed_decrypt_count; 1775 put_crypt_ftr_and_key(crypt_ftr); 1776 } else { 1777 /* Success! */ 1778 SLOGI("Password did not match but decrypted drive mounted - continue"); 1779 umount(tmp_mount_point); 1780 rc = 0; 1781 } 1782 } 1783 1784 if (rc == 0) { 1785 crypt_ftr->failed_decrypt_count = 0; 1786 1787 /* Save the name of the crypto block device 1788 * so we can mount it when restarting the framework. */ 1789 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1790 1791 /* Also save a the master key so we can reencrypted the key 1792 * the key when we want to change the password on it. */ 1793 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1794 saved_mount_point = strdup(mount_point); 1795 master_key_saved = 1; 1796 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1797 rc = 0; 1798 1799 // Upgrade if we're not using the latest KDF. 1800 use_keymaster = keymaster_check_compatibility(); 1801 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1802 // Don't allow downgrade 1803 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1804 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1805 upgrade = 1; 1806 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1807 crypt_ftr->kdf_type = KDF_SCRYPT; 1808 upgrade = 1; 1809 } 1810 1811 if (upgrade) { 1812 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1813 crypt_ftr->master_key, crypt_ftr); 1814 if (!rc) { 1815 rc = put_crypt_ftr_and_key(crypt_ftr); 1816 } 1817 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1818 1819 // Do not fail even if upgrade failed - machine is bootable 1820 // Note that if this code is ever hit, there is a *serious* problem 1821 // since KDFs should never fail. You *must* fix the kdf before 1822 // proceeding! 1823 if (rc) { 1824 SLOGW("Upgrade failed with error %d," 1825 " but continuing with previous state", 1826 rc); 1827 rc = 0; 1828 } 1829 } 1830 } 1831 1832 errout: 1833 if (intermediate_key) { 1834 memset(intermediate_key, 0, intermediate_key_size); 1835 free(intermediate_key); 1836 } 1837 return rc; 1838} 1839 1840/* Called by vold when it wants to undo the crypto mapping of a volume it 1841 * manages. This is usually in response to a factory reset, when we want 1842 * to undo the crypto mapping so the volume is formatted in the clear. 1843 */ 1844int cryptfs_revert_volume(const char *label) 1845{ 1846 return delete_crypto_blk_dev((char *)label); 1847} 1848 1849/* 1850 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1851 * Setup a dm-crypt mapping, use the saved master key from 1852 * setting up the /data mapping, and return the new device path. 1853 */ 1854int cryptfs_setup_volume(const char *label, int major, int minor, 1855 char *crypto_sys_path, unsigned int max_path, 1856 int *new_major, int *new_minor) 1857{ 1858 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1859 struct crypt_mnt_ftr sd_crypt_ftr; 1860 struct stat statbuf; 1861 int nr_sec, fd; 1862 1863 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1864 1865 get_crypt_ftr_and_key(&sd_crypt_ftr); 1866 1867 /* Update the fs_size field to be the size of the volume */ 1868 fd = open(real_blkdev, O_RDONLY); 1869 nr_sec = get_blkdev_size(fd); 1870 close(fd); 1871 if (nr_sec == 0) { 1872 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1873 return -1; 1874 } 1875 1876 sd_crypt_ftr.fs_size = nr_sec; 1877 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1878 crypto_blkdev, label); 1879 1880 stat(crypto_blkdev, &statbuf); 1881 *new_major = MAJOR(statbuf.st_rdev); 1882 *new_minor = MINOR(statbuf.st_rdev); 1883 1884 /* Create path to sys entry for this block device */ 1885 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1886 1887 return 0; 1888} 1889 1890int cryptfs_crypto_complete(void) 1891{ 1892 return do_crypto_complete("/data"); 1893} 1894 1895int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1896{ 1897 char encrypted_state[PROPERTY_VALUE_MAX]; 1898 property_get("ro.crypto.state", encrypted_state, ""); 1899 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1900 SLOGE("encrypted fs already validated or not running with encryption," 1901 " aborting"); 1902 return -1; 1903 } 1904 1905 if (get_crypt_ftr_and_key(crypt_ftr)) { 1906 SLOGE("Error getting crypt footer and key"); 1907 return -1; 1908 } 1909 1910 return 0; 1911} 1912 1913int cryptfs_check_passwd(char *passwd) 1914{ 1915 struct crypt_mnt_ftr crypt_ftr; 1916 int rc; 1917 1918 rc = check_unmounted_and_get_ftr(&crypt_ftr); 1919 if (rc) 1920 return rc; 1921 1922 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 1923 DATA_MNT_POINT, "userdata"); 1924 1925 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 1926 cryptfs_clear_password(); 1927 password = strdup(passwd); 1928 struct timespec now; 1929 clock_gettime(CLOCK_BOOTTIME, &now); 1930 password_expiry_time = now.tv_sec + password_max_age_seconds; 1931 } 1932 1933 return rc; 1934} 1935 1936int cryptfs_verify_passwd(char *passwd) 1937{ 1938 struct crypt_mnt_ftr crypt_ftr; 1939 /* Allocate enough space for a 256 bit key, but we may use less */ 1940 unsigned char decrypted_master_key[32]; 1941 char encrypted_state[PROPERTY_VALUE_MAX]; 1942 int rc; 1943 1944 property_get("ro.crypto.state", encrypted_state, ""); 1945 if (strcmp(encrypted_state, "encrypted") ) { 1946 SLOGE("device not encrypted, aborting"); 1947 return -2; 1948 } 1949 1950 if (!master_key_saved) { 1951 SLOGE("encrypted fs not yet mounted, aborting"); 1952 return -1; 1953 } 1954 1955 if (!saved_mount_point) { 1956 SLOGE("encrypted fs failed to save mount point, aborting"); 1957 return -1; 1958 } 1959 1960 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1961 SLOGE("Error getting crypt footer and key\n"); 1962 return -1; 1963 } 1964 1965 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 1966 /* If the device has no password, then just say the password is valid */ 1967 rc = 0; 1968 } else { 1969 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 1970 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 1971 /* They match, the password is correct */ 1972 rc = 0; 1973 } else { 1974 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 1975 sleep(1); 1976 rc = 1; 1977 } 1978 } 1979 1980 return rc; 1981} 1982 1983/* Initialize a crypt_mnt_ftr structure. The keysize is 1984 * defaulted to 16 bytes, and the filesystem size to 0. 