cryptfs.c revision 6322302a5a6f8848097031e7acda44dba88c7ea2
1/* 2 * Copyright (C) 2010 The Android Open Source Project 3 * 4 * Licensed under the Apache License, Version 2.0 (the "License"); 5 * you may not use this file except in compliance with the License. 6 * You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* TO DO: 18 * 1. Perhaps keep several copies of the encrypted key, in case something 19 * goes horribly wrong? 20 * 21 */ 22 23#include <sys/types.h> 24#include <sys/wait.h> 25#include <sys/stat.h> 26#include <ctype.h> 27#include <fcntl.h> 28#include <inttypes.h> 29#include <unistd.h> 30#include <stdio.h> 31#include <sys/ioctl.h> 32#include <linux/dm-ioctl.h> 33#include <libgen.h> 34#include <stdlib.h> 35#include <sys/param.h> 36#include <string.h> 37#include <sys/mount.h> 38#include <openssl/evp.h> 39#include <errno.h> 40#include <ext4.h> 41#include <linux/kdev_t.h> 42#include <fs_mgr.h> 43#include <time.h> 44#include <math.h> 45#include "cryptfs.h" 46#define LOG_TAG "Cryptfs" 47#include "cutils/log.h" 48#include "cutils/properties.h" 49#include "cutils/android_reboot.h" 50#include "hardware_legacy/power.h" 51#include <logwrap/logwrap.h> 52#include "VolumeManager.h" 53#include "VoldUtil.h" 54#include "crypto_scrypt.h" 55#include "ext4_utils.h" 56#include "f2fs_sparseblock.h" 57#include "CheckBattery.h" 58#include "Process.h" 59 60#include <hardware/keymaster.h> 61 62#define UNUSED __attribute__((unused)) 63 64#define UNUSED __attribute__((unused)) 65 66#ifdef CONFIG_HW_DISK_ENCRYPTION 67#include "cryptfs_hw.h" 68#endif 69 70#define DM_CRYPT_BUF_SIZE 4096 71 72#define HASH_COUNT 2000 73#define KEY_LEN_BYTES 16 74#define IV_LEN_BYTES 16 75 76#define KEY_IN_FOOTER "footer" 77 78// "default_password" encoded into hex (d=0x64 etc) 79#define DEFAULT_PASSWORD "64656661756c745f70617373776f7264" 80 81#define EXT4_FS 1 82#define F2FS_FS 2 83 84#define TABLE_LOAD_RETRIES 10 85 86#define RSA_KEY_SIZE 2048 87#define RSA_KEY_SIZE_BYTES (RSA_KEY_SIZE / 8) 88#define RSA_EXPONENT 0x10001 89 90#define RETRY_MOUNT_ATTEMPTS 10 91#define RETRY_MOUNT_DELAY_SECONDS 1 92 93char *me = "cryptfs"; 94 95static unsigned char saved_master_key[KEY_LEN_BYTES]; 96static char *saved_mount_point; 97static int master_key_saved = 0; 98static struct crypt_persist_data *persist_data = NULL; 99 100static int keymaster_init(keymaster_device_t **keymaster_dev) 101{ 102 int rc; 103 104 const hw_module_t* mod; 105 rc = hw_get_module_by_class(KEYSTORE_HARDWARE_MODULE_ID, NULL, &mod); 106 if (rc) { 107 ALOGE("could not find any keystore module"); 108 goto out; 109 } 110 111 rc = keymaster_open(mod, keymaster_dev); 112 if (rc) { 113 ALOGE("could not open keymaster device in %s (%s)", 114 KEYSTORE_HARDWARE_MODULE_ID, strerror(-rc)); 115 goto out; 116 } 117 118 return 0; 119 120out: 121 *keymaster_dev = NULL; 122 return rc; 123} 124 125/* Should we use keymaster? */ 126static int keymaster_check_compatibility() 127{ 128 keymaster_device_t *keymaster_dev = 0; 129 int rc = 0; 130 131 if (keymaster_init(&keymaster_dev)) { 132 SLOGE("Failed to init keymaster"); 133 rc = -1; 134 goto out; 135 } 136 137 SLOGI("keymaster version is %d", keymaster_dev->common.module->module_api_version); 138 139 if (keymaster_dev->common.module->module_api_version 140 < KEYMASTER_MODULE_API_VERSION_0_3) { 141 rc = 0; 142 goto out; 143 } 144 145 if (!(keymaster_dev->flags & KEYMASTER_SOFTWARE_ONLY) && 146 (keymaster_dev->flags & KEYMASTER_BLOBS_ARE_STANDALONE)) { 147 rc = 1; 148 } 149 150out: 151 keymaster_close(keymaster_dev); 152 return rc; 153} 154 155/* Create a new keymaster key and store it in this footer */ 156static int keymaster_create_key(struct crypt_mnt_ftr *ftr) 157{ 158 uint8_t* key = 0; 159 keymaster_device_t *keymaster_dev = 0; 160 161 if (keymaster_init(&keymaster_dev)) { 162 SLOGE("Failed to init keymaster"); 163 return -1; 164 } 165 166 int rc = 0; 167 168 keymaster_rsa_keygen_params_t params; 169 memset(¶ms, '\0', sizeof(params)); 170 params.public_exponent = RSA_EXPONENT; 171 params.modulus_size = RSA_KEY_SIZE; 172 173 size_t key_size; 174 if (keymaster_dev->generate_keypair(keymaster_dev, TYPE_RSA, ¶ms, 175 &key, &key_size)) { 176 SLOGE("Failed to generate keypair"); 177 rc = -1; 178 goto out; 179 } 180 181 if (key_size > KEYMASTER_BLOB_SIZE) { 182 SLOGE("Keymaster key too large for crypto footer"); 183 rc = -1; 184 goto out; 185 } 186 187 memcpy(ftr->keymaster_blob, key, key_size); 188 ftr->keymaster_blob_size = key_size; 189 190out: 191 keymaster_close(keymaster_dev); 192 free(key); 193 return rc; 194} 195 196/* This signs the given object using the keymaster key. */ 197static int keymaster_sign_object(struct crypt_mnt_ftr *ftr, 198 const unsigned char *object, 199 const size_t object_size, 200 unsigned char **signature, 201 size_t *signature_size) 202{ 203 int rc = 0; 204 keymaster_device_t *keymaster_dev = 0; 205 if (keymaster_init(&keymaster_dev)) { 206 SLOGE("Failed to init keymaster"); 207 return -1; 208 } 209 210 /* We currently set the digest type to DIGEST_NONE because it's the 211 * only supported value for keymaster. A similar issue exists with 212 * PADDING_NONE. Long term both of these should likely change. 213 */ 214 keymaster_rsa_sign_params_t params; 215 params.digest_type = DIGEST_NONE; 216 params.padding_type = PADDING_NONE; 217 218 unsigned char to_sign[RSA_KEY_SIZE_BYTES]; 219 size_t to_sign_size = sizeof(to_sign); 220 memset(to_sign, 0, RSA_KEY_SIZE_BYTES); 221 222 // To sign a message with RSA, the message must satisfy two 223 // constraints: 224 // 225 // 1. The message, when interpreted as a big-endian numeric value, must 226 // be strictly less than the public modulus of the RSA key. Note 227 // that because the most significant bit of the public modulus is 228 // guaranteed to be 1 (else it's an (n-1)-bit key, not an n-bit 229 // key), an n-bit message with most significant bit 0 always 230 // satisfies this requirement. 231 // 232 // 2. The message must have the same length in bits as the public 233 // modulus of the RSA key. This requirement isn't mathematically 234 // necessary, but is necessary to ensure consistency in 235 // implementations. 236 switch (ftr->kdf_type) { 237 case KDF_SCRYPT_KEYMASTER_UNPADDED: 238 // This is broken: It produces a message which is shorter than 239 // the public modulus, failing criterion 2. 240 memcpy(to_sign, object, object_size); 241 to_sign_size = object_size; 242 SLOGI("Signing unpadded object"); 243 break; 244 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 245 // This is broken: Since the value of object is uniformly 246 // distributed, it produces a message that is larger than the 247 // public modulus with probability 0.25. 248 memcpy(to_sign, object, min(RSA_KEY_SIZE_BYTES, object_size)); 249 SLOGI("Signing end-padded object"); 250 break; 251 case KDF_SCRYPT_KEYMASTER: 252 // This ensures the most significant byte of the signed message 253 // is zero. We could have zero-padded to the left instead, but 254 // this approach is slightly more robust against changes in 255 // object size. However, it's still broken (but not unusably 256 // so) because we really should be using a proper RSA padding 257 // function, such as OAEP. 258 // 259 // TODO(paullawrence): When keymaster 0.4 is available, change 260 // this to use the padding options it provides. 261 memcpy(to_sign + 1, object, min(RSA_KEY_SIZE_BYTES - 1, object_size)); 262 SLOGI("Signing safely-padded object"); 263 break; 264 default: 265 SLOGE("Unknown KDF type %d", ftr->kdf_type); 266 return -1; 267 } 268 269 rc = keymaster_dev->sign_data(keymaster_dev, 270 ¶ms, 271 ftr->keymaster_blob, 272 ftr->keymaster_blob_size, 273 to_sign, 274 to_sign_size, 275 signature, 276 signature_size); 277 278 keymaster_close(keymaster_dev); 279 return rc; 280} 281 282/* Store password when userdata is successfully decrypted and mounted. 283 * Cleared by cryptfs_clear_password 284 * 285 * To avoid a double prompt at boot, we need to store the CryptKeeper 286 * password and pass it to KeyGuard, which uses it to unlock KeyStore. 287 * Since the entire framework is torn down and rebuilt after encryption, 288 * we have to use a daemon or similar to store the password. Since vold 289 * is secured against IPC except from system processes, it seems a reasonable 290 * place to store this. 291 * 292 * password should be cleared once it has been used. 293 * 294 * password is aged out after password_max_age_seconds seconds. 295 */ 296static char* password = 0; 297static int password_expiry_time = 0; 298static const int password_max_age_seconds = 60; 299 300extern struct fstab *fstab; 301 302enum RebootType {reboot, recovery, shutdown}; 303static void cryptfs_reboot(enum RebootType rt) 304{ 305 switch(rt) { 306 case reboot: 307 property_set(ANDROID_RB_PROPERTY, "reboot"); 308 break; 309 310 case recovery: 311 property_set(ANDROID_RB_PROPERTY, "reboot,recovery"); 312 break; 313 314 case shutdown: 315 property_set(ANDROID_RB_PROPERTY, "shutdown"); 316 break; 317 } 318 319 sleep(20); 320 321 /* Shouldn't get here, reboot should happen before sleep times out */ 322 return; 323} 324 325static void ioctl_init(struct dm_ioctl *io, size_t dataSize, const char *name, unsigned flags) 326{ 327 memset(io, 0, dataSize); 328 io->data_size = dataSize; 329 io->data_start = sizeof(struct dm_ioctl); 330 io->version[0] = 4; 331 io->version[1] = 0; 332 io->version[2] = 0; 333 io->flags = flags; 334 if (name) { 335 strncpy(io->name, name, sizeof(io->name)); 336 } 337} 338 339/** 340 * Gets the default device scrypt parameters for key derivation time tuning. 341 * The parameters should lead to about one second derivation time for the 342 * given device. 343 */ 344static void get_device_scrypt_params(struct crypt_mnt_ftr *ftr) { 345 const int default_params[] = SCRYPT_DEFAULTS; 346 int params[] = SCRYPT_DEFAULTS; 347 char paramstr[PROPERTY_VALUE_MAX]; 348 char *token; 349 char *saveptr; 350 int i; 351 352 property_get(SCRYPT_PROP, paramstr, ""); 353 if (paramstr[0] != '\0') { 354 /* 355 * The token we're looking for should be three integers separated by 356 * colons (e.g., "12:8:1"). Scan the property to make sure it matches. 357 */ 358 for (i = 0, token = strtok_r(paramstr, ":", &saveptr); 359 token != NULL && i < 3; 360 i++, token = strtok_r(NULL, ":", &saveptr)) { 361 char *endptr; 362 params[i] = strtol(token, &endptr, 10); 363 364 /* 365 * Check that there was a valid number and it's 8-bit. If not, 366 * break out and the end check will take the default values. 367 */ 368 if ((*token == '\0') || (*endptr != '\0') || params[i] < 0 || params[i] > 255) { 369 break; 370 } 371 } 372 373 /* 374 * If there were not enough tokens or a token was malformed (not an 375 * integer), it will end up here and the default parameters can be 376 * taken. 377 */ 378 if ((i != 3) || (token != NULL)) { 379 SLOGW("bad scrypt parameters '%s' should be like '12:8:1'; using defaults", paramstr); 380 memcpy(params, default_params, sizeof(params)); 381 } 382 } 383 384 ftr->N_factor = params[0]; 385 ftr->r_factor = params[1]; 386 ftr->p_factor = params[2]; 387} 388 389static unsigned int get_fs_size(char *dev) 390{ 391 int fd, block_size; 392 struct ext4_super_block sb; 393 off64_t len; 394 395 if ((fd = open(dev, O_RDONLY)) < 0) { 396 SLOGE("Cannot open device to get filesystem size "); 397 return 0; 398 } 399 400 if (lseek64(fd, 1024, SEEK_SET) < 0) { 401 SLOGE("Cannot seek to superblock"); 402 return 0; 403 } 404 405 if (read(fd, &sb, sizeof(sb)) != sizeof(sb)) { 406 SLOGE("Cannot read superblock"); 407 return 0; 408 } 409 410 close(fd); 411 412 if (le32_to_cpu(sb.s_magic) != EXT4_SUPER_MAGIC) { 413 SLOGE("Not a valid ext4 superblock"); 414 return 0; 415 } 416 block_size = 1024 << sb.s_log_block_size; 417 /* compute length in bytes */ 418 len = ( ((off64_t)sb.s_blocks_count_hi << 32) + sb.s_blocks_count_lo) * block_size; 419 420 /* return length in sectors */ 421 return (unsigned int) (len / 512); 422} 423 424static int get_crypt_ftr_info(char **metadata_fname, off64_t *off) 425{ 426 static int cached_data = 0; 427 static off64_t cached_off = 0; 428 static char cached_metadata_fname[PROPERTY_VALUE_MAX] = ""; 429 int fd; 430 char key_loc[PROPERTY_VALUE_MAX]; 431 char real_blkdev[PROPERTY_VALUE_MAX]; 432 unsigned int nr_sec; 433 int rc = -1; 434 435 if (!cached_data) { 436 fs_mgr_get_crypt_info(fstab, key_loc, real_blkdev, sizeof(key_loc)); 437 438 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 439 if ( (fd = open(real_blkdev, O_RDWR)) < 0) { 440 SLOGE("Cannot open real block device %s\n", real_blkdev); 441 return -1; 442 } 443 444 if ((nr_sec = get_blkdev_size(fd))) { 445 /* If it's an encrypted Android partition, the last 16 Kbytes contain the 446 * encryption info footer and key, and plenty of bytes to spare for future 447 * growth. 448 */ 449 strlcpy(cached_metadata_fname, real_blkdev, sizeof(cached_metadata_fname)); 450 cached_off = ((off64_t)nr_sec * 512) - CRYPT_FOOTER_OFFSET; 451 cached_data = 1; 452 } else { 453 SLOGE("Cannot get size of block device %s\n", real_blkdev); 454 } 455 close(fd); 456 } else { 457 strlcpy(cached_metadata_fname, key_loc, sizeof(cached_metadata_fname)); 458 cached_off = 0; 459 cached_data = 1; 460 } 461 } 462 463 if (cached_data) { 464 if (metadata_fname) { 465 *metadata_fname = cached_metadata_fname; 466 } 467 if (off) { 468 *off = cached_off; 469 } 470 rc = 0; 471 } 472 473 return rc; 474} 475 476/* key or salt can be NULL, in which case just skip writing that value. Useful to 477 * update the failed mount count but not change the key. 478 */ 479static int put_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 480{ 481 int fd; 482 unsigned int nr_sec, cnt; 483 /* starting_off is set to the SEEK_SET offset 484 * where the crypto structure starts 485 */ 486 off64_t starting_off; 487 int rc = -1; 488 char *fname = NULL; 489 struct stat statbuf; 490 491 if (get_crypt_ftr_info(&fname, &starting_off)) { 492 SLOGE("Unable to get crypt_ftr_info\n"); 493 return -1; 494 } 495 if (fname[0] != '/') { 496 SLOGE("Unexpected value for crypto key location\n"); 497 return -1; 498 } 499 if ( (fd = open(fname, O_RDWR | O_CREAT, 0600)) < 0) { 500 SLOGE("Cannot open footer file %s for put\n", fname); 501 return -1; 502 } 503 504 /* Seek to the start of the crypt footer */ 505 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 506 SLOGE("Cannot seek to real block device footer\n"); 507 goto errout; 508 } 509 510 if ((cnt = write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 511 SLOGE("Cannot write real block device footer\n"); 512 goto errout; 513 } 514 515 fstat(fd, &statbuf); 516 /* If the keys are kept on a raw block device, do not try to truncate it. */ 517 if (S_ISREG(statbuf.st_mode)) { 518 if (ftruncate(fd, 0x4000)) { 519 SLOGE("Cannot set footer file size\n"); 520 goto errout; 521 } 522 } 523 524 /* Success! */ 525 rc = 0; 526 527errout: 528 close(fd); 529 return rc; 530 531} 532 533static inline int unix_read(int fd, void* buff, int len) 534{ 535 return TEMP_FAILURE_RETRY(read(fd, buff, len)); 536} 537 538static inline int unix_write(int fd, const void* buff, int len) 539{ 540 return TEMP_FAILURE_RETRY(write(fd, buff, len)); 541} 542 543static void init_empty_persist_data(struct crypt_persist_data *pdata, int len) 544{ 545 memset(pdata, 0, len); 546 pdata->persist_magic = PERSIST_DATA_MAGIC; 547 pdata->persist_valid_entries = 0; 548} 549 550/* A routine to update the passed in crypt_ftr to the lastest version. 