cryptfs.c revision 36801cccf27152c9eca5aab6ba3527221525110f
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <openssl/sha.h> 40#include <errno.h> 41#include <ext4.h> 42#include <linux/kdev_t.h> 43#include <fs_mgr.h> 44#include <time.h> 45#include <math.h> 46#include "cryptfs.h" 47#define LOG_TAG "Cryptfs" 48#include "cutils/log.h" 49#include "cutils/properties.h" 50#include "cutils/android_reboot.h" 51#include "hardware_legacy/power.h" 52#include <logwrap/logwrap.h> 53#include "VolumeManager.h" 54#include "VoldUtil.h" 55#include "crypto_scrypt.h" 56#include "ext4_crypt.h" 57#include "ext4_utils.h" 58#include "f2fs_sparseblock.h" 59#include "CheckBattery.h" 60#include "Process.h" 61 62#include <hardware/keymaster0.h> 63 64#define UNUSED __attribute__((unused)) 65 66#define UNUSED __attribute__((unused)) 67 68#ifdef CONFIG_HW_DISK_ENCRYPTION 69#include "cryptfs_hw.h" 70#endif 71 72#define DM_CRYPT_BUF_SIZE 4096 73 74#define HASH_COUNT 2000 75#define KEY_LEN_BYTES 16 76#define IV_LEN_BYTES 16 77 78#define KEY_IN_FOOTER "footer" 79 80// "default_password" encoded into hex (d=0x64 etc) 81#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 82 83#define EXT4_FS 1 84#define F2FS_FS 2 85 86#define TABLE_LOAD_RETRIES 10 87 88#define RSA_KEY_SIZE 2048 89#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 90#define RSA_EXPONENT 0x10001 91 92#define RETRY_MOUNT_ATTEMPTS 10 93#define RETRY_MOUNT_DELAY_SECONDS 1 94 95char *me = "cryptfs"; 96 97static unsigned char saved_master_key[KEY_LEN_BYTES]; 98static char *saved_mount_point; 99static int master_key_saved = 0; 100static struct crypt_persist_data *persist_data = NULL; 101 102static int keymaster_init(keymaster0_device_t **keymaster_dev) 103{ 104 int rc; 105 106 const hw_module_t* mod; 107 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 108 if (rc) { 109 ALOGE("could not find any keystore module"); 110 goto out; 111 } 112 113 rc = keymaster0_open(mod, keymaster_dev); 114 if (rc) { 115 ALOGE("could not open keymaster device in %s (%s)", 116 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 117 goto out; 118 } 119 120 return 0; 121 122out: 123 *keymaster_dev = NULL; 124 return rc; 125} 126 127/* Should we use keymaster? */ 128static int keymaster_check_compatibility() 129{ 130 keymaster0_device_t *keymaster_dev = 0; 131 int rc = 0; 132 133 if (keymaster_init(&keymaster_dev)) { 134 SLOGE("Failed to init keymaster"); 135 rc = -1; 136 goto out; 137 } 138 139 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 140 141 if (keymaster_dev->common.module->module_api_version 142 < KEYMASTER_MODULE_API_VERSION_0_3) { 143 rc = 0; 144 goto out; 145 } 146 147 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 148 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 149 rc = 1; 150 } 151 152out: 153 keymaster0_close(keymaster_dev); 154 return rc; 155} 156 157/* Create a new keymaster key and store it in this footer */ 158static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 159{ 160 uint8_t* key = 0; 161 keymaster0_device_t *keymaster_dev = 0; 162 163 if (keymaster_init(&keymaster_dev)) { 164 SLOGE("Failed to init keymaster"); 165 return -1; 166 } 167 168 int rc = 0; 169 170 keymaster_rsa_keygen_params_t params; 171 memset(¶ms, '\0', sizeof(params)); 172 params.public_exponent = RSA_EXPONENT; 173 params.modulus_size = RSA_KEY_SIZE; 174 175 size_t key_size; 176 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 177 &key, &key_size)) { 178 SLOGE("Failed to generate keypair"); 179 rc = -1; 180 goto out; 181 } 182 183 if (key_size > KEYMASTER_BLOB_SIZE) { 184 SLOGE("Keymaster key too large for crypto footer"); 185 rc = -1; 186 goto out; 187 } 188 189 memcpy(ftr->keymaster_blob, key, key_size); 190 ftr->keymaster_blob_size = key_size; 191 192out: 193 keymaster0_close(keymaster_dev); 194 free(key); 195 return rc; 196} 197 198/* This signs the given object using the keymaster key. */ 199static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 200 const unsigned char *object, 201 const size_t object_size, 202 unsigned char **signature, 203 size_t *signature_size) 204{ 205 int rc = 0; 206 keymaster0_device_t *keymaster_dev = 0; 207 if (keymaster_init(&keymaster_dev)) { 208 SLOGE("Failed to init keymaster"); 209 return -1; 210 } 211 212 /* We currently set the digest type to DIGEST_NONE because it's the 213 * only supported value for keymaster. A similar issue exists with 214 * PADDING_NONE. Long term both of these should likely change. 215 */ 216 keymaster_rsa_sign_params_t params; 217 params.digest_type = DIGEST_NONE; 218 params.padding_type = PADDING_NONE; 219 220 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 221 size_t to_sign_size = sizeof(to_sign); 222 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 223 224 // To sign a message with RSA, the message must satisfy two 225 // constraints: 226 // 227 // 1. The message, when interpreted as a big-endian numeric value, must 228 // be strictly less than the public modulus of the RSA key. Note 229 // that because the most significant bit of the public modulus is 230 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 231 // key), an n-bit message with most significant bit 0 always 232 // satisfies this requirement. 233 // 234 // 2. The message must have the same length in bits as the public 235 // modulus of the RSA key. This requirement isn't mathematically 236 // necessary, but is necessary to ensure consistency in 237 // implementations. 238 switch (ftr->kdf_type) { 239 case KDF_SCRYPT_KEYMASTER: 240 // This ensures the most significant byte of the signed message 241 // is zero. We could have zero-padded to the left instead, but 242 // this approach is slightly more robust against changes in 243 // object size. However, it's still broken (but not unusably 244 // so) because we really should be using a proper RSA padding 245 // function, such as OAEP. 246 // 247 // TODO(paullawrence): When keymaster 0.4 is available, change 248 // this to use the padding options it provides. 249 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 250 SLOGI("Signing safely-padded object"); 251 break; 252 default: 253 SLOGE("Unknown KDF type %d", ftr->kdf_type); 254 return -1; 255 } 256 257 rc = keymaster_dev->sign_data(keymaster_dev, 258 ¶ms, 259 ftr->keymaster_blob, 260 ftr->keymaster_blob_size, 261 to_sign, 262 to_sign_size, 263 signature, 264 signature_size); 265 266 keymaster0_close(keymaster_dev); 267 return rc; 268} 269 270/* Store password when userdata is successfully decrypted and mounted. 271 * Cleared by cryptfs_clear_password 272 * 273 * To avoid a double prompt at boot, we need to store the CryptKeeper 274 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 275 * Since the entire framework is torn down and rebuilt after encryption, 276 * we have to use a daemon or similar to store the password. Since vold 277 * is secured against IPC except from system processes, it seems a reasonable 278 * place to store this. 279 * 280 * password should be cleared once it has been used. 281 * 282 * password is aged out after password_max_age_seconds seconds. 283 */ 284static char* password = 0; 285static int password_expiry_time = 0; 286static const int password_max_age_seconds = 60; 287 288extern struct fstab *fstab; 289 290enum RebootType {reboot, recovery, shutdown}; 291static void cryptfs_reboot(enum RebootType rt) 292{ 293 switch(rt) { 294 case reboot: 295 property_set(ANDROID_RB_PROPERTY, "reboot"); 296 break; 297 298 case recovery: 299 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 300 break; 301 302 case shutdown: 303 property_set(ANDROID_RB_PROPERTY, "shutdown"); 304 break; 305 } 306 307 sleep(20); 308 309 /* Shouldn't get here, reboot should happen before sleep times out */ 310 return; 311} 312 313static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 314{ 315 memset(io, 0, dataSize); 316 io->data_size = dataSize; 317 io->data_start = sizeof(struct dm_ioctl); 318 io->version[0] = 4; 319 io->version[1] = 0; 320 io->version[2] = 0; 321 io->flags = flags; 322 if (name) { 323 strlcpy(io->name, name, sizeof(io->name)); 324 } 325} 326 327/** 328 * Gets the default device scrypt parameters for key derivation time tuning. 329 * The parameters should lead to about one second derivation time for the 330 * given device. 331 */ 332static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 333 const int default_params[] = SCRYPT_DEFAULTS; 334 int params[] = SCRYPT_DEFAULTS; 335 char paramstr[PROPERTY_VALUE_MAX]; 336 char *token; 337 char *saveptr; 338 int i; 339 340 property_get(SCRYPT_PROP, paramstr, ""); 341 if (paramstr[0] != '\0') { 342 /* 343 * The token we're looking for should be three integers separated by 344 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 345 */ 346 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 347 token != NULL && i < 3; 348 i++, token = strtok_r(NULL, ":", &saveptr)) { 349 char *endptr; 350 params[i] = strtol(token, &endptr, 10); 351 352 /* 353 * Check that there was a valid number and it's 8-bit. If not, 354 * break out and the end check will take the default values. 355 */ 356 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 357 break; 358 } 359 } 360 361 /* 362 * If there were not enough tokens or a token was malformed (not an 363 * integer), it will end up here and the default parameters can be 364 * taken. 365 */ 366 if ((i != 3) || (token != NULL)) { 367 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 368 memcpy(params, default_params, sizeof(params)); 369 } 370 } 371 372 ftr->N_factor = params[0]; 373 ftr->r_factor = params[1]; 374 ftr->p_factor = params[2]; 375} 376 377static unsigned int get_fs_size(char *dev) 378{ 379 int fd, block_size; 380 struct ext4_super_block sb; 381 off64_t len; 382 383 if ((fd = open(dev, O_RDONLY)) < 0) { 384 SLOGE("Cannot open device to get filesystem size "); 385 return 0; 386 } 387 388 if (lseek64(fd, 1024, SEEK_SET) < 0) { 389 SLOGE("Cannot seek to superblock"); 390 return 0; 391 } 392 393 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 394 SLOGE("Cannot read superblock"); 395 return 0; 396 } 397 398 close(fd); 399 400 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 401 SLOGE("Not a valid ext4 superblock"); 402 return 0; 403 } 404 block_size = 1024 << sb.s_log_block_size; 405 /* compute length in bytes */ 406 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 407 408 /* return length in sectors */ 409 return (unsigned int) (len / 512); 410} 411 412static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 413{ 414 static int cached_data = 0; 415 static off64_t cached_off = 0; 416 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 417 int fd; 418 char key_loc[PROPERTY_VALUE_MAX]; 419 char real_blkdev[PROPERTY_VALUE_MAX]; 420 int rc = -1; 421 422 if (!cached_data) { 423 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 424 425 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 426 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 427 SLOGE("Cannot open real block device %s\n", real_blkdev); 428 return -1; 429 } 430 431 unsigned long nr_sec = 0; 432 get_blkdev_size(fd, &nr_sec); 433 if (nr_sec != 0) { 434 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 435 * encryption info footer and key, and plenty of bytes to spare for future 436 * growth. 437 */ 438 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 439 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 440 cached_data = 1; 441 } else { 442 SLOGE("Cannot get size of block device %s\n", real_blkdev); 443 } 444 close(fd); 445 } else { 446 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 447 cached_off = 0; 448 cached_data = 1; 449 } 450 } 451 452 if (cached_data) { 453 if (metadata_fname) { 454 *metadata_fname = cached_metadata_fname; 455 } 456 if (off) { 457 *off = cached_off; 458 } 459 rc = 0; 460 } 461 462 return rc; 463} 464 465/* key or salt can be NULL, in which case just skip writing that value. Useful to 466 * update the failed mount count but not change the key. 467 */ 468static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 469{ 470 int fd; 471 unsigned int cnt; 472 /* starting_off is set to the SEEK_SET offset 473 * where the crypto structure starts 474 */ 475 off64_t starting_off; 476 int rc = -1; 477 char *fname = NULL; 478 struct stat statbuf; 479 480 if (get_crypt_ftr_info(&fname, &starting_off)) { 481 SLOGE("Unable to get crypt_ftr_info\n"); 482 return -1; 483 } 484 if (fname[0] != '/') { 485 SLOGE("Unexpected value for crypto key location\n"); 486 return -1; 487 } 488 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 489 SLOGE("Cannot open footer file %s for put\n", fname); 490 return -1; 491 } 492 493 /* Seek to the start of the crypt footer */ 494 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 495 SLOGE("Cannot seek to real block device footer\n"); 496 goto errout; 497 } 498 499 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 500 SLOGE("Cannot write real block device footer\n"); 501 goto errout; 502 } 503 504 fstat(fd, &statbuf); 505 /* If the keys are kept on a raw block device, do not try to truncate it. */ 506 if (S_ISREG(statbuf.st_mode)) { 507 if (ftruncate(fd, 0x4000)) { 508 SLOGE("Cannot set footer file size\n"); 509 goto errout; 510 } 511 } 512 513 /* Success! */ 514 rc = 0; 515 516errout: 517 close(fd); 518 return rc; 519 520} 521 522static inline int unix_read(int fd, void* buff, int len) 523{ 524 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 525} 526 527static inline int unix_write(int fd, const void* buff, int len) 528{ 529 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 530} 531 532static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 533{ 534 memset(pdata, 0, len); 535 pdata->persist_magic = PERSIST_DATA_MAGIC; 536 pdata->persist_valid_entries = 0; 537} 538 539/* A routine to update the passed in crypt_ftr to the lastest version. 