1985 * Presumably, at a minimum, the caller will update the 1986 * filesystem size and crypto_type_name after calling this function. 1987 */ 1988static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 1989{ 1990 off64_t off; 1991 1992 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 1993 ftr->magic = CRYPT_MNT_MAGIC; 1994 ftr->major_version = CURRENT_MAJOR_VERSION; 1995 ftr->minor_version = CURRENT_MINOR_VERSION; 1996 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 1997 ftr->keysize = KEY_LEN_BYTES; 1998 1999 switch (keymaster_check_compatibility()) { 2000 case 1: 2001 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2002 break; 2003 2004 case 0: 2005 ftr->kdf_type = KDF_SCRYPT; 2006 break; 2007 2008 default: 2009 SLOGE("keymaster_check_compatibility failed"); 2010 return -1; 2011 } 2012 2013 get_device_scrypt_params(ftr); 2014 2015 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2016 if (get_crypt_ftr_info(NULL, &off) == 0) { 2017 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2018 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2019 ftr->persist_data_size; 2020 } 2021 2022 return 0; 2023} 2024 2025static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2026{ 2027 const char *args[10]; 2028 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2029 int num_args; 2030 int status; 2031 int tmp; 2032 int rc = -1; 2033 2034 if (type == EXT4_FS) { 2035 args[0] = "/system/bin/make_ext4fs"; 2036 args[1] = "-a"; 2037 args[2] = "/data"; 2038 args[3] = "-l"; 2039 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2040 args[4] = size_str; 2041 args[5] = crypto_blkdev; 2042 num_args = 6; 2043 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2044 args[0], args[1], args[2], args[3], args[4], args[5]); 2045 } else if (type == F2FS_FS) { 2046 args[0] = "/system/bin/mkfs.f2fs"; 2047 args[1] = "-t"; 2048 args[2] = "-d1"; 2049 args[3] = crypto_blkdev; 2050 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2051 args[4] = size_str; 2052 num_args = 5; 2053 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2054 args[0], args[1], args[2], args[3], args[4]); 2055 } else { 2056 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2057 return -1; 2058 } 2059 2060 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2061 2062 if (tmp != 0) { 2063 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2064 } else { 2065 if (WIFEXITED(status)) { 2066 if (WEXITSTATUS(status)) { 2067 SLOGE("Error creating filesystem on %s, exit status %d ", 2068 crypto_blkdev, WEXITSTATUS(status)); 2069 } else { 2070 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2071 rc = 0; 2072 } 2073 } else { 2074 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2075 } 2076 } 2077 2078 return rc; 2079} 2080 2081#define CRYPT_INPLACE_BUFSIZE 4096 2082#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2083#define CRYPT_SECTOR_SIZE 512 2084 2085/* aligned 32K writes tends to make flash happy. 2086 * SD card association recommends it. 2087 */ 2088#define BLOCKS_AT_A_TIME 8 2089 2090struct encryptGroupsData 2091{ 2092 int realfd; 2093 int cryptofd; 2094 off64_t numblocks; 2095 off64_t one_pct, cur_pct, new_pct; 2096 off64_t blocks_already_done, tot_numblocks; 2097 off64_t used_blocks_already_done, tot_used_blocks; 2098 char* real_blkdev, * crypto_blkdev; 2099 int count; 2100 off64_t offset; 2101 char* buffer; 2102 off64_t last_written_sector; 2103 int completed; 2104 time_t time_started; 2105 int remaining_time; 2106}; 2107 2108static void update_progress(struct encryptGroupsData* data, int is_used) 2109{ 2110 data->blocks_already_done++; 2111 2112 if (is_used) { 2113 data->used_blocks_already_done++; 2114 } 2115 if (data->tot_used_blocks) { 2116 data->new_pct = data->used_blocks_already_done / data->one_pct; 2117 } else { 2118 data->new_pct = data->blocks_already_done / data->one_pct; 2119 } 2120 2121 if (data->new_pct > data->cur_pct) { 2122 char buf[8]; 2123 data->cur_pct = data->new_pct; 2124 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2125 property_set("vold.encrypt_progress", buf); 2126 SLOGI("Encrypted %" PRId64 " percent of drive", data->cur_pct); 2127 } 2128 2129 if (data->cur_pct >= 5) { 2130 double elapsed_time = difftime(time(NULL), data->time_started); 2131 off64_t remaining_blocks = data->tot_used_blocks 2132 - data->used_blocks_already_done; 2133 int remaining_time = (int)(elapsed_time * remaining_blocks 2134 / data->used_blocks_already_done); 2135 2136 // Change time only if not yet set, lower, or a lot higher for 2137 // best user experience 2138 if (data->remaining_time == -1 2139 || remaining_time < data->remaining_time 2140 || remaining_time > data->remaining_time + 60) { 2141 char buf[8]; 2142 snprintf(buf, sizeof(buf), "%d", remaining_time); 2143 property_set("vold.encrypt_time_remaining", buf); 2144 2145 SLOGI("Encrypted %" PRId64 " percent of drive, %d seconds to go", 2146 data->cur_pct, remaining_time); 2147 data->remaining_time = remaining_time; 2148 } 2149 } 2150} 2151 2152static int flush_outstanding_data(struct encryptGroupsData* data) 2153{ 2154 if (data->count == 0) { 2155 return 0; 2156 } 2157 2158 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2159 