551 * fd is open read/write on the device that holds the crypto footer and persistent 552 * data, crypt_ftr is a pointer to the struct to be updated, and offset is the 553 * absolute offset to the start of the crypt_mnt_ftr on the passed in fd. 554 */ 555static void upgrade_crypt_ftr(int fd, struct crypt_mnt_ftr *crypt_ftr, off64_t offset) 556{ 557 int orig_major = crypt_ftr->major_version; 558 int orig_minor = crypt_ftr->minor_version; 559 560 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 0)) { 561 struct crypt_persist_data *pdata; 562 off64_t pdata_offset = offset + CRYPT_FOOTER_TO_PERSIST_OFFSET; 563 564 SLOGW("upgrading crypto footer to 1.1"); 565 566 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 567 if (pdata == NULL) { 568 SLOGE("Cannot allocate persisent data\n"); 569 return; 570 } 571 memset(pdata, 0, CRYPT_PERSIST_DATA_SIZE); 572 573 /* Need to initialize the persistent data area */ 574 if (lseek64(fd, pdata_offset, SEEK_SET) == -1) { 575 SLOGE("Cannot seek to persisent data offset\n"); 576 return; 577 } 578 /* Write all zeros to the first copy, making it invalid */ 579 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 580 581 /* Write a valid but empty structure to the second copy */ 582 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 583 unix_write(fd, pdata, CRYPT_PERSIST_DATA_SIZE); 584 585 /* Update the footer */ 586 crypt_ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 587 crypt_ftr->persist_data_offset[0] = pdata_offset; 588 crypt_ftr->persist_data_offset[1] = pdata_offset + CRYPT_PERSIST_DATA_SIZE; 589 crypt_ftr->minor_version = 1; 590 } 591 592 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 1)) { 593 SLOGW("upgrading crypto footer to 1.2"); 594 /* But keep the old kdf_type. 595 * It will get updated later to KDF_SCRYPT after the password has been verified. 596 */ 597 crypt_ftr->kdf_type = KDF_PBKDF2; 598 get_device_scrypt_params(crypt_ftr); 599 crypt_ftr->minor_version = 2; 600 } 601 602 if ((crypt_ftr->major_version == 1) && (crypt_ftr->minor_version == 2)) { 603 SLOGW("upgrading crypto footer to 1.3"); 604 crypt_ftr->crypt_type = CRYPT_TYPE_PASSWORD; 605 crypt_ftr->minor_version = 3; 606 } 607 608 if ((orig_major != crypt_ftr->major_version) || (orig_minor != crypt_ftr->minor_version)) { 609 if (lseek64(fd, offset, SEEK_SET) == -1) { 610 SLOGE("Cannot seek to crypt footer\n"); 611 return; 612 } 613 unix_write(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr)); 614 } 615} 616 617 618static int get_crypt_ftr_and_key(struct crypt_mnt_ftr *crypt_ftr) 619{ 620 int fd; 621 unsigned int nr_sec, cnt; 622 off64_t starting_off; 623 int rc = -1; 624 char *fname = NULL; 625 struct stat statbuf; 626 627 if (get_crypt_ftr_info(&fname, &starting_off)) { 628 SLOGE("Unable to get crypt_ftr_info\n"); 629 return -1; 630 } 631 if (fname[0] != '/') { 632 SLOGE("Unexpected value for crypto key location\n"); 633 return -1; 634 } 635 if ( (fd = open(fname, O_RDWR)) < 0) { 636 SLOGE("Cannot open footer file %s for get\n", fname); 637 return -1; 638 } 639 640 /* Make sure it's 16 Kbytes in length */ 641 fstat(fd, &statbuf); 642 if (S_ISREG(statbuf.st_mode) && (statbuf.st_size != 0x4000)) { 643 SLOGE("footer file %s is not the expected size!\n", fname); 644 goto errout; 645 } 646 647 /* Seek to the start of the crypt footer */ 648 if (lseek64(fd, starting_off, SEEK_SET) == -1) { 649 SLOGE("Cannot seek to real block device footer\n"); 650 goto errout; 651 } 652 653 if ( (cnt = read(fd, crypt_ftr, sizeof(struct crypt_mnt_ftr))) != sizeof(struct crypt_mnt_ftr)) { 654 SLOGE("Cannot read real block device footer\n"); 655 goto errout; 656 } 657 658 if (crypt_ftr->magic != CRYPT_MNT_MAGIC) { 659 SLOGE("Bad magic for real block device %s\n", fname); 660 goto errout; 661 } 662 663 if (crypt_ftr->major_version != CURRENT_MAJOR_VERSION) { 664 SLOGE("Cannot understand major version %d real block device footer; expected %d\n", 665 crypt_ftr->major_version, CURRENT_MAJOR_VERSION); 666 goto errout; 667 } 668 669 if (crypt_ftr->minor_version > CURRENT_MINOR_VERSION) { 670 SLOGW("Warning: crypto footer minor version %d, expected <= %d, continuing...\n", 671 crypt_ftr->minor_version, CURRENT_MINOR_VERSION); 672 } 673 674 /* If this is a verion 1.0 crypt_ftr, make it a 1.1 crypt footer, and update the 675 * copy on disk before returning. 676 */ 677 if (crypt_ftr->minor_version < CURRENT_MINOR_VERSION) { 678 upgrade_crypt_ftr(fd, crypt_ftr, starting_off); 679 } 680 681 /* Success! */ 682 rc = 0; 683 684errout: 685 close(fd); 686 return rc; 687} 688 689static int validate_persistent_data_storage(struct crypt_mnt_ftr *crypt_ftr) 690{ 691 if (crypt_ftr->persist_data_offset[0] + crypt_ftr->persist_data_size > 692 crypt_ftr->persist_data_offset[1]) { 693 SLOGE("Crypt_ftr persist data regions overlap"); 694 return -1; 695 } 696 697 if (crypt_ftr->persist_data_offset[0] >= crypt_ftr->persist_data_offset[1]) { 698 SLOGE("Crypt_ftr persist data region 0 starts after region 1"); 699 return -1; 700 } 701 702 if (((crypt_ftr->persist_data_offset[1] + crypt_ftr->persist_data_size) - 703 (crypt_ftr->persist_data_offset[0] - CRYPT_FOOTER_TO_PERSIST_OFFSET)) > 704 CRYPT_FOOTER_OFFSET) { 705 SLOGE("Persistent data extends past crypto footer"); 706 return -1; 707 } 708 709 return 0; 710} 711 712static int load_persistent_data(void) 713{ 714 struct crypt_mnt_ftr crypt_ftr; 715 struct crypt_persist_data *pdata = NULL; 716 char encrypted_state[PROPERTY_VALUE_MAX]; 717 char *fname; 718 int found = 0; 719 int fd; 720 int ret; 721 int i; 722 723 if (persist_data) { 724 /* Nothing to do, we've already loaded or initialized it */ 725 return 0; 726 } 727 728 729 /* If not encrypted, just allocate an empty table and initialize it */ 730 property_get("ro.crypto.state", encrypted_state, ""); 731 if (strcmp(encrypted_state, "encrypted") ) { 732 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 733 if (pdata) { 734 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 735 persist_data = pdata; 736 return 0; 737 } 738 return -1; 739 } 740 741 if(get_crypt_ftr_and_key(&crypt_ftr)) { 742 return -1; 743 } 744 745 if ((crypt_ftr.major_version < 1) 746 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 747 SLOGE("Crypt_ftr version doesn't support persistent data"); 748 return -1; 749 } 750 751 if (get_crypt_ftr_info(&fname, NULL)) { 752 return -1; 753 } 754 755 ret = validate_persistent_data_storage(&crypt_ftr); 756 if (ret) { 757 return -1; 758 } 759 760 fd = open(fname, O_RDONLY); 761 if (fd < 0) { 762 SLOGE("Cannot open %s metadata file", fname); 763 return -1; 764 } 765 766 if (persist_data == NULL) { 767 pdata = malloc(crypt_ftr.persist_data_size); 768 if (pdata == NULL) { 769 SLOGE("Cannot allocate memory for persistent data"); 770 goto err; 771 } 772 } 773 774 for (i = 0; i < 2; i++) { 775 if (lseek64(fd, crypt_ftr.persist_data_offset[i], SEEK_SET) < 0) { 776 SLOGE("Cannot seek to read persistent data on %s", fname); 777 goto err2; 778 } 779 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0){ 780 SLOGE("Error reading persistent data on iteration %d", i); 781 goto err2; 782 } 783 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 784 found = 1; 785 break; 786 } 787 } 788 789 if (!found) { 790 SLOGI("Could not find valid persistent data, creating"); 791 init_empty_persist_data(pdata, crypt_ftr.persist_data_size); 792 } 793 794 /* Success */ 795 persist_data = pdata; 796 close(fd); 797 return 0; 798 799err2: 800 free(pdata); 801 802err: 803 close(fd); 804 return -1; 805} 806 807static int save_persistent_data(void) 808{ 809 struct crypt_mnt_ftr crypt_ftr; 810 struct crypt_persist_data *pdata; 811 char *fname; 812 off64_t write_offset; 813 off64_t erase_offset; 814 int found = 0; 815 int fd; 816 int ret; 817 818 if (persist_data == NULL) { 819 SLOGE("No persistent data to save"); 820 return -1; 821 } 822 823 if(get_crypt_ftr_and_key(&crypt_ftr)) { 824 return -1; 825 } 826 827 if ((crypt_ftr.major_version < 1) 828 || (crypt_ftr.major_version == 1 && crypt_ftr.minor_version < 1)) { 829 SLOGE("Crypt_ftr version doesn't support persistent data"); 830 return -1; 831 } 832 833 ret = validate_persistent_data_storage(&crypt_ftr); 834 if (ret) { 835 return -1; 836 } 837 838 if (get_crypt_ftr_info(&fname, NULL)) { 839 return -1; 840 } 841 842 fd = open(fname, O_RDWR); 843 if (fd < 0) { 844 SLOGE("Cannot open %s metadata file", fname); 845 return -1; 846 } 847 848 pdata = malloc(crypt_ftr.persist_data_size); 849 if (pdata == NULL) { 850 SLOGE("Cannot allocate persistant data"); 851 goto err; 852 } 853 854 if (lseek64(fd, crypt_ftr.persist_data_offset[0], SEEK_SET) < 0) { 855 SLOGE("Cannot seek to read persistent data on %s", fname); 856 goto err2; 857 } 858 859 if (unix_read(fd, pdata, crypt_ftr.persist_data_size) < 0) { 860 SLOGE("Error reading persistent data before save"); 861 goto err2; 862 } 863 864 if (pdata->persist_magic == PERSIST_DATA_MAGIC) { 865 /* The first copy is the curent valid copy, so write to 866 * the second copy and erase this one */ 867 write_offset = crypt_ftr.persist_data_offset[1]; 868 erase_offset = crypt_ftr.persist_data_offset[0]; 869 } else { 870 /* The second copy must be the valid copy, so write to 871 * the first copy, and erase the second */ 872 write_offset = crypt_ftr.persist_data_offset[0]; 873 erase_offset = crypt_ftr.persist_data_offset[1]; 874 } 875 876 /* Write the new copy first, if successful, then erase the old copy */ 877 if (lseek(fd, write_offset, SEEK_SET) < 0) { 878 SLOGE("Cannot seek to write persistent data"); 879 goto err2; 880 } 881 if (unix_write(fd, persist_data, crypt_ftr.persist_data_size) == 882 (int) crypt_ftr.persist_data_size) { 883 if (lseek(fd, erase_offset, SEEK_SET) < 0) { 884 SLOGE("Cannot seek to erase previous persistent data"); 885 goto err2; 886 } 887 fsync(fd); 888 memset(pdata, 0, crypt_ftr.persist_data_size); 889 if (unix_write(fd, pdata, crypt_ftr.persist_data_size) != 890 (int) crypt_ftr.persist_data_size) { 891 SLOGE("Cannot write to erase previous persistent data"); 892 goto err2; 893 } 894 fsync(fd); 895 } else { 896 SLOGE("Cannot write to save persistent data"); 897 goto err2; 898 } 899 900 /* Success */ 901 free(pdata); 902 close(fd); 903 return 0; 904 905err2: 906 free(pdata); 907err: 908 close(fd); 909 return -1; 910} 911 912static int hexdigit (char c) 913{ 914 if (c >= '0' && c <= '9') return c - '0'; 915 c = tolower(c); 916 if (c >= 'a' && c <= 'f') return c - 'a' + 10; 917 return -1; 918} 919 920static unsigned char* convert_hex_ascii_to_key(const char* master_key_ascii, 921 unsigned int* out_keysize) 922{ 923 unsigned int i; 924 *out_keysize = 0; 925 926 size_t size = strlen (master_key_ascii); 927 if (size % 2) { 928 SLOGE("Trying to convert ascii string of odd length"); 929 return NULL; 930 } 931 932 unsigned char* master_key = (unsigned char*) malloc(size / 2); 933 if (master_key == 0) { 934 SLOGE("Cannot allocate"); 935 return NULL; 936 } 937 938 for (i = 0; i < size; i += 2) { 939 int high_nibble = hexdigit (master_key_ascii[i]); 940 int low_nibble = hexdigit (master_key_ascii[i + 1]); 941 942 if(high_nibble < 0 || low_nibble < 0) { 943 SLOGE("Invalid hex string"); 944 free (master_key); 945 return NULL; 946 } 947 948 master_key[*out_keysize] = high_nibble * 16 + low_nibble; 949 (*out_keysize)++; 950 } 951 952 return master_key; 953} 954 955/* Convert a binary key of specified length into an ascii hex string equivalent, 956 * without the leading 0x and with null termination 957 */ 958static void convert_key_to_hex_ascii(unsigned char *master_key, unsigned int keysize, 959 char *master_key_ascii) 960{ 961 unsigned int i, a; 962 unsigned char nibble; 963 964 for (i=0, a=0; i<keysize; i++, a+=2) { 965 /* For each byte, write out two ascii hex digits */ 966 nibble = (master_key[i] >> 4) & 0xf; 967 master_key_ascii[a] = nibble + (nibble > 9 ? 0x37 : 0x30); 968 969 nibble = master_key[i] & 0xf; 970 master_key_ascii[a+1] = nibble + (nibble > 9 ? 0x37 : 0x30); 971 } 972 973 /* Add the null termination */ 974 master_key_ascii[a] = '\0'; 975 976} 977 978static int load_crypto_mapping_table(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 979 char *real_blk_name, const char *name, int fd, 980 char *extra_params) 981{ 982 char buffer[DM_CRYPT_BUF_SIZE]; 983 struct dm_ioctl *io; 984 struct dm_target_spec *tgt; 985 char *crypt_params; 986 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 987 int i; 988 989 io = (struct dm_ioctl *) buffer; 990 991 /* Load the mapping table for this device */ 992 tgt = (struct dm_target_spec *) &buffer[sizeof(struct dm_ioctl)]; 993 994 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 995 io->target_count = 1; 996 tgt->status = 0; 997 tgt->sector_start = 0; 998 tgt->length = crypt_ftr->fs_size; 999#ifdef CONFIG_HW_DISK_ENCRYPTION 1000 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1001 strlcpy(tgt->target_type, "req-crypt", DM_MAX_TYPE_NAME); 1002 } 1003 else { 1004 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1005 } 1006#else 1007 strlcpy(tgt->target_type, "crypt", DM_MAX_TYPE_NAME); 1008#endif 1009 1010 crypt_params = buffer + sizeof(struct dm_ioctl) + sizeof(struct dm_target_spec); 1011 convert_key_to_hex_ascii(master_key, crypt_ftr->keysize, master_key_ascii); 1012 sprintf(crypt_params, "%s %s 0 %s 0 %s", crypt_ftr->crypto_type_name, 1013 master_key_ascii, real_blk_name, extra_params); 1014 crypt_params += strlen(crypt_params) + 1; 1015 crypt_params = (char *) (((unsigned long)crypt_params + 7) & ~8); /* Align to an 8 byte boundary */ 1016 tgt->next = crypt_params - buffer; 1017 1018 for (i = 0; i < TABLE_LOAD_RETRIES; i++) { 1019 if (! ioctl(fd, DM_TABLE_LOAD, io)) { 1020 break; 1021 } 1022 usleep(500000); 1023 } 1024 1025 if (i == TABLE_LOAD_RETRIES) { 1026 /* We failed to load the table, return an error */ 1027 return -1; 1028 } else { 1029 return i + 1; 1030 } 1031} 1032 1033 1034static int get_dm_crypt_version(int fd, const char *name, int *version) 1035{ 1036 char buffer[DM_CRYPT_BUF_SIZE]; 1037 struct dm_ioctl *io; 1038 struct dm_target_versions *v; 1039 int i; 1040 1041 io = (struct dm_ioctl *) buffer; 1042 1043 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1044 1045 if (ioctl(fd, DM_LIST_VERSIONS, io)) { 1046 return -1; 1047 } 1048 1049 /* Iterate over the returned versions, looking for name of "crypt". 