540 * fd is open read/write on the device that holds the crypto footer and persistent 541 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 542 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 543 */ 544static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 545{ 546 int orig_major = crypt_ftr->major_version; 547 int orig_minor = crypt_ftr->minor_version; 548 549 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 550 struct crypt_persist_data *pdata; 551 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 552 553 SLOGW("upgrading crypto footer to 1.1"); 554 555 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 556 if (pdata == NULL) { 557 SLOGE("Cannot allocate persisent data\n"); 558 return; 559 } 560 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 561 562 /* Need to initialize the persistent data area */ 563 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 564 SLOGE("Cannot seek to persisent data offset\n"); 565 free(pdata); 566 return; 567 } 568 /* Write all zeros to the first copy, making it invalid */ 569 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 570 571 /* Write a valid but empty structure to the second copy */ 572 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 573 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 574 575 /* Update the footer */ 576 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 577 crypt_ftr->persist_data_offset[0] = pdata_offset; 578 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 579 crypt_ftr->minor_version = 1; 580 free(pdata); 581 } 582 583 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 584 SLOGW("upgrading crypto footer to 1.2"); 585 /* But keep the old kdf_type. 586 * It will get updated later to KDF_SCRYPT after the password has been verified. 587 */ 588 crypt_ftr->kdf_type = KDF_PBKDF2; 589 get_device_scrypt_params(crypt_ftr); 590 crypt_ftr->minor_version = 2; 591 } 592 593 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 594 SLOGW("upgrading crypto footer to 1.3"); 595 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 596 crypt_ftr->minor_version = 3; 597 } 598 599 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 600 if (lseek64(fd, offset, SEEK_SET) == -1) { 601 SLOGE("Cannot seek to crypt footer\n"); 602 return; 603 } 604 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 605 } 606} 607 608 609static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 610{ 611 int fd; 612 unsigned int cnt; 613 off64_t starting_off; 614 int rc = -1; 615 char *fname = NULL; 616 struct stat statbuf; 617 618 if (get_crypt_ftr_info(&fname, &starting_off)) { 619 SLOGE("Unable to get crypt_ftr_info\n"); 620 return -1; 621 } 622 if (fname[0] != '/') { 623 SLOGE("Unexpected value for crypto key location\n"); 624 return -1; 625 } 626 if ( (fd = open(fname, O_RDWR)) < 0) { 627 SLOGE("Cannot open footer file %s for get\n", fname); 628 return -1; 629 } 630 631 /* Make sure it's 16 Kbytes in length */ 632 fstat(fd, &statbuf); 633 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 634 SLOGE("footer file %s is not the expected size!\n", fname); 635 goto errout; 636 } 637 638 /* Seek to the start of the crypt footer */ 639 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 640 SLOGE("Cannot seek to real block device footer\n"); 641 goto errout; 642 } 643 644 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 645 SLOGE("Cannot read real block device footer\n"); 646 goto errout; 647 } 648 649 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 650 SLOGE("Bad magic for real block device %s\n", fname); 651 goto errout; 652 } 653 654 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 655 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 656 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 657 goto errout; 658 } 659 660 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 661 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 662 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 663 } 664 665 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 666 * copy on disk before returning. 667 */ 668 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 669 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 670 } 671 672 /* Success! */ 673 rc = 0; 674 675errout: 676 close(fd); 677 return rc; 678} 679 680static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 681{ 682 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 683 crypt_ftr->persist_data_offset[1]) { 684 SLOGE("Crypt_ftr persist data regions overlap"); 685 return -1; 686 } 687 688 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 689 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 690 return -1; 691 } 692 693 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 694 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 695 CRYPT_FOOTER_OFFSET) { 696 SLOGE("Persistent data extends past crypto footer"); 697 return -1; 698 } 699 700 return 0; 701} 702 703static int load_persistent_data(void) 704{ 705 struct crypt_mnt_ftr crypt_ftr; 706 struct crypt_persist_data *pdata = NULL; 707 char encrypted_state[PROPERTY_VALUE_MAX]; 708 char *fname; 709 int found = 0; 710 int fd; 711 int ret; 712 int i; 713 714 if (persist_data) { 715 /* Nothing to do, we've already loaded or initialized it */ 716 return 0; 717 } 718 719 720 /* If not encrypted, just allocate an empty table and initialize it */ 721 property_get("ro.crypto.state", encrypted_state, ""); 722 if (strcmp(encrypted_state, "encrypted") ) { 723 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 724 if (pdata) { 725 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 726 persist_data = pdata; 727 return 0; 728 } 729 return -1; 730 } 731 732 if(get_crypt_ftr_and_key(&crypt_ftr)) { 733 return -1; 734 } 735 736 if ((crypt_ftr.major_version < 1) 737 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 738 SLOGE("Crypt_ftr version doesn't support persistent data"); 739 return -1; 740 } 741 742 if (get_crypt_ftr_info(&fname, NULL)) { 743 return -1; 744 } 745 746 ret = validate_persistent_data_storage(&crypt_ftr); 747 if (ret) { 748 return -1; 749 } 750 751 fd = open(fname, O_RDONLY); 752 if (fd < 0) { 753 SLOGE("Cannot open %s metadata file", fname); 754 return -1; 755 } 756 757 if (persist_data == NULL) { 758 pdata = malloc(crypt_ftr.persist_data_size); 759 if (pdata == NULL) { 760 SLOGE("Cannot allocate memory for persistent data"); 761 goto err; 762 } 763 } 764 765 for (i = 0; i < 2; i++) { 766 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 767 SLOGE("Cannot seek to read persistent data on %s", fname); 768 goto err2; 769 } 770 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 771 SLOGE("Error reading persistent data on iteration %d", i); 772 goto err2; 773 } 774 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 775 found = 1; 776 break; 777 } 778 } 779 780 if (!found) { 781 SLOGI("Could not find valid persistent data, creating"); 782 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 783 } 784 785 /* Success */ 786 persist_data = pdata; 787 close(fd); 788 return 0; 789 790err2: 791 free(pdata); 792 793err: 794 close(fd); 795 return -1; 796} 797 798static int save_persistent_data(void) 799{ 800 struct crypt_mnt_ftr crypt_ftr; 801 struct crypt_persist_data *pdata; 802 char *fname; 803 off64_t write_offset; 804 off64_t erase_offset; 805 int fd; 806 int ret; 807 808 if (persist_data == NULL) { 809 SLOGE("No persistent data to save"); 810 return -1; 811 } 812 813 if(get_crypt_ftr_and_key(&crypt_ftr)) { 814 return -1; 815 } 816 817 if ((crypt_ftr.major_version < 1) 818 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 819 SLOGE("Crypt_ftr version doesn't support persistent data"); 820 return -1; 821 } 822 823 ret = validate_persistent_data_storage(&crypt_ftr); 824 if (ret) { 825 return -1; 826 } 827 828 if (get_crypt_ftr_info(&fname, NULL)) { 829 return -1; 830 } 831 832 fd = open(fname, O_RDWR); 833 if (fd < 0) { 834 SLOGE("Cannot open %s metadata file", fname); 835 return -1; 836 } 837 838 pdata = malloc(crypt_ftr.persist_data_size); 839 if (pdata == NULL) { 840 SLOGE("Cannot allocate persistant data"); 841 goto err; 842 } 843 844 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 845 SLOGE("Cannot seek to read persistent data on %s", fname); 846 goto err2; 847 } 848 849 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 850 SLOGE("Error reading persistent data before save"); 851 goto err2; 852 } 853 854 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 855 /* The first copy is the curent valid copy, so write to 856 * the second copy and erase this one */ 857 write_offset = crypt_ftr.persist_data_offset[1]; 858 erase_offset = crypt_ftr.persist_data_offset[0]; 859 } else { 860 /* The second copy must be the valid copy, so write to 861 * the first copy, and erase the second */ 862 write_offset = crypt_ftr.persist_data_offset[0]; 863 erase_offset = crypt_ftr.persist_data_offset[1]; 864 } 865 866 /* Write the new copy first, if successful, then erase the old copy */ 867 if (lseek64(fd, write_offset, SEEK_SET) < 0) { 868 SLOGE("Cannot seek to write persistent data"); 869 goto err2; 870 } 871 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 872 (int) crypt_ftr.persist_data_size) { 873 if (lseek64(fd, erase_offset, SEEK_SET) < 0) { 874 SLOGE("Cannot seek to erase previous persistent data"); 875 goto err2; 876 } 877 fsync(fd); 878 memset(pdata, 0, crypt_ftr.persist_data_size); 879 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 880 (int) crypt_ftr.persist_data_size) { 881 SLOGE("Cannot write to erase previous persistent data"); 882 goto err2; 883 } 884 fsync(fd); 885 } else { 886 SLOGE("Cannot write to save persistent data"); 887 goto err2; 888 } 889 890 /* Success */ 891 free(pdata); 892 close(fd); 893 return 0; 894 895err2: 896 free(pdata); 897err: 898 close(fd); 899 return -1; 900} 901 902static int hexdigit (char c) 903{ 904 if (c >= '0' && c <= '9') return c - '0'; 905 c = tolower(c); 906 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 907 return -1; 908} 909 910static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 911 unsigned int* out_keysize) 912{ 913 unsigned int i; 914 *out_keysize = 0; 915 916 size_t size = strlen (master_key_ascii); 917 if (size % 2) { 918 SLOGE("Trying to convert ascii string of odd length"); 919 return NULL; 920 } 921 922 unsigned char* master_key = (unsigned char*) malloc(size / 2); 923 if (master_key == 0) { 924 SLOGE("Cannot allocate"); 925 return NULL; 926 } 927 928 for (i = 0; i < size; i += 2) { 929 int high_nibble = hexdigit (master_key_ascii[i]); 930 int low_nibble = hexdigit (master_key_ascii[i + 1]); 931 932 if(high_nibble < 0 || low_nibble < 0) { 933 SLOGE("Invalid hex string"); 934 free (master_key); 935 return NULL; 936 } 937 938 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 939 (*out_keysize)++; 940 } 941 942 return master_key; 943} 944 945/* Convert a binary key of specified length into an ascii hex string equivalent, 946 * without the leading 0x and with null termination 947 */ 948static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 949 char *master_key_ascii) 950{ 951 unsigned int i, a; 952 unsigned char nibble; 953 954 for (i=0, a=0; i<keysize; i++, a+=2) { 955 /* For each byte, write out two ascii hex digits */ 956 nibble = (master_key[i] >> 4) & 0xf; 957 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 958 959 nibble = master_key[i] & 0xf; 960 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 961 } 962 963 /* Add the null termination */ 964 master_key_ascii[a] = '\0'; 965 966} 967 968static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 969 char *real_blk_name, const char *name, int fd, 970 char *extra_params) 971{ 972 _Alignas(struct dm_ioctl) char buffer[DM_CRYPT_BUF_SIZE]; 973 struct dm_ioctl *io; 974 struct dm_target_spec *tgt; 975 char *crypt_params; 976 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 977 int i; 978 979 io = (struct dm_ioctl *) buffer; 980 981 /* Load the mapping table for this device */ 982 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 983 984 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 985 io->target_count = 1; 986 tgt->status = 0; 987 tgt->sector_start = 0; 988 tgt->length = crypt_ftr->fs_size; 989#ifdef CONFIG_HW_DISK_ENCRYPTION 990 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 991 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 992 } 993 else { 994 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 995 } 996#else 997 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 998#endif 999 1000 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1001 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1002 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1003 master_key_ascii, real_blk_name, extra_params); 1004 crypt_params += strlen(crypt_params) + 1; 1005 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1006 tgt->next = crypt_params - buffer; 1007 1008 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1009 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1010 break; 1011 } 1012 usleep(500000); 1013 } 1014 1015 if (i == TABLE_LOAD_RETRIES) { 1016 /* We failed to load the table, return an error */ 1017 return -1; 1018 } else { 1019 return i + 1; 1020 } 1021} 1022 1023 1024static int get_dm_crypt_version(int fd, const char *name, int *version) 1025{ 1026 char buffer[DM_CRYPT_BUF_SIZE]; 1027 struct dm_ioctl *io; 1028 struct dm_target_versions *v; 1029 1030 io = (struct dm_ioctl *) buffer; 1031 1032 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1033 1034 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1035 return -1; 1036 } 1037 1038 /* Iterate over the returned versions, looking for name of "crypt". 1039 * When found, get and return the version. 