2160 if (pread64(data->realfd, data->buffer, 2161 info.block_size * data->count, data->offset) 2162 <= 0) { 2163 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2164 data->real_blkdev); 2165 return -1; 2166 } 2167 2168 if (pwrite64(data->cryptofd, data->buffer, 2169 info.block_size * data->count, data->offset) 2170 <= 0) { 2171 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2172 data->crypto_blkdev); 2173 return -1; 2174 } else { 2175 SLOGI("Encrypted %d blocks at sector %" PRId64, 2176 data->count, data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2177 } 2178 2179 data->count = 0; 2180 data->last_written_sector = (data->offset + data->count) 2181 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2182 return 0; 2183} 2184 2185static int encrypt_groups(struct encryptGroupsData* data) 2186{ 2187 unsigned int i; 2188 u8 *block_bitmap = 0; 2189 unsigned int block; 2190 off64_t ret; 2191 int rc = -1; 2192 2193 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2194 if (!data->buffer) { 2195 SLOGE("Failed to allocate crypto buffer"); 2196 goto errout; 2197 } 2198 2199 block_bitmap = malloc(info.block_size); 2200 if (!block_bitmap) { 2201 SLOGE("failed to allocate block bitmap"); 2202 goto errout; 2203 } 2204 2205 for (i = 0; i < aux_info.groups; ++i) { 2206 SLOGI("Encrypting group %d", i); 2207 2208 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2209 u32 block_count = min(info.blocks_per_group, 2210 aux_info.len_blocks - first_block); 2211 2212 off64_t offset = (u64)info.block_size 2213 * aux_info.bg_desc[i].bg_block_bitmap; 2214 2215 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2216 if (ret != (int)info.block_size) { 2217 SLOGE("failed to read all of block group bitmap %d", i); 2218 goto errout; 2219 } 2220 2221 offset = (u64)info.block_size * first_block; 2222 2223 data->count = 0; 2224 2225 for (block = 0; block < block_count; block++) { 2226 int used = bitmap_get_bit(block_bitmap, block); 2227 update_progress(data, used); 2228 if (used) { 2229 if (data->count == 0) { 2230 data->offset = offset; 2231 } 2232 data->count++; 2233 } else { 2234 if (flush_outstanding_data(data)) { 2235 goto errout; 2236 } 2237 } 2238 2239 offset += info.block_size; 2240 2241 /* Write data if we are aligned or buffer size reached */ 2242 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2243 || data->count == BLOCKS_AT_A_TIME) { 2244 if (flush_outstanding_data(data)) { 2245 goto errout; 2246 } 2247 } 2248 2249 if (!is_battery_ok_to_continue()) { 2250 SLOGE("Stopping encryption due to low battery"); 2251 rc = 0; 2252 goto errout; 2253 } 2254 2255 } 2256 if (flush_outstanding_data(data)) { 2257 goto errout; 2258 } 2259 } 2260 2261 data->completed = 1; 2262 rc = 0; 2263 2264errout: 2265 free(data->buffer); 2266 free(block_bitmap); 2267 return rc; 2268} 2269 2270static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2271 char *real_blkdev, 2272 off64_t size, 2273 off64_t *size_already_done, 2274 off64_t tot_size, 2275 off64_t previously_encrypted_upto) 2276{ 2277 u32 i; 2278 struct encryptGroupsData data; 2279 int rc; // Can't initialize without causing warning -Wclobbered 2280 2281 if (previously_encrypted_upto > *size_already_done) { 2282 SLOGD("Not fast encrypting since resuming part way through"); 2283 return -1; 2284 } 2285 2286 memset(&data, 0, sizeof(data)); 2287 data.real_blkdev = real_blkdev; 2288 data.crypto_blkdev = crypto_blkdev; 2289 2290 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2291 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2292 real_blkdev); 2293 rc = -1; 2294 goto errout; 2295 } 2296 2297 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2298 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2299 crypto_blkdev); 2300 rc = -1; 2301 goto errout; 2302 } 2303 2304 if (setjmp(setjmp_env)) { 2305 SLOGE("Reading extent caused an exception"); 2306 rc = -1; 2307 goto errout; 2308 } 2309 2310 if (read_ext(data.realfd, 0) != 0) { 2311 SLOGE("Failed to read extent"); 2312 rc = -1; 2313 goto errout; 2314 } 2315 2316 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2317 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2318 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2319 2320 SLOGI("Encrypting filesystem in place..."); 2321 2322 data.tot_used_blocks = data.numblocks; 2323 for (i = 0; i < aux_info.groups; ++i) { 2324 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2325 } 2326 2327 data.one_pct = data.tot_used_blocks / 100; 2328 data.cur_pct = 0; 2329 data.time_started = time(NULL); 2330 data.remaining_time = -1; 2331 2332 rc = encrypt_groups(&data); 2333 if (rc) { 2334 SLOGE("Error encrypting groups"); 2335 goto errout; 2336 } 2337 2338 *size_already_done += data.completed ? size : data.last_written_sector; 2339 rc = 0; 2340 2341errout: 2342 close(data.realfd); 2343 close(data.cryptofd); 2344 2345 return rc; 2346} 2347 2348static int encrypt_one_block_f2fs(u64 pos, void *data) 2349{ 2350 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2351 2352 priv_dat->blocks_already_done = pos - 1; 2353 update_progress(priv_dat, 1); 2354 2355 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2356 2357 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2358 SLOGE("Error reading real_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2359 return -1; 2360 } 2361 2362 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2363 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", priv_dat->crypto_blkdev); 2364 return -1; 2365 } else { 2366 SLOGD("Encrypted block %"PRIu64, pos); 2367 } 2368 2369 return 0; 2370} 2371 2372static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2373 char *real_blkdev, 2374 off64_t size, 2375 off64_t *size_already_done, 2376 off64_t