1050 * When found, get and return the version. 1051 */ 1052 v = (struct dm_target_versions *) &buffer[sizeof(struct dm_ioctl)]; 1053 while (v->next) { 1054#ifdef CONFIG_HW_DISK_ENCRYPTION 1055 if (! strcmp(v->name, "crypt") || ! strcmp(v->name, "req-crypt")) { 1056#else 1057 if (! strcmp(v->name, "crypt")) { 1058#endif 1059 /* We found the crypt driver, return the version, and get out */ 1060 version[0] = v->version[0]; 1061 version[1] = v->version[1]; 1062 version[2] = v->version[2]; 1063 return 0; 1064 } 1065 v = (struct dm_target_versions *)(((char *)v) + v->next); 1066 } 1067 1068 return -1; 1069} 1070 1071static int create_crypto_blk_dev(struct crypt_mnt_ftr *crypt_ftr, unsigned char *master_key, 1072 char *real_blk_name, char *crypto_blk_name, const char *name) 1073{ 1074 char buffer[DM_CRYPT_BUF_SIZE]; 1075 char master_key_ascii[129]; /* Large enough to hold 512 bit key and null */ 1076 char *crypt_params; 1077 struct dm_ioctl *io; 1078 struct dm_target_spec *tgt; 1079 unsigned int minor; 1080 int fd=0; 1081 int i; 1082 int retval = -1; 1083 int version[3]; 1084 char *extra_params; 1085 int load_count; 1086 1087 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1088 SLOGE("Cannot open device-mapper\n"); 1089 goto errout; 1090 } 1091 1092 io = (struct dm_ioctl *) buffer; 1093 1094 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1095 if (ioctl(fd, DM_DEV_CREATE, io)) { 1096 SLOGE("Cannot create dm-crypt device\n"); 1097 goto errout; 1098 } 1099 1100 /* Get the device status, in particular, the name of it's device file */ 1101 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1102 if (ioctl(fd, DM_DEV_STATUS, io)) { 1103 SLOGE("Cannot retrieve dm-crypt device status\n"); 1104 goto errout; 1105 } 1106 minor = (io->dev & 0xff) | ((io->dev >> 12) & 0xfff00); 1107 snprintf(crypto_blk_name, MAXPATHLEN, "/dev/block/dm-%u", minor); 1108 1109 extra_params = ""; 1110 if (! get_dm_crypt_version(fd, name, version)) { 1111 /* Support for allow_discards was added in version 1.11.0 */ 1112 if ((version[0] >= 2) || 1113 ((version[0] == 1) && (version[1] >= 11))) { 1114 extra_params = "1 allow_discards"; 1115 SLOGI("Enabling support for allow_discards in dmcrypt.\n"); 1116 } 1117 } 1118 1119 load_count = load_crypto_mapping_table(crypt_ftr, master_key, real_blk_name, name, 1120 fd, extra_params); 1121 if (load_count < 0) { 1122 SLOGE("Cannot load dm-crypt mapping table.\n"); 1123 goto errout; 1124 } else if (load_count > 1) { 1125 SLOGI("Took %d tries to load dmcrypt table.\n", load_count); 1126 } 1127 1128 /* Resume this device to activate it */ 1129 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1130 1131 if (ioctl(fd, DM_DEV_SUSPEND, io)) { 1132 SLOGE("Cannot resume the dm-crypt device\n"); 1133 goto errout; 1134 } 1135 1136 /* We made it here with no errors. Woot! */ 1137 retval = 0; 1138 1139errout: 1140 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1141 1142 return retval; 1143} 1144 1145static int delete_crypto_blk_dev(char *name) 1146{ 1147 int fd; 1148 char buffer[DM_CRYPT_BUF_SIZE]; 1149 struct dm_ioctl *io; 1150 int retval = -1; 1151 1152 if ((fd = open("/dev/device-mapper", O_RDWR)) < 0 ) { 1153 SLOGE("Cannot open device-mapper\n"); 1154 goto errout; 1155 } 1156 1157 io = (struct dm_ioctl *) buffer; 1158 1159 ioctl_init(io, DM_CRYPT_BUF_SIZE, name, 0); 1160 if (ioctl(fd, DM_DEV_REMOVE, io)) { 1161 SLOGE("Cannot remove dm-crypt device\n"); 1162 goto errout; 1163 } 1164 1165 /* We made it here with no errors. Woot! */ 1166 retval = 0; 1167 1168errout: 1169 close(fd); /* If fd is <0 from a failed open call, it's safe to just ignore the close error */ 1170 1171 return retval; 1172 1173} 1174 1175static int pbkdf2(const char *passwd, const unsigned char *salt, 1176 unsigned char *ikey, void *params UNUSED) 1177{ 1178 SLOGI("Using pbkdf2 for cryptfs KDF"); 1179 1180 /* Turn the password into a key and IV that can decrypt the master key */ 1181 unsigned int keysize; 1182 char* master_key = (char*)convert_hex_ascii_to_key(passwd, &keysize); 1183 if (!master_key) return -1; 1184 PKCS5_PBKDF2_HMAC_SHA1(master_key, keysize, salt, SALT_LEN, 1185 HASH_COUNT, KEY_LEN_BYTES+IV_LEN_BYTES, ikey); 1186 1187 memset(master_key, 0, keysize); 1188 free (master_key); 1189 return 0; 1190} 1191 1192static int scrypt(const char *passwd, const unsigned char *salt, 1193 unsigned char *ikey, void *params) 1194{ 1195 SLOGI("Using scrypt for cryptfs KDF"); 1196 1197 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1198 1199 int N = 1 << ftr->N_factor; 1200 int r = 1 << ftr->r_factor; 1201 int p = 1 << ftr->p_factor; 1202 1203 /* Turn the password into a key and IV that can decrypt the master key */ 1204 unsigned int keysize; 1205 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &keysize); 1206 if (!master_key) return -1; 1207 crypto_scrypt(master_key, keysize, salt, SALT_LEN, N, r, p, ikey, 1208 KEY_LEN_BYTES + IV_LEN_BYTES); 1209 1210 memset(master_key, 0, keysize); 1211 free (master_key); 1212 return 0; 1213} 1214 1215static int scrypt_keymaster(const char *passwd, const unsigned char *salt, 1216 unsigned char *ikey, void *params) 1217{ 1218 SLOGI("Using scrypt with keymaster for cryptfs KDF"); 1219 1220 int rc; 1221 unsigned int key_size; 1222 size_t signature_size; 1223 unsigned char* signature; 1224 struct crypt_mnt_ftr *ftr = (struct crypt_mnt_ftr *) params; 1225 1226 int N = 1 << ftr->N_factor; 1227 int r = 1 << ftr->r_factor; 1228 int p = 1 << ftr->p_factor; 1229 1230 unsigned char* master_key = convert_hex_ascii_to_key(passwd, &key_size); 1231 if (!master_key) { 1232 SLOGE("Failed to convert passwd from hex"); 1233 return -1; 1234 } 1235 1236 rc = crypto_scrypt(master_key, key_size, salt, SALT_LEN, 1237 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1238 memset(master_key, 0, key_size); 1239 free(master_key); 1240 1241 if (rc) { 1242 SLOGE("scrypt failed"); 1243 return -1; 1244 } 1245 1246 if (keymaster_sign_object(ftr, ikey, KEY_LEN_BYTES + IV_LEN_BYTES, 1247 &signature, &signature_size)) { 1248 SLOGE("Signing failed"); 1249 return -1; 1250 } 1251 1252 rc = crypto_scrypt(signature, signature_size, salt, SALT_LEN, 1253 N, r, p, ikey, KEY_LEN_BYTES + IV_LEN_BYTES); 1254 free(signature); 1255 1256 if (rc) { 1257 SLOGE("scrypt failed"); 1258 return -1; 1259 } 1260 1261 return 0; 1262} 1263 1264static int encrypt_master_key(const char *passwd, const unsigned char *salt, 1265 const unsigned char *decrypted_master_key, 1266 unsigned char *encrypted_master_key, 1267 struct crypt_mnt_ftr *crypt_ftr) 1268{ 1269 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1270 EVP_CIPHER_CTX e_ctx; 1271 int encrypted_len, final_len; 1272 int rc = 0; 1273 1274 /* Turn the password into an intermediate key and IV that can decrypt the master key */ 1275 get_device_scrypt_params(crypt_ftr); 1276 1277 switch (crypt_ftr->kdf_type) { 1278 case KDF_SCRYPT_KEYMASTER_UNPADDED: 1279 case KDF_SCRYPT_KEYMASTER_BADLY_PADDED: 1280 case KDF_SCRYPT_KEYMASTER: 1281 if (keymaster_create_key(crypt_ftr)) { 1282 SLOGE("keymaster_create_key failed"); 1283 return -1; 1284 } 1285 1286 if (scrypt_keymaster(passwd, salt, ikey, crypt_ftr)) { 1287 SLOGE("scrypt failed"); 1288 return -1; 1289 } 1290 break; 1291 1292 case KDF_SCRYPT: 1293 if (scrypt(passwd, salt, ikey, crypt_ftr)) { 1294 SLOGE("scrypt failed"); 1295 return -1; 1296 } 1297 break; 1298 1299 default: 1300 SLOGE("Invalid kdf_type"); 1301 return -1; 1302 } 1303 1304 /* Initialize the decryption engine */ 1305 EVP_CIPHER_CTX_init(&e_ctx); 1306 if (! EVP_EncryptInit_ex(&e_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1307 SLOGE("EVP_EncryptInit failed\n"); 1308 return -1; 1309 } 1310 EVP_CIPHER_CTX_set_padding(&e_ctx, 0); /* Turn off padding as our data is block aligned */ 1311 1312 /* Encrypt the master key */ 1313 if (! EVP_EncryptUpdate(&e_ctx, encrypted_master_key, &encrypted_len, 1314 decrypted_master_key, KEY_LEN_BYTES)) { 1315 SLOGE("EVP_EncryptUpdate failed\n"); 1316 return -1; 1317 } 1318 if (! EVP_EncryptFinal_ex(&e_ctx, encrypted_master_key + encrypted_len, &final_len)) { 1319 SLOGE("EVP_EncryptFinal failed\n"); 1320 return -1; 1321 } 1322 1323 if (encrypted_len + final_len != KEY_LEN_BYTES) { 1324 SLOGE("EVP_Encryption length check failed with %d, %d bytes\n", encrypted_len, final_len); 1325 return -1; 1326 } 1327 1328 /* Store the scrypt of the intermediate key, so we can validate if it's a 1329 password error or mount error when things go wrong. 1330 Note there's no need to check for errors, since if this is incorrect, we 1331 simply won't wipe userdata, which is the correct default behavior 1332 */ 1333 int N = 1 << crypt_ftr->N_factor; 1334 int r = 1 << crypt_ftr->r_factor; 1335 int p = 1 << crypt_ftr->p_factor; 1336 1337 rc = crypto_scrypt(ikey, KEY_LEN_BYTES, 1338 crypt_ftr->salt, sizeof(crypt_ftr->salt), N, r, p, 1339 crypt_ftr->scrypted_intermediate_key, 1340 sizeof(crypt_ftr->scrypted_intermediate_key)); 1341 1342 if (rc) { 1343 SLOGE("encrypt_master_key: crypto_scrypt failed"); 1344 } 1345 1346 return 0; 1347} 1348 1349static int decrypt_master_key_aux(char *passwd, unsigned char *salt, 1350 unsigned char *encrypted_master_key, 1351 unsigned char *decrypted_master_key, 1352 kdf_func kdf, void *kdf_params, 1353 unsigned char** intermediate_key, 1354 size_t* intermediate_key_size) 1355{ 1356 unsigned char ikey[32+32] = { 0 }; /* Big enough to hold a 256 bit key and 256 bit IV */ 1357 EVP_CIPHER_CTX d_ctx; 1358 int decrypted_len, final_len; 1359 1360 /* Turn the password into an intermediate key and IV that can decrypt the 1361 master key */ 1362 if (kdf(passwd, salt, ikey, kdf_params)) { 1363 SLOGE("kdf failed"); 1364 return -1; 1365 } 1366 1367 /* Initialize the decryption engine */ 1368 EVP_CIPHER_CTX_init(&d_ctx); 1369 if (! EVP_DecryptInit_ex(&d_ctx, EVP_aes_128_cbc(), NULL, ikey, ikey+KEY_LEN_BYTES)) { 1370 return -1; 1371 } 1372 EVP_CIPHER_CTX_set_padding(&d_ctx, 0); /* Turn off padding as our data is block aligned */ 1373 /* Decrypt the master key */ 1374 if (! EVP_DecryptUpdate(&d_ctx, decrypted_master_key, &decrypted_len, 1375 encrypted_master_key, KEY_LEN_BYTES)) { 1376 return -1; 1377 } 1378 if (! EVP_DecryptFinal_ex(&d_ctx, decrypted_master_key + decrypted_len, &final_len)) { 1379 return -1; 1380 } 1381 1382 if (decrypted_len + final_len != KEY_LEN_BYTES) { 1383 return -1; 1384 } 1385 1386 /* Copy intermediate key if needed by params */ 1387 if (intermediate_key && intermediate_key_size) { 1388 *intermediate_key = (unsigned char*) malloc(KEY_LEN_BYTES); 1389 if (intermediate_key) { 1390 memcpy(*intermediate_key, ikey, KEY_LEN_BYTES); 1391 *intermediate_key_size = KEY_LEN_BYTES; 1392 } 1393 } 1394 1395 return 0; 1396} 1397 1398static void get_kdf_func(struct crypt_mnt_ftr *ftr, kdf_func *kdf, void** kdf_params) 1399{ 1400 if (ftr->kdf_type == KDF_SCRYPT_KEYMASTER_UNPADDED || 1401 ftr->kdf_type == KDF_SCRYPT_KEYMASTER_BADLY_PADDED || 1402 ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1403 *kdf = scrypt_keymaster; 1404 *kdf_params = ftr; 1405 } else if (ftr->kdf_type == KDF_SCRYPT) { 1406 *kdf = scrypt; 1407 *kdf_params = ftr; 1408 } else { 1409 *kdf = pbkdf2; 1410 *kdf_params = NULL; 1411 } 1412} 1413 1414static int decrypt_master_key(char *passwd, unsigned char *decrypted_master_key, 1415 struct crypt_mnt_ftr *crypt_ftr, 1416 unsigned char** intermediate_key, 1417 size_t* intermediate_key_size) 1418{ 1419 kdf_func kdf; 1420 void *kdf_params; 1421 int ret; 1422 1423 get_kdf_func(crypt_ftr, &kdf, &kdf_params); 1424 ret = decrypt_master_key_aux(passwd, crypt_ftr->salt, crypt_ftr->master_key, 1425 decrypted_master_key, kdf, kdf_params, 1426 intermediate_key, intermediate_key_size); 1427 if (ret != 0) { 1428 SLOGW("failure decrypting master key"); 1429 } 1430 1431 return ret; 1432} 1433 1434static int create_encrypted_random_key(char *passwd, unsigned char *master_key, unsigned char *salt, 1435 struct crypt_mnt_ftr *crypt_ftr) { 1436 int fd; 1437 unsigned char key_buf[KEY_LEN_BYTES]; 1438 EVP_CIPHER_CTX e_ctx; 1439 int encrypted_len, final_len; 1440 1441 /* Get some random bits for a key */ 1442 fd = open("/dev/urandom", O_RDONLY); 1443 read(fd, key_buf, sizeof(key_buf)); 1444 read(fd, salt, SALT_LEN); 1445 close(fd); 1446 1447 /* Now encrypt it with the password */ 1448 return encrypt_master_key(passwd, salt, key_buf, master_key, crypt_ftr); 1449} 1450 1451static int wait_and_unmount(char *mountpoint, bool kill) 1452{ 1453 int i, err, rc; 1454#define WAIT_UNMOUNT_COUNT 20 1455 1456 /* Now umount the tmpfs filesystem */ 1457 for (i=0; i<WAIT_UNMOUNT_COUNT; i++) { 1458 if (umount(mountpoint) == 0) { 1459 break; 1460 } 1461 1462 if (errno == EINVAL) { 1463 /* EINVAL is returned if the directory is not a mountpoint, 1464 * i.e. there is no filesystem mounted there. So just get out. 1465 */ 1466 break; 1467 } 1468 1469 err = errno; 1470 1471 /* If allowed, be increasingly aggressive before the last two retries */ 1472 if (kill) { 1473 if (i == (WAIT_UNMOUNT_COUNT - 3)) { 1474 SLOGW("sending SIGHUP to processes with open files\n"); 1475 vold_killProcessesWithOpenFiles(mountpoint, 1); 1476 } else if (i == (WAIT_UNMOUNT_COUNT - 2)) { 1477 SLOGW("sending SIGKILL to processes with open files\n"); 1478 vold_killProcessesWithOpenFiles(mountpoint, 2); 1479 } 1480 } 1481 1482 sleep(1); 1483 } 1484 1485 if (i < WAIT_UNMOUNT_COUNT) { 1486 SLOGD("unmounting %s succeeded\n", mountpoint); 1487 rc = 0; 1488 } else { 1489 vold_killProcessesWithOpenFiles(mountpoint, 0); 1490 SLOGE("unmounting %s failed: %s\n", mountpoint, strerror(err)); 1491 rc = -1; 1492 } 1493 1494 return rc; 1495} 1496 1497#define DATA_PREP_TIMEOUT 200 1498static int prep_data_fs(void) 1499{ 1500 int i; 1501 1502 /* Do the prep of the /data filesystem */ 1503 property_set("vold.post_fs_data_done", "0"); 1504 property_set("vold.decrypt", "trigger_post_fs_data"); 1505 SLOGD("Just triggered post_fs_data\n"); 1506 1507 /* Wait a max of 50 seconds, hopefully it takes much less */ 1508 for (i=0; i<DATA_PREP_TIMEOUT; i++) { 1509 char p[PROPERTY_VALUE_MAX]; 1510 1511 property_get("vold.post_fs_data_done", p, "0"); 1512 if (*p == '1') { 1513 break; 1514 } else { 1515 usleep(250000); 1516 } 1517 } 1518 if (i == DATA_PREP_TIMEOUT) { 1519 /* Ugh, we failed to prep /data in time. Bail. */ 1520 SLOGE("post_fs_data timed out!