1040 */ 1041 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1042 while (v->next) { 1043#ifdef CONFIG_HW_DISK_ENCRYPTION 1044 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1045#else 1046 if (! strcmp(v->name, "crypt")) { 1047#endif 1048 /* We found the crypt driver, return the version, and get out */ 1049 version[0] = v->version[0]; 1050 version[1] = v->version[1]; 1051 version[2] = v->version[2]; 1052 return 0; 1053 } 1054 v = (struct dm_target_versions *)(((char *)v) + v->next); 1055 } 1056 1057 return -1; 1058} 1059 1060static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1061 char *real_blk_name, char *crypto_blk_name, const char *name) 1062{ 1063 char buffer[DM_CRYPT_BUF_SIZE]; 1064 struct dm_ioctl *io; 1065 unsigned int minor; 1066 int fd=0; 1067 int retval = -1; 1068 int version[3]; 1069 char *extra_params; 1070 int load_count; 1071 1072 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1073 SLOGE("Cannot open device-mapper\n"); 1074 goto errout; 1075 } 1076 1077 io = (struct dm_ioctl *) buffer; 1078 1079 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1080 if (ioctl(fd, DM_DEV_CREATE, io)) { 1081 SLOGE("Cannot create dm-crypt device\n"); 1082 goto errout; 1083 } 1084 1085 /* Get the device status, in particular, the name of it's device file */ 1086 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1087 if (ioctl(fd, DM_DEV_STATUS, io)) { 1088 SLOGE("Cannot retrieve dm-crypt device status\n"); 1089 goto errout; 1090 } 1091 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1092 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1093 1094 extra_params = ""; 1095 if (! get_dm_crypt_version(fd, name, version)) { 1096 /* Support for allow_discards was added in version 1.11.0 */ 1097 if ((version[0] >= 2) || 1098 ((version[0] == 1) && (version[1] >= 11))) { 1099 extra_params = "1 allow_discards"; 1100 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1101 } 1102 } 1103 1104 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1105 fd, extra_params); 1106 if (load_count < 0) { 1107 SLOGE("Cannot load dm-crypt mapping table.\n"); 1108 goto errout; 1109 } else if (load_count > 1) { 1110 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1111 } 1112 1113 /* Resume this device to activate it */ 1114 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1115 1116 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1117 SLOGE("Cannot resume the dm-crypt device\n"); 1118 goto errout; 1119 } 1120 1121 /* We made it here with no errors. Woot! */ 1122 retval = 0; 1123 1124errout: 1125 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1126 1127 return retval; 1128} 1129 1130static int delete_crypto_blk_dev(char *name) 1131{ 1132 int fd; 1133 char buffer[DM_CRYPT_BUF_SIZE]; 1134 struct dm_ioctl *io; 1135 int retval = -1; 1136 1137 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1138 SLOGE("Cannot open device-mapper\n"); 1139 goto errout; 1140 } 1141 1142 io = (struct dm_ioctl *) buffer; 1143 1144 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1145 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1146 SLOGE("Cannot remove dm-crypt device\n"); 1147 goto errout; 1148 } 1149 1150 /* We made it here with no errors. Woot! */ 1151 retval = 0; 1152 1153errout: 1154 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1155 1156 return retval; 1157 1158} 1159 1160static int pbkdf2(const char *passwd, const unsigned char *salt, 1161 unsigned char *ikey, void *params UNUSED) 1162{ 1163 SLOGI("Using pbkdf2 for cryptfs KDF"); 1164 1165 /* Turn the password into a key and IV that can decrypt the master key */ 1166 unsigned int keysize; 1167 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1168 if (!master_key) return -1; 1169 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1170 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1171 1172 memset(master_key, 0, keysize); 1173 free (master_key); 1174 return 0; 1175} 1176 1177static int scrypt(const char *passwd, const unsigned char *salt, 1178 unsigned char *ikey, void *params) 1179{ 1180 SLOGI("Using scrypt for cryptfs KDF"); 1181 1182 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1183 1184 int N = 1 << ftr->N_factor; 1185 int r = 1 << ftr->r_factor; 1186 int p = 1 << ftr->p_factor; 1187 1188 /* Turn the password into a key and IV that can decrypt the master key */ 1189 unsigned int keysize; 1190 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1191 if (!master_key) return -1; 1192 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1193 KEY_LEN_BYTES + IV_LEN_BYTES); 1194 1195 memset(master_key, 0, keysize); 1196 free (master_key); 1197 return 0; 1198} 1199 1200static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1201 unsigned char *ikey, void *params) 1202{ 1203 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1204 1205 int rc; 1206 unsigned int key_size; 1207 size_t signature_size; 1208 unsigned char* signature; 1209 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1210 1211 int N = 1 << ftr->N_factor; 1212 int r = 1 << ftr->r_factor; 1213 int p = 1 << ftr->p_factor; 1214 1215 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1216 if (!master_key) { 1217 SLOGE("Failed to convert passwd from hex"); 1218 return -1; 1219 } 1220 1221 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1222 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1223 memset(master_key, 0, key_size); 1224 free(master_key); 1225 1226 if (rc) { 1227 SLOGE("scrypt failed"); 1228 return -1; 1229 } 1230 1231 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1232 &signature, &signature_size)) { 1233 SLOGE("Signing failed"); 1234 return -1; 1235 } 1236 1237 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1238 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1239 free(signature); 1240 1241 if (rc) { 1242 SLOGE("scrypt failed"); 1243 return -1; 1244 } 1245 1246 return 0; 1247} 1248 1249static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1250 const unsigned char *decrypted_master_key, 1251 unsigned char *encrypted_master_key, 1252 struct crypt_mnt_ftr *crypt_ftr) 1253{ 1254 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1255 EVP_CIPHER_CTX e_ctx; 1256 int encrypted_len, final_len; 1257 int rc = 0; 1258 1259 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1260 get_device_scrypt_params(crypt_ftr); 1261 1262 switch (crypt_ftr->kdf_type) { 1263 case KDF_SCRYPT_KEYMASTER: 1264 if (keymaster_create_key(crypt_ftr)) { 1265 SLOGE("keymaster_create_key failed"); 1266 return -1; 1267 } 1268 1269 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1270 SLOGE("scrypt failed"); 1271 return -1; 1272 } 1273 break; 1274 1275 case KDF_SCRYPT: 1276 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1277 SLOGE("scrypt failed"); 1278 return -1; 1279 } 1280 break; 1281 1282 default: 1283 SLOGE("Invalid kdf_type"); 1284 return -1; 1285 } 1286 1287 /* Initialize the decryption engine */ 1288 EVP_CIPHER_CTX_init(&e_ctx); 1289 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1290 SLOGE("EVP_EncryptInit failed\n"); 1291 return -1; 1292 } 1293 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1294 1295 /* Encrypt the master key */ 1296 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1297 decrypted_master_key, KEY_LEN_BYTES)) { 1298 SLOGE("EVP_EncryptUpdate failed\n"); 1299 return -1; 1300 } 1301 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1302 SLOGE("EVP_EncryptFinal failed\n"); 1303 return -1; 1304 } 1305 1306 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1307 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1308 return -1; 1309 } 1310 1311 /* Store the scrypt of the intermediate key, so we can validate if it's a 1312 password error or mount error when things go wrong. 1313 Note there's no need to check for errors, since if this is incorrect, we 1314 simply won't wipe userdata, which is the correct default behavior 1315 */ 1316 int N = 1 << crypt_ftr->N_factor; 1317 int r = 1 << crypt_ftr->r_factor; 1318 int p = 1 << crypt_ftr->p_factor; 1319 1320 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1321 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1322 crypt_ftr->scrypted_intermediate_key, 1323 sizeof(crypt_ftr->scrypted_intermediate_key)); 1324 1325 if (rc) { 1326 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1327 } 1328 1329 return 0; 1330} 1331 1332static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1333 unsigned char *encrypted_master_key, 1334 unsigned char *decrypted_master_key, 1335 kdf_func kdf, void *kdf_params, 1336 unsigned char** intermediate_key, 1337 size_t* intermediate_key_size) 1338{ 1339 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1340 EVP_CIPHER_CTX d_ctx; 1341 int decrypted_len, final_len; 1342 1343 /* Turn the password into an intermediate key and IV that can decrypt the 1344 master key */ 1345 if (kdf(passwd, salt, ikey, kdf_params)) { 1346 SLOGE("kdf failed"); 1347 return -1; 1348 } 1349 1350 /* Initialize the decryption engine */ 1351 EVP_CIPHER_CTX_init(&d_ctx); 1352 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1353 return -1; 1354 } 1355 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1356 /* Decrypt the master key */ 1357 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1358 encrypted_master_key, KEY_LEN_BYTES)) { 1359 return -1; 1360 } 1361 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1362 return -1; 1363 } 1364 1365 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1366 return -1; 1367 } 1368 1369 /* Copy intermediate key if needed by params */ 1370 if (intermediate_key && intermediate_key_size) { 1371 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1372 if (intermediate_key) { 1373 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1374 *intermediate_key_size = KEY_LEN_BYTES; 1375 } 1376 } 1377 1378 return 0; 1379} 1380 1381static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1382{ 1383 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1384 *kdf = scrypt_keymaster; 1385 *kdf_params = ftr; 1386 } else if (ftr->kdf_type == KDF_SCRYPT) { 1387 *kdf = scrypt; 1388 *kdf_params = ftr; 1389 } else { 1390 *kdf = pbkdf2; 1391 *kdf_params = NULL; 1392 } 1393} 1394 1395static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1396 struct crypt_mnt_ftr *crypt_ftr, 1397 unsigned char** intermediate_key, 1398 size_t* intermediate_key_size) 1399{ 1400 kdf_func kdf; 1401 void *kdf_params; 1402 int ret; 1403 1404 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1405 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1406 decrypted_master_key, kdf, kdf_params, 1407 intermediate_key, intermediate_key_size); 1408 if (ret != 0) { 1409 SLOGW("failure decrypting master key"); 1410 } 1411 1412 return ret; 1413} 1414 1415static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1416 struct crypt_mnt_ftr *crypt_ftr) { 1417 int fd; 1418 unsigned char key_buf[KEY_LEN_BYTES]; 1419 1420 /* Get some random bits for a key */ 1421 fd = open("/dev/urandom", O_RDONLY); 1422 read(fd, key_buf, sizeof(key_buf)); 1423 read(fd, salt, SALT_LEN); 1424 close(fd); 1425 1426 /* Now encrypt it with the password */ 1427 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1428} 1429 1430static int wait_and_unmount(char *mountpoint, bool kill) 1431{ 1432 int i, err, rc; 1433#define WAIT_UNMOUNT_COUNT 20 1434 1435 /* Now umount the tmpfs filesystem */ 1436 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1437 if (umount(mountpoint) == 0) { 1438 break; 1439 } 1440 1441 if (errno == EINVAL) { 1442 /* EINVAL is returned if the directory is not a mountpoint, 1443 * i.e. there is no filesystem mounted there. So just get out. 1444 */ 1445 break; 1446 } 1447 1448 err = errno; 1449 1450 /* If allowed, be increasingly aggressive before the last two retries */ 1451 if (kill) { 1452 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1453 SLOGW("sending SIGHUP to processes with open files\n"); 1454 vold_killProcessesWithOpenFiles(mountpoint, SIGTERM); 1455 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1456 SLOGW("sending SIGKILL to processes with open files\n"); 1457 vold_killProcessesWithOpenFiles(mountpoint, SIGKILL); 1458 } 1459 } 1460 1461 sleep(1); 1462 } 1463 1464 if (i < WAIT_UNMOUNT_COUNT) { 1465 SLOGD("unmounting %s succeeded\n", mountpoint); 1466 rc = 0; 1467 } else { 1468 vold_killProcessesWithOpenFiles(mountpoint, 0); 1469 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1470 rc = -1; 1471 } 1472 1473 return rc; 1474} 1475 1476#define DATA_PREP_TIMEOUT 200 1477static int prep_data_fs(void) 1478{ 1479 int i; 1480 1481 /* Do the prep of the /data filesystem */ 1482 property_set("vold.post_fs_data_done", "0"); 1483 property_set("vold.decrypt", "trigger_post_fs_data"); 1484 SLOGD("Just triggered post_fs_data\n"); 1485 1486 /* Wait a max of 50 seconds, hopefully it takes much less */ 1487 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1488 char p[PROPERTY_VALUE_MAX]; 1489 1490 property_get("vold.post_fs_data_done", p, "0"); 1491 if (*p == '1') { 1492 break; 1493 } else { 1494 usleep(250000); 1495 } 1496 } 1497 if (i == DATA_PREP_TIMEOUT) { 1498 /* Ugh, we failed to prep /data in time. Bail. */ 1499 SLOGE("post_fs_data timed out!\n"); 1500 return -1; 1501 } else { 1502 SLOGD("post_fs_data done\n"); 1503 return 0; 1504 } 1505} 1506 1507static void cryptfs_set_corrupt() 1508{ 1509 // Mark the footer as bad 1510 struct crypt_mnt_ftr crypt_ftr; 1511 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1512 SLOGE("Failed to get crypto footer - panic"); 1513 return; 1514 } 1515 1516 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1517 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1518 SLOGE("Failed to set crypto footer - panic"); 1519 return; 1520 } 1521} 1522 1523static void cryptfs_trigger_restart_min_framework() 1524{ 1525 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1526 SLOGE("Failed to mount tmpfs on data - panic"); 1527 return; 1528 } 1529 1530 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1531 SLOGE("Failed to trigger post fs data - panic"); 1532 return; 1533 } 1534 1535 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1536 SLOGE("Failed to trigger restart min framework - panic"); 1537 return; 1538 } 1539} 1540 1541/* returns < 0 on failure */ 1542static int cryptfs_restart_internal(int restart_main) 1543{ 1544 char crypto_blkdev[MAXPATHLEN]; 1545 int rc = -1; 1546 static int restart_successful = 0; 1547 1548 /* Validate that it's OK to call this routine */ 1549 if (! master_key_saved) { 1550 SLOGE("Encrypted filesystem not validated, aborting"); 1551 return -1; 1552 } 1553 1554 if (restart_successful) { 1555 SLOGE("System already restarted with encrypted disk, aborting"); 1556 return -1; 1557 } 1558 1559 if (restart_main) { 1560 /* Here is where we shut down the framework. The init scripts 1561 * start all services in one of three classes: core, main or late_start. 