tot_size, 2377 off64_t previously_encrypted_upto) 2378{ 2379 u32 i; 2380 struct encryptGroupsData data; 2381 struct f2fs_info *f2fs_info = NULL; 2382 int rc = -1; 2383 if (previously_encrypted_upto > *size_already_done) { 2384 SLOGD("Not fast encrypting since resuming part way through"); 2385 return -1; 2386 } 2387 memset(&data, 0, sizeof(data)); 2388 data.real_blkdev = real_blkdev; 2389 data.crypto_blkdev = crypto_blkdev; 2390 data.realfd = -1; 2391 data.cryptofd = -1; 2392 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2393 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", 2394 real_blkdev); 2395 goto errout; 2396 } 2397 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2398 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", 2399 crypto_blkdev); 2400 goto errout; 2401 } 2402 2403 f2fs_info = generate_f2fs_info(data.realfd); 2404 if (!f2fs_info) 2405 goto errout; 2406 2407 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2408 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2409 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2410 2411 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2412 2413 data.one_pct = data.tot_used_blocks / 100; 2414 data.cur_pct = 0; 2415 data.time_started = time(NULL); 2416 data.remaining_time = -1; 2417 2418 data.buffer = malloc(f2fs_info->block_size); 2419 if (!data.buffer) { 2420 SLOGE("Failed to allocate crypto buffer"); 2421 goto errout; 2422 } 2423 2424 data.count = 0; 2425 2426 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2427 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2428 2429 if (rc) { 2430 SLOGE("Error in running over blocks"); 2431 goto errout; 2432 } 2433 2434 *size_already_done += size; 2435 rc = 0; 2436 2437errout: 2438 if (rc) 2439 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2440 2441 free(f2fs_info); 2442 free(data.buffer); 2443 close(data.realfd); 2444 close(data.cryptofd); 2445 2446 return rc; 2447} 2448 2449static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2450 off64_t size, off64_t *size_already_done, 2451 off64_t tot_size, 2452 off64_t previously_encrypted_upto) 2453{ 2454 int realfd, cryptofd; 2455 char *buf[CRYPT_INPLACE_BUFSIZE]; 2456 int rc = -1; 2457 off64_t numblocks, i, remainder; 2458 off64_t one_pct, cur_pct, new_pct; 2459 off64_t blocks_already_done, tot_numblocks; 2460 2461 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2462 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2463 return -1; 2464 } 2465 2466 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2467 SLOGE("Error opening crypto_blkdev %s for inplace encrypt\n", crypto_blkdev); 2468 close(realfd); 2469 return -1; 2470 } 2471 2472 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2473 * The size passed in is the number of 512 byte sectors in the filesystem. 2474 * So compute the number of whole 4K blocks we should read/write, 2475 * and the remainder. 2476 */ 2477 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2478 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2479 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2480 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2481 2482 SLOGE("Encrypting filesystem in place..."); 2483 2484 i = previously_encrypted_upto + 1 - *size_already_done; 2485 2486 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2487 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2488 goto errout; 2489 } 2490 2491 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2492 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2493 goto errout; 2494 } 2495 2496 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2497 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2498 SLOGE("Error reading initial sectors from real_blkdev %s for " 2499 "inplace encrypt\n", crypto_blkdev); 2500 goto errout; 2501 } 2502 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2503 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2504 "inplace encrypt\n", crypto_blkdev); 2505 goto errout; 2506 } else { 2507 SLOGI("Encrypted 1 block at %" PRId64, i); 2508 } 2509 } 2510 2511 one_pct = tot_numblocks / 100; 2512 cur_pct = 0; 2513 /* process the majority of the filesystem in blocks */ 2514 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2515 new_pct = (i + blocks_already_done) / one_pct; 2516 if (new_pct > cur_pct) { 2517 char buf[8]; 2518 2519 cur_pct = new_pct; 2520 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2521 property_set("vold.encrypt_progress", buf); 2522 } 2523 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2524 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2525 goto errout; 2526 } 2527 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2528 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2529 goto errout; 2530 } else { 2531 SLOGD("Encrypted %d block at %" PRId64, 2532 CRYPT_SECTORS_PER_BUFSIZE, 2533 i * CRYPT_SECTORS_PER_BUFSIZE); 2534 } 2535 2536 if (!is_battery_ok_to_continue()) { 2537 SLOGE("Stopping encryption due to low battery"); 2538 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2539 rc = 0; 2540 goto errout; 2541 } 2542 } 2543 2544 /* Do any remaining sectors */ 2545 for (i=0; i<remainder; i++) { 2546 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2547 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2548 goto errout; 2549 } 2550 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2551 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2552 goto errout; 2553 } else { 2554 SLOGI("Encrypted 1 block at next location"); 2555 } 2556 } 2557 2558 *size_already_done += size; 2559 rc = 0; 2560 2561errout: 2562 close(realfd); 2563 close(cryptofd); 2564 2565 return rc; 2566} 2567 2568static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2569 