\n"); 1521 return -1; 1522 } else { 1523 SLOGD("post_fs_data done\n"); 1524 return 0; 1525 } 1526} 1527 1528static void cryptfs_set_corrupt() 1529{ 1530 // Mark the footer as bad 1531 struct crypt_mnt_ftr crypt_ftr; 1532 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1533 SLOGE("Failed to get crypto footer - panic"); 1534 return; 1535 } 1536 1537 crypt_ftr.flags |= CRYPT_DATA_CORRUPT; 1538 if (put_crypt_ftr_and_key(&crypt_ftr)) { 1539 SLOGE("Failed to set crypto footer - panic"); 1540 return; 1541 } 1542} 1543 1544static void cryptfs_trigger_restart_min_framework() 1545{ 1546 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 1547 SLOGE("Failed to mount tmpfs on data - panic"); 1548 return; 1549 } 1550 1551 if (property_set("vold.decrypt", "trigger_post_fs_data")) { 1552 SLOGE("Failed to trigger post fs data - panic"); 1553 return; 1554 } 1555 1556 if (property_set("vold.decrypt", "trigger_restart_min_framework")) { 1557 SLOGE("Failed to trigger restart min framework - panic"); 1558 return; 1559 } 1560} 1561 1562/* returns < 0 on failure */ 1563static int cryptfs_restart_internal(int restart_main) 1564{ 1565 char fs_type[32]; 1566 char real_blkdev[MAXPATHLEN]; 1567 char crypto_blkdev[MAXPATHLEN]; 1568 char fs_options[256]; 1569 unsigned long mnt_flags; 1570 struct stat statbuf; 1571 int rc = -1, i; 1572 static int restart_successful = 0; 1573 1574 /* Validate that it's OK to call this routine */ 1575 if (! master_key_saved) { 1576 SLOGE("Encrypted filesystem not validated, aborting"); 1577 return -1; 1578 } 1579 1580 if (restart_successful) { 1581 SLOGE("System already restarted with encrypted disk, aborting"); 1582 return -1; 1583 } 1584 1585 if (restart_main) { 1586 /* Here is where we shut down the framework. The init scripts 1587 * start all services in one of three classes: core, main or late_start. 1588 * On boot, we start core and main. Now, we stop main, but not core, 1589 * as core includes vold and a few other really important things that 1590 * we need to keep running. Once main has stopped, we should be able 1591 * to umount the tmpfs /data, then mount the encrypted /data. 1592 * We then restart the class main, and also the class late_start. 1593 * At the moment, I've only put a few things in late_start that I know 1594 * are not needed to bring up the framework, and that also cause problems 1595 * with unmounting the tmpfs /data, but I hope to add add more services 1596 * to the late_start class as we optimize this to decrease the delay 1597 * till the user is asked for the password to the filesystem. 1598 */ 1599 1600 /* The init files are setup to stop the class main when vold.decrypt is 1601 * set to trigger_reset_main. 1602 */ 1603 property_set("vold.decrypt", "trigger_reset_main"); 1604 SLOGD("Just asked init to shut down class main\n"); 1605 1606 /* Ugh, shutting down the framework is not synchronous, so until it 1607 * can be fixed, this horrible hack will wait a moment for it all to 1608 * shut down before proceeding. Without it, some devices cannot 1609 * restart the graphics services. 1610 */ 1611 sleep(2); 1612 } 1613 1614 /* Now that the framework is shutdown, we should be able to umount() 1615 * the tmpfs filesystem, and mount the real one. 1616 */ 1617 1618 property_get("ro.crypto.fs_crypto_blkdev", crypto_blkdev, ""); 1619 if (strlen(crypto_blkdev) == 0) { 1620 SLOGE("fs_crypto_blkdev not set\n"); 1621 return -1; 1622 } 1623 1624 if (! (rc = wait_and_unmount(DATA_MNT_POINT, true)) ) { 1625 /* If ro.crypto.readonly is set to 1, mount the decrypted 1626 * filesystem readonly. This is used when /data is mounted by 1627 * recovery mode. 1628 */ 1629 char ro_prop[PROPERTY_VALUE_MAX]; 1630 property_get("ro.crypto.readonly", ro_prop, ""); 1631 if (strlen(ro_prop) > 0 && atoi(ro_prop)) { 1632 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 1633 rec->flags |= MS_RDONLY; 1634 } 1635 1636 /* If that succeeded, then mount the decrypted filesystem */ 1637 int retries = RETRY_MOUNT_ATTEMPTS; 1638 int mount_rc; 1639 while ((mount_rc = fs_mgr_do_mount(fstab, DATA_MNT_POINT, 1640 crypto_blkdev, 0)) 1641 != 0) { 1642 if (mount_rc == FS_MGR_DOMNT_BUSY) { 1643 /* TODO: invoke something similar to 1644 Process::killProcessWithOpenFiles(DATA_MNT_POINT, 1645 retries > RETRY_MOUNT_ATTEMPT/2 ? 1 : 2 ) */ 1646 SLOGI("Failed to mount %s because it is busy - waiting", 1647 crypto_blkdev); 1648 if (--retries) { 1649 sleep(RETRY_MOUNT_DELAY_SECONDS); 1650 } else { 1651 /* Let's hope that a reboot clears away whatever is keeping 1652 the mount busy */ 1653 cryptfs_reboot(reboot); 1654 } 1655 } else { 1656 SLOGE("Failed to mount decrypted data"); 1657 cryptfs_set_corrupt(); 1658 cryptfs_trigger_restart_min_framework(); 1659 SLOGI("Started framework to offer wipe"); 1660 return -1; 1661 } 1662 } 1663 1664 property_set("vold.decrypt", "trigger_load_persist_props"); 1665 /* Create necessary paths on /data */ 1666 if (prep_data_fs()) { 1667 return -1; 1668 } 1669 1670 /* startup service classes main and late_start */ 1671 property_set("vold.decrypt", "trigger_restart_framework"); 1672 SLOGD("Just triggered restart_framework\n"); 1673 1674 /* Give it a few moments to get started */ 1675 sleep(1); 1676 } 1677 1678 if (rc == 0) { 1679 restart_successful = 1; 1680 } 1681 1682 return rc; 1683} 1684 1685int cryptfs_restart(void) 1686{ 1687 /* Call internal implementation forcing a restart of main service group */ 1688 return cryptfs_restart_internal(1); 1689} 1690 1691static int do_crypto_complete(char *mount_point UNUSED) 1692{ 1693 struct crypt_mnt_ftr crypt_ftr; 1694 char encrypted_state[PROPERTY_VALUE_MAX]; 1695 char key_loc[PROPERTY_VALUE_MAX]; 1696 1697 property_get("ro.crypto.state", encrypted_state, ""); 1698 if (strcmp(encrypted_state, "encrypted") ) { 1699 SLOGE("not running with encryption, aborting"); 1700 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1701 } 1702 1703 if (get_crypt_ftr_and_key(&crypt_ftr)) { 1704 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 1705 1706 /* 1707 * Only report this error if key_loc is a file and it exists. 1708 * If the device was never encrypted, and /data is not mountable for 1709 * some reason, returning 1 should prevent the UI from presenting the 1710 * a "enter password" screen, or worse, a "press button to wipe the 1711 * device" screen. 1712 */ 1713 if ((key_loc[0] == '/') && (access("key_loc", F_OK) == -1)) { 1714 SLOGE("master key file does not exist, aborting"); 1715 return CRYPTO_COMPLETE_NOT_ENCRYPTED; 1716 } else { 1717 SLOGE("Error getting crypt footer and key\n"); 1718 return CRYPTO_COMPLETE_BAD_METADATA; 1719 } 1720 } 1721 1722 // Test for possible error flags 1723 if (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS){ 1724 SLOGE("Encryption process is partway completed\n"); 1725 return CRYPTO_COMPLETE_PARTIAL; 1726 } 1727 1728 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE){ 1729 SLOGE("Encryption process was interrupted but cannot continue\n"); 1730 return CRYPTO_COMPLETE_INCONSISTENT; 1731 } 1732 1733 if (crypt_ftr.flags & CRYPT_DATA_CORRUPT){ 1734 SLOGE("Encryption is successful but data is corrupt\n"); 1735 return CRYPTO_COMPLETE_CORRUPT; 1736 } 1737 1738 /* We passed the test! We shall diminish, and return to the west */ 1739 return CRYPTO_COMPLETE_ENCRYPTED; 1740} 1741 1742static int test_mount_encrypted_fs(struct crypt_mnt_ftr* crypt_ftr, 1743 char *passwd, char *mount_point, char *label) 1744{ 1745 /* Allocate enough space for a 256 bit key, but we may use less */ 1746 unsigned char decrypted_master_key[32]; 1747 char crypto_blkdev[MAXPATHLEN]; 1748 char real_blkdev[MAXPATHLEN]; 1749 char tmp_mount_point[64]; 1750 unsigned int orig_failed_decrypt_count; 1751 int rc; 1752 kdf_func kdf; 1753 void *kdf_params; 1754 int use_keymaster = 0; 1755 int upgrade = 0; 1756 unsigned char* intermediate_key = 0; 1757 size_t intermediate_key_size = 0; 1758 1759 SLOGD("crypt_ftr->fs_size = %lld\n", crypt_ftr->fs_size); 1760 orig_failed_decrypt_count = crypt_ftr->failed_decrypt_count; 1761 1762 if (! (crypt_ftr->flags & CRYPT_MNT_KEY_UNENCRYPTED) ) { 1763 if (decrypt_master_key(passwd, decrypted_master_key, crypt_ftr, 1764 &intermediate_key, &intermediate_key_size)) { 1765 SLOGE("Failed to decrypt master key\n"); 1766 rc = -1; 1767 goto errout; 1768 } 1769 } 1770 1771 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 1772 1773#ifdef CONFIG_HW_DISK_ENCRYPTION 1774 if (!strcmp((char *)crypt_ftr->crypto_type_name, "aes-xts")) { 1775 if(!set_hw_device_encryption_key(passwd, (char*) crypt_ftr->crypto_type_name)) { 1776 SLOGE("Hardware encryption key does not match"); 1777 } 1778 } 1779#endif 1780 1781 // Create crypto block device - all (non fatal) code paths 1782 // need it 1783 if (create_crypto_blk_dev(crypt_ftr, decrypted_master_key, 1784 real_blkdev, crypto_blkdev, label)) { 1785 SLOGE("Error creating decrypted block device\n"); 1786 rc = -1; 1787 goto errout; 1788 } 1789 1790 /* Work out if the problem is the password or the data */ 1791 unsigned char scrypted_intermediate_key[sizeof(crypt_ftr-> 1792 scrypted_intermediate_key)]; 1793 int N = 1 << crypt_ftr->N_factor; 1794 int r = 1 << crypt_ftr->r_factor; 1795 int p = 1 << crypt_ftr->p_factor; 1796 1797 rc = crypto_scrypt(intermediate_key, intermediate_key_size, 1798 crypt_ftr->salt, sizeof(crypt_ftr->salt), 1799 N, r, p, scrypted_intermediate_key, 1800 sizeof(scrypted_intermediate_key)); 1801 1802 // Does the key match the crypto footer? 1803 if (rc == 0 && memcmp(scrypted_intermediate_key, 1804 crypt_ftr->scrypted_intermediate_key, 1805 sizeof(scrypted_intermediate_key)) == 0) { 1806 SLOGI("Password matches"); 1807 rc = 0; 1808 } else { 1809 /* Try mounting the file system anyway, just in case the problem's with 1810 * the footer, not the key. */ 1811 sprintf(tmp_mount_point, "%s/tmp_mnt", mount_point); 1812 mkdir(tmp_mount_point, 0755); 1813 if (fs_mgr_do_mount(fstab, DATA_MNT_POINT, crypto_blkdev, tmp_mount_point)) { 1814 SLOGE("Error temp mounting decrypted block device\n"); 1815 delete_crypto_blk_dev(label); 1816 1817 rc = ++crypt_ftr->failed_decrypt_count; 1818 put_crypt_ftr_and_key(crypt_ftr); 1819 } else { 1820 /* Success! */ 1821 SLOGI("Password did not match but decrypted drive mounted - continue"); 1822 umount(tmp_mount_point); 1823 rc = 0; 1824 } 1825 } 1826 1827 if (rc == 0) { 1828 crypt_ftr->failed_decrypt_count = 0; 1829 if (orig_failed_decrypt_count != 0) { 1830 put_crypt_ftr_and_key(crypt_ftr); 1831 } 1832 1833 /* Save the name of the crypto block device 1834 * so we can mount it when restarting the framework. */ 1835 property_set("ro.crypto.fs_crypto_blkdev", crypto_blkdev); 1836 1837 /* Also save a the master key so we can reencrypted the key 1838 * the key when we want to change the password on it. */ 1839 memcpy(saved_master_key, decrypted_master_key, KEY_LEN_BYTES); 1840 saved_mount_point = strdup(mount_point); 1841 master_key_saved = 1; 1842 SLOGD("%s(): Master key saved\n", __FUNCTION__); 1843 rc = 0; 1844 1845 // Upgrade if we're not using the latest KDF. 1846 use_keymaster = keymaster_check_compatibility(); 1847 if (crypt_ftr->kdf_type == KDF_SCRYPT_KEYMASTER) { 1848 // Don't allow downgrade 1849 } else if (use_keymaster == 1 && crypt_ftr->kdf_type != KDF_SCRYPT_KEYMASTER) { 1850 crypt_ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 1851 upgrade = 1; 1852 } else if (use_keymaster == 0 && crypt_ftr->kdf_type != KDF_SCRYPT) { 1853 crypt_ftr->kdf_type = KDF_SCRYPT; 1854 upgrade = 1; 1855 } 1856 1857 if (upgrade) { 1858 rc = encrypt_master_key(passwd, crypt_ftr->salt, saved_master_key, 1859 crypt_ftr->master_key, crypt_ftr); 1860 if (!rc) { 1861 rc = put_crypt_ftr_and_key(crypt_ftr); 1862 } 1863 SLOGD("Key Derivation Function upgrade: rc=%d\n", rc); 1864 1865 // Do not fail even if upgrade failed - machine is bootable 1866 // Note that if this code is ever hit, there is a *serious* problem 1867 // since KDFs should never fail. You *must* fix the kdf before 1868 // proceeding! 1869 if (rc) { 1870 SLOGW("Upgrade failed with error %d," 1871 " but continuing with previous state", 1872 rc); 1873 rc = 0; 1874 } 1875 } 1876 } 1877 1878 errout: 1879 if (intermediate_key) { 1880 memset(intermediate_key, 0, intermediate_key_size); 1881 free(intermediate_key); 1882 } 1883 return rc; 1884} 1885 1886/* Called by vold when it wants to undo the crypto mapping of a volume it 1887 * manages. This is usually in response to a factory reset, when we want 1888 * to undo the crypto mapping so the volume is formatted in the clear. 1889 */ 1890int cryptfs_revert_volume(const char *label) 1891{ 1892 return delete_crypto_blk_dev((char *)label); 1893} 1894 1895/* 1896 * Called by vold when it's asked to mount an encrypted, nonremovable volume. 1897 * Setup a dm-crypt mapping, use the saved master key from 1898 * setting up the /data mapping, and return the new device path. 1899 */ 1900int cryptfs_setup_volume(const char *label, int major, int minor, 1901 char *crypto_sys_path, unsigned int max_path, 1902 int *new_major, int *new_minor) 1903{ 1904 char real_blkdev[MAXPATHLEN], crypto_blkdev[MAXPATHLEN]; 1905 struct crypt_mnt_ftr sd_crypt_ftr; 1906 struct stat statbuf; 1907 int nr_sec, fd; 1908 1909 sprintf(real_blkdev, "/dev/block/vold/%d:%d", major, minor); 1910 1911 get_crypt_ftr_and_key(&sd_crypt_ftr); 1912 1913 /* Update the fs_size field to be the size of the volume */ 1914 fd = open(real_blkdev, O_RDONLY); 1915 nr_sec = get_blkdev_size(fd); 1916 close(fd); 1917 if (nr_sec == 0) { 1918 SLOGE("Cannot get size of volume %s\n", real_blkdev); 1919 return -1; 1920 } 1921 1922 sd_crypt_ftr.fs_size = nr_sec; 1923 create_crypto_blk_dev(&sd_crypt_ftr, saved_master_key, real_blkdev, 1924 crypto_blkdev, label); 1925 1926 if (stat(crypto_blkdev, &statbuf) < 0) { 1927 SLOGE("Error get stat for crypto_blkdev %s. err=%d(%s)\n", 1928 crypto_blkdev, errno, strerror(errno)); 1929 } 1930 *new_major = MAJOR(statbuf.st_rdev); 1931 *new_minor = MINOR(statbuf.st_rdev); 1932 1933 /* Create path to sys entry for this block device */ 1934 snprintf(crypto_sys_path, max_path, "/devices/virtual/block/%s", strrchr(crypto_blkdev, '/')+1); 1935 1936 return 0; 1937} 1938 1939int cryptfs_crypto_complete(void) 1940{ 1941 return do_crypto_complete("/data"); 1942} 1943 1944int check_unmounted_and_get_ftr(struct crypt_mnt_ftr* crypt_ftr) 1945{ 1946 char encrypted_state[PROPERTY_VALUE_MAX]; 1947 property_get("ro.crypto.state", encrypted_state, ""); 1948 if ( master_key_saved || strcmp(encrypted_state, "encrypted") ) { 1949 SLOGE("encrypted fs already validated or not running with encryption," 1950 " aborting"); 1951 return -1; 1952 } 1953 1954 if (get_crypt_ftr_and_key(crypt_ftr)) { 1955 SLOGE("Error getting crypt footer and key"); 1956 return -1; 1957 } 1958 1959 return 0; 1960} 1961 1962/* 1963 * TODO - transition patterns to new format in calling code 1964 * and remove this vile hack, and the use of hex in 1965 * the password passing code. 1966 * 1967 * Patterns are passed in zero based (i.e. the top left dot 1968 * is represented by zero, the top middle one etc), but we want 1969 * to store them '1' based. 