1562 * On boot, we start core and main. Now, we stop main, but not core, 1563 * as core includes vold and a few other really important things that 1564 * we need to keep running. Once main has stopped, we should be able 1565 * to umount the tmpfs /data, then mount the encrypted /data. 1566 * We then restart the class main, and also the class late_start. 1567 * At the moment, I've only put a few things in late_start that I know 1568 * are not needed to bring up the framework, and that also cause problems 1569 * with unmounting the tmpfs /data, but I hope to add add more services 1570 * to the late_start class as we optimize this to decrease the delay 1571 * till the user is asked for the password to the filesystem. 1572 */ 1573 1574 /* The init files are setup to stop the class main when vold.decrypt is 1575 * set to trigger_reset_main. 1576 */ 1577 property_set("vold.decrypt", "trigger_reset_main"); 1578 SLOGD("Just asked init to shut down class main\n"); 1579 1580 /* Ugh, shutting down the framework is not synchronous, so until it 1581 * can be fixed, this horrible hack will wait a moment for it all to 1582 * shut down before proceeding. Without it, some devices cannot 1583 * restart the graphics services. 1584 */ 1585 sleep(2); 1586 } 1587 1588 /* Now that the framework is shutdown, we should be able to umount() 1589 * the tmpfs filesystem, and mount the real one. 1590 */ 1591 1592 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1593 if (strlen(crypto_blkdev) == 0) { 1594 SLOGE("fs_crypto_blkdev not set\n"); 1595 return -1; 1596 } 1597 1598 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1599 /* If ro.crypto.readonly is set to 1, mount the decrypted 1600 * filesystem readonly. This is used when /data is mounted by 1601 * recovery mode. 1602 */ 1603 char ro_prop[PROPERTY_VALUE_MAX]; 1604 property_get("ro.crypto.readonly", ro_prop, ""); 1605 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1606 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1607 rec->flags |= MS_RDONLY; 1608 } 1609 1610 /* If that succeeded, then mount the decrypted filesystem */ 1611 int retries = RETRY_MOUNT_ATTEMPTS; 1612 int mount_rc; 1613 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1614 crypto_blkdev, 0)) 1615 != 0) { 1616 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1617 /* TODO: invoke something similar to 1618 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1619 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1620 SLOGI("Failed to mount %s because it is busy - waiting", 1621 crypto_blkdev); 1622 if (--retries) { 1623 sleep(RETRY_MOUNT_DELAY_SECONDS); 1624 } else { 1625 /* Let's hope that a reboot clears away whatever is keeping 1626 the mount busy */ 1627 cryptfs_reboot(reboot); 1628 } 1629 } else { 1630 SLOGE("Failed to mount decrypted data"); 1631 cryptfs_set_corrupt(); 1632 cryptfs_trigger_restart_min_framework(); 1633 SLOGI("Started framework to offer wipe"); 1634 return -1; 1635 } 1636 } 1637 1638 property_set("vold.decrypt", "trigger_load_persist_props"); 1639 /* Create necessary paths on /data */ 1640 if (prep_data_fs()) { 1641 return -1; 1642 } 1643 1644 /* startup service classes main and late_start */ 1645 property_set("vold.decrypt", "trigger_restart_framework"); 1646 SLOGD("Just triggered restart_framework\n"); 1647 1648 /* Give it a few moments to get started */ 1649 sleep(1); 1650 } 1651 1652 if (rc == 0) { 1653 restart_successful = 1; 1654 } 1655 1656 return rc; 1657} 1658 1659int cryptfs_restart(void) 1660{ 1661 SLOGI("cryptfs_restart"); 1662 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 1663 struct fstab_rec* rec; 1664 int rc; 1665 1666 if (e4crypt_restart(DATA_MNT_POINT)) { 1667 SLOGE("Can't unmount e4crypt temp volume\n"); 1668 return -1; 1669 } 1670 1671 rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1672 if (!rec) { 1673 SLOGE("Can't get fstab record for %s\n", DATA_MNT_POINT); 1674 return -1; 1675 } 1676 1677 rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, rec->blk_device, 0); 1678 if (rc) { 1679 SLOGE("Can't mount %s\n", DATA_MNT_POINT); 1680 return rc; 1681 } 1682 1683 property_set("vold.decrypt", "trigger_restart_framework"); 1684 return 0; 1685 } 1686 1687 /* Call internal implementation forcing a restart of main service group */ 1688 return cryptfs_restart_internal(1); 1689} 1690 1691static int do_crypto_complete(char *mount_point) 1692{ 1693 struct crypt_mnt_ftr crypt_ftr; 1694 char encrypted_state[PROPERTY_VALUE_MAX]; 1695 char key_loc[PROPERTY_VALUE_MAX]; 1696 1697 property_get("ro.crypto.state", encrypted_state, ""); 1698 if (strcmp(encrypted_state, "encrypted") ) { 1699 SLOGE("not running with encryption, aborting"); 1700 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1701 } 1702 1703 if (e4crypt_crypto_complete(mount_point) == 0) { 1704 return CRYPTO_COMPLETE_ENCRYPTED; 1705 } 1706 1707 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1708 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1709 1710 /* 1711 * Only report this error if key_loc is a file and it exists. 1712 * If the device was never encrypted, and /data is not mountable for 1713 * some reason, returning 1 should prevent the UI from presenting the 1714 * a "enter password" screen, or worse, a "press button to wipe the 1715 * device" screen. 1716 */ 1717 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1718 SLOGE("master key file does not exist, aborting"); 1719 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1720 } else { 1721 SLOGE("Error getting crypt footer and key\n"); 1722 return CRYPTO_COMPLETE_BAD_METADATA; 1723 } 1724 } 1725 1726 // Test for possible error flags 1727 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1728 SLOGE("Encryption process is partway completed\n"); 1729 return CRYPTO_COMPLETE_PARTIAL; 1730 } 1731 1732 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1733 SLOGE("Encryption process was interrupted but cannot continue\n"); 1734 return CRYPTO_COMPLETE_INCONSISTENT; 1735 } 1736 1737 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1738 SLOGE("Encryption is successful but data is corrupt\n"); 1739 return CRYPTO_COMPLETE_CORRUPT; 1740 } 1741 1742 /* We passed the test! We shall diminish, and return to the west */ 1743 return CRYPTO_COMPLETE_ENCRYPTED; 1744} 1745 1746static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1747 char *passwd, char *mount_point, char *label) 1748{ 1749 /* Allocate enough space for a 256 bit key, but we may use less */ 1750 unsigned char decrypted_master_key[32]; 1751 char crypto_blkdev[MAXPATHLEN]; 1752 char real_blkdev[MAXPATHLEN]; 1753 char tmp_mount_point[64]; 1754 unsigned int orig_failed_decrypt_count; 1755 int rc; 1756 int use_keymaster = 0; 1757 int upgrade = 0; 1758 unsigned char* intermediate_key = 0; 1759 size_t intermediate_key_size = 0; 1760 1761 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1762 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1763 1764 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1765 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1766 &intermediate_key, &intermediate_key_size)) { 1767 SLOGE("Failed to decrypt master key\n"); 1768 rc = -1; 1769 goto errout; 1770 } 1771 } 1772 1773 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1774 1775#ifdef CONFIG_HW_DISK_ENCRYPTION 1776 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1777 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1778 SLOGE("Hardware encryption key does not match"); 1779 } 1780 } 1781#endif 1782 1783 // Create crypto block device - all (non fatal) code paths 1784 // need it 1785 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1786 real_blkdev, crypto_blkdev, label)) { 1787 SLOGE("Error creating decrypted block device\n"); 1788 rc = -1; 1789 goto errout; 1790 } 1791 1792 /* Work out if the problem is the password or the data */ 1793 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1794 scrypted_intermediate_key)]; 1795 int N = 1 << crypt_ftr->N_factor; 1796 int r = 1 << crypt_ftr->r_factor; 1797 int p = 1 << crypt_ftr->p_factor; 1798 1799 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1800 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1801 N, r, p, scrypted_intermediate_key, 1802 sizeof(scrypted_intermediate_key)); 1803 1804 // Does the key match the crypto footer? 1805 if (rc == 0 && memcmp(scrypted_intermediate_key, 1806 crypt_ftr->scrypted_intermediate_key, 1807 sizeof(scrypted_intermediate_key)) == 0) { 1808 SLOGI("Password matches"); 1809 rc = 0; 1810 } else { 1811 /* Try mounting the file system anyway, just in case the problem's with 1812 * the footer, not the key. */ 1813 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1814 mkdir(tmp_mount_point, 0755); 1815 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1816 SLOGE("Error temp mounting decrypted block device\n"); 1817 delete_crypto_blk_dev(label); 1818 1819 rc = ++crypt_ftr->failed_decrypt_count; 1820 put_crypt_ftr_and_key(crypt_ftr); 1821 } else { 1822 /* Success! */ 1823 SLOGI("Password did not match but decrypted drive mounted - continue"); 1824 umount(tmp_mount_point); 1825 rc = 0; 1826 } 1827 } 1828 1829 if (rc == 0) { 1830 crypt_ftr->failed_decrypt_count = 0; 1831 if (orig_failed_decrypt_count != 0) { 1832 put_crypt_ftr_and_key(crypt_ftr); 1833 } 1834 1835 /* Save the name of the crypto block device 1836 * so we can mount it when restarting the framework. */ 1837 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1838 1839 /* Also save a the master key so we can reencrypted the key 1840 * the key when we want to change the password on it. */ 1841 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1842 saved_mount_point = strdup(mount_point); 1843 master_key_saved = 1; 1844 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1845 rc = 0; 1846 1847 // Upgrade if we're not using the latest KDF. 1848 use_keymaster = keymaster_check_compatibility(); 1849 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1850 // Don't allow downgrade 1851 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1852 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1853 upgrade = 1; 1854 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1855 crypt_ftr->kdf_type = KDF_SCRYPT; 1856 upgrade = 1; 1857 } 1858 1859 if (upgrade) { 1860 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1861 crypt_ftr->master_key, crypt_ftr); 1862 if (!rc) { 1863 rc = put_crypt_ftr_and_key(crypt_ftr); 1864 } 1865 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1866 1867 // Do not fail even if upgrade failed - machine is bootable 1868 // Note that if this code is ever hit, there is a *serious* problem 1869 // since KDFs should never fail. You *must* fix the kdf before 1870 // proceeding! 1871 if (rc) { 1872 SLOGW("Upgrade failed with error %d," 1873 " but continuing with previous state", 1874 rc); 1875 rc = 0; 1876 } 1877 } 1878 } 1879 1880 errout: 1881 if (intermediate_key) { 1882 memset(intermediate_key, 0, intermediate_key_size); 1883 free(intermediate_key); 1884 } 1885 return rc; 1886} 1887 1888/* Called by vold when it wants to undo the crypto mapping of a volume it 1889 * manages. This is usually in response to a factory reset, when we want 1890 * to undo the crypto mapping so the volume is formatted in the clear. 1891 */ 1892int cryptfs_revert_volume(const char *label) 1893{ 1894 return delete_crypto_blk_dev((char *)label); 1895} 1896 1897/* 1898 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1899 * Setup a dm-crypt mapping, use the saved master key from 1900 * setting up the /data mapping, and return the new device path. 1901 */ 1902int cryptfs_setup_volume(const char *label, int major, int minor, 1903 char *crypto_sys_path, unsigned int max_path, 1904 int *new_major, int *new_minor) 1905{ 1906 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1907 struct crypt_mnt_ftr sd_crypt_ftr; 1908 struct stat statbuf; 1909 1910 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1911 1912 get_crypt_ftr_and_key(&sd_crypt_ftr); 1913 1914 /* Update the fs_size field to be the size of the volume */ 1915 int fd = open(real_blkdev, O_RDONLY); 1916 if (fd == -1) { 1917 SLOGE("Cannot open volume %s\n", real_blkdev); 1918 return -1; 1919 } 1920 1921 unsigned long nr_sec = 0; 1922 get_blkdev_size(fd, &nr_sec); 1923 close(fd); 1924 1925 if (nr_sec == 0) { 1926 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1927 return -1; 1928 } 1929 1930 sd_crypt_ftr.fs_size = nr_sec; 1931 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1932 crypto_blkdev, label); 1933 1934 if (stat(crypto_blkdev, &statbuf) < 0) { 1935 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1936 crypto_blkdev, errno, strerror(errno)); 1937 } 1938 *new_major = MAJOR(statbuf.st_rdev); 1939 *new_minor = MINOR(statbuf.st_rdev); 1940 1941 /* Create path to sys entry for this block device */ 1942 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1943 1944 return 0; 1945} 1946 1947int cryptfs_crypto_complete(void) 1948{ 1949 return do_crypto_complete("/data"); 1950} 1951 1952int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1953{ 1954 char encrypted_state[PROPERTY_VALUE_MAX]; 1955 property_get("ro.crypto.state", encrypted_state, ""); 1956 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1957 SLOGE("encrypted fs already validated or not running with encryption," 1958 " aborting"); 1959 return -1; 1960 } 1961 1962 if (get_crypt_ftr_and_key(crypt_ftr)) { 1963 SLOGE("Error getting crypt footer and key"); 1964 return -1; 1965 } 1966 1967 return 0; 1968} 1969 1970/* 1971 * TODO - transition patterns to new format in calling code 1972 * and remove this vile hack, and the use of hex in 1973 * the password passing code. 1974 * 1975 * Patterns are passed in zero based (i.e. the top left dot 1976 * is represented by zero, the top middle one etc), but we want 1977 * to store them '1' based. 