off64_t size, off64_t *size_already_done, 2570 off64_t tot_size, 2571 off64_t previously_encrypted_upto) 2572{ 2573 if (previously_encrypted_upto) { 2574 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2575 } 2576 2577 if (*size_already_done + size < previously_encrypted_upto) { 2578 *size_already_done += size; 2579 return 0; 2580 } 2581 2582 /* TODO: identify filesystem type. 2583 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2584 * then we will drop down to cryptfs_enable_inplace_f2fs. 2585 * */ 2586 if (cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2587 size, size_already_done, 2588 tot_size, previously_encrypted_upto) == 0) { 2589 return 0; 2590 } 2591 2592 if (cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2593 size, size_already_done, 2594 tot_size, previously_encrypted_upto) == 0) { 2595 return 0; 2596 } 2597 2598 return cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2599 size, size_already_done, tot_size, 2600 previously_encrypted_upto); 2601} 2602 2603#define CRYPTO_ENABLE_WIPE 1 2604#define CRYPTO_ENABLE_INPLACE 2 2605 2606#define FRAMEWORK_BOOT_WAIT 60 2607 2608static inline int should_encrypt(struct volume_info *volume) 2609{ 2610 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2611 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2612} 2613 2614static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2615{ 2616 int fd = open(filename, O_RDONLY); 2617 if (fd == -1) { 2618 SLOGE("Error opening file %s", filename); 2619 return -1; 2620 } 2621 2622 char block[CRYPT_INPLACE_BUFSIZE]; 2623 memset(block, 0, sizeof(block)); 2624 if (unix_read(fd, block, sizeof(block)) < 0) { 2625 SLOGE("Error reading file %s", filename); 2626 close(fd); 2627 return -1; 2628 } 2629 2630 close(fd); 2631 2632 SHA256_CTX c; 2633 SHA256_Init(&c); 2634 SHA256_Update(&c, block, sizeof(block)); 2635 SHA256_Final(buf, &c); 2636 2637 return 0; 2638} 2639 2640static int get_fs_type(struct fstab_rec *rec) 2641{ 2642 if (!strcmp(rec->fs_type, "ext4")) { 2643 return EXT4_FS; 2644 } else if (!strcmp(rec->fs_type, "f2fs")) { 2645 return F2FS_FS; 2646 } else { 2647 return -1; 2648 } 2649} 2650 2651static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2652 char *crypto_blkdev, char *real_blkdev, 2653 int previously_encrypted_upto) 2654{ 2655 off64_t cur_encryption_done=0, tot_encryption_size=0; 2656 int i, rc = -1; 2657 2658 if (!is_battery_ok_to_start()) { 2659 SLOGW("Not starting encryption due to low battery"); 2660 return 0; 2661 } 2662 2663 /* The size of the userdata partition, and add in the vold volumes below */ 2664 tot_encryption_size = crypt_ftr->fs_size; 2665 2666 if (how == CRYPTO_ENABLE_WIPE) { 2667 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2668 int fs_type = get_fs_type(rec); 2669 if (fs_type < 0) { 2670 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2671 return -1; 2672 } 2673 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2674 } else if (how == CRYPTO_ENABLE_INPLACE) { 2675 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2676 crypt_ftr->fs_size, &cur_encryption_done, 2677 tot_encryption_size, 2678 previously_encrypted_upto); 2679 2680 if (!rc) { 2681 crypt_ftr->encrypted_upto = cur_encryption_done; 2682 } 2683 2684 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2685 /* The inplace routine never actually sets the progress to 100% due 2686 * to the round down nature of integer division, so set it here */ 2687 property_set("vold.encrypt_progress", "100"); 2688 } 2689 } else { 2690 /* Shouldn't happen */ 2691 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2692 rc = -1; 2693 } 2694 2695 return rc; 2696} 2697 2698int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2699 int allow_reboot) 2700{ 2701 int how = 0; 2702 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2703 unsigned long nr_sec; 2704 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2705 int rc=-1, fd, i, ret; 2706 struct crypt_mnt_ftr crypt_ftr; 2707 struct crypt_persist_data *pdata; 2708 char encrypted_state[PROPERTY_VALUE_MAX]; 2709 char lockid[32] = { 0 }; 2710 char key_loc[PROPERTY_VALUE_MAX]; 2711 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2712 char *sd_mnt_point; 2713 int num_vols; 2714 struct volume_info *vol_list = 0; 2715 off64_t previously_encrypted_upto = 0; 2716 2717 if (!strcmp(howarg, "wipe")) { 2718 how = CRYPTO_ENABLE_WIPE; 2719 } else if (! strcmp(howarg, "inplace")) { 2720 how = CRYPTO_ENABLE_INPLACE; 2721 } else { 2722 /* Shouldn't happen, as CommandListener vets the args */ 2723 goto error_unencrypted; 2724 } 2725 2726 /* See if an encryption was underway and interrupted */ 2727 if (how == CRYPTO_ENABLE_INPLACE 2728 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2729 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2730 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2731 crypt_ftr.encrypted_upto = 0; 2732 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2733 2734 /* At this point, we are in an inconsistent state. Until we successfully 2735 complete encryption, a reboot will leave us broken. So mark the 2736 encryption failed in case that happens. 