1970 * This is to allow us to migrate the calling code to use this 1971 * convention. It also solves a nasty problem whereby scrypt ignores 1972 * trailing zeros, so patterns ending at the top left could be 1973 * truncated, and similarly, you could add the top left to any 1974 * pattern and still match. 1975 * adjust_passwd is a hack function that returns the alternate representation 1976 * if the password appears to be a pattern (hex numbers all less than 09) 1977 * If it succeeds we need to try both, and in particular try the alternate 1978 * first. If the original matches, then we need to update the footer 1979 * with the alternate. 1980 * All code that accepts passwords must adjust them first. Since 1981 * cryptfs_check_passwd is always the first function called after a migration 1982 * (and indeed on any boot) we only need to do the double try in this 1983 * function. 1984 */ 1985char* adjust_passwd(const char* passwd) 1986{ 1987 size_t index, length; 1988 1989 if (!passwd) { 1990 return 0; 1991 } 1992 1993 // Check even length. Hex encoded passwords are always 1994 // an even length, since each character encodes to two characters. 1995 length = strlen(passwd); 1996 if (length % 2) { 1997 SLOGW("Password not correctly hex encoded."); 1998 return 0; 1999 } 2000 2001 // Check password is old-style pattern - a collection of hex 2002 // encoded bytes less than 9 (00 through 08) 2003 for (index = 0; index < length; index +=2) { 2004 if (passwd[index] != '0' 2005 || passwd[index + 1] < '0' || passwd[index + 1] > '8') { 2006 return 0; 2007 } 2008 } 2009 2010 // Allocate room for adjusted passwd and null terminate 2011 char* adjusted = malloc(length + 1); 2012 adjusted[length] = 0; 2013 2014 // Add 0x31 ('1') to each character 2015 for (index = 0; index < length; index += 2) { 2016 // output is 31 through 39 so set first byte to three, second to src + 1 2017 adjusted[index] = '3'; 2018 adjusted[index + 1] = passwd[index + 1] + 1; 2019 } 2020 2021 return adjusted; 2022} 2023 2024int cryptfs_check_passwd(char *passwd) 2025{ 2026 struct crypt_mnt_ftr crypt_ftr; 2027 int rc; 2028 2029 rc = check_unmounted_and_get_ftr(&crypt_ftr); 2030 if (rc) 2031 return rc; 2032 2033 char* adjusted_passwd = adjust_passwd(passwd); 2034 if (adjusted_passwd) { 2035 int failed_decrypt_count = crypt_ftr.failed_decrypt_count; 2036 rc = test_mount_encrypted_fs(&crypt_ftr, adjusted_passwd, 2037 DATA_MNT_POINT, "userdata"); 2038 2039 // Maybe the original one still works? 2040 if (rc) { 2041 // Don't double count this failure 2042 crypt_ftr.failed_decrypt_count = failed_decrypt_count; 2043 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2044 DATA_MNT_POINT, "userdata"); 2045 if (!rc) { 2046 // cryptfs_changepw also adjusts so pass original 2047 // Note that adjust_passwd only recognises patterns 2048 // so we can safely use CRYPT_TYPE_PATTERN 2049 SLOGI("Updating pattern to new format"); 2050 cryptfs_changepw(CRYPT_TYPE_PATTERN, passwd); 2051 } 2052 } 2053 free(adjusted_passwd); 2054 } else { 2055 rc = test_mount_encrypted_fs(&crypt_ftr, passwd, 2056 DATA_MNT_POINT, "userdata"); 2057 } 2058 2059 if (rc == 0 && crypt_ftr.crypt_type != CRYPT_TYPE_DEFAULT) { 2060 cryptfs_clear_password(); 2061 password = strdup(passwd); 2062 struct timespec now; 2063 clock_gettime(CLOCK_BOOTTIME, &now); 2064 password_expiry_time = now.tv_sec + password_max_age_seconds; 2065 } 2066 2067 return rc; 2068} 2069 2070int cryptfs_verify_passwd(char *passwd) 2071{ 2072 struct crypt_mnt_ftr crypt_ftr; 2073 /* Allocate enough space for a 256 bit key, but we may use less */ 2074 unsigned char decrypted_master_key[32]; 2075 char encrypted_state[PROPERTY_VALUE_MAX]; 2076 int rc; 2077 2078 property_get("ro.crypto.state", encrypted_state, ""); 2079 if (strcmp(encrypted_state, "encrypted") ) { 2080 SLOGE("device not encrypted, aborting"); 2081 return -2; 2082 } 2083 2084 if (!master_key_saved) { 2085 SLOGE("encrypted fs not yet mounted, aborting"); 2086 return -1; 2087 } 2088 2089 if (!saved_mount_point) { 2090 SLOGE("encrypted fs failed to save mount point, aborting"); 2091 return -1; 2092 } 2093 2094 if (get_crypt_ftr_and_key(&crypt_ftr)) { 2095 SLOGE("Error getting crypt footer and key\n"); 2096 return -1; 2097 } 2098 2099 if (crypt_ftr.flags & CRYPT_MNT_KEY_UNENCRYPTED) { 2100 /* If the device has no password, then just say the password is valid */ 2101 rc = 0; 2102 } else { 2103 char* adjusted_passwd = adjust_passwd(passwd); 2104 if (adjusted_passwd) { 2105 passwd = adjusted_passwd; 2106 } 2107 2108 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 2109 if (!memcmp(decrypted_master_key, saved_master_key, crypt_ftr.keysize)) { 2110 /* They match, the password is correct */ 2111 rc = 0; 2112 } else { 2113 /* If incorrect, sleep for a bit to prevent dictionary attacks */ 2114 sleep(1); 2115 rc = 1; 2116 } 2117 2118 free(adjusted_passwd); 2119 } 2120 2121 return rc; 2122} 2123 2124/* Initialize a crypt_mnt_ftr structure. The keysize is 2125 * defaulted to 16 bytes, and the filesystem size to 0. 2126 * Presumably, at a minimum, the caller will update the 2127 * filesystem size and crypto_type_name after calling this function. 2128 */ 2129static int cryptfs_init_crypt_mnt_ftr(struct crypt_mnt_ftr *ftr) 2130{ 2131 off64_t off; 2132 2133 memset(ftr, 0, sizeof(struct crypt_mnt_ftr)); 2134 ftr->magic = CRYPT_MNT_MAGIC; 2135 ftr->major_version = CURRENT_MAJOR_VERSION; 2136 ftr->minor_version = CURRENT_MINOR_VERSION; 2137 ftr->ftr_size = sizeof(struct crypt_mnt_ftr); 2138 ftr->keysize = KEY_LEN_BYTES; 2139 2140 switch (keymaster_check_compatibility()) { 2141 case 1: 2142 ftr->kdf_type = KDF_SCRYPT_KEYMASTER; 2143 break; 2144 2145 case 0: 2146 ftr->kdf_type = KDF_SCRYPT; 2147 break; 2148 2149 default: 2150 SLOGE("keymaster_check_compatibility failed"); 2151 return -1; 2152 } 2153 2154 get_device_scrypt_params(ftr); 2155 2156 ftr->persist_data_size = CRYPT_PERSIST_DATA_SIZE; 2157 if (get_crypt_ftr_info(NULL, &off) == 0) { 2158 ftr->persist_data_offset[0] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET; 2159 ftr->persist_data_offset[1] = off + CRYPT_FOOTER_TO_PERSIST_OFFSET + 2160 ftr->persist_data_size; 2161 } 2162 2163 return 0; 2164} 2165 2166static int cryptfs_enable_wipe(char *crypto_blkdev, off64_t size, int type) 2167{ 2168 const char *args[10]; 2169 char size_str[32]; /* Must be large enough to hold a %lld and null byte */ 2170 int num_args; 2171 int status; 2172 int tmp; 2173 int rc = -1; 2174 2175 if (type == EXT4_FS) { 2176 args[0] = "/system/bin/make_ext4fs"; 2177 args[1] = "-a"; 2178 args[2] = "/data"; 2179 args[3] = "-l"; 2180 snprintf(size_str, sizeof(size_str), "%" PRId64, size * 512); 2181 args[4] = size_str; 2182 args[5] = crypto_blkdev; 2183 num_args = 6; 2184 SLOGI("Making empty filesystem with command %s %s %s %s %s %s\n", 2185 args[0], args[1], args[2], args[3], args[4], args[5]); 2186 } else if (type == F2FS_FS) { 2187 args[0] = "/system/bin/mkfs.f2fs"; 2188 args[1] = "-t"; 2189 args[2] = "-d1"; 2190 args[3] = crypto_blkdev; 2191 snprintf(size_str, sizeof(size_str), "%" PRId64, size); 2192 args[4] = size_str; 2193 num_args = 5; 2194 SLOGI("Making empty filesystem with command %s %s %s %s %s\n", 2195 args[0], args[1], args[2], args[3], args[4]); 2196 } else { 2197 SLOGE("cryptfs_enable_wipe(): unknown filesystem type %d\n", type); 2198 return -1; 2199 } 2200 2201 tmp = android_fork_execvp(num_args, (char **)args, &status, false, true); 2202 2203 if (tmp != 0) { 2204 SLOGE("Error creating empty filesystem on %s due to logwrap error\n", crypto_blkdev); 2205 } else { 2206 if (WIFEXITED(status)) { 2207 if (WEXITSTATUS(status)) { 2208 SLOGE("Error creating filesystem on %s, exit status %d ", 2209 crypto_blkdev, WEXITSTATUS(status)); 2210 } else { 2211 SLOGD("Successfully created filesystem on %s\n", crypto_blkdev); 2212 rc = 0; 2213 } 2214 } else { 2215 SLOGE("Error creating filesystem on %s, did not exit normally\n", crypto_blkdev); 2216 } 2217 } 2218 2219 return rc; 2220} 2221 2222#define CRYPT_INPLACE_BUFSIZE 4096 2223#define CRYPT_SECTORS_PER_BUFSIZE (CRYPT_INPLACE_BUFSIZE / CRYPT_SECTOR_SIZE) 2224#define CRYPT_SECTOR_SIZE 512 2225 2226/* aligned 32K writes tends to make flash happy. 2227 * SD card association recommends it. 2228 */ 2229#ifndef CONFIG_HW_DISK_ENCRYPTION 2230#define BLOCKS_AT_A_TIME 8 2231#else 2232#define BLOCKS_AT_A_TIME 1024 2233#endif 2234 2235struct encryptGroupsData 2236{ 2237 int realfd; 2238 int cryptofd; 2239 off64_t numblocks; 2240 off64_t one_pct, cur_pct, new_pct; 2241 off64_t blocks_already_done, tot_numblocks; 2242 off64_t used_blocks_already_done, tot_used_blocks; 2243 char* real_blkdev, * crypto_blkdev; 2244 int count; 2245 off64_t offset; 2246 char* buffer; 2247 off64_t last_written_sector; 2248 int completed; 2249 time_t time_started; 2250 int remaining_time; 2251}; 2252 2253static void update_progress(struct encryptGroupsData* data, int is_used) 2254{ 2255 data->blocks_already_done++; 2256 2257 if (is_used) { 2258 data->used_blocks_already_done++; 2259 } 2260 if (data->tot_used_blocks) { 2261 data->new_pct = data->used_blocks_already_done / data->one_pct; 2262 } else { 2263 data->new_pct = data->blocks_already_done / data->one_pct; 2264 } 2265 2266 if (data->new_pct > data->cur_pct) { 2267 char buf[8]; 2268 data->cur_pct = data->new_pct; 2269 snprintf(buf, sizeof(buf), "%" PRId64, data->cur_pct); 2270 property_set("vold.encrypt_progress", buf); 2271 } 2272 2273 if (data->cur_pct >= 5) { 2274 struct timespec time_now; 2275 if (clock_gettime(CLOCK_MONOTONIC, &time_now)) { 2276 SLOGW("Error getting time"); 2277 } else { 2278 double elapsed_time = difftime(time_now.tv_sec, data->time_started); 2279 off64_t remaining_blocks = data->tot_used_blocks 2280 - data->used_blocks_already_done; 2281 int remaining_time = (int)(elapsed_time * remaining_blocks 2282 / data->used_blocks_already_done); 2283 2284 // Change time only if not yet set, lower, or a lot higher for 2285 // best user experience 2286 if (data->remaining_time == -1 2287 || remaining_time < data->remaining_time 2288 || remaining_time > data->remaining_time + 60) { 2289 char buf[8]; 2290 snprintf(buf, sizeof(buf), "%d", remaining_time); 2291 property_set("vold.encrypt_time_remaining", buf); 2292 data->remaining_time = remaining_time; 2293 } 2294 } 2295 } 2296} 2297 2298static void log_progress(struct encryptGroupsData const* data, bool completed) 2299{ 2300 // Precondition - if completed data = 0 else data != 0 2301 2302 // Track progress so we can skip logging blocks 2303 static off64_t offset = -1; 2304 2305 // Need to close existing 'Encrypting from' log? 2306 if (completed || (offset != -1 && data->offset != offset)) { 2307 SLOGI("Encrypted to sector %" PRId64, 2308 offset / info.block_size * CRYPT_SECTOR_SIZE); 2309 offset = -1; 2310 } 2311 2312 // Need to start new 'Encrypting from' log? 2313 if (!completed && offset != data->offset) { 2314 SLOGI("Encrypting from sector %" PRId64, 2315 data->offset / info.block_size * CRYPT_SECTOR_SIZE); 2316 } 2317 2318 // Update offset 2319 if (!completed) { 2320 offset = data->offset + (off64_t)data->count * info.block_size; 2321 } 2322} 2323 2324static int flush_outstanding_data(struct encryptGroupsData* data) 2325{ 2326 if (data->count == 0) { 2327 return 0; 2328 } 2329 2330 SLOGV("Copying %d blocks at offset %" PRIx64, data->count, data->offset); 2331 2332 if (pread64(data->realfd, data->buffer, 2333 info.block_size * data->count, data->offset) 2334 <= 0) { 2335 SLOGE("Error reading real_blkdev %s for inplace encrypt", 2336 data->real_blkdev); 2337 return -1; 2338 } 2339 2340 if (pwrite64(data->cryptofd, data->buffer, 2341 info.block_size * data->count, data->offset) 2342 <= 0) { 2343 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", 2344 data->crypto_blkdev); 2345 return -1; 2346 } else { 2347 log_progress(data, false); 2348 } 2349 2350 data->count = 0; 2351 data->last_written_sector = (data->offset + data->count) 2352 / info.block_size * CRYPT_SECTOR_SIZE - 1; 2353 return 0; 2354} 2355 2356static int encrypt_groups(struct encryptGroupsData* data) 2357{ 2358 unsigned int i; 2359 u8 *block_bitmap = 0; 2360 unsigned int block; 2361 off64_t ret; 2362 int rc = -1; 2363 2364 data->buffer = malloc(info.block_size * BLOCKS_AT_A_TIME); 2365 if (!data->buffer) { 2366 SLOGE("Failed to allocate crypto buffer"); 2367 goto errout; 2368 } 2369 2370 block_bitmap = malloc(info.block_size); 2371 if (!block_bitmap) { 2372 SLOGE("failed to allocate block bitmap"); 2373 goto errout; 2374 } 2375 2376 for (i = 0; i < aux_info.groups; ++i) { 2377 SLOGI("Encrypting group %d", i); 2378 2379 u32 first_block = aux_info.first_data_block + i * info.blocks_per_group; 2380 u32 block_count = min(info.blocks_per_group, 2381 aux_info.len_blocks - first_block); 2382 2383 off64_t offset = (u64)info.block_size 2384 * aux_info.bg_desc[i].bg_block_bitmap; 2385 2386 ret = pread64(data->realfd, block_bitmap, info.block_size, offset); 2387 if (ret != (int)info.block_size) { 2388 SLOGE("failed to read all of block group bitmap %d", i); 2389 goto errout; 2390 } 2391 2392 offset = (u64)info.block_size * first_block; 2393 2394 data->count = 0; 2395 2396 for (block = 0; block < block_count; block++) { 2397 int used = bitmap_get_bit(block_bitmap, block); 2398 update_progress(data, used); 2399 if (used) { 2400 if (data->count == 0) { 2401 data->offset = offset; 2402 } 2403 data->count++; 2404 } else { 2405 if (flush_outstanding_data(data)) { 2406 goto errout; 2407 } 