1978 * This is to allow us to migrate the calling code to use this 1979 * convention. It also solves a nasty problem whereby scrypt ignores 1980 * trailing zeros, so patterns ending at the top left could be 1981 * truncated, and similarly, you could add the top left to any 1982 * pattern and still match. 1983 * adjust_passwd is a hack function that returns the alternate representation 1984 * if the password appears to be a pattern (hex numbers all less than 09) 1985 * If it succeeds we need to try both, and in particular try the alternate 1986 * first. If the original matches, then we need to update the footer 1987 * with the alternate. 1988 * All code that accepts passwords must adjust them first. Since 1989 * cryptfs_check_passwd is always the first function called after a migration 1990 * (and indeed on any boot) we only need to do the double try in this 1991 * function. 1992 */ 1993char* adjust_passwd(const char* passwd) 1994{ 1995 size_t index, length; 1996 1997 if (!passwd) { 1998 return 0; 1999 } 2000 2001 // Check even length. Hex encoded passwords are always 2002 // an even length, since each character encodes to two characters. 2003 length = strlen(passwd); 2004 if (length % 2) { 2005 SLOGW("Password not correctly hex encoded."); 2006 return 0; 2007 } 2008 2009 // Check password is old-style pattern - a collection of hex 2010 // encoded bytes less than 9 (00 through 08) 2011 for (index = 0; index < length; index +=2) { 2012 if (passwd[index] != '0' 2013 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 2014 return 0; 2015 } 2016 } 2017 2018 // Allocate room for adjusted passwd and null terminate 2019 char* adjusted = malloc(length + 1); 2020 adjusted[length] = 0; 2021 2022 // Add 0x31 ('1') to each character 2023 for (index = 0; index < length; index += 2) { 2024 // output is 31 through 39 so set first byte to three, second to src + 1 2025 adjusted[index] = '3'; 2026 adjusted[index + 1] = passwd[index + 1] + 1; 2027 } 2028 2029 return adjusted; 2030} 2031 2032int cryptfs_check_passwd(char *passwd) 2033{ 2034 SLOGI("cryptfs_check_passwd"); 2035 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 2036 return e4crypt_check_passwd(DATA_MNT_POINT, passwd); 2037 } 2038 2039 struct crypt_mnt_ftr crypt_ftr; 2040 int rc; 2041 2042 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2043 if (rc) 2044 return rc; 2045 2046 char* adjusted_passwd = adjust_passwd(passwd); 2047 if (adjusted_passwd) { 2048 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2049 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2050 DATA_MNT_POINT, "userdata"); 2051 2052 // Maybe the original one still works? 2053 if (rc) { 2054 // Don't double count this failure 2055 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2056 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2057 DATA_MNT_POINT, "userdata"); 2058 if (!rc) { 2059 // cryptfs_changepw also adjusts so pass original 2060 // Note that adjust_passwd only recognises patterns 2061 // so we can safely use CRYPT_TYPE_PATTERN 2062 SLOGI("Updating pattern to new format"); 2063 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2064 } 2065 } 2066 free(adjusted_passwd); 2067 } else { 2068 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2069 DATA_MNT_POINT, "userdata"); 2070 } 2071 2072 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2073 cryptfs_clear_password(); 2074 password = strdup(passwd); 2075 struct timespec now; 2076 clock_gettime(CLOCK_BOOTTIME, &now); 2077 password_expiry_time = now.tv_sec + password_max_age_seconds; 2078 } 2079 2080 return rc; 2081} 2082 2083int cryptfs_verify_passwd(char *passwd) 2084{ 2085 struct crypt_mnt_ftr crypt_ftr; 2086 /* Allocate enough space for a 256 bit key, but we may use less */ 2087 unsigned char decrypted_master_key[32]; 2088 char encrypted_state[PROPERTY_VALUE_MAX]; 2089 int rc; 2090 2091 property_get("ro.crypto.state", encrypted_state, ""); 2092 if (strcmp(encrypted_state, "encrypted") ) { 2093 SLOGE("device not encrypted, aborting"); 2094 return -2; 2095 } 2096 2097 if (!master_key_saved) { 2098 SLOGE("encrypted fs not yet mounted, aborting"); 2099 return -1; 2100 } 2101 2102 if (!saved_mount_point) { 2103 SLOGE("encrypted fs failed to save mount point, aborting"); 2104 return -1; 2105 } 2106 2107 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2108 SLOGE("Error getting crypt footer and key\n"); 2109 return -1; 2110 } 2111 2112 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2113 /* If the device has no password, then just say the password is valid */ 2114 rc = 0; 2115 } else { 2116 char* adjusted_passwd = adjust_passwd(passwd); 2117 if (adjusted_passwd) { 2118 passwd = adjusted_passwd; 2119 } 2120 2121 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2122 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2123 /* They match, the password is correct */ 2124 rc = 0; 2125 } else { 2126 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2127 sleep(1); 2128 rc = 1; 2129 } 2130 2131 free(adjusted_passwd); 2132 } 2133 2134 return rc; 2135} 2136 2137/* Initialize a crypt_mnt_ftr structure. The keysize is 2138 * defaulted to 16 bytes, and the filesystem size to 0. 2139 * Presumably, at a minimum, the caller will update the 2140 * filesystem size and crypto_type_name after calling this function. 2141 */ 2142static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2143{ 2144 off64_t off; 2145 2146 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2147 ftr->magic = CRYPT_MNT_MAGIC; 2148 ftr->major_version = CURRENT_MAJOR_VERSION; 2149 ftr->minor_version = CURRENT_MINOR_VERSION; 2150 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2151 ftr->keysize = KEY_LEN_BYTES; 2152 2153 switch (keymaster_check_compatibility()) { 2154 case 1: 2155 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2156 break; 2157 2158 case 0: 2159 ftr->kdf_type = KDF_SCRYPT; 2160 break; 2161 2162 default: 2163 SLOGE("keymaster_check_compatibility failed"); 2164 return -1; 2165 } 2166 2167 get_device_scrypt_params(ftr); 2168 2169 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2170 if (get_crypt_ftr_info(NULL, &off) == 0) { 2171 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2172 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2173 ftr->persist_data_size; 2174 } 2175 2176 return 0; 2177} 2178 2179static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2180{ 2181 const char *args[10]; 2182 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2183 int num_args; 2184 int status; 2185 int tmp; 2186 int rc = -1; 2187 2188 if (type == EXT4_FS) { 2189 args[0] = "/system/bin/make_ext4fs"; 2190 args[1] = "-a"; 2191 args[2] = "/data"; 2192 args[3] = "-l"; 2193 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2194 args[4] = size_str; 2195 args[5] = crypto_blkdev; 2196 num_args = 6; 2197 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2198 args[0], args[1], args[2], args[3], args[4], args[5]); 2199 } else if (type == F2FS_FS) { 2200 args[0] = "/system/bin/mkfs.f2fs"; 2201 args[1] = "-t"; 2202 args[2] = "-d1"; 2203 args[3] = crypto_blkdev; 2204 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2205 args[4] = size_str; 2206 num_args = 5; 2207 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2208 args[0], args[1], args[2], args[3], args[4]); 2209 } else { 2210 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2211 return -1; 2212 } 2213 2214 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2215 2216 if (tmp != 0) { 2217 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2218 } else { 2219 if (WIFEXITED(status)) { 2220 if (WEXITSTATUS(status)) { 2221 SLOGE("Error creating filesystem on %s, exit status %d ", 2222 crypto_blkdev, WEXITSTATUS(status)); 2223 } else { 2224 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2225 rc = 0; 2226 } 2227 } else { 2228 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2229 } 2230 } 2231 2232 return rc; 2233} 2234 2235#define CRYPT_INPLACE_BUFSIZE 4096 2236#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2237#define CRYPT_SECTOR_SIZE 512 2238 2239/* aligned 32K writes tends to make flash happy. 2240 * SD card association recommends it. 2241 */ 2242#ifndef CONFIG_HW_DISK_ENCRYPTION 2243#define BLOCKS_AT_A_TIME 8 2244#else 2245#define BLOCKS_AT_A_TIME 1024 2246#endif 2247 2248struct encryptGroupsData 2249{ 2250 int realfd; 2251 int cryptofd; 2252 off64_t numblocks; 2253 off64_t one_pct, cur_pct, new_pct; 2254 off64_t blocks_already_done, tot_numblocks; 2255 off64_t used_blocks_already_done, tot_used_blocks; 2256 char* real_blkdev, * crypto_blkdev; 2257 int count; 2258 off64_t offset; 2259 char* buffer; 2260 off64_t last_written_sector; 2261 int completed; 2262 time_t time_started; 2263 int remaining_time; 2264}; 2265 2266static void update_progress(struct encryptGroupsData* data, int is_used) 2267{ 2268 data->blocks_already_done++; 2269 2270 if (is_used) { 2271 data->used_blocks_already_done++; 2272 } 2273 if (data->tot_used_blocks) { 2274 data->new_pct = data->used_blocks_already_done / data->one_pct; 2275 } else { 2276 data->new_pct = data->blocks_already_done / data->one_pct; 2277 } 2278 2279 if (data->new_pct > data->cur_pct) { 2280 char buf[8]; 2281 data->cur_pct = data->new_pct; 2282 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2283 property_set("vold.encrypt_progress", buf); 2284 } 2285 2286 if (data->cur_pct >= 5) { 2287 struct timespec time_now; 2288 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2289 SLOGW("Error getting time"); 2290 } else { 2291 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2292 off64_t remaining_blocks = data->tot_used_blocks 2293 - data->used_blocks_already_done; 2294 int remaining_time = (int)(elapsed_time * remaining_blocks 2295 / data->used_blocks_already_done); 2296 2297 // Change time only if not yet set, lower, or a lot higher for 2298 // best user experience 2299 if (data->remaining_time == -1 2300 || remaining_time < data->remaining_time 2301 || remaining_time > data->remaining_time + 60) { 2302 char buf[8]; 2303 snprintf(buf, sizeof(buf), "%d", remaining_time); 2304 property_set("vold.encrypt_time_remaining", buf); 2305 data->remaining_time = remaining_time; 2306 } 2307 } 2308 } 2309} 2310 2311static void log_progress(struct encryptGroupsData const* data, bool completed) 2312{ 2313 // Precondition - if completed data = 0 else data != 0 2314 2315 // Track progress so we can skip logging blocks 2316 static off64_t offset = -1; 2317 2318 // Need to close existing 'Encrypting from' log? 2319 if (completed || (offset != -1 && data->offset != offset)) { 2320 SLOGI("Encrypted to sector %" PRId64, 2321 offset / info.block_size * CRYPT_SECTOR_SIZE); 2322 offset = -1; 2323 } 2324 2325 // Need to start new 'Encrypting from' log? 2326 if (!completed && offset != data->offset) { 2327 SLOGI("Encrypting from sector %" PRId64, 2328 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2329 } 2330 2331 // Update offset 2332 if (!completed) { 2333 offset = data->offset + (off64_t)data->count * info.block_size; 2334 } 2335} 2336 2337static int flush_outstanding_data(struct encryptGroupsData* data) 2338{ 2339 if (data->count == 0) { 2340 return 0; 2341 } 2342 2343 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2344 2345 if (pread64(data->realfd, data->buffer, 2346 info.block_size * data->count, data->offset) 2347 <= 0) { 2348 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2349 data->real_blkdev); 2350 return -1; 2351 } 2352 2353 if (pwrite64(data->cryptofd, data->buffer, 2354 info.block_size * data->count, data->offset) 2355 <= 0) { 2356 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2357 data->crypto_blkdev); 2358 return -1; 2359 } else { 2360 log_progress(data, false); 2361 } 2362 2363 data->count = 0; 2364 data->last_written_sector = (data->offset + data->count) 2365 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2366 return 0; 2367} 2368 2369static int encrypt_groups(struct encryptGroupsData* data) 2370{ 2371 unsigned int i; 2372 u8 *block_bitmap = 0; 2373 unsigned int block; 2374 off64_t ret; 2375 int rc = -1; 2376 2377 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2378 if (!data->buffer) { 2379 SLOGE("Failed to allocate crypto buffer"); 2380 goto errout; 2381 } 2382 2383 block_bitmap = malloc(info.block_size); 2384 if (!block_bitmap) { 2385 SLOGE("failed to allocate block bitmap"); 2386 goto errout; 2387 } 2388 2389 for (i = 0; i < aux_info.groups; ++i) { 2390 SLOGI("Encrypting group %d", i); 2391 2392 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2393 u32 block_count = min(info.blocks_per_group, 2394 aux_info.len_blocks - first_block); 2395 2396 off64_t offset = (u64)info.block_size 2397 * aux_info.bg_desc[i].bg_block_bitmap; 2398 2399 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2400 if (ret != (int)info.block_size) { 2401 SLOGE("failed to read all of block group bitmap %d", i); 2402 goto errout; 2403 } 2404 2405 offset = (u64)info.block_size * first_block; 2406 2407 data->count = 0; 2408 2409 for (block = 0; block < block_count; block++) { 2410 int used = bitmap_get_bit(block_bitmap, block); 2411 update_progress(data, used); 2412 if (used) { 2413 if (data->count == 0) { 2414 data->offset = offset; 2415 } 2416 data->count++; 2417 } else { 2418 if (flush_outstanding_data(data)) { 2419 goto errout; 2420 } 2421 } 2422 2423 offset += info.block_size; 2424 2425 /* Write