2737 On successfully completing encryption, remove this flag */ 2738 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2739 2740 put_crypt_ftr_and_key(&crypt_ftr); 2741 } 2742 2743 property_get("ro.crypto.state", encrypted_state, ""); 2744 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2745 SLOGE("Device is already running encrypted, aborting"); 2746 goto error_unencrypted; 2747 } 2748 2749 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2750 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2751 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2752 2753 /* Get the size of the real block device */ 2754 fd = open(real_blkdev, O_RDONLY); 2755 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2756 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2757 goto error_unencrypted; 2758 } 2759 close(fd); 2760 2761 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2762 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2763 unsigned int fs_size_sec, max_fs_size_sec; 2764 fs_size_sec = get_fs_size(real_blkdev); 2765 if (fs_size_sec == 0) 2766 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2767 2768 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2769 2770 if (fs_size_sec > max_fs_size_sec) { 2771 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2772 goto error_unencrypted; 2773 } 2774 } 2775 2776 /* Get a wakelock as this may take a while, and we don't want the 2777 * device to sleep on us. We'll grab a partial wakelock, and if the UI 2778 * wants to keep the screen on, it can grab a full wakelock. 2779 */ 2780 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 2781 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 2782 2783 /* Get the sdcard mount point */ 2784 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 2785 if (!sd_mnt_point) { 2786 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 2787 } 2788 if (!sd_mnt_point) { 2789 sd_mnt_point = "/mnt/sdcard"; 2790 } 2791 2792 /* TODO 2793 * Currently do not have test devices with multiple encryptable volumes. 2794 * When we acquire some, re-add support. 2795 */ 2796 num_vols=vold_getNumDirectVolumes(); 2797 vol_list = malloc(sizeof(struct volume_info) * num_vols); 2798 vold_getDirectVolumeList(vol_list); 2799 2800 for (i=0; i<num_vols; i++) { 2801 if (should_encrypt(&vol_list[i])) { 2802 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 2803 "%s\n", vol_list[i].label); 2804 goto error_unencrypted; 2805 } 2806 } 2807 2808 /* The init files are setup to stop the class main and late start when 2809 * vold sets trigger_shutdown_framework. 2810 */ 2811 property_set("vold.decrypt", "trigger_shutdown_framework"); 2812 SLOGD("Just asked init to shut down class main\n"); 2813 2814 if (vold_unmountAllAsecs()) { 2815 /* Just report the error. If any are left mounted, 2816 * umounting /data below will fail and handle the error. 2817 */ 2818 SLOGE("Error unmounting internal asecs"); 2819 } 2820 2821 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 2822 if (!strcmp(fuse_sdcard, "true")) { 2823 /* This is a device using the fuse layer to emulate the sdcard semantics 2824 * on top of the userdata partition. vold does not manage it, it is managed 2825 * by the sdcard service. The sdcard service was killed by the property trigger 2826 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 2827 * unlike the case for vold managed devices above. 2828 */ 2829 if (wait_and_unmount(sd_mnt_point)) { 2830 goto error_shutting_down; 2831 } 2832 } 2833 2834 /* Now unmount the /data partition. */ 2835 if (wait_and_unmount(DATA_MNT_POINT)) { 2836 if (allow_reboot) { 2837 goto error_shutting_down; 2838 } else { 2839 goto error_unencrypted; 2840 } 2841 } 2842 2843 /* Do extra work for a better UX when doing the long inplace encryption */ 2844 if (how == CRYPTO_ENABLE_INPLACE) { 2845 /* Now that /data is unmounted, we need to mount a tmpfs 2846 * /data, set a property saying we're doing inplace encryption, 2847 * and restart the framework. 2848 */ 2849 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 2850 goto error_shutting_down; 2851 } 2852 /* Tells the framework that inplace encryption is starting */ 2853 property_set("vold.encrypt_progress", "0"); 2854 2855 /* restart the framework. */ 2856 /* Create necessary paths on /data */ 2857 if (prep_data_fs()) { 2858 goto error_shutting_down; 2859 } 2860 2861 /* Ugh, shutting down the framework is not synchronous, so until it 2862 * can be fixed, this horrible hack will wait a moment for it all to 2863 * shut down before proceeding. Without it, some devices cannot 2864 * restart the graphics services. 2865 */ 2866 sleep(2); 2867 2868 /* startup service classes main and late_start */ 2869 property_set("vold.decrypt", "trigger_restart_min_framework"); 2870 SLOGD("Just triggered restart_min_framework\n"); 2871 2872 /* OK, the framework is restarted and will soon be showing a 2873 * progress bar. Time to setup an encrypted mapping, and 2874 * either write a new filesystem, or encrypt in place updating 2875 * the progress bar as we work. 2876 */ 2877 } 2878 2879 /* Start the actual work of making an encrypted filesystem */ 2880 /* Initialize a crypt_mnt_ftr for the partition */ 2881 if (previously_encrypted_upto == 0) { 2882 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 2883 goto error_shutting_down; 2884 } 2885 2886 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 2887 crypt_ftr.fs_size = nr_sec 2888 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2889 } else { 2890 crypt_ftr.fs_size = nr_sec; 2891 } 2892 /* At this point, we are in an inconsistent state. Until we successfully 2893 complete encryption, a reboot will leave us broken. So mark the 2894 encryption failed in case that happens. 