2408 } 2409 2410 offset += info.block_size; 2411 2412 /* Write data if we are aligned or buffer size reached */ 2413 if (offset % (info.block_size * BLOCKS_AT_A_TIME) == 0 2414 || data->count == BLOCKS_AT_A_TIME) { 2415 if (flush_outstanding_data(data)) { 2416 goto errout; 2417 } 2418 } 2419 2420 if (!is_battery_ok_to_continue()) { 2421 SLOGE("Stopping encryption due to low battery"); 2422 rc = 0; 2423 goto errout; 2424 } 2425 2426 } 2427 if (flush_outstanding_data(data)) { 2428 goto errout; 2429 } 2430 } 2431 2432 data->completed = 1; 2433 rc = 0; 2434 2435errout: 2436 log_progress(0, true); 2437 free(data->buffer); 2438 free(block_bitmap); 2439 return rc; 2440} 2441 2442static int cryptfs_enable_inplace_ext4(char *crypto_blkdev, 2443 char *real_blkdev, 2444 off64_t size, 2445 off64_t *size_already_done, 2446 off64_t tot_size, 2447 off64_t previously_encrypted_upto) 2448{ 2449 u32 i; 2450 struct encryptGroupsData data; 2451 int rc; // Can't initialize without causing warning -Wclobbered 2452 2453 if (previously_encrypted_upto > *size_already_done) { 2454 SLOGD("Not fast encrypting since resuming part way through"); 2455 return -1; 2456 } 2457 2458 memset(&data, 0, sizeof(data)); 2459 data.real_blkdev = real_blkdev; 2460 data.crypto_blkdev = crypto_blkdev; 2461 2462 if ( (data.realfd = open(real_blkdev, O_RDWR)) < 0) { 2463 SLOGE("Error opening real_blkdev %s for inplace encrypt. err=%d(%s)\n", 2464 real_blkdev, errno, strerror(errno)); 2465 rc = -1; 2466 goto errout; 2467 } 2468 2469 if ( (data.cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2470 SLOGE("Error opening crypto_blkdev %s for ext4 inplace encrypt. err=%d(%s)\n", 2471 crypto_blkdev, errno, strerror(errno)); 2472 rc = ENABLE_INPLACE_ERR_DEV; 2473 goto errout; 2474 } 2475 2476 if (setjmp(setjmp_env)) { 2477 SLOGE("Reading ext4 extent caused an exception\n"); 2478 rc = -1; 2479 goto errout; 2480 } 2481 2482 if (read_ext(data.realfd, 0) != 0) { 2483 SLOGE("Failed to read ext4 extent\n"); 2484 rc = -1; 2485 goto errout; 2486 } 2487 2488 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2489 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2490 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2491 2492 SLOGI("Encrypting ext4 filesystem in place..."); 2493 2494 data.tot_used_blocks = data.numblocks; 2495 for (i = 0; i < aux_info.groups; ++i) { 2496 data.tot_used_blocks -= aux_info.bg_desc[i].bg_free_blocks_count; 2497 } 2498 2499 data.one_pct = data.tot_used_blocks / 100; 2500 data.cur_pct = 0; 2501 2502 struct timespec time_started = {0}; 2503 if (clock_gettime(CLOCK_MONOTONIC, &time_started)) { 2504 SLOGW("Error getting time at start"); 2505 // Note - continue anyway - we'll run with 0 2506 } 2507 data.time_started = time_started.tv_sec; 2508 data.remaining_time = -1; 2509 2510 rc = encrypt_groups(&data); 2511 if (rc) { 2512 SLOGE("Error encrypting groups"); 2513 goto errout; 2514 } 2515 2516 *size_already_done += data.completed ? size : data.last_written_sector; 2517 rc = 0; 2518 2519errout: 2520 close(data.realfd); 2521 close(data.cryptofd); 2522 2523 return rc; 2524} 2525 2526static void log_progress_f2fs(u64 block, bool completed) 2527{ 2528 // Precondition - if completed data = 0 else data != 0 2529 2530 // Track progress so we can skip logging blocks 2531 static u64 last_block = (u64)-1; 2532 2533 // Need to close existing 'Encrypting from' log? 2534 if (completed || (last_block != (u64)-1 && block != last_block + 1)) { 2535 SLOGI("Encrypted to block %" PRId64, last_block); 2536 last_block = -1; 2537 } 2538 2539 // Need to start new 'Encrypting from' log? 2540 if (!completed && (last_block == (u64)-1 || block != last_block + 1)) { 2541 SLOGI("Encrypting from block %" PRId64, block); 2542 } 2543 2544 // Update offset 2545 if (!completed) { 2546 last_block = block; 2547 } 2548} 2549 2550static int encrypt_one_block_f2fs(u64 pos, void *data) 2551{ 2552 struct encryptGroupsData *priv_dat = (struct encryptGroupsData *)data; 2553 2554 priv_dat->blocks_already_done = pos - 1; 2555 update_progress(priv_dat, 1); 2556 2557 off64_t offset = pos * CRYPT_INPLACE_BUFSIZE; 2558 2559 if (pread64(priv_dat->realfd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2560 SLOGE("Error reading real_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2561 return -1; 2562 } 2563 2564 if (pwrite64(priv_dat->cryptofd, priv_dat->buffer, CRYPT_INPLACE_BUFSIZE, offset) <= 0) { 2565 SLOGE("Error writing crypto_blkdev %s for f2fs inplace encrypt", priv_dat->crypto_blkdev); 2566 return -1; 2567 } else { 2568 log_progress_f2fs(pos, false); 2569 } 2570 2571 return 0; 2572} 2573 2574static int cryptfs_enable_inplace_f2fs(char *crypto_blkdev, 2575 char *real_blkdev, 2576 off64_t size, 2577 off64_t *size_already_done, 2578 off64_t tot_size, 2579 off64_t previously_encrypted_upto) 2580{ 2581 u32 i; 2582 struct encryptGroupsData data; 2583 struct f2fs_info *f2fs_info = NULL; 2584 int rc = ENABLE_INPLACE_ERR_OTHER; 2585 if (previously_encrypted_upto > *size_already_done) { 2586 SLOGD("Not fast encrypting since resuming part way through"); 2587 return ENABLE_INPLACE_ERR_OTHER; 2588 } 2589 memset(&data, 0, sizeof(data)); 2590 data.real_blkdev = real_blkdev; 2591 data.crypto_blkdev = crypto_blkdev; 2592 data.realfd = -1; 2593 data.cryptofd = -1; 2594 if ( (data.realfd = open64(real_blkdev, O_RDWR)) < 0) { 2595 SLOGE("Error opening real_blkdev %s for f2fs inplace encrypt\n", 2596 real_blkdev); 2597 goto errout; 2598 } 2599 if ( (data.cryptofd = open64(crypto_blkdev, O_WRONLY)) < 0) { 2600 SLOGE("Error opening crypto_blkdev %s for f2fs inplace encrypt. err=%d(%s)\n", 2601 crypto_blkdev, errno, strerror(errno)); 2602 rc = ENABLE_INPLACE_ERR_DEV; 2603 goto errout; 2604 } 2605 2606 f2fs_info = generate_f2fs_info(data.realfd); 2607 if (!f2fs_info) 2608 goto errout; 2609 2610 data.numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2611 data.tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2612 data.blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2613 2614 data.tot_used_blocks = get_num_blocks_used(f2fs_info); 2615 2616 data.one_pct = data.tot_used_blocks / 100; 2617 data.cur_pct = 0; 2618 data.time_started = time(NULL); 2619 data.remaining_time = -1; 2620 2621 data.buffer = malloc(f2fs_info->block_size); 2622 if (!data.buffer) { 2623 SLOGE("Failed to allocate crypto buffer"); 2624 goto errout; 2625 } 2626 2627 data.count = 0; 2628 2629 /* Currently, this either runs to completion, or hits a nonrecoverable error */ 2630 rc = run_on_used_blocks(data.blocks_already_done, f2fs_info, &encrypt_one_block_f2fs, &data); 2631 2632 if (rc) { 2633 SLOGE("Error in running over f2fs blocks"); 2634 rc = ENABLE_INPLACE_ERR_OTHER; 2635 goto errout; 2636 } 2637 2638 *size_already_done += size; 2639 rc = 0; 2640 2641errout: 2642 if (rc) 2643 SLOGE("Failed to encrypt f2fs filesystem on %s", real_blkdev); 2644 2645 log_progress_f2fs(0, true); 2646 free(f2fs_info); 2647 free(data.buffer); 2648 close(data.realfd); 2649 close(data.cryptofd); 2650 2651 return rc; 2652} 2653 2654static int cryptfs_enable_inplace_full(char *crypto_blkdev, char *real_blkdev, 2655 off64_t size, off64_t *size_already_done, 2656 off64_t tot_size, 2657 off64_t previously_encrypted_upto) 2658{ 2659 int realfd, cryptofd; 2660 char *buf[CRYPT_INPLACE_BUFSIZE]; 2661 int rc = ENABLE_INPLACE_ERR_OTHER; 2662 off64_t numblocks, i, remainder; 2663 off64_t one_pct, cur_pct, new_pct; 2664 off64_t blocks_already_done, tot_numblocks; 2665 2666 if ( (realfd = open(real_blkdev, O_RDONLY)) < 0) { 2667 SLOGE("Error opening real_blkdev %s for inplace encrypt\n", real_blkdev); 2668 return ENABLE_INPLACE_ERR_OTHER; 2669 } 2670 2671 if ( (cryptofd = open(crypto_blkdev, O_WRONLY)) < 0) { 2672 SLOGE("Error opening crypto_blkdev %s for inplace encrypt. err=%d(%s)\n", 2673 crypto_blkdev, errno, strerror(errno)); 2674 close(realfd); 2675 return ENABLE_INPLACE_ERR_DEV; 2676 } 2677 2678 /* This is pretty much a simple loop of reading 4K, and writing 4K. 2679 * The size passed in is the number of 512 byte sectors in the filesystem. 2680 * So compute the number of whole 4K blocks we should read/write, 2681 * and the remainder. 2682 */ 2683 numblocks = size / CRYPT_SECTORS_PER_BUFSIZE; 2684 remainder = size % CRYPT_SECTORS_PER_BUFSIZE; 2685 tot_numblocks = tot_size / CRYPT_SECTORS_PER_BUFSIZE; 2686 blocks_already_done = *size_already_done / CRYPT_SECTORS_PER_BUFSIZE; 2687 2688 SLOGE("Encrypting filesystem in place..."); 2689 2690 i = previously_encrypted_upto + 1 - *size_already_done; 2691 2692 if (lseek64(realfd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2693 SLOGE("Cannot seek to previously encrypted point on %s", real_blkdev); 2694 goto errout; 2695 } 2696 2697 if (lseek64(cryptofd, i * CRYPT_SECTOR_SIZE, SEEK_SET) < 0) { 2698 SLOGE("Cannot seek to previously encrypted point on %s", crypto_blkdev); 2699 goto errout; 2700 } 2701 2702 for (;i < size && i % CRYPT_SECTORS_PER_BUFSIZE != 0; ++i) { 2703 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2704 SLOGE("Error reading initial sectors from real_blkdev %s for " 2705 "inplace encrypt\n", crypto_blkdev); 2706 goto errout; 2707 } 2708 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2709 SLOGE("Error writing initial sectors to crypto_blkdev %s for " 2710 "inplace encrypt\n", crypto_blkdev); 2711 goto errout; 2712 } else { 2713 SLOGI("Encrypted 1 block at %" PRId64, i); 2714 } 2715 } 2716 2717 one_pct = tot_numblocks / 100; 2718 cur_pct = 0; 2719 /* process the majority of the filesystem in blocks */ 2720 for (i/=CRYPT_SECTORS_PER_BUFSIZE; i<numblocks; i++) { 2721 new_pct = (i + blocks_already_done) / one_pct; 2722 if (new_pct > cur_pct) { 2723 char buf[8]; 2724 2725 cur_pct = new_pct; 2726 snprintf(buf, sizeof(buf), "%" PRId64, cur_pct); 2727 property_set("vold.encrypt_progress", buf); 2728 } 2729 if (unix_read(realfd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2730 SLOGE("Error reading real_blkdev %s for inplace encrypt", crypto_blkdev); 2731 goto errout; 2732 } 2733 if (unix_write(cryptofd, buf, CRYPT_INPLACE_BUFSIZE) <= 0) { 2734 SLOGE("Error writing crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2735 goto errout; 2736 } else { 2737 SLOGD("Encrypted %d block at %" PRId64, 2738 CRYPT_SECTORS_PER_BUFSIZE, 2739 i * CRYPT_SECTORS_PER_BUFSIZE); 2740 } 2741 2742 if (!is_battery_ok_to_continue()) { 2743 SLOGE("Stopping encryption due to low battery"); 2744 *size_already_done += (i + 1) * CRYPT_SECTORS_PER_BUFSIZE - 1; 2745 rc = 0; 2746 goto errout; 2747 } 2748 } 2749 2750 /* Do any remaining sectors */ 2751 for (i=0; i<remainder; i++) { 2752 if (unix_read(realfd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2753 SLOGE("Error reading final sectors from real_blkdev %s for inplace encrypt", crypto_blkdev); 2754 goto errout; 2755 } 2756 if (unix_write(cryptofd, buf, CRYPT_SECTOR_SIZE) <= 0) { 2757 SLOGE("Error writing final sectors to crypto_blkdev %s for inplace encrypt", crypto_blkdev); 2758 goto errout; 2759 } else { 2760 SLOGI("Encrypted 1 block at next location"); 2761 } 2762 } 2763 2764 *size_already_done += size; 2765 rc = 0; 2766 2767errout: 2768 close(realfd); 2769 close(cryptofd); 2770 2771 return rc; 2772} 2773 2774/* returns on of the ENABLE_INPLACE_* return codes */ 2775static int cryptfs_enable_inplace(char *crypto_blkdev, char *real_blkdev, 2776 off64_t size, off64_t *size_already_done, 2777 off64_t tot_size, 2778 off64_t previously_encrypted_upto) 2779{ 2780 int rc_ext4, rc_f2fs, rc_full; 2781 if (previously_encrypted_upto) { 2782 SLOGD("Continuing encryption from %" PRId64, previously_encrypted_upto); 2783 } 2784 2785 if (*size_already_done + size < previously_encrypted_upto) { 2786 *size_already_done += size; 2787 return 0; 2788 } 2789 2790 /* TODO: identify filesystem type. 2791 * As is, cryptfs_enable_inplace_ext4 will fail on an f2fs partition, and 2792 * then we will drop down to cryptfs_enable_inplace_f2fs. 2793 * */ 2794 if ((rc_ext4 = cryptfs_enable_inplace_ext4(crypto_blkdev, real_blkdev, 2795 size, size_already_done, 2796 tot_size, previously_encrypted_upto)) == 0) { 2797 return 0; 2798 } 2799 SLOGD("cryptfs_enable_inplace_ext4()=%d\n", rc_ext4); 2800 2801 if ((rc_f2fs = cryptfs_enable_inplace_f2fs(crypto_blkdev, real_blkdev, 2802 size, size_already_done, 2803 tot_size, previously_encrypted_upto)) == 0) { 2804 return 0; 2805 } 2806 SLOGD("cryptfs_enable_inplace_f2fs()=%d\n", rc_f2fs); 2807 2808 rc_full = cryptfs_enable_inplace_full(crypto_blkdev, real_blkdev, 2809 size, size_already_done, tot_size, 2810 previously_encrypted_upto); 2811 SLOGD("cryptfs_enable_inplace_full()=%d\n", rc_full); 2812 2813 /* Hack for b/17898962, the following is the symptom... */ 2814 if (rc_ext4 == ENABLE_INPLACE_ERR_DEV 2815 && rc_f2fs == ENABLE_INPLACE_ERR_DEV 2816 && rc_full == ENABLE_INPLACE_ERR_DEV) { 2817 return ENABLE_INPLACE_ERR_DEV; 2818 } 2819 return rc_full; 2820} 2821 2822#define CRYPTO_ENABLE_WIPE 1 2823#define CRYPTO_ENABLE_INPLACE 2 2824 2825#define FRAMEWORK_BOOT_WAIT 60 2826 2827static inline int should_encrypt(struct volume_info *volume) 2828{ 2829 return (volume->flags & (VOL_ENCRYPTABLE | VOL_NONREMOVABLE)) == 2830 (VOL_ENCRYPTABLE | VOL_NONREMOVABLE); 2831} 2832 2833static int cryptfs_SHA256_fileblock(const char* filename, __le8* buf) 2834{ 2835 int fd = open(filename, O_RDONLY); 2836 if (fd == -1) { 2837 SLOGE("Error opening file %s", filename); 2838 return -1; 2839 } 2840 2841 char block[CRYPT_INPLACE_BUFSIZE]; 2842 memset(block, 0, sizeof(block)); 2843 if (unix_read(fd, block, sizeof(block)) < 0) { 2844 SLOGE("Error reading file %s", filename); 2845 close(fd); 2846 return -1; 2847 } 2848 2849 close(fd); 2850 2851 SHA256_CTX c; 2852 SHA256_Init(&c); 2853 SHA256_Update(&c, block, sizeof(block)); 2854 SHA256_Final(buf, &c); 2855 2856 return 0; 2857} 2858 2859static int get_fs_type(struct fstab_rec *rec) 2860{ 2861 if (!strcmp(rec->fs_type, "ext4")) { 2862 return EXT4_FS; 2863 } else if (!strcmp(rec->fs_type, "f2fs")) { 2864 return F2FS_FS; 2865 } else { 2866 return -1; 2867 } 2868} 2869 2870static int cryptfs_enable_all_volumes(struct crypt_mnt_ftr *crypt_ftr, int how, 2871 char *crypto_blkdev, char *real_blkdev, 2872 int previously_encrypted_upto) 2873{ 2874 off64_t cur_encryption_done=0, tot_encryption_size=0; 2875 int i, rc = -1; 2876 2877 if (!is_battery_ok_to_start()) { 2878 SLOGW("Not starting encryption due to low battery"); 2879 return 0; 2880 } 2881 2882 /* The size of the userdata partition, and add in the vold volumes below */ 2883 tot_encryption_size = crypt_ftr->fs_size; 2884 2885 if (how == CRYPTO_ENABLE_WIPE) { 2886 struct fstab_rec* rec = fs_mgr_get_entry_for_mount_point(fstab, DATA_MNT_POINT); 2887 int fs_type = get_fs_type(rec); 2888 if (fs_type < 0) { 2889 SLOGE("cryptfs_enable: unsupported fs type %s\n", rec->fs_type); 2890 return -1; 2891 } 2892 rc = cryptfs_enable_wipe(crypto_blkdev, crypt_ftr->fs_size, fs_type); 2893 } else if (how == CRYPTO_ENABLE_INPLACE) { 2894 rc = cryptfs_enable_inplace(crypto_blkdev, real_blkdev, 2895 crypt_ftr->fs_size, &cur_encryption_done, 2896 tot_encryption_size, 2897 previously_encrypted_upto); 2898 2899 if (rc == ENABLE_INPLACE_ERR_DEV) { 2900 /* Hack for b/17898962 */ 2901 SLOGE("cryptfs_enable: crypto block dev failure. Must reboot...