data if we are aligned or buffer size reached */ 2426 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2427 || data->count == BLOCKS_AT_A_TIME) { 2428 if (flush_outstanding_data(data)) { 2429 goto errout; 2430 } 2431 } 2432 2433 if (!is_battery_ok_to_continue()) { 2434 SLOGE("Stopping encryption due to low battery"); 2435 rc = 0; 2436 goto errout; 2437 } 2438 2439 } 2440 if (flush_outstanding_data(data)) { 2441 goto errout; 2442 } 2443 } 2444 2445 data->completed = 1; 2446 rc = 0; 2447 2448errout: 2449 log_progress(0, true); 2450 free(data->buffer); 2451 free(block_bitmap); 2452 return rc; 2453} 2454 2455static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2456 char *real_blkdev, 2457 off64_t size, 2458 off64_t *size_already_done, 2459 off64_t tot_size, 2460 off64_t previously_encrypted_upto) 2461{ 2462 u32 i; 2463 struct encryptGroupsData data; 2464 int rc; // Can't initialize without causing warning -Wclobbered 2465 2466 if (previously_encrypted_upto > *size_already_done) { 2467 SLOGD("Not fast encrypting since resuming part way through"); 2468 return -1; 2469 } 2470 2471 memset(&data, 0, sizeof(data)); 2472 data.real_blkdev = real_blkdev; 2473 data.crypto_blkdev = crypto_blkdev; 2474 2475 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2476 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2477 real_blkdev, errno, strerror(errno)); 2478 rc = -1; 2479 goto errout; 2480 } 2481 2482 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2483 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2484 crypto_blkdev, errno, strerror(errno)); 2485 rc = ENABLE_INPLACE_ERR_DEV; 2486 goto errout; 2487 } 2488 2489 if (setjmp(setjmp_env)) { 2490 SLOGE("Reading ext4 extent caused an exception\n"); 2491 rc = -1; 2492 goto errout; 2493 } 2494 2495 if (read_ext(data.realfd, 0) != 0) { 2496 SLOGE("Failed to read ext4 extent\n"); 2497 rc = -1; 2498 goto errout; 2499 } 2500 2501 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2502 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2503 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2504 2505 SLOGI("Encrypting ext4 filesystem in place..."); 2506 2507 data.tot_used_blocks = data.numblocks; 2508 for (i = 0; i < aux_info.groups; ++i) { 2509 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2510 } 2511 2512 data.one_pct = data.tot_used_blocks / 100; 2513 data.cur_pct = 0; 2514 2515 struct timespec time_started = {0}; 2516 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2517 SLOGW("Error getting time at start"); 2518 // Note - continue anyway - we'll run with 0 2519 } 2520 data.time_started = time_started.tv_sec; 2521 data.remaining_time = -1; 2522 2523 rc = encrypt_groups(&data); 2524 if (rc) { 2525 SLOGE("Error encrypting groups"); 2526 goto errout; 2527 } 2528 2529 *size_already_done += data.completed ? size : data.last_written_sector; 2530 rc = 0; 2531 2532errout: 2533 close(data.realfd); 2534 close(data.cryptofd); 2535 2536 return rc; 2537} 2538 2539static void log_progress_f2fs(u64 block, bool completed) 2540{ 2541 // Precondition - if completed data = 0 else data != 0 2542 2543 // Track progress so we can skip logging blocks 2544 static u64 last_block = (u64)-1; 2545 2546 // Need to close existing 'Encrypting from' log? 2547 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2548 SLOGI("Encrypted to block %" PRId64, last_block); 2549 last_block = -1; 2550 } 2551 2552 // Need to start new 'Encrypting from' log? 2553 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2554 SLOGI("Encrypting from block %" PRId64, block); 2555 } 2556 2557 // Update offset 2558 if (!completed) { 2559 last_block = block; 2560 } 2561} 2562 2563static int encrypt_one_block_f2fs(u64 pos, void *data) 2564{ 2565 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2566 2567 priv_dat->blocks_already_done = pos - 1; 2568 update_progress(priv_dat, 1); 2569 2570 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2571 2572 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2573 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2574 return -1; 2575 } 2576 2577 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2578 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2579 return -1; 2580 } else { 2581 log_progress_f2fs(pos, false); 2582 } 2583 2584 return 0; 2585} 2586 2587static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2588 char *real_blkdev, 2589 off64_t size, 2590 off64_t *size_already_done, 2591 off64_t tot_size, 2592 off64_t previously_encrypted_upto) 2593{ 2594 struct encryptGroupsData data; 2595 struct f2fs_info *f2fs_info = NULL; 2596 int rc = ENABLE_INPLACE_ERR_OTHER; 2597 if (previously_encrypted_upto > *size_already_done) { 2598 SLOGD("Not fast encrypting since resuming part way through"); 2599 return ENABLE_INPLACE_ERR_OTHER; 2600 } 2601 memset(&data, 0, sizeof(data)); 2602 data.real_blkdev = real_blkdev; 2603 data.crypto_blkdev = crypto_blkdev; 2604 data.realfd = -1; 2605 data.cryptofd = -1; 2606 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2607 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2608 real_blkdev); 2609 goto errout; 2610 } 2611 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2612 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2613 crypto_blkdev, errno, strerror(errno)); 2614 rc = ENABLE_INPLACE_ERR_DEV; 2615 goto errout; 2616 } 2617 2618 f2fs_info = generate_f2fs_info(data.realfd); 2619 if (!f2fs_info) 2620 goto errout; 2621 2622 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2623 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2624 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2625 2626 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2627 2628 data.one_pct = data.tot_used_blocks / 100; 2629 data.cur_pct = 0; 2630 data.time_started = time(NULL); 2631 data.remaining_time = -1; 2632 2633 data.buffer = malloc(f2fs_info->block_size); 2634 if (!data.buffer) { 2635 SLOGE("Failed to allocate crypto buffer"); 2636 goto errout; 2637 } 2638 2639 data.count = 0; 2640 2641 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2642 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2643 2644 if (rc) { 2645 SLOGE("Error in running over f2fs blocks"); 2646 rc = ENABLE_INPLACE_ERR_OTHER; 2647 goto errout; 2648 } 2649 2650 *size_already_done += size; 2651 rc = 0; 2652 2653errout: 2654 if (rc) 2655 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2656 2657 log_progress_f2fs(0, true); 2658 free(f2fs_info); 2659 free(data.buffer); 2660 close(data.realfd); 2661 close(data.cryptofd); 2662 2663 return rc; 2664} 2665 2666static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2667 off64_t size, off64_t *size_already_done, 2668 off64_t tot_size, 2669 off64_t previously_encrypted_upto) 2670{ 2671 int realfd, cryptofd; 2672 char *buf[CRYPT_INPLACE_BUFSIZE]; 2673 int rc = ENABLE_INPLACE_ERR_OTHER; 2674 off64_t numblocks, i, remainder; 2675 off64_t one_pct, cur_pct, new_pct; 2676 off64_t blocks_already_done, tot_numblocks; 2677 2678 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2679 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2680 return ENABLE_INPLACE_ERR_OTHER; 2681 } 2682 2683 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2684 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2685 crypto_blkdev, errno, strerror(errno)); 2686 close(realfd); 2687 return ENABLE_INPLACE_ERR_DEV; 2688 } 2689 2690 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2691 * The size passed in is the number of 512 byte sectors in the filesystem. 2692 * So compute the number of whole 4K blocks we should read/write, 2693 * and the remainder. 2694 */ 2695 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2696 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2697 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2698 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2699 2700 SLOGE("Encrypting filesystem in place..."); 2701 2702 i = previously_encrypted_upto + 1 - *size_already_done; 2703 2704 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2705 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2706 goto errout; 2707 } 2708 2709 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2710 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2711 goto errout; 2712 } 2713 2714 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2715 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2716 SLOGE("Error reading initial sectors from real_blkdev %s for " 2717 "inplace encrypt\n", crypto_blkdev); 2718 goto errout; 2719 } 2720 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2721 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2722 "inplace encrypt\n", crypto_blkdev); 2723 goto errout; 2724 } else { 2725 SLOGI("Encrypted 1 block at %" PRId64, i); 2726 } 2727 } 2728 2729 one_pct = tot_numblocks / 100; 2730 cur_pct = 0; 2731 /* process the majority of the filesystem in blocks */ 2732 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2733 new_pct = (i + blocks_already_done) / one_pct; 2734 if (new_pct > cur_pct) { 2735 char buf[8]; 2736 2737 cur_pct = new_pct; 2738 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2739 property_set("vold.encrypt_progress", buf); 2740 } 2741 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2742 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2743 goto errout; 2744 } 2745 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2746 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2747 goto errout; 2748 } else { 2749 SLOGD("Encrypted %d block at %" PRId64, 2750 CRYPT_SECTORS_PER_BUFSIZE, 2751 i * CRYPT_SECTORS_PER_BUFSIZE); 2752 } 2753 2754 if (!is_battery_ok_to_continue()) { 2755 SLOGE("Stopping encryption due to low battery"); 2756 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2757 rc = 0; 2758 goto errout; 2759 } 2760 } 2761 2762 /* Do any remaining sectors */ 2763 for (i=0; i<remainder; i++) { 2764 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2765 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2766 goto errout; 2767 } 2768 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2769 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2770 goto errout; 2771 } else { 2772 SLOGI("Encrypted 1 block at next location"); 2773 } 2774 } 2775 2776 *size_already_done += size; 2777 rc = 0; 2778 2779errout: 2780 close(realfd); 2781 close(cryptofd); 2782 2783 return rc; 2784} 2785 2786/* returns on of the ENABLE_INPLACE_* return codes */ 2787static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2788 off64_t size, off64_t *size_already_done, 2789 off64_t tot_size, 2790 off64_t previously_encrypted_upto) 2791{ 2792 int rc_ext4, rc_f2fs, rc_full; 2793 if (previously_encrypted_upto) { 2794 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2795 } 2796 2797 if (*size_already_done + size < previously_encrypted_upto) { 2798 *size_already_done += size; 2799 return 0; 2800 } 2801 2802 /* TODO: identify filesystem type. 2803 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2804 * then we will drop down to cryptfs_enable_inplace_f2fs. 2805 * */ 2806 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2807 size, size_already_done, 2808 tot_size, previously_encrypted_upto)) == 0) { 2809 return 0; 2810 } 2811 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2812 2813 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2814 size, size_already_done, 2815 tot_size, previously_encrypted_upto)) == 0) { 2816 return 0; 2817 } 2818 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2819 2820 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2821 size, size_already_done, tot_size, 2822 previously_encrypted_upto); 2823 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2824 2825 /* Hack for b/17898962, the following is the symptom... */ 2826 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2827 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2828 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2829 return ENABLE_INPLACE_ERR_DEV; 2830 } 2831 return rc_full; 2832} 2833 2834#define CRYPTO_ENABLE_WIPE 1 2835#define CRYPTO_ENABLE_INPLACE 2 2836 2837#define FRAMEWORK_BOOT_WAIT 60 2838 2839static inline int should_encrypt(struct volume_info *volume) 2840{ 2841 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2842 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2843} 2844 2845static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2846{ 2847 int fd = open(filename, O_RDONLY); 2848 if (fd == -1) { 2849 SLOGE("Error opening file %s", filename); 2850 return -1; 2851 } 2852 2853 char block[CRYPT_INPLACE_BUFSIZE]; 2854 memset(block, 0, sizeof(block)); 2855 if (unix_read(fd, block, sizeof(block)) < 0) { 2856 SLOGE("Error reading file %s", filename); 2857 close(fd); 2858 return -1; 2859 } 2860 2861 close(fd); 2862 2863 SHA256_CTX c; 2864 SHA256_Init(&c); 2865 SHA256_Update(&c, block, sizeof(block)); 2866 SHA256_Final(buf, &c); 2867 2868 return 0; 2869} 2870 2871static int get_fs_type(struct fstab_rec *rec) 2872{ 2873 if (!strcmp(rec->fs_type, "ext4")) { 2874 return EXT4_FS; 2875 } else if (!strcmp(rec->fs_type, "f2fs")) { 2876 return F2FS_FS; 2877 } else { 2878 return -1; 2879 } 2880} 2881 2882static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2883 char *crypto_blkdev, char *real_blkdev, 2884 int previously_encrypted_upto) 2885{ 2886 off64_t cur_encryption_done=0, tot_encryption_size=0; 2887 int rc = -1; 2888 2889 if (!is_battery_ok_to_start()) { 2890 SLOGW("Not starting encryption due to low battery"); 2891 return 0; 2892 } 2893 2894 /* The size of the userdata partition, and add in the vold volumes below */ 2895 tot_encryption_size = crypt_ftr->fs_size; 2896 2897 if (how == CRYPTO_ENABLE_WIPE) { 2898 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2899 int fs_type = get_fs_type(rec); 2900 if (fs_type < 0) { 2901 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2902 return -1; 2903 } 2904 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2905 } else if (how == CRYPTO_ENABLE_INPLACE) { 2906 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2907 crypt_ftr->fs_size, &cur_encryption_done, 2908 tot_encryption_size, 2909 previously_encrypted_upto); 2910 2911 if (rc == ENABLE_INPLACE_ERR_DEV) { 2912 /* Hack for b/17898962 */ 2913 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2914 cryptfs_reboot(reboot); 2915 } 2916 2917 if (!rc) { 2918 crypt_ftr->encrypted_upto = cur_encryption_done; 2919 } 2920 2921 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2922 /* The inplace routine never actually sets the progress to 100% due 2923 * to the round down nature of integer division, so set it here */ 2924 property_set("vold.encrypt_progress", "100"); 2925 } 2926 } else { 2927 /* Shouldn't happen */ 2928 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2929 rc = -1; 2930 } 2931 2932 return rc; 2933} 2934 2935int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2936 int allow_reboot) 2937{ 2938 int how = 0; 2939 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2940 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2941 int rc=-1, i; 2942 struct crypt_mnt_ftr crypt_ftr; 2943 struct crypt_persist_data *pdata; 2944 char encrypted_state[PROPERTY_VALUE_MAX]; 2945 char lockid[32] = { 0 }; 2946 char key_loc[PROPERTY_VALUE_MAX]; 2947 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2948 char *sd_mnt_point; 2949 int num_vols; 2950 struct volume_info *vol_list = 0; 2951 off64_t previously_encrypted_upto = 0; 2952 2953 if (!strcmp(howarg, "wipe")) { 2954 how = CRYPTO_ENABLE_WIPE; 2955 } else if (! strcmp(howarg, "inplace")) { 2956 how = CRYPTO_ENABLE_INPLACE; 2957 } else { 2958 /* Shouldn't happen, as CommandListener vets the args */ 2959 goto error_unencrypted; 2960 } 2961 2962 /* See if an encryption was underway and interrupted */ 2963 if (how == CRYPTO_ENABLE_INPLACE 2964 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2965 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2966 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2967 crypt_ftr.encrypted_upto = 0; 2968 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2969 2970 /* At this point, we are in an inconsistent state. Until we successfully 2971 complete encryption, a reboot will leave us broken. So mark the 2972 encryption failed in case that happens. 2973 On successfully completing encryption, remove this flag */ 2974 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2975 2976 put_crypt_ftr_and_key(&crypt_ftr); 2977 } 2978 2979 property_get("ro.crypto.state", encrypted_state, ""); 2980 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2981 SLOGE("Device is already running encrypted, aborting"); 2982 goto error_unencrypted; 2983 } 2984 2985 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2986 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2987 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2988 2989 /* Get the size of the real block device */ 2990 int fd = open(real_blkdev, O_RDONLY); 2991 if (fd == -1) { 2992 SLOGE("Cannot open block device %s\n", real_blkdev); 2993 goto error_unencrypted; 2994 } 2995 unsigned long nr_sec; 2996 get_blkdev_size(fd, &nr_sec); 2997 if (nr_sec == 0) { 2998 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2999 goto error_unencrypted; 3000 } 3001 close(fd); 3002 3003 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 3004 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 3005 unsigned int fs_size_sec, max_fs_size_sec; 3006 fs_size_sec = get_fs_size(real_blkdev); 3007 if (fs_size_sec == 0) 3008 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 3009 3010 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3011 3012 if (fs_size_sec > max_fs_size_sec) { 3013 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 3014 goto error_unencrypted; 3015 } 3016 } 3017 3018 /* Get a wakelock as this may take a while, and we don't want the 3019 * device to sleep on us. We'll grab a partial wakelock, and if the UI 3020 * wants to keep the screen on, it can grab a full wakelock. 3021 */ 3022 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 3023 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 3024 3025 /* Get the sdcard mount point */ 3026 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 3027 if (!sd_mnt_point) { 3028 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 3029 } 3030 if (!sd_mnt_point) { 3031 sd_mnt_point = "/mnt/sdcard"; 3032 } 3033 3034 /* TODO 3035 * Currently do not have test devices with multiple encryptable volumes. 3036 * When we acquire some, re-add support. 3037 */ 3038 num_vols=vold_getNumDirectVolumes(); 3039 vol_list = malloc(sizeof(struct volume_info) * num_vols); 3040 vold_getDirectVolumeList(vol_list); 3041 3042 for (i=0; i<num_vols; i++) { 3043 if (should_encrypt(&vol_list[i])) { 3044 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 3045 "%s\n", vol_list[i].label); 3046 goto error_unencrypted; 3047 } 3048 } 3049 3050 /* The init files are setup to stop the class main and late start when 3051 * vold sets trigger_shutdown_framework. 3052 */ 3053 property_set("vold.decrypt", "trigger_shutdown_framework"); 3054 SLOGD("Just asked init to shut down class main\n"); 3055 3056 if (vold_unmountAllAsecs()) { 3057 /* Just report the error. If any are left mounted, 3058 * umounting /data below will fail and handle the error. 3059 */ 3060 SLOGE("Error unmounting internal asecs"); 3061 } 3062 3063 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3064 if (!strcmp(fuse_sdcard, "true")) { 3065 // STOPSHIP: UNMOUNT ALL STORAGE BEFORE REACHING HERE, SINCE VOLD NOW MANAGES FUSE 3066 // "ro.crypto.fuse_sdcard" is now deprecated 3067 3068 /* This is a device using the fuse layer to emulate the sdcard semantics 3069 * on top of the userdata partition. vold does not manage it, it is managed 3070 * by the sdcard service. The sdcard service was killed by the property trigger 3071 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3072 * unlike the case for vold managed devices above. 3073 */ 3074 if (wait_and_unmount(sd_mnt_point, false)) { 3075 goto error_shutting_down; 3076 } 3077 } 3078 3079 /* Now unmount the /data partition. */ 3080 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3081 if (allow_reboot) { 3082 goto error_shutting_down; 3083 } else { 3084 goto error_unencrypted; 3085 } 3086 } 3087 3088 /* Do extra work for a better UX when doing the long inplace encryption */ 3089 if (how == CRYPTO_ENABLE_INPLACE) { 3090 /* Now that /data is unmounted, we need to mount a tmpfs 3091 * /data, set a property saying we're doing inplace encryption, 3092 * and restart the framework. 3093 */ 3094 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3095 goto error_shutting_down; 3096 } 3097 /* Tells the framework that inplace encryption is starting */ 3098 property_set("vold.encrypt_progress", "0"); 3099 3100 /* restart the framework. */ 3101 /* Create necessary paths on /data */ 3102 if (prep_data_fs()) { 3103 goto error_shutting_down; 3104 } 3105 3106 /* Ugh, shutting down the framework is not synchronous, so until it 3107 * can be fixed, this horrible hack will wait a moment for it all to 3108 * shut down before proceeding. Without it, some devices cannot 3109 * restart the graphics services. 3110 */ 3111 sleep(2); 3112 } 3113 3114 /* Start the actual work of making an encrypted filesystem */ 3115 /* Initialize a crypt_mnt_ftr for the partition */ 3116 if (previously_encrypted_upto == 0) { 3117 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3118 goto error_shutting_down; 3119 } 3120 3121 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3122 crypt_ftr.fs_size = nr_sec 3123 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3124 } else { 3125 crypt_ftr.fs_size = nr_sec; 3126 } 3127 /* At this point, we are in an inconsistent state. Until we successfully 3128 complete encryption, a reboot will leave us broken. So mark the 3129 encryption failed in case that happens. 3130 On successfully completing encryption, remove this flag */ 3131 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3132 crypt_ftr.crypt_type = crypt_type; 3133#ifndef CONFIG_HW_DISK_ENCRYPTION 3134 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3135#else 3136 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3137 3138 rc = clear_hw_device_encryption_key(); 3139 if (!rc) { 3140 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3141 } 3142 3143 rc = set_hw_device_encryption_key(passwd, 3144 (char*) crypt_ftr.crypto_type_name); 3145 if (!rc) { 3146 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3147 goto error_shutting_down; 3148 } 3149#endif 3150 3151 /* Make an encrypted master key */ 3152 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3153 SLOGE("Cannot create encrypted master key\n"); 3154 goto error_shutting_down; 3155 } 3156 3157 /* Write the key to the end of the partition */ 3158 put_crypt_ftr_and_key(&crypt_ftr); 3159 3160 /* If any persistent data has been remembered, save it. 3161 * If none, create a valid empty table and save that. 3162 */ 3163 if (!persist_data) { 3164 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3165 if (pdata) { 3166 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3167 persist_data = pdata; 3168 } 3169 } 3170 if (persist_data) { 3171 save_persistent_data(); 3172 } 3173 } 3174 3175 if (how == CRYPTO_ENABLE_INPLACE) { 3176 /* startup service classes main and late_start */ 3177 property_set("vold.decrypt", "trigger_restart_min_framework"); 3178 SLOGD("Just triggered restart_min_framework\n"); 3179 3180 /* OK, the framework is restarted and will soon be showing a 3181 * progress bar. Time to setup an encrypted mapping, and 3182 * either write a new filesystem, or encrypt in place updating 3183 * the progress bar as we work. 3184 */ 3185 } 3186 3187 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3188 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3189 "userdata"); 3190 3191 /* If we are continuing, check checksums match */ 3192 rc = 0; 3193 if (previously_encrypted_upto) { 3194 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3195 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3196 3197 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3198 sizeof(hash_first_block)) != 0) { 3199 SLOGE("Checksums do not match - trigger wipe"); 3200 rc = -1; 3201 } 3202 } 3203 3204 if (!rc) { 3205 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3206 crypto_blkdev, real_blkdev, 3207 previously_encrypted_upto); 3208 } 3209 3210 /* Calculate checksum if we are not finished */ 3211 if (!rc && how == CRYPTO_ENABLE_INPLACE 3212 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3213 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3214 crypt_ftr.hash_first_block); 3215 if (rc) { 3216 SLOGE("Error calculating checksum for continuing encryption"); 3217 rc = -1; 3218 } 3219 } 3220 3221 /* Undo the dm-crypt mapping whether we succeed or not */ 3222 delete_crypto_blk_dev("userdata"); 3223 3224 free(vol_list); 3225 3226 if (! rc) { 3227 /* Success */ 3228 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3229 3230 if (how == CRYPTO_ENABLE_INPLACE 3231 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3232 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3233 crypt_ftr.encrypted_upto); 3234 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3235 } 3236 3237 put_crypt_ftr_and_key(&crypt_ftr); 3238 3239 if (how == CRYPTO_ENABLE_WIPE 3240 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3241 char value[PROPERTY_VALUE_MAX]; 3242 property_get("ro.crypto.state", value, ""); 3243 if (!strcmp(value, "")) { 3244 /* default encryption - continue first boot sequence */ 3245 property_set("ro.crypto.state", "encrypted"); 3246 release_wake_lock(lockid); 3247 cryptfs_check_passwd(DEFAULT_PASSWORD); 3248 cryptfs_restart_internal(1); 3249 return 0; 3250 } else { 3251 sleep(2); /* Give the UI a chance to show 100% progress */ 3252 cryptfs_reboot(reboot); 3253 } 3254 } else { 3255 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3256 cryptfs_reboot(shutdown); 3257 } 3258 } else { 3259 char value[PROPERTY_VALUE_MAX]; 3260 3261 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3262 if (!strcmp(value, "1")) { 3263 /* wipe data if encryption failed */ 3264 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3265 mkdir("/cache/recovery", 0700); 3266 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3267 if (fd >= 0) { 3268 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3269 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3270 close(fd); 3271 } else { 3272 SLOGE("could not open /cache/recovery/command\n"); 3273 } 3274 cryptfs_reboot(recovery); 3275 } else { 3276 /* set property to trigger dialog */ 3277 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3278 release_wake_lock(lockid); 3279 } 3280 return -1; 3281 } 3282 3283 /* hrm, the encrypt step claims success, but the reboot failed. 3284 * This should not happen. 3285 * Set the property and return. Hope the framework can deal with it. 3286 */ 3287 property_set("vold.encrypt_progress", "error_reboot_failed"); 3288 release_wake_lock(lockid); 3289 return rc; 3290 3291error_unencrypted: 3292 free(vol_list); 3293 property_set("vold.encrypt_progress", "error_not_encrypted"); 3294 if (lockid[0]) { 3295 release_wake_lock(lockid); 3296 } 3297 return -1; 3298 3299error_shutting_down: 3300 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3301 * but the framework is stopped and not restarted to show the error, so it's up to 3302 * vold to restart the system. 