2895 On successfully completing encryption, remove this flag */ 2896 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2897 crypt_ftr.crypt_type = crypt_type; 2898 strcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256"); 2899 2900 /* Make an encrypted master key */ 2901 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 2902 SLOGE("Cannot create encrypted master key\n"); 2903 goto error_shutting_down; 2904 } 2905 2906 /* Write the key to the end of the partition */ 2907 put_crypt_ftr_and_key(&crypt_ftr); 2908 2909 /* If any persistent data has been remembered, save it. 2910 * If none, create a valid empty table and save that. 2911 */ 2912 if (!persist_data) { 2913 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 2914 if (pdata) { 2915 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 2916 persist_data = pdata; 2917 } 2918 } 2919 if (persist_data) { 2920 save_persistent_data(); 2921 } 2922 } 2923 2924 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2925 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 2926 "userdata"); 2927 2928 /* If we are continuing, check checksums match */ 2929 rc = 0; 2930 if (previously_encrypted_upto) { 2931 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 2932 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 2933 2934 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 2935 sizeof(hash_first_block)) != 0) { 2936 SLOGE("Checksums do not match - trigger wipe"); 2937 rc = -1; 2938 } 2939 } 2940 2941 if (!rc) { 2942 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 2943 crypto_blkdev, real_blkdev, 2944 previously_encrypted_upto); 2945 } 2946 2947 /* Calculate checksum if we are not finished */ 2948 if (!rc && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2949 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 2950 crypt_ftr.hash_first_block); 2951 if (rc) { 2952 SLOGE("Error calculating checksum for continuing encryption"); 2953 rc = -1; 2954 } 2955 } 2956 2957 /* Undo the dm-crypt mapping whether we succeed or not */ 2958 delete_crypto_blk_dev("userdata"); 2959 2960 free(vol_list); 2961 2962 if (! rc) { 2963 /* Success */ 2964 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 2965 2966 if (crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 2967 SLOGD("Encrypted up to sector %lld - will continue after reboot", 2968 crypt_ftr.encrypted_upto); 2969 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 2970 } 2971 2972 put_crypt_ftr_and_key(&crypt_ftr); 2973 2974 if (crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 2975 char value[PROPERTY_VALUE_MAX]; 2976 property_get("ro.crypto.state", value, ""); 2977 if (!strcmp(value, "")) { 2978 /* default encryption - continue first boot sequence */ 2979 property_set("ro.crypto.state", "encrypted"); 2980 release_wake_lock(lockid); 2981 cryptfs_check_passwd(DEFAULT_PASSWORD); 2982 cryptfs_restart_internal(1); 2983 return 0; 2984 } else { 2985 sleep(2); /* Give the UI a chance to show 100% progress */ 2986 cryptfs_reboot(reboot); 2987 } 2988 } else { 2989 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 2990 cryptfs_reboot(shutdown); 2991 } 2992 } else { 2993 char value[PROPERTY_VALUE_MAX]; 2994 2995 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 2996 if (!strcmp(value, "1")) { 2997 /* wipe data if encryption failed */ 2998 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 2999 mkdir("/cache/recovery", 0700); 3000 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3001 if (fd >= 0) { 3002 write(fd, "--wipe_data", strlen("--wipe_data") + 1); 3003 close(fd); 3004 } else { 3005 SLOGE("could not open /cache/recovery/command\n"); 3006 } 3007 cryptfs_reboot(recovery); 3008 } else { 3009 /* set property to trigger dialog */ 3010 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3011 release_wake_lock(lockid); 3012 } 3013 return -1; 3014 } 3015 3016 /* hrm, the encrypt step claims success, but the reboot failed. 3017 * This should not happen. 3018 * Set the property and return. Hope the framework can deal with it. 3019 */ 3020 property_set("vold.encrypt_progress", "error_reboot_failed"); 3021 release_wake_lock(lockid); 3022 return rc; 3023 3024error_unencrypted: 3025 free(vol_list); 3026 property_set("vold.encrypt_progress", "error_not_encrypted"); 3027 if (lockid[0]) { 3028 release_wake_lock(lockid); 3029 } 3030 return -1; 3031 3032error_shutting_down: 3033 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3034 * but the framework is stopped and not restarted to show the error, so it's up to 3035 * vold to restart the system. 3036 */ 3037 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3038 cryptfs_reboot(reboot); 3039 3040 /* shouldn't get here */ 3041 property_set("vold.encrypt_progress", "error_shutting_down"); 3042 free(vol_list); 3043 if (lockid[0]) { 3044 release_wake_lock(lockid); 3045 } 3046 return -1; 3047} 3048 3049int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3050{ 3051 return cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3052} 3053 3054int cryptfs_enable_default(char *howarg, int allow_reboot) 3055{ 3056 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3057 DEFAULT_PASSWORD, allow_reboot); 3058} 3059 3060int cryptfs_changepw(int crypt_type, const char *newpw) 3061{ 3062 struct crypt_mnt_ftr crypt_ftr; 3063 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3064 3065 /* This is only allowed after we've successfully decrypted the master key */ 3066 if (!master_key_saved) { 3067 SLOGE("Key not saved, aborting"); 3068 return -1; 3069 } 3070 3071 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3072 SLOGE("Invalid crypt_type %d", crypt_type); 3073 return -1; 3074 } 3075 3076 /* get key */ 3077 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3078 SLOGE("Error getting crypt footer and key"); 3079 return -1; 3080 } 3081 3082 crypt_ftr.crypt_type = crypt_type; 3083 3084 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3085 : newpw, 3086 crypt_ftr.salt, 3087 saved_master_key, 3088 crypt_ftr.master_key, 3089 &crypt_ftr); 3090 3091 /* save the key */ 3092 put_crypt_ftr_and_key(&crypt_ftr); 3093 3094 return 0; 3095} 3096 3097static int persist_get_key(char *fieldname, char *value) 3098{ 3099 unsigned int i; 3100 3101 if (persist_data == NULL) { 3102 return -1; 3103 } 3104 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3105 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3106 /* We found it! */ 3107 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3108 return 0; 3109 } 3110 } 3111 3112 return -1; 3113} 3114 3115static int persist_set_key(char *fieldname, char *value, int encrypted) 3116{ 3117 unsigned int i; 3118 unsigned int num; 3119 struct crypt_mnt_ftr crypt_ftr; 3120 unsigned int max_persistent_entries; 3121 unsigned int dsize; 3122 3123 if (persist_data == NULL) { 3124 return -1; 3125 } 3126 3127 /* If encrypted, use the values from the crypt_ftr, otherwise 3128 * use the values for the current spec. 3129 */ 3130 if (encrypted) { 3131 if(get_crypt_ftr_and_key(&crypt_ftr)) { 3132 return -1; 3133 } 3134 dsize = crypt_ftr.persist_data_size; 3135 } else { 3136 dsize = CRYPT_PERSIST_DATA_SIZE; 3137 } 3138 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3139 sizeof(struct crypt_persist_entry); 3140 3141 num = persist_data->persist_valid_entries; 3142 3143 for (i = 0; i < num; i++) { 3144 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3145 /* We found an existing entry, update it! */ 3146 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3147 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3148 return 0; 3149 } 3150 } 3151 3152 /* We didn't find it, add it to the end, if there is room */ 3153 if (persist_data->persist_valid_entries < max_persistent_entries) { 3154 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3155 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3156 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3157 persist_data->persist_valid_entries++; 3158 return 0; 3159 } 3160 3161 return -1; 3162} 3163 3164/* Return the value of the specified field. */ 3165int cryptfs_getfield(char *fieldname, char *value, int len) 3166{ 3167 char temp_value[PROPERTY_VALUE_MAX]; 3168 char real_blkdev[MAXPATHLEN]; 3169 /* 0 is success, 1 is not encrypted, 3170 * -1 is value not set, -2 is any other error 3171 */ 3172 int rc = -2; 3173 3174 if (persist_data == NULL) { 3175 load_persistent_data(); 3176 if (persist_data == NULL) { 3177 SLOGE("Getfield error, cannot load persistent data"); 3178 goto out; 3179 } 3180 } 3181 3182 if (!persist_get_key(fieldname, temp_value)) { 3183 /* We found it, copy it to the caller's buffer and return */ 3184 strlcpy(value, temp_value, len); 3185 rc = 0; 3186 } else { 3187 /* Sadness, it's not there. Return the error */ 3188 rc = -1; 3189 } 3190 3191out: 3192 return rc; 3193} 3194 3195/* Set the value of the specified field. */ 3196int cryptfs_setfield(char *fieldname, char *value) 3197{ 3198 struct crypt_persist_data stored_pdata; 3199 struct crypt_persist_data *pdata_p; 3200 struct crypt_mnt_ftr crypt_ftr; 3201 char encrypted_state[PROPERTY_VALUE_MAX]; 3202 /* 0 is success, -1 is an error */ 3203 int rc = -1; 3204 int encrypted = 0; 3205 3206 if (persist_data == NULL) { 3207 load_persistent_data(); 3208 if (persist_data == NULL) { 3209 SLOGE("Setfield error, cannot load persistent data"); 3210 goto out; 3211 } 3212 } 3213 3214 property_get("ro.crypto.state", encrypted_state, ""); 3215 if (!strcmp(encrypted_state, "encrypted") ) { 3216 encrypted = 1; 3217 } 3218 3219 if (persist_set_key(fieldname, value, encrypted)) { 3220 goto out; 3221 } 3222 3223 /* If we are running encrypted, save the persistent data now */ 3224 if (encrypted) { 3225 if (save_persistent_data()) { 3226 SLOGE("Setfield error, cannot save persistent data"); 3227 goto out; 3228 } 3229 } 3230 3231 rc = 0; 3232 3233out: 3234 return rc; 3235} 3236 3237/* Checks userdata. Attempt to mount the volume if default- 3238 * encrypted. 3239 * On success trigger next init phase and return 0. 3240 * Currently do not handle failure - see TODO below. 3241 */ 3242int cryptfs_mount_default_encrypted(void) 3243{ 3244 char decrypt_state[PROPERTY_VALUE_MAX]; 3245 property_get("vold.decrypt", decrypt_state, "0"); 3246 if (!strcmp(decrypt_state, "0")) { 3247 SLOGE("Not encrypted - should not call here"); 3248 } else { 3249 int crypt_type = cryptfs_get_password_type(); 3250 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3251 SLOGE("Bad crypt type - error"); 3252 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3253 SLOGD("Password is not default - " 3254 "starting min framework to prompt"); 3255 property_set("vold.decrypt", "trigger_restart_min_framework"); 3256 return 0; 3257 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3258 SLOGD("Password is default - restarting filesystem"); 3259 cryptfs_restart_internal(0); 3260 return 0; 3261 } else { 3262 SLOGE("Encrypted, default crypt type but can't decrypt"); 3263 } 3264 } 3265 3266 /** Corrupt. Allow us to boot into framework, which will detect bad 3267 crypto when it calls do_crypto_complete, then do a factory reset 3268 */ 3269 property_set("vold.decrypt", "trigger_restart_min_framework"); 3270 return 0; 3271} 3272 3273/* Returns type of the password, default, pattern, pin or password. 3274 */ 3275int cryptfs_get_password_type(void) 3276{ 3277 struct crypt_mnt_ftr crypt_ftr; 3278 3279 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3280 SLOGE("Error getting crypt footer and key\n"); 3281 return -1; 3282 } 3283 3284 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3285 return -1; 3286 } 3287 3288 return crypt_ftr.crypt_type; 3289} 3290 3291char* cryptfs_get_password() 3292{ 3293 struct timespec now; 3294 clock_gettime(CLOCK_MONOTONIC, &now); 3295 if (now.tv_sec < password_expiry_time) { 3296 return password; 3297 } else { 3298 cryptfs_clear_password(); 3299 return 0; 3300 } 3301} 3302 3303void cryptfs_clear_password() 3304{ 3305 if (password) { 3306 size_t len = strlen(password); 3307 memset(password, 0, len); 3308 free(password); 3309 password = 0; 3310 password_expiry_time = 0; 3311 } 3312} 3313