\n"); 2902 cryptfs_reboot(reboot); 2903 } 2904 2905 if (!rc) { 2906 crypt_ftr->encrypted_upto = cur_encryption_done; 2907 } 2908 2909 if (!rc && crypt_ftr->encrypted_upto == crypt_ftr->fs_size) { 2910 /* The inplace routine never actually sets the progress to 100% due 2911 * to the round down nature of integer division, so set it here */ 2912 property_set("vold.encrypt_progress", "100"); 2913 } 2914 } else { 2915 /* Shouldn't happen */ 2916 SLOGE("cryptfs_enable: internal error, unknown option\n"); 2917 rc = -1; 2918 } 2919 2920 return rc; 2921} 2922 2923int cryptfs_enable_internal(char *howarg, int crypt_type, char *passwd, 2924 int allow_reboot) 2925{ 2926 int how = 0; 2927 char crypto_blkdev[MAXPATHLEN], real_blkdev[MAXPATHLEN]; 2928 unsigned long nr_sec; 2929 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 2930 int rc=-1, fd, i, ret; 2931 struct crypt_mnt_ftr crypt_ftr; 2932 struct crypt_persist_data *pdata; 2933 char encrypted_state[PROPERTY_VALUE_MAX]; 2934 char lockid[32] = { 0 }; 2935 char key_loc[PROPERTY_VALUE_MAX]; 2936 char fuse_sdcard[PROPERTY_VALUE_MAX]; 2937 char *sd_mnt_point; 2938 int num_vols; 2939 struct volume_info *vol_list = 0; 2940 off64_t previously_encrypted_upto = 0; 2941 2942 if (!strcmp(howarg, "wipe")) { 2943 how = CRYPTO_ENABLE_WIPE; 2944 } else if (! strcmp(howarg, "inplace")) { 2945 how = CRYPTO_ENABLE_INPLACE; 2946 } else { 2947 /* Shouldn't happen, as CommandListener vets the args */ 2948 goto error_unencrypted; 2949 } 2950 2951 /* See if an encryption was underway and interrupted */ 2952 if (how == CRYPTO_ENABLE_INPLACE 2953 && get_crypt_ftr_and_key(&crypt_ftr) == 0 2954 && (crypt_ftr.flags & CRYPT_ENCRYPTION_IN_PROGRESS)) { 2955 previously_encrypted_upto = crypt_ftr.encrypted_upto; 2956 crypt_ftr.encrypted_upto = 0; 2957 crypt_ftr.flags &= ~CRYPT_ENCRYPTION_IN_PROGRESS; 2958 2959 /* At this point, we are in an inconsistent state. Until we successfully 2960 complete encryption, a reboot will leave us broken. So mark the 2961 encryption failed in case that happens. 2962 On successfully completing encryption, remove this flag */ 2963 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 2964 2965 put_crypt_ftr_and_key(&crypt_ftr); 2966 } 2967 2968 property_get("ro.crypto.state", encrypted_state, ""); 2969 if (!strcmp(encrypted_state, "encrypted") && !previously_encrypted_upto) { 2970 SLOGE("Device is already running encrypted, aborting"); 2971 goto error_unencrypted; 2972 } 2973 2974 // TODO refactor fs_mgr_get_crypt_info to get both in one call 2975 fs_mgr_get_crypt_info(fstab, key_loc, 0, sizeof(key_loc)); 2976 fs_mgr_get_crypt_info(fstab, 0, real_blkdev, sizeof(real_blkdev)); 2977 2978 /* Get the size of the real block device */ 2979 fd = open(real_blkdev, O_RDONLY); 2980 if ( (nr_sec = get_blkdev_size(fd)) == 0) { 2981 SLOGE("Cannot get size of block device %s\n", real_blkdev); 2982 goto error_unencrypted; 2983 } 2984 close(fd); 2985 2986 /* If doing inplace encryption, make sure the orig fs doesn't include the crypto footer */ 2987 if ((how == CRYPTO_ENABLE_INPLACE) && (!strcmp(key_loc, KEY_IN_FOOTER))) { 2988 unsigned int fs_size_sec, max_fs_size_sec; 2989 fs_size_sec = get_fs_size(real_blkdev); 2990 if (fs_size_sec == 0) 2991 fs_size_sec = get_f2fs_filesystem_size_sec(real_blkdev); 2992 2993 max_fs_size_sec = nr_sec - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 2994 2995 if (fs_size_sec > max_fs_size_sec) { 2996 SLOGE("Orig filesystem overlaps crypto footer region. Cannot encrypt in place."); 2997 goto error_unencrypted; 2998 } 2999 } 3000 3001 /* Get a wakelock as this may take a while, and we don't want the 3002 * device to sleep on us. We'll grab a partial wakelock, and if the UI 3003 * wants to keep the screen on, it can grab a full wakelock. 3004 */ 3005 snprintf(lockid, sizeof(lockid), "enablecrypto%d", (int) getpid()); 3006 acquire_wake_lock(PARTIAL_WAKE_LOCK, lockid); 3007 3008 /* Get the sdcard mount point */ 3009 sd_mnt_point = getenv("EMULATED_STORAGE_SOURCE"); 3010 if (!sd_mnt_point) { 3011 sd_mnt_point = getenv("EXTERNAL_STORAGE"); 3012 } 3013 if (!sd_mnt_point) { 3014 sd_mnt_point = "/mnt/sdcard"; 3015 } 3016 3017 /* TODO 3018 * Currently do not have test devices with multiple encryptable volumes. 3019 * When we acquire some, re-add support. 3020 */ 3021 num_vols=vold_getNumDirectVolumes(); 3022 vol_list = malloc(sizeof(struct volume_info) * num_vols); 3023 vold_getDirectVolumeList(vol_list); 3024 3025 for (i=0; i<num_vols; i++) { 3026 if (should_encrypt(&vol_list[i])) { 3027 SLOGE("Cannot encrypt if there are multiple encryptable volumes" 3028 "%s\n", vol_list[i].label); 3029 goto error_unencrypted; 3030 } 3031 } 3032 3033 /* The init files are setup to stop the class main and late start when 3034 * vold sets trigger_shutdown_framework. 3035 */ 3036 property_set("vold.decrypt", "trigger_shutdown_framework"); 3037 SLOGD("Just asked init to shut down class main\n"); 3038 3039 if (vold_unmountAllAsecs()) { 3040 /* Just report the error. If any are left mounted, 3041 * umounting /data below will fail and handle the error. 3042 */ 3043 SLOGE("Error unmounting internal asecs"); 3044 } 3045 3046 property_get("ro.crypto.fuse_sdcard", fuse_sdcard, ""); 3047 if (!strcmp(fuse_sdcard, "true")) { 3048 /* This is a device using the fuse layer to emulate the sdcard semantics 3049 * on top of the userdata partition. vold does not manage it, it is managed 3050 * by the sdcard service. The sdcard service was killed by the property trigger 3051 * above, so just unmount it now. We must do this _AFTER_ killing the framework, 3052 * unlike the case for vold managed devices above. 3053 */ 3054 if (wait_and_unmount(sd_mnt_point, false)) { 3055 goto error_shutting_down; 3056 } 3057 } 3058 3059 /* Now unmount the /data partition. */ 3060 if (wait_and_unmount(DATA_MNT_POINT, false)) { 3061 if (allow_reboot) { 3062 goto error_shutting_down; 3063 } else { 3064 goto error_unencrypted; 3065 } 3066 } 3067 3068 /* Do extra work for a better UX when doing the long inplace encryption */ 3069 if (how == CRYPTO_ENABLE_INPLACE) { 3070 /* Now that /data is unmounted, we need to mount a tmpfs 3071 * /data, set a property saying we're doing inplace encryption, 3072 * and restart the framework. 3073 */ 3074 if (fs_mgr_do_tmpfs_mount(DATA_MNT_POINT)) { 3075 goto error_shutting_down; 3076 } 3077 /* Tells the framework that inplace encryption is starting */ 3078 property_set("vold.encrypt_progress", "0"); 3079 3080 /* restart the framework. */ 3081 /* Create necessary paths on /data */ 3082 if (prep_data_fs()) { 3083 goto error_shutting_down; 3084 } 3085 3086 /* Ugh, shutting down the framework is not synchronous, so until it 3087 * can be fixed, this horrible hack will wait a moment for it all to 3088 * shut down before proceeding. Without it, some devices cannot 3089 * restart the graphics services. 3090 */ 3091 sleep(2); 3092 } 3093 3094 /* Start the actual work of making an encrypted filesystem */ 3095 /* Initialize a crypt_mnt_ftr for the partition */ 3096 if (previously_encrypted_upto == 0) { 3097 if (cryptfs_init_crypt_mnt_ftr(&crypt_ftr)) { 3098 goto error_shutting_down; 3099 } 3100 3101 if (!strcmp(key_loc, KEY_IN_FOOTER)) { 3102 crypt_ftr.fs_size = nr_sec 3103 - (CRYPT_FOOTER_OFFSET / CRYPT_SECTOR_SIZE); 3104 } else { 3105 crypt_ftr.fs_size = nr_sec; 3106 } 3107 /* At this point, we are in an inconsistent state. Until we successfully 3108 complete encryption, a reboot will leave us broken. So mark the 3109 encryption failed in case that happens. 3110 On successfully completing encryption, remove this flag */ 3111 crypt_ftr.flags |= CRYPT_INCONSISTENT_STATE; 3112 crypt_ftr.crypt_type = crypt_type; 3113#ifndef CONFIG_HW_DISK_ENCRYPTION 3114 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-cbc-essiv:sha256", MAX_CRYPTO_TYPE_NAME_LEN); 3115#else 3116 strlcpy((char *)crypt_ftr.crypto_type_name, "aes-xts", MAX_CRYPTO_TYPE_NAME_LEN); 3117 3118 rc = clear_hw_device_encryption_key(); 3119 if (!rc) { 3120 SLOGE("Error clearing device encryption hardware key. rc = %d", rc); 3121 } 3122 3123 rc = set_hw_device_encryption_key(passwd, 3124 (char*) crypt_ftr.crypto_type_name); 3125 if (!rc) { 3126 SLOGE("Error initializing device encryption hardware key. rc = %d", rc); 3127 goto error_shutting_down; 3128 } 3129#endif 3130 3131 /* Make an encrypted master key */ 3132 if (create_encrypted_random_key(passwd, crypt_ftr.master_key, crypt_ftr.salt, &crypt_ftr)) { 3133 SLOGE("Cannot create encrypted master key\n"); 3134 goto error_shutting_down; 3135 } 3136 3137 /* Write the key to the end of the partition */ 3138 put_crypt_ftr_and_key(&crypt_ftr); 3139 3140 /* If any persistent data has been remembered, save it. 3141 * If none, create a valid empty table and save that. 3142 */ 3143 if (!persist_data) { 3144 pdata = malloc(CRYPT_PERSIST_DATA_SIZE); 3145 if (pdata) { 3146 init_empty_persist_data(pdata, CRYPT_PERSIST_DATA_SIZE); 3147 persist_data = pdata; 3148 } 3149 } 3150 if (persist_data) { 3151 save_persistent_data(); 3152 } 3153 } 3154 3155 if (how == CRYPTO_ENABLE_INPLACE) { 3156 /* startup service classes main and late_start */ 3157 property_set("vold.decrypt", "trigger_restart_min_framework"); 3158 SLOGD("Just triggered restart_min_framework\n"); 3159 3160 /* OK, the framework is restarted and will soon be showing a 3161 * progress bar. Time to setup an encrypted mapping, and 3162 * either write a new filesystem, or encrypt in place updating 3163 * the progress bar as we work. 3164 */ 3165 } 3166 3167 decrypt_master_key(passwd, decrypted_master_key, &crypt_ftr, 0, 0); 3168 create_crypto_blk_dev(&crypt_ftr, decrypted_master_key, real_blkdev, crypto_blkdev, 3169 "userdata"); 3170 3171 /* If we are continuing, check checksums match */ 3172 rc = 0; 3173 if (previously_encrypted_upto) { 3174 __le8 hash_first_block[SHA256_DIGEST_LENGTH]; 3175 rc = cryptfs_SHA256_fileblock(crypto_blkdev, hash_first_block); 3176 3177 if (!rc && memcmp(hash_first_block, crypt_ftr.hash_first_block, 3178 sizeof(hash_first_block)) != 0) { 3179 SLOGE("Checksums do not match - trigger wipe"); 3180 rc = -1; 3181 } 3182 } 3183 3184 if (!rc) { 3185 rc = cryptfs_enable_all_volumes(&crypt_ftr, how, 3186 crypto_blkdev, real_blkdev, 3187 previously_encrypted_upto); 3188 } 3189 3190 /* Calculate checksum if we are not finished */ 3191 if (!rc && how == CRYPTO_ENABLE_INPLACE 3192 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3193 rc = cryptfs_SHA256_fileblock(crypto_blkdev, 3194 crypt_ftr.hash_first_block); 3195 if (rc) { 3196 SLOGE("Error calculating checksum for continuing encryption"); 3197 rc = -1; 3198 } 3199 } 3200 3201 /* Undo the dm-crypt mapping whether we succeed or not */ 3202 delete_crypto_blk_dev("userdata"); 3203 3204 free(vol_list); 3205 3206 if (! rc) { 3207 /* Success */ 3208 crypt_ftr.flags &= ~CRYPT_INCONSISTENT_STATE; 3209 3210 if (how == CRYPTO_ENABLE_INPLACE 3211 && crypt_ftr.encrypted_upto != crypt_ftr.fs_size) { 3212 SLOGD("Encrypted up to sector %lld - will continue after reboot", 3213 crypt_ftr.encrypted_upto); 3214 crypt_ftr.flags |= CRYPT_ENCRYPTION_IN_PROGRESS; 3215 } 3216 3217 put_crypt_ftr_and_key(&crypt_ftr); 3218 3219 if (how == CRYPTO_ENABLE_WIPE 3220 || crypt_ftr.encrypted_upto == crypt_ftr.fs_size) { 3221 char value[PROPERTY_VALUE_MAX]; 3222 property_get("ro.crypto.state", value, ""); 3223 if (!strcmp(value, "")) { 3224 /* default encryption - continue first boot sequence */ 3225 property_set("ro.crypto.state", "encrypted"); 3226 release_wake_lock(lockid); 3227 cryptfs_check_passwd(DEFAULT_PASSWORD); 3228 cryptfs_restart_internal(1); 3229 return 0; 3230 } else { 3231 sleep(2); /* Give the UI a chance to show 100% progress */ 3232 cryptfs_reboot(reboot); 3233 } 3234 } else { 3235 sleep(2); /* Partially encrypted, ensure writes flushed to ssd */ 3236 cryptfs_reboot(shutdown); 3237 } 3238 } else { 3239 char value[PROPERTY_VALUE_MAX]; 3240 3241 property_get("ro.vold.wipe_on_crypt_fail", value, "0"); 3242 if (!strcmp(value, "1")) { 3243 /* wipe data if encryption failed */ 3244 SLOGE("encryption failed - rebooting into recovery to wipe data\n"); 3245 mkdir("/cache/recovery", 0700); 3246 int fd = open("/cache/recovery/command", O_RDWR|O_CREAT|O_TRUNC, 0600); 3247 if (fd >= 0) { 3248 write(fd, "--wipe_data\n", strlen("--wipe_data\n") + 1); 3249 write(fd, "--reason=cryptfs_enable_internal\n", strlen("--reason=cryptfs_enable_internal\n") + 1); 3250 close(fd); 3251 } else { 3252 SLOGE("could not open /cache/recovery/command\n"); 3253 } 3254 cryptfs_reboot(recovery); 3255 } else { 3256 /* set property to trigger dialog */ 3257 property_set("vold.encrypt_progress", "error_partially_encrypted"); 3258 release_wake_lock(lockid); 3259 } 3260 return -1; 3261 } 3262 3263 /* hrm, the encrypt step claims success, but the reboot failed. 3264 * This should not happen. 3265 * Set the property and return. Hope the framework can deal with it. 3266 */ 3267 property_set("vold.encrypt_progress", "error_reboot_failed"); 3268 release_wake_lock(lockid); 3269 return rc; 3270 3271error_unencrypted: 3272 free(vol_list); 3273 property_set("vold.encrypt_progress", "error_not_encrypted"); 3274 if (lockid[0]) { 3275 release_wake_lock(lockid); 3276 } 3277 return -1; 3278 3279error_shutting_down: 3280 /* we failed, and have not encrypted anthing, so the users's data is still intact, 3281 * but the framework is stopped and not restarted to show the error, so it's up to 3282 * vold to restart the system. 3283 */ 3284 SLOGE("Error enabling encryption after framework is shutdown, no data changed, restarting system"); 3285 cryptfs_reboot(reboot); 3286 3287 /* shouldn't get here */ 3288 property_set("vold.encrypt_progress", "error_shutting_down"); 3289 free(vol_list); 3290 if (lockid[0]) { 3291 release_wake_lock(lockid); 3292 } 3293 return -1; 3294} 3295 3296int cryptfs_enable(char *howarg, int type, char *passwd, int allow_reboot) 3297{ 3298 char* adjusted_passwd = adjust_passwd(passwd); 3299 if (adjusted_passwd) { 3300 passwd = adjusted_passwd; 3301 } 3302 3303 int rc = cryptfs_enable_internal(howarg, type, passwd, allow_reboot); 3304 3305 free(adjusted_passwd); 3306 return rc; 3307} 3308 3309int cryptfs_enable_default(char *howarg, int allow_reboot) 3310{ 3311 return cryptfs_enable_internal(howarg, CRYPT_TYPE_DEFAULT, 3312 DEFAULT_PASSWORD, allow_reboot); 3313} 3314 3315int cryptfs_changepw(int crypt_type, const char *newpw) 3316{ 3317 struct crypt_mnt_ftr crypt_ftr; 3318 unsigned char decrypted_master_key[KEY_LEN_BYTES]; 3319 3320 /* This is only allowed after we've successfully decrypted the master key */ 3321 if (!master_key_saved) { 3322 SLOGE("Key not saved, aborting"); 3323 return -1; 3324 } 3325 3326 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3327 SLOGE("Invalid crypt_type %d", crypt_type); 3328 return -1; 3329 } 3330 3331 /* get key */ 3332 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3333 SLOGE("Error getting crypt footer and key"); 3334 return -1; 3335 } 3336 3337 crypt_ftr.crypt_type = crypt_type; 3338 3339 char* adjusted_passwd = adjust_passwd(newpw); 3340 if (adjusted_passwd) { 3341 newpw = adjusted_passwd; 3342 } 3343 3344 encrypt_master_key(crypt_type == CRYPT_TYPE_DEFAULT ? DEFAULT_PASSWORD 3345 : newpw, 3346 crypt_ftr.salt, 3347 saved_master_key, 3348 crypt_ftr.master_key, 3349 &crypt_ftr); 3350 3351 /* save the key */ 3352 put_crypt_ftr_and_key(&crypt_ftr); 3353 3354 free(adjusted_passwd); 3355 3356#ifdef CONFIG_HW_DISK_ENCRYPTION 3357 if (!strcmp((char *)crypt_ftr.crypto_type_name, "aes-xts")) { 3358 if (crypt_type == CRYPT_TYPE_DEFAULT) { 3359 int rc = update_hw_device_encryption_key(DEFAULT_PASSWORD, (char*) crypt_ftr.crypto_type_name); 3360 SLOGD("Update hardware encryption key to default for crypt_type: %d. rc = %d", crypt_type, rc); 3361 if (!rc) 3362 return -1; 3363 } else { 3364 int rc = update_hw_device_encryption_key(newpw, (char*) crypt_ftr.crypto_type_name); 3365 SLOGD("Update hardware encryption key for crypt_type: %d. rc = %d", crypt_type, rc); 3366 if (!rc) 3367 return -1; 3368 } 3369 } 3370#endif 3371 return 0; 3372} 3373 3374static unsigned int persist_get_max_entries(int encrypted) { 3375 struct crypt_mnt_ftr crypt_ftr; 3376 unsigned int dsize; 3377 unsigned int max_persistent_entries; 3378 3379 /* If encrypted, use the values from the crypt_ftr, otherwise 3380 * use the values for the current spec. 3381 */ 3382 if (encrypted) { 3383 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3384 return -1; 3385 } 3386 dsize = crypt_ftr.persist_data_size; 3387 } else { 3388 dsize = CRYPT_PERSIST_DATA_SIZE; 3389 } 3390 3391 max_persistent_entries = (dsize - sizeof(struct crypt_persist_data)) / 3392 sizeof(struct crypt_persist_entry); 3393 3394 return max_persistent_entries; 3395} 3396 3397static int persist_get_key(const char *fieldname, char *value) 3398{ 3399 unsigned int i; 3400 3401 if (persist_data == NULL) { 3402 return -1; 3403 } 3404 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3405 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3406 /* We found it! */ 3407 strlcpy(value, persist_data->persist_entry[i].val, PROPERTY_VALUE_MAX); 3408 return 0; 3409 } 3410 } 3411 3412 return -1; 3413} 3414 3415static int persist_set_key(const char *fieldname, const char *value, int encrypted) 3416{ 3417 unsigned int i; 3418 unsigned int num; 3419 unsigned int max_persistent_entries; 3420 3421 if (persist_data == NULL) { 3422 return -1; 3423 } 3424 3425 max_persistent_entries = persist_get_max_entries(encrypted); 3426 3427 num = persist_data->persist_valid_entries; 3428 3429 for (i = 0; i < num; i++) { 3430 if (!strncmp(persist_data->persist_entry[i].key, fieldname, PROPERTY_KEY_MAX)) { 3431 /* We found an existing entry, update it! */ 3432 memset(persist_data->persist_entry[i].val, 0, PROPERTY_VALUE_MAX); 3433 strlcpy(persist_data->persist_entry[i].val, value, PROPERTY_VALUE_MAX); 3434 return 0; 3435 } 3436 } 3437 3438 /* We didn't find it, add it to the end, if there is room */ 3439 if (persist_data->persist_valid_entries < max_persistent_entries) { 3440 memset(&persist_data->persist_entry[num], 0, sizeof(struct crypt_persist_entry)); 3441 strlcpy(persist_data->persist_entry[num].key, fieldname, PROPERTY_KEY_MAX); 3442 strlcpy(persist_data->persist_entry[num].val, value, PROPERTY_VALUE_MAX); 3443 persist_data->persist_valid_entries++; 3444 return 0; 3445 } 3446 3447 return -1; 3448} 3449 3450/** 3451 * Test if key is part of the multi-entry (field, index) sequence. Return non-zero if key is in the 3452 * sequence and its index is greater than or equal to index. Return 0 otherwise. 3453 */ 3454static int match_multi_entry(const char *key, const char *field, unsigned index) { 3455 unsigned int i; 3456 unsigned int field_len; 3457 unsigned int key_index; 3458 field_len = strlen(field); 3459 3460 if (index == 0) { 3461 // The first key in a multi-entry field is just the filedname itself. 3462 if (!strcmp(key, field)) { 3463 return 1; 3464 } 3465 } 3466 // Match key against "%s_%d" % (field, index) 3467 if (strlen(key) < field_len + 1 + 1) { 3468 // Need at least a '_' and a digit. 3469 return 0; 3470 } 3471 if (strncmp(key, field, field_len)) { 3472 // If the key does not begin with field, it's not a match. 3473 return 0; 3474 } 3475 if (1 != sscanf(&key[field_len],"_%d", &key_index)) { 3476 return 0; 3477 } 3478 return key_index >= index; 3479} 3480 3481/* 3482 * Delete entry/entries from persist_data. If the entries are part of a multi-segment field, all 3483 * remaining entries starting from index will be deleted. 3484 * returns PERSIST_DEL_KEY_OK if deletion succeeds, 3485 * PERSIST_DEL_KEY_ERROR_NO_FIELD if the field does not exist, 3486 * and PERSIST_DEL_KEY_ERROR_OTHER if error occurs. 3487 * 3488 */ 3489static int persist_del_keys(const char *fieldname, unsigned index) 3490{ 3491 unsigned int i; 3492 unsigned int j; 3493 unsigned int num; 3494 3495 if (persist_data == NULL) { 3496 return PERSIST_DEL_KEY_ERROR_OTHER; 3497 } 3498 3499 num = persist_data->persist_valid_entries; 3500 3501 j = 0; // points to the end of non-deleted entries. 3502 // Filter out to-be-deleted entries in place. 3503 for (i = 0; i < num; i++) { 3504 if (!match_multi_entry(persist_data->persist_entry[i].key, fieldname, index)) { 3505 persist_data->persist_entry[j] = persist_data->persist_entry[i]; 3506 j++; 3507 } 3508 } 3509 3510 if (j < num) { 3511 persist_data->persist_valid_entries = j; 3512 // Zeroise the remaining entries 3513 memset(&persist_data->persist_entry[j], 0, (num - j) * sizeof(struct crypt_persist_entry)); 3514 return PERSIST_DEL_KEY_OK; 3515 } else { 3516 // Did not find an entry matching the given fieldname 3517 return PERSIST_DEL_KEY_ERROR_NO_FIELD; 3518 } 3519} 3520 3521static int persist_count_keys(const char *fieldname) 3522{ 3523 unsigned int i; 3524 unsigned int count; 3525 3526 if (persist_data == NULL) { 3527 return -1; 3528 } 3529 3530 count = 0; 3531 for (i = 0; i < persist_data->persist_valid_entries; i++) { 3532 if (match_multi_entry(persist_data->persist_entry[i].key, fieldname, 0)) { 3533 count++; 3534 } 3535 } 3536 3537 return count; 3538} 3539 3540/* Return the value of the specified field. */ 3541int cryptfs_getfield(const char *fieldname, char *value, int len) 3542{ 3543 char temp_value[PROPERTY_VALUE_MAX]; 3544 char real_blkdev[MAXPATHLEN]; 3545 /* CRYPTO_GETFIELD_OK is success, 3546 * CRYPTO_GETFIELD_ERROR_NO_FIELD is value not set, 3547 * CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL is buffer (as given by len) too small, 3548 * CRYPTO_GETFIELD_ERROR_OTHER is any other error 3549 */ 3550 int rc = CRYPTO_GETFIELD_ERROR_OTHER; 3551 int i; 3552 char temp_field[PROPERTY_KEY_MAX]; 3553 3554 if (persist_data == NULL) { 3555 load_persistent_data(); 3556 if (persist_data == NULL) { 3557 SLOGE("Getfield error, cannot load persistent data"); 3558 goto out; 3559 } 3560 } 3561 3562 // Read value from persistent entries. If the original value is split into multiple entries, 3563 // stitch them back together. 3564 if (!persist_get_key(fieldname, temp_value)) { 3565 // We found it, copy it to the caller's buffer and keep going until all entries are read. 3566 if (strlcpy(value, temp_value, len) >= (unsigned) len) { 3567 // value too small 3568 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3569 goto out; 3570 } 3571 rc = CRYPTO_GETFIELD_OK; 3572 3573 for (i = 1; /* break explicitly */; i++) { 3574 if (snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, i) >= 3575 (int) sizeof(temp_field)) { 3576 // If the fieldname is very long, we stop as soon as it begins to overflow the 3577 // maximum field length. At this point we have in fact fully read out the original 3578 // value because cryptfs_setfield would not allow fields with longer names to be 3579 // written in the first place. 3580 break; 3581 } 3582 if (!persist_get_key(temp_field, temp_value)) { 3583 if (strlcat(value, temp_value, len) >= (unsigned)len) { 3584 // value too small. 3585 rc = CRYPTO_GETFIELD_ERROR_BUF_TOO_SMALL; 3586 goto out; 3587 } 3588 } else { 3589 // Exhaust all entries. 3590 break; 3591 } 3592 } 3593 } else { 3594 /* Sadness, it's not there. Return the error */ 3595 rc = CRYPTO_GETFIELD_ERROR_NO_FIELD; 3596 } 3597 3598out: 3599 return rc; 3600} 3601 3602/* Set the value of the specified field. */ 3603int cryptfs_setfield(const char *fieldname, const char *value) 3604{ 3605 struct crypt_persist_data stored_pdata; 3606 struct crypt_persist_data *pdata_p; 3607 struct crypt_mnt_ftr crypt_ftr; 3608 char encrypted_state[PROPERTY_VALUE_MAX]; 3609 /* 0 is success, negative values are error */ 3610 int rc = CRYPTO_SETFIELD_ERROR_OTHER; 3611 int encrypted = 0; 3612 unsigned int field_id; 3613 char temp_field[PROPERTY_KEY_MAX]; 3614 unsigned int num_entries; 3615 unsigned int max_keylen; 3616 3617 if (persist_data == NULL) { 3618 load_persistent_data(); 3619 if (persist_data == NULL) { 3620 SLOGE("Setfield error, cannot load persistent data"); 3621 goto out; 3622 } 3623 } 3624 3625 property_get("ro.crypto.state", encrypted_state, ""); 3626 if (!strcmp(encrypted_state, "encrypted") ) { 3627 encrypted = 1; 3628 } 3629 3630 // Compute the number of entries required to store value, each entry can store up to 3631 // (PROPERTY_VALUE_MAX - 1) chars 3632 if (strlen(value) == 0) { 3633 // Empty value also needs one entry to store. 3634 num_entries = 1; 3635 } else { 3636 num_entries = (strlen(value) + (PROPERTY_VALUE_MAX - 1) - 1) / (PROPERTY_VALUE_MAX - 1); 3637 } 3638 3639 max_keylen = strlen(fieldname); 3640 if (num_entries > 1) { 3641 // Need an extra "_%d" suffix. 3642 max_keylen += 1 + log10(num_entries); 3643 } 3644 if (max_keylen > PROPERTY_KEY_MAX - 1) { 3645 rc = CRYPTO_SETFIELD_ERROR_FIELD_TOO_LONG; 3646 goto out; 3647 } 3648 3649 // Make sure we have enough space to write the new value 3650 if (persist_data->persist_valid_entries + num_entries - persist_count_keys(fieldname) > 3651 persist_get_max_entries(encrypted)) { 3652 rc = CRYPTO_SETFIELD_ERROR_VALUE_TOO_LONG; 3653 goto out; 3654 } 3655 3656 // Now that we know persist_data has enough space for value, let's delete the old field first 3657 // to make up space. 3658 persist_del_keys(fieldname, 0); 3659 3660 if (persist_set_key(fieldname, value, encrypted)) { 3661 // fail to set key, should not happen as we have already checked the available space 3662 SLOGE("persist_set_key() error during setfield()"); 3663 goto out; 3664 } 3665 3666 for (field_id = 1; field_id < num_entries; field_id++) { 3667 snprintf(temp_field, sizeof(temp_field), "%s_%d", fieldname, field_id); 3668 3669 if (persist_set_key(temp_field, value + field_id * (PROPERTY_VALUE_MAX - 1), encrypted)) { 3670 // fail to set key, should not happen as we have already checked the available space. 3671 SLOGE("persist_set_key() error during setfield()"); 3672 goto out; 3673 } 3674 } 3675 3676 /* If we are running encrypted, save the persistent data now */ 3677 if (encrypted) { 3678 if (save_persistent_data()) { 3679 SLOGE("Setfield error, cannot save persistent data"); 3680 goto out; 3681 } 3682 } 3683 3684 rc = CRYPTO_SETFIELD_OK; 3685 3686out: 3687 return rc; 3688} 3689 3690/* Checks userdata. Attempt to mount the volume if default- 3691 * encrypted. 3692 * On success trigger next init phase and return 0. 3693 * Currently do not handle failure - see TODO below. 3694 */ 3695int cryptfs_mount_default_encrypted(void) 3696{ 3697 char decrypt_state[PROPERTY_VALUE_MAX]; 3698 property_get("vold.decrypt", decrypt_state, "0"); 3699 if (!strcmp(decrypt_state, "0")) { 3700 SLOGE("Not encrypted - should not call here"); 3701 } else { 3702 int crypt_type = cryptfs_get_password_type(); 3703 if (crypt_type < 0 || crypt_type > CRYPT_TYPE_MAX_TYPE) { 3704 SLOGE("Bad crypt type - error"); 3705 } else if (crypt_type != CRYPT_TYPE_DEFAULT) { 3706 SLOGD("Password is not default - " 3707 "starting min framework to prompt"); 3708 property_set("vold.decrypt", "trigger_restart_min_framework"); 3709 return 0; 3710 } else if (cryptfs_check_passwd(DEFAULT_PASSWORD) == 0) { 3711 SLOGD("Password is default - restarting filesystem"); 3712 cryptfs_restart_internal(0); 3713 return 0; 3714 } else { 3715 SLOGE("Encrypted, default crypt type but can't decrypt"); 3716 } 3717 } 3718 3719 /** Corrupt. Allow us to boot into framework, which will detect bad 3720 crypto when it calls do_crypto_complete, then do a factory reset 3721 */ 3722 property_set("vold.decrypt", "trigger_restart_min_framework"); 3723 return 0; 3724} 3725 3726/* Returns type of the password, default, pattern, pin or password. 3727 */ 3728int cryptfs_get_password_type(void) 3729{ 3730 struct crypt_mnt_ftr crypt_ftr; 3731 3732 if (get_crypt_ftr_and_key(&crypt_ftr)) { 3733 SLOGE("Error getting crypt footer and key\n"); 3734 return -1; 3735 } 3736 3737 if (crypt_ftr.flags & CRYPT_INCONSISTENT_STATE) { 3738 return -1; 3739 } 3740 3741 return crypt_ftr.crypt_type; 3742} 3743 3744char* cryptfs_get_password() 3745{ 3746 struct timespec now; 3747 clock_gettime(CLOCK_BOOTTIME, &now); 3748 if (now.tv_sec < password_expiry_time) { 3749 return password; 3750 } else { 3751 cryptfs_clear_password(); 3752 return 0; 3753 } 3754} 3755 3756void cryptfs_clear_password() 3757{ 3758 if (password) { 3759 size_t len = strlen(password); 3760 memset(password, 0, len); 3761 free(password); 3762 password = 0; 3763 password_expiry_time = 0; 3764 } 3765} 3766