3303 */ 3304 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3305 cryptfs_reboot(reboot); 3306 3307 /* shouldn't get here */ 3308 property_set("vold.encrypt_progress", "error_shutting_down"); 3309 free(vol_list); 3310 if (lockid[0]) { 3311 release_wake_lock(lockid); 3312 } 3313 return -1; 3314} 3315 3316int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3317{ 3318 char* adjusted_passwd = adjust_passwd(passwd); 3319 if (adjusted_passwd) { 3320 passwd = adjusted_passwd; 3321 } 3322 3323 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3324 3325 free(adjusted_passwd); 3326 return rc; 3327} 3328 3329int cryptfs_enable_default(char *howarg, int allow_reboot) 3330{ 3331 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3332 DEFAULT_PASSWORD, allow_reboot); 3333} 3334 3335int cryptfs_changepw(int crypt_type, const char *newpw) 3336{ 3337 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3338 return e4crypt_change_password(DATA_MNT_POINT, crypt_type, newpw); 3339 } 3340 3341 struct crypt_mnt_ftr crypt_ftr; 3342 int rc; 3343 3344 /* This is only allowed after we've successfully decrypted the master key */ 3345 if (!master_key_saved) { 3346 SLOGE("Key not saved, aborting"); 3347 return -1; 3348 } 3349 3350 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3351 SLOGE("Invalid crypt_type %d", crypt_type); 3352 return -1; 3353 } 3354 3355 /* get key */ 3356 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3357 SLOGE("Error getting crypt footer and key"); 3358 return -1; 3359 } 3360 3361 crypt_ftr.crypt_type = crypt_type; 3362 3363 char* adjusted_passwd = adjust_passwd(newpw); 3364 if (adjusted_passwd) { 3365 newpw = adjusted_passwd; 3366 } 3367 3368 rc = encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3369 : newpw, 3370 crypt_ftr.salt, 3371 saved_master_key, 3372 crypt_ftr.master_key, 3373 &crypt_ftr); 3374 free(adjusted_passwd); 3375 if (rc) { 3376 SLOGE("Encrypt master key failed: %d", rc); 3377 return -1; 3378 } 3379 /* save the key */ 3380 put_crypt_ftr_and_key(&crypt_ftr); 3381 3382#ifdef CONFIG_HW_DISK_ENCRYPTION 3383 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3384 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3385 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3386 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3387 if (!rc) 3388 return -1; 3389 } else { 3390 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3391 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3392 if (!rc) 3393 return -1; 3394 } 3395 } 3396#endif 3397 return 0; 3398} 3399 3400static unsigned int persist_get_max_entries(int encrypted) { 3401 struct crypt_mnt_ftr crypt_ftr; 3402 unsigned int dsize; 3403 unsigned int max_persistent_entries; 3404 3405 /* If encrypted, use the values from the crypt_ftr, otherwise 3406 * use the values for the current spec. 3407 */ 3408 if (encrypted) { 3409 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3410 return -1; 3411 } 3412 dsize = crypt_ftr.persist_data_size; 3413 } else { 3414 dsize = CRYPT_PERSIST_DATA_SIZE; 3415 } 3416 3417 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3418 sizeof(struct crypt_persist_entry); 3419 3420 return max_persistent_entries; 3421} 3422 3423static int persist_get_key(const char *fieldname, char *value) 3424{ 3425 unsigned int i; 3426 3427 if (persist_data == NULL) { 3428 return -1; 3429 } 3430 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3431 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3432 /* We found it! */ 3433 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3434 return 0; 3435 } 3436 } 3437 3438 return -1; 3439} 3440 3441static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3442{ 3443 unsigned int i; 3444 unsigned int num; 3445 unsigned int max_persistent_entries; 3446 3447 if (persist_data == NULL) { 3448 return -1; 3449 } 3450 3451 max_persistent_entries = persist_get_max_entries(encrypted); 3452 3453 num = persist_data->persist_valid_entries; 3454 3455 for (i = 0; i < num; i++) { 3456 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3457 /* We found an existing entry, update it! */ 3458 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3459 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3460 return 0; 3461 } 3462 } 3463 3464 /* We didn't find it, add it to the end, if there is room */ 3465 if (persist_data->persist_valid_entries < max_persistent_entries) { 3466 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3467 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3468 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3469 persist_data->persist_valid_entries++; 3470 return 0; 3471 } 3472 3473 return -1; 3474} 3475 3476/** 3477 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3478 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3479 */ 3480static int match_multi_entry(const char *key, const char *field, unsigned index) { 3481 unsigned int field_len; 3482 unsigned int key_index; 3483 field_len = strlen(field); 3484 3485 if (index == 0) { 3486 // The first key in a multi-entry field is just the filedname itself. 3487 if (!strcmp(key, field)) { 3488 return 1; 3489 } 3490 } 3491 // Match key against "%s_%d" % (field, index) 3492 if (strlen(key) < field_len + 1 + 1) { 3493 // Need at least a '_' and a digit. 3494 return 0; 3495 } 3496 if (strncmp(key, field, field_len)) { 3497 // If the key does not begin with field, it's not a match. 3498 return 0; 3499 } 3500 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3501 return 0; 3502 } 3503 return key_index >= index; 3504} 3505 3506/* 3507 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3508 * remaining entries starting from index will be deleted. 3509 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3510 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3511 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3512 * 3513 */ 3514static int persist_del_keys(const char *fieldname, unsigned index) 3515{ 3516 unsigned int i; 3517 unsigned int j; 3518 unsigned int num; 3519 3520 if (persist_data == NULL) { 3521 return PERSIST_DEL_KEY_ERROR_OTHER; 3522 } 3523 3524 num = persist_data->persist_valid_entries; 3525 3526 j = 0; // points to the end of non-deleted entries. 3527 // Filter out to-be-deleted entries in place. 3528 for (i = 0; i < num; i++) { 3529 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3530 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3531 j++; 3532 } 3533 } 3534 3535 if (j < num) { 3536 persist_data->persist_valid_entries = j; 3537 // Zeroise the remaining entries 3538 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3539 return PERSIST_DEL_KEY_OK; 3540 } else { 3541 // Did not find an entry matching the given fieldname 3542 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3543 } 3544} 3545 3546static int persist_count_keys(const char *fieldname) 3547{ 3548 unsigned int i; 3549 unsigned int count; 3550 3551 if (persist_data == NULL) { 3552 return -1; 3553 } 3554 3555 count = 0; 3556 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3557 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3558 count++; 3559 } 3560 } 3561 3562 return count; 3563} 3564 3565/* Return the value of the specified field. */ 3566int cryptfs_getfield(const char *fieldname, char *value, int len) 3567{ 3568 char temp_value[PROPERTY_VALUE_MAX]; 3569 /* CRYPTO_GETFIELD_OK is success, 3570 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3571 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3572 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3573 */ 3574 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3575 int i; 3576 char temp_field[PROPERTY_KEY_MAX]; 3577 3578 if (persist_data == NULL) { 3579 load_persistent_data(); 3580 if (persist_data == NULL) { 3581 SLOGE("Getfield error, cannot load persistent data"); 3582 goto out; 3583 } 3584 } 3585 3586 // Read value from persistent entries. If the original value is split into multiple entries, 3587 // stitch them back together. 3588 if (!persist_get_key(fieldname, temp_value)) { 3589 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3590 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3591 // value too small 3592 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3593 goto out; 3594 } 3595 rc = CRYPTO_GETFIELD_OK; 3596 3597 for (i = 1; /* break explicitly */; i++) { 3598 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3599 (int) sizeof(temp_field)) { 3600 // If the fieldname is very long, we stop as soon as it begins to overflow the 3601 // maximum field length. At this point we have in fact fully read out the original 3602 // value because cryptfs_setfield would not allow fields with longer names to be 3603 // written in the first place. 3604 break; 3605 } 3606 if (!persist_get_key(temp_field, temp_value)) { 3607 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3608 // value too small. 3609 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3610 goto out; 3611 } 3612 } else { 3613 // Exhaust all entries. 3614 break; 3615 } 3616 } 3617 } else { 3618 /* Sadness, it's not there. Return the error */ 3619 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3620 } 3621 3622out: 3623 return rc; 3624} 3625 3626/* Set the value of the specified field. */ 3627int cryptfs_setfield(const char *fieldname, const char *value) 3628{ 3629 char encrypted_state[PROPERTY_VALUE_MAX]; 3630 /* 0 is success, negative values are error */ 3631 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3632 int encrypted = 0; 3633 unsigned int field_id; 3634 char temp_field[PROPERTY_KEY_MAX]; 3635 unsigned int num_entries; 3636 unsigned int max_keylen; 3637 3638 if (persist_data == NULL) { 3639 load_persistent_data(); 3640 if (persist_data == NULL) { 3641 SLOGE("Setfield error, cannot load persistent data"); 3642 goto out; 3643 } 3644 } 3645 3646 property_get("ro.crypto.state", encrypted_state, ""); 3647 if (!strcmp(encrypted_state, "encrypted") ) { 3648 encrypted = 1; 3649 } 3650 3651 // Compute the number of entries required to store value, each entry can store up to 3652 // (PROPERTY_VALUE_MAX - 1) chars 3653 if (strlen(value) == 0) { 3654 // Empty value also needs one entry to store. 3655 num_entries = 1; 3656 } else { 3657 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3658 } 3659 3660 max_keylen = strlen(fieldname); 3661 if (num_entries > 1) { 3662 // Need an extra "_%d" suffix. 3663 max_keylen += 1 + log10(num_entries); 3664 } 3665 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3666 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3667 goto out; 3668 } 3669 3670 // Make sure we have enough space to write the new value 3671 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3672 persist_get_max_entries(encrypted)) { 3673 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3674 goto out; 3675 } 3676 3677 // Now that we know persist_data has enough space for value, let's delete the old field first 3678 // to make up space. 3679 persist_del_keys(fieldname, 0); 3680 3681 if (persist_set_key(fieldname, value, encrypted)) { 3682 // fail to set key, should not happen as we have already checked the available space 3683 SLOGE("persist_set_key() error during setfield()"); 3684 goto out; 3685 } 3686 3687 for (field_id = 1; field_id < num_entries; field_id++) { 3688 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3689 3690 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3691 // fail to set key, should not happen as we have already checked the available space. 3692 SLOGE("persist_set_key() error during setfield()"); 3693 goto out; 3694 } 3695 } 3696 3697 /* If we are running encrypted, save the persistent data now */ 3698 if (encrypted) { 3699 if (save_persistent_data()) { 3700 SLOGE("Setfield error, cannot save persistent data"); 3701 goto out; 3702 } 3703 } 3704 3705 rc = CRYPTO_SETFIELD_OK; 3706 3707out: 3708 return rc; 3709} 3710 3711/* Checks userdata. Attempt to mount the volume if default- 3712 * encrypted. 3713 * On success trigger next init phase and return 0. 3714 * Currently do not handle failure - see TODO below. 3715 */ 3716int cryptfs_mount_default_encrypted(void) 3717{ 3718 char decrypt_state[PROPERTY_VALUE_MAX]; 3719 property_get("vold.decrypt", decrypt_state, "0"); 3720 if (!strcmp(decrypt_state, "0")) { 3721 SLOGE("Not encrypted - should not call here"); 3722 } else { 3723 int crypt_type = cryptfs_get_password_type(); 3724 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3725 SLOGE("Bad crypt type - error"); 3726 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3727 SLOGD("Password is not default - " 3728 "starting min framework to prompt"); 3729 property_set("vold.decrypt", "trigger_restart_min_framework"); 3730 return 0; 3731 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3732 SLOGD("Password is default - restarting filesystem"); 3733 cryptfs_restart_internal(0); 3734 return 0; 3735 } else { 3736 SLOGE("Encrypted, default crypt type but can't decrypt"); 3737 } 3738 } 3739 3740 /** Corrupt. Allow us to boot into framework, which will detect bad 3741 crypto when it calls do_crypto_complete, then do a factory reset 3742 */ 3743 property_set("vold.decrypt", "trigger_restart_min_framework"); 3744 return 0; 3745} 3746 3747/* Returns type of the password, default, pattern, pin or password. 3748 */ 3749int cryptfs_get_password_type(void) 3750{ 3751 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3752 return e4crypt_get_password_type(DATA_MNT_POINT); 3753 } 3754 3755 struct crypt_mnt_ftr crypt_ftr; 3756 3757 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3758 SLOGE("Error getting crypt footer and key\n"); 3759 return -1; 3760 } 3761 3762 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3763 return -1; 3764 } 3765 3766 return crypt_ftr.crypt_type; 3767} 3768 3769const char* cryptfs_get_password() 3770{ 3771 if (e4crypt_crypto_complete(DATA_MNT_POINT) == 0) { 3772 return e4crypt_get_password(DATA_MNT_POINT); 3773 } 3774 3775 struct timespec now; 3776 clock_gettime(CLOCK_BOOTTIME, &now); 3777 if (now.tv_sec < password_expiry_time) { 3778 return password; 3779 } else { 3780 cryptfs_clear_password(); 3781 return 0; 3782 } 3783} 3784 3785void cryptfs_clear_password() 3786{ 3787 if (password) { 3788 size_t len = strlen(password); 3789 memset(password, 0, len); 3790 free(password); 3791 password = 0; 3792 password_expiry